Add latest changes from gitlab-org/gitlab@master

app/assets/javascripts/work_items/components/create_work_item.vue

@@ -52,6 +52,7 @@ import {
   WORK_ITEM_TYPE_NAME_LOWERCASE_MAP,
   WORK_ITEM_TYPE_NAME_MAP,
   WORK_ITEM_TYPE_VALUE_MAP,
+  WORK_ITEM_TYPE_VALUE_INCIDENT,
 } from '../constants';
 import createWorkItemMutation from '../graphql/create_work_item.mutation.graphql';
 import namespaceWorkItemTypesQuery from '../graphql/namespace_work_item_types.query.graphql';
@@ -321,6 +322,18 @@ export default {
     workItemHierarchy() {
       return findWidget(WIDGET_TYPE_HIERARCHY, this.workItem);
     },
+    showParentAttribute() {
+      // We use the work item create work flow for incidents although
+      // incidents haven't been migrated to work items and use the legacy
+      // detail view instead. Since the legacy view doesn't support setting a parent
+      // we need to hide this attribute here until the migration has been finished.
+      // https://gitlab.com/gitlab-org/gitlab/-/issues/502823
+      if (this.selectedWorkItemTypeName === WORK_ITEM_TYPE_VALUE_INCIDENT) {
+        return false;
+      }
+
+      return Boolean(this.workItemHierarchy);
+    },
     workItemCrmContacts() {
       return findWidget(WIDGET_TYPE_CRM_CONTACTS, this.workItem);
     },
@@ -939,7 +952,7 @@ export default {
               @error="$emit('error', $event)"
             />
             <work-item-parent
-              v-if="workItemHierarchy"
+              v-if="showParentAttribute"
               class="work-item-attributes-item"
               :can-update="canUpdate"
               :work-item-id="workItemId"

app/controllers/import/github_controller.rb

@@ -238,7 +238,7 @@ class Import::GithubController < Import::BaseController
   def provider_unauthorized
     session[access_token_key] = nil
     redirect_to new_import_url,
-      alert: "Access denied to your #{Gitlab::ImportSources.title(provider_name.to_s)} account."
+      alert: "Wrong credentials"
   end
 
   def provider_rate_limit(exception)

app/models/commit.rb

@@ -410,7 +410,7 @@ class Commit
   end
 
   def cherry_pick_description(user)
-    message_body = ["(cherry-picked from commit #{sha})"]
+    message_body = ["(cherry picked from commit #{sha})"]
 
     if merged_merge_request?(user)
       commits_in_merge_request = merged_merge_request(user).commits

config/feature_flags/development/snippet_ip_restrictions.yml

@@ -0,0 +1,9 @@
+---
+name: snippet_ip_restrictions
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/511506
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180331
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/517917
+milestone: '17.9'
+type: development
+group: group::source code
+default_enabled: false

