- {{ resource.description }}
+
': 'gt',
+ '<': 'lt',
+ '!~': 'not_like',
+ '=~': 'like',
+};
+
+const SEARCH_FILTER_NAME = 'search';
+
+/**
+ * Return the query parameter name, given an operator and param key
+ *
+ * e.g
+ * if paramKey is 'foo' and operator is "=", param name is 'foo'
+ * if paramKey is 'foo' and operator is "!=", param name is 'not[foo]'
+ *
+ * @param {String} paramKey - The parameter name
+ * @param {String} operator - The operator
+ * @returns String | undefined - Query param name
+ */
+function getFilterParamName(filterName, operator, filterToQueryMapping) {
+ const paramKey = filterToQueryMapping[filterName];
+ if (!paramKey) return undefined;
+
+ if (operator === '=' || filterName === SEARCH_FILTER_NAME) {
+ return paramKey;
+ }
+
+ const prefix = FILTER_OPERATORS_PREFIX[operator];
+ if (prefix) {
+ return `${prefix}[${paramKey}]`;
+ }
+
+ return undefined;
+}
+
+/**
+ * Process `filterValue` and append the proper query params to the `searchParams` arg, using `nameParam` and `valueParam`
+ *
+ * It mutates `searchParams`
+ *
+ * @param {String} filterValue The filter value, in the format `attribute_name=attribute_value`
+ * @param {String} filterOperator The filter operator
+ * @param {URLSearchParams} searchParams The URLSearchParams object where to append the proper query params
+ * @param {String} nameParam The query param name for the attribute name
+ * @param {String} nameParam The query param name for the attribute value
+ *
+ * e.g.
+ *
+ * handleAttributeFilter('foo=bar', '=', searchParams, 'attr_name', 'attr_value')
+ *
+ * it adds { attr_name: 'foo', attr_value: 'bar'} to `searchParams`
+ *
+ */
+function handleAttributeFilter(filterValue, filterOperator, searchParams, nameParam, valueParam) {
+ const [attrName, attrValue] = filterValue.split('=');
+ if (attrName && attrValue) {
+ if (filterOperator === '=') {
+ searchParams.append(nameParam, attrName);
+ searchParams.append(valueParam, attrValue);
+ }
+ }
+}
+
+function addDateRangeFilterToQueryParams(dateRangeFilter, params) {
+ if (!dateRangeFilter || !params) return;
+
+ const { value, endDate, startDate } = dateRangeFilter;
+ if (value === CUSTOM_DATE_RANGE_OPTION) {
+ if (isValidDate(startDate) && isValidDate(endDate)) {
+ params.append('start_time', startDate.toISOString());
+ params.append('end_time', endDate.toISOString());
+ }
+ } else if (typeof value === 'string') {
+ params.append('period', value);
+ }
+}
+
+/** ****
+ *
+ * Tracing API
+ *
+ * ***** */
+
async function fetchTrace(tracingUrl, traceId) {
try {
if (!traceId) {
@@ -67,88 +165,23 @@ const SUPPORTED_TRACING_FILTERS = {
traceId: ['=', '!='],
attribute: ['='],
status: ['=', '!='],
- // free-text 'search' temporarily ignored https://gitlab.com/gitlab-org/opstrace/opstrace/-/issues/2309
+ // 'search' temporarily ignored https://gitlab.com/gitlab-org/opstrace/opstrace/-/issues/2309
};
/**
- * Mapping of filter name to query param
+ * Mapping of filter name to tracing query param
*/
const TRACING_FILTER_TO_QUERY_PARAM = {
durationMs: 'duration_nano',
operation: 'operation',
service: 'service_name',
- period: 'period',
traceId: 'trace_id',
- attribute: 'attribute',
status: 'status',
+ // `attribute` is handled separately, see `handleAttributeFilter` method
+ // `period` is handled separately, see `handleTracingPeriodFilter` method
};
-const FILTER_OPERATORS_PREFIX = {
- '!=': 'not',
- '>': 'gt',
- '<': 'lt',
- '!~': 'not_like',
- '=~': 'like',
-};
-
-/**
- * Return the query parameter name, given an operator and param key
- *
- * e.g
- * if paramKey is 'foo' and operator is "=", param name is 'foo'
- * if paramKey is 'foo' and operator is "!=", param name is 'not[foo]'
- *
- * @param {String} paramKey - The parameter name
- * @param {String} operator - The operator
- * @returns String | undefined - Query param name
- */
-function getFilterParamName(paramKey, operator) {
- if (operator === '=') {
- return paramKey;
- }
-
- const prefix = FILTER_OPERATORS_PREFIX[operator];
- if (prefix) {
- return `${prefix}[${paramKey}]`;
- }
-
- return undefined;
-}
-
-/**
- * Builds the tracing query param name for the given filter and operator
- *
- * @param {String} filterName - The filter name
- * @param {String} operator - The operator
- * @returns String | undefined - Query param name
- */
-function getTracingFilterParamName(filterName, operator) {
- const paramKey = TRACING_FILTER_TO_QUERY_PARAM[filterName];
- if (!paramKey) return undefined;
-
- return getFilterParamName(paramKey, operator);
-}
-
-/**
- * Process `filterValue` and append the proper query params to the `searchParams` arg
- *
- * It mutates `searchParams`
- *
- * @param {String} filterValue The filter value, in the format `attribute_name=attribute_value`
- * @param {String} filterOperator The filter operator
- * @param {URLSearchParams} searchParams The URLSearchParams object where to append the proper query params
- */
-function handleAttributeFilter(filterValue, filterOperator, searchParams) {
- const [attrName, attrValue] = filterValue.split('=');
- if (attrName && attrValue) {
- if (filterOperator === '=') {
- searchParams.append('attr_name', attrName);
- searchParams.append('attr_value', attrValue);
- }
- }
-}
-
-function handlePeriodFilter(rawValue, filterName, filterParams) {
+function handleTracingPeriodFilter(rawValue, filterName, filterParams) {
if (rawValue.trim().indexOf(' ') < 0) {
filterParams.append(filterName, rawValue.trim());
return;
@@ -189,13 +222,14 @@ function tracingFilterObjToQueryParams(filterObj) {
const validFilters = filterValues.filter((f) =>
SUPPORTED_TRACING_FILTERS[filterName].includes(f.operator),
);
+
validFilters.forEach(({ operator, value: rawValue }) => {
if (filterName === 'attribute') {
- handleAttributeFilter(rawValue, operator, filterParams);
+ handleAttributeFilter(rawValue, operator, filterParams, 'attr_name', 'attr_value');
} else if (filterName === 'period') {
- handlePeriodFilter(rawValue, filterName, filterParams);
+ handleTracingPeriodFilter(rawValue, filterName, filterParams);
} else {
- const paramName = getTracingFilterParamName(filterName, operator);
+ const paramName = getFilterParamName(filterName, operator, TRACING_FILTER_TO_QUERY_PARAM);
let value = rawValue;
if (filterName === 'durationMs') {
// converting durationMs to duration_nano
@@ -318,6 +352,12 @@ function handleMetricsAttributeFilters(attributeFilters, params) {
}
}
+/** ****
+ *
+ * Metrics API
+ *
+ * ***** */
+
async function fetchMetrics(metricsUrl, { filters = {}, limit } = {}) {
try {
const params = new URLSearchParams();
@@ -359,6 +399,7 @@ const SUPPORTED_METRICS_DIMENSIONS_OPERATORS = {
'=~': 're',
'!~': 'nre',
};
+
function addMetricsAttributeFilterToQueryParams(dimensionFilter, params) {
if (!dimensionFilter || !params) return;
@@ -374,21 +415,7 @@ function addMetricsAttributeFilterToQueryParams(dimensionFilter, params) {
});
}
-function addDateRangeFilterToQueryParams(dateRangeFilter, params) {
- if (!dateRangeFilter || !params) return;
-
- const { value, endDate, startDate } = dateRangeFilter;
- if (value === CUSTOM_DATE_RANGE_OPTION) {
- if (isValidDate(startDate) && isValidDate(endDate)) {
- params.append('start_time', startDate.toISOString());
- params.append('end_time', endDate.toISOString());
- }
- } else if (typeof value === 'string') {
- params.append('period', value);
- }
-}
-
-function addGroupByFilterToQueryParams(groupByFilter, params) {
+function addMetricsGroupByFilterToQueryParams(groupByFilter, params) {
if (!groupByFilter || !params) return;
const { func, attributes } = groupByFilter;
@@ -429,7 +456,7 @@ async function fetchMetric(searchUrl, name, type, options = {}) {
}
if (groupBy) {
- addGroupByFilterToQueryParams(groupBy, params);
+ addMetricsGroupByFilterToQueryParams(groupBy, params);
}
const { data } = await axios.get(searchUrl, {
@@ -470,15 +497,95 @@ async function fetchMetricSearchMetadata(searchMetadataUrl, name, type) {
}
}
+/** ****
+ *
+ * Logs API
+ *
+ * ***** */
+
+/**
+ * Filters (and operators) allowed by logs query API
+ */
+const SUPPORTED_LOGS_FILTERS = {
+ service: ['=', '!='],
+ severityName: ['=', '!='],
+ traceId: ['='],
+ spanId: ['='],
+ fingerprint: ['='],
+ traceFlags: ['=', '!='],
+ attribute: ['='],
+ resourceAttribute: ['='],
+ search: [], // 'search' filter does not have any operator
+};
+
+/**
+ * Mapping of filter name to query param
+ */
+const LOGS_FILTER_TO_QUERY_PARAM = {
+ service: 'service_name',
+ severityName: 'severity_name',
+ traceId: 'trace_id',
+ spanId: 'span_id',
+ fingerprint: 'fingerprint',
+ traceFlags: 'trace_flags',
+ search: 'body',
+ // `attribute` and `resource_attribute` are handled separately
+};
+
+/**
+ * Builds URLSearchParams from a filter object of type { [filterName]: undefined | null | Array<{operator: String, value: any} }
+ * e.g:
+ *
+ * filterObj = {
+ * severityName: [{operator: '=', value: 'info' }],
+ * service: [{operator: '!=', value: 'foo' }]
+ * }
+ *
+ * It handles converting the filter to the proper supported query params
+ *
+ * @param {Object} filterObj : An Object representing handleAttributeFilter
+ * @returns URLSearchParams
+ */
+function addLogsAttributesFiltersToQueryParams(filterObj, filterParams) {
+ Object.keys(SUPPORTED_LOGS_FILTERS).forEach((filterName) => {
+ const filterValues = Array.isArray(filterObj[filterName])
+ ? filterObj[filterName].filter(({ value }) => Boolean(value)) // ignore empty strings
+ : [];
+ const validFilters = filterValues.filter(
+ (f) =>
+ (filterName === SEARCH_FILTER_NAME && SUPPORTED_LOGS_FILTERS[filterName]) ||
+ SUPPORTED_LOGS_FILTERS[filterName].includes(f.operator),
+ );
+ validFilters.forEach(({ operator, value: rawValue }) => {
+ if (filterName === 'attribute') {
+ handleAttributeFilter(rawValue, operator, filterParams, 'log_attr_name', 'log_attr_value');
+ } else if (filterName === 'resourceAttribute') {
+ handleAttributeFilter(rawValue, operator, filterParams, 'res_attr_name', 'res_attr_value');
+ } else {
+ const paramName = getFilterParamName(filterName, operator, LOGS_FILTER_TO_QUERY_PARAM);
+ const value = rawValue;
+ if (paramName && value) {
+ filterParams.append(paramName, value);
+ }
+ }
+ });
+ });
+ return filterParams;
+}
+
export async function fetchLogs(logsSearchUrl, { pageToken, pageSize, filters = {} } = {}) {
try {
const params = new URLSearchParams();
- const { dateRange } = filters;
+ const { dateRange, attributes } = filters;
if (dateRange) {
addDateRangeFilterToQueryParams(dateRange, params);
}
+ if (attributes) {
+ addLogsAttributesFiltersToQueryParams(attributes, params);
+ }
+
if (pageToken) {
params.append('page_token', pageToken);
}
@@ -501,6 +608,12 @@ export async function fetchLogs(logsSearchUrl, { pageToken, pageSize, filters =
}
}
+/** ****
+ *
+ * ObservabilityClient
+ *
+ * ***** */
+
export function buildClient(config) {
if (!config) {
throw new Error('No options object provided'); // eslint-disable-line @gitlab/require-i18n-strings
diff --git a/app/assets/javascripts/profile/edit/constants.js b/app/assets/javascripts/profile/edit/constants.js
index 2a4f690c3be..a6e7a5eb4ef 100644
--- a/app/assets/javascripts/profile/edit/constants.js
+++ b/app/assets/javascripts/profile/edit/constants.js
@@ -13,7 +13,7 @@ export const avatarI18n = {
uploadNewAvatar: s__('Profiles|Upload new avatar'),
chooseFile: s__('Profiles|Choose file...'),
noFileChosen: s__('Profiles|No file chosen.'),
- maximumFileSize: s__('Profiles|The maximum file size allowed is 200KB.'),
+ maximumFileSize: s__('Profiles|The maximum file size allowed is 200 KiB.'),
imageDimensions: s__('Profiles|The ideal image size is 192 x 192 pixels.'),
removeAvatar: s__('Profiles|Remove avatar'),
removeAvatarConfirmation: s__('Profiles|Avatar will be removed. Are you sure?'),
diff --git a/app/assets/javascripts/render_vue_component_for_legacy_js.js b/app/assets/javascripts/render_vue_component_for_legacy_js.js
index 7ef1943f7ac..47706411ebb 100644
--- a/app/assets/javascripts/render_vue_component_for_legacy_js.js
+++ b/app/assets/javascripts/render_vue_component_for_legacy_js.js
@@ -14,15 +14,14 @@ import Vue from 'vue';
* @returns {HTMLElement}
*/
export const renderVueComponentForLegacyJS = (Component, data, children) => {
- const mountEl = document.createElement('div');
-
const vm = new Vue({
- el: mountEl,
render(h) {
return h(Component, data, children);
},
});
+ vm.$mount();
+
// Ensure it's rendered
vm.$forceUpdate();
diff --git a/app/assets/javascripts/search/sidebar/components/group_filter.vue b/app/assets/javascripts/search/sidebar/components/group_filter.vue
index 20231cdda6a..d649c789ed5 100644
--- a/app/assets/javascripts/search/sidebar/components/group_filter.vue
+++ b/app/assets/javascripts/search/sidebar/components/group_filter.vue
@@ -67,7 +67,7 @@ export default {
-
+
+
{{ $options.i18n.groupFieldLabel }}
-
+
{{ $options.i18n.projectFieldLabel }}
-
+
+
+ {{ $options.i18n.syntaxOptionsLabel }}
- {{ content }}
+ {{ content }}
-
+
- {{ content }}
+ {{ content }}
{{ query.repository_ref }}
diff --git a/app/assets/javascripts/sentry/init_sentry.js b/app/assets/javascripts/sentry/init_sentry.js
index 722741b50e4..8c8d8b655de 100644
--- a/app/assets/javascripts/sentry/init_sentry.js
+++ b/app/assets/javascripts/sentry/init_sentry.js
@@ -1,3 +1,4 @@
+/* eslint-disable no-restricted-imports */
import {
BrowserClient,
getCurrentHub,
@@ -9,7 +10,7 @@ import {
// exports
captureException,
SDK_VERSION,
-} from 'sentrybrowser';
+} from '@sentry/browser';
const initSentry = () => {
if (!gon?.sentry_dsn) {
diff --git a/app/assets/javascripts/sentry/legacy_constants.js b/app/assets/javascripts/sentry/legacy_constants.js
deleted file mode 100644
index d04011dab2f..00000000000
--- a/app/assets/javascripts/sentry/legacy_constants.js
+++ /dev/null
@@ -1,46 +0,0 @@
-import { __ } from '~/locale';
-
-// https://docs.sentry.io/platforms/javascript/configuration/filtering/#decluttering-sentry
-export const IGNORE_ERRORS = [
- // Random plugins/extensions
- 'top.GLOBALS',
- // See: http://blog.errorception.com/2012/03/tale-of-unfindable-js-error. html
- 'originalCreateNotification',
- 'canvas.contentDocument',
- 'MyApp_RemoveAllHighlights',
- 'http://tt.epicplay.com',
- __("Can't find variable: ZiteReader"),
- __('jigsaw is not defined'),
- __('ComboSearch is not defined'),
- 'http://loading.retry.widdit.com/',
- 'atomicFindClose',
- // Facebook borked
- 'fb_xd_fragment',
- // ISP "optimizing" proxy - `Cache-Control: no-transform` seems to
- // reduce this. (thanks @acdha)
- 'bmi_SafeAddOnload',
- 'EBCallBackMessageReceived',
- // See http://toolbar.conduit.com/Developer/HtmlAndGadget/Methods/JSInjection.aspx
- 'conduitPage',
- // Exclude errors from polling when navigating away from a page
- 'TypeError: Failed to fetch',
-];
-
-export const DENY_URLS = [
- // Facebook flakiness
- /graph\.facebook\.com/i,
- // Facebook blocked
- /connect\.facebook\.net\/en_US\/all\.js/i,
- // Woopra flakiness
- /eatdifferent\.com\.woopra-ns\.com/i,
- /static\.woopra\.com\/js\/woopra\.js/i,
- // Chrome extensions
- /extensions\//i,
- /^chrome:\/\//i,
- // Other plugins
- /127\.0\.0\.1:4001\/isrunning/i, // Cacaoweb
- /webappstoolbarba\.texthelp\.com\//i,
- /metrics\.itunes\.apple\.com\.edgesuite\.net\//i,
-];
-
-export const SAMPLE_RATE = 0.95;
diff --git a/app/assets/javascripts/sentry/legacy_index.js b/app/assets/javascripts/sentry/legacy_index.js
deleted file mode 100644
index 688f8eb0a44..00000000000
--- a/app/assets/javascripts/sentry/legacy_index.js
+++ /dev/null
@@ -1,34 +0,0 @@
-import '../webpack';
-
-import * as Sentry5 from 'sentrybrowser5';
-import LegacySentryConfig from './legacy_sentry_config';
-
-const index = function index() {
- // Configuration for legacy versions of Sentry SDK (v5)
- LegacySentryConfig.init({
- dsn: gon.sentry_dsn,
- currentUserId: gon.current_user_id,
- whitelistUrls:
- process.env.NODE_ENV === 'production'
- ? [gon.gitlab_url]
- : [gon.gitlab_url, 'webpack-internal://'],
- environment: gon.sentry_environment,
- release: gon.revision,
- tags: {
- revision: gon.revision,
- feature_category: gon.feature_category,
- },
- });
-};
-
-index();
-
-// The _Sentry object is globally exported so it can be used by
-// ./sentry_browser_wrapper.js
-// This hack allows us to load a single version of `~/sentry/sentry_browser_wrapper`
-// in the browser, see app/views/layouts/_head.html.haml to find how it is imported.
-
-// eslint-disable-next-line no-underscore-dangle
-window._Sentry = Sentry5;
-
-export default index;
diff --git a/app/assets/javascripts/sentry/legacy_sentry_config.js b/app/assets/javascripts/sentry/legacy_sentry_config.js
deleted file mode 100644
index 137c31f5526..00000000000
--- a/app/assets/javascripts/sentry/legacy_sentry_config.js
+++ /dev/null
@@ -1,64 +0,0 @@
-import * as Sentry5 from 'sentrybrowser5';
-import $ from 'jquery';
-import { __ } from '~/locale';
-import { IGNORE_ERRORS, DENY_URLS, SAMPLE_RATE } from './legacy_constants';
-
-const SentryConfig = {
- IGNORE_ERRORS,
- DENYLIST_URLS: DENY_URLS,
- SAMPLE_RATE,
- init(options = {}) {
- this.options = options;
-
- this.configure();
- this.bindSentryErrors();
- if (this.options.currentUserId) this.setUser();
- },
-
- configure() {
- const { dsn, release, tags, whitelistUrls, environment } = this.options;
-
- Sentry5.init({
- dsn,
- release,
- whitelistUrls,
- environment,
- ignoreErrors: this.IGNORE_ERRORS, // TODO: Remove in favor of https://gitlab.com/gitlab-org/gitlab/issues/35144
- blacklistUrls: this.DENYLIST_URLS,
- sampleRate: SAMPLE_RATE,
- });
-
- Sentry5.setTags(tags);
- },
-
- setUser() {
- Sentry5.setUser({
- id: this.options.currentUserId,
- });
- },
-
- bindSentryErrors() {
- $(document).on('ajaxError.sentry', this.handleSentryErrors);
- },
-
- handleSentryErrors(event, req, config, err) {
- const error = err || req.statusText;
- const { responseText = __('Unknown response text') } = req;
- const { type, url, data } = config;
- const { status } = req;
-
- Sentry5.captureMessage(error, {
- extra: {
- type,
- url,
- data,
- status,
- response: responseText,
- error,
- event,
- },
- });
- },
-};
-
-export default SentryConfig;
diff --git a/app/assets/javascripts/single_file_diff.js b/app/assets/javascripts/single_file_diff.js
index 1e01da795e8..a3b10f3a77b 100644
--- a/app/assets/javascripts/single_file_diff.js
+++ b/app/assets/javascripts/single_file_diff.js
@@ -1,6 +1,8 @@
import $ from 'jquery';
+import { GlButton } from '@gitlab/ui';
import { createAlert } from '~/alert';
import { loadingIconForLegacyJS } from '~/loading_icon_for_legacy_js';
+import { renderVueComponentForLegacyJS } from '~/render_vue_component_for_legacy_js';
import { spriteIcon } from '~/lib/utils/common_utils';
import FilesCommentButton from './files_comment_button';
import initImageDiffHelper from './image_diff/helpers/init_image_diff';
@@ -14,8 +16,15 @@ const ERROR_HTML = `${spriteIcon(
'warning-solid',
's16',
)} Could not load diff`;
-const COLLAPSED_HTML =
- 'This diff is collapsed. ';
+const CLICK_TO_EXPAND_BUTTON_HTML = renderVueComponentForLegacyJS(
+ GlButton,
+ {
+ class: 'click-to-expand',
+ props: { variant: 'link' },
+ },
+ __('Click to expand it.'),
+).outerHTML;
+const COLLAPSED_HTML = `This diff is collapsed. ${CLICK_TO_EXPAND_BUTTON_HTML}`;
export default class SingleFileDiff {
constructor(file) {
diff --git a/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue b/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue
index b6bbb5df93e..69c87cd3cfc 100644
--- a/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue
+++ b/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue
@@ -7,7 +7,7 @@ import { AVATAR_SHAPE_OPTION_RECT } from '~/vue_shared/constants';
export default {
i18n: {
uploadText: __('Drop or %{linkStart}upload%{linkEnd} an avatar.'),
- maxFileSize: s__('Profiles|The maximum file size allowed is 200KB.'),
+ maxFileSize: s__('Profiles|The maximum file size allowed is 200 KiB.'),
imageDimensions: s__('Profiles|The ideal image size is 192 x 192 pixels.'),
removeAvatar: __('Remove avatar'),
},
diff --git a/app/channels/application_cable/channel.rb b/app/channels/application_cable/channel.rb
index 0de2b0185b5..84c1705c2b5 100644
--- a/app/channels/application_cable/channel.rb
+++ b/app/channels/application_cable/channel.rb
@@ -3,6 +3,15 @@
module ApplicationCable
class Channel < ActionCable::Channel::Base
include Logging
+ include Gitlab::Auth::AuthFinders
+
+ before_subscribe :validate_token_scope
+
+ def validate_token_scope
+ validate_access_token!(scopes: [:api, :read_api])
+ rescue Gitlab::Auth::InsufficientScopeError
+ reject
+ end
private
diff --git a/app/channels/graphql_channel.rb b/app/channels/graphql_channel.rb
index ae37be85da8..cc2a9126004 100644
--- a/app/channels/graphql_channel.rb
+++ b/app/channels/graphql_channel.rb
@@ -48,7 +48,8 @@ class GraphqlChannel < ApplicationCable::Channel # rubocop:disable Gitlab/Namesp
# Objects added to the context may also need to be reloaded in
# `Subscriptions::BaseSubscription` so that they are not stale
def context
- # is_sessionless_user is always false because we only support cookie auth in ActionCable
- { channel: self, current_user: current_user, is_sessionless_user: false }
+ request_authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
+ scope_validator = ::Gitlab::Auth::ScopeValidator.new(current_user, request_authenticator)
+ { channel: self, current_user: current_user, is_sessionless_user: false, scope_validator: scope_validator }
end
end
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index 47c3d54df3a..912469382d6 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -222,6 +222,8 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
else
fail_login(@user)
end
+ rescue Gitlab::Auth::OAuth::User::IdentityWithUntrustedExternUidError
+ handle_identity_with_untrusted_extern_uid
rescue Gitlab::Auth::OAuth::User::SigninDisabledForProviderError
handle_disabled_provider
rescue Gitlab::Auth::OAuth::User::SignupDisabledError
@@ -271,6 +273,13 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
redirect_to profile_account_path, notice: _('Request to link SAML account must be authorized')
end
+ def handle_identity_with_untrusted_extern_uid
+ label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])
+ flash[:alert] = format(_("Signing in using your %{label} account has been disabled for security reasons. Please sign in to your GitLab account using another authentication method and reconnect to your %{label} account."), label: label)
+
+ redirect_to new_user_session_path
+ end
+
def handle_disabled_provider
label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])
flash[:alert] = _("Signing in using %{label} has been disabled") % { label: label }
diff --git a/app/graphql/resolvers/base_resolver.rb b/app/graphql/resolvers/base_resolver.rb
index 17db91a685f..e6d54d9e31c 100644
--- a/app/graphql/resolvers/base_resolver.rb
+++ b/app/graphql/resolvers/base_resolver.rb
@@ -174,7 +174,7 @@ module Resolvers
end
def self.authorized?(object, context)
- authorization.ok?(object, context[:current_user])
+ authorization.ok?(object, context[:current_user], scope_validator: context[:scope_validator])
end
end
end
diff --git a/app/graphql/types/base_enum.rb b/app/graphql/types/base_enum.rb
index ca86e399f6b..d7ceaafb318 100644
--- a/app/graphql/types/base_enum.rb
+++ b/app/graphql/types/base_enum.rb
@@ -65,7 +65,7 @@ module Types
end
def authorized?(object, context)
- authorization.ok?(object, context[:current_user])
+ authorization.ok?(object, context[:current_user], scope_validator: context[:scope_validator])
end
end
end
diff --git a/app/graphql/types/base_field.rb b/app/graphql/types/base_field.rb
index 886490ba62f..ca671533ef1 100644
--- a/app/graphql/types/base_field.rb
+++ b/app/graphql/types/base_field.rb
@@ -97,7 +97,7 @@ module Types
def field_authorized?(object, ctx)
object = object.node if object.is_a?(GraphQL::Pagination::Connection::Edge)
- authorization.ok?(object, ctx[:current_user])
+ authorization.ok?(object, ctx[:current_user], scope_validator: ctx[:scope_validator])
end
# Historically our resolvers have used declarative permission checks only
diff --git a/app/graphql/types/base_object.rb b/app/graphql/types/base_object.rb
index 4ad88e43f52..1783db3cc33 100644
--- a/app/graphql/types/base_object.rb
+++ b/app/graphql/types/base_object.rb
@@ -32,7 +32,7 @@ module Types
end
def self.authorized?(object, context)
- authorization.ok?(object, context[:current_user])
+ authorization.ok?(object, context[:current_user], scope_validator: context[:scope_validator])
end
def current_user
diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index 60a229ef42a..177adb36cd4 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -411,6 +411,9 @@ module ApplicationSettingsHelper
:throttle_unauthenticated_files_api_enabled,
:throttle_unauthenticated_files_api_period_in_seconds,
:throttle_unauthenticated_files_api_requests_per_period,
+ :throttle_unauthenticated_git_http_enabled,
+ :throttle_unauthenticated_git_http_period_in_seconds,
+ :throttle_unauthenticated_git_http_requests_per_period,
:throttle_unauthenticated_deprecated_api_enabled,
:throttle_unauthenticated_deprecated_api_period_in_seconds,
:throttle_unauthenticated_deprecated_api_requests_per_period,
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 5ff1bca975d..0eb1a79dfe1 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -553,6 +553,8 @@ class ApplicationSetting < MainClusterwide::ApplicationRecord
:throttle_unauthenticated_deprecated_api_requests_per_period,
:throttle_unauthenticated_files_api_period_in_seconds,
:throttle_unauthenticated_files_api_requests_per_period,
+ :throttle_unauthenticated_git_http_period_in_seconds,
+ :throttle_unauthenticated_git_http_requests_per_period,
:throttle_unauthenticated_packages_api_period_in_seconds,
:throttle_unauthenticated_packages_api_requests_per_period,
:throttle_unauthenticated_period_in_seconds,
@@ -612,6 +614,11 @@ class ApplicationSetting < MainClusterwide::ApplicationRecord
jsonb_accessor :service_ping_settings,
gitlab_environment_toolkit_instance: [:boolean, { default: false }]
+ jsonb_accessor :rate_limits_unauthenticated_git_http,
+ throttle_unauthenticated_git_http_enabled: [:boolean, { default: false }],
+ throttle_unauthenticated_git_http_requests_per_period: [:integer, { default: 3600 }],
+ throttle_unauthenticated_git_http_period_in_seconds: [:integer, { default: 3600 }]
+
validates :rate_limits, json_schema: { filename: "application_setting_rate_limits" }
validates :search_rate_limit_allowlist,
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index 9caf712d0dc..3f1540e9b8c 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -2148,8 +2148,12 @@ class MergeRequest < ApplicationRecord
merge_request_reviewers.where(user_id: user_ids)
end
- def has_changes_requested?
- merge_request_reviewers.exists?(state: :requested_changes)
+ def create_requested_changes(user)
+ # Overridden in EE
+ end
+
+ def destroy_requested_changes(user)
+ # Overridden in EE
end
def batch_update_reviewer_state(user_ids, state)
diff --git a/app/models/user.rb b/app/models/user.rb
index 88382c85653..9002b1cedb2 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -320,7 +320,7 @@ class User < MainClusterwide::ApplicationRecord
validates :name, presence: true, length: { maximum: 255 }
validates :first_name, length: { maximum: 127 }
validates :last_name, length: { maximum: 127 }
- validates :email, confirmation: true
+ validates :email, confirmation: true, devise_email: true
validates :notification_email, devise_email: true, allow_blank: true
validates :public_email, uniqueness: true, devise_email: true, allow_blank: true
validates :commit_email, devise_email: true, allow_blank: true, unless: ->(user) { user.commit_email == Gitlab::PrivateCommitEmail::TOKEN }
diff --git a/app/services/merge_requests/approval_service.rb b/app/services/merge_requests/approval_service.rb
index 679ee7b4c35..2770bb95c70 100644
--- a/app/services/merge_requests/approval_service.rb
+++ b/app/services/merge_requests/approval_service.rb
@@ -13,7 +13,7 @@ module MergeRequests
return success unless save_approval(approval)
- update_reviewer_state(merge_request, current_user, :approved)
+ update_reviewer_state(merge_request, current_user, 'approved')
reset_approvals_cache(merge_request)
diff --git a/app/services/merge_requests/remove_approval_service.rb b/app/services/merge_requests/remove_approval_service.rb
index ffe3799b540..9bf582e2091 100644
--- a/app/services/merge_requests/remove_approval_service.rb
+++ b/app/services/merge_requests/remove_approval_service.rb
@@ -15,7 +15,7 @@ module MergeRequests
trigger_approval_hooks(merge_request, skip_notification) do
next unless approval.destroy_all # rubocop: disable Cop/DestroyAll
- update_reviewer_state(merge_request, current_user, :unapproved) unless skip_updating_state
+ update_reviewer_state(merge_request, current_user, 'unapproved') unless skip_updating_state
reset_approvals_cache(merge_request)
unless skip_system_note
diff --git a/app/services/merge_requests/update_reviewer_state_service.rb b/app/services/merge_requests/update_reviewer_state_service.rb
index a77cdeeb121..9e4c3fd2180 100644
--- a/app/services/merge_requests/update_reviewer_state_service.rb
+++ b/app/services/merge_requests/update_reviewer_state_service.rb
@@ -12,8 +12,12 @@ module MergeRequests
trigger_merge_request_reviewers_updated(merge_request)
+ destroy_requested_changes(merge_request) if state == 'approved'
+
return success if state != 'requested_changes'
+ create_requested_changes(merge_request)
+
if merge_request.approved_by?(current_user) && !remove_approval(merge_request, current_user)
return error("Failed to remove approval")
end
@@ -23,5 +27,17 @@ module MergeRequests
error("Reviewer not found")
end
end
+
+ private
+
+ def create_requested_changes(merge_request)
+ merge_request.create_requested_changes(current_user)
+
+ trigger_merge_request_merge_status_updated(merge_request)
+ end
+
+ def destroy_requested_changes(merge_request)
+ merge_request.destroy_requested_changes(current_user)
+ end
end
end
diff --git a/app/validators/devise_email_validator.rb b/app/validators/devise_email_validator.rb
index b91cfe23f08..b462fa0ffde 100644
--- a/app/validators/devise_email_validator.rb
+++ b/app/validators/devise_email_validator.rb
@@ -19,7 +19,8 @@
# end
class DeviseEmailValidator < ActiveModel::EachValidator
DEFAULT_OPTIONS = {
- regexp: Devise.email_regexp
+ regexp: Devise.email_regexp,
+ invalid_characters_regexp: %r{[?!#$%&*\/=^<>]}
}.freeze
def initialize(options)
@@ -31,6 +32,14 @@ class DeviseEmailValidator < ActiveModel::EachValidator
end
def validate_each(record, attribute, value)
- record.errors.add(attribute, :invalid) unless options[:regexp].match?(value)
+ return if record.errors.include?(attribute)
+
+ record.errors.add(attribute, :invalid) unless valid_email?(value)
+ end
+
+ private
+
+ def valid_email?(value)
+ options[:regexp].match?(value) && !options[:invalid_characters_regexp].match?(value)
end
end
diff --git a/app/views/admin/application_settings/_git_http_limits.html.haml b/app/views/admin/application_settings/_git_http_limits.html.haml
new file mode 100644
index 00000000000..fc777a17443
--- /dev/null
+++ b/app/views/admin/application_settings/_git_http_limits.html.haml
@@ -0,0 +1,18 @@
+= gitlab_ui_form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-git-http-limits-settings'), html: { class: 'fieldset-form' } do |f|
+ = form_errors(@application_setting)
+
+ %fieldset
+ %h5
+ = _('Unauthenticated Git HTTP request rate limit')
+ .form-group
+ = f.gitlab_ui_checkbox_component :throttle_unauthenticated_git_http_enabled,
+ _('Enable unauthenticated Git HTTP request rate limit'),
+ help_text: _('Helps reduce unauthenticated Git HTTP request volume for git paths.')
+ .form-group
+ = f.label :throttle_unauthenticated_git_http_requests_per_period, _('Maximum unauthenticated Git HTTP requests per period per IP'), class: 'gl-font-weight-bold'
+ = f.number_field :throttle_unauthenticated_git_http_requests_per_period, class: 'form-control gl-form-input'
+ .form-group
+ = f.label :throttle_unauthenticated_git_http_period_in_seconds, _('Unauthenticated Git HTTP rate limit period in seconds'), class: 'gl-font-weight-bold'
+ = f.number_field :throttle_unauthenticated_git_http_period_in_seconds, class: 'form-control gl-form-input'
+
+ = f.submit _('Save changes'), pajamas_button: true
diff --git a/app/views/admin/application_settings/_sentry.html.haml b/app/views/admin/application_settings/_sentry.html.haml
index 5079f374c84..7058a4b5cca 100644
--- a/app/views/admin/application_settings/_sentry.html.haml
+++ b/app/views/admin/application_settings/_sentry.html.haml
@@ -1,12 +1,8 @@
= gitlab_ui_form_for @application_setting, url: metrics_and_profiling_admin_application_settings_path(anchor: 'js-sentry-settings'), html: { class: 'fieldset-form', id: 'sentry-settings' } do |f|
= form_errors(@application_setting)
- - if Feature.disabled?(:enable_new_sentry_integration)
- %fieldset.gl-text-secondary
- = safe_format(s_('AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, enable the %{code_start}enable_new_sentry_integration%{code_end} feature flag and restart GitLab.'), tag_pair(tag.b, :bold_start, :bold_end), tag_pair(tag.code, :code_start, :code_end))
- - else
- %fieldset.gl-text-secondary
- = safe_format(s_('AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, restart GitLab.'), tag_pair(tag.b, :bold_start, :bold_end))
+ %fieldset.gl-text-secondary
+ = safe_format(s_('AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, restart GitLab.'), tag_pair(tag.b, :bold_start, :bold_end))
%fieldset
.form-group
diff --git a/app/views/admin/application_settings/network.html.haml b/app/views/admin/application_settings/network.html.haml
index 86fbbef8dac..b951c97814f 100644
--- a/app/views/admin/application_settings/network.html.haml
+++ b/app/views/admin/application_settings/network.html.haml
@@ -72,6 +72,18 @@
.settings-content
= render partial: 'network_rate_limits', locals: { anchor: 'js-deprecated-limits-settings', setting_fragment: 'deprecated_api' }
+%section.settings.as-git-http-limits.no-animate#js-git-http-limits-settings{ class: ('expanded' if expanded_by_default?) }
+ .settings-header
+ %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
+ = _('Git HTTP rate limits')
+ = render Pajamas::ButtonComponent.new(button_options: { class: 'js-settings-toggle' }) do
+ = expanded_by_default? ? _('Collapse') : _('Expand')
+ %p.gl-text-secondary
+ = _('Configure specific limits for Git HTTP requests.')
+ = link_to _('Learn more.'), help_page_path('administration/settings/git_http_rate_limits'), target: '_blank', rel: 'noopener noreferrer'
+ .settings-content
+ = render 'git_http_limits'
+
%section.settings.as-git-lfs-limits.no-animate#js-git-lfs-limits-settings{ class: ('expanded' if expanded_by_default?) }
.settings-header
%h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
diff --git a/app/views/layouts/_head.html.haml b/app/views/layouts/_head.html.haml
index 728997d39c7..ea770a076f3 100644
--- a/app/views/layouts/_head.html.haml
+++ b/app/views/layouts/_head.html.haml
@@ -48,10 +48,8 @@
= render 'layouts/loading_hints'
= render_if_exists 'layouts/header/translations'
- - if Feature.enabled?(:enable_new_sentry_integration) && Gitlab::CurrentSettings.sentry_enabled
+ - if Gitlab::CurrentSettings.sentry_enabled
= webpack_bundle_tag 'sentry'
- - elsif Gitlab.config.sentry.enabled
- = webpack_bundle_tag 'legacy_sentry'
= webpack_bundle_tag 'performance_bar' if performance_bar_enabled?
= yield :page_specific_javascripts
diff --git a/app/views/search/_results_status.html.haml b/app/views/search/_results_status.html.haml
index 3c42126e480..28fc99c3de5 100644
--- a/app/views/search/_results_status.html.haml
+++ b/app/views/search/_results_status.html.haml
@@ -1,30 +1,25 @@
-.section{ class: ('gl-lg-display-none' if @search_objects.to_a.empty?) }
- .search-results-status
- .gl-display-flex.gl-flex-direction-column
- .gl-p-5.gl-display-flex.gl-flex-wrap
- - unless @search_objects.to_a.empty?
- .gl-display-flex.gl-text-left.gl-flex-grow-1.gl-flex-shrink-1.gl-white-space-nowrap.gl-flex-wrap.gl-sm-w-half
+.search-results-status.gl-sm-display-flex.gl-flex-wrap.gl-justify-content-space-between.gl-my-4{ class: ('gl-lg-display-none' if @search_objects.to_a.empty?) }
+ - unless @search_objects.to_a.empty?
+ %p.gl-text-truncate.gl-my-auto
+ - unless @search_service_presenter.without_count?
+ = search_entries_info(@search_objects, @scope, @search_term)
+ - unless @search_service_presenter.show_snippets?
+ - if @project
+ - link_to_project = link_to(@project.full_name, @project, class: 'search-wrap-f-md-down')
+ - if @scope == 'blobs'
+ = _("in")
+ .mx-md-1.gl-my-auto
+ #js-blob-ref-switcher{ data: { "project-id" => @project.id, "ref" => repository_ref(@project), "field-name": "repository_ref" } }
%p.gl-text-truncate.gl-my-auto
- - unless @search_service_presenter.without_count?
- = search_entries_info(@search_objects, @scope, @search_term)
- - unless @search_service_presenter.show_snippets?
- - if @project
- - link_to_project = link_to(@project.full_name, @project, class: 'search-wrap-f-md-down')
- - if @scope == 'blobs'
- = _("in")
- .mx-md-1.gl-my-auto
- #js-blob-ref-switcher{ data: { "project-id" => @project.id, "ref" => repository_ref(@project), "field-name": "repository_ref" } }
- %p.gl-text-truncate.gl-my-auto
- = s_('SearchCodeResults|of %{link_to_project}').html_safe % { link_to_project: link_to_project }
- - else
- = _("in project %{link_to_project}").html_safe % { link_to_project: link_to_project }
- - elsif @group
- - link_to_group = link_to(@group.name, @group, class: 'ml-md-1')
- = _("in group %{link_to_group}").html_safe % { link_to_group: link_to_group }
- .gl-display-flex.gl-my-3.gl-flex-grow-1.gl-flex-shrink-1.gl-justify-content-end
- = render Pajamas::ButtonComponent.new(category: 'primary', icon: 'filter', button_options: {id: 'js-open-mobile-filters', class: 'gl-lg-display-none'}) do
- = s_('GlobalSearch|Filters')
- - if @search_service_presenter.show_sort_dropdown? && !@search_objects.to_a.empty?
- .gl-ml-3
- #js-search-sort{ data: { "search-sort-options" => search_sort_options.to_json } }
- %hr.gl-mb-5.gl-mt-0.gl-border-gray-100.gl-w-full
+ = s_('SearchCodeResults|of %{link_to_project}').html_safe % { link_to_project: link_to_project }
+ - else
+ = _("in project %{link_to_project}").html_safe % { link_to_project: link_to_project }
+ - elsif @group
+ - link_to_group = link_to(@group.name, @group, class: 'ml-md-1')
+ = _("in group %{link_to_group}").html_safe % { link_to_group: link_to_group }
+ .gl-display-flex
+ = render Pajamas::ButtonComponent.new(category: 'primary', icon: 'filter', button_options: {id: 'js-open-mobile-filters', class: 'gl-lg-display-none'}) do
+ = s_('GlobalSearch|Filters')
+ - if @search_service_presenter.show_sort_dropdown? && !@search_objects.to_a.empty?
+ .gl-ml-3
+ #js-search-sort{ data: { "search-sort-options" => search_sort_options.to_json } }
diff --git a/app/views/search/results/_issuable.html.haml b/app/views/search/results/_issuable.html.haml
index 75530b616bf..52da4ca254a 100644
--- a/app/views/search/results/_issuable.html.haml
+++ b/app/views/search/results/_issuable.html.haml
@@ -1,4 +1,4 @@
-%div{ class: 'search-result-row gl-display-flex gl-sm-flex-direction-row gl-flex-direction-column gl-align-items-center gl-pb-5! gl-mt-5 gl-mb-0!' }
+.search-result-row.row.gl-display-flex.gl-sm-flex-direction-row.gl-flex-direction-column.gl-align-items-center.gl-mt-5{ class: 'gl-pb-5! gl-mb-0!' }
.col-sm-9
%span.gl-display-flex.gl-align-items-center
= gl_badge_tag issuable_state_text(issuable), variant: issuable_state_to_badge_class(issuable), size: :sm
diff --git a/app/views/shared/_choose_avatar_button.html.haml b/app/views/shared/_choose_avatar_button.html.haml
index 30a6a31cdd4..3fbc4d30744 100644
--- a/app/views/shared/_choose_avatar_button.html.haml
+++ b/app/views/shared/_choose_avatar_button.html.haml
@@ -1 +1 @@
-= render 'shared/file_picker_button', f: f, field: :avatar, help_text: s_("Profiles|The ideal image size is 192 x 192 pixels.") + " " + s_("Profiles|The maximum file size allowed is 200KB.")
+= render 'shared/file_picker_button', f: f, field: :avatar, help_text: s_("Profiles|The ideal image size is 192 x 192 pixels.") + " " + s_("Profiles|The maximum file size allowed is 200 KiB.")
diff --git a/app/views/user_settings/profiles/show.html.haml b/app/views/user_settings/profiles/show.html.haml
index 39b0084cbeb..66977d814b9 100644
--- a/app/views/user_settings/profiles/show.html.haml
+++ b/app/views/user_settings/profiles/show.html.haml
@@ -38,7 +38,7 @@
= f.file_field :avatar, class: 'js-user-avatar-input hidden', accept: 'image/*'
.gl-text-gray-500
= s_("Profiles|The ideal image size is 192 x 192 pixels.")
- = s_("Profiles|The maximum file size allowed is 200KB.")
+ = s_("Profiles|The maximum file size allowed is 200 KiB.")
- if @user.avatar?
= render Pajamas::ButtonComponent.new(variant: :danger,
category: :secondary,
diff --git a/config/feature_flags/development/enable_new_sentry_integration.yml b/config/feature_flags/development/enable_new_sentry_integration.yml
deleted file mode 100644
index 00665f80ed6..00000000000
--- a/config/feature_flags/development/enable_new_sentry_integration.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: enable_new_sentry_integration
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72428
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/344832
-milestone: '14.9'
-type: development
-group: group::pipeline execution
-default_enabled: false
diff --git a/config/feature_flags/development/enable_old_sentry_integration.yml b/config/feature_flags/development/enable_old_sentry_integration.yml
deleted file mode 100644
index 4911dbfdc78..00000000000
--- a/config/feature_flags/development/enable_old_sentry_integration.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: enable_old_sentry_integration
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72428
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/344832
-milestone: '14.9'
-type: development
-group: group::pipeline execution
-default_enabled: true
diff --git a/config/feature_flags/gitlab_com_derisk/native_header_anchors.yml b/config/feature_flags/gitlab_com_derisk/native_header_anchors.yml
new file mode 100644
index 00000000000..24f36fcd99f
--- /dev/null
+++ b/config/feature_flags/gitlab_com_derisk/native_header_anchors.yml
@@ -0,0 +1,9 @@
+---
+name: native_header_anchors
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/440733
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144690
+rollout_issue_url:
+milestone: '17.0'
+group: group::project management
+type: gitlab_com_derisk
+default_enabled: false
diff --git a/config/gitlab_loose_foreign_keys.yml b/config/gitlab_loose_foreign_keys.yml
index 56a233425e5..b29b31cb20e 100644
--- a/config/gitlab_loose_foreign_keys.yml
+++ b/config/gitlab_loose_foreign_keys.yml
@@ -245,6 +245,16 @@ merge_request_metrics:
- table: ci_pipelines
column: pipeline_id
on_delete: async_nullify
+merge_request_requested_changes:
+ - table: merge_requests
+ column: merge_request_id
+ on_delete: async_delete
+ - table: projects
+ column: project_id
+ on_delete: async_delete
+ - table: users
+ column: user_id
+ on_delete: async_delete
merge_requests:
- table: ci_pipelines
column: head_pipeline_id
diff --git a/config/webpack.config.js b/config/webpack.config.js
index ca5506a1e39..f6cd978f300 100644
--- a/config/webpack.config.js
+++ b/config/webpack.config.js
@@ -261,7 +261,6 @@ module.exports = {
*/
return {
default: defaultEntries,
- legacy_sentry: './sentry/legacy_index.js',
sentry: './sentry/index.js',
performance_bar: './performance_bar/index.js',
jira_connect_app: './jira_connect/subscriptions/index.js',
diff --git a/data/deprecations/14-8-graphql-runner-active.yml b/data/deprecations/14-8-graphql-runner-active.yml
new file mode 100644
index 00000000000..296ed3b6ddf
--- /dev/null
+++ b/data/deprecations/14-8-graphql-runner-active.yml
@@ -0,0 +1,40 @@
+- title: 'Runner `active` GraphQL fields replaced by `paused`'
+ # The milestones for the deprecation announcement, and the removal.
+ removal_milestone: '18.0'
+ announcement_milestone: '14.8'
+ # Change breaking_change to false if needed.
+ breaking_change: true
+ # The stage and GitLab username of the person reporting the change,
+ # and a link to the deprecation issue
+ reporter: pedropombeiro
+ stage: Verify
+ issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/351109
+ impact: low
+ scope: # Can be one or a combination of: [instance, group, project]
+ resolution_role: Developer
+ manual_task: true
+ body: | # (required) Don't change this line.
+ Occurrences of the `active` identifier in the GitLab GraphQL API endpoints will be renamed to `paused` in GitLab 18.0:
+
+ - The `CiRunner` property.
+ - The `RunnerUpdateInput` input type for the `runnerUpdate` mutation.
+ - The `runners`, `Group.runners`, and `Project.runners` queries.
+
+ # ==============================
+ # OPTIONAL END-OF-SUPPORT FIELDS
+ # ==============================
+ #
+ # If an End of Support period applies:
+ # 1) Share this announcement in the `#spt_managers` Support channel in Slack
+ # 2) Mention `@gitlab-com/support` in this merge request.
+ #
+ # When support for this feature ends, in XX.YY milestone format.
+ end_of_support_milestone:
+ # Array of tiers the feature is currently available to,
+ # like [Free, Silver, Gold, Core, Premium, Ultimate]
+ tiers:
+ # Links to documentation and thumbnail image
+ documentation_url: https://docs.gitlab.com/ee/api/graphql/reference/index.html#cirunner
+ image_url:
+ # Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg
+ video_url:
diff --git a/data/whats_new/202404160001_16_11.yml b/data/whats_new/202404160001_16_11.yml
index ff9361acdd7..69129bcf6fd 100644
--- a/data/whats_new/202404160001_16_11.yml
+++ b/data/whats_new/202404160001_16_11.yml
@@ -10,7 +10,7 @@
stage: ai-powered
self-managed: true
gitlab-com: true
- available_in: [Free, Premium, Ultimate]
+ available_in: [Premium, Ultimate]
documentation_link: https://docs.gitlab.com/ee/user/gitlab_duo_chat.html
image_url: https://img.youtube.com/vi/ZQBAuf-CTAY/hqdefault.jpg
published_at: 2024-04-18
@@ -52,7 +52,7 @@
stage: govern
self-managed: true
gitlab-com: true
- available_in: [Free, Premium, Ultimate]
+ available_in: [Premium, Ultimate]
documentation_link: https://docs.gitlab.com/ee/editor_extensions/jetbrains_ide/index.html
image_url: https://about.gitlab.com/images/16_11/create-duo-chat-in-jetbrains.png
published_at: 2024-04-18
diff --git a/db/docs/batched_background_migrations/backfill_workspace_variables_project_id.yml b/db/docs/batched_background_migrations/backfill_workspace_variables_project_id.yml
new file mode 100644
index 00000000000..8aacc82b2fa
--- /dev/null
+++ b/db/docs/batched_background_migrations/backfill_workspace_variables_project_id.yml
@@ -0,0 +1,9 @@
+---
+migration_job_name: BackfillWorkspaceVariablesProjectId
+description: Backfills sharding key `workspace_variables.project_id` from `workspaces`.
+feature_category: remote_development
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150074
+milestone: '17.0'
+queued_migration_version: 20240419035360
+finalize_after: '2024-05-22'
+finalized_by: # version of the migration that finalized this BBM
diff --git a/db/docs/merge_request_requested_changes.yml b/db/docs/merge_request_requested_changes.yml
new file mode 100644
index 00000000000..fe49f404a4e
--- /dev/null
+++ b/db/docs/merge_request_requested_changes.yml
@@ -0,0 +1,12 @@
+---
+table_name: merge_request_requested_changes
+classes:
+- MergeRequests::RequestedChange
+feature_categories:
+- code_review_workflow
+description: Blocker for changes requested on a merge request
+introduced_by_url:
+milestone: '17.0'
+gitlab_schema: gitlab_main_cell
+sharding_key:
+ project_id: projects
\ No newline at end of file
diff --git a/db/docs/workspace_variables.yml b/db/docs/workspace_variables.yml
index f92750f84c1..f8f0369e75f 100644
--- a/db/docs/workspace_variables.yml
+++ b/db/docs/workspace_variables.yml
@@ -23,3 +23,4 @@ desired_sharding_key:
table: workspaces
sharding_key: project_id
belongs_to: workspace
+desired_sharding_key_migration_job_name: BackfillWorkspaceVariablesProjectId
diff --git a/db/migrate/20240405090000_add_throttle_unauthenticated_git_http_to_application_settings.rb b/db/migrate/20240405090000_add_throttle_unauthenticated_git_http_to_application_settings.rb
new file mode 100644
index 00000000000..1881b8d630b
--- /dev/null
+++ b/db/migrate/20240405090000_add_throttle_unauthenticated_git_http_to_application_settings.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+class AddThrottleUnauthenticatedGitHttpToApplicationSettings < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ disable_ddl_transaction!
+
+ def up
+ add_column :application_settings, :rate_limits_unauthenticated_git_http, :jsonb, default: {}, null: false,
+ if_not_exists: true
+
+ add_check_constraint(
+ :application_settings,
+ "(jsonb_typeof(rate_limits_unauthenticated_git_http) = 'object')",
+ 'check_application_settings_rate_limits_unauth_git_http_is_hash'
+ )
+ end
+
+ def down
+ remove_column :application_settings, :rate_limits_unauthenticated_git_http, it_exists: true
+ end
+end
diff --git a/db/migrate/20240405090010_update_throttle_unauthenticated_git_http_in_application_settings.rb b/db/migrate/20240405090010_update_throttle_unauthenticated_git_http_in_application_settings.rb
new file mode 100644
index 00000000000..d4458912262
--- /dev/null
+++ b/db/migrate/20240405090010_update_throttle_unauthenticated_git_http_in_application_settings.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+class UpdateThrottleUnauthenticatedGitHttpInApplicationSettings < Gitlab::Database::Migration[2.2]
+ restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+ milestone '17.0'
+
+ disable_ddl_transaction!
+
+ def up
+ execute <<~SQL
+ UPDATE application_settings
+ SET rate_limits_unauthenticated_git_http = jsonb_build_object(
+ 'throttle_unauthenticated_git_http_enabled', throttle_unauthenticated_enabled,
+ 'throttle_unauthenticated_git_http_requests_per_period', throttle_unauthenticated_requests_per_period,
+ 'throttle_unauthenticated_git_http_period_in_seconds', throttle_unauthenticated_period_in_seconds
+ );
+ SQL
+ end
+
+ def down
+ execute "UPDATE application_settings SET rate_limits_unauthenticated_git_http = CAST('{}' AS jsonb)"
+ end
+end
diff --git a/db/migrate/20240415184907_add_trusted_extern_uid_to_identities.rb b/db/migrate/20240415184907_add_trusted_extern_uid_to_identities.rb
new file mode 100644
index 00000000000..a2759fd4d82
--- /dev/null
+++ b/db/migrate/20240415184907_add_trusted_extern_uid_to_identities.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class AddTrustedExternUidToIdentities < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ enable_lock_retries!
+
+ def change
+ add_column :identities, :trusted_extern_uid, :boolean, default: true
+ end
+end
diff --git a/db/migrate/20240415190848_index_identities_on_provider.rb b/db/migrate/20240415190848_index_identities_on_provider.rb
new file mode 100644
index 00000000000..60553840c17
--- /dev/null
+++ b/db/migrate/20240415190848_index_identities_on_provider.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class IndexIdentitiesOnProvider < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ disable_ddl_transaction!
+
+ INDEX_NAME = 'index_identities_on_provider'
+
+ def up
+ add_concurrent_index :identities, :provider, name: INDEX_NAME
+ end
+
+ def down
+ remove_concurrent_index_by_name :identities, name: INDEX_NAME
+ end
+end
diff --git a/db/migrate/20240419035356_add_project_id_to_workspace_variables.rb b/db/migrate/20240419035356_add_project_id_to_workspace_variables.rb
new file mode 100644
index 00000000000..7616169c0d2
--- /dev/null
+++ b/db/migrate/20240419035356_add_project_id_to_workspace_variables.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddProjectIdToWorkspaceVariables < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ def change
+ add_column :workspace_variables, :project_id, :bigint
+ end
+end
diff --git a/db/migrate/20240419035357_index_workspace_variables_on_project_id.rb b/db/migrate/20240419035357_index_workspace_variables_on_project_id.rb
new file mode 100644
index 00000000000..66a236b4b34
--- /dev/null
+++ b/db/migrate/20240419035357_index_workspace_variables_on_project_id.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class IndexWorkspaceVariablesOnProjectId < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+ disable_ddl_transaction!
+
+ INDEX_NAME = 'index_workspace_variables_on_project_id'
+
+ def up
+ add_concurrent_index :workspace_variables, :project_id, name: INDEX_NAME
+ end
+
+ def down
+ remove_concurrent_index_by_name :workspace_variables, INDEX_NAME
+ end
+end
diff --git a/db/migrate/20240419035358_add_workspace_variables_project_id_fk.rb b/db/migrate/20240419035358_add_workspace_variables_project_id_fk.rb
new file mode 100644
index 00000000000..9229fd1f7c6
--- /dev/null
+++ b/db/migrate/20240419035358_add_workspace_variables_project_id_fk.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class AddWorkspaceVariablesProjectIdFk < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+ disable_ddl_transaction!
+
+ def up
+ add_concurrent_foreign_key :workspace_variables, :projects, column: :project_id, on_delete: :cascade
+ end
+
+ def down
+ with_lock_retries do
+ remove_foreign_key :workspace_variables, column: :project_id
+ end
+ end
+end
diff --git a/db/migrate/20240419085004_create_merge_request_requested_changes.rb b/db/migrate/20240419085004_create_merge_request_requested_changes.rb
new file mode 100644
index 00000000000..e32fd425aae
--- /dev/null
+++ b/db/migrate/20240419085004_create_merge_request_requested_changes.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class CreateMergeRequestRequestedChanges < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ def change
+ create_table :merge_request_requested_changes do |t|
+ t.bigint :project_id, null: false
+ t.bigint :user_id, null: false
+ t.bigint :merge_request_id, null: false
+
+ t.timestamps_with_timezone null: false
+
+ t.index :project_id
+ t.index :user_id
+ t.index :merge_request_id
+ end
+ end
+end
diff --git a/db/post_migrate/20240419035359_add_workspace_variables_project_id_trigger.rb b/db/post_migrate/20240419035359_add_workspace_variables_project_id_trigger.rb
new file mode 100644
index 00000000000..7702bf1d9e8
--- /dev/null
+++ b/db/post_migrate/20240419035359_add_workspace_variables_project_id_trigger.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class AddWorkspaceVariablesProjectIdTrigger < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ def up
+ install_sharding_key_assignment_trigger(
+ table: :workspace_variables,
+ sharding_key: :project_id,
+ parent_table: :workspaces,
+ parent_sharding_key: :project_id,
+ foreign_key: :workspace_id
+ )
+ end
+
+ def down
+ remove_sharding_key_assignment_trigger(
+ table: :workspace_variables,
+ sharding_key: :project_id,
+ parent_table: :workspaces,
+ parent_sharding_key: :project_id,
+ foreign_key: :workspace_id
+ )
+ end
+end
diff --git a/db/post_migrate/20240419035360_queue_backfill_workspace_variables_project_id.rb b/db/post_migrate/20240419035360_queue_backfill_workspace_variables_project_id.rb
new file mode 100644
index 00000000000..b735a769eab
--- /dev/null
+++ b/db/post_migrate/20240419035360_queue_backfill_workspace_variables_project_id.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+class QueueBackfillWorkspaceVariablesProjectId < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+ restrict_gitlab_migration gitlab_schema: :gitlab_main_cell
+
+ MIGRATION = "BackfillWorkspaceVariablesProjectId"
+ DELAY_INTERVAL = 2.minutes
+ BATCH_SIZE = 1000
+ SUB_BATCH_SIZE = 100
+
+ def up
+ queue_batched_background_migration(
+ MIGRATION,
+ :workspace_variables,
+ :id,
+ :project_id,
+ :workspaces,
+ :project_id,
+ :workspace_id,
+ job_interval: DELAY_INTERVAL,
+ batch_size: BATCH_SIZE,
+ sub_batch_size: SUB_BATCH_SIZE
+ )
+ end
+
+ def down
+ delete_batched_background_migration(
+ MIGRATION,
+ :workspace_variables,
+ :id,
+ [
+ :project_id,
+ :workspaces,
+ :project_id,
+ :workspace_id
+ ]
+ )
+ end
+end
diff --git a/db/post_migrate/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities.rb b/db/post_migrate/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities.rb
new file mode 100644
index 00000000000..9be3f89235c
--- /dev/null
+++ b/db/post_migrate/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class SetTrustedExternUidToFalseForExistingBitbucketIdentities < Gitlab::Database::Migration[2.2]
+ restrict_gitlab_migration gitlab_schema: :gitlab_main_clusterwide
+
+ milestone '17.0'
+
+ disable_ddl_transaction!
