From a57cec4bb89b61d210d4e413571b1d85d76179f6 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Tue, 16 Feb 2021 09:09:36 +0000
Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master

---
 .../javascripts/lib/utils/url_utility.js      | 44 +++++++++
 .../components/learn_gitlab_a.vue             | 27 ++++++
 .../components/learn_gitlab_b.vue             | 27 ++++++
 .../projects/learn_gitlab/constants/index.js  | 12 +++
 .../projects/learn_gitlab/index/index.js      | 25 +++++
 .../projects/settings/access_dropdown.js      | 79 +++++++---------
 .../content_viewer/viewers/image_viewer.vue   |  8 +-
 app/controllers/concerns/boards_responses.rb  |  6 +-
 .../projects/learn_gitlab_controller.rb       | 19 ++++
 .../settings/repository_controller.rb         |  1 -
 app/helpers/learn_gitlab_helper.rb            | 60 ++++++++++++
 app/helpers/projects_helper.rb                |  2 +
 .../clusters/applications/cert_manager.rb     |  2 +
 .../clusters/applications/crossplane.rb       |  2 +
 app/models/clusters/applications/ingress.rb   |  2 +
 app/models/clusters/applications/jupyter.rb   |  2 +
 app/models/clusters/applications/knative.rb   |  2 +
 app/models/onboarding_progress.rb             |  4 +
 .../protected_branch/push_access_level.rb     |  2 +-
 .../layouts/nav/sidebar/_project.html.haml    |  7 ++
 .../projects/learn_gitlab/index.html.haml     |  4 +
 .../_create_protected_branch.html.haml        |  4 +-
 .../_update_protected_branch.html.haml        |  4 +-
 changelogs/unreleased/deprecate_gma_apps.yml  |  5 +
 ...flag-deploy_keys_on_protected_branches.yml |  5 +
 ...defect-urlencode-image-diff-octothorpe.yml |  5 +
 .../learn_gitlab_a_experiment_percentage.yml} | 12 +--
 .../learn_gitlab_b_experiment_percentage.yml  |  8 ++
 config/routes/project.rb                      |  2 +
 danger/roulette/Dangerfile                    |  4 +-
 doc/user/project/protected_branches.md        |  1 +
 doc/user/project/requirements/index.md        | 10 +-
 lib/gitlab/experimentation.rb                 |  6 ++
 lib/gitlab/git_access.rb                      | 10 +-
 locale/gitlab.pot                             | 42 +++++++--
 .../projects/learn_gitlab_controller_spec.rb  | 44 +++++++++
 spec/features/protected_branches_spec.rb      |  6 +-
 spec/frontend/lib/utils/url_utility_spec.js   | 33 +++++++
 .../__snapshots__/learn_gitlab_a_spec.js.snap | 66 ++++++++++++++
 .../__snapshots__/learn_gitlab_b_spec.js.snap | 66 ++++++++++++++
 .../components/learn_gitlab_a_spec.js         | 63 +++++++++++++
 .../components/learn_gitlab_b_spec.js         | 63 +++++++++++++
 .../projects/settings/access_dropdown_spec.js |  1 -
 .../viewers/image_viewer_spec.js              | 10 ++
 spec/helpers/learn_gitlab_helper_spec.rb      | 91 +++++++++++++++++++
 spec/helpers/projects_helper_spec.rb          | 15 +++
 spec/models/onboarding_progress_spec.rb       | 16 ++++
 .../push_access_level_spec.rb                 | 10 --
 ...nches_access_control_ce_shared_examples.rb |  2 +
 ...cted_branches_with_deploy_keys_examples.rb |  3 +-
 50 files changed, 847 insertions(+), 97 deletions(-)
 create mode 100644 app/assets/javascripts/pages/projects/learn_gitlab/components/learn_gitlab_a.vue
 create mode 100644 app/assets/javascripts/pages/projects/learn_gitlab/components/learn_gitlab_b.vue
 create mode 100644 app/assets/javascripts/pages/projects/learn_gitlab/constants/index.js
 create mode 100644 app/assets/javascripts/pages/projects/learn_gitlab/index/index.js
 create mode 100644 app/controllers/projects/learn_gitlab_controller.rb
 create mode 100644 app/helpers/learn_gitlab_helper.rb
 create mode 100644 app/views/projects/learn_gitlab/index.html.haml
 create mode 100644 changelogs/unreleased/deprecate_gma_apps.yml
 create mode 100644 changelogs/unreleased/remove-feature-flag-deploy_keys_on_protected_branches.yml
 create mode 100644 changelogs/unreleased/tor-defect-urlencode-image-diff-octothorpe.yml
 rename config/feature_flags/{development/deploy_keys_on_protected_branches.yml => experiment/learn_gitlab_a_experiment_percentage.yml} (55%)
 create mode 100644 config/feature_flags/experiment/learn_gitlab_b_experiment_percentage.yml
 create mode 100644 spec/controllers/projects/learn_gitlab_controller_spec.rb
 create mode 100644 spec/frontend/pages/projects/learn_gitlab/components/__snapshots__/learn_gitlab_a_spec.js.snap
 create mode 100644 spec/frontend/pages/projects/learn_gitlab/components/__snapshots__/learn_gitlab_b_spec.js.snap
 create mode 100644 spec/frontend/pages/projects/learn_gitlab/components/learn_gitlab_a_spec.js
 create mode 100644 spec/frontend/pages/projects/learn_gitlab/components/learn_gitlab_b_spec.js
 create mode 100644 spec/helpers/learn_gitlab_helper_spec.rb

diff --git a/app/assets/javascripts/lib/utils/url_utility.js b/app/assets/javascripts/lib/utils/url_utility.js
index 0b920ba8e7a..cc2cf787a8f 100644
--- a/app/assets/javascripts/lib/utils/url_utility.js
+++ b/app/assets/javascripts/lib/utils/url_utility.js
@@ -16,6 +16,50 @@ function decodeUrlParameter(val) {
   return decodeURIComponent(val.replace(/\+/g, '%20'));
 }
 
