From 55a8c39b971ce3acef77daebfe0d23befd802fd7 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 26 Feb 2025 18:12:12 +0000
Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master

---
 .gitlab/CODEOWNERS                            |   6 +-
 .rubocop_todo/style/symbol_proc.yml           |  12 -
 CHANGELOG.md                                  |  35 +++
 GITLAB_KAS_VERSION                            |   2 +-
 .../ci_environments_dropdown.vue              |   6 +
 .../components/ci_variable_drawer.vue         |  11 +-
 .../services/serialization_helpers.js         |  14 +-
 .../services/serializer/image.js              |   7 +-
 .../services/serializer/link.js               |  16 +-
 .../notes/components/note_body.vue            |  14 +-
 .../projects/commit/rapid_diffs/index.js      |  14 +-
 .../pages/projects/commit/show/index.js       |   2 +
 app/assets/javascripts/popovers/index.js      |  18 +-
 .../javascripts/rapid_diffs/diff_file.js      |   2 +-
 .../rapid_diffs/expand_lines/adapter.js       |  51 ++--
 .../rapid_diffs/expand_lines/diff_line_row.js |  20 ++
 .../rapid_diffs/expand_lines/get_lines.js     |  85 ++++--
 .../components/states/ready_to_merge.vue      |   2 +-
 .../states/ready_to_merge.fragment.graphql    |   2 +-
 .../entity_select/init_project_selects.js     |   2 +
 .../entity_select/project_select.vue          |   6 +
 .../shared/work_item_token_input.vue          |  16 +-
 .../rapid_diffs/text_file_viewers.scss        |  25 +-
 .../rapid_diffs/diff_file_component.rb        |   2 +-
 .../text/expand_lines_component.html.haml     |   7 +-
 .../text/inline_hunk_component.html.haml      |   2 +-
 .../viewers/text/inline_hunk_component.rb     |   4 -
 .../text/line_number_component.html.haml      |   2 +-
 .../text/parallel_hunk_component.html.haml    |   2 +-
 .../viewers/text/parallel_hunk_component.rb   |   4 -
 .../clusters/clusters_controller.rb           |   5 +-
 .../event_forward/event_forward_controller.rb |  28 ++
 app/controllers/event_forward/logger.rb       |   9 +
 app/controllers/profiles_controller.rb        |   8 +-
 app/controllers/projects/commit_controller.rb |   1 +
 .../resolvers/repositories/commit_resolver.rb |  22 ++
 app/graphql/types/repository_type.rb          |   4 +
 app/helpers/clusters_helper.rb                |  30 +++
 app/models/clusters/agent_migration.rb        |   2 +
 app/models/commit.rb                          |   2 +-
 app/models/concerns/cached_commit.rb          |   2 +-
 app/models/container_repository.rb            |   2 +-
 app/models/discussion.rb                      |   2 +-
 app/models/integrations/prometheus.rb         |   4 +-
 app/models/members/project_member.rb          |   4 +-
 app/models/packages/conan/package_revision.rb |   6 +-
 app/models/packages/conan/recipe_revision.rb  |   6 +-
 .../merge_request_diff_preloader.rb           |   2 +-
 app/models/release.rb                         |   2 +-
 app/presenters/clusters/cluster_presenter.rb  |   4 +
 .../clusters/migration/create_service.rb      |  18 +-
 .../clusters/clusters/_migrate.html.haml      |  80 +++++-
 .../clusters/clusters/_migrate_tab.html.haml  |   1 +
 .../commit/_signature_badge.html.haml         |   2 +-
 .../projects/commit/rapid_diffs.html.haml     |   6 +-
 .../inactive_tokens_deletion_cron_worker.rb   |   7 +-
 config/routes.rb                              |   2 +
 ...t-da-deprecate-cov-guided-fuzz-testing.yml |  24 ++
 ...em_type_custom_fields_work_item_type_id.rb |  24 ++
 ...em_type_custom_fields_work_item_type_id.rb |  26 ++
 ...type_user_preferences_work_item_type_id.rb |  24 ++
 ...type_user_preferences_work_item_type_id.rb |  26 ++
 db/schema_migrations/20250220004946           |   1 +
 db/schema_migrations/20250220005723           |   1 +
 db/schema_migrations/20250225001149           |   1 +
 db/schema_migrations/20250225001333           |   1 +
 db/structure.sql                              |  12 +-
 doc/.vale/gitlab_base/spelling-exceptions.txt |  20 +-
 .../monitoring/prometheus/gitlab_metrics.md   |   2 +-
 doc/api/graphql/reference/_index.md           |  12 +
 doc/ci/variables/predefined_variables.md      | 250 +++++++++---------
 doc/topics/git/img/revert_v14_0.png           | Bin 11230 -> 0 bytes
 doc/topics/git/undo.md                        |  17 +-
 doc/update/deprecations.md                    |  22 ++
 .../application_security/policies/_index.md   |   1 +
 doc/user/glql/fields.md                       | 193 +++++++++++++-
 doc/user/profile/account/create_accounts.md   |  16 +-
 lib/bulk_imports/ndjson_pipeline.rb           |   2 +-
 lib/container_registry/client.rb              |   8 +-
 lib/container_registry/gitlab_api_client.rb   |   4 +-
 .../analytics/cycle_analytics/stage_events.rb |   2 +-
 lib/gitlab/diff/viewer_hunk.rb                |   5 +-
 lib/gitlab/tracking/destinations/snowplow.rb  |  24 +-
 locale/gitlab.pot                             |  55 +++-
 scripts/database/query_analyzers.rb           |   2 +-
 scripts/database/query_analyzers.yml          |   2 +
 scripts/database/query_analyzers/base.rb      |   2 +-
 .../query_analyzers/jsonb_scan_detector.rb    |  46 ++++
 .../multiple_partition_scan_detector.rb       |   2 +-
 .../rapid_diffs/diff_file_component_spec.rb   |   4 +-
 .../text/expand_lines_component_spec.rb       |   6 +
 .../text/inline_hunk_component_spec.rb        |  15 +-
 .../text/line_number_component_spec.rb        |   2 +
 .../text/parallel_hunk_component_spec.rb      |  15 +-
 .../admin/clusters_controller_spec.rb         |   6 +-
 spec/controllers/event_forward/logger_spec.rb |  15 ++
 .../groups/clusters_controller_spec.rb        |   7 +-
 .../projects/clusters_controller_spec.rb      |   7 +-
 spec/factories/clusters/agent_migrations.rb   |   1 +
 .../clusters/cluster_detail_page_spec.rb      |  85 ++++++
 .../services/serializer/image_spec.js         |   8 +
 .../services/serializer/link_spec.js          |  11 +
 spec/frontend/popovers/index_spec.js          |  21 ++
 spec/frontend/rapid_diffs/diff_file_spec.js   |   5 +-
 .../rapid_diffs/expand_lines/adapter_spec.js  |  81 ++++++
 .../expand_lines/diff_line_row_spec.js        |  33 +++
 .../expand_lines/get_lines_spec.js            |  81 ++++++
 .../entity_select/project_select_spec.js      |   3 +
 .../shared/work_item_token_input_spec.js      |  33 ++-
 .../repositories/commit_resolver_spec.rb      |  33 +++
 spec/graphql/types/repository_type_spec.rb    |   4 +-
 spec/helpers/clusters_helper_spec.rb          |  56 ++++
 spec/lib/gitlab/diff/viewer_hunk_spec.rb      |   6 +
 .../tracking/destinations/snowplow_spec.rb    |  13 +
 .../packages/conan/package_revision_spec.rb   |  34 ++-
 .../packages/conan/recipe_revision_spec.rb    |  34 ++-
 .../clusters/cluster_presenter_spec.rb        |  29 ++
 .../api/graphql/project/repository_spec.rb    |  28 ++
 .../event_forward_controller_spec.rb          |  48 ++++
 .../jsonb_scan_detector_spec.rb               |  54 ++++
 .../clusters/migration/create_service_spec.rb |  10 +-
 .../lib/api/access_token_shared_examples.rb   | 136 ++++++++++
 ...active_tokens_deletion_cron_worker_spec.rb |  22 ++
 tooling/lib/tooling/test_map_generator.rb     |   2 +-
 124 files changed, 2011 insertions(+), 416 deletions(-)
 create mode 100644 app/assets/javascripts/rapid_diffs/expand_lines/diff_line_row.js
 create mode 100644 app/controllers/event_forward/event_forward_controller.rb
 create mode 100644 app/controllers/event_forward/logger.rb
 create mode 100644 app/graphql/resolvers/repositories/commit_resolver.rb
 create mode 100644 data/deprecations/17-9-ast-da-deprecate-cov-guided-fuzz-testing.yml
 create mode 100644 db/post_migrate/20250220004946_new_fk_for_work_item_type_custom_fields_work_item_type_id.rb
 create mode 100644 db/post_migrate/20250220005723_drop_old_fk_for_work_item_type_custom_fields_work_item_type_id.rb
 create mode 100644 db/post_migrate/20250225001149_new_fk_for_work_item_type_user_preferences_work_item_type_id.rb
 create mode 100644 db/post_migrate/20250225001333_drop_old_fk_for_work_item_type_user_preferences_work_item_type_id.rb
 create mode 100644 db/schema_migrations/20250220004946
 create mode 100644 db/schema_migrations/20250220005723
 create mode 100644 db/schema_migrations/20250225001149
 create mode 100644 db/schema_migrations/20250225001333
 delete mode 100644 doc/topics/git/img/revert_v14_0.png
 create mode 100644 scripts/database/query_analyzers/jsonb_scan_detector.rb
 create mode 100644 spec/controllers/event_forward/logger_spec.rb
 create mode 100644 spec/frontend/rapid_diffs/expand_lines/adapter_spec.js
 create mode 100644 spec/frontend/rapid_diffs/expand_lines/diff_line_row_spec.js
 create mode 100644 spec/frontend/rapid_diffs/expand_lines/get_lines_spec.js
 create mode 100644 spec/graphql/resolvers/repositories/commit_resolver_spec.rb
 create mode 100644 spec/requests/event_forward/event_forward_controller_spec.rb
 create mode 100644 spec/scripts/database/query_analyzers/jsonb_scan_detector_spec.rb
 create mode 100644 spec/support/shared_examples/lib/api/access_token_shared_examples.rb

diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS
index 5e8fd72fab5..e78c91baee0 100644
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@@ -795,7 +795,6 @@ lib/gitlab/checks/**
 /doc/api/import.md @ashrafkhamis
 /doc/api/instance_clusters.md @z_painter
 /doc/api/instance_level_ci_variables.md @marcel.amirault
-/doc/api/integrations.md @ashrafkhamis
 /doc/api/invitations.md @emily.sahlani
 /doc/api/issue_links.md @msedlakjakubowski
 /doc/api/issues.md @msedlakjakubowski
@@ -840,6 +839,7 @@ lib/gitlab/checks/**
 /doc/api/project_clusters.md @z_painter
 /doc/api/project_forks.md @emily.sahlani
 /doc/api/project_import_export.md @ashrafkhamis
+/doc/api/project_integrations.md @ashrafkhamis
 /doc/api/project_job_token_scopes.md @marcel.amirault
 /doc/api/project_level_variables.md @marcel.amirault
 /doc/api/project_markdown_uploads.md @msedlakjakubowski
@@ -1027,7 +1027,7 @@ lib/gitlab/checks/**
 /doc/raketasks/x509_signatures.md @brendan777
 /doc/security/ @idurham
 /doc/security/hardening_nist_800_53.md @emily.sahlani
-/doc/solutions/ @jfullam @brianwald @Darwinjs
+/doc/solutions/ @jfullam @Darwinjs @sbrightwell
 /doc/solutions/integrations/servicenow.md @ashrafkhamis
 /doc/subscriptions/ @lciutacu
 /doc/subscriptions/gitlab_com/ @lyspin
@@ -1111,8 +1111,6 @@ lib/gitlab/checks/**
 /doc/user/group/_index.md @emily.sahlani
 /doc/user/group/access_and_permissions.md @emily.sahlani
 /doc/user/group/clusters/ @z_painter
-/doc/user/group/compliance_frameworks.md @eread
-/doc/user/group/compliance_pipelines.md @eread
 /doc/user/group/contribution_analytics/ @lciutacu
 /doc/user/group/credentials_inventory.md @idurham
 /doc/user/group/custom_project_templates.md @brendan777
diff --git a/.rubocop_todo/style/symbol_proc.yml b/.rubocop_todo/style/symbol_proc.yml
index 27e3107eb85..b0ebcbd4b84 100644
--- a/.rubocop_todo/style/symbol_proc.yml
+++ b/.rubocop_todo/style/symbol_proc.yml
@@ -2,15 +2,8 @@
 # Cop supports --autocorrect.
 Style/SymbolProc:
   Exclude:
-    - 'app/controllers/profiles_controller.rb'
     - 'app/models/ci/pipeline.rb'
-    - 'app/models/container_repository.rb'
-    - 'app/models/discussion.rb'
     - 'app/models/environment.rb'
-    - 'app/models/integrations/prometheus.rb'
-    - 'app/models/members/project_member.rb'
-    - 'app/models/preloaders/merge_request_diff_preloader.rb'
-    - 'app/models/release.rb'
     - 'app/models/remote_mirror.rb'
     - 'app/models/snippet_input_action_collection.rb'
     - 'app/policies/group_policy.rb'
@@ -95,10 +88,6 @@ Style/SymbolProc:
     - 'lib/api/helpers/internal_helpers.rb'
     - 'lib/atlassian/jira_connect/serializers/base_entity.rb'
     - 'lib/bulk_imports/common/pipelines/entity_finisher.rb'
-    - 'lib/bulk_imports/ndjson_pipeline.rb'
-    - 'lib/container_registry/client.rb'
-    - 'lib/container_registry/gitlab_api_client.rb'
-    - 'lib/gitlab/analytics/cycle_analytics/stage_events.rb'
     - 'lib/gitlab/auth/o_auth/auth_hash.rb'
     - 'lib/gitlab/blob_helper.rb'
     - 'lib/gitlab/cache/ci/project_pipeline_status.rb'
@@ -188,4 +177,3 @@ Style/SymbolProc:
     - 'spec/support/shared_examples/models/label_note_shared_examples.rb'
     - 'spec/views/layouts/_published_experiments.html.haml_spec.rb'
     - 'spec/workers/snippets/schedule_bulk_repository_shard_moves_worker_spec.rb'
-    - 'tooling/lib/tooling/test_map_generator.rb'
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 35be130f23f..0989e16c57e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,19 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 17.9.1 (2025-02-26)
+
+### Fixed (1 change)
+
+- [Fix instance level dashboard by default severity override](https://gitlab.com/gitlab-org/security/gitlab/-/commit/56d2f940bb6e87b34e4f26ba9a298f28360dd23a) **GitLab Enterprise Edition**
+
+### Security (4 changes)
+
+- [Increase minimum role in SPP to read policy yaml](https://gitlab.com/gitlab-org/security/gitlab/-/commit/593c0a6f70564e9570fb16b25a37298eacf6c644) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4718))
+- [Fix access to read code review analytics in private projects](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0faa526c76e3c523ff6486057c5b5b07e8e4e5d9) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4794))
+- [Escape work item dropdown items and restrict HTML tags](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fc777a98ebd45b30ab95bc0d94a418479d15f09c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4788))
+- [Use stricter CSP values in the packages dependency proxy](https://gitlab.com/gitlab-org/security/gitlab/-/commit/922d3ad17cf7493a10f8dbf90c0cae8d9d4b063d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4787))
+
 ## 17.9.0 (2025-02-19)
 
 ### Added (202 changes)
@@ -1083,6 +1096,15 @@ entry.
 - [Quarantine a flaky test](https://gitlab.com/gitlab-org/gitlab/-/commit/c932e35efdc0e3c6f316a3c2d37045e115ce8cd5) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/176452))
 - [Finalize migration BackfillRemoteDevelopmentAgentConfigsProjectId](https://gitlab.com/gitlab-org/gitlab/-/commit/da4c63d7aab3685c3fbe9d1e48f68ba2162a0b5e) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172769))
 
+## 17.8.4 (2025-02-26)
+
+### Security (4 changes)
+
+- [Increase minimum role in SPP to read policy yaml](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9bfcf4a596b965ce73426d68861cec83ee70f19e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4716))
+- [Fix access to read code review analytics in private projects](https://gitlab.com/gitlab-org/security/gitlab/-/commit/537159f505cad7d23cded01140fbdfd84e9cdfa2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4758))
+- [Escape work item dropdown items and restrict HTML tags](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5548168c3d4e0ba660ed934f23c332045a640799) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4784))
+- [Use stricter CSP values in the packages dependency proxy](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d491abd511c9c1cb00c928e28dc84cb7ef8e4cd3) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4764))
+
 ## 17.8.3 (2025-02-21)
 
 ### Fixed (2 changes)
@@ -1574,6 +1596,19 @@ entry.
 - [Remove default on `group_saved_replies_flag feature flag](https://gitlab.com/gitlab-org/gitlab/-/commit/75d49fe13646e1e0d3b68233ac4a965c86853917) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175647))
 - [Remove use_actual_plan_in_license_check flag](https://gitlab.com/gitlab-org/gitlab/-/commit/b8c3fe16aedb69c82ff52d1c695d72e933c4b946) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/175649))
 
+## 17.7.6 (2025-02-26)
+
+### Fixed (1 change)
+
+- [Fix failed jobs widget polling issue](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e2154d3d886d82e1f5fe62fb9d234d00e257e784)
+
+### Security (4 changes)
+
+- [Increase minimum role in SPP to read policy yaml](https://gitlab.com/gitlab-org/security/gitlab/-/commit/6d5c2ea1feb6097cb5720650f39b3808554b6a29) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4717))
+- [Fix access to read code review analytics in private projects](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4454c18d19d2d8df92520f4c0fafa24ddbf9fbe4) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4757))
+- [Escape work item dropdown items and restrict HTML tags](https://gitlab.com/gitlab-org/security/gitlab/-/commit/a834b94cf4e967065590f6b78b15c8733d67df30) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4785))
+- [Use stricter CSP values in the packages dependency proxy](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d975b402434b9e17ff2963d9c4c6f438f52545ed) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4765))
+
 ## 17.7.5 (2025-02-21)
 
 ### Fixed (1 change)
diff --git a/GITLAB_KAS_VERSION b/GITLAB_KAS_VERSION
index 79614cfc4af..5af311270d3 100644
--- a/GITLAB_KAS_VERSION
+++ b/GITLAB_KAS_VERSION
@@ -1 +1 @@
-afc35fcc49db7d999d74b4f2fcccc2625567bd75
+efced52dc4e4f9f202e32dc6239573d4aceb4d4e
diff --git a/app/assets/javascripts/ci/ci_environments_dropdown/ci_environments_dropdown.vue b/app/assets/javascripts/ci/ci_environments_dropdown/ci_environments_dropdown.vue
index 3ef23f6e5f7..dc6cefb537f 100644
--- a/app/assets/javascripts/ci/ci_environments_dropdown/ci_environments_dropdown.vue
+++ b/app/assets/javascripts/ci/ci_environments_dropdown/ci_environments_dropdown.vue
@@ -58,6 +58,11 @@ export default {
       required: false,
       default: '',
     },
+    ariaLabelledBy: {
+      type: String,
+      required: false,
+      default: '',
+    },
   },
   data() {
     return {
@@ -158,6 +163,7 @@ export default {
     :loading="isDropdownLoading"
     :searching="isDropdownSearching"
     :toggle-text="toggleText"
+    :toggle-aria-labelled-by="ariaLabelledBy"
     @search="debouncedSearch"
     @select="selectEnvironment"
     @shown="toggleDropdownShown(true)"
diff --git a/app/assets/javascripts/ci/ci_variable_list/components/ci_variable_drawer.vue b/app/assets/javascripts/ci/ci_variable_list/components/ci_variable_drawer.vue
index 79fbb25269f..e3ea7c56312 100644
--- a/app/assets/javascripts/ci/ci_variable_list/components/ci_variable_drawer.vue
+++ b/app/assets/javascripts/ci/ci_variable_list/components/ci_variable_drawer.vue
@@ -482,16 +482,18 @@ export default {
       </gl-alert>
       <gl-form-group
         :label="$options.i18n.type"
-        label-for="ci-variable-type"
+        label-class="!gl-pt-5 -gl-mb-5"
         class="gl-border-none"
         :class="{
           '-gl-mb-5': !hideEnvironmentScope,
           '-gl-mb-1': hideEnvironmentScope,
         }"
       >
+        <span id="ci-variable-type" class="gl-sr-only">{{ $options.i18n.type }}</span>
         <gl-collapsible-listbox
           v-model="variable.variableType"
           :items="$options.variableOptions"
+          toggle-aria-labelled-by="ci-variable-type"
           block
           fluid-width
         />
@@ -499,12 +501,12 @@ export default {
       <gl-form-group
         v-if="!hideEnvironmentScope"
         class="-gl-mb-5 gl-border-none"
-        label-for="ci-variable-env"
+        label-class="!gl-pt-5 -gl-mb-5"
         data-testid="environment-scope"
       >
         <template #label>
           <div class="gl-flex gl-items-center">
-            <span class="gl-mr-2">
+            <span id="ci-variable-environments" class="gl-mr-2">
               {{ $options.i18n.environments }}
             </span>
             <span
@@ -533,6 +535,7 @@ export default {
         </template>
         <ci-environments-dropdown
           v-if="areScopedVariablesAvailable"
+          aria-labelled-by="ci-variable-environments"
           class="gl-mb-5"
           :are-environments-loading="areEnvironmentsLoading"
           :environments="environments"
@@ -636,8 +639,8 @@ export default {
         </gl-form-checkbox>
       </gl-form-group>
       <gl-form-group
-        label-for="ci-variable-description"
         :label="$options.i18n.description"
+        label-for="ci-variable-description"
         class="-gl-mb-5 gl-border-none"
         data-testid="ci-variable-description-label"
         :description="$options.i18n.descriptionHelpText"
diff --git a/app/assets/javascripts/content_editor/services/serialization_helpers.js b/app/assets/javascripts/content_editor/services/serialization_helpers.js
index 68df604d5e5..79906567eaf 100644
--- a/app/assets/javascripts/content_editor/services/serialization_helpers.js
+++ b/app/assets/javascripts/content_editor/services/serialization_helpers.js
@@ -1,4 +1,4 @@
-import { isFunction } from 'lodash';
+import { identity, isFunction } from 'lodash';
 
 const defaultAttrs = {
   td: { colspan: 1, rowspan: 1, colwidth: null, align: 'left' },
@@ -194,10 +194,11 @@ export function preserveUnchanged(configOrRender) {
   };
 }
 
-export function preserveUnchangedMark({ open, close, ...restConfig }) {
+export function preserveUnchangedMark({ open, close, escape = true, ...restConfig }) {
   // use a buffer to replace the content of the serialized mark with the sourceMarkdown
   // when the mark is unchanged
   let bufferStartPos = -1;
+  let esc;
 
   function startBuffer(state) {
     bufferStartPos = state.out.length;
@@ -216,6 +217,11 @@ export function preserveUnchangedMark({ open, close, ...restConfig }) {
     ...restConfig,
     // eslint-disable-next-line max-params
     open: (state, mark, parent, index) => {
+      if (!escape) {
+        esc = state.esc;
+        state.esc = identity;
+      }
+
       const same = state.options.changeTracker.get(mark);
 
       if (same) {
@@ -227,6 +233,10 @@ export function preserveUnchangedMark({ open, close, ...restConfig }) {
     },
     // eslint-disable-next-line max-params
     close: (state, mark, parent, index) => {
+      if (!escape) {
+        state.esc = esc;
+      }
+
       const { sourceMarkdown } = mark.attrs;
 
       if (bufferStarted()) {
diff --git a/app/assets/javascripts/content_editor/services/serializer/image.js b/app/assets/javascripts/content_editor/services/serializer/image.js
index e0b5deab38b..6b382d14629 100644
--- a/app/assets/javascripts/content_editor/services/serializer/image.js
+++ b/app/assets/javascripts/content_editor/services/serializer/image.js
@@ -1,5 +1,6 @@
 import { pickBy, identity } from 'lodash';
 import { preserveUnchanged, openTag } from '../serialization_helpers';
+import { escape, quote } from './link';
 
 function getMediaSrc(node, useCanonicalSrc = true) {
   const { canonicalSrc, src } = node.attrs;
@@ -12,7 +13,7 @@ const image = preserveUnchanged({
   render: (state, node) => {
     const { alt, title, width, height, isReference, sourceMarkdown, sourceTagName } = node.attrs;
 
-    const realSrc = getMediaSrc(node, state.options.useCanonicalSrc);
+    const realSrc = escape(getMediaSrc(node, state.options.useCanonicalSrc));
     // eslint-disable-next-line @gitlab/require-i18n-strings
     if (realSrc.startsWith('data:') || realSrc.startsWith('blob:')) return;
 
@@ -22,7 +23,7 @@ const image = preserveUnchanged({
         state.write(openTag(sourceTagName, { src: realSrc, ...attrs }));
         return;
       }
-      const quotedTitle = title ? ` ${state.quote(title)}` : '';
+      const quotedTitle = title ? ` ${quote(title)}` : '';
       const sourceExpression = isReference ? `[${realSrc}]` : `(${realSrc}${quotedTitle})`;
 
       const sizeAttributes = [];
@@ -35,7 +36,7 @@ const image = preserveUnchanged({
 
       const attributes = sizeAttributes.length ? `{${sizeAttributes.join(' ')}}` : '';
 
-      state.write(`![${state.esc(alt || '')}]${sourceExpression}${attributes}`);
+      state.write(`![${escape(alt || '')}]${sourceExpression}${attributes}`);
     }
   },
   inline: true,
diff --git a/app/assets/javascripts/content_editor/services/serializer/link.js b/app/assets/javascripts/content_editor/services/serializer/link.js
index e9a05873815..0a791f91ec7 100644
--- a/app/assets/javascripts/content_editor/services/serializer/link.js
+++ b/app/assets/javascripts/content_editor/services/serializer/link.js
@@ -25,6 +25,9 @@ const normalizeUrl = (url) => {
   }
 };
 
+export const escape = (link) => link.replace(/[()"]/g, '\\$&');
+export const quote = (title) => `"${title.replace(/"/g, '\\"')}"`;
+
 /**
  * This function detects whether a link should be serialized
  * as an autolink.
@@ -67,6 +70,7 @@ function getLinkHref(mark, useCanonicalSrc = true) {
 }
 
 const link = preserveUnchangedMark({
+  escape: false,
   open(state, mark, parent) {
     if (isAutoLink(mark, parent)) {
       return isBracketAutoLink(mark.attrs.sourceMarkdown) ? '<' : '';
@@ -78,11 +82,11 @@ const link = preserveUnchangedMark({
     if (href.startsWith('data:') || href.startsWith('blob:')) return '';
 
     const attrs = {
-      href: state.esc(getLinkHref(mark, state.options.useCanonicalSrc)),
+      href: escape(getLinkHref(mark, state.options.useCanonicalSrc)),
     };
 
     if (title) {
-      attrs.title = state.esc(title);
+      attrs.title = title;
     }
 
     if (sourceTagName && !sourceMarkdown) return openTag(sourceTagName, attrs);
@@ -112,12 +116,12 @@ const link = preserveUnchangedMark({
     }
 
     if (isReference) {
-      return `][${state.esc(getLinkHref(mark, state.options.useCanonicalSrc))}]`;
+      return `][${escape(getLinkHref(mark, state.options.useCanonicalSrc))}]`;
     }
 
     if (isGollumLink) {
       const text = getMarkText(mark, parent);
-      const escapedCanonicalSrc = state.esc(canonicalSrc);
+      const escapedCanonicalSrc = escape(canonicalSrc);
 
       if (text.toLowerCase() === escapedCanonicalSrc.toLowerCase()) {
         return ']]';
@@ -126,8 +130,8 @@ const link = preserveUnchangedMark({
       return `|${escapedCanonicalSrc}]]`;
     }
 
-    return `](${state.esc(getLinkHref(mark, state.options.useCanonicalSrc))}${
-      title ? ` ${state.quote(title)}` : ''
+    return `](${escape(getLinkHref(mark, state.options.useCanonicalSrc))}${
+      title ? ` ${quote(title)}` : ''
     })`;
   },
 });
diff --git a/app/assets/javascripts/notes/components/note_body.vue b/app/assets/javascripts/notes/components/note_body.vue
index 9b492efdcb1..8e2c343de97 100644
--- a/app/assets/javascripts/notes/components/note_body.vue
+++ b/app/assets/javascripts/notes/components/note_body.vue
@@ -108,11 +108,15 @@ export default {
       return escape(suggestion);
     },
   },
-  mounted() {
-    this.renderGFM();
-  },
-  updated() {
-    this.renderGFM();
+  watch: {
+    note: {
+      async handler() {
+        await this.$nextTick();
+        this.renderGFM();
+      },
+      deep: true,
+      immediate: true,
+    },
   },
   methods: {
     ...mapActions([
diff --git a/app/assets/javascripts/pages/projects/commit/rapid_diffs/index.js b/app/assets/javascripts/pages/projects/commit/rapid_diffs/index.js
index f485148a327..bdf92f3ba6b 100644
--- a/app/assets/javascripts/pages/projects/commit/rapid_diffs/index.js
+++ b/app/assets/javascripts/pages/projects/commit/rapid_diffs/index.js
@@ -1,16 +1,10 @@
 import initCommitActions from '~/projects/commit';
 import { initCommitBoxInfo } from '~/projects/commit_box/info';
-import { renderHtmlStreams } from '~/streaming/render_html_streams';
-import { toPolyfillReadable } from '~/streaming/polyfills';
+import { createRapidDiffsApp } from '~/rapid_diffs/app';
 
 initCommitBoxInfo();
 initCommitActions();
 
-const streamContainer = document.getElementById('js-stream-container');
-if (streamContainer) {
-  const request = fetch(streamContainer.dataset.diffsStreamUrl);
-  renderHtmlStreams(
-    [request.then((response) => toPolyfillReadable(response.body))],
-    streamContainer,
-  );
-}
+const app = createRapidDiffsApp();
+app.streamRemainingDiffs();
+app.init();
diff --git a/app/assets/javascripts/pages/projects/commit/show/index.js b/app/assets/javascripts/pages/projects/commit/show/index.js
index d875f28433e..b9f7e156034 100644
--- a/app/assets/javascripts/pages/projects/commit/show/index.js
+++ b/app/assets/javascripts/pages/projects/commit/show/index.js
@@ -18,7 +18,9 @@ import ZenMode from '~/zen_mode';
 import '~/sourcegraph/load';
 import DiffStats from '~/diffs/components/diff_stats.vue';
 import { initReportAbuse } from '~/projects/report_abuse';
+import * as popovers from '~/popovers';
 
+popovers.initPopovers();
 initDiffStatsDropdown();
 new ZenMode();
 addShortcutsExtension(ShortcutsNavigation);
diff --git a/app/assets/javascripts/popovers/index.js b/app/assets/javascripts/popovers/index.js
index 94340ae16a0..cbedfcc1d05 100644
--- a/app/assets/javascripts/popovers/index.js
+++ b/app/assets/javascripts/popovers/index.js
@@ -3,6 +3,7 @@ import Vue from 'vue';
 import PopoversComponent from './components/popovers.vue';
 
 let app;
+let isInitialized = false;
 
 const APP_ELEMENT_ID = 'gl-popovers-app';
 
@@ -32,13 +33,16 @@ const handlePopoverEvent = (rootTarget, e, selector) => {
 };
 
 export const initPopovers = () => {
-  ['mouseenter', 'focus', 'click'].forEach((event) => {
-    document.addEventListener(
-      event,
-      (e) => handlePopoverEvent(document, e, '[data-toggle="popover"]'),
-      true,
-    );
-  });
+  if (!isInitialized) {
+    ['mouseenter', 'focus', 'click'].forEach((event) => {
+      document.addEventListener(
+        event,
+        (e) => handlePopoverEvent(document, e, '[data-toggle="popover"]'),
+        true,
+      );
+    });
+    isInitialized = true;
+  }
 
   return getPopoversApp();
 };
diff --git a/app/assets/javascripts/rapid_diffs/diff_file.js b/app/assets/javascripts/rapid_diffs/diff_file.js
index 448b623095d..e25d105ac5e 100644
--- a/app/assets/javascripts/rapid_diffs/diff_file.js
+++ b/app/assets/javascripts/rapid_diffs/diff_file.js
@@ -69,7 +69,7 @@ export class DiffFile extends HTMLElement {
     if (clickActionElement) {
       const clickAction = clickActionElement.dataset.click;
       this.adapters.forEach((adapter) =>
-        adapter.clicks?.[clickAction]?.call?.(this.adapterContext, event),
+        adapter.clicks?.[clickAction]?.call?.(this.adapterContext, event, clickActionElement),
       );
     }
     this.trigger(events.CLICK, event);
diff --git a/app/assets/javascripts/rapid_diffs/expand_lines/adapter.js b/app/assets/javascripts/rapid_diffs/expand_lines/adapter.js
index 8fc0014e6a8..03eccf4f28b 100644
--- a/app/assets/javascripts/rapid_diffs/expand_lines/adapter.js
+++ b/app/assets/javascripts/rapid_diffs/expand_lines/adapter.js
@@ -1,44 +1,37 @@
 import { getLines } from '~/rapid_diffs/expand_lines/get_lines';
+import { DiffLineRow } from '~/rapid_diffs/expand_lines/diff_line_row';
 
