Add latest changes from gitlab-org/gitlab@master

Gemfile

@@ -73,7 +73,10 @@ gem 'omniauth-shibboleth', '~> 1.3.0'
 gem 'omniauth-twitter', '~> 1.4'
 gem 'omniauth_crowd', '~> 2.4.0', path: 'vendor/gems/omniauth_crowd' # See vendor/gems/omniauth_crowd/README.md
 gem 'omniauth-authentiq', '~> 0.3.3'
-gem 'gitlab-omniauth-openid-connect', '~> 0.10.0', require: 'omniauth_openid_connect'
+gem 'omniauth_openid_connect', '~> 0.6.0'
+# Locked until Ruby 3.0 upgrade since upgrading will pull in an updated net-smtp gem.
+# See https://docs.gitlab.com/ee/development/emails.html#rationale.
+gem 'openid_connect', '= 1.3.0'
 gem 'omniauth-salesforce', '~> 1.0.5', path: 'vendor/gems/omniauth-salesforce' # See gem README.md
 gem 'omniauth-atlassian-oauth2', '~> 0.2.0'
 gem 'rack-oauth2', '~> 1.21.3'

Gemfile.checksum

@@ -210,7 +210,6 @@
 {"name":"gitlab-mail_room","version":"0.0.9","platform":"ruby","checksum":"6700374b5c0aa9d9ad4e711aeb677f0b7d415a6d01d3baa699efab25349d851c"},
 {"name":"gitlab-markup","version":"1.8.1","platform":"ruby","checksum":"ab1f9fd016977497c2af25b76341dea670533014f406861834a0bd99f646707b"},
 {"name":"gitlab-net-dns","version":"0.9.1","platform":"ruby","checksum":"bcd1a08dcb31b731e8ff602d828de619d2d9f53f5812f6abacf11c720873d4cb"},
-{"name":"gitlab-omniauth-openid-connect","version":"0.10.0","platform":"ruby","checksum":"ea44a23ea93457057bba6a9912e883f5aefab36a941c6c58512c8a7095fb1153"},
 {"name":"gitlab-sidekiq-fetcher","version":"0.9.0","platform":"ruby","checksum":"54041aec059f20c8e6dfce394e1b60e0c0a9c7cef32da912a58abbd333e13897"},
 {"name":"gitlab-styles","version":"9.2.0","platform":"ruby","checksum":"7106e7fb2de01f0c4a8d074ccff5c1f37502eab98cc51c8b5dd72a081785cea4"},
 {"name":"gitlab_chronic_duration","version":"0.10.6.2","platform":"ruby","checksum":"6dda4cfe7dca9b958f163ac8835c3d9cc70cf8df8cbb89bb2fbf9ba4375105fb"},
@@ -401,6 +400,7 @@
 {"name":"omniauth-saml","version":"2.0.0","platform":"ruby","checksum":"02594fd6630de26a9e65a2e64223e9ad32324fa97a6c7f1f22a1553ea3dd44c7"},
 {"name":"omniauth-shibboleth","version":"1.3.0","platform":"ruby","checksum":"b0bb725ced5cb76fbfc187ddbb8ad6864d0cd5df714cab36a528df8ee4b1d113"},
 {"name":"omniauth-twitter","version":"1.4.0","platform":"ruby","checksum":"c5cc6c77cd767745ffa9ebbd5fbd694a3fa99d1d2d82a4d7def0bf3b6131b264"},
+{"name":"omniauth_openid_connect","version":"0.6.0","platform":"ruby","checksum":"b8e48ca67fdea2dff56cc161855b88707a290ae01125149dbe0f8c94e818cfd3"},
 {"name":"open4","version":"1.3.4","platform":"ruby","checksum":"a1df037310624ecc1ea1d81264b11c83e96d0c3c1c6043108d37d396dcd0f4b1"},
 {"name":"openid_connect","version":"1.3.0","platform":"ruby","checksum":"a796855096850cc01140e37ea6ae9fd14f2be818b9b5bc698418063dfe228770"},
 {"name":"openssl","version":"2.2.2","platform":"ruby","checksum":"53f72382bac046c36c37049c7ec9d5597d42628d140b5cfbcd61e0226c0ca077"},

