Add latest changes from gitlab-org/gitlab@master

.gitlab/CODEOWNERS

@@ -396,24 +396,31 @@ lib/gitlab/checks/**
 ^[Documentation Pages]
 # This block is managed by the rake script at lib/tasks/gitlab/tw/codeowners.rake, manual updates will be overwritten!
 # Begin rake-managed-docs-block
+/doc/administration/analytics/ @lciutacu
 /doc/administration/application_settings_cache.md @jglassman1
-/doc/administration/audit_event_streaming.md @eread
+/doc/administration/audit_event_streaming/ @eread
 /doc/administration/audit_events.md @eread
 /doc/administration/audit_reports.md @eread
 /doc/administration/auditor_users.md @jglassman1
 /doc/administration/auth/ @jglassman1
+/doc/administration/backup_restore/ @axil
 /doc/administration/cicd.md @marcel.amirault
 /doc/administration/clusters/ @phillipwells
 /doc/administration/compliance.md @eread
 /doc/administration/configure.md @axil
 /doc/administration/consul.md @axil
+/doc/administration/credentials_inventory.md @jglassman1
+/doc/administration/custom_project_templates.md @aqualls @msedlakjakubowski
+/doc/administration/diff_limits.md @aqualls @msedlakjakubowski
 /doc/administration/docs_self_host.md @axil
 /doc/administration/encrypted_configuration.md @axil
 /doc/administration/environment_variables.md @axil
 /doc/administration/external_pipeline_validation.md @marcel.amirault
+/doc/administration/external_users.md @jglassman1
 /doc/administration/feature_flags.md @axil
 /doc/administration/file_hooks.md @eread @ashrafkhamis
 /doc/administration/geo/ @axil
+/doc/administration/geo_sites.md @axil
 /doc/administration/get_started.md @kpaizee
 /doc/administration/git_protocol.md @aqualls @msedlakjakubowski
 /doc/administration/gitaly/ @eread
@@ -431,14 +438,20 @@ lib/gitlab/checks/**
 /doc/administration/issue_closing_pattern.md @aqualls
 /doc/administration/job_artifacts.md @marcel.amirault
 /doc/administration/job_logs.md @fneill
+/doc/administration/labels.md @msedlakjakubowski
 /doc/administration/lfs/ @aqualls @msedlakjakubowski
 /doc/administration/libravatar.md @axil
+/doc/administration/license.md @fneill
+/doc/administration/license_file.md @fneill
 /doc/administration/load_balancer.md @axil
 /doc/administration/logs/ @axil
 /doc/administration/logs/index.md @msedlakjakubowski
 /doc/administration/maintenance_mode/ @axil
 /doc/administration/merge_request_diffs.md @aqualls @msedlakjakubowski
+/doc/administration/merge_requests_approvals.md @aqualls @msedlakjakubowski
+/doc/administration/moderate_users.md @jglassman1
 /doc/administration/monitoring/github_imports.md @eread @ashrafkhamis
+/doc/administration/monitoring/health_check.md @msedlakjakubowski
 /doc/administration/monitoring/index.md @msedlakjakubowski
 /doc/administration/monitoring/ip_allowlist.md @jglassman1
 /doc/administration/monitoring/performance/gitlab_configuration.md @msedlakjakubowski
@@ -471,11 +484,36 @@ lib/gitlab/checks/**
 /doc/administration/reference_architectures/ @axil
 /doc/administration/reply_by_email.md @msedlakjakubowski
 /doc/administration/reply_by_email_postfix_setup.md @axil
+/doc/administration/reporting/ @phillipwells
+/doc/administration/reporting/spamcheck.md @axil
 /doc/administration/repository_checks.md @eread
 /doc/administration/repository_storage_paths.md @eread
 /doc/administration/repository_storage_types.md @eread
 /doc/administration/restart_gitlab.md @axil
+/doc/administration/review_abuse_reports.md @phillipwells
 /doc/administration/server_hooks.md @eread
+/doc/administration/settings/account_and_limit_settings.md @aqualls @msedlakjakubowski
+/doc/administration/settings/deprecated_api_rate_limits.md @aqualls @msedlakjakubowski
+/doc/administration/settings/git_lfs_rate_limits.md @aqualls @msedlakjakubowski
+/doc/administration/settings/gitaly_timeouts.md @eread
+/doc/administration/settings/import_export_rate_limits.md @eread @ashrafkhamis
+/doc/administration/settings/incident_management_rate_limits.md @msedlakjakubowski
+/doc/administration/settings/index.md @aqualls @msedlakjakubowski
+/doc/administration/settings/instance_template_repository.md @aqualls @msedlakjakubowski
+/doc/administration/settings/package_registry_rate_limits.md @phillipwells
+/doc/administration/settings/project_integration_management.md @eread @ashrafkhamis
+/doc/administration/settings/push_event_activities_limit.md @aqualls @msedlakjakubowski
+/doc/administration/settings/rate_limit_on_issues_creation.md @msedlakjakubowski
+/doc/administration/settings/rate_limit_on_notes_creation.md @msedlakjakubowski
+/doc/administration/settings/rate_limit_on_pipelines_creation.md @marcel.amirault
+/doc/administration/settings/rate_limit_on_projects_api.md @lciutacu
+/doc/administration/settings/rate_limit_on_users_api.md @jglassman1
+/doc/administration/settings/rate_limits_on_git_ssh_operations.md @aqualls @msedlakjakubowski
+/doc/administration/settings/scim_setup.md @jglassman1
+/doc/administration/settings/security_and_compliance.md @rdickenson
+/doc/administration/settings/terraform_limits.md @phillipwells
+/doc/administration/settings/third_party_offers.md @lciutacu
+/doc/administration/settings/visibility_and_access_controls.md @aqualls @msedlakjakubowski
 /doc/administration/sidekiq/ @axil
 /doc/administration/sidekiq/sidekiq_memory_killer.md @jglassman1
 /doc/administration/silent_mode/ @axil
@@ -505,6 +543,7 @@ lib/gitlab/checks/**
 /doc/api/commits.md @aqualls @msedlakjakubowski
 /doc/api/container_registry.md @marcel.amirault
 /doc/api/custom_attributes.md @msedlakjakubowski
+/doc/api/database_migrations.md @aqualls
 /doc/api/dependencies.md @rdickenson
 /doc/api/dependency_proxy.md @marcel.amirault
 /doc/api/deploy_keys.md @phillipwells
@@ -594,7 +633,7 @@ lib/gitlab/checks/**
 /doc/api/project_aliases.md @aqualls @msedlakjakubowski
 /doc/api/project_badges.md @aqualls @msedlakjakubowski
 /doc/api/project_clusters.md @phillipwells
-/doc/api/project_import_export.md @aqualls @msedlakjakubowski
+/doc/api/project_import_export.md @eread @ashrafkhamis
 /doc/api/project_job_token_scopes.md @marcel.amirault
 /doc/api/project_level_variables.md @marcel.amirault
 /doc/api/project_relations_export.md @eread @ashrafkhamis
@@ -689,12 +728,10 @@ lib/gitlab/checks/**
 /doc/development/distribution/ @axil
 /doc/development/documentation/ @sselhorn
 /doc/development/export_csv.md @eread @ashrafkhamis
+/doc/development/fe_guide/ @sselhorn
 /doc/development/fe_guide/customizable_dashboards.md @lciutacu
-/doc/development/fe_guide/dark_mode.md @sselhorn
-/doc/development/fe_guide/graphql.md @sselhorn
 /doc/development/fe_guide/merge_request_widget_extensions.md @aqualls
 /doc/development/fe_guide/source_editor.md @aqualls @msedlakjakubowski
-/doc/development/fe_guide/view_component.md @sselhorn
 /doc/development/feature_categorization/ @sselhorn
 /doc/development/feature_development.md @sselhorn
 /doc/development/feature_flags/ @sselhorn
@@ -715,6 +752,7 @@ lib/gitlab/checks/**
 /doc/development/integrations/ @eread @ashrafkhamis
 /doc/development/integrations/secure.md @rdickenson
 /doc/development/integrations/secure_partner_integration.md @rdickenson
+/doc/development/internal_analytics/ @lciutacu
 /doc/development/internal_api/ @aqualls @msedlakjakubowski
 /doc/development/internal_users.md @sselhorn
 /doc/development/issuable-like-models.md @msedlakjakubowski
@@ -734,6 +772,7 @@ lib/gitlab/checks/**
 /doc/development/packages/cleanup_policies.md @marcel.amirault
 /doc/development/packages/dependency_proxy.md @marcel.amirault
 /doc/development/permissions.md @jglassman1
+/doc/development/permissions/ @jglassman1
 /doc/development/policies.md @jglassman1
 /doc/development/project_templates.md @aqualls @msedlakjakubowski
 /doc/development/prometheus_metrics.md @msedlakjakubowski
@@ -743,8 +782,6 @@ lib/gitlab/checks/**
 /doc/development/search/ @ashrafkhamis
 /doc/development/sec/ @rdickenson
 /doc/development/secure_coding_guidelines.md @sselhorn
-/doc/development/service_ping/ @lciutacu
-/doc/development/snowplow/ @lciutacu
 /doc/development/spam_protection_and_captcha/ @phillipwells
 /doc/development/sql.md @aqualls
 /doc/development/testing_guide/ @sselhorn
@@ -773,8 +810,6 @@ lib/gitlab/checks/**
 /doc/integration/mattermost/ @axil
 /doc/integration/partner_marketplace.md @fneill
 /doc/integration/recaptcha.md @phillipwells
-/doc/integration/security_partners/ @rdickenson
-/doc/integration/slash_commands.md @eread @ashrafkhamis
 /doc/integration/sourcegraph.md @aqualls @msedlakjakubowski
 /doc/integration/trello_power_up.md @eread @ashrafkhamis
 /doc/integration/vault.md @phillipwells
@@ -783,8 +818,6 @@ lib/gitlab/checks/**
 /doc/operations/index.md @msedlakjakubowski
 /doc/policy/ @axil
 /doc/raketasks/ @axil
-/doc/raketasks/generate_sample_prometheus_data.md @msedlakjakubowski
-/doc/raketasks/migrate_snippets.md @ashrafkhamis
 /doc/raketasks/spdx.md @rdickenson
 /doc/raketasks/x509_signatures.md @aqualls @msedlakjakubowski
 /doc/security/ @jglassman1
@@ -802,53 +835,21 @@ lib/gitlab/checks/**
 /doc/tutorials/boards_for_teams/ @msedlakjakubowski
 /doc/tutorials/compliance_pipeline/ @eread
 /doc/tutorials/configure_gitlab_runner_to_use_gke/ @fneill
+/doc/tutorials/container_scanning/ @rdickenson
 /doc/tutorials/convert_personal_namespace_to_group/ @lciutacu
+/doc/tutorials/dependency_scanning.md @rdickenson
 /doc/tutorials/fuzz_testing/ @rdickenson
 /doc/tutorials/move_personal_project_to_group/ @lciutacu
+/doc/tutorials/protected_workflow/ @aqualls
 /doc/tutorials/scan_result_policy/ @rdickenson
 /doc/update/ @axil
 /doc/update/background_migrations.md @aqualls
-/doc/user/admin_area/analytics/ @lciutacu
-/doc/user/admin_area/credentials_inventory.md @jglassman1
-/doc/user/admin_area/custom_project_templates.md @aqualls @msedlakjakubowski
-/doc/user/admin_area/diff_limits.md @aqualls @msedlakjakubowski
-/doc/user/admin_area/external_users.md @jglassman1
-/doc/user/admin_area/geo_sites.md @axil
-/doc/user/admin_area/labels.md @msedlakjakubowski
-/doc/user/admin_area/license.md @fneill
-/doc/user/admin_area/license_file.md @fneill
-/doc/user/admin_area/merge_requests_approvals.md @aqualls @msedlakjakubowski
-/doc/user/admin_area/moderate_users.md @jglassman1
-/doc/user/admin_area/monitoring/ @msedlakjakubowski
-/doc/user/admin_area/reporting/git_abuse_rate_limit.md @phillipwells
-/doc/user/admin_area/reporting/spamcheck.md @axil
-/doc/user/admin_area/review_abuse_reports.md @phillipwells
-/doc/user/admin_area/settings/account_and_limit_settings.md @aqualls @msedlakjakubowski
 /doc/user/admin_area/settings/continuous_integration.md @marcel.amirault
-/doc/user/admin_area/settings/deprecated_api_rate_limits.md @aqualls @msedlakjakubowski
 /doc/user/admin_area/settings/email.md @msedlakjakubowski
 /doc/user/admin_area/settings/external_authorization.md @jglassman1
 /doc/user/admin_area/settings/files_api_rate_limits.md @aqualls @msedlakjakubowski
-/doc/user/admin_area/settings/git_lfs_rate_limits.md @aqualls @msedlakjakubowski
-/doc/user/admin_area/settings/gitaly_timeouts.md @eread
-/doc/user/admin_area/settings/import_export_rate_limits.md @eread @ashrafkhamis
-/doc/user/admin_area/settings/incident_management_rate_limits.md @msedlakjakubowski
-/doc/user/admin_area/settings/index.md @aqualls @msedlakjakubowski
-/doc/user/admin_area/settings/instance_template_repository.md @aqualls @msedlakjakubowski
-/doc/user/admin_area/settings/package_registry_rate_limits.md @phillipwells
-/doc/user/admin_area/settings/project_integration_management.md @eread @ashrafkhamis
-/doc/user/admin_area/settings/push_event_activities_limit.md @aqualls @msedlakjakubowski
-/doc/user/admin_area/settings/rate_limit_on_issues_creation.md @msedlakjakubowski
-/doc/user/admin_area/settings/rate_limit_on_notes_creation.md @msedlakjakubowski
-/doc/user/admin_area/settings/rate_limit_on_pipelines_creation.md @marcel.amirault
-/doc/user/admin_area/settings/rate_limit_on_projects_api.md @lciutacu
-/doc/user/admin_area/settings/rate_limit_on_users_api.md @jglassman1
-/doc/user/admin_area/settings/scim_setup.md @jglassman1
-/doc/user/admin_area/settings/security_and_compliance.md @rdickenson
-/doc/user/admin_area/settings/terraform_limits.md @phillipwells
-/doc/user/admin_area/settings/third_party_offers.md @lciutacu
+/doc/user/admin_area/settings/slack_app.md @eread @ashrafkhamis
 /doc/user/admin_area/settings/usage_statistics.md @lciutacu
-/doc/user/admin_area/settings/visibility_and_access_controls.md @aqualls @msedlakjakubowski
 /doc/user/analytics/ @lciutacu
 /doc/user/analytics/ci_cd_analytics.md @phillipwells
 /doc/user/application_security/ @rdickenson
@@ -957,6 +958,7 @@ lib/gitlab/checks/**
 /doc/user/report_abuse.md @phillipwells
 /doc/user/reserved_names.md @lciutacu
 /doc/user/search/ @ashrafkhamis
+/doc/user/search/command_palette.md @sselhorn
 /doc/user/shortcuts.md @ashrafkhamis
 /doc/user/snippets.md @aqualls @msedlakjakubowski
 /doc/user/ssh.md @jglassman1

