Add latest changes from gitlab-org/gitlab@master

.rubocop_todo/style/class_and_module_children.yml

@@ -389,7 +389,6 @@ Style/ClassAndModuleChildren:
     - 'ee/app/controllers/projects/insights_controller.rb'
     - 'ee/app/controllers/projects/iteration_cadences_controller.rb'
     - 'ee/app/controllers/projects/iterations_controller.rb'
-    - 'ee/app/controllers/projects/path_locks_controller.rb'
     - 'ee/app/controllers/projects/protected_environments_controller.rb'
     - 'ee/app/controllers/projects/push_rules_controller.rb'
     - 'ee/app/controllers/projects/quality/test_cases_controller.rb'

Gemfile

@@ -265,7 +265,7 @@ gem 'asciidoctor-include-ext', '~> 0.4.0', require: false, feature_category: :ma
 gem 'asciidoctor-plantuml', '~> 0.0.16', feature_category: :markdown
 gem 'asciidoctor-kroki', '~> 0.10.0', require: false, feature_category: :markdown
 gem 'rouge', '~> 4.5.0', feature_category: :shared
-gem 'truncato', '~> 0.7.12', feature_category: :team_planning
+gem 'truncato', '~> 0.7.13', feature_category: :team_planning
 gem 'nokogiri', '~> 1.18', feature_category: :shared
 gem 'gitlab-glfm-markdown', '~> 0.0.27', feature_category: :markdown
 gem 'tanuki_emoji', '~> 0.13', feature_category: :markdown

Gemfile.lock

@@ -2342,7 +2342,7 @@ DEPENDENCIES
   thrift (>= 0.16.0)
   timfel-krb5-auth (~> 0.8)
   toml-rb (~> 2.2.0)
-  truncato (~> 0.7.12)
+  truncato (~> 0.7.13)
   tty-prompt (~> 0.23)
   typhoeus (~> 1.4.0)
   undercover (~> 0.6.0)

Gemfile.next.lock

@@ -2376,7 +2376,7 @@ DEPENDENCIES
   thrift (>= 0.16.0)
   timfel-krb5-auth (~> 0.8)
   toml-rb (~> 2.2.0)
-  truncato (~> 0.7.12)
+  truncato (~> 0.7.13)
   tty-prompt (~> 0.23)
   typhoeus (~> 1.4.0)
   undercover (~> 0.6.0)

app/models/plan_limits.rb

@@ -3,7 +3,6 @@
 class PlanLimits < ApplicationRecord
   include SafelyChangeColumnDefault
 
-  columns_changing_default :ci_max_artifact_size_lsif
   columns_changing_default :active_versioned_pages_deployments_limit_by_namespace
 
   ALLOWED_LIMITS_HISTORY_ATTRIBUTES = %i[notification_limit enforcement_limit storage_size_limit

app/views/admin/users/_stat_card.html.haml

@@ -1,7 +1,7 @@
 = render Pajamas::CardComponent.new do |c|
   - c.with_body do
     %div
-      = render Pajamas::SingleStatComponent.new(title: title, stat_value: value)
+      = render Pajamas::SingleStatComponent.new(title: title, stat_value: value, title_tag: 'h2')
       - if href && link_title
-        = render Pajamas::ButtonComponent.new(size: :small, button_options: { class: 'gl-w-max' }, variant: :link, block: false, href: href) do
+        = render Pajamas::ButtonComponent.new(size: :small, button_options: { class: 'gl-w-max', title: _("Filter list for %{title}").html_safe % { title: title } }, variant: :link, block: false, href: href) do
           = link_title

danger/code_suggestions/Dangerfile

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-CODE_SUGGESTIONS_CATEGORY_LABEL = "Category:Code Suggestions"
-
 CODE_SUGGESTIONS_DANGER_MESSAGE = <<~MSG
 ## Code Suggestions
 

db/docs/batched_background_migrations/backfill_ci_pipeline_schedule_variables_project_id.yml

@@ -1,9 +1,10 @@
 ---
 migration_job_name: BackfillCiPipelineScheduleVariablesProjectId
-description: Backfills sharding key `ci_pipeline_schedule_variables.project_id` from `ci_pipeline_schedules`.
+description: Backfills sharding key `ci_pipeline_schedule_variables.project_id` from
+  `ci_pipeline_schedules`.
 feature_category: continuous_integration
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168110
 milestone: '17.5'
 queued_migration_version: 20241003181431
 finalize_after: '2024-11-22'
-finalized_by: # version of the migration that finalized this BBM
+finalized_by: '20250217231827'

