From 14b3e98b7e6b1028cfdc4437c8f0d365ba4a5931 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Tue, 13 May 2025 06:11:45 +0000 Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master --- .rubocop_todo/gitlab/bounded_contexts.yml | 1 - GITALY_SERVER_VERSION | 2 +- GITLAB_SHELL_VERSION | 2 +- app/assets/javascripts/lib/graphql.js | 3 ++ app/helpers/sidebars_helper.rb | 2 +- app/policies/global_policy.rb | 3 ++ doc/ci/debugging.md | 2 +- doc/ci/pipelines/compute_minutes.md | 2 +- doc/ci/pipelines/pipeline_efficiency.md | 2 +- doc/ci/runners/hosted_runners/_index.md | 2 +- doc/ci/runners/new_creation_workflow.md | 2 +- doc/integration/exact_code_search/zoekt.md | 8 +---- doc/update/terminology.md | 18 ++++++++++ lib/api/helpers.rb | 3 +- lib/gitlab/exclusive_lease.rb | 7 ++++ .../samplers/concurrency_limit_sampler.rb | 2 +- .../admin/menus/admin_overview_menu.rb | 33 +++++++++++-------- locale/gitlab.pot | 3 ++ spec/lib/gitlab/exclusive_lease_spec.rb | 17 ++++++++++ .../concurrency_limit_sampler_spec.rb | 5 ++- spec/policies/global_policy_spec.rb | 3 ++ 21 files changed, 87 insertions(+), 35 deletions(-) diff --git a/.rubocop_todo/gitlab/bounded_contexts.yml b/.rubocop_todo/gitlab/bounded_contexts.yml index f900fa3e0fe..0df7d6138ab 100644 --- a/.rubocop_todo/gitlab/bounded_contexts.yml +++ b/.rubocop_todo/gitlab/bounded_contexts.yml @@ -3533,7 +3533,6 @@ Gitlab/BoundedContexts: - 'ee/lib/ee/event_filter.rb' - 'ee/lib/ee/feature.rb' - 'ee/lib/ee/feature/definition.rb' - - 'ee/lib/ee/sidebars/admin/menus/admin_overview_menu.rb' - 'ee/lib/ee/sidebars/admin/menus/admin_settings_menu.rb' - 'ee/lib/ee/sidebars/admin/menus/monitoring_menu.rb' - 'ee/lib/ee/sidebars/admin/panel.rb' diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION index 151e26a4c93..8ec0d55644e 100644 --- a/GITALY_SERVER_VERSION +++ b/GITALY_SERVER_VERSION @@ -1 +1 @@ -503d70e59609c805742ef9ac6537240e0db33c40 +75281001cbb0339ff4467b1a1ba8f9390af95a7b 
diff --git a/GITLAB_SHELL_VERSION b/GITLAB_SHELL_VERSION index 648c04b679f..68779e98d90 100644 --- a/GITLAB_SHELL_VERSION +++ b/GITLAB_SHELL_VERSION @@ -1 +1 @@ -14.41.0 +14.42.0 diff --git a/app/assets/javascripts/lib/graphql.js b/app/assets/javascripts/lib/graphql.js index d00ef79a130..cb8f77c33db 100644 --- a/app/assets/javascripts/lib/graphql.js +++ b/app/assets/javascripts/lib/graphql.js @@ -79,6 +79,9 @@ export const typePolicies = { ProjectValueStreamAnalyticsFlowMetrics: { merge: true, }, + ValueStreamStageMetrics: { + merge: true, + }, ScanExecutionPolicy: { keyFields: ['name'], }, diff --git a/app/helpers/sidebars_helper.rb b/app/helpers/sidebars_helper.rb index a7fade70b7b..fb7fc30a887 100644 --- a/app/helpers/sidebars_helper.rb +++ b/app/helpers/sidebars_helper.rb @@ -521,7 +521,7 @@ module SidebarsHelper end def display_admin_area_link? - current_user&.can_admin_all_resources? + current_user&.can?(:access_admin_area) end end diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb index 41912f319ce..616f37b34cd 100644 --- a/app/policies/global_policy.rb +++ b/app/policies/global_policy.rb @@ -141,6 +141,7 @@ class GlobalPolicy < BasePolicy end rule { admin }.policy do + enable :access_admin_area enable :read_custom_attribute enable :update_custom_attribute enable :approve_user @@ -159,6 +160,8 @@ class GlobalPolicy < BasePolicy enable :read_admin_health_check enable :read_admin_metrics_dashboard enable :read_admin_system_information + enable :read_admin_users + enable :read_application_statistics end # We can't use `read_statistics` because the user may have different permissions for different projects diff --git a/doc/ci/debugging.md b/doc/ci/debugging.md index 81f1a92071c..f8533b00172 100644 --- a/doc/ci/debugging.md +++ b/doc/ci/debugging.md 
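Review bot: In `display_admin_area_link?` the link's visibility now follows the `access_admin_area` ability, but nothing in the helper says that this is a display check only. Within this commit the ability is enabled solely under `rule { admin }` in `GlobalPolicy`, so admins presumably see no change. Any other rule that later enables it would reveal the link without, by itself, authorizing the pages behind it. I would add a comment above the method such as `# Display-only: shows the Admin area link; each admin controller still authorizes its own action.` The enclosing module starts outside the hunk.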
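Review bot: The three abilities added under `rule { admin }` carry no comment saying what each one gates: `access_admin_area` in the first hunk, `read_admin_users` and `read_application_statistics` in the second. `read_application_statistics` also departs from the `read_admin_*` naming of its neighbours. If the intent is a coarse gate plus page-level abilities, a line such as `# access_admin_area only allows reaching the Admin area; individual pages are gated by the read_admin_* abilities below` would record it. The matching spec hunk only adds the three symbols to the admin's permission list, and the surrounding examples are outside the hunk, so whether non-admin users are asserted to lack them should be confirmed.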
@@ -242,7 +242,7 @@ as they could be viewed by any user with access to the pipelines. ### Run the job's commands locally -You can use a tool like [Rancher Desktop](https://rancherdesktop.io/) or [similar alternatives](https://handbook.gitlab.com/handbook/tools-and-tips/mac/#docker-desktop) +You can use a tool like [Rancher Desktop](https://rancherdesktop.io/) or similar alternatives to run the job's container image on your local machine. Then, run the job's `script` commands in the container and verify the behavior. diff --git a/doc/ci/pipelines/compute_minutes.md b/doc/ci/pipelines/compute_minutes.md index a0b3e4bf950..0927d44ed03 100644 --- a/doc/ci/pipelines/compute_minutes.md +++ b/doc/ci/pipelines/compute_minutes.md @@ -133,7 +133,7 @@ Certain [discounts apply to GitLab.com](#cost-factors-for-gitlabcom) based on pr Community contributors can use up to 300,000 minutes on instance runners when contributing to open source projects maintained by GitLab. The maximum of 300,000 minutes would only be possible if contributing exclusively to projects -[part of the GitLab product](https://handbook.gitlab.com/handbook/product/groups/product-analysis/engineering/metrics/#projects-that-are-part-of-the-product). +part of the GitLab product. The total number of minutes available on instance runners is reduced by the compute minutes used by pipelines from other projects. The 300,000 minutes applies to all GitLab.com tiers. diff --git a/doc/ci/pipelines/pipeline_efficiency.md b/doc/ci/pipelines/pipeline_efficiency.md index bbe24478f69..371911b4606 100644 --- a/doc/ci/pipelines/pipeline_efficiency.md +++ b/doc/ci/pipelines/pipeline_efficiency.md 
@@ -258,5 +258,5 @@ identify recurring problems with CI pipeline efficiency. ### Related topics - [CI Monitoring Webcast Slides](https://docs.google.com/presentation/d/1ONwIIzRB7GWX-WOSziIIv8fz1ngqv77HO1yVfRooOHM/edit?usp=sharing) -- [GitLab.com Monitoring Handbook](https://handbook.gitlab.com/handbook/engineering/monitoring/) +- GitLab.com Monitoring Handbook - [Buildings dashboards for operational visibility](https://aws.amazon.com/builders-library/building-dashboards-for-operational-visibility/) diff --git a/doc/ci/runners/hosted_runners/_index.md b/doc/ci/runners/hosted_runners/_index.md index c74e50bc493..22f84532a75 100644 --- a/doc/ci/runners/hosted_runners/_index.md +++ b/doc/ci/runners/hosted_runners/_index.md @@ -85,7 +85,7 @@ For more information about the security of hosted runners for GitLab.com, see: - [Google Cloud Infrastructure Security Design Overview whitepaper](https://cloud.google.com/docs/security/infrastructure/design/resources/google_infrastructure_whitepaper_fa.pdf) - [GitLab Trust Center](https://about.gitlab.com/security/) -- [GitLab Security Compliance Controls](https://handbook.gitlab.com/handbook/security/security-assurance/security-compliance/sec-controls/) +- GitLab Security Compliance Controls ### Caching on hosted runners for GitLab.com diff --git a/doc/ci/runners/new_creation_workflow.md b/doc/ci/runners/new_creation_workflow.md index d1df69a12df..67b28ff279f 100644 --- a/doc/ci/runners/new_creation_workflow.md +++ b/doc/ci/runners/new_creation_workflow.md 
@@ -20,7 +20,7 @@ Use the [runner creation workflow](https://docs.gitlab.com/runner/register/#regi For information about the current development status of the new workflow, see [epic 7663](https://gitlab.com/groups/gitlab-org/-/epics/7663). -For information about the technical design and reasons for the new architecture, see [Next GitLab Runner Token Architecture](https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/runner_tokens/). +For information about the technical design and reasons for the new architecture, see Next GitLab Runner Token Architecture. If you experience problems or have concerns about the new runner registration workflow, or need more information, let us know in the [feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/387993). diff --git a/doc/integration/exact_code_search/zoekt.md b/doc/integration/exact_code_search/zoekt.md index f0b77670137..3ec80b404a9 100644 --- a/doc/integration/exact_code_search/zoekt.md +++ b/doc/integration/exact_code_search/zoekt.md @@ -76,16 +76,10 @@ To enable [exact code search](../../user/search/exact_code_search.md) in GitLab: - Stopping indexing when Zoekt node storage exceeds the critical watermark [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/504945) in GitLab 17.7 [with a flag](../../administration/feature_flags.md) named `zoekt_critical_watermark_stop_indexing`. Disabled by default. - [Enabled on GitLab.com, GitLab Self-Managed, and GitLab Dedicated](https://gitlab.com/gitlab-org/gitlab/-/issues/505334) in GitLab 18.0. +- [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/505334) in GitLab 18.1. Feature flag `zoekt_critical_watermark_stop_indexing` removed. {{< /history >}} -{{< alert type="flag" >}} - -The availability of this feature is controlled by a feature flag. -For more information, see the history. - -{{< /alert >}} - Prerequisites: - You must have administrator access to the instance. 
diff --git a/doc/update/terminology.md b/doc/update/terminology.md index 3f259e8116f..99c1359b730 100644 --- a/doc/update/terminology.md +++ b/doc/update/terminology.md @@ -44,3 +44,21 @@ A "breaking change" is any change that requires users to make a corresponding ch - Removing a public method from a code class. A breaking change can be considered major if it affects many users, or represents a significant change in behavior. + +## Third-party dependencies + +This section applies to all above terms. + +Changes (deprecation, end of support, removal, or breaking change) in third-party dependencies are handled separately from changes to features in GitLab itself: + +- These changes follow the dependency's own lifecycle and are not subject to feature process and timeline requirements for GitLab. +- GitLab will try to minimize impact and provide a smooth migration experience for third-party dependency changes that affect our product. +- Security updates to dependencies might be applied without following their standard deprecation processes when necessary to address severe vulnerabilities within vulnerability resolution SLAs. For more information, see the GitLab Handbook. +- In cases where dependencies change outside our control or timeline, GitLab might need to implement changes to our own software outside our usual process and timeline to + maintain our functionality, compatibility, or security. +- GitLab will make reasonable efforts to communicate significant third-party dependency changes. +- GitLab is not responsible for any changes in third-party dependency functionality that is not directly used by GitLab products. +- Customers who leverage these third-party dependencies beyond the usage patterns of GitLab do so at their own risk and should: + - Monitor the third-party's release notes independently. + - Test their custom implementations against new dependency versions. + - Plan their own migration strategies for third-party changes. 
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index ce38a30e7ab..65279fd1fbb 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -376,7 +376,8 @@ module API end def authorize_read_application_statistics! - authenticated_as_admin! + authenticate! + forbidden! unless current_user.can?(:read_application_statistics) end def authorize!(action, subject = :global, reason = nil) diff --git a/lib/gitlab/exclusive_lease.rb b/lib/gitlab/exclusive_lease.rb index 3ada9ec5423..23cbad04d3b 100644 --- a/lib/gitlab/exclusive_lease.rb +++ b/lib/gitlab/exclusive_lease.rb @@ -180,6 +180,13 @@ module Gitlab def cancel self.class.cancel(@redis_shared_state_key, @uuid) end + + # Returns true if the UUID for the key hasn't changed. + def same_uuid? + ::Gitlab::Redis::SharedState.with do |redis| + redis.get(@redis_shared_state_key) == @uuid + end + end end end diff --git a/lib/gitlab/metrics/samplers/concurrency_limit_sampler.rb b/lib/gitlab/metrics/samplers/concurrency_limit_sampler.rb index 6c71a076d76..dac73c806a5 100644 --- a/lib/gitlab/metrics/samplers/concurrency_limit_sampler.rb +++ b/lib/gitlab/metrics/samplers/concurrency_limit_sampler.rb @@ -29,7 +29,7 @@ module Gitlab try_obtain_lease do # Keep reporting the metrics while the lease is valid # to ensure we have continuous data - while exclusive_lease.exists? + while exclusive_lease.same_uuid? report_metrics Kernel.sleep(DEFAULT_SAMPLING_INTERVAL_SECONDS) end diff --git a/lib/sidebars/admin/menus/admin_overview_menu.rb b/lib/sidebars/admin/menus/admin_overview_menu.rb index acf3ed903dd..c58cff892e8 100644 --- a/lib/sidebars/admin/menus/admin_overview_menu.rb +++ b/lib/sidebars/admin/menus/admin_overview_menu.rb 
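Review bot: `authorize_read_application_statistics!` now admits any user whose policy enables `read_application_statistics` rather than only admins, yet the commit's file list contains no request spec for the endpoints that call this helper. The only coverage visible in this commit is the `GlobalPolicy` spec, so a request spec that rejects an unauthenticated call and returns 403 for a regular user would pin the new gate. The second line could also reuse the `authorize!` helper whose signature appears just below in this hunk, as `authorize!(:read_application_statistics)`, assuming its body (outside the hunk) performs the same `forbidden!` check against the global subject.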
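Review bot: The comment on `same_uuid?` does not say what the method returns when the key is absent, which is the case a polling caller relies on to stop. From the body, a missing key makes `redis.get` return nil, so the comparison is false provided `@uuid` is never nil; its assignment is outside the hunk and worth confirming. I would reword the comment as `# Returns true only while this instance still holds the lease; false once the key is gone or stores another UUID.` The result is a point-in-time read, so a true value is not a guarantee for the work that follows it.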
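Review bot: The comment kept above the loop, `# Keep reporting the metrics while the lease is valid`, no longer matches the condition. `same_uuid?` ends the loop as soon as this process is not the holder, even if a lease on the key still exists under another UUID. I would update it to `# Keep reporting only while this process still holds the lease`. The enclosing method and `try_obtain_lease` are outside the hunk.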
@@ -32,74 +32,79 @@ module Sidebars { testid: 'admin-overview-submenu-content' } end + override :render_with_abilities + def render_with_abilities + super + %i[access_admin_area] + end + private def dashboard_menu_item - ::Sidebars::MenuItem.new( + build_menu_item( title: _('Dashboard'), link: admin_root_path, active_routes: { controller: 'dashboard' }, item_id: :dashboard - ) + ) { can?(current_user, :read_application_statistics) } end def projects_menu_item - ::Sidebars::MenuItem.new( + build_menu_item( title: _('Projects'), link: admin_projects_path, active_routes: { controller: 'admin/projects' }, item_id: :projects - ) + ) { can?(current_user, :admin_all_resources) } end def users_menu_item - ::Sidebars::MenuItem.new( + build_menu_item( title: _('Users'), link: admin_users_path, active_routes: { controller: 'users' }, item_id: :users, container_html_options: { 'data-testid': 'admin-overview-users-link' } - ) + ) { can?(current_user, :read_admin_users) } end def groups_menu_item - ::Sidebars::MenuItem.new( + build_menu_item( title: _('Groups'), link: admin_groups_path, active_routes: { controller: 'groups' }, item_id: :groups, container_html_options: { 'data-testid': 'admin-overview-groups-link' } - ) + ) { can?(current_user, :admin_all_resources) } end def organizations_menu_item return unless Feature.enabled?(:ui_for_organizations, current_user) - ::Sidebars::MenuItem.new( + build_menu_item( title: _('Organizations'), link: admin_organizations_path, active_routes: { controller: 'organizations' }, item_id: :organizations, container_html_options: { 'data-testid': 'admin-overview-organizations-link' } - ) + ) { can?(current_user, :admin_all_resources) } end def topics_menu_item - ::Sidebars::MenuItem.new( + build_menu_item( title: _('Topics'), link: admin_topics_path, active_routes: { controller: 'admin/topics' }, item_id: :topics - ) + ) { can?(current_user, :admin_all_resources) } end def gitaly_servers_menu_item - ::Sidebars::MenuItem.new( + build_menu_item( 
title: _('Gitaly servers'), link: admin_gitaly_servers_path, active_routes: { controller: 'gitaly_servers' }, item_id: :gitaly_servers - ) + ) { can?(current_user, :read_admin_gitaly_servers) } end end end diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 03fb4ea955c..0308802ae02 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -19399,6 +19399,9 @@ msgstr "" msgid "CycleAnalytics|There is no data for 'Total time' available. Adjust the current filters." msgstr "" +msgid "CycleAnalytics|There was an error while fetching data for the stage time chart." +msgstr "" + msgid "CycleAnalytics|Time to restore service" msgstr "" diff --git a/spec/lib/gitlab/exclusive_lease_spec.rb b/spec/lib/gitlab/exclusive_lease_spec.rb index 83149f9b4f6..1997215e4d2 100644 --- a/spec/lib/gitlab/exclusive_lease_spec.rb +++ b/spec/lib/gitlab/exclusive_lease_spec.rb @@ -331,4 +331,21 @@ RSpec.describe Gitlab::ExclusiveLease, :request_store, described_class.throttle(1, count: 48, period: 1.day) {} end end + + describe '#same_uuid?' do + it 'returns true for an existing lease' do + lease = described_class.new(unique_key, timeout: 3600) + lease.try_obtain + + expect(lease.same_uuid?).to eq(true) + end + + it 'returns false for a lease that does not exist' do + described_class.new(unique_key, timeout: 3600).try_obtain + + lease = described_class.new(unique_key, timeout: 3600) + + expect(lease.same_uuid?).to eq(false) + end + end end diff --git a/spec/lib/gitlab/metrics/samplers/concurrency_limit_sampler_spec.rb b/spec/lib/gitlab/metrics/samplers/concurrency_limit_sampler_spec.rb index 2a835d9d6ef..6489d8f98fd 100644 --- a/spec/lib/gitlab/metrics/samplers/concurrency_limit_sampler_spec.rb +++ b/spec/lib/gitlab/metrics/samplers/concurrency_limit_sampler_spec.rb 
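Review bot: Every item in this menu is now built with a block such as `{ can?(current_user, :read_admin_users) }`, but the commit's file list includes no spec for `admin_overview_menu.rb`, so the mapping from item to ability is untested here. Four items repeat `:admin_all_resources` as a literal. A short comment on `render_with_abilities` would make the two-level gate explicit: `access_admin_area` presumably lets the menu render while each block decides a single item. These checks only hide links, and no controller changes in this commit, so the diff cannot confirm that the pages behind `admin_users_path` and `admin_root_path` enforce the same abilities. `build_menu_item` is defined outside the hunk, so how it treats a false block result is assumed.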
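Review bot: The second example, `'returns false for a lease that does not exist'`, first obtains a lease on `unique_key` through another instance, so it exercises a key held under a different UUID rather than a missing key. I would rename it to `'returns false when the key is held under another UUID'`. I would also add an example for a truly absent key, for instance a new lease that was never obtained, expecting `same_uuid?` to be false. That absent-key case is what the sampler loop depends on once its lease has expired.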
@@ -22,7 +22,7 @@ RSpec.describe Gitlab::Metrics::Samplers::ConcurrencyLimitSampler, :clean_gitlab before do allow(Gitlab::SidekiqMiddleware::ConcurrencyLimit::WorkersMap) .to receive(:workers).and_return(workers_with_limits) - allow(sampler.exclusive_lease).to receive(:exists?).and_return(true, false) # run sample once + allow(sampler.exclusive_lease).to receive(:same_uuid?).and_return(true, false) # run sample once end it 'fetches data for each worker and sets gauge' do @@ -77,8 +77,7 @@ RSpec.describe Gitlab::Metrics::Samplers::ConcurrencyLimitSampler, :clean_gitlab context 'when lease exists for more than 1 cycle' do before do - stub_exclusive_lease(lease_key, timeout: described_class::LEASE_TIMEOUT) - allow(sampler.exclusive_lease).to receive(:exists?).and_return(true, true, true, false) + allow(sampler.exclusive_lease).to receive(:same_uuid?).and_return(true, true, true, false) end it 'report metrics while lease exists and afterwards reset the metrics' do diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb index 1bedab200ac..cbc04ca9a7a 100644 --- a/spec/policies/global_policy_spec.rb +++ b/spec/policies/global_policy_spec.rb @@ -751,6 +751,9 @@ RSpec.describe GlobalPolicy, feature_category: :shared do let(:current_user) { admin_user } let(:permissions) do [ + :access_admin_area, + :read_application_statistics, + :read_admin_users, :read_admin_audit_log, :read_admin_background_jobs, :read_admin_background_migrations,