+/**
+ * Safely encodes a string to be used as a path
+ *
+ * Note: This function DOES encode typical URL parts like ?, =, &, #, and +
+ * If you need to use search parameters or URL fragments, they should be
+ *     added AFTER calling this function, not before.
+ *
+ * Usecase: An image filename is stored verbatim, and you need to load it in
+ *     the browser.
+ *
+ * Example: /some_path/file #1.jpg      ==> /some_path/file%20%231.jpg
+ * Example: /some-path/file! Final!.jpg ==> /some-path/file%21%20Final%21.jpg
+ *
+ * Essentially, if a character *could* present a problem in a URL, it's escaped
+ *     to the hexadecimal representation instead. This means it's a bit more
+ *     aggressive than encodeURIComponent: that built-in function doesn't
+ *     encode some characters that *could* be problematic, so this function
+ *     adds them (#, !, ~, *, ', (, and )).
+ *     Additionally, encodeURIComponent *does* encode `/`, but we want safer
+ *     URLs, not non-functional URLs, so this function DEcodes slashes ('%2F').
+ *
+ * @param {String} potentiallyUnsafePath
+ * @returns {String}
+ */
+export function encodeSaferUrl(potentiallyUnsafePath) {
+  const unencode = ['%2F'];
+  const encode = ['#', '!', '~', '\\*', "'", '\\(', '\\)'];
+  let saferPath = encodeURIComponent(potentiallyUnsafePath);
+
+  unencode.forEach((code) => {
+    saferPath = saferPath.replace(new RegExp(code, 'g'), decodeURIComponent(code));
+  });
+  encode.forEach((code) => {
+    const encodedValue = code
+      .codePointAt(code.length - 1)
+      .toString(16)
+      .toUpperCase();
+
+    saferPath = saferPath.replace(new RegExp(code, 'g'), `%${encodedValue}`);
+  });
+
+  return saferPath;
+}
+
 export function cleanLeadingSeparator(path) {
   return path.replace(PATH_SEPARATOR_LEADING_REGEX, '');
 }
diff --git a/app/assets/javascripts/pages/projects/learn_gitlab/components/learn_gitlab_a.vue b/app/assets/javascripts/pages/projects/learn_gitlab/components/learn_gitlab_a.vue
new file mode 100644
index 00000000000..0393793bfe1
--- /dev/null
+++ b/app/assets/javascripts/pages/projects/learn_gitlab/components/learn_gitlab_a.vue
@@ -0,0 +1,27 @@
+<script>
+import { GlLink } from '@gitlab/ui';
+import { ACTION_TEXT } from '../constants';
+
+export default {
+  components: { GlLink },
+  i18n: {
+    ACTION_TEXT,
+  },
+  props: {
+    actions: {
+      required: true,
+      type: Object,
+    },
+  },
+};
+</script>
+<template>
+  <ul>
+    <li v-for="(value, action) in actions" :key="action">
+      <span v-if="value.completed">{{ $options.i18n.ACTION_TEXT[action] }}</span>
+      <span v-else>
+        <gl-link :href="value.url">{{ $options.i18n.ACTION_TEXT[action] }}</gl-link>
+      </span>
+    </li>
+  </ul>
+</template>
diff --git a/app/assets/javascripts/pages/projects/learn_gitlab/components/learn_gitlab_b.vue b/app/assets/javascripts/pages/projects/learn_gitlab/components/learn_gitlab_b.vue
new file mode 100644
index 00000000000..0393793bfe1
--- /dev/null
+++ b/app/assets/javascripts/pages/projects/learn_gitlab/components/learn_gitlab_b.vue
@@ -0,0 +1,27 @@
+<script>
+import { GlLink } from '@gitlab/ui';
+import { ACTION_TEXT } from '../constants';
+
+export default {
+  components: { GlLink },
+  i18n: {
+    ACTION_TEXT,
+  },
+  props: {
+    actions: {
+      required: true,
+      type: Object,
+    },
+  },
+};
+</script>
+<template>
+  <ul>
+    <li v-for="(value, action) in actions" :key="action">
+      <span v-if="value.completed">{{ $options.i18n.ACTION_TEXT[action] }}</span>
+      <span v-else>
+        <gl-link :href="value.url">{{ $options.i18n.ACTION_TEXT[action] }}</gl-link>
+      </span>
+    </li>
+  </ul>
+</template>
diff --git a/app/assets/javascripts/pages/projects/learn_gitlab/constants/index.js b/app/assets/javascripts/pages/projects/learn_gitlab/constants/index.js
new file mode 100644
index 00000000000..8606af29785
--- /dev/null
+++ b/app/assets/javascripts/pages/projects/learn_gitlab/constants/index.js
@@ -0,0 +1,12 @@
+import { s__ } from '~/locale';
+
+export const ACTION_TEXT = {
+  gitWrite: s__('LearnGitLab|Create a repository'),
+  userAdded: s__('LearnGitLab|Invite your colleagues'),
+  pipelineCreated: s__('LearnGitLab|Set-up CI/CD'),
+  trialStarted: s__('LearnGitLab|Start a free trial of GitLab Gold'),
+  codeOwnersEnabled: s__('LearnGitLab|Add code owners'),
+  requiredMrApprovalsEnabled: s__('LearnGitLab|Enable require merge approvals'),
+  mergeRequestCreated: s__('LearnGitLab|Submit a merge request (MR)'),
+  securityScanEnabled: s__('LearnGitLab|Run a Security scan using CI/CD'),
+};
diff --git a/app/assets/javascripts/pages/projects/learn_gitlab/index/index.js b/app/assets/javascripts/pages/projects/learn_gitlab/index/index.js
new file mode 100644
index 00000000000..c4dec89b984
--- /dev/null
+++ b/app/assets/javascripts/pages/projects/learn_gitlab/index/index.js
@@ -0,0 +1,25 @@
+import Vue from 'vue';
+import { convertObjectPropsToCamelCase } from '~/lib/utils/common_utils';
+import LearnGitlabA from '../components/learn_gitlab_a.vue';
+import LearnGitlabB from '../components/learn_gitlab_b.vue';
+
+function initLearnGitlab() {
+  const el = document.getElementById('js-learn-gitlab-app');
+
+  if (!el) {
+    return false;
+  }
+
+  const actions = convertObjectPropsToCamelCase(JSON.parse(el.dataset.actions));
+
+  const { learnGitlabA } = gon.experiments;
+
+  return new Vue({
+    el,
+    render(createElement) {
+      return createElement(learnGitlabA ? LearnGitlabA : LearnGitlabB, { props: { actions } });
+    },
+  });
+}
+
+initLearnGitlab();
diff --git a/app/assets/javascripts/projects/settings/access_dropdown.js b/app/assets/javascripts/projects/settings/access_dropdown.js
index 209ae9927cf..a5e53ee3927 100644
--- a/app/assets/javascripts/projects/settings/access_dropdown.js
+++ b/app/assets/javascripts/projects/settings/access_dropdown.js
@@ -11,7 +11,6 @@ export default class AccessDropdown {
     const { $dropdown, accessLevel, accessLevelsData, hasLicense = true } = options;
     this.options = options;
     this.hasLicense = hasLicense;
-    this.deployKeysOnProtectedBranchesEnabled = gon.features.deployKeysOnProtectedBranches;
     this.groups = [];
     this.accessLevel = accessLevel;
     this.accessLevelsData = accessLevelsData.roles;
@@ -330,11 +329,7 @@ export default class AccessDropdown {
           );
         })
         .catch(() => {
-          if (this.deployKeysOnProtectedBranchesEnabled) {
-            createFlash({ message: __('Failed to load groups, users and deploy keys.') });
-          } else {
-            createFlash({ message: __('Failed to load groups & users.') });
-          }
+          createFlash({ message: __('Failed to load groups, users and deploy keys.') });
         });
     } else {
       this.getDeployKeys(query)
@@ -445,35 +440,33 @@ export default class AccessDropdown {
       }
     }
 
-    if (this.deployKeysOnProtectedBranchesEnabled) {
-      const deployKeys = deployKeysResponse.map((response) => {
-        const {
-          id,
-          fingerprint,
-          title,
-          owner: { avatar_url, name, username },
-        } = response;
+    const deployKeys = deployKeysResponse.map((response) => {
+      const {
+        id,
+        fingerprint,
+        title,
+        owner: { avatar_url, name, username },
+      } = response;
 
-        const shortFingerprint = `(${fingerprint.substring(0, 14)}...)`;
+      const shortFingerprint = `(${fingerprint.substring(0, 14)}...)`;
 
-        return {
-          id,
-          title: title.concat(' ', shortFingerprint),
-          avatar_url,
-          fullname: name,
-          username,
-          type: LEVEL_TYPES.DEPLOY_KEY,
-        };
-      });
+      return {
+        id,
+        title: title.concat(' ', shortFingerprint),
+        avatar_url,
+        fullname: name,
+        username,
+        type: LEVEL_TYPES.DEPLOY_KEY,
+      };
+    });
 
-      if (this.accessLevel === ACCESS_LEVELS.PUSH) {
-        if (deployKeys.length) {
-          consolidatedData = consolidatedData.concat(
-            [{ type: 'divider' }],
-            [{ type: 'header', content: s__('AccessDropdown|Deploy Keys') }],
-            deployKeys,
-          );
-        }
+    if (this.accessLevel === ACCESS_LEVELS.PUSH) {
+      if (deployKeys.length) {
+        consolidatedData = consolidatedData.concat(
+          [{ type: 'divider' }],
+          [{ type: 'header', content: s__('AccessDropdown|Deploy Keys') }],
+          deployKeys,
+        );
       }
     }
 
