Add latest changes from gitlab-org/gitlab@master

2025-07-19 00:10:19 +00:00 · 2025-07-19 00:10:19 +00:00 · 23158f6b5f
parent df7548f5e8
commit 23158f6b5f
8 changed files with 90 additions and 45 deletions
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@ -782,7 +782,7 @@ lib/gitlab/checks/
 /doc/api/group_push_rules.md @brendan777
 /doc/api/group_relations_export.md @ashrafkhamis
 /doc/api/group_repository_storage_moves.md @brendan777
-/doc/api/group_service_accounts.md @idurham
+/doc/api/group_security_settings.md @rlehmann1
 /doc/api/group_ssh_certificates.md @brendan777
 /doc/api/group_webhooks.md @ashrafkhamis
 /doc/api/group_wikis.md @msedlakjakubowski
@ -866,6 +866,7 @@ lib/gitlab/checks/
 /doc/api/search.md @ashrafkhamis
 /doc/api/search_admin.md @ashrafkhamis
 /doc/api/secure_files.md @marcel.amirault
+/doc/api/service_accounts.md @idurham
 /doc/api/settings.md @idurham
 /doc/api/sidekiq_metrics.md @axil @eread
 /doc/api/snippet_repository_storage_moves.md @brendan777
@ -885,7 +886,6 @@ lib/gitlab/checks/
 /doc/api/user_follow_unfollow.md @idurham
 /doc/api/user_keys.md @idurham
 /doc/api/user_moderation.md @idurham
-/doc/api/user_service_accounts.md @idurham
 /doc/api/user_tokens.md @idurham
 /doc/api/users.md @idurham
 /doc/api/vulnerabilities.md @rlehmann1
@ -945,7 +945,7 @@ lib/gitlab/checks/
 /doc/development/ai_features/ @gitlab-org/ai-powered
 /doc/development/ai_features/embeddings.md @gitlab-org/search-team/migration-maintainers
 /doc/development/application_limits.md @gitlab-org/distribution
-/doc/development/audit_event_guide/ @gitlab-org/security-risk-management/security-policies/frontend @gitlab-org/security-risk-management/security-insights/frontend @gitlab-org/security-risk-management/security-insights/backend
+/doc/development/audit_event_guide/ @gitlab-org/govern/security-policies-frontend @gitlab-org/govern/threat-insights-frontend-team @gitlab-org/govern/threat-insights-backend-team
 /doc/development/avoiding_required_stops.md @gitlab-org/distribution
 /doc/development/build_test_package.md @gitlab-org/distribution
 /doc/development/cascading_settings.md @gitlab-org/foundations/engineering
@ -1009,8 +1009,9 @@ lib/gitlab/checks/
 /doc/policy/ @axil @eread
 /doc/security/ @idurham
 /doc/security/asset_proxy.md @msedlakjakubowski
+/doc/security/compliance_security_policy_management.md @rlehmann1
 /doc/security/user_file_uploads.md @msedlakjakubowski
-/doc/solutions/ @jfullam @DarwinJS @sbrightwell
+/doc/solutions/ @jfullam @Darwinjs @sbrightwell
 /doc/solutions/integrations/servicenow.md @ashrafkhamis
 /doc/subscriptions/ @lciutacu
 /doc/subscriptions/gitlab_com/compute_minutes.md @lyspin
@ -1061,11 +1062,13 @@ lib/gitlab/checks/
 /doc/user/application_security/cve_id_request.md @rlehmann1
 /doc/user/application_security/dast/ @phillipwells
 /doc/user/application_security/dependency_list/ @rlehmann1
+/doc/user/application_security/detect/security_configuration.md @rlehmann1
 /doc/user/application_security/detect/security_scanning_results.md @rlehmann1
 /doc/user/application_security/get-started-security.md @phillipwells
 /doc/user/application_security/policies/ @rlehmann1
 /doc/user/application_security/secret_detection/ @phillipwells
 /doc/user/application_security/security_dashboard/ @rlehmann1
+/doc/user/application_security/security_inventory/ @rlehmann1
 /doc/user/application_security/vulnerabilities/_index.md @rlehmann1
 /doc/user/application_security/vulnerabilities/risk_assessment_data.md @rdickenson
 /doc/user/application_security/vulnerabilities/severities.md @rlehmann1
@ -1083,11 +1086,14 @@ lib/gitlab/checks/
 /doc/user/duo_amazon_q/ @sselhorn
 /doc/user/emoji_reactions.md @msedlakjakubowski
 /doc/user/enterprise_user/ @idurham
+/doc/user/free_user_limit.md @lciutacu
 /doc/user/get_started/get_started_managing_code.md @brendan777
 /doc/user/get_started/get_started_planning_work.md @msedlakjakubowski
 /doc/user/get_started/get_started_projects.md @phillipwells
+/doc/user/get_started/get_started_runner.md @rsarangadharan
 /doc/user/get_started/getting_started_gitlab_duo.md @sselhorn
 /doc/user/gitlab_duo/ @sselhorn
+/doc/user/gitlab_duo/context_exclusion.md @scawood
 /doc/user/gitlab_duo/model_selection.md @jglassman1
 /doc/user/gitlab_duo/tutorials/ @gl-docsteam
 /doc/user/gitlab_duo_chat/ @jglassman1
--- a/app/assets/javascripts/pages/shared/form_error_tracker.js
+++ b/app/assets/javascripts/pages/shared/form_error_tracker.js
@ -72,12 +72,20 @@ export default class FormErrorTracker {
    return FormErrorTracker.inputErrorMessage(element);
  }

