root
/
gitlab-ce
mirror of https://gitlab.com/free-releases/gitlab-ce.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2024-06-11 06:15:50 +00:00
parent 81ca8673dd
commit abca9ee505
40 changed files with 203 additions and 120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
GITALY_SERVER_VERSION
View File

@ -1 +1 @@
28dfd63da1afe2128fd1dcfc5f6953302eab88f2
676cff8cddb9bf142cf00a712db75dbb69563b7e

2
app/assets/javascripts/packages_and_registries/settings/project/components/container_protection_rules.vue
View File

@ -48,7 +48,7 @@ export default {
i18n: {
settingBlockTitle: s__('ContainerRegistry|Protected containers'),
settingBlockDescription: s__(
'ContainerRegistry|When a container is protected then only certain user roles are able to push and delete the protected container image. This helps to avoid tampering with the container image.',
'ContainerRegistry|When a container is protected, only certain user roles can push and delete the protected container image, which helps to avoid tampering with the container image.',
),
protectionRuleDeletionConfirmModal: {
title: s__('ContainerRegistry|Delete container protection rule?'),

2
app/assets/javascripts/packages_and_registries/settings/project/components/packages_protection_rules.vue
View File

@ -46,7 +46,7 @@ export default {
i18n: {
settingBlockTitle: s__('PackageRegistry|Protected packages'),
settingBlockDescription: s__(
'PackageRegistry|When a package is protected then only certain user roles are able to update and delete the protected package. This helps to avoid tampering with the package.',
'PackageRegistry|When a package is protected, only certain user roles can push, update, and delete the protected package, which helps to avoid tampering with the package.',
),
protectionRuleDeletionConfirmModal: {
title: s__('PackageRegistry|Delete package protection rule?'),

36
app/assets/javascripts/token_access/components/inbound_token_access.vue
View File

@ -24,14 +24,11 @@ import TokenAccessTable from './token_access_table.vue';
export default {
i18n: {
toggleLabelTitle: s__('CICD|Allow CI/CD job token access'),
toggleLabelTitle: s__('CICD|Limit access %{italicStart}to%{italicEnd} this project'),
toggleDescription: s__(
`CICD|When enabled, groups and projects listed in the allowlist are authorized to use a CI/CD job token to authenticate requests to this project. %{linkStart}Learn more%{linkEnd}.`,
),
cardHeaderTitle: s__('CICD|Authorized groups and projects'),
cardHeaderDescription: s__(
`CICD|Ensure only groups and projects with members authorized to access sensitive project data are added to the allowlist.`,
`CICD|Allow access to this project from authorized groups or projects by adding them to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}.`,
),
cardHeaderTitle: s__('CICD|Groups and projects with access'),
settingDisabledMessage: s__(
'CICD|No access is currently allowed to this project. Enable feature to authorize access from groups or projects in the allowlist below.',
),
@ -261,25 +258,22 @@ export default {
<div>
<gl-card
class="gl-new-card"
header-class="gl-new-card-header gl-border-bottom-0 gl-flex-wrap gl-md-flex-nowrap"
header-class="gl-new-card-header gl-border-bottom-0"
body-class="gl-new-card-body gl-px-0"
>
<template #header>
<div class="gl-new-card-title-wrapper gl-flex-direction-column gl-flex-wrap">
<div class="gl-new-card-title">
<h5>{{ $options.i18n.cardHeaderTitle }}</h5>
<span class="gl-new-card-count">
<gl-icon name="group" class="gl-mr-2" />
{{ groups.length }}
</span>
<span class="gl-new-card-count">
<gl-icon name="project" class="gl-mr-2" />
{{ projects.length }}
</span>
</div>
<p class="gl-text-secondary">{{ $options.i18n.cardHeaderDescription }}</p>
<div class="gl-new-card-title-wrapper">
<h5 class="gl-new-card-title">{{ $options.i18n.cardHeaderTitle }}</h5>
<span class="gl-new-card-count">
<gl-icon name="group" class="gl-mr-2" />
{{ groups.length }}
</span>
<span class="gl-new-card-count">
<gl-icon name="project" class="gl-mr-2" />
{{ projects.length }}
</span>
</div>
<div class="gl-new-card-actions gl-w-full gl-md-w-auto gl-text-right">
<div class="gl-new-card-actions">
<gl-button
v-if="!isAddFormVisible"
size="small"

4
app/assets/javascripts/token_access/components/outbound_token_access.vue
View File

