From 380d41a71bda9d5e8da5b03c0069e7fab1afacbc Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Mon, 15 Jul 2024 18:14:45 +0000
Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master

---
 .gitlab/ci/rails.gitlab-ci.yml                |  11 +-
 .gitlab/ci/rails/shared.gitlab-ci.yml         |   6 +
 .gitlab/ci/rules.gitlab-ci.yml                |   6 +
 .rubocop_todo/rspec/file_path.yml             |   1 +
 GITALY_SERVER_VERSION                         |   2 +-
 Gemfile                                       |   2 +-
 Gemfile.checksum                              |   2 +-
 Gemfile.lock                                  |   4 +-
 app/assets/javascripts/editor/schema/ci.json  |  47 ++++++
 .../list/components/issue_card_time_info.vue  |   6 +-
 .../permissions/components/settings_panel.vue |   2 +-
 .../security_configuration/utils.js           |   2 +-
 .../concerns/integrations/actions.rb          |   4 +-
 .../settings/integrations_controller.rb       |   8 +-
 app/finders/banzai/uploads_finder.rb          |   2 +
 app/finders/organizations/groups_finder.rb    |   2 +-
 app/models/ci/build.rb                        |   2 +-
 app/models/upload.rb                          |  13 +-
 app/policies/group_policy.rb                  |   1 +
 app/policies/project_policy.rb                |   1 +
 app/validators/json_schema_validator.rb       |   2 +-
 .../merge_requests/_merge_request.html.haml   |   4 +-
 ...ed_groups.yml => pipeline_run_keyword.yml} |  10 +-
 .../custom_project_templates.md               |   2 +-
 .../settings/security_and_compliance.md       |   4 +-
 doc/api/groups.md                             |  93 +++++++++++
 doc/api/integrations.md                       |  94 +++++------
 doc/api/projects.md                           |  95 ++++++++++-
 doc/ci/pipelines/settings.md                  |   2 +-
 doc/ci/yaml/includes.md                       |   8 +-
 .../documentation/styleguide/word_list.md     |  18 +-
 .../permissions/predefined_roles.md           |   2 +-
 doc/security/user_file_uploads.md             |   3 +
 .../configuration/enabling_the_analyzer.md    |   2 +-
 .../configuration/enabling_the_analyzer.md    |   2 +-
 .../application_security/policies/index.md    |   4 +-
 .../secret_push_protection/index.md           |   2 +-
 doc/user/group/custom_project_templates.md    |   2 +-
 lib/api/entities/ci/job_request/response.rb   |  13 +-
 lib/api/entities/markdown_upload_admin.rb     |  13 ++
 lib/api/markdown_uploads.rb                   | 143 ++++++++++++++++
 lib/gitlab/ci/config.rb                       |  35 +++-
 lib/gitlab/ci/config/entry/job.rb             |  23 ++-
 lib/gitlab/ci/config/entry/jobs.rb            |   2 +-
 lib/gitlab/ci/pipeline/seed/build.rb          |  14 ++
 lib/gitlab/ci/yaml_processor/result.rb        |   1 +
 .../menus/security_compliance_menu.rb         |   2 +-
 locale/gitlab.pot                             |   4 +-
 .../projects/ci/lints_controller_spec.rb      |   6 +-
 .../settings/integrations_controller_spec.rb  |  19 +++
 spec/factories/ci/builds.rb                   |   2 +
 .../organizations/groups_finder_spec.rb       |  12 --
 .../editor/schema/ci/ci_schema_spec.js        |   4 +
 .../ci/yaml_tests/negative_tests/run.yml      |  58 +++++++
 .../ci/yaml_tests/positive_tests/run.yml      |  63 +++++++
 .../entities/markdown_upload_admin_spec.rb    |  26 +++
 spec/lib/gitlab/ci/config/entry/job_spec.rb   | 158 +++++++++++++++++-
 spec/lib/gitlab/ci/config/entry/jobs_spec.rb  |   4 +-
 spec/lib/gitlab/ci/config/entry/root_spec.rb  |   2 +-
 spec/lib/gitlab/ci/lint_spec.rb               |   2 +-
 .../lib/gitlab/ci/pipeline/seed/build_spec.rb |  50 ++++++
 spec/lib/gitlab/ci/yaml_processor_spec.rb     |   4 +-
 .../menus/security_compliance_menu_spec.rb    |   4 +-
 spec/models/ci/build_spec.rb                  |  13 ++
 spec/policies/project_policy_spec.rb          |   4 +-
 .../admin/integrations_controller_spec.rb     |  74 ++++----
 .../api/ci/runner/jobs_request_post_spec.rb   |  93 +++++++++++
 spec/requests/api/markdown_uploads_spec.rb    | 133 ++++++++++++++-
 ...create_downstream_pipeline_service_spec.rb |   6 +-
 .../creation_errors_and_warnings_spec.rb      |   2 +-
 .../ci/create_pipeline_service/run_spec.rb    | 144 ++++++++++++++++
 .../policies/group_policy_shared_context.rb   |   2 +-
 .../policies/project_policy_shared_context.rb |   2 +-
 ...d_compliance_permissions_shared_context.rb |   4 +-
 vendor/gems/bundler-checksum/.gitlab-ci.yml   |  11 +-
 .../lib/bundler_checksum/command/init.rb      |  48 ++++--
 .../project_with_checksum_lock/Gemfile.lock   |   2 +-
 .../project_with_checksum_lock/scripts/test   |  11 +-
 workhorse/go.mod                              |   2 +-
 workhorse/go.sum                              |   4 +-
 80 files changed, 1484 insertions(+), 208 deletions(-)
 rename config/feature_flags/gitlab_com_derisk/{filter_deleted_groups.yml => pipeline_run_keyword.yml} (73%)
 create mode 100644 lib/api/entities/markdown_upload_admin.rb
 create mode 100644 spec/frontend/editor/schema/ci/yaml_tests/negative_tests/run.yml
 create mode 100644 spec/frontend/editor/schema/ci/yaml_tests/positive_tests/run.yml
 create mode 100644 spec/lib/api/entities/markdown_upload_admin_spec.rb
 create mode 100644 spec/services/ci/create_pipeline_service/run_spec.rb

diff --git a/.gitlab/ci/rails.gitlab-ci.yml b/.gitlab/ci/rails.gitlab-ci.yml
index b5153ae668c..0e2993bffcf 100644
--- a/.gitlab/ci/rails.gitlab-ci.yml
+++ b/.gitlab/ci/rails.gitlab-ci.yml
@@ -336,28 +336,27 @@ rspec system pg14 no_gitaly_transactions:
 rspec-ee migration pg14 no_gitaly_transactions:
   extends:
     - rspec-ee migration pg14
-    - .gitaly-without-transactions
+    - .ee-only-gitaly-without-transactions
 
 rspec-ee background_migration pg14 no_gitaly_transactions:
   extends:
     - rspec-ee background_migration pg14
-    - .gitaly-without-transactions
+    - .ee-only-gitaly-without-transactions
 
 rspec-ee unit pg14 no_gitaly_transactions:
   extends:
     - rspec-ee unit pg14
-    - .gitaly-without-transactions
+    - .ee-only-gitaly-without-transactions
 
 rspec-ee integration pg14 no_gitaly_transactions:
   extends:
     - rspec-ee integration pg14
-    - .gitaly-without-transactions
+    - .ee-only-gitaly-without-transactions
 
 rspec-ee system pg14 no_gitaly_transactions:
   extends:
     - rspec-ee system pg14
-    - .gitaly-without-transactions
-
+    - .ee-only-gitaly-without-transactions
 
 # Dedicated job to test DB library code against PG13.
 # Note that these are already tested against PG13 in the `rspec unit pg13` / `rspec-ee unit pg13` jobs.
diff --git a/.gitlab/ci/rails/shared.gitlab-ci.yml b/.gitlab/ci/rails/shared.gitlab-ci.yml
index 41d33510742..941e974484b 100644
--- a/.gitlab/ci/rails/shared.gitlab-ci.yml
+++ b/.gitlab/ci/rails/shared.gitlab-ci.yml
@@ -66,6 +66,12 @@ include:
   variables:
     GITALY_TRANSACTIONS_ENABLED: "false"
 
+.ee-only-gitaly-without-transactions:
+  extends:
+    - .rails:rules:ee-only-gitaly-without-transactions
+  variables:
+    GITALY_TRANSACTIONS_ENABLED: "false"
+
 .rspec-base-needs:
   needs:
     - !reference [.repo-from-artifacts, needs]
diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml
index 400d232fd0d..e775ccfd9d1 100644
--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -2002,6 +2002,12 @@
     - <<: *if-schedule-maintenance
     - <<: *if-merge-request-labels-run-without-gitaly-transactions
 
+.rails:rules:ee-only-gitaly-without-transactions:
+  rules:
+    - <<: *if-not-ee
+      when: never
+    - !reference [".rails:rules:gitaly-without-transactions", rules]
+
 .rails:rules:ee-and-foss-migration:
   rules:
     - <<: *if-fork-merge-request
diff --git a/.rubocop_todo/rspec/file_path.yml b/.rubocop_todo/rspec/file_path.yml
index 2b435d164b0..0e0c08a18a1 100644
--- a/.rubocop_todo/rspec/file_path.yml
+++ b/.rubocop_todo/rspec/file_path.yml
@@ -65,6 +65,7 @@ RSpec/FilePath:
     - 'spec/services/ci/create_pipeline_service/rate_limit_spec.rb'
     - 'spec/services/ci/create_pipeline_service/rules_spec.rb'
     - 'spec/services/ci/create_pipeline_service/scripts_spec.rb'
+    - 'spec/services/ci/create_pipeline_service/run_spec.rb'
     - 'spec/services/ci/create_pipeline_service/tags_spec.rb'
     - 'spec/services/ci/create_pipeline_service/variables_spec.rb'
     - 'spec/services/ci/create_pipeline_service/workflow_auto_cancel_spec.rb'
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index df8e0d57ff2..3442df5ec66 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-47c3c8bc2d5a93e83eee6b250a06e4c39d9c929c
+8274bcec3ce5fd5059d83e724a4671bc3dcd2d68
diff --git a/Gemfile b/Gemfile
index 5cf4d505cfb..cdb2f98b438 100644
--- a/Gemfile
+++ b/Gemfile
@@ -565,7 +565,7 @@ group :test do
   # Moved in `test` because https://gitlab.com/gitlab-org/gitlab/-/issues/217527
   gem 'derailed_benchmarks', require: false # rubocop:todo Gemfile/MissingFeatureCategory
 
-  gem 'gitlab_quality-test_tooling', '~> 1.30.0', require: false, feature_category: :tooling
+  gem 'gitlab_quality-test_tooling', '~> 1.31.0', require: false, feature_category: :tooling
 end
 
 gem 'octokit', '~> 9.0', feature_category: :importers
diff --git a/Gemfile.checksum b/Gemfile.checksum
index d3c067ceca2..ff2b8b6d617 100644
--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@@ -234,7 +234,7 @@
 {"name":"gitlab-styles","version":"12.0.1","platform":"ruby","checksum":"d8a302b0ab0e1f18e2d11501760f1b85c5e70b5e5ca628828a0786c7984ed133"},
 {"name":"gitlab_chronic_duration","version":"0.12.0","platform":"ruby","checksum":"0d766944d415b5c831f176871ee8625783fc0c5bfbef2d79a3a616f207ffc16d"},
 {"name":"gitlab_omniauth-ldap","version":"2.2.0","platform":"ruby","checksum":"bb4d20acb3b123ed654a8f6a47d3fac673ece7ed0b6992edb92dca14bad2838c"},
-{"name":"gitlab_quality-test_tooling","version":"1.30.0","platform":"ruby","checksum":"06722db6aed571e2ec22e04a4179215cf0b49c9658ef14f71b8bd2245bc0c56c"},
+{"name":"gitlab_quality-test_tooling","version":"1.31.0","platform":"ruby","checksum":"c13d38f2ba01469179db7211008722b1f4a55270cca561d832b1eee438124f52"},
 {"name":"globalid","version":"1.1.0","platform":"ruby","checksum":"b337e1746f0c8cb0a6c918234b03a1ddeb4966206ce288fbb57779f59b2d154f"},
 {"name":"gon","version":"6.4.0","platform":"ruby","checksum":"e3a618d659392890f1aa7db420f17c75fd7d35aeb5f8fe003697d02c4b88d2f0"},
 {"name":"google-apis-androidpublisher_v3","version":"0.34.0","platform":"ruby","checksum":"d7e1d7dd92f79c498fe2082222a1740d788e022e660c135564b3fd299cab5425"},
diff --git a/Gemfile.lock b/Gemfile.lock
index f63e5f1e39a..317aaa3dc73 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -754,7 +754,7 @@ GEM
       omniauth (>= 1.3, < 3)
       pyu-ruby-sasl (>= 0.0.3.3, < 0.1)
       rubyntlm (~> 0.5)
-    gitlab_quality-test_tooling (1.30.0)
+    gitlab_quality-test_tooling (1.31.0)
       activesupport (>= 7.0, < 7.2)
       amatch (~> 0.4.1)
       gitlab (~> 4.19)
@@ -2044,7 +2044,7 @@ DEPENDENCIES
   gitlab-utils!
   gitlab_chronic_duration (~> 0.12)
   gitlab_omniauth-ldap (~> 2.2.0)
-  gitlab_quality-test_tooling (~> 1.30.0)
+  gitlab_quality-test_tooling (~> 1.31.0)
   gon (~> 6.4.0)
   google-apis-androidpublisher_v3 (~> 0.34.0)
   google-apis-cloudbilling_v1 (~> 0.21.0)
diff --git a/app/assets/javascripts/editor/schema/ci.json b/app/assets/javascripts/editor/schema/ci.json
index d6d427b8261..8ecb23b732a 100644
--- a/app/assets/javascripts/editor/schema/ci.json
+++ b/app/assets/javascripts/editor/schema/ci.json
@@ -880,6 +880,49 @@
         }
       ]
     },
+    "steps": {
+      "type": "array",
+      "items": {
+        "oneOf": [
+          {
+            "required": [
+              "step"
+            ]
+          },
+          {
+            "required": [
+              "script"
+            ]
+          }
+        ],
+        "properties": {
+          "name": {
+            "type": "string",
+            "description": "Unique identifier for this step."
+          },
+          "step": {
+            "type": "string",
+            "description": "Reference to the step to invoke."
+          },
+          "env": {
+            "$ref": "#/definitions/globalVariables"
+          },
+          "inputs": {
+            "$ref": "#/definitions/inputs"
+          },
+          "script": {
+            "type": "string",
+            "description": "Shell script to evaluate."
+          }
+        },
+        "additionalProperties": false,
+        "type": "object",
+        "required": [
+          "name"
+        ],
+        "description": "A single step invocation."
+      }
+    },
     "optional_script": {
       "oneOf": [
         {
@@ -1742,6 +1785,10 @@
           "$ref": "#/definitions/script",
           "markdownDescription": "Shell scripts executed by the Runner. The only required property of jobs. Be careful with special characters (e.g. `:`, `{`, `}`, `&`) and use single or double quotes to avoid issues. [Learn More](https://docs.gitlab.com/ee/ci/yaml/#script)"
         },
+        "run": {
+          "$ref": "#/definitions/steps",
+          "markdownDescription": "Specifies a list of steps to execute in the job. The `run` keyword is an alternative to `script` and allows for more advanced job configuration. Each step is an object that defines a single task or command. Use either `run` or `script` in a job, but not both, otherwise the pipeline will error out."
+        },
         "stage": {
           "description": "Define what stage the job will run in.",
           "anyOf": [
diff --git a/app/assets/javascripts/issues/list/components/issue_card_time_info.vue b/app/assets/javascripts/issues/list/components/issue_card_time_info.vue
index 5945a329759..8bc6896a87a 100644
--- a/app/assets/javascripts/issues/list/components/issue_card_time_info.vue
+++ b/app/assets/javascripts/issues/list/components/issue_card_time_info.vue
@@ -97,11 +97,7 @@ export default {
 
