From 1dbd5e4a8082d0ca86a8b2dad73b34523be137db Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Fri, 4 Aug 2023 21:09:50 +0000
Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master

---
 .../components/inbound_token_access.vue       |  11 +++-
 .../components/outbound_token_access.vue      |  13 +++-
 .../page_bundles/merge_requests.scss          |   4 ++
 ...ipeline_success_unlock_artifacts_worker.rb |   4 +-
 app/workers/concerns/worker_attributes.rb     |   4 +-
 config/settings.rb                            |   4 +-
 config/sidekiq_queues.yml                     |   2 +
 .../15-9-insecure-ci-job-token.yml            |   2 +
 .../20230727144741_add_label_lock_on_merge.rb |   7 +++
 db/schema_migrations/20230727144741           |   1 +
 db/structure.sql                              |   3 +-
 doc/api/project_job_token_scopes.md           |   4 +-
 doc/ci/jobs/ci_job_token.md                   |  12 +++-
 doc/ci/troubleshooting.md                     |   4 +-
 .../advanced_search_migration_styleguide.md   |  21 +++++++
 doc/development/sidekiq/index.md              |   2 +-
 .../advanced_search/elasticsearch.md          |  14 +++++
 .../incident_management/manage_incidents.md   |   2 +-
 doc/update/deprecations.md                    |   2 +
 doc/user/okrs.md                              |  56 ++++++++++++++++++
 .../project/issues/confidential_issues.md     |  33 ++++-------
 .../img/confidential_issues_search_guest.png  | Bin 8593 -> 0 bytes
 .../img/confidential_issues_search_master.png | Bin 13228 -> 0 bytes
 lib/gitlab/sidekiq_middleware/skip_jobs.rb    |   4 +-
 locale/gitlab.pot                             |  12 ++--
 .../sidekiq_middleware/skip_jobs_spec.rb      |   2 +-
 ...ne_success_unlock_artifacts_worker_spec.rb |  39 ++++++++++++
 .../concerns/worker_attributes_spec.rb        |   4 +-
 28 files changed, 216 insertions(+), 50 deletions(-)
 create mode 100644 db/migrate/20230727144741_add_label_lock_on_merge.rb
 create mode 100644 db/schema_migrations/20230727144741
 delete mode 100644 doc/user/project/issues/img/confidential_issues_search_guest.png
 delete mode 100644 doc/user/project/issues/img/confidential_issues_search_master.png

diff --git a/app/assets/javascripts/token_access/components/inbound_token_access.vue b/app/assets/javascripts/token_access/components/inbound_token_access.vue
index eb1222d5130..ac359b4f901 100644
--- a/app/assets/javascripts/token_access/components/inbound_token_access.vue
+++ b/app/assets/javascripts/token_access/components/inbound_token_access.vue
@@ -21,9 +21,9 @@ import TokenProjectsTable from './token_projects_table.vue';
 
 export default {
   i18n: {
-    toggleLabelTitle: s__('CICD|Allow access to this project with a CI_JOB_TOKEN'),
+    toggleLabelTitle: s__('CICD|Limit access %{italicStart}to%{italicEnd} this project'),
     toggleHelpText: s__(
-      `CICD|Manage which projects can use their CI_JOB_TOKEN to access this project. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more.%{linkEnd}`,
+      `CICD|Prevent access to this project from other project CI/CD job tokens, unless the other project is added to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more.%{linkEnd}`,
     ),
     cardHeaderTitle: s__(
       'CICD|Allow CI job tokens from the following projects to access this project',
@@ -209,6 +209,13 @@ export default {
         :label="$options.i18n.toggleLabelTitle"
         @change="updateCIJobTokenScope"
       >
+        <template #label>
+          <gl-sprintf :message="$options.i18n.toggleLabelTitle">
+            <template #italic="{ content }">
+              <i>{{ content }}</i>
+            </template>
+          </gl-sprintf>
+        </template>
         <template #help>
           <gl-sprintf :message="$options.i18n.toggleHelpText">
             <template #link="{ content }">
diff --git a/app/assets/javascripts/token_access/components/outbound_token_access.vue b/app/assets/javascripts/token_access/components/outbound_token_access.vue
index f70bb77b780..cad1fff062a 100644
--- a/app/assets/javascripts/token_access/components/outbound_token_access.vue
+++ b/app/assets/javascripts/token_access/components/outbound_token_access.vue
@@ -23,9 +23,11 @@ import TokenProjectsTable from './token_projects_table.vue';
 // Note: This component will be removed in 17.0, as the outbound access token is getting deprecated
 export default {
   i18n: {
-    toggleLabelTitle: s__('CICD|Limit CI_JOB_TOKEN access'),
+    toggleLabelTitle: s__(
+      'CICD|Limit access %{italicStart}from%{italicEnd} this project (Deprecated)',
+    ),
     toggleHelpText: s__(
-      `CICD|Select the projects that can be accessed by API requests authenticated with this project's CI_JOB_TOKEN CI/CD variable. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more.%{linkEnd}`,
+      `CICD|Prevent CI/CD job tokens from this project from being used to access other projects unless the other project is added to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more.%{linkEnd}`,
     ),
     cardHeaderTitle: s__('CICD|Add an existing project to the scope'),
     settingDisabledMessage: s__(
@@ -246,6 +248,13 @@ export default {
         :disabled="disableTokenToggle"
         @change="updateCIJobTokenScope"
       >
+        <template #label>
+          <gl-sprintf :message="$options.i18n.toggleLabelTitle">
+            <template #italic="{ content }">
+              <i>{{ content }}</i>
+            </template>
+          </gl-sprintf>
+        </template>
         <template #help>
           <gl-sprintf :message="$options.i18n.toggleHelpText">
             <template #link="{ content }">
diff --git a/app/assets/stylesheets/page_bundles/merge_requests.scss b/app/assets/stylesheets/page_bundles/merge_requests.scss
index 697ed9e4d07..f39247f06c2 100644
--- a/app/assets/stylesheets/page_bundles/merge_requests.scss
+++ b/app/assets/stylesheets/page_bundles/merge_requests.scss
@@ -836,6 +836,10 @@ $tabs-holder-z-index: 250;
   background-color: var(--gray-10, $gray-10);
   container-name: mr-widget-extension;
   container-type: inline-size;
+  // Adds a fix for the view app dropdown not showing up
+  // correctly.
+  @include gl-relative;
+  @include gl-z-index-1;
 
   &.clickable:hover {
     background-color: var(--gray-50, $gray-50);
diff --git a/app/workers/ci/pipeline_success_unlock_artifacts_worker.rb b/app/workers/ci/pipeline_success_unlock_artifacts_worker.rb
index 2a1f492cacb..2bebfdf9114 100644
--- a/app/workers/ci/pipeline_success_unlock_artifacts_worker.rb
+++ b/app/workers/ci/pipeline_success_unlock_artifacts_worker.rb
@@ -3,14 +3,16 @@
 module Ci
   class PipelineSuccessUnlockArtifactsWorker
     include ApplicationWorker
+    include PipelineBackgroundQueue
 
     data_consistency :always
 
     sidekiq_options retry: 3
-    include PipelineBackgroundQueue
 
     idempotent!
 
+    defer_on_database_health_signal :gitlab_ci, [:ci_job_artifacts]
+
     def perform(pipeline_id)
       ::Ci::Pipeline.find_by_id(pipeline_id).try do |pipeline|
         # TODO: Move this check inside the Ci::UnlockArtifactsService
diff --git a/app/workers/concerns/worker_attributes.rb b/app/workers/concerns/worker_attributes.rb
index cc8d77e91f1..02eda924b71 100644
--- a/app/workers/concerns/worker_attributes.rb
+++ b/app/workers/concerns/worker_attributes.rb
@@ -197,10 +197,10 @@ module WorkerAttributes
       !!get_class_attribute(:big_payload)
     end
 
-    def defer_on_database_health_signal(gitlab_schema, delay_by = DEFAULT_DEFER_DELAY, tables = [])
+    def defer_on_database_health_signal(gitlab_schema, tables = [], delay_by = DEFAULT_DEFER_DELAY)
       set_class_attribute(
         :database_health_check_attrs,
-        { gitlab_schema: gitlab_schema, delay_by: delay_by, tables: tables }
+        { gitlab_schema: gitlab_schema, tables: tables, delay_by: delay_by }
       )
     end
 
diff --git a/config/settings.rb b/config/settings.rb
index c25531a3311..3edbcc9b5ed 100644
--- a/config/settings.rb
+++ b/config/settings.rb
@@ -5,6 +5,8 @@ require_relative '../lib/gitlab_settings'
 file = ENV.fetch('GITLAB_CONFIG') { Rails.root.join('config/gitlab.yml') }
 section = ENV.fetch('GITLAB_ENV') { Rails.env }
 
+GITLAB_INSTANCE_UUID_NOT_SET = 'uuid-not-set'
+
 Settings = GitlabSettings.load(file, section) do
   def gitlab_on_standard_port?
     on_standard_port?(gitlab)
@@ -212,7 +214,7 @@ Settings = GitlabSettings.load(file, section) do
   # these pings. The sidekiq job handles temporary http failures.
   def cron_for_service_ping
     # Set a default UUID for the case when the UUID hasn't been initialized.
-    uuid = Gitlab::CurrentSettings.uuid || 'uuid-not-set'
+    uuid = Gitlab::CurrentSettings.uuid || GITLAB_INSTANCE_UUID_NOT_SET
 
     minute = Digest::SHA256.hexdigest(uuid + 'minute').to_i(16) % 60
     hour = Digest::SHA256.hexdigest(uuid + 'hour').to_i(16) % 24
diff --git a/config/sidekiq_queues.yml b/config/sidekiq_queues.yml
index d278986266c..6f9ba5be29d 100644
--- a/config/sidekiq_queues.yml
+++ b/config/sidekiq_queues.yml
@@ -637,6 +637,8 @@
   - 1
 - - vulnerabilities_statistics_adjustment
   - 1
+- - vulnerabilities_update_namespace_ids_of_vulnerability_reads
+  - 1
 - - vulnerability_exports_export
   - 1
 - - vulnerability_exports_export_deletion
diff --git a/data/deprecations/15-9-insecure-ci-job-token.yml b/data/deprecations/15-9-insecure-ci-job-token.yml
index 5664ffee008..f807c337de8 100644
--- a/data/deprecations/15-9-insecure-ci-job-token.yml
+++ b/data/deprecations/15-9-insecure-ci-job-token.yml
@@ -18,6 +18,8 @@
     In 17.0, we plan to remove the **Limit** setting completely, and set the **Allow access** setting to enabled for all projects. This change ensures a higher level of security between projects. If you currently use the **Limit** setting, you should update your projects to use the **Allow access** setting instead. If other projects access your project with a job token, you must add them to the **Allow access** allowlist.
 
