Add latest changes from gitlab-org/gitlab@master

.gitlab/ci/global.gitlab-ci.yml

@@ -551,6 +551,28 @@
     CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: 1
     CLICKHOUSE_DB: gitlab_clickhouse_test
 
+.use-pg16-clickhouse24:
+  extends: .use-pg16
+  services:
+    - !reference [.db-services-with-auto-explain, services]
+    - name: clickhouse/clickhouse-server:24.9.1.3278-alpine
+      alias: clickhouse
+  variables:
+    CLICKHOUSE_USER: default
+    CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: 1
+    CLICKHOUSE_DB: gitlab_clickhouse_test
+
+.use-pg16-clickhouse25:
+  extends: .use-pg16
+  services:
+    - !reference [.db-services-with-auto-explain, services]
+    - name: clickhouse/clickhouse-server:25.4-alpine
+      alias: clickhouse
+  variables:
+    CLICKHOUSE_USER: default
+    CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: 1
+    CLICKHOUSE_DB: gitlab_clickhouse_test
+
 .as-if-foss:
   variables:
     FOSS_ONLY: '1'

.gitlab/ci/rails.gitlab-ci.yml

@@ -393,17 +393,39 @@ rspec ci-config-validation mr-pipelines:
     - !reference [.base-script, script]
     - rspec_section rspec_simple_job "--tag ci_config_validation -- spec/dot_gitlab_ci/ci_configuration_validation/merge_request_pipeline_spec.rb"
 
-gitlab:clickhouse:rollback:main:
+gitlab:clickhouse-23:rollback:main:
   extends:
     - .rspec-base
-    - .production  # Disable webmock from test environment
+    - .production
     - .use-pg16-clickhouse23
     - .rails:rules:clickhouse-changes
   script:
-    - cp config/click_house.yml.example config/click_house.yml
-    - 'sed -i "s|url:.*$|url: http://clickhouse:8123|g" config/click_house.yml'
+    - !reference [.clickhouse-setup, script]
+    - 'sed -i "s|test:$|production:|g" config/click_house.yml'
+    - bundle exec rake gitlab:clickhouse:migrate &&
+      bundle exec rake gitlab:clickhouse:rollback:main VERSION=0
+
+gitlab:clickhouse-24:rollback:main:
+  extends:
+    - .rspec-base
+    - .production
+    - .use-pg16-clickhouse24
+    - .rails:rules:clickhouse-changes
+  script:
+    - !reference [.clickhouse-setup, script]
+    - 'sed -i "s|test:$|production:|g" config/click_house.yml'
+    - bundle exec rake gitlab:clickhouse:migrate &&
+      bundle exec rake gitlab:clickhouse:rollback:main VERSION=0
+
+gitlab:clickhouse-25:rollback:main:
+  extends:
+    - .rspec-base
+    - .production
+    - .use-pg16-clickhouse25
+    - .rails:rules:clickhouse-changes
+  script:
+    - !reference [.clickhouse-setup, script]
     - 'sed -i "s|test:$|production:|g" config/click_house.yml'
-    - !reference [.base-script, script]
     - bundle exec rake gitlab:clickhouse:migrate &&
       bundle exec rake gitlab:clickhouse:rollback:main VERSION=0
 

.gitlab/ci/rails/shared.gitlab-ci.yml

@@ -34,6 +34,12 @@ include:
   variables:
     USE_REDIS_CLUSTER: "false"
 
+.clickhouse-setup:
+  script:
+    - !reference [.base-script, script]
+    - cp config/click_house.yml.example config/click_house.yml
+    - 'sed -i "s|url:.*$|url: http://clickhouse:8123|g" config/click_house.yml'
+
 .single-db:
   variables:
     DECOMPOSED_DB: "false"
@@ -248,9 +254,23 @@ include:
     - .rspec-base
     - .use-pg16-clickhouse23
   script:
-    - cp config/click_house.yml.example config/click_house.yml
-    - 'sed -i "s|url:.*$|url: http://clickhouse:8123|g" config/click_house.yml'
-    - !reference [.base-script, script]
+    - !reference [.clickhouse-setup, script]
+    - rspec_section rspec_parallelized_job "--fail-fast=${RSPEC_FAIL_FAST_THRESHOLD} --tag click_house"
+
+.rspec-base-pg16-clickhouse24:
+  extends:
+    - .rspec-base
+    - .use-pg16-clickhouse24
+  script:
+    - !reference [.clickhouse-setup, script]
+    - rspec_section rspec_parallelized_job "--fail-fast=${RSPEC_FAIL_FAST_THRESHOLD} --tag click_house"
+
+.rspec-base-pg16-clickhouse25:
+  extends:
+    - .rspec-base
+    - .use-pg16-clickhouse25
+  script:
+    - !reference [.clickhouse-setup, script]
     - rspec_section rspec_parallelized_job "--fail-fast=${RSPEC_FAIL_FAST_THRESHOLD} --tag click_house"
 
 .rspec-base-pg14:

