Add latest changes from gitlab-org/gitlab@master

2025-02-14 21:07:15 +00:00 · 2025-02-14 21:07:15 +00:00 · 0399a25cdd
parent a3f7526b22
commit 0399a25cdd
17 changed files with 179 additions and 35 deletions
--- a/2
+++ b/2
@ -221,7 +221,7 @@ gem 'google-apis-core', '~> 0.11.0', '>= 0.11.1', feature_category: :shared
 gem 'google-apis-compute_v1', '~> 0.57.0', feature_category: :shared
 gem 'google-apis-container_v1', '~> 0.43.0', feature_category: :shared
 gem 'google-apis-container_v1beta1', '~> 0.43.0', feature_category: :shared
-gem 'google-apis-cloudbilling_v1', '~> 0.21.0', feature_category: :shared
+gem 'google-apis-cloudbilling_v1', '~> 0.22.0', feature_category: :shared
 gem 'google-apis-cloudresourcemanager_v1', '~> 0.31.0', feature_category: :shared
 gem 'google-apis-iam_v1', '~> 0.36.0', feature_category: :shared
 gem 'google-apis-serviceusage_v1', '~> 0.28.0', feature_category: :shared
--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@ -247,7 +247,7 @@
 {"name":"globalid","version":"1.1.0","platform":"ruby","checksum":"b337e1746f0c8cb0a6c918234b03a1ddeb4966206ce288fbb57779f59b2d154f"},
 {"name":"gon","version":"6.4.0","platform":"ruby","checksum":"e3a618d659392890f1aa7db420f17c75fd7d35aeb5f8fe003697d02c4b88d2f0"},
 {"name":"google-apis-androidpublisher_v3","version":"0.34.0","platform":"ruby","checksum":"d7e1d7dd92f79c498fe2082222a1740d788e022e660c135564b3fd299cab5425"},
-{"name":"google-apis-cloudbilling_v1","version":"0.21.0","platform":"ruby","checksum":"ea2d847b4409e2ccd7f8a11a58cfcfdcbfb44ffd81c05768389f67341e291e02"},
+{"name":"google-apis-cloudbilling_v1","version":"0.22.0","platform":"ruby","checksum":"db2b72aebdc2664fd5095264a160cf757119ba3a83a036817b78d0d2ad7886fd"},
 {"name":"google-apis-cloudresourcemanager_v1","version":"0.31.0","platform":"ruby","checksum":"f0a472a228c0b9b592741380ce79ead2458ea0066a4b5a78635818b9b62efbbf"},
 {"name":"google-apis-compute_v1","version":"0.57.0","platform":"ruby","checksum":"404514548abc3a44f5e96393d6a6d588d287548ecb6f5a886ad76e1beea78068"},
 {"name":"google-apis-container_v1","version":"0.43.0","platform":"ruby","checksum":"781d2514cb27268be9cfbae57cbc4203966afb2cf8f2c636326f5bc603862424"},
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -822,7 +822,7 @@ GEM
      request_store (>= 1.0)
    google-apis-androidpublisher_v3 (0.34.0)
      google-apis-core (>= 0.9.1, < 2.a)
-    google-apis-cloudbilling_v1 (0.21.0)
+    google-apis-cloudbilling_v1 (0.22.0)
      google-apis-core (>= 0.9.1, < 2.a)
    google-apis-cloudresourcemanager_v1 (0.31.0)
      google-apis-core (>= 0.9.1, < 2.a)
@ -2122,7 +2122,7 @@ DEPENDENCIES
  gitlab_quality-test_tooling (~> 2.4.0)
  gon (~> 6.4.0)
  google-apis-androidpublisher_v3 (~> 0.34.0)
-  google-apis-cloudbilling_v1 (~> 0.21.0)
+  google-apis-cloudbilling_v1 (~> 0.22.0)
  google-apis-cloudresourcemanager_v1 (~> 0.31.0)
  google-apis-compute_v1 (~> 0.57.0)
  google-apis-container_v1 (~> 0.43.0)
--- a/Gemfile.next.checksum
+++ b/Gemfile.next.checksum
@ -247,7 +247,7 @@
 {"name":"globalid","version":"1.1.0","platform":"ruby","checksum":"b337e1746f0c8cb0a6c918234b03a1ddeb4966206ce288fbb57779f59b2d154f"},
 {"name":"gon","version":"6.4.0","platform":"ruby","checksum":"e3a618d659392890f1aa7db420f17c75fd7d35aeb5f8fe003697d02c4b88d2f0"},
 {"name":"google-apis-androidpublisher_v3","version":"0.34.0","platform":"ruby","checksum":"d7e1d7dd92f79c498fe2082222a1740d788e022e660c135564b3fd299cab5425"},