 <template>
   <span>
-    <span
-      v-if="milestone"
-      class="issuable-milestone gl-mr-3 gl-text-truncate gl-max-w-26 gl-display-inline-block gl-align-bottom"
-      data-testid="issuable-milestone"
-    >
+    <span v-if="milestone" class="issuable-milestone gl-mr-3" data-testid="issuable-milestone">
       <gl-link
         v-gl-tooltip
         :href="milestoneLink"
diff --git a/app/assets/javascripts/pages/projects/shared/permissions/components/settings_panel.vue b/app/assets/javascripts/pages/projects/shared/permissions/components/settings_panel.vue
index 5154ff309d4..4ca6defff6c 100644
--- a/app/assets/javascripts/pages/projects/shared/permissions/components/settings_panel.vue
+++ b/app/assets/javascripts/pages/projects/shared/permissions/components/settings_panel.vue
@@ -77,7 +77,7 @@ export default {
     ),
     duoLabel: s__('ProjectSettings|GitLab Duo'),
     duoHelpText: s__('ProjectSettings|Use AI-powered features in this project.'),
-    securityAndComplianceLabel: s__('ProjectSettings|Security and Compliance'),
+    securityAndComplianceLabel: s__('ProjectSettings|Security and compliance'),
     snippetsLabel: s__('ProjectSettings|Snippets'),
     wikiLabel: s__('ProjectSettings|Wiki'),
     pucWarningLabel: s__('ProjectSettings|Warn about Potentially Unwanted Characters'),
diff --git a/app/assets/javascripts/security_configuration/utils.js b/app/assets/javascripts/security_configuration/utils.js
index aa0f4bf92cd..ac83f21c1d2 100644
--- a/app/assets/javascripts/security_configuration/utils.js
+++ b/app/assets/javascripts/security_configuration/utils.js
@@ -11,7 +11,7 @@ import { REPORT_TYPE_DAST } from '~/vue_shared/security_reports/constants';
  * It then filters out any scanner features that lack a security config for rednering in the UI
  * @param [{}] features
  * @param {Object} securityFeatures Object containing client side UI options
- * @returns {Object} Object with enriched features from constants divided into Security and Compliance Features
+ * @returns {Object} Object with enriched features from constants divided into Security and compliance Features
  */
 
 export const augmentFeatures = (securityFeatures, features = []) => {
diff --git a/app/controllers/concerns/integrations/actions.rb b/app/controllers/concerns/integrations/actions.rb
index d936247d8c8..682759ff873 100644
--- a/app/controllers/concerns/integrations/actions.rb
+++ b/app/controllers/concerns/integrations/actions.rb
@@ -13,8 +13,8 @@ module Integrations::Actions
     before_action :integration, only: [:edit, :update, :overrides, :test]
     # rubocop:enable Rails/LexicallyScopedActionFilter
 
-    before_action :render_404, only: :edit, if: -> do
-      integration.to_param == 'prometheus' && Feature.enabled?(:remove_monitor_metrics)
+    before_action :render_404, only: [:edit, :update, :overrides, :test], if: -> do
+      integration.is_a?(::Integrations::Prometheus) && Feature.enabled?(:remove_monitor_metrics)
     end
 
     urgency :low, [:test]
diff --git a/app/controllers/projects/settings/integrations_controller.rb b/app/controllers/projects/settings/integrations_controller.rb
index fb304a5b77c..d1a38070d9f 100644
--- a/app/controllers/projects/settings/integrations_controller.rb
+++ b/app/controllers/projects/settings/integrations_controller.rb
@@ -13,6 +13,10 @@ module Projects
       before_action :web_hook_logs, only: [:edit, :update]
       before_action -> { check_test_rate_limit! }, only: :test
 
+      before_action :render_404, only: [:edit, :update, :test], if: -> do
+        integration.is_a?(::Integrations::Prometheus) && Feature.enabled?(:remove_monitor_metrics)
+      end
+
       respond_to :html
 
       layout "project_settings"
@@ -24,9 +28,7 @@ module Projects
         @integrations = @project.find_or_initialize_integrations
       end
 
-      def edit
-        render_404 if integration.to_param == 'prometheus' && Feature.enabled?(:remove_monitor_metrics)
-      end
+      def edit; end
 
       def update
         attributes = integration_params[:integration]
diff --git a/app/finders/banzai/uploads_finder.rb b/app/finders/banzai/uploads_finder.rb
index e05e426e27e..28dc83b907c 100644
--- a/app/finders/banzai/uploads_finder.rb
+++ b/app/finders/banzai/uploads_finder.rb
@@ -2,6 +2,8 @@
 
 module Banzai
   class UploadsFinder
+    include FinderMethods
+
     def initialize(parent:)
       @parent = parent
     end
diff --git a/app/finders/organizations/groups_finder.rb b/app/finders/organizations/groups_finder.rb
index a86f8d77ec3..89cd6fa9b4c 100644
--- a/app/finders/organizations/groups_finder.rb
+++ b/app/finders/organizations/groups_finder.rb
@@ -4,7 +4,7 @@ module Organizations
   class GroupsFinder < GroupsFinder
     def execute
       groups = find_union(filtered_groups, Group)
-      groups = groups.without_deleted if Feature.enabled?(:filter_deleted_groups, current_user)
+      groups = groups.without_deleted
 
       unless default_organization?
         cte = Gitlab::SQL::CTE.new(:filtered_groups_cte, groups, materialized: false)
diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb
index d9f9c10aa54..7ac97f451de 100644
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -233,7 +233,7 @@ module Ci
           yaml_variables when environment coverage_regex
           description tag_list protected needs_attributes
           job_variables_attributes resource_group scheduling_type
-          ci_stage partition_id id_tokens interruptible].freeze
+          ci_stage partition_id id_tokens interruptible execution_config_id].freeze
       end
 
       def supported_keyset_orderings
diff --git a/app/models/upload.rb b/app/models/upload.rb
index bad9fb660af..1ebcac75baa 100644
--- a/app/models/upload.rb
+++ b/app/models/upload.rb
@@ -20,6 +20,7 @@ class Upload < ApplicationRecord
   scope :for_model_type_and_id, ->(type, id) { where(model_type: type, model_id: id) }
   scope :for_uploader, ->(uploader_class) { where(uploader: uploader_class.to_s) }
   scope :order_by_created_at_desc, -> { reorder(created_at: :desc) }
+  scope :preload_uploaded_by_user, -> { preload(:uploaded_by_user) }
 
   before_save :calculate_checksum!, if: :foreground_checksummable?
   # as the FileUploader is not mounted, the default CarrierWave ActiveRecord
@@ -98,7 +99,7 @@ class Upload < ApplicationRecord
   # @return [GitlabUploader] one of the subclasses, defined at the model's uploader attribute
   def retrieve_uploader(mounted_as = nil)
     build_uploader(mounted_as).tap do |uploader|
-      uploader.retrieve_from_store!(identifier)
+      uploader.retrieve_from_store!(filename)
     end
   end
 
@@ -124,7 +125,7 @@ class Upload < ApplicationRecord
 
   def uploader_context
     {
-      identifier: identifier,
+      identifier: filename,
       secret: secret,
       uploaded_by_user_id: uploaded_by_user_id
     }.compact
@@ -144,6 +145,10 @@ class Upload < ApplicationRecord
     checksum.nil? && local? && exist?
   end
 
+  def filename
+    File.basename(path)
+  end
+
   private
 
   def delete_file!
@@ -166,10 +171,6 @@ class Upload < ApplicationRecord
     Object.const_get(uploader, false)
   end
 
-  def identifier
-    File.basename(path)
-  end
-
   def mount_point
     super&.to_sym
   end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index a9ad133c023..249c52bf330 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -256,6 +256,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     enable :create_jira_connect_subscription
     enable :maintainer_access
     enable :read_upload
+    enable :admin_upload
     enable :destroy_upload
     enable :admin_push_rules
   end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 3a6b07c3f8d..2fd481310a1 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -613,6 +613,7 @@ class ProjectPolicy < BasePolicy
     enable :admin_project_aws
     enable :admin_secure_files
     enable :read_upload
+    enable :admin_upload
     enable :destroy_upload
     enable :admin_incident_management_timeline_event_tag
     enable :stop_environment
diff --git a/app/validators/json_schema_validator.rb b/app/validators/json_schema_validator.rb
index f661392082f..7dce1bbbf16 100644
--- a/app/validators/json_schema_validator.rb
+++ b/app/validators/json_schema_validator.rb
@@ -25,7 +25,7 @@ class JsonSchemaValidator < ActiveModel::EachValidator
   end
 
   def validate_each(record, attribute, value)
-    value = value.to_h.deep_stringify_keys if options[:hash_conversion] == true
+    value = Gitlab::Json.parse(Gitlab::Json.dump(value)) if options[:hash_conversion] == true
     value = Gitlab::Json.parse(value.to_s) if options[:parse_json] == true && !value.nil?
 
     if options[:detail_errors]
diff --git a/app/views/projects/merge_requests/_merge_request.html.haml b/app/views/projects/merge_requests/_merge_request.html.haml
index 171a36fac97..809572eab21 100644
--- a/app/views/projects/merge_requests/_merge_request.html.haml
+++ b/app/views/projects/merge_requests/_merge_request.html.haml
@@ -26,13 +26,13 @@
           &middot;
           #{s_('IssueList|created %{timeAgoString} by %{user}').html_safe % { timeAgoString: time_ago_with_tooltip(merge_request.created_at, placement: 'bottom'), user: link_to_member(@project, merge_request.author, avatar: false, extra_class: 'gl-text-gray-500!') }}
         - if merge_request.milestone
-          %span.issuable-milestone.gl-inline-block.gl-text-truncate.gl-max-w-26.gl-align-bottom
+          %span.issuable-milestone.gl-inline-block
             &nbsp;
             = link_to project_merge_requests_path(merge_request.project, milestone_title: merge_request.milestone.title), class: 'gl-text-gray-500!', data: { html: 'true', toggle: 'tooltip', title: milestone_tooltip_due_date(merge_request.milestone) } do
               = sprite_icon('milestone', size: 12, css_class: 'gl-vertical-align-text-bottom')
               = merge_request.milestone.title
         - if merge_request.target_project.default_branch != merge_request.target_branch
-          %span.project-ref-path.has-tooltip.gl-inline-block.gl-text-truncate.gl-max-w-26.gl-align-bottom{ title: _('Target branch: %{target_branch}') % {target_branch: merge_request.target_branch} }
+          %span.project-ref-path.has-tooltip.gl-inline-block{ title: _('Target branch: %{target_branch}') % {target_branch: merge_request.target_branch} }
             &nbsp;
             = link_to project_ref_path(merge_request.project, merge_request.target_branch), class: 'ref-name gl-text-gray-500!' do
               = sprite_icon('branch', size: 12, css_class: 'fork-sprite')
diff --git a/config/feature_flags/gitlab_com_derisk/filter_deleted_groups.yml b/config/feature_flags/gitlab_com_derisk/pipeline_run_keyword.yml
similarity index 73%
rename from config/feature_flags/gitlab_com_derisk/filter_deleted_groups.yml
rename to config/feature_flags/gitlab_com_derisk/pipeline_run_keyword.yml
index 526066186cd..86c253dc277 100644
--- a/config/feature_flags/gitlab_com_derisk/filter_deleted_groups.yml
+++ b/config/feature_flags/gitlab_com_derisk/pipeline_run_keyword.yml
@@ -1,9 +1,9 @@
 ---
-name: filter_deleted_groups
-feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/455871
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158309
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/470628
+name: pipeline_run_keyword
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/440487
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146333
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/471925
 milestone: '17.2'
-group: group::tenant scale
+group: group::pipeline authoring
 type: gitlab_com_derisk
 default_enabled: false
diff --git a/doc/administration/custom_project_templates.md b/doc/administration/custom_project_templates.md
index dcd8ad0933a..04559d48977 100644
--- a/doc/administration/custom_project_templates.md
+++ b/doc/administration/custom_project_templates.md
@@ -57,7 +57,7 @@ Prerequisites:
 1. Review the project's
    [feature settings](../user/project/settings/index.md#configure-project-features-and-permissions).
    All enabled project features should be set to **Everyone With Access**, except
-   **GitLab Pages** and **Security and Compliance**.
+   **GitLab Pages** and **Security and compliance**.
 
 Repository and database information that are copied over to each new project are
 identical to the data exported with the [GitLab Project Import/Export](../user/project/settings/import_export.md).
diff --git a/doc/administration/settings/security_and_compliance.md b/doc/administration/settings/security_and_compliance.md
index f3f6e3b3e1d..2770ff319bd 100644
--- a/doc/administration/settings/security_and_compliance.md
+++ b/doc/administration/settings/security_and_compliance.md
@@ -4,7 +4,7 @@ group: Composition Analysis
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
 ---
 
-# Security and Compliance Admin area settings
+# Security and compliance Admin area settings
 
 DETAILS:
 **Tier:** Ultimate
@@ -17,7 +17,7 @@ The settings for package metadata synchronization are located in the [Admin area
 To choose the packages you want to synchronize with the GitLab Package Metadata Database for [License Compliance](../../user/compliance/license_scanning_of_cyclonedx_files/index.md) and [Continuous Vulnerability Scanning](../../user/application_security/continuous_vulnerability_scanning/index.md):
 
