Add latest changes from gitlab-org/gitlab@master

.rubocop_todo/rspec/context_wording.yml

@@ -1883,7 +1883,6 @@ RSpec/ContextWording:
     - 'spec/lib/gitlab/usage/service_ping_report_spec.rb'
     - 'spec/lib/gitlab/usage_data/topology_spec.rb'
     - 'spec/lib/gitlab/usage_data_counters/ipynb_diff_activity_counter_spec.rb'
-    - 'spec/lib/gitlab/usage_data_counters/kubernetes_agent_counter_spec.rb'
     - 'spec/lib/gitlab/usage_data_counters/quick_action_activity_unique_counter_spec.rb'
     - 'spec/lib/gitlab/utils/lazy_attributes_spec.rb'
     - 'spec/lib/gitlab/utils/mime_type_spec.rb'

.rubocop_todo/rspec/expect_change.yml

@@ -224,7 +224,6 @@ RSpec/ExpectChange:
     - 'spec/lib/gitlab/legacy_github_import/label_formatter_spec.rb'
     - 'spec/lib/gitlab/legacy_github_import/project_creator_spec.rb'
     - 'spec/lib/gitlab/query_limiting/transaction_spec.rb'
-    - 'spec/lib/gitlab/usage_data_counters/kubernetes_agent_counter_spec.rb'
     - 'spec/models/ci/build_metadata_spec.rb'
     - 'spec/models/ci/build_spec.rb'
     - 'spec/models/ci/job_artifact_spec.rb'

.rubocop_todo/rspec/feature_category.yml

@@ -3290,7 +3290,6 @@ RSpec/FeatureCategory:
     - 'spec/lib/gitlab/usage_data_counters/ipynb_diff_activity_counter_spec.rb'
     - 'spec/lib/gitlab/usage_data_counters/issue_activity_unique_counter_spec.rb'
     - 'spec/lib/gitlab/usage_data_counters/jetbrains_plugin_activity_unique_counter_spec.rb'
-    - 'spec/lib/gitlab/usage_data_counters/kubernetes_agent_counter_spec.rb'
     - 'spec/lib/gitlab/usage_data_counters/merge_request_activity_unique_counter_spec.rb'
     - 'spec/lib/gitlab/usage_data_counters/merge_request_widget_extension_counter_spec.rb'
     - 'spec/lib/gitlab/usage_data_counters/package_event_counter_spec.rb'

.rubocop_todo/rspec/named_subject.yml

@@ -2305,7 +2305,6 @@ RSpec/NamedSubject:
     - 'spec/lib/gitlab/usage/metrics/instrumentations/redis_metric_spec.rb'
     - 'spec/lib/gitlab/usage_data/topology_spec.rb'
     - 'spec/lib/gitlab/usage_data_counters/hll_redis_counter_spec.rb'
-    - 'spec/lib/gitlab/usage_data_counters/kubernetes_agent_counter_spec.rb'
     - 'spec/lib/gitlab/usage_data_counters/redis_counter_spec.rb'
     - 'spec/lib/gitlab/usage_data_counters_spec.rb'
     - 'spec/lib/gitlab/usage_data_metrics_spec.rb'

app/assets/javascripts/custom_emoji/components/list.vue

@@ -2,7 +2,7 @@
 <script>
 import { GlLoadingIcon, GlTableLite, GlTabs, GlTab, GlBadge, GlKeysetPagination } from '@gitlab/ui';
 import { __ } from '~/locale';
-import { formatDate } from '~/lib/utils/datetime/date_format_utility';
+import { localeDateFormat } from '~/lib/utils/datetime/locale_dateformat';
 import DeleteItem from './delete_item.vue';
 
 export default {
@@ -63,7 +63,7 @@ export default {
       });
     },
     formatDate(date) {
-      return formatDate(date, 'mmmm d, yyyy');
+      return localeDateFormat.asDate.format(date);
     },
   },
   fields: [

app/helpers/emails_helper.rb

@@ -100,6 +100,7 @@ module EmailsHelper
 
   def closure_reason_text(closed_via, format:, name:)
     name = sanitize_name(name)
+
     case closed_via
     when MergeRequest
       merge_request = MergeRequest.find(closed_via[:id]).present
@@ -122,8 +123,10 @@ module EmailsHelper
 
       _("Issue was closed by %{name} with %{closed_via}") % { name: name, closed_via: closed_via }
     else
+      type = work_item_type_for(@issue).capitalize
+
       if name
-        _("Issue was closed by %{name}") % { name: name }
+        _("%{type} was closed by %{name}") % { name: name, type: type }
       else
         ""
       end

app/views/admin/gitaly_servers/index.html.haml

@@ -1,15 +1,11 @@
 - breadcrumb_title _("Gitaly servers")
 - page_title _("Gitaly servers")
 
-= render ::Layouts::PageHeadingComponent.new(_('Gitaly servers'))
-= render Pajamas::CardComponent.new(card_options: { class: 'gl-new-card' }, header_options: { class: 'gl-new-card-header' }, body_options: { class: 'gl-new-card-body gl-px-0' }) do |c|
-  - c.with_header do
-    .gl-new-card-title-wrapper{ data: { event_tracking_load: 'true', event_tracking: 'view_admin_gitaly_servers_pageload' } }
-      %h3.gl-new-card-title
-        = _('Gitaly servers')
-      .gl-new-card-count
-        = sprite_icon('earth', css_class: "gl-mr-2 gl-fill-icon-subtle gl-icon")
-        = @gitaly_servers.size
+= render ::Layouts::PageHeadingComponent.new(_('Gitaly servers'), options: { data: { event_tracking_load: 'true', event_tracking: 'view_admin_gitaly_servers_pageload' } })
+
+= render ::Layouts::CrudComponent.new(_('Gitaly servers'),
+  icon: 'earth',
+  count: @gitaly_servers.size) do |c|
   - c.with_body do
     - if @gitaly_servers.any?
       %table.table.b-table.gl-table.b-table-stacked-md

app/views/notify/closed_issue_email.text.haml

@@ -1,3 +1,3 @@
 = closure_reason_text(@closed_via, format: formats.first, name: @updated_by.name)
 
-Issue ##{@issue.iid}: #{@target_url}
+#{work_item_type_for(@issue).capitalize} ##{@issue.iid}: #{@target_url}

config/events/created_flux_git_push_notifications.yml

@@ -0,0 +1,14 @@
+---
+description: Tracks Flux Git Push notification from KAS to agentk
+internal_events: true
+action: create_flux_git_push_notification
+product_group: environments
+milestone: '17.3'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150613
+distributions:
+  - ce
+  - ee
+tiers:
+  - free
+  - premium
+  - ultimate

config/events/request_api_proxy_access.yml

@@ -0,0 +1,14 @@
+---
+description: Tracks Kubernetes API proxy request
+internal_events: true
+action: request_api_proxy_access
+product_group: environments
+milestone: '17.3'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150613
+distributions:
+  - ce
+  - ee
+tiers:
+  - free
+  - premium
+  - ultimate

config/events/request_api_proxy_access_via_ci.yml

@@ -0,0 +1,14 @@
+---
+description: Tracks Kubernetes API proxy request via CI
+internal_events: true
+action: request_api_proxy_access_via_ci
+product_group: environments
+milestone: '17.3'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150613
+distributions:
+  - ce
+  - ee
+tiers:
+  - free
+  - premium
+  - ultimate

config/events/request_api_proxy_access_via_pat.yml

@@ -0,0 +1,14 @@
+---
+description: Tracks Kubernetes API proxy request via Personal Access Token
+internal_events: true
+action: request_api_proxy_access_via_pat
+product_group: environments
+milestone: '17.3'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150613
+distributions:
+  - ce
+  - ee
+tiers:
+  - free
+  - premium
+  - ultimate

config/events/request_api_proxy_access_via_user.yml

@@ -0,0 +1,14 @@
+---
+description: Tracks Kubernetes API proxy request via user
+internal_events: true
+action: request_api_proxy_access_via_user
+product_group: environments
+milestone: '17.3'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150613
+distributions:
+  - ce
+  - ee
+tiers:
+  - free
+  - premium
+  - ultimate

config/gitlab_loose_foreign_keys.yml

@@ -204,6 +204,10 @@ dast_site_profiles_builds:
   - table: p_ci_builds
     column: ci_build_id
     on_delete: async_delete
+dast_site_tokens:
+  - table: projects
+    column: project_id
+    on_delete: async_delete
 deployment_clusters:
   - table: clusters
     column: cluster_id

config/metrics/counts_all/20210505015532_kubernetes_agent_k8s_api_proxy_request.yml

@@ -9,11 +9,9 @@ status: active
 milestone: '13.12'
 introduced_by_url:
 time_frame: all
-data_source: redis
-instrumentation_class: RedisMetric
-options:
-  prefix: kubernetes_agent
-  event: k8s_api_proxy_request
+data_source: internal_events
+events:
+  - name: request_api_proxy_access
 distribution:
 - ce
 - ee

config/metrics/counts_all/20230616065123_kubernetes_agent_flux_git_push_notifications_total.yml

@@ -7,13 +7,11 @@ status: active
 milestone: "16.1"
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/123782
 time_frame: all
-data_source: redis
+data_source: internal_events
 data_category: optional
-instrumentation_class: RedisMetric
 performance_indicator_type: []
-options:
-  prefix: kubernetes_agent
-  event: flux_git_push_notifications_total
+events:
+  - name: create_flux_git_push_notification
 distribution:
 - ce
 - ee

config/metrics/counts_all/20230620073845_kubernetes_agent_k8s_api_proxy_requests_via_ci_access.yml

@@ -7,13 +7,11 @@ status: active
 milestone: "16.2"
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124147
 time_frame: all
-data_source: redis
+data_source: internal_events
 data_category: optional
-instrumentation_class: RedisMetric
 performance_indicator_type: []
-options:
-  prefix: kubernetes_agent
-  event: k8s_api_proxy_requests_via_ci_access
+events:
+  - name: request_api_proxy_access_via_ci
 distribution:
 - ce
 - ee

config/metrics/counts_all/20230620074102_kubernetes_agent_k8s_api_proxy_requests_via_user_access.yml

@@ -7,13 +7,11 @@ status: active
 milestone: "16.2"
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124147
 time_frame: all
-data_source: redis
+data_source: internal_events
 data_category: optional
-instrumentation_class: RedisMetric
 performance_indicator_type: []
-options:
-  prefix: kubernetes_agent
-  event: k8s_api_proxy_requests_via_user_access
+events:
+  - name: request_api_proxy_access_via_user
 distribution:
 - ce
 - ee

config/metrics/counts_all/20230816085929_kubernetes_agent_k8s_api_proxy_requests_via_pat_access.yml