-{"name":"google-apis-cloudbilling_v1","version":"0.21.0","platform":"ruby","checksum":"ea2d847b4409e2ccd7f8a11a58cfcfdcbfb44ffd81c05768389f67341e291e02"},
+{"name":"google-apis-cloudbilling_v1","version":"0.22.0","platform":"ruby","checksum":"db2b72aebdc2664fd5095264a160cf757119ba3a83a036817b78d0d2ad7886fd"},
 {"name":"google-apis-cloudresourcemanager_v1","version":"0.31.0","platform":"ruby","checksum":"f0a472a228c0b9b592741380ce79ead2458ea0066a4b5a78635818b9b62efbbf"},
 {"name":"google-apis-compute_v1","version":"0.57.0","platform":"ruby","checksum":"404514548abc3a44f5e96393d6a6d588d287548ecb6f5a886ad76e1beea78068"},
 {"name":"google-apis-container_v1","version":"0.43.0","platform":"ruby","checksum":"781d2514cb27268be9cfbae57cbc4203966afb2cf8f2c636326f5bc603862424"},
@ -727,8 +727,8 @@
 {"name":"state_machines","version":"0.5.0","platform":"ruby","checksum":"23e6249d374a920b528dccade403518b4abbd83841a3e2c9ef13e6f1a009b102"},
 {"name":"state_machines-activemodel","version":"0.8.0","platform":"ruby","checksum":"e932dab190d4be044fb5f9cab01a3ea0b092c5f113d4676c6c0a0d49bf738d2c"},
 {"name":"state_machines-activerecord","version":"0.8.0","platform":"ruby","checksum":"072fb701b8ab03de0608297f6c55dc34ed096e556fa8f77e556f3c461c71aab6"},
-{"name":"stringio","version":"3.1.2","platform":"java","checksum":"8a11a30ec257e6d9851a42dacb968b07a56bf2cfe359b2d906ec1f8774ac7d71"},
-{"name":"stringio","version":"3.1.2","platform":"ruby","checksum":"204f1828f85cdb39d57cac4abc6dc44b04505a223f131587f2e20ae3729ba131"},
+{"name":"stringio","version":"3.1.3","platform":"java","checksum":"c8602527d7c568e13d7097de97dd23c59302af13c3f7cdf6ace7af0f2d290efe"},
+{"name":"stringio","version":"3.1.3","platform":"ruby","checksum":"1eedb8369ee99a9a0edfdacea95c72d647feb8ce844427c150bd641e1797abc8"},
 {"name":"strings","version":"0.2.1","platform":"ruby","checksum":"933293b3c95cf85b81eb44b3cf673e3087661ba739bbadfeadf442083158d6fb"},
 {"name":"strings-ansi","version":"0.2.0","platform":"ruby","checksum":"90262d760ea4a94cc2ae8d58205277a343409c288cbe7c29416b1826bd511c88"},
 {"name":"swd","version":"2.0.3","platform":"ruby","checksum":"4cdbe2a4246c19f093fce22e967ec3ebdd4657d37673672e621bf0c7eb770655"},
--- a/Gemfile.next.lock
+++ b/Gemfile.next.lock
@ -834,7 +834,7 @@ GEM
      request_store (>= 1.0)
    google-apis-androidpublisher_v3 (0.34.0)
      google-apis-core (>= 0.9.1, < 2.a)
-    google-apis-cloudbilling_v1 (0.21.0)
+    google-apis-cloudbilling_v1 (0.22.0)
      google-apis-core (>= 0.9.1, < 2.a)
    google-apis-cloudresourcemanager_v1 (0.31.0)
      google-apis-core (>= 0.9.1, < 2.a)
@ -1852,7 +1852,7 @@ GEM
    state_machines-activerecord (0.8.0)
      activerecord (>= 5.1)
      state_machines-activemodel (>= 0.8.0)
-    stringio (3.1.2)
+    stringio (3.1.3)
    strings (0.2.1)
      strings-ansi (~> 0.2)
      unicode-display_width (>= 1.5, < 3.0)
@ -2157,7 +2157,7 @@ DEPENDENCIES
  gitlab_quality-test_tooling (~> 2.4.0)
  gon (~> 6.4.0)
  google-apis-androidpublisher_v3 (~> 0.34.0)
-  google-apis-cloudbilling_v1 (~> 0.21.0)
+  google-apis-cloudbilling_v1 (~> 0.22.0)
  google-apis-cloudresourcemanager_v1 (~> 0.31.0)
  google-apis-compute_v1 (~> 0.57.0)
  google-apis-container_v1 (~> 0.43.0)
--- a/data/deprecations/17-9-DS-upgrade-to-SBOM-scanner.yml
+++ b/data/deprecations/17-9-DS-upgrade-to-SBOM-scanner.yml
@ -25,8 +25,10 @@

    Please review the fully detailed changes below and consult [the migration guide](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans.html) to assist you with the transition.