doc/development/database/add_foreign_key_to_existing_column.md

@@ -69,6 +69,8 @@ Migration file for adding `NOT VALID` foreign key:
 
 ```ruby
 class AddNotValidForeignKeyToEmailsUser < Gitlab::Database::Migration[2.1]
+  disable_ddl_transaction!
+
   def up
     add_concurrent_foreign_key :emails, :users, column: :user_id, on_delete: :cascade, validate: false
   end
@@ -84,10 +86,6 @@ short lock on the table before being able to enforce the constraint on new data.
 We do still want to enable lock retries for high traffic and large tables.
 `add_concurrent_foreign_key` does this for us, and also checks if the foreign key already exists.
 
-WARNING:
-Avoid using `add_foreign_key` or `add_concurrent_foreign_key` constraints more than
-once per migration file, unless the source and target tables are identical.
-
 #### Data migration to fix existing records
 
 The approach here depends on the data volume and the cleanup strategy. If we can find "invalid"

doc/user/application_security/api_security_testing/_index.md

@@ -9,8 +9,8 @@ DETAILS:
 **Tier:** Ultimate
 **Offering:** GitLab.com, GitLab Self-Managed, GitLab Dedicated
 
-> - API security testing analyzer [became the default analyzer for on-demand API security testing scans](https://gitlab.com/groups/gitlab-org/-/epics/4254) in GitLab 15.6.
-> - [Renamed](https://gitlab.com/gitlab-org/gitlab/-/issues/457449) from **DAST API analyzer** to **API security testing analyzer** in GitLab 17.0.
+> - [Changed](https://gitlab.com/groups/gitlab-org/-/epics/4254) in GitLab 15.6 to the default analyzer for on-demand API security testing scans.
+> - [Renamed](https://gitlab.com/gitlab-org/gitlab/-/issues/457449) in GitLab 17.0 from "DAST API analyzer" to "API security testing analyzer".
 
 Perform Dynamic Application Security Testing (DAST) of web APIs to help discover bugs and potential
 security issues that other QA processes may miss. Use API security testing in addition to

doc/user/application_security/vulnerability_report/pipeline.md

@@ -9,6 +9,12 @@ DETAILS:
 **Tier:** Ultimate
 **Offering:** GitLab.com, GitLab Self-Managed, GitLab Dedicated
 
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/490334) in GitLab 17.9 [with a flag](../../../administration/feature_flags.md) named `dependency_scanning_for_pipelines_with_cyclonedx_reports`. Disabled by default.
+> - [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/490332) in GitLab 17.9.
+
+FLAG:
+This feature flag controls the recently added support for pipeline security findings based on [CycloneDX reports](../dependency_scanning/dependency_scanning_sbom/_index.md#cyclonedx-software-bill-of-materials).
+
 All enabled security analyzers run in the pipeline and output their results as artifacts. These
 artifacts are processed, including [deduplication](#deduplication-process), and the results are
 listed on the pipeline **Security** tab. By identifying vulnerability

lib/api/helpers/import_github_helpers.rb

@@ -19,7 +19,7 @@ module API
       end
 
       def provider_unauthorized
-        error!("Access denied to your #{Gitlab::ImportSources.title(provider.to_s)} account.", 401)
+        error!("Wrong credentials", 401)
       end
 
       def too_many_requests

qa/Gemfile

@@ -3,7 +3,7 @@
 source 'https://rubygems.org'
 
 gem 'gitlab-qa', '~> 15', '>= 15.2.0', require: 'gitlab/qa'
-gem 'gitlab_quality-test_tooling', '~> 2.6.0', require: false
+gem 'gitlab_quality-test_tooling', '~> 2.7.0', require: false
 gem 'gitlab-utils', path: '../gems/gitlab-utils'
 gem 'activesupport', '~> 7.0.8.7' # This should stay in sync with the root's Gemfile
 gem 'allure-rspec', '~> 2.25.0'

qa/Gemfile.lock

@@ -128,7 +128,7 @@ GEM
       rainbow (>= 3, < 4)
       table_print (= 1.5.7)
       zeitwerk (>= 2, < 3)
-    gitlab_quality-test_tooling (2.6.0)
+    gitlab_quality-test_tooling (2.7.0)
       activesupport (>= 7.0, < 7.2)
       amatch (~> 0.4.1)
       fog-google (~> 1.24, >= 1.24.1)
@@ -369,7 +369,7 @@ DEPENDENCIES
   gitlab-cng!
   gitlab-qa (~> 15, >= 15.2.0)
   gitlab-utils!
-  gitlab_quality-test_tooling (~> 2.6.0)
+  gitlab_quality-test_tooling (~> 2.7.0)
   googleauth (~> 1.9.0)
   influxdb-client (~> 3.2)
   junit_merge (~> 0.1.2)

qa/qa/page/project/web_ide/vscode.rb

@@ -119,9 +119,9 @@ module QA
             has_element?('input[aria-label="input"]')
           end
 
-          def has_committed_successfully?