@ -20,7 +20,7 @@ import getCIJobTokenScopeQuery from '../graphql/queries/get_ci_job_token_scope.q
import getProjectsWithCIJobTokenScopeQuery from '../graphql/queries/get_projects_with_ci_job_token_scope.query.graphql';
import TokenAccessTable from './token_access_table.vue';
// Note: This component will be removed in 18.0, as the outbound access token is getting deprecated
// Note: This component will be removed in 17.0, as the outbound access token is getting deprecated
export default {
i18n: {
toggleLabelTitle: s__(
@ -39,7 +39,7 @@ export default {
projectsFetchError: __('There was a problem fetching the projects'),
scopeFetchError: __('There was a problem fetching the job token scope value'),
outboundTokenAlertDeprecationMessage: s__(
`CICD|The %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}from%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting is deprecated and will be removed in the 18.0 milestone. Use the %{boldStart}Allow CI/CD job token access%{boldEnd} setting and allowlist instead. %{linkStart}How do I do this?%{linkEnd}`,
`CICD|The %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}from%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting is deprecated and will be removed in the 18.0 milestone. Use the %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}to%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting and allowlist instead. %{linkStart}How do I do this?%{linkEnd}`,
),
disableToggleWarning: s__('CICD|Disabling this feature is a permanent change.'),
},

2
app/models/ci/runner.rb
View File

@ -67,7 +67,7 @@ module Ci
UPDATE_CONTACT_COLUMN_EVERY = ((40.minutes)..(55.minutes))
# The `STALE_TIMEOUT` constant defines the how far past the last contact or creation date a runner will be considered stale
STALE_TIMEOUT = 3.months
STALE_TIMEOUT = 7.days
# Only allow authentication token to be visible for a short while
REGISTRATION_AVAILABILITY_TIME = 1.hour

5
app/models/clusters/agent.rb
View File

@ -36,6 +36,11 @@ module Clusters
scope :with_name, ->(name) { where(name: name) }
scope :has_vulnerabilities, ->(value = true) { where(has_vulnerabilities: value) }
enum connection_mode: {
outgoing: 0, # agentk -> kas
incoming: 1 # kas -> agentk
}, _prefix: true
validates :name,
presence: true,
length: { maximum: 63 },

4
app/views/projects/settings/ci_cd/show.html.haml
View File

@ -105,11 +105,11 @@
%section.settings.no-animate#js-token-access{ class: ('expanded' if expanded) }
.settings-header
%h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
= _("Job token permissions")
= _("Token Access")
= render Pajamas::ButtonComponent.new(button_options: { class: 'js-settings-toggle' }) do
= expanded ? _('Collapse') : _('Expand')
%p.gl-text-secondary
= _("Control whether CI/CD job tokens can be used to authenticate with this project.")
= _("Control how the CI_JOB_TOKEN CI/CD variable is used for API access between projects.")
.settings-content
= render 'ci/token_access/index'

2
data/deprecations/15-9-insecure-ci-job-token.yml
View File

@ -20,8 +20,6 @@
To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or later can enable the **Allow access** setting now and add the other projects. It will not be possible to disable the setting in 18.0 or later.
In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**.
In 17.1, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**.
#
# OPTIONAL END OF SUPPORT FIELDS
#

2
data/deprecations/16-5-ci-job-token-limit-setting.yml
View File

@ -20,8 +20,6 @@
To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or later can enable the **Allow access** setting now and add the other projects. It will not be possible to disable the setting in 18.0 or later.
In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**.
In 17.1, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**.
#
# OPTIONAL END OF SUPPORT FIELDS
#

9
db/migrate/20240606051535_add_connection_mode_to_cluster_agents.rb Normal file
View File

@ -0,0 +1,9 @@
# frozen_string_literal: true
class AddConnectionModeToClusterAgents < Gitlab::Database::Migration[2.2]
milestone '17.1'
def change
add_column :cluster_agents, :connection_mode, :smallint, null: false, default: 0
end
end

1
db/schema_migrations/20240606051535 Normal file
View File

@ -0,0 +1 @@
5eedfd7d7b51e295550fe4d52a7cc1c3d67e17c516db880dc6deeac9f05fb7a2

1
db/structure.sql
View File

@ -7995,6 +7995,7 @@ CREATE TABLE cluster_agents (
name text NOT NULL,
created_by_user_id bigint,
has_vulnerabilities boolean DEFAULT false NOT NULL,
connection_mode smallint DEFAULT 0 NOT NULL,
CONSTRAINT check_3498369510 CHECK ((char_length(name) <= 255))
);

4
doc/administration/instance_limits.md
View File

@ -674,8 +674,10 @@ of extra Pages deployments permitted for a top-level namespace is 1000.
### Number of registered runners per scope
> - Runner stale timeout [changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155795) from 3 months to 7 days in GitLab 17.1.
The total number of registered runners is limited at the group and project levels. Each time a new runner is registered,
GitLab checks these limits against runners that have been active in the last 3 months.
GitLab checks these limits against runners that have been active in the last 7 days.
A runner's registration fails if it exceeds the limit for the scope determined by the runner registration token.
If the limit value is set to zero, the limit is disabled.