-    - When using the Dependency Scanning CI/CD template (`Dependency-Scanning.gitlab-ci.yml`), the existing CI/CD jobs based on the Gemnasium analyzer will continue to be used by default. The new Dependency Scanning analyzer will run by default only
-    for newly supported languages and package managers that are not already covered by the Gemnasium analyzer. You can also opt-in to fully migrate to the new Dependency Scanning analyzer and use for all supported projects.
+    - To prevent disruptions to your CI/CD configuration, when your application uses the stable Dependency Scanning CI/CD template (`Dependency-Scanning.gitlab-ci.yml`), Dependency Scanning uses only the existing CI/CD jobs based on the Gemnasium analyzer.
+    - When your application uses the latest Dependency Scanning CI/CD template (`Dependency-Scanning.latest.gitlab-ci.yml`), Dependency Scanning uses the existing CI/CD jobs based on the Gemnasium analyzer and the new Dependency Scanning analyzer also runs on the supported file types.
+    - You can also opt-in to enforce the new Dependency Scanning analyzer for all projects.
+    - Other migration paths might be considered as the feature gains maturity.
    - To transition to Dependency Scanning with SBOM, the security scan results generated by the Gemansium analyzer will no longer be uploaded to the GitLab platform as a
    [Dependency Scanning security report artifact](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdependency_scanning). Instead, Dependency Scanning results will be generated within the GitLab platform,
    using the GitLab SBOM Vulnerability Scanner, and based on the [CycloneDX SBOM report artifact](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscyclonedx) generated in the CI/CD pipeline.
--- a/data/deprecations/17-9-ast-da-dast-devtools-api-timeout-env-change.yml
+++ b/data/deprecations/17-9-ast-da-dast-devtools-api-timeout-env-change.yml
@ -0,0 +1,20 @@
+- title: "DAST `dast_devtools_api_timeout` will have a lower default value"
+  removal_milestone: "18.0"
+  announcement_milestone: "17.9"
+  breaking_change: true
+  window: 1
+  reporter: DavidNelsonGL
+  stage: application security testing
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/517254
+  impact: low
+  scope: project
+  resolution_role: Developer
+  manual_task: false
+  body: |  # (required) Don't change this line.
+    The `DAST_DEVTOOLS_API_TIMEOUT` environment variable determines how long a DAST scan waits for a response from the browser. Before GitLab 18.0, the variable has a static value of 45 seconds. After GitLab 18.0, `DAST_DEVTOOLS_API_TIMEOUT` environment variable has a dynamic value, which is calculated based on other timeout configurations.
+    In most cases, the 45-second value was higher than the timeout value of many scanner functions. The dynamically calculated value makes the `DAST_DEVTOOLS_API_TIMEOUT` variable more useful by increasing the number of cases it applies to.
+  end_of_support_milestone:
+  tiers: [Ultimate]
+  documentation_url: https://docs.gitlab.com/ee/user/application_security/dast/browser/configuration/variables.html
+  image_url:
+  video_url:
--- a/data/deprecations/17-9-ast-da-deprecate-crawl-extract-search-timeout-envs.yml
+++ b/data/deprecations/17-9-ast-da-deprecate-crawl-extract-search-timeout-envs.yml
@ -0,0 +1,21 @@
+- title: "DAST `dast_crawl_extract_element_timeout` and `dast_crawl_search_element_timeout` variables are deprecated"
