From 39b47b75cf634a613cb5fe1c5f1f02e8c8f57399 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 24 Apr 2024 18:10:01 +0000
Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master

---
 .rubocop_todo/rspec/feature_category.yml      |   1 -
 .../style/class_and_module_children.yml       |   1 -
 CHANGELOG.md                                  |  34 ++
 Gemfile                                       |   4 +-
 Gemfile.checksum                              |   4 +-
 Gemfile.lock                                  |  11 +-
 .../components/details/ci_resource_header.vue |   6 +-
 .../list/ci_resources_list_item.vue           |   7 +-
 .../javascripts/observability/client.js       | 293 ++++++++++-----
 .../javascripts/profile/edit/constants.js     |   2 +-
 .../render_vue_component_for_legacy_js.js     |   5 +-
 .../sidebar/components/group_filter.vue       |   2 +-
 .../sidebar/components/project_filter.vue     |   2 +-
 .../search/topbar/components/app.vue          |  48 +--
 .../components/search_type_indicator.vue      |  14 +-
 app/assets/javascripts/sentry/init_sentry.js  |   3 +-
 .../javascripts/sentry/legacy_constants.js    |  46 ---
 app/assets/javascripts/sentry/legacy_index.js |  34 --
 .../sentry/legacy_sentry_config.js            |  64 ----
 app/assets/javascripts/single_file_diff.js    |  13 +-
 .../avatar_upload_dropzone.vue                |   2 +-
 app/channels/application_cable/channel.rb     |   9 +
 app/channels/graphql_channel.rb               |   5 +-
 .../omniauth_callbacks_controller.rb          |   9 +
 app/graphql/resolvers/base_resolver.rb        |   2 +-
 app/graphql/types/base_enum.rb                |   2 +-
 app/graphql/types/base_field.rb               |   2 +-
 app/graphql/types/base_object.rb              |   2 +-
 app/helpers/application_settings_helper.rb    |   3 +
 app/models/application_setting.rb             |   7 +
 app/models/merge_request.rb                   |   8 +-
 app/models/user.rb                            |   2 +-
 .../merge_requests/approval_service.rb        |   2 +-
 .../merge_requests/remove_approval_service.rb |   2 +-
 .../update_reviewer_state_service.rb          |  16 +
 app/validators/devise_email_validator.rb      |  13 +-
 .../_git_http_limits.html.haml                |  18 +
 .../application_settings/_sentry.html.haml    |   8 +-
 .../application_settings/network.html.haml    |  12 +
 app/views/layouts/_head.html.haml             |   4 +-
 app/views/search/_results_status.html.haml    |  53 ++-
 app/views/search/results/_issuable.html.haml  |   2 +-
 .../shared/_choose_avatar_button.html.haml    |   2 +-
 .../user_settings/profiles/show.html.haml     |   2 +-
 .../enable_new_sentry_integration.yml         |   8 -
 .../enable_old_sentry_integration.yml         |   8 -
 .../native_header_anchors.yml                 |   9 +
 config/gitlab_loose_foreign_keys.yml          |  10 +
 config/webpack.config.js                      |   1 -
 .../14-8-graphql-runner-active.yml            |  40 ++
 data/whats_new/202404160001_16_11.yml         |   4 +-
 ...ackfill_workspace_variables_project_id.yml |   9 +
 db/docs/merge_request_requested_changes.yml   |  12 +
 db/docs/workspace_variables.yml               |   1 +
 ...icated_git_http_to_application_settings.rb |  22 ++
 ...icated_git_http_in_application_settings.rb |  24 ++
 ...07_add_trusted_extern_uid_to_identities.rb |  11 +
 ...0415190848_index_identities_on_provider.rb |  17 +
 ...6_add_project_id_to_workspace_variables.rb |   9 +
 ...index_workspace_variables_on_project_id.rb |  16 +
 ...8_add_workspace_variables_project_id_fk.rb |  16 +
 ..._create_merge_request_requested_changes.rb |  19 +
 ..._workspace_variables_project_id_trigger.rb |  25 ++
 ...backfill_workspace_variables_project_id.rb |  40 ++
 ...false_for_existing_bitbucket_identities.rb |  17 +
 db/schema_migrations/20240405090000           |   1 +
 db/schema_migrations/20240405090010           |   1 +
 db/schema_migrations/20240415184907           |   1 +
 db/schema_migrations/20240415190848           |   1 +
 db/schema_migrations/20240419035356           |   1 +
 db/schema_migrations/20240419035357           |   1 +
 db/schema_migrations/20240419035358           |   1 +
 db/schema_migrations/20240419035359           |   1 +
 db/schema_migrations/20240419035360           |   1 +
 db/schema_migrations/20240419085004           |   1 +
 db/schema_migrations/20240419140530           |   1 +
 db/structure.sql                              |  60 ++-
 doc/administration/job_artifacts.md           |   3 +-
 .../job_artifacts_troubleshooting.md          |  53 +--
 doc/administration/pages/index.md             |  23 +-
 .../settings/git_http_rate_limits.md          |  41 ++
 doc/administration/settings/rate_limits.md    |   1 +
 doc/api/dependencies.md                       |   3 -
 doc/api/job_artifacts.md                      |   3 -
 doc/api/project_level_variables.md            |   3 -
 doc/api/releases/index.md                     |   2 -
 doc/api/releases/links.md                     |   2 -
 doc/api/secure_files.md                       |   1 -
 doc/ci/cloud_services/index.md                |   5 +-
 .../index.md                                  |   4 +-
 doc/ci/jobs/ci_job_token.md                   |   4 -
 doc/ci/jobs/job_artifacts.md                  |   4 -
 doc/ci/secrets/id_token_authentication.md     |   4 +-
 doc/ci/secrets/index.md                       |   6 -
 doc/ci/secure_files/index.md                  |   1 -
 doc/ci/variables/index.md                     |  18 +-
 doc/ci/variables/predefined_variables.md      |   2 +-
 .../variables/where_variables_can_be_used.md  |   7 +-
 doc/drawers/exact_code_search_syntax.md       |  29 +-
 doc/update/deprecations.md                    |  18 +
 .../container_scanning/index.md               |  22 +-
 .../dependency_list/index.md                  |   1 -
 .../dependency_scanning/index.md              |   9 +-
 .../troubleshooting_dependency_scanning.md    |   5 +-
 doc/user/clusters/agent/vulnerabilities.md    |   1 -
 doc/user/gitlab_duo_chat.md                   |   4 +
 doc/user/search/exact_code_search.md          |  49 ++-
 .../output_example_snapshots/html.yml         | 160 ++++----
 .../snapshot_spec.html                        | 355 ++++++------------
 glfm_specification/output_spec/spec.html      |  10 +-
 .../filter/markdown_engines/glfm_markdown.rb  |  12 +-
 lib/banzai/filter/sanitization_filter.rb      |  37 +-
 lib/banzai/filter/table_of_contents_filter.rb |   6 +
 .../filter/table_of_contents_tag_filter.rb    |  84 +++++
 lib/banzai/pipeline/description_pipeline.rb   |   4 +-
 lib/gitlab/auth/o_auth/user.rb                |  21 +-
 ...backfill_workspace_variables_project_id.rb |  12 +
 .../security/validators/schema_validator.rb   |  10 +-
 .../content_security_policy/config_loader.rb  |  13 -
 lib/gitlab/error_tracking.rb                  |  90 +++--
 lib/gitlab/error_tracking/log_formatter.rb    |  11 +-
 .../concerns/processes_exceptions.rb          |   8 +-
 .../processor/sanitizer_processor.rb          |   3 -
 lib/gitlab/file_finder.rb                     |  14 +-
 lib/gitlab/git/repository.rb                  |   4 +-
 lib/gitlab/gitaly_client/operation_service.rb |   7 +-
 lib/gitlab/gon_helper.rb                      |  12 +-
 .../graphql/authorize/authorize_resource.rb   |   2 +-
 .../graphql/authorize/object_authorization.rb |   2 +-
 lib/gitlab/rack_attack.rb                     |  10 +
 lib/gitlab/rack_attack/request.rb             |  11 +
 lib/gitlab/throttle.rb                        |   7 +
 lib/gitlab/usage_data_counters.rb             |   1 -
 .../productivity_analytics_counter.rb         |   8 -
 .../total_counter_redis_key_overrides.yml     |   1 +
 lib/omni_auth/strategies/bitbucket.rb         |   5 +-
 lib/tasks/gitlab/ldap.rake                    |   8 +-
 lib/tasks/gitlab/seed.rake                    |   4 +-
 lib/tasks/gitlab/setup.rake                   |   4 +-
 lib/tasks/gitlab/shell.rake                   |   4 +-
 locale/gitlab.pot                             |  82 +++-
 package.json                                  |   3 +-
 .../nuget/nuget_group_level_spec.rb           |   6 +-
 .../nuget/nuget_project_level_spec.rb         |   6 +-
 spec/channels/graphql_channel_spec.rb         |  81 ++++
 spec/channels/noteable/notes_channel_spec.rb  |  60 ++-
 .../omniauth_callbacks_controller_spec.rb     |  20 +-
 .../users/admin_sees_unconfirmed_user_spec.rb |   3 +-
 spec/features/sentry_js_spec.rb               |  55 +--
 .../list/ci_resources_list_item_spec.js       |   7 +-
 spec/frontend/observability/client_spec.js    |  60 ++-
 spec/frontend/sentry/init_sentry_spec.js      |  15 +-
 spec/frontend/sentry/legacy_index_spec.js     |  51 ---
 .../sentry/legacy_sentry_config_spec.js       | 215 -----------
 spec/graphql/resolvers/base_resolver_spec.rb  |  17 +-
 spec/graphql/types/base_enum_spec.rb          |  15 +
 spec/graphql/types/base_field_spec.rb         |  17 +
 spec/graphql/types/base_object_spec.rb        |  20 +-
 .../markdown_engines/glfm_markdown_spec.rb    |  34 +-
 .../banzai/filter/sanitization_filter_spec.rb |  30 ++
 .../filter/table_of_contents_filter_spec.rb   |  42 ++-
 .../table_of_contents_tag_filter_spec.rb      |  82 ++++
 spec/lib/gitlab/auth/o_auth/user_spec.rb      | 133 ++++++-
 ...ill_workspace_variables_project_id_spec.rb |  15 +
 .../validators/schema_validator_spec.rb       |  32 +-
 .../config_loader_spec.rb                     |  41 --
 .../error_tracking/log_formatter_spec.rb      |   8 +-
 .../context_payload_processor_spec.rb         |  31 +-
 .../processor/grpc_error_processor_spec.rb    |  31 --
 .../sanitize_error_message_processor_spec.rb  |  14 -
 .../processor/sidekiq_processor_spec.rb       |  42 ---
 spec/lib/gitlab/error_tracking_spec.rb        | 115 ++----
 spec/lib/gitlab/file_finder_spec.rb           |  55 ++-
 .../gitaly_client/operation_service_spec.rb   |  26 +-
 spec/lib/gitlab/gon_helper_spec.rb            |  28 --
 .../authorize/authorize_resource_spec.rb      |  22 +-
 .../authorize/object_authorization_spec.rb    |  26 +-
 spec/lib/gitlab/import_export/all_models.yml  |   1 +
 spec/lib/gitlab/rack_attack/request_spec.rb   |  32 ++
 .../productivity_analytics_counter_spec.rb    |   9 -
 .../omni_auth/strategies/bitbucket_spec.rb    |  73 +++-
 ...ill_workspace_variables_project_id_spec.rb |  33 ++
 ..._for_existing_bitbucket_identities_spec.rb |  56 +++
 spec/models/merge_request_spec.rb             |  16 -
 spec/models/repository_spec.rb                |  24 ++
 spec/requests/api/helpers_spec.rb             |   1 -
 .../api/merge_request_approvals_spec.rb       |   2 +-
 spec/requests/rack_attack_global_spec.rb      |  42 +++
 .../quick_actions/interpret_service_spec.rb   |   2 +-
 .../helpers/stub_action_cable_connection.rb   |   3 +-
 spec/support/helpers/stub_configuration.rb    |   3 -
 spec/support/rspec_order_todo.yml             |   1 -
 .../lint_factories_shared_examples.rb         |   1 +
 .../models/email_format_shared_examples.rb    |  16 +-
 .../requests/rack_attack_shared_examples.rb   |  35 +-
 .../validators/devise_email_validator_spec.rb |  60 ++-
 .../network.html.haml_spec.rb                 |  10 +
 yarn.lock                                     |  76 +---
 198 files changed, 2667 insertions(+), 1807 deletions(-)
 delete mode 100644 app/assets/javascripts/sentry/legacy_constants.js
 delete mode 100644 app/assets/javascripts/sentry/legacy_index.js
 delete mode 100644 app/assets/javascripts/sentry/legacy_sentry_config.js
 create mode 100644 app/views/admin/application_settings/_git_http_limits.html.haml
 delete mode 100644 config/feature_flags/development/enable_new_sentry_integration.yml
 delete mode 100644 config/feature_flags/development/enable_old_sentry_integration.yml
 create mode 100644 config/feature_flags/gitlab_com_derisk/native_header_anchors.yml
 create mode 100644 data/deprecations/14-8-graphql-runner-active.yml
 create mode 100644 db/docs/batched_background_migrations/backfill_workspace_variables_project_id.yml
 create mode 100644 db/docs/merge_request_requested_changes.yml
 create mode 100644 db/migrate/20240405090000_add_throttle_unauthenticated_git_http_to_application_settings.rb
 create mode 100644 db/migrate/20240405090010_update_throttle_unauthenticated_git_http_in_application_settings.rb
 create mode 100644 db/migrate/20240415184907_add_trusted_extern_uid_to_identities.rb
 create mode 100644 db/migrate/20240415190848_index_identities_on_provider.rb
 create mode 100644 db/migrate/20240419035356_add_project_id_to_workspace_variables.rb
 create mode 100644 db/migrate/20240419035357_index_workspace_variables_on_project_id.rb
 create mode 100644 db/migrate/20240419035358_add_workspace_variables_project_id_fk.rb
 create mode 100644 db/migrate/20240419085004_create_merge_request_requested_changes.rb
 create mode 100644 db/post_migrate/20240419035359_add_workspace_variables_project_id_trigger.rb
 create mode 100644 db/post_migrate/20240419035360_queue_backfill_workspace_variables_project_id.rb
 create mode 100644 db/post_migrate/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities.rb
 create mode 100644 db/schema_migrations/20240405090000
 create mode 100644 db/schema_migrations/20240405090010
 create mode 100644 db/schema_migrations/20240415184907
 create mode 100644 db/schema_migrations/20240415190848
 create mode 100644 db/schema_migrations/20240419035356
 create mode 100644 db/schema_migrations/20240419035357
 create mode 100644 db/schema_migrations/20240419035358
 create mode 100644 db/schema_migrations/20240419035359
 create mode 100644 db/schema_migrations/20240419035360
 create mode 100644 db/schema_migrations/20240419085004
 create mode 100644 db/schema_migrations/20240419140530
 create mode 100644 doc/administration/settings/git_http_rate_limits.md
 create mode 100644 lib/gitlab/background_migration/backfill_workspace_variables_project_id.rb
 delete mode 100644 lib/gitlab/usage_data_counters/productivity_analytics_counter.rb
 create mode 100644 spec/channels/graphql_channel_spec.rb
 delete mode 100644 spec/frontend/sentry/legacy_index_spec.js
 delete mode 100644 spec/frontend/sentry/legacy_sentry_config_spec.js
 create mode 100644 spec/lib/gitlab/background_migration/backfill_workspace_variables_project_id_spec.rb
 delete mode 100644 spec/lib/gitlab/usage_data_counters/productivity_analytics_counter_spec.rb
 create mode 100644 spec/migrations/20240419035360_queue_backfill_workspace_variables_project_id_spec.rb
 create mode 100644 spec/migrations/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities_spec.rb

diff --git a/.rubocop_todo/rspec/feature_category.yml b/.rubocop_todo/rspec/feature_category.yml
index a3811dfb2dd..c7c5e3545e6 100644
--- a/.rubocop_todo/rspec/feature_category.yml
+++ b/.rubocop_todo/rspec/feature_category.yml
@@ -3980,7 +3980,6 @@ RSpec/FeatureCategory:
     - 'spec/lib/gitlab/usage_data_counters/merge_request_widget_extension_counter_spec.rb'
     - 'spec/lib/gitlab/usage_data_counters/note_counter_spec.rb'
     - 'spec/lib/gitlab/usage_data_counters/package_event_counter_spec.rb'
-    - 'spec/lib/gitlab/usage_data_counters/productivity_analytics_counter_spec.rb'
     - 'spec/lib/gitlab/usage_data_counters/quick_action_activity_unique_counter_spec.rb'
     - 'spec/lib/gitlab/usage_data_counters/redis_counter_spec.rb'
     - 'spec/lib/gitlab/usage_data_counters/search_counter_spec.rb'
diff --git a/.rubocop_todo/style/class_and_module_children.yml b/.rubocop_todo/style/class_and_module_children.yml
index e6a3076b089..c389a3966d2 100644
--- a/.rubocop_todo/style/class_and_module_children.yml
+++ b/.rubocop_todo/style/class_and_module_children.yml
@@ -510,7 +510,6 @@ Style/ClassAndModuleChildren:
     - 'lib/gitlab/usage_data_counters/ci_template_unique_counter.rb'
     - 'lib/gitlab/usage_data_counters/designs_counter.rb'
     - 'lib/gitlab/usage_data_counters/note_counter.rb'
-    - 'lib/gitlab/usage_data_counters/productivity_analytics_counter.rb'
     - 'lib/gitlab/usage_data_counters/snippet_counter.rb'
     - 'lib/gitlab/usage_data_counters/source_code_counter.rb'
     - 'lib/gitlab/usage_data_counters/wiki_page_counter.rb'
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8ae50ea0307..c082652e7cf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,16 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 16.11.1 (2024-04-24)
+
+### Security (5 changes)
+
+- [Validation for encoded formatting characters](gitlab-org/security/gitlab@fc42e4b96ae1ac3cd766569d62d025cbf23ef16c) ([merge request](gitlab-org/security/gitlab!3979))
+- [Forbid untrusted sign-ins to GitLab with Bitbucket and fix related uid](gitlab-org/security/gitlab@ef083c319e67072029787cd5c6a588562984a58c) ([merge request](gitlab-org/security/gitlab!3983))
+- [Ensure PAT scope is validated everywhere for GraphQL/ActionCable](gitlab-org/security/gitlab@1847435210161d95b9c5fcd079380e7f2892195f) ([merge request](gitlab-org/security/gitlab!3975))
+- [Protect against ReDoS in FileFinder with wildcard filters](gitlab-org/security/gitlab@dc16f3baa640ca8d5b223782ef3d58369423a1dd) ([merge request](gitlab-org/security/gitlab!3969))
+- [fix: Validate security report version against schema during parsing](gitlab-org/security/gitlab@55e58d49051aa42938ec1d159b5e7eb3c47d2eb1) ([merge request](gitlab-org/security/gitlab!3967))
+
 ## 16.11.0 (2024-04-17)
 
 ### Added (121 changes)
@@ -605,6 +615,20 @@ entry.
 - [Finalize the backfill migration for onboarding status step url](gitlab-org/gitlab@f986c1b1cf00968ff106136893bfe68d47895c69) ([merge request](gitlab-org/gitlab!147278))
 - [Remove ClusterRepositoryCache migration helper class](gitlab-org/gitlab@f71a7a94ce8d70d9d378ebc225b802b58f0ae006) ([merge request](gitlab-org/gitlab!147244))
 
+## 16.10.4 (2024-04-24)
+
+### Fixed (1 change)
+
+- [Update vulnerability_reads scanner in the ingestion pipeline](gitlab-org/security/gitlab@14b8876233e5dd29149426fd88bab0fc4f014d46) **GitLab Enterprise Edition**
+
+### Security (5 changes)
+
+- [Validation for encoded formatting characters](gitlab-org/security/gitlab@4cd13c705ce1a94152fb2fd6fcaa77e90e6441e5) ([merge request](gitlab-org/security/gitlab!3950))
+- [Forbid untrusted sign-ins to GitLab with Bitbucket and fix related uid](gitlab-org/security/gitlab@5d3c3a599cc5560dea2236474309537536428cdc) ([merge request](gitlab-org/security/gitlab!3984))
+- [Ensure PAT scope is validated everywhere for GraphQL/ActionCable](gitlab-org/security/gitlab@079dfee8cff9da9075eec7c03ce002e87eeebfff) ([merge request](gitlab-org/security/gitlab!3976))
+- [Protect against ReDoS in FileFinder with wildcard filters](gitlab-org/security/gitlab@0e7e54050f1c4829b1d55aac85bd4e9cd96f1580) ([merge request](gitlab-org/security/gitlab!3960))
+- [fix: Validate security report version against schema during parsing](gitlab-org/security/gitlab@217040b1062caad501d60af387c47cff758788a1) ([merge request](gitlab-org/security/gitlab!3956))
+
 ## 16.10.3 (2024-04-12)
 
 No changes.
@@ -1319,6 +1343,16 @@ No changes.
 - [Add sharding keys for system_access](gitlab-org/gitlab@62c2fd4788e62e46f1469e2f18d178840e8e3df2) ([merge request](gitlab-org/gitlab!142501))
 - [Add sharding keys for purchase](gitlab-org/gitlab@9c3843da74714c72483c17489d5d3d68ceffd2c8) ([merge request](gitlab-org/gitlab!142505))
 
+## 16.9.6 (2024-04-24)
+
+### Security (5 changes)
+
+- [Validation for encoded formatting characters](gitlab-org/security/gitlab@de8dc151e5ef3f07cf50839e50645df6ec12f5a5) ([merge request](gitlab-org/security/gitlab!3951))
+- [Forbid untrusted sign-ins to GitLab with Bitbucket and fix related uid](gitlab-org/security/gitlab@94496a91c17a0f73202cd5c55abc93395825c68c) ([merge request](gitlab-org/security/gitlab!3985))
+- [Ensure PAT scope is validated everywhere for GraphQL/ActionCable](gitlab-org/security/gitlab@0dccf32b71614584e05a8590b21a902220e8c701) ([merge request](gitlab-org/security/gitlab!3977))
+- [Protect against ReDoS in FileFinder with wildcard filters](gitlab-org/security/gitlab@60a7418ec10f7c6f4ef9bcc75b2fec71255ddcc3) ([merge request](gitlab-org/security/gitlab!3961))
+- [fix: Validate security report version against schema during parsing](gitlab-org/security/gitlab@ce709ff78fd8f18024383085d6ac0bf43fa2efbb) ([merge request](gitlab-org/security/gitlab!3957))
+
 ## 16.9.5 (2024-04-12)
 
 No changes.
diff --git a/Gemfile b/Gemfile
index f6ecd52da52..13ff99f7b68 100644
--- a/Gemfile
+++ b/Gemfile
@@ -358,7 +358,6 @@ gem 'gitlab-license', '~> 2.4', feature_category: :shared
 gem 'rack-attack', '~> 6.7.0' # rubocop:todo Gemfile/MissingFeatureCategory
 
 # Sentry integration
-gem 'sentry-raven', '~> 3.1', feature_category: :error_tracking
 gem 'sentry-ruby', '~> 5.10.0', feature_category: :error_tracking
 gem 'sentry-rails', '~> 5.10.0', feature_category: :error_tracking
 gem 'sentry-sidekiq', '~> 5.10.0', feature_category: :error_tracking
@@ -411,7 +410,6 @@ group :opentelemetry do
   gem 'opentelemetry-instrumentation-action_view', feature_category: :tooling
   gem 'opentelemetry-instrumentation-aws_sdk', feature_category: :tooling
   gem 'opentelemetry-instrumentation-http', feature_category: :tooling
-  gem 'opentelemetry-instrumentation-active_model_serializers', feature_category: :tooling
   gem 'opentelemetry-instrumentation-concurrent_ruby', feature_category: :tooling
   gem 'opentelemetry-instrumentation-ethon', feature_category: :tooling
   gem 'opentelemetry-instrumentation-excon', feature_category: :tooling
@@ -592,7 +590,7 @@ gem 'ssh_data', '~> 1.3' # rubocop:todo Gemfile/MissingFeatureCategory
 gem 'spamcheck', '~> 1.3.0' # rubocop:todo Gemfile/MissingFeatureCategory
 
 # Gitaly GRPC protocol definitions
-gem 'gitaly', '~> 16.11.0.pre.rc1', feature_category: :gitaly
+gem 'gitaly', '~> 17.0.0.pre.rc2', feature_category: :gitaly
 
 # KAS GRPC protocol definitions
 gem 'kas-grpc', '~> 0.4.0', feature_category: :deployment_management
diff --git a/Gemfile.checksum b/Gemfile.checksum
index 476c0f8f31e..3dbd7f5e4d9 100644
--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@@ -206,7 +206,7 @@
 {"name":"gettext","version":"3.4.9","platform":"ruby","checksum":"292864fe6a15c224cee4125a4a72fab426fdbb280e4cff3cfe44935f549b009a"},
 {"name":"gettext_i18n_rails","version":"1.12.0","platform":"ruby","checksum":"6ac4817731a9e2ce47e1e83381ac34f9142263bc2911aaaafb2526d2f1afc1be"},
 {"name":"git","version":"1.18.0","platform":"ruby","checksum":"c9b80462e4565cd3d7a9ba8440c41d2c52244b17b0dad0bfddb46de70630c465"},
-{"name":"gitaly","version":"16.11.0.pre.rc1","platform":"ruby","checksum":"24334f5f3fd5b6c3d278eea9fe2b6732dd08e87a4146cd4374615506b1a6e7ae"},
+{"name":"gitaly","version":"17.0.0.pre.rc2","platform":"ruby","checksum":"2fa5998d3cbc37ba66bef428fb7150ab3f8b4105a4bd29ea48d965fae98ead43"},
 {"name":"gitlab","version":"4.19.0","platform":"ruby","checksum":"3f645e3e195dbc24f0834fbf83e8ccfb2056d8e9712b01a640aad418a6949679"},
 {"name":"gitlab-chronic","version":"0.10.5","platform":"ruby","checksum":"f80f18dc699b708870a80685243331290bc10cfeedb6b99c92219722f729c875"},
 {"name":"gitlab-dangerfiles","version":"4.7.0","platform":"ruby","checksum":"2576876a8dcb7290853fc3aef8048001cfe593b87318dd0016959d42e0e145ca"},
@@ -453,7 +453,6 @@
 {"name":"opentelemetry-instrumentation-action_pack","version":"0.9.0","platform":"ruby","checksum":"c5df8472afc9cdbfc1425d9af7816b9cfc1a1a69b86621f1fc624974bd9acb9a"},
 {"name":"opentelemetry-instrumentation-action_view","version":"0.7.0","platform":"ruby","checksum":"bc7c714be0b4bb76843085c29ecc9465e65cb7fe6722e34c71629e44f8c3cb75"},
 {"name":"opentelemetry-instrumentation-active_job","version":"0.7.1","platform":"ruby","checksum":"da24806c9d92fe580db42638f6c763fe1324ff90aa147d45d4247f8052c68089"},
-{"name":"opentelemetry-instrumentation-active_model_serializers","version":"0.20.1","platform":"ruby","checksum":"8c47f859fc925c4c078d37f5a13c55f4ba9751f880aa64d0c9568f3f59a3efaa"},
 {"name":"opentelemetry-instrumentation-active_record","version":"0.7.0","platform":"ruby","checksum":"327ca53ebb74187b463ab05c1d89508552e9cd9122db0843ad1f27930ee91797"},
 {"name":"opentelemetry-instrumentation-active_support","version":"0.5.1","platform":"ruby","checksum":"03898327e8284410b8935a3d3b980bda56e2063eb5a7d30acf75487dd6934a66"},
 {"name":"opentelemetry-instrumentation-aws_sdk","version":"0.5.1","platform":"ruby","checksum":"496a8d13c59ff4d08dcd69b16db97c013398173295058593aa0c2f3ef3090cce"},
@@ -623,7 +622,6 @@
 {"name":"selenium-webdriver","version":"4.19.0","platform":"ruby","checksum":"4c8bd1d6016a456154b4ba71a3bb4d532a0ae185a38acf9cec0acbd38b4e5066"},
 {"name":"semver_dialects","version":"2.0.2","platform":"ruby","checksum":"60059c9f416f931b5212d862fad2879d6b9affb8e0b9afb0d91b793639c116fe"},
 {"name":"sentry-rails","version":"5.10.0","platform":"ruby","checksum":"99aa2fac136c26942eb1897c65de65dac88ad43ac5eb183ff20711287a137ebd"},
-{"name":"sentry-raven","version":"3.1.2","platform":"ruby","checksum":"103d3b122958810d34898ce2e705bcf549ddb9d855a70ce9a3970ee2484f364a"},
 {"name":"sentry-ruby","version":"5.10.0","platform":"ruby","checksum":"115c24c0aee1309210f3a2988fb118e2bec1f11609feeda90e694388b1183619"},
 {"name":"sentry-sidekiq","version":"5.10.0","platform":"ruby","checksum":"cc81018d0733fb1be3fb5641c9e0b61030bbeaa1d0b23ca64797d70def7aea1a"},
 {"name":"sexp_processor","version":"4.17.1","platform":"ruby","checksum":"91110946720307f30bf1d549e90d9a529fef40d1fc471c069c8cca7667015da0"},
diff --git a/Gemfile.lock b/Gemfile.lock
index da5d5dcac70..d6740b03c1d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -680,7 +680,7 @@ GEM
     git (1.18.0)
       addressable (~> 2.8)
       rchardet (~> 1.8)
-    gitaly (16.11.0.pre.rc1)
+    gitaly (17.0.0.pre.rc2)
       grpc (~> 1.0)
     gitlab (4.19.0)
       httparty (~> 0.20)
@@ -1253,9 +1253,6 @@ GEM
     opentelemetry-instrumentation-active_job (0.7.1)
       opentelemetry-api (~> 1.0)
       opentelemetry-instrumentation-base (~> 0.22.1)
-    opentelemetry-instrumentation-active_model_serializers (0.20.1)
-      opentelemetry-api (~> 1.0)
-      opentelemetry-instrumentation-base (~> 0.22.1)
     opentelemetry-instrumentation-active_record (0.7.0)
       opentelemetry-api (~> 1.0)
       opentelemetry-instrumentation-base (~> 0.22.1)
@@ -1669,8 +1666,6 @@ GEM
     sentry-rails (5.10.0)
       railties (>= 5.0)
       sentry-ruby (~> 5.10.0)
-    sentry-raven (3.1.2)
-      faraday (>= 1.0)
     sentry-ruby (5.10.0)
       concurrent-ruby (~> 1.0, >= 1.0.2)
     sentry-sidekiq (5.10.0)
@@ -2008,7 +2003,7 @@ DEPENDENCIES
   gdk-toogle (~> 0.9)
   gettext (~> 3.4, >= 3.4.9)
   gettext_i18n_rails (~> 1.12.0)
-  gitaly (~> 16.11.0.pre.rc1)
+  gitaly (~> 17.0.0.pre.rc2)
   gitlab-backup-cli!
   gitlab-chronic (~> 0.10.5)
   gitlab-dangerfiles (~> 4.7.0)
@@ -2142,7 +2137,6 @@ DEPENDENCIES
   opentelemetry-instrumentation-action_pack
   opentelemetry-instrumentation-action_view
   opentelemetry-instrumentation-active_job
-  opentelemetry-instrumentation-active_model_serializers
   opentelemetry-instrumentation-active_record
   opentelemetry-instrumentation-active_support
   opentelemetry-instrumentation-aws_sdk
@@ -2224,7 +2218,6 @@ DEPENDENCIES
   selenium-webdriver (~> 4.19)
   semver_dialects (~> 2.0, >= 2.0.2)
   sentry-rails (~> 5.10.0)
-  sentry-raven (~> 3.1)
   sentry-ruby (~> 5.10.0)
   sentry-sidekiq (~> 5.10.0)
   shoulda-matchers (~> 5.1.0)
diff --git a/app/assets/javascripts/ci/catalog/components/details/ci_resource_header.vue b/app/assets/javascripts/ci/catalog/components/details/ci_resource_header.vue
index a027363a0c2..3001bb2e1ae 100644
--- a/app/assets/javascripts/ci/catalog/components/details/ci_resource_header.vue
+++ b/app/assets/javascripts/ci/catalog/components/details/ci_resource_header.vue
@@ -13,6 +13,7 @@ import { getIdFromGraphQLId } from '~/graphql_shared/utils';
 import { cleanLeadingSeparator } from '~/lib/utils/url_utility';
 import { formatDate } from '~/lib/utils/datetime_utility';
 import AbuseCategorySelector from '~/abuse_reports/components/abuse_category_selector.vue';
+import Markdown from '~/vue_shared/components/markdown/non_gfm_markdown.vue';
 import CiVerificationBadge from '../shared/ci_verification_badge.vue';
 import CiResourceAbout from './ci_resource_about.vue';
 import CiResourceHeaderSkeletonLoader from './ci_resource_header_skeleton_loader.vue';
@@ -35,6 +36,7 @@ export default {
     GlDisclosureDropdown,
     GlDisclosureDropdownItem,
     GlLink,
+    Markdown,
   },
   directives: {
     GlTooltip: GlTooltipDirective,
@@ -198,9 +200,7 @@ export default {
       v-if="isLoadingSharedData"
       class="gl-animate-skeleton-loader gl-h-4 gl-rounded-base gl-my-3 gl-max-w-20!"
     ></div>
-    <p v-else class="gl-mt-2">
-      {{ resource.description }}
-    </p>
+    <markdown v-else class="gl-mt-2" :markdown="resource.description" />
     <abuse-category-selector
       v-if="hasLatestVersion && isReportAbuseDrawerOpen && reportAbusePath"
       :reported-user-id="authorId"
diff --git a/app/assets/javascripts/ci/catalog/components/list/ci_resources_list_item.vue b/app/assets/javascripts/ci/catalog/components/list/ci_resources_list_item.vue
index d227a7c152d..770495db87b 100644
--- a/app/assets/javascripts/ci/catalog/components/list/ci_resources_list_item.vue
+++ b/app/assets/javascripts/ci/catalog/components/list/ci_resources_list_item.vue
@@ -13,6 +13,7 @@ import { getIdFromGraphQLId } from '~/graphql_shared/utils';
 import { formatDate, getTimeago } from '~/lib/utils/datetime_utility';
 import { toNounSeriesText } from '~/lib/utils/grammar';
 import { cleanLeadingSeparator } from '~/lib/utils/url_utility';
+import Markdown from '~/vue_shared/components/markdown/non_gfm_markdown.vue';
 import { CI_RESOURCE_DETAILS_PAGE_NAME } from '../../router/constants';
 import CiVerificationBadge from '../shared/ci_verification_badge.vue';
 
@@ -30,6 +31,7 @@ export default {
     GlLink,
     GlSprintf,
     GlTruncate,
+    Markdown,
   },
   directives: {
     GlTooltip: GlTooltipDirective,
@@ -183,7 +185,10 @@ export default {
         class="gl-display-flex gl-flex-direction-column gl-md-flex-direction-row gl-justify-content-space-between gl-font-sm"
       >
         <div>
-          <span class="gl-display-flex gl-flex-basis-two-thirds">{{ resource.description }}</span>
+          <markdown
+            class="gl-display-flex gl-flex-basis-two-thirds"
+            :markdown="resource.description"
+          />
           <div
             v-if="hasComponents"
             data-testid="ci-resource-component-names"
diff --git a/app/assets/javascripts/observability/client.js b/app/assets/javascripts/observability/client.js
index 16034a37a6d..ab858eb94d2 100644
--- a/app/assets/javascripts/observability/client.js
+++ b/app/assets/javascripts/observability/client.js
@@ -9,6 +9,13 @@ function reportErrorAndThrow(e) {
   Sentry.captureException(e);
   throw e;
 }
+
+/** ****
+ *
+ * Provisioning API
+ *
+ * ***** */
+
 // Provisioning API spec: https://gitlab.com/gitlab-org/opstrace/opstrace/-/blob/main/provisioning-api/pkg/provisioningapi/routes.go#L59
 async function enableObservability(provisioningUrl) {
   try {
@@ -40,6 +47,97 @@ async function isObservabilityEnabled(provisioningUrl) {
   return reportErrorAndThrow(new Error('Failed to check provisioning')); // eslint-disable-line @gitlab/require-i18n-strings
 }
 
+/** ****
+ *
+ * Common utils
+ *
+ * ***** */
+
+const FILTER_OPERATORS_PREFIX = {
+  '!=': 'not',
+  '>': 'gt',
+  '<': 'lt',
+  '!~': 'not_like',
+  '=~': 'like',
+};
+
+const SEARCH_FILTER_NAME = 'search';
+
+/**
+ * Return the query parameter name, given an operator and param key
+ *
+ * e.g
+ *    if paramKey is 'foo' and operator is "=", param name is 'foo'
+ *    if paramKey is 'foo' and operator is "!=", param name is 'not[foo]'
+ *
+ * @param {String} paramKey - The parameter name
+ * @param {String} operator - The operator
+ * @returns String | undefined - Query param name
+ */
+function getFilterParamName(filterName, operator, filterToQueryMapping) {
+  const paramKey = filterToQueryMapping[filterName];
+  if (!paramKey) return undefined;
+
+  if (operator === '=' || filterName === SEARCH_FILTER_NAME) {
+    return paramKey;
+  }
+
+  const prefix = FILTER_OPERATORS_PREFIX[operator];
+  if (prefix) {
+    return `${prefix}[${paramKey}]`;
+  }
+
+  return undefined;
+}
+
+/**
+ * Process `filterValue` and append the proper query params to the  `searchParams` arg, using `nameParam` and `valueParam`
+ *
+ * It mutates `searchParams`
+ *
+ * @param {String} filterValue The filter value, in the format `attribute_name=attribute_value`
+ * @param {String} filterOperator The filter operator
+ * @param {URLSearchParams} searchParams The URLSearchParams object where to append the proper query params
+ * @param {String} nameParam The query param name for the attribute name
+ * @param {String} nameParam The query param name for the attribute value
+ *
+ * e.g.
+ *
+ *    handleAttributeFilter('foo=bar', '=', searchParams, 'attr_name', 'attr_value')
+ *
+ *        it adds { attr_name: 'foo', attr_value: 'bar'} to `searchParams`
+ *
+ */
+function handleAttributeFilter(filterValue, filterOperator, searchParams, nameParam, valueParam) {
+  const [attrName, attrValue] = filterValue.split('=');
+  if (attrName && attrValue) {
+    if (filterOperator === '=') {
+      searchParams.append(nameParam, attrName);
+      searchParams.append(valueParam, attrValue);
+    }
+  }
+}
+
+function addDateRangeFilterToQueryParams(dateRangeFilter, params) {
+  if (!dateRangeFilter || !params) return;
+
+  const { value, endDate, startDate } = dateRangeFilter;
+  if (value === CUSTOM_DATE_RANGE_OPTION) {
+    if (isValidDate(startDate) && isValidDate(endDate)) {
+      params.append('start_time', startDate.toISOString());
+      params.append('end_time', endDate.toISOString());
+    }
+  } else if (typeof value === 'string') {
+    params.append('period', value);
+  }
+}
+
+/** ****
+ *
+ * Tracing API
+ *
+ * ***** */
+
 async function fetchTrace(tracingUrl, traceId) {
   try {
     if (!traceId) {
@@ -67,88 +165,23 @@ const SUPPORTED_TRACING_FILTERS = {
   traceId: ['=', '!='],
   attribute: ['='],
   status: ['=', '!='],
-  // free-text 'search' temporarily ignored https://gitlab.com/gitlab-org/opstrace/opstrace/-/issues/2309
+  // 'search' temporarily ignored https://gitlab.com/gitlab-org/opstrace/opstrace/-/issues/2309
 };
 
 /**
- * Mapping of filter name to query param
+ * Mapping of filter name to tracing query param
  */
 const TRACING_FILTER_TO_QUERY_PARAM = {
   durationMs: 'duration_nano',
   operation: 'operation',
   service: 'service_name',
-  period: 'period',
   traceId: 'trace_id',
-  attribute: 'attribute',
   status: 'status',
+  // `attribute` is handled separately, see `handleAttributeFilter` method
+  // `period` is handled separately, see `handleTracingPeriodFilter` method
 };
 
-const FILTER_OPERATORS_PREFIX = {
-  '!=': 'not',
-  '>': 'gt',
-  '<': 'lt',
-  '!~': 'not_like',
-  '=~': 'like',
-};
-
-/**
- * Return the query parameter name, given an operator and param key
- *
- * e.g
- *    if paramKey is 'foo' and operator is "=", param name is 'foo'
- *    if paramKey is 'foo' and operator is "!=", param name is 'not[foo]'
- *
- * @param {String} paramKey - The parameter name
- * @param {String} operator - The operator
- * @returns String | undefined - Query param name
- */
-function getFilterParamName(paramKey, operator) {
-  if (operator === '=') {
-    return paramKey;
-  }
-
-  const prefix = FILTER_OPERATORS_PREFIX[operator];
-  if (prefix) {
-    return `${prefix}[${paramKey}]`;
-  }
-
-  return undefined;
-}
-
-/**
- * Builds the tracing query param name for the given filter and operator
- *
- * @param {String} filterName - The filter name
- * @param {String} operator - The operator
- * @returns String | undefined - Query param name
- */
-function getTracingFilterParamName(filterName, operator) {
-  const paramKey = TRACING_FILTER_TO_QUERY_PARAM[filterName];
-  if (!paramKey) return undefined;
-
-  return getFilterParamName(paramKey, operator);
-}
-
-/**
- * Process `filterValue` and append the proper query params to the  `searchParams` arg
- *
- * It mutates `searchParams`
- *
- * @param {String} filterValue The filter value, in the format `attribute_name=attribute_value`
- * @param {String} filterOperator The filter operator
- * @param {URLSearchParams} searchParams The URLSearchParams object where to append the proper query params
- */
-function handleAttributeFilter(filterValue, filterOperator, searchParams) {
-  const [attrName, attrValue] = filterValue.split('=');
-  if (attrName && attrValue) {
-    if (filterOperator === '=') {
-      searchParams.append('attr_name', attrName);
-      searchParams.append('attr_value', attrValue);
-    }
-  }
-}
-
-function handlePeriodFilter(rawValue, filterName, filterParams) {
+function handleTracingPeriodFilter(rawValue, filterName, filterParams) {
   if (rawValue.trim().indexOf(' ') < 0) {
     filterParams.append(filterName, rawValue.trim());
     return;
@@ -189,13 +222,14 @@ function tracingFilterObjToQueryParams(filterObj) {
     const validFilters = filterValues.filter((f) =>
       SUPPORTED_TRACING_FILTERS[filterName].includes(f.operator),
     );
+
     validFilters.forEach(({ operator, value: rawValue }) => {
       if (filterName === 'attribute') {
-        handleAttributeFilter(rawValue, operator, filterParams);
+        handleAttributeFilter(rawValue, operator, filterParams, 'attr_name', 'attr_value');
       } else if (filterName === 'period') {
-        handlePeriodFilter(rawValue, filterName, filterParams);
+        handleTracingPeriodFilter(rawValue, filterName, filterParams);
       } else {
-        const paramName = getTracingFilterParamName(filterName, operator);
+        const paramName = getFilterParamName(filterName, operator, TRACING_FILTER_TO_QUERY_PARAM);
         let value = rawValue;
         if (filterName === 'durationMs') {
           // converting durationMs to duration_nano
@@ -318,6 +352,12 @@ function handleMetricsAttributeFilters(attributeFilters, params) {
   }
 }
 
+/** ****
+ *
+ * Metrics API
+ *
+ * ***** */
+
 async function fetchMetrics(metricsUrl, { filters = {}, limit } = {}) {
   try {
     const params = new URLSearchParams();
@@ -359,6 +399,7 @@ const SUPPORTED_METRICS_DIMENSIONS_OPERATORS = {
   '=~': 're',
   '!~': 'nre',
 };
+
 function addMetricsAttributeFilterToQueryParams(dimensionFilter, params) {
   if (!dimensionFilter || !params) return;
 
@@ -374,21 +415,7 @@ function addMetricsAttributeFilterToQueryParams(dimensionFilter, params) {
   });
 }
 
-function addDateRangeFilterToQueryParams(dateRangeFilter, params) {
-  if (!dateRangeFilter || !params) return;
-
-  const { value, endDate, startDate } = dateRangeFilter;
-  if (value === CUSTOM_DATE_RANGE_OPTION) {
-    if (isValidDate(startDate) && isValidDate(endDate)) {
-      params.append('start_time', startDate.toISOString());
-      params.append('end_time', endDate.toISOString());
-    }
-  } else if (typeof value === 'string') {
-    params.append('period', value);
-  }
-}
-
-function addGroupByFilterToQueryParams(groupByFilter, params) {
+function addMetricsGroupByFilterToQueryParams(groupByFilter, params) {
   if (!groupByFilter || !params) return;
 
   const { func, attributes } = groupByFilter;
@@ -429,7 +456,7 @@ async function fetchMetric(searchUrl, name, type, options = {}) {
     }
 
     if (groupBy) {
-      addGroupByFilterToQueryParams(groupBy, params);
+      addMetricsGroupByFilterToQueryParams(groupBy, params);
     }
 
     const { data } = await axios.get(searchUrl, {
@@ -470,15 +497,95 @@ async function fetchMetricSearchMetadata(searchMetadataUrl, name, type) {
   }
 }
 
+/** ****
+ *
+ * Logs API
+ *
+ * ***** */
+
+/**
+ * Filters (and operators) allowed by logs query API
+ */
+const SUPPORTED_LOGS_FILTERS = {
+  service: ['=', '!='],
+  severityName: ['=', '!='],
+  traceId: ['='],
+  spanId: ['='],
+  fingerprint: ['='],
+  traceFlags: ['=', '!='],
+  attribute: ['='],
+  resourceAttribute: ['='],
+  search: [], // 'search' filter does not have any operator
+};
+
+/**
+ * Mapping of filter name to query param
+ */
+const LOGS_FILTER_TO_QUERY_PARAM = {
+  service: 'service_name',
+  severityName: 'severity_name',
+  traceId: 'trace_id',
+  spanId: 'span_id',
+  fingerprint: 'fingerprint',
+  traceFlags: 'trace_flags',
+  search: 'body',
+  // `attribute` and `resource_attribute` are handled separately
+};
+
+/**
+ * Builds URLSearchParams from a filter object of type { [filterName]: undefined | null | Array<{operator: String, value: any} }
+ *  e.g:
+ *
+ *  filterObj =  {
+ *      severityName: [{operator: '=', value: 'info' }],
+ *      service: [{operator: '!=', value: 'foo' }]
+ *    }
+ *
+ * It handles converting the filter to the proper supported query params
+ *
+ * @param {Object} filterObj : An Object representing handleAttributeFilter
+ * @returns URLSearchParams
+ */
+function addLogsAttributesFiltersToQueryParams(filterObj, filterParams) {
+  Object.keys(SUPPORTED_LOGS_FILTERS).forEach((filterName) => {
+    const filterValues = Array.isArray(filterObj[filterName])
+      ? filterObj[filterName].filter(({ value }) => Boolean(value)) // ignore empty strings
+      : [];
+    const validFilters = filterValues.filter(
+      (f) =>
+        (filterName === SEARCH_FILTER_NAME && SUPPORTED_LOGS_FILTERS[filterName]) ||
+        SUPPORTED_LOGS_FILTERS[filterName].includes(f.operator),
+    );
+    validFilters.forEach(({ operator, value: rawValue }) => {
+      if (filterName === 'attribute') {
+        handleAttributeFilter(rawValue, operator, filterParams, 'log_attr_name', 'log_attr_value');
+      } else if (filterName === 'resourceAttribute') {
+        handleAttributeFilter(rawValue, operator, filterParams, 'res_attr_name', 'res_attr_value');
+      } else {
+        const paramName = getFilterParamName(filterName, operator, LOGS_FILTER_TO_QUERY_PARAM);
+        const value = rawValue;
+        if (paramName && value) {
+          filterParams.append(paramName, value);
+        }
+      }
+    });
+  });
+  return filterParams;
+}
+
 export async function fetchLogs(logsSearchUrl, { pageToken, pageSize, filters = {} } = {}) {
   try {
     const params = new URLSearchParams();
 
-    const { dateRange } = filters;
+    const { dateRange, attributes } = filters;
     if (dateRange) {
       addDateRangeFilterToQueryParams(dateRange, params);
     }
 
+    if (attributes) {
+      addLogsAttributesFiltersToQueryParams(attributes, params);
+    }
+
     if (pageToken) {
       params.append('page_token', pageToken);
     }
@@ -501,6 +608,12 @@ export async function fetchLogs(logsSearchUrl, { pageToken, pageSize, filters =
   }
 }
 
+/** ****
+ *
+ * ObservabilityClient
+ *
+ * ***** */
+
 export function buildClient(config) {
   if (!config) {
     throw new Error('No options object provided'); // eslint-disable-line @gitlab/require-i18n-strings
diff --git a/app/assets/javascripts/profile/edit/constants.js b/app/assets/javascripts/profile/edit/constants.js
index 2a4f690c3be..a6e7a5eb4ef 100644
--- a/app/assets/javascripts/profile/edit/constants.js
+++ b/app/assets/javascripts/profile/edit/constants.js
@@ -13,7 +13,7 @@ export const avatarI18n = {
   uploadNewAvatar: s__('Profiles|Upload new avatar'),
   chooseFile: s__('Profiles|Choose file...'),
   noFileChosen: s__('Profiles|No file chosen.'),
-  maximumFileSize: s__('Profiles|The maximum file size allowed is 200KB.'),
+  maximumFileSize: s__('Profiles|The maximum file size allowed is 200 KiB.'),
   imageDimensions: s__('Profiles|The ideal image size is 192 x 192 pixels.'),
   removeAvatar: s__('Profiles|Remove avatar'),
   removeAvatarConfirmation: s__('Profiles|Avatar will be removed. Are you sure?'),
diff --git a/app/assets/javascripts/render_vue_component_for_legacy_js.js b/app/assets/javascripts/render_vue_component_for_legacy_js.js
index 7ef1943f7ac..47706411ebb 100644
--- a/app/assets/javascripts/render_vue_component_for_legacy_js.js
+++ b/app/assets/javascripts/render_vue_component_for_legacy_js.js
@@ -14,15 +14,14 @@ import Vue from 'vue';
  * @returns {HTMLElement}
  */
 export const renderVueComponentForLegacyJS = (Component, data, children) => {
-  const mountEl = document.createElement('div');
-
   const vm = new Vue({
-    el: mountEl,
     render(h) {
       return h(Component, data, children);
     },
   });
 
+  vm.$mount();
+
   // Ensure it's rendered
   vm.$forceUpdate();
 
diff --git a/app/assets/javascripts/search/sidebar/components/group_filter.vue b/app/assets/javascripts/search/sidebar/components/group_filter.vue
index 20231cdda6a..d649c789ed5 100644
--- a/app/assets/javascripts/search/sidebar/components/group_filter.vue
+++ b/app/assets/javascripts/search/sidebar/components/group_filter.vue
@@ -67,7 +67,7 @@ export default {
 
 <template>
   <div>
-    <h5 :id="labelId" class="gl-mt-0 gl-mb-5 gl-font-sm">
+    <h5 :id="labelId" class="gl-mt-0 gl-mb-2 gl-font-sm">
       {{ $options.i18n.groupFieldLabel }}
     </h5>
     <searchable-dropdown
diff --git a/app/assets/javascripts/search/sidebar/components/project_filter.vue b/app/assets/javascripts/search/sidebar/components/project_filter.vue
index ad1c97fbde4..8cf81459570 100644
--- a/app/assets/javascripts/search/sidebar/components/project_filter.vue
+++ b/app/assets/javascripts/search/sidebar/components/project_filter.vue
@@ -76,7 +76,7 @@ export default {
 
 <template>
   <div>
-    <h5 :id="labelId" class="gl-mt-0 gl-mb-5 gl-font-sm">
+    <h5 :id="labelId" class="gl-mt-0 gl-mb-2 gl-font-sm">
       {{ $options.i18n.projectFieldLabel }}
     </h5>
     <searchable-dropdown
diff --git a/app/assets/javascripts/search/topbar/components/app.vue b/app/assets/javascripts/search/topbar/components/app.vue
index 32a26badca5..86cb91cc80c 100644
--- a/app/assets/javascripts/search/topbar/components/app.vue
+++ b/app/assets/javascripts/search/topbar/components/app.vue
@@ -22,7 +22,7 @@ export default {
   i18n: {
     searchPlaceholder: s__(`GlobalSearch|Search for projects, issues, etc.`),
     searchLabel: s__(`GlobalSearch|What are you searching for?`),
-    syntaxOptionsLabel: s__('GlobalSearch|Syntax options'),
+    syntaxOptionsLabel: s__('GlobalSearch|View syntax options.'),
     groupFieldLabel: s__('GlobalSearch|Group'),
     projectFieldLabel: s__('GlobalSearch|Project'),
   },
@@ -102,43 +102,27 @@ export default {
 
 <template>
   <section>
-    <div
-      class="gl-lg-display-flex gl-flex-direction-row gl-py-5"
-      :class="{
-        'gl-justify-content-space-between': showSyntaxOptions,
-        'gl-justify-content-end': !showSyntaxOptions,
-      }"
-    >
+    <div class="search-page-form gl-mt-5">
+      <search-type-indicator />
       <template v-if="showSyntaxOptions">
-        <div>
-          <gl-button
-            category="tertiary"
-            variant="link"
-            size="small"
-            button-text-classes="gl-font-sm!"
-            @click="onToggleDrawer"
+        <div class="gl-display-inline-block">
+          <gl-button category="tertiary" variant="link" @click="onToggleDrawer"
             >{{ $options.i18n.syntaxOptionsLabel }}
           </gl-button>
         </div>
         <markdown-drawer ref="markdownDrawer" :document-path="documentBasedOnSearchType" />
       </template>
-      <search-type-indicator />
-    </div>
-    <div class="search-page-form gl-lg-display-flex gl-flex-direction-column">
-      <div class="gl-lg-display-flex gl-flex-direction-row gl-align-items-flex-start">
-        <div class="gl-flex-grow-1 gl-pb-8 gl-lg-mb-0 gl-lg-mr-2">
-          <gl-search-box-by-type
-            id="dashboard_search"
-            v-model="search"
-            name="search"
-            :regex-button-is-visible="isRegexButtonVisible"
-            :regex-button-state="regexEnabled"
-            :regex-button-handler="regexButtonHandler"
-            :placeholder="$options.i18n.searchPlaceholder"
-            @keydown.enter.stop.prevent="applyQuery"
-          />
-        </div>
-      </div>
+      <gl-search-box-by-type
+        id="dashboard_search"
+        v-model="search"
+        name="search"
+        class="gl-mt-2"
+        :regex-button-is-visible="isRegexButtonVisible"
+        :regex-button-state="regexEnabled"
+        :regex-button-handler="regexButtonHandler"
+        :placeholder="$options.i18n.searchPlaceholder"
+        @keydown.enter.stop.prevent="applyQuery"
+      />
     </div>
   </section>
 </template>
diff --git a/app/assets/javascripts/search/topbar/components/search_type_indicator.vue b/app/assets/javascripts/search/topbar/components/search_type_indicator.vue
index b57290172a5..d33e974edca 100644
--- a/app/assets/javascripts/search/topbar/components/search_type_indicator.vue
+++ b/app/assets/javascripts/search/topbar/components/search_type_indicator.vue
@@ -28,7 +28,7 @@ export default {
   },
   i18n: {
     zoekt_enabled: s__(
-      'GlobalSearch|%{linkStart}Exact code search (powered by Zoekt)%{linkEnd} is enabled',
+      'GlobalSearch|%{linkStart}Exact code search (powered by Zoekt)%{linkEnd} is enabled.',
     ),
     zoekt_disabled: s__(
       'GlobalSearch|%{linkStart}Exact code search (powered by Zoekt)%{linkEnd} is disabled since %{ref_elem} is not the default branch. %{docs_link}',
@@ -119,19 +119,19 @@ export default {
 </script>
 