.rubocop_todo/rspec/no_expectation_example.yml

@@ -47,9 +47,6 @@ RSpec/NoExpectationExample:
     - 'qa/qa/specs/features/browser_ui/4_verify/ci_variable/ui_variable_inheritable_when_forward_pipeline_variables_true_spec.rb'
     - 'qa/qa/specs/features/browser_ui/4_verify/ci_variable/ui_variable_non_inheritable_when_forward_pipeline_variables_false_spec.rb'
     - 'qa/qa/specs/features/ee/api/2_plan/epics_to_work_items_sync_spec.rb'
-    - 'qa/qa/specs/features/ee/browser_ui/10_govern/change_vulnerability_status_spec.rb'
-    - 'qa/qa/specs/features/ee/browser_ui/10_govern/group/group_ldap_sync_spec.rb'
-    - 'qa/qa/specs/features/ee/browser_ui/10_govern/security_reports_spec.rb'
     - 'qa/qa/specs/features/ee/browser_ui/12_systems/geo/wiki_ssh_push_spec.rb'
     - 'qa/spec/specs/helpers/context_selector_spec.rb'
     - 'qa/spec/specs/helpers/feature_flag_spec.rb'

DUO_WORKFLOW_EXECUTOR_VERSION

@@ -1 +1 @@
-0.0.35
+0.0.37

app/assets/javascripts/groups/your_work/constants.js

@@ -23,6 +23,7 @@ const baseTab = {
   query: groupsQuery,
   queryPath: 'groups',
   listComponent: NestedGroupsProjectsList,
+  queryErrorMessage: __("Your groups couldn't be loaded. Refresh the page to try again."),
 };
 
 export const MEMBER_TAB = {

app/assets/javascripts/groups_projects/components/tab_view.vue

@@ -21,11 +21,6 @@ export default {
   PAGINATION_TYPE_KEYSET,
   PAGINATION_TYPE_OFFSET,
   name: 'TabView',
-  i18n: {
-    errorMessage: __(
-      'An error occurred loading the projects. Please refresh the page to try again.',
-    ),
-  },
   components: {
     GlLoadingIcon,
     GlKeysetPagination,
@@ -131,7 +126,7 @@ export default {
           this.$emit('query-complete');
         },
         error(error) {
-          createAlert({ message: this.$options.i18n.errorMessage, error, captureError: true });
+          createAlert({ message: this.queryErrorMessage, error, captureError: true });
         },
       };
     },
@@ -207,6 +202,9 @@ export default {
 
       return baseProps;
     },
+    queryErrorMessage() {
+      return this.tab.queryErrorMessage || __('An error occurred. Refresh the page to try again.');
+    },
   },
   watch: {
     'items.count': function watchCount(newCount) {
@@ -275,7 +273,7 @@ export default {
 
         item.children = this.tab.formatter(nodes);
       } catch (error) {
-        createAlert({ message: this.$options.i18n.errorMessage, error, captureError: true });
+        createAlert({ message: this.queryErrorMessage, error, captureError: true });
       } finally {
         item.childrenLoading = false;
       }

app/assets/javascripts/projects/your_work/constants.js

@@ -26,6 +26,7 @@ const baseTab = {
     type: TYPES.filter,
   },
   formatter: formatProjects,
+  queryErrorMessage: __("Your projects couldn't be loaded. Refresh the page to try again."),
 };
 
 export const CONTRIBUTED_TAB = {

db/click_house/migrate/main/20240115122100_drop_audit_events.rb

@@ -28,10 +28,5 @@ class DropAuditEvents < ClickHouse::Migration
       PARTITION BY toYear(created_at)
       ORDER BY (entity_type, entity_id, author_id, created_at, id);
     SQL
-
-    execute <<~SQL
-      ALTER TABLE audit_events
-      ADD PROJECTION IF NOT EXISTS by_id (SELECT * ORDER BY id);
-    SQL
   end
 end

db/click_house/migrate/main/20240618120011_create_duo_chat_events_table.rb

@@ -17,7 +17,7 @@ class CreateDuoChatEventsTable < ClickHouse::Migration
 
   def down
     execute <<~SQL
-      DROP VIEW IF EXISTS duo_chat_events
+      DROP TABLE IF EXISTS duo_chat_events
     SQL
   end
 end

doc/ci/ci_cd_for_external_repos/bitbucket_integration.md

@@ -65,7 +65,7 @@ To use GitLab CI/CD with a Bitbucket Cloud repository:
 1. In GitLab, from **Settings > CI/CD > Variables**, add variables to allow
    communication with Bitbucket through the Bitbucket API:
 
-   - `BITBUCKET_ACCESS_TOKEN`: The Bitbucket app password created above. This variable should be [masked](../variables/_index.md#mask-a-cicd-variable).
+   - `BITBUCKET_ACCESS_TOKEN`: The Bitbucket app password created previously. This variable should be [masked](../variables/_index.md#mask-a-cicd-variable).
    - `BITBUCKET_USERNAME`: The username of the Bitbucket account.
    - `BITBUCKET_NAMESPACE`: Set this variable if your GitLab and Bitbucket namespaces differ.
    - `BITBUCKET_REPOSITORY`: Set this variable if your GitLab and Bitbucket project names differ.
@@ -128,7 +128,7 @@ To use GitLab CI/CD with a Bitbucket Cloud repository:
    ```
 
 1. In Bitbucket, create a `.gitlab-ci.yml` file to use the script to push
-   pipeline success and failures to Bitbucket. Similar to the script added above,
+   pipeline success and failures to Bitbucket. Similar to the script added previously,
    this file is copied to the GitLab repository as part of the mirroring process.
 