     To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or later can enable the **Allow access** setting now and add the other projects. It will not be possible to disable the setting in 17.0 or later.
+
+    In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**.
   #
   # OPTIONAL END OF SUPPORT FIELDS
   #
diff --git a/db/migrate/20230727144741_add_label_lock_on_merge.rb b/db/migrate/20230727144741_add_label_lock_on_merge.rb
new file mode 100644
index 00000000000..a352051a4ba
--- /dev/null
+++ b/db/migrate/20230727144741_add_label_lock_on_merge.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddLabelLockOnMerge < Gitlab::Database::Migration[2.1]
+  def change
+    add_column :labels, :lock_on_merge, :boolean, default: false, null: false
+  end
+end
diff --git a/db/schema_migrations/20230727144741 b/db/schema_migrations/20230727144741
new file mode 100644
index 00000000000..8d762d5db29
--- /dev/null
+++ b/db/schema_migrations/20230727144741
@@ -0,0 +1 @@
+e2b2b76f54ee551e777aecbaefe51663d55ea2b305ffccc3acf5d8a2da351a63
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 024106a26f5..f49aba6486f 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -17834,7 +17834,8 @@ CREATE TABLE labels (
     description_html text,
     type character varying,
     group_id integer,
-    cached_markdown_version integer
+    cached_markdown_version integer,
+    lock_on_merge boolean DEFAULT false NOT NULL
 );
 
 CREATE SEQUENCE labels_id_seq
diff --git a/doc/api/project_job_token_scopes.md b/doc/api/project_job_token_scopes.md
index 4d1e013ee14..486149ad180 100644
--- a/doc/api/project_job_token_scopes.md
+++ b/doc/api/project_job_token_scopes.md
@@ -50,7 +50,9 @@ Example response:
 
 ## Patch a project's CI/CD job token access settings
 
-Patch the [**Allow access to this project with a CI_JOB_TOKEN** setting](../ci/jobs/ci_job_token.md#disable-the-job-token-scope-allowlist) (job token scope) of a project.
+> **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
+
+Patch the [**Limit access _to_ this project** setting](../ci/jobs/ci_job_token.md#disable-the-job-token-scope-allowlist) (job token scope) of a project.
 
 ```plaintext
 PATCH /projects/:id/job_token_scope
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md
index befa9c89d72..3dcbf79b2a9 100644
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -105,6 +105,8 @@ access is needed.
 
 ### Disable the job token scope allowlist
 
+> **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
+
 WARNING:
 It is a security risk to disable the allowlist. A malicious user could try to compromise
 a pipeline created in an unauthorized project. If the pipeline was created by one of
@@ -122,13 +124,15 @@ To disable the job token scope allowlist:
 1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your project.
 1. Select **Settings > CI/CD**.
 1. Expand **Token Access**.
-1. Toggle **Allow access to this project with a CI_JOB_TOKEN** to disabled.
+1. Toggle **Limit access _to_ this project** to disabled.
    Enabled by default in new projects.
 
 You can also disable the allowlist [with the API](../../api/graphql/reference/index.md#mutationprojectcicdsettingsupdate).
 
 ### Add a project to the job token scope allowlist
 
+> **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
+
 You can add projects to the allowlist for a project. Projects added to the allowlist
 can make API calls from running pipelines by using the CI/CD job token.
 
@@ -143,7 +147,7 @@ To add a project:
 1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your project.
 1. Select **Settings > CI/CD**.
 1. Expand **Token Access**.
-1. Verify **Allow access to this project with a CI_JOB_TOKEN** is enabled.
+1. Verify **Limit access _to_ this project** is enabled.
 1. Under **Allow CI job tokens from the following projects to access this project**,
    add projects to the allowlist.
 
@@ -176,6 +180,8 @@ If project `B` is public or internal, you do not need to add
 
 ### Configure the job token scope
 
+> **Limit CI_JOB_TOKEN access** setting [renamed to **Limit access _from_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
+
 Prerequisite:
 
 - You must not have more than 200 projects added to the token's scope.
@@ -185,7 +191,7 @@ To configure the job token scope:
 1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your project.
 1. Select **Settings > CI/CD**.
 1. Expand **Token Access**.
-1. Toggle **Limit CI_JOB_TOKEN access** to enabled.
+1. Toggle **Limit access _from_ this project** to enabled.
 1. Optional. Add existing projects to the token's access scope. The user adding a
    project must have the Maintainer role in both projects.
 
diff --git a/doc/ci/troubleshooting.md b/doc/ci/troubleshooting.md
index 623589e2cbc..ac5976de20a 100644
--- a/doc/ci/troubleshooting.md
+++ b/doc/ci/troubleshooting.md
@@ -330,6 +330,8 @@ start a new pipeline to use the new configuration.
 
 ### Unable to pull image from another project
 
+> **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
+
 When a runner tries to pull an image from a private project, the job could fail with the following error:
 
 ```shell
@@ -338,7 +340,7 @@ WARNING: Failed to pull image with policy "always": Error response from daemon:
 
 This error can happen if the following are both true:
 