.rubocop_todo/performance/regexp_match.yml

@@ -3,29 +3,6 @@
 Performance/RegexpMatch:
   Details: grace period
   Exclude:
-    - 'app/controllers/concerns/internal_redirect.rb'
-    - 'app/controllers/import/bitbucket_server_controller.rb'
-    - 'app/finders/ci/pipelines_finder.rb'
-    - 'app/helpers/application_helper.rb'
-    - 'app/helpers/colors_helper.rb'
-    - 'app/helpers/emails_helper.rb'
-    - 'app/models/commit_range.rb'
-    - 'app/models/commit_status.rb'
-    - 'app/models/concerns/ignorable_columns.rb'
-    - 'app/models/external_issue.rb'
-    - 'app/models/hooks/web_hook_log.rb'
-    - 'app/models/projects/topic.rb'
-    - 'app/models/repository.rb'
-    - 'app/models/user.rb'
-    - 'app/services/bulk_imports/create_service.rb'
-    - 'app/services/clusters/cleanup/project_namespace_service.rb'
-    - 'app/services/clusters/cleanup/service_account_service.rb'
-    - 'app/services/projects/update_remote_mirror_service.rb'
-    - 'app/uploaders/file_uploader.rb'
-    - 'app/validators/abstract_path_validator.rb'
-    - 'app/validators/cluster_name_validator.rb'
-    - 'app/validators/devise_email_validator.rb'
-    - 'app/validators/line_code_validator.rb'
     - 'config/initializers/wikicloth_redos_patch.rb'
     - 'ee/app/controllers/concerns/audit_events/enforces_valid_date_params.rb'
     - 'ee/lib/ee/banzai/filter/references/vulnerability_reference_filter.rb'

app/assets/javascripts/observability/client.js

@@ -1,34 +1,36 @@
-// import axios from '~/lib/utils/axios_utils';
-import * as mockData from './mock_traces.json';
-
-function enableTraces(provisioningUrl) {
-  console.log(`Enabling tracing - ${provisioningUrl}`); // eslint-disable-line no-console
+import axios from '~/lib/utils/axios_utils';
 
+function enableTraces() {
+  // TODO remove mocks https://gitlab.com/gitlab-org/opstrace/opstrace/-/issues/2271
   return new Promise((resolve) => {
     setTimeout(() => {
       resolve();
-    }, 500);
-  });
-}
-
-function isTracingEnabled(provisioningUrl) {
-  console.log(`Checking status - ${provisioningUrl}`); // eslint-disable-line no-console
-
-  return new Promise((resolve) => {
-    setTimeout(() => {
-      resolve(false);
     }, 1000);
   });
 }
 
-function fetchTraces(tracingUrl) {
-  console.log(`Fetching traces from ${tracingUrl}`); // eslint-disable-line no-console
-
-  // axios.get(`${this.endpoint}/v1/jaeger/22/api/services`, { credentials: 'include' });
+function isTracingEnabled() {
+  // TODO remove mocks https://gitlab.com/gitlab-org/opstrace/opstrace/-/issues/2271
   return new Promise((resolve) => {
     setTimeout(() => {
-      resolve(mockData.data);
-    }, 2000);
+      // Currently relying on manual provisioning, hence assuming tracing is enabled
+      resolve(true);
+    }, 1000);
+  });
+}
+
+async function fetchTraces(tracingUrl) {
+  const { data } = await axios.get(tracingUrl, { withCredentials: true });
+  if (!Array.isArray(data.traces)) {
+    throw new Error('traces are missing/invalid in the response.'); // eslint-disable-line @gitlab/require-i18n-strings
+  }
+  return data.traces.map((t) => {
+    // aggregating duration on the client for now, but expecting to be coming from the backend
+    const duration = t.spans.reduce((acc, cur) => acc + cur.duration_nano, 0);
+    return {
+      ...t,
+      duration: duration / 1000,
+    };
   });
 }
 

app/assets/javascripts/observability/components/observability_container.vue

@@ -1,8 +1,10 @@
 <script>
 import { buildClient } from '../client';
+import { SKELETON_SPINNER_VARIANT } from '../constants';
 import ObservabilitySkeleton from './skeleton/index.vue';
 
 export default {
+  SKELETON_SPINNER_VARIANT,
   components: {
     ObservabilitySkeleton,
   },
@@ -30,6 +32,7 @@ export default {
     window.addEventListener('message', this.messageHandler);
 
     // TODO Remove once backend work done - just for testing
+    // https://gitlab.com/gitlab-org/opstrace/opstrace/-/issues/2270
     // setTimeout(() => {
     //   this.messageHandler({
     //     data: { type: 'AUTH_COMPLETION', status: 'success' },
@@ -79,7 +82,10 @@ export default {
       data-testid="observability-oauth-iframe"
     ></iframe>
 
-    <observability-skeleton ref="observabilitySkeleton">
+    <observability-skeleton
+      ref="observabilitySkeleton"
+      :variant="$options.SKELETON_SPINNER_VARIANT"
+    >
       <slot v-if="observabilityClient" :observability-client="observabilityClient"></slot>
     </observability-skeleton>
   </div>

app/assets/javascripts/observability/components/skeleton/index.vue

@@ -1,5 +1,5 @@
 <script>
-import { GlSkeletonLoader, GlAlert } from '@gitlab/ui';
+import { GlSkeletonLoader, GlAlert, GlLoadingIcon } from '@gitlab/ui';
 
 import {
   SKELETON_VARIANTS_BY_ROUTE,
@@ -9,6 +9,7 @@ import {
   TIMEOUT_ERROR_LABEL,
   TIMEOUT_ERROR_MESSAGE,
   SKELETON_VARIANT_EMBED,
+  SKELETON_SPINNER_VARIANT,
 } from '../../constants';
 import DashboardsSkeleton from './dashboards.vue';
 import ExploreSkeleton from './explore.vue';
@@ -23,6 +24,7 @@ export default {
     ManageSkeleton,
     EmbedSkeleton,
     GlAlert,
+    GlLoadingIcon,
   },
   SKELETON_VARIANTS_BY_ROUTE,
   SKELETON_STATE,
@@ -46,6 +48,23 @@ export default {
       errorTimeout: null,
     };
   },
+  computed: {
+    skeletonVisible() {
+      return this.state === SKELETON_STATE.VISIBLE;
+    },
+    skeletonHidden() {
+      return this.state === SKELETON_STATE.HIDDEN;
+    },
+    errorVisible() {
+      return this.state === SKELETON_STATE.ERROR;
+    },
+    spinnerVariant() {
+      return this.variant === SKELETON_SPINNER_VARIANT;
+    },
+    embedVariant() {
+      return this.variant === SKELETON_VARIANT_EMBED;
+    },
+  },
   mounted() {
     this.setLoadingTimeout();
     this.setErrorTimeout();
@@ -98,8 +117,7 @@ export default {
     showError() {
       this.state = SKELETON_STATE.ERROR;
     },
-
-    isSkeletonShown(route) {
+    isVariantByRoute(route) {
       return this.variant === SKELETON_VARIANTS_BY_ROUTE[route];
     },
   },
@@ -108,11 +126,12 @@ export default {
 <template>
   <div class="gl-flex-grow-1 gl-display-flex gl-flex-direction-column gl-flex-align-items-stretch">
     <transition name="fade">
-      <div v-if="state === $options.SKELETON_STATE.VISIBLE" class="gl-px-5">
-        <dashboards-skeleton v-if="isSkeletonShown($options.OBSERVABILITY_ROUTES.DASHBOARDS)" />
-        <explore-skeleton v-else-if="isSkeletonShown($options.OBSERVABILITY_ROUTES.EXPLORE)" />
-        <manage-skeleton v-else-if="isSkeletonShown($options.OBSERVABILITY_ROUTES.MANAGE)" />
-        <embed-skeleton v-else-if="variant === $options.SKELETON_VARIANT_EMBED" />
+      <div v-if="skeletonVisible" class="gl-px-5 gl-my-5">
+        <dashboards-skeleton v-if="isVariantByRoute($options.OBSERVABILITY_ROUTES.DASHBOARDS)" />
+        <explore-skeleton v-else-if="isVariantByRoute($options.OBSERVABILITY_ROUTES.EXPLORE)" />
+        <manage-skeleton v-else-if="isVariantByRoute($options.OBSERVABILITY_ROUTES.MANAGE)" />
+        <embed-skeleton v-else-if="embedVariant" />
+        <gl-loading-icon v-else-if="spinnerVariant" size="lg" />
 
         <gl-skeleton-loader v-else>
           <rect y="2" width="10" height="8" />
@@ -121,10 +140,19 @@ export default {
           <rect y="15" width="400" height="30" />
         </gl-skeleton-loader>
       </div>
+
+      <!-- The double condition is only here temporarily for back-compatibility reasons. Will be removed in next iteration https://gitlab.com/gitlab-org/opstrace/opstrace/-/issues/2275 -->
+      <div
+        v-if="spinnerVariant && skeletonHidden"
+        data-testid="content-wrapper"
+        class="gl-flex-grow-1 gl-display-flex gl-flex-direction-column gl-flex-align-items-stretch"
+      >
+        <slot></slot>
+      </div>
     </transition>
 
     <gl-alert
-      v-if="state === $options.SKELETON_STATE.ERROR"
+      v-if="errorVisible"
       :title="$options.i18n.TIMEOUT_ERROR_LABEL"
       variant="danger"
       :dismissible="false"
@@ -133,9 +161,10 @@ export default {
       {{ $options.i18n.TIMEOUT_ERROR_MESSAGE }}
     </gl-alert>
 
-    <transition>
+    <!-- This is only kept temporarily for back-compatibility reasons. Will be removed in next iteration https://gitlab.com/gitlab-org/opstrace/opstrace/-/issues/2275 -->
+    <transition v-if="!spinnerVariant">
       <div
-        v-show="state === $options.SKELETON_STATE.HIDDEN"
+        v-show="skeletonHidden"
         data-testid="content-wrapper"
         class="gl-flex-grow-1 gl-display-flex gl-flex-direction-column gl-flex-align-items-stretch"
       >

app/assets/javascripts/observability/constants.js

@@ -18,6 +18,7 @@ export const SKELETON_VARIANTS_BY_ROUTE = Object.freeze({
 });
 
 export const SKELETON_VARIANT_EMBED = 'embed';
+export const SKELETON_SPINNER_VARIANT = 'spinner';
 
 export const SKELETON_STATE = Object.freeze({
   ERROR: 'error',

app/assets/javascripts/organizations/groups_and_projects/components/app.vue

@@ -0,0 +1,62 @@
+<script>
+import { GlLoadingIcon } from '@gitlab/ui';
+import { __, s__ } from '~/locale';
+import ProjectsList from '~/vue_shared/components/projects_list/projects_list.vue';
+import { getIdFromGraphQLId } from '~/graphql_shared/utils';
+import { createAlert } from '~/alert';
+import projectsQuery from '../graphql/queries/projects.query.graphql';
+
+export default {
+  i18n: {
+    pageTitle: __('Groups and projects'),
+    errorMessage: s__(
+      'Organization|An error occurred loading the projects. Please refresh the page to try again.',
+    ),
+  },
+  components: {
+    ProjectsList,
+    GlLoadingIcon,
+  },
+  data() {
+    return {
+      projects: [],
+    };
+  },
+  apollo: {
+    projects: {
+      query: projectsQuery,
+      update(data) {
+        return data.organization.projects.nodes;
+      },
+      error(error) {
+        createAlert({ message: this.$options.i18n.errorMessage, error, captureError: true });
+      },
+    },
+  },
+  computed: {
+    formattedProjects() {
+      return this.projects.map(({ id, nameWithNamespace, accessLevel, ...project }) => ({
+        ...project,
+        id: getIdFromGraphQLId(id),
+        name: nameWithNamespace,
+        permissions: {
+          projectAccess: {
+            accessLevel: accessLevel.integerValue,
+          },
+        },
+      }));
+    },
+    isLoading() {
+      return this.$apollo.queries.projects?.loading;
+    },
+  },
+};
+</script>
+
+<template>
+  <div>
+    <h1 class="gl-font-size-h-display">{{ $options.i18n.pageTitle }}</h1>
+    <gl-loading-icon v-if="isLoading" class="gl-mt-5" size="md" />
+    <projects-list v-else :projects="formattedProjects" show-project-icon />
+  </div>
+</template>

app/assets/javascripts/organizations/groups_and_projects/graphql/queries/projects.query.graphql

@@ -0,0 +1,24 @@
+query getOrganizationProjects {
+  organization @client {
+    id
+    projects {
+      nodes {
+        id
+        nameWithNamespace
+        webUrl
+        topics
+        forksCount
+        avatarUrl
+        starCount
+        visibility
+        openIssuesCount
+        descriptionHtml
+        issuesAccessLevel
+        forkingAccessLevel
+        accessLevel {
+          integerValue
+        }
+      }
+    }
+  }
+}

app/assets/javascripts/organizations/groups_and_projects/graphql/resolvers.js

@@ -0,0 +1,14 @@
+import { organizationProjects } from 'jest/organizations/groups_and_projects/components/mock_data';
+
+export default {
+  Query: {
+    organization: async () => {
+      // Simulate API loading
+      await new Promise((resolve) => {
+        setTimeout(resolve, 1000);
+      });
+
+      return organizationProjects;
+    },
+  },
+};

app/assets/javascripts/organizations/groups_and_projects/index.js

@@ -0,0 +1,24 @@
+import Vue from 'vue';
+import VueApollo from 'vue-apollo';
+import createDefaultClient from '~/lib/graphql';
+import resolvers from './graphql/resolvers';
+import App from './components/app.vue';
+
+export const initOrganizationsGroupsAndProjects = () => {
+  const el = document.getElementById('js-organizations-groups-and-projects');
+
+  if (!el) return false;
+
+  const apolloProvider = new VueApollo({
+    defaultClient: createDefaultClient(resolvers),
+  });
+
+  return new Vue({
+    el,
+    name: 'OrganizationsGroupsAndProjects',
+    apolloProvider,
+    render(createElement) {
+      return createElement(App);
+    },
+  });
+};

app/assets/javascripts/pages/organizations/organizations/groups_and_projects/index.js