4
doc/api/graphql/reference/index.md
View File

@ -33295,10 +33295,10 @@ Values for sorting runners.
| ----- | ----------- |
| <a id="cirunnerstatusactive"></a>`ACTIVE` **{warning-solid}** | **Deprecated** in GitLab 14.6. This was renamed. Use: [`CiRunner.paused`](#cirunnerpaused). |
| <a id="cirunnerstatusnever_contacted"></a>`NEVER_CONTACTED` | Runner that has never contacted this instance. |
| <a id="cirunnerstatusoffline"></a>`OFFLINE` | Runner that has not contacted this instance within the last 2 hours. Will be considered `STALE` if offline for more than 3 months. |
| <a id="cirunnerstatusoffline"></a>`OFFLINE` | Runner that has not contacted this instance within the last 2 hours. Will be considered `STALE` if offline for more than 7 days. |
| <a id="cirunnerstatusonline"></a>`ONLINE` | Runner that contacted this instance within the last 2 hours. |
| <a id="cirunnerstatuspaused"></a>`PAUSED` **{warning-solid}** | **Deprecated** in GitLab 14.6. This was renamed. Use: [`CiRunner.paused`](#cirunnerpaused). |
| <a id="cirunnerstatusstale"></a>`STALE` | Runner that has not contacted this instance within the last 3 months. |
| <a id="cirunnerstatusstale"></a>`STALE` | Runner that has not contacted this instance within the last 7 days. |
### `CiRunnerType`

