Add latest changes from gitlab-org/gitlab@master

2025-05-13 06:11:45 +00:00 · 2025-05-13 06:11:45 +00:00 · 14b3e98b7e
parent 232b95461c
commit 14b3e98b7e
21 changed files with 87 additions and 35 deletions
--- a/.rubocop_todo/gitlab/bounded_contexts.yml
+++ b/.rubocop_todo/gitlab/bounded_contexts.yml
@ -3533,7 +3533,6 @@ Gitlab/BoundedContexts:
    - 'ee/lib/ee/event_filter.rb'
    - 'ee/lib/ee/feature.rb'
    - 'ee/lib/ee/feature/definition.rb'
    - 'ee/lib/ee/sidebars/admin/menus/admin_overview_menu.rb'
    - 'ee/lib/ee/sidebars/admin/menus/admin_settings_menu.rb'
    - 'ee/lib/ee/sidebars/admin/menus/monitoring_menu.rb'
    - 'ee/lib/ee/sidebars/admin/panel.rb'
--- a/2
+++ b/2
@ -1 +1 @@
-503d70e59609c805742ef9ac6537240e0db33c40
+75281001cbb0339ff4467b1a1ba8f9390af95a7b
--- a/2
+++ b/2
@ -1 +1 @@
-14.41.0
+14.42.0
--- a/app/assets/javascripts/lib/graphql.js
+++ b/app/assets/javascripts/lib/graphql.js
@ -79,6 +79,9 @@ export const typePolicies = {
  ProjectValueStreamAnalyticsFlowMetrics: {
    merge: true,
  },
  ValueStreamStageMetrics: {
    merge: true,
  },
  ScanExecutionPolicy: {
    keyFields: ['name'],
  },
--- a/app/helpers/sidebars_helper.rb
+++ b/app/helpers/sidebars_helper.rb
@ -521,7 +521,7 @@ module SidebarsHelper
  end
  def display_admin_area_link?
-    current_user&.can_admin_all_resources?
+    current_user&.can?(:access_admin_area)
  end
 end
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@ -141,6 +141,7 @@ class GlobalPolicy < BasePolicy
  end
  rule { admin }.policy do
    enable :access_admin_area
    enable :read_custom_attribute
    enable :update_custom_attribute
    enable :approve_user
@ -159,6 +160,8 @@ class GlobalPolicy < BasePolicy
    enable :read_admin_health_check
    enable :read_admin_metrics_dashboard
    enable :read_admin_system_information
    enable :read_admin_users
    enable :read_application_statistics
  end
  # We can't use `read_statistics` because the user may have different permissions for different projects
--- a/doc/ci/debugging.md
+++ b/doc/ci/debugging.md
@ -242,7 +242,7 @@ as they could be viewed by any user with access to the pipelines.
 ### Run the job's commands locally
-You can use a tool like [Rancher Desktop](https://rancherdesktop.io/) or [similar alternatives](https://handbook.gitlab.com/handbook/tools-and-tips/mac/#docker-desktop)
+You can use a tool like [Rancher Desktop](https://rancherdesktop.io/) or similar alternatives
 to run the job's container image on your local machine. Then, run the job's `script` commands
 in the container and verify the behavior.
--- a/doc/ci/pipelines/compute_minutes.md
+++ b/doc/ci/pipelines/compute_minutes.md
@ -133,7 +133,7 @@ Certain [discounts apply to GitLab.com](#cost-factors-for-gitlabcom) based on pr
 Community contributors can use up to 300,000 minutes on instance runners when contributing to open source projects
 maintained by GitLab. The maximum of 300,000 minutes would only be possible if contributing exclusively to projects
-[part of the GitLab product](https://handbook.gitlab.com/handbook/product/groups/product-analysis/engineering/metrics/#projects-that-are-part-of-the-product).
+part of the GitLab product.
 The total number of minutes available on instance runners is reduced by the compute minutes used by pipelines from
 other projects. The 300,000 minutes applies to all GitLab.com tiers.