Gemfile.lock

@@ -599,10 +599,6 @@ GEM
     gitlab-mail_room (0.0.9)
     gitlab-markup (1.8.1)
     gitlab-net-dns (0.9.1)
-    gitlab-omniauth-openid-connect (0.10.0)
-      addressable (~> 2.7)
-      omniauth (>= 1.9, < 3)
-      openid_connect (~> 1.2)
     gitlab-sidekiq-fetcher (0.9.0)
       json (>= 2.5)
       sidekiq (~> 6.1)
@@ -1025,6 +1021,9 @@ GEM
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
       rack
+    omniauth_openid_connect (0.6.0)
+      omniauth (>= 1.9, < 3)
+      openid_connect (~> 1.1)
     open4 (1.3.4)
     openid_connect (1.3.0)
       activemodel
@@ -1679,7 +1678,6 @@ DEPENDENCIES
   gitlab-mail_room (~> 0.0.9)
   gitlab-markup (~> 1.8.0)
   gitlab-net-dns (~> 0.9.1)
-  gitlab-omniauth-openid-connect (~> 0.10.0)
   gitlab-sidekiq-fetcher (= 0.9.0)
   gitlab-styles (~> 9.2.0)
   gitlab_chronic_duration (~> 0.10.6.2)
@@ -1770,6 +1768,8 @@ DEPENDENCIES
   omniauth-shibboleth (~> 1.3.0)
   omniauth-twitter (~> 1.4)
   omniauth_crowd (~> 2.4.0)!
+  omniauth_openid_connect (~> 0.6.0)
+  openid_connect (= 1.3.0)
   openssl (= 2.2.2)
   org-ruby (~> 0.9.12)
   pact (~> 1.63)

app/helpers/issuables_helper.rb

@@ -242,7 +242,6 @@ module IssuablesHelper
       updateEndpoint: "#{issuable_path(issuable)}.json",
       canUpdate: can?(current_user, :"update_#{issuable.to_ability_name}", issuable),
       canDestroy: can?(current_user, :"destroy_#{issuable.to_ability_name}", issuable),
-      canUpdateTimelineEvent: can?(current_user, :admin_incident_management_timeline_event, issuable),
       issuableRef: issuable.to_reference,
       markdownPreviewPath: preview_markdown_path(parent, target_type: issuable.model_name, target_id: issuable.iid),
       markdownDocsPath: help_page_path('user/markdown'),
@@ -272,7 +271,17 @@ module IssuablesHelper
       sentryIssueIdentifier: SentryIssue.find_by(issue: issuable)&.sentry_issue_identifier, # rubocop:disable CodeReuse/ActiveRecord
       iid: issuable.iid.to_s,
       isHidden: issue_hidden?(issuable),
-      canCreateIncident: create_issue_type_allowed?(issuable.project, :incident)
+      canCreateIncident: create_issue_type_allowed?(issuable.project, :incident),
+      **incident_only_initial_data(issuable)
+    }
+  end
+
+  def incident_only_initial_data(issue)
+    return {} unless issue.incident?
+
+    {
+      hasLinkedAlerts: issue.alert_management_alerts.any?,
+      canUpdateTimelineEvent: can?(current_user, :admin_incident_management_timeline_event, issue)
     }
   end
 

app/models/repository.rb

@@ -603,10 +603,16 @@ class Repository
   cache_method_asymmetrically :has_visible_content?
 
   def avatar
-    # n+1: https://gitlab.com/gitlab-org/gitlab-foss/issues/38327
-    Gitlab::GitalyClient.allow_n_plus_1_calls do
-      if tree = file_on_head(:avatar)
-        tree.path
+    if Feature.enabled?(:readme_from_gitaly)
+      Gitlab::GitalyClient.allow_n_plus_1_calls do
+        avatar_path_gitaly
+      end
+    else
+      # n+1: https://gitlab.com/gitlab-org/gitlab-foss/issues/38327
+      Gitlab::GitalyClient.allow_n_plus_1_calls do
+        if tree = file_on_head(:avatar)
+          tree.path
+        end
       end
     end
   end
@@ -1247,19 +1253,31 @@ class Repository
   end
 
   def readme_path_gitaly
-    return if empty? || root_ref.nil?
-
     # (?i) to enable case-insensitive mode
     #
     # Note: `Gitlab::FileDetector::PATTERNS[:readme]#to_s` won't work because of
     # incompatibility of regex engines between Rails and Gitaly.
-    regex = "(?i)#{Gitlab::FileDetector::PATTERNS[:readme].source}"
+    pattern = "(?i)#{Gitlab::FileDetector::PATTERNS[:readme].source}"
 
-    readmes = search_files_by_regexp(regex, root_ref)
+    readmes = fetch_file_paths_from_gitaly(pattern)
 
     choose_readme_to_display(readmes)
   end
 
+  def avatar_path_gitaly
+    # Note: `Gitlab::FileDetector::PATTERNS[:avatar]#to_s` won't work because of
+    # incompatibility of regex engines between Rails and Gitaly.
+    pattern = Gitlab::FileDetector::PATTERNS[:avatar].source
+
+    fetch_file_paths_from_gitaly(pattern, limit: 1).first
+  end
+
+  def fetch_file_paths_from_gitaly(pattern, limit: 0)
+    return [] if empty? || root_ref.nil?
+
+    search_files_by_regexp(pattern, root_ref, limit: limit)
+  end
+
   # Extracted from Tree#readme_path
   def choose_readme_to_display(readmes)
     previewable_readme = readmes.find { |name| Gitlab::MarkupHelper.previewable?(name) }