    ```yaml

doc/ci/cloud_services/azure/_index.md

@@ -67,7 +67,7 @@ Instead of the Azure CLI, you can [use the Azure Portal to create these resource
 
 ## Create Azure AD federated identity credentials
 
-To create the federated identity credentials for the above Azure AD application
+To create the federated identity credentials for the previous Azure AD application
 for a specific branch in `<mygroup>/<myproject>`:
 
 ```shell
@@ -157,7 +157,7 @@ az rest --method POST --uri "https://graph.microsoft.com/beta/applications/$obje
 ## Grant permissions for the service principal
 
 After you create the credentials, use [`role assignment`](https://learn.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-create)
-to grant permissions to the above service principal to access to Azure resources:
+to grant permissions to the previous service principal so it gets access to the Azure resources:
 
 ```shell
 az role assignment create --assignee $appId --role Reader --scope /subscriptions/<subscription-id>
@@ -168,7 +168,7 @@ You can find your subscription ID in:
 - The [Azure Portal](https://learn.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription).
 - The [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/manage-azure-subscriptions-azure-cli#get-the-active-subscription).
 
-The command above grants read-only permissions to the entire subscription. For more information on applying the principle of least privilege in the context of your organization, read [Best practices for Azure AD roles](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices).
+The previous command grants read-only permissions to the entire subscription. For more information on applying the principle of least privilege in the context of your organization, read [Best practices for Azure AD roles](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices).
 
 ## Retrieve a temporary credential
 

doc/ci/docker/using_docker_build.md

@@ -364,7 +364,7 @@ To use Docker-in-Docker with TLS enabled in Kubernetes:
 
 ##### Docker-in-Docker with TLS disabled in Kubernetes
 
-To use Docker-in-Docker with TLS disabled in Kubernetes, you must adapt the example above to:
+To use Docker-in-Docker with TLS disabled in Kubernetes, you must adapt the previous example to:
 
 - Remove the `[[runners.kubernetes.volumes.empty_dir]]` section from the `values.yml` file.
 - Change the port from `2376` to `2375` with `DOCKER_HOST: tcp://docker:2375`.

doc/ci/docker/using_docker_images.md

@@ -355,11 +355,11 @@ follow these steps:
    image: registry.example.com:5000/namespace/image:tag
    ```
 
-   In the example above, GitLab Runner looks at `registry.example.com:5000` for the
+   In the previous example, GitLab Runner looks at `registry.example.com:5000` for the
    image `namespace/image:tag`.
 
 You can add configuration for as many registries as you want, adding more
-registries to the `"auths"` hash as described above.
+registries to the `"auths"` hash as described previously.
 
 The full `hostname:port` combination is required everywhere
 for the runner to match the `DOCKER_AUTH_CONFIG`. For example, if
@@ -418,7 +418,7 @@ To configure a Credentials Store:
        }
      ```
 
-   - Or, if you're running self-managed runners, add the above JSON to
+   - Or, if you're running self-managed runners, add the JSON to
      `${GITLAB_RUNNER_HOME}/.docker/config.json`. GitLab Runner reads this configuration file
      and uses the needed helper for this specific repository.
 

doc/ci/resource_groups/_index.md

@@ -249,7 +249,7 @@ first check that the resource group is working correctly:
    - If the status is `running` or `pending`, the feature is working correctly. Wait until the job finishes and releases the resource.
    - If the status is `created` and the [process mode](#process-modes) is either **Oldest first** or **Newest first**, the feature is working correctly.
      Visit the pipeline page of the job and check which upstream stage or job is blocking the execution.
-   - If none of the above conditions are met, the feature might not be working correctly. [Report the issue to GitLab](#report-an-issue).
+   - If none of the previous conditions are met, the feature might not be working correctly. [Report the issue to GitLab](#report-an-issue).
 
 1. If **View job currently using resource** is not available, the resource is not assigned to a job. Instead, check the resource's upcoming jobs.
 

doc/ci/secrets/convert-to-id-tokens.md

@@ -172,8 +172,8 @@ $ vault write auth/jwt/role/myproject-staging - <<EOF
 EOF
 ```
 
-You do not need to alter any existing role configurations except for the `bound_claims` section
-Make sure to add the `iss` configuration as shown above to ensure Vault accepts
+You do not need to alter any existing role configurations except for the `bound_claims` section.
+Make sure to add the `iss` configuration as shown previously, to ensure Vault accepts
 the prefixed and non-prefixed `iss` claim for this role.
 
 You must apply this change to all JWT roles used for the GitLab integration before moving on to the next step.

doc/ci/secrets/gcp_secret_manager.md

@@ -126,7 +126,7 @@ then you can access the secret with:
 
 ```yaml
 job_using_gcp_sm:
-  # ... configured as above ...
+  # ... as previously configured ...
   secrets:
     DATABASE_PASSWORD:
       gcp_secret_manager:

doc/ci/secrets/hashicorp_vault.md

@@ -265,7 +265,7 @@ specifies the name for the Identity alias created by Vault upon a successful log
 configures the interpretation of the `bound_claims` values. If set to `glob`, the values are interpreted as globs,
 with `*` matching any number of characters.
 