@@ -7,12 +7,10 @@ status: active
 milestone: "16.4"
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129463
 time_frame: all
-data_source: redis
+data_source: internal_events
 data_category: optional
-instrumentation_class: RedisMetric
-options:
-  prefix: kubernetes_agent
-  event: k8s_api_proxy_requests_via_pat_access
+events:
+  - name: request_api_proxy_access_via_pat
 performance_indicator_type: []
 distribution:
 - ce

data/deprecations/17-0-deprecate-support-for-OWASP-2017.yml

@@ -1,5 +1,5 @@
 - title: "Group vulnerability report by OWASP top 10 2017 is deprecated"
-  removal_milestone: "17.3"
+  removal_milestone: "17.4"
   announcement_milestone: "17.0"
   breaking_change: false
   reporter: abellucci

data/deprecations/17-3-codeclimate.yml

@@ -0,0 +1,22 @@
+- title: "CodeClimate-based Code Quality scanning will be removed"  # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
+  announcement_milestone: "17.3"  # (required) The milestone when this feature was first announced as deprecated.
+  removal_milestone: "18.0"  # (required) The milestone when this feature is planned to be removed
+  breaking_change: true  # (required) Change to false if this is not a breaking change.
+  reporter: connorgilbert  # (required) GitLab username of the person reporting the change
+  stage: secure  # (required) String value of the stage that the feature was created in. e.g., Growth
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/471677  # (required) Link to the deprecation issue in GitLab
+  body: |  # (required) Do not modify this line, instead modify the lines below.
+    In GitLab 18.0, we will remove CodeClimate-based Code Quality scanning.
+    However, you'll still be able to import results from quality tools by [providing a report as an artifact](https://docs.gitlab.com/ee/ci/testing/code_quality.html#implement-a-custom-tool), just as you can today.
+    In addition, you can also see this [epic](https://gitlab.com/groups/gitlab-org/-/epics/8790) for new directions considered for Code Quality.
+
+    We expect to implement this change by:
+
+    1. Changing the [`Code-Quality.gitlab-ci.yml` CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml) to no longer execute scans. Today, this template runs CodeClimate-based scans. (We plan to change the template rather than delete it to reduce the impact on any pipelines that still `include` the template after 18.0.)
+    1. No longer running CodeClimate-based scanning as part of Auto DevOps.
+
+    Effective immediately, CodeClimate-based scanning will receive only [limited updates](https://docs.gitlab.com/ee/update/terminology.html#deprecation).
+    After End of Support in GitLab 18.0, we won't provide further updates.
+    However, we won't delete previously published container images or remove the ability to run them by using custom CI/CD pipeline job definitions.
+
+    For more details and required actions, see the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/471677#action-required).

db/docs/batched_background_migrations/backfill_error_tracking_error_events_project_id.yml

@@ -0,0 +1,9 @@
+---
+migration_job_name: BackfillErrorTrackingErrorEventsProjectId
+description: Backfills sharding key `error_tracking_error_events.project_id` from `error_tracking_errors`.
+feature_category: error_tracking
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161341
+milestone: '17.3'
+queued_migration_version: 20240731160144
+finalize_after: '2024-08-22'
+finalized_by: # version of the migration that finalized this BBM

db/docs/batched_background_migrations/make_security_policy_bots_private.yml

@@ -0,0 +1,9 @@
+---
+migration_job_name: MakeSecurityPolicyBotsPrivate
+description: Updates private_profile to true for all security policy bot users.
+feature_category: security_policy_management
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161151
+milestone: '17.3'
+queued_migration_version: 20240729124632
+finalize_after: '2024-08-15'
+finalized_by: # version of the migration that finalized this BBM

db/docs/dast_site_tokens.yml

@@ -7,7 +7,7 @@ feature_categories:
 description: Token for the site to be validated
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/41639
 milestone: '13.4'
-gitlab_schema: gitlab_main_cell
+gitlab_schema: gitlab_sec
 allow_cross_foreign_keys:
 - gitlab_main_clusterwide
 sharding_key:

db/docs/error_tracking_error_events.yml

@@ -19,3 +19,4 @@ desired_sharding_key:
         table: error_tracking_errors
         sharding_key: project_id
         belongs_to: error
+desired_sharding_key_migration_job_name: BackfillErrorTrackingErrorEventsProjectId

db/migrate/20240731160140_add_project_id_to_error_tracking_error_events.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddProjectIdToErrorTrackingErrorEvents < Gitlab::Database::Migration[2.2]
+  milestone '17.3'
+
+  def change
+    add_column :error_tracking_error_events, :project_id, :bigint
+  end
+end

db/post_migrate/20240722075838_remove_projects_dast_site_tokens_project_id_fk.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class RemoveProjectsDastSiteTokensProjectIdFk < Gitlab::Database::Migration[2.2]
+  milestone '17.3'
+  disable_ddl_transaction!
+
+  FOREIGN_KEY_NAME = "fk_rails_e84f721a8e"
+
+  def up
+    with_lock_retries do
+      remove_foreign_key_if_exists(:dast_site_tokens, :projects,
+        name: FOREIGN_KEY_NAME, reverse_lock_order: true)
+    end
+  end
+
+  def down
+    add_concurrent_foreign_key(:dast_site_tokens, :projects,
+      name: FOREIGN_KEY_NAME, column: :project_id,
+      target_column: :id, on_delete: :cascade)
+  end
+end

db/post_migrate/20240729124632_queue_make_security_policy_bots_private.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+class QueueMakeSecurityPolicyBotsPrivate < Gitlab::Database::Migration[2.2]
+  milestone '17.3'
+
+  restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+  MIGRATION = "MakeSecurityPolicyBotsPrivate"
+  DELAY_INTERVAL = 2.minutes
+  BATCH_SIZE = 1000
+  SUB_BATCH_SIZE = 100
+
+  def up
+    queue_batched_background_migration(
+      MIGRATION,
+      :users,
+      :id,
+      job_interval: DELAY_INTERVAL,
+      batch_size: BATCH_SIZE,
+      sub_batch_size: SUB_BATCH_SIZE
+    )
+  end
+
+  def down
+    delete_batched_background_migration(MIGRATION, :users, :id, [])
+  end
+end

db/post_migrate/20240731160141_index_error_tracking_error_events_on_project_id.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class IndexErrorTrackingErrorEventsOnProjectId < Gitlab::Database::Migration[2.2]
+  milestone '17.3'
+  disable_ddl_transaction!
+
+  INDEX_NAME = 'index_error_tracking_error_events_on_project_id'
+
+  def up
+    add_concurrent_index :error_tracking_error_events, :project_id, name: INDEX_NAME
+  end
+
+  def down
+    remove_concurrent_index_by_name :error_tracking_error_events, INDEX_NAME
+  end
+end

db/post_migrate/20240731160142_add_error_tracking_error_events_project_id_fk.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class AddErrorTrackingErrorEventsProjectIdFk < Gitlab::Database::Migration[2.2]
+  milestone '17.3'
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_foreign_key :error_tracking_error_events, :projects, column: :project_id, on_delete: :cascade
+  end
+
+  def down
+    with_lock_retries do
+      remove_foreign_key :error_tracking_error_events, column: :project_id
+    end
+  end
+end

db/post_migrate/20240731160143_add_error_tracking_error_events_project_id_trigger.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class AddErrorTrackingErrorEventsProjectIdTrigger < Gitlab::Database::Migration[2.2]
+  milestone '17.3'
+
+  def up
+    install_sharding_key_assignment_trigger(
+      table: :error_tracking_error_events,
+      sharding_key: :project_id,
+      parent_table: :error_tracking_errors,
+      parent_sharding_key: :project_id,
+      foreign_key: :error_id
+    )
+  end
+
+  def down
+    remove_sharding_key_assignment_trigger(
+      table: :error_tracking_error_events,
+      sharding_key: :project_id,
+      parent_table: :error_tracking_errors,
+      parent_sharding_key: :project_id,
+      foreign_key: :error_id
+    )
+  end
+end

db/post_migrate/20240731160144_queue_backfill_error_tracking_error_events_project_id.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+class QueueBackfillErrorTrackingErrorEventsProjectId < Gitlab::Database::Migration[2.2]
+  milestone '17.3'
+  restrict_gitlab_migration gitlab_schema: :gitlab_main_cell
+
+  MIGRATION = "BackfillErrorTrackingErrorEventsProjectId"
+  DELAY_INTERVAL = 2.minutes
+  BATCH_SIZE = 1000
+  SUB_BATCH_SIZE = 100
+
+  def up
+    queue_batched_background_migration(
+      MIGRATION,
+      :error_tracking_error_events,
+      :id,
+      :project_id,
+      :error_tracking_errors,
+      :project_id,
+      :error_id,
+      job_interval: DELAY_INTERVAL,
+      batch_size: BATCH_SIZE,
+      sub_batch_size: SUB_BATCH_SIZE
+    )
+  end
+
+  def down
+    delete_batched_background_migration(
+      MIGRATION,
+      :error_tracking_error_events,
+      :id,
+      [
+        :project_id,
+        :error_tracking_errors,
+        :project_id,
+        :error_id
+      ]
+    )
+  end
+end

db/schema_migrations/20240722075838

@@ -0,0 +1 @@
+98d457dad465ed47213aeb5f19cc0e4c4b7b63b637d7e3889cbff96508948955

db/schema_migrations/20240729124632

@@ -0,0 +1 @@
+27d17854dc925a1272057cc62471418707e40ef93d3e84bd6f350b3c6bbd8fd7

db/schema_migrations/20240731160140

@@ -0,0 +1 @@
+33e2ea59ff299bcf4273ad1ac5bd759762d2179868788093e44416b151eeedb9

db/schema_migrations/20240731160141

@@ -0,0 +1 @@
+0f5a739b5dd0c71a1f351e0f4a326ec9fa6f9a66e4b8966bbbd630a56886f2cb

db/schema_migrations/20240731160142

@@ -0,0 +1 @@
+7dc617273783f9ab59fbcf43c8dc33888c9bcbcdfaa6620b4cb57acba65c8dcf

db/schema_migrations/20240731160143

@@ -0,0 +1 @@
+3009cdf89090e618ac365ec0b921bad58a6d9477d75b4c84049f63d2739dd21c

db/schema_migrations/20240731160144

@@ -0,0 +1 @@
+6a8655271f76b8bf06d320d29617cb33c28f24fb7bb0a0a78c233ddd7650a6f7

db/structure.sql

@@ -1330,6 +1330,22 @@ RETURN NEW;
 END
 $$;
 