app/views/import/github/new.html.haml

@@ -10,8 +10,9 @@
   = import_github_authorize_message
 
 - if github_import_configured? && !has_ci_cd_only_params?
-  = link_to status_import_github_path(namespace_id: params[:namespace_id]), class: 'gl-button btn btn-confirm' do
-    = sprite_icon('github', css_class: 'gl-mr-2')
+  = render Pajamas::ButtonComponent.new(variant: :confirm,
+    href: status_import_github_path(namespace_id: params[:namespace_id]),
+    icon: 'github') do
     = title
 
   %hr
@@ -31,5 +32,9 @@
   = render_if_exists 'import/github/ci_cd_only'
 
   .form-actions.gl-display-flex.gl-justify-content-end
-    = link_to _('Cancel'), new_project_path, class: 'gl-button btn btn-default'
-    = submit_tag _('Authenticate'), class: 'gl-button btn btn-confirm gl-ml-3', data: { qa_selector: 'authenticate_button' }
+    = render Pajamas::ButtonComponent.new(href: new_project_path) do
+      = _('Cancel')
+    = render Pajamas::ButtonComponent.new(variant: :confirm,
+      type: :submit,
+      button_options: { class: 'gl-ml-3', data: { qa_selector: 'authenticate_button' } }) do
+      = _('Authenticate')

config/routes/issues.rb

@@ -21,6 +21,12 @@ resources :issues, concerns: :awardable, constraints: { id: /\d+/ } do
     post :bulk_update
     post :import_csv
     post :export_csv
+
+    scope :incident do
+      get '/:id',
+        to: 'incidents#show',
+        as: :incident
+    end
   end
 
   resources :issue_links, only: [:index, :create, :destroy], as: 'links', path: 'links'

config/routes/project.rb

@@ -375,8 +375,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
           end
         end
 
-        get 'issues/incident/:id' => 'incidents#show', as: :issues_incident
-
         namespace :error_tracking do
           resources :projects, only: :index
         end

db/fixtures/development/33_triage_ops.rb

@@ -73,6 +73,8 @@ class Gitlab::Seeder::TriageOps
     pipeline:run-single-db
     pipeline:skip-undercoverage
     pipeline:update-cache
+    documentation
+    Community contribution
   LABELS
 
   def seed!

doc/administration/auth/cognito.md

@@ -33,7 +33,7 @@ To enable AWS Cognito as an authentication provider, complete the following step
    - **Enabled Identity Providers** - select all
    - **Callback URL** - `https://<your_gitlab_instance_url>/users/auth/cognito/callback`
    - **Allowed OAuth Flows** - Authorization code grant
-   - **Allowed OAuth2 Scopes** - `email`, `openid`, and `profile`
+   - **Allowed OAuth 2.0 Scopes** - `email`, `openid`, and `profile`
 
 1. Save changes for the app client settings.
 1. Under **Domain name**, include the AWS domain name for your AWS Cognito application.

doc/administration/gitaly/reference.md

@@ -26,7 +26,7 @@ At the top level, `config.toml` defines the items described on the table below.
 | `socket_path` | string | yes (if  `listen_addr` is not set) | A path which Gitaly should open a Unix socket. |
 | `listen_addr` | string | yes (if `socket_path` is not set) | TCP address for Gitaly to listen on. |
 | `tls_listen_addr` | string | no | TCP over TLS address for Gitaly to listen on. |
-| `bin_dir`    | string | yes    | Directory containing Gitaly's executables. |
+| `bin_dir`    | string | yes    | Directory containing Gitaly executables. |
 | `prometheus_listen_addr` | string | no | TCP listen address for Prometheus metrics. If not set, no Prometheus listener is started. |
 
 For example:
@@ -100,7 +100,7 @@ by GitLab with names, such as `default`.
 
 These names and paths are also defined in the `gitlab.yml` configuration file of
 GitLab. When you run Gitaly on the same machine as GitLab (the default
-and recommended configuration) storage paths defined in Gitaly's `config.toml`
+and recommended configuration) storage paths defined in the Gitaly `config.toml`
 must match those in `gitlab.yml`.
 
 | Name | Type | Required | Description |
@@ -146,7 +146,7 @@ The default limit is 100 `cat-file`s, which constitute a pair of
 you are seeing errors complaining about "too many open files", or an
 inability to create new processes, you may want to lower this limit.
 