db/post_migrate/20250217231827_finalize_hk_backfill_ci_pipeline_schedule_variables_project_id.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class FinalizeHkBackfillCiPipelineScheduleVariablesProjectId < Gitlab::Database::Migration[2.2]
+  milestone '17.10'
+
+  disable_ddl_transaction!
+
+  restrict_gitlab_migration gitlab_schema: :gitlab_ci
+
+  def up
+    ensure_batched_background_migration_is_finished(
+      job_class_name: 'BackfillCiPipelineScheduleVariablesProjectId',
+      table_name: :ci_pipeline_schedule_variables,
+      column_name: :id,
+      job_arguments: [:project_id, :ci_pipeline_schedules, :project_id, :pipeline_schedule_id],
+      finalize: true
+    )
+  end
+
+  def down; end
+end

db/schema_migrations/20250217231827

@@ -0,0 +1 @@
+1cc5695baa913f1cb7b0c280126d683c5590922a6ce40a7659fd481f2853ec9b

doc/administration/geo/replication/container_registry.md

@@ -218,7 +218,7 @@ To fix this, make sure that the authorization headers being sent with the regist
 
 To replicate a container image, Sidekiq uses JWT to authenticate itself towards the container registry. Geo replication takes it as a prerequisite that the [container registry configuration](../../packages/container_registry.md) has been done correctly.
 
-Make sure that both sites share a single signing key pair, as instructed under [Configure secondary site](#configure-secondary-site), and that both container registries, plus primary and secondary sites are [all configured to use the same token issuer](../../packages/container_registry.md#configure-gitlab-and-registry-to-run-on-separate-nodes-linux-package-installations).
+Make sure that both sites share a single signing key pair, as instructed under [Configure secondary site](#configure-secondary-site), and that both container registries, plus primary and secondary sites are [all configured to use the same token issuer](../../packages/container_registry.md#configure-gitlab-and-registry-on-separate-nodes-linux-package-installations).
 
 On multinode deployments, make sure that the issuer configured on the Sidekiq node matches the value configured on the registries.
 

doc/administration/packages/container_registry.md

@@ -1422,7 +1422,7 @@ and there are no scaling guides which target number of seats or requests per sec
 
 ### Registry server
 
-1. **Move to a separate node**: A [separate node](#configure-gitlab-and-registry-to-run-on-separate-nodes-linux-package-installations)
+1. **Move to a separate node**: A [separate node](#configure-gitlab-and-registry-on-separate-nodes-linux-package-installations)
    is one way to scale vertically to increase the resources available to the container registry server process.
 1. **Run multiple registry nodes behind a load balancer**: While the registry can handle
    a high amount of traffic with a single large node, the registry is generally intended to
@@ -1457,28 +1457,28 @@ cache improves performance, but also enables features such as renaming repositor
    with multi-node deployments, online garbage collection automatically scales without
    the need for configuration changes.
 
-## Configure GitLab and Registry to run on separate nodes (Linux package installations)
+## Configure GitLab and registry on separate nodes (Linux package installations)
 
-By default, package assumes that both services are running on the same node.
+By default, the GitLab package assumes both services run on the same node.
-To get GitLab and Registry to run on a separate nodes, separate configuration
+Running them on separate nodes requires separate configuration.
-is necessary for Registry and GitLab.
 
-### Configure Registry
+### Configuration options
 
-Below you can find configuration options you should set in `/etc/gitlab/gitlab.rb`,
+The following configuration options should be set in `/etc/gitlab/gitlab.rb` on the respective nodes.
-for Registry to run separately from GitLab:
 
