Add latest changes from gitlab-org/gitlab@14-5-stable-ee

.gitlab/ci/rules.gitlab-ci.yml

@@ -19,6 +19,9 @@
 .if-default-branch-refs: &if-default-branch-refs
   if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH'
 
+.if-stable-branch-refs: &if-stable-branch-refs
+  if: '$CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/'
+
 .if-default-branch-push: &if-default-branch-push
   if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"'
 
@@ -40,6 +43,9 @@
 .if-automated-merge-request: &if-automated-merge-request
   if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == "release-tools/update-gitaly" || $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /stable-ee$/'
 
+.if-merge-request-targeting-stable-branch: &if-merge-request-targeting-stable-branch
+  if: '$CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^[\d-]+-stable(-ee)?$/'
+
 .if-merge-request-labels-as-if-foss: &if-merge-request-labels-as-if-foss
   if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:run-as-if-foss/'
 
@@ -577,6 +583,12 @@
       when: never
     - <<: *if-jh
       when: never
+    - <<: *if-security-merge-request
+      when: never
+    - <<: *if-merge-request-targeting-stable-branch
+      when: never
+    - <<: *if-stable-branch-refs
+      when: never
     - <<: *if-merge-request-labels-as-if-jh
     - <<: *if-merge-request-labels-run-all-rspec
     - changes: *code-backstage-qa-patterns
@@ -609,7 +621,11 @@
     - <<: *if-jh
       when: never
     - <<: *if-security-merge-request
-      changes: *code-backstage-patterns
+      when: never
+    - <<: *if-merge-request-targeting-stable-branch
+      when: never
+    - <<: *if-stable-branch-refs
+      when: never
     - <<: *if-merge-request-labels-as-if-jh
     - <<: *if-merge-request-labels-run-all-rspec
     - <<: *if-merge-request
@@ -1255,8 +1271,11 @@
     - <<: *if-jh
       when: never
     - <<: *if-security-merge-request
-      changes: *code-backstage-patterns
-      allow_failure: true
+      when: never
+    - <<: *if-merge-request-targeting-stable-branch
+      when: never
+    - <<: *if-stable-branch-refs
+      when: never
     - <<: *if-merge-request-labels-as-if-jh
       allow_failure: true
     - <<: *if-merge-request
@@ -1806,6 +1825,12 @@
       when: never
     - <<: *if-jh
       when: never
+    - <<: *if-security-merge-request
+      when: never
+    - <<: *if-merge-request-targeting-stable-branch
+      when: never
+    - <<: *if-stable-branch-refs
+      when: never
     - <<: *if-merge-request-labels-as-if-jh
     - <<: *if-merge-request-labels-run-all-rspec
     - changes: *code-backstage-qa-patterns

GITLAB_SHELL_VERSION

@@ -1 +1 @@
-13.22.0
+13.22.1

config/initializers/action_cable.rb

@@ -9,6 +9,8 @@ Rails.application.configure do
   config.action_cable.worker_pool_size = Gitlab::ActionCable::Config.worker_pool_size
 end
 
+ActionCable::SubscriptionAdapter::Base.prepend(Gitlab::Patch::ActionCableSubscriptionAdapterIdentifier)
+
 # https://github.com/rails/rails/blob/bb5ac1623e8de08c1b7b62b1368758f0d3bb6379/actioncable/lib/action_cable/subscription_adapter/redis.rb#L18
 ActionCable::SubscriptionAdapter::Redis.redis_connector = lambda do |config|
   args = config.except(:adapter, :channel_prefix)