+
+ BATCH_SIZE = 1000
+
+ def up
+ define_batchable_model('identities').where(provider: 'bitbucket').each_batch(of: BATCH_SIZE) do |batch|
+ batch.update_all(trusted_extern_uid: false)
+ end
+ end
+end
diff --git a/db/schema_migrations/20240405090000 b/db/schema_migrations/20240405090000
new file mode 100644
index 00000000000..42e1ac97298
--- /dev/null
+++ b/db/schema_migrations/20240405090000
@@ -0,0 +1 @@
+1f79208f10eac682970b91dd12159c9c7446fab637409d2f62dc91231af1dd13
\ No newline at end of file
diff --git a/db/schema_migrations/20240405090010 b/db/schema_migrations/20240405090010
new file mode 100644
index 00000000000..3b93267c8f9
--- /dev/null
+++ b/db/schema_migrations/20240405090010
@@ -0,0 +1 @@
+c84be5380fb2c1e90aabd987b8a7c020ec17405a8d0b97f0ca44e4ea724b7c6d
\ No newline at end of file
diff --git a/db/schema_migrations/20240415184907 b/db/schema_migrations/20240415184907
new file mode 100644
index 00000000000..bb000eeb996
--- /dev/null
+++ b/db/schema_migrations/20240415184907
@@ -0,0 +1 @@
+66b22a6c730d44535b321e0dd626c1b47fa3206ff811acd16007e9587a4c5d65
\ No newline at end of file
diff --git a/db/schema_migrations/20240415190848 b/db/schema_migrations/20240415190848
new file mode 100644
index 00000000000..d7c525ca496
--- /dev/null
+++ b/db/schema_migrations/20240415190848
@@ -0,0 +1 @@
+8e74960909f458e3500f3857a4154b4b930dc21d4f5c1d7916f321f197220ba6
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035356 b/db/schema_migrations/20240419035356
new file mode 100644
index 00000000000..55a4f207a17
--- /dev/null
+++ b/db/schema_migrations/20240419035356
@@ -0,0 +1 @@
+a1f5f62a9782df2887fea2f8f1bccca6759e9da59d9a2778d6e7d09fc998d690
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035357 b/db/schema_migrations/20240419035357
new file mode 100644
index 00000000000..9c33231778a
--- /dev/null
+++ b/db/schema_migrations/20240419035357
@@ -0,0 +1 @@
+ae763de6e4f8d746dce6d4c5d1aa68b1e756bbd0488d2ad705c016ecc7c04fcd
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035358 b/db/schema_migrations/20240419035358
new file mode 100644
index 00000000000..f79680cb39c
--- /dev/null
+++ b/db/schema_migrations/20240419035358
@@ -0,0 +1 @@
+1867e85e95b2def01e9fc4ef4209e64f7afd5e71a1378a0024dadc3715cc07aa
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035359 b/db/schema_migrations/20240419035359
new file mode 100644
index 00000000000..7c45f82c416
--- /dev/null
+++ b/db/schema_migrations/20240419035359
@@ -0,0 +1 @@
+0ed31058286c68932a683e6072002fd5fe6a4d785c113db22028262aafc47c86
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035360 b/db/schema_migrations/20240419035360
new file mode 100644
index 00000000000..a8912146466
--- /dev/null
+++ b/db/schema_migrations/20240419035360
@@ -0,0 +1 @@
+6f571972797eee34572944fb18ecf389d97c5880838b9c3c0ccf7ebbe5937f1d
\ No newline at end of file
diff --git a/db/schema_migrations/20240419085004 b/db/schema_migrations/20240419085004
new file mode 100644
index 00000000000..4b65832cf5d
--- /dev/null
+++ b/db/schema_migrations/20240419085004
@@ -0,0 +1 @@
+a845ee1d6e023d976f526e76d2d690ec2a168d8975eda3edb5a1e9932d26c16c
\ No newline at end of file
diff --git a/db/schema_migrations/20240419140530 b/db/schema_migrations/20240419140530
new file mode 100644
index 00000000000..37f6a20d23c
--- /dev/null
+++ b/db/schema_migrations/20240419140530
@@ -0,0 +1 @@
+cab7740141a0b515fbaf0c6e38c3d2aea4ac5ff765a2978ccd89f4274d44c1d1
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index be87a452f0d..904f9229def 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -695,6 +695,22 @@ BEGIN
END;
$$;
+CREATE FUNCTION trigger_56d49f4ed623() RETURNS trigger
+ LANGUAGE plpgsql
+ AS $$
+BEGIN
+IF NEW."project_id" IS NULL THEN
+ SELECT "project_id"
+ INTO NEW."project_id"
+ FROM "workspaces"
+ WHERE "workspaces"."id" = NEW."workspace_id";
+END IF;
+
+RETURN NEW;
+
+END
+$$;
+
CREATE FUNCTION trigger_94514aeadc50() RETURNS trigger
LANGUAGE plpgsql
AS $$
@@ -4319,6 +4335,7 @@ CREATE TABLE application_settings (
include_optional_metrics_in_service_ping boolean DEFAULT true NOT NULL,
zoekt_settings jsonb DEFAULT '{}'::jsonb NOT NULL,
service_ping_settings jsonb DEFAULT '{}'::jsonb NOT NULL,
+ rate_limits_unauthenticated_git_http jsonb DEFAULT '{}'::jsonb NOT NULL,
CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
CONSTRAINT app_settings_container_registry_pre_import_tags_rate_positive CHECK ((container_registry_pre_import_tags_rate >= (0)::numeric)),
CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)),
@@ -4371,6 +4388,7 @@ CREATE TABLE application_settings (
CONSTRAINT check_app_settings_sentry_clientside_traces_sample_rate_range CHECK (((sentry_clientside_traces_sample_rate >= (0)::double precision) AND (sentry_clientside_traces_sample_rate <= (1)::double precision))),
CONSTRAINT check_application_settings_clickhouse_is_hash CHECK ((jsonb_typeof(clickhouse) = 'object'::text)),
CONSTRAINT check_application_settings_rate_limits_is_hash CHECK ((jsonb_typeof(rate_limits) = 'object'::text)),
+ CONSTRAINT check_application_settings_rate_limits_unauth_git_http_is_hash CHECK ((jsonb_typeof(rate_limits_unauthenticated_git_http) = 'object'::text)),
CONSTRAINT check_application_settings_service_ping_settings_is_hash CHECK ((jsonb_typeof(service_ping_settings) = 'object'::text)),
CONSTRAINT check_b8c74ea5b3 CHECK ((char_length(deactivation_email_additional_text) <= 1000)),
CONSTRAINT check_cdfbd99405 CHECK ((char_length(security_txt_content) <= 2048)),
@@ -9764,7 +9782,8 @@ CREATE TABLE identities (
created_at timestamp without time zone,
updated_at timestamp without time zone,
secondary_extern_uid character varying,
- saml_provider_id integer
+ saml_provider_id integer,
+ trusted_extern_uid boolean DEFAULT true
);
CREATE SEQUENCE identities_id_seq
@@ -11250,6 +11269,24 @@ CREATE SEQUENCE merge_request_predictions_merge_request_id_seq
ALTER SEQUENCE merge_request_predictions_merge_request_id_seq OWNED BY merge_request_predictions.merge_request_id;
+CREATE TABLE merge_request_requested_changes (
+ id bigint NOT NULL,
+ project_id bigint NOT NULL,
+ user_id bigint NOT NULL,
+ merge_request_id bigint NOT NULL,
+ created_at timestamp with time zone NOT NULL,
+ updated_at timestamp with time zone NOT NULL
+);
+
+CREATE SEQUENCE merge_request_requested_changes_id_seq
+ START WITH 1
+ INCREMENT BY 1
+ NO MINVALUE
+ NO MAXVALUE
+ CACHE 1;
+
+ALTER SEQUENCE merge_request_requested_changes_id_seq OWNED BY merge_request_requested_changes.id;
+
CREATE TABLE merge_request_review_llm_summaries (
id bigint NOT NULL,
user_id bigint,
@@ -18123,6 +18160,7 @@ CREATE TABLE workspace_variables (
key text NOT NULL,
encrypted_value bytea NOT NULL,
encrypted_value_iv bytea NOT NULL,
+ project_id bigint,
CONSTRAINT check_5545042100 CHECK ((char_length(key) <= 255))
);
@@ -19403,6 +19441,8 @@ ALTER TABLE ONLY merge_request_metrics ALTER COLUMN id SET DEFAULT nextval('merg
ALTER TABLE ONLY merge_request_predictions ALTER COLUMN merge_request_id SET DEFAULT nextval('merge_request_predictions_merge_request_id_seq'::regclass);
+ALTER TABLE ONLY merge_request_requested_changes ALTER COLUMN id SET DEFAULT nextval('merge_request_requested_changes_id_seq'::regclass);
+
ALTER TABLE ONLY merge_request_review_llm_summaries ALTER COLUMN id SET DEFAULT nextval('merge_request_review_llm_summaries_id_seq'::regclass);
ALTER TABLE ONLY merge_request_reviewers ALTER COLUMN id SET DEFAULT nextval('merge_request_reviewers_id_seq'::regclass);
@@ -21650,6 +21690,9 @@ ALTER TABLE ONLY merge_request_metrics
ALTER TABLE ONLY merge_request_predictions
ADD CONSTRAINT merge_request_predictions_pkey PRIMARY KEY (merge_request_id);
+ALTER TABLE ONLY merge_request_requested_changes
+ ADD CONSTRAINT merge_request_requested_changes_pkey PRIMARY KEY (id);
+
ALTER TABLE ONLY merge_request_review_llm_summaries
ADD CONSTRAINT merge_request_review_llm_summaries_pkey PRIMARY KEY (id);
@@ -25656,6 +25699,8 @@ CREATE INDEX index_historical_data_on_recorded_at ON historical_data USING btree
CREATE UNIQUE INDEX index_http_integrations_on_project_and_endpoint ON alert_management_http_integrations USING btree (project_id, endpoint_identifier);
+CREATE INDEX index_identities_on_provider ON identities USING btree (provider);
+
CREATE INDEX index_identities_on_saml_provider_id ON identities USING btree (saml_provider_id) WHERE (saml_provider_id IS NOT NULL);
CREATE INDEX index_identities_on_user_id ON identities USING btree (user_id);
@@ -26068,6 +26113,12 @@ CREATE INDEX index_merge_request_metrics_on_merged_at ON merge_request_metrics U
CREATE INDEX index_merge_request_metrics_on_pipeline_id ON merge_request_metrics USING btree (pipeline_id);
+CREATE INDEX index_merge_request_requested_changes_on_merge_request_id ON merge_request_requested_changes USING btree (merge_request_id);
+
+CREATE INDEX index_merge_request_requested_changes_on_project_id ON merge_request_requested_changes USING btree (project_id);
+
+CREATE INDEX index_merge_request_requested_changes_on_user_id ON merge_request_requested_changes USING btree (user_id);
+
CREATE INDEX index_merge_request_review_llm_summaries_on_mr_diff_id ON merge_request_review_llm_summaries USING btree (merge_request_diff_id);
CREATE INDEX index_merge_request_review_llm_summaries_on_review_id ON merge_request_review_llm_summaries USING btree (review_id);
@@ -27838,6 +27889,8 @@ CREATE UNIQUE INDEX index_work_item_widget_definitions_on_namespace_type_and_nam
CREATE INDEX index_work_item_widget_definitions_on_work_item_type_id ON work_item_widget_definitions USING btree (work_item_type_id);
+CREATE INDEX index_workspace_variables_on_project_id ON workspace_variables USING btree (project_id);
+
CREATE INDEX index_workspace_variables_on_workspace_id ON workspace_variables USING btree (workspace_id);
CREATE INDEX index_workspaces_on_cluster_agent_id ON workspaces USING btree (cluster_agent_id);
@@ -29722,6 +29775,8 @@ CREATE TRIGGER trigger_3857ca5ea4af BEFORE INSERT OR UPDATE ON merge_trains FOR
CREATE TRIGGER trigger_388e93f88fdd BEFORE INSERT OR UPDATE ON packages_build_infos FOR EACH ROW EXECUTE FUNCTION trigger_388e93f88fdd();
+CREATE TRIGGER trigger_56d49f4ed623 BEFORE INSERT OR UPDATE ON workspace_variables FOR EACH ROW EXECUTE FUNCTION trigger_56d49f4ed623();
+
CREATE TRIGGER trigger_94514aeadc50 BEFORE INSERT OR UPDATE ON deployment_approvals FOR EACH ROW EXECUTE FUNCTION trigger_94514aeadc50();
CREATE TRIGGER trigger_b2d852e1e2cb BEFORE INSERT OR UPDATE ON ci_pipelines FOR EACH ROW EXECUTE FUNCTION trigger_b2d852e1e2cb();
@@ -30091,6 +30146,9 @@ ALTER TABLE ONLY todos
ALTER TABLE ONLY releases
ADD CONSTRAINT fk_47fe2a0596 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
+ALTER TABLE ONLY workspace_variables
+ ADD CONSTRAINT fk_494e093520 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
+
ALTER TABLE ONLY geo_event_log
ADD CONSTRAINT fk_4a99ebfd60 FOREIGN KEY (repositories_changed_event_id) REFERENCES geo_repositories_changed_events(id) ON DELETE CASCADE;
diff --git a/doc/administration/job_artifacts.md b/doc/administration/job_artifacts.md
index 17a1a87df5e..ada4dcdb31c 100644
--- a/doc/administration/job_artifacts.md
+++ b/doc/administration/job_artifacts.md
@@ -177,8 +177,7 @@ WARNING:
In a multi-server setup you must use one of the options to
[eliminate local disk usage for job logs](job_logs.md#prevent-local-disk-usage), or job logs could be lost.
-In GitLab 13.2 and later, you should use the
-[consolidated object storage settings](object_storage.md#configure-a-single-storage-connection-for-all-object-types-consolidated-form).
+You should use the [consolidated object storage settings](object_storage.md#configure-a-single-storage-connection-for-all-object-types-consolidated-form).
### Migrating to object storage
diff --git a/doc/administration/job_artifacts_troubleshooting.md b/doc/administration/job_artifacts_troubleshooting.md
index 17797a15702..fb66aac7a86 100644
--- a/doc/administration/job_artifacts_troubleshooting.md
+++ b/doc/administration/job_artifacts_troubleshooting.md
@@ -23,8 +23,7 @@ reasons are:
- Artifact files might be left on disk and not deleted by housekeeping. Run the
[Rake task for _orphaned_ artifact files](../raketasks/cleanup.md#remove-orphan-artifact-files)
to remove these. This script should always find work to do, as it also removes empty directories (see above).
-- [Artifact housekeeping was changed significantly](#housekeeping-disabled-in-gitlab-146-to-152),
- and you might need to enable a feature flag to use the updated system.
+- [Artifact housekeeping was changed significantly](#housekeeping-disabled-in-gitlab-150-to-152), and you might need to enable a feature flag to use the updated system.
- The [keep latest artifacts from most recent success jobs](../ci/jobs/job_artifacts.md#keep-artifacts-from-most-recent-successful-jobs)
feature is enabled.
@@ -37,15 +36,11 @@ space, and in some cases, manually delete job artifacts to reclaim disk space.
Artifacts housekeeping is the process that identifies which artifacts are expired
and can be deleted.
-#### Housekeeping disabled in GitLab 14.6 to 15.2
+#### Housekeeping disabled in GitLab 15.0 to 15.2
-Artifact housekeeping was disabled in GitLab 14.6. It was significantly improved
-in GitLab 14.10, and the changes were back ported to patch versions of GitLab 14.6 and later,
-introduced behind [feature flags](feature_flags.md) disabled by default. The flags were
-enabled by default [in GitLab 15.3](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92931).
+Artifact housekeeping was significantly improved in GitLab 15.0, introduced behind [feature flags](feature_flags.md) disabled by default. The flags were enabled by default [in GitLab 15.3](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92931).
-If artifacts housekeeping does not seem to be working in GitLab 14.6 to GitLab 15.2,
-you should check if the feature flags are enabled.
+If artifacts housekeeping does not seem to be working in GitLab 15.0 to GitLab 15.2, you should check if the feature flags are enabled.
To check if the feature flags are enabled:
@@ -53,21 +48,11 @@ To check if the feature flags are enabled:
1. Check if the feature flags are enabled.
- - GitLab 14.10 and earlier:
-
- ```ruby
- Feature.enabled?(:ci_detect_wrongly_expired_artifacts, default_enabled: :yaml)
- Feature.enabled?(:ci_update_unlocked_job_artifacts, default_enabled: :yaml)
- Feature.enabled?(:ci_job_artifacts_backlog_work, default_enabled: :yaml)
- ```
-
- - GitLab 15.0 and later:
-
- ```ruby
- Feature.enabled?(:ci_detect_wrongly_expired_artifacts)
- Feature.enabled?(:ci_update_unlocked_job_artifacts)
- Feature.enabled?(:ci_job_artifacts_backlog_work)
- ```
+ ```ruby
+ Feature.enabled?(:ci_detect_wrongly_expired_artifacts)
+ Feature.enabled?(:ci_update_unlocked_job_artifacts)
+ Feature.enabled?(:ci_job_artifacts_backlog_work)
+ ```
1. If any of the feature flags are disabled, enable them:
@@ -154,23 +139,15 @@ GitLab 15.3 and later. It analyzes the artifacts returned by the above database
determines which should be `locked` or `unlocked`. Artifacts are then deleted
by that worker if needed.
-The worker can be enabled on self-managed instances running GitLab 14.10 and later:
+The worker can be enabled on self-managed instances:
1. Start a [Rails console](operations/rails_console.md#starting-a-rails-console-session).
1. Check if the feature is enabled.
-
- - GitLab 14.10:
-
- ```ruby
- Feature.enabled?(:ci_job_artifacts_backlog_work, default_enabled: :yaml)
- ```
-
- - GitLab 15.0 and later:
-
- ```ruby
- Feature.enabled?(:ci_job_artifacts_backlog_work)
- ```
+
+ ```ruby
+ Feature.enabled?(:ci_job_artifacts_backlog_work)
+ ```
1. Enable the feature, if needed:
@@ -429,8 +406,6 @@ For more information, [see the investigation details](https://gitlab.com/gitlab-
## Usage quota shows incorrect artifact storage usage
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/238536) in GitLab 14.10.
-
Sometimes the [artifacts storage usage](../user/usage_quotas.md) displays an incorrect
value for the total storage space used by artifacts. To recalculate the artifact
usage statistics for all projects in the instance, you can run this background script:
diff --git a/doc/administration/pages/index.md b/doc/administration/pages/index.md
index 2e6915f2409..3d499c78789 100644
--- a/doc/administration/pages/index.md
+++ b/doc/administration/pages/index.md
@@ -119,28 +119,25 @@ If you need support for namespace in the URL path to remove the requirement for
1. Enable the GitLab Pages flag for this feature by adding
`gitlab_pages["namespace_in_path"] = true` to `/etc/gitlab/gitlab.rb`.
-1. In your DNS provider, add entries for `example.io` and `projects.example.io`.
- In both lines, replace `example.io` with your domain name, and `192.0.0.0` with
+1. In your DNS provider, add entries for `example.io`.
+ Replace `example.io` with your domain name, and `192.0.0.0` with
the IPv4 version of your IP address. The entries look like this:
```plaintext
example.io 1800 IN A 192.0.0.0
- projects.example.io 1800 IN A 192.0.0.0
```
1. Optional. If your GitLab instance has an IPv6 address, add entries for it.
- In both lines, replace `example.io` with your domain name, and `2001:db8::1` with
+ Replace `example.io` with your domain name, and `2001:db8::1` with
the IPv6 version of your IP address. The entries look like this:
```plaintext
example.io 1800 IN AAAA 2001:db8::1
- projects.example.io 1800 IN AAAA 2001:db8::1
```
This example contains the following:
- `example.io`: The domain GitLab Pages is served from.
-- `projects.example.io`: An additional subdomain for GitLab Pages default authentication flow.
#### DNS configuration for custom domains
@@ -306,8 +303,7 @@ Prerequisites:
- Your instance must use the Linux package installation method.
- You have configured DNS setup
[without a wildcard](#for-namespace-in-url-path-without-wildcard-dns).
-- You have a single TLS certificate that covers your domain (like `example.io`)
- and the `projects.*` version of your domain, like `projects.example.io`.
+- You have a TLS certificate that covers your domain (like `example.io`).
In this configuration, NGINX proxies all requests to the daemon. The GitLab Pages
daemon doesn't listen to the outside world:
@@ -337,17 +333,18 @@ daemon doesn't listen to the outside world:
pages_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/pages-nginx.key"
```
-1. [Reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation).
+1. If you're using [Pages Access Control](#access-control), update the redirect URI in the GitLab Pages
+ [System OAuth application](../../integration/oauth_provider.md#create-an-instance-wide-application)
+ to use the HTTPS protocol.
WARNING:
- GitLab Pages does not update the OAuth application if changes are made to the redirect URI.
+ GitLab Pages does not update the OAuth application, and
+ the default `auth_redirect_uri` is updated to `https://example.io/projects/auth`.
Before you reconfigure, remove the `gitlab_pages` section from `/etc/gitlab/gitlab-secrets.json`,
then run `gitlab-ctl reconfigure`. For more information, see
[GitLab Pages does not regenerate OAuth](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/3947).
-1. If you're using [Pages Access Control](#access-control), update the redirect URI in the GitLab Pages
- [System OAuth application](../../integration/oauth_provider.md#create-an-instance-wide-application)
- to use the HTTPS protocol.
+1. [Reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation).
NGINX uses the custom proxy header `X-Gitlab-Namespace-In-Path`
to send the namespace to the GitLab Pages daemon.
diff --git a/doc/administration/settings/git_http_rate_limits.md b/doc/administration/settings/git_http_rate_limits.md
new file mode 100644
index 00000000000..751e41eec9b
--- /dev/null
+++ b/doc/administration/settings/git_http_rate_limits.md
@@ -0,0 +1,41 @@
+---
+stage: Create
+group: Source Code
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# Rate limits on Git HTTP
+
+DETAILS:
+**Tier:** Free, Premium, Ultimate
+**Offering:** Self-managed, GitLab Dedicated
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147112) in GitLab 17.0.
+
+If you use Git HTTP in your repository,
+common Git operations can generate many Git HTTP requests.
+Some of these Git HTTP requests do not contain authentication parameter and
+are considered unauthenticated. You can enforce rate limits on Git HTTP requests.
+This can improve the security and durability of your web application.
+[General user and IP rate limits](../settings/user_and_ip_rate_limits.md) aren't applied
+to Git HTTP requests.
+
+## Configure Git HTTP rate limits
+
+Git HTTP rate limits are disabled by default. If enabled and configured, these limits
+are applied to Git HTTP requests.
+
+To configure Git HTTP rate limits:
+
+1. On the left sidebar, at the bottom, select **Admin Area**.
+1. Select **Settings > Network**.
+1. Expand **Git HTTP rate limits**.
+1. Select **Enable unauthenticated Git HTTP request rate limit**.
+1. Enter a value for **Max unauthenticated Git HTTP requests per period per user**.
+1. Enter a value for **Unauthenticated Git HTTP rate limit period in seconds**.
+1. Select **Save changes**.
+
+## Related topics
+
+- [Rate limiting](../../security/rate_limits.md)
+- [User and IP rate limits](../settings/user_and_ip_rate_limits.md)
diff --git a/doc/administration/settings/rate_limits.md b/doc/administration/settings/rate_limits.md
index 89e64344e0c..3bcd47ebdc3 100644
--- a/doc/administration/settings/rate_limits.md
+++ b/doc/administration/settings/rate_limits.md
@@ -9,6 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
You can change network settings to limit the rate of connections with your instance.
- [Deprecated API rate limits](deprecated_api_rate_limits.md)
+- [Git HTTP](git_http_rate_limits.md)
- [Git LFS](git_lfs_rate_limits.md)
- [Git SSH operations](rate_limits_on_git_ssh_operations.md)
- [Incident management](incident_management_rate_limits.md)
diff --git a/doc/api/dependencies.md b/doc/api/dependencies.md
index a1f7ee97200..4d0c12de47a 100644
--- a/doc/api/dependencies.md
+++ b/doc/api/dependencies.md
@@ -15,9 +15,6 @@ This API is in an [Experiment](../policy/experiment-beta-support.md#experiment)
The response payload may be subject to change or breakage
across GitLab releases.
-> - Introduced in GitLab 12.1.
-> - Pagination introduced in 14.4.
-
Every call to this endpoint requires authentication. To perform this call, user should be authorized to read repository.
To see vulnerabilities in response, user should be authorized to read
[Project Security Dashboard](../user/application_security/security_dashboard/index.md).
diff --git a/doc/api/job_artifacts.md b/doc/api/job_artifacts.md
index 10c923c0498..f75cba3008a 100644
--- a/doc/api/job_artifacts.md
+++ b/doc/api/job_artifacts.md
@@ -316,9 +316,6 @@ If the artifacts were deleted successfully, a response with status `204 No Conte
## Delete project artifacts
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/223793) in GitLab 14.7 [with a flag](../administration/feature_flags.md) named `bulk_expire_project_artifacts`. Enabled by default on GitLab self-managed. Enabled on GitLab.com.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/350609) in GitLab 14.10.
-
Delete artifacts eligible for deletion in a project. By default, artifacts from
[the most recent successful pipeline of each ref](../ci/jobs/job_artifacts.md#keep-artifacts-from-most-recent-successful-jobs)
are not deleted.
diff --git a/doc/api/project_level_variables.md b/doc/api/project_level_variables.md
index 5753381bf29..4d6ae96921f 100644
--- a/doc/api/project_level_variables.md
+++ b/doc/api/project_level_variables.md
@@ -184,9 +184,6 @@ curl --request DELETE --header "PRIVATE-TOKEN: " "https://git
## The `filter` parameter
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/34490) in GitLab 13.2.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/227052) in GitLab 13.4.
-
When multiple variables have the same `key`, [GET](#get-a-single-variable), [PUT](#update-a-variable),
or [DELETE](#delete-a-variable) requests might return:
diff --git a/doc/api/releases/index.md b/doc/api/releases/index.md
index b424ac8bef6..59e377e5961 100644
--- a/doc/api/releases/index.md
+++ b/doc/api/releases/index.md
@@ -416,7 +416,6 @@ GET /projects/:id/releases/:tag_name/downloads/:direct_asset_path
|----------------------------| -------------- | -------- | ----------------------------------------------------------------------------------- |
| `id` | integer/string | yes | The ID or [URL-encoded path of the project](../rest/index.md#namespaced-path-encoding). |
| `tag_name` | string | yes | The Git tag the release is associated with. |
-| `filepath` | string | yes | Deprecated: Use `direct_asset_path` instead. |
| `direct_asset_path` | string | yes | Path to the release asset file as specified when [creating](links.md#create-a-release-link) or [updating](links.md#update-a-release-link) its link. |
Example request:
@@ -476,7 +475,6 @@ POST /projects/:id/releases
| `assets:links` | array of hash | no | An array of assets links. |
| `assets:links:name`| string | required by: `assets:links` | The name of the link. Link names must be unique within the release. |
| `assets:links:url` | string | required by: `assets:links` | The URL of the link. Link URLs must be unique within the release. |
-| `assets:links:filepath` | string | no | Deprecated: Use `direct_asset_path` instead. |
| `assets:links:direct_asset_path` | string | no | Optional path for a [direct asset link](../../user/project/releases/release_fields.md#permanent-links-to-release-assets). |
| `assets:links:link_type` | string | no | The type of the link: `other`, `runbook`, `image`, `package`. Defaults to `other`. |
| `released_at` | datetime | no | Date and time for the release. Defaults to the current time. Expected in ISO 8601 format (`2019-03-15T08:00:00Z`). Only provide this field if creating an [upcoming](../../user/project/releases/index.md#upcoming-releases) or [historical](../../user/project/releases/index.md#historical-releases) release. |
diff --git a/doc/api/releases/links.md b/doc/api/releases/links.md
index 3967730f25a..9fec47cfb5d 100644
--- a/doc/api/releases/links.md
+++ b/doc/api/releases/links.md
@@ -100,7 +100,6 @@ POST /projects/:id/releases/:tag_name/assets/links
| `tag_name` | string | yes | The tag associated with the Release. |
| `name` | string | yes | The name of the link. Link names must be unique in the release. |
| `url` | string | yes | The URL of the link. Link URLs must be unique in the release. |
-| `filepath` | string | no | Deprecated: Use `direct_asset_path` instead. |
| `direct_asset_path` | string | no | Optional path for a [direct asset link](../../user/project/releases/release_fields.md#permanent-links-to-release-assets). |
| `link_type` | string | no | The type of the link: `other`, `runbook`, `image`, `package`. Defaults to `other`. |
@@ -142,7 +141,6 @@ PUT /projects/:id/releases/:tag_name/assets/links/:link_id
| `link_id` | integer | yes | The ID of the link. |
| `name` | string | no | The name of the link. |
| `url` | string | no | The URL of the link. |
-| `filepath` | string | no | Deprecated: Use `direct_asset_path` instead. |
| `direct_asset_path` | string | no | Optional path for a [direct asset link](../../user/project/releases/release_fields.md#permanent-links-to-release-assets). |
| `link_type` | string | no | The type of the link: `other`, `runbook`, `image`, `package`. Defaults to `other`. |
diff --git a/doc/api/secure_files.md b/doc/api/secure_files.md
index caa3253afcd..091be69088e 100644
--- a/doc/api/secure_files.md
+++ b/doc/api/secure_files.md
@@ -10,7 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78227) in GitLab 14.8 [with a flag](../administration/feature_flags.md) named `ci_secure_files`. Disabled by default.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/350748) in GitLab 15.7. Feature flag `ci_secure_files` removed.
This feature is part of [Mobile DevOps](../ci/mobile_devops.md) developed by [GitLab Incubation Engineering](https://handbook.gitlab.com/handbook/engineering/development/incubation/).
diff --git a/doc/ci/cloud_services/index.md b/doc/ci/cloud_services/index.md
index 85afd7e488e..eb02b3d1978 100644
--- a/doc/ci/cloud_services/index.md
+++ b/doc/ci/cloud_services/index.md
@@ -10,8 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - `CI_JOB_JWT` variable for reading secrets from Vault [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/207125) in GitLab 12.10.
-> - `CI_JOB_JWT_V2` variable to support additional OIDC providers [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/346737) in GitLab 14.7.
> - [ID tokens](../yaml/index.md#id_tokens) to support any OIDC provider, including HashiCorp Vault, [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/356986) in GitLab 15.7.
WARNING:
@@ -24,8 +22,7 @@ Historically, teams stored secrets in projects or applied permissions on the Git
instance to build and deploy. OIDC capable [ID tokens](../yaml/index.md#id_tokens) are configurable
in the CI/CD job allowing you to follow a scalable and least-privilege security approach.
-In GitLab 15.6 and earlier, you must use `CI_JOB_JWT_V2` instead of an ID token,
-but it is not customizable. In GitLab 14.6 an earlier you must use the `CI_JOB_JWT`, which has limited support.
+In GitLab 15.6 and earlier, you must use `CI_JOB_JWT_V2` instead of an ID token, but it is not customizable.
## Prerequisites
diff --git a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
index a4ffff7c6e5..f051b9795cf 100644
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -58,9 +58,9 @@ The following fields are included in the JWT:
| `ref_type` | Always | Git ref type, either `branch` or `tag` |
| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
| `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise |
-| `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
+| `environment` | Job specifies an environment | Environment this job specifies |
| `groups_direct` | User is a direct member of 0 to 200 groups | The paths of the user's direct membership groups. Omitted if the user is a direct member of more than 200 groups. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/435848) in GitLab 16.11). |
-| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
+| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise |
| `deployment_tier` | Job specifies an environment | [Deployment tier](../../environments/index.md#deployment-tier-of-environments) of environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2) |
| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) |
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md
index 46846bac132..7dea2a5e529 100644
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -187,10 +187,6 @@ proposes to change this behavior.
## Limit your project's job token access (deprecated)
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1. [Deployed behind the `:ci_scoped_job_token` feature flag](../../user/feature_flags.md), disabled by default.
-> - [Enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/332272) in GitLab 14.4.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/332272) in GitLab 14.6.
-
NOTE:
The [**Limit access _from_ this project**](#configure-the-job-token-scope-deprecated)
setting is disabled by default for all new projects and is [scheduled for removal](https://gitlab.com/gitlab-org/gitlab/-/issues/383084)
diff --git a/doc/ci/jobs/job_artifacts.md b/doc/ci/jobs/job_artifacts.md
index 537892bba30..f7c10d3567e 100644
--- a/doc/ci/jobs/job_artifacts.md
+++ b/doc/ci/jobs/job_artifacts.md
@@ -194,7 +194,6 @@ job:
## View all job artifacts in a project
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/31271) in GitLab 12.4 [with a flag](../../administration/feature_flags.md) named `artifacts_management_page`. Disabled by default.
> - [Improved look](https://gitlab.com/gitlab-org/gitlab/-/issues/33418) in GitLab 15.6.
> - [Improved performance](https://gitlab.com/gitlab-org/gitlab/-/issues/387765) in GitLab 15.9.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/407475) in GitLab 16.0. Feature flag `artifacts_management_page` removed.
@@ -362,9 +361,6 @@ With this configuration, GitLab adds **artifact 1** as a link to `file.txt` to t
## Keep artifacts from most recent successful jobs
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/16267) in GitLab 13.0.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/229936) in GitLab 13.4.
-> - [Made optional with a CI/CD setting](https://gitlab.com/gitlab-org/gitlab/-/issues/241026) in GitLab 13.8.
> - Artifacts for [blocked](https://gitlab.com/gitlab-org/gitlab/-/issues/387087) or [failed](https://gitlab.com/gitlab-org/gitlab/-/issues/266958) pipelines no longer kept indefinitely in GitLab 16.7.
By default artifacts are always kept for successful pipelines for the most recent commit on each ref.
diff --git a/doc/ci/secrets/id_token_authentication.md b/doc/ci/secrets/id_token_authentication.md
index 1e5fd29c8ec..09f92d933a8 100644
--- a/doc/ci/secrets/id_token_authentication.md
+++ b/doc/ci/secrets/id_token_authentication.md
@@ -73,8 +73,8 @@ The token also includes custom claims provided by GitLab:
| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
| `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. |
| `groups_direct` | User is a direct member of 0 to 200 groups | The paths of the user's direct membership groups. Omitted if the user is a direct member of more than 200 groups. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/435848) in GitLab 16.11). |
-| `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
-| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
+| `environment` | Job specifies an environment | Environment this job deploys to. |
+| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise. |
| `deployment_tier` | Job specifies an environment | [Deployment tier](../environments/index.md#deployment-tier-of-environments) of the environment the job specifies. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2. |
| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) |
| `runner_id` | Always | ID of the runner executing the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. |
diff --git a/doc/ci/secrets/index.md b/doc/ci/secrets/index.md
index 3f35c7238d7..6342e35b1fb 100644
--- a/doc/ci/secrets/index.md
+++ b/doc/ci/secrets/index.md
@@ -10,10 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/218746) in GitLab 13.4 and GitLab Runner 13.4.
-> - `file` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250695) in GitLab 14.1 and GitLab Runner 14.1.
-> - `VAULT_NAMESPACE` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/255619) in GitLab 14.9 and GitLab Runner 14.9.
-
Secrets represent sensitive information your CI job needs to complete work. This
sensitive information can be items like API tokens, database credentials, or private keys.
Secrets are sourced from your secrets provider.
@@ -125,8 +121,6 @@ DETAILS:
**Tier:** Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/28321) in GitLab 13.4 and GitLab Runner 13.4.
-
After [configuring your Vault server](#configure-your-vault-server), you can use
the secrets stored in Vault by defining them with the [`vault` keyword](../yaml/index.md#secretsvault):
diff --git a/doc/ci/secure_files/index.md b/doc/ci/secure_files/index.md
index 833f5b5037f..763ea4570bf 100644
--- a/doc/ci/secure_files/index.md
+++ b/doc/ci/secure_files/index.md
@@ -10,7 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78227) in GitLab 14.8 [with a flag](../../administration/feature_flags.md) named `ci_secure_files`. Disabled by default.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/350748) in GitLab 15.7. Feature flag `ci_secure_files` removed.
This feature is part of [Mobile DevOps](../mobile_devops.md) developed by [GitLab Incubation Engineering](https://handbook.gitlab.com/handbook/engineering/development/incubation/).
diff --git a/doc/ci/variables/index.md b/doc/ci/variables/index.md
index 619934dc469..1e49880248f 100644
--- a/doc/ci/variables/index.md
+++ b/doc/ci/variables/index.md
@@ -201,9 +201,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/14108) in GitLab 13.0.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/299879) in GitLab 13.11.
-
You can make a CI/CD variable available to all projects and groups in a GitLab instance.
Prerequisites:
@@ -216,9 +213,8 @@ To add an instance variable:
1. Select **Settings > CI/CD** and expand the **Variables** section.
1. Select **Add variable** and fill in the details:
- **Key**: Must be one line, with no spaces, using only letters, numbers, or `_`.
- - **Value**: In [GitLab 13.3 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/220028),
- the value is limited to 10,000 characters, but also bounded by any limits in the
- runner's operating system. In GitLab 13.0 to 13.2, the value is limited to 700 characters.
+ - **Value**: The value is limited to 10,000 characters, but also bounded by any limits in the
+ runner's operating system.
- **Type**: `Variable` (default) or [`File`](#use-file-type-cicd-variables).
- **Protect variable** Optional. If selected, the variable is only available
in pipelines that run on protected branches or tags.
@@ -267,8 +263,6 @@ valid [secrets file](../../administration/backup_restore/troubleshooting_backup_
### Mask a CI/CD variable
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/330650) in GitLab 13.12, the `~` character can be used in masked variables.
-
WARNING:
Masking a CI/CD variable is not a guaranteed way to prevent malicious users from
accessing variable values. The masking feature is "best-effort" and there to
@@ -473,9 +467,6 @@ variables:
### Pass an environment variable to another job
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22638) in GitLab 13.0.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/217834) in GitLab 13.1.
-
You can create a new environment variables in a job, and pass it to another job
in a later stage. These variables cannot be used as CI/CD variables to configure a pipeline,
but they can be used in job scripts.
@@ -712,8 +703,6 @@ can cause the pipeline to behave unexpectedly.
### Restrict who can override variables
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/295234) in GitLab 13.8.
-
You can limit the ability to override variables to only users with the Maintainer role.
When other users try to run a pipeline with overridden variables, they receive the
`Insufficient permissions to set pipeline variables` error message.
@@ -951,9 +940,6 @@ if [[ -d "/builds/gitlab-examples/ci-debug-trace/.git" ]]; then
#### Restrict access to debug logging
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213159) in GitLab 13.7.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/292661) in GitLab 13.8.
-
You can restrict access to debug logging. When restricted, only users with
at least the Developer role
can view job logs when debug logging is enabled with a variable in:
diff --git a/doc/ci/variables/predefined_variables.md b/doc/ci/variables/predefined_variables.md
index f37c7897957..e282c7630e9 100644
--- a/doc/ci/variables/predefined_variables.md
+++ b/doc/ci/variables/predefined_variables.md
@@ -125,7 +125,7 @@ as it can cause the pipeline to behave unexpectedly.
| `CI_RUNNER_EXECUTABLE_ARCH` | Jobs only | all | 10.6 | The OS/architecture of the GitLab Runner executable. Might not be the same as the environment of the executor. |
| `CI_RUNNER_ID` | Jobs only | 8.10 | 0.5 | The unique ID of the runner being used. |
| `CI_RUNNER_REVISION` | Jobs only | all | 10.6 | The revision of the runner running the job. |
-| `CI_RUNNER_SHORT_TOKEN` | Jobs only | all | 12.3 | The runner's unique ID, used to authenticate new job requests. In [GitLab 14.9](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2251) and later, the token contains a prefix, and the first 17 characters are used. Prior to 14.9, the first eight characters are used. |
+| `CI_RUNNER_SHORT_TOKEN` | Jobs only | all | 12.3 | The runner's unique ID, used to authenticate new job requests. The token contains a prefix, and the first 17 characters are used. |
| `CI_RUNNER_TAGS` | Jobs only | 8.10 | 0.5 | A comma-separated list of the runner tags. |
| `CI_RUNNER_VERSION` | Jobs only | all | 10.6 | The version of the GitLab Runner running the job. |
| `CI_SERVER_FQDN` | Pipeline | 16.10 | all | The fully qualified domain name (FQDN) of the instance. For example `gitlab.example.com:8080`. |
diff --git a/doc/ci/variables/where_variables_can_be_used.md b/doc/ci/variables/where_variables_can_be_used.md
index 7389d438ee5..e315def8857 100644
--- a/doc/ci/variables/where_variables_can_be_used.md
+++ b/doc/ci/variables/where_variables_can_be_used.md
@@ -50,7 +50,7 @@ There are two places defined variables can be used. On the:
| [`script`](../yaml/index.md#script) | yes | Script execution shell | The variable expansion is made by the [execution shell environment](#execution-shell-environment). |
| [`services:name`](../yaml/index.md#services) | yes | Runner | The variable expansion is made by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism). |
| [`services`](../yaml/index.md#services) | yes | Runner | The variable expansion is made by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism). |
-| [`tags`](../yaml/index.md#tags) | yes | GitLab | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35742) in GitLab 14.1. |
+| [`tags`](../yaml/index.md#tags) | yes | GitLab | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab. |
| [`trigger` and `trigger:project`](../yaml/index.md#trigger) | yes | GitLab | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab. Variable expansion for `trigger:project` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/367660) in GitLab 15.3. |
| [`variables`](../yaml/index.md#variables) | yes | GitLab/Runner | The variable expansion is first made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab, and then any unrecognized or unavailable variables are expanded by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism). |
| [`workflow:name`](../yaml/index.md#workflowname) | yes | GitLab | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab.
Supported are all variables available in `workflow`:
- Project/Group variables.
- Global `variables` and `workflow:rules:variables` (when matching the rule).
- Variables inherited from parent pipelines.
- Variables from triggers.
- Variables from pipeline schedules.
Not supported are variables defined in the GitLab Runner `config.toml`, variables defined in jobs, or [Persisted variables](#persisted-variables). |
@@ -81,11 +81,6 @@ because the expansion is done in GitLab before any runner gets the job.
#### Nested variable expansion
-- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/48627) in GitLab 13.10. [Deployed behind the `variable_inside_variable` feature flag](../../user/feature_flags.md), disabled by default.
-- [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/297382) in GitLab 14.3.
-- [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/297382) in GitLab 14.4.
-- Feature flag `variable_inside_variable` removed in GitLab 14.5.
-
GitLab expands job variable values recursively before sending them to the runner. For example, in the following scenario:
```yaml
diff --git a/doc/drawers/exact_code_search_syntax.md b/doc/drawers/exact_code_search_syntax.md
index ce4a97f9f87..ff425080ee2 100644
--- a/doc/drawers/exact_code_search_syntax.md
+++ b/doc/drawers/exact_code_search_syntax.md
@@ -7,17 +7,18 @@ source: /doc/user/search/exact_code_search.md
# Search tips
-| Query | Description |
-| -------------------- |-------------------------------------------------------------------------------------- |
-| `foo` | Returns files that contain `foo` |
-| `"class foo"` | Returns files that contain the exact string `class foo` |
-| `class foo` | Returns files that contain both `class` and `foo` |
-| `foo or bar` | Returns files that contain either `foo` or `bar` |
-| `class Foo` | Returns files that contain `class` (case insensitive) and `Foo` (case sensitive) |
-| `class Foo case:yes` | Returns files that contain `class` and `Foo` (both case sensitive) |
-| `foo -bar` | Returns files that contain `foo` but not `bar` |
-| `foo file:js` | Searches for `foo` in files with names that contain `js` |
-| `foo -file:test` | Searches for `foo` in files with names that do not contain `test` |
-| `foo lang:ruby` | Searches for `foo` in Ruby source code |
-| `foo f:\.js$` | Searches for `foo` in files with names that end with `.js` |
-| `foo.*bar` | Searches for strings that match the regular expression `foo.*bar` |
+| Query | Regular expression mode | Exact match mode |
+| -------------------- | ----------------------------------------------------- | ------------------------------ |
+| `"foo"` | `foo` | `"foo"` |
+| `foo file:^doc/` | `foo` in directories that start with `/doc` | `foo` in directories that start with `/doc` |
+| `"class foo"` | `class foo` | `"class foo"` |
+| `class foo` | `class` and `foo` | `class foo` |
+| `foo or bar` | `foo` or `bar` | `foo or bar` |
+| `class Foo` | `class` (case insensitive) and `Foo` (case sensitive) | `class Foo` (case insensitive) |
+| `class Foo case:yes` | `class` and `Foo` (both case sensitive) | `class Foo` (case sensitive) |
+| `foo -bar` | `foo` but not `bar` | `foo -bar` |
+| `foo file:js` | `foo` in files with names that contain `js` | `foo` in files with names that contain `js` |
+| `foo -file:test` | `foo` in files with names that do not contain `test` | `foo` in files with names that do not contain `test` |
+| `foo lang:ruby` | `foo` in Ruby source code | `foo` in Ruby source code |
+| `foo file:\.js$` | `foo` in files with names that end with `.js` | `foo` in files with names that end with `.js` |
+| `foo.*bar` | `foo.*bar` (regular expression) | None |
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index b0626a1147e..7afe9e30511 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -325,6 +325,24 @@ This change is a breaking change. You should [create a runner in the UI](https:/
+### Runner `active` GraphQL fields replaced by `paused`
+
+
+- Announced in GitLab 14.8
+- Removal in GitLab 18.0 ([breaking change](https://docs.gitlab.com/ee/update/terminology.html#breaking-change))
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/351109).
+
+
+Occurrences of the `active` identifier in the GitLab GraphQL API endpoints will be renamed to `paused` in GitLab 18.0:
+
+- The `CiRunner` property.
+- The `RunnerUpdateInput` input type for the `runnerUpdate` mutation.
+- The `runners`, `Group.runners`, and `Project.runners` queries.
+
+
+
+
+
### Running a single database is deprecated
diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index 0304f7ba37c..358e34c8b89 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -200,8 +200,6 @@ Authenticating to a remote registry is not supported when [FIPS mode](../../../d
#### Dependency list
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345434) in GitLab 14.6.
-
The `CS_DISABLE_DEPENDENCY_LIST` CI/CD variable controls whether the scan creates a
[Dependency List](../dependency_list/index.md)
report. This variable is currently only supported when the `trivy` analyzer is used. The variable's default setting of `"false"` causes the scan to create the report. To disable
@@ -220,8 +218,6 @@ container_scanning:
#### Report language-specific findings
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/7277) in GitLab 14.6.
-
The `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` CI/CD variable controls whether the scan reports
findings related to programming languages. The languages supported depend on the
[scanner used](#change-scanners):
@@ -267,15 +263,15 @@ including a large number of false positives.
| `CI_APPLICATION_REPOSITORY` | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` | Docker repository URL for the image to be scanned. | All |
| `CI_APPLICATION_TAG` | `$CI_COMMIT_SHA` | Docker repository tag for the image to be scanned. | All |
| `CS_ANALYZER_IMAGE` | `registry.gitlab.com/security-products/container-scanning:7` | Docker image of the analyzer. | All |
-| `CS_DEFAULT_BRANCH_IMAGE` | `""` | The name of the `CS_IMAGE` on the default branch. See [Setting the default branch image](#setting-the-default-branch-image) for more details. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338877) in GitLab 14.5. | All |
-| `CS_DISABLE_DEPENDENCY_LIST` | `"false"` | Disable Dependency Scanning for packages installed in the scanned image. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345434) in GitLab 14.6. | All |
-| `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` | `"true"` | Disable scanning for language-specific packages installed in the scanned image. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345434) in GitLab 14.6. | All |
+| `CS_DEFAULT_BRANCH_IMAGE` | `""` | The name of the `CS_IMAGE` on the default branch. See [Setting the default branch image](#setting-the-default-branch-image) for more details. | All |
+| `CS_DISABLE_DEPENDENCY_LIST` | `"false"` | Disable Dependency Scanning for packages installed in the scanned image. | All |
+| `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` | `"true"` | Disable scanning for language-specific packages installed in the scanned image. | All |
| `CS_DOCKER_INSECURE` | `"false"` | Allow access to secure Docker registries using HTTPS without validating the certificates. | All |
| `CS_DOCKERFILE_PATH` | `Dockerfile` | The path to the `Dockerfile` to use for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project. You should configure this variable only if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. | All |
| `CS_IGNORE_STATUSES`1 | `""` | Force the analyzer to ignore vulnerability findings with specified statuses in a comma-delimited list. For `trivy`, the following values are allowed: `unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life`. For `grype`, the following values are allowed: `fixed,not-fixed,unknown,wont-fix` | All |
| `CS_IGNORE_UNFIXED` | `"false"` | Ignore vulnerabilities that are not fixed. | All |
| `CS_IMAGE` | `$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG` | The Docker image to be scanned. If set, this variable overrides the `$CI_APPLICATION_REPOSITORY` and `$CI_APPLICATION_TAG` variables. | All |
-| `CS_IMAGE_SUFFIX` | `""` | Suffix added to `CS_ANALYZER_IMAGE`. If set to `-fips`, `FIPS-enabled` image is used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/7630) in GitLab 14.10. | All |
+| `CS_IMAGE_SUFFIX` | `""` | Suffix added to `CS_ANALYZER_IMAGE`. If set to `-fips`, `FIPS-enabled` image is used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. | All |
| `CS_QUIET` | `""` | If set, this variable disables output of the [vulnerabilities table](#container-scanning-job-log-format) in the job log. [Introduced](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/merge_requests/50) in GitLab 15.1. | All |
| `CS_REGISTRY_INSECURE` | `"false"` | Allow access to insecure registries (HTTP only). Should only be set to `true` when testing the image locally. Works with all scanners, but the registry must listen on port `80/tcp` for Trivy to work. | All |
| `CS_REGISTRY_PASSWORD` | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when [FIPS mode](../../../development/fips_compliance.md#enable-fips-mode) is enabled. | All |
@@ -316,8 +312,6 @@ Support depends on which scanner is used:
#### FIPS-enabled images
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5775) in GitLab 14.1.
-
GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
versions of the container-scanning images. You can therefore replace standard images with FIPS-enabled
images. To configure the images, set the `CS_IMAGE_SUFFIX` to `-fips` or modify the `CS_ANALYZER_IMAGE` variable to the
@@ -330,10 +324,8 @@ standard tag plus the `-fips` extension.
| Trivy | `registry.gitlab.com/security-products/container-scanning/trivy:7-fips` |
NOTE:
-Prior to GitLab 15.0, the `-ubi` image extension is also available. GitLab 15.0 and later only
-support `-fips`.
-Starting with GitLab 14.10, `-fips` is automatically added to `CS_ANALYZER_IMAGE` when FIPS mode is
+The `-fips` flag is automatically added to `CS_ANALYZER_IMAGE` when FIPS mode is
enabled in the GitLab instance.
Container scanning of images in authenticated registries is not supported when [FIPS mode](../../../development/fips_compliance.md#enable-fips-mode)
@@ -342,8 +334,6 @@ the analyzer exits with an error and does not perform the scan.
### Enable Container Scanning through an automatic merge request
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6334) in GitLab 14.9.
-
To enable Container Scanning in a project, create a merge request from the Security Configuration
page:
@@ -393,8 +383,6 @@ Do not use the `:latest` tag when selecting the scanner image.
### Setting the default branch image
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338877) in GitLab 14.5.
-
By default, container scanning assumes that the image naming convention stores any branch-specific
identifiers in the image tag rather than the image name. When the image name differs between the
default branch and the non-default branch, previously-detected vulnerabilities show up as newly
diff --git a/doc/user/application_security/dependency_list/index.md b/doc/user/application_security/dependency_list/index.md
index 3a49690e520..c79d6513f87 100644
--- a/doc/user/application_security/dependency_list/index.md
+++ b/doc/user/application_security/dependency_list/index.md
@@ -10,7 +10,6 @@ DETAILS:
**Tier:** Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - System dependencies [introduced](https://gitlab.com/groups/gitlab-org/-/epics/6698) in GitLab 14.6.
> - Group-level dependency list [introduced](https://gitlab.com/groups/gitlab-org/-/epics/8090) in GitLab 16.2 [with a flag](../../../administration/feature_flags.md) named `group_level_dependencies`. Disabled by default.
> - Group-level dependency list [enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/411257) in GitLab 16.4.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/132015) in GitLab 16.5. Feature flag `group_level_dependencies` removed.
diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md
index 7cc1264f27b..76ec49ca2d5 100644
--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -670,7 +670,7 @@ The following analyzers are executed, each of which have different behavior when
Does not support multiple lockfiles. When multiple lockfiles exist, `Retire.js`
analyzes the first lockfile discovered while traversing the directory tree in alphabetical order.
-From GitLab 14.8 the `gemnasium` analyzer scans supported JavaScript projects for vendored libraries
+The `gemnasium` analyzer scans supports JavaScript projects for vendored libraries
(that is, those checked into the project but not managed by the package manager).
#### Go
@@ -748,9 +748,6 @@ Pipelines now include a dependency scanning job.
#### Use a preconfigured merge request
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4908) in GitLab 14.1 [with a flag](../../../administration/feature_flags.md) named `sec_dependency_scanning_ui_enable`. Enabled by default.
-> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/326005) in GitLab 14.2. Feature flag `sec_dependency_scanning_ui_enable` removed.
-
This method automatically prepares a merge request that includes the dependency scanning template
in the `.gitlab-ci.yml` file. You then merge the merge request to enable dependency scanning.
@@ -837,7 +834,7 @@ The following variables configure the behavior of specific dependency scanning a
| `GEMNASIUM_DB_REF_NAME` | `gemnasium` | `master` | Branch name for remote repository database. `GEMNASIUM_DB_REMOTE_URL` is required. |
| `DS_REMEDIATE` | `gemnasium` | `"true"`, `"false"` in FIPS mode | Enable automatic remediation of vulnerable dependencies. Not supported in FIPS mode. |
| `DS_REMEDIATE_TIMEOUT` | `gemnasium` | `5m` | Timeout for auto-remediation. |
-| `GEMNASIUM_LIBRARY_SCAN_ENABLED` | `gemnasium` | `"true"` | Enable detecting vulnerabilities in vendored JavaScript libraries (libraries which are not managed by a package manager). This functionality requires a JavaScript lockfile to be present in a commit, otherwise Dependency Scanning is not executed and vendored files are not scanned.
Dependency scanning uses the [Retire.js](https://github.com/RetireJS/retire.js) scanner to detect a limited set of vulnerabilities. For details of which vulnerabilities are detected, see the [Retire.js repository](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350512) in GitLab 14.8. |
+| `GEMNASIUM_LIBRARY_SCAN_ENABLED` | `gemnasium` | `"true"` | Enable detecting vulnerabilities in vendored JavaScript libraries (libraries which are not managed by a package manager). This functionality requires a JavaScript lockfile to be present in a commit, otherwise Dependency Scanning is not executed and vendored files are not scanned.
Dependency scanning uses the [Retire.js](https://github.com/RetireJS/retire.js) scanner to detect a limited set of vulnerabilities. For details of which vulnerabilities are detected, see the [Retire.js repository](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json). |
| `DS_INCLUDE_DEV_DEPENDENCIES` | `gemnasium` | `"true"` | When set to `"false"`, development dependencies and their vulnerabilities are not reported. Only projects using Composer, npm, pnpm, Pipenv or Poetry are supported. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/227861) in GitLab 15.1. |
| `GOOS` | `gemnasium` | `"linux"` | The operating system for which to compile Go code. |
| `GOARCH` | `gemnasium` | `"amd64"` | The architecture of the processor for which to compile Go code. |
@@ -925,7 +922,6 @@ Read more on [how to use private Maven repositories](../index.md#using-private-m
### FIPS-enabled images
-> - Introduced in GitLab 14.10. GitLab team members can view more information in this confidential issue: `https://gitlab.com/gitlab-org/gitlab/-/issues/354796`
> - Introduced in GitLab 15.0 - Gemnasium uses FIPS-enabled images when FIPS mode is enabled.
GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
@@ -956,7 +952,6 @@ For more details of the dependency scanning report, see:
### CycloneDX Software Bill of Materials
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350509) in GitLab 14.8 in [Beta](../../../policy/experiment-beta-support.md#beta).
> - Generally available in GitLab 15.7.
Dependency Scanning outputs a [CycloneDX](https://cyclonedx.org/) Software Bill of Materials (SBOM)
diff --git a/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md b/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md
index 924e7732f01..b677cb6d259 100644
--- a/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md
+++ b/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md
@@ -99,10 +99,7 @@ gemnasium-maven-dependency_scanning:
## Dependency Scanning job fails with message `strconv.ParseUint: parsing "0.0": invalid syntax`
-Invoking Docker-in-Docker is the likely cause of this error. Docker-in-Docker is:
-
-- Disabled by default in GitLab 13.0 and later.
-- Unsupported from GitLab 13.4 and later.
+Docker-in-Docker is unsupported, and attempting to invoke it is the likely cause of this error.
To fix this error, disable Docker-in-Docker for dependency scanning. Individual
`-dependency_scanning` jobs are created for each analyzer that runs in your CI/CD
diff --git a/doc/user/clusters/agent/vulnerabilities.md b/doc/user/clusters/agent/vulnerabilities.md
index 6dea65d197a..5b3b716565d 100644
--- a/doc/user/clusters/agent/vulnerabilities.md
+++ b/doc/user/clusters/agent/vulnerabilities.md
@@ -10,7 +10,6 @@ DETAILS:
**Tier:** Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6346) in GitLab 14.8.
> - [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/368828) the starboard directive in GitLab 15.4. The starboard directive is scheduled for removal in GitLab 16.0.
## Supported architectures
diff --git a/doc/user/gitlab_duo_chat.md b/doc/user/gitlab_duo_chat.md
index 634a30ef249..bc548f97357 100644
--- a/doc/user/gitlab_duo_chat.md
+++ b/doc/user/gitlab_duo_chat.md
@@ -83,6 +83,10 @@ You can ask about a specific GitLab issue. For example:
NOTE:
If the issue contains a large amount of text (more than 40,000 words), GitLab Duo Chat might not be able to consider every word. The AI model has a limit to the amount of input it can process at one time.
+
+For tips on how GitLab Duo Chat can improve your productivity with issues and epics, see [Boost your productivity with GitLab Duo Chat](https://youtu.be/RJezT5_V6dI).
+
+
### Ask about a specific epic
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/128487) for SaaS in GitLab 16.3.
diff --git a/doc/user/search/exact_code_search.md b/doc/user/search/exact_code_search.md
index 18bf2a00526..c916944bd61 100644
--- a/doc/user/search/exact_code_search.md
+++ b/doc/user/search/exact_code_search.md
@@ -60,22 +60,37 @@ Use this feature to search code across the entire GitLab instance.
Global code search does not perform well on large GitLab instances.
If you enable this feature for instances with more than 20,000 projects, your search might time out.