 1. On the left sidebar, at the bottom, select **Admin area**.
-1. Select **Settings > Security and Compliance**.
+1. Select **Settings > Security and compliance**.
 1. In **Package registry metadata to sync**, select or clear checkboxes for the
    package registries that you want to sync.
 1. Select **Save changes**.
diff --git a/doc/api/groups.md b/doc/api/groups.md
index 6ebac6295ff..870b70d727f 100644
--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -1701,6 +1701,99 @@ Example response:
 }
 ```
 
+## Markdown uploads
+
+Markdown uploads are files uploaded to a group that can be referenced in Markdown text in an epic or wiki page.
+
+### List uploads
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157066) in GitLab 17.2.
+
+Get all uploads of the group sorted by `created_at` in descending order.
+
+You must have at least the Maintainer role to use this endpoint.
+
+```plaintext
+GET /groups/:id/uploads
+```
+
+| Attribute | Type              | Required | Description |
+|-----------|-------------------|----------|-------------|
+| `id`      | integer or string | Yes      | The ID or [URL-encoded path of the group](rest/index.md#namespaced-path-encoding). |
+
+Example request:
+
+```shell
+curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/5/uploads"
+```
+
+Returned object:
+
+```json
+[
+  {
+    "id": 1,
+    "size": 1024,
+    "filename": "image.png",
+    "created_at":"2024-06-20T15:53:03.067Z",
+    "uploaded_by": {
+      "id": 18,
+      "name" : "Alexandra Bashirian",
+      "username" : "eileen.lowe"
+    }
+  },
+  {
+    "id": 2,
+    "size": 512,
+    "filename": "other-image.png",
+    "created_at":"2024-06-19T15:53:03.067Z",
+    "uploaded_by": null
+  }
+]
+```
+
+### Download an uploaded file
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157066) in GitLab 17.2.
+
+You must have at least the Maintainer role to use this endpoint.
+
+```plaintext
+GET /groups/:id/uploads/:upload_id
+```
+
+| Attribute   | Type              | Required | Description |
+|-------------|-------------------|----------|-------------|
+| `id`        | integer or string | Yes      | The ID or [URL-encoded path of the group](rest/index.md#namespaced-path-encoding). |
+| `upload_id` | integer           | Yes      | The ID of the upload. |
+
+Example request:
+
+```shell
+curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/5/uploads/1"
+```
+
+### Delete an uploaded file
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157066) in GitLab 17.2.
+
+You must have at least the Maintainer role to use this endpoint.
+
+```plaintext
+DELETE /groups/:id/uploads/:upload_id
+```
+
+| Attribute   | Type              | Required | Description |
+|-------------|-------------------|----------|-------------|
+| `id`        | integer or string | Yes      | The ID or [URL-encoded path of the group](rest/index.md#namespaced-path-encoding). |
+| `upload_id` | integer           | Yes      | The ID of the upload. |
+
+Example request:
+
+```shell
+curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/5/uploads/1"
+```
+
 ## Hooks
 
 DETAILS:
diff --git a/doc/api/integrations.md b/doc/api/integrations.md
index 13b9bbee47b..4c351e12187 100644
--- a/doc/api/integrations.md
+++ b/doc/api/integrations.md
@@ -99,7 +99,7 @@ Parameters:
 | `app_store_private_key_file_name` | string | yes | Apple App Store Connect private key filename. |
 | `app_store_private_key` | string | yes | Apple App Store Connect private key. |
 | `app_store_protected_refs` | boolean | no | Set variables on protected branches and tags only. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Apple App Store Connect
 
@@ -133,7 +133,7 @@ Parameters:
 | --------- | ---- | -------- | ----------- |
 | `api_key` | string | yes | User API token. The user must have access to the task. All comments are attributed to this user. |
 | `restrict_to_branch` | string | no | Comma-separated list of branches to be automatically inspected. Leave blank to include all branches. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Asana
 
@@ -167,7 +167,7 @@ Parameters:
 | --------- | ---- | -------- | ----------- |
 | `token` | string | yes | The authentication token. |
 | `subdomain` | string | no | The subdomain setting. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Assembla
 
@@ -206,7 +206,7 @@ Parameters:
 | `build_key` | string | yes | Bamboo build plan key (for example, `KEY`). |
 | `username` | string | yes | User with API access to the Bamboo server. |
 | `password` | string | yes | Password of the user. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Atlassian Bamboo
 
@@ -241,7 +241,7 @@ Parameters:
 | `new_issue_url` | string | yes |  URL of the new issue. |
 | `issues_url` | string | yes | URL of the issue. |
 | `project_url` | string | yes | URL of the project. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Bugzilla
 
@@ -279,7 +279,7 @@ Parameters:
 | `push_events` | boolean | no | Enable notifications for push events. |
 | `merge_requests_events` | boolean | no | Enable notifications for merge request events. |
 | `tag_push_events` | boolean | no | Enable notifications for tag push events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Buildkite
 
@@ -317,7 +317,7 @@ Parameters:
 | `token`       | string  | yes     | API authentication token from Campfire Classic. To get the token, sign in to Campfire Classic and select **My info**. |
 | `subdomain`   | string  | no    | `.campfirenow.com` subdomain when you're signed in. |
 | `room`        | string  | no    | ID portion of the Campfire Classic room URL. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Campfire Classic
 
@@ -353,7 +353,7 @@ Parameters:
 | ------------- | ------ | -------- | -------------- |
 | `issues_url`  | string | yes     | URL of the issue.     |
 | `project_url` | string | yes     | URL of the project.   |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable ClickUp
 
@@ -386,7 +386,7 @@ Parameters:
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `confluence_url` | string | yes | URL of the Confluence Workspace hosted on `atlassian.net`. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Confluence Workspace
 
@@ -421,7 +421,7 @@ Parameters:
 | `new_issue_url` | string | yes |  URL of the new issue. |
 | `issues_url` | string | yes | URL of the issue. |
 | `project_url` | string | yes | URL of the project. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable a custom issue tracker
 
@@ -460,7 +460,7 @@ Parameters:
 | `datadog_site`         | string  | no    | The Datadog site to send data to. To send data to the EU site, use `datadoghq.eu`.                                                                                                      |
 | `datadog_tags`         | string  | no    | Custom tags in Datadog. Specify one tag per line in the format `key:value\nkey2:value2`                                                                                                 |
 | `archive_trace_events` | boolean | no    | When enabled, job logs are collected by Datadog and displayed along with pipeline execution traces ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/346339) in GitLab 15.3). |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Datadog
 
@@ -495,7 +495,7 @@ Parameters:
 | `diffblue_license_key` | string | yes | Diffblue Cover license key. |
 | `diffblue_access_token_name` | string | yes | Access token name used by Diffblue Cover in pipelines. |
 | `diffblue_access_token_secret` | string  | yes | Access token secret used by Diffblue Cover in pipelines. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Diffblue Cover
 
@@ -556,7 +556,7 @@ Parameters:
 | `tag_push_channel` | string | no | The webhook override to receive notifications for tag push events. |
 | `wiki_page_events` | boolean | no | Enable notifications for wiki page events. |
 | `wiki_page_channel` | string | no | The webhook override to receive notifications for wiki page events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Discord Notifications
 
@@ -594,7 +594,7 @@ Parameters:
 | `push_events` | boolean | no | Enable notifications for push events. |
 | `merge_requests_events` | boolean | no | Enable notifications for merge request events. |
 | `tag_push_events` | boolean | no | Enable notifications for tag push events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Drone
 
@@ -632,7 +632,7 @@ Parameters:
 | `push_events` | boolean | no | Enable notifications for push events. |
 | `tag_push_events` | boolean | no | Enable notifications for tag push events. |
 | `branches_to_be_notified` | string | no | Branches to send notifications for. Valid options are `all`, `default`, `protected`, and `default_and_protected`. Notifications are always fired for tag pushes. The default value is `all`. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable emails on push
 
@@ -667,7 +667,7 @@ Parameters:
 | `new_issue_url` | string | yes | URL of the new issue. |
 | `project_url`   | string | yes | URL of the project. |
 | `issues_url`    | string | yes | URL of the issue. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable EWM
 
@@ -700,7 +700,7 @@ Parameters:
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `external_wiki_url` | string | yes | URL of the external wiki. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable an external wiki
 
@@ -760,7 +760,7 @@ Parameters:
 | Parameter | Type | Required | Description                                   |
 | --------- | ---- | -------- |-----------------------------------------------|
 | `token` | string | yes | GitGuardian API token with `scan` scope. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable GitGuardian
 
@@ -799,7 +799,7 @@ Parameters:
 | `token` | string | yes | GitHub API token with `repo:status` OAuth scope. |
 | `repository_url` | string | yes | GitHub repository URL. |
 | `static_context` | boolean | no | Append the hostname of your GitLab instance to the [status check name](../user/project/integrations/github.md#static-or-dynamic-status-check-names). |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable GitHub
 
@@ -853,7 +853,7 @@ Parameters:
 | `tag_push_events` | boolean | no | Enable notifications for tag push events. |
 | `vulnerability_events` | boolean | no | Enable notifications for vulnerability events. |
 | `wiki_page_events` | boolean | no | Enable notifications for wiki page events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable GitLab for Slack app
 
@@ -898,7 +898,7 @@ Parameters:
 | `confidential_note_events` | boolean | no | Enable notifications for confidential note events. |
 | `pipeline_events` | boolean | no | Enable notifications for pipeline events. |
 | `wiki_page_events` | boolean | no | Enable notifications for wiki page events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Google Chat
 
@@ -943,7 +943,7 @@ Parameters:
 | `artifact_registry_project_id` | string | yes | ID of the Google Cloud project. |
 | `artifact_registry_location` | string | yes | Location of the Artifact Registry repository. |
 | `artifact_registry_repositories` | string | yes | Repository of Artifact Registry. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Google Artifact Management
 
@@ -989,7 +989,7 @@ Parameters:
 | `workload_identity_federation_project_number` | integer | yes | Google Cloud project number for the Workload Identity Federation. |
 | `workload_identity_pool_id` | string | yes | ID of the Workload Identity Pool. |
 | `workload_identity_pool_provider_id` | string | yes | ID of the Workload Identity Pool provider. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Google Cloud Identity and Access Management
 
@@ -1025,7 +1025,7 @@ Parameters:
 | `service_account_key` | string | yes | Google Play service account key. |
 | `service_account_key_file_name` | string | yes | File name of the Google Play service account key. |
 | `google_play_protected_refs` | boolean | no | Set variables on protected branches and tags only. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Google Play
 
@@ -1061,7 +1061,7 @@ Parameters:
 | `project_name` | string | yes | The name of the project in the Harbor instance. For example, `testproject`. |
 | `username` | string | yes | The username created in the Harbor interface. |
 | `password` | string | yes | The password of the user. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Harbor
 
@@ -1098,7 +1098,7 @@ Parameters:
 | `server_host` | string | no | localhost. |
 | `server_port` | integer | no | 6659. |
 | `colorize_messages` | boolean | no | Colorize messages. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable irker
 
@@ -1138,7 +1138,7 @@ Parameters:
 | `push_events` | boolean | no | Enable notifications for push events. |
 | `merge_requests_events` | boolean | no | Enable notifications for merge request events. |
 | `tag_push_events` | boolean | no | Enable notifications for tag push events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Jenkins
 
@@ -1180,7 +1180,7 @@ Parameters:
 | `password` | string | yes | The password of the user. |
 | `push_events` | boolean | no | Enable notifications for push events. |
 | `merge_requests_events` | boolean | no | Enable notifications for merge request events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable JetBrains TeamCity
 
@@ -1227,7 +1227,7 @@ Parameters:
 | `comment_on_event_enabled` | boolean | no | Enable comments in Jira issues on each GitLab event (commit or merge request). |
 | `issues_enabled` | boolean | no | Enable viewing Jira issues in GitLab. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/267015) in GitLab 17.0. |
 | `project_keys` | array of strings | no | Keys of Jira projects. When `issues_enabled` is `true`, this setting specifies which Jira projects to view issues from in GitLab. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/267015) in GitLab 17.0. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Jira
 
@@ -1285,7 +1285,7 @@ Parameters:
 | `tag_push_channel` | string | no | The name of the channel to receive notifications for tag push events. |
 | `pipeline_channel` | string | no | The name of the channel to receive notifications for pipeline events. |
 | `wiki_page_channel` | string | no | The name of the channel to receive notifications for wiki page events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Mattermost notifications
 
@@ -1318,7 +1318,7 @@ Parameters:
 | Parameter | Type   | Required | Description           |
 | --------- | ------ | -------- | --------------------- |
 | `token`   | string | yes      | The Mattermost token. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Mattermost slash commands
 
@@ -1363,7 +1363,7 @@ Parameters:
 | `confidential_note_events` | boolean | no | Enable notifications for confidential note events. |
 | `pipeline_events` | boolean | no | Enable notifications for pipeline events. |
 | `wiki_page_events` | boolean | no | Enable notifications for wiki page events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Microsoft Teams notifications
 
@@ -1400,7 +1400,7 @@ Parameters:
 | --------- | ---- | -------- | ----------- |
 | `mock_service_url` | string | yes | URL of the Mock CI integration. |
 | `enable_ssl_verification` | boolean | no | Enable SSL verification. Defaults to `true` (enabled). |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Mock CI
 
@@ -1438,7 +1438,7 @@ Parameters:
 | `push_events` | boolean | no | Enable notifications for push events. |
 | `merge_requests_events` | boolean | no | Enable notifications for merge request events. |
 | `tag_push_events` | boolean | no | Enable notifications for tag push events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Packagist
 
@@ -1474,7 +1474,7 @@ Parameters:
 |-----------------|--------|----------|-----------------------|
 | `issues_url`    | string | yes     | URL of the issue.     |
 | `project_url`   | string | yes     | URL of the project.   |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Phorge
 
@@ -1511,7 +1511,7 @@ Parameters:
 | `branches_to_be_notified` | string | no | Branches to send notifications for. Valid options are `all`, `default`, `protected`, and `default_and_protected`. The default value is `default`. |
 | `notify_only_default_branch` | boolean | no | Send notifications for the default branch. |
 | `pipeline_events` | boolean | no | Enable notifications for pipeline events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable pipeline status emails
 
@@ -1545,7 +1545,7 @@ Parameters:
 | --------- | ---- | -------- | ----------- |
 | `token` | string | yes | The Pivotal Tracker token. |
 | `restrict_to_branch` | boolean | no | Comma-separated list of branches to automatically inspect. Leave blank to include all branches. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Pivotal Tracker
 
@@ -1589,7 +1589,7 @@ Parameters:
 | `push_events` | boolean | no | Enable notifications for push events. |
 | `tag_push_events` | boolean | no | Enable notifications for tag push events. |
