diff --git a/.gitlab/issue_templates/Analytics Instrumentation Issue.md b/.gitlab/issue_templates/Analytics Instrumentation Issue.md
index f07fb5d5122..ec5b8d623f8 100644
--- a/.gitlab/issue_templates/Analytics Instrumentation Issue.md	
+++ b/.gitlab/issue_templates/Analytics Instrumentation Issue.md	
@@ -20,7 +20,7 @@
 <!-- Any further tasks that need to be completed after the main work of the issue is done, such as announcing the changes. -->
 <!-- This section is optional. -->
 
-<!-- Make sure to add one of the type labels (as per https://handbook.gitlab.com/handbook/engineering/metrics/#work-type-classification):-->
+<!-- Make sure to add one of the type labels (as per https://handbook.gitlab.com/handbook/product/groups/product-analysis/engineering/metrics/#work-type-classification):-->
 <!-- /label ~"type::bug" ~"type::feature" ~"type::tooling" ~"type::maintenance" -->
 
 /label ~devops::analytics ~"group::analytics instrumentation"
diff --git a/.gitlab/issue_templates/Global Search - bug.md b/.gitlab/issue_templates/Global Search - bug.md
index 2f568fe32bc..5a38ee781c1 100644
--- a/.gitlab/issue_templates/Global Search - bug.md	
+++ b/.gitlab/issue_templates/Global Search - bug.md	
@@ -23,8 +23,8 @@
 
 <!-- If you can, link to the line of code that might be responsible for the problem. -->
 
-<!-- Please add a label for the type of bug as per https://about.gitlab.com/handbook/engineering/metrics/#work-type-classification -->
+<!-- Please add a label for the type of bug as per https://handbook.gitlab.com/handbook/product/groups/product-analysis/engineering/metrics/#work-type-classification -->
 /label ~"type::bug"
 /label ~"group::global search"
 /label ~"workflow::solution validation" 
-/milestone %Backlog
\ No newline at end of file
+/milestone %Backlog
diff --git a/.gitlab/issue_templates/Global Search - feature.md b/.gitlab/issue_templates/Global Search - feature.md
index ebc4248b7fd..e337372d730 100644
--- a/.gitlab/issue_templates/Global Search - feature.md	
+++ b/.gitlab/issue_templates/Global Search - feature.md	
@@ -6,8 +6,8 @@
 
 <!-- Use this section to explain the feature and how it will work. It can be helpful to add technical details, design proposals, and links to related epics or issues. -->
 
-<!-- Please add a label for the type of feature as per https://about.gitlab.com/handbook/engineering/metrics/#work-type-classification -->
+<!-- Please add a label for the type of feature as per https://handbook.gitlab.com/handbook/product/groups/product-analysis/engineering/metrics/#work-type-classification -->
 /label ~"type::feature"
 /label ~"group::global search"
 /label ~"workflow::solution validation" 
-/milestone %Backlog
\ No newline at end of file
+/milestone %Backlog
diff --git a/.gitlab/issue_templates/Global Search - maintenance.md b/.gitlab/issue_templates/Global Search - maintenance.md
index 38ce56479f2..552b33d36b7 100644
--- a/.gitlab/issue_templates/Global Search - maintenance.md	
+++ b/.gitlab/issue_templates/Global Search - maintenance.md	
@@ -4,8 +4,8 @@
 
 <!-- Use this section to explain the feature and how it will work. It can be helpful to add technical details, design proposals, and links to related epics or issues. -->
 
-<!-- Please add a label for the type of maintenance as per https://about.gitlab.com/handbook/engineering/metrics/#work-type-classification -->
+<!-- Please add a label for the type of maintenance as per https://handbook.gitlab.com/handbook/product/groups/product-analysis/engineering/metrics/#work-type-classification -->
 /label ~"type::maintenance"
 /label ~"group::global search"
 /label ~"workflow::solution validation" 
-/milestone %Backlog
\ No newline at end of file
+/milestone %Backlog
diff --git a/.gitlab/issue_templates/QA Failure.md b/.gitlab/issue_templates/QA Failure.md
index 3a0ce5cf431..54baf046d82 100644
--- a/.gitlab/issue_templates/QA Failure.md	
+++ b/.gitlab/issue_templates/QA Failure.md	
@@ -56,7 +56,7 @@ If you include multiple screenshots it can be helpful to hide all but the first
 <!-- Base labels. -->
 /label ~Quality ~QA ~test
 
-<!-- Work classification type label, please apply ignore type label until the investigation is complete and an [issue type](https://about.gitlab.com/handbook/engineering/metrics/#work-type-classification) is determined.-->
+<!-- Work classification type label, please apply ignore type label until the investigation is complete and an [issue type](https://handbook.gitlab.com/handbook/product/groups/product-analysis/engineering/metrics/#work-type-classification) is determined.-->
 /label ~"type::ignore" 
 
 <!-- Test failure type label, please use just one.-->
diff --git a/.rubocop_todo/gitlab/bounded_contexts.yml b/.rubocop_todo/gitlab/bounded_contexts.yml
index 54067a84415..ab20369d312 100644
--- a/.rubocop_todo/gitlab/bounded_contexts.yml
+++ b/.rubocop_todo/gitlab/bounded_contexts.yml
@@ -3203,7 +3203,6 @@ Gitlab/BoundedContexts:
     - 'ee/app/services/elastic/index_projects_by_range_service.rb'
     - 'ee/app/services/elastic/process_bookkeeping_service.rb'
     - 'ee/app/services/elastic/process_initial_bookkeeping_service.rb'
-    - 'ee/app/services/epic_issues/create_service.rb'
     - 'ee/app/services/epic_issues/destroy_service.rb'
     - 'ee/app/services/epic_issues/list_service.rb'
     - 'ee/app/services/epic_issues/update_service.rb'
diff --git a/.rubocop_todo/layout/array_alignment.yml b/.rubocop_todo/layout/array_alignment.yml
index bbc5fbb6e8e..0b1f3503ed2 100644
--- a/.rubocop_todo/layout/array_alignment.yml
+++ b/.rubocop_todo/layout/array_alignment.yml
@@ -39,7 +39,6 @@ Layout/ArrayAlignment:
     - 'ee/spec/serializers/user_analytics_entity_spec.rb'
     - 'ee/spec/services/audit_events/export_csv_service_spec.rb'
     - 'ee/spec/services/ee/boards/issues/list_service_spec.rb'
-    - 'ee/spec/services/epic_issues/create_service_spec.rb'
     - 'ee/spec/services/incident_management/issuable_resource_links/zoom_link_service_spec.rb'
     - 'ee/spec/services/security/security_orchestration_policies/create_pipeline_service_spec.rb'
     - 'ee/spec/services/security/token_revocation_service_spec.rb'
diff --git a/.rubocop_todo/layout/line_continuation_spacing.yml b/.rubocop_todo/layout/line_continuation_spacing.yml
index b5426be9191..fbc982a8a5d 100644
--- a/.rubocop_todo/layout/line_continuation_spacing.yml
+++ b/.rubocop_todo/layout/line_continuation_spacing.yml
@@ -72,7 +72,6 @@ Layout/LineContinuationSpacing:
     - 'ee/spec/requests/api/graphql/mutations/vulnerabilities/create_external_issue_link_spec.rb'
     - 'ee/spec/requests/api/graphql/mutations/vulnerabilities/destroy_external_issue_link_spec.rb'
     - 'ee/spec/services/boards/epic_lists/destroy_service_spec.rb'
-    - 'ee/spec/services/epic_issues/create_service_spec.rb'
     - 'ee/spec/services/phone_verification/telesign_client/risk_score_service_spec.rb'
     - 'ee/spec/services/phone_verification/telesign_client/send_verification_code_service_spec.rb'
     - 'ee/spec/workers/ee/issuable_export_csv_worker_spec.rb'
diff --git a/.rubocop_todo/layout/line_end_string_concatenation_indentation.yml b/.rubocop_todo/layout/line_end_string_concatenation_indentation.yml
index 03a075c3d96..49660960b8a 100644
--- a/.rubocop_todo/layout/line_end_string_concatenation_indentation.yml
+++ b/.rubocop_todo/layout/line_end_string_concatenation_indentation.yml
@@ -300,7 +300,6 @@ Layout/LineEndStringConcatenationIndentation:
     - 'ee/spec/services/ee/members/invite_service_spec.rb'
     - 'ee/spec/services/ee/post_receive_service_spec.rb'
     - 'ee/spec/services/ee/work_items/related_work_item_links/create_service_spec.rb'
-    - 'ee/spec/services/epic_issues/create_service_spec.rb'
     - 'ee/spec/services/geo/container_repository_sync_spec.rb'
     - 'ee/spec/services/gitlab_subscriptions/add_on_purchases/create_service_spec.rb'
     - 'ee/spec/services/gitlab_subscriptions/add_on_purchases/update_service_spec.rb'
diff --git a/.rubocop_todo/layout/line_length.yml b/.rubocop_todo/layout/line_length.yml
index dcbb192a779..dd2095491f5 100644
--- a/.rubocop_todo/layout/line_length.yml
+++ b/.rubocop_todo/layout/line_length.yml
@@ -1696,7 +1696,6 @@ Layout/LineLength:
     - 'ee/spec/services/ee/users/destroy_service_spec.rb'
     - 'ee/spec/services/ee/users/update_service_spec.rb'
     - 'ee/spec/services/elastic/process_initial_bookkeeping_service_spec.rb'
-    - 'ee/spec/services/epic_issues/create_service_spec.rb'
     - 'ee/spec/services/epics/issue_promote_service_spec.rb'
     - 'ee/spec/services/epics/update_service_spec.rb'
     - 'ee/spec/services/external_status_checks/update_service_spec.rb'
diff --git a/.rubocop_todo/lint/no_return_in_begin_end_blocks.yml b/.rubocop_todo/lint/no_return_in_begin_end_blocks.yml
index a3b94dc66b2..c4ea8ebb2d1 100644
--- a/.rubocop_todo/lint/no_return_in_begin_end_blocks.yml
+++ b/.rubocop_todo/lint/no_return_in_begin_end_blocks.yml
@@ -4,7 +4,6 @@ Lint/NoReturnInBeginEndBlocks:
     - 'app/models/concerns/metric_image_uploading.rb'
     - 'app/models/merge_request.rb'
     - 'app/services/security/ci_configuration/sast_parser_service.rb'
-    - 'ee/app/services/epic_issues/create_service.rb'
     - 'ee/app/services/gitlab_subscriptions/preview_billable_user_change_service.rb'
     - 'ee/app/services/security/token_revocation_service.rb'
     - 'ee/lib/api/vulnerability_findings.rb'
diff --git a/.rubocop_todo/performance/flat_map.yml b/.rubocop_todo/performance/flat_map.yml
index 8c4f00ffbc7..25eb5d92ea6 100644
--- a/.rubocop_todo/performance/flat_map.yml
+++ b/.rubocop_todo/performance/flat_map.yml
@@ -6,7 +6,6 @@ Performance/FlatMap:
     - 'ee/app/models/burndown.rb'
     - 'ee/app/models/geo_node_status.rb'
     - 'ee/app/serializers/dashboard_environments_serializer.rb'
-    - 'ee/app/services/elastic/process_bookkeeping_service.rb'
     - 'ee/spec/requests/api/members_spec.rb'
     - 'ee/spec/support/helpers/license_scanning_report_helpers.rb'
     - 'lib/gitlab/ci/pipeline/chain/ensure_environments.rb'
diff --git a/.rubocop_todo/rspec/before_all_role_assignment.yml b/.rubocop_todo/rspec/before_all_role_assignment.yml
index 4d1eb87020a..ea76db71af2 100644
--- a/.rubocop_todo/rspec/before_all_role_assignment.yml
+++ b/.rubocop_todo/rspec/before_all_role_assignment.yml
@@ -553,7 +553,6 @@ RSpec/BeforeAllRoleAssignment:
     - 'ee/spec/services/ee/todos/destroy/entity_leave_service_spec.rb'
     - 'ee/spec/services/ee/two_factor/destroy_service_spec.rb'
     - 'ee/spec/services/ee/work_items/import_csv_service_spec.rb'
-    - 'ee/spec/services/epic_issues/create_service_spec.rb'
     - 'ee/spec/services/epic_issues/update_service_spec.rb'
     - 'ee/spec/services/epics/close_service_spec.rb'
     - 'ee/spec/services/epics/create_service_spec.rb'
diff --git a/.rubocop_todo/rspec/expect_change.yml b/.rubocop_todo/rspec/expect_change.yml
index aaeb7ef76a0..97bbb2e14c8 100644
--- a/.rubocop_todo/rspec/expect_change.yml
+++ b/.rubocop_todo/rspec/expect_change.yml
@@ -97,7 +97,6 @@ RSpec/ExpectChange:
     - 'ee/spec/services/ee/users/block_service_spec.rb'
     - 'ee/spec/services/ee/users/create_service_spec.rb'
     - 'ee/spec/services/ee/users/destroy_service_spec.rb'
-    - 'ee/spec/services/epic_issues/create_service_spec.rb'
     - 'ee/spec/services/epics/issue_promote_service_spec.rb'
     - 'ee/spec/services/epics/transfer_service_spec.rb'
     - 'ee/spec/services/geo/container_repository_registry_removal_service_spec.rb'
diff --git a/.rubocop_todo/rspec/named_subject.yml b/.rubocop_todo/rspec/named_subject.yml
index 9ff7184c34f..858522ad77c 100644
--- a/.rubocop_todo/rspec/named_subject.yml
+++ b/.rubocop_todo/rspec/named_subject.yml
@@ -902,7 +902,6 @@ RSpec/NamedSubject:
     - 'ee/spec/services/ee/users/build_service_spec.rb'
     - 'ee/spec/services/ee/work_items/import_csv_service_spec.rb'
     - 'ee/spec/services/elastic/metrics_update_service_spec.rb'
-    - 'ee/spec/services/epic_issues/create_service_spec.rb'
     - 'ee/spec/services/epic_issues/destroy_service_spec.rb'
     - 'ee/spec/services/epic_issues/list_service_spec.rb'
     - 'ee/spec/services/epic_issues/update_service_spec.rb'
diff --git a/.rubocop_todo/rspec/receive_messages.yml b/.rubocop_todo/rspec/receive_messages.yml
index 45c567a0176..b975fbbb9ef 100644
--- a/.rubocop_todo/rspec/receive_messages.yml
+++ b/.rubocop_todo/rspec/receive_messages.yml
@@ -148,7 +148,6 @@ RSpec/ReceiveMessages:
     - 'ee/spec/services/ee/post_receive_service_spec.rb'
     - 'ee/spec/services/ee/spam/spam_verdict_service_spec.rb'
     - 'ee/spec/services/ee/work_items/related_work_item_links/create_service_spec.rb'
-    - 'ee/spec/services/epic_issues/create_service_spec.rb'
     - 'ee/spec/services/geo/container_repository_sync_spec.rb'
     - 'ee/spec/services/geo/framework_repository_sync_service_spec.rb'
     - 'ee/spec/services/gitlab_subscriptions/create_service_spec.rb'
diff --git a/.rubocop_todo/rspec/scattered_let.yml b/.rubocop_todo/rspec/scattered_let.yml
index 6f2fb149986..5d5d7bec725 100644
--- a/.rubocop_todo/rspec/scattered_let.yml
+++ b/.rubocop_todo/rspec/scattered_let.yml
@@ -48,7 +48,6 @@ RSpec/ScatteredLet:
     - 'ee/spec/services/ee/issue_links/create_service_spec.rb'
     - 'ee/spec/services/ee/issues/create_service_spec.rb'
     - 'ee/spec/services/ee/merge_requests/base_service_spec.rb'
-    - 'ee/spec/services/epic_issues/create_service_spec.rb'
     - 'ee/spec/services/epics/issue_promote_service_spec.rb'
     - 'ee/spec/services/geo/metrics_update_service_spec.rb'
     - 'ee/spec/services/group_saml/saml_provider/create_service_spec.rb'
diff --git a/.rubocop_todo/style/inline_disable_annotation.yml b/.rubocop_todo/style/inline_disable_annotation.yml
index 02ef9458932..45d4e345b4f 100644
--- a/.rubocop_todo/style/inline_disable_annotation.yml
+++ b/.rubocop_todo/style/inline_disable_annotation.yml
@@ -1279,7 +1279,6 @@ Style/InlineDisableAnnotation:
     - 'ee/app/services/ee/users/update_service.rb'
     - 'ee/app/services/elastic/index_projects_by_range_service.rb'
     - 'ee/app/services/elastic/process_bookkeeping_service.rb'
-    - 'ee/app/services/epic_issues/create_service.rb'
     - 'ee/app/services/epics/strategies/base_dates_strategy.rb'
     - 'ee/app/services/epics/strategies/due_date_inherited_strategy.rb'
     - 'ee/app/services/epics/strategies/start_date_inherited_strategy.rb'
diff --git a/.rubocop_todo/style/redundant_self.yml b/.rubocop_todo/style/redundant_self.yml
index f4999bc8ff6..c2ecd263cf7 100644
--- a/.rubocop_todo/style/redundant_self.yml
+++ b/.rubocop_todo/style/redundant_self.yml
@@ -186,7 +186,6 @@ Style/RedundantSelf:
     - 'ee/app/models/push_rule.rb'
     - 'ee/app/models/security/orchestration_policy_configuration.rb'
     - 'ee/app/models/vulnerabilities/finding.rb'
-    - 'ee/app/services/elastic/process_bookkeeping_service.rb'
     - 'ee/lib/api/dependencies.rb'
     - 'ee/lib/ee/gitlab/auth/ldap/sync/groups.rb'
     - 'ee/lib/ee/gitlab/auth/ldap/sync/proxy.rb'
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 74acb142152..70a6464b0b2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,25 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 17.8.2 (2025-02-11)
+
+### Fixed (3 changes)
+
+- [Fix storing incorrect policy index in scan_result_policies](https://gitlab.com/gitlab-org/security/gitlab/-/commit/49e2809628b91b4200b62faf512ae73ba4bfaa27) **GitLab Enterprise Edition**
+- [Enable ai tracking even with feature flag disabled](https://gitlab.com/gitlab-org/security/gitlab/-/commit/27526bdc24302c80940356e93928956ea6cb21d3) **GitLab Enterprise Edition**
+- [Fix Workhorse failing on 64-bit unaligned access on Raspberry Pi 32-bit](https://gitlab.com/gitlab-org/security/gitlab/-/commit/a026bcb6a7a0a69329ab6cc63cfe2ef51a7d2d83)
+
+### Security (8 changes)
+
+- [Security Duo Chat Escape Unknown Domain Hyperlinks](https://gitlab.com/gitlab-org/security/gitlab/-/commit/44436a9c648b077a89efb5d2b394f36702f0e315) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4706))
+- [Hide sensitive workhorse headers and fix route confusion between web and workhorse routes](https://gitlab.com/gitlab-org/security/gitlab/-/commit/80e0601861d797ed6126b999c5830409ee5e8abf) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4760))
+- [Do not allow Planner role to update or delete incidents](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3c76c42d1451fea9f74aec4ff31d17483f8c2d14) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4746))
+- [Reduce memory allocations on create PAT endpoint](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3183ac5d359b349b248dfb6d094e6791b2cf716a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4750))
+- [Prevent SSRF attacks for Workspaces](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ad1ddf3353d1817d3b7eb583ea333dab0dd3f6a2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4729))
+- [Prevent read code access when repository is disabled](https://gitlab.com/gitlab-org/security/gitlab/-/commit/be2a9c24d18e2735f4d8e640bfd61633851da60e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4705))
+- [Fixes XSS on the target branch in the merge request widget](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3de176b1ee5c0df452d265a9ca39ae950c9553aa) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4735))
+- [Unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/security/gitlab/-/commit/85760efaf82d85241732360045a1763095740049) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4725))
+
 ## 17.8.1 (2025-01-22)
 
 ### Security (4 changes)
@@ -467,6 +486,19 @@ entry.
 - [Remove default on `group_saved_replies_flag feature flag](https://gitlab.com/gitlab-org/gitlab/-/commit/75d49fe13646e1e0d3b68233ac4a965c86853917) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175647))
 - [Remove use_actual_plan_in_license_check flag](https://gitlab.com/gitlab-org/gitlab/-/commit/b8c3fe16aedb69c82ff52d1c695d72e933c4b946) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175649))
 
+## 17.7.4 (2025-02-11)
+
+### Security (8 changes)
+
+- [Security Duo Chat Escape Unknown Domain Hyperlinks](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d3eafa571712e6891f16ecccaaefd82b147b75f6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4691))
+- [Hide sensitive workhorse headers and fix route confusion between web and workhorse routes](https://gitlab.com/gitlab-org/security/gitlab/-/commit/af871eb34f21f862bce699839af69c88826a3420) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4762))
+- [Do not allow Planner role to update or delete incidents](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f5ae9423dbd353f571ffbea5a8ffe2ac77b587d6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4747))
+- [Reduce memory allocations on create PAT endpoint](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d443ded9eaed1300b888594125684db884c88e4d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4751))
+- [Prevent SSRF attacks for Workspaces](https://gitlab.com/gitlab-org/security/gitlab/-/commit/03fbdbe7b80e1028098df6bb10abc749b4f4b968) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4730))
+- [Prevent read code access when repository is disabled](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fb3eb2135770abcea4951ffe432cebb2065e7d3c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4700))
+- [Fixes XSS on the target branch in the merge request widget](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f4fd06e3450f686817104895eb6aca42af4fab11) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4736))
+- [Unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/security/gitlab/-/commit/972f392e7daa6b60ed8ff03e6651944e1d045b40) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4726))
+
 ## 17.7.3 (2025-01-22)
 
 ### Fixed (1 change)
@@ -1318,6 +1350,18 @@ entry.
 - [Finalize migration BackfillMlExperimentMetadataProjectId](https://gitlab.com/gitlab-org/gitlab/-/commit/0768d34e5d66ec56aa9104206120d2b691d3781f) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172003))
 - [Finalize migration BackfillDastSiteValidationsProjectId](https://gitlab.com/gitlab-org/gitlab/-/commit/edb777429d66afe879a5bb8d4652a610eb39eb7c) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/171199))
 
+## 17.6.5 (2025-02-11)
+
+### Security (7 changes)
+
+- [Security Duo Chat Escape Unknown Domain Hyperlinks](https://gitlab.com/gitlab-org/security/gitlab/-/commit/cdb737c04cdf611b2f6818a294b7157039adcce8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4692))
+- [Hide sensitive workhorse headers and fix route confusion between web and workhorse routes](https://gitlab.com/gitlab-org/security/gitlab/-/commit/dd5fb5b4e217868aa8602acee276883ae8e42126) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4763))
+- [Reduce memory allocations on create PAT endpoint](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d86c90fdfee1aef2eaa958ddc9e0ba379f8e221e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4752))
+- [Prevent SSRF attacks for Workspaces](https://gitlab.com/gitlab-org/security/gitlab/-/commit/16659a9efb33ec22055b927fd716f5acc80361e9) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4731))
+- [Prevent read code access when repository is disabled](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ff08db2dd2efa55e4e868591c61c144ec3febe32) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4701))
+- [Fixes XSS on the target branch in the merge request widget](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1cc0ad7a4f3f0ab44dd959a58b3ed63786037a06) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4737))
+- [Unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/security/gitlab/-/commit/26fff506ff66eedea4dc911eb1c9f4686d643650) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4727))
+
 ## 17.6.4 (2025-01-22)
 
 ### Fixed (2 changes)
diff --git a/Gemfile b/Gemfile
index 2e8d9c503a9..5e9f61b76d3 100644
--- a/Gemfile
+++ b/Gemfile
@@ -591,7 +591,7 @@ group :test do
 
   gem 'shoulda-matchers', '~> 5.1.0', require: false, feature_category: :shared
   gem 'email_spec', '~> 2.3.0', feature_category: :shared
-  gem 'webmock', '~> 3.24.0', feature_category: :shared
+  gem 'webmock', '~> 3.25.0', feature_category: :shared
   gem 'rails-controller-testing', feature_category: :shared
   gem 'concurrent-ruby', '~> 1.1', feature_category: :shared
   gem 'test-prof', '~> 1.4.0', feature_category: :tooling
diff --git a/Gemfile.checksum b/Gemfile.checksum
index b2773db6bcf..38cc00d78fa 100644
--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@@ -784,7 +784,7 @@
 {"name":"warning","version":"1.3.0","platform":"ruby","checksum":"23695a5d8e50bd5c46068931b529bee0b28e4982cbcefbe77d867800dde8069e"},
 {"name":"webauthn","version":"3.0.0","platform":"ruby","checksum":"3f77d422c2a8a4b31e56cf42f83414bd066e0506e9896936e1730262dc4a20e6"},
 {"name":"webfinger","version":"2.1.3","platform":"ruby","checksum":"567a52bde77fb38ca6b67e55db755f988766ec4651c1d24916a65aa70540695c"},
-{"name":"webmock","version":"3.24.0","platform":"ruby","checksum":"be01357f6fc773606337ca79f3ba332b7d52cbe5c27587671abc0572dbec7122"},
+{"name":"webmock","version":"3.25.0","platform":"ruby","checksum":"573c23fc4887008c830f22da588db339ca38b6d59856fd57f5a068959474198e"},
 {"name":"webrick","version":"1.8.2","platform":"ruby","checksum":"431746a349199546ff9dd272cae10849c865f938216e41c402a6489248f12f21"},
 {"name":"websocket","version":"1.2.10","platform":"ruby","checksum":"2cc1a4a79b6e63637b326b4273e46adcddf7871caa5dc5711f2ca4061a629fa8"},
 {"name":"websocket-driver","version":"0.7.6","platform":"java","checksum":"bc894b9e9d5aee55ac04b61003e1957c4ef411a5a048199587d0499785b505c3"},
diff --git a/Gemfile.lock b/Gemfile.lock
index 34a68d4deff..7327cbbf262 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1959,7 +1959,7 @@ GEM
       activesupport
       faraday (~> 2.0)
       faraday-follow_redirects
-    webmock (3.24.0)
+    webmock (3.25.0)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -2349,7 +2349,7 @@ DEPENDENCIES
   vmstat (~> 2.3.0)
   warning (~> 1.3.0)
   webauthn (~> 3.0)
-  webmock (~> 3.24.0)
+  webmock (~> 3.25.0)
   webrick (~> 1.8.1)
   wikicloth (= 0.8.1)
   yajl-ruby (~> 1.4.3)
diff --git a/Gemfile.next.checksum b/Gemfile.next.checksum
index bd2db05ae76..39be319be4d 100644
--- a/Gemfile.next.checksum
+++ b/Gemfile.next.checksum
@@ -797,7 +797,7 @@
 {"name":"warning","version":"1.3.0","platform":"ruby","checksum":"23695a5d8e50bd5c46068931b529bee0b28e4982cbcefbe77d867800dde8069e"},
 {"name":"webauthn","version":"3.0.0","platform":"ruby","checksum":"3f77d422c2a8a4b31e56cf42f83414bd066e0506e9896936e1730262dc4a20e6"},
 {"name":"webfinger","version":"2.1.3","platform":"ruby","checksum":"567a52bde77fb38ca6b67e55db755f988766ec4651c1d24916a65aa70540695c"},
-{"name":"webmock","version":"3.24.0","platform":"ruby","checksum":"be01357f6fc773606337ca79f3ba332b7d52cbe5c27587671abc0572dbec7122"},
+{"name":"webmock","version":"3.25.0","platform":"ruby","checksum":"573c23fc4887008c830f22da588db339ca38b6d59856fd57f5a068959474198e"},
 {"name":"webrick","version":"1.8.2","platform":"ruby","checksum":"431746a349199546ff9dd272cae10849c865f938216e41c402a6489248f12f21"},
 {"name":"websocket","version":"1.2.10","platform":"ruby","checksum":"2cc1a4a79b6e63637b326b4273e46adcddf7871caa5dc5711f2ca4061a629fa8"},
 {"name":"websocket-driver","version":"0.7.7","platform":"java","checksum":"e2520a6049feb88691e042d631063fa96d50620fb7f53b30180ae6fb2cf75eb1"},
diff --git a/Gemfile.next.lock b/Gemfile.next.lock
index 231f43cdaed..a332ed0cdea 100644
--- a/Gemfile.next.lock
+++ b/Gemfile.next.lock
@@ -1993,7 +1993,7 @@ GEM
       activesupport
       faraday (~> 2.0)
       faraday-follow_redirects
-    webmock (3.24.0)
+    webmock (3.25.0)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -2384,7 +2384,7 @@ DEPENDENCIES
   vmstat (~> 2.3.0)
   warning (~> 1.3.0)
   webauthn (~> 3.0)
-  webmock (~> 3.24.0)
+  webmock (~> 3.25.0)
   webrick (~> 1.8.1)
   wikicloth (= 0.8.1)
   yajl-ruby (~> 1.4.3)
diff --git a/app/assets/javascripts/repository/components/header_area/breadcrumbs.vue b/app/assets/javascripts/repository/components/header_area/breadcrumbs.vue
index 3d0fc4994d2..4b7ef9700ef 100644
--- a/app/assets/javascripts/repository/components/header_area/breadcrumbs.vue
+++ b/app/assets/javascripts/repository/components/header_area/breadcrumbs.vue
@@ -1,6 +1,6 @@
 <!-- eslint-disable vue/multi-word-component-names -->
 <script>
-import { GlDisclosureDropdown, GlModalDirective, GlLink } from '@gitlab/ui';
+import { GlBreadcrumb, GlDisclosureDropdown, GlModalDirective, GlLink } from '@gitlab/ui';
 import permissionsQuery from 'shared_queries/repository/permissions.query.graphql';
 import { joinPaths, escapeFileUrl, buildURLwithRefType } from '~/lib/utils/url_utility';
 import { BV_SHOW_MODAL } from '~/lib/utils/constants';
@@ -12,6 +12,7 @@ import UploadBlobModal from '~/repository/components/upload_blob_modal.vue';
 import NewDirectoryModal from '~/repository/components/new_directory_modal.vue';
 import ClipboardButton from '~/vue_shared/components/clipboard_button.vue';
 import featureFlagMixin from '~/vue_shared/mixins/gl_feature_flags_mixin';
+import { logError } from '~/lib/logger';
 
 const UPLOAD_BLOB_MODAL_ID = 'modal-upload-blob';
 const NEW_DIRECTORY_MODAL_ID = 'modal-new-directory';
@@ -19,6 +20,7 @@ const NEW_DIRECTORY_MODAL_ID = 'modal-new-directory';
 export default {
   components: {
     ClipboardButton,
+    GlBreadcrumb,
     GlDisclosureDropdown,
     UploadBlobModal,
     NewDirectoryModal,
@@ -40,7 +42,10 @@ export default {
       },
       update: (data) => data.project?.userPermissions,
       error(error) {
-        throw error;
+        logError(
+          `Failed to fetch user permissions. See exception details for more information.`,
+          error,
+        );
       },
     },
   },
@@ -303,8 +308,11 @@ export default {
     gfmCopyText() {
       return `\`${this.currentPath}\``;
     },
-    showCopyButton() {
-      return this.glFeatures.blobOverflowMenu && this.currentPath?.trim().length;
+    doesCurrentPathExist() {
+      return this.currentPath?.trim().length;
+    },
+    crumbs() {
+      return this.pathLinks.map(({ name, url, ...rest }) => ({ text: name, to: url, ...rest }));
     },
   },
   methods: {
@@ -317,6 +325,7 @@ export default {
 