data/whats_new/2021111800001_14_05.yml

@@ -0,0 +1,77 @@
+- title: Introducing Infrastructure as Code (IaC) security scanning
+  body: |
+    With Gitlab 14.5 we're introducing security scanning for Infrastructure as Code (IaC) configuration files. Like all our SAST scanners, we've chosen to make this capability available for all customers for free to encourage secure coding practices with the rise of IaC. The initial version of this IaC security scanner supports configuration files for Terraform, Ansible, AWS CloudFormation, and Kubernetes and is based on the open-source [Keeping Infrastructure as Code Secure (KICS) project](https://kics.io/). This new IaC scanning capability joins our [existing Kubernetes manifest SAST scanner](https://docs.gitlab.com/ee/user/application_security/sast/#enabling-kubesec-analyzer).
+  stage: Secure
+  self-managed: true
+  gitlab-com: true
+  packages: [Free, Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/user/application_security/iac_scanning/'
+  image_url: https://about.gitlab.com/images/14_5/gitlab-iac.png
+  published_at: 2021-11-22
+  release: 14.5
+- title: Add personal README to profile
+  body: |
+    You can now add a README section to your GitLab profile! This is a great way to tell others about, your interests, how you work, or anything else you want! To add a README section, create a new public project with the same name as your user account and add a new [README file](https://docs.gitlab.com/ee/user/project/repository/index.html#readme-and-index-files). The contents of that file are automatically shown on your GitLab profile.
+  stage: Manage
+  self-managed: true
+  gitlab-com: true
+  packages: [Free, Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/user/profile/#user-profile-readme'
+  image_url: https://about.gitlab.com/images/14_5/user_profiles_readme.png
+  published_at: 2021-11-22
+  release: 14.5
+- title: Geo provides a single command to promote a secondary node
+  body: |
+    When performing a failover, systems administrators use different tools depending on the underlying architecture. On a single-node Geo site, administrators can use the `gitlab-ctl promote-to-primary-node` command. However, multi-node sites did not support this command and required manual editing of configuration. This was cumbersome for large environments because it required updating dozens of configuration files.
+
+    Now, administrators can use `gitlab-ctl geo promote` on any node of a Geo secondary site to promote it to a primary. In a disaster recovery scenario or planned failover, this saves precious time and reduces potential errors when promoting a secondary site to a primary. This command also makes it easier to script the failover process.
+
+    As of GitLab 14.5, the commands `gitlab-ctl promote-to-primary-node` and `gitlab-ctl promote-db` are deprecated and will be removed in GitLab 15.0.
+  stage: Enablement
+  self-managed: true
+  gitlab-com: false
+  packages: [Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/administration/geo/disaster_recovery/planned_failover.html'
+  image_url: https://about.gitlab.com/images/growth/enablement.png
+  published_at: 2021-11-22
+  release: 14.5
+- title: Group-level settings for merge request approvals
+  body: |
+    You can now define and enforce values for merge request approval settings at the group level. These values cascade and are used by any projects within the group. Group-level merge request approvals make it easy for organizations to ensure proper separation of duties across all teams. You only have to specify settings in a single location now, rather than needing to update and monitor every project.
+
+    When these settings are set at the group level, you:
+
+    - Can be confident that projects will use consistent separation of duties workflows.
+    - Do not need to manually check that every project has not had its settings modified.
+  stage: Manage
+  self-managed: true
+  gitlab-com: true
+  packages: [Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/user/group/#group-approval-rules'
+  image_url: https://about.gitlab.com/images/14_5/group_level_mr_settings_picture.png
+  published_at: 2021-11-22
+  release: 14.5
+- title: GitLab Kubernetes Agent available in GitLab Free
+  body: |
+    Connecting a Kubernetes cluster with the GitLab Kubernetes Agent simplifies the setup for cluster applications and enables secure GitOps deployments to the cluster. Initially, the GitLab Kubernetes Agent was available only for Premium users. In our commitment to the open source ethos, we moved the core features of the GitLab Kubernetes Agent and the CI/CD Tunnel to GitLab Free. We expect that the open-sourced features are compelling to many users without dedicated infrastructure teams and strong requirements around cluster management. Advanced features remain available as part of the GitLab Premium offering.
+  stage: Configure
+  self-managed: true
+  gitlab-com: true
+  packages: [Free, Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/user/clusters/agent/'
+  image_url: https://about.gitlab.com/images/growth/configure.png
+  published_at: 2021-11-22
+  release: 14.5
+- title: Cleaner diffs for Jupyter Notebook files
+  body: |
+    Jupyter notebooks are key to data scientists' and machine learning engineers' workflows, but the file structure makes code review challenging. Often, the files can't be reviewed properly, and users are forced to accept those changes or treat their repositories as stores of data versus collaborative projects.
+
+    Now GitLab automatically strips out the noise and displays a cleaner version of the diff for these files. Human-readable diffs make it easier to review the substance of the change, without worrying about the formatting pieces that Jupyter Notebooks need.
+  stage: Create
+  self-managed: true
+  gitlab-com: true
+  packages: [Free, Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/user/project/repository/jupyter_notebooks/#cleaner-diffs'
+  image_url: https://about.gitlab.com/images/14_5/create-code-review-jupyter-notebook-diffs.png
+  published_at: 2021-11-22
+  release: 14.5

lib/gitlab/checks/branch_check.rb

@@ -40,6 +40,7 @@ module Gitlab
       private
 
       def prohibited_branch_checks
+        return if deletion?
         return unless Feature.enabled?(:prohibit_hexadecimal_branch_names, project, default_enabled: true)
 
         if branch_name =~ /\A\h{40}\z/

lib/gitlab/patch/action_cable_subscription_adapter_identifier.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+# Modifies https://github.com/rails/rails/blob/v6.1.4.1/actioncable/lib/action_cable/subscription_adapter/base.rb so
+# that we do not overwrite an id that was explicitly set to `nil` in cable.yml.
+# This is needed to support GCP Memorystore. See https://github.com/rails/rails/issues/38244.
+
+module Gitlab
+  module Patch
+    module ActionCableSubscriptionAdapterIdentifier
+      def identifier
+        @server.config.cable.has_key?(:id) ? @server.config.cable[:id] : super # rubocop:disable Gitlab/ModuleWithInstanceVariables
+      end
+    end
+  end
+end

spec/controllers/projects/raw_controller_spec.rb

@@ -101,7 +101,7 @@ RSpec.describe Projects::RawController do
         expect(response).to have_gitlab_http_status(:too_many_requests)
       end
 