@@ -501,19 +494,15 @@ export default class AccessDropdown {
   }
 
   getDeployKeys(query) {
-    if (this.deployKeysOnProtectedBranchesEnabled) {
-      return axios.get(this.buildUrl(gon.relative_url_root, this.deployKeysPath), {
-        params: {
-          search: query,
-          per_page: 20,
-          active: true,
-          project_id: gon.current_project_id,
-          push_code: true,
-        },
-      });
-    }
-
-    return Promise.resolve({ data: [] });
+    return axios.get(this.buildUrl(gon.relative_url_root, this.deployKeysPath), {
+      params: {
+        search: query,
+        per_page: 20,
+        active: true,
+        project_id: gon.current_project_id,
+        push_code: true,
+      },
+    });
   }
 
   buildUrl(urlRoot, url) {
diff --git a/app/assets/javascripts/vue_shared/components/content_viewer/viewers/image_viewer.vue b/app/assets/javascripts/vue_shared/components/content_viewer/viewers/image_viewer.vue
index 9ece6a52805..a49eb7fd611 100644
--- a/app/assets/javascripts/vue_shared/components/content_viewer/viewers/image_viewer.vue
+++ b/app/assets/javascripts/vue_shared/components/content_viewer/viewers/image_viewer.vue
@@ -1,6 +1,7 @@
 <script>
 import { throttle } from 'lodash';
-import { numberToHumanSize } from '../../../../lib/utils/number_utils';
+import { numberToHumanSize } from '~/lib/utils/number_utils';
+import { encodeSaferUrl } from '~/lib/utils/url_utility';
 
 export default {
   props: {
@@ -43,6 +44,9 @@ export default {
     hasDimensions() {
       return this.width && this.height;
     },
+    safePath() {
+      return encodeSaferUrl(this.path);
+    },
   },
   beforeDestroy() {
     window.removeEventListener('resize', this.resizeThrottled, false);
@@ -84,7 +88,7 @@ export default {
 <template>
   <div data-testid="image-viewer" data-qa-selector="image_viewer_container">
     <div :class="innerCssClasses" class="position-relative">
-      <img ref="contentImg" :src="path" @load="onImgLoad" />
+      <img ref="contentImg" :src="safePath" @load="onImgLoad" />
       <slot
         name="image-overlay"
         :rendered-width="renderedWidth"
diff --git a/app/controllers/concerns/boards_responses.rb b/app/controllers/concerns/boards_responses.rb
index d8bc1320db4..6e6686f225c 100644
--- a/app/controllers/concerns/boards_responses.rb
+++ b/app/controllers/concerns/boards_responses.rb
@@ -66,7 +66,11 @@ module BoardsResponses
   end
 
   def respond_with_board
-    respond_with(@board) # rubocop:disable Gitlab/ModuleWithInstanceVariables
+    # rubocop:disable Gitlab/ModuleWithInstanceVariables
+    return render_404 unless @board
+
+    respond_with(@board)
+    # rubocop:enable Gitlab/ModuleWithInstanceVariables
   end
 
   def serialize_as_json(resource)
diff --git a/app/controllers/projects/learn_gitlab_controller.rb b/app/controllers/projects/learn_gitlab_controller.rb
new file mode 100644
index 00000000000..162ba9bd5cb
--- /dev/null
+++ b/app/controllers/projects/learn_gitlab_controller.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class Projects::LearnGitlabController < Projects::ApplicationController
+  before_action :authenticate_user!
+  before_action :check_experiment_enabled?
+
+  feature_category :users
+
+  def index
+    push_frontend_experiment(:learn_gitlab_a, subject: current_user)
+    push_frontend_experiment(:learn_gitlab_b, subject: current_user)
+  end
+
+  private
+
+  def check_experiment_enabled?
+    return access_denied! unless helpers.learn_gitlab_experiment_enabled?(project)
+  end
+end
diff --git a/app/controllers/projects/settings/repository_controller.rb b/app/controllers/projects/settings/repository_controller.rb
index dd50ab1bc7a..821560e32ba 100644
--- a/app/controllers/projects/settings/repository_controller.rb
+++ b/app/controllers/projects/settings/repository_controller.rb
@@ -7,7 +7,6 @@ module Projects
       before_action :define_variables, only: [:create_deploy_token]
       before_action do
         push_frontend_feature_flag(:ajax_new_deploy_token, @project)
-        push_frontend_feature_flag(:deploy_keys_on_protected_branches, @project)
       end
 
       feature_category :source_code_management, [:show, :cleanup]
diff --git a/app/helpers/learn_gitlab_helper.rb b/app/helpers/learn_gitlab_helper.rb
new file mode 100644
index 00000000000..e72a9c83fc9
--- /dev/null
+++ b/app/helpers/learn_gitlab_helper.rb
@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module LearnGitlabHelper
+  def learn_gitlab_experiment_enabled?(project)
+    return false unless current_user
+    return false unless experiment_enabled_for_user?
+
+    learn_gitlab_onboarding_available?(project)
+  end
+
+  def onboarding_actions_data(project)
+    attributes = onboarding_progress(project).attributes.symbolize_keys
+
+    action_urls.map do |action, url|
+      [
+        action,
+        url: url,
+        completed: attributes[OnboardingProgress.column_name(action)].present?
+      ]
+    end.to_h
+  end
+
+  private
+
+  ACTION_ISSUE_IDS = {
+    git_write: 2,
+    pipeline_created: 4,
+    merge_request_created: 6,
+    user_added: 7,
+    trial_started: 13,
+    required_mr_approvals_enabled: 15,
+    code_owners_enabled: 16
+  }.freeze
+
+  ACTION_DOC_URLS = {
+    security_scan_enabled: 'https://docs.gitlab.com/ee/user/application_security/security_dashboard/#gitlab-security-dashboard-security-center-and-vulnerability-reports'
+  }.freeze
+
+  def action_urls
+    ACTION_ISSUE_IDS.transform_values { |id| project_issue_url(learn_gitlab_project, id) }.merge(ACTION_DOC_URLS)
+  end
+
+  def learn_gitlab_project
+    @learn_gitlab_project ||= LearnGitlab.new(current_user).project
+  end
+
+  def onboarding_progress(project)
+    OnboardingProgress.find_by(namespace: project.namespace) # rubocop: disable CodeReuse/ActiveRecord
+  end
+
+  def experiment_enabled_for_user?
+    Gitlab::Experimentation.in_experiment_group?(:learn_gitlab_a, subject: current_user) ||
+      Gitlab::Experimentation.in_experiment_group?(:learn_gitlab_b, subject: current_user)
+  end
+
+  def learn_gitlab_onboarding_available?(project)
+    OnboardingProgress.onboarding?(project.namespace) &&
+      LearnGitlab.new(current_user).available?
+  end
+end
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index a2e9952f350..f5cd89d96b4 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -433,6 +433,8 @@ module ProjectsHelper
 
     nav_tabs += package_nav_tabs(project, current_user)
 
+    nav_tabs << :learn_gitlab if learn_gitlab_experiment_enabled?(project)
+
     nav_tabs
   end
   # rubocop:enable Metrics/CyclomaticComplexity
diff --git a/app/models/clusters/applications/cert_manager.rb b/app/models/clusters/applications/cert_manager.rb
index 8560826928a..2a051233de2 100644
--- a/app/models/clusters/applications/cert_manager.rb
+++ b/app/models/clusters/applications/cert_manager.rb
@@ -2,6 +2,8 @@
 
 module Clusters
   module Applications
+    # DEPRECATED for removal in %14.0
+    # See https://gitlab.com/groups/gitlab-org/-/epics/4280
     class CertManager < ApplicationRecord
       VERSION = 'v0.10.1'
       CRD_VERSION = '0.10'
diff --git a/app/models/clusters/applications/crossplane.rb b/app/models/clusters/applications/crossplane.rb
index 2b1a86706a4..07378b4e8dc 100644
--- a/app/models/clusters/applications/crossplane.rb
+++ b/app/models/clusters/applications/crossplane.rb
@@ -2,6 +2,8 @@
 
 module Clusters
   module Applications
+    # DEPRECATED for removal in %14.0
+    # See https://gitlab.com/groups/gitlab-org/-/epics/4280
     class Crossplane < ApplicationRecord
       VERSION = '0.4.1'
 
diff --git a/app/models/clusters/applications/ingress.rb b/app/models/clusters/applications/ingress.rb
index 36324e7f3e0..e7d4d737b8e 100644
--- a/app/models/clusters/applications/ingress.rb
+++ b/app/models/clusters/applications/ingress.rb
@@ -2,6 +2,8 @@
 