@@ -0,0 +1,3 @@
+import { initOrganizationsGroupsAndProjects } from '~/organizations/groups_and_projects';
+
+initOrganizationsGroupsAndProjects();

app/assets/javascripts/pipelines/components/pipeline_details_header.vue

@@ -404,7 +404,7 @@ export default {
     <gl-loading-icon v-if="loading" class="gl-text-left" size="lg" />
     <div
       v-else
-      class="gl-display-flex gl-justify-content-space-between"
+      class="gl-display-flex gl-justify-content-space-between gl-flex-wrap"
       data-qa-selector="pipeline_details_header"
     >
       <div>
@@ -571,7 +571,7 @@ export default {
           </span>
         </div>
       </div>
-      <div>
+      <div class="gl-mt-5 gl-lg-mt-0">
         <gl-button
           v-if="canRetryPipeline"
           v-gl-tooltip

app/assets/javascripts/profile/components/user_achievements.vue

@@ -85,7 +85,7 @@ export default {
         :size="32"
         tabindex="0"
         shape="rect"
-        class="gl-mx-2"
+        class="gl-mx-2 gl-p-1 gl-border-none"
       />
       <br />
       <gl-badge v-if="showCountBadge(userAchievement.count)" variant="info" size="sm">{{

app/assets/javascripts/tracing/components/tracing_empty_state.vue

@@ -0,0 +1,46 @@
+<script>
+import EMPTY_TRACING_SVG from '@gitlab/svgs/dist/illustrations/monitoring/tracing.svg?url';
+import { GlEmptyState, GlButton } from '@gitlab/ui';
+import { __ } from '~/locale';
+
+export default {
+  EMPTY_TRACING_SVG,
+  name: 'TracingEmptyState',
+  i18n: {
+    title: __('Get started with Tracing'),
+    description: __('Monitor your applications with GitLab Distributed Tracing.'),
+    enableButtonText: __('Enable'),
+  },
+  components: {
+    GlEmptyState,
+    GlButton,
+  },
+  props: {
+    enableTracing: {
+      type: Function,
+      required: true,
+    },
+  },
+  methods: {
+    onEnabledClicked() {
+      this.enableTracing();
+    },
+  },
+};
+</script>
+
+<template>
+  <gl-empty-state :title="$options.i18n.title" :svg-path="$options.EMPTY_TRACING_SVG">
+    <template #description>
+      <div>
+        <span>{{ $options.i18n.description }}</span>
+      </div>
+    </template>
+
+    <template #actions>
+      <gl-button variant="confirm" class="gl-mx-2 gl-mb-3" @click="onEnabledClicked">
+        {{ $options.i18n.enableButtonText }}
+      </gl-button>
+    </template>
+  </gl-empty-state>
+</template>

app/assets/javascripts/tracing/components/tracing_list.vue

@@ -1,14 +1,93 @@
 <script>
+import { GlLoadingIcon } from '@gitlab/ui';
+import { __ } from '~/locale';
+import { createAlert } from '~/alert';
+import TracingEmptyState from './tracing_empty_state.vue';
+import TracingTableList from './tracing_table_list.vue';
+
 export default {
+  components: {
+    GlLoadingIcon,
+    TracingTableList,
+    TracingEmptyState,
+  },
   props: {
     observabilityClient: {
       required: true,
       type: Object,
     },
   },
+  data() {
+    return {
+      loading: true,
+      /**
+       * tracingEnabled: boolean | null.
+       * null identifies a state where we don't know if tracing is enabled or not (e.g. when fetching the status from the API fails)
+       */
+      tracingEnabled: null,
+      traces: [],
+    };
+  },
+  async created() {
+    this.checkEnabled();
+  },
+  methods: {
+    async checkEnabled() {
+      this.loading = true;
+      try {
+        this.tracingEnabled = await this.observabilityClient.isTracingEnabled();
+        if (this.tracingEnabled) {
+          await this.fetchTraces();
+        }
+      } catch (e) {
+        createAlert({
+          message: __('Failed to load page.'),
+        });
+      } finally {
+        this.loading = false;
+      }
+    },
+    async enableTracing() {
+      this.loading = true;
+      try {
+        await this.observabilityClient.enableTraces();
+        this.tracingEnabled = true;
+        await this.fetchTraces();
+      } catch (e) {
+        createAlert({
+          message: __('Failed to enable tracing.'),
+        });
+      } finally {
+        this.loading = false;
+      }
+    },
+    async fetchTraces() {
+      this.loading = true;
+      try {
+        const traces = await this.observabilityClient.fetchTraces();
+        this.traces = traces;
+      } catch (e) {
+        createAlert({
+          message: __('Failed to load traces.'),
+        });
+      } finally {
+        this.loading = false;
+      }
+    },
+  },
 };
 </script>
 
 <template>
-  <div></div>
+  <div>
+    <div v-if="loading" class="gl-py-5">
+      <gl-loading-icon size="lg" />
+    </div>
+
+    <template v-else-if="tracingEnabled !== null">
+      <tracing-empty-state v-if="tracingEnabled === false" :enable-tracing="enableTracing" />
+
+      <tracing-table-list v-else :traces="traces" @reload="fetchTraces" />
+    </template>
+  </div>
 </template>

app/assets/javascripts/tracing/components/tracing_table_list.vue

@@ -0,0 +1,89 @@
+<script>
+import { GlTable, GlLink } from '@gitlab/ui';
+import { __ } from '~/locale';
+
+export const tableDataClass = 'gl-display-flex gl-md-display-table-cell gl-align-items-center';
+export default {
+  name: 'TracingTableList',
+  i18n: {
+    title: __('Traces'),
+    emptyText: __('No traces to display.'),
+    emptyLinkText: __('Check again'),
+  },
+  fields: [
+    {
+      key: 'date',
+      label: __('Date'),
+      tdClass: tableDataClass,
+      sortable: true,
+    },
+    {
+      key: 'service',
+      label: __('Service'),
+      tdClass: tableDataClass,
+      sortable: true,
+    },
+    {
+      key: 'operation',
+      label: __('Operation'),
+      tdClass: tableDataClass,
+      sortable: true,
+    },
+    {
+      key: 'duration',
+      label: __('Duration'),
+      thClass: 'gl-w-15p',
+      tdClass: tableDataClass,
+      sortable: true,
+    },
+  ],
+  components: {
+    GlTable,
+    GlLink,
+  },
+  props: {
+    traces: {
+      required: true,
+      type: Array,
+    },
+  },
+};
+</script>
+
+<template>
+  <div>
+    <h4 class="gl-display-block gl-md-display-none! gl-my-5">{{ $options.i18n.title }}</h4>
+
+    <gl-table
+      class="gl-mt-5"
+      :items="traces"
+      :fields="$options.fields"
+      show-empty
+      fixed
+      stacked="md"
+      tbody-tr-class="table-row"
+    >
+      <template #cell(date)="data">
+        {{ data.item.timestamp }}
+      </template>
+
+      <template #cell(service)="data">
+        {{ data.item.service_name }}
+      </template>
+
+      <template #cell(operation)="data">
+        {{ data.item.operation }}
+      </template>
+
+      <template #cell(duration)="data">
+        <!-- eslint-disable-next-line @gitlab/vue-require-i18n-strings -->
+        {{ `${data.item.duration} ms` }}
+      </template>
+
+      <template #empty>
+        {{ $options.i18n.emptyText }}
+        <gl-link @click="$emit('reload')">{{ $options.i18n.emptyLinkText }}</gl-link>
+      </template>
+    </gl-table>
+  </div>
+</template>

app/assets/javascripts/vue_shared/components/projects_list/projects_list.vue

@@ -30,12 +30,22 @@ export default {
       type: Array,
       required: true,
     },
+    showProjectIcon: {
+      type: Boolean,
+      required: false,
+      default: false,
+    },
   },
 };
 </script>
 
 <template>
   <ul class="gl-p-0 gl-list-style-none">
-    <projects-list-item v-for="project in projects" :key="project.id" :project="project" />
+    <projects-list-item
+      v-for="project in projects"
+      :key="project.id"
+      :project="project"
+      :show-project-icon="showProjectIcon"
+    />
   </ul>
 </template>

app/assets/javascripts/vue_shared/components/projects_list/projects_list_item.vue

@@ -34,6 +34,7 @@ export default {
     moreTopics: __('More topics'),
     updated: __('Updated'),
   },
+  avatarSize: { default: 32, md: 48 },
   safeHtmlConfig: {
     ADD_TAGS: ['gl-emoji'],
   },
@@ -78,6 +79,11 @@ export default {
       type: Object,
       required: true,
     },
+    showProjectIcon: {
+      type: Boolean,
+      required: false,
+      default: false,
+    },
   },
   data() {
     return {
@@ -153,72 +159,87 @@ export default {
 
 <template>
   <li class="projects-list-item gl-py-5 gl-md-display-flex gl-align-items-center gl-border-b">
-    <gl-avatar-labeled
-      class="gl-flex-grow-1"
-      :entity-id="project.id"
-      :entity-name="project.name"
-      :label="project.name"
-      :label-link="project.webUrl"
-      shape="rect"
-      :size="48"
-    >
-      <template #meta>
-        <gl-icon
-          v-if="visibility"
-          v-gl-tooltip="visibilityTooltip"
-          :name="visibilityIcon"
-          class="gl-text-secondary gl-ml-3"
-        />
-        <user-access-role-badge v-if="shouldShowAccessLevel" class="gl-ml-3">{{
-          accessLevelLabel
-        }}</user-access-role-badge>
-      </template>
-      <div
-        v-if="project.descriptionHtml"
-        v-safe-html:[$options.safeHtmlConfig]="project.descriptionHtml"
-        class="gl-font-sm gl-overflow-hidden gl-line-height-20 description"
-        data-testid="project-description"
-      ></div>
-      <div v-if="hasTopics" class="gl-mt-3" data-testid="project-topics">
-        <div
-          class="gl-w-full gl-display-inline-flex gl-flex-wrap gl-font-base gl-font-weight-normal gl-align-items-center gl-mx-n2 gl-my-n2"
-        >
-          <span class="gl-p-2 gl-text-secondary">{{ $options.i18n.topics }}:</span>
-          <div v-for="topic in visibleTopics" :key="topic" class="gl-p-2">
-            <gl-badge v-gl-tooltip="topicTooltipTitle(topic)" :href="topicPath(topic)">
-              {{ topicTitle(topic) }}
-            </gl-badge>
-          </div>
-          <template v-if="popoverTopics.length">
-            <div
-              :id="topicsPopoverTarget"
-              class="gl-p-2 gl-text-secondary"
-              role="button"
-              tabindex="0"
-            >
-              <gl-sprintf :message="$options.i18n.topicsPopoverTargetText">
-                <template #count>{{ popoverTopics.length }}</template>
-              </gl-sprintf>
-            </div>
-            <gl-popover :target="topicsPopoverTarget" :title="$options.i18n.moreTopics">
-              <div class="gl-font-base gl-font-weight-normal gl-mx-n2 gl-my-n2">
-                <div
-                  v-for="topic in popoverTopics"
-                  :key="topic"
-                  class="gl-p-2 gl-display-inline-block"
-                >
-                  <gl-badge v-gl-tooltip="topicTooltipTitle(topic)" :href="topicPath(topic)">
-                    {{ topicTitle(topic) }}
-                  </gl-badge>
-                </div>
+    <div class="gl-display-flex gl-flex-grow-1">
+      <gl-icon
+        v-if="showProjectIcon"
+        class="gl-mr-3 gl-mt-3 gl-md-mt-5 gl-flex-shrink-0 gl-text-secondary"
+        name="project"
+      />
+      <gl-avatar-labeled
+        :entity-id="project.id"
+        :entity-name="project.name"
+        :label="project.name"
+        :label-link="project.webUrl"
+        shape="rect"
+        :size="$options.avatarSize"
+      >
+        <template #meta>
+          <div class="gl-px-2">
+            <div class="gl-mx-n2 gl-display-flex gl-align-items-center gl-flex-wrap">
+              <div class="gl-px-2">
+                <gl-icon
+                  v-if="visibility"
+                  v-gl-tooltip="visibilityTooltip"
+                  :name="visibilityIcon"
+                  class="gl-text-secondary"
+                />
               </div>
-            </gl-popover>
-          </template>
+              <div class="gl-px-2">
+                <user-access-role-badge v-if="shouldShowAccessLevel">{{
+                  accessLevelLabel
+                }}</user-access-role-badge>
+              </div>
+            </div>
+          </div>
+        </template>
+        <div
+          v-if="project.descriptionHtml"
+          v-safe-html:[$options.safeHtmlConfig]="project.descriptionHtml"
+          class="gl-font-sm gl-overflow-hidden gl-line-height-20 description md"
+          data-testid="project-description"
+        ></div>
+        <div v-if="hasTopics" class="gl-mt-3" data-testid="project-topics">
+          <div
+            class="gl-w-full gl-display-inline-flex gl-flex-wrap gl-font-base gl-font-weight-normal gl-align-items-center gl-mx-n2 gl-my-n2"
+          >
+            <span class="gl-p-2 gl-text-secondary">{{ $options.i18n.topics }}:</span>
+            <div v-for="topic in visibleTopics" :key="topic" class="gl-p-2">
+              <gl-badge v-gl-tooltip="topicTooltipTitle(topic)" :href="topicPath(topic)">
+                {{ topicTitle(topic) }}
+              </gl-badge>
+            </div>
+            <template v-if="popoverTopics.length">
+              <div
+                :id="topicsPopoverTarget"
+                class="gl-p-2 gl-text-secondary"
+                role="button"
+                tabindex="0"
+              >
+                <gl-sprintf :message="$options.i18n.topicsPopoverTargetText">
+                  <template #count>{{ popoverTopics.length }}</template>
+                </gl-sprintf>
+              </div>
+              <gl-popover :target="topicsPopoverTarget" :title="$options.i18n.moreTopics">
+                <div class="gl-font-base gl-font-weight-normal gl-mx-n2 gl-my-n2">
+                  <div
+                    v-for="topic in popoverTopics"
+                    :key="topic"
+                    class="gl-p-2 gl-display-inline-block"
+                  >
+                    <gl-badge v-gl-tooltip="topicTooltipTitle(topic)" :href="topicPath(topic)">
+                      {{ topicTitle(topic) }}
+                    </gl-badge>
+                  </div>
+                </div>
+              </gl-popover>
+            </template>
+          </div>
         </div>
-      </div>
-    </gl-avatar-labeled>
+      </gl-avatar-labeled>
+    </div>
     <div
-      class="gl-md-display-flex gl-flex-direction-column gl-align-items-flex-end gl-flex-shrink-0 gl-mt-3 gl-pl-10 gl-md-pl-0 gl-md-mt-0"
+      class="gl-md-display-flex gl-flex-direction-column gl-align-items-flex-end gl-flex-shrink-0 gl-mt-3 gl-md-pl-0 gl-md-mt-0"
+      :class="showProjectIcon ? 'gl-pl-11' : 'gl-pl-8'"
     >
       <div class="gl-display-flex gl-align-items-center gl-gap-x-3">
         <gl-badge v-if="project.archived" variant="warning">{{ $options.i18n.archived }}</gl-badge>

app/controllers/concerns/internal_redirect.rb

@@ -6,7 +6,7 @@ module InternalRedirect
   def safe_redirect_path(path)
     return unless path
     # Verify that the string starts with a `/` and a known route character.
-    return unless path =~ %r{\A/[-\w].*\z}
+    return unless %r{\A/[-\w].*\z}.match?(path)
 
     uri = URI(path)
     # Ignore anything path of the redirect except for the path, querystring and,

app/controllers/import/bitbucket_server_controller.rb

@@ -103,8 +103,8 @@ class Import::BitbucketServerController < Import::BaseController
 
     return render_validation_error('Missing project key') unless @project_key.present? && @repo_slug.present?
     return render_validation_error('Missing repository slug') unless @repo_slug.present?
-    return render_validation_error('Invalid project key') unless @project_key =~ VALID_BITBUCKET_PROJECT_CHARS
-    return render_validation_error('Invalid repository slug') unless @repo_slug =~ VALID_BITBUCKET_CHARS
+    return render_validation_error('Invalid project key') unless VALID_BITBUCKET_PROJECT_CHARS.match?(@project_key)
+    return render_validation_error('Invalid repository slug') unless VALID_BITBUCKET_CHARS.match?(@repo_slug)
   end
 
   def render_validation_error(message)

app/finders/ci/pipelines_finder.rb

@@ -164,7 +164,7 @@ module Ci
                    :id
                  end
 
-      sort = if params[:sort] =~ /\A(ASC|DESC)\z/i
+      sort = if /\A(ASC|DESC)\z/i.match?(params[:sort])
                params[:sort]
              else
                :desc

app/helpers/application_helper.rb

@@ -348,7 +348,7 @@ module ApplicationHelper
 
   def linkedin_url(user)
     name = user.linkedin
-    if name =~ %r{\Ahttps?://(www\.)?linkedin\.com/in/}
+    if %r{\Ahttps?://(www\.)?linkedin\.com/in/}.match?(name)
       name
     else
       "https://www.linkedin.com/in/#{name}"
@@ -357,7 +357,7 @@ module ApplicationHelper
 
   def twitter_url(user)
     name = user.twitter
-    if name =~ %r{\Ahttps?://(www\.)?twitter\.com/}
+    if %r{\Ahttps?://(www\.)?twitter\.com/}.match?(name)
       name
     else
       "https://twitter.com/#{name}"

app/helpers/colors_helper.rb

@@ -4,7 +4,7 @@ module ColorsHelper
   HEX_COLOR_PATTERN = /\A\#(?:[0-9A-Fa-f]{3}){1,2}\Z/.freeze
 
   def hex_color_to_rgb_array(hex_color)
-    unless hex_color.is_a?(String) && hex_color =~ HEX_COLOR_PATTERN
+    unless hex_color.is_a?(String) && HEX_COLOR_PATTERN.match?(hex_color)
       raise ArgumentError, "invalid hex color `#{hex_color}`"
     end
 