7
doc/api/project_job_token_scopes.md
View File

@ -34,7 +34,7 @@ If successful, returns [`200`](rest/index.md#status-codes) and the following res
| Attribute | Type | Description |
|--------------------|---------|-------------|
| `inbound_enabled` | boolean | Indicates if the [**Grant access to this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) is enabled. |
| `inbound_enabled` | boolean | Indicates if the [**Limit access _to_ this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) is enabled. |
| `outbound_enabled` | boolean | Indicates if the CI/CD job token generated in this project has access to other projects. [Deprecated and planned for removal in GitLab 18.0](../update/deprecations.md#default-cicd-job-token-ci_job_token-scope-changed). |
Example request:
@ -55,9 +55,8 @@ Example response:
## Patch a project's CI/CD job token access settings
> - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.1.
Patch the [**Grant access to this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) (job token scope) of a project.
Patch the [**Limit access _to_ this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) (job token scope) of a project.
```plaintext
PATCH /projects/:id/job_token_scope
@ -68,7 +67,7 @@ Supported attributes:
| Attribute | Type | Required | Description |
|-----------|----------------|----------|-------------|
| `id` | integer/string | Yes | ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding). |
| `enabled` | boolean | Yes | Indicates if the [**Grant access to this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) should be enabled. |
| `enabled` | boolean | Yes | Indicates if the [**Limit access _to_ this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) should be enabled. |
If successful, returns [`204`](rest/index.md#status-codes) and no response body.

3
doc/ci/debugging.md
View File

@ -438,7 +438,6 @@ Ensure that included configuration files do not create a loop of references to e
### `Failed to pull image` messages
> - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.1.
A runner might return a `Failed to pull image` message when trying to pull a container image
in a CI/CD job.
@ -462,7 +461,7 @@ For example:
These errors can happen if the following are both true:
- The [**Grant access to this project**](jobs/ci_job_token.md#limit-job-token-scope-for-public-or-internal-projects)
- The [**Limit access _to_ this project**](jobs/ci_job_token.md#limit-job-token-scope-for-public-or-internal-projects)
option is enabled in the private project hosting the image.
- The job attempting to fetch the image is running in a project that is not listed in
the private project's allowlist.

10
doc/ci/jobs/ci_job_token.md
View File

@ -88,7 +88,6 @@ with a job token from any project. These resources can also be [limited to only
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/346298/) in GitLab 15.10.
> - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
> - Adding groups to the job token allowlist [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.0.
> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.1.
You can add groups or projects to your job token allowlist to allow access your project's resources
with a job token for authentication. By default, the allowlist of any project only includes itself.
@ -114,7 +113,7 @@ To add a group or project to the allowlist:
1. On the left sidebar, select **Search or go to** and find your project.
1. Select **Settings > CI/CD**.
1. Expand **Token Access**.
1. Ensure the **Grant access to this project** toggle is enabled. Enabled by default in new projects.
1. Ensure the **Limit access _to_ this project** toggle is enabled. Enabled by default in new projects.
It is a security risk to disable this feature, so project maintainers or owners should
keep this setting enabled at all times.
1. Select **Add group or project**.
@ -152,14 +151,13 @@ To set a feature to be only visible to project members:
### Allow any project to access your project
> - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.1.
WARNING:
It is a security risk to disable the token access limit and allowlist. A malicious user could try to compromise
a pipeline created in an unauthorized project. If the pipeline was created by one of
your maintainers, the job token could be used in an attempt to access your project.
If you disable the **Grant access to this project** setting, the allowlist is ignored.
If you disable the **Limit access _to_ this project** setting, the allowlist is ignored.
Jobs from any project could access your project with a job token if the user that
triggers the pipeline has permission to access your project.
@ -175,7 +173,7 @@ To disable the job token scope allowlist:
1. On the left sidebar, select **Search or go to** and find your project.
1. Select **Settings > CI/CD**.
1. Expand **Token Access**.
1. Toggle **Grant access to this project** to disabled.
1. Toggle **Limit access _to_ this project** to disabled.
Enabled by default in new projects.
You can also enable and disable the setting with the [GraphQL](../../api/graphql/reference/index.md#mutationprojectcicdsettingsupdate) (`inboundJobTokenScopeEnabled`) and [REST](../../api/project_job_token_scopes.md#patch-a-projects-cicd-job-token-access-settings) API.
@ -197,7 +195,7 @@ proposes to change this behavior.
NOTE:
The [**Limit access _from_ this project**](#configure-the-job-token-scope-deprecated)
setting is disabled by default for all new projects and is [scheduled for removal](https://gitlab.com/gitlab-org/gitlab/-/issues/383084)
in GitLab 18.0. Project maintainers or owners should configure the [**Grant access to this project**](#add-a-group-or-project-to-the-job-token-allowlist)
in GitLab 17.0. Project maintainers or owners should configure the [**Limit access _to_ this project**](#add-a-group-or-project-to-the-job-token-allowlist)
setting instead.
Control your project's job token scope by creating an allowlist of projects which

2
doc/ci/runners/runners_scope.md
View File

@ -584,7 +584,7 @@ A runner can have one of the following statuses.
|---------|-------------|
| `online` | The runner has contacted GitLab within the last 2 hours and is available to run jobs. |
| `offline` | The runner has not contacted GitLab in more than 2 hours and is not available to run jobs. Check the runner to see if you can bring it online. |
| `stale` | The runner has not contacted GitLab in more than 3 months. If the runner was created more than 3 months ago, but it never contacted the instance, it is also considered **stale**. |
| `stale` | The runner has not contacted GitLab in more than 7 days. If the runner was created more than 7 days ago, but it never contacted the instance, it is also considered **stale**. |
| `never_contacted` | The runner has never contacted GitLab. To make the runner contact GitLab, run `gitlab-runner run`. |
## View statistics for runner performance

4
doc/update/deprecations.md
View File

@ -195,8 +195,6 @@ To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or l
In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**.
In 17.1, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**.
</div>
<div class="deprecation breaking-change" data-milestone="18.0">
@ -2979,8 +2977,6 @@ To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or l
In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**.
In 17.1, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**.
</div>
<div class="deprecation breaking-change" data-milestone="16.0">

14
doc/user/application_security/api_fuzzing/configuration/customizing_analyzer_settings.md
View File

@ -420,9 +420,11 @@ container that has Python 3 and Bash installed.
You have to set the environment variable `FUZZAPI_OVERRIDES_CMD` to the program or script you would like
to execute. The provided command creates the overrides JSON file as defined previously.
You might want to install other scripting runtimes like NodeJS or Ruby, or maybe you need to install a dependency for
your overrides command. In this case, we recommend setting the `FUZZAPI_PRE_SCRIPT` to the file path of a script which
provides those prerequisites. The script provided by `FUZZAPI_PRE_SCRIPT` is executed once, before the analyzer starts.
You might want to install other scripting runtimes like NodeJS or Ruby, or maybe you need to install a dependency for your overrides command. In this case, you should set the `FUZZAPI_PRE_SCRIPT` to the file path of a script that provides those prerequisites. The script provided by `FUZZAPI_PRE_SCRIPT` is executed once, before the analyzer starts.
NOTE:
When performing actions that require elevated permissions, make use of the `sudo` command.
For example, `sudo apk add nodejs`.
See the [Alpine Linux package management](https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management)
page for information about installing Alpine Linux packages.
@ -438,7 +440,7 @@ Optionally:
- `FUZZAPI_PRE_SCRIPT`: Script to install runtimes or dependencies before the analyzer starts.
WARNING:
To execute scripts in Alpine Linux you must first use the command [`chmod`](https://www.gnu.org/software/coreutils/manual/html_node/chmod-invocation.html) to set the [execution permission](https://www.gnu.org/software/coreutils/manual/html_node/Setting-Permissions.html). For example, to set the execution permission of `script.py` for everyone, use the command: `chmod a+x script.py`. If needed, you can version your `script.py` with the execution permission already set.
To execute scripts in Alpine Linux you must first use the command [`chmod`](https://www.gnu.org/software/coreutils/manual/html_node/chmod-invocation.html) to set the [execution permission](https://www.gnu.org/software/coreutils/manual/html_node/Setting-Permissions.html). For example, to set the execution permission of `script.py` for everyone, use the command: `sudo chmod a+x script.py`. If needed, you can version your `script.py` with the execution permission already set.
```yaml
stages:
@ -582,9 +584,7 @@ As for example, the following script `user-pre-scan-set-up.sh`:
echo "**** install python dependencies ****"
python3 -m ensurepip
pip3 install --no-cache --upgrade \
pip \
sudo pip3 install --no-cache --upgrade --break-system-packages \
requests \
backoff