-## Syntax
+## Search modes
-This table shows some example queries for exact code search.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/434417) in GitLab 16.8 [with a flag](../../administration/feature_flags.md) named `zoekt_exact_search`. Disabled by default.
-| Query | Description |
-|----------------------|-----------------------------------------------------------------------------------|
-| `foo` | Returns files that contain `foo`. |
-| `foo file:^doc/` | Returns files that contain `foo` in directories that start with `doc/`. |
-| `"class foo"` | Returns files that contain the exact string `class foo`. |
-| `class foo` | Returns files that contain both `class` and `foo`. |
-| `foo or bar` | Returns files that contain either `foo` or `bar`. |
-| `class Foo` | Returns files that contain `class` (case insensitive) and `Foo` (case sensitive). |
-| `class Foo case:yes` | Returns files that contain `class` and `Foo` (both case sensitive). |
-| `foo -bar` | Returns files that contain `foo` but not `bar`. |
-| `foo file:js` | Searches for `foo` in files with names that contain `js`. |
-| `foo -file:test` | Searches for `foo` in files with names that do not contain `test`. |
-| `foo lang:ruby` | Searches for `foo` in Ruby source code. |
-| `foo file:\.js$` | Searches for `foo` in files with names that end with `.js`. |
-| `foo.*bar` | Searches for strings that match the regular expression `foo.*bar`. |
+FLAG:
+The availability of this feature is controlled by a feature flag.
+For more information, see the history.
+
+When you enable `zoekt_exact_search`, you can switch between two search modes:
+
+- **Regular expression mode:** supports regular and boolean expressions.
+- **Exact match mode:** returns results that exactly match the query.
+
+When `zoekt_exact_search` is disabled, the regular expression mode is used by default.
+
+### Syntax
+
+This table shows some example queries for regular expression and exact match modes.
+
+| Query | Regular expression mode | Exact match mode |
+| -------------------- | ----------------------------------------------------- | ------------------------------ |
+| `"foo"` | `foo` | `"foo"` |
+| `foo file:^doc/` | `foo` in directories that start with `/doc` | `foo` in directories that start with `/doc` |
+| `"class foo"` | `class foo` | `"class foo"` |
+| `class foo` | `class` and `foo` | `class foo` |
+| `foo or bar` | `foo` or `bar` | `foo or bar` |
+| `class Foo` | `class` (case insensitive) and `Foo` (case sensitive) | `class Foo` (case insensitive) |
+| `class Foo case:yes` | `class` and `Foo` (both case sensitive) | `class Foo` (case sensitive) |
+| `foo -bar` | `foo` but not `bar` | `foo -bar` |
+| `foo file:js` | `foo` in files with names that contain `js` | `foo` in files with names that contain `js` |
+| `foo -file:test` | `foo` in files with names that do not contain `test` | `foo` in files with names that do not contain `test` |
+| `foo lang:ruby` | `foo` in Ruby source code | `foo` in Ruby source code |
+| `foo file:\.js$` | `foo` in files with names that end with `.js` | `foo` in files with names that end with `.js` |
+| `foo.*bar` | `foo.*bar` (regular expression) | None |
diff --git a/glfm_specification/output_example_snapshots/html.yml b/glfm_specification/output_example_snapshots/html.yml
index 4c5579bcc01..de2d0742610 100644
--- a/glfm_specification/output_example_snapshots/html.yml
+++ b/glfm_specification/output_example_snapshots/html.yml
@@ -136,7 +136,7 @@
Foo
static: |-
- Foo
+ Foo
wysiwyg: |-
Foo
02_01_00__preliminaries__tabs__011:
@@ -328,7 +328,7 @@
bar
static: |-
- Foo
+ Foo
bar
wysiwyg: |-
Foo
@@ -381,17 +381,17 @@
foo
static: |-
- foo
+ foo
- foo
+ foo
- foo
+ foo
- foo
+ foo
- foo
+ foo
- foo
+ foo
wysiwyg: |-
foo
foo
@@ -428,7 +428,7 @@
foo bar *baz*
static: |-
- foo bar *baz*
+ foo bar *baz*
wysiwyg: |-
foo bar *baz*
04_02_00__leaf_blocks__atx_headings__006:
@@ -436,7 +436,7 @@
foo
static: |-
- foo
+ foo
wysiwyg: |-
foo
04_02_00__leaf_blocks__atx_headings__007:
@@ -446,11 +446,11 @@
foo
static: |-
- foo
+ foo
- foo
+ foo
- foo
+ foo
wysiwyg: |-
foo
foo
@@ -482,9 +482,9 @@
bar
static: |-
- foo
+ foo
- bar
+ bar
wysiwyg: |-
foo
bar
@@ -494,9 +494,9 @@
foo
static: |-
- foo
+ foo
- foo
+ foo
wysiwyg: |-
foo
foo
@@ -505,7 +505,7 @@
foo
static: |-
- foo
+ foo
wysiwyg: |-
foo
04_02_00__leaf_blocks__atx_headings__013:
@@ -513,7 +513,7 @@
foo ### b
static: |-
- foo ### b
+ foo ### b
wysiwyg: |-
foo ### b
04_02_00__leaf_blocks__atx_headings__014:
@@ -521,7 +521,7 @@
foo#
static: |-
- foo#
+ foo#
wysiwyg: |-
foo#
04_02_00__leaf_blocks__atx_headings__015:
@@ -531,11 +531,11 @@
foo #
static: |-
- foo ###
+ foo ###
- foo ###
+ foo ###
- foo #
+ foo #
wysiwyg: |-
foo ###
@@ -549,7 +549,7 @@
static: |-
- foo
+ foo
wysiwyg: |-
@@ -563,7 +563,7 @@
static: |-
Foo bar
- baz
+ baz
Bar foo
wysiwyg: |-
Foo bar
@@ -575,9 +575,9 @@
static: |-
-
-
-
+
+
+
wysiwyg: |-
@@ -588,10 +588,10 @@
Foo bar
static: |-
- Foo bar
+ Foo bar
- Foo bar
+ Foo bar
wysiwyg: |-
Foo bar
@@ -602,7 +602,7 @@
baz
static: |-
- Foo bar
+ Foo bar
baz
wysiwyg: |-
@@ -614,7 +614,7 @@
baz
static: |-
- Foo bar
+ Foo bar
baz
wysiwyg: |-
@@ -626,9 +626,9 @@
Foo
static: |-
- Foo
+ Foo
- Foo
+ Foo
wysiwyg: |-
Foo
Foo
@@ -639,11 +639,11 @@
Foo
static: |-
- Foo
+ Foo
- Foo
+ Foo
- Foo
+ Foo
wysiwyg: |-
Foo
Foo
@@ -676,7 +676,7 @@
Foo
static: |-
- Foo
+ Foo
wysiwyg: |-
Foo
04_03_00__leaf_blocks__setext_headings__008:
@@ -710,7 +710,7 @@
Foo
static: |-
- Foo
+ Foo
wysiwyg: |-
Foo
04_03_00__leaf_blocks__setext_headings__011:
@@ -718,7 +718,7 @@
Foo\
static: |-
- Foo\
+ Foo\
wysiwyg: |-
Foo\
04_03_00__leaf_blocks__setext_headings__012:
@@ -729,10 +729,10 @@
of dashes"/>
static: |-
- `Foo
+ `Foo
`
- <a title="a lot
+ <a title="a lot
of dashes"/>
wysiwyg: |-
`Foo
@@ -790,7 +790,7 @@
Bar
static: |-
- Foo
+ Foo
Bar
wysiwyg: |-
Foo
@@ -807,7 +807,7 @@
- Bar
+ Bar
Baz
wysiwyg: |-
Foo
@@ -878,7 +878,7 @@
> foo
static: |-
- > foo
+ > foo
wysiwyg: |-
> foo
04_03_00__leaf_blocks__setext_headings__024:
@@ -889,7 +889,7 @@
static: |-
Foo
- bar
+ bar
baz
wysiwyg: |-
Foo
@@ -1090,13 +1090,13 @@
static: |-
- Heading
+ Heading
foo
- Heading
+ Heading
foo
baz
static: |-
- foo
+ foo
bar
- baz
+ baz
wysiwyg: |-
foo
bar
@@ -2345,7 +2345,7 @@
static: |-
- Foo
+ Foo
bar
@@ -2360,7 +2360,7 @@
static: |-
- bar
+ bar
wysiwyg: |-
[foo]: /url
@@ -2510,7 +2510,7 @@
static: |-
aaa
- aaa
+ aaa
wysiwyg: |-
aaa
aaa
@@ -2784,7 +2784,7 @@
static: |-
- Foo
+ Foo
bar
baz
@@ -2801,7 +2801,7 @@
static: |-
- Foo
+ Foo
bar
baz
@@ -2818,7 +2818,7 @@
static: |-
- Foo
+ Foo
bar
baz
@@ -2852,7 +2852,7 @@
static: |-
- Foo
+ Foo
bar
baz
@@ -4142,11 +4142,11 @@
-
- Foo
+ Foo
-
- Bar
+ Bar
baz
wysiwyg: |-
@@ -7572,7 +7572,7 @@
foo\
static: |-
- foo\
+ foo\
wysiwyg: |-
foo\
06_13_00__inlines__hard_line_breaks__015:
@@ -7580,7 +7580,7 @@
foo
static: |-
- foo
+ foo
wysiwyg: |-
foo
06_14_00__inlines__soft_line_breaks__001:
@@ -7753,7 +7753,7 @@
text
- title: YAML front matter
+ title: YAML front matter
wysiwyg: |-
text
@@ -7765,7 +7765,7 @@
static: |-
- title: YAML front matter
+ title: YAML front matter
wysiwyg: |-
title: YAML front matter
@@ -7786,9 +7786,9 @@
Heading 1
- Heading 1
+ Heading 1
- Heading 2
+ Heading 2
wysiwyg: |-
Table of contents
Heading 1
@@ -7810,9 +7810,9 @@
Heading 1
- Heading 1
+ Heading 1
- Heading 2
+ Heading 2
wysiwyg: |-
Table of contents
Heading 1
@@ -7842,7 +7842,7 @@
static: |-
- Heading 1
+ Heading 1
wysiwyg: |-
Table of contents
Heading 1
@@ -8292,17 +8292,17 @@
TODO: Write canonical HTML for this example
static: |-
- Heading 1
+ Heading 1
- Heading 2
+ Heading 2
- Heading 3
+ Heading 3
- Heading 4
+ Heading 4
- Heading 5
+ Heading 5
- Heading 6
+ Heading 6
wysiwyg: |-
Heading 1
Heading 2
@@ -8517,7 +8517,7 @@
- content after table
+ content after table
wysiwyg: |-
header
header
code
cell with bold
strike
cell with italic
content after table
@@ -8536,16 +8536,16 @@
- Lorem
+ Lorem
Well, that's just like... your opinion.. man.
- Ipsum
+ Ipsum
- Dolar
+ Dolar
- Sit amit
+ Sit amit
- I don't know
+ I don't know
wysiwyg: |-
Table of contents
Lorem
diff --git a/glfm_specification/output_example_snapshots/snapshot_spec.html b/glfm_specification/output_example_snapshots/snapshot_spec.html
index e8c3551ea20..b176e0ebf8c 100644
--- a/glfm_specification/output_example_snapshots/snapshot_spec.html
+++ b/glfm_specification/output_example_snapshots/snapshot_spec.html
@@ -238,148 +238,11 @@
GitLab Flavored Markdown Internal Extensions
Version alpha
-
--
-Preliminaries
-
--
-Blocks and inlines
-
--
-Leaf blocks
-
--
-Container blocks
-
--
-Inlines
-
--
-GitLab Official Specification Markdown
-
--
-GitLab Internal Extension Markdown
-- Audio
-- Video
-- Markdown Preview API Request Overrides
--
-Migrated golden master examples
-- attachment_image_for_group
-- attachment_image_for_project
-- attachment_image_for_project_wiki
-- attachment_link_for_group
-- attachment_link_for_project
-- attachment_link_for_project_wiki
-- attachment_link_for_group_wiki
-- audio
-- audio_and_video_in_lists
-- blockquote
-- bold
-- bullet_list_style_1
-- bullet_list_style_2
-- bullet_list_style_3
-- code_block_javascript
-- code_block_plaintext
-- code_block_unknown
-- color_chips
-- description_list
-- details
-- diagram_kroki_nomnoml
-- diagram_plantuml
-- diagram_plantuml_unicode
-- div
-- emoji
-- emphasis
-- figure
-- footnotes
-- frontmatter_json
-- frontmatter_toml
-- frontmatter_yaml
-- hard_break
-- headings
-- horizontal_rule
-- html_marks
-- image
-- inline_code
-- inline_diff
-- label
-- link
-- math
-- ordered_list
-- ordered_list_with_start_order
-- ordered_task_list
-- ordered_task_list_with_order
-- reference_for_project_wiki
-- strike
-- table
-- table_of_contents
-- task_list
-- video
-- word_break
-
-
-- Image Attributes
-- Footnotes
-
-
--
-GFM undocumented extensions and more robust test
-
-
+
-Preliminaries
+Preliminaries
-Characters and lines
+Characters and lines
Any sequence of [characters] is a valid CommonMark
document.
A character is a Unicode code point. Although some
@@ -422,7 +285,7 @@ is !, Pc, Pd, Pe, Pf, Pi, Po, or Ps.
-Tabs
+Tabs
Tabs in lines are not expanded to [spaces]. However,
in contexts where whitespace helps to define block structure,
tabs behave as if they were replaced by spaces with a tab stop
@@ -607,11 +470,11 @@ code block starting with two spaces.
-Insecure characters
+Insecure characters
For security reasons, the Unicode character U+0000 must be replaced
with the REPLACEMENT CHARACTER (U+FFFD).
-Blocks and inlines
+Blocks and inlines
We can think of a document as a sequence of
blocks---structural elements like paragraphs, block
quotations, lists, headings, rules, and code blocks. Some blocks (like
@@ -619,7 +482,7 @@ block quotes and list items) contain other blocks; others (like
headings and paragraphs) contain inline content---text,
links, emphasized text, images, code spans, and so on.
-Precedence
+Precedence
Indicators of block structure always take precedence over indicators
of inline structure. So, for example, the following is a list with
two items, not a list with one item containing a code span:
@@ -647,17 +510,17 @@ step. Note that the first step requires processing lines in sequence,
but the second can be parallelized, since the inline parsing of
one block element does not affect the inline parsing of any other.
-Container blocks and leaf blocks
+Container blocks and leaf blocks
We can divide blocks into two types:
container blocks,
which can contain other blocks, and leaf blocks,
which cannot.
-Leaf blocks
+Leaf blocks
This section describes the different kinds of leaf block that make up a
Markdown document.
-Thematic breaks
+Thematic breaks
A line consisting of 0-3 spaces of indentation, followed by a sequence
of three or more matching -, _, or * characters, each followed
optionally by any number of spaces or tabs, forms a
@@ -942,7 +805,7 @@ interpretations of a line, the thematic break takes precedence:
-ATX headings
+ATX headings
An ATX heading
consists of a string of characters, parsed as inline content, between an
opening sequence of 1--6 unescaped # characters and an optional
@@ -1219,7 +1082,7 @@ lines, and they can interrupt paragraphs:
-Setext headings
+Setext headings
A setext heading consists of one or more
lines of text, each containing at least one [non-whitespace
character], with no more than 3 spaces indentation, followed by
@@ -1720,7 +1583,7 @@ underline], such as
-Indented code blocks
+Indented code blocks
An indented code block is composed of one or more
[indented chunks] separated by blank lines.
An indented chunk is a sequence of non-blank lines,
@@ -1954,7 +1817,7 @@ are not included in it:
-
+
+
{{ $options.i18n.projectFieldLabel }}
-
+
+
+ {{ $options.i18n.syntaxOptionsLabel }}
- {{ content }}
+ {{ content }}
-
+
- {{ content }}
+ {{ content }}
{{ query.repository_ref }}
diff --git a/app/assets/javascripts/sentry/init_sentry.js b/app/assets/javascripts/sentry/init_sentry.js
index 722741b50e4..8c8d8b655de 100644
--- a/app/assets/javascripts/sentry/init_sentry.js
+++ b/app/assets/javascripts/sentry/init_sentry.js
@@ -1,3 +1,4 @@
+/* eslint-disable no-restricted-imports */
import {
BrowserClient,
getCurrentHub,
@@ -9,7 +10,7 @@ import {
// exports
captureException,
SDK_VERSION,
-} from 'sentrybrowser';
+} from '@sentry/browser';
const initSentry = () => {
if (!gon?.sentry_dsn) {
diff --git a/app/assets/javascripts/sentry/legacy_constants.js b/app/assets/javascripts/sentry/legacy_constants.js
deleted file mode 100644
index d04011dab2f..00000000000
--- a/app/assets/javascripts/sentry/legacy_constants.js
+++ /dev/null
@@ -1,46 +0,0 @@
-import { __ } from '~/locale';
-
-// https://docs.sentry.io/platforms/javascript/configuration/filtering/#decluttering-sentry
-export const IGNORE_ERRORS = [
- // Random plugins/extensions
- 'top.GLOBALS',
- // See: http://blog.errorception.com/2012/03/tale-of-unfindable-js-error. html
- 'originalCreateNotification',
- 'canvas.contentDocument',
- 'MyApp_RemoveAllHighlights',
- 'http://tt.epicplay.com',
- __("Can't find variable: ZiteReader"),
- __('jigsaw is not defined'),
- __('ComboSearch is not defined'),
- 'http://loading.retry.widdit.com/',
- 'atomicFindClose',
- // Facebook borked
- 'fb_xd_fragment',
- // ISP "optimizing" proxy - `Cache-Control: no-transform` seems to
- // reduce this. (thanks @acdha)
- 'bmi_SafeAddOnload',
- 'EBCallBackMessageReceived',
- // See http://toolbar.conduit.com/Developer/HtmlAndGadget/Methods/JSInjection.aspx
- 'conduitPage',
- // Exclude errors from polling when navigating away from a page
- 'TypeError: Failed to fetch',
-];
-
-export const DENY_URLS = [
- // Facebook flakiness
- /graph\.facebook\.com/i,
- // Facebook blocked
- /connect\.facebook\.net\/en_US\/all\.js/i,
- // Woopra flakiness
- /eatdifferent\.com\.woopra-ns\.com/i,
- /static\.woopra\.com\/js\/woopra\.js/i,
- // Chrome extensions
- /extensions\//i,
- /^chrome:\/\//i,
- // Other plugins
- /127\.0\.0\.1:4001\/isrunning/i, // Cacaoweb
- /webappstoolbarba\.texthelp\.com\//i,
- /metrics\.itunes\.apple\.com\.edgesuite\.net\//i,
-];
-
-export const SAMPLE_RATE = 0.95;
diff --git a/app/assets/javascripts/sentry/legacy_index.js b/app/assets/javascripts/sentry/legacy_index.js
deleted file mode 100644
index 688f8eb0a44..00000000000
--- a/app/assets/javascripts/sentry/legacy_index.js
+++ /dev/null
@@ -1,34 +0,0 @@
-import '../webpack';
-
-import * as Sentry5 from 'sentrybrowser5';
-import LegacySentryConfig from './legacy_sentry_config';
-
-const index = function index() {
- // Configuration for legacy versions of Sentry SDK (v5)
- LegacySentryConfig.init({
- dsn: gon.sentry_dsn,
- currentUserId: gon.current_user_id,
- whitelistUrls:
- process.env.NODE_ENV === 'production'
- ? [gon.gitlab_url]
- : [gon.gitlab_url, 'webpack-internal://'],
- environment: gon.sentry_environment,
- release: gon.revision,
- tags: {
- revision: gon.revision,
- feature_category: gon.feature_category,
- },
- });
-};
-
-index();
-
-// The _Sentry object is globally exported so it can be used by
-// ./sentry_browser_wrapper.js
-// This hack allows us to load a single version of `~/sentry/sentry_browser_wrapper`
-// in the browser, see app/views/layouts/_head.html.haml to find how it is imported.
-
-// eslint-disable-next-line no-underscore-dangle
-window._Sentry = Sentry5;
-
-export default index;
diff --git a/app/assets/javascripts/sentry/legacy_sentry_config.js b/app/assets/javascripts/sentry/legacy_sentry_config.js
deleted file mode 100644
index 137c31f5526..00000000000
--- a/app/assets/javascripts/sentry/legacy_sentry_config.js
+++ /dev/null
@@ -1,64 +0,0 @@
-import * as Sentry5 from 'sentrybrowser5';
-import $ from 'jquery';
-import { __ } from '~/locale';
-import { IGNORE_ERRORS, DENY_URLS, SAMPLE_RATE } from './legacy_constants';
-
-const SentryConfig = {
- IGNORE_ERRORS,
- DENYLIST_URLS: DENY_URLS,
- SAMPLE_RATE,
- init(options = {}) {
- this.options = options;
-
- this.configure();
- this.bindSentryErrors();
- if (this.options.currentUserId) this.setUser();
- },
-
- configure() {
- const { dsn, release, tags, whitelistUrls, environment } = this.options;
-
- Sentry5.init({
- dsn,
- release,
- whitelistUrls,
- environment,
- ignoreErrors: this.IGNORE_ERRORS, // TODO: Remove in favor of https://gitlab.com/gitlab-org/gitlab/issues/35144
- blacklistUrls: this.DENYLIST_URLS,
- sampleRate: SAMPLE_RATE,
- });
-
- Sentry5.setTags(tags);
- },
-
- setUser() {
- Sentry5.setUser({
- id: this.options.currentUserId,
- });
- },
-
- bindSentryErrors() {
- $(document).on('ajaxError.sentry', this.handleSentryErrors);
- },
-
- handleSentryErrors(event, req, config, err) {
- const error = err || req.statusText;
- const { responseText = __('Unknown response text') } = req;
- const { type, url, data } = config;
- const { status } = req;
-
- Sentry5.captureMessage(error, {
- extra: {
- type,
- url,
- data,
- status,
- response: responseText,
- error,
- event,
- },
- });
- },
-};
-
-export default SentryConfig;
diff --git a/app/assets/javascripts/single_file_diff.js b/app/assets/javascripts/single_file_diff.js
index 1e01da795e8..a3b10f3a77b 100644
--- a/app/assets/javascripts/single_file_diff.js
+++ b/app/assets/javascripts/single_file_diff.js
@@ -1,6 +1,8 @@
import $ from 'jquery';
+import { GlButton } from '@gitlab/ui';
import { createAlert } from '~/alert';
import { loadingIconForLegacyJS } from '~/loading_icon_for_legacy_js';
+import { renderVueComponentForLegacyJS } from '~/render_vue_component_for_legacy_js';
import { spriteIcon } from '~/lib/utils/common_utils';
import FilesCommentButton from './files_comment_button';
import initImageDiffHelper from './image_diff/helpers/init_image_diff';
@@ -14,8 +16,15 @@ const ERROR_HTML = `${spriteIcon(
'warning-solid',
's16',
)} Could not load diff`;
-const COLLAPSED_HTML =
- 'This diff is collapsed. ';
+const CLICK_TO_EXPAND_BUTTON_HTML = renderVueComponentForLegacyJS(
+ GlButton,
+ {
+ class: 'click-to-expand',
+ props: { variant: 'link' },
+ },
+ __('Click to expand it.'),
+).outerHTML;
+const COLLAPSED_HTML = `This diff is collapsed. ${CLICK_TO_EXPAND_BUTTON_HTML}`;
export default class SingleFileDiff {
constructor(file) {
diff --git a/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue b/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue
index b6bbb5df93e..69c87cd3cfc 100644
--- a/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue
+++ b/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue
@@ -7,7 +7,7 @@ import { AVATAR_SHAPE_OPTION_RECT } from '~/vue_shared/constants';
export default {
i18n: {
uploadText: __('Drop or %{linkStart}upload%{linkEnd} an avatar.'),
- maxFileSize: s__('Profiles|The maximum file size allowed is 200KB.'),
+ maxFileSize: s__('Profiles|The maximum file size allowed is 200 KiB.'),
imageDimensions: s__('Profiles|The ideal image size is 192 x 192 pixels.'),
removeAvatar: __('Remove avatar'),
},
diff --git a/app/channels/application_cable/channel.rb b/app/channels/application_cable/channel.rb
index 0de2b0185b5..84c1705c2b5 100644
--- a/app/channels/application_cable/channel.rb
+++ b/app/channels/application_cable/channel.rb
@@ -3,6 +3,15 @@
module ApplicationCable
class Channel < ActionCable::Channel::Base
include Logging
+ include Gitlab::Auth::AuthFinders
+
+ before_subscribe :validate_token_scope
+
+ def validate_token_scope
+ validate_access_token!(scopes: [:api, :read_api])
+ rescue Gitlab::Auth::InsufficientScopeError
+ reject
+ end
private
diff --git a/app/channels/graphql_channel.rb b/app/channels/graphql_channel.rb
index ae37be85da8..cc2a9126004 100644
--- a/app/channels/graphql_channel.rb
+++ b/app/channels/graphql_channel.rb
@@ -48,7 +48,8 @@ class GraphqlChannel < ApplicationCable::Channel # rubocop:disable Gitlab/Namesp
# Objects added to the context may also need to be reloaded in
# `Subscriptions::BaseSubscription` so that they are not stale
def context
- # is_sessionless_user is always false because we only support cookie auth in ActionCable
- { channel: self, current_user: current_user, is_sessionless_user: false }
+ request_authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
+ scope_validator = ::Gitlab::Auth::ScopeValidator.new(current_user, request_authenticator)
+ { channel: self, current_user: current_user, is_sessionless_user: false, scope_validator: scope_validator }
end
end
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index 47c3d54df3a..912469382d6 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -222,6 +222,8 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
else
fail_login(@user)
end
+ rescue Gitlab::Auth::OAuth::User::IdentityWithUntrustedExternUidError
+ handle_identity_with_untrusted_extern_uid
rescue Gitlab::Auth::OAuth::User::SigninDisabledForProviderError
handle_disabled_provider
rescue Gitlab::Auth::OAuth::User::SignupDisabledError
@@ -271,6 +273,13 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
redirect_to profile_account_path, notice: _('Request to link SAML account must be authorized')
end
+ def handle_identity_with_untrusted_extern_uid
+ label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])
+ flash[:alert] = format(_("Signing in using your %{label} account has been disabled for security reasons. Please sign in to your GitLab account using another authentication method and reconnect to your %{label} account."), label: label)
+
+ redirect_to new_user_session_path
+ end
+
def handle_disabled_provider
label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])
flash[:alert] = _("Signing in using %{label} has been disabled") % { label: label }
diff --git a/app/graphql/resolvers/base_resolver.rb b/app/graphql/resolvers/base_resolver.rb
index 17db91a685f..e6d54d9e31c 100644
--- a/app/graphql/resolvers/base_resolver.rb
+++ b/app/graphql/resolvers/base_resolver.rb
@@ -174,7 +174,7 @@ module Resolvers
end
def self.authorized?(object, context)
- authorization.ok?(object, context[:current_user])
+ authorization.ok?(object, context[:current_user], scope_validator: context[:scope_validator])
end
end
end
diff --git a/app/graphql/types/base_enum.rb b/app/graphql/types/base_enum.rb
index ca86e399f6b..d7ceaafb318 100644
--- a/app/graphql/types/base_enum.rb
+++ b/app/graphql/types/base_enum.rb
@@ -65,7 +65,7 @@ module Types
end
def authorized?(object, context)
- authorization.ok?(object, context[:current_user])
+ authorization.ok?(object, context[:current_user], scope_validator: context[:scope_validator])
end
end
end
diff --git a/app/graphql/types/base_field.rb b/app/graphql/types/base_field.rb
index 886490ba62f..ca671533ef1 100644
--- a/app/graphql/types/base_field.rb
+++ b/app/graphql/types/base_field.rb
@@ -97,7 +97,7 @@ module Types
def field_authorized?(object, ctx)
object = object.node if object.is_a?(GraphQL::Pagination::Connection::Edge)
- authorization.ok?(object, ctx[:current_user])
+ authorization.ok?(object, ctx[:current_user], scope_validator: ctx[:scope_validator])
end
# Historically our resolvers have used declarative permission checks only
diff --git a/app/graphql/types/base_object.rb b/app/graphql/types/base_object.rb
index 4ad88e43f52..1783db3cc33 100644
--- a/app/graphql/types/base_object.rb
+++ b/app/graphql/types/base_object.rb
@@ -32,7 +32,7 @@ module Types
end
def self.authorized?(object, context)
- authorization.ok?(object, context[:current_user])
+ authorization.ok?(object, context[:current_user], scope_validator: context[:scope_validator])
end
def current_user
diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index 60a229ef42a..177adb36cd4 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -411,6 +411,9 @@ module ApplicationSettingsHelper
:throttle_unauthenticated_files_api_enabled,
:throttle_unauthenticated_files_api_period_in_seconds,
:throttle_unauthenticated_files_api_requests_per_period,
+ :throttle_unauthenticated_git_http_enabled,
+ :throttle_unauthenticated_git_http_period_in_seconds,
+ :throttle_unauthenticated_git_http_requests_per_period,
:throttle_unauthenticated_deprecated_api_enabled,
:throttle_unauthenticated_deprecated_api_period_in_seconds,
:throttle_unauthenticated_deprecated_api_requests_per_period,
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 5ff1bca975d..0eb1a79dfe1 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -553,6 +553,8 @@ class ApplicationSetting < MainClusterwide::ApplicationRecord
:throttle_unauthenticated_deprecated_api_requests_per_period,
:throttle_unauthenticated_files_api_period_in_seconds,
:throttle_unauthenticated_files_api_requests_per_period,
+ :throttle_unauthenticated_git_http_period_in_seconds,
+ :throttle_unauthenticated_git_http_requests_per_period,
:throttle_unauthenticated_packages_api_period_in_seconds,
:throttle_unauthenticated_packages_api_requests_per_period,
:throttle_unauthenticated_period_in_seconds,
@@ -612,6 +614,11 @@ class ApplicationSetting < MainClusterwide::ApplicationRecord
jsonb_accessor :service_ping_settings,
gitlab_environment_toolkit_instance: [:boolean, { default: false }]
+ jsonb_accessor :rate_limits_unauthenticated_git_http,
+ throttle_unauthenticated_git_http_enabled: [:boolean, { default: false }],
+ throttle_unauthenticated_git_http_requests_per_period: [:integer, { default: 3600 }],
+ throttle_unauthenticated_git_http_period_in_seconds: [:integer, { default: 3600 }]
+
validates :rate_limits, json_schema: { filename: "application_setting_rate_limits" }
validates :search_rate_limit_allowlist,
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index 9caf712d0dc..3f1540e9b8c 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -2148,8 +2148,12 @@ class MergeRequest < ApplicationRecord
merge_request_reviewers.where(user_id: user_ids)
end
- def has_changes_requested?
- merge_request_reviewers.exists?(state: :requested_changes)
+ def create_requested_changes(user)
+ # Overridden in EE
+ end
+
+ def destroy_requested_changes(user)
+ # Overridden in EE
end
def batch_update_reviewer_state(user_ids, state)
diff --git a/app/models/user.rb b/app/models/user.rb
index 88382c85653..9002b1cedb2 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -320,7 +320,7 @@ class User < MainClusterwide::ApplicationRecord
validates :name, presence: true, length: { maximum: 255 }
validates :first_name, length: { maximum: 127 }
validates :last_name, length: { maximum: 127 }
- validates :email, confirmation: true
+ validates :email, confirmation: true, devise_email: true
validates :notification_email, devise_email: true, allow_blank: true
validates :public_email, uniqueness: true, devise_email: true, allow_blank: true
validates :commit_email, devise_email: true, allow_blank: true, unless: ->(user) { user.commit_email == Gitlab::PrivateCommitEmail::TOKEN }
diff --git a/app/services/merge_requests/approval_service.rb b/app/services/merge_requests/approval_service.rb
index 679ee7b4c35..2770bb95c70 100644
--- a/app/services/merge_requests/approval_service.rb
+++ b/app/services/merge_requests/approval_service.rb
@@ -13,7 +13,7 @@ module MergeRequests
return success unless save_approval(approval)
- update_reviewer_state(merge_request, current_user, :approved)
+ update_reviewer_state(merge_request, current_user, 'approved')
reset_approvals_cache(merge_request)
diff --git a/app/services/merge_requests/remove_approval_service.rb b/app/services/merge_requests/remove_approval_service.rb
index ffe3799b540..9bf582e2091 100644
--- a/app/services/merge_requests/remove_approval_service.rb
+++ b/app/services/merge_requests/remove_approval_service.rb
@@ -15,7 +15,7 @@ module MergeRequests
trigger_approval_hooks(merge_request, skip_notification) do
next unless approval.destroy_all # rubocop: disable Cop/DestroyAll
- update_reviewer_state(merge_request, current_user, :unapproved) unless skip_updating_state
+ update_reviewer_state(merge_request, current_user, 'unapproved') unless skip_updating_state
reset_approvals_cache(merge_request)
unless skip_system_note
diff --git a/app/services/merge_requests/update_reviewer_state_service.rb b/app/services/merge_requests/update_reviewer_state_service.rb
index a77cdeeb121..9e4c3fd2180 100644
--- a/app/services/merge_requests/update_reviewer_state_service.rb
+++ b/app/services/merge_requests/update_reviewer_state_service.rb
@@ -12,8 +12,12 @@ module MergeRequests
trigger_merge_request_reviewers_updated(merge_request)
+ destroy_requested_changes(merge_request) if state == 'approved'
+
return success if state != 'requested_changes'
+ create_requested_changes(merge_request)
+
if merge_request.approved_by?(current_user) && !remove_approval(merge_request, current_user)
return error("Failed to remove approval")
end
@@ -23,5 +27,17 @@ module MergeRequests
error("Reviewer not found")
end
end
+
+ private
+
+ def create_requested_changes(merge_request)
+ merge_request.create_requested_changes(current_user)
+
+ trigger_merge_request_merge_status_updated(merge_request)
+ end
+
+ def destroy_requested_changes(merge_request)
+ merge_request.destroy_requested_changes(current_user)
+ end
end
end
diff --git a/app/validators/devise_email_validator.rb b/app/validators/devise_email_validator.rb
index b91cfe23f08..b462fa0ffde 100644
--- a/app/validators/devise_email_validator.rb
+++ b/app/validators/devise_email_validator.rb
@@ -19,7 +19,8 @@
# end
class DeviseEmailValidator < ActiveModel::EachValidator
DEFAULT_OPTIONS = {
- regexp: Devise.email_regexp
+ regexp: Devise.email_regexp,
+ invalid_characters_regexp: %r{[?!#$%&*\/=^<>]}
}.freeze
def initialize(options)
@@ -31,6 +32,14 @@ class DeviseEmailValidator < ActiveModel::EachValidator
end
def validate_each(record, attribute, value)
- record.errors.add(attribute, :invalid) unless options[:regexp].match?(value)
+ return if record.errors.include?(attribute)
+
+ record.errors.add(attribute, :invalid) unless valid_email?(value)
+ end
+
+ private
+
+ def valid_email?(value)
+ options[:regexp].match?(value) && !options[:invalid_characters_regexp].match?(value)
end
end
diff --git a/app/views/admin/application_settings/_git_http_limits.html.haml b/app/views/admin/application_settings/_git_http_limits.html.haml
new file mode 100644
index 00000000000..fc777a17443
--- /dev/null
+++ b/app/views/admin/application_settings/_git_http_limits.html.haml
@@ -0,0 +1,18 @@
+= gitlab_ui_form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-git-http-limits-settings'), html: { class: 'fieldset-form' } do |f|
+ = form_errors(@application_setting)
+
+ %fieldset
+ %h5
+ = _('Unauthenticated Git HTTP request rate limit')
+ .form-group
+ = f.gitlab_ui_checkbox_component :throttle_unauthenticated_git_http_enabled,
+ _('Enable unauthenticated Git HTTP request rate limit'),
+ help_text: _('Helps reduce unauthenticated Git HTTP request volume for git paths.')
+ .form-group
+ = f.label :throttle_unauthenticated_git_http_requests_per_period, _('Maximum unauthenticated Git HTTP requests per period per IP'), class: 'gl-font-weight-bold'
+ = f.number_field :throttle_unauthenticated_git_http_requests_per_period, class: 'form-control gl-form-input'
+ .form-group
+ = f.label :throttle_unauthenticated_git_http_period_in_seconds, _('Unauthenticated Git HTTP rate limit period in seconds'), class: 'gl-font-weight-bold'
+ = f.number_field :throttle_unauthenticated_git_http_period_in_seconds, class: 'form-control gl-form-input'
+
+ = f.submit _('Save changes'), pajamas_button: true
diff --git a/app/views/admin/application_settings/_sentry.html.haml b/app/views/admin/application_settings/_sentry.html.haml
index 5079f374c84..7058a4b5cca 100644
--- a/app/views/admin/application_settings/_sentry.html.haml
+++ b/app/views/admin/application_settings/_sentry.html.haml
@@ -1,12 +1,8 @@
= gitlab_ui_form_for @application_setting, url: metrics_and_profiling_admin_application_settings_path(anchor: 'js-sentry-settings'), html: { class: 'fieldset-form', id: 'sentry-settings' } do |f|
= form_errors(@application_setting)
- - if Feature.disabled?(:enable_new_sentry_integration)
- %fieldset.gl-text-secondary
- = safe_format(s_('AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, enable the %{code_start}enable_new_sentry_integration%{code_end} feature flag and restart GitLab.'), tag_pair(tag.b, :bold_start, :bold_end), tag_pair(tag.code, :code_start, :code_end))
- - else
- %fieldset.gl-text-secondary
- = safe_format(s_('AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, restart GitLab.'), tag_pair(tag.b, :bold_start, :bold_end))
+ %fieldset.gl-text-secondary
+ = safe_format(s_('AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, restart GitLab.'), tag_pair(tag.b, :bold_start, :bold_end))
%fieldset
.form-group
diff --git a/app/views/admin/application_settings/network.html.haml b/app/views/admin/application_settings/network.html.haml
index 86fbbef8dac..b951c97814f 100644
--- a/app/views/admin/application_settings/network.html.haml
+++ b/app/views/admin/application_settings/network.html.haml
@@ -72,6 +72,18 @@
.settings-content
= render partial: 'network_rate_limits', locals: { anchor: 'js-deprecated-limits-settings', setting_fragment: 'deprecated_api' }
+%section.settings.as-git-http-limits.no-animate#js-git-http-limits-settings{ class: ('expanded' if expanded_by_default?) }
+ .settings-header
+ %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
+ = _('Git HTTP rate limits')
+ = render Pajamas::ButtonComponent.new(button_options: { class: 'js-settings-toggle' }) do
+ = expanded_by_default? ? _('Collapse') : _('Expand')
+ %p.gl-text-secondary
+ = _('Configure specific limits for Git HTTP requests.')
+ = link_to _('Learn more.'), help_page_path('administration/settings/git_http_rate_limits'), target: '_blank', rel: 'noopener noreferrer'
+ .settings-content
+ = render 'git_http_limits'
+
%section.settings.as-git-lfs-limits.no-animate#js-git-lfs-limits-settings{ class: ('expanded' if expanded_by_default?) }
.settings-header
%h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
diff --git a/app/views/layouts/_head.html.haml b/app/views/layouts/_head.html.haml
index 728997d39c7..ea770a076f3 100644
--- a/app/views/layouts/_head.html.haml
+++ b/app/views/layouts/_head.html.haml
@@ -48,10 +48,8 @@
= render 'layouts/loading_hints'
= render_if_exists 'layouts/header/translations'
- - if Feature.enabled?(:enable_new_sentry_integration) && Gitlab::CurrentSettings.sentry_enabled
+ - if Gitlab::CurrentSettings.sentry_enabled
= webpack_bundle_tag 'sentry'
- - elsif Gitlab.config.sentry.enabled
- = webpack_bundle_tag 'legacy_sentry'
= webpack_bundle_tag 'performance_bar' if performance_bar_enabled?
= yield :page_specific_javascripts
diff --git a/app/views/search/_results_status.html.haml b/app/views/search/_results_status.html.haml
index 3c42126e480..28fc99c3de5 100644
--- a/app/views/search/_results_status.html.haml
+++ b/app/views/search/_results_status.html.haml
@@ -1,30 +1,25 @@
-.section{ class: ('gl-lg-display-none' if @search_objects.to_a.empty?) }
- .search-results-status
- .gl-display-flex.gl-flex-direction-column
- .gl-p-5.gl-display-flex.gl-flex-wrap
- - unless @search_objects.to_a.empty?
- .gl-display-flex.gl-text-left.gl-flex-grow-1.gl-flex-shrink-1.gl-white-space-nowrap.gl-flex-wrap.gl-sm-w-half
+.search-results-status.gl-sm-display-flex.gl-flex-wrap.gl-justify-content-space-between.gl-my-4{ class: ('gl-lg-display-none' if @search_objects.to_a.empty?) }
+ - unless @search_objects.to_a.empty?
+ %p.gl-text-truncate.gl-my-auto
+ - unless @search_service_presenter.without_count?
+ = search_entries_info(@search_objects, @scope, @search_term)
+ - unless @search_service_presenter.show_snippets?
+ - if @project
+ - link_to_project = link_to(@project.full_name, @project, class: 'search-wrap-f-md-down')
+ - if @scope == 'blobs'
+ = _("in")
+ .mx-md-1.gl-my-auto
+ #js-blob-ref-switcher{ data: { "project-id" => @project.id, "ref" => repository_ref(@project), "field-name": "repository_ref" } }
%p.gl-text-truncate.gl-my-auto
- - unless @search_service_presenter.without_count?
- = search_entries_info(@search_objects, @scope, @search_term)
- - unless @search_service_presenter.show_snippets?
- - if @project
- - link_to_project = link_to(@project.full_name, @project, class: 'search-wrap-f-md-down')
- - if @scope == 'blobs'
- = _("in")
- .mx-md-1.gl-my-auto
- #js-blob-ref-switcher{ data: { "project-id" => @project.id, "ref" => repository_ref(@project), "field-name": "repository_ref" } }
- %p.gl-text-truncate.gl-my-auto
- = s_('SearchCodeResults|of %{link_to_project}').html_safe % { link_to_project: link_to_project }
- - else
- = _("in project %{link_to_project}").html_safe % { link_to_project: link_to_project }
- - elsif @group
- - link_to_group = link_to(@group.name, @group, class: 'ml-md-1')
- = _("in group %{link_to_group}").html_safe % { link_to_group: link_to_group }
- .gl-display-flex.gl-my-3.gl-flex-grow-1.gl-flex-shrink-1.gl-justify-content-end
- = render Pajamas::ButtonComponent.new(category: 'primary', icon: 'filter', button_options: {id: 'js-open-mobile-filters', class: 'gl-lg-display-none'}) do
- = s_('GlobalSearch|Filters')
- - if @search_service_presenter.show_sort_dropdown? && !@search_objects.to_a.empty?
- .gl-ml-3
- #js-search-sort{ data: { "search-sort-options" => search_sort_options.to_json } }
- %hr.gl-mb-5.gl-mt-0.gl-border-gray-100.gl-w-full
+ = s_('SearchCodeResults|of %{link_to_project}').html_safe % { link_to_project: link_to_project }
+ - else
+ = _("in project %{link_to_project}").html_safe % { link_to_project: link_to_project }
+ - elsif @group
+ - link_to_group = link_to(@group.name, @group, class: 'ml-md-1')
+ = _("in group %{link_to_group}").html_safe % { link_to_group: link_to_group }
+ .gl-display-flex
+ = render Pajamas::ButtonComponent.new(category: 'primary', icon: 'filter', button_options: {id: 'js-open-mobile-filters', class: 'gl-lg-display-none'}) do
+ = s_('GlobalSearch|Filters')
+ - if @search_service_presenter.show_sort_dropdown? && !@search_objects.to_a.empty?
+ .gl-ml-3
+ #js-search-sort{ data: { "search-sort-options" => search_sort_options.to_json } }
diff --git a/app/views/search/results/_issuable.html.haml b/app/views/search/results/_issuable.html.haml
index 75530b616bf..52da4ca254a 100644
--- a/app/views/search/results/_issuable.html.haml
+++ b/app/views/search/results/_issuable.html.haml
@@ -1,4 +1,4 @@
-%div{ class: 'search-result-row gl-display-flex gl-sm-flex-direction-row gl-flex-direction-column gl-align-items-center gl-pb-5! gl-mt-5 gl-mb-0!' }
+.search-result-row.row.gl-display-flex.gl-sm-flex-direction-row.gl-flex-direction-column.gl-align-items-center.gl-mt-5{ class: 'gl-pb-5! gl-mb-0!' }
.col-sm-9
%span.gl-display-flex.gl-align-items-center
= gl_badge_tag issuable_state_text(issuable), variant: issuable_state_to_badge_class(issuable), size: :sm
diff --git a/app/views/shared/_choose_avatar_button.html.haml b/app/views/shared/_choose_avatar_button.html.haml
index 30a6a31cdd4..3fbc4d30744 100644
--- a/app/views/shared/_choose_avatar_button.html.haml
+++ b/app/views/shared/_choose_avatar_button.html.haml
@@ -1 +1 @@
-= render 'shared/file_picker_button', f: f, field: :avatar, help_text: s_("Profiles|The ideal image size is 192 x 192 pixels.") + " " + s_("Profiles|The maximum file size allowed is 200KB.")
+= render 'shared/file_picker_button', f: f, field: :avatar, help_text: s_("Profiles|The ideal image size is 192 x 192 pixels.") + " " + s_("Profiles|The maximum file size allowed is 200 KiB.")
diff --git a/app/views/user_settings/profiles/show.html.haml b/app/views/user_settings/profiles/show.html.haml
index 39b0084cbeb..66977d814b9 100644
--- a/app/views/user_settings/profiles/show.html.haml
+++ b/app/views/user_settings/profiles/show.html.haml
@@ -38,7 +38,7 @@
= f.file_field :avatar, class: 'js-user-avatar-input hidden', accept: 'image/*'
.gl-text-gray-500
= s_("Profiles|The ideal image size is 192 x 192 pixels.")
- = s_("Profiles|The maximum file size allowed is 200KB.")
+ = s_("Profiles|The maximum file size allowed is 200 KiB.")
- if @user.avatar?
= render Pajamas::ButtonComponent.new(variant: :danger,
category: :secondary,
diff --git a/config/feature_flags/development/enable_new_sentry_integration.yml b/config/feature_flags/development/enable_new_sentry_integration.yml
deleted file mode 100644
index 00665f80ed6..00000000000
--- a/config/feature_flags/development/enable_new_sentry_integration.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: enable_new_sentry_integration
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72428
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/344832
-milestone: '14.9'
-type: development
-group: group::pipeline execution
-default_enabled: false
diff --git a/config/feature_flags/development/enable_old_sentry_integration.yml b/config/feature_flags/development/enable_old_sentry_integration.yml
deleted file mode 100644
index 4911dbfdc78..00000000000
--- a/config/feature_flags/development/enable_old_sentry_integration.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: enable_old_sentry_integration
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72428
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/344832
-milestone: '14.9'
-type: development
-group: group::pipeline execution
-default_enabled: true
diff --git a/config/feature_flags/gitlab_com_derisk/native_header_anchors.yml b/config/feature_flags/gitlab_com_derisk/native_header_anchors.yml
new file mode 100644
index 00000000000..24f36fcd99f
--- /dev/null
+++ b/config/feature_flags/gitlab_com_derisk/native_header_anchors.yml
@@ -0,0 +1,9 @@
+---
+name: native_header_anchors
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/440733
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144690
+rollout_issue_url:
+milestone: '17.0'
+group: group::project management
+type: gitlab_com_derisk
+default_enabled: false
diff --git a/config/gitlab_loose_foreign_keys.yml b/config/gitlab_loose_foreign_keys.yml
index 56a233425e5..b29b31cb20e 100644
--- a/config/gitlab_loose_foreign_keys.yml
+++ b/config/gitlab_loose_foreign_keys.yml
@@ -245,6 +245,16 @@ merge_request_metrics:
- table: ci_pipelines
column: pipeline_id
on_delete: async_nullify
+merge_request_requested_changes:
+ - table: merge_requests
+ column: merge_request_id
+ on_delete: async_delete
+ - table: projects
+ column: project_id
+ on_delete: async_delete
+ - table: users
+ column: user_id
+ on_delete: async_delete
merge_requests:
- table: ci_pipelines
column: head_pipeline_id
diff --git a/config/webpack.config.js b/config/webpack.config.js
index ca5506a1e39..f6cd978f300 100644
--- a/config/webpack.config.js
+++ b/config/webpack.config.js
@@ -261,7 +261,6 @@ module.exports = {
*/
return {
default: defaultEntries,
- legacy_sentry: './sentry/legacy_index.js',
sentry: './sentry/index.js',
performance_bar: './performance_bar/index.js',
jira_connect_app: './jira_connect/subscriptions/index.js',
diff --git a/data/deprecations/14-8-graphql-runner-active.yml b/data/deprecations/14-8-graphql-runner-active.yml
new file mode 100644
index 00000000000..296ed3b6ddf
--- /dev/null
+++ b/data/deprecations/14-8-graphql-runner-active.yml
@@ -0,0 +1,40 @@
+- title: 'Runner `active` GraphQL fields replaced by `paused`'
+ # The milestones for the deprecation announcement, and the removal.
+ removal_milestone: '18.0'
+ announcement_milestone: '14.8'
+ # Change breaking_change to false if needed.
+ breaking_change: true
+ # The stage and GitLab username of the person reporting the change,
+ # and a link to the deprecation issue
+ reporter: pedropombeiro
+ stage: Verify
+ issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/351109
+ impact: low
+ scope: # Can be one or a combination of: [instance, group, project]
+ resolution_role: Developer
+ manual_task: true
+ body: | # (required) Don't change this line.
+ Occurrences of the `active` identifier in the GitLab GraphQL API endpoints will be renamed to `paused` in GitLab 18.0:
+
+ - The `CiRunner` property.
+ - The `RunnerUpdateInput` input type for the `runnerUpdate` mutation.
+ - The `runners`, `Group.runners`, and `Project.runners` queries.
+
+ # ==============================
+ # OPTIONAL END-OF-SUPPORT FIELDS
+ # ==============================
+ #
+ # If an End of Support period applies:
+ # 1) Share this announcement in the `#spt_managers` Support channel in Slack
+ # 2) Mention `@gitlab-com/support` in this merge request.
+ #
+ # When support for this feature ends, in XX.YY milestone format.
+ end_of_support_milestone:
+ # Array of tiers the feature is currently available to,
+ # like [Free, Silver, Gold, Core, Premium, Ultimate]
+ tiers:
+ # Links to documentation and thumbnail image
+ documentation_url: https://docs.gitlab.com/ee/api/graphql/reference/index.html#cirunner
+ image_url:
+ # Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg
+ video_url:
diff --git a/data/whats_new/202404160001_16_11.yml b/data/whats_new/202404160001_16_11.yml
index ff9361acdd7..69129bcf6fd 100644
--- a/data/whats_new/202404160001_16_11.yml
+++ b/data/whats_new/202404160001_16_11.yml
@@ -10,7 +10,7 @@
stage: ai-powered
self-managed: true
gitlab-com: true
- available_in: [Free, Premium, Ultimate]
+ available_in: [Premium, Ultimate]
documentation_link: https://docs.gitlab.com/ee/user/gitlab_duo_chat.html
image_url: https://img.youtube.com/vi/ZQBAuf-CTAY/hqdefault.jpg
published_at: 2024-04-18
@@ -52,7 +52,7 @@
stage: govern
self-managed: true
gitlab-com: true
- available_in: [Free, Premium, Ultimate]
+ available_in: [Premium, Ultimate]
documentation_link: https://docs.gitlab.com/ee/editor_extensions/jetbrains_ide/index.html
image_url: https://about.gitlab.com/images/16_11/create-duo-chat-in-jetbrains.png
published_at: 2024-04-18
diff --git a/db/docs/batched_background_migrations/backfill_workspace_variables_project_id.yml b/db/docs/batched_background_migrations/backfill_workspace_variables_project_id.yml
new file mode 100644
index 00000000000..8aacc82b2fa
--- /dev/null
+++ b/db/docs/batched_background_migrations/backfill_workspace_variables_project_id.yml
@@ -0,0 +1,9 @@
+---
+migration_job_name: BackfillWorkspaceVariablesProjectId
+description: Backfills sharding key `workspace_variables.project_id` from `workspaces`.
+feature_category: remote_development
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150074
+milestone: '17.0'
+queued_migration_version: 20240419035360
+finalize_after: '2024-05-22'
+finalized_by: # version of the migration that finalized this BBM
diff --git a/db/docs/merge_request_requested_changes.yml b/db/docs/merge_request_requested_changes.yml
new file mode 100644
index 00000000000..fe49f404a4e
--- /dev/null
+++ b/db/docs/merge_request_requested_changes.yml
@@ -0,0 +1,12 @@
+---
+table_name: merge_request_requested_changes
+classes:
+- MergeRequests::RequestedChange
+feature_categories:
+- code_review_workflow
+description: Blocker for changes requested on a merge request
+introduced_by_url:
+milestone: '17.0'
+gitlab_schema: gitlab_main_cell
+sharding_key:
+ project_id: projects
\ No newline at end of file
diff --git a/db/docs/workspace_variables.yml b/db/docs/workspace_variables.yml
index f92750f84c1..f8f0369e75f 100644
--- a/db/docs/workspace_variables.yml
+++ b/db/docs/workspace_variables.yml
@@ -23,3 +23,4 @@ desired_sharding_key:
table: workspaces
sharding_key: project_id
belongs_to: workspace
+desired_sharding_key_migration_job_name: BackfillWorkspaceVariablesProjectId
diff --git a/db/migrate/20240405090000_add_throttle_unauthenticated_git_http_to_application_settings.rb b/db/migrate/20240405090000_add_throttle_unauthenticated_git_http_to_application_settings.rb
new file mode 100644
index 00000000000..1881b8d630b
--- /dev/null
+++ b/db/migrate/20240405090000_add_throttle_unauthenticated_git_http_to_application_settings.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+class AddThrottleUnauthenticatedGitHttpToApplicationSettings < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ disable_ddl_transaction!
+
+ def up
+ add_column :application_settings, :rate_limits_unauthenticated_git_http, :jsonb, default: {}, null: false,
+ if_not_exists: true
+
+ add_check_constraint(
+ :application_settings,
+ "(jsonb_typeof(rate_limits_unauthenticated_git_http) = 'object')",
+ 'check_application_settings_rate_limits_unauth_git_http_is_hash'
+ )
+ end
+
+ def down
+ remove_column :application_settings, :rate_limits_unauthenticated_git_http, it_exists: true
+ end
+end
diff --git a/db/migrate/20240405090010_update_throttle_unauthenticated_git_http_in_application_settings.rb b/db/migrate/20240405090010_update_throttle_unauthenticated_git_http_in_application_settings.rb
new file mode 100644
index 00000000000..d4458912262
--- /dev/null
+++ b/db/migrate/20240405090010_update_throttle_unauthenticated_git_http_in_application_settings.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+class UpdateThrottleUnauthenticatedGitHttpInApplicationSettings < Gitlab::Database::Migration[2.2]
+ restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+ milestone '17.0'
+
+ disable_ddl_transaction!
+
+ def up
+ execute <<~SQL
+ UPDATE application_settings
+ SET rate_limits_unauthenticated_git_http = jsonb_build_object(
+ 'throttle_unauthenticated_git_http_enabled', throttle_unauthenticated_enabled,
+ 'throttle_unauthenticated_git_http_requests_per_period', throttle_unauthenticated_requests_per_period,
+ 'throttle_unauthenticated_git_http_period_in_seconds', throttle_unauthenticated_period_in_seconds
+ );
+ SQL
+ end
+
+ def down
+ execute "UPDATE application_settings SET rate_limits_unauthenticated_git_http = CAST('{}' AS jsonb)"
+ end
+end
diff --git a/db/migrate/20240415184907_add_trusted_extern_uid_to_identities.rb b/db/migrate/20240415184907_add_trusted_extern_uid_to_identities.rb
new file mode 100644
index 00000000000..a2759fd4d82
--- /dev/null
+++ b/db/migrate/20240415184907_add_trusted_extern_uid_to_identities.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class AddTrustedExternUidToIdentities < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ enable_lock_retries!
+
+ def change
+ add_column :identities, :trusted_extern_uid, :boolean, default: true
+ end
+end
diff --git a/db/migrate/20240415190848_index_identities_on_provider.rb b/db/migrate/20240415190848_index_identities_on_provider.rb
new file mode 100644
index 00000000000..60553840c17
--- /dev/null
+++ b/db/migrate/20240415190848_index_identities_on_provider.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class IndexIdentitiesOnProvider < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ disable_ddl_transaction!
+
+ INDEX_NAME = 'index_identities_on_provider'
+
+ def up
+ add_concurrent_index :identities, :provider, name: INDEX_NAME
+ end
+
+ def down
+ remove_concurrent_index_by_name :identities, name: INDEX_NAME
+ end
+end
diff --git a/db/migrate/20240419035356_add_project_id_to_workspace_variables.rb b/db/migrate/20240419035356_add_project_id_to_workspace_variables.rb
new file mode 100644
index 00000000000..7616169c0d2
--- /dev/null
+++ b/db/migrate/20240419035356_add_project_id_to_workspace_variables.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddProjectIdToWorkspaceVariables < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ def change
+ add_column :workspace_variables, :project_id, :bigint
+ end
+end
diff --git a/db/migrate/20240419035357_index_workspace_variables_on_project_id.rb b/db/migrate/20240419035357_index_workspace_variables_on_project_id.rb
new file mode 100644
index 00000000000..66a236b4b34
--- /dev/null
+++ b/db/migrate/20240419035357_index_workspace_variables_on_project_id.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class IndexWorkspaceVariablesOnProjectId < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+ disable_ddl_transaction!
+
+ INDEX_NAME = 'index_workspace_variables_on_project_id'
+
+ def up
+ add_concurrent_index :workspace_variables, :project_id, name: INDEX_NAME
+ end
+
+ def down
+ remove_concurrent_index_by_name :workspace_variables, INDEX_NAME
+ end
+end
diff --git a/db/migrate/20240419035358_add_workspace_variables_project_id_fk.rb b/db/migrate/20240419035358_add_workspace_variables_project_id_fk.rb
new file mode 100644
index 00000000000..9229fd1f7c6
--- /dev/null
+++ b/db/migrate/20240419035358_add_workspace_variables_project_id_fk.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class AddWorkspaceVariablesProjectIdFk < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+ disable_ddl_transaction!