-Ideally, the number should be large enough to handle normal
+Ideally, the number should be large enough to handle standard
 traffic. If you raise the limit, you should measure the cache hit ratio
 before and after. If the hit ratio does not improve, the higher limit is
 probably not making a meaningful difference. Here is an example

doc/administration/monitoring/prometheus/web_exporter.md

@@ -22,7 +22,7 @@ We provide two mechanisms by which web application metrics can be exported:
   makes metric data available via its own `/-/metrics` endpoint. This is the default,
   and is described in [GitLab Metrics](index.md#gitlab-metrics). We recommend this
   default for small GitLab installations where the amount of metrics collected is small.
-- Through a dedicated metrics server. Enabling this server will cause Puma to launch an
+- Through a dedicated metrics server. Enabling this server causes Puma to launch an
   additional process whose sole responsibility is to serve metrics. This approach leads
   to better fault isolation and performance for very large GitLab installations, but
   comes with additional memory use. We recommend this approach for medium to large
@@ -69,5 +69,5 @@ To serve metrics via HTTPS instead of HTTP, enable TLS in the exporter settings:
 1. Save the file and [reconfigure GitLab](../../restart_gitlab.md#omnibus-gitlab-reconfigure)
    for the changes to take effect.
 
-When TLS is enabled, the same `port` and `address` will be used as described above.
+When TLS is enabled, the same `port` and `address` is used as described above.
 The metrics server cannot serve both HTTP and HTTPS at the same time.

doc/api/groups.md

@@ -1201,7 +1201,8 @@ GET /groups?search=foobar
 
 > Introduced in GitLab 14.8.
 
-Get a list of users provisioned by a given group. Does not include users provisioned by subgroups.
+Get a list of users provisioned by a given group. Does not include subgroups.
+Users in this list are considered [enterprise users](../user/enterprise_user/index.md).
 
 Requires at least the Maintainer role on the group.
 

doc/api/members.md

@@ -29,8 +29,7 @@ In GitLab 14.8 and earlier, projects in personal namespaces have an `access_leve
 
 The `group_saml_identity` attribute is only visible to a group owner for [SSO enabled groups](../user/group/saml_sso/index.md).
 
-The `email` attribute is only visible to group owners when the user was provisioned by the group.
-Users are provisioned by the group when the account was created via [SCIM](../user/group/saml_sso/scim_setup.md) or by first sign-in with [SAML SSO for GitLab.com groups](../user/group/saml_sso/index.md).
+The `email` attribute is only visible to group Owners for any [enterprise user](../user/enterprise_user/index.md).
 
 ## List all members of a group or project
 

doc/architecture/blueprints/ci_data_decay/pipeline_partitioning.md

@@ -796,18 +796,16 @@ strategy here to share knowledge and solicit feedback from other team members.
 
 ## Who
 
-Authors:
+DRIs:
 
 <!-- vale gitlab.Spelling = NO -->
 
-| Role   | Who            |
-|--------|----------------|
-| Author | Grzegorz Bizon |
-
-Recommenders:
-
-| Role                          | Who             |
-|-------------------------------|-----------------|
-| Senior Distingiushed Engineer | Kamil Trzciński |
+| Role                | Who                                            |
+|---------------------|------------------------------------------------|
+| Author              | Grzegorz Bizon, Principal Engineer             |
+| Recommender         | Kamil Trzciński, Senior Distingiushed Engineer |
+| Product Manager     | James Heimbuck, Senior Product Manager         |
+| Engineering Manager | Scott Hampton, Engineering Manager             |
+| Lead Engineer       | Marius Bobin, Senior Backend Engineer          |
 
 <!-- vale gitlab.Spelling = YES -->

doc/ci/git_submodules.md

@@ -67,7 +67,7 @@ To make submodules work correctly in CI/CD jobs:
      GIT_SUBMODULE_DEPTH: 1
    ```
 
-1. You can filter or exclude specific submodules to control which submodules will be synced using
+1. You can filter or exclude specific submodules to control which submodules are synchronized using
    [`GIT_SUBMODULE_PATHS`](runners/configure_runners.md#sync-or-exclude-specific-submodules-from-ci-jobs).
 
    ```yaml

doc/ci/migration/jenkins.md

@@ -99,7 +99,7 @@ Some high level differences between the products worth mentioning are:
   feature.
 - The [`parallel`](../yaml/index.md#parallel) keyword can automatically parallelize tasks,
   like tests that support parallelization.
-- Normally all jobs in a single stage run in parallel, and all stages run in sequence.
+- Usually all jobs in a single stage run in parallel, and all stages run in sequence.
   Different [pipeline architectures](../pipelines/pipeline_architectures.md) allow you to change this behavior.
 - The new [`rules` syntax](../yaml/index.md#rules) is the recommended method of
   controlling when different jobs run. It is more powerful than the `only/except` syntax.

doc/ci/troubleshooting.md

@@ -324,6 +324,13 @@ On a self-managed instance, you can [increase the size limits](../administration
 A [loop of included configuration files](pipeline_editor/index.md#configuration-validation-currently-not-available-message)
 can cause a `500` error when editing the `.gitlab-ci.yml` file with the [web editor](../user/project/repository/web_editor.md).
 