app/helpers/emails_helper.rb

@@ -41,7 +41,7 @@ module EmailsHelper
   end
 
   def sanitize_name(name)
-    if name =~ URI::DEFAULT_PARSER.regexp[:URI_REF]
+    if URI::DEFAULT_PARSER.regexp[:URI_REF].match?(name)
       name.tr('.', '_')
     else
       name

app/models/commit_range.rb

@@ -64,7 +64,7 @@ class CommitRange
 
     range_string = range_string.strip
 
-    unless range_string =~ /\A#{PATTERN}\z/o
+    unless /\A#{PATTERN}\z/o.match?(range_string)
       raise ArgumentError, "invalid CommitRange string format: #{range_string}"
     end
 

app/models/commit_status.rb

@@ -288,7 +288,7 @@ class CommitStatus < Ci::ApplicationRecord
 
   def sortable_name
     name.to_s.split(/(\d+)/).map do |v|
-      v =~ /\d+/ ? v.to_i : v
+      /\d+/.match?(v) ? v.to_i : v
     end
   end
 

app/models/concerns/ignorable_columns.rb

@@ -18,7 +18,7 @@ module IgnorableColumns
     #
     # Indicate the earliest date and release we can stop ignoring the column with +remove_after+ (a date string) and +remove_with+ (a release)
     def ignore_columns(*columns, remove_after:, remove_with:)
-      raise ArgumentError, 'Please indicate when we can stop ignoring columns with remove_after (date string YYYY-MM-DD), example: ignore_columns(:name, remove_after: \'2019-12-01\', remove_with: \'12.6\')' unless remove_after =~ Gitlab::Regex.utc_date_regex
+      raise ArgumentError, 'Please indicate when we can stop ignoring columns with remove_after (date string YYYY-MM-DD), example: ignore_columns(:name, remove_after: \'2019-12-01\', remove_with: \'12.6\')' unless Gitlab::Regex.utc_date_regex.match?(remove_after)
       raise ArgumentError, 'Please indicate in which release we can stop ignoring columns with remove_with, example: ignore_columns(:name, remove_after: \'2019-12-01\', remove_with: \'12.6\')' unless remove_with
 
       self.ignored_columns += columns.flatten # rubocop:disable Cop/IgnoredColumns

app/models/external_issue.rb

@@ -44,7 +44,7 @@ class ExternalIssue
   end
 
   def reference_link_text(from = nil)
-    return "##{id}" if id =~ /^\d+$/
+    return "##{id}" if /^\d+$/.match?(id)
 
     id
   end

app/models/hooks/web_hook_log.rb

@@ -66,7 +66,7 @@ class WebHookLog < ApplicationRecord
 
   def redact_user_emails
     self.request_data.deep_transform_values! do |value|
-      value.to_s =~ URI::MailTo::EMAIL_REGEXP ? _('[REDACTED]') : value
+      URI::MailTo::EMAIL_REGEXP.match?(value.to_s) ? _('[REDACTED]') : value
     end
   end
 

app/models/ml/model.rb

@@ -13,6 +13,7 @@ module Ml
 
     has_one :default_experiment, class_name: 'Ml::Experiment'
     belongs_to :project
+    has_many :versions, class_name: 'Ml::ModelVersion'
 
     def valid_default_experiment?
       return unless default_experiment

app/models/ml/model_version.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Ml
+  class ModelVersion < ApplicationRecord
+    validates :project, :model, presence: true
+
+    validates :version,
+      format: Gitlab::Regex.ml_model_version_regex,
+      uniqueness: { scope: [:project, :model_id] },
+      presence: true,
+      length: { maximum: 255 }
+
+    validate :valid_model?, :valid_package?
+
+    belongs_to :model, class_name: 'Ml::Model'
+    belongs_to :project
+    belongs_to :package, class_name: 'Packages::Package', optional: true
+
+    delegate :name, to: :model
+
+    private
+
+    def valid_model?
+      return unless model
+
+      errors.add(:model, 'model project must be the same') unless model.project_id == project_id
+    end
+
+    def valid_package?
+      return unless package
+
+      errors.add(:package, 'package must be ml_model') unless package.ml_model?
+      errors.add(:package, 'package name must be the same') unless package.name == name
+      errors.add(:package, 'package version must be the same') unless package.version == version
+      errors.add(:package, 'package project must be the same') unless package.project_id == project_id
+    end
+  end
+end

app/models/projects/topic.rb

@@ -71,7 +71,7 @@ module Projects
 
       # /\R/ - A linebreak: \n, \v, \f, \r \u0085 (NEXT LINE),
       # \u2028 (LINE SEPARATOR), \u2029 (PARAGRAPH SEPARATOR) or \r\n.
-      return unless name =~ /\R/
+      return unless /\R/.match?(name)
 
       errors.add(:name, 'has characters that are not allowed')
     end

app/models/repository.rb

@@ -838,7 +838,7 @@ class Repository
     files = ls_files(options[:branch_name])
 
     options[:actions] = files.each_with_object([]) do |item, list|
-      next unless item =~ regex
+      next unless regex.match?(item)
 
       list.push(
         action: :move,

app/models/user.rb

@@ -1544,7 +1544,7 @@ class User < ApplicationRecord
   end
 
   def full_website_url
-    return "http://#{website_url}" if website_url !~ %r{\Ahttps?://}
+    return "http://#{website_url}" unless %r{\Ahttps?://}.match?(website_url)
 
     website_url
   end

app/models/user_preference.rb

@@ -28,7 +28,6 @@ class UserPreference < ApplicationRecord
   validates :pinned_nav_items, json_schema: { filename: 'pinned_nav_items' }
 
   ignore_columns :experience_level, remove_with: '14.10', remove_after: '2021-03-22'
-  ignore_columns :time_format_in_24h, remove_with: '16.2', remove_after: '2023-07-22'
   # 2023-06-22 is after 16.1 release and during 16.2 release https://docs.gitlab.com/ee/development/database/avoiding_downtime_in_migrations.html#ignoring-the-column-release-m
   ignore_columns :use_legacy_web_ide, remove_with: '16.2', remove_after: '2023-06-22'
 

app/services/bulk_imports/create_service.rb

@@ -105,7 +105,7 @@ module BulkImports
     def validate_setting_enabled!
       source_full_path, source_type = Array.wrap(params)[0].values_at(:source_full_path, :source_type)
       entity_type = ENTITY_TYPES_MAPPING.fetch(source_type)
-      if source_full_path =~ /^[0-9]+$/
+      if /^[0-9]+$/.match?(source_full_path)
         query = query_type(entity_type)
         response = graphql_client.execute(
           graphql_client.parse(query.to_s),
@@ -154,7 +154,7 @@ module BulkImports
     end
 
     def validate_destination_slug(destination_slug)
-      return if destination_slug =~ Gitlab::Regex.oci_repository_path_regex
+      return if Gitlab::Regex.oci_repository_path_regex.match?(destination_slug)
 
       raise BulkImports::Error.destination_slug_validation_failure
     end

app/services/clusters/cleanup/project_namespace_service.rb

@@ -29,7 +29,7 @@ module Clusters
           rescue Kubeclient::HttpError => e
             # unauthorized, forbidden: GitLab's access has been revoked
             # certificate verify failed: Cluster is probably gone forever
-            raise unless e.message =~ /unauthorized|forbidden|certificate verify failed/i
+            raise unless /unauthorized|forbidden|certificate verify failed/i.match?(e.message)
           end
 
           kubernetes_namespace.destroy!

app/services/clusters/cleanup/service_account_service.rb

@@ -27,7 +27,7 @@ module Clusters
       rescue Kubeclient::HttpError => e
         # unauthorized, forbidden: GitLab's access has been revoked
         # certificate verify failed: Cluster is probably gone forever
-        raise unless e.message =~ /unauthorized|forbidden|certificate verify failed/i
+        raise unless /unauthorized|forbidden|certificate verify failed/i.match?(e.message)
       end
     end
   end

app/services/draft_notes/publish_service.rb

@@ -49,6 +49,7 @@ module DraftNotes
       notification_service.async.new_review(review)
       MergeRequests::ResolvedDiscussionNotificationService.new(project: project, current_user: current_user).execute(merge_request)
       GraphqlTriggers.merge_request_merge_status_updated(merge_request)
+      after_publish(review)
     end
 
     def create_note_from_draft(draft, skip_capture_diff_note_position: false, skip_keep_around_commits: false, skip_merge_status_trigger: false)
@@ -108,5 +109,11 @@ module DraftNotes
         project.repository.keep_around(*shas)
       end
     end
+
+    def after_publish(review)
+      # Overridden in EE
+    end
   end
 end
+
+DraftNotes::PublishService.prepend_mod

app/services/projects/update_remote_mirror_service.rb

@@ -93,7 +93,7 @@ module Projects
 
       # TODO: Support LFS sync over SSH
       # https://gitlab.com/gitlab-org/gitlab/-/issues/249587
-      return unless remote_mirror.url =~ %r{\Ahttps?://}i
+      return unless %r{\Ahttps?://}i.match?(remote_mirror.url)
       return unless remote_mirror.password_auth?
 
       Lfs::PushService.new(

app/uploaders/file_uploader.rb

@@ -165,7 +165,7 @@ class FileUploader < GitlabUploader
   def secret
     @secret ||= self.class.generate_secret
 
-    raise InvalidSecret unless @secret =~ VALID_SECRET_PATTERN
+    raise InvalidSecret unless VALID_SECRET_PATTERN.match?(@secret)
 
     @secret
   end

app/validators/abstract_path_validator.rb

@@ -21,7 +21,7 @@ class AbstractPathValidator < ActiveModel::EachValidator
   end
 
   def validate_each(record, attribute, value)
-    unless value =~ self.class.format_regex
+    unless self.class.format_regex.match?(value)
       record.errors.add(attribute, self.class.format_error_message)
       return
     end

app/validators/cluster_name_validator.rb

@@ -16,7 +16,7 @@ class ClusterNameValidator < ActiveModel::EachValidator
         record.errors.add(attribute, " is invalid syntax")
       end
 
-      unless value =~ Gitlab::Regex.kubernetes_namespace_regex
+      unless Gitlab::Regex.kubernetes_namespace_regex.match(value)
         record.errors.add(attribute, Gitlab::Regex.kubernetes_namespace_regex_message)
       end
     end

app/validators/devise_email_validator.rb

@@ -31,6 +31,6 @@ class DeviseEmailValidator < ActiveModel::EachValidator
   end
 
   def validate_each(record, attribute, value)
-    record.errors.add(attribute, :invalid) unless value =~ options[:regexp]
+    record.errors.add(attribute, :invalid) unless options[:regexp].match?(value)
   end
 end

app/validators/line_code_validator.rb

@@ -7,7 +7,7 @@ class LineCodeValidator < ActiveModel::EachValidator
   PATTERN = /\A[a-z0-9]+_\d+_\d+\z/.freeze
 
   def validate_each(record, attribute, value)
-    unless value =~ PATTERN
+    unless PATTERN.match?(value)
       record.errors.add(attribute, "must be a valid line code")
     end
   end

app/views/organizations/organizations/groups_and_projects.html.haml

@@ -1 +1,3 @@
 - page_title _('Groups and projects')
+
+#js-organizations-groups-and-projects

app/views/projects/edit.html.haml

@@ -77,8 +77,8 @@
       %p
         = _('Runs a number of housekeeping tasks within the current repository, such as compressing file revisions and removing unreachable objects.')
         = link_to _('Learn more.'), help_page_path('administration/housekeeping'), target: '_blank', rel: 'noopener noreferrer'
-      = link_to _('Run housekeeping'), housekeeping_project_path(@project),
-        method: :post, class: "btn gl-button btn-default"
+      = render Pajamas::ButtonComponent.new(method: :post, href: housekeeping_project_path(@project)) do
+        = _('Run housekeeping')
 
       .gl-display-inline-flex
         #js-project-prune-unreachable-objects-button{ data: { prune_objects_path: housekeeping_project_path(@project, prune: true), prune_objects_doc_path: help_page_path('administration/housekeeping', anchor: 'prune-unreachable-objects') } }

db/docs/ml_model_versions.yml

@@ -0,0 +1,10 @@
+---
+table_name: ml_model_versions
+classes:
+  - Ml::ModelVersion
+feature_categories:
+  - mlops
+description: A version of a machine learning model for the model registry
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/125729
+milestone: '16.2'
+gitlab_schema: gitlab_main

db/migrate/20230707090835_create_ml_model_versions.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class CreateMlModelVersions < Gitlab::Database::Migration[2.1]
+  enable_lock_retries!
+
+  def up
+    create_table :ml_model_versions do |t|
+      t.timestamps_with_timezone null: false
+      t.references :project, foreign_key: { on_delete: :cascade }, index: true, null: false
+
+      t.bigint :model_id, null: false # fk cascade
+      t.bigint :package_id, null: true # fk nullify
+
+      t.text :version, limit: 255, null: false
+
+      t.index :model_id
+      t.index :package_id
+      t.index [:project_id, :model_id, :version], unique: true
+    end
+  end
+
+  def down
+    drop_table :ml_model_versions
+  end
+end

db/migrate/20230707094002_add_fk_on_ml_model_versions_to_ml_models.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class AddFkOnMlModelVersionsToMlModels < Gitlab::Database::Migration[2.1]
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_foreign_key(:ml_model_versions, :ml_models, column: :model_id, on_delete: :cascade)
+  end
+
+  def down
+    with_lock_retries do
+      remove_foreign_key_if_exists(:ml_model_versions, column: :model_id, on_delete: :cascade)
+    end
+  end
+end

db/migrate/20230707094003_add_fk_on_ml_model_versions_to_packages.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class AddFkOnMlModelVersionsToPackages < Gitlab::Database::Migration[2.1]
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_foreign_key(:ml_model_versions, :packages_packages, column: :package_id, on_delete: :nullify)
+  end
+
+  def down
+    with_lock_retries do
+      remove_foreign_key_if_exists(:ml_model_versions, column: :package_id, on_delete: :nullify)
+    end
+  end
+end

db/schema_migrations/20230707090835

@@ -0,0 +1 @@
+500559ce2b6a3ef8dbf33c6e1ebd1e11b4645d19b52139eaa247fc06c00a1f7c

db/schema_migrations/20230707094002

@@ -0,0 +1 @@
+7e946c03c02800868016387682c3f4146edcd604c8007747ff64b6e4ef4badb2

db/schema_migrations/20230707094003

@@ -0,0 +1 @@
+bf71e6fec331ea1b38a79fc376f63ce30c896f197ffa335b0ec8a914317a391f

db/structure.sql

@@ -18605,6 +18605,26 @@ CREATE SEQUENCE ml_experiments_id_seq
 
 ALTER SEQUENCE ml_experiments_id_seq OWNED BY ml_experiments.id;
 
+CREATE TABLE ml_model_versions (
+    id bigint NOT NULL,
+    created_at timestamp with time zone NOT NULL,
+    updated_at timestamp with time zone NOT NULL,
+    project_id bigint NOT NULL,
+    model_id bigint NOT NULL,
+    package_id bigint,
+    version text NOT NULL,
+    CONSTRAINT check_28b2d892c8 CHECK ((char_length(version) <= 255))
+);
+
+CREATE SEQUENCE ml_model_versions_id_seq
+    START WITH 1
+    INCREMENT BY 1
+    NO MINVALUE
+    NO MAXVALUE
+    CACHE 1;
+
+ALTER SEQUENCE ml_model_versions_id_seq OWNED BY ml_model_versions.id;
+
 CREATE TABLE ml_models (
     id bigint NOT NULL,
     created_at timestamp with time zone NOT NULL,
@@ -25595,6 +25615,8 @@ ALTER TABLE ONLY ml_experiment_metadata ALTER COLUMN id SET DEFAULT nextval('ml_
 