-- The **Allow access to this project with a CI_JOB_TOKEN** option is enabled in the private project
+- The **Limit access _to_ this project** option is enabled in the private project
   hosting the image.
 - The job attempting to fetch the image is running for a project that is not listed in
   the private project's allowlist.
diff --git a/doc/development/search/advanced_search_migration_styleguide.md b/doc/development/search/advanced_search_migration_styleguide.md
index d9ef0808c5a..10c4fa3dcc6 100644
--- a/doc/development/search/advanced_search_migration_styleguide.md
+++ b/doc/development/search/advanced_search_migration_styleguide.md
@@ -210,6 +210,27 @@ class MigrationName < Elastic::Migration
 end
 ```
 
+#### `Search::Elastic::MigrationReindexBasedOnSchemaVersion`
+
+Reindexes all documents in the index that stores the specified document type and updates `schema_version`.
+
+Requires the `DOCUMENT_TYPE` and `NEW_SCHEMA_VERSION` constants.
+The index mapping must have a `schema_version` integer field in a `YYMM` format.
+
+```ruby
+class MigrationName < Elastic::Migration
+  include Search::Elastic::MigrationReindexBasedOnSchemaVersion
+
+  batched!
+  batch_size 9_000
+  throttle_delay 1.minute
+
+  DOCUMENT_TYPE = WorkItem
+  NEW_SCHEMA_VERSION = 23_08
+  UPDATE_BATCH_SIZE = 100
+end
+```
+
 #### `Elastic::MigrationHelper`
 
 Contains methods you can use when a migration doesn't fit the previous examples.
diff --git a/doc/development/sidekiq/index.md b/doc/development/sidekiq/index.md
index 936388a14fe..1b3b319ef28 100644
--- a/doc/development/sidekiq/index.md
+++ b/doc/development/sidekiq/index.md
@@ -135,7 +135,7 @@ Sidekiq workers are deferred by two ways,
         sidekiq_options retry: 3
         include ChaosQueue
 
-        defer_on_database_health_signal :gitlab_main, 1.minute, [:users]
+        defer_on_database_health_signal :gitlab_main, [:users], 1.minute
 
         def perform(duration_s)
           Gitlab::Chaos.sleep(duration_s)
diff --git a/doc/integration/advanced_search/elasticsearch.md b/doc/integration/advanced_search/elasticsearch.md
index 036be552ab7..a82730ea567 100644
--- a/doc/integration/advanced_search/elasticsearch.md
+++ b/doc/integration/advanced_search/elasticsearch.md
@@ -549,6 +549,20 @@ Sometimes, you might want to abandon the unfinished reindex job and resume the i
 1. Expand **Advanced Search**.
 1. Clear the **Pause Elasticsearch indexing** checkbox.
 
+## Index integrity
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/112369) in GitLab 15.10 [with a flag](../../administration/feature_flags.md) named `search_index_integrity`. Disabled by default.
+> - [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/392981) in GitLab 16.0.
+> - [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/392981) in GitLab 16.3.
+
+FLAG:
+On self-managed GitLab, by default this feature is available. To hide the feature, an administrator can [disable the feature flag](../../administration/feature_flags.md) named `search_index_integrity`.
+On GitLab.com, this feature is available.
+
+Index integrity detects and fixes missing repository data.
+This feature is automatically used when code searches
+scoped to a group or project return no results.
+
 ## Advanced search migrations
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/234046) in GitLab 13.6.
diff --git a/doc/operations/incident_management/manage_incidents.md b/doc/operations/incident_management/manage_incidents.md
index bb9dde4b416..73ed82bed5c 100644
--- a/doc/operations/incident_management/manage_incidents.md
+++ b/doc/operations/incident_management/manage_incidents.md
@@ -245,7 +245,7 @@ To configure the setting:
 1. Select the **Automatically close associated incident** checkbox.
 1. Select **Save changes**.
 
-When GitLab receives a recovery alert, it closes the associated incident.
+When GitLab receives a [recovery alert](integrations.md#recovery-alerts), it closes the associated incident.
 This action is recorded as a system note on the incident indicating that it
 was closed automatically by the GitLab Alert bot.
 
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index 47bece45a45..be2f6386300 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -1376,6 +1376,8 @@ In 17.0, we plan to remove the **Limit** setting completely, and set the **Allow
 
 To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or later can enable the **Allow access** setting now and add the other projects. It will not be possible to disable the setting in 17.0 or later.
 
+In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**.
+
 </div>
 
 <div class="deprecation breaking-change" data-milestone="16.0">
diff --git a/doc/user/okrs.md b/doc/user/okrs.md
index 6579ecbadbc..9d99d34c359 100644
--- a/doc/user/okrs.md
+++ b/doc/user/okrs.md
@@ -354,6 +354,62 @@ Prerequisites:
 By default, child OKRs are ordered by creation date.
 To reorder them, drag them around.
 
+## Confidential OKRs
+
+> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/8410) in GitLab 15.3.
+
+Confidential OKRs are [OKRs](index.md) visible only to members of a project with
+[sufficient permissions](#who-can-see-confidential-okrs).
+You can use confidential OKRs to keep security vulnerabilities private or prevent surprises from
+leaking out.
+
+### Make an OKR confidential
+
+By default, OKRs are public.
+You can make an OKR confidential when you create or edit it.
+
+Prerequisites:
+
+- You must have at least the Reporter role for the project.
+- A **confidential objective** can have only confidential
+  [child objectives or key results](#child-objectives-and-key-results):
+  - To make an objective confidential: If it has any child objectives or key results, you must first
+    make all of them confidential or remove them.
+  - To make an objective non-confidential: If it has any child objectives or key results, you must
+    first make all of them non-confidential or remove them.
+  - To add child objectives or key results to a confidential objective, you must first make them
+    confidential.
+
+#### In a new OKR
+
+When you create a new objective, a checkbox right below the text area is available to mark the
+OKR as confidential.
+
+Check that box and select **Create objective** or **Create key result** to create the OKR.
+
+#### In an existing OKR
+
+To change the confidentiality of an existing OKR:
+
+1. [Open the objective](#view-an-objective) or [key result](#view-a-key-result).
+1. In the top right corner, select the vertical ellipsis (**{ellipsis_v}**).
+1. Select **Turn on confidentiality**.
+
+### Who can see confidential OKRs
+
+When an OKR is made confidential, only users with at least the Reporter role for the project have
+access to the OKR.
+Users with Guest or [Minimal](permissions.md#users-with-minimal-access) roles can't access
+the OKR even if they were actively participating before the change.
+
+However, a user with the **Guest role** can create confidential OKRs, but can only view the ones
+that they created themselves.
+
+Users with the Guest role or non-members can read the confidential issue if they are assigned to the issue.
+When a Guest user or non-member is unassigned from a confidential issue, they can no longer view it.
+
+Confidential OKRs are hidden in search results for users without the necessary permissions.
+
 ## Two-column layout
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/415077) in GitLab 16.2 [with a flag](../administration/feature_flags.md) named `work_items_mvc_2`. Disabled by default.
diff --git a/doc/user/project/issues/confidential_issues.md b/doc/user/project/issues/confidential_issues.md