+CREATE FUNCTION trigger_6c38ba395cc1() RETURNS trigger
+    LANGUAGE plpgsql
+    AS $$
+BEGIN
+IF NEW."project_id" IS NULL THEN
+  SELECT "project_id"
+  INTO NEW."project_id"
+  FROM "error_tracking_errors"
+  WHERE "error_tracking_errors"."id" = NEW."error_id";
+END IF;
+
+RETURN NEW;
+
+END
+$$;
+
 CREATE FUNCTION trigger_6cdea9559242() RETURNS trigger
     LANGUAGE plpgsql
     AS $$
@@ -10490,6 +10506,7 @@ CREATE TABLE error_tracking_error_events (
     payload jsonb DEFAULT '{}'::jsonb NOT NULL,
     created_at timestamp with time zone NOT NULL,
     updated_at timestamp with time zone NOT NULL,
+    project_id bigint,
     CONSTRAINT check_92ecc3077b CHECK ((char_length(description) <= 1024)),
     CONSTRAINT check_c67d5b8007 CHECK ((char_length(level) <= 255)),
     CONSTRAINT check_f4b52474ad CHECK ((char_length(environment) <= 255))
@@ -27527,6 +27544,8 @@ CREATE INDEX index_error_tracking_client_keys_on_project_id ON error_tracking_cl
 
 CREATE INDEX index_error_tracking_error_events_on_error_id ON error_tracking_error_events USING btree (error_id);
 
+CREATE INDEX index_error_tracking_error_events_on_project_id ON error_tracking_error_events USING btree (project_id);
+
 CREATE INDEX index_error_tracking_errors_on_project_id ON error_tracking_errors USING btree (project_id);
 
 CREATE INDEX index_esc_protected_branches_on_external_status_check_id ON external_status_checks_protected_branches USING btree (external_status_check_id);
@@ -32079,6 +32098,8 @@ CREATE TRIGGER trigger_664594a3d0a7 BEFORE INSERT OR UPDATE ON merge_request_use
 
 CREATE TRIGGER trigger_68435a54ee2b BEFORE INSERT OR UPDATE ON packages_debian_project_architectures FOR EACH ROW EXECUTE FUNCTION trigger_68435a54ee2b();
 
+CREATE TRIGGER trigger_6c38ba395cc1 BEFORE INSERT OR UPDATE ON error_tracking_error_events FOR EACH ROW EXECUTE FUNCTION trigger_6c38ba395cc1();
+
 CREATE TRIGGER trigger_6cdea9559242 BEFORE INSERT OR UPDATE ON issue_links FOR EACH ROW EXECUTE FUNCTION trigger_6cdea9559242();
 
 CREATE TRIGGER trigger_77d9fbad5b12 BEFORE INSERT OR UPDATE ON packages_debian_project_distribution_keys FOR EACH ROW EXECUTE FUNCTION trigger_77d9fbad5b12();
@@ -33554,6 +33575,9 @@ ALTER TABLE ONLY namespaces
 ALTER TABLE ONLY fork_networks
     ADD CONSTRAINT fk_e7b436b2b5 FOREIGN KEY (root_project_id) REFERENCES projects(id) ON DELETE SET NULL;
 
+ALTER TABLE ONLY error_tracking_error_events
+    ADD CONSTRAINT fk_e84882273e FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
+
 ALTER TABLE ONLY ml_candidates
     ADD CONSTRAINT fk_e86e0bfa5a FOREIGN KEY (model_version_id) REFERENCES ml_model_versions(id) ON DELETE CASCADE;
 
@@ -35474,9 +35498,6 @@ ALTER TABLE ONLY boards_epic_board_recent_visits
 ALTER TABLE ONLY audit_events_streaming_instance_event_type_filters
     ADD CONSTRAINT fk_rails_e7bb18c0e1 FOREIGN KEY (instance_external_audit_event_destination_id) REFERENCES audit_events_instance_external_audit_event_destinations(id) ON DELETE CASCADE;
 
-ALTER TABLE ONLY dast_site_tokens
-    ADD CONSTRAINT fk_rails_e84f721a8e FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
-
 ALTER TABLE ONLY group_deploy_keys_groups
     ADD CONSTRAINT fk_rails_e87145115d FOREIGN KEY (group_id) REFERENCES namespaces(id) ON DELETE CASCADE;
 

doc/update/deprecations.md

@@ -168,6 +168,35 @@ The change will be introduced in GitLab 16.6 behind a feature flag. If you are i
 
 <div class="deprecation breaking-change" data-milestone="18.0">
 
+### CodeClimate-based Code Quality scanning will be removed
+
+<div class="deprecation-notes">
+
+- Announced in GitLab <span class="milestone">17.3</span>
+- Removal in GitLab <span class="milestone">18.0</span> ([breaking change](https://docs.gitlab.com/ee/update/terminology.html#breaking-change))
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/471677).
+
+</div>
+
+In GitLab 18.0, we will remove CodeClimate-based Code Quality scanning.
+However, you'll still be able to import results from quality tools by [providing a report as an artifact](https://docs.gitlab.com/ee/ci/testing/code_quality.html#implement-a-custom-tool), just as you can today.
+In addition, you can also see this [epic](https://gitlab.com/groups/gitlab-org/-/epics/8790) for new directions considered for Code Quality.
+
+We expect to implement this change by:
+
+1. Changing the [`Code-Quality.gitlab-ci.yml` CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml) to no longer execute scans. Today, this template runs CodeClimate-based scans. (We plan to change the template rather than delete it to reduce the impact on any pipelines that still `include` the template after 18.0.)
+1. No longer running CodeClimate-based scanning as part of Auto DevOps.
+
+Effective immediately, CodeClimate-based scanning will receive only [limited updates](https://docs.gitlab.com/ee/update/terminology.html#deprecation).
+After End of Support in GitLab 18.0, we won't provide further updates.
+However, we won't delete previously published container images or remove the ability to run them by using custom CI/CD pipeline job definitions.
+
+For more details and required actions, see the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/471677#action-required).
+
+</div>
+
+<div class="deprecation breaking-change" data-milestone="18.0">
+
 ### Compliance pipelines
 
 <div class="deprecation-notes">
@@ -853,6 +882,23 @@ This is one small step towards moving away from CI/CD templates in preference of
 
 <div class="deprecation " data-milestone="17.4">
 
+### Group vulnerability report by OWASP top 10 2017 is deprecated
+
+<div class="deprecation-notes">
+
+- Announced in GitLab <span class="milestone">17.0</span>
+- Removal in GitLab <span class="milestone">17.4</span>
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/458835).
+
+</div>
+
+Grouping the vulnerability report by OWASP top 10 2017 is deprecated, replaced by grouping by OWASP top 10 2021.
+In the future we will support the most recent version of OWASP top 10 for grouping on the vulnerability report.
+
+</div>
+
+<div class="deprecation " data-milestone="17.4">
+
 ### Removed Needs tab from the pipeline view
 
 <div class="deprecation-notes">
@@ -895,23 +941,6 @@ GitLab's [Statement of Support](https://about.gitlab.com/support/statement-of-su
 For example, installing additional packages in a `before_script` is not a supported modification.
 Nevertheless, if you rely on this type of customization, see the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/471869#action-required) to learn how to respond to this change or to provide feedback about your current customizations.
 
-</div>
-
-<div class="deprecation " data-milestone="17.3">
-
-### Group vulnerability report by OWASP top 10 2017 is deprecated
-
-<div class="deprecation-notes">
-
-- Announced in GitLab <span class="milestone">17.0</span>
-- Removal in GitLab <span class="milestone">17.3</span>
-- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/458835).
-
-</div>
-
-Grouping the vulnerability report by OWASP top 10 2017 is deprecated, replaced by grouping by OWASP top 10 2021.
-In the future we will support the most recent version of OWASP top 10 for grouping on the vulnerability report.
-
 </div>
 </div>
 