-const getLineNumber = (el) => parseInt(el.dataset.linenumber, 10);
-
-const collectLineData = (element) => {
-  const buttons = element.querySelectorAll('[data-linenumber]');
-  const lineNumbers = Array.from(buttons).map(getLineNumber);
-  const previousEl = element.previousElementSibling;
-  const prevNewLine = previousEl?.querySelector('[data-linenumber]:last-child');
-  const prevNewLineNumber = prevNewLine ? getLineNumber(prevNewLine) : 0;
-  return [...lineNumbers, prevNewLineNumber];
-};
-
-const viewersMap = {
-  text_inline: 'text',
-  text_parallel: 'parallel',
+const getSurroundingLines = (hunkHeaderRow) => {
+  const wrapperElements = Array.from(hunkHeaderRow.parentElement.children);
+  const rowIndex = wrapperElements.indexOf(hunkHeaderRow);
+  const lineBefore = wrapperElements.slice(0, rowIndex).findLast((el) => 'hunkLines' in el.dataset);
+  const lineAfter = wrapperElements
+    .slice(rowIndex, wrapperElements.length)
+    .find((el) => 'hunkLines' in el.dataset);
+  return [lineBefore, lineAfter].map((lineRow) => (lineRow ? new DiffLineRow(lineRow) : null));
 };
 
 export const ExpandLinesAdapter = {
   clicks: {
-    async expandLines(event) {
-      const { target } = event;
-      const { expandPrevLine, expandNextLine } = target.dataset;
-      if (!expandPrevLine && !expandNextLine) return;
-      const parent = target.closest('tr');
-      if (parent.dataset.loading) return;
+    async expandLines(event, button) {
+      const { expandDirection } = button.dataset;
+      const hunkHeaderRow = button.closest('tr');
 
-      parent.dataset.loading = true;
+      if (hunkHeaderRow.dataset.loading) return;
+      hunkHeaderRow.dataset.loading = expandDirection;
+      button.setAttribute('disabled', 'disabled');
 
-      const { blobDiffPath } = this.data;
+      const { diffLinesPath } = this.data;
       const lines = await getLines({
-        expandPrevLine,
-        lineData: collectLineData(parent),
-        blobDiffPath,
-        view: viewersMap[this.viewer],
+        expandDirection,
+        surroundingLines: getSurroundingLines(hunkHeaderRow),
+        diffLinesPath,
+        view: this.viewer === 'text_parallel' ? 'parallel' : undefined,
       });
 
-      const method = expandPrevLine ? 'beforebegin' : 'afterend';
       // eslint-disable-next-line no-unsanitized/method
-      parent.insertAdjacentHTML(method, lines);
-      parent.remove();
+      hunkHeaderRow.insertAdjacentHTML('afterend', lines);
+      hunkHeaderRow.remove();
     },
   },
 };
diff --git a/app/assets/javascripts/rapid_diffs/expand_lines/diff_line_row.js b/app/assets/javascripts/rapid_diffs/expand_lines/diff_line_row.js
new file mode 100644
index 00000000000..b0bcca18640
--- /dev/null
+++ b/app/assets/javascripts/rapid_diffs/expand_lines/diff_line_row.js
@@ -0,0 +1,20 @@
+export class DiffLineRow {
+  constructor(row) {
+    this.row = row;
+  }
+
+  #getLineNumber(position) {
+    const { lineNumber } = this.row.querySelector(
+      `[data-position="${position}"] [data-line-number]`,
+    ).dataset;
+    return parseInt(lineNumber, 10);
+  }
+
+  get oldLineNumber() {
+    return this.#getLineNumber('old');
+  }
+
+  get newLineNumber() {
+    return this.#getLineNumber('new');
+  }
+}
diff --git a/app/assets/javascripts/rapid_diffs/expand_lines/get_lines.js b/app/assets/javascripts/rapid_diffs/expand_lines/get_lines.js
index 0603251d129..72adaa7638f 100644
--- a/app/assets/javascripts/rapid_diffs/expand_lines/get_lines.js
+++ b/app/assets/javascripts/rapid_diffs/expand_lines/get_lines.js
@@ -1,35 +1,68 @@
+/**
+ * @typedef {import('./diff_line_row').DiffLineRow} DiffLineRow
+ */
+
 import axios from '~/lib/utils/axios_utils';
 
 const UNFOLD_COUNT = 20;
 
-// eslint-disable-next-line max-params
-const getRequestParams = (expandPrevLine, oldLineNumber, newLineNumber, prevNewLineNumber) => {
-  const offset = newLineNumber - oldLineNumber;
-  let since;
-  let to;
-  let unfold = true;
-
-  if (!expandPrevLine) {
-    const lineNumber = newLineNumber + 1;
-    since = lineNumber;
-    to = lineNumber + UNFOLD_COUNT;
-  } else {
-    const lineNumber = newLineNumber - 1;
-    since = lineNumber - UNFOLD_COUNT;
-    to = lineNumber;
-
-    // make sure we aren't loading more than we need
-    if (since <= prevNewLineNumber + 1) {
-      since = prevNewLineNumber + 1;
-      unfold = false;
-    }
+/**
+ * @typedef {'up' | 'down' | 'both'} ExpandDirection
+ * 'up' - ↑
+ * 'down' - ↓
+ * 'both' - ↕
+ */
+/**
+ * @typedef {Object} RequestParams
+ * @property {boolean} unfold - Adds hunk header (contains expand buttons) to the returned HTML
+ * @property {number} since - Starting new line number for the line range
+ * @property {number} to - Ending new line number for the line range
+ * @property {boolean} bottom - Positions diff hunk header either before or after the lines
+ * @property {number} offset - The difference between new and old line numbers
+ * @property {number} [closest_line_number] - The next new line number near the existing diff hunk header
+ * 'closest_line_number' - this param helps backend understand which expand buttons should be shown: ↑/↓ or ↕
+ */
+/**
+ * @param {ExpandDirection} expandDirection
+ * @param {[DiffLineRow, DiffLineRow]} surroundingLines
+ * @returns {RequestParams}
+ */
+const getRequestParams = (expandDirection, [lineBefore, lineAfter]) => {
+  switch (expandDirection) {
+    case 'both':
+      return {
+        unfold: false,
+        since: lineBefore.newLineNumber + 1,
+        to: lineAfter.newLineNumber - 1,
+        bottom: false,
+        offset: lineBefore.newLineNumber - lineBefore.oldLineNumber,
+      };
+    case 'up':
+      return {
+        unfold: true,
+        since: Math.max(lineAfter.newLineNumber - UNFOLD_COUNT - 1, 1),
+        to: lineAfter.newLineNumber - 1,
+        closest_line_number: lineBefore ? lineBefore.newLineNumber : 0,
+        offset: lineAfter.newLineNumber - lineAfter.oldLineNumber,
+        bottom: false,
+      };
+    case 'down':
+      return {
+        unfold: true,
+        since: lineBefore.newLineNumber + 1,
+        to: lineBefore.newLineNumber + UNFOLD_COUNT + 1,
+        closest_line_number: lineAfter ? lineAfter.newLineNumber : 0,
+        offset: lineBefore.newLineNumber - lineBefore.oldLineNumber,
+        bottom: true,
+      };
+    default:
+      // eslint-disable-next-line @gitlab/require-i18n-strings
+      throw new Error('Invalid expand option provided');
   }
-
-  return { since, to, bottom: !expandPrevLine, offset, unfold };
 };
 
-export const getLines = async ({ expandPrevLine, lineData, blobDiffPath, view }) => {
-  const params = getRequestParams(expandPrevLine, ...lineData);
-  const { data: lines } = await axios.get(blobDiffPath, { params: { ...params, view } });
+export const getLines = async ({ expandDirection, surroundingLines, diffLinesPath, view }) => {
+  const params = getRequestParams(expandDirection, surroundingLines);
+  const { data: lines } = await axios.get(diffLinesPath, { params: { ...params, view } });
   return lines;
 };
diff --git a/app/assets/javascripts/vue_merge_request_widget/components/states/ready_to_merge.vue b/app/assets/javascripts/vue_merge_request_widget/components/states/ready_to_merge.vue
index 14a10d3b1cc..3f6a3f6ee3b 100644
--- a/app/assets/javascripts/vue_merge_request_widget/components/states/ready_to_merge.vue
+++ b/app/assets/javascripts/vue_merge_request_widget/components/states/ready_to_merge.vue
@@ -80,7 +80,7 @@ export default {
             false;
           this.commitMessage = data.project.mergeRequest.defaultMergeCommitMessage;
           this.squashBeforeMerge = data.project.mergeRequest.squashOnMerge;
-          this.isSquashReadOnly = data.project.squashReadOnly;
+          this.isSquashReadOnly = data.project.mergeRequest.squashReadOnly;
           this.squashCommitMessage = data.project.mergeRequest.defaultSquashCommitMessage;
         }
 
diff --git a/app/assets/javascripts/vue_merge_request_widget/queries/states/ready_to_merge.fragment.graphql b/app/assets/javascripts/vue_merge_request_widget/queries/states/ready_to_merge.fragment.graphql
index 9b0420cc7fa..57554c6c640 100644
--- a/app/assets/javascripts/vue_merge_request_widget/queries/states/ready_to_merge.fragment.graphql
+++ b/app/assets/javascripts/vue_merge_request_widget/queries/states/ready_to_merge.fragment.graphql
@@ -4,8 +4,8 @@ fragment ReadyToMerge on Project {
   id
   onlyAllowMergeIfPipelineSucceeds
   mergeRequestsFfOnlyEnabled
-  squashReadOnly
   mergeRequest(iid: $iid) {
     ...ReadyToMergeMergeRequest
+    squashReadOnly
   }
 }
diff --git a/app/assets/javascripts/vue_shared/components/entity_select/init_project_selects.js b/app/assets/javascripts/vue_shared/components/entity_select/init_project_selects.js
index 12db70d8e9c..dcbc297e8c1 100644
--- a/app/assets/javascripts/vue_shared/components/entity_select/init_project_selects.js
+++ b/app/assets/javascripts/vue_shared/components/entity_select/init_project_selects.js
@@ -13,6 +13,7 @@ export const initProjectSelects = () => {
   document.querySelectorAll(SELECTOR).forEach((el) => {
     const {
       label,
+      description,
       inputName,
       inputId,
       groupId,
@@ -34,6 +35,7 @@ export const initProjectSelects = () => {
           props: {
             label,
             hasHtmlLabel,
+            description,
             inputName,
             inputId,
             groupId,
diff --git a/app/assets/javascripts/vue_shared/components/entity_select/project_select.vue b/app/assets/javascripts/vue_shared/components/entity_select/project_select.vue
index 521e4577750..5d3c0a4c78d 100644
--- a/app/assets/javascripts/vue_shared/components/entity_select/project_select.vue
+++ b/app/assets/javascripts/vue_shared/components/entity_select/project_select.vue
@@ -30,6 +30,11 @@ export default {
       type: String,
       required: true,
     },
+    description: {
+      type: String,
+      required: false,
+      default: '',
+    },
     hasHtmlLabel: {
       type: Boolean,
       required: false,
@@ -168,6 +173,7 @@ export default {
 <template>
   <entity-selector
     :label="label"
+    :description="description"
     :input-name="inputName"
     :input-id="inputId"
     :initial-selection="initialSelection"
diff --git a/app/assets/javascripts/work_items/components/shared/work_item_token_input.vue b/app/assets/javascripts/work_items/components/shared/work_item_token_input.vue
index 2dba3812e28..f826c601623 100644
--- a/app/assets/javascripts/work_items/components/shared/work_item_token_input.vue
+++ b/app/assets/javascripts/work_items/components/shared/work_item_token_input.vue
@@ -1,6 +1,6 @@
 <script>
 import { GlTokenSelector, GlAlert } from '@gitlab/ui';
-import { debounce } from 'lodash';
+import { debounce, escape } from 'lodash';
 
 import { getIdFromGraphQLId } from '~/graphql_shared/utils';
 import { isNumeric } from '~/lib/utils/number_utils';
@@ -208,11 +208,13 @@ export default {
       });
     },
     formatResults(input) {
+      const escapedInput = escape(input);
+
       if (!this.searchTerm) {
-        return input;
+        return escapedInput;
       }
 
-      return highlighter(`<span class="gl-text-default">${input}</span>`, this.searchTerm);
+      return highlighter(`<span class="gl-text-default">${escapedInput}</span>`, this.searchTerm);
     },
     unsetError() {
       this.error = '';
@@ -233,6 +235,7 @@ export default {
     noMatchesFoundMessage: I18N_WORK_ITEM_NO_MATCHES_FOUND,
     addInputPlaceholder: I18N_WORK_ITEM_SEARCH_INPUT_PLACEHOLDER,
   },
+  safeHtmlConfig: { ADD_TAGS: ['strong', 'span'] },
 };
 </script>
 <template>
@@ -262,10 +265,13 @@ export default {
       <template #dropdown-item-content="{ dropdownItem }">
         <div class="gl-flex">
           <div
-            v-safe-html="formatResults(dropdownItem.iid)"
+            v-safe-html:[$options.safeHtmlConfig]="formatResults(dropdownItem.iid)"
             class="gl-mr-4 gl-text-sm gl-text-subtle"
           ></div>
-          <div v-safe-html="formatResults(dropdownItem.title)" class="gl-truncate"></div>
+          <div
+            v-safe-html:[$options.safeHtmlConfig]="formatResults(dropdownItem.title)"
+            class="gl-truncate"
+          ></div>
         </div>
       </template>
       <template #no-results-content>
diff --git a/app/assets/stylesheets/components/rapid_diffs/text_file_viewers.scss b/app/assets/stylesheets/components/rapid_diffs/text_file_viewers.scss
index 9a2b68a5e41..e2569e22a7c 100644
--- a/app/assets/stylesheets/components/rapid_diffs/text_file_viewers.scss
+++ b/app/assets/stylesheets/components/rapid_diffs/text_file_viewers.scss
@@ -26,6 +26,8 @@
 }
 
 .rd-hunk-header {
+  // this is used when a hunk header doesn't have any text, only expand buttons
+  min-height: calc(1em * $code-line-height);
   border-top: 1px solid var(--rd-hunk-header-border-color, $gray-100);
   border-bottom: 1px solid var(--rd-hunk-header-border-color, $gray-100);
   background-color: var(--rd-hunk-header-background-color, $gray-50);
@@ -40,6 +42,18 @@
   }
 }
 
+.rd-hunk-header[data-loading=both] [data-visible-when=loading],
+.rd-hunk-header[data-loading=up] [data-expand-direction=up] [data-visible-when=loading],
+.rd-hunk-header[data-loading=down] [data-expand-direction=down] [data-visible-when=loading] {
+  display: block;
+}
+
+.rd-hunk-header[data-loading=both] [data-visible-when=idle],
+.rd-hunk-header[data-loading=up] [data-expand-direction=up] [data-visible-when=idle],
+.rd-hunk-header[data-loading=down] [data-expand-direction=down] [data-visible-when=idle] {
+  display: none;
+}
+
 .rd-hunk-header-parallel,
 .rd-hunk-lines-parallel, {
   grid-template-columns: 50px 1fr 50px 1fr;
@@ -62,7 +76,12 @@
 .rd-expand-lines-button {
   @include common.diff-expansion($gray-100, $gray-700, $gray-200, $gray-800);
 
-  display: block;
+  display: flex;
+  justify-content: center;
+  align-items: center;
+  // whitespace inside button increases the minimum size of the row
+  // this causes jumps when the icons change from idle to loading
+  font-size: 0;
   border: 0;
 
   background-color: var(--rd-expand-lines-button-background-color, $gray-100);
@@ -75,6 +94,10 @@
   }
 }
 
+.rd-expand-lines-button [data-visible-when=loading] {
+  display: none;
+}
+
 .rd-line-number {
   padding: 0 10px 0 5px;
   text-align: right;
diff --git a/app/components/rapid_diffs/diff_file_component.rb b/app/components/rapid_diffs/diff_file_component.rb
index 3fa068af61f..a8a5bf7ca1d 100644
--- a/app/components/rapid_diffs/diff_file_component.rb
+++ b/app/components/rapid_diffs/diff_file_component.rb
@@ -18,7 +18,7 @@ module RapidDiffs
       params = tree_join(@diff_file.content_sha, @diff_file.file_path)
       {
         viewer: viewer_component.viewer_name,
-        blob_diff_path: project_blob_diff_path(project, params)
+        diff_lines_path: project_blob_diff_lines_path(project, params)
       }
     end
 
diff --git a/app/components/rapid_diffs/viewers/text/expand_lines_component.html.haml b/app/components/rapid_diffs/viewers/text/expand_lines_component.html.haml
index e8c5a9775f2..7af83bfa6c8 100644
--- a/app/components/rapid_diffs/viewers/text/expand_lines_component.html.haml
+++ b/app/components/rapid_diffs/viewers/text/expand_lines_component.html.haml
@@ -1,3 +1,6 @@
 - @directions.each do |direction|
-  %button.rd-expand-lines-button{ type: "button", data: { click: 'expandLines' } }
-    = helpers.sprite_icon(icon_name(direction))
+  %button.rd-expand-lines-button{ type: "button", data: { click: 'expandLines', expand_direction: direction } }
+    %span{ data: { visible_when: 'idle' } }
+      = helpers.sprite_icon(icon_name(direction))
+    %span{ data: { visible_when: 'loading' } }
+      = helpers.gl_loading_icon(size: 'sm', inline: true)
diff --git a/app/components/rapid_diffs/viewers/text/inline_hunk_component.html.haml b/app/components/rapid_diffs/viewers/text/inline_hunk_component.html.haml
index 04ea562566d..7a4f6b28cc1 100644
--- a/app/components/rapid_diffs/viewers/text/inline_hunk_component.html.haml
+++ b/app/components/rapid_diffs/viewers/text/inline_hunk_component.html.haml
@@ -5,7 +5,7 @@
 
 - if @diff_hunk.lines
   - @diff_hunk.lines.each do |line|
-    %tr.rd-hunk-lines.rd-hunk-lines-inline{ data: { testid: testid } }
+    %tr.rd-hunk-lines.rd-hunk-lines-inline{ data: { testid: 'hunk-lines-inline', hunk_lines: true } }
       = render RapidDiffs::Viewers::Text::LineNumberComponent.new(file_hash: @file_hash, file_path: @file_path, line: line, position: :old)
       = render RapidDiffs::Viewers::Text::LineNumberComponent.new(file_hash: @file_hash, file_path: @file_path, line: line, position: :new, border: :right)
       = render RapidDiffs::Viewers::Text::LineContentComponent.new(line: line, position: nil)
diff --git a/app/components/rapid_diffs/viewers/text/inline_hunk_component.rb b/app/components/rapid_diffs/viewers/text/inline_hunk_component.rb
index b365576e39a..1ff9161e5bc 100644
--- a/app/components/rapid_diffs/viewers/text/inline_hunk_component.rb
+++ b/app/components/rapid_diffs/viewers/text/inline_hunk_component.rb
@@ -11,10 +11,6 @@ module RapidDiffs
           @file_hash = file_hash
           @file_path = file_path
         end
-
-        def testid
-          'hunk-lines-inline'
-        end
       end
     end
   end
diff --git a/app/components/rapid_diffs/viewers/text/line_number_component.html.haml b/app/components/rapid_diffs/viewers/text/line_number_component.html.haml
index 12d6a2d25a7..969f332cf3c 100644
--- a/app/components/rapid_diffs/viewers/text/line_number_component.html.haml
+++ b/app/components/rapid_diffs/viewers/text/line_number_component.html.haml
@@ -1,5 +1,5 @@
 - if visible?
-  %td.rd-line-number{ id: id, class: border_class, data: { legacy_id: legacy_id, change: change_type } }
+  %td.rd-line-number{ id: id, class: border_class, data: { legacy_id: legacy_id, change: change_type, position: @position } }
     = link_to '', "##{id}", { class: 'rd-line-link', data: { line_number: line_number }, aria: { label: s_('Line number %{number}').html_safe % { number: line_number } } }
 - else
   %td.rd-line-number{ class: border_class, data: { change: change_type } }
diff --git a/app/components/rapid_diffs/viewers/text/parallel_hunk_component.html.haml b/app/components/rapid_diffs/viewers/text/parallel_hunk_component.html.haml
index 7c67dac568a..75ae0638f60 100644
--- a/app/components/rapid_diffs/viewers/text/parallel_hunk_component.html.haml
+++ b/app/components/rapid_diffs/viewers/text/parallel_hunk_component.html.haml
@@ -5,7 +5,7 @@
       %td.rd-hunk-header-content{ data: { position: index == 0 ? :old : :new }, tabindex: '-1' }= @diff_hunk.header.text
 
 - @diff_hunk.parallel_lines.each do |pair|
-  %tr.rd-hunk-lines.rd-hunk-lines-parallel{ data: { testid: testid } }
+  %tr.rd-hunk-lines.rd-hunk-lines-parallel{ data: { testid: 'hunk-lines-parallel', hunk_lines: true } }
     - sides(pair).each do |side|
       - line, position = side.values_at(:line, :position)
       = render RapidDiffs::Viewers::Text::LineNumberComponent.new(file_hash: @file_hash, file_path: @file_path, **side)
diff --git a/app/components/rapid_diffs/viewers/text/parallel_hunk_component.rb b/app/components/rapid_diffs/viewers/text/parallel_hunk_component.rb
index 35ec7908284..d99863cf2e4 100644
--- a/app/components/rapid_diffs/viewers/text/parallel_hunk_component.rb
+++ b/app/components/rapid_diffs/viewers/text/parallel_hunk_component.rb
@@ -26,10 +26,6 @@ module RapidDiffs
             }
           ]
         end
-
-        def testid
-          'hunk-lines-parallel'
-        end
       end
     end
   end
diff --git a/app/controllers/clusters/clusters_controller.rb b/app/controllers/clusters/clusters_controller.rb
index 4524bc339e5..d1dace49ca0 100644
--- a/app/controllers/clusters/clusters_controller.rb
+++ b/app/controllers/clusters/clusters_controller.rb
@@ -105,7 +105,8 @@ class Clusters::ClustersController < ::Clusters::BaseController
     response = Clusters::Migration::CreateService.new(
       cluster.cluster,
       current_user: current_user,
-      configuration_project_id: migrate_params[:configuration_project_id]
+      configuration_project_id: migrate_params[:configuration_project_id],
+      agent_name: migrate_params[:agent_name]
     ).execute
 
     if response.success?
@@ -120,7 +121,7 @@ class Clusters::ClustersController < ::Clusters::BaseController
   private
 
   def migrate_params
-    params.permit(:configuration_project_id)
+    params.require(:cluster_migration).permit(:configuration_project_id, :agent_name)
   end
 
   def ensure_feature_enabled!
diff --git a/app/controllers/event_forward/event_forward_controller.rb b/app/controllers/event_forward/event_forward_controller.rb
new file mode 100644
index 00000000000..886a84048de
--- /dev/null
+++ b/app/controllers/event_forward/event_forward_controller.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module EventForward
+  class EventForwardController < BaseActionController
+    def forward
+      process_events
+
+      head :ok
+    end
+
+    private
+
+    def process_events
+      payload = Gitlab::Json.parse(request.raw_post)
+      tracker = Gitlab::Tracking.tracker
+
+      payload['data'].each do |event|
+        tracker.emit_event_payload(event)
+      end
+
+      logger.info("Enqueued events for forwarding. Count: #{payload['data'].size}")
+    end
+
+    def logger
+      @logger ||= EventForward::Logger.build
+    end
+  end
+end
diff --git a/app/controllers/event_forward/logger.rb b/app/controllers/event_forward/logger.rb
new file mode 100644
index 00000000000..3171de86112
--- /dev/null
+++ b/app/controllers/event_forward/logger.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module EventForward
+  class Logger < ::Gitlab::JsonLogger
+    def self.file_name_noext
+      'event_collection'
+    end
+  end
+end
diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb
index bdb223bb235..786eb6fa4af 100644
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -15,9 +15,7 @@ class ProfilesController < Profiles::ApplicationController
     :reset_static_object_token, :update_username]
 
   def reset_incoming_email_token
-    Users::UpdateService.new(current_user, user: @user).execute! do |user|
-      user.reset_incoming_email_token!
-    end
+    Users::UpdateService.new(current_user, user: @user).execute!(&:reset_incoming_email_token!)
 
     flash[:notice] = s_("Profiles|Incoming email token was successfully reset")
 
@@ -37,9 +35,7 @@ class ProfilesController < Profiles::ApplicationController
   end
 
   def reset_static_object_token
-    Users::UpdateService.new(current_user, user: @user).execute! do |user|
-      user.reset_static_object_token!
-    end
+    Users::UpdateService.new(current_user, user: @user).execute!(&:reset_static_object_token!)
 
     redirect_to user_settings_personal_access_tokens_path,
       notice: s_('Profiles|Static object token was successfully reset')
diff --git a/app/controllers/projects/commit_controller.rb b/app/controllers/projects/commit_controller.rb
index 2942d717b5d..1e0dd40b687 100644
--- a/app/controllers/projects/commit_controller.rb
+++ b/app/controllers/projects/commit_controller.rb
@@ -161,6 +161,7 @@ class Projects::CommitController < Projects::ApplicationController
     return render_404 unless ::Feature.enabled?(:rapid_diffs, current_user, type: :wip)
 
     streaming_offset = 5
+    @reload_stream_url = diffs_stream_url(@commit)
     @stream_url = diffs_stream_url(@commit, streaming_offset, diff_view)
     @diffs_slice = @commit.first_diffs_slice(streaming_offset, commit_diff_options)
 
diff --git a/app/graphql/resolvers/repositories/commit_resolver.rb b/app/graphql/resolvers/repositories/commit_resolver.rb
new file mode 100644
index 00000000000..bb85842d7dd
--- /dev/null
+++ b/app/graphql/resolvers/repositories/commit_resolver.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Resolvers
+  module Repositories
+    class CommitResolver < BaseResolver
+      type Types::Repositories::CommitType, null: true
+
+      argument :ref,
+        GraphQL::Types::String,
+        required: true,
+        description: "Commit reference (SHA, branch name, or tag name)."
+
+      calls_gitaly!
+
+      alias_method :repository, :object
+
+      def resolve(ref:)
+        repository.commit(ref)
+      end
+    end
+  end
+end
diff --git a/app/graphql/types/repository_type.rb b/app/graphql/types/repository_type.rb
index 8d1f50a2108..0665de05f8e 100644
--- a/app/graphql/types/repository_type.rb
+++ b/app/graphql/types/repository_type.rb
@@ -11,6 +11,10 @@ module Types
     field :branch_names, [GraphQL::Types::String], null: true, calls_gitaly: true,
       complexity: 170, description: 'Names of branches available in this repository that match the search pattern.',
       resolver: Resolvers::RepositoryBranchNamesResolver
+    field :commit, Types::Repositories::CommitType, null: true,
+      calls_gitaly: true,
+      description: 'Commit from the repository.',
+      resolver: Resolvers::Repositories::CommitResolver
     field :disk_path, GraphQL::Types::String,
       description: 'Shows a disk path of the repository.',
       null: true,
diff --git a/app/helpers/clusters_helper.rb b/app/helpers/clusters_helper.rb
index 2c27a1098d2..595aec10175 100644
--- a/app/helpers/clusters_helper.rb
+++ b/app/helpers/clusters_helper.rb
@@ -101,6 +101,17 @@ module ClustersHelper
     can?(user, :admin_cluster, cluster)
   end
 
+  def migration_alert_config(migration)
+    return unless migration
+
+    status = migration.agent_install_status.to_sym
+    config = migration_alert_configs[status]
+
+    return config unless config && status == :error && migration.agent_install_message.present?
+
+    config.merge(details: migration.agent_install_message)
+  end
+
   private
 
   def default_branch_name(clusterable)
@@ -110,4 +121,23 @@ module ClustersHelper
   def clusterable_project_path(clusterable)
     clusterable.full_path if clusterable.is_a?(Project)
   end
+
+  def migration_alert_configs
+    {
+      in_progress: {
+        variant: :info,
+        message: s_('ClusterIntegration|Installing agent in progress.')
+      },
+      success: {
+        variant: :success,
+        message: s_('ClusterIntegration|The agent connection is set up.')
+      },
+      error: {
+        variant: :warning,
+        title: s_('ClusterIntegration|Agent setup failed'),
+        message: s_('ClusterIntegration|The agent was not installed in the cluster.'),
+        show_help: true
+      }
+    }.freeze
+  end
 end
diff --git a/app/models/clusters/agent_migration.rb b/app/models/clusters/agent_migration.rb
index b3cab5c24f4..6d84c0fd56b 100644
--- a/app/models/clusters/agent_migration.rb
+++ b/app/models/clusters/agent_migration.rb
@@ -4,6 +4,8 @@ module Clusters
   class AgentMigration < ApplicationRecord
     self.table_name = 'cluster_agent_migrations'
 
+    attr_accessor :agent_name
+
     belongs_to :cluster, optional: false, class_name: 'Clusters::Cluster'
     belongs_to :project, optional: false, class_name: '::Project'
     belongs_to :agent, optional: false, class_name: 'Clusters::Agent'
diff --git a/app/models/commit.rb b/app/models/commit.rb
index a69caff04ab..6404c734025 100644
--- a/app/models/commit.rb
+++ b/app/models/commit.rb
@@ -608,7 +608,7 @@ class Commit
   def first_diffs_slice(limit, diff_options = {})
     diff_options[:max_files] = limit
 
-    diffs(diff_options)
+    diffs(diff_options).diff_files
   end
 
   private
diff --git a/app/models/concerns/cached_commit.rb b/app/models/concerns/cached_commit.rb
index 74120f49d01..747e0e84c74 100644
--- a/app/models/concerns/cached_commit.rb
+++ b/app/models/concerns/cached_commit.rb
@@ -9,7 +9,7 @@ module CachedCommit
     end
   end
 
-  # We don't save these, because they would need a table or a serialised
+  # We don't save these, because they would need a table or a serialized
   # field. They aren't used anywhere, so just pretend the commit has no parents.
   def parent_ids
     []
diff --git a/app/models/container_repository.rb b/app/models/container_repository.rb
index 40b1a760e04..a84dc2c0964 100644
--- a/app/models/container_repository.rb
+++ b/app/models/container_repository.rb
@@ -220,7 +220,7 @@ class ContainerRepository < ApplicationRecord
   def delete_tags!
     return unless has_tags?
 