index 6c2e6cb2132..f05b8412deb 100644
--- a/doc/user/project/issues/confidential_issues.md
+++ b/doc/user/project/issues/confidential_issues.md
@@ -7,7 +7,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 # Confidential issues **(FREE)**
 
 Confidential issues are [issues](index.md) visible only to members of a project with
-[sufficient permissions](#permissions-and-access-to-confidential-issues).
+[sufficient permissions](#who-can-see-confidential-issues).
 Confidential issues can be used by open source projects and companies alike to
 keep security vulnerabilities private or prevent surprises from leaking out.
 
@@ -51,6 +51,14 @@ for the project have access to the issue.
 Users with Guest or [Minimal](../../permissions.md#users-with-minimal-access) roles can't access
 the issue even if they were actively participating before the change.
 
+However, a user with the **Guest role** can create confidential issues, but can only view the ones
+that they created themselves.
+
+Users with the Guest role or non-members can read the confidential issue if they are assigned to the issue.
+When a Guest user or non-member is unassigned from a confidential issue, they can no longer view it.
+
+Confidential issues are hidden in search results for users without the necessary permissions.
+
 ## Confidential issue indicators
 
 Confidential issues are visually different from regular issues in a few ways.
@@ -59,7 +67,7 @@ next to the issues that are marked as confidential:
 
 ![Confidential issues index page](img/confidential_issues_index_page.png)
 
-If you don't have [enough permissions](#permissions-and-access-to-confidential-issues),
+If you don't have [enough permissions](#who-can-see-confidential-issues),
 you cannot see confidential issues at all.
 
 Likewise, while inside the issue, you can see the confidential (**{eye-slash}**) icon right next to
@@ -87,27 +95,6 @@ system note in the issue's comments:
 Although you can create confidential issues (and make existing issues confidential) in a public project, you cannot make confidential merge requests.
 Learn how to create [merge requests for confidential issues](../merge_requests/confidential.md) that prevent leaks of private data.
 
-## Permissions and access to confidential issues
-
-Access to confidential issues is by one of two routes. The general rule
-is that confidential issues are visible only to members of a project with at
-least the **Reporter role**.
-
-However, a user with the **Guest role** can create
-confidential issues, but can only view the ones that they created themselves.
-
-Users with the Guest role or non-members can read the confidential issue if they are assigned to the issue.
-When a Guest user or non-member is unassigned from a confidential issue,
-they can no longer view it.
-
-Confidential issues are hidden in search results for unprivileged users.
-For example, here's what a user with the Maintainer role and the Guest role
-sees in the project's search results:
-
-| Maintainer role | Guest role |
-|:----------------|:-----------|
-| ![Confidential issues search by maintainer](img/confidential_issues_search_master.png) | ![Confidential issues search by guest](img/confidential_issues_search_guest.png) |
-
 ## Related topics
 
 - [Merge requests for confidential issues](../merge_requests/confidential.md)
diff --git a/doc/user/project/issues/img/confidential_issues_search_guest.png b/doc/user/project/issues/img/confidential_issues_search_guest.png
deleted file mode 100644
index dc1b4ba8ad72f782fe8e78973e997f1926e22a06..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8593
zcmaiZ1yEewvhEBs0S0#`Ob7%Bp5O!v65JtpaCd^+;O_1gB)Gc_1a}Vvo8TH;1L2bY
zoO|x8SNGLhwW@2^s#@J&e{H+=4pWr>fQd$i1^@ssr6k3a0RRy2>3Izm^d!?LS+@WH
zV6~#Gs`%sM<K5le*4EaqU%%dU*zfP}bGug4($ZdDUOG8BH8(e(o}PModUBPTNJso)
zV`Fo5b(N5ipr@xlIXUU=?LED`+1=fpoSYmP8F}y15Fa0Zb8|Z}F)=hWw6L%c6BG0E
z=g+rq-yR(uEiW(E)zwv2Rw57xevi8Qhd=J_?q9!tO-oDj^YfFJmj?oY_xJZpOG}fh
zhk1E<f`WqW?d>u_%{#}JGcz+*R#u^*q0G$8Yinz!rl$S<{aRXD0RaK66B}Mdqc%1+
z%F4<Mn<sYJ{W`H-OiWCfnVCvqZE!fev$HcKB*Z0u$j8SgxO_rSPmiCUKec7v-rim<
zqV4+nI;(x*gMX8Zj7(%?q`JELmoHzElaqfQoR{^l=D~lg?4I1+KO{BHB_$<^ii#ec
zUl;Z)f9Q7O;NYkjT$`Pp-8{UAteNiV>B-H_jfjY-8(lXvG`zg~ZJ5}t5#3>u+{44e
zV=)>xvb^6hy=gEI)_*wHJ-a>hW4C`{cWw8yp`l^#=J?zEPW|>^#%d!K6;*u0Y|(m`
z+jJ&Rr8zM%@$BiEd0MY}e?aK>lGTfyg-u^l0Dvk}N=!u6?Z@Fv4Q4MCM{J6nTJ%c>
zj}u6B!*o}_t@Dtj2K)xs^HGhBYz*}&;{RE~ZcViBYP5w+>XOUprSA$ny(fO>0r`XI
ziucNN<g_h5hQ)V!>iyIONs(|FWyncd647?-aE^mkrL|KCUU`pMy~e)zjd_%njWTK^
ziaT=-bGN29^mxt|gDEciXz=~sXF52a=MS^KtsiYrWt;><u57;b7h~G)(-AQ$4qJ8{
zqn_oNH~53`Hd7&S@DbEku_P;9?M^j?>f7P+kxpJchxM1+nV#bztJ;~QY`k^PJ;J9Z
zFj6x$u?6~e&5&is%R{maFR(4)hRSNQo7AsF+~yOdn~nS6c90$Y8Upx+sbIcE+^v*{
zBtH|0r--a%^45ud^9L%^NYW}X9-JstTbg@3v3DRhk`Kh11RLdK>;rQfOwY=3e_0C`
ztPzfDbqY-iAFyJaBooRnMnK$FFiM1Mx%BPug@2q^kwC=~U*L8(gs9%CsSc^Kzi@D;
z!VYNzk}q1bv}4hI>e$#K=Z0!cqTa8<9Q)llG1*OFoIP2XyZ03J3YYWs7#d8B?6`)q
z46Hp_oY}b%K)8@0+)|7^toceYs7b;9D`MAvV>gRtz1yA}=2|k0x6$239?Os95CF`h
zbOnw61qlLGir8r((<G7bu+xSyx?LA)>4e;rx717cSAW*!)9Zg>#6<c7<=tG*d@zu&
z%b00*evg)q`7ASGAV}+eiX5SoXs9^jFD{<ux|avy1+1G8P<xtr)os%b8Va`~#d)I<
zOY7}^0NPVOn{xA;s;@{86mchJkzIs=ig^4{R7UU8=AI|VDBE9szMJIGf6=b1)u_x_
zT*!OOq0bXI=+d(^*TOj@c}|pz`)3-4e&?}z#pyw}qLNd!f_sza=hJj-^;!PrW9A<M
zzNj|R+}G4R`T6T;Nz$@!_3{(L#14F<`OCldlT+Mqi`#=rwM!k10T~0DW0Km%eGSfW
zJLTk_*|irNHRQrgFsRtRQ7feRLNR;`Sci{Q;56U9fLzX6{KiN53+lK;SeL{M5q+rJ
z6oLJ*+h?4K90g<H@IH#}1fc1|sO9<DDM2PO6N$mzf@q7eDs#JC@vys6&<yM+4t1GW
z;*aU~)*{)(L~I|Lc|Drc6hG}Y-PX)lG_?|U+8(z%zsao>vf}hIyEiMw{H$GJ`)G?y
zAAXth#@dhxc(1{DhUS|rK>Zu3y~^KJ=rP4G$FCk3^A6=ub#!K1AQodVLfGQ33*=Ba
zuvk<yi$J2uP#lm<e=NdAm|!7^xMEAq=2<C4ASY{nVt`PfXK~4<b7veQm8?Eo=W8Xu
zKON|A6kN*vH*MaJ0~iZgKfTd@XP2G7E7?%*_+Tj*IH-!yCDBN7{rZ&H%LT4v`c6~N
zjshn{?9PhKI=LwM9!8QB$ae(Sa=CTrFZr+Cv2UipbWp!omk<kIJ_^!m#!tUMj<WGz
zY`*c?kix9Lz8dmW7zALO@F<A?>CITlCJq6fGX=?T@JbSWVNXwanB2dn_(d81uF7*n
zdY<;qAf)zN`CGR)@bVl@n-Jh}e6L==2WSw>*EyQDs;HGIY`lyaln;MzvVe9`D`6kC
zY5@ySM+pFe^JU6%e}%2Kap>C{9)l#KJ(p3y>4;4loS@}YV7vv~CHzE(Tfc?~+wgpf
z+&)4rR#C$*TXvq<&Hc#Tfh1O6T<0t@j>&P33;JD^7MSVz5jw0rI0o3C%tz%3_{-X}
zbnfFo*0`?JtelSYeXFkX{R~XR%VmO&13|bB5@w)NbPSO|=lBDuz7Tr8ZMD=J?A%{p
zH1G!NdYwUdOza%FgC9ljx}8CSbx`~JUCib_d6EomXrnBs+#T1L(9MVpr&?X)y;I04
zF6eC8To3$peSiaTU3F;8Z_q>fj#PhsqWtO@vjhylKK8;K99o}KZE~Swhm#qc?Peik
z2%a(9R?SFw?t*r;-@x^rHOQ}E+CRR7g`!pSR`$=HAQ1{u4V7=S0!xyU@kv4Sb90;9
zWm9`@Jgkc2BTIH?4!jo&n9XA|le5!4f6h^cbQU$v{qH;uKO~SVj+K6}g3BYpwRur{
z+yv5z0~Zoa-_O>jE(6R?WZ4hQ)G|_HiV@3@khw$lH56kGW{O&sXW^XQqX5BPPEa{6
z50&AC)&s|J=&B9j#kuulCl1T5lb?Fqj1}sGI+ZA>e5Ixg_$vpJGH1-Tuc&XUd-q50
z0~-xzPS^(W<jmw<FcAC@Uw=%QB_Bk~I>Bo{i_vi^<N~ri4<o59EUIrX<ci~D4V^C>
zCgX<6$DjsGVrEx&fyevvY=q_c;Gc2qWk83BG{gCcQZ81iLd2oPPwfiLGhyRTdltLr
zN~L06AS2|H7nP*?QSc!z;Rn%bbr-Q?Q{jT|gg$yF8$%F*Gm6g&9^NA`i4VJ1$L(m2
z)M81ff8MGK#5wY=YdY_}_~<tFI5^@h8`CB+F<jjuTDnId`{%R^y%vYseKa)~xVmzT
zrsH<9+W}0z=Ldxro4_M2NMn=N?SK9(P>}IVC1u;#`{RAuMfora8%n#JREhL4g>Q~}
z>=Jvr%7Ou?-vBtWh)=JPNzeuWExykv)1xicFYpx2Lhy=HV0`?EJRRWK#k}4<S_Euc
zXRPINdwGhSQP=aXk#%Xtd-6nNgY%=1dGpDC200+Xn{ii(47GrYBTCl7&{=K~CVVuF
z8N`P}qsb_O^_&Ksoy>?jk6R#){&anDMDJ!!KIE2(u`M#;#}}IR*w3aV#~pU2dZya0
z3Oqjp@#UWczao8>1^c*kPys@KjNh?uS$cIWLA&kiB%>8%xMTVJc@$-fp)Kw4_E5zN
z$e!AF-P>Qg1f@x(WToGaNx9UIV!u7Fp`jT{t0=nd(nFY<gh60(kl3)v7U}B0hOD6(
zWUmG-u-PkPDu3BfyK+IVRblAME|3VzzT*DDfS)@~9?$10^T!COz1z3u?K~T>ZFcXK
zaHsqt@gf~3jMf1V`HE4Q2G&qp9X&hjGGj!>KNIEz1+G(gki{0glrOk|NV-K#DJUeI
z2A`vnXq{_An$7rrpk;{a6)i`5AZ>=9IS;oEBDDZex8K4l2igioE6SGSV*H)^QqGVp
zDQ6C60ri8H9>Cv4M)Hv^jyNsz_}-IA6cX=%tBfA_{>>y8yl_lsVP83JAr1-&z2LE(
zC^~`79-^=U!h34kpXCx-B8)C=TrMkT28XTX$?5=FWiT5x{HNhu`uA>{z*#ZRD%ofJ
zrnG+!RW>5$CA|%tM@m?f607iQ^+F;WHc&2CxJq-))2WHyPF5T+z-|-ONa%9yPPN|F