+### A CI/CD job does not use newer configuration when run again
+
+The configuration for a pipeline is only fetched when the pipeline is created.
+When you rerun a job, uses the same configuration each time. If you update configuration files,
+including separate files added with [`include`](yaml/index.md#include), you must
+start a new pipeline to use the new configuration.
+
 ## Pipeline warnings
 
 Pipeline configuration warnings are shown when you:

doc/user/enterprise_user/index.md

@@ -0,0 +1,71 @@
+---
+stage: Manage
+group: Authentication and Authorization
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+type: reference
+---
+
+# Enterprise users **(PREMIUM SAAS)**
+
+Enterprise users have user accounts that are administered by an organization that
+has purchased a [GitLab subscription](../../subscriptions/index.md).
+
+Enterprise users are identified by the [**Enterprise** badge](../project/badges.md)
+next to their names on the [Members list](../group/manage.md#filter-and-sort-members-in-a-group).
+
+## Provision an enterprise user
+
+A user account is considered an enterprise account when:
+
+- A user without an existing GitLab user account uses the group's
+  [SAML SSO](../group/saml_sso/index.md) to sign in for the first time.
+- [SCIM](../group/saml_sso/scim_setup.md) creates the user account on behalf of
+  the group.
+
+A user can also [manually connect an identity provider (IdP) to a GitLab account whose email address matches the subscribing organization's domain](../group/saml_sso/index.md#linking-saml-to-your-existing-gitlabcom-account).
+By selecting **Authorize** when connecting these two accounts, the user account
+with the matching email address is classified as an enterprise user. However, this
+user account does not have an **Enterprise** badge in GitLab.
+
+Although a user can be a member of more than one group, each user account can be
+provisioned by only one group. As a result, a user is considered an enterprise
+user under one top-level group only.
+
+## Manage enterprise users in a namespace
+
+A top-level Owner of a namespace on a paid plan can retrieve information about and
+manage enterprise user accounts in that namespace.
+
+These enterprise user-specific actions are in addition to the standard
+[group member permissions](../permissions.md#group-members-permissions).
+
+### Disable two-factor authentication
+
+> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/9484) in GitLab 15.8.
+
+Top-level group Owners can disable two-factor authentication (2FA) for enterprise users.
+
+To disable 2FA:
+
+1. On the top bar, select **Main menu > Groups** and find your group.
+1. On the left sidebar, select **Group information > Members**.
+1. Find a user with the **Enterprise** and **2FA** badges.
+1. Select **More actions** (**{ellipsis_v}**) and select **Disable two-factor authentication**.
+
+### Prevent users from creating groups and projects outside the corporate group
+
+A SAML IdP administrator or a top-level group Owner can use a SAML response to set:
+
+- Whether users can create groups.
+- The maximum number of personal projects users can create.
+
+For more information, see the [supported user attributes for SAML responses](../group/saml_sso/index.md#supported-user-attributes).
+
+### Bypass email confirmation for provisioned users
+
+A top-level group Owner can [set up verified domains to bypass confirmation emails](../group/saml_sso/index.md#bypass-user-email-confirmation-with-verified-domains).
+
+### Get users' email addresses through the API
+
+A top-level group Owner can use the [group and project members API](../../api/members.md)
+to access users' information, including email addresses.

doc/user/group/manage.md

@@ -131,7 +131,7 @@ Filter a group to find members. By default, all members in the group and subgrou
 In lists of group members, entries can display the following badges:
 
 - **SAML**, to indicate the member has a [SAML account](saml_sso/index.md) connected to them.
-- **Enterprise**, to indicate that [SCIM created the account](saml_sso/scim_setup.md).
+- **Enterprise**, to indicate that the member is an [enterprise user](../enterprise_user/index.md).
 
 1. On the top bar, select **Main menu > Groups** and find your group.
 1. Above the list of members, in the **Filter members** box, enter filter criteria.

doc/user/group/saml_sso/index.md

@@ -333,7 +333,7 @@ To migrate users to a new email domain, users must:
 ## User access and management
 
 > - SAML user provisioning [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/268142) in GitLab 13.7.
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/325712) in GitLab 14.0, GitLab users created by [SAML SSO](index.md#user-access-and-management) or SCIM provisioning are displayed with an **Enterprise** badge in the **Members** view.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/325712) in GitLab 14.0, GitLab users created by [SAML SSO](index.md#user-access-and-management) or SCIM provisioning are displayed with an ][**Enterprise**](../../enterprise_user/index.md) badge in the **Members** view.
 
 After group SSO is configured and enabled, users can access the GitLab.com group through the identity provider's dashboard.
 If [SCIM](scim_setup.md) is configured, see [user access](scim_setup.md#user-access) on the SCIM page.
@@ -431,7 +431,7 @@ convert the information to XML. An example SAML response is shown here.
 