-    digests = tags.map { |tag| tag.digest }.compact.to_set
+    digests = tags.map(&:digest).compact.to_set
 
     digests.map { |digest| delete_tag(digest) }.all?
   end
diff --git a/app/models/discussion.rb b/app/models/discussion.rb
index de93423bc37..c494ad2192d 100644
--- a/app/models/discussion.rb
+++ b/app/models/discussion.rb
@@ -53,7 +53,7 @@ class Discussion
     notes = model_class.where(discussion_id: discussion_ids).fresh
     notes = notes.inc_note_diff_file if preload_note_diff_file
 
-    grouped_notes = notes.group_by { |n| n.discussion_id }
+    grouped_notes = notes.group_by(&:discussion_id)
     grouped_notes.transform_values { |notes| Discussion.build(notes, context_noteable) }
   end
 
diff --git a/app/models/integrations/prometheus.rb b/app/models/integrations/prometheus.rb
index 13a38545677..9ee26ea1cf4 100644
--- a/app/models/integrations/prometheus.rb
+++ b/app/models/integrations/prometheus.rb
@@ -93,9 +93,7 @@ module Integrations
     def prometheus_available?
       return false unless project
 
-      project.all_clusters.enabled.eager_load(:integration_prometheus).any? do |cluster|
-        cluster.integration_prometheus_available?
-      end
+      project.all_clusters.enabled.eager_load(:integration_prometheus).any?(&:integration_prometheus_available?)
     end
 
     def allow_local_api_url?
diff --git a/app/models/members/project_member.rb b/app/models/members/project_member.rb
index 414ffba6f1e..3361831636b 100644
--- a/app/models/members/project_member.rb
+++ b/app/models/members/project_member.rb
@@ -27,9 +27,7 @@ class ProjectMember < Member
       ProjectMember.transaction do
         members = ProjectMember.where(source_id: project_ids)
 
-        members.each do |member|
-          member.destroy
-        end
+        members.each(&:destroy)
       end
 
       true
diff --git a/app/models/packages/conan/package_revision.rb b/app/models/packages/conan/package_revision.rb
index 5e797341994..98e61a6818c 100644
--- a/app/models/packages/conan/package_revision.rb
+++ b/app/models/packages/conan/package_revision.rb
@@ -5,8 +5,6 @@ module Packages
     class PackageRevision < ApplicationRecord
       include ShaAttribute
 
-      REVISION_LENGTH_MAX = 40
-
       sha_attribute :revision
 
       belongs_to :package, class_name: 'Packages::Conan::Package', inverse_of: :conan_package_revisions
@@ -17,8 +15,8 @@ module Packages
       has_many :file_metadata, inverse_of: :package_revision, class_name: 'Packages::Conan::FileMetadatum'
 
       validates :package, :package_reference, :project, presence: true
-      validates :revision, presence: true, bytesize: { maximum: -> { REVISION_LENGTH_MAX } },
-        uniqueness: { scope: [:package_id, :package_reference_id] }
+      validates :revision, presence: true, uniqueness: { scope: [:package_id, :package_reference_id] },
+        format: { with: ::Gitlab::Regex.conan_revision_regex_v2 }
     end
   end
 end
diff --git a/app/models/packages/conan/recipe_revision.rb b/app/models/packages/conan/recipe_revision.rb
index 3f5d915ad74..e13c7843eaa 100644
--- a/app/models/packages/conan/recipe_revision.rb
+++ b/app/models/packages/conan/recipe_revision.rb
@@ -5,8 +5,6 @@ module Packages
     class RecipeRevision < ApplicationRecord
       include ShaAttribute
 
-      REVISION_LENGTH_MAX = 40
-
       sha_attribute :revision
 
       belongs_to :package, class_name: 'Packages::Conan::Package', inverse_of: :conan_recipe_revisions
@@ -17,8 +15,8 @@ module Packages
       has_many :file_metadata, inverse_of: :recipe_revision, class_name: 'Packages::Conan::FileMetadatum'
 
       validates :package, :project, presence: true
-      validates :revision, presence: true, bytesize: { maximum: -> { REVISION_LENGTH_MAX } },
-        uniqueness: { scope: :package_id }
+      validates :revision, presence: true,
+        uniqueness: { scope: :package_id }, format: { with: ::Gitlab::Regex.conan_revision_regex_v2 }
     end
   end
 end
diff --git a/app/models/preloaders/merge_request_diff_preloader.rb b/app/models/preloaders/merge_request_diff_preloader.rb
index ee9995c497d..854f3e7f31c 100644
--- a/app/models/preloaders/merge_request_diff_preloader.rb
+++ b/app/models/preloaders/merge_request_diff_preloader.rb
@@ -14,7 +14,7 @@ module Preloaders
 
     def preload_all
       merge_request_diffs = MergeRequestDiff.latest_diff_for_merge_requests(@merge_requests)
-      cache = merge_request_diffs.index_by { |diff| diff.merge_request_id }
+      cache = merge_request_diffs.index_by(&:merge_request_id)
 
       @merge_requests.each do |merge_request|
         merge_request_diff = cache[merge_request.id]
diff --git a/app/models/release.rb b/app/models/release.rb
index 9e200bf8502..bc0be083314 100644
--- a/app/models/release.rb
+++ b/app/models/release.rb
@@ -152,7 +152,7 @@ class Release < ApplicationRecord
   end
 
   def milestone_titles
-    self.milestones.order_by_dates_and_title.map { |m| m.title }.join(', ')
+    self.milestones.order_by_dates_and_title.map(&:title).join(', ')
   end
 
   def to_hook_data(action)
diff --git a/app/presenters/clusters/cluster_presenter.rb b/app/presenters/clusters/cluster_presenter.rb
index 35cfe3e5a3e..fd8787b64bd 100644
--- a/app/presenters/clusters/cluster_presenter.rb
+++ b/app/presenters/clusters/cluster_presenter.rb
@@ -65,6 +65,10 @@ module Clusters
       }
     end
 
+    def agent_migration_for_display
+      cluster.agent_migration || Clusters::AgentMigration.new(cluster: cluster)
+    end
+
     private
 
     def image_path(path)
diff --git a/app/services/clusters/migration/create_service.rb b/app/services/clusters/migration/create_service.rb
index e7ec525fff6..939de7361c8 100644
--- a/app/services/clusters/migration/create_service.rb
+++ b/app/services/clusters/migration/create_service.rb
@@ -3,13 +3,14 @@
 module Clusters
   module Migration
     class CreateService
-      attr_reader :cluster, :clusterable, :current_user, :configuration_project
+      attr_reader :cluster, :clusterable, :current_user, :configuration_project, :agent_name
 
-      def initialize(cluster, current_user:, configuration_project_id:)
+      def initialize(cluster, current_user:, configuration_project_id:, agent_name:)
         @cluster = cluster
         @clusterable = cluster.clusterable
         @current_user = current_user
         @configuration_project = find_configuration_project(configuration_project_id)
+        @agent_name = agent_name
       end
 
       def execute
@@ -27,7 +28,8 @@ module Clusters
         migration = Clusters::AgentMigration.new(
           cluster: cluster,
           agent: agent,
-          project: configuration_project
+          project: configuration_project,
+          agent_name: agent_name
         )
 
         if migration.save
@@ -41,11 +43,11 @@ module Clusters
 
       def validate_inputs
         message = if !feature_enabled?
-                    'Feature disabled'
+                    _('Feature disabled')
                   elsif !current_user.can?(:admin_cluster, cluster)
-                    'Unauthorized'
+                    _('Unauthorized')
                   elsif configuration_project.nil?
-                    'Invalid configuration project'
+                    s_('ClusterIntegration|Invalid configuration project')
                   end
 
         error_response(message: message) if message
@@ -74,10 +76,6 @@ module Clusters
         clusterable.root_ancestor.all_projects.find_by_id(project_id)
       end
 
-      def agent_name
-        cluster.name.first(63).parameterize
-      end
-
       def feature_enabled?
         Feature.enabled?(:cluster_agent_migrations, clusterable)
       end
diff --git a/app/views/clusters/clusters/_migrate.html.haml b/app/views/clusters/clusters/_migrate.html.haml
index 1fde1179ba2..5e5711832e4 100644
--- a/app/views/clusters/clusters/_migrate.html.haml
+++ b/app/views/clusters/clusters/_migrate.html.haml
@@ -1,12 +1,72 @@
 - if can_admin_cluster?(current_user, @cluster)
-  .settings.expanded.border-0.m-0
+  - cluster_migration = @cluster.agent_migration_for_display
+
+  %h4.gl-mt-0= s_('ClusterIntegration|Migrate to GitLab Agent for Kubernetes')
+
+  - tag_pair_agent_docs = tag_pair(link_to('', help_page_path('user/clusters/agent/_index.md'), target: '_blank', rel: 'noopener noreferrer'), :agent_docs_link_start, :agent_docs_link_end)
+  - tag_pair_install_docs = tag_pair(link_to('', help_page_path('user/clusters/agent/install/_index.md'), target: '_blank', rel: 'noopener noreferrer'), :install_docs_link_start, :install_docs_link_end)
+
+  %p
+    = safe_format(s_('ClusterIntegration|The %{agent_docs_link_start}GitLab Agent for Kubernetes %{agent_docs_link_end} offers improved security, reliability, and functionality. Follow the steps below to create a new agent and migrate your existing certificate-based integration. The process is automated, but you still need to %{install_docs_link_start}install the agent%{install_docs_link_end} in your cluster.') , tag_pair_agent_docs, tag_pair_install_docs)
+    = link_to s_('ClusterIntegration|How do I migrate to the GitLab agent?'), help_page_path('user/infrastructure/clusters/migrate_to_gitlab_agent.md'), target: '_blank', rel: 'noopener noreferrer'
+
+  %h5= s_('ClusterIntegration|Step 1. Connect the agent')
+
+  - if (config = migration_alert_config(cluster_migration))
+    = render Pajamas::AlertComponent.new(title: config[:title],
+      variant: config[:variant],
+      alert_options: { class: 'gl-mb-5' }) do |c|
+      = c.with_body do
+        = config[:message]
+        - if config[:details].present?
+          = config[:details]
+        - if config[:show_help]
+          - c.with_actions do
+            = link_to s_('ClusterIntegration|Learn more about migrating to GitLab Agent'),
+              help_page_path('user/infrastructure/clusters/migrate_to_gitlab_agent.md'),
+              target: '_blank',
+              rel: 'noopener noreferrer'
+
+  - agent = cluster_migration&.agent
+  - project = cluster_migration&.project
+  - if agent.present?
+
+    %p.gl-font-bold.gl-mb-2
+      = s_('ClusterIntegration|Project name')
     %p
-      = s_('ClusterIntegration|Migrate this cluster to use the GitLab agent for Kubernetes')
-    .settings-content#migrate-section
-      .sub-section.form-group
-        %h4
-          = s_('ClusterIntegration|Migrate to the GitLab agent for Kubernetes')
-        %p
-          = s_("ClusterIntegration|This cluster integration is deprecated. To continue using this Kubernetes cluster with GitLab, you must install the agent.")
-        = render Pajamas::ButtonComponent.new(method: :post, href: clusterable.create_cluster_migration_path(@cluster)) do
-          = s_('ClusterIntegration|Install agent')
+      = link_to project.full_name, project_path(project)
+
+    %p.gl-font-bold.gl-mb-2
+      = s_('ClusterIntegration|Agent name')
+    %p
+      - agent_link_name = "#{agent.name}##{agent.id}"
+      = link_to agent_link_name, project_cluster_agent_path(project, agent.name)
+
+  - else
+    - group_id = @cluster.group.id if @cluster.group_type?
+
+    - if @cluster.project_type?
+      - group_id = @cluster.project.group.id if @cluster.project.group
+      - user_id = @cluster.project.namespace.owner_id unless group_id
+
+    = gitlab_ui_form_for cluster_migration, url: clusterable.create_cluster_migration_path(@cluster), html: { class: 'fieldset-form' }, data: { testid: 'cluster-migration-form' }, method: :post do |f|
+      .form-group{ class: 'md:gl-w-1/2' }
+        .js-vue-project-select{ data: { label: s_('ClusterIntegration|Project name'),
+            description: s_('ClusterIntegration|Select a project for the GitLab Agent.'),
+            input_name: 'cluster_migration[configuration_project_id]',
+            input_id: 'cluster_migration_configuration_project_id',
+            order_by: 'last_activity_at',
+            group_id: group_id,
+            user_id: user_id,
+            with_shared: true.to_s,
+            include_subgroups: true.to_s,
+            membership: true.to_s,
+            selected: @cluster.management_project_id } }
+
+      .form-group.-gl-mt-2{ class: 'md:gl-w-1/2' }
+        = f.label :agent_name, s_('ClusterIntegration|Agent name'), class: 'label-bold'
+        = f.text_field :agent_name, name: 'cluster_migration[agent_name]', class: 'form-control gl-form-input', placeholder: s_('ClusterIntegration|New agent name')
+        .form-text.gl-text-subtle
+          = s_('ClusterIntegration|Enter a unique name for your new GitLab Agent. This name will be used to identify the agent in your project.')
+
+      = f.submit s_('ClusterIntegration|Create agent and migrate'), pajamas_button: true
diff --git a/app/views/clusters/clusters/_migrate_tab.html.haml b/app/views/clusters/clusters/_migrate_tab.html.haml
index a817c65b492..8e3752af143 100644
--- a/app/views/clusters/clusters/_migrate_tab.html.haml
+++ b/app/views/clusters/clusters/_migrate_tab.html.haml
@@ -2,4 +2,5 @@
 
 - if Feature.enabled?(:cluster_agent_migrations, clusterable) && can_admin_cluster?(current_user, @cluster)
   = gl_tab_link_to clusterable.cluster_path(@cluster.id, params: { tab: 'migrate' }), { item_active: active } do
+    = sprite_icon('warning', css_class: 'gl-mr-2')
     = s_('ClusterIntegration|Migrate')
diff --git a/app/views/projects/commit/_signature_badge.html.haml b/app/views/projects/commit/_signature_badge.html.haml
index 0d16730ec4a..71d439c49c0 100644
--- a/app/views/projects/commit/_signature_badge.html.haml
+++ b/app/views/projects/commit/_signature_badge.html.haml
@@ -32,4 +32,4 @@
 
     = link_to(_('Learn about signing commits'), help_page_path('user/project/repository/signed_commits/_index.md'), class: 'gl-link gl-block gl-mt-3')
 
-= gl_badge_tag(label, { variant: variant, icon: icon, href: '#' }, { class: 'signature-badge gl-inline-flex gl-ml-4 gl-align-middle', role: 'button', tabindex: 0, data: { toggle: 'popover', html: 'true', placement: 'bottom', title: title, content: content } })
+= gl_badge_tag(label, { variant: variant, icon: icon, href: '#' }, { class: 'signature-badge gl-inline-flex gl-ml-4 gl-align-middle', role: 'button', tabindex: 0, data: { toggle: 'popover', html: 'true', triggers: 'click blur', placement: 'bottom', title: title, content: content} })
diff --git a/app/views/projects/commit/rapid_diffs.html.haml b/app/views/projects/commit/rapid_diffs.html.haml
index 3f66bcdff4b..4a9df13a4ad 100644
--- a/app/views/projects/commit/rapid_diffs.html.haml
+++ b/app/views/projects/commit/rapid_diffs.html.haml
@@ -11,7 +11,5 @@
 .container-fluid{ class: [container_class] }
   = render "commit_box"
   = render "ci_menu"
-  .code{ class: user_color_scheme }
-    = render RapidDiffs::DiffFileComponent.with_collection(@diffs_slice.diff_files, parallel_view: diff_view == :parallel)
-    - if @stream_url
-      #js-stream-container{ data: { diffs_stream_url: @stream_url } }
+  - args = { diffs_slice: @diffs_slice, reload_stream_url: @reload_stream_url, stream_url: @stream_url, show_whitespace: @show_whitespace_default, diff_view: @diff_view, update_user_endpoint: @update_current_user_path, metadata_endpoint: @endpoint_metadata_url }
+  = render ::RapidDiffs::AppComponent.new(**args)
diff --git a/app/workers/resource_access_tokens/inactive_tokens_deletion_cron_worker.rb b/app/workers/resource_access_tokens/inactive_tokens_deletion_cron_worker.rb
index 2a8859a4d40..c099291e042 100644
--- a/app/workers/resource_access_tokens/inactive_tokens_deletion_cron_worker.rb
+++ b/app/workers/resource_access_tokens/inactive_tokens_deletion_cron_worker.rb
@@ -27,8 +27,11 @@ module ResourceAccessTokens
                 .select(1)
                 .where('"personal_access_tokens"."user_id" = "users"."id"')
                 .and(
-                  PersonalAccessToken.expired_before(cut_off).or(PersonalAccessToken.revoked_before(cut_off))
-                    .invert_where
+                  PersonalAccessToken.active
+                    .or(
+                      PersonalAccessToken.expired_before(cut_off).or(PersonalAccessToken.revoked_before(cut_off))
+                        .invert_where
+                    )
                 )
             )
 
diff --git a/config/routes.rb b/config/routes.rb
index ae9ef248af5..c41b4ee3a6b 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -242,6 +242,8 @@ InitializerConnections.raise_if_new_database_connection do
       post '/track_namespace_visits' => 'users/namespace_visits#create'
 
       get '/external_redirect' => 'external_redirect/external_redirect#index'
+
+      post '/collect_events', to: 'event_forward/event_forward#forward', as: :event_forwarding
     end
     # End of the /-/ scope.
 
diff --git a/data/deprecations/17-9-ast-da-deprecate-cov-guided-fuzz-testing.yml b/data/deprecations/17-9-ast-da-deprecate-cov-guided-fuzz-testing.yml
new file mode 100644
index 00000000000..85420518d8a
--- /dev/null
+++ b/data/deprecations/17-9-ast-da-deprecate-cov-guided-fuzz-testing.yml
@@ -0,0 +1,24 @@
+- title: "Coverage-guided fuzz testing is deprecated"
+  removal_milestone: "19.0"
+  announcement_milestone: "18.0"
+  breaking_change: true
+  window: 1
+  reporter: mikeeddington
+  stage: application security testing
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/517841
+  impact: high
+  scope: project
+  resolution_role: Owner
+  manual_task: false
+  body: |  # (required) Don't change this line.
+    Coverage-guided fuzz testing is deprecated and will not be supported
+    from GitLab 18.0. The feature will be completely removed in GitLab 19.0.
+
+    Coverage-guided fuzz testing integrated several open-source fuzzers into GitLab.
+    If you are impacted, you can integrate your open-source fuzzers as standalone applications,
+    or migrate to another security feature like [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html).
+  end_of_support_milestone: 18.0
+  tiers: [Ultimate]
+  documentation_url: https://docs.gitlab.com/ee/user/application_security/coverage_fuzzing/
+  image_url:
+  video_url:
diff --git a/db/post_migrate/20250220004946_new_fk_for_work_item_type_custom_fields_work_item_type_id.rb b/db/post_migrate/20250220004946_new_fk_for_work_item_type_custom_fields_work_item_type_id.rb
new file mode 100644
index 00000000000..69d8feb1472
--- /dev/null
+++ b/db/post_migrate/20250220004946_new_fk_for_work_item_type_custom_fields_work_item_type_id.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+class NewFkForWorkItemTypeCustomFieldsWorkItemTypeId < Gitlab::Database::Migration[2.2]
+  disable_ddl_transaction!
+  milestone '17.10'
+
+  NEW_CONSTRAINT_NAME = 'fk_work_item_type_custom_fields_on_work_item_type_id'
+
+  def up
+    add_concurrent_foreign_key :work_item_type_custom_fields,
+      :work_item_types,
+      column: :work_item_type_id,
+      name: NEW_CONSTRAINT_NAME
+  end
+
+  def down
+    with_lock_retries do
+      remove_foreign_key_if_exists :work_item_type_custom_fields,
+        :work_item_types,
+        column: :work_item_type_id,
+        name: NEW_CONSTRAINT_NAME
+    end
+  end
+end
diff --git a/db/post_migrate/20250220005723_drop_old_fk_for_work_item_type_custom_fields_work_item_type_id.rb b/db/post_migrate/20250220005723_drop_old_fk_for_work_item_type_custom_fields_work_item_type_id.rb
new file mode 100644
index 00000000000..64633063971
--- /dev/null
+++ b/db/post_migrate/20250220005723_drop_old_fk_for_work_item_type_custom_fields_work_item_type_id.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+class DropOldFkForWorkItemTypeCustomFieldsWorkItemTypeId < Gitlab::Database::Migration[2.2]
+  disable_ddl_transaction!
+  milestone '17.10'
+
+  OLD_CONSTRAINT_NAME = 'fk_9447fad7b4'
+
+  def up
+    with_lock_retries do
+      remove_foreign_key_if_exists :work_item_type_custom_fields,
+        :work_item_types,
+        column: :work_item_type_id,
+        on_delete: :cascade,
+        name: OLD_CONSTRAINT_NAME
+    end
+  end
+
+  def down
+    add_concurrent_foreign_key :work_item_type_custom_fields,
+      :work_item_types,
+      column: :work_item_type_id,
+      target_column: :correct_id,
+      on_delete: :cascade
+  end
+end
diff --git a/db/post_migrate/20250225001149_new_fk_for_work_item_type_user_preferences_work_item_type_id.rb b/db/post_migrate/20250225001149_new_fk_for_work_item_type_user_preferences_work_item_type_id.rb
new file mode 100644
index 00000000000..38eb0fc2e0e
--- /dev/null
+++ b/db/post_migrate/20250225001149_new_fk_for_work_item_type_user_preferences_work_item_type_id.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+class NewFkForWorkItemTypeUserPreferencesWorkItemTypeId < Gitlab::Database::Migration[2.2]
+  disable_ddl_transaction!
+  milestone '17.10'
+
+  NEW_CONSTRAINT_NAME = 'fk_work_item_type_user_preferences_on_work_item_type_id'
+
+  def up
+    add_concurrent_foreign_key :work_item_type_user_preferences,
+      :work_item_types,
+      column: :work_item_type_id,
+      name: NEW_CONSTRAINT_NAME
+  end
+
+  def down
+    with_lock_retries do
+      remove_foreign_key_if_exists :work_item_type_user_preferences,
+        :work_item_types,
+        column: :work_item_type_id,
+        name: NEW_CONSTRAINT_NAME
+    end
+  end
+end
diff --git a/db/post_migrate/20250225001333_drop_old_fk_for_work_item_type_user_preferences_work_item_type_id.rb b/db/post_migrate/20250225001333_drop_old_fk_for_work_item_type_user_preferences_work_item_type_id.rb
new file mode 100644
index 00000000000..a532ed9a7fd
--- /dev/null
+++ b/db/post_migrate/20250225001333_drop_old_fk_for_work_item_type_user_preferences_work_item_type_id.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+class DropOldFkForWorkItemTypeUserPreferencesWorkItemTypeId < Gitlab::Database::Migration[2.2]
+  disable_ddl_transaction!
+  milestone '17.10'
+
+  OLD_CONSTRAINT_NAME = 'fk_79e0353950'
+
+  def up
+    with_lock_retries do
+      remove_foreign_key_if_exists :work_item_type_user_preferences,
+        :work_item_types,
+        column: :work_item_type_id,
+        on_delete: :cascade,
+        name: OLD_CONSTRAINT_NAME
+    end
+  end
+
+  def down
+    add_concurrent_foreign_key :work_item_type_user_preferences,
+      :work_item_types,
+      column: :work_item_type_id,
+      target_column: :correct_id,
+      on_delete: :cascade
+  end
+end
diff --git a/db/schema_migrations/20250220004946 b/db/schema_migrations/20250220004946
new file mode 100644
index 00000000000..2a4aa4d91ae
--- /dev/null
+++ b/db/schema_migrations/20250220004946
@@ -0,0 +1 @@
+844ab7d792599f4f2e3da9ad2bc4a182b9d15947ca703ad00f31e4602261cd3f
\ No newline at end of file
diff --git a/db/schema_migrations/20250220005723 b/db/schema_migrations/20250220005723
new file mode 100644
index 00000000000..4ac0cef4c7e
--- /dev/null
+++ b/db/schema_migrations/20250220005723
@@ -0,0 +1 @@
+50efa17bf234df2e972eeb81b4d9897b496655e79162bc6d78c9c99b7a39c259
\ No newline at end of file
diff --git a/db/schema_migrations/20250225001149 b/db/schema_migrations/20250225001149
new file mode 100644
index 00000000000..0c91be1fdb6
--- /dev/null
+++ b/db/schema_migrations/20250225001149
@@ -0,0 +1 @@
+d5b47a465e11070c8a35712609a787f695e4236d6596503ff17a32c5c1bf51d1
\ No newline at end of file
diff --git a/db/schema_migrations/20250225001333 b/db/schema_migrations/20250225001333
new file mode 100644
index 00000000000..f11623110ee
--- /dev/null
+++ b/db/schema_migrations/20250225001333
@@ -0,0 +1 @@
+e4f05e6255bed30ce5a19679fd9b5bb0652f5ef302dcdec629532be11b1c9599
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index aa95277340f..e934db46778 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -39627,9 +39627,6 @@ ALTER TABLE ONLY topics
 ALTER TABLE ONLY work_item_text_field_values
     ADD CONSTRAINT fk_79c719630f FOREIGN KEY (namespace_id) REFERENCES namespaces(id) ON DELETE CASCADE;
 
-ALTER TABLE ONLY work_item_type_user_preferences
-    ADD CONSTRAINT fk_79e0353950 FOREIGN KEY (work_item_type_id) REFERENCES work_item_types(correct_id) ON DELETE CASCADE;
-
 ALTER TABLE ONLY packages_maven_metadata
     ADD CONSTRAINT fk_7a170ee0a3 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
 
@@ -39807,9 +39804,6 @@ ALTER TABLE ONLY todos
 ALTER TABLE ONLY packages_debian_group_architectures
     ADD CONSTRAINT fk_92714bcab1 FOREIGN KEY (group_id) REFERENCES namespaces(id) ON DELETE CASCADE;
 
-ALTER TABLE ONLY work_item_type_custom_fields
-    ADD CONSTRAINT fk_9447fad7b4 FOREIGN KEY (work_item_type_id) REFERENCES work_item_types(correct_id) ON DELETE CASCADE;
-
 ALTER TABLE ONLY workspaces_agent_configs
     ADD CONSTRAINT fk_94660551c8 FOREIGN KEY (cluster_agent_id) REFERENCES cluster_agents(id) ON DELETE CASCADE;
 
@@ -42729,6 +42723,12 @@ ALTER TABLE ONLY work_item_related_link_restrictions
 ALTER TABLE ONLY work_item_related_link_restrictions
     ADD CONSTRAINT fk_work_item_related_link_restrictions_target_type_id FOREIGN KEY (target_type_id) REFERENCES work_item_types(id) ON UPDATE CASCADE ON DELETE CASCADE;
 
+ALTER TABLE ONLY work_item_type_custom_fields
+    ADD CONSTRAINT fk_work_item_type_custom_fields_on_work_item_type_id FOREIGN KEY (work_item_type_id) REFERENCES work_item_types(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY work_item_type_user_preferences
+    ADD CONSTRAINT fk_work_item_type_user_preferences_on_work_item_type_id FOREIGN KEY (work_item_type_id) REFERENCES work_item_types(id) ON DELETE CASCADE;
+
 ALTER TABLE ONLY work_item_widget_definitions
     ADD CONSTRAINT fk_work_item_widget_definitions_work_item_type_id FOREIGN KEY (work_item_type_id) REFERENCES work_item_types(id) ON UPDATE CASCADE ON DELETE CASCADE;
 
diff --git a/doc/.vale/gitlab_base/spelling-exceptions.txt b/doc/.vale/gitlab_base/spelling-exceptions.txt
index fa6505c9029..6113be00c65 100644
--- a/doc/.vale/gitlab_base/spelling-exceptions.txt
+++ b/doc/.vale/gitlab_base/spelling-exceptions.txt
@@ -74,6 +74,7 @@ Azure
 B-tree
 backfilling
 backfills
+backoff
 backport
 backported
 backporting
@@ -182,9 +183,10 @@ Coinbase
 colocate
 colocated
 colocating
+Colorama
+Command Palette
 commit's
 committer's
-Command Palette
 CommonMark
 compilable
 composable
@@ -252,6 +254,7 @@ deduplicated
 deduplicates
 deduplicating
 deduplication
+Deepin
 delegators
 deliverables
 denormalization
@@ -378,6 +381,7 @@ Flutterwave
 Flycheck
 focusable
 Forgerock
+Forky
 formatters
 Fortanix
 Fortinet
@@ -515,6 +519,7 @@ kaniko
 Karma
 Kata
 KCachegrind
+keepalive
 Kerberos
 KEV
 Keycloak
@@ -549,6 +554,7 @@ Lemmy
 libFuzzer
 Libgcrypt
 Libravatar
+LinuxMint
 liveness
 LLM
 LLMs
@@ -567,6 +573,7 @@ Lookbook
 lookups
 loopback
 LSP
+Lts
 Lua
 Lucene
 Lucidchart
@@ -650,6 +657,7 @@ nosniff
 noteable
 noteables
 npm
+NTFSSecurity
 NuGet
 nullability
 nullable
@@ -664,7 +672,6 @@ offboarding
 offboards
 OIDs
 OKRs
-OKRs
 Okta
 OLM
 OmniAuth
@@ -681,6 +688,7 @@ OSs
 OTel
 outdent
 Overcommit
+Packagecloud
 Packagist
 packfile
 packfiles
@@ -1069,6 +1077,7 @@ triaged
 triages
 triaging
 Trivy
+Trixie
 Truststore
 truthy
 Twilio
@@ -1080,6 +1089,11 @@ Ubuntu
 Udemy
 UI
 UIDs
+ulimit
+Ulyana
+Ulyssa
+Uma
+Una
 unapplied
 unapprove
 unapproved
@@ -1234,7 +1248,9 @@ worktree
 worktrees
 Worldline
 Xcode
+Xenial
 Xeon
+Xerus
 XPath
 Yandex
 YouTrack
diff --git a/doc/administration/monitoring/prometheus/gitlab_metrics.md b/doc/administration/monitoring/prometheus/gitlab_metrics.md
index 107fae76a95..c41e121ded0 100644
--- a/doc/administration/monitoring/prometheus/gitlab_metrics.md
+++ b/doc/administration/monitoring/prometheus/gitlab_metrics.md
@@ -204,7 +204,7 @@ The following metrics are available:
 | `gitlab_rack_attack_throttle_limit` | Gauge | 17.6 | Reports the maximum number of requests that a client can make before Rack Attack throttles them. | `event_name` |
 | `gitlab_rack_attack_throttle_period_seconds` | Gauge | 17.6 | Reports the duration over which requests for a client are counted before Rack Attack throttles them. | `event_name` |
 | `gitlab_application_rate_limiter_throttle_utilization_ratio` | Histogram | 17.6 | Utilization ratio of a throttle in GitLab Application Rate Limiter. | `throttle_key`, `peek`, `feature_category` |
-| `search_zoekt_task_processing_queue_size` | Gauge | 17.9 | Number of tasks waiting to be processed by Zoekt. | |
+| `search_zoekt_task_processing_queue_size` | Gauge | 17.9 | Number of tasks waiting to be processed by Zoekt. | `node_name` |
 
 ## Metrics controlled by a feature flag
 
diff --git a/doc/api/graphql/reference/_index.md b/doc/api/graphql/reference/_index.md
index 0c7f12a0641..adea4ffab6f 100644
--- a/doc/api/graphql/reference/_index.md
+++ b/doc/api/graphql/reference/_index.md
@@ -36350,6 +36350,18 @@ Returns [`String`](#string).
 | ---- | ---- | ----------- |
 | <a id="repositorycodeownerspathref"></a>`ref` | [`String`](#string) | Name of the ref. |
 
+##### `Repository.commit`
+
+Commit from the repository.
+
+Returns [`Commit`](#commit).
+
+###### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="repositorycommitref"></a>`ref` | [`String!`](#string) | Commit reference (SHA, branch name, or tag name). |
+
 ##### `Repository.paginatedTree`
 
 Paginated tree of the repository.
diff --git a/doc/ci/variables/predefined_variables.md b/doc/ci/variables/predefined_variables.md
index 838c95106e2..629dec943bd 100644
--- a/doc/ci/variables/predefined_variables.md
+++ b/doc/ci/variables/predefined_variables.md
@@ -36,132 +36,132 @@ Predefined variables become available at three different phases of pipeline exec
 