 <template>
-  <div class="gl-text-gray-600">
-    <div v-if="isBasicSearch" data-testid="basic">&nbsp;</div>
-    <div v-else-if="isEnabled" :data-testid="`${searchTypeTestId}-enabled`">
+  <div class="gl-inline gl-text-gray-600">
+    <div v-if="isBasicSearch" data-testid="basic"></div>
+    <div v-else-if="isEnabled" :data-testid="`${searchTypeTestId}-enabled`" class="gl-inline">
       <gl-sprintf :message="enabledMessage">
         <template #link="{ content }">
-          <gl-link :href="helpUrl" target="_blank" data-testid="docs-link">{{ content }} </gl-link>
+          <gl-link :href="helpUrl" target="_blank" data-testid="docs-link">{{ content }}</gl-link>
         </template>
       </gl-sprintf>
     </div>
-    <div v-else :data-testid="`${searchTypeTestId}-disabled`">
+    <div v-else :data-testid="`${searchTypeTestId}-disabled`" class="gl-inline">
       <gl-sprintf :message="disabledMessage">
         <template #link="{ content }">
-          <gl-link :href="helpUrl" target="_blank" data-testid="docs-link">{{ content }} </gl-link>
+          <gl-link :href="helpUrl" target="_blank" data-testid="docs-link">{{ content }}</gl-link>
         </template>
         <template #ref_elem>
           <code v-gl-tooltip :title="query.repository_ref">{{ query.repository_ref }}</code>
diff --git a/app/assets/javascripts/sentry/init_sentry.js b/app/assets/javascripts/sentry/init_sentry.js
index 722741b50e4..8c8d8b655de 100644
--- a/app/assets/javascripts/sentry/init_sentry.js
+++ b/app/assets/javascripts/sentry/init_sentry.js
@@ -1,3 +1,4 @@
+/* eslint-disable no-restricted-imports */
 import {
   BrowserClient,
   getCurrentHub,
@@ -9,7 +10,7 @@ import {
   // exports
   captureException,
   SDK_VERSION,
-} from 'sentrybrowser';
+} from '@sentry/browser';
 
 const initSentry = () => {
   if (!gon?.sentry_dsn) {
diff --git a/app/assets/javascripts/sentry/legacy_constants.js b/app/assets/javascripts/sentry/legacy_constants.js
deleted file mode 100644
index d04011dab2f..00000000000
--- a/app/assets/javascripts/sentry/legacy_constants.js
+++ /dev/null
@@ -1,46 +0,0 @@
-import { __ } from '~/locale';
-
-// https://docs.sentry.io/platforms/javascript/configuration/filtering/#decluttering-sentry
-export const IGNORE_ERRORS = [
-  // Random plugins/extensions
-  'top.GLOBALS',
-  // See: http://blog.errorception.com/2012/03/tale-of-unfindable-js-error. html
-  'originalCreateNotification',
-  'canvas.contentDocument',
-  'MyApp_RemoveAllHighlights',
-  'http://tt.epicplay.com',
-  __("Can't find variable: ZiteReader"),
-  __('jigsaw is not defined'),
-  __('ComboSearch is not defined'),
-  'http://loading.retry.widdit.com/',
-  'atomicFindClose',
-  // Facebook borked
-  'fb_xd_fragment',
-  // ISP "optimizing" proxy - `Cache-Control: no-transform` seems to
-  // reduce this. (thanks @acdha)
-  'bmi_SafeAddOnload',
-  'EBCallBackMessageReceived',
-  // See http://toolbar.conduit.com/Developer/HtmlAndGadget/Methods/JSInjection.aspx
-  'conduitPage',
-  // Exclude errors from polling when navigating away from a page
-  'TypeError: Failed to fetch',
-];
-
-export const DENY_URLS = [
-  // Facebook flakiness
-  /graph\.facebook\.com/i,
-  // Facebook blocked
-  /connect\.facebook\.net\/en_US\/all\.js/i,
-  // Woopra flakiness
-  /eatdifferent\.com\.woopra-ns\.com/i,
-  /static\.woopra\.com\/js\/woopra\.js/i,
-  // Chrome extensions
-  /extensions\//i,
-  /^chrome:\/\//i,
-  // Other plugins
-  /127\.0\.0\.1:4001\/isrunning/i, // Cacaoweb
-  /webappstoolbarba\.texthelp\.com\//i,
-  /metrics\.itunes\.apple\.com\.edgesuite\.net\//i,
-];
-
-export const SAMPLE_RATE = 0.95;
diff --git a/app/assets/javascripts/sentry/legacy_index.js b/app/assets/javascripts/sentry/legacy_index.js
deleted file mode 100644
index 688f8eb0a44..00000000000
--- a/app/assets/javascripts/sentry/legacy_index.js
+++ /dev/null
@@ -1,34 +0,0 @@
-import '../webpack';
-
-import * as Sentry5 from 'sentrybrowser5';
-import LegacySentryConfig from './legacy_sentry_config';
-
-const index = function index() {
-  // Configuration for legacy versions of Sentry SDK (v5)
-  LegacySentryConfig.init({
-    dsn: gon.sentry_dsn,
-    currentUserId: gon.current_user_id,
-    whitelistUrls:
-      process.env.NODE_ENV === 'production'
-        ? [gon.gitlab_url]
-        : [gon.gitlab_url, 'webpack-internal://'],
-    environment: gon.sentry_environment,
-    release: gon.revision,
-    tags: {
-      revision: gon.revision,
-      feature_category: gon.feature_category,
-    },
-  });
-};
-
-index();
-
-// The _Sentry object is globally exported so it can be used by
-//   ./sentry_browser_wrapper.js
-// This hack allows us to load a single version of `~/sentry/sentry_browser_wrapper`
-// in the browser, see app/views/layouts/_head.html.haml to find how it is imported.
-
-// eslint-disable-next-line no-underscore-dangle
-window._Sentry = Sentry5;
-
-export default index;
diff --git a/app/assets/javascripts/sentry/legacy_sentry_config.js b/app/assets/javascripts/sentry/legacy_sentry_config.js
deleted file mode 100644
index 137c31f5526..00000000000
--- a/app/assets/javascripts/sentry/legacy_sentry_config.js
+++ /dev/null
@@ -1,64 +0,0 @@
-import * as Sentry5 from 'sentrybrowser5';
-import $ from 'jquery';
-import { __ } from '~/locale';
-import { IGNORE_ERRORS, DENY_URLS, SAMPLE_RATE } from './legacy_constants';
-
-const SentryConfig = {
-  IGNORE_ERRORS,
-  DENYLIST_URLS: DENY_URLS,
-  SAMPLE_RATE,
-  init(options = {}) {
-    this.options = options;
-
-    this.configure();
-    this.bindSentryErrors();
-    if (this.options.currentUserId) this.setUser();
-  },
-
-  configure() {
-    const { dsn, release, tags, whitelistUrls, environment } = this.options;
-
-    Sentry5.init({
-      dsn,
-      release,
-      whitelistUrls,
-      environment,
-      ignoreErrors: this.IGNORE_ERRORS, // TODO: Remove in favor of https://gitlab.com/gitlab-org/gitlab/issues/35144
-      blacklistUrls: this.DENYLIST_URLS,
-      sampleRate: SAMPLE_RATE,
-    });
-
-    Sentry5.setTags(tags);
-  },
-
-  setUser() {
-    Sentry5.setUser({
-      id: this.options.currentUserId,
-    });
-  },
-
-  bindSentryErrors() {
-    $(document).on('ajaxError.sentry', this.handleSentryErrors);
-  },
-
-  handleSentryErrors(event, req, config, err) {
-    const error = err || req.statusText;
-    const { responseText = __('Unknown response text') } = req;
-    const { type, url, data } = config;
-    const { status } = req;
-
-    Sentry5.captureMessage(error, {
-      extra: {
-        type,
-        url,
-        data,
-        status,
-        response: responseText,
-        error,
-        event,
-      },
-    });
-  },
-};
-
-export default SentryConfig;
diff --git a/app/assets/javascripts/single_file_diff.js b/app/assets/javascripts/single_file_diff.js
index 1e01da795e8..a3b10f3a77b 100644
--- a/app/assets/javascripts/single_file_diff.js
+++ b/app/assets/javascripts/single_file_diff.js
@@ -1,6 +1,8 @@
 import $ from 'jquery';
+import { GlButton } from '@gitlab/ui';
 import { createAlert } from '~/alert';
 import { loadingIconForLegacyJS } from '~/loading_icon_for_legacy_js';
+import { renderVueComponentForLegacyJS } from '~/render_vue_component_for_legacy_js';
 import { spriteIcon } from '~/lib/utils/common_utils';
 import FilesCommentButton from './files_comment_button';
 import initImageDiffHelper from './image_diff/helpers/init_image_diff';
@@ -14,8 +16,15 @@ const ERROR_HTML = `<div class="nothing-here-block">${spriteIcon(
   'warning-solid',
   's16',
 )} Could not load diff</div>`;
-const COLLAPSED_HTML =
-  '<div class="nothing-here-block diff-collapsed">This diff is collapsed. <button class="click-to-expand btn btn-link gl-button">Click to expand it.</button></div>';
+const CLICK_TO_EXPAND_BUTTON_HTML = renderVueComponentForLegacyJS(
+  GlButton,
+  {
+    class: 'click-to-expand',
+    props: { variant: 'link' },
+  },
+  __('Click to expand it.'),
+).outerHTML;
+const COLLAPSED_HTML = `<div class="nothing-here-block diff-collapsed">This diff is collapsed. ${CLICK_TO_EXPAND_BUTTON_HTML}</div>`;
 
 export default class SingleFileDiff {
   constructor(file) {
diff --git a/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue b/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue
index b6bbb5df93e..69c87cd3cfc 100644
--- a/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue
+++ b/app/assets/javascripts/vue_shared/components/upload_dropzone/avatar_upload_dropzone.vue
@@ -7,7 +7,7 @@ import { AVATAR_SHAPE_OPTION_RECT } from '~/vue_shared/constants';
 export default {
   i18n: {
     uploadText: __('Drop or %{linkStart}upload%{linkEnd} an avatar.'),
-    maxFileSize: s__('Profiles|The maximum file size allowed is 200KB.'),
+    maxFileSize: s__('Profiles|The maximum file size allowed is 200 KiB.'),
     imageDimensions: s__('Profiles|The ideal image size is 192 x 192 pixels.'),
     removeAvatar: __('Remove avatar'),
   },
diff --git a/app/channels/application_cable/channel.rb b/app/channels/application_cable/channel.rb
index 0de2b0185b5..84c1705c2b5 100644
--- a/app/channels/application_cable/channel.rb
+++ b/app/channels/application_cable/channel.rb
@@ -3,6 +3,15 @@
 module ApplicationCable
   class Channel < ActionCable::Channel::Base
     include Logging
+    include Gitlab::Auth::AuthFinders
+
+    before_subscribe :validate_token_scope
+
+    def validate_token_scope
+      validate_access_token!(scopes: [:api, :read_api])
+    rescue Gitlab::Auth::InsufficientScopeError
+      reject
+    end
 
     private
 
diff --git a/app/channels/graphql_channel.rb b/app/channels/graphql_channel.rb
index ae37be85da8..cc2a9126004 100644
--- a/app/channels/graphql_channel.rb
+++ b/app/channels/graphql_channel.rb
@@ -48,7 +48,8 @@ class GraphqlChannel < ApplicationCable::Channel # rubocop:disable Gitlab/Namesp
   # Objects added to the context may also need to be reloaded in
   # `Subscriptions::BaseSubscription` so that they are not stale
   def context
-    # is_sessionless_user is always false because we only support cookie auth in ActionCable
-    { channel: self, current_user: current_user, is_sessionless_user: false }
+    request_authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
+    scope_validator = ::Gitlab::Auth::ScopeValidator.new(current_user, request_authenticator)
+    { channel: self, current_user: current_user, is_sessionless_user: false, scope_validator: scope_validator }
   end
 end
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index 47c3d54df3a..912469382d6 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -222,6 +222,8 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     else
       fail_login(@user)
     end
+  rescue Gitlab::Auth::OAuth::User::IdentityWithUntrustedExternUidError
+    handle_identity_with_untrusted_extern_uid
   rescue Gitlab::Auth::OAuth::User::SigninDisabledForProviderError
     handle_disabled_provider
   rescue Gitlab::Auth::OAuth::User::SignupDisabledError
@@ -271,6 +273,13 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     redirect_to profile_account_path, notice: _('Request to link SAML account must be authorized')
   end
 
+  def handle_identity_with_untrusted_extern_uid
+    label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])
+    flash[:alert] = format(_("Signing in using your %{label} account has been disabled for security reasons. Please sign in to your GitLab account using another authentication method and reconnect to your %{label} account."), label: label)
+
+    redirect_to new_user_session_path
+  end
+
   def handle_disabled_provider
     label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])
     flash[:alert] = _("Signing in using %{label} has been disabled") % { label: label }
diff --git a/app/graphql/resolvers/base_resolver.rb b/app/graphql/resolvers/base_resolver.rb
index 17db91a685f..e6d54d9e31c 100644
--- a/app/graphql/resolvers/base_resolver.rb
+++ b/app/graphql/resolvers/base_resolver.rb
@@ -174,7 +174,7 @@ module Resolvers
     end
 
     def self.authorized?(object, context)
-      authorization.ok?(object, context[:current_user])
+      authorization.ok?(object, context[:current_user], scope_validator: context[:scope_validator])
     end
   end
 end
diff --git a/app/graphql/types/base_enum.rb b/app/graphql/types/base_enum.rb
index ca86e399f6b..d7ceaafb318 100644
--- a/app/graphql/types/base_enum.rb
+++ b/app/graphql/types/base_enum.rb
@@ -65,7 +65,7 @@ module Types
       end
 
       def authorized?(object, context)
-        authorization.ok?(object, context[:current_user])
+        authorization.ok?(object, context[:current_user], scope_validator: context[:scope_validator])
       end
     end
   end
diff --git a/app/graphql/types/base_field.rb b/app/graphql/types/base_field.rb
index 886490ba62f..ca671533ef1 100644
--- a/app/graphql/types/base_field.rb
+++ b/app/graphql/types/base_field.rb
@@ -97,7 +97,7 @@ module Types
     def field_authorized?(object, ctx)
       object = object.node if object.is_a?(GraphQL::Pagination::Connection::Edge)
 
-      authorization.ok?(object, ctx[:current_user])
+      authorization.ok?(object, ctx[:current_user], scope_validator: ctx[:scope_validator])
     end
 
     # Historically our resolvers have used declarative permission checks only
diff --git a/app/graphql/types/base_object.rb b/app/graphql/types/base_object.rb
index 4ad88e43f52..1783db3cc33 100644
--- a/app/graphql/types/base_object.rb
+++ b/app/graphql/types/base_object.rb
@@ -32,7 +32,7 @@ module Types
     end
 
     def self.authorized?(object, context)
-      authorization.ok?(object, context[:current_user])
+      authorization.ok?(object, context[:current_user], scope_validator: context[:scope_validator])
     end
 
     def current_user
diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index 60a229ef42a..177adb36cd4 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -411,6 +411,9 @@ module ApplicationSettingsHelper
       :throttle_unauthenticated_files_api_enabled,
       :throttle_unauthenticated_files_api_period_in_seconds,
       :throttle_unauthenticated_files_api_requests_per_period,
+      :throttle_unauthenticated_git_http_enabled,
+      :throttle_unauthenticated_git_http_period_in_seconds,
+      :throttle_unauthenticated_git_http_requests_per_period,
       :throttle_unauthenticated_deprecated_api_enabled,
       :throttle_unauthenticated_deprecated_api_period_in_seconds,
       :throttle_unauthenticated_deprecated_api_requests_per_period,
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 5ff1bca975d..0eb1a79dfe1 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -553,6 +553,8 @@ class ApplicationSetting < MainClusterwide::ApplicationRecord
       :throttle_unauthenticated_deprecated_api_requests_per_period,
       :throttle_unauthenticated_files_api_period_in_seconds,
       :throttle_unauthenticated_files_api_requests_per_period,
+      :throttle_unauthenticated_git_http_period_in_seconds,
+      :throttle_unauthenticated_git_http_requests_per_period,
       :throttle_unauthenticated_packages_api_period_in_seconds,
       :throttle_unauthenticated_packages_api_requests_per_period,
       :throttle_unauthenticated_period_in_seconds,
@@ -612,6 +614,11 @@ class ApplicationSetting < MainClusterwide::ApplicationRecord
   jsonb_accessor :service_ping_settings,
     gitlab_environment_toolkit_instance: [:boolean, { default: false }]
 
+  jsonb_accessor :rate_limits_unauthenticated_git_http,
+    throttle_unauthenticated_git_http_enabled: [:boolean, { default: false }],
+    throttle_unauthenticated_git_http_requests_per_period: [:integer, { default: 3600 }],
+    throttle_unauthenticated_git_http_period_in_seconds: [:integer, { default: 3600 }]
+
   validates :rate_limits, json_schema: { filename: "application_setting_rate_limits" }
 
   validates :search_rate_limit_allowlist,
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index 9caf712d0dc..3f1540e9b8c 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -2148,8 +2148,12 @@ class MergeRequest < ApplicationRecord
     merge_request_reviewers.where(user_id: user_ids)
   end
 
-  def has_changes_requested?
-    merge_request_reviewers.exists?(state: :requested_changes)
+  def create_requested_changes(user)
+    # Overridden in EE
+  end
+
+  def destroy_requested_changes(user)
+    # Overridden in EE
   end
 
   def batch_update_reviewer_state(user_ids, state)
diff --git a/app/models/user.rb b/app/models/user.rb
index 88382c85653..9002b1cedb2 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -320,7 +320,7 @@ class User < MainClusterwide::ApplicationRecord
   validates :name, presence: true, length: { maximum: 255 }
   validates :first_name, length: { maximum: 127 }
   validates :last_name, length: { maximum: 127 }
-  validates :email, confirmation: true
+  validates :email, confirmation: true, devise_email: true
   validates :notification_email, devise_email: true, allow_blank: true
   validates :public_email, uniqueness: true, devise_email: true, allow_blank: true
   validates :commit_email, devise_email: true, allow_blank: true, unless: ->(user) { user.commit_email == Gitlab::PrivateCommitEmail::TOKEN }
diff --git a/app/services/merge_requests/approval_service.rb b/app/services/merge_requests/approval_service.rb
index 679ee7b4c35..2770bb95c70 100644
--- a/app/services/merge_requests/approval_service.rb
+++ b/app/services/merge_requests/approval_service.rb
@@ -13,7 +13,7 @@ module MergeRequests
 
       return success unless save_approval(approval)
 
-      update_reviewer_state(merge_request, current_user, :approved)
+      update_reviewer_state(merge_request, current_user, 'approved')
 
       reset_approvals_cache(merge_request)
 
diff --git a/app/services/merge_requests/remove_approval_service.rb b/app/services/merge_requests/remove_approval_service.rb
index ffe3799b540..9bf582e2091 100644
--- a/app/services/merge_requests/remove_approval_service.rb
+++ b/app/services/merge_requests/remove_approval_service.rb
@@ -15,7 +15,7 @@ module MergeRequests
       trigger_approval_hooks(merge_request, skip_notification) do
         next unless approval.destroy_all # rubocop: disable Cop/DestroyAll
 
-        update_reviewer_state(merge_request, current_user, :unapproved) unless skip_updating_state
+        update_reviewer_state(merge_request, current_user, 'unapproved') unless skip_updating_state
         reset_approvals_cache(merge_request)
 
         unless skip_system_note
diff --git a/app/services/merge_requests/update_reviewer_state_service.rb b/app/services/merge_requests/update_reviewer_state_service.rb
index a77cdeeb121..9e4c3fd2180 100644
--- a/app/services/merge_requests/update_reviewer_state_service.rb
+++ b/app/services/merge_requests/update_reviewer_state_service.rb
@@ -12,8 +12,12 @@ module MergeRequests
 
         trigger_merge_request_reviewers_updated(merge_request)
 
+        destroy_requested_changes(merge_request) if state == 'approved'
+
         return success if state != 'requested_changes'
 
+        create_requested_changes(merge_request)
+
         if merge_request.approved_by?(current_user) && !remove_approval(merge_request, current_user)
           return error("Failed to remove approval")
         end
@@ -23,5 +27,17 @@ module MergeRequests
         error("Reviewer not found")
       end
     end
+
+    private
+
+    def create_requested_changes(merge_request)
+      merge_request.create_requested_changes(current_user)
+
+      trigger_merge_request_merge_status_updated(merge_request)
+    end
+
+    def destroy_requested_changes(merge_request)
+      merge_request.destroy_requested_changes(current_user)
+    end
   end
 end
diff --git a/app/validators/devise_email_validator.rb b/app/validators/devise_email_validator.rb
index b91cfe23f08..b462fa0ffde 100644
--- a/app/validators/devise_email_validator.rb
+++ b/app/validators/devise_email_validator.rb
@@ -19,7 +19,8 @@
 #   end
 class DeviseEmailValidator < ActiveModel::EachValidator
   DEFAULT_OPTIONS = {
-    regexp: Devise.email_regexp
+    regexp: Devise.email_regexp,
+    invalid_characters_regexp: %r{[?!#$%&*\/=^<>]}
   }.freeze
 
   def initialize(options)
@@ -31,6 +32,14 @@ class DeviseEmailValidator < ActiveModel::EachValidator
   end
 
   def validate_each(record, attribute, value)
-    record.errors.add(attribute, :invalid) unless options[:regexp].match?(value)
+    return if record.errors.include?(attribute)
+
+    record.errors.add(attribute, :invalid) unless valid_email?(value)
+  end
+
+  private
+
+  def valid_email?(value)
+    options[:regexp].match?(value) && !options[:invalid_characters_regexp].match?(value)
   end
 end
diff --git a/app/views/admin/application_settings/_git_http_limits.html.haml b/app/views/admin/application_settings/_git_http_limits.html.haml
new file mode 100644
index 00000000000..fc777a17443
--- /dev/null
+++ b/app/views/admin/application_settings/_git_http_limits.html.haml
@@ -0,0 +1,18 @@
+= gitlab_ui_form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-git-http-limits-settings'), html: { class: 'fieldset-form' } do |f|
+  = form_errors(@application_setting)
+
+  %fieldset
+    %h5
+      = _('Unauthenticated Git HTTP request rate limit')
+    .form-group
+      = f.gitlab_ui_checkbox_component :throttle_unauthenticated_git_http_enabled,
+        _('Enable unauthenticated Git HTTP request rate limit'),
+        help_text: _('Helps reduce unauthenticated Git HTTP request volume for git paths.')
+    .form-group
+      = f.label :throttle_unauthenticated_git_http_requests_per_period, _('Maximum unauthenticated Git HTTP requests per period per IP'), class: 'gl-font-weight-bold'
+      = f.number_field :throttle_unauthenticated_git_http_requests_per_period, class: 'form-control gl-form-input'
+    .form-group
+      = f.label :throttle_unauthenticated_git_http_period_in_seconds, _('Unauthenticated Git HTTP rate limit period in seconds'), class: 'gl-font-weight-bold'
+      = f.number_field :throttle_unauthenticated_git_http_period_in_seconds, class: 'form-control gl-form-input'
+
+  = f.submit _('Save changes'), pajamas_button: true
diff --git a/app/views/admin/application_settings/_sentry.html.haml b/app/views/admin/application_settings/_sentry.html.haml
index 5079f374c84..7058a4b5cca 100644
--- a/app/views/admin/application_settings/_sentry.html.haml
+++ b/app/views/admin/application_settings/_sentry.html.haml
@@ -1,12 +1,8 @@
 = gitlab_ui_form_for @application_setting, url: metrics_and_profiling_admin_application_settings_path(anchor: 'js-sentry-settings'), html: { class: 'fieldset-form', id: 'sentry-settings' } do |f|
   = form_errors(@application_setting)
 
-  - if Feature.disabled?(:enable_new_sentry_integration)
-    %fieldset.gl-text-secondary
-      = safe_format(s_('AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, enable the %{code_start}enable_new_sentry_integration%{code_end} feature flag and restart GitLab.'), tag_pair(tag.b, :bold_start, :bold_end), tag_pair(tag.code, :code_start, :code_end))
-  - else
-    %fieldset.gl-text-secondary
-      = safe_format(s_('AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, restart GitLab.'), tag_pair(tag.b, :bold_start, :bold_end))
+  %fieldset.gl-text-secondary
+    = safe_format(s_('AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, restart GitLab.'), tag_pair(tag.b, :bold_start, :bold_end))
 
   %fieldset
     .form-group
diff --git a/app/views/admin/application_settings/network.html.haml b/app/views/admin/application_settings/network.html.haml
index 86fbbef8dac..b951c97814f 100644
--- a/app/views/admin/application_settings/network.html.haml
+++ b/app/views/admin/application_settings/network.html.haml
@@ -72,6 +72,18 @@
   .settings-content
     = render partial: 'network_rate_limits', locals: { anchor: 'js-deprecated-limits-settings', setting_fragment: 'deprecated_api' }
 
+%section.settings.as-git-http-limits.no-animate#js-git-http-limits-settings{ class: ('expanded' if expanded_by_default?) }
+  .settings-header
+    %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
+      = _('Git HTTP rate limits')
+    = render Pajamas::ButtonComponent.new(button_options: { class: 'js-settings-toggle' }) do
+      = expanded_by_default? ? _('Collapse') : _('Expand')
+    %p.gl-text-secondary
+      = _('Configure specific limits for Git HTTP requests.')
+      = link_to _('Learn more.'), help_page_path('administration/settings/git_http_rate_limits'), target: '_blank', rel: 'noopener noreferrer'
+  .settings-content
+    = render 'git_http_limits'
+
 %section.settings.as-git-lfs-limits.no-animate#js-git-lfs-limits-settings{ class: ('expanded' if expanded_by_default?) }
   .settings-header
     %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
diff --git a/app/views/layouts/_head.html.haml b/app/views/layouts/_head.html.haml
index 728997d39c7..ea770a076f3 100644
--- a/app/views/layouts/_head.html.haml
+++ b/app/views/layouts/_head.html.haml
@@ -48,10 +48,8 @@
   = render 'layouts/loading_hints'
 
   = render_if_exists 'layouts/header/translations'
-  - if Feature.enabled?(:enable_new_sentry_integration) && Gitlab::CurrentSettings.sentry_enabled
+  - if Gitlab::CurrentSettings.sentry_enabled
     = webpack_bundle_tag 'sentry'
-  - elsif Gitlab.config.sentry.enabled
-    = webpack_bundle_tag 'legacy_sentry'
   = webpack_bundle_tag 'performance_bar' if performance_bar_enabled?
 
   = yield :page_specific_javascripts
diff --git a/app/views/search/_results_status.html.haml b/app/views/search/_results_status.html.haml
index 3c42126e480..28fc99c3de5 100644
--- a/app/views/search/_results_status.html.haml
+++ b/app/views/search/_results_status.html.haml
@@ -1,30 +1,25 @@
-.section{ class: ('gl-lg-display-none' if @search_objects.to_a.empty?) }
-  .search-results-status
-    .gl-display-flex.gl-flex-direction-column
-      .gl-p-5.gl-display-flex.gl-flex-wrap
-        - unless @search_objects.to_a.empty?
-          .gl-display-flex.gl-text-left.gl-flex-grow-1.gl-flex-shrink-1.gl-white-space-nowrap.gl-flex-wrap.gl-sm-w-half
+.search-results-status.gl-sm-display-flex.gl-flex-wrap.gl-justify-content-space-between.gl-my-4{ class: ('gl-lg-display-none' if @search_objects.to_a.empty?) }
+  - unless @search_objects.to_a.empty?
+    %p.gl-text-truncate.gl-my-auto
+      - unless @search_service_presenter.without_count?
+        = search_entries_info(@search_objects, @scope, @search_term)
+      - unless @search_service_presenter.show_snippets?
+        - if @project
+          - link_to_project = link_to(@project.full_name, @project, class: 'search-wrap-f-md-down')
+          - if @scope == 'blobs'
+            = _("in")
+            .mx-md-1.gl-my-auto
+              #js-blob-ref-switcher{ data: { "project-id" => @project.id, "ref" => repository_ref(@project), "field-name": "repository_ref" } }
             %p.gl-text-truncate.gl-my-auto
-              - unless @search_service_presenter.without_count?
-                = search_entries_info(@search_objects, @scope, @search_term)
-              - unless @search_service_presenter.show_snippets?
-                - if @project
-                  - link_to_project = link_to(@project.full_name, @project, class: 'search-wrap-f-md-down')
-                  - if @scope == 'blobs'
-                    = _("in")
-                    .mx-md-1.gl-my-auto
-                      #js-blob-ref-switcher{ data: { "project-id" => @project.id, "ref" => repository_ref(@project), "field-name": "repository_ref" } }
-                    %p.gl-text-truncate.gl-my-auto
-                      = s_('SearchCodeResults|of %{link_to_project}').html_safe % { link_to_project: link_to_project }
-                  - else
-                    = _("in project %{link_to_project}").html_safe % { link_to_project: link_to_project }
-                - elsif @group
-                  - link_to_group = link_to(@group.name, @group, class: 'ml-md-1')
-                  = _("in group %{link_to_group}").html_safe % { link_to_group: link_to_group }
-        .gl-display-flex.gl-my-3.gl-flex-grow-1.gl-flex-shrink-1.gl-justify-content-end
-          = render Pajamas::ButtonComponent.new(category: 'primary', icon: 'filter', button_options: {id: 'js-open-mobile-filters', class: 'gl-lg-display-none'}) do
-            = s_('GlobalSearch|Filters')
-          - if @search_service_presenter.show_sort_dropdown? && !@search_objects.to_a.empty?
-            .gl-ml-3
-              #js-search-sort{ data: { "search-sort-options" => search_sort_options.to_json } }
-    %hr.gl-mb-5.gl-mt-0.gl-border-gray-100.gl-w-full
+              = s_('SearchCodeResults|of %{link_to_project}').html_safe % { link_to_project: link_to_project }
+          - else
+            = _("in project %{link_to_project}").html_safe % { link_to_project: link_to_project }
+        - elsif @group
+          - link_to_group = link_to(@group.name, @group, class: 'ml-md-1')
+          = _("in group %{link_to_group}").html_safe % { link_to_group: link_to_group }
+  .gl-display-flex
+    = render Pajamas::ButtonComponent.new(category: 'primary', icon: 'filter', button_options: {id: 'js-open-mobile-filters', class: 'gl-lg-display-none'}) do
+      = s_('GlobalSearch|Filters')
+    - if @search_service_presenter.show_sort_dropdown? && !@search_objects.to_a.empty?
+      .gl-ml-3
+        #js-search-sort{ data: { "search-sort-options" => search_sort_options.to_json } }
diff --git a/app/views/search/results/_issuable.html.haml b/app/views/search/results/_issuable.html.haml
index 75530b616bf..52da4ca254a 100644
--- a/app/views/search/results/_issuable.html.haml
+++ b/app/views/search/results/_issuable.html.haml
@@ -1,4 +1,4 @@
-%div{ class: 'search-result-row gl-display-flex gl-sm-flex-direction-row gl-flex-direction-column gl-align-items-center gl-pb-5! gl-mt-5 gl-mb-0!' }
+.search-result-row.row.gl-display-flex.gl-sm-flex-direction-row.gl-flex-direction-column.gl-align-items-center.gl-mt-5{ class: 'gl-pb-5! gl-mb-0!' }
   .col-sm-9
     %span.gl-display-flex.gl-align-items-center
       = gl_badge_tag issuable_state_text(issuable), variant: issuable_state_to_badge_class(issuable), size: :sm
diff --git a/app/views/shared/_choose_avatar_button.html.haml b/app/views/shared/_choose_avatar_button.html.haml
index 30a6a31cdd4..3fbc4d30744 100644
--- a/app/views/shared/_choose_avatar_button.html.haml
+++ b/app/views/shared/_choose_avatar_button.html.haml
@@ -1 +1 @@
-= render 'shared/file_picker_button', f: f, field: :avatar, help_text: s_("Profiles|The ideal image size is 192 x 192 pixels.") + " " + s_("Profiles|The maximum file size allowed is 200KB.")
+= render 'shared/file_picker_button', f: f, field: :avatar, help_text: s_("Profiles|The ideal image size is 192 x 192 pixels.") + " " + s_("Profiles|The maximum file size allowed is 200 KiB.")
diff --git a/app/views/user_settings/profiles/show.html.haml b/app/views/user_settings/profiles/show.html.haml
index 39b0084cbeb..66977d814b9 100644
--- a/app/views/user_settings/profiles/show.html.haml
+++ b/app/views/user_settings/profiles/show.html.haml
@@ -38,7 +38,7 @@
         = f.file_field :avatar, class: 'js-user-avatar-input hidden', accept: 'image/*'
       .gl-text-gray-500
         = s_("Profiles|The ideal image size is 192 x 192 pixels.")
-        = s_("Profiles|The maximum file size allowed is 200KB.")
+        = s_("Profiles|The maximum file size allowed is 200 KiB.")
       - if @user.avatar?
         = render Pajamas::ButtonComponent.new(variant: :danger,
           category: :secondary,
diff --git a/config/feature_flags/development/enable_new_sentry_integration.yml b/config/feature_flags/development/enable_new_sentry_integration.yml
deleted file mode 100644
index 00665f80ed6..00000000000
--- a/config/feature_flags/development/enable_new_sentry_integration.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: enable_new_sentry_integration
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72428
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/344832
-milestone: '14.9'
-type: development
-group: group::pipeline execution
-default_enabled: false
diff --git a/config/feature_flags/development/enable_old_sentry_integration.yml b/config/feature_flags/development/enable_old_sentry_integration.yml
deleted file mode 100644
index 4911dbfdc78..00000000000
--- a/config/feature_flags/development/enable_old_sentry_integration.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: enable_old_sentry_integration
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72428
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/344832
-milestone: '14.9'
-type: development
-group: group::pipeline execution
-default_enabled: true
diff --git a/config/feature_flags/gitlab_com_derisk/native_header_anchors.yml b/config/feature_flags/gitlab_com_derisk/native_header_anchors.yml
new file mode 100644
index 00000000000..24f36fcd99f
--- /dev/null
+++ b/config/feature_flags/gitlab_com_derisk/native_header_anchors.yml
@@ -0,0 +1,9 @@
+---
+name: native_header_anchors
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/440733
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144690
+rollout_issue_url:
+milestone: '17.0'
+group: group::project management
+type: gitlab_com_derisk
+default_enabled: false
diff --git a/config/gitlab_loose_foreign_keys.yml b/config/gitlab_loose_foreign_keys.yml
index 56a233425e5..b29b31cb20e 100644
--- a/config/gitlab_loose_foreign_keys.yml
+++ b/config/gitlab_loose_foreign_keys.yml
@@ -245,6 +245,16 @@ merge_request_metrics:
   - table: ci_pipelines
     column: pipeline_id
     on_delete: async_nullify
+merge_request_requested_changes:
+  - table: merge_requests
+    column: merge_request_id
+    on_delete: async_delete
+  - table: projects
+    column: project_id
+    on_delete: async_delete
+  - table: users
+    column: user_id
+    on_delete: async_delete
 merge_requests:
   - table: ci_pipelines
     column: head_pipeline_id
diff --git a/config/webpack.config.js b/config/webpack.config.js
index ca5506a1e39..f6cd978f300 100644
--- a/config/webpack.config.js
+++ b/config/webpack.config.js
@@ -261,7 +261,6 @@ module.exports = {
      */
     return {
       default: defaultEntries,
-      legacy_sentry: './sentry/legacy_index.js',
       sentry: './sentry/index.js',
       performance_bar: './performance_bar/index.js',
       jira_connect_app: './jira_connect/subscriptions/index.js',
diff --git a/data/deprecations/14-8-graphql-runner-active.yml b/data/deprecations/14-8-graphql-runner-active.yml
new file mode 100644
index 00000000000..296ed3b6ddf
--- /dev/null
+++ b/data/deprecations/14-8-graphql-runner-active.yml
@@ -0,0 +1,40 @@
+- title: 'Runner `active` GraphQL fields replaced by `paused`'
+  # The milestones for the deprecation announcement, and the removal.
+  removal_milestone: '18.0'
+  announcement_milestone: '14.8'
+  # Change breaking_change to false if needed.
+  breaking_change: true
+  # The stage and GitLab username of the person reporting the change,
+  # and a link to the deprecation issue
+  reporter: pedropombeiro
+  stage: Verify
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/351109
+  impact: low
+  scope: # Can be one or a combination of: [instance, group, project]
+  resolution_role: Developer
+  manual_task: true
+  body: | # (required) Don't change this line.
+    Occurrences of the `active` identifier in the GitLab GraphQL API endpoints will be renamed to `paused` in GitLab 18.0:
+
+    - The `CiRunner` property.
+    - The `RunnerUpdateInput` input type for the `runnerUpdate` mutation.
+    - The `runners`, `Group.runners`, and `Project.runners` queries.
+
+  # ==============================
+  # OPTIONAL END-OF-SUPPORT FIELDS
+  # ==============================
+  #
+  # If an End of Support period applies:
+  # 1) Share this announcement in the `#spt_managers` Support channel in Slack
+  # 2) Mention `@gitlab-com/support` in this merge request.
+  #
+  # When support for this feature ends, in XX.YY milestone format.
+  end_of_support_milestone:
+  # Array of tiers the feature is currently available to,
+  # like [Free, Silver, Gold, Core, Premium, Ultimate]
+  tiers:
+  # Links to documentation and thumbnail image
+  documentation_url: https://docs.gitlab.com/ee/api/graphql/reference/index.html#cirunner
+  image_url:
+  # Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg
+  video_url:
diff --git a/data/whats_new/202404160001_16_11.yml b/data/whats_new/202404160001_16_11.yml
index ff9361acdd7..69129bcf6fd 100644
--- a/data/whats_new/202404160001_16_11.yml
+++ b/data/whats_new/202404160001_16_11.yml
@@ -10,7 +10,7 @@
   stage: ai-powered
   self-managed: true
   gitlab-com: true
-  available_in: [Free, Premium, Ultimate]
+  available_in: [Premium, Ultimate]
   documentation_link: https://docs.gitlab.com/ee/user/gitlab_duo_chat.html
   image_url: https://img.youtube.com/vi/ZQBAuf-CTAY/hqdefault.jpg
   published_at: 2024-04-18
@@ -52,7 +52,7 @@
   stage: govern
   self-managed: true
   gitlab-com: true
-  available_in: [Free, Premium, Ultimate]
+  available_in: [Premium, Ultimate]
   documentation_link: https://docs.gitlab.com/ee/editor_extensions/jetbrains_ide/index.html
   image_url: https://about.gitlab.com/images/16_11/create-duo-chat-in-jetbrains.png
   published_at: 2024-04-18
diff --git a/db/docs/batched_background_migrations/backfill_workspace_variables_project_id.yml b/db/docs/batched_background_migrations/backfill_workspace_variables_project_id.yml
new file mode 100644
index 00000000000..8aacc82b2fa
--- /dev/null
+++ b/db/docs/batched_background_migrations/backfill_workspace_variables_project_id.yml
@@ -0,0 +1,9 @@
+---
+migration_job_name: BackfillWorkspaceVariablesProjectId
+description: Backfills sharding key `workspace_variables.project_id` from `workspaces`.
+feature_category: remote_development
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150074
+milestone: '17.0'
+queued_migration_version: 20240419035360
+finalize_after: '2024-05-22'
+finalized_by: # version of the migration that finalized this BBM
diff --git a/db/docs/merge_request_requested_changes.yml b/db/docs/merge_request_requested_changes.yml
new file mode 100644
index 00000000000..fe49f404a4e
--- /dev/null
+++ b/db/docs/merge_request_requested_changes.yml
@@ -0,0 +1,12 @@
+---
+table_name: merge_request_requested_changes
+classes:
+- MergeRequests::RequestedChange
+feature_categories:
+- code_review_workflow
+description: Blocker for changes requested on a merge request
+introduced_by_url: 
+milestone: '17.0'
+gitlab_schema: gitlab_main_cell
+sharding_key:
+  project_id: projects
\ No newline at end of file
diff --git a/db/docs/workspace_variables.yml b/db/docs/workspace_variables.yml
index f92750f84c1..f8f0369e75f 100644
--- a/db/docs/workspace_variables.yml
+++ b/db/docs/workspace_variables.yml
@@ -23,3 +23,4 @@ desired_sharding_key:
         table: workspaces
         sharding_key: project_id
         belongs_to: workspace
+desired_sharding_key_migration_job_name: BackfillWorkspaceVariablesProjectId
diff --git a/db/migrate/20240405090000_add_throttle_unauthenticated_git_http_to_application_settings.rb b/db/migrate/20240405090000_add_throttle_unauthenticated_git_http_to_application_settings.rb
new file mode 100644
index 00000000000..1881b8d630b
--- /dev/null
+++ b/db/migrate/20240405090000_add_throttle_unauthenticated_git_http_to_application_settings.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+class AddThrottleUnauthenticatedGitHttpToApplicationSettings < Gitlab::Database::Migration[2.2]
+  milestone '17.0'
+
+  disable_ddl_transaction!
+
+  def up
+    add_column :application_settings, :rate_limits_unauthenticated_git_http, :jsonb, default: {}, null: false,
+      if_not_exists: true
+
+    add_check_constraint(
+      :application_settings,
+      "(jsonb_typeof(rate_limits_unauthenticated_git_http) = 'object')",
+      'check_application_settings_rate_limits_unauth_git_http_is_hash'
+    )
+  end
+
+  def down
+    remove_column :application_settings, :rate_limits_unauthenticated_git_http, it_exists: true
+  end
+end
diff --git a/db/migrate/20240405090010_update_throttle_unauthenticated_git_http_in_application_settings.rb b/db/migrate/20240405090010_update_throttle_unauthenticated_git_http_in_application_settings.rb
new file mode 100644
index 00000000000..d4458912262
--- /dev/null
+++ b/db/migrate/20240405090010_update_throttle_unauthenticated_git_http_in_application_settings.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+class UpdateThrottleUnauthenticatedGitHttpInApplicationSettings < Gitlab::Database::Migration[2.2]
+  restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+  milestone '17.0'
+
+  disable_ddl_transaction!
+
+  def up
+    execute <<~SQL
+      UPDATE application_settings
+      SET rate_limits_unauthenticated_git_http = jsonb_build_object(
+        'throttle_unauthenticated_git_http_enabled', throttle_unauthenticated_enabled,
+        'throttle_unauthenticated_git_http_requests_per_period', throttle_unauthenticated_requests_per_period,
+        'throttle_unauthenticated_git_http_period_in_seconds', throttle_unauthenticated_period_in_seconds
+      );
+    SQL
+  end
+
+  def down
+    execute "UPDATE application_settings SET rate_limits_unauthenticated_git_http = CAST('{}' AS jsonb)"
+  end
+end
diff --git a/db/migrate/20240415184907_add_trusted_extern_uid_to_identities.rb b/db/migrate/20240415184907_add_trusted_extern_uid_to_identities.rb
new file mode 100644
index 00000000000..a2759fd4d82
--- /dev/null
+++ b/db/migrate/20240415184907_add_trusted_extern_uid_to_identities.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class AddTrustedExternUidToIdentities < Gitlab::Database::Migration[2.2]
+  milestone '17.0'
+
+  enable_lock_retries!
+
+  def change
+    add_column :identities, :trusted_extern_uid, :boolean, default: true
+  end
+end
diff --git a/db/migrate/20240415190848_index_identities_on_provider.rb b/db/migrate/20240415190848_index_identities_on_provider.rb
new file mode 100644
index 00000000000..60553840c17
--- /dev/null
+++ b/db/migrate/20240415190848_index_identities_on_provider.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class IndexIdentitiesOnProvider < Gitlab::Database::Migration[2.2]
+  milestone '17.0'
+
+  disable_ddl_transaction!
+
+  INDEX_NAME = 'index_identities_on_provider'
+
+  def up
+    add_concurrent_index :identities, :provider, name: INDEX_NAME
+  end
+
+  def down
+    remove_concurrent_index_by_name :identities, name: INDEX_NAME
+  end
+end
diff --git a/db/migrate/20240419035356_add_project_id_to_workspace_variables.rb b/db/migrate/20240419035356_add_project_id_to_workspace_variables.rb
new file mode 100644
index 00000000000..7616169c0d2
--- /dev/null
+++ b/db/migrate/20240419035356_add_project_id_to_workspace_variables.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddProjectIdToWorkspaceVariables < Gitlab::Database::Migration[2.2]
+  milestone '17.0'
+
+  def change
+    add_column :workspace_variables, :project_id, :bigint
+  end
+end
diff --git a/db/migrate/20240419035357_index_workspace_variables_on_project_id.rb b/db/migrate/20240419035357_index_workspace_variables_on_project_id.rb
new file mode 100644
index 00000000000..66a236b4b34
--- /dev/null
+++ b/db/migrate/20240419035357_index_workspace_variables_on_project_id.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class IndexWorkspaceVariablesOnProjectId < Gitlab::Database::Migration[2.2]
+  milestone '17.0'
+  disable_ddl_transaction!
+
+  INDEX_NAME = 'index_workspace_variables_on_project_id'
+
+  def up
+    add_concurrent_index :workspace_variables, :project_id, name: INDEX_NAME
+  end
+
+  def down
+    remove_concurrent_index_by_name :workspace_variables, INDEX_NAME
+  end
+end
diff --git a/db/migrate/20240419035358_add_workspace_variables_project_id_fk.rb b/db/migrate/20240419035358_add_workspace_variables_project_id_fk.rb
new file mode 100644
index 00000000000..9229fd1f7c6
--- /dev/null
+++ b/db/migrate/20240419035358_add_workspace_variables_project_id_fk.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class AddWorkspaceVariablesProjectIdFk < Gitlab::Database::Migration[2.2]
+  milestone '17.0'
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_foreign_key :workspace_variables, :projects, column: :project_id, on_delete: :cascade
+  end
+
+  def down
+    with_lock_retries do
+      remove_foreign_key :workspace_variables, column: :project_id
+    end
+  end
+end
diff --git a/db/migrate/20240419085004_create_merge_request_requested_changes.rb b/db/migrate/20240419085004_create_merge_request_requested_changes.rb
new file mode 100644
index 00000000000..e32fd425aae
--- /dev/null
+++ b/db/migrate/20240419085004_create_merge_request_requested_changes.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class CreateMergeRequestRequestedChanges < Gitlab::Database::Migration[2.2]
+  milestone '17.0'
+
+  def change
+    create_table :merge_request_requested_changes do |t|
+      t.bigint :project_id, null: false
+      t.bigint :user_id, null: false
+      t.bigint :merge_request_id, null: false
+
+      t.timestamps_with_timezone null: false
+
+      t.index :project_id
+      t.index :user_id
+      t.index :merge_request_id
+    end
+  end
+end
diff --git a/db/post_migrate/20240419035359_add_workspace_variables_project_id_trigger.rb b/db/post_migrate/20240419035359_add_workspace_variables_project_id_trigger.rb
new file mode 100644
index 00000000000..7702bf1d9e8
--- /dev/null
+++ b/db/post_migrate/20240419035359_add_workspace_variables_project_id_trigger.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class AddWorkspaceVariablesProjectIdTrigger < Gitlab::Database::Migration[2.2]
+  milestone '17.0'
+
+  def up
+    install_sharding_key_assignment_trigger(
+      table: :workspace_variables,
+      sharding_key: :project_id,
+      parent_table: :workspaces,
+      parent_sharding_key: :project_id,
+      foreign_key: :workspace_id
+    )
+  end
+
+  def down
+    remove_sharding_key_assignment_trigger(
+      table: :workspace_variables,
+      sharding_key: :project_id,
+      parent_table: :workspaces,
+      parent_sharding_key: :project_id,
+      foreign_key: :workspace_id
+    )
+  end
+end
diff --git a/db/post_migrate/20240419035360_queue_backfill_workspace_variables_project_id.rb b/db/post_migrate/20240419035360_queue_backfill_workspace_variables_project_id.rb
new file mode 100644
index 00000000000..b735a769eab
--- /dev/null
+++ b/db/post_migrate/20240419035360_queue_backfill_workspace_variables_project_id.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+class QueueBackfillWorkspaceVariablesProjectId < Gitlab::Database::Migration[2.2]
+  milestone '17.0'
+  restrict_gitlab_migration gitlab_schema: :gitlab_main_cell
+
+  MIGRATION = "BackfillWorkspaceVariablesProjectId"
+  DELAY_INTERVAL = 2.minutes
+  BATCH_SIZE = 1000
+  SUB_BATCH_SIZE = 100
+
+  def up
+    queue_batched_background_migration(
+      MIGRATION,
+      :workspace_variables,
+      :id,
+      :project_id,
+      :workspaces,
+      :project_id,
+      :workspace_id,
+      job_interval: DELAY_INTERVAL,
+      batch_size: BATCH_SIZE,
+      sub_batch_size: SUB_BATCH_SIZE
+    )
+  end
+
+  def down
+    delete_batched_background_migration(
+      MIGRATION,
+      :workspace_variables,
+      :id,
+      [
+        :project_id,
+        :workspaces,
+        :project_id,
+        :workspace_id
+      ]
+    )
+  end
+end
diff --git a/db/post_migrate/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities.rb b/db/post_migrate/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities.rb
new file mode 100644
index 00000000000..9be3f89235c
--- /dev/null
+++ b/db/post_migrate/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class SetTrustedExternUidToFalseForExistingBitbucketIdentities < Gitlab::Database::Migration[2.2]
+  restrict_gitlab_migration gitlab_schema: :gitlab_main_clusterwide
+
+  milestone '17.0'
+
+  disable_ddl_transaction!
+
+  BATCH_SIZE = 1000
+
+  def up
+    define_batchable_model('identities').where(provider: 'bitbucket').each_batch(of: BATCH_SIZE) do |batch|
+      batch.update_all(trusted_extern_uid: false)
+    end
+  end
+end
diff --git a/db/schema_migrations/20240405090000 b/db/schema_migrations/20240405090000
new file mode 100644
index 00000000000..42e1ac97298
--- /dev/null
+++ b/db/schema_migrations/20240405090000
@@ -0,0 +1 @@
+1f79208f10eac682970b91dd12159c9c7446fab637409d2f62dc91231af1dd13
\ No newline at end of file
diff --git a/db/schema_migrations/20240405090010 b/db/schema_migrations/20240405090010
new file mode 100644
index 00000000000..3b93267c8f9
--- /dev/null
+++ b/db/schema_migrations/20240405090010
@@ -0,0 +1 @@
+c84be5380fb2c1e90aabd987b8a7c020ec17405a8d0b97f0ca44e4ea724b7c6d
\ No newline at end of file
diff --git a/db/schema_migrations/20240415184907 b/db/schema_migrations/20240415184907
new file mode 100644
index 00000000000..bb000eeb996
--- /dev/null
+++ b/db/schema_migrations/20240415184907
@@ -0,0 +1 @@
+66b22a6c730d44535b321e0dd626c1b47fa3206ff811acd16007e9587a4c5d65
\ No newline at end of file
diff --git a/db/schema_migrations/20240415190848 b/db/schema_migrations/20240415190848
new file mode 100644
index 00000000000..d7c525ca496
--- /dev/null
+++ b/db/schema_migrations/20240415190848
@@ -0,0 +1 @@
+8e74960909f458e3500f3857a4154b4b930dc21d4f5c1d7916f321f197220ba6
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035356 b/db/schema_migrations/20240419035356
new file mode 100644
index 00000000000..55a4f207a17
--- /dev/null
+++ b/db/schema_migrations/20240419035356
@@ -0,0 +1 @@
+a1f5f62a9782df2887fea2f8f1bccca6759e9da59d9a2778d6e7d09fc998d690
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035357 b/db/schema_migrations/20240419035357
new file mode 100644
index 00000000000..9c33231778a
--- /dev/null
+++ b/db/schema_migrations/20240419035357
@@ -0,0 +1 @@
+ae763de6e4f8d746dce6d4c5d1aa68b1e756bbd0488d2ad705c016ecc7c04fcd
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035358 b/db/schema_migrations/20240419035358
new file mode 100644
index 00000000000..f79680cb39c
--- /dev/null
+++ b/db/schema_migrations/20240419035358
@@ -0,0 +1 @@
+1867e85e95b2def01e9fc4ef4209e64f7afd5e71a1378a0024dadc3715cc07aa
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035359 b/db/schema_migrations/20240419035359
new file mode 100644
index 00000000000..7c45f82c416
--- /dev/null
+++ b/db/schema_migrations/20240419035359
@@ -0,0 +1 @@
+0ed31058286c68932a683e6072002fd5fe6a4d785c113db22028262aafc47c86
\ No newline at end of file
diff --git a/db/schema_migrations/20240419035360 b/db/schema_migrations/20240419035360
new file mode 100644
index 00000000000..a8912146466
--- /dev/null
+++ b/db/schema_migrations/20240419035360
@@ -0,0 +1 @@
+6f571972797eee34572944fb18ecf389d97c5880838b9c3c0ccf7ebbe5937f1d
\ No newline at end of file
diff --git a/db/schema_migrations/20240419085004 b/db/schema_migrations/20240419085004
new file mode 100644
index 00000000000..4b65832cf5d
--- /dev/null
+++ b/db/schema_migrations/20240419085004
@@ -0,0 +1 @@
+a845ee1d6e023d976f526e76d2d690ec2a168d8975eda3edb5a1e9932d26c16c
\ No newline at end of file
diff --git a/db/schema_migrations/20240419140530 b/db/schema_migrations/20240419140530
new file mode 100644
index 00000000000..37f6a20d23c
--- /dev/null
+++ b/db/schema_migrations/20240419140530
@@ -0,0 +1 @@
+cab7740141a0b515fbaf0c6e38c3d2aea4ac5ff765a2978ccd89f4274d44c1d1
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index be87a452f0d..904f9229def 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -695,6 +695,22 @@ BEGIN
 END;
 $$;
 
+CREATE FUNCTION trigger_56d49f4ed623() RETURNS trigger
+    LANGUAGE plpgsql
+    AS $$
+BEGIN
+IF NEW."project_id" IS NULL THEN
+  SELECT "project_id"
+  INTO NEW."project_id"
+  FROM "workspaces"
+  WHERE "workspaces"."id" = NEW."workspace_id";
+END IF;
+
+RETURN NEW;
+
+END
+$$;
+
 CREATE FUNCTION trigger_94514aeadc50() RETURNS trigger
     LANGUAGE plpgsql
     AS $$
@@ -4319,6 +4335,7 @@ CREATE TABLE application_settings (
     include_optional_metrics_in_service_ping boolean DEFAULT true NOT NULL,
     zoekt_settings jsonb DEFAULT '{}'::jsonb NOT NULL,
     service_ping_settings jsonb DEFAULT '{}'::jsonb NOT NULL,
+    rate_limits_unauthenticated_git_http jsonb DEFAULT '{}'::jsonb NOT NULL,
     CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
     CONSTRAINT app_settings_container_registry_pre_import_tags_rate_positive CHECK ((container_registry_pre_import_tags_rate >= (0)::numeric)),
     CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)),
@@ -4371,6 +4388,7 @@ CREATE TABLE application_settings (
     CONSTRAINT check_app_settings_sentry_clientside_traces_sample_rate_range CHECK (((sentry_clientside_traces_sample_rate >= (0)::double precision) AND (sentry_clientside_traces_sample_rate <= (1)::double precision))),
     CONSTRAINT check_application_settings_clickhouse_is_hash CHECK ((jsonb_typeof(clickhouse) = 'object'::text)),
     CONSTRAINT check_application_settings_rate_limits_is_hash CHECK ((jsonb_typeof(rate_limits) = 'object'::text)),
+    CONSTRAINT check_application_settings_rate_limits_unauth_git_http_is_hash CHECK ((jsonb_typeof(rate_limits_unauthenticated_git_http) = 'object'::text)),
     CONSTRAINT check_application_settings_service_ping_settings_is_hash CHECK ((jsonb_typeof(service_ping_settings) = 'object'::text)),
     CONSTRAINT check_b8c74ea5b3 CHECK ((char_length(deactivation_email_additional_text) <= 1000)),
     CONSTRAINT check_cdfbd99405 CHECK ((char_length(security_txt_content) <= 2048)),
@@ -9764,7 +9782,8 @@ CREATE TABLE identities (
     created_at timestamp without time zone,
     updated_at timestamp without time zone,
     secondary_extern_uid character varying,
-    saml_provider_id integer
+    saml_provider_id integer,
+    trusted_extern_uid boolean DEFAULT true
 );
 
 CREATE SEQUENCE identities_id_seq
@@ -11250,6 +11269,24 @@ CREATE SEQUENCE merge_request_predictions_merge_request_id_seq
 
 ALTER SEQUENCE merge_request_predictions_merge_request_id_seq OWNED BY merge_request_predictions.merge_request_id;
 
+CREATE TABLE merge_request_requested_changes (
+    id bigint NOT NULL,
+    project_id bigint NOT NULL,
+    user_id bigint NOT NULL,
+    merge_request_id bigint NOT NULL,
+    created_at timestamp with time zone NOT NULL,
+    updated_at timestamp with time zone NOT NULL
+);
+
+CREATE SEQUENCE merge_request_requested_changes_id_seq
+    START WITH 1
+    INCREMENT BY 1
+    NO MINVALUE
+    NO MAXVALUE
+    CACHE 1;
+
+ALTER SEQUENCE merge_request_requested_changes_id_seq OWNED BY merge_request_requested_changes.id;
+
 CREATE TABLE merge_request_review_llm_summaries (
     id bigint NOT NULL,
     user_id bigint,
@@ -18123,6 +18160,7 @@ CREATE TABLE workspace_variables (
     key text NOT NULL,
     encrypted_value bytea NOT NULL,
     encrypted_value_iv bytea NOT NULL,
+    project_id bigint,
     CONSTRAINT check_5545042100 CHECK ((char_length(key) <= 255))
 );
 
@@ -19403,6 +19441,8 @@ ALTER TABLE ONLY merge_request_metrics ALTER COLUMN id SET DEFAULT nextval('merg
 
 ALTER TABLE ONLY merge_request_predictions ALTER COLUMN merge_request_id SET DEFAULT nextval('merge_request_predictions_merge_request_id_seq'::regclass);
 
+ALTER TABLE ONLY merge_request_requested_changes ALTER COLUMN id SET DEFAULT nextval('merge_request_requested_changes_id_seq'::regclass);
+
 ALTER TABLE ONLY merge_request_review_llm_summaries ALTER COLUMN id SET DEFAULT nextval('merge_request_review_llm_summaries_id_seq'::regclass);
 
 ALTER TABLE ONLY merge_request_reviewers ALTER COLUMN id SET DEFAULT nextval('merge_request_reviewers_id_seq'::regclass);
@@ -21650,6 +21690,9 @@ ALTER TABLE ONLY merge_request_metrics
 ALTER TABLE ONLY merge_request_predictions
     ADD CONSTRAINT merge_request_predictions_pkey PRIMARY KEY (merge_request_id);
 
+ALTER TABLE ONLY merge_request_requested_changes
+    ADD CONSTRAINT merge_request_requested_changes_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY merge_request_review_llm_summaries
     ADD CONSTRAINT merge_request_review_llm_summaries_pkey PRIMARY KEY (id);
 
@@ -25656,6 +25699,8 @@ CREATE INDEX index_historical_data_on_recorded_at ON historical_data USING btree
 
 CREATE UNIQUE INDEX index_http_integrations_on_project_and_endpoint ON alert_management_http_integrations USING btree (project_id, endpoint_identifier);
 
+CREATE INDEX index_identities_on_provider ON identities USING btree (provider);
+
 CREATE INDEX index_identities_on_saml_provider_id ON identities USING btree (saml_provider_id) WHERE (saml_provider_id IS NOT NULL);
 
 CREATE INDEX index_identities_on_user_id ON identities USING btree (user_id);
@@ -26068,6 +26113,12 @@ CREATE INDEX index_merge_request_metrics_on_merged_at ON merge_request_metrics U
 
 CREATE INDEX index_merge_request_metrics_on_pipeline_id ON merge_request_metrics USING btree (pipeline_id);
 
+CREATE INDEX index_merge_request_requested_changes_on_merge_request_id ON merge_request_requested_changes USING btree (merge_request_id);
+
+CREATE INDEX index_merge_request_requested_changes_on_project_id ON merge_request_requested_changes USING btree (project_id);
+
+CREATE INDEX index_merge_request_requested_changes_on_user_id ON merge_request_requested_changes USING btree (user_id);
+
 CREATE INDEX index_merge_request_review_llm_summaries_on_mr_diff_id ON merge_request_review_llm_summaries USING btree (merge_request_diff_id);
 
 CREATE INDEX index_merge_request_review_llm_summaries_on_review_id ON merge_request_review_llm_summaries USING btree (review_id);
@@ -27838,6 +27889,8 @@ CREATE UNIQUE INDEX index_work_item_widget_definitions_on_namespace_type_and_nam
 
 CREATE INDEX index_work_item_widget_definitions_on_work_item_type_id ON work_item_widget_definitions USING btree (work_item_type_id);
 
+CREATE INDEX index_workspace_variables_on_project_id ON workspace_variables USING btree (project_id);
+
 CREATE INDEX index_workspace_variables_on_workspace_id ON workspace_variables USING btree (workspace_id);
 
 CREATE INDEX index_workspaces_on_cluster_agent_id ON workspaces USING btree (cluster_agent_id);
@@ -29722,6 +29775,8 @@ CREATE TRIGGER trigger_3857ca5ea4af BEFORE INSERT OR UPDATE ON merge_trains FOR
 
 CREATE TRIGGER trigger_388e93f88fdd BEFORE INSERT OR UPDATE ON packages_build_infos FOR EACH ROW EXECUTE FUNCTION trigger_388e93f88fdd();
 
+CREATE TRIGGER trigger_56d49f4ed623 BEFORE INSERT OR UPDATE ON workspace_variables FOR EACH ROW EXECUTE FUNCTION trigger_56d49f4ed623();
+
 CREATE TRIGGER trigger_94514aeadc50 BEFORE INSERT OR UPDATE ON deployment_approvals FOR EACH ROW EXECUTE FUNCTION trigger_94514aeadc50();
 
 CREATE TRIGGER trigger_b2d852e1e2cb BEFORE INSERT OR UPDATE ON ci_pipelines FOR EACH ROW EXECUTE FUNCTION trigger_b2d852e1e2cb();
@@ -30091,6 +30146,9 @@ ALTER TABLE ONLY todos
 ALTER TABLE ONLY releases
     ADD CONSTRAINT fk_47fe2a0596 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
 
+ALTER TABLE ONLY workspace_variables
+    ADD CONSTRAINT fk_494e093520 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
+
 ALTER TABLE ONLY geo_event_log
     ADD CONSTRAINT fk_4a99ebfd60 FOREIGN KEY (repositories_changed_event_id) REFERENCES geo_repositories_changed_events(id) ON DELETE CASCADE;
 
diff --git a/doc/administration/job_artifacts.md b/doc/administration/job_artifacts.md
index 17a1a87df5e..ada4dcdb31c 100644
--- a/doc/administration/job_artifacts.md
+++ b/doc/administration/job_artifacts.md
@@ -177,8 +177,7 @@ WARNING:
 In a multi-server setup you must use one of the options to
 [eliminate local disk usage for job logs](job_logs.md#prevent-local-disk-usage), or job logs could be lost.
 