+  removal_milestone: "18.0"
+  announcement_milestone: "17.9"
+  breaking_change: false
+  window: 1
+  reporter: DavidNelsonGL
+  stage: application security testing
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/517250
+  impact: low
+  scope: project
+  resolution_role: Developer
+  manual_task: true
+  body: |  # (required) Don't change this line.
+   The DAST variables `DAST_CRAWL_EXTRACT_ELEMENT_TIMEOUT` and `DAST_CRAWL_SEARCH_ELEMENT_TIMEOUT` are deprecated and will be removed in GitLab 18.0.
+   When they were introduced, the variables provided granular timeout controls for specific browser interactions. These interactions are now governed by a common timeout value, which makes the variables unnecessary. In addition, because of an underlying implementation issue, the variables haven't been functional since the introduction of the DAST browser-based analyzer.
+   Removing these two variables will simplify DAST configuration, and provide a better onboarding experience for users.
+  end_of_support_milestone:
+  tiers: [Ultimate]
+  documentation_url: https://docs.gitlab.com/ee/user/application_security/dast/browser/configuration/variables.html
+  image_url:
+  video_url:
--- a/data/deprecations/18-0-updating-ci-job-token.yml
+++ b/data/deprecations/18-0-updating-ci-job-token.yml
@ -0,0 +1,17 @@
+- title: "Updating CI/CD job tokens to JWT standard"
+  announcement_milestone: "17.9"
+  removal_milestone: "18.0"
+  breaking_change: true
+  reporter: jayswain
+  stage: Software Supply Chain Security
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/509578
+  body: |  # (required) Do not modify this line, instead modify the lines below.
+    In GitLab 18.0, CI/CD job tokens are moving to the JWT standard by default. All new projects will use this standard, but existing projects will continue to use the legacy format. Existing projects can switch to the JWT standard before the GitLab 18.0 release.
+
+    In GitLab 18.3, all CI/CD job tokens must use the JWT standard. Before this release, you can temporarily revert your tokens back to the legacy job token format.
+
+    Known issues:
+
+    1. GitLab Runner's AWS Fargate Drive 0.5.0 and earlier is incompatible with the JWT standard. Users of the [AWS Fargate custom executor driver](https://docs.gitlab.com/runner/configuration/runner_autoscale_aws_fargate/index.html) must upgrade to 0.5.1 or later. For migration instructions, see [the documentation](https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs).
+    1. The much longer JWT standard breaks the `echo $CI_JOB_TOKEN | base64` command used in some CI/CD configuration files. You can use the `echo $CI_JOB_TOKEN | base64 -w0` command instead.
+  window: 2
--- a/doc/.vale/gitlab_docs/ReferenceLinks.yml
+++ b/doc/.vale/gitlab_docs/ReferenceLinks.yml
@ -6,7 +6,7 @@
 # For a list of all options, see https://vale.sh/docs/topics/styles/
 extends: existence
 message: "Put this link inline with the rest of the text."
-link: https://docs.gitlab.com/ee/development/documentation/styleguide/#links
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/#inline-links
 vocab: false
 level: error
 nonword: true
--- a/doc/administration/gitlab_duo_self_hosted/_index.md
+++ b/doc/administration/gitlab_duo_self_hosted/_index.md
@ -20,7 +20,7 @@ To maintain full control over your data privacy, security, and the deployment of