 <template>
   <nav
+    v-if="!glFeatures.blobOverflowMenu"
     :aria-label="__('Files breadcrumb')"
     :data-current-path="currentDirectoryPath"
     class="js-repo-breadcrumbs gl-flex"
@@ -339,14 +348,6 @@ export default {
         />
       </li>
     </ol>
-    <clipboard-button
-      v-if="showCopyButton"
-      :text="currentPath"
-      :gfm="gfmCopyText"
-      :title="__('Copy file path')"
-      category="tertiary"
-      css-class="gl-mx-2"
-    />
     <upload-blob-modal
       v-if="showUploadModal"
       :modal-id="$options.uploadBlobModalId"
@@ -367,4 +368,21 @@ export default {
       :path="newDirectoryPath"
     />
   </nav>
+  <div v-else class="gl-flex gl-w-full gl-justify-between sm:gl-w-auto">
+    <gl-breadcrumb
+      :items="crumbs"
+      :data-current-path="currentDirectoryPath"
+      :aria-label="__('Files breadcrumb')"
+      size="md"
+      class="breadcrumb-item"
+    />
+    <clipboard-button
+      v-if="doesCurrentPathExist"
+      :text="currentPath"
+      :gfm="gfmCopyText"
+      :title="__('Copy file path')"
+      category="tertiary"
+      css-class="gl-mx-2"
+    />
+  </div>
 </template>
diff --git a/app/assets/javascripts/search/sidebar/components/merge_requests_filters.vue b/app/assets/javascripts/search/sidebar/components/merge_requests_filters.vue
index 850cd77404b..740c7149de4 100644
--- a/app/assets/javascripts/search/sidebar/components/merge_requests_filters.vue
+++ b/app/assets/javascripts/search/sidebar/components/merge_requests_filters.vue
@@ -25,10 +25,7 @@ export default {
     ...mapGetters(['hasMissingProjectContext']),
     ...mapState(['groupInitialJson', 'searchType']),
     shouldShowSourceBranchFilter() {
-      return (
-        this.glFeatures.searchMrFilterSourceBranch &&
-        (!this.hasMissingProjectContext || this.groupInitialJson?.id)
-      );
+      return !this.hasMissingProjectContext || this.groupInitialJson?.id;
     },
     isAdvancedSearch() {
       return this.searchType === SEARCH_TYPE_ADVANCED;
diff --git a/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline.vue b/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline.vue
index 2147178bd1d..109bf2c1de9 100644
--- a/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline.vue
+++ b/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline.vue
@@ -127,6 +127,11 @@ export default {
       type: String,
       required: true,
     },
+    isPostMerge: {
+      type: Boolean,
+      required: false,
+      default: false,
+    },
   },
   data() {
     return {
@@ -322,11 +327,13 @@ export default {
                 <template v-if="showSourceBranch">
                   {{ s__('Pipeline|on') }}
                   <tooltip-on-truncate
-                    v-safe-html="sourceBranchLink"
                     :title="sourceBranch"
                     truncate-target="child"
                     class="label-branch label-truncate ref-container"
-                  />
+                  >
+                    <template v-if="isPostMerge">{{ sourceBranchLink }}</template>
+                    <span v-else v-safe-html="sourceBranchLink"></span>
+                  </tooltip-on-truncate>
                 </template>
                 <template v-if="finishedAt">
                   <time-ago-tooltip
diff --git a/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue b/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue
index d72ac542cb0..2f34fe974d2 100644
--- a/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue
+++ b/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue
@@ -93,6 +93,7 @@ export default {
       :target-project-id="mr.targetProjectId"
       :iid="mr.iid"
       :target-project-full-path="mr.targetProjectFullPath"
+      :is-post-merge="isPostMerge"
     />
     <template #footer>
       <div v-if="mr.exposedArtifactsPath" class="js-exposed-artifacts">
diff --git a/app/assets/javascripts/vue_shared/components/tooltip_on_truncate/tooltip_on_truncate.stories.js b/app/assets/javascripts/vue_shared/components/tooltip_on_truncate/tooltip_on_truncate.stories.js
index 1e279c888a5..7aecb17d868 100644
--- a/app/assets/javascripts/vue_shared/components/tooltip_on_truncate/tooltip_on_truncate.stories.js
+++ b/app/assets/javascripts/vue_shared/components/tooltip_on_truncate/tooltip_on_truncate.stories.js
@@ -7,7 +7,7 @@ export default {
   title: 'vue_shared/tooltip_on_truncate/tooltip_on_truncate.vue',
 };
 
-const createStory = ({ ...options }) => {
+const createStory = ({ ...options } = {}) => {
   return (_, { argTypes }) => {
     const comp = {
       components: { TooltipOnTruncate },
diff --git a/app/channels/application_cable/channel.rb b/app/channels/application_cable/channel.rb
index bbd8c4111a5..27d6de8af38 100644
--- a/app/channels/application_cable/channel.rb
+++ b/app/channels/application_cable/channel.rb
@@ -6,11 +6,12 @@ module ApplicationCable
     include Gitlab::Auth::AuthFinders
 
     before_subscribe :validate_token_scope
+    periodically :validate_token_scope, every: 10.minutes
 
     def validate_token_scope
-      validate_and_save_access_token!(scopes: authorization_scopes)
+      validate_and_save_access_token!(scopes: authorization_scopes, reset_token: true)
     rescue Gitlab::Auth::AuthenticationError
-      reject
+      handle_authentication_error
     end
 
     def authorization_scopes
@@ -19,6 +20,18 @@ module ApplicationCable
 
     private
 
+    def client_subscribed?
+      !subscription_rejected? && subscription_confirmation_sent?
+    end
+
+    def handle_authentication_error
+      if client_subscribed?
+        unsubscribe_from_channel
+      else
+        reject
+      end
+    end
+
     def notification_payload(_)
       super.merge!(params: params.except(:channel))
     end
diff --git a/app/controllers/jwks_controller.rb b/app/controllers/jwks_controller.rb
index e4e00ecfb79..d7cbde65b3a 100644
--- a/app/controllers/jwks_controller.rb
+++ b/app/controllers/jwks_controller.rb
@@ -12,13 +12,22 @@ class JwksController < Doorkeeper::OpenidConnect::DiscoveryController
   def payload
     [
       Rails.application.credentials.openid_connect_signing_key,
-      Gitlab::CurrentSettings.ci_jwt_signing_key
-    ].compact.map do |key_data|
-      OpenSSL::PKey::RSA.new(key_data)
+      Gitlab::CurrentSettings.ci_jwt_signing_key,
+      cloud_connector_keys
+    ].flatten.compact.map { |key_data| pem_to_jwk(key_data) }.uniq
+  end
+
+  def cloud_connector_keys
+    return unless Gitlab.ee?
+
+    CloudConnector::Keys.all_as_pem
+  end
+
+  def pem_to_jwk(key_data)
+    OpenSSL::PKey::RSA.new(key_data)
         .public_key
         .to_jwk
         .slice(:kty, :kid, :e, :n)
         .merge(use: 'sig', alg: 'RS256')
-    end
   end
 end
diff --git a/app/controllers/user_settings/personal_access_tokens_controller.rb b/app/controllers/user_settings/personal_access_tokens_controller.rb
index 55579bc2d8c..d8f0975145c 100644
--- a/app/controllers/user_settings/personal_access_tokens_controller.rb
+++ b/app/controllers/user_settings/personal_access_tokens_controller.rb
@@ -15,7 +15,21 @@ module UserSettings
 
     def index
       set_index_vars
-      scopes = params[:scopes].split(',').map(&:squish).select(&:present?).map(&:to_sym) unless params[:scopes].nil?
+
+      unless params[:scopes].nil?
+        scopes = []
+        # An over engineered solution to generate scopes array without extra object allocations
+        params[:scopes].split(",", Gitlab::Auth.all_available_scopes.count + 1) do |scope|
+          scope = scope.squish
+          next if scope.empty?
+
+          scope = scope.to_sym
+          next if Gitlab::Auth.all_available_scopes.exclude?(scope)
+
+          scopes << scope
+        end
+      end
+
       @personal_access_token = finder.build(
         name: params[:name],
         description: params[:description],
diff --git a/app/finders/keys_finder.rb b/app/finders/keys_finder.rb
index bac7f5d81e1..84f9d94f9c1 100644
--- a/app/finders/keys_finder.rb
+++ b/app/finders/keys_finder.rb
@@ -48,28 +48,28 @@ class KeysFinder
     keys.for_user(params[:users])
   end
 
-  def by_created_before(tokens)
-    return tokens unless params[:created_before]
+  def by_created_before(keys)
+    return keys unless params[:created_before]
 
-    tokens.created_before(params[:created_before])
+    keys.created_before(params[:created_before])
   end
 
-  def by_created_after(tokens)
-    return tokens unless params[:created_after]
+  def by_created_after(keys)
+    return keys unless params[:created_after]
 
-    tokens.created_after(params[:created_after])
+    keys.created_after(params[:created_after])
   end
 
-  def by_expires_before(tokens)
-    return tokens unless params[:expires_before]
+  def by_expires_before(keys)
+    return keys unless params[:expires_before]
 
-    tokens.expires_before(params[:expires_before])
+    keys.expires_before(params[:expires_before])
   end
 
-  def by_expires_after(tokens)
-    return tokens unless params[:expires_after]
+  def by_expires_after(keys)
+    return keys unless params[:expires_after]
 
-    tokens.expires_after(params[:expires_after])
+    keys.expires_after(params[:expires_after])
   end
 
   def by_fingerprint(keys)
diff --git a/app/graphql/types/user_interface.rb b/app/graphql/types/user_interface.rb
index ee2e1a79027..712c9be3bac 100644
--- a/app/graphql/types/user_interface.rb
+++ b/app/graphql/types/user_interface.rb
@@ -16,9 +16,9 @@ module Types
       method: :itself
 
     field :id,
-      type: GraphQL::Types::ID,
+      type: Types::GlobalIDType[::User],
       null: false,
-      description: 'ID of the user.'
+      description: 'Global ID of the user.'
     field :bot,
       type: GraphQL::Types::Boolean,
       null: false,
diff --git a/app/models/ci/job_token/allowlist_migration_task.rb b/app/models/ci/job_token/allowlist_migration_task.rb
new file mode 100644
index 00000000000..76bfb83a3a1
--- /dev/null
+++ b/app/models/ci/job_token/allowlist_migration_task.rb
@@ -0,0 +1,130 @@
+# frozen_string_literal: true
+
+module Ci
+  module JobToken
+    class AllowlistMigrationTask
+      include Gitlab::Utils::StrongMemoize
+
+      attr_reader :only_ids, :exclude_ids
+
+      INPUT_ID_LIMIT = 1000
+
+      def initialize(only_ids: nil, exclude_ids: nil, preview: nil, user: nil, output_stream: $stdout)
+        @only_ids = parse_project_ids(only_ids)
+        @exclude_ids = parse_project_ids(exclude_ids)
+        @preview = !preview.blank?
+        @user = user
+        @output_stream = output_stream
+      end
+
+      def execute
+        if valid_configuration?
+          @output_stream.puts preview_banner if preview_mode?
+          @output_stream.puts start_message
+
+          migrate!
+
+          @output_stream.puts finish_message
+        else
+          @output_stream.puts configuration_error_banner
+        end
+      end
+
+      private
+
+      def migrate!
+        if @only_ids.present?
+          migrate_batch(@only_ids)
+        else
+          ProjectCiCdSetting.each_batch do |batch|
+            batch = batch.where(inbound_job_token_scope_enabled: false)
+
+            project_ids = batch.pluck(:project_id) - @exclude_ids # rubocop: disable Database/AvoidUsingPluckWithoutLimit -- pluck limited to batch size
+            migrate_batch(project_ids)
+          end
+        end
+      end
+
+      def migrate_batch(project_ids)
+        Project.where(id: project_ids).preload(:ci_cd_settings).find_each do |project|
+          @output_stream.puts migrate_project(project)
+        end
+      end
+
+      def migrate_project(project)
+        if preview_mode?
+          "Would have migrated project id: #{project.id}."
+        else
+          perform_migration!(project)
+          "Migrated project id: #{project.id}."
+        end
+      rescue StandardError => error
+        "Error migrating project id: #{project.id}, error: #{error.message}"
+      end
+
+      def perform_migration!(project)
+        service = ::Ci::JobToken::AutopopulateAllowlistService.new(project, @user) # rubocop:disable CodeReuse/ServiceClass -- This class is not an ActiveRecord model
+        service.unsafe_execute!
+      end
+
+      def valid_configuration?
+        (@only_ids.empty? || @exclude_ids.empty?) &&
+          @only_ids.size <= INPUT_ID_LIMIT &&
+          @exclude_ids.size <= INPUT_ID_LIMIT
+      end
+
+      def preview_mode?
+        @preview
+      end
+
+      def start_message
+        if preview_mode?
+          "\nMigrating project(s) in preview mode...\n\n"
+        else
+          "\nMigrating project(s)...\n\n"
+        end
+      end
+
+      def finish_message
+        if preview_mode?
+          "\nMigration complete in preview mode.\n\n"
+        else
+          "\nMigration complete.\n\n"
+        end
+      end
+
+      def preview_banner
+        banner("PREVIEW MODE ENABLED")
+      end
+
+      def configuration_error_banner
+        error = if @only_ids.size > INPUT_ID_LIMIT || @exclude_ids.size > INPUT_ID_LIMIT
+                  "must contain less than #{INPUT_ID_LIMIT} items"
+                else
+                  "cannot both be set"
+                end
+
+        banner("ERROR: ONLY_PROJECT_IDS and EXCLUDE_PROJECT_IDS #{error}, try again.")
+      end
+
+      def parse_project_ids(ids_string)
+        return [] if ids_string.blank?
+
+        ids_string.split(',')
+          .map(&:strip)
+          .map(&:to_i)
+          .uniq
+      end
+
+      def banner(message)
+        output = []
+        output << "##########"
+        output << "#"
+        output << "# #{message}"
+        output << "#"
+        output << "##########"
+        output.join("\n")
+      end
+    end
+  end
+end
diff --git a/app/models/ci/job_token/authorizations_compactor.rb b/app/models/ci/job_token/authorizations_compactor.rb
index 49e7a8ade2f..79a2220b8c6 100644
--- a/app/models/ci/job_token/authorizations_compactor.rb
+++ b/app/models/ci/job_token/authorizations_compactor.rb
@@ -7,11 +7,10 @@ module Ci
 
       attr_reader :allowlist_groups, :allowlist_projects
 
-      UnexpectedCompactionEntry = Class.new(StandardError)
-      RedundantCompactionEntry = Class.new(StandardError)
+      Error = Class.new(StandardError)
 
-      def initialize(project_id)
-        @project_id = project_id
+      def initialize(project)
+        @project = project
         @allowlist_groups = []
         @allowlist_projects = []
       end
@@ -23,7 +22,7 @@ module Ci
 
           # Collecting id batches to avoid cross-database transactions.
           Ci::JobToken::Authorization.where(
-            accessed_project_id: @project_id
+            accessed_project_id: @project.id
           ).each_batch(column: :origin_project_id) do |batch|
             origin_project_id_batches << batch.pluck(:origin_project_id) # rubocop:disable Database/AvoidUsingPluckWithoutLimit -- pluck limited by batch size
           end
@@ -55,6 +54,12 @@ module Ci
             @allowlist_groups << namespace
           end
         end
+
+      rescue Gitlab::Utils::TraversalIdCompactor::CompactionLimitCannotBeAchievedError,
+        Gitlab::Utils::TraversalIdCompactor::RedundantCompactionEntry,
+        Gitlab::Utils::TraversalIdCompactor::UnexpectedCompactionEntry => error
+
+        raise Error, error.class.name.demodulize
       end
 
       def path_already_allowlisted?(namespace_path)
@@ -65,7 +70,7 @@ module Ci
       end
 
       def existing_links_traversal_ids
-        allowlist = Ci::JobToken::Allowlist.new(Project.find(@project_id))
+        allowlist = Ci::JobToken::Allowlist.new(@project)
         allowlist.group_link_traversal_ids + allowlist.project_link_traversal_ids
       end
       strong_memoize_attr :existing_links_traversal_ids
diff --git a/app/models/ci/runner.rb b/app/models/ci/runner.rb
index d2da0672bb8..86ed2b0887d 100644
--- a/app/models/ci/runner.rb
+++ b/app/models/ci/runner.rb
@@ -331,14 +331,6 @@ module Ci
       end
     end
 
-    # TODO: Remove once https://gitlab.com/gitlab-org/gitlab/-/issues/516929 is closed.
-    def self.sharded_table_proxy_model
-      @sharded_table_proxy_class ||= Class.new(self) do
-        self.table_name = :ci_runners_e59bb2812d
-        self.primary_key = :id
-      end
-    end
-
     def self.taggings_join_model
       ::Ci::RunnerTagging
     end
@@ -445,14 +437,6 @@ module Ci
       tag_list.any?
     end
 
-    # TODO: Remove once https://gitlab.com/gitlab-org/gitlab/-/issues/516929 is closed.
-    def ensure_partitioned_runner_record_exists
-      self.class.sharded_table_proxy_model.insert_all(
-        [attributes.except('tag_list')], unique_by: [:id, :runner_type],
-        returning: false, record_timestamps: false
-      )
-    end
-
     def predefined_variables
       Gitlab::Ci::Variables::Collection.new
         .append(key: 'CI_RUNNER_ID', value: id.to_s)
@@ -539,10 +523,6 @@ module Ci
     def ensure_manager(system_xid)
       # rubocop: disable Performance/ActiveRecordSubtransactionMethods -- This is used only in API endpoints outside of transactions
       RunnerManager.safe_find_or_create_by!(runner_id: id, system_xid: system_xid.to_s) do |m|
-        # Avoid inserting partitioned runner managers that refer to a missing ci_runners partitioned record, since
-        # the backfill is not yet finalized.
-        ensure_partitioned_runner_record_exists if Feature.disabled?(:reject_orphaned_runners, Feature.current_request)
-
         m.runner_type = runner_type
         m.sharding_key_id = sharding_key_id
       end
@@ -633,7 +613,7 @@ module Ci
     end
 
     def any_project
-      errors.add(:runner, 'needs to be assigned to at least one project') unless runner_projects.any?
+      errors.add(:runner, 'needs to be assigned to at least one project') if runner_projects.empty?
     end
 
     def exactly_one_group
diff --git a/app/models/ci/runner_tagging.rb b/app/models/ci/runner_tagging.rb
index 2486b0eae12..09be73c6c28 100644
--- a/app/models/ci/runner_tagging.rb
+++ b/app/models/ci/runner_tagging.rb
@@ -19,7 +19,7 @@ module Ci
     belongs_to :tag, class_name: 'Ci::Tag', optional: false
 
     validates :runner_type, presence: true
-    validates :sharding_key_id, presence: true
+    validate :check_sharding_key_id
 
     scope :scoped_runners, -> do
       where(arel_table[:runner_id].eq(Ci::Runner.arel_table[Ci::Runner.primary_key]))
@@ -32,5 +32,17 @@ module Ci
     def set_runner_type
       self.runner_type = runner.runner_type
     end
+
+    def check_sharding_key_id
+      if runner_type == 'instance_type'
+        return if sharding_key_id.nil?
+
+        errors.add(:sharding_key_id, 'instance_type runners must not have a sharding_key_id')
+      else
+        return if sharding_key_id.present?
+
+        errors.add(:sharding_key_id, 'non-instance_type runners must have a sharding_key_id')
+      end
+    end
   end
 end
diff --git a/app/models/concerns/integrations/base/pivotaltracker.rb b/app/models/concerns/integrations/base/pivotaltracker.rb
new file mode 100644
index 00000000000..85dc61e4d4e
--- /dev/null
+++ b/app/models/concerns/integrations/base/pivotaltracker.rb
@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+module Integrations
+  module Base
+    module Pivotaltracker
+      extend ActiveSupport::Concern
+
+      API_ENDPOINT = 'https://www.pivotaltracker.com/services/v5/source_commits'
+
+      class_methods do
+        def title
+          'Pivotal Tracker'
+        end
+
+        def description
+          s_('PivotalTrackerService|Add commit messages as comments to Pivotal Tracker stories.')
+        end
+
+        def help
+          build_help_page_url(
+            'user/project/integrations/pivotal_tracker.md',
+            s_("Add commit messages as comments to Pivotal Tracker stories.")
+          )
+        end
+
+        def to_param
+          'pivotaltracker'
+        end
+
+        def supported_events
+          %w[push]
+        end
+      end
+
+      included do
+        validates :token, presence: true, if: :activated?
+
+        field :token,
+          type: :password,
+          help: -> do
+            s_('PivotalTrackerService|Pivotal Tracker API token. User must have access to the story. ' \
+              'All comments are attributed to this user.')
+          end,
+          description: -> { _('The Pivotal Tracker token.') },
+          non_empty_password_title: -> { s_('ProjectService|Enter new token') },
+          non_empty_password_help: -> { s_('ProjectService|Leave blank to use your current token.') },
+          required: true
+
+        field :restrict_to_branch,
+          title: -> { s_('Integrations|Restrict to branch (optional)') },
+          help: -> do
+            s_('PivotalTrackerService|Comma-separated list of branches to ' \
+              'automatically inspect. Leave blank to include all branches.')
+          end
+
+        def execute(data)
+          return unless supported_events.include?(data[:object_kind])
+          return unless allowed_branch?(data[:ref])
+
+          data[:commits].each do |commit|
+            message = {
+              'source_commit' => {
+                'commit_id' => commit[:id],
+                'author' => commit[:author][:name],
+                'url' => commit[:url],
+                'message' => commit[:message]
+              }
+            }
+            Gitlab::HTTP.post(
+              API_ENDPOINT,
+              body: Gitlab::Json.dump(message),
+              headers: {
+                'Content-Type' => 'application/json',
+                'X-TrackerToken' => token
+              }
+            )
+          end
+        end
+
+        def avatar_url
+          ActionController::Base
+            .helpers
+            .image_path('illustrations/third-party-logos/integrations-logos/pivotal-tracker.svg')
+        end
+
+        private
+
+        def allowed_branch?(ref)
+          return true unless ref.present? && restrict_to_branch.present?
+
+          branch = Gitlab::Git.ref_name(ref)
+          allowed_branches = restrict_to_branch.split(',').map(&:strip)
+
+          branch.present? && allowed_branches.include?(branch)
+        end
+      end
+    end
+  end
+end
diff --git a/app/models/integrations/instance/pivotaltracker.rb b/app/models/integrations/instance/pivotaltracker.rb
index 0728fbd9d8f..8a23a048946 100644
--- a/app/models/integrations/instance/pivotaltracker.rb
+++ b/app/models/integrations/instance/pivotaltracker.rb
@@ -3,7 +3,7 @@
 module Integrations
   module Instance
     class Pivotaltracker < Integration
-      # To be updated as part of https://gitlab.com/gitlab-org/gitlab/-/issues/474809
+      include Integrations::Base::Pivotaltracker
     end
   end
 end
diff --git a/app/models/integrations/pivotaltracker.rb b/app/models/integrations/pivotaltracker.rb
index 365a1534cfd..cd6970fcdf8 100644
--- a/app/models/integrations/pivotaltracker.rb
+++ b/app/models/integrations/pivotaltracker.rb
@@ -2,84 +2,6 @@
 
 module Integrations
   class Pivotaltracker < Integration
-    API_ENDPOINT = 'https://www.pivotaltracker.com/services/v5/source_commits'
-
-    validates :token, presence: true, if: :activated?
-
-    field :token,
-      type: :password,
-      help: -> { s_('PivotalTrackerService|Pivotal Tracker API token. User must have access to the story. All comments are attributed to this user.') },
-      description: -> { _('The Pivotal Tracker token.') },
-      non_empty_password_title: -> { s_('ProjectService|Enter new token') },
-      non_empty_password_help: -> { s_('ProjectService|Leave blank to use your current token.') },
-      required: true
-
-    field :restrict_to_branch,
-      title: -> { s_('Integrations|Restrict to branch (optional)') },
-      help: -> do
-        s_('PivotalTrackerService|Comma-separated list of branches to ' \
-        'automatically inspect. Leave blank to include all branches.')
-      end
-
-    def self.title
-      'Pivotal Tracker'
-    end
-
-    def self.description
-      s_('PivotalTrackerService|Add commit messages as comments to Pivotal Tracker stories.')
-    end
-
-    def self.help
-      build_help_page_url(
-        'user/project/integrations/pivotal_tracker.md', s_("Add commit messages as comments to Pivotal Tracker stories.")
-      )
-    end
-
-    def self.to_param
-      'pivotaltracker'
-    end
-
-    def self.supported_events
-      %w[push]
-    end
-
-    def execute(data)
-      return unless supported_events.include?(data[:object_kind])
-      return unless allowed_branch?(data[:ref])
-
-      data[:commits].each do |commit|
-        message = {
-          'source_commit' => {
-            'commit_id' => commit[:id],
-            'author' => commit[:author][:name],
-            'url' => commit[:url],
-            'message' => commit[:message]
-          }
-        }
-        Gitlab::HTTP.post(
-          API_ENDPOINT,
-          body: Gitlab::Json.dump(message),
-          headers: {
-            'Content-Type' => 'application/json',
-            'X-TrackerToken' => token
-          }
-        )
-      end
-    end
-
-    def avatar_url
-      ActionController::Base.helpers.image_path('illustrations/third-party-logos/integrations-logos/pivotal-tracker.svg')
-    end
-
-    private
-
-    def allowed_branch?(ref)
-      return true unless ref.present? && restrict_to_branch.present?
-
-      branch = Gitlab::Git.ref_name(ref)
-      allowed_branches = restrict_to_branch.split(',').map(&:strip)
-
-      branch.present? && allowed_branches.include?(branch)
-    end
+    include Integrations::Base::Pivotaltracker
   end
 end
diff --git a/app/models/project_ci_cd_setting.rb b/app/models/project_ci_cd_setting.rb
index 1ae6a218ea1..dddc9fd987f 100644
--- a/app/models/project_ci_cd_setting.rb
+++ b/app/models/project_ci_cd_setting.rb
@@ -2,6 +2,7 @@
 
 class ProjectCiCdSetting < ApplicationRecord
   include ChronicDurationAttribute
+  include EachBatch
 
   belongs_to :project, inverse_of: :ci_cd_settings
 
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index dc691858be0..0445041e129 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -159,6 +159,15 @@ class IssuePolicy < IssuablePolicy
     enable :clone_issue
   end
 
+  rule { is_incident & ~can?(:reporter_access) }.policy do
+    prevent :admin_issue
+    prevent :update_issue
+  end
+
+  rule { is_incident & ~can?(:owner_access) }.policy do
+    prevent :destroy_issue
+  end
+
   # IMPORTANT: keep the prevent rules as last rules defined in the policy, as these are based on
   # all abilities defined up to this point.
   rule { group_issue & ~group_level_issues_license_available }.policy do
diff --git a/app/policies/work_item_policy.rb b/app/policies/work_item_policy.rb
index 0e6ca011875..e048ef5404a 100644
--- a/app/policies/work_item_policy.rb
+++ b/app/policies/work_item_policy.rb
@@ -32,6 +32,15 @@ class WorkItemPolicy < IssuePolicy
     enable :clone_work_item
   end
 
+  rule { is_incident & ~can?(:reporter_access) }.policy do
+    prevent :update_work_item
+    prevent :admin_work_item
+  end
+
+  rule { is_incident & ~can?(:owner_access) }.policy do
+    prevent :delete_work_item
+  end
+
   # IMPORTANT: keep the prevent rules as last rules defined in the policy, as these are based on
   # all abilities defined up to this point.
   rule { group_issue & ~group_level_issues_license_available }.policy do
diff --git a/app/serializers/issuable_sidebar_basic_entity.rb b/app/serializers/issuable_sidebar_basic_entity.rb
index 192a3c41295..2eda6ec183c 100644
--- a/app/serializers/issuable_sidebar_basic_entity.rb
+++ b/app/serializers/issuable_sidebar_basic_entity.rb
@@ -28,7 +28,9 @@ class IssuableSidebarBasicEntity < Grape::Entity
     end
 
     expose :can_edit do |issuable|
-      can?(current_user, :"admin_#{issuable.to_ability_name}", issuable.project)
+      subject = issuable.try(:incident_type_issue?) ? issuable : issuable.project
+
+      can?(current_user, :"admin_#{issuable.to_ability_name}", subject)
     end
 
     expose :can_move do |issuable|
diff --git a/app/services/ci/job_token/autopopulate_allowlist_service.rb b/app/services/ci/job_token/autopopulate_allowlist_service.rb
index d23a8b95a48..db4b0c6cec1 100644
--- a/app/services/ci/job_token/autopopulate_allowlist_service.rb
+++ b/app/services/ci/job_token/autopopulate_allowlist_service.rb
@@ -13,32 +13,34 @@ module Ci
         @user = user
       end
 
-      def execute
-        raise Gitlab::Access::AccessDeniedError unless authorized?
-
+      def unsafe_execute!
         allowlist = Ci::JobToken::Allowlist.new(@project)
         groups = compactor.allowlist_groups
         projects = compactor.allowlist_projects
 
         ApplicationRecord.transaction do
-          allowlist.bulk_add_groups!(groups, user: @user, autopopulated: true)
-          allowlist.bulk_add_projects!(projects, user: @user, autopopulated: true)
+          allowlist.bulk_add_groups!(groups, user: @user, autopopulated: true) if groups.any?
+          allowlist.bulk_add_projects!(projects, user: @user, autopopulated: true) if projects.any?
         end
 
+        enable_enforcement!
+
         ServiceResponse.success
-      rescue Gitlab::Utils::TraversalIdCompactor::CompactionLimitCannotBeAchievedError,
-        Gitlab::Utils::TraversalIdCompactor::RedundantCompactionEntry,
-        Gitlab::Utils::TraversalIdCompactor::UnexpectedCompactionEntry,
-        Ci::JobToken::AuthorizationsCompactor::UnexpectedCompactionEntry,
-        Ci::JobToken::AuthorizationsCompactor::RedundantCompactionEntry => e
+      rescue Ci::JobToken::AuthorizationsCompactor::Error => e
         Gitlab::ErrorTracking.log_exception(e, { project_id: @project.id, user_id: @user.id })
         ServiceResponse.error(message: e.message)
       end
 
+      def execute
+        raise Gitlab::Access::AccessDeniedError unless authorized?
+
+        unsafe_execute!
+      end
+
       private
 
       def compactor
-        Ci::JobToken::AuthorizationsCompactor.new(@project.id).tap do |compactor|
+        Ci::JobToken::AuthorizationsCompactor.new(@project).tap do |compactor|
           compactor.compact(COMPACTION_LIMIT)
         end
       end
@@ -47,6 +49,10 @@ module Ci
       def authorized?
         @user.can?(:admin_project, @project)
       end
+
+      def enable_enforcement!
+        @project.ci_cd_settings.update!(inbound_job_token_scope_enabled: true)
+      end
     end
   end
 end
diff --git a/app/services/import/source_users/generate_csv_service.rb b/app/services/import/source_users/generate_csv_service.rb
index 62d182bdf93..b16ecbe524f 100644
--- a/app/services/import/source_users/generate_csv_service.rb
+++ b/app/services/import/source_users/generate_csv_service.rb
@@ -32,6 +32,7 @@ module Import
         # We use :owner_access here because it's shared between GroupPolicy and
         # NamespacePolicy.
         return error_invalid_permissions unless current_user.can?(:owner_access, namespace)
+        return error_no_source_users if import_source_users.empty?
 