doc/user/application_security/iac_scanning/index.md

@@ -183,6 +183,61 @@ In the following example `sast-ruleset.toml` file, rules are matched by the `typ
       severity = "Info"
 ```
 
+### Offline configuration
+
+DETAILS:
+**Tier:** PREMIUM
+**Offering:** Self-managed
+
+An offline environment has limited, restricted, or intermittent access to external resources through
+the internet. For self-managed GitLab instances in such an environment, IaC requires
+some configuration changes. The instructions in this section must be completed together with the
+instructions detailed in [offline environments](../offline_deployments/index.md).
+
+#### Configure GitLab Runner
+
+By default, a runner tries to pull Docker images from the GitLab container registry even if a local
+copy is available. You should use this default setting, to ensure Docker images remain current.
+However, if no network connectivity is available, you must change the default GitLab Runner
+`pull_policy` variable.
+
+Configure the GitLab Runner CI/CD variable `pull_policy` to
+[`if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy).
+
+#### Use local IaC analyzer image
+
+Use a local IaC analyzer image if you want to obtain the image from a local Docker
+registry instead of the GitLab container registry.
+
+Prerequisites:
+
+- Importing Docker images into a local offline Docker registry depends on your
+  network security policy. Consult your IT staff to find an accepted and approved process
+  to import or temporarily access external resources.
+
+1. Import the default IaC analyzer image from `registry.gitlab.com` into your
+   [local Docker container registry](../../packages/container_registry/index.md):
+
+   ```plaintext
+   registry.gitlab.com/security-products/kics:5
+   ```
+
+   The IaC analyzer's image is [periodically updated](../index.md#vulnerability-scanner-maintenance)
+   so you should periodically update the local copy.
+
+1. Set the CI/CD variable `SECURE_ANALYZERS_PREFIX` to the local Docker container registry.
+
+   ```yaml
+   include:
+     - template: Jobs/SAST-IaC.gitlab-ci.yml
+
+   variables:
+     SECURE_ANALYZERS_PREFIX: "localhost:5000/analyzers"
+   ```
+
+The IaC job should now use the local copy of the analyzer Docker image,
+without requiring internet access.
+
 ## Use a specific analyzer version
 
 The GitLab-managed CI/CD template specifies a major version and automatically pulls the latest

doc/user/application_security/policies/scan-result-policies.md

@@ -460,14 +460,23 @@ Lock file tampering, for example, is outside of the scope of security policy man
 
 ![Evaluating scan result findings](img/scan_results_evaluation_white-bg.png)
 
-### Known issues
+### Filter out policy violations with the attributes "Fix Available" or "False Positive"
 
-We have identified in [epic 11020](https://gitlab.com/groups/gitlab-org/-/epics/11020) common areas of confusion in scan result findings that need to be addressed. Below are a few of the known issues:
+To avoid unnecessary approval requirements, these additional filters help ensure you only block MRs on the most actionable findings. 
 
-- When using `new_needs_triage` and `new_dismissed`, some findings may require approval when they are not introduced by the merge request (such as a new CVE on a related dependency)
-- Findings or errors that cause approval to be required on a merge request approval policy may not be evident in the Security MR widget. With `merge base` introduced in [issue 428518](https://gitlab.com/gitlab-org/gitlab/-/issues/428518) some cases were addressed. Support for displaying more granular details about what caused security policy violations is proposed in [epic 11185](https://gitlab.com/groups/gitlab-org/-/epics/11185).
-- Security policy violations are distinct compared to findings displayed in the MR widgets. Some violations may not be present in the MR widget. We are working to harmonize our features in [epic 11020](https://gitlab.com/groups/gitlab-org/-/epics/11020) and to display policy violations explicitly in merge requests in [epic 11185](https://gitlab.com/groups/gitlab-org/-/epics/11185).
-- When merged results pipelines are enabled for the project, along with branch pipelines for created MRs, the comparison between source and target branches depends on the order in which the source branch's pipeline finishes. This can create race conditions, a resolution of which is proposed in [issue 384927](https://gitlab.com/gitlab-org/gitlab/-/issues/384927). The approvals may behave differently, depending on which target branch pipeline is selected.
+By setting `fix_available` to `false` in YAML, or **is not** and **Fix Available** in the policy editor, the finding is not considered a policy violation when the finding has a solution or remediation available. Solutions appear at the bottom of the vulnerability object under the heading **Solution**. Remediations appear as a **Resolve with Merge Request** button within the vulnerability object.
+
+The **Resolve with Merge Request** button only appears when one of the following criteria is met:
+
+1. A SAST vulnerability is found in a project that is on the Ultimate Tier with GitLab Duo Enterprise.
+1. A container scanning vulnerability is found in a project that is on the Ultimate Tier in a job where `GIT_STRATEGY: fetch` has been set. Additionally, the vulnerability must have a package containing a fix that is available for the repositories enabled for the container image.
+1. A dependency scanning vulnerability is found in a Node.js project that is managed by yarn and a fix is available. Additionally, the project must be on the Ultimate Tier and FIPS mode must be disabled for the instance.
+
+**Fix Available** only applies to dependency scanning and container scanning.
+
+By using the **False Positive** attribute, similarly, you can ignore findings detected by a policy by setting `false_positive` to `false` (or set attribute to **Is not** and **False Positive** in the policy editor).
+
+The **False Positive** attribute only applies to findings detected by our Vulnerability Extraction Tool for SAST results.
 
 ## Troubleshooting
 
@@ -500,16 +509,20 @@ end.each do |project, configuration_ids|
 end
 ```
 
+### Newly detected CVEs
+
+When using `new_needs_triage` and `new_dismissed`, some findings may require approval when they are not introduced by the merge request (such as a new CVE on a related dependency). These findings will not be present within the MR widget, but will be highlighted in the policy bot comment and pipeline report.
+
 ### Support request for debugging of merge request approval policy
 
-GitLab SaaS users may submit a [support ticket](https://about.gitlab.com/support/) titled "Merge request approval policy debugging". Provide the following details:
+GitLab.com users may submit a [support ticket](https://about.gitlab.com/support/) titled "Merge request approval policy debugging". Provide the following details:
 
 - Group path, project path and optionally merge request ID
 - Severity
 - Current behavior
 - Expected behavior
 
-### GitLab SaaS
+#### GitLab.com
 
 Support teams will investigate [logs](https://log.gprd.gitlab.net/) (`pubsub-sidekiq-inf-gprd*`) to identify the failure `reason`. Below is an example response snippet from logs. You can use this query to find logs related to approvals: `json.event.keyword: "update_approvals"` and `json.project_path: "group-path/project-path"`. Optionally, you can further filter by the merge request identifier using `json.merge_request_iid`:
 
@@ -525,7 +538,7 @@ Support teams will investigate [logs](https://log.gprd.gitlab.net/) (`pubsub-sid
 }
 ```
 
-### GitLab self-managed
+#### GitLab self-managed
 
 Search for keywords such as the `project-path`, `api_fuzzing`, and `merge_request`. Example: `grep group-path/project-path`, and `grep merge_request`. If you know the correlation ID you can search by correlation ID. For example, if the value of `correlation_id` is 01HWN2NFABCEDFG, search for `01HWN2NFABCEDFG`.
 Search in the following files:

doc/user/application_security/policies/scan_execution_policies.md

@@ -282,30 +282,39 @@ In GitLab 16.9 and earlier:
 - If the CI/CD variables suffixed `_EXCLUDED_ANALYZERS` were declared in a policy, their values were
   ignored, regardless of where they were defined: policy, group, or project.
 
-## Security policy scopes
+## Scope security policies to projects
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/135398) in GitLab 16.7 [with a flag](../../../administration/feature_flags.md) named `security_policies_policy_scope`. Enabled by default.
 > - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/443594) in GitLab 16.11. Feature flag `security_policies_policy_scope` removed.
 
-Security policy enforcement depends first on establishing a link between the group, subgroup, or
-project on which you want to enforce policies, and the security policy project that contains the
-policies. For example, if you are linking policies to a group, a group owner must create the link to
+Security policy enforcement depends first on establishing a link between:
+
+- The group, subgroup, or project on which you want to enforce policies
+- The security policy project that contains the policies.
+
+For example, if you are linking policies to a group, a group owner must create the link to
 the security policy project. Then, all policies in the security policy project are inherited by all
 projects in the group.
 
-You can refine a security policy's scope to:
+You scope security policies to projects by setting the scopes in the `policy.yml` file to:
 
-- _Include_ only projects applied with a [compliance framework](../../group/compliance_frameworks.md).
-- _Include_ or _exclude_ selected projects from enforcement.
+- _Include_ only projects with an applied [compliance framework](../../group/compliance_frameworks.md) by using
+  the compliance framework's ID. To include projects, use `policy_scope.compliance_frameworks.id` to specify IDs of
+  compliance frameworks that are applied to the projects.
+- _Include_ or _exclude_ selected projects from enforcement by using the project's ID.
 
 ### Policy scope schema
 
+A policy scope must conform to this schema.
+
 | Field | Type | Required | Possible values | Description |
 |-------|------|----------|-----------------|-------------|
 | `policy_scope` | `object` | false | `compliance_frameworks`, `projects` | Scopes the policy based on compliance framework labels or projects you define. |
 
 #### `policy_scope` scope type
 
+Policy scopes are one of two types.
+
 | Field | Type | Possible values | Description |
 |-------|------|-----------------|-------------|
 | `compliance_frameworks` | `array` |  | List of IDs of the compliance frameworks in scope of enforcement, in an array of objects with key `id`. |
@@ -313,6 +322,11 @@ You can refine a security policy's scope to:
 
 #### Example `policy.yml` with security policy scopes
 
+In this example, the security policy:
+
+- Includes any project with compliance frameworks with an ID of either `2` or `11` applied to them.
+- Excludes projects with an ID of either `24` or `27`.
+
 ```yaml
 ---
 scan_execution_policy:

doc/user/application_security/vulnerability_report/index.md

@@ -184,7 +184,7 @@ You can group by:
 WARNING:
 Support for grouping by OWASP top 10 2017 was
 [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/458835) in GitLab 17.0 and is planned for
-removal in 17.3. Support for grouping by OWASP top 10 2021 is proposed in [issue 440182](https://gitlab.com/gitlab-org/gitlab/-/issues/440182) for GitLab 17.3.
+removal in 17.4. Support for grouping by OWASP top 10 2021 is proposed in [issue 440182](https://gitlab.com/gitlab-org/gitlab/-/issues/440182) for GitLab 17.4.
 