 By deploying GitLab Duo Self-Hosted, you can manage the entire lifecycle of requests made to LLM backends for GitLab Duo features, ensuring that all requests stay in your enterprise network, and avoiding external dependencies.

-For a click-through demo, see [GitLab Duo Self-Hosted prooduct tour](https://gitlab.navattic.com/gitlab-duo-self-hosted).
+For a click-through demo, see [GitLab Duo Self-Hosted product tour](https://gitlab.navattic.com/gitlab-duo-self-hosted).
 <!-- Demo published on 2025-02-13 -->

 ## Why use GitLab Duo Self-Hosted
--- a/doc/development/documentation/styleguide/_index.md
+++ b/doc/development/documentation/styleguide/_index.md
@ -847,6 +847,26 @@ However, you should avoid putting too many links on any page. Too many links can
 - Consider using [Related topics](../topic_types/_index.md#related-topics) to reduce links that interrupt the flow of a task.
 - Try to avoid anchor links to sections on the same page. Let users rely on the right navigation instead.

+### Inline links
+
+Use inline links instead of reference links. Inline links are easier to parse
+and edit.
+([Vale](../testing/vale.md) rule: [`ReferenceLinks.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/.vale/gitlab_docs/ReferenceLinks.yml))
+
+- Do:
+
+  ```markdown
+  For more information, see [merge requests](path/to/merge_requests.md)
+  ```
+
+- Don't:
+
+  ```markdown
+  For more information, see [merge requests][1].
+
+  [1]: path/to/merge_requests.md
+  ```
+
 ### Links in the same repository

 To link to another documentation (`.md`) file in the same repository:
--- a/doc/update/breaking_windows.md
+++ b/doc/update/breaking_windows.md
@ -48,6 +48,7 @@ This window takes place on April 21 - 23, 2025 from 09:00 UTC to 22:00 UTC.
 | [Dependency Scanning for JavaScript vendored libraries](https://gitlab.com/gitlab-org/gitlab/-/issues/501308) | Low | Application_security_testing | Project |
 | [Dependency Scanning upgrades to the GitLab SBOM Vulnerability Scanner](https://gitlab.com/gitlab-org/gitlab/-/issues/501308) | High | Application_security_testing | Project |
 | [Resolve a vulnerability for Dependency Scanning on Yarn projects](https://gitlab.com/gitlab-org/gitlab/-/issues/501308) | Low | Application_security_testing | Project |
+| [DAST `dast_devtools_api_timeout` will have a lower default value](https://gitlab.com/gitlab-org/gitlab/-/issues/517254) | Low | Application security testing | Project |
 | [API Discovery will use branch pipelines by default](https://gitlab.com/gitlab-org/gitlab/-/issues/515487) | Low | Application_security_testing | Project |
 | [Container Scanning default severity threshold set to `medium`](https://gitlab.com/gitlab-org/gitlab/-/issues/515358) | Low | Application security testing | Project |
 | [Subscription related API endpoints in the public API are deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/515371#note_2319368251) | Low | Fulfillment | Instance |
@ -73,6 +74,7 @@ This window takes place on April 28 - 30, 2025 from 09:00 UTC to 22:00 UTC.
 | [RunnersRegistrationTokenReset GraphQL mutation is deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/505703) | High | Verify | Instance, group, project |
 | [Behavior change for Upcoming and Started milestone filters](https://gitlab.com/gitlab-org/gitlab/-/issues/501294) | Low | Plan | Group, project |
 | [`kpt`-based `agentk` is deprecated](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/issues/656) | Low | Deploy | Project |
+| [Updating CI/CD job tokens to JWT standard](https://gitlab.com/gitlab-org/gitlab/-/issues/509578) |  | Software supply chain security |  |

 ## Window 3

--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@ -595,6 +595,41 @@ To continue showing these findings, you must configure the `CS_SEVERITY_THRESHOL

 </div>

+<div class="deprecation " data-milestone="18.0">
+
+### DAST `dast_crawl_extract_element_timeout` and `dast_crawl_search_element_timeout` variables are deprecated
+
+<div class="deprecation-notes">
+
+- Announced in GitLab <span class="milestone">17.9</span>
+- Removal in GitLab <span class="milestone">18.0</span>
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/517250).
+
+</div>
+
+The DAST variables `DAST_CRAWL_EXTRACT_ELEMENT_TIMEOUT` and `DAST_CRAWL_SEARCH_ELEMENT_TIMEOUT` are deprecated and will be removed in GitLab 18.0.
+When they were introduced, the variables provided granular timeout controls for specific browser interactions. These interactions are now governed by a common timeout value, which makes the variables unnecessary. In addition, because of an underlying implementation issue, the variables haven't been functional since the introduction of the DAST browser-based analyzer.
+Removing these two variables will simplify DAST configuration, and provide a better onboarding experience for users.
+
+</div>
+
+<div class="deprecation breaking-change" data-milestone="18.0">
+
+### DAST `dast_devtools_api_timeout` will have a lower default value
+
+<div class="deprecation-notes">
+
+- Announced in GitLab <span class="milestone">17.9</span>
+- Removal in GitLab <span class="milestone">18.0</span> ([breaking change](https://docs.gitlab.com/ee/update/terminology.html#breaking-change))
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/517254).
+
+</div>
+
+The `DAST_DEVTOOLS_API_TIMEOUT` environment variable determines how long a DAST scan waits for a response from the browser. Before GitLab 18.0, the variable has a static value of 45 seconds. After GitLab 18.0, `DAST_DEVTOOLS_API_TIMEOUT` environment variable has a dynamic value, which is calculated based on other timeout configurations.
+In most cases, the 45-second value was higher than the timeout value of many scanner functions. The dynamically calculated value makes the `DAST_DEVTOOLS_API_TIMEOUT` variable more useful by increasing the number of cases it applies to.
+
+</div>
+
 <div class="deprecation breaking-change" data-milestone="18.0">

 ### Dependency Proxy token scope enforcement
@ -662,8 +697,10 @@ using the Gemnasium analyzer will continue to function by default to prevent dis

 Please review the fully detailed changes below and consult [the migration guide](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans.html) to assist you with the transition.