         ServiceResponse.success(payload: csv_data)
       end
@@ -55,6 +56,13 @@ module Import
           reason: :forbidden
         )
       end
+
+      def error_no_source_users
+        ServiceResponse.error(
+          message: s_('No placeholder users are awaiting reassignment.'),
+          reason: :no_source_users
+        )
+      end
     end
   end
 end
diff --git a/app/services/incident_management/link_alerts/base_service.rb b/app/services/incident_management/link_alerts/base_service.rb
index 474a63ab528..c452bb308ee 100644
--- a/app/services/incident_management/link_alerts/base_service.rb
+++ b/app/services/incident_management/link_alerts/base_service.rb
@@ -8,7 +8,7 @@ module IncidentManagement
       attr_reader :incident
 
       def allowed?
-        current_user&.can?(:admin_issue, project)
+        current_user&.can?(:admin_issue, incident)
       end
 
       def success
diff --git a/app/validators/json_schema_validator.rb b/app/validators/json_schema_validator.rb
index bbaadecb806..52780671ad6 100644
--- a/app/validators/json_schema_validator.rb
+++ b/app/validators/json_schema_validator.rb
@@ -29,7 +29,7 @@ class JsonSchemaValidator < ActiveModel::EachValidator
     value = Gitlab::Json.parse(value.to_s) if options[:parse_json] == true && !value.nil?
 
     if options[:detail_errors]
-      validator.validate(value).each do |error|
+      schema.validate(value).each do |error|
         message = format_error_message(error)
         record.errors.add(attribute, message)
       end
@@ -38,6 +38,10 @@ class JsonSchemaValidator < ActiveModel::EachValidator
     end
   end
 
+  def schema
+    @schema ||= JSONSchemer.schema(Pathname.new(schema_path))
+  end
+
   private
 
   attr_reader :base_directory
@@ -69,11 +73,7 @@ class JsonSchemaValidator < ActiveModel::EachValidator
   end
 
   def valid_schema?(value)
-    validator.valid?(value)
-  end
-
-  def validator
-    @validator ||= JSONSchemer.schema(Pathname.new(schema_path))
+    schema.valid?(value)
   end
 
   def schema_path
diff --git a/app/views/projects/runners/_runner.html.haml b/app/views/projects/runners/_runner.html.haml
index 139c764d063..9696a6196b8 100644
--- a/app/views/projects/runners/_runner.html.haml
+++ b/app/views/projects/runners/_runner.html.haml
@@ -21,7 +21,7 @@
           - if runner.belongs_to_one_project?
             = link_button_to _('Remove runner'), project_runner_path(@project, runner), aria: { label: _('Remove') }, data: { confirm: _("Are you sure?"), 'confirm-btn-variant': 'danger' }, method: :delete, variant: :danger
           - else
-            - runner_project = @project.runner_projects.find_by(runner_id: runner) # rubocop: disable CodeReuse/ActiveRecord
+            - runner_project = @project.runner_projects.find_by_runner_id(runner)
             = link_button_to _('Disable for this project'), project_runner_project_path(@project, runner_project), aria: { label: _('Disable') }, data: { confirm: _("Are you sure?"), 'confirm-btn-variant': 'danger' }, method: :delete, variant: :danger
         - elsif runner.project_type?
           = form_for [@project, @project.runner_projects.new] do |f|
diff --git a/app/views/snippets/_snippets_scope_menu.html.haml b/app/views/snippets/_snippets_scope_menu.html.haml
index 4745b3b888f..fa75ee80650 100644
--- a/app/views/snippets/_snippets_scope_menu.html.haml
+++ b/app/views/snippets/_snippets_scope_menu.html.haml
@@ -2,7 +2,7 @@
 - include_private = local_assigns.fetch(:include_private, false)
 - params[:scope] ||= []
 
-= gl_tabs_nav({ class: 'js-snippets-nav-tabs gl-border-b-0 gl-overflow-x-auto gl-grow gl-flex-nowrap' }) do
+= gl_tabs_nav({ class: 'js-snippets-nav-tabs gl-border-b-0 gl-grow gl-flex-nowrap' }) do
   = gl_tab_link_to subject_snippets_path(subject), { item_active: params[:scope].empty? } do
     = _('All')
     = gl_tab_counter_badge(include_private ? counts[:total] : counts[:are_public_or_internal])
diff --git a/config/feature_flags/gitlab_com_derisk/reject_orphaned_runners.yml b/config/feature_flags/gitlab_com_derisk/reject_orphaned_runners.yml
deleted file mode 100644
index 1a4b4c60194..00000000000
--- a/config/feature_flags/gitlab_com_derisk/reject_orphaned_runners.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-name: reject_orphaned_runners
-feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/516862
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180163
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/516929
-milestone: '17.9'
-group: group::runner
-type: gitlab_com_derisk
-default_enabled: false
diff --git a/db/post_migrate/20240902014331_sync_fk_referencing_p_ci_pipelines.rb b/db/post_migrate/20240902014331_sync_fk_referencing_p_ci_pipelines.rb
index 06901ae8dc0..586391183ff 100644
--- a/db/post_migrate/20240902014331_sync_fk_referencing_p_ci_pipelines.rb
+++ b/db/post_migrate/20240902014331_sync_fk_referencing_p_ci_pipelines.rb
@@ -99,6 +99,8 @@ class SyncFkReferencingPCiPipelines < Gitlab::Database::Migration[2.2]
 
   def up
     FOREIGN_KEYS.each do |options|
+      next unless foreign_key_exists?(options[:source_table], name: options[:name])
+
       with_lock_retries do
         validate_foreign_key(options[:source_table], options[:column], name: options[:name])
       end
@@ -106,6 +108,9 @@ class SyncFkReferencingPCiPipelines < Gitlab::Database::Migration[2.2]
     end
 
     P_FOREIGN_KEYS.each do |options|
+      new_name = options[:name].to_s.gsub('_tmp', '')
+      next if foreign_key_exists?(options[:source_table], NEW_REFERENCING_TABLE, name: new_name)
+
       add_concurrent_partitioned_foreign_key(
         options[:source_table], NEW_REFERENCING_TABLE,
         **with_defaults(options, validate: true)
diff --git a/doc/administration/monitoring/prometheus/gitlab_metrics.md b/doc/administration/monitoring/prometheus/gitlab_metrics.md
index 9de7f9e43a0..c4c7f8e777c 100644
--- a/doc/administration/monitoring/prometheus/gitlab_metrics.md
+++ b/doc/administration/monitoring/prometheus/gitlab_metrics.md
@@ -197,6 +197,7 @@ The following metrics are available:
 | `gitlab_rack_attack_throttle_limit` | Gauge | 17.6 | Reports the maximum number of requests that a client can make before Rack Attack throttles them. | `event_name` |
 | `gitlab_rack_attack_throttle_period_seconds` | Gauge | 17.6 | Reports the duration over which requests for a client are counted before Rack Attack throttles them. | `event_name` |
 | `gitlab_application_rate_limiter_throttle_utilization_ratio` | Histogram | 17.6 | Utilization ratio of a throttle in GitLab Application Rate Limiter. | `throttle_key`, `peek`, `feature_category` |
+| `search_zoekt_task_processing_queue_size` | Gauge | 17.9 | Number of tasks waiting to be processed by Zoekt. | |
 
 ## Metrics controlled by a feature flag
 
diff --git a/doc/api/graphql/reference/_index.md b/doc/api/graphql/reference/_index.md
index 05dfcf626c1..5de767a1a01 100644
--- a/doc/api/graphql/reference/_index.md
+++ b/doc/api/graphql/reference/_index.md
@@ -19202,7 +19202,7 @@ A user with add-on data.
 | <a id="addonusergroupcount"></a>`groupCount` | [`Int`](#int) | Group count for the user. |
 | <a id="addonusergroupmemberships"></a>`groupMemberships` | [`GroupMemberConnection`](#groupmemberconnection) | Group memberships of the user. (see [Connections](#connections)) |
 | <a id="addonuserhuman"></a>`human` | [`Boolean`](#boolean) | Indicates if the user is a regular user. |
-| <a id="addonuserid"></a>`id` | [`ID!`](#id) | ID of the user. |
+| <a id="addonuserid"></a>`id` | [`UserID!`](#userid) | Global ID of the user. |
 | <a id="addonuseride"></a>`ide` | [`Ide`](#ide) | IDE settings. |
 | <a id="addonuserjobtitle"></a>`jobTitle` | [`String`](#string) | Job title of the user. |
 | <a id="addonuserlastactivityon"></a>`lastActivityOn` | [`Date`](#date) | Date the user last performed any actions. |
@@ -20234,7 +20234,7 @@ Core representation of a GitLab user.
 | <a id="autocompletedusergroupcount"></a>`groupCount` | [`Int`](#int) | Group count for the user. |
 | <a id="autocompletedusergroupmemberships"></a>`groupMemberships` | [`GroupMemberConnection`](#groupmemberconnection) | Group memberships of the user. (see [Connections](#connections)) |
 | <a id="autocompleteduserhuman"></a>`human` | [`Boolean`](#boolean) | Indicates if the user is a regular user. |
-| <a id="autocompleteduserid"></a>`id` | [`ID!`](#id) | ID of the user. |
+| <a id="autocompleteduserid"></a>`id` | [`UserID!`](#userid) | Global ID of the user. |
 | <a id="autocompleteduseride"></a>`ide` | [`Ide`](#ide) | IDE settings. |
 | <a id="autocompleteduserjobtitle"></a>`jobTitle` | [`String`](#string) | Job title of the user. |
 | <a id="autocompleteduserlastactivityon"></a>`lastActivityOn` | [`Date`](#date) | Date the user last performed any actions. |
@@ -22914,7 +22914,7 @@ The currently authenticated GitLab user.
 | <a id="currentusergroupcount"></a>`groupCount` | [`Int`](#int) | Group count for the user. |
 | <a id="currentusergroupmemberships"></a>`groupMemberships` | [`GroupMemberConnection`](#groupmemberconnection) | Group memberships of the user. (see [Connections](#connections)) |
 | <a id="currentuserhuman"></a>`human` | [`Boolean`](#boolean) | Indicates if the user is a regular user. |
-| <a id="currentuserid"></a>`id` | [`ID!`](#id) | ID of the user. |
+| <a id="currentuserid"></a>`id` | [`UserID!`](#userid) | Global ID of the user. |
 | <a id="currentuseride"></a>`ide` | [`Ide`](#ide) | IDE settings. |
 | <a id="currentuserjobtitle"></a>`jobTitle` | [`String`](#string) | Job title of the user. |
 | <a id="currentuserlastactivityon"></a>`lastActivityOn` | [`Date`](#date) | Date the user last performed any actions. |
@@ -29085,7 +29085,7 @@ A user assigned to a merge request.
 | <a id="mergerequestassigneegroupcount"></a>`groupCount` | [`Int`](#int) | Group count for the user. |
 | <a id="mergerequestassigneegroupmemberships"></a>`groupMemberships` | [`GroupMemberConnection`](#groupmemberconnection) | Group memberships of the user. (see [Connections](#connections)) |
 | <a id="mergerequestassigneehuman"></a>`human` | [`Boolean`](#boolean) | Indicates if the user is a regular user. |
-| <a id="mergerequestassigneeid"></a>`id` | [`ID!`](#id) | ID of the user. |
+| <a id="mergerequestassigneeid"></a>`id` | [`UserID!`](#userid) | Global ID of the user. |
 | <a id="mergerequestassigneeide"></a>`ide` | [`Ide`](#ide) | IDE settings. |
 | <a id="mergerequestassigneejobtitle"></a>`jobTitle` | [`String`](#string) | Job title of the user. |
 | <a id="mergerequestassigneelastactivityon"></a>`lastActivityOn` | [`Date`](#date) | Date the user last performed any actions. |
@@ -29495,7 +29495,7 @@ The author of the merge request.
 | <a id="mergerequestauthorgroupcount"></a>`groupCount` | [`Int`](#int) | Group count for the user. |
 | <a id="mergerequestauthorgroupmemberships"></a>`groupMemberships` | [`GroupMemberConnection`](#groupmemberconnection) | Group memberships of the user. (see [Connections](#connections)) |
 | <a id="mergerequestauthorhuman"></a>`human` | [`Boolean`](#boolean) | Indicates if the user is a regular user. |
-| <a id="mergerequestauthorid"></a>`id` | [`ID!`](#id) | ID of the user. |
+| <a id="mergerequestauthorid"></a>`id` | [`UserID!`](#userid) | Global ID of the user. |
 | <a id="mergerequestauthoride"></a>`ide` | [`Ide`](#ide) | IDE settings. |
 | <a id="mergerequestauthorjobtitle"></a>`jobTitle` | [`String`](#string) | Job title of the user. |
 | <a id="mergerequestauthorlastactivityon"></a>`lastActivityOn` | [`Date`](#date) | Date the user last performed any actions. |
@@ -29956,7 +29956,7 @@ A user participating in a merge request.
 | <a id="mergerequestparticipantgroupcount"></a>`groupCount` | [`Int`](#int) | Group count for the user. |
 | <a id="mergerequestparticipantgroupmemberships"></a>`groupMemberships` | [`GroupMemberConnection`](#groupmemberconnection) | Group memberships of the user. (see [Connections](#connections)) |
 | <a id="mergerequestparticipanthuman"></a>`human` | [`Boolean`](#boolean) | Indicates if the user is a regular user. |
-| <a id="mergerequestparticipantid"></a>`id` | [`ID!`](#id) | ID of the user. |
+| <a id="mergerequestparticipantid"></a>`id` | [`UserID!`](#userid) | Global ID of the user. |
 | <a id="mergerequestparticipantide"></a>`ide` | [`Ide`](#ide) | IDE settings. |
 | <a id="mergerequestparticipantjobtitle"></a>`jobTitle` | [`String`](#string) | Job title of the user. |
 | <a id="mergerequestparticipantlastactivityon"></a>`lastActivityOn` | [`Date`](#date) | Date the user last performed any actions. |
@@ -30385,7 +30385,7 @@ A user assigned to a merge request as a reviewer.
 | <a id="mergerequestreviewergroupcount"></a>`groupCount` | [`Int`](#int) | Group count for the user. |
 | <a id="mergerequestreviewergroupmemberships"></a>`groupMemberships` | [`GroupMemberConnection`](#groupmemberconnection) | Group memberships of the user. (see [Connections](#connections)) |
 | <a id="mergerequestreviewerhuman"></a>`human` | [`Boolean`](#boolean) | Indicates if the user is a regular user. |
-| <a id="mergerequestreviewerid"></a>`id` | [`ID!`](#id) | ID of the user. |
+| <a id="mergerequestreviewerid"></a>`id` | [`UserID!`](#userid) | Global ID of the user. |
 | <a id="mergerequestrevieweride"></a>`ide` | [`Ide`](#ide) | IDE settings. |
 | <a id="mergerequestreviewerjobtitle"></a>`jobTitle` | [`String`](#string) | Job title of the user. |
 | <a id="mergerequestreviewerlastactivityon"></a>`lastActivityOn` | [`Date`](#date) | Date the user last performed any actions. |
@@ -37447,7 +37447,7 @@ Core representation of a GitLab user.
 | <a id="usercoregroupcount"></a>`groupCount` | [`Int`](#int) | Group count for the user. |
 | <a id="usercoregroupmemberships"></a>`groupMemberships` | [`GroupMemberConnection`](#groupmemberconnection) | Group memberships of the user. (see [Connections](#connections)) |
 | <a id="usercorehuman"></a>`human` | [`Boolean`](#boolean) | Indicates if the user is a regular user. |
-| <a id="usercoreid"></a>`id` | [`ID!`](#id) | ID of the user. |
+| <a id="usercoreid"></a>`id` | [`UserID!`](#userid) | Global ID of the user. |
 | <a id="usercoreide"></a>`ide` | [`Ide`](#ide) | IDE settings. |
 | <a id="usercorejobtitle"></a>`jobTitle` | [`String`](#string) | Job title of the user. |
 | <a id="usercorelastactivityon"></a>`lastActivityOn` | [`Date`](#date) | Date the user last performed any actions. |
@@ -45390,7 +45390,7 @@ Implementations:
 | <a id="usergroupcount"></a>`groupCount` | [`Int`](#int) | Group count for the user. |
 | <a id="usergroupmemberships"></a>`groupMemberships` | [`GroupMemberConnection`](#groupmemberconnection) | Group memberships of the user. (see [Connections](#connections)) |
 | <a id="userhuman"></a>`human` | [`Boolean`](#boolean) | Indicates if the user is a regular user. |
-| <a id="userid"></a>`id` | [`ID!`](#id) | ID of the user. |
+| <a id="userid"></a>`id` | [`UserID!`](#userid) | Global ID of the user. |
 | <a id="useride"></a>`ide` | [`Ide`](#ide) | IDE settings. |
 | <a id="userjobtitle"></a>`jobTitle` | [`String`](#string) | Job title of the user. |
 | <a id="userlastactivityon"></a>`lastActivityOn` | [`Date`](#date) | Date the user last performed any actions. |
diff --git a/doc/api/group_access_tokens.md b/doc/api/group_access_tokens.md
index 5bda7b86b7d..525289a97a7 100644
--- a/doc/api/group_access_tokens.md
+++ b/doc/api/group_access_tokens.md
@@ -17,17 +17,21 @@ Use this API to interact with group access tokens. For more information, see [Gr
 
 Lists all group access tokens for a group.
 
-In GitLab 17.2 and later, you can use the `state` attribute to limit the response to group access tokens with a specified state.
-
 ```plaintext
 GET /groups/:id/access_tokens
 GET /groups/:id/access_tokens?state=inactive
 ```
 
-| Attribute | Type              | required | Description |
-| --------- | ----------------- | -------- | ----------- |
-| `id`      | integer or string | yes      | ID or [URL-encoded path](rest/_index.md#namespaced-paths) of a group. |
-| `state`   | string            | No       | If defined, only returns tokens with the specified state. Possible values: `active` and `inactive`. |
+| Attribute          | Type                | required | Description |
+| ------------------ | ------------------- | -------- | ----------- |
+| `id`               | integer or string   | yes      | ID or [URL-encoded path](rest/_index.md#namespaced-paths) of a group. |
+| `created_after`    | datetime (ISO 8601) | No       | If defined, returns tokens created after the specified time. |
+| `created_before`   | datetime (ISO 8601) | No       | If defined, returns tokens created before the specified time. |
+| `last_used_after`  | datetime (ISO 8601) | No       | If defined, returns tokens last used after the specified time. |
+| `last_used_before` | datetime (ISO 8601) | No       | If defined, returns tokens last used before the specified time. |
+| `revoked`          | boolean             | No       | If `true`, only returns revoked tokens. |
+| `search`           | string              | No       | If defined, returns tokens that include the specified value in the name. |
+| `state`            | string              | No       | If defined, returns tokens with the specified state. Possible values: `active` and `inactive`. |
 
 ```shell
 curl --request GET \
@@ -156,13 +160,13 @@ curl --request POST \
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/403042) in GitLab 16.0
 > - `expires_at` attribute [added](https://gitlab.com/gitlab-org/gitlab/-/issues/416795) in GitLab 16.6.
 
-Rotates a group access token. This immediately revokes the previous token and creates a new token. Generally, this endpoint rotates a specific group access token by authenticating with a personal access token. You can also use a group access token to rotate itself. For more information, see [Self-rotation](#self-rotation).
+Rotates a group access token. This immediately revokes the previous token and creates a new token. Generally, this endpoint rotates a specific group access token by authenticating with a personal access token. You can also use a group access token to rotate itself. For more information, see [Self-rotate](#self-rotate).
 
 If you attempt to use the revoked token later, GitLab immediately revokes the new token. For more information, see [Automatic reuse detection](personal_access_tokens.md#automatic-reuse-detection).
 
 Prerequisites:
 
-- A personal access token with the [`api` scope](../user/profile/personal_access_tokens.md#personal-access-token-scopes) or a group access token with the [`api` or `self_rotate` scope](../user/profile/personal_access_tokens.md#personal-access-token-scopes). See [Self-rotation](#self-rotation).
+- A personal access token with the [`api` scope](../user/profile/personal_access_tokens.md#personal-access-token-scopes) or a group access token with the [`api` or `self_rotate` scope](../user/profile/personal_access_tokens.md#personal-access-token-scopes). See [Self-rotate](#self-rotate).
 
 ```plaintext
 POST /groups/:id/access_tokens/:token_id/rotate
@@ -209,14 +213,14 @@ Other possible responses:
   - The token has expired.
   - The token was revoked.
   - You do not have access to the specified token.
-  - You're using a group access token to rotate another group access token. See [Self-rotate a project access token](#self-rotation) instead.
+  - You're using a group access token to rotate another group access token. See [Self-rotate](#self-rotate) instead.
 - `403: Forbidden` if the token is not allowed to rotate itself.
-- `404: Not Found` if the user is an administrator but the token with the specified ID does not exist.
+- `404: Not Found` if the user is an administrator but the token does not exist.
 - `405: Method Not Allowed` if the token is not an access token.
 
-### Self-rotation
+### Self-rotate
 
-Instead of rotating a specific group access token, you can instead rotate the same group access token you used to authenticate the request. To self-rotate a group access token, you must:
+Instead of rotating a specific group access token, you can rotate the same group access token you used to authenticate the request. To self-rotate a group access token, you must:
 
 - Rotate a group access token with the [`api` or `self_rotate` scope](../user/profile/personal_access_tokens.md#personal-access-token-scopes).
 - Use the `self` keyword in the request URL.
diff --git a/doc/api/personal_access_tokens.md b/doc/api/personal_access_tokens.md
index dcbf9b965cd..6690ae04bac 100644
--- a/doc/api/personal_access_tokens.md
+++ b/doc/api/personal_access_tokens.md
@@ -11,24 +11,13 @@ DETAILS:
 
 Use this API to interact with personal access tokens. For more information, see [Personal access tokens](../user/profile/personal_access_tokens.md).
 
-## List personal access tokens
+## List all personal access tokens
 
 > - `created_after`, `created_before`, `last_used_after`, `last_used_before`, `revoked`, `search` and `state` filters were [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/362248) in GitLab 15.5.
 
-Get all personal access tokens the authenticated user has access to. By default, returns an unfiltered list of:
-
-- Only personal access tokens created by the current user to a non-administrator.
-- All personal access tokens to an administrator.
-
-Administrators:
-
-- Can use the `user_id` parameter to filter by a user.
-- Can use other filters on all personal access tokens (GitLab 15.5 and later).
-
-Non-administrators:
-
-- Cannot use the `user_id` parameter to filter on any user except themselves, otherwise they receive a `401 Unauthorized` response.
-- Can only filter on their own personal access tokens (GitLab 15.5 and later).
+Lists all personal access tokens accessible by the authenticating user. For administrators, returns
+a list of all personal access tokens in the instance. For non-administrators, returns a list of the
+personal access tokens for the current user.
 
 ```plaintext
 GET /personal_access_tokens
@@ -46,50 +35,21 @@ Supported attributes:
 
 | Attribute           | Type           | Required | Description         |
 |---------------------|----------------|----------|---------------------|
-| `created_after`     | datetime (ISO 8601) | No | Limit results to PATs created after specified time. |
-| `created_before`    | datetime (ISO 8601) | No | Limit results to PATs created before specified time. |
-| `last_used_after`   | datetime (ISO 8601) | No | Limit results to PATs last used after specified time. |
-| `last_used_before`  | datetime (ISO 8601) | No | Limit results to PATs last used before specified time. |
-| `revoked`           | boolean             | No | Limit results to PATs with specified revoked state. Valid values are `true` and `false`. |
-| `search`            | string              | No | Limit results to PATs with name containing search string. |
-| `state`             | string              | No | Limit results to PATs with specified state. Valid values are `active` and `inactive`. |
-| `user_id`           | integer or string   | No | Limit results to PATs owned by specified user. |
+| `created_after`     | datetime (ISO 8601) | No | If defined, returns tokens created after the specified time. |
+| `created_before`    | datetime (ISO 8601) | No | If defined, returns tokens created before the specified time. |
+| `last_used_after`   | datetime (ISO 8601) | No | If defined, returns tokens last used after the specified time. |
+| `last_used_before`  | datetime (ISO 8601) | No | If defined, returns tokens last used before the specified time. |
+| `revoked`           | boolean             | No | If `true`, only returns revoked tokens. |
+| `search`            | string              | No | If defined, returns tokens that include the specified value in the name. |
+| `state`             | string              | No | If defined, returns tokens with the specified state. Possible values: `active` and `inactive`. |
+| `user_id`           | integer or string   | No | If defined, returns tokens owned by the specified user. Non-administrators can only filter their own tokens. |
 
 Example request:
 
 ```shell
 curl --request GET \
   --header "PRIVATE-TOKEN: <your_access_token>" \
-  --url "https://gitlab.example.com/api/v4/personal_access_tokens"
-```
-
-Example response:
-
-```json
-[
-    {
-        "id": 4,
-        "name": "Test Token",
-        "revoked": false,
-        "created_at": "2020-07-23T14:31:47.729Z",
-        "description": "Test Token description",
-        "scopes": [
-            "api"
-        ],
-        "user_id": 24,
-        "last_used_at": "2021-10-06T17:58:37.550Z",
-        "active": true,
-        "expires_at": null
-    }
-]
-```
-
-Example request:
-
-```shell
-curl --request GET \
-  --header "PRIVATE-TOKEN: <your_access_token>" \
-  --url "https://gitlab.example.com/api/v4/personal_access_tokens?user_id=3"
+  --url "https://gitlab.example.com/api/v4/personal_access_tokens?user_id=3&created_before=2022-01-01"
 ```
 
 Example response:
@@ -113,54 +73,19 @@ Example response:
 ]
 ```
 
-Example request:
+If successful, returns a list of tokens.
 
-```shell
-curl --request GET \
-  --header "PRIVATE-TOKEN: <your_access_token>" \
-  --url "https://gitlab.example.com/api/v4/personal_access_tokens?revoked=true"
-```
+Other possible response:
 
-Example response:
+- `401: Unauthorized` if a non-administrator uses the `user_id` attribute to filter for other users.
 
-```json
-[
-    {
-        "id": 41,
-        "name": "Revoked Test Token",
-        "revoked": true,
-        "created_at": "2022-01-01T14:31:47.729Z",
-        "description": "Test Token description",
-        "scopes": [
-            "api"
-        ],
-        "user_id": 8,
-        "last_used_at": "2022-05-18T17:58:37.550Z",
-        "active": false,
-        "expires_at": null
-    }
-]
-```
-
-You can filter by merged attributes with:
-
-```plaintext
-GET /personal_access_tokens?revoked=true&created_before=2022-01-01
-```
-
-## Get single personal access token
-
-Get a personal access token by either:
-
-- Using the ID of the personal access token.
-- Passing it to the API in a header.
-
-### Using a personal access token ID
+## Get details on a personal access token
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/362239) in GitLab 15.1.
+> - `404` HTTP status code [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/93650) in GitLab 15.3.
 
-Get a single personal access token by its ID. Users can get their own tokens.
-Administrators can get any token.
+Gets details on a specified personal access token. Administrators can get details on any token.
+Non-administrators can only get details on own tokens.
 
 ```plaintext
 GET /personal_access_tokens/:id
@@ -168,7 +93,7 @@ GET /personal_access_tokens/:id
 
 | Attribute | Type    | Required | Description         |
 |-----------|---------|----------|---------------------|
-| `id` | integer/string | yes | ID of personal access token |
+| `id` | integer or string | yes | ID of a personal access token or the keyword `self`. |
 
 ```shell
 curl --request GET \
@@ -176,24 +101,22 @@ curl --request GET \
   --url "https://gitlab.example.com/api/v4/personal_access_tokens/<id>"
 ```
 
-#### Responses
+If successful, returns details on the token.
 
-> - `404` HTTP status code [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/93650) in GitLab 15.3.
+Other possible responses:
 
 - `401: Unauthorized` if either:
-  - The user doesn't have access to the token with the specified ID.
-  - The token with the specified ID doesn't exist.
-- `404: Not Found` if the user is an administrator but the token with the specified ID doesn't exist.
+  - The token does not exist.
+  - You do not have access to the specified token.
+- `404: Not Found` if the user is an administrator but the token does not exist.
 
-### Using a request header
+### Self-inform
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/373999) in GitLab 15.5
 
-Get a single personal access token and information about that token by passing the token in a header.
-
-```plaintext
-GET /personal_access_tokens/self
-```
+Instead of getting details on a specific personal access token, you can also return details on
+the personal access token you used to authenticate the request. To return these details, you must
+use the `self` keyword in the request URL.
 
 ```shell
 curl --request GET \
@@ -201,39 +124,24 @@ curl --request GET \
   --url "https://gitlab.example.com/api/v4/personal_access_tokens/self"
 ```
 
-Example response:
+## Create a personal access token
 
-```json
-{
-    "id": 4,
-    "name": "Test Token",
-    "revoked": false,
-    "created_at": "2020-07-23T14:31:47.729Z",
-    "description": "Test Token description",
-    "scopes": [
-        "api"
-    ],
-    "user_id": 3,
-    "last_used_at": "2021-10-06T17:58:37.550Z",
-    "active": true,
-    "expires_at": null
-}
-```
+DETAILS:
+**Offering:** GitLab Self-Managed, GitLab Dedicated
+
+You can create personal access tokens with the user tokens API. For more information, see the following endpoints:
+
+- [Create a personal access token](user_tokens.md#create-a-personal-access-token)
+- [Create a personal access token for a user](user_tokens.md#create-a-personal-access-token-for-a-user)
 
 ## Rotate a personal access token
 
-Rotate a personal access token. Revokes the previous token and creates a new token that expires in one week.
-
-You can either:
-
-- Use the personal access token ID.
-- In GitLab 16.10 and later, pass the personal access token to the API in a request header.
-
-### Use a personal access token ID
-
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/403042) in GitLab 16.0
+> - `expires_at` attribute [added](https://gitlab.com/gitlab-org/gitlab/-/issues/416795) in GitLab 16.6.
 
-In GitLab 16.6 and later, you can use the `expires_at` parameter to set a different expiry date. This non-default expiry date is subject to the [maximum allowable lifetime limits](../user/profile/personal_access_tokens.md#access-token-expiration).
+Rotates a specified personal access token. This revokes the previous token and creates a new token
+that expires after one week. Administrators can revoke tokens for any user. Non-administrators can
+only revoke their own tokens.
 