--- a/doc/ci/pipelines/pipeline_efficiency.md
+++ b/doc/ci/pipelines/pipeline_efficiency.md
@ -258,5 +258,5 @@ identify recurring problems with CI pipeline efficiency.
 ### Related topics
 - [CI Monitoring Webcast Slides](https://docs.google.com/presentation/d/1ONwIIzRB7GWX-WOSziIIv8fz1ngqv77HO1yVfRooOHM/edit?usp=sharing)
- [GitLab.com Monitoring Handbook](https://handbook.gitlab.com/handbook/engineering/monitoring/)
+- GitLab.com Monitoring Handbook
 - [Buildings dashboards for operational visibility](https://aws.amazon.com/builders-library/building-dashboards-for-operational-visibility/)
--- a/doc/ci/runners/hosted_runners/_index.md
+++ b/doc/ci/runners/hosted_runners/_index.md
@ -85,7 +85,7 @@ For more information about the security of hosted runners for GitLab.com, see:
 - [Google Cloud Infrastructure Security Design Overview whitepaper](https://cloud.google.com/docs/security/infrastructure/design/resources/google_infrastructure_whitepaper_fa.pdf)
 - [GitLab Trust Center](https://about.gitlab.com/security/)
- [GitLab Security Compliance Controls](https://handbook.gitlab.com/handbook/security/security-assurance/security-compliance/sec-controls/)
+- GitLab Security Compliance Controls
 ### Caching on hosted runners for GitLab.com
--- a/doc/ci/runners/new_creation_workflow.md
+++ b/doc/ci/runners/new_creation_workflow.md
@ -20,7 +20,7 @@ Use the [runner creation workflow](https://docs.gitlab.com/runner/register/#regi
 For information about the current development status of the new workflow, see [epic 7663](https://gitlab.com/groups/gitlab-org/-/epics/7663).
-For information about the technical design and reasons for the new architecture, see [Next GitLab Runner Token Architecture](https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/runner_tokens/).
+For information about the technical design and reasons for the new architecture, see Next GitLab Runner Token Architecture.
 If you experience problems or have concerns about the new runner registration workflow,
 or need more information, let us know in the [feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/387993).
--- a/doc/integration/exact_code_search/zoekt.md
+++ b/doc/integration/exact_code_search/zoekt.md
@ -76,16 +76,10 @@ To enable [exact code search](../../user/search/exact_code_search.md) in GitLab:
 - Stopping indexing when Zoekt node storage exceeds the critical watermark [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/504945) in GitLab 17.7 [with a flag](../../administration/feature_flags.md) named `zoekt_critical_watermark_stop_indexing`. Disabled by default.
 - [Enabled on GitLab.com, GitLab Self-Managed, and GitLab Dedicated](https://gitlab.com/gitlab-org/gitlab/-/issues/505334) in GitLab 18.0.
 - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/505334) in GitLab 18.1. Feature flag `zoekt_critical_watermark_stop_indexing` removed.
 {{< /history >}}
 {{< alert type="flag" >}}
 The availability of this feature is controlled by a feature flag.
 For more information, see the history.
 {{< /alert >}}
 Prerequisites:
 - You must have administrator access to the instance.
--- a/doc/update/terminology.md
+++ b/doc/update/terminology.md
@ -44,3 +44,21 @@ A "breaking change" is any change that requires users to make a corresponding ch
 - Removing a public method from a code class.
 A breaking change can be considered major if it affects many users, or represents a significant change in behavior.
 ## Third-party dependencies
 This section applies to all above terms.
 Changes (deprecation, end of support, removal, or breaking change) in third-party dependencies are handled separately from changes to features in GitLab itself:
 - These changes follow the dependency's own lifecycle and are not subject to feature process and timeline requirements for GitLab.
 - GitLab will try to minimize impact and provide a smooth migration experience for third-party dependency changes that affect our product.