+
+ def up
+ add_concurrent_foreign_key :workspace_variables, :projects, column: :project_id, on_delete: :cascade
+ end
+
+ def down
+ with_lock_retries do
+ remove_foreign_key :workspace_variables, column: :project_id
+ end
+ end
+end
diff --git a/db/migrate/20240419085004_create_merge_request_requested_changes.rb b/db/migrate/20240419085004_create_merge_request_requested_changes.rb
new file mode 100644
index 00000000000..e32fd425aae
--- /dev/null
+++ b/db/migrate/20240419085004_create_merge_request_requested_changes.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class CreateMergeRequestRequestedChanges < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ def change
+ create_table :merge_request_requested_changes do |t|
+ t.bigint :project_id, null: false
+ t.bigint :user_id, null: false
+ t.bigint :merge_request_id, null: false
+
+ t.timestamps_with_timezone null: false
+
+ t.index :project_id
+ t.index :user_id
+ t.index :merge_request_id
+ end
+ end
+end
diff --git a/db/post_migrate/20240419035359_add_workspace_variables_project_id_trigger.rb b/db/post_migrate/20240419035359_add_workspace_variables_project_id_trigger.rb
new file mode 100644
index 00000000000..7702bf1d9e8
--- /dev/null
+++ b/db/post_migrate/20240419035359_add_workspace_variables_project_id_trigger.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class AddWorkspaceVariablesProjectIdTrigger < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ def up
+ install_sharding_key_assignment_trigger(
+ table: :workspace_variables,
+ sharding_key: :project_id,
+ parent_table: :workspaces,
+ parent_sharding_key: :project_id,
+ foreign_key: :workspace_id
+ )
+ end
+
+ def down
+ remove_sharding_key_assignment_trigger(
+ table: :workspace_variables,
+ sharding_key: :project_id,
+ parent_table: :workspaces,
+ parent_sharding_key: :project_id,
+ foreign_key: :workspace_id
+ )
+ end
+end
diff --git a/db/post_migrate/20240419035360_queue_backfill_workspace_variables_project_id.rb b/db/post_migrate/20240419035360_queue_backfill_workspace_variables_project_id.rb
new file mode 100644
index 00000000000..b735a769eab
--- /dev/null
+++ b/db/post_migrate/20240419035360_queue_backfill_workspace_variables_project_id.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+class QueueBackfillWorkspaceVariablesProjectId < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+ restrict_gitlab_migration gitlab_schema: :gitlab_main_cell
+
+ MIGRATION = "BackfillWorkspaceVariablesProjectId"
+ DELAY_INTERVAL = 2.minutes
+ BATCH_SIZE = 1000
+ SUB_BATCH_SIZE = 100
+
+ def up
+ queue_batched_background_migration(
+ MIGRATION,
+ :workspace_variables,
+ :id,
+ :project_id,
+ :workspaces,
+ :project_id,
+ :workspace_id,
+ job_interval: DELAY_INTERVAL,
+ batch_size: BATCH_SIZE,
+ sub_batch_size: SUB_BATCH_SIZE
+ )
+ end
+
+ def down
+ delete_batched_background_migration(
+ MIGRATION,
+ :workspace_variables,
+ :id,
+ [
+ :project_id,
+ :workspaces,
+ :project_id,
+ :workspace_id
+ ]
+ )
+ end
+end
diff --git a/db/post_migrate/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities.rb b/db/post_migrate/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities.rb
new file mode 100644
index 00000000000..9be3f89235c
--- /dev/null
+++ b/db/post_migrate/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class SetTrustedExternUidToFalseForExistingBitbucketIdentities < Gitlab::Database::Migration[2.2]
+ restrict_gitlab_migration gitlab_schema: :gitlab_main_clusterwide
+
+ milestone '17.0'
+
+ disable_ddl_transaction!
+
+ BATCH_SIZE = 1000
+
+ def up
+ define_batchable_model('identities').where(provider: 'bitbucket').each_batch(of: BATCH_SIZE) do |batch|
+ batch.update_all(trusted_extern_uid: false)
+ end
+ end
+end
diff --git a/db/schema_migrations/20240405090000 b/db/schema_migrations/20240405090000
new file mode 100644
index 00000000000..42e1ac97298
--- /dev/null
+++ b/db/schema_migrations/20240405090000
@@ -0,0 +1 @@
+1f79208f10eac682970b91dd12159c9c7446fab637409d2f62dc91231af1dd13
\ No newline at end of file
diff --git a/db/schema_migrations/20240405090010 b/db/schema_migrations/20240405090010
new file mode 100644
index 00000000000..3b93267c8f9
--- /dev/null
+++ b/db/schema_migrations/20240405090010
@@ -0,0 +1 @@
+c84be5380fb2c1e90aabd987b8a7c020ec17405a8d0b97f0ca44e4ea724b7c6d
\ No newline at end of file
diff --git a/db/schema_migrations/20240415184907 b/db/schema_migrations/20240415184907
new file mode 100644
index 00000000000..bb000eeb996
--- /dev/null
+++ b/db/schema_migrations/20240415184907
@@ -0,0 +1 @@
+66b22a6c730d44535b321e0dd626c1b47fa3206ff811acd16007e9587a4c5d65
\ No newline at end of file
diff --git a/db/schema_migrations/20240415190848 b/db/schema_migrations/20240415190848
new file mode 100644
index 00000000000..d7c525ca496
--- /dev/null
+++ b/db/schema_migrations/20240415190848
@@ -0,0 +1 @@
+8e74960909f458e3500f3857a4154b4b930dc21d4f5c1d7916f321f197220ba6
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035356 b/db/schema_migrations/20240419035356
new file mode 100644
index 00000000000..55a4f207a17
--- /dev/null
+++ b/db/schema_migrations/20240419035356
@@ -0,0 +1 @@
+a1f5f62a9782df2887fea2f8f1bccca6759e9da59d9a2778d6e7d09fc998d690
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035357 b/db/schema_migrations/20240419035357
new file mode 100644
index 00000000000..9c33231778a
--- /dev/null
+++ b/db/schema_migrations/20240419035357
@@ -0,0 +1 @@
+ae763de6e4f8d746dce6d4c5d1aa68b1e756bbd0488d2ad705c016ecc7c04fcd
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035358 b/db/schema_migrations/20240419035358
new file mode 100644
index 00000000000..f79680cb39c
--- /dev/null
+++ b/db/schema_migrations/20240419035358
@@ -0,0 +1 @@
+1867e85e95b2def01e9fc4ef4209e64f7afd5e71a1378a0024dadc3715cc07aa
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035359 b/db/schema_migrations/20240419035359
new file mode 100644
index 00000000000..7c45f82c416
--- /dev/null
+++ b/db/schema_migrations/20240419035359
@@ -0,0 +1 @@
+0ed31058286c68932a683e6072002fd5fe6a4d785c113db22028262aafc47c86
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035360 b/db/schema_migrations/20240419035360
new file mode 100644
index 00000000000..a8912146466
--- /dev/null
+++ b/db/schema_migrations/20240419035360
@@ -0,0 +1 @@
+6f571972797eee34572944fb18ecf389d97c5880838b9c3c0ccf7ebbe5937f1d
\ No newline at end of file
diff --git a/db/schema_migrations/20240419085004 b/db/schema_migrations/20240419085004
new file mode 100644
index 00000000000..4b65832cf5d
--- /dev/null
+++ b/db/schema_migrations/20240419085004
@@ -0,0 +1 @@
+a845ee1d6e023d976f526e76d2d690ec2a168d8975eda3edb5a1e9932d26c16c
\ No newline at end of file
diff --git a/db/schema_migrations/20240419140530 b/db/schema_migrations/20240419140530
new file mode 100644
index 00000000000..37f6a20d23c
--- /dev/null
+++ b/db/schema_migrations/20240419140530
@@ -0,0 +1 @@
+cab7740141a0b515fbaf0c6e38c3d2aea4ac5ff765a2978ccd89f4274d44c1d1
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index be87a452f0d..904f9229def 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -695,6 +695,22 @@ BEGIN
END;
$$;
+CREATE FUNCTION trigger_56d49f4ed623() RETURNS trigger
+ LANGUAGE plpgsql
+ AS $$
+BEGIN
+IF NEW."project_id" IS NULL THEN
+ SELECT "project_id"
+ INTO NEW."project_id"
+ FROM "workspaces"
+ WHERE "workspaces"."id" = NEW."workspace_id";
+END IF;
+
+RETURN NEW;
+
+END
+$$;
+
CREATE FUNCTION trigger_94514aeadc50() RETURNS trigger
LANGUAGE plpgsql
AS $$
@@ -4319,6 +4335,7 @@ CREATE TABLE application_settings (
include_optional_metrics_in_service_ping boolean DEFAULT true NOT NULL,
zoekt_settings jsonb DEFAULT '{}'::jsonb NOT NULL,
service_ping_settings jsonb DEFAULT '{}'::jsonb NOT NULL,
+ rate_limits_unauthenticated_git_http jsonb DEFAULT '{}'::jsonb NOT NULL,
CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
CONSTRAINT app_settings_container_registry_pre_import_tags_rate_positive CHECK ((container_registry_pre_import_tags_rate >= (0)::numeric)),
CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)),
@@ -4371,6 +4388,7 @@ CREATE TABLE application_settings (
CONSTRAINT check_app_settings_sentry_clientside_traces_sample_rate_range CHECK (((sentry_clientside_traces_sample_rate >= (0)::double precision) AND (sentry_clientside_traces_sample_rate <= (1)::double precision))),
CONSTRAINT check_application_settings_clickhouse_is_hash CHECK ((jsonb_typeof(clickhouse) = 'object'::text)),
CONSTRAINT check_application_settings_rate_limits_is_hash CHECK ((jsonb_typeof(rate_limits) = 'object'::text)),
+ CONSTRAINT check_application_settings_rate_limits_unauth_git_http_is_hash CHECK ((jsonb_typeof(rate_limits_unauthenticated_git_http) = 'object'::text)),
CONSTRAINT check_application_settings_service_ping_settings_is_hash CHECK ((jsonb_typeof(service_ping_settings) = 'object'::text)),
CONSTRAINT check_b8c74ea5b3 CHECK ((char_length(deactivation_email_additional_text) <= 1000)),
CONSTRAINT check_cdfbd99405 CHECK ((char_length(security_txt_content) <= 2048)),
@@ -9764,7 +9782,8 @@ CREATE TABLE identities (
created_at timestamp without time zone,
updated_at timestamp without time zone,
secondary_extern_uid character varying,
- saml_provider_id integer
+ saml_provider_id integer,
+ trusted_extern_uid boolean DEFAULT true
);
CREATE SEQUENCE identities_id_seq
@@ -11250,6 +11269,24 @@ CREATE SEQUENCE merge_request_predictions_merge_request_id_seq
ALTER SEQUENCE merge_request_predictions_merge_request_id_seq OWNED BY merge_request_predictions.merge_request_id;
+CREATE TABLE merge_request_requested_changes (
+ id bigint NOT NULL,
+ project_id bigint NOT NULL,
+ user_id bigint NOT NULL,
+ merge_request_id bigint NOT NULL,
+ created_at timestamp with time zone NOT NULL,
+ updated_at timestamp with time zone NOT NULL
+);
+
+CREATE SEQUENCE merge_request_requested_changes_id_seq
+ START WITH 1
+ INCREMENT BY 1
+ NO MINVALUE
+ NO MAXVALUE
+ CACHE 1;
+
+ALTER SEQUENCE merge_request_requested_changes_id_seq OWNED BY merge_request_requested_changes.id;
+
CREATE TABLE merge_request_review_llm_summaries (
id bigint NOT NULL,
user_id bigint,
@@ -18123,6 +18160,7 @@ CREATE TABLE workspace_variables (
key text NOT NULL,
encrypted_value bytea NOT NULL,
encrypted_value_iv bytea NOT NULL,
+ project_id bigint,
CONSTRAINT check_5545042100 CHECK ((char_length(key) <= 255))
);
@@ -19403,6 +19441,8 @@ ALTER TABLE ONLY merge_request_metrics ALTER COLUMN id SET DEFAULT nextval('merg
ALTER TABLE ONLY merge_request_predictions ALTER COLUMN merge_request_id SET DEFAULT nextval('merge_request_predictions_merge_request_id_seq'::regclass);
+ALTER TABLE ONLY merge_request_requested_changes ALTER COLUMN id SET DEFAULT nextval('merge_request_requested_changes_id_seq'::regclass);
+
ALTER TABLE ONLY merge_request_review_llm_summaries ALTER COLUMN id SET DEFAULT nextval('merge_request_review_llm_summaries_id_seq'::regclass);
ALTER TABLE ONLY merge_request_reviewers ALTER COLUMN id SET DEFAULT nextval('merge_request_reviewers_id_seq'::regclass);
@@ -21650,6 +21690,9 @@ ALTER TABLE ONLY merge_request_metrics
ALTER TABLE ONLY merge_request_predictions
ADD CONSTRAINT merge_request_predictions_pkey PRIMARY KEY (merge_request_id);
+ALTER TABLE ONLY merge_request_requested_changes
+ ADD CONSTRAINT merge_request_requested_changes_pkey PRIMARY KEY (id);
+
ALTER TABLE ONLY merge_request_review_llm_summaries
ADD CONSTRAINT merge_request_review_llm_summaries_pkey PRIMARY KEY (id);
@@ -25656,6 +25699,8 @@ CREATE INDEX index_historical_data_on_recorded_at ON historical_data USING btree
CREATE UNIQUE INDEX index_http_integrations_on_project_and_endpoint ON alert_management_http_integrations USING btree (project_id, endpoint_identifier);
+CREATE INDEX index_identities_on_provider ON identities USING btree (provider);
+
CREATE INDEX index_identities_on_saml_provider_id ON identities USING btree (saml_provider_id) WHERE (saml_provider_id IS NOT NULL);
CREATE INDEX index_identities_on_user_id ON identities USING btree (user_id);
@@ -26068,6 +26113,12 @@ CREATE INDEX index_merge_request_metrics_on_merged_at ON merge_request_metrics U
CREATE INDEX index_merge_request_metrics_on_pipeline_id ON merge_request_metrics USING btree (pipeline_id);
+CREATE INDEX index_merge_request_requested_changes_on_merge_request_id ON merge_request_requested_changes USING btree (merge_request_id);
+
+CREATE INDEX index_merge_request_requested_changes_on_project_id ON merge_request_requested_changes USING btree (project_id);
+
+CREATE INDEX index_merge_request_requested_changes_on_user_id ON merge_request_requested_changes USING btree (user_id);
+
CREATE INDEX index_merge_request_review_llm_summaries_on_mr_diff_id ON merge_request_review_llm_summaries USING btree (merge_request_diff_id);
CREATE INDEX index_merge_request_review_llm_summaries_on_review_id ON merge_request_review_llm_summaries USING btree (review_id);
@@ -27838,6 +27889,8 @@ CREATE UNIQUE INDEX index_work_item_widget_definitions_on_namespace_type_and_nam
CREATE INDEX index_work_item_widget_definitions_on_work_item_type_id ON work_item_widget_definitions USING btree (work_item_type_id);
+CREATE INDEX index_workspace_variables_on_project_id ON workspace_variables USING btree (project_id);
+
CREATE INDEX index_workspace_variables_on_workspace_id ON workspace_variables USING btree (workspace_id);
CREATE INDEX index_workspaces_on_cluster_agent_id ON workspaces USING btree (cluster_agent_id);
@@ -29722,6 +29775,8 @@ CREATE TRIGGER trigger_3857ca5ea4af BEFORE INSERT OR UPDATE ON merge_trains FOR
CREATE TRIGGER trigger_388e93f88fdd BEFORE INSERT OR UPDATE ON packages_build_infos FOR EACH ROW EXECUTE FUNCTION trigger_388e93f88fdd();
+CREATE TRIGGER trigger_56d49f4ed623 BEFORE INSERT OR UPDATE ON workspace_variables FOR EACH ROW EXECUTE FUNCTION trigger_56d49f4ed623();
+
CREATE TRIGGER trigger_94514aeadc50 BEFORE INSERT OR UPDATE ON deployment_approvals FOR EACH ROW EXECUTE FUNCTION trigger_94514aeadc50();
CREATE TRIGGER trigger_b2d852e1e2cb BEFORE INSERT OR UPDATE ON ci_pipelines FOR EACH ROW EXECUTE FUNCTION trigger_b2d852e1e2cb();
@@ -30091,6 +30146,9 @@ ALTER TABLE ONLY todos
ALTER TABLE ONLY releases
ADD CONSTRAINT fk_47fe2a0596 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
+ALTER TABLE ONLY workspace_variables
+ ADD CONSTRAINT fk_494e093520 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
+
ALTER TABLE ONLY geo_event_log
ADD CONSTRAINT fk_4a99ebfd60 FOREIGN KEY (repositories_changed_event_id) REFERENCES geo_repositories_changed_events(id) ON DELETE CASCADE;
diff --git a/doc/administration/job_artifacts.md b/doc/administration/job_artifacts.md
index 17a1a87df5e..ada4dcdb31c 100644
--- a/doc/administration/job_artifacts.md
+++ b/doc/administration/job_artifacts.md
@@ -177,8 +177,7 @@ WARNING:
In a multi-server setup you must use one of the options to
[eliminate local disk usage for job logs](job_logs.md#prevent-local-disk-usage), or job logs could be lost.
-In GitLab 13.2 and later, you should use the
-[consolidated object storage settings](object_storage.md#configure-a-single-storage-connection-for-all-object-types-consolidated-form).
+You should use the [consolidated object storage settings](object_storage.md#configure-a-single-storage-connection-for-all-object-types-consolidated-form).
### Migrating to object storage
diff --git a/doc/administration/job_artifacts_troubleshooting.md b/doc/administration/job_artifacts_troubleshooting.md
index 17797a15702..fb66aac7a86 100644
--- a/doc/administration/job_artifacts_troubleshooting.md
+++ b/doc/administration/job_artifacts_troubleshooting.md
@@ -23,8 +23,7 @@ reasons are:
- Artifact files might be left on disk and not deleted by housekeeping. Run the
[Rake task for _orphaned_ artifact files](../raketasks/cleanup.md#remove-orphan-artifact-files)
to remove these. This script should always find work to do, as it also removes empty directories (see above).
-- [Artifact housekeeping was changed significantly](#housekeeping-disabled-in-gitlab-146-to-152),
- and you might need to enable a feature flag to use the updated system.
+- [Artifact housekeeping was changed significantly](#housekeeping-disabled-in-gitlab-150-to-152), and you might need to enable a feature flag to use the updated system.
- The [keep latest artifacts from most recent success jobs](../ci/jobs/job_artifacts.md#keep-artifacts-from-most-recent-successful-jobs)
feature is enabled.
@@ -37,15 +36,11 @@ space, and in some cases, manually delete job artifacts to reclaim disk space.
Artifacts housekeeping is the process that identifies which artifacts are expired
and can be deleted.
-#### Housekeeping disabled in GitLab 14.6 to 15.2
+#### Housekeeping disabled in GitLab 15.0 to 15.2
-Artifact housekeeping was disabled in GitLab 14.6. It was significantly improved
-in GitLab 14.10, and the changes were back ported to patch versions of GitLab 14.6 and later,
-introduced behind [feature flags](feature_flags.md) disabled by default. The flags were
-enabled by default [in GitLab 15.3](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92931).
+Artifact housekeeping was significantly improved in GitLab 15.0, introduced behind [feature flags](feature_flags.md) disabled by default. The flags were enabled by default [in GitLab 15.3](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92931).
-If artifacts housekeeping does not seem to be working in GitLab 14.6 to GitLab 15.2,
-you should check if the feature flags are enabled.
+If artifacts housekeeping does not seem to be working in GitLab 15.0 to GitLab 15.2, you should check if the feature flags are enabled.
To check if the feature flags are enabled:
@@ -53,21 +48,11 @@ To check if the feature flags are enabled:
1. Check if the feature flags are enabled.
- - GitLab 14.10 and earlier:
-
- ```ruby
- Feature.enabled?(:ci_detect_wrongly_expired_artifacts, default_enabled: :yaml)
- Feature.enabled?(:ci_update_unlocked_job_artifacts, default_enabled: :yaml)
- Feature.enabled?(:ci_job_artifacts_backlog_work, default_enabled: :yaml)
- ```
-
- - GitLab 15.0 and later:
-
- ```ruby
- Feature.enabled?(:ci_detect_wrongly_expired_artifacts)
- Feature.enabled?(:ci_update_unlocked_job_artifacts)
- Feature.enabled?(:ci_job_artifacts_backlog_work)
- ```
+ ```ruby
+ Feature.enabled?(:ci_detect_wrongly_expired_artifacts)
+ Feature.enabled?(:ci_update_unlocked_job_artifacts)
+ Feature.enabled?(:ci_job_artifacts_backlog_work)
+ ```
1. If any of the feature flags are disabled, enable them:
@@ -154,23 +139,15 @@ GitLab 15.3 and later. It analyzes the artifacts returned by the above database
determines which should be `locked` or `unlocked`. Artifacts are then deleted
by that worker if needed.
-The worker can be enabled on self-managed instances running GitLab 14.10 and later:
+The worker can be enabled on self-managed instances:
1. Start a [Rails console](operations/rails_console.md#starting-a-rails-console-session).
1. Check if the feature is enabled.
-
- - GitLab 14.10:
-
- ```ruby
- Feature.enabled?(:ci_job_artifacts_backlog_work, default_enabled: :yaml)
- ```
-
- - GitLab 15.0 and later:
-
- ```ruby
- Feature.enabled?(:ci_job_artifacts_backlog_work)
- ```
+
+ ```ruby
+ Feature.enabled?(:ci_job_artifacts_backlog_work)
+ ```
1. Enable the feature, if needed:
@@ -429,8 +406,6 @@ For more information, [see the investigation details](https://gitlab.com/gitlab-
## Usage quota shows incorrect artifact storage usage
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/238536) in GitLab 14.10.
-
Sometimes the [artifacts storage usage](../user/usage_quotas.md) displays an incorrect
value for the total storage space used by artifacts. To recalculate the artifact
usage statistics for all projects in the instance, you can run this background script:
diff --git a/doc/administration/pages/index.md b/doc/administration/pages/index.md
index 2e6915f2409..3d499c78789 100644
--- a/doc/administration/pages/index.md
+++ b/doc/administration/pages/index.md
@@ -119,28 +119,25 @@ If you need support for namespace in the URL path to remove the requirement for
1. Enable the GitLab Pages flag for this feature by adding
`gitlab_pages["namespace_in_path"] = true` to `/etc/gitlab/gitlab.rb`.
-1. In your DNS provider, add entries for `example.io` and `projects.example.io`.
- In both lines, replace `example.io` with your domain name, and `192.0.0.0` with
+1. In your DNS provider, add entries for `example.io`.
+ Replace `example.io` with your domain name, and `192.0.0.0` with
the IPv4 version of your IP address. The entries look like this:
```plaintext
example.io 1800 IN A 192.0.0.0
- projects.example.io 1800 IN A 192.0.0.0
```
1. Optional. If your GitLab instance has an IPv6 address, add entries for it.
- In both lines, replace `example.io` with your domain name, and `2001:db8::1` with
+ Replace `example.io` with your domain name, and `2001:db8::1` with
the IPv6 version of your IP address. The entries look like this:
```plaintext
example.io 1800 IN AAAA 2001:db8::1
- projects.example.io 1800 IN AAAA 2001:db8::1
```
This example contains the following:
- `example.io`: The domain GitLab Pages is served from.
-- `projects.example.io`: An additional subdomain for GitLab Pages default authentication flow.
#### DNS configuration for custom domains
@@ -306,8 +303,7 @@ Prerequisites:
- Your instance must use the Linux package installation method.
- You have configured DNS setup
[without a wildcard](#for-namespace-in-url-path-without-wildcard-dns).
-- You have a single TLS certificate that covers your domain (like `example.io`)
- and the `projects.*` version of your domain, like `projects.example.io`.
+- You have a TLS certificate that covers your domain (like `example.io`).
In this configuration, NGINX proxies all requests to the daemon. The GitLab Pages
daemon doesn't listen to the outside world:
@@ -337,17 +333,18 @@ daemon doesn't listen to the outside world:
pages_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/pages-nginx.key"
```
-1. [Reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation).
+1. If you're using [Pages Access Control](#access-control), update the redirect URI in the GitLab Pages
+ [System OAuth application](../../integration/oauth_provider.md#create-an-instance-wide-application)
+ to use the HTTPS protocol.
WARNING:
- GitLab Pages does not update the OAuth application if changes are made to the redirect URI.
+ GitLab Pages does not update the OAuth application, and
+ the default `auth_redirect_uri` is updated to `https://example.io/projects/auth`.
Before you reconfigure, remove the `gitlab_pages` section from `/etc/gitlab/gitlab-secrets.json`,
then run `gitlab-ctl reconfigure`. For more information, see
[GitLab Pages does not regenerate OAuth](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/3947).
-1. If you're using [Pages Access Control](#access-control), update the redirect URI in the GitLab Pages
- [System OAuth application](../../integration/oauth_provider.md#create-an-instance-wide-application)
- to use the HTTPS protocol.
+1. [Reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation).
NGINX uses the custom proxy header `X-Gitlab-Namespace-In-Path`
to send the namespace to the GitLab Pages daemon.
diff --git a/doc/administration/settings/git_http_rate_limits.md b/doc/administration/settings/git_http_rate_limits.md
new file mode 100644
index 00000000000..751e41eec9b
--- /dev/null
+++ b/doc/administration/settings/git_http_rate_limits.md
@@ -0,0 +1,41 @@
+---
+stage: Create
+group: Source Code
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# Rate limits on Git HTTP
+
+DETAILS:
+**Tier:** Free, Premium, Ultimate
+**Offering:** Self-managed, GitLab Dedicated
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147112) in GitLab 17.0.
+
+If you use Git HTTP in your repository,
+common Git operations can generate many Git HTTP requests.
+Some of these Git HTTP requests do not contain authentication parameter and
+are considered unauthenticated. You can enforce rate limits on Git HTTP requests.
+This can improve the security and durability of your web application.
+[General user and IP rate limits](../settings/user_and_ip_rate_limits.md) aren't applied
+to Git HTTP requests.
+
+## Configure Git HTTP rate limits
+
+Git HTTP rate limits are disabled by default. If enabled and configured, these limits
+are applied to Git HTTP requests.
+
+To configure Git HTTP rate limits:
+
+1. On the left sidebar, at the bottom, select **Admin Area**.
+1. Select **Settings > Network**.
+1. Expand **Git HTTP rate limits**.
+1. Select **Enable unauthenticated Git HTTP request rate limit**.
+1. Enter a value for **Max unauthenticated Git HTTP requests per period per user**.
+1. Enter a value for **Unauthenticated Git HTTP rate limit period in seconds**.
+1. Select **Save changes**.
+
+## Related topics
+
+- [Rate limiting](../../security/rate_limits.md)
+- [User and IP rate limits](../settings/user_and_ip_rate_limits.md)
diff --git a/doc/administration/settings/rate_limits.md b/doc/administration/settings/rate_limits.md
index 89e64344e0c..3bcd47ebdc3 100644
--- a/doc/administration/settings/rate_limits.md
+++ b/doc/administration/settings/rate_limits.md
@@ -9,6 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
You can change network settings to limit the rate of connections with your instance.
- [Deprecated API rate limits](deprecated_api_rate_limits.md)
+- [Git HTTP](git_http_rate_limits.md)
- [Git LFS](git_lfs_rate_limits.md)
- [Git SSH operations](rate_limits_on_git_ssh_operations.md)
- [Incident management](incident_management_rate_limits.md)
diff --git a/doc/api/dependencies.md b/doc/api/dependencies.md
index a1f7ee97200..4d0c12de47a 100644
--- a/doc/api/dependencies.md
+++ b/doc/api/dependencies.md
@@ -15,9 +15,6 @@ This API is in an [Experiment](../policy/experiment-beta-support.md#experiment)
The response payload may be subject to change or breakage
across GitLab releases.
-> - Introduced in GitLab 12.1.
-> - Pagination introduced in 14.4.
-
Every call to this endpoint requires authentication. To perform this call, user should be authorized to read repository.
To see vulnerabilities in response, user should be authorized to read
[Project Security Dashboard](../user/application_security/security_dashboard/index.md).
diff --git a/doc/api/job_artifacts.md b/doc/api/job_artifacts.md
index 10c923c0498..f75cba3008a 100644
--- a/doc/api/job_artifacts.md
+++ b/doc/api/job_artifacts.md
@@ -316,9 +316,6 @@ If the artifacts were deleted successfully, a response with status `204 No Conte
## Delete project artifacts
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/223793) in GitLab 14.7 [with a flag](../administration/feature_flags.md) named `bulk_expire_project_artifacts`. Enabled by default on GitLab self-managed. Enabled on GitLab.com.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/350609) in GitLab 14.10.
-
Delete artifacts eligible for deletion in a project. By default, artifacts from
[the most recent successful pipeline of each ref](../ci/jobs/job_artifacts.md#keep-artifacts-from-most-recent-successful-jobs)
are not deleted.
diff --git a/doc/api/project_level_variables.md b/doc/api/project_level_variables.md
index 5753381bf29..4d6ae96921f 100644
--- a/doc/api/project_level_variables.md
+++ b/doc/api/project_level_variables.md
@@ -184,9 +184,6 @@ curl --request DELETE --header "PRIVATE-TOKEN: " "https://git
## The `filter` parameter
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/34490) in GitLab 13.2.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/227052) in GitLab 13.4.
-
When multiple variables have the same `key`, [GET](#get-a-single-variable), [PUT](#update-a-variable),
or [DELETE](#delete-a-variable) requests might return:
diff --git a/doc/api/releases/index.md b/doc/api/releases/index.md
index b424ac8bef6..59e377e5961 100644
--- a/doc/api/releases/index.md
+++ b/doc/api/releases/index.md
@@ -416,7 +416,6 @@ GET /projects/:id/releases/:tag_name/downloads/:direct_asset_path
|----------------------------| -------------- | -------- | ----------------------------------------------------------------------------------- |
| `id` | integer/string | yes | The ID or [URL-encoded path of the project](../rest/index.md#namespaced-path-encoding). |
| `tag_name` | string | yes | The Git tag the release is associated with. |
-| `filepath` | string | yes | Deprecated: Use `direct_asset_path` instead. |
| `direct_asset_path` | string | yes | Path to the release asset file as specified when [creating](links.md#create-a-release-link) or [updating](links.md#update-a-release-link) its link. |
Example request:
@@ -476,7 +475,6 @@ POST /projects/:id/releases
| `assets:links` | array of hash | no | An array of assets links. |
| `assets:links:name`| string | required by: `assets:links` | The name of the link. Link names must be unique within the release. |
| `assets:links:url` | string | required by: `assets:links` | The URL of the link. Link URLs must be unique within the release. |
-| `assets:links:filepath` | string | no | Deprecated: Use `direct_asset_path` instead. |
| `assets:links:direct_asset_path` | string | no | Optional path for a [direct asset link](../../user/project/releases/release_fields.md#permanent-links-to-release-assets). |
| `assets:links:link_type` | string | no | The type of the link: `other`, `runbook`, `image`, `package`. Defaults to `other`. |
| `released_at` | datetime | no | Date and time for the release. Defaults to the current time. Expected in ISO 8601 format (`2019-03-15T08:00:00Z`). Only provide this field if creating an [upcoming](../../user/project/releases/index.md#upcoming-releases) or [historical](../../user/project/releases/index.md#historical-releases) release. |
diff --git a/doc/api/releases/links.md b/doc/api/releases/links.md
index 3967730f25a..9fec47cfb5d 100644
--- a/doc/api/releases/links.md
+++ b/doc/api/releases/links.md
@@ -100,7 +100,6 @@ POST /projects/:id/releases/:tag_name/assets/links
| `tag_name` | string | yes | The tag associated with the Release. |
| `name` | string | yes | The name of the link. Link names must be unique in the release. |
| `url` | string | yes | The URL of the link. Link URLs must be unique in the release. |
-| `filepath` | string | no | Deprecated: Use `direct_asset_path` instead. |
| `direct_asset_path` | string | no | Optional path for a [direct asset link](../../user/project/releases/release_fields.md#permanent-links-to-release-assets). |
| `link_type` | string | no | The type of the link: `other`, `runbook`, `image`, `package`. Defaults to `other`. |
@@ -142,7 +141,6 @@ PUT /projects/:id/releases/:tag_name/assets/links/:link_id
| `link_id` | integer | yes | The ID of the link. |
| `name` | string | no | The name of the link. |
| `url` | string | no | The URL of the link. |
-| `filepath` | string | no | Deprecated: Use `direct_asset_path` instead. |
| `direct_asset_path` | string | no | Optional path for a [direct asset link](../../user/project/releases/release_fields.md#permanent-links-to-release-assets). |
| `link_type` | string | no | The type of the link: `other`, `runbook`, `image`, `package`. Defaults to `other`. |
diff --git a/doc/api/secure_files.md b/doc/api/secure_files.md
index caa3253afcd..091be69088e 100644
--- a/doc/api/secure_files.md
+++ b/doc/api/secure_files.md
@@ -10,7 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78227) in GitLab 14.8 [with a flag](../administration/feature_flags.md) named `ci_secure_files`. Disabled by default.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/350748) in GitLab 15.7. Feature flag `ci_secure_files` removed.
This feature is part of [Mobile DevOps](../ci/mobile_devops.md) developed by [GitLab Incubation Engineering](https://handbook.gitlab.com/handbook/engineering/development/incubation/).
diff --git a/doc/ci/cloud_services/index.md b/doc/ci/cloud_services/index.md
index 85afd7e488e..eb02b3d1978 100644
--- a/doc/ci/cloud_services/index.md
+++ b/doc/ci/cloud_services/index.md
@@ -10,8 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - `CI_JOB_JWT` variable for reading secrets from Vault [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/207125) in GitLab 12.10.
-> - `CI_JOB_JWT_V2` variable to support additional OIDC providers [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/346737) in GitLab 14.7.
> - [ID tokens](../yaml/index.md#id_tokens) to support any OIDC provider, including HashiCorp Vault, [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/356986) in GitLab 15.7.
WARNING:
@@ -24,8 +22,7 @@ Historically, teams stored secrets in projects or applied permissions on the Git
instance to build and deploy. OIDC capable [ID tokens](../yaml/index.md#id_tokens) are configurable
in the CI/CD job allowing you to follow a scalable and least-privilege security approach.
-In GitLab 15.6 and earlier, you must use `CI_JOB_JWT_V2` instead of an ID token,
-but it is not customizable. In GitLab 14.6 an earlier you must use the `CI_JOB_JWT`, which has limited support.
+In GitLab 15.6 and earlier, you must use `CI_JOB_JWT_V2` instead of an ID token, but it is not customizable.
## Prerequisites
diff --git a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
index a4ffff7c6e5..f051b9795cf 100644
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -58,9 +58,9 @@ The following fields are included in the JWT:
| `ref_type` | Always | Git ref type, either `branch` or `tag` |
| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
| `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise |
-| `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
+| `environment` | Job specifies an environment | Environment this job specifies |
| `groups_direct` | User is a direct member of 0 to 200 groups | The paths of the user's direct membership groups. Omitted if the user is a direct member of more than 200 groups. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/435848) in GitLab 16.11). |
-| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
+| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise |
| `deployment_tier` | Job specifies an environment | [Deployment tier](../../environments/index.md#deployment-tier-of-environments) of environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2) |
| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) |
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md
index 46846bac132..7dea2a5e529 100644
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -187,10 +187,6 @@ proposes to change this behavior.
## Limit your project's job token access (deprecated)
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1. [Deployed behind the `:ci_scoped_job_token` feature flag](../../user/feature_flags.md), disabled by default.
-> - [Enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/332272) in GitLab 14.4.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/332272) in GitLab 14.6.
-
NOTE:
The [**Limit access _from_ this project**](#configure-the-job-token-scope-deprecated)
setting is disabled by default for all new projects and is [scheduled for removal](https://gitlab.com/gitlab-org/gitlab/-/issues/383084)
diff --git a/doc/ci/jobs/job_artifacts.md b/doc/ci/jobs/job_artifacts.md
index 537892bba30..f7c10d3567e 100644
--- a/doc/ci/jobs/job_artifacts.md
+++ b/doc/ci/jobs/job_artifacts.md
@@ -194,7 +194,6 @@ job:
## View all job artifacts in a project
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/31271) in GitLab 12.4 [with a flag](../../administration/feature_flags.md) named `artifacts_management_page`. Disabled by default.
> - [Improved look](https://gitlab.com/gitlab-org/gitlab/-/issues/33418) in GitLab 15.6.
> - [Improved performance](https://gitlab.com/gitlab-org/gitlab/-/issues/387765) in GitLab 15.9.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/407475) in GitLab 16.0. Feature flag `artifacts_management_page` removed.
@@ -362,9 +361,6 @@ With this configuration, GitLab adds **artifact 1** as a link to `file.txt` to t
## Keep artifacts from most recent successful jobs
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/16267) in GitLab 13.0.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/229936) in GitLab 13.4.
-> - [Made optional with a CI/CD setting](https://gitlab.com/gitlab-org/gitlab/-/issues/241026) in GitLab 13.8.
> - Artifacts for [blocked](https://gitlab.com/gitlab-org/gitlab/-/issues/387087) or [failed](https://gitlab.com/gitlab-org/gitlab/-/issues/266958) pipelines no longer kept indefinitely in GitLab 16.7.
By default artifacts are always kept for successful pipelines for the most recent commit on each ref.
diff --git a/doc/ci/secrets/id_token_authentication.md b/doc/ci/secrets/id_token_authentication.md
index 1e5fd29c8ec..09f92d933a8 100644
--- a/doc/ci/secrets/id_token_authentication.md
+++ b/doc/ci/secrets/id_token_authentication.md
@@ -73,8 +73,8 @@ The token also includes custom claims provided by GitLab:
| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
| `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. |
| `groups_direct` | User is a direct member of 0 to 200 groups | The paths of the user's direct membership groups. Omitted if the user is a direct member of more than 200 groups. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/435848) in GitLab 16.11). |
-| `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
-| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
+| `environment` | Job specifies an environment | Environment this job deploys to. |
+| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise. |
| `deployment_tier` | Job specifies an environment | [Deployment tier](../environments/index.md#deployment-tier-of-environments) of the environment the job specifies. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2. |
| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) |
| `runner_id` | Always | ID of the runner executing the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. |
diff --git a/doc/ci/secrets/index.md b/doc/ci/secrets/index.md
index 3f35c7238d7..6342e35b1fb 100644
--- a/doc/ci/secrets/index.md
+++ b/doc/ci/secrets/index.md
@@ -10,10 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/218746) in GitLab 13.4 and GitLab Runner 13.4.
-> - `file` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250695) in GitLab 14.1 and GitLab Runner 14.1.
-> - `VAULT_NAMESPACE` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/255619) in GitLab 14.9 and GitLab Runner 14.9.
-
Secrets represent sensitive information your CI job needs to complete work. This
sensitive information can be items like API tokens, database credentials, or private keys.
Secrets are sourced from your secrets provider.
@@ -125,8 +121,6 @@ DETAILS:
**Tier:** Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/28321) in GitLab 13.4 and GitLab Runner 13.4.
-
After [configuring your Vault server](#configure-your-vault-server), you can use
the secrets stored in Vault by defining them with the [`vault` keyword](../yaml/index.md#secretsvault):
diff --git a/doc/ci/secure_files/index.md b/doc/ci/secure_files/index.md
index 833f5b5037f..763ea4570bf 100644
--- a/doc/ci/secure_files/index.md
+++ b/doc/ci/secure_files/index.md
@@ -10,7 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78227) in GitLab 14.8 [with a flag](../../administration/feature_flags.md) named `ci_secure_files`. Disabled by default.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/350748) in GitLab 15.7. Feature flag `ci_secure_files` removed.
This feature is part of [Mobile DevOps](../mobile_devops.md) developed by [GitLab Incubation Engineering](https://handbook.gitlab.com/handbook/engineering/development/incubation/).
diff --git a/doc/ci/variables/index.md b/doc/ci/variables/index.md
index 619934dc469..1e49880248f 100644
--- a/doc/ci/variables/index.md
+++ b/doc/ci/variables/index.md
@@ -201,9 +201,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/14108) in GitLab 13.0.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/299879) in GitLab 13.11.
-
You can make a CI/CD variable available to all projects and groups in a GitLab instance.
Prerequisites:
@@ -216,9 +213,8 @@ To add an instance variable:
1. Select **Settings > CI/CD** and expand the **Variables** section.
1. Select **Add variable** and fill in the details:
- **Key**: Must be one line, with no spaces, using only letters, numbers, or `_`.
- - **Value**: In [GitLab 13.3 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/220028),
- the value is limited to 10,000 characters, but also bounded by any limits in the
- runner's operating system. In GitLab 13.0 to 13.2, the value is limited to 700 characters.
+ - **Value**: The value is limited to 10,000 characters, but also bounded by any limits in the
+ runner's operating system.
- **Type**: `Variable` (default) or [`File`](#use-file-type-cicd-variables).
- **Protect variable** Optional. If selected, the variable is only available
in pipelines that run on protected branches or tags.
@@ -267,8 +263,6 @@ valid [secrets file](../../administration/backup_restore/troubleshooting_backup_
### Mask a CI/CD variable
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/330650) in GitLab 13.12, the `~` character can be used in masked variables.
-
WARNING:
Masking a CI/CD variable is not a guaranteed way to prevent malicious users from
accessing variable values. The masking feature is "best-effort" and there to
@@ -473,9 +467,6 @@ variables:
### Pass an environment variable to another job
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22638) in GitLab 13.0.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/217834) in GitLab 13.1.
-
You can create a new environment variables in a job, and pass it to another job
in a later stage. These variables cannot be used as CI/CD variables to configure a pipeline,
but they can be used in job scripts.
@@ -712,8 +703,6 @@ can cause the pipeline to behave unexpectedly.
### Restrict who can override variables
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/295234) in GitLab 13.8.
-
You can limit the ability to override variables to only users with the Maintainer role.
When other users try to run a pipeline with overridden variables, they receive the
`Insufficient permissions to set pipeline variables` error message.
@@ -951,9 +940,6 @@ if [[ -d "/builds/gitlab-examples/ci-debug-trace/.git" ]]; then
#### Restrict access to debug logging
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213159) in GitLab 13.7.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/292661) in GitLab 13.8.
-
You can restrict access to debug logging. When restricted, only users with
at least the Developer role
can view job logs when debug logging is enabled with a variable in:
diff --git a/doc/ci/variables/predefined_variables.md b/doc/ci/variables/predefined_variables.md
index f37c7897957..e282c7630e9 100644
--- a/doc/ci/variables/predefined_variables.md
+++ b/doc/ci/variables/predefined_variables.md
@@ -125,7 +125,7 @@ as it can cause the pipeline to behave unexpectedly.
| `CI_RUNNER_EXECUTABLE_ARCH` | Jobs only | all | 10.6 | The OS/architecture of the GitLab Runner executable. Might not be the same as the environment of the executor. |
| `CI_RUNNER_ID` | Jobs only | 8.10 | 0.5 | The unique ID of the runner being used. |
| `CI_RUNNER_REVISION` | Jobs only | all | 10.6 | The revision of the runner running the job. |
-| `CI_RUNNER_SHORT_TOKEN` | Jobs only | all | 12.3 | The runner's unique ID, used to authenticate new job requests. In [GitLab 14.9](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2251) and later, the token contains a prefix, and the first 17 characters are used. Prior to 14.9, the first eight characters are used. |
+| `CI_RUNNER_SHORT_TOKEN` | Jobs only | all | 12.3 | The runner's unique ID, used to authenticate new job requests. The token contains a prefix, and the first 17 characters are used. |
| `CI_RUNNER_TAGS` | Jobs only | 8.10 | 0.5 | A comma-separated list of the runner tags. |
| `CI_RUNNER_VERSION` | Jobs only | all | 10.6 | The version of the GitLab Runner running the job. |
| `CI_SERVER_FQDN` | Pipeline | 16.10 | all | The fully qualified domain name (FQDN) of the instance. For example `gitlab.example.com:8080`. |
diff --git a/doc/ci/variables/where_variables_can_be_used.md b/doc/ci/variables/where_variables_can_be_used.md
index 7389d438ee5..e315def8857 100644
--- a/doc/ci/variables/where_variables_can_be_used.md
+++ b/doc/ci/variables/where_variables_can_be_used.md
@@ -50,7 +50,7 @@ There are two places defined variables can be used. On the:
| [`script`](../yaml/index.md#script) | yes | Script execution shell | The variable expansion is made by the [execution shell environment](#execution-shell-environment). |
| [`services:name`](../yaml/index.md#services) | yes | Runner | The variable expansion is made by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism). |
| [`services`](../yaml/index.md#services) | yes | Runner | The variable expansion is made by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism). |
-| [`tags`](../yaml/index.md#tags) | yes | GitLab | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35742) in GitLab 14.1. |
+| [`tags`](../yaml/index.md#tags) | yes | GitLab | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab. |
| [`trigger` and `trigger:project`](../yaml/index.md#trigger) | yes | GitLab | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab. Variable expansion for `trigger:project` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/367660) in GitLab 15.3. |
| [`variables`](../yaml/index.md#variables) | yes | GitLab/Runner | The variable expansion is first made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab, and then any unrecognized or unavailable variables are expanded by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism). |
| [`workflow:name`](../yaml/index.md#workflowname) | yes | GitLab | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab.
Supported are all variables available in `workflow`:
- Project/Group variables.
- Global `variables` and `workflow:rules:variables` (when matching the rule).
- Variables inherited from parent pipelines.
- Variables from triggers.
- Variables from pipeline schedules.
Not supported are variables defined in the GitLab Runner `config.toml`, variables defined in jobs, or [Persisted variables](#persisted-variables). |
@@ -81,11 +81,6 @@ because the expansion is done in GitLab before any runner gets the job.
#### Nested variable expansion
-- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/48627) in GitLab 13.10. [Deployed behind the `variable_inside_variable` feature flag](../../user/feature_flags.md), disabled by default.
-- [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/297382) in GitLab 14.3.
-- [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/297382) in GitLab 14.4.
-- Feature flag `variable_inside_variable` removed in GitLab 14.5.
-
GitLab expands job variable values recursively before sending them to the runner. For example, in the following scenario:
```yaml
diff --git a/doc/drawers/exact_code_search_syntax.md b/doc/drawers/exact_code_search_syntax.md
index ce4a97f9f87..ff425080ee2 100644
--- a/doc/drawers/exact_code_search_syntax.md
+++ b/doc/drawers/exact_code_search_syntax.md
@@ -7,17 +7,18 @@ source: /doc/user/search/exact_code_search.md
# Search tips
-| Query | Description |
-| -------------------- |-------------------------------------------------------------------------------------- |
-| `foo` | Returns files that contain `foo` |
-| `"class foo"` | Returns files that contain the exact string `class foo` |
-| `class foo` | Returns files that contain both `class` and `foo` |
-| `foo or bar` | Returns files that contain either `foo` or `bar` |
-| `class Foo` | Returns files that contain `class` (case insensitive) and `Foo` (case sensitive) |
-| `class Foo case:yes` | Returns files that contain `class` and `Foo` (both case sensitive) |
-| `foo -bar` | Returns files that contain `foo` but not `bar` |
-| `foo file:js` | Searches for `foo` in files with names that contain `js` |
-| `foo -file:test` | Searches for `foo` in files with names that do not contain `test` |
-| `foo lang:ruby` | Searches for `foo` in Ruby source code |
-| `foo f:\.js$` | Searches for `foo` in files with names that end with `.js` |
-| `foo.*bar` | Searches for strings that match the regular expression `foo.*bar` |
+| Query | Regular expression mode | Exact match mode |
+| -------------------- | ----------------------------------------------------- | ------------------------------ |
+| `"foo"` | `foo` | `"foo"` |
+| `foo file:^doc/` | `foo` in directories that start with `/doc` | `foo` in directories that start with `/doc` |
+| `"class foo"` | `class foo` | `"class foo"` |
+| `class foo` | `class` and `foo` | `class foo` |
+| `foo or bar` | `foo` or `bar` | `foo or bar` |
+| `class Foo` | `class` (case insensitive) and `Foo` (case sensitive) | `class Foo` (case insensitive) |
+| `class Foo case:yes` | `class` and `Foo` (both case sensitive) | `class Foo` (case sensitive) |
+| `foo -bar` | `foo` but not `bar` | `foo -bar` |
+| `foo file:js` | `foo` in files with names that contain `js` | `foo` in files with names that contain `js` |
+| `foo -file:test` | `foo` in files with names that do not contain `test` | `foo` in files with names that do not contain `test` |
+| `foo lang:ruby` | `foo` in Ruby source code | `foo` in Ruby source code |
+| `foo file:\.js$` | `foo` in files with names that end with `.js` | `foo` in files with names that end with `.js` |
+| `foo.*bar` | `foo.*bar` (regular expression) | None |
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index b0626a1147e..7afe9e30511 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -325,6 +325,24 @@ This change is a breaking change. You should [create a runner in the UI](https:/
+### Runner `active` GraphQL fields replaced by `paused`
+
+
+- Announced in GitLab 14.8
+- Removal in GitLab 18.0 ([breaking change](https://docs.gitlab.com/ee/update/terminology.html#breaking-change))
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/351109).
+
+
+Occurrences of the `active` identifier in the GitLab GraphQL API endpoints will be renamed to `paused` in GitLab 18.0:
+
+- The `CiRunner` property.
+- The `RunnerUpdateInput` input type for the `runnerUpdate` mutation.
+- The `runners`, `Group.runners`, and `Project.runners` queries.
+
+
+
+
+
### Running a single database is deprecated
diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index 0304f7ba37c..358e34c8b89 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -200,8 +200,6 @@ Authenticating to a remote registry is not supported when [FIPS mode](../../../d
#### Dependency list
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345434) in GitLab 14.6.
-
The `CS_DISABLE_DEPENDENCY_LIST` CI/CD variable controls whether the scan creates a
[Dependency List](../dependency_list/index.md)
report. This variable is currently only supported when the `trivy` analyzer is used. The variable's default setting of `"false"` causes the scan to create the report. To disable
@@ -220,8 +218,6 @@ container_scanning:
#### Report language-specific findings
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/7277) in GitLab 14.6.
-
The `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` CI/CD variable controls whether the scan reports
findings related to programming languages. The languages supported depend on the
[scanner used](#change-scanners):
@@ -267,15 +263,15 @@ including a large number of false positives.
| `CI_APPLICATION_REPOSITORY` | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` | Docker repository URL for the image to be scanned. | All |
| `CI_APPLICATION_TAG` | `$CI_COMMIT_SHA` | Docker repository tag for the image to be scanned. | All |
| `CS_ANALYZER_IMAGE` | `registry.gitlab.com/security-products/container-scanning:7` | Docker image of the analyzer. | All |
-| `CS_DEFAULT_BRANCH_IMAGE` | `""` | The name of the `CS_IMAGE` on the default branch. See [Setting the default branch image](#setting-the-default-branch-image) for more details. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338877) in GitLab 14.5. | All |
-| `CS_DISABLE_DEPENDENCY_LIST` | `"false"` | Disable Dependency Scanning for packages installed in the scanned image. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345434) in GitLab 14.6. | All |
-| `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` | `"true"` | Disable scanning for language-specific packages installed in the scanned image. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345434) in GitLab 14.6. | All |
+| `CS_DEFAULT_BRANCH_IMAGE` | `""` | The name of the `CS_IMAGE` on the default branch. See [Setting the default branch image](#setting-the-default-branch-image) for more details. | All |
+| `CS_DISABLE_DEPENDENCY_LIST` | `"false"` | Disable Dependency Scanning for packages installed in the scanned image. | All |
+| `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` | `"true"` | Disable scanning for language-specific packages installed in the scanned image. | All |
| `CS_DOCKER_INSECURE` | `"false"` | Allow access to secure Docker registries using HTTPS without validating the certificates. | All |
| `CS_DOCKERFILE_PATH` | `Dockerfile` | The path to the `Dockerfile` to use for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project. You should configure this variable only if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. | All |
| `CS_IGNORE_STATUSES`1 | `""` | Force the analyzer to ignore vulnerability findings with specified statuses in a comma-delimited list. For `trivy`, the following values are allowed: `unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life`. For `grype`, the following values are allowed: `fixed,not-fixed,unknown,wont-fix` | All |
| `CS_IGNORE_UNFIXED` | `"false"` | Ignore vulnerabilities that are not fixed. | All |
| `CS_IMAGE` | `$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG` | The Docker image to be scanned. If set, this variable overrides the `$CI_APPLICATION_REPOSITORY` and `$CI_APPLICATION_TAG` variables. | All |
-| `CS_IMAGE_SUFFIX` | `""` | Suffix added to `CS_ANALYZER_IMAGE`. If set to `-fips`, `FIPS-enabled` image is used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/7630) in GitLab 14.10. | All |
+| `CS_IMAGE_SUFFIX` | `""` | Suffix added to `CS_ANALYZER_IMAGE`. If set to `-fips`, `FIPS-enabled` image is used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. | All |
| `CS_QUIET` | `""` | If set, this variable disables output of the [vulnerabilities table](#container-scanning-job-log-format) in the job log. [Introduced](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/merge_requests/50) in GitLab 15.1. | All |
| `CS_REGISTRY_INSECURE` | `"false"` | Allow access to insecure registries (HTTP only). Should only be set to `true` when testing the image locally. Works with all scanners, but the registry must listen on port `80/tcp` for Trivy to work. | All |
| `CS_REGISTRY_PASSWORD` | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when [FIPS mode](../../../development/fips_compliance.md#enable-fips-mode) is enabled. | All |
@@ -316,8 +312,6 @@ Support depends on which scanner is used:
#### FIPS-enabled images
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5775) in GitLab 14.1.
-
GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
versions of the container-scanning images. You can therefore replace standard images with FIPS-enabled
images. To configure the images, set the `CS_IMAGE_SUFFIX` to `-fips` or modify the `CS_ANALYZER_IMAGE` variable to the
@@ -330,10 +324,8 @@ standard tag plus the `-fips` extension.
| Trivy | `registry.gitlab.com/security-products/container-scanning/trivy:7-fips` |
NOTE:
-Prior to GitLab 15.0, the `-ubi` image extension is also available. GitLab 15.0 and later only
-support `-fips`.
-Starting with GitLab 14.10, `-fips` is automatically added to `CS_ANALYZER_IMAGE` when FIPS mode is
+The `-fips` flag is automatically added to `CS_ANALYZER_IMAGE` when FIPS mode is
enabled in the GitLab instance.
Container scanning of images in authenticated registries is not supported when [FIPS mode](../../../development/fips_compliance.md#enable-fips-mode)
@@ -342,8 +334,6 @@ the analyzer exits with an error and does not perform the scan.
### Enable Container Scanning through an automatic merge request
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6334) in GitLab 14.9.
-
To enable Container Scanning in a project, create a merge request from the Security Configuration
page:
@@ -393,8 +383,6 @@ Do not use the `:latest` tag when selecting the scanner image.
### Setting the default branch image
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338877) in GitLab 14.5.
-
By default, container scanning assumes that the image naming convention stores any branch-specific
identifiers in the image tag rather than the image name. When the image name differs between the
default branch and the non-default branch, previously-detected vulnerabilities show up as newly
diff --git a/doc/user/application_security/dependency_list/index.md b/doc/user/application_security/dependency_list/index.md
index 3a49690e520..c79d6513f87 100644
--- a/doc/user/application_security/dependency_list/index.md
+++ b/doc/user/application_security/dependency_list/index.md
@@ -10,7 +10,6 @@ DETAILS:
**Tier:** Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - System dependencies [introduced](https://gitlab.com/groups/gitlab-org/-/epics/6698) in GitLab 14.6.
> - Group-level dependency list [introduced](https://gitlab.com/groups/gitlab-org/-/epics/8090) in GitLab 16.2 [with a flag](../../../administration/feature_flags.md) named `group_level_dependencies`. Disabled by default.
> - Group-level dependency list [enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/411257) in GitLab 16.4.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/132015) in GitLab 16.5. Feature flag `group_level_dependencies` removed.
diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md
index 7cc1264f27b..76ec49ca2d5 100644
--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -670,7 +670,7 @@ The following analyzers are executed, each of which have different behavior when
Does not support multiple lockfiles. When multiple lockfiles exist, `Retire.js`
analyzes the first lockfile discovered while traversing the directory tree in alphabetical order.
-From GitLab 14.8 the `gemnasium` analyzer scans supported JavaScript projects for vendored libraries
+The `gemnasium` analyzer scans supports JavaScript projects for vendored libraries
(that is, those checked into the project but not managed by the package manager).
#### Go
@@ -748,9 +748,6 @@ Pipelines now include a dependency scanning job.
#### Use a preconfigured merge request
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4908) in GitLab 14.1 [with a flag](../../../administration/feature_flags.md) named `sec_dependency_scanning_ui_enable`. Enabled by default.
-> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/326005) in GitLab 14.2. Feature flag `sec_dependency_scanning_ui_enable` removed.
-
This method automatically prepares a merge request that includes the dependency scanning template
in the `.gitlab-ci.yml` file. You then merge the merge request to enable dependency scanning.
@@ -837,7 +834,7 @@ The following variables configure the behavior of specific dependency scanning a
| `GEMNASIUM_DB_REF_NAME` | `gemnasium` | `master` | Branch name for remote repository database. `GEMNASIUM_DB_REMOTE_URL` is required. |
| `DS_REMEDIATE` | `gemnasium` | `"true"`, `"false"` in FIPS mode | Enable automatic remediation of vulnerable dependencies. Not supported in FIPS mode. |
| `DS_REMEDIATE_TIMEOUT` | `gemnasium` | `5m` | Timeout for auto-remediation. |
-| `GEMNASIUM_LIBRARY_SCAN_ENABLED` | `gemnasium` | `"true"` | Enable detecting vulnerabilities in vendored JavaScript libraries (libraries which are not managed by a package manager). This functionality requires a JavaScript lockfile to be present in a commit, otherwise Dependency Scanning is not executed and vendored files are not scanned.
Dependency scanning uses the [Retire.js](https://github.com/RetireJS/retire.js) scanner to detect a limited set of vulnerabilities. For details of which vulnerabilities are detected, see the [Retire.js repository](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350512) in GitLab 14.8. |
+| `GEMNASIUM_LIBRARY_SCAN_ENABLED` | `gemnasium` | `"true"` | Enable detecting vulnerabilities in vendored JavaScript libraries (libraries which are not managed by a package manager). This functionality requires a JavaScript lockfile to be present in a commit, otherwise Dependency Scanning is not executed and vendored files are not scanned.
Dependency scanning uses the [Retire.js](https://github.com/RetireJS/retire.js) scanner to detect a limited set of vulnerabilities. For details of which vulnerabilities are detected, see the [Retire.js repository](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json). |
| `DS_INCLUDE_DEV_DEPENDENCIES` | `gemnasium` | `"true"` | When set to `"false"`, development dependencies and their vulnerabilities are not reported. Only projects using Composer, npm, pnpm, Pipenv or Poetry are supported. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/227861) in GitLab 15.1. |
| `GOOS` | `gemnasium` | `"linux"` | The operating system for which to compile Go code. |
| `GOARCH` | `gemnasium` | `"amd64"` | The architecture of the processor for which to compile Go code. |
@@ -925,7 +922,6 @@ Read more on [how to use private Maven repositories](../index.md#using-private-m
### FIPS-enabled images
-> - Introduced in GitLab 14.10. GitLab team members can view more information in this confidential issue: `https://gitlab.com/gitlab-org/gitlab/-/issues/354796`
> - Introduced in GitLab 15.0 - Gemnasium uses FIPS-enabled images when FIPS mode is enabled.
GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
@@ -956,7 +952,6 @@ For more details of the dependency scanning report, see:
### CycloneDX Software Bill of Materials
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350509) in GitLab 14.8 in [Beta](../../../policy/experiment-beta-support.md#beta).
> - Generally available in GitLab 15.7.
Dependency Scanning outputs a [CycloneDX](https://cyclonedx.org/) Software Bill of Materials (SBOM)
diff --git a/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md b/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md
index 924e7732f01..b677cb6d259 100644
--- a/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md
+++ b/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md
@@ -99,10 +99,7 @@ gemnasium-maven-dependency_scanning:
## Dependency Scanning job fails with message `strconv.ParseUint: parsing "0.0": invalid syntax`
-Invoking Docker-in-Docker is the likely cause of this error. Docker-in-Docker is:
-
-- Disabled by default in GitLab 13.0 and later.
-- Unsupported from GitLab 13.4 and later.
+Docker-in-Docker is unsupported, and attempting to invoke it is the likely cause of this error.
To fix this error, disable Docker-in-Docker for dependency scanning. Individual
`-dependency_scanning` jobs are created for each analyzer that runs in your CI/CD
diff --git a/doc/user/clusters/agent/vulnerabilities.md b/doc/user/clusters/agent/vulnerabilities.md
index 6dea65d197a..5b3b716565d 100644
--- a/doc/user/clusters/agent/vulnerabilities.md
+++ b/doc/user/clusters/agent/vulnerabilities.md
@@ -10,7 +10,6 @@ DETAILS:
**Tier:** Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6346) in GitLab 14.8.
> - [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/368828) the starboard directive in GitLab 15.4. The starboard directive is scheduled for removal in GitLab 16.0.