-- `registry['registry_http_addr']`, default [set programmatically](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/gitlab/libraries/registry.rb#L50). Needs to be reachable by web server (or LB).
+#### Registry node settings
-- `registry['token_realm']`, default [set programmatically](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/gitlab/libraries/registry.rb#L53). Specifies the endpoint to use to perform authentication, usually the GitLab URL.
+
-  This endpoint needs to be reachable by user.
+| Option                                     | Description |
-- `registry['http_secret']`, [random string](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/gitlab/libraries/registry.rb#L32). A random piece of data used to sign state that may be stored with the client to protect against tampering.
+| ------------------------------------------ | ----------- |
-- `registry['internal_key']`, default [automatically generated](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb#L113-119). Contents of the key that GitLab uses to sign the tokens. They key gets created on the Registry server, but it is not used there.
+| `registry['registry_http_addr']`           | Network address and port that the registry listens on. Must be reachable by the web server or load balancer. Default: [set programmatically](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/gitlab/libraries/registry.rb#L50). |
-- `gitlab_rails['registry_key_path']`, default [set programmatically](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb#L35). This is the path where `internal_key` contents are written to disk.
+| `registry['token_realm']`                  | Authentication endpoint URL, typically the GitLab instance URL. Must be reachable by users. Default: [set programmatically](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/gitlab/libraries/registry.rb#L53). |
-- `registry['internal_certificate']`, default [automatically generated](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/registry/recipes/enable.rb#L60-66). Contents of the certificate that GitLab uses to sign the tokens.
+| `registry['http_secret']`                  | Security token used to protect against client-side tampering. Generated as a [random string](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/gitlab/libraries/registry.rb#L32). |
-- `registry['rootcertbundle']`, default [set programmatically](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/registry/recipes/enable.rb#L60). Path to certificate. This is the path where `internal_certificate`
+| `registry['internal_key']`                 | Token-signing key, created on the registry server but used by GitLab. Default: [automatically generated](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb#L113-119). |
-  contents are written to disk.
+| `registry['internal_certificate']`         | Certificate for token signing. Default: [automatically generated](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/registry/recipes/enable.rb#L60-66). |
-- `registry['health_storagedriver_enabled']`, default [set programmatically](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-7-stable/files/gitlab-cookbooks/gitlab/libraries/registry.rb#L88). Configure whether health checks on the configured storage driver are enabled.
+| `registry['rootcertbundle']`               | File path where the `internal_certificate` is stored. Default: [set programmatically](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/registry/recipes/enable.rb#L60). |
-- `gitlab_rails['registry_issuer']`, [default value](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/gitlab/attributes/default.rb#L153). This setting needs to be set the same between Registry and GitLab.
+| `registry['health_storagedriver_enabled']` | Enables health monitoring of the storage driver. Default: [set programmatically](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-7-stable/files/gitlab-cookbooks/gitlab/libraries/registry.rb#L88). |
+| `gitlab_rails['registry_key_path']`        | File path where the `internal_key` is stored. Default: [set programmatically](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb#L35). |
+| `gitlab_rails['registry_issuer']`          | Token issuer name. Must match between registry and GitLab configurations. Default: [set programmatically](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/gitlab/attributes/default.rb#L153). |
 
 <!--- start_remove The following content will be removed on remove_date: '2025/08/15' -->
 
@@ -1490,20 +1490,74 @@ Support for authenticating requests using Amazon S3 Signature Version 2 in the c
 
 <!--- end_remove -->
 
-### Configure GitLab
+#### GitLab node settings
 
-Below you can find configuration options you should set in `/etc/gitlab/gitlab.rb`,
+| Option                              | Description |
-for GitLab to run separately from Registry:
+| ----------------------------------- | ----------- |
+| `gitlab_rails['registry_enabled']`  | Enables the GitLab registry API integration. Must be set to `true`. |
+| `gitlab_rails['registry_api_url']`  | Internal registry URL used by GitLab (not visible to users). Uses `registry['registry_http_addr']` with scheme. Default: [set programmatically](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/gitlab/libraries/registry.rb#L52). |
+| `gitlab_rails['registry_host']`     | Public registry hostname without scheme (example: `registry.gitlab.example`). This address is shown to users. |
+| `gitlab_rails['registry_port']`     | Public registry port number shown to users. |
+| `gitlab_rails['registry_issuer']`   | Token issuer name that must match the registry's configuration. |
+| `gitlab_rails['registry_key_path']` | File path to the certificate key used by the registry. |
+| `gitlab_rails['internal_key']`      | Token-signing key content used by GitLab. |
 
