Add latest changes from gitlab-org/gitlab@master

.gitlab-ci.yml

@@ -139,6 +139,7 @@ variables:
   GIT_SUBMODULE_STRATEGY: "none"
   GET_SOURCES_ATTEMPTS: "3"
   DEBIAN_VERSION: "bullseye"
+  UBI_VERSION: "8.6"
   CHROME_VERSION: "109"
   DOCKER_VERSION: "23.0.1"
   RUBY_VERSION: "2.7"

.gitlab/ci/rules.gitlab-ci.yml

@@ -1328,17 +1328,17 @@
     - <<: *if-dot-com-gitlab-org-and-security-merge-request
       changes: *ci-qa-patterns
       allow_failure: true
+    - <<: *if-dot-com-gitlab-org-and-security-merge-request
+      changes:
+        - qa/Gemfile.lock # qa/Gemfile.lock is a part of *qa-patterns, so this rule must be placed before the one with *qa-patterns changes
+      variables:
+        UPDATE_QA_CACHE: "true"
     - <<: *if-dot-com-gitlab-org-and-security-merge-request
       changes: *qa-patterns
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-and-security-merge-request-and-qa-tests-specified
       changes: *code-patterns
       allow_failure: true
-    - <<: *if-dot-com-gitlab-org-and-security-merge-request
-      changes:
-        - qa/Gemfile.lock
-      variables:
-        UPDATE_QA_CACHE: "true"
     - <<: *if-dot-com-gitlab-org-and-security-merge-request
       changes: *code-patterns
       when: manual

.gitlab/ci/workhorse.gitlab-ci.yml

@@ -10,7 +10,7 @@ workhorse:verify:
 
 .workhorse:test:
   extends: .workhorse:rules:workhorse
-  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}-golang-${GO_VERSION}:git-2.36
+  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}-golang-${GO_VERSION}-rust-${RUST_VERSION}:rubygems-${RUBYGEMS_VERSION}-git-2.36-exiftool-12.60
   variables:
     GITALY_ADDRESS: "tcp://127.0.0.1:8075"
   stage: test
@@ -18,7 +18,6 @@ workhorse:verify:
     - setup-test-env
   before_script:
     - go version
-    - apt-get update && apt-get -y install libimage-exiftool-perl
     - scripts/gitaly-test-build
   script:
     - make -C workhorse test
@@ -37,7 +36,10 @@ workhorse:test go:
 
 workhorse:test fips:
   extends: .workhorse:test
-  image: registry.gitlab.com/gitlab-org/gitlab-omnibus-builder/ubuntu_20.04_fips:4.0.0
+  parallel:
+    matrix:
+      - GO_VERSION: ["1.18", "1.19"]
+  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/ubi-${UBI_VERSION}-ruby-${RUBY_VERSION}-golang-${GO_VERSION}-rust-${RUST_VERSION}:rubygems-${RUBYGEMS_VERSION}-git-2.36-exiftool-12.60
   variables:
     FIPS_MODE: 1
 

Gemfile

@@ -515,7 +515,7 @@ gem 'kas-grpc', '~> 0.0.2'
 
 gem 'grpc', '~> 1.42.0'
 
-gem 'google-protobuf', '~> 3.22', '>= 3.22.2'
+gem 'google-protobuf', '~> 3.22', '>= 3.22.3'
 
 gem 'toml-rb', '~> 2.2.0'
 