 | `wiki_page_events` | boolean | no | Enable notifications for wiki page events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Pumble
 
@@ -1626,7 +1626,7 @@ Parameters:
 | `priority` | string | yes | The priority. |
 | `device` | string | no | Leave blank for all active devices. |
 | `sound` | string | no | The sound of the notification. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Pushover
 
@@ -1661,7 +1661,7 @@ Parameters:
 | `new_issue_url` | string | yes | URL of the new issue. |
 | `project_url` | string | yes | URL of the project. |
 | `issues_url` | string | yes | URL of the issue. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Redmine
 
@@ -1727,7 +1727,7 @@ Parameters:
 | `tag_push_events` | boolean | no | Enable notifications for tag push events. |
 | `wiki_page_channel` | string | no | The name of the channel to receive notifications for wiki page events. |
 | `wiki_page_events` | boolean | no | Enable notifications for wiki page events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Slack notifications
 
@@ -1760,7 +1760,7 @@ Parameters:
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `token` | string | yes | The Slack token. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Slack slash commands
 
@@ -1822,7 +1822,7 @@ Parameters:
 |-------------------------|--------|----------|-------------------------------|
 | `url`                   | string | yes      | URL of the Squash TM webhook. |
 | `token`                 | string | no       | Secret token.                 |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Squash TM
 
@@ -1869,7 +1869,7 @@ Parameters:
 | `confidential_note_events` | boolean | yes | Enable notifications for confidential note events. |
 | `pipeline_events` | boolean | yes | Enable notifications for pipeline events. |
 | `wiki_page_events` | boolean | yes | Enable notifications for wiki page events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Telegram
 
@@ -1913,7 +1913,7 @@ Parameters:
 | `confidential_note_events` | boolean | no | Enable notifications for confidential note events. |
 | `pipeline_events` | boolean | no | Enable notifications for pipeline events. |
 | `wiki_page_events` | boolean | no | Enable notifications for wiki page events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Unify Circuit
 
@@ -1957,7 +1957,7 @@ Parameters:
 | `confidential_note_events` | boolean | no | Enable notifications for confidential note events. |
 | `pipeline_events` | boolean | no | Enable notifications for pipeline events. |
 | `wiki_page_events` | boolean | no | Enable notifications for wiki page events. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable Webex Teams
 
@@ -1991,7 +1991,7 @@ Parameters:
 | --------- | ---- | -------- | ----------- |
 | `issues_url` | string | yes | URL of the issue. |
 | `project_url` | string | yes | URL of the project. |
-| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. |
+| `use_inherited_settings` | boolean | no | Indicates whether or not to inherit default settings. Defaults to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/467089) in GitLab 17.2. |
 
 ### Disable YouTrack
 
diff --git a/doc/api/projects.md b/doc/api/projects.md
index c25253c2416..b7fcaf6ac01 100644
--- a/doc/api/projects.md
+++ b/doc/api/projects.md
@@ -2599,7 +2599,11 @@ POST /projects/:id/restore
 |-----------|-------------------|----------|-------------|
 | `id`      | integer or string | Yes      | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding). |
 
-## Upload a file
+## Markdown uploads
+
+Markdown uploads are files uploaded to a project that can be referenced in Markdown text in an issue, merge request, snippet, or wiki page.
+
+### Upload a file
 
 > - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/112450) in GitLab 15.10. Feature flag `enforce_max_attachment_size_upload_api` removed.
 
@@ -2640,6 +2644,95 @@ The returned `url` is relative to the project path. The returned `full_path` is
 the absolute path to the file. In Markdown contexts, the link is expanded when
 the format in `markdown` is used.
 
+### List uploads
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157066) in GitLab 17.2.
+
+Get all uploads of the project sorted by `created_at` in descending order.
+
+You must have at least the Maintainer role to use this endpoint.
+
+```plaintext
+GET /projects/:id/uploads
+```
+
+| Attribute | Type              | Required | Description |
+|-----------|-------------------|----------|-------------|
+| `id`      | integer or string | Yes      | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding). |
+
+Example request:
+
+```shell
+curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/5/uploads"
+```
+
+Returned object:
+
+```json
+[
+  {
+    "id": 1,
+    "size": 1024,
+    "filename": "image.png",
+    "created_at":"2024-06-20T15:53:03.067Z",
+    "uploaded_by": {
+      "id": 18,
+      "name" : "Alexandra Bashirian",
+      "username" : "eileen.lowe"
+    }
+  },
+  {
+    "id": 2,
+    "size": 512,
+    "filename": "other-image.png",
+    "created_at":"2024-06-19T15:53:03.067Z",
+    "uploaded_by": null
+  }
+]
+```
+
+### Download an uploaded file
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157066) in GitLab 17.2.
+
+You must have at least the Maintainer role to use this endpoint.
+
+```plaintext
+GET /projects/:id/uploads/:upload_id
+```
+
+| Attribute   | Type              | Required | Description |
+|-------------|-------------------|----------|-------------|
+| `id`        | integer or string | Yes      | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding). |
+| `upload_id` | integer           | Yes      | The ID of the upload. |
+
+Example request:
+
+```shell
+curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/5/uploads/1"
+```
+
+### Delete an uploaded file
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157066) in GitLab 17.2.
+
+You must have at least the Maintainer role to use this endpoint.
+
+```plaintext
+DELETE /projects/:id/uploads/:upload_id
+```
+
+| Attribute   | Type              | Required | Description |
+|-------------|-------------------|----------|-------------|
+| `id`        | integer or string | Yes      | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding). |
+| `upload_id` | integer           | Yes      | The ID of the upload. |
+
+Example request:
+
+```shell
+curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/5/uploads/1"
+```
+
 ## Upload a project avatar
 
 Uploads an avatar to the specified project.
diff --git a/doc/ci/pipelines/settings.md b/doc/ci/pipelines/settings.md
index 01f652b01ec..86609ebe5f3 100644
--- a/doc/ci/pipelines/settings.md
+++ b/doc/ci/pipelines/settings.md
@@ -87,7 +87,7 @@ running job can be cancelled before it completes. After a job with
 
 ## Prevent outdated deployment jobs
 
-> - In GitLab 15.5, the behavior was [changed](https://gitlab.com/gitlab-org/gitlab/-/issues/363328) to prevent outdated job runs.
+> - Also preventing outdated manual or retried deployment jobs from running [added](https://gitlab.com/gitlab-org/gitlab/-/issues/363328) in GitLab 15.5.
 
 Your project may have multiple concurrent deployment jobs that are
 scheduled to run in the same time frame.
diff --git a/doc/ci/yaml/includes.md b/doc/ci/yaml/includes.md
index 85b6c21c15d..9229ec3211e 100644
--- a/doc/ci/yaml/includes.md
+++ b/doc/ci/yaml/includes.md
@@ -17,11 +17,15 @@ You can use [`include`](index.md#include) to include external YAML files in your
 To include a single configuration file, use `include` by itself with a single file
 with either of these syntax options:
 
-- ```yaml
+- On the same line:
+
+  ```yaml
   include: 'my-config.yml'
   ```
 
-- ```yaml
+- As a single item in an array:
+
+  ```yaml
   include:
     - 'my-config.yml'
   ```
diff --git a/doc/development/documentation/styleguide/word_list.md b/doc/development/documentation/styleguide/word_list.md
index be983e9fd14..fc5925f0c3d 100644
--- a/doc/development/documentation/styleguide/word_list.md
+++ b/doc/development/documentation/styleguide/word_list.md
@@ -1177,12 +1177,20 @@ Use the full phrase **dropdown list** instead.
 
 ## license
 
-When writing about licenses:
+Licenses are different than subscriptions.
 
-- Do not use variations such as [**cloud license**](#cloud-licensing), **offline license**, or **legacy license**.
-- Do not use interchangeably with **subscription**:
-  - A license grants users access to the subscription they purchased, and contains information such as the number of seats they purchased and subscription dates.
-  - A subscription is the subscription tier that the user purchases.
+- A license grants users access to the subscription they purchased. The license includes information like the number of seats and subscription dates.
+- A subscription is the subscription tier that the user purchases.
+
+Do not use the term [**cloud license**](#cloud-licensing).
+
+The following terms are displayed in the UI and in emails. You can use them when necessary:
+
+- **Online license** - a license synchronized with GitLab
+- **Offline license** - a license not synchronized with GitLab
+- **Legacy license** - a license created before synchronization was possible
+
+However, if you can, rather than using the term, use the more specific description instead.
 
 Use:
 
diff --git a/doc/development/permissions/predefined_roles.md b/doc/development/permissions/predefined_roles.md
index 44f8eb39625..2ca2e23041f 100644
--- a/doc/development/permissions/predefined_roles.md
+++ b/doc/development/permissions/predefined_roles.md
@@ -57,7 +57,7 @@ Additionally, the following project features can have different visibility level
   - Pipelines
 - Analytics
 - Requirements
-- Security and Compliance
+- Security and compliance
 - Wiki
 - Snippets
 - Pages
diff --git a/doc/security/user_file_uploads.md b/doc/security/user_file_uploads.md
index b2d6bc18fc0..b70378e0acf 100644
--- a/doc/security/user_file_uploads.md
+++ b/doc/security/user_file_uploads.md
@@ -65,6 +65,7 @@ You cannot select this option for public projects.
 ## Delete uploaded files
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92791) in GitLab 15.3.
+> - REST API [added](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157066) support in GitLab 17.2.
 
 You should delete an uploaded file when that file contains sensitive or confidential information. When you have deleted that file, users cannot access the file and the direct URL returns a 404 error.
 
@@ -87,6 +88,8 @@ mutation{
 
 Project members that do not have the Owner or Maintainer role cannot access this GraphQL endpoint.
 
+You can also use the REST API for [projects](../api/projects.md#delete-an-uploaded-file) or [groups](../api/groups.md#delete-an-uploaded-file) to delete an uploaded file.
+
 <!-- ## Troubleshooting
 
 Include any troubleshooting steps that you can foresee. If you know beforehand what issues
diff --git a/doc/user/application_security/api_fuzzing/configuration/enabling_the_analyzer.md b/doc/user/application_security/api_fuzzing/configuration/enabling_the_analyzer.md
index 34f3b5423f8..515390d5422 100644
--- a/doc/user/application_security/api_fuzzing/configuration/enabling_the_analyzer.md
+++ b/doc/user/application_security/api_fuzzing/configuration/enabling_the_analyzer.md
@@ -841,7 +841,7 @@ When configured correctly, a CI/CD pipeline contains a `fuzz` stage and an `apif
 typical operation, the job always succeeds even if faults are identified during fuzz testing.
 
 Faults are displayed on the **Security** pipeline tab with the suite name. When testing against the
-repositories default branch, the fuzzing faults are also shown on the Security and Compliance's
+repositories default branch, the fuzzing faults are also shown on the Security and compliance's
 Vulnerability Report page.
 
 To prevent an excessive number of reported faults, the API fuzzing scanner limits the number of
diff --git a/doc/user/application_security/api_security_testing/configuration/enabling_the_analyzer.md b/doc/user/application_security/api_security_testing/configuration/enabling_the_analyzer.md
index 23da6239de7..3bf0e3d80ad 100644
--- a/doc/user/application_security/api_security_testing/configuration/enabling_the_analyzer.md
+++ b/doc/user/application_security/api_security_testing/configuration/enabling_the_analyzer.md
@@ -771,7 +771,7 @@ variables:
 
 When configured correctly, a CI/CD pipeline contains a `dast` stage and an `dast_api` job. The job only fails when an invalid configuration is provided. During typical operation, the job always succeeds even if vulnerabilities are identified during testing.
 
-Vulnerabilities are displayed on the **Security** pipeline tab with the suite name. When testing against the repositories default branch, the API security testing vulnerabilities are also shown on the Security and Compliance's Vulnerability Report page.
+Vulnerabilities are displayed on the **Security** pipeline tab with the suite name. When testing against the repositories default branch, the API security testing vulnerabilities are also shown on the Security and compliance's Vulnerability Report page.
 
 To prevent an excessive number of reported vulnerabilities, the API security testing scanner limits the number of vulnerabilities it reports per operation.
 
diff --git a/doc/user/application_security/policies/index.md b/doc/user/application_security/policies/index.md
index 015c9828a16..c1073124fcf 100644
--- a/doc/user/application_security/policies/index.md
+++ b/doc/user/application_security/policies/index.md
@@ -71,7 +71,7 @@ GitLab SaaS users may enforce policies against their top-level group or across s
 The following example illustrates two groups and their structure:
 
 - Alpha group contains two subgroups, each of which contains multiple projects.
-- Security and Compliance group contains two policies.
+- Security and compliance group contains two policies.
 
 **Alpha** group (contains code projects)
 
@@ -85,7 +85,7 @@ The following example illustrates two groups and their structure:
   - Project L
   - Project M
 
-**Security and Compliance** group (contains security policy projects)
+**Security and compliance** group (contains security policy projects)
 
 - Security Policy Management
 - Security Policy Management - security policy project
diff --git a/doc/user/application_security/secret_detection/secret_push_protection/index.md b/doc/user/application_security/secret_detection/secret_push_protection/index.md
index f7be78c594d..2abd115c47d 100644
--- a/doc/user/application_security/secret_detection/secret_push_protection/index.md
+++ b/doc/user/application_security/secret_detection/secret_push_protection/index.md
@@ -68,7 +68,7 @@ Prerequisites:
 
 1. Sign in to your GitLab instance as an administrator.
 1. On the left sidebar, at the bottom, select **Admin area**.
-1. Select **Settings > Security and Compliance**.
+1. Select **Settings > Security and compliance**.
 1. Under **Secret Detection**, select or clear **Allow secret push protection**.
 
 ### Enable secret push protection in a project
diff --git a/doc/user/group/custom_project_templates.md b/doc/user/group/custom_project_templates.md
index 8b0a3f0fcc8..22cafc4a5e4 100644
--- a/doc/user/group/custom_project_templates.md
+++ b/doc/user/group/custom_project_templates.md
@@ -44,7 +44,7 @@ Projects in nested subgroups are not included in the template list.
 
 - Public and internal projects can be selected by any authenticated user as a template for a new project,
   if all [project features](../project/settings/index.md#configure-project-features-and-permissions)
-  except for **GitLab Pages** and **Security and Compliance** are set to **Everyone With Access**.
+  except for **GitLab Pages** and **Security and compliance** are set to **Everyone With Access**.
 - Private projects can be selected only by users who are members of the projects.
 
 There is a [known issue](https://gitlab.com/gitlab-org/gitlab/-/issues/295646):
diff --git a/lib/api/entities/ci/job_request/response.rb b/lib/api/entities/ci/job_request/response.rb
index e07bba1e850..23341900c8e 100644
--- a/lib/api/entities/ci/job_request/response.rb
+++ b/lib/api/entities/ci/job_request/response.rb
@@ -22,7 +22,11 @@ module API
           end
 
           expose :runner_variables, as: :variables
-          expose :steps, using: Entities::Ci::JobRequest::Step
+          expose :steps, using: Entities::Ci::JobRequest::Step, unless: ->(job) do
+            ::Feature.enabled?(:pipeline_run_keyword, job.project) &&
+              job.execution_config&.run_steps.present?
+          end
+
           expose :runtime_hooks, as: :hooks, using: Entities::Ci::JobRequest::Hook
           expose :image, using: Entities::Ci::JobRequest::Image
           expose :services, using: Entities::Ci::JobRequest::Service
@@ -33,6 +37,13 @@ module API
           expose :dependencies do |job, options|
             Entities::Ci::JobRequest::Dependency.represent(job.all_dependencies, options.merge(running_job: job))