## Supported architectures
diff --git a/doc/user/gitlab_duo_chat.md b/doc/user/gitlab_duo_chat.md
index 634a30ef249..bc548f97357 100644
--- a/doc/user/gitlab_duo_chat.md
+++ b/doc/user/gitlab_duo_chat.md
@@ -83,6 +83,10 @@ You can ask about a specific GitLab issue. For example:
NOTE:
If the issue contains a large amount of text (more than 40,000 words), GitLab Duo Chat might not be able to consider every word. The AI model has a limit to the amount of input it can process at one time.
+
+For tips on how GitLab Duo Chat can improve your productivity with issues and epics, see [Boost your productivity with GitLab Duo Chat](https://youtu.be/RJezT5_V6dI).
+
+
### Ask about a specific epic
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/128487) for SaaS in GitLab 16.3.
diff --git a/doc/user/search/exact_code_search.md b/doc/user/search/exact_code_search.md
index 18bf2a00526..c916944bd61 100644
--- a/doc/user/search/exact_code_search.md
+++ b/doc/user/search/exact_code_search.md
@@ -60,22 +60,37 @@ Use this feature to search code across the entire GitLab instance.
Global code search does not perform well on large GitLab instances.
If you enable this feature for instances with more than 20,000 projects, your search might time out.
-## Syntax
+## Search modes
-This table shows some example queries for exact code search.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/434417) in GitLab 16.8 [with a flag](../../administration/feature_flags.md) named `zoekt_exact_search`. Disabled by default.
-| Query | Description |
-|----------------------|-----------------------------------------------------------------------------------|
-| `foo` | Returns files that contain `foo`. |
-| `foo file:^doc/` | Returns files that contain `foo` in directories that start with `doc/`. |
-| `"class foo"` | Returns files that contain the exact string `class foo`. |
-| `class foo` | Returns files that contain both `class` and `foo`. |
-| `foo or bar` | Returns files that contain either `foo` or `bar`. |
-| `class Foo` | Returns files that contain `class` (case insensitive) and `Foo` (case sensitive). |
-| `class Foo case:yes` | Returns files that contain `class` and `Foo` (both case sensitive). |
-| `foo -bar` | Returns files that contain `foo` but not `bar`. |
-| `foo file:js` | Searches for `foo` in files with names that contain `js`. |
-| `foo -file:test` | Searches for `foo` in files with names that do not contain `test`. |
-| `foo lang:ruby` | Searches for `foo` in Ruby source code. |
-| `foo file:\.js$` | Searches for `foo` in files with names that end with `.js`. |
-| `foo.*bar` | Searches for strings that match the regular expression `foo.*bar`. |
+FLAG:
+The availability of this feature is controlled by a feature flag.
+For more information, see the history.
+
+When you enable `zoekt_exact_search`, you can switch between two search modes:
+
+- **Regular expression mode:** supports regular and boolean expressions.
+- **Exact match mode:** returns results that exactly match the query.
+
+When `zoekt_exact_search` is disabled, the regular expression mode is used by default.
+
+### Syntax
+
+This table shows some example queries for regular expression and exact match modes.
+
+| Query | Regular expression mode | Exact match mode |
+| -------------------- | ----------------------------------------------------- | ------------------------------ |
+| `"foo"` | `foo` | `"foo"` |
+| `foo file:^doc/` | `foo` in directories that start with `/doc` | `foo` in directories that start with `/doc` |
+| `"class foo"` | `class foo` | `"class foo"` |
+| `class foo` | `class` and `foo` | `class foo` |
+| `foo or bar` | `foo` or `bar` | `foo or bar` |
+| `class Foo` | `class` (case insensitive) and `Foo` (case sensitive) | `class Foo` (case insensitive) |
+| `class Foo case:yes` | `class` and `Foo` (both case sensitive) | `class Foo` (case sensitive) |
+| `foo -bar` | `foo` but not `bar` | `foo -bar` |
+| `foo file:js` | `foo` in files with names that contain `js` | `foo` in files with names that contain `js` |
+| `foo -file:test` | `foo` in files with names that do not contain `test` | `foo` in files with names that do not contain `test` |
+| `foo lang:ruby` | `foo` in Ruby source code | `foo` in Ruby source code |
+| `foo file:\.js$` | `foo` in files with names that end with `.js` | `foo` in files with names that end with `.js` |
+| `foo.*bar` | `foo.*bar` (regular expression) | None |
diff --git a/glfm_specification/output_example_snapshots/html.yml b/glfm_specification/output_example_snapshots/html.yml
index 4c5579bcc01..de2d0742610 100644
--- a/glfm_specification/output_example_snapshots/html.yml
+++ b/glfm_specification/output_example_snapshots/html.yml
@@ -136,7 +136,7 @@
Foo
static: |-
- Foo
+ Foo
wysiwyg: |-
Foo
02_01_00__preliminaries__tabs__011:
@@ -328,7 +328,7 @@
bar
static: |-
- Foo
+ Foo
bar
wysiwyg: |-
Foo
@@ -381,17 +381,17 @@
foo
static: |-
- foo
+ foo
- foo
+ foo
- foo
+ foo
- foo
+ foo
- foo
+ foo
- foo
+ foo
wysiwyg: |-
foo
foo
@@ -428,7 +428,7 @@
foo bar *baz*
static: |-
- foo bar *baz*
+ foo bar *baz*
wysiwyg: |-
foo bar *baz*
04_02_00__leaf_blocks__atx_headings__006:
@@ -436,7 +436,7 @@
foo
static: |-
- foo
+ foo
wysiwyg: |-
foo
04_02_00__leaf_blocks__atx_headings__007:
@@ -446,11 +446,11 @@
foo
static: |-
- foo
+ foo
- foo
+ foo
- foo
+ foo
wysiwyg: |-
foo
foo
@@ -482,9 +482,9 @@
bar
static: |-
- foo
+ foo
- bar
+ bar
wysiwyg: |-
foo
bar
@@ -494,9 +494,9 @@
foo
static: |-
- foo
+ foo
- foo
+ foo
wysiwyg: |-
foo
foo
@@ -505,7 +505,7 @@
foo
static: |-
- foo
+ foo
wysiwyg: |-
foo
04_02_00__leaf_blocks__atx_headings__013:
@@ -513,7 +513,7 @@
foo ### b
static: |-
- foo ### b
+ foo ### b
wysiwyg: |-
foo ### b
04_02_00__leaf_blocks__atx_headings__014:
@@ -521,7 +521,7 @@
foo#
static: |-
- foo#
+ foo#
wysiwyg: |-
foo#
04_02_00__leaf_blocks__atx_headings__015:
@@ -531,11 +531,11 @@
foo #
static: |-
- foo ###
+ foo ###
- foo ###
+ foo ###
- foo #
+ foo #
wysiwyg: |-
foo ###
@@ -549,7 +549,7 @@
static: |-
- foo
+ foo
wysiwyg: |-
@@ -563,7 +563,7 @@
static: |-
Foo bar
- baz
+ baz
Bar foo
wysiwyg: |-
Foo bar
@@ -575,9 +575,9 @@
static: |-
-
-
-
+
+
+
wysiwyg: |-
@@ -588,10 +588,10 @@
Foo bar
static: |-
- Foo bar
+ Foo bar
- Foo bar
+ Foo bar
wysiwyg: |-
Foo bar
@@ -602,7 +602,7 @@
baz
static: |-
- Foo bar
+ Foo bar
baz
wysiwyg: |-
@@ -614,7 +614,7 @@
baz
static: |-
- Foo bar
+ Foo bar
baz
wysiwyg: |-
@@ -626,9 +626,9 @@
Foo
static: |-
- Foo
+ Foo
- Foo
+ Foo
wysiwyg: |-
Foo
Foo
@@ -639,11 +639,11 @@
Foo
static: |-
- Foo
+ Foo
- Foo
+ Foo
- Foo
+ Foo
wysiwyg: |-
Foo
Foo
@@ -676,7 +676,7 @@
Foo
static: |-
- Foo
+ Foo
wysiwyg: |-
Foo
04_03_00__leaf_blocks__setext_headings__008:
@@ -710,7 +710,7 @@
Foo
static: |-
- Foo
+ Foo
wysiwyg: |-
Foo
04_03_00__leaf_blocks__setext_headings__011:
@@ -718,7 +718,7 @@
Foo\
static: |-
- Foo\
+ Foo\
wysiwyg: |-
Foo\
04_03_00__leaf_blocks__setext_headings__012:
@@ -729,10 +729,10 @@
of dashes"/>
static: |-
- `Foo
+ `Foo
`
- <a title="a lot
+ <a title="a lot
of dashes"/>
wysiwyg: |-
`Foo
@@ -790,7 +790,7 @@
Bar
static: |-
- Foo
+ Foo
Bar
wysiwyg: |-
Foo
@@ -807,7 +807,7 @@
- Bar
+ Bar
Baz
wysiwyg: |-
Foo
@@ -878,7 +878,7 @@
> foo
static: |-
- > foo
+ > foo
wysiwyg: |-
> foo
04_03_00__leaf_blocks__setext_headings__024:
@@ -889,7 +889,7 @@
static: |-
Foo
- bar
+ bar
baz
wysiwyg: |-
Foo
@@ -1090,13 +1090,13 @@
static: |-
- Heading
+ Heading
foo
- Heading
+ Heading
foo
baz
static: |-
- foo
+ foo
bar
- baz
+ baz
wysiwyg: |-
foo
bar
@@ -2345,7 +2345,7 @@
static: |-
- Foo
+ Foo
bar
@@ -2360,7 +2360,7 @@
static: |-
- bar
+ bar
wysiwyg: |-
[foo]: /url
@@ -2510,7 +2510,7 @@
static: |-
aaa
- aaa
+ aaa
wysiwyg: |-
aaa
aaa
@@ -2784,7 +2784,7 @@
static: |-
- Foo
+ Foo
bar
baz
@@ -2801,7 +2801,7 @@
static: |-
- Foo
+ Foo
bar
baz
@@ -2818,7 +2818,7 @@
static: |-
- Foo
+ Foo
bar
baz
@@ -2852,7 +2852,7 @@
static: |-
- Foo
+ Foo
bar
baz
@@ -4142,11 +4142,11 @@
-
- Foo
+ Foo
-
- Bar
+ Bar
baz
wysiwyg: |-
@@ -7572,7 +7572,7 @@
foo\
static: |-
- foo\
+ foo\
wysiwyg: |-
foo\
06_13_00__inlines__hard_line_breaks__015:
@@ -7580,7 +7580,7 @@
foo
static: |-
- foo
+ foo
wysiwyg: |-
foo
06_14_00__inlines__soft_line_breaks__001:
@@ -7753,7 +7753,7 @@
text
- title: YAML front matter
+ title: YAML front matter
wysiwyg: |-
text
@@ -7765,7 +7765,7 @@
static: |-
- title: YAML front matter
+ title: YAML front matter
wysiwyg: |-
title: YAML front matter
@@ -7786,9 +7786,9 @@
Heading 1
- Heading 1
+ Heading 1
- Heading 2
+ Heading 2
wysiwyg: |-
Table of contents
Heading 1
@@ -7810,9 +7810,9 @@
Heading 1
- Heading 1
+ Heading 1
- Heading 2
+ Heading 2
wysiwyg: |-
Table of contents
Heading 1
@@ -7842,7 +7842,7 @@
static: |-
- Heading 1
+ Heading 1
wysiwyg: |-
Table of contents
Heading 1
@@ -8292,17 +8292,17 @@
TODO: Write canonical HTML for this example
static: |-
- Heading 1
+ Heading 1
- Heading 2
+ Heading 2
- Heading 3
+ Heading 3
- Heading 4
+ Heading 4
- Heading 5
+ Heading 5
- Heading 6
+ Heading 6
wysiwyg: |-
Heading 1
Heading 2
@@ -8517,7 +8517,7 @@
- content after table
+ content after table
wysiwyg: |-
header
header
code
cell with bold
strike
cell with italic
content after table
@@ -8536,16 +8536,16 @@
- Lorem
+ Lorem
Well, that's just like... your opinion.. man.
- Ipsum
+ Ipsum
- Dolar
+ Dolar
- Sit amit
+ Sit amit
- I don't know
+ I don't know
wysiwyg: |-
Table of contents
Lorem
diff --git a/glfm_specification/output_example_snapshots/snapshot_spec.html b/glfm_specification/output_example_snapshots/snapshot_spec.html
index e8c3551ea20..b176e0ebf8c 100644
--- a/glfm_specification/output_example_snapshots/snapshot_spec.html
+++ b/glfm_specification/output_example_snapshots/snapshot_spec.html
@@ -238,148 +238,11 @@
GitLab Flavored Markdown Internal Extensions
Version alpha
-
--
-Preliminaries
-
--
-Blocks and inlines
-
--
-Leaf blocks
-
--
-Container blocks
-
--
-Inlines
-
--
-GitLab Official Specification Markdown
-
--
-GitLab Internal Extension Markdown
-- Audio
-- Video
-- Markdown Preview API Request Overrides
--
-Migrated golden master examples
-- attachment_image_for_group
-- attachment_image_for_project
-- attachment_image_for_project_wiki
-- attachment_link_for_group
-- attachment_link_for_project
-- attachment_link_for_project_wiki
-- attachment_link_for_group_wiki
-- audio
-- audio_and_video_in_lists
-- blockquote
-- bold
-- bullet_list_style_1
-- bullet_list_style_2
-- bullet_list_style_3
-- code_block_javascript
-- code_block_plaintext
-- code_block_unknown
-- color_chips
-- description_list
-- details
-- diagram_kroki_nomnoml
-- diagram_plantuml
-- diagram_plantuml_unicode
-- div
-- emoji
-- emphasis
-- figure
-- footnotes
-- frontmatter_json
-- frontmatter_toml
-- frontmatter_yaml
-- hard_break
-- headings
-- horizontal_rule
-- html_marks
-- image
-- inline_code
-- inline_diff
-- label
-- link
-- math
-- ordered_list
-- ordered_list_with_start_order
-- ordered_task_list
-- ordered_task_list_with_order
-- reference_for_project_wiki
-- strike
-- table
-- table_of_contents
-- task_list
-- video
-- word_break
-
-
-- Image Attributes
-- Footnotes
-
-
--
-GFM undocumented extensions and more robust test
-
-
+
-Preliminaries
+Preliminaries
-Characters and lines
+Characters and lines
Any sequence of [characters] is a valid CommonMark
document.
A character is a Unicode code point. Although some
@@ -422,7 +285,7 @@ is !, Pc, Pd, Pe, Pf, Pi, Po, or Ps.
-Tabs
+Tabs
Tabs in lines are not expanded to [spaces]. However,
in contexts where whitespace helps to define block structure,
tabs behave as if they were replaced by spaces with a tab stop
@@ -607,11 +470,11 @@ code block starting with two spaces.
-Insecure characters
+Insecure characters
For security reasons, the Unicode character U+0000 must be replaced
with the REPLACEMENT CHARACTER (U+FFFD).
-Blocks and inlines
+Blocks and inlines
We can think of a document as a sequence of
blocks---structural elements like paragraphs, block
quotations, lists, headings, rules, and code blocks. Some blocks (like
@@ -619,7 +482,7 @@ block quotes and list items) contain other blocks; others (like
headings and paragraphs) contain inline content---text,
links, emphasized text, images, code spans, and so on.
-Precedence
+Precedence
Indicators of block structure always take precedence over indicators
of inline structure. So, for example, the following is a list with
two items, not a list with one item containing a code span:
@@ -647,17 +510,17 @@ step. Note that the first step requires processing lines in sequence,
but the second can be parallelized, since the inline parsing of
one block element does not affect the inline parsing of any other.
-Container blocks and leaf blocks
+Container blocks and leaf blocks
We can divide blocks into two types:
container blocks,
which can contain other blocks, and leaf blocks,
which cannot.
-Leaf blocks
+Leaf blocks
This section describes the different kinds of leaf block that make up a
Markdown document.
-Thematic breaks
+Thematic breaks
A line consisting of 0-3 spaces of indentation, followed by a sequence
of three or more matching -, _, or * characters, each followed
optionally by any number of spaces or tabs, forms a
@@ -942,7 +805,7 @@ interpretations of a line, the thematic break takes precedence:
-ATX headings
+ATX headings
An ATX heading
consists of a string of characters, parsed as inline content, between an
opening sequence of 1--6 unescaped # characters and an optional
@@ -1219,7 +1082,7 @@ lines, and they can interrupt paragraphs:
-Setext headings
+Setext headings
A setext heading consists of one or more
lines of text, each containing at least one [non-whitespace
character], with no more than 3 spaces indentation, followed by
@@ -1720,7 +1583,7 @@ underline], such as
-Indented code blocks
+Indented code blocks
An indented code block is composed of one or more
[indented chunks] separated by blank lines.
An indented chunk is a sequence of non-blank lines,
@@ -1954,7 +1817,7 @@ are not included in it:
+
+
-
-
+ {{ $options.i18n.syntaxOptionsLabel }}
-
diff --git a/app/assets/javascripts/search/topbar/components/search_type_indicator.vue b/app/assets/javascripts/search/topbar/components/search_type_indicator.vue
index b57290172a5..d33e974edca 100644
--- a/app/assets/javascripts/search/topbar/components/search_type_indicator.vue
+++ b/app/assets/javascripts/search/topbar/components/search_type_indicator.vue
@@ -28,7 +28,7 @@ export default {
},
i18n: {
zoekt_enabled: s__(
- 'GlobalSearch|%{linkStart}Exact code search (powered by Zoekt)%{linkEnd} is enabled',
+ 'GlobalSearch|%{linkStart}Exact code search (powered by Zoekt)%{linkEnd} is enabled.',
),
zoekt_disabled: s__(
'GlobalSearch|%{linkStart}Exact code search (powered by Zoekt)%{linkEnd} is disabled since %{ref_elem} is not the default branch. %{docs_link}',
@@ -119,19 +119,19 @@ export default {
-
-
+
-
-
-
-
+
+
+
- {{ content }}
+ {{ content }}
-
+
- {{ content }}
+ {{ content }}
" "https://git
## The `filter` parameter
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/34490) in GitLab 13.2.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/227052) in GitLab 13.4.
-
When multiple variables have the same `key`, [GET](#get-a-single-variable), [PUT](#update-a-variable),
or [DELETE](#delete-a-variable) requests might return:
diff --git a/doc/api/releases/index.md b/doc/api/releases/index.md
index b424ac8bef6..59e377e5961 100644
--- a/doc/api/releases/index.md
+++ b/doc/api/releases/index.md
@@ -416,7 +416,6 @@ GET /projects/:id/releases/:tag_name/downloads/:direct_asset_path
|----------------------------| -------------- | -------- | ----------------------------------------------------------------------------------- |
| `id` | integer/string | yes | The ID or [URL-encoded path of the project](../rest/index.md#namespaced-path-encoding). |
| `tag_name` | string | yes | The Git tag the release is associated with. |
-| `filepath` | string | yes | Deprecated: Use `direct_asset_path` instead. |
| `direct_asset_path` | string | yes | Path to the release asset file as specified when [creating](links.md#create-a-release-link) or [updating](links.md#update-a-release-link) its link. |
Example request:
@@ -476,7 +475,6 @@ POST /projects/:id/releases
| `assets:links` | array of hash | no | An array of assets links. |
| `assets:links:name`| string | required by: `assets:links` | The name of the link. Link names must be unique within the release. |
| `assets:links:url` | string | required by: `assets:links` | The URL of the link. Link URLs must be unique within the release. |
-| `assets:links:filepath` | string | no | Deprecated: Use `direct_asset_path` instead. |
| `assets:links:direct_asset_path` | string | no | Optional path for a [direct asset link](../../user/project/releases/release_fields.md#permanent-links-to-release-assets). |
| `assets:links:link_type` | string | no | The type of the link: `other`, `runbook`, `image`, `package`. Defaults to `other`. |
| `released_at` | datetime | no | Date and time for the release. Defaults to the current time. Expected in ISO 8601 format (`2019-03-15T08:00:00Z`). Only provide this field if creating an [upcoming](../../user/project/releases/index.md#upcoming-releases) or [historical](../../user/project/releases/index.md#historical-releases) release. |
diff --git a/doc/api/releases/links.md b/doc/api/releases/links.md
index 3967730f25a..9fec47cfb5d 100644
--- a/doc/api/releases/links.md
+++ b/doc/api/releases/links.md
@@ -100,7 +100,6 @@ POST /projects/:id/releases/:tag_name/assets/links
| `tag_name` | string | yes | The tag associated with the Release. |
| `name` | string | yes | The name of the link. Link names must be unique in the release. |
| `url` | string | yes | The URL of the link. Link URLs must be unique in the release. |
-| `filepath` | string | no | Deprecated: Use `direct_asset_path` instead. |
| `direct_asset_path` | string | no | Optional path for a [direct asset link](../../user/project/releases/release_fields.md#permanent-links-to-release-assets). |
| `link_type` | string | no | The type of the link: `other`, `runbook`, `image`, `package`. Defaults to `other`. |
@@ -142,7 +141,6 @@ PUT /projects/:id/releases/:tag_name/assets/links/:link_id
| `link_id` | integer | yes | The ID of the link. |
| `name` | string | no | The name of the link. |
| `url` | string | no | The URL of the link. |
-| `filepath` | string | no | Deprecated: Use `direct_asset_path` instead. |
| `direct_asset_path` | string | no | Optional path for a [direct asset link](../../user/project/releases/release_fields.md#permanent-links-to-release-assets). |
| `link_type` | string | no | The type of the link: `other`, `runbook`, `image`, `package`. Defaults to `other`. |
diff --git a/doc/api/secure_files.md b/doc/api/secure_files.md
index caa3253afcd..091be69088e 100644
--- a/doc/api/secure_files.md
+++ b/doc/api/secure_files.md
@@ -10,7 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78227) in GitLab 14.8 [with a flag](../administration/feature_flags.md) named `ci_secure_files`. Disabled by default.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/350748) in GitLab 15.7. Feature flag `ci_secure_files` removed.
This feature is part of [Mobile DevOps](../ci/mobile_devops.md) developed by [GitLab Incubation Engineering](https://handbook.gitlab.com/handbook/engineering/development/incubation/).
diff --git a/doc/ci/cloud_services/index.md b/doc/ci/cloud_services/index.md
index 85afd7e488e..eb02b3d1978 100644
--- a/doc/ci/cloud_services/index.md
+++ b/doc/ci/cloud_services/index.md
@@ -10,8 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - `CI_JOB_JWT` variable for reading secrets from Vault [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/207125) in GitLab 12.10.
-> - `CI_JOB_JWT_V2` variable to support additional OIDC providers [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/346737) in GitLab 14.7.
> - [ID tokens](../yaml/index.md#id_tokens) to support any OIDC provider, including HashiCorp Vault, [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/356986) in GitLab 15.7.
WARNING:
@@ -24,8 +22,7 @@ Historically, teams stored secrets in projects or applied permissions on the Git
instance to build and deploy. OIDC capable [ID tokens](../yaml/index.md#id_tokens) are configurable
in the CI/CD job allowing you to follow a scalable and least-privilege security approach.
-In GitLab 15.6 and earlier, you must use `CI_JOB_JWT_V2` instead of an ID token,
-but it is not customizable. In GitLab 14.6 an earlier you must use the `CI_JOB_JWT`, which has limited support.
+In GitLab 15.6 and earlier, you must use `CI_JOB_JWT_V2` instead of an ID token, but it is not customizable.
## Prerequisites
diff --git a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
index a4ffff7c6e5..f051b9795cf 100644
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -58,9 +58,9 @@ The following fields are included in the JWT:
| `ref_type` | Always | Git ref type, either `branch` or `tag` |
| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
| `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise |
-| `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
+| `environment` | Job specifies an environment | Environment this job specifies |
| `groups_direct` | User is a direct member of 0 to 200 groups | The paths of the user's direct membership groups. Omitted if the user is a direct member of more than 200 groups. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/435848) in GitLab 16.11). |
-| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
+| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise |
| `deployment_tier` | Job specifies an environment | [Deployment tier](../../environments/index.md#deployment-tier-of-environments) of environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2) |
| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) |
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md
index 46846bac132..7dea2a5e529 100644
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -187,10 +187,6 @@ proposes to change this behavior.
## Limit your project's job token access (deprecated)
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1. [Deployed behind the `:ci_scoped_job_token` feature flag](../../user/feature_flags.md), disabled by default.
-> - [Enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/332272) in GitLab 14.4.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/332272) in GitLab 14.6.
-
NOTE:
The [**Limit access _from_ this project**](#configure-the-job-token-scope-deprecated)
setting is disabled by default for all new projects and is [scheduled for removal](https://gitlab.com/gitlab-org/gitlab/-/issues/383084)
diff --git a/doc/ci/jobs/job_artifacts.md b/doc/ci/jobs/job_artifacts.md
index 537892bba30..f7c10d3567e 100644
--- a/doc/ci/jobs/job_artifacts.md
+++ b/doc/ci/jobs/job_artifacts.md
@@ -194,7 +194,6 @@ job:
## View all job artifacts in a project
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/31271) in GitLab 12.4 [with a flag](../../administration/feature_flags.md) named `artifacts_management_page`. Disabled by default.
> - [Improved look](https://gitlab.com/gitlab-org/gitlab/-/issues/33418) in GitLab 15.6.
> - [Improved performance](https://gitlab.com/gitlab-org/gitlab/-/issues/387765) in GitLab 15.9.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/407475) in GitLab 16.0. Feature flag `artifacts_management_page` removed.
@@ -362,9 +361,6 @@ With this configuration, GitLab adds **artifact 1** as a link to `file.txt` to t
## Keep artifacts from most recent successful jobs
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/16267) in GitLab 13.0.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/229936) in GitLab 13.4.
-> - [Made optional with a CI/CD setting](https://gitlab.com/gitlab-org/gitlab/-/issues/241026) in GitLab 13.8.
> - Artifacts for [blocked](https://gitlab.com/gitlab-org/gitlab/-/issues/387087) or [failed](https://gitlab.com/gitlab-org/gitlab/-/issues/266958) pipelines no longer kept indefinitely in GitLab 16.7.
By default artifacts are always kept for successful pipelines for the most recent commit on each ref.
diff --git a/doc/ci/secrets/id_token_authentication.md b/doc/ci/secrets/id_token_authentication.md
index 1e5fd29c8ec..09f92d933a8 100644
--- a/doc/ci/secrets/id_token_authentication.md
+++ b/doc/ci/secrets/id_token_authentication.md
@@ -73,8 +73,8 @@ The token also includes custom claims provided by GitLab:
| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
| `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. |
| `groups_direct` | User is a direct member of 0 to 200 groups | The paths of the user's direct membership groups. Omitted if the user is a direct member of more than 200 groups. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/435848) in GitLab 16.11). |
-| `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
-| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
+| `environment` | Job specifies an environment | Environment this job deploys to. |
+| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise. |
| `deployment_tier` | Job specifies an environment | [Deployment tier](../environments/index.md#deployment-tier-of-environments) of the environment the job specifies. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2. |
| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) |
| `runner_id` | Always | ID of the runner executing the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. |
diff --git a/doc/ci/secrets/index.md b/doc/ci/secrets/index.md
index 3f35c7238d7..6342e35b1fb 100644
--- a/doc/ci/secrets/index.md
+++ b/doc/ci/secrets/index.md
@@ -10,10 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/218746) in GitLab 13.4 and GitLab Runner 13.4.
-> - `file` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250695) in GitLab 14.1 and GitLab Runner 14.1.
-> - `VAULT_NAMESPACE` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/255619) in GitLab 14.9 and GitLab Runner 14.9.
-
Secrets represent sensitive information your CI job needs to complete work. This
sensitive information can be items like API tokens, database credentials, or private keys.
Secrets are sourced from your secrets provider.
@@ -125,8 +121,6 @@ DETAILS:
**Tier:** Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/28321) in GitLab 13.4 and GitLab Runner 13.4.
-
After [configuring your Vault server](#configure-your-vault-server), you can use
the secrets stored in Vault by defining them with the [`vault` keyword](../yaml/index.md#secretsvault):
diff --git a/doc/ci/secure_files/index.md b/doc/ci/secure_files/index.md
index 833f5b5037f..763ea4570bf 100644
--- a/doc/ci/secure_files/index.md
+++ b/doc/ci/secure_files/index.md
@@ -10,7 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78227) in GitLab 14.8 [with a flag](../../administration/feature_flags.md) named `ci_secure_files`. Disabled by default.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/350748) in GitLab 15.7. Feature flag `ci_secure_files` removed.
This feature is part of [Mobile DevOps](../mobile_devops.md) developed by [GitLab Incubation Engineering](https://handbook.gitlab.com/handbook/engineering/development/incubation/).
diff --git a/doc/ci/variables/index.md b/doc/ci/variables/index.md
index 619934dc469..1e49880248f 100644
--- a/doc/ci/variables/index.md
+++ b/doc/ci/variables/index.md
@@ -201,9 +201,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/14108) in GitLab 13.0.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/299879) in GitLab 13.11.
-
You can make a CI/CD variable available to all projects and groups in a GitLab instance.
Prerequisites:
@@ -216,9 +213,8 @@ To add an instance variable:
1. Select **Settings > CI/CD** and expand the **Variables** section.
1. Select **Add variable** and fill in the details:
- **Key**: Must be one line, with no spaces, using only letters, numbers, or `_`.
- - **Value**: In [GitLab 13.3 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/220028),
- the value is limited to 10,000 characters, but also bounded by any limits in the
- runner's operating system. In GitLab 13.0 to 13.2, the value is limited to 700 characters.
+ - **Value**: The value is limited to 10,000 characters, but also bounded by any limits in the
+ runner's operating system.
- **Type**: `Variable` (default) or [`File`](#use-file-type-cicd-variables).
- **Protect variable** Optional. If selected, the variable is only available
in pipelines that run on protected branches or tags.
@@ -267,8 +263,6 @@ valid [secrets file](../../administration/backup_restore/troubleshooting_backup_
### Mask a CI/CD variable
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/330650) in GitLab 13.12, the `~` character can be used in masked variables.
-
WARNING:
Masking a CI/CD variable is not a guaranteed way to prevent malicious users from
accessing variable values. The masking feature is "best-effort" and there to
@@ -473,9 +467,6 @@ variables:
### Pass an environment variable to another job
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22638) in GitLab 13.0.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/217834) in GitLab 13.1.
-
You can create a new environment variables in a job, and pass it to another job
in a later stage. These variables cannot be used as CI/CD variables to configure a pipeline,
but they can be used in job scripts.
@@ -712,8 +703,6 @@ can cause the pipeline to behave unexpectedly.
### Restrict who can override variables
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/295234) in GitLab 13.8.
-
You can limit the ability to override variables to only users with the Maintainer role.
When other users try to run a pipeline with overridden variables, they receive the
`Insufficient permissions to set pipeline variables` error message.
@@ -951,9 +940,6 @@ if [[ -d "/builds/gitlab-examples/ci-debug-trace/.git" ]]; then
#### Restrict access to debug logging
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213159) in GitLab 13.7.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/292661) in GitLab 13.8.
-
You can restrict access to debug logging. When restricted, only users with
at least the Developer role
can view job logs when debug logging is enabled with a variable in:
diff --git a/doc/ci/variables/predefined_variables.md b/doc/ci/variables/predefined_variables.md
index f37c7897957..e282c7630e9 100644
--- a/doc/ci/variables/predefined_variables.md
+++ b/doc/ci/variables/predefined_variables.md
@@ -125,7 +125,7 @@ as it can cause the pipeline to behave unexpectedly.
| `CI_RUNNER_EXECUTABLE_ARCH` | Jobs only | all | 10.6 | The OS/architecture of the GitLab Runner executable. Might not be the same as the environment of the executor. |
| `CI_RUNNER_ID` | Jobs only | 8.10 | 0.5 | The unique ID of the runner being used. |
| `CI_RUNNER_REVISION` | Jobs only | all | 10.6 | The revision of the runner running the job. |
-| `CI_RUNNER_SHORT_TOKEN` | Jobs only | all | 12.3 | The runner's unique ID, used to authenticate new job requests. In [GitLab 14.9](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2251) and later, the token contains a prefix, and the first 17 characters are used. Prior to 14.9, the first eight characters are used. |
+| `CI_RUNNER_SHORT_TOKEN` | Jobs only | all | 12.3 | The runner's unique ID, used to authenticate new job requests. The token contains a prefix, and the first 17 characters are used. |
| `CI_RUNNER_TAGS` | Jobs only | 8.10 | 0.5 | A comma-separated list of the runner tags. |
| `CI_RUNNER_VERSION` | Jobs only | all | 10.6 | The version of the GitLab Runner running the job. |
| `CI_SERVER_FQDN` | Pipeline | 16.10 | all | The fully qualified domain name (FQDN) of the instance. For example `gitlab.example.com:8080`. |
diff --git a/doc/ci/variables/where_variables_can_be_used.md b/doc/ci/variables/where_variables_can_be_used.md
index 7389d438ee5..e315def8857 100644
--- a/doc/ci/variables/where_variables_can_be_used.md
+++ b/doc/ci/variables/where_variables_can_be_used.md
@@ -50,7 +50,7 @@ There are two places defined variables can be used. On the:
| [`script`](../yaml/index.md#script) | yes | Script execution shell | The variable expansion is made by the [execution shell environment](#execution-shell-environment). |
| [`services:name`](../yaml/index.md#services) | yes | Runner | The variable expansion is made by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism). |
| [`services`](../yaml/index.md#services) | yes | Runner | The variable expansion is made by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism). |
-| [`tags`](../yaml/index.md#tags) | yes | GitLab | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35742) in GitLab 14.1. |
+| [`tags`](../yaml/index.md#tags) | yes | GitLab | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab. |
| [`trigger` and `trigger:project`](../yaml/index.md#trigger) | yes | GitLab | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab. Variable expansion for `trigger:project` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/367660) in GitLab 15.3. |
| [`variables`](../yaml/index.md#variables) | yes | GitLab/Runner | The variable expansion is first made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab, and then any unrecognized or unavailable variables are expanded by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism). |
| [`workflow:name`](../yaml/index.md#workflowname) | yes | GitLab | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab.
Supported are all variables available in `workflow`:
- Project/Group variables.
- Global `variables` and `workflow:rules:variables` (when matching the rule).
- Variables inherited from parent pipelines.
- Variables from triggers.
- Variables from pipeline schedules.
Not supported are variables defined in the GitLab Runner `config.toml`, variables defined in jobs, or [Persisted variables](#persisted-variables). | @@ -81,11 +81,6 @@ because the expansion is done in GitLab before any runner gets the job. #### Nested variable expansion -- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/48627) in GitLab 13.10. [Deployed behind the `variable_inside_variable` feature flag](../../user/feature_flags.md), disabled by default. -- [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/297382) in GitLab 14.3. -- [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/297382) in GitLab 14.4. -- Feature flag `variable_inside_variable` removed in GitLab 14.5. - GitLab expands job variable values recursively before sending them to the runner. For example, in the following scenario: ```yaml diff --git a/doc/drawers/exact_code_search_syntax.md b/doc/drawers/exact_code_search_syntax.md index ce4a97f9f87..ff425080ee2 100644 --- a/doc/drawers/exact_code_search_syntax.md +++ b/doc/drawers/exact_code_search_syntax.md @@ -7,17 +7,18 @@ source: /doc/user/search/exact_code_search.md # Search tips -| Query | Description | -| -------------------- |-------------------------------------------------------------------------------------- | -| `foo` | Returns files that contain `foo` | -| `"class foo"` | Returns files that contain the exact string `class foo` | -| `class foo` | Returns files that contain both `class` and `foo` | -| `foo or bar` | Returns files that contain either `foo` or `bar` | -| `class Foo` | Returns files that contain `class` (case insensitive) and `Foo` (case sensitive) | -| `class Foo case:yes` | Returns files that contain `class` and `Foo` (both case sensitive) | -| `foo -bar` | Returns files that contain `foo` but not `bar` | -| `foo file:js` | Searches for `foo` in files with names that contain `js` | -| `foo -file:test` | Searches for `foo` in files with names that do not contain `test` | -| `foo lang:ruby` | Searches for `foo` in Ruby source code | -| `foo f:\.js$` | Searches for `foo` in files with names that end with `.js` | -| `foo.*bar` | Searches for strings that match the regular expression `foo.*bar` | +| Query | Regular expression mode | Exact match mode | +| -------------------- | ----------------------------------------------------- | ------------------------------ | +| `"foo"` | `foo` | `"foo"` | +| `foo file:^doc/` | `foo` in directories that start with `/doc` | `foo` in directories that start with `/doc` | +| `"class foo"` | `class foo` | `"class foo"` | +| `class foo` | `class` and `foo` | `class foo` | +| `foo or bar` | `foo` or `bar` | `foo or bar` | +| `class Foo` | `class` (case insensitive) and `Foo` (case sensitive) | `class Foo` (case insensitive) | +| `class Foo case:yes` | `class` and `Foo` (both case sensitive) | `class Foo` (case sensitive) | +| `foo -bar` | `foo` but not `bar` | `foo -bar` | +| `foo file:js` | `foo` in files with names that contain `js` | `foo` in files with names that contain `js` | +| `foo -file:test` | `foo` in files with names that do not contain `test` | `foo` in files with names that do not contain `test` | +| `foo lang:ruby` | `foo` in Ruby source code | `foo` in Ruby source code | +| `foo file:\.js$` | `foo` in files with names that end with `.js` | `foo` in files with names that end with `.js` | +| `foo.*bar` | `foo.*bar` (regular expression) | None | diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md index b0626a1147e..7afe9e30511 100644 --- a/doc/update/deprecations.md +++ b/doc/update/deprecations.md @@ -325,6 +325,24 @@ This change is a breaking change. You should [create a runner in the UI](https:/
{{ query.repository_ref }}
diff --git a/app/assets/javascripts/sentry/init_sentry.js b/app/assets/javascripts/sentry/init_sentry.js
index 722741b50e4..8c8d8b655de 100644
--- a/app/assets/javascripts/sentry/init_sentry.js
+++ b/app/assets/javascripts/sentry/init_sentry.js
@@ -1,3 +1,4 @@
+/* eslint-disable no-restricted-imports */
import {
BrowserClient,
getCurrentHub,
@@ -9,7 +10,7 @@ import {
// exports
captureException,
SDK_VERSION,
-} from 'sentrybrowser';
+} from '@sentry/browser';
const initSentry = () => {
if (!gon?.sentry_dsn) {
diff --git a/app/assets/javascripts/sentry/legacy_constants.js b/app/assets/javascripts/sentry/legacy_constants.js
deleted file mode 100644
index d04011dab2f..00000000000
--- a/app/assets/javascripts/sentry/legacy_constants.js
+++ /dev/null
@@ -1,46 +0,0 @@
-import { __ } from '~/locale';
-
-// https://docs.sentry.io/platforms/javascript/configuration/filtering/#decluttering-sentry
-export const IGNORE_ERRORS = [
- // Random plugins/extensions
- 'top.GLOBALS',
- // See: http://blog.errorception.com/2012/03/tale-of-unfindable-js-error. html
- 'originalCreateNotification',
- 'canvas.contentDocument',
- 'MyApp_RemoveAllHighlights',
- 'http://tt.epicplay.com',
- __("Can't find variable: ZiteReader"),
- __('jigsaw is not defined'),
- __('ComboSearch is not defined'),
- 'http://loading.retry.widdit.com/',
- 'atomicFindClose',
- // Facebook borked
- 'fb_xd_fragment',
- // ISP "optimizing" proxy - `Cache-Control: no-transform` seems to
- // reduce this. (thanks @acdha)
- 'bmi_SafeAddOnload',
- 'EBCallBackMessageReceived',
- // See http://toolbar.conduit.com/Developer/HtmlAndGadget/Methods/JSInjection.aspx
- 'conduitPage',
- // Exclude errors from polling when navigating away from a page
- 'TypeError: Failed to fetch',
-];
-
-export const DENY_URLS = [
- // Facebook flakiness
- /graph\.facebook\.com/i,
- // Facebook blocked
- /connect\.facebook\.net\/en_US\/all\.js/i,
- // Woopra flakiness
- /eatdifferent\.com\.woopra-ns\.com/i,
- /static\.woopra\.com\/js\/woopra\.js/i,
- // Chrome extensions
- /extensions\//i,
- /^chrome:\/\//i,
- // Other plugins
- /127\.0\.0\.1:4001\/isrunning/i, // Cacaoweb
- /webappstoolbarba\.texthelp\.com\//i,
- /metrics\.itunes\.apple\.com\.edgesuite\.net\//i,
-];
-
-export const SAMPLE_RATE = 0.95;
diff --git a/app/assets/javascripts/sentry/legacy_index.js b/app/assets/javascripts/sentry/legacy_index.js
deleted file mode 100644
index 688f8eb0a44..00000000000
--- a/app/assets/javascripts/sentry/legacy_index.js
+++ /dev/null
@@ -1,34 +0,0 @@
-import '../webpack';
-
-import * as Sentry5 from 'sentrybrowser5';
-import LegacySentryConfig from './legacy_sentry_config';
-
-const index = function index() {
- // Configuration for legacy versions of Sentry SDK (v5)
- LegacySentryConfig.init({
- dsn: gon.sentry_dsn,
- currentUserId: gon.current_user_id,
- whitelistUrls:
- process.env.NODE_ENV === 'production'
- ? [gon.gitlab_url]
- : [gon.gitlab_url, 'webpack-internal://'],
- environment: gon.sentry_environment,
- release: gon.revision,
- tags: {
- revision: gon.revision,
- feature_category: gon.feature_category,
- },
- });
-};
-
-index();
-
-// The _Sentry object is globally exported so it can be used by
-// ./sentry_browser_wrapper.js
-// This hack allows us to load a single version of `~/sentry/sentry_browser_wrapper`
-// in the browser, see app/views/layouts/_head.html.haml to find how it is imported.
-
-// eslint-disable-next-line no-underscore-dangle
-window._Sentry = Sentry5;
-
-export default index;
diff --git a/app/assets/javascripts/sentry/legacy_sentry_config.js b/app/assets/javascripts/sentry/legacy_sentry_config.js
deleted file mode 100644
index 137c31f5526..00000000000
--- a/app/assets/javascripts/sentry/legacy_sentry_config.js
+++ /dev/null
@@ -1,64 +0,0 @@
-import * as Sentry5 from 'sentrybrowser5';
-import $ from 'jquery';
-import { __ } from '~/locale';
-import { IGNORE_ERRORS, DENY_URLS, SAMPLE_RATE } from './legacy_constants';
-
-const SentryConfig = {
- IGNORE_ERRORS,
- DENYLIST_URLS: DENY_URLS,
- SAMPLE_RATE,
- init(options = {}) {
- this.options = options;
-
- this.configure();
- this.bindSentryErrors();
- if (this.options.currentUserId) this.setUser();
- },
-
- configure() {
- const { dsn, release, tags, whitelistUrls, environment } = this.options;
-
- Sentry5.init({
- dsn,
- release,
- whitelistUrls,
- environment,
- ignoreErrors: this.IGNORE_ERRORS, // TODO: Remove in favor of https://gitlab.com/gitlab-org/gitlab/issues/35144
- blacklistUrls: this.DENYLIST_URLS,
- sampleRate: SAMPLE_RATE,
- });
-
- Sentry5.setTags(tags);
- },
-
- setUser() {
- Sentry5.setUser({
- id: this.options.currentUserId,
- });
- },
-
- bindSentryErrors() {
- $(document).on('ajaxError.sentry', this.handleSentryErrors);
- },
-
- handleSentryErrors(event, req, config, err) {
- const error = err || req.statusText;
- const { responseText = __('Unknown response text') } = req;
- const { type, url, data } = config;
- const { status } = req;
-
- Sentry5.captureMessage(error, {
- extra: {
- type,
- url,
- data,
- status,
- response: responseText,
- error,
- event,
- },
- });
- },
-};
-
-export default SentryConfig;
diff --git a/app/assets/javascripts/single_file_diff.js b/app/assets/javascripts/single_file_diff.js
index 1e01da795e8..a3b10f3a77b 100644
--- a/app/assets/javascripts/single_file_diff.js
+++ b/app/assets/javascripts/single_file_diff.js
@@ -1,6 +1,8 @@
import $ from 'jquery';
+import { GlButton } from '@gitlab/ui';
import { createAlert } from '~/alert';
import { loadingIconForLegacyJS } from '~/loading_icon_for_legacy_js';
+import { renderVueComponentForLegacyJS } from '~/render_vue_component_for_legacy_js';
import { spriteIcon } from '~/lib/utils/common_utils';
import FilesCommentButton from './files_comment_button';
import initImageDiffHelper from './image_diff/helpers/init_image_diff';
@@ -14,8 +16,15 @@ const ERROR_HTML = `${spriteIcon(
'warning-solid',
's16',
)} Could not load diff
`;
-const COLLAPSED_HTML =
- 'This diff is collapsed.
';
+const CLICK_TO_EXPAND_BUTTON_HTML = renderVueComponentForLegacyJS(
+ GlButton,
+ {
+ class: 'click-to-expand',
+ props: { variant: 'link' },
+ },
+ __('Click to expand it.'),
+).outerHTML;
+const COLLAPSED_HTML = `This diff is collapsed. ${CLICK_TO_EXPAND_BUTTON_HTML}
`;
export default class SingleFileDiff {
constructor(file) {
diff --git a/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue b/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue
index b6bbb5df93e..69c87cd3cfc 100644
--- a/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue
+++ b/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue
@@ -7,7 +7,7 @@ import { AVATAR_SHAPE_OPTION_RECT } from '~/vue_shared/constants';
export default {
i18n: {
uploadText: __('Drop or %{linkStart}upload%{linkEnd} an avatar.'),
- maxFileSize: s__('Profiles|The maximum file size allowed is 200KB.'),
+ maxFileSize: s__('Profiles|The maximum file size allowed is 200 KiB.'),
imageDimensions: s__('Profiles|The ideal image size is 192 x 192 pixels.'),
removeAvatar: __('Remove avatar'),
},
diff --git a/app/channels/application_cable/channel.rb b/app/channels/application_cable/channel.rb
index 0de2b0185b5..84c1705c2b5 100644
--- a/app/channels/application_cable/channel.rb
+++ b/app/channels/application_cable/channel.rb
@@ -3,6 +3,15 @@
module ApplicationCable
class Channel < ActionCable::Channel::Base
include Logging
+ include Gitlab::Auth::AuthFinders
+
+ before_subscribe :validate_token_scope
+
+ def validate_token_scope
+ validate_access_token!(scopes: [:api, :read_api])
+ rescue Gitlab::Auth::InsufficientScopeError
+ reject
+ end
private
diff --git a/app/channels/graphql_channel.rb b/app/channels/graphql_channel.rb
index ae37be85da8..cc2a9126004 100644
--- a/app/channels/graphql_channel.rb
+++ b/app/channels/graphql_channel.rb
@@ -48,7 +48,8 @@ class GraphqlChannel < ApplicationCable::Channel # rubocop:disable Gitlab/Namesp
# Objects added to the context may also need to be reloaded in
# `Subscriptions::BaseSubscription` so that they are not stale
def context
- # is_sessionless_user is always false because we only support cookie auth in ActionCable
- { channel: self, current_user: current_user, is_sessionless_user: false }
+ request_authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
+ scope_validator = ::Gitlab::Auth::ScopeValidator.new(current_user, request_authenticator)
+ { channel: self, current_user: current_user, is_sessionless_user: false, scope_validator: scope_validator }
end
end
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index 47c3d54df3a..912469382d6 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -222,6 +222,8 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
else
fail_login(@user)
end
+ rescue Gitlab::Auth::OAuth::User::IdentityWithUntrustedExternUidError
+ handle_identity_with_untrusted_extern_uid
rescue Gitlab::Auth::OAuth::User::SigninDisabledForProviderError
handle_disabled_provider
rescue Gitlab::Auth::OAuth::User::SignupDisabledError
@@ -271,6 +273,13 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
redirect_to profile_account_path, notice: _('Request to link SAML account must be authorized')
end
+ def handle_identity_with_untrusted_extern_uid
+ label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])
+ flash[:alert] = format(_("Signing in using your %{label} account has been disabled for security reasons. Please sign in to your GitLab account using another authentication method and reconnect to your %{label} account."), label: label)
+
+ redirect_to new_user_session_path
+ end
+
def handle_disabled_provider
label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])
flash[:alert] = _("Signing in using %{label} has been disabled") % { label: label }
diff --git a/app/graphql/resolvers/base_resolver.rb b/app/graphql/resolvers/base_resolver.rb
index 17db91a685f..e6d54d9e31c 100644
--- a/app/graphql/resolvers/base_resolver.rb
+++ b/app/graphql/resolvers/base_resolver.rb
@@ -174,7 +174,7 @@ module Resolvers
end
def self.authorized?(object, context)
- authorization.ok?(object, context[:current_user])
+ authorization.ok?(object, context[:current_user], scope_validator: context[:scope_validator])
end
end
end
diff --git a/app/graphql/types/base_enum.rb b/app/graphql/types/base_enum.rb
index ca86e399f6b..d7ceaafb318 100644
--- a/app/graphql/types/base_enum.rb
+++ b/app/graphql/types/base_enum.rb
@@ -65,7 +65,7 @@ module Types
end
def authorized?(object, context)
- authorization.ok?(object, context[:current_user])
+ authorization.ok?(object, context[:current_user], scope_validator: context[:scope_validator])
end
end
end
diff --git a/app/graphql/types/base_field.rb b/app/graphql/types/base_field.rb
index 886490ba62f..ca671533ef1 100644
--- a/app/graphql/types/base_field.rb
+++ b/app/graphql/types/base_field.rb
@@ -97,7 +97,7 @@ module Types
def field_authorized?(object, ctx)
object = object.node if object.is_a?(GraphQL::Pagination::Connection::Edge)
- authorization.ok?(object, ctx[:current_user])
+ authorization.ok?(object, ctx[:current_user], scope_validator: ctx[:scope_validator])
end
# Historically our resolvers have used declarative permission checks only
diff --git a/app/graphql/types/base_object.rb b/app/graphql/types/base_object.rb
index 4ad88e43f52..1783db3cc33 100644
--- a/app/graphql/types/base_object.rb
+++ b/app/graphql/types/base_object.rb
@@ -32,7 +32,7 @@ module Types
end
def self.authorized?(object, context)
- authorization.ok?(object, context[:current_user])
+ authorization.ok?(object, context[:current_user], scope_validator: context[:scope_validator])
end
def current_user
diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index 60a229ef42a..177adb36cd4 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -411,6 +411,9 @@ module ApplicationSettingsHelper
:throttle_unauthenticated_files_api_enabled,
:throttle_unauthenticated_files_api_period_in_seconds,
:throttle_unauthenticated_files_api_requests_per_period,
+ :throttle_unauthenticated_git_http_enabled,
+ :throttle_unauthenticated_git_http_period_in_seconds,
+ :throttle_unauthenticated_git_http_requests_per_period,
:throttle_unauthenticated_deprecated_api_enabled,
:throttle_unauthenticated_deprecated_api_period_in_seconds,
:throttle_unauthenticated_deprecated_api_requests_per_period,
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 5ff1bca975d..0eb1a79dfe1 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -553,6 +553,8 @@ class ApplicationSetting < MainClusterwide::ApplicationRecord
:throttle_unauthenticated_deprecated_api_requests_per_period,
:throttle_unauthenticated_files_api_period_in_seconds,
:throttle_unauthenticated_files_api_requests_per_period,
+ :throttle_unauthenticated_git_http_period_in_seconds,
+ :throttle_unauthenticated_git_http_requests_per_period,
:throttle_unauthenticated_packages_api_period_in_seconds,
:throttle_unauthenticated_packages_api_requests_per_period,
:throttle_unauthenticated_period_in_seconds,
@@ -612,6 +614,11 @@ class ApplicationSetting < MainClusterwide::ApplicationRecord
jsonb_accessor :service_ping_settings,
gitlab_environment_toolkit_instance: [:boolean, { default: false }]
+ jsonb_accessor :rate_limits_unauthenticated_git_http,
+ throttle_unauthenticated_git_http_enabled: [:boolean, { default: false }],
+ throttle_unauthenticated_git_http_requests_per_period: [:integer, { default: 3600 }],
+ throttle_unauthenticated_git_http_period_in_seconds: [:integer, { default: 3600 }]
+
validates :rate_limits, json_schema: { filename: "application_setting_rate_limits" }
validates :search_rate_limit_allowlist,
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index 9caf712d0dc..3f1540e9b8c 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -2148,8 +2148,12 @@ class MergeRequest < ApplicationRecord
merge_request_reviewers.where(user_id: user_ids)
end
- def has_changes_requested?
- merge_request_reviewers.exists?(state: :requested_changes)
+ def create_requested_changes(user)
+ # Overridden in EE
+ end
+
+ def destroy_requested_changes(user)
+ # Overridden in EE
end
def batch_update_reviewer_state(user_ids, state)
diff --git a/app/models/user.rb b/app/models/user.rb
index 88382c85653..9002b1cedb2 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -320,7 +320,7 @@ class User < MainClusterwide::ApplicationRecord
validates :name, presence: true, length: { maximum: 255 }
validates :first_name, length: { maximum: 127 }
validates :last_name, length: { maximum: 127 }
- validates :email, confirmation: true
+ validates :email, confirmation: true, devise_email: true
validates :notification_email, devise_email: true, allow_blank: true
validates :public_email, uniqueness: true, devise_email: true, allow_blank: true
validates :commit_email, devise_email: true, allow_blank: true, unless: ->(user) { user.commit_email == Gitlab::PrivateCommitEmail::TOKEN }
diff --git a/app/services/merge_requests/approval_service.rb b/app/services/merge_requests/approval_service.rb
index 679ee7b4c35..2770bb95c70 100644
--- a/app/services/merge_requests/approval_service.rb
+++ b/app/services/merge_requests/approval_service.rb
@@ -13,7 +13,7 @@ module MergeRequests
return success unless save_approval(approval)
- update_reviewer_state(merge_request, current_user, :approved)
+ update_reviewer_state(merge_request, current_user, 'approved')
reset_approvals_cache(merge_request)
diff --git a/app/services/merge_requests/remove_approval_service.rb b/app/services/merge_requests/remove_approval_service.rb
index ffe3799b540..9bf582e2091 100644
--- a/app/services/merge_requests/remove_approval_service.rb
+++ b/app/services/merge_requests/remove_approval_service.rb
@@ -15,7 +15,7 @@ module MergeRequests
trigger_approval_hooks(merge_request, skip_notification) do
next unless approval.destroy_all # rubocop: disable Cop/DestroyAll
- update_reviewer_state(merge_request, current_user, :unapproved) unless skip_updating_state
+ update_reviewer_state(merge_request, current_user, 'unapproved') unless skip_updating_state
reset_approvals_cache(merge_request)
unless skip_system_note
diff --git a/app/services/merge_requests/update_reviewer_state_service.rb b/app/services/merge_requests/update_reviewer_state_service.rb
index a77cdeeb121..9e4c3fd2180 100644
--- a/app/services/merge_requests/update_reviewer_state_service.rb
+++ b/app/services/merge_requests/update_reviewer_state_service.rb
@@ -12,8 +12,12 @@ module MergeRequests
trigger_merge_request_reviewers_updated(merge_request)
+ destroy_requested_changes(merge_request) if state == 'approved'
+
return success if state != 'requested_changes'
+ create_requested_changes(merge_request)
+
if merge_request.approved_by?(current_user) && !remove_approval(merge_request, current_user)
return error("Failed to remove approval")
end
@@ -23,5 +27,17 @@ module MergeRequests
error("Reviewer not found")
end
end
+
+ private
+
+ def create_requested_changes(merge_request)
+ merge_request.create_requested_changes(current_user)
+
+ trigger_merge_request_merge_status_updated(merge_request)
+ end
+
+ def destroy_requested_changes(merge_request)
+ merge_request.destroy_requested_changes(current_user)
+ end
end
end
diff --git a/app/validators/devise_email_validator.rb b/app/validators/devise_email_validator.rb
index b91cfe23f08..b462fa0ffde 100644
--- a/app/validators/devise_email_validator.rb
+++ b/app/validators/devise_email_validator.rb
@@ -19,7 +19,8 @@
# end
class DeviseEmailValidator < ActiveModel::EachValidator
DEFAULT_OPTIONS = {
- regexp: Devise.email_regexp
+ regexp: Devise.email_regexp,
+ invalid_characters_regexp: %r{[?!#$%&*\/=^<>]}
}.freeze
def initialize(options)
@@ -31,6 +32,14 @@ class DeviseEmailValidator < ActiveModel::EachValidator
end
def validate_each(record, attribute, value)
- record.errors.add(attribute, :invalid) unless options[:regexp].match?(value)
+ return if record.errors.include?(attribute)
+
+ record.errors.add(attribute, :invalid) unless valid_email?(value)
+ end
+
+ private
+
+ def valid_email?(value)
+ options[:regexp].match?(value) && !options[:invalid_characters_regexp].match?(value)
end
end
diff --git a/app/views/admin/application_settings/_git_http_limits.html.haml b/app/views/admin/application_settings/_git_http_limits.html.haml
new file mode 100644
index 00000000000..fc777a17443
--- /dev/null
+++ b/app/views/admin/application_settings/_git_http_limits.html.haml
@@ -0,0 +1,18 @@
+= gitlab_ui_form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-git-http-limits-settings'), html: { class: 'fieldset-form' } do |f|
+ = form_errors(@application_setting)
+
+ %fieldset
+ %h5
+ = _('Unauthenticated Git HTTP request rate limit')
+ .form-group
+ = f.gitlab_ui_checkbox_component :throttle_unauthenticated_git_http_enabled,
+ _('Enable unauthenticated Git HTTP request rate limit'),
+ help_text: _('Helps reduce unauthenticated Git HTTP request volume for git paths.')
+ .form-group
+ = f.label :throttle_unauthenticated_git_http_requests_per_period, _('Maximum unauthenticated Git HTTP requests per period per IP'), class: 'gl-font-weight-bold'
+ = f.number_field :throttle_unauthenticated_git_http_requests_per_period, class: 'form-control gl-form-input'
+ .form-group
+ = f.label :throttle_unauthenticated_git_http_period_in_seconds, _('Unauthenticated Git HTTP rate limit period in seconds'), class: 'gl-font-weight-bold'
+ = f.number_field :throttle_unauthenticated_git_http_period_in_seconds, class: 'form-control gl-form-input'
+
+ = f.submit _('Save changes'), pajamas_button: true
diff --git a/app/views/admin/application_settings/_sentry.html.haml b/app/views/admin/application_settings/_sentry.html.haml
index 5079f374c84..7058a4b5cca 100644
--- a/app/views/admin/application_settings/_sentry.html.haml
+++ b/app/views/admin/application_settings/_sentry.html.haml
@@ -1,12 +1,8 @@
= gitlab_ui_form_for @application_setting, url: metrics_and_profiling_admin_application_settings_path(anchor: 'js-sentry-settings'), html: { class: 'fieldset-form', id: 'sentry-settings' } do |f|
= form_errors(@application_setting)
- - if Feature.disabled?(:enable_new_sentry_integration)
- %fieldset.gl-text-secondary
- = safe_format(s_('AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, enable the %{code_start}enable_new_sentry_integration%{code_end} feature flag and restart GitLab.'), tag_pair(tag.b, :bold_start, :bold_end), tag_pair(tag.code, :code_start, :code_end))
- - else
- %fieldset.gl-text-secondary
- = safe_format(s_('AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, restart GitLab.'), tag_pair(tag.b, :bold_start, :bold_end))
+ %fieldset.gl-text-secondary
+ = safe_format(s_('AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, restart GitLab.'), tag_pair(tag.b, :bold_start, :bold_end))
%fieldset
.form-group
diff --git a/app/views/admin/application_settings/network.html.haml b/app/views/admin/application_settings/network.html.haml
index 86fbbef8dac..b951c97814f 100644
--- a/app/views/admin/application_settings/network.html.haml
+++ b/app/views/admin/application_settings/network.html.haml
@@ -72,6 +72,18 @@
.settings-content
= render partial: 'network_rate_limits', locals: { anchor: 'js-deprecated-limits-settings', setting_fragment: 'deprecated_api' }
+%section.settings.as-git-http-limits.no-animate#js-git-http-limits-settings{ class: ('expanded' if expanded_by_default?) }
+ .settings-header
+ %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
+ = _('Git HTTP rate limits')
+ = render Pajamas::ButtonComponent.new(button_options: { class: 'js-settings-toggle' }) do
+ = expanded_by_default? ? _('Collapse') : _('Expand')
+ %p.gl-text-secondary
+ = _('Configure specific limits for Git HTTP requests.')