 ### Group vulnerabilities
 

doc/user/compliance/audit_event_types.md

@@ -63,12 +63,12 @@ Audit event types belong to the following product categories.
 | [`audit_events_streaming_instance_headers_destroy`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127228) | Triggered when a streaming header for instance level external audit event destination is deleted. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.3](https://gitlab.com/gitlab-org/gitlab/-/issues/417433) | Instance |
 | [`audit_events_streaming_instance_headers_update`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127228) | Triggered when a streaming header for instance level external audit event destination is updated. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.3](https://gitlab.com/gitlab-org/gitlab/-/issues/417433) | Instance |
 | [`create_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/74632) | Event triggered when an external audit event destination is created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [14.6](https://gitlab.com/gitlab-org/gitlab/-/issues/344664) | Group |
-| [`create_http_namespace_filter`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136047) | Event triggered when a namespace filter for an external audit event destination for a top-level group is created. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/424176) | Group |
-| [`create_instance_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/123882) | Event triggered when an instance level external audit event destination is created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.2](https://gitlab.com/gitlab-org/gitlab/-/issues/404730) | Instance |
-| [`created_group_audit_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147888) | Event triggered when an external audit event destination for a top-level group is created. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/436610) | Group |
-| [`created_group_namespace_filter`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150712) | Event triggered when a namespace filter for an external audit event destination for a top-level group is created. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.0](https://gitlab.com/gitlab-org/gitlab/-/issues/436612) | Group |
-| [`created_instance_audit_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148383) | Event triggered when an external audit event destination for a GitLab instance is created. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/436615) | Instance |
-| [`created_instance_namespace_filter`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153156) | Event triggered when a namespace filter for an external audit event destination for an instance is created. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.2](https://gitlab.com/gitlab-org/gitlab/-/issues/436613) | Instance |
+| [`create_http_namespace_filter`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136047) | Event triggered when a namespace filter for an external audit event destination for a top-level group is created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/424176) | Group |
+| [`create_instance_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/123882) | Event triggered when an external audit event destination for an instance is created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.2](https://gitlab.com/gitlab-org/gitlab/-/issues/404730) | Instance |
+| [`created_group_audit_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147888) | Triggered when an external audit event destination for a top-level group is created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/436610) | Group |
+| [`created_group_namespace_filter`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150712) | Triggered when a namespace filter for an external audit event destination for a top-level group is created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.0](https://gitlab.com/gitlab-org/gitlab/-/issues/436612) | Group |
+| [`created_instance_audit_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148383) | Triggered when an external audit event destination for an instance is created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/436615) | Instance |
+| [`created_instance_namespace_filter`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153156) | Triggered when a namespace filter for an external audit event destination for an instance is created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.2](https://gitlab.com/gitlab-org/gitlab/-/issues/436613) | Instance |
 | [`delete_http_namespace_filter`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136302) | Event triggered when a namespace filter for an external audit event destination for a top-level group is deleted. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.7](https://gitlab.com/gitlab-org/gitlab/-/issues/424177) | Group |
 | [`deleted_group_audit_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148738) | Event triggered when an external audit event destination for a top-level group is deleted. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/436610) | Group |
 | [`deleted_group_namespace_filter`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150712) | Event triggered when a namespace filter for an external audit event destination for a top-level group is deleted. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.0](https://gitlab.com/gitlab-org/gitlab/-/issues/436612) | Group |
@@ -134,12 +134,12 @@ Audit event types belong to the following product categories.
 | [`allow_committer_approval_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/102256) | Triggered when 'Prevent approvals by users who add commits' setting is updated. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.6](https://gitlab.com/gitlab-org/gitlab/-/issues/373949) | Group |
 | [`allow_overrides_to_approver_list_per_merge_request_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/102256) | Triggered when 'Prevent editing approval rules in projects and merge requests' setting is updated. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.6](https://gitlab.com/gitlab-org/gitlab/-/issues/373949) | Group |
 | [`audit_events_streaming_headers_update`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92068) | Triggered when a streaming header for audit events is updated. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.3](https://gitlab.com/gitlab-org/gitlab/-/issues/366350) | Group |
-| [`compliance_framework_added`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157893) | Triggered when a framework label is added to a project. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.2](https://gitlab.com/gitlab-org/gitlab/-/issues/464160) | Project |
-| [`compliance_framework_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/65343) | Triggered when a framework gets removed from a project | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [14.1](https://gitlab.com/gitlab-org/gitlab/-/issues/329362) | Project |
-| [`compliance_framework_id_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/94711) | audit when compliance framework ID is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/369310) | Project |
-| [`compliance_framework_removed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157893) | Triggered when a framework label is removed from a project. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.2](https://gitlab.com/gitlab-org/gitlab/-/issues/464160) | Project |
-| [`create_compliance_framework`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/74292) | Triggered on successful compliance framework creation | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [14.6](https://gitlab.com/gitlab-org/gitlab/-/issues/340649) | Group |
-| [`create_status_check`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84624) | Event triggered when an external status check is created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/355805) | Project |
+| [`compliance_framework_added`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157893) | Triggered when a compliance framework is applied to a project | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.2](https://gitlab.com/gitlab-org/gitlab/-/issues/464160) | Project |
+| [`compliance_framework_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/65343) | Triggered when a compliance framework is removed from a project | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [14.1](https://gitlab.com/gitlab-org/gitlab/-/issues/329362) | Project |
+| [`compliance_framework_id_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/94711) | Triggered when a compliance framework ID is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/369310) | Project |
+| [`compliance_framework_removed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157893) | Triggered when a compliance framework is removed from a project | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.2](https://gitlab.com/gitlab-org/gitlab/-/issues/464160) | Project |
+| [`create_compliance_framework`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/74292) | Triggered on when a compliance framework is successfully created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [14.6](https://gitlab.com/gitlab-org/gitlab/-/issues/340649) | Group |
+| [`create_status_check`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84624) | Triggered when an external status check is created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/355805) | Project |
 | [`delete_status_check`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84624) | Event triggered when an external status check is deleted | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/355805) | Project |
 | [`destroy_compliance_framework`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/74292) | Triggered on successful compliance framework deletion | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [14.6](https://gitlab.com/gitlab-org/gitlab/-/issues/340649) | Group |
 | [`email_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/114546) | Event triggered when an email is created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/374107) | User |
@@ -219,27 +219,27 @@ Audit event types belong to the following product categories.
 | Name | Description | Saved to database | Streamed | Introduced in | Scope |
 |:------------|:------------|:------------------|:---------|:--------------|:--------------|
 | [`allow_merge_on_skipped_pipeline_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83922) | Triggered when 'Skipped pipelines are considered successful' setting is updated. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [14.10](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) | Project |
-| [`ci_group_variable_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a CI variable is created at a group level | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | Group |
-| [`ci_group_variable_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a group's CI variable is deleted | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | Group |
-| [`ci_group_variable_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a group's CI variable is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | Group |
-| [`ci_instance_variable_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131882) | When an instance level CI variable is created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/8070) | Instance |
-| [`ci_instance_variable_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131882) | When an instance level CI variable is deleted | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/8070) | Instance |
-| [`ci_instance_variable_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131882) | When an instance level CI variable is changed | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/8070) | Instance |
-| [`ci_variable_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a CI variable is created at a project level | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | Project |
-| [`ci_variable_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a project's CI variable is deleted | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | Project |
-| [`ci_variable_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a project's CI variable is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | Project |
+| [`ci_group_variable_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a CI/CD variable is created for a group | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | Group |
+| [`ci_group_variable_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a CI/CD variable is deleted for a group | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | Group |
+| [`ci_group_variable_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a CI/CD variable is updated for a group | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | Group |
+| [`ci_instance_variable_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131882) | Triggered when a CI/CD variable is created for an instance | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/8070) | Instance |
+| [`ci_instance_variable_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131882) | Triggered when a CI/CD variable is deleted for an instance | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/8070) | Instance |
+| [`ci_instance_variable_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131882) | Triggered when a CI/CD variable is updated for an instance | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/8070) | Instance |
+| [`ci_variable_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a CI/CD variable is created for a project | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | Project |
+| [`ci_variable_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a CI/CD variable is deleted for a project | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | Project |
+| [`ci_variable_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a CI/CD variable is updated for a project | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | Project |
 | [`destroy_pipeline`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/135255) | Event triggered when a pipeline is deleted | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/339041) | Project |
 
 ### Deployment management
 
 | Name | Description | Saved to database | Streamed | Introduced in | Scope |
 |:------------|:------------|:------------------|:---------|:--------------|:--------------|
-| [`cluster_agent_create_failed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159593) | Event triggered when a user attempts to create a cluster agent but it failed | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.3](https://gitlab.com/gitlab-org/gitlab/-/issues/462749) | Project |
-| [`cluster_agent_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159593) | Event triggered when a user creates a cluster agent | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.3](https://gitlab.com/gitlab-org/gitlab/-/issues/462749) | Project |
-| [`cluster_agent_delete_failed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159593) | Event triggered when a user attempts to delete a cluster agent but it failed | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.3](https://gitlab.com/gitlab-org/gitlab/-/issues/462749) | Project |
-| [`cluster_agent_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159593) | Event triggered when a user deletes a cluster agent | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.3](https://gitlab.com/gitlab-org/gitlab/-/issues/462749) | Project |
-| [`cluster_agent_token_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/112036) | Event triggered when a user creates a cluster agent token | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.10](https://gitlab.com/gitlab-org/gitlab/-/issues/382133) | Project |
-| [`cluster_agent_token_revoked`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/112036) | Event triggered when a user revokes a cluster agent token | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.10](https://gitlab.com/gitlab-org/gitlab/-/issues/382133) | Project |
+| [`cluster_agent_create_failed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159593) | Triggered when a user attempts to create a cluster agent but it failed | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.3](https://gitlab.com/gitlab-org/gitlab/-/issues/462749) | Project |
+| [`cluster_agent_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159593) | Triggered when a user creates a cluster agent | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.3](https://gitlab.com/gitlab-org/gitlab/-/issues/462749) | Project |
+| [`cluster_agent_delete_failed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159593) | Triggered when a user attempts to delete a cluster agent but it failed | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.3](https://gitlab.com/gitlab-org/gitlab/-/issues/462749) | Project |
+| [`cluster_agent_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159593) | Triggered when a user deletes a cluster agent | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.3](https://gitlab.com/gitlab-org/gitlab/-/issues/462749) | Project |
+| [`cluster_agent_token_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/112036) | Triggered when a user creates a cluster agent token | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.10](https://gitlab.com/gitlab-org/gitlab/-/issues/382133) | Project |
+| [`cluster_agent_token_revoked`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/112036) | Triggered when a user revokes a cluster agent token | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.10](https://gitlab.com/gitlab-org/gitlab/-/issues/382133) | Project |
 
 ### Dynamic application security testing
 
@@ -283,7 +283,7 @@ Audit event types belong to the following product categories.
 
 | Name | Description | Saved to database | Streamed | Introduced in | Scope |
 |:------------|:------------|:------------------|:---------|:--------------|:--------------|
-| [`ci_runner_usage_export`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/139578) | Triggered when a runner usage report is generated. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.8](https://gitlab.com/gitlab-org/gitlab/-/issues/426560) | Instance |
+| [`ci_runner_usage_export`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/139578) | Triggered when a runner usage report is generated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.8](https://gitlab.com/gitlab-org/gitlab/-/issues/426560) | Instance |
 
 ### Fuzz testing
 
@@ -295,7 +295,7 @@ Audit event types belong to the following product categories.
 
 | Name | Description | Saved to database | Streamed | Introduced in | Scope |
 |:------------|:------------|:------------------|:---------|:--------------|:--------------|
-| [`create_ssh_certificate`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134556) | Event triggered when an SSH certificate is created. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/427413) | Group |
+| [`create_ssh_certificate`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134556) | Triggered when an SSH certificate is created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/427413) | Group |
 | [`delete_ssh_certificate`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134556) | Event triggered when an SSH certificate is deleted. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/427413) | Group |
 | [`group_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121005) | Event triggered when a group is created. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.3](https://gitlab.com/gitlab-org/gitlab/-/issues/411595) | Group |
 | [`group_lfs_enabled_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106079) | Event triggered when a groups lfs enabled is updated. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/369323) | Group |
@@ -505,7 +505,7 @@ Audit event types belong to the following product categories.
 