           end
+
+          expose :run, if: ->(job) {
+                             ::Feature.enabled?(:pipeline_run_keyword, job.project) &&
+                               job.execution_config&.run_steps.present?
+                           } do |job|
+            job.execution_config.run_steps.to_json
+          end
         end
       end
     end
diff --git a/lib/api/entities/markdown_upload_admin.rb b/lib/api/entities/markdown_upload_admin.rb
new file mode 100644
index 00000000000..064e074b722
--- /dev/null
+++ b/lib/api/entities/markdown_upload_admin.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module API
+  module Entities
+    class MarkdownUploadAdmin < Grape::Entity
+      expose :id
+      expose :size
+      expose :filename
+      expose :created_at
+      expose :uploaded_by_user, as: :uploaded_by, using: Entities::UserSafe
+    end
+  end
+end
diff --git a/lib/api/markdown_uploads.rb b/lib/api/markdown_uploads.rb
index 01bad30b973..e020c9540e4 100644
--- a/lib/api/markdown_uploads.rb
+++ b/lib/api/markdown_uploads.rb
@@ -2,8 +2,21 @@
 
 module API
   class MarkdownUploads < ::API::Base
+    include PaginationParams
+
     feature_category :team_planning
 
+    helpers do
+      def find_uploads(parent)
+        uploads = Banzai::UploadsFinder.new(parent: parent).execute
+        uploads.preload_uploaded_by_user
+      end
+
+      def find_upload(parent, upload_id)
+        Banzai::UploadsFinder.new(parent: parent).find(upload_id)
+      end
+    end
+
     resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
       desc 'Workhorse authorize the file upload' do
         detail 'This feature was introduced in GitLab 13.11'
@@ -37,6 +50,136 @@ module API
 
         present upload, with: Entities::ProjectUpload
       end
+
+      desc 'Get the list of uploads of a project' do
+        success code: 200, model: Entities::MarkdownUploadAdmin
+        failure [
+          { code: 403, message: 'Unauthenticated' },
+          { code: 404, message: 'Not found' }
+        ]
+        is_array true
+        tags %w[projects]
+      end
+      params do
+        use :pagination
+      end
+      get ':id/uploads' do
+        authorize! :admin_upload, user_project
+
+        uploads = find_uploads(user_project)
+
+        present paginate(uploads), with: Entities::MarkdownUploadAdmin
+      end
+
+      desc 'Download a single project upload' do
+        success File
+        failure [
+          { code: 403, message: 'Unauthenticated' },
+          { code: 404, message: 'Not found' }
+        ]
+        tags %w[projects]
+      end
+      params do
+        requires :upload_id, type: Integer, desc: 'The ID of a project upload'
+      end
+      get ':id/uploads/:upload_id' do
+        authorize! :admin_upload, user_project
+
+        upload = find_upload(user_project, params[:upload_id])
+
+        present_carrierwave_file!(upload.retrieve_uploader)
+      end
+
+      desc 'Delete a single project upload' do
+        success code: 204
+        failure [
+          { code: 400, message: 'Bad request' },
+          { code: 403, message: 'Unauthenticated' },
+          { code: 404, message: 'Not found' }
+        ]
+        tags %w[projects]
+      end
+      params do
+        requires :upload_id, type: Integer, desc: 'The ID of a project upload'
+      end
+      delete ':id/uploads/:upload_id' do
+        authorize! :destroy_upload, user_project
+
+        upload = find_upload(user_project, params[:upload_id])
+        result = Uploads::DestroyService.new(user_project, current_user).execute(upload)
+
+        if result[:status] == :success
+          status 204
+        else
+          bad_request!(result[:message])
+        end
+      end
+    end
+
+    resource :groups, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
+      desc 'Get the list of uploads of a group' do
+        success code: 200, model: Entities::MarkdownUploadAdmin
+        failure [
+          { code: 403, message: 'Unauthenticated' },
+          { code: 404, message: 'Not found' }
+        ]
+        is_array true
+        tags %w[groups]
+      end
+      params do
+        use :pagination
+      end
+      get ':id/uploads' do
+        authorize! :admin_upload, user_group
+
+        uploads = find_uploads(user_group)
+
+        present paginate(uploads), with: Entities::MarkdownUploadAdmin
+      end
+
+      desc 'Download a single group upload' do
+        success File
+        failure [
+          { code: 403, message: 'Unauthenticated' },
+          { code: 404, message: 'Not found' }
+        ]
+        tags %w[groups]
+      end
+      params do
+        requires :upload_id, type: Integer, desc: 'The ID of a group upload'
+      end
+      get ':id/uploads/:upload_id' do
+        authorize! :admin_upload, user_group
+
+        upload = find_upload(user_group, params[:upload_id])
+
+        present_carrierwave_file!(upload.retrieve_uploader)
+      end
+
+      desc 'Delete a single group upload' do
+        success code: 204
+        failure [
+          { code: 400, message: 'Bad request' },
+          { code: 403, message: 'Unauthenticated' },
+          { code: 404, message: 'Not found' }
+        ]
+        tags %w[groups]
+      end
+      params do
+        requires :upload_id, type: Integer, desc: 'The ID of a group upload'
+      end
+      delete ':id/uploads/:upload_id' do
+        authorize! :destroy_upload, user_group
+
+        upload = find_upload(user_group, params[:upload_id])
+        result = Uploads::DestroyService.new(user_group, current_user).execute(upload)
+
+        if result[:status] == :success
+          status 204
+        else
+          bad_request!(result[:message])
+        end
+      end
     end
   end
 end
diff --git a/lib/gitlab/ci/config.rb b/lib/gitlab/ci/config.rb
index 6d0cfd54b6a..8bd8a6f807a 100644
--- a/lib/gitlab/ci/config.rb
+++ b/lib/gitlab/ci/config.rb
@@ -76,36 +76,55 @@ module Gitlab
       ##
       # Temporary method that should be removed after refactoring
       #
+      # rubocop:disable Gitlab/NoCodeCoverageComment -- This is an existing method and probably never called
+      # :nocov:
       def variables
-        root.variables_value
+        Gitlab::Ci::Config::FeatureFlags.with_actor(@project) do
+          root.variables_value
+        end
       end
+      # rubocop:enable Gitlab/NoCodeCoverageComment
 
       def variables_with_data
-        root.variables_entry.value_with_data
+        Gitlab::Ci::Config::FeatureFlags.with_actor(@project) do
+          root.variables_entry.value_with_data
+        end
       end
 
       def variables_with_prefill_data
-        root.variables_entry.value_with_prefill_data
+        Gitlab::Ci::Config::FeatureFlags.with_actor(@project) do
+          root.variables_entry.value_with_prefill_data
+        end
       end
 
       def stages
-        root.stages_value
+        Gitlab::Ci::Config::FeatureFlags.with_actor(@project) do
+          root.stages_value
+        end
       end
 
       def jobs
-        root.jobs_value
+        Gitlab::Ci::Config::FeatureFlags.with_actor(@project) do
+          root.jobs_value
+        end
       end
 
       def workflow_rules
-        root.workflow_entry.rules_value
+        Gitlab::Ci::Config::FeatureFlags.with_actor(@project) do
+          root.workflow_entry.rules_value
+        end
       end
 
       def workflow_name
-        root.workflow_entry.name
+        Gitlab::Ci::Config::FeatureFlags.with_actor(@project) do
+          root.workflow_entry.name
+        end
       end
 
       def workflow_auto_cancel
-        root.workflow_entry.auto_cancel_value
+        Gitlab::Ci::Config::FeatureFlags.with_actor(@project) do
+          root.workflow_entry.auto_cancel_value
+        end
       end
 
       def normalized_jobs
diff --git a/lib/gitlab/ci/config/entry/job.rb b/lib/gitlab/ci/config/entry/job.rb
index 5276eeca01a..a290e372fe4 100644
--- a/lib/gitlab/ci/config/entry/job.rb
+++ b/lib/gitlab/ci/config/entry/job.rb
@@ -14,11 +14,12 @@ module Gitlab
           ALLOWED_KEYS = %i[tags script image services start_in artifacts
                             cache dependencies before_script after_script hooks
                             coverage retry parallel timeout
-                            release id_tokens publish pages manual_confirmation].freeze
+                            release id_tokens publish pages manual_confirmation run].freeze
 
           validations do
             validates :config, allowed_keys: Gitlab::Ci::Config::Entry::Job.allowed_keys + PROCESSABLE_ALLOWED_KEYS
-            validates :script, presence: true
+            validates :config, mutually_exclusive_keys: %i[script run]
+            validates :script, presence: true, if: -> { config.is_a?(Hash) && !config.key?(:run) }
 
             with_options allow_nil: true do
               validates :when, type: String, inclusion: {
@@ -29,6 +30,12 @@ module Gitlab
               validates :dependencies, array_of_strings: true
               validates :allow_failure, hash_or_boolean: true
               validates :manual_confirmation, type: String
+              validates :run, json_schema: {
+                base_directory: 'app/validators/json_schemas',
+                detail_errors: true,
+                filename: 'run_steps',
+                hash_conversion: true
+              }
             end
 
             validates :start_in, duration: { limit: '1 week' }, if: :delayed?
@@ -137,11 +144,14 @@ module Gitlab
           attributes :script, :tags, :when, :dependencies,
             :needs, :retry, :parallel, :start_in,
             :timeout, :release,
-            :allow_failure, :publish, :pages, :manual_confirmation
+            :allow_failure, :publish, :pages, :manual_confirmation, :run
 
           def self.matching?(name, config)
-            !name.to_s.start_with?('.') &&
-              config.is_a?(Hash) && config.key?(:script)
+            if ::Gitlab::Ci::Config::FeatureFlags.enabled?(:pipeline_run_keyword, type: :gitlab_com_derisk)
+              !name.to_s.start_with?('.') && config.is_a?(Hash) && (config.key?(:script) || config.key?(:run))
+            else
+              !name.to_s.start_with?('.') && config.is_a?(Hash) && config.key?(:script)
+            end
           end
 
           def self.visible?
@@ -178,7 +188,8 @@ module Gitlab
               id_tokens: id_tokens_value,
               publish: publish,
               pages: pages,
-              manual_confirmation: self.manual_confirmation
+              manual_confirmation: self.manual_confirmation,
+              run: ::Gitlab::Ci::Config::FeatureFlags.enabled?(:pipeline_run_keyword, type: :gitlab_com_derisk) ? run : nil
             ).compact
           end
 
diff --git a/lib/gitlab/ci/config/entry/jobs.rb b/lib/gitlab/ci/config/entry/jobs.rb
index d2a25d59669..705c75594e8 100644
--- a/lib/gitlab/ci/config/entry/jobs.rb
+++ b/lib/gitlab/ci/config/entry/jobs.rb
@@ -15,7 +15,7 @@ module Gitlab
 
             validate do
               each_unmatched_job do |name|
-                errors.add(name.to_s, 'config should implement a script: or a trigger: keyword')
+                errors.add(name.to_s, 'config should implement the script:, run:, or trigger: keyword')
               end
 
               unless has_visible_job?
diff --git a/lib/gitlab/ci/pipeline/seed/build.rb b/lib/gitlab/ci/pipeline/seed/build.rb
index 80312296909..eac800d0cfe 100644
--- a/lib/gitlab/ci/pipeline/seed/build.rb
+++ b/lib/gitlab/ci/pipeline/seed/build.rb
@@ -70,6 +70,7 @@ module Gitlab
               .deep_merge(allow_failure_criteria_attributes)
               .deep_merge(@cache.cache_attributes)
               .deep_merge(runner_tags)
+              .deep_merge(build_execution_config_attribute)
           end
 
           def bridge?
@@ -94,6 +95,19 @@ module Gitlab
 
           delegate :logger, to: :@context
 
+          def build_execution_config_attribute
+            run_value = @seed_attributes.dig(:options, :run)
+            return {} unless ::Feature.enabled?(:pipeline_run_keyword, @pipeline.project) && run_value.present?
+
+            execution_config = ::Ci::BuildExecutionConfig.new(
+              project: @pipeline.project,
+              pipeline: @pipeline,
+              run_steps: run_value
+            )
+
+            { execution_config: execution_config }
+          end
+
           def all_of_only?
             @only.all? { |spec| spec.satisfied_by?(@pipeline, evaluate_context) }
           end
diff --git a/lib/gitlab/ci/yaml_processor/result.rb b/lib/gitlab/ci/yaml_processor/result.rb
index 14bf9dc240a..c4d15da7198 100644
--- a/lib/gitlab/ci/yaml_processor/result.rb
+++ b/lib/gitlab/ci/yaml_processor/result.rb
@@ -126,6 +126,7 @@ module Gitlab
               before_script: job[:before_script],
               script: job[:script],
               manual_confirmation: job[:manual_confirmation],
+              run: job[:run],
               after_script: job[:after_script],
               hooks: job[:hooks],
               environment: job[:environment],
diff --git a/lib/sidebars/projects/menus/security_compliance_menu.rb b/lib/sidebars/projects/menus/security_compliance_menu.rb
index 0f009bff12a..8cc9269bdaf 100644
--- a/lib/sidebars/projects/menus/security_compliance_menu.rb
+++ b/lib/sidebars/projects/menus/security_compliance_menu.rb
@@ -17,7 +17,7 @@ module Sidebars
 
         override :title
         def title
-          _('Security and Compliance')
+          _('Security and compliance')
         end
 
         override :sprite_icon
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 870c31c5f7f..655ee11de12 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -41880,7 +41880,7 @@ msgstr ""
 msgid "ProjectSettings|Search for topic"
 msgstr ""
 
-msgid "ProjectSettings|Security and Compliance"
+msgid "ProjectSettings|Security and compliance"
 msgstr ""
 
 msgid "ProjectSettings|Security and compliance for this project."
@@ -47455,7 +47455,7 @@ msgstr ""
 msgid "Security Policy project already exists."
 msgstr ""
 
-msgid "Security and Compliance"
+msgid "Security and compliance"
 msgstr ""
 
 msgid "Security capabilities"
diff --git a/spec/controllers/projects/ci/lints_controller_spec.rb b/spec/controllers/projects/ci/lints_controller_spec.rb
index 403f99145fc..baa6bb1da5b 100644
--- a/spec/controllers/projects/ci/lints_controller_spec.rb
+++ b/spec/controllers/projects/ci/lints_controller_spec.rb
@@ -145,7 +145,7 @@ RSpec.describe Projects::Ci::LintsController do
       it 'assigns result with errors' do
         expect(parsed_body['errors']).to match_array(
           [
-            'jobs rubocop config should implement a script: or a trigger: keyword',
+            'jobs rubocop config should implement the script:, run:, or trigger: keyword',
             'jobs config should contain at least one visible job'
           ])
       end
@@ -154,7 +154,9 @@ RSpec.describe Projects::Ci::LintsController do
         subject { post :create, params: params.merge(dry_run: 'true') }
 
         it 'assigns result with errors' do
-          expect(parsed_body['errors']).to eq(['jobs rubocop config should implement a script: or a trigger: keyword'])
+          expect(
+            parsed_body['errors']
+          ).to match_array(['jobs rubocop config should implement the script:, run:, or trigger: keyword'])
         end
 
         it_behaves_like 'returns a successful validation'
diff --git a/spec/controllers/projects/settings/integrations_controller_spec.rb b/spec/controllers/projects/settings/integrations_controller_spec.rb
index 49851c82cc5..aadb3495e73 100644
--- a/spec/controllers/projects/settings/integrations_controller_spec.rb
+++ b/spec/controllers/projects/settings/integrations_controller_spec.rb
@@ -232,6 +232,16 @@ RSpec.describe Projects::Settings::IntegrationsController, feature_category: :in
         expect(response).to have_gitlab_http_status(:ok)
       end
     end
+
+    context 'when prometheus integration' do
+      let_it_be(:integration) { create(:prometheus_integration, project: project) }
+
+      it 'returns 404' do
+        put :test, params: project_params(service: { active: 'true' })
+        # because remove_monitor_metrics feature flag is enabled
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
   end
 
   describe 'PUT #update' do
@@ -399,6 +409,15 @@ RSpec.describe Projects::Settings::IntegrationsController, feature_category: :in
           end
         end
       end
+
+      context 'when prometheus integration' do
+        let_it_be(:integration) { create(:prometheus_integration, project: project) }
+
+        it 'returns 404' do
+          # because remove_monitor_metrics feature flag is enabled
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
     end
 
     describe 'as JSON' do
diff --git a/spec/factories/ci/builds.rb b/spec/factories/ci/builds.rb
index 903634d3e74..83f5c36c04f 100644
--- a/spec/factories/ci/builds.rb
+++ b/spec/factories/ci/builds.rb