4
doc/user/application_security/api_fuzzing/configuration/variables.md
View File

@ -33,8 +33,8 @@ info: To determine the technical writer assigned to the Stage/Group associated w
|[`FUZZAPI_OVERRIDES_ENV`](customizing_analyzer_settings.md#overrides) | JSON string containing headers to override. |
|[`FUZZAPI_OVERRIDES_CMD`](customizing_analyzer_settings.md#overrides) | Overrides command. |
|[`FUZZAPI_OVERRIDES_CMD_VERBOSE`](customizing_analyzer_settings.md#overrides) | When set to any value. It shows overrides command output as part of the job output. |
|`FUZZAPI_PRE_SCRIPT` | Run user command or script before scan session starts. |
|`FUZZAPI_POST_SCRIPT` | Run user command or script after scan session has finished. |
|`FUZZAPI_PRE_SCRIPT` | Run user command or script before scan session starts. `sudo` must be used for privileged operations like installing packages. |
|`FUZZAPI_POST_SCRIPT` | Run user command or script after scan session has finished. `sudo` must be used for privileged operations like installing packages. |
|[`FUZZAPI_OVERRIDES_INTERVAL`](customizing_analyzer_settings.md#overrides) | How often to run overrides command in seconds. Defaults to `0` (once). |
|[`FUZZAPI_HTTP_USERNAME`](customizing_analyzer_settings.md#http-basic-authentication) | Username for HTTP authentication. |
|[`FUZZAPI_HTTP_PASSWORD`](customizing_analyzer_settings.md#http-basic-authentication) | Password for HTTP authentication. |

34
doc/user/application_security/api_fuzzing/troubleshooting.md
View File

@ -326,3 +326,37 @@ The following example uses the [statically defined credentials](../../../ci/dock
app@sha256:2b69fc7c3627dbd0ebaa17674c264fcd2f2ba21ed9552a472acf8b065d39039c ...
Waiting for services to be up and running (timeout 30 seconds)...
```
## `sudo: The "no new privileges" flag is set, which prevents sudo from running as root.`
Starting with v5 of the analyzer, a non-root user is used by default. This requires the use of `sudo` when performing privileged operations.
This error occurs with a specific container daemon setup that prevents running containers from obtaining new permissions. In most settings, this is not the default configuration, it's something specifically configured, often as part of a security hardening guide.
**Error message**
This issue can be identified by the error message generated when a `before_script` or `FUZZAPI_PRE_SCRIPT` is executed:
```shell
$ sudo apk add nodejs
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
```
**Solution**
This issue can be worked around in the following ways:
1. Run the container as the `root` user. This can be done by modifying the CICD configuration:
```yaml
api_security:
image:
name: $SECURE_ANALYZERS_PREFIX/$FUZZAPI_IMAGE:$FUZZAPI_VERSION$FUZZAPI_IMAGE_SUFFIX
docker:
user: root
```
1. Change the GitLab Runner configuration, disabling the no-new-privileges flag.

17
doc/user/application_security/api_security_testing/configuration/customizing_analyzer_settings.md
View File

@ -397,12 +397,13 @@ container that has Python 3 and Bash installed.
You have to set the environment variable `DAST_API_OVERRIDES_CMD` to the program or script you would like
to execute. The provided command creates the overrides JSON file as defined previously.
You might want to install other scripting runtimes like NodeJS or Ruby, or maybe you need to install a dependency for
your overrides command. In this case, we recommend setting the `DAST_API_PRE_SCRIPT` to the file path of a script which
provides those prerequisites. The script provided by `DAST_API_PRE_SCRIPT` is executed once, before the analyzer starts.
You might want to install other scripting runtimes like NodeJS or Ruby, or maybe you need to install a dependency for your overrides command. In this case, you should set the `DAST_API_PRE_SCRIPT` to the file path of a script which provides those prerequisites. The script provided by `DAST_API_PRE_SCRIPT` is executed once before the analyzer starts.
See the [Alpine Linux package management](https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management)
page for information about installing Alpine Linux packages.
NOTE:
When performing actions that require elevated permissions, make use of the `sudo` command.
For example, `sudo apk add nodejs`.
See the [Alpine Linux package management](https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management) page for information about installing Alpine Linux packages.
You must provide three CI/CD variables, each set for correct operation:
@ -415,7 +416,7 @@ Optionally:
- `DAST_API_PRE_SCRIPT`: Script to install runtimes or dependencies before the scan starts.
WARNING:
To execute scripts in Alpine Linux you must first use the command [`chmod`](https://www.gnu.org/software/coreutils/manual/html_node/chmod-invocation.html) to set the [execution permission](https://www.gnu.org/software/coreutils/manual/html_node/Setting-Permissions.html). For example, to set the execution permission of `script.py` for everyone, use the command: `chmod a+x script.py`. If needed, you can version your `script.py` with the execution permission already set.
To execute scripts in Alpine Linux you must first use the command [`chmod`](https://www.gnu.org/software/coreutils/manual/html_node/chmod-invocation.html) to set the [execution permission](https://www.gnu.org/software/coreutils/manual/html_node/Setting-Permissions.html). For example, to set the execution permission of `script.py` for everyone, use the command: `sudo chmod a+x script.py`. If needed, you can version your `script.py` with the execution permission already set.
```yaml
stages:
@ -559,9 +560,7 @@ As for example, the following script `user-pre-scan-set-up.sh`
echo "**** install python dependencies ****"
python3 -m ensurepip
pip3 install --no-cache --upgrade \
pip \
sudo pip3 install --no-cache --upgrade --break-system-packages \
backoff
echo "**** python dependencies installed ****"