zj+Z1I6@|!$r_L5RwP+xTjVT%70Weyx#MzKx@%=S#I4cwaqo)199J|{aAU;B3S>a<+
z@0;*WAbVsxhWAlL@sQg$2WQmDlMi2LGUp_nRkv+-+H7yxT)I>v#`&ZGSPJi&<TKyz
zcw&laH;ndTz0%JiGpm=_ewg|aw2vo#%lG1dxEME8VhU>3W|QZiZxMcop--{svqbxg
z3)sjDnjaqKD^PFDcrKoQeDgW9zv>d8ql}#DEhV4tP-1Z<qwPpk1OB{g<!0%=?hhfE
zu8KZ~CHJxI5F#M4C&6pkfq;>5S_X(&!%gg}D>=3iaaSMs{x$^@=9H1syr9nbwk80w
zP#|xb81t~7-zuimDL=@EWX_JS&*`%C{+aj;fo2X|AJtFA9pxSHV**xhMS1yKOOv)e
z10!KZL3?sc^qa~S>ds?r{Q0TIn||wE)`)ypDDW;=(2W<_p&MMz@If2{eU%1?w`#9m
zo9VyS1^pXN7GU$zxo*=bn@bImEMRr67Wwjri<7=~#Xk(i@TDpJGS?7yZprt`ik&Mt
zV{Vy|cuAjLB$<)8##^1)P_zUFtEb5rn`C(>9u=X;aIs;qetgyBdPxUN9!I?5>UYA(
zrvW15eU$gZ&|m4x3pJ69_f|V11+!g_)4>}v?He-ypBeFBD;;2j?wvEI{jIf;c8zR(
z0?ps(5O5ngM(8{-ac%vQ<8MU3=jmZ{#Z&efux$@GZEfwi;J(Yu%e(Q3VwtQ30G5O9
z`kC&xoRy`ZO?u0l^!dk<hi?iZLgNO)pCU%M?|{<e`}MnHq~(<&7>thu9D!x7Q&nyw
z5Hqh|I)=xsgb;WoOXtyP0auT~5&(7?JHgdBH!Q|4h4d@8pR{i*b(#8OV%3bm5^B`n
z49;sa&95ZYvBtMosvqA_SD#<}uwv`MlWf49t_u^HaUdGCa@BIl0Kz{D)S~E}@vNtR
zzk}X|&=~{>viVLIH8&@AHs{SUy!(>z;etKXU_9a`h3@Bz3t7VfZF!yzCzO@fzIa4N
zsenU?B{~BQFIM$Y)Q}0LZ#LD7T-);4OO_`2Su{Xb#f`{yQ(4<M#^LXK**1X^iX3ur
z`muBXwinNEj{QxyNsY|~`qICMbXlA}R{x$o9h3L#!qjyGs(ecSQ(J#NU;Cyzr8d4P
zFJRzeTbG=5g#7M~{i*!B@>s`#A#ud`(4Uwg06qM5X1dJNmT#_2h8XxT-TN!YqYqiA
zA?`zw3ON}I>dg2@G?0a2qPO7?$=R)^7Sw7-o`*{yr$WPV^VZr7m<kAOEl)~vzLGNF
zmPu^rQX0p!1Kxn23k%%XxkQ^7&e5D(>x#URslT?aclt&?ww!b;_X22fNHNk|Dz&}n
z!Iy^NYr-Vd-p3-uMu->NKVBnS9&X%O!8m9fepT^F$z~_}+Wc^k(23EVTfz2d`)Y!~
zr_OGG2@_-h2>z`WnXibe^g4?`gn*a<%LR|XENC6N53R&v@qg4S12fq`q|sljoktF>
zY$07oe~dW5wjG>xKj7r2{+~Gnz?|0%Bw~{F?Bt7>4ED8B(+HNZQbRT8cov(1G$;q$
zECM*H09qJe%LKx<Xi)C|&+*j`QnLJA!0+!1T6_IW8CL9L<KJYq5_o*Om_9{Ss8?jZ
zv+Y{z2qRUGxk9!(-MDEy`^1Gc+*jIEzk1yN`CHq~nHS}$M&w0f#7ycee;XOOfW>vb
z&QDK$B?_z@AKx7#4(cL>%>-Si2RZ7{e7ETS70V1^Vq#5gb9DL|LuzVfmQeBM$?9M&
zCG!frLJ7>ye6I8o&IbhDqq&*cjxy1AYNd?;fhpNc&+X-}9bH6?4-lm3sJTAUK35!I
zMqRa%>Y@_z5#p=kYhhZMANo@UW&R1B9GwMQ9}Ij+bX>r)G!-kl257(i7@4VRWJHf;
z2dJr1^%dX)hB<A@!D>J7Xzh)PlYHrq^2*w@K@ddV%PIp14^tJOq|yl~cskNojkG=h
z-A2ZOXUagCQrQ06PQUA>y#ECy5|d*PHd;aSRqacJE+qI6GPnw2g8`&>$+|w@QT|TH
zD-(q);IUPXf=~rc2hGSm=Fr{7M_ZPkizUEKF?sU9izRNG?sa?_N@Q>O*-S_+N3aTI
z2W#&~wG1sZmM53aaby(r!0Dv=_mPZ(D#g^J-x4?Ds%BaI(pbLqoai~vWq<!FmNLTb
zi`Z4$i1%R8DiD6%rm<-B8C&&IE8$aM2(W_+s<AvYWMxsc80R6ZhwG5vk`}z0*7+MP
zSk<C}fPty{l1RJBz}6DIx|vfdURABtOoLHty^?(}agvkhHB4)&K74rOFlM;jN~LsG
z%8Tf>efqT+o)w#D5K2L*0Yq4}1rLCTTN+>;r~>Ud34Su79B_egWQ=W5P~nuCj^BR#
z5dg_etl5&9AW1C;_ZED0@1sj*0S;Lr+-wrU*|1gOKdhcm`A<rio;u!RCG9$H97ti4
z0Po{Z$)354{Hh<=)r(OW6?6`|6>nyGaz<yG+>(NmUm05h7K%SM#&LmHolI{L#9X3$
z`fWftxne6wogKZB_?gCvWnuZ7k&Fes_u3;>;zSG32=E*EjtDO>TA#+Db22JD@fj7K
ztJ<ELwcpv|m1=(NWt^IO$%(!yCkJrBdZcCJWUvfg_<EfD-0gj~KsmTyXAeb^D+*Yn
zx`To*%;3hg_$j|$1z3XvEZ!1@FGemrga37=6Jt6*6RF4c_0-nF#d+6@Tkzu_aX-~;
zNq>Ac0jw_t-r!is_FKP*VV+}20TLj!Jja?ZAptuLVHCsK5+hNbG?m{qu3D0z*H&du
zgpX?>hN(CDXImtdxNGZJ2ERz<XXaAw&{sBTU~4IKcn5ds1u)ku0G5hIz-Rgo_;*0~
zX?<;v&@r78>Vf_=tD%vT^TrIaOEfv?{ageZOyvQrO1Ks59HM*(fjbNE9{Xv8!i;Jw
z52Q20*&w+z8^~WyG7BNP(Wr=&%qk^lQWyX{&6)CM>H{DR46Jhut(pzMg|3U8dn55N
z7fIvlxHC-9IpwuA0vgRr=j6a_BR|MPt4<Q3k++4t0!$Wc!^d(1{8BUZlKwdbUIp>2
zH1(2w7=+IwOM__<lN_m~7G!=#ENr^`!D*MfpqO7X10E>Gmt@wcshC0S^OVxJSU^<f
z9ZQCq&k)7;vc+xU2>|JRTEt9d;Se`?mkl)+?t|2CH3p3bp-K+z+)Dq8(<XPiQNqPK
zoN6n)6E^gSrR={oX_s^&zu|cd2FB?YG5bWHEjFfWEJ<kMK;Mz5Vaf<=K#=TRA*e$@
zeJ!l+PZ>I54R?4Qpm@VMDtAILhAS{Q9Y99c_onE^?|?KjMFDW>P=lTdR#avM0@EBE
zZ<&(ro-Q*40MHKU5P=lnQWRVS_aE(1r+@L~M2@t|1k_euJ$r3F<VC3JHPHb=%?0b{
zz;w^mCM);MNl}VM&4<mF*e%HEQIP_lsw*$&nVfAoGFOty3a;dKk#`h_qU#*Y#GN!5
z_;uT7H;b)s0iVsYB28<L#r#W7;LaQ2RtMhLc9FKHs(M0IVoLOIMEd#?A7=R@gYRPj
z+_q&g`?=9d$MEG|(V-v=CJSG4$*B1UUJ0*4z*d(1o=vCXp*!6@?PH@VQ03r?08sYZ
zhe7@LB@C~*rfx~A^?{V0*r>)ZjUwnfmDU!T(1%-V&ll5SD=D@A%04FGiTvSi)a?U1
z+H>czEK-zM7ZAfOgbDN}V`@U&3c>f(9Bb$Rj5~=pQj_ae&2N5T;OMxv%*RZ!+!#pL
z;@Q)GJ=Q5z`I-Z88M2Bpk3wqOQe4{NYz^6P`cPFxB`lmEfQfmgVQGg0U4O#-)XKjL
z(cRQR|AabaR9xHDCVk}BuWi+)wP}k1NFyYq;-z!c^!b<0IT9bsMkka6tC*7Nt?8_S
z(Xb`dx^A!i`vIeyCqfY#b<#fJdB(Rx3mZf}74&OLT|WH4w7RcGG0CSwBhj#z2E4F5
zj{CqrHn)$ZK5u~$Y63oIkAK_?D1jMw;NS#Ncuw5;(p0pBE*3CaLi_(IJ}nj-Ap!Jp
zU<U8b?cDKhEY@EjPnrU3{&&F@fl`e5&(QaB8M`bFgQ6mwNX!W3VlC(1#@+OkVH>_~
z>~xo`Qf?r^@eF5R1&KsxNwaf^aCjl`ee0b(mokvCM^I!-$5{ihnw;u>8~C(zu=qn!
z|GldfO8e4}j%K@0fHh#xgeKy=FaoUe%ZIliJV5`G;+rX;+^p-nVlJg10S(cdv}ELR
z;s^i)#g!TZae!h44?f^+c~6=ukn-xDoJqhBADfBtYWY}b{d)c~uCnm!s&+N2Z5Cz6
z<CR4D0cs$DqDq7)jZ|-zhxe<QX&9szENsF<Y5@2oqzGzMGBSfLI$88|!9_XIR#XTm
zo*$`5-+FuLSjfW#t0e}KJaAO@Uj<^ksKl~ic}WC~N2BJ}kO7f!!FcsSjW|xCL!>Bm
zDCV$|>G_M&^8v#E0xzZ4Y>4-=6&GF<ilrc}Y4$n7wwsMj0q0YkcAHHzc9W@)2rO?J
z-3iSVK<G>LWC4Dv5VAWOopPmV*<pvB24GtIPPq*iorfd_3Uf~CIN#TMS1veM-65Wf
z*#c|#N*rd<%aOu?OmG(6WPLjVf>FpLbq7H@Ok1(d#kWG=zl+c$>$dm_-I@6!{+$#l
z&n8VdSkLXT#8r{p{%hSi8=SE4*Ly}mmMG`a)g|^qiEgqR4`NvbCQuv`(MI)N?nJ)t
z9M%uhv7$+IjMQ!z9!)@RR8cRP?ird$F)<D$8T~OAypZ5d6BYDJlEngJ663d%X|C~e
zh>ivwZz@W@7K=7+kQ-kehyP5E$T;?^ih#++$W@9@t-OWNtM5R)yf(1yi*PbuOy=g<
z$NhQp!v&SXJ7yje0nJu`SpP9Zlsc%zZb<F(v_tQ#>8pt7)yqVn7pV04_IyG@Cr~r|
zja4d0epWjwcZPWIb=S!~3uri$>i*!Z0i1G(HVU{ZVTy9fUr1yyb=ccnt?=V<1V<^f
zctaPbI4B@fA%Sm+Y8YD2zG8IJb0I)(|A}F41yrGtR*PsPE7)Y5{Eek|9hFABVgZ%a
znUa?sc$hySxAVhf`!-_?FOTN32*l68NR=tBfEt1#NrQM2M^4!g(VOx2&k<GN+Gga+
zMX-YbRcoPnXQ@`qYl3k+6JeggTc=K?_u2`eSujr-90TD;I`h68ZP;`1Nce#d-gY04
z5GehV2mUOoh>^;9@ghK=oHdziGIq1~6-eKp({#q%Ck0p?8M=7;46FHN3k|vcZI_w(
zWS)XQ`uSTp365H5aReKbV$+K^(A-zP%xRLlb_sAWxW#^nV5`sNzQRBdlG;CCrFym-
zc^OQOPTkT>QUx9VvkFtz7pAOf+)oJO$W0fmVl#NO1Xyp`h_O;4FURS`V@`IBgnrW!
z@JG+M27C`~d;T9g?71tq<rpyw0MVF7m*sF`Y`*UOqBd4ct<7)Vld^`k(Sm2Ys^4)#
zMp@{GVRoSze!%T+1E3gLwFomL_IDrb!UJzR7$?F&v2ZEii8^axspHAo&{Pm6@qBYV
zhmo+@i|lAjM7@1=94pGy(Zp>xgY!`d8A<!9vG7g?cS-~BIG6U5;dl8yL+ls8l;|?2
zr$3AGS>vGl2TwGogF88%X;^6#|6HjIvM|<>v_%=$iZvX=u;UAV$1i?W2OoAA84CoR
zYdi$FkUHiyGIgXgO@gp7(Rq-~Z%r)u*+ZuMMor4LJP!EZN$mCn1o{4%PK2iGtP|P-
zEJhkLllN_|Dt7(0W|J?;yu<I+nO_5w`XrnQ=#vZhtna@7$JT;>@M&1d%Tni;@eBOQ
z>t8W}>kzST<?5n=H2PtGi<ifo>z)>4Vzb#^7#F0z@qZbMyy*6vo3aLI=5eqZ2)$F$
z4M9j<Pwfz~C8@QY`ie+>cTqpUF@f>oYNL+_nuQ3M)tYnCO_$h=gG_b#8?pvwSwOk1
zSx(B|)-nS8cUmGo^FNtX^~YzYj^IT_^aNje4WBMcQ<vgQ7$!^DlVNk6^}()o=4VdI
zpj^<?O4fN!N6M?dxul7c?{R(ZIDwBzn%=LOP#+nw^3nZI*5d2V9dN)R|LeXP%3f?J
z!VOfqF&0fd1<fxei$zi?k%u)##1qPXHWFqfz*Tw=g>*y^<5hS2PUfr*9Y)H`CtegS
z5v-yZ=x?WOjCmS6K>nE%p{VPOG_=Ik3+Qs=XA4`SjGeWv40Lk-c%)8ZpcnZMhKQpG
zFfM-^=AbJ&Ui%7+k=t+rnLof9FOjE$Xd;WVk)zy|Joi0>nk668ob|=69O%u)HF+-n
zdj}s%&iCoFfOS!v@y{C~+)z3RAMwhV{DWgrhc-Shn-o%`%(@zqG3@=u?}`EC_&vy9
zfZ2LU2Rf7^*a|5fItg`OuglNpq?~7T6LA79QNXz91|Y}mYHlJPr@ChjFTY1fkI4z2
znmn&@fAE(n^u2Ib8Ygrb&!aHT((kQnbb5C4OX&}b0U6suJ(^xXUC6!PP|A{=ovH4k
zP=MkQ3~DIC^D=A$srZk_5mvV*FqJ2>?ta9hoavFnasoNlk|-4oF`70gG7pjXtU<Y3
zLw&NTAp&CB0gznJeY8F|0r63sRQ+3#Y*~C7x_Csxtnu^eQY~yv%=qxJmyNbCRY&jL
zPi_ghed><v64SxG*<gu`#YTa%*$$h|cNVwkOKH#YegH*!MJ^uY%qV4xY<nOFB97Ui
z3wB&^8tcAenR+!)tIY~bNzU-A=c`Y)RIJhr7@tA)Apg)H`=Z}ca6{(H(CK*vks$<w
zInQkZa%y134ZWg~TJAS_q=JEL*mgy$+1b_=z6_9j1@PDB7nysRgN<CG_S-~g)Gxog
zGq#nBPHS_x9>(t;ij(Q%CAw)I(0;sz>o4#+vPS+~GbszO+s}R?E@{f7c+=SbAL5>r
zbnNsEH^CRN+0TTA8faR5q_gyne{dQce|XX{%5QM&gDq)tsFqItGO7BA+<9WNEMe0z
zsYMq2*WLTK`F8zeoB-dKIZ#2CILO2C8D!l^VYljPPvh^~kbZ2}C520hDDwaDJp@ij
XOeWWMBQzrL_fSe)Uaa!HzW;v#fOQw|

diff --git a/doc/user/project/issues/img/confidential_issues_search_master.png b/doc/user/project/issues/img/confidential_issues_search_master.png
deleted file mode 100644
index fc01f4da9db731a2217a8c8277fccc2edcc969c2..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 13228
zcmZ{K1yEc~w=HgAfB=Co=-`sz?qqOxcbDMqJ_7^@0fM_b1a}WkaJS&@u6gAD|9kKE
z>b|$DPS>73b9S#@dv~u>T_;>oUIKsyM1z5W0Z2)TD#O6QgJED`<5A#Wdpes@O<sRg
zDaxvf{rU6f;o)I>dz;I>>g43);NXD2&4HSl`sU__jg76bvGM8o$=TW2!^4A~o?cvB
z{Os&(Y;0_8ZB0&2?(5gD-mjKF92*<USz;y|+9>_ygpZGJd3kwwczAw(J~=sgZ*Q-+
zw|8P<V)yhWFfdTaxAyMt-qzNZk&#hVRrT`na%gC%zrSDQORM(R_Ot8z#l=M^6q?XD
zJHC2UTU(o*o$cr6*V@`@^1a(Gtxrcshu^EZyu3UzGBP0{!N$g>prBy=@N#{9y?kJ;
