- 28 Apr, 2021 40 commits
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
David Fernandez authored
Any objects other than `User` (such as `DeployToken`) are not allowed.
Changelog: security
-
Alex Kalderimis authored
Verify that read_api tokens cannot run mutations.
Also: adds tests use of OAuth tokens for GraphQL.
We make some changes to the sessionless_authentication module in order to capture the request_authenticator, so that we can access the token scopes, without making any extra queries.
We ensure we always authorize the mutation, which, like all resolvers, needs to opt in to the check. Unlike resolvers, mutations should always raise. So `BaseMutation.authorized?` raises on failure.
Logic for handling scopes is pushed down to the `ObjectAuthorization` class, and encapsulated in the `ScopeValidator`, which limits the methods that can be called by resolvers.
-
Alexandru Croitor authored
When an issue is created or updated through API for import purposes, we allow providing created_at and updated_at params; these would then be reflected also in system notes. Only admins and project owners should be able to set these dates.
-
Mike Kozono authored
-
Nick Thomas authored
It seems that with this feature flag enabled, pagination doesn't work correctly in conjunction with a search. The FF is already disabled on GitLab.com, but disabling it in the YAML file means that self-managed instances will also be protected from the security issue (unless they explicitly opt-in to some beta code, of course).
Changelog: security
-
Vasilii Iakliushin authored
Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/230864
* Remove password value from the pull mirror form
* Hide username from mirror url
-
Savas Vedova authored
Subscription Activation: Success Banner See merge request gitlab-org/gitlab!60389
-
Marcia Ramos authored
Docs: Remove create_default examples with freeze See merge request gitlab-org/gitlab!60379
-
Marcia Ramos authored
Document all the configuration options See merge request gitlab-org/gitlab!59562
-
Viktor Nagy authored
-
Marcia Ramos authored
Document order-dependent flaky tests See merge request gitlab-org/gitlab!59369
-
Albert Salim authored
-
Matthias Käppler authored
ImportExport: Validate URL before downloading See merge request gitlab-org/gitlab!60388
-
Rémy Coutable authored
ci: Streamline our usage of 'needs' after latest improvements See merge request gitlab-org/gitlab!60030
-
David O'Regan authored
Change success variant for primary button in upload file modal to confirm See merge request gitlab-org/gitlab!59463
-
Yogi authored
-
Dmytro Zaporozhets (DZ) authored
Merge branch '21033-controller-groups-groupmemberscontroller-index-executes-more-than-100-sql-queries-p80-108-5' into 'master' Resolve admin_group_member group policy n+1 See merge request gitlab-org/gitlab!58948
-
Doug Stull authored
-
Kamil Trzciński authored
Link change management for feature flag rollout in issue template See merge request gitlab-org/gitlab!60470
-
Arturo Herrero authored
Update Usage Ping Metrics Definitions for group::release See merge request gitlab-org/gitlab!60377
-
Marcia Ramos authored
Correct load balancer typo in database load balancing doc See merge request gitlab-org/gitlab!60156
-
Sean McGivern authored
Remove optimized_timebox_queries feature flag [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!60326
-
Markus Koller authored
Revert '323357-mlunoe-subscription-plans-service' See merge request gitlab-org/gitlab!59371
-
Michael Lunøe authored
This reverts commit 636c36aa, reversing changes made to ce6ed97f.
-
Dmytro Zaporozhets (DZ) authored
Refresh cache on user for assigned open issues count after cache invalidation [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!59961
-
charlie ablett authored
Refresh cache on user for assigned open issues count after cache invalidation [RUN ALL RSPEC] [RUN AS-IF-FOSS]
-
Rémy Coutable authored
Add `static-analysis as-if-foss` job See merge request gitlab-org/gitlab!60363
-
Bob Van Landuyt authored
Fix tier for instance and group DevOps Adoption See merge request gitlab-org/gitlab!60032
-
Mikołaj Wawrzyniak authored
Add Metrics definition JSON schema for histogram metric See merge request gitlab-org/gitlab!58056
-
Alex Kalderimis authored
Add ConfigureSecretDetection graphql mutation See merge request gitlab-org/gitlab!58230
-
Daniel Paul Searles authored
-
Alper Akgun authored
Update Usage Ping Metrics Definitions for 5 min app metrics See merge request gitlab-org/gitlab!60364
-
Alper Akgun authored
Update Usage Ping Metrics Definitions instance auto devops enabled See merge request gitlab-org/gitlab!60374
-
Alina Mihaila authored
-