-In GitLab 13.2 and later, you should use the
-[consolidated object storage settings](object_storage.md#configure-a-single-storage-connection-for-all-object-types-consolidated-form).
+You should use the [consolidated object storage settings](object_storage.md#configure-a-single-storage-connection-for-all-object-types-consolidated-form).
 
 ### Migrating to object storage
 
diff --git a/doc/administration/job_artifacts_troubleshooting.md b/doc/administration/job_artifacts_troubleshooting.md
index 17797a15702..fb66aac7a86 100644
--- a/doc/administration/job_artifacts_troubleshooting.md
+++ b/doc/administration/job_artifacts_troubleshooting.md
@@ -23,8 +23,7 @@ reasons are:
 - Artifact files might be left on disk and not deleted by housekeeping. Run the
   [Rake task for _orphaned_ artifact files](../raketasks/cleanup.md#remove-orphan-artifact-files)
   to remove these. This script should always find work to do, as it also removes empty directories (see above).
-- [Artifact housekeeping was changed significantly](#housekeeping-disabled-in-gitlab-146-to-152),
-  and you might need to enable a feature flag to use the updated system.
+- [Artifact housekeeping was changed significantly](#housekeeping-disabled-in-gitlab-150-to-152), and you might need to enable a feature flag to use the updated system.
 - The [keep latest artifacts from most recent success jobs](../ci/jobs/job_artifacts.md#keep-artifacts-from-most-recent-successful-jobs)
   feature is enabled.
 
@@ -37,15 +36,11 @@ space, and in some cases, manually delete job artifacts to reclaim disk space.
 Artifacts housekeeping is the process that identifies which artifacts are expired
 and can be deleted.
 
-#### Housekeeping disabled in GitLab 14.6 to 15.2
+#### Housekeeping disabled in GitLab 15.0 to 15.2
 
-Artifact housekeeping was disabled in GitLab 14.6. It was significantly improved
-in GitLab 14.10, and the changes were back ported to patch versions of GitLab 14.6 and later,
-introduced behind [feature flags](feature_flags.md) disabled by default. The flags were
-enabled by default [in GitLab 15.3](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92931).
+Artifact housekeeping was significantly improved in GitLab 15.0, introduced behind [feature flags](feature_flags.md) disabled by default. The flags were enabled by default [in GitLab 15.3](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92931).
 
-If artifacts housekeeping does not seem to be working in GitLab 14.6 to GitLab 15.2,
-you should check if the feature flags are enabled.
+If artifacts housekeeping does not seem to be working in GitLab 15.0 to GitLab 15.2, you should check if the feature flags are enabled.
 
 To check if the feature flags are enabled:
 
@@ -53,21 +48,11 @@ To check if the feature flags are enabled:
 
 1. Check if the feature flags are enabled.
 
-   - GitLab 14.10 and earlier:
-
-     ```ruby
-     Feature.enabled?(:ci_detect_wrongly_expired_artifacts, default_enabled: :yaml)
-     Feature.enabled?(:ci_update_unlocked_job_artifacts, default_enabled: :yaml)
-     Feature.enabled?(:ci_job_artifacts_backlog_work, default_enabled: :yaml)
-     ```
-
-   - GitLab 15.0 and later:
-
-     ```ruby
-     Feature.enabled?(:ci_detect_wrongly_expired_artifacts)
-     Feature.enabled?(:ci_update_unlocked_job_artifacts)
-     Feature.enabled?(:ci_job_artifacts_backlog_work)
-     ```
+   ```ruby
+   Feature.enabled?(:ci_detect_wrongly_expired_artifacts)
+   Feature.enabled?(:ci_update_unlocked_job_artifacts)
+   Feature.enabled?(:ci_job_artifacts_backlog_work)
+   ```
 
 1. If any of the feature flags are disabled, enable them:
 
@@ -154,23 +139,15 @@ GitLab 15.3 and later. It analyzes the artifacts returned by the above database
 determines which should be `locked` or `unlocked`. Artifacts are then deleted
 by that worker if needed.
 
-The worker can be enabled on self-managed instances running GitLab 14.10 and later:
+The worker can be enabled on self-managed instances:
 
 1. Start a [Rails console](operations/rails_console.md#starting-a-rails-console-session).
 
 1. Check if the feature is enabled.
-
-   - GitLab 14.10:
-
-     ```ruby
-     Feature.enabled?(:ci_job_artifacts_backlog_work, default_enabled: :yaml)
-     ```
-
-   - GitLab 15.0 and later:
-
-     ```ruby
-     Feature.enabled?(:ci_job_artifacts_backlog_work)
-     ```
+   
+   ```ruby
+   Feature.enabled?(:ci_job_artifacts_backlog_work)
+   ```
 
 1. Enable the feature, if needed:
 
@@ -429,8 +406,6 @@ For more information, [see the investigation details](https://gitlab.com/gitlab-
 
 ## Usage quota shows incorrect artifact storage usage
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/238536) in GitLab 14.10.
-
 Sometimes the [artifacts storage usage](../user/usage_quotas.md) displays an incorrect
 value for the total storage space used by artifacts. To recalculate the artifact
 usage statistics for all projects in the instance, you can run this background script:
diff --git a/doc/administration/pages/index.md b/doc/administration/pages/index.md
index 2e6915f2409..3d499c78789 100644
--- a/doc/administration/pages/index.md
+++ b/doc/administration/pages/index.md
@@ -119,28 +119,25 @@ If you need support for namespace in the URL path to remove the requirement for
 
 1. Enable the GitLab Pages flag for this feature by adding
    `gitlab_pages["namespace_in_path"] = true` to `/etc/gitlab/gitlab.rb`.
-1. In your DNS provider, add entries for `example.io` and `projects.example.io`.
-   In both lines, replace `example.io` with your domain name, and `192.0.0.0` with
+1. In your DNS provider, add entries for `example.io`.
+   Replace `example.io` with your domain name, and `192.0.0.0` with
    the IPv4 version of your IP address. The entries look like this:
 
    ```plaintext
    example.io          1800 IN A    192.0.0.0
-   projects.example.io 1800 IN A    192.0.0.0
    ```
 
 1. Optional. If your GitLab instance has an IPv6 address, add entries for it.
-   In both lines, replace `example.io` with your domain name, and `2001:db8::1` with
+   Replace `example.io` with your domain name, and `2001:db8::1` with
    the IPv6 version of your IP address. The entries look like this:
 
    ```plaintext
    example.io          1800 IN AAAA 2001:db8::1
-   projects.example.io 1800 IN AAAA 2001:db8::1
    ```
 
 This example contains the following:
 
 - `example.io`: The domain GitLab Pages is served from.
-- `projects.example.io`: An additional subdomain for GitLab Pages default authentication flow.
 
 #### DNS configuration for custom domains
 
@@ -306,8 +303,7 @@ Prerequisites:
 - Your instance must use the Linux package installation method.
 - You have configured DNS setup
   [without a wildcard](#for-namespace-in-url-path-without-wildcard-dns).
-- You have a single TLS certificate that covers your domain (like `example.io`)
-  and the `projects.*` version of your domain, like `projects.example.io`.
+- You have a TLS certificate that covers your domain (like `example.io`).
 
 In this configuration, NGINX proxies all requests to the daemon. The GitLab Pages
 daemon doesn't listen to the outside world:
@@ -337,17 +333,18 @@ daemon doesn't listen to the outside world:
    pages_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/pages-nginx.key"
    ```
 
-1. [Reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation).
+1. If you're using [Pages Access Control](#access-control), update the redirect URI in the GitLab Pages
+   [System OAuth application](../../integration/oauth_provider.md#create-an-instance-wide-application)
+   to use the HTTPS protocol.
 
    WARNING:
-   GitLab Pages does not update the OAuth application if changes are made to the redirect URI.
+   GitLab Pages does not update the OAuth application, and
+   the default `auth_redirect_uri` is updated to `https://example.io/projects/auth`.
    Before you reconfigure, remove the `gitlab_pages` section from `/etc/gitlab/gitlab-secrets.json`,
    then run `gitlab-ctl reconfigure`. For more information, see
    [GitLab Pages does not regenerate OAuth](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/3947).
 
-1. If you're using [Pages Access Control](#access-control), update the redirect URI in the GitLab Pages
-   [System OAuth application](../../integration/oauth_provider.md#create-an-instance-wide-application)
-   to use the HTTPS protocol.
+1. [Reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation).
 
 NGINX uses the custom proxy header `X-Gitlab-Namespace-In-Path`
 to send the namespace to the GitLab Pages daemon.
diff --git a/doc/administration/settings/git_http_rate_limits.md b/doc/administration/settings/git_http_rate_limits.md
new file mode 100644
index 00000000000..751e41eec9b
--- /dev/null
+++ b/doc/administration/settings/git_http_rate_limits.md
@@ -0,0 +1,41 @@
+---
+stage: Create
+group: Source Code
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# Rate limits on Git HTTP
+
+DETAILS:
+**Tier:** Free, Premium, Ultimate
+**Offering:** Self-managed, GitLab Dedicated
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147112) in GitLab 17.0.
+
+If you use Git HTTP in your repository,
+common Git operations can generate many Git HTTP requests.
+Some of these Git HTTP requests do not contain authentication parameter and
+are considered unauthenticated. You can enforce rate limits on Git HTTP requests.
+This can improve the security and durability of your web application.
+[General user and IP rate limits](../settings/user_and_ip_rate_limits.md) aren't applied
+to Git HTTP requests.
+
+## Configure Git HTTP rate limits
+
+Git HTTP rate limits are disabled by default. If enabled and configured, these limits
+are applied to Git HTTP requests.
+
+To configure Git HTTP rate limits:
+
+1. On the left sidebar, at the bottom, select **Admin Area**.
+1. Select **Settings > Network**.
+1. Expand **Git HTTP rate limits**.
+1. Select **Enable unauthenticated Git HTTP request rate limit**.
+1. Enter a value for **Max unauthenticated Git HTTP requests per period per user**.
+1. Enter a value for **Unauthenticated Git HTTP rate limit period in seconds**.
+1. Select **Save changes**.
+
+## Related topics
+
+- [Rate limiting](../../security/rate_limits.md)
+- [User and IP rate limits](../settings/user_and_ip_rate_limits.md)
diff --git a/doc/administration/settings/rate_limits.md b/doc/administration/settings/rate_limits.md
index 89e64344e0c..3bcd47ebdc3 100644
--- a/doc/administration/settings/rate_limits.md
+++ b/doc/administration/settings/rate_limits.md
@@ -9,6 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 You can change network settings to limit the rate of connections with your instance.
 
 - [Deprecated API rate limits](deprecated_api_rate_limits.md)
+- [Git HTTP](git_http_rate_limits.md)
 - [Git LFS](git_lfs_rate_limits.md)
 - [Git SSH operations](rate_limits_on_git_ssh_operations.md)
 - [Incident management](incident_management_rate_limits.md)
diff --git a/doc/api/dependencies.md b/doc/api/dependencies.md
index a1f7ee97200..4d0c12de47a 100644
--- a/doc/api/dependencies.md
+++ b/doc/api/dependencies.md
@@ -15,9 +15,6 @@ This API is in an [Experiment](../policy/experiment-beta-support.md#experiment)
 The response payload may be subject to change or breakage
 across GitLab releases.
 
-> - Introduced in GitLab 12.1.
-> - Pagination introduced in 14.4.
-
 Every call to this endpoint requires authentication. To perform this call, user should be authorized to read repository.
 To see vulnerabilities in response, user should be authorized to read
 [Project Security Dashboard](../user/application_security/security_dashboard/index.md).
diff --git a/doc/api/job_artifacts.md b/doc/api/job_artifacts.md
index 10c923c0498..f75cba3008a 100644
--- a/doc/api/job_artifacts.md
+++ b/doc/api/job_artifacts.md
@@ -316,9 +316,6 @@ If the artifacts were deleted successfully, a response with status `204 No Conte
 
 ## Delete project artifacts
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/223793) in GitLab 14.7 [with a flag](../administration/feature_flags.md) named `bulk_expire_project_artifacts`. Enabled by default on GitLab self-managed. Enabled on GitLab.com.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/350609) in GitLab 14.10.
-
 Delete artifacts eligible for deletion in a project. By default, artifacts from
 [the most recent successful pipeline of each ref](../ci/jobs/job_artifacts.md#keep-artifacts-from-most-recent-successful-jobs)
 are not deleted.
diff --git a/doc/api/project_level_variables.md b/doc/api/project_level_variables.md
index 5753381bf29..4d6ae96921f 100644
--- a/doc/api/project_level_variables.md
+++ b/doc/api/project_level_variables.md
@@ -184,9 +184,6 @@ curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://git
 
 ## The `filter` parameter
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/34490) in GitLab 13.2.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/227052) in GitLab 13.4.
-
 When multiple variables have the same `key`, [GET](#get-a-single-variable), [PUT](#update-a-variable),
 or [DELETE](#delete-a-variable) requests might return:
 
diff --git a/doc/api/releases/index.md b/doc/api/releases/index.md
index b424ac8bef6..59e377e5961 100644
--- a/doc/api/releases/index.md
+++ b/doc/api/releases/index.md
@@ -416,7 +416,6 @@ GET /projects/:id/releases/:tag_name/downloads/:direct_asset_path
 |----------------------------| -------------- | -------- | ----------------------------------------------------------------------------------- |
 | `id`                       | integer/string | yes      | The ID or [URL-encoded path of the project](../rest/index.md#namespaced-path-encoding).  |
 | `tag_name`                 | string         | yes      | The Git tag the release is associated with.                                         |
-| `filepath`                 | string         | yes      | Deprecated: Use `direct_asset_path` instead.                                        |
 | `direct_asset_path`        | string         | yes      | Path to the release asset file as specified when [creating](links.md#create-a-release-link) or [updating](links.md#update-a-release-link) its link. |
 
 Example request:
@@ -476,7 +475,6 @@ POST /projects/:id/releases
 | `assets:links`     | array of hash   | no                          | An array of assets links.                                                                                                        |
 | `assets:links:name`| string          | required by: `assets:links` | The name of the link. Link names must be unique within the release.                                                              |
 | `assets:links:url` | string          | required by: `assets:links` | The URL of the link. Link URLs must be unique within the release.                                                                |
-| `assets:links:filepath` | string     | no | Deprecated: Use `direct_asset_path` instead. |
 | `assets:links:direct_asset_path` | string     | no | Optional path for a [direct asset link](../../user/project/releases/release_fields.md#permanent-links-to-release-assets). |
 | `assets:links:link_type` | string     | no | The type of the link: `other`, `runbook`, `image`, `package`. Defaults to `other`. |
 | `released_at`      | datetime        | no                          | Date and time for the release. Defaults to the current time. Expected in ISO 8601 format (`2019-03-15T08:00:00Z`). Only provide this field if creating an [upcoming](../../user/project/releases/index.md#upcoming-releases) or [historical](../../user/project/releases/index.md#historical-releases) release.  |
diff --git a/doc/api/releases/links.md b/doc/api/releases/links.md
index 3967730f25a..9fec47cfb5d 100644
--- a/doc/api/releases/links.md
+++ b/doc/api/releases/links.md
@@ -100,7 +100,6 @@ POST /projects/:id/releases/:tag_name/assets/links
 | `tag_name`           | string         | yes      | The tag associated with the Release.                                                                                      |
 | `name`               | string         | yes      | The name of the link. Link names must be unique in the release.                                                           |
 | `url`                | string         | yes      | The URL of the link. Link URLs must be unique in the release.                                                             |
-| `filepath`           | string         | no       | Deprecated: Use `direct_asset_path` instead.                                                                              |
 | `direct_asset_path`  | string         | no       | Optional path for a [direct asset link](../../user/project/releases/release_fields.md#permanent-links-to-release-assets). |
 | `link_type`          | string         | no       | The type of the link: `other`, `runbook`, `image`, `package`. Defaults to `other`.                                        |
 
@@ -142,7 +141,6 @@ PUT /projects/:id/releases/:tag_name/assets/links/:link_id
 | `link_id`            | integer        | yes      | The ID of the link. |
 | `name`               | string         | no       | The name of the link. |
 | `url`                | string         | no       | The URL of the link. |
-| `filepath`           | string         | no       | Deprecated: Use `direct_asset_path` instead. |
 | `direct_asset_path`  | string         | no       | Optional path for a [direct asset link](../../user/project/releases/release_fields.md#permanent-links-to-release-assets). |
 | `link_type`          | string         | no       | The type of the link: `other`, `runbook`, `image`, `package`. Defaults to `other`. |
 
diff --git a/doc/api/secure_files.md b/doc/api/secure_files.md
index caa3253afcd..091be69088e 100644
--- a/doc/api/secure_files.md
+++ b/doc/api/secure_files.md
@@ -10,7 +10,6 @@ DETAILS:
 **Tier:** Free, Premium, Ultimate
 **Offering:** GitLab.com, Self-managed, GitLab Dedicated
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78227) in GitLab 14.8 [with a flag](../administration/feature_flags.md) named `ci_secure_files`. Disabled by default.
 > - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/350748) in GitLab 15.7. Feature flag `ci_secure_files` removed.
 
 This feature is part of [Mobile DevOps](../ci/mobile_devops.md) developed by [GitLab Incubation Engineering](https://handbook.gitlab.com/handbook/engineering/development/incubation/).
diff --git a/doc/ci/cloud_services/index.md b/doc/ci/cloud_services/index.md
index 85afd7e488e..eb02b3d1978 100644
--- a/doc/ci/cloud_services/index.md
+++ b/doc/ci/cloud_services/index.md
@@ -10,8 +10,6 @@ DETAILS:
 **Tier:** Free, Premium, Ultimate
 **Offering:** GitLab.com, Self-managed, GitLab Dedicated
 
-> - `CI_JOB_JWT` variable for reading secrets from Vault [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/207125) in GitLab 12.10.
-> - `CI_JOB_JWT_V2` variable to support additional OIDC providers [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/346737) in GitLab 14.7.
 > - [ID tokens](../yaml/index.md#id_tokens) to support any OIDC provider, including HashiCorp Vault, [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/356986) in GitLab 15.7.
 
 WARNING:
@@ -24,8 +22,7 @@ Historically, teams stored secrets in projects or applied permissions on the Git
 instance to build and deploy. OIDC capable [ID tokens](../yaml/index.md#id_tokens) are configurable
 in the CI/CD job allowing you to follow a scalable and least-privilege security approach.
 
-In GitLab 15.6 and earlier, you must use `CI_JOB_JWT_V2` instead of an ID token,
-but it is not customizable. In GitLab 14.6 an earlier you must use the `CI_JOB_JWT`, which has limited support.
+In GitLab 15.6 and earlier, you must use `CI_JOB_JWT_V2` instead of an ID token, but it is not customizable.
 
 ## Prerequisites
 
diff --git a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
index a4ffff7c6e5..f051b9795cf 100644
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -58,9 +58,9 @@ The following fields are included in the JWT:
 | `ref_type`              | Always                       | Git ref type, either `branch` or `tag`                                                                                                                                                               |
 | `ref_path`              | Always                       | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0.                                          |
 | `ref_protected`         | Always                       | `true` if this Git ref is protected, `false` otherwise                                                                                                                                               |
-| `environment`           | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9)                                                                                   |
+| `environment`           | Job specifies an environment | Environment this job specifies                                                                                   |
 | `groups_direct`         | User is a direct member of 0 to 200 groups | The paths of the user's direct membership groups. Omitted if the user is a direct member of more than 200 groups. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/435848) in GitLab 16.11). |
-| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9)                                                  |
+| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise                                                  |
 | `deployment_tier`       | Job specifies an environment | [Deployment tier](../../environments/index.md#deployment-tier-of-environments) of environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2) |
 | `environment_action`    | Job specifies an environment | [Environment action (`environment:action`)](../../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5)                                   |
 
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md
index 46846bac132..7dea2a5e529 100644
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -187,10 +187,6 @@ proposes to change this behavior.
 
 ## Limit your project's job token access (deprecated)
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/328553) in GitLab 14.1. [Deployed behind the `:ci_scoped_job_token` feature flag](../../user/feature_flags.md), disabled by default.
-> - [Enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/332272) in GitLab 14.4.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/332272) in GitLab 14.6.
-
 NOTE:
 The [**Limit access _from_ this project**](#configure-the-job-token-scope-deprecated)
 setting is disabled by default for all new projects and is [scheduled for removal](https://gitlab.com/gitlab-org/gitlab/-/issues/383084)
diff --git a/doc/ci/jobs/job_artifacts.md b/doc/ci/jobs/job_artifacts.md
index 537892bba30..f7c10d3567e 100644
--- a/doc/ci/jobs/job_artifacts.md
+++ b/doc/ci/jobs/job_artifacts.md
@@ -194,7 +194,6 @@ job:
 
 ## View all job artifacts in a project
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/31271) in GitLab 12.4 [with a flag](../../administration/feature_flags.md) named `artifacts_management_page`. Disabled by default.
 > - [Improved look](https://gitlab.com/gitlab-org/gitlab/-/issues/33418) in GitLab 15.6.
 > - [Improved performance](https://gitlab.com/gitlab-org/gitlab/-/issues/387765) in GitLab 15.9.
 > - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/407475) in GitLab 16.0. Feature flag `artifacts_management_page` removed.
@@ -362,9 +361,6 @@ With this configuration, GitLab adds **artifact 1** as a link to `file.txt` to t
 
 ## Keep artifacts from most recent successful jobs
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/16267) in GitLab 13.0.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/229936) in GitLab 13.4.
-> - [Made optional with a CI/CD setting](https://gitlab.com/gitlab-org/gitlab/-/issues/241026) in GitLab 13.8.
 > - Artifacts for [blocked](https://gitlab.com/gitlab-org/gitlab/-/issues/387087) or [failed](https://gitlab.com/gitlab-org/gitlab/-/issues/266958) pipelines no longer kept indefinitely in GitLab 16.7.
 
 By default artifacts are always kept for successful pipelines for the most recent commit on each ref.
diff --git a/doc/ci/secrets/id_token_authentication.md b/doc/ci/secrets/id_token_authentication.md
index 1e5fd29c8ec..09f92d933a8 100644
--- a/doc/ci/secrets/id_token_authentication.md
+++ b/doc/ci/secrets/id_token_authentication.md
@@ -73,8 +73,8 @@ The token also includes custom claims provided by GitLab:
 | `ref_path`              | Always                       | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0.                                                                                                                                                      |
 | `ref_protected`         | Always                       | `true` if the Git ref is protected, `false` otherwise.                                                                                                                                                                                                                                                           |
 | `groups_direct`         | User is a direct member of 0 to 200 groups | The paths of the user's direct membership groups. Omitted if the user is a direct member of more than 200 groups. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/435848) in GitLab 16.11). |
-| `environment`           | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9).                                                                                                                                                                                             |
-| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9).                                                                                                                                                              |
+| `environment`           | Job specifies an environment | Environment this job deploys to.                                                                                                                                                                                             |
+| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise.                                                                                                                                                              |
 | `deployment_tier`       | Job specifies an environment | [Deployment tier](../environments/index.md#deployment-tier-of-environments) of the environment the job specifies. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2.                                                                                                             |
 | `environment_action`    | Job specifies an environment | [Environment action (`environment:action`)](../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5)                                                                                                                                               |
 | `runner_id`             | Always                       | ID of the runner executing the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0.                                                                                                                                                                                           |
diff --git a/doc/ci/secrets/index.md b/doc/ci/secrets/index.md
index 3f35c7238d7..6342e35b1fb 100644
--- a/doc/ci/secrets/index.md
+++ b/doc/ci/secrets/index.md
@@ -10,10 +10,6 @@ DETAILS:
 **Tier:** Free, Premium, Ultimate
 **Offering:** GitLab.com, Self-managed, GitLab Dedicated
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/218746) in GitLab 13.4 and GitLab Runner 13.4.
-> - `file` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250695) in GitLab 14.1 and GitLab Runner 14.1.
-> - `VAULT_NAMESPACE` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/255619) in GitLab 14.9 and GitLab Runner 14.9.
-
 Secrets represent sensitive information your CI job needs to complete work. This
 sensitive information can be items like API tokens, database credentials, or private keys.
 Secrets are sourced from your secrets provider.
@@ -125,8 +121,6 @@ DETAILS:
 **Tier:** Premium, Ultimate
 **Offering:** GitLab.com, Self-managed, GitLab Dedicated
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/28321) in GitLab 13.4 and GitLab Runner 13.4.
-
 After [configuring your Vault server](#configure-your-vault-server), you can use
 the secrets stored in Vault by defining them with the [`vault` keyword](../yaml/index.md#secretsvault):
 
diff --git a/doc/ci/secure_files/index.md b/doc/ci/secure_files/index.md
index 833f5b5037f..763ea4570bf 100644
--- a/doc/ci/secure_files/index.md
+++ b/doc/ci/secure_files/index.md
@@ -10,7 +10,6 @@ DETAILS:
 **Tier:** Free, Premium, Ultimate
 **Offering:** GitLab.com, Self-managed, GitLab Dedicated
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78227) in GitLab 14.8 [with a flag](../../administration/feature_flags.md) named `ci_secure_files`. Disabled by default.
 > - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/350748) in GitLab 15.7. Feature flag `ci_secure_files` removed.
 
 This feature is part of [Mobile DevOps](../mobile_devops.md) developed by [GitLab Incubation Engineering](https://handbook.gitlab.com/handbook/engineering/development/incubation/).
diff --git a/doc/ci/variables/index.md b/doc/ci/variables/index.md
index 619934dc469..1e49880248f 100644
--- a/doc/ci/variables/index.md
+++ b/doc/ci/variables/index.md
@@ -201,9 +201,6 @@ DETAILS:
 **Tier:** Free, Premium, Ultimate
 **Offering:** Self-managed, GitLab Dedicated
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/14108) in GitLab 13.0.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/299879) in GitLab 13.11.
-
 You can make a CI/CD variable available to all projects and groups in a GitLab instance.
 
 Prerequisites:
@@ -216,9 +213,8 @@ To add an instance variable:
 1. Select **Settings > CI/CD** and expand the **Variables** section.
 1. Select **Add variable** and fill in the details:
    - **Key**: Must be one line, with no spaces, using only letters, numbers, or `_`.
-   - **Value**: In [GitLab 13.3 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/220028),
-     the value is limited to 10,000 characters, but also bounded by any limits in the
-     runner's operating system. In GitLab 13.0 to 13.2, the value is limited to 700 characters.
+   - **Value**: The value is limited to 10,000 characters, but also bounded by any limits in the
+     runner's operating system.
    - **Type**: `Variable` (default) or [`File`](#use-file-type-cicd-variables).
    - **Protect variable** Optional. If selected, the variable is only available
      in pipelines that run on protected branches or tags.
@@ -267,8 +263,6 @@ valid [secrets file](../../administration/backup_restore/troubleshooting_backup_
 
 ### Mask a CI/CD variable
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/330650) in GitLab 13.12, the `~` character can be used in masked variables.
-
 WARNING:
 Masking a CI/CD variable is not a guaranteed way to prevent malicious users from
 accessing variable values. The masking feature is "best-effort" and there to
@@ -473,9 +467,6 @@ variables:
 
 ### Pass an environment variable to another job
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22638) in GitLab 13.0.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/217834) in GitLab 13.1.
-
 You can create a new environment variables in a job, and pass it to another job
 in a later stage. These variables cannot be used as CI/CD variables to configure a pipeline,
 but they can be used in job scripts.
@@ -712,8 +703,6 @@ can cause the pipeline to behave unexpectedly.
 
 ### Restrict who can override variables
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/295234) in GitLab 13.8.
-
 You can limit the ability to override variables to only users with the Maintainer role.
 When other users try to run a pipeline with overridden variables, they receive the
 `Insufficient permissions to set pipeline variables` error message.
@@ -951,9 +940,6 @@ if [[ -d "/builds/gitlab-examples/ci-debug-trace/.git" ]]; then
 
 #### Restrict access to debug logging
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213159) in GitLab 13.7.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/292661) in GitLab 13.8.
-
 You can restrict access to debug logging. When restricted, only users with
 at least the Developer role
 can view job logs when debug logging is enabled with a variable in:
diff --git a/doc/ci/variables/predefined_variables.md b/doc/ci/variables/predefined_variables.md
index f37c7897957..e282c7630e9 100644
--- a/doc/ci/variables/predefined_variables.md
+++ b/doc/ci/variables/predefined_variables.md
@@ -125,7 +125,7 @@ as it can cause the pipeline to behave unexpectedly.
 | `CI_RUNNER_EXECUTABLE_ARCH`       | Jobs only   | all    | 10.6   | The OS/architecture of the GitLab Runner executable. Might not be the same as the environment of the executor. |
 | `CI_RUNNER_ID`                    | Jobs only   | 8.10   | 0.5    | The unique ID of the runner being used. |
 | `CI_RUNNER_REVISION`              | Jobs only   | all    | 10.6   | The revision of the runner running the job. |
-| `CI_RUNNER_SHORT_TOKEN`           | Jobs only   | all    | 12.3   | The runner's unique ID, used to authenticate new job requests. In [GitLab 14.9](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2251) and later, the token contains a prefix, and the first 17 characters are used. Prior to 14.9, the first eight characters are used. |
+| `CI_RUNNER_SHORT_TOKEN`           | Jobs only   | all    | 12.3   | The runner's unique ID, used to authenticate new job requests. The token contains a prefix, and the first 17 characters are used. |
 | `CI_RUNNER_TAGS`                  | Jobs only   | 8.10   | 0.5    | A comma-separated list of the runner tags. |
 | `CI_RUNNER_VERSION`               | Jobs only   | all    | 10.6   | The version of the GitLab Runner running the job. |
 | `CI_SERVER_FQDN`                  | Pipeline    | 16.10  | all    | The fully qualified domain name (FQDN) of the instance. For example `gitlab.example.com:8080`. |
diff --git a/doc/ci/variables/where_variables_can_be_used.md b/doc/ci/variables/where_variables_can_be_used.md
index 7389d438ee5..e315def8857 100644
--- a/doc/ci/variables/where_variables_can_be_used.md
+++ b/doc/ci/variables/where_variables_can_be_used.md
@@ -50,7 +50,7 @@ There are two places defined variables can be used. On the:
 | [`script`](../yaml/index.md#script)                                   | yes              | Script execution shell | The variable expansion is made by the [execution shell environment](#execution-shell-environment). |
 | [`services:name`](../yaml/index.md#services)                          | yes              | Runner                 | The variable expansion is made by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism). |
 | [`services`](../yaml/index.md#services)                               | yes              | Runner                 | The variable expansion is made by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism). |
-| [`tags`](../yaml/index.md#tags)                                       | yes              | GitLab                 | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35742) in GitLab 14.1. |
+| [`tags`](../yaml/index.md#tags)                                       | yes              | GitLab                 | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab.  |
 | [`trigger` and `trigger:project`](../yaml/index.md#trigger)           | yes              | GitLab                 | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab. Variable expansion for `trigger:project` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/367660) in GitLab 15.3. |
 | [`variables`](../yaml/index.md#variables)                             | yes              | GitLab/Runner          | The variable expansion is first made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab, and then any unrecognized or unavailable variables are expanded by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism). |
 | [`workflow:name`](../yaml/index.md#workflowname)                      | yes              | GitLab                 | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab.<br/><br/>Supported are all variables available in `workflow`:<br/>- Project/Group variables.<br/>- Global `variables` and `workflow:rules:variables` (when matching the rule).<br/>- Variables inherited from parent pipelines.<br/>- Variables from triggers.<br/>- Variables from pipeline schedules.<br/><br/>Not supported are variables defined in the GitLab Runner `config.toml`, variables defined in jobs, or [Persisted variables](#persisted-variables). |
@@ -81,11 +81,6 @@ because the expansion is done in GitLab before any runner gets the job.
 
