Add latest changes from gitlab-org/gitlab@master

app/assets/javascripts/work_items/constants.js

@@ -249,7 +249,7 @@ export const FORM_TYPES = {
 
 export const DEFAULT_PAGE_SIZE_NOTES = 20; // Set to 20 to not exceed query complexity
 export const DEFAULT_PAGE_SIZE_EMOJIS = 100;
-export const DEFAULT_PAGE_SIZE_CHILD_ITEMS = 5;
+export const DEFAULT_PAGE_SIZE_CHILD_ITEMS = 50;
 
 export const WORK_ITEM_NOTES_SORT_ORDER_KEY = 'sort_direction_work_item';
 

app/views/groups/_import_group_from_another_instance_panel.html.haml

@@ -53,5 +53,5 @@
         title: s_('GroupsNew|Please fill in your personal access token.'),
         id: 'import_gitlab_token',
         data: { testid: 'import-gitlab-token' }
-  .gl-border-default.gl-border-solid.gl-border-1.gl-bg-gray-10.gl-p-5
+  .gl-border-default.gl-border-solid.gl-border-1.gl-p-5
     = f.submit s_('GroupsNew|Connect instance'), disabled: !bulk_imports_enabled, pajamas_button: true, data: { testid: 'connect-instance-button' }

app/views/groups/_import_group_from_file_panel.html.haml

@@ -21,5 +21,5 @@
         = s_('GroupsNew|To import a group, navigate to the group settings for the GitLab source instance, %{link_start}generate an export file%{link_end}, and upload it here.').html_safe % { link_start: import_export_link_start, link_end: '</a>'.html_safe }
       .gl-mt-3
         = render 'shared/file_picker_button', f: f, field: :file, help_text: nil
-  .gl-border-default.gl-border-solid.gl-border-1.gl-bg-gray-10.gl-p-5
+  .gl-border-default.gl-border-solid.gl-border-1.gl-p-5
     = f.submit _('Import'), pajamas_button: true

data/deprecations/16-9-deprecate-license-scanning-report-artifact-type.yml

@@ -2,6 +2,7 @@
   removal_milestone: "18.0"
   announcement_milestone: "16.9"
   breaking_change: true
+  window: 1
   reporter: gonzoyumo
   stage: secure
   issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/439301

db/docs/batched_background_migrations/backfill_events_sharding_key.yml

@@ -5,4 +5,4 @@ feature_category: database
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/123
 milestone: '17.5'
 queued_migration_version: 20241008030404
-finalized_by: # version of the migration that finalized this BBM
+finalized_by: 20250113222525

db/docs/events.yml

@@ -15,5 +15,8 @@ description: Stores events created by users interacting with various product fea
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/commit/a847501fd2ffc1c4becc7d0d352d80168d9b3568
 milestone: '2.2'
 gitlab_schema: gitlab_main_cell
-sharding_key_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/462801
+sharding_key:
+  project_id: projects
+  group_id: namespaces
+  personal_namespace_id: namespaces
 table_size: over_limit

db/post_migrate/20250113222525_finalize_events_sharding_key_backfill.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class FinalizeEventsShardingKeyBackfill < Gitlab::Database::Migration[2.2]
+  milestone '17.9'
+  disable_ddl_transaction!
+  restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+  def up
+    ensure_batched_background_migration_is_finished(
+      job_class_name: 'BackfillEventsShardingKey',
+      table_name: :events,
+      column_name: :id,
+      job_arguments: [],
+      finalize: true
+    )
+  end
+
+  def down
+    # no-op
+  end
+end

db/post_migrate/20250113223107_validate_check_events_sharding_key_is_not_null.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class ValidateCheckEventsShardingKeyIsNotNull < Gitlab::Database::Migration[2.2]
+  milestone '17.9'
+
+  def up
+    validate_check_constraint(:events, :check_events_sharding_key_is_not_null)
+  end
+
+  def down
+    # no-op
+  end
+end

db/schema_migrations/20250113222525

@@ -0,0 +1 @@
+619fcb74d60ecaefbebb5c11915b9a6d5f0e5d5e47e0066fc7e728f56590eccd

db/schema_migrations/20250113223107

@@ -0,0 +1 @@
+ff42035f9a3f015a86cb7b326ca01a59a6aabc3ea19ff92a546534ed8b8b25c6

db/structure.sql

@@ -13035,7 +13035,8 @@ CREATE TABLE events (
     target_id bigint,
     imported_from smallint DEFAULT 0 NOT NULL,
     personal_namespace_id bigint,
-    CONSTRAINT check_97e06e05ad CHECK ((octet_length(fingerprint) <= 128))
+    CONSTRAINT check_97e06e05ad CHECK ((octet_length(fingerprint) <= 128)),
+    CONSTRAINT check_events_sharding_key_is_not_null CHECK (((group_id IS NOT NULL) OR (project_id IS NOT NULL) OR (personal_namespace_id IS NOT NULL)))
 );
 
 CREATE SEQUENCE events_id_seq
@@ -26361,9 +26362,6 @@ ALTER TABLE sprints
 ALTER TABLE web_hook_logs
     ADD CONSTRAINT check_df72cb58f5 CHECK ((char_length(url_hash) <= 44)) NOT VALID;
 