 module Clusters
   module Applications
+    # DEPRECATED for removal in %14.0
+    # See https://gitlab.com/groups/gitlab-org/-/epics/4280
     class Ingress < ApplicationRecord
       VERSION = '1.40.2'
       INGRESS_CONTAINER_NAME = 'nginx-ingress-controller'
diff --git a/app/models/clusters/applications/jupyter.rb b/app/models/clusters/applications/jupyter.rb
index ff907c6847f..8d7d9c20bfa 100644
--- a/app/models/clusters/applications/jupyter.rb
+++ b/app/models/clusters/applications/jupyter.rb
@@ -4,6 +4,8 @@ require 'securerandom'
 
 module Clusters
   module Applications
+    # DEPRECATED for removal in %14.0
+    # See https://gitlab.com/groups/gitlab-org/-/epics/4280
     class Jupyter < ApplicationRecord
       VERSION = '0.9.0'
 
diff --git a/app/models/clusters/applications/knative.rb b/app/models/clusters/applications/knative.rb
index 7c131e031c1..6867d7b6934 100644
--- a/app/models/clusters/applications/knative.rb
+++ b/app/models/clusters/applications/knative.rb
@@ -2,6 +2,8 @@
 
 module Clusters
   module Applications
+    # DEPRECATED for removal in %14.0
+    # See https://gitlab.com/groups/gitlab-org/-/epics/4280
     class Knative < ApplicationRecord
       VERSION = '0.10.0'
       REPOSITORY = 'https://charts.gitlab.io'
diff --git a/app/models/onboarding_progress.rb b/app/models/onboarding_progress.rb
index 38a9489a3ad..8a444f8934e 100644
--- a/app/models/onboarding_progress.rb
+++ b/app/models/onboarding_progress.rb
@@ -47,6 +47,10 @@ class OnboardingProgress < ApplicationRecord
       safe_find_or_create_by(namespace: namespace)
     end
 
+    def onboarding?(namespace)
+      where(namespace: namespace).any?
+    end
+
     def register(namespace, action)
       return unless root_namespace?(namespace) && ACTIONS.include?(action)
 
diff --git a/app/models/protected_branch/push_access_level.rb b/app/models/protected_branch/push_access_level.rb
index f28440f2444..ea51dca8a42 100644
--- a/app/models/protected_branch/push_access_level.rb
+++ b/app/models/protected_branch/push_access_level.rb
@@ -19,7 +19,7 @@ class ProtectedBranch::PushAccessLevel < ApplicationRecord
   end
 
   def check_access(user)
-    if Feature.enabled?(:deploy_keys_on_protected_branches, project) && user && deploy_key.present?
+    if user && deploy_key.present?
       return true if user.can?(:read_project, project) && enabled_deploy_key_for_user?(deploy_key, user)
     end
 
diff --git a/app/views/layouts/nav/sidebar/_project.html.haml b/app/views/layouts/nav/sidebar/_project.html.haml
index 2576caefdd4..8bb009bfd17 100644
--- a/app/views/layouts/nav/sidebar/_project.html.haml
+++ b/app/views/layouts/nav/sidebar/_project.html.haml
@@ -33,6 +33,13 @@
               = link_to project_releases_path(@project), title: _('Releases'), class: 'shortcuts-project-releases' do
                 %span= _('Releases')
 
+      - if project_nav_tab? :learn_gitlab
+        = nav_link(controller: :learn_gitlab, html_options: { class: 'home' }) do
+          = link_to project_learn_gitlab_path(@project) do
+            .nav-icon-container
+              = sprite_icon('home')
+            %span.nav-item-name
+              = _('Learn GitLab')
 
       - if project_nav_tab? :files
         = nav_link(controller: sidebar_repository_paths, unless: -> { current_path?('projects/graphs#charts') }) do
diff --git a/app/views/projects/learn_gitlab/index.html.haml b/app/views/projects/learn_gitlab/index.html.haml
new file mode 100644
index 00000000000..d5fdbc10eb4
--- /dev/null
+++ b/app/views/projects/learn_gitlab/index.html.haml
@@ -0,0 +1,4 @@
+- breadcrumb_title _("Learn GitLab")
+- page_title _("Learn GitLab")
+
+#js-learn-gitlab-app{ data: { actions: onboarding_actions_data(@project).to_json } }
diff --git a/app/views/projects/protected_branches/_create_protected_branch.html.haml b/app/views/projects/protected_branches/_create_protected_branch.html.haml
index 33be875d9a6..20cd45be6da 100644
--- a/app/views/projects/protected_branches/_create_protected_branch.html.haml
+++ b/app/views/projects/protected_branches/_create_protected_branch.html.haml
@@ -1,5 +1,3 @@
-- select_mode_for_dropdown = Feature.enabled?(:deploy_keys_on_protected_branches, @project) ? 'js-multiselect' : ''
-
 - content_for :merge_access_levels do
   .merge_access_levels-container
     = dropdown_tag('Select',
@@ -9,7 +7,7 @@
 - content_for :push_access_levels do
   .push_access_levels-container
     = dropdown_tag('Select',
-                    options: { toggle_class: "js-allowed-to-push qa-allowed-to-push-select #{select_mode_for_dropdown} wide",
+                    options: { toggle_class: "js-allowed-to-push qa-allowed-to-push-select js-multiselect wide",
                     dropdown_class: 'dropdown-menu-selectable qa-allowed-to-push-dropdown rspec-allowed-to-push-dropdown capitalize-header',
                     data: { field_name: 'protected_branch[push_access_levels_attributes][0][access_level]', input_id: 'push_access_levels_attributes' }})
 
diff --git a/app/views/shared/projects/protected_branches/_update_protected_branch.html.haml b/app/views/shared/projects/protected_branches/_update_protected_branch.html.haml
index cb954c20b48..d1b32df7139 100644
--- a/app/views/shared/projects/protected_branches/_update_protected_branch.html.haml
+++ b/app/views/shared/projects/protected_branches/_update_protected_branch.html.haml
@@ -1,5 +1,3 @@
-- select_mode_for_dropdown = Feature.enabled?(:deploy_keys_on_protected_branches, protected_branch.project) ? 'js-multiselect' : ''
-
 - merge_access_levels = protected_branch.merge_access_levels.for_role
 - push_access_levels = protected_branch.push_access_levels.for_role
 