4
doc/user/application_security/api_security_testing/configuration/variables.md
View File

@ -40,8 +40,8 @@ info: To determine the technical writer assigned to the Stage/Group associated w
|[`DAST_API_OVERRIDES_ENV`](customizing_analyzer_settings.md#overrides) | JSON string containing headers to override. |
|[`DAST_API_OVERRIDES_CMD`](customizing_analyzer_settings.md#overrides) | Overrides command. |
|[`DAST_API_OVERRIDES_CMD_VERBOSE`](customizing_analyzer_settings.md#overrides) | When set to any value. It shows overrides command output as part of the job output. |
|`DAST_API_PRE_SCRIPT` | Run user command or script before scan session starts. |
|`DAST_API_POST_SCRIPT` | Run user command or script after scan session has finished. |
|`DAST_API_PRE_SCRIPT` | Run user command or script before scan session starts. `sudo` must be used for privileged operations like installing packages. |
|`DAST_API_POST_SCRIPT` | Run user command or script after scan session has finished. `sudo` must be used for privileged operations like installing packages. |
|[`DAST_API_OVERRIDES_INTERVAL`](customizing_analyzer_settings.md#overrides) | How often to run overrides command in seconds. Defaults to `0` (once). |
|[`DAST_API_HTTP_USERNAME`](customizing_analyzer_settings.md#http-basic-authentication) | Username for HTTP authentication. |
|[`DAST_API_HTTP_PASSWORD`](customizing_analyzer_settings.md#http-basic-authentication) | Password for HTTP authentication. Consider using `DAST_API_HTTP_PASSWORD_BASE64` instead. |

34
doc/user/application_security/api_security_testing/troubleshooting.md
View File

@ -306,3 +306,37 @@ The following example uses the [statically defined credentials](../../../ci/dock
It is possible that consecutive scans may return differing vulnerability findings in the absence of code or configuration changes. This is primarily due to the unpredictability associated with the target environment and its state, and the parallelization of requests sent by the scanner. Multiple requests are sent in parallel by the scanner to optimize scan time, which in turn means that the exact order the target server responds to the requests is not predetermined.
Timing attack vulnerabilities that are detected by the length of time between request and response such as OS Command or SQL Injections may be detected if the server is under load and unable to service responses to the tests within their given thresholds. The same scan executions when the server is not under load may not return positive findings for these vulnerabilities, leading to differing results. Profiling the target server, [Performance tuning and testing speed](performance.md#performance-tuning-and-testing-speed), and establishing baselines for optimal server performance during testing may be helpful in identifying where false positives may appear due to the aforementioned factors.
## `sudo: The "no new privileges" flag is set, which prevents sudo from running as root.`
Starting with v5 of the analyzer, a non-root user is used by default. This requires the use of `sudo` when performing privileged operations.
This error occurs with a specific container daemon setup that prevents running containers from obtaining new permissions. In most settings, this is not the default configuration, it's something specifically configured, often as part of a security hardening guide.
**Error message**
This issue can be identified by the error message generated when a `before_script` or `APISEC_PRE_SCRIPT` is executed:
```shell
$ sudo apk add nodejs
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
```
**Solution**
This issue can be worked around in the following ways:
1. Run the container as the `root` user. This can be done by modifying the CICD configuration:
```yaml
api_security:
image:
name: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION$DAST_API_IMAGE_SUFFIX
docker:
user: root
```
1. Change the GitLab Runner configuration, disabling the no-new-privileges flag.