Gemfile.checksum

@@ -240,16 +240,16 @@
 {"name":"google-cloud-errors","version":"1.3.0","platform":"ruby","checksum":"450b681e24c089a20721a01acc4408bb4a7b0df28c175aaab488da917480d64b"},
 {"name":"google-cloud-profiler-v2","version":"0.4.0","platform":"ruby","checksum":"53fc2ab175d08f54233c644310d47798feac996220916815c4fb44c937b5d3e3"},
 {"name":"google-cloud-storage","version":"1.44.0","platform":"ruby","checksum":"299a1e055c9277c8120f7c10d21d37e4d8c17c7b963350c0e0bff7e9d9a570ea"},
-{"name":"google-protobuf","version":"3.22.2","platform":"aarch64-linux","checksum":"21357d807fd4b7e6e423dafa98732bf9a2be2767c06ea81a8a7980e71659783a"},
-{"name":"google-protobuf","version":"3.22.2","platform":"arm64-darwin","checksum":"ee4026e3d24d2c584476dd0dd1ff4662589711709ef5a91b82d36c995bb711d1"},
-{"name":"google-protobuf","version":"3.22.2","platform":"java","checksum":"d3d5389755bcf788717f000c9de41bed64fc211c46687dd41ebf7f8545b57962"},
-{"name":"google-protobuf","version":"3.22.2","platform":"ruby","checksum":"d516c13248500fb4e1af469c2d71e8b6ecffacb6f55e9be203f01b7d0ff01eff"},
-{"name":"google-protobuf","version":"3.22.2","platform":"x64-mingw-ucrt","checksum":"c26f38dde5612793db886a19485db7d3037628edf1d35ee8b5ca1ba16c82d005"},
-{"name":"google-protobuf","version":"3.22.2","platform":"x64-mingw32","checksum":"5c36e9f519988af2ac52444f3881fc4f6f6181a6177c01bae7b8ea007c76f80b"},
-{"name":"google-protobuf","version":"3.22.2","platform":"x86-linux","checksum":"ab49eb312d414e9a7231542240a4fddc52ea8c78007b812132a2c1d9ba943e26"},
-{"name":"google-protobuf","version":"3.22.2","platform":"x86-mingw32","checksum":"7fa69f62e182bae2a32f499da9ce8e5d9412d0a5768764967a7c1d0d89492e2e"},
-{"name":"google-protobuf","version":"3.22.2","platform":"x86_64-darwin","checksum":"e716c0fc6c970d82febf2447de2c762d265c288dbc26c3043c30544c8a4d60d9"},
-{"name":"google-protobuf","version":"3.22.2","platform":"x86_64-linux","checksum":"8fd16e0115d01209494767b6182c2a9f5d257d5f3c495c513762555a46f1ab88"},
+{"name":"google-protobuf","version":"3.22.3","platform":"aarch64-linux","checksum":"ea99d1ab641dcf1f8e8b8a7e009f862c7f677c7082cbb4cc846ffe7cf9caeeb1"},
+{"name":"google-protobuf","version":"3.22.3","platform":"arm64-darwin","checksum":"ca1a0b5e3602c91794308bcfb82c83b7319ad9b6507de351a25583cbae57e93f"},
+{"name":"google-protobuf","version":"3.22.3","platform":"java","checksum":"2a5b53d9e95141788c270e32a8e248469798144c3e24f87f9a980682949451ab"},
+{"name":"google-protobuf","version":"3.22.3","platform":"ruby","checksum":"09db2a54fcdf2c8ec04d2c10b2818fd6ee0990578317b42e839811f2fd288ff5"},
+{"name":"google-protobuf","version":"3.22.3","platform":"x64-mingw-ucrt","checksum":"8c232ee5746fe4f12cb6f39aeebb5540b50da153bd3e01233b6a36270faf452a"},
+{"name":"google-protobuf","version":"3.22.3","platform":"x64-mingw32","checksum":"242cb646c7bed779fa7c39e03e62f06144ac88acda24941d0d5065269b642457"},
+{"name":"google-protobuf","version":"3.22.3","platform":"x86-linux","checksum":"e15b535d768cc99ccdf1950b71820e502fc9da4f9e7d41c252d10e7447be81e5"},
+{"name":"google-protobuf","version":"3.22.3","platform":"x86-mingw32","checksum":"225ef058f623c88f7d485eb6cc3e63596744cbe05192a9ee80668af55e04474e"},
+{"name":"google-protobuf","version":"3.22.3","platform":"x86_64-darwin","checksum":"b4a686f2bb39cf8212e2bc8c24897fa69a955c06c9db110a58bb6617e495268f"},
+{"name":"google-protobuf","version":"3.22.3","platform":"x86_64-linux","checksum":"d653acddf65acc714fa1a5e201c476bf12c21f537981527f6200365f97816bd5"},
 {"name":"googleapis-common-protos","version":"1.4.0","platform":"ruby","checksum":"da2380fb5ab1563580816c74e8d684ac17512c3654c829a3ee84f6d6139de382"},
 {"name":"googleapis-common-protos-types","version":"1.5.0","platform":"ruby","checksum":"5769cf7376abc86ef7f5897a4aaca1d5c5a3c49ddabeddd2c251fcf8155f858b"},
 {"name":"googleauth","version":"1.3.0","platform":"ruby","checksum":"51dd7362353cf1e90a2d01e1fb94321ae3926c776d4dc4a79db65230217ffcc2"},