 By default, users provisioned with SAML or SCIM are sent a verification email to verify their identity. Instead, you can
 [configure GitLab with a custom domain](../../project/pages/custom_domains_ssl_tls_certification/index.md) and GitLab
-automatically confirms user accounts. Users still receive an enterprise user welcome email. Confirmation is bypassed for
+automatically confirms user accounts. Users still receive an [enterprise user](../../enterprise_user/index.md) welcome email. Confirmation is bypassed for
 users:
 
 - That are provisioned with SAML or SCIM.

doc/user/group/saml_sso/scim_setup.md

@@ -170,7 +170,7 @@ encounter issues.
 
 ## User access
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/325712) in GitLab 14.0, GitLab users created by [SAML SSO](index.md#user-access-and-management) or SCIM provisioning are displayed with an **Enterprise** badge in the **Members** view.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/325712) in GitLab 14.0, GitLab users created by [SAML SSO](index.md#user-access-and-management) or SCIM provisioning are displayed with an [**Enterprise**](../../enterprise_user/index.md) badge in the **Members** view.
 
 During the synchronization process, all new users:
 

doc/user/group/saml_sso/troubleshooting.md

@@ -58,6 +58,16 @@ You can use one of the following to troubleshoot SAML:
 
 For convenience, we've included some [example resources](../../../user/group/saml_sso/example_saml_config.md) used by our Support Team. While they may help you verify the SAML app configuration, they are not guaranteed to reflect the current state of third-party products.
 
+### Calculate the fingerprint
+
+If you use a `idp_cert_fingerprint`, it must be a SHA1 fingerprint. To calculate a SHA1 fingerprint, download the certificate file and run:
+
+```shell
+openssl x509 -in <filename.crt> -noout -fingerprint -sha1
+```
+
+Replace `filename.crt` with the name of the certificate file.
+
 ## Searching Rails log for a SAML response **(FREE SELF)**
 
 You can find the base64-encoded SAML Response in the [`production_json.log`](../../../administration/logs/index.md#production_jsonlog).
@@ -122,13 +132,17 @@ must be validated using either a fingerprint, a certificate, or a validator.
 
 For this requirement, be sure to take the following into account:
 
-- If a fingerprint is used, it must be the SHA1 fingerprint
+- If you use a fingerprint, it must be the correct SHA1 fingerprint. To confirm that you are using
+  the correct SHA1 fingerprint:
+  1. Re-download the certificate file.
+  1. [Calculate the fingerprint](#calculate-the-fingerprint).
+  1. Compare the fingerprint to the value provided in `idp_cert_fingerprint`. The values should be the same.
 - If no certificate is provided in the settings, a fingerprint or fingerprint
   validator needs to be provided and the response from the server must contain
-  a certificate (`<ds:KeyInfo><ds:X509Data><ds:X509Certificate>`)
+  a certificate (`<ds:KeyInfo><ds:X509Data><ds:X509Certificate>`).
 - If a certificate is provided in the settings, it is no longer necessary for
   the request to contain one. In this case the fingerprint or fingerprint
-  validators are optional
+  validators are optional.
 
 If none of the above described scenarios is valid, the request
 fails with one of the mentioned errors.

lib/gitlab/database.rb

@@ -34,10 +34,8 @@ module Gitlab
     # https://gitlab.com/gitlab-org/gitlab-foss/issues/61974
     MAX_TEXT_SIZE_LIMIT = 1_000_000
 
-    # Minimum schema version from which migrations are supported
     # Migrations before this version may have been removed
-    MIN_SCHEMA_VERSION = 20190506135400
-    MIN_SCHEMA_GITLAB_VERSION = '11.11.0'
+    MIN_SCHEMA_GITLAB_VERSION = '15.0'
 
     # Schema we store dynamically managed partitions in (e.g. for time partitioning)
     DYNAMIC_PARTITIONS_SCHEMA = :gitlab_partitions_dynamic
@@ -304,6 +302,14 @@ module Gitlab
       !read_only?
     end
 