-ALTER TABLE events
-    ADD CONSTRAINT check_events_sharding_key_is_not_null CHECK (((group_id IS NOT NULL) OR (project_id IS NOT NULL) OR (personal_namespace_id IS NOT NULL))) NOT VALID;
-
 ALTER TABLE projects
     ADD CONSTRAINT check_fa75869cb1 CHECK ((project_namespace_id IS NOT NULL)) NOT VALID;
 

doc/development/secure_coding_guidelines.md

@@ -1741,6 +1741,8 @@ This class of issue applies to more than just email; other examples might includ
 
 ### Related topics
 
+- [Watch a walkthrough video](https://www.youtube.com/watch?v=ydg95R2QKwM) for an instance of this issue causing vulnerability CVE-2023-7028.
+  The video covers what happened, how it worked, and what you need to know for the future.
 - Rails documentation for [ActionController::StrongParameters](https://api.rubyonrails.org/classes/ActionController/StrongParameters.html) and [ActionController::Parameters](https://api.rubyonrails.org/classes/ActionController/Parameters.html)
 
 ## Who to contact if you have questions

doc/update/breaking_windows.md

@@ -32,6 +32,7 @@ This window takes place on April 21 - 23, 2025 from 09:00 UTC to 22:00 UTC.
 | [GitLab Runner platforms and setup instructions in GraphQL API](https://gitlab.com/gitlab-org/gitlab/-/issues/387937) | Low | Verify | Instance, group, project |
 | [CI/CD job token - **Limit access from your project** setting removal](https://gitlab.com/gitlab-org/gitlab/-/issues/395708) | High | Verify | Project |
 | [CI/CD job token - **Authorized groups and projects** allowlist enforcement](https://gitlab.com/gitlab-org/gitlab/-/issues/383084) | High | Govern | Project |
+| [Deprecate License Scanning CI/CD artifact report type](https://gitlab.com/gitlab-org/gitlab/-/issues/439301) |  | Secure |  |
 | [OpenTofu CI/CD template](https://gitlab.com/components/opentofu/-/issues/43#note_1913822299) | Low | Depoy | Project |
 | [Replace `add_on_purchase` GraphQL field with `add_on_purchases`](https://gitlab.com/gitlab-org/gitlab/-/issues/476858) | Low | Fulfillment | Instance, group |
 | [Replace namespace `add_on_purchase` GraphQL field with `add_on_purchases`](https://gitlab.com/gitlab-org/gitlab/-/issues/489850) | Low | Fulfillment | Instance, group |

qa/Gemfile

@@ -2,7 +2,7 @@
 
 source 'https://rubygems.org'
 
-gem 'gitlab-qa', '~> 15', require: 'gitlab/qa'
+gem 'gitlab-qa', '~> 15', '>= 15.1.0', require: 'gitlab/qa'
 gem 'gitlab_quality-test_tooling', '~> 2.4.0', require: false
 gem 'gitlab-utils', path: '../gems/gitlab-utils'
 gem 'activesupport', '~> 7.0.8.7' # This should stay in sync with the root's Gemfile

qa/Gemfile.lock

@@ -118,7 +118,7 @@ GEM
     gitlab (4.19.0)
       httparty (~> 0.20)
       terminal-table (>= 1.5.1)
-    gitlab-qa (15.0.0)
+    gitlab-qa (15.1.0)
       activesupport (>= 6.1, < 7.2)
       ffi (~> 1.17)
       gitlab (~> 4.19)
@@ -366,7 +366,7 @@ DEPENDENCIES
   fog-core (= 2.1.0)
   fog-google (~> 1.24, >= 1.24.1)
   gitlab-cng!
-  gitlab-qa (~> 15)
+  gitlab-qa (~> 15, >= 15.1.0)
   gitlab-utils!
   gitlab_quality-test_tooling (~> 2.4.0)
   googleauth (~> 1.9.0)

qa/gdk/Dockerfile.gdk

@@ -1,4 +1,4 @@
-ARG GDK_SHA=ac07225dc7faa0b88559a91208e57cea83756cfe
+ARG GDK_SHA=cad123df4fb15986c883f0e90f166ac2b8df4d36
 # Use tag prefix when running on 'stable' branch to make sure 'protected' image is used which is not deleted by registry cleanup
 ARG GDK_BASE_TAG_PREFIX
 

spec/support/helpers/sharding_key_spec_helpers.rb

@@ -44,8 +44,14 @@ module ShardingKeySpecHelpers
   def has_multi_column_null_check_constraint?(table_name, column_names)
     # This regex searches for constraints that ensure at least one of a set of columns is NOT NULL.
     # It assumes the constraint was created using the #add_multi_column_not_null_constraint helper, which also
-    # sorts the list of columns.
-    regex = "\\ACHECK \\(\\(num_nonnulls\\(#{column_names.sort.join(', ')}\\) (> [0-9]{1,}|>?= [1-9]{1,})\\)\\)\\Z"
+    # sorts the list of columns. The constraint for `events` does not follow this convention hence the exception.
+    regex = {
+      events: '\\ACHECK \\(\\(\\(group_id IS NOT NULL\\) OR \\(project_id IS NOT NULL\\) ' \
+        'OR \\(personal_namespace_id IS NOT NULL\\)\\)\\)\\Z'
+    }.fetch(
+      table_name.to_sym,
+      "\\ACHECK \\(\\(num_nonnulls\\(#{column_names.sort.join(', ')}\\) (> [0-9]{1,}|>?= [1-9]{1,})\\)\\)\\Z"
+    )
 
     sql = <<~SQL
     SELECT 1