 ## Predefined variables
 
-| Variable                                        | Availability | Description                                                                                                                                                                                                                                                                                                                                                                                                                               |
-|-------------------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `CHAT_CHANNEL`                                  | Pipeline     | The Source chat channel that triggered the [ChatOps](../chatops/_index.md) command.                                                                                                                                                                                                                                                                                                                                                       |
-| `CHAT_INPUT`                                    | Pipeline     | The additional arguments passed with the [ChatOps](../chatops/_index.md) command.                                                                                                                                                                                                                                                                                                                                                         |
-| `CHAT_USER_ID`                                  | Pipeline     | The chat service's user ID of the user who triggered the [ChatOps](../chatops/_index.md) command.                                                                                                                                                                                                                                                                                                                                         |
-| `CI`                                            | Pre-pipeline | Available for all jobs executed in CI/CD. `true` when available.                                                                                                                                                                                                                                                                                                                                                                          |
-| `CI_API_V4_URL`                                 | Pre-pipeline | The GitLab API v4 root URL.                                                                                                                                                                                                                                                                                                                                                                                                               |
-| `CI_API_GRAPHQL_URL`                            | Pre-pipeline | The GitLab API GraphQL root URL. Introduced in GitLab 15.11.                                                                                                                                                                                                                                                                                                                                                                              |
-| `CI_BUILDS_DIR`                                 | Job-only     | The top-level directory where builds are executed.                                                                                                                                                                                                                                                                                                                                                                                        |
-| `CI_COMMIT_AUTHOR`                              | Pre-pipeline | The author of the commit in `Name <email>` format.                                                                                                                                                                                                                                                                                                                                                                                        |
-| `CI_COMMIT_BEFORE_SHA`                          | Pre-pipeline | The previous latest commit present on a branch or tag. Is always `0000000000000000000000000000000000000000` for merge request pipelines, the first commit in pipelines for branches or tags, or when manually running a pipeline.                                                                                                                                                                                                         |
-| `CI_COMMIT_BRANCH`                              | Pre-pipeline | The commit branch name. Available in branch pipelines, including pipelines for the default branch. Not available in merge request pipelines or tag pipelines.                                                                                                                                                                                                                                                                             |
-| `CI_COMMIT_DESCRIPTION`                         | Pre-pipeline | The description of the commit. If the title is shorter than 100 characters, the message without the first line.                                                                                                                                                                                                                                                                                                                           |
-| `CI_COMMIT_MESSAGE`                             | Pre-pipeline | The full commit message.                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| `CI_COMMIT_REF_NAME`                            | Pre-pipeline | The branch or tag name for which project is built.                                                                                                                                                                                                                                                                                                                                                                                        |
-| `CI_COMMIT_REF_PROTECTED`                       | Pre-pipeline | `true` if the job is running for a protected reference, `false` otherwise.                                                                                                                                                                                                                                                                                                                                                                |
-| `CI_COMMIT_REF_SLUG`                            | Pre-pipeline | `CI_COMMIT_REF_NAME` in lowercase, shortened to 63 bytes, and with everything except `0-9` and `a-z` replaced with `-`. No leading / trailing `-`. Use in URLs, host names and domain names.                                                                                                                                                                                                                                              |
-| `CI_COMMIT_SHA`                                 | Pre-pipeline | The commit revision the project is built for.                                                                                                                                                                                                                                                                                                                                                                                             |
-| `CI_COMMIT_SHORT_SHA`                           | Pre-pipeline | The first eight characters of `CI_COMMIT_SHA`.                                                                                                                                                                                                                                                                                                                                                                                            |
-| `CI_COMMIT_TAG`                                 | Pre-pipeline | The commit tag name. Available only in pipelines for tags.                                                                                                                                                                                                                                                                                                                                                                                |
-| `CI_COMMIT_TAG_MESSAGE`                         | Pre-pipeline | The commit tag message. Available only in pipelines for tags. Introduced in GitLab 15.5.                                                                                                                                                                                                                                                                                                                                                  |
-| `CI_COMMIT_TIMESTAMP`                           | Pre-pipeline | The timestamp of the commit in the [ISO 8601](https://www.rfc-editor.org/rfc/rfc3339#appendix-A) format. For example, `2022-01-31T16:47:55Z`. [UTC by default](../../administration/timezone.md).                                                                                                                                                                                                                                         |
-| `CI_COMMIT_TITLE`                               | Pre-pipeline | The title of the commit. The full first line of the message.                                                                                                                                                                                                                                                                                                                                                                              |
-| `CI_CONCURRENT_ID`                              | Job-only     | The unique ID of build execution in a single executor.                                                                                                                                                                                                                                                                                                                                                                                    |
-| `CI_CONCURRENT_PROJECT_ID`                      | Job-only     | The unique ID of build execution in a single executor and project.                                                                                                                                                                                                                                                                                                                                                                        |
-| `CI_CONFIG_PATH`                                | Pre-pipeline | The path to the CI/CD configuration file. Defaults to `.gitlab-ci.yml`.                                                                                                                                                                                                                                                                                                                                                                   |
-| `CI_DEBUG_TRACE`                                | Pipeline     | `true` if [debug logging (tracing)](_index.md#enable-debug-logging) is enabled.                                                                                                                                                                                                                                                                                                                                                            |
-| `CI_DEBUG_SERVICES`                             | Pipeline     | `true` if [service container logging](../services/_index.md#capturing-service-container-logs) is enabled. Introduced in GitLab 15.7. Requires GitLab Runner 15.7.                                                                                                                                                                                                                                                                         |
-| `CI_DEFAULT_BRANCH`                             | Pre-pipeline | The name of the project's default branch.                                                                                                                                                                                                                                                                                                                                                                                                 |
-| `CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX` | Pre-pipeline | The direct group image prefix for pulling images through the Dependency Proxy.                                                                                                                                                                                                                                                                                                                                                            |
-| `CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX`        | Pre-pipeline | The top-level group image prefix for pulling images through the Dependency Proxy.                                                                                                                                                                                                                                                                                                                                                         |
-| `CI_DEPENDENCY_PROXY_PASSWORD`                  | Pipeline     | The password to pull images through the Dependency Proxy.                                                                                                                                                                                                                                                                                                                                                                                 |
-| `CI_DEPENDENCY_PROXY_SERVER`                    | Pre-pipeline | The server for logging in to the Dependency Proxy. This variable is equivalent to `$CI_SERVER_HOST:$CI_SERVER_PORT`.                                                                                                                                                                                                                                                                                                                      |
-| `CI_DEPENDENCY_PROXY_USER`                      | Pipeline     | The username to pull images through the Dependency Proxy.                                                                                                                                                                                                                                                                                                                                                                                 |
-| `CI_DEPLOY_FREEZE`                              | Pre-pipeline | Only available if the pipeline runs during a [deploy freeze window](../../user/project/releases/_index.md#prevent-unintentional-releases-by-setting-a-deploy-freeze). `true` when available.                                                                                                                                                                                                                                               |
-| `CI_DEPLOY_PASSWORD`                            | Job-only     | The authentication password of the [GitLab Deploy Token](../../user/project/deploy_tokens/_index.md#gitlab-deploy-token), if the project has one.                                                                                                                                                                                                                                                                                          |
-| `CI_DEPLOY_USER`                                | Job-only     | The authentication username of the [GitLab Deploy Token](../../user/project/deploy_tokens/_index.md#gitlab-deploy-token), if the project has one.                                                                                                                                                                                                                                                                                          |
-| `CI_DISPOSABLE_ENVIRONMENT`                     | Pipeline     | Only available if the job is executed in a disposable environment (something that is created only for this job and disposed of/destroyed after the execution - all executors except `shell` and `ssh`). `true` when available.                                                                                                                                                                                                            |
-| `CI_ENVIRONMENT_NAME`                           | Pipeline     | The name of the environment for this job. Available if [`environment:name`](../yaml/_index.md#environmentname) is set.                                                                                                                                                                                                                                                                                                                     |
-| `CI_ENVIRONMENT_SLUG`                           | Pipeline     | The simplified version of the environment name, suitable for inclusion in DNS, URLs, Kubernetes labels, and so on. Available if [`environment:name`](../yaml/_index.md#environmentname) is set. The slug is [truncated to 24 characters](https://gitlab.com/gitlab-org/gitlab/-/issues/20941). A random suffix is automatically added to [uppercase environment names](https://gitlab.com/gitlab-org/gitlab/-/issues/415526).              |
-| `CI_ENVIRONMENT_URL`                            | Pipeline     | The URL of the environment for this job. Available if [`environment:url`](../yaml/_index.md#environmenturl) is set.                                                                                                                                                                                                                                                                                                                        |
-| `CI_ENVIRONMENT_ACTION`                         | Pipeline     | The action annotation specified for this job's environment. Available if [`environment:action`](../yaml/_index.md#environmentaction) is set. Can be `start`, `prepare`, or `stop`.                                                                                                                                                                                                                                                         |
-| `CI_ENVIRONMENT_TIER`                           | Pipeline     | The [deployment tier of the environment](../environments/_index.md#deployment-tier-of-environments) for this job.                                                                                                                                                                                                                                                                                                                          |
-| `CI_GITLAB_FIPS_MODE`                           | Pre-pipeline | Only available if [FIPS mode](../../development/fips_gitlab.md) is enabled in the GitLab instance. `true` when available.                                                                                                                                                                                                                                                                                                             |
-| `CI_HAS_OPEN_REQUIREMENTS`                      | Pipeline     | Only available if the pipeline's project has an open [requirement](../../user/project/requirements/_index.md). `true` when available.                                                                                                                                                                                                                                                                                                      |
-| `CI_JOB_ID`                                     | Job-only     | The internal ID of the job, unique across all jobs in the GitLab instance.                                                                                                                                                                                                                                                                                                                                                                |
-| `CI_JOB_IMAGE`                                  | Pipeline     | The name of the Docker image running the job.                                                                                                                                                                                                                                                                                                                                                                                             |
-| `CI_JOB_MANUAL`                                 | Pipeline     | Only available if the job was started manually. `true` when available.                                                                                                                                                                                                                                                                                                                                                                    |
-| `CI_JOB_NAME`                                   | Pipeline     | The name of the job.                                                                                                                                                                                                                                                                                                                                                                                                                      |
-| `CI_JOB_NAME_SLUG`                              | Pipeline     | `CI_JOB_NAME` in lowercase, shortened to 63 bytes, and with everything except `0-9` and `a-z` replaced with `-`. No leading / trailing `-`. Use in paths. Introduced in GitLab 15.4.                                                                                                                                                                                                                                                      |
-| `CI_JOB_STAGE`                                  | Pipeline     | The name of the job's stage.                                                                                                                                                                                                                                                                                                                                                                                                              |
-| `CI_JOB_STATUS`                                 | Job-only     | The status of the job as each runner stage is executed. Use with [`after_script`](../yaml/_index.md#after_script). Can be `success`, `failed`, or `canceled`.                                                                                                                                                                                                                                                                              |
-| `CI_JOB_TIMEOUT`                                | Job-only     | The job timeout, in seconds. Introduced in GitLab 15.7. Requires GitLab Runner 15.7.                                                                                                                                                                                                                                                                                                                                                      |
-| `CI_JOB_TOKEN`                                  | Job-only     | A token to authenticate with [certain API endpoints](../jobs/ci_job_token.md). The token is valid as long as the job is running.                                                                                                                                                                                                                                                                                                          |
-| `CI_JOB_URL`                                    | Job-only     | The job details URL.                                                                                                                                                                                                                                                                                                                                                                                                                      |
-| `CI_JOB_STARTED_AT`                             | Job-only     | The date and time when a job started, in [ISO 8601](https://www.rfc-editor.org/rfc/rfc3339#appendix-A) format. For example, `2022-01-31T16:47:55Z`. [UTC by default](../../administration/timezone.md).                                                                                                                                                                                                                                   |
-| `CI_KUBERNETES_ACTIVE`                          | Pre-pipeline | Only available if the pipeline has a Kubernetes cluster available for deployments. `true` when available.                                                                                                                                                                                                                                                                                                                                 |
-| `CI_NODE_INDEX`                                 | Pipeline     | The index of the job in the job set. Only available if the job uses [`parallel`](../yaml/_index.md#parallel).                                                                                                                                                                                                                                                                                                                              |
-| `CI_NODE_TOTAL`                                 | Pipeline     | The total number of instances of this job running in parallel. Set to `1` if the job does not use [`parallel`](../yaml/_index.md#parallel).                                                                                                                                                                                                                                                                                                |
-| `CI_OPEN_MERGE_REQUESTS`                        | Pre-pipeline | A comma-separated list of up to four merge requests that use the current branch and project as the merge request source. Only available in branch and merge request pipelines if the branch has an associated merge request. For example, `gitlab-org/gitlab!333,gitlab-org/gitlab-foss!11`.                                                                                                                                              |
-| `CI_PAGES_DOMAIN`                               | Pre-pipeline | The instance's domain that hosts GitLab Pages, not including the namespace subdomain. To use the full hostname, use `CI_PAGES_HOSTNAME` instead.                                                                                                                                                                                                                                                                                          |
-| `CI_PAGES_HOSTNAME`                             | Job-only     | The full hostname of the Pages deployment.                                                                                                                                                                                                                                                                                                                                                                                                |
-| `CI_PAGES_URL`                                  | Job-only     | The URL for a GitLab Pages site. Always a subdomain of `CI_PAGES_DOMAIN`. In GitLab 17.9 and later, the value includes the `path_prefix` when one is specified.                                                                                                                                                                                                                                                                            |
-| `CI_PIPELINE_ID`                                | Job-only     | The instance-level ID of the current pipeline. This ID is unique across all projects on the GitLab instance.                                                                                                                                                                                                                                                                                                                              |
-| `CI_PIPELINE_IID`                               | Pipeline     | The project-level IID (internal ID) of the current pipeline. This ID is unique only in the current project.                                                                                                                                                                                                                                                                                                                               |
-| `CI_PIPELINE_SOURCE`                            | Pre-pipeline | How the pipeline was triggered. The value can be one of the [pipeline sources](../jobs/job_rules.md#ci_pipeline_source-predefined-variable).                                                                                                                                                                                                                                                                                              |
-| `CI_PIPELINE_TRIGGERED`                         | Pipeline     | `true` if the job was [triggered](../triggers/_index.md).                                                                                                                                                                                                                                                                                                                                                                                  |
-| `CI_PIPELINE_URL`                               | Job-only     | The URL for the pipeline details.                                                                                                                                                                                                                                                                                                                                                                                                         |
-| `CI_PIPELINE_CREATED_AT`                        | Pre-pipeline | The date and time when the pipeline was created, in [ISO 8601](https://www.rfc-editor.org/rfc/rfc3339#appendix-A) format. For example, `2022-01-31T16:47:55Z`. [UTC by default](../../administration/timezone.md).                                                                                                                                                                                                                        |
-| `CI_PIPELINE_NAME`                              | Pre-pipeline | The pipeline name defined in [`workflow:name`](../yaml/_index.md#workflowname). Introduced in GitLab 16.3.                                                                                                                                                                                                                                                                                                                                 |
-| `CI_PIPELINE_SCHEDULE_DESCRIPTION`              | Pre-pipeline | The description of the pipeline schedule. Only available in scheduled pipelines. Introduced in GitLab 17.8.                                                                                                                                                                                                                                                                                                                               |
-| `CI_PROJECT_DIR`                                | Job-only     | The full path the repository is cloned to, and where the job runs from. If the GitLab Runner `builds_dir` parameter is set, this variable is set relative to the value of `builds_dir`. For more information, see the [Advanced GitLab Runner configuration](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section).                                                                               |
-| `CI_PROJECT_ID`                                 | Pre-pipeline | The ID of the current project. This ID is unique across all projects on the GitLab instance.                                                                                                                                                                                                                                                                                                                                              |
-| `CI_PROJECT_NAME`                               | Pre-pipeline | The name of the directory for the project. For example if the project URL is `gitlab.example.com/group-name/project-1`, `CI_PROJECT_NAME` is `project-1`.                                                                                                                                                                                                                                                                                 |
-| `CI_PROJECT_NAMESPACE`                          | Pre-pipeline | The project namespace (username or group name) of the job.                                                                                                                                                                                                                                                                                                                                                                                |
-| `CI_PROJECT_NAMESPACE_ID`                       | Pre-pipeline | The project namespace ID of the job. Introduced in GitLab 15.7.                                                                                                                                                                                                                                                                                                                                                                           |
-| `CI_PROJECT_PATH_SLUG`                          | Pre-pipeline | `$CI_PROJECT_PATH` in lowercase with characters that are not `a-z` or `0-9` replaced with `-` and shortened to 63 bytes. Use in URLs and domain names.                                                                                                                                                                                                                                                                                    |
-| `CI_PROJECT_PATH`                               | Pre-pipeline | The project namespace with the project name included.                                                                                                                                                                                                                                                                                                                                                                                     |
-| `CI_PROJECT_REPOSITORY_LANGUAGES`               | Pre-pipeline | A comma-separated, lowercase list of the languages used in the repository. For example `ruby,javascript,html,css`. The maximum number of languages is limited to 5. An issue [proposes to increase the limit](https://gitlab.com/gitlab-org/gitlab/-/issues/368925).                                                                                                                                                                      |
-| `CI_PROJECT_ROOT_NAMESPACE`                     | Pre-pipeline | The root project namespace (username or group name) of the job. For example, if `CI_PROJECT_NAMESPACE` is `root-group/child-group/grandchild-group`, `CI_PROJECT_ROOT_NAMESPACE` is `root-group`.                                                                                                                                                                                                                                         |
-| `CI_PROJECT_TITLE`                              | Pre-pipeline | The human-readable project name as displayed in the GitLab web interface.                                                                                                                                                                                                                                                                                                                                                                 |
-| `CI_PROJECT_DESCRIPTION`                        | Pre-pipeline | The project description as displayed in the GitLab web interface. Introduced in GitLab 15.1.                                                                                                                                                                                                                                                                                                                                              |
-| `CI_PROJECT_URL`                                | Pre-pipeline | The HTTP(S) address of the project.                                                                                                                                                                                                                                                                                                                                                                                                       |
-| `CI_PROJECT_VISIBILITY`                         | Pre-pipeline | The project visibility. Can be `internal`, `private`, or `public`.                                                                                                                                                                                                                                                                                                                                                                        |
-| `CI_PROJECT_CLASSIFICATION_LABEL`               | Pre-pipeline | The project [external authorization classification label](../../administration/settings/external_authorization.md).                                                                                                                                                                                                                                                                                                                       |
-| `CI_REGISTRY`                                   | Pre-pipeline | Address of the [container registry](../../user/packages/container_registry/_index.md) server, formatted as `<host>[:<port>]`. For example: `registry.gitlab.example.com`. Only available if the container registry is enabled for the GitLab instance.                                                                                                                                                                                     |
+| Variable                                        | Availability | Description |
+|-------------------------------------------------|--------------|-------------|
+| `CHAT_CHANNEL`                                  | Pipeline     | The Source chat channel that triggered the [ChatOps](../chatops/_index.md) command. |
+| `CHAT_INPUT`                                    | Pipeline     | The additional arguments passed with the [ChatOps](../chatops/_index.md) command. |
+| `CHAT_USER_ID`                                  | Pipeline     | The chat service's user ID of the user who triggered the [ChatOps](../chatops/_index.md) command. |
+| `CI`                                            | Pre-pipeline | Available for all jobs executed in CI/CD. `true` when available. |
+| `CI_API_V4_URL`                                 | Pre-pipeline | The GitLab API v4 root URL. |
+| `CI_API_GRAPHQL_URL`                            | Pre-pipeline | The GitLab API GraphQL root URL. Introduced in GitLab 15.11. |
+| `CI_BUILDS_DIR`                                 | Job-only     | The top-level directory where builds are executed. |
+| `CI_COMMIT_AUTHOR`                              | Pre-pipeline | The author of the commit in `Name <email>` format. |
+| `CI_COMMIT_BEFORE_SHA`                          | Pre-pipeline | The previous latest commit present on a branch or tag. Is always `0000000000000000000000000000000000000000` for merge request pipelines, the first commit in pipelines for branches or tags, or when manually running a pipeline. |
+| `CI_COMMIT_BRANCH`                              | Pre-pipeline | The commit branch name. Available in branch pipelines, including pipelines for the default branch. Not available in merge request pipelines or tag pipelines. |
+| `CI_COMMIT_DESCRIPTION`                         | Pre-pipeline | The description of the commit. If the title is shorter than 100 characters, the message without the first line. |
+| `CI_COMMIT_MESSAGE`                             | Pre-pipeline | The full commit message. |
+| `CI_COMMIT_REF_NAME`                            | Pre-pipeline | The branch or tag name for which project is built. |
+| `CI_COMMIT_REF_PROTECTED`                       | Pre-pipeline | `true` if the job is running for a protected reference, `false` otherwise. |
+| `CI_COMMIT_REF_SLUG`                            | Pre-pipeline | `CI_COMMIT_REF_NAME` in lowercase, shortened to 63 bytes, and with everything except `0-9` and `a-z` replaced with `-`. No leading / trailing `-`. Use in URLs, host names and domain names. |
+| `CI_COMMIT_SHA`                                 | Pre-pipeline | The commit revision the project is built for. |
+| `CI_COMMIT_SHORT_SHA`                           | Pre-pipeline | The first eight characters of `CI_COMMIT_SHA`. |
+| `CI_COMMIT_TAG`                                 | Pre-pipeline | The commit tag name. Available only in pipelines for tags. |
+| `CI_COMMIT_TAG_MESSAGE`                         | Pre-pipeline | The commit tag message. Available only in pipelines for tags. Introduced in GitLab 15.5. |
+| `CI_COMMIT_TIMESTAMP`                           | Pre-pipeline | The timestamp of the commit in the [ISO 8601](https://www.rfc-editor.org/rfc/rfc3339#appendix-A) format. For example, `2022-01-31T16:47:55Z`. [UTC by default](../../administration/timezone.md). |
+| `CI_COMMIT_TITLE`                               | Pre-pipeline | The title of the commit. The full first line of the message. |
+| `CI_CONCURRENT_ID`                              | Job-only     | The unique ID of build execution in a single executor. |
+| `CI_CONCURRENT_PROJECT_ID`                      | Job-only     | The unique ID of build execution in a single executor and project. |
+| `CI_CONFIG_PATH`                                | Pre-pipeline | The path to the CI/CD configuration file. Defaults to `.gitlab-ci.yml`. |
+| `CI_DEBUG_TRACE`                                | Pipeline     | `true` if [debug logging (tracing)](_index.md#enable-debug-logging) is enabled. |
+| `CI_DEBUG_SERVICES`                             | Pipeline     | `true` if [service container logging](../services/_index.md#capturing-service-container-logs) is enabled. Introduced in GitLab 15.7. Requires GitLab Runner 15.7. |
+| `CI_DEFAULT_BRANCH`                             | Pre-pipeline | The name of the project's default branch. |
+| `CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX` | Pre-pipeline | The direct group image prefix for pulling images through the Dependency Proxy. |
+| `CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX`        | Pre-pipeline | The top-level group image prefix for pulling images through the Dependency Proxy. |
+| `CI_DEPENDENCY_PROXY_PASSWORD`                  | Pipeline     | The password to pull images through the Dependency Proxy. |
+| `CI_DEPENDENCY_PROXY_SERVER`                    | Pre-pipeline | The server for logging in to the Dependency Proxy. This variable is equivalent to `$CI_SERVER_HOST:$CI_SERVER_PORT`. |
+| `CI_DEPENDENCY_PROXY_USER`                      | Pipeline     | The username to pull images through the Dependency Proxy. |
+| `CI_DEPLOY_FREEZE`                              | Pre-pipeline | Only available if the pipeline runs during a [deploy freeze window](../../user/project/releases/_index.md#prevent-unintentional-releases-by-setting-a-deploy-freeze). `true` when available. |
+| `CI_DEPLOY_PASSWORD`                            | Job-only     | The authentication password of the [GitLab Deploy Token](../../user/project/deploy_tokens/_index.md#gitlab-deploy-token), if the project has one. |
+| `CI_DEPLOY_USER`                                | Job-only     | The authentication username of the [GitLab Deploy Token](../../user/project/deploy_tokens/_index.md#gitlab-deploy-token), if the project has one. |
+| `CI_DISPOSABLE_ENVIRONMENT`                     | Pipeline     | Only available if the job is executed in a disposable environment (something that is created only for this job and disposed of/destroyed after the execution - all executors except `shell` and `ssh`). `true` when available. |
+| `CI_ENVIRONMENT_NAME`                           | Pipeline     | The name of the environment for this job. Available if [`environment:name`](../yaml/_index.md#environmentname) is set. |
+| `CI_ENVIRONMENT_SLUG`                           | Pipeline     | The simplified version of the environment name, suitable for inclusion in DNS, URLs, Kubernetes labels, and so on. Available if [`environment:name`](../yaml/_index.md#environmentname) is set. The slug is [truncated to 24 characters](https://gitlab.com/gitlab-org/gitlab/-/issues/20941). A random suffix is automatically added to [uppercase environment names](https://gitlab.com/gitlab-org/gitlab/-/issues/415526). |
+| `CI_ENVIRONMENT_URL`                            | Pipeline     | The URL of the environment for this job. Available if [`environment:url`](../yaml/_index.md#environmenturl) is set. |
+| `CI_ENVIRONMENT_ACTION`                         | Pipeline     | The action annotation specified for this job's environment. Available if [`environment:action`](../yaml/_index.md#environmentaction) is set. Can be `start`, `prepare`, or `stop`. |
+| `CI_ENVIRONMENT_TIER`                           | Pipeline     | The [deployment tier of the environment](../environments/_index.md#deployment-tier-of-environments) for this job. |
+| `CI_GITLAB_FIPS_MODE`                           | Pre-pipeline | Only available if [FIPS mode](../../development/fips_gitlab.md) is enabled in the GitLab instance. `true` when available. |
+| `CI_HAS_OPEN_REQUIREMENTS`                      | Pipeline     | Only available if the pipeline's project has an open [requirement](../../user/project/requirements/_index.md). `true` when available. |
+| `CI_JOB_ID`                                     | Job-only     | The internal ID of the job, unique across all jobs in the GitLab instance. |
+| `CI_JOB_IMAGE`                                  | Pipeline     | The name of the Docker image running the job. |
+| `CI_JOB_MANUAL`                                 | Pipeline     | Only available if the job was started manually. `true` when available. |
+| `CI_JOB_NAME`                                   | Pipeline     | The name of the job. |
+| `CI_JOB_NAME_SLUG`                              | Pipeline     | `CI_JOB_NAME` in lowercase, shortened to 63 bytes, and with everything except `0-9` and `a-z` replaced with `-`. No leading / trailing `-`. Use in paths. Introduced in GitLab 15.4. |
+| `CI_JOB_STAGE`                                  | Pipeline     | The name of the job's stage. |
+| `CI_JOB_STATUS`                                 | Job-only     | The status of the job as each runner stage is executed. Use with [`after_script`](../yaml/_index.md#after_script). Can be `success`, `failed`, or `canceled`. |
+| `CI_JOB_TIMEOUT`                                | Job-only     | The job timeout, in seconds. Introduced in GitLab 15.7. Requires GitLab Runner 15.7. |
+| `CI_JOB_TOKEN`                                  | Job-only     | A token to authenticate with [certain API endpoints](../jobs/ci_job_token.md). The token is valid as long as the job is running. |
+| `CI_JOB_URL`                                    | Job-only     | The job details URL. |
+| `CI_JOB_STARTED_AT`                             | Job-only     | The date and time when a job started, in [ISO 8601](https://www.rfc-editor.org/rfc/rfc3339#appendix-A) format. For example, `2022-01-31T16:47:55Z`. [UTC by default](../../administration/timezone.md). |
+| `CI_KUBERNETES_ACTIVE`                          | Pre-pipeline | Only available if the pipeline has a Kubernetes cluster available for deployments. `true` when available. |
+| `CI_NODE_INDEX`                                 | Pipeline     | The index of the job in the job set. Only available if the job uses [`parallel`](../yaml/_index.md#parallel). |
+| `CI_NODE_TOTAL`                                 | Pipeline     | The total number of instances of this job running in parallel. Set to `1` if the job does not use [`parallel`](../yaml/_index.md#parallel). |
+| `CI_OPEN_MERGE_REQUESTS`                        | Pre-pipeline | A comma-separated list of up to four merge requests that use the current branch and project as the merge request source. Only available in branch and merge request pipelines if the branch has an associated merge request. For example, `gitlab-org/gitlab!333,gitlab-org/gitlab-foss!11`. |
+| `CI_PAGES_DOMAIN`                               | Pre-pipeline | The instance's domain that hosts GitLab Pages, not including the namespace subdomain. To use the full hostname, use `CI_PAGES_HOSTNAME` instead. |
+| `CI_PAGES_HOSTNAME`                             | Job-only     | The full hostname of the Pages deployment. |
+| `CI_PAGES_URL`                                  | Job-only     | The URL for a GitLab Pages site. Always a subdomain of `CI_PAGES_DOMAIN`. In GitLab 17.9 and later, the value includes the `path_prefix` when one is specified. |
+| `CI_PIPELINE_ID`                                | Job-only     | The instance-level ID of the current pipeline. This ID is unique across all projects on the GitLab instance. |
+| `CI_PIPELINE_IID`                               | Pipeline     | The project-level IID (internal ID) of the current pipeline. This ID is unique only in the current project. |
+| `CI_PIPELINE_SOURCE`                            | Pre-pipeline | How the pipeline was triggered. The value can be one of the [pipeline sources](../jobs/job_rules.md#ci_pipeline_source-predefined-variable). |
+| `CI_PIPELINE_TRIGGERED`                         | Pipeline     | `true` if the job was [triggered](../triggers/_index.md). |
+| `CI_PIPELINE_URL`                               | Job-only     | The URL for the pipeline details. |
+| `CI_PIPELINE_CREATED_AT`                        | Pre-pipeline | The date and time when the pipeline was created, in [ISO 8601](https://www.rfc-editor.org/rfc/rfc3339#appendix-A) format. For example, `2022-01-31T16:47:55Z`. [UTC by default](../../administration/timezone.md). |
+| `CI_PIPELINE_NAME`                              | Pre-pipeline | The pipeline name defined in [`workflow:name`](../yaml/_index.md#workflowname). Introduced in GitLab 16.3. |
+| `CI_PIPELINE_SCHEDULE_DESCRIPTION`              | Pre-pipeline | The description of the pipeline schedule. Only available in scheduled pipelines. Introduced in GitLab 17.8. |
+| `CI_PROJECT_DIR`                                | Job-only     | The full path the repository is cloned to, and where the job runs from. If the GitLab Runner `builds_dir` parameter is set, this variable is set relative to the value of `builds_dir`. For more information, see the [Advanced GitLab Runner configuration](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section). |
+| `CI_PROJECT_ID`                                 | Pre-pipeline | The ID of the current project. This ID is unique across all projects on the GitLab instance. |
+| `CI_PROJECT_NAME`                               | Pre-pipeline | The name of the directory for the project. For example if the project URL is `gitlab.example.com/group-name/project-1`, `CI_PROJECT_NAME` is `project-1`. |
+| `CI_PROJECT_NAMESPACE`                          | Pre-pipeline | The project namespace (username or group name) of the job. |
+| `CI_PROJECT_NAMESPACE_ID`                       | Pre-pipeline | The project namespace ID of the job. Introduced in GitLab 15.7. |
+| `CI_PROJECT_PATH_SLUG`                          | Pre-pipeline | `$CI_PROJECT_PATH` in lowercase with characters that are not `a-z` or `0-9` replaced with `-` and shortened to 63 bytes. Use in URLs and domain names. |
+| `CI_PROJECT_PATH`                               | Pre-pipeline | The project namespace with the project name included. |
+| `CI_PROJECT_REPOSITORY_LANGUAGES`               | Pre-pipeline | A comma-separated, lowercase list of the languages used in the repository. For example `ruby,javascript,html,css`. The maximum number of languages is limited to 5. An issue [proposes to increase the limit](https://gitlab.com/gitlab-org/gitlab/-/issues/368925). |
+| `CI_PROJECT_ROOT_NAMESPACE`                     | Pre-pipeline | The root project namespace (username or group name) of the job. For example, if `CI_PROJECT_NAMESPACE` is `root-group/child-group/grandchild-group`, `CI_PROJECT_ROOT_NAMESPACE` is `root-group`. |
+| `CI_PROJECT_TITLE`                              | Pre-pipeline | The human-readable project name as displayed in the GitLab web interface. |
+| `CI_PROJECT_DESCRIPTION`                        | Pre-pipeline | The project description as displayed in the GitLab web interface. Introduced in GitLab 15.1. |
+| `CI_PROJECT_URL`                                | Pre-pipeline | The HTTP(S) address of the project. |
+| `CI_PROJECT_VISIBILITY`                         | Pre-pipeline | The project visibility. Can be `internal`, `private`, or `public`. |
+| `CI_PROJECT_CLASSIFICATION_LABEL`               | Pre-pipeline | The project [external authorization classification label](../../administration/settings/external_authorization.md). |
+| `CI_REGISTRY`                                   | Pre-pipeline | Address of the [container registry](../../user/packages/container_registry/_index.md) server, formatted as `<host>[:<port>]`. For example: `registry.gitlab.example.com`. Only available if the container registry is enabled for the GitLab instance. |
 | `CI_REGISTRY_IMAGE`                             | Pre-pipeline | Base address for the container registry to push, pull, or tag project's images, formatted as `<host>[:<port>]/<project_full_path>`. For example: `registry.gitlab.example.com/my_group/my_project`. Image names must follow the [container registry naming convention](../../user/packages/container_registry/_index.md#naming-convention-for-your-container-images). Only available if the container registry is enabled for the project. |
-| `CI_REGISTRY_PASSWORD`                          | Job-only     | The password to push containers to the GitLab project's container registry. Only available if the container registry is enabled for the project. This password value is the same as the `CI_JOB_TOKEN` and is valid only as long as the job is running. Use the `CI_DEPLOY_PASSWORD` for long-lived access to the registry                                                                                                                |
-| `CI_REGISTRY_USER`                              | Job-only     | The username to push containers to the project's GitLab container registry. Only available if the container registry is enabled for the project.                                                                                                                                                                                                                                                                                          |
-| `CI_RELEASE_DESCRIPTION`                        | Pipeline     | The description of the release. Available only on pipelines for tags. Description length is limited to first 1024 characters. Introduced in GitLab 15.5.                                                                                                                                                                                                                                                                                  |
-| `CI_REPOSITORY_URL`                             | Job-only     | The full path to Git clone (HTTP) the repository with a [CI/CD job token](../jobs/ci_job_token.md), in the format `https://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.example.com/my-group/my-project.git`.                                                                                                                                                                                                                                     |
-| `CI_RUNNER_DESCRIPTION`                         | Job-only     | The description of the runner.                                                                                                                                                                                                                                                                                                                                                                                                            |
-| `CI_RUNNER_EXECUTABLE_ARCH`                     | Job-only     | The OS/architecture of the GitLab Runner executable. Might not be the same as the environment of the executor.                                                                                                                                                                                                                                                                                                                            |
-| `CI_RUNNER_ID`                                  | Job-only     | The unique ID of the runner being used.                                                                                                                                                                                                                                                                                                                                                                                                   |
-| `CI_RUNNER_REVISION`                            | Job-only     | The revision of the runner running the job.                                                                                                                                                                                                                                                                                                                                                                                               |
-| `CI_RUNNER_SHORT_TOKEN`                         | Job-only     | The runner's unique ID, used to authenticate new job requests. The token contains a prefix, and the first 17 characters are used.                                                                                                                                                                                                                                                                                                         |
-| `CI_RUNNER_TAGS`                                | Job-only     | A JSON array of runner tags. For example `["tag_1", "tag_2"]`.                                                                                                                                                                                                                                                                                                                                                                                                |
-| `CI_RUNNER_VERSION`                             | Job-only     | The version of the GitLab Runner running the job.                                                                                                                                                                                                                                                                                                                                                                                         |
-| `CI_SERVER_FQDN`                                | Pre-pipeline | The fully qualified domain name (FQDN) of the instance. For example `gitlab.example.com:8080`. Introduced in GitLab 16.10.                                                                                                                                                                                                                                                                                                                |
-| `CI_SERVER_HOST`                                | Pre-pipeline | The host of the GitLab instance URL, without protocol or port. For example `gitlab.example.com`.                                                                                                                                                                                                                                                                                                                                          |
-| `CI_SERVER_NAME`                                | Pre-pipeline | The name of CI/CD server that coordinates jobs.                                                                                                                                                                                                                                                                                                                                                                                           |
-| `CI_SERVER_PORT`                                | Pre-pipeline | The port of the GitLab instance URL, without host or protocol. For example `8080`.                                                                                                                                                                                                                                                                                                                                                        |
-| `CI_SERVER_PROTOCOL`                            | Pre-pipeline | The protocol of the GitLab instance URL, without host or port. For example `https`.                                                                                                                                                                                                                                                                                                                                                       |
-| `CI_SERVER_SHELL_SSH_HOST`                      | Pre-pipeline | The SSH host of the GitLab instance, used for access to Git repositories through SSH. For example `gitlab.com`. Introduced in GitLab 15.11.                                                                                                                                                                                                                                                                                               |
-| `CI_SERVER_SHELL_SSH_PORT`                      | Pre-pipeline | The SSH port of the GitLab instance, used for access to Git repositories through SSH. For example `22`. Introduced in GitLab 15.11.                                                                                                                                                                                                                                                                                                       |
-| `CI_SERVER_REVISION`                            | Pre-pipeline | GitLab revision that schedules jobs.                                                                                                                                                                                                                                                                                                                                                                                                      |
-| `CI_SERVER_TLS_CA_FILE`                         | Pipeline     | File containing the TLS CA certificate to verify the GitLab server when `tls-ca-file` set in [runner settings](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section).                                                                                                                                                                                                                             |
-| `CI_SERVER_TLS_CERT_FILE`                       | Pipeline     | File containing the TLS certificate to verify the GitLab server when `tls-cert-file` set in [runner settings](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section).                                                                                                                                                                                                                              |
-| `CI_SERVER_TLS_KEY_FILE`                        | Pipeline     | File containing the TLS key to verify the GitLab server when `tls-key-file` set in [runner settings](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section).                                                                                                                                                                                                                                       |
-| `CI_SERVER_URL`                                 | Pre-pipeline | The base URL of the GitLab instance, including protocol and port. For example `https://gitlab.example.com:8080`.                                                                                                                                                                                                                                                                                                                          |
-| `CI_SERVER_VERSION_MAJOR`                       | Pre-pipeline | The major version of the GitLab instance. For example, if the GitLab version is `17.2.1`, the `CI_SERVER_VERSION_MAJOR` is `17`.                                                                                                                                                                                                                                                                                                          |
-| `CI_SERVER_VERSION_MINOR`                       | Pre-pipeline | The minor version of the GitLab instance. For example, if the GitLab version is `17.2.1`, the `CI_SERVER_VERSION_MINOR` is `2`.                                                                                                                                                                                                                                                                                                           |
-| `CI_SERVER_VERSION_PATCH`                       | Pre-pipeline | The patch version of the GitLab instance. For example, if the GitLab version is `17.2.1`, the `CI_SERVER_VERSION_PATCH` is `1`.                                                                                                                                                                                                                                                                                                           |
-| `CI_SERVER_VERSION`                             | Pre-pipeline | The full version of the GitLab instance.                                                                                                                                                                                                                                                                                                                                                                                                  |
-| `CI_SERVER`                                     | Job-only     | Available for all jobs executed in CI/CD. `yes` when available.                                                                                                                                                                                                                                                                                                                                                                           |
-| `CI_SHARED_ENVIRONMENT`                         | Pipeline     | Only available if the job is executed in a shared environment (something that is persisted across CI/CD invocations, like the `shell` or `ssh` executor). `true` when available.                                                                                                                                                                                                                                                          |
-| `CI_TEMPLATE_REGISTRY_HOST`                     | Pre-pipeline | The host of the registry used by CI/CD templates. Defaults to `registry.gitlab.com`. Introduced in GitLab 15.3.                                                                                                                                                                                                                                                                                                                           |
-| `CI_TRIGGER_SHORT_TOKEN`                        | Job-only     | First 4 characters of the [trigger token](../triggers/_index.md#create-a-pipeline-trigger-token) of the current job. Only available if the pipeline was [triggered with a trigger token](../triggers/_index.md). For example, for a trigger token of `glptt-1234567890abcdefghij`, `CI_TRIGGER_SHORT_TOKEN` would be `1234`. Introduced in GitLab 17.0. <!-- gitleaks:allow -->                                                             |
-| `GITLAB_CI`                                     | Pre-pipeline | Available for all jobs executed in CI/CD. `true` when available.                                                                                                                                                                                                                                                                                                                                                                          |
-| `GITLAB_FEATURES`                               | Pre-pipeline | The comma-separated list of licensed features available for the GitLab instance and license.                                                                                                                                                                                                                                                                                                                                              |
-| `GITLAB_USER_EMAIL`                             | Pipeline     | The email of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the email of the user who started the job.                                                                                                                                                                                                                                                                                   |
-| `GITLAB_USER_ID`                                | Pipeline     | The numeric ID of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the ID of the user who started the job.                                                                                                                                                                                                                                                                                 |
-| `GITLAB_USER_LOGIN`                             | Pipeline     | The unique username of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the username of the user who started the job.                                                                                                                                                                                                                                                                      |
-| `GITLAB_USER_NAME`                              | Pipeline     | The display name (user-defined **Full name** in the profile settings) of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the name of the user who started the job.                                                                                                                                                                                                                        |
-| `KUBECONFIG`                                    | Pipeline     | The path to the `kubeconfig` file with contexts for every shared agent connection. Only available when a [GitLab agent is authorized to access the project](../../user/clusters/agent/ci_cd_workflow.md#authorize-the-agent).                                                                                                                                                                                                             |
-| `TRIGGER_PAYLOAD`                               | Pipeline     | The webhook payload. Only available when a pipeline is [triggered with a webhook](../triggers/_index.md#access-webhook-payload).                                                                                                                                                                                                                                                                                                           |
+| `CI_REGISTRY_PASSWORD`                          | Job-only     | The password to push containers to the GitLab project's container registry. Only available if the container registry is enabled for the project. This password value is the same as the `CI_JOB_TOKEN` and is valid only as long as the job is running. Use the `CI_DEPLOY_PASSWORD` for long-lived access to the registry |
+| `CI_REGISTRY_USER`                              | Job-only     | The username to push containers to the project's GitLab container registry. Only available if the container registry is enabled for the project. |
+| `CI_RELEASE_DESCRIPTION`                        | Pipeline     | The description of the release. Available only on pipelines for tags. Description length is limited to first 1024 characters. Introduced in GitLab 15.5. |
+| `CI_REPOSITORY_URL`                             | Job-only     | The full path to Git clone (HTTP) the repository with a [CI/CD job token](../jobs/ci_job_token.md), in the format `https://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.example.com/my-group/my-project.git`. |
+| `CI_RUNNER_DESCRIPTION`                         | Job-only     | The description of the runner. |
+| `CI_RUNNER_EXECUTABLE_ARCH`                     | Job-only     | The OS/architecture of the GitLab Runner executable. Might not be the same as the environment of the executor. |
+| `CI_RUNNER_ID`                                  | Job-only     | The unique ID of the runner being used. |
+| `CI_RUNNER_REVISION`                            | Job-only     | The revision of the runner running the job. |
+| `CI_RUNNER_SHORT_TOKEN`                         | Job-only     | The runner's unique ID, used to authenticate new job requests. The token contains a prefix, and the first 17 characters are used. |
+| `CI_RUNNER_TAGS`                                | Job-only     | A JSON array of runner tags. For example `["tag_1", "tag_2"]`. |
+| `CI_RUNNER_VERSION`                             | Job-only     | The version of the GitLab Runner running the job. |
+| `CI_SERVER_FQDN`                                | Pre-pipeline | The fully qualified domain name (FQDN) of the instance. For example `gitlab.example.com:8080`. Introduced in GitLab 16.10. |
+| `CI_SERVER_HOST`                                | Pre-pipeline | The host of the GitLab instance URL, without protocol or port. For example `gitlab.example.com`. |
+| `CI_SERVER_NAME`                                | Pre-pipeline | The name of CI/CD server that coordinates jobs. |
+| `CI_SERVER_PORT`                                | Pre-pipeline | The port of the GitLab instance URL, without host or protocol. For example `8080`. |
+| `CI_SERVER_PROTOCOL`                            | Pre-pipeline | The protocol of the GitLab instance URL, without host or port. For example `https`. |
+| `CI_SERVER_SHELL_SSH_HOST`                      | Pre-pipeline | The SSH host of the GitLab instance, used for access to Git repositories through SSH. For example `gitlab.com`. Introduced in GitLab 15.11. |
+| `CI_SERVER_SHELL_SSH_PORT`                      | Pre-pipeline | The SSH port of the GitLab instance, used for access to Git repositories through SSH. For example `22`. Introduced in GitLab 15.11. |
+| `CI_SERVER_REVISION`                            | Pre-pipeline | GitLab revision that schedules jobs. |
+| `CI_SERVER_TLS_CA_FILE`                         | Pipeline     | File containing the TLS CA certificate to verify the GitLab server when `tls-ca-file` set in [runner settings](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section). |
+| `CI_SERVER_TLS_CERT_FILE`                       | Pipeline     | File containing the TLS certificate to verify the GitLab server when `tls-cert-file` set in [runner settings](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section). |
+| `CI_SERVER_TLS_KEY_FILE`                        | Pipeline     | File containing the TLS key to verify the GitLab server when `tls-key-file` set in [runner settings](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section). |
+| `CI_SERVER_URL`                                 | Pre-pipeline | The base URL of the GitLab instance, including protocol and port. For example `https://gitlab.example.com:8080`. |
+| `CI_SERVER_VERSION_MAJOR`                       | Pre-pipeline | The major version of the GitLab instance. For example, if the GitLab version is `17.2.1`, the `CI_SERVER_VERSION_MAJOR` is `17`. |
+| `CI_SERVER_VERSION_MINOR`                       | Pre-pipeline | The minor version of the GitLab instance. For example, if the GitLab version is `17.2.1`, the `CI_SERVER_VERSION_MINOR` is `2`. |
+| `CI_SERVER_VERSION_PATCH`                       | Pre-pipeline | The patch version of the GitLab instance. For example, if the GitLab version is `17.2.1`, the `CI_SERVER_VERSION_PATCH` is `1`. |
+| `CI_SERVER_VERSION`                             | Pre-pipeline | The full version of the GitLab instance. |
+| `CI_SERVER`                                     | Job-only     | Available for all jobs executed in CI/CD. `yes` when available. |
+| `CI_SHARED_ENVIRONMENT`                         | Pipeline     | Only available if the job is executed in a shared environment (something that is persisted across CI/CD invocations, like the `shell` or `ssh` executor). `true` when available. |
+| `CI_TEMPLATE_REGISTRY_HOST`                     | Pre-pipeline | The host of the registry used by CI/CD templates. Defaults to `registry.gitlab.com`. Introduced in GitLab 15.3. |
+| `CI_TRIGGER_SHORT_TOKEN`                        | Job-only     | First 4 characters of the [trigger token](../triggers/_index.md#create-a-pipeline-trigger-token) of the current job. Only available if the pipeline was [triggered with a trigger token](../triggers/_index.md). For example, for a trigger token of `glptt-1234567890abcdefghij`, `CI_TRIGGER_SHORT_TOKEN` would be `1234`. Introduced in GitLab 17.0. <!-- gitleaks:allow --> |
+| `GITLAB_CI`                                     | Pre-pipeline | Available for all jobs executed in CI/CD. `true` when available. |
+| `GITLAB_FEATURES`                               | Pre-pipeline | The comma-separated list of licensed features available for the GitLab instance and license. |
+| `GITLAB_USER_EMAIL`                             | Pipeline     | The email of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the email of the user who started the job. |
+| `GITLAB_USER_ID`                                | Pipeline     | The numeric ID of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the ID of the user who started the job. |
+| `GITLAB_USER_LOGIN`                             | Pipeline     | The unique username of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the username of the user who started the job. |
+| `GITLAB_USER_NAME`                              | Pipeline     | The display name (user-defined **Full name** in the profile settings) of the user who started the pipeline, unless the job is a manual job. In manual jobs, the value is the name of the user who started the job. |
+| `KUBECONFIG`                                    | Pipeline     | The path to the `kubeconfig` file with contexts for every shared agent connection. Only available when a [GitLab agent is authorized to access the project](../../user/clusters/agent/ci_cd_workflow.md#authorize-the-agent). |
+| `TRIGGER_PAYLOAD`                               | Pipeline     | The webhook payload. Only available when a pipeline is [triggered with a webhook](../triggers/_index.md#access-webhook-payload). |
 