@@ -25,7 +23,7 @@
 %td.push_access_levels-container
   = hidden_field_tag "allowed_to_push_#{protected_branch.id}", push_access_levels.first&.access_level
   = dropdown_tag( (push_access_levels.first&.humanize || 'Select') ,
-    options: { toggle_class: "js-allowed-to-push #{select_mode_for_dropdown}", dropdown_class: 'dropdown-menu-selectable js-allowed-to-push-container capitalize-header',
+    options: { toggle_class: "js-allowed-to-push js-multiselect", dropdown_class: 'dropdown-menu-selectable js-allowed-to-push-container capitalize-header',
                  data: { field_name: "allowed_to_push_#{protected_branch.id}", preselected_items: access_levels_data(push_access_levels) }})
   - if user_push_access_levels.any?
     %p.small
diff --git a/changelogs/unreleased/deprecate_gma_apps.yml b/changelogs/unreleased/deprecate_gma_apps.yml
new file mode 100644
index 00000000000..4443ebd896b
--- /dev/null
+++ b/changelogs/unreleased/deprecate_gma_apps.yml
@@ -0,0 +1,5 @@
+---
+title: Deprecate GitLab-managed (v1) apps that will be removed in 14.0
+merge_request: 54162
+author:
+type: deprecated
diff --git a/changelogs/unreleased/remove-feature-flag-deploy_keys_on_protected_branches.yml b/changelogs/unreleased/remove-feature-flag-deploy_keys_on_protected_branches.yml
new file mode 100644
index 00000000000..458adc96b73
--- /dev/null
+++ b/changelogs/unreleased/remove-feature-flag-deploy_keys_on_protected_branches.yml
@@ -0,0 +1,5 @@
+---
+title: Allow deploy keys to push to a protected branch
+merge_request: 53812
+author:
+type: added
diff --git a/changelogs/unreleased/tor-defect-urlencode-image-diff-octothorpe.yml b/changelogs/unreleased/tor-defect-urlencode-image-diff-octothorpe.yml
new file mode 100644
index 00000000000..3ca89861bb3
--- /dev/null
+++ b/changelogs/unreleased/tor-defect-urlencode-image-diff-octothorpe.yml
@@ -0,0 +1,5 @@
+---
+title: Fix some image diff URLs with special characters causing the diff to not show
+merge_request: 53638
+author:
+type: fixed
diff --git a/config/feature_flags/development/deploy_keys_on_protected_branches.yml b/config/feature_flags/experiment/learn_gitlab_a_experiment_percentage.yml
similarity index 55%
rename from config/feature_flags/development/deploy_keys_on_protected_branches.yml
rename to config/feature_flags/experiment/learn_gitlab_a_experiment_percentage.yml
index 6306d5a63d4..54b7ea465f1 100644
--- a/config/feature_flags/development/deploy_keys_on_protected_branches.yml
+++ b/config/feature_flags/experiment/learn_gitlab_a_experiment_percentage.yml
@@ -1,8 +1,8 @@
 ---
-name: deploy_keys_on_protected_branches
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/35638
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/247866
-milestone: '13.5'
-type: development
-group: group::release
+name: learn_gitlab_a_experiment_percentage
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53089
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/281022
+milestone: '13.9'
+type: experiment
+group: group::conversion
 default_enabled: false
diff --git a/config/feature_flags/experiment/learn_gitlab_b_experiment_percentage.yml b/config/feature_flags/experiment/learn_gitlab_b_experiment_percentage.yml
new file mode 100644
index 00000000000..cca5d35baf3
--- /dev/null
+++ b/config/feature_flags/experiment/learn_gitlab_b_experiment_percentage.yml
@@ -0,0 +1,8 @@
+---
+name: learn_gitlab_b_experiment_percentage
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53089
+rollout_issue_url: https://gitlab.com/gitlab-org/growth/team-tasks/-/issues/306
+milestone: '13.9'
+type: experiment
+group: group::conversion
+default_enabled: false
diff --git a/config/routes/project.rb b/config/routes/project.rb
index e6df2532479..21dfe173715 100644
--- a/config/routes/project.rb
+++ b/config/routes/project.rb
@@ -87,6 +87,8 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
           end
         end
 
+        get :learn_gitlab, action: :index, controller: 'learn_gitlab'
+
         namespace :ci do
           resource :lint, only: [:show, :create]
           resource :pipeline_editor, only: [:show], controller: :pipeline_editor, path: 'editor'
diff --git a/danger/roulette/Dangerfile b/danger/roulette/Dangerfile
index 8289fb599a7..3096ef471dd 100644
--- a/danger/roulette/Dangerfile
+++ b/danger/roulette/Dangerfile
@@ -24,8 +24,8 @@ and [code review guidelines](https://docs.gitlab.com/ee/development/code_review.
 Please consider assigning a reviewer or maintainer who is a
 [domain expert](https://about.gitlab.com/handbook/engineering/projects/#gitlab) in the area of the merge request.
 
-Once you've decided who will review this merge request, mention them as you
-normally would! Danger does not automatically notify them for you.
+Once you've decided who will review this merge request, assign them as a reviewer!
+Danger does not automatically notify them for you.
 
 | Category | Reviewer | Maintainer |
 | -------- | -------- | ---------- |
diff --git a/doc/user/project/protected_branches.md b/doc/user/project/protected_branches.md
index 18168710a75..4629c87f41e 100644
--- a/doc/user/project/protected_branches.md
+++ b/doc/user/project/protected_branches.md
@@ -80,6 +80,7 @@ they are set to Maintainers by default.
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/30769) in GitLab 13.7.
 > - This feature is being selectively deployed in GitLab.com 13.7, and may not be available for all users.
+> - This feature is available for all users in GitLab 13.9.
 
 You can allow specific machines to access protected branches in your repository with
 [deploy keys](deploy_keys/index.md). This can be useful for your CI/CD workflow,
diff --git a/doc/user/project/requirements/index.md b/doc/user/project/requirements/index.md
index 4e239431d02..385231097df 100644
--- a/doc/user/project/requirements/index.md
+++ b/doc/user/project/requirements/index.md
@@ -262,6 +262,7 @@ For GitLab.com, it is set to 10 MB.
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/290813) in GitLab 13.8.
 > - Revised CSV column headers [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/299247) in GitLab 13.9.
+> - Ability to select which fields to export [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/290823) in GitLab 13.9.
 
 You can export GitLab requirements to a
 [CSV file](https://en.wikipedia.org/wiki/Comma-separated_values) sent to your default notification
@@ -276,7 +277,14 @@ Users with Reporter or higher [permissions](../../permissions.md) can export req
 To export requirements:
 
 1. In a project, go to **Requirements**.
-1. Select the **Export as CSV** icon (**{export}**) in the top right. A confirmation modal appears.
+1. In the top right, select the **Export as CSV** icon (**{export}**).
+
+   A confirmation modal appears.
+
+1. Under **Advanced export options**, select which fields to export.
+
+   All fields are selected by default. To exclude a field from being exported, clear the checkbox next to it.
+
 1. Select **Export requirements**. The exported CSV file is sent to the email address associated with your user.
 
 ### Exported CSV file format
diff --git a/lib/gitlab/experimentation.rb b/lib/gitlab/experimentation.rb
index 0deda3596f5..423f238a0a2 100644
--- a/lib/gitlab/experimentation.rb
+++ b/lib/gitlab/experimentation.rb
@@ -95,6 +95,12 @@ module Gitlab
       trial_onboarding_issues: {
         tracking_category: 'Growth::Conversion::Experiment::TrialOnboardingIssues'
       },
+      learn_gitlab_a: {
+        tracking_category: 'Growth::Conversion::Experiment::LearnGitLabA'
+      },
+      learn_gitlab_b: {
+        tracking_category: 'Growth::Activation::Experiment::LearnGitLabB'
+      },
       in_product_marketing_emails: {
         tracking_category: 'Growth::Activation::Experiment::InProductMarketingEmails'
       }
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index cc1f2fbd029..c5ca46827cb 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -319,10 +319,8 @@ module Gitlab
     end
 
     def check_change_access!
-      return if deploy_key? && !deploy_keys_on_protected_branches_enabled?
-
       if changes == ANY
-        can_push = (deploy_key? && deploy_keys_on_protected_branches_enabled?) ||
+        can_push = deploy_key? ||
                    user_can_push? ||
           project&.any_branch_allows_collaboration?(user_access.user)
 
@@ -453,7 +451,7 @@ module Gitlab
                          CiAccess.new
                        elsif user && request_from_ci_build?
                          BuildAccess.new(user, container: container)
-                       elsif deploy_key? && deploy_keys_on_protected_branches_enabled?
+                       elsif deploy_key?
                          DeployKeyAccess.new(deploy_key, container: container)
                        else
                          UserAccess.new(user, container: container)
@@ -532,10 +530,6 @@ module Gitlab
     def size_checker
       container.repository_size_checker
     end
-
-    def deploy_keys_on_protected_branches_enabled?
-      Feature.enabled?(:deploy_keys_on_protected_branches, project)
-    end
   end
 end
 
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 058018bc8d2..aaad0f13d45 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -738,9 +738,6 @@ msgstr ""
 msgid "%{reportType} detected %{totalStart}no%{totalEnd} vulnerabilities."
 msgstr ""
 
-msgid "%{requirementCount} requirements have been selected for export. These will be sent to %{email} as an attachment once finished."
-msgstr ""
-
 msgid "%{retryButtonStart}Try again%{retryButtonEnd} or %{newFileButtonStart}attach a new file%{newFileButtonEnd}."
 msgstr ""
 
@@ -2552,6 +2549,9 @@ msgstr ""
 msgid "Advanced Settings"
 msgstr ""
 
