Add latest changes from gitlab-org/gitlab@master

Gemfile

@@ -538,7 +538,7 @@ gem 'json', '~> 2.5.1'
 gem 'json_schemer', '~> 0.2.18'
 gem 'oj', '~> 3.13.18'
 gem 'multi_json', '~> 1.14.1'
-gem 'yajl-ruby', '~> 1.4.1', require: 'yajl'
+gem 'yajl-ruby', '~> 1.4.3', require: 'yajl'
 
 gem 'webauthn', '~> 2.3'
 

Gemfile.lock

@@ -1467,7 +1467,7 @@ GEM
     xml-simple (1.1.5)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    yajl-ruby (1.4.1)
+    yajl-ruby (1.4.3)
     yard (0.9.26)
     zeitwerk (2.6.0)
 
@@ -1765,7 +1765,7 @@ DEPENDENCIES
   webmock (~> 3.9.1)
   webrick (~> 1.6.1)
   wikicloth (= 0.8.1)
-  yajl-ruby (~> 1.4.1)
+  yajl-ruby (~> 1.4.3)
 
 BUNDLED WITH
    2.3.15

app/assets/javascripts/persistent_user_callouts.js

@@ -16,6 +16,7 @@ const PERSISTENT_USER_CALLOUTS = [
   '.js-minute-limit-banner',
   '.js-submit-license-usage-data-banner',
   '.js-project-usage-limitations-callout',
+  '.js-namespace-storage-alert',
 ];
 
 const initCallouts = () => {

app/models/users/callout.rb

@@ -55,8 +55,12 @@ module Users
       preview_user_over_limit_free_plan_alert: 50, # EE-only
       user_reached_limit_free_plan_alert: 51, # EE-only
       submit_license_usage_data_banner: 52, # EE-only
-      personal_project_limitations_banner: 53,  # EE-only
-      mr_experience_survey: 54
+      personal_project_limitations_banner: 53, # EE-only
+      mr_experience_survey: 54,
+      namespace_storage_limit_banner_info_threshold: 55, # EE-only
+      namespace_storage_limit_banner_warning_threshold: 56, # EE-only
+      namespace_storage_limit_banner_alert_threshold: 57, # EE-only
+      namespace_storage_limit_banner_error_threshold: 58 # EE-only
     }
 
     validates :feature_name,

app/models/users/group_callout.rb

@@ -17,7 +17,11 @@ module Users
       storage_enforcement_banner_fourth_enforcement_threshold: 6,
       preview_user_over_limit_free_plan_alert: 7, # EE-only
       user_reached_limit_free_plan_alert: 8, # EE-only
-      free_group_limited_alert: 9 # EE-only
+      free_group_limited_alert: 9, # EE-only
+      namespace_storage_limit_banner_info_threshold: 10, # EE-only
+      namespace_storage_limit_banner_warning_threshold: 11, # EE-only
+      namespace_storage_limit_banner_alert_threshold: 12, # EE-only
+      namespace_storage_limit_banner_error_threshold: 13 # EE-only
     }
 
     validates :group, presence: true

doc/administration/gitaly/recovery.md

@@ -296,6 +296,7 @@ sudo /opt/gitlab/embedded/bin/praefect -config /var/opt/gitlab/praefect/config.t
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitaly/-/merge_requests/3767) in GitLab 14.3.
 > - [Introduced](https://gitlab.com/gitlab-org/gitaly/-/merge_requests/4054) in GitLab 14.6, support for dry-run mode.
+> - [Introduced](https://gitlab.com/gitlab-org/gitaly/-/merge_requests/4715) in GitLab 15.3, support for removing repositories from Praefect's database.
 
 The `remove-repository` Praefect sub-command removes a repository from a Gitaly Cluster, and all state associated with a given repository including:
 
@@ -310,6 +311,9 @@ sudo /opt/gitlab/embedded/bin/praefect -config /var/opt/gitlab/praefect/config.t
 
 - Replace `<virtual-storage>` with the name of the virtual storage containing the repository.
 - Replace `<repository>` with the relative path of the repository to remove.
+- In GitLab 15.3 and later, add `-db-only` to remove the Praefect database entry without removing the on-disk repository. Use this option to remove orphaned database entries and to
+  protect on-disk repository data from deletion when a valid repository is accidentally specified. If the database entry is accidentally deleted, re-track the repository with the
+  [`track-repository` command](#manually-track-repositories).
 - In GitLab 14.6 and later, add `-apply` to run the command outside of dry-run mode and remove the repository. For example:
 