Gemfile.lock

@@ -698,7 +698,7 @@ GEM
       google-cloud-core (~> 1.6)
       googleauth (>= 0.16.2, < 2.a)
       mini_mime (~> 1.0)
-    google-protobuf (3.22.2)
+    google-protobuf (3.22.3)
     googleapis-common-protos (1.4.0)
       google-protobuf (~> 3.14)
       googleapis-common-protos-types (~> 1.2)
@@ -1764,7 +1764,7 @@ DEPENDENCIES
   google-apis-serviceusage_v1 (~> 0.28.0)
   google-apis-sqladmin_v1beta4 (~> 0.41.0)
   google-cloud-storage (~> 1.44.0)
-  google-protobuf (~> 3.22, >= 3.22.2)
+  google-protobuf (~> 3.22, >= 3.22.3)
   gpgme (~> 2.0.22)
   grape (~> 1.5.2)
   grape-entity (~> 0.10.0)

db/post_migrate/20230405094230_create_index_for_override_uuids_logic_on_vulnerability_occurrences.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class CreateIndexForOverrideUuidsLogicOnVulnerabilityOccurrences < Gitlab::Database::Migration[2.1]
+  disable_ddl_transaction!
+
+  INDEX_NAME = 'index_vulnerability_occurrences_for_override_uuids_logic'
+
+  def up
+    add_concurrent_index :vulnerability_occurrences,
+      [:project_id, :report_type, :location_fingerprint],
+      name: INDEX_NAME
+  end
+
+  def down
+    remove_concurrent_index_by_name :vulnerability_occurrences, INDEX_NAME
+  end
+end

db/schema_migrations/20230405094230

@@ -0,0 +1 @@
+6b9ded39763a59b0047e256b9283084b4f05dbca46de85e7c8bb6c7d44d96d23

db/structure.sql

@@ -32593,6 +32593,8 @@ CREATE INDEX index_vulnerability_occurrences_deduplication ON vulnerability_occu
 
 CREATE INDEX index_vulnerability_occurrences_for_issue_links_migration ON vulnerability_occurrences USING btree (project_id, report_type, encode(project_fingerprint, 'hex'::text));
 
+CREATE INDEX index_vulnerability_occurrences_for_override_uuids_logic ON vulnerability_occurrences USING btree (project_id, report_type, location_fingerprint);
+
 CREATE INDEX index_vulnerability_occurrences_on_location_image ON vulnerability_occurrences USING gin (((location -> 'image'::text))) WHERE (report_type = ANY (ARRAY[2, 7]));
 
 CREATE INDEX index_vulnerability_occurrences_on_location_k8s_agent_id ON vulnerability_occurrences USING gin ((((location -> 'kubernetes_resource'::text) -> 'agent_id'::text))) WHERE (report_type = 7);

doc/development/pipelines/index.md

@@ -47,22 +47,49 @@ In summary:
 - RSpec tests are dependent on the backend code.
 - Jest tests are dependent on both frontend and backend code, the latter through the frontend fixtures.
 
+### Predictive Tests Dashboards
+
+- <https://app.periscopedata.com/app/gitlab/1116767/Test-Intelligence-Accuracy>
+- <https://app.periscopedata.com/app/gitlab/899368/EP---Predictive-testing-analysis>
+
+### The `detect-tests` CI job
+
+Most CI/CD pipelines for `gitlab-org/gitlab` will run a [`detect-tests` CI job](https://gitlab.com/gitlab-org/gitlab/-/blob/0c6058def8f182b4a2410db5d08a9550b951b2d8/.gitlab/ci/setup.gitlab-ci.yml#L101-146) in the `prepare` stage to detect which backend/frontend tests should be run based on the files that changed in the given MR.
+
+The `detect-tests` job will create many files that will contain the backend/frontend tests that should be run. Those files will be read in subsequent jobs in the pipeline, and only those tests will be executed.
+
 ### RSpec predictive jobs
 
 #### Determining predictive RSpec test files in a merge request
 
-To identify the RSpec tests that are likely to fail in a merge request, we use the [`test_file_finder` gem](https://gitlab.com/gitlab-org/ci-cd/test_file_finder), with two strategies:
+To identify the RSpec tests that are likely to fail in a merge request, we use *static mappings* and *dynamic mappings*.
 
-- dynamic mapping from test coverage tracing (generated via the [`Crystalball` gem](https://github.com/toptal/crystalball))
-  ([see where it's used](https://gitlab.com/gitlab-org/gitlab/-/blob/2e19d43ba0d456808916650088c0f70d905e7810/tooling/lib/tooling/find_tests.rb#L20))
-- static mapping maintained in the [`tests.yml` file](https://gitlab.com/gitlab-org/gitlab/-/blob/master/tests.yml) for special cases that cannot
-  be mapped via coverage tracing ([see where it's used](https://gitlab.com/gitlab-org/gitlab/-/blob/2e19d43ba0d456808916650088c0f70d905e7810/tooling/lib/tooling/find_tests.rb#L20))
+##### Static mappings
+
+We use the [`test_file_finder` gem](https://gitlab.com/gitlab-org/ci-cd/test_file_finder), with a static mapping maintained in the [`tests.yml` file](https://gitlab.com/gitlab-org/gitlab/-/blob/master/tests.yml) for special cases that cannot
+  be mapped via coverage tracing ([see where it's used](https://gitlab.com/gitlab-org/gitlab/-/blob/5ab06422826c0d69c615655982a6f969a7f3c6ea/tooling/lib/tooling/find_tests.rb#L17)).
 