 ## Predefined variables for merge request pipelines
 
diff --git a/doc/topics/git/img/revert_v14_0.png b/doc/topics/git/img/revert_v14_0.png
deleted file mode 100644
index d31fa0ceb8862ef4636a4388f5184c1fa497ea9d..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 11230
zcmeHtWm_Cgx9;HX?h-7x`#^%bdxE<=gNESl4#5fT4ud-c*8v6(8r&1?<axIp+5h0|
zzPhVct-hDstLj5bMX9OCVxW?u0ssIEc{wQ!007qOubhDl_qVOXI2iuh!CQY+{s;gx
zB%nQ;BK#f0xNFEt0BWbnkN*x(T;%lK{~E9SbHPY3<#_)E{IJ#1^UzaP5;k{sWH+^N
zHnU{+c69lR1^`68h5w3<mL8_m-i{7V?!w+c+J7O0|H}WUIcTZ>1@W*4(&{OzQA;|z
zSyJ<{^Rjc&ilI_dQ;WJ;SP5%L$^5(d-w}}3#>2x!n1cfZ0<nX5*qz<1Ik<#`gg7|4
zIk>sm{vz1ieVjZ@z1f`H-~F4D|L`Ma>2B_3>*8VS>_q*KUsE$@PY)n1?LUG3^Z55X
z9bNu2kdynrv--=A!`sw_gNvP$<G(ZVu(kTH^!^X4fA0L7*}qu*TQJeTr4g2Nvo!T^
zcGGfpb`blAk*$-xySb^0<v+YcIsR|Ne`PBAk4s@yH(SfUT>oJt#wE(}|LFc5FUs)`
z-T#gLzt#3%+P}pWL;V}+KPE~HmH3CY9smFbP*c*9mUU73*F^qL^FI~%|FHsd=h$6;
zdB1sRsAvKZ5RqV&W#C}oUtj(_Bcq^AKcWAAl%u&*K@Hr;RCvG;P*lB_9iKVI8%tuL
zoR!DAIx8?gp<Zd5;3YVC*L{1bhE4S2obg)FSJ$9+ije+rEtdj9k{POZ%CDc07AEwG
zYQQALXizDK+}#jo_y%alt+kkEj7tm(@cva;na{ji(_W&fk=<p>*2BspEVa>U=Jj)Z
zgimC7^c!teQ(c^eC<BM1q_$<fcu}9#c7qSTbD1^g(JGYP!Bi}Y?6ZG!)}BO+$0ljT
z*VN?ji<V-h$uCP=ALzdKs`r<Ncn-zdbT~=REd+mzpO5xS<a(bDu6E1VX>_%Z407o#
z)rrtC(ZK`&r~&d)AGN&KPIFPT2o4EGIT9*vFxDmECDmAq9s$xfCD`=4;qBN6I4)6&
zE$jqo0A}sr1_lK+&8mL-BG)Kcp$d3&UiKx3jQP??J3VPmw%rn`y@0)js*0JrQ*Tz=
z<t)<D9)RcO{Eghi`+^H}02V*Lo<jUUn<Phv8zuE$9VHvX*si$rZ^jg3)7bE^5@DNf
z%m?&Q!7PR?^5#WMf$sqFmDr5(v{eXM@9718JM8#=%@tTD?D6%&44nBHnxcqJWs)rA
zd!)sz04peGcDX7-rP^&Sgqj%M=mpSXMk53KG4Z^~xHvtarc_Egopk+-V3u%uWUGCE
zF<*vdplh|C2#oS(UY|!T2)qI#i2JfpZF?V2TF3N6!9w2dhW!q!Z(v5=-8cGkCNX|;
zX6zcGJU0D`N6#?ILen-C`4J$1Q*(IkguqFKifyPU?6nn)4k=999|U{m!e82-cGzCy
zHeH*3N@hqpNw<)ttNnzcTA&Csuzv1Qv2@yvkTE|VO<VUYSa|Pma8np^CFzeX3!q~F
zJARO(v(D6<^*;HNh8M6Cg$XV-RCTqG`>u$6a;A|c;8T)H{vr$UTS*33?N!UiX#6Bq
zFDa1qO%$RJLF`iN4}qQt)#eTtPe*YgmATnwYJEOPfXow~I`GTU5osw+X#j*zpFZVV
zr)EeQr2u98&6Mf|27;)*fGJ_m4Wqd=Tj_;{-{FPydEIC>L^dIvESm*)>%~T54ICc6
zd~kbDB~O|6nLhJ0rVu=DW&zQ17TsUYtmEFjIm@*53rntvP`nQ`6Z?>nQ5&(8N2pHb
zy!l&Viw&^HW9%0_vaz>xic86}8q<L|^+n+`0Sz~vWDh$&MF7wEo`NvqZjiPOFl)$y
zfiwuV^p@B;@2X#J^QT7AVNyUSl>aAN9j`#6>1&#1A{>kWJ?zZFkYOH=mp~u-IY`~+
zr>}-B6XI^q6@0FBOC7*nOhS|ygs+U_LM&jX0uDN4Yy}95&uDh);=o1+T&A&+_cD0?
zNqM=P`R0GZCR$jYlFMpv?r3|mhj2aVYJrK&)heBww7~LkImQkMg04ttI>&14QQW>j
zl(LpDqu0NJKIHK)Nc9j=+tZ}Sw(_;p4cZCp>NJJNkKSOAKq%@Cczwl{?W!wPuuUoR
z;urMR4oyL86BY%iGX)sc&oyoh_Xjr8`&}8|_7>+!>oc%vY`x(j3FGz->+tcLpT4kF
z4DfsoM#zkxQ3c57l#ySlw4Sj(v$$IGo(xq$Zb&fv(hgUO_4tCOf&5y*$}=Nd_9E$#
z*PdG!0K)~x0(i6_j&wU<$Q3HbyUB)bx))HrMD4C}=?fbIamV<kdx{4e%C?kUteBNK
z0*+We7}wSMD>_*_J`z`V>Ipi-ZYp4+sk4lo9dE(I!?hBSzgNw=t8%y)c5&rnsCyW%
zI9nQ^cu9MHyD>;ecYJD61_+>dL6Fa1Jf07_?k+i~E#!goSRZ^f>+|M3<}i%H&a(qb
zL61{A=|9fBc<O&cyL5ls-&xc>Qloul5&YAxqDY66ZYm9+C|EM>)5FzD{=P1?kC4<J
zzlKWj=WL+N+VeAIl-ercQ8OTS+%?}5NQA=o^l=`|Bf#ot!x}d<<0X7e-_YmOP-y`?
zN}TCrins(4E@H<89gBaAO2qBdDH5$B0|A2$GhwW{=^nB7P(-@v7;iT3--pYo;7$&U
zrCNE?z*wbD@yfiP{*X;62{|r_K^RmLCAPDUjmkO8_Jx^G!Qh>m=-Pg|INGi*-3vbR
z8lqz5obOk{DK*30*Pqg8>yhi}h=<Q{%}y$Ub50Bwn_`-=Ye|44ykuX6-4<}06G-AV
z52-RiZ3)1y-8i6UJoa7vkl%8ltB(w6Akty>!RS|FH`qWV7@75!+h}(DbKaAjyNV;S
z(8zZKv0lH?riyHc!6?PENCD3{GgO?Pdxws6@(qUB1%k{+hx>oT@ap7QV%Puq1gn~o
zH%=1W!|ioM6k2GHt{r@110qP!)Gd@go&UrF`F;6^UF?TRS|akecV;Iln;B8lhmm;6
zmFJ9+s$Tk|NbC1dTWoO8($TMrkg^_J^v6gf7%wvdz9!Nk_FZDcchf((4>lyFn3xzi
z1e8tL79$Kz_;(W>&+~=*Z{L(SqCJ!a&Lw~szE~I?BhW)#$)BHPD5Mu|(JjAw&KPoW
z5(VnWej%W_+_b421=2He^SP6avXd2`Wby3l`JkMmM`PEME-cnPYHfZ@XnS}hW0jkZ
zXo*f%P@Tu6zU1(99c?EVjRVkC-0QiXFxTgHF229-Gp*a1u{?k~A(md2yDu4OE<>gA
z;)dr)*$@b3{uwn})Fg7AN#V+nMc!uQ=_A2a#!mQD?qe}-iX{cQCoL-X>&t`G-%CXR
zN4sI9r&iKXO{1iB&ub}2PgYv~Tz6jkHz~l;ckHPo%9aebe!L=hlgBt&+8fz^$e;4;
zf?_YeXW>7bq44VHtTH~DZ4s%(r{}lmud9YEdadn<Q<4!tzo_0HbLH^#`RvQVK~f?V
zn7h2dhu6v5iAR%Fj6@(a%w9V};nyWwsF>8`XIHD!OjG9}1Dp_n^la@_r!a7OE&8|$
z3f0yWQG@+v%&!rs(c?9j)6>E(I=FYSRK=*mXYNyf<T6AcJnr|=WVAMPv&S{Jz_b+2
z($6R<!<Xh>_+kDuP-(4a$F`>qjh}$O0NBd*ioc7+Ms^4i6>=WM5FY}XXDnIQd7+Gv
zH@;}xH0C7m9Q?6e5%*t|!_JC;+^EiE<x(HSi+%gL%%QnRT=vwlhvsT7;nF`Y?fz|!
z_wugyM)~mpfy5)M)9XZi^nrRm28I~uZ&B-RJvo#1AT?>ffL)P5cKjrPa-SzIG-o^W
z)P12tZD2K_8_)Z-yS_%Y{v}YrT5xo7@i?ddHPeu8=}At@2m{q~+Aruwb1@r6MHcyE
zrIXhPg0ZF0gwyyra$R{`q_KAu_NATcXdAHW-R^)f$~{Fgc^K&0S$1ci&;O(LNjvZY
zCz7nV>%1+4?+n?1y`1uEd)W`kOFI$wIN*Bi^m|B5mbfFpufAPCMLwo|YjXzEV<fHk
zZA(7TEC9OXFB3hE;vV-Up?hxU3gX*HCqOWrg-*$nR(i3d2<gm1O~CfriLa}gkFH}%
z5Fs+$ZDkTLJqX?ul;_UXOcLIlmA>mUR1izko5DnG1Xh$IO(&?`eG^pq-KYdjEP>#C
zJ{vC<bSJ=6(Out6rqN5g*fb(TOQ-K_VC;K+U-fkNsk6!(XiP}mOIs(R8-bag1K3Z`
zKh1cd8(5z*&ly(@3}G`*xJ2Kq$vtgZNQazn+>{P^U0{p+@*}orc(J@$V55A^MCXux
z(%sA0JYN(3E+E`a^h5jc?I%<p|NJp~bM#A?Th1_)Z(*mcp%PV5`v$#DfT-!_S2GbO
zX4O;G<2Hd<w6pmy_Unl(aHnx*OocqN&Y$PrO5B>Q71M;?X5yDtp!W_K8ENkD`M1r`
ztX#()oAlOEa%gC%jXhnT=+GIps-twX%r~Z9-~v|04B0EvkST1Y(_OrZ+_t5g$3WhF
z&JL~db|6W>iO!>>`RJR_T7f6^BHy{__omhM+=`K0fzaHMV$W&Av3Qaw2&$42+es*o
zVC<51-}pTuW*>XyM&j25O<5?h+6pwxp>9Eeyk@Q6pyyLfy<NCFYM(M}d`=hw7P&3{
z_UPN**;=uE=lmn+0(k14Oie?>og`IqLXhB{&iSztnQ&yb+!}i({py=#D1#QkUIV=T
z9djk6^wOs?bb}^gzQJazXv|^->)Y=mw+%YF)-MO^hdt9B4|3=FhqbGL`v;o=J>9)8
z>%A8b0oGgYuIaohP#j{2WZ=-cSmkkg-1kGe)V&^Ps`xf4>X>qF5Q$r#2#bp%p$(L>
z1&`kiDIq3&m#>muq?4A>CXJHTl(J)SB6JY{_JV{SYB?Xj)D=h>!1wWLr4g~vF!eT}
zAP>b`FRN4Cke35yOBMwb%-w0KM{rNdIvU5cqe8P{<^PWA_va|!N-q~TJ}B4}B>z@L
zKToWerMFF$^jy0Co^@Y{X{NU)t}Rl=vi<#FSOJCV4*f;hazT?WEc>u07{tlf`E}TC
zA0}>Y3$^N(6aom;AkuPwq#%KQSRbdpbpvpgrk_CdsjYM(=y(TyU`9h>V`jppl4GtK
zpp3H~NEqoc6Hk|C#?!{Wq}so^UsQwC%u$WjBQ1GA*wB0UP*_^cSnXY^NyE#s@*CKV
z@>6mU<~bSO6F%k6Caxrf?Q5Jn6Cp2UeyVZ<Acb#wV~3rMQ!`1ZtSGdW78t||Cr?9(
z5y&qijV&&;=%L=P8LM{qrxmw&?y~Urt)`B=F6>7vN;Mix+(|Q|byN3U_2#b{Dg{J!
zV^XP@<twJAkOm43t?&(F8F$|Aqq+;yC}7uEgPk*NqCX2{fAua=QemcTZ?g=mu8p|I
z1)mCB>5hYAMhblJr-PC0Vr~_t5gygbY*Vizs>i2)e=w~hNMs3iox`))f#wx#?M)${
zzUP*41jUQQ#dH4F%EjaoYQd<$kb?v;X53TODwx^A2l~Ykdkt2&D%Bj5yZ0p3KP3;h
z{t&r*5;R&s2g|?43jt}(7{U%PSw-=anh-Yna7LYQmF@$g^?L2oidFtJ*`KnuX?|G}
zjCrySz4?`#A~JP6GH=5WE<=awQ@Vc~9~huB+dIoq#55G1Z5lR55X?{Oxuxni;rd>3
z*`%`2|9D`v$r@|3O=G}`m+fOdP+9c0Cv=0U7g3!_<ox%e8U!df3Pj>)&%mWQRdD6y
zW_7)VL`!2Hf0*?ktRzVgM+J2esy>?M%78C>%>CHZNKFGYi|ZOzY0&Y7DKyCo3Fpd<
z9FhhdzpI5X{$15%%>|M|rATThYw?-wblX6~q!V#Ui&?Khd1y_X?srs6$Q?@K2Cc_!
zDB`Nly$(H|=D@q)O4p`LvxI8<Y3NWc%Q9EuF5Ywdg7P>+Xi>Hr<I28ag?=uHKd{R4
zvGOP)30*e%S$G$=ihBngk$$YTJrr4K;X^2UcC^s+ZiER+!-5M+F%O%^ym@J}JmM;M
zh8r&y&z)H%Ye9RcLnU23h7_KQ*dP+v_1ghrvms+gigNuY38z){C<pb$rP0BM(m!Ko
zzfp}hqjGq&`-Ku1=+5VVrcIVYaXpt{3ALhU^e>PPxqpWJ@_Gk}ZQ=78EpU^aDaLCi
za@N`}G*PLUZBiW(X(*dTC4?^Dvnq@R{~4Y{bCM`rIg2#KU;o4&9h!T&Isec<?d~GL
z5se9!mb=s8hAJUa`L0X@z(jH}kE~w{c*3<YeFHaNTfk_abw2YQ@i4AdE99BKCBiNF
zw`*4XifuV-ugRTlbK(fwy;0tqvk^EKETE!1POEpMcedOz=5PLapN>Ff#gF{aHXznj
z0>o^{a;qmO=OIpOz3K$bJnzjVQ`-KSz$NC<n1JvCyjKIrGFx`tMSEEF-<^nPFo~*b
zl@s+KzpmtrSF)$~jtVD6n64}nTL^elH86WXI*84UC)fr_q}^g)bE+61e2skPG))7h
zbb|5j>y+n#am52tNIz)HDJp-x1hiL;^PW3%MS%jD_*XcIOO?gE0PYpZl7S&nb^HO!
zMO!u}9mZjO&BY-B^ee8>!=^gd=qO4}UOP+M87%~z%bWe??%ka8!5jhzlXUqPZD7yL
za?8vSPZWq|xj^ff$WAi`3i<-?=h8=mM%Q}L(Rxj~02I6Uo=H~``|Z*kKR(uneH&)O
z>p>@`z@qq5y&H9RoXYofdbVgS^w<$eI<M{oc`axnAs^HJ=sxPCxvu29%Fa-~C+xpB
zZkkOMKd&Dvoe&_O#Az-K7*pN3j3M(a6|Y*oBH#FlI~dBF9dgXiSWXI_iEk>W<~$Yq
z@L9<uS-y(NCAlSSyvNb6m@^%n3oO~`@08w~D~|ic*bL4Jep$N||HmEl>z~4QOvYL{
z6;;(4g?P*JwTR8l=|<we&m&3Ahc49~u40^<;PC1kq4gzG5Q(ckl&53lWI0W)`Ri(b
z)B@|6lZXo~(v|^qiNFJ`%#qR0ppT7XM}pJX1iF;rpbM@4Q!BER_v!&mu3zs$L|qzW
z@>7??pv==eB5JohpSqZqVO@U6J;cpp&w7^+8&9lM$t&Pm4<s)C*ifnw@^hH5o5Twx
zQl#Z-x>jf9@R?DF5NQ_<tH)iS!(t}i4%>TD>K7%kZ&Mqty5QBcd6uG;|B^9moui<q
z?oTqYz}};9F_@DE!8dfrQ!j9i0|%ip<DaWlicLip-gki<GYV?=U<z~fcD^Z)dRjQa
z!}Y-V=<fOt%h3cyR@H*~bl-)uUdu^$CwD=pVzSoNB*-Mq=4$g&%|dIxgdOYf&kG$(
z#T~5EylWd52Gi9`F>w^~6g56GsRhf)do8t<!19kSsLk`D2K~2Lk>UtOAa9Z%li#b8
z$rFHnaYo2%RSBI5p&RmBRXXMUusV;qE?lh@K)<T#M=W(FRt!esR)RrxlwZ#rUv$IQ
z$oZDA5xwDZSh@X*Dp{sQExxP3VXgLhvi&YC>X`}Mo)uf7EsT6)K{b4`<dfAa={Zw8
z>#wzTJJ+IudB1q-9s)Iiw#3?^-M&lMEsdSwA|}R_Xb3JXsG<<Y=EY5E>_%rfGO6V>
zOjuIYK|fF8IKzFeP|YCb;7F<7@nR^Sn{jE+Sjm%-T&Tf(^)?kS;81DTvjOBkZm^ek
zc4x=Q<Zqv<U!W?ir%X9yghKJP@g(X3?@TK^n0fuHo4b|_eNa#Q78G@(103trVh+Eu
zG2WT}-~pHqrfaEzOt>8FLd5f1*9hq=ym;#s;HKfE*YCngOZAE3G?y(7vWM#T_EpD6
zw|Wo_qSYXtGC{ePIJf+X0$as_>ZMlaR_?}eG5~_?kC+vOH|wDnXZ_m@iDH#Ox`SVI
zELx<y>Tk5E_c3m_oes<6+s>w($+6eFVw%h5uj6Tw=};=ZG+N0#!#+*{QY7_r56_yK
z%XBcnvvo$0AVWfT|1%tAPgviJPr8{xVVEHc+H2;Jl!Jj!tr+*Fkp1ht!2t*TOIzZi
ze7*@A#8eG71^GTDUjlETA$n%zA7swX`c7QQbFQV$4>-T9O*;*8@sK+P%R(XUR7?$n
zwb_&{t|s5AM<}Bky0C~$M5J-puT$T>PyEsN@U%X$#Am>A#wSGY%;J5WPI{JQI?4eI
z!OqsN((<B@e0TL`%PyStUA)_6o4Z3oH$B2f@4GSKu2h!-!iP4O^ECPsP#3~+WOk`|
zMUxEr+HJ-Ah2<2h5T_F~a=LL}zxQBr@i!)q56l>yR)cvi3;c_TJglGOZ!x{HOsI(;
z$9}1iRKpYKJ}TVd@L^3otg%>;d`ZsIf1+~Ng~cDv3ftnW;Q^v=2SqaN!gy~7$;6>h
zm&bV1djn*y_!SyxwdKrUN4}0a6?sb+>1%pR#U&@(#Fkqs5yqu?r=F*e@YL$?|2ojH
z-{7{d=g(=oxX3zox5~`RgY87MG|7B;3+(-J_^^31<kd2*i-dEb$g*v^ssRLTDc##~
z7O!M0LHy}8D<JWCAzX5`mC=rP64@s6bBTJ(x!LJch>1fzRdL%3t(-wRP<z<5CmSd1
zD8<E<W#MSg6ASnzqpuo1vCxl>{D`B=)p4WwV(p)!RC|kY2nqFEwYD%h>IujCrFa-U
z#0E#1#ZK9V6pgTQBUZ{zia~M(vc@cEyCo)NMcJw*U>^d*d_$tE!+qi}#-(dM?bv3^
z(i|Br1r~8<ZK~`8IYuS9+ivAtG@{4&b7kAAvds>$EW38f?X$Vr6btr-=3<_E>RmyP
zm}m=KLoWMW;b#n^&v#GfZ2sNC9!8n$*cP!5SAo9qYB^4OnW!@8s+Mo$yd5YmJ$YVD
zpOErVyaEHk#aP^qE`xEgLd>mCm<?-H(+7n;%1+i4w<_ZMCDwyK3GO#29l_iDUSLDy
z%HcZ1j%L5u5Zc>WMVD40tdW>?hqCSl3Vp$fasynEtCskDy+TEF{(Az-Sj7gdDP8i^
zVH0~aG@siQ(npC87Qy-OXG7k@HO&r05)VbWH$Y9SknpoF^NM3687*^JDr362KCoF?
zMyu1XIq0)2_;(@WtoZcsSz$lFcOXrK?2_GB{%%lx7F8vqFu3&FT&+EWZ_ZU)C1Ja)
zB<`_AwSCa|9LbRKj&7v%L*}@}u^U1Qj-RgtyVH|Nd;a|Sv{Z_SZH7*)c1MoFt7qz_
zZdp{-%DVg06XRKYi;9lSAc+wiBVV7F@Am|{Ghs(B1znbAgNB`|vSViU{AqYWc`$$P
z)Kh8c!QW5sjvlzWL)0)lJeVz~=NZjp?Z)pXp!J5_3Q7zz4!fkiww2J<7|c04b$cwO
zfX%Bj;Ly#<R!TD($JIhB85)nTOvP%vgNR>Dfg=AhcRz2~^0Kz$%l_@{N-NLGaIBU*
zcx#N#?(5m~u*Y8mMe<PaHwU7>uahaPa)S<F?iDJ03d>FKnAetx@tXtq<dm=$KAo}k
zsT}(ZOH1|=DV6o8^wNSx*gqn=CUi*edf(5})05t~D|`)}1W8gtq5rguQ3R-*7K10c
zYIkknx9!63>>!F(Sbq81n;y{!C>PIjupPr*%DVV?y75)<N>YYn`{l+$ydR13du{*)
z{FSKlu1{t-@g8d7W&QZFQN*w6ON$$qZcv69ThtJ2n&K7rxznjw+I2g{#>TBNpF_qr
z=M{x+J;TS5fwmjZF&iJ~G<vV@@bhO^5uO;r!;i$QQvQfqzOEk|C<BcN+jvr#YP4-L
zA8;1BVaI*SPbwJ67-QBEl3sCFKUl8I@0byiJ~LM7Y#YL0_^}w?4z=f^M7y-M0Z?xY
zt}yl^n(nLwya3Wk-|Ghsyw!&5*S|#a`<3iPw}fqT6U1E67029$#SF8CAqb~v)O$~A
z{0!P2VbUnNb@XYWWc|vj*iV^+8GYw|Ibotz!o}x<$|Ab*$+%r_QiBsJ5qH?0JLI)Y
zHcu-EdHl{Un!u_EgD{~N5`88&G4k$9)iPxYq8@4f8NSe}rmZ^j95?xu=~J|rrHA(C
zU*uKtiTY!^e$qti@<RIjwch!#mOm%PxurZI7jiQPMX2a~{UlFYx0dgRzOf>uIC|RA
z^>J&cHa>>U<|-a@V>}n<3+c1aS$%sTZ%cv1JI6Ka%0AI;$5YIX9+;^tqo!Xo&$Lol
z2k%)Zv#H<cJui>kGo~Wr=TUw$7)}oxf=C?SeNhgM4e1yzU}0pTQIi9+0$DD252OlW
zt>a>ptBpUrr9}!=W_PClxg6$(M-8wHsIdZ9m0b6le|4^!%|a}YR@~3^>+7?8rBOR_
zX@u^5AzqI|%qxz;3TBH;%3{}=BS%3iB?^+jn$r+M-0Jr-MTceem@rh@JkOb!(ldoW
zx5*y&!+mDMb7tx9T7`2xmcvyZunacV`};Q#goSJF=22%5Oh8$V|BeZFvv%UHr(@EN
zq{a=_3zENL3G?I9OZ1z9_Hdbyp1hP(%<r>u<#ySM2WOFPb&6ZTq)ogw6nmugD9(d>
zV=jS-ef3FQQp%p$rs(nt0fO_Okh9Nq42+46Uvw5&SqHGipcjhjtSzQN{`!QF2yesB
z_-C|m>$mE=!NMj2xmD@NjnGuZrS{q3J?ytUUgrI^@(tIB2RzwD7ALZo<8{!p3{g{2
zs*~Nesu|ZfxbWBdJlRxB9i=4wms!*phLa^~!s9{k?kCDCud3-&g>lxLmWMCGX5pHU
zhNA2shJe!aZ$=F9>bqwH4TmR_>I9#zF*j(ry}z!6ezb-s;=S@GL<D!0dK-iniT)Vv
zm)AOt$<^@9+^RY-vA9In#i(vd-$jVE%~03V%Ou@HzUR;>SR<jEeZv&hiBzDfa~)1u
z<`fp+671M^EG&_TuQC(3&V%uFaY*`POC(jR$-Hh=g3ZX3aoR=aKNq-T9#(^wHdiy2
zc)7T^s3*%yTP%fEk3ylgv}i6S2pRrEEXPqsqjCnzeSFJp);Rf#8ZKWYN}%uX2M_#W
zQ<Yn+Zb>*TRc&@v^$txhi{SX1`R;h{*s|yav@~BjnaH_DSH`2%q!h=Op7}CJam_Hv
zi{#ogAPAm))4T*XQ+v6akqGa-#tG|n2V(%=OQ83o@xqZF!Ioo;QmQNw$7cxIb#zX`
zh^P>wHYry-ybiIqp5D|f<sW>a6|R}iS2x)m-@A<SGZ=&MUl#gXaFR`W`Xt9nj%y@E
z59h?B`Py9v!(l1f&q>68SMICe7%1Pbi9Bx?a?m|`Bh!Y<f-+uFbLv<Q;BB}pnPiK=
zp+6)}o0k;X(-0J>nXZ|24rv*;F5r6BuXtt;5&l;2h=SC;rbXhbQ|)5yf?c8B!19&Z
zhOp!al{(f;nX3p-u4^sBhT1<~hw^}WN1XojwxCIP(b<>BVu=>R0L*&7zJ&~AFtS{t
zt?WcmdAb)Zc0`7yJFnbNGx;`N0{f7y#301aI+|GT9tn=WHo}iB*>k(~*6}E=PpqHd
z8aiNA`8~FQPsj*kltwc>dKP{^YPU23{=~)Mn34h<iL#ABAE(3x!JUuYrJQnZEO}fS
ztNhIF?~^6eduyvp`yg7)14T(h;H<p@1sp#P#UH9n;+i9JR*B~Ar>D2F_D%GAQ(0)k
zS$pJE!>80ae+k8krC?HQz`Rb&LlI_9X;=1Y;Lh9Yi84gHC4KhE+`*Jy4XYs%`jgK)
z1gdUYl?Y)D`nEdJujnsgN7>`4yHJ;s*ODI)Uw7+vmv+(4_^3ALH_Fl-xUD&5Vep+G
z-Bi(-lE~oPYOP?-nm%%W>$(fa<0=<rBx&8@HkDN^CdQvsvCoxd3IIUx`DZV{k3TfI
zeAPj$oF#@j<s7%(kO5Q*bX+>Wr?G9L9w;Ftx1%^BUrN>l`6bA4h4er~V<-idGde2b
zXe#os>t59JmK`xOd=PfFB|ReNu@*~{Pbo19q>TObn2b>`Mv3YuPN_->9lm?1eJR4L
zx?04}LX0<~A4DjaVvx6pEk0-Ws~Ou{e7f8b>$7nJpV99R+u*LAGv;DASA|I+#lm*L
z4$bk+*bJ<sGo#8wkkO(cD_W@Tcy@2CgUtkH4k|DD3LhMYj)9u)H-n$uL@+h?I6`SU
z_JH<U@jkbUmz(2sX$-V{-xAdiDp7<1(RVWs_xd`N(TI&BYe7DV*1K#yG`?B7sVQ%<
z-%iY*orx|`f55K-Q@6XU`alHZg3CVw3MH8{W9R`v+nvbV7u#YwIo;?3_4Pu;KTk5@
z8pUbdNqX5YuTAErN6p;w0k+h;H+zqJ)<z6V$x%4gin#<#aijeXtW^7!pQ&D~Ji^!S
zS(Sf)-rYCtke`>0)E}LsziVg4Zk*<FkBzscqNLcbSVyD44MeTOLWA5g8a$ebHZH#d
zqS+${yyJ3lzZ2A>!u{P{#w8iMNd&o2qCR|dlsAvV*jO;Xtj+bdB;sug8fmU2c`U=5
zhS8p&m@~jDGcVf+mvtLw*q9T_9qV&194HVuBl&2=I6qK01Mjd*0TgN(f0S&_DKsC5
zucI8k!Ir}ql2jm6QE*dC(A!&8^v=a%?M~`$sH|i3wX}CJU$^>hDqWMV8x^Sk@OD4V
zQBuJazh@27y{OI7C$ll=q#ZV$b9pt#M;qiFgsu7ZeNgGWFBAS;pQRSoZ<BdR(@%G)
zxG^TbXC-NXQg5k6M};=3^dt<@a<f!uUpCy+J2tFlg+Z*30Y>2=XJEhk?z|iD!|8)%
z#D{l(^xh1ja)G%y3x&gD#o5T?DcU-hx&?mFu~>#FR77XWTLH<agv+Uvv?w2R^4DoO
z-!hfKv$W6)1hy<>cD<t$)D^T%0-r#biQI1~KugjCq~Cs-b6UQtzSK|5G*`r%wUcPR
zfe1f)pyk5k#>(8O_b*QoI%UKQ&=D&^!B&Yo$CWR>Xwo5w%OeTazO6;p9AOr9s&`)u
zyF1i&R@|}pb#LQU;6zomYE;?$;7r`u4hgFS+Irp%-y*>(@(kp+2`8|4K__T3w40)q
zMU7z9fEr6y1QzNU$>}`q4se+c0puF%S-%DvK}WzxN!jFrqo>1HgKm}7uxUeO3_L&#
z+TF*Dn>&gP3R_Ul_S~(KiYw|;Q>#!}CCoGiX%r$J_7C;vBf#h|Sbv7_SW2GL*sksd
z02OhVQ*eH<5Xv<AjmK|^oJ>co+dGC%*WXwtB1f)LUznc*F{E5x>7eGw6|41wTEtZ*
zZ8{(Jta<kP#(!q<S5plmU-@Ahn1~RhM7sIlPBOj%s-AD!6z=~bn470tA1dbi*-Ju@
zVLbc=u1M(QjKaZvtFp_t^{(;H^w(0~fu3CJauqLif%QS*Byl=B9Qm0I?~>|9&*px6
zdvX$^9ERlIC+of6U^I*+L%(tHlV7)n!f8@LpBVF<8gk_I^ot*-i>oi%YZM@bk%vv;
zvZNcE;d9Fq+(lU^R&gK3vWLiwM;!PrHlgJ8LlPISY8Qj)dGXJkKg5=|KE~TGOc5j(
z8sjH$aby4Riu~qetriz`;yetpE{xu@6C{?T5`Kyy%^$Y|$}i*;A--?*6|F+kAMM<d
zfi@9*KU0|w#E2*S%v&p`PVlZdT=k_j$2sY@EKqqw6BV<Zou9CPEi3T&g)wizhE8sA
xg;6S)T0K9=?3ROX`;i7YnEJmx<+`rmN_3LwRveZe|Jjo#FRda~D`67+zW{y94uSvx