-The claim fields listed in [the table above](#hashicorp-vault-secrets-integration) can also be accessed for
+The claim fields listed in [the previous table](#hashicorp-vault-secrets-integration) can also be accessed for
 [Vault's policy path templating](https://developer.hashicorp.com/vault/tutorials/policies/policy-templating?in=vault%2Fpolicies)
 purposes by using the accessor name of the JWT auth in Vault.
 The [mount accessor name](https://developer.hashicorp.com/vault/tutorials/auth-methods/identity#step-1-create-an-entity-with-alias)
@@ -279,7 +279,7 @@ path "secret/data/{{identity.entity.aliases.ACCESSOR_NAME.metadata.project_path}
 }
 ```
 
-Role example to support the templated policy above, mapping the claim field `project_path`
+Role example to support the previous templated policy mapping the claim field, `project_path`,
 as a metadata field through use of [`claim_mappings`](https://developer.hashicorp.com/vault/api-docs/auth/jwt#claim_mappings)
 configuration:
 

doc/development/go_guide/go_upgrade.md

@@ -68,89 +68,20 @@ The upgrade process involves several key steps:
 
 #### Tracking work
 
-Use [the product categories page](https://handbook.gitlab.com/handbook/product/categories/)
-if you need help finding the correct person or labels:
-
-1. Create the epic in `gitlab-org` group:
-   - Title the epic `Update Go version to <VERSION_NUMBER>`.
-   - Ping the engineering managers responsible for [the projects listed below](#known-dependencies-using-go).
-     - Most engineering managers can be identified on
-       [the product page](https://handbook.gitlab.com/handbook/product/categories/) or the
-       [feature page](https://handbook.gitlab.com/handbook/product/categories/features/).
-     - If you still can't find the engineering manager, use
-       [Git blame](../../user/project/repository/files/git_blame.md) to identify a maintainer
-       involved in the project.
-
-1. Create an upgrade issue for each dependency in the
-   [location indicated below](#known-dependencies-using-go) titled
-   `Support building with Go <VERSION_NUMBER>`. Add the proper labels to each issue
-   for easier triage. These should include the stage, group and section.
-   - The issue should be assigned by a member of the maintaining group.
-   - The milestone should be assigned by a member of the maintaining group.
-
-   {{< alert type="note" >}}
-
-   Some overlap exists between project dependencies. When creating an issue for a
-   dependency that is part of a larger product, note the relationship in the issue
-   body. For example: Projects built in the context of Omnibus GitLab have their
-   runtime Go version managed by Omnibus, but "support" and compatibility should
-   be a concern of the individual project. Issues in the parent project's dependencies
-   issue should be about adding support for the updated Go version.
-
-   {{< /alert >}}
-
-   {{< alert type="note" >}}
-
-   The upgrade issues must include [upgrade validation items](#upgrade-validation)
-   in their definition of done. Creating a second [performance testing issue](#upgrade-validation)
-   titled `Validate operation and performance at scale with Go <VERSION_NUMBER>`
-   is strongly recommended to help with scheduling tasks and managing workloads.
-   {{< /alert >}}
-
-1. Schedule an update with the [GitLab Development Kit](https://gitlab.com/gitlab-org/gitlab-development-kit/-/issues):
-   - Title the issue `Support using Go version <VERSION_NUMBER>`.
-   - Set the issue as related to every issue created in the previous step.
-1. Schedule one issue per Sec Section team that maintains Go based Security Analyzers and add the `section::sec` label to each:
-   - [Static Analysis tracker](https://gitlab.com/gitlab-org/gitlab/-/issues).
-   - [Composition Analysis tracker](https://gitlab.com/gitlab-org/gitlab/-/issues).
-   - [Container Security tracker](https://gitlab.com/gitlab-org/gitlab/-/issues).
-
-   {{< alert type="note" >}}
-
-   Updates to these Security analyzers should not block upgrades to Charts or Omnibus since
-   the analyzers are built independently as separate container images.
-
-   {{< /alert >}}
-
-1. Schedule builder updates with Distribution projects:
-   - Dependency and GitLab Development Kit issues created in previous steps should be set as blockers.
-   - Each issue should have the title `Support building with Go <VERSION_NUMBER>` and description as noted:
-     - [Cloud-Native GitLab](https://gitlab.com/gitlab-org/charts/gitlab/-/issues)
-
-       ```plaintext
-       Update the `GO_VERSION` in `ci_files/variables.yml`.
-       ```
-
-     - [Omnibus GitLab Builder](https://gitlab.com/gitlab-org/gitlab-omnibus-builder/-/issues)
-
-       ```plaintext
-       Update `GO_VERSION` in `docker/VERSIONS`.
-       ```
-
-     - [Omnibus GitLab](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues)
-
-       ```plaintext
-       Update `BUILDER_IMAGE_REVISION` in `.gitlab-ci.yml` to match tag from builder.
-       ```
-
-   {{< alert type="note" >}}
-
-   If the component is not automatically upgraded for [Omnibus GitLab](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues)
-   and [Cloud Native GitLab](https://gitlab.com/gitlab-org/charts/gitlab/-/issues),
-   issues should be opened in their respective trackers titled `Updated bundled version of COMPONENT_NAME`
-   and set as blocked by the component's upgrade issue.
-
-   {{< /alert >}}
+1. Navigate to the [Build Architecture Configuration pipelines page](https://gitlab.com/gitlab-org/distribution/build-architecture/framework/configuration/-/pipelines).
+1. Create a new pipeline for a dry run with these variables:
+   - Set `COMPONENT_UPGRADE` to `true`.
+   - Set `COMPONENT_NAME` to `golang.`
+   - Set `COMPONENT_VERSION` to the target upgrade version.
+1. Run the pipeline.