 #### Nested variable expansion
 
-- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/48627) in GitLab 13.10. [Deployed behind the `variable_inside_variable` feature flag](../../user/feature_flags.md), disabled by default.
-- [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/297382) in GitLab 14.3.
-- [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/297382) in GitLab 14.4.
-- Feature flag `variable_inside_variable` removed in GitLab 14.5.
-
 GitLab expands job variable values recursively before sending them to the runner. For example, in the following scenario:
 
 ```yaml
diff --git a/doc/drawers/exact_code_search_syntax.md b/doc/drawers/exact_code_search_syntax.md
index ce4a97f9f87..ff425080ee2 100644
--- a/doc/drawers/exact_code_search_syntax.md
+++ b/doc/drawers/exact_code_search_syntax.md
@@ -7,17 +7,18 @@ source: /doc/user/search/exact_code_search.md
 
 # Search tips
 
-| Query                | Description                                                                           |
-| -------------------- |-------------------------------------------------------------------------------------- |
-| `foo`                | Returns files that contain `foo`                                                      |
-| `"class foo"`        | Returns files that contain the exact string `class foo`                               |
-| `class foo`          | Returns files that contain both `class` and `foo`                                     |
-| `foo or bar`         | Returns files that contain either `foo` or `bar`                                      |
-| `class Foo`          | Returns files that contain `class` (case insensitive) and `Foo` (case sensitive)      |
-| `class Foo case:yes` | Returns files that contain `class` and `Foo` (both case sensitive)                    |
-| `foo -bar`           | Returns files that contain `foo` but not `bar`                                        |
-| `foo file:js`        | Searches for `foo` in files with names that contain `js`                              |
-| `foo -file:test`     | Searches for `foo` in files with names that do not contain `test`                     |
-| `foo lang:ruby`      | Searches for `foo` in Ruby source code                                                |
-| `foo f:\.js$`        | Searches for `foo` in files with names that end with `.js`                            |
-| `foo.*bar`           | Searches for strings that match the regular expression `foo.*bar`                     |
+| Query                | Regular expression mode                               | Exact match mode               |
+| -------------------- | ----------------------------------------------------- | ------------------------------ |
+| `"foo"`              | `foo`                                                 | `"foo"`                        |
+| `foo file:^doc/`     | `foo` in directories that start with `/doc`           | `foo` in directories that start with `/doc` |
+| `"class foo"`        | `class foo`                                           | `"class foo"`                  |
+| `class foo`          | `class` and `foo`                                     | `class foo`                    |
+| `foo or bar`         | `foo` or `bar`                                        | `foo or bar`                   |
+| `class Foo`          | `class` (case insensitive) and `Foo` (case sensitive) | `class Foo` (case insensitive) |
+| `class Foo case:yes` | `class` and `Foo` (both case sensitive)               | `class Foo` (case sensitive)   |
+| `foo -bar`           | `foo` but not `bar`                                   | `foo -bar`                     |
+| `foo file:js`        | `foo` in files with names that contain `js`           | `foo` in files with names that contain `js` |
+| `foo -file:test`     | `foo` in files with names that do not contain `test`  | `foo` in files with names that do not contain `test` |
+| `foo lang:ruby`      | `foo` in Ruby source code                             | `foo` in Ruby source code      |
+| `foo file:\.js$`     | `foo` in files with names that end with `.js`         | `foo` in files with names that end with `.js` |
+| `foo.*bar`           | `foo.*bar` (regular expression)                       | None                           |
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index b0626a1147e..7afe9e30511 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -325,6 +325,24 @@ This change is a breaking change. You should [create a runner in the UI](https:/
 
 <div class="deprecation breaking-change" data-milestone="18.0">
 
+### Runner `active` GraphQL fields replaced by `paused`
+
+<div class="deprecation-notes">
+- Announced in GitLab <span class="milestone">14.8</span>
+- Removal in GitLab <span class="milestone">18.0</span> ([breaking change](https://docs.gitlab.com/ee/update/terminology.html#breaking-change))
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/351109).
+</div>
+
+Occurrences of the `active` identifier in the GitLab GraphQL API endpoints will be renamed to `paused` in GitLab 18.0:
+
+- The `CiRunner` property.
+- The `RunnerUpdateInput` input type for the `runnerUpdate` mutation.
+- The `runners`, `Group.runners`, and `Project.runners` queries.
+
+</div>
+
+<div class="deprecation breaking-change" data-milestone="18.0">
+
 ### Running a single database is deprecated
 
 <div class="deprecation-notes">
diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index 0304f7ba37c..358e34c8b89 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -200,8 +200,6 @@ Authenticating to a remote registry is not supported when [FIPS mode](../../../d
 
 #### Dependency list
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345434) in GitLab 14.6.
-
 The `CS_DISABLE_DEPENDENCY_LIST` CI/CD variable controls whether the scan creates a
 [Dependency List](../dependency_list/index.md)
 report. This variable is currently only supported when the `trivy` analyzer is used. The variable's default setting of `"false"` causes the scan to create the report. To disable
@@ -220,8 +218,6 @@ container_scanning:
 
 #### Report language-specific findings
 
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/7277) in GitLab 14.6.
-
 The `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` CI/CD variable controls whether the scan reports
 findings related to programming languages. The languages supported depend on the
 [scanner used](#change-scanners):
@@ -267,15 +263,15 @@ including a large number of false positives.
 | `CI_APPLICATION_REPOSITORY`    | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` | Docker repository URL for the image to be scanned. | All |
 | `CI_APPLICATION_TAG`           | `$CI_COMMIT_SHA` | Docker repository tag for the image to be scanned. | All |
 | `CS_ANALYZER_IMAGE`            | `registry.gitlab.com/security-products/container-scanning:7` | Docker image of the analyzer. | All |
-| `CS_DEFAULT_BRANCH_IMAGE`      | `""` | The name of the `CS_IMAGE` on the default branch. See [Setting the default branch image](#setting-the-default-branch-image) for more details. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338877) in GitLab 14.5. | All |
-| `CS_DISABLE_DEPENDENCY_LIST`   | `"false"`      | Disable Dependency Scanning for packages installed in the scanned image. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345434) in GitLab 14.6. | All |
-| `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` | `"true"` | Disable scanning for language-specific packages installed in the scanned image. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345434) in GitLab 14.6. | All |
+| `CS_DEFAULT_BRANCH_IMAGE`      | `""` | The name of the `CS_IMAGE` on the default branch. See [Setting the default branch image](#setting-the-default-branch-image) for more details. | All |
+| `CS_DISABLE_DEPENDENCY_LIST`   | `"false"`      | Disable Dependency Scanning for packages installed in the scanned image. | All |
+| `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` | `"true"` | Disable scanning for language-specific packages installed in the scanned image. | All |
 | `CS_DOCKER_INSECURE`           | `"false"`     | Allow access to secure Docker registries using HTTPS without validating the certificates. | All |
 | `CS_DOCKERFILE_PATH`              | `Dockerfile`  | The path to the `Dockerfile` to use for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project. You should configure this variable only if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. | All |
 | `CS_IGNORE_STATUSES`<sup><b><a href="#notes-regarding-cs-ignore-statuses">1</a></b></sup> | `""` | Force the analyzer to ignore vulnerability findings with specified statuses in a comma-delimited list. For `trivy`, the following values are allowed: `unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life`. For `grype`, the following values are allowed: `fixed,not-fixed,unknown,wont-fix` | All |
 | `CS_IGNORE_UNFIXED`            | `"false"`     | Ignore vulnerabilities that are not fixed. | All |
 | `CS_IMAGE`                 | `$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG` | The Docker image to be scanned. If set, this variable overrides the `$CI_APPLICATION_REPOSITORY` and `$CI_APPLICATION_TAG` variables. | All |
-| `CS_IMAGE_SUFFIX`              | `""`          | Suffix added to `CS_ANALYZER_IMAGE`. If set to `-fips`, `FIPS-enabled` image is used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/7630) in GitLab 14.10. | All |
+| `CS_IMAGE_SUFFIX`              | `""`          | Suffix added to `CS_ANALYZER_IMAGE`. If set to `-fips`, `FIPS-enabled` image is used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. | All |
 | `CS_QUIET`                     | `""`          | If set, this variable disables output of the [vulnerabilities table](#container-scanning-job-log-format) in the job log. [Introduced](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/merge_requests/50) in GitLab 15.1. | All |
 | `CS_REGISTRY_INSECURE`         | `"false"`     | Allow access to insecure registries (HTTP only). Should only be set to `true` when testing the image locally. Works with all scanners, but the registry must listen on port `80/tcp` for Trivy to work. | All |
 | `CS_REGISTRY_PASSWORD`              | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when [FIPS mode](../../../development/fips_compliance.md#enable-fips-mode) is enabled. | All |
@@ -316,8 +312,6 @@ Support depends on which scanner is used:
 
 #### FIPS-enabled images
 
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5775) in GitLab 14.1.
-
 GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
 versions of the container-scanning images. You can therefore replace standard images with FIPS-enabled
 images. To configure the images, set the `CS_IMAGE_SUFFIX` to `-fips` or modify the `CS_ANALYZER_IMAGE` variable to the
@@ -330,10 +324,8 @@ standard tag plus the `-fips` extension.
 | Trivy           | `registry.gitlab.com/security-products/container-scanning/trivy:7-fips` |
 
 NOTE:
-Prior to GitLab 15.0, the `-ubi` image extension is also available. GitLab 15.0 and later only
-support `-fips`.
 
-Starting with GitLab 14.10, `-fips` is automatically added to `CS_ANALYZER_IMAGE` when FIPS mode is
+The `-fips` flag is automatically added to `CS_ANALYZER_IMAGE` when FIPS mode is
 enabled in the GitLab instance.
 
 Container scanning of images in authenticated registries is not supported when [FIPS mode](../../../development/fips_compliance.md#enable-fips-mode)
@@ -342,8 +334,6 @@ the analyzer exits with an error and does not perform the scan.
 
 ### Enable Container Scanning through an automatic merge request
 
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6334) in GitLab 14.9.
-
 To enable Container Scanning in a project, create a merge request from the Security Configuration
 page:
 
@@ -393,8 +383,6 @@ Do not use the `:latest` tag when selecting the scanner image.
 
 ### Setting the default branch image
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338877) in GitLab 14.5.
-
 By default, container scanning assumes that the image naming convention stores any branch-specific
 identifiers in the image tag rather than the image name. When the image name differs between the
 default branch and the non-default branch, previously-detected vulnerabilities show up as newly
diff --git a/doc/user/application_security/dependency_list/index.md b/doc/user/application_security/dependency_list/index.md
index 3a49690e520..c79d6513f87 100644
--- a/doc/user/application_security/dependency_list/index.md
+++ b/doc/user/application_security/dependency_list/index.md
@@ -10,7 +10,6 @@ DETAILS:
 **Tier:** Ultimate
 **Offering:** GitLab.com, Self-managed, GitLab Dedicated
 
-> - System dependencies [introduced](https://gitlab.com/groups/gitlab-org/-/epics/6698) in GitLab 14.6.
 > - Group-level dependency list [introduced](https://gitlab.com/groups/gitlab-org/-/epics/8090) in GitLab 16.2 [with a flag](../../../administration/feature_flags.md) named `group_level_dependencies`. Disabled by default.
 > - Group-level dependency list [enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/411257) in GitLab 16.4.
 > - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/132015) in GitLab 16.5. Feature flag `group_level_dependencies` removed.
diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md
index 7cc1264f27b..76ec49ca2d5 100644
--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -670,7 +670,7 @@ The following analyzers are executed, each of which have different behavior when
    Does not support multiple lockfiles. When multiple lockfiles exist, `Retire.js`
    analyzes the first lockfile discovered while traversing the directory tree in alphabetical order.
 
-From GitLab 14.8 the `gemnasium` analyzer scans supported JavaScript projects for vendored libraries
+The `gemnasium` analyzer scans supports JavaScript projects for vendored libraries
 (that is, those checked into the project but not managed by the package manager).
 
 #### Go
@@ -748,9 +748,6 @@ Pipelines now include a dependency scanning job.
 
 #### Use a preconfigured merge request
 
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4908) in GitLab 14.1 [with a flag](../../../administration/feature_flags.md) named `sec_dependency_scanning_ui_enable`. Enabled by default.
-> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/326005) in GitLab 14.2. Feature flag `sec_dependency_scanning_ui_enable` removed.
-
 This method automatically prepares a merge request that includes the dependency scanning template
 in the `.gitlab-ci.yml` file. You then merge the merge request to enable dependency scanning.
 
@@ -837,7 +834,7 @@ The following variables configure the behavior of specific dependency scanning a
 | `GEMNASIUM_DB_REF_NAME`              | `gemnasium`        | `master`                     | Branch name for remote repository database. `GEMNASIUM_DB_REMOTE_URL` is required. |
 | `DS_REMEDIATE`                       | `gemnasium`        | `"true"`, `"false"` in FIPS mode | Enable automatic remediation of vulnerable dependencies. Not supported in FIPS mode. |
 | `DS_REMEDIATE_TIMEOUT`               | `gemnasium`        | `5m`                         | Timeout for auto-remediation. |
-| `GEMNASIUM_LIBRARY_SCAN_ENABLED`     | `gemnasium`        | `"true"`                     | Enable detecting vulnerabilities in vendored JavaScript libraries (libraries which are not managed by a package manager). This functionality requires a JavaScript lockfile to be present in a commit, otherwise Dependency Scanning is not executed and vendored files are not scanned.<br>Dependency scanning uses the [Retire.js](https://github.com/RetireJS/retire.js) scanner to detect a limited set of vulnerabilities. For details of which vulnerabilities are detected, see the [Retire.js repository](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350512) in GitLab 14.8. |
+| `GEMNASIUM_LIBRARY_SCAN_ENABLED`     | `gemnasium`        | `"true"`                     | Enable detecting vulnerabilities in vendored JavaScript libraries (libraries which are not managed by a package manager). This functionality requires a JavaScript lockfile to be present in a commit, otherwise Dependency Scanning is not executed and vendored files are not scanned.<br>Dependency scanning uses the [Retire.js](https://github.com/RetireJS/retire.js) scanner to detect a limited set of vulnerabilities. For details of which vulnerabilities are detected, see the [Retire.js repository](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json). |
 | `DS_INCLUDE_DEV_DEPENDENCIES`        | `gemnasium`        | `"true"`                     | When set to `"false"`, development dependencies and their vulnerabilities are not reported. Only projects using Composer, npm, pnpm, Pipenv or Poetry are supported. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/227861) in GitLab 15.1. |
 | `GOOS`                               | `gemnasium`        | `"linux"`                    | The operating system for which to compile Go code. |
 | `GOARCH`                             | `gemnasium`        | `"amd64"`                    | The architecture of the processor for which to compile Go code. |
@@ -925,7 +922,6 @@ Read more on [how to use private Maven repositories](../index.md#using-private-m
 
 ### FIPS-enabled images
 
-> - Introduced in GitLab 14.10. GitLab team members can view more information in this confidential issue:  `https://gitlab.com/gitlab-org/gitlab/-/issues/354796`
 > - Introduced in GitLab 15.0 - Gemnasium uses FIPS-enabled images when FIPS mode is enabled.
 
 GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
@@ -956,7 +952,6 @@ For more details of the dependency scanning report, see:
 
 ### CycloneDX Software Bill of Materials
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350509) in GitLab 14.8 in [Beta](../../../policy/experiment-beta-support.md#beta).
 > - Generally available in GitLab 15.7.
 
 Dependency Scanning outputs a [CycloneDX](https://cyclonedx.org/) Software Bill of Materials (SBOM)
diff --git a/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md b/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md
index 924e7732f01..b677cb6d259 100644
--- a/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md
+++ b/doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md
@@ -99,10 +99,7 @@ gemnasium-maven-dependency_scanning:
 
 ## Dependency Scanning job fails with message `strconv.ParseUint: parsing "0.0": invalid syntax`
 
-Invoking Docker-in-Docker is the likely cause of this error. Docker-in-Docker is:
-
-- Disabled by default in GitLab 13.0 and later.
-- Unsupported from GitLab 13.4 and later.
+Docker-in-Docker is unsupported, and attempting to invoke it is the likely cause of this error.
 
 To fix this error, disable Docker-in-Docker for dependency scanning. Individual
 `<analyzer-name>-dependency_scanning` jobs are created for each analyzer that runs in your CI/CD
diff --git a/doc/user/clusters/agent/vulnerabilities.md b/doc/user/clusters/agent/vulnerabilities.md
index 6dea65d197a..5b3b716565d 100644
--- a/doc/user/clusters/agent/vulnerabilities.md
+++ b/doc/user/clusters/agent/vulnerabilities.md
@@ -10,7 +10,6 @@ DETAILS:
 **Tier:** Ultimate
 **Offering:** GitLab.com, Self-managed, GitLab Dedicated
 
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6346) in GitLab 14.8.
 > - [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/368828) the starboard directive in GitLab 15.4. The starboard directive is scheduled for removal in GitLab 16.0.
 
 ## Supported architectures
diff --git a/doc/user/gitlab_duo_chat.md b/doc/user/gitlab_duo_chat.md
index 634a30ef249..bc548f97357 100644
--- a/doc/user/gitlab_duo_chat.md
+++ b/doc/user/gitlab_duo_chat.md
@@ -83,6 +83,10 @@ You can ask about a specific GitLab issue. For example:
 NOTE:
 If the issue contains a large amount of text (more than 40,000 words), GitLab Duo Chat might not be able to consider every word. The AI model has a limit to the amount of input it can process at one time.
 
+<i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
+For tips on how GitLab Duo Chat can improve your productivity with issues and epics, see [Boost your productivity with GitLab Duo Chat](https://youtu.be/RJezT5_V6dI).
+<!-- Video published on 2024-04-17 -->
+
 ### Ask about a specific epic
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/128487) for SaaS in GitLab 16.3.
diff --git a/doc/user/search/exact_code_search.md b/doc/user/search/exact_code_search.md
index 18bf2a00526..c916944bd61 100644
--- a/doc/user/search/exact_code_search.md
+++ b/doc/user/search/exact_code_search.md
@@ -60,22 +60,37 @@ Use this feature to search code across the entire GitLab instance.
 Global code search does not perform well on large GitLab instances.
 If you enable this feature for instances with more than 20,000 projects, your search might time out.
 
-## Syntax
+## Search modes
 
-This table shows some example queries for exact code search.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/434417) in GitLab 16.8 [with a flag](../../administration/feature_flags.md) named `zoekt_exact_search`. Disabled by default.
 
-| Query                | Description                                                                       |
-|----------------------|-----------------------------------------------------------------------------------|
-| `foo`                | Returns files that contain `foo`.                                                 |
-| `foo file:^doc/`     | Returns files that contain `foo` in directories that start with `doc/`.           |
-| `"class foo"`        | Returns files that contain the exact string `class foo`.                          |
-| `class foo`          | Returns files that contain both `class` and `foo`.                                |
-| `foo or bar`         | Returns files that contain either `foo` or `bar`.                                 |
-| `class Foo`          | Returns files that contain `class` (case insensitive) and `Foo` (case sensitive). |
-| `class Foo case:yes` | Returns files that contain `class` and `Foo` (both case sensitive).               |
-| `foo -bar`           | Returns files that contain `foo` but not `bar`.                                   |
-| `foo file:js`        | Searches for `foo` in files with names that contain `js`.                         |
-| `foo -file:test`     | Searches for `foo` in files with names that do not contain `test`.                |
-| `foo lang:ruby`      | Searches for `foo` in Ruby source code.                                           |
-| `foo file:\.js$`     | Searches for `foo` in files with names that end with `.js`.                       |
-| `foo.*bar`           | Searches for strings that match the regular expression `foo.*bar`.                |
+FLAG:
+The availability of this feature is controlled by a feature flag.
+For more information, see the history.
+
+When you enable `zoekt_exact_search`, you can switch between two search modes:
+
+- **Regular expression mode:** supports regular and boolean expressions.
+- **Exact match mode:** returns results that exactly match the query.
+
+When `zoekt_exact_search` is disabled, the regular expression mode is used by default.
+
+### Syntax
+
+This table shows some example queries for regular expression and exact match modes.
+
+| Query                | Regular expression mode                               | Exact match mode               |
+| -------------------- | ----------------------------------------------------- | ------------------------------ |
+| `"foo"`              | `foo`                                                 | `"foo"`                        |
+| `foo file:^doc/`     | `foo` in directories that start with `/doc`           | `foo` in directories that start with `/doc` |
+| `"class foo"`        | `class foo`                                           | `"class foo"`                  |
+| `class foo`          | `class` and `foo`                                     | `class foo`                    |
+| `foo or bar`         | `foo` or `bar`                                        | `foo or bar`                   |
+| `class Foo`          | `class` (case insensitive) and `Foo` (case sensitive) | `class Foo` (case insensitive) |
+| `class Foo case:yes` | `class` and `Foo` (both case sensitive)               | `class Foo` (case sensitive)   |
+| `foo -bar`           | `foo` but not `bar`                                   | `foo -bar`                     |
+| `foo file:js`        | `foo` in files with names that contain `js`           | `foo` in files with names that contain `js` |
+| `foo -file:test`     | `foo` in files with names that do not contain `test`  | `foo` in files with names that do not contain `test` |
+| `foo lang:ruby`      | `foo` in Ruby source code                             | `foo` in Ruby source code      |
+| `foo file:\.js$`     | `foo` in files with names that end with `.js`         | `foo` in files with names that end with `.js` |
+| `foo.*bar`           | `foo.*bar` (regular expression)                       | None                           |
diff --git a/glfm_specification/output_example_snapshots/html.yml b/glfm_specification/output_example_snapshots/html.yml
index 4c5579bcc01..de2d0742610 100644
--- a/glfm_specification/output_example_snapshots/html.yml
+++ b/glfm_specification/output_example_snapshots/html.yml
@@ -136,7 +136,7 @@
     <h1>Foo</h1>
   static: |-
     <h1 data-sourcepos="1:1-1:5" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>Foo</h1>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>Foo</h1>
   wysiwyg: |-
     <h1 dir="auto">Foo</h1>
 02_01_00__preliminaries__tabs__011:
@@ -328,7 +328,7 @@
     <p>bar</p>
   static: |-
     <h2 data-sourcepos="1:1-3:3" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>Foo</h2>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>Foo</h2>
     <p data-sourcepos="3:1-3:3" dir="auto">bar</p>
   wysiwyg: |-
     <h2 dir="auto">Foo</h2>
@@ -381,17 +381,17 @@
     <h6>foo</h6>
   static: |-
     <h1 data-sourcepos="1:1-1:5" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>foo</h1>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>foo</h1>
     <h2 data-sourcepos="2:1-2:6" dir="auto">
-    <a id="user-content-foo-1" class="anchor" href="#foo-1" aria-hidden="true"></a>foo</h2>
+    <a href="#foo-1" aria-hidden="true" class="anchor" id="user-content-foo-1"></a>foo</h2>
     <h3 data-sourcepos="3:1-3:7" dir="auto">
-    <a id="user-content-foo-2" class="anchor" href="#foo-2" aria-hidden="true"></a>foo</h3>
+    <a href="#foo-2" aria-hidden="true" class="anchor" id="user-content-foo-2"></a>foo</h3>
     <h4 data-sourcepos="4:1-4:8" dir="auto">
-    <a id="user-content-foo-3" class="anchor" href="#foo-3" aria-hidden="true"></a>foo</h4>
+    <a href="#foo-3" aria-hidden="true" class="anchor" id="user-content-foo-3"></a>foo</h4>
     <h5 data-sourcepos="5:1-5:9" dir="auto">
-    <a id="user-content-foo-4" class="anchor" href="#foo-4" aria-hidden="true"></a>foo</h5>
+    <a href="#foo-4" aria-hidden="true" class="anchor" id="user-content-foo-4"></a>foo</h5>
     <h6 data-sourcepos="6:1-6:10" dir="auto">
-    <a id="user-content-foo-5" class="anchor" href="#foo-5" aria-hidden="true"></a>foo</h6>
+    <a href="#foo-5" aria-hidden="true" class="anchor" id="user-content-foo-5"></a>foo</h6>
   wysiwyg: |-
     <h1 dir="auto">foo</h1>
     <h2 dir="auto">foo</h2>
@@ -428,7 +428,7 @@
     <h1>foo <em>bar</em> *baz*</h1>
   static: |-
     <h1 data-sourcepos="1:1-1:19" dir="auto">
-    <a id="user-content-foo-bar-baz" class="anchor" href="#foo-bar-baz" aria-hidden="true"></a>foo <em data-sourcepos="1:7-1:11">bar</em> *baz*</h1>
+    <a href="#foo-bar-baz" aria-hidden="true" class="anchor" id="user-content-foo-bar-baz"></a>foo <em data-sourcepos="1:7-1:11">bar</em> *baz*</h1>
   wysiwyg: |-
     <h1 dir="auto">foo <em>bar</em> *baz*</h1>
 04_02_00__leaf_blocks__atx_headings__006:
@@ -436,7 +436,7 @@
     <h1>foo</h1>
   static: |-
     <h1 data-sourcepos="1:1-1:43" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>foo</h1>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>foo</h1>
   wysiwyg: |-
     <h1 dir="auto">foo</h1>
 04_02_00__leaf_blocks__atx_headings__007:
@@ -446,11 +446,11 @@
     <h1>foo</h1>
   static: |-
     <h3 data-sourcepos="1:2-1:8" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>foo</h3>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>foo</h3>
     <h2 data-sourcepos="2:3-2:8" dir="auto">
-    <a id="user-content-foo-1" class="anchor" href="#foo-1" aria-hidden="true"></a>foo</h2>
+    <a href="#foo-1" aria-hidden="true" class="anchor" id="user-content-foo-1"></a>foo</h2>
     <h1 data-sourcepos="3:4-3:8" dir="auto">
-    <a id="user-content-foo-2" class="anchor" href="#foo-2" aria-hidden="true"></a>foo</h1>
+    <a href="#foo-2" aria-hidden="true" class="anchor" id="user-content-foo-2"></a>foo</h1>
   wysiwyg: |-
     <h3 dir="auto">foo</h3>
     <h2 dir="auto">foo</h2>
@@ -482,9 +482,9 @@
     <h3>bar</h3>
   static: |-
     <h2 data-sourcepos="1:1-1:9" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>foo</h2>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>foo</h2>
     <h3 data-sourcepos="2:3-2:18" dir="auto">
-    <a id="user-content-bar" class="anchor" href="#bar" aria-hidden="true"></a>bar</h3>
+    <a href="#bar" aria-hidden="true" class="anchor" id="user-content-bar"></a>bar</h3>
   wysiwyg: |-
     <h2 dir="auto">foo</h2>
     <h3 dir="auto">bar</h3>
@@ -494,9 +494,9 @@
     <h5>foo</h5>
   static: |-
     <h1 data-sourcepos="1:1-1:40" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>foo</h1>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>foo</h1>
     <h5 data-sourcepos="2:1-2:12" dir="auto">
-    <a id="user-content-foo-1" class="anchor" href="#foo-1" aria-hidden="true"></a>foo</h5>
+    <a href="#foo-1" aria-hidden="true" class="anchor" id="user-content-foo-1"></a>foo</h5>
   wysiwyg: |-
     <h1 dir="auto">foo</h1>
     <h5 dir="auto">foo</h5>
@@ -505,7 +505,7 @@
     <h3>foo</h3>
   static: |-
     <h3 data-sourcepos="1:1-1:16" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>foo</h3>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>foo</h3>
   wysiwyg: |-
     <h3 dir="auto">foo</h3>
 04_02_00__leaf_blocks__atx_headings__013:
@@ -513,7 +513,7 @@
     <h3>foo ### b</h3>
   static: |-
     <h3 data-sourcepos="1:1-1:13" dir="auto">
-    <a id="user-content-foo-b" class="anchor" href="#foo-b" aria-hidden="true"></a>foo ### b</h3>
+    <a href="#foo--b" aria-hidden="true" class="anchor" id="user-content-foo--b"></a>foo ### b</h3>
   wysiwyg: |-
     <h3 dir="auto">foo ### b</h3>
 04_02_00__leaf_blocks__atx_headings__014:
@@ -521,7 +521,7 @@
     <h1>foo#</h1>
   static: |-
     <h1 data-sourcepos="1:1-1:6" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>foo#</h1>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>foo#</h1>
   wysiwyg: |-
     <h1 dir="auto">foo#</h1>
 04_02_00__leaf_blocks__atx_headings__015:
@@ -531,11 +531,11 @@
     <h1>foo #</h1>
   static: |-
     <h3 data-sourcepos="1:1-1:33" dir="auto">
-    <a id="user-content-foo-" class="anchor" href="#foo-" aria-hidden="true"></a>foo <span data-escaped-char>#</span>##</h3>
+    <a href="#foo-c" aria-hidden="true" class="anchor" id="user-content-foo-&lt;span data-escaped-char&gt;c&lt;/span&gt;"></a>foo <span data-escaped-char>#</span>##</h3>
     <h2 data-sourcepos="2:1-2:32" dir="auto">
-    <a id="user-content-foo--1" class="anchor" href="#foo--1" aria-hidden="true"></a>foo #<span data-escaped-char>#</span>#</h2>
+    <a href="#foo-c-1" aria-hidden="true" class="anchor" id="user-content-foo-&lt;span data-escaped-char&gt;c&lt;/span&gt;-1"></a>foo #<span data-escaped-char>#</span>#</h2>
     <h1 data-sourcepos="3:1-3:29" dir="auto">
-    <a id="user-content-foo--2" class="anchor" href="#foo--2" aria-hidden="true"></a>foo <span data-escaped-char>#</span>
+    <a href="#foo-c-2" aria-hidden="true" class="anchor" id="user-content-foo-&lt;span data-escaped-char&gt;c&lt;/span&gt;-2"></a>foo <span data-escaped-char>#</span>
     </h1>
   wysiwyg: |-
     <h3 dir="auto">foo ###</h3>
@@ -549,7 +549,7 @@
   static: |-
     <hr data-sourcepos="1:1-1:4">
     <h2 data-sourcepos="2:1-2:6" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>foo</h2>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>foo</h2>
     <hr data-sourcepos="3:1-3:4">
   wysiwyg: |-
     <hr>
@@ -563,7 +563,7 @@
   static: |-
     <p data-sourcepos="1:1-1:7" dir="auto">Foo bar</p>
     <h1 data-sourcepos="2:1-2:5" dir="auto">
-    <a id="user-content-baz" class="anchor" href="#baz" aria-hidden="true"></a>baz</h1>
+    <a href="#baz" aria-hidden="true" class="anchor" id="user-content-baz"></a>baz</h1>
     <p data-sourcepos="3:1-3:7" dir="auto">Bar foo</p>
   wysiwyg: |-
     <p dir="auto">Foo bar</p>
@@ -575,9 +575,9 @@
     <h1></h1>
     <h3></h3>
   static: |-
-    <h2 data-sourcepos="1:1-1:3" dir="auto"></h2>
-    <h1 data-sourcepos="2:1-2:1" dir="auto"></h1>
-    <h3 data-sourcepos="3:1-3:7" dir="auto"></h3>
+    <h2 data-sourcepos="1:1-1:3" dir="auto"><a href="#" aria-hidden="true" class="anchor" id="user-content-"></a></h2>
+    <h1 data-sourcepos="2:1-2:1" dir="auto"><a href="#-1" aria-hidden="true" class="anchor" id="user-content--1"></a></h1>
+    <h3 data-sourcepos="3:1-3:7" dir="auto"><a href="#-2" aria-hidden="true" class="anchor" id="user-content--2"></a></h3>
   wysiwyg: |-
     <h2 dir="auto"></h2>
     <h1 dir="auto"></h1>
@@ -588,10 +588,10 @@
     <h2>Foo <em>bar</em></h2>
   static: |-
     <h1 data-sourcepos="1:1-3:0" dir="auto">
-    <a id="user-content-foo-bar" class="anchor" href="#foo-bar" aria-hidden="true"></a>Foo <em data-sourcepos="1:5-1:9">bar</em>
+    <a href="#foo-bar" aria-hidden="true" class="anchor" id="user-content-foo-bar"></a>Foo <em data-sourcepos="1:5-1:9">bar</em>
     </h1>
     <h2 data-sourcepos="4:1-5:9" dir="auto">
-    <a id="user-content-foo-bar-1" class="anchor" href="#foo-bar-1" aria-hidden="true"></a>Foo <em data-sourcepos="4:5-4:9">bar</em>
+    <a href="#foo-bar-1" aria-hidden="true" class="anchor" id="user-content-foo-bar-1"></a>Foo <em data-sourcepos="4:5-4:9">bar</em>
     </h2>
   wysiwyg: |-
     <h1 dir="auto">Foo <em>bar</em></h1>
@@ -602,7 +602,7 @@
     baz</em></h1>
   static: |-
     <h1 data-sourcepos="1:1-3:4" dir="auto">
-    <a id="user-content-foo-barbaz" class="anchor" href="#foo-barbaz" aria-hidden="true"></a>Foo <em data-sourcepos="1:5-2:4">bar
+    <a href="#foo-bar-baz" aria-hidden="true" class="anchor" id="user-content-foo-bar-baz"></a>Foo <em data-sourcepos="1:5-2:4">bar
     baz</em>
     </h1>
   wysiwyg: |-
@@ -614,7 +614,7 @@
     baz</em></h1>
   static: |-
     <h1 data-sourcepos="1:3-3:4" dir="auto">
-    <a id="user-content-foo-barbaz" class="anchor" href="#foo-barbaz" aria-hidden="true"></a>Foo <em data-sourcepos="1:7-2:6">bar
+    <a href="#foo-bar-baz" aria-hidden="true" class="anchor" id="user-content-foo-bar-baz"></a>Foo <em data-sourcepos="1:7-2:6">bar
     baz</em>
     </h1>
   wysiwyg: |-
@@ -626,9 +626,9 @@
     <h1>Foo</h1>
   static: |-
     <h2 data-sourcepos="1:1-3:0" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>Foo</h2>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>Foo</h2>
     <h1 data-sourcepos="4:1-5:1" dir="auto">
-    <a id="user-content-foo-1" class="anchor" href="#foo-1" aria-hidden="true"></a>Foo</h1>
+    <a href="#foo-1" aria-hidden="true" class="anchor" id="user-content-foo-1"></a>Foo</h1>
   wysiwyg: |-
     <h2 dir="auto">Foo</h2>
     <h1 dir="auto">Foo</h1>
@@ -639,11 +639,11 @@
     <h1>Foo</h1>
   static: |-
     <h2 data-sourcepos="1:4-3:0" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>Foo</h2>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>Foo</h2>
     <h2 data-sourcepos="4:3-6:0" dir="auto">
-    <a id="user-content-foo-1" class="anchor" href="#foo-1" aria-hidden="true"></a>Foo</h2>
+    <a href="#foo-1" aria-hidden="true" class="anchor" id="user-content-foo-1"></a>Foo</h2>
     <h1 data-sourcepos="7:3-8:5" dir="auto">
-    <a id="user-content-foo-2" class="anchor" href="#foo-2" aria-hidden="true"></a>Foo</h1>
+    <a href="#foo-2" aria-hidden="true" class="anchor" id="user-content-foo-2"></a>Foo</h1>
   wysiwyg: |-
     <h2 dir="auto">Foo</h2>
     <h2 dir="auto">Foo</h2>
@@ -676,7 +676,7 @@
     <h2>Foo</h2>
   static: |-
     <h2 data-sourcepos="1:1-2:13" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>Foo</h2>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>Foo</h2>
   wysiwyg: |-
     <h2 dir="auto">Foo</h2>
 04_03_00__leaf_blocks__setext_headings__008:
@@ -710,7 +710,7 @@
     <h2>Foo</h2>
   static: |-
     <h2 data-sourcepos="1:1-2:5" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>Foo</h2>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>Foo</h2>
   wysiwyg: |-
     <h2 dir="auto">Foo</h2>
 04_03_00__leaf_blocks__setext_headings__011:
@@ -718,7 +718,7 @@
     <h2>Foo\</h2>
   static: |-
     <h2 data-sourcepos="1:1-2:4" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>Foo\</h2>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>Foo\</h2>
   wysiwyg: |-
     <h2 dir="auto">Foo\</h2>
 04_03_00__leaf_blocks__setext_headings__012:
@@ -729,10 +729,10 @@
     <p>of dashes&quot;/&gt;</p>
   static: |-
     <h2 data-sourcepos="1:1-3:1" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>`Foo</h2>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>`Foo</h2>
     <p data-sourcepos="3:1-3:1" dir="auto">`</p>
     <h2 data-sourcepos="5:1-7:12" dir="auto">
-    <a id="user-content-a-titlea-lot" class="anchor" href="#a-titlea-lot" aria-hidden="true"></a>&lt;a title="a lot</h2>
+    <a href="#a-titlea-lot" aria-hidden="true" class="anchor" id="user-content-a-titlea-lot"></a>&lt;a title="a lot</h2>
     <p data-sourcepos="7:1-7:12" dir="auto">of dashes"/&gt;</p>
   wysiwyg: |-
     <h2 dir="auto">`Foo</h2>
@@ -790,7 +790,7 @@
     Bar</h2>
   static: |-
     <h2 data-sourcepos="1:1-3:3" dir="auto">
-    <a id="user-content-foobar" class="anchor" href="#foobar" aria-hidden="true"></a>Foo
+    <a href="#foo-bar" aria-hidden="true" class="anchor" id="user-content-foo-bar"></a>Foo
     Bar</h2>
   wysiwyg: |-
     <h2 dir="auto">Foo
@@ -807,7 +807,7 @@
     <copy-code></copy-code>
     </div>
     <h2 data-sourcepos="4:1-6:3" dir="auto">
-    <a id="user-content-bar" class="anchor" href="#bar" aria-hidden="true"></a>Bar</h2>
+    <a href="#bar" aria-hidden="true" class="anchor" id="user-content-bar"></a>Bar</h2>
     <p data-sourcepos="6:1-6:3" dir="auto">Baz</p>
   wysiwyg: |-
     <pre language="yaml" class="content-editor-code-block undefined code highlight" isfrontmatter="true"><code>Foo</code></pre>
@@ -878,7 +878,7 @@
     <h2>&gt; foo</h2>
   static: |-
     <h2 data-sourcepos="1:1-2:6" dir="auto">
-    <a id="user-content--foo" class="anchor" href="#-foo" aria-hidden="true"></a>&gt; foo</h2>
+    <a href="#-foo" aria-hidden="true" class="anchor" id="user-content--foo"></a>&gt; foo</h2>
   wysiwyg: |-
     <h2 dir="auto">&gt; foo</h2>
 04_03_00__leaf_blocks__setext_headings__024:
@@ -889,7 +889,7 @@
   static: |-
     <p data-sourcepos="1:1-1:3" dir="auto">Foo</p>
     <h2 data-sourcepos="3:1-5:3" dir="auto">
-    <a id="user-content-bar" class="anchor" href="#bar" aria-hidden="true"></a>bar</h2>
+    <a href="#bar" aria-hidden="true" class="anchor" id="user-content-bar"></a>bar</h2>
     <p data-sourcepos="5:1-5:3" dir="auto">baz</p>
   wysiwyg: |-
     <p dir="auto">Foo</p>
@@ -1090,13 +1090,13 @@
     <hr />
   static: |-
     <h1 data-sourcepos="1:1-1:9" dir="auto">
-    <a id="user-content-heading" class="anchor" href="#heading" aria-hidden="true"></a>Heading</h1>
+    <a href="#heading" aria-hidden="true" class="anchor" id="user-content-heading"></a>Heading</h1>
     <div class="gl-relative markdown-code-block js-markdown-code">
     <pre data-sourcepos="2:5-2:7" class="code highlight js-syntax-highlight language-plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">foo</span></code></pre>
     <copy-code></copy-code>
     </div>
     <h2 data-sourcepos="3:1-5:7" dir="auto">
-    <a id="user-content-heading-1" class="anchor" href="#heading-1" aria-hidden="true"></a>Heading</h2>
+    <a href="#heading-1" aria-hidden="true" class="anchor" id="user-content-heading-1"></a>Heading</h2>
     <div class="gl-relative markdown-code-block js-markdown-code">
     <pre data-sourcepos="5:5-5:7" class="code highlight js-syntax-highlight language-plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">foo</span></code></pre>
     <copy-code></copy-code>
@@ -1448,13 +1448,13 @@
     <h1>baz</h1>
   static: |-
     <h2 data-sourcepos="1:1-3:3" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>foo</h2>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>foo</h2>
     <div class="gl-relative markdown-code-block js-markdown-code">
     <pre data-sourcepos="3:1-5:3" class="code highlight js-syntax-highlight language-plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">bar</span></code></pre>
     <copy-code></copy-code>
     </div>
     <h1 data-sourcepos="6:1-6:5" dir="auto">
-    <a id="user-content-baz" class="anchor" href="#baz" aria-hidden="true"></a>baz</h1>
+    <a href="#baz" aria-hidden="true" class="anchor" id="user-content-baz"></a>baz</h1>
   wysiwyg: |-
     <h2 dir="auto">foo</h2>
     <pre dir="auto" class="content-editor-code-block undefined code highlight"><code>bar</code></pre>
@@ -2345,7 +2345,7 @@
     </blockquote>
   static: |-
     <h1 data-sourcepos="1:1-1:7" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a><a data-sourcepos="1:3-1:7" href="/url">Foo</a>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a><a data-sourcepos="1:3-1:7" href="/url">Foo</a>
     </h1>
     <blockquote data-sourcepos="3:1-3:5" dir="auto">
     <p data-sourcepos="3:3-3:5">bar</p>
@@ -2360,7 +2360,7 @@
     <p><a href="/url">foo</a></p>
   static: |-
     <h1 data-sourcepos="1:1-4:5" dir="auto">
-    <a id="user-content-bar" class="anchor" href="#bar" aria-hidden="true"></a>bar</h1>
+    <a href="#bar" aria-hidden="true" class="anchor" id="user-content-bar"></a>bar</h1>
     <p data-sourcepos="4:1-4:5" dir="auto"><a data-sourcepos="4:1-4:5" href="/url">foo</a></p>
   wysiwyg: |-
     <pre>[foo]: /url</pre>
@@ -2510,7 +2510,7 @@
   static: |-
     <p data-sourcepos="3:1-3:3" dir="auto">aaa</p>
     <h1 data-sourcepos="6:1-6:5" dir="auto">
-    <a id="user-content-aaa" class="anchor" href="#aaa" aria-hidden="true"></a>aaa</h1>
+    <a href="#aaa" aria-hidden="true" class="anchor" id="user-content-aaa"></a>aaa</h1>
   wysiwyg: |-
     <p dir="auto">aaa</p>
     <h1 dir="auto">aaa</h1>
@@ -2784,7 +2784,7 @@
   static: |-
     <blockquote data-sourcepos="1:1-3:5" dir="auto">
     <h1 data-sourcepos="1:3-1:7">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>Foo</h1>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>Foo</h1>
     <p data-sourcepos="2:3-3:5">bar
     baz</p>
     </blockquote>
@@ -2801,7 +2801,7 @@
   static: |-
     <blockquote data-sourcepos="1:1-3:5" dir="auto">
     <h1 data-sourcepos="1:2-1:6">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>Foo</h1>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>Foo</h1>
     <p data-sourcepos="2:2-3:5">bar
     baz</p>
     </blockquote>
@@ -2818,7 +2818,7 @@
   static: |-
     <blockquote data-sourcepos="1:4-3:6" dir="auto">
     <h1 data-sourcepos="1:6-1:10">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>Foo</h1>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>Foo</h1>
     <p data-sourcepos="2:6-3:6">bar
     baz</p>
     </blockquote>
@@ -2852,7 +2852,7 @@
   static: |-
     <blockquote data-sourcepos="1:1-3:3" dir="auto">
     <h1 data-sourcepos="1:3-1:7">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>Foo</h1>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>Foo</h1>
     <p data-sourcepos="2:3-3:3">bar
     baz</p>
     </blockquote>
@@ -4142,11 +4142,11 @@
     <ul data-sourcepos="1:1-4:5" dir="auto">
     <li data-sourcepos="1:1-1:7">
     <h1 data-sourcepos="1:3-1:7">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>Foo</h1>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>Foo</h1>
     </li>
     <li data-sourcepos="2:1-4:5">
     <h2 data-sourcepos="2:3-4:5">
-    <a id="user-content-bar" class="anchor" href="#bar" aria-hidden="true"></a>Bar</h2>
+    <a href="#bar" aria-hidden="true" class="anchor" id="user-content-bar"></a>Bar</h2>
     baz</li>
     </ul>
   wysiwyg: |-
@@ -7572,7 +7572,7 @@
     <h3>foo\</h3>
   static: |-
     <h3 data-sourcepos="1:1-1:8" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>foo\</h3>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>foo\</h3>
   wysiwyg: |-
     <h3 dir="auto">foo\</h3>
 06_13_00__inlines__hard_line_breaks__015:
@@ -7580,7 +7580,7 @@
     <h3>foo</h3>
   static: |-
     <h3 data-sourcepos="1:1-1:9" dir="auto">
-    <a id="user-content-foo" class="anchor" href="#foo" aria-hidden="true"></a>foo</h3>
+    <a href="#foo" aria-hidden="true" class="anchor" id="user-content-foo"></a>foo</h3>
   wysiwyg: |-
     <h3 dir="auto">foo</h3>
 06_14_00__inlines__soft_line_breaks__001:
@@ -7753,7 +7753,7 @@
     <p data-sourcepos="1:1-1:4" dir="auto">text</p>
     <hr data-sourcepos="3:1-3:3">
     <h2 data-sourcepos="4:1-5:3" dir="auto">
-    <a id="user-content-title-yaml-front-matter" class="anchor" href="#title-yaml-front-matter" aria-hidden="true"></a>title: YAML front matter</h2>
+    <a href="#title-yaml-front-matter" aria-hidden="true" class="anchor" id="user-content-title-yaml-front-matter"></a>title: YAML front matter</h2>
   wysiwyg: |-
     <p dir="auto">text</p>
     <hr>
@@ -7765,7 +7765,7 @@
   static: |-
     <hr data-sourcepos="1:2-1:4">
     <h2 data-sourcepos="2:1-3:3" dir="auto">
-    <a id="user-content-title-yaml-front-matter" class="anchor" href="#title-yaml-front-matter" aria-hidden="true"></a>title: YAML front matter</h2>
+    <a href="#title-yaml-front-matter" aria-hidden="true" class="anchor" id="user-content-title-yaml-front-matter"></a>title: YAML front matter</h2>
   wysiwyg: |-
     <hr>
     <h2 dir="auto">title: YAML front matter</h2>
@@ -7786,9 +7786,9 @@
     <a href="#heading-1">Heading 1</a><ul><li><a href="#heading-2">Heading 2</a></li></ul>
     </li></ul>
     <h1 data-sourcepos="3:1-3:11" dir="auto">
-    <a id="user-content-heading-1" class="anchor" href="#heading-1" aria-hidden="true"></a>Heading 1</h1>
+    <a href="#heading-1" aria-hidden="true" class="anchor" id="user-content-heading-1"></a>Heading 1</h1>
     <h2 data-sourcepos="5:1-5:12" dir="auto">
-    <a id="user-content-heading-2" class="anchor" href="#heading-2" aria-hidden="true"></a>Heading 2</h2>
+    <a href="#heading-2" aria-hidden="true" class="anchor" id="user-content-heading-2"></a>Heading 2</h2>
   wysiwyg: |-
     <div class="table-of-contents gl-border-1 gl-border-solid gl-text-center gl-border-gray-100 gl-mb-5">Table of contents</div>
     <h1 dir="auto">Heading 1</h1>
@@ -7810,9 +7810,9 @@
     <a href="#heading-1">Heading 1</a><ul><li><a href="#heading-2">Heading 2</a></li></ul>
     </li></ul>
     <h1 data-sourcepos="3:1-3:11" dir="auto">
-    <a id="user-content-heading-1" class="anchor" href="#heading-1" aria-hidden="true"></a>Heading 1</h1>
+    <a href="#heading-1" aria-hidden="true" class="anchor" id="user-content-heading-1"></a>Heading 1</h1>
     <h2 data-sourcepos="5:1-5:12" dir="auto">
-    <a id="user-content-heading-2" class="anchor" href="#heading-2" aria-hidden="true"></a>Heading 2</h2>
+    <a href="#heading-2" aria-hidden="true" class="anchor" id="user-content-heading-2"></a>Heading 2</h2>
   wysiwyg: |-
     <div class="table-of-contents gl-border-1 gl-border-solid gl-text-center gl-border-gray-100 gl-mb-5">Table of contents</div>
     <h1 dir="auto">Heading 1</h1>
@@ -7842,7 +7842,7 @@
   static: |-
     <ul class="section-nav"><li><a href="#heading-1">Heading 1</a></li></ul>
     <h1 data-sourcepos="3:1-3:11" dir="auto">
-    <a id="user-content-heading-1" class="anchor" href="#heading-1" aria-hidden="true"></a>Heading 1</h1>
+    <a href="#heading-1" aria-hidden="true" class="anchor" id="user-content-heading-1"></a>Heading 1</h1>
   wysiwyg: |-
     <div class="table-of-contents gl-border-1 gl-border-solid gl-text-center gl-border-gray-100 gl-mb-5">Table of contents</div>
     <h1 dir="auto">Heading 1</h1>
@@ -8292,17 +8292,17 @@
     TODO: Write canonical HTML for this example
   static: |-
     <h1 data-sourcepos="1:1-1:11" dir="auto">
-    <a id="user-content-heading-1" class="anchor" href="#heading-1" aria-hidden="true"></a>Heading 1</h1>
+    <a href="#heading-1" aria-hidden="true" class="anchor" id="user-content-heading-1"></a>Heading 1</h1>
     <h2 data-sourcepos="3:1-3:12" dir="auto">
-    <a id="user-content-heading-2" class="anchor" href="#heading-2" aria-hidden="true"></a>Heading 2</h2>
+    <a href="#heading-2" aria-hidden="true" class="anchor" id="user-content-heading-2"></a>Heading 2</h2>
     <h3 data-sourcepos="5:1-5:13" dir="auto">
-    <a id="user-content-heading-3" class="anchor" href="#heading-3" aria-hidden="true"></a>Heading 3</h3>
+    <a href="#heading-3" aria-hidden="true" class="anchor" id="user-content-heading-3"></a>Heading 3</h3>
     <h4 data-sourcepos="7:1-7:14" dir="auto">
-    <a id="user-content-heading-4" class="anchor" href="#heading-4" aria-hidden="true"></a>Heading 4</h4>
+    <a href="#heading-4" aria-hidden="true" class="anchor" id="user-content-heading-4"></a>Heading 4</h4>
     <h5 data-sourcepos="9:1-9:15" dir="auto">
-    <a id="user-content-heading-5" class="anchor" href="#heading-5" aria-hidden="true"></a>Heading 5</h5>
+    <a href="#heading-5" aria-hidden="true" class="anchor" id="user-content-heading-5"></a>Heading 5</h5>
     <h6 data-sourcepos="11:1-11:16" dir="auto">
-    <a id="user-content-heading-6" class="anchor" href="#heading-6" aria-hidden="true"></a>Heading 6</h6>
+    <a href="#heading-6" aria-hidden="true" class="anchor" id="user-content-heading-6"></a>Heading 6</h6>
   wysiwyg: |-
     <h1 dir="auto">Heading 1</h1>
     <h2 dir="auto">Heading 2</h2>
@@ -8517,7 +8517,7 @@
     </tbody>
     </table>
     <h1 data-sourcepos="6:1-6:21" dir="auto">
-    <a id="user-content-content-after-table" class="anchor" href="#content-after-table" aria-hidden="true"></a>content after table</h1>
+    <a href="#content-after-table" aria-hidden="true" class="anchor" id="user-content-content-after-table"></a>content after table</h1>
   wysiwyg: |-
     <table><tbody><tr><th colspan="1" rowspan="1"><p dir="auto">header</p></th><th colspan="1" rowspan="1"><p dir="auto">header</p></th></tr><tr><td colspan="1" rowspan="1"><p dir="auto"><code>code</code></p></td><td colspan="1" rowspan="1"><p dir="auto">cell with <strong>bold</strong></p></td></tr><tr><td colspan="1" rowspan="1"><p dir="auto"><s>strike</s></p></td><td colspan="1" rowspan="1"><p dir="auto">cell with <em>italic</em></p></td></tr></tbody></table>
     <h1 dir="auto">content after table</h1>
@@ -8536,16 +8536,16 @@
     </li>
     </ul>
     <h1 data-sourcepos="3:1-3:7" dir="auto">
-    <a id="user-content-lorem" class="anchor" href="#lorem" aria-hidden="true"></a>Lorem</h1>
+    <a href="#lorem" aria-hidden="true" class="anchor" id="user-content-lorem"></a>Lorem</h1>
     <p data-sourcepos="5:1-5:45" dir="auto">Well, that's just like... your opinion.. man.</p>
     <h2 data-sourcepos="7:1-7:8" dir="auto">
-    <a id="user-content-ipsum" class="anchor" href="#ipsum" aria-hidden="true"></a>Ipsum</h2>
+    <a href="#ipsum" aria-hidden="true" class="anchor" id="user-content-ipsum"></a>Ipsum</h2>
     <h3 data-sourcepos="9:1-9:9" dir="auto">
-    <a id="user-content-dolar" class="anchor" href="#dolar" aria-hidden="true"></a>Dolar</h3>
+    <a href="#dolar" aria-hidden="true" class="anchor" id="user-content-dolar"></a>Dolar</h3>
     <h1 data-sourcepos="11:1-11:10" dir="auto">
-    <a id="user-content-sit-amit" class="anchor" href="#sit-amit" aria-hidden="true"></a>Sit amit</h1>
+    <a href="#sit-amit" aria-hidden="true" class="anchor" id="user-content-sit-amit"></a>Sit amit</h1>
     <h3 data-sourcepos="13:1-13:16" dir="auto">
-    <a id="user-content-i-dont-know" class="anchor" href="#i-dont-know" aria-hidden="true"></a>I don't know</h3>
+    <a href="#i-dont-know" aria-hidden="true" class="anchor" id="user-content-i-dont-know"></a>I don't know</h3>
   wysiwyg: |-
     <div class="table-of-contents gl-border-1 gl-border-solid gl-text-center gl-border-gray-100 gl-mb-5">Table of contents</div>
     <h1 dir="auto">Lorem</h1>
diff --git a/glfm_specification/output_example_snapshots/snapshot_spec.html b/glfm_specification/output_example_snapshots/snapshot_spec.html
index e8c3551ea20..b176e0ebf8c 100644
--- a/glfm_specification/output_example_snapshots/snapshot_spec.html
+++ b/glfm_specification/output_example_snapshots/snapshot_spec.html
@@ -238,148 +238,11 @@
 <h1 class="title">GitLab Flavored Markdown Internal Extensions</h1>
 <div class="version">Version alpha</div>
 
-<ul class="section-nav">
-<li>
-<a href="#preliminaries">Preliminaries</a><ul>
-<li><a href="#characters-and-lines">Characters and lines</a></li>
-<li><a href="#tabs">Tabs</a></li>
-<li><a href="#insecure-characters">Insecure characters</a></li>
-</ul>
-</li>
-<li>
-<a href="#blocks-and-inlines">Blocks and inlines</a><ul>
-<li><a href="#precedence">Precedence</a></li>
-<li><a href="#container-blocks-and-leaf-blocks">Container blocks and leaf blocks</a></li>
-</ul>
-</li>
-<li>
-<a href="#leaf-blocks">Leaf blocks</a><ul>
-<li><a href="#thematic-breaks">Thematic breaks</a></li>
-<li><a href="#atx-headings">ATX headings</a></li>
-<li><a href="#setext-headings">Setext headings</a></li>
-<li><a href="#indented-code-blocks">Indented code blocks</a></li>
-<li><a href="#fenced-code-blocks">Fenced code blocks</a></li>
-<li><a href="#html-blocks">HTML blocks</a></li>
-<li><a href="#link-reference-definitions">Link reference definitions</a></li>
-<li><a href="#paragraphs">Paragraphs</a></li>
-<li><a href="#blank-lines">Blank lines</a></li>
-<li><a href="#tables-extension">Tables (extension)</a></li>
-</ul>
-</li>
-<li>
-<a href="#container-blocks">Container blocks</a><ul>
-<li><a href="#block-quotes">Block quotes</a></li>
-<li>
-<a href="#list-items">List items</a><ul><li><a href="#motivation">Motivation</a></li></ul>
-</li>
-<li><a href="#task-list-items-extension">Task list items (extension)</a></li>
-<li><a href="#lists">Lists</a></li>
-</ul>
-</li>
-<li>
-<a href="#inlines">Inlines</a><ul>
-<li><a href="#backslash-escapes">Backslash escapes</a></li>
-<li><a href="#entity-and-numeric-character-references">Entity and numeric character references</a></li>
-<li><a href="#code-spans">Code spans</a></li>
-<li><a href="#emphasis-and-strong-emphasis">Emphasis and strong emphasis</a></li>
-<li><a href="#strikethrough-extension">Strikethrough (extension)</a></li>
-<li><a href="#links">Links</a></li>
-<li><a href="#images">Images</a></li>
-<li><a href="#autolinks">Autolinks</a></li>
-<li><a href="#autolinks-extension">Autolinks (extension)</a></li>
-<li><a href="#raw-html">Raw HTML</a></li>
-<li><a href="#disallowed-raw-html-extension">Disallowed Raw HTML (extension)</a></li>
-<li><a href="#hard-line-breaks">Hard line breaks</a></li>
-<li><a href="#soft-line-breaks">Soft line breaks</a></li>
-<li><a href="#textual-content">Textual content</a></li>
-</ul>
-</li>
-<li>
-<a href="#gitlab-official-specification-markdown">GitLab Official Specification Markdown</a><ul>
-<li><a href="#task-list-items">Task list items</a></li>
-<li><a href="#front-matter">Front matter</a></li>
-<li><a href="#table-of-contents">Table of contents</a></li>
-</ul>
-</li>
-<li>
-<a href="#gitlab-internal-extension-markdown">GitLab Internal Extension Markdown</a><ul>
-<li><a href="#audio">Audio</a></li>
-<li><a href="#video">Video</a></li>
-<li><a href="#markdown-preview-api-request-overrides">Markdown Preview API Request Overrides</a></li>
-<li>
-<a href="#migrated-golden-master-examples">Migrated golden master examples</a><ul>
-<li><a href="#attachment_image_for_group">attachment_image_for_group</a></li>
-<li><a href="#attachment_image_for_project">attachment_image_for_project</a></li>
-<li><a href="#attachment_image_for_project_wiki">attachment_image_for_project_wiki</a></li>
-<li><a href="#attachment_link_for_group">attachment_link_for_group</a></li>
-<li><a href="#attachment_link_for_project">attachment_link_for_project</a></li>
-<li><a href="#attachment_link_for_project_wiki">attachment_link_for_project_wiki</a></li>
-<li><a href="#attachment_link_for_group_wiki">attachment_link_for_group_wiki</a></li>
-<li><a href="#audio-1">audio</a></li>
-<li><a href="#audio_and_video_in_lists">audio_and_video_in_lists</a></li>
-<li><a href="#blockquote">blockquote</a></li>
-<li><a href="#bold">bold</a></li>
-<li><a href="#bullet_list_style_1">bullet_list_style_1</a></li>
-<li><a href="#bullet_list_style_2">bullet_list_style_2</a></li>
-<li><a href="#bullet_list_style_3">bullet_list_style_3</a></li>
-<li><a href="#code_block_javascript">code_block_javascript</a></li>
-<li><a href="#code_block_plaintext">code_block_plaintext</a></li>
-<li><a href="#code_block_unknown">code_block_unknown</a></li>
-<li><a href="#color_chips">color_chips</a></li>
-<li><a href="#description_list">description_list</a></li>
-<li><a href="#details">details</a></li>
-<li><a href="#diagram_kroki_nomnoml">diagram_kroki_nomnoml</a></li>
-<li><a href="#diagram_plantuml">diagram_plantuml</a></li>
-<li><a href="#diagram_plantuml_unicode">diagram_plantuml_unicode</a></li>
-<li><a href="#div">div</a></li>
-<li><a href="#emoji">emoji</a></li>
-<li><a href="#emphasis">emphasis</a></li>
-<li><a href="#figure">figure</a></li>
-<li><a href="#footnotes">footnotes</a></li>
-<li><a href="#frontmatter_json">frontmatter_json</a></li>
-<li><a href="#frontmatter_toml">frontmatter_toml</a></li>
-<li><a href="#frontmatter_yaml">frontmatter_yaml</a></li>
-<li><a href="#hard_break">hard_break</a></li>
-<li><a href="#headings">headings</a></li>
-<li><a href="#horizontal_rule">horizontal_rule</a></li>
-<li><a href="#html_marks">html_marks</a></li>
-<li><a href="#image">image</a></li>
-<li><a href="#inline_code">inline_code</a></li>
-<li><a href="#inline_diff">inline_diff</a></li>
-<li><a href="#label">label</a></li>
-<li><a href="#link">link</a></li>
-<li><a href="#math">math</a></li>
-<li><a href="#ordered_list">ordered_list</a></li>
-<li><a href="#ordered_list_with_start_order">ordered_list_with_start_order</a></li>
-<li><a href="#ordered_task_list">ordered_task_list</a></li>
-<li><a href="#ordered_task_list_with_order">ordered_task_list_with_order</a></li>
-<li><a href="#reference_for_project_wiki">reference_for_project_wiki</a></li>
-<li><a href="#strike">strike</a></li>
-<li><a href="#table">table</a></li>
-<li><a href="#table_of_contents">table_of_contents</a></li>
-<li><a href="#task_list">task_list</a></li>
-<li><a href="#video-1">video</a></li>
-<li><a href="#word_break">word_break</a></li>
-</ul>
-</li>
-<li><a href="#image-attributes">Image Attributes</a></li>
-<li><a href="#footnotes-1">Footnotes</a></li>
-</ul>
-</li>
-<li>
-<a href="#gfm-undocumented-extensions-and-more-robust-test">GFM undocumented extensions and more robust test</a><ul>
-<li><a href="#footnotes-2">Footnotes</a></li>
-<li><a href="#when-a-footnote-is-used-multiple-times-we-insert-multiple-backrefs">When a footnote is used multiple times, we insert multiple backrefs.</a></li>
-<li><a href="#footnote-reference-labels-are-href-escaped">Footnote reference labels are href escaped</a></li>