+msgid "Advanced export options"
+msgstr ""
+
 msgid "Advanced permissions, Large File Storage and Two-Factor authentication settings."
 msgstr ""
 
@@ -12125,6 +12125,9 @@ msgstr ""
 msgid "Export"
 msgstr ""
 
+msgid "Export %{requirementsCount} requirements?"
+msgstr ""
+
 msgid "Export as CSV"
 msgstr ""
 
@@ -12320,9 +12323,6 @@ msgstr ""
 msgid "Failed to load group activity metrics. Please try again."
 msgstr ""
 
-msgid "Failed to load groups & users."
-msgstr ""
-
 msgid "Failed to load groups, users and deploy keys."
 msgstr ""
 
@@ -17445,6 +17445,30 @@ msgstr ""
 msgid "Learn more."
 msgstr ""
 
+msgid "LearnGitLab|Add code owners"
+msgstr ""
+
+msgid "LearnGitLab|Create a repository"
+msgstr ""
+
+msgid "LearnGitLab|Enable require merge approvals"
+msgstr ""
+
+msgid "LearnGitLab|Invite your colleagues"
+msgstr ""
+
+msgid "LearnGitLab|Run a Security scan using CI/CD"
+msgstr ""
+
+msgid "LearnGitLab|Set-up CI/CD"
+msgstr ""
+
+msgid "LearnGitLab|Start a free trial of GitLab Gold"
+msgstr ""
+
+msgid "LearnGitLab|Submit a merge request (MR)"
+msgstr ""
+
 msgid "Leave"
 msgstr ""
 
@@ -22166,6 +22190,9 @@ msgstr ""
 msgid "Please select at least one filter to see results"
 msgstr ""
 
+msgid "Please select what should be included in each exported requirement."
+msgstr ""
+
 msgid "Please set a new password before proceeding."
 msgstr ""
 
@@ -29784,6 +29811,9 @@ msgstr ""
 msgid "These variables are inherited from the parent group."
 msgstr ""
 
+msgid "These will be sent to %{email} in an attachment once finished."
+msgstr ""
+
 msgid "Third Party Advisory Link"
 msgstr ""
 
diff --git a/spec/controllers/projects/learn_gitlab_controller_spec.rb b/spec/controllers/projects/learn_gitlab_controller_spec.rb
new file mode 100644
index 00000000000..f633f7aa246
--- /dev/null
+++ b/spec/controllers/projects/learn_gitlab_controller_spec.rb
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::LearnGitlabController do
+  describe 'GET #index' do
+    let_it_be(:user) { create(:user) }
+    let_it_be(:project) { create(:project, namespace: user.namespace) }
+
+    let(:learn_gitlab_experiment_enabled) { true }
+    let(:params) { { namespace_id: project.namespace.to_param, project_id: project } }
+
+    subject { get :index, params: params }
+
+    before do
+      allow(controller.helpers).to receive(:learn_gitlab_experiment_enabled?).and_return(learn_gitlab_experiment_enabled)
+    end
+
+    context 'unauthenticated user' do
+      it { is_expected.to have_gitlab_http_status(:redirect) }
+    end
+
+    context 'authenticated user' do
+      before do
+        sign_in(user)
+      end
+
+      it { is_expected.to render_template(:index) }
+
+      it 'pushes experiment to frontend' do
+        expect(controller).to receive(:push_frontend_experiment).with(:learn_gitlab_a, subject: user)
+        expect(controller).to receive(:push_frontend_experiment).with(:learn_gitlab_b, subject: user)
+
+        subject
+      end
+
+      context 'learn_gitlab experiment not enabled' do
+        let(:learn_gitlab_experiment_enabled) { false }
+
+        it { is_expected.to have_gitlab_http_status(:not_found) }
+      end
+    end
+  end
+end
diff --git a/spec/features/protected_branches_spec.rb b/spec/features/protected_branches_spec.rb
index 95d268ab1be..eb099359df9 100644
--- a/spec/features/protected_branches_spec.rb
+++ b/spec/features/protected_branches_spec.rb
@@ -9,10 +9,6 @@ RSpec.describe 'Protected Branches', :js do
   let(:admin) { create(:admin) }
   let(:project) { create(:project, :repository) }
 
-  before do
-    stub_feature_flags(deploy_keys_on_protected_branches: false)
-  end
-
   context 'logged in as developer' do
     before do
       project.add_developer(user)
@@ -174,7 +170,7 @@ RSpec.describe 'Protected Branches', :js do
       stub_licensed_features(protected_refs_for_users: false)
     end
 