+1. Check for errors in the dry run pipeline. If any subscriber files throw errors because labels changed or directly responsible individuals are no
+   longer valid, contact the subscriber project and request they update their configuration.
+1. After a successful dry-run pipeline, create another pipeline with these variables to create the upgrade epic and all associated issues:
+   - Set `COMPONENT_UPGRADE` to `true`.
+   - Set `COMPONENT_NAME` to `golang.`
+   - Set `COMPONENT_VERSION` to the target upgrade version.
+   - Set `EPIC_DRY_RUN` to `false`.
+1. Run the pipeline.
 
 #### Known dependencies using Go
 

doc/user/application_security/dependency_scanning/static_reachability.md

@@ -54,16 +54,30 @@ Prerequisites:
   Make sure you follow the [pip](dependency_scanning_sbom/_index.md#pip) or [pipenv](dependency_scanning_sbom/_index.md#pipenv)
   related instructions for dependency scanning using SBOM. You can also use any other Python package manager that is [supported](https://gitlab.com/gitlab-org/security-products/analyzers/dependency-scanning#supported-files) by the DS analyzer.
 
-To enable static reachability analysis:
+To enable static reachability analysis from GitLab 18.0 and later:
 
-- Set the CI/CD variable DS_STATIC_REACHABILITY_ENABLED to `true`
+- Set the CI/CD variable `DS_STATIC_REACHABILITY_ENABLED` to `true`
 
-<details><summary>If you are using GitLab release `17.11.x` continue with these instructions</summary>
+Static reachability is integrated into the `dependency-scanning` job of the latest Dependency-Scanning template.
+Alternatively you can enable Static Reachability by including the [Dependency Scanning component](https://gitlab.com/components/dependency-scanning) rather than using the standard Dependency-Scanning template.
+
+```yaml
+include:
+  - component: ${CI_SERVER_FQDN}/components/dependency-scanning/main@0
+    inputs:
+      enable_static_reachability: true
+    rules:
+      - if: $CI_SERVER_HOST == "gitlab.com"
+```
+
+Please notice that to use GitLab.com components on a GitLab Self-Managed instance, you [must mirror](../../../ci/components/_index.md#use-a-gitlabcom-component-on-gitlab-self-managed) the component project.
+
+Static reachability analysis functionality is supported in [Dependency Scanning analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/dependency-scanning) version `0.23.0` and all subsequent versions.
+
+<details><summary>If you are using GitLab 17.11 follow these instructions to enable Static Reachability Analysis</summary>
 
 - Make sure you extend `dependency-scanning-with-reachability` needs section to depend on the build job that creates the artifact required by the DS analyzer.
 
-Enabling static reachability for non SaaS users using `17.11.x` release:
-
 ```yaml
 stages:
   - build
@@ -100,7 +114,7 @@ dependency-scanning-with-reachability:
       artifacts: true
 ```
 
-Static reachability introduces two key jobs:
+Static reachability in 17.11 introduces two key jobs:
 
 - `gitlab-static-reachability`: Performs Static Reachability Analysis (SRA) on your Python files.
 - `dependency-scanning-with-reachability`: Executes dependency scanning and generates an SBOM report enriched with reachability data. This job requires the artifact output from the `gitlab-static-reachability` job.
@@ -116,16 +130,6 @@ dependency scanning without adding reachability data to the SBOM.
 
 </details>
 
-Static reachability is currently integrated into the `dependency-scanning` job of the latest dependency scanning template for GitLab.com users, and will be available to all GitLab users with the 18.0 release.
-
-Static reachability analysis functionality is supported in [Dependency Scanning analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/dependency-scanning) version `0.23.0` and all subsequent versions.
-
-{{< alert type="warning" >}}
-
-Changes to the CI/CD configuration for static reachability integration are proposed for the GA release.
-
-{{< /alert >}}
-
 ## How static reachability analysis works
 
 Static reachability analysis requires two key components:

gems/activerecord-gitlab/lib/active_record/gitlab_patches.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 require "active_record"
+require_relative "gitlab_patches/abstract_adapter"
+require_relative "gitlab_patches/attribute_methods"
 require_relative "gitlab_patches/version"
 require_relative "gitlab_patches/rescue_from"
 require_relative "gitlab_patches/relation/find_or_create_by"

gems/activerecord-gitlab/lib/active_record/gitlab_patches/abstract_adapter.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+if defined?(Gitlab) && ActiveRecord.version.to_s != '7.1.5.1'
+  raise "This patch is only needed in Rails 7.1.5.1 for https://github.com/rails/rails/issues/51780"
+end
+
+# rubocop:disable Lint/RescueException -- This is copied directly from Rails.
+# rubocop:disable Lint/AmbiguousOperatorPrecedence -- This is a Rails patch.
+# rubocop:disable Naming/RescuedExceptionsVariableName -- This is a Rails patch.
+# rubocop:disable Style/NumericPredicate -- This is a Rails patch.
+# rubocop:disable Cop/AvoidReturnFromBlocks -- This is a Rails patch.
+# rubocop:disable Style/RescueStandardError -- This is a Rails patch.
+module ActiveRecord
+  module ConnectionAdapters
+    class AbstractAdapter
+      # Add the new method that wraps configure_connection with exception handling
+      def attempt_configure_connection
+        configure_connection
+      rescue Exception # Need to handle things such as Timeout::ExitException
+        disconnect!
+        raise
+      end
+
+      # Disconnects from the database if already connected, and establishes a new
+      # connection with the database. Implementors should define private #reconnect
+      # instead.
+      def reconnect!(restore_transactions: false)