-<li><a href="#interop">Interop</a></li>
-<li><a href="#task-lists">Task lists</a></li>
-</ul>
-</li>
-</ul>
+
 <h1 data-sourcepos="3:1-3:15" dir="auto">
-<a id="user-content-preliminaries" class="anchor" href="#preliminaries" aria-hidden="true"></a>Preliminaries</h1>
+<a href="#preliminaries" aria-hidden="true" class="anchor" id="user-content-preliminaries"></a>Preliminaries</h1>
 <h2 data-sourcepos="5:1-5:23" dir="auto">
-<a id="user-content-characters-and-lines" class="anchor" href="#characters-and-lines" aria-hidden="true"></a>Characters and lines</h2>
+<a href="#characters-and-lines" aria-hidden="true" class="anchor" id="user-content-characters-and-lines"></a>Characters and lines</h2>
 <p data-sourcepos="7:1-8:9" dir="auto">Any sequence of [characters] is a valid CommonMark
 document.</p>
 <p data-sourcepos="10:1-13:26" dir="auto">A <a data-sourcepos="10:3-10:16" href="@">character</a> is a Unicode code point.  Although some
@@ -422,7 +285,7 @@ is <code data-sourcepos="53:5-53:5">!</code>, <code data-sourcepos="53:10-53:10"
 punctuation character] or anything in
 the general Unicode categories  <code data-sourcepos="61:34-61:35">Pc</code>, <code data-sourcepos="61:40-61:41">Pd</code>, <code data-sourcepos="61:46-61:47">Pe</code>, <code data-sourcepos="61:52-61:53">Pf</code>, <code data-sourcepos="61:58-61:59">Pi</code>, <code data-sourcepos="61:64-61:65">Po</code>, or <code data-sourcepos="61:73-61:74">Ps</code>.</p>
 <h2 data-sourcepos="63:1-63:7" dir="auto">
-<a id="user-content-tabs" class="anchor" href="#tabs" aria-hidden="true"></a>Tabs</h2>
+<a href="#tabs" aria-hidden="true" class="anchor" id="user-content-tabs"></a>Tabs</h2>
 <p data-sourcepos="65:1-68:16" dir="auto">Tabs in lines are not expanded to [spaces].  However,
 in contexts where whitespace helps to define block structure,
 tabs behave as if they were replaced by spaces with a tab stop
@@ -607,11 +470,11 @@ code block starting with two spaces.</p>
 </div>
 </div>
 <h2 data-sourcepos="265:1-265:22" dir="auto">
-<a id="user-content-insecure-characters" class="anchor" href="#insecure-characters" aria-hidden="true"></a>Insecure characters</h2>
+<a href="#insecure-characters" aria-hidden="true" class="anchor" id="user-content-insecure-characters"></a>Insecure characters</h2>
 <p data-sourcepos="267:1-268:42" dir="auto">For security reasons, the Unicode character <code data-sourcepos="267:46-267:51">U+0000</code> must be replaced
 with the REPLACEMENT CHARACTER (<code data-sourcepos="268:34-268:39">U+FFFD</code>).</p>
 <h1 data-sourcepos="270:1-270:20" dir="auto">
-<a id="user-content-blocks-and-inlines" class="anchor" href="#blocks-and-inlines" aria-hidden="true"></a>Blocks and inlines</h1>
+<a href="#blocks-and-inlines" aria-hidden="true" class="anchor" id="user-content-blocks-and-inlines"></a>Blocks and inlines</h1>
 <p data-sourcepos="272:1-277:54" dir="auto">We can think of a document as a sequence of
 <a data-sourcepos="273:1-273:11" href="@">blocks</a>---structural elements like paragraphs, block
 quotations, lists, headings, rules, and code blocks.  Some blocks (like
@@ -619,7 +482,7 @@ block quotes and list items) contain other blocks; others (like
 headings and paragraphs) contain <a data-sourcepos="276:34-276:44" href="@">inline</a> content---text,
 links, emphasized text, images, code spans, and so on.</p>
 <h2 data-sourcepos="279:1-279:13" dir="auto">
-<a id="user-content-precedence" class="anchor" href="#precedence" aria-hidden="true"></a>Precedence</h2>
+<a href="#precedence" aria-hidden="true" class="anchor" id="user-content-precedence"></a>Precedence</h2>
 <p data-sourcepos="281:1-283:59" dir="auto">Indicators of block structure always take precedence over indicators
 of inline structure.  So, for example, the following is a list with
 two items, not a list with one item containing a code span:</p>
@@ -647,17 +510,17 @@ step.  Note that the first step requires processing lines in sequence,
 but the second can be parallelized, since the inline parsing of
 one block element does not affect the inline parsing of any other.</p>
 <h2 data-sourcepos="311:1-311:35" dir="auto">
-<a id="user-content-container-blocks-and-leaf-blocks" class="anchor" href="#container-blocks-and-leaf-blocks" aria-hidden="true"></a>Container blocks and leaf blocks</h2>
+<a href="#container-blocks-and-leaf-blocks" aria-hidden="true" class="anchor" id="user-content-container-blocks-and-leaf-blocks"></a>Container blocks and leaf blocks</h2>
 <p data-sourcepos="313:1-316:13" dir="auto">We can divide blocks into two types:
 <a data-sourcepos="314:1-314:21" href="@">container blocks</a>,
 which can contain other blocks, and <a data-sourcepos="315:37-315:52" href="@">leaf blocks</a>,
 which cannot.</p>
 <h1 data-sourcepos="318:1-318:13" dir="auto">
-<a id="user-content-leaf-blocks" class="anchor" href="#leaf-blocks" aria-hidden="true"></a>Leaf blocks</h1>
+<a href="#leaf-blocks" aria-hidden="true" class="anchor" id="user-content-leaf-blocks"></a>Leaf blocks</h1>
 <p data-sourcepos="320:1-321:18" dir="auto">This section describes the different kinds of leaf block that make up a
 Markdown document.</p>
 <h2 data-sourcepos="323:1-323:18" dir="auto">
-<a id="user-content-thematic-breaks" class="anchor" href="#thematic-breaks" aria-hidden="true"></a>Thematic breaks</h2>
+<a href="#thematic-breaks" aria-hidden="true" class="anchor" id="user-content-thematic-breaks"></a>Thematic breaks</h2>
 <p data-sourcepos="325:1-328:20" dir="auto">A line consisting of 0-3 spaces of indentation, followed by a sequence
 of three or more matching <code data-sourcepos="326:28-326:28">-</code>, <code data-sourcepos="326:33-326:33">_</code>, or <code data-sourcepos="326:41-326:41">*</code> characters, each followed
 optionally by any number of spaces or tabs, forms a
@@ -942,7 +805,7 @@ interpretations of a line, the thematic break takes precedence:</p>
 </div>
 </div>
 <h2 data-sourcepos="661:1-661:15" dir="auto">
-<a id="user-content-atx-headings" class="anchor" href="#atx-headings" aria-hidden="true"></a>ATX headings</h2>
+<a href="#atx-headings" aria-hidden="true" class="anchor" id="user-content-atx-headings"></a>ATX headings</h2>
 <p data-sourcepos="663:1-673:35" dir="auto">An <a data-sourcepos="663:4-663:19" href="@">ATX heading</a>
 consists of a string of characters, parsed as inline content, between an
 opening sequence of 1--6 unescaped <code data-sourcepos="665:37-665:37">#</code> characters and an optional
@@ -1219,7 +1082,7 @@ lines, and they can interrupt paragraphs:</p>
 </div>
 </div>
 <h2 data-sourcepos="991:1-991:18" dir="auto">
-<a id="user-content-setext-headings" class="anchor" href="#setext-headings" aria-hidden="true"></a>Setext headings</h2>
+<a href="#setext-headings" aria-hidden="true" class="anchor" id="user-content-setext-headings"></a>Setext headings</h2>
 <p data-sourcepos="993:1-1001:54" dir="auto">A <a data-sourcepos="993:3-993:21" href="@">setext heading</a> consists of one or more
 lines of text, each containing at least one [non-whitespace
 character], with no more than 3 spaces indentation, followed by
@@ -1720,7 +1583,7 @@ underline], such as</p>
 </div>
 </div>
 <h2 data-sourcepos="1572:1-1572:23" dir="auto">
-<a id="user-content-indented-code-blocks" class="anchor" href="#indented-code-blocks" aria-hidden="true"></a>Indented code blocks</h2>
+<a href="#indented-code-blocks" aria-hidden="true" class="anchor" id="user-content-indented-code-blocks"></a>Indented code blocks</h2>
 <p data-sourcepos="1574:1-1580:44" dir="auto">An <a data-sourcepos="1574:4-1574:27" href="@">indented code block</a> is composed of one or more
 [indented chunks] separated by blank lines.
 An <a data-sourcepos="1576:4-1576:22" href="@">indented chunk</a> is a sequence of non-blank lines,
@@ -1954,7 +1817,7 @@ are not included in it:</p>
 </div>
 </div>
 <h2 data-sourcepos="1844:1-1844:21" dir="auto">
-<a id="user-content-fenced-code-blocks" class="anchor" href="#fenced-code-blocks" aria-hidden="true"></a>Fenced code blocks</h2>
+<a href="#fenced-code-blocks" aria-hidden="true" class="anchor" id="user-content-fenced-code-blocks"></a>Fenced code blocks</h2>
 <p data-sourcepos="1846:1-1850:61" dir="auto">A <a data-sourcepos="1846:3-1846:17" href="@">code fence</a> is a sequence
 of at least three consecutive backtick characters (<code data-sourcepos="1847:54-1847:56">`</code>) or
 tildes (<code data-sourcepos="1848:10-1848:10">~</code>).  (Tildes and backticks cannot be mixed.)
@@ -2471,7 +2334,7 @@ of <code data-sourcepos="2334:5-2334:13">language-</code> followed by the langua
 </div>
 </div>
 <h2 data-sourcepos="2444:1-2444:14" dir="auto">
-<a id="user-content-html-blocks" class="anchor" href="#html-blocks" aria-hidden="true"></a>HTML blocks</h2>
+<a href="#html-blocks" aria-hidden="true" class="anchor" id="user-content-html-blocks"></a>HTML blocks</h2>
 <p data-sourcepos="2446:1-2447:53" dir="auto">An <a data-sourcepos="2446:4-2446:18" href="@">HTML block</a> is a group of lines that is treated
 as raw HTML (and will not be escaped in HTML output).</p>
 <p data-sourcepos="2449:1-2457:50" dir="auto">There are seven kinds of [HTML block], which can be defined by their
@@ -3388,7 +3251,7 @@ deleted.  The exception is inside <code data-sourcepos="3476:36-3476:40">&lt;pre
 [above][HTML blocks], raw HTML blocks starting with <code data-sourcepos="3477:54-3477:58">&lt;pre&gt;</code>
 <em data-sourcepos="3478:1-3478:5">can</em> contain blank lines.</p>
 <h2 data-sourcepos="3480:1-3480:29" dir="auto">
-<a id="user-content-link-reference-definitions" class="anchor" href="#link-reference-definitions" aria-hidden="true"></a>Link reference definitions</h2>
+<a href="#link-reference-definitions" aria-hidden="true" class="anchor" id="user-content-link-reference-definitions"></a>Link reference definitions</h2>
 <p data-sourcepos="3482:1-3490:61" dir="auto">A <a data-sourcepos="3482:3-3482:32" href="@">link reference definition</a>
 consists of a [link label], indented up to three spaces, followed
 by a colon (<code data-sourcepos="3484:14-3484:14">:</code>), optional [whitespace] (including up to one
@@ -3846,7 +3709,7 @@ no visible content:</p>
 </div>
 </div>
 <h2 data-sourcepos="4011:1-4011:13" dir="auto">
-<a id="user-content-paragraphs" class="anchor" href="#paragraphs" aria-hidden="true"></a>Paragraphs</h2>
+<a href="#paragraphs" aria-hidden="true" class="anchor" id="user-content-paragraphs"></a>Paragraphs</h2>
 <p data-sourcepos="4013:1-4018:13" dir="auto">A sequence of non-blank lines that cannot be interpreted as other
 kinds of blocks forms a <a data-sourcepos="4014:25-4014:38" href="@">paragraph</a>.
 The contents of the paragraph are the result of parsing the
@@ -3980,7 +3843,7 @@ break]:</p>
 </div>
 </div>
 <h2 data-sourcepos="4169:1-4169:14" dir="auto">
-<a id="user-content-blank-lines" class="anchor" href="#blank-lines" aria-hidden="true"></a>Blank lines</h2>
+<a href="#blank-lines" aria-hidden="true" class="anchor" id="user-content-blank-lines"></a>Blank lines</h2>
 <p data-sourcepos="4171:1-4173:22" dir="auto">[Blank lines] between block-level elements are ignored,
 except for the role they play in determining whether a [list]
 is [tight] or [loose].</p>
@@ -4006,7 +3869,7 @@ is [tight] or [loose].</p>
 </div>
 <div>
 <h2 data-sourcepos="4199:1-4199:21">
-<a id="user-content-tables-extension" class="anchor" href="#tables-extension" aria-hidden="true"></a>Tables (extension)</h2>
+<a href="#tables-extension" aria-hidden="true" class="anchor" id="user-content-tables-extension"></a>Tables (extension)</h2>
 <p data-sourcepos="4201:1-4202:10">GFM enables the <code data-sourcepos="4201:18-4201:22">table</code> extension, where an additional leaf block type is
 available.</p>
 <p data-sourcepos="4204:1-4206:23">A <a data-sourcepos="4204:3-4204:12" href="@">table</a> is an arrangement of data with rows and columns, consisting of a
@@ -4243,7 +4106,7 @@ cells are inserted.  If there are greater, the excess is ignored:</p>
 </div>
 </div>
 <h1 data-sourcepos="4455:1-4455:18" dir="auto">
-<a id="user-content-container-blocks" class="anchor" href="#container-blocks" aria-hidden="true"></a>Container blocks</h1>
+<a href="#container-blocks" aria-hidden="true" class="anchor" id="user-content-container-blocks"></a>Container blocks</h1>
 <p data-sourcepos="4457:1-4460:45" dir="auto">A <a data-sourcepos="4457:3-4457:38" href="#container-blocks">container block</a> is a block that has other
 blocks as its contents.  There are two basic kinds of container blocks:
 [block quotes] and [list items].
@@ -4261,7 +4124,7 @@ to define the syntax, although it does not give a recipe for <em data-sourcepos=
 these constructions.  (A recipe is provided below in the section entitled
 <a data-sourcepos="4473:1-4473:50" href="#appendix-a-parsing-strategy">A parsing strategy</a>.)</p>
 <h2 data-sourcepos="4475:1-4475:15" dir="auto">
-<a id="user-content-block-quotes" class="anchor" href="#block-quotes" aria-hidden="true"></a>Block quotes</h2>
+<a href="#block-quotes" aria-hidden="true" class="anchor" id="user-content-block-quotes"></a>Block quotes</h2>
 <p data-sourcepos="4477:1-4479:78" dir="auto">A <a data-sourcepos="4477:3-4477:25" href="@">block quote marker</a>
 consists of 0-3 spaces of initial indent, plus (a) the character <code data-sourcepos="4478:67-4478:67">&gt;</code> together
 with a following space, or (b) a single character <code data-sourcepos="4479:52-4479:52">&gt;</code> not followed by a space.</p>
@@ -4764,7 +4627,7 @@ the <code data-sourcepos="5028:6-5028:6">&gt;</code>:</p>
 </div>
 </div>
 <h2 data-sourcepos="5052:1-5052:13" dir="auto">
-<a id="user-content-list-items" class="anchor" href="#list-items" aria-hidden="true"></a>List items</h2>
+<a href="#list-items" aria-hidden="true" class="anchor" id="user-content-list-items"></a>List items</h2>
 <p data-sourcepos="5054:1-5055:49" dir="auto">A <a data-sourcepos="5054:3-5054:18" href="@">list marker</a> is a
 [bullet list marker] or an [ordered list marker].</p>
 <p data-sourcepos="5057:1-5058:32" dir="auto">A <a data-sourcepos="5057:3-5057:25" href="@">bullet list marker</a>
@@ -5857,7 +5720,7 @@ in the list item.</p>
 </div>
 </div>
 <h3 data-sourcepos="6274:1-6274:14" dir="auto">
-<a id="user-content-motivation" class="anchor" href="#motivation" aria-hidden="true"></a>Motivation</h3>
+<a href="#motivation" aria-hidden="true" class="anchor" id="user-content-motivation"></a>Motivation</h3>
 <p data-sourcepos="6276:1-6276:64" dir="auto">John Gruber's Markdown spec says the following about list items:</p>
 <ol data-sourcepos="6278:1-6297:0" dir="auto">
 <li data-sourcepos="6278:1-6281:0">
@@ -6034,7 +5897,7 @@ four-space rule in cases where the list marker plus its initial indentation
 takes four spaces (a common case), but diverge in other cases.</p>
 <div>
 <h2 data-sourcepos="6462:1-6462:30">
-<a id="user-content-task-list-items-extension" class="anchor" href="#task-list-items-extension" aria-hidden="true"></a>Task list items (extension)</h2>
+<a href="#task-list-items-extension" aria-hidden="true" class="anchor" id="user-content-task-list-items-extension"></a>Task list items (extension)</h2>
 <p data-sourcepos="6464:1-6465:26">GFM enables the <code data-sourcepos="6464:18-6464:25">tasklist</code> extension, where an additional processing step is
 performed on [list items].</p>
 <p data-sourcepos="6467:1-6469:46">A <a data-sourcepos="6467:3-6467:21" href="@">task list item</a> is a [list item][list items] where the first block in it
@@ -6091,7 +5954,7 @@ the final rendered document.</p>
 </div>
 </div>
 <h2 data-sourcepos="6529:1-6529:8" dir="auto">
-<a id="user-content-lists" class="anchor" href="#lists" aria-hidden="true"></a>Lists</h2>
+<a href="#lists" aria-hidden="true" class="anchor" id="user-content-lists"></a>Lists</h2>
 <p data-sourcepos="6531:1-6533:46" dir="auto">A <a data-sourcepos="6531:3-6531:11" href="@">list</a> is a sequence of one or more
 list items [of the same type].  The list items
 may be separated by any number of blank lines.</p>
@@ -6801,7 +6664,7 @@ two block elements in the list item:</p>
 </div>
 </div>
 <h1 data-sourcepos="7317:1-7317:9" dir="auto">
-<a id="user-content-inlines" class="anchor" href="#inlines" aria-hidden="true"></a>Inlines</h1>
+<a href="#inlines" aria-hidden="true" class="anchor" id="user-content-inlines"></a>Inlines</h1>
 <p data-sourcepos="7319:1-7321:21" dir="auto">Inlines are parsed sequentially from the beginning of the character
 stream to the end (left to right, in left-to-right languages).
 Thus, for example, in</p>
@@ -6819,7 +6682,7 @@ Thus, for example, in</p>
 <p data-sourcepos="7335:1-7336:9" dir="auto"><code data-sourcepos="7335:2-7335:3">hi</code> is parsed as code, leaving the backtick at the end as a literal
 backtick.</p>
 <h2 data-sourcepos="7339:1-7339:20" dir="auto">
-<a id="user-content-backslash-escapes" class="anchor" href="#backslash-escapes" aria-hidden="true"></a>Backslash escapes</h2>
+<a href="#backslash-escapes" aria-hidden="true" class="anchor" id="user-content-backslash-escapes"></a>Backslash escapes</h2>
 <p data-sourcepos="7341:1-7341:57" dir="auto">Any ASCII punctuation character may be backslash-escaped:</p>
 <div>
 <div><a href="#example-308">Example 308</a></div>
@@ -7002,7 +6865,7 @@ link references, and [info strings] in [fenced code blocks]:</p>
 </div>
 </div>
 <h2 data-sourcepos="7556:1-7556:42" dir="auto">
-<a id="user-content-entity-and-numeric-character-references" class="anchor" href="#entity-and-numeric-character-references" aria-hidden="true"></a>Entity and numeric character references</h2>
+<a href="#entity-and-numeric-character-references" aria-hidden="true" class="anchor" id="user-content-entity-and-numeric-character-references"></a>Entity and numeric character references</h2>
 <p data-sourcepos="7558:1-7560:30" dir="auto">Valid HTML entity references and numeric character references
 can be used in place of the corresponding Unicode character,
 with the following exceptions:</p>
@@ -7267,7 +7130,7 @@ documents.</p>
 </div>
 </div>
 <h2 data-sourcepos="7859:1-7859:13" dir="auto">
-<a id="user-content-code-spans" class="anchor" href="#code-spans" aria-hidden="true"></a>Code spans</h2>
+<a href="#code-spans" aria-hidden="true" class="anchor" id="user-content-code-spans"></a>Code spans</h2>
 <p data-sourcepos="7861:1-7863:36" dir="auto">A <a data-sourcepos="7861:3-7861:22" href="@">backtick string</a>
 is a string of one or more backtick characters (<code data-sourcepos="7862:51-7862:53">`</code>) that is neither
 preceded nor followed by a backtick.</p>
@@ -7576,7 +7439,7 @@ closing backtick strings to be equal in length:</p>
 </div>
 </div>
 <h2 data-sourcepos="8224:1-8224:31" dir="auto">
-<a id="user-content-emphasis-and-strong-emphasis" class="anchor" href="#emphasis-and-strong-emphasis" aria-hidden="true"></a>Emphasis and strong emphasis</h2>
+<a href="#emphasis-and-strong-emphasis" aria-hidden="true" class="anchor" id="user-content-emphasis-and-strong-emphasis"></a>Emphasis and strong emphasis</h2>
 <p data-sourcepos="8226:1-8227:73" dir="auto">John Gruber's original <a data-sourcepos="8227:24-8227:67" href="http://daringfireball.net/projects/markdown/syntax#em" rel="nofollow noreferrer noopener" target="_blank">Markdown syntax
 description</a> says:</p>
 <blockquote data-sourcepos="8229:1-8232:6" dir="auto">
@@ -9384,7 +9247,7 @@ delimiters:</p>
 </div>
 <div>
 <h2 data-sourcepos="10357:1-10357:28">
-<a id="user-content-strikethrough-extension" class="anchor" href="#strikethrough-extension" aria-hidden="true"></a>Strikethrough (extension)</h2>
+<a href="#strikethrough-extension" aria-hidden="true" class="anchor" id="user-content-strikethrough-extension"></a>Strikethrough (extension)</h2>
 <p data-sourcepos="10359:1-10360:10">GFM enables the <code data-sourcepos="10359:18-10359:30">strikethrough</code> extension, where an additional emphasis type is
 available.</p>
 <p data-sourcepos="10362:1-10362:59">Strikethrough text is any text wrapped in two tildes (<code data-sourcepos="10362:56-10362:56">~</code>).</p>
@@ -9417,7 +9280,7 @@ parsing to cease:</p>
 </div>
 </div>
 <h2 data-sourcepos="10396:1-10396:8" dir="auto">
-<a id="user-content-links" class="anchor" href="#links" aria-hidden="true"></a>Links</h2>
+<a href="#links" aria-hidden="true" class="anchor" id="user-content-links"></a>Links</h2>
 <p data-sourcepos="10398:1-10403:13" dir="auto">A link contains [link text] (the visible text), a [link destination]
 (the URI that is the link destination), and optionally a [link title].
 There are two basic kinds of links in Markdown.  In [inline links] the
@@ -10762,7 +10625,7 @@ is followed by a link label (even though <code data-sourcepos="11942:43-11942:47
 </div>
 </div>
 <h2 data-sourcepos="11961:1-11961:9" dir="auto">
-<a id="user-content-images" class="anchor" href="#images" aria-hidden="true"></a>Images</h2>
+<a href="#images" aria-hidden="true" class="anchor" id="user-content-images"></a>Images</h2>
 <p data-sourcepos="11963:1-11971:55" dir="auto">Syntax for images is like the syntax for links, with one
 difference. Instead of [link text], we have an
 <a data-sourcepos="11965:1-11965:22" href="@">image description</a>.  The rules for this are the
@@ -11065,7 +10928,7 @@ backslash-escape the opening <code data-sourcepos="12285:31-12285:31">[</code>:<
 </div>
 </div>
 <h2 data-sourcepos="12320:1-12320:12" dir="auto">
-<a id="user-content-autolinks" class="anchor" href="#autolinks" aria-hidden="true"></a>Autolinks</h2>
+<a href="#autolinks" aria-hidden="true" class="anchor" id="user-content-autolinks"></a>Autolinks</h2>
 <p data-sourcepos="12322:1-12324:18" dir="auto"><a data-sourcepos="12322:1-12322:13" href="@">Autolink</a>s are absolute URIs and email addresses inside
 <code data-sourcepos="12323:2-12323:2">&lt;</code> and <code data-sourcepos="12323:10-12323:10">&gt;</code>. They are parsed as links, with the URL or email address
 as the link label.</p>
@@ -11317,7 +11180,7 @@ spec</a>:</p>
 </div>
 <div>
 <h2 data-sourcepos="12622:1-12622:24">
-<a id="user-content-autolinks-extension" class="anchor" href="#autolinks-extension" aria-hidden="true"></a>Autolinks (extension)</h2>
+<a href="#autolinks-extension" aria-hidden="true" class="anchor" id="user-content-autolinks-extension"></a>Autolinks (extension)</h2>
 <p data-sourcepos="12624:1-12625:29">GFM enables the <code data-sourcepos="12624:18-12624:25">autolink</code> extension, where autolinks will be recognised in a
 greater number of conditions.</p>
 <p data-sourcepos="12627:1-12631:8">[Autolink]s can also be constructed without requiring the use of <code data-sourcepos="12627:67-12627:67">&lt;</code> and to <code data-sourcepos="12627:78-12627:78">&gt;</code>
@@ -11523,7 +11386,7 @@ the address:</p>
 </div>
 </div>
 <h2 data-sourcepos="12856:1-12856:11" dir="auto">
-<a id="user-content-raw-html" class="anchor" href="#raw-html" aria-hidden="true"></a>Raw HTML</h2>
+<a href="#raw-html" aria-hidden="true" class="anchor" id="user-content-raw-html"></a>Raw HTML</h2>
 <p data-sourcepos="12858:1-12861:57" dir="auto">Text between <code data-sourcepos="12858:15-12858:15">&lt;</code> and <code data-sourcepos="12858:23-12858:23">&gt;</code> that looks like an HTML tag is parsed as a
 raw HTML tag and will be rendered in HTML without escaping.
 Tag and attribute names are not limited to current HTML tags,
@@ -11846,7 +11709,7 @@ attributes:</p>
 </div>
 <div>
 <h2 data-sourcepos="13258:1-13258:34">
-<a id="user-content-disallowed-raw-html-extension" class="anchor" href="#disallowed-raw-html-extension" aria-hidden="true"></a>Disallowed Raw HTML (extension)</h2>
+<a href="#disallowed-raw-html-extension" aria-hidden="true" class="anchor" id="user-content-disallowed-raw-html-extension"></a>Disallowed Raw HTML (extension)</h2>
 <p data-sourcepos="13260:1-13261:36">GFM enables the <code data-sourcepos="13260:18-13260:26">tagfilter</code> extension, where the following HTML tags will be
 filtered when rendering HTML output:</p>
 <ul data-sourcepos="13263:1-13272:0">
@@ -11885,7 +11748,7 @@ usually undesireable in the context of other rendered Markdown content.</p>
 </div>
 </div>
 <h2 data-sourcepos="13301:1-13301:19" dir="auto">
-<a id="user-content-hard-line-breaks" class="anchor" href="#hard-line-breaks" aria-hidden="true"></a>Hard line breaks</h2>
+<a href="#hard-line-breaks" aria-hidden="true" class="anchor" id="user-content-hard-line-breaks"></a>Hard line breaks</h2>
 <p data-sourcepos="13303:1-13306:27" dir="auto">A line break (not in a code span or HTML tag) that is preceded
 by two or more spaces and does not occur at the end of a block
 is parsed as a <a data-sourcepos="13305:16-13305:35" href="@">hard line break</a> (rendered
@@ -12087,7 +11950,7 @@ other block element:</p>
 </div>
 </div>
 <h2 data-sourcepos="13541:1-13541:19" dir="auto">
-<a id="user-content-soft-line-breaks" class="anchor" href="#soft-line-breaks" aria-hidden="true"></a>Soft line breaks</h2>
+<a href="#soft-line-breaks" aria-hidden="true" class="anchor" id="user-content-soft-line-breaks"></a>Soft line breaks</h2>
 <p data-sourcepos="13543:1-13547:62" dir="auto">A regular line break (not in a code span or HTML tag) that is not
 preceded by two or more spaces or a backslash is parsed as a
 <a data-sourcepos="13545:1-13545:14" href="@">softbreak</a>.  (A softbreak may be rendered in HTML either as a
@@ -12126,7 +11989,7 @@ line break or as a space.</p>
 <p data-sourcepos="13585:1-13586:20" dir="auto">A renderer may also provide an option to render soft line breaks
 as hard line breaks.</p>
 <h2 data-sourcepos="13588:1-13588:18" dir="auto">
-<a id="user-content-textual-content" class="anchor" href="#textual-content" aria-hidden="true"></a>Textual content</h2>
+<a href="#textual-content" aria-hidden="true" class="anchor" id="user-content-textual-content"></a>Textual content</h2>
 <p data-sourcepos="13590:1-13591:35" dir="auto">Any characters not given an interpretation by the above rules will
 be parsed as plain textual content.</p>
 <div>
@@ -12164,14 +12027,14 @@ be parsed as plain textual content.</p>
 </div>
 </div>
 <h1 data-sourcepos="13634:1-13634:40" dir="auto">
-<a id="user-content-gitlab-official-specification-markdown" class="anchor" href="#gitlab-official-specification-markdown" aria-hidden="true"></a>GitLab Official Specification Markdown</h1>
+<a href="#gitlab-official-specification-markdown" aria-hidden="true" class="anchor" id="user-content-gitlab-official-specification-markdown"></a>GitLab Official Specification Markdown</h1>
 <p data-sourcepos="13636:1-13638:104" dir="auto">Note: This specification is a work in progress. Only some of the official GLFM extensions
 are defined. We will continue to add any additional ones found in the
 <a data-sourcepos="13638:1-13638:103" href="https://docs.gitlab.com/ee/user/markdown.html" rel="nofollow noreferrer noopener" target="_blank">user-facing documentation for GitLab Flavored Markdown</a>.</p>
 <p data-sourcepos="13640:1-13641:69" dir="auto">There is currently only this single top-level heading, but the
 examples may be split into multiple top-level headings in the future.</p>
 <h2 data-sourcepos="13643:1-13643:18" dir="auto">
-<a id="user-content-task-list-items" class="anchor" href="#task-list-items" aria-hidden="true"></a>Task list items</h2>
+<a href="#task-list-items" aria-hidden="true" class="anchor" id="user-content-task-list-items"></a>Task list items</h2>
 <p data-sourcepos="13645:1-13646:117" dir="auto">See
 <a data-sourcepos="13646:1-13646:70" href="https://docs.gitlab.com/ee/user/markdown.html#task-lists" rel="nofollow noreferrer noopener" target="_blank">Task lists</a> in the GitLab Flavored Markdown documentation.</p>
 <p data-sourcepos="13648:1-13651:39" dir="auto">Task list items (checkboxes) are defined as a GitHub Flavored Markdown extension in a section above.
@@ -12265,7 +12128,7 @@ loose text; it has strikethrough applied with CSS.</p>
 </div>
 </div>
 <h2 data-sourcepos="13749:1-13749:15" dir="auto">
-<a id="user-content-front-matter" class="anchor" href="#front-matter" aria-hidden="true"></a>Front matter</h2>
+<a href="#front-matter" aria-hidden="true" class="anchor" id="user-content-front-matter"></a>Front matter</h2>
 <p data-sourcepos="13751:1-13752:121" dir="auto">See
 <a data-sourcepos="13752:1-13752:74" href="https://docs.gitlab.com/ee/user/markdown.html#front-matter" rel="nofollow noreferrer noopener" target="_blank">Front matter</a> in the GitLab Flavored Markdown documentation.</p>
 <p data-sourcepos="13754:1-13755:95" dir="auto">Front matter is metadata included at the beginning of a Markdown document, preceding the content.
@@ -12362,7 +12225,7 @@ This data can be used by static site generators like Jekyll, Hugo, and many othe
 </div>
 </div>
 <h2 data-sourcepos="13858:1-13858:20" dir="auto">
-<a id="user-content-table-of-contents" class="anchor" href="#table-of-contents" aria-hidden="true"></a>Table of contents</h2>
+<a href="#table-of-contents" aria-hidden="true" class="anchor" id="user-content-table-of-contents"></a>Table of contents</h2>
 <p data-sourcepos="13860:1-13862:46" dir="auto">See
 <a data-sourcepos="13861:1-13861:84" href="https://docs.gitlab.com/ee/user/markdown.html#table-of-contents" rel="nofollow noreferrer noopener" target="_blank">table of contents</a>
 in the GitLab Flavored Markdown documentation.</p>
@@ -12459,9 +12322,9 @@ line.</p>
 </div>
 </div>
 <h1 data-sourcepos="13964:1-13964:36" dir="auto">
-<a id="user-content-gitlab-internal-extension-markdown" class="anchor" href="#gitlab-internal-extension-markdown" aria-hidden="true"></a>GitLab Internal Extension Markdown</h1>
+<a href="#gitlab-internal-extension-markdown" aria-hidden="true" class="anchor" id="user-content-gitlab-internal-extension-markdown"></a>GitLab Internal Extension Markdown</h1>
 <h2 data-sourcepos="13966:1-13966:8" dir="auto">
-<a id="user-content-audio" class="anchor" href="#audio" aria-hidden="true"></a>Audio</h2>
+<a href="#audio" aria-hidden="true" class="anchor" id="user-content-audio"></a>Audio</h2>
 <p data-sourcepos="13968:1-13969:107" dir="auto">See
 <a data-sourcepos="13969:1-13969:60" href="https://docs.gitlab.com/ee/user/markdown.html#audio" rel="nofollow noreferrer noopener" target="_blank">audio</a> in the GitLab Flavored Markdown documentation.</p>
 <p data-sourcepos="13971:1-13973:63" dir="auto">GLFM renders image elements as an audio player as long as the resource’s file extension is
@@ -12493,7 +12356,7 @@ Audio ignore the alternative text part of an image declaration.</p>
 </div>
 </div>
 <h2 data-sourcepos="14003:1-14003:8" dir="auto">
-<a id="user-content-video" class="anchor" href="#video" aria-hidden="true"></a>Video</h2>
+<a href="#video" aria-hidden="true" class="anchor" id="user-content-video"></a>Video</h2>
 <p data-sourcepos="14005:1-14006:109" dir="auto">See
 <a data-sourcepos="14006:1-14006:62" href="https://docs.gitlab.com/ee/user/markdown.html#videos" rel="nofollow noreferrer noopener" target="_blank">videos</a> in the GitLab Flavored Markdown documentation.</p>
 <p data-sourcepos="14008:1-14010:64" dir="auto">GLFM renders image elements as a video player as long as the resource’s file extension is
@@ -12525,7 +12388,7 @@ Videos ignore the alternative text part of an image declaration.</p>
 </div>
 </div>
 <h2 data-sourcepos="14041:1-14041:41" dir="auto">
-<a id="user-content-markdown-preview-api-request-overrides" class="anchor" href="#markdown-preview-api-request-overrides" aria-hidden="true"></a>Markdown Preview API Request Overrides</h2>
+<a href="#markdown-preview-api-request-overrides" aria-hidden="true" class="anchor" id="user-content-markdown-preview-api-request-overrides"></a>Markdown Preview API Request Overrides</h2>
 <p data-sourcepos="14043:1-14045:42" dir="auto">This section contains examples of all controllers which use <code data-sourcepos="14043:62-14043:76">PreviewMarkdown</code> module
 and use different <code data-sourcepos="14044:20-14044:42">markdown_context_params</code>. They exercise the various <code data-sourcepos="14044:73-14044:88">preview_markdown</code>
 endpoints via <code data-sourcepos="14045:16-14045:40">glfm_example_metadata.yml</code>.</p>
@@ -12606,9 +12469,9 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h2 data-sourcepos="14136:1-14136:34" dir="auto">
-<a id="user-content-migrated-golden-master-examples" class="anchor" href="#migrated-golden-master-examples" aria-hidden="true"></a>Migrated golden master examples</h2>
+<a href="#migrated-golden-master-examples" aria-hidden="true" class="anchor" id="user-content-migrated-golden-master-examples"></a>Migrated golden master examples</h2>
 <h3 data-sourcepos="14138:1-14138:30" dir="auto">
-<a id="user-content-attachment_image_for_group" class="anchor" href="#attachment_image_for_group" aria-hidden="true"></a>attachment_image_for_group</h3>
+<a href="#attachment_image_for_group" aria-hidden="true" class="anchor" id="user-content-attachment_image_for_group"></a>attachment_image_for_group</h3>
 <div>
 <div><a href="#example-697">Example 697</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12621,7 +12484,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14152:1-14152:32" dir="auto">
-<a id="user-content-attachment_image_for_project" class="anchor" href="#attachment_image_for_project" aria-hidden="true"></a>attachment_image_for_project</h3>
+<a href="#attachment_image_for_project" aria-hidden="true" class="anchor" id="user-content-attachment_image_for_project"></a>attachment_image_for_project</h3>
 <div>
 <div><a href="#example-698">Example 698</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12634,7 +12497,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14166:1-14166:37" dir="auto">
-<a id="user-content-attachment_image_for_project_wiki" class="anchor" href="#attachment_image_for_project_wiki" aria-hidden="true"></a>attachment_image_for_project_wiki</h3>
+<a href="#attachment_image_for_project_wiki" aria-hidden="true" class="anchor" id="user-content-attachment_image_for_project_wiki"></a>attachment_image_for_project_wiki</h3>
 <div>
 <div><a href="#example-699">Example 699</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12647,7 +12510,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14180:1-14180:29" dir="auto">
-<a id="user-content-attachment_link_for_group" class="anchor" href="#attachment_link_for_group" aria-hidden="true"></a>attachment_link_for_group</h3>
+<a href="#attachment_link_for_group" aria-hidden="true" class="anchor" id="user-content-attachment_link_for_group"></a>attachment_link_for_group</h3>
 <div>
 <div><a href="#example-700">Example 700</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12660,7 +12523,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14194:1-14194:31" dir="auto">
-<a id="user-content-attachment_link_for_project" class="anchor" href="#attachment_link_for_project" aria-hidden="true"></a>attachment_link_for_project</h3>
+<a href="#attachment_link_for_project" aria-hidden="true" class="anchor" id="user-content-attachment_link_for_project"></a>attachment_link_for_project</h3>
 <div>
 <div><a href="#example-701">Example 701</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12673,7 +12536,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14208:1-14208:36" dir="auto">
-<a id="user-content-attachment_link_for_project_wiki" class="anchor" href="#attachment_link_for_project_wiki" aria-hidden="true"></a>attachment_link_for_project_wiki</h3>
+<a href="#attachment_link_for_project_wiki" aria-hidden="true" class="anchor" id="user-content-attachment_link_for_project_wiki"></a>attachment_link_for_project_wiki</h3>
 <div>
 <div><a href="#example-702">Example 702</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12686,7 +12549,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14222:1-14222:34" dir="auto">
-<a id="user-content-attachment_link_for_group_wiki" class="anchor" href="#attachment_link_for_group_wiki" aria-hidden="true"></a>attachment_link_for_group_wiki</h3>
+<a href="#attachment_link_for_group_wiki" aria-hidden="true" class="anchor" id="user-content-attachment_link_for_group_wiki"></a>attachment_link_for_group_wiki</h3>
 <div>
 <div><a href="#example-703">Example 703</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12699,7 +12562,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14236:1-14236:9" dir="auto">
-<a id="user-content-audio-1" class="anchor" href="#audio-1" aria-hidden="true"></a>audio</h3>
+<a href="#audio-1" aria-hidden="true" class="anchor" id="user-content-audio-1"></a>audio</h3>
 <div>
 <div><a href="#example-704">Example 704</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12712,7 +12575,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14250:1-14250:28" dir="auto">
-<a id="user-content-audio_and_video_in_lists" class="anchor" href="#audio_and_video_in_lists" aria-hidden="true"></a>audio_and_video_in_lists</h3>
+<a href="#audio_and_video_in_lists" aria-hidden="true" class="anchor" id="user-content-audio_and_video_in_lists"></a>audio_and_video_in_lists</h3>
 <div>
 <div><a href="#example-705">Example 705</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12733,7 +12596,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14272:1-14272:14" dir="auto">
-<a id="user-content-blockquote" class="anchor" href="#blockquote" aria-hidden="true"></a>blockquote</h3>
+<a href="#blockquote" aria-hidden="true" class="anchor" id="user-content-blockquote"></a>blockquote</h3>
 <div>
 <div><a href="#example-706">Example 706</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12748,7 +12611,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14288:1-14288:8" dir="auto">
-<a id="user-content-bold" class="anchor" href="#bold" aria-hidden="true"></a>bold</h3>
+<a href="#bold" aria-hidden="true" class="anchor" id="user-content-bold"></a>bold</h3>
 <div>
 <div><a href="#example-707">Example 707</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12761,7 +12624,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14302:1-14302:23" dir="auto">
-<a id="user-content-bullet_list_style_1" class="anchor" href="#bullet_list_style_1" aria-hidden="true"></a>bullet_list_style_1</h3>
+<a href="#bullet_list_style_1" aria-hidden="true" class="anchor" id="user-content-bullet_list_style_1"></a>bullet_list_style_1</h3>
 <div>
 <div><a href="#example-708">Example 708</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12776,7 +12639,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14318:1-14318:23" dir="auto">
-<a id="user-content-bullet_list_style_2" class="anchor" href="#bullet_list_style_2" aria-hidden="true"></a>bullet_list_style_2</h3>
+<a href="#bullet_list_style_2" aria-hidden="true" class="anchor" id="user-content-bullet_list_style_2"></a>bullet_list_style_2</h3>
 <div>
 <div><a href="#example-709">Example 709</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12791,7 +12654,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14334:1-14334:23" dir="auto">
-<a id="user-content-bullet_list_style_3" class="anchor" href="#bullet_list_style_3" aria-hidden="true"></a>bullet_list_style_3</h3>
+<a href="#bullet_list_style_3" aria-hidden="true" class="anchor" id="user-content-bullet_list_style_3"></a>bullet_list_style_3</h3>
 <div>
 <div><a href="#example-710">Example 710</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12806,7 +12669,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14350:1-14350:25" dir="auto">
-<a id="user-content-code_block_javascript" class="anchor" href="#code_block_javascript" aria-hidden="true"></a>code_block_javascript</h3>
+<a href="#code_block_javascript" aria-hidden="true" class="anchor" id="user-content-code_block_javascript"></a>code_block_javascript</h3>
 <div>
 <div><a href="#example-711">Example 711</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12821,7 +12684,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14366:1-14366:24" dir="auto">
-<a id="user-content-code_block_plaintext" class="anchor" href="#code_block_plaintext" aria-hidden="true"></a>code_block_plaintext</h3>
+<a href="#code_block_plaintext" aria-hidden="true" class="anchor" id="user-content-code_block_plaintext"></a>code_block_plaintext</h3>
 <div>
 <div><a href="#example-712">Example 712</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12836,7 +12699,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14382:1-14382:22" dir="auto">
-<a id="user-content-code_block_unknown" class="anchor" href="#code_block_unknown" aria-hidden="true"></a>code_block_unknown</h3>
+<a href="#code_block_unknown" aria-hidden="true" class="anchor" id="user-content-code_block_unknown"></a>code_block_unknown</h3>
 <div>
 <div><a href="#example-713">Example 713</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12851,7 +12714,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14398:1-14398:15" dir="auto">
-<a id="user-content-color_chips" class="anchor" href="#color_chips" aria-hidden="true"></a>color_chips</h3>
+<a href="#color_chips" aria-hidden="true" class="anchor" id="user-content-color_chips"></a>color_chips</h3>
 <div>
 <div><a href="#example-714">Example 714</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12872,7 +12735,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14420:1-14420:20" dir="auto">
-<a id="user-content-description_list" class="anchor" href="#description_list" aria-hidden="true"></a>description_list</h3>
+<a href="#description_list" aria-hidden="true" class="anchor" id="user-content-description_list"></a>description_list</h3>
 <div>
 <div><a href="#example-715">Example 715</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12900,7 +12763,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14449:1-14449:11" dir="auto">
-<a id="user-content-details" class="anchor" href="#details" aria-hidden="true"></a>details</h3>
+<a href="#details" aria-hidden="true" class="anchor" id="user-content-details"></a>details</h3>
 <div>
 <div><a href="#example-716">Example 716</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12919,7 +12782,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14469:1-14469:25" dir="auto">
-<a id="user-content-diagram_kroki_nomnoml" class="anchor" href="#diagram_kroki_nomnoml" aria-hidden="true"></a>diagram_kroki_nomnoml</h3>
+<a href="#diagram_kroki_nomnoml" aria-hidden="true" class="anchor" id="user-content-diagram_kroki_nomnoml"></a>diagram_kroki_nomnoml</h3>
 <div>
 <div><a href="#example-717">Example 717</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12942,7 +12805,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14493:1-14493:20" dir="auto">
-<a id="user-content-diagram_plantuml" class="anchor" href="#diagram_plantuml" aria-hidden="true"></a>diagram_plantuml</h3>
+<a href="#diagram_plantuml" aria-hidden="true" class="anchor" id="user-content-diagram_plantuml"></a>diagram_plantuml</h3>
 <div>
 <div><a href="#example-718">Example 718</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12961,7 +12824,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14513:1-14513:28" dir="auto">
-<a id="user-content-diagram_plantuml_unicode" class="anchor" href="#diagram_plantuml_unicode" aria-hidden="true"></a>diagram_plantuml_unicode</h3>
+<a href="#diagram_plantuml_unicode" aria-hidden="true" class="anchor" id="user-content-diagram_plantuml_unicode"></a>diagram_plantuml_unicode</h3>
 <div>
 <div><a href="#example-719">Example 719</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12976,7 +12839,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14529:1-14529:7" dir="auto">
-<a id="user-content-div" class="anchor" href="#div" aria-hidden="true"></a>div</h3>
+<a href="#div" aria-hidden="true" class="anchor" id="user-content-div"></a>div</h3>
 <div>
 <div><a href="#example-720">Example 720</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -12994,7 +12857,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14548:1-14548:9" dir="auto">
-<a id="user-content-emoji" class="anchor" href="#emoji" aria-hidden="true"></a>emoji</h3>
+<a href="#emoji" aria-hidden="true" class="anchor" id="user-content-emoji"></a>emoji</h3>
 <div>
 <div><a href="#example-721">Example 721</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13007,7 +12870,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14562:1-14562:12" dir="auto">
-<a id="user-content-emphasis" class="anchor" href="#emphasis" aria-hidden="true"></a>emphasis</h3>
+<a href="#emphasis" aria-hidden="true" class="anchor" id="user-content-emphasis"></a>emphasis</h3>
 <div>
 <div><a href="#example-722">Example 722</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13020,7 +12883,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14576:1-14576:10" dir="auto">
-<a id="user-content-figure" class="anchor" href="#figure" aria-hidden="true"></a>figure</h3>
+<a href="#figure" aria-hidden="true" class="anchor" id="user-content-figure"></a>figure</h3>
 <div>
 <div><a href="#example-723">Example 723</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13048,7 +12911,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14605:1-14605:13" dir="auto">
-<a id="user-content-footnotes" class="anchor" href="#footnotes" aria-hidden="true"></a>footnotes</h3>
+<a href="#footnotes" aria-hidden="true" class="anchor" id="user-content-footnotes"></a>footnotes</h3>
 <div>
 <div><a href="#example-724">Example 724</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13067,7 +12930,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14625:1-14625:20" dir="auto">
-<a id="user-content-frontmatter_json" class="anchor" href="#frontmatter_json" aria-hidden="true"></a>frontmatter_json</h3>
+<a href="#frontmatter_json" aria-hidden="true" class="anchor" id="user-content-frontmatter_json"></a>frontmatter_json</h3>
 <div>
 <div><a href="#example-725">Example 725</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13084,7 +12947,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14643:1-14643:20" dir="auto">
-<a id="user-content-frontmatter_toml" class="anchor" href="#frontmatter_toml" aria-hidden="true"></a>frontmatter_toml</h3>
+<a href="#frontmatter_toml" aria-hidden="true" class="anchor" id="user-content-frontmatter_toml"></a>frontmatter_toml</h3>
 <div>
 <div><a href="#example-726">Example 726</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13099,7 +12962,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14659:1-14659:20" dir="auto">
-<a id="user-content-frontmatter_yaml" class="anchor" href="#frontmatter_yaml" aria-hidden="true"></a>frontmatter_yaml</h3>
+<a href="#frontmatter_yaml" aria-hidden="true" class="anchor" id="user-content-frontmatter_yaml"></a>frontmatter_yaml</h3>
 <div>
 <div><a href="#example-727">Example 727</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13114,7 +12977,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14675:1-14675:14" dir="auto">
-<a id="user-content-hard_break" class="anchor" href="#hard_break" aria-hidden="true"></a>hard_break</h3>
+<a href="#hard_break" aria-hidden="true" class="anchor" id="user-content-hard_break"></a>hard_break</h3>
 <div>
 <div><a href="#example-728">Example 728</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13128,7 +12991,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14690:1-14690:12" dir="auto">
-<a id="user-content-headings" class="anchor" href="#headings" aria-hidden="true"></a>headings</h3>
+<a href="#headings" aria-hidden="true" class="anchor" id="user-content-headings"></a>headings</h3>
 <div>
 <div><a href="#example-729">Example 729</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13151,7 +13014,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14714:1-14714:19" dir="auto">
-<a id="user-content-horizontal_rule" class="anchor" href="#horizontal_rule" aria-hidden="true"></a>horizontal_rule</h3>
+<a href="#horizontal_rule" aria-hidden="true" class="anchor" id="user-content-horizontal_rule"></a>horizontal_rule</h3>
 <div>
 <div><a href="#example-730">Example 730</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13164,7 +13027,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14728:1-14728:14" dir="auto">
-<a id="user-content-html_marks" class="anchor" href="#html_marks" aria-hidden="true"></a>html_marks</h3>
+<a href="#html_marks" aria-hidden="true" class="anchor" id="user-content-html_marks"></a>html_marks</h3>
 <div>
 <div><a href="#example-731">Example 731</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13191,7 +13054,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14756:1-14756:9" dir="auto">
-<a id="user-content-image" class="anchor" href="#image" aria-hidden="true"></a>image</h3>
+<a href="#image" aria-hidden="true" class="anchor" id="user-content-image"></a>image</h3>
 <div>
 <div><a href="#example-732">Example 732</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13204,7 +13067,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14770:1-14770:15" dir="auto">
-<a id="user-content-inline_code" class="anchor" href="#inline_code" aria-hidden="true"></a>inline_code</h3>
+<a href="#inline_code" aria-hidden="true" class="anchor" id="user-content-inline_code"></a>inline_code</h3>
 <div>
 <div><a href="#example-733">Example 733</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13217,7 +13080,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14784:1-14784:15" dir="auto">
-<a id="user-content-inline_diff" class="anchor" href="#inline_diff" aria-hidden="true"></a>inline_diff</h3>
+<a href="#inline_diff" aria-hidden="true" class="anchor" id="user-content-inline_diff"></a>inline_diff</h3>
 <div>
 <div><a href="#example-734">Example 734</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13231,7 +13094,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14799:1-14799:9" dir="auto">
-<a id="user-content-label" class="anchor" href="#label" aria-hidden="true"></a>label</h3>
+<a href="#label" aria-hidden="true" class="anchor" id="user-content-label"></a>label</h3>
 <div>
 <div><a href="#example-735">Example 735</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13244,7 +13107,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14813:1-14813:8" dir="auto">
-<a id="user-content-link" class="anchor" href="#link" aria-hidden="true"></a>link</h3>
+<a href="#link" aria-hidden="true" class="anchor" id="user-content-link"></a>link</h3>
 <div>
 <div><a href="#example-736">Example 736</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13257,7 +13120,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14827:1-14827:8" dir="auto">
-<a id="user-content-math" class="anchor" href="#math" aria-hidden="true"></a>math</h3>
+<a href="#math" aria-hidden="true" class="anchor" id="user-content-math"></a>math</h3>
 <div>
 <div><a href="#example-737">Example 737</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13276,7 +13139,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14847:1-14847:16" dir="auto">
-<a id="user-content-ordered_list" class="anchor" href="#ordered_list" aria-hidden="true"></a>ordered_list</h3>
+<a href="#ordered_list" aria-hidden="true" class="anchor" id="user-content-ordered_list"></a>ordered_list</h3>
 <div>
 <div><a href="#example-738">Example 738</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13291,7 +13154,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14863:1-14863:33" dir="auto">
-<a id="user-content-ordered_list_with_start_order" class="anchor" href="#ordered_list_with_start_order" aria-hidden="true"></a>ordered_list_with_start_order</h3>
+<a href="#ordered_list_with_start_order" aria-hidden="true" class="anchor" id="user-content-ordered_list_with_start_order"></a>ordered_list_with_start_order</h3>
 <div>
 <div><a href="#example-739">Example 739</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13306,7 +13169,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14879:1-14879:21" dir="auto">
-<a id="user-content-ordered_task_list" class="anchor" href="#ordered_task_list" aria-hidden="true"></a>ordered_task_list</h3>
+<a href="#ordered_task_list" aria-hidden="true" class="anchor" id="user-content-ordered_task_list"></a>ordered_task_list</h3>
 <div>
 <div><a href="#example-740">Example 740</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13324,7 +13187,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14898:1-14898:32" dir="auto">
-<a id="user-content-ordered_task_list_with_order" class="anchor" href="#ordered_task_list_with_order" aria-hidden="true"></a>ordered_task_list_with_order</h3>
+<a href="#ordered_task_list_with_order" aria-hidden="true" class="anchor" id="user-content-ordered_task_list_with_order"></a>ordered_task_list_with_order</h3>
 <div>
 <div><a href="#example-741">Example 741</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13339,7 +13202,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14914:1-14914:30" dir="auto">
-<a id="user-content-reference_for_project_wiki" class="anchor" href="#reference_for_project_wiki" aria-hidden="true"></a>reference_for_project_wiki</h3>
+<a href="#reference_for_project_wiki" aria-hidden="true" class="anchor" id="user-content-reference_for_project_wiki"></a>reference_for_project_wiki</h3>
 <div>
 <div><a href="#example-742">Example 742</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13352,7 +13215,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14928:1-14928:10" dir="auto">
-<a id="user-content-strike" class="anchor" href="#strike" aria-hidden="true"></a>strike</h3>
+<a href="#strike" aria-hidden="true" class="anchor" id="user-content-strike"></a>strike</h3>
 <div>
 <div><a href="#example-743">Example 743</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13365,7 +13228,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14942:1-14942:9" dir="auto">
-<a id="user-content-table" class="anchor" href="#table" aria-hidden="true"></a>table</h3>
+<a href="#table" aria-hidden="true" class="anchor" id="user-content-table"></a>table</h3>
 <div>
 <div><a href="#example-744">Example 744</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13383,7 +13246,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14961:1-14961:21" dir="auto">
-<a id="user-content-table_of_contents" class="anchor" href="#table_of_contents" aria-hidden="true"></a>table_of_contents</h3>
+<a href="#table_of_contents" aria-hidden="true" class="anchor" id="user-content-table_of_contents"></a>table_of_contents</h3>
 <div>
 <div><a href="#example-745">Example 745</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13408,7 +13271,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="14987:1-14987:13" dir="auto">
-<a id="user-content-task_list" class="anchor" href="#task_list" aria-hidden="true"></a>task_list</h3>
+<a href="#task_list" aria-hidden="true" class="anchor" id="user-content-task_list"></a>task_list</h3>
 <div>
 <div><a href="#example-746">Example 746</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13426,7 +13289,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="15006:1-15006:9" dir="auto">
-<a id="user-content-video-1" class="anchor" href="#video-1" aria-hidden="true"></a>video</h3>
+<a href="#video-1" aria-hidden="true" class="anchor" id="user-content-video-1"></a>video</h3>
 <div>
 <div><a href="#example-747">Example 747</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13439,7 +13302,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h3 data-sourcepos="15020:1-15020:14" dir="auto">
-<a id="user-content-word_break" class="anchor" href="#word_break" aria-hidden="true"></a>word_break</h3>
+<a href="#word_break" aria-hidden="true" class="anchor" id="user-content-word_break"></a>word_break</h3>
 <div>
 <div><a href="#example-748">Example 748</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13452,7 +13315,7 @@ also requires an EE license enabling the <code data-sourcepos="14122:43-14122:53
 </div>
 </div>
 <h2 data-sourcepos="15034:1-15034:19" dir="auto">
-<a id="user-content-image-attributes" class="anchor" href="#image-attributes" aria-hidden="true"></a>Image Attributes</h2>
+<a href="#image-attributes" aria-hidden="true" class="anchor" id="user-content-image-attributes"></a>Image Attributes</h2>
 <p data-sourcepos="15036:1-15038:46" dir="auto">See
 <a data-sourcepos="15037:1-15037:104" href="https://docs.gitlab.com/ee/user/markdown.html#change-the-image-dimensions" rel="nofollow noreferrer noopener" target="_blank">Change the image dimensions</a>
 in the GitLab Flavored Markdown documentation.</p>
@@ -13520,7 +13383,7 @@ where it makes sense.</p>
 </div>
 </div>
 <h2 data-sourcepos="15113:1-15113:12" dir="auto">
-<a id="user-content-footnotes-1" class="anchor" href="#footnotes-1" aria-hidden="true"></a>Footnotes</h2>
+<a href="#footnotes-1" aria-hidden="true" class="anchor" id="user-content-footnotes-1"></a>Footnotes</h2>
 <p data-sourcepos="15115:1-15116:143" dir="auto">See
 <a data-sourcepos="15116:1-15116:142" href="https://docs.gitlab.com/ee/user/markdown.html#footnotes" rel="nofollow noreferrer noopener" target="_blank">the footnotes section of the user-facing documentation for GitLab Flavored Markdown</a>.</p>
 <div>
@@ -13555,12 +13418,12 @@ where it makes sense.</p>
 </div>
 </div>
 <h1 data-sourcepos="15150:1-15150:50" dir="auto">
-<a id="user-content-gfm-undocumented-extensions-and-more-robust-test" class="anchor" href="#gfm-undocumented-extensions-and-more-robust-test" aria-hidden="true"></a>GFM undocumented extensions and more robust test</h1>
+<a href="#gfm-undocumented-extensions-and-more-robust-test" aria-hidden="true" class="anchor" id="user-content-gfm-undocumented-extensions-and-more-robust-test"></a>GFM undocumented extensions and more robust test</h1>
 <p data-sourcepos="15152:1-15154:16" dir="auto">This section contains tests borrowed from <a href="https://github.com/github/cmark-gfm/blob/master/test/extensions.txt" rel="nofollow noreferrer noopener" target="_blank">https://github.com/github/cmark-gfm/blob/master/test/extensions.txt</a>.
 It includes items not found in the official GFM specification, such as footnotes and additional tests for tables,
 task lists, etc.</p>
 <h2 data-sourcepos="15156:1-15156:12" dir="auto">
-<a id="user-content-footnotes-2" class="anchor" href="#footnotes-2" aria-hidden="true"></a>Footnotes</h2>
+<a href="#footnotes-2" aria-hidden="true" class="anchor" id="user-content-footnotes-2"></a>Footnotes</h2>
 <div>
 <div><a href="#example-755">Example 755</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13625,7 +13488,7 @@ task lists, etc.</p>
 </div>
 </div>
 <h2 data-sourcepos="15222:1-15222:71" dir="auto">
-<a id="user-content-when-a-footnote-is-used-multiple-times-we-insert-multiple-backrefs" class="anchor" href="#when-a-footnote-is-used-multiple-times-we-insert-multiple-backrefs" aria-hidden="true"></a>When a footnote is used multiple times, we insert multiple backrefs.</h2>
+<a href="#when-a-footnote-is-used-multiple-times-we-insert-multiple-backrefs" aria-hidden="true" class="anchor" id="user-content-when-a-footnote-is-used-multiple-times-we-insert-multiple-backrefs"></a>When a footnote is used multiple times, we insert multiple backrefs.</h2>
 <div>
 <div><a href="#example-756">Example 756</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13650,7 +13513,7 @@ task lists, etc.</p>
 </div>
 </div>
 <h2 data-sourcepos="15248:1-15248:45" dir="auto">
-<a id="user-content-footnote-reference-labels-are-href-escaped" class="anchor" href="#footnote-reference-labels-are-href-escaped" aria-hidden="true"></a>Footnote reference labels are href escaped</h2>
+<a href="#footnote-reference-labels-are-href-escaped" aria-hidden="true" class="anchor" id="user-content-footnote-reference-labels-are-href-escaped"></a>Footnote reference labels are href escaped</h2>
 <div>
 <div><a href="#example-757">Example 757</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