 | Name | Description | Saved to database | Streamed | Introduced in | Scope |
 |:------------|:------------|:------------------|:---------|:--------------|:--------------|
-| [`comment_by_project_bot`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/120927) | Triggered when a comment is added to an issue or an MR using the project access token | **{dotted-circle}** No | **{check-circle}** Yes | GitLab [16.1](https://gitlab.com/gitlab-org/gitlab/-/issues/323299) | Project |
+| [`comment_by_project_bot`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/120927) | Triggered when a comment is added to an issue or a merge request when using a project access token | **{dotted-circle}** No | **{check-circle}** Yes | GitLab [16.1](https://gitlab.com/gitlab-org/gitlab/-/issues/323299) | Project |
 | [`delete_issue`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/96773) | Event triggered on successful issue deletion | **{dotted-circle}** No | **{check-circle}** Yes | GitLab [15.4](https://gitlab.com/gitlab-org/gitlab/-/issues/370487) | Project |
 | [`delete_work_item`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/96773) | Event triggered on successful work item deletion | **{dotted-circle}** No | **{check-circle}** Yes | GitLab [15.4](https://gitlab.com/gitlab-org/gitlab/-/issues/370487) | Project |
 | [`issue_closed_by_project_bot`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121485) | Triggered when an issue is closed using a project access token | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.1](https://gitlab.com/gitlab-org/gitlab/-/issues/323299) | Project |
@@ -521,7 +521,7 @@ Audit event types belong to the following product categories.
 |:------------|:------------|:------------------|:---------|:--------------|:--------------|
 | [`authenticated_with_group_saml`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28575) | Triggered when successfully signing in with SAML authentication. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [12.10](https://gitlab.com/gitlab-org/gitlab/-/issues/35710) | Group |
 | [`ban_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116103) | Triggered when a user is banned, unbanned, blocked, or unblocked | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User |
-| [`change_membership_state`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87924) | Event triggered on a users membership is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.1](https://gitlab.com/gitlab-org/gitlab/-/issues/362200) | Group |
+| [`change_membership_state`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87924) | Triggered when a user's membership is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.1](https://gitlab.com/gitlab-org/gitlab/-/issues/362200) | Group |
 | [`password_reset_failed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129079) | Event triggered when a password reset fails for a user | **{dotted-circle}** No | **{check-circle}** Yes | GitLab [16.4](https://gitlab.com/gitlab-org/gitlab/-/issues/377762) | User |
 | [`unban_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116221) | Event triggered on user unban action | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User |
 | [`unblock_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/115727) | Event triggered on user unblock action | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User |

doc/user/compliance/license_scanning_of_cyclonedx_files/index.md

@@ -164,6 +164,24 @@ License scanning is supported for the following languages and package managers:
 The supported files and versions are the ones supported by
 [Dependency Scanning](../../application_security/dependency_scanning/index.md#supported-languages-and-package-managers).
 
+## Data sources
+
+License information for supported packages is obtained from the sources below. GitLab does
+additional processing on the original data, which includes mapping variations to the canonical
+license names.
+
+| Package manager | Source                                                           |
+|-----------------|------------------------------------------------------------------|
+| Cargo           | <https://deps.dev/>                                              |
+| Conan           | <https://github.com/conan-io/conan-center-index>                 |
+| Go              | <https://index.golang.org/>                                      |
+| Maven           | <https://storage.googleapis.com/maven-central>                   |
+| npm             | <https://deps.dev/>                                              |
+| NuGet           | <https://api.nuget.org/v3/catalog0/index.json>                   |
+| Packagist       | <https://packagist.org/packages/list.json>                       |
+| PyPI            | <https://warehouse.pypa.io/api-reference/bigquery-datasets.html> |
+| Rubygems        | <https://rubygems.org/versions>                                  |
+
 ## License expressions
 
 The License Scanning of CycloneDX files does not support [composite licenses](https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-expressions/).

doc/user/group/compliance_frameworks.md

@@ -14,7 +14,8 @@ You can create a compliance framework that is a label to identify that your proj
 requirements or needs additional oversight.
 
 In the Ultimate tier, the compliance framework can optionally enforce
-[compliance pipeline configuration](compliance_pipelines.md) and [security policies](../application_security/policies/scan_execution_policies.md#security-policy-scopes) to the projects on which it is applied.
+[compliance pipeline configuration](compliance_pipelines.md) and
+[security policies](../application_security/policies/scan_execution_policies.md#scope-security-policies-to-projects) to the projects on which it is applied.
 
 Compliance frameworks are created on top-level groups. If a project is moved outside of its existing top-level group,
 its frameworks are removed.

lib/api/helpers/kubernetes/agent_helpers.rb

@@ -6,6 +6,14 @@ module API
       module AgentHelpers
         include Gitlab::Utils::StrongMemoize
 
+        COUNTERS_EVENTS_MAPPING = {
+          'flux_git_push_notifications_total' => 'create_flux_git_push_notification',
+          'k8s_api_proxy_request' => 'request_api_proxy_access',
+          'k8s_api_proxy_requests_via_ci_access' => 'request_api_proxy_access_via_ci',
+          'k8s_api_proxy_requests_via_user_access' => 'request_api_proxy_access_via_user',
+          'k8s_api_proxy_requests_via_pat_access' => 'request_api_proxy_access_via_pat'
+        }.freeze
+
         def authenticate_gitlab_kas_request!
           render_api_error!('KAS JWT authentication invalid', 401) unless Gitlab::Kas.verify_api_request(headers)
         end
@@ -94,13 +102,16 @@ module API
         end
 
         def increment_count_events
-          events = params[:counters]&.slice(
-            :k8s_api_proxy_request, :flux_git_push_notifications_total,
-            :k8s_api_proxy_requests_via_ci_access, :k8s_api_proxy_requests_via_user_access,
-            :k8s_api_proxy_requests_via_pat_access
-          )
+          counters = params[:counters]&.slice(*COUNTERS_EVENTS_MAPPING.keys)
 
-          Gitlab::UsageDataCounters::KubernetesAgentCounter.increment_event_counts(events)
+          return unless counters.present?
+
+          counters.each do |counter, incr|
+            next if incr == 0
+
+            event = COUNTERS_EVENTS_MAPPING[counter]
+            incr.times { Gitlab::InternalEvents.track_event(event) }
+          end
         end
 
         def update_configuration(agent:, config:)

lib/gitlab/background_migration/backfill_error_tracking_error_events_project_id.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module BackgroundMigration
+    class BackfillErrorTrackingErrorEventsProjectId < BackfillDesiredShardingKeyJob
+      operation_name :backfill_error_tracking_error_events_project_id
+      feature_category :error_tracking
+    end
+  end
+end

lib/gitlab/background_migration/make_security_policy_bots_private.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module BackgroundMigration
+    class MakeSecurityPolicyBotsPrivate < BatchedMigrationJob
+      feature_category :security_policy_management
+
+      def perform; end
+    end
+  end
+end
+
+Gitlab::BackgroundMigration::MakeSecurityPolicyBotsPrivate.prepend_mod

lib/gitlab/usage_data_counters.rb

@@ -5,7 +5,6 @@ module Gitlab
     COUNTERS = [
       PackageEventCounter,
       DiffsCounter,
-      KubernetesAgentCounter,
       WebIdeCounter,
       MergeRequestWidgetExtensionCounter
     ].freeze

lib/gitlab/usage_data_counters/kubernetes_agent_counter.rb

@@ -1,40 +0,0 @@
-# frozen_string_literal: true
-
-module Gitlab
-  module UsageDataCounters
-    class KubernetesAgentCounter < BaseCounter
-      PREFIX = 'kubernetes_agent'
-      KNOWN_EVENTS = %w[
-        k8s_api_proxy_request
-        flux_git_push_notifications_total
-        k8s_api_proxy_requests_via_ci_access
-        k8s_api_proxy_requests_via_user_access
-        k8s_api_proxy_requests_via_pat_access
-      ].freeze
-
-      class << self
-        def increment_event_counts(events)
-          return unless events.present?
-
-          validate!(events)
-
-          events.each do |event, incr|
-            # rather then hitting redis for this no-op, we return early
-            next if incr == 0
-
-            increment_by(redis_key(event), incr)
-          end
-        end
-
-        private
-
-        def validate!(events)
-          events.each do |event, incr|
-            raise ArgumentError, "unknown event #{event}" unless event.in?(KNOWN_EVENTS)
-            raise ArgumentError, "#{event} count must be greater than or equal to zero" if incr < 0
-          end
-        end
-      end
-    end
-  end
-end

lib/gitlab/usage_data_counters/total_counter_redis_key_overrides.yml

@@ -111,3 +111,8 @@
 '{event_counters}_view_productivity_analytics': USAGE_PRODUCTIVITY_ANALYTICS_VIEWS
 '{event_counters}_view_wiki_page': USAGE_WIKI_PAGES_VIEW
 '{event_counters}_web_ide_viewed': WEB_IDE_VIEWS_COUNT
+'{event_counters}_create_flux_git_push_notification': USAGE_KUBERNETES_AGENT_FLUX_GIT_PUSH_NOTIFICATIONS_TOTAL
+'{event_counters}_request_api_proxy_access': USAGE_KUBERNETES_AGENT_K8S_API_PROXY_REQUEST
+'{event_counters}_request_api_proxy_access_via_ci': USAGE_KUBERNETES_AGENT_K8S_API_PROXY_REQUESTS_VIA_CI_ACCESS
+'{event_counters}_request_api_proxy_access_via_user': USAGE_KUBERNETES_AGENT_K8S_API_PROXY_REQUESTS_VIA_USER_ACCESS
+'{event_counters}_request_api_proxy_access_via_pat': USAGE_KUBERNETES_AGENT_K8S_API_PROXY_REQUESTS_VIA_PAT_ACCESS

locale/gitlab.pot

@@ -1449,6 +1449,9 @@ msgstr ""
 msgid "%{type} only supports %{name} name"
 msgstr ""
 
+msgid "%{type} was closed by %{name}"
+msgstr ""
+
 msgid "%{url} (optional)"
 msgstr ""
 
@@ -29007,9 +29010,6 @@ msgstr ""
 msgid "Issue update failed"
 msgstr ""
 
-msgid "Issue was closed by %{name}"
-msgstr ""
-
 msgid "Issue was closed by %{name} with %{closed_via}"
 msgstr ""
 

spec/frontend/custom_emoji/components/list_spec.js

@@ -4,8 +4,12 @@ import List from '~/custom_emoji/components/list.vue';
 import DeleteItem from '~/custom_emoji/components/delete_item.vue';
 import { CUSTOM_EMOJI } from '../mock_data';
 
-jest.mock('~/lib/utils/datetime/date_format_utility', () => ({
-  formatDate: (date) => date,
+jest.mock('~/lib/utils/datetime/locale_dateformat', () => ({
+  localeDateFormat: {
+    asDate: {
+      format: (date) => date,
+    },
+  },
 }));
 