+    # Determines minimum viable migration version, determined by the timestamp
+    # of the earliest migration file.
+    def self.read_minimum_migration_version
+      Dir.open(
+        Rails.root.join('db/migrate')
+      ).filter_map { |f| /\A\d{14}/.match(f)&.to_s }.map(&:to_i).min
+    end
+
     # Monkeypatch rails with upgraded database observability
     def self.install_transaction_metrics_patches!
       ActiveRecord::Base.prepend(ActiveRecordBaseTransactionMetrics)

lib/tasks/migrate/schema_check.rake

@@ -6,10 +6,14 @@ task schema_version_check: :environment do
 
   schema_version = ActiveRecord::Migrator.current_version
 
+  minimum_migration_version = Gitlab::Database.read_minimum_migration_version
+
+  raise 'Unable to find any migration files in db/migrate.' if minimum_migration_version.nil?
+
   # Ensure migrations are being run from a supported schema version
   # A schema verison of 0 is a fresh db, and should be safe to run migrations
   # But a database with existing migrations less than our min version is not
-  if schema_version > 0 && schema_version < Gitlab::Database::MIN_SCHEMA_VERSION
+  if schema_version > 0 && schema_version < minimum_migration_version
     raise "Your current database version is too old to be migrated. " \
           "You should upgrade to GitLab #{Gitlab::Database::MIN_SCHEMA_GITLAB_VERSION} before moving to this version. " \
           "Please see https://docs.gitlab.com/ee/policy/maintenance.html#upgrade-recommendations"

qa/qa/service/cluster_provider/gcloud.rb

@@ -55,7 +55,7 @@ module QA
           shell <<~CMD.tr("\n", ' ')
             curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 &&
             chmod 700 get_helm.sh &&
-            ./get_helm.sh
+            DESIRED_VERSION=3.7.0 ./get_helm.sh
           CMD
         end
 

spec/features/abuse_report_spec.rb

@@ -56,7 +56,7 @@ RSpec.describe 'Abuse reports', :js, feature_category: :insider_threat do
       let_it_be(:incident) { create(:incident, project: project, author: abusive_user) }
 
       before do
-        visit project_issues_incident_path(project, incident)
+        visit incident_project_issues_path(project, incident)
         click_button 'Incident actions'
       end
 

spec/features/incidents/incident_details_spec.rb

@@ -19,7 +19,7 @@ RSpec.describe 'Incident details', :js, feature_category: :incident_management d
 
   context 'when a developer+ displays the incident' do
     before do
-      visit project_issues_incident_path(project, incident)
+      visit incident_project_issues_path(project, incident)
       wait_for_requests
     end
 
@@ -108,7 +108,7 @@ RSpec.describe 'Incident details', :js, feature_category: :incident_management d
   end
 
   it 'routes the user to the issue details page when the `issue_type` is set to issue' do
-    visit project_issues_incident_path(project, incident)
+    visit incident_project_issues_path(project, incident)
     wait_for_requests
 
     project_path = "/#{project.full_path}"

spec/features/incidents/incident_timeline_events_spec.rb

@@ -14,7 +14,7 @@ RSpec.describe 'Incident timeline events', :js, feature_category: :incident_mana
   before do
     sign_in(developer)
 
-    visit project_issues_incident_path(project, incident)
+    visit incident_project_issues_path(project, incident)
     wait_for_requests
     click_link s_('Incident|Timeline')
   end

spec/features/incidents/user_views_incident_spec.rb

@@ -19,7 +19,7 @@ RSpec.describe "User views incident", feature_category: :incident_management do
   before do
     sign_in(user)
 
-    visit(project_issues_incident_path(project, incident))
+    visit(incident_project_issues_path(project, incident))
   end
 
   specify do
@@ -75,7 +75,7 @@ RSpec.describe "User views incident", feature_category: :incident_management do
 
   describe 'user status' do
     context 'when showing status of the author of the incident' do
-      subject { visit(project_issues_incident_path(project, incident)) }
+      subject { visit(incident_project_issues_path(project, incident)) }
 
       it_behaves_like 'showing user status' do
         let(:user_with_status) { user }

spec/features/issues/incident_issue_spec.rb

@@ -29,7 +29,7 @@ RSpec.describe 'Incident Detail', :js, feature_category: :team_planning do
       project.add_developer(user)
       sign_in(user)
 
-      visit project_issues_incident_path(project, incident)
+      visit incident_project_issues_path(project, incident)
       wait_for_requests
     end
 

spec/features/issues/issue_detail_spec.rb

@@ -130,7 +130,7 @@ RSpec.describe 'Issue Detail', :js, feature_category: :team_planning do
           page.within('[data-testid="issuable-form"]') do
             update_type_select('Issue', 'Incident')
 
-            expect(page).to have_current_path(project_issues_incident_path(project, issue))
+            expect(page).to have_current_path(incident_project_issues_path(project, issue))
           end
         end
       end

spec/helpers/issuables_helper_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe IssuablesHelper do
+RSpec.describe IssuablesHelper, feature_category: :team_planning do
   let(:label)  { build_stubbed(:label) }
   let(:label2) { build_stubbed(:label) }
 
@@ -387,6 +387,32 @@ RSpec.describe IssuablesHelper do
       expect(helper.issuable_initial_data(issue)).to match(hash_including(expected_data))
     end
 