-- `gitlab_rails['registry_enabled']`, must be set to `true`. This setting
+### Set up the nodes
-  signals to GitLab that it should allow Registry API requests.
+
-- `gitlab_rails['registry_api_url']`, default [set programmatically](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/10-3-stable/files/gitlab-cookbooks/gitlab/libraries/registry.rb#L52). This is the Registry URL used internally that users do not need to interact with, `registry['registry_http_addr']` with scheme.
+To configure GitLab and the container registry on separate nodes:
-- `gitlab_rails['registry_host']`, for example, `registry.gitlab.example`. Registry endpoint without the scheme, the address that gets shown to the end user.
+
-- `gitlab_rails['registry_port']`. Registry endpoint port, visible to the end user.
+1. On the registry node, edit `/etc/gitlab/gitlab.rb` with the following settings:
-- `gitlab_rails['registry_issuer']` must match the issuer in the Registry configuration.
+
-- `gitlab_rails['registry_key_path']`, path to the key that matches the certificate on the
+   ```ruby
-  Registry side.
+   # Registry server details
-- `gitlab_rails['internal_key']`, contents of the key that GitLab uses to sign the tokens.
+   # - IP address: 10.30.227.194
+   # - Domain: registry.example.com
+
+   # Disable unneeded services
+   gitlab_workhorse['enable'] = false
+   puma['enable'] = false
+   sidekiq['enable'] = false
+   postgresql['enable'] = false
+   redis['enable'] = false
+   gitlab_kas['enable'] = false
+   gitaly['enable'] = false
+   nginx['enable'] = false
+
+   # Configure registry settings
+   registry['enable'] = true
+   registry['registry_http_addr'] = '0.0.0.0:5000'
+   registry['token_realm'] = 'https://gitlab.example.com'
+   registry['http_secret'] = '6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b'
+
+   # Configure GitLab Rails settings
+   gitlab_rails['registry_issuer'] = 'omnibus-gitlab-issuer'
+   gitlab_rails['registry_key_path'] = '/etc/gitlab/gitlab-registry.key'
+   ```
+
+1. On the GitLab node, edit `/etc/gitlab/gitlab.rb` with the following settings:
+
+   ```ruby
+   # GitLab server details
+   # - IP address: 10.30.227.149
+   # - Domain: gitlab.example.com
+
+   # Configure GitLab URL
+   external_url 'https://gitlab.example.com'
+
+   # Configure registry settings
+   gitlab_rails['registry_enabled'] = true
+   gitlab_rails['registry_api_url'] = 'http://10.30.227.194:5000'
+   gitlab_rails['registry_host'] = 'registry.example.com'
+   gitlab_rails['registry_port'] = 5000
+   gitlab_rails['registry_issuer'] = 'omnibus-gitlab-issuer'
+   gitlab_rails['registry_key_path'] = '/etc/gitlab/gitlab-registry.key'
+   ```
+
+1. Synchronize the `/etc/gitlab/gitlab-secrets.json` file between both nodes:
+
+   1. Copy the file from the GitLab node to the registry node.
+   1. Ensure file permissions are correct.
+   1. Run `sudo gitlab-ctl reconfigure` on both nodes.
 
 ## Architecture of GitLab container registry
 

doc/api/releases/links.md

@@ -12,7 +12,11 @@ title: Release links API
 
 {{< /details >}}
 
-> Support for [GitLab CI/CD job token](../../ci/jobs/ci_job_token.md) authentication [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250819) in GitLab 15.1.
+{{< history >}}
+
+- [Added](https://gitlab.com/gitlab-org/gitlab/-/issues/250819) authentication with a [GitLab CI/CD job token](../../ci/jobs/ci_job_token.md) in GitLab 15.1.
+
+{{< /history >}}
 
 Use this API to manipulate GitLab [Release](../../user/project/releases/_index.md)
 links. For manipulating other Release assets, see [Release API](_index.md).

doc/ci/testing/code_coverage/_index.md

@@ -65,7 +65,7 @@ Test the regex patterns carefully. Tool output formats can change over time, and
 
 | Tool       | Language | Command        | Regex pattern |
 |------------|----------|----------------|---------------|
-| pytest-cov | Python   | `pytest --cov` | `/TOTAL.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/` |
+| pytest-cov | Python   | `pytest --cov` | `/TOTAL.*? (100(?:\.0+)?\%\|[1-9]?\d(?:\.\d+)?\%)$/` |
 | Simplecov  | Ruby     | `rspec spec`   | `/\(\d+.\d+\%\) covered/` |
 
 {{< /tab >}}

lib/gitlab/database/sos/db_stats_activity.rb

@@ -49,7 +49,7 @@ module Gitlab
               c.relname, con.conname;
           SQL
 
-          platform_info: <<~SQL
+          platform_info: <<~SQL,
             SELECT
               name AS key,
               setting AS value
@@ -58,6 +58,14 @@ module Gitlab
             UNION ALL
             SELECT 'System information', version();
           SQL
+
+          collation_check: <<~SQL
+            SELECT collname AS collation_name,
+              collversion AS version,
+              pg_collation_actual_version(oid) AS actual_version
+            FROM pg_collation
+            WHERE collprovider = 'c';
+          SQL
         }.freeze
 
         def run

locale/gitlab.pot

@@ -25040,6 +25040,9 @@ msgstr ""
 msgid "Filter by test cases that are currently open."
 msgstr ""
 
+msgid "Filter list for %{title}"
+msgstr ""
+
 msgid "Filter parameters are not valid. Make sure that the end date is after the start date."
 msgstr ""
 

spec/lib/gitlab/database/sos/db_stats_activity_spec.rb

@@ -50,6 +50,8 @@ RSpec.describe Gitlab::Database::Sos::DbStatsActivity, feature_category: :databa
           expect(result.fields).to eq %w[job_class_name table_name column_name job_arguments]
         when :platform_info
           expect(result.fields).to eq %w[key value]
+        when :collation_check
+          expect(result.fields).to eq %w[collation_name version actual_version]
         end
       end
     end