-    include_examples 'when the deploy_keys_on_protected_branches FF is turned on' do
+    include_examples 'Deploy keys with protected branches' do
       let(:all_dropdown_sections) { %w(Roles Deploy\ Keys) }
     end
   end
diff --git a/spec/frontend/lib/utils/url_utility_spec.js b/spec/frontend/lib/utils/url_utility_spec.js
index 61df3aa19c2..b60ddea81ee 100644
--- a/spec/frontend/lib/utils/url_utility_spec.js
+++ b/spec/frontend/lib/utils/url_utility_spec.js
@@ -880,4 +880,37 @@ describe('URL utility', () => {
       expect(urlUtils.getURLOrigin(url)).toBe(expectation);
     });
   });
+
+  describe('encodeSaferUrl', () => {
+    it.each`
+      character | input                 | output
+      ${' '}    | ${'/url/hello 1.jpg'} | ${'/url/hello%201.jpg'}
+      ${'#'}    | ${'/url/hello#1.jpg'} | ${'/url/hello%231.jpg'}
+      ${'!'}    | ${'/url/hello!.jpg'}  | ${'/url/hello%21.jpg'}
+      ${'~'}    | ${'/url/hello~.jpg'}  | ${'/url/hello%7E.jpg'}
+      ${'*'}    | ${'/url/hello*.jpg'}  | ${'/url/hello%2A.jpg'}
+      ${"'"}    | ${"/url/hello'.jpg"}  | ${'/url/hello%27.jpg'}
+      ${'('}    | ${'/url/hello(.jpg'}  | ${'/url/hello%28.jpg'}
+      ${')'}    | ${'/url/hello).jpg'}  | ${'/url/hello%29.jpg'}
+      ${'?'}    | ${'/url/hello?.jpg'}  | ${'/url/hello%3F.jpg'}
+      ${'='}    | ${'/url/hello=.jpg'}  | ${'/url/hello%3D.jpg'}
+      ${'+'}    | ${'/url/hello+.jpg'}  | ${'/url/hello%2B.jpg'}
+      ${'&'}    | ${'/url/hello&.jpg'}  | ${'/url/hello%26.jpg'}
+    `(
+      'properly escapes `$character` characters while retaining the integrity of the URL',
+      ({ input, output }) => {
+        expect(urlUtils.encodeSaferUrl(input)).toBe(output);
+      },
+    );
+
+    it.each`
+      character | input
+      ${'/, .'} | ${'/url/hello.png'}
+      ${'\\d'}  | ${'/url/hello123.png'}
+      ${'-'}    | ${'/url/hello-123.png'}
+      ${'_'}    | ${'/url/hello_123.png'}
+    `('makes no changes to unproblematic characters ($character)', ({ input }) => {
+      expect(urlUtils.encodeSaferUrl(input)).toBe(input);
+    });
+  });
 });
diff --git a/spec/frontend/pages/projects/learn_gitlab/components/__snapshots__/learn_gitlab_a_spec.js.snap b/spec/frontend/pages/projects/learn_gitlab/components/__snapshots__/learn_gitlab_a_spec.js.snap
new file mode 100644
index 00000000000..c9141d13a46
--- /dev/null
+++ b/spec/frontend/pages/projects/learn_gitlab/components/__snapshots__/learn_gitlab_a_spec.js.snap
@@ -0,0 +1,66 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`Learn GitLab Design A should render the loading state 1`] = `
+<ul>
+  <li>
+    <span>
+      Create a repository
+    </span>
+  </li>
+  <li>
+    <span>
+      Invite your colleagues
+    </span>
+  </li>
+  <li>
+    <span>
+      Set-up CI/CD
+    </span>
+  </li>
+  <li>
+    <span>
+      <gl-link-stub
+        href="http://example.com/"
+      >
+        Start a free trial of GitLab Gold
+      </gl-link-stub>
+    </span>
+  </li>
+  <li>
+    <span>
+      <gl-link-stub
+        href="http://example.com/"
+      >
+        Add code owners
+      </gl-link-stub>
+    </span>
+  </li>
+  <li>
+    <span>
+      <gl-link-stub
+        href="http://example.com/"
+      >
+        Enable require merge approvals
+      </gl-link-stub>
+    </span>
+  </li>
+  <li>
+    <span>
+      <gl-link-stub
+        href="http://example.com/"
+      >
+        Submit a merge request (MR)
+      </gl-link-stub>
+    </span>
+  </li>
+  <li>
+    <span>
+      <gl-link-stub
+        href="http://example.com/"
+      >
+        Run a Security scan using CI/CD
+      </gl-link-stub>
+    </span>
+  </li>
+</ul>
+`;
diff --git a/spec/frontend/pages/projects/learn_gitlab/components/__snapshots__/learn_gitlab_b_spec.js.snap b/spec/frontend/pages/projects/learn_gitlab/components/__snapshots__/learn_gitlab_b_spec.js.snap
new file mode 100644
index 00000000000..85e3b675e5b
--- /dev/null
+++ b/spec/frontend/pages/projects/learn_gitlab/components/__snapshots__/learn_gitlab_b_spec.js.snap
@@ -0,0 +1,66 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`Learn GitLab Design B should render the loading state 1`] = `
+<ul>
+  <li>
+    <span>
+      Create a repository
+    </span>
+  </li>
+  <li>
+    <span>
+      Invite your colleagues
+    </span>
+  </li>
+  <li>
+    <span>
+      Set-up CI/CD
+    </span>
+  </li>
+  <li>
+    <span>
+      <gl-link-stub
+        href="http://example.com/"
+      >
+        Start a free trial of GitLab Gold
+      </gl-link-stub>
+    </span>
+  </li>
+  <li>
+    <span>
+      <gl-link-stub
+        href="http://example.com/"
+      >
+        Add code owners
+      </gl-link-stub>
+    </span>
+  </li>
+  <li>
+    <span>
+      <gl-link-stub
+        href="http://example.com/"
+      >
+        Enable require merge approvals
+      </gl-link-stub>
+    </span>
+  </li>
+  <li>
+    <span>
+      <gl-link-stub
+        href="http://example.com/"
+      >
+        Submit a merge request (MR)
+      </gl-link-stub>
+    </span>
+  </li>
+  <li>
+    <span>
+      <gl-link-stub
+        href="http://example.com/"
+      >
+        Run a Security scan using CI/CD
+      </gl-link-stub>
+    </span>
+  </li>
+</ul>
+`;
diff --git a/spec/frontend/pages/projects/learn_gitlab/components/learn_gitlab_a_spec.js b/spec/frontend/pages/projects/learn_gitlab/components/learn_gitlab_a_spec.js
new file mode 100644
index 00000000000..ddc5339e7e0
--- /dev/null
+++ b/spec/frontend/pages/projects/learn_gitlab/components/learn_gitlab_a_spec.js
@@ -0,0 +1,63 @@
+import { shallowMount } from '@vue/test-utils';
+import { extendedWrapper } from 'helpers/vue_test_utils_helper';
+import LearnGitlabA from '~/pages/projects/learn_gitlab/components/learn_gitlab_a.vue';
+
+const TEST_ACTIONS = {
+  gitWrite: {
+    url: 'http://example.com/',
+    completed: true,
+  },
+  userAdded: {
+    url: 'http://example.com/',
+    completed: true,
+  },
+  pipelineCreated: {
+    url: 'http://example.com/',
+    completed: true,
+  },
+  trialStarted: {
+    url: 'http://example.com/',
+    completed: false,
+  },
+  codeOwnersEnabled: {
+    url: 'http://example.com/',
+    completed: false,
+  },
+  requiredMrApprovalsEnabled: {
+    url: 'http://example.com/',
+    completed: false,
+  },
+  mergeRequestCreated: {
+    url: 'http://example.com/',
+    completed: false,
+  },
+  securityScanEnabled: {
+    url: 'http://example.com/',
+    completed: false,
+  },
+};
+
+describe('Learn GitLab Design A', () => {
+  let wrapper;
+
+  afterEach(() => {
+    wrapper.destroy();
+    wrapper = null;
+  });
+
+  const createWrapper = () => {
+    wrapper = extendedWrapper(
+      shallowMount(LearnGitlabA, {
+        propsData: {
+          actions: TEST_ACTIONS,
+        },
+      }),
+    );
+  };
+
+  it('should render the loading state', () => {
+    createWrapper();
+
+    expect(wrapper.element).toMatchSnapshot();
+  });
+});
diff --git a/spec/frontend/pages/projects/learn_gitlab/components/learn_gitlab_b_spec.js b/spec/frontend/pages/projects/learn_gitlab/components/learn_gitlab_b_spec.js
new file mode 100644
index 00000000000..be4f5768402
--- /dev/null
+++ b/spec/frontend/pages/projects/learn_gitlab/components/learn_gitlab_b_spec.js
@@ -0,0 +1,63 @@
+import { shallowMount } from '@vue/test-utils';
+import { extendedWrapper } from 'helpers/vue_test_utils_helper';
+import LearnGitlabA from '~/pages/projects/learn_gitlab/components/learn_gitlab_a.vue';
+
+const TEST_ACTIONS = {
+  gitWrite: {
+    url: 'http://example.com/',
+    completed: true,
+  },
+  userAdded: {
+    url: 'http://example.com/',
+    completed: true,
+  },
+  pipelineCreated: {
+    url: 'http://example.com/',
+    completed: true,
+  },
+  trialStarted: {
+    url: 'http://example.com/',
+    completed: false,
+  },
+  codeOwnersEnabled: {
+    url: 'http://example.com/',
+    completed: false,
+  },
+  requiredMrApprovalsEnabled: {
+    url: 'http://example.com/',
+    completed: false,
+  },
+  mergeRequestCreated: {
+    url: 'http://example.com/',
+    completed: false,
+  },
+  securityScanEnabled: {
+    url: 'http://example.com/',
+    completed: false,
+  },
+};
+
+describe('Learn GitLab Design B', () => {
+  let wrapper;
+
+  afterEach(() => {
+    wrapper.destroy();
+    wrapper = null;
+  });
+
+  const createWrapper = () => {
+    wrapper = extendedWrapper(
+      shallowMount(LearnGitlabA, {
+        propsData: {
+          actions: TEST_ACTIONS,
+        },
+      }),
+    );
+  };
+
+  it('should render the loading state', () => {
+    createWrapper();
+
+    expect(wrapper.element).toMatchSnapshot();
+  });
+});
diff --git a/spec/frontend/projects/settings/access_dropdown_spec.js b/spec/frontend/projects/settings/access_dropdown_spec.js
index 8a57930ac83..236968a3736 100644
--- a/spec/frontend/projects/settings/access_dropdown_spec.js
+++ b/spec/frontend/projects/settings/access_dropdown_spec.js
@@ -14,7 +14,6 @@ describe('AccessDropdown', () => {
     `);
     const $dropdown = $('#dummy-dropdown');
     $dropdown.data('defaultLabel', defaultLabel);
-    gon.features = { deployKeysOnProtectedBranches: true };
     const options = {
       $dropdown,
       accessLevelsData: {
diff --git a/spec/frontend/vue_shared/components/content_viewer/viewers/image_viewer_spec.js b/spec/frontend/vue_shared/components/content_viewer/viewers/image_viewer_spec.js
index 31e843297fa..af3b63ad7e5 100644
--- a/spec/frontend/vue_shared/components/content_viewer/viewers/image_viewer_spec.js
+++ b/spec/frontend/vue_shared/components/content_viewer/viewers/image_viewer_spec.js
@@ -33,4 +33,14 @@ describe('Image Viewer', () => {
       },
     );
   });
+
+  describe('file path', () => {
+    it('should output a valid URL path for the image', () => {
+      wrapper = mount(ImageViewer, {
+        propsData: { path: '/url/hello#1.jpg' },
+      });
+
+      expect(wrapper.find('img').attributes('src')).toBe('/url/hello%231.jpg');
+    });
+  });
 });
diff --git a/spec/helpers/learn_gitlab_helper_spec.rb b/spec/helpers/learn_gitlab_helper_spec.rb
new file mode 100644
index 00000000000..f789eb9d940
--- /dev/null
+++ b/spec/helpers/learn_gitlab_helper_spec.rb
@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe LearnGitlabHelper do
+  include AfterNextHelpers
+  include Devise::Test::ControllerHelpers
+
+  let_it_be(:user) { create(:user) }
+  let_it_be(:project) { create(:project, name: LearnGitlab::PROJECT_NAME, namespace: user.namespace) }
+  let_it_be(:namespace) { project.namespace }
+
+  before do
+    project.add_developer(user)
+
+    allow(helper).to receive(:user).and_return(user)
+    allow_next_instance_of(LearnGitlab) do |learn_gitlab|
+      allow(learn_gitlab).to receive(:project).and_return(project)
+    end
+
+    OnboardingProgress.onboard(namespace)
+    OnboardingProgress.register(namespace, :git_write)
+  end
+
+  describe '.onboarding_actions_data' do
+    subject(:onboarding_actions_data) { helper.onboarding_actions_data(project) }
+
+    it 'has all actions' do
+      expect(onboarding_actions_data.keys).to contain_exactly(
+        :git_write,
+        :pipeline_created,
+        :merge_request_created,
+        :user_added,
+        :trial_started,
+        :required_mr_approvals_enabled,
+        :code_owners_enabled,
+        :security_scan_enabled
+      )
+    end
+
+    it 'sets correct path and completion status' do
+      expect(onboarding_actions_data[:git_write]).to eq({
+        url: project_issue_url(project, LearnGitlabHelper::ACTION_ISSUE_IDS[:git_write]),
+        completed: true
+      })
+      expect(onboarding_actions_data[:pipeline_created]).to eq({
+        url: project_issue_url(project, LearnGitlabHelper::ACTION_ISSUE_IDS[:pipeline_created]),
+        completed: false
+      })
+    end
+  end
+
+  describe '.learn_gitlab_experiment_enabled?' do
+    using RSpec::Parameterized::TableSyntax
+
+    let_it_be(:user) { create(:user) }
+    let_it_be(:project) { create(:project, namespace: user.namespace) }
+
+    let(:params) { { namespace_id: project.namespace.to_param, project_id: project } }
+
+    subject { helper.learn_gitlab_experiment_enabled?(project) }
+
+    where(:experiment_a, :experiment_b, :onboarding, :learn_gitlab_available, :result) do
+      true        | false         | true        | true                  | true
+      false       | true          | true        | true                  | true
+      false       | false         | true        | true                  | false
+      true        | true          | true        | false                 | false
+      true        | true          | false       | true                  | false
+    end
+
+    with_them do
+      before do
+        stub_experiment_for_subject(learn_gitlab_a: experiment_a, learn_gitlab_b: experiment_b)
+        allow(OnboardingProgress).to receive(:onboarding?).with(project.namespace).and_return(onboarding)
+        allow_next(LearnGitlab, user).to receive(:available?).and_return(learn_gitlab_available)
+      end
+
+      context 'when signed in' do
+        before do
+          sign_in(user)
+        end
+
+        it { is_expected.to eq(result) }
+      end
+
+      context 'when not signed in' do
+        it { is_expected.to eq(false) }
+      end
+    end
+  end
+end
diff --git a/spec/helpers/projects_helper_spec.rb b/spec/helpers/projects_helper_spec.rb
index b61db537159..303e3c78153 100644
--- a/spec/helpers/projects_helper_spec.rb
+++ b/spec/helpers/projects_helper_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'
 