- When using the Dependency Scanning CI/CD template (`Dependency-Scanning.gitlab-ci.yml`), the existing CI/CD jobs based on the Gemnasium analyzer will continue to be used by default. The new Dependency Scanning analyzer will run by default only
-for newly supported languages and package managers that are not already covered by the Gemnasium analyzer. You can also opt-in to fully migrate to the new Dependency Scanning analyzer and use for all supported projects.
+- To prevent disruptions to your CI/CD configuration, when your application uses the stable Dependency Scanning CI/CD template (`Dependency-Scanning.gitlab-ci.yml`), Dependency Scanning uses only the existing CI/CD jobs based on the Gemnasium analyzer.
+- When your application uses the latest Dependency Scanning CI/CD template (`Dependency-Scanning.latest.gitlab-ci.yml`), Dependency Scanning uses the existing CI/CD jobs based on the Gemnasium analyzer and the new Dependency Scanning analyzer also runs on the supported file types.
+- You can also opt-in to enforce the new Dependency Scanning analyzer for all projects.
+- Other migration paths might be considered as the feature gains maturity.
 - To transition to Dependency Scanning with SBOM, the security scan results generated by the Gemansium analyzer will no longer be uploaded to the GitLab platform as a
 [Dependency Scanning security report artifact](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdependency_scanning). Instead, Dependency Scanning results will be generated within the GitLab platform,
 using the GitLab SBOM Vulnerability Scanner, and based on the [CycloneDX SBOM report artifact](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscyclonedx) generated in the CI/CD pipeline.
@ -2015,6 +2052,29 @@ In other cases:

 <div class="deprecation breaking-change" data-milestone="18.0">

+### Updating CI/CD job tokens to JWT standard
+
+<div class="deprecation-notes">
+
+- Announced in GitLab <span class="milestone">17.9</span>
+- Removal in GitLab <span class="milestone">18.0</span> ([breaking change](https://docs.gitlab.com/ee/update/terminology.html#breaking-change))
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/509578).
+
+</div>
+
+In GitLab 18.0, CI/CD job tokens are moving to the JWT standard by default. All new projects will use this standard, but existing projects will continue to use the legacy format. Existing projects can switch to the JWT standard before the GitLab 18.0 release.
+
+In GitLab 18.3, all CI/CD job tokens must use the JWT standard. Before this release, you can temporarily revert your tokens back to the legacy job token format.
+
+Known issues:
+
+1. GitLab Runner's AWS Fargate Drive 0.5.0 and earlier is incompatible with the JWT standard. Users of the [AWS Fargate custom executor driver](https://docs.gitlab.com/runner/configuration/runner_autoscale_aws_fargate/index.html) must upgrade to 0.5.1 or later. For migration instructions, see [the documentation](https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs).
+1. The much longer JWT standard breaks the `echo $CI_JOB_TOKEN | base64` command used in some CI/CD configuration files. You can use the `echo $CI_JOB_TOKEN | base64 -w0` command instead.
+
+</div>
+
+<div class="deprecation breaking-change" data-milestone="18.0">
+
 ### Workspaces `editor` GraphQL field is deprecated

 <div class="deprecation-notes">
--- a/doc/user/application_security/dependency_scanning/dependency_scanning_sbom/_index.md
+++ b/doc/user/application_security/dependency_scanning/dependency_scanning_sbom/_index.md
@ -14,7 +14,13 @@ DETAILS:
 > - [Enabled on GitLab.com, GitLab Self-Managed, and GitLab Dedicated](https://gitlab.com/gitlab-org/gitlab/-/issues/395692) in GitLab 17.5.
 > - Released [lockfile-based Dependency Scanning](https://gitlab.com/gitlab-org/security-products/analyzers/dependency-scanning/-/blob/main/README.md?ref_type=heads#supported-files) analyzer as an [Experiment](../../../../policy/development_stages_support.md#experiment-features) in GitLab 17.4.
 > - Released [Dependency Scanning CI/CD Component](https://gitlab.com/explore/catalog/components/dependency-scanning) version [`0.4.0`](https://gitlab.com/components/dependency-scanning/-/tags/0.4.0) in GitLab 17.5 with support for the [lockfile-based Dependency Scanning](https://gitlab.com/gitlab-org/security-products/analyzers/dependency-scanning/-/blob/main/README.md?ref_type=heads#supported-files) analyzer.
-> - [Enabled by default with the Dependency Scanning CI/CD templates](https://gitlab.com/gitlab-org/gitlab/-/issues/519597) and Scan Execution Policies for Cargo, Conda, Cocoapods and Swift in GitLab 17.9.
+> - [Enabled by default with the latest Dependency Scanning CI/CD templates](https://gitlab.com/gitlab-org/gitlab/-/issues/519597) for Cargo, Conda, Cocoapods and Swift in GitLab 17.9.
+
+FLAG:
+The availability of this feature is controlled by a feature flag.
+For more information, see the history.
+This feature uses an experimental scanner.
+This feature is available for testing, but not ready for production use.