zqoZSMYpc7v8|+^P3k%ykzFAUIvbuMk-@QD$d79QbfB*Pg`g8Sb&D6#9ZFa|^v9WP_
zdb*&X;O*_**722whQ{&bT~$?8czF2r{iCI&<<!&^Gc&Wfxw%W$KuGB?#jxh5=a;t0
zZ4nWXp4nXo2Z!nDX#)d;AH(Yd3;SY$^})fxsi~<8+h<b24Pg}%!^?*jNj-{+iu(Of
zFc{o5v!nm5!+JE9lasS<bVIDuT|B5hvwh*`(aiqcY0Xam;`RwHE-oo4>D2iecZFs8
zYD4~dn_Q2t&s1jET+!;)Zo+c4iD2Pt?pPY6L`76R7LTTW0D73Qz!Nn_MM}BK+iLoQ
zxt5`Xd}gtI!XHpzG5^R3W97lVru;va(d5(5>bIbSQ@WUHCe;zOH}-S>C^{2jCjaOC
zx{{o<fOf(a#ZcsXHw&(^3%$xOQR8J^30F!x2&500dd>Un``*b@_v4tFMtxU4lA0;+
ztP6L+-IHaCd;+A{3Fe`T`}Z+b><rWLW6+Scd5*Qr+Cb)Le^6%~5w5hB&qRW!={Gpv
zE^Hdqg#s;VCZADu^QnD?n)~jySgQ9pzeCUGZkSFhT7p7HS;@^KGMNqQ^)q%ap63s{
za;4ULDqaS&kw^aRy%1?ve>T^VNeUTYo3R?at(1HECQB@6jqTiNJmLD~OI+UgiW{d!
zby5tlcykq{QV@)?;FC=jP+h!PX_^rn#}(j8o`p8Sg2C}7u%=%r?gd4K&t>sc>=$pi
z4!4+vHq@9Ar;$arlYzsE>CZ~`ckF<=JzXB$iDW1Vs$6z?`Q8Y3Z^+gl{xa!02Jwvb
z^$2~CPgs<N;WB8Y*y+pys!QQfPei^KLu6zPZ5HA^c3w;l2g@)r&?=&h=zZe0n$Qaa
zck=Uyx>8SoRpzl^eI!1k(01RwOe!&(bQ7ZijpDA)H+qOmNCPhMp_6Of#IY2zhcUQ$
zOPS$dJO*J!Lp(byhGO%KPo4!ORu%6TnA6nJ%|3;Fe}NMvl)oPc;cjmde(s?cDhq>@
zCz$N)_GHtVG)dQK53<z1kL~{W5%rfdF`B1U`#BAl44QB|Y-sDK<s-{@FeO5>`odFK
z*K%bAoK|@_mif^*o>Ab2ND_KrWMm@j>ZkFDI@|s6PvSN|pVhZ(i@u0JTS2%Npj_g<
zspuw<)7Dq!Ht^h2)5?xbbNVWe|6Ej9qKfVnBX;5n@rzGHrV#ncFdb2KGF)Ky=Vikd
zr6Lmk{u4(fE@ef@zB)`nBL+2PG9q67`h`H$c<s89rX5oC$<heRB)bYxJy%agB6?Q!
zz?`gZO%}>fo{h}x7+Zl8g_H5@8O`WFq+`xlM8^^Rh9_~+L1y1KeuXPLR4;@R4SoBR
z<$*;FCZnKWCDTUXt*uI4uo26SF<BbTgOsBsV7_%3Ap8W1B4?ZNF%r?);)$hLR`wmx
zu25iF+^Ac!b@!SJ*Y8+aXxdm!b7jP_uz0c%QkXb&@xoW(?oImB_cI1g3pruRr!SzA
zvLuH3YzM2G^qfhe9gdKCR*L9uHU_#amc)0Z1?%>8ryG>W(f~)R_5zIU2L3?8P=ob%
zf@17<dfQq#6h6PLPY4xiicpcDkK&{0kH8IUI+;bl_<0Ke(vpM>Vhs!+%sQn&VOv-2
zIipx{HzM%93zt5UN{r!wX?v0M&0$J7JfpWz)@Q!*Q8t}88erR=y%`;=5q+H2S@1k;
z;B3^>@I8GNyZu!G9;Qc-LMAHQzkaGe;_F@d<13^}6TNAPd~wzZns$>@(@DmMmJFF<
zh=oUsWyCgoN?hMUBGRVh@i#od<ltgXT4u8HQtsEIpl6y)8ny<_coWcUYghf7WgLgS
z{GVDZPeLG$Q;p5u<^^kAwIGYf*I9PgC(@k9{AG7<)vfT$uXp6%P>#>*bnT(i&<Z!m
zEqK?$-AyQ76;$NSr0qMMT|hxR>6CV@1Wg$6LCn8**t^xPU>($E%xOca`(Pr1V9MPD
z3!O#A5TGEhfr6n2G&lMPL41jl_#pIReN%o7*r1=m%mhJsUc(td(AoHtX}kId`gi<~
zc+fkPI1N&lJ!QtN3QL`sz4T1#X7}xw4knr$=3er{fai}AAAYlWavhBGUHoz$(3zSj
zSAw?3qK&6uLj6wZ8sm=WvQ&|FHF>ub7^yhVq<G`6=A5p!g3Yv~ut{a@L~Zk!-}G|S
za;|5<VSV^_>Yf&|k14U<oiqyTso2$P+sSXe?hO|Q!5DfIDlf~Y^%Ho_wJgmEhfis%
zpk7_h7g%KNsGxK$;bPqnz|!}wDA33AYZIJ#j?bl6#tz(>_p+WnEXOJ=3X{(3;~ht~
zyVI)Yhl?4ynfGyTOzNu2(4at$M{nTW4aSBY=*_R4(ylFXIdk@O={m?DF&du2f7bKF
zCkF+P$(;6v-#}4w@>P`@nZ+avv==KEWAH744dP3dJwE&lw0zqy&2@3^YVk3xXsII)
zKi&E2`J?@hLI+0TlpAlf3R|_S0MT=`-7SC^Ra>E;N*{3qC;R3ALN%T1smx~w?nEV%
zob|21l$ZFFH_(@DHuY&YwZbRuzVS@my*_=4k3>V4fVHyaCHXosZhB1O5<Z<I0Pdfo
z7z2JIRs>d7eWbpd`h7x`m3NO$q@rK^N>?W+B6%nw?_DLM$(U#FC~TSo4|<52k8a6@
zDsYVLy$k)58xM}Jn0%m&_u{udr)`=H@m%=NPsfYyDiq=&dCa)qQgl4^yN{CUy*7+H
z*~{&=eqRQ3Fmc5fh0zpP^kMv5&14R7IGyQ_?M+z)4N^Gmh5uR1j%wro)cEIMF6|vZ
z&s9jj|L<}Cp4{Sph|+)LiRtEK9LexKN|52Q)I%jJcWiiISGzeq_ZbbF0bd(NXjD_T
zn-?(}p>yc*6)!I54%*VbEA2?;^{$iuY{%hxiW%Rwraj+J$lO-|6QO=8fC&@uU-Av(
zbEG@=WlH$H??;@n!ALioAmj!i-A^<1P{0+kB#w-w+1>*Aq*xp3q0ucRNo&1-!_<D{
z)c5fP<zTHnidg&hzS}l?bA7In?hJ=+RGPGZGzRhXYSkij%3fHlnBviG#zr#cm$>RD
z{*XBk5^?3(KRfLzBysSfg*Gsn*H;7w^p5sJoZ<K|cBAIijb$0Q(VK>wn#CQyfyI`1
zxAmM{5VMB)f2VkA%#oCf2-l`UUBqnTbVfQ(70rh)%zRqLz|ENOr;?b&zX&HPRAv5T
zL;HgL$qOYSq3G9+IEDs=PpPeWwuYZnI<LjzhQQ=Qa$a9e2Yg|uoAqEEESvkm#N>{6
z%0erU^i2U%5Bs^&LI9yXE)|xhxI6zA2xk>`X?V3j@7Fp>wMK2F%Boz#9uJndN>&pB
znSe{{)#f%H1{HN;hkx`9Kgy160Og1QMA(WXqyqUZ7AmyO1xaqWA@FMag2TW-WJUJ{
zUGtJ4O`&uKIcEye(C)SG<8QMW^$-t(@>rV_U$@VCWIx?^;vi8jTbg~8Pnz>-I3QKH
zaCl5>T1=SEw$wu*Rh_3Rw2`&wI<nr1$$T`r!mij-ho*-&O0$O7!pNR$R!wyxHzl&r
zVg3pa<(DXw5L1tJ!A5=(@mjDc^jTzUJUIf-Px}jv@WvdF3&d<$|EnkCp0N=Fr75rE
z+YkvR$KAmUMY|%`G3b=V|0$#+P?~VHA}Q_OgwTHaQbIU*#!`&VW@@)CT9pvsK0Q=R
zLjCd~Dhlets~gKGCvz!ANH16=M<L-&8>~HMnJS)Gm)iaxh$(qd%nrkh<tKe55sY54
zahI@OQeQkncy%!Ag6Kr!6J11nnVQ7F$-K=|tjxKhZp&{(L=}<*krk=1+rnaITkyUW
zot%%Sb^IhCEKR)`5Brmr|J6expQ=*)AsG9O{nd*Zf-JT16up_PSB0uOl+W5s8_<vm
z#C*Qb1Z1too&tD(*-bJ28(GoFb!u~SevWNAx(z^697fZGOI^)n!X)Kr)sXp9QU(Ad
z;Nr;EPdy~loYkJVoRdxU5X)^66UF|1tNrm)vM@@(=ku2ctX(~=s2h&~t#gS}uUE>l
zlVo&@YGEckhDc|^Lb+1ZHMNZscVF{5xR7Xl*h5^$S`KN(KL$OkW&)azk8dU&-BR6n
z7QqD5UgG&V-zrO&=ojY(tD48Q3uaj&vDB`LsC8=DWLc7L@O3al%P3^FsPuGiV|Cc$
z_wZ37t>*$ipAC~@vPc9JiH{@(u7Dl74br~O$a&Llj6J}qeNSiwZjX(XkpPW;ltHml
z)#+L`LAmM$GiOYg$%Sdfq`XdTE@>+TdeJwENOc)XZRw*FHxW0kL(5^}VSf{ZQUE*N
zCMT|gd4DdPFd)<1cr)~|1RC=hQ_dR07M9MH=wQH?W^KPU_C9dY@FIWug^}xCu|J?g
zt>N|wk)A<N=fd^foJvvc`f=3Hj_*-iz;)xKE3Q`@aWzb8|D7Pn5=FjW&eTVIVgA^|
z{EZRLW2Z>y-}*i{{!H@Y?~2<IXaDp!H=@oaK<toR9nADZEnl4NS1!D_@vikS=$v%`
z9jNF}>{0l_&J!R%ln)!)Hq1zhAZ&SNSENCKU%0w2v>si)t`un<n$Cik?HAuYtb(Np
z_1)Fn_Y?^2*@N)MXU$&=$LVHbIfL%~Ynq^gmrg*aa4T&lVz|6UvJ9|`V43z>HErRQ
zt@HmkTMqj&FkH0=u8drO67tu&X}lTyc$5t1uwUbF|MrgCsH+vhQ@a&CaEQ_{E`rC9
z68|7()vI2>qk9glutt42Q%K{3w0j)kUkWY+oX&V%Uw(OI4Az7+Rj%~4e&%S-#sBUJ
zPcB4obxBm0qJ?I|L1W=T(GhG*wZkkVLs{x<B?6`;OAL#1blwy|P|2Q>T#g7a%;oz<
zuw=@A16sK89S8a6s=U|73^+8wY+e_NyHupUsfra#XxAyI>M(g8Z6{tLLx(qd&+&~`
ziws~gt^}Gj`h!8KjeGbZ=PB?Osp?~|#<raUCDqRI;qmqLZ+&aaCm!#6BO48BAz#uO
zL9lZK&#wIL)aE1vh?Zo3wD#V6d)L`Gvqhi<(_Y9ScLiE~C0100$iU~}set+T<-e8b
z)p^SH1OS5M);KDSf^6%kB(e%W^1uiH;Q%6m5VA;!Fjz4Qgpvyy$HKKl>9#~+M?eGy
zF~8pKiX*=KBgGoFdABN1O{2@tA7s!+LZ%E-bVR*E3=3dQR{mI&RZSpW6IrHSYE@HC
z`qcBd?6`Z6W%_wrTcC1=@y_SOx8JSOwFTrr<m7NS{I~sky@%@uAwxUR|F%;umZtSa
zl<I~DAoOm&2tQG~qprSDfV&Al65&``2z_xaj#AulW0@i{JolkvKWWZzitC2GqlM}G
zpbje`=!(V@Q`Gt`txcq+p3J6%abQdR32AZJ5W;Ga)%}()ZR}DR{4)(Nde^DDWlsmc
zfL(~+j^aM`1G5d$9=H5R$6I|t+I4P*2QSU<s*B-8gKoO3<J3rJ1L<0t$hnnZ9I?lP
zEv(SzjfB;fhy1rg5iTx?!v0YGk2fw24Tiz0F{rIS)Z4rzmNd2>w{eI!vN3}1!5C3{
z!!W#jBiZZkGY#tbaA(J2v~F<xJjc|5NIY5-2*0I6_}>Q<qI4NTaks`hnd>%S9(Zb>
z;d)`9i)%1xzhfj7qcW}Ah$E8T6GQ#jdiYEaY+!;a<(^xGR>NTm`j2mt8kG^G@t6x*
z_NtP-igntO*`78pJZ`wBU0^kb0%PcKnkx+I6KMfc;diUR-rtjjfuEwstRlJ0-Wpd+
zvR=E-Vh1!0x1*Ee>!@eb$v8Qq9$;p+3~=3h&c+5-9~D#&s$;sNmv(Y>_n=(E!$zcD
z05K_y#eN`Ny?aZ8cUthu!{eNA47k`-kPo~mAn0`PonXG1A*EpEa1q|xb2%F6gzcSZ
zko8Etm3fP@)tqPY%Xp!1M8%gnVY#hKX%0d_-Z<c$fCKkOsKZYWd?Y>|Z+twUOlN@*
z?!~F$RlrNJP=79hka2a&BY(%!<W5Zb+$=9jGVATCO-9}KMsSqYS_%nv&o}T-`MV&s
zSh27{^1*4GOA9iOSnu}nM$qewocY9XMzYf~ZIzLRs`nR|7Y;`IdPl#{@~)xu-@uDF
z{*)Z|moKB8C4-8lX{Hsj#Dj~4SyMj7@qKA&8I%Gxn3sHs`|UH@y{cz#KU2J|@}QO#
z+nhQ{5{E`E!r51USs8F-%qvINon3ykZui?yuO%Vl?R^>co7&;Zq9L#tCXxIoDE{WE
z7cuEb{`Lb@W(&}Fl}h2|QBlVdY8*(+qT_0t1<r-|y+uzB8eUzEm2Dxx3w9akKk?qp
z46}zFH~nsU@Fs?T&bPB!B4KN1fb@l{=qoIh3}VEE=-cINmN=r!IzGx&6u;88lCg;h
zYfmT1-teC@dh)|KK%Oh=mX40Q(B65(n+1PXE5V>|z9xrw?mVm7GH^eh1dGYAO>+zC
z0!!TRC2h7Vz-CT>HNkUF)=ZxG3it(WF4e2f^=Tq<#?J=~Pg}B7G2y{s24Xq2X#<po
zdWI6R>Xks4id)`kmPiJ}q(pJTUDzVr{TO;BU_#_Z3Mz{vRQ%e5-;Uk%?Fi_5uN#?`
zJG>%Q6VE=DZEQFryqOkn$XUS*E43F<tXy~Yl2?p)9TE@aM(@T@w)S^RrXc4c;)@yq
zioSmBcfGRtcBcs#N-_t)aSl=Hu)dxd%(W^Y;@g!|x6d{cmh7azFHHqYiOhvmFOKbs
z_5ypXcwD^EMJ-fFawhOlOmH{(YE%l|Mq~>3^(H*>y70Y^6jro`QKXv$sclGb-3c1q
z_d0CFyrtY~fN_?jB6g?UM9P+K!}!@n6dTxvF{%~%7FWSxpwJ*ksaymjoco7ICKqD#
zO^J7XDEO5&cWR?kk|QiCB92w>z+<$qr+Nok1FE5+Y*zOo5=nud2@aC4MAi}wy=R2U
zpnwK>CF$u0X;!sP?QM~4+`YY2a{aAm*R^EI1;%0(<Ia=j|ELS|I}^J{%gsXD_*QhX
ziHD{gF$qk+-v~BZk@&W&Hh7{KGgK=@Fn>6nBnao?w=>Qk!!plb$Nw+>e2JRHvE!5Z
zS~}|+hs$>k$=Z*C9fQEEurU}^N@k=}rf8={)u=!0YDWqyPpuUK%l-o|<&rv~hida-
z0z~ge^5&i^z<d~vWdGEN&p5sJHy7eum#D+)BYKGJTa03Cg%(>}pJ563C&J3P6`mW6
zA6Sg~-`0ZU)TR1~$?G!5PNPa=S3p~w6oMU8@Lz{Q+kVv4di81o8TK+Vx#Qn3wO&<e
z{tNEb20x&lE7bIX`4RCzZhdO~<O^rm0rY*?>WTSRFl*rN#P*p64#UGYZFHXpqmMT1
zTn{NyX)d+Qs10NaYu)};qP0YyOuJd1Y!1kx(`?TBbw7K-WWE6FDf%*_khw$lb%(W6
z;K@|-z$Lv?RU2GDl^E~<>6oWez@cub>jYH?V&;dqBaC#qKFkb`S8B2R12XGOe=G4c
z&P7zsuraOdCb;=+D0bO=Zq_W*&LF~ebaKoPr)5Z~!~A|^;zC+x(Mx!%qF*kO)m%C_
zB>NXMmvsuBBu8LjoYHl@Tqga5l%T@S<<P;GAyeCGLVB;?4)hoR%qc_uKz{<W(jY!|
z%A>3|c53H*O7|H4Awq|WC$09=&nSObpNX8zu9zXlcWf^W+kfVsq@V@PYYPp*K$uTt
zC_y}LcVP+cG!WtLM(oMdNO%`a*&fHe9+Ca5Eu;SoTkcucW4_9{CCboWC5Huw5CC3P