+          def commit_shows_message?(expected_message)
             within_vscode_editor do
-              has_text?('Success! Your changes have been committed.')
+              has_text?(expected_message)
             end
           end
 
@@ -201,9 +201,9 @@ module QA
             Support::Waiter.wait_until { !has_text?("Loading GitLab Web IDE...", wait: 1) }
           end
 
-          def commit_and_push_to_existing_branch(file_name)
+          def commit_and_push_to_existing_branch(file_name, message: 'Success! Your changes have been committed.')
             commit_toggle(file_name)
-            push_to_existing_branch
+            push_to_existing_branch(message)
             Support::Waiter.wait_until { !has_text?("Loading GitLab Web IDE...", wait: 1) }
           end
 
@@ -223,11 +223,16 @@ module QA
             end
           end
 
-          def push_to_existing_branch
+          def commit_blocked_by_secret_detection(file_name)
+            commit_and_push_to_existing_branch(file_name,
+              message: 'The secret detection scan encountered one or more findings.')
+          end
+
+          def push_to_existing_branch(message)
             within_vscode_editor do
               click_continue_with_existing_branch
             end
-            raise "failed to push_to_existing_branch" unless has_committed_successfully?
+            raise "failed to push_to_existing_branch" unless commit_shows_message?(message)
           end
 
           def push_to_new_branch
@@ -237,7 +242,10 @@ module QA
               # Typing enter to 'New branch name' popup to take the default branch name
               send_keys(:enter)
             end
-            raise "failed to push_to_new_branch" unless has_committed_successfully?
+
+            return if commit_shows_message?('Success! Your changes have been committed.')
+
+            raise "failed to push_to_new_branch"
           end
 
           def create_merge_request
@@ -278,15 +286,22 @@ module QA
           end
 
           def add_prompt_into_a_file(file_name, prompt_data, wait_for_code_suggestions: true)
+            add_text_to_a_file(file_name, prompt_data) do
+              wait_until_code_suggestions_enabled if wait_for_code_suggestions
+            end
+          end
+
+          def add_text_to_a_file(file_name, file_text)
             within_vscode_editor do
               open_file_from_explorer(file_name)
               click_inside_editor_frame
               within_file_editor do
-                wait_until_code_suggestions_enabled if wait_for_code_suggestions
+                yield if block_given?
+
                 send_keys(:enter, :enter)
 
-                # Send keys one at a time to allow suggestions request to be triggered
-                prompt_data.each_char { |c| send_keys(c) }
+                # Send keys one at a time to simulate typing
+                file_text.each_char { |c| send_keys(c) }
               end
             end
           end

spec/controllers/import/github_controller_spec.rb

@@ -59,7 +59,7 @@ RSpec.describe Import::GithubController, feature_category: :importers do
         get :callback
 
         expect(controller).to redirect_to(new_import_url)
-        expect(flash[:alert]).to eq('Access denied to your GitHub account.')
+        expect(flash[:alert]).to eq('Wrong credentials')
       end
     end
 
@@ -77,7 +77,7 @@ RSpec.describe Import::GithubController, feature_category: :importers do
         get :callback, params: { state: "different-state" }
 
         expect(controller).to redirect_to(new_import_url)
-        expect(flash[:alert]).to eq('Access denied to your GitHub account.')
+        expect(flash[:alert]).to eq('Wrong credentials')
       end
 
       it "updates access token if state param is valid" do
@@ -180,7 +180,7 @@ RSpec.describe Import::GithubController, feature_category: :importers do
 
         expect(session[:"#{provider}_access_token"]).to be_nil
         expect(controller).to redirect_to(new_import_url)
-        expect(flash[:alert]).to eq("Access denied to your #{Gitlab::ImportSources.title(provider.to_s)} account.")
+        expect(flash[:alert]).to eq("Wrong credentials")
       end
     end
 

spec/frontend/work_items/components/create_work_item_spec.js

@@ -20,6 +20,7 @@ import TitleSuggestions from '~/issues/new/components/title_suggestions.vue';
 import {