 Vue.config.ignoredElements = ['gl-emoji'];

spec/helpers/emails_helper_spec.rb

@@ -2,10 +2,17 @@
 
 require 'spec_helper'
 
-RSpec.describe EmailsHelper do
+RSpec.describe EmailsHelper, feature_category: :shared do
   include EmailsHelperTestHelper
+  include NotifyHelper
 
   describe 'closure_reason_text' do
+    let(:issue) { create(:issue) }
+
+    before do
+      self.instance_variable_set(:@issue, issue)
+    end
+
     context 'when given a MergeRequest' do
       let(:merge_request) { create(:merge_request) }
       let(:merge_request_presenter) { merge_request.present }

spec/lib/gitlab/background_migration/backfill_error_tracking_error_events_project_id_spec.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::BackgroundMigration::BackfillErrorTrackingErrorEventsProjectId,
+  feature_category: :error_tracking,
+  schema: 20240731160140 do
+  include_examples 'desired sharding key backfill job' do
+    let(:batch_table) { :error_tracking_error_events }
+    let(:backfill_column) { :project_id }
+    let(:backfill_via_table) { :error_tracking_errors }
+    let(:backfill_via_column) { :project_id }
+    let(:backfill_via_foreign_key) { :error_id }
+  end
+end

spec/lib/gitlab/database/no_cross_db_foreign_keys_spec.rb

@@ -36,7 +36,8 @@ RSpec.describe 'cross-database foreign keys' do
       'sbom_occurrences.source_id',                           # https://gitlab.com/groups/gitlab-org/-/epics/14116#identified-cross-joins
       'sbom_occurrences.source_package_id',                   # https://gitlab.com/groups/gitlab-org/-/epics/14116#identified-cross-joins
       'vulnerability_export_parts.vulnerability_export_id',   # https://gitlab.com/gitlab-org/gitlab/-/issues/473014
-      'vulnerability_flags.vulnerability_occurrence_id'       # https://gitlab.com/gitlab-org/gitlab/-/issues/473014
+      'vulnerability_flags.vulnerability_occurrence_id',      # https://gitlab.com/gitlab-org/gitlab/-/issues/473014
+      'dast_site_validations.dast_site_token_id'              # https://gitlab.com/gitlab-org/gitlab/-/issues/474985
     ]
   end
 

spec/lib/gitlab/usage_data_counters/kubernetes_agent_counter_spec.rb

@@ -1,74 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe Gitlab::UsageDataCounters::KubernetesAgentCounter do
-  described_class::KNOWN_EVENTS.each do |event|
-    it_behaves_like 'a redis usage counter', 'Kubernetes Agent', event
-    it_behaves_like 'a redis usage counter with totals', :kubernetes_agent, event => 1
-  end
-
-  describe '.increment_event_counts' do
-    let(:events) do
-      {
-        'k8s_api_proxy_request' => 2,
-        'flux_git_push_notifications_total' => 3,
-        'k8s_api_proxy_requests_via_ci_access' => 4,
-        'k8s_api_proxy_requests_via_user_access' => 5,
-        'k8s_api_proxy_requests_via_pat_access' => 6
-      }
-    end
-
-    subject { described_class.increment_event_counts(events) }
-
-    it 'increments the specified counters by the new increment amount' do
-      described_class.increment_event_counts(events)
-      described_class.increment_event_counts(events)
-      described_class.increment_event_counts(events)
-
-      expect(described_class.totals).to eq(
-        kubernetes_agent_k8s_api_proxy_request: 6,
-        kubernetes_agent_flux_git_push_notifications_total: 9,
-        kubernetes_agent_k8s_api_proxy_requests_via_ci_access: 12,
-        kubernetes_agent_k8s_api_proxy_requests_via_user_access: 15,
-        kubernetes_agent_k8s_api_proxy_requests_via_pat_access: 18
-      )
-    end
-
-    context 'with empty events' do
-      let(:events) { nil }
-
-      it { expect { subject }.not_to change(described_class, :totals) }
-    end
-
-    context 'event is unknown' do
-      let(:events) do
-        {
-          'other_event' => 2
-        }
-      end
-
-      it 'raises an ArgumentError' do
-        expect(described_class).not_to receive(:increment_by)
-
-        expect { subject }.to raise_error(ArgumentError, 'unknown event other_event')
-      end
-    end
-
-    context 'increment is negative' do
-      let(:events) do
-        {
-          'k8s_api_proxy_request' => -2
-        }
-      end
-
-      it 'raises an ArgumentError' do
-        expect(described_class).not_to receive(:increment_by)
-
-        expect do
-          subject
-        end.to raise_error(ArgumentError, 'k8s_api_proxy_request count must be greater than or equal to zero')
-      end
-    end
-  end
-end

spec/migrations/20240729124632_queue_make_security_policy_bots_private_spec.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_migration!
+
+RSpec.describe QueueMakeSecurityPolicyBotsPrivate, feature_category: :security_policy_management do
+  let!(:batched_migration) { described_class::MIGRATION }
+
+  it 'schedules a new batched migration' do
+    reversible_migration do |migration|
+      migration.before -> {
+        expect(batched_migration).not_to have_scheduled_batched_migration
+      }
+
+      migration.after -> {
+        expect(batched_migration).to have_scheduled_batched_migration(
+          table_name: :users,
+          column_name: :id,
+          interval: described_class::DELAY_INTERVAL,
+          batch_size: described_class::BATCH_SIZE,
+          sub_batch_size: described_class::SUB_BATCH_SIZE
+        )
+      }
+    end
+  end
+end

spec/migrations/20240731160144_queue_backfill_error_tracking_error_events_project_id_spec.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_migration!
+
+RSpec.describe QueueBackfillErrorTrackingErrorEventsProjectId, feature_category: :error_tracking do
+  let!(:batched_migration) { described_class::MIGRATION }
+
+  it 'schedules a new batched migration' do
+    reversible_migration do |migration|
+      migration.before -> {
+        expect(batched_migration).not_to have_scheduled_batched_migration
+      }
+
+      migration.after -> {
+        expect(batched_migration).to have_scheduled_batched_migration(
+          table_name: :error_tracking_error_events,
+          column_name: :id,
+          interval: described_class::DELAY_INTERVAL,
+          batch_size: described_class::BATCH_SIZE,
+          sub_batch_size: described_class::SUB_BATCH_SIZE,
+          gitlab_schema: :gitlab_main_cell,
+          job_arguments: [
+            :project_id,
+            :error_tracking_errors,
+            :project_id,
+            :error_id
+          ]
+        )
+      }
+    end
+  end
+end

spec/requests/api/internal/kubernetes_spec.rb

@@ -112,68 +112,131 @@ RSpec.describe API::Internal::Kubernetes, feature_category: :deployment_manageme
         expect(response).to have_gitlab_http_status(:bad_request)
       end
 
-      it 'tracks events and unique events', :aggregate_failures do
-        request_count = 2
-        counters = {
-          k8s_api_proxy_request: 5,
-          flux_git_push_notifications_total: 42,
-          k8s_api_proxy_requests_via_ci_access: 43,
-          k8s_api_proxy_requests_via_user_access: 44,
-          k8s_api_proxy_requests_via_pat_access: 45
-        }
-        users = create_list(:user, 3)
-        user_ids = users.map(&:id) << users[0].id
-        unique_counters = {
-          k8s_api_proxy_requests_unique_agents_via_ci_access: user_ids,
-          k8s_api_proxy_requests_unique_agents_via_user_access: user_ids,
-          k8s_api_proxy_requests_unique_agents_via_pat_access: user_ids,
-          flux_git_push_notified_unique_projects: user_ids,
-          k8s_api_proxy_requests_unique_users_via_ci_access: user_ids,
-          k8s_api_proxy_requests_unique_users_via_user_access: user_ids,
-          k8s_api_proxy_requests_unique_users_via_pat_access: user_ids
-        }
+      describe 'events tracking' do
+        it 'correctly merges legacy Redis keys for migrated metrics', :aggregate_failures do
+          legacy_redis_keys = %w[
+            USAGE_KUBERNETES_AGENT_FLUX_GIT_PUSH_NOTIFICATIONS_TOTAL
+            USAGE_KUBERNETES_AGENT_K8S_API_PROXY_REQUEST
+            USAGE_KUBERNETES_AGENT_K8S_API_PROXY_REQUESTS_VIA_CI_ACCESS
+            USAGE_KUBERNETES_AGENT_K8S_API_PROXY_REQUESTS_VIA_USER_ACCESS
+            USAGE_KUBERNETES_AGENT_K8S_API_PROXY_REQUESTS_VIA_PAT_ACCESS
+          ]
 