@@ -32,6 +32,8 @@ FactoryBot.define do
 
     runner_manager { nil }
 
+    execution_config { nil }
+
     after(:build) do |build, evaluator|
       if evaluator.runner_manager
         build.runner = evaluator.runner_manager.runner
diff --git a/spec/finders/organizations/groups_finder_spec.rb b/spec/finders/organizations/groups_finder_spec.rb
index b24c8b9c088..41091ec81d3 100644
--- a/spec/finders/organizations/groups_finder_spec.rb
+++ b/spec/finders/organizations/groups_finder_spec.rb
@@ -70,17 +70,5 @@ RSpec.describe Organizations::GroupsFinder, feature_category: :groups_and_projec
 
       expect(result).not_to include(public_group)
     end
-
-    context 'when filter_deleted_groups feature flag is disabled' do
-      before do
-        stub_feature_flags(filter_deleted_groups: false)
-      end
-
-      it 'includes deleted groups' do
-        public_group.namespace_details.update!(pending_delete: true)
-
-        expect(result).to include(public_group)
-      end
-    end
   end
 end
diff --git a/spec/frontend/editor/schema/ci/ci_schema_spec.js b/spec/frontend/editor/schema/ci/ci_schema_spec.js
index 9a87fc83811..cc4f535ee5c 100644
--- a/spec/frontend/editor/schema/ci/ci_schema_spec.js
+++ b/spec/frontend/editor/schema/ci/ci_schema_spec.js
@@ -29,6 +29,7 @@ import FilterYaml from './yaml_tests/positive_tests/filter.yml';
 import IncludeYaml from './yaml_tests/positive_tests/include.yml';
 import RulesYaml from './yaml_tests/positive_tests/rules.yml';
 import RulesNeedsYaml from './yaml_tests/positive_tests/rules_needs.yml';
+import RunYaml from './yaml_tests/positive_tests/run.yml';
 import ProjectPathYaml from './yaml_tests/positive_tests/project_path.yml';
 import VariablesYaml from './yaml_tests/positive_tests/variables.yml';
 import JobWhenYaml from './yaml_tests/positive_tests/job_when.yml';
@@ -59,6 +60,7 @@ import ProjectPathIncludeNoSlashYaml from './yaml_tests/negative_tests/project_p
 import ProjectPathIncludeTailSlashYaml from './yaml_tests/negative_tests/project_path/include/tailing_slash.yml';
 import RulesNegativeYaml from './yaml_tests/negative_tests/rules.yml';
 import RulesNeedsNegativeYaml from './yaml_tests/negative_tests/rules_needs.yml';
+import RunNegativeYaml from './yaml_tests/negative_tests/run.yml';
 import TriggerNegative from './yaml_tests/negative_tests/trigger.yml';
 import VariablesInvalidOptionsYaml from './yaml_tests/negative_tests/variables/invalid_options.yml';
 import VariablesInvalidSyntaxDescYaml from './yaml_tests/negative_tests/variables/invalid_syntax_desc.yml';
@@ -114,6 +116,7 @@ describe('positive tests', () => {
       HooksYaml,
       RulesYaml,
       RulesNeedsYaml,
+      RunYaml,
       VariablesYaml,
       ProjectPathYaml,
       IdTokensYaml,
@@ -179,6 +182,7 @@ describe('negative tests', () => {
       JobWhenNegativeYaml,
       RulesNegativeYaml,
       RulesNeedsNegativeYaml,
+      RunNegativeYaml,
       TriggerNegative,
       VariablesInvalidOptionsYaml,
       VariablesInvalidSyntaxDescYaml,
diff --git a/spec/frontend/editor/schema/ci/yaml_tests/negative_tests/run.yml b/spec/frontend/editor/schema/ci/yaml_tests/negative_tests/run.yml
new file mode 100644
index 00000000000..50363b0319b
--- /dev/null
+++ b/spec/frontend/editor/schema/ci/yaml_tests/negative_tests/run.yml
@@ -0,0 +1,58 @@
+run_with_step_script:
+  run:
+    - name: hello_steps
+      step: gitlab.com/gitlab-org/ci-cd/runner-tools/echo-step
+      script: echo 'Hello!'
+      inputs:
+        echo: hello steps!
+
+run_without_name:
+  run:
+    step: some reference
+
+run_without_name_script:
+  run:
+    script: rspec
+
+run_with_invalid_key:
+  run:
+    - name: step1
+      invalid_key: value1
+
+run_with_empty_string:
+  run: ''
+
+run_with_non_array:
+  run: "not an array"
+
+run_with_invalid_env:
+  run:
+    - name: invalid_env
+      script: echo 'Test'
+      env:
+        - not_a_key_value_pair
+
+run_with_invalid_inputs:
+  run:
+    - name: invalid_inputs
+      step: gitlab.com/gitlab-org/ci-cd/runner-tools/step1
+      inputs:
+        - not_an_object
+
+run_with_missing_step_and_script:
+  run:
+    - name: missing_required
+      env:
+        TEST: 'value'
+
+run_with_invalid_step_value:
+  run:
+    - name: invalid_step
+      step: 123  # Should be a string
+
+run_with_invalid_script_value:
+  run:
+    - name: invalid_script
+      script:
+        - not_a_string
+        - 123
diff --git a/spec/frontend/editor/schema/ci/yaml_tests/positive_tests/run.yml b/spec/frontend/editor/schema/ci/yaml_tests/positive_tests/run.yml
new file mode 100644
index 00000000000..d32c5dc1e38
--- /dev/null
+++ b/spec/frontend/editor/schema/ci/yaml_tests/positive_tests/run.yml
@@ -0,0 +1,63 @@
+hello_steps:
+  run:
+    - name: hello_steps
+      step: gitlab.com/gitlab-org/ci-cd/runner-tools/echo-step
+      inputs:
+        echo: hello steps!
+
+hello_script:
+  run:
+    - name: hello_script1
+      script: echo 'Hello script'
+      env:
+        MY_VAR: 'some value'
+
+multiple_steps:
+  run:
+    - name: step1
+      step: gitlab.com/gitlab-org/ci-cd/runner-tools/echo-step
+      inputs:
+        echo: Step 1 executed
+    - name: step2
+      script: echo 'Step 2 executed'
+    - name: step3
+      step: gitlab.com/gitlab-org/ci-cd/runner-tools/another-step
+      env:
+        DEBUG: 'true'
+
+complex_script:
+  run:
+    - name: complex_script_example
+      script: |
+        echo 'Multi-line script'
+        ls -la
+        mkdir test_dir
+        cd test_dir
+        touch test_file.txt
+      env:
+        WORKSPACE: '/tmp/workspace'
+        LOG_LEVEL: 'info'
+
+step_with_multiple_inputs:
+  run:
+    - name: multi_input_step
+      step: gitlab.com/gitlab-org/ci-cd/runner-tools/complex-step
+      inputs:
+        param1: value1
+        param2: 42
+        param3:
+          nested: data
+          array:
+            - item1
+            - item2
+
+mixed_steps_and_scripts:
+  run:
+    - name: first_step
+      step: gitlab.com/gitlab-org/ci-cd/runner-tools/setup-step
+    - name: script_step
+      script: echo 'Intermediate script'
+    - name: final_step
+      step: gitlab.com/gitlab-org/ci-cd/runner-tools/cleanup-step
+      env:
+        CLEANUP_MODE: 'full'
diff --git a/spec/lib/api/entities/markdown_upload_admin_spec.rb b/spec/lib/api/entities/markdown_upload_admin_spec.rb
new file mode 100644
index 00000000000..8c0fac547b3
--- /dev/null
+++ b/spec/lib/api/entities/markdown_upload_admin_spec.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe API::Entities::MarkdownUploadAdmin, feature_category: :team_planning do
+  describe '#as_json' do
+    let_it_be(:user) { create(:user) }
+    let_it_be(:upload) { create(:upload, :issuable_upload, uploaded_by_user: user) }
+
+    subject { described_class.new(upload).as_json }
+
+    it 'exposes correct attributes' do
+      is_expected.to include(
+        id: upload.id,
+        size: upload.size,
+        filename: upload.filename,
+        created_at: upload.created_at,
+        uploaded_by: {
+          id: user.id,
+          name: user.name,
+          username: user.username
+        }
+      )
+    end
+  end
+end
diff --git a/spec/lib/gitlab/ci/config/entry/job_spec.rb b/spec/lib/gitlab/ci/config/entry/job_spec.rb
index 6da8b43f5c0..e28e01ce7f5 100644
--- a/spec/lib/gitlab/ci/config/entry/job_spec.rb
+++ b/spec/lib/gitlab/ci/config/entry/job_spec.rb
@@ -58,6 +58,28 @@ RSpec.describe Gitlab::Ci::Config::Entry::Job, feature_category: :pipeline_compo
       it { is_expected.to be_truthy }
     end
 
+    context 'when config is a regular job with run keyword' do
+      let(:name) { :rspec }
+      let(:config) do
+        { run: [{ name: 'step1', step: 'some reference' }] }
+      end
+
+      it { is_expected.to be_truthy }
+
+      context 'when pipeline_run_keyword feature flag is disabled' do
+        before do
+          stub_feature_flags(pipeline_run_keyword: false)
+        end
+
+        context 'when config has run key' do
+          let(:name) { :rspec }
+          let(:config) { { run: [{ name: 'step1', step: 'some reference' }] } }
+
+          it { is_expected.to be_falsey }
+        end
+      end
+    end
+
     context 'when config is a bridge job' do
       let(:name) { :rspec }
       let(:config) do
@@ -235,12 +257,81 @@ RSpec.describe Gitlab::Ci::Config::Entry::Job, feature_category: :pipeline_compo
         end
       end
 
+      context 'when script and run are used together' do
+        let(:config) { { script: 'rspec', run: [{ name: 'step1', step: 'some reference' }] } }
+
+        it 'returns error about using script and run' do
+          expect(entry).not_to be_valid
+          expect(entry.errors).to include 'job config these keys cannot be used together: script, run'
+        end
+      end
+
+      context 'when run value is invalid' do
+        using RSpec::Parameterized::TableSyntax
+
+        where(:case_name, :config, :error) do
+          'when only step is used without name'   | { stage: 'build',
+run: [{ step: 'some reference' }] } | 'job run \'/0\' must be a valid \'required\''
+          'when only script is used without name' | { stage: 'build',
+run: [{ script: 'echo' }] } | 'job run \'/0\' must be a valid \'required\''
+          'when step and script are used together' | { stage: 'build',
+run: [{ name: 'step1', step: 'some reference', script: 'echo' }] } | 'job run \'/0\' must be a valid \'oneof\''
+          'when a subkey does not exist' | { stage: 'build',
+run: [{ name: 'step1', invalid_key: 'some value' }] } | 'job run \'/0\' must be a valid \'required\''
+        end
+
+        with_them do
+          it 'returns error about invalid run' do
+            expect(entry).not_to be_valid
+            expect(entry.errors).to include(error)
+          end
+        end
+
+        context 'when run value is not an array' do
+          let(:config) { { stage: 'build', run: 'invalid' } }
+
+          it 'returns error about invalid run' do
+            expect(entry).not_to be_valid
+            expect(entry.errors).to include 'job run \'\' must be a valid \'array\''
+          end
+        end
+
+        context 'with invalid env value type' do
+          let(:config) do
+            {
+              stage: 'build',
+              run: [
+                {
+                  name: 'step1',
+                  script: 'echo $MY_VAR',
+                  env: { MY_VAR: 123 }
+                }
+              ]
+            }
+          end
+
+          it 'returns error about invalid env' do
+            expect(entry).not_to be_valid
+            expect(entry.errors).to include 'job run \'/0/env/my_var\' must be a valid \'string\''
+          end
+        end
+
+        context 'when run value does not match steps schema' do
+          let(:config) { { stage: 'build', run: [{ name: 'step1' }] } }
+
+          it 'returns error about invalid run' do
+            expect(entry).not_to be_valid
+            expect(entry.errors).to include 'job run \'/0\' must be a valid \'required\''
+          end
+        end
+      end
+
       context 'when script is not provided' do
         let(:config) { { stage: 'test' } }
 
         it 'returns error about missing script entry' do
           expect(entry).not_to be_valid
-          expect(entry.errors).to include "job script can't be blank"
+          expect(entry.errors).to include 'job script can\'t be blank'
         end
       end
 
@@ -249,7 +340,7 @@ RSpec.describe Gitlab::Ci::Config::Entry::Job, feature_category: :pipeline_compo
 
         it 'returns error about wrong value type' do
           expect(entry).not_to be_valid
-          expect(entry.errors).to include "job extends should be an array of strings or a string"
+          expect(entry.errors).to include 'job extends should be an array of strings or a string'
         end
       end
 
@@ -807,6 +898,69 @@ RSpec.describe Gitlab::Ci::Config::Entry::Job, feature_category: :pipeline_compo
         end
       end
 
+      context 'when run keyword is used' do
+        let(:run_value) do
+          [
+            { name: 'step1', step: 'some reference' },
+            { name: 'step2', script: 'echo' }
+          ]
+        end
+
+        let(:config) { { run: run_value } }
+
+        it 'returns the run value' do
+          expect(entry.value).to include({ run: run_value })
+        end
+
+        context 'with valid inputs' do
+          let(:config) do
+            {
+              stage: 'build',
+              run: [
+                {
+                  name: 'step1',
+                  script: 'echo $MY_INPUT',
+                  inputs: { MY_INPUT: 'some value' }
+                }
+              ]
+            }
+          end
+
+          it 'is valid' do
+            expect(entry).to be_valid
+          end
+
+          context 'with valid env key' do
+            let(:config) do
+              {
+                stage: 'build',
+                run: [
+                  {
+                    name: 'step1',
+                    script: 'echo $MY_VAR',
+                    env: { MY_VAR: 'some value' }
+                  }
+                ]
+              }
+            end
+
+            it 'is valid' do
+              expect(entry).to be_valid
+            end
+          end
+        end
+
+        context 'when feature flag is disabled' do
+          before do
+            stub_feature_flags(pipeline_run_keyword: false)
+          end
+
+          it 'return nil for run value' do
+            expect(entry.value[:run]).to be_nil
+          end
+        end
+      end
+
       context 'with retry present in the config' do
         let(:config) do
           {
diff --git a/spec/lib/gitlab/ci/config/entry/jobs_spec.rb b/spec/lib/gitlab/ci/config/entry/jobs_spec.rb
index 9af54419f07..1ef88e41ae8 100644
--- a/spec/lib/gitlab/ci/config/entry/jobs_spec.rb
+++ b/spec/lib/gitlab/ci/config/entry/jobs_spec.rb
@@ -68,14 +68,14 @@ RSpec.describe Gitlab::Ci::Config::Entry::Jobs do
           let(:config) { { rspec: nil } }
 
           it 'reports error' do
-            expect(entry.errors).to include 'jobs rspec config should implement a script: or a trigger: keyword'
+            expect(entry.errors).to include 'jobs rspec config should implement the script:, run:, or trigger: keyword'
           end
 
           context 'when the job name cannot be cast directly to a symbol' do
             let(:config) { { true => nil } }
 
             it 'properly parses the job name without raising a NoMethodError' do
-              expect(entry.errors).to include 'jobs true config should implement a script: or a trigger: keyword'
+              expect(entry.errors).to include 'jobs true config should implement the script:, run:, or trigger: keyword'
             end
           end
         end
diff --git a/spec/lib/gitlab/ci/config/entry/root_spec.rb b/spec/lib/gitlab/ci/config/entry/root_spec.rb
index 149943b647d..a40b83406ef 100644
--- a/spec/lib/gitlab/ci/config/entry/root_spec.rb
+++ b/spec/lib/gitlab/ci/config/entry/root_spec.rb
@@ -433,7 +433,7 @@ RSpec.describe Gitlab::Ci::Config::Entry::Root do
       describe '#errors' do
         it 'reports errors about missing script or trigger' do
           expect(root.errors)
-            .to include 'jobs rspec config should implement a script: or a trigger: keyword'
+            .to include 'jobs rspec config should implement the script:, run:, or trigger: keyword'
         end
       end
     end
diff --git a/spec/lib/gitlab/ci/lint_spec.rb b/spec/lib/gitlab/ci/lint_spec.rb
index ab21a21fe21..379eb3f49f9 100644
--- a/spec/lib/gitlab/ci/lint_spec.rb
+++ b/spec/lib/gitlab/ci/lint_spec.rb
@@ -144,7 +144,7 @@ RSpec.describe Gitlab::Ci::Lint, feature_category: :pipeline_composition do
 
         it 'returns a result with errors' do
           expect(subject).not_to be_valid
-          expect(subject.errors).to include(/jobs build config should implement a script: or a trigger: keyword/)
+          expect(subject.errors).to include(/jobs build config should implement the script:, run:, or trigger: keyword/)
         end
       end
 
diff --git a/spec/lib/gitlab/ci/pipeline/seed/build_spec.rb b/spec/lib/gitlab/ci/pipeline/seed/build_spec.rb
index 14e07b1f0b3..82e23edcc99 100644
--- a/spec/lib/gitlab/ci/pipeline/seed/build_spec.rb
+++ b/spec/lib/gitlab/ci/pipeline/seed/build_spec.rb
@@ -47,6 +47,56 @@ RSpec.describe Gitlab::Ci::Pipeline::Seed::Build, feature_category: :pipeline_co
       end
     end
 
+    context 'with job:run attribute' do
+      let(:run_value) do
+        [
+          { name: 'step1', step: 'some_step_reference', env: { VAR1: 'value1', VAR2: 'value2' } },
+          { name: 'step2', script: "echo 'Hello, World!'", inputs: { input1: 'input_value1', input2: 'input_value1223' } }
+        ].map(&:deep_stringify_keys)
+      end
+
+      let(:attributes) do
+        {
+          name: 'rspec',
+          ref: 'master',
+          options: {
+            run: run_value
+          }
+        }
+      end
+