@@ -13672,7 +13535,7 @@ task lists, etc.</p>
 </div>
 </div>
 <h2 data-sourcepos="15271:1-15271:10" dir="auto">
-<a id="user-content-interop" class="anchor" href="#interop" aria-hidden="true"></a>Interop</h2>
+<a href="#interop" aria-hidden="true" class="anchor" id="user-content-interop"></a>Interop</h2>
 <p data-sourcepos="15273:1-15273:27" dir="auto">Autolink and strikethrough.</p>
 <div>
 <div><a href="#example-758">Example 758</a></div>
@@ -13716,7 +13579,7 @@ task lists, etc.</p>
 </div>
 </div>
 <h2 data-sourcepos="15319:1-15319:13" dir="auto">
-<a id="user-content-task-lists" class="anchor" href="#task-lists" aria-hidden="true"></a>Task lists</h2>
+<a href="#task-lists" aria-hidden="true" class="anchor" id="user-content-task-lists"></a>Task lists</h2>
 <div>
 <div><a href="#example-760">Example 760</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
diff --git a/glfm_specification/output_spec/spec.html b/glfm_specification/output_spec/spec.html
index 07af9a162d5..78e1e572138 100644
--- a/glfm_specification/output_spec/spec.html
+++ b/glfm_specification/output_spec/spec.html
@@ -253,7 +253,7 @@
 version: alpha
 ...</p>
 <h1 data-sourcepos="8:1-8:14" dir="auto">
-<a id="user-content-introduction" class="anchor" href="#introduction" aria-hidden="true"></a>Introduction</h1>
+<a href="#introduction" aria-hidden="true" class="anchor" id="user-content-introduction"></a>Introduction</h1>
 <p data-sourcepos="10:1-10:284" dir="auto">GitLab Flavored Markdown (GLFM) extends the <a data-sourcepos="10:45-10:108" href="https://spec.commonmark.org/current/" rel="nofollow noreferrer noopener" target="_blank">CommonMark specification</a> and is considered a strict superset of CommonMark. It also incorporates the extensions defined by the <a data-sourcepos="10:212-10:283" href="https://github.github.com/gfm/" rel="nofollow noreferrer noopener" target="_blank">GitHub Flavored Markdown specification</a>.</p>
 <p data-sourcepos="12:1-12:433" dir="auto">This specification will define the various official extensions that comprise GLFM. These extensions are GitLab independent - they do not require a GitLab server for parsing or interaction. The intent is to provide a specification that can be implemented in standard markdown editors. This includes many of the features listed in <a data-sourcepos="12:330-12:432" href="https://docs.gitlab.com/ee/user/markdown.html" rel="nofollow noreferrer noopener" target="_blank">user-facing documentation for GitLab Flavored Markdown</a>.</p>
 <p data-sourcepos="14:1-14:69" dir="auto">The CommonMark and GitHub specifications will not be duplicated here.</p>
@@ -269,14 +269,14 @@ for a complete list of all examples, which are a superset of examples from:</p>
 </ul>
 
 <h1 data-sourcepos="27:1-27:40" dir="auto">
-<a id="user-content-gitlab-official-specification-markdown" class="anchor" href="#gitlab-official-specification-markdown" aria-hidden="true"></a>GitLab Official Specification Markdown</h1>
+<a href="#gitlab-official-specification-markdown" aria-hidden="true" class="anchor" id="user-content-gitlab-official-specification-markdown"></a>GitLab Official Specification Markdown</h1>
 <p data-sourcepos="29:1-31:104" dir="auto">Note: This specification is a work in progress. Only some of the official GLFM extensions
 are defined. We will continue to add any additional ones found in the
 <a data-sourcepos="31:1-31:103" href="https://docs.gitlab.com/ee/user/markdown.html" rel="nofollow noreferrer noopener" target="_blank">user-facing documentation for GitLab Flavored Markdown</a>.</p>
 <p data-sourcepos="33:1-34:69" dir="auto">There is currently only this single top-level heading, but the
 examples may be split into multiple top-level headings in the future.</p>
 <h2 data-sourcepos="36:1-36:18" dir="auto">
-<a id="user-content-task-list-items" class="anchor" href="#task-list-items" aria-hidden="true"></a>Task list items</h2>
+<a href="#task-list-items" aria-hidden="true" class="anchor" id="user-content-task-list-items"></a>Task list items</h2>
 <p data-sourcepos="38:1-39:117" dir="auto">See
 <a data-sourcepos="39:1-39:70" href="https://docs.gitlab.com/ee/user/markdown.html#task-lists" rel="nofollow noreferrer noopener" target="_blank">Task lists</a> in the GitLab Flavored Markdown documentation.</p>
 <p data-sourcepos="41:1-44:39" dir="auto">Task list items (checkboxes) are defined as a GitHub Flavored Markdown extension in a section above.
@@ -370,7 +370,7 @@ loose text; it has strikethrough applied with CSS.</p>
 </div>
 </div>
 <h2 data-sourcepos="142:1-142:15" dir="auto">
-<a id="user-content-front-matter" class="anchor" href="#front-matter" aria-hidden="true"></a>Front matter</h2>
+<a href="#front-matter" aria-hidden="true" class="anchor" id="user-content-front-matter"></a>Front matter</h2>
 <p data-sourcepos="144:1-145:121" dir="auto">See
 <a data-sourcepos="145:1-145:74" href="https://docs.gitlab.com/ee/user/markdown.html#front-matter" rel="nofollow noreferrer noopener" target="_blank">Front matter</a> in the GitLab Flavored Markdown documentation.</p>
 <p data-sourcepos="147:1-148:95" dir="auto">Front matter is metadata included at the beginning of a Markdown document, preceding the content.
@@ -467,7 +467,7 @@ This data can be used by static site generators like Jekyll, Hugo, and many othe
 </div>
 </div>
 <h2 data-sourcepos="251:1-251:20" dir="auto">
-<a id="user-content-table-of-contents" class="anchor" href="#table-of-contents" aria-hidden="true"></a>Table of contents</h2>
+<a href="#table-of-contents" aria-hidden="true" class="anchor" id="user-content-table-of-contents"></a>Table of contents</h2>
 <p data-sourcepos="253:1-255:46" dir="auto">See
 <a data-sourcepos="254:1-254:84" href="https://docs.gitlab.com/ee/user/markdown.html#table-of-contents" rel="nofollow noreferrer noopener" target="_blank">table of contents</a>
 in the GitLab Flavored Markdown documentation.</p>
diff --git a/lib/banzai/filter/markdown_engines/glfm_markdown.rb b/lib/banzai/filter/markdown_engines/glfm_markdown.rb
index cd0dfa0ab06..6743e3a9037 100644
--- a/lib/banzai/filter/markdown_engines/glfm_markdown.rb
+++ b/lib/banzai/filter/markdown_engines/glfm_markdown.rb
@@ -15,6 +15,7 @@ module Banzai
           full_info_string: true,
           github_pre_lang: true,
           hardbreaks: false,
+          header_ids: Banzai::Renderer::USER_CONTENT_ID_PREFIX,
           math_code: true,
           math_dollars: true,
           multiline_block_quotes: true,
@@ -35,7 +36,16 @@ module Banzai
         private
 
         def render_options
-          sourcepos_disabled? ? OPTIONS.merge(sourcepos: false) : OPTIONS
+          return OPTIONS unless sourcepos_disabled? || headers_disabled?
+
+          OPTIONS.merge(
+            sourcepos: !sourcepos_disabled?,
+            header_ids: headers_disabled? ? nil : OPTIONS[:header_ids]
+          )
+        end
+
+        def headers_disabled?
+          context[:no_header_anchors] || Feature.disabled?(:native_header_anchors)
         end
       end
     end
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index da976cf9ddc..577d02cc559 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -25,11 +25,16 @@ module Banzai
         # Remove any `style` properties not required for table alignment
         allowlist[:transformers].push(self.class.remove_unsafe_table_style)
 
-        # Allow `id` in a and li elements for footnotes
-        # and remove any `id` properties not matching for footnotes
+        # Allow `id` in `a` and `li` elements for footnotes
+        # and `a` elements for header anchors.
+        # Remove any `id` properties not matching
         allowlist[:attributes]['a'].push('id')
         allowlist[:attributes]['li'] = %w[id]
-        allowlist[:transformers].push(self.class.remove_non_footnote_ids)
+        allowlist[:transformers].push(self.class.remove_id_attributes)
+
+        # Remove any `class` property not required for `a`
+        allowlist[:attributes]['a'].push('class')
+        allowlist[:transformers].push(self.class.remove_unsafe_link_class)
 
         # Allow section elements with data-footnotes attribute
         allowlist[:elements].push('section')
@@ -55,18 +60,38 @@ module Banzai
           end
         end
 
-        def remove_non_footnote_ids
+        def remove_unsafe_link_class
+          lambda do |env|
+            node = env[:node]
+
+            return unless node.name == 'a'
+            return unless node.has_attribute?('class')
+
+            node.remove_attribute('class') if remove_link_class?(node)
+          end
+        end
+
+        def remove_link_class?(node)
+          return if node['class'] == 'anchor'
+
+          true
+        end
+
+        def remove_id_attributes
           lambda do |env|
             node = env[:node]
 
             return unless node.name == 'a' || node.name == 'li'
             return unless node.has_attribute?('id')
 
+            # footnote ids should not be removed
+            return if node.name == 'li' && node['id'].start_with?(Banzai::Filter::FootnoteFilter::FOOTNOTE_ID_PREFIX)
             return if node.name == 'a' &&
               node['id'].start_with?(Banzai::Filter::FootnoteFilter::FOOTNOTE_LINK_ID_PREFIX)
 
-            return if node.name == 'li' &&
-              node['id'].start_with?(Banzai::Filter::FootnoteFilter::FOOTNOTE_ID_PREFIX)
+            # links with generated header anchors should not be removed
+            return if node.name == 'a' && node['class'] == 'anchor' &&
+              node['id'].start_with?(Banzai::Renderer::USER_CONTENT_ID_PREFIX)
 
             node.remove_attribute('id')
           end
diff --git a/lib/banzai/filter/table_of_contents_filter.rb b/lib/banzai/filter/table_of_contents_filter.rb
index 3e6505c82c4..357b880b74f 100644
--- a/lib/banzai/filter/table_of_contents_filter.rb
+++ b/lib/banzai/filter/table_of_contents_filter.rb
@@ -2,6 +2,11 @@
 
 require 'cgi/util'
 
+# TODO: This is now a legacy filter, and is only used with the Ruby parser.
+# The current markdown parser now properly handles adding anchors to headers.
+# The Ruby parser is now only for benchmarking purposes.
+# issue: https://gitlab.com/gitlab-org/gitlab/-/issues/454601
+
 # Generated HTML is transformed back to GFM by app/assets/javascripts/behaviors/markdown/nodes/table_of_contents.js
 module Banzai
   module Filter
@@ -25,6 +30,7 @@ module Banzai
       XPATH = Gitlab::Utils::Nokogiri.css_to_xpath(CSS).freeze
 
       def call
+        return doc if MarkdownFilter.glfm_markdown?(context) && Feature.enabled?(:native_header_anchors)
         return doc if context[:no_header_anchors]
 
         result[:toc] = +""
diff --git a/lib/banzai/filter/table_of_contents_tag_filter.rb b/lib/banzai/filter/table_of_contents_tag_filter.rb
index 4e80b543e2d..b7b6fded06a 100644
--- a/lib/banzai/filter/table_of_contents_tag_filter.rb
+++ b/lib/banzai/filter/table_of_contents_tag_filter.rb
@@ -14,6 +14,9 @@ module Banzai
     class TableOfContentsTagFilter < HTML::Pipeline::Filter
       TEXT_QUERY = %q(descendant-or-self::text()[ancestor::p and contains(translate(., 'TOC', 'toc'), 'toc')])
 
+      HEADER_CSS   = 'h1, h2, h3, h4, h5, h6'
+      HEADER_XPATH = Gitlab::Utils::Nokogiri.css_to_xpath(HEADER_CSS).freeze
+
       def call
         return doc if context[:no_header_anchors]
 
@@ -43,6 +46,8 @@ module Banzai
       # Replace an entire `[TOC]` node with the result generated by
       # TableOfContentsFilter
       def process_toc_tag(node)
+        build_toc if Feature.enabled?(:native_header_anchors)
+
         # we still need to go one step up to also replace the surrounding <p></p>
         node.parent.replace(result[:toc].presence || '')
       end
@@ -56,6 +61,85 @@ module Banzai
       def toc_tag?(node)
         node.parent.text.casecmp?('[toc]')
       end
+
+      def build_toc
+        return if result[:toc]
+
+        result[:toc] = +""
+
+        header_root = current_header = HeaderNode.new
+
+        doc.xpath(HEADER_XPATH).each do |node|
+          header_anchor = node.children.first
+          next unless header_anchor
+          next unless header_anchor.name == 'a'
+          next unless header_anchor[:class] == 'anchor'
+
+          # remove leading anchor `#` so we can add it back later
+          href = header_anchor[:href].slice(1..)
+          current_header = HeaderNode.new(node: node, href: href, previous_header: current_header)
+        end
+
+        push_toc(header_root.children, root: true)
+      end
+
+      def push_toc(children, root: false)
+        return if children.empty?
+
+        klass = ' class="section-nav"' if root
+
+        result[:toc] << "<ul#{klass}>"
+        children.each { |child| push_anchor(child) }
+        result[:toc] << '</ul>'
+      end
+
+      def push_anchor(header_node)
+        result[:toc] << %(<li><a href="##{header_node.href}">#{header_node.text}</a>)
+        push_toc(header_node.children)
+        result[:toc] << '</li>'
+      end
+
+      class HeaderNode
+        attr_reader :node, :href, :parent, :children
+
+        def initialize(node: nil, href: nil, previous_header: nil)
+          @node = node
+          @href = CGI.escape(href) if href
+          @children = []
+
+          @parent = find_parent(previous_header)
+          @parent.children.push(self) if @parent
+        end
+
+        def level
+          return 0 unless node
+
+          @level ||= node.name[1].to_i
+        end
+
+        def text
+          return '' unless node
+
+          @text ||= CGI.escapeHTML(node.text)
+        end
+
+        private
+
+        def find_parent(previous_header)
+          return unless previous_header
+
+          if level == previous_header.level
+            parent = previous_header.parent
+          elsif level > previous_header.level
+            parent = previous_header
+          else
+            parent = previous_header
+            parent = parent.parent while parent.level >= level
+          end
+
+          parent
+        end
+      end
     end
   end
 end
diff --git a/lib/banzai/pipeline/description_pipeline.rb b/lib/banzai/pipeline/description_pipeline.rb
index 8236c7092d2..e7632c2c4a3 100644
--- a/lib/banzai/pipeline/description_pipeline.rb
+++ b/lib/banzai/pipeline/description_pipeline.rb
@@ -9,8 +9,8 @@ module Banzai
 
       def self.transform_context(context)
         super(context).merge(
-          # SanitizationFilter
-          allowlist: ALLOWLIST
+          allowlist: ALLOWLIST,   # SanitizationFilter
+          no_header_anchors: true # header elements not allowed
         )
       end
     end
diff --git a/lib/gitlab/auth/o_auth/user.rb b/lib/gitlab/auth/o_auth/user.rb
index 4dfa8ee0a41..5afcc80c8ce 100644
--- a/lib/gitlab/auth/o_auth/user.rb
+++ b/lib/gitlab/auth/o_auth/user.rb
@@ -11,16 +11,31 @@ module Gitlab
       class User
         class << self
           # rubocop: disable CodeReuse/ActiveRecord
-          def find_by_uid_and_provider(uid, provider)
+
+          # `auth_hash` argument should be removed by https://gitlab.com/gitlab-org/gitlab/-/issues/456424
+          def find_by_uid_and_provider(uid, provider, auth_hash = nil)
             identity = ::Identity.with_extern_uid(provider, uid).take
 
-            identity && identity.user
+            # This fallback should be removed by https://gitlab.com/gitlab-org/gitlab/-/issues/456424
+            if provider == 'bitbucket' && !auth_hash.nil?
+              identity ||= ::Identity.with_extern_uid(provider, auth_hash.username).take
+
+              if identity && !identity.trusted_extern_uid? && identity.user && identity.user.email == auth_hash.email
+                identity.update(extern_uid: uid, trusted_extern_uid: true)
+              end
+            end
+
+            return unless identity
+            raise IdentityWithUntrustedExternUidError unless identity.trusted_extern_uid?
+
+            identity.user
           end
           # rubocop: enable CodeReuse/ActiveRecord
         end
 
         SignupDisabledError = Class.new(StandardError)
         SigninDisabledForProviderError = Class.new(StandardError)
+        IdentityWithUntrustedExternUidError = Class.new(StandardError)
 
         attr_reader :auth_hash
 
@@ -212,7 +227,7 @@ module Gitlab
         end
 
         def find_by_uid_and_provider
-          self.class.find_by_uid_and_provider(auth_hash.uid, auth_hash.provider)
+          self.class.find_by_uid_and_provider(auth_hash.uid, auth_hash.provider, auth_hash)
         end
 
         def build_new_user(skip_confirmation: true)
diff --git a/lib/gitlab/background_migration/backfill_workspace_variables_project_id.rb b/lib/gitlab/background_migration/backfill_workspace_variables_project_id.rb
new file mode 100644
index 00000000000..63e2cbf1d33
--- /dev/null
+++ b/lib/gitlab/background_migration/backfill_workspace_variables_project_id.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module BackgroundMigration
+    # rubocop: disable Migration/BackgroundMigrationBaseClass -- BackfillDesiredShardingKeyJob inherits from BatchedMigrationJob.
+    class BackfillWorkspaceVariablesProjectId < BackfillDesiredShardingKeyJob
+      operation_name :backfill_workspace_variables_project_id
+      feature_category :remote_development
+    end
+    # rubocop: enable Migration/BackgroundMigrationBaseClass
+  end
+end
diff --git a/lib/gitlab/ci/parsers/security/validators/schema_validator.rb b/lib/gitlab/ci/parsers/security/validators/schema_validator.rb
index c6e065f29b8..196c907038d 100644
--- a/lib/gitlab/ci/parsers/security/validators/schema_validator.rb
+++ b/lib/gitlab/ci/parsers/security/validators/schema_validator.rb
@@ -32,6 +32,10 @@ module Gitlab
 
             CURRENT_VERSIONS = SUPPORTED_VERSIONS.to_h { |k, v| [k, v - DEPRECATED_VERSIONS[k]] }
 
+            # Matches schema-defined pattern
+            # https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/e3d280d7f0862ca66a1555ea8b24016a004bb914/src/security-report-format.json#L151
+            SCHEMA_VERSION_REGEX = /^[0-9]+\.[0-9]+\.[0-9]+$/
+
             class Schema
               def root_path
                 File.join(__dir__, 'schemas')
@@ -97,7 +101,7 @@ module Gitlab
               @deprecation_warnings = []
 
               populate_schema_version_errors
-              populate_validation_errors
+              populate_validation_errors if report_version_matches_schema?
               populate_deprecation_warnings
             end
 
@@ -147,6 +151,10 @@ module Gitlab
               end
             end
 
+            def report_version_matches_schema?
+              report_version && report_version.match(SCHEMA_VERSION_REGEX)
+            end
+
             def find_latest_patch_version
               ::Security::ReportSchemaVersionMatcher.new(
                 report_declared_version: report_version,
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index b22652e8e9a..d63f2c7c388 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -132,7 +132,6 @@ module Gitlab
         end
 
         def allow_sentry(directives)
-          allow_legacy_sentry(directives) if legacy_sentry_configured?
           return unless sentry_client_side_dsn_enabled?
 
           sentry_uri = URI(Gitlab::CurrentSettings.sentry_clientside_dsn)
@@ -140,18 +139,6 @@ module Gitlab
           append_to_directive(directives, 'connect_src', "#{sentry_uri.scheme}://#{sentry_uri.host}")
         end
 
-        def allow_legacy_sentry(directives)
-          # Support for Sentry setup via configuration files will be removed in 16.0
-          # in favor of Gitlab::CurrentSettings.
-          sentry_uri = URI(Gitlab.config.sentry.clientside_dsn)
-
-          append_to_directive(directives, 'connect_src', "#{sentry_uri.scheme}://#{sentry_uri.host}")
-        end
-
-        def legacy_sentry_configured?
-          Gitlab.config.sentry&.enabled && Gitlab.config.sentry&.clientside_dsn
-        end
-
         def sentry_client_side_dsn_enabled?
           Gitlab::CurrentSettings.try(:sentry_enabled) && Gitlab::CurrentSettings.try(:sentry_clientside_dsn)
         end
diff --git a/lib/gitlab/error_tracking.rb b/lib/gitlab/error_tracking.rb
index 6bf30e152f8..de6be9d1617 100644
--- a/lib/gitlab/error_tracking.rb
+++ b/lib/gitlab/error_tracking.rb
@@ -27,34 +27,12 @@ module Gitlab
     ].freeze
 
     class << self
-      def configure(&block)
-        configure_raven(&block)
-        configure_sentry(&block)
-      end
-
-      def configure_raven
-        Raven.configure do |config|
+      def configure
+        Sentry.init do |config|
           config.dsn = sentry_dsn
           config.release = Gitlab.revision
-          config.current_environment = Gitlab.config.sentry.environment
-
-          # Sanitize fields based on those sanitized from Rails.
-          config.sanitize_fields = Rails.application.config.filter_parameters.map(&:to_s)
-
-          # Sanitize authentication headers
-          config.sanitize_http_headers = %w[Authorization Private-Token]
-          config.before_send = method(:before_send_raven)
-
-          yield config if block_given?
-        end
-      end
-
-      def configure_sentry
-        Sentry.init do |config|
-          config.dsn = new_sentry_dsn
-          config.release = Gitlab.revision
-          config.environment = new_sentry_environment
-          config.before_send = method(:before_send_sentry)
+          config.environment = sentry_environment
+          config.before_send = method(:before_send)
           config.background_worker_threads = 0
           config.send_default_pii = true
           config.send_modules = false
@@ -134,18 +112,6 @@ module Gitlab
 
       private
 
-      def before_send_raven(event, hint)
-        return unless Feature.enabled?(:enable_old_sentry_integration)
-
-        before_send(event, hint)
-      end
-
-      def before_send_sentry(event, hint)
-        return unless Feature.enabled?(:enable_new_sentry_integration)
-
-        before_send(event, hint)
-      end
-
       def before_send(event, hint)
         # Don't report Sidekiq retry errors to Sentry
         return if hint[:exception].is_a?(Gitlab::SidekiqMiddleware::RetryError)
@@ -170,7 +136,6 @@ module Gitlab
 
       def default_trackers
         [].tap do |destinations|
-          destinations << Raven if Raven.configuration.server
           # There is a possibility that this method is called before Sentry is
           # configured. Since Sentry 4.0, some methods of Sentry are forwarded to
           # to `nil`, hence we have to check the client as well.
@@ -179,27 +144,58 @@ module Gitlab
         end
       end
 
+      # Some configuration attributes like `dsn`, and `environment`
+      # can be configured both via `ENV` and `Application Settings`.
+      # The reason being is while GitLab.com uses application_settings
+      # in Geo installations, we can't override values in the primary database.
+      # Setting this value in application_settings would propagate the value
+      # to all Geo nodes, which doesn't solve that particular problem.
       def sentry_dsn
-        return unless sentry_configurable?
-        return unless Gitlab.config.sentry.enabled
-
-        Gitlab.config.sentry.dsn
+        env_sentry_dsn || database_sentry_dsn
       end
 
-      def new_sentry_dsn
+      def sentry_environment
+        env_sentry_environment || database_sentry_environment
+      end
+
+      def database_sentry_dsn
         return unless sentry_configurable?
-        return unless Gitlab::CurrentSettings.respond_to?(:sentry_enabled?)
-        return unless Gitlab::CurrentSettings.sentry_enabled?
+        return unless database_sentry_enabled?
 
         Gitlab::CurrentSettings.sentry_dsn
       end
 
-      def new_sentry_environment
+      def env_sentry_dsn
+        return unless sentry_configurable?
+        return unless env_sentry_enabled?
+
+        Gitlab.config.sentry.dsn
+      end
+
+      def env_sentry_environment
+        return unless sentry_configurable?
+        return unless env_sentry_enabled?
+
+        Gitlab.config.sentry.environment
+      end
+
+      def database_sentry_environment
+        return unless sentry_configurable?
+        return unless database_sentry_enabled?
         return unless Gitlab::CurrentSettings.respond_to?(:sentry_environment)
 
         Gitlab::CurrentSettings.sentry_environment
       end
 
+      def database_sentry_enabled?
+        Gitlab::CurrentSettings.respond_to?(:sentry_enabled?) &&
+          Gitlab::CurrentSettings.sentry_enabled?
+      end
+
+      def env_sentry_enabled?
+        Gitlab.config.sentry.enabled
+      end
+
       def sentry_configurable?
         Rails.env.production? || Rails.env.development?
       end
diff --git a/lib/gitlab/error_tracking/log_formatter.rb b/lib/gitlab/error_tracking/log_formatter.rb
index d004c4e20bb..98b64ff335f 100644
--- a/lib/gitlab/error_tracking/log_formatter.rb
+++ b/lib/gitlab/error_tracking/log_formatter.rb
@@ -3,7 +3,7 @@
 module Gitlab
   module ErrorTracking
     class LogFormatter
-      # Note: all the accesses to Raven's contexts here are to keep the
+      # Note: all the accesses to Sentry's contexts here are to keep the
       # backward-compatibility to Sentry's built-in integrations. In future,
       # they can be removed.
       def generate_log(exception, context_payload)
@@ -20,21 +20,24 @@ module Gitlab
       private
 
       def append_user_to_log!(payload, context_payload)
-        user_context = Raven.context.user.merge(context_payload[:user])
+        user_context = context_payload[:user]
+        user_context = Sentry.get_current_scope.user.merge(user_context) if Sentry.initialized?
         user_context.each do |key, value|
           payload["user.#{key}"] = value
         end
       end
 
       def append_tags_to_log!(payload, context_payload)
-        tags_context = Raven.context.tags.merge(context_payload[:tags])
+        tags_context = context_payload[:tags]
+        tags_context = Sentry.get_current_scope.tags.merge(tags_context) if Sentry.initialized?
         tags_context.each do |key, value|
           payload["tags.#{key}"] = value
         end
       end
 
       def append_extra_to_log!(payload, context_payload)
-        extra = Raven.context.extra.merge(context_payload[:extra])
+        extra = context_payload[:extra]
+        extra = Sentry.get_current_scope.extra.merge(extra) if Sentry.initialized?
         extra = extra.except(:server)
 
         # The extra value for sidekiq is a hash whose keys are strings.
diff --git a/lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb b/lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb
index 4b6c69a8b33..daf570536d6 100644
--- a/lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb
+++ b/lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb
@@ -8,11 +8,7 @@ module Gitlab
           private
 
           def extract_exceptions_from(event)
-            exceptions = if event.is_a?(Raven::Event)
-                           event.instance_variable_get(:@interfaces)[:exception]&.values
-                         else
-                           event&.exception&.instance_variable_get(:@values)
-                         end
+            exceptions = event&.exception&.instance_variable_get(:@values)
 
             Array.wrap(exceptions)
           end
@@ -27,7 +23,7 @@ module Gitlab
 
           def valid_exception?(exception)
             case exception
-            when Raven::SingleExceptionInterface, Sentry::SingleExceptionInterface
+            when Sentry::SingleExceptionInterface
               exception&.value.present?
             else
               false
diff --git a/lib/gitlab/error_tracking/processor/sanitizer_processor.rb b/lib/gitlab/error_tracking/processor/sanitizer_processor.rb
index e6114f8e206..577b0f2697d 100644
--- a/lib/gitlab/error_tracking/processor/sanitizer_processor.rb
+++ b/lib/gitlab/error_tracking/processor/sanitizer_processor.rb
@@ -15,9 +15,6 @@ module Gitlab
         # For more information, please visit:
         # https://docs.sentry.io/platforms/ruby/guides/rails/configuration/filtering/#using-beforesend
         def self.call(event)
-          # Raven::Event instances don't need this processing.
-          return event unless event.is_a?(Sentry::Event)
-
           if event.request.present?
             event.request.cookies = {}
             event.request.data = {}
diff --git a/lib/gitlab/file_finder.rb b/lib/gitlab/file_finder.rb
index 8a894901ca1..0ca6b30f907 100644
--- a/lib/gitlab/file_finder.rb
+++ b/lib/gitlab/file_finder.rb
@@ -15,9 +15,17 @@ module Gitlab
 
     def find(query, content_match_cutoff: nil)
       query = Gitlab::Search::Query.new(query, encode_binary: true) do
-        filter :filename, matcher: ->(filter, blob) { blob.binary_path =~ /#{filter[:regex_value]}$/i }
-        filter :path, matcher: ->(filter, blob) { blob.binary_path =~ /#{filter[:regex_value]}/i }
-        filter :extension, matcher: ->(filter, blob) { blob.binary_path =~ /\.#{filter[:regex_value]}$/i }
+        filter :filename, matcher: ->(filter, blob) do
+          ::Gitlab::UntrustedRegexp.new("(?i)#{filter[:regex_value]}$").match?(blob.binary_path)
+        end
+
+        filter :path, matcher: ->(filter, blob) do
+          ::Gitlab::UntrustedRegexp.new("(?i)#{filter[:regex_value]}").match?(blob.binary_path)
+        end
+
+        filter :extension, matcher: ->(filter, blob) do
+          ::Gitlab::UntrustedRegexp.new("(?i)\\.#{filter[:regex_value]}$").match?(blob.binary_path)
+        end
       end
 
       content_match_cutoff = nil if query.filters.any?
diff --git a/lib/gitlab/git/repository.rb b/lib/gitlab/git/repository.rb
index 7ed047811fe..204dafa228d 100644
--- a/lib/gitlab/git/repository.rb
+++ b/lib/gitlab/git/repository.rb
@@ -1012,12 +1012,12 @@ module Gitlab
         user, branch_name:, message:, actions:,
         author_email: nil, author_name: nil,
         start_branch_name: nil, start_sha: nil, start_repository: nil,
-        force: false)
+        force: false, sign: true)
 
         wrapped_gitaly_errors do
           gitaly_operation_client.user_commit_files(user, branch_name,
               message, actions, author_email, author_name,
-              start_branch_name, start_repository, force, start_sha)
+              start_branch_name, start_repository, force, start_sha, sign)
         end
       end
       # rubocop:enable Metrics/ParameterLists
diff --git a/lib/gitlab/gitaly_client/operation_service.rb b/lib/gitlab/gitaly_client/operation_service.rb
index 014881535e2..bc9512b1b5c 100644
--- a/lib/gitlab/gitaly_client/operation_service.rb
+++ b/lib/gitlab/gitaly_client/operation_service.rb
@@ -479,11 +479,11 @@ module Gitlab
       # rubocop:disable Metrics/ParameterLists
       def user_commit_files(
         user, branch_name, commit_message, actions, author_email, author_name,
-        start_branch_name, start_repository, force = false, start_sha = nil)
+        start_branch_name, start_repository, force = false, start_sha = nil, sign = true)
         req_enum = Enumerator.new do |y|
           header = user_commit_files_request_header(user, branch_name,
           commit_message, actions, author_email, author_name,
-          start_branch_name, start_repository, force, start_sha)
+          start_branch_name, start_repository, force, start_sha, sign)
 
           y.yield Gitaly::UserCommitFilesRequest.new(header: header)
 
@@ -575,7 +575,7 @@ module Gitlab
       # rubocop:disable Metrics/ParameterLists
       def user_commit_files_request_header(
         user, branch_name, commit_message, actions, author_email, author_name,
-        start_branch_name, start_repository, force, start_sha)
+        start_branch_name, start_repository, force, start_sha, sign)
 
         Gitaly::UserCommitFilesRequestHeader.new(
           repository: @gitaly_repo,
@@ -588,6 +588,7 @@ module Gitlab
           start_repository: start_repository&.gitaly_repository,
           force: force,
           start_sha: encode_binary(start_sha),
+          sign: sign,
           timestamp: Google::Protobuf::Timestamp.new(seconds: Time.now.utc.to_i)
         )
       end
diff --git a/lib/gitlab/gon_helper.rb b/lib/gitlab/gon_helper.rb
index a3dd12ebabc..de4dde89f0a 100644
--- a/lib/gitlab/gon_helper.rb
+++ b/lib/gitlab/gon_helper.rb
@@ -20,14 +20,10 @@ module Gitlab
 
       add_browsersdk_tracking
 
-      if Gitlab.config.sentry.enabled
-        gon.sentry_dsn         = Gitlab.config.sentry.clientside_dsn
-        gon.sentry_environment = Gitlab.config.sentry.environment
-      end
-
-      # Support for Sentry setup via configuration files will be removed in 17.0
-      # in favor of Gitlab::CurrentSettings.
-      if Feature.enabled?(:enable_new_sentry_integration) && Gitlab::CurrentSettings.sentry_enabled
+      # Sentry configurations for the browser client are done
+      # via `Gitlab::CurrentSettings` from the Admin panel:
+      # `/admin/application_settings/metrics_and_profiling`
+      if Gitlab::CurrentSettings.sentry_enabled
         gon.sentry_dsn           = Gitlab::CurrentSettings.sentry_clientside_dsn
         gon.sentry_environment   = Gitlab::CurrentSettings.sentry_environment
         gon.sentry_clientside_traces_sample_rate = Gitlab::CurrentSettings.sentry_clientside_traces_sample_rate
diff --git a/lib/gitlab/graphql/authorize/authorize_resource.rb b/lib/gitlab/graphql/authorize/authorize_resource.rb
index e3548b97ebf..2c9b10cc33b 100644
--- a/lib/gitlab/graphql/authorize/authorize_resource.rb
+++ b/lib/gitlab/graphql/authorize/authorize_resource.rb
@@ -64,7 +64,7 @@ module Gitlab
         def authorized_resource?(object)
           raise ConfigurationError, "#{self.class.name} has no authorizations" if self.class.authorization.none?
 
-          self.class.authorization.ok?(object, current_user)
+          self.class.authorization.ok?(object, current_user, scope_validator: context[:scope_validator])
         end
 
         def raise_resource_not_available_error!(...)
diff --git a/lib/gitlab/graphql/authorize/object_authorization.rb b/lib/gitlab/graphql/authorize/object_authorization.rb
index f13acc9ea27..20f24a6823e 100644
--- a/lib/gitlab/graphql/authorize/object_authorization.rb
+++ b/lib/gitlab/graphql/authorize/object_authorization.rb
@@ -19,7 +19,7 @@ module Gitlab
           abilities.present?
         end
 
-        def ok?(object, current_user, scope_validator: nil)
+        def ok?(object, current_user, scope_validator:)
           scopes_ok?(scope_validator) && abilities_ok?(object, current_user)
         end
 
diff --git a/lib/gitlab/rack_attack.rb b/lib/gitlab/rack_attack.rb
index 2182f5b56e4..113c6dec6c1 100644
--- a/lib/gitlab/rack_attack.rb
+++ b/lib/gitlab/rack_attack.rb
@@ -126,6 +126,16 @@ module Gitlab
         'throttle_authenticated_git_lfs' => ThrottleDefinition.new(
           Gitlab::Throttle.throttle_authenticated_git_lfs_options,
           ->(req) { req.throttled_identifer([:api]) if req.throttle_authenticated_git_lfs? }
+        ),
+        **throttle_definitions_unauthenticated_git_http
+      }
+    end
+
+    def self.throttle_definitions_unauthenticated_git_http
+      {
+        'throttle_unauthenticated_git_http' => ThrottleDefinition.new(
+          Gitlab::Throttle.throttle_unauthenticated_git_http_options,
+          ->(req) { req.ip if req.throttle_unauthenticated_git_http? }
         )
       }
     end
diff --git a/lib/gitlab/rack_attack/request.rb b/lib/gitlab/rack_attack/request.rb
index e45782b8be0..63c0215c65a 100644
--- a/lib/gitlab/rack_attack/request.rb
+++ b/lib/gitlab/rack_attack/request.rb
@@ -100,6 +100,7 @@ module Gitlab
       def throttle_unauthenticated_web?
         (web_request? || frontend_request?) &&
           !should_be_skipped? &&
+          !git_path? &&
           # TODO: Column will be renamed in https://gitlab.com/gitlab-org/gitlab/-/issues/340031
           Gitlab::Throttle.settings.throttle_unauthenticated_enabled &&
           unauthenticated?
@@ -175,6 +176,12 @@ module Gitlab
           Gitlab::Throttle.settings.throttle_authenticated_packages_api_enabled
       end
 
+      def throttle_unauthenticated_git_http?
+        git_path? &&
+          Gitlab::Throttle.settings.throttle_unauthenticated_git_http_enabled &&
+          unauthenticated?
+      end
+
       def throttle_authenticated_git_lfs?
         git_lfs_path? &&
           Gitlab::Throttle.settings.throttle_authenticated_git_lfs_enabled
@@ -242,6 +249,10 @@ module Gitlab
         matches?(::Gitlab::Regex::Packages::API_PATH_REGEX)
       end
 
+      def git_path?
+        matches?(::Gitlab::PathRegex.repository_git_route_regex)
+      end
+
       def git_lfs_path?
         matches?(::Gitlab::PathRegex.repository_git_lfs_route_regex)
       end
diff --git a/lib/gitlab/throttle.rb b/lib/gitlab/throttle.rb
index 384953533b5..1aef19f1e6a 100644
--- a/lib/gitlab/throttle.rb
+++ b/lib/gitlab/throttle.rb
@@ -71,6 +71,13 @@ module Gitlab
       { limit: limit_proc, period: period_proc }
     end
 
+    def self.throttle_unauthenticated_git_http_options
+      limit_proc = proc { |req| settings.throttle_unauthenticated_git_http_requests_per_period }
+      period_proc = proc { |req| settings.throttle_unauthenticated_git_http_period_in_seconds.seconds }
+
+      { limit: limit_proc, period: period_proc }
+    end
+
     def self.throttle_authenticated_git_lfs_options
       limit_proc = proc { |req| settings.throttle_authenticated_git_lfs_requests_per_period }
       period_proc = proc { |req| settings.throttle_authenticated_git_lfs_period_in_seconds.seconds }
diff --git a/lib/gitlab/usage_data_counters.rb b/lib/gitlab/usage_data_counters.rb
index 19c6e04583e..3472d63a40a 100644
--- a/lib/gitlab/usage_data_counters.rb
+++ b/lib/gitlab/usage_data_counters.rb
@@ -13,7 +13,6 @@ module Gitlab
       WebIdeCounter,
       WikiPageCounter,
       SnippetCounter,
-      ProductivityAnalyticsCounter,
       SourceCodeCounter,
       MergeRequestWidgetExtensionCounter
     ].freeze
diff --git a/lib/gitlab/usage_data_counters/productivity_analytics_counter.rb b/lib/gitlab/usage_data_counters/productivity_analytics_counter.rb
deleted file mode 100644
index 3b92fa01fbe..00000000000
--- a/lib/gitlab/usage_data_counters/productivity_analytics_counter.rb
+++ /dev/null
@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-
-module Gitlab::UsageDataCounters
-  class ProductivityAnalyticsCounter < BaseCounter
-    KNOWN_EVENTS = %w[views].freeze
-    PREFIX = 'productivity_analytics'
-  end
-end
diff --git a/lib/gitlab/usage_data_counters/total_counter_redis_key_overrides.yml b/lib/gitlab/usage_data_counters/total_counter_redis_key_overrides.yml
index 2619f49a86d..a99631a0963 100644
--- a/lib/gitlab/usage_data_counters/total_counter_redis_key_overrides.yml
+++ b/lib/gitlab/usage_data_counters/total_counter_redis_key_overrides.yml
@@ -12,6 +12,7 @@
 '{event_counters}_usage_data_download_payload_clicked': USAGE_SERVICE_USAGE_DATA_DOWNLOAD_PAYLOAD_CLICK
 '{event_counters}_value_streams_dashboard_viewed': USAGE_VALUE_STREAMS_DASHBOARD_VIEWS
 '{event_counters}_view_cycle_analytics': USAGE_CYCLE_ANALYTICS_VIEWS
+'{event_counters}_view_productivity_analytics': USAGE_PRODUCTIVITY_ANALYTICS_VIEWS
 '{event_counters}_web_ide_viewed': WEB_IDE_VIEWS_COUNT
 '{event_counters}_status_page_incident_published': USAGE_STATUS_PAGE_INCIDENT_PUBLISHES
 '{event_counters}_status_page_incident_unpublished': USAGE_STATUS_PAGE_INCIDENT_UNPUBLISHES
diff --git a/lib/omni_auth/strategies/bitbucket.rb b/lib/omni_auth/strategies/bitbucket.rb
index d64f3dd987d..dff3652f3ca 100644
--- a/lib/omni_auth/strategies/bitbucket.rb
+++ b/lib/omni_auth/strategies/bitbucket.rb
@@ -14,12 +14,13 @@ module OmniAuth
       }
 
       uid do
-        raw_info['username']
+        raw_info['uuid']
       end
 
       info do
         {
           name: raw_info['display_name'],
+          username: raw_info['username'],
           avatar: raw_info['links']['avatar']['href'],
           email: primary_email
         }
@@ -36,7 +37,7 @@ module OmniAuth
 
       def emails
         email_response = access_token.get('api/2.0/user/emails').parsed
-        @emails ||= email_response && email_response['values'] || nil
+        @emails ||= email_response && email_response['values'] || []
       end
 
       def callback_url
diff --git a/lib/tasks/gitlab/ldap.rake b/lib/tasks/gitlab/ldap.rake
index 4da22e686ef..78a67d82096 100644
--- a/lib/tasks/gitlab/ldap.rake
+++ b/lib/tasks/gitlab/ldap.rake
@@ -5,9 +5,9 @@ namespace :gitlab do
     desc 'GitLab | LDAP | Rename provider'
     task :rename_provider, [:old_provider, :new_provider] => :gitlab_environment do |_, args|
       old_provider = args[:old_provider] ||
-        prompt('What is the old provider? Ex. \'ldapmain\': '.color(:blue))
+        prompt(Rainbow('What is the old provider? Ex. \'ldapmain\': ').blue)
       new_provider = args[:new_provider] ||
-        prompt('What is the new provider ID? Ex. \'ldapcustom\': '.color(:blue))
+        prompt(Rainbow('What is the new provider ID? Ex. \'ldapcustom\': ').blue)
       puts '' # Add some separation in the output
 
       identities = Identity.where(provider: old_provider)
@@ -31,10 +31,10 @@ namespace :gitlab do
       updated_count = identities.update_all(provider: new_provider)
 
       if updated_count == identity_count
-        puts 'User identities were successfully updated'.color(:green)
+        puts Rainbow('User identities were successfully updated').green
       else
         plural_updated_count = ActionController::Base.helpers.pluralize(updated_count, 'user')
-        puts 'Some user identities could not be updated'.color(:red)
+        puts Rainbow('Some user identities could not be updated').red
         puts "Successfully updated #{plural_updated_count} out of #{plural_id_count} total"
       end
     end
diff --git a/lib/tasks/gitlab/seed.rake b/lib/tasks/gitlab/seed.rake
index 41830065044..9cc6b906aba 100644
--- a/lib/tasks/gitlab/seed.rake
+++ b/lib/tasks/gitlab/seed.rake
@@ -16,7 +16,7 @@ namespace :gitlab do
             error_message += " Did you mean '#{potential_projects.first.full_path}'?"
           end
 
-          puts error_message.color(:red)
+          puts Rainbow(error_message).red
           exit 1
         end
 
@@ -57,7 +57,7 @@ namespace :gitlab do
               error_message += " Did you mean '#{potential_groups.first.full_path}'?"
             end
 
-            puts error_message.color(:red)
+            puts Rainbow(error_message).red
             exit 1
           end
 
diff --git a/lib/tasks/gitlab/setup.rake b/lib/tasks/gitlab/setup.rake
index 38c5902702c..2e24e38eb43 100644
--- a/lib/tasks/gitlab/setup.rake
+++ b/lib/tasks/gitlab/setup.rake
@@ -12,7 +12,7 @@ namespace :gitlab do
       Gitlab::GitalyClient::ServerService.new(name).info
     end
   rescue GRPC::Unavailable => ex
-    puts "Failed to connect to Gitaly...".color(:red)
+    puts Rainbow("Failed to connect to Gitaly...").red
     puts "Error: #{ex}"
     exit 1
   end
@@ -36,7 +36,7 @@ namespace :gitlab do
     Rake::Task["gitlab:db:lock_writes"].invoke
     Rake::Task["db:seed_fu"].invoke
   rescue Gitlab::TaskAbortedByUserError
-    puts "Quitting...".color(:red)
+    puts Rainbow("Quitting...").red
     exit 1
   end
 end
diff --git a/lib/tasks/gitlab/shell.rake b/lib/tasks/gitlab/shell.rake
index abeb5bbdf29..5eb3ff8c28b 100644
--- a/lib/tasks/gitlab/shell.rake
+++ b/lib/tasks/gitlab/shell.rake
@@ -69,12 +69,12 @@ namespace :gitlab do
 
     Key.auth.find_in_batches(batch_size: 1000) do |keys|
       unless authorized_keys.batch_add_keys(keys)
-        puts "Failed to add keys...".color(:red)
+        puts Rainbow("Failed to add keys...").red
         exit 1
       end
     end
   rescue Gitlab::TaskAbortedByUserError
-    puts "Quitting...".color(:red)
+    puts Rainbow("Quitting...").red
     exit 1
   end
 end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index fdb5631089d..b72e5ddce8f 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -3742,9 +3742,6 @@ msgstr ""
 msgid "AdminSettings|Git abuse rate limit"
 msgstr ""
 
-msgid "AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, enable the %{code_start}enable_new_sentry_integration%{code_end} feature flag and restart GitLab."
-msgstr ""
-
 msgid "AdminSettings|GitLab uses the %{bold_start}Rails%{bold_end} and %{bold_start}Browser JavaScript%{bold_end} Sentry SDKs to send events to Sentry. For changes to Rails integration settings to take effect, restart GitLab."
 msgstr ""
 
@@ -10002,9 +9999,6 @@ msgstr ""
 msgid "Can't find HEAD commit for this branch"
 msgstr ""
 
-msgid "Can't find variable: ZiteReader"
-msgstr ""
-
 msgid "Can't scan the code?"
 msgstr ""
 
@@ -12687,9 +12681,6 @@ msgstr ""
 msgid "Colorize messages"
 msgstr ""
 
-msgid "ComboSearch is not defined"
-msgstr ""
-
 msgid "Comma-separated list of branches to be automatically inspected. Leave blank to include all branches."
 msgstr ""
 
@@ -13696,6 +13687,9 @@ msgstr ""
 msgid "Configure specific limits for Files API requests that supersede the general user and IP rate limits."
 msgstr ""
 
+msgid "Configure specific limits for Git HTTP requests."
+msgstr ""
+
 msgid "Configure specific limits for Git LFS requests that supersede the general user and IP rate limits."
 msgstr ""
 
@@ -19716,6 +19710,9 @@ msgstr ""
 msgid "Enable unauthenticated API request rate limit"
 msgstr ""
 
+msgid "Enable unauthenticated Git HTTP request rate limit"
+msgstr ""
+
 msgid "Enable unauthenticated web request rate limit"
 msgstr ""
 
@@ -23088,6 +23085,9 @@ msgstr ""
 msgid "Git"
 msgstr ""
 
+msgid "Git HTTP rate limits"
+msgstr ""
+
 msgid "Git LFS is not enabled on this GitLab server, contact your admin."
 msgstr ""
 
@@ -23664,7 +23664,7 @@ msgstr ""
 msgid "GlobalSearch|%{linkStart}Exact code search (powered by Zoekt)%{linkEnd} is disabled since %{ref_elem} is not the default branch. %{docs_link}"
 msgstr ""
 
-msgid "GlobalSearch|%{linkStart}Exact code search (powered by Zoekt)%{linkEnd} is enabled"
+msgid "GlobalSearch|%{linkStart}Exact code search (powered by Zoekt)%{linkEnd} is enabled."
 msgstr ""
 
 msgid "GlobalSearch|Aggregations load error."
@@ -23838,9 +23838,6 @@ msgstr ""
 msgid "GlobalSearch|Showing top %{maxItems}"
 msgstr ""
 
-msgid "GlobalSearch|Syntax options"
-msgstr ""
-
 msgid "GlobalSearch|The search term must be at least 3 characters long."
 msgstr ""
 
@@ -23874,6 +23871,9 @@ msgstr ""
 msgid "GlobalSearch|Users"
 msgstr ""
 
+msgid "GlobalSearch|View syntax options."
+msgstr ""
+
 msgid "GlobalSearch|What are you searching for?"
 msgstr ""
 
@@ -25683,6 +25683,9 @@ msgstr ""
 msgid "Helps reduce request volume for protected paths."
 msgstr ""
 
+msgid "Helps reduce unauthenticated Git HTTP request volume for git paths."
+msgstr ""
+
 msgid "Hi %{recipient_name},"
 msgstr ""
 
@@ -31403,6 +31406,9 @@ msgstr ""
 msgid "Maximum unauthenticated API requests per rate limit period per IP"
 msgstr ""
 
+msgid "Maximum unauthenticated Git HTTP requests per period per IP"
+msgstr ""
+
 msgid "Maximum unauthenticated web requests per rate limit period per IP"
 msgstr ""
 
@@ -34941,6 +34947,9 @@ msgstr ""
 msgid "Object does not exist on the server or you don't have permissions to access it"
 msgstr ""
 
+msgid "ObservabilityLogs|Attribute"
+msgstr ""
+
 msgid "ObservabilityLogs|Attributes"
 msgstr ""
 
@@ -34962,6 +34971,9 @@ msgstr ""
 msgid "ObservabilityLogs|Fatal"
 msgstr ""
 
+msgid "ObservabilityLogs|Fingerprint"
+msgstr ""
+
 msgid "ObservabilityLogs|Info"
 msgstr ""
 
@@ -34980,21 +34992,45 @@ msgstr ""
 msgid "ObservabilityLogs|No logs to display."
 msgstr ""
 
+msgid "ObservabilityLogs|Resource Attribute"
+msgstr ""
+
 msgid "ObservabilityLogs|Resource attributes"
 msgstr ""
 
+msgid "ObservabilityLogs|Search logs..."
+msgstr ""
+
 msgid "ObservabilityLogs|Service"
 msgstr ""
 
+msgid "ObservabilityLogs|Severity"
+msgstr ""
+
 msgid "ObservabilityLogs|Showing %{count} logs"
 msgstr ""
 
+msgid "ObservabilityLogs|Span ID"
+msgstr ""
+
 msgid "ObservabilityLogs|Trace"
 msgstr ""
 
+msgid "ObservabilityLogs|Trace Flags"
+msgstr ""
+
+msgid "ObservabilityLogs|Trace ID"
+msgstr ""
+
 msgid "ObservabilityLogs|Warning"
 msgstr ""
 
+msgid "ObservabilityLogs|name"
+msgstr ""
+
+msgid "ObservabilityLogs|value"
+msgstr ""
+
 msgid "ObservabilityMetrics|+%{count} more"
 msgstr ""
 
@@ -39582,7 +39618,7 @@ msgstr ""
 msgid "Profiles|The ideal image size is 192 x 192 pixels."
 msgstr ""
 
-msgid "Profiles|The maximum file size allowed is 200KB."
+msgid "Profiles|The maximum file size allowed is 200 KiB."
 msgstr ""
 
 msgid "Profiles|This email will be displayed on your public profile."
@@ -47013,6 +47049,9 @@ msgstr ""
 msgid "SecurityReports|Confirm dismissal"
 msgstr ""
 
+msgid "SecurityReports|Container registry vulnerabilities"
+msgstr ""
+
 msgid "SecurityReports|Create Jira issue"
 msgstr ""
 
@@ -48664,6 +48703,9 @@ msgstr ""
 msgid "Signing in using %{label} has been disabled"
 msgstr ""
 
+msgid "Signing in using your %{label} account has been disabled for security reasons. Please sign in to your GitLab account using another authentication method and reconnect to your %{label} account."
+msgstr ""
+
 msgid "Signing in using your %{label} account without a pre-existing GitLab account is not allowed."
 msgstr ""
 
@@ -54817,6 +54859,12 @@ msgstr ""
 msgid "Unauthenticated API rate limit period in seconds"
 msgstr ""
 
+msgid "Unauthenticated Git HTTP rate limit period in seconds"
+msgstr ""
+
+msgid "Unauthenticated Git HTTP request rate limit"
+msgstr ""
+
 msgid "Unauthenticated requests"
 msgstr ""
 
@@ -54916,9 +54964,6 @@ msgstr ""
 msgid "Unknown format"
 msgstr ""
 
-msgid "Unknown response text"
-msgstr ""
-
 msgid "Unknown user"
 msgstr ""
 
@@ -61146,9 +61191,6 @@ msgstr ""
 msgid "it is too large"
 msgstr ""
 
-msgid "jigsaw is not defined"
-msgstr ""
-
 msgid "key result"
 msgstr ""
 
diff --git a/package.json b/package.json
index 20612d2306d..296a5864990 100644
--- a/package.json
+++ b/package.json
@@ -67,6 +67,7 @@
     "@mattiasbuelens/web-streams-adapter": "^0.1.0",
     "@rails/actioncable": "7.0.8-1",
     "@rails/ujs": "7.0.8-1",
+    "@sentry/browser": "7.102.0",
     "@snowplow/browser-plugin-client-hints": "^3.9.0",
     "@snowplow/browser-plugin-form-tracking": "^3.9.0",
     "@snowplow/browser-plugin-ga-cookies": "^3.9.0",
@@ -195,8 +196,6 @@
     "sass": "^1.69.7",
     "scrollparent": "^2.0.1",
     "semver": "^7.3.4",
-    "sentrybrowser": "npm:@sentry/browser@7.102.0",
-    "sentrybrowser5": "npm:@sentry/browser@5.30.0",
     "sortablejs": "^1.10.2",
     "string-hash": "1.1.3",
     "style-loader": "^2.0.0",
diff --git a/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_group_level_spec.rb b/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_group_level_spec.rb
index b97e16ebcf6..bde39fde877 100644
--- a/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_group_level_spec.rb
+++ b/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_group_level_spec.rb
@@ -1,7 +1,11 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Package', :object_storage, product_group: :package_registry do
+  RSpec.describe 'Package', :object_storage, product_group: :package_registry, quarantine: {
+    issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/455304',
+    only: { condition: -> { ENV['QA_RUN_TYPE']&.match?('gdk-qa-blocking') } },
+    type: :investigating
+  } do
     describe 'NuGet group level endpoint', :external_api_calls do
       using RSpec::Parameterized::TableSyntax
       include Runtime::Fixtures
diff --git a/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_project_level_spec.rb b/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_project_level_spec.rb
index 15147c1a393..1c93a2bb1c5 100644
--- a/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_project_level_spec.rb
+++ b/qa/qa/specs/features/browser_ui/5_package/package_registry/nuget/nuget_project_level_spec.rb
@@ -1,7 +1,11 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Package', :object_storage, product_group: :package_registry do
+  RSpec.describe 'Package', :object_storage, product_group: :package_registry, quarantine: {
+    issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/455027',
+    only: { condition: -> { ENV['QA_RUN_TYPE']&.match?('gdk-qa-blocking') } },
+    type: :investigating
+  } do
     describe 'NuGet project level endpoint', :external_api_calls do
       include Support::Helpers::MaskToken
 
diff --git a/spec/channels/graphql_channel_spec.rb b/spec/channels/graphql_channel_spec.rb
new file mode 100644
index 00000000000..e02c58f30f9
--- /dev/null
+++ b/spec/channels/graphql_channel_spec.rb
@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GraphqlChannel, feature_category: :api do
+  let_it_be(:merge_request) { create(:merge_request) }
+  let_it_be(:user) { create(:user, developer_of: merge_request.project) }
+  let_it_be(:read_api_token) { create(:personal_access_token, scopes: ['read_api'], user: user) }
+  let_it_be(:read_user_token) { create(:personal_access_token, scopes: ['read_user'], user: user) }
+  let_it_be(:read_api_and_read_user_token) do
+    create(:personal_access_token, scopes: %w[read_user read_api], user: user)
+  end
+
+  describe '#subscribed' do
+    let(:query) do
+      <<~GRAPHQL
+      subscription mergeRequestReviewersUpdated($issuableId: IssuableID!) {
+        mergeRequestReviewersUpdated(issuableId: $issuableId) {
+          ... on MergeRequest { id title }
+        }
+      }
+      GRAPHQL
+    end
+
+    let(:subscribe_params) do
+      {
+        query: query,
+        variables: { issuableId: merge_request.to_global_id }
+      }
+    end
+
+    before do
+      stub_action_cable_connection current_user: user
+    end
+
+    it 'subscribes to the given graphql subscription' do
+      subscribe(subscribe_params)
+
+      expect(subscription).to be_confirmed
+      expect(subscription.streams).to include(/graphql-event::mergeRequestReviewersUpdated:issuableId/)
+    end
+
+    context 'with a personal access token' do
+      before do
+        stub_action_cable_connection current_user: user, access_token: access_token
+      end
+
+      context 'with an api scoped personal access token' do
+        let(:access_token) { read_api_token }
+
+        it 'subscribes to the given graphql subscription' do
+          subscribe(subscribe_params)
+
+          expect(subscription).to be_confirmed
+          expect(subscription.streams).to include(/graphql-event::mergeRequestReviewersUpdated:issuableId/)
+        end
+      end
+
+      context 'with a read_user personal access token' do
+        let(:access_token) { read_user_token }
+
+        it 'does not subscribe to the given graphql subscription' do
+          subscribe(subscribe_params)
+
+          expect(subscription).not_to be_confirmed
+        end
+      end
+
+      context 'with a read_api and read_user personal access token' do
+        let(:access_token) { read_api_and_read_user_token }
+
+        it 'subscribes to the given graphql subscription' do
+          subscribe(subscribe_params)
+
+          expect(subscription).to be_confirmed
+          expect(subscription.streams).to include(/graphql-event::mergeRequestReviewersUpdated:issuableId/)
+        end
+      end
+    end
+  end
+end
diff --git a/spec/channels/noteable/notes_channel_spec.rb b/spec/channels/noteable/notes_channel_spec.rb
index 911e70630fa..ed8c67bb64b 100644
--- a/spec/channels/noteable/notes_channel_spec.rb
+++ b/spec/channels/noteable/notes_channel_spec.rb
@@ -4,7 +4,15 @@ require 'spec_helper'
 
 RSpec.describe Noteable::NotesChannel, feature_category: :team_planning do
   let_it_be(:project) { create(:project, :repository, :private) }
-  let_it_be(:developer) { create(:user, developer_of: project) }
+  let_it_be(:user) { create(:user, developer_of: project) }
+
+  let_it_be(:read_api_token) { create(:personal_access_token, scopes: ['read_api'], user: user) }
+  let_it_be(:read_user_token) { create(:personal_access_token, scopes: ['read_user'], user: user) }
+  let_it_be(:read_api_and_read_user_token) do
+    create(:personal_access_token, scopes: %w[read_user read_api], user: user)
+  end
+
+  let_it_be(:noteable) { create(:issue, project: project) }
 
   describe '#subscribed' do
     let(:subscribe_params) do
@@ -16,7 +24,7 @@ RSpec.describe Noteable::NotesChannel, feature_category: :team_planning do
     end
 
     before do
-      stub_action_cable_connection current_user: developer
+      stub_action_cable_connection current_user: user
     end
 
     it 'rejects the subscription when noteable params are missing' do
@@ -26,8 +34,6 @@ RSpec.describe Noteable::NotesChannel, feature_category: :team_planning do
     end
 
     context 'on an issue' do
-      let_it_be(:noteable) { create(:issue, project: project) }
-
       it_behaves_like 'handle subscription based on user access'
     end
 
@@ -37,4 +43,50 @@ RSpec.describe Noteable::NotesChannel, feature_category: :team_planning do
       it_behaves_like 'handle subscription based on user access'
     end
   end
+
+  context 'with a personal access token' do
+    let(:subscribe_params) do
+      {
+        project_id: noteable.project_id,
+        noteable_type: noteable.class.underscore,
+        noteable_id: noteable.id
+      }
+    end
+
+    before do
+      stub_action_cable_connection current_user: user, access_token: access_token
+    end
+
+    context 'with an api scoped personal access token' do
+      let(:access_token) { read_api_token }
+
+      it 'subscribes to the given graphql subscription' do
+        subscribe(subscribe_params)
+
+        expect(subscription).to be_confirmed
+        expect(subscription).to have_stream_for(noteable)
+      end
+    end
+
+    context 'with a read_user personal access token' do
+      let(:access_token) { read_user_token }
+
+      it 'does not subscribe to the given graphql subscription' do
+        subscribe(subscribe_params)
+
+        expect(subscription).not_to be_confirmed
+      end
+    end
+
+    context 'with a read_api and read_user personal access token' do
+      let(:access_token) { read_api_and_read_user_token }
+
+      it 'subscribes to the given graphql subscription' do
+        subscribe(subscribe_params)
+
+        expect(subscription).to be_confirmed
+        expect(subscription).to have_stream_for(noteable)
+      end
+    end
+  end
 end
diff --git a/spec/controllers/omniauth_callbacks_controller_spec.rb b/spec/controllers/omniauth_callbacks_controller_spec.rb
index 8070ae554b3..ac4c725e132 100644
--- a/spec/controllers/omniauth_callbacks_controller_spec.rb
+++ b/spec/controllers/omniauth_callbacks_controller_spec.rb
@@ -94,10 +94,11 @@ RSpec.describe OmniauthCallbacksController, type: :controller, feature_category:
 
   describe 'omniauth' do
     let(:user) { create(:omniauth_user, extern_uid: extern_uid, provider: provider) }
+    let(:omniauth_email) { user.email }
     let(:additional_info) { {} }
 
     before do
-      @original_env_config_omniauth_auth = mock_auth_hash(provider.to_s, extern_uid, user.email, additional_info: additional_info)
+      @original_env_config_omniauth_auth = mock_auth_hash(provider.to_s, extern_uid, omniauth_email, additional_info: additional_info)
       stub_omniauth_provider(provider, context: request)
     end
 
@@ -580,6 +581,23 @@ RSpec.describe OmniauthCallbacksController, type: :controller, feature_category:
         end
       end
     end
+
+    context "when user's identity with untrusted extern_uid" do
+      let(:provider) { 'bitbucket' }
+      let(:extern_uid) { 'untrusted-uid' }