+    context 'for incident tab' do
+      let(:incident) { create(:incident) }
+      let(:params) do
+        ActionController::Parameters.new({
+          controller: "projects/incidents",
+          action: "show",
+          namespace_id: "foo",
+          project_id: "bar",
+          id: incident.iid
+        }).permit!
+      end
+
+      it 'includes incident attributes' do
+        @project = incident.project
+        allow(helper).to receive(:safe_params).and_return(params)
+
+        expected_data = {
+          issueType: 'incident',
+          hasLinkedAlerts: false,
+          canUpdateTimelineEvent: true
+        }
+
+        expect(helper.issuable_initial_data(incident)).to match(hash_including(expected_data))
+      end
+    end
+
     describe '#sentryIssueIdentifier' do
       let(:issue) { create(:issue, author: user) }
 

spec/lib/gitlab/database_spec.rb

@@ -516,4 +516,33 @@ RSpec.describe Gitlab::Database do
       end
     end
   end
+
+  describe '.read_minimum_migration_version' do
+    before do
+      allow(Dir).to receive(:open).with(Rails.root.join('db/migrate')).and_return(migration_files)
+    end
+
+    context 'valid migration files exist' do
+      let(:migration_files) do
+        [
+          '20211004170422_init_schema.rb',
+          '20211005182304_add_users.rb'
+        ]
+      end
+
+      let(:valid_schema) { 20211004170422 }
+
+      it 'finds the correct ID' do
+        expect(described_class.read_minimum_migration_version).to eq valid_schema
+      end
+    end
+
+    context 'no valid migration files exist' do
+      let(:migration_files) { ['readme.txt', 'INSTALL'] }
+
+      it 'returns nil' do
+        expect(described_class.read_minimum_migration_version).to be_nil
+      end
+    end
+  end
 end

spec/models/repository_spec.rb

@@ -2572,28 +2572,52 @@ RSpec.describe Repository, feature_category: :source_code_management do
   describe '#avatar' do
     let(:project) { create(:project, :repository) }
 
-    it 'returns nil if repo does not exist' do
-      allow(repository).to receive(:root_ref).and_raise(Gitlab::Git::Repository::NoRepository)
+    it 'returns nil if repo is empty' do
+      allow(repository).to receive(:empty).and_return(true)
 
       expect(repository.avatar).to be_nil
     end
 
     it 'returns the first avatar file found in the repository' do
-      expect(repository).to receive(:file_on_head)
-        .with(:avatar)
-        .and_return(double(:tree, path: 'logo.png'))
+      expect(repository).to receive(:search_files_by_regexp).and_return(['logo.png'])
 
       expect(repository.avatar).to eq('logo.png')
     end
 
     it 'caches the output' do
-      expect(repository).to receive(:file_on_head)
-        .with(:avatar)
-        .once
-        .and_return(double(:tree, path: 'logo.png'))
+      expect(repository).to receive(:search_files_by_regexp).once.and_return(['logo.png'])
 
       2.times { expect(repository.avatar).to eq('logo.png') }
     end
+
+    context 'when feature flag readme_from_gitaly is disabled' do
+      before do
+        stub_feature_flags(readme_from_gitaly: false)
+      end
+
+      it 'returns nil if repo does not exist' do
+        allow(repository).to receive(:root_ref).and_raise(Gitlab::Git::Repository::NoRepository)
+
+        expect(repository.avatar).to be_nil
+      end
+
+      it 'returns the first avatar file found in the repository' do
+        expect(repository).to receive(:file_on_head)
+          .with(:avatar)
+          .and_return(double(:tree, path: 'logo.png'))
+
+        expect(repository.avatar).to eq('logo.png')
+      end
+
+      it 'caches the output' do
+        expect(repository).to receive(:file_on_head)
+          .with(:avatar)
+          .once
+          .and_return(double(:tree, path: 'logo.png'))
+
+        2.times { expect(repository.avatar).to eq('logo.png') }
+      end
+    end
   end
 
   describe '#expire_exists_cache' do

spec/tasks/migrate/schema_check_rake_spec.rb

@@ -5,6 +5,7 @@ require 'rake'
 
 RSpec.describe 'schema_version_check rake task', :silence_stdout do
   include StubENV
+  let(:valid_schema_version) { 20211004170422 }
 
   before :all do
     Rake.application.rake_require 'active_record/railties/databases'
@@ -15,8 +16,8 @@ RSpec.describe 'schema_version_check rake task', :silence_stdout do
   end
 
   before do
-    allow(ActiveRecord::Migrator).to receive(:current_version).and_return(Gitlab::Database::MIN_SCHEMA_VERSION)
-
+    allow(ActiveRecord::Migrator).to receive(:current_version).and_return(valid_schema_version)
+    allow(Gitlab::Database).to receive(:read_minimum_migration_version).and_return(valid_schema_version)
     # Ensure our check can re-run each time
     Rake::Task[:schema_version_check].reenable
   end