 Dependency scanning using CycloneDX SBOM analyzes your application's dependencies for known
 vulnerabilities. All dependencies are scanned, [including transitive dependencies](../_index.md).
@ -104,10 +110,10 @@ following [PURL types](https://github.com/package-url/purl-spec/blob/34658984613

 Enable the Dependency Scanning using SBOM feature with one of the following options:

- Use either the Dependency Scanning CI/CD template `Dependency-Scanning.gitlab-ci.yml` or `Dependency-Scanning.latest.gitlab-ci.yml` to enable a GitLab provided analyzer.
+- Use the `latest` Dependency Scanning CI/CD template `Dependency-Scanning.latest.gitlab-ci.yml` to enable a GitLab provided analyzer.
  - The (deprecated) Gemnasium analyzer is used by default.
  - To enable the new Dependency Scanning analyzer, set the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` to `true`.
- Use the [Scan Execution Policies](../../policies/scan_execution_policies.md) to enable a GitLab provided analyzer.
+- Use the [Scan Execution Policies](../../policies/scan_execution_policies.md) with the `latest` template to enable a GitLab provided analyzer.
  - The (deprecated) Gemnasium analyzer is used by default.
  - To enable the new Dependency Scanning analyzer, set the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` to `true`.
 - Use the [Dependency Scanning CI/CD component](https://gitlab.com/explore/catalog/components/dependency-scanning) to enable the new Dependency Scanning analyzer.
@ -133,18 +139,18 @@ Prerequisites:

 To enable the analyzer, you must:

- Use either the Dependency Scanning CI/CD template `Dependency-Scanning.gitlab-ci.yml` or `Dependency-Scanning.latest.gitlab-ci.yml`
-and enforce the new Dependency Scanning analyzer by settin the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` to `true`.
+- Use either the `latest` Dependency Scanning CI/CD template `Dependency-Scanning.latest.gitlab-ci.yml`
+and enforce the new Dependency Scanning analyzer by setting the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` to `true`.

  ```yaml
    include:
-      - template: Jobs/Dependency-Scanning.gitlab-ci.yml
+      - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml

    variables:
      DS_ENFORCE_NEW_ANALYZER: 'true'
  ```

- Use the [Scan Execution Policies](../../policies/scan_execution_policies.md) and enforce the new Dependency Scanning analyzer by settin the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` to `true`.
+- Use the [Scan Execution Policies](../../policies/scan_execution_policies.md) with the `latest` template and enforce the new Dependency Scanning analyzer by setting the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` to `true`.
 - Use the [Dependency Scanning CI/CD component](https://gitlab.com/explore/catalog/components/dependency-scanning)

  ```yaml
--- a/doc/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans.md
+++ b/doc/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans.md
@ -15,7 +15,7 @@ replace the legacy Dependency Scanning feature based on the Gemnasium analyzer.
 Follow this migration guide if you use GitLab Dependency Scanning and any of the following conditions apply:

 - The Dependency Scanning CI/CD jobs are configured by including a Dependency Scanning CI/CD templates.
- 
+
  ```yaml
    include:
      - template: Jobs/Dependency-Scanning.gitlab-ci.yml
@ -43,15 +43,10 @@ This also impacts the availability of some functionalities that depend on the se

 ### CI/CD configuration

-When you migrate, you'll find several provisions to help prevent disruption to your workflows:
+To prevent disruption to your CI/CD pipelines, the new approach is not yet applied to the stable Dependency Scanning CI/CD template (`Dependency-Scanning.gitlab-ci.yml`) and you must use the `latest` template (`Dependency-Scanning.latest.gitlab-ci.yml`) to enable it.
+Other migration paths might be considered as the feature gains maturity.