 ```plaintext
 POST /personal_access_tokens/:id/rotate
@@ -241,11 +149,8 @@ POST /personal_access_tokens/:id/rotate
 
 | Attribute | Type      | Required | Description         |
 |-----------|-----------|----------|---------------------|
-| `id` | integer/string | yes      | ID of personal access token |
-| `expires_at` | date   | no       | Expiration date of the access token in ISO format (`YYYY-MM-DD`). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/416795) in GitLab 16.6. If undefined, the token expires after one week. |
-
-NOTE:
-Non-administrators can rotate their own tokens. Administrators can rotate tokens of any user.
+| `id` | integer or string | yes      | ID of a personal access token or the keyword `self`. |
+| `expires_at` | date   | no       | Expiration date of the access token in ISO format (`YYYY-MM-DD`). The date must be one year or less from the rotation date. If undefined, the token expires after one week. |
 
 ```shell
 curl --request POST \
@@ -271,28 +176,29 @@ Example response:
 }
 ```
 
-#### Responses
+If successful, returns `200: OK`.
+
+Other possible responses:
 
-- `200: OK` if the existing token is successfully revoked and the new token successfully created.
 - `400: Bad Request` if not rotated successfully.
-- `401: Unauthorized` if either the:
-  - User does not have access to the token with the specified ID.
-  - Token with the specified ID does not exist.
-- `404: Not Found` if the user is an administrator but the token with the specified ID does not exist.
+- `401: Unauthorized` if any of the following conditions are true:
+  - The token does not exist.
+  - The token has expired.
+  - The token was revoked.
+  - You do not have access to the specified token.
+- `403: Forbidden` if the token is not allowed to rotate itself.
+- `404: Not Found` if the user is an administrator but the token does not exist.
+- `405: Method Not Allowed` if the token is not a personal access token.
 
-### Use a request header
+### Self-rotate
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/426779) in GitLab 16.10
 
-Requires:
+Instead of rotating a specific personal access token, you can also rotate the same personal access
+token you used to authenticate the request. To self-rotate a personal access token, you must:
 
-- `api` or `self_rotate` scope.
-
-In GitLab 16.6 and later, you can use the `expires_at` parameter to set a different expiry date. This non-default expiry date is subject to the [maximum allowable lifetime limits](../user/profile/personal_access_tokens.md#access-token-expiration).
-
-```plaintext
-POST /personal_access_tokens/self/rotate
-```
+- Rotate a personal access token with the [`api` or `self_rotate` scope](../user/profile/personal_access_tokens.md#personal-access-token-scopes).
+- Use the `self` keyword in the request URL.
 
 ```shell
 curl --request POST \
@@ -300,61 +206,25 @@ curl --request POST \
   --url "https://gitlab.example.com/api/v4/personal_access_tokens/self/rotate"
 ```
 
-Example response:
-
-```json
-{
-    "id": 42,
-    "name": "Rotated Token",
-    "revoked": false,
-    "created_at": "2023-08-01T15:00:00.000Z",
-    "description": "Test Token description",
-    "scopes": ["api"],
-    "user_id": 1337,
-    "last_used_at": null,
-    "active": true,
-    "expires_at": "2023-08-08",
-    "token": "s3cr3t"
-}
-```
-
-#### Responses
-
-- `200: OK` if the existing token is successfully revoked and the new token successfully created.
-- `400: Bad Request` if not rotated successfully.
-- `401: Unauthorized` if either:
-  - The token does not exist.
-  - The token has expired.
-  - The token has been revoked.
-- `403: Forbidden` if the token is not allowed to rotate itself.
-- `405: Method Not Allowed` if the token is not a personal access token.
-
 ### Automatic reuse detection
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/395352) in GitLab 16.3
 
-For each rotated token, the previous and now revoked token is referenced. This
-chain of references defines a token family. In a token family, only the latest
-token is active, and all other tokens in that family are revoked.
+When you rotate or revoke a token, GitLab automatically tracks the relationship between the old and
+new tokens. Each time a new token is generated, a connection is made to the previous token. These
+connected tokens form a token family. Only the newest token can authenticate requests.
 
-When a revoked token from a token family is used in an authentication attempt
-for the token rotation endpoint, that attempt fails and the active token from
-the token family gets revoked.
-This mechanism helps to prevent compromise when a personal access token is
-leaked.
+If an old token is ever used to authenticate a request, the request fails and GitLab immediately
+revokes the newest token in the family.
 
-Automatic reuse detection is enabled for token rotation API requests.
+This feature helps secure GitLab if an old token is ever leaked or stolen. By tracking token
+relationships and automatically revoking access when old tokens are used, attackers cannot exploit
+compromised tokens.
 
 ## Revoke a personal access token
 
-Revoke a personal access token by either:
-
-- Using the ID of the personal access token.
-- Passing it to the API in a header.
-
-### Using a personal access token ID
-
-Revoke a personal access token using its ID.
+Revokes a specified personal access token. Administrators can revoke tokens for any user.
+Non-administrators can only revoke their own tokens.
 
 ```plaintext
 DELETE /personal_access_tokens/:id
@@ -362,10 +232,7 @@ DELETE /personal_access_tokens/:id
 
 | Attribute | Type    | Required | Description         |
 |-----------|---------|----------|---------------------|
-| `id` | integer/string | yes | ID of personal access token |
-
-NOTE:
-Non-administrators can revoke their own tokens. Administrators can revoke tokens of any user.
+| `id` | integer or string | yes | ID of a personal access token or the keyword `self`. |
 
 ```shell
 curl --request DELETE \
@@ -373,26 +240,22 @@ curl --request DELETE \
   --url "https://gitlab.example.com/api/v4/personal_access_tokens/<personal_access_token_id>"
 ```
 
-#### Responses
+If successful, returns `204: No Content`.
+
+Other possible responses:
 
-- `204: No Content` if successfully revoked.
 - `400: Bad Request` if not revoked successfully.
 - `401: Unauthorized` if the access token is invalid.
 - `403: Forbidden` if the access token does not have the required permissions.
 
-### Using a request header
+### Self-revoke
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350240) in GitLab 15.0. Limited to tokens with `api` scope.
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/369103) in GitLab 15.4, any token can use this endpoint.
 
-Revokes a personal access token that is passed in using a request header. Requires:
-
-- `api` scope in GitLab 15.0 to GitLab 15.3.
-- Any scope in GitLab 15.4 and later.
-
-```plaintext
-DELETE /personal_access_tokens/self
-```
+Instead of revoking a specific personal access token, you can also revoke the same personal access
+token you used to authenticate the request. To self-revoke a personal access token, you must use
+the `self` keyword in the request URL.
 
 ```shell
 curl --request DELETE \
@@ -400,17 +263,11 @@ curl --request DELETE \
   --url "https://gitlab.example.com/api/v4/personal_access_tokens/self"
 ```
 
-#### Responses
-
-- `204: No Content` if successfully revoked.
-- `400: Bad Request` if not revoked successfully.
-- `401: Unauthorized` if the access token is invalid.
-
-## List token associations
+## List all token associations
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/466046) in GitLab 17.4.
 
-Returns an unfiltered list of all groups, subgroups, and projects the current authenticated user can access.
+Lists all groups, subgroups, and projects associated with the personal access token used to authenticate the request.
 
 ```plaintext
 GET /personal_access_tokens/self/associations
@@ -488,20 +345,6 @@ Example response:
 }
 ```
 
-## Create a personal access token (administrator only)
+## Related topics
 
-See the [User tokens API](user_tokens.md#create-a-personal-access-token) for information on creating a personal access
-token.
-
-## Create a personal access token with limited scopes for the currently authenticated user
-
-DETAILS:
-**Tier:** Free, Premium, Ultimate
-**Offering:** GitLab Self-Managed, GitLab Dedicated
-
-See the [User tokens API](user_tokens.md#create-a-personal-access-token) for
-information on creating a personal access token for the currently authenticated user.
-
-## Troubleshooting access tokens
-
-To troubleshoot access token issues, see the [token troubleshooting guide](../security/tokens/token_troubleshooting.md).
+- [Token troubleshooting](../security/tokens/token_troubleshooting.md)
diff --git a/doc/api/project_access_tokens.md b/doc/api/project_access_tokens.md
index 0915a776559..3eb2f7b3e7a 100644
--- a/doc/api/project_access_tokens.md
+++ b/doc/api/project_access_tokens.md
@@ -17,17 +17,21 @@ Use this API to interact with project access tokens. For more information, see [
 
 Lists all project access tokens for a specified project.
 
-In GitLab 17.2 and later, you can use the `state` attribute to limit the response to project access tokens with a specified state.
-
 ```plaintext
 GET projects/:id/access_tokens
 GET projects/:id/access_tokens?state=inactive
 ```
 
-| Attribute | Type              | required | Description |
-| --------- | ----------------- | -------- | ----------- |
-| `id`      | integer or string | yes      | ID or [URL-encoded path](rest/_index.md#namespaced-paths) of a project. |
-| `state`   | string            | No       | If defined, only returns tokens with the specified state. Possible values: `active` and `inactive`. |
+| Attribute          | Type                | required | Description |
+| ------------------ | ------------------- | -------- | ----------- |
+| `id`               | integer or string   | yes      | ID or [URL-encoded path](rest/_index.md#namespaced-paths) of a project. |
+| `created_after`    | datetime (ISO 8601) | No       | If defined, returns tokens created after the specified time. |
+| `created_before`   | datetime (ISO 8601) | No       | If defined, returns tokens created before the specified time. |
+| `last_used_after`  | datetime (ISO 8601) | No       | If defined, returns tokens last used after the specified time. |
+| `last_used_before` | datetime (ISO 8601) | No       | If defined, returns tokens last used before the specified time. |
+| `revoked`          | boolean             | No       | If `true`, only returns revoked tokens. |
+| `search`           | string              | No       | If defined, returns tokens that include the specified value in the name. |
+| `state`            | string              | No       | If defined, returns tokens with the specified state. Possible values: `active` and `inactive`. |
 
 ```shell
 curl --request GET \
@@ -153,13 +157,13 @@ curl --request POST \
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/403042) in GitLab 16.0
 > - `expires_at` attribute [added](https://gitlab.com/gitlab-org/gitlab/-/issues/416795) in GitLab 16.6.
 
-Rotates a project access token. This immediately revokes the previous token and creates a new token. Generally, this endpoint rotates a specific project access token by authenticating with a personal access token. You can also use a project access token to rotate itself. For more information, see [Self-rotation](#self-rotation).
+Rotates a project access token. This immediately revokes the previous token and creates a new token. Generally, this endpoint rotates a specific project access token by authenticating with a personal access token. You can also use a project access token to rotate itself. For more information, see [Self-rotate](#self-rotate).
 
 If you attempt to use the revoked token later, GitLab immediately revokes the new token. For more information, see [Automatic reuse detection](personal_access_tokens.md#automatic-reuse-detection).
 
 Prerequisites:
 