 The test mappings contain a map of each source files to a list of test files which is dependent of the source file.
 
-In the `detect-tests` job, we use this mapping to identify the predictive tests needed for the current merge request.
+##### Dynamic mappings
 
-Later on in [the `rspec fail-fast` job](#fail-fast-job-in-merge-request-pipelines), we run the predictive tests for the current merge request.
+First, we use the [`test_file_finder` gem](https://gitlab.com/gitlab-org/ci-cd/test_file_finder), with a dynamic mapping strategy from test coverage tracing (generated via the [`Crystalball` gem](https://github.com/toptal/crystalball))
+  ([see where it's used](https://gitlab.com/gitlab-org/gitlab/-/blob/master/tooling/lib/tooling/find_tests.rb#L20)).
+
+In addition to `test_file_finder`, we have added several advanced mappings to detect even more tests to run:
+
+- [`FindChanges`](https://gitlab.com/gitlab-org/gitlab/-/blob/28943cbd8b6d7e9a350d00e5ea5bb52123ee14a4/tooling/lib/tooling/find_changes.rb) ([!74003](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/74003))
+  - Automatically detect Jest tests to run upon backend changes (via frontend fixtures)
+- [`PartialToViewsMappings`](https://gitlab.com/gitlab-org/gitlab/-/blob/28943cbd8b6d7e9a350d00e5ea5bb52123ee14a4/tooling/lib/tooling/mappings/partial_to_views_mappings.rb) ([#395016](https://gitlab.com/gitlab-org/gitlab/-/issues/395016))
+  - Run view specs when Rails partials included in those views are changed in an MR
+- [`JsToSystemSpecsMappings`](https://gitlab.com/gitlab-org/gitlab/-/blob/28943cbd8b6d7e9a350d00e5ea5bb52123ee14a4/tooling/lib/tooling/mappings/js_to_system_specs_mappings.rb) ([#386754](https://gitlab.com/gitlab-org/gitlab/-/issues/386754))
+  - Run certain system specs if a JavaScript file was changed in an MR
+- [`GraphqlBaseTypeMappings`](https://gitlab.com/gitlab-org/gitlab/-/blob/28943cbd8b6d7e9a350d00e5ea5bb52123ee14a4/tooling/lib/tooling/mappings/graphql_base_type_mappings.rb) ([#386756](https://gitlab.com/gitlab-org/gitlab/-/issues/386756))
+  - If a GraphQL type class changed, we should try to identify the other GraphQL types that potentially include this type, and run their specs.
+- [`ViewToSystemSpecsMappings`](https://gitlab.com/gitlab-org/gitlab/-/blob/28943cbd8b6d7e9a350d00e5ea5bb52123ee14a4/tooling/lib/tooling/mappings/view_to_system_specs_mappings.rb) ([#395017](https://gitlab.com/gitlab-org/gitlab/-/issues/395017))
+  - When a view gets changed, we try to find feature specs that would test that area of the code.
+- [`ViewToJsMappings`](https://gitlab.com/gitlab-org/gitlab/-/blob/8d7dfb7c043adf931128088b9ffab3b4a39af6f5/tooling/lib/tooling/mappings/view_to_js_mappings.rb) ([#386719](https://gitlab.com/gitlab-org/gitlab/-/issues/386719))
+  - If a JS file is changed, we should try to identify the system specs that are covering this JS component.
 
 #### Exceptional cases
 
@@ -74,6 +101,10 @@ In addition, there are a few circumstances where we would always run the full RS
 - when the merge request is created in a security mirror
 - when any CI configuration file is changed (for example, `.gitlab-ci.yml` or `.gitlab/ci/**/*`)
 
+#### Have you encountered a problem with backend predictive tests?
+
+If so, please have a look at [the Engineering Productivity RUNBOOK on predictive tests](https://gitlab.com/gitlab-org/quality/engineering-productivity/team/-/blob/main/runbooks/predictive-tests.md) for instructions on how to act upon predictive tests issues. Additionally, if you identified any test selection gaps, please let `@gl-quality/eng-prod` know so that we can take the necessary steps to optimize test selections.
+
 ### Jest predictive jobs
 
 #### Determining predictive Jest test files in a merge request
@@ -95,6 +126,10 @@ In addition, there are a few circumstances where we would always run the full Je
 The `rules` definitions for full Jest tests are defined at `.frontend:rules:jest` in
 [`rules.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/42321b18b946c64d2f6f788c38844499a5ae9141/.gitlab/ci/rules.gitlab-ci.yml#L938-955).
 