-The stable Dependency Scanning CI/CD template (`Dependency-Scanning.gitlab-ci.yml`) maintains backward compatibility by default. It continues to run existing Gemnasium analyzer jobs, while the new Dependency Scanning analyzer only activates for newly supported languages and package managers.
-You can opt-in to use the new Dependency Scanning analyzer for all projects by configuring the `DS_ENFORCE_NEW_ANALYZER` CI/CD variable to `true`.
-
-For the latest CI/CD template (`Dependency-Scanning.latest.gitlab-ci.yml`), the behavior depends on the version of GitLab you are using:
-
- In GitLab 17.9, 17.10, and 17.11, it matches the stable template's behavior.
- From GitLab 18.0 and later, it switches to use the new Dependency Scanning analyzer exclusively for all projects (`DS_ENFORCE_NEW_ANALYZER` is set to `true` by default).
+The latest Dependency Scanning CI/CD template (`Dependency-Scanning.latest.gitlab-ci.yml`) still maintains backward compatibility by default. It continues to run existing Gemnasium analyzer jobs, while the new Dependency Scanning analyzer only activates for newly supported languages and package managers. You can opt-in to use the new Dependency Scanning analyzer for all projects by configuring the `DS_ENFORCE_NEW_ANALYZER` CI/CD variable to `true`.

 If you're using [Scan Execution Policies](../policies/scan_execution_policies.md), these changes apply in the same way because they build upon the CI/CD templates.

@ -86,12 +81,12 @@ To migrate to the Dependency Scanning using SBOM method, perform the following s
   - If you have manually overridden the `gemnasium-dependency_scanning`, `gemnasium-maven-dependency_scanning`, or `gemnasium-python-dependency_scanning` CI/CD jobs to customize them in a project's `.gitlab-ci.yml` or in the CI/CD configuration for a Pipeline Execution Policy, remove them.
   - If you have configured any of [the impacted CI/CD variables](#changes-to-cicd-variables), adjust your configuration accordingly.
 1. Enable the Dependency Scanning using SBOM feature with one of the following options:
-   - Use either the Dependency Scanning CI/CD template `Dependency-Scanning.gitlab-ci.yml` or `Dependency-Scanning.latest.gitlab-ci.yml` to run the new Dependency Scanning analyzer:
-     1. Keep the Dependency Scanning CI/CD template `include` statement from your `.gitlab-ci.yml` CI/CD configuration.
+   - Use the `latest` Dependency Scanning CI/CD template `Dependency-Scanning.latest.gitlab-ci.yml` to run the new Dependency Scanning analyzer:
+     1. Ensure your `.gitlab-ci.yml` CI/CD configuration includes the latest Dependency Scanning CI/CD template.
     1. Add the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` and set it to `true`. This variable can be set in many different places, while observing the [CI/CD variable precedence](../../../ci/variables/_index.md#cicd-variable-precedence).
     1. Adjust your project and your CI/CD configuration if needed by following the language-specific instructions below.
   - Use the [Scan Execution Policies](../policies/scan_execution_policies.md) to run the new Dependency Scanning analyzer:
-     1. Edit the configured scan execution policy for Dependency Scanning.
+     1. Edit the configured scan execution policy for Dependency Scanning and ensure it uses the `latest` template.
     1. Add the CI/CD variable `DS_ENFORCE_NEW_ANALYZER` and set it to `true`. This variable can be set in many different places, while observing the [CI/CD variable precedence](../../../ci/variables/_index.md#cicd-variable-precedence).
     1. Adjust your project and your CI/CD configuration if needed by following the language-specific instructions below.
   - Use the [Dependency Scanning CI/CD component](https://gitlab.com/explore/catalog/components/dependency-scanning) to run the new Dependency Scanning analyzer:
--- a/doc/user/gitlab_duo_chat/examples.md
+++ b/doc/user/gitlab_duo_chat/examples.md
@ -251,6 +251,7 @@ DETAILS:

 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/477258) in GitLab 17.7 [with flags](../../administration/feature_flags.md) named `duo_additional_context` and `duo_include_context_file`. Disabled by default.
 > - [Enabled](https://gitlab.com/groups/gitlab-org/-/epics/15227) for [self-hosted model configuration](../../administration/gitlab_duo_self_hosted/_index.md#self-hosted-ai-gateway-and-llms) as well as the [default GitLab external AI vendor configuration](../../administration/gitlab_duo_self_hosted/_index.md#gitlabcom-ai-gateway-with-default-gitlab-external-vendor-llms) in GitLab 17.9.
+> - [Enabled on GitLab.com, GitLab Self-Managed, and GitLab Dedicated](https://gitlab.com/groups/gitlab-org/-/epics/15183) in GitLab 17.9.

 FLAG:
 The availability of this feature is controlled by a feature flag.