zJ_|(qSKtxY5zN>TfI$I}tiQUCH9l^9YUiB-$>9zl<&R}hg-EAqDf+yR%CQrrZdO*@
z#SyuI5pl_3<295g1|zWr8qQ1H*0voIXf}v?W;^&X?d9JdEw?xRDLa(J+8~8Lc6kHh
zg$0FReM0$vG*8K&IPKIAsm3$N3Vz>qn*+5)nTZ_QbBQ+Iqnw{MKcZ{LAE@zVeC)KR
zocJ-$0@hjh&`EDBKnC`CabT;pJziiK_Oz5RNWp5)I2^}k?PR&KJHsW8#HZkLlb{Cd
zjWpKY*&R6T_0XN!<}h%g1!9L?D_a@mnn3!nG+_Nga9{~GE}<#eo-WA*{|d9na}9V{
z8_)7~6sFq_S#Nc^7NODm5-h!fLdSvLPSCq0n;cY&9!MYN=f`Ui<_MVwSro|*W=egS
zZ*&eLh^->_wVx?ZwN6J;k@h6;DwrP5X2Ow954e$!yrO-uxWH5!lS;D2J2j+~Kz?J(
zYg$&4`~fzST%EIYYMm-9*JP%f`yB^)J;#o@Wv*nXO?fB>r4bW*sWYE>IrlKZWUwx$
zdBq0_Phlnn_z{qJQ~s}Ur-|j%v5D;&7%~V8*>Y0j9MLs)ET&~|>7ERQ?v8?!z{iw2
z2c+H!&YW7Q#xp;s`O)#g)m6KI7HPfU`t~EgV>SDJu(U7y=4h5iTL?EM<+su3PYdD_
ziwiad4d(|gX%$`s+QJHG*wnoBI%u0NWp-X#3!=4F<o?WHJY#^P{UGUC#!dn+xT30N
z2PyAr37gC9eV7<osE;82cv#|8qIly-=9ZWJ1a?@it)oYk#a$GyfDhgPA`Li$fobNq
zjb-8El!b{>dNzvhK~SmQoI5G}f`i-ldSKW0I$7-FJzC?uv;~o+Huqt8ZUTB$M>B@E
z&aAkFZ{JnG;2#iD4@JZc%MFl46AvhooQFI6b^Qm9cfKsKV}dkc%<OI4^88!ZjY>rJ
zjqN-A=;0@+ibApDdufthr8yy3_h~t@G!SpD>L0AyYp31-$LsI(Yu#HE9?#FEex}UG
zqF?<Ri&F?)ITLGK6S=`&UeT=VhtWgq8{G-$1QV9Oi0=tDK1Y2L6gt54P;i!c;os6l
zJu<}p;LFe-MSK-o=J&br-SmI~6)pIMa&9+GHX?Tn<+`g!4`pDyaCdz6H*RMPImOw-
z3|5;tmLw8O+n@6;`i)k6K!idq6<Ek}Q6PCy{9{+>M}naIA4%aJ%-~h$+Pit|e+~94
z=CMX3j*}RbYv&e}o}DG$sw)h6on9hSesnm)0UWxIP*Qe<3Vufk;R-Q{I6vZ@EI~6O
zrab&r$>8i5IN7CHm>|VA4wNGANk9+ki;I>ugrKo3FA=4_aDWvVQ^M+sgnkQ*e&hi|
zF4@GsIrhjjvN#reB#S>T|DUnYiQjBWKMoK~LU2QK%K5VO_YO2p*SEazWg)A93=o!J
z46)ibI$>-N`i!(-n=msb@WUtrGFDPH_6A<(5EDU!9aU$N$jC!5oN>?6)N(9aywfS$
zX4rdpd@eVwFwgYt0P$8Li?HFRLG!jJ$6gjko9CzlzH;hWgId!fcf;Q~so4_atMLad
zK(ust_~x<FH&4C_ZK|uH=)p>tg8EAno#^jm%ka_g%)){!)RnjIbZsDbSTe=tkR7yl
zPgG#GFjP%e#}U#__CBsz<0~h-1)l=N)vD#&pGXhhse~=G)8C{E;`7k|md{oGTgJ^-
z9Hx7Xdv6GCXQq5_oebhr8r|GJ6@&JEdv+-II2b<}75(9451n|Y12-?O0fb{ihzcI7
zKP(SL6|G$^i<})dd#zPFWESJx<O^ixuNkxr(*)J21_ycLe-aW2y{q@6@Zf;wP7jkP
ziRY#@`m8RxKBQS&Y4eGoJ(UXY@d@YM!<ob9!c1T%y;RNptrO~SZ5-8|9K;Z0Ow*<y
zR<ka^moQp~_ld%o(K|c2u7KiFERtvd3wKB3NYbO;wMw^C+scdQb<h&r(Sw3V9U_z8
z>wSyrEXH$XL)MBE`eFvab=Hi}voerq)Y~7rm`7tV=aytHCR>OuZYSH^PwpGlb)k1}
zY5=_etWQsLgcER}UQ!*F9>jm_@EbIIZf9|vxB;+Fgx^}*6Y6t+I?!@U;EAlmgn#-3
zi8XUL8(}v^+7>N979hZU+`N5w$odh}NbFX0@0W<bKX*FKgctTtbL#qokdF<A^Va!;
zQXeM`ugCXQ>SNbn47Bxole{O9w9XU4aHkJ?VofvZRo>uq=C~8ChC)N2OO*y6H;&5Z
z$T#+Ol8M;ca?KH4Xg^j6oibNfW2_{Dd-^|<Z##gm<nv13kBve~+PN4?E|+f;yvHlH
z*AHuPKWQf1t$SmNHN4a7Q(*>Jof#R-9Lwx$KUCLlc2tx^Q+Z7cTpcphX)%<L(Qy!9
zZHqQ%AAI-cV(7#kyN)(c-u<bMm5`M#XgZnTZB#r^b<Pv}J-EdEy+RjzQWo18Z|6pn
zlKMw;@TgV;anwf^CVZ~vNw<oJ&}e=+X*ncOo^@|+6dyhL!gZDp6R_>x2~<Ppo+0xW
z7Mv^gpTrJ@$B>EaO9~8uoFeORf!r`BVxWa_QQW}7Y^uf10t4H<Svb6}QpJM-v@}op
za{JKn=A6>Z<D8=XOGO05h{>V6QHW|DFZ7<N#*VqGf>@x-PQ*$su2;BL`=fpS>C#mx
z!-^PXo1d~ZE7?%^Naf5byJ!7q0`(x|mvr*g2_P9FclLw`Uo1qJ1n>-GmEvNbAmojp
zr?E@{B%_Bpk?Z|jMncOeUE4<5(fcL8x*c8UUk93su^W&ev+gXvOQ3{v#N?hc2NxJD
z-fkcyCI9Csv6)JDi}Ty;s+Ds+SB#cxe0*sv9-aLN|3gzQQ=rQkHOkQ%MV9BXWeEOZ
zFL~KqiowR?q@UHPCs$O2L!5FPtkP>X9mK!s;%50*>HDc#h-FG|JMt0VIWe_>rm})R
zh0W~2J8Y~D`r4%5X~w#DT=`mcJk0A$-4?{hr=W*jF#3&04Z{ri@6mXTv5tA1JcPd}
zon$!L{j(nb>F;4a-aJgPzyIm@)Ck=!i?3@2nI@CL;l%KTF(U=xGY<&_ps}_(s$gM-
z6iw`9o>)CrMccCa{^(6!qv@MHIch!Nnl1Uy*^D9(7KRq`&x4x(<qwH@)ieC?uNGT`
z&p(+souMqClaZadn}dBJY@neXo*ncnvEh{KV96u;B1ZVY&L>k_JT2u1e&Frw=(5bN
zGK<ai`$$4Q(Qf*_P(hadSDB7JVVhkWno{2nCs#KWk!Pn{d)tqG9~Koel~YC6Y#!dQ
zZ|Nc5(TLu~9KGW~Wt2!>2wz8RIZ<RuOxPSL$8%;g<5#!dJC6>zN<dpwp`TJXhxqt`
zVg4lGFZ+GL+%k<{u%R_|xRTCAP!qv_Q%mr9xt+gH95D)M;8N}9&Q^>n9nT2mEe=>m
zbVd4@_*AGwE1z+DUbcjh;DJDf>Tww&*#4~xb0JtldfH>+^DlonqPFA<!buwEn)L9f
z2Dz7TAKw&9{o;ZV>3~UV6Wb8$If;}N2nj1Db`&$$Waz5@Qu!7>Jl-WJnZeQCORX3Y
z`?;oOr8Z7E+G=-I-a{^J;C!NeZan8=IoGd=zTFhyHt6_g-ey~qZXw<yV@Xk&PU^Vd
zdZ*WZzyMWId3e+@*E6&<r81_-l@P7IVR#IFM5I~L;W52wB#|onSjJ^jdAQ+`QjpjE
zM?HZGA*ne;wM6RVc>dRj#&@U8l|014?5p<0yXm!k_Gu~$)<%(+EWd;}^)$w>R^r9&
zX^;$t>&~Y3B%X7^3k|sVBmvnrpD!VH12~I2RL$ecsdU-Lte0<q1cerbEf3$j_)&dd
zR?4m0mwexHl~0$f#k_dv15=#F+_pwYN2~`vTc=Fj??ImGoA>W8Pe#JmVme}Bq=#y|
z*>9qp2wD3ZuYr2Bg3_vEIZ+t`<unITaY^4=?w$^V<?``b*(oy%${_8-{i}STOwxz9
z$Th&6nf6~H%ASCUAl;(_ooj_B2rI++1BP^2pbec@%G|ix&QJ~$1qpVW$&OpIj+p8o
z#ezRcN^*w03|Ix9y_V+M17Ir!3yw|>0_5|}eBEr9xCc!9BD6XzqI2Hh+Nz`szy=x~
zU*AK#lKYF3^h;wI7h2`tAtze)YEx(w9<XnpiRVvd#(R}zZliHri4+r8f}T_7h?Ke@
zc~AvWLQepP?*Yx_59ONVxLReQwpVnp(k0J^p*?E+K4)9H;F%Gq>M||VUQ<0p7EOO!
z`_HMje7#$AIt|n1z@xKoNwFb#KZIARFm5s?Byql_VTvPjWjse&=k^ycMd7r#6_S_Y
zr!801K7uNstVb&3GBo%69VY)>{fLO4$BWiU49_wdqsrSjPG>emq`nU=!M~<yHFoJI
z@V8S6f&dd^%kE1w3&GD$p#Azu-#p#HG{{an{X3cB-nJ3ckF;O?8lwE)BILURzdOP0
z0<8_pBO;PbbAz;xN}$yDHxO)#Kl&9y$&vuu34379PfhEAN0kZH(XXnzN4hs;&yiHC
zUK6rZq(AXii!|lI@%r<UKdlR@6;?@(X$sRT55IdP1;<WSZlm+gjrV49;c5ZN{@32}
zKOF-`1~f{<0*?mX=3$kJf^7Q!cD$KNp7mYCru9dT7Yo6^L_tmjS&{c@x>mOMs*Tyv
zmcOpj6P|Fdkf1Bx<$eJ)bSC_YwIFvo;imJ__si7hsgQ2yPr^yUr>^zjWz@`Y$Zw%_
z4VLyC!jii3{4Ao=#o0qNCjmC#F9pI8BDC{r+he4j@^cz_G_PQxMsKxQJ&s6+foDy>
zfy#{86wpc3SM!_UZ5x^LbL)$Q0|Gc&96xZK!m)-7tkrI9MNdWSrluIBwphhd3(r*c
znWm&TgwVb>>fk}Uv`b3Femr<5YeuBjZ_z`neh;FZ;I+893DR%Eo_<VM7%6mzBkr@c
zFU|l3uo~$wT3K#gZ<*H0b?=dRS%z*U|KeGt>_5bBn!1>$%5@cO<NRhNCynL>Hjn8M
zeOvJ=8nBhws2JG97|_Oa+8P6(7eVYiMr*zo1ZF7YY29EsJhl|-z3k05Ft=<1FCmE#
zrTDAXPEy=jBdqn)FV4NLjG;S_T79f#`V}=&Q(fK6qFYDe0#oKySwG+~x<PdeOE`JJ
zQ^!`$>$cv`s@ujgi{7Hy0sK1t*@*>^ec2|s8N@(N{RE+2hS>F$+ADprll=S4S*hkX
z6gYW4V$t9St%^zS1e?^ST*wtt2Pl=?Cu)ys?UtJSDPzEAhl}!Y`@*|jtTvBuk_|zT
z`ib89xH%)A6V0)<tp{V+v9a*PIZ2e#ZbwdIiD`8CH3YN`FI?4+kjmQ1=5u6px?GvW
zVMQIgH(>wSsi|ArrfjF`->}b0nI$&+yaJZ-XDgY8e=G__90Wh@huNxbaprMxe>Ptw
zX%lr}cp7R1@}@TGnzefE`i-qIB{DQbooRpnSBNHOJC|dr5K+_{_@^<alk@5&%(KLy
z6B3En4<`R@9rJZ_8Pq|{=slRNNmg34XxdY_XNuNeq?OR5>57Uhafd(wXhF!o=y73L
zzDfQr<ZDTHlNJf50<w>NPf9;NX?>pL)6xk4r@;S@zc*GynX?)2KOO(u+v{NEOA9k^
zNHpZf-tQkn%mve8$7VgJ?HP>o1O#!0i^J4@iOlv{*#HXFXEXKmbmk1)tV2e2Mg7x+
zAd3O;8ke&3(43j`w1UCpc9}r;_8f@mNiTp(tUfWJk1N`?2yFUx9zgx|b@iw1DU@nt
zDsdtH9x)A89@41gRsU(KS?nQPjEBobX+vXcsg^fBb`H?02jz6^)HOTmmBa6;Fd9r8
zaDOlN+dk#@Hn=Yx*U*|)OpUX*G+`t>)`#CQLw=u_)gs+lGf5m(zzV}k=Q|dgxN@L=
zW90xub^KV+s&fn8SB2UQVAOEgMc|Ey)o?fCtfUdv0+N3YIOw<-2^!;jJz_D_W79=a
z((9D6dO4oU*?-Z9)_Y#;Kg}$eIjjg!&Rmxbt=u78#9811P~~nsK-8r8B&G1?zkO`X
z2xmy|lGfG*pCnjTgxmW1q>OT~Gx9vUCAG0+e_bfoWzg|TX+JBe&5jR~x3zDsssb#0
z6WvbvjQXfkpei@aV~H=vV}5O8ks!n!cTgs8*#xISZ@fmD0%>lb1P*e<$AmH^+i3}R
z4D?BAQ*P#&p)N|QV<*=MB<r9LcBiz{9NVFmo4QdR3$*OxEkn#}yhN+zxJ;o7grhZS
zOGCAL+-&5;RDd>Y&n-Veea(5ukz~%r%=Pd3W{f8{Fitr}^E6HVw9S=Z=Wu1_1)$D?
zYLA1Rw)#z3Bkbp)gNQscAqrN2t(+<1`^97#uiMXIkp~|)J7c_qZE4*-RlipC97Tx%
zc)ksUHPEx0E?M`NY8;1#+73h`C^e-Ce?0M*AOM6u2AJp9ZESxr|Lw-ThNUi+(FE|t
zp$N~4j2cY(EEHS+q!av-Gl%@;!Ho&Pl_{wNZdo<+UA2Fm!xvz;i-eBqmLm8)&NtEi
zTD^G)8pZuX^pLxjo@mdU6VR)i1fJ9d%;ivtRHWV(3K{<hYRIPgCfdLdth6sb;365s
z>R*)ImC0p#;!IfG6aCq;UhbxzH-p3ug~7SGd{olNh_ISML^Xrato6?`#DPySDuVYK
zN$v369$=)CGybjZhyXh5d)O+Fm9LS$sN4F(hQM&SEBgLVw#N?|i!q)%{|+m8dxogV
zJ*~JUgZ+!`+j_ULx~b5dq7kK1lU<oY@gi`h=A|_fGG1t1i2!%);II?a9F_yA+UCep
z$SHkh2v>s9`eyVYToPd?y<48TiHy#I?e_M;WorOpo?9)zmpTbpFcRa6{_^2^mk^k)
z_Z<w_w~kGUmX<IIER3Dkw3%8umdvT1K}u^mU{RC@dngyGzM*e9K|ZkC5C$JFY`8Bi
z!R&~#CcV=V{$=;Fa>I3wzCHk{GI+4_Zn^8r3(IR&U*!53M{i|mDnS{aVCioZ$TG-s
zT7NGTv?tomxu;J*{24_dz60$?b4ou324{#`B?ukqcG9+o0tQ0ag7R4gi}rzQ763D-
z%D&PTlF1%&uGp-jaM;ijVb|+N%bWSdocWraos%Xz7Q)O|AA^C2{009qbzwTDWhHW}
zhbaB5E{$}XQ&ngJk^KK}ytD;QCDS|}2PfT=G#$AcK|+FoX{*d-xe^bhqsXFvs)nPY
z8V-Skgq6F5UW%wPnNQJ-{;n#!V}#8(H59hs2lyQSrF<k9!IkmwndWaqQ!z$B@(0o+
z2sPmbj@l|_izmJQ+?%YeJV$a8K}-d;5mLd^PWP_U%Ip2Mv9`8y>EgacOkp#HR#yS^
z+lMb-<X@@{3~u(nna5ZS_(6Hn)J8k+GoI|Q(!C0@n^Wb6*;W-Eem)4>|E701>-BUj
zyeR0vsVL6aAskLT+c}(Z25^M7G1(XkHUfMf7G2DE(0i%vR#1cn3~pvtZ<{Da$);kS
zF`StJ+wQ@8(`*0%*ayKTAuId)2fV-W4&hhJz&7ge!WOn|)<}XSLr?lEUvCTbeGxLC
zELp!`GQH6fPkUSc3tbZAqD92zV4(wZ#pc>?p6y(-5>t3^u$;@t|2IahypZmUqvbh`
zxqWtaf8g>O^rXatpG1>0@eLqZqyY3tykiI)Iz^f&b}s@=E7U_s;gA(7LdOgwMr?{+
zU(obUu^M$2$Kx8UXca2~@tmee$&e%Wq+l!B4nomFeJgO(E-d>pJVu6(>RcddWwtm6
z47+cIMpUQHbyaOP^dNgK=2mvM^@HsIIxAq|lo?rq1C~wTekF_actu13C_;pIrU9>&