-- A personal access token with the [`api` scope](../user/profile/personal_access_tokens.md#personal-access-token-scopes) or a project access token with the [`api` or `self_rotate` scope](../user/profile/personal_access_tokens.md#personal-access-token-scopes). See [Self-rotation](#self-rotation).
+- A personal access token with the [`api` scope](../user/profile/personal_access_tokens.md#personal-access-token-scopes) or a project access token with the [`api` or `self_rotate` scope](../user/profile/personal_access_tokens.md#personal-access-token-scopes). See [Self-rotate](#self-rotate).
 
 ```plaintext
 POST /projects/:id/access_tokens/:token_id/rotate
@@ -206,14 +210,14 @@ Other possible responses:
   - The token has expired.
   - The token was revoked.
   - You do not have access to the specified token.
-  - You're using a project access token to rotate another project access token. See [Self-rotate a project access token](#self-rotation) instead.
+  - You're using a project access token to rotate another project access token. See [Self-rotate](#self-rotate) instead.
 - `403: Forbidden` if the token is not allowed to rotate itself.
-- `404: Not Found` if the user is an administrator but the token with the specified ID does not exist.
+- `404: Not Found` if the user is an administrator but the token does not exist.
 - `405: Method Not Allowed` if the token is not a project access token.
 
-### Self-rotation
+### Self-rotate
 
-Instead of rotating a specific project access token, you can instead rotate the same project access token you used to authenticate the request. To self-rotate a project access token, you must:
+Instead of rotating a specific project access token, you can rotate the same project access token you used to authenticate the request. To self-rotate a project access token, you must:
 
 - Rotate a project access token with the [`api` or `self_rotate` scope](../user/profile/personal_access_tokens.md#personal-access-token-scopes).
 - Use the `self` keyword in the request URL.
diff --git a/doc/development/feature_flags/controls.md b/doc/development/feature_flags/controls.md
index b26a69642a2..9b75eaf1a57 100644
--- a/doc/development/feature_flags/controls.md
+++ b/doc/development/feature_flags/controls.md
@@ -501,3 +501,22 @@ The record can be deleted once the MR is deployed to all the environments:
 ```shell
 /chatops run feature delete <feature-flag-name> --dev --pre --staging --staging-ref --production
 ```
+
+## Checking feature flag status
+
+You can use the following ChatOps command to see a feature flag's current state:
+
+```shell
+/chatops run feature get <feature-flag-name>
+```
+
+Since this is a read-only command, you can avoid cluttering the production channels by either:
+
+- Running it in the `#chatops-ops-test` Slack channel
+- Sending it as a direct message to the ChatOps bot
+
+The result of this command will display:
+
+- Whether the feature flag exists
+- Its current state (enabled/disabled)
+- Any percentage rollouts or actor-based gates that are configured
diff --git a/doc/security/responding_to_security_incidents.md b/doc/security/responding_to_security_incidents.md
index 465e4aaeffb..d874965c642 100644
--- a/doc/security/responding_to_security_incidents.md
+++ b/doc/security/responding_to_security_incidents.md
@@ -40,7 +40,7 @@ Security incidents related to credentials exposure can vary in severity from low
 
 - Determine the type and scope of the token.
 - Identify the token owner and the relevant team based on the token information.
-  - For personal access tokens, you might be able to use the [personal access token API](../api/personal_access_tokens.md#using-a-request-header) to quickly retrieve token details.
+  - For personal access tokens, you can use the [personal access token API](../api/personal_access_tokens.md#get-details-on-a-personal-access-token) to quickly retrieve token details.
 - [Revoke](../api/personal_access_tokens.md#revoke-a-personal-access-token) or [rotate](../api/group_access_tokens.md#rotate-a-group-access-token) the token after you have assessed its scope and potential impact. Revoking a production token is a balance between the security risk posed by the exposed token, and the availability risk revoking a token might cause. Only revoke the token if you are:
   - Confident in your understanding of the potential impact of token revocation.
   - Following your company's security incident response guidelines.
diff --git a/doc/security/tokens/token_troubleshooting.md b/doc/security/tokens/token_troubleshooting.md
index 926830fc73d..f4543019f2d 100644
--- a/doc/security/tokens/token_troubleshooting.md
+++ b/doc/security/tokens/token_troubleshooting.md
@@ -57,7 +57,7 @@ entry:
 
 `meta.auth_fail_token_id` indicates that an access token of ID 12 was used.
 
-To find more information about this token, use the [personal access token API](../../api/personal_access_tokens.md#get-single-personal-access-token).
+To find more information about this token, use the [personal access token API](../../api/personal_access_tokens.md#get-details-on-a-personal-access-token).
 You can also use the API to [rotate the token](../../api/personal_access_tokens.md#rotate-a-personal-access-token).
 
 ### Replace expired access tokens
@@ -66,7 +66,7 @@ To replace the token:
 
 1. Check where this token may have been used previously, and remove it from any
    automation might still use the token.
-   - For personal access tokens, use the [API](../../api/personal_access_tokens.md#list-personal-access-tokens)
+   - For personal access tokens, use the [API](../../api/personal_access_tokens.md#list-all-personal-access-tokens)
      to list tokens that have expired recently. For example, go to `https://gitlab.com/api/v4/personal_access_tokens`,
      and locate tokens with a specific `expires_at` date.
    - For project access tokens, use the
diff --git a/doc/user/group/settings/group_access_tokens.md b/doc/user/group/settings/group_access_tokens.md
index cee3ee9b6a5..e66ec15b039 100644
--- a/doc/user/group/settings/group_access_tokens.md
+++ b/doc/user/group/settings/group_access_tokens.md
@@ -162,7 +162,7 @@ The scope determines the actions you can perform when you authenticate with a gr
 | `manage_runner`    | Grants permission to manage runners in a group.                                                                                                                                                                                                                                                            |
 | `ai_features`      | Grants permission to perform API actions for GitLab Duo. This scope is designed to work with the GitLab Duo Plugin for JetBrains. For all other extensions, see scope requirements.                                                                                                          |
 | `k8s_proxy`        | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in a group.                                                                                                                                                                                                               |
-| `self_rotate`      | Grants permission to rotate this token using the [personal access token API](../../../api/personal_access_tokens.md#use-a-request-header). Does not allow rotation of other tokens. |
+| `self_rotate`      | Grants permission to rotate this token using the [personal access token API](../../../api/personal_access_tokens.md#rotate-a-personal-access-token). Does not allow rotation of other tokens. |
 
 ## Restrict the creation of group access tokens
 
diff --git a/doc/user/profile/personal_access_tokens.md b/doc/user/profile/personal_access_tokens.md
index 52f40cb8c1d..516b214abb1 100644
--- a/doc/user/profile/personal_access_tokens.md
+++ b/doc/user/profile/personal_access_tokens.md
@@ -207,7 +207,7 @@ A personal access token can perform actions based on the assigned scopes.
 | `manage_runner`    | Grants permission to manage runners.                                                                    |
 | `ai_features`      | This scope:<br>- Grants permission to perform API actions for features like GitLab Duo, Code Suggestions API and Duo Chat API.<br>- Does not work for GitLab Self-Managed versions 16.5, 16.6, and 16.7.<br>For GitLab Duo plugin for JetBrains, this scope:<br>- Supports users with AI features enabled in the GitLab Duo plugin for JetBrains.<br>- Addresses a security vulnerability in JetBrains IDE plugins that could expose personal access tokens.<br>- Is designed to minimize potential risks for GitLab Duo plugin users by limiting the impact of compromised tokens.<br>For all other extensions, see the individual scope requirements in their documentation.                                                                                                                                |
 | `k8s_proxy`        | Grants permission to perform Kubernetes API calls using the agent for Kubernetes.                                                                                                                                                                                                                                  |
-| `self_rotate`      | Grants permission to rotate this token using the [personal access token API](../../api/personal_access_tokens.md#use-a-request-header). Does not allow rotation of other tokens. |
+| `self_rotate`      | Grants permission to rotate this token using the [personal access token API](../../api/personal_access_tokens.md#rotate-a-personal-access-token). Does not allow rotation of other tokens. |
 | `read_service_ping`| Grant access to download Service Ping payload through the API when authenticated as an admin use. |
 
 WARNING:
diff --git a/doc/user/profile/service_accounts.md b/doc/user/profile/service_accounts.md
index ed0f65df377..1541b273a9b 100644
--- a/doc/user/profile/service_accounts.md
+++ b/doc/user/profile/service_accounts.md
@@ -165,8 +165,8 @@ Prerequisites:
 
 To revoke a personal access token, use the [personal access tokens API](../../api/personal_access_tokens.md#revoke-a-personal-access-token). You can use either of the following methods:
 
-- Use a [personal access token ID](../../api/personal_access_tokens.md#using-a-personal-access-token-id-1). The token used to perform the revocation must have the [`admin_mode`](personal_access_tokens.md#personal-access-token-scopes) scope.
-- Use a [request header](../../api/personal_access_tokens.md#using-a-request-header-1). The token used to perform the request is revoked.
+- Use a [personal access token ID](../../api/personal_access_tokens.md#revoke-a-personal-access-token). The token used to perform the revocation must have the [`admin_mode`](personal_access_tokens.md#personal-access-token-scopes) scope.
+- Use a [request header](../../api/personal_access_tokens.md#self-revoke). The token used to perform the request is revoked.
 
 ### Delete a service account
 
diff --git a/doc/user/project/settings/project_access_tokens.md b/doc/user/project/settings/project_access_tokens.md
index 4d8a3f2d5f6..83b4fd2ae4f 100644
--- a/doc/user/project/settings/project_access_tokens.md
+++ b/doc/user/project/settings/project_access_tokens.md
@@ -116,7 +116,7 @@ See the warning in [create a project access token](#create-a-project-access-toke
 | `manage_runner`    | Grants permission to manage runners in the project.                                                                                                                                                                                                                                      |
 | `ai_features`      | Grants permission to perform API actions for GitLab Duo. This scope is designed to work with the GitLab Duo Plugin for JetBrains. For all other extensions, see scope requirements.                                                                                                          |
 | `k8s_proxy`        | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in the project.                                                                                                                                                                                         |
-| `self_rotate`      | Grants permission to rotate this token using the [personal access token API](../../../api/personal_access_tokens.md#use-a-request-header). Does not allow rotation of other tokens. |
+| `self_rotate`      | Grants permission to rotate this token using the [personal access token API](../../../api/personal_access_tokens.md#rotate-a-personal-access-token). Does not allow rotation of other tokens. |
 
 ## Restrict the creation of project access tokens
 
diff --git a/lib/api/ci/helpers/runner.rb b/lib/api/ci/helpers/runner.rb
index d40852c2e4d..8b82e1c8867 100644
--- a/lib/api/ci/helpers/runner.rb
+++ b/lib/api/ci/helpers/runner.rb
@@ -12,9 +12,6 @@ module API
         JOB_TOKEN_PARAM = :token
         LEGACY_SYSTEM_XID = '<legacy>'
 
-        # TODO: Remove once https://gitlab.com/gitlab-org/gitlab/-/issues/516929 is closed.
-        UnknownRunnerOwnerError = Class.new(StandardError)
-
         def authenticate_runner!(ensure_runner_manager: true, update_contacted_at: true)
           track_runner_authentication
           forbidden! unless current_runner
@@ -22,10 +19,7 @@ module API
           # TODO: Remove in https://gitlab.com/gitlab-org/gitlab/-/issues/504963 (when ci_runners is swapped)
           # This is because the new table will have check constraints for these scenarios, and therefore
           # any orphaned runners will be missing
-          if Feature.enabled?(:reject_orphaned_runners, Feature.current_request) &&
-              current_runner.sharding_key_id.nil? && !current_runner.instance_type?
-            forbidden!('Runner is orphaned')
-          end
+          forbidden!('Runner is orphaned') if current_runner.sharding_key_id.nil? && !current_runner.instance_type?
 
           current_runner.heartbeat if update_contacted_at
           return unless ensure_runner_manager
@@ -64,9 +58,6 @@ module API
         end
 
         def current_runner_manager
-          # NOTE: Avoid orphaned runners, since we're not allowed to created records with a nil sharding_key_id
-          raise UnknownRunnerOwnerError if !current_runner.instance_type? && current_runner.sharding_key_id.nil?
-
           strong_memoize(:current_runner_manager) do
             system_xid = params.fetch(:system_id, LEGACY_SYSTEM_XID)
             current_runner&.ensure_manager(system_xid)
diff --git a/lib/api/ci/runner.rb b/lib/api/ci/runner.rb
index c92a9740534..714322c4931 100644
--- a/lib/api/ci/runner.rb
+++ b/lib/api/ci/runner.rb
@@ -128,8 +128,6 @@ module API
           status 200
 
           present current_runner, with: Entities::Ci::RunnerRegistrationDetails
-        rescue ::API::Ci::Helpers::Runner::UnknownRunnerOwnerError
-          unprocessable_entity!('Runner is orphaned')
         end
 
         desc 'Reset runner authentication token with current token' do
@@ -229,8 +227,6 @@ module API
             Gitlab::Metrics.add_event(:build_invalid)
             conflict!
           end
-        rescue ::API::Ci::Helpers::Runner::UnknownRunnerOwnerError
-          unprocessable_entity!('Runner is orphaned')
         end
 
         desc 'Update a job' do
diff --git a/lib/api/entities/ci/runner_details.rb b/lib/api/entities/ci/runner_details.rb
index 40b4d3fa1a0..0438cbffadd 100644
--- a/lib/api/entities/ci/runner_details.rb
+++ b/lib/api/entities/ci/runner_details.rb
@@ -19,24 +19,20 @@ module API
         expose :contacted_at
         expose :maintenance_note
 
-        # rubocop: disable CodeReuse/ActiveRecord
         expose :projects, with: Entities::BasicProjectDetails do |runner, options|
           if options[:current_user].can_read_all_resources?
             runner.projects
           else
-            options[:current_user].authorized_projects.where(id: runner.runner_projects.pluck(:project_id))
+            options[:current_user].authorized_projects.id_in(runner.project_ids)
           end
         end
-        # rubocop: enable CodeReuse/ActiveRecord
-        # rubocop: disable CodeReuse/ActiveRecord
         expose :groups, with: Entities::BasicGroupDetails do |runner, options|
           if options[:current_user].can_read_all_resources?
             runner.groups
           else
-            options[:current_user].authorized_groups.where(id: runner.runner_namespaces.pluck(:namespace_id))
+            options[:current_user].authorized_groups.id_in(runner.namespace_ids)
           end
         end
-        # rubocop: enable CodeReuse/ActiveRecord
 
         def latest_runner_manager(runner)
           strong_memoize_with(:latest_runner_manager, runner) do
diff --git a/lib/api/entities/ssh_key_with_user_id.rb b/lib/api/entities/ssh_key_with_user_id.rb
new file mode 100644
index 00000000000..d70b0b8b2cb
--- /dev/null
+++ b/lib/api/entities/ssh_key_with_user_id.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module API
+  module Entities
+    class SshKeyWithUserId < Grape::Entity
+      expose :id, documentation: { type: 'integer', example: 1 }
+      expose :title, documentation: { type: 'string', example: 'Sample key 25' }
+      expose :created_at, documentation: { type: 'dateTime', example: '2015-09-03T07:24:44.627Z' }
+      expose :expires_at, documentation: { type: 'dateTime', example: '2020-09-03T07:24:44.627Z' }
+      expose :last_used_at, documentation: { type: 'dateTime', example: '2020-09-03T07:24:44.627Z' }
+      expose :usage_type, documentation: { type: 'string', example: 'auth' }
+      expose :user_id, documentation: { type: 'integer', example: 3 }
+    end
+  end
+end
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index 8d23acb73e2..4f1006503da 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -187,7 +187,7 @@ module Gitlab
         ::Ci::Runner.find_by_token(token.to_s) || raise(UnauthorizedError)
       end
 
-      def validate_and_save_access_token!(scopes: [], save_auth_context: true)
+      def validate_and_save_access_token!(scopes: [], save_auth_context: true, reset_token: false)
         # return early if we've already authenticated via a job token
         return if @current_authenticated_job.present? # rubocop:disable Gitlab/ModuleWithInstanceVariables
 
@@ -196,6 +196,12 @@ module Gitlab
 
         return unless access_token
 
+        # Originally, we tried to use `reset` here to follow the rubocop rule introduced by
+        # gitlab-org/gitlab-foss#60218, but this caused a NoMethodError for OAuth tokens,
+        # leading to incident 18980 (see gitlab-com/gl-infra/production#18988).
+        # We're using reload instead and disabling the rubocop rule to prevent similar incidents.
+        access_token.reload if reset_token # rubocop:disable Cop/ActiveRecordAssociationReload
+
         case AccessTokenValidationService.new(access_token, request: request).validate(scopes: scopes)
         when AccessTokenValidationService::INSUFFICIENT_SCOPE
           save_auth_failure_in_application_context(access_token, :insufficient_scope, scopes) if save_auth_context
diff --git a/lib/tasks/ci/allowlist_migration.rake b/lib/tasks/ci/allowlist_migration.rake
new file mode 100644
index 00000000000..fec6bd88f85
--- /dev/null
+++ b/lib/tasks/ci/allowlist_migration.rake
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+namespace :ci do
+  namespace :job_tokens do
+    namespace :allowlist do
+      desc "CI | Job Tokens | Allowlist | Autopopulate allowlist from authorization log entries"
+      task autopopulate_and_enforce: :environment do
+        only_ids = ENV['ONLY_PROJECT_IDS']
+        exclude_ids = ENV['EXCLUDE_PROJECT_IDS']
+        preview = ENV['PREVIEW']
+
+        require_relative '../../../app/models/ci/job_token/allowlist_migration_task'
+
+        task = ::Ci::JobToken::AllowlistMigrationTask.new(only_ids: only_ids,
+          exclude_ids: exclude_ids,
+          preview: preview,
+          user: ::Users::Internal.admin_bot)
+
+        task.execute
+      end
+    end
+  end
+end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 847fae99e56..15cfa7e5189 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -800,6 +800,11 @@ msgstr ""
 msgid "%{count} total weight"
 msgstr ""
 
+msgid "%{count} vulnerability set to %{severity} severity"
+msgid_plural "%{count} vulnerabilities set to %{severity} severity"
+msgstr[0] ""
+msgstr[1] ""
+
 msgid "%{days} days until tags are automatically removed"
 msgstr ""
 
@@ -16746,9 +16751,6 @@ msgstr ""
 msgid "Could not upload your designs as one or more files uploaded are not supported."
 msgstr ""
 
-msgid "Couldn't add issue due to an internal error."
-msgstr ""
-
 msgid "Couldn't assign policy to project or group"
 msgstr ""
 
@@ -38121,6 +38123,9 @@ msgstr ""
 msgid "No phone number data for matching"
 msgstr ""
 
+msgid "No placeholder users are awaiting reassignment."
+msgstr ""
+
 msgid "No plan"
 msgstr ""
 
@@ -63717,6 +63722,9 @@ msgstr ""
 msgid "VulnerabilityManagement|Something went wrong, could not get user."
 msgstr ""
 
+msgid "VulnerabilityManagement|Something went wrong, could not update vulnerability severity."
+msgstr ""
+
 msgid "VulnerabilityManagement|Something went wrong, could not update vulnerability state."
 msgstr ""
 
@@ -63735,6 +63743,9 @@ msgstr ""
 msgid "VulnerabilityManagement|Vulnerability name or type. Ex: Cross-site scripting"
 msgstr ""
 
+msgid "VulnerabilityManagement|Vulnerability set to %{severity} severity"
+msgstr ""
+
 msgid "VulnerabilityManagement|Will not fix or a false-positive"
 msgstr ""
 
diff --git a/spec/channels/application_cable/channel_spec.rb b/spec/channels/application_cable/channel_spec.rb
new file mode 100644
index 00000000000..2639ac0b945
--- /dev/null
+++ b/spec/channels/application_cable/channel_spec.rb
@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ApplicationCable::Channel, feature_category: :shared do
+  let(:user) { create(:user) }
+  let(:token) { create(:personal_access_token, user: user, scopes: [:api, :read_api]) }
+  let(:channel) { described_class.new(connection, {}) }
+
+  before do
+    stub_connection current_user: user
+  end
+
+  describe '#validate_token_scope' do
+    it 'validates the token scope' do
+      expect(channel).to receive(:validate_and_save_access_token!)
+        .with(scopes: [:api, :read_api], reset_token: true)
+
+      channel.validate_token_scope
+    end
+
+    context 'when an authentication error occurs' do
+      before do
+        allow(channel).to receive(:validate_and_save_access_token!)
+          .and_raise(Gitlab::Auth::AuthenticationError)
+      end
+
+      it 'handles the authentication error' do
+        expect(channel).to receive(:handle_authentication_error)
+
+        channel.validate_token_scope
+      end
+
+      context 'when client is subscribed' do
+        before do
+          allow(channel).to receive(:client_subscribed?).and_return(true)
+        end
+
+        it 'unsubscribes from the channel' do
+          expect(channel).to receive(:unsubscribe_from_channel)
+
+          channel.validate_token_scope
+        end
+      end
+
+      context 'when client is not subscribed' do
+        before do
+          allow(channel).to receive(:client_subscribed?).and_return(false)
+        end
+
+        it 'rejects the subscription' do
+          expect(channel).to receive(:reject)
+
+          channel.validate_token_scope
+        end
+      end
+    end
+  end
+end
diff --git a/spec/controllers/user_settings/personal_access_tokens_controller_spec.rb b/spec/controllers/user_settings/personal_access_tokens_controller_spec.rb
index 3e485397bbc..5354585129a 100644
--- a/spec/controllers/user_settings/personal_access_tokens_controller_spec.rb
+++ b/spec/controllers/user_settings/personal_access_tokens_controller_spec.rb
@@ -102,7 +102,7 @@ RSpec.describe UserSettings::PersonalAccessTokensController, feature_category: :
 
     it "builds a PAT with name, description and scopes from params" do
       name = 'My PAT'
-      scopes = 'api,read_user'
+      scopes = 'api,read_user,invalid'
       description = 'My PAT description'
 
       get :index, params: { name: name, scopes: scopes, description: description }
diff --git a/spec/features/clusters/create_agent_spec.rb b/spec/features/clusters/create_agent_spec.rb
index 78446b79b58..cfcb6564b61 100644
--- a/spec/features/clusters/create_agent_spec.rb
+++ b/spec/features/clusters/create_agent_spec.rb
@@ -24,7 +24,8 @@ RSpec.describe 'Cluster agent registration', :js, feature_category: :deployment_
       end
     end
 
-    it 'allows the user to select an agent to install, and displays the resulting agent token' do
+    it 'allows the user to select an agent to install, and displays the resulting agent token',
+      quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/510927' do
       find_by_testid('clusters-default-action-button').click
 
       expect(page).to have_content('Create and register')
diff --git a/spec/features/projects/files/project_owner_creates_license_file_spec.rb b/spec/features/projects/files/project_owner_creates_license_file_spec.rb
index 48e2f1f3f00..e08f5e2de24 100644
--- a/spec/features/projects/files/project_owner_creates_license_file_spec.rb
+++ b/spec/features/projects/files/project_owner_creates_license_file_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe 'Projects > Files > Project owner creates a license file', :js, f
   let_it_be(:project) { create(:project, :repository, namespace: project_maintainer.namespace) }
 
   before do
+    stub_feature_flags(blob_overflow_menu: false)
     project.repository.delete_file(project_maintainer, 'LICENSE',
       message: 'Remove LICENSE', branch_name: 'master')
     sign_in(project_maintainer)
diff --git a/spec/features/projects/files/user_creates_directory_spec.rb b/spec/features/projects/files/user_creates_directory_spec.rb
index e52c00d50dd..05f27e44b8a 100644
--- a/spec/features/projects/files/user_creates_directory_spec.rb
+++ b/spec/features/projects/files/user_creates_directory_spec.rb
@@ -14,6 +14,7 @@ RSpec.describe 'Projects > Files > User creates a directory', :js, feature_categ
   let(:user) { create(:user) }
 
   before do
+    stub_feature_flags(blob_overflow_menu: false)
     project.add_developer(user)
     sign_in(user)
     visit project_tree_path(project, 'master')
diff --git a/spec/features/projects/files/user_creates_files_spec.rb b/spec/features/projects/files/user_creates_files_spec.rb
index 7a392752f65..3ccbd1247d5 100644
--- a/spec/features/projects/files/user_creates_files_spec.rb
+++ b/spec/features/projects/files/user_creates_files_spec.rb
@@ -18,6 +18,7 @@ RSpec.describe 'Projects > Files > User creates files', :js, feature_category: :
   let(:user) { create(:user) }
 
   before do
+    stub_feature_flags(blob_overflow_menu: false)
     project.add_maintainer(user)
     sign_in(user)
   end
diff --git a/spec/features/projects/files/user_uploads_files_spec.rb b/spec/features/projects/files/user_uploads_files_spec.rb
index 2befa4e0151..306b59527a0 100644
--- a/spec/features/projects/files/user_uploads_files_spec.rb
+++ b/spec/features/projects/files/user_uploads_files_spec.rb
@@ -8,6 +8,7 @@ RSpec.describe 'Projects > Files > User uploads files', feature_category: :sourc
   let(:project2) { create(:project, :repository, name: 'Another Project', path: 'another-project') }
 
   before do
+    stub_feature_flags(blob_overflow_menu: false)
     project.add_maintainer(user)
     sign_in(user)
   end
diff --git a/spec/features/projects/show/user_sees_collaboration_links_spec.rb b/spec/features/projects/show/user_sees_collaboration_links_spec.rb
index fa065cf0a10..4d57426bd98 100644
--- a/spec/features/projects/show/user_sees_collaboration_links_spec.rb
+++ b/spec/features/projects/show/user_sees_collaboration_links_spec.rb
@@ -18,6 +18,7 @@ RSpec.describe 'Projects > Show > Collaboration links', :js, feature_category: :
 
   context 'with developer user' do
     before_all do
+      stub_feature_flags(blob_overflow_menu: false)
       project.add_developer(user)
     end
 
diff --git a/spec/features/projects/show/user_uploads_files_spec.rb b/spec/features/projects/show/user_uploads_files_spec.rb
index 5dde415151b..3198faac3ca 100644
--- a/spec/features/projects/show/user_uploads_files_spec.rb
+++ b/spec/features/projects/show/user_uploads_files_spec.rb
@@ -10,6 +10,7 @@ RSpec.describe 'Projects > Show > User uploads files', feature_category: :groups
   let(:project2) { create(:project, :repository, name: 'Another Project', path: 'another-project') }
 
   before do
+    stub_feature_flags(blob_overflow_menu: false)
     project.add_maintainer(user)
     sign_in(user)
   end
diff --git a/spec/frontend/repository/components/header_area/breadcrumbs_spec.js b/spec/frontend/repository/components/header_area/breadcrumbs_spec.js
index 7eebe12817a..b61ba5439b9 100644
--- a/spec/frontend/repository/components/header_area/breadcrumbs_spec.js
+++ b/spec/frontend/repository/components/header_area/breadcrumbs_spec.js
@@ -1,6 +1,6 @@
 import Vue, { nextTick } from 'vue';
 import VueApollo from 'vue-apollo';
-import { GlDisclosureDropdown, GlDisclosureDropdownGroup, GlLink } from '@gitlab/ui';
+import { GlDisclosureDropdown, GlDisclosureDropdownGroup, GlLink, GlBreadcrumb } from '@gitlab/ui';
 import { shallowMount, RouterLinkStub } from '@vue/test-utils';
 import Breadcrumbs from '~/repository/components/header_area/breadcrumbs.vue';
 import UploadBlobModal from '~/repository/components/upload_blob_modal.vue';
@@ -12,6 +12,7 @@ import projectPathQuery from '~/repository/queries/project_path.query.graphql';
 
 import createApolloProvider from 'helpers/mock_apollo_helper';
 import ClipboardButton from '~/vue_shared/components/clipboard_button.vue';
+import { logError } from '~/lib/logger';
 
 const defaultMockRoute = {
   name: 'blobPath',
@@ -20,6 +21,7 @@ const defaultMockRoute = {
 const TEST_PROJECT_PATH = 'test-project/path';
 
 Vue.use(VueApollo);
+jest.mock('~/lib/logger');
 
 describe('Repository breadcrumbs component', () => {
   let wrapper;
@@ -88,274 +90,378 @@ describe('Repository breadcrumbs component', () => {
   const findUploadBlobModal = () => wrapper.findComponent(UploadBlobModal);
   const findNewDirectoryModal = () => wrapper.findComponent(NewDirectoryModal);
   const findRouterLinks = () => wrapper.findAllComponents(GlLink);
+  const findGLBreadcrumb = () => wrapper.findComponent(GlBreadcrumb);
+  const findClipboardButton = () => wrapper.findComponent(ClipboardButton);
 
   beforeEach(() => {
     permissionsQuerySpy = jest.fn().mockResolvedValue(createPermissionsQueryResponse());
   });
 
-  it('queries for permissions', async () => {
-    factory({ currentPath: '/' });
+  describe('permissions queries', () => {
+    it.each`
+      featureFlag | description
+      ${true}     | ${'when blobOverflowMenu feature flag is enabled'}
+      ${false}    | ${'when blobOverflowMenu feature flag is disabled'}
+    `('queries for permissions $description', async ({ featureFlag }) => {
+      factory({
+        currentPath: '/',
+        glFeatures: {
+          blobOverflowMenu: featureFlag,
+        },
+      });
 
-    // We need to wait for the projectPath query to resolve
-    await waitForPromises();
+      // We need to wait for the projectPath query to resolve
+      await waitForPromises();
 
-    expect(permissionsQuerySpy).toHaveBeenCalledWith({
-      projectPath: TEST_PROJECT_PATH,
+      expect(permissionsQuerySpy).toHaveBeenCalledWith({
+        projectPath: TEST_PROJECT_PATH,
+      });
+    });
+
+    it.each`
+      featureFlag | description
+      ${true}     | ${'when blobOverflowMenu feature flag is enabled'}
+      ${false}    | ${'when blobOverflowMenu feature flag is disabled'}
+    `('queries for permissions $description', async ({ featureFlag }) => {
+      const mockError = new Error('timeout of 0ms exceeded');
+      permissionsQuerySpy = jest.fn().mockRejectedValue(mockError);
+
+      factory({
+        currentPath: '/',
+        glFeatures: {
+          blobOverflowMenu: featureFlag,
+        },
+      });
+
+      // We need to wait for the projectPath query to resolve
+      await waitForPromises();
+
+      expect(logError).toHaveBeenCalledWith(
+        'Failed to fetch user permissions. See exception details for more information.',
+        mockError,
+      );
     });
   });
 
-  it.each`
-    path                        | linkCount
-    ${'/'}                      | ${1}
-    ${'app'}                    | ${2}
-    ${'app/assets'}             | ${3}
-    ${'app/assets/javascripts'} | ${4}
-  `('renders $linkCount links for path $path', ({ path, linkCount }) => {
-    factory({ currentPath: path });
+  describe('when `blobOverflowMenu` feature flag is enabled', () => {
+    beforeEach(() => {
+      factory({
+        glFeatures: {
+          blobOverflowMenu: true,
+        },
+      });
+    });
 
-    expect(findRouterLinks().length).toEqual(linkCount);
-  });
+    it('renders the `gl-breadcrumb` component', () => {
+      expect(findGLBreadcrumb().exists()).toBe(true);
+      expect(findGLBreadcrumb().props()).toMatchObject({
+        items: [
+          {
+            path: '/',
+            text: '',
+            to: '/-/tree',
+          },
+        ],
+      });
+    });
 
-  it.each`
-    routeName            | path                        | linkTo
-    ${'treePath'}        | ${'app/assets/javascripts'} | ${'/-/tree/app/assets/javascripts'}
-    ${'treePathDecoded'} | ${'app/assets/javascripts'} | ${'/-/tree/app/assets/javascripts'}
-    ${'blobPath'}        | ${'app/assets/index.js'}    | ${'/-/blob/app/assets/index.js'}
-    ${'blobPathDecoded'} | ${'app/assets/index.js'}    | ${'/-/blob/app/assets/index.js'}
-  `(
-    'links to the correct router path when routeName is $routeName',
-    ({ routeName, path, linkTo }) => {
+    it.each`
+      path                        | linkCount
+      ${'/'}                      | ${1}
+      ${'app'}                    | ${2}
+      ${'app/assets'}             | ${3}
+      ${'app/assets/javascripts'} | ${4}
+    `('renders $linkCount links for path $path', ({ path, linkCount }) => {
       factory({
         currentPath: path,
-        mockRoute: {
-          name: routeName,
+        glFeatures: {
+          blobOverflowMenu: true,
         },
       });
-      expect(findRouterLinks().at(3).attributes('to')).toEqual(linkTo);
-    },
-  );
-
-  it('escapes hash in directory path', () => {
-    factory({ currentPath: 'app/assets/javascripts#' });
-
-    expect(findRouterLinks().at(3).attributes('to')).toEqual('/-/tree/app/assets/javascripts%23');
-  });
-
-  it('renders last link as active', () => {
-    factory({ currentPath: 'app/assets' });
-
-    expect(findRouterLinks().at(2).attributes('aria-current')).toEqual('page');
-  });
-
-  it('does not render add to tree dropdown when permissions are false', async () => {
-    factory({
-      currentPath: '/',
-      extraProps: {
-        canCollaborate: false,
-      },
+      expect(findGLBreadcrumb().props('items').length).toEqual(linkCount);
     });
-    await nextTick();
 
-    expect(findDropdown().exists()).toBe(false);
-  });
-
-  it.each`
-    routeName            | isRendered
-    ${'blobPath'}        | ${false}
-    ${'blobPathDecoded'} | ${false}
-    ${'treePath'}        | ${true}
-    ${'treePathDecoded'} | ${true}
-    ${'projectRoot'}     | ${true}
-  `(