+ = link_to _('Learn more.'), help_page_path('administration/settings/git_http_rate_limits'), target: '_blank', rel: 'noopener noreferrer'
+ .settings-content
+ = render 'git_http_limits'
+
%section.settings.as-git-lfs-limits.no-animate#js-git-lfs-limits-settings{ class: ('expanded' if expanded_by_default?) }
.settings-header
%h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
diff --git a/app/views/layouts/_head.html.haml b/app/views/layouts/_head.html.haml
index 728997d39c7..ea770a076f3 100644
--- a/app/views/layouts/_head.html.haml
+++ b/app/views/layouts/_head.html.haml
@@ -48,10 +48,8 @@
= render 'layouts/loading_hints'
= render_if_exists 'layouts/header/translations'
- - if Feature.enabled?(:enable_new_sentry_integration) && Gitlab::CurrentSettings.sentry_enabled
+ - if Gitlab::CurrentSettings.sentry_enabled
= webpack_bundle_tag 'sentry'
- - elsif Gitlab.config.sentry.enabled
- = webpack_bundle_tag 'legacy_sentry'
= webpack_bundle_tag 'performance_bar' if performance_bar_enabled?
= yield :page_specific_javascripts
diff --git a/app/views/search/_results_status.html.haml b/app/views/search/_results_status.html.haml
index 3c42126e480..28fc99c3de5 100644
--- a/app/views/search/_results_status.html.haml
+++ b/app/views/search/_results_status.html.haml
@@ -1,30 +1,25 @@
-.section{ class: ('gl-lg-display-none' if @search_objects.to_a.empty?) }
- .search-results-status
- .gl-display-flex.gl-flex-direction-column
- .gl-p-5.gl-display-flex.gl-flex-wrap
- - unless @search_objects.to_a.empty?
- .gl-display-flex.gl-text-left.gl-flex-grow-1.gl-flex-shrink-1.gl-white-space-nowrap.gl-flex-wrap.gl-sm-w-half
+.search-results-status.gl-sm-display-flex.gl-flex-wrap.gl-justify-content-space-between.gl-my-4{ class: ('gl-lg-display-none' if @search_objects.to_a.empty?) }
+ - unless @search_objects.to_a.empty?
+ %p.gl-text-truncate.gl-my-auto
+ - unless @search_service_presenter.without_count?
+ = search_entries_info(@search_objects, @scope, @search_term)
+ - unless @search_service_presenter.show_snippets?
+ - if @project
+ - link_to_project = link_to(@project.full_name, @project, class: 'search-wrap-f-md-down')
+ - if @scope == 'blobs'
+ = _("in")
+ .mx-md-1.gl-my-auto
+ #js-blob-ref-switcher{ data: { "project-id" => @project.id, "ref" => repository_ref(@project), "field-name": "repository_ref" } }
%p.gl-text-truncate.gl-my-auto
- - unless @search_service_presenter.without_count?
- = search_entries_info(@search_objects, @scope, @search_term)
- - unless @search_service_presenter.show_snippets?
- - if @project
- - link_to_project = link_to(@project.full_name, @project, class: 'search-wrap-f-md-down')
- - if @scope == 'blobs'
- = _("in")
- .mx-md-1.gl-my-auto
- #js-blob-ref-switcher{ data: { "project-id" => @project.id, "ref" => repository_ref(@project), "field-name": "repository_ref" } }
- %p.gl-text-truncate.gl-my-auto
- = s_('SearchCodeResults|of %{link_to_project}').html_safe % { link_to_project: link_to_project }
- - else
- = _("in project %{link_to_project}").html_safe % { link_to_project: link_to_project }
- - elsif @group
- - link_to_group = link_to(@group.name, @group, class: 'ml-md-1')
- = _("in group %{link_to_group}").html_safe % { link_to_group: link_to_group }
- .gl-display-flex.gl-my-3.gl-flex-grow-1.gl-flex-shrink-1.gl-justify-content-end
- = render Pajamas::ButtonComponent.new(category: 'primary', icon: 'filter', button_options: {id: 'js-open-mobile-filters', class: 'gl-lg-display-none'}) do
- = s_('GlobalSearch|Filters')
- - if @search_service_presenter.show_sort_dropdown? && !@search_objects.to_a.empty?
- .gl-ml-3
- #js-search-sort{ data: { "search-sort-options" => search_sort_options.to_json } }
- %hr.gl-mb-5.gl-mt-0.gl-border-gray-100.gl-w-full
+ = s_('SearchCodeResults|of %{link_to_project}').html_safe % { link_to_project: link_to_project }
+ - else
+ = _("in project %{link_to_project}").html_safe % { link_to_project: link_to_project }
+ - elsif @group
+ - link_to_group = link_to(@group.name, @group, class: 'ml-md-1')
+ = _("in group %{link_to_group}").html_safe % { link_to_group: link_to_group }
+ .gl-display-flex
+ = render Pajamas::ButtonComponent.new(category: 'primary', icon: 'filter', button_options: {id: 'js-open-mobile-filters', class: 'gl-lg-display-none'}) do
+ = s_('GlobalSearch|Filters')
+ - if @search_service_presenter.show_sort_dropdown? && !@search_objects.to_a.empty?
+ .gl-ml-3
+ #js-search-sort{ data: { "search-sort-options" => search_sort_options.to_json } }
diff --git a/app/views/search/results/_issuable.html.haml b/app/views/search/results/_issuable.html.haml
index 75530b616bf..52da4ca254a 100644
--- a/app/views/search/results/_issuable.html.haml
+++ b/app/views/search/results/_issuable.html.haml
@@ -1,4 +1,4 @@
-%div{ class: 'search-result-row gl-display-flex gl-sm-flex-direction-row gl-flex-direction-column gl-align-items-center gl-pb-5! gl-mt-5 gl-mb-0!' }
+.search-result-row.row.gl-display-flex.gl-sm-flex-direction-row.gl-flex-direction-column.gl-align-items-center.gl-mt-5{ class: 'gl-pb-5! gl-mb-0!' }
.col-sm-9
%span.gl-display-flex.gl-align-items-center
= gl_badge_tag issuable_state_text(issuable), variant: issuable_state_to_badge_class(issuable), size: :sm
diff --git a/app/views/shared/_choose_avatar_button.html.haml b/app/views/shared/_choose_avatar_button.html.haml
index 30a6a31cdd4..3fbc4d30744 100644
--- a/app/views/shared/_choose_avatar_button.html.haml
+++ b/app/views/shared/_choose_avatar_button.html.haml
@@ -1 +1 @@
-= render 'shared/file_picker_button', f: f, field: :avatar, help_text: s_("Profiles|The ideal image size is 192 x 192 pixels.") + " " + s_("Profiles|The maximum file size allowed is 200KB.")
+= render 'shared/file_picker_button', f: f, field: :avatar, help_text: s_("Profiles|The ideal image size is 192 x 192 pixels.") + " " + s_("Profiles|The maximum file size allowed is 200 KiB.")
diff --git a/app/views/user_settings/profiles/show.html.haml b/app/views/user_settings/profiles/show.html.haml
index 39b0084cbeb..66977d814b9 100644
--- a/app/views/user_settings/profiles/show.html.haml
+++ b/app/views/user_settings/profiles/show.html.haml
@@ -38,7 +38,7 @@
= f.file_field :avatar, class: 'js-user-avatar-input hidden', accept: 'image/*'
.gl-text-gray-500
= s_("Profiles|The ideal image size is 192 x 192 pixels.")
- = s_("Profiles|The maximum file size allowed is 200KB.")
+ = s_("Profiles|The maximum file size allowed is 200 KiB.")
- if @user.avatar?
= render Pajamas::ButtonComponent.new(variant: :danger,
category: :secondary,
diff --git a/config/feature_flags/development/enable_new_sentry_integration.yml b/config/feature_flags/development/enable_new_sentry_integration.yml
deleted file mode 100644
index 00665f80ed6..00000000000
--- a/config/feature_flags/development/enable_new_sentry_integration.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: enable_new_sentry_integration
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72428
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/344832
-milestone: '14.9'
-type: development
-group: group::pipeline execution
-default_enabled: false
diff --git a/config/feature_flags/development/enable_old_sentry_integration.yml b/config/feature_flags/development/enable_old_sentry_integration.yml
deleted file mode 100644
index 4911dbfdc78..00000000000
--- a/config/feature_flags/development/enable_old_sentry_integration.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: enable_old_sentry_integration
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72428
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/344832
-milestone: '14.9'
-type: development
-group: group::pipeline execution
-default_enabled: true
diff --git a/config/feature_flags/gitlab_com_derisk/native_header_anchors.yml b/config/feature_flags/gitlab_com_derisk/native_header_anchors.yml
new file mode 100644
index 00000000000..24f36fcd99f
--- /dev/null
+++ b/config/feature_flags/gitlab_com_derisk/native_header_anchors.yml
@@ -0,0 +1,9 @@
+---
+name: native_header_anchors
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/440733
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144690
+rollout_issue_url:
+milestone: '17.0'
+group: group::project management
+type: gitlab_com_derisk
+default_enabled: false
diff --git a/config/gitlab_loose_foreign_keys.yml b/config/gitlab_loose_foreign_keys.yml
index 56a233425e5..b29b31cb20e 100644
--- a/config/gitlab_loose_foreign_keys.yml
+++ b/config/gitlab_loose_foreign_keys.yml
@@ -245,6 +245,16 @@ merge_request_metrics:
- table: ci_pipelines
column: pipeline_id
on_delete: async_nullify
+merge_request_requested_changes:
+ - table: merge_requests
+ column: merge_request_id
+ on_delete: async_delete
+ - table: projects
+ column: project_id
+ on_delete: async_delete
+ - table: users
+ column: user_id
+ on_delete: async_delete
merge_requests:
- table: ci_pipelines
column: head_pipeline_id
diff --git a/config/webpack.config.js b/config/webpack.config.js
index ca5506a1e39..f6cd978f300 100644
--- a/config/webpack.config.js
+++ b/config/webpack.config.js
@@ -261,7 +261,6 @@ module.exports = {
*/
return {
default: defaultEntries,
- legacy_sentry: './sentry/legacy_index.js',
sentry: './sentry/index.js',
performance_bar: './performance_bar/index.js',
jira_connect_app: './jira_connect/subscriptions/index.js',
diff --git a/data/deprecations/14-8-graphql-runner-active.yml b/data/deprecations/14-8-graphql-runner-active.yml
new file mode 100644
index 00000000000..296ed3b6ddf
--- /dev/null
+++ b/data/deprecations/14-8-graphql-runner-active.yml
@@ -0,0 +1,40 @@
+- title: 'Runner `active` GraphQL fields replaced by `paused`'
+ # The milestones for the deprecation announcement, and the removal.
+ removal_milestone: '18.0'
+ announcement_milestone: '14.8'
+ # Change breaking_change to false if needed.
+ breaking_change: true
+ # The stage and GitLab username of the person reporting the change,
+ # and a link to the deprecation issue
+ reporter: pedropombeiro
+ stage: Verify
+ issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/351109
+ impact: low
+ scope: # Can be one or a combination of: [instance, group, project]
+ resolution_role: Developer
+ manual_task: true
+ body: | # (required) Don't change this line.
+ Occurrences of the `active` identifier in the GitLab GraphQL API endpoints will be renamed to `paused` in GitLab 18.0:
+
+ - The `CiRunner` property.
+ - The `RunnerUpdateInput` input type for the `runnerUpdate` mutation.
+ - The `runners`, `Group.runners`, and `Project.runners` queries.
+
+ # ==============================
+ # OPTIONAL END-OF-SUPPORT FIELDS
+ # ==============================
+ #
+ # If an End of Support period applies:
+ # 1) Share this announcement in the `#spt_managers` Support channel in Slack
+ # 2) Mention `@gitlab-com/support` in this merge request.
+ #
+ # When support for this feature ends, in XX.YY milestone format.
+ end_of_support_milestone:
+ # Array of tiers the feature is currently available to,
+ # like [Free, Silver, Gold, Core, Premium, Ultimate]
+ tiers:
+ # Links to documentation and thumbnail image
+ documentation_url: https://docs.gitlab.com/ee/api/graphql/reference/index.html#cirunner
+ image_url:
+ # Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg
+ video_url:
diff --git a/data/whats_new/202404160001_16_11.yml b/data/whats_new/202404160001_16_11.yml
index ff9361acdd7..69129bcf6fd 100644
--- a/data/whats_new/202404160001_16_11.yml
+++ b/data/whats_new/202404160001_16_11.yml
@@ -10,7 +10,7 @@
stage: ai-powered
self-managed: true
gitlab-com: true
- available_in: [Free, Premium, Ultimate]
+ available_in: [Premium, Ultimate]
documentation_link: https://docs.gitlab.com/ee/user/gitlab_duo_chat.html
image_url: https://img.youtube.com/vi/ZQBAuf-CTAY/hqdefault.jpg
published_at: 2024-04-18
@@ -52,7 +52,7 @@
stage: govern
self-managed: true
gitlab-com: true
- available_in: [Free, Premium, Ultimate]
+ available_in: [Premium, Ultimate]
documentation_link: https://docs.gitlab.com/ee/editor_extensions/jetbrains_ide/index.html
image_url: https://about.gitlab.com/images/16_11/create-duo-chat-in-jetbrains.png
published_at: 2024-04-18
diff --git a/db/docs/batched_background_migrations/backfill_workspace_variables_project_id.yml b/db/docs/batched_background_migrations/backfill_workspace_variables_project_id.yml
new file mode 100644
index 00000000000..8aacc82b2fa
--- /dev/null
+++ b/db/docs/batched_background_migrations/backfill_workspace_variables_project_id.yml
@@ -0,0 +1,9 @@
+---
+migration_job_name: BackfillWorkspaceVariablesProjectId
+description: Backfills sharding key `workspace_variables.project_id` from `workspaces`.
+feature_category: remote_development
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150074
+milestone: '17.0'
+queued_migration_version: 20240419035360
+finalize_after: '2024-05-22'
+finalized_by: # version of the migration that finalized this BBM
diff --git a/db/docs/merge_request_requested_changes.yml b/db/docs/merge_request_requested_changes.yml
new file mode 100644
index 00000000000..fe49f404a4e
--- /dev/null
+++ b/db/docs/merge_request_requested_changes.yml
@@ -0,0 +1,12 @@
+---
+table_name: merge_request_requested_changes
+classes:
+- MergeRequests::RequestedChange
+feature_categories:
+- code_review_workflow
+description: Blocker for changes requested on a merge request
+introduced_by_url:
+milestone: '17.0'
+gitlab_schema: gitlab_main_cell
+sharding_key:
+ project_id: projects
\ No newline at end of file
diff --git a/db/docs/workspace_variables.yml b/db/docs/workspace_variables.yml
index f92750f84c1..f8f0369e75f 100644
--- a/db/docs/workspace_variables.yml
+++ b/db/docs/workspace_variables.yml
@@ -23,3 +23,4 @@ desired_sharding_key:
table: workspaces
sharding_key: project_id
belongs_to: workspace
+desired_sharding_key_migration_job_name: BackfillWorkspaceVariablesProjectId
diff --git a/db/migrate/20240405090000_add_throttle_unauthenticated_git_http_to_application_settings.rb b/db/migrate/20240405090000_add_throttle_unauthenticated_git_http_to_application_settings.rb
new file mode 100644
index 00000000000..1881b8d630b
--- /dev/null
+++ b/db/migrate/20240405090000_add_throttle_unauthenticated_git_http_to_application_settings.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+class AddThrottleUnauthenticatedGitHttpToApplicationSettings < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ disable_ddl_transaction!
+
+ def up
+ add_column :application_settings, :rate_limits_unauthenticated_git_http, :jsonb, default: {}, null: false,
+ if_not_exists: true
+
+ add_check_constraint(
+ :application_settings,
+ "(jsonb_typeof(rate_limits_unauthenticated_git_http) = 'object')",
+ 'check_application_settings_rate_limits_unauth_git_http_is_hash'
+ )
+ end
+
+ def down
+ remove_column :application_settings, :rate_limits_unauthenticated_git_http, it_exists: true
+ end
+end
diff --git a/db/migrate/20240405090010_update_throttle_unauthenticated_git_http_in_application_settings.rb b/db/migrate/20240405090010_update_throttle_unauthenticated_git_http_in_application_settings.rb
new file mode 100644
index 00000000000..d4458912262
--- /dev/null
+++ b/db/migrate/20240405090010_update_throttle_unauthenticated_git_http_in_application_settings.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+class UpdateThrottleUnauthenticatedGitHttpInApplicationSettings < Gitlab::Database::Migration[2.2]
+ restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+ milestone '17.0'
+
+ disable_ddl_transaction!
+
+ def up
+ execute <<~SQL
+ UPDATE application_settings
+ SET rate_limits_unauthenticated_git_http = jsonb_build_object(
+ 'throttle_unauthenticated_git_http_enabled', throttle_unauthenticated_enabled,
+ 'throttle_unauthenticated_git_http_requests_per_period', throttle_unauthenticated_requests_per_period,
+ 'throttle_unauthenticated_git_http_period_in_seconds', throttle_unauthenticated_period_in_seconds
+ );
+ SQL
+ end
+
+ def down
+ execute "UPDATE application_settings SET rate_limits_unauthenticated_git_http = CAST('{}' AS jsonb)"
+ end
+end
diff --git a/db/migrate/20240415184907_add_trusted_extern_uid_to_identities.rb b/db/migrate/20240415184907_add_trusted_extern_uid_to_identities.rb
new file mode 100644
index 00000000000..a2759fd4d82
--- /dev/null
+++ b/db/migrate/20240415184907_add_trusted_extern_uid_to_identities.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class AddTrustedExternUidToIdentities < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ enable_lock_retries!
+
+ def change
+ add_column :identities, :trusted_extern_uid, :boolean, default: true
+ end
+end
diff --git a/db/migrate/20240415190848_index_identities_on_provider.rb b/db/migrate/20240415190848_index_identities_on_provider.rb
new file mode 100644
index 00000000000..60553840c17
--- /dev/null
+++ b/db/migrate/20240415190848_index_identities_on_provider.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class IndexIdentitiesOnProvider < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ disable_ddl_transaction!
+
+ INDEX_NAME = 'index_identities_on_provider'
+
+ def up
+ add_concurrent_index :identities, :provider, name: INDEX_NAME
+ end
+
+ def down
+ remove_concurrent_index_by_name :identities, name: INDEX_NAME
+ end
+end
diff --git a/db/migrate/20240419035356_add_project_id_to_workspace_variables.rb b/db/migrate/20240419035356_add_project_id_to_workspace_variables.rb
new file mode 100644
index 00000000000..7616169c0d2
--- /dev/null
+++ b/db/migrate/20240419035356_add_project_id_to_workspace_variables.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddProjectIdToWorkspaceVariables < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ def change
+ add_column :workspace_variables, :project_id, :bigint
+ end
+end
diff --git a/db/migrate/20240419035357_index_workspace_variables_on_project_id.rb b/db/migrate/20240419035357_index_workspace_variables_on_project_id.rb
new file mode 100644
index 00000000000..66a236b4b34
--- /dev/null
+++ b/db/migrate/20240419035357_index_workspace_variables_on_project_id.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class IndexWorkspaceVariablesOnProjectId < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+ disable_ddl_transaction!
+
+ INDEX_NAME = 'index_workspace_variables_on_project_id'
+
+ def up
+ add_concurrent_index :workspace_variables, :project_id, name: INDEX_NAME
+ end
+
+ def down
+ remove_concurrent_index_by_name :workspace_variables, INDEX_NAME
+ end
+end
diff --git a/db/migrate/20240419035358_add_workspace_variables_project_id_fk.rb b/db/migrate/20240419035358_add_workspace_variables_project_id_fk.rb
new file mode 100644
index 00000000000..9229fd1f7c6
--- /dev/null
+++ b/db/migrate/20240419035358_add_workspace_variables_project_id_fk.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class AddWorkspaceVariablesProjectIdFk < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+ disable_ddl_transaction!
+
+ def up
+ add_concurrent_foreign_key :workspace_variables, :projects, column: :project_id, on_delete: :cascade
+ end
+
+ def down
+ with_lock_retries do
+ remove_foreign_key :workspace_variables, column: :project_id
+ end
+ end
+end
diff --git a/db/migrate/20240419085004_create_merge_request_requested_changes.rb b/db/migrate/20240419085004_create_merge_request_requested_changes.rb
new file mode 100644
index 00000000000..e32fd425aae
--- /dev/null
+++ b/db/migrate/20240419085004_create_merge_request_requested_changes.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class CreateMergeRequestRequestedChanges < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ def change
+ create_table :merge_request_requested_changes do |t|
+ t.bigint :project_id, null: false
+ t.bigint :user_id, null: false
+ t.bigint :merge_request_id, null: false
+
+ t.timestamps_with_timezone null: false
+
+ t.index :project_id
+ t.index :user_id
+ t.index :merge_request_id
+ end
+ end
+end
diff --git a/db/post_migrate/20240419035359_add_workspace_variables_project_id_trigger.rb b/db/post_migrate/20240419035359_add_workspace_variables_project_id_trigger.rb
new file mode 100644
index 00000000000..7702bf1d9e8
--- /dev/null
+++ b/db/post_migrate/20240419035359_add_workspace_variables_project_id_trigger.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class AddWorkspaceVariablesProjectIdTrigger < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+
+ def up
+ install_sharding_key_assignment_trigger(
+ table: :workspace_variables,
+ sharding_key: :project_id,
+ parent_table: :workspaces,
+ parent_sharding_key: :project_id,
+ foreign_key: :workspace_id
+ )
+ end
+
+ def down
+ remove_sharding_key_assignment_trigger(
+ table: :workspace_variables,
+ sharding_key: :project_id,
+ parent_table: :workspaces,
+ parent_sharding_key: :project_id,
+ foreign_key: :workspace_id
+ )
+ end
+end
diff --git a/db/post_migrate/20240419035360_queue_backfill_workspace_variables_project_id.rb b/db/post_migrate/20240419035360_queue_backfill_workspace_variables_project_id.rb
new file mode 100644
index 00000000000..b735a769eab
--- /dev/null
+++ b/db/post_migrate/20240419035360_queue_backfill_workspace_variables_project_id.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+class QueueBackfillWorkspaceVariablesProjectId < Gitlab::Database::Migration[2.2]
+ milestone '17.0'
+ restrict_gitlab_migration gitlab_schema: :gitlab_main_cell
+
+ MIGRATION = "BackfillWorkspaceVariablesProjectId"
+ DELAY_INTERVAL = 2.minutes
+ BATCH_SIZE = 1000
+ SUB_BATCH_SIZE = 100
+
+ def up
+ queue_batched_background_migration(
+ MIGRATION,
+ :workspace_variables,
+ :id,
+ :project_id,
+ :workspaces,
+ :project_id,
+ :workspace_id,
+ job_interval: DELAY_INTERVAL,
+ batch_size: BATCH_SIZE,
+ sub_batch_size: SUB_BATCH_SIZE
+ )
+ end
+
+ def down
+ delete_batched_background_migration(
+ MIGRATION,
+ :workspace_variables,
+ :id,
+ [
+ :project_id,
+ :workspaces,
+ :project_id,
+ :workspace_id
+ ]
+ )
+ end
+end
diff --git a/db/post_migrate/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities.rb b/db/post_migrate/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities.rb
new file mode 100644
index 00000000000..9be3f89235c
--- /dev/null
+++ b/db/post_migrate/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class SetTrustedExternUidToFalseForExistingBitbucketIdentities < Gitlab::Database::Migration[2.2]
+ restrict_gitlab_migration gitlab_schema: :gitlab_main_clusterwide
+
+ milestone '17.0'
+
+ disable_ddl_transaction!
+
+ BATCH_SIZE = 1000
+
+ def up
+ define_batchable_model('identities').where(provider: 'bitbucket').each_batch(of: BATCH_SIZE) do |batch|
+ batch.update_all(trusted_extern_uid: false)
+ end
+ end
+end
diff --git a/db/schema_migrations/20240405090000 b/db/schema_migrations/20240405090000
new file mode 100644
index 00000000000..42e1ac97298
--- /dev/null
+++ b/db/schema_migrations/20240405090000
@@ -0,0 +1 @@
+1f79208f10eac682970b91dd12159c9c7446fab637409d2f62dc91231af1dd13
\ No newline at end of file
diff --git a/db/schema_migrations/20240405090010 b/db/schema_migrations/20240405090010
new file mode 100644
index 00000000000..3b93267c8f9
--- /dev/null
+++ b/db/schema_migrations/20240405090010
@@ -0,0 +1 @@
+c84be5380fb2c1e90aabd987b8a7c020ec17405a8d0b97f0ca44e4ea724b7c6d
\ No newline at end of file
diff --git a/db/schema_migrations/20240415184907 b/db/schema_migrations/20240415184907
new file mode 100644
index 00000000000..bb000eeb996
--- /dev/null
+++ b/db/schema_migrations/20240415184907
@@ -0,0 +1 @@
+66b22a6c730d44535b321e0dd626c1b47fa3206ff811acd16007e9587a4c5d65
\ No newline at end of file
diff --git a/db/schema_migrations/20240415190848 b/db/schema_migrations/20240415190848
new file mode 100644
index 00000000000..d7c525ca496
--- /dev/null
+++ b/db/schema_migrations/20240415190848
@@ -0,0 +1 @@
+8e74960909f458e3500f3857a4154b4b930dc21d4f5c1d7916f321f197220ba6
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035356 b/db/schema_migrations/20240419035356
new file mode 100644
index 00000000000..55a4f207a17
--- /dev/null
+++ b/db/schema_migrations/20240419035356
@@ -0,0 +1 @@
+a1f5f62a9782df2887fea2f8f1bccca6759e9da59d9a2778d6e7d09fc998d690
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035357 b/db/schema_migrations/20240419035357
new file mode 100644
index 00000000000..9c33231778a
--- /dev/null
+++ b/db/schema_migrations/20240419035357
@@ -0,0 +1 @@
+ae763de6e4f8d746dce6d4c5d1aa68b1e756bbd0488d2ad705c016ecc7c04fcd
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035358 b/db/schema_migrations/20240419035358
new file mode 100644
index 00000000000..f79680cb39c
--- /dev/null
+++ b/db/schema_migrations/20240419035358
@@ -0,0 +1 @@
+1867e85e95b2def01e9fc4ef4209e64f7afd5e71a1378a0024dadc3715cc07aa
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035359 b/db/schema_migrations/20240419035359
new file mode 100644
index 00000000000..7c45f82c416
--- /dev/null
+++ b/db/schema_migrations/20240419035359
@@ -0,0 +1 @@
+0ed31058286c68932a683e6072002fd5fe6a4d785c113db22028262aafc47c86
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035360 b/db/schema_migrations/20240419035360
new file mode 100644
index 00000000000..a8912146466
--- /dev/null
+++ b/db/schema_migrations/20240419035360
@@ -0,0 +1 @@
+6f571972797eee34572944fb18ecf389d97c5880838b9c3c0ccf7ebbe5937f1d
\ No newline at end of file
diff --git a/db/schema_migrations/20240419085004 b/db/schema_migrations/20240419085004
new file mode 100644
index 00000000000..4b65832cf5d
--- /dev/null
+++ b/db/schema_migrations/20240419085004
@@ -0,0 +1 @@
+a845ee1d6e023d976f526e76d2d690ec2a168d8975eda3edb5a1e9932d26c16c
\ No newline at end of file
diff --git a/db/schema_migrations/20240419140530 b/db/schema_migrations/20240419140530
new file mode 100644
index 00000000000..37f6a20d23c
--- /dev/null
+++ b/db/schema_migrations/20240419140530
@@ -0,0 +1 @@
+cab7740141a0b515fbaf0c6e38c3d2aea4ac5ff765a2978ccd89f4274d44c1d1
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index be87a452f0d..904f9229def 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -695,6 +695,22 @@ BEGIN
END;
$$;
+CREATE FUNCTION trigger_56d49f4ed623() RETURNS trigger
+ LANGUAGE plpgsql
+ AS $$
+BEGIN
+IF NEW."project_id" IS NULL THEN
+ SELECT "project_id"
+ INTO NEW."project_id"
+ FROM "workspaces"
+ WHERE "workspaces"."id" = NEW."workspace_id";
+END IF;
+
+RETURN NEW;
+
+END
+$$;
+
CREATE FUNCTION trigger_94514aeadc50() RETURNS trigger
LANGUAGE plpgsql
AS $$
@@ -4319,6 +4335,7 @@ CREATE TABLE application_settings (
include_optional_metrics_in_service_ping boolean DEFAULT true NOT NULL,
zoekt_settings jsonb DEFAULT '{}'::jsonb NOT NULL,
service_ping_settings jsonb DEFAULT '{}'::jsonb NOT NULL,
+ rate_limits_unauthenticated_git_http jsonb DEFAULT '{}'::jsonb NOT NULL,
CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
CONSTRAINT app_settings_container_registry_pre_import_tags_rate_positive CHECK ((container_registry_pre_import_tags_rate >= (0)::numeric)),
CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)),
@@ -4371,6 +4388,7 @@ CREATE TABLE application_settings (
CONSTRAINT check_app_settings_sentry_clientside_traces_sample_rate_range CHECK (((sentry_clientside_traces_sample_rate >= (0)::double precision) AND (sentry_clientside_traces_sample_rate <= (1)::double precision))),
CONSTRAINT check_application_settings_clickhouse_is_hash CHECK ((jsonb_typeof(clickhouse) = 'object'::text)),
CONSTRAINT check_application_settings_rate_limits_is_hash CHECK ((jsonb_typeof(rate_limits) = 'object'::text)),
+ CONSTRAINT check_application_settings_rate_limits_unauth_git_http_is_hash CHECK ((jsonb_typeof(rate_limits_unauthenticated_git_http) = 'object'::text)),
CONSTRAINT check_application_settings_service_ping_settings_is_hash CHECK ((jsonb_typeof(service_ping_settings) = 'object'::text)),
CONSTRAINT check_b8c74ea5b3 CHECK ((char_length(deactivation_email_additional_text) <= 1000)),
CONSTRAINT check_cdfbd99405 CHECK ((char_length(security_txt_content) <= 2048)),
@@ -9764,7 +9782,8 @@ CREATE TABLE identities (
created_at timestamp without time zone,
updated_at timestamp without time zone,
secondary_extern_uid character varying,
- saml_provider_id integer
+ saml_provider_id integer,
+ trusted_extern_uid boolean DEFAULT true
);
CREATE SEQUENCE identities_id_seq
@@ -11250,6 +11269,24 @@ CREATE SEQUENCE merge_request_predictions_merge_request_id_seq
ALTER SEQUENCE merge_request_predictions_merge_request_id_seq OWNED BY merge_request_predictions.merge_request_id;
+CREATE TABLE merge_request_requested_changes (
+ id bigint NOT NULL,
+ project_id bigint NOT NULL,
+ user_id bigint NOT NULL,
+ merge_request_id bigint NOT NULL,
+ created_at timestamp with time zone NOT NULL,
+ updated_at timestamp with time zone NOT NULL
+);
+
+CREATE SEQUENCE merge_request_requested_changes_id_seq
+ START WITH 1
+ INCREMENT BY 1
+ NO MINVALUE
+ NO MAXVALUE
+ CACHE 1;
+
+ALTER SEQUENCE merge_request_requested_changes_id_seq OWNED BY merge_request_requested_changes.id;
+
CREATE TABLE merge_request_review_llm_summaries (
id bigint NOT NULL,
user_id bigint,
@@ -18123,6 +18160,7 @@ CREATE TABLE workspace_variables (
key text NOT NULL,
encrypted_value bytea NOT NULL,
encrypted_value_iv bytea NOT NULL,
+ project_id bigint,
CONSTRAINT check_5545042100 CHECK ((char_length(key) <= 255))
);
@@ -19403,6 +19441,8 @@ ALTER TABLE ONLY merge_request_metrics ALTER COLUMN id SET DEFAULT nextval('merg
ALTER TABLE ONLY merge_request_predictions ALTER COLUMN merge_request_id SET DEFAULT nextval('merge_request_predictions_merge_request_id_seq'::regclass);
+ALTER TABLE ONLY merge_request_requested_changes ALTER COLUMN id SET DEFAULT nextval('merge_request_requested_changes_id_seq'::regclass);
+
ALTER TABLE ONLY merge_request_review_llm_summaries ALTER COLUMN id SET DEFAULT nextval('merge_request_review_llm_summaries_id_seq'::regclass);
ALTER TABLE ONLY merge_request_reviewers ALTER COLUMN id SET DEFAULT nextval('merge_request_reviewers_id_seq'::regclass);
@@ -21650,6 +21690,9 @@ ALTER TABLE ONLY merge_request_metrics
ALTER TABLE ONLY merge_request_predictions
ADD CONSTRAINT merge_request_predictions_pkey PRIMARY KEY (merge_request_id);
+ALTER TABLE ONLY merge_request_requested_changes
+ ADD CONSTRAINT merge_request_requested_changes_pkey PRIMARY KEY (id);
+
ALTER TABLE ONLY merge_request_review_llm_summaries
ADD CONSTRAINT merge_request_review_llm_summaries_pkey PRIMARY KEY (id);
@@ -25656,6 +25699,8 @@ CREATE INDEX index_historical_data_on_recorded_at ON historical_data USING btree
CREATE UNIQUE INDEX index_http_integrations_on_project_and_endpoint ON alert_management_http_integrations USING btree (project_id, endpoint_identifier);
+CREATE INDEX index_identities_on_provider ON identities USING btree (provider);
+
CREATE INDEX index_identities_on_saml_provider_id ON identities USING btree (saml_provider_id) WHERE (saml_provider_id IS NOT NULL);
CREATE INDEX index_identities_on_user_id ON identities USING btree (user_id);
@@ -26068,6 +26113,12 @@ CREATE INDEX index_merge_request_metrics_on_merged_at ON merge_request_metrics U
CREATE INDEX index_merge_request_metrics_on_pipeline_id ON merge_request_metrics USING btree (pipeline_id);
+CREATE INDEX index_merge_request_requested_changes_on_merge_request_id ON merge_request_requested_changes USING btree (merge_request_id);
+
+CREATE INDEX index_merge_request_requested_changes_on_project_id ON merge_request_requested_changes USING btree (project_id);
+
+CREATE INDEX index_merge_request_requested_changes_on_user_id ON merge_request_requested_changes USING btree (user_id);
+
CREATE INDEX index_merge_request_review_llm_summaries_on_mr_diff_id ON merge_request_review_llm_summaries USING btree (merge_request_diff_id);
CREATE INDEX index_merge_request_review_llm_summaries_on_review_id ON merge_request_review_llm_summaries USING btree (review_id);
@@ -27838,6 +27889,8 @@ CREATE UNIQUE INDEX index_work_item_widget_definitions_on_namespace_type_and_nam
CREATE INDEX index_work_item_widget_definitions_on_work_item_type_id ON work_item_widget_definitions USING btree (work_item_type_id);
+CREATE INDEX index_workspace_variables_on_project_id ON workspace_variables USING btree (project_id);
+
CREATE INDEX index_workspace_variables_on_workspace_id ON workspace_variables USING btree (workspace_id);
CREATE INDEX index_workspaces_on_cluster_agent_id ON workspaces USING btree (cluster_agent_id);
@@ -29722,6 +29775,8 @@ CREATE TRIGGER trigger_3857ca5ea4af BEFORE INSERT OR UPDATE ON merge_trains FOR
CREATE TRIGGER trigger_388e93f88fdd BEFORE INSERT OR UPDATE ON packages_build_infos FOR EACH ROW EXECUTE FUNCTION trigger_388e93f88fdd();
+CREATE TRIGGER trigger_56d49f4ed623 BEFORE INSERT OR UPDATE ON workspace_variables FOR EACH ROW EXECUTE FUNCTION trigger_56d49f4ed623();
+
CREATE TRIGGER trigger_94514aeadc50 BEFORE INSERT OR UPDATE ON deployment_approvals FOR EACH ROW EXECUTE FUNCTION trigger_94514aeadc50();
CREATE TRIGGER trigger_b2d852e1e2cb BEFORE INSERT OR UPDATE ON ci_pipelines FOR EACH ROW EXECUTE FUNCTION trigger_b2d852e1e2cb();
@@ -30091,6 +30146,9 @@ ALTER TABLE ONLY todos
ALTER TABLE ONLY releases
ADD CONSTRAINT fk_47fe2a0596 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
+ALTER TABLE ONLY workspace_variables
+ ADD CONSTRAINT fk_494e093520 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
+
ALTER TABLE ONLY geo_event_log
ADD CONSTRAINT fk_4a99ebfd60 FOREIGN KEY (repositories_changed_event_id) REFERENCES geo_repositories_changed_events(id) ON DELETE CASCADE;
diff --git a/doc/administration/job_artifacts.md b/doc/administration/job_artifacts.md
index 17a1a87df5e..ada4dcdb31c 100644
--- a/doc/administration/job_artifacts.md
+++ b/doc/administration/job_artifacts.md
@@ -177,8 +177,7 @@ WARNING:
In a multi-server setup you must use one of the options to
[eliminate local disk usage for job logs](job_logs.md#prevent-local-disk-usage), or job logs could be lost.
-In GitLab 13.2 and later, you should use the
-[consolidated object storage settings](object_storage.md#configure-a-single-storage-connection-for-all-object-types-consolidated-form).
+You should use the [consolidated object storage settings](object_storage.md#configure-a-single-storage-connection-for-all-object-types-consolidated-form).
### Migrating to object storage
diff --git a/doc/administration/job_artifacts_troubleshooting.md b/doc/administration/job_artifacts_troubleshooting.md
index 17797a15702..fb66aac7a86 100644
--- a/doc/administration/job_artifacts_troubleshooting.md
+++ b/doc/administration/job_artifacts_troubleshooting.md
@@ -23,8 +23,7 @@ reasons are:
- Artifact files might be left on disk and not deleted by housekeeping. Run the
[Rake task for _orphaned_ artifact files](../raketasks/cleanup.md#remove-orphan-artifact-files)
to remove these. This script should always find work to do, as it also removes empty directories (see above).
-- [Artifact housekeeping was changed significantly](#housekeeping-disabled-in-gitlab-146-to-152),
- and you might need to enable a feature flag to use the updated system.
+- [Artifact housekeeping was changed significantly](#housekeeping-disabled-in-gitlab-150-to-152), and you might need to enable a feature flag to use the updated system.
- The [keep latest artifacts from most recent success jobs](../ci/jobs/job_artifacts.md#keep-artifacts-from-most-recent-successful-jobs)
feature is enabled.
@@ -37,15 +36,11 @@ space, and in some cases, manually delete job artifacts to reclaim disk space.
Artifacts housekeeping is the process that identifies which artifacts are expired
and can be deleted.
-#### Housekeeping disabled in GitLab 14.6 to 15.2
+#### Housekeeping disabled in GitLab 15.0 to 15.2
-Artifact housekeeping was disabled in GitLab 14.6. It was significantly improved
-in GitLab 14.10, and the changes were back ported to patch versions of GitLab 14.6 and later,
-introduced behind [feature flags](feature_flags.md) disabled by default. The flags were
-enabled by default [in GitLab 15.3](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92931).
+Artifact housekeeping was significantly improved in GitLab 15.0, introduced behind [feature flags](feature_flags.md) disabled by default. The flags were enabled by default [in GitLab 15.3](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92931).
-If artifacts housekeeping does not seem to be working in GitLab 14.6 to GitLab 15.2,
-you should check if the feature flags are enabled.
+If artifacts housekeeping does not seem to be working in GitLab 15.0 to GitLab 15.2, you should check if the feature flags are enabled.
To check if the feature flags are enabled:
@@ -53,21 +48,11 @@ To check if the feature flags are enabled:
1. Check if the feature flags are enabled.
- - GitLab 14.10 and earlier:
-
- ```ruby
- Feature.enabled?(:ci_detect_wrongly_expired_artifacts, default_enabled: :yaml)
- Feature.enabled?(:ci_update_unlocked_job_artifacts, default_enabled: :yaml)
- Feature.enabled?(:ci_job_artifacts_backlog_work, default_enabled: :yaml)
- ```
-
- - GitLab 15.0 and later:
-
- ```ruby
- Feature.enabled?(:ci_detect_wrongly_expired_artifacts)
- Feature.enabled?(:ci_update_unlocked_job_artifacts)
- Feature.enabled?(:ci_job_artifacts_backlog_work)
- ```
+ ```ruby
+ Feature.enabled?(:ci_detect_wrongly_expired_artifacts)
+ Feature.enabled?(:ci_update_unlocked_job_artifacts)
+ Feature.enabled?(:ci_job_artifacts_backlog_work)
+ ```
1. If any of the feature flags are disabled, enable them:
@@ -154,23 +139,15 @@ GitLab 15.3 and later. It analyzes the artifacts returned by the above database
determines which should be `locked` or `unlocked`. Artifacts are then deleted
by that worker if needed.
-The worker can be enabled on self-managed instances running GitLab 14.10 and later:
+The worker can be enabled on self-managed instances:
1. Start a [Rails console](operations/rails_console.md#starting-a-rails-console-session).
1. Check if the feature is enabled.
-
- - GitLab 14.10:
-
- ```ruby
- Feature.enabled?(:ci_job_artifacts_backlog_work, default_enabled: :yaml)
- ```
-
- - GitLab 15.0 and later:
-
- ```ruby
- Feature.enabled?(:ci_job_artifacts_backlog_work)
- ```
+
+ ```ruby
+ Feature.enabled?(:ci_job_artifacts_backlog_work)
+ ```
1. Enable the feature, if needed:
@@ -429,8 +406,6 @@ For more information, [see the investigation details](https://gitlab.com/gitlab-
## Usage quota shows incorrect artifact storage usage
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/238536) in GitLab 14.10.
-
Sometimes the [artifacts storage usage](../user/usage_quotas.md) displays an incorrect
value for the total storage space used by artifacts. To recalculate the artifact
usage statistics for all projects in the instance, you can run this background script:
diff --git a/doc/administration/pages/index.md b/doc/administration/pages/index.md
index 2e6915f2409..3d499c78789 100644
--- a/doc/administration/pages/index.md
+++ b/doc/administration/pages/index.md
@@ -119,28 +119,25 @@ If you need support for namespace in the URL path to remove the requirement for
1. Enable the GitLab Pages flag for this feature by adding
`gitlab_pages["namespace_in_path"] = true` to `/etc/gitlab/gitlab.rb`.
-1. In your DNS provider, add entries for `example.io` and `projects.example.io`.
- In both lines, replace `example.io` with your domain name, and `192.0.0.0` with
+1. In your DNS provider, add entries for `example.io`.
+ Replace `example.io` with your domain name, and `192.0.0.0` with
the IPv4 version of your IP address. The entries look like this:
```plaintext
example.io 1800 IN A 192.0.0.0
- projects.example.io 1800 IN A 192.0.0.0
```
1. Optional. If your GitLab instance has an IPv6 address, add entries for it.
- In both lines, replace `example.io` with your domain name, and `2001:db8::1` with
+ Replace `example.io` with your domain name, and `2001:db8::1` with
the IPv6 version of your IP address. The entries look like this:
```plaintext
example.io 1800 IN AAAA 2001:db8::1
- projects.example.io 1800 IN AAAA 2001:db8::1
```
This example contains the following:
- `example.io`: The domain GitLab Pages is served from.
-- `projects.example.io`: An additional subdomain for GitLab Pages default authentication flow.
#### DNS configuration for custom domains
@@ -306,8 +303,7 @@ Prerequisites:
- Your instance must use the Linux package installation method.
- You have configured DNS setup
[without a wildcard](#for-namespace-in-url-path-without-wildcard-dns).
-- You have a single TLS certificate that covers your domain (like `example.io`)
- and the `projects.*` version of your domain, like `projects.example.io`.
+- You have a TLS certificate that covers your domain (like `example.io`).
In this configuration, NGINX proxies all requests to the daemon. The GitLab Pages
daemon doesn't listen to the outside world:
@@ -337,17 +333,18 @@ daemon doesn't listen to the outside world:
pages_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/pages-nginx.key"
```
-1. [Reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation).
+1. If you're using [Pages Access Control](#access-control), update the redirect URI in the GitLab Pages
+ [System OAuth application](../../integration/oauth_provider.md#create-an-instance-wide-application)
+ to use the HTTPS protocol.
WARNING:
- GitLab Pages does not update the OAuth application if changes are made to the redirect URI.
+ GitLab Pages does not update the OAuth application, and
+ the default `auth_redirect_uri` is updated to `https://example.io/projects/auth`.
Before you reconfigure, remove the `gitlab_pages` section from `/etc/gitlab/gitlab-secrets.json`,
then run `gitlab-ctl reconfigure`. For more information, see
[GitLab Pages does not regenerate OAuth](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/3947).
-1. If you're using [Pages Access Control](#access-control), update the redirect URI in the GitLab Pages
- [System OAuth application](../../integration/oauth_provider.md#create-an-instance-wide-application)
- to use the HTTPS protocol.
+1. [Reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation).
NGINX uses the custom proxy header `X-Gitlab-Namespace-In-Path`
to send the namespace to the GitLab Pages daemon.
diff --git a/doc/administration/settings/git_http_rate_limits.md b/doc/administration/settings/git_http_rate_limits.md
new file mode 100644
index 00000000000..751e41eec9b
--- /dev/null
+++ b/doc/administration/settings/git_http_rate_limits.md
@@ -0,0 +1,41 @@
+---
+stage: Create
+group: Source Code
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# Rate limits on Git HTTP
+
+DETAILS:
+**Tier:** Free, Premium, Ultimate
+**Offering:** Self-managed, GitLab Dedicated
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147112) in GitLab 17.0.
+
+If you use Git HTTP in your repository,
+common Git operations can generate many Git HTTP requests.
+Some of these Git HTTP requests do not contain authentication parameter and
+are considered unauthenticated. You can enforce rate limits on Git HTTP requests.
+This can improve the security and durability of your web application.
+[General user and IP rate limits](../settings/user_and_ip_rate_limits.md) aren't applied
+to Git HTTP requests.
+
+## Configure Git HTTP rate limits
+
+Git HTTP rate limits are disabled by default. If enabled and configured, these limits
+are applied to Git HTTP requests.
+
+To configure Git HTTP rate limits:
+
+1. On the left sidebar, at the bottom, select **Admin Area**.
+1. Select **Settings > Network**.
+1. Expand **Git HTTP rate limits**.
+1. Select **Enable unauthenticated Git HTTP request rate limit**.
+1. Enter a value for **Max unauthenticated Git HTTP requests per period per user**.
+1. Enter a value for **Unauthenticated Git HTTP rate limit period in seconds**.
+1. Select **Save changes**.
+
+## Related topics
+
+- [Rate limiting](../../security/rate_limits.md)
+- [User and IP rate limits](../settings/user_and_ip_rate_limits.md)
diff --git a/doc/administration/settings/rate_limits.md b/doc/administration/settings/rate_limits.md
index 89e64344e0c..3bcd47ebdc3 100644
--- a/doc/administration/settings/rate_limits.md
+++ b/doc/administration/settings/rate_limits.md
@@ -9,6 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
You can change network settings to limit the rate of connections with your instance.
- [Deprecated API rate limits](deprecated_api_rate_limits.md)
+- [Git HTTP](git_http_rate_limits.md)
- [Git LFS](git_lfs_rate_limits.md)
- [Git SSH operations](rate_limits_on_git_ssh_operations.md)
- [Incident management](incident_management_rate_limits.md)
diff --git a/doc/api/dependencies.md b/doc/api/dependencies.md
index a1f7ee97200..4d0c12de47a 100644
--- a/doc/api/dependencies.md
+++ b/doc/api/dependencies.md
@@ -15,9 +15,6 @@ This API is in an [Experiment](../policy/experiment-beta-support.md#experiment)
The response payload may be subject to change or breakage
across GitLab releases.
-> - Introduced in GitLab 12.1.
-> - Pagination introduced in 14.4.
-
Every call to this endpoint requires authentication. To perform this call, user should be authorized to read repository.
To see vulnerabilities in response, user should be authorized to read
[Project Security Dashboard](../user/application_security/security_dashboard/index.md).
diff --git a/doc/api/job_artifacts.md b/doc/api/job_artifacts.md
index 10c923c0498..f75cba3008a 100644
--- a/doc/api/job_artifacts.md
+++ b/doc/api/job_artifacts.md
@@ -316,9 +316,6 @@ If the artifacts were deleted successfully, a response with status `204 No Conte
## Delete project artifacts
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/223793) in GitLab 14.7 [with a flag](../administration/feature_flags.md) named `bulk_expire_project_artifacts`. Enabled by default on GitLab self-managed. Enabled on GitLab.com.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/350609) in GitLab 14.10.
-
Delete artifacts eligible for deletion in a project. By default, artifacts from
[the most recent successful pipeline of each ref](../ci/jobs/job_artifacts.md#keep-artifacts-from-most-recent-successful-jobs)
are not deleted.
diff --git a/doc/api/project_level_variables.md b/doc/api/project_level_variables.md
index 5753381bf29..4d6ae96921f 100644
--- a/doc/api/project_level_variables.md
+++ b/doc/api/project_level_variables.md
@@ -184,9 +184,6 @@ curl --request DELETE --header "PRIVATE-TOKEN: Supported are all variables available in `workflow`:
- Project/Group variables.
- Global `variables` and `workflow:rules:variables` (when matching the rule).
- Variables inherited from parent pipelines.
- Variables from triggers.
- Variables from pipeline schedules.
Not supported are variables defined in the GitLab Runner `config.toml`, variables defined in jobs, or [Persisted variables](#persisted-variables). | @@ -81,11 +81,6 @@ because the expansion is done in GitLab before any runner gets the job. #### Nested variable expansion -- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/48627) in GitLab 13.10. [Deployed behind the `variable_inside_variable` feature flag](../../user/feature_flags.md), disabled by default. -- [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/297382) in GitLab 14.3. -- [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/297382) in GitLab 14.4. -- Feature flag `variable_inside_variable` removed in GitLab 14.5. - GitLab expands job variable values recursively before sending them to the runner. For example, in the following scenario: ```yaml diff --git a/doc/drawers/exact_code_search_syntax.md b/doc/drawers/exact_code_search_syntax.md index ce4a97f9f87..ff425080ee2 100644 --- a/doc/drawers/exact_code_search_syntax.md +++ b/doc/drawers/exact_code_search_syntax.md @@ -7,17 +7,18 @@ source: /doc/user/search/exact_code_search.md # Search tips -| Query | Description | -| -------------------- |-------------------------------------------------------------------------------------- | -| `foo` | Returns files that contain `foo` | -| `"class foo"` | Returns files that contain the exact string `class foo` | -| `class foo` | Returns files that contain both `class` and `foo` | -| `foo or bar` | Returns files that contain either `foo` or `bar` | -| `class Foo` | Returns files that contain `class` (case insensitive) and `Foo` (case sensitive) | -| `class Foo case:yes` | Returns files that contain `class` and `Foo` (both case sensitive) | -| `foo -bar` | Returns files that contain `foo` but not `bar` | -| `foo file:js` | Searches for `foo` in files with names that contain `js` | -| `foo -file:test` | Searches for `foo` in files with names that do not contain `test` | -| `foo lang:ruby` | Searches for `foo` in Ruby source code | -| `foo f:\.js$` | Searches for `foo` in files with names that end with `.js` | -| `foo.*bar` | Searches for strings that match the regular expression `foo.*bar` | +| Query | Regular expression mode | Exact match mode | +| -------------------- | ----------------------------------------------------- | ------------------------------ | +| `"foo"` | `foo` | `"foo"` | +| `foo file:^doc/` | `foo` in directories that start with `/doc` | `foo` in directories that start with `/doc` | +| `"class foo"` | `class foo` | `"class foo"` | +| `class foo` | `class` and `foo` | `class foo` | +| `foo or bar` | `foo` or `bar` | `foo or bar` | +| `class Foo` | `class` (case insensitive) and `Foo` (case sensitive) | `class Foo` (case insensitive) | +| `class Foo case:yes` | `class` and `Foo` (both case sensitive) | `class Foo` (case sensitive) | +| `foo -bar` | `foo` but not `bar` | `foo -bar` | +| `foo file:js` | `foo` in files with names that contain `js` | `foo` in files with names that contain `js` | +| `foo -file:test` | `foo` in files with names that do not contain `test` | `foo` in files with names that do not contain `test` | +| `foo lang:ruby` | `foo` in Ruby source code | `foo` in Ruby source code | +| `foo file:\.js$` | `foo` in files with names that end with `.js` | `foo` in files with names that end with `.js` | +| `foo.*bar` | `foo.*bar` (regular expression) | None | diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md index b0626a1147e..7afe9e30511 100644 --- a/doc/update/deprecations.md +++ b/doc/update/deprecations.md @@ -325,6 +325,24 @@ This change is a breaking change. You should [create a runner in the UI](https:/
+### Runner `active` GraphQL fields replaced by `paused`
+
+
+
+
+- Announced in GitLab 14.8
+- Removal in GitLab 18.0 ([breaking change](https://docs.gitlab.com/ee/update/terminology.html#breaking-change))
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/351109).
+
+
+Occurrences of the `active` identifier in the GitLab GraphQL API endpoints will be renamed to `paused` in GitLab 18.0:
+
+- The `CiRunner` property.
+- The `RunnerUpdateInput` input type for the `runnerUpdate` mutation.
+- The `runners`, `Group.runners`, and `Project.runners` queries.
+
+
+
### Running a single database is deprecated
static: |-
diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index 0304f7ba37c..358e34c8b89 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -200,8 +200,6 @@ Authenticating to a remote registry is not supported when [FIPS mode](../../../d
#### Dependency list
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345434) in GitLab 14.6.
-
The `CS_DISABLE_DEPENDENCY_LIST` CI/CD variable controls whether the scan creates a
[Dependency List](../dependency_list/index.md)
report. This variable is currently only supported when the `trivy` analyzer is used. The variable's default setting of `"false"` causes the scan to create the report. To disable
@@ -220,8 +218,6 @@ container_scanning:
#### Report language-specific findings
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/7277) in GitLab 14.6.
-
The `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` CI/CD variable controls whether the scan reports
findings related to programming languages. The languages supported depend on the
[scanner used](#change-scanners):
@@ -267,15 +263,15 @@ including a large number of false positives.
| `CI_APPLICATION_REPOSITORY` | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` | Docker repository URL for the image to be scanned. | All |
| `CI_APPLICATION_TAG` | `$CI_COMMIT_SHA` | Docker repository tag for the image to be scanned. | All |
| `CS_ANALYZER_IMAGE` | `registry.gitlab.com/security-products/container-scanning:7` | Docker image of the analyzer. | All |
-| `CS_DEFAULT_BRANCH_IMAGE` | `""` | The name of the `CS_IMAGE` on the default branch. See [Setting the default branch image](#setting-the-default-branch-image) for more details. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338877) in GitLab 14.5. | All |
-| `CS_DISABLE_DEPENDENCY_LIST` | `"false"` | Disable Dependency Scanning for packages installed in the scanned image. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345434) in GitLab 14.6. | All |
-| `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` | `"true"` | Disable scanning for language-specific packages installed in the scanned image. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345434) in GitLab 14.6. | All |
+| `CS_DEFAULT_BRANCH_IMAGE` | `""` | The name of the `CS_IMAGE` on the default branch. See [Setting the default branch image](#setting-the-default-branch-image) for more details. | All |
+| `CS_DISABLE_DEPENDENCY_LIST` | `"false"` | Disable Dependency Scanning for packages installed in the scanned image. | All |
+| `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` | `"true"` | Disable scanning for language-specific packages installed in the scanned image. | All |
| `CS_DOCKER_INSECURE` | `"false"` | Allow access to secure Docker registries using HTTPS without validating the certificates. | All |
| `CS_DOCKERFILE_PATH` | `Dockerfile` | The path to the `Dockerfile` to use for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project. You should configure this variable only if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. | All |
| `CS_IGNORE_STATUSES`1 | `""` | Force the analyzer to ignore vulnerability findings with specified statuses in a comma-delimited list. For `trivy`, the following values are allowed: `unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life`. For `grype`, the following values are allowed: `fixed,not-fixed,unknown,wont-fix` | All |
| `CS_IGNORE_UNFIXED` | `"false"` | Ignore vulnerabilities that are not fixed. | All |
| `CS_IMAGE` | `$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG` | The Docker image to be scanned. If set, this variable overrides the `$CI_APPLICATION_REPOSITORY` and `$CI_APPLICATION_TAG` variables. | All |
-| `CS_IMAGE_SUFFIX` | `""` | Suffix added to `CS_ANALYZER_IMAGE`. If set to `-fips`, `FIPS-enabled` image is used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/7630) in GitLab 14.10. | All |
+| `CS_IMAGE_SUFFIX` | `""` | Suffix added to `CS_ANALYZER_IMAGE`. If set to `-fips`, `FIPS-enabled` image is used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. | All |
| `CS_QUIET` | `""` | If set, this variable disables output of the [vulnerabilities table](#container-scanning-job-log-format) in the job log. [Introduced](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/merge_requests/50) in GitLab 15.1. | All |
| `CS_REGISTRY_INSECURE` | `"false"` | Allow access to insecure registries (HTTP only). Should only be set to `true` when testing the image locally. Works with all scanners, but the registry must listen on port `80/tcp` for Trivy to work. | All |
| `CS_REGISTRY_PASSWORD` | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when [FIPS mode](../../../development/fips_compliance.md#enable-fips-mode) is enabled. | All |
@@ -316,8 +312,6 @@ Support depends on which scanner is used:
#### FIPS-enabled images
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5775) in GitLab 14.1.
-
GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
versions of the container-scanning images. You can therefore replace standard images with FIPS-enabled
images. To configure the images, set the `CS_IMAGE_SUFFIX` to `-fips` or modify the `CS_ANALYZER_IMAGE` variable to the
@@ -330,10 +324,8 @@ standard tag plus the `-fips` extension.
| Trivy | `registry.gitlab.com/security-products/container-scanning/trivy:7-fips` |
NOTE:
-Prior to GitLab 15.0, the `-ubi` image extension is also available. GitLab 15.0 and later only
-support `-fips`.
-Starting with GitLab 14.10, `-fips` is automatically added to `CS_ANALYZER_IMAGE` when FIPS mode is
+The `-fips` flag is automatically added to `CS_ANALYZER_IMAGE` when FIPS mode is
enabled in the GitLab instance.
Container scanning of images in authenticated registries is not supported when [FIPS mode](../../../development/fips_compliance.md#enable-fips-mode)
@@ -342,8 +334,6 @@ the analyzer exits with an error and does not perform the scan.
### Enable Container Scanning through an automatic merge request
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6334) in GitLab 14.9.
-
To enable Container Scanning in a project, create a merge request from the Security Configuration
page:
@@ -393,8 +383,6 @@ Do not use the `:latest` tag when selecting the scanner image.
### Setting the default branch image
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338877) in GitLab 14.5.
-
By default, container scanning assumes that the image naming convention stores any branch-specific
identifiers in the image tag rather than the image name. When the image name differs between the
default branch and the non-default branch, previously-detected vulnerabilities show up as newly
diff --git a/doc/user/application_security/dependency_list/index.md b/doc/user/application_security/dependency_list/index.md
index 3a49690e520..c79d6513f87 100644
--- a/doc/user/application_security/dependency_list/index.md
+++ b/doc/user/application_security/dependency_list/index.md
@@ -10,7 +10,6 @@ DETAILS:
**Tier:** Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - System dependencies [introduced](https://gitlab.com/groups/gitlab-org/-/epics/6698) in GitLab 14.6.
> - Group-level dependency list [introduced](https://gitlab.com/groups/gitlab-org/-/epics/8090) in GitLab 16.2 [with a flag](../../../administration/feature_flags.md) named `group_level_dependencies`. Disabled by default.