 - Security updates to dependencies might be applied without following their standard deprecation processes when necessary to address severe vulnerabilities within vulnerability resolution SLAs. For more information, see the GitLab Handbook.
 - In cases where dependencies change outside our control or timeline, GitLab might need to implement changes to our own software outside our usual process and timeline to
  maintain our functionality, compatibility, or security.
 - GitLab will make reasonable efforts to communicate significant third-party dependency changes.
 - GitLab is not responsible for any changes in third-party dependency functionality that is not directly used by GitLab products.
 - Customers who leverage these third-party dependencies beyond the usage patterns of GitLab do so at their own risk and should:
  - Monitor the third-party's release notes independently.
  - Test their custom implementations against new dependency versions.
  - Plan their own migration strategies for third-party changes.
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@ -376,7 +376,8 @@ module API
    end
    def authorize_read_application_statistics!
-      authenticated_as_admin!
+      authenticate!
      forbidden! unless current_user.can?(:read_application_statistics)
    end
    def authorize!(action, subject = :global, reason = nil)
--- a/lib/gitlab/exclusive_lease.rb
+++ b/lib/gitlab/exclusive_lease.rb
@ -180,6 +180,13 @@ module Gitlab
    def cancel
      self.class.cancel(@redis_shared_state_key, @uuid)
    end
    # Returns true if the UUID for the key hasn't changed.
    def same_uuid?
      ::Gitlab::Redis::SharedState.with do |redis|
        redis.get(@redis_shared_state_key) == @uuid
      end
    end
  end
 end
--- a/lib/gitlab/metrics/samplers/concurrency_limit_sampler.rb
+++ b/lib/gitlab/metrics/samplers/concurrency_limit_sampler.rb
@ -29,7 +29,7 @@ module Gitlab
          try_obtain_lease do
            # Keep reporting the metrics while the lease is valid
            # to ensure we have continuous data
-            while exclusive_lease.exists?
+            while exclusive_lease.same_uuid?
              report_metrics
              Kernel.sleep(DEFAULT_SAMPLING_INTERVAL_SECONDS)
            end
--- a/lib/sidebars/admin/menus/admin_overview_menu.rb
+++ b/lib/sidebars/admin/menus/admin_overview_menu.rb
@ -32,74 +32,79 @@ module Sidebars
          { testid: 'admin-overview-submenu-content' }
        end
        override :render_with_abilities
        def render_with_abilities
          super + %i[access_admin_area]
        end
        private
        def dashboard_menu_item
-          ::Sidebars::MenuItem.new(
+          build_menu_item(
            title: _('Dashboard'),
            link: admin_root_path,
            active_routes: { controller: 'dashboard' },
            item_id: :dashboard
-          )
+          ) { can?(current_user, :read_application_statistics) }
        end
        def projects_menu_item
-          ::Sidebars::MenuItem.new(
+          build_menu_item(
            title: _('Projects'),
            link: admin_projects_path,
            active_routes: { controller: 'admin/projects' },
            item_id: :projects
-          )
+          ) { can?(current_user, :admin_all_resources) }
        end
        def users_menu_item
-          ::Sidebars::MenuItem.new(
+          build_menu_item(
            title: _('Users'),
            link: admin_users_path,
            active_routes: { controller: 'users' },
            item_id: :users,
            container_html_options: { 'data-testid': 'admin-overview-users-link' }
-          )
+          ) { can?(current_user, :read_admin_users) }
        end
        def groups_menu_item
-          ::Sidebars::MenuItem.new(
+          build_menu_item(
            title: _('Groups'),
            link: admin_groups_path,
            active_routes: { controller: 'groups' },
            item_id: :groups,
            container_html_options: { 'data-testid': 'admin-overview-groups-link' }
-          )
+          ) { can?(current_user, :admin_all_resources) }
        end
        def organizations_menu_item
          return unless Feature.enabled?(:ui_for_organizations, current_user)
-          ::Sidebars::MenuItem.new(
+          build_menu_item(
            title: _('Organizations'),
            link: admin_organizations_path,
            active_routes: { controller: 'organizations' },
            item_id: :organizations,
            container_html_options: { 'data-testid': 'admin-overview-organizations-link' }
-          )
+          ) { can?(current_user, :admin_all_resources) }
        end
        def topics_menu_item
-          ::Sidebars::MenuItem.new(
+          build_menu_item(
            title: _('Topics'),
            link: admin_topics_path,
            active_routes: { controller: 'admin/topics' },
            item_id: :topics
-          )
+          ) { can?(current_user, :admin_all_resources) }
        end
        def gitaly_servers_menu_item
-          ::Sidebars::MenuItem.new(
+          build_menu_item(
            title: _('Gitaly servers'),
            link: admin_gitaly_servers_path,
            active_routes: { controller: 'gitaly_servers' },
            item_id: :gitaly_servers
-          )
+          ) { can?(current_user, :read_admin_gitaly_servers) }
        end
      end
    end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@ -19399,6 +19399,9 @@ msgstr ""
 msgid "CycleAnalytics|There is no data for 'Total time' available. Adjust the current filters."