+      it 'includes execution_config attribute with run steps' do
+        expect(subject[:execution_config]).to an_object_having_attributes(
+          project: pipeline.project,
+          pipeline: pipeline,
+          run_steps: run_value
+        )
+      end
+
+      context 'when feature flag is disabled' do
+        before do
+          stub_feature_flags(pipeline_run_keyword: false)
+        end
+
+        it 'does not include execution_config attribute' do
+          expect(subject).not_to include(:execution_config)
+        end
+      end
+
+      context 'when job:run attribute is not specified' do
+        let(:attributes) do
+          {
+            name: 'rspec',
+            ref: 'master'
+          }
+        end
+
+        it 'does not include execution_config attribute' do
+          expect(subject).not_to include(:execution_config)
+        end
+      end
+    end
+
     context 'with job:rules:[when:delayed]' do
       context 'is matched' do
         let(:attributes) { { name: 'rspec', ref: 'master', rules: [{ if: '$VAR == null', when: 'delayed', start_in: '3 hours' }] } }
diff --git a/spec/lib/gitlab/ci/yaml_processor_spec.rb b/spec/lib/gitlab/ci/yaml_processor_spec.rb
index a03fa65596b..ee7f37801aa 100644
--- a/spec/lib/gitlab/ci/yaml_processor_spec.rb
+++ b/spec/lib/gitlab/ci/yaml_processor_spec.rb
@@ -3233,7 +3233,7 @@ module Gitlab
         context 'returns error if job configuration is invalid' do
           let(:config) { YAML.dump({ extra: "bundle update" }) }
 
-          it_behaves_like 'returns errors', 'jobs extra config should implement a script: or a trigger: keyword'
+          it_behaves_like 'returns errors', 'jobs extra config should implement the script:, run:, or trigger: keyword'
         end
 
         context 'returns errors if services configuration is not correct' do
@@ -3251,7 +3251,7 @@ module Gitlab
         context 'returns errors if the job script is not defined' do
           let(:config) { YAML.dump({ rspec: { before_script: "test" } }) }
 
-          it_behaves_like 'returns errors', 'jobs rspec config should implement a script: or a trigger: keyword'
+          it_behaves_like 'returns errors', 'jobs rspec config should implement the script:, run:, or trigger: keyword'
         end
 
         context 'returns errors if there are no visible jobs defined' do
diff --git a/spec/lib/sidebars/projects/menus/security_compliance_menu_spec.rb b/spec/lib/sidebars/projects/menus/security_compliance_menu_spec.rb
index c7c0586c2f1..01e73e1c5af 100644
--- a/spec/lib/sidebars/projects/menus/security_compliance_menu_spec.rb
+++ b/spec/lib/sidebars/projects/menus/security_compliance_menu_spec.rb
@@ -20,7 +20,7 @@ RSpec.describe Sidebars::Projects::Menus::SecurityComplianceMenu do
     end
 
     context 'when user is authenticated' do
-      context 'when the Security and Compliance is disabled' do
+      context 'when the Security and compliance is disabled' do
         let_it_be(:project) { create(:project, :security_and_compliance_disabled) }
 
         before do
@@ -32,7 +32,7 @@ RSpec.describe Sidebars::Projects::Menus::SecurityComplianceMenu do
         it { is_expected.to be_falsey }
       end
 
-      context 'when the Security and Compliance is not disabled' do
+      context 'when the Security and compliance is not disabled' do
         it { is_expected.to be_truthy }
       end
     end
diff --git a/spec/models/ci/build_spec.rb b/spec/models/ci/build_spec.rb
index 70ed17bbf8e..0fea8f7f627 100644
--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -5688,6 +5688,19 @@ RSpec.describe Ci::Build, feature_category: :continuous_integration, factory_def
   describe '#clone' do
     let_it_be(:user) { create(:user) }
 
+    context 'when build execution config is given' do
+      let(:build_execution_config) { create(:ci_builds_execution_configs, pipeline: pipeline) }
+
+      it 'clones the config id' do
+        build = create(:ci_build, pipeline: pipeline, execution_config: build_execution_config)
+
+        new_build = build.clone(current_user: user)
+        new_build.save!
+
+        expect(new_build.execution_config_id).to eq(build_execution_config.id)
+      end
+    end
+
     context 'when given new job variables' do
       context 'when the cloned build has an action' do
         it 'applies the new job variables' do
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index de187e92625..ca890c10f59 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -2615,7 +2615,7 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
   end
 
   describe 'access_security_and_compliance' do
-    context 'when the "Security and Compliance" is enabled' do
+    context 'when the "Security and compliance" is enabled' do
       before do
         project.project_feature.update!(security_and_compliance_access_level: Featurable::PRIVATE)
       end
@@ -2661,7 +2661,7 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
       end
     end
 
-    context 'when the "Security and Compliance" is not enabled' do
+    context 'when the "Security and compliance" is not enabled' do
       before do
         project.project_feature.update!(security_and_compliance_access_level: Featurable::DISABLED)
       end
diff --git a/spec/requests/admin/integrations_controller_spec.rb b/spec/requests/admin/integrations_controller_spec.rb
index 6240c2406ea..d4b0a683491 100644
--- a/spec/requests/admin/integrations_controller_spec.rb
+++ b/spec/requests/admin/integrations_controller_spec.rb
@@ -10,12 +10,9 @@ RSpec.describe Admin::IntegrationsController, :enable_admin_mode, feature_catego
   end
 
   describe 'GET #edit' do
-    context 'when remove_monitor_metrics is true' do
-      before do
-        stub_feature_flags(remove_monitor_metrics: true)
-      end
-
-      it 'renders a 404 for the prometheus integration' do
+    context 'for prometheus integration' do
+      # feature flag remove_monitor_metrics is enabled by default in specs
+      it 'renders a 404' do
         get edit_admin_application_settings_integration_path(:prometheus)
 
         expect(response).to have_gitlab_http_status(:not_found)
@@ -24,41 +21,56 @@ RSpec.describe Admin::IntegrationsController, :enable_admin_mode, feature_catego
   end
 
   describe 'GET #overrides' do
-    let_it_be(:integration) { create(:jira_integration, :instance) }
-    let_it_be(:overridden_integration) { create(:jira_integration) }
-    let_it_be(:overridden_other_integration) { create(:confluence_integration) }
-
     let(:overrides_path) { overrides_admin_application_settings_integration_path(integration, format: format) }
 
-    context 'format html' do
-      let(:format) { :html }
+    context 'for jira integration' do
+      let_it_be(:integration) { create(:jira_integration, :instance) }
+      let_it_be(:overridden_integration) { create(:jira_integration) }
+      let_it_be(:overridden_other_integration) { create(:confluence_integration) }
 
-      it 'renders' do
-        get overrides_path
+      context 'when format is html' do
+        let(:format) { :html }
 
-        expect(response).to have_gitlab_http_status(:ok)
-        expect(response).to render_template('shared/integrations/overrides')
+        it 'renders' do
+          get overrides_path
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to render_template('shared/integrations/overrides')
+        end
+      end
+
+      context 'when format is json' do
+        let(:format) { :json }
+        let(:project) { overridden_integration.project }
+
+        it 'returns the project overrides data' do
+          get overrides_path
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to include_pagination_headers
+          expect(json_response).to contain_exactly(
+            {
+              'id' => project.id,
+              'avatar_url' => project.avatar_url,
+              'full_name' => project.full_name,
+              'name' => project.name,
+              'full_path' => project_path(project)
+            }
+          )
+        end
       end
     end
 
-    context 'format json' do
-      let(:format) { :json }
-      let(:project) { overridden_integration.project }
+    context 'for prometheus integration' do
+      # feature flag remove_monitor_metrics is enabled by default in specs
+      let_it_be(:integration) { create(:prometheus_integration, :instance) }
 
-      it 'returns the project overrides data' do
+      let(:format) { :html }
+
+      it 'renders a 404' do
         get overrides_path
 
-        expect(response).to have_gitlab_http_status(:ok)
-        expect(response).to include_pagination_headers
-        expect(json_response).to contain_exactly(
-          {
-            'id' => project.id,
-            'avatar_url' => project.avatar_url,
-            'full_name' => project.full_name,
-            'name' => project.name,
-            'full_path' => project_path(project)
-          }
-        )
+        expect(response).to have_gitlab_http_status(:not_found)
       end
     end
   end
diff --git a/spec/requests/api/ci/runner/jobs_request_post_spec.rb b/spec/requests/api/ci/runner/jobs_request_post_spec.rb
index 92a5eba5c2d..db9e04efb72 100644
--- a/spec/requests/api/ci/runner/jobs_request_post_spec.rb
+++ b/spec/requests/api/ci/runner/jobs_request_post_spec.rb
@@ -475,6 +475,99 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state, feature_catego
             end
           end
 
+          context 'with run keyword' do
+            let(:execution_config) { create(:ci_builds_execution_configs, :with_step_and_script) }
+
+            context 'when job has execution_config with run_steps' do
+              let(:job) do
+                create(
+                  :ci_build,
+                  :pending,
+                  :queued,
+                  pipeline: pipeline,
+                  name: 'spinach',
+                  stage: 'test',
+                  stage_idx: 0,
+                  execution_config: execution_config
+                )
+              end
+
+              it 'returns job with the run steps' do
+                request_job
+
+                expect(response).to have_gitlab_http_status(:created)
+                expect(json_response['run']).to eq(execution_config.run_steps.to_json)
+              end
+
+              it 'returns nil for the steps' do
+                request_job
+
+                expect(response).to have_gitlab_http_status(:created)
+                expect(json_response['steps']).to be_nil
+              end
+
+              context 'when feature flag is disabled' do
+                before do
+                  stub_feature_flags(pipeline_run_keyword: false)
+                end
+
+                it 'returns nil for run steps' do
+                  request_job
+
+                  expect(response).to have_gitlab_http_status(:created)
+                  expect(json_response['run']).to be_nil
+                end
+              end
+            end
+
+            context 'when job does not have execution config' do
+              let(:job) do
+                create(
+                  :ci_build,
+                  :pending,
+                  :queued,
+                  pipeline: pipeline,
+                  name: 'spinach',
+                  stage: 'test',
+                  stage_idx: 0
+                )
+              end
+
+              let(:expected_steps) do
+                [
+                  {
+                    "name" => "script",
+                    "script" => ["ls -a"],
+                    "timeout" => 3600,
+                    "when" => "on_success",
+                    "allow_failure" => false
+                  }
+                ]
+              end
+
+              it 'returns nil for run steps' do
+                request_job
+
+                expect(response).to have_gitlab_http_status(:created)
+                expect(json_response['run']).to be_nil
+              end
+
+              context 'when feature flag is disabled' do
+                before do
+                  stub_feature_flags(pipeline_run_keyword: false)
+                end
+
+                it 'returns nil for run steps' do
+                  request_job
+
+                  expect(response).to have_gitlab_http_status(:created)
+                  expect(json_response['run']).to be_nil
+                  expect(json_response['steps']).to eq(expected_steps)
+                end
+              end
+            end
+          end
+
           describe 'updates runner info' do
             it { expect { request_job }.to change { runner.reload.contacted_at } }
 
diff --git a/spec/requests/api/markdown_uploads_spec.rb b/spec/requests/api/markdown_uploads_spec.rb
index a9c329b4923..0f373ca60fa 100644
--- a/spec/requests/api/markdown_uploads_spec.rb
+++ b/spec/requests/api/markdown_uploads_spec.rb
@@ -3,8 +3,13 @@
 require 'spec_helper'
 
 RSpec.describe API::MarkdownUploads, feature_category: :team_planning do
+  let_it_be(:group) { create(:group, :private) }
+  let_it_be(:group_maintainer) { create(:user, maintainer_of: group) }
+
   let_it_be(:project) { create(:project, :private) }
-  let_it_be(:user) { create(:user, guest_of: project) }
+  let_it_be(:project_maintainer) { create(:user, maintainer_of: project) }
+
+  let_it_be(:user) { create(:user, guest_of: [project, group]) }
 
   describe "POST /projects/:id/uploads/authorize" do
     include WorkhorseHelpers
@@ -77,4 +82,130 @@ RSpec.describe API::MarkdownUploads, feature_category: :team_planning do
       expect(File.exist?(path)).to be(false)
     end
   end
+
+  shared_examples 'a request from an unauthorized user' do
+    it 'returns 403' do
+      get api(path, user)
+
+      expect(response).to have_gitlab_http_status(:forbidden)
+    end
+  end
+
+  describe "GET /projects/:id/uploads" do
+    let_it_be(:uploads) { create_list(:upload, 3, :issuable_upload, model: project) }
+    let_it_be(:other_upload) { create(:upload, :issuable_upload, model: create(:project)) }
+
+    let(:path) { "/projects/#{project.id}/uploads" }
+
+    it 'returns uploads ordered by created_at' do
+      get api(path, project_maintainer)
+
+      expect_paginated_array_response(uploads.reverse.map(&:id))
+    end
+
+    it_behaves_like 'a request from an unauthorized user'
+  end
+
+  describe "GET /projects/:id/uploads/:upload_id" do
+    let_it_be(:upload) { create(:upload, :issuable_upload, :with_file, model: project, filename: 'test.jpg') }
+
+    let(:path) { "/projects/#{project.id}/uploads/#{upload.id}" }
+
+    it 'returns the uploaded file' do
+      get api(path, project_maintainer)
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(response.headers['Content-Disposition'])
+        .to eq(%(attachment; filename="test.jpg"; filename*=UTF-8''test.jpg))
+    end
+
+    it_behaves_like 'a request from an unauthorized user'
+  end
+
+  describe "DELETE /projects/:id/uploads/:upload_id" do
+    let_it_be(:upload) { create(:upload, :issuable_upload, model: project) }
+
+    let(:path) { "/projects/#{project.id}/uploads/#{upload.id}" }
+
+    it 'deletes the given upload' do
+      expect do
+        delete api(path, project_maintainer)
+      end.to change { Upload.count }.by(-1)
+
+      expect(response).to have_gitlab_http_status(:no_content)
+    end
+
+    it 'returns an error when deletion fails' do
+      expect_next_instance_of(Banzai::UploadsFinder) do |finder|
+        expect(finder).to receive(:find).with(upload.id).and_return(upload)
+      end
+      expect(upload).to receive(:destroy).and_return(false)
+
+      delete api(path, project_maintainer)
+
+      expect(response).to have_gitlab_http_status(:bad_request)
+      expect(json_response['message']).to include(_('Upload could not be deleted.'))
+    end
+
+    it_behaves_like 'a request from an unauthorized user'
+  end
+
+  describe "GET /groups/:id/uploads" do
+    let_it_be(:uploads) { create_list(:upload, 3, :namespace_upload, model: group) }
+    let_it_be(:other_upload) { create(:upload, :namespace_upload, model: create(:group)) }
+
+    let(:path) { "/groups/#{group.id}/uploads" }
+
+    it 'returns uploads ordered by created_at' do
+      get api(path, group_maintainer)
+
+      expect_paginated_array_response(uploads.reverse.map(&:id))
+    end
+
+    it_behaves_like 'a request from an unauthorized user'
+  end
+
+  describe "GET /groups/:id/uploads/:upload_id" do
+    let_it_be(:upload) { create(:upload, :namespace_upload, :with_file, model: group, filename: 'test.jpg') }
+
+    let(:path) { "/groups/#{group.id}/uploads/#{upload.id}" }
+
+    it 'returns the uploaded file' do
+      get api(path, group_maintainer)
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(response.headers['Content-Disposition'])
+        .to eq(%(attachment; filename="test.jpg"; filename*=UTF-8''test.jpg))
+    end
+
+    it_behaves_like 'a request from an unauthorized user'
+  end
+
+  describe "DELETE /groups/:id/uploads/:upload_id" do
+    let_it_be(:upload) { create(:upload, :namespace_upload, model: group) }
+