diff --git a/doc/topics/git/undo.md b/doc/topics/git/undo.md
index 12475798e72..b20cdef5a69 100644
--- a/doc/topics/git/undo.md
+++ b/doc/topics/git/undo.md
@@ -261,9 +261,22 @@ was merged into your branch. In that case, you must revert the changes on the re
 ### Revert remote changes without altering history
 
 To undo changes in the remote repository, you can create a new commit with the changes you
-want to undo. This process preserves the history and provides a clear timeline and development structure.
+want to undo. This process preserves the history and provides a clear timeline and development structure:
 
-![Use revert to keep branch flowing](img/revert_v14_0.png)
+```mermaid
+%%{init: { "fontFamily": "GitLab Sans" }}%%
+flowchart LR
+   REMOTE["REMOTE"] --> A(A)
+   A --> B(B)
+   B --> C(C)
+   C --> negB("-B")
+   negB --> D(D)
+
+   B:::crossed
+   classDef crossed stroke:#000,stroke-width:3px,color:#000,stroke-dasharray: 5 5
+
+   negB -.->|reverts| B
+```
 
 To revert changes introduced in a specific commit `B`:
 
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index d435aa07f1e..ec65977e54d 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -126,6 +126,28 @@ For details, see the [migration guide](https://docs.gitlab.com/user/group/compli
 
 <div class="deprecation breaking-change" data-milestone="19.0">
 
+### Coverage-guided fuzz testing is deprecated
+
+<div class="deprecation-notes">
+
+- Announced in GitLab <span class="milestone">18.0</span>
+- End of Support in GitLab <span class="milestone">18.0</span>
+- Removal in GitLab <span class="milestone">19.0</span> ([breaking change](https://docs.gitlab.com/update/terminology/#breaking-change))
+- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/517841).
+
+</div>
+
+Coverage-guided fuzz testing is deprecated and will not be supported
+from GitLab 18.0. The feature will be completely removed in GitLab 19.0.
+
+Coverage-guided fuzz testing integrated several open-source fuzzers into GitLab.
+If you are impacted, you can integrate your open-source fuzzers as standalone applications,
+or migrate to another security feature like [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html).
+
+</div>
+
+<div class="deprecation breaking-change" data-milestone="19.0">
+
 ### GitLab Self-Managed certificate-based integration with Kubernetes
 
 <div class="deprecation-notes">
diff --git a/doc/user/application_security/policies/_index.md b/doc/user/application_security/policies/_index.md
index 5024c33502d..6c37d91a8ba 100644
--- a/doc/user/application_security/policies/_index.md
+++ b/doc/user/application_security/policies/_index.md
@@ -395,6 +395,7 @@ granularly per policy, you can set a "policy scope" in each policy.
 Prerequisites:
 
 - You must have the Owner role or [custom role](../../custom_roles.md) with the`manage_security_policy_link` permission to link to the security policy project. For more information, see [separation of duties](#separation-of-duties).
+- You must have at least the Reporter role or [custom role](../../custom_roles.md) with the `manage_security_policy_link` permission to the project you want to assign as the security policy project. For more information, see [separation of duties](#separation-of-duties).
 
 To link a group, subgroup, or project to a security policy project:
 
diff --git a/doc/user/glql/fields.md b/doc/user/glql/fields.md
index c9569ec00b8..26a504c7e80 100644
--- a/doc/user/glql/fields.md
+++ b/doc/user/glql/fields.md
@@ -17,7 +17,6 @@ title: GLQL fields
 
 - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/14767) in GitLab 17.4 [with a flag](../../administration/feature_flags.md) named `glql_integration`. Disabled by default.
 - Enabled on GitLab.com in GitLab 17.4 for a subset of groups and projects.
-- `iteration` and `cadence` fields [introduced](https://gitlab.com/gitlab-org/gitlab-query-language/gitlab-query-language/-/issues/74) in GitLab 17.6.
 
 {{< /history >}}
 
@@ -40,6 +39,14 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Type
 
+{{< history >}}
+
+- [Introduced](https://gitlab.com/gitlab-org/gitlab-query-language/glql-rust/-/merge_requests/81) in GitLab 17.8.
+
+{{< /history >}}
+
+**Description**: The type of object to query: one of the work item types or merge requests.
+
 **Field name**: `type`
 
 **Allowed operators**: `=`, `in`
@@ -80,6 +87,14 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Approved by user
 
+{{< history >}}
+
+- [Introduced](https://gitlab.com/gitlab-org/gitlab-query-language/glql-rust/-/merge_requests/81) in GitLab 17.8.
+
+{{< /history >}}
+
+**Description**: Query merge requests by one or more users who approved the merge request.
+
 **Field name**: `approver`
 
 **Allowed operators**: `=`, `!=`
@@ -105,6 +120,8 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Assignees
 
+**Description**: Query issues or merge requests by one or more users who are assigned to the issue or merge request.
+
 **Field name**: `assignee`
 
 **Allowed operators**: `=`, `in`, `!=`
@@ -124,6 +141,10 @@ This page lists fields available to use as filters when querying issues or work
 - Work item types like `Task` or `Objective`
 - `MergeRequest`
 
+**Additional details:**
+
+- `List` values and the `in` operator are not supported for `MergeRequest` types.
+
 **Examples**:
 
 - List all issues where assignee is `@johndoe`:
@@ -156,12 +177,10 @@ This page lists fields available to use as filters when querying issues or work
   type = MergeRequest and assignee = @johndoe
   ```
 
-**Additional details:**
-
-- `List` values and the `in` operator are not supported for `MergeRequest` types.
-
 ## Author
 
+**Description**: Query issues or merge request by their author.
+
 **Field name**: `author`
 
 **Allowed operators**: `=`, `in`, `!=`
@@ -215,6 +234,14 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Cadence
 
+{{< history >}}
+
+- [Introduced](https://gitlab.com/gitlab-org/gitlab-query-language/glql-haskell/-/issues/74) in GitLab 17.6.
+
+{{< /history >}}
+
+**Description**: Query issues by the [cadence](../group/iterations/_index.md#iteration-cadences) that the issue's iteration is a part of.
+
 **Field name**: `cadence`
 
 **Allowed operators**: `=`, `in`, `!=`
@@ -241,7 +268,7 @@ This page lists fields available to use as filters when querying issues or work
 - List all issues with iteration that are a part of cadence ID `123456`:
 
   ```plaintext
-  cadences = 123456
+  cadence = 123456
   ```
 
 - List all issues with iterations that are a part of any cadences `123` or `456`:
@@ -252,6 +279,8 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Closed at
 
+**Description**: Query issues or merge requests by the date when they were closed.
+
 **Field name**: `closed`
 
 **Allowed operators**: `=`, `>`, `<`
@@ -295,6 +324,8 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Confidential
 
+**Description**: Query issues by their visibility to project members.
+
 **Field name**: `confidential`
 
 **Allowed operators**: `=`, `!=`
@@ -330,6 +361,8 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Created at
 
+**Description**: Query issues or merge requests by the date when they were created.
+
 **Field name**: `created`
 
 **Allowed operators**: `=`, `>`, `<`
@@ -374,6 +407,14 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Deployed at
 
+{{< history >}}
+
+- [Introduced](https://gitlab.com/gitlab-org/gitlab-query-language/glql-rust/-/merge_requests/81) in GitLab 17.8.
+
+{{< /history >}}
+
+**Description**: Query merge requests by the date when they were deployed.
+
 **Field name**: `deployed`
 
 **Allowed operators**: `=`, `>`, `<`
@@ -408,6 +449,14 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Draft
 
+{{< history >}}
+
+- [Introduced](https://gitlab.com/gitlab-org/gitlab-query-language/glql-rust/-/merge_requests/81) in GitLab 17.8.
+
+{{< /history >}}
+
+**Description**: Query merge requests by their draft status.
+
 **Field name**: `draft`
 
 **Allowed operators**: `=`, `!=`
@@ -436,6 +485,8 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Due date
 
+**Description**: Query issues by the date when they are due.
+
 **Field name**: `due`
 
 **Allowed operators**: `=`, `>`, `<`
@@ -485,6 +536,14 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Environment
 
+{{< history >}}
+
+- [Introduced](https://gitlab.com/gitlab-org/gitlab-query-language/glql-rust/-/merge_requests/81) in GitLab 17.8.
+
+{{< /history >}}
+
+**Description**: Query merge requests by the environment to which they have been deployed.
+
 **Field name**: `environment`
 
 **Allowed operators**: `=`
@@ -505,6 +564,14 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Group
 
+{{< history >}}
+
+- [Changed](https://gitlab.com/gitlab-org/gitlab-query-language/glql-rust/-/merge_requests/106) in GitLab 17.10: Group queries no longer search the entire hierarchy by default.
+
+{{< /history >}}
+
+**Description**: Query issues or merge requests within all projects in a given group.
+
 **Field name**: `group`
 
 **Allowed operators**: `=`
@@ -526,6 +593,8 @@ This page lists fields available to use as filters when querying issues or work
 - If omitted when using inside a GLQL view in a group object (like an epic), `group` is assumed to
   be the current group.
 - Using the `group` field queries all objects in that group, all its subgroups, and child projects.
+- By default, issues or merge requests are searched only in direct descendant projects in a group.
+  To query in the entire hierarchy of a project use the [`includeSubgroups` field](#include-subgroups).
 
 **Examples**:
 
@@ -543,6 +612,8 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Health status
 
+**Description**: Query issues by their health status.
+
 **Field name**: `health`
 
 **Allowed operators**: `=`
@@ -575,6 +646,14 @@ This page lists fields available to use as filters when querying issues or work
 
 ## ID
 
+{{< history >}}
+
+- [Introduced](https://gitlab.com/gitlab-org/gitlab-query-language/glql-rust/-/merge_requests/92) in GitLab 17.8.
+
+{{< /history >}}
+
+**Description**: Query issues or merge requests by their IDs.
+
 **Field name**: `id`
 
 **Allowed operators**: `=`, `in`
@@ -612,8 +691,62 @@ This page lists fields available to use as filters when querying issues or work
   type = MergeRequest and id in (1, 2, 3)
   ```
 
+## Include subgroups
+
+{{< history >}}
+
+- [Introduced](https://gitlab.com/gitlab-org/gitlab-query-language/glql-rust/-/merge_requests/106) in GitLab 17.10.
+
+{{< /history >}}
+
+**Description**: Query within the entire hierarchy of a group.
+
+**Field name**: `includeSubgroups`
+
+**Allowed operators**: `=`, `!=`
+
+**Allowed value types**:
+
+- `Boolean` (either of `true` or `false`)
+
+**Allowed in columns of a GLQL view**: Yes
+
+**Supported for object types**:
+
+- `Issue`
+- Work item types like `Task` or `Objective`
+- `MergeRequest`
+
+**Additional details**:
+
+- This field can only be used with the `group` field.
+- The value of this field defaults to `false`.
+
+**Examples**:
+
+- List issues in any project that is a direct child of the `gitlab-org` group:
+
+  ```plaintext
+  group = "gitlab-org" and includeSubgroups = false
+  ```
+
+- List issues in any project within the entire hierarchy of the `gitlab-org` group:
+
+  ```plaintext
+  group = "gitlab-org" and includeSubgroups = true
+  ```
+
 ## Iteration
 
+{{< history >}}
+
+- [Introduced](https://gitlab.com/gitlab-org/gitlab-query-language/glql-haskell/-/issues/74) in GitLab 17.6.
+- Support for iteration value types [introduced](https://gitlab.com/gitlab-org/gitlab-query-language/glql-rust/-/merge_requests/79) in GitLab 17.8.
+
+{{< /history >}}
+
+**Description**: Query issues by their associated [iteration](../group/iterations/_index.md).
+
 **Field name**: `iteration`
 
 **Allowed operators**: `=`, `in`, `!=`
@@ -672,6 +805,14 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Labels
 
+{{< history >}}
+
+- Support for label value types [introduced](https://gitlab.com/gitlab-org/gitlab-query-language/glql-rust/-/merge_requests/79) in GitLab 17.8.
+
+{{< /history >}}
+
+**Description**: Query issues or merge requests by their associated labels.
+
 **Field name**: `label`
 
 **Allowed operators**: `=`, `in`, `!=`
@@ -742,6 +883,14 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Merged at
 
+{{< history >}}
+
+- [Introduced](https://gitlab.com/gitlab-org/gitlab-query-language/glql-rust/-/merge_requests/81) in GitLab 17.8.
+
+{{< /history >}}
+
+**Description**: Query merge requests by the date when they were merged.
+
 **Field name**: `merged`
 
 **Allowed operators**: `=`, `>`, `<`
@@ -776,6 +925,14 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Merged by user
 
+{{< history >}}
+
+- [Introduced](https://gitlab.com/gitlab-org/gitlab-query-language/glql-rust/-/merge_requests/81) in GitLab 17.8.
+
+{{< /history >}}
+
+**Description**: Query merge requests by the user that merged the merge request.
+
 **Field name**: `merger`
 
 **Allowed operators**: `=`
@@ -801,6 +958,14 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Milestone
 
+{{< history >}}
+
+- Support for milestone value types [introduced](https://gitlab.com/gitlab-org/gitlab-query-language/glql-rust/-/merge_requests/77) in GitLab 17.8.
+
+{{< /history >}}
+
+**Description**: Query issues or merge requests by their associated milestone.
+
 **Field name**: `milestone`
 
 **Allowed operators**: `=`, `in`, `!=`
@@ -860,6 +1025,8 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Project
 
+**Description**: Query issues or merge requests within a particular project.
+
 **Field name**: `project`
 
 **Allowed operators**: `=`
@@ -890,6 +1057,8 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Reviewers
 
+**Description**: Query merge requests that were reviewed by one or more users.
+
 **Field name**: `reviewer`
 
 **Allowed operators**: `=`, `!=`
@@ -915,6 +1084,14 @@ This page lists fields available to use as filters when querying issues or work
 
 ## State
 
+{{< history >}}
+
+- [Introduced](https://gitlab.com/gitlab-org/gitlab-query-language/glql-rust/-/merge_requests/96) in GitLab 17.8.
+
+{{< /history >}}
+
+**Description**: The state of this issue or merge request.
+
 **Field name**: `state`
 
 **Allowed operators**: `=`
@@ -965,6 +1142,8 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Updated at
 
+**Description**: Query issues or merge requests by when they were last updated.
+
 **Field name**: `updated`
 
 **Allowed operators**: `=`, `>`, `<`
@@ -1009,6 +1188,8 @@ This page lists fields available to use as filters when querying issues or work
 
 ## Weight
 
+**Description**: Query issues by their weight.
+
 **Field name**: `weight`
 
 **Allowed operators**: `=`, `!=`
diff --git a/doc/user/profile/account/create_accounts.md b/doc/user/profile/account/create_accounts.md
index c9fc9891ed9..d28a1c673e0 100644
--- a/doc/user/profile/account/create_accounts.md
+++ b/doc/user/profile/account/create_accounts.md
@@ -13,14 +13,20 @@ title: Create users
 
 {{< /details >}}
 
+User accounts form the foundation of GitLab collaboration. Every person who needs access to your GitLab
+projects requires an account. User accounts control access permissions, track contributions, and maintain
+security across your instance.
+
 You can create user accounts in GitLab in different ways:
 
-- Direct users to create their own account.
-- Create accounts for other users manually.
-- Configure authentication integrations.
-- Create users through the Rails console.
+- Self-registration for teams who value autonomy
+- Admin-driven creation for controlled onboarding
+- Authentication integration for enterprise environments
+- Console access for automation and bulk operations
 
-If you want to automate user creation, you should use the [users API endpoint](../../../api/users.md#create-a-user).
+You can also use the [users API endpoint](../../../api/users.md#create-a-user) to automatically create users.
+
+Choose the right method based on your organization's size, security requirements, and workflows.
 
 ## Create users on sign-in page
 
diff --git a/lib/bulk_imports/ndjson_pipeline.rb b/lib/bulk_imports/ndjson_pipeline.rb
index 13602225888..122ad48db1f 100644
--- a/lib/bulk_imports/ndjson_pipeline.rb
+++ b/lib/bulk_imports/ndjson_pipeline.rb
@@ -93,7 +93,7 @@ module BulkImports
             if sub_relation.is_a?(Array)
               sub_relation
                 .map { |entry| deep_transform_relation!(entry, sub_relation_key, sub_relation_definition, &block) }
-                .tap { |entry| entry.compact! }
+                .tap(&:compact!)
                 .presence
             else
               deep_transform_relation!(sub_relation, sub_relation_key, sub_relation_definition, &block)
diff --git a/lib/container_registry/client.rb b/lib/container_registry/client.rb
index 4dd262a6bf7..0dd2d73a7a5 100644
--- a/lib/container_registry/client.rb
+++ b/lib/container_registry/client.rb
@@ -30,15 +30,11 @@ module ContainerRegistry
     }.freeze
 
     def self.supports_tag_delete?
-      with_dummy_client(return_value_if_disabled: false) do |client|
-        client.supports_tag_delete?
-      end
+      with_dummy_client(return_value_if_disabled: false, &:supports_tag_delete?)
     end
 
     def self.registry_info
-      with_dummy_client do |client|
-        client.registry_info
-      end
+      with_dummy_client(&:registry_info)
     end
 
     def registry_info
diff --git a/lib/container_registry/gitlab_api_client.rb b/lib/container_registry/gitlab_api_client.rb
index a63ae822e9c..690732178e9 100644
--- a/lib/container_registry/gitlab_api_client.rb
+++ b/lib/container_registry/gitlab_api_client.rb
@@ -27,9 +27,7 @@ module ContainerRegistry
     UnsuccessfulResponseError = Class.new(StandardError)
 
     def self.supports_gitlab_api?
-      with_dummy_client(return_value_if_disabled: false) do |client|
-        client.supports_gitlab_api?
-      end
+      with_dummy_client(return_value_if_disabled: false, &:supports_gitlab_api?)
     end
 
     def self.deduplicated_size(path)
diff --git a/lib/gitlab/analytics/cycle_analytics/stage_events.rb b/lib/gitlab/analytics/cycle_analytics/stage_events.rb
index 9ac433944a8..c286d4e8d55 100644
--- a/lib/gitlab/analytics/cycle_analytics/stage_events.rb
+++ b/lib/gitlab/analytics/cycle_analytics/stage_events.rb
@@ -61,7 +61,7 @@ module Gitlab
 
         # hash for defining ActiveRecord enum: identifier => number
         def self.to_enum
-          enum_mapping.transform_keys { |k| k.identifier }
+          enum_mapping.transform_keys(&:identifier)
         end
 
         def self.pairing_rules
diff --git a/lib/gitlab/diff/viewer_hunk.rb b/lib/gitlab/diff/viewer_hunk.rb
index 07ecac2d830..a952bdbe7d7 100644
--- a/lib/gitlab/diff/viewer_hunk.rb
+++ b/lib/gitlab/diff/viewer_hunk.rb
@@ -110,7 +110,7 @@ module Gitlab
       end
 
       def expand_directions
-        return [:both] if (1...MAX_EXPANDABLE_LINES).cover?(line_count_between)
+        return [:both] if (1..MAX_EXPANDABLE_LINES).cover?(line_count_between)
 
         directions = []
         directions << :down if @previous_line_pos&.positive?
@@ -123,7 +123,8 @@ module Gitlab
       def line_count_between
         return 0 if invalid_pos?(@previous_line_pos) || invalid_pos?(@next_line_pos)
 
-        @next_line_pos - @previous_line_pos
+        # 1..3 -> lines in between: 1
+        @next_line_pos - @previous_line_pos - 1
       end
 
       def invalid_pos?(pos)
diff --git a/lib/gitlab/tracking/destinations/snowplow.rb b/lib/gitlab/tracking/destinations/snowplow.rb
index d2d099ef9cd..9dca183193c 100644
--- a/lib/gitlab/tracking/destinations/snowplow.rb
+++ b/lib/gitlab/tracking/destinations/snowplow.rb
@@ -33,6 +33,12 @@ module Gitlab
           increment_total_events_counter
         end
 
+        def emit_event_payload(payload)
+          # Using #input as the tracker doesn't have an option to track using a json object
+          # https://snowplow.github.io/snowplow-ruby-tracker/SnowplowTracker/Emitter.html#input-instance_method
+          emitter.input(payload)
+        end
+
         def options(group)
           additional_features = Feature.enabled?(:additional_snowplow_tracking, group, type: :ops)
           {
@@ -77,7 +83,14 @@ module Gitlab
         end
 
         def emitter
-          emitter_options = {
+          @emitter ||= SnowplowTracker::AsyncEmitter.new(
+            endpoint: hostname,
+            options: emitter_options
+          )
+        end
+
+        def emitter_options
+          options = {
             protocol: protocol,
             on_success: method(:increment_successful_events_emissions),
             on_failure: method(:failure_callback)
@@ -86,15 +99,12 @@ module Gitlab
           if Feature.enabled?(:snowplow_tracking_post_method, :instance, type: :gitlab_com_derisk)
             # By default, Snowplow uses `get` method with buffer_size set to `1`.
             # However, setting method to `post` changes default buffer_size to `10`
-            emitter_options[:method] = 'post'
+            options[:method] = 'post'
             buffer_size = Feature.enabled?(:snowplow_buffer_events, :instance, type: :gitlab_com_derisk) ? 10 : 1
-            emitter_options[:buffer_size] = buffer_size
+            options[:buffer_size] = buffer_size
           end
 
-          SnowplowTracker::AsyncEmitter.new(
-            endpoint: hostname,
-            options: emitter_options
-          )
+          options
         end
 
         def failure_callback(success_count, failures)
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 6bf076b32c3..3cf934dca48 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -13579,6 +13579,12 @@ msgstr ""
 msgid "ClusterIntegration|Advanced options on this Kubernetes cluster’s integration"
 msgstr ""
 
+msgid "ClusterIntegration|Agent name"
+msgstr ""
+
+msgid "ClusterIntegration|Agent setup failed"
+msgstr ""
+
 msgid "ClusterIntegration|Allow GitLab to manage namespaces and service accounts for this cluster."
 msgstr ""
 
@@ -13657,6 +13663,9 @@ msgstr ""
 msgid "ClusterIntegration|Create a Kubernetes cluster"
 msgstr ""
 
+msgid "ClusterIntegration|Create agent and migrate"
+msgstr ""
+
 msgid "ClusterIntegration|Deploy each environment to its own namespace. Otherwise, environments within a project share a project-wide namespace. Note that anyone who can trigger a deployment of a namespace can read its secrets. If modified, existing environments will use their current namespaces until the cluster cache is cleared."
 msgstr ""
 
@@ -13672,6 +13681,9 @@ msgstr ""
 msgid "ClusterIntegration|Enable this setting if using role-based access control (RBAC)."
 msgstr ""
 
+msgid "ClusterIntegration|Enter a unique name for your new GitLab Agent. This name will be used to identify the agent in your project."
+msgstr ""
+
 msgid "ClusterIntegration|Enter details about your cluster. %{linkStart}How do I use a certificate to connect to my cluster?%{linkEnd}"
 msgstr ""
 
@@ -13714,10 +13726,13 @@ msgstr ""
 msgid "ClusterIntegration|HTTP Error"
 msgstr ""
 
+msgid "ClusterIntegration|How do I migrate to the GitLab agent?"
+msgstr ""
+
 msgid "ClusterIntegration|If you do not wish to delete all associated GitLab resources, you can simply remove the integration."
 msgstr ""
 
-msgid "ClusterIntegration|Install agent"
+msgid "ClusterIntegration|Installing agent in progress."
 msgstr ""
 
 msgid "ClusterIntegration|Instance cluster"
@@ -13729,6 +13744,9 @@ msgstr ""
 msgid "ClusterIntegration|Integration enabled"
 msgstr ""
 
+msgid "ClusterIntegration|Invalid configuration project"
+msgstr ""
+
 msgid "ClusterIntegration|Kubernetes cluster is being created..."
 msgstr ""
 
@@ -13747,6 +13765,9 @@ msgstr ""
 msgid "ClusterIntegration|Learn more about instance Kubernetes clusters"
 msgstr ""
 