+  static formattedLabel(fieldName) {
+    return `${fieldName}_is_invalid`;
+  }
+
  static inputErrorMessage(element) {
    return convertToSnakeCase(element.validationMessage);
  }

  static action(element) {
-    return `track_${element.dataset.trackActionForErrors}_error`;
+    return FormErrorTracker.formattedAction(element.dataset.trackActionForErrors);
+  }
+
+  static formattedAction(baseActionName) {
+    return `track_${baseActionName}_error`;
  }

  static label(element, message) {
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@ -2144,7 +2144,12 @@ class MergeRequest < ApplicationRecord
  end

  def has_secret_detection_reports?
-    !!diff_head_pipeline&.complete_or_manual_and_has_reports?(::Ci::JobArtifact.of_report_type(:secret_detection))
+    if Feature.enabled?(:show_child_reports_in_mr_page, project)
+      !!diff_head_pipeline&.complete_or_manual? &&
+        !!diff_head_pipeline&.latest_report_builds_in_self_and_project_descendants(Ci::JobArtifact.of_report_type(:secret_detection))&.exists?
+    else
+      !!diff_head_pipeline&.complete_or_manual_and_has_reports?(::Ci::JobArtifact.of_report_type(:secret_detection))
+    end
  end

  def compare_sast_reports(current_user)
@ -2674,9 +2679,11 @@ class MergeRequest < ApplicationRecord
  end

  def report_type_enabled?(report_type)
+    supported_report_types_for_child_pipelines = [:sast, :secret_detection]
+
    if report_type == :license_scanning
      ::Gitlab::LicenseScanning.scanner_for_pipeline(project, diff_head_pipeline).has_data?
-    elsif report_type == :sast && Feature.enabled?(:show_child_reports_in_mr_page, project)
+    elsif supported_report_types_for_child_pipelines.include?(report_type) && Feature.enabled?(:show_child_reports_in_mr_page, project)
      !!diff_head_pipeline&.latest_report_builds_in_self_and_project_descendants(::Ci::JobArtifact.of_report_type(report_type))&.exists?
    else
      !!diff_head_pipeline&.batch_lookup_report_artifact_for_file_type(report_type)
--- a/lib/gitlab/redis/wrapper.rb
+++ b/lib/gitlab/redis/wrapper.rb
@ -123,6 +123,9 @@ module Gitlab
        # we use strings to look up Gitlab::Instrumentation::Redis.storage_hash as a bypass
        options[:custom] = { instrumentation_class: self.class.store_name }