+#### Have you encountered a problem with frontend predictive tests?
+
+If so, please have a look at [the Engineering Productivity RUNBOOK on predictive tests](https://gitlab.com/gitlab-org/quality/engineering-productivity/team/-/blob/main/runbooks/predictive-tests.md) for instructions on how to act upon predictive tests issues.
+
 ### Fork pipelines
 
 We run only the predictive RSpec & Jest jobs for fork pipelines, unless the `pipeline:run-all-rspec`
@@ -104,8 +139,7 @@ See the [experiment issue](https://gitlab.com/gitlab-org/quality/quality-enginee
 
 ## Fail-fast job in merge request pipelines
 
-To provide faster feedback when a merge request breaks existing tests, we are experimenting with a
-fail-fast mechanism.
+To provide faster feedback when a merge request breaks existing tests, we implemented a fail-fast mechanism.
 
 An `rspec fail-fast` job is added in parallel to all other `rspec` jobs in a merge
 request pipeline. This job runs the tests that are directly related to the changes

package.json

@@ -58,7 +58,7 @@
     "@gitlab/svgs": "3.38.0",
     "@gitlab/ui": "60.0.0",
     "@gitlab/visual-review-tools": "1.7.3",
-    "@gitlab/web-ide": "0.0.1-dev-20230323132525",
+    "@gitlab/web-ide": "0.0.1-dev-20230407181558",
     "@mattiasbuelens/web-streams-adapter": "^0.1.0",
     "@popperjs/core": "^2.11.2",
     "@rails/actioncable": "6.1.4-7",

workhorse/Makefile

@@ -27,6 +27,12 @@ ifeq (${FIPS_MODE}, 1)
     # If the golang-fips compiler is built with CGO_ENABLED=0, this needs to be
     # explicitly switched on.
     export CGO_ENABLED=1
+    # Go 1.19+ now requires GOEXPERIMENT=boringcrypto for FIPS compilation.
+    # See https://github.com/golang/go/issues/51940 for more details.
+    BORINGCRYPTO_SUPPORT := $(shell GOEXPERIMENT=boringcrypto go version &> /dev/null; echo $$?)
+    ifeq ($(BORINGCRYPTO_SUPPORT), 0)
+      export GOEXPERIMENT=boringcrypto
+    endif
 endif
 
 MINIMUM_SUPPORTED_GO_VERSION := 1.11

yarn.lock

@@ -1146,10 +1146,10 @@
   resolved "https://registry.yarnpkg.com/@gitlab/visual-review-tools/-/visual-review-tools-1.7.3.tgz#9ea641146436da388ffbad25d7f2abe0df52c235"
   integrity sha512-NMV++7Ew1FSBDN1xiZaauU9tfeSfgDHcOLpn+8bGpP+O5orUPm2Eu66R5eC5gkjBPaXosNAxNWtriee+aFk4+g==
 
-"@gitlab/web-ide@0.0.1-dev-20230323132525":
-  version "0.0.1-dev-20230323132525"
-  resolved "https://registry.yarnpkg.com/@gitlab/web-ide/-/web-ide-0.0.1-dev-20230323132525.tgz#839d4ac892a0cc9b811580d342f797335976af08"
-  integrity sha512-VJqiJCBU1U0EwYAJmV1Fgko7ENoeXZFxTL+FirBtSKvh5wwT3QAnaSFieoZo/VPBHaHTDWYzPgbJz0uYJBNeqw==
+"@gitlab/web-ide@0.0.1-dev-20230407181558":
+  version "0.0.1-dev-20230407181558"
+  resolved "https://registry.yarnpkg.com/@gitlab/web-ide/-/web-ide-0.0.1-dev-20230407181558.tgz#69c5243e8c567ea3ef4879ede68566f99d47705a"
+  integrity sha512-8YdZxGvXOX3hU/2F1XSwMWFRz56a/QLvY+amne7ie1NRzIVx6SmjKOxot+F1FhSXjc0zbwooGoOn8j6wkgdHCg==
 
 "@graphql-eslint/eslint-plugin@3.18.0":
   version "3.18.0"