 RSpec.describe ProjectsHelper do
   include ProjectForksHelper
+  include AfterNextHelpers
 
   let_it_be_with_reload(:project) { create(:project) }
   let_it_be_with_refind(:project_with_repo) { create(:project, :repository) }
@@ -498,6 +499,20 @@ RSpec.describe ProjectsHelper do
       it { is_expected.not_to include(:confluence) }
       it { is_expected.to include(:wiki) }
     end
+
+    context 'learn gitlab experiment' do
+      context 'when it is enabled' do
+        before do
+          expect(helper).to receive(:learn_gitlab_experiment_enabled?).with(project).and_return(true)
+        end
+
+        it { is_expected.to include(:learn_gitlab) }
+      end
+
+      context 'when it is not enabled' do
+        it { is_expected.not_to include(:learn_gitlab) }
+      end
+    end
   end
 
   describe '#can_view_operations_tab?' do
diff --git a/spec/models/onboarding_progress_spec.rb b/spec/models/onboarding_progress_spec.rb
index 02fe0015a14..0aa19345a25 100644
--- a/spec/models/onboarding_progress_spec.rb
+++ b/spec/models/onboarding_progress_spec.rb
@@ -114,6 +114,22 @@ RSpec.describe OnboardingProgress do
     end
   end
 
+  describe '.onboarding?' do
+    subject(:onboarding?) { described_class.onboarding?(namespace) }
+
+    context 'when onboarded' do
+      before do
+        described_class.onboard(namespace)
+      end
+
+      it { is_expected.to eq true }
+    end
+
+    context 'when not onboarding' do
+      it { is_expected.to eq false }
+    end
+  end
+
   describe '.register' do
     subject(:register_action) { described_class.register(namespace, action) }
 
diff --git a/spec/models/protected_branch/push_access_level_spec.rb b/spec/models/protected_branch/push_access_level_spec.rb
index 051cb78a6b6..17a589f0485 100644
--- a/spec/models/protected_branch/push_access_level_spec.rb
+++ b/spec/models/protected_branch/push_access_level_spec.rb
@@ -54,16 +54,6 @@ RSpec.describe ProtectedBranch::PushAccessLevel do
         specify do
           expect(push_access_level.check_access(user)).to be_truthy
         end
-
-        context 'when the deploy_keys_on_protected_branches FF is false' do
-          before do
-            stub_feature_flags(deploy_keys_on_protected_branches: false)
-          end
-
-          it 'is false' do
-            expect(push_access_level.check_access(user)).to be_falsey
-          end
-        end
       end
 
       context 'when the deploy key is not among the active keys of this project' do
diff --git a/spec/support/shared_examples/features/protected_branches_access_control_ce_shared_examples.rb b/spec/support/shared_examples/features/protected_branches_access_control_ce_shared_examples.rb
index a46382bc292..56154c7cd03 100644
--- a/spec/support/shared_examples/features/protected_branches_access_control_ce_shared_examples.rb
+++ b/spec/support/shared_examples/features/protected_branches_access_control_ce_shared_examples.rb
@@ -56,6 +56,8 @@ RSpec.shared_examples "protected branches > access control > CE" do
           expect(first("li")).to have_content("Roles")
           find(:link, access_type_name).click
         end
+
+        find(".js-allowed-to-push").click
       end
 
       wait_for_requests
diff --git a/spec/support/shared_examples/features/protected_branches_with_deploy_keys_examples.rb b/spec/support/shared_examples/features/protected_branches_with_deploy_keys_examples.rb
index a2d2143271c..28fe198c9c3 100644
--- a/spec/support/shared_examples/features/protected_branches_with_deploy_keys_examples.rb
+++ b/spec/support/shared_examples/features/protected_branches_with_deploy_keys_examples.rb
@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 
-RSpec.shared_examples 'when the deploy_keys_on_protected_branches FF is turned on' do
+RSpec.shared_examples 'Deploy keys with protected branches' do
   before do
-    stub_feature_flags(deploy_keys_on_protected_branches: true)
     project.add_maintainer(user)
     sign_in(user)
   end