-    'does render add to tree dropdown $isRendered when route is $routeName',
-    ({ routeName, isRendered }) => {
-      factory({
-        currentPath: 'app/assets/javascripts.js',
-        extraProps: {
-          canCollaborate: true,
-          canEditTree: true,
-        },
-        mockRoute: {
-          name: routeName,
-        },
-      });
-      expect(findDropdown().exists()).toBe(isRendered);
-    },
-  );
-
-  it.each`
-    currentPath           | expectedPath | routeName
-    ${'foo'}              | ${'foo'}     | ${'treePath'}
-    ${'foo/bar'}          | ${'foo/bar'} | ${'treePath'}
-    ${'foo/bar/index.js'} | ${'foo/bar'} | ${'blobPath'}
-  `(
-    'sets data-current-path to $expectedPath when path is $currentPath and routeName is $routeName',
-    ({ currentPath, expectedPath, routeName }) => {
-      factory({
-        currentPath,
-        mockRoute: {
-          name: routeName,
-        },
-      });
-
-      expect(wrapper.attributes('data-current-path')).toBe(expectedPath);
-    },
-  );
-
-  it('renders add to tree dropdown when permissions are true', async () => {
-    permissionsQuerySpy.mockResolvedValue(
-      createPermissionsQueryResponse({ forkProject: true, createMergeRequestIn: true }),
-    );
-
-    factory({
-      currentPath: '/',
-      extraProps: {
-        canCollaborate: true,
-        canEditTree: true,
-      },
-    });
-    await nextTick();
-
-    expect(findDropdown().exists()).toBe(true);
-  });
-
-  describe('copy-to-clipboard icon button', () => {
     it.each`
-      description                                  | flagValue | currentPath        | expected
-      ${'does not render button '}                 | ${false}  | ${'/path/to/file'} | ${false}
-      ${'does not render button '}                 | ${true}   | ${''}              | ${false}
-      ${'renders button that copies current path'} | ${true}   | ${'/path/to/file'} | ${true}
+      currentPath           | expectedPath | routeName
+      ${'foo'}              | ${'foo'}     | ${'treePath'}
+      ${'foo/bar'}          | ${'foo/bar'} | ${'treePath'}
+      ${'foo/bar/index.js'} | ${'foo/bar'} | ${'blobPath'}
     `(
-      'when flag is $flagValue and currentPath is "$currentPath", $description',
-      ({ flagValue, currentPath, expected }) => {
+      'sets data-current-path to $expectedPath when path is $currentPath and routeName is $routeName',
+      ({ currentPath, expectedPath, routeName }) => {
         factory({
           currentPath,
+          mockRoute: {
+            name: routeName,
+          },
           glFeatures: {
-            blobOverflowMenu: flagValue,
+            blobOverflowMenu: true,
           },
         });
-        const btn = wrapper.findComponent(ClipboardButton);
-        expect(btn.exists()).toBe(expected);
-        if (expected) {
-          expect(btn.vm.text).toBe(currentPath);
-        }
+
+        expect(findGLBreadcrumb().attributes('data-current-path')).toBe(expectedPath);
       },
     );
+
+    describe('copy-to-clipboard icon button', () => {
+      it.each`
+        description                                  | currentPath        | expected
+        ${'does not render button when path empty'}  | ${''}              | ${false}
+        ${'renders button that copies current path'} | ${'/path/to/file'} | ${true}
+      `(
+        'when feature flag is enabled and currentPath is "$currentPath", $description',
+        ({ currentPath, expected }) => {
+          factory({
+            currentPath,
+            glFeatures: {
+              blobOverflowMenu: true,
+            },
+          });
+          expect(findClipboardButton().exists()).toBe(expected);
+          if (expected) {
+            expect(findClipboardButton().vm.text).toBe(currentPath);
+          }
+        },
+      );
+    });
   });
 
-  describe('renders the upload blob modal', () => {
-    beforeEach(() => {
+  describe('when `blobOverflowMenu` feature flag is disabled', () => {
+    it.each`
+      path                        | linkCount
+      ${'/'}                      | ${1}
+      ${'app'}                    | ${2}
+      ${'app/assets'}             | ${3}
+      ${'app/assets/javascripts'} | ${4}
+    `('renders $linkCount links for path $path', ({ path, linkCount }) => {
+      factory({ currentPath: path });
+
+      expect(findRouterLinks().length).toEqual(linkCount);
+    });
+
+    it.each`
+      routeName            | path                        | linkTo
+      ${'treePath'}        | ${'app/assets/javascripts'} | ${'/-/tree/app/assets/javascripts'}
+      ${'treePathDecoded'} | ${'app/assets/javascripts'} | ${'/-/tree/app/assets/javascripts'}
+      ${'blobPath'}        | ${'app/assets/index.js'}    | ${'/-/blob/app/assets/index.js'}
+      ${'blobPathDecoded'} | ${'app/assets/index.js'}    | ${'/-/blob/app/assets/index.js'}
+    `(
+      'links to the correct router path when routeName is $routeName',
+      ({ routeName, path, linkTo }) => {
+        factory({
+          currentPath: path,
+          mockRoute: {
+            name: routeName,
+          },
+        });
+        expect(findRouterLinks().at(3).attributes('to')).toEqual(linkTo);
+      },
+    );
+
+    it('escapes hash in directory path', () => {
+      factory({ currentPath: 'app/assets/javascripts#' });
+
+      expect(findRouterLinks().at(3).attributes('to')).toEqual('/-/tree/app/assets/javascripts%23');
+    });
+
+    it('renders last link as active', () => {
+      factory({ currentPath: 'app/assets' });
+
+      expect(findRouterLinks().at(2).attributes('aria-current')).toEqual('page');
+    });
+
+    it('does not render add to tree dropdown when permissions are false', async () => {
       factory({
         currentPath: '/',
         extraProps: {
-          canEditTree: true,
+          canCollaborate: false,
         },
       });
+      await nextTick();
+
+      expect(findDropdown().exists()).toBe(false);
     });
 
-    it('does not render the modal while loading', () => {
-      expect(findUploadBlobModal().exists()).toBe(false);
-    });
+    it.each`
+      routeName            | isRendered
+      ${'blobPath'}        | ${false}
+      ${'blobPathDecoded'} | ${false}
+      ${'treePath'}        | ${true}
+      ${'treePathDecoded'} | ${true}
+      ${'projectRoot'}     | ${true}
+    `(
+      'does render add to tree dropdown $isRendered when route is $routeName',
+      ({ routeName, isRendered }) => {
+        factory({
+          currentPath: 'app/assets/javascripts.js',
+          extraProps: {
+            canCollaborate: true,
+            canEditTree: true,
+          },
+          mockRoute: {
+            name: routeName,
+          },
+        });
+        expect(findDropdown().exists()).toBe(isRendered);
+      },
+    );
 
-    it('renders the modal once loaded', async () => {
-      await waitForPromises();
+    it.each`
+      currentPath           | expectedPath | routeName
+      ${'foo'}              | ${'foo'}     | ${'treePath'}
+      ${'foo/bar'}          | ${'foo/bar'} | ${'treePath'}
+      ${'foo/bar/index.js'} | ${'foo/bar'} | ${'blobPath'}
+    `(
+      'sets data-current-path to $expectedPath when path is $currentPath and routeName is $routeName',
+      ({ currentPath, expectedPath, routeName }) => {
+        factory({
+          currentPath,
+          mockRoute: {
+            name: routeName,
+          },
+        });
 
-      expect(findUploadBlobModal().exists()).toBe(true);
-      expect(findUploadBlobModal().props()).toStrictEqual({
-        canPushCode: false,
-        canPushToBranch: false,
-        commitMessage: 'Upload New File',
-        emptyRepo: false,
-        modalId: 'modal-upload-blob',
-        originalBranch: '',
-        path: '',
-        replacePath: null,
-        targetBranch: '',
-      });
-    });
-  });
+        expect(wrapper.attributes('data-current-path')).toBe(expectedPath);
+      },
+    );
 
-  describe('renders the new directory modal', () => {
-    beforeEach(() => {
-      factory({
-        currentPath: 'some_dir',
-        extraProps: {
-          canEditTree: true,
-          newDirPath: 'root/master',
-        },
-      });
-    });
-    it('does not render the modal while loading', () => {
-      expect(findNewDirectoryModal().exists()).toBe(false);
-    });
-
-    it('renders the modal once loaded', async () => {
-      await waitForPromises();
-
-      expect(findNewDirectoryModal().exists()).toBe(true);
-      expect(findNewDirectoryModal().props('path')).toBe('root/master/some_dir');
-    });
-  });
-
-  describe('"this repository" dropdown group', () => {
-    it('renders when user has pushCode permissions', async () => {
+    it('renders add to tree dropdown when permissions are true', async () => {
       permissionsQuerySpy.mockResolvedValue(
-        createPermissionsQueryResponse({
-          pushCode: true,
-        }),
+        createPermissionsQueryResponse({ forkProject: true, createMergeRequestIn: true }),
       );
 
       factory({
         currentPath: '/',
         extraProps: {
           canCollaborate: true,
+          canEditTree: true,
         },
       });
-      await waitForPromises();
+      await nextTick();
 
-      expect(findDropdownGroup().props('group').name).toBe('This repository');
+      expect(findDropdown().exists()).toBe(true);
     });
 
-    it('does not render when user does not have pushCode permissions', async () => {
-      permissionsQuerySpy.mockResolvedValue(
-        createPermissionsQueryResponse({
-          pushCode: false,
-        }),
+    describe('copy-to-clipboard icon button', () => {
+      it.each`
+        description                                  | flagValue | currentPath        | expected
+        ${'does not render button '}                 | ${false}  | ${'/path/to/file'} | ${false}
+        ${'does not render button '}                 | ${true}   | ${''}              | ${false}
+        ${'renders button that copies current path'} | ${true}   | ${'/path/to/file'} | ${true}
+      `(
+        'when flag is $flagValue and currentPath is "$currentPath", $description',
+        ({ flagValue, currentPath, expected }) => {
+          factory({
+            currentPath,
+            glFeatures: {
+              blobOverflowMenu: flagValue,
+            },
+          });
+          expect(findClipboardButton().exists()).toBe(expected);
+          if (expected) {
+            expect(findClipboardButton().vm.text).toBe(currentPath);
+          }
+        },
       );
-
-      factory({
-        currentPath: '/',
-        extraProps: {
-          canCollaborate: true,
-        },
-      });
-      await waitForPromises();
-
-      expect(findDropdownGroup().exists()).toBe(false);
-    });
-  });
-
-  describe('link rendering', () => {
-    it('passes `href` to GlLink when isBlobView is true', () => {
-      factory({
-        currentPath: '/',
-        extraProps: {
-          isBlobView: true,
-        },
-      });
-
-      expect(findRouterLinks().at(0).attributes('href')).toBe('/test-project/path/-/tree');
     });
 
-    it('passes `to` to GlLink when isBlobView is false', () => {
-      factory({
-        currentPath: '/',
-        extraProps: {
-          isBlobView: false,
-        },
+    describe('renders the upload blob modal', () => {
+      beforeEach(() => {
+        factory({
+          currentPath: '/',
+          extraProps: {
+            canEditTree: true,
+          },
+        });
       });
 
-      expect(findRouterLinks().at(0).attributes('to')).toBe('/-/tree');
+      it('does not render the modal while loading', () => {
+        expect(findUploadBlobModal().exists()).toBe(false);
+      });
+
+      it('renders the modal once loaded', async () => {
+        await waitForPromises();
+
+        expect(findUploadBlobModal().exists()).toBe(true);
+        expect(findUploadBlobModal().props()).toStrictEqual({
+          canPushCode: false,
+          canPushToBranch: false,
+          commitMessage: 'Upload New File',
+          emptyRepo: false,
+          modalId: 'modal-upload-blob',
+          originalBranch: '',
+          path: '',
+          replacePath: null,
+          targetBranch: '',
+        });
+      });
+    });
+
+    describe('renders the new directory modal', () => {
+      beforeEach(() => {
+        factory({
+          currentPath: 'some_dir',
+          extraProps: {
+            canEditTree: true,
+            newDirPath: 'root/master',
+          },
+        });
+      });
+      it('does not render the modal while loading', () => {
+        expect(findNewDirectoryModal().exists()).toBe(false);
+      });
+
+      it('renders the modal once loaded', async () => {
+        await waitForPromises();
+
+        expect(findNewDirectoryModal().exists()).toBe(true);
+        expect(findNewDirectoryModal().props('path')).toBe('root/master/some_dir');
+      });
+    });
+
+    describe('"this repository" dropdown group', () => {
+      it('renders when user has pushCode permissions', async () => {
+        permissionsQuerySpy.mockResolvedValue(
+          createPermissionsQueryResponse({
+            pushCode: true,
+          }),
+        );
+
+        factory({
+          currentPath: '/',
+          extraProps: {
+            canCollaborate: true,
+          },
+        });
+        await waitForPromises();
+
+        expect(findDropdownGroup().props('group').name).toBe('This repository');
+      });
+
+      it('does not render when user does not have pushCode permissions', async () => {
+        permissionsQuerySpy.mockResolvedValue(
+          createPermissionsQueryResponse({
+            pushCode: false,
+          }),
+        );
+
+        factory({
+          currentPath: '/',
+          extraProps: {
+            canCollaborate: true,
+          },
+        });
+        await waitForPromises();
+
+        expect(findDropdownGroup().exists()).toBe(false);
+      });
+    });
+
+    it('does not render copy to clipboard button', () => {
+      factory({
+        currentPath: '/path/to/file',
+      });
+      expect(findClipboardButton().exists()).toBe(false);
     });
   });
 });
diff --git a/spec/frontend/search/sidebar/components/merge_requests_filters_spec.js b/spec/frontend/search/sidebar/components/merge_requests_filters_spec.js
index f2bde737fe7..e16b17b5102 100644
--- a/spec/frontend/search/sidebar/components/merge_requests_filters_spec.js
+++ b/spec/frontend/search/sidebar/components/merge_requests_filters_spec.js
@@ -20,14 +20,7 @@ describe('GlobalSearch MergeRequestsFilters', () => {
     hasMissingProjectContext: () => true,
   };
 
-  const createComponent = (
-    initialState = {},
-    provide = {
-      glFeatures: {
-        searchMrFilterSourceBranch: true,
-      },
-    },
-  ) => {
+  const createComponent = (initialState = {}) => {
     const store = new Vuex.Store({
       state: {
         urlQuery: MOCK_QUERY,
@@ -42,7 +35,6 @@ describe('GlobalSearch MergeRequestsFilters', () => {
 
     wrapper = shallowMount(MergeRequestsFilters, {
       store,
-      provide,
     });
   };
 
@@ -104,16 +96,6 @@ describe('GlobalSearch MergeRequestsFilters', () => {
     });
   });
 
-  describe('When feature flag search_mr_filter_source_branch is disabled', () => {
-    beforeEach(() => {
-      createComponent(null, { glFeatures: { searchMrFilterSourceBranch: false } });
-    });
-
-    it(`will not render SourceBranchFilter`, () => {
-      expect(findSourceBranchFilter().exists()).toBe(false);
-    });
-  });
-
   describe('#hasMissingProjectContext getter', () => {
     beforeEach(() => {
       defaultGetters.hasMissingProjectContext = () => false;
diff --git a/spec/frontend/vue_merge_request_widget/components/mr_widget_pipeline_container_spec.js b/spec/frontend/vue_merge_request_widget/components/mr_widget_pipeline_container_spec.js
index 21bd5328266..6a6377f22f1 100644
--- a/spec/frontend/vue_merge_request_widget/components/mr_widget_pipeline_container_spec.js
+++ b/spec/frontend/vue_merge_request_widget/components/mr_widget_pipeline_container_spec.js
@@ -142,6 +142,21 @@ describe('MrWidgetPipelineContainer', () => {
       expect(wrapper.findComponent(MrWidgetPipeline).props().sourceBranchLink).toBe('Foo');
     });
 
+    it('sanitizes the targetBranch output', () => {
+      createComponent({
+        props: {
+          isPostMerge: true,
+          mr: {
+            ...mockStore,
+            targetBranch:
+              "x<i/class='js-unsanitized-code'/data-context-commits-path=/$PROJECT_PATH/-/raw/main/data.json>",
+          },
+        },
+      });
+
+      expect(wrapper.find('.js-unsanitized-code').exists()).toBe(false);
+    });
+
     it('renders deployments', () => {
       const expectedProps = mockStore.postMergeDeployments.map((dep) =>
         expect.objectContaining({
diff --git a/spec/frontend/vue_merge_request_widget/mock_data.js b/spec/frontend/vue_merge_request_widget/mock_data.js
index 54105c04543..8234120a308 100644
--- a/spec/frontend/vue_merge_request_widget/mock_data.js
+++ b/spec/frontend/vue_merge_request_widget/mock_data.js
@@ -402,7 +402,7 @@ export const mockStore = {
       },
     },
     flags: {},
-    ref: {},
+    ref: { branch: '1' },
   },
   mergePipeline: {
     id: 1,
@@ -422,7 +422,7 @@ export const mockStore = {
       },
     },
     flags: {},
-    ref: {},
+    ref: { branch: '1' },
   },
   pipelineEtag: '/etag',
   pipelineIid: '12',
diff --git a/spec/lib/api/ci/helpers/runner_spec.rb b/spec/lib/api/ci/helpers/runner_spec.rb
index 10b51fc1a1f..e4b2a78603e 100644
--- a/spec/lib/api/ci/helpers/runner_spec.rb
+++ b/spec/lib/api/ci/helpers/runner_spec.rb
@@ -167,42 +167,6 @@ RSpec.describe API::Ci::Helpers::Runner, feature_category: :runner do
         expect(current_runner_manager.sharding_key_id).to eq(runner.sharding_key_id)
       end
     end
-
-    context 'when project runner is missing sharding_key_id' do
-      let(:runner) { Ci::Runner.project_type.last }
-      let(:connection) { Ci::Runner.connection }
-
-      before do
-        connection.execute(<<~SQL)
-          ALTER TABLE ci_runners DISABLE TRIGGER ALL;
-
-          INSERT INTO ci_runners(created_at, runner_type, token, sharding_key_id) VALUES(NOW(), 3, 'foo', NULL);
-
-          ALTER TABLE ci_runners ENABLE TRIGGER ALL;
-        SQL
-      end
-
-      it 'fails to create a new runner manager', :aggregate_failures do
-        allow(helper).to receive(:params).and_return(token: runner.token, system_id: 'new_system_id')
-        expect(helper.current_runner).to eq(runner)
-
-        expect { current_runner_manager }.to raise_error described_class::UnknownRunnerOwnerError
-      end
-
-      # TODO: Remove once https://gitlab.com/gitlab-org/gitlab/-/issues/516929 is closed.
-      context 'with reject_orphaned_runners FF disabled' do
-        before do
-          stub_feature_flags(reject_orphaned_runners: false)
-        end
-
-        it 'fails to create a new runner manager', :aggregate_failures do
-          allow(helper).to receive(:params).and_return(token: runner.token, system_id: 'new_system_id')
-          expect(helper.current_runner).to eq(runner)
-
-          expect { current_runner_manager }.to raise_error described_class::UnknownRunnerOwnerError
-        end
-      end
-    end
   end
 
   describe '#track_runner_authentication', :prometheus, feature_category: :runner do
diff --git a/spec/lib/api/entities/ssh_key_with_user_id_spec.rb b/spec/lib/api/entities/ssh_key_with_user_id_spec.rb
new file mode 100644
index 00000000000..6941c60ac1c
--- /dev/null
+++ b/spec/lib/api/entities/ssh_key_with_user_id_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe API::Entities::SshKeyWithUserId, feature_category: :system_access do
+  describe '#as_json' do
+    subject { entity.as_json }
+
+    let(:key) { create(:key, user: create(:user)) }
+    let(:entity) { described_class.new(key) }
+
+    it 'includes basic fields', :aggregate_failures do
+      is_expected.to include(
+        id: key.id,
+        title: key.title,
+        created_at: key.created_at,
+        expires_at: key.expires_at,
+        usage_type: 'auth_and_signing',
+        last_used_at: key.last_used_at,
+        user_id: key.user.id
+      )
+    end
+  end
+end
diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index 0229f367a70..35b36be0c09 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -1095,6 +1095,88 @@ RSpec.describe Gitlab::Auth::AuthFinders, feature_category: :system_access do
     end
   end
 
+  describe '#validate_and_save_access_token!' do
+    context 'when token is a personal access token' do
+      let(:personal_access_token) { create(:personal_access_token, user: user) }
+
+      before do
+        allow_any_instance_of(described_class).to receive(:access_token).and_return(personal_access_token)
+      end
+
+      context 'when reset_token is true' do
+        it 'reloads the access token before validation' do
+          expect(personal_access_token).to receive(:reload)
+
+          validate_and_save_access_token!(reset_token: true)
+        end
+
+        it 'uses the reloaded token for validation' do
+          allow(personal_access_token).to receive(:reload) do
+            personal_access_token.expires_at = 1.day.ago
+          end
+
+          expect { validate_and_save_access_token!(reset_token: true) }.to raise_error(Gitlab::Auth::ExpiredError)
+        end
+      end
+
+      context 'when reset_token is false' do
+        it 'does not reload the access token before validation' do
+          expect(personal_access_token).not_to receive(:reload)
+
+          validate_and_save_access_token!(reset_token: false)
+        end
+      end
+
+      context 'when reset_token is not specified' do
+        it 'does not reload the access token before validation' do
+          expect(personal_access_token).not_to receive(:reload)
+
+          validate_and_save_access_token!
+        end
+      end
+    end
+
+    context 'when token is a OAuth access token' do
+      let!(:oauth_access_token) { create(:oauth_access_token, resource_owner: user) }
+
+      before do
+        allow_any_instance_of(described_class).to receive(:access_token).and_return(oauth_access_token)
+      end
+
+      context 'when reset_token is true' do
+        it 'reloads the access token before validation' do
+          expect(oauth_access_token).to receive(:reload)
+
+          validate_and_save_access_token!(reset_token: true)
+        end
+
+        it 'uses the reloaded token for validation' do
+          allow(oauth_access_token).to receive(:reload) do
+            allow(oauth_access_token).to receive(:expired?).and_return(true)
+          end
+
+          expect { validate_and_save_access_token!(reset_token: true) }.to raise_error(Gitlab::Auth::ExpiredError)
+        end
+      end
+
+      context 'when reset_token is false' do
+        it 'does not reload the access token before validation' do
+          expect(oauth_access_token).not_to receive(:reload)
+
+          validate_and_save_access_token!(reset_token: false)
+        end
+      end
+
+      context 'when reset_token is not specified' do
+        it 'does not reload the access token before validation' do
+          expect(oauth_access_token).not_to receive(:reload)
+
+          validate_and_save_access_token!
+        end
+      end
+    end
+  end
+
   describe '#find_user_from_job_token' do
     let(:token) { job.token }
 
diff --git a/spec/migrations/20240902054331_sync_fk_referencing_p_ci_pipelines_spec.rb b/spec/migrations/20240902054331_sync_fk_referencing_p_ci_pipelines_spec.rb
index fe75134c4cf..2543f7ea093 100644
--- a/spec/migrations/20240902054331_sync_fk_referencing_p_ci_pipelines_spec.rb
+++ b/spec/migrations/20240902054331_sync_fk_referencing_p_ci_pipelines_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'
 require_migration!
 
 RSpec.describe SyncFkReferencingPCiPipelines, migration: :gitlab_ci, feature_category: :continuous_integration do
-  let(:all_tmp_fk_names) do
+  let!(:all_tmp_fk_names) do
     (described_class::FOREIGN_KEYS + described_class::P_FOREIGN_KEYS).pluck(:name)
   end
 
@@ -27,6 +27,27 @@ RSpec.describe SyncFkReferencingPCiPipelines, migration: :gitlab_ci, feature_cat
     end
   end
 
+  it 'is idempotent' do
+    original_foreign_keys = described_class::FOREIGN_KEYS
+    original_p_foreign_keys = described_class::P_FOREIGN_KEYS
+
+    stub_const("#{described_class}::FOREIGN_KEYS", original_foreign_keys + original_foreign_keys)
+    stub_const("#{described_class}::P_FOREIGN_KEYS", original_p_foreign_keys + original_p_foreign_keys)
+
+    reversible_migration do |migration|
+      migration.before -> {
+        expect(fk_count_for(:p_ci_pipelines, all_tmp_fk_names, is_valid: false)).to eq(16)
+        expect(fk_count_for(:p_ci_pipelines, all_fk_names)).to eq(0)
+        expect(fk_count_for(:ci_pipelines, all_fk_names)).to eq(16)
+      }
+      migration.after -> {
+        expect(fk_count_for(:p_ci_pipelines, all_tmp_fk_names, is_valid: false)).to eq(0)
+        expect(fk_count_for(:p_ci_pipelines, all_fk_names)).to eq(16)
+        expect(fk_count_for(:ci_pipelines, all_fk_names)).to eq(0)
+      }
+    end
+  end
+
   private
 
   def fk_count_for(referenced_table, names, is_valid: true)
diff --git a/spec/models/ci/job_token/allowlist_migration_task_spec.rb b/spec/models/ci/job_token/allowlist_migration_task_spec.rb
new file mode 100644
index 00000000000..45fd5486c65
--- /dev/null
+++ b/spec/models/ci/job_token/allowlist_migration_task_spec.rb
@@ -0,0 +1,166 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ci::JobToken::AllowlistMigrationTask, :silence_stdout, feature_category: :secrets_management do
+  let(:only_ids) { nil }
+  let(:exclude_ids) { nil }
+  let(:preview) { nil }
+  let(:output_stream) { StringIO.new }
+  let(:path) { Rails.root.join('tmp/tests/doc/ci/jobs') }
+  let(:user) { ::Users::Internal.admin_bot }
+
+  let(:task) do
+    described_class.new(only_ids: only_ids, exclude_ids: exclude_ids, preview: preview, user: user,
+      output_stream: output_stream)
+  end
+
+  let_it_be(:origin_project) { create(:project) }
+  let_it_be(:accessed_project1) { create(:project) }
+  let_it_be(:accessed_project2) { create(:project) }
+  let_it_be(:accessed_project3) { create(:project) }
+  let(:accessed_projects) do
+    [
+      accessed_project1.reload,
+      accessed_project2.reload,
+      accessed_project3.reload
+    ]
+  end
+
+  before do
+    accessed_projects.each do |accessed_project|
+      create(:ci_job_token_authorization, origin_project: origin_project, accessed_project: accessed_project,
+        last_authorized_at: 1.day.ago)
+
+      accessed_projects.map { |p| p.ci_cd_settings.update!(inbound_job_token_scope_enabled: false) }
+    end
+  end
+
+  describe '#execute' do
+    context "when preview mode is enabled" do
+      let(:preview) { "1" }
+
+      it 'does not call unsafe_execute!' do
+        expect_any_instance_of(::Ci::JobToken::AutopopulateAllowlistService).not_to receive(:unsafe_execute!) # rubocop:disable RSpec/AnyInstanceOf -- not the next instance
+
+        task.execute
+      end
+
+      it 'logs the expected messages' do
+        messages = []
+        messages << task.send(:preview_banner)
+        messages << "\n\nMigrating project(s) in preview mode...\n"
+        accessed_projects.each do |accessed_project|
+          messages << "\nWould have migrated project id: #{accessed_project.id}."
+        end
+        messages << "\n\nMigration complete in preview mode.\n\n"
+
+        task.execute
+
+        expect(output_stream.string).to eq(messages.join)
+      end
+    end
+
+    context "when preview mode is disabled" do
+      it 'calls unsafe_execute!' do
+        service = instance_double(::Ci::JobToken::AutopopulateAllowlistService)
+        allow(::Ci::JobToken::AutopopulateAllowlistService).to receive(:new).and_return(service)
+        expect(service).to receive(:unsafe_execute!).exactly(3).times
+
+        task.execute
+      end
+
+      it 'logs the expected messages' do
+        messages = []
+        messages << "\nMigrating project(s)...\n"
+        accessed_projects.each do |accessed_project|
+          messages << "\nMigrated project id: #{accessed_project.id}."
+        end
+        messages << "\n\nMigration complete.\n\n"
+
+        task.execute
+
+        expect(output_stream.string).to eq(messages.join)
+      end
+
+      context "when an exception is raised" do
+        let(:project) { create(:project) }
+        let(:only_ids) { project.id.to_s }
+
+        it 'logs the error' do
+          exception = Gitlab::Utils::TraversalIdCompactor::CompactionLimitCannotBeAchievedError
+          message = "Error migrating project id: #{project.id}, error: #{exception}\n"
+
+          expect_next_instance_of(::Ci::JobToken::AutopopulateAllowlistService) do |instance|
+            expect(instance).to receive(:unsafe_execute!).and_raise(exception)
+          end
+
+          task.execute
+
+          expect(output_stream.string).to include(message)
+        end
+      end
+    end
+
+    context "when exclude_ids is supplied" do
+      let(:exclude_ids) { "#{accessed_project1.id}, #{accessed_project2.id}" }
+
+      it 'migrates all projects expect those excluded by exclude_ids' do
+        expect(task).not_to receive(:migrate_project).with(accessed_project1)
+        expect(task).not_to receive(:migrate_project).with(accessed_project2)
+        expect(task).to receive(:migrate_project).with(accessed_project3)
+
+        task.execute
+      end
+
+      context 'when too many exclude_ids are supplied' do
+        let(:exclude_ids) { (1..1001).to_a.join(",") }
+
+        it 'displays an error' do
+          task.execute
+
+          expect(output_stream.string).to include(
+            "ONLY_PROJECT_IDS and EXCLUDE_PROJECT_IDS must contain less than 1000 items, try again"
+          )
+        end
+      end
+    end
+
+    context "when only_ids is supplied" do
+      let(:only_ids) { "#{accessed_project1.id}, #{accessed_project2.id}" }
+
+      it 'only migrates projects listed in only_ids' do
+        Project.find([accessed_project1.id, accessed_project2.id]).each do |project|
+          expect(task).to receive(:migrate_project).with(project)
+        end
+
+        task.execute
+      end
+
+      context 'when too many only_ids are supplied' do
+        let(:only_ids) { (1..1001).to_a.join(",") }
+
+        it 'displays an error' do
+          task.execute
+
+          expect(output_stream.string).to include(
+            "ONLY_PROJECT_IDS and EXCLUDE_PROJECT_IDS must contain less than 1000 items, try again"
+          )
+        end
+      end
+    end
+
+    context "when both only_ids and exclude_ids are supplied" do
+      let(:exclude_ids) { accessed_project1.id.to_s }
+      let(:only_ids) { accessed_project2.id.to_s }
+
+      it 'displays an error' do
+        task.execute
+
+        expect(output_stream.string).to include(
+          "ONLY_PROJECT_IDS and EXCLUDE_PROJECT_IDS cannot both be set, try again."
+        )
+      end
+    end
+  end
+end
diff --git a/spec/models/ci/job_token/authorizations_compactor_spec.rb b/spec/models/ci/job_token/authorizations_compactor_spec.rb
index de62b15a00b..f4022b7a317 100644
--- a/spec/models/ci/job_token/authorizations_compactor_spec.rb
+++ b/spec/models/ci/job_token/authorizations_compactor_spec.rb
@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe Ci::JobToken::AuthorizationsCompactor, feature_category: :secrets_management do
   let_it_be(:accessed_project) { create(:project) }
   let(:excluded_namespace_paths) { [] }
-  let(:compactor) { described_class.new(accessed_project.id) }
+  let(:compactor) { described_class.new(accessed_project) }
 
   # [1, 21],            ns1, p1
   # [1, 2, 3],          ns1, ns2, p2
@@ -61,7 +61,7 @@ RSpec.describe Ci::JobToken::AuthorizationsCompactor, feature_category: :secrets
     it 'raises when the limit cannot be achieved' do
       expect do
         compactor.compact(1)
-      end.to raise_error(Gitlab::Utils::TraversalIdCompactor::CompactionLimitCannotBeAchievedError)
+      end.to raise_error(described_class::Error, "CompactionLimitCannotBeAchievedError")
     end
 
     it 'raises when an unexpected compaction entry is found' do
@@ -70,7 +70,7 @@ RSpec.describe Ci::JobToken::AuthorizationsCompactor, feature_category: :secrets
         original_response << [1, 2, 3]
       end
 
-      expect { compactor.compact(5) }.to raise_error(Gitlab::Utils::TraversalIdCompactor::UnexpectedCompactionEntry)
+      expect { compactor.compact(5) }.to raise_error(described_class::Error, "UnexpectedCompactionEntry")
     end
 
     it 'raises when a redundant compaction entry is found' do
@@ -80,7 +80,7 @@ RSpec.describe Ci::JobToken::AuthorizationsCompactor, feature_category: :secrets
         original_response << (last_item.size > 1 ? last_item[0...-1] : last_item)
       end
 
-      expect { compactor.compact(5) }.to raise_error(Gitlab::Utils::TraversalIdCompactor::RedundantCompactionEntry)
+      expect { compactor.compact(5) }.to raise_error(described_class::Error, "RedundantCompactionEntry")
     end
 
     context 'with three top-level namespaces' do
@@ -104,7 +104,7 @@ RSpec.describe Ci::JobToken::AuthorizationsCompactor, feature_category: :secrets
       it 'raises when the limit cannot be achieved' do
         expect do
           compactor.compact(2)
-        end.to raise_error(Gitlab::Utils::TraversalIdCompactor::CompactionLimitCannotBeAchievedError)
+        end.to raise_error(described_class::Error, "CompactionLimitCannotBeAchievedError")
       end
 
       it 'does not raise when the limit cannot be achieved' do
@@ -128,13 +128,13 @@ RSpec.describe Ci::JobToken::AuthorizationsCompactor, feature_category: :secrets
         end
       end
 
-      describe 'when a multiple groups exist' do
+      describe 'when multiple groups exist' do
         before do
           create(:ci_job_token_group_scope_link, source_project: accessed_project, target_group: ns6)
           create(:ci_job_token_group_scope_link, source_project: accessed_project, target_group: ns2)
         end
 
-        it 'removes it from the compaction process' do
+        it 'removes them from the compaction process' do
           compactor.compact(4)
 
           expect(compactor.allowlist_groups).to match_array([ns4])
@@ -159,7 +159,7 @@ RSpec.describe Ci::JobToken::AuthorizationsCompactor, feature_category: :secrets
       end
     end
 
-    describe 'when a multiple projects exist' do
+    describe 'when multiple projects exist' do
       before do
         create(:ci_job_token_project_scope_link, source_project: accessed_project, direction: :inbound,
           target_project: pns8.project)
@@ -167,7 +167,7 @@ RSpec.describe Ci::JobToken::AuthorizationsCompactor, feature_category: :secrets
           target_project: pns2.project)
       end
 
-      it 'removes it from the compaction process' do
+      it 'removes them from the compaction process' do
         compactor.compact(6)
 
         expect(compactor.allowlist_groups).to match_array([ns2, ns4])
@@ -183,7 +183,7 @@ RSpec.describe Ci::JobToken::AuthorizationsCompactor, feature_category: :secrets
         target_project: pns8.project)
     end
 
-    it 'removes it from the compaction process' do
+    it 'removes them from the compaction process' do
       compactor.compact(4)
 
       expect(compactor.allowlist_groups).to match_array([ns4])
@@ -196,7 +196,7 @@ RSpec.describe Ci::JobToken::AuthorizationsCompactor, feature_category: :secrets
       accessed_project_control = create(:project)