 ALTER TABLE ONLY ml_experiments ALTER COLUMN id SET DEFAULT nextval('ml_experiments_id_seq'::regclass);
 
+ALTER TABLE ONLY ml_model_versions ALTER COLUMN id SET DEFAULT nextval('ml_model_versions_id_seq'::regclass);
+
 ALTER TABLE ONLY ml_models ALTER COLUMN id SET DEFAULT nextval('ml_models_id_seq'::regclass);
 
 ALTER TABLE ONLY namespace_admin_notes ALTER COLUMN id SET DEFAULT nextval('namespace_admin_notes_id_seq'::regclass);
@@ -27812,6 +27834,9 @@ ALTER TABLE ONLY ml_experiment_metadata
 ALTER TABLE ONLY ml_experiments
     ADD CONSTRAINT ml_experiments_pkey PRIMARY KEY (id);
 
+ALTER TABLE ONLY ml_model_versions
+    ADD CONSTRAINT ml_model_versions_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY ml_models
     ADD CONSTRAINT ml_models_pkey PRIMARY KEY (id);
 
@@ -31945,6 +31970,14 @@ CREATE UNIQUE INDEX index_ml_experiments_on_project_id_and_name ON ml_experiment
 
 CREATE INDEX index_ml_experiments_on_user_id ON ml_experiments USING btree (user_id);
 
+CREATE INDEX index_ml_model_versions_on_model_id ON ml_model_versions USING btree (model_id);
+
+CREATE INDEX index_ml_model_versions_on_package_id ON ml_model_versions USING btree (package_id);
+
+CREATE INDEX index_ml_model_versions_on_project_id ON ml_model_versions USING btree (project_id);
+
+CREATE UNIQUE INDEX index_ml_model_versions_on_project_id_and_model_id_and_version ON ml_model_versions USING btree (project_id, model_id, version);
+
 CREATE INDEX index_ml_models_on_project_id ON ml_models USING btree (project_id);
 
 CREATE UNIQUE INDEX index_ml_models_on_project_id_and_name ON ml_models USING btree (project_id, name);
@@ -35540,6 +35573,9 @@ ALTER TABLE ONLY incident_management_timeline_events
 ALTER TABLE ONLY bulk_import_exports
     ADD CONSTRAINT fk_39c726d3b5 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
 
+ALTER TABLE ONLY ml_model_versions
+    ADD CONSTRAINT fk_39f8aa0b8a FOREIGN KEY (package_id) REFERENCES packages_packages(id) ON DELETE SET NULL;
+
 ALTER TABLE p_ci_builds
     ADD CONSTRAINT fk_3a9eaa254d FOREIGN KEY (stage_id) REFERENCES ci_stages(id) ON DELETE CASCADE;
 
@@ -35606,6 +35642,9 @@ ALTER TABLE ONLY sbom_occurrences
 ALTER TABLE ONLY namespace_commit_emails
     ADD CONSTRAINT fk_4d6ba63ba5 FOREIGN KEY (namespace_id) REFERENCES namespaces(id) ON DELETE CASCADE;
 
+ALTER TABLE ONLY ml_model_versions
+    ADD CONSTRAINT fk_4e8b59e7a8 FOREIGN KEY (model_id) REFERENCES ml_models(id) ON DELETE CASCADE;
+
 ALTER TABLE ONLY user_achievements
     ADD CONSTRAINT fk_4efde02858 FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE;
 
@@ -37295,6 +37334,9 @@ ALTER TABLE ONLY achievements
 ALTER TABLE ONLY protected_environment_deploy_access_levels
     ADD CONSTRAINT fk_rails_898a13b650 FOREIGN KEY (protected_environment_id) REFERENCES protected_environments(id) ON DELETE CASCADE;
 
+ALTER TABLE ONLY ml_model_versions
+    ADD CONSTRAINT fk_rails_8a481bd22e FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
+
 ALTER TABLE ONLY snippet_repositories
     ADD CONSTRAINT fk_rails_8afd7e2f71 FOREIGN KEY (snippet_id) REFERENCES snippets(id) ON DELETE CASCADE;
 

doc/administration/geo/replication/location_aware_git_url.md

@@ -107,7 +107,7 @@ You can customize the:
 - SSH remote URL to use the location-aware `git.example.com`. To do so, change the SSH remote URL
   host by setting `gitlab_rails['gitlab_ssh_host']` in `gitlab.rb` of web nodes.
 - HTTP remote URL as shown in
-  [Custom Git clone URL for HTTP(S)](../../../user/admin_area/settings/visibility_and_access_controls.md#customize-git-clone-url-for-https).
+  [Custom Git clone URL for HTTP(S)](../../settings/visibility_and_access_controls.md#customize-git-clone-url-for-https).
 
 ## Example Git request handling behavior
 

doc/administration/get_started.md

@@ -41,7 +41,7 @@ Get started:
 - [Add members](../user/group/index.md#add-users-to-a-group) to the group.
 - Create a [subgroup](../user/group/subgroups/index.md#create-a-subgroup).
 - [Add members](../user/group/subgroups/index.md#subgroup-membership) to the subgroup.
-- Enable [external authorization control](../user/admin_area/settings/external_authorization.md#configuration).
+- Enable [external authorization control](../administration/settings/external_authorization.md#configuration).
 
 **More resources**
 

doc/administration/settings/deprecated_api_rate_limits.md

@@ -0,0 +1,54 @@
+---
+stage: Create
+group: Source Code
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+type: reference
+---
+
+# Deprecated API rate limits **(FREE SELF)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68645) in GitLab 14.4.
+
+Deprecated API endpoints are those which have been replaced with alternative
+functionality, but cannot be removed without breaking backward compatibility.
+Setting a restrictive rate limit on these endpoints can encourage users to
+switch to the alternatives.
+
+## Deprecated API endpoints
+
+Not all deprecated API endpoints are included in this rate limit - just those
+that might have a performance impact:
+
+- [`GET /groups/:id`](../../api/groups.md#details-of-a-group) **without** the `with_projects=0` query parameter.
+
+## Define Deprecated API rate limits
+
+Rate limits for deprecated API endpoints are disabled by default. When enabled, they supersede
+the general user and IP rate limits for requests to deprecated endpoints. You can keep any general user
+and IP rate limits already in place, and increase or decrease the rate limits
+for deprecated API endpoints. No other new features are provided by this override.
+
+Prerequisite:
+
+- You must have administrator access to the instance.
+
+To override the general user and IP rate limits for requests to deprecated API endpoints:
+
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > Network**.
+1. Expand **Deprecated API Rate Limits**.
+1. Select the checkboxes for the types of rate limits you want to enable:
+   - **Unauthenticated API request rate limit**
+   - **Authenticated API request rate limit**
+1. If you selected **unauthenticated**:
+   1. Select the **Maximum unauthenticated API requests per period per IP**.
+   1. Select the **Unauthenticated API rate limit period in seconds**.
+1. If you selected **authenticated**:
+   1. Select the **Maximum authenticated API requests per period per user**.
+   1. Select the **Authenticated API rate limit period in seconds**.
+
+## Related topics
+
+- [Rate limits](../../security/rate_limits.md)
+- [User and IP rate limits](../../user/admin_area/settings/user_and_ip_rate_limits.md)

doc/administration/settings/external_authorization.md

@@ -0,0 +1,144 @@
+---
+stage: Manage
+group: Authentication and Authorization
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# External authorization control **(FREE SELF)**
+
+> [Moved](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/27056) from GitLab Premium to GitLab Free in 11.10.
+
+In highly controlled environments, it may be necessary for access policy to be
+controlled by an external service that permits access based on project
+classification and user access. GitLab provides a way to check project
+authorization with your own defined service.
+
+After the external service is configured and enabled, when a project is
+accessed, a request is made to the external service with the user information
+and project classification label assigned to the project. When the service
+replies with a known response, the result is cached for six hours.
+
+If the external authorization is enabled, GitLab further blocks pages and
+functionality that render cross-project data. That includes:
+
+- Most pages under Dashboard (Activity, Milestones, Snippets, Assigned merge
+  requests, Assigned issues, To-Do List).
+- Under a specific group (Activity, Contribution analytics, Issues, Issue boards,
+  Labels, Milestones, Merge requests).
+- Global and Group search are disabled.
+
+This is to prevent performing too many requests at once to the external
+authorization service.
+
+Whenever access is granted or denied this is logged in a log file called
+`external-policy-access-control.log`. Read more about the logs GitLab keeps in
+the [Linux package documentation](https://docs.gitlab.com/omnibus/settings/logs.html).
+
+When using TLS Authentication with a self signed certificate, the CA certificate
+needs to be trusted by the OpenSSL installation. When using GitLab installed
+using the Linux package, learn to install a custom CA in the
+[Linux package documentation](https://docs.gitlab.com/omnibus/settings/ssl/index.html).
+Alternatively, learn where to install custom certificates by using
+`openssl version -d`.
+
+## Configuration
+
+The external authorization service can be enabled by an administrator:
+
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand **External authorization**.
+1. Complete the fields.
+1. Select **Save changes**.
+
+### Allow external authorization with deploy tokens and deploy keys
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/386656) in GitLab 15.9.
+> - Deploy tokens no longer being able to access container or package registries [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387721) in GitLab 16.0.
+
+You can set your instance to allow external authorization for Git operations with
+[deploy tokens](../../user/project/deploy_tokens/index.md) or [deploy keys](../../user/project/deploy_keys/index.md).
+
+Prerequisites:
+
+- You must be using classification labels without a service URL for external authorization.
+
+To allow authorization with deploy tokens and keys:
+
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand **External authorization**, and:
+   - Leave the service URL field empty.
+   - Select **Allow deploy tokens and deploy keys to be used with external authorization**.
+1. Select **Save changes**.
+
+WARNING:
+If you enable external authorization, deploy tokens cannot access container or package registries. If you use deploy tokens to access these registries, this measure breaks this use of these tokens. Disable external authorization to use tokens with container or package registries.
+
+## How it works
+
+When GitLab requests access, it sends a JSON POST request to the external
+service with this body:
+
+```json
+{
+  "user_identifier": "jane@acme.org",
+  "project_classification_label": "project-label",
+  "user_ldap_dn": "CN=Jane Doe,CN=admin,DC=acme",
+  "identities": [
+    { "provider": "ldap", "extern_uid": "CN=Jane Doe,CN=admin,DC=acme" },
+    { "provider": "bitbucket", "extern_uid": "2435223452345" }
+  ]
+}
+```
+
+The `user_ldap_dn` is optional and is only sent when the user is signed in
+through LDAP.
+
+`identities` contains the details of all the identities associated with the
+user. This is an empty array if there are no identities associated with the
+user.
+
+When the external authorization service responds with a status code 200, the
+user is granted access. When the external service responds with a status code
+401 or 403, the user is denied access. In any case, the request is cached for
+six hours.
+
+When denying access, a `reason` can be optionally specified in the JSON body:
+
+```json
+{
+  "reason": "You are not allowed access to this project."
+}
+```
+
+Any other status code than 200, 401 or 403 also deny access to the user, but the
+response isn't cached.
+
+If the service times out (after 500 ms), a message "External Policy Server did
+not respond" is displayed.
+
+## Classification labels
+
+You can use your own classification label in the project's
+**Settings > General > General project settings** page in the "Classification
+label" box. When no classification label is specified on a project, the default
+label defined in the [global settings](#configuration) is used.
+
+On all project pages, in the upper-right corner, the label appears.
+
+![classification label on project page](img/classification_label_on_project_page_v14_8.png)
+
+<!-- ## Troubleshooting
+
+Include any troubleshooting steps that you can foresee. If you know beforehand what issues
+one might have when setting this up, or when something is changed, or on upgrading, it's
+important to describe those, too. Think of things that may go wrong and include them here.
+This is important to minimize requests for support, and to avoid doc comments with
+questions that you know someone might ask.
+
+Each scenario can be a third-level heading, for example `### Getting error message X`.
+If you have none to add when creating a doc, leave this section in place
+but commented out to help encourage others to add to it in the future. -->

doc/administration/settings/help_page.md

@@ -27,7 +27,7 @@ You can now see the message on `/help`.
 
 NOTE:
 By default, `/help` is visible to unauthenticated users. However, if the
-[**Public** visibility level](../../user/admin_area/settings/visibility_and_access_controls.md#restrict-visibility-levels)
+[**Public** visibility level](visibility_and_access_controls.md#restrict-visibility-levels)
 is restricted, `/help` is visible only to authenticated users.
 
 ## Add a help message to the sign-in page

doc/administration/settings/index.md

@@ -47,7 +47,7 @@ The **General** settings contain:
  Enable mandatory two-factor authentication.
 - [Terms of Service and Privacy Policy](../../user/admin_area/settings/terms.md) - Include a Terms of Service agreement
  and Privacy Policy that all users must accept.
-- [External Authentication](../../user/admin_area/settings/external_authorization.md#configuration) - External Classification Policy Authorization.
+- [External Authentication](../../administration/settings/external_authorization.md#configuration) - External Classification Policy Authorization.
 - [Web terminal](../integration/terminal.md#limiting-websocket-connection-time) -
  Set max session time for web terminal.
 - [FLoC](floc.md) - Enable or disable
@@ -174,7 +174,7 @@ The **Repository** settings contain:
   Set a custom branch name for new repositories created in your instance.
 - [Repository's initial default branch protection](../../user/project/repository/branches/default.md#instance-level-default-branch-protection) -
   Configure the branch protections to apply to every repository's default branch.
-- [Repository mirror](../../user/admin_area/settings/visibility_and_access_controls.md#enable-project-mirroring) -
+- [Repository mirror](visibility_and_access_controls.md#enable-project-mirroring) -
   Configure repository mirroring.
 - [Repository storage](../repository_storage_types.md) - Configure storage path settings.
 - Repository maintenance:

doc/administration/settings/instance_template_repository.md

@@ -66,7 +66,7 @@ extension and not be empty. So, the hierarchy should look like this:
 
 Your custom templates are displayed on the dropdown list when a new file is added through the GitLab UI:
 
-![Custom template dropdown list](../../user/admin_area/settings/img/file_template_user_dropdown.png)
+![Custom template dropdown list](img/file_template_user_dropdown.png)
 
 If this feature is disabled or no templates are present,
 no **Custom** section displays in the selection dropdown.

doc/administration/settings/protected_paths.md

@@ -38,6 +38,6 @@ customized on **Admin > Network > Protected Paths**, along with these options:
 - Rate limit period in seconds.
 - Paths to be protected.
 
-![protected-paths](../../user/admin_area/settings/img/protected_paths.png)
+![protected-paths](img/protected_paths.png)
 
 Requests over the rate limit are logged into `auth.log`.

doc/administration/settings/push_event_activities_limit.md

@@ -16,7 +16,7 @@ bulk push event instead.
 For example, if 4 branches are pushed and the limit is currently set to 3,
 the activity feed displays:
 
-![Bulk push event](../../user/admin_area/settings/img/bulk_push_event_v12_4.png)
+![Bulk push event](img/bulk_push_event_v12_4.png)
 
 With this feature, when a single push includes a lot of changes (for example, 1,000
 branches), only 1 bulk push event is created instead of 1,000 push
@@ -35,4 +35,4 @@ To modify this setting:
 
 The default value is `3`, but the value can be greater than or equal to `0`. Setting this value to `0` does not disable throttling.
 