-      it 'logs the event on auth.log' do
+      it 'logs the event on auth.log', quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/345889' do
         attributes = {
           message: 'Application_Rate_Limiter_Request',
           env: :raw_blob_request_limit,

spec/features/groups/import_export/import_file_spec.rb

@@ -85,7 +85,7 @@ RSpec.describe 'Import/Export - Group Import', :js do
   context 'when the user uploads an invalid export file' do
     let(:file) { File.join(Rails.root, 'spec', %w[fixtures big-image.png]) }
 
-    it 'displays an error' do
+    it 'displays an error', quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/343995' do
       visit new_group_path
       click_link 'Import group'
 

spec/initializers/action_cable_subscription_adapter_identifier_spec.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'ActionCableSubscriptionAdapterIdentifier override' do
+  describe '#identifier' do
+    context 'when id key is nil on cable.yml' do
+      it 'does not override server config id with action cable pid' do
+        config = {
+          adapter: 'redis',
+          url: 'unix:/home/localuser/redis/redis.socket',
+          channel_prefix: 'test_',
+          id: nil
+        }
+        ::ActionCable::Server::Base.config.cable = config
+
+        sub = ActionCable.server.pubsub.send(:redis_connection)
+
+        expect(sub.connection[:id]).to eq('redis:///home/localuser/redis/redis.socket/0')
+        expect(ActionCable.server.config.cable[:id]).to be_nil
+      end
+    end
+  end
+end

spec/lib/gitlab/checks/branch_check_spec.rb

@@ -32,6 +32,15 @@ RSpec.describe Gitlab::Checks::BranchCheck do
         expect { subject.validate! }.not_to raise_error
       end
 
+      context "deleting a hexadecimal branch" do
+        let(:newrev) { "0000000000000000000000000000000000000000" }
+        let(:ref) { "refs/heads/267208abfe40e546f5e847444276f7d43a39503e" }
+
+        it "doesn't prohibit the deletion of a hexadecimal branch name" do
+          expect { subject.validate! }.not_to raise_error
+        end
+      end
+
       context "the feature flag is disabled" do
         it "doesn't prohibit a 40-character hexadecimal branch name" do
           stub_feature_flags(prohibit_hexadecimal_branch_names: false)

spec/requests/api/graphql/ci/jobs_spec.rb

@@ -105,8 +105,8 @@ RSpec.describe 'Query.project.pipeline' do
         expect(jobs_graphql_data).to contain_exactly(a_hash_including('name' => 'my test job'))
       end
 
-      it 'can find all stages' do
-        post_graphql(query, current_user: user, variables: first_n.with(3))
+      it 'reports the build needs and previous stages with no duplicates', quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/346433' do
+        post_graphql(query, current_user: user)
 
         expect(jobs_graphql_data).to contain_exactly(
           a_hash_including('name' => 'my test job'),

spec/services/ci/job_artifacts/create_service_spec.rb

@@ -24,6 +24,8 @@ RSpec.describe Ci::JobArtifacts::CreateService do
   def file_to_upload(path, params = {})
     upload = Tempfile.new('upload')
     FileUtils.copy(path, upload.path)
+    # This is a workaround for https://github.com/docker/for-linux/issues/1015
+    FileUtils.touch(upload.path)
 
     UploadedFile.new(upload.path, **params)
   end

spec/spec_helper.rb

@@ -475,3 +475,14 @@ Rugged::Settings['search_path_global'] = Rails.root.join('tmp/tests').to_s
 
 # Initialize FactoryDefault to use create_default helper
 TestProf::FactoryDefault.init
+
+module TouchRackUploadedFile
+  def initialize_from_file_path(path)
+    super
+
+    # This is a no-op workaround for https://github.com/docker/for-linux/issues/1015
+    File.utime @tempfile.atime, @tempfile.mtime, @tempfile.path # rubocop:disable Gitlab/ModuleWithInstanceVariables
+  end
+end
+
+Rack::Test::UploadedFile.prepend(TouchRackUploadedFile)