 msgstr ""
 msgid "CycleAnalytics|There was an error while fetching data for the stage time chart."
 msgstr ""
 msgid "CycleAnalytics|Time to restore service"
 msgstr ""
--- a/spec/lib/gitlab/exclusive_lease_spec.rb
+++ b/spec/lib/gitlab/exclusive_lease_spec.rb
@ -331,4 +331,21 @@ RSpec.describe Gitlab::ExclusiveLease, :request_store,
      described_class.throttle(1, count: 48, period: 1.day) {}
    end
  end
  describe '#same_uuid?' do
    it 'returns true for an existing lease' do
      lease = described_class.new(unique_key, timeout: 3600)
      lease.try_obtain
      expect(lease.same_uuid?).to eq(true)
    end
    it 'returns false for a lease that does not exist' do
      described_class.new(unique_key, timeout: 3600).try_obtain
      lease = described_class.new(unique_key, timeout: 3600)
      expect(lease.same_uuid?).to eq(false)
    end
  end
 end
--- a/spec/lib/gitlab/metrics/samplers/concurrency_limit_sampler_spec.rb
+++ b/spec/lib/gitlab/metrics/samplers/concurrency_limit_sampler_spec.rb
@ -22,7 +22,7 @@ RSpec.describe Gitlab::Metrics::Samplers::ConcurrencyLimitSampler, :clean_gitlab
      before do
        allow(Gitlab::SidekiqMiddleware::ConcurrencyLimit::WorkersMap)
          .to receive(:workers).and_return(workers_with_limits)
-        allow(sampler.exclusive_lease).to receive(:exists?).and_return(true, false) # run sample once
+        allow(sampler.exclusive_lease).to receive(:same_uuid?).and_return(true, false) # run sample once
      end
      it 'fetches data for each worker and sets gauge' do
@ -77,8 +77,7 @@ RSpec.describe Gitlab::Metrics::Samplers::ConcurrencyLimitSampler, :clean_gitlab
      context 'when lease exists for more than 1 cycle' do
        before do
-          stub_exclusive_lease(lease_key, timeout: described_class::LEASE_TIMEOUT)
+          allow(sampler.exclusive_lease).to receive(:same_uuid?).and_return(true, true, true, false)
          allow(sampler.exclusive_lease).to receive(:exists?).and_return(true, true, true, false)
        end
        it 'report metrics while lease exists and afterwards reset the metrics' do
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@ -751,6 +751,9 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
      let(:current_user) { admin_user }
      let(:permissions) do
        [
          :access_admin_area,
          :read_application_statistics,
          :read_admin_users,
          :read_admin_audit_log,
          :read_admin_background_jobs,
          :read_admin_background_migrations,
`@ -1 +1 @@`
	`503d70e59609c805742ef9ac6537240e0db33c40`	`75281001cbb0339ff4467b1a1ba8f9390af95a7b`