       create(:ci_job_token_authorization, origin_project: pns1.project, accessed_project: accessed_project_control,
         last_authorized_at: 1.day.ago)
-      compactor_control = described_class.new(accessed_project_control.id)
+      compactor_control = described_class.new(accessed_project_control)
       control = ActiveRecord::QueryRecorder.new do
         compactor_control.origin_project_traversal_ids
       end
diff --git a/spec/models/ci/runner_spec.rb b/spec/models/ci/runner_spec.rb
index cb927684dd3..216b74e6f38 100644
--- a/spec/models/ci/runner_spec.rb
+++ b/spec/models/ci/runner_spec.rb
@@ -545,8 +545,7 @@ RSpec.describe Ci::Runner, type: :model, factory_default: :keep, feature_categor
         expect(assign_to).to be_truthy
 
         expect(runner).to be_project_type
-        expect(runner.runner_projects.pluck(:project_id))
-          .to contain_exactly(project.id, owner_project.id, fallback_owner_project.id)
+        expect(runner.project_ids).to contain_exactly(project.id, owner_project.id, fallback_owner_project.id)
       end
 
       it 'does not change sharding_key_id or owner' do
diff --git a/spec/models/ci/runner_tagging_spec.rb b/spec/models/ci/runner_tagging_spec.rb
index 18cd0cc5b23..c163357e14b 100644
--- a/spec/models/ci/runner_tagging_spec.rb
+++ b/spec/models/ci/runner_tagging_spec.rb
@@ -10,7 +10,38 @@ RSpec.describe Ci::RunnerTagging, feature_category: :runner do
 
   describe 'validations' do
     it { is_expected.to validate_presence_of(:runner_type) }
-    it { is_expected.to validate_presence_of(:sharding_key_id) }
+
+    describe 'sharding_key_id' do
+      subject(:runner_tagging) { runner.taggings.first }
+
+      context 'when runner_type is instance_type' do
+        let(:runner) { create(:ci_runner, :instance, tag_list: ['postgres']) }
+
+        it { is_expected.to be_valid }
+
+        context 'and sharding_key_id is not nil' do
+          before do
+            runner_tagging.sharding_key_id = group.id
+          end
+
+          it { is_expected.to be_invalid }
+        end
+      end
+
+      context 'when runner_type is group_type' do
+        let(:runner) { create(:ci_runner, :group, groups: [group], tag_list: ['postgres']) }
+
+        it { is_expected.to be_valid }
+
+        context 'and sharding_key_id is nil' do
+          before do
+            runner_tagging.sharding_key_id = nil
+          end
+
+          it { is_expected.to be_invalid }
+        end
+      end
+    end
   end
 
   describe 'partitioning' do
diff --git a/spec/models/integrations/instance/pivotaltracker_spec.rb b/spec/models/integrations/instance/pivotaltracker_spec.rb
new file mode 100644
index 00000000000..57807135516
--- /dev/null
+++ b/spec/models/integrations/instance/pivotaltracker_spec.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Integrations::Instance::Pivotaltracker, feature_category: :integrations do
+  it_behaves_like Integrations::Base::Pivotaltracker
+end
diff --git a/spec/models/integrations/pivotaltracker_spec.rb b/spec/models/integrations/pivotaltracker_spec.rb
index babe9119ccf..b836a66aff1 100644
--- a/spec/models/integrations/pivotaltracker_spec.rb
+++ b/spec/models/integrations/pivotaltracker_spec.rb
@@ -3,104 +3,5 @@
 require 'spec_helper'
 
 RSpec.describe Integrations::Pivotaltracker, feature_category: :integrations do
-  include StubRequests
-
-  describe 'Validations' do
-    context 'when integration is active' do
-      before do
-        subject.active = true
-      end
-
-      it { is_expected.to validate_presence_of(:token) }
-    end
-
-    context 'when integration is inactive' do
-      before do
-        subject.active = false
-      end
-
-      it { is_expected.not_to validate_presence_of(:token) }
-    end
-  end
-
-  describe 'Execute' do
-    let(:integration) do
-      described_class.new.tap do |integration|
-        integration.token = 'secret_api_token'
-      end
-    end
-
-    let(:url) { described_class::API_ENDPOINT }
-
-    def push_data(branch: 'master')
-      {
-        object_kind: 'push',
-        ref: "refs/heads/#{branch}",
-        commits: [
-          {
-            id: '21c12ea',
-            author: {
-              name: 'Some User'
-            },
-            url: 'https://example.com/commit',
-            message: 'commit message'
-          }
-        ]
-      }
-    end
-
-    before do
-      stub_full_request(url, method: :post)
-    end
-
-    it 'posts correct message' do
-      integration.execute(push_data)
-      expect(WebMock).to have_requested(:post, stubbed_hostname(url)).with(
-        body: {
-          'source_commit' => {
-            'commit_id' => '21c12ea',
-            'author' => 'Some User',
-            'url' => 'https://example.com/commit',
-            'message' => 'commit message'
-          }
-        },
-        headers: {
-          'Content-Type' => 'application/json',
-          'X-TrackerToken' => 'secret_api_token'
-        }
-      ).once
-    end
-
-    context 'when allowed branches is specified' do
-      let(:integration) do
-        super().tap do |integration|
-          integration.restrict_to_branch = 'master,v10'
-        end
-      end
-
-      it 'posts message if branch is in the list' do
-        integration.execute(push_data(branch: 'master'))
-        integration.execute(push_data(branch: 'v10'))
-
-        expect(WebMock).to have_requested(:post, stubbed_hostname(url)).twice
-      end
-
-      it 'does not post message if branch is not in the list' do
-        integration.execute(push_data(branch: 'mas'))
-        integration.execute(push_data(branch: 'v11'))
-
-        expect(WebMock).not_to have_requested(:post, stubbed_hostname(url))
-      end
-    end
-  end
-
-  describe '#avatar_url' do
-    it 'returns the avatar image path' do
-      expect(subject.avatar_url).to eq(
-        ActionController::Base.helpers.image_path(
-          'illustrations/third-party-logos/integrations-logos/pivotal-tracker.svg'
-        )
-      )
-    end
-  end
+  it_behaves_like Integrations::Base::Pivotaltracker
 end
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index b08d693ca3e..2738cce695c 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -937,4 +937,17 @@ RSpec.describe IssuePolicy, feature_category: :team_planning do
       end
     end
   end
+
+  context 'with incident issue type' do
+    let_it_be(:project) { create(:project, group: group, guests: guest, planners: planner, reporters: reporter, owners: owner) }
+    let_it_be(:incident) { create(:issue, :incident, project: project) }
+
+    it 'allows accessing an incident' do
+      expect(permissions(guest, incident)).to be_disallowed(:update_issue, :admin_issue)
+      expect(permissions(planner, incident)).to be_disallowed(:update_issue, :admin_issue, :destroy_issue)
+      expect(permissions(reporter, incident)).to be_allowed(:update_issue, :admin_issue)
+      expect(permissions(reporter, incident)).to be_disallowed(:destroy_issue)
+      expect(permissions(owner, incident)).to be_allowed(:update_issue, :admin_issue, :destroy_issue)
+    end
+  end
 end
diff --git a/spec/policies/work_item_policy_spec.rb b/spec/policies/work_item_policy_spec.rb
index c8920f62990..9c6c58377c0 100644
--- a/spec/policies/work_item_policy_spec.rb
+++ b/spec/policies/work_item_policy_spec.rb
@@ -38,6 +38,8 @@ RSpec.describe WorkItemPolicy, :aggregate_failures, feature_category: :team_plan
       let(:authored_project_confidential_work_item) { create(:work_item, confidential: true, project: private_project, author: guest_author) }
       let(:not_persisted_project_work_item) { build(:work_item, project: private_project) }
 
+      let_it_be(:incident_work_item) { create(:work_item, :incident, project: private_project) }
+
       it_behaves_like 'checks abilities for project level work items'
 
       it 'checks non-member abilities' do
@@ -70,6 +72,8 @@ RSpec.describe WorkItemPolicy, :aggregate_failures, feature_category: :team_plan
       let(:authored_project_confidential_work_item) { create(:work_item, confidential: true, project: private_project, author: guest_author) }
       let(:not_persisted_project_work_item) { build(:work_item, project: public_project) }
 
+      let_it_be(:incident_work_item) { create(:work_item, :incident, project: public_project) }
+
       it_behaves_like 'checks abilities for project level work items'
 
       it 'checks non-member abilities' do
diff --git a/spec/requests/api/ci/runner/jobs_request_post_spec.rb b/spec/requests/api/ci/runner/jobs_request_post_spec.rb
index 0e7d6d0beb0..adc4b60521c 100644
--- a/spec/requests/api/ci/runner/jobs_request_post_spec.rb
+++ b/spec/requests/api/ci/runner/jobs_request_post_spec.rb
@@ -203,19 +203,6 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state, feature_catego
                   expect(response).to have_gitlab_http_status(:forbidden)
                   expect(response.body).to eq({ message: '403 Forbidden - Runner is orphaned' }.to_json)
                 end
-
-                # TODO: Remove once https://gitlab.com/gitlab-org/gitlab/-/issues/516929 is closed.
-                context 'with reject_orphaned_runners FF disabled' do
-                  before do
-                    stub_feature_flags(reject_orphaned_runners: false)
-                  end
-
-                  it 'returns unprocessable entity status code', :aggregate_failures do
-                    expect { request }.not_to change { Ci::RunnerManager.count }.from(0)
-                    expect(response).to have_gitlab_http_status(:unprocessable_entity)
-                    expect(response.body).to eq({ message: 'Runner is orphaned' }.to_json)
-                  end
-                end
               end
 
               private
diff --git a/spec/requests/api/ci/runner/runners_verify_post_spec.rb b/spec/requests/api/ci/runner/runners_verify_post_spec.rb
index 4a5e36c00db..89cae75ecaf 100644
--- a/spec/requests/api/ci/runner/runners_verify_post_spec.rb
+++ b/spec/requests/api/ci/runner/runners_verify_post_spec.rb
@@ -123,21 +123,6 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state, feature_catego
                 expect(response).to have_gitlab_http_status(:forbidden)
                 expect(response.body).to eq({ message: '403 Forbidden - Runner is orphaned' }.to_json)
               end
-
-              # TODO: Remove once https://gitlab.com/gitlab-org/gitlab/-/issues/516929 is closed.
-              context 'with reject_orphaned_runners FF disabled' do
-                before do
-                  stub_feature_flags(reject_orphaned_runners: false)
-                end
-
-                it 'does not update contacted_at and returns error', :aggregate_failures do
-                  expect { verify }.not_to change { partitioned_runner_exists?(non_partitioned_runner) }.from(false)
-
-                  expect(response).to have_gitlab_http_status(:unprocessable_entity)
-                  expect(response.body).to eq({ message: 'Runner is orphaned' }.to_json)
-                  expect(non_partitioned_runner.contacted_at).to be_nil
-                end
-              end
             end
 
             private
diff --git a/spec/requests/api/graphql/mutations/issues/link_alerts_spec.rb b/spec/requests/api/graphql/mutations/issues/link_alerts_spec.rb
index df6c20d6176..edff98cc9a4 100644
--- a/spec/requests/api/graphql/mutations/issues/link_alerts_spec.rb
+++ b/spec/requests/api/graphql/mutations/issues/link_alerts_spec.rb
@@ -5,8 +5,9 @@ require 'spec_helper'
 RSpec.describe 'Link alerts to an incident', feature_category: :incident_management do
   include GraphqlHelpers
 
-  let_it_be(:user) { create(:user) }
   let_it_be(:project) { create(:project) }
+  let_it_be(:planner) { create(:user, planner_of: project) }
+  let_it_be(:developer) { create(:user, developer_of: project) }
   let_it_be(:linked_alert) { create(:alert_management_alert, project: project) }
   let_it_be(:alert1) { create(:alert_management_alert, project: project) }
   let_it_be(:alert2) { create(:alert_management_alert, project: project) }
@@ -44,7 +45,7 @@ RSpec.describe 'Link alerts to an incident', feature_category: :incident_managem
   context 'when the user is not allowed to update the incident' do
     it 'returns an error' do
       error = Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR
-      post_graphql_mutation(mutation, current_user: user)
+      post_graphql_mutation(mutation, current_user: planner)
 
       expect(response).to have_gitlab_http_status(:success)
       expect(graphql_errors).to include(a_hash_including('message' => error))
@@ -52,12 +53,8 @@ RSpec.describe 'Link alerts to an incident', feature_category: :incident_managem
   end
 
   context 'when the user is allowed to update the incident' do
-    before do
-      project.add_developer(user)
-    end
-
     it 'links alerts to the incident' do
-      post_graphql_mutation(mutation, current_user: user)
+      post_graphql_mutation(mutation, current_user: developer)
 
       expect(response).to have_gitlab_http_status(:success)
       expected_response = [linked_alert, alert1, alert2].map { |a| { 'iid' => a.iid.to_s } }
diff --git a/spec/requests/api/graphql/mutations/issues/set_escalation_status_spec.rb b/spec/requests/api/graphql/mutations/issues/set_escalation_status_spec.rb
index de1cffafd13..4f78c7fde08 100644
--- a/spec/requests/api/graphql/mutations/issues/set_escalation_status_spec.rb
+++ b/spec/requests/api/graphql/mutations/issues/set_escalation_status_spec.rb
@@ -8,12 +8,12 @@ RSpec.describe 'Setting the escalation status of an incident', feature_category:
   let_it_be(:project) { create(:project) }
   let_it_be(:issue) { create(:incident, project: project) }
   let_it_be(:escalation_status) { create(:incident_management_issuable_escalation_status, issue: issue) }
-  let_it_be(:user) { create(:user, developer_of: project) }
+  let_it_be(:developer) { create(:user, developer_of: project) }
 
   let(:status) { 'ACKNOWLEDGED' }
   let(:input) { { project_path: project.full_path, iid: issue.iid.to_s, status: status } }
+  let(:current_user) { developer }
 
-  let(:current_user) { user }
   let(:mutation) do
     graphql_mutation(:issue_set_escalation_status, input) do
       <<~QL
@@ -30,13 +30,16 @@ RSpec.describe 'Setting the escalation status of an incident', feature_category:
   let(:mutation_response) { graphql_mutation_response(:issue_set_escalation_status) }
 
   context 'when user does not have permission to edit the escalation status' do
-    let(:current_user) { create(:user) }
+    let_it_be(:planner) { create(:user, planner_of: project) }
+    let_it_be(:reporter) { create(:user, reporter_of: project) }
 
-    before_all do
-      project.add_reporter(user)
+    where(:user) { [ref(:planner), ref(:reporter)] }
+
+    with_them do
+      let(:current_user) { user }
+
+      it_behaves_like 'a mutation that returns a top-level access error'
     end
-
-    it_behaves_like 'a mutation that returns a top-level access error'
   end
 
   context 'with non-incident issue is provided' do
diff --git a/spec/requests/api/graphql/mutations/issues/set_severity_spec.rb b/spec/requests/api/graphql/mutations/issues/set_severity_spec.rb
index d53b938a983..c7536a1b6c2 100644
--- a/spec/requests/api/graphql/mutations/issues/set_severity_spec.rb
+++ b/spec/requests/api/graphql/mutations/issues/set_severity_spec.rb
@@ -5,10 +5,11 @@ require 'spec_helper'
 RSpec.describe 'Setting severity level of an incident', feature_category: :incident_management do
   include GraphqlHelpers
 
-  let_it_be(:user) { create(:user) }
+  let_it_be(:incident) { create(:incident) }
+  let_it_be(:project) { incident.project }
+  let_it_be(:planner) { create(:user, planner_of: project) }
+  let_it_be(:reporter) { create(:user, reporter_of: project) }
 
-  let(:incident) { create(:incident) }
-  let(:project) { incident.project }
   let(:input) { { severity: 'CRITICAL' } }
 
   let(:mutation) do
@@ -36,6 +37,8 @@ RSpec.describe 'Setting severity level of an incident', feature_category: :incid
   end
 
   context 'when the user is not allowed to update the incident' do
+    let(:user) { planner }
+
     it 'returns an error' do
       error = Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR
       post_graphql_mutation(mutation, current_user: user)
@@ -46,9 +49,7 @@ RSpec.describe 'Setting severity level of an incident', feature_category: :incid
   end
 
   context 'when the user is allowed to update the incident' do
-    before do
-      project.add_developer(user)
-    end
+    let(:user) { reporter }
 
     it 'updates the issue' do
       post_graphql_mutation(mutation, current_user: user)
diff --git a/spec/requests/api/graphql/mutations/issues/unlink_alerts_spec.rb b/spec/requests/api/graphql/mutations/issues/unlink_alerts_spec.rb
index 807afdfb812..45e5de052d8 100644
--- a/spec/requests/api/graphql/mutations/issues/unlink_alerts_spec.rb
+++ b/spec/requests/api/graphql/mutations/issues/unlink_alerts_spec.rb
@@ -5,8 +5,10 @@ require 'spec_helper'
 RSpec.describe 'Unlink alert from an incident', feature_category: :incident_management do
   include GraphqlHelpers
 
-  let_it_be(:user) { create(:user) }
   let_it_be(:project) { create(:project) }
+  let_it_be(:planner) { create(:user, planner_of: project) }
+  let_it_be(:reporter) { create(:user, reporter_of: project) }
+  let_it_be(:developer) { create(:user, developer_of: project) }
   let_it_be(:another_project) { create(:project) }
   let_it_be(:internal_alert) { create(:alert_management_alert, project: project) }
   let_it_be(:external_alert) { create(:alert_management_alert, project: another_project) }
@@ -48,7 +50,7 @@ RSpec.describe 'Unlink alert from an incident', feature_category: :incident_mana
 
     it 'returns an error' do
       error = Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR
-      post_graphql_mutation(mutation, current_user: user)
+      post_graphql_mutation(mutation, current_user: planner)
 
       expect(response).to have_gitlab_http_status(:success)
       expect(graphql_errors).to include(a_hash_including('message' => error))
@@ -56,13 +58,9 @@ RSpec.describe 'Unlink alert from an incident', feature_category: :incident_mana
   end
 
   context 'when the user is allowed to update the incident' do
-    before_all do
-      project.add_developer(user)
-    end
-
     shared_examples 'unlinking' do
       it 'unlinks the alert from the incident', :aggregate_failures do
-        post_graphql_mutation(mutation, current_user: user)
+        post_graphql_mutation(mutation, current_user: current_user)
 
         expect(response).to have_gitlab_http_status(:success)
         expected_response = visible_remainded_alerts.map { |a| { 'id' => a.to_global_id.to_s } }
@@ -73,6 +71,7 @@ RSpec.describe 'Unlink alert from an incident', feature_category: :incident_mana
     end
 
     context 'when the alert is internal' do
+      let(:current_user) { reporter }
       let(:alert_to_unlink) { internal_alert }
       let(:actual_remainded_alerts) { [external_alert] }
       let(:visible_remainded_alerts) { [] } # The user cannot fetch external alerts without reading permissions
@@ -81,6 +80,7 @@ RSpec.describe 'Unlink alert from an incident', feature_category: :incident_mana
     end
 
     context 'when the alert is external' do
+      let(:current_user) { developer }
       let(:alert_to_unlink) { external_alert }
       let(:actual_remainded_alerts) { [internal_alert] }
       let(:visible_remainded_alerts) { [internal_alert] }
diff --git a/spec/requests/api/graphql/mutations/issues/update_spec.rb b/spec/requests/api/graphql/mutations/issues/update_spec.rb
index 553d9d8c441..c5542c38570 100644
--- a/spec/requests/api/graphql/mutations/issues/update_spec.rb
+++ b/spec/requests/api/graphql/mutations/issues/update_spec.rb
@@ -8,6 +8,9 @@ RSpec.describe 'Update of an existing issue', feature_category: :team_planning d
   let_it_be(:current_user) { create(:user) }
   let_it_be(:project) { create(:project, :public) }
   let_it_be(:issue) { create(:issue, project: project) }
+  let_it_be(:guest) { create(:user, guest_of: project) }
+  let_it_be(:planner) { create(:user, planner_of: project) }
+  let_it_be(:reporter) { create(:user, reporter_of: project) }
   let_it_be(:label1) { create(:label, title: "a", project: project) }
   let_it_be(:label2) { create(:label, title: "b", project: project) }
 
@@ -28,13 +31,21 @@ RSpec.describe 'Update of an existing issue', feature_category: :team_planning d
   let(:mutation_response) { graphql_mutation_response(:update_issue) }
 
   context 'the user is not allowed to update issue' do
+    let(:current_user) { guest }
+
     it_behaves_like 'a mutation that returns a top-level access error'
+
+    context 'when issue type is incident' do
+      let_it_be(:issue) { create(:issue, :incident, project: project) }
+
+      let(:current_user) { planner }
+
+      it_behaves_like 'a mutation that returns a top-level access error'
+    end
   end
 
   context 'when user has permissions to update issue' do
-    before do
-      project.add_developer(current_user)
-    end
+    let(:current_user) { reporter }
 
     it 'updates the issue' do
       post_graphql_mutation(mutation, current_user: current_user)
diff --git a/spec/requests/api/graphql/mutations/work_items/delete_spec.rb b/spec/requests/api/graphql/mutations/work_items/delete_spec.rb
index b97e7cfbe19..bdecf1d3629 100644
--- a/spec/requests/api/graphql/mutations/work_items/delete_spec.rb
+++ b/spec/requests/api/graphql/mutations/work_items/delete_spec.rb
@@ -8,47 +8,99 @@ RSpec.describe 'Delete a work item', feature_category: :team_planning do
   let_it_be(:group) { create(:group) }
   let_it_be(:owner) { create(:user, owner_of: group) }
   let_it_be(:project) { create(:project, group: group) }
+  let_it_be(:planner) { create(:user, planner_of: project) }
+  let_it_be(:author) { create(:user, developer_of: project) }
   let_it_be(:developer) { create(:user, developer_of: project) }
+  let_it_be(:issue) { create(:work_item, :issue, project: project, author: author) }
+  let_it_be(:incident) { create(:work_item, :incident, project: project) }
 
-  let(:current_user) { developer }
   let(:mutation) { graphql_mutation(:workItemDelete, { 'id' => work_item.to_global_id.to_s }) }
   let(:mutation_response) { graphql_mutation_response(:work_item_delete) }
 
   context 'when the user is not allowed to delete a work item' do
-    let(:work_item) { create(:work_item, project: project) }
+    context 'with issue type' do
+      let(:work_item) { issue }
+      let(:current_user) { developer }
 
-    it_behaves_like 'a mutation that returns a top-level access error'
+      it_behaves_like 'a mutation that returns a top-level access error'
+    end
+
+    context 'with incident type' do
+      let(:work_item) { incident }
+
+      context 'when user is planner' do
+        let(:current_user) { planner }
+
+        it_behaves_like 'a mutation that returns a top-level access error'
+      end
+
+      context 'when user is author' do
+        let(:current_user) { author }
+
+        it_behaves_like 'a mutation that returns a top-level access error'
+      end
+    end
   end
 
   context 'when user has permissions to delete a work item' do
-    let_it_be(:authored_work_item, refind: true) { create(:work_item, project: project, author: developer, assignees: [developer]) }
-
-    let(:work_item) { authored_work_item }
-
-    it 'deletes the work item' do
-      expect do
-        post_graphql_mutation(mutation, current_user: current_user)
-      end.to change(WorkItem, :count).by(-1)
-
-      expect(response).to have_gitlab_http_status(:success)
-      expect(mutation_response['project']).to include('id' => work_item.project.to_global_id.to_s)
-    end
-
-    context 'when an error is produced when trying to delete the work item' do
-      let(:error_response) { ServiceResponse.error(message: 'Failed to delete') }
-
-      before do
-        allow_next_instance_of(WorkItems::DeleteService) do |instance|
-          allow(instance).to receive(:execute).and_return(error_response)
-        end
-      end
-
-      it 'returns an error message' do
+    shared_examples 'mutation that deletes work item' do
+      it 'deletes the work item' do
         expect do
           post_graphql_mutation(mutation, current_user: current_user)
-        end.to not_change(WorkItem, :count)
+        end.to change(WorkItem, :count).by(-1)
 
-        expect(mutation_response['errors']).to contain_exactly('Failed to delete')
+        expect(response).to have_gitlab_http_status(:success)
+        expect(mutation_response['project']).to include('id' => work_item.project.to_global_id.to_s)
+      end
+
+      context 'when an error is produced when trying to delete the work item' do
+        let(:error_response) { ServiceResponse.error(message: 'Failed to delete') }
+
+        before do
+          allow_next_instance_of(WorkItems::DeleteService) do |instance|
+            allow(instance).to receive(:execute).and_return(error_response)
+          end
+        end
+
+        it 'returns an error message' do
+          expect do
+            post_graphql_mutation(mutation, current_user: current_user)
+          end.to not_change(WorkItem, :count)
+
+          expect(mutation_response['errors']).to contain_exactly('Failed to delete')
+        end
+      end
+    end
+
+    context 'with issue type' do
+      context 'when user is author' do
+        let(:work_item) { issue }
+        let(:current_user) { author }
+
+        it_behaves_like 'mutation that deletes work item'
+      end
+
+      context 'when user is planner' do
+        let(:work_item) { issue }
+        let(:current_user) { planner }
+
+        it_behaves_like 'mutation that deletes work item'
+      end
+
+      context 'when user is owner' do
+        let(:work_item) { issue }
+        let(:current_user) { owner }
+
+        it_behaves_like 'mutation that deletes work item'
+      end
+    end
+
+    context 'with incident type' do
+      context 'when user is owner' do
+        let(:work_item) { incident }
+        let(:current_user) { owner }
+
+        it_behaves_like 'mutation that deletes work item'
       end
     end
   end
diff --git a/spec/requests/api/graphql/mutations/work_items/update_spec.rb b/spec/requests/api/graphql/mutations/work_items/update_spec.rb
index d51da2e243b..34ff3d5974d 100644
--- a/spec/requests/api/graphql/mutations/work_items/update_spec.rb
+++ b/spec/requests/api/graphql/mutations/work_items/update_spec.rb
@@ -11,6 +11,7 @@ RSpec.describe 'Update a work item', feature_category: :team_planning do
   let_it_be(:developer) { create(:user, developer_of: group) }
   let_it_be(:reporter) { create(:user, reporter_of: group) }
   let_it_be(:guest) { create(:user, guest_of: group) }
+  let_it_be(:planner) { create(:user, planner_of: group) }
   let_it_be(:work_item, refind: true) { create(:work_item, project: project, author: author) }
 
   let(:input) { { 'stateEvent' => 'CLOSE', 'title' => 'updated title' } }
@@ -28,6 +29,7 @@ RSpec.describe 'Update a work item', feature_category: :team_planning do
   let(:mutation) { graphql_mutation(:workItemUpdate, input.merge('id' => mutation_work_item.to_gid.to_s), fields) }
 
   let(:mutation_response) { graphql_mutation_response(:work_item_update) }
+  let(:widgets_response) { mutation_response['workItem']['widgets'] }
 
   before_all do
     # Ensure support bot user is created so creation doesn't count towards query limit
@@ -47,13 +49,20 @@ RSpec.describe 'Update a work item', feature_category: :team_planning do
   end
 
   context 'the user is not allowed to update a work item' do
-    let(:current_user) { create(:user) }
+    let(:current_user) { guest }
 
     it_behaves_like 'a mutation that returns a top-level access error'
+
+    context 'with incident type' do
+      let(:work_item) { create(:work_item, :incident, project: project) }
+      let(:current_user) { planner }
+
+      it_behaves_like 'a mutation that returns a top-level access error'
+    end
   end
 
   context 'when user has permissions to update a work item' do
-    let(:current_user) { developer }
+    let(:current_user) { planner }
 
     it_behaves_like 'has spam protection' do
       let(:mutation_class) { ::Mutations::WorkItems::Update }
@@ -564,7 +573,6 @@ RSpec.describe 'Update a work item', feature_category: :team_planning do
     end
 
     context 'with hierarchy widget input' do
-      let(:widgets_response) { mutation_response['workItem']['widgets'] }
       let(:fields) do
         <<~FIELDS
           workItem {
@@ -597,10 +605,6 @@ RSpec.describe 'Update a work item', feature_category: :team_planning do
       let(:child2_ref) { { adjacentWorkItemId: valid_child2.to_global_id.to_s } }
       let(:relative_range) { [valid_child1, valid_child2].map(&:parent_link).map(&:relative_position) }
 
-      let(:invalid_relative_position_error) do
-        WorkItems::Callbacks::Hierarchy::INVALID_RELATIVE_POSITION_ERROR
-      end
-
       shared_examples 'updates work item parent and sets the relative position' do
         it do
           expect do
@@ -639,7 +643,8 @@ RSpec.describe 'Update a work item', feature_category: :team_planning do
           end.to not_change(work_item, :work_item_parent)
 
           expect(mutation_response['workItem']).to be_nil
-          expect(mutation_response['errors']).to match_array([invalid_relative_position_error])
+          expect(mutation_response['errors'])
+            .to match_array([WorkItems::Callbacks::Hierarchy::INVALID_RELATIVE_POSITION_ERROR])
         end
       end
 
@@ -1607,7 +1612,7 @@ RSpec.describe 'Update a work item', feature_category: :team_planning do
       end
 
       context 'when user has permissions to update the work item' do
-        let(:current_user) { reporter }
+        let(:current_user) { planner }
 
         it 'updates work item discussion locked attribute on notes widget' do
           expect do
diff --git a/spec/requests/api/issues/issues_spec.rb b/spec/requests/api/issues/issues_spec.rb
index ed45ac06e4d..516d135147f 100644
--- a/spec/requests/api/issues/issues_spec.rb
+++ b/spec/requests/api/issues/issues_spec.rb
@@ -13,7 +13,9 @@ RSpec.describe API::Issues, feature_category: :team_planning do
 
   let_it_be(:user2) { create(:user) }
   let_it_be(:non_member) { create(:user) }
-  let_it_be(:guest)       { create(:user, guest_of: [project, private_mrs_project]) }
+  let_it_be(:guest) { create(:user, guest_of: [project, private_mrs_project]) }
+  let_it_be(:planner) { create(:user, planner_of: [project]) }
+  let_it_be(:owner) { create(:user, owner_of: [project]) }
   let_it_be(:author)      { create(:author) }
   let_it_be(:assignee)    { create(:assignee) }
   let_it_be(:admin) { create(:user, :admin) }
@@ -1213,6 +1215,26 @@ RSpec.describe API::Issues, feature_category: :team_planning do
   end
 
   describe 'PUT /projects/:id/issues/:issue_iid' do
+    context 'when user has insufficient permissions' do
+      let(:params) { { title: 'new title' } }
+
+      it 'returns forbidden status for guest' do
+        put api("/projects/#{project.id}/issues/#{issue.iid}", guest), params: params
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+
+      context 'when issue_type is incident' do
+        let_it_be(:incident) { create(:issue, :incident, project: project) }
+
+        it 'returns forbidden status for planner' do
+          put api("/projects/#{project.id}/issues/#{incident.iid}", planner), params: params
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+    end
+
     it_behaves_like 'issuable update endpoint' do
       let(:entity) { issue }
     end
@@ -1285,9 +1307,6 @@ RSpec.describe API::Issues, feature_category: :team_planning do
     end
 
     context 'when the user is project owner' do
-      let(:owner)     { create(:user) }
-      let(:project)   { create(:project, namespace: owner.namespace) }
-
       it 'deletes the issue if an admin requests it' do
         delete api("/projects/#{project.id}/issues/#{issue_for_deletion.iid}", owner)
 
@@ -1312,6 +1331,25 @@ RSpec.describe API::Issues, feature_category: :team_planning do
 
       expect(response).to have_gitlab_http_status(:not_found)
     end
+
+    context 'when issue type is incident' do
+      let_it_be(:incident) { create(:issue, :incident, author: author, assignees: [assignee], project: project) }
+
+      where(:current_user) { [ref(:planner), ref(:author), ref(:assignee)] }
+
+      with_them do
+        it 'rejects user from deleting an incident' do
+          delete api("/projects/#{project.id}/issues/#{incident.iid}", current_user)
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+
+      it 'allows an owner to delete an incident' do
+        delete api("/projects/#{project.id}/issues/#{incident.iid}", owner)
+
+        expect(response).to have_gitlab_http_status(:no_content)
+      end
+    end
   end
 
   describe 'time tracking endpoints' do
diff --git a/spec/requests/groups/bulk_placeholder_assignments_controller_spec.rb b/spec/requests/groups/bulk_placeholder_assignments_controller_spec.rb
index 55a89037614..61b6722a934 100644
--- a/spec/requests/groups/bulk_placeholder_assignments_controller_spec.rb
+++ b/spec/requests/groups/bulk_placeholder_assignments_controller_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe Groups::BulkPlaceholderAssignmentsController, feature_category: :
 
   let_it_be(:user) { create(:user) }
   let_it_be(:group) { create(:group, :public, owners: user) }
+  let_it_be(:source_user) { create(:import_source_user, namespace: group) }
   let(:file) { fixture_file_upload('spec/fixtures/import/user_mapping/user_mapping_upload.csv') }
 
   describe 'GET /groups/*group_id/-/group_members/bulk_reassignment_file' do
diff --git a/spec/requests/jwks_controller_spec.rb b/spec/requests/jwks_controller_spec.rb
index 8a72f894d99..cd84a19f39f 100644
--- a/spec/requests/jwks_controller_spec.rb
+++ b/spec/requests/jwks_controller_spec.rb
@@ -16,4 +16,28 @@ RSpec.describe JwksController, feature_category: :system_access do
       end
     end
   end
+
+  describe '/oauth/discovery/keys' do
+    include_context 'when doing OIDC key discovery'
+
+    it 'removes missing keys' do
+      expect(Rails.application.credentials).to receive(:openid_connect_signing_key).and_return(rsa_key_1.to_pem)
+      expect(Gitlab::CurrentSettings).to receive(:ci_jwt_signing_key).and_return(nil)
+
+      expect(jwks.size).to eq(1)
+      expect(jwks).to match_array([
+        satisfy { |jwk| key_match?(jwk, rsa_key_1) }
+      ])
+    end
+
+    it 'removes duplicate keys' do
+      expect(Rails.application.credentials).to receive(:openid_connect_signing_key).and_return(rsa_key_1.to_pem)
+      expect(Gitlab::CurrentSettings).to receive(:ci_jwt_signing_key).and_return(rsa_key_1.to_pem)
+
+      expect(jwks.size).to eq(1)
+      expect(jwks).to match_array([
+        satisfy { |jwk| key_match?(jwk, rsa_key_1) }
+      ])
+    end
+  end
 end
diff --git a/spec/serializers/issue_sidebar_basic_entity_spec.rb b/spec/serializers/issue_sidebar_basic_entity_spec.rb
index 48bd10ee7ab..908fcfa8ea1 100644
--- a/spec/serializers/issue_sidebar_basic_entity_spec.rb
+++ b/spec/serializers/issue_sidebar_basic_entity_spec.rb
@@ -5,6 +5,9 @@ require 'spec_helper'
 RSpec.describe IssueSidebarBasicEntity, feature_category: :team_planning do
   let_it_be(:group) { create(:group) }
   let_it_be(:project) { create(:project, :repository, group: group) }
+  let_it_be(:guest) { create(:user, guest_of: project) }