   WORK_ITEM_TYPE_ENUM_EPIC,
   WORK_ITEM_TYPE_ENUM_ISSUE,
+  WORK_ITEM_TYPE_ENUM_INCIDENT,
   WORK_ITEM_TYPE_VALUE_INCIDENT,
   WORK_ITEM_TYPE_VALUE_ISSUE,
   WORK_ITEM_TYPE_VALUE_MAP,
@@ -545,6 +546,43 @@ describe('Create work item component', () => {
     });
   });
 
+  describe('Create work item widgets for Incident work item type', () => {
+    describe('default', () => {
+      beforeEach(async () => {
+        createComponent({ workItemTypeName: WORK_ITEM_TYPE_ENUM_INCIDENT });
+        await waitForPromises();
+      });
+
+      it('renders the work item title widget', () => {
+        expect(findTitleInput().exists()).toBe(true);
+      });
+
+      it('renders the work item description widget', () => {
+        expect(findDescriptionWidget().exists()).toBe(true);
+      });
+
+      it('renders the work item assignees widget', () => {
+        expect(findAssigneesWidget().exists()).toBe(true);
+      });
+
+      it('renders the work item labels widget', () => {
+        expect(findLabelsWidget().exists()).toBe(true);
+      });
+
+      it('renders the work item CRM contacts widget', () => {
+        expect(findCrmContactsWidget().exists()).toBe(true);
+      });
+
+      it('renders the work item milestone widget', () => {
+        expect(findMilestoneWidget().exists()).toBe(true);
+      });
+
+      it('does not renders the work item parent widget', () => {
+        expect(findParentWidget().exists()).toBe(false);
+      });
+    });
+  });
+
   describe('With related item', () => {
     const id = 'gid://gitlab/WorkItem/1';
     const type = 'Epic';

spec/lib/api/helpers/import_github_helpers_spec.rb

@@ -32,7 +32,7 @@ RSpec.describe API::Helpers::ImportGithubHelpers, feature_category: :importers d
 
   describe '#provider_unauthorized' do
     it 'raises an error' do
-      expect(subject).to receive(:error!).with('Access denied to your GitHub account.', 401)
+      expect(subject).to receive(:error!).with('Wrong credentials', 401)
       subject.provider_unauthorized
     end
   end

spec/models/commit_spec.rb

@@ -556,7 +556,7 @@ EOS
     context 'of a regular commit' do
       let(:commit) { project.commit('video') }
 
-      it { expect(commit.cherry_pick_message(user)).to include("\n\n(cherry-picked from commit 88790590ed1337ab189bccaa355f068481c90bec)") }
+      it { expect(commit.cherry_pick_message(user)).to include("\n\n(cherry picked from commit 88790590ed1337ab189bccaa355f068481c90bec)") }
     end
 
     context 'of a merge commit' do
@@ -592,7 +592,7 @@ EOS
         it do
           expected_appended_text = <<~STR.rstrip
 
-            (cherry-picked from commit #{merge_commit.sha})
+            (cherry picked from commit #{merge_commit.sha})
 
             467dc98f Add new 'videos' directory
             88790590 Upload new video file
@@ -604,7 +604,7 @@ EOS
 
       context "that is existing but not found" do
         it 'does not include details of the merged commits' do
-          expect(merge_commit.cherry_pick_message(user)).to end_with("(cherry-picked from commit #{merge_commit.sha})")
+          expect(merge_commit.cherry_pick_message(user)).to end_with("(cherry picked from commit #{merge_commit.sha})")
         end
       end
     end

spec/services/commits/cherry_pick_service_spec.rb

@@ -51,7 +51,7 @@ RSpec.describe Commits::CherryPickService, feature_category: :source_code_manage
         commit = branch.dereferenced_target
         expect(commit.author_name).to eq(user.name)
         expect(commit.author_email).to eq(user.email)
-        expect(commit.message).to include("(cherry-picked from commit #{merge_commit_sha})")
+        expect(commit.message).to include("(cherry picked from commit #{merge_commit_sha})")
         expect(commit.message).to include(
           "Co-authored-by: #{source_commit.author_name} <#{source_commit.author_email}>"
         )

spec/support/shared_examples/controllers/githubish_import_controller_shared_examples.rb

@@ -116,7 +116,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: GET status' do
 
     expect(session[:"#{provider}_access_token"]).to be_nil
     expect(controller).to redirect_to(new_import_url)
-    expect(flash[:alert]).to eq("Access denied to your #{Gitlab::ImportSources.title(provider.to_s)} account.")
+    expect(flash[:alert]).to eq("Wrong credentials")
   end
 
   it "does not produce N+1 database queries" do