+      let(:omniauth_email) { 'bitbucketuser@example.com' }
+
+      before do
+        user.identities.with_extern_uid(provider, extern_uid).update!(trusted_extern_uid: false)
+      end
+
+      it 'shows warning when attempting login' do
+        post provider
+
+        expect(response).to redirect_to new_user_session_path
+        expect(flash[:alert]).to eq('Signing in using your Bitbucket account has been disabled for security reasons. Please sign in to your GitLab account using another authentication method and reconnect to your Bitbucket account.')
+      end
+    end
   end
 
   describe '#openid_connect' do
diff --git a/spec/features/admin/users/admin_sees_unconfirmed_user_spec.rb b/spec/features/admin/users/admin_sees_unconfirmed_user_spec.rb
index 7b45e5b5cde..3554b3d40d2 100644
--- a/spec/features/admin/users/admin_sees_unconfirmed_user_spec.rb
+++ b/spec/features/admin/users/admin_sees_unconfirmed_user_spec.rb
@@ -14,8 +14,7 @@ RSpec.describe 'Admin sees unconfirmed user', feature_category: :user_management
   end
 
   context 'when user has an unconfirmed email', :js do
-    # Email address contains HTML to ensure email address is displayed in an HTML safe way.
-    let_it_be(:unconfirmed_email) { "#{generate(:email)}<h2>testing<img/src=http://localhost:8000/test.png>" }
+    let_it_be(:unconfirmed_email) { generate(:email) }
     let_it_be(:unconfirmed_user) { create(:user, :unconfirmed, unconfirmed_email: unconfirmed_email) }
 
     where(:path_helper) do
diff --git a/spec/features/sentry_js_spec.rb b/spec/features/sentry_js_spec.rb
index 583dcba6220..672dc3010aa 100644
--- a/spec/features/sentry_js_spec.rb
+++ b/spec/features/sentry_js_spec.rb
@@ -3,57 +3,22 @@
 require 'spec_helper'
 
 RSpec.describe 'Sentry', feature_category: :error_tracking do
-  context 'when enable_new_sentry_integration is disabled' do
-    before do
-      stub_feature_flags(enable_new_sentry_integration: false)
-    end
+  it 'does not load sentry if sentry settings are disabled' do
+    allow(Gitlab::CurrentSettings).to receive(:sentry_enabled).and_return(false)
 
-    it 'does not load sentry if sentry is disabled' do
-      allow(Gitlab.config.sentry).to receive(:enabled).and_return(false)
+    visit new_user_session_path
 
-      visit new_user_session_path
-
-      expect(has_requested_legacy_sentry).to eq(false)
-    end
-
-    it 'loads legacy sentry if sentry config is enabled', :js do
-      allow(Gitlab.config.sentry).to receive(:enabled).and_return(true)
-
-      visit new_user_session_path
-
-      expect(has_requested_legacy_sentry).to eq(true)
-      expect(evaluate_script('window._Sentry.SDK_VERSION')).to match(%r{^5\.})
-    end
+    expect(has_requested_sentry).to eq(false)
   end
 
-  context 'when enable_new_sentry_integration is enabled' do
-    before do
-      stub_feature_flags(enable_new_sentry_integration: true)
-    end
+  it 'loads sentry if sentry settings are enabled', :js do
+    allow(Gitlab::CurrentSettings).to receive(:sentry_enabled).and_return(true)
+    allow(Gitlab::CurrentSettings).to receive(:sentry_clientside_dsn).and_return('https://mockdsn@example.com/1')
 
-    it 'does not load sentry if sentry settings are disabled' do
-      allow(Gitlab::CurrentSettings).to receive(:sentry_enabled).and_return(false)
+    visit new_user_session_path
 
-      visit new_user_session_path
-
-      expect(has_requested_sentry).to eq(false)
-    end
-
-    it 'loads sentry if sentry settings are enabled', :js do
-      allow(Gitlab::CurrentSettings).to receive(:sentry_enabled).and_return(true)
-      allow(Gitlab::CurrentSettings).to receive(:sentry_clientside_dsn).and_return('https://mockdsn@example.com/1')
-
-      visit new_user_session_path
-
-      expect(has_requested_sentry).to eq(true)
-      expect(evaluate_script('window._Sentry.SDK_VERSION')).to match(%r{^7\.})
-    end
-  end
-
-  def has_requested_legacy_sentry
-    page.all('script', visible: false).one? do |elm|
-      elm[:src] =~ %r{/legacy_sentry.*\.chunk\.js\z}
-    end
+    expect(has_requested_sentry).to eq(true)
+    expect(evaluate_script('window._Sentry.SDK_VERSION')).to match(%r{^7\.})
   end
 
   def has_requested_sentry
diff --git a/spec/frontend/ci/catalog/components/list/ci_resources_list_item_spec.js b/spec/frontend/ci/catalog/components/list/ci_resources_list_item_spec.js
index 9c53fab6ec1..fbc1a8ec27d 100644
--- a/spec/frontend/ci/catalog/components/list/ci_resources_list_item_spec.js
+++ b/spec/frontend/ci/catalog/components/list/ci_resources_list_item_spec.js
@@ -7,6 +7,7 @@ import { createRouter } from '~/ci/catalog/router/index';
 import CiResourcesListItem from '~/ci/catalog/components/list/ci_resources_list_item.vue';
 import { getIdFromGraphQLId } from '~/graphql_shared/utils';
 import CiVerificationBadge from '~/ci/catalog/components/shared/ci_verification_badge.vue';
+import Markdown from '~/vue_shared/components/markdown/non_gfm_markdown.vue';
 import { catalogSinglePageResponse } from '../../mock';
 
 Vue.use(VueRouter);
@@ -46,11 +47,11 @@ describe('CiResourcesListItem', () => {
   const findBadge = () => wrapper.findComponent(GlBadge);
   const findComponentNames = () => wrapper.findByTestId('ci-resource-component-names');
   const findResourceName = () => wrapper.findByTestId('ci-resource-link');
-  const findResourceDescription = () => wrapper.findByText(defaultProps.resource.description);
   const findUserLink = () => wrapper.findByTestId('user-link');
   const findVerificationBadge = () => wrapper.findComponent(CiVerificationBadge);
   const findTimeAgoMessage = () => wrapper.findComponent(GlSprintf);
   const findFavorites = () => wrapper.findByTestId('stats-favorites');
+  const findMarkdown = () => wrapper.findComponent(Markdown);
 
   beforeEach(() => {
     routerPush = jest.spyOn(router, 'push').mockImplementation(() => {});
@@ -82,7 +83,9 @@ describe('CiResourcesListItem', () => {
     });
 
     it('renders the resource description', () => {
-      expect(findResourceDescription().exists()).toBe(true);
+      const markdown = findMarkdown();
+      expect(markdown.exists()).toBe(true);
+      expect(markdown.props().markdown).toBe(defaultProps.resource.description);
     });
   });
 
diff --git a/spec/frontend/observability/client_spec.js b/spec/frontend/observability/client_spec.js
index 46726d491fa..cee501c8d7e 100644
--- a/spec/frontend/observability/client_spec.js
+++ b/spec/frontend/observability/client_spec.js
@@ -1173,16 +1173,72 @@ describe('buildClient', () => {
         });
       });
 
+      describe('attributes filters', () => {
+        it('converts filter to proper query params', async () => {
+          await client.fetchLogs({
+            filters: {
+              attributes: {
+                service: [
+                  { operator: '=', value: 'serviceName' },
+                  { operator: '!=', value: 'serviceName2' },
+                ],
+                severityName: [
+                  { operator: '=', value: 'info' },
+                  { operator: '!=', value: 'warning' },
+                ],
+                traceId: [{ operator: '=', value: 'traceId' }],
+                spanId: [{ operator: '=', value: 'spanId' }],
+                fingerprint: [{ operator: '=', value: 'fingerprint' }],
+                traceFlags: [
+                  { operator: '=', value: '1' },
+                  { operator: '!=', value: '2' },
+                ],
+                attribute: [{ operator: '=', value: 'attr=bar' }],
+                resourceAttribute: [{ operator: '=', value: 'res=foo' }],
+                search: [{ value: 'some-search' }],
+              },
+            },
+          });
+          expect(getQueryParam()).toEqual(
+            `service_name=serviceName&not[service_name]=serviceName2` +
+              `&severity_name=info&not[severity_name]=warning` +
+              `&trace_id=traceId` +
+              `&span_id=spanId` +
+              `&fingerprint=fingerprint` +
+              `&trace_flags=1&not[trace_flags]=2` +
+              `&log_attr_name=attr&log_attr_value=bar` +
+              `&res_attr_name=res&res_attr_value=foo` +
+              `&body=some-search`,
+          );
+        });
+
+        it('ignores unsupported operators', async () => {
+          await client.fetchLogs({
+            filters: {
+              attributes: {
+                traceId: [{ operator: '!=', value: 'traceId2' }],
+                spanId: [{ operator: '!=', value: 'spanId2' }],
+                fingerprint: [{ operator: '!=', value: 'fingerprint2' }],
+                attribute: [{ operator: '!=', value: 'bar' }],
+                resourceAttribute: [{ operator: '!=', value: 'resourceAttribute2' }],
+                unsupported: [{ value: 'something', operator: '=' }],
+              },
+            },
+          });
+          expect(getQueryParam()).toEqual('');
+        });
+      });
+
       it('ignores empty filter', async () => {
         await client.fetchLogs({
-          filters: { dateRange: {} },
+          filters: { attributes: {}, dateRange: {} },
         });
         expect(getQueryParam()).toBe('');
       });
 
       it('ignores undefined filter', async () => {
         await client.fetchLogs({
-          filters: { dateRange: undefined },
+          filters: { dateRange: undefined, attributes: undefined },
         });
         expect(getQueryParam()).toBe('');
       });
diff --git a/spec/frontend/sentry/init_sentry_spec.js b/spec/frontend/sentry/init_sentry_spec.js
index 118a48cc1de..0ed27196226 100644
--- a/spec/frontend/sentry/init_sentry_spec.js
+++ b/spec/frontend/sentry/init_sentry_spec.js
@@ -1,3 +1,4 @@
+/* eslint-disable no-restricted-imports */
 import {
   BrowserClient,
   defaultStackParser,
@@ -8,8 +9,8 @@ import {
   // exports
   captureException,
   SDK_VERSION,
-} from 'sentrybrowser';
-import * as Sentry from 'sentrybrowser';
+} from '@sentry/browser';
+import * as Sentry from '@sentry/browser';
 
 import { initSentry } from '~/sentry/init_sentry';
 
@@ -23,14 +24,14 @@ const mockFeatureCategory = 'my_feature_category';
 const mockPage = 'index:page';
 const mockSentryClientsideTracesSampleRate = 0.1;
 
-jest.mock('sentrybrowser', () => {
+jest.mock('@sentry/browser', () => {
   return {
-    ...jest.createMockFromModule('sentrybrowser'),
+    ...jest.createMockFromModule('@sentry/browser'),
 
     // unmock actual configuration options
-    defaultStackParser: jest.requireActual('sentrybrowser').defaultStackParser,
-    makeFetchTransport: jest.requireActual('sentrybrowser').makeFetchTransport,
-    defaultIntegrations: jest.requireActual('sentrybrowser').defaultIntegrations,
+    defaultStackParser: jest.requireActual('@sentry/browser').defaultStackParser,
+    makeFetchTransport: jest.requireActual('@sentry/browser').makeFetchTransport,
+    defaultIntegrations: jest.requireActual('@sentry/browser').defaultIntegrations,
   };
 });
 
diff --git a/spec/frontend/sentry/legacy_index_spec.js b/spec/frontend/sentry/legacy_index_spec.js
deleted file mode 100644
index fad1760ffc5..00000000000
--- a/spec/frontend/sentry/legacy_index_spec.js
+++ /dev/null
@@ -1,51 +0,0 @@
-import index from '~/sentry/legacy_index';
-
-import LegacySentryConfig from '~/sentry/legacy_sentry_config';
-
-describe('Sentry init', () => {
-  const dsn = 'https://123@sentry.gitlab.test/123';
-  const environment = 'test';
-  const currentUserId = '1';
-  const gitlabUrl = 'gitlabUrl';
-  const revision = 'revision';
-  const featureCategory = 'my_feature_category';
-
-  beforeEach(() => {
-    window.gon = {
-      sentry_dsn: dsn,
-      sentry_environment: environment,
-      current_user_id: currentUserId,
-      gitlab_url: gitlabUrl,
-      revision,
-      feature_category: featureCategory,
-    };
-
-    jest.spyOn(LegacySentryConfig, 'init').mockImplementation();
-  });
-
-  it('exports legacy version of Sentry in the global object', () => {
-    // eslint-disable-next-line no-underscore-dangle
-    expect(window._Sentry.SDK_VERSION).toMatch(/^5\./);
-  });
-
-  describe('when called', () => {
-    beforeEach(() => {
-      index();
-    });
-
-    it('configures legacy sentry', () => {
-      expect(LegacySentryConfig.init).toHaveBeenCalledTimes(1);
-      expect(LegacySentryConfig.init).toHaveBeenCalledWith({
-        dsn,
-        currentUserId,
-        whitelistUrls: [gitlabUrl, 'webpack-internal://'],
-        environment,
-        release: revision,
-        tags: {
-          revision,
-          feature_category: featureCategory,
-        },
-      });
-    });
-  });
-});
diff --git a/spec/frontend/sentry/legacy_sentry_config_spec.js b/spec/frontend/sentry/legacy_sentry_config_spec.js
deleted file mode 100644
index 94256784ca2..00000000000
--- a/spec/frontend/sentry/legacy_sentry_config_spec.js
+++ /dev/null
@@ -1,215 +0,0 @@
-import * as Sentry5 from 'sentrybrowser5';
-import LegacySentryConfig from '~/sentry/legacy_sentry_config';
-
-describe('LegacySentryConfig', () => {
-  describe('IGNORE_ERRORS', () => {
-    it('should be an array of strings', () => {
-      const areStrings = LegacySentryConfig.IGNORE_ERRORS.every(
-        (error) => typeof error === 'string',
-      );
-
-      expect(areStrings).toBe(true);
-    });
-  });
-
-  describe('DENYLIST_URLS', () => {
-    it('should be an array of regexps', () => {
-      const areRegExps = LegacySentryConfig.DENYLIST_URLS.every((url) => url instanceof RegExp);
-
-      expect(areRegExps).toBe(true);
-    });
-  });
-
-  describe('SAMPLE_RATE', () => {
-    it('should be a finite number', () => {
-      expect(typeof LegacySentryConfig.SAMPLE_RATE).toEqual('number');
-    });
-  });
-
-  describe('init', () => {
-    const options = {
-      currentUserId: 1,
-    };
-
-    beforeEach(() => {
-      jest.spyOn(LegacySentryConfig, 'configure');
-      jest.spyOn(LegacySentryConfig, 'bindSentryErrors');
-      jest.spyOn(LegacySentryConfig, 'setUser');
-
-      LegacySentryConfig.init(options);
-    });
-
-    it('should set the options property', () => {
-      expect(LegacySentryConfig.options).toEqual(options);
-    });
-
-    it('should call the configure method', () => {
-      expect(LegacySentryConfig.configure).toHaveBeenCalled();
-    });
-
-    it('should call the error bindings method', () => {
-      expect(LegacySentryConfig.bindSentryErrors).toHaveBeenCalled();
-    });
-
-    it('should call setUser', () => {
-      expect(LegacySentryConfig.setUser).toHaveBeenCalled();
-    });
-
-    it('should not call setUser if there is no current user ID', () => {
-      LegacySentryConfig.setUser.mockClear();
-      options.currentUserId = undefined;
-
-      LegacySentryConfig.init(options);
-
-      expect(LegacySentryConfig.setUser).not.toHaveBeenCalled();
-    });
-  });
-
-  describe('configure', () => {
-    const sentryConfig = {};
-    const options = {
-      dsn: 'https://123@sentry.gitlab.test/123',
-      whitelistUrls: ['//gitlabUrl', 'webpack-internal://'],
-      environment: 'test',
-      release: 'revision',
-      tags: {
-        revision: 'revision',
-        feature_category: 'my_feature_category',
-      },
-    };
-
-    beforeEach(() => {
-      jest.spyOn(Sentry5, 'init').mockImplementation();
-      jest.spyOn(Sentry5, 'setTags').mockImplementation();
-
-      sentryConfig.options = options;
-      sentryConfig.IGNORE_ERRORS = 'ignore_errors';
-      sentryConfig.DENYLIST_URLS = 'blacklist_urls';
-
-      LegacySentryConfig.configure.call(sentryConfig);
-    });
-
-    it('should call Sentry5.init', () => {
-      expect(Sentry5.init).toHaveBeenCalledWith({
-        dsn: options.dsn,
-        release: options.release,
-        sampleRate: 0.95,
-        whitelistUrls: options.whitelistUrls,
-        environment: 'test',
-        ignoreErrors: sentryConfig.IGNORE_ERRORS,
-        blacklistUrls: sentryConfig.DENYLIST_URLS,
-      });
-    });
-
-    it('should call Sentry5.setTags', () => {
-      expect(Sentry5.setTags).toHaveBeenCalledWith(options.tags);
-    });
-
-    it('should set environment from options', () => {
-      sentryConfig.options.environment = 'development';
-
-      LegacySentryConfig.configure.call(sentryConfig);
-
-      expect(Sentry5.init).toHaveBeenCalledWith({
-        dsn: options.dsn,
-        release: options.release,
-        sampleRate: 0.95,
-        whitelistUrls: options.whitelistUrls,
-        environment: 'development',
-        ignoreErrors: sentryConfig.IGNORE_ERRORS,
-        blacklistUrls: sentryConfig.DENYLIST_URLS,
-      });
-    });
-  });
-
-  describe('setUser', () => {
-    let sentryConfig;
-
-    beforeEach(() => {
-      sentryConfig = { options: { currentUserId: 1 } };
-      jest.spyOn(Sentry5, 'setUser');
-
-      LegacySentryConfig.setUser.call(sentryConfig);
-    });
-
-    it('should call .setUser', () => {
-      expect(Sentry5.setUser).toHaveBeenCalledWith({
-        id: sentryConfig.options.currentUserId,
-      });
-    });
-  });
-
-  describe('handleSentryErrors', () => {
-    let event;
-    let req;
-    let config;
-    let err;
-
-    beforeEach(() => {
-      event = {};
-      req = { status: 'status', responseText: 'Unknown response text', statusText: 'statusText' };
-      config = { type: 'type', url: 'url', data: 'data' };
-      err = {};
-
-      jest.spyOn(Sentry5, 'captureMessage');
-
-      LegacySentryConfig.handleSentryErrors(event, req, config, err);
-    });
-
-    it('should call Sentry5.captureMessage', () => {
-      expect(Sentry5.captureMessage).toHaveBeenCalledWith(err, {
-        extra: {
-          type: config.type,
-          url: config.url,
-          data: config.data,
-          status: req.status,
-          response: req.responseText,
-          error: err,
-          event,
-        },
-      });
-    });
-
-    describe('if no err is provided', () => {
-      beforeEach(() => {
-        LegacySentryConfig.handleSentryErrors(event, req, config);
-      });
-
-      it('should use req.statusText as the error value', () => {
-        expect(Sentry5.captureMessage).toHaveBeenCalledWith(req.statusText, {
-          extra: {
-            type: config.type,
-            url: config.url,
-            data: config.data,
-            status: req.status,
-            response: req.responseText,
-            error: req.statusText,
-            event,
-          },
-        });
-      });
-    });
-
-    describe('if no req.responseText is provided', () => {
-      beforeEach(() => {
-        req.responseText = undefined;
-
-        LegacySentryConfig.handleSentryErrors(event, req, config, err);
-      });
-
-      it('should use `Unknown response text` as the response', () => {
-        expect(Sentry5.captureMessage).toHaveBeenCalledWith(err, {
-          extra: {
-            type: config.type,
-            url: config.url,
-            data: config.data,
-            status: req.status,
-            response: 'Unknown response text',
-            error: err,
-            event,
-          },
-        });
-      });
-    });
-  });
-});
diff --git a/spec/graphql/resolvers/base_resolver_spec.rb b/spec/graphql/resolvers/base_resolver_spec.rb
index 16b6212a833..c46e750f91d 100644
--- a/spec/graphql/resolvers/base_resolver_spec.rb
+++ b/spec/graphql/resolvers/base_resolver_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'
 
 RSpec.describe Resolvers::BaseResolver, feature_category: :api do
   include GraphqlHelpers
+  let_it_be(:user) { create(:user) }
 
   let(:resolver) do
     Class.new(described_class) do
@@ -247,8 +248,6 @@ RSpec.describe Resolvers::BaseResolver, feature_category: :api do
   end
 
   describe '#object' do
-    let_it_be(:user) { create(:user) }
-
     it 'returns object' do
       expect_next_instance_of(resolver) do |r|
         expect(r).to receive(:process).with(user)
@@ -275,4 +274,18 @@ RSpec.describe Resolvers::BaseResolver, feature_category: :api do
       expect(instance.offset_pagination(User.none)).to be_a(::Gitlab::Graphql::Pagination::OffsetPaginatedRelation)
     end
   end
+
+  describe '#authorized?' do
+    let(:object) { :object }
+    let(:scope_validator) { instance_double(::Gitlab::Auth::ScopeValidator) }
+    let(:context) { { current_user: user, scope_validator: scope_validator } }
+
+    it 'delegates to authorization' do
+      expect(resolver.authorization).to be_kind_of(::Gitlab::Graphql::Authorize::ObjectAuthorization)
+      expect(resolver.authorization).to receive(:ok?)
+        .with(object, user, scope_validator: scope_validator)
+
+      resolver.authorized?(object, context)
+    end
+  end
 end
diff --git a/spec/graphql/types/base_enum_spec.rb b/spec/graphql/types/base_enum_spec.rb
index db8fb877390..48ef38cbb63 100644
--- a/spec/graphql/types/base_enum_spec.rb
+++ b/spec/graphql/types/base_enum_spec.rb
@@ -139,4 +139,19 @@ RSpec.describe Types::BaseEnum, feature_category: :api do
       enum.values['TEST_VALUE']
     end
   end
+
+  describe '#authorized?' do
+    let(:object) { :object }
+    let(:scope_validator) { instance_double(::Gitlab::Auth::ScopeValidator) }
+    let(:user) { double }
+    let(:context) { { current_user: user, scope_validator: scope_validator } }
+
+    it 'delegates to authorization' do
+      expect(described_class.authorization).to be_kind_of(::Gitlab::Graphql::Authorize::ObjectAuthorization)
+      expect(described_class.authorization).to receive(:ok?)
+        .with(object, user, scope_validator: scope_validator)
+
+      described_class.authorized?(object, context)
+    end
+  end
 end
diff --git a/spec/graphql/types/base_field_spec.rb b/spec/graphql/types/base_field_spec.rb
index b52d5514368..6141259cd65 100644
--- a/spec/graphql/types/base_field_spec.rb
+++ b/spec/graphql/types/base_field_spec.rb
@@ -235,4 +235,21 @@ RSpec.describe Types::BaseField, feature_category: :api do
       described_class.new(**base_args.merge(args))
     end
   end
+
+  describe '#field_authorized?' do
+    let(:object) { :object }
+    let(:scope_validator) { instance_double(::Gitlab::Auth::ScopeValidator) }
+    let(:user) { :user }
+    let(:context) { { current_user: user, scope_validator: scope_validator } }
+
+    it 'delegates to authorization' do
+      expect_next_instance_of(::Gitlab::Graphql::Authorize::ObjectAuthorization) do |authorization|
+        expect(authorization).to receive(:ok?)
+          .with(object, user, scope_validator: scope_validator)
+      end
+
+      field = described_class.new(name: 'test', type: GraphQL::Types::String, null: true)
+      field.authorized?(object, nil, context)
+    end
+  end
 end
diff --git a/spec/graphql/types/base_object_spec.rb b/spec/graphql/types/base_object_spec.rb
index af0639e84d3..2bf9f8e3f4d 100644
--- a/spec/graphql/types/base_object_spec.rb
+++ b/spec/graphql/types/base_object_spec.rb
@@ -12,15 +12,18 @@ RSpec.describe Types::BaseObject, feature_category: :api do
           true
         end
 
-        def ok?(object, _current_user)
+        def ok?(object, _current_user, scope_validator: nil)
           return false if object == { id: 100 }
           return false if object.try(:deactivated?)
+          raise "Missing scope_validator" unless scope_validator
 
           true
         end
       end
     end
 
+    let(:scope_validator) { instance_double(::Gitlab::Auth::ScopeValidator, valid_for?: true) }
+
     let_it_be(:test_schema) do
       auth = custom_auth.new(nil)
 
@@ -172,6 +175,7 @@ RSpec.describe Types::BaseObject, feature_category: :api do
 
     let(:data) do
       {
+        scope_validator: scope_validator,
         x: {
           title: 'Hey',
           ys: [{ id: 1 }, { id: 100 }, { id: 2 }]
@@ -216,6 +220,7 @@ RSpec.describe Types::BaseObject, feature_category: :api do
       n = 7
 
       data = {
+        scope_validator: scope_validator,
         x: {
           ys: (95..105).to_a.map { |id| { id: id } }
         }
@@ -262,7 +267,10 @@ RSpec.describe Types::BaseObject, feature_category: :api do
       active_users = create_list(:user, 3, state: :active)
       inactive = create(:user, state: :deactivated)
 
-      data = { user_ids: [inactive, *active_users].map(&:id) }
+      data = {
+        scope_validator: scope_validator,
+        user_ids: [inactive, *active_users].map(&:id)
+      }
 
       doc = GraphQL.parse(<<~GQL)
       query {
@@ -281,6 +289,7 @@ RSpec.describe Types::BaseObject, feature_category: :api do
     it 'filters polymorphic connections' do
       data = {
         current_user: :the_user,
+        scope_validator: scope_validator,
         x: {
           values: [{ value: 1 }, { value: 2 }, { value: 3 }, { value: 4 }]
         }
@@ -324,6 +333,7 @@ RSpec.describe Types::BaseObject, feature_category: :api do
     it 'filters interface connections' do
       data = {
         current_user: :the_user,
+        scope_validator: scope_validator,
         x: {
           values: [{ value: 1 }, { value: 2 }, { value: 3 }, { value: 4 }]
         }
@@ -368,6 +378,7 @@ RSpec.describe Types::BaseObject, feature_category: :api do
     it 'redacts polymorphic objects' do
       data = {
         current_user: :the_user,
+        scope_validator: scope_validator,
         x: {
           values: [{ value: 1 }]
         }
@@ -408,7 +419,10 @@ RSpec.describe Types::BaseObject, feature_category: :api do
       inactive = create_list(:user, n - 1, state: :deactivated)
       active_users = create_list(:user, 2, state: :active)
 
-      data = { user_ids: [*inactive, *active_users].map(&:id) }
+      data = {
+        scope_validator: scope_validator,
+        user_ids: [*inactive, *active_users].map(&:id)
+      }
 
       doc = GraphQL.parse(<<~GQL)
       query {
diff --git a/spec/lib/banzai/filter/markdown_engines/glfm_markdown_spec.rb b/spec/lib/banzai/filter/markdown_engines/glfm_markdown_spec.rb
index da58b824a06..dfd7b8f0cce 100644
--- a/spec/lib/banzai/filter/markdown_engines/glfm_markdown_spec.rb
+++ b/spec/lib/banzai/filter/markdown_engines/glfm_markdown_spec.rb
@@ -5,13 +5,43 @@ require 'spec_helper'
 RSpec.describe Banzai::Filter::MarkdownEngines::GlfmMarkdown, feature_category: :team_planning do
   it 'defaults to generating sourcepos' do
     engine = described_class.new({})
+    expected = <<~TEXT
+      <h1 data-sourcepos="1:1-1:4"><a href="#hi" aria-hidden="true" class="anchor" id="user-content-hi"></a>hi</h1>
+    TEXT
 
-    expect(engine.render('# hi')).to eq %(<h1 data-sourcepos="1:1-1:4">hi</h1>\n)
+    expect(engine.render('# hi')).to eq expected
   end
 
   it 'turns off sourcepos' do
     engine = described_class.new({ no_sourcepos: true })
+    expected = <<~TEXT
+      <h1><a href="#hi" aria-hidden="true" class="anchor" id="user-content-hi"></a>hi</h1>
+    TEXT
 
-    expect(engine.render('# hi')).to eq %(<h1>hi</h1>\n)
+    expect(engine.render('# hi')).to eq expected
+  end
+
+  it 'turns off header anchors' do
+    engine = described_class.new({ no_header_anchors: true, no_sourcepos: true })
+    expected = <<~TEXT
+      <h1>hi</h1>
+    TEXT
+
+    expect(engine.render('# hi')).to eq expected
+  end
+
+  context 'when feature flag is disabled' do
+    before do
+      stub_feature_flags(native_header_anchors: false)
+    end
+
+    it 'turns off header anchors' do
+      engine = described_class.new({ no_sourcepos: true })
+      expected = <<~TEXT
+        <h1>hi</h1>
+      TEXT
+
+      expect(engine.render('# hi')).to eq expected
+    end
   end
 end
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb
index fc3a50c5ce2..e40b65fce7b 100644
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -192,5 +192,35 @@ RSpec.describe Banzai::Filter::SanitizationFilter, feature_category: :team_plann
         end
       end
     end
+
+    describe 'link anchors' do
+      it 'allows id property on anchor links' do
+        exp = %q(<a href="#this-is-a-header" class="anchor" id="user-content-this-is-a-header"></a>)
+        act = filter(exp)
+
+        expect(act.to_html).to eq exp
+      end
+
+      it 'removes id property for non-anchor links' do
+        exp = %q(<a href="#this-is-a-header"></a>)
+        act = filter(%q(<a href="#this-is-a-header" id="user-content-this-is-a-header"></a>))
+
+        expect(act.to_html).to eq exp
+      end
+
+      it 'removes id property for non-user-content links' do
+        exp = %q(<a href="#this-is-a-header" class="anchor"></a>)
+        act = filter(%q(<a href="#this-is-a-header" class="anchor" id="this-is-a-header"></a>))
+
+        expect(act.to_html).to eq exp
+      end
+
+      it 'removes class property for non-anchor links' do
+        exp = %q(<a href="#this-is-a-header"></a>)
+        act = filter(%q(<a href="#this-is-a-header" class="some-other-class anchor"></a>))
+
+        expect(act.to_html).to eq exp
+      end
+    end
   end
 end
diff --git a/spec/lib/banzai/filter/table_of_contents_filter_spec.rb b/spec/lib/banzai/filter/table_of_contents_filter_spec.rb
index 31e6313215e..bd55cce8d3f 100644
--- a/spec/lib/banzai/filter/table_of_contents_filter_spec.rb
+++ b/spec/lib/banzai/filter/table_of_contents_filter_spec.rb
@@ -2,6 +2,10 @@
 
 require 'spec_helper'
 
+# TODO: This is now a legacy filter, and is only used with the Ruby parser.
+# The current markdown parser now properly handles adding anchors to headers.
+# The Ruby parser is now only for benchmarking purposes.
+# issue: https://gitlab.com/gitlab-org/gitlab/-/issues/454601
 RSpec.describe Banzai::Filter::TableOfContentsFilter, feature_category: :team_planning do
   include FilterSpecHelper
 
@@ -9,20 +13,28 @@ RSpec.describe Banzai::Filter::TableOfContentsFilter, feature_category: :team_pl
     "<h#{level}>#{text}</h#{level}>\n"
   end
 
+  before do
+    stub_feature_flags(native_header_anchors: false)
+  end
+
+  # TODO: enable when feature flag is removed
+  # let_it_be(:context) { { markdown_engine: Banzai::Filter::MarkdownFilter::CMARK_ENGINE } }
+  let_it_be(:context) { {} }
+
   it 'does nothing when :no_header_anchors is truthy' do
     exp = act = header(1, 'Header')
-    expect(filter(act, no_header_anchors: 1).to_html).to eq exp
+    expect(filter(act, context.merge({ no_header_anchors: 1 })).to_html).to eq exp
   end
 
   it 'does nothing with empty headers' do
     exp = act = header(1, nil)
-    expect(filter(act).to_html).to eq exp
+    expect(filter(act, context).to_html).to eq exp
   end
 
   1.upto(6) do |i|
     it "processes h#{i} elements" do
       html = header(i, "Header #{i}")
-      doc = filter(html)
+      doc = filter(html, context)
 
       expect(doc.css("h#{i} a").first.attr('id')).to eq "user-content-header-#{i}"
     end
@@ -30,57 +42,57 @@ RSpec.describe Banzai::Filter::TableOfContentsFilter, feature_category: :team_pl
 
   describe 'anchor tag' do
     it 'has an `anchor` class' do
-      doc = filter(header(1, 'Header'))
+      doc = filter(header(1, 'Header'), context)
       expect(doc.css('h1 a').first.attr('class')).to eq 'anchor'
     end
 
     it 'has a namespaced id' do
-      doc = filter(header(1, 'Header'))
+      doc = filter(header(1, 'Header'), context)
       expect(doc.css('h1 a').first.attr('id')).to eq 'user-content-header'
     end
 
     it 'links to the non-namespaced id' do
-      doc = filter(header(1, 'Header'))
+      doc = filter(header(1, 'Header'), context)
       expect(doc.css('h1 a').first.attr('href')).to eq '#header'
     end
 
     describe 'generated IDs' do
       it 'translates spaces to dashes' do
-        doc = filter(header(1, 'This header has spaces in it'))
+        doc = filter(header(1, 'This header has spaces in it'), context)
         expect(doc.css('h1 a').first.attr('href')).to eq '#this-header-has-spaces-in-it'
       end
 
       it 'squeezes multiple spaces and dashes' do
-        doc = filter(header(1, 'This---header     is poorly-formatted'))
+        doc = filter(header(1, 'This---header     is poorly-formatted'), context)
         expect(doc.css('h1 a').first.attr('href')).to eq '#this-header-is-poorly-formatted'
       end
 
       it 'removes punctuation' do
-        doc = filter(header(1, "This, header! is, filled. with @ punctuation?"))
+        doc = filter(header(1, "This, header! is, filled. with @ punctuation?"), context)
         expect(doc.css('h1 a').first.attr('href')).to eq '#this-header-is-filled-with-punctuation'
       end
 
       it 'removes any leading or trailing spaces' do
-        doc = filter(header(1, " \r\n\tTitle with spaces\r\n\t "))
+        doc = filter(header(1, " \r\n\tTitle with spaces\r\n\t "), context)
         expect(doc.css('h1 a').first.attr('href')).to eq '#title-with-spaces'
       end
 
       it 'appends a unique number to duplicates' do
-        doc = filter(header(1, 'One') + header(2, 'One'))
+        doc = filter(header(1, 'One') + header(2, 'One'), context)
 
         expect(doc.css('h1 a').first.attr('href')).to eq '#one'
         expect(doc.css('h2 a').first.attr('href')).to eq '#one-1'
       end
 
       it 'prepends a prefix to digits-only ids' do
-        doc = filter(header(1, "123") + header(2, "1.0"))
+        doc = filter(header(1, "123") + header(2, "1.0"), context)
 
         expect(doc.css('h1 a').first.attr('href')).to eq '#anchor-123'
         expect(doc.css('h2 a').first.attr('href')).to eq '#anchor-10'
       end
 
       it 'supports Unicode' do
-        doc = filter(header(1, '한글'))
+        doc = filter(header(1, '한글'), context)
         expect(doc.css('h1 a').first.attr('id')).to eq 'user-content-한글'
         # check that we encode the href to avoid issues with the
         # ExternalLinkFilter (see https://gitlab.com/gitlab-org/gitlab/issues/26210)
@@ -88,7 +100,7 @@ RSpec.describe Banzai::Filter::TableOfContentsFilter, feature_category: :team_pl
       end
 
       it 'limits header href length with 255 characters' do
-        doc = filter(header(1, 'a' * 500))
+        doc = filter(header(1, 'a' * 500), context)
 
         expect(doc.css('h1 a').first.attr('href')).to eq "##{'a' * 255}"
       end
@@ -97,7 +109,7 @@ RSpec.describe Banzai::Filter::TableOfContentsFilter, feature_category: :team_pl
 
   describe 'result' do
     def result(html)
-      HTML::Pipeline.new([described_class]).call(html)
+      HTML::Pipeline.new([described_class], context).call(html)
     end
 
     let(:results) { result(header(1, 'Header 1') + header(2, 'Header 2')) }
diff --git a/spec/lib/banzai/filter/table_of_contents_tag_filter_spec.rb b/spec/lib/banzai/filter/table_of_contents_tag_filter_spec.rb
index 322225b38a9..fca44101657 100644
--- a/spec/lib/banzai/filter/table_of_contents_tag_filter_spec.rb
+++ b/spec/lib/banzai/filter/table_of_contents_tag_filter_spec.rb
@@ -44,4 +44,86 @@ RSpec.describe Banzai::Filter::TableOfContentsTagFilter, feature_category: :team
       end
     end
   end
+
+  describe 'structure of a toc' do
+    def header(level, text)
+      "#{'#' * level} #{text}\n"
+    end
+
+    def result(html)
+      HTML::Pipeline.new([Banzai::Filter::MarkdownFilter, described_class]).call(html)
+    end
+
+    let(:results) { result("[toc]\n\n#{header(1, 'Header 1')}#{header(2, 'Header 2')}") }
+    let(:doc) { results[:output] }
+
+    it 'is contained within a `ul` element' do
+      expect(doc.children.first.name).to eq 'ul'
+      expect(doc.children.first.attr('class')).to eq 'section-nav'
+    end
+
+    it 'contains an `li` element for each header' do
+      expect(doc.css('li').length).to eq 2
+
+      links = doc.css('li a')
+
+      expect(links.first.attr('href')).to eq '#header-1'
+      expect(links.first.text).to eq 'Header 1'
+      expect(links.last.attr('href')).to eq '#header-2'
+      expect(links.last.text).to eq 'Header 2'
+    end
+
+    context 'table of contents nesting' do
+      let(:results) do
+        result(
+          <<~MARKDOWN
+            [toc]
+
+            #{header(1, 'Header 1')}
+            #{header(2, 'Header 1-1')}
+            #{header(3, 'Header 1-1-1')}
+            #{header(2, 'Header 1-2')}
+            #{header(1, 'Header 2')}
+            #{header(2, 'Header 2-1')}
+            #{header(2, 'Header 2-1b')}
+          MARKDOWN
+        )
+      end
+
+      it 'keeps list levels regarding header levels' do
+        items = doc.css('li')
+
+        # Header 1
+        expect(items[0].ancestors).to satisfy_none { |node| node.name == 'li' }
+
+        # Header 1-1
+        expect(items[1].ancestors).to include(items[0])
+
+        # Header 1-1-1
+        expect(items[2].ancestors).to include(items[0], items[1])
+
+        # Header 1-2
+        expect(items[3].ancestors).to include(items[0])
+        expect(items[3].ancestors).not_to include(items[1])
+
+        # Header 2
+        expect(items[4].ancestors).to satisfy_none { |node| node.name == 'li' }
+
+        # Header 2-1
+        expect(items[5].ancestors).to include(items[4])
+
+        # Header 2-1b
+        expect(items[6].ancestors).to include(items[4])
+      end
+    end
+
+    context 'header text contains escaped content' do
+      let(:content) { '&lt;img src="x" onerror="alert(42)"&gt;' }
+      let(:results) { result(header(1, content)) }
+
+      it 'outputs escaped content' do
+        expect(doc.inner_html).to include(content)
+      end
+    end
+  end
 end
diff --git a/spec/lib/gitlab/auth/o_auth/user_spec.rb b/spec/lib/gitlab/auth/o_auth/user_spec.rb
index d02c9d16373..c1629f5a435 100644
--- a/spec/lib/gitlab/auth/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/auth/o_auth/user_spec.rb
@@ -31,19 +31,130 @@ RSpec.describe Gitlab::Auth::OAuth::User, feature_category: :system_access do
   let(:ldap_user_2) { Gitlab::Auth::Ldap::Person.new(Net::LDAP::Entry.new, 'ldapmain') }
 
   describe '.find_by_uid_and_provider' do
-    let(:dn) { 'CN=John Åström, CN=Users, DC=Example, DC=com' }
+    let(:provider) { 'provider' }
+    let(:uid) { 'uid' }
+    let(:user) { create(:user) }
+    let!(:identity) { create(:identity, provider: provider, extern_uid: uid, user: user) }
 
-    it 'retrieves the correct user' do
-      special_info = {
-        name: 'John Åström',
-        email: 'john@example.com',
-        nickname: 'jastrom'
-      }
-      special_hash = OmniAuth::AuthHash.new(uid: dn, provider: 'ldapmain', info: special_info)
-      special_chars_user = described_class.new(special_hash)
-      user = special_chars_user.save
+    context 'when user exists for given uid and provider' do
+      it 'returns the user for given uid and provider' do
+        expect(described_class.find_by_uid_and_provider(uid, provider)).to eq user
+      end
 
-      expect(described_class.find_by_uid_and_provider(dn, 'ldapmain')).to eq user
+      context "when user's identity with untrusted extern_uid" do
+        before do
+          identity.update!(trusted_extern_uid: false)
+        end
+
+        it 'raises Gitlab::Auth::OAuth::User::IdentityWithUntrustedExternUidError' do
+          expect { described_class.find_by_uid_and_provider(uid, provider) }
+            .to raise_error(Gitlab::Auth::OAuth::User::IdentityWithUntrustedExternUidError)
+        end
+      end
+    end
+
+    context 'when user does not exist for given uid and provider' do
+      it 'returns nil' do
+        expect(described_class.find_by_uid_and_provider('unknown-uid', provider)).to eq nil
+      end
+    end
+
+    context 'when identity exists for given uid and provider but is not tied to a user' do
+      before do
+        identity.update!(user: nil)
+      end
+
+      it 'returns nil' do
+        expect(described_class.find_by_uid_and_provider(uid, provider)).to eq nil
+      end
+    end
+
+    # This context should be removed by https://gitlab.com/gitlab-org/gitlab/-/issues/456424
+    context 'for fallback that allows sign-ins to GitLab with Bitbucket identity with untrusted extern_uid when email matches' do
+      let(:provider) { 'bitbucket' }
+      let(:bitbucket_username) { user.username }
+      let(:bitbucket_email) { user.email }
+      let!(:identity) { create(:identity, provider: provider, extern_uid: user.username, user: user, trusted_extern_uid: false) }
+
+      let(:auth_hash) do
+        OmniAuth::AuthHash.new(uid: uid, provider: provider, username: bitbucket_username, email: bitbucket_email)
+      end
+
+      context 'when Bitbucket and GitLab accounts have the same email' do
+        it "updates the identity's extern_uid; updates the identity's trusted_extern_uid to true; returns the user" do
+          expect(identity.reload.extern_uid).not_to eq(uid)
+          expect(identity.reload.extern_uid).to eq(user.username)
+          expect(identity.reload.trusted_extern_uid).to eq(false)
+
+          expect(described_class.find_by_uid_and_provider(uid, provider, auth_hash)).to eq user
+
+          expect(identity.reload.extern_uid).to eq(uid)
+          expect(identity.reload.trusted_extern_uid).to eq(true)
+        end
+      end
+
+      context 'when auth_hash argument is not provided' do
+        it 'returns nil' do
+          expect(described_class.find_by_uid_and_provider(uid, provider)).to eq nil
+        end
+      end
+
+      context 'when Bitbucket and GitLab accounts have different emails' do
+        let(:bitbucket_email) { 'bitbucketuser@example.com' }
+
+        it 'raises Gitlab::Auth::OAuth::User::IdentityWithUntrustedExternUidError' do
+          expect { described_class.find_by_uid_and_provider(uid, provider, auth_hash) }
+            .to raise_error(Gitlab::Auth::OAuth::User::IdentityWithUntrustedExternUidError)
+        end
+      end
+
+      context 'when there is no Bitbucket identity with untrusted extern_uid' do
+        let(:bitbucket_username) { 'bitbucketuser' }
+
+        it 'returns nil' do
+          expect(described_class.find_by_uid_and_provider(uid, provider, auth_hash)).to eq nil
+        end
+      end
+
+      context 'when identity exists for given untrusted uid and provider but is not tied to a user' do
+        before do
+          identity.update!(user: nil)
+        end
+
+        it 'raises Gitlab::Auth::OAuth::User::IdentityWithUntrustedExternUidError' do
+          expect { described_class.find_by_uid_and_provider(uid, provider, auth_hash) }
+            .to raise_error(Gitlab::Auth::OAuth::User::IdentityWithUntrustedExternUidError)
+        end
+      end
+
+      context 'when bitbucket identity with trusted_extern_uid' do
+        let!(:identity) { create(:identity, provider: provider, extern_uid: uid, user: user) }
+
+        it "does not update the identity and returns the user" do
+          identity_updated_at = identity.reload.updated_at
+
+          expect(described_class.find_by_uid_and_provider(uid, provider, auth_hash)).to eq user
+
+          expect(identity.reload.updated_at).to eq(identity_updated_at)
+        end
+      end
+    end
+
+    context 'for LDAP' do
+      let(:dn) { 'CN=John Åström, CN=Users, DC=Example, DC=com' }
+
+      it 'retrieves the correct user' do
+        special_info = {
+          name: 'John Åström',
+          email: 'john@example.com',
+          nickname: 'jastrom'
+        }
+        special_hash = OmniAuth::AuthHash.new(uid: dn, provider: 'ldapmain', info: special_info)
+        special_chars_user = described_class.new(special_hash)
+        user = special_chars_user.save
+
+        expect(described_class.find_by_uid_and_provider(dn, 'ldapmain')).to eq user
+      end
     end
   end
 
diff --git a/spec/lib/gitlab/background_migration/backfill_workspace_variables_project_id_spec.rb b/spec/lib/gitlab/background_migration/backfill_workspace_variables_project_id_spec.rb
new file mode 100644
index 00000000000..3a1b3262fb7
--- /dev/null
+++ b/spec/lib/gitlab/background_migration/backfill_workspace_variables_project_id_spec.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::BackgroundMigration::BackfillWorkspaceVariablesProjectId,
+  feature_category: :remote_development,
+  schema: 20240419035356 do
+  include_examples 'desired sharding key backfill job' do
+    let(:batch_table) { :workspace_variables }
+    let(:backfill_column) { :project_id }
+    let(:backfill_via_table) { :workspaces }
+    let(:backfill_via_column) { :project_id }
+    let(:backfill_via_foreign_key) { :workspace_id }
+  end
+end
diff --git a/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb b/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb
index 2064a592246..fcb5721382d 100644
--- a/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb
+++ b/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb
@@ -226,6 +226,30 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator, featu
       end
     end
 
+    context 'when given a malformed schema version' do
+      let(:security_report_failure) { 'using_unsupported_schema_version' }
+
+      [
+        '../../../../../../../../../spec/fixtures/security_reports/master/gl-secret-detection-report.json',
+        './fixtures/gl-secret-detection.json',
+        '%2e%2e%2f1.2.3'
+      ].each do |version|
+        context version do
+          let(:report_version) { version }
+
+          it { is_expected.to be_falsey }
+
+          it_behaves_like 'logs related information'
+
+          it 'ensures version is not passed to schemer' do
+            expect(JSONSchemer).not_to receive(:schema)
+
+            subject
+          end
+        end
+      end
+    end
+
     context 'when not given a schema version' do
       let(:report_version) { nil }
 
@@ -290,14 +314,13 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator, featu
 
       context 'and the report does not pass schema validation' do
         let(:report_data) do
-          valid_data['version'] = "V2.7.0"
+          valid_data['version'] = "2.7.0"
           valid_data.delete('vulnerabilities')
           valid_data
         end
 
         let(:expected_errors) do
           [
-            "property '/version' does not match pattern: ^[0-9]+\\.[0-9]+\\.[0-9]+$",
             "root is missing required keys: vulnerabilities"
           ]
         end
@@ -356,7 +379,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator, featu
 
       let(:expected_errors) do
         [
-          "root is missing required keys: version",
           expected_missing_version_message
         ]
       end
@@ -398,7 +420,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator, featu
     context 'when given a deprecated schema version' do
       let(:deprecations_hash) do
         {
-          dast: %w[V2.7.0]
+          dast: %w[2.7.0]
         }
       end
 
@@ -426,7 +448,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator, featu
 
       context 'and the report does not pass schema validation' do
         let(:report_data) do
-          valid_data['version'] = "V2.7.0"
+          valid_data['version'] = "2.7.0"
           valid_data.delete('vulnerabilities')
           valid_data
         end
diff --git a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
index a795957f81e..9abea9f1281 100644
--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -346,28 +346,14 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader, feature_category: :s
     end
 
     context 'when sentry is configured' do
-      let(:legacy_dsn) { 'dummy://abc@legacy-sentry.example.com/1' }
       let(:dsn) { 'dummy://def@sentry.example.com/2' }
 
       before do
         stub_config_setting(host: 'gitlab.example.com')
       end
 
-      context 'when legacy sentry is configured' do
-        before do
-          allow(Gitlab.config.sentry).to receive(:enabled).and_return(true)
-          allow(Gitlab.config.sentry).to receive(:clientside_dsn).and_return(legacy_dsn)
-          allow(Gitlab::CurrentSettings).to receive(:sentry_enabled).and_return(false)
-        end
-
-        it 'adds legacy sentry path to CSP' do
-          expect(connect_src).to eq("'self' ws://gitlab.example.com dummy://legacy-sentry.example.com")
-        end
-      end
-
       context 'when sentry is configured' do
         before do
-          allow(Gitlab.config.sentry).to receive(:enabled).and_return(false)
           allow(Gitlab::CurrentSettings).to receive(:sentry_enabled).and_return(true)
           allow(Gitlab::CurrentSettings).to receive(:sentry_clientside_dsn).and_return(dsn)
         end
@@ -379,8 +365,6 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader, feature_category: :s
 
       context 'when sentry settings are from older schemas and sentry setting are missing' do
         before do
-          allow(Gitlab.config.sentry).to receive(:enabled).and_return(false)
-
           allow(Gitlab::CurrentSettings).to receive(:respond_to?).with(:sentry_enabled).and_return(false)
           allow(Gitlab::CurrentSettings).to receive(:sentry_enabled).and_raise(NoMethodError)
 
@@ -392,31 +376,6 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader, feature_category: :s
           expect(connect_src).to eq("'self' ws://gitlab.example.com")
         end
       end
-
-      context 'when legacy sentry and sentry are both configured' do
-        let(:connect_src_expectation) do
-          # rubocop:disable Lint/PercentStringArray
-          %w[
-            'self'
-            ws://gitlab.example.com
-            dummy://legacy-sentry.example.com
-            dummy://sentry.example.com
-          ].join(' ')
-          # rubocop:enable Lint/PercentStringArray
-        end
-
-        before do
-          allow(Gitlab.config.sentry).to receive(:enabled).and_return(true)
-          allow(Gitlab.config.sentry).to receive(:clientside_dsn).and_return(legacy_dsn)
-
-          allow(Gitlab::CurrentSettings).to receive(:sentry_enabled).and_return(true)
-          allow(Gitlab::CurrentSettings).to receive(:sentry_clientside_dsn).and_return(dsn)
-        end
-
-        it 'adds both sentry paths to CSP' do
-          expect(connect_src).to eq(connect_src_expectation)
-        end
-      end
     end
 
     describe 'Customer portal frames' do
diff --git a/spec/lib/gitlab/error_tracking/log_formatter_spec.rb b/spec/lib/gitlab/error_tracking/log_formatter_spec.rb
index 15d201401f4..7773e33a5ff 100644
--- a/spec/lib/gitlab/error_tracking/log_formatter_spec.rb
+++ b/spec/lib/gitlab/error_tracking/log_formatter_spec.rb
@@ -27,9 +27,9 @@ RSpec.describe Gitlab::ErrorTracking::LogFormatter do
   end
 
   before do
-    Raven.context.user[:user_flag] = 'flag'
-    Raven.context.tags[:shard] = 'catchall'
-    Raven.context.extra[:some_info] = 'info'
+    Sentry.get_current_scope.user[:user_flag] = 'flag'
+    Sentry.get_current_scope.tags[:shard] = 'catchall'
+    Sentry.get_current_scope.extra[:some_info] = 'info'
 
     allow(exception).to receive(:backtrace).and_return(
       [
@@ -40,7 +40,7 @@ RSpec.describe Gitlab::ErrorTracking::LogFormatter do
   end
 
   after do
-    ::Raven::Context.clear!
+    Sentry.get_current_scope.clear
   end
 
   it 'appends error-related log fields and filters sensitive Sidekiq arguments' do
diff --git a/spec/lib/gitlab/error_tracking/processor/context_payload_processor_spec.rb b/spec/lib/gitlab/error_tracking/processor/context_payload_processor_spec.rb
index c9b632b50e1..cf0e45eb833 100644
--- a/spec/lib/gitlab/error_tracking/processor/context_payload_processor_spec.rb
+++ b/spec/lib/gitlab/error_tracking/processor/context_payload_processor_spec.rb
@@ -4,18 +4,29 @@ require 'spec_helper'
 
 RSpec.describe Gitlab::ErrorTracking::Processor::ContextPayloadProcessor do
   describe '.call' do
-    let(:required_options) do
+    let(:event) { Sentry::Event.new(configuration: Sentry.configuration) }
+    let(:result_hash) { described_class.call(event).to_hash }
+    let(:payload) do
       {
-        configuration: Raven.configuration,
-        context: Raven.context,
-        breadcrumbs: Raven.breadcrumbs
+        user: { ip_address: '127.0.0.1' },
+        tags: { priority: 'high' },
+        extra: { sidekiq: { class: 'SomeWorker', args: ['[FILTERED]', 1, 2] } }
       }
     end
 
-    let(:event) { Raven::Event.new(required_options.merge(payload)) }
-    let(:result_hash) { described_class.call(event).to_hash }
+    around do |example|
+      Sentry.with_scope do |scope|
+        scope.set_user(payload[:user])
+        scope.set_tags(payload[:tags])
+        scope.set_extras(payload[:extra])
+
+        example.run
+      end
+    end
 
     before do
+      Sentry.get_current_scope.apply_to_event(event)
+
       allow_next_instance_of(Gitlab::ErrorTracking::ContextPayloadGenerator) do |generator|
         allow(generator).to receive(:generate).and_return(
           user: { username: 'root' },
@@ -25,14 +36,6 @@ RSpec.describe Gitlab::ErrorTracking::Processor::ContextPayloadProcessor do
       end
     end
 
-    let(:payload) do
-      {
-        user: { ip_address: '127.0.0.1' },
-        tags: { priority: 'high' },
-        extra: { sidekiq: { class: 'SomeWorker', args: ['[FILTERED]', 1, 2] } }
-      }
-    end
-
     it 'merges the context payload into event payload', :aggregate_failures do
       expect(result_hash[:user]).to include(ip_address: '127.0.0.1', username: 'root')
 
diff --git a/spec/lib/gitlab/error_tracking/processor/grpc_error_processor_spec.rb b/spec/lib/gitlab/error_tracking/processor/grpc_error_processor_spec.rb
index 3399c6dd9f4..2c886738f09 100644
--- a/spec/lib/gitlab/error_tracking/processor/grpc_error_processor_spec.rb
+++ b/spec/lib/gitlab/error_tracking/processor/grpc_error_processor_spec.rb
@@ -4,19 +4,6 @@ require 'spec_helper'
 
 RSpec.describe Gitlab::ErrorTracking::Processor::GrpcErrorProcessor, :sentry, feature_category: :integrations do
   describe '.call' do
-    let(:raven_required_options) do
-      {
-        configuration: Raven.configuration,
-        context: Raven.context,
-        breadcrumbs: Raven.breadcrumbs
-      }
-    end
-
-    let(:raven_event) do
-      Raven::Event
-        .from_exception(exception, raven_required_options.merge(data))
-    end
-
     let(:sentry_event) do
       Sentry.get_current_client.event_from_exception(exception)
     end
@@ -52,12 +39,6 @@ RSpec.describe Gitlab::ErrorTracking::Processor::GrpcErrorProcessor, :sentry, fe
         it { expect(result_hash).to include(data) }
       end
 
-      context 'with Raven event' do
-        let(:event) { raven_event }
-
-        it_behaves_like 'leaves data unchanged'
-      end
-
       context 'with Sentry event' do
         let(:event) { sentry_event }
 
@@ -97,12 +78,6 @@ RSpec.describe Gitlab::ErrorTracking::Processor::GrpcErrorProcessor, :sentry, fe
         end
       end
 
-      context 'with Raven event' do
-        let(:event) { raven_event }
-
-        it_behaves_like 'processes the exception'
-      end
-
       context 'with Sentry event' do
         let(:event) { sentry_event }
 
@@ -160,12 +135,6 @@ RSpec.describe Gitlab::ErrorTracking::Processor::GrpcErrorProcessor, :sentry, fe
         end
       end
 
-      context 'with Raven event' do
-        let(:event) { raven_event }
-
-        it_behaves_like 'processes the exception'
-      end
-
       context 'with Sentry event' do
         let(:event) { sentry_event }
 
diff --git a/spec/lib/gitlab/error_tracking/processor/sanitize_error_message_processor_spec.rb b/spec/lib/gitlab/error_tracking/processor/sanitize_error_message_processor_spec.rb
index 74b6df24178..8cf93287c2c 100644
--- a/spec/lib/gitlab/error_tracking/processor/sanitize_error_message_processor_spec.rb
+++ b/spec/lib/gitlab/error_tracking/processor/sanitize_error_message_processor_spec.rb
@@ -20,20 +20,6 @@ RSpec.describe Gitlab::ErrorTracking::Processor::SanitizeErrorMessageProcessor,
       end
     end
 
-    context 'with Raven event' do
-      let(:raven_required_options) do
-        {
-          configuration: Raven.configuration,
-          context: Raven.context,
-          breadcrumbs: Raven.breadcrumbs
-        }
-      end
-
-      let(:event) { Raven::Event.from_exception(exception, raven_required_options) }
-
-      it_behaves_like 'processes the exception'
-    end
-
     context 'with Sentry event' do
       let(:event) { Sentry.get_current_client.event_from_exception(exception) }
 
diff --git a/spec/lib/gitlab/error_tracking/processor/sidekiq_processor_spec.rb b/spec/lib/gitlab/error_tracking/processor/sidekiq_processor_spec.rb
index bc4526758c0..4dd780addf0 100644
--- a/spec/lib/gitlab/error_tracking/processor/sidekiq_processor_spec.rb
+++ b/spec/lib/gitlab/error_tracking/processor/sidekiq_processor_spec.rb
@@ -97,18 +97,6 @@ RSpec.describe Gitlab::ErrorTracking::Processor::SidekiqProcessor, :sentry do
   describe '.call' do
     let(:exception) { StandardError.new('Test exception') }
 
-    let(:raven_required_options) do
-      {
-        configuration: Raven.configuration,
-        context: Raven.context,
-        breadcrumbs: Raven.breadcrumbs
-      }
-    end
-
-    let(:raven_event) do
-      Raven::Event.new(raven_required_options.merge(wrapped_value))
-    end
-
     let(:sentry_event) do
       Sentry.get_current_client.event_from_exception(exception)
     end
@@ -158,12 +146,6 @@ RSpec.describe Gitlab::ErrorTracking::Processor::SidekiqProcessor, :sentry do
       end
 
       context 'when processing via the default error handler' do
-        context 'with Raven events' do
-          let(:event) { raven_event }
-
-          include_examples 'Sidekiq arguments', args_in_job_hash: true
-        end
-
         context 'with Sentry events' do
           let(:event) { sentry_event }
 
@@ -172,12 +154,6 @@ RSpec.describe Gitlab::ErrorTracking::Processor::SidekiqProcessor, :sentry do
       end
 
       context 'when processing via Gitlab::ErrorTracking' do
-        context 'with Raven events' do
-          let(:event) { raven_event }
-
-          include_examples 'Sidekiq arguments', args_in_job_hash: false
-        end
-
         context 'with Sentry events' do
           let(:event) { sentry_event }
 
@@ -208,12 +184,6 @@ RSpec.describe Gitlab::ErrorTracking::Processor::SidekiqProcessor, :sentry do
         end
       end
 
-      context 'with Raven events' do
-        let(:event) { raven_event }
-
-        it_behaves_like 'handles jobstr fields'
-      end
-
       context 'with Sentry events' do
         let(:event) { sentry_event }
 
@@ -232,12 +202,6 @@ RSpec.describe Gitlab::ErrorTracking::Processor::SidekiqProcessor, :sentry do
         end
       end
 
-      context 'with Raven events' do
-        let(:event) { raven_event }
-
-        it_behaves_like 'does nothing'
-      end
-
       context 'with Sentry events' do
         let(:event) { sentry_event }
 
@@ -255,12 +219,6 @@ RSpec.describe Gitlab::ErrorTracking::Processor::SidekiqProcessor, :sentry do
         end
       end
 
-      context 'with Raven events' do
-        let(:event) { raven_event }
-
-        it_behaves_like 'does nothing'
-      end
-
       context 'with Sentry events' do
         let(:event) { sentry_event }
 
diff --git a/spec/lib/gitlab/error_tracking_spec.rb b/spec/lib/gitlab/error_tracking_spec.rb
index 7b2c5ca27cb..5c7b3e72fbe 100644
--- a/spec/lib/gitlab/error_tracking_spec.rb
+++ b/spec/lib/gitlab/error_tracking_spec.rb
@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
 require 'spec_helper'
-
-require 'raven/transports/dummy'
 require 'sentry/transport/dummy_transport'
 
 RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
@@ -44,18 +42,11 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
     }
   end
 
-  let(:raven_event) do
-    event = Raven.client.transport.events.last[1]
-    Gitlab::Json.parse(event)
-  end
-
   let(:sentry_event) do
     Sentry.get_current_client.transport.events.last
   end
 
   before do
-    stub_feature_flags(enable_old_sentry_integration: true)
-    stub_feature_flags(enable_new_sentry_integration: true)
     stub_sentry_settings
 
     allow(described_class).to receive(:sentry_configurable?).and_return(true)