+        # Reconnect 1 time with jitter to avoid CPU saturation.
+        options[:reconnect_attempts] = [Random.rand(0.25)]
+
        if options[:sentinels]
          # name is required in RedisClient::SentinelConfig
          # https://github.com/redis-rb/redis-client/blob/1ab081c1d0e47df5d55e011c9390c70b2eef6731/lib/redis_client/sentinel_config.rb#L17
--- a/lib/tasks/gitlab/tw/codeowners.rake
+++ b/lib/tasks/gitlab/tw/codeowners.rake
@ -76,6 +76,7 @@ namespace :tw do
      CodeOwnerRule.new('Hosted Runners', '@rsarangadharan'),
      CodeOwnerRule.new('Seat Management', '@lciutacu'),
      # CodeOwnerRule.new('Security Infrastructure', ''),
+      CodeOwnerRule.new('Security Platform Management', '@rlehmann1'),
      CodeOwnerRule.new('Security Policies', '@rlehmann1'),
      CodeOwnerRule.new('Secret Detection', '@phillipwells'),
      CodeOwnerRule.new('Security Insights', '@rlehmann1'),
--- a/spec/frontend/pages/shared/form_error_tracker_spec.js
+++ b/spec/frontend/pages/shared/form_error_tracker_spec.js
@ -99,6 +99,22 @@ describe('FormErrorTracker', () => {
    });
  });

+  describe('formattedLabel', () => {
+    it('returns correct sanitized label for $fieldName', () => {
+      expect(FormErrorTracker.formattedLabel('something')).toBe('something_is_invalid');
+    });
+  });
+
+  describe('formattedAction', () => {
+    it('returns formatted action', () => {
+      expect(FormErrorTracker.formattedAction(trackAction)).toBe(`track_${trackAction}_error`);
+    });
+
+    it('returns formatted action for different base action names', () => {
+      expect(FormErrorTracker.formattedAction('user_signup')).toBe('track_user_signup_error');
+    });
+  });
+
  describe('action', () => {
    it('returns action', () => {
      expect(
--- a/spec/models/merge_request_spec.rb
+++ b/spec/models/merge_request_spec.rb
@ -3091,6 +3091,37 @@ RSpec.describe MergeRequest, factory_default: :keep, feature_category: :code_rev
    end
  end

+  shared_examples_for 'reports in child pipelines' do |report_type|
+    context 'when the child pipeline has reports' do
+      let_it_be(:merge_request) { create(:merge_request, source_project: project) }
+      let_it_be(:pipeline) { create(:ci_pipeline, :success, sha: merge_request.diff_head_sha, merge_requests_as_head_pipeline: [merge_request]) }
+      let_it_be(:child_pipeline) { create(:ci_pipeline, :success, child_of: pipeline) }
+      let_it_be(:child_build) { create(:ci_build, report_type, pipeline: child_pipeline) }
+
+      context 'when the pipeline is still running' do
+        let_it_be(:pipeline) { create(:ci_pipeline, :running, sha: merge_request.diff_head_sha, merge_requests_as_head_pipeline: [merge_request]) }
+
+        it 'returns false if head pipeline is running' do
+          expect(subject).to eq(false)
+        end
+      end
+
+      it 'returns true if head pipeline is finished' do
+        expect(subject).to eq(true)
+      end
+
+      context 'when FF show_child_reports_in_mr_page is disabled' do
+        before do
+          stub_feature_flags(show_child_reports_in_mr_page: false)
+        end
+
+        it 'returns false regardless of child pipeline reports' do
+          expect(subject).to eq(false)
+        end
+      end
+    end
+  end
+
  describe '#has_test_reports?' do
    subject { merge_request.has_test_reports? }