zXyzXO(?K)aI)(l_JS9CU-A1;<ne1oDsL(ho?!7^evmSRhH*;hO!o%z+n^h)i!k)F=
zQ2Z!l(l$>!s9Vm1$6Ra2F-`uSQ{_phq#Sa2fu&(bTLb>r-)<<wVxB&UFdB}|-hWhH
zob;a1O-)I*d@!Gd`K^iX;V);n?E?2~o%upmTJ|<@11_bu7crSiCBI7`WA?xpbT@U>
zz0`tjf@#~O0-{QU{-_NZRG@ZHQn<!Q8$6Tj{2&-ZUhnkb=;is}`ul(P=!1PiRKEuP
zNJPu{Gqxl$>E-eqZ@_|jFn&qyh$M40^#%RUF=rc1{kv3TD0arFB8^*x!cC^S2u+@-
zeT(anoH`Aq{!t7X6+Lh%;)Nqm$c47mw+YPKMS@|s{D#30x|d#6&YilC!6C~2ad@{l
z43CO-?K!=F&bn75S}e>`3j;IuvKH<2|BMY;4WQ}ai=Gc6SFuJJ_K9Sww6`QhhM%E8
zd}BeqxRoXwH&Hb~iF|F{P^Vg#ikYyUX0G`qxhJpEx5oqYdkD_&uW~W2I73bp+Ywln
zKBW4zAY^}Px)m0qAg4lVXQYm6{P^Ydj7aPPI%59t6gj;C_4cjC^jt*nf<ws(FAI_%
zz-+@}Uc%CXUQoS$&%U)ph4OBw4VfM|v6LWhOsiK}y1Ha$uOr~z3e2nSIMF@C7>w&f
ze<+NU8i%e(JEhu#P4P=*u&CD<MT!(p1QaK@{mY}N7rb@ct<qfg8V_`Z)<Eeoq#3Kb
zOIQm(53oZ98)UHP<GnFe+3Vlcpj9Qf6~bR#pE`X%a&NlXs^rbX`3yxE;S_cI(Trep
zaf}^;w!I4fF3MI6%-%A^IoozuMe*sL$R+g_l&6i|_)2Kkag4lV_^@{Q1#`$Mgc;ur
zwR`99BueasRk7;dbuph;&St$Bw#~<kHG4^46W;O?Iy&&>;V5@swjQn{@7ba_8zqu`
zZr2M^%zi);6-#WNsJjFP_<vKl%HTOY@7~5~Q(j-)Ji>bW*Ph)wV7p0td@#7}hyK1;
NN{PvfR(vuH`ajaVw(tM|

diff --git a/lib/gitlab/sidekiq_middleware/skip_jobs.rb b/lib/gitlab/sidekiq_middleware/skip_jobs.rb
index 8932607df52..6cc394aa5f4 100644
--- a/lib/gitlab/sidekiq_middleware/skip_jobs.rb
+++ b/lib/gitlab/sidekiq_middleware/skip_jobs.rb
@@ -84,8 +84,8 @@ module Gitlab
         health_context = Gitlab::Database::HealthStatus::Context.new(
           DatabaseHealthStatusChecker.new(job['jid'], worker_class.name),
           job_base_model.connection,
-          health_check_attrs[:gitlab_schema],
-          health_check_attrs[:tables]
+          health_check_attrs[:tables],
+          health_check_attrs[:gitlab_schema]
         )
 
         Gitlab::Database::HealthStatus.evaluate(health_context).any?(&:stop?)
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 6fb5dc0c163..c816afad373 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -8993,9 +8993,6 @@ msgstr ""
 msgid "CICD|Allow CI job tokens from the following projects to access this project"
 msgstr ""
 
-msgid "CICD|Allow access to this project with a CI_JOB_TOKEN"
-msgstr ""
-
 msgid "CICD|Auto DevOps"
 msgstr ""
 
@@ -9032,13 +9029,16 @@ msgstr ""
 msgid "CICD|Limit"
 msgstr ""
 
-msgid "CICD|Limit CI_JOB_TOKEN access"
+msgid "CICD|Limit access %{italicStart}from%{italicEnd} this project (Deprecated)"
 msgstr ""
 
-msgid "CICD|Manage which projects can use their CI_JOB_TOKEN to access this project. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more.%{linkEnd}"
+msgid "CICD|Limit access %{italicStart}to%{italicEnd} this project"
 msgstr ""
 
-msgid "CICD|Select the projects that can be accessed by API requests authenticated with this project's CI_JOB_TOKEN CI/CD variable. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more.%{linkEnd}"
+msgid "CICD|Prevent CI/CD job tokens from this project from being used to access other projects unless the other project is added to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more.%{linkEnd}"
+msgstr ""
+
+msgid "CICD|Prevent access to this project from other project CI/CD job tokens, unless the other project is added to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more.%{linkEnd}"
 msgstr ""
 
 msgid "CICD|The %{boldStart}Limit CI_JOB_TOKEN%{boldEnd} scope is deprecated and will be removed the 17.0 milestone. Configure the %{boldStart}CI_JOB_TOKEN%{boldEnd} allowlist instead. %{linkStart}How do I do this?%{linkEnd}"
diff --git a/spec/lib/gitlab/sidekiq_middleware/skip_jobs_spec.rb b/spec/lib/gitlab/sidekiq_middleware/skip_jobs_spec.rb
index 4be21591a40..620de7e7671 100644
--- a/spec/lib/gitlab/sidekiq_middleware/skip_jobs_spec.rb
+++ b/spec/lib/gitlab/sidekiq_middleware/skip_jobs_spec.rb
@@ -115,7 +115,7 @@ RSpec.describe Gitlab::SidekiqMiddleware::SkipJobs, feature_category: :scalabili
     end
 
     context 'with worker opted for database health check' do
-      let(:health_signal_attrs) { { gitlab_schema: :gitlab_main, delay: 1.minute, tables: [:users] } }
+      let(:health_signal_attrs) { { gitlab_schema: :gitlab_main, tables: [:users], delay: 1.minute } }
 
       around do |example|
         with_sidekiq_server_middleware do |chain|
diff --git a/spec/workers/ci/pipeline_success_unlock_artifacts_worker_spec.rb b/spec/workers/ci/pipeline_success_unlock_artifacts_worker_spec.rb
index 70821f3a833..60a34fdab53 100644
--- a/spec/workers/ci/pipeline_success_unlock_artifacts_worker_spec.rb
+++ b/spec/workers/ci/pipeline_success_unlock_artifacts_worker_spec.rb
@@ -69,4 +69,43 @@ RSpec.describe Ci::PipelineSuccessUnlockArtifactsWorker, feature_category: :buil
       end
     end
   end
+
+  describe '.database_health_check_attrs' do
+    it 'defines expected db health check attrs' do
+      expect(described_class.database_health_check_attrs).to eq(
+        gitlab_schema: :gitlab_ci,
+        delay_by: described_class::DEFAULT_DEFER_DELAY,
+        tables: [:ci_job_artifacts]
+      )
+    end
+  end
+
+  context 'with stop signal from database health check' do
+    let(:pipeline_id) { non_existing_record_id }
+    let(:health_signal_attrs) { described_class.database_health_check_attrs }
+
+    around do |example|
+      with_sidekiq_server_middleware do |chain|
+        chain.add Gitlab::SidekiqMiddleware::SkipJobs
+        Sidekiq::Testing.inline! { example.run }
+      end
+    end
+
+    before do
+      stub_feature_flags("drop_sidekiq_jobs_#{described_class.name}": false)
+
+      stop_signal = instance_double("Gitlab::Database::HealthStatus::Signals::Stop", stop?: true)
+      allow(Gitlab::Database::HealthStatus).to receive(:evaluate).and_return([stop_signal])
+    end
+
+    it 'defers the job by set time' do
+      expect_next_instance_of(described_class) do |worker|
+        expect(worker).not_to receive(:perform).with(pipeline_id)
+      end
+
+      expect(described_class).to receive(:perform_in).with(health_signal_attrs[:delay_by], pipeline_id)
+
+      described_class.perform_async(pipeline_id)
+    end
+  end
 end
diff --git a/spec/workers/concerns/worker_attributes_spec.rb b/spec/workers/concerns/worker_attributes_spec.rb
index 959cb62c6fb..90c07a9c959 100644
--- a/spec/workers/concerns/worker_attributes_spec.rb
+++ b/spec/workers/concerns/worker_attributes_spec.rb
@@ -37,7 +37,7 @@ RSpec.describe WorkerAttributes, feature_category: :shared do
       :worker_has_external_dependencies? | :worker_has_external_dependencies! | false            | []                                 | true
       :idempotent?                       | :idempotent!                       | false            | []                                 | true
       :big_payload?                      | :big_payload!                      | false            | []                                 | true
-      :database_health_check_attrs       | :defer_on_database_health_signal   | nil              | [:gitlab_main, 1.minute, [:users]] | { gitlab_schema: :gitlab_main, delay_by: 1.minute, tables: [:users] }
+      :database_health_check_attrs       | :defer_on_database_health_signal   | nil              | [:gitlab_main, [:users], 1.minute] | { gitlab_schema: :gitlab_main, tables: [:users], delay_by: 1.minute }
     end
     # rubocop: enable Layout/LineLength
 
@@ -148,7 +148,7 @@ RSpec.describe WorkerAttributes, feature_category: :shared do
 
     context 'when defer_on_database_health_signal is set' do
       before do
-        worker.defer_on_database_health_signal(:gitlab_main, 1.minute, [:users])
+        worker.defer_on_database_health_signal(:gitlab_main, [:users], 1.minute)
       end
 
       it { is_expected.to be(true) }