+        retries_available = connection_retries
+        deadline = retry_deadline && Process.clock_gettime(Process::CLOCK_MONOTONIC) + retry_deadline
+
+        @lock.synchronize do
+          reconnect
+
+          enable_lazy_transactions!
+          @raw_connection_dirty = false
+          @verified = true
+
+          reset_transaction(restore: restore_transactions) do
+            clear_cache!(new_connection: true)
+            attempt_configure_connection
+          end
+        rescue => original_exception
+          translated_exception = translate_exception_class(original_exception, nil, nil)
+          retry_deadline_exceeded = deadline && deadline < Process.clock_gettime(Process::CLOCK_MONOTONIC)
+
+          if !retry_deadline_exceeded && retries_available > 0
+            retries_available -= 1
+
+            if retryable_connection_error?(translated_exception)
+              backoff(connection_retries - retries_available)
+              retry
+            end
+          end
+
+          @verified = false
+
+          raise translated_exception
+        end
+      end
+
+      # Reset the state of this connection, directing the DBMS to clear
+      # transactions and other connection-related server-side state. Usually a
+      # database-dependent operation.
+      #
+      # If a database driver or protocol does not support such a feature,
+      # implementors may alias this to #reconnect!. Otherwise, implementors
+      # should call super immediately after resetting the connection (and while
+      # still holding @lock).
+      def reset!
+        clear_cache!(new_connection: true)
+        reset_transaction
+        attempt_configure_connection
+      end
+
+      # Checks whether the connection to the database is still active (i.e. not stale).
+      # This is done under the hood by calling #active?. If the connection
+      # is no longer active, then this method will reconnect to the database.
+      def verify!
+        unless active?
+          @lock.synchronize do
+            if @unconfigured_connection
+              @raw_connection = @unconfigured_connection
+              @unconfigured_connection = nil
+              attempt_configure_connection
+              @verified = true
+              return
+            end
+
+            reconnect!(restore_transactions: true)
+          end
+        end
+
+        @verified = true
+      end
+    end
+  end
+end
+# rubocop:enable Lint/RescueException
+# rubocop:enable Lint/AmbiguousOperatorPrecedence
+# rubocop:enable Naming/RescuedExceptionsVariableName
+# rubocop:enable Style/NumericPredicate
+# rubocop:enable Cop/AvoidReturnFromBlocks
+# rubocop:enable Style/RescueStandardError

gems/activerecord-gitlab/lib/active_record/gitlab_patches/attribute_methods.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+if defined?(Gitlab) && ActiveRecord.version.to_s != '7.1.5.1'
+  raise "This patch is only needed in Rails 7.1.5.1 for https://github.com/rails/rails/issues/51780"
+end
+
+# rubocop:disable Layout/EmptyLinesAroundAccessModifier -- This is copied directly from Rails.
+# rubocop:disable Layout/IndentationWidth -- This is copied directly from Rails.
+# rubocop:disable Layout/IndentationConsistency -- This is copied directly from Rails.
+# rubocop:disable Style/MissingRespondToMissing -- This is copied directly from Rails.
+# rubocop:disable Cop/LineBreakAroundConditionalBlock -- This is copied directly from Rails.
+# rubocop:disable Style/IfUnlessModifier -- This is copied directly from Rails.
+# rubocop:disable GitlabSecurity/PublicSend -- This is copied directly from Rails.
+module ActiveRecord
+  module AttributeMethods
+    private
+      def method_missing(name, ...)
+        unless self.class.attribute_methods_generated?
+          if self.class.method_defined?(name)
+            # The method is explicitly defined in the model, but calls a generated
+            # method with super. So we must resume the call chain at the right setp.
+            last_method = method(name)
+            last_method = last_method.super_method while last_method.super_method
+            self.class.define_attribute_methods
+            if last_method.super_method
+              return last_method.super_method.call(...)
+            end
+          elsif self.class.define_attribute_methods | self.class.generate_alias_attributes
+            # Some attribute methods weren't generated yet, we retry the call
+            return public_send(name, ...)
+          end
+        end
+
+        super
+      end
+  end
+end
+# rubocop:enable Layout/EmptyLinesAroundAccessModifier
+# rubocop:enable Layout/IndentationWidth
+# rubocop:enable Layout/IndentationConsistency
+# rubocop:enable Style/MissingRespondToMissing
+# rubocop:enable Cop/LineBreakAroundConditionalBlock
+# rubocop:enable Style/IfUnlessModifier
+# rubocop:enable GitlabSecurity/PublicSend

locale/gitlab.pot

@@ -4048,6 +4048,9 @@ msgstr ""
 msgid "AdminAIPoweredFeatures|Feature"
 msgstr ""
 
+msgid "AdminAIPoweredFeatures|GitLab Default"
+msgstr ""
+
 msgid "AdminAIPoweredFeatures|GitLab Duo Chat"
 msgstr ""
 
@@ -6995,9 +6998,6 @@ msgstr ""
 msgid "An error occurred loading the project counts."
 msgstr ""
 
-msgid "An error occurred loading the projects. Please refresh the page to try again."
-msgstr ""
-
 msgid "An error occurred loading the tab counts."
 msgstr ""
 
@@ -7346,6 +7346,9 @@ msgstr ""
 msgid "An error occurred. Please try again."
 msgstr ""
 
+msgid "An error occurred. Refresh the page to try again."
+msgstr ""
+
 msgid "An error occurred. Unable to reopen this merge request."
 msgstr ""
 
@@ -35539,6 +35542,9 @@ msgstr ""
 msgid "LDAP|Default, minimum permission level for LDAP group members of %{group_name}."
 msgstr ""
 
+msgid "LDAP|Group cn"
+msgstr ""
+
 msgid "LDAP|If you do not belong to this LDAP user filter you will lose ownership of %{group_name}."