2
doc/user/application_security/container_scanning/index.md
View File

@ -796,7 +796,7 @@ To resolve this, instead of binding the `/tmp` folder, bind specific files or fo
### Resolving `context deadline exceeded` error
This error typically occurs when scanning images containing JAR files, as it takes longer to download the `trivy-java-db` vulnerability database. To resolve this, increase the `TRIVY_TIMEOUT` environment variable to a longer duration.
This error means a timeout occurred. To resolve it, add the `TRIVY_TIMEOUT` environment variable to the `container_scanning` job with a sufficiently long duration.
## Changes

17
doc/user/packages/dependency_proxy/index.md
View File

@ -376,3 +376,20 @@ docker pull ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/library/docker:20.10.3@sha
```
In this example, `bc9dcf5c8e5908845acc6d34ab8824bca496d6d47d1b08af3baf4b3adb1bd8fe` is the SHA256 of the ARM based image.
### `MissingFile` errors after restoring a backup
If you encounter `MissingFile` or `Cannot read file` errors, it might be because
[backup archives](../../../administration/backup_restore/backup_gitlab.md)
do not include the contents of `gitlab-rails/shared/dependency_proxy/`.
To resolve this [known issue](https://gitlab.com/gitlab-org/gitlab/-/issues/354574),
you can use `rsync`, `scp`, or a similar tool to copy the affected files or the whole
`gitlab-rails/shared/dependency_proxy/` folder structure from the GitLab instance
that was the source of the backup.
If the data is not needed, you can delete the database entries with:
```shell
gitlab-psql -c "DELETE FROM dependency_proxy_blobs; DELETE FROM dependency_proxy_blob_states; DELETE FROM dependency_proxy_manifest_states; DELETE FROM dependency_proxy_manifests;"
```

27
locale/gitlab.pot
View File

@ -9991,10 +9991,7 @@ msgstr ""
msgid "CICD|Add an existing project to the scope"
msgstr ""
msgid "CICD|Allow CI/CD job token access"
msgstr ""
msgid "CICD|Authorized groups and projects"
msgid "CICD|Allow access to this project from authorized groups or projects by adding them to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}."
msgstr ""
msgid "CICD|Auto DevOps"
@ -10027,7 +10024,7 @@ msgstr ""
msgid "CICD|Enable feature to limit job token access to the following projects."
msgstr ""
msgid "CICD|Ensure only groups and projects with members authorized to access sensitive project data are added to the allowlist."
msgid "CICD|Groups and projects with access"
msgstr ""
msgid "CICD|Jobs"
@ -10039,6 +10036,9 @@ msgstr ""
msgid "CICD|Limit access %{italicStart}from%{italicEnd} this project (Deprecated)"
msgstr ""
msgid "CICD|Limit access %{italicStart}to%{italicEnd} this project"
msgstr ""
msgid "CICD|Maintainer"
msgstr ""
@ -10051,7 +10051,7 @@ msgstr ""
msgid "CICD|Prevent CI/CD job tokens from this project from being used to access other projects unless the other project is added to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}."
msgstr ""
msgid "CICD|The %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}from%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting is deprecated and will be removed in the 18.0 milestone. Use the %{boldStart}Allow CI/CD job token access%{boldEnd} setting and allowlist instead. %{linkStart}How do I do this?%{linkEnd}"
msgid "CICD|The %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}from%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting is deprecated and will be removed in the 18.0 milestone. Use the %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}to%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting and allowlist instead. %{linkStart}How do I do this?%{linkEnd}"
msgstr ""
msgid "CICD|The Auto DevOps pipeline runs by default in all projects with no CI/CD configuration file. %{link_start}What is Auto DevOps?%{link_end}"
@ -10069,9 +10069,6 @@ msgstr ""
msgid "CICD|Use separate caches for protected branches"
msgstr ""
msgid "CICD|When enabled, groups and projects listed in the allowlist are authorized to use a CI/CD job token to authenticate requests to this project. %{linkStart}Learn more%{linkEnd}."
msgstr ""
msgid "CICD|group enabled"
msgstr ""
@ -14416,7 +14413,7 @@ msgstr ""
msgid "ContainerRegistry|We are having trouble connecting to the Container Registry. Please try refreshing the page. If this error persists, please review %{docLinkStart}the troubleshooting documentation%{docLinkEnd}."
msgstr ""