-![Push event activities limit](../../user/admin_area/settings/img/push_event_activities_limit_v12_4.png)
+![Push event activities limit](img/push_event_activities_limit_v12_4.png)

doc/administration/settings/rate_limit_on_issues_creation.md

@@ -25,7 +25,7 @@ action exceeding a rate of 300 per minute are blocked. Access to the endpoint is
 
 When using [epics](../../user/group/epics/index.md), epic creation shares this rate limit with issues.
 
-![Rate limits on issues creation](../../user/admin_area/settings/img/rate_limit_on_issues_creation_v14_2.png)
+![Rate limits on issues creation](img/rate_limit_on_issues_creation_v14_2.png)
 
 This limit is:
 

doc/administration/settings/rate_limits_on_raw_endpoints.md

@@ -18,7 +18,7 @@ This setting defaults to `300` requests per minute, and allows you to rate limit
 
 For example, requests over `300` per minute to `https://gitlab.com/gitlab-org/gitlab-foss/raw/master/app/controllers/application_controller.rb` are blocked. Access to the raw file is released after 1 minute.
 
-![Rate limits on raw endpoints](../../user/admin_area/settings/img/rate_limits_on_raw_endpoints.png)
+![Rate limits on raw endpoints](img/rate_limits_on_raw_endpoints.png)
 
 This limit is:
 

doc/administration/settings/sign_in_restrictions.md

@@ -152,7 +152,7 @@ After the two-factor authentication is configured as mandatory, users are allowe
 to skip forced configuration of two-factor authentication for the configurable grace
 period in hours.
 
-![Two-factor grace period](../../user/admin_area/settings/img/two_factor_grace_period.png)
+![Two-factor grace period](img/two_factor_grace_period.png)
 
 ## Email notification for unknown sign-ins
 
@@ -161,7 +161,7 @@ period in hours.
 When enabled, GitLab notifies users of sign-ins from unknown IP addresses or devices. For more information,
 see [Email notification for unknown sign-ins](../../user/profile/notifications.md#notifications-for-unknown-sign-ins).
 
-![Email notification for unknown sign-ins](../../user/admin_area/settings/img/email_notification_for_unknown_sign_ins_v13_2.png)
+![Email notification for unknown sign-ins](img/email_notification_for_unknown_sign_ins_v13_2.png)
 
 ## Sign-in information
 

doc/administration/settings/sign_up_restrictions.md

@@ -185,7 +185,7 @@ To create an email domain allowlist or denylist:
 domains ending in `.io`. Domains must be separated by a whitespace,
 semicolon, comma, or a new line.
 
-   ![Domain Denylist](../../user/admin_area/settings/img/domain_denylist_v14_1.png)
+   ![Domain Denylist](img/domain_denylist_v14_1.png)
 
 ## Set up LDAP user filter
 

doc/administration/settings/terms.md

@@ -34,7 +34,7 @@ If an authenticated user declines the terms, they are signed out.
 
 When enabled, it adds a mandatory checkbox to the sign up page for new users:
 
-![Sign up form](../../user/admin_area/settings/img/sign_up_terms.png)
+![Sign up form](img/sign_up_terms.png)
 
 <!-- ## Troubleshooting
 

doc/administration/settings/visibility_and_access_controls.md

@@ -0,0 +1,363 @@
+---
+stage: Create
+group: Source Code
+info: "To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments"
+type: reference
+---
+
+# Control access and visibility **(FREE SELF)**
+
+GitLab enables users with administrator access to enforce
+specific controls on branches, projects, snippets, groups, and more.
+
+To access the visibility and access control options:
+
+1. Sign in to GitLab as a user with Administrator access level.
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand the **Visibility and access controls** section.
+
+## Define which roles can create projects
+
+Instance-level protections for project creation define which roles can
+[add projects to a group](../../user/group/index.md#specify-who-can-add-projects-to-a-group)
+on the instance. To alter which roles have permission to create projects:
+
+1. Sign in to GitLab as a user with Administrator access level.
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand the **Visibility and access controls** section.
+1. For **Default project creation protection**, select the desired roles:
+   - No one.
+   - Maintainers.
+   - Developers and Maintainers.
+1. Select **Save changes**.
+
+## Restrict project deletion to administrators **(PREMIUM SELF)**
+
+> User interface [changed](https://gitlab.com/gitlab-org/gitlab/-/issues/352960) in GitLab 15.1.
+
+By default both administrators and anyone with the **Owner** role can delete a project. To restrict project deletion to only administrators:
+
+1. Sign in to GitLab as a user with administrator access.
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand the **Visibility and access controls** section.
+1. Scroll to:
+   - (GitLab 15.1 and later) **Allowed to delete projects**, and select **Administrators**.
+   - (GitLab 15.0 and earlier) **Default project deletion protection** and select **Only admins can delete project**.
+1. Select **Save changes**.
+
+## Deletion protection **(PREMIUM SELF)**
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/255449) in GitLab 14.2 for groups created after August 12, 2021.
+> - [Renamed](https://gitlab.com/gitlab-org/gitlab/-/issues/352960) from default delayed project deletion in GitLab 15.1.
+> - [Enabled for projects in personal namespaces](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89466) in GitLab 15.1.
+> - [Disabled for projects in personal namespaces](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/95495) in GitLab 15.3.
+> - [Removed option to delete immediately](https://gitlab.com/gitlab-org/gitlab/-/issues/389557) in GitLab 15.11 [with a flag](../feature_flags.md) named `always_perform_delayed_deletion`. Disabled by default.
+> - Enabled delayed deletion by default and removed the option to delete immediately [on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/393622) and [on self-managed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119606) in GitLab 16.0.
+
+Instance-level protection against accidental deletion of groups and projects.
+
+### Retention period
+
+> [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/352960) in GitLab 15.1.
+
+Groups and projects remain restorable within a defined retention period. By default this is 7 days but it can be changed.
+Setting the retention period to `0` means that groups and project are removed immediately and cannot be restored.
+
+In GitLab 15.1 and later, the retention period must be between `1` and `90`. If the retention period was `0` before the 15.1 update,
+then it gets automatically changed to `1` while also disabling deletion protection the next time any application setting is changed.
+
+### Delayed project deletion
+
+> - User interface [changed](https://gitlab.com/gitlab-org/gitlab/-/issues/352960) in GitLab 15.1.
+> - Enabled delayed deletion by default and removed the option to delete immediately [on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/393622) and [on self-managed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119606) in GitLab 16.0.
+
+To configure delayed project deletion:
+
+1. Sign in to GitLab as a user with administrator access.
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand the **Visibility and access controls** section.
+1. Scroll to:
+   - (In GitLab 15.11 and later with `always_perform_delayed_deletion` feature flag enabled, or GitLab 16.0 and later) **Deletion protection** and set the retention period to a value between `1` and `90`.
+   - (GitLab 15.1 and later) **Deletion protection** and select keep deleted groups and projects, and select a retention period.
+   - (GitLab 15.0 and earlier) **Default delayed project protection** and select **Enable delayed project deletion by
+     default for newly-created groups.** Then set a retention period in **Default deletion delay**.
+1. Select **Save changes**.
+
+Deletion protection is not available for projects only (without being also being enabled for groups).
+
+In GitLab 15.1, and later this setting is enforced on groups when disabled and it cannot be overridden.
+
+### Delayed group deletion
+
+> - User interface [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/352960) in GitLab 15.1.
+> - [Changed to default behavior](https://gitlab.com/gitlab-org/gitlab/-/issues/389557) on the Premium and Ultimate tier in GitLab 16.0.
+
+Groups remain restorable if the retention period is `1` or more days.
+
+In GitLab 15.1 and later, delayed group deletion can be enabled by setting **Deletion projection** to **Keep deleted**.
+In GitLab 15.11 and later with the `always_perform_delayed_deletion` feature flag enabled, or in GitLab 16.0 and later:
+
+- The **Keep deleted** option is removed.
+- Delayed group deletion is the default.
+
+### Override defaults and delete immediately
+
+Alternatively, projects that are marked for removal can be deleted immediately. To do so:
+
+1. [Restore the project](../../user/project/settings/index.md#restore-a-project).
+1. Delete the project as described in the
+   [Administering Projects page](../admin_area.md#administering-projects).
+
+## Configure project visibility defaults
+
+To set the default [visibility levels for new projects](../../user/public_access.md):
+
+1. Sign in to GitLab as a user with Administrator access level.
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand the **Visibility and access controls** section.
+1. Select the desired default project visibility:
+   - **Private** - Project access must be granted explicitly to each user. If this
+     project is part of a group, access is granted to members of the group.
+   - **Internal** - The project can be accessed by any authenticated user except external users.
+   - **Public** - The project can be accessed without any authentication.
+1. Select **Save changes**.
+
+## Configure snippet visibility defaults
+
+To set the default visibility levels for new [snippets](../../user/snippets.md):
+
+1. Sign in to GitLab as a user with Administrator access level.
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand the **Visibility and access controls** section.
+1. Select the desired default snippet visibility.
+1. Select **Save changes**.
+
+For more details on snippet visibility, read
+[Project visibility](../../user/public_access.md).
+
+## Configure group visibility defaults
+
+To set the default visibility levels for new groups:
+
+1. Sign in to GitLab as a user with Administrator access level.
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand the **Visibility and access controls** section.
+1. Select the desired default group visibility:
+   - **Private** - The group and its projects can only be viewed by members.
+   - **Internal** - The group and any internal projects can be viewed by any authenticated user except external users.
+   - **Public** - The group and any public projects can be viewed without any authentication.
+1. Select **Save changes**.
+
+For more details on group visibility, see
+[Group visibility](../../user/group/index.md#group-visibility).
+
+## Restrict visibility levels
+
+When restricting visibility levels, consider how these restrictions interact
+with permissions for subgroups and projects that inherit their visibility from
+the item you're changing.
+
+To restrict visibility levels for groups, projects, snippets, and selected pages:
+
+1. Sign in to GitLab as a user with Administrator access level.
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand the **Visibility and access controls** section.
+1. In the **Restricted visibility levels** section, select the desired visibility levels to restrict.
+   - If you restrict the **Public** level:
+      - Only administrators are able to create public groups, projects, and snippets.
+      - User profiles are only visible to authenticated users through the Web interface.
+      - User attributes through the GraphQL API are:
+         - Not visible in [GitLab 15.1 and later](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/88020).
+         - Only visible to authenticated users between [GitLab 13.1](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/33195) and GitLab 15.0.
+   - If you restrict the **Internal** level:
+     - Only administrators are able to create internal groups, projects, and snippets.
+   - If you restrict the **Private** level:
+     - Only administrators are able to create private groups, projects, and snippets.
+1. Select **Save changes**.
+
+For more details on project visibility, see
+[Project visibility](../../user/public_access.md).
+
+## Configure allowed import sources
+
+Before you can import projects from other systems, you must enable the
+[import source](../../user/gitlab_com/index.md#default-import-sources) for that system.
+
+1. Sign in to GitLab as a user with Administrator access level.
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand the **Visibility and access controls** section.
+1. Select each of **Import sources** to allow.
+1. Select **Save changes**.
+
+## Enable project export
+
+To enable the export of
+[projects and their data](../../user/project/settings/import_export.md#export-a-project-and-its-data):
+
+1. Sign in to GitLab as a user with Administrator access level.
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand the **Visibility and access controls** section.
+1. Scroll to **Project export**.
+1. Select the **Enabled** checkbox.
+1. Select **Save changes**.
+
+## Enable migration of groups and projects by direct transfer
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/383268) in GitLab 15.8.
+
+You can enable migration of groups by direct transfer using the UI.
+
+To enable migration of groups by direct transfer:
+
+1. Sign in to GitLab as a user with Administrator access level.
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand the **Visibility and access controls** section.
+1. Scroll to **Allow migrating GitLab groups and projects by direct transfer**.
+1. Select the **Enabled** checkbox.
+1. Select **Save changes**.
+
+The same setting
+[is available](../../api/settings.md#list-of-settings-that-can-be-accessed-via-api-calls) in the API as the
+`bulk_import_enabled` attribute.
+
+## Configure enabled Git access protocols
+
+With GitLab access restrictions, you can select the protocols users can use to
+communicate with GitLab. Disabling an access protocol does not block port access to the
+server itself. The ports used for the protocol, SSH or HTTP(S), are still accessible.
+The GitLab restrictions apply at the application level.
+
+To specify the enabled Git access protocols:
+
+1. Sign in to GitLab as a user with Administrator access level.
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand the **Visibility and access controls** section.
+1. Select the desired Git access protocols:
+   - Both SSH and HTTP(S)
+   - Only SSH
+   - Only HTTP(S)
+1. Select **Save changes**.
+
+When both SSH and HTTP(S) are enabled, users can choose either protocol.
+If only one protocol is enabled:
+
+- The project page shows only the allowed protocol's URL, with no option to
+  change it.
+- GitLab shows a tooltip when you hover over the protocol for the URL, if user action
+  (such as adding a SSH key or setting a password) is required:
+
+  ![Project URL with SSH only access](../../user/admin_area/settings/img/restricted_url.png)
+
+GitLab only allows Git actions for the protocols you select.
+
+WARNING:
+GitLab versions [10.7 and later](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/18021),
+allow the HTTP(S) protocol for Git clone or fetch requests done by GitLab Runner
+from CI/CD jobs, even if you select **Only SSH**.
+
+## Customize Git clone URL for HTTP(S)
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/18422) in GitLab 12.4.
+
+You can customize project Git clone URLs for HTTP(S), which affects the clone
+panel:
+
+For example, if:
+
+- Your GitLab instance is at `https://example.com`, then project clone URLs are like
+  `https://example.com/foo/bar.git`.
+- You want clone URLs that look like `https://git.example.com/gitlab/foo/bar.git` instead,
+  you can set this setting to `https://git.example.com/gitlab/`.
+
+![Custom Git clone URL for HTTP](../../user/admin_area/settings/img/custom_git_clone_url_for_https_v12_4.png)
+
+To specify a custom Git clone URL for HTTP(S):
+
+1. Enter a root URL for **Custom Git clone URL for HTTP(S)**.
+1. Select **Save changes**.
+
+NOTE:
+SSH clone URLs can be customized in `gitlab.rb` by setting `gitlab_rails['gitlab_ssh_host']` and
+other related settings.
+
+## Configure defaults for RSA, DSA, ECDSA, ED25519, ECDSA_SK, ED25519_SK SSH keys
+
+These options specify the permitted types and lengths for SSH keys.
+
+To specify a restriction for each key type:
+
+1. Select the desired option from the dropdown list.
+1. Select **Save changes**.
+
+For more details, see [SSH key restrictions](../../security/ssh_keys_restrictions.md).
+
+## Enable project mirroring
+
+This option is enabled by default. By disabling it, both
+[pull mirroring](../../user/project/repository/mirror/pull.md) and [push mirroring](../../user/project/repository/mirror/push.md) no longer
+work in every repository. They can only be re-enabled by an administrator user on a per-project basis.
+
+![Mirror settings](../../user/admin_area/settings/img/mirror_settings_v15_7.png)
+
+## Configure globally-allowed IP address ranges
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87579) in GitLab 15.1 [with a flag](../feature_flags.md) named `group_ip_restrictions_allow_global`. Disabled by default.
+> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/366445) in GitLab 15.4. [Feature flag `group_ip_restrictions_allow_global`](https://gitlab.com/gitlab-org/gitlab/-/issues/366445) removed.
+
+Administrators can set IP address ranges to be combined with [group-level IP restrictions](../../user/group/access_and_permissions.md#restrict-group-access-by-ip-address).
+Use globally-allowed IP addresses to allow aspects of the GitLab installation to work even when group-level IP address
+restrictions are set.
+
+For example, if the GitLab Pages daemon runs on the `10.0.0.0/24` range, you can specify that range as globally-allowed.
+This means GitLab Pages can still fetch artifacts from pipelines even if group-level IP address restrictions don't
+include the `10.0.0.0/24` range.
+
+To add a IP address range to the group-level allowlist:
+
+1. Sign in to GitLab as a user with Administrator access level.
+1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand the **Visibility and access controls** section.
+1. In **Globally-allowed IP ranges**, provide a list of IP address ranges. This list:
+   - Has no limit on the number of IP address ranges.
+   - Has a size limit of 1 GB.
+   - Applies to both SSH or HTTP authorized IP address ranges. You cannot split
+     this list by type of authorization.
+1. Select **Save changes**.
+
+<!-- ## Troubleshooting
+
+Include any troubleshooting steps that you can foresee. If you know beforehand what issues
+one might have when setting this up, or when something is changed, or on upgrading, it's
+important to describe those, too. Think of things that may go wrong and include them here.
+This is important to minimize requests for support, and to avoid doc comments with
+questions that you know someone might ask.
+
+Each scenario can be a third-level heading, for example `### Getting error message X`.
+If you have none to add when creating a doc, leave this section in place
+but commented out to help encourage others to add to it in the future. -->

doc/api/groups.md

@@ -1140,7 +1140,7 @@ Only available to group owners and administrators.
 