> - Group-level dependency list [enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/411257) in GitLab 16.4.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/132015) in GitLab 16.5. Feature flag `group_level_dependencies` removed.
diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md
index 7cc1264f27b..76ec49ca2d5 100644
--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -670,7 +670,7 @@ The following analyzers are executed, each of which have different behavior when
Does not support multiple lockfiles. When multiple lockfiles exist, `Retire.js`
analyzes the first lockfile discovered while traversing the directory tree in alphabetical order.
-From GitLab 14.8 the `gemnasium` analyzer scans supported JavaScript projects for vendored libraries
+The `gemnasium` analyzer scans supports JavaScript projects for vendored libraries
(that is, those checked into the project but not managed by the package manager).
#### Go
@@ -748,9 +748,6 @@ Pipelines now include a dependency scanning job.
#### Use a preconfigured merge request
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4908) in GitLab 14.1 [with a flag](../../../administration/feature_flags.md) named `sec_dependency_scanning_ui_enable`. Enabled by default.
-> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/326005) in GitLab 14.2. Feature flag `sec_dependency_scanning_ui_enable` removed.
-
This method automatically prepares a merge request that includes the dependency scanning template
in the `.gitlab-ci.yml` file. You then merge the merge request to enable dependency scanning.
@@ -837,7 +834,7 @@ The following variables configure the behavior of specific dependency scanning a
| `GEMNASIUM_DB_REF_NAME` | `gemnasium` | `master` | Branch name for remote repository database. `GEMNASIUM_DB_REMOTE_URL` is required. |
| `DS_REMEDIATE` | `gemnasium` | `"true"`, `"false"` in FIPS mode | Enable automatic remediation of vulnerable dependencies. Not supported in FIPS mode. |
| `DS_REMEDIATE_TIMEOUT` | `gemnasium` | `5m` | Timeout for auto-remediation. |
-| `GEMNASIUM_LIBRARY_SCAN_ENABLED` | `gemnasium` | `"true"` | Enable detecting vulnerabilities in vendored JavaScript libraries (libraries which are not managed by a package manager). This functionality requires a JavaScript lockfile to be present in a commit, otherwise Dependency Scanning is not executed and vendored files are not scanned.
Dependency scanning uses the [Retire.js](https://github.com/RetireJS/retire.js) scanner to detect a limited set of vulnerabilities. For details of which vulnerabilities are detected, see the [Retire.js repository](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350512) in GitLab 14.8. | +| `GEMNASIUM_LIBRARY_SCAN_ENABLED` | `gemnasium` | `"true"` | Enable detecting vulnerabilities in vendored JavaScript libraries (libraries which are not managed by a package manager). This functionality requires a JavaScript lockfile to be present in a commit, otherwise Dependency Scanning is not executed and vendored files are not scanned.
Dependency scanning uses the [Retire.js](https://github.com/RetireJS/retire.js) scanner to detect a limited set of vulnerabilities. For details of which vulnerabilities are detected, see the [Retire.js repository](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json). | | `DS_INCLUDE_DEV_DEPENDENCIES` | `gemnasium` | `"true"` | When set to `"false"`, development dependencies and their vulnerabilities are not reported. Only projects using Composer, npm, pnpm, Pipenv or Poetry are supported. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/227861) in GitLab 15.1. | | `GOOS` | `gemnasium` | `"linux"` | The operating system for which to compile Go code. | | `GOARCH` | `gemnasium` | `"amd64"` | The architecture of the processor for which to compile Go code. | @@ -925,7 +922,6 @@ Read more on [how to use private Maven repositories](../index.md#using-private-m ### FIPS-enabled images -> - Introduced in GitLab 14.10. GitLab team members can view more information in this confidential issue: `https://gitlab.com/gitlab-org/gitlab/-/issues/354796` > - Introduced in GitLab 15.0 - Gemnasium uses FIPS-enabled images when FIPS mode is enabled. GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image) @@ -956,7 +952,6 @@ For more details of the dependency scanning report, see: ### CycloneDX Software Bill of Materials -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350509) in GitLab 14.8 in [Beta](../../../policy/experiment-beta-support.md#beta). > - Generally available in GitLab 15.7. Dependency Scanning outputs a [CycloneDX](https://cyclonedx.org/) Software Bill of Materials (SBOM) diff --git a/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md b/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md index 924e7732f01..b677cb6d259 100644 --- a/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md +++ b/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md @@ -99,10 +99,7 @@ gemnasium-maven-dependency_scanning: ## Dependency Scanning job fails with message `strconv.ParseUint: parsing "0.0": invalid syntax` -Invoking Docker-in-Docker is the likely cause of this error. Docker-in-Docker is: - -- Disabled by default in GitLab 13.0 and later. -- Unsupported from GitLab 13.4 and later. +Docker-in-Docker is unsupported, and attempting to invoke it is the likely cause of this error. To fix this error, disable Docker-in-Docker for dependency scanning. Individual `-dependency_scanning` jobs are created for each analyzer that runs in your CI/CD
diff --git a/doc/user/clusters/agent/vulnerabilities.md b/doc/user/clusters/agent/vulnerabilities.md
index 6dea65d197a..5b3b716565d 100644
--- a/doc/user/clusters/agent/vulnerabilities.md
+++ b/doc/user/clusters/agent/vulnerabilities.md
@@ -10,7 +10,6 @@ DETAILS:
**Tier:** Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6346) in GitLab 14.8.
> - [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/368828) the starboard directive in GitLab 15.4. The starboard directive is scheduled for removal in GitLab 16.0.
## Supported architectures
diff --git a/doc/user/gitlab_duo_chat.md b/doc/user/gitlab_duo_chat.md
index 634a30ef249..bc548f97357 100644
--- a/doc/user/gitlab_duo_chat.md
+++ b/doc/user/gitlab_duo_chat.md
@@ -83,6 +83,10 @@ You can ask about a specific GitLab issue. For example:
NOTE:
If the issue contains a large amount of text (more than 40,000 words), GitLab Duo Chat might not be able to consider every word. The AI model has a limit to the amount of input it can process at one time.
+
+For tips on how GitLab Duo Chat can improve your productivity with issues and epics, see [Boost your productivity with GitLab Duo Chat](https://youtu.be/RJezT5_V6dI).
+
+
### Ask about a specific epic
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/128487) for SaaS in GitLab 16.3.
diff --git a/doc/user/search/exact_code_search.md b/doc/user/search/exact_code_search.md
index 18bf2a00526..c916944bd61 100644
--- a/doc/user/search/exact_code_search.md
+++ b/doc/user/search/exact_code_search.md
@@ -60,22 +60,37 @@ Use this feature to search code across the entire GitLab instance.
Global code search does not perform well on large GitLab instances.
If you enable this feature for instances with more than 20,000 projects, your search might time out.
-## Syntax
+## Search modes
-This table shows some example queries for exact code search.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/434417) in GitLab 16.8 [with a flag](../../administration/feature_flags.md) named `zoekt_exact_search`. Disabled by default.
-| Query | Description |
-|----------------------|-----------------------------------------------------------------------------------|
-| `foo` | Returns files that contain `foo`. |
-| `foo file:^doc/` | Returns files that contain `foo` in directories that start with `doc/`. |
-| `"class foo"` | Returns files that contain the exact string `class foo`. |
-| `class foo` | Returns files that contain both `class` and `foo`. |
-| `foo or bar` | Returns files that contain either `foo` or `bar`. |
-| `class Foo` | Returns files that contain `class` (case insensitive) and `Foo` (case sensitive). |
-| `class Foo case:yes` | Returns files that contain `class` and `Foo` (both case sensitive). |
-| `foo -bar` | Returns files that contain `foo` but not `bar`. |
-| `foo file:js` | Searches for `foo` in files with names that contain `js`. |
-| `foo -file:test` | Searches for `foo` in files with names that do not contain `test`. |
-| `foo lang:ruby` | Searches for `foo` in Ruby source code. |
-| `foo file:\.js$` | Searches for `foo` in files with names that end with `.js`. |
-| `foo.*bar` | Searches for strings that match the regular expression `foo.*bar`. |
+FLAG:
+The availability of this feature is controlled by a feature flag.
+For more information, see the history.
+
+When you enable `zoekt_exact_search`, you can switch between two search modes:
+
+- **Regular expression mode:** supports regular and boolean expressions.
+- **Exact match mode:** returns results that exactly match the query.
+
+When `zoekt_exact_search` is disabled, the regular expression mode is used by default.
+
+### Syntax
+
+This table shows some example queries for regular expression and exact match modes.
+
+| Query | Regular expression mode | Exact match mode |
+| -------------------- | ----------------------------------------------------- | ------------------------------ |
+| `"foo"` | `foo` | `"foo"` |
+| `foo file:^doc/` | `foo` in directories that start with `/doc` | `foo` in directories that start with `/doc` |
+| `"class foo"` | `class foo` | `"class foo"` |
+| `class foo` | `class` and `foo` | `class foo` |
+| `foo or bar` | `foo` or `bar` | `foo or bar` |
+| `class Foo` | `class` (case insensitive) and `Foo` (case sensitive) | `class Foo` (case insensitive) |
+| `class Foo case:yes` | `class` and `Foo` (both case sensitive) | `class Foo` (case sensitive) |
+| `foo -bar` | `foo` but not `bar` | `foo -bar` |
+| `foo file:js` | `foo` in files with names that contain `js` | `foo` in files with names that contain `js` |
+| `foo -file:test` | `foo` in files with names that do not contain `test` | `foo` in files with names that do not contain `test` |
+| `foo lang:ruby` | `foo` in Ruby source code | `foo` in Ruby source code |
+| `foo file:\.js$` | `foo` in files with names that end with `.js` | `foo` in files with names that end with `.js` |
+| `foo.*bar` | `foo.*bar` (regular expression) | None |
diff --git a/glfm_specification/output_example_snapshots/html.yml b/glfm_specification/output_example_snapshots/html.yml
index 4c5579bcc01..de2d0742610 100644
--- a/glfm_specification/output_example_snapshots/html.yml
+++ b/glfm_specification/output_example_snapshots/html.yml
@@ -136,7 +136,7 @@
wysiwyg: |-
@@ -563,7 +563,7 @@ static: |-Foo
@@ -807,7 +807,7 @@
Dependency scanning uses the [Retire.js](https://github.com/RetireJS/retire.js) scanner to detect a limited set of vulnerabilities. For details of which vulnerabilities are detected, see the [Retire.js repository](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350512) in GitLab 14.8. | +| `GEMNASIUM_LIBRARY_SCAN_ENABLED` | `gemnasium` | `"true"` | Enable detecting vulnerabilities in vendored JavaScript libraries (libraries which are not managed by a package manager). This functionality requires a JavaScript lockfile to be present in a commit, otherwise Dependency Scanning is not executed and vendored files are not scanned.
Dependency scanning uses the [Retire.js](https://github.com/RetireJS/retire.js) scanner to detect a limited set of vulnerabilities. For details of which vulnerabilities are detected, see the [Retire.js repository](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json). | | `DS_INCLUDE_DEV_DEPENDENCIES` | `gemnasium` | `"true"` | When set to `"false"`, development dependencies and their vulnerabilities are not reported. Only projects using Composer, npm, pnpm, Pipenv or Poetry are supported. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/227861) in GitLab 15.1. | | `GOOS` | `gemnasium` | `"linux"` | The operating system for which to compile Go code. | | `GOARCH` | `gemnasium` | `"amd64"` | The architecture of the processor for which to compile Go code. | @@ -925,7 +922,6 @@ Read more on [how to use private Maven repositories](../index.md#using-private-m ### FIPS-enabled images -> - Introduced in GitLab 14.10. GitLab team members can view more information in this confidential issue: `https://gitlab.com/gitlab-org/gitlab/-/issues/354796` > - Introduced in GitLab 15.0 - Gemnasium uses FIPS-enabled images when FIPS mode is enabled. GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image) @@ -956,7 +952,6 @@ For more details of the dependency scanning report, see: ### CycloneDX Software Bill of Materials -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350509) in GitLab 14.8 in [Beta](../../../policy/experiment-beta-support.md#beta). > - Generally available in GitLab 15.7. Dependency Scanning outputs a [CycloneDX](https://cyclonedx.org/) Software Bill of Materials (SBOM) diff --git a/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md b/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md index 924e7732f01..b677cb6d259 100644 --- a/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md +++ b/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md @@ -99,10 +99,7 @@ gemnasium-maven-dependency_scanning: ## Dependency Scanning job fails with message `strconv.ParseUint: parsing "0.0": invalid syntax` -Invoking Docker-in-Docker is the likely cause of this error. Docker-in-Docker is: - -- Disabled by default in GitLab 13.0 and later. -- Unsupported from GitLab 13.4 and later. +Docker-in-Docker is unsupported, and attempting to invoke it is the likely cause of this error. To fix this error, disable Docker-in-Docker for dependency scanning. Individual `
Foo
static: |-- Foo
+ Foo wysiwyg: |-Foo
02_01_00__preliminaries__tabs__011: @@ -328,7 +328,7 @@bar
static: |-- Foo
+ Foobar
wysiwyg: |-Foo
@@ -381,17 +381,17 @@foo
static: |-- foo
+ foo- foo
+ foo- foo
+ foo- foo
+ foo- foo
+ foo- foo
+ foo wysiwyg: |-foo
foo
@@ -428,7 +428,7 @@foo bar *baz*
static: |-- foo bar *baz*
+ foo bar *baz* wysiwyg: |-foo bar *baz*
04_02_00__leaf_blocks__atx_headings__006: @@ -436,7 +436,7 @@foo
static: |-- foo
+ foo wysiwyg: |-foo
04_02_00__leaf_blocks__atx_headings__007: @@ -446,11 +446,11 @@foo
static: |-- foo
+ foo- foo
+ foo- foo
+ foo wysiwyg: |-foo
foo
@@ -482,9 +482,9 @@bar
static: |-- foo
+ foo- bar
+ bar wysiwyg: |-foo
bar
@@ -494,9 +494,9 @@foo
static: |-- foo
+ foo- foo
+ foo wysiwyg: |-foo
foo
@@ -505,7 +505,7 @@foo
static: |-- foo
+ foo wysiwyg: |-foo
04_02_00__leaf_blocks__atx_headings__013: @@ -513,7 +513,7 @@foo ### b
static: |-- foo ### b
+ foo ### b wysiwyg: |-foo ### b
04_02_00__leaf_blocks__atx_headings__014: @@ -521,7 +521,7 @@foo#
static: |-- foo#
+ foo# wysiwyg: |-foo#
04_02_00__leaf_blocks__atx_headings__015: @@ -531,11 +531,11 @@foo #
static: |-- foo ###
+ foo ###- foo ###
+ foo ###- foo # + foo #
wysiwyg: |-foo ###
@@ -549,7 +549,7 @@ static: |-- foo
+ foowysiwyg: |-
@@ -563,7 +563,7 @@ static: |-
Foo bar
- baz
+ bazBar foo
wysiwyg: |-Foo bar
@@ -575,9 +575,9 @@ static: |- - - - ++
+
wysiwyg: |- @@ -588,10 +588,10 @@
Foo bar
static: |-- Foo bar + Foo bar
- Foo bar + Foo bar
wysiwyg: |-Foo bar
@@ -602,7 +602,7 @@ baz static: |-- Foo bar + Foo bar baz
wysiwyg: |- @@ -614,7 +614,7 @@ baz static: |-- Foo bar + Foo bar baz
wysiwyg: |- @@ -626,9 +626,9 @@Foo
static: |-- Foo
+ Foo- Foo
+ Foo wysiwyg: |-Foo
Foo
@@ -639,11 +639,11 @@Foo
static: |-- Foo
+ Foo- Foo
+ Foo- Foo
+ Foo wysiwyg: |-Foo
Foo
@@ -676,7 +676,7 @@Foo
static: |-- Foo
+ Foo wysiwyg: |-Foo
04_03_00__leaf_blocks__setext_headings__008: @@ -710,7 +710,7 @@Foo
static: |-- Foo
+ Foo wysiwyg: |-Foo
04_03_00__leaf_blocks__setext_headings__011: @@ -718,7 +718,7 @@Foo\
static: |-- Foo\
+ Foo\ wysiwyg: |-Foo\
04_03_00__leaf_blocks__setext_headings__012: @@ -729,10 +729,10 @@of dashes"/>
static: |-- `Foo
+ `Foo`
- <a title="a lot
+ <a title="a lotof dashes"/>
wysiwyg: |-`Foo
@@ -790,7 +790,7 @@ Bar static: |-- Foo + Foo Bar
wysiwyg: |-Foo
@@ -807,7 +807,7 @@
- Bar
+ BarBaz
wysiwyg: |-Foo> foo
static: |-- > foo
+ > foo wysiwyg: |-> foo
04_03_00__leaf_blocks__setext_headings__024: @@ -889,7 +889,7 @@ static: |-Foo
- bar
+ barbaz
wysiwyg: |-Foo
@@ -1090,13 +1090,13 @@static: |-
- Heading
+ Headingfoo- Heading
+ Headingfoobaz
static: |-- foo
+ foobar- baz
+ baz wysiwyg: |-foo
bar- Foo + Foo
bar
@@ -2360,7 +2360,7 @@ static: |-- bar
+ bar wysiwyg: |-[foo]: /url@@ -2510,7 +2510,7 @@ static: |-aaa
- aaa
+ aaa wysiwyg: |-aaa
aaa
@@ -2784,7 +2784,7 @@ static: |-@@ -2801,7 +2801,7 @@ static: |-- Foo
+ Foobar baz
@@ -2818,7 +2818,7 @@ static: |-- Foo
+ Foobar baz
@@ -2852,7 +2852,7 @@ static: |-- Foo
+ Foobar baz
@@ -4142,11 +4142,11 @@- Foo
+ Foobar baz
wysiwyg: |- @@ -7572,7 +7572,7 @@
- Foo
+ Foo- Bar
+ Bar bazfoo\
static: |-- foo\
+ foo\ wysiwyg: |-foo\
06_13_00__inlines__hard_line_breaks__015: @@ -7580,7 +7580,7 @@foo
static: |-- foo
+ foo wysiwyg: |-foo
06_14_00__inlines__soft_line_breaks__001: @@ -7753,7 +7753,7 @@text
- title: YAML front matter
+ title: YAML front matter wysiwyg: |-text
@@ -7765,7 +7765,7 @@ static: |-
- title: YAML front matter
+ title: YAML front matter wysiwyg: |-
title: YAML front matter
@@ -7786,9 +7786,9 @@ Heading 1- Heading 1
+ Heading 1- Heading 2
+ Heading 2 wysiwyg: |-Table of contentsHeading 1
@@ -7810,9 +7810,9 @@ Heading 1- Heading 1
+ Heading 1- Heading 2
+ Heading 2 wysiwyg: |-Table of contentsHeading 1
@@ -7842,7 +7842,7 @@ static: |-- Heading 1
+ Heading 1 wysiwyg: |-Table of contentsHeading 1
@@ -8292,17 +8292,17 @@ TODO: Write canonical HTML for this example static: |-- Heading 1
+ Heading 1- Heading 2
+ Heading 2- Heading 3
+ Heading 3- Heading 4
+ Heading 4- Heading 5
+ Heading 5- Heading 6
+ Heading 6 wysiwyg: |-Heading 1
Heading 2
@@ -8517,7 +8517,7 @@- content after table
+ content after table wysiwyg: |-
header
header
codecell with bold
strikecell with italic
content after table
@@ -8536,16 +8536,16 @@- Lorem
+ LoremWell, that's just like... your opinion.. man.
- Ipsum
+ Ipsum- Dolar
+ Dolar- Sit amit
+ Sit amit- I don't know
+ I don't know wysiwyg: |-Table of contentsLorem
diff --git a/glfm_specification/output_example_snapshots/snapshot_spec.html b/glfm_specification/output_example_snapshots/snapshot_spec.html index e8c3551ea20..b176e0ebf8c 100644 --- a/glfm_specification/output_example_snapshots/snapshot_spec.html +++ b/glfm_specification/output_example_snapshots/snapshot_spec.html @@ -238,148 +238,11 @@GitLab Flavored Markdown Internal Extensions
Version alpha--
+- -Preliminaries -
-- -Blocks and inlines -
-- -Leaf blocks -
-- -Container blocks -
-- -Inlines -
-- -GitLab Official Specification Markdown -
-- -GitLab Internal Extension Markdown
--
-- Audio
-- Video
-- Markdown Preview API Request Overrides
-- -Migrated golden master examples
--
-- attachment_image_for_group
-- attachment_image_for_project
-- attachment_image_for_project_wiki
-- attachment_link_for_group
-- attachment_link_for_project
-- attachment_link_for_project_wiki
-- attachment_link_for_group_wiki
-- audio
-- audio_and_video_in_lists
-- blockquote
-- bold
-- bullet_list_style_1
-- bullet_list_style_2
-- bullet_list_style_3
-- code_block_javascript
-- code_block_plaintext
-- code_block_unknown
-- color_chips
-- description_list
-- details
-- diagram_kroki_nomnoml
-- diagram_plantuml
-- diagram_plantuml_unicode
-- div
-- emoji
-- emphasis
-- figure
-- footnotes
-- frontmatter_json
-- frontmatter_toml
-- frontmatter_yaml
-- hard_break
-- headings
-- horizontal_rule
-- html_marks
-- image
-- inline_code
-- inline_diff
-- label
-- link
-- math
-- ordered_list
-- ordered_list_with_start_order
-- ordered_task_list
-- ordered_task_list_with_order
-- reference_for_project_wiki
-- strike
-- table
-- table_of_contents
-- task_list
-- video
-- word_break
-- Image Attributes
-- Footnotes
-- -GFM undocumented extensions and more robust test -
--Preliminaries
+Preliminaries-Characters and lines
+Characters and linesAny sequence of [characters] is a valid CommonMark document.
A character is a Unicode code point. Although some @@ -422,7 +285,7 @@ is
!,Pc,Pd,Pe,Pf,Pi,Po, orPs.-Tabs
+TabsTabs in lines are not expanded to [spaces]. However, in contexts where whitespace helps to define block structure, tabs behave as if they were replaced by spaces with a tab stop @@ -607,11 +470,11 @@ code block starting with two spaces.
-Insecure characters
+Insecure charactersFor security reasons, the Unicode character U+0000 must be replaced
with the REPLACEMENT CHARACTER (U+FFFD).
-Blocks and inlines
+Blocks and inlinesWe can think of a document as a sequence of blocks---structural elements like paragraphs, block quotations, lists, headings, rules, and code blocks. Some blocks (like @@ -619,7 +482,7 @@ block quotes and list items) contain other blocks; others (like headings and paragraphs) contain inline content---text, links, emphasized text, images, code spans, and so on.
-Precedence
+PrecedenceIndicators of block structure always take precedence over indicators of inline structure. So, for example, the following is a list with two items, not a list with one item containing a code span:
@@ -647,17 +510,17 @@ step. Note that the first step requires processing lines in sequence, but the second can be parallelized, since the inline parsing of one block element does not affect the inline parsing of any other.-Container blocks and leaf blocks
+Container blocks and leaf blocksWe can divide blocks into two types: container blocks, which can contain other blocks, and leaf blocks, which cannot.
-Leaf blocks
+Leaf blocksThis section describes the different kinds of leaf block that make up a Markdown document.
-Thematic breaks
+Thematic breaksA line consisting of 0-3 spaces of indentation, followed by a sequence
of three or more matching -, _, or * characters, each followed
optionally by any number of spaces or tabs, forms a
@@ -942,7 +805,7 @@ interpretations of a line, the thematic break takes precedence:
-ATX headings
+ATX headingsAn ATX heading
consists of a string of characters, parsed as inline content, between an
opening sequence of 1--6 unescaped # characters and an optional
@@ -1219,7 +1082,7 @@ lines, and they can interrupt paragraphs:
-Setext headings
+Setext headingsA setext heading consists of one or more lines of text, each containing at least one [non-whitespace character], with no more than 3 spaces indentation, followed by @@ -1720,7 +1583,7 @@ underline], such as
-Indented code blocks
+Indented code blocksAn indented code block is composed of one or more [indented chunks] separated by blank lines. An indented chunk is a sequence of non-blank lines, @@ -1954,7 +1817,7 @@ are not included in it:
-Fenced code blocks
+Fenced code blocksA code fence is a sequence
of at least three consecutive backtick characters (`) or
tildes (~). (Tildes and backticks cannot be mixed.)
@@ -2471,7 +2334,7 @@ of language- followed by the langua
-HTML blocks
+HTML blocksAn HTML block is a group of lines that is treated as raw HTML (and will not be escaped in HTML output).
There are seven kinds of [HTML block], which can be defined by their
@@ -3388,7 +3251,7 @@ deleted. The exception is inside <pre
[above][HTML blocks], raw HTML blocks starting with <pre>
can contain blank lines.
-Link reference definitions
+Link reference definitionsA link reference definition
consists of a [link label], indented up to three spaces, followed
by a colon (:), optional [whitespace] (including up to one
@@ -3846,7 +3709,7 @@ no visible content:
-Paragraphs
+ParagraphsA sequence of non-blank lines that cannot be interpreted as other kinds of blocks forms a paragraph. The contents of the paragraph are the result of parsing the @@ -3980,7 +3843,7 @@ break]:
-Blank lines
+Blank lines[Blank lines] between block-level elements are ignored, except for the role they play in determining whether a [list] is [tight] or [loose].
@@ -4006,7 +3869,7 @@ is [tight] or [loose].-Tables (extension)
+Tables (extension)GFM enables the table extension, where an additional leaf block type is
available.
A table is an arrangement of data with rows and columns, consisting of a @@ -4243,7 +4106,7 @@ cells are inserted. If there are greater, the excess is ignored:
-Container blocks
+Container blocksA container block is a block that has other blocks as its contents. There are two basic kinds of container blocks: [block quotes] and [list items]. @@ -4261,7 +4124,7 @@ to define the syntax, although it does not give a recipe for A parsing strategy.)
-Block quotes
+Block quotesA block quote marker
consists of 0-3 spaces of initial indent, plus (a) the character > together
with a following space, or (b) a single character > not followed by a space.
>:
-List items
+List itemsA list marker is a [bullet list marker] or an [ordered list marker].
A bullet list marker @@ -5857,7 +5720,7 @@ in the list item.
-Motivation
+MotivationJohn Gruber's Markdown spec says the following about list items:
-
@@ -6034,7 +5897,7 @@ four-space rule in cases where the list marker plus its initial indentation
takes four spaces (a common case), but diverge in other cases.
-Task list items (extension)
+Task list items (extension)GFM enables the
tasklistextension, where an additional processing step is performed on [list items].A task list item is a [list item][list items] where the first block in it @@ -6091,7 +5954,7 @@ the final rendered document.
-Lists
+ListsA list is a sequence of one or more list items [of the same type]. The list items may be separated by any number of blank lines.
@@ -6801,7 +6664,7 @@ two block elements in the list item:-Inlines
+InlinesInlines are parsed sequentially from the beginning of the character stream to the end (left to right, in left-to-right languages). Thus, for example, in
@@ -6819,7 +6682,7 @@ Thus, for example, inhiis parsed as code, leaving the backtick at the end as a literal backtick.-Backslash escapes
+Backslash escapesAny ASCII punctuation character may be backslash-escaped:
@@ -7002,7 +6865,7 @@ link references, and [info strings] in [fenced code blocks]:-Entity and numeric character references
+Entity and numeric character referencesValid HTML entity references and numeric character references can be used in place of the corresponding Unicode character, with the following exceptions:
@@ -7267,7 +7130,7 @@ documents.-Code spans
+Code spansA backtick string is a string of one or more backtick characters (
@@ -7576,7 +7439,7 @@ closing backtick strings to be equal in length:`) that is neither preceded nor followed by a backtick.-Emphasis and strong emphasis
+Emphasis and strong emphasisJohn Gruber's original Markdown syntax description says:
@@ -9384,7 +9247,7 @@ delimiters:
-Strikethrough (extension)
+Strikethrough (extension)GFM enables the
strikethroughextension, where an additional emphasis type is available.Strikethrough text is any text wrapped in two tildes (
@@ -9417,7 +9280,7 @@ parsing to cease:~).-Links
+LinksA link contains [link text] (the visible text), a [link destination] (the URI that is the link destination), and optionally a [link title]. There are two basic kinds of links in Markdown. In [inline links] the @@ -10762,7 +10625,7 @@ is followed by a link label (even though
-Images +ImagesSyntax for images is like the syntax for links, with one difference. Instead of [link text], we have an image description. The rules for this are the @@ -11065,7 +10928,7 @@ backslash-escape the opening
[:<-Autolinks
+AutolinksAutolinks are absolute URIs and email addresses inside
@@ -11317,7 +11180,7 @@ spec:<and>. They are parsed as links, with the URL or email address as the link label.-Autolinks (extension)
+Autolinks (extension)GFM enables the
autolinkextension, where autolinks will be recognised in a greater number of conditions.[Autolink]s can also be constructed without requiring the use of
<and to>@@ -11523,7 +11386,7 @@ the address:-Raw HTML
+Raw HTMLText between
<and>that looks like an HTML tag is parsed as a raw HTML tag and will be rendered in HTML without escaping. Tag and attribute names are not limited to current HTML tags, @@ -11846,7 +11709,7 @@ attributes:-Disallowed Raw HTML (extension)
+Disallowed Raw HTML (extension)GFM enables the
tagfilterextension, where the following HTML tags will be filtered when rendering HTML output:-
@@ -11885,7 +11748,7 @@ usually undesireable in the context of other rendered Markdown content.
-Hard line breaks
+Hard line breaksA line break (not in a code span or HTML tag) that is preceded by two or more spaces and does not occur at the end of a block is parsed as a hard line break (rendered @@ -12087,7 +11950,7 @@ other block element:
-Soft line breaks
+Soft line breaksA regular line break (not in a code span or HTML tag) that is not preceded by two or more spaces or a backslash is parsed as a softbreak. (A softbreak may be rendered in HTML either as a @@ -12126,7 +11989,7 @@ line break or as a space.
A renderer may also provide an option to render soft line breaks as hard line breaks.
-Textual content
+Textual contentAny characters not given an interpretation by the above rules will be parsed as plain textual content.
@@ -12164,14 +12027,14 @@ be parsed as plain textual content.-GitLab Official Specification Markdown
+GitLab Official Specification MarkdownNote: This specification is a work in progress. Only some of the official GLFM extensions are defined. We will continue to add any additional ones found in the user-facing documentation for GitLab Flavored Markdown.
There is currently only this single top-level heading, but the examples may be split into multiple top-level headings in the future.
-Task list items
+Task list itemsSee Task lists in the GitLab Flavored Markdown documentation.
Task list items (checkboxes) are defined as a GitHub Flavored Markdown extension in a section above. @@ -12265,7 +12128,7 @@ loose text; it has strikethrough applied with CSS.
-Front matter
+Front matterSee Front matter in the GitLab Flavored Markdown documentation.
Front matter is metadata included at the beginning of a Markdown document, preceding the content. @@ -12362,7 +12225,7 @@ This data can be used by static site generators like Jekyll, Hugo, and many othe
-Table of contents
+Table of contentsSee table of contents in the GitLab Flavored Markdown documentation.
@@ -12459,9 +12322,9 @@ line.-GitLab Internal Extension Markdown
+GitLab Internal Extension Markdown-Audio
+AudioSee audio in the GitLab Flavored Markdown documentation.
GLFM renders image elements as an audio player as long as the resource’s file extension is @@ -12493,7 +12356,7 @@ Audio ignore the alternative text part of an image declaration.
-Video
+VideoSee videos in the GitLab Flavored Markdown documentation.
GLFM renders image elements as a video player as long as the resource’s file extension is @@ -12525,7 +12388,7 @@ Videos ignore the alternative text part of an image declaration.
-Markdown Preview API Request Overrides
+Markdown Preview API Request OverridesThis section contains examples of all controllers which use
@@ -12606,9 +12469,9 @@ also requires an EE license enabling thePreviewMarkdownmodule and use differentmarkdown_context_params. They exercise the variouspreview_markdownendpoints viaglfm_example_metadata.yml.-Migrated golden master examples +Migrated golden master examples-attachment_image_for_group
+attachment_image_for_group@@ -12621,7 +12484,7 @@ also requires an EE license enabling the-attachment_image_for_project +attachment_image_for_project@@ -12634,7 +12497,7 @@ also requires an EE license enabling the-attachment_image_for_project_wiki +attachment_image_for_project_wiki@@ -12647,7 +12510,7 @@ also requires an EE license enabling the-attachment_link_for_group +attachment_link_for_group@@ -12660,7 +12523,7 @@ also requires an EE license enabling the-attachment_link_for_project +attachment_link_for_project@@ -12673,7 +12536,7 @@ also requires an EE license enabling the-attachment_link_for_project_wiki +attachment_link_for_project_wiki@@ -12686,7 +12549,7 @@ also requires an EE license enabling the-attachment_link_for_group_wiki +attachment_link_for_group_wiki@@ -12699,7 +12562,7 @@ also requires an EE license enabling the-audio +audio@@ -12712,7 +12575,7 @@ also requires an EE license enabling the-audio_and_video_in_lists +audio_and_video_in_lists@@ -12733,7 +12596,7 @@ also requires an EE license enabling the-blockquote +blockquote@@ -12748,7 +12611,7 @@ also requires an EE license enabling the-bold +bold@@ -12761,7 +12624,7 @@ also requires an EE license enabling the-bullet_list_style_1 +bullet_list_style_1@@ -12776,7 +12639,7 @@ also requires an EE license enabling the-bullet_list_style_2 +bullet_list_style_2@@ -12791,7 +12654,7 @@ also requires an EE license enabling the-bullet_list_style_3 +bullet_list_style_3@@ -12806,7 +12669,7 @@ also requires an EE license enabling the-code_block_javascript +code_block_javascript@@ -12821,7 +12684,7 @@ also requires an EE license enabling the-code_block_plaintext +code_block_plaintext@@ -12836,7 +12699,7 @@ also requires an EE license enabling the-code_block_unknown +code_block_unknown@@ -12851,7 +12714,7 @@ also requires an EE license enabling the-color_chips +color_chips@@ -12872,7 +12735,7 @@ also requires an EE license enabling the-description_list +description_list@@ -12900,7 +12763,7 @@ also requires an EE license enabling the-details +details@@ -12919,7 +12782,7 @@ also requires an EE license enabling the-diagram_kroki_nomnoml +diagram_kroki_nomnoml@@ -12942,7 +12805,7 @@ also requires an EE license enabling the-diagram_plantuml +diagram_plantuml@@ -12961,7 +12824,7 @@ also requires an EE license enabling the-diagram_plantuml_unicode +diagram_plantuml_unicode@@ -12976,7 +12839,7 @@ also requires an EE license enabling the-div +div@@ -12994,7 +12857,7 @@ also requires an EE license enabling the-emoji +emoji@@ -13007,7 +12870,7 @@ also requires an EE license enabling the-emphasis +emphasis@@ -13020,7 +12883,7 @@ also requires an EE license enabling the-figure +figure@@ -13048,7 +12911,7 @@ also requires an EE license enabling the-footnotes +footnotes@@ -13067,7 +12930,7 @@ also requires an EE license enabling the-frontmatter_json +frontmatter_json@@ -13084,7 +12947,7 @@ also requires an EE license enabling the-frontmatter_toml +frontmatter_toml@@ -13099,7 +12962,7 @@ also requires an EE license enabling the-frontmatter_yaml +frontmatter_yaml@@ -13114,7 +12977,7 @@ also requires an EE license enabling the-hard_break +hard_break@@ -13128,7 +12991,7 @@ also requires an EE license enabling the-headings +headings@@ -13151,7 +13014,7 @@ also requires an EE license enabling the-horizontal_rule +horizontal_rule@@ -13164,7 +13027,7 @@ also requires an EE license enabling the-html_marks +html_marks@@ -13191,7 +13054,7 @@ also requires an EE license enabling the-image +image@@ -13204,7 +13067,7 @@ also requires an EE license enabling the-inline_code +inline_code@@ -13217,7 +13080,7 @@ also requires an EE license enabling the-inline_diff +inline_diff@@ -13231,7 +13094,7 @@ also requires an EE license enabling the-label +label@@ -13244,7 +13107,7 @@ also requires an EE license enabling the-link +link@@ -13257,7 +13120,7 @@ also requires an EE license enabling the-math +math@@ -13276,7 +13139,7 @@ also requires an EE license enabling the-ordered_list +ordered_list@@ -13291,7 +13154,7 @@ also requires an EE license enabling the-ordered_list_with_start_order +ordered_list_with_start_order@@ -13306,7 +13169,7 @@ also requires an EE license enabling the-ordered_task_list +ordered_task_list@@ -13324,7 +13187,7 @@ also requires an EE license enabling the-ordered_task_list_with_order +ordered_task_list_with_order@@ -13339,7 +13202,7 @@ also requires an EE license enabling the-reference_for_project_wiki +reference_for_project_wiki@@ -13352,7 +13215,7 @@ also requires an EE license enabling the-strike +strike@@ -13365,7 +13228,7 @@ also requires an EE license enabling the-table +table@@ -13383,7 +13246,7 @@ also requires an EE license enabling the-table_of_contents +table_of_contents@@ -13408,7 +13271,7 @@ also requires an EE license enabling the-task_list +task_list@@ -13426,7 +13289,7 @@ also requires an EE license enabling the-video +video@@ -13439,7 +13302,7 @@ also requires an EE license enabling the-word_break +word_break@@ -13452,7 +13315,7 @@ also requires an EE license enabling the-Image Attributes +Image AttributesSee Change the image dimensions in the GitLab Flavored Markdown documentation.
@@ -13520,7 +13383,7 @@ where it makes sense.-Footnotes
+FootnotesSee the footnotes section of the user-facing documentation for GitLab Flavored Markdown.
@@ -13555,12 +13418,12 @@ where it makes sense.-GFM undocumented extensions and more robust test
+GFM undocumented extensions and more robust testThis section contains tests borrowed from https://github.com/github/cmark-gfm/blob/master/test/extensions.txt. It includes items not found in the official GFM specification, such as footnotes and additional tests for tables, task lists, etc.
-Footnotes
+Footnotes@@ -13625,7 +13488,7 @@ task lists, etc.-When a footnote is used multiple times, we insert multiple backrefs.
+When a footnote is used multiple times, we insert multiple backrefs.@@ -13650,7 +13513,7 @@ task lists, etc.-Footnote reference labels are href escaped
+Footnote reference labels are href escaped@@ -13672,7 +13535,7 @@ task lists, etc.-Interop
+InteropAutolink and strikethrough.
@@ -13716,7 +13579,7 @@ task lists, etc.-Task lists
+Task listsdiff --git a/glfm_specification/output_spec/spec.html b/glfm_specification/output_spec/spec.html index 07af9a162d5..78e1e572138 100644 --- a/glfm_specification/output_spec/spec.html +++ b/glfm_specification/output_spec/spec.html @@ -253,7 +253,7 @@ version: alpha ...-Introduction
+IntroductionGitLab Flavored Markdown (GLFM) extends the CommonMark specification and is considered a strict superset of CommonMark. It also incorporates the extensions defined by the GitHub Flavored Markdown specification.
This specification will define the various official extensions that comprise GLFM. These extensions are GitLab independent - they do not require a GitLab server for parsing or interaction. The intent is to provide a specification that can be implemented in standard markdown editors. This includes many of the features listed in user-facing documentation for GitLab Flavored Markdown.
The CommonMark and GitHub specifications will not be duplicated here.
@@ -269,14 +269,14 @@ for a complete list of all examples, which are a superset of examples from:-GitLab Official Specification Markdown
+GitLab Official Specification MarkdownNote: This specification is a work in progress. Only some of the official GLFM extensions are defined. We will continue to add any additional ones found in the user-facing documentation for GitLab Flavored Markdown.
There is currently only this single top-level heading, but the examples may be split into multiple top-level headings in the future.
-Task list items
+Task list itemsSee Task lists in the GitLab Flavored Markdown documentation.
Task list items (checkboxes) are defined as a GitHub Flavored Markdown extension in a section above. @@ -370,7 +370,7 @@ loose text; it has strikethrough applied with CSS.
-Front matter
+Front matterSee Front matter in the GitLab Flavored Markdown documentation.
Front matter is metadata included at the beginning of a Markdown document, preceding the content. @@ -467,7 +467,7 @@ This data can be used by static site generators like Jekyll, Hugo, and many othe
-Table of contents
+Table of contentsSee table of contents in the GitLab Flavored Markdown documentation.
diff --git a/lib/banzai/filter/markdown_engines/glfm_markdown.rb b/lib/banzai/filter/markdown_engines/glfm_markdown.rb index cd0dfa0ab06..6743e3a9037 100644 --- a/lib/banzai/filter/markdown_engines/glfm_markdown.rb +++ b/lib/banzai/filter/markdown_engines/glfm_markdown.rb @@ -15,6 +15,7 @@ module Banzai full_info_string: true, github_pre_lang: true, hardbreaks: false, + header_ids: Banzai::Renderer::USER_CONTENT_ID_PREFIX, math_code: true, math_dollars: true, multiline_block_quotes: true, @@ -35,7 +36,16 @@ module Banzai private def render_options - sourcepos_disabled? ? OPTIONS.merge(sourcepos: false) : OPTIONS + return OPTIONS unless sourcepos_disabled? || headers_disabled? + + OPTIONS.merge( + sourcepos: !sourcepos_disabled?, + header_ids: headers_disabled? ? nil : OPTIONS[:header_ids] + ) + end + + def headers_disabled? + context[:no_header_anchors] || Feature.disabled?(:native_header_anchors) end end end diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb index da976cf9ddc..577d02cc559 100644 --- a/lib/banzai/filter/sanitization_filter.rb +++ b/lib/banzai/filter/sanitization_filter.rb @@ -25,11 +25,16 @@ module Banzai # Remove any `style` properties not required for table alignment allowlist[:transformers].push(self.class.remove_unsafe_table_style) - # Allow `id` in a and li elements for footnotes - # and remove any `id` properties not matching for footnotes + # Allow `id` in `a` and `li` elements for footnotes + # and `a` elements for header anchors. + # Remove any `id` properties not matching allowlist[:attributes]['a'].push('id') allowlist[:attributes]['li'] = %w[id] - allowlist[:transformers].push(self.class.remove_non_footnote_ids) + allowlist[:transformers].push(self.class.remove_id_attributes) + + # Remove any `class` property not required for `a` + allowlist[:attributes]['a'].push('class') + allowlist[:transformers].push(self.class.remove_unsafe_link_class) # Allow section elements with data-footnotes attribute allowlist[:elements].push('section') @@ -55,18 +60,38 @@ module Banzai end end - def remove_non_footnote_ids + def remove_unsafe_link_class + lambda do |env| + node = env[:node] + + return unless node.name == 'a' + return unless node.has_attribute?('class') + + node.remove_attribute('class') if remove_link_class?(node) + end + end + + def remove_link_class?(node) + return if node['class'] == 'anchor' + + true + end + + def remove_id_attributes lambda do |env| node = env[:node] return unless node.name == 'a' || node.name == 'li' return unless node.has_attribute?('id') + # footnote ids should not be removed + return if node.name == 'li' && node['id'].start_with?(Banzai::Filter::FootnoteFilter::FOOTNOTE_ID_PREFIX) return if node.name == 'a' && node['id'].start_with?(Banzai::Filter::FootnoteFilter::FOOTNOTE_LINK_ID_PREFIX) - return if node.name == 'li' && - node['id'].start_with?(Banzai::Filter::FootnoteFilter::FOOTNOTE_ID_PREFIX) + # links with generated header anchors should not be removed + return if node.name == 'a' && node['class'] == 'anchor' && + node['id'].start_with?(Banzai::Renderer::USER_CONTENT_ID_PREFIX) node.remove_attribute('id') end diff --git a/lib/banzai/filter/table_of_contents_filter.rb b/lib/banzai/filter/table_of_contents_filter.rb index 3e6505c82c4..357b880b74f 100644 --- a/lib/banzai/filter/table_of_contents_filter.rb +++ b/lib/banzai/filter/table_of_contents_filter.rb @@ -2,6 +2,11 @@ require 'cgi/util' +# TODO: This is now a legacy filter, and is only used with the Ruby parser. +# The current markdown parser now properly handles adding anchors to headers. +# The Ruby parser is now only for benchmarking purposes. +# issue: https://gitlab.com/gitlab-org/gitlab/-/issues/454601 + # Generated HTML is transformed back to GFM by app/assets/javascripts/behaviors/markdown/nodes/table_of_contents.js module Banzai module Filter @@ -25,6 +30,7 @@ module Banzai XPATH = Gitlab::Utils::Nokogiri.css_to_xpath(CSS).freeze def call + return doc if MarkdownFilter.glfm_markdown?(context) && Feature.enabled?(:native_header_anchors) return doc if context[:no_header_anchors] result[:toc] = +"" diff --git a/lib/banzai/filter/table_of_contents_tag_filter.rb b/lib/banzai/filter/table_of_contents_tag_filter.rb index 4e80b543e2d..b7b6fded06a 100644 --- a/lib/banzai/filter/table_of_contents_tag_filter.rb +++ b/lib/banzai/filter/table_of_contents_tag_filter.rb @@ -14,6 +14,9 @@ module Banzai class TableOfContentsTagFilter < HTML::Pipeline::Filter TEXT_QUERY = %q(descendant-or-self::text()[ancestor::p and contains(translate(., 'TOC', 'toc'), 'toc')]) + HEADER_CSS = 'h1, h2, h3, h4, h5, h6' + HEADER_XPATH = Gitlab::Utils::Nokogiri.css_to_xpath(HEADER_CSS).freeze + def call return doc if context[:no_header_anchors] @@ -43,6 +46,8 @@ module Banzai # Replace an entire `[TOC]` node with the result generated by # TableOfContentsFilter def process_toc_tag(node) + build_toc if Feature.enabled?(:native_header_anchors) + # we still need to go one step up to also replace the surrounding node.parent.replace(result[:toc].presence || '') end @@ -56,6 +61,85 @@ module Banzai def toc_tag?(node) node.parent.text.casecmp?('[toc]') end + + def build_toc + return if result[:toc] + + result[:toc] = +"" + + header_root = current_header = HeaderNode.new + + doc.xpath(HEADER_XPATH).each do |node| + header_anchor = node.children.first + next unless header_anchor + next unless header_anchor.name == 'a' + next unless header_anchor[:class] == 'anchor' + + # remove leading anchor `#` so we can add it back later + href = header_anchor[:href].slice(1..) + current_header = HeaderNode.new(node: node, href: href, previous_header: current_header) + end + + push_toc(header_root.children, root: true) + end + + def push_toc(children, root: false) + return if children.empty? + + klass = ' class="section-nav"' if root + + result[:toc] << "- #{header_node.text}) + push_toc(header_node.children) + result[:toc] << '
' + end + + class HeaderNode + attr_reader :node, :href, :parent, :children + + def initialize(node: nil, href: nil, previous_header: nil) + @node = node + @href = CGI.escape(href) if href + @children = [] + + @parent = find_parent(previous_header) + @parent.children.push(self) if @parent + end + + def level + return 0 unless node + + @level ||= node.name[1].to_i + end + + def text + return '' unless node + + @text ||= CGI.escapeHTML(node.text) + end + + private + + def find_parent(previous_header) + return unless previous_header + + if level == previous_header.level + parent = previous_header.parent + elsif level > previous_header.level + parent = previous_header + else + parent = previous_header + parent = parent.parent while parent.level >= level + end + + parent + end + end end end end diff --git a/lib/banzai/pipeline/description_pipeline.rb b/lib/banzai/pipeline/description_pipeline.rb index 8236c7092d2..e7632c2c4a3 100644 --- a/lib/banzai/pipeline/description_pipeline.rb +++ b/lib/banzai/pipeline/description_pipeline.rb @@ -9,8 +9,8 @@ module Banzai def self.transform_context(context) super(context).merge( - # SanitizationFilter - allowlist: ALLOWLIST + allowlist: ALLOWLIST, # SanitizationFilter + no_header_anchors: true # header elements not allowed ) end end diff --git a/lib/gitlab/auth/o_auth/user.rb b/lib/gitlab/auth/o_auth/user.rb index 4dfa8ee0a41..5afcc80c8ce 100644 --- a/lib/gitlab/auth/o_auth/user.rb +++ b/lib/gitlab/auth/o_auth/user.rb @@ -11,16 +11,31 @@ module Gitlab class User class << self # rubocop: disable CodeReuse/ActiveRecord - def find_by_uid_and_provider(uid, provider) + + # `auth_hash` argument should be removed by https://gitlab.com/gitlab-org/gitlab/-/issues/456424 + def find_by_uid_and_provider(uid, provider, auth_hash = nil) identity = ::Identity.with_extern_uid(provider, uid).take - identity && identity.user + # This fallback should be removed by https://gitlab.com/gitlab-org/gitlab/-/issues/456424 + if provider == 'bitbucket' && !auth_hash.nil? + identity ||= ::Identity.with_extern_uid(provider, auth_hash.username).take + + if identity && !identity.trusted_extern_uid? && identity.user && identity.user.email == auth_hash.email + identity.update(extern_uid: uid, trusted_extern_uid: true) + end + end + + return unless identity + raise IdentityWithUntrustedExternUidError unless identity.trusted_extern_uid? + + identity.user end # rubocop: enable CodeReuse/ActiveRecord end SignupDisabledError = Class.new(StandardError) SigninDisabledForProviderError = Class.new(StandardError) + IdentityWithUntrustedExternUidError = Class.new(StandardError) attr_reader :auth_hash @@ -212,7 +227,7 @@ module Gitlab end def find_by_uid_and_provider - self.class.find_by_uid_and_provider(auth_hash.uid, auth_hash.provider) + self.class.find_by_uid_and_provider(auth_hash.uid, auth_hash.provider, auth_hash) end def build_new_user(skip_confirmation: true) diff --git a/lib/gitlab/background_migration/backfill_workspace_variables_project_id.rb b/lib/gitlab/background_migration/backfill_workspace_variables_project_id.rb new file mode 100644 index 00000000000..63e2cbf1d33 --- /dev/null +++ b/lib/gitlab/background_migration/backfill_workspace_variables_project_id.rb @@ -0,0 +1,12 @@ +# frozen_string_literal: true + +module Gitlab + module BackgroundMigration + # rubocop: disable Migration/BackgroundMigrationBaseClass -- BackfillDesiredShardingKeyJob inherits from BatchedMigrationJob. + class BackfillWorkspaceVariablesProjectId < BackfillDesiredShardingKeyJob + operation_name :backfill_workspace_variables_project_id + feature_category :remote_development + end + # rubocop: enable Migration/BackgroundMigrationBaseClass + end +end diff --git a/lib/gitlab/ci/parsers/security/validators/schema_validator.rb b/lib/gitlab/ci/parsers/security/validators/schema_validator.rb index c6e065f29b8..196c907038d 100644 --- a/lib/gitlab/ci/parsers/security/validators/schema_validator.rb +++ b/lib/gitlab/ci/parsers/security/validators/schema_validator.rb @@ -32,6 +32,10 @@ module Gitlab CURRENT_VERSIONS = SUPPORTED_VERSIONS.to_h { |k, v| [k, v - DEPRECATED_VERSIONS[k]] } + # Matches schema-defined pattern + # https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/e3d280d7f0862ca66a1555ea8b24016a004bb914/src/security-report-format.json#L151 + SCHEMA_VERSION_REGEX = /^[0-9]+\.[0-9]+\.[0-9]+$/ + class Schema def root_path File.join(__dir__, 'schemas') @@ -97,7 +101,7 @@ module Gitlab @deprecation_warnings = [] populate_schema_version_errors - populate_validation_errors + populate_validation_errors if report_version_matches_schema? populate_deprecation_warnings end @@ -147,6 +151,10 @@ module Gitlab end end + def report_version_matches_schema? + report_version && report_version.match(SCHEMA_VERSION_REGEX) + end + def find_latest_patch_version ::Security::ReportSchemaVersionMatcher.new( report_declared_version: report_version, diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb index b22652e8e9a..d63f2c7c388 100644 --- a/lib/gitlab/content_security_policy/config_loader.rb +++ b/lib/gitlab/content_security_policy/config_loader.rb @@ -132,7 +132,6 @@ module Gitlab end def allow_sentry(directives) - allow_legacy_sentry(directives) if legacy_sentry_configured? return unless sentry_client_side_dsn_enabled? sentry_uri = URI(Gitlab::CurrentSettings.sentry_clientside_dsn) @@ -140,18 +139,6 @@ module Gitlab append_to_directive(directives, 'connect_src', "#{sentry_uri.scheme}://#{sentry_uri.host}") end - def allow_legacy_sentry(directives) - # Support for Sentry setup via configuration files will be removed in 16.0 - # in favor of Gitlab::CurrentSettings. - sentry_uri = URI(Gitlab.config.sentry.clientside_dsn) - - append_to_directive(directives, 'connect_src', "#{sentry_uri.scheme}://#{sentry_uri.host}") - end - - def legacy_sentry_configured? - Gitlab.config.sentry&.enabled && Gitlab.config.sentry&.clientside_dsn - end - def sentry_client_side_dsn_enabled? Gitlab::CurrentSettings.try(:sentry_enabled) && Gitlab::CurrentSettings.try(:sentry_clientside_dsn) end diff --git a/lib/gitlab/error_tracking.rb b/lib/gitlab/error_tracking.rb index 6bf30e152f8..de6be9d1617 100644 --- a/lib/gitlab/error_tracking.rb +++ b/lib/gitlab/error_tracking.rb @@ -27,34 +27,12 @@ module Gitlab ].freeze class << self - def configure(&block) - configure_raven(&block) - configure_sentry(&block) - end - - def configure_raven - Raven.configure do |config| + def configure + Sentry.init do |config| config.dsn = sentry_dsn config.release = Gitlab.revision - config.current_environment = Gitlab.config.sentry.environment - - # Sanitize fields based on those sanitized from Rails. - config.sanitize_fields = Rails.application.config.filter_parameters.map(&:to_s) - - # Sanitize authentication headers - config.sanitize_http_headers = %w[Authorization Private-Token] - config.before_send = method(:before_send_raven) - - yield config if block_given? - end - end - - def configure_sentry - Sentry.init do |config| - config.dsn = new_sentry_dsn - config.release = Gitlab.revision - config.environment = new_sentry_environment - config.before_send = method(:before_send_sentry) + config.environment = sentry_environment + config.before_send = method(:before_send) config.background_worker_threads = 0 config.send_default_pii = true config.send_modules = false @@ -134,18 +112,6 @@ module Gitlab private - def before_send_raven(event, hint) - return unless Feature.enabled?(:enable_old_sentry_integration) - - before_send(event, hint) - end - - def before_send_sentry(event, hint) - return unless Feature.enabled?(:enable_new_sentry_integration) - - before_send(event, hint) - end - def before_send(event, hint) # Don't report Sidekiq retry errors to Sentry return if hint[:exception].is_a?(Gitlab::SidekiqMiddleware::RetryError) @@ -170,7 +136,6 @@ module Gitlab def default_trackers [].tap do |destinations| - destinations << Raven if Raven.configuration.server # There is a possibility that this method is called before Sentry is # configured. Since Sentry 4.0, some methods of Sentry are forwarded to # to `nil`, hence we have to check the client as well. @@ -179,27 +144,58 @@ module Gitlab end end + # Some configuration attributes like `dsn`, and `environment` + # can be configured both via `ENV` and `Application Settings`. + # The reason being is while GitLab.com uses application_settings + # in Geo installations, we can't override values in the primary database. + # Setting this value in application_settings would propagate the value + # to all Geo nodes, which doesn't solve that particular problem. def sentry_dsn - return unless sentry_configurable? - return unless Gitlab.config.sentry.enabled - - Gitlab.config.sentry.dsn + env_sentry_dsn || database_sentry_dsn end - def new_sentry_dsn + def sentry_environment + env_sentry_environment || database_sentry_environment + end + + def database_sentry_dsn return unless sentry_configurable? - return unless Gitlab::CurrentSettings.respond_to?(:sentry_enabled?) - return unless Gitlab::CurrentSettings.sentry_enabled? + return unless database_sentry_enabled? Gitlab::CurrentSettings.sentry_dsn end - def new_sentry_environment + def env_sentry_dsn + return unless sentry_configurable? + return unless env_sentry_enabled? + + Gitlab.config.sentry.dsn + end + + def env_sentry_environment + return unless sentry_configurable? + return unless env_sentry_enabled? + + Gitlab.config.sentry.environment + end + + def database_sentry_environment + return unless sentry_configurable? + return unless database_sentry_enabled? return unless Gitlab::CurrentSettings.respond_to?(:sentry_environment) Gitlab::CurrentSettings.sentry_environment end + def database_sentry_enabled? + Gitlab::CurrentSettings.respond_to?(:sentry_enabled?) && + Gitlab::CurrentSettings.sentry_enabled? + end + + def env_sentry_enabled? + Gitlab.config.sentry.enabled + end + def sentry_configurable? Rails.env.production? || Rails.env.development? end diff --git a/lib/gitlab/error_tracking/log_formatter.rb b/lib/gitlab/error_tracking/log_formatter.rb index d004c4e20bb..98b64ff335f 100644 --- a/lib/gitlab/error_tracking/log_formatter.rb +++ b/lib/gitlab/error_tracking/log_formatter.rb @@ -3,7 +3,7 @@ module Gitlab module ErrorTracking class LogFormatter - # Note: all the accesses to Raven's contexts here are to keep the + # Note: all the accesses to Sentry's contexts here are to keep the # backward-compatibility to Sentry's built-in integrations. In future, # they can be removed. def generate_log(exception, context_payload) @@ -20,21 +20,24 @@ module Gitlab private def append_user_to_log!(payload, context_payload) - user_context = Raven.context.user.merge(context_payload[:user]) + user_context = context_payload[:user] + user_context = Sentry.get_current_scope.user.merge(user_context) if Sentry.initialized? user_context.each do |key, value| payload["user.