+msgid "ClusterIntegration|Learn more about migrating to GitLab Agent"
+msgstr ""
+
 msgid "ClusterIntegration|Make sure your API endpoint is correct"
 msgstr ""
 
@@ -13756,10 +13777,7 @@ msgstr ""
 msgid "ClusterIntegration|Migrate"
 msgstr ""
 
-msgid "ClusterIntegration|Migrate this cluster to use the GitLab agent for Kubernetes"
-msgstr ""
-
-msgid "ClusterIntegration|Migrate to the GitLab agent for Kubernetes"
+msgid "ClusterIntegration|Migrate to GitLab Agent for Kubernetes"
 msgstr ""
 
 msgid "ClusterIntegration|Migrating cluster - failed: \"%{error}\""
@@ -13771,12 +13789,18 @@ msgstr ""
 msgid "ClusterIntegration|Namespace per environment"
 msgstr ""
 
+msgid "ClusterIntegration|New agent name"
+msgstr ""
+
 msgid "ClusterIntegration|Node calculations use the Kubernetes Metrics API. Make sure your cluster has metrics installed"
 msgstr ""
 
 msgid "ClusterIntegration|Project cluster"
 msgstr ""
 
+msgid "ClusterIntegration|Project name"
+msgstr ""
+
 msgid "ClusterIntegration|Project namespace (optional, unique)"
 msgstr ""
 
@@ -13813,6 +13837,9 @@ msgstr ""
 msgid "ClusterIntegration|See and edit the details for your Kubernetes cluster"
 msgstr ""
 
+msgid "ClusterIntegration|Select a project for the GitLab Agent."
+msgstr ""
+
 msgid "ClusterIntegration|Service Token"
 msgstr ""
 
@@ -13831,12 +13858,24 @@ msgstr ""
 msgid "ClusterIntegration|Specifying a domain will allow you to use Auto Review Apps and Auto Deploy stages for %{linkStart}Auto DevOps.%{linkEnd} The domain should have a wildcard DNS configured matching the domain. "
 msgstr ""
 
+msgid "ClusterIntegration|Step 1. Connect the agent"
+msgstr ""
+
+msgid "ClusterIntegration|The %{agent_docs_link_start}GitLab Agent for Kubernetes %{agent_docs_link_end} offers improved security, reliability, and functionality. Follow the steps below to create a new agent and migrate your existing certificate-based integration. The process is automated, but you still need to %{install_docs_link_start}install the agent%{install_docs_link_end} in your cluster."
+msgstr ""
+
 msgid "ClusterIntegration|The Kubernetes certificate used to authenticate to the cluster."
 msgstr ""
 
 msgid "ClusterIntegration|The URL used to access the Kubernetes API."
 msgstr ""
 
+msgid "ClusterIntegration|The agent connection is set up."
+msgstr ""
+
+msgid "ClusterIntegration|The agent was not installed in the cluster."
+msgstr ""
+
 msgid "ClusterIntegration|The certificate-based Kubernetes integration is deprecated and will be removed in the future. You should %{linkStart}migrate to the GitLab agent for Kubernetes%{linkEnd}. For more information, see the %{deprecationLinkStart}deprecation epic%{deprecationLinkEnd}, or contact GitLab support."
 msgstr ""
 
@@ -13855,9 +13894,6 @@ msgstr ""
 msgid "ClusterIntegration|There was an HTTP error when connecting to your cluster."
 msgstr ""
 
-msgid "ClusterIntegration|This cluster integration is deprecated. To continue using this Kubernetes cluster with GitLab, you must install the agent."
-msgstr ""
-
 msgid "ClusterIntegration|This is necessary if your integration has become out of sync. The cache is repopulated during the next CI job that requires namespace and service accounts."
 msgstr ""
 
@@ -61722,6 +61758,9 @@ msgstr ""
 msgid "Unauthenticated web rate limit period in seconds"
 msgstr ""
 
+msgid "Unauthorized"
+msgstr ""
+
 msgid "Unauthorized to access the cluster agent in this project"
 msgstr ""
 
diff --git a/scripts/database/query_analyzers.rb b/scripts/database/query_analyzers.rb
index 89eae5e6f2c..012cba03120 100644
--- a/scripts/database/query_analyzers.rb
+++ b/scripts/database/query_analyzers.rb
@@ -2,7 +2,7 @@
 
 require 'yaml'
 
-class Database
+module Database
   class QueryAnalyzers
     attr_reader :analyzers
 
diff --git a/scripts/database/query_analyzers.yml b/scripts/database/query_analyzers.yml
index 8f87d96500d..e61e6f57f47 100644
--- a/scripts/database/query_analyzers.yml
+++ b/scripts/database/query_analyzers.yml
@@ -9,3 +9,5 @@ MultiplePartitionScanDetector:
     # These fingerprints can be found in the auto_explain pipeline artifacts.
     # Example:
     # - c2cfe803a497101b
+JSONBScanDetector:
+  todos:
diff --git a/scripts/database/query_analyzers/base.rb b/scripts/database/query_analyzers/base.rb
index e56a61b3c39..4cbb089e856 100644
--- a/scripts/database/query_analyzers/base.rb
+++ b/scripts/database/query_analyzers/base.rb
@@ -3,7 +3,7 @@
 require 'json'
 require 'zlib'
 
-class Database
+module Database
   class QueryAnalyzers
     class Base
       attr_accessor :output
diff --git a/scripts/database/query_analyzers/jsonb_scan_detector.rb b/scripts/database/query_analyzers/jsonb_scan_detector.rb
new file mode 100644
index 00000000000..b94168334eb
--- /dev/null
+++ b/scripts/database/query_analyzers/jsonb_scan_detector.rb
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require_relative 'base'
+
+module Database
+  class QueryAnalyzers
+    class JSONBScanDetector < Database::QueryAnalyzers::Base
+      JSONB_MATCH_OPERATOR_EXPRESSION = /<@|@>/
+
+      def initialize(*args)
+        super
+        output[:bad_queries] = []
+      end
+
+      def analyze(query)
+        super
+        return if config['todos']&.include?(query['fingerprint'])
+
+        output[:bad_queries] << query if has_operator_in_where?(query['query'])
+      end
+
+      def save!
+        return if output[:bad_queries].empty?
+
+        Zlib::GzipWriter.open(output_path("jsonb_column_scans.ndjson")) do |file|
+          output[:bad_queries].each do |query|
+            file.puts(JSON.generate(query))
+          end
+        end
+      end
+
+      private
+
+      def has_operator_in_where?(query)
+        return false unless query.match?(JSONB_MATCH_OPERATOR_EXPRESSION)
+
+        clauses = query.split(/\sWHERE\s|\sJOIN\s/)
+        return false if clauses.length < 2
+
+        clauses[1..].each do |c|
+          return true if c.include?('::jsonb')
+        end
+      end
+    end
+  end
+end
diff --git a/scripts/database/query_analyzers/multiple_partition_scan_detector.rb b/scripts/database/query_analyzers/multiple_partition_scan_detector.rb
index 1a1415dd8f2..b2e364be4bd 100644
--- a/scripts/database/query_analyzers/multiple_partition_scan_detector.rb
+++ b/scripts/database/query_analyzers/multiple_partition_scan_detector.rb
@@ -2,7 +2,7 @@
 
 require_relative 'base'
 
-class Database
+module Database
   class QueryAnalyzers
     class MultiplePartitionScanDetector < Database::QueryAnalyzers::Base
       def analyze(query)
diff --git a/spec/components/rapid_diffs/diff_file_component_spec.rb b/spec/components/rapid_diffs/diff_file_component_spec.rb
index 81ef7e5fe3f..656f70f54cb 100644
--- a/spec/components/rapid_diffs/diff_file_component_spec.rb
+++ b/spec/components/rapid_diffs/diff_file_component_spec.rb
@@ -17,8 +17,8 @@ RSpec.describe RapidDiffs::DiffFileComponent, type: :component, feature_category
 
   it "renders server data" do
     render_component
-    diff_path = "/#{namespace.to_param}/#{project.to_param}/-/blob/#{diff_file.content_sha}/#{diff_file.file_path}/diff"
-    expect(web_component['data-blob-diff-path']).to eq(diff_path)
+    diff_path = "/#{namespace.to_param}/#{project.to_param}/-/blob/#{diff_file.content_sha}/#{diff_file.file_path}"
+    expect(web_component['data-diff-lines-path']).to eq("#{diff_path}/diff_lines")
   end
 
   context "when is text diff" do
diff --git a/spec/components/rapid_diffs/viewers/text/expand_lines_component_spec.rb b/spec/components/rapid_diffs/viewers/text/expand_lines_component_spec.rb
index 3ff61165f4a..a5ee9d98462 100644
--- a/spec/components/rapid_diffs/viewers/text/expand_lines_component_spec.rb
+++ b/spec/components/rapid_diffs/viewers/text/expand_lines_component_spec.rb
@@ -6,21 +6,27 @@ RSpec.describe RapidDiffs::Viewers::Text::ExpandLinesComponent, type: :component
   it "renders expand up" do
     render_component([:up])
     expect(page).to have_selector('button svg use[href$="#expand-up"]')
+    expect(page).to have_selector('[data-expand-direction="up"]')
   end
 
   it "renders expand down" do
     render_component([:down])
     expect(page).to have_selector('button svg use[href$="#expand-down"]')
+    expect(page).to have_selector('[data-expand-direction="down"]')
   end
 
   it "renders expand up and down" do
     render_component([:down, :up])
+    expect(page).to have_selector('button svg use[href$="#expand-up"]')
     expect(page).to have_selector('button svg use[href$="#expand-down"]')
+    expect(page).to have_selector('[data-expand-direction="up"]')
+    expect(page).to have_selector('[data-expand-direction="down"]')
   end
 
   it "renders expand both" do
     render_component([:both])
     expect(page).to have_selector('button svg use[href$="#expand"]')
+    expect(page).to have_selector('[data-expand-direction="both"]')
   end
 
   def render_component(directions)
diff --git a/spec/components/rapid_diffs/viewers/text/inline_hunk_component_spec.rb b/spec/components/rapid_diffs/viewers/text/inline_hunk_component_spec.rb
index 88463ac8ae2..60bc3753d5e 100644
--- a/spec/components/rapid_diffs/viewers/text/inline_hunk_component_spec.rb
+++ b/spec/components/rapid_diffs/viewers/text/inline_hunk_component_spec.rb
@@ -90,6 +90,16 @@ RSpec.describe RapidDiffs::Viewers::Text::InlineHunkComponent, type: :component,
     expect(page).to have_selector('button svg use[href$="#expand"]')
   end
 
+  it "renders testid" do
+    render_component
+    expect(page).to have_selector("[data-testid='hunk-lines-inline']")
+  end
+
+  it "renders data-hunk-lines" do
+    render_component
+    expect(page).to have_selector("[data-hunk-lines]")
+  end
+
   def render_component(diff_hunk = hunk)
     render_inline(
       described_class.new(
@@ -99,9 +109,4 @@ RSpec.describe RapidDiffs::Viewers::Text::InlineHunkComponent, type: :component,
       )
     )
   end
-
-  it "renders testid" do
-    render_component
-    expect(page).to have_selector("[data-testid='hunk-lines-inline']")
-  end
 end
diff --git a/spec/components/rapid_diffs/viewers/text/line_number_component_spec.rb b/spec/components/rapid_diffs/viewers/text/line_number_component_spec.rb
index b74322098d1..2815ca290fc 100644
--- a/spec/components/rapid_diffs/viewers/text/line_number_component_spec.rb
+++ b/spec/components/rapid_diffs/viewers/text/line_number_component_spec.rb
@@ -33,6 +33,7 @@ RSpec.describe RapidDiffs::Viewers::Text::LineNumberComponent, type: :component,
     expect(link[:'data-line-number']).to eq(old_line.old_pos.to_s)
     expect(td[:id]).to eq(old_line.id(diff_file.file_hash, :old))
     expect(td[:'data-legacy-id']).to eq(diff_file.line_code(old_line))
+    expect(page).to have_selector('[data-position="old"]')
   end
 
   it "renders link for added line on right side" do
@@ -41,6 +42,7 @@ RSpec.describe RapidDiffs::Viewers::Text::LineNumberComponent, type: :component,
     expect(link[:'data-line-number']).to eq(new_line.new_pos.to_s)
     expect(td[:id]).to eq(new_line.id(diff_file.file_hash, :new))
     expect(td[:'data-legacy-id']).to eq(diff_file.line_code(new_line))
+    expect(page).to have_selector('[data-position="new"]')
   end
 
   def render_component(line:, position: nil)
diff --git a/spec/components/rapid_diffs/viewers/text/parallel_hunk_component_spec.rb b/spec/components/rapid_diffs/viewers/text/parallel_hunk_component_spec.rb
index 0a6ec452f37..c637e30745b 100644
--- a/spec/components/rapid_diffs/viewers/text/parallel_hunk_component_spec.rb
+++ b/spec/components/rapid_diffs/viewers/text/parallel_hunk_component_spec.rb
@@ -90,6 +90,16 @@ RSpec.describe RapidDiffs::Viewers::Text::ParallelHunkComponent, type: :componen
     expect(page).to have_selector('button svg use[href$="#expand"]')
   end
 
+  it "renders testid" do
+    render_component
+    expect(page).to have_selector("[data-testid='hunk-lines-parallel']")
+  end
+
+  it "renders data-hunk-lines" do
+    render_component
+    expect(page).to have_selector("[data-hunk-lines]")
+  end
+
   def render_component(diff_hunk = hunk)
     render_inline(
       described_class.new(
@@ -99,9 +109,4 @@ RSpec.describe RapidDiffs::Viewers::Text::ParallelHunkComponent, type: :componen
       )
     )
   end
-
-  it "renders testid" do
-    render_component
-    expect(page).to have_selector("[data-testid='hunk-lines-parallel']")
-  end
 end
diff --git a/spec/controllers/admin/clusters_controller_spec.rb b/spec/controllers/admin/clusters_controller_spec.rb
index c4c4564fff2..7706f1515f2 100644
--- a/spec/controllers/admin/clusters_controller_spec.rb
+++ b/spec/controllers/admin/clusters_controller_spec.rb
@@ -212,7 +212,10 @@ RSpec.describe Admin::ClustersController, feature_category: :deployment_manageme
     def go
       post :migrate,
         params: {
-          configuration_project_id: configuration_project.id,
+          cluster_migration: {
+            configuration_project_id: configuration_project.id,
+            agent_name: 'new-agent'
+          },
           id: cluster
         }
     end
@@ -226,6 +229,7 @@ RSpec.describe Admin::ClustersController, feature_category: :deployment_manageme
         Clusters::Migration::CreateService,
         an_object_having_attributes(class: cluster.class, id: cluster.id),
         current_user: admin,
+        agent_name: 'new-agent',
         configuration_project_id: configuration_project.id.to_s
       ) do |service|
         expect(service).to receive(:execute).and_call_original
diff --git a/spec/controllers/event_forward/logger_spec.rb b/spec/controllers/event_forward/logger_spec.rb
new file mode 100644
index 00000000000..bffb20bc7a7
--- /dev/null
+++ b/spec/controllers/event_forward/logger_spec.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe EventForward::Logger, feature_category: :product_analytics do
+  subject(:logger) { described_class.new('/dev/null') }
+
+  it_behaves_like 'a json logger', {}
+
+  describe '#file_name_noext' do
+    it 'returns log file name without extension' do
+      expect(described_class.file_name_noext).to eq('event_collection')
+    end
+  end
+end
diff --git a/spec/controllers/groups/clusters_controller_spec.rb b/spec/controllers/groups/clusters_controller_spec.rb
index a5579855958..12c7354d2a5 100644
--- a/spec/controllers/groups/clusters_controller_spec.rb
+++ b/spec/controllers/groups/clusters_controller_spec.rb
@@ -257,8 +257,11 @@ RSpec.describe Groups::ClustersController, feature_category: :deployment_managem
     def go
       post :migrate,
         params: {
+          cluster_migration: {
+            configuration_project_id: configuration_project.id,
+            agent_name: 'new-agent'
+          },
           group_id: group,
-          configuration_project_id: configuration_project.id,
           id: cluster
         }
     end
@@ -272,6 +275,7 @@ RSpec.describe Groups::ClustersController, feature_category: :deployment_managem
         Clusters::Migration::CreateService,
         an_object_having_attributes(class: cluster.class, id: cluster.id),
         current_user: user,
+        agent_name: 'new-agent',
         configuration_project_id: configuration_project.id.to_s
       ) do |service|
         expect(service).to receive(:execute).and_call_original
@@ -300,6 +304,7 @@ RSpec.describe Groups::ClustersController, feature_category: :deployment_managem
 
     describe 'security' do
       it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
+
       it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
       it { expect { go }.to be_allowed_for(:owner).of(group) }
       it { expect { go }.to be_allowed_for(:maintainer).of(group) }
diff --git a/spec/controllers/projects/clusters_controller_spec.rb b/spec/controllers/projects/clusters_controller_spec.rb
index 338080bc1d2..43b251fabdc 100644
--- a/spec/controllers/projects/clusters_controller_spec.rb
+++ b/spec/controllers/projects/clusters_controller_spec.rb
@@ -278,9 +278,12 @@ RSpec.describe Projects::ClustersController, feature_category: :deployment_manag
     def go
       post :migrate,
         params: {
+          cluster_migration: {
+            configuration_project_id: project.id,
+            agent_name: 'new-agent'
+          },
           namespace_id: project.namespace,
           project_id: project,
-          configuration_project_id: project.id,
           id: cluster
         }
     end
@@ -294,6 +297,7 @@ RSpec.describe Projects::ClustersController, feature_category: :deployment_manag
         Clusters::Migration::CreateService,
         an_object_having_attributes(class: cluster.class, id: cluster.id),
         current_user: user,
+        agent_name: 'new-agent',
         configuration_project_id: project.id.to_s
       ) do |service|
         expect(service).to receive(:execute).and_call_original
@@ -322,6 +326,7 @@ RSpec.describe Projects::ClustersController, feature_category: :deployment_manag
 
     describe 'security' do
       it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
+
       it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
       it { expect { go }.to be_allowed_for(:owner).of(project) }
       it { expect { go }.to be_allowed_for(:maintainer).of(project) }
diff --git a/spec/factories/clusters/agent_migrations.rb b/spec/factories/clusters/agent_migrations.rb
index b34a7bfa801..92b6affc974 100644
--- a/spec/factories/clusters/agent_migrations.rb
+++ b/spec/factories/clusters/agent_migrations.rb
@@ -8,6 +8,7 @@ FactoryBot.define do
 
     before(:create) do |migration|
       migration.project = migration.agent.project
+      migration.agent_name = migration.agent.name
     end
 
     agent_install_status { :pending }
diff --git a/spec/features/clusters/cluster_detail_page_spec.rb b/spec/features/clusters/cluster_detail_page_spec.rb
index 78ac752a375..0e837443226 100644
--- a/spec/features/clusters/cluster_detail_page_spec.rb
+++ b/spec/features/clusters/cluster_detail_page_spec.rb
@@ -99,10 +99,79 @@ RSpec.describe 'Clusterable > Show page', feature_category: :deployment_manageme
     end
   end
 
+  shared_examples 'migration tab' do
+    describe 'migration tab' do
+      before do
+        stub_feature_flags(cluster_agent_migrations: true)
+        visit cluster_path
+        click_link 'Migrate'
+      end
+
+      it 'shows the migration form when no agent exists' do
+        expect(page).to have_content('Migrate to GitLab Agent for Kubernetes')
+        expect(page).to have_selector('.js-vue-project-select')
+        expect(page).to have_field('Agent name')
+        expect(page).to have_button('Create agent and migrate')
+      end
+
+      context 'when agent exists' do
+        let!(:agent) { create(:cluster_agent) }
+        let!(:cluster_migration) do
+          create(:cluster_agent_migration, cluster: cluster, agent: agent, agent_install_status: :success)
+        end
+
+        before do
+          visit cluster_path
+          click_link 'Migrate'
+        end
+
+        it 'shows agent information' do
+          expect(page).to have_content('The agent connection is set up')
+          expect(page).to have_content("#{agent.name}##{agent.id}")
+          expect(page).to have_content(cluster_migration.project.full_name)
+        end
+      end
+
+      context 'with different installation states' do
+        let!(:cluster_migration) { create(:cluster_agent_migration, cluster: cluster) }
+
+        it 'shows in_progress state' do
+          cluster_migration.update!(agent_install_status: :in_progress)
+          visit cluster_path
+          click_link 'Migrate'
+
+          expect(page).to have_content('Installing agent in progress')
+        end
+
+        it 'shows error state' do
+          cluster_migration.update!(agent_install_status: :error, agent_install_message: 'Failed to install')
+          visit cluster_path
+          click_link 'Migrate'
+
+          expect(page).to have_content('Agent setup failed')
+          expect(page).to have_content('Failed to install')
+        end
+      end
+
+      describe 'creating an agent', :js do
+        it 'creates agent successfully' do
+          within_testid('cluster-migration-form') do
+            select_from_project_select
+            fill_in 'Agent name', with: 'test-agent'
+            click_button 'Create agent and migrate'
+          end
+
+          expect(page).to have_content('Migrating cluster - initiated')
+        end
+      end
+    end
+  end
+
   context 'when clusterable is a project' do
     let(:clusterable) { create(:project) }
     let(:cluster_path) { project_cluster_path(clusterable, cluster) }
     let(:cluster) { create(:cluster, :provided_by_gcp, :project, projects: [clusterable]) }
+    let!(:configuration_project) { clusterable }
 
     before do
       clusterable.add_maintainer(current_user)
@@ -117,12 +186,15 @@ RSpec.describe 'Clusterable > Show page', feature_category: :deployment_manageme
     it_behaves_like 'editing a user-provided cluster' do
       let(:cluster) { create(:cluster, :provided_by_user, :project, projects: [clusterable]) }
     end
+
+    it_behaves_like 'migration tab'
   end
 
   context 'when clusterable is a group' do
     let(:clusterable) { create(:group) }
     let(:cluster_path) { group_cluster_path(clusterable, cluster) }
     let(:cluster) { create(:cluster, :provided_by_gcp, :group, groups: [clusterable]) }
+    let!(:configuration_project) { create(:project, group: clusterable) }
 
     before do
       clusterable.add_maintainer(current_user)
@@ -137,15 +209,20 @@ RSpec.describe 'Clusterable > Show page', feature_category: :deployment_manageme
     it_behaves_like 'editing a user-provided cluster' do
       let(:cluster) { create(:cluster, :provided_by_user, :group, groups: [clusterable]) }
     end
+
+    it_behaves_like 'migration tab'
   end
 
   context 'when clusterable is an instance' do
     let(:current_user) { create(:admin) }
     let(:cluster_path) { admin_cluster_path(cluster) }
     let(:cluster) { create(:cluster, :provided_by_gcp, :instance) }
+    let!(:configuration_project) { create(:project) }
 
     before do
       enable_admin_mode!(current_user)
+      configuration_project.add_owner(current_user)
+      enable_admin_mode!(current_user)
     end
 
     it_behaves_like 'show page' do
@@ -157,6 +234,8 @@ RSpec.describe 'Clusterable > Show page', feature_category: :deployment_manageme
     it_behaves_like 'editing a user-provided cluster' do
       let(:cluster) { create(:cluster, :provided_by_user, :instance) }
     end
+
+    it_behaves_like 'migration tab'
   end
 
   private
@@ -168,4 +247,10 @@ RSpec.describe 'Clusterable > Show page', feature_category: :deployment_manageme
       expect(page).to have_content('Remove Kubernetes cluster integration')
     end
   end
+
+  def select_from_project_select
+    click_button('Search for project')
+    wait_for_requests
+    find('.gl-new-dropdown-item').click
+  end
 end
diff --git a/spec/frontend/content_editor/services/serializer/image_spec.js b/spec/frontend/content_editor/services/serializer/image_spec.js
index 32310ff265d..a1031d92953 100644
--- a/spec/frontend/content_editor/services/serializer/image_spec.js
+++ b/spec/frontend/content_editor/services/serializer/image_spec.js
@@ -28,6 +28,14 @@ it.each`
   },
 );
 
+it('correctly escapes image links', () => {
+  // no double slashes
+  expect(serialize(paragraph(image({ src: 'gitlab\\', alt: 'x' })))).toBe('![x](gitlab\\)');
+
+  expect(serialize(paragraph(image({ src: 'foo):', alt: 'x' })))).toBe('![x](foo\\):)');
+  expect(serialize(paragraph(image({ src: '(foo', alt: 'x' })))).toBe('![x](\\(foo)');
+});
+
 it('does not serialize an image when src and canonicalSrc are empty', () => {
   expect(serialize(paragraph(image({})))).toBe('');
 });
diff --git a/spec/frontend/content_editor/services/serializer/link_spec.js b/spec/frontend/content_editor/services/serializer/link_spec.js
index 8b811c9c06c..a8bdf21df19 100644
--- a/spec/frontend/content_editor/services/serializer/link_spec.js
+++ b/spec/frontend/content_editor/services/serializer/link_spec.js
@@ -20,6 +20,17 @@ it('correctly serializes a plain URL link', () => {
   );
 });
 
+it('correctly escapes URLs in links', () => {
+  // no double slashes
+  expect(serialize(paragraph(link({ href: 'gitlab\\' }, 'link')))).toBe('[link](gitlab\\)');
+
+  expect(serialize(paragraph(link({ href: 'foo):' }, 'link')))).toBe('[link](foo\\):)');
+  expect(serialize(paragraph(link({ href: '(foo' }, 'link')))).toBe('[link](\\(foo)');
+  expect(serialize(paragraph(link({ title: 'bar', href: 'foo%20"' }, 'link')))).toBe(
+    '[link](foo%20\\" "bar")',
+  );
+});
+
 it('correctly serializes a malformed URL-encoded link', () => {
   expect(
     serialize(
diff --git a/spec/frontend/popovers/index_spec.js b/spec/frontend/popovers/index_spec.js
index c82fe7b47d9..48727d2555e 100644
--- a/spec/frontend/popovers/index_spec.js
+++ b/spec/frontend/popovers/index_spec.js
@@ -36,6 +36,27 @@ describe('popovers/index.js', () => {
   });
 
   describe('initPopover', () => {
+    it('only initializes event listeners once', () => {
+      const addEventListenerSpy = jest.spyOn(document, 'addEventListener');
+
+      buildPopoversApp();
+      expect(addEventListenerSpy).toHaveBeenNthCalledWith(
+        1,
+        'mouseenter',
+        expect.any(Function),
+        true,
+      );
+      expect(addEventListenerSpy).toHaveBeenNthCalledWith(2, 'focus', expect.any(Function), true);
+      expect(addEventListenerSpy).toHaveBeenNthCalledWith(3, 'click', expect.any(Function), true);
+
+      addEventListenerSpy.mockClear();
+
+      buildPopoversApp();
+      expect(addEventListenerSpy).not.toHaveBeenCalled(); // Should not add listeners again
+
+      addEventListenerSpy.mockRestore();
+    });
+
     it('attaches a GlPopover for the elements specified in the selector', async () => {
       const target = createPopoverTarget();
 
diff --git a/spec/frontend/rapid_diffs/diff_file_spec.js b/spec/frontend/rapid_diffs/diff_file_spec.js
index 7e947f0cc3d..ce482aaa931 100644
--- a/spec/frontend/rapid_diffs/diff_file_spec.js
+++ b/spec/frontend/rapid_diffs/diff_file_spec.js
@@ -101,8 +101,9 @@ describe('DiffFile Web Component', () => {
 
     it('handles specific clicks', () => {
       triggerVisibility(true);
-      getDiffElement().querySelector('[data-click=foo]').click();
-      expect(adapter.clicks.foo).toHaveBeenCalledWith(expect.any(MouseEvent));
+      const clickTarget = getDiffElement().querySelector('[data-click=foo]');
+      clickTarget.click();
+      expect(adapter.clicks.foo).toHaveBeenCalledWith(expect.any(MouseEvent), clickTarget);
       expect(adapter.clicks.foo.mock.instances[0]).toStrictEqual(getContext());
     });
 
diff --git a/spec/frontend/rapid_diffs/expand_lines/adapter_spec.js b/spec/frontend/rapid_diffs/expand_lines/adapter_spec.js
new file mode 100644
index 00000000000..3231fcfe290
--- /dev/null
+++ b/spec/frontend/rapid_diffs/expand_lines/adapter_spec.js
@@ -0,0 +1,81 @@
+import { ExpandLinesAdapter } from '~/rapid_diffs/expand_lines/adapter';
+import { setHTMLFixture } from 'helpers/fixtures';
+import { getLines } from '~/rapid_diffs/expand_lines/get_lines';
+import { DiffLineRow } from '~/rapid_diffs/expand_lines/diff_line_row';
+
+jest.mock('~/rapid_diffs/expand_lines/get_lines');
+
+describe('ExpandLinesAdapter', () => {
+  const getExpandButton = () => document.querySelector('[data-click="expandLines"]');
+  const getResultingHtml = () => document.querySelector('#response');
+  const getSurroundingLines = () => [
+    new DiffLineRow(document.querySelector('[data-hunk-lines="1"]')),
+    new DiffLineRow(document.querySelector('[data-hunk-lines="2"]')),
+  ];
+  const getDiffFileContext = () => {
+    return { data: { diffLinesPath: '/lines' }, viewer: 'text_parallel' };
+  };
+
+  beforeEach(() => {
+    setHTMLFixture(`
+      <table>
+        <tbody>
+          <tr data-hunk-lines="1">
+            <td>
+            </td>
+          </tr>
+          <tr>
+            <td>
+              <button data-click="expandLines" data-expand-direction="up"></button>
+            </td>
+          </tr>
+          <tr data-hunk-lines="2">
+            <td>
+            </td>
+          </tr>
+        </tbody>
+      </table>
+    `);
+  });
+
+  it('expands lines', async () => {
+    getLines.mockResolvedValueOnce('<div id="response"></div>');
+    await ExpandLinesAdapter.clicks.expandLines.call(
+      getDiffFileContext(),
+      new MouseEvent('click'),
+      getExpandButton(),
+    );
+    expect(getLines).toHaveBeenCalledWith({
+      expandDirection: 'up',
+      surroundingLines: getSurroundingLines(),
+      diffLinesPath: '/lines',
+      view: 'parallel',
+    });
+    expect(getResultingHtml()).not.toBe(null);
+    expect(getExpandButton()).toBe(null);
+  });
+
+  it('prevents expansion while processing another expansion', () => {
+    let res;
+    getLines.mockImplementation(
+      jest.fn(
+        () =>
+          new Promise((resolve) => {
+            res = resolve;
+          }),
+      ),
+    );
+    ExpandLinesAdapter.clicks.expandLines.call(
+      getDiffFileContext(),
+      new MouseEvent('click'),
+      getExpandButton(),
+    );
+    ExpandLinesAdapter.clicks.expandLines.call(
+      getDiffFileContext(),
+      new MouseEvent('click'),
+      getExpandButton(),
+    );
+    expect(getLines).toHaveBeenCalledTimes(1);
+    res();
+  });
+});
diff --git a/spec/frontend/rapid_diffs/expand_lines/diff_line_row_spec.js b/spec/frontend/rapid_diffs/expand_lines/diff_line_row_spec.js
new file mode 100644
index 00000000000..3589b314356
--- /dev/null
+++ b/spec/frontend/rapid_diffs/expand_lines/diff_line_row_spec.js
@@ -0,0 +1,33 @@
+import { DiffLineRow } from '~/rapid_diffs/expand_lines/diff_line_row';
+import { setHTMLFixture } from 'helpers/fixtures';
+
+describe('DiffLineRow', () => {
+  const getRow = () => document.querySelector('tr');
+
+  beforeEach(() => {
+    setHTMLFixture(`
+      <table>
+        <tbody>
+          <tr>
+            <td>
+              <div data-position="old">
+                <div data-line-number="3"></div>
+              </div>
+              <div data-position="new">
+                <div data-line-number="4"></div>
+              </div>
+            </td>
+          </tr>
+        </tbody>
+      </table>
+    `);
+  });
+
+  it('#oldLineNumber', () => {
+    expect(new DiffLineRow(getRow()).oldLineNumber).toBe(3);
+  });
+
+  it('#newLineNumber', () => {
+    expect(new DiffLineRow(getRow()).newLineNumber).toBe(4);
+  });
+});
diff --git a/spec/frontend/rapid_diffs/expand_lines/get_lines_spec.js b/spec/frontend/rapid_diffs/expand_lines/get_lines_spec.js
new file mode 100644
index 00000000000..0cc1c2de0ca
--- /dev/null
+++ b/spec/frontend/rapid_diffs/expand_lines/get_lines_spec.js
@@ -0,0 +1,81 @@
+import MockAdapter from 'axios-mock-adapter';
+import axios from '~/lib/utils/axios_utils';
+import { HTTP_STATUS_OK } from '~/lib/utils/http_status';
+import { getLines } from '~/rapid_diffs/expand_lines/get_lines';
+
+describe('getLines', () => {
+  const diffLinesPath = '/lines';
+  const view = 'inline';
+  const surroundingLines = [
+    { newLineNumber: 10, oldLineNumber: 8 },
+    { newLineNumber: 20, oldLineNumber: 18 },
+  ];
+
+  it('sends correct params for up direction', async () => {
+    const mock = new MockAdapter(axios);
+    mock.onGet('/lines').reply((config) => {
+      expect(config.params).toEqual({
+        unfold: true,
+        since: 1,
+        to: 19,
+        closest_line_number: 10,
+        offset: 2,
+        bottom: false,
+        view: 'inline',
+      });
+      return [HTTP_STATUS_OK, []];
+    });
+
+    await getLines({
+      expandDirection: 'up',
+      surroundingLines,
+      diffLinesPath,
+      view,
+    });
+  });
+
+  it('sends correct params for down direction', async () => {
+    const mock = new MockAdapter(axios);
+    mock.onGet('/lines').reply((config) => {
+      expect(config.params).toEqual({
+        unfold: true,
+        since: 11,
+        to: 31,
+        closest_line_number: 20,
+        offset: 2,
+        bottom: true,
+        view: 'inline',
+      });
+      return [HTTP_STATUS_OK, []];
+    });
+
+    await getLines({
+      expandDirection: 'down',
+      surroundingLines,
+      diffLinesPath,
+      view,
+    });
+  });
+
+  it('sends correct params for both direction', async () => {
+    const mock = new MockAdapter(axios);
+    mock.onGet('/lines').reply((config) => {
+      expect(config.params).toEqual({
+        unfold: false,
+        since: 11,
+        to: 19,
+        bottom: false,
+        offset: 2,
+        view: 'inline',
+      });
+      return [HTTP_STATUS_OK, []];
+    });
+
+    await getLines({
+      expandDirection: 'both',
+      surroundingLines,
+      diffLinesPath,
+      view,
+    });
+  });
+});
diff --git a/spec/frontend/vue_shared/components/entity_select/project_select_spec.js b/spec/frontend/vue_shared/components/entity_select/project_select_spec.js
index 9113152c975..93bcb9a6dd7 100644
--- a/spec/frontend/vue_shared/components/entity_select/project_select_spec.js
+++ b/spec/frontend/vue_shared/components/entity_select/project_select_spec.js
@@ -24,6 +24,7 @@ describe('ProjectSelect', () => {
 