 This endpoint:
 
-- On Premium and Ultimate tiers, marks the group for deletion. The deletion happens 7 days later by default, but you can change the retention period in the [instance settings](../user/admin_area/settings/visibility_and_access_controls.md#deletion-protection).
+- On Premium and Ultimate tiers, marks the group for deletion. The deletion happens 7 days later by default, but you can change the retention period in the [instance settings](../administration/settings/visibility_and_access_controls.md#deletion-protection).
 - On Free tier, removes the group immediately and queues a background job to delete all projects in the group.
 - Deletes a subgroup immediately if the subgroup is marked for deletion (GitLab 15.4 and later). The endpoint does not immediately delete top-level groups.
 

doc/api/projects.md

@@ -2469,7 +2469,7 @@ This endpoint:
 - From [GitLab 16.0](https://gitlab.com/gitlab-org/gitlab/-/issues/220382) on
   [Premium or Ultimate](https://about.gitlab.com/pricing/) tiers, delayed project deletion is enabled by default.
   The deletion happens after the number of days specified in the
-  [default deletion delay](../user/admin_area/settings/visibility_and_access_controls.md#deletion-protection).
+  [default deletion delay](../administration/settings/visibility_and_access_controls.md#deletion-protection).
 
 WARNING:
 The option to delete projects immediately from deletion protection settings in the Admin Area was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/389557) in GitLab 15.9 and removed in GitLab 16.0.

doc/api/settings.md

@@ -312,7 +312,7 @@ listed in the descriptions of the relevant settings.
 | `auto_devops_domain`                     | string           | no                                   | Specify a domain to use by default for every project's Auto Review Apps and Auto Deploy stages. |
 | `auto_devops_enabled`                    | boolean          | no                                   | Enable Auto DevOps for projects by default. It automatically builds, tests, and deploys applications based on a predefined CI/CD configuration. |
 | `automatic_purchased_storage_allocation` | boolean          | no                                   | Enabling this permits automatic allocation of purchased storage in a namespace. Relevant only to EE distributions. |
-| `bulk_import_enabled`                    | boolean          | no                                   | Enable migrating GitLab groups by direct transfer. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/383268) in GitLab 15.8. Setting also [available](../user/admin_area/settings/visibility_and_access_controls.md#enable-migration-of-groups-and-projects-by-direct-transfer) in the Admin Area. |
+| `bulk_import_enabled`                    | boolean          | no                                   | Enable migrating GitLab groups by direct transfer. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/383268) in GitLab 15.8. Setting also [available](../administration/settings/visibility_and_access_controls.md#enable-migration-of-groups-and-projects-by-direct-transfer) in the Admin Area. |
 | `can_create_group` | boolean | no | Indicates whether users can create top-level groups. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/367754) in GitLab 15.5. Defaults to `true`. |
 | `check_namespace_plan` **(PREMIUM)**     | boolean          | no                                   | Enabling this makes only licensed EE features available to projects if the project namespace's plan includes the feature or if the project is public. |
 | `ci_max_includes`                        | integer          | no                                   | The maximum number of [includes](../ci/yaml/includes.md) per pipeline. Default is `150`. |

doc/ci/ci_cd_for_external_repos/index.md

@@ -33,7 +33,7 @@ To connect to an external repository:
 
 If the **Run CI/CD for external repository** option is not available, the GitLab instance
 might not have any import sources configured. Ask an administrator for your instance to check
-the [import sources configuration](../../user/admin_area/settings/visibility_and_access_controls.md#configure-allowed-import-sources).
+the [import sources configuration](../../administration/settings/visibility_and_access_controls.md#configure-allowed-import-sources).
 