#{key}"] = value end end def append_tags_to_log!(payload, context_payload) - tags_context = Raven.context.tags.merge(context_payload[:tags]) + tags_context = context_payload[:tags] + tags_context = Sentry.get_current_scope.tags.merge(tags_context) if Sentry.initialized? tags_context.each do |key, value| payload["tags.#{key}"] = value end end def append_extra_to_log!(payload, context_payload) - extra = Raven.context.extra.merge(context_payload[:extra]) + extra = context_payload[:extra] + extra = Sentry.get_current_scope.extra.merge(extra) if Sentry.initialized? extra = extra.except(:server) # The extra value for sidekiq is a hash whose keys are strings. diff --git a/lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb b/lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb index 4b6c69a8b33..daf570536d6 100644 --- a/lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb +++ b/lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb @@ -8,11 +8,7 @@ module Gitlab private def extract_exceptions_from(event) - exceptions = if event.is_a?(Raven::Event) - event.instance_variable_get(:@interfaces)[:exception]&.values - else - event&.exception&.instance_variable_get(:@values) - end + exceptions = event&.exception&.instance_variable_get(:@values) Array.wrap(exceptions) end @@ -27,7 +23,7 @@ module Gitlab def valid_exception?(exception) case exception - when Raven::SingleExceptionInterface, Sentry::SingleExceptionInterface + when Sentry::SingleExceptionInterface exception&.value.present? else false diff --git a/lib/gitlab/error_tracking/processor/sanitizer_processor.rb b/lib/gitlab/error_tracking/processor/sanitizer_processor.rb index e6114f8e206..577b0f2697d 100644 --- a/lib/gitlab/error_tracking/processor/sanitizer_processor.rb +++ b/lib/gitlab/error_tracking/processor/sanitizer_processor.rb @@ -15,9 +15,6 @@ module Gitlab # For more information, please visit: # https://docs.sentry.io/platforms/ruby/guides/rails/configuration/filtering/#using-beforesend def self.call(event) - # Raven::Event instances don't need this processing. - return event unless event.is_a?(Sentry::Event) - if event.request.present? event.request.cookies = {} event.request.data = {} diff --git a/lib/gitlab/file_finder.rb b/lib/gitlab/file_finder.rb index 8a894901ca1..0ca6b30f907 100644 --- a/lib/gitlab/file_finder.rb +++ b/lib/gitlab/file_finder.rb @@ -15,9 +15,17 @@ module Gitlab def find(query, content_match_cutoff: nil) query = Gitlab::Search::Query.new(query, encode_binary: true) do - filter :filename, matcher: ->(filter, blob) { blob.binary_path =~ /#{filter[:regex_value]}$/i } - filter :path, matcher: ->(filter, blob) { blob.binary_path =~ /#{filter[:regex_value]}/i } - filter :extension, matcher: ->(filter, blob) { blob.binary_path =~ /\.#{filter[:regex_value]}$/i } + filter :filename, matcher: ->(filter, blob) do + ::Gitlab::UntrustedRegexp.new("(?i)#{filter[:regex_value]}$").match?(blob.binary_path) + end + + filter :path, matcher: ->(filter, blob) do + ::Gitlab::UntrustedRegexp.new("(?i)#{filter[:regex_value]}").match?(blob.binary_path) + end + + filter :extension, matcher: ->(filter, blob) do + ::Gitlab::UntrustedRegexp.new("(?i)\\.#{filter[:regex_value]}$").match?(blob.binary_path) + end end content_match_cutoff = nil if query.filters.any? diff --git a/lib/gitlab/git/repository.rb b/lib/gitlab/git/repository.rb index 7ed047811fe..204dafa228d 100644 --- a/lib/gitlab/git/repository.rb +++ b/lib/gitlab/git/repository.rb @@ -1012,12 +1012,12 @@ module Gitlab user, branch_name:, message:, actions:, author_email: nil, author_name: nil, start_branch_name: nil, start_sha: nil, start_repository: nil, - force: false) + force: false, sign: true) wrapped_gitaly_errors do gitaly_operation_client.user_commit_files(user, branch_name, message, actions, author_email, author_name, - start_branch_name, start_repository, force, start_sha) + start_branch_name, start_repository, force, start_sha, sign) end end # rubocop:enable Metrics/ParameterLists diff --git a/lib/gitlab/gitaly_client/operation_service.rb b/lib/gitlab/gitaly_client/operation_service.rb index 014881535e2..bc9512b1b5c 100644 --- a/lib/gitlab/gitaly_client/operation_service.rb +++ b/lib/gitlab/gitaly_client/operation_service.rb @@ -479,11 +479,11 @@ module Gitlab # rubocop:disable Metrics/ParameterLists def user_commit_files( user, branch_name, commit_message, actions, author_email, author_name, - start_branch_name, start_repository, force = false, start_sha = nil) + start_branch_name, start_repository, force = false, start_sha = nil, sign = true) req_enum = Enumerator.new do |y| header = user_commit_files_request_header(user, branch_name, commit_message, actions, author_email, author_name, - start_branch_name, start_repository, force, start_sha) + start_branch_name, start_repository, force, start_sha, sign) y.yield Gitaly::UserCommitFilesRequest.new(header: header) @@ -575,7 +575,7 @@ module Gitlab # rubocop:disable Metrics/ParameterLists def user_commit_files_request_header( user, branch_name, commit_message, actions, author_email, author_name, - start_branch_name, start_repository, force, start_sha) + start_branch_name, start_repository, force, start_sha, sign) Gitaly::UserCommitFilesRequestHeader.new( repository: @gitaly_repo, @@ -588,6 +588,7 @@ module Gitlab start_repository: start_repository&.gitaly_repository, force: force, start_sha: encode_binary(start_sha), + sign: sign, timestamp: Google::Protobuf::Timestamp.new(seconds: Time.now.utc.to_i) ) end diff --git a/lib/gitlab/gon_helper.rb b/lib/gitlab/gon_helper.rb index a3dd12ebabc..de4dde89f0a 100644 --- a/lib/gitlab/gon_helper.rb +++ b/lib/gitlab/gon_helper.rb @@ -20,14 +20,10 @@ module Gitlab add_browsersdk_tracking - if Gitlab.config.sentry.enabled - gon.sentry_dsn = Gitlab.config.sentry.clientside_dsn - gon.sentry_environment = Gitlab.config.sentry.environment - end - - # Support for Sentry setup via configuration files will be removed in 17.0 - # in favor of Gitlab::CurrentSettings. - if Feature.enabled?(:enable_new_sentry_integration) && Gitlab::CurrentSettings.sentry_enabled + # Sentry configurations for the browser client are done + # via `Gitlab::CurrentSettings` from the Admin panel: + # `/admin/application_settings/metrics_and_profiling` + if Gitlab::CurrentSettings.sentry_enabled gon.sentry_dsn = Gitlab::CurrentSettings.sentry_clientside_dsn gon.sentry_environment = Gitlab::CurrentSettings.sentry_environment gon.sentry_clientside_traces_sample_rate = Gitlab::CurrentSettings.sentry_clientside_traces_sample_rate diff --git a/lib/gitlab/graphql/authorize/authorize_resource.rb b/lib/gitlab/graphql/authorize/authorize_resource.rb index e3548b97ebf..2c9b10cc33b 100644 --- a/lib/gitlab/graphql/authorize/authorize_resource.rb +++ b/lib/gitlab/graphql/authorize/authorize_resource.rb @@ -64,7 +64,7 @@ module Gitlab def authorized_resource?(object) raise ConfigurationError, "#{self.class.name} has no authorizations" if self.class.authorization.none? - self.class.authorization.ok?(object, current_user) + self.class.authorization.ok?(object, current_user, scope_validator: context[:scope_validator]) end def raise_resource_not_available_error!(...) diff --git a/lib/gitlab/graphql/authorize/object_authorization.rb b/lib/gitlab/graphql/authorize/object_authorization.rb index f13acc9ea27..20f24a6823e 100644 --- a/lib/gitlab/graphql/authorize/object_authorization.rb +++ b/lib/gitlab/graphql/authorize/object_authorization.rb @@ -19,7 +19,7 @@ module Gitlab abilities.present? end - def ok?(object, current_user, scope_validator: nil) + def ok?(object, current_user, scope_validator:) scopes_ok?(scope_validator) && abilities_ok?(object, current_user) end diff --git a/lib/gitlab/rack_attack.rb b/lib/gitlab/rack_attack.rb index 2182f5b56e4..113c6dec6c1 100644 --- a/lib/gitlab/rack_attack.rb +++ b/lib/gitlab/rack_attack.rb @@ -126,6 +126,16 @@ module Gitlab 'throttle_authenticated_git_lfs' => ThrottleDefinition.new( Gitlab::Throttle.throttle_authenticated_git_lfs_options, ->(req) { req.throttled_identifer([:api]) if req.throttle_authenticated_git_lfs? } + ), + **throttle_definitions_unauthenticated_git_http + } + end + + def self.throttle_definitions_unauthenticated_git_http + { + 'throttle_unauthenticated_git_http' => ThrottleDefinition.new( + Gitlab::Throttle.throttle_unauthenticated_git_http_options, + ->(req) { req.ip if req.throttle_unauthenticated_git_http? } ) } end diff --git a/lib/gitlab/rack_attack/request.rb b/lib/gitlab/rack_attack/request.rb index e45782b8be0..63c0215c65a 100644 --- a/lib/gitlab/rack_attack/request.rb +++ b/lib/gitlab/rack_attack/request.rb @@ -100,6 +100,7 @@ module Gitlab def throttle_unauthenticated_web? (web_request? || frontend_request?) && !should_be_skipped? && + !git_path? && # TODO: Column will be renamed in https://gitlab.com/gitlab-org/gitlab/-/issues/340031 Gitlab::Throttle.settings.throttle_unauthenticated_enabled && unauthenticated? @@ -175,6 +176,12 @@ module Gitlab Gitlab::Throttle.settings.throttle_authenticated_packages_api_enabled end + def throttle_unauthenticated_git_http? + git_path? && + Gitlab::Throttle.settings.throttle_unauthenticated_git_http_enabled && + unauthenticated? + end + def throttle_authenticated_git_lfs? git_lfs_path? && Gitlab::Throttle.settings.throttle_authenticated_git_lfs_enabled @@ -242,6 +249,10 @@ module Gitlab matches?(::Gitlab::Regex::Packages::API_PATH_REGEX) end + def git_path? + matches?(::Gitlab::PathRegex.repository_git_route_regex) + end + def git_lfs_path? matches?(::Gitlab::PathRegex.repository_git_lfs_route_regex) end diff --git a/lib/gitlab/throttle.rb b/lib/gitlab/throttle.rb index 384953533b5..1aef19f1e6a 100644 --- a/lib/gitlab/throttle.rb +++ b/lib/gitlab/throttle.rb @@ -71,6 +71,13 @@ module Gitlab { limit: limit_proc, period: period_proc } end + def self.throttle_unauthenticated_git_http_options + limit_proc = proc { |req| settings.throttle_unauthenticated_git_http_requests_per_period } + period_proc = proc { |req| settings.throttle_unauthenticated_git_http_period_in_seconds.seconds } + + { limit: limit_proc, period: period_proc } + end + def self.throttle_authenticated_git_lfs_options limit_proc = proc { |req| settings.throttle_authenticated_git_lfs_requests_per_period } period_proc = proc { |req| settings.throttle_authenticated_git_lfs_period_in_seconds.seconds } diff --git a/lib/gitlab/usage_data_counters.rb b/lib/gitlab/usage_data_counters.rb index 19c6e04583e..3472d63a40a 100644 --- a/lib/gitlab/usage_data_counters.rb +++ b/lib/gitlab/usage_data_counters.rb @@ -13,7 +13,6 @@ module Gitlab WebIdeCounter, WikiPageCounter, SnippetCounter, - ProductivityAnalyticsCounter, SourceCodeCounter, MergeRequestWidgetExtensionCounter ].freeze diff --git a/lib/gitlab/usage_data_counters/productivity_analytics_counter.rb b/lib/gitlab/usage_data_counters/productivity_analytics_counter.rb deleted file mode 100644 index 3b92fa01fbe..00000000000 --- a/lib/gitlab/usage_data_counters/productivity_analytics_counter.rb +++ /dev/null @@ -1,8 +0,0 @@ -# frozen_string_literal: true - -module Gitlab::UsageDataCounters - class ProductivityAnalyticsCounter < BaseCounter - KNOWN_EVENTS = %w[views].freeze - PREFIX = 'productivity_analytics' - end -end diff --git a/lib/gitlab/usage_data_counters/total_counter_redis_key_overrides.yml b/lib/gitlab/usage_data_counters/total_counter_redis_key_overrides.yml index 2619f49a86d..a99631a0963 100644 --- a/lib/gitlab/usage_data_counters/total_counter_redis_key_overrides.yml +++ b/lib/gitlab/usage_data_counters/total_counter_redis_key_overrides.yml @@ -12,6 +12,7 @@ '{event_counters}_usage_data_download_payload_clicked': USAGE_SERVICE_USAGE_DATA_DOWNLOAD_PAYLOAD_CLICK '{event_counters}_value_streams_dashboard_viewed': USAGE_VALUE_STREAMS_DASHBOARD_VIEWS '{event_counters}_view_cycle_analytics': USAGE_CYCLE_ANALYTICS_VIEWS +'{event_counters}_view_productivity_analytics': USAGE_PRODUCTIVITY_ANALYTICS_VIEWS '{event_counters}_web_ide_viewed': WEB_IDE_VIEWS_COUNT '{event_counters}_status_page_incident_published': USAGE_STATUS_PAGE_INCIDENT_PUBLISHES '{event_counters}_status_page_incident_unpublished': USAGE_STATUS_PAGE_INCIDENT_UNPUBLISHES diff --git a/lib/omni_auth/strategies/bitbucket.rb b/lib/omni_auth/strategies/bitbucket.rb index d64f3dd987d..dff3652f3ca 100644 --- a/lib/omni_auth/strategies/bitbucket.rb +++ b/lib/omni_auth/strategies/bitbucket.rb @@ -14,12 +14,13 @@ module OmniAuth } uid do - raw_info['username'] + raw_info['uuid'] end info do { name: raw_info['display_name'], + username: raw_info['username'], avatar: raw_info['links']['avatar']['href'], email: primary_email } @@ -36,7 +37,7 @@ module OmniAuth def emails email_response = access_token.get('api/2.0/user/emails').parsed - @emails ||= email_response && email_response['values'] || nil + @emails ||= email_response && email_response['values'] || [] end def callback_url diff --git a/lib/tasks/gitlab/ldap.rake b/lib/tasks/gitlab/ldap.rake index 4da22e686ef..78a67d82096 100644 --- a/lib/tasks/gitlab/ldap.rake +++ b/lib/tasks/gitlab/ldap.rake @@ -5,9 +5,9 @@ namespace :gitlab do desc 'GitLab | LDAP | Rename provider' task :rename_provider, [:old_provider, :new_provider] => :gitlab_environment do |_, args| old_provider = args[:old_provider] || - prompt('What is the old provider? Ex. \'ldapmain\': '.color(:blue)) + prompt(Rainbow('What is the old provider? Ex. \'ldapmain\': ').blue) new_provider = args[:new_provider] || - prompt('What is the new provider ID? Ex. \'ldapcustom\': '.color(:blue)) + prompt(Rainbow('What is the new provider ID? Ex. \'ldapcustom\': ').blue) puts '' # Add some separation in the output identities = Identity.where(provider: old_provider) @@ -31,10 +31,10 @@ namespace :gitlab do updated_count = identities.update_all(provider: new_provider) if updated_count == identity_count - puts 'User identities were successfully updated'.color(:green) + puts Rainbow('User identities were successfully updated').green else plural_updated_count = ActionController::Base.helpers.pluralize(updated_count, 'user') - puts 'Some user identities could not be updated'.color(:red) + puts Rainbow('Some user identities could not be updated').red puts "Successfully updated #{plural_updated_count} out of #{plural_id_count} total" end end diff --git a/lib/tasks/gitlab/seed.rake b/lib/tasks/gitlab/seed.rake index 41830065044..9cc6b906aba 100644 --- a/lib/tasks/gitlab/seed.rake +++ b/lib/tasks/gitlab/seed.rake @@ -16,7 +16,7 @@ namespace :gitlab do error_message += " Did you mean '#{potential_projects.first.full_path}'?" end - puts error_message.color(:red) + puts Rainbow(error_message).red exit 1 end @@ -57,7 +57,7 @@ namespace :gitlab do error_message += " Did you mean '#{potential_groups.first.full_path}'?" end - puts error_message.color(:red) + puts Rainbow(error_message).red exit 1 end diff --git a/lib/tasks/gitlab/setup.rake b/lib/tasks/gitlab/setup.rake index 38c5902702c..2e24e38eb43 100644 --- a/lib/tasks/gitlab/setup.rake +++ b/lib/tasks/gitlab/setup.rake @@ -12,7 +12,7 @@ namespace :gitlab do Gitlab::GitalyClient::ServerService.new(name).info end rescue GRPC::Unavailable => ex - puts "Failed to connect to Gitaly...".color(:red) + puts Rainbow("Failed to connect to Gitaly...").red puts "Error: #{ex}" exit 1 end @@ -36,7 +36,7 @@ namespace :gitlab do Rake::Task["gitlab:db:lock_writes"].invoke Rake::Task["db:seed_fu"].invoke rescue Gitlab::TaskAbortedByUserError - puts "Quitting...".color(:red) + puts Rainbow("Quitting...").red exit 1 end end diff --git a/lib/tasks/gitlab/shell.rake b/lib/tasks/gitlab/shell.rake index abeb5bbdf29..5eb3ff8c28b 100644 --- a/lib/tasks/gitlab/shell.rake +++ b/lib/tasks/gitlab/shell.rake @@ -69,12 +69,12 @@ namespace :gitlab do Key.auth.find_in_batches(batch_size: 1000) do |keys| unless authorized_keys.batch_add_keys(keys) - puts "Failed to add keys...".color(:red) + puts Rainbow("Failed to add keys...").red exit 1 end end rescue Gitlab::TaskAbortedByUserError - puts "Quitting...".color(:red) + puts Rainbow("Quitting...").red exit 1 end end diff --git a/locale/gitlab.pot b/locale/gitlab.pot index fdb5631089d..b72e5ddce8f 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -3742,9 +3742,6 @@ msgstr "" msgid "AdminSettings|Git abuse rate limit" msgstr "" -msgid "AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, enable the %{code_start}enable_new_sentry_integration%{code_end} feature flag and restart GitLab." -msgstr "" - msgid "AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, restart GitLab." msgstr "" @@ -10002,9 +9999,6 @@ msgstr "" msgid "Can't find HEAD commit for this branch" msgstr "" -msgid "Can't find variable: ZiteReader" -msgstr "" - msgid "Can't scan the code?" msgstr "" @@ -12687,9 +12681,6 @@ msgstr "" msgid "Colorize messages" msgstr "" -msgid "ComboSearch is not defined" -msgstr "" - msgid "Comma-separated list of branches to be automatically inspected. Leave blank to include all branches." msgstr "" @@ -13696,6 +13687,9 @@ msgstr "" msgid "Configure specific limits for Files API requests that supersede the general user and IP rate limits." msgstr "" +msgid "Configure specific limits for Git HTTP requests." +msgstr "" + msgid "Configure specific limits for Git LFS requests that supersede the general user and IP rate limits." msgstr "" @@ -19716,6 +19710,9 @@ msgstr "" msgid "Enable unauthenticated API request rate limit" msgstr "" +msgid "Enable unauthenticated Git HTTP request rate limit" +msgstr "" + msgid "Enable unauthenticated web request rate limit" msgstr "" @@ -23088,6 +23085,9 @@ msgstr "" msgid "Git" msgstr "" +msgid "Git HTTP rate limits" +msgstr "" + msgid "Git LFS is not enabled on this GitLab server, contact your admin." msgstr "" @@ -23664,7 +23664,7 @@ msgstr "" msgid "GlobalSearch|%{linkStart}Exact code search (powered by Zoekt)%{linkEnd} is disabled since %{ref_elem} is not the default branch. %{docs_link}" msgstr "" -msgid "GlobalSearch|%{linkStart}Exact code search (powered by Zoekt)%{linkEnd} is enabled" +msgid "GlobalSearch|%{linkStart}Exact code search (powered by Zoekt)%{linkEnd} is enabled." msgstr "" msgid "GlobalSearch|Aggregations load error." @@ -23838,9 +23838,6 @@ msgstr "" msgid "GlobalSearch|Showing top %{maxItems}" msgstr "" -msgid "GlobalSearch|Syntax options" -msgstr "" - msgid "GlobalSearch|The search term must be at least 3 characters long." msgstr "" @@ -23874,6 +23871,9 @@ msgstr "" msgid "GlobalSearch|Users" msgstr "" +msgid "GlobalSearch|View syntax options." +msgstr "" + msgid "GlobalSearch|What are you searching for?" msgstr "" @@ -25683,6 +25683,9 @@ msgstr "" msgid "Helps reduce request volume for protected paths." msgstr "" +msgid "Helps reduce unauthenticated Git HTTP request volume for git paths." +msgstr "" + msgid "Hi %{recipient_name}," msgstr "" @@ -31403,6 +31406,9 @@ msgstr "" msgid "Maximum unauthenticated API requests per rate limit period per IP" msgstr "" +msgid "Maximum unauthenticated Git HTTP requests per period per IP" +msgstr "" + msgid "Maximum unauthenticated web requests per rate limit period per IP" msgstr "" @@ -34941,6 +34947,9 @@ msgstr "" msgid "Object does not exist on the server or you don't have permissions to access it" msgstr "" +msgid "ObservabilityLogs|Attribute" +msgstr "" + msgid "ObservabilityLogs|Attributes" msgstr "" @@ -34962,6 +34971,9 @@ msgstr "" msgid "ObservabilityLogs|Fatal" msgstr "" +msgid "ObservabilityLogs|Fingerprint" +msgstr "" + msgid "ObservabilityLogs|Info" msgstr "" @@ -34980,21 +34992,45 @@ msgstr "" msgid "ObservabilityLogs|No logs to display." msgstr "" +msgid "ObservabilityLogs|Resource Attribute" +msgstr "" + msgid "ObservabilityLogs|Resource attributes" msgstr "" +msgid "ObservabilityLogs|Search logs..." +msgstr "" + msgid "ObservabilityLogs|Service" msgstr "" +msgid "ObservabilityLogs|Severity" +msgstr "" + msgid "ObservabilityLogs|Showing %{count} logs" msgstr "" +msgid "ObservabilityLogs|Span ID" +msgstr "" + msgid "ObservabilityLogs|Trace" msgstr "" +msgid "ObservabilityLogs|Trace Flags" +msgstr "" + +msgid "ObservabilityLogs|Trace ID" +msgstr "" + msgid "ObservabilityLogs|Warning" msgstr "" +msgid "ObservabilityLogs|name" +msgstr "" + +msgid "ObservabilityLogs|value" +msgstr "" + msgid "ObservabilityMetrics|+%{count} more" msgstr "" @@ -39582,7 +39618,7 @@ msgstr "" msgid "Profiles|The ideal image size is 192 x 192 pixels." msgstr "" -msgid "Profiles|The maximum file size allowed is 200KB." +msgid "Profiles|The maximum file size allowed is 200 KiB." msgstr "" msgid "Profiles|This email will be displayed on your public profile." @@ -47013,6 +47049,9 @@ msgstr "" msgid "SecurityReports|Confirm dismissal" msgstr "" +msgid "SecurityReports|Container registry vulnerabilities" +msgstr "" + msgid "SecurityReports|Create Jira issue" msgstr "" @@ -48664,6 +48703,9 @@ msgstr "" msgid "Signing in using %{label} has been disabled" msgstr "" +msgid "Signing in using your %{label} account has been disabled for security reasons. Please sign in to your GitLab account using another authentication method and reconnect to your %{label} account." +msgstr "" + msgid "Signing in using your %{label} account without a pre-existing GitLab account is not allowed." msgstr "" @@ -54817,6 +54859,12 @@ msgstr "" msgid "Unauthenticated API rate limit period in seconds" msgstr "" +msgid "Unauthenticated Git HTTP rate limit period in seconds" +msgstr "" + +msgid "Unauthenticated Git HTTP request rate limit" +msgstr "" + msgid "Unauthenticated requests" msgstr "" @@ -54916,9 +54964,6 @@ msgstr "" msgid "Unknown format" msgstr "" -msgid "Unknown response text" -msgstr "" - msgid "Unknown user" msgstr "" @@ -61146,9 +61191,6 @@ msgstr "" msgid "it is too large" msgstr "" -msgid "jigsaw is not defined" -msgstr "" - msgid "key result" msgstr "" diff --git a/package.json b/package.json index 20612d2306d..296a5864990 100644 --- a/package.json +++ b/package.json @@ -67,6 +67,7 @@ "@mattiasbuelens/web-streams-adapter": "^0.1.0", "@rails/actioncable": "7.0.8-1", "@rails/ujs": "7.0.8-1", + "@sentry/browser": "7.102.0", "@snowplow/browser-plugin-client-hints": "^3.9.0", "@snowplow/browser-plugin-form-tracking": "^3.9.0", "@snowplow/browser-plugin-ga-cookies": "^3.9.0", @@ -195,8 +196,6 @@ "sass": "^1.69.7", "scrollparent": "^2.0.1", "semver": "^7.3.4", - "sentrybrowser": "npm:@sentry/browser@7.102.0", - "sentrybrowser5": "npm:@sentry/browser@5.30.0", "sortablejs": "^1.10.2", "string-hash": "1.1.3", "style-loader": "^2.0.0", diff --git a/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_group_level_spec.rb b/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_group_level_spec.rb index b97e16ebcf6..bde39fde877 100644 --- a/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_group_level_spec.rb +++ b/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_group_level_spec.rb @@ -1,7 +1,11 @@ # frozen_string_literal: true module QA - RSpec.describe 'Package', :object_storage, product_group: :package_registry do + RSpec.describe 'Package', :object_storage, product_group: :package_registry, quarantine: { + issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/455304', + only: { condition: -> { ENV['QA_RUN_TYPE']&.match?('gdk-qa-blocking') } }, + type: :investigating + } do describe 'NuGet group level endpoint', :external_api_calls do using RSpec::Parameterized::TableSyntax include Runtime::Fixtures diff --git a/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_project_level_spec.rb b/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_project_level_spec.rb index 15147c1a393..1c93a2bb1c5 100644 --- a/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_project_level_spec.rb +++ b/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_project_level_spec.rb @@ -1,7 +1,11 @@ # frozen_string_literal: true module QA - RSpec.describe 'Package', :object_storage, product_group: :package_registry do + RSpec.describe 'Package', :object_storage, product_group: :package_registry, quarantine: { + issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/455027', + only: { condition: -> { ENV['QA_RUN_TYPE']&.match?('gdk-qa-blocking') } }, + type: :investigating + } do describe 'NuGet project level endpoint', :external_api_calls do include Support::Helpers::MaskToken diff --git a/spec/channels/graphql_channel_spec.rb b/spec/channels/graphql_channel_spec.rb new file mode 100644 index 00000000000..e02c58f30f9 --- /dev/null +++ b/spec/channels/graphql_channel_spec.rb @@ -0,0 +1,81 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe GraphqlChannel, feature_category: :api do + let_it_be(:merge_request) { create(:merge_request) } + let_it_be(:user) { create(:user, developer_of: merge_request.project) } + let_it_be(:read_api_token) { create(:personal_access_token, scopes: ['read_api'], user: user) } + let_it_be(:read_user_token) { create(:personal_access_token, scopes: ['read_user'], user: user) } + let_it_be(:read_api_and_read_user_token) do + create(:personal_access_token, scopes: %w[read_user read_api], user: user) + end + + describe '#subscribed' do + let(:query) do + <<~GRAPHQL + subscription mergeRequestReviewersUpdated($issuableId: IssuableID!) { + mergeRequestReviewersUpdated(issuableId: $issuableId) { + ... on MergeRequest { id title } + } + } + GRAPHQL + end + + let(:subscribe_params) do + { + query: query, + variables: { issuableId: merge_request.to_global_id } + } + end + + before do + stub_action_cable_connection current_user: user + end + + it 'subscribes to the given graphql subscription' do + subscribe(subscribe_params) + + expect(subscription).to be_confirmed + expect(subscription.streams).to include(/graphql-event::mergeRequestReviewersUpdated:issuableId/) + end + + context 'with a personal access token' do + before do + stub_action_cable_connection current_user: user, access_token: access_token + end + + context 'with an api scoped personal access token' do + let(:access_token) { read_api_token } + + it 'subscribes to the given graphql subscription' do + subscribe(subscribe_params) + + expect(subscription).to be_confirmed + expect(subscription.streams).to include(/graphql-event::mergeRequestReviewersUpdated:issuableId/) + end + end + + context 'with a read_user personal access token' do + let(:access_token) { read_user_token } + + it 'does not subscribe to the given graphql subscription' do + subscribe(subscribe_params) + + expect(subscription).not_to be_confirmed + end + end + + context 'with a read_api and read_user personal access token' do + let(:access_token) { read_api_and_read_user_token } + + it 'subscribes to the given graphql subscription' do + subscribe(subscribe_params) + + expect(subscription).to be_confirmed + expect(subscription.streams).to include(/graphql-event::mergeRequestReviewersUpdated:issuableId/) + end + end + end + end +end diff --git a/spec/channels/noteable/notes_channel_spec.rb b/spec/channels/noteable/notes_channel_spec.rb index 911e70630fa..ed8c67bb64b 100644 --- a/spec/channels/noteable/notes_channel_spec.rb +++ b/spec/channels/noteable/notes_channel_spec.rb @@ -4,7 +4,15 @@ require 'spec_helper' RSpec.describe Noteable::NotesChannel, feature_category: :team_planning do let_it_be(:project) { create(:project, :repository, :private) } - let_it_be(:developer) { create(:user, developer_of: project) } + let_it_be(:user) { create(:user, developer_of: project) } + + let_it_be(:read_api_token) { create(:personal_access_token, scopes: ['read_api'], user: user) } + let_it_be(:read_user_token) { create(:personal_access_token, scopes: ['read_user'], user: user) } + let_it_be(:read_api_and_read_user_token) do + create(:personal_access_token, scopes: %w[read_user read_api], user: user) + end + + let_it_be(:noteable) { create(:issue, project: project) } describe '#subscribed' do let(:subscribe_params) do @@ -16,7 +24,7 @@ RSpec.describe Noteable::NotesChannel, feature_category: :team_planning do end before do - stub_action_cable_connection current_user: developer + stub_action_cable_connection current_user: user end it 'rejects the subscription when noteable params are missing' do @@ -26,8 +34,6 @@ RSpec.describe Noteable::NotesChannel, feature_category: :team_planning do end context 'on an issue' do - let_it_be(:noteable) { create(:issue, project: project) } - it_behaves_like 'handle subscription based on user access' end @@ -37,4 +43,50 @@ RSpec.describe Noteable::NotesChannel, feature_category: :team_planning do it_behaves_like 'handle subscription based on user access' end end + + context 'with a personal access token' do + let(:subscribe_params) do + { + project_id: noteable.project_id, + noteable_type: noteable.class.underscore, + noteable_id: noteable.id + } + end + + before do + stub_action_cable_connection current_user: user, access_token: access_token + end + + context 'with an api scoped personal access token' do + let(:access_token) { read_api_token } + + it 'subscribes to the given graphql subscription' do + subscribe(subscribe_params) + + expect(subscription).to be_confirmed + expect(subscription).to have_stream_for(noteable) + end + end + + context 'with a read_user personal access token' do + let(:access_token) { read_user_token } + + it 'does not subscribe to the given graphql subscription' do + subscribe(subscribe_params) + + expect(subscription).not_to be_confirmed + end + end + + context 'with a read_api and read_user personal access token' do + let(:access_token) { read_api_and_read_user_token } + + it 'subscribes to the given graphql subscription' do + subscribe(subscribe_params) + + expect(subscription).to be_confirmed + expect(subscription).to have_stream_for(noteable) + end + end + end end diff --git a/spec/controllers/omniauth_callbacks_controller_spec.rb b/spec/controllers/omniauth_callbacks_controller_spec.rb index 8070ae554b3..ac4c725e132 100644 --- a/spec/controllers/omniauth_callbacks_controller_spec.rb +++ b/spec/controllers/omniauth_callbacks_controller_spec.rb @@ -94,10 +94,11 @@ RSpec.describe OmniauthCallbacksController, type: :controller, feature_category: describe 'omniauth' do let(:user) { create(:omniauth_user, extern_uid: extern_uid, provider: provider) } + let(:omniauth_email) { user.email } let(:additional_info) { {} } before do - @original_env_config_omniauth_auth = mock_auth_hash(provider.to_s, extern_uid, user.email, additional_info: additional_info) + @original_env_config_omniauth_auth = mock_auth_hash(provider.to_s, extern_uid, omniauth_email, additional_info: additional_info) stub_omniauth_provider(provider, context: request) end @@ -580,6 +581,23 @@ RSpec.describe OmniauthCallbacksController, type: :controller, feature_category: end end end + + context "when user's identity with untrusted extern_uid" do + let(:provider) { 'bitbucket' } + let(:extern_uid) { 'untrusted-uid' } + let(:omniauth_email) { 'bitbucketuser@example.com' } + + before do + user.identities.with_extern_uid(provider, extern_uid).update!(trusted_extern_uid: false) + end + + it 'shows warning when attempting login' do + post provider + + expect(response).to redirect_to new_user_session_path + expect(flash[:alert]).to eq('Signing in using your Bitbucket account has been disabled for security reasons. Please sign in to your GitLab account using another authentication method and reconnect to your Bitbucket account.') + end + end end describe '#openid_connect' do diff --git a/spec/features/admin/users/admin_sees_unconfirmed_user_spec.rb b/spec/features/admin/users/admin_sees_unconfirmed_user_spec.rb index 7b45e5b5cde..3554b3d40d2 100644 --- a/spec/features/admin/users/admin_sees_unconfirmed_user_spec.rb +++ b/spec/features/admin/users/admin_sees_unconfirmed_user_spec.rb @@ -14,8 +14,7 @@ RSpec.describe 'Admin sees unconfirmed user', feature_category: :user_management end context 'when user has an unconfirmed email', :js do - # Email address contains HTML to ensure email address is displayed in an HTML safe way. - let_it_be(:unconfirmed_email) { "#{generate(:email)}testing
" }
+ let_it_be(:unconfirmed_email) { generate(:email) }
let_it_be(:unconfirmed_user) { create(:user, :unconfirmed, unconfirmed_email: unconfirmed_email) }
where(:path_helper) do
diff --git a/spec/features/sentry_js_spec.rb b/spec/features/sentry_js_spec.rb
index 583dcba6220..672dc3010aa 100644
--- a/spec/features/sentry_js_spec.rb
+++ b/spec/features/sentry_js_spec.rb
@@ -3,57 +3,22 @@
require 'spec_helper'
RSpec.describe 'Sentry', feature_category: :error_tracking do
- context 'when enable_new_sentry_integration is disabled' do
- before do
- stub_feature_flags(enable_new_sentry_integration: false)
- end
+ it 'does not load sentry if sentry settings are disabled' do
+ allow(Gitlab::CurrentSettings).to receive(:sentry_enabled).and_return(false)
- it 'does not load sentry if sentry is disabled' do
- allow(Gitlab.config.sentry).to receive(:enabled).and_return(false)
+ visit new_user_session_path
- visit new_user_session_path
-
- expect(has_requested_legacy_sentry).to eq(false)
- end
-
- it 'loads legacy sentry if sentry config is enabled', :js do
- allow(Gitlab.config.sentry).to receive(:enabled).and_return(true)
-
- visit new_user_session_path
-
- expect(has_requested_legacy_sentry).to eq(true)
- expect(evaluate_script('window._Sentry.SDK_VERSION')).to match(%r{^5\.})
- end
+ expect(has_requested_sentry).to eq(false)
end
- context 'when enable_new_sentry_integration is enabled' do
- before do
- stub_feature_flags(enable_new_sentry_integration: true)
- end
+ it 'loads sentry if sentry settings are enabled', :js do
+ allow(Gitlab::CurrentSettings).to receive(:sentry_enabled).and_return(true)
+ allow(Gitlab::CurrentSettings).to receive(:sentry_clientside_dsn).and_return('https://mockdsn@example.com/1')
- it 'does not load sentry if sentry settings are disabled' do
- allow(Gitlab::CurrentSettings).to receive(:sentry_enabled).and_return(false)
+ visit new_user_session_path
- visit new_user_session_path
-
- expect(has_requested_sentry).to eq(false)
- end
-
- it 'loads sentry if sentry settings are enabled', :js do
- allow(Gitlab::CurrentSettings).to receive(:sentry_enabled).and_return(true)
- allow(Gitlab::CurrentSettings).to receive(:sentry_clientside_dsn).and_return('https://mockdsn@example.com/1')
-
- visit new_user_session_path
-
- expect(has_requested_sentry).to eq(true)
- expect(evaluate_script('window._Sentry.SDK_VERSION')).to match(%r{^7\.})
- end
- end
-
- def has_requested_legacy_sentry
- page.all('script', visible: false).one? do |elm|
- elm[:src] =~ %r{/legacy_sentry.*\.chunk\.js\z}
- end
+ expect(has_requested_sentry).to eq(true)
+ expect(evaluate_script('window._Sentry.SDK_VERSION')).to match(%r{^7\.})
end
def has_requested_sentry
diff --git a/spec/frontend/ci/catalog/components/list/ci_resources_list_item_spec.js b/spec/frontend/ci/catalog/components/list/ci_resources_list_item_spec.js
index 9c53fab6ec1..fbc1a8ec27d 100644
--- a/spec/frontend/ci/catalog/components/list/ci_resources_list_item_spec.js
+++ b/spec/frontend/ci/catalog/components/list/ci_resources_list_item_spec.js
@@ -7,6 +7,7 @@ import { createRouter } from '~/ci/catalog/router/index';
import CiResourcesListItem from '~/ci/catalog/components/list/ci_resources_list_item.vue';
import { getIdFromGraphQLId } from '~/graphql_shared/utils';
import CiVerificationBadge from '~/ci/catalog/components/shared/ci_verification_badge.vue';
+import Markdown from '~/vue_shared/components/markdown/non_gfm_markdown.vue';
import { catalogSinglePageResponse } from '../../mock';
Vue.use(VueRouter);
@@ -46,11 +47,11 @@ describe('CiResourcesListItem', () => {
const findBadge = () => wrapper.findComponent(GlBadge);
const findComponentNames = () => wrapper.findByTestId('ci-resource-component-names');
const findResourceName = () => wrapper.findByTestId('ci-resource-link');
- const findResourceDescription = () => wrapper.findByText(defaultProps.resource.description);
const findUserLink = () => wrapper.findByTestId('user-link');
const findVerificationBadge = () => wrapper.findComponent(CiVerificationBadge);
const findTimeAgoMessage = () => wrapper.findComponent(GlSprintf);
const findFavorites = () => wrapper.findByTestId('stats-favorites');
+ const findMarkdown = () => wrapper.findComponent(Markdown);
beforeEach(() => {
routerPush = jest.spyOn(router, 'push').mockImplementation(() => {});
@@ -82,7 +83,9 @@ describe('CiResourcesListItem', () => {
});
it('renders the resource description', () => {
- expect(findResourceDescription().exists()).toBe(true);
+ const markdown = findMarkdown();
+ expect(markdown.exists()).toBe(true);
+ expect(markdown.props().markdown).toBe(defaultProps.resource.description);
});
});
diff --git a/spec/frontend/observability/client_spec.js b/spec/frontend/observability/client_spec.js
index 46726d491fa..cee501c8d7e 100644
--- a/spec/frontend/observability/client_spec.js
+++ b/spec/frontend/observability/client_spec.js
@@ -1173,16 +1173,72 @@ describe('buildClient', () => {
});
});
+ describe('attributes filters', () => {
+ it('converts filter to proper query params', async () => {
+ await client.fetchLogs({
+ filters: {
+ attributes: {
+ service: [
+ { operator: '=', value: 'serviceName' },
+ { operator: '!=', value: 'serviceName2' },
+ ],
+ severityName: [
+ { operator: '=', value: 'info' },
+ { operator: '!=', value: 'warning' },
+ ],
+ traceId: [{ operator: '=', value: 'traceId' }],
+ spanId: [{ operator: '=', value: 'spanId' }],
+ fingerprint: [{ operator: '=', value: 'fingerprint' }],
+ traceFlags: [
+ { operator: '=', value: '1' },
+ { operator: '!=', value: '2' },
+ ],
+ attribute: [{ operator: '=', value: 'attr=bar' }],
+ resourceAttribute: [{ operator: '=', value: 'res=foo' }],
+ search: [{ value: 'some-search' }],
+ },
+ },
+ });
+ expect(getQueryParam()).toEqual(
+ `service_name=serviceName¬[service_name]=serviceName2` +
+ `&severity_name=info¬[severity_name]=warning` +
+ `&trace_id=traceId` +
+ `&span_id=spanId` +
+ `&fingerprint=fingerprint` +
+ `&trace_flags=1¬[trace_flags]=2` +
+ `&log_attr_name=attr&log_attr_value=bar` +
+ `&res_attr_name=res&res_attr_value=foo` +
+ `&body=some-search`,
+ );
+ });
+
+ it('ignores unsupported operators', async () => {
+ await client.fetchLogs({
+ filters: {
+ attributes: {
+ traceId: [{ operator: '!=', value: 'traceId2' }],
+ spanId: [{ operator: '!=', value: 'spanId2' }],
+ fingerprint: [{ operator: '!=', value: 'fingerprint2' }],
+ attribute: [{ operator: '!=', value: 'bar' }],
+ resourceAttribute: [{ operator: '!=', value: 'resourceAttribute2' }],
+ unsupported: [{ value: 'something', operator: '=' }],
+ },
+ },
+ });
+ expect(getQueryParam()).toEqual('');
+ });
+ });
+
it('ignores empty filter', async () => {
await client.fetchLogs({
- filters: { dateRange: {} },
+ filters: { attributes: {}, dateRange: {} },
});
expect(getQueryParam()).toBe('');
});
it('ignores undefined filter', async () => {
await client.fetchLogs({
- filters: { dateRange: undefined },
+ filters: { dateRange: undefined, attributes: undefined },
});
expect(getQueryParam()).toBe('');
});
diff --git a/spec/frontend/sentry/init_sentry_spec.js b/spec/frontend/sentry/init_sentry_spec.js
index 118a48cc1de..0ed27196226 100644
--- a/spec/frontend/sentry/init_sentry_spec.js
+++ b/spec/frontend/sentry/init_sentry_spec.js
@@ -1,3 +1,4 @@
+/* eslint-disable no-restricted-imports */
import {
BrowserClient,
defaultStackParser,
@@ -8,8 +9,8 @@ import {
// exports
captureException,
SDK_VERSION,
-} from 'sentrybrowser';
-import * as Sentry from 'sentrybrowser';
+} from '@sentry/browser';
+import * as Sentry from '@sentry/browser';
import { initSentry } from '~/sentry/init_sentry';
@@ -23,14 +24,14 @@ const mockFeatureCategory = 'my_feature_category';
const mockPage = 'index:page';
const mockSentryClientsideTracesSampleRate = 0.1;
-jest.mock('sentrybrowser', () => {
+jest.mock('@sentry/browser', () => {
return {
- ...jest.createMockFromModule('sentrybrowser'),
+ ...jest.createMockFromModule('@sentry/browser'),
// unmock actual configuration options
- defaultStackParser: jest.requireActual('sentrybrowser').defaultStackParser,
- makeFetchTransport: jest.requireActual('sentrybrowser').makeFetchTransport,
- defaultIntegrations: jest.requireActual('sentrybrowser').defaultIntegrations,
+ defaultStackParser: jest.requireActual('@sentry/browser').defaultStackParser,
+ makeFetchTransport: jest.requireActual('@sentry/browser').makeFetchTransport,
+ defaultIntegrations: jest.requireActual('@sentry/browser').defaultIntegrations,
};
});
diff --git a/spec/frontend/sentry/legacy_index_spec.js b/spec/frontend/sentry/legacy_index_spec.js
deleted file mode 100644
index fad1760ffc5..00000000000
--- a/spec/frontend/sentry/legacy_index_spec.js
+++ /dev/null
@@ -1,51 +0,0 @@
-import index from '~/sentry/legacy_index';
-
-import LegacySentryConfig from '~/sentry/legacy_sentry_config';
-
-describe('Sentry init', () => {
- const dsn = 'https://123@sentry.gitlab.test/123';
- const environment = 'test';
- const currentUserId = '1';
- const gitlabUrl = 'gitlabUrl';
- const revision = 'revision';
- const featureCategory = 'my_feature_category';
-
- beforeEach(() => {
- window.gon = {
- sentry_dsn: dsn,
- sentry_environment: environment,
- current_user_id: currentUserId,
- gitlab_url: gitlabUrl,
- revision,
- feature_category: featureCategory,
- };
-
- jest.spyOn(LegacySentryConfig, 'init').mockImplementation();
- });
-
- it('exports legacy version of Sentry in the global object', () => {
- // eslint-disable-next-line no-underscore-dangle
- expect(window._Sentry.SDK_VERSION).toMatch(/^5\./);
- });
-
- describe('when called', () => {
- beforeEach(() => {
- index();
- });
-
- it('configures legacy sentry', () => {
- expect(LegacySentryConfig.init).toHaveBeenCalledTimes(1);
- expect(LegacySentryConfig.init).toHaveBeenCalledWith({
- dsn,
- currentUserId,
- whitelistUrls: [gitlabUrl, 'webpack-internal://'],
- environment,
- release: revision,
- tags: {
- revision,
- feature_category: featureCategory,
- },
- });
- });
- });
-});
diff --git a/spec/frontend/sentry/legacy_sentry_config_spec.js b/spec/frontend/sentry/legacy_sentry_config_spec.js
deleted file mode 100644
index 94256784ca2..00000000000
--- a/spec/frontend/sentry/legacy_sentry_config_spec.js
+++ /dev/null
@@ -1,215 +0,0 @@
-import * as Sentry5 from 'sentrybrowser5';
-import LegacySentryConfig from '~/sentry/legacy_sentry_config';
-
-describe('LegacySentryConfig', () => {
- describe('IGNORE_ERRORS', () => {
- it('should be an array of strings', () => {
- const areStrings = LegacySentryConfig.IGNORE_ERRORS.every(
- (error) => typeof error === 'string',
- );
-
- expect(areStrings).toBe(true);
- });
- });
-
- describe('DENYLIST_URLS', () => {
- it('should be an array of regexps', () => {
- const areRegExps = LegacySentryConfig.DENYLIST_URLS.every((url) => url instanceof RegExp);
-
- expect(areRegExps).toBe(true);
- });
- });
-
- describe('SAMPLE_RATE', () => {
- it('should be a finite number', () => {
- expect(typeof LegacySentryConfig.SAMPLE_RATE).toEqual('number');
- });
- });
-
- describe('init', () => {
- const options = {
- currentUserId: 1,
- };
-
- beforeEach(() => {
- jest.spyOn(LegacySentryConfig, 'configure');
- jest.spyOn(LegacySentryConfig, 'bindSentryErrors');
- jest.spyOn(LegacySentryConfig, 'setUser');
-
- LegacySentryConfig.init(options);
- });
-
- it('should set the options property', () => {
- expect(LegacySentryConfig.options).toEqual(options);
- });
-
- it('should call the configure method', () => {
- expect(LegacySentryConfig.configure).toHaveBeenCalled();
- });
-
- it('should call the error bindings method', () => {
- expect(LegacySentryConfig.bindSentryErrors).toHaveBeenCalled();
- });
-
- it('should call setUser', () => {
- expect(LegacySentryConfig.setUser).toHaveBeenCalled();
- });
-
- it('should not call setUser if there is no current user ID', () => {
- LegacySentryConfig.setUser.mockClear();
- options.currentUserId = undefined;
-
- LegacySentryConfig.init(options);
-
- expect(LegacySentryConfig.setUser).not.toHaveBeenCalled();
- });
- });
-
- describe('configure', () => {
- const sentryConfig = {};
- const options = {
- dsn: 'https://123@sentry.gitlab.test/123',
- whitelistUrls: ['//gitlabUrl', 'webpack-internal://'],
- environment: 'test',
- release: 'revision',
- tags: {
- revision: 'revision',
- feature_category: 'my_feature_category',
- },
- };
-
- beforeEach(() => {
- jest.spyOn(Sentry5, 'init').mockImplementation();
- jest.spyOn(Sentry5, 'setTags').mockImplementation();
-
- sentryConfig.options = options;
- sentryConfig.IGNORE_ERRORS = 'ignore_errors';
- sentryConfig.DENYLIST_URLS = 'blacklist_urls';
-
- LegacySentryConfig.configure.call(sentryConfig);
- });
-
- it('should call Sentry5.init', () => {
- expect(Sentry5.init).toHaveBeenCalledWith({
- dsn: options.dsn,
- release: options.release,
- sampleRate: 0.95,
- whitelistUrls: options.whitelistUrls,
- environment: 'test',
- ignoreErrors: sentryConfig.IGNORE_ERRORS,
- blacklistUrls: sentryConfig.DENYLIST_URLS,
- });
- });
-
- it('should call Sentry5.setTags', () => {
- expect(Sentry5.setTags).toHaveBeenCalledWith(options.tags);
- });
-
- it('should set environment from options', () => {
- sentryConfig.options.environment = 'development';
-
- LegacySentryConfig.configure.call(sentryConfig);
-
- expect(Sentry5.init).toHaveBeenCalledWith({
- dsn: options.dsn,
- release: options.release,
- sampleRate: 0.95,
- whitelistUrls: options.whitelistUrls,
- environment: 'development',
- ignoreErrors: sentryConfig.IGNORE_ERRORS,
- blacklistUrls: sentryConfig.DENYLIST_URLS,
- });
- });
- });
-
- describe('setUser', () => {
- let sentryConfig;
-
- beforeEach(() => {
- sentryConfig = { options: { currentUserId: 1 } };
- jest.spyOn(Sentry5, 'setUser');
-
- LegacySentryConfig.setUser.call(sentryConfig);
- });
-
- it('should call .setUser', () => {
- expect(Sentry5.setUser).toHaveBeenCalledWith({
- id: sentryConfig.options.currentUserId,
- });
- });
- });
-
- describe('handleSentryErrors', () => {
- let event;
- let req;
- let config;
- let err;
-
- beforeEach(() => {
- event = {};
- req = { status: 'status', responseText: 'Unknown response text', statusText: 'statusText' };
- config = { type: 'type', url: 'url', data: 'data' };
- err = {};
-
- jest.spyOn(Sentry5, 'captureMessage');
-
- LegacySentryConfig.handleSentryErrors(event, req, config, err);
- });
-
- it('should call Sentry5.captureMessage', () => {
- expect(Sentry5.captureMessage).toHaveBeenCalledWith(err, {
- extra: {
- type: config.type,
- url: config.url,
- data: config.data,
- status: req.status,
- response: req.responseText,
- error: err,
- event,
- },
- });
- });
-
- describe('if no err is provided', () => {
- beforeEach(() => {
- LegacySentryConfig.handleSentryErrors(event, req, config);
- });
-
- it('should use req.statusText as the error value', () => {
- expect(Sentry5.captureMessage).toHaveBeenCalledWith(req.statusText, {
- extra: {
- type: config.type,
- url: config.url,
- data: config.data,
- status: req.status,
- response: req.responseText,
- error: req.statusText,
- event,
- },
- });
- });
- });
-
- describe('if no req.responseText is provided', () => {
- beforeEach(() => {
- req.responseText = undefined;
-
- LegacySentryConfig.handleSentryErrors(event, req, config, err);
- });
-
- it('should use `Unknown response text` as the response', () => {
- expect(Sentry5.captureMessage).toHaveBeenCalledWith(err, {
- extra: {
- type: config.type,
- url: config.url,
- data: config.data,
- status: req.status,
- response: 'Unknown response text',
- error: err,
- event,
- },
- });
- });
- });
- });
-});
diff --git a/spec/graphql/resolvers/base_resolver_spec.rb b/spec/graphql/resolvers/base_resolver_spec.rb
index 16b6212a833..c46e750f91d 100644
--- a/spec/graphql/resolvers/base_resolver_spec.rb
+++ b/spec/graphql/resolvers/base_resolver_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'
RSpec.describe Resolvers::BaseResolver, feature_category: :api do
include GraphqlHelpers
+ let_it_be(:user) { create(:user) }
let(:resolver) do
Class.new(described_class) do
@@ -247,8 +248,6 @@ RSpec.describe Resolvers::BaseResolver, feature_category: :api do
end
describe '#object' do
- let_it_be(:user) { create(:user) }
-
it 'returns object' do
expect_next_instance_of(resolver) do |r|
expect(r).to receive(:process).with(user)
@@ -275,4 +274,18 @@ RSpec.describe Resolvers::BaseResolver, feature_category: :api do
expect(instance.offset_pagination(User.none)).to be_a(::Gitlab::Graphql::Pagination::OffsetPaginatedRelation)
end
end
+
+ describe '#authorized?' do
+ let(:object) { :object }
+ let(:scope_validator) { instance_double(::Gitlab::Auth::ScopeValidator) }
+ let(:context) { { current_user: user, scope_validator: scope_validator } }
+
+ it 'delegates to authorization' do
+ expect(resolver.authorization).to be_kind_of(::Gitlab::Graphql::Authorize::ObjectAuthorization)
+ expect(resolver.authorization).to receive(:ok?)
+ .with(object, user, scope_validator: scope_validator)
+
+ resolver.authorized?(object, context)
+ end
+ end
end
diff --git a/spec/graphql/types/base_enum_spec.rb b/spec/graphql/types/base_enum_spec.rb
index db8fb877390..48ef38cbb63 100644
--- a/spec/graphql/types/base_enum_spec.rb
+++ b/spec/graphql/types/base_enum_spec.rb
@@ -139,4 +139,19 @@ RSpec.describe Types::BaseEnum, feature_category: :api do
enum.values['TEST_VALUE']
end
end
+
+ describe '#authorized?' do
+ let(:object) { :object }
+ let(:scope_validator) { instance_double(::Gitlab::Auth::ScopeValidator) }
+ let(:user) { double }
+ let(:context) { { current_user: user, scope_validator: scope_validator } }
+
+ it 'delegates to authorization' do
+ expect(described_class.authorization).to be_kind_of(::Gitlab::Graphql::Authorize::ObjectAuthorization)
+ expect(described_class.authorization).to receive(:ok?)
+ .with(object, user, scope_validator: scope_validator)
+
+ described_class.authorized?(object, context)
+ end
+ end
end
diff --git a/spec/graphql/types/base_field_spec.rb b/spec/graphql/types/base_field_spec.rb
index b52d5514368..6141259cd65 100644
--- a/spec/graphql/types/base_field_spec.rb
+++ b/spec/graphql/types/base_field_spec.rb
@@ -235,4 +235,21 @@ RSpec.describe Types::BaseField, feature_category: :api do
described_class.new(**base_args.merge(args))
end
end
+
+ describe '#field_authorized?' do
+ let(:object) { :object }
+ let(:scope_validator) { instance_double(::Gitlab::Auth::ScopeValidator) }
+ let(:user) { :user }
+ let(:context) { { current_user: user, scope_validator: scope_validator } }
+
+ it 'delegates to authorization' do
+ expect_next_instance_of(::Gitlab::Graphql::Authorize::ObjectAuthorization) do |authorization|
+ expect(authorization).to receive(:ok?)
+ .with(object, user, scope_validator: scope_validator)
+ end
+
+ field = described_class.new(name: 'test', type: GraphQL::Types::String, null: true)
+ field.authorized?(object, nil, context)
+ end
+ end
end
diff --git a/spec/graphql/types/base_object_spec.rb b/spec/graphql/types/base_object_spec.rb
index af0639e84d3..2bf9f8e3f4d 100644
--- a/spec/graphql/types/base_object_spec.rb
+++ b/spec/graphql/types/base_object_spec.rb
@@ -12,15 +12,18 @@ RSpec.describe Types::BaseObject, feature_category: :api do
true
end
- def ok?(object, _current_user)
+ def ok?(object, _current_user, scope_validator: nil)
return false if object == { id: 100 }
return false if object.try(:deactivated?)
+ raise "Missing scope_validator" unless scope_validator
true
end
end
end
+ let(:scope_validator) { instance_double(::Gitlab::Auth::ScopeValidator, valid_for?: true) }
+
let_it_be(:test_schema) do
auth = custom_auth.new(nil)
@@ -172,6 +175,7 @@ RSpec.describe Types::BaseObject, feature_category: :api do
let(:data) do
{
+ scope_validator: scope_validator,
x: {
title: 'Hey',
ys: [{ id: 1 }, { id: 100 }, { id: 2 }]
@@ -216,6 +220,7 @@ RSpec.describe Types::BaseObject, feature_category: :api do
n = 7
data = {
+ scope_validator: scope_validator,
x: {
ys: (95..105).to_a.map { |id| { id: id } }
}
@@ -262,7 +267,10 @@ RSpec.describe Types::BaseObject, feature_category: :api do
active_users = create_list(:user, 3, state: :active)
inactive = create(:user, state: :deactivated)
- data = { user_ids: [inactive, *active_users].map(&:id) }
+ data = {
+ scope_validator: scope_validator,
+ user_ids: [inactive, *active_users].map(&:id)
+ }
doc = GraphQL.parse(<<~GQL)
query {
@@ -281,6 +289,7 @@ RSpec.describe Types::BaseObject, feature_category: :api do
it 'filters polymorphic connections' do
data = {
current_user: :the_user,
+ scope_validator: scope_validator,
x: {
values: [{ value: 1 }, { value: 2 }, { value: 3 }, { value: 4 }]
}
@@ -324,6 +333,7 @@ RSpec.describe Types::BaseObject, feature_category: :api do
it 'filters interface connections' do
data = {
current_user: :the_user,
+ scope_validator: scope_validator,
x: {
values: [{ value: 1 }, { value: 2 }, { value: 3 }, { value: 4 }]
}
@@ -368,6 +378,7 @@ RSpec.describe Types::BaseObject, feature_category: :api do
it 'redacts polymorphic objects' do
data = {
current_user: :the_user,
+ scope_validator: scope_validator,
x: {
values: [{ value: 1 }]
}
@@ -408,7 +419,10 @@ RSpec.describe Types::BaseObject, feature_category: :api do
inactive = create_list(:user, n - 1, state: :deactivated)
active_users = create_list(:user, 2, state: :active)
- data = { user_ids: [*inactive, *active_users].map(&:id) }
+ data = {
+ scope_validator: scope_validator,
+ user_ids: [*inactive, *active_users].map(&:id)
+ }
doc = GraphQL.parse(<<~GQL)
query {
diff --git a/spec/lib/banzai/filter/markdown_engines/glfm_markdown_spec.rb b/spec/lib/banzai/filter/markdown_engines/glfm_markdown_spec.rb
index da58b824a06..dfd7b8f0cce 100644
--- a/spec/lib/banzai/filter/markdown_engines/glfm_markdown_spec.rb
+++ b/spec/lib/banzai/filter/markdown_engines/glfm_markdown_spec.rb
@@ -5,13 +5,43 @@ require 'spec_helper'
RSpec.describe Banzai::Filter::MarkdownEngines::GlfmMarkdown, feature_category: :team_planning do
it 'defaults to generating sourcepos' do
engine = described_class.new({})
+ expected = <<~TEXT
+ hi
+ TEXT - expect(engine.render('# hi')).to eq %(hi
\n) + expect(engine.render('# hi')).to eq expected end it 'turns off sourcepos' do engine = described_class.new({ no_sourcepos: true }) + expected = <<~TEXT +hi
+ TEXT - expect(engine.render('# hi')).to eq %(hi
\n) + expect(engine.render('# hi')).to eq expected + end + + it 'turns off header anchors' do + engine = described_class.new({ no_header_anchors: true, no_sourcepos: true }) + expected = <<~TEXT +hi
+ TEXT + + expect(engine.render('# hi')).to eq expected + end + + context 'when feature flag is disabled' do + before do + stub_feature_flags(native_header_anchors: false) + end + + it 'turns off header anchors' do + engine = described_class.new({ no_sourcepos: true }) + expected = <<~TEXT +hi
+ TEXT + + expect(engine.render('# hi')).to eq expected + end end end diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb index fc3a50c5ce2..e40b65fce7b 100644 --- a/spec/lib/banzai/filter/sanitization_filter_spec.rb +++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb @@ -192,5 +192,35 @@ RSpec.describe Banzai::Filter::SanitizationFilter, feature_category: :team_plann end end end + + describe 'link anchors' do + it 'allows id property on anchor links' do + exp = %q() + act = filter(exp) + + expect(act.to_html).to eq exp + end + + it 'removes id property for non-anchor links' do + exp = %q() + act = filter(%q()) + + expect(act.to_html).to eq exp + end + + it 'removes id property for non-user-content links' do + exp = %q() + act = filter(%q()) + + expect(act.to_html).to eq exp + end + + it 'removes class property for non-anchor links' do + exp = %q() + act = filter(%q()) + + expect(act.to_html).to eq exp + end + end end end diff --git a/spec/lib/banzai/filter/table_of_contents_filter_spec.rb b/spec/lib/banzai/filter/table_of_contents_filter_spec.rb index 31e6313215e..bd55cce8d3f 100644 --- a/spec/lib/banzai/filter/table_of_contents_filter_spec.rb +++ b/spec/lib/banzai/filter/table_of_contents_filter_spec.rb @@ -2,6 +2,10 @@ require 'spec_helper' +# TODO: This is now a legacy filter, and is only used with the Ruby parser. +# The current markdown parser now properly handles adding anchors to headers. +# The Ruby parser is now only for benchmarking purposes. +# issue: https://gitlab.com/gitlab-org/gitlab/-/issues/454601 RSpec.describe Banzai::Filter::TableOfContentsFilter, feature_category: :team_planning do include FilterSpecHelper @@ -9,20 +13,28 @@ RSpec.describe Banzai::Filter::TableOfContentsFilter, feature_category: :team_pl "