+    let(:path) { "/groups/#{group.id}/uploads/#{upload.id}" }
+
+    it 'deletes the given upload' do
+      expect do
+        delete api(path, group_maintainer)
+      end.to change { Upload.count }.by(-1)
+
+      expect(response).to have_gitlab_http_status(:no_content)
+    end
+
+    it 'returns an error when deletion fails' do
+      expect_next_instance_of(Banzai::UploadsFinder) do |finder|
+        expect(finder).to receive(:find).with(upload.id).and_return(upload)
+      end
+      expect(upload).to receive(:destroy).and_return(false)
+
+      delete api(path, group_maintainer)
+
+      expect(response).to have_gitlab_http_status(:bad_request)
+      expect(json_response['message']).to include(_('Upload could not be deleted.'))
+    end
+
+    it_behaves_like 'a request from an unauthorized user'
+  end
 end
diff --git a/spec/services/ci/create_downstream_pipeline_service_spec.rb b/spec/services/ci/create_downstream_pipeline_service_spec.rb
index f289c3600f0..4eb6962cf47 100644
--- a/spec/services/ci/create_downstream_pipeline_service_spec.rb
+++ b/spec/services/ci/create_downstream_pipeline_service_spec.rb
@@ -203,7 +203,8 @@ RSpec.describe Ci::CreateDownstreamPipelineService, '#execute', feature_category
         expect { subject }
           .to change { Ci::Pipeline.count }.by(1)
         expect(subject).to be_error
-        expect(subject.message).to match_array(["jobs job config should implement a script: or a trigger: keyword"])
+        expect(subject.message)
+          .to match_array(["jobs job config should implement the script:, run:, or trigger: keyword"])
       end
 
       it 'creates a new pipeline in a downstream project' do
@@ -590,7 +591,8 @@ RSpec.describe Ci::CreateDownstreamPipelineService, '#execute', feature_category
         expect { subject }
           .to change { Ci::Pipeline.count }.by(1)
         expect(subject).to be_error
-        expect(subject.message).to match_array(["jobs invalid config should implement a script: or a trigger: keyword"])
+        expect(subject.message)
+          .to match_array(["jobs invalid config should implement the script:, run:, or trigger: keyword"])
       end
 
       it 'creates a new pipeline in the downstream project' do
diff --git a/spec/services/ci/create_pipeline_service/creation_errors_and_warnings_spec.rb b/spec/services/ci/create_pipeline_service/creation_errors_and_warnings_spec.rb
index 5d429282260..322d74375bc 100644
--- a/spec/services/ci/create_pipeline_service/creation_errors_and_warnings_spec.rb
+++ b/spec/services/ci/create_pipeline_service/creation_errors_and_warnings_spec.rb
@@ -106,7 +106,7 @@ RSpec.describe Ci::CreatePipelineService, :ci_config_feature_flag_correctness, f
         end
 
         it 'contains only errors' do
-          error_message = 'jobs invalid config should implement a script: or a trigger: keyword'
+          error_message = 'jobs invalid config should implement the script:, run:, or trigger: keyword'
           expect(pipeline.yaml_errors).to eq(error_message)
           expect(pipeline.error_messages.map(&:content)).to contain_exactly(error_message)
           expect(pipeline.errors.full_messages).to contain_exactly(error_message)
diff --git a/spec/services/ci/create_pipeline_service/run_spec.rb b/spec/services/ci/create_pipeline_service/run_spec.rb
new file mode 100644
index 00000000000..e10d898f8b0
--- /dev/null
+++ b/spec/services/ci/create_pipeline_service/run_spec.rb
@@ -0,0 +1,144 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ci::CreatePipelineService, :ci_config_feature_flag_correctness,
+  feature_category: :pipeline_composition do
+  let_it_be(:project) { create(:project, :repository) }
+  let_it_be(:user)    { project.first_owner }
+
+  let(:service)  { described_class.new(project, user, { ref: 'master' }) }
+  let(:pipeline) { service.execute(:push).payload }
+
+  before do
+    stub_ci_pipeline_yaml_file(config)
+  end
+
+  context 'when job has valid run configuration' do
+    let(:config) do
+      <<-CI_CONFIG
+      job:
+        run:
+          - name: step1
+            script: echo 'hello step1'
+          - name: step2
+            step: some_predefined_step
+            env:
+              VAR1: 'value1'
+            inputs:
+              input1: 'value1'
+      CI_CONFIG
+    end
+
+    it 'creates a job with run data' do
+      expect(pipeline).to be_created_successfully
+
+      job = pipeline.builds.first
+      expect(job.execution_config.run_steps).to eq([
+        {
+          'name' => 'step1',
+          'script' => "echo 'hello step1'"
+        },
+        {
+          'name' => 'step2',
+          'step' => 'some_predefined_step',
+          'env' => { 'VAR1' => 'value1' },
+          'inputs' => { 'input1' => 'value1' }
+        }
+      ])
+    end
+
+    context 'when feature flag is disabled' do
+      before do
+        stub_feature_flags(pipeline_run_keyword: false)
+      end
+
+      it 'does not create a pipeline' do
+        expect(pipeline).not_to be_created_successfully
+      end
+    end
+  end
+
+  context 'when job has multiple run steps with different configurations' do
+    let(:config) do
+      <<-CI_CONFIG
+      job1:
+        run:
+          - name: script_step
+            script: echo 'hello script'
+          - name: predefined_step
+            step: some_step
+            env:
+              DEBUG: 'true'
+
+      job2:
+        run:
+          - name: complex_script
+            script: |
+              echo 'multi-line'
+              echo 'script'
+          - name: step_with_inputs
+            step: another_step
+            inputs:
+              param1: value1
+              param2: value2
+      CI_CONFIG
+    end
+
+    it 'creates jobs with correct execution_config data' do
+      expect(pipeline).to be_created_successfully
+
+      job1 = pipeline.builds.find_by(name: 'job1')
+      expect(job1.execution_config.run_steps).to eq([
+        {
+          'name' => 'script_step',
+          'script' => "echo 'hello script'"
+        },
+        {
+          'name' => 'predefined_step',
+          'step' => 'some_step',
+          'env' => { 'DEBUG' => 'true' }
+        }
+      ])
+
+      job2 = pipeline.builds.find_by(name: 'job2')
+      expect(job2.execution_config.run_steps).to eq([
+        {
+          'name' => 'complex_script',
+          'script' => "echo 'multi-line'\necho 'script'\n"
+        },
+        {
+          'name' => 'step_with_inputs',
+          'step' => 'another_step',
+          'inputs' => {
+            'param1' => 'value1',
+            'param2' => 'value2'
+          }
+        }
+      ])
+    end
+  end
+
+  context 'when job has invalid run configuration' do
+    let(:config) do
+      <<-CI_CONFIG
+      job:
+        run:
+          - script: echo 'missing name'
+          - name: invalid_step
+            step: 123
+          - name: invalid_env
+            script: echo 'test'
+            env:
+              KEY: null
+      CI_CONFIG
+    end
+
+    it 'returns errors for invalid configuration' do
+      expect(pipeline).not_to be_created_successfully
+      expect(pipeline.errors.full_messages).to include(
+        "jobs:job run '/0' must be a valid 'required'"
+      )
+    end
+  end
+end
diff --git a/spec/support/shared_contexts/policies/group_policy_shared_context.rb b/spec/support/shared_contexts/policies/group_policy_shared_context.rb
index 0e41bee4f4f..d5d37e95dea 100644
--- a/spec/support/shared_contexts/policies/group_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/group_policy_shared_context.rb
@@ -63,7 +63,7 @@ RSpec.shared_context 'GroupPolicy context' do
       destroy_package
       create_projects
       create_cluster update_cluster admin_cluster add_cluster
-      destroy_upload
+      admin_upload destroy_upload
       admin_achievement
       award_achievement
       read_group_runners
diff --git a/spec/support/shared_contexts/policies/project_policy_shared_context.rb b/spec/support/shared_contexts/policies/project_policy_shared_context.rb
index 452fd74b347..83eb86a5b94 100644
--- a/spec/support/shared_contexts/policies/project_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/project_policy_shared_context.rb
@@ -70,7 +70,7 @@ RSpec.shared_context 'ProjectPolicy context' do
       admin_project admin_project_member admin_push_rules admin_runner admin_snippet admin_terraform_state
       admin_wiki create_deploy_token destroy_deploy_token manage_deploy_tokens
       push_to_delete_protected_branch read_deploy_token update_snippet
-      destroy_upload admin_member_access_request rename_project manage_merge_request_settings
+      admin_upload destroy_upload admin_member_access_request rename_project manage_merge_request_settings
       admin_integrations
     ]
   end
diff --git a/spec/support/shared_contexts/security_and_compliance_permissions_shared_context.rb b/spec/support/shared_contexts/security_and_compliance_permissions_shared_context.rb
index 1fa1a5c69f4..c35d8427a95 100644
--- a/spec/support/shared_contexts/security_and_compliance_permissions_shared_context.rb
+++ b/spec/support/shared_contexts/security_and_compliance_permissions_shared_context.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-RSpec.shared_context '"Security and Compliance" permissions' do
+RSpec.shared_context '"Security and compliance" permissions' do
   let(:project_instance) { an_instance_of(Project) }
   let(:user_instance) { an_instance_of(User) }
   let(:before_request_defined) { false }
@@ -18,7 +18,7 @@ RSpec.shared_context '"Security and Compliance" permissions' do
     allow(Ability).to receive(:allowed?).with(user_instance, :access_security_and_compliance, project_instance).and_return(true)
   end
 
-  context 'when the "Security and Compliance" feature is disabled' do
+  context 'when the "Security and compliance" feature is disabled' do
     subject { response }
 
     before do
diff --git a/vendor/gems/bundler-checksum/.gitlab-ci.yml b/vendor/gems/bundler-checksum/.gitlab-ci.yml
index 0ec9a5d94f1..99c3083cc58 100644
--- a/vendor/gems/bundler-checksum/.gitlab-ci.yml
+++ b/vendor/gems/bundler-checksum/.gitlab-ci.yml
@@ -5,6 +5,15 @@ include:
       gem_path_prefix: "vendor/gems/"
 
 rspec:
-  extends: .ruby_matrix
+  variables:
+    BUNDLER_LATEST: "2.5.15"
+  # Note, needed to copy the matrix definition because
+  # There’s a known issue when using !reference tags with the parallel:matrix keyword.
+  # https://docs.gitlab.com/ee/ci/debugging.html#config-should-be-an-array-of-hashes-error-message
+  parallel:
+    matrix:
+      - RUBY_VERSION: ["${RUBY_VERSION_DEFAULT}", "${RUBY_VERSION_NEXT}"]
+        BUNDLER_VERSION: ["2.4.22", "2.5.4", "2.5.12", "${BUNDLER_LATEST}"]
   script:
+    - gem install bundler -v "$BUNDLER_VERSION"
     - pushd test/project_with_checksum_lock && scripts/test
diff --git a/vendor/gems/bundler-checksum/lib/bundler_checksum/command/init.rb b/vendor/gems/bundler-checksum/lib/bundler_checksum/command/init.rb
index 7d90a19cb05..60d5f225ea8 100644
--- a/vendor/gems/bundler-checksum/lib/bundler_checksum/command/init.rb
+++ b/vendor/gems/bundler-checksum/lib/bundler_checksum/command/init.rb
@@ -6,23 +6,15 @@ module BundlerChecksum::Command
   module Init
     extend self
 
+    BUNDLER_2_5_0 = Gem::Version.new("2.5.0")
+    BUNDLER_2_5_12 = Gem::Version.new("2.5.12")
+
     def execute
       $stderr.puts "Initializing checksum file #{checksum_file}"
 
       checksums = []
 
       require "bundler/vendored_uri"
-      # RubyGems v3.5.6 got rid of Bundler::URI in favor of a vendored Gem::URI: https://github.com/rubygems/rubygems/pull/7386
-      rubygems_source = 'https://rubygems.org'
-      remote = defined?(Gem::URI) ? Gem::URI(rubygems_source) : Bundler::URI(rubygems_source)
-      args = [nil, Bundler::Source::Rubygems::Remote.new(remote), nil]
-      # gem_remote_fetcher added in https://github.com/rubygems/rubygems/pull/7092/
-      args << nil if Gem::Version.new(Bundler::VERSION) >= Gem::Version.new("2.5.0")
-
-      compact_index_cache = Bundler::Fetcher::CompactIndex
-        .new(*args)
-        .send(:compact_index_client)
-        .instance_variable_get(:@cache)
 
       Bundler.definition.resolve.sort_by(&:name).each do |spec|
         next unless spec.source.is_a?(Bundler::Source::Rubygems)
@@ -41,7 +33,7 @@ module BundlerChecksum::Command
 
         $stderr.puts "Adding #{spec_identifier}"
 
-        compact_index_dependencies = compact_index_cache.dependencies(spec.name).select { |item| item.first == spec.version.to_s }
+        compact_index_dependencies = compact_index_dependencies(spec.name).select { |item| item.first == spec.version.to_s }
 
         if !compact_index_dependencies.empty?
           compact_index_checksums = compact_index_dependencies.map do |version, platform, dependencies, requirements|
@@ -70,6 +62,38 @@ module BundlerChecksum::Command
 
     private
 
+    def compact_index_dependencies(name)
+      if current_bundler_version >= BUNDLER_2_5_12
+        compact_index_cache.dependencies([name])
+      else
+        compact_index_cache.dependencies(name)
+      end
+    end
+
+    def compact_index_cache
+      # RubyGems v3.5.6 got rid of Bundler::URI in favor of a vendored Gem::URI: https://github.com/rubygems/rubygems/pull/7386
+      rubygems_source = 'https://rubygems.org'
+      remote_uri = defined?(Gem::URI) ? Gem::URI(rubygems_source) : Bundler::URI(rubygems_source)
+      remote = Bundler::Source::Rubygems::Remote.new(remote_uri)
+      # Constructor changed with https://github.com/rubygems/rubygems/pull/7678/
+      @compact_index_cache ||= if current_bundler_version >= BUNDLER_2_5_12
+                                 cache_path = Bundler.user_cache.join("compact_index", remote.cache_slug)
+                                 Bundler::CompactIndexClient.new(cache_path)
+                               else
+                                 args = [nil, remote, nil]
+                                 # gem_remote_fetcher added in https://github.com/rubygems/rubygems/pull/7092/
+                                 args << nil if current_bundler_version >= BUNDLER_2_5_0
+                                 Bundler::Fetcher::CompactIndex
+                                                   .new(*args)
+                                                   .send(:compact_index_client)
+                                                   .instance_variable_get(:@cache)
+                               end
+    end
+
+    def current_bundler_version
+      @bundler_version ||= Gem::Version.new(Bundler::VERSION)
+    end
+
     def previous_checksums
       @previous_checksums ||=
         if File.exist?(checksum_file)
diff --git a/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile.lock b/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile.lock
index 2aa6a15070f..4a5c7327b00 100644
--- a/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile.lock
+++ b/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile.lock
@@ -135,4 +135,4 @@ DEPENDENCIES
   rails (~> 6.1.6.1)
 
 BUNDLED WITH
-   2.5.4
+   2.4.22
diff --git a/vendor/gems/bundler-checksum/test/project_with_checksum_lock/scripts/test b/vendor/gems/bundler-checksum/test/project_with_checksum_lock/scripts/test
index 7006a98c626..d1b63a16f50 100755
--- a/vendor/gems/bundler-checksum/test/project_with_checksum_lock/scripts/test
+++ b/vendor/gems/bundler-checksum/test/project_with_checksum_lock/scripts/test
@@ -1,6 +1,13 @@
-#!/bin/sh
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
 
-set -xe
+if [[ $(bundler -v) == *"$BUNDLER_VERSION"* ]]; then
+  echo "Bundler version matches desired version: ${BUNDLER_VERSION}"
+else
+  echo "Bundler version $(bundler -v) does not match desired version: ${BUNDLER_VERSION}"
+  exit 1
+fi
 
 # Check there's no differences after re-initialising
 ruby -I ../../lib ../../bin/bundler-checksum init
diff --git a/workhorse/go.mod b/workhorse/go.mod
index 894acce7474..0defa7c4126 100644
--- a/workhorse/go.mod
+++ b/workhorse/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/alecthomas/chroma/v2 v2.14.0
 	github.com/aws/aws-sdk-go v1.54.6
 	github.com/disintegration/imaging v1.6.2
-	github.com/dlclark/regexp2 v1.11.0
+	github.com/dlclark/regexp2 v1.11.1
 	github.com/getsentry/raven-go v0.2.0
 	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/golang/gddo v0.0.0-20210115222349-20d68f94ee1f
diff --git a/workhorse/go.sum b/workhorse/go.sum
index 84170ce03e3..20a1e2460a5 100644
--- a/workhorse/go.sum
+++ b/workhorse/go.sum
@@ -173,8 +173,8 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/disintegration/imaging v1.6.2 h1:w1LecBlG2Lnp8B3jk5zSuNqd7b4DXhcjwek1ei82L+c=
 github.com/disintegration/imaging v1.6.2/go.mod h1:44/5580QXChDfwIclfc/PCwrr44amcmDAg8hxG0Ewe4=
-github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
-github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/dlclark/regexp2 v1.11.1 h1:CJs78ewKXO9PuNf6Xwlw6eibMadBkXTRpOeUdv+IcWM=
+github.com/dlclark/regexp2 v1.11.1/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=