+  let_it_be(:planner) { create(:user, planner_of: project) }
+  let_it_be(:reporter) { create(:user, reporter_of: project) }
   let_it_be(:user) { create(:user, developer_of: project) }
   let_it_be_with_reload(:issue) { create(:issue, project: project, assignees: [user]) }
 
@@ -28,6 +31,8 @@ RSpec.describe IssueSidebarBasicEntity, feature_category: :team_planning do
   end
 
   describe 'current_user' do
+    let_it_be(:incident) { create(:issue, :incident, project: project, assignees: [user]) }
+
     it 'contains attributes related to the current user' do
       expect(entity[:current_user]).to include(
         :id, :name, :username, :state, :avatar_url, :web_url, :todo,
@@ -43,11 +48,7 @@ RSpec.describe IssueSidebarBasicEntity, feature_category: :team_planning do
       end
 
       context 'for an incident issue' do
-        before do
-          issue.update!(
-            work_item_type: WorkItems::Type.default_by_type(:incident)
-          )
-        end
+        let_it_be(:issue) { incident }
 
         it 'is present and true' do
           expect(entity[:current_user][:can_update_escalation_status]).to be(true)
@@ -63,6 +64,46 @@ RSpec.describe IssueSidebarBasicEntity, feature_category: :team_planning do
         end
       end
     end
+
+    describe 'can_edit' do
+      context 'for a standard issue' do
+        context 'with edit permissions' do
+          let(:user) { planner }
+
+          it 'is present and true' do
+            expect(entity[:current_user][:can_edit]).to be(true)
+          end
+        end
+
+        context 'without edit permissions' do
+          let(:user) { guest }
+
+          it 'is present and false' do
+            expect(entity[:current_user][:can_edit]).to be(false)
+          end
+        end
+      end
+
+      context 'for a incident issue' do
+        let_it_be(:issue) { incident }
+
+        context 'with edit permissions' do
+          let(:user) { reporter }
+
+          it 'is present and true' do
+            expect(entity[:current_user][:can_edit]).to be(true)
+          end
+        end
+
+        context 'without edit permissions' do
+          let(:user) { planner }
+
+          it 'is present and false' do
+            expect(entity[:current_user][:can_edit]).to be(false)
+          end
+        end
+      end
+    end
   end
 
   describe 'show_crm_contacts' do
diff --git a/spec/services/ci/job_token/autopopulate_allowlist_service_spec.rb b/spec/services/ci/job_token/autopopulate_allowlist_service_spec.rb
index d399bbe8296..ed0a3a57e74 100644
--- a/spec/services/ci/job_token/autopopulate_allowlist_service_spec.rb
+++ b/spec/services/ci/job_token/autopopulate_allowlist_service_spec.rb
@@ -90,7 +90,7 @@ RSpec.describe Ci::JobToken::AutopopulateAllowlistService, feature_category: :se
         result = service.execute
 
         expect(result).to be_error
-        expect(result.message).to eq('Gitlab::Utils::TraversalIdCompactor::CompactionLimitCannotBeAchievedError')
+        expect(result.message).to eq('CompactionLimitCannotBeAchievedError')
 
         expect(Ci::JobToken::GroupScopeLink.count).to be(0)
         expect(Ci::JobToken::ProjectScopeLink.count).to be(0)
@@ -109,7 +109,7 @@ RSpec.describe Ci::JobToken::AutopopulateAllowlistService, feature_category: :se
         result = service.execute
 
         expect(result).to be_error
-        expect(result.message).to eq('Gitlab::Utils::TraversalIdCompactor::UnexpectedCompactionEntry')
+        expect(result.message).to eq('UnexpectedCompactionEntry')
       end
 
       it 'logs a RedundantCompactionEntry error', quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/513211' do
@@ -121,7 +121,7 @@ RSpec.describe Ci::JobToken::AutopopulateAllowlistService, feature_category: :se
         result = service.execute
 
         expect(result).to be_error
-        expect(result.message).to eq('Gitlab::Utils::TraversalIdCompactor::RedundantCompactionEntry')
+        expect(result.message).to eq('RedundantCompactionEntry')
       end
     end
 
@@ -148,13 +148,13 @@ RSpec.describe Ci::JobToken::AutopopulateAllowlistService, feature_category: :se
 
         it 'raises when the limit cannot be achieved' do
           expect(Gitlab::ErrorTracking).to receive(:log_exception).with(
-            kind_of(Gitlab::Utils::TraversalIdCompactor::CompactionLimitCannotBeAchievedError),
+            kind_of(Ci::JobToken::AuthorizationsCompactor::Error),
             { project_id: accessed_project.id, user_id: maintainer.id }
           )
           result = service.execute
 
           expect(result).to be_error
-          expect(result.message).to eq('Gitlab::Utils::TraversalIdCompactor::CompactionLimitCannotBeAchievedError')
+          expect(result.message).to eq('CompactionLimitCannotBeAchievedError')
 
           expect(Ci::JobToken::GroupScopeLink.count).to be(0)
           expect(Ci::JobToken::ProjectScopeLink.count).to be(0)
@@ -175,4 +175,12 @@ RSpec.describe Ci::JobToken::AutopopulateAllowlistService, feature_category: :se
       end
     end
   end
+
+  describe '#unsafe_execute!' do
+    let(:service) { described_class.new(accessed_project, maintainer) }
+
+    it 'does not raise an access denied error' do
+      expect { service.unsafe_execute! }.not_to raise_error
+    end
+  end
 end
diff --git a/spec/services/import/source_users/generate_csv_service_spec.rb b/spec/services/import/source_users/generate_csv_service_spec.rb
index a18a0e3f2dc..54bd47e6a8e 100644
--- a/spec/services/import/source_users/generate_csv_service_spec.rb
+++ b/spec/services/import/source_users/generate_csv_service_spec.rb
@@ -73,12 +73,12 @@ RSpec.describe Import::SourceUsers::GenerateCsvService, feature_category: :impor
 
         subject(:service) { described_class.new(namespace, current_user: namespace.owner) }
 
-        it 'only returns the headers' do
+        it 'returns an error response and empty payload' do
           result = service.execute
-          csv_data = CSV.parse(result.payload)
-
-          expect(csv_data.size).to eq(1)
-          expect(csv_data[0]).to match_array(described_class::COLUMN_MAPPING.keys)
+          expect(result).not_to be_success
+          expect(result.status).to eq(:error)
+          expect(result.payload).to be_empty
+          expect(result.message).to eq('No placeholder users are awaiting reassignment.')
         end
       end
 
diff --git a/spec/services/incident_management/link_alerts/create_service_spec.rb b/spec/services/incident_management/link_alerts/create_service_spec.rb
index d0885aef785..561a73329c4 100644
--- a/spec/services/incident_management/link_alerts/create_service_spec.rb
+++ b/spec/services/incident_management/link_alerts/create_service_spec.rb
@@ -10,7 +10,7 @@ RSpec.describe IncidentManagement::LinkAlerts::CreateService, feature_category:
   let_it_be(:alert2) { create(:alert_management_alert, project: project) }
   let_it_be(:external_alert) { create(:alert_management_alert, project: another_project) }
   let_it_be(:incident) { create(:incident, project: project, alert_management_alerts: [linked_alert]) }
-  let_it_be(:guest) { create(:user, guest_of: [project, another_project]) }
+  let_it_be(:planner) { create(:user, planner_of: [project, another_project]) }
   let_it_be(:developer) { create(:user, developer_of: [project, another_project]) }
   let_it_be(:another_developer) { create(:user, developer_of: project) }
 
@@ -19,8 +19,8 @@ RSpec.describe IncidentManagement::LinkAlerts::CreateService, feature_category:
 
     let(:alert_references) { [alert1.to_reference, alert2.details_url] }
 
-    context 'when current user is a guest' do
-      let(:current_user) { guest }
+    context 'when current user is a planner' do
+      let(:current_user) { planner }
 
       it 'responds with error', :aggregate_failures do
         response = execute
diff --git a/spec/services/incident_management/link_alerts/destroy_service_spec.rb b/spec/services/incident_management/link_alerts/destroy_service_spec.rb
index f2f54c6b330..6b4601551c4 100644
--- a/spec/services/incident_management/link_alerts/destroy_service_spec.rb
+++ b/spec/services/incident_management/link_alerts/destroy_service_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe IncidentManagement::LinkAlerts::DestroyService, feature_category:
   let_it_be(:project) { create(:project) }
   let_it_be(:another_project) { create(:project) }
   let_it_be(:developer) { create(:user, developer_of: project) }
-  let_it_be(:guest) { create(:user, guest_of: project) }
+  let_it_be(:planner) { create(:user, planner_of: project) }
   let_it_be(:incident) { create(:incident, project: project) }
   let_it_be(:another_incident) { create(:incident, project: project) }
   let_it_be(:internal_alert) { create(:alert_management_alert, project: project, issue: incident) }
@@ -18,8 +18,8 @@ RSpec.describe IncidentManagement::LinkAlerts::DestroyService, feature_category:
 
     let(:alert) { internal_alert }
 
-    context 'when current user is a guest' do
-      let(:current_user) { guest }
+    context 'when current user is a planner' do
+      let(:current_user) { planner }
 
       it 'responds with error', :aggregate_failures do
         response = execute
diff --git a/spec/services/work_items/delete_service_spec.rb b/spec/services/work_items/delete_service_spec.rb
index 56208fb50a9..104fb35c5f6 100644
--- a/spec/services/work_items/delete_service_spec.rb
+++ b/spec/services/work_items/delete_service_spec.rb
@@ -5,11 +5,13 @@ require 'spec_helper'
 RSpec.describe WorkItems::DeleteService, feature_category: :team_planning do
   let_it_be(:group) { create(:group) }
   let_it_be(:project) { create(:project, :repository, group: group) }
+  let_it_be(:author) { create(:user, guest_of: group) }
   let_it_be(:guest) { create(:user, guest_of: group) }
+  let_it_be(:planner) { create(:user, planner_of: group) }
   let_it_be(:owner) { create(:user, owner_of: group) }
-  let_it_be(:work_item, refind: true) { create(:work_item, project: project, author: guest) }
-
-  let(:user) { guest }
+  let_it_be(:incident) { create(:work_item, :incident, project: project, author: author) }
+  let_it_be_with_refind(:work_item) { create(:work_item, project: project, author: author) }
+  let(:user) { nil }
 
   let(:service) { described_class.new(container: project, current_user: user) }
 
@@ -21,38 +23,20 @@ RSpec.describe WorkItems::DeleteService, feature_category: :team_planning do
   describe '#execute' do
     subject(:result) { service.execute(work_item) }
 
-    context 'when user can delete the work item' do
+    shared_examples 'deletes work item' do
       it { is_expected.to be_success }
 
       it 'publish WorkItems::WorkItemDeletedEvent' do
         expect { service.execute(work_item) }
-          .to publish_event(::WorkItems::WorkItemDeletedEvent)
-            .with({
-              id: work_item.id,
-              namespace_id: work_item.namespace_id,
-              work_item_parent_id: work_item.work_item_parent&.id
-            }.tap(&:compact_blank!))
-      end
-
-      # currently we don't expect destroy to fail. Mocking here for coverage and keeping
-      # the service's return type consistent
-      context 'when there are errors preventing to delete the work item' do
-        before do
-          allow(work_item).to receive(:destroy).and_return(false)
-          work_item.errors.add(:title)
-        end
-
-        it { is_expected.to be_error }
-
-        it 'returns error messages' do
-          expect(result.errors).to contain_exactly('Title is invalid')
-        end
+          .to publish_event(::WorkItems::WorkItemDeletedEvent).with({
+            id: work_item.id,
+            namespace_id: work_item.namespace_id,
+            work_item_parent_id: work_item.work_item_parent&.id
+          }.tap(&:compact_blank!))
       end
     end
 
-    context 'when user cannot delete the work item' do
-      let(:user) { create(:user) }
-
+    shared_examples 'fails to delete work item' do
       it { is_expected.to be_error }
 
       it 'returns error messages' do
@@ -64,5 +48,70 @@ RSpec.describe WorkItems::DeleteService, feature_category: :team_planning do
           .not_to publish_event(::WorkItems::WorkItemDeletedEvent)
       end
     end
+
+    context 'when user is guest' do
+      let(:user) { guest }
+
+      it_behaves_like 'fails to delete work item'
+
+      context 'with incident type' do
+        let(:work_item) { incident }
+
+        it_behaves_like 'fails to delete work item'
+      end
+    end
+
+    context 'when user is author' do
+      let(:user) { author }
+
+      it_behaves_like 'deletes work item'
+
+      context 'with incident type' do
+        let(:work_item) { incident }
+
+        it_behaves_like 'fails to delete work item'
+      end
+    end
+
+    context 'when user is planner' do
+      let(:user) { planner }
+
+      it_behaves_like 'deletes work item'
+
+      context 'with incident type' do
+        let(:work_item) { incident }
+
+        it_behaves_like 'fails to delete work item'
+      end
+    end
+
+    context 'when user is owner' do
+      let(:user) { owner }
+
+      it_behaves_like 'deletes work item'
+
+      context 'with incident type' do
+        let(:work_item) { incident }
+
+        it_behaves_like 'deletes work item'
+      end
+    end
+
+    # currently we don't expect destroy to fail. Mocking here for coverage and keeping
+    # the service's return type consistent
+    context 'when there are errors preventing to delete the work item' do
+      let(:user) { owner }
+
+      before do
+        allow(work_item).to receive(:destroy).and_return(false)
+        work_item.errors.add(:title)
+      end
+
+      it { is_expected.to be_error }
+
+      it 'returns error messages' do
+        expect(result.errors).to contain_exactly('Title is invalid')
+      end
+    end
   end
 end
diff --git a/spec/support/helpers/user_with_namespace_shim.yml b/spec/support/helpers/user_with_namespace_shim.yml
index 6b09964cd6a..d155e5c7a63 100644
--- a/spec/support/helpers/user_with_namespace_shim.yml
+++ b/spec/support/helpers/user_with_namespace_shim.yml
@@ -247,7 +247,6 @@
 - ee/spec/services/ee/projects/remove_paid_features_service_spec.rb
 - ee/spec/services/ee/users/destroy_service_spec.rb
 - ee/spec/services/ee/users/migrate_records_to_ghost_user_service_spec.rb
-- ee/spec/services/epic_issues/create_service_spec.rb
 - ee/spec/services/epics/create_service_spec.rb
 - ee/spec/services/epics/issue_promote_service_spec.rb
 - ee/spec/services/epics/transfer_service_spec.rb
diff --git a/spec/support/rspec_order_todo.yml b/spec/support/rspec_order_todo.yml
index 04bc5bda9bb..692c990e806 100644
--- a/spec/support/rspec_order_todo.yml
+++ b/spec/support/rspec_order_todo.yml
@@ -2051,7 +2051,6 @@
 - './ee/spec/services/elastic/process_initial_bookkeeping_service_spec.rb'
 - './ee/spec/services/emails/create_service_spec.rb'
 - './ee/spec/services/emails/destroy_service_spec.rb'
-- './ee/spec/services/epic_issues/create_service_spec.rb'
 - './ee/spec/services/epic_issues/destroy_service_spec.rb'
 - './ee/spec/services/epic_issues/list_service_spec.rb'
 - './ee/spec/services/epic_issues/update_service_spec.rb'
diff --git a/spec/support/shared_contexts/requests/api/oidc_discovery_shared_context.rb b/spec/support/shared_contexts/requests/api/oidc_discovery_shared_context.rb
new file mode 100644
index 00000000000..f87b8a1efa4
--- /dev/null
+++ b/spec/support/shared_contexts/requests/api/oidc_discovery_shared_context.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.shared_context 'when doing OIDC key discovery' do
+  let_it_be(:rsa_key_1) { OpenSSL::PKey::RSA.new(2048) }
+  let_it_be(:rsa_key_2) { OpenSSL::PKey::RSA.new(2048) }
+
+  subject(:jwks) do
+    get '/oauth/discovery/keys'
+
+    jwks = Gitlab::Json.parse(response.body)
+    jwks['keys'].map { |json| ::JWT::JWK.new(json) }
+  end
+
+  def key_match?(jwk, private_key)
+    jwk.public_key.to_pem == private_key.public_key.to_pem
+  end
+end
diff --git a/spec/support/shared_examples/models/concerns/integrations/base/pivotaltracker_shared_examples.rb b/spec/support/shared_examples/models/concerns/integrations/base/pivotaltracker_shared_examples.rb
new file mode 100644
index 00000000000..f839d31f9b3
--- /dev/null
+++ b/spec/support/shared_examples/models/concerns/integrations/base/pivotaltracker_shared_examples.rb
@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples Integrations::Base::Pivotaltracker do
+  include StubRequests
+
+  describe 'Validations' do
+    context 'when integration is active' do
+      before do
+        subject.active = true
+      end
+
+      it { is_expected.to validate_presence_of(:token) }
+    end
+
+    context 'when integration is inactive' do
+      before do
+        subject.active = false
+      end
+
+      it { is_expected.not_to validate_presence_of(:token) }
+    end
+  end
+
+  describe 'Execute' do
+    let(:integration) do
+      described_class.new.tap do |integration|
+        integration.token = 'secret_api_token'
+      end
+    end
+
+    let(:url) { described_class::API_ENDPOINT }
+
+    def push_data(branch: 'master')
+      {
+        object_kind: 'push',
+        ref: "refs/heads/#{branch}",
+        commits: [
+          {
+            id: '21c12ea',
+            author: {
+              name: 'Some User'
+            },
+            url: 'https://example.com/commit',
+            message: 'commit message'
+          }
+        ]
+      }
+    end
+
+    before do
+      stub_full_request(url, method: :post)
+    end
+
+    it 'posts correct message' do
+      integration.execute(push_data)
+      expect(WebMock).to have_requested(:post, stubbed_hostname(url)).with(
+        body: {
+          'source_commit' => {
+            'commit_id' => '21c12ea',
+            'author' => 'Some User',
+            'url' => 'https://example.com/commit',
+            'message' => 'commit message'
+          }
+        },
+        headers: {
+          'Content-Type' => 'application/json',
+          'X-TrackerToken' => 'secret_api_token'
+        }
+      ).once
+    end
+
+    context 'when allowed branches is specified' do
+      let(:integration) do
+        super().tap do |integration|
+          integration.restrict_to_branch = 'master,v10'
+        end
+      end
+
+      it 'posts message if branch is in the list' do
+        integration.execute(push_data(branch: 'master'))
+        integration.execute(push_data(branch: 'v10'))
+
+        expect(WebMock).to have_requested(:post, stubbed_hostname(url)).twice
+      end
+
+      it 'does not post message if branch is not in the list' do
+        integration.execute(push_data(branch: 'mas'))
+        integration.execute(push_data(branch: 'v11'))
+
+        expect(WebMock).not_to have_requested(:post, stubbed_hostname(url))
+      end
+    end
+  end
+
+  describe '#avatar_url' do
+    it 'returns the avatar image path' do
+      expect(subject.avatar_url).to eq(
+        ActionController::Base.helpers.image_path(
+          'illustrations/third-party-logos/integrations-logos/pivotal-tracker.svg'
+        )
+      )
+    end
+  end
+end
diff --git a/spec/support/shared_examples/policies/project_level_work_items_shared_examples.rb b/spec/support/shared_examples/policies/project_level_work_items_shared_examples.rb
index 94a49d27057..4b5f8be633d 100644
--- a/spec/support/shared_examples/policies/project_level_work_items_shared_examples.rb
+++ b/spec/support/shared_examples/policies/project_level_work_items_shared_examples.rb
@@ -33,6 +33,10 @@ RSpec.shared_examples 'checks abilities for project level work items' do
     expect(permissions(guest_author, authored_project_confidential_work_item)).to be_disallowed(
       :admin_work_item, :set_work_item_metadata, :move_work_item, :clone_work_item
     )
+
+    expect(permissions(guest, incident_work_item)).to be_disallowed(
+      :admin_work_item, :update_work_item, :set_work_item_metadata, :delete_work_item
+    )
   end
 
   it 'checks planner abilities' do
@@ -49,6 +53,9 @@ RSpec.shared_examples 'checks abilities for project level work items' do
     # disallowed
     expect(permissions(planner, project_work_item)).to be_allowed(:delete_work_item)
     expect(permissions(planner, project_confidential_work_item)).to be_allowed(:delete_work_item)
+    expect(permissions(planner, incident_work_item)).to be_disallowed(
+      :admin_work_item, :update_work_item, :set_work_item_metadata, :delete_work_item
+    )
   end
 
   it 'checks group planner abilities' do
@@ -78,9 +85,14 @@ RSpec.shared_examples 'checks abilities for project level work items' do
       :admin_work_item_link, :create_note, :move_work_item, :clone_work_item
     )
 
+    expect(permissions(reporter, incident_work_item)).to be_allowed(
+      :admin_work_item, :update_work_item, :set_work_item_metadata
+    )
+
     # disallowed
     expect(permissions(reporter, project_work_item)).to be_disallowed(:delete_work_item)
     expect(permissions(reporter, project_confidential_work_item)).to be_disallowed(:delete_work_item)
+    expect(permissions(reporter, incident_work_item)).to be_disallowed(:delete_work_item)
   end
 
   it 'checks group reporter abilities' do
diff --git a/spec/tasks/ci/allowlist_migration_rake_spec.rb b/spec/tasks/ci/allowlist_migration_rake_spec.rb
new file mode 100644
index 00000000000..90d0862327a
--- /dev/null
+++ b/spec/tasks/ci/allowlist_migration_rake_spec.rb
@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'ci:job_tokens:allowlist rake tasks', feature_category: :secrets_management do
+  let(:task_class) { ::Ci::JobToken::AllowlistMigrationTask }
+  let(:user) { ::Users::Internal.admin_bot }
+
+  before do
+    Rake.application.rake_require('tasks/ci/allowlist_migration')
+  end
+
+  describe 'configuration' do
+    context 'when ONLY_PROJECT_IDS is set' do
+      it 'runs the task with only the supplied IDs' do
+        stub_env('ONLY_PROJECT_IDS', '1,2,3')
+        expect(task_class).to receive(:new).with(
+          only_ids: '1,2,3', exclude_ids: nil, preview: nil, user: user
+        ).and_call_original do |task|
+          expect(task.only_ids).to eq('1,2,3')
+        end
+
+        run_rake_task('ci:job_tokens:allowlist:autopopulate_and_enforce')
+      end
+    end
+
+    context 'when EXCLUDE_PROJECT_IDS is set' do
+      it 'runs the task without the excluded IDs' do
+        stub_env('EXCLUDE_PROJECT_IDS', '1,2,3')
+        expect(task_class).to receive(:new).with(
+          only_ids: nil, exclude_ids: '1,2,3', preview: nil, user: user
+        ).and_call_original do |task|
+          expect(task.exclude_ids).to eq('1,2,3')
+        end
+
+        run_rake_task('ci:job_tokens:allowlist:autopopulate_and_enforce')
+      end
+    end
+
+    it 'shows a configuration error if the ONLY_PROJECT_IDS and EXCLUDE_PROJECT_IDS are both set' do
+      stub_env('ONLY_PROJECT_IDS', '1,2,3')
+      stub_env('EXCLUDE_PROJECT_IDS', '2,3,4')
+
+      expect(task_class).to receive(:new).with(only_ids: '1,2,3', exclude_ids: '2,3,4',
+        preview: nil, user: user).and_call_original do |task|
+        expect(task).to receive(:configuration_error)
+        expect(task).not_to receive(:migrate!)
+      end
+
+      run_rake_task('ci:job_tokens:allowlist:autopopulate_and_enforce')
+    end
+
+    it 'runs the task in preview mode if the preview flag is set' do
+      stub_env('PREVIEW', "1")
+
+      expect(task_class).to receive(:new).with(
+        only_ids: nil, exclude_ids: nil, preview: "1", user: user
+      ).and_call_original do |task|
+        expect(task.preview?).to be(true)
+      end
+
+      run_rake_task('ci:job_tokens:allowlist:autopopulate_and_enforce')
+    end
+
+    it 'shows the preview notice if the preview flag is set' do
+      stub_env('PREVIEW', "1")
+
+      expect(task_class).to receive(:new).with(
+        only_ids: nil, exclude_ids: nil, preview: "1", user: user
+      ).and_call_original do |task|
+        expect(task).to receive(:valid_configuration?).and_call_original
+        expect(task).to receive(:preview?)
+        expect(task).not_to receive(:preview_notice)
+        expect(task).to receive(:migrate!)
+      end
+
+      run_rake_task('ci:job_tokens:allowlist:autopopulate_and_enforce')
+    end
+
+    it 'does not shows the preview notice if the preview flag is not set' do
+      expect(task_class).to receive(:new).with(
+        only_ids: nil, exclude_ids: nil, preview: nil, user: user
+      ).and_call_original do |task|
+        expect(task).to receive(:valid_configuration?).and_call_original
+        expect(task).to receive(:preview?)
+        expect(task).not_to receive(:preview_notice)
+        expect(task).to receive(:migrate!)
+      end
+
+      run_rake_task('ci:job_tokens:allowlist:autopopulate_and_enforce')
+    end
+  end
+end
diff --git a/spec/validators/json_schema_validator_spec.rb b/spec/validators/json_schema_validator_spec.rb
index b51016ddde9..4c6a0cd6587 100644
--- a/spec/validators/json_schema_validator_spec.rb
+++ b/spec/validators/json_schema_validator_spec.rb
@@ -227,4 +227,12 @@ RSpec.describe JsonSchemaValidator, feature_category: :shared do
       end
     end
   end
+
+  describe '#schema' do
+    let(:validator) { described_class.new(attributes: [:data], filename: "build_report_result_data") }
+
+    it 'is instance of JSONSchemer schema' do
+      expect(validator.schema).to be_a(JSONSchemer::Schema)
+    end
+  end
 end
diff --git a/workhorse/_support/lint_last_known_acceptable.txt b/workhorse/_support/lint_last_known_acceptable.txt
index 001808d0875..e970a4091e1 100644
--- a/workhorse/_support/lint_last_known_acceptable.txt
+++ b/workhorse/_support/lint_last_known_acceptable.txt
@@ -75,9 +75,9 @@ internal/upload/destination/objectstore/upload_strategy.go:29: internal/upload/d
 internal/upload/destination/objectstore/uploader.go:5:2: G501: Blocklisted import crypto/md5: weak cryptographic primitive (gosec)
 internal/upload/destination/objectstore/uploader.go:95:12: G401: Use of weak cryptographic primitive (gosec)
 internal/upload/exif/exif.go:103:10: G204: Subprocess launched with variable (gosec)
-internal/upstream/routes.go:171:74: `(*upstream).wsRoute` - `matchers` always receives `nil` (unparam)
-internal/upstream/routes.go:231: Function 'configureRoutes' is too long (340 > 60) (funlen)
-internal/upstream/routes.go:487: internal/upstream/routes.go:487: Line contains TODO/BUG/FIXME/NOTE/OPTIMIZE/HACK: "TODO: We should probably not return a HT..." (godox)
+internal/upstream/routes.go:178:74: `(*upstream).wsRoute` - `matchers` always receives `nil` (unparam)
+internal/upstream/routes.go:238: Function 'configureRoutes' is too long (340 > 60) (funlen)
+internal/upstream/routes.go:494: internal/upstream/routes.go:494: Line contains TODO/BUG/FIXME/NOTE/OPTIMIZE/HACK: "TODO: We should probably not return a HT..." (godox)
 internal/upstream/upstream.go:116: internal/upstream/upstream.go:116: Line contains TODO/BUG/FIXME/NOTE/OPTIMIZE/HACK: "TODO: move to LabKit https://gitlab.com/..." (godox)
 internal/zipartifacts/metadata.go:118:54: G115: integer overflow conversion int -> uint32 (gosec)
 internal/zipartifacts/open_archive.go:78:28: response body must be closed (bodyclose)
diff --git a/workhorse/internal/api/api.go b/workhorse/internal/api/api.go
index 2c42cbe7868..74664f0937b 100644
--- a/workhorse/internal/api/api.go
+++ b/workhorse/internal/api/api.go
@@ -458,6 +458,13 @@ func copyAuthHeader(httpResponse *http.Response, w http.ResponseWriter) {
 	}
 }
 
+// These are internal headers that may be returned by the rails backend. They should not be passed back to the client.
+var sensitiveHeaders = map[string]bool{
+	"gitlab-workhorse-send-data": true,
+	"gitlab-sv":                  true,
+	"gitlab-lb":                  true,
+}
+
 func passResponseBack(httpResponse *http.Response, w http.ResponseWriter, r *http.Request) {
 	// NGINX response buffering is disabled on this path (with
 	// X-Accel-Buffering: no) but we still want to free up the Puma thread
@@ -487,7 +494,7 @@ func passResponseBack(httpResponse *http.Response, w http.ResponseWriter, r *htt
 		// Accommodate broken clients that do case-sensitive header lookup
 		if k == "Www-Authenticate" {
 			w.Header()["WWW-Authenticate"] = v
-		} else {
+		} else if !sensitiveHeaders[k] {
 			w.Header()[k] = v
 		}
 	}
diff --git a/workhorse/internal/api/api_test.go b/workhorse/internal/api/api_test.go
index 1dc467de101..8e3128a1831 100644
--- a/workhorse/internal/api/api_test.go
+++ b/workhorse/internal/api/api_test.go
@@ -1,6 +1,7 @@
 package api
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -233,3 +234,31 @@ func TestSendGitAuditEvent(t *testing.T) {
 	require.NotEmpty(t, requestHeaders["Gitlab-Workhorse-Api-Request"])
 	require.Equal(t, auditRequest, requestBody)
 }
+
+func Test_passResponseBack(t *testing.T) {
+	t.Run("filters out sensitive headers", func(t *testing.T) {
+		sensitiveData := []string{"sensitive-data"}
+		safeData := "safe-data"
+
+		httpResp := &http.Response{
+			StatusCode: http.StatusOK,
+			Body:       io.NopCloser(bytes.NewBufferString("")),
+			Header: http.Header{
+				"gitlab-workhorse-send-data": sensitiveData,
+				"gitlab-sv":                  sensitiveData,
+				"gitlab-lb":                  sensitiveData,
+				"Safe-Header":                []string{safeData},
+			},
+		}
+
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "/", nil)
+
+		passResponseBack(httpResp, w, r)
+
+		require.Empty(t, w.Header().Get("gitlab-workhorse-send-data"))
+		require.Empty(t, w.Header().Get("gitlab-sv"))
+		require.Empty(t, w.Header().Get("gitlab-lb"))
+		require.Equal(t, safeData, w.Header().Get("Safe-Header"))
+	})
+}
diff --git a/workhorse/internal/upstream/routes.go b/workhorse/internal/upstream/routes.go
index 5d8f6d22e96..5c259693845 100644
--- a/workhorse/internal/upstream/routes.go
+++ b/workhorse/internal/upstream/routes.go
@@ -57,8 +57,8 @@ type routeOptions struct {
 
 const (
 	apiPattern           = `^/api/`
-	gitProjectPattern    = `^/.+\.git/`
-	geoGitProjectPattern = `^/[^-].+\.git/` // Prevent matching routes like /-/push_from_secondary
+	gitProjectPattern    = `^/([^/]|[^-]/)+\.git/` // Prevent matching web routes by checking for the presence of /-/
+	geoGitProjectPattern = `^/[^-].+\.git/`        // Prevent matching routes like /-/push_from_secondary
 	projectPattern       = `^/([^/]+/){1,}[^/]+/`
 	groupPattern         = `^/groups/([^/]+/){0,}[^/]+/`
 	apiProjectPattern    = apiPattern + `v4/projects/[^/]+` // API: Projects can be encoded via group%2Fsubgroup%2Fproject
@@ -68,6 +68,13 @@ const (
 	userUploadPattern    = `^/uploads/user`
 	importPattern        = `^/import/`
 
+	gitInfoRefsPattern    = gitProjectPattern + `info/refs\z`
+	gitUploadPackPattern  = gitProjectPattern + `git-upload-pack\z`
+	gitReceivePackPattern = gitProjectPattern + `git-receive-pack\z`
+	gitLfsObjectsPattern  = gitProjectPattern + `gitlab-lfs/objects/([0-9a-f]{64})/([0-9]+)\z`
+	sshUploadPackPattern  = gitProjectPattern + `ssh-upload-pack\z`
+	sshReceivePackPattern = gitProjectPattern + `ssh-receive-pack\z`
+
 	selfBackend       routeBackend = "self"
 	railsBackend      routeBackend = "rails"
 	gitalyBackend     routeBackend = "gitaly"
@@ -272,22 +279,22 @@ func configureRoutes(u *upstream) {
 	u.Routes = []routeEntry{
 		// Git Clone
 		u.route("GET",
-			newRoute(gitProjectPattern+`info/refs\z`, "git_info_refs", gitalyBackend),
+			newRoute(gitInfoRefsPattern, "git_info_refs", gitalyBackend),
 			git.GetInfoRefsHandler(api)),
 		u.route("POST",
-			newRoute(gitProjectPattern+`git-upload-pack\z`, "git_upload_pack", gitalyBackend),
+			newRoute(gitUploadPackPattern, "git_upload_pack", gitalyBackend),
 			contentEncodingHandler(git.UploadPack(api)), withMatcher(isContentType("application/x-git-upload-pack-request"))),
 		u.route("POST",
-			newRoute(gitProjectPattern+`git-receive-pack\z`, "git_receive_pack", gitalyBackend),
+			newRoute(gitReceivePackPattern, "git_receive_pack", gitalyBackend),
 			contentEncodingHandler(git.ReceivePack(api)), withMatcher(isContentType("application/x-git-receive-pack-request"))),
 		u.route("PUT",
-			newRoute(gitProjectPattern+`gitlab-lfs/objects/([0-9a-f]{64})/([0-9]+)\z`, "git_lfs_objects", railsBackend),
+			newRoute(gitLfsObjectsPattern, "git_lfs_objects", railsBackend),
 			requestBodyUploader, withMatcher(isContentType("application/octet-stream"))),
 		u.route("POST",
-			newRoute(gitProjectPattern+`ssh-upload-pack\z`, "ssh_upload_pack", gitalyBackend),
+			newRoute(sshUploadPackPattern, "ssh_upload_pack", gitalyBackend),
 			git.SSHUploadPack(api)),
 		u.route("POST",
-			newRoute(gitProjectPattern+`ssh-receive-pack\z`, "ssh_receive_pack", gitalyBackend),
+			newRoute(sshReceivePackPattern, "ssh_receive_pack", gitalyBackend),
 			git.SSHReceivePack(api)),
 
 		// CI Artifacts
diff --git a/workhorse/internal/upstream/upstream_test.go b/workhorse/internal/upstream/upstream_test.go
index 71ac30cc39e..df555c194e5 100644
--- a/workhorse/internal/upstream/upstream_test.go
+++ b/workhorse/internal/upstream/upstream_test.go
@@ -73,7 +73,13 @@ func TestRouting(t *testing.T) {
 		u.Routes = []routeEntry{
 			handle(u, foobar),
 			handle(u, quxbaz),
-			handle(u, main),
+			handle(u, gitInfoRefsPattern),
+			handle(u, gitUploadPackPattern),
+			handle(u, gitReceivePackPattern),
+			handle(u, sshUploadPackPattern),
+			handle(u, sshReceivePackPattern),
+			handle(u, gitLfsObjectsPattern),
+			handle(u, main), // "" matches everything, so it must match last
 		}
 	}, nil)
 	ts := httptest.NewServer(u)
@@ -86,6 +92,28 @@ func TestRouting(t *testing.T) {
 		{"path traversal works, ends up in quxbaz", "/foobar/../quxbaz", quxbaz},
 		{"escaped path traversal does not match any route", "/foobar%2f%2e%2e%2fquxbaz", main},
 		{"double escaped path traversal does not match any route", "/foobar%252f%252e%252e%252fquxbaz", main},
+
+		{"info/refs route works", "/group/test.git/info/refs", gitInfoRefsPattern},
+		{"/-/ in info/refs/ does not match any route", "/group/-/test.git/info/refs/", main},
+
+		{"git-upload-pack route works", "/project/test.git/git-upload-pack", gitUploadPackPattern},
+		{"/-/ in git-upload-pack does not match any route", "/project/-/blob/main/test.git/git-upload-pack", main},
+
+		{"git-receive-pack route works", "/project/test.git/git-receive-pack", gitReceivePackPattern},
+		{"/-/ in git-receive-pack does not match any route", "/project/-/blob/main/test.git/git-receive-pack", main},
+
+		{"ssh-upload-pack route works", "/project/test.git/ssh-upload-pack", sshUploadPackPattern},
+		{"/-/ in ssh-upload-pack does not match any route", "/project/-/blob/main/test.git/ssh-upload-pack", main},
+
+		{"ssh-receive-pack route works", "/project/test.git/ssh-receive-pack", sshReceivePackPattern},
+		{"/-/ in ssh-receive-pack does not match any route", "/project/-/blob/main/test.git/ssh-upload-pack", main},
+
+		{"gitlab-lfs/objects route works", "/a.git/gitlab-lfs/objects/0000000000000000000000000000000000000000000000000000000000000000/0", gitLfsObjectsPattern},
+		{"/-/ in gitlab-lfs/objects does not match any route", "/-/a.git/gitlab-lfs/objects/0000000000000000000000000000000000000000000000000000000000000000/0", main},
+
+		{"hyphen in gitInfoRefsPattern route works", "/gitlab-org/test.git/info/refs", gitInfoRefsPattern},
+		{"double slash in gitInfoRefsPattern route works", "/org//test.git/info/refs", gitInfoRefsPattern},
+		{"hyphen and double slash in gitInfoRefsPattern route works", "/gitlab-org//test.git/info/refs", gitInfoRefsPattern},
 	}
 
 	runTestCases(t, ts, testCases)