@ -3250,47 +3281,20 @@ RSpec.describe MergeRequest, factory_default: :keep, feature_category: :code_rev
      it { is_expected.to be_falsey }
    end

-    context 'when the child pipeline has sast reports' do
-      let_it_be(:merge_request) { create(:merge_request, source_project: project) }
-      let_it_be(:pipeline) { create(:ci_pipeline, :success, sha: merge_request.diff_head_sha, merge_requests_as_head_pipeline: [merge_request]) }
-      let_it_be(:child_pipeline) { create(:ci_pipeline, :success, child_of: pipeline) }
-      let_it_be(:child_build) { create(:ci_build, :sast_report, pipeline: child_pipeline) }
-
-      context 'when the pipeline is still running' do
-        let_it_be(:pipeline) { create(:ci_pipeline, :running, sha: merge_request.diff_head_sha, merge_requests_as_head_pipeline: [merge_request]) }
-
-        it 'returns false if head pipeline is running' do
-          expect(subject).to eq(false)
-        end
-      end
-
-      it 'returns true if head pipeline is finished' do
-        expect(subject).to eq(true)
-      end
-
-      context 'when FF show_child_reports_in_mr_page is disabled' do
-        before do
-          stub_feature_flags(show_child_reports_in_mr_page: false)
-        end
-
-        it 'returns false regardless of child pipeline reports' do
-          expect(subject).to eq(false)
-        end
-      end
-    end
+    it_behaves_like 'reports in child pipelines', :sast_report
  end

  describe '#has_secret_detection_reports?' do
    subject { merge_request.has_secret_detection_reports? }

-    let(:project) { create(:project, :repository) }
+    let_it_be(:project) { create(:project, :repository) }

    before do
      stub_licensed_features(secret_detection: true)
    end

    context 'when head pipeline has secret detection reports' do
-      let(:merge_request) { create(:merge_request, :with_secret_detection_reports, source_project: project) }
+      let_it_be(:merge_request) { create(:merge_request, :with_secret_detection_reports, source_project: project) }

      it { is_expected.to be_truthy }

@ -3304,10 +3308,12 @@ RSpec.describe MergeRequest, factory_default: :keep, feature_category: :code_rev
    end

    context 'when head pipeline does not have secrets detection reports' do
-      let(:merge_request) { create(:merge_request, source_project: project) }
+      let_it_be(:merge_request) { create(:merge_request, source_project: project) }

      it { is_expected.to be_falsey }
    end
+
+    it_behaves_like 'reports in child pipelines', :secret_detection_report
  end

  describe '#calculate_reactive_cache' do
@ -6520,13 +6526,7 @@ RSpec.describe MergeRequest, factory_default: :keep, feature_category: :code_rev
          let(:child_pipeline) { create(:ci_pipeline, :success, child_of: pipeline) }
          let!(:child_build) { create(:ci_build, artifact_report, pipeline: child_pipeline) }

-          it 'returns true for sast reports' do
-            if feature == :sast
-              is_expected.to be_truthy
-            else
-              is_expected.to be_falsy
-            end
-          end
+          it { is_expected.to be_truthy }

          context 'with FF show_child_reports_in_mr_page disabled' do
            before do
--- a/spec/support/shared_examples/redis/redis_shared_examples.rb
+++ b/spec/support/shared_examples/redis/redis_shared_examples.rb
@ -117,6 +117,10 @@ RSpec.shared_examples "redis_shared_examples" do
      expect(params1.object_id).to eq(params2.object_id)
    end

+    it 'contains reconnect_attempts with random delay' do
+      expect(subject[:reconnect_attempts].first).to be_between(0, 0.25).inclusive
+    end
+
    context 'with command to generate extra config specified' do
      let(:config_file_name) { 'spec/fixtures/config/redis_config_with_extra_config_command.yml' }