 msgstr ""
 
@@ -35575,6 +35581,9 @@ msgstr ""
 msgid "LDAP|This query must use valid %{ldap_link_start}LDAP Search Filter Syntax%{ldap_link_end}. Synchronize %{group_name}'s members with this LDAP user filter."
 msgstr ""
 
+msgid "LDAP|User filter"
+msgstr ""
+
 msgid "LDAP|You can manage permission levels for individual group members in the Members tab."
 msgstr ""
 
@@ -39514,6 +39523,12 @@ msgstr ""
 msgid "ModelRegistry|versions"
 msgstr ""
 
+msgid "ModelSelection|Manage GitLab Duo by configuring and assigning models to AI-native features."
+msgstr ""
+
+msgid "ModelSelection|Model Selection"
+msgstr ""
+
 msgid "Modified"
 msgstr ""
 
@@ -71325,6 +71340,9 @@ msgstr[1] ""
 msgid "Your group %{group_name} has been marked for deletion and will be removed in %{days}."
 msgstr ""
 
+msgid "Your groups couldn't be loaded. Refresh the page to try again."
+msgstr ""
+
 msgid "Your instance has %{remaining_user_count} users remaining of the %{total_user_count} in your subscription. When there are no more seats, users cannot be invited or added to the instance."
 msgstr ""
 
@@ -71436,6 +71454,9 @@ msgstr ""
 msgid "Your projects"
 msgstr ""
 
+msgid "Your projects couldn't be loaded. Refresh the page to try again."
+msgstr ""
+
 msgid "Your public email will be displayed on your public profile."
 msgstr ""
 

qa/qa/specs/features/api/10_software_supply_chain_security/group_access_token_spec.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern' do
+  RSpec.describe 'Software Supply Chain Security' do
     describe 'Group access token', product_group: :authentication do
       include QA::Support::Helpers::Project
 

qa/qa/specs/features/api/10_software_supply_chain_security/project_access_token_spec.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern' do
+  RSpec.describe 'Software Supply Chain Security' do
     describe 'Project access token', product_group: :authentication do
       include QA::Support::Helpers::Project
 

qa/qa/specs/features/browser_ui/10_software_supply_chain_security/group/group_access_token_spec.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern' do
+  RSpec.describe 'Software Supply Chain Security' do
     describe 'Group access tokens', product_group: :authentication do
       let(:group_access_token) { QA::Resource::GroupAccessToken.fabricate_via_browser_ui! }
 

qa/qa/specs/features/browser_ui/10_software_supply_chain_security/login/2fa_recovery_spec.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern', :requires_admin, :skip_live_env do
+  RSpec.describe 'Software Supply Chain Security', :requires_admin, :skip_live_env do
     describe '2FA', product_group: :authentication do
       let(:owner_user) { Runtime::User::Store.test_user }
       let(:owner_api_client) { owner_user.api_client }

qa/qa/specs/features/browser_ui/10_software_supply_chain_security/login/2fa_ssh_recovery_spec.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern', :requires_admin, :skip_live_env,
+  RSpec.describe 'Software Supply Chain Security', :requires_admin, :skip_live_env,
     product_group: :authentication do
     describe '2FA' do
       let!(:user) { Runtime::User::Store.test_user }

qa/qa/specs/features/browser_ui/10_software_supply_chain_security/login/log_in_spec.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern', :smoke, :health_check, :mobile, product_group: :authentication do
+  RSpec.describe 'Software Supply Chain Security', :smoke, :health_check, :mobile, product_group: :authentication do
     describe 'basic user login' do
       it 'user logs in using basic credentials and logs out',
         testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347880' do

qa/qa/specs/features/browser_ui/10_software_supply_chain_security/login/log_in_with_2fa_spec.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern', :requires_admin, product_group: :authentication do
+  RSpec.describe 'Software Supply Chain Security', :requires_admin, product_group: :authentication do
     describe '2FA' do
       let!(:owner_user) { create(:user, :with_personal_access_token, username: "owner_user_#{SecureRandom.hex(4)}") }
       let!(:owner_api_client) { owner_user.api_client }

qa/qa/specs/features/browser_ui/10_software_supply_chain_security/login/log_into_gitlab_via_ldap_spec.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern', :orchestrated, :ldap_no_tls, :ldap_tls, product_group: :authentication do
+  RSpec.describe 'Software Supply Chain Security', :orchestrated, :ldap_no_tls, :ldap_tls,
+    product_group: :authentication do
     describe 'LDAP login' do
       it 'user logs into GitLab using LDAP credentials',
         testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347892' do

qa/qa/specs/features/browser_ui/10_software_supply_chain_security/login/log_into_mattermost_via_gitlab_spec.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern', :orchestrated, :mattermost, product_group: :authentication do
+  RSpec.describe 'Software Supply Chain Security', :orchestrated, :mattermost, product_group: :authentication do
     describe 'Mattermost login' do
       it 'user logs into Mattermost using GitLab OAuth',
         testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347891' do

qa/qa/specs/features/browser_ui/10_software_supply_chain_security/login/login_via_instance_wide_saml_sso_spec.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern', :orchestrated, :instance_saml, product_group: :authentication do
+  RSpec.describe 'Software Supply Chain Security', :orchestrated, :instance_saml, product_group: :authentication do
     describe 'Instance wide SAML SSO' do
       it(
         'user logs in to gitlab with SAML SSO',