 ## Pipelines for external pull requests
 

doc/development/api_graphql_styleguide.md

@@ -813,6 +813,12 @@ field :token, GraphQL::Types::String, null: true,
       description: 'Token for login.'
 ```
 
+Similarly, you can also mark an entire mutation as Alpha by updating where the mutation is mounted in `app/graphql/types/mutation_type.rb`:
+
+```ruby
+mount_mutation Mutations::Ci::JobArtifact::BulkDestroy, alpha: { milestone: '15.10' }
+```
+
 Alpha GraphQL items is a custom GitLab feature that leverages GraphQL deprecations. An Alpha item
 appears as deprecated in the GraphQL schema. Like all deprecated schema items, you can test an
 Alpha field in [GraphiQL](../api/graphql/index.md#graphiql). However, be aware that the GraphiQL

doc/user/admin_area/settings/deprecated_api_rate_limits.md

@@ -1,54 +1,11 @@
 ---
-stage: Create
-group: Source Code
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
-type: reference
+redirect_to: '../../../administration/settings/deprecated_api_rate_limits.md'
+remove_date: '2023-10-13'
 ---
 
-# Deprecated API rate limits **(FREE SELF)**
+This document was moved to [another location](../../../administration/settings/deprecated_api_rate_limits.md).
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68645) in GitLab 14.4.
-
-Deprecated API endpoints are those which have been replaced with alternative
-functionality, but cannot be removed without breaking backward compatibility.
-Setting a restrictive rate limit on these endpoints can encourage users to
-switch to the alternatives.
-
-## Deprecated API endpoints
-
-Not all deprecated API endpoints are included in this rate limit - just those
-that might have a performance impact:
-
-- [`GET /groups/:id`](../../../api/groups.md#details-of-a-group) **without** the `with_projects=0` query parameter.
-
-## Define Deprecated API rate limits
-
-Rate limits for deprecated API endpoints are disabled by default. When enabled, they supersede
-the general user and IP rate limits for requests to deprecated endpoints. You can keep any general user
-and IP rate limits already in place, and increase or decrease the rate limits
-for deprecated API endpoints. No other new features are provided by this override.
-
-Prerequisite:
-
-- You must have administrator access to the instance.
-
-To override the general user and IP rate limits for requests to deprecated API endpoints:
-
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > Network**.
-1. Expand **Deprecated API Rate Limits**.
-1. Select the checkboxes for the types of rate limits you want to enable:
-   - **Unauthenticated API request rate limit**
-   - **Authenticated API request rate limit**
-1. If you selected **unauthenticated**:
-   1. Select the **Maximum unauthenticated API requests per period per IP**.
-   1. Select the **Unauthenticated API rate limit period in seconds**.
-1. If you selected **authenticated**:
-   1. Select the **Maximum authenticated API requests per period per user**.
-   1. Select the **Authenticated API rate limit period in seconds**.
-
-## Related topics
-
-- [Rate limits](../../../security/rate_limits.md)
-- [User and IP rate limits](user_and_ip_rate_limits.md)
+<!-- This redirect file can be deleted after <2023-10-13>. -->
+<!-- Redirects that point to other docs in the same project expire in three months. -->
+<!-- Redirects that point to docs in a different project or site (for example, link is not relative and starts with `https:`) expire in one year. -->
+<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->

doc/user/admin_area/settings/external_authorization.md

@@ -1,144 +1,11 @@
 ---
-stage: Manage
-group: Authentication and Authorization
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+redirect_to: '../../../administration/settings/external_authorization.md'
+remove_date: '2023-10-14'
 ---
 
-# External authorization control **(FREE SELF)**
+This document was moved to [another location](../../../administration/settings/external_authorization.md).
 
-> [Moved](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/27056) from GitLab Premium to GitLab Free in 11.10.
-
-In highly controlled environments, it may be necessary for access policy to be
-controlled by an external service that permits access based on project
-classification and user access. GitLab provides a way to check project
-authorization with your own defined service.
-
-After the external service is configured and enabled, when a project is
-accessed, a request is made to the external service with the user information
-and project classification label assigned to the project. When the service
-replies with a known response, the result is cached for six hours.
-
-If the external authorization is enabled, GitLab further blocks pages and
-functionality that render cross-project data. That includes:
-
-- Most pages under Dashboard (Activity, Milestones, Snippets, Assigned merge
-  requests, Assigned issues, To-Do List).
-- Under a specific group (Activity, Contribution analytics, Issues, Issue boards,
-  Labels, Milestones, Merge requests).
-- Global and Group search are disabled.
-
-This is to prevent performing too many requests at once to the external
-authorization service.
-
-Whenever access is granted or denied this is logged in a log file called
-`external-policy-access-control.log`. Read more about the logs GitLab keeps in
-the [Linux package documentation](https://docs.gitlab.com/omnibus/settings/logs.html).
-
-When using TLS Authentication with a self signed certificate, the CA certificate
-needs to be trusted by the OpenSSL installation. When using GitLab installed
-using the Linux package, learn to install a custom CA in the
-[Linux package documentation](https://docs.gitlab.com/omnibus/settings/ssl/index.html).
-Alternatively, learn where to install custom certificates by using
-`openssl version -d`.
-
-## Configuration
-
-The external authorization service can be enabled by an administrator:
-
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > General**.
-1. Expand **External authorization**.
-1. Complete the fields.
-1. Select **Save changes**.
-
-### Allow external authorization with deploy tokens and deploy keys
-
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/386656) in GitLab 15.9.
-> - Deploy tokens no longer being able to access container or package registries [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387721) in GitLab 16.0.
-
-You can set your instance to allow external authorization for Git operations with
-[deploy tokens](../../project/deploy_tokens/index.md) or [deploy keys](../../project/deploy_keys/index.md).
-
-Prerequisites:
-
-- You must be using classification labels without a service URL for external authorization.
-
-To allow authorization with deploy tokens and keys:
-
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > General**.
-1. Expand **External authorization**, and:
-   - Leave the service URL field empty.
-   - Select **Allow deploy tokens and deploy keys to be used with external authorization**.
-1. Select **Save changes**.
-
-WARNING:
-If you enable external authorization, deploy tokens cannot access container or package registries. If you use deploy tokens to access these registries, this measure breaks this use of these tokens. Disable external authorization to use tokens with container or package registries.
-
-## How it works
-
-When GitLab requests access, it sends a JSON POST request to the external
-service with this body:
-
-```json
-{
-  "user_identifier": "jane@acme.org",
-  "project_classification_label": "project-label",
-  "user_ldap_dn": "CN=Jane Doe,CN=admin,DC=acme",
-  "identities": [
-    { "provider": "ldap", "extern_uid": "CN=Jane Doe,CN=admin,DC=acme" },
-    { "provider": "bitbucket", "extern_uid": "2435223452345" }
-  ]
-}
-```
-
-The `user_ldap_dn` is optional and is only sent when the user is signed in
-through LDAP.
-
-`identities` contains the details of all the identities associated with the
-user. This is an empty array if there are no identities associated with the
-user.
-
-When the external authorization service responds with a status code 200, the
-user is granted access. When the external service responds with a status code
-401 or 403, the user is denied access. In any case, the request is cached for
-six hours.
-
-When denying access, a `reason` can be optionally specified in the JSON body:
-
-```json
-{
-  "reason": "You are not allowed access to this project."
-}
-```
-
-Any other status code than 200, 401 or 403 also deny access to the user, but the
-response isn't cached.
-
-If the service times out (after 500 ms), a message "External Policy Server did
-not respond" is displayed.
-
-## Classification labels
-
-You can use your own classification label in the project's
-**Settings > General > General project settings** page in the "Classification
-label" box. When no classification label is specified on a project, the default
-label defined in the [global settings](#configuration) is used.
-
-On all project pages, in the upper-right corner, the label appears.
-
-![classification label on project page](img/classification_label_on_project_page_v14_8.png)
-
-<!-- ## Troubleshooting
-
-Include any troubleshooting steps that you can foresee. If you know beforehand what issues
-one might have when setting this up, or when something is changed, or on upgrading, it's
-important to describe those, too. Think of things that may go wrong and include them here.
-This is important to minimize requests for support, and to avoid doc comments with
-questions that you know someone might ask.
-
-Each scenario can be a third-level heading, for example `### Getting error message X`.
-If you have none to add when creating a doc, leave this section in place
-but commented out to help encourage others to add to it in the future. -->
+<!-- This redirect file can be deleted after <2023-10-14>. -->
+<!-- Redirects that point to other docs in the same project expire in three months. -->
+<!-- Redirects that point to docs in a different project or site (for example, link is not relative and starts with `https:`) expire in one year. -->
+<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->

doc/user/admin_area/settings/visibility_and_access_controls.md

@@ -1,363 +1,11 @@
 ---
-stage: Create
-group: Source Code
-info: "To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments"
-type: reference
+redirect_to: '../../../administration/settings/visibility_and_access_controls.md'
+remove_date: '2023-10-14'
 ---
 
-# Control access and visibility **(FREE SELF)**
+This document was moved to [another location](../../../administration/settings/visibility_and_access_controls.md).
 
-GitLab enables users with administrator access to enforce
-specific controls on branches, projects, snippets, groups, and more.
-
-To access the visibility and access control options:
-
-1. Sign in to GitLab as a user with Administrator access level.
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > General**.
-1. Expand the **Visibility and access controls** section.
-
-## Define which roles can create projects
-
-Instance-level protections for project creation define which roles can
-[add projects to a group](../../group/index.md#specify-who-can-add-projects-to-a-group)
-on the instance. To alter which roles have permission to create projects:
-
-1. Sign in to GitLab as a user with Administrator access level.
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > General**.
-1. Expand the **Visibility and access controls** section.
-1. For **Default project creation protection**, select the desired roles:
-   - No one.
-   - Maintainers.
-   - Developers and Maintainers.
-1. Select **Save changes**.
-
-## Restrict project deletion to administrators **(PREMIUM SELF)**
-
-> User interface [changed](https://gitlab.com/gitlab-org/gitlab/-/issues/352960) in GitLab 15.1.
-
-By default both administrators and anyone with the **Owner** role can delete a project. To restrict project deletion to only administrators:
-
-1. Sign in to GitLab as a user with administrator access.
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > General**.
-1. Expand the **Visibility and access controls** section.
-1. Scroll to:
-   - (GitLab 15.1 and later) **Allowed to delete projects**, and select **Administrators**.
-   - (GitLab 15.0 and earlier) **Default project deletion protection** and select **Only admins can delete project**.
-1. Select **Save changes**.
-
-## Deletion protection **(PREMIUM SELF)**
-
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/255449) in GitLab 14.2 for groups created after August 12, 2021.
-> - [Renamed](https://gitlab.com/gitlab-org/gitlab/-/issues/352960) from default delayed project deletion in GitLab 15.1.
-> - [Enabled for projects in personal namespaces](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89466) in GitLab 15.1.
-> - [Disabled for projects in personal namespaces](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/95495) in GitLab 15.3.
-> - [Removed option to delete immediately](https://gitlab.com/gitlab-org/gitlab/-/issues/389557) in GitLab 15.11 [with a flag](../../../administration/feature_flags.md) named `always_perform_delayed_deletion`. Disabled by default.
-> - Enabled delayed deletion by default and removed the option to delete immediately [on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/393622) and [on self-managed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119606) in GitLab 16.0.
-
-Instance-level protection against accidental deletion of groups and projects.
-
-### Retention period
-
-> [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/352960) in GitLab 15.1.
-
-Groups and projects remain restorable within a defined retention period. By default this is 7 days but it can be changed.
-Setting the retention period to `0` means that groups and project are removed immediately and cannot be restored.
-
-In GitLab 15.1 and later, the retention period must be between `1` and `90`. If the retention period was `0` before the 15.1 update,
-then it gets automatically changed to `1` while also disabling deletion protection the next time any application setting is changed.
-
-### Delayed project deletion
-
-> - User interface [changed](https://gitlab.com/gitlab-org/gitlab/-/issues/352960) in GitLab 15.1.
-> - Enabled delayed deletion by default and removed the option to delete immediately [on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/393622) and [on self-managed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119606) in GitLab 16.0.
-
-To configure delayed project deletion:
-
-1. Sign in to GitLab as a user with administrator access.
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > General**.
-1. Expand the **Visibility and access controls** section.
-1. Scroll to:
-   - (In GitLab 15.11 and later with `always_perform_delayed_deletion` feature flag enabled, or GitLab 16.0 and later) **Deletion protection** and set the retention period to a value between `1` and `90`.
-   - (GitLab 15.1 and later) **Deletion protection** and select keep deleted groups and projects, and select a retention period.
-   - (GitLab 15.0 and earlier) **Default delayed project protection** and select **Enable delayed project deletion by
-     default for newly-created groups.** Then set a retention period in **Default deletion delay**.
-1. Select **Save changes**.
-
-Deletion protection is not available for projects only (without being also being enabled for groups).
-
-In GitLab 15.1, and later this setting is enforced on groups when disabled and it cannot be overridden.
-
-### Delayed group deletion
-
-> - User interface [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/352960) in GitLab 15.1.
-> - [Changed to default behavior](https://gitlab.com/gitlab-org/gitlab/-/issues/389557) on the Premium and Ultimate tier in GitLab 16.0.
-
-Groups remain restorable if the retention period is `1` or more days.
-
-In GitLab 15.1 and later, delayed group deletion can be enabled by setting **Deletion projection** to **Keep deleted**.
-In GitLab 15.11 and later with the `always_perform_delayed_deletion` feature flag enabled, or in GitLab 16.0 and later:
-
-- The **Keep deleted** option is removed.
-- Delayed group deletion is the default.
-
-### Override defaults and delete immediately
-
-Alternatively, projects that are marked for removal can be deleted immediately. To do so:
-
-1. [Restore the project](../../project/settings/index.md#restore-a-project).
-1. Delete the project as described in the
-   [Administering Projects page](../../../administration/admin_area.md#administering-projects).
-
-## Configure project visibility defaults
-
-To set the default [visibility levels for new projects](../../public_access.md):
-
-1. Sign in to GitLab as a user with Administrator access level.
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > General**.
-1. Expand the **Visibility and access controls** section.
-1. Select the desired default project visibility:
-   - **Private** - Project access must be granted explicitly to each user. If this
-     project is part of a group, access is granted to members of the group.
-   - **Internal** - The project can be accessed by any authenticated user except external users.
-   - **Public** - The project can be accessed without any authentication.
-1. Select **Save changes**.
-
-## Configure snippet visibility defaults
-
-To set the default visibility levels for new [snippets](../../snippets.md):
-
-1. Sign in to GitLab as a user with Administrator access level.
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > General**.
-1. Expand the **Visibility and access controls** section.
-1. Select the desired default snippet visibility.
-1. Select **Save changes**.
-
-For more details on snippet visibility, read
-[Project visibility](../../public_access.md).
-
-## Configure group visibility defaults
-
-To set the default visibility levels for new groups:
-
-1. Sign in to GitLab as a user with Administrator access level.
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > General**.
-1. Expand the **Visibility and access controls** section.
-1. Select the desired default group visibility:
-   - **Private** - The group and its projects can only be viewed by members.
-   - **Internal** - The group and any internal projects can be viewed by any authenticated user except external users.
-   - **Public** - The group and any public projects can be viewed without any authentication.
-1. Select **Save changes**.
-
-For more details on group visibility, see
-[Group visibility](../../group/index.md#group-visibility).
-
-## Restrict visibility levels
-
-When restricting visibility levels, consider how these restrictions interact
-with permissions for subgroups and projects that inherit their visibility from
-the item you're changing.
-
-To restrict visibility levels for groups, projects, snippets, and selected pages:
-
-1. Sign in to GitLab as a user with Administrator access level.
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > General**.
-1. Expand the **Visibility and access controls** section.
-1. In the **Restricted visibility levels** section, select the desired visibility levels to restrict.
-   - If you restrict the **Public** level:
-      - Only administrators are able to create public groups, projects, and snippets.
-      - User profiles are only visible to authenticated users through the Web interface.
-      - User attributes through the GraphQL API are:
-         - Not visible in [GitLab 15.1 and later](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/88020).
-         - Only visible to authenticated users between [GitLab 13.1](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/33195) and GitLab 15.0.
-   - If you restrict the **Internal** level:
-     - Only administrators are able to create internal groups, projects, and snippets.
-   - If you restrict the **Private** level:
-     - Only administrators are able to create private groups, projects, and snippets.
-1. Select **Save changes**.
-
-For more details on project visibility, see
-[Project visibility](../../public_access.md).
-
-## Configure allowed import sources
-
-Before you can import projects from other systems, you must enable the
-[import source](../../gitlab_com/index.md#default-import-sources) for that system.
-
-1. Sign in to GitLab as a user with Administrator access level.
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > General**.
-1. Expand the **Visibility and access controls** section.
-1. Select each of **Import sources** to allow.
-1. Select **Save changes**.
-
-## Enable project export
-
-To enable the export of
-[projects and their data](../../project/settings/import_export.md#export-a-project-and-its-data):
-
-1. Sign in to GitLab as a user with Administrator access level.
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > General**.
-1. Expand the **Visibility and access controls** section.
-1. Scroll to **Project export**.
-1. Select the **Enabled** checkbox.
-1. Select **Save changes**.
-
-## Enable migration of groups and projects by direct transfer
-
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/383268) in GitLab 15.8.
-
-You can enable migration of groups by direct transfer using the UI.
-
-To enable migration of groups by direct transfer:
-
-1. Sign in to GitLab as a user with Administrator access level.
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > General**.
-1. Expand the **Visibility and access controls** section.
-1. Scroll to **Allow migrating GitLab groups and projects by direct transfer**.
-1. Select the **Enabled** checkbox.
-1. Select **Save changes**.
-
-The same setting
-[is available](../../../api/settings.md#list-of-settings-that-can-be-accessed-via-api-calls) in the API as the
-`bulk_import_enabled` attribute.
-
-## Configure enabled Git access protocols
-
-With GitLab access restrictions, you can select the protocols users can use to
-communicate with GitLab. Disabling an access protocol does not block port access to the
-server itself. The ports used for the protocol, SSH or HTTP(S), are still accessible.
-The GitLab restrictions apply at the application level.
-
-To specify the enabled Git access protocols:
-
-1. Sign in to GitLab as a user with Administrator access level.
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > General**.
-1. Expand the **Visibility and access controls** section.
-1. Select the desired Git access protocols:
-   - Both SSH and HTTP(S)
-   - Only SSH
-   - Only HTTP(S)
-1. Select **Save changes**.
-
-When both SSH and HTTP(S) are enabled, users can choose either protocol.
-If only one protocol is enabled:
-
-- The project page shows only the allowed protocol's URL, with no option to
-  change it.
-- GitLab shows a tooltip when you hover over the protocol for the URL, if user action
-  (such as adding a SSH key or setting a password) is required:
-
-  ![Project URL with SSH only access](img/restricted_url.png)
-
-GitLab only allows Git actions for the protocols you select.
-
-WARNING:
-GitLab versions [10.7 and later](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/18021),
-allow the HTTP(S) protocol for Git clone or fetch requests done by GitLab Runner
-from CI/CD jobs, even if you select **Only SSH**.
-
-## Customize Git clone URL for HTTP(S)
-
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/18422) in GitLab 12.4.
-
-You can customize project Git clone URLs for HTTP(S), which affects the clone
-panel:
-
-For example, if:
-
-- Your GitLab instance is at `https://example.com`, then project clone URLs are like
-  `https://example.com/foo/bar.git`.
-- You want clone URLs that look like `https://git.example.com/gitlab/foo/bar.git` instead,
-  you can set this setting to `https://git.example.com/gitlab/`.
-
-![Custom Git clone URL for HTTP](img/custom_git_clone_url_for_https_v12_4.png)
-
-To specify a custom Git clone URL for HTTP(S):
-
-1. Enter a root URL for **Custom Git clone URL for HTTP(S)**.
-1. Select **Save changes**.
-
-NOTE:
-SSH clone URLs can be customized in `gitlab.rb` by setting `gitlab_rails['gitlab_ssh_host']` and
-other related settings.
-
-## Configure defaults for RSA, DSA, ECDSA, ED25519, ECDSA_SK, ED25519_SK SSH keys
-
-These options specify the permitted types and lengths for SSH keys.
-
-To specify a restriction for each key type:
-
-1. Select the desired option from the dropdown list.
-1. Select **Save changes**.
-
-For more details, see [SSH key restrictions](../../../security/ssh_keys_restrictions.md).
-
-## Enable project mirroring
-
-This option is enabled by default. By disabling it, both
-[pull mirroring](../../project/repository/mirror/pull.md) and [push mirroring](../../project/repository/mirror/push.md) no longer
-work in every repository. They can only be re-enabled by an administrator user on a per-project basis.
-
-![Mirror settings](img/mirror_settings_v15_7.png)
-
-## Configure globally-allowed IP address ranges
-
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87579) in GitLab 15.1 [with a flag](../../../administration/feature_flags.md) named `group_ip_restrictions_allow_global`. Disabled by default.
-> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/366445) in GitLab 15.4. [Feature flag `group_ip_restrictions_allow_global`](https://gitlab.com/gitlab-org/gitlab/-/issues/366445) removed.
-
-Administrators can set IP address ranges to be combined with [group-level IP restrictions](../../group/access_and_permissions.md#restrict-group-access-by-ip-address).
-Use globally-allowed IP addresses to allow aspects of the GitLab installation to work even when group-level IP address
-restrictions are set.
-
-For example, if the GitLab Pages daemon runs on the `10.0.0.0/24` range, you can specify that range as globally-allowed.
-This means GitLab Pages can still fetch artifacts from pipelines even if group-level IP address restrictions don't
-include the `10.0.0.0/24` range.
-
-To add a IP address range to the group-level allowlist:
-
-1. Sign in to GitLab as a user with Administrator access level.
-1. On the left sidebar, expand the top-most chevron (**{chevron-down}**).
-1. Select **Admin Area**.
-1. Select **Settings > General**.
-1. Expand the **Visibility and access controls** section.
-1. In **Globally-allowed IP ranges**, provide a list of IP address ranges. This list:
-   - Has no limit on the number of IP address ranges.
-   - Has a size limit of 1 GB.
-   - Applies to both SSH or HTTP authorized IP address ranges. You cannot split
-     this list by type of authorization.
-1. Select **Save changes**.
-
-<!-- ## Troubleshooting
-
-Include any troubleshooting steps that you can foresee. If you know beforehand what issues
-one might have when setting this up, or when something is changed, or on upgrading, it's
-important to describe those, too. Think of things that may go wrong and include them here.
-This is important to minimize requests for support, and to avoid doc comments with
-questions that you know someone might ask.
-
-Each scenario can be a third-level heading, for example `### Getting error message X`.
-If you have none to add when creating a doc, leave this section in place
-but commented out to help encourage others to add to it in the future. -->
+<!-- This redirect file can be deleted after <2023-10-14>. -->
+<!-- Redirects that point to other docs in the same project expire in three months. -->
+<!-- Redirects that point to docs in a different project or site (for example, link is not relative and starts with `https:`) expire in one year. -->
+<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->

doc/user/gitlab_com/index.md

@@ -216,7 +216,7 @@ The import sources that are available by default depend on which GitLab you use:
 
 - GitLab.com: all available import sources are enabled by default.
 - GitLab self-managed: no import sources are enabled by default and must be
-  [enabled](../admin_area/settings/visibility_and_access_controls.md#configure-allowed-import-sources).
+  [enabled](../../administration/settings/visibility_and_access_controls.md#configure-allowed-import-sources).
 
 | Import source                                                                                       | GitLab.com default     | GitLab self-managed default |
 |:----------------------------------------------------------------------------------------------------|:-----------------------|:----------------------------|

doc/user/group/access_and_permissions.md

@@ -41,7 +41,7 @@ The group's new subgroups have push rules set for them based on either:
 > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/365357) in GitLab 16.0.
 
 You can set the permitted protocols used to access a group's repositories to either SSH, HTTPS, or both. This setting
-is disabled when the [instance setting](../admin_area/settings/visibility_and_access_controls.md#configure-enabled-git-access-protocols) is
+is disabled when the [instance setting](../../administration/settings/visibility_and_access_controls.md#configure-enabled-git-access-protocols) is
 configured by an administrator.
 
 To change the permitted Git access protocols for a group:
@@ -63,11 +63,11 @@ address. This top-level group setting applies to:
 - The GitLab UI, including subgroups, projects, and issues. It does not apply to GitLab Pages.
 - [In GitLab 12.3 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/12874), the API.
 - In self-managed installations of GitLab 15.1 and later, you can also configure
-[globally-allowed IP address ranges](../admin_area/settings/visibility_and_access_controls.md#configure-globally-allowed-ip-address-ranges)
+[globally-allowed IP address ranges](../../administration/settings/visibility_and_access_controls.md#configure-globally-allowed-ip-address-ranges)
 at the group level.
 
 Administrators can combine restricted access by IP address with
-[globally-allowed IP addresses](../admin_area/settings/visibility_and_access_controls.md#configure-globally-allowed-ip-address-ranges).
+[globally-allowed IP addresses](../../administration/settings/visibility_and_access_controls.md#configure-globally-allowed-ip-address-ranges).
 
 To restrict group access by IP address:
 

doc/user/group/import/index.md

@@ -30,7 +30,7 @@ If you migrate from GitLab.com to self-managed GitLab, an administrator can crea
 > - `bulk_import_projects` feature flag [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/339941) in GitLab 15.10.
 
 On self-managed GitLab, by default [migrating group items](#migrated-group-items) is not available. To show the
-feature, ask an administrator to [enable it in application settings](../../admin_area/settings/visibility_and_access_controls.md#enable-migration-of-groups-and-projects-by-direct-transfer).
+feature, ask an administrator to [enable it in application settings](../../../administration/settings/visibility_and_access_controls.md#enable-migration-of-groups-and-projects-by-direct-transfer).
 
 Migrating groups by direct transfer copies the groups from one place to another. You can:
 
@@ -105,7 +105,7 @@ To migrate groups by direct transfer:
 - The network connection between instances or GitLab.com must support HTTPS.
 - Any firewalls must not block the connection between the source and destination GitLab instances.
 - Both GitLab instances must have group migration by direct transfer
-  [enabled in application settings](../../admin_area/settings/visibility_and_access_controls.md#enable-migration-of-groups-and-projects-by-direct-transfer)
+  [enabled in application settings](../../../administration/settings/visibility_and_access_controls.md#enable-migration-of-groups-and-projects-by-direct-transfer)
   by an instance administrator.
 - The source GitLab instance must be running GitLab 14.0 or later.
 - You must have a [personal access token](../../../user/profile/personal_access_tokens.md) for the source GitLab