   // Props
   const label = 'label';
+  const description = 'description';
   const inputName = 'inputName';
   const inputId = 'inputId';
   const groupId = '22';
@@ -52,6 +53,7 @@ describe('ProjectSelect', () => {
     wrapper = mountExtended(ProjectSelect, {
       propsData: {
         label,
+        description,
         inputName,
         inputId,
         groupId,
@@ -97,6 +99,7 @@ describe('ProjectSelect', () => {
     it.each`
       prop                   | expectedValue
       ${'label'}             | ${label}
+      ${'description'}       | ${description}
       ${'inputName'}         | ${inputName}
       ${'inputId'}           | ${inputId}
       ${'defaultToggleText'} | ${PROJECT_TOGGLE_TEXT}
diff --git a/spec/frontend/work_items/components/shared/work_item_token_input_spec.js b/spec/frontend/work_items/components/shared/work_item_token_input_spec.js
index 57bb94c56cc..df8c5c2e367 100644
--- a/spec/frontend/work_items/components/shared/work_item_token_input_spec.js
+++ b/spec/frontend/work_items/components/shared/work_item_token_input_spec.js
@@ -1,7 +1,8 @@
 import Vue, { nextTick } from 'vue';
 import { GlTokenSelector, GlAlert } from '@gitlab/ui';
+import { escape } from 'lodash';
 import VueApollo from 'vue-apollo';
-import { shallowMountExtended } from 'helpers/vue_test_utils_helper';
+import { shallowMountExtended, mountExtended } from 'helpers/vue_test_utils_helper';
 import createMockApollo from 'helpers/mock_apollo_helper';
 import waitForPromises from 'helpers/wait_for_promises';
 import WorkItemTokenInput from '~/work_items/components/shared/work_item_token_input.vue';
@@ -158,6 +159,15 @@ describe('WorkItemTokenInput', () => {
     confidential: false,
     __typename: 'WorkItem',
   };
+
+  const mockWorkItemWithHTMLInput = {
+    id: 'gid://gitlab/WorkItem/459',
+    iid: 'Task 2 <svg><use href=#/></svg>',
+    title: 'Task 2 <svg><use href=#/></svg>',
+    confidential: false,
+    __typename: 'WorkItem',
+  };
+
   const groupSearchedWorkItemResolver = jest.fn().mockResolvedValue(
     searchWorkItemsResponse({
       workItems: [mockWorkItem],
@@ -176,6 +186,7 @@ describe('WorkItemTokenInput', () => {
   const workItemAncestorsQueryHandler = jest.fn().mockResolvedValue(workItemAncestorsQueryResponse);
 
   const createComponent = async ({
+    mountFn = shallowMountExtended,
     workItemsToAdd = [],
     parentConfidential = false,
     parentWorkItemId = WORK_ITEM_ID,
@@ -185,7 +196,7 @@ describe('WorkItemTokenInput', () => {
     workItemsResolver = searchWorkItemTextResolver,
     isGroup = false,
   } = {}) => {
-    wrapper = shallowMountExtended(WorkItemTokenInput, {
+    wrapper = mountFn(WorkItemTokenInput, {
       apolloProvider: createMockApollo([
         [projectWorkItemsQuery, workItemsResolver],
         [groupWorkItemsQuery, groupSearchedWorkItemResolver],
@@ -258,6 +269,24 @@ describe('WorkItemTokenInput', () => {
     expect(findTokenSelector().props('containerClass')).toBe('!gl-shadow-inner-1-red-500');
   });
 
+  it('renders the escaped dropdown items', async () => {
+    createComponent({
+      mountFn: mountExtended,
+      workItemsResolver: jest.fn().mockResolvedValue(
+        searchWorkItemsResponse({
+          workItems: [mockWorkItemWithHTMLInput],
+        }),
+      ),
+    });
+    findTokenSelector().vm.$emit('focus');
+    await waitForPromises();
+
+    const renderedContent = findTokenSelector().html();
+
+    expect(renderedContent).toContain(escape(mockWorkItemWithHTMLInput.title));
+    expect(renderedContent).toContain(escape(mockWorkItemWithHTMLInput.id));
+  });
+
   describe('when input data is provided', () => {
     const fillWorkItemInput = (input) => {
       findTokenSelector().vm.$emit('focus');
diff --git a/spec/graphql/resolvers/repositories/commit_resolver_spec.rb b/spec/graphql/resolvers/repositories/commit_resolver_spec.rb
new file mode 100644
index 00000000000..bd100ec7abb
--- /dev/null
+++ b/spec/graphql/resolvers/repositories/commit_resolver_spec.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Resolvers::Repositories::CommitResolver, feature_category: :source_code_management do
+  include GraphqlHelpers
+
+  subject(:commit) { resolve(described_class, obj: repository, args: { ref: ref }) }
+
+  let_it_be(:repository) { create(:project, :repository).repository }
+
+  let(:ref) { 'master' }
+
+  it { expect(described_class).to have_nullable_graphql_type(Types::Repositories::CommitType) }
+
+  describe '#resolve' do
+    it 'resolves commit' do
+      expect(commit).to eq(repository.commit('master'))
+    end
+
+    context 'when ref is empty' do
+      let(:ref) { '' }
+
+      it { is_expected.to be_nil }
+    end
+
+    context 'when ref is not found' do
+      let(:ref) { 'unknown' }
+
+      it { is_expected.to be_nil }
+    end
+  end
+end
diff --git a/spec/graphql/types/repository_type_spec.rb b/spec/graphql/types/repository_type_spec.rb
index 4ff2cbcad46..285c482a4d0 100644
--- a/spec/graphql/types/repository_type_spec.rb
+++ b/spec/graphql/types/repository_type_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe GitlabSchema.types['Repository'] do
+RSpec.describe GitlabSchema.types['Repository'], feature_category: :source_code_management do
   specify { expect(described_class.graphql_name).to eq('Repository') }
 
   specify { expect(described_class).to require_graphql_authorizations(:read_code) }
@@ -20,4 +20,6 @@ RSpec.describe GitlabSchema.types['Repository'] do
   specify { expect(described_class).to have_graphql_field(:branch_names, calls_gitaly?: true, complexity: 170) }
 
   specify { expect(described_class).to have_graphql_field(:disk_path) }
+
+  specify { expect(described_class).to have_graphql_field(:commit, calls_gitaly?: true) }
 end
diff --git a/spec/helpers/clusters_helper_spec.rb b/spec/helpers/clusters_helper_spec.rb
index 3389766ee8f..14a8720dd0c 100644
--- a/spec/helpers/clusters_helper_spec.rb
+++ b/spec/helpers/clusters_helper_spec.rb
@@ -315,4 +315,60 @@ RSpec.describe ClustersHelper, feature_category: :deployment_management do
       end
     end
   end
+
+  describe '#migration_alert_config' do
+    let_it_be(:error_message) { 'Something went wrong' }
+
+    subject { helper.migration_alert_config(migration) }
+
+    context 'when migration is nil' do
+      let(:migration) { nil }
+
+      it { is_expected.to be_nil }
+    end
+
+    context 'when migration has in_progress status' do
+      let(:migration) { build(:cluster_agent_migration, agent_install_status: :in_progress) }
+
+      it 'returns info alert config' do
+        expect(subject).to match(
+          variant: :info,
+          message: 'Installing agent in progress.'
+        )
+      end
+    end
+
+    context 'when migration has success status' do
+      let(:migration) { build(:cluster_agent_migration, agent_install_status: :success) }
+
+      it 'returns success alert config' do
+        expect(subject).to match(
+          variant: :success,
+          message: 'The agent connection is set up.'
+        )
+      end
+    end
+
+    context 'when migration has error status' do
+      let(:migration) { build(:cluster_agent_migration, agent_install_status: :error, agent_install_message: error_message) }
+
+      it 'returns error alert config with details' do
+        expect(subject).to match(
+          variant: :warning,
+          title: 'Agent setup failed',
+          message: 'The agent was not installed in the cluster.',
+          details: error_message,
+          show_help: true
+        )
+      end
+
+      context 'when error message is nil' do
+        let(:migration) { build(:cluster_agent_migration, agent_install_status: :error, agent_install_message: nil) }
+
+        it 'returns error alert config without details' do
+          expect(subject[:details]).to be_nil
+        end
+      end
+    end
+  end
 end
diff --git a/spec/lib/gitlab/diff/viewer_hunk_spec.rb b/spec/lib/gitlab/diff/viewer_hunk_spec.rb
index 060ec670e36..512d5e79571 100644
--- a/spec/lib/gitlab/diff/viewer_hunk_spec.rb
+++ b/spec/lib/gitlab/diff/viewer_hunk_spec.rb
@@ -148,6 +148,12 @@ RSpec.describe Gitlab::Diff::ViewerHunk, feature_category: :code_review_workflow
       expect(instance.header.expand_directions).to eq([:both])
     end
 
+    it 'returns both for 20 lines in between' do
+      lines = [old_line(old_pos: 1), match_line, new_line(old_pos: 22)]
+      instance = described_class.init_from_diff_lines(lines)[1]
+      expect(instance.header.expand_directions).to eq([:both])
+    end
+
     it 'returns up' do
       lines = [match_line, new_line(old_pos: 5)]
       instance = described_class.init_from_diff_lines(lines)[0]
diff --git a/spec/lib/gitlab/tracking/destinations/snowplow_spec.rb b/spec/lib/gitlab/tracking/destinations/snowplow_spec.rb
index a940098eccf..975c7c747d0 100644
--- a/spec/lib/gitlab/tracking/destinations/snowplow_spec.rb
+++ b/spec/lib/gitlab/tracking/destinations/snowplow_spec.rb
@@ -208,4 +208,17 @@ RSpec.describe Gitlab::Tracking::Destinations::Snowplow, :do_not_stub_snowplow_b
       end
     end
   end
+
+  describe '#emit_event_payload' do
+    let(:payload) { { "event" => "page_view", "user_id" => "123" } }
+
+    before do
+      allow(SnowplowTracker::AsyncEmitter).to receive(:new).and_return(emitter)
+    end
+
+    it "forwards the payload to the emitter" do
+      expect(emitter).to receive(:input).with(payload)
+      subject.emit_event_payload(payload)
+    end
+  end
 end
diff --git a/spec/models/packages/conan/package_revision_spec.rb b/spec/models/packages/conan/package_revision_spec.rb
index 5be7b7b47ef..e0fa5ef214d 100644
--- a/spec/models/packages/conan/package_revision_spec.rb
+++ b/spec/models/packages/conan/package_revision_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 RSpec.describe Packages::Conan::PackageRevision, type: :model, feature_category: :package_registry do
+  using RSpec::Parameterized::TableSyntax
+
   describe 'associations' do
     it 'belongs to package' do
       is_expected.to belong_to(:package).class_name('Packages::Conan::Package').inverse_of(:conan_package_revisions)
@@ -34,21 +36,27 @@ RSpec.describe Packages::Conan::PackageRevision, type: :model, feature_category:
       is_expected.to validate_uniqueness_of(:revision).scoped_to([:package_id, :package_reference_id]).case_insensitive
     end
 
-    context 'when validating the byte size of revision' do
-      let(:invalid_revision) { 'a' * (Packages::Conan::PackageRevision::REVISION_LENGTH_MAX + 1) }
-
-      it 'is not valid if revision exceeds maximum byte size', :aggregate_failures do
-        package_revision.revision = invalid_revision
-
-        expect(package_revision).not_to be_valid
-        expect(package_revision.errors[:revision]).to include(
-          "is too long (#{Packages::Conan::PackageRevision::REVISION_LENGTH_MAX + 1} B). " \
-            "The maximum size is #{Packages::Conan::PackageRevision::REVISION_LENGTH_MAX} B.")
+    context 'when validating hex format and length' do
+      where(:revision, :valid, :error_message) do
+        OpenSSL::Digest.hexdigest('MD5', 'test string')  | true  | nil
+        OpenSSL::Digest.hexdigest('SHA1', 'test string') | true  | nil
+        'df28fd816be3a119de5ce4d374436b2g'               | false | 'Revision is invalid'
+        ('a' * 41)                                       | false | 'Revision is invalid'
       end
 
-      it 'is valid if revision is within byte size limit' do
-        # package revision is set correctly in the factory
-        expect(package_revision).to be_valid
+      with_them do
+        before do
+          package_revision.revision = revision
+        end
+
+        if params[:valid]
+          it { expect(package_revision).to be_valid }
+        else
+          it 'is invalid with the expected error message' do
+            expect(package_revision).not_to be_valid
+            expect(package_revision.errors).to contain_exactly(error_message)
+          end
+        end
       end
     end
   end
diff --git a/spec/models/packages/conan/recipe_revision_spec.rb b/spec/models/packages/conan/recipe_revision_spec.rb
index a3ee45e0341..1891871423a 100644
--- a/spec/models/packages/conan/recipe_revision_spec.rb
+++ b/spec/models/packages/conan/recipe_revision_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 RSpec.describe Packages::Conan::RecipeRevision, type: :model, feature_category: :package_registry do
+  using RSpec::Parameterized::TableSyntax
+
   describe 'associations' do
     it 'belongs to package' do
       is_expected.to belong_to(:package).class_name('Packages::Conan::Package').inverse_of(:conan_recipe_revisions)
@@ -33,21 +35,27 @@ RSpec.describe Packages::Conan::RecipeRevision, type: :model, feature_category:
       is_expected.to validate_uniqueness_of(:revision).scoped_to(:package_id).case_insensitive
     end
 
-    context 'when validating the byte size of revision' do
-      let(:invalid_revision) { 'a' * (Packages::Conan::RecipeRevision::REVISION_LENGTH_MAX + 1) }
-
-      it 'is not valid if revision exceeds maximum byte size', :aggregate_failures do
-        recipe_revision.revision = invalid_revision
-
-        expect(recipe_revision).not_to be_valid
-        expect(recipe_revision.errors[:revision]).to include(
-          "is too long (#{Packages::Conan::RecipeRevision::REVISION_LENGTH_MAX + 1} B). " \
-            "The maximum size is #{Packages::Conan::RecipeRevision::REVISION_LENGTH_MAX} B.")
+    context 'when validating hex format and length' do
+      where(:revision, :valid, :error_message) do
+        OpenSSL::Digest.hexdigest('MD5', 'test string')  | true  | nil
+        OpenSSL::Digest.hexdigest('SHA1', 'test string') | true  | nil
+        'df28fd816be3a119de5ce4d374436b2g'               | false | 'Revision is invalid'
+        ('a' * 41)                                       | false | 'Revision is invalid'
       end
 
-      it 'is valid if revision is within byte size limit' do
-        # recipe revision is set correclty in the factory
-        expect(recipe_revision).to be_valid
+      with_them do
+        before do
+          recipe_revision.revision = revision
+        end
+
+        if params[:valid]
+          it { expect(recipe_revision).to be_valid }
+        else
+          it 'is invalid with the expected error message' do
+            expect(recipe_revision).not_to be_valid
+            expect(recipe_revision.errors).to contain_exactly(error_message)
+          end
+        end
       end
     end
   end
diff --git a/spec/presenters/clusters/cluster_presenter_spec.rb b/spec/presenters/clusters/cluster_presenter_spec.rb
index 53b63f41c60..e8d000bc4ff 100644
--- a/spec/presenters/clusters/cluster_presenter_spec.rb
+++ b/spec/presenters/clusters/cluster_presenter_spec.rb
@@ -142,4 +142,33 @@ RSpec.describe Clusters::ClusterPresenter do
       it_behaves_like 'cluster health data'
     end
   end
+
+  describe '#agent_migration_for_display' do
+    shared_examples 'cluster agent migration' do |cluster_type|
+      let(:cluster) { create(:cluster, cluster_type) }
+      let(:presenter) { described_class.new(cluster, current_user: user) }
+
+      context 'when migration exists' do
+        let!(:migration) { create(:cluster_agent_migration, cluster: cluster) }
+
+        it 'returns existing migration' do
+          expect(presenter.agent_migration_for_display).to eq(migration)
+        end
+      end
+
+      context 'when migration does not exist' do
+        it 'returns new migration instance' do
+          migration = presenter.agent_migration_for_display
+
+          expect(migration).to be_a(Clusters::AgentMigration)
+          expect(migration).to be_new_record
+          expect(migration.cluster).to eq(cluster)
+        end
+      end
+    end
+
+    it_behaves_like 'cluster agent migration', :project
+    it_behaves_like 'cluster agent migration', :group
+    it_behaves_like 'cluster agent migration', :instance
+  end
 end
diff --git a/spec/requests/api/graphql/project/repository_spec.rb b/spec/requests/api/graphql/project/repository_spec.rb
index a75970c1d43..393d5233d19 100644
--- a/spec/requests/api/graphql/project/repository_spec.rb
+++ b/spec/requests/api/graphql/project/repository_spec.rb
@@ -105,4 +105,32 @@ RSpec.describe 'getting a repository in a project', feature_category: :source_co
       expect(graphql_data['project']['repository']['paginatedTree']).to be_present
     end
   end
+
+  context 'when commit is requested' do
+    let(:fields) do
+      %(
+        commit(ref: "#{ref}") {
+          sha
+        }
+      )
+    end
+
+    let(:ref) { 'b83d6e391c22777fca1ed3012fce84f633d7fed0' }
+
+    it 'returns requested commit' do
+      post_graphql(query, current_user: current_user)
+
+      expect(graphql_data.dig('project', 'repository', 'commit', 'sha')).to eq ref
+    end
+
+    context 'when ref does not point to an existing commit' do
+      let(:ref) { 'unknown' }
+
+      it 'returns nil' do
+        post_graphql(query, current_user: current_user)
+
+        expect(graphql_data.dig('project', 'repository', 'commit')).to be_nil
+      end
+    end
+  end
 end
diff --git a/spec/requests/event_forward/event_forward_controller_spec.rb b/spec/requests/event_forward/event_forward_controller_spec.rb
new file mode 100644
index 00000000000..203c2a88547
--- /dev/null
+++ b/spec/requests/event_forward/event_forward_controller_spec.rb
@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe EventForward::EventForwardController, feature_category: :product_analytics do
+  let(:tracker) { instance_double(Gitlab::Tracking::Destinations::Snowplow) }
+  let(:logger) { instance_double(Logger) }
+  let(:payload) do
+    {
+      'data' => [
+        { "event_name" => 'test_event' },
+        { "event_name" => 'another_event' }
+      ]
+    }
+  end
+
+  before do
+    allow(Gitlab::Tracking).to receive(:tracker).and_return(tracker)
+    allow(tracker).to receive(:emit_event_payload)
+    allow(EventForward::Logger).to receive(:build).and_return(logger)
+    allow(logger).to receive(:info)
+  end
+
+  describe 'POST #forward' do
+    let(:request) { post event_forwarding_path, params: payload, as: :json }
+
+    it 'forwards each event to the Snowplow tracker' do
+      payload['data'].each do |event|
+        expect(tracker).to receive(:emit_event_payload).with(event)
+      end
+
+      request
+    end
+
+    it 'logs the number of enqueued events' do
+      expect(logger).to receive(:info).with("Enqueued events for forwarding. Count: #{payload['data'].size}")
+
+      request
+    end
+
+    it 'returns successful response' do
+      request
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(response.body).to be_empty
+    end
+  end
+end
diff --git a/spec/scripts/database/query_analyzers/jsonb_scan_detector_spec.rb b/spec/scripts/database/query_analyzers/jsonb_scan_detector_spec.rb
new file mode 100644
index 00000000000..78d4405e198
--- /dev/null
+++ b/spec/scripts/database/query_analyzers/jsonb_scan_detector_spec.rb
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'fast_spec_helper'
+
+require_relative '../../../../scripts/database/query_analyzers/jsonb_scan_detector'
+
+RSpec.describe Database::QueryAnalyzers::JSONBScanDetector, feature_category: :database do
+  let(:invalid_query_string) do
+    <<~SQL
+      SELECT
+          *
+      FROM
+          member_roles
+      WHERE
+          member_roles.permissions @> ('{"admin_merge_request":true}')::jsonb
+    SQL
+  end
+
+  let(:invalid_query) { { 'query' => invalid_query_string, 'fingerprint' => '0000000000000001' } }
+
+  let(:valid_query_string) { "SELECT * FROM users WHERE name = 'bob'" }
+
+  let(:valid_query) { { 'query' => valid_query_string, 'fingerprint' => '0000000000000002' } }
+
+  let(:config) { {} }
+
+  subject(:analyzer) { described_class.new(config) }
+
+  it "initalizes" do
+    expect { analyzer }.not_to raise_error
+  end
+
+  context 'when no TODOs are defined' do
+    it 'finds the invalid query' do
+      [valid_query, invalid_query].each { |q| analyzer.analyze q }
+      expect(analyzer.output[:bad_queries].length).to eq 1
+    end
+  end
+
+  context 'when a TODO is defined' do
+    let(:config) do
+      {
+        "todos" => [
+          invalid_query['fingerprint']
+        ]
+      }
+    end
+
+    it 'does not find the invalid query' do
+      [valid_query, invalid_query].each { |q| analyzer.analyze q }
+      expect(analyzer.output[:bad_queries].length).to eq 0
+    end
+  end
+end
diff --git a/spec/services/clusters/migration/create_service_spec.rb b/spec/services/clusters/migration/create_service_spec.rb
index 4cfd3fe058e..c63fa4b05a5 100644
--- a/spec/services/clusters/migration/create_service_spec.rb
+++ b/spec/services/clusters/migration/create_service_spec.rb
@@ -8,12 +8,14 @@ RSpec.describe Clusters::Migration::CreateService, feature_category: :deployment
   let_it_be(:project) { create(:project, group: group) }
   let_it_be(:configuration_project) { project }
   let_it_be(:cluster_name) { '-Legacy cluster with invalid name #123-' }
+  let_it_be(:agent_name) { 'new-agent' }
 
   let(:service) do
     described_class.new(
       cluster,
       current_user: user,
-      configuration_project_id: configuration_project.id
+      configuration_project_id: configuration_project.id,
+      agent_name: agent_name
     )
   end
 
@@ -78,7 +80,7 @@ RSpec.describe Clusters::Migration::CreateService, feature_category: :deployment
 
     context 'when migration creation fails' do
       before do
-        create(:cluster_agent_migration, cluster: cluster)
+        create(:cluster_agent_migration, cluster: cluster, agent_name: 'existing-agent')
       end
 
       it 'returns an error' do
@@ -100,13 +102,13 @@ RSpec.describe Clusters::Migration::CreateService, feature_category: :deployment
       expect(migration.project).to eq(project)
 
       agent = migration.agent
-      expect(agent.name).to eq('legacy-cluster-with-invalid-name-123')
+      expect(agent.name).to eq(agent_name)
       expect(agent.project).to eq(project)
       expect(agent.created_by_user).to eq(user)
       expect(agent.agent_tokens.count).to eq(1)
 
       token = agent.agent_tokens.first
-      expect(token.name).to eq('legacy-cluster-with-invalid-name-123')
+      expect(token.name).to eq(agent_name)
       expect(token.created_by_user).to eq(user)
     end
   end
diff --git a/spec/support/shared_examples/lib/api/access_token_shared_examples.rb b/spec/support/shared_examples/lib/api/access_token_shared_examples.rb
new file mode 100644
index 00000000000..daa389ee259
--- /dev/null
+++ b/spec/support/shared_examples/lib/api/access_token_shared_examples.rb
@@ -0,0 +1,136 @@
+# frozen_string_literal: true
+
+# The context in which these shared examples are included
+# need to have the following variables/objects available
+#
+# - `path` - The path of the specific token API not including
+#          `/api/v4`.
+#          Example: '/groups/:id/manage/personal_access_tokens'
+# - `current_user_token` - The PAT of the user making the request
+# - All tokens in the `all_token_ids` variable below.
+# - `created_at_asc` - An array of tokens in ascending order of creation date
+#
+# It is recommended to create one or more tokens that should not match any of the filters.
+# For example, if testing resource access tokens, create a human user token and
+# service account token. The variable name does not matter as long as it
+# isn't one of the `all_token_ids` below.
+RSpec.shared_examples 'an access token GET API with access token params' do
+  let(:api_request) { api(path, personal_access_token: current_user_token) }
+  let_it_be(:created_at_desc) { created_at_asc.reverse }
+  let_it_be(:all_token_ids) do
+    [
+      active_token1.id,
+      active_token2.id,
+      expired_token1.id,
+      expired_token2.id,
+      revoked_token1.id,
+      revoked_token2.id,
+      named_token.id,
+      created_2_days_ago_token.id,
+      last_used_2_days_ago_token.id,
+      last_used_2_months_ago_token.id
+    ]
+  end
+
+  it 'returns all tokens by default' do
+    get api_request
+
+    expect(response).to have_gitlab_http_status(:ok)
+    expect_paginated_array_response_contain_exactly(*all_token_ids)
+    # Entities::PersonalAccessToken default response
+    expect(json_response[0].keys).to include(
+      'id', 'name', 'description', 'revoked', 'created_at', 'scopes', 'user_id', 'last_used_at', 'active', 'expires_at'
+    )
+  end
+
+  context 'when filtering by state' do
+    it 'returns active tokens when state is active' do
+      get api_request, params: { state: 'active' }
+
+      expect_paginated_array_response_contain_exactly(
+        *all_token_ids.excluding(expired_token1.id, expired_token2.id, revoked_token1.id, revoked_token2.id)
+      )
+    end
+
+    it 'returns inactive tokens when state is inactive' do
+      get api_request, params: { state: 'inactive' }
+
+      expect_paginated_array_response_contain_exactly(
+        expired_token1.id, expired_token2.id, revoked_token1.id, revoked_token2.id
+      )
+    end
+
+    it 'returns bad request when state is invalid' do
+      get api(path, personal_access_token: current_user_token), params: { state: 'invalid' }
+
+      expect(response).to have_gitlab_http_status(:bad_request)
+      expect(json_response['error']).to eq('state does not have a valid value')
+    end
+  end
+
+  context 'when filtering by revoked' do
+    it 'returns not-revoked tokens when revoked is false' do
+      get api_request, params: { revoked: false }
+
+      expect_paginated_array_response_contain_exactly(*all_token_ids.excluding(revoked_token1.id, revoked_token2.id))
+    end
+
+    it 'returns revoked tokens when revoked is true' do
+      get api_request, params: { revoked: true }
+
+      expect_paginated_array_response_contain_exactly(revoked_token1.id, revoked_token2.id)
+    end
+  end
+
+  context 'when filtering by created dates' do
+    it 'returns tokens created before specified date' do
+      get api_request, params: { created_before: 1.day.ago }
+
+      expect(json_response.pluck('id')).to match_array(created_2_days_ago_token.id)
+    end
+
+    it 'returns tokens created after specified date' do
+      get api_request, params: { created_after: 1.day.ago }
+
+      expect_paginated_array_response_contain_exactly(*all_token_ids.excluding(created_2_days_ago_token.id))
+    end
+  end
+
+  context 'when filtering by last used dates' do
+    it 'returns tokens last used before specified date' do
+      get api_request, params: { last_used_before: Time.current }
+
+      expect_paginated_array_response_contain_exactly(last_used_2_days_ago_token.id, last_used_2_months_ago_token.id)
+    end
+
+    it 'returns tokens last used after specified date' do
+      get api_request, params: { last_used_after: 1.week.ago }
+
+      expect_paginated_array_response_contain_exactly(last_used_2_days_ago_token.id)
+    end
+  end
+
+  context 'when searching by name' do
+    it 'returns tokens matching the search term' do
+      get api_request, params: { search: 'test' }
+
+      expect_paginated_array_response_contain_exactly(named_token.id)
+    end
+  end
+
+  context 'when sorting' do
+    it 'sorts tokens by created_at_desc when specified' do
+      get api_request, params: { sort: 'created_at_desc' }
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response.pluck('id')).to eq(created_at_desc.pluck('id')) # Use eq because order is important
+    end
+
+    it 'sorts tokens by created_at_asc when specified' do
+      get api_request, params: { sort: 'created_at_asc' }
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response.pluck('id')).to eq(created_at_asc.pluck('id')) # Use eq because order is important
+    end
+  end
+end
diff --git a/spec/workers/resource_access_tokens/inactive_tokens_deletion_cron_worker_spec.rb b/spec/workers/resource_access_tokens/inactive_tokens_deletion_cron_worker_spec.rb
index 307d0709e2f..bfb169e8302 100644
--- a/spec/workers/resource_access_tokens/inactive_tokens_deletion_cron_worker_spec.rb
+++ b/spec/workers/resource_access_tokens/inactive_tokens_deletion_cron_worker_spec.rb
@@ -10,6 +10,10 @@ RSpec.describe ResourceAccessTokens::InactiveTokensDeletionCronWorker, feature_c
   it_behaves_like 'worker with data consistency', described_class, data_consistency: :sticky
 
   describe '#perform' do
+    before do
+      stub_application_setting(require_personal_access_token_expiry: false)
+    end
+
     it(
       'initiates deletion for project_bot users whose all tokens became inactive before cut_off date or without tokens',
       :aggregate_failures,
@@ -21,6 +25,12 @@ RSpec.describe ResourceAccessTokens::InactiveTokensDeletionCronWorker, feature_c
 
       active_personal_access_token =
         create(:personal_access_token)
+      active_personal_access_token_without_expiration_date =
+        create(:personal_access_token, expires_at: nil)
+      active_personal_access_token_with_revoked_attribute_set_to_nil =
+        create(:personal_access_token, revoked: nil)
+      active_personal_access_token_without_expiration_date_and_with_revoked_attribute_set_to_nil =
+        create(:personal_access_token, expires_at: nil, revoked: nil)
       personal_access_token_expired_before_cut_off =
         create(:personal_access_token, expires_at: cut_off - 1.day)
       personal_access_token_expired_at_cut_off =
@@ -42,6 +52,12 @@ RSpec.describe ResourceAccessTokens::InactiveTokensDeletionCronWorker, feature_c
 
       active_resource_access_token =
         create(:resource_access_token)
+      active_resource_access_token_without_expiration_date =
+        create(:resource_access_token, expires_at: nil)
+      active_resource_access_token_with_revoked_attribute_set_to_nil =
+        create(:resource_access_token, revoked: nil)
+      active_resource_access_token_without_expiration_date_and_with_revoked_attribute_set_to_nil =
+        create(:resource_access_token, expires_at: nil, revoked: nil)
       resource_access_token_expired_before_cut_off =
         create(:resource_access_token, expires_at: cut_off - 1.day)
       resource_access_token_expired_at_cut_off =
@@ -75,6 +91,9 @@ RSpec.describe ResourceAccessTokens::InactiveTokensDeletionCronWorker, feature_c
 
       tokens_to_keep = [
         active_personal_access_token,
+        active_personal_access_token_without_expiration_date,
+        active_personal_access_token_with_revoked_attribute_set_to_nil,
+        active_personal_access_token_without_expiration_date_and_with_revoked_attribute_set_to_nil,
         personal_access_token_expired_before_cut_off,
         personal_access_token_expired_at_cut_off,
         personal_access_token_expired_after_cut_off,
@@ -86,6 +105,9 @@ RSpec.describe ResourceAccessTokens::InactiveTokensDeletionCronWorker, feature_c
         non_revoked_personal_access_token_updated_after_cut_off,
 
         active_resource_access_token,
+        active_resource_access_token_without_expiration_date,
+        active_resource_access_token_with_revoked_attribute_set_to_nil,
+        active_resource_access_token_without_expiration_date_and_with_revoked_attribute_set_to_nil,
         resource_access_token_expired_at_cut_off,
         resource_access_token_expired_after_cut_off,
         resource_access_token_revoked_at_cut_off,
diff --git a/tooling/lib/tooling/test_map_generator.rb b/tooling/lib/tooling/test_map_generator.rb
index ff1d39eb8ed..f7b6b326a5c 100644
--- a/tooling/lib/tooling/test_map_generator.rb
+++ b/tooling/lib/tooling/test_map_generator.rb
@@ -30,7 +30,7 @@ module Tooling
     end
 
     def mapping
-      @mapping.transform_values { |set| set.to_a }
+      @mapping.transform_values(&:to_a)
     end
 
     private