qa/qa/specs/features/browser_ui/10_software_supply_chain_security/login/login_via_oauth_and_oidc_with_gitlab_as_idp_spec.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern', :skip_live_env, requires_admin: 'creates users and instance OAuth application',
+  RSpec.describe 'Software Supply Chain Security', :skip_live_env,
+    requires_admin: 'creates users and instance OAuth application',
     only: { condition: -> { Runtime::Env.release } },
     product_group: :authentication, quarantine: {
       type: :investigating,

qa/qa/specs/features/browser_ui/10_software_supply_chain_security/login/oauth_login_with_github_spec.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern', :orchestrated, :oauth, product_group: :authentication do
+  RSpec.describe 'Software Supply Chain Security', :orchestrated, :oauth, product_group: :authentication do
     describe 'OAuth' do
       it 'connects and logs in with GitHub OAuth',
         testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/402405' do

qa/qa/specs/features/browser_ui/10_software_supply_chain_security/login/register_spec.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern', :skip_signup_disabled, :requires_admin, product_group: :authentication do
+  RSpec.describe 'Software Supply Chain Security', :skip_signup_disabled, :requires_admin,
+    product_group: :authentication do
     describe 'while LDAP is enabled', :orchestrated, :ldap_no_tls,
       testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347934' do
       it 'allows the user to register and login' do

qa/qa/specs/features/browser_ui/10_software_supply_chain_security/project/project_access_token_spec.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern' do
+  RSpec.describe 'Software Supply Chain Security' do
     describe 'Project access tokens', :smoke, :health_check, product_group: :authentication do
       let(:project_access_token) { QA::Resource::ProjectAccessToken.fabricate_via_browser_ui! }
 

qa/qa/specs/features/browser_ui/10_software_supply_chain_security/user/impersonation_token_spec.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern' do
+  RSpec.describe 'Software Supply Chain Security' do
     describe 'Impersonation tokens', :requires_admin, product_group: :authentication do
       let(:admin_api_client) { Runtime::API::Client.as_admin }
 

qa/qa/specs/features/browser_ui/10_software_supply_chain_security/user/user_access_termination_spec.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Govern' do
+  RSpec.describe 'Software Supply Chain Security' do
     describe 'User', :requires_admin, :skip_live_env, product_group: :authentication do
       let!(:project) { create(:project, :with_readme, name: 'project-for-user-group-access-termination', group: group) }
 

spec/frontend/groups_projects/components/tab_view_spec.js

@@ -190,8 +190,7 @@ describe('TabView', () => {
 
         it('displays error alert', () => {
           expect(createAlert).toHaveBeenCalledWith({
-            message:
-              'An error occurred loading the projects. Please refresh the page to try again.',
+            message: "Your projects couldn't be loaded. Refresh the page to try again.",
             error,
             captureError: true,
           });
@@ -200,6 +199,26 @@ describe('TabView', () => {
     },
   );
 
+  describe('when queryErrorMessage is not defined', () => {
+    const error = new Error();
+
+    beforeEach(async () => {
+      createComponent({
+        handlers: [[CONTRIBUTED_TAB.query, jest.fn().mockRejectedValue(error)]],
+        propsData: { tab: { ...CONTRIBUTED_TAB, queryErrorMessage: undefined } },
+      });
+      await waitForPromises();
+    });
+
+    it('displays error alert with fallback message', () => {
+      expect(createAlert).toHaveBeenCalledWith({
+        message: 'An error occurred. Refresh the page to try again.',
+        error,
+        captureError: true,
+      });
+    });
+  });
+
   describe('when tab.listComponent is NestedGroupsProjectsList', () => {
     beforeEach(() => {
       mockAxios.onGet(endpoint).replyOnce(200, dashboardGroupsResponse);
@@ -290,8 +309,7 @@ describe('TabView', () => {
 
         it('displays error alert', () => {
           expect(createAlert).toHaveBeenCalledWith({
-            message:
-              'An error occurred loading the projects. Please refresh the page to try again.',
+            message: "Your groups couldn't be loaded. Refresh the page to try again.",
             error: new Error('Network Error'),
             captureError: true,
           });

spec/requests/api/users_spec.rb

@@ -5672,7 +5672,7 @@ RSpec.describe API::Users, '(API behavior when Current.organization is nil)', fe
       post api("/users", admin_no_org_context, admin_mode: true), params: user_creation_params
 
       expect(response).to have_gitlab_http_status(:internal_server_error)
-      expect(json_response['message']).to match(/NoMethodError \(undefined method `id' for nil\)/)
+      expect(json_response['message']).to match(/NoMethodError \(undefined method `id' for nil/)
     end
   end
 
@@ -5684,7 +5684,7 @@ RSpec.describe API::Users, '(API behavior when Current.organization is nil)', fe
         params: { name: 'Test Token For Target No Org', scopes: ['api'] }
 
       expect(response).to have_gitlab_http_status(:internal_server_error)
-      expect(json_response['message']).to match(/NoMethodError \(undefined method `id' for nil\)/)
+      expect(json_response['message']).to match(/NoMethodError \(undefined method `id' for nil/)
     end
   end
 
@@ -5699,7 +5699,7 @@ RSpec.describe API::Users, '(API behavior when Current.organization is nil)', fe
         }
 
       expect(response).to have_gitlab_http_status(:internal_server_error)
-      expect(json_response['message']).to match(/NoMethodError \(undefined method `id' for nil\)/)
+      expect(json_response['message']).to match(/NoMethodError \(undefined method `id' for nil/)
     end
   end
 end