   ```shell

doc/api/graphql/reference/index.md

@@ -20453,6 +20453,10 @@ Name of the feature that the callout is for.
 | <a id="usercalloutfeaturenameenumgke_cluster_integration"></a>`GKE_CLUSTER_INTEGRATION` | Callout feature name for gke_cluster_integration. |
 | <a id="usercalloutfeaturenameenumgold_trial_billings"></a>`GOLD_TRIAL_BILLINGS` | Callout feature name for gold_trial_billings. |
 | <a id="usercalloutfeaturenameenummr_experience_survey"></a>`MR_EXPERIENCE_SURVEY` | Callout feature name for mr_experience_survey. |
+| <a id="usercalloutfeaturenameenumnamespace_storage_limit_banner_alert_threshold"></a>`NAMESPACE_STORAGE_LIMIT_BANNER_ALERT_THRESHOLD` | Callout feature name for namespace_storage_limit_banner_alert_threshold. |
+| <a id="usercalloutfeaturenameenumnamespace_storage_limit_banner_error_threshold"></a>`NAMESPACE_STORAGE_LIMIT_BANNER_ERROR_THRESHOLD` | Callout feature name for namespace_storage_limit_banner_error_threshold. |
+| <a id="usercalloutfeaturenameenumnamespace_storage_limit_banner_info_threshold"></a>`NAMESPACE_STORAGE_LIMIT_BANNER_INFO_THRESHOLD` | Callout feature name for namespace_storage_limit_banner_info_threshold. |
+| <a id="usercalloutfeaturenameenumnamespace_storage_limit_banner_warning_threshold"></a>`NAMESPACE_STORAGE_LIMIT_BANNER_WARNING_THRESHOLD` | Callout feature name for namespace_storage_limit_banner_warning_threshold. |
 | <a id="usercalloutfeaturenameenumnew_user_signups_cap_reached"></a>`NEW_USER_SIGNUPS_CAP_REACHED` | Callout feature name for new_user_signups_cap_reached. |
 | <a id="usercalloutfeaturenameenumpersonal_access_token_expiry"></a>`PERSONAL_ACCESS_TOKEN_EXPIRY` | Callout feature name for personal_access_token_expiry. |
 | <a id="usercalloutfeaturenameenumpersonal_project_limitations_banner"></a>`PERSONAL_PROJECT_LIMITATIONS_BANNER` | Callout feature name for personal_project_limitations_banner. |

doc/ci/git_submodules.md

@@ -84,3 +84,9 @@ hidden files.
 
 If there is no `.gitmodules` file, it's possible the submodule settings are in a
 [`git config`](https://www.atlassian.com/git/tutorials/setting-up-a-repository/git-config) file.
+
+### `fatal: run_command returned non-zero status` error
+
+This error can happen in a job when working with submodules and the `GIT_STRATEGY` is set to `fetch`.
+
+Setting the `GIT_STRATEGY` to `clone` should resolve the issue.

doc/user/application_security/sast/index.md

@@ -455,7 +455,7 @@ spotbugs-sast:
   dependencies:
     - build
   variables:
-    MAVEN_REPO_PATH: ./.m2/repository
+    MAVEN_REPO_PATH: $CI_PROJECT_DIR/.m2/repository
     COMPILE: "false"
   artifacts:
     reports:

doc/user/project/members/share_project_with_groups.md

@@ -29,7 +29,7 @@ You can share a project only with:
 - Groups for which you have an explicitly defined [membership](index.md).
 - Groups that contain a nested subgroup or project for which you have an explicitly defined role.
 
-Administrators can share projects with any group in the namespace.
+Administrators can share projects with any group in the instance.
 
 The primary mechanism to give a group of users, say 'Engineering', access to a project,
 say 'Project Acme', in GitLab is to make the 'Engineering' group the owner of 'Project

lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml

@@ -40,6 +40,8 @@ dast:
     - if [ -z "$DAST_WEBSITE$DAST_API_SPECIFICATION" ]; then echo "Either DAST_WEBSITE or DAST_API_SPECIFICATION must be set. See https://docs.gitlab.com/ee/user/application_security/dast/#configuration for more details." && exit 1; fi
     - /analyze
   artifacts:
+    paths:
+      - dast_artifacts/*
     reports:
       dast: gl-dast-report.json
   rules:
@@ -56,3 +58,7 @@ dast:
           $GITLAB_FEATURES =~ /\bdast\b/
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdast\b/
+  after_script:
+    # Remove any debug.log files because they might contain secrets.
+    - rm -f /zap/wrk/**/debug.log
+    - cp -r /zap/wrk dast_artifacts