@@ -86,7 +77,6 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
       end
 
       it 'raises the exception' do
-        expect(Raven).to receive(:capture_exception).with(exception, sentry_payload)
         expect(Sentry).to receive(:capture_exception).with(exception, sentry_payload)
 
         expect do
@@ -106,7 +96,6 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
         end
 
         it 'includes additional tags' do
-          expect(Raven).to receive(:capture_exception).with(exception, sentry_payload)
           expect(Sentry).to receive(:capture_exception).with(exception, sentry_payload)
 
           expect do
@@ -126,7 +115,6 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
       end
 
       it 'logs the exception with all attributes passed' do
-        expect(Raven).to receive(:capture_exception).with(exception, sentry_payload)
         expect(Sentry).to receive(:capture_exception).with(exception, sentry_payload)
 
         described_class.track_and_raise_for_dev_exception(
@@ -150,7 +138,6 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
 
   describe '.track_and_raise_exception' do
     it 'always raises the exception' do
-      expect(Raven).to receive(:capture_exception).with(exception, sentry_payload)
       expect(Sentry).to receive(:capture_exception).with(exception, sentry_payload)
 
       expect do
@@ -195,7 +182,6 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
     end
 
     it 'only logs and raises the exception' do
-      expect(Raven).not_to receive(:capture_exception)
       expect(Sentry).not_to receive(:capture_exception)
       expect(Gitlab::ErrorTracking::Logger).to receive(:error).with(logger_payload)
 
@@ -233,17 +219,13 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
     end
 
     before do
-      allow(Raven).to receive(:capture_exception).and_call_original
       allow(Sentry).to receive(:capture_exception).and_call_original
       allow(Gitlab::ErrorTracking::Logger).to receive(:error)
     end
 
-    it 'calls Raven.capture_exception' do
+    it 'calls Sentry.capture_exception' do
       track_exception
 
-      expect(Raven)
-        .to have_received(:capture_exception).with(exception, sentry_payload)
-
       expect(Sentry)
         .to have_received(:capture_exception).with(exception, sentry_payload)
     end
@@ -296,10 +278,6 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
       it 'includes the extra data from the exception in the tracking information' do
         track_exception
 
-        expect(Raven).to have_received(:capture_exception).with(
-          exception, a_hash_including(extra: a_hash_including(extra_info))
-        )
-
         expect(Sentry).to have_received(:capture_exception).with(
           exception, a_hash_including(extra: a_hash_including(extra_info))
         )
@@ -316,10 +294,6 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
       it 'just includes the other extra info' do
         track_exception
 
-        expect(Raven).to have_received(:capture_exception).with(
-          exception, a_hash_including(extra: a_hash_including(extra))
-        )
-
         expect(Sentry).to have_received(:capture_exception).with(
           exception, a_hash_including(extra: a_hash_including(extra))
         )
@@ -331,40 +305,10 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
     subject(:track_exception) { described_class.track_exception(exception, extra) }
 
     before do
-      allow(Raven).to receive(:capture_exception).and_call_original
       allow(Sentry).to receive(:capture_exception).and_call_original
       allow(Gitlab::ErrorTracking::Logger).to receive(:error)
     end
 
-    # This is a workaround for restoring Raven's user context below.
-    # Raven.user_context(&block) does not restore the user context correctly.
-    around do |example|
-      previous_user_context = Raven.context.user.dup
-      example.run
-    ensure
-      Raven.context.user = previous_user_context
-    end
-
-    context 'with custom GitLab context when using Raven.capture_exception directly' do
-      subject(:track_exception) { Raven.capture_exception(exception) }
-
-      it 'merges a default set of tags into the existing tags' do
-        allow(Raven.context).to receive(:tags).and_return(foo: 'bar')
-
-        track_exception
-
-        expect(raven_event['tags']).to include('correlation_id', 'feature_category', 'foo', 'locale', 'program')
-      end
-
-      it 'merges the current user information into the existing user information' do
-        Raven.user_context(id: -1)
-
-        track_exception
-
-        expect(raven_event['user']).to eq('id' => -1, 'username' => user.username)
-      end
-    end
-
     context 'with custom GitLab context when using Sentry.capture_exception directly' do
       subject(:track_exception) { Sentry.capture_exception(exception) }
 
@@ -418,7 +362,6 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
           track_exception
           expected_data = [1, { 'id' => 2, 'name' => 'hello' }, 'some-value', 'another-value']
 
-          expect(raven_event.dig('extra', 'sidekiq', 'args')).to eq(expected_data)
           expect(sentry_event.extra[:sidekiq]['args']).to eq(expected_data)
         end
       end
@@ -429,7 +372,6 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
         it 'filters sensitive arguments before sending and logging' do
           track_exception
 
-          expect(raven_event.dig('extra', 'sidekiq', 'args')).to eq(['[FILTERED]', 1, 2])
           expect(sentry_event.extra[:sidekiq]['args']).to eq(['[FILTERED]', 1, 2])
           expect(Gitlab::ErrorTracking::Logger).to have_received(:error).with(
             hash_including(
@@ -450,8 +392,6 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
         it 'sets the GRPC debug error string in the Sentry event and adds a custom fingerprint' do
           track_exception
 
-          expect(raven_event.dig('extra', 'grpc_debug_error_string')).to eq('{"hello":1}')
-          expect(raven_event['fingerprint']).to eq(['GRPC::DeadlineExceeded', '4:unknown cause.'])
           expect(sentry_event.extra[:grpc_debug_error_string]).to eq('{"hello":1}')
           expect(sentry_event.fingerprint).to eq(['GRPC::DeadlineExceeded', '4:unknown cause.'])
         end
@@ -463,8 +403,6 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
         it 'does not do any processing on the event' do
           track_exception
 
-          expect(raven_event['extra']).not_to include('grpc_debug_error_string')
-          expect(raven_event['fingerprint']).to eq(['GRPC::DeadlineExceeded', '4:unknown cause'])
           expect(sentry_event.extra).not_to include(:grpc_debug_error_string)
           expect(sentry_event.fingerprint).to eq(['GRPC::DeadlineExceeded', '4:unknown cause'])
         end
@@ -485,7 +423,6 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
 
             track_exception
 
-            expect(Raven.client.transport.events).to eq([])
             expect(Sentry.get_current_client.transport.events).to eq([])
           end
         end
@@ -494,7 +431,6 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
 
     context 'when processing invalid URI exceptions' do
       let(:invalid_uri) { 'http://foo:bar' }
-      let(:raven_exception_values) { raven_event['exception']['values'] }
       let(:sentry_exception_values) { sentry_event.exception.to_hash[:values] }
 
       context 'when the error is a URI::InvalidURIError' do
@@ -507,12 +443,6 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
         it 'filters the URI from the error message' do
           track_exception
 
-          expect(raven_exception_values).to include(
-            hash_including(
-              'type' => 'URI::InvalidURIError',
-              'value' => 'bad URI(is not URI?): [FILTERED]'
-            )
-          )
           expect(sentry_exception_values).to include(
             hash_including(
               type: 'URI::InvalidURIError',
@@ -532,12 +462,6 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
         it 'filters the URI from the error message' do
           track_exception
 
-          expect(raven_exception_values).to include(
-            hash_including(
-              'type' => 'Addressable::URI::InvalidURIError',
-              'value' => 'Invalid port number: [FILTERED]'
-            )
-          )
           expect(sentry_exception_values).to include(
             hash_including(
               type: 'Addressable::URI::InvalidURIError',
@@ -573,7 +497,7 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
     context 'when ENABLE_SENTRY_PERFORMANCE_MONITORING env is disabled' do
       before do
         stub_env('ENABLE_SENTRY_PERFORMANCE_MONITORING', false)
-        described_class.configure_sentry # Force re-initialization to reset traces_sample_rate setting
+        described_class.configure # Force re-initialization to reset traces_sample_rate setting
       end
 
       it 'does not set traces_sample_rate' do
@@ -584,7 +508,7 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
     context 'when ENABLE_SENTRY_PERFORMANCE_MONITORING env is enabled' do
       before do
         stub_env('ENABLE_SENTRY_PERFORMANCE_MONITORING', true)
-        described_class.configure_sentry # Force re-initialization to reset traces_sample_rate setting
+        described_class.configure # Force re-initialization to reset traces_sample_rate setting
       end
 
       it 'sets traces_sample_rate' do
@@ -592,4 +516,37 @@ RSpec.describe Gitlab::ErrorTracking, feature_category: :shared do
       end
     end
   end
+
+  describe '.configure' do
+    using RSpec::Parameterized::TableSyntax
+
+    let(:envdsn) { 'dummy://b44a0828b72421a6d8e99efd68d44fa8@example.com/41' }
+    let(:appdsn) { 'dummy://b44a0828b72421a6d8e99efd68d44fa8@example.com/42' }
+
+    where(:env_enabled, :env_dsn, :env_env, :app_enabled, :app_dsn, :app_env, :dsn, :environment) do
+      true  | ref(:envdsn) | 'eprd' | true  | ref(:appdsn) | 'aprd' | ref(:envdsn) | 'eprd'
+      false | ref(:envdsn) | 'eprd' | true  | ref(:appdsn) | 'aprd' | ref(:appdsn) | 'aprd'
+      true  | ref(:envdsn) | 'eprd' | false | ref(:appdsn) | 'aprd' | ref(:envdsn) | 'eprd'
+      false | ref(:envdsn) | 'eprd' | false | ref(:appdsn) | 'aprd' | '' | ''
+    end
+    with_them do
+      before do
+        allow(Gitlab.config.sentry).to receive(:enabled) { env_enabled }
+        allow(Gitlab::CurrentSettings).to receive(:sentry_enabled?) { app_enabled }
+
+        allow(Gitlab.config.sentry).to receive(:dsn) { env_dsn }
+        allow(Gitlab::CurrentSettings).to receive(:sentry_dsn) { app_dsn }
+
+        allow(Gitlab.config.sentry).to receive(:environment).and_return('eprd')
+        allow(Gitlab::CurrentSettings).to receive(:sentry_environment).and_return('aprd')
+
+        described_class.configure
+      end
+
+      it 'selects the correct settings' do
+        expect(Sentry.configuration.dsn.to_s).to eq(dsn)
+        expect(Sentry.configuration.environment).to eq(environment)
+      end
+    end
+  end
 end
diff --git a/spec/lib/gitlab/file_finder_spec.rb b/spec/lib/gitlab/file_finder_spec.rb
index 8afaec3c381..ac4dde8a634 100644
--- a/spec/lib/gitlab/file_finder_spec.rb
+++ b/spec/lib/gitlab/file_finder_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe Gitlab::FileFinder, feature_category: :global_search do
   describe '#find' do
     let_it_be(:project) { create(:project, :public, :repository) }
 
-    subject { described_class.new(project, project.default_branch) }
+    subject(:file_finder) { described_class.new(project, project.default_branch) }
 
     it_behaves_like 'file finder' do
       let(:expected_file_by_path) { 'files/images/wm.svg' }
@@ -14,40 +14,46 @@ RSpec.describe Gitlab::FileFinder, feature_category: :global_search do
     end
 
     context 'with inclusive filters' do
-      it 'filters by filename' do
-        results = subject.find('files filename:wm.svg')
+      it 'filters by filename and ignores case', :aggregate_failures do
+        results = file_finder.find('files filename:wm.svg')
+        expect(results.count).to eq(1)
 
+        results = file_finder.find('files filename:Wm.svg')
         expect(results.count).to eq(1)
       end
 
-      it 'filters by path' do
-        results = subject.find('white path:images')
+      it 'filters by path and ignores case', :aggregate_failures do
+        results = file_finder.find('white path:images')
+        expect(results.count).to eq(2)
 
+        results = file_finder.find('white path:imAGes')
         expect(results.count).to eq(2)
       end
 
-      it 'filters by extension' do
-        results = subject.find('files extension:md')
+      it 'filters by extension and ignores case', :aggregate_failures do
+        results = file_finder.find('files extension:md')
+        expect(results.count).to eq(4)
 
+        results = file_finder.find('files extension:MD')
         expect(results.count).to eq(4)
       end
     end
 
     context 'with exclusive filters' do
       it 'filters by filename' do
-        results = subject.find('files -filename:wm.svg')
+        results = file_finder.find('files -filename:wm.svg')
 
         expect(results.count).to eq(26)
       end
 
       it 'filters by path' do
-        results = subject.find('white -path:images')
+        results = file_finder.find('white -path:images')
 
         expect(results.count).to eq(5)
       end
 
       it 'filters by extension' do
-        results = subject.find('files -extension:md')
+        results = file_finder.find('files -extension:md')
 
         expect(results.count).to eq(23)
       end
@@ -64,7 +70,34 @@ RSpec.describe Gitlab::FileFinder, feature_category: :global_search do
     it 'does not cause N+1 query' do
       expect(Gitlab::GitalyClient).to receive(:call).at_most(10).times.and_call_original
 
-      subject.find(': filename:wm.svg')
+      file_finder.find(': filename:wm.svg')
+    end
+
+    context 'for protection against ReDOS' do
+      # filter is run once for each result returned, searching for `PROCESS.md` returns 2 results
+      it 'utilizes ::Gitlab::UntrustedRegexp for filename filter' do
+        query = "PROCESS.md filename:P#{'*' * 50}m"
+        expected_regex_value = "(?i)p#{'.*?' * 50}m$"
+        expect(::Gitlab::UntrustedRegexp).to receive(:new).with(expected_regex_value).twice.and_call_original
+
+        file_finder.find(query)
+      end
+
+      it 'utilizes ::Gitlab::UntrustedRegexp for path filter' do
+        query = "PROCESS.md path:P#{'*' * 10}m"
+        expected_regex_value = "(?i)p#{'.*?' * 10}m"
+
+        expect(::Gitlab::UntrustedRegexp).to receive(:new).with(expected_regex_value).twice.and_call_original
+        file_finder.find(query)
+      end
+
+      it 'utilizes ::Gitlab::UntrustedRegexp for extension filter' do
+        query = "PROCESS.md extension:#{'*' * 10}md"
+        expected_regex_value = "(?i)\\.#{'.*?' * 10}md$"
+
+        expect(::Gitlab::UntrustedRegexp).to receive(:new).with(expected_regex_value).twice.and_call_original
+        file_finder.find(query)
+      end
     end
   end
 end
diff --git a/spec/lib/gitlab/gitaly_client/operation_service_spec.rb b/spec/lib/gitlab/gitaly_client/operation_service_spec.rb
index e462f5a8366..1ac4efcf3d2 100644
--- a/spec/lib/gitlab/gitaly_client/operation_service_spec.rb
+++ b/spec/lib/gitlab/gitaly_client/operation_service_spec.rb
@@ -1023,10 +1023,32 @@ RSpec.describe Gitlab::GitalyClient::OperationService, feature_category: :source
   end
 
   describe '#user_commit_files' do
+    let(:force) { false }
+    let(:start_sha) { nil }
+    let(:sign) { true }
+
     subject do
       client.user_commit_files(
-        gitaly_user, 'my-branch', 'Commit files message', [], 'janedoe@example.com', 'Jane Doe',
-        'master', repository)
+        user, 'my-branch', 'Commit files message', [], 'janedoe@example.com', 'Jane Doe',
+        'master', repository, force, start_sha, sign)
+    end
+
+    context 'when UserCommitFiles RPC is called' do
+      let(:force) { true }
+      let(:start_sha) { project.commit.id }
+      let(:sign) { false }
+
+      it 'successfully builds the header' do
+        expect_any_instance_of(Gitaly::OperationService::Stub).to receive(:user_commit_files) do |_, req_enum|
+          header = req_enum.first.header
+
+          expect(header.force).to eq(force)
+          expect(header.start_sha).to eq(start_sha)
+          expect(header.sign).to eq(sign)
+        end.and_return(Gitaly::UserCommitFilesResponse.new)
+
+        subject
+      end
     end
 
     context 'with unstructured errors' do
diff --git a/spec/lib/gitlab/gon_helper_spec.rb b/spec/lib/gitlab/gon_helper_spec.rb
index e95623a01e1..4fc9a525792 100644
--- a/spec/lib/gitlab/gon_helper_spec.rb
+++ b/spec/lib/gitlab/gon_helper_spec.rb
@@ -60,19 +60,6 @@ RSpec.describe Gitlab::GonHelper, feature_category: :shared do
       let(:environment) { 'staging' }
       let(:sentry_clientside_traces_sample_rate) { 0.5 }
 
-      context 'with legacy sentry configuration' do
-        before do
-          stub_config(sentry: { enabled: true, clientside_dsn: clientside_dsn, environment: environment })
-        end
-
-        it 'sets sentry dsn and environment from config' do
-          expect(gon).to receive(:sentry_dsn=).with(clientside_dsn)
-          expect(gon).to receive(:sentry_environment=).with(environment)
-
-          helper.add_gon_variables
-        end
-      end
-
       context 'with sentry settings' do
         before do
           stub_application_setting(sentry_enabled: true)
@@ -88,21 +75,6 @@ RSpec.describe Gitlab::GonHelper, feature_category: :shared do
 
           helper.add_gon_variables
         end
-
-        context 'when enable_new_sentry_integration is disabled' do
-          before do
-            stub_feature_flags(enable_new_sentry_integration: false)
-          end
-
-          it 'does not set sentry dsn and environment from config' do
-            expect(gon).not_to receive(:sentry_dsn=).with(clientside_dsn)
-            expect(gon).not_to receive(:sentry_environment=).with(environment)
-            expect(gon).not_to receive(:sentry_clientside_traces_sample_rate=)
-              .with(sentry_clientside_traces_sample_rate)
-
-            helper.add_gon_variables
-          end
-        end
       end
     end
   end
diff --git a/spec/lib/gitlab/graphql/authorize/authorize_resource_spec.rb b/spec/lib/gitlab/graphql/authorize/authorize_resource_spec.rb
index 1cd93d7b364..be94c2a958f 100644
--- a/spec/lib/gitlab/graphql/authorize/authorize_resource_spec.rb
+++ b/spec/lib/gitlab/graphql/authorize/authorize_resource_spec.rb
@@ -7,13 +7,14 @@ RSpec.describe Gitlab::Graphql::Authorize::AuthorizeResource do
     Class.new do
       include Gitlab::Graphql::Authorize::AuthorizeResource
 
-      attr_reader :user, :found_object
+      attr_reader :user, :found_object, :scope_validator
 
       authorize :read_the_thing
 
-      def initialize(user, found_object)
+      def initialize(user, found_object, scope_validator)
         @user = user
         @found_object = found_object
+        @scope_validator = scope_validator
       end
 
       def find_object
@@ -25,7 +26,7 @@ RSpec.describe Gitlab::Graphql::Authorize::AuthorizeResource do
       end
 
       def context
-        { current_user: user }
+        { current_user: user, scope_validator: scope_validator }
       end
 
       def self.authorization
@@ -35,9 +36,10 @@ RSpec.describe Gitlab::Graphql::Authorize::AuthorizeResource do
   end
 
   let(:user) { build(:user) }
+  let(:scope_validator) { instance_double(::Gitlab::Auth::ScopeValidator, valid_for?: true) }
   let(:project) { build(:project) }
 
-  subject(:loading_resource) { fake_class.new(user, project) }
+  subject(:loading_resource) { fake_class.new(user, project, scope_validator) }
 
   before do
     # don't allow anything by default
@@ -139,4 +141,16 @@ RSpec.describe Gitlab::Graphql::Authorize::AuthorizeResource do
       expect(child).to be_authorizes_object
     end
   end
+
+  describe '#authorized_resource?' do
+    let(:object) { :object }
+
+    it 'delegates to authorization' do
+      expect(fake_class.authorization).to be_kind_of(::Gitlab::Graphql::Authorize::ObjectAuthorization)
+      expect(fake_class.authorization).to receive(:ok?)
+        .with(object, user, scope_validator: scope_validator)
+
+      fake_class.new(user, :found_object, scope_validator).authorized_resource?(object)
+    end
+  end
 end
diff --git a/spec/lib/gitlab/graphql/authorize/object_authorization_spec.rb b/spec/lib/gitlab/graphql/authorize/object_authorization_spec.rb
index 274cc83a6be..54b3e260524 100644
--- a/spec/lib/gitlab/graphql/authorize/object_authorization_spec.rb
+++ b/spec/lib/gitlab/graphql/authorize/object_authorization_spec.rb
@@ -4,9 +4,10 @@ require 'spec_helper'
 
 RSpec.describe ::Gitlab::Graphql::Authorize::ObjectAuthorization do
   describe '#ok?' do
-    subject { described_class.new(%i[go_fast go_slow]) }
+    subject(:authorization) { described_class.new(%i[go_fast go_slow]) }
 
     let(:user) { double(:User, id: 10001) }
+    let(:scope_validator) { instance_double(::Gitlab::Auth::ScopeValidator, valid_for?: true) }
 
     let(:policy) do
       Class.new(::DeclarativePolicy::Base) do
@@ -31,25 +32,25 @@ RSpec.describe ::Gitlab::Graphql::Authorize::ObjectAuthorization do
     context 'when there are no abilities' do
       subject { described_class.new([]) }
 
-      it { is_expected.to be_ok(double, double) }
+      it { is_expected.to be_ok(double, double, scope_validator: scope_validator) }
     end
 
     context 'when no ability should be allowed' do
       let(:object) { Foo.new(0, 0) }
 
-      it { is_expected.not_to be_ok(object, user) }
+      it { is_expected.not_to be_ok(object, user, scope_validator: scope_validator) }
     end
 
     context 'when go_fast should be allowed' do
       let(:object) { Foo.new(100, 0) }
 
-      it { is_expected.not_to be_ok(object, user) }
+      it { is_expected.not_to be_ok(object, user, scope_validator: scope_validator) }
     end
 
     context 'when go_fast and go_slow should be allowed' do
       let(:object) { Foo.new(100, 100) }
 
-      it { is_expected.to be_ok(object, user) }
+      it { is_expected.to be_ok(object, user, scope_validator: scope_validator) }
     end
 
     context 'when the object delegates to another subject' do
@@ -57,8 +58,19 @@ RSpec.describe ::Gitlab::Graphql::Authorize::ObjectAuthorization do
         double(:Proxy, declarative_policy_subject: foo)
       end
 
-      it { is_expected.to be_ok(proxy(Foo.new(100, 100)), user) }
-      it { is_expected.not_to be_ok(proxy(Foo.new(0, 100)), user) }
+      it { is_expected.to be_ok(proxy(Foo.new(100, 100)), user, scope_validator: scope_validator) }
+      it { is_expected.not_to be_ok(proxy(Foo.new(0, 100)), user, scope_validator: scope_validator) }
+    end
+
+    context 'when scope is not valid for scope validator' do
+      let(:object) { Foo.new(100, 100) }
+
+      it 'returns false' do
+        expect(scope_validator).to receive(:valid_for?).with([:api, :read_api])
+          .and_return(false)
+
+        expect(authorization).not_to be_ok(object, user, scope_validator: scope_validator)
+      end
     end
   end
 end
diff --git a/spec/lib/gitlab/import_export/all_models.yml b/spec/lib/gitlab/import_export/all_models.yml
index 14bfe1c8d3a..3b5db907428 100644
--- a/spec/lib/gitlab/import_export/all_models.yml
+++ b/spec/lib/gitlab/import_export/all_models.yml
@@ -256,6 +256,7 @@ merge_requests:
 - user_agent_detail
 - scan_result_policy_violations
 - applicable_post_merge_approval_rules
+- requested_changes
 external_pull_requests:
 - project
 merge_request_diff:
diff --git a/spec/lib/gitlab/rack_attack/request_spec.rb b/spec/lib/gitlab/rack_attack/request_spec.rb
index 92c9acb83cf..a076cb557a0 100644
--- a/spec/lib/gitlab/rack_attack/request_spec.rb
+++ b/spec/lib/gitlab/rack_attack/request_spec.rb
@@ -248,6 +248,38 @@ RSpec.describe Gitlab::RackAttack::Request, feature_category: :rate_limiting do
     end
   end
 
+  describe '#throttle_unauthenticated_git_http?' do
+    let_it_be(:project) { create(:project) }
+
+    let(:git_clone_project_path_get_info_refs) { "/#{project.full_path}.git/info/refs?service=git-upload-pack" }
+    let(:git_clone_path_post_git_upload_pack) { "/#{project.full_path}.git/git-upload-pack" }
+
+    subject { request.throttle_unauthenticated_git_http? }
+
+    where(:path, :request_unauthenticated?, :application_setting_throttle_unauthenticated_git_http_enabled, :expected) do
+      ref(:git_clone_project_path_get_info_refs) | true  | true  | true
+      ref(:git_clone_project_path_get_info_refs) | false | true  | false
+      ref(:git_clone_project_path_get_info_refs) | true  | false | false
+      ref(:git_clone_project_path_get_info_refs) | false | false | false
+
+      ref(:git_clone_path_post_git_upload_pack)  | true  | true  | true
+      ref(:git_clone_path_post_git_upload_pack)  | false | false | false
+
+      '/users/sign_in'                           | true  | true  | false
+      '/users/sign_in'                           | false | false | false
+    end
+
+    with_them do
+      before do
+        stub_application_setting(throttle_unauthenticated_git_http_enabled: application_setting_throttle_unauthenticated_git_http_enabled)
+
+        allow(request).to receive(:unauthenticated?).and_return(request_unauthenticated?)
+      end
+
+      it { is_expected.to eq expected }
+    end
+  end
+
   describe '#protected_path?' do
     subject { request.protected_path? }
 
diff --git a/spec/lib/gitlab/usage_data_counters/productivity_analytics_counter_spec.rb b/spec/lib/gitlab/usage_data_counters/productivity_analytics_counter_spec.rb
deleted file mode 100644
index 34b2cfcf1de..00000000000
--- a/spec/lib/gitlab/usage_data_counters/productivity_analytics_counter_spec.rb
+++ /dev/null
@@ -1,9 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe Gitlab::UsageDataCounters::ProductivityAnalyticsCounter do
-  it_behaves_like 'a redis usage counter', 'ProductivityAnalytics', :views
-
-  it_behaves_like 'a redis usage counter with totals', :productivity_analytics, views: 3
-end
diff --git a/spec/lib/omni_auth/strategies/bitbucket_spec.rb b/spec/lib/omni_auth/strategies/bitbucket_spec.rb
index d85ce71d60a..86bfe99d5c1 100644
--- a/spec/lib/omni_auth/strategies/bitbucket_spec.rb
+++ b/spec/lib/omni_auth/strategies/bitbucket_spec.rb
@@ -1,28 +1,83 @@
 # frozen_string_literal: true
 
 require 'spec_helper'
+require 'securerandom'
 
 RSpec.describe OmniAuth::Strategies::Bitbucket do
-  subject { described_class.new({}) }
+  subject(:strategy) { described_class.new({}) }
+
+  let(:raw_info) do
+    {
+      display_name: 'display_name',
+      username: 'username',
+      uuid: "{#{SecureRandom.uuid}}",
+      links: {
+        avatar: {
+          href: 'avatar-href'
+        }
+      }
+    }.deep_stringify_keys
+  end
+
+  let(:primary_email) { 'primaryemail@example.com' }
+
+  let(:emails) do
+    [
+      {
+        email: primary_email,
+        is_primary: true,
+        is_confirmed: true
+      }.stringify_keys,
+      {
+        email: 'secondaryemail@example.com',
+        is_primary: false,
+        is_confirmed: true
+      }.stringify_keys
+    ]
+  end
+
+  before do
+    allow(strategy).to receive(:raw_info).and_return(raw_info)
+    allow(strategy).to receive(:emails).and_return(emails)
+  end
+
+  describe 'uid' do
+    it 'returns Bitbucket user uuid' do
+      expect(strategy.uid).to eq(raw_info['uuid'])
+    end
+  end
+
+  describe 'info' do
+    it 'returns Bitbucket user info' do
+      expect(strategy.info).to eq(
+        {
+          name: raw_info['display_name'],
+          username: raw_info['username'],
+          avatar: raw_info['links']['avatar']['href'],
+          email: primary_email
+        }
+      )
+    end
+  end
 
   describe '#callback_url' do
     let(:base_url) { 'https://example.com' }
 
     context 'when script name is not present' do
       it 'has the correct default callback path' do
-        allow(subject).to receive(:full_host) { base_url }
-        allow(subject).to receive(:script_name).and_return('')
-        allow(subject).to receive(:query_string).and_return('')
-        expect(subject.callback_url).to eq("#{base_url}/users/auth/bitbucket/callback")
+        allow(strategy).to receive(:full_host) { base_url }
+        allow(strategy).to receive(:script_name).and_return('')
+        allow(strategy).to receive(:query_string).and_return('')
+        expect(strategy.callback_url).to eq("#{base_url}/users/auth/bitbucket/callback")
       end
     end
 
     context 'when script name is present' do
       it 'sets the callback path with script_name' do
-        allow(subject).to receive(:full_host) { base_url }
-        allow(subject).to receive(:script_name).and_return('/v1')
-        allow(subject).to receive(:query_string).and_return('')
-        expect(subject.callback_url).to eq("#{base_url}/v1/users/auth/bitbucket/callback")
+        allow(strategy).to receive(:full_host) { base_url }
+        allow(strategy).to receive(:script_name).and_return('/v1')
+        allow(strategy).to receive(:query_string).and_return('')
+        expect(strategy.callback_url).to eq("#{base_url}/v1/users/auth/bitbucket/callback")
       end
     end
   end
diff --git a/spec/migrations/20240419035360_queue_backfill_workspace_variables_project_id_spec.rb b/spec/migrations/20240419035360_queue_backfill_workspace_variables_project_id_spec.rb
new file mode 100644
index 00000000000..2c2a6a8884a
--- /dev/null
+++ b/spec/migrations/20240419035360_queue_backfill_workspace_variables_project_id_spec.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_migration!
+
+RSpec.describe QueueBackfillWorkspaceVariablesProjectId, feature_category: :remote_development do
+  let!(:batched_migration) { described_class::MIGRATION }
+
+  it 'schedules a new batched migration' do
+    reversible_migration do |migration|
+      migration.before -> {
+        expect(batched_migration).not_to have_scheduled_batched_migration
+      }
+
+      migration.after -> {
+        expect(batched_migration).to have_scheduled_batched_migration(
+          table_name: :workspace_variables,
+          column_name: :id,
+          interval: described_class::DELAY_INTERVAL,
+          batch_size: described_class::BATCH_SIZE,
+          sub_batch_size: described_class::SUB_BATCH_SIZE,
+          gitlab_schema: :gitlab_main_cell,
+          job_arguments: [
+            :project_id,
+            :workspaces,
+            :project_id,
+            :workspace_id
+          ]
+        )
+      }
+    end
+  end
+end
diff --git a/spec/migrations/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities_spec.rb b/spec/migrations/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities_spec.rb
new file mode 100644
index 00000000000..ba098d6e9b9
--- /dev/null
+++ b/spec/migrations/20240419140530_set_trusted_extern_uid_to_false_for_existing_bitbucket_identities_spec.rb
@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_migration!
+
+RSpec.describe SetTrustedExternUidToFalseForExistingBitbucketIdentities, feature_category: :system_access do
+  let!(:google_oauth2_identity) do
+    table(:identities).create!(id: 1, provider: 'google_oauth2')
+  end
+
+  let!(:github_identity) do
+    table(:identities).create!(id: 2, provider: 'github')
+  end
+
+  let!(:salesforce_identity) do
+    table(:identities).create!(id: 3, provider: 'salesforce')
+  end
+
+  let!(:bitbucket_identity1) do
+    table(:identities).create!(id: 4, provider: 'bitbucket')
+  end
+
+  let!(:group_saml_identity) do
+    table(:identities).create!(id: 5, provider: 'group_saml')
+  end
+
+  let!(:bitbucket_identity2) do
+    table(:identities).create!(id: 6, provider: 'bitbucket')
+  end
+
+  let!(:bitbucket_identity3) do
+    table(:identities).create!(id: 7, provider: 'bitbucket')
+  end
+
+  describe '#up' do
+    it 'sets trusted_extern_uid to false for existing bitbucket identities', :aggregate_failures do
+      expect(google_oauth2_identity.reload.trusted_extern_uid).to eq(true)
+      expect(github_identity.reload.trusted_extern_uid).to eq(true)
+      expect(salesforce_identity.reload.trusted_extern_uid).to eq(true)
+      expect(bitbucket_identity1.reload.trusted_extern_uid).to eq(true)
+      expect(group_saml_identity.reload.trusted_extern_uid).to eq(true)
+      expect(bitbucket_identity2.reload.trusted_extern_uid).to eq(true)
+      expect(bitbucket_identity3.reload.trusted_extern_uid).to eq(true)
+
+      migrate!
+
+      expect(google_oauth2_identity.reload.trusted_extern_uid).to eq(true)
+      expect(github_identity.reload.trusted_extern_uid).to eq(true)
+      expect(salesforce_identity.reload.trusted_extern_uid).to eq(true)
+      expect(bitbucket_identity1.reload.trusted_extern_uid).to eq(false)
+      expect(group_saml_identity.reload.trusted_extern_uid).to eq(true)
+      expect(bitbucket_identity2.reload.trusted_extern_uid).to eq(false)
+      expect(bitbucket_identity3.reload.trusted_extern_uid).to eq(false)
+    end
+  end
+end
diff --git a/spec/models/merge_request_spec.rb b/spec/models/merge_request_spec.rb
index ff956d99014..4d9dfa72c5a 100644
--- a/spec/models/merge_request_spec.rb
+++ b/spec/models/merge_request_spec.rb
@@ -6425,22 +6425,6 @@ RSpec.describe MergeRequest, factory_default: :keep, feature_category: :code_rev
     end
   end
 
-  describe '#has_changes_requested?' do
-    let_it_be(:merge_request) { create(:merge_request, reviewers: [create(:user)]) }
-
-    context 'reviews have requested changed' do
-      before_all do
-        merge_request.merge_request_reviewers.first.update!(state: :requested_changes)
-      end
-
-      it { expect(merge_request.has_changes_requested?).to be_truthy }
-    end
-
-    context 'reviews have not requested changed' do
-      it { expect(merge_request.has_changes_requested?).to be_falsey }
-    end
-  end
-
   describe '#batch_update_reviewer_state' do
     let_it_be(:merge_request) { create(:merge_request, reviewers: create_list(:user, 2)) }
 
diff --git a/spec/models/repository_spec.rb b/spec/models/repository_spec.rb
index f035c133d74..b85663e2ef2 100644
--- a/spec/models/repository_spec.rb
+++ b/spec/models/repository_spec.rb
@@ -4177,4 +4177,28 @@ RSpec.describe Repository, feature_category: :source_code_management do
       it { expect { file_attributes }.to raise_error(ArgumentError) }
     end
   end
+
+  describe '#commit_files' do
+    let(:project) { create(:project, :empty_repo) }
+
+    it 'calls UserCommitFiles RPC' do
+      expect_next_instance_of(Gitlab::GitalyClient::OperationService) do |client|
+        expect(client).to receive(:user_commit_files).with(
+          user, 'extra-branch', 'commit message', [],
+          'author email', 'author name', nil, nil, true, nil, false
+        )
+      end
+
+      repository.commit_files(
+        user,
+        branch_name: 'extra-branch',
+        message: 'commit message',
+        author_name: 'author name',
+        author_email: 'author email',
+        actions: [],
+        force: true,
+        sign: false
+      )
+    end
+  end
 end
diff --git a/spec/requests/api/helpers_spec.rb b/spec/requests/api/helpers_spec.rb
index 7304437bc42..28ddea7cdd9 100644
--- a/spec/requests/api/helpers_spec.rb
+++ b/spec/requests/api/helpers_spec.rb
@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'spec_helper'
-require 'raven/transports/dummy'
 require_relative '../../../config/initializers/sentry'
 
 RSpec.describe API::Helpers, :enable_admin_mode, feature_category: :system_access do
diff --git a/spec/requests/api/merge_request_approvals_spec.rb b/spec/requests/api/merge_request_approvals_spec.rb
index 08cb5f677ac..c003736b936 100644
--- a/spec/requests/api/merge_request_approvals_spec.rb
+++ b/spec/requests/api/merge_request_approvals_spec.rb
@@ -100,7 +100,7 @@ RSpec.describe API::MergeRequestApprovals, feature_category: :source_code_manage
           MergeRequests::UpdateReviewerStateService,
           project: project, current_user: unapprover
         ) do |service|
-          expect(service).to receive(:execute).with(merge_request, :unapproved)
+          expect(service).to receive(:execute).with(merge_request, 'unapproved')
         end
 
         post api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/unapprove", unapprover)
diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb
index 28cb295d3ed..56473dbc7d7 100644
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -5,6 +5,7 @@ require 'spec_helper'
 RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_caching,
   feature_category: :system_access do
   include RackAttackSpecHelpers
+  include WorkhorseHelpers
   include SessionHelpers
 
   let(:settings) { Gitlab::CurrentSettings.current_application_settings }
@@ -27,6 +28,8 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
       throttle_unauthenticated_packages_api_period_in_seconds: 1,
       throttle_authenticated_packages_api_requests_per_period: 100,
       throttle_authenticated_packages_api_period_in_seconds: 1,
+      throttle_unauthenticated_git_http_requests_per_period: 100,
+      throttle_unauthenticated_git_http_period_in_seconds: 1,
       throttle_authenticated_git_lfs_requests_per_period: 100,
       throttle_authenticated_git_lfs_period_in_seconds: 1,
       throttle_unauthenticated_files_api_requests_per_period: 100,
@@ -697,6 +700,45 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
     end
   end
 
+  describe 'unauthenticated git http requests' do
+    let_it_be(:project) { create(:project, :repository, :public) }
+
+    let(:git_http_clone_path) { "/#{project.full_path}.git/info/refs?service=git-upload-pack" }
+
+    it_behaves_like 'rate-limited unauthenticated requests' do
+      let(:throttle_name) { 'throttle_unauthenticated_git_http' }
+      let(:throttle_setting_prefix) { 'throttle_unauthenticated_git_http' }
+      let(:url_that_does_not_require_authentication) { "/#{project.full_path}.git/info/refs?service=git-upload-pack" }
+      let(:url_that_is_not_matched) { '/users/sign_in' }
+      let(:headers) { WorkhorseHelpers.workhorse_internal_api_request_header }
+    end
+
+    context 'when authenticated' do
+      let_it_be(:user) { create(:user) }
+      let_it_be(:token) { create(:personal_access_token, user: user) }
+
+      let(:headers) { WorkhorseHelpers.workhorse_internal_api_request_header.merge(basic_auth_headers(user, token)) }
+
+      def do_request
+        get git_http_clone_path, headers: headers
+      end
+
+      before do
+        settings_to_set[:throttle_unauthenticated_git_http_requests_per_period] = requests_per_period
+        settings_to_set[:throttle_unauthenticated_git_http_period_in_seconds] = period_in_seconds
+        settings_to_set[:throttle_unauthenticated_git_http_enabled] = true
+        stub_application_setting(settings_to_set)
+      end
+
+      it 'rejects requests over the rate limit' do
+        (requests_per_period + 1).times do
+          do_request
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+      end
+    end
+  end
+
   describe 'authenticated git lfs requests', :api do
     let_it_be(:project) { create(:project, :internal) }
     let_it_be(:user) { create(:user) }
diff --git a/spec/services/quick_actions/interpret_service_spec.rb b/spec/services/quick_actions/interpret_service_spec.rb
index 7683ec4ca40..bdef2944876 100644
--- a/spec/services/quick_actions/interpret_service_spec.rb
+++ b/spec/services/quick_actions/interpret_service_spec.rb
@@ -2774,7 +2774,7 @@ RSpec.describe QuickActions::InterpretService, feature_category: :team_planning
           MergeRequests::UpdateReviewerStateService,
           project: project, current_user: current_user
         ) do |service|
-          expect(service).to receive(:execute).with(merge_request, :unapproved)
+          expect(service).to receive(:execute).with(merge_request, 'unapproved')
         end
 
         service.execute(content, merge_request)
diff --git a/spec/support/helpers/stub_action_cable_connection.rb b/spec/support/helpers/stub_action_cable_connection.rb
index b4e9c2ae48c..ede8cc1c981 100644
--- a/spec/support/helpers/stub_action_cable_connection.rb
+++ b/spec/support/helpers/stub_action_cable_connection.rb
@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
 module StubActionCableConnection
-  def stub_action_cable_connection(current_user: nil, request: ActionDispatch::TestRequest.create)
+  def stub_action_cable_connection(current_user: nil, access_token: nil, request: ActionDispatch::TestRequest.create)
+    request.headers['Authorization'] = "Bearer #{access_token.token}" if access_token
     stub_connection(current_user: current_user, request: request)
   end
 end
diff --git a/spec/support/helpers/stub_configuration.rb b/spec/support/helpers/stub_configuration.rb
index ea334fa8fac..bc769ce0796 100644
--- a/spec/support/helpers/stub_configuration.rb
+++ b/spec/support/helpers/stub_configuration.rb
@@ -109,15 +109,12 @@ module StubConfiguration
   end
 
   def stub_sentry_settings(enabled: true)
-    allow(Gitlab.config.sentry).to receive(:enabled) { enabled }
     allow(Gitlab::CurrentSettings).to receive(:sentry_enabled?) { enabled }
 
     dsn = 'dummy://b44a0828b72421a6d8e99efd68d44fa8@example.com/42'
-    allow(Gitlab.config.sentry).to receive(:dsn) { dsn }
     allow(Gitlab::CurrentSettings).to receive(:sentry_dsn) { dsn }
 
     clientside_dsn = 'dummy://b44a0828b72421a6d8e99efd68d44fa8@example.com/43'
-    allow(Gitlab.config.sentry).to receive(:clientside_dsn) { clientside_dsn }
     allow(Gitlab::CurrentSettings)
       .to receive(:sentry_clientside_dsn) { clientside_dsn }
   end
diff --git a/spec/support/rspec_order_todo.yml b/spec/support/rspec_order_todo.yml
index b0c30aea4ec..a3ec99d4870 100644
--- a/spec/support/rspec_order_todo.yml
+++ b/spec/support/rspec_order_todo.yml
@@ -6625,7 +6625,6 @@
 - './spec/lib/gitlab/usage_data_counters/merge_request_widget_extension_counter_spec.rb'
 - './spec/lib/gitlab/usage_data_counters/note_counter_spec.rb'
 - './spec/lib/gitlab/usage_data_counters/package_event_counter_spec.rb'
-- './spec/lib/gitlab/usage_data_counters/productivity_analytics_counter_spec.rb'
 - './spec/lib/gitlab/usage_data_counters/quick_action_activity_unique_counter_spec.rb'
 - './spec/lib/gitlab/usage_data_counters/redis_counter_spec.rb'
 - './spec/lib/gitlab/usage_data_counters/search_counter_spec.rb'
diff --git a/spec/support/shared_examples/lint_factories_shared_examples.rb b/spec/support/shared_examples/lint_factories_shared_examples.rb
index 8714f43169c..31266379d4b 100644
--- a/spec/support/shared_examples/lint_factories_shared_examples.rb
+++ b/spec/support/shared_examples/lint_factories_shared_examples.rb
@@ -76,6 +76,7 @@ module Support
         [:ci_job_artifact, :gzip],
         [:ci_job_artifact, :correct_checksum],
         [:dependency_proxy_blob, :remote_store],
+        [:discussion_note_on_personal_snippet, Any],
         [:environment, :non_playable],
         [:issue_customer_relations_contact, :for_contact],
         [:issue_customer_relations_contact, :for_issue],
diff --git a/spec/support/shared_examples/models/email_format_shared_examples.rb b/spec/support/shared_examples/models/email_format_shared_examples.rb
index 77ded168637..2a06ce441cd 100644
--- a/spec/support/shared_examples/models/email_format_shared_examples.rb
+++ b/spec/support/shared_examples/models/email_format_shared_examples.rb
@@ -14,7 +14,6 @@ RSpec.shared_examples 'an object with email-formatted attributes' do |*attribute
         info+test@example.com
         o'reilly@example.com
         mailto:test@example.com
-        lol!'+=?><#$%^&*()@gmail.com
       ].each do |valid_email|
         context "with a value of '#{valid_email}'" do
           let(:email_value) { valid_email }
@@ -30,6 +29,21 @@ RSpec.shared_examples 'an object with email-formatted attributes' do |*attribute
       %w[
         foobar
         test@test@example.com
+        lol!'+=?><#$%^&*()@gmail.com
+        test?invalidcharacter@example.com
+        test!invalidcharacter@example.com
+        test#invalidcharacter@example.com
+        test$invalidcharacter@example.com
+        test%invalidcharacter@example.com
+        test&invalidcharacter@example.com
+        test*invalidcharacter@example.com
+        test/invalidcharacter@example.com
+        test=invalidcharacter@example.com
+        test^invalidcharacter@example.com
+        test<invalidcharacter@example.com
+        test>invalidcharacter@example.com
+        =?iso-8859-1?q?testencodedformat=40new.example.com=3e=20?=testencodedformat@example.com
+        =?iso-8859-1?q?testencodedformat=40new.example.com?=testencodedformat@example.com
       ].each do |invalid_email|
         context "with a value of '#{invalid_email}'" do
           let(:email_value) { invalid_email }
diff --git a/spec/support/shared_examples/requests/rack_attack_shared_examples.rb b/spec/support/shared_examples/requests/rack_attack_shared_examples.rb
index 89ae165f3fa..d15c88244f8 100644
--- a/spec/support/shared_examples/requests/rack_attack_shared_examples.rb
+++ b/spec/support/shared_examples/requests/rack_attack_shared_examples.rb
@@ -459,7 +459,10 @@ end
 # * requests_per_period
 # * period_in_seconds
 # * period
+# * headers
 RSpec.shared_examples 'rate-limited unauthenticated requests' do
+  let(:headers) { {} }
+
   before do
     # Set low limits
     settings_to_set[:"#{throttle_setting_prefix}_requests_per_period"] = requests_per_period
@@ -467,6 +470,10 @@ RSpec.shared_examples 'rate-limited unauthenticated requests' do
     travel_back
   end
 
+  def do_request
+    get url_that_does_not_require_authentication, headers: headers
+  end
+
   context 'when the throttle is enabled' do
     before do
       settings_to_set[:"#{throttle_setting_prefix}_enabled"] = true
@@ -476,12 +483,12 @@ RSpec.shared_examples 'rate-limited unauthenticated requests' do
     it 'rejects requests over the rate limit' do
       # At first, allow requests under the rate limit.
       requests_per_period.times do
-        get url_that_does_not_require_authentication
+        do_request
         expect(response).to have_gitlab_http_status(:ok)
       end
 
       # the last straw
-      expect_rejection { get url_that_does_not_require_authentication }
+      expect_rejection { do_request }
     end
 
     context 'with custom response text' do
@@ -492,37 +499,37 @@ RSpec.shared_examples 'rate-limited unauthenticated requests' do
       it 'rejects requests over the rate limit' do
         # At first, allow requests under the rate limit.
         requests_per_period.times do
-          get url_that_does_not_require_authentication
+          do_request
           expect(response).to have_gitlab_http_status(:ok)
         end
 
         # the last straw
-        expect_rejection { get url_that_does_not_require_authentication }
+        expect_rejection { do_request }
         expect(response.body).to eq("Custom response\n")
       end
     end
 
     it 'allows requests after throttling and then waiting for the next period' do
       requests_per_period.times do
-        get url_that_does_not_require_authentication
+        do_request
         expect(response).to have_gitlab_http_status(:ok)
       end
 
-      expect_rejection { get url_that_does_not_require_authentication }
+      expect_rejection { do_request }
 
       travel_to(period.from_now) do
         requests_per_period.times do
-          get url_that_does_not_require_authentication
+          do_request
           expect(response).to have_gitlab_http_status(:ok)
         end
 
-        expect_rejection { get url_that_does_not_require_authentication }
+        expect_rejection { do_request }
       end
     end
 
     it 'counts requests from different IPs separately' do
       requests_per_period.times do
-        get url_that_does_not_require_authentication
+        do_request
         expect(response).to have_gitlab_http_status(:ok)
       end
 
@@ -531,7 +538,7 @@ RSpec.shared_examples 'rate-limited unauthenticated requests' do
       end
 
       # would be over limit for the same IP
-      get url_that_does_not_require_authentication
+      do_request
       expect(response).to have_gitlab_http_status(:ok)
     end
 
@@ -603,7 +610,7 @@ RSpec.shared_examples 'rate-limited unauthenticated requests' do
 
     it 'logs RackAttack info into structured logs' do
       requests_per_period.times do
-        get url_that_does_not_require_authentication
+        do_request
         expect(response).to have_gitlab_http_status(:ok)
       end
 
@@ -619,12 +626,12 @@ RSpec.shared_examples 'rate-limited unauthenticated requests' do
 
       expect(Gitlab::AuthLogger).to receive(:error).with(arguments)
 
-      get url_that_does_not_require_authentication
+      do_request
     end
 
     it_behaves_like 'tracking when dry-run mode is set' do
       def do_request
-        get url_that_does_not_require_authentication
+        get url_that_does_not_require_authentication, headers: headers
       end
     end
   end
@@ -637,7 +644,7 @@ RSpec.shared_examples 'rate-limited unauthenticated requests' do
 
     it 'allows requests over the rate limit' do
       (1 + requests_per_period).times do
-        get url_that_does_not_require_authentication
+        do_request
         expect(response).to have_gitlab_http_status(:ok)
       end
     end
diff --git a/spec/validators/devise_email_validator_spec.rb b/spec/validators/devise_email_validator_spec.rb
index 64d11d4d963..d25ab1a55a9 100644
--- a/spec/validators/devise_email_validator_spec.rb
+++ b/spec/validators/devise_email_validator_spec.rb
@@ -5,14 +5,14 @@ require 'spec_helper'
 RSpec.describe DeviseEmailValidator do
   let!(:user) { build(:user, public_email: 'test@example.com') }
 
-  subject { validator.validate(user) }
+  subject(:validate) { validator.validate(user) }
 
   describe 'validations' do
     context 'by default' do
       let(:validator) { described_class.new(attributes: [:public_email]) }
 
       it 'allows when email is valid' do
-        subject
+        validate
 
         expect(user.errors).to be_empty
       end
@@ -20,7 +20,7 @@ RSpec.describe DeviseEmailValidator do
       it 'returns error when email is invalid' do
         user.public_email = 'invalid'
 
-        subject
+        validate
 
         expect(user.errors).to be_present
         expect(user.errors.added?(:public_email)).to be true
@@ -29,7 +29,7 @@ RSpec.describe DeviseEmailValidator do
       it 'returns error when email is nil' do
         user.public_email = nil
 
-        subject
+        validate
 
         expect(user.errors).to be_present
       end
@@ -37,11 +37,40 @@ RSpec.describe DeviseEmailValidator do
       it 'returns error when email is blank' do
         user.public_email = ''
 
-        subject
+        validate
 
         expect(user.errors).to be_present
         expect(user.errors.added?(:public_email)).to be true
       end
+
+      context 'for email with invalid characters' do
+        %w[
+          lol!'+=?><#$%^&*()@gmail.com
+          test?invalidcharacter@example.com
+          test!invalidcharacter@example.com
+          test#invalidcharacter@example.com
+          test$invalidcharacter@example.com
+          test%invalidcharacter@example.com
+          test&invalidcharacter@example.com
+          test*invalidcharacter@example.com
+          test/invalidcharacter@example.com
+          test=invalidcharacter@example.com
+          test^invalidcharacter@example.com
+          test<invalidcharacter@example.com
+          test>invalidcharacter@example.com
+          =?iso-8859-1?q?testencodedformat=40new.example.com=3e=20?=testencodedformat@example.com
+          =?iso-8859-1?q?testencodedformat=40new.example.com?=testencodedformat@example.com
+        ].each do |invalid_email|
+          it "returns error as invalid email for '#{invalid_email}'" do
+            user.public_email = invalid_email
+
+            validate
+
+            expect(user.errors).to be_present
+            expect(user.errors.added?(:public_email)).to be true
+          end
+        end
+      end
     end
   end
 
@@ -51,13 +80,13 @@ RSpec.describe DeviseEmailValidator do
     it 'allows when value match' do
       user.public_email = '1'
 
-      subject
+      validate
 
       expect(user.errors).to be_empty
     end
 
     it 'returns error when value does not match' do
-      subject
+      validate
 
       expect(user.errors).to be_present
     end
@@ -75,7 +104,7 @@ RSpec.describe DeviseEmailValidator do
     it 'allows when email is nil' do
       user.public_email = nil
 
-      subject
+      validate
 
       expect(user.errors).to be_empty
     end
@@ -87,9 +116,22 @@ RSpec.describe DeviseEmailValidator do
     it 'allows when email is blank' do
       user.public_email = ''
 
-      subject
+      validate
 
       expect(user.errors).to be_empty
     end
   end
+
+  context 'when attribute is already marked invalid' do
+    let(:validator) { described_class.new(attributes: [:email]) }
+
+    it 'does not add duplicate error' do
+      user.email = 'Invalid as per Devise::Models::Validatable'
+      user.validate
+
+      validate
+
+      expect(user.errors[:email].size).to eq 1
+    end
+  end
 end
diff --git a/spec/views/admin/application_settings/network.html.haml_spec.rb b/spec/views/admin/application_settings/network.html.haml_spec.rb
index 193ee8a32d5..defaa97f82a 100644
--- a/spec/views/admin/application_settings/network.html.haml_spec.rb
+++ b/spec/views/admin/application_settings/network.html.haml_spec.rb
@@ -11,6 +11,16 @@ RSpec.describe 'admin/application_settings/network.html.haml', feature_category:
     allow(view).to receive(:current_user) { admin }
   end
 
+  context 'for Git HTTP rate limit' do
+    it 'renders the `git_http_rate_limit_unauthenticated` field' do
+      render
+
+      expect(rendered).to have_field('application_setting_throttle_unauthenticated_git_http_enabled')
+      expect(rendered).to have_field('application_setting_throttle_unauthenticated_git_http_requests_per_period')
+      expect(rendered).to have_field('application_setting_throttle_unauthenticated_git_http_period_in_seconds')
+    end
+  end
+
   context 'for Projects API rate limit' do
     it 'renders the `projects_api_rate_limit_unauthenticated` field' do
       render
diff --git a/yarn.lock b/yarn.lock
index 2b3ceef232d..da3c1e227e5 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2075,16 +2075,18 @@
     "@sentry/types" "7.102.0"
     "@sentry/utils" "7.102.0"
 
-"@sentry/core@5.30.0":
-  version "5.30.0"
-  resolved "https://registry.yarnpkg.com/@sentry/core/-/core-5.30.0.tgz#6b203664f69e75106ee8b5a2fe1d717379b331f3"
-  integrity sha512-TmfrII8w1PQZSZgPpUESqjB+jC6MvZJZdLtE/0hZ+SrnKhW3x5WlYLvTXZpcWePYBku7rl2wn1RZu6uT0qCTeg==
+"@sentry/browser@7.102.0":
+  version "7.102.0"
+  resolved "https://registry.yarnpkg.com/@sentry/browser/-/browser-7.102.0.tgz#335f51d01aabf8c4d2abc871855f9c2d19f8f70d"
+  integrity sha512-hIggcMnojIbWhbmlRfkykHmy6n7pjug0AHfF19HRUQxAx9KJfMH5YdWvohov0Hb9fS+jdvqgE+/4AWbEeXQrHw==
   dependencies:
-    "@sentry/hub" "5.30.0"
-    "@sentry/minimal" "5.30.0"
-    "@sentry/types" "5.30.0"
-    "@sentry/utils" "5.30.0"
-    tslib "^1.9.3"
+    "@sentry-internal/feedback" "7.102.0"
+    "@sentry-internal/replay-canvas" "7.102.0"
+    "@sentry-internal/tracing" "7.102.0"
+    "@sentry/core" "7.102.0"
+    "@sentry/replay" "7.102.0"
+    "@sentry/types" "7.102.0"
+    "@sentry/utils" "7.102.0"
 
 "@sentry/core@7.102.0":
   version "7.102.0"
@@ -2094,24 +2096,6 @@
     "@sentry/types" "7.102.0"
     "@sentry/utils" "7.102.0"
 
-"@sentry/hub@5.30.0":
-  version "5.30.0"
-  resolved "https://registry.yarnpkg.com/@sentry/hub/-/hub-5.30.0.tgz#2453be9b9cb903404366e198bd30c7ca74cdc100"
-  integrity sha512-2tYrGnzb1gKz2EkMDQcfLrDTvmGcQPuWxLnJKXJvYTQDGLlEvi2tWz1VIHjunmOvJrB5aIQLhm+dcMRwFZDCqQ==
-  dependencies:
-    "@sentry/types" "5.30.0"
-    "@sentry/utils" "5.30.0"
-    tslib "^1.9.3"
-
-"@sentry/minimal@5.30.0":
-  version "5.30.0"
-  resolved "https://registry.yarnpkg.com/@sentry/minimal/-/minimal-5.30.0.tgz#ce3d3a6a273428e0084adcb800bc12e72d34637b"
-  integrity sha512-BwWb/owZKtkDX+Sc4zCSTNcvZUq7YcH3uAVlmh/gtR9rmUvbzAA3ewLuB3myi4wWRAMEtny6+J/FN/x+2wn9Xw==
-  dependencies:
-    "@sentry/hub" "5.30.0"
-    "@sentry/types" "5.30.0"
-    tslib "^1.9.3"
-
 "@sentry/replay@7.102.0":
   version "7.102.0"
   resolved "https://registry.yarnpkg.com/@sentry/replay/-/replay-7.102.0.tgz#209b7adb68e89772824218ecab498d3a6fbc2c42"
@@ -2122,24 +2106,11 @@
     "@sentry/types" "7.102.0"
     "@sentry/utils" "7.102.0"
 
-"@sentry/types@5.30.0":
-  version "5.30.0"
-  resolved "https://registry.yarnpkg.com/@sentry/types/-/types-5.30.0.tgz#19709bbe12a1a0115bc790b8942917da5636f402"
-  integrity sha512-R8xOqlSTZ+htqrfteCWU5Nk0CDN5ApUTvrlvBuiH1DyP6czDZ4ktbZB0hAgBlVcK0U+qpD3ag3Tqqpa5Q67rPw==
-
 "@sentry/types@7.102.0":
   version "7.102.0"
   resolved "https://registry.yarnpkg.com/@sentry/types/-/types-7.102.0.tgz#b31e9faa54036053ab82c09c3c855035a4889c59"
   integrity sha512-FPfFBP0x3LkPARw1/6cWySLq1djIo8ao3Qo2KNBeE9CHdq8bsS1a8zzjJLuWG4Ww+wieLP8/lY3WTgrCz4jowg==
 
-"@sentry/utils@5.30.0":
-  version "5.30.0"
-  resolved "https://registry.yarnpkg.com/@sentry/utils/-/utils-5.30.0.tgz#9a5bd7ccff85ccfe7856d493bffa64cabc41e980"
-  integrity sha512-zaYmoH0NWWtvnJjC9/CBseXMtKHm/tm40sz3YfJRxeQjyzRqNQPgivpd9R/oDJCYj999mzdW382p/qi2ypjLww==
-  dependencies:
-    "@sentry/types" "5.30.0"
-    tslib "^1.9.3"
-
 "@sentry/utils@7.102.0":
   version "7.102.0"
   resolved "https://registry.yarnpkg.com/@sentry/utils/-/utils-7.102.0.tgz#66325f2567986cc3fd12fbdb980fb8ada170342b"
@@ -12560,29 +12531,6 @@ send@0.17.2:
     range-parser "~1.2.1"
     statuses "~1.5.0"
 
-"sentrybrowser5@npm:@sentry/browser@5.30.0":
-  version "5.30.0"
-  resolved "https://registry.yarnpkg.com/@sentry/browser/-/browser-5.30.0.tgz#c28f49d551db3172080caef9f18791a7fd39e3b3"
-  integrity sha512-rOb58ZNVJWh1VuMuBG1mL9r54nZqKeaIlwSlvzJfc89vyfd7n6tQ1UXMN383QBz/MS5H5z44Hy5eE+7pCrYAfw==
-  dependencies:
-    "@sentry/core" "5.30.0"
-    "@sentry/types" "5.30.0"
-    "@sentry/utils" "5.30.0"
-    tslib "^1.9.3"
-
-"sentrybrowser@npm:@sentry/browser@7.102.0":
-  version "7.102.0"
-  resolved "https://registry.yarnpkg.com/@sentry/browser/-/browser-7.102.0.tgz#335f51d01aabf8c4d2abc871855f9c2d19f8f70d"
-  integrity sha512-hIggcMnojIbWhbmlRfkykHmy6n7pjug0AHfF19HRUQxAx9KJfMH5YdWvohov0Hb9fS+jdvqgE+/4AWbEeXQrHw==
-  dependencies:
-    "@sentry-internal/feedback" "7.102.0"
-    "@sentry-internal/replay-canvas" "7.102.0"
-    "@sentry-internal/tracing" "7.102.0"
-    "@sentry/core" "7.102.0"
-    "@sentry/replay" "7.102.0"
-    "@sentry/types" "7.102.0"
-    "@sentry/utils" "7.102.0"
-
 serialize-javascript@^2.1.2:
   version "2.1.2"
   resolved "https://registry.yarnpkg.com/serialize-javascript/-/serialize-javascript-2.1.2.tgz#ecec53b0e0317bdc95ef76ab7074b7384785fa61"
@@ -13768,7 +13716,7 @@ tslib@2.3.0, tslib@~2.3.0:
   resolved "https://registry.yarnpkg.com/tslib/-/tslib-2.3.0.tgz#803b8cdab3e12ba581a4ca41c8839bbb0dacb09e"
   integrity sha512-N82ooyxVNm6h1riLCoyS9e3fuJ3AMG2zIZs2Gd1ATcSFjSA23Q0fzjjZeh0jbJvWVDZ0cJT8yaNNaaXHzueNjg==
 
-tslib@^1.8.1, tslib@^1.9.0, tslib@^1.9.3:
+tslib@^1.8.1, tslib@^1.9.0:
   version "1.14.1"
   resolved "https://registry.yarnpkg.com/tslib/-/tslib-1.14.1.tgz#cf2d38bdc34a134bcaf1091c41f6619e2f672d00"
   integrity sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==