-        internal_events = %w[
-          k8s_api_proxy_requests_unique_users_via_ci_access
-          k8s_api_proxy_requests_unique_users_via_user_access
-          k8s_api_proxy_requests_unique_users_via_pat_access
-        ]
-
-        unique_user_metrics = %w[
-          redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_users_via_ci_access_weekly
-          redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_users_via_ci_access_monthly
-          redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_users_via_user_access_weekly
-          redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_users_via_user_access_monthly
-          redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_users_via_pat_access_weekly
-          redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_users_via_pat_access_monthly
-          redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_agents_via_user_access_weekly
-          redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_agents_via_user_access_monthly
-          redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_agents_via_ci_access_weekly
-          redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_agents_via_ci_access_monthly
-          redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_agents_via_pat_access_weekly
-          redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_agents_via_pat_access_monthly
-          redis_hll_counters.kubernetes_agent.flux_git_push_notified_unique_projects_weekly
-          redis_hll_counters.kubernetes_agent.flux_git_push_notified_unique_projects_monthly
-        ]
-
-        expect do
-          request_count.times do
-            send_request(params: { counters: counters, unique_counters: unique_counters })
+          legacy_redis_keys.each do |key|
+            Gitlab::Redis::SharedState.with { |redis| redis.set(key, 1) }
           end
-        end.to trigger_internal_events(internal_events).with(user: users[0], category: 'InternalEventTracking').exactly(4).times
-          .and trigger_internal_events(internal_events).with(user: users[1], category: 'InternalEventTracking').twice
-          .and trigger_internal_events(internal_events).with(user: users[2], category: 'InternalEventTracking').twice
-          .and increment_usage_metrics(unique_user_metrics).by(user_ids.uniq.count)
-          .and increment_usage_metrics('counts.kubernetes_agent_k8s_api_proxy_request')
-            .by(request_count * counters[:k8s_api_proxy_request])
-          .and increment_usage_metrics('counts.kubernetes_agent_flux_git_push_notifications_total')
-            .by(request_count * counters[:flux_git_push_notifications_total])
-          .and increment_usage_metrics('counts.kubernetes_agent_k8s_api_proxy_requests_via_ci_access')
-            .by(request_count * counters[:k8s_api_proxy_requests_via_ci_access])
-          .and increment_usage_metrics('counts.kubernetes_agent_k8s_api_proxy_requests_via_user_access')
-            .by(request_count * counters[:k8s_api_proxy_requests_via_user_access])
-          .and increment_usage_metrics('counts.kubernetes_agent_k8s_api_proxy_requests_via_pat_access')
-            .by(request_count * counters[:k8s_api_proxy_requests_via_pat_access])
+
+          counters = {
+            flux_git_push_notifications_total: 1,
+            k8s_api_proxy_request: 1,
+            k8s_api_proxy_requests_via_ci_access: 1,
+            k8s_api_proxy_requests_via_user_access: 1,
+            k8s_api_proxy_requests_via_pat_access: 1
+          }
+
+          send_request(params: { counters: counters })
+
+          migrated_metrics = %w[
+            kubernetes_agent_flux_git_push_notifications_total
+            kubernetes_agent_k8s_api_proxy_request
+            kubernetes_agent_k8s_api_proxy_requests_via_ci_access
+            kubernetes_agent_k8s_api_proxy_requests_via_user_access
+            kubernetes_agent_k8s_api_proxy_requests_via_pat_access
+          ]
+
+          migrated_metrics.each do |metric|
+            metric_definition = Gitlab::Usage::MetricDefinition.definitions["counts.#{metric}"]
+            current_value = Gitlab::Usage::Metric.new(metric_definition).send(:instrumentation_object).value
+            expect(current_value).to eq(2), "Expected metric #{metric} to be 2, but was #{current_value}"
+          end
+        end
+
+        it 'tracks counter events', :aggregate_failures do
+          events = API::Helpers::Kubernetes::AgentHelpers::COUNTERS_EVENTS_MAPPING
+          counters = {
+            flux_git_push_notifications_total: 3,
+            k8s_api_proxy_request: 5,
+            k8s_api_proxy_requests_via_ci_access: 43,
+            k8s_api_proxy_requests_via_user_access: 44,
+            k8s_api_proxy_requests_via_pat_access: 45
+          }
+
+          expect do
+            send_request(params: { counters: counters })
+          end.to trigger_internal_events(events['flux_git_push_notifications_total'])
+                   .with(category: 'InternalEventTracking')
+                     .exactly(counters[:flux_git_push_notifications_total]).times
+                   .and increment_usage_metrics('counts.kubernetes_agent_flux_git_push_notifications_total')
+                    .by(counters[:flux_git_push_notifications_total])
+                 .and trigger_internal_events(events['k8s_api_proxy_request'])
+                   .with(category: 'InternalEventTracking')
+                     .exactly(counters[:k8s_api_proxy_request]).times
+                   .and increment_usage_metrics('counts.kubernetes_agent_k8s_api_proxy_request')
+                    .by(counters[:k8s_api_proxy_request])
+                 .and trigger_internal_events(events['k8s_api_proxy_requests_via_ci_access'])
+                   .with(category: 'InternalEventTracking')
+                     .exactly(counters[:k8s_api_proxy_requests_via_ci_access]).times
+                   .and increment_usage_metrics('counts.kubernetes_agent_k8s_api_proxy_requests_via_ci_access')
+                     .by(counters[:k8s_api_proxy_requests_via_ci_access])
+                 .and trigger_internal_events(events['k8s_api_proxy_requests_via_user_access'])
+                   .with(category: 'InternalEventTracking')
+                     .exactly(counters[:k8s_api_proxy_requests_via_user_access]).times
+                   .and increment_usage_metrics('counts.kubernetes_agent_k8s_api_proxy_requests_via_user_access')
+                     .by(counters[:k8s_api_proxy_requests_via_user_access])
+                 .and trigger_internal_events(events['k8s_api_proxy_requests_via_pat_access'])
+                   .with(category: 'InternalEventTracking')
+                      .exactly(counters[:k8s_api_proxy_requests_via_pat_access]).times
+                    .and increment_usage_metrics('counts.kubernetes_agent_k8s_api_proxy_requests_via_pat_access')
+                      .by(counters[:k8s_api_proxy_requests_via_pat_access])
+        end
+
+        it 'tracks unique events', :aggregate_failures do
+          request_count = 2
+          users = create_list(:user, 3)
+          user_ids = users.map(&:id) << users[0].id
+
+          unique_counters = {
+            k8s_api_proxy_requests_unique_agents_via_ci_access: user_ids,
+            k8s_api_proxy_requests_unique_agents_via_user_access: user_ids,
+            k8s_api_proxy_requests_unique_agents_via_pat_access: user_ids,
+            flux_git_push_notified_unique_projects: user_ids,
+            k8s_api_proxy_requests_unique_users_via_ci_access: user_ids,
+            k8s_api_proxy_requests_unique_users_via_user_access: user_ids,
+            k8s_api_proxy_requests_unique_users_via_pat_access: user_ids
+          }
+
+          internal_events = %w[
+            k8s_api_proxy_requests_unique_users_via_ci_access
+            k8s_api_proxy_requests_unique_users_via_user_access
+            k8s_api_proxy_requests_unique_users_via_pat_access
+          ]
+
+          unique_user_metrics = %w[
+            redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_users_via_ci_access_weekly
+            redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_users_via_ci_access_monthly
+            redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_users_via_user_access_weekly
+            redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_users_via_user_access_monthly
+            redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_users_via_pat_access_weekly
+            redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_users_via_pat_access_monthly
+            redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_agents_via_user_access_weekly
+            redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_agents_via_user_access_monthly
+            redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_agents_via_ci_access_weekly
+            redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_agents_via_ci_access_monthly
+            redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_agents_via_pat_access_weekly
+            redis_hll_counters.kubernetes_agent.k8s_api_proxy_requests_unique_agents_via_pat_access_monthly
+            redis_hll_counters.kubernetes_agent.flux_git_push_notified_unique_projects_weekly
+            redis_hll_counters.kubernetes_agent.flux_git_push_notified_unique_projects_monthly
+          ]
+
+          expect do
+            request_count.times do
+              send_request(params: { unique_counters: unique_counters })
+            end
+          end.to trigger_internal_events(internal_events).with(user: users[0], category: 'InternalEventTracking').exactly(4).times
+            .and trigger_internal_events(internal_events).with(user: users[1], category: 'InternalEventTracking').twice
+            .and trigger_internal_events(internal_events).with(user: users[2], category: 'InternalEventTracking').twice
+            .and increment_usage_metrics(unique_user_metrics).by(user_ids.uniq.count)
+        end
       end
     end
   end

spec/support/rspec_order_todo.yml

@@ -5898,7 +5898,6 @@
 - './spec/lib/gitlab/usage_data_counters/ipynb_diff_activity_counter_spec.rb'
 - './spec/lib/gitlab/usage_data_counters/issue_activity_unique_counter_spec.rb'
 - './spec/lib/gitlab/usage_data_counters/jetbrains_plugin_activity_unique_counter_spec.rb'
-- './spec/lib/gitlab/usage_data_counters/kubernetes_agent_counter_spec.rb'
 - './spec/lib/gitlab/usage_data_counters/merge_request_activity_unique_counter_spec.rb'
 - './spec/lib/gitlab/usage_data_counters/merge_request_widget_extension_counter_spec.rb'
 - './spec/lib/gitlab/usage_data_counters/package_event_counter_spec.rb'

spec/support/shared_examples/lib/gitlab/background_migration/backfill_desired_sharding_key_shared_examples.rb

@@ -1,21 +1,28 @@
 # frozen_string_literal: true
 
 RSpec.shared_examples 'desired sharding key backfill job' do
+  let(:known_cross_joins) do
+    {
+      sbom_occurrences_vulnerabilities: {
+        sbom_occurrences: 'https://gitlab.com/groups/gitlab-org/-/epics/14116#identified-cross-joins'
+      },
+      vulnerability_finding_evidences: {
+        vulnerability_occurrences: 'https://gitlab.com/groups/gitlab-org/-/epics/14116#identified-cross-joins'
+      },
+      vulnerability_finding_signatures: {
+        vulnerability_occurrences: 'https://gitlab.com/groups/gitlab-org/-/epics/14116#identified-cross-joins'
+      },
+      vulnerability_flags: {
+        vulnerability_occurrences: 'https://gitlab.com/gitlab-org/gitlab/-/issues/473014'
+      },
+      dast_site_validations: { dast_site_tokens: 'https://gitlab.com/gitlab-org/gitlab/-/issues/474985' }
+    }
+  end
+
   let!(:connection) { table(batch_table).connection }
   let!(:starting_id) { table(batch_table).pluck(:id).min }
   let!(:end_id) { table(batch_table).pluck(:id).max }
 
-  # https://gitlab.com/groups/gitlab-org/-/epics/14116#identified-cross-joins
-  # https://gitlab.com/groups/gitlab-org/-/epics/14197#cross-db-issues-to-be-resolved
-  let(:known_crossjoins) do
-    %i[
-      sbom_occurrences_vulnerabilities
-      vulnerability_finding_signatures
-      vulnerability_finding_evidences
-      vulnerability_flags
-    ]
-  end
-
   let!(:migration) do
     described_class.new(
       start_id: starting_id,
@@ -41,16 +48,14 @@ RSpec.shared_examples 'desired sharding key backfill job' do
   it 'constructs a valid query' do
     query = migration.construct_query(sub_batch: table(batch_table).all)
 
-    expect do
-      if known_crossjoins.include?(batch_table)
-        ::Gitlab::Database.allow_cross_joins_across_databases(
-          url: 'https://gitlab.com/groups/gitlab-org/-/epics/14197#cross-db-issues-to-be-resolved'
-        ) do
-          connection.execute(query)
-        end
-      else
-        connection.execute(query)
+    if known_cross_joins.dig(batch_table, backfill_via_table).present?
+      ::Gitlab::Database.allow_cross_joins_across_databases(
+        url: known_cross_joins[batch_table][backfill_via_table]
+      ) do
+        expect { connection.execute(query) }.not_to raise_error
       end
-    end.not_to raise_error
+    else
+      expect { connection.execute(query) }.not_to raise_error
+    end
   end
 end