msgid "ContainerRegistry|When a container is protected then only certain user roles are able to push and delete the protected container image. This helps to avoid tampering with the container image."
msgid "ContainerRegistry|When a container is protected, only certain user roles can push and delete the protected container image, which helps to avoid tampering with the container image."
msgstr ""
msgid "ContainerRegistry|While the rename is in progress, new uploads to the container registry are blocked. Ongoing uploads may fail and need to be retried."
@ -14794,7 +14791,7 @@ msgstr ""
msgid "Contributor analytics"
msgstr ""
msgid "Control whether CI/CD job tokens can be used to authenticate with this project."
msgid "Control how the CI_JOB_TOKEN CI/CD variable is used for API access between projects."
msgstr ""
msgid "Control whether to display customer experience improvement content and third-party offers in GitLab."
@ -29537,9 +29534,6 @@ msgstr ""
msgid "Job logs and artifacts"
msgstr ""
msgid "Job token permissions"
msgstr ""
msgid "Job was retried"
msgstr ""
@ -37428,7 +37422,7 @@ msgstr ""
msgid "PackageRegistry|Validate these URLs manually to ensure malicious packages are not uploaded to the NuGet package registry. Selecting and clearing the checkbox might lead to invalid records in the package registry that you cannot update."
msgstr ""
msgid "PackageRegistry|When a package is protected then only certain user roles are able to update and delete the protected package. This helps to avoid tampering with the package."
msgid "PackageRegistry|When a package is protected, only certain user roles can push, update, and delete the protected package, which helps to avoid tampering with the package."
msgstr ""
msgid "PackageRegistry|When a package with same name and version is uploaded to the registry, more assets are added to the package. To save storage space, keep only the most recent assets."
@ -55122,6 +55116,9 @@ msgstr ""
msgid "Token"
msgstr ""
msgid "Token Access"
msgstr ""
msgid "Token name"
msgstr ""

2
package.json
View File

@ -65,7 +65,7 @@
"@gitlab/cluster-client": "^2.2.0",
"@gitlab/favicon-overlay": "2.0.0",
"@gitlab/fonts": "^1.3.0",
"@gitlab/ui": "80.19.1",
"@gitlab/ui": "80.20.0",
"@gitlab/svgs": "3.101.0",
"@gitlab/web-ide": "^0.0.1-dev-20240531032328",
"@mattiasbuelens/web-streams-adapter": "^0.1.0",

2
spec/features/admin/admin_runners_spec.rb
View File

@ -62,8 +62,8 @@ RSpec.describe "Admin Runners", feature_category: :fleet_visibility do
context "with multiple runners" do
before do
create(:ci_runner, :instance, created_at: 1.year.ago, contacted_at: Time.zone.now)
create(:ci_runner, :instance, created_at: 1.year.ago, contacted_at: 1.day.ago)
create(:ci_runner, :instance, created_at: 1.year.ago, contacted_at: 1.week.ago)
create(:ci_runner, :instance, created_at: 1.year.ago, contacted_at: 1.year.ago)
visit admin_runners_path
end

2
spec/helpers/ci/runners_helper_spec.rb
View File

@ -147,7 +147,7 @@ RSpec.describe Ci::RunnersHelper, feature_category: :fleet_visibility do
group_full_path: group.full_path,
runner_install_help_page: 'https://docs.gitlab.com/runner/install/',
online_contact_timeout_secs: 7200,
stale_timeout_secs: 7889238
stale_timeout_secs: 604800
)
end
end

30
spec/models/ci/runner_spec.rb
View File

@ -474,10 +474,10 @@ RSpec.describe Ci::Runner, type: :model, feature_category: :runner do
describe '.recent' do
subject { described_class.recent }
let!(:runner1) { create(:ci_runner, :instance, contacted_at: nil, created_at: 2.months.ago) }
let!(:runner2) { create(:ci_runner, :instance, contacted_at: nil, created_at: 3.months.ago) }
let!(:runner3) { create(:ci_runner, :instance, contacted_at: 1.month.ago, created_at: 2.months.ago) }
let!(:runner4) { create(:ci_runner, :instance, contacted_at: 1.month.ago, created_at: 3.months.ago) }
let!(:runner1) { create(:ci_runner, contacted_at: nil, created_at: 6.days.ago) }
let!(:runner2) { create(:ci_runner, contacted_at: nil, created_at: 7.days.ago) }
let!(:runner3) { create(:ci_runner, contacted_at: 1.day.ago, created_at: 6.days.ago) }
let!(:runner4) { create(:ci_runner, contacted_at: 1.day.ago, created_at: 7.days.ago) }
it { is_expected.to contain_exactly(runner1, runner3, runner4) }
end
@ -569,11 +569,11 @@ RSpec.describe Ci::Runner, type: :model, feature_category: :runner do
using RSpec::Parameterized::TableSyntax
where(:created_at, :contacted_at, :expected_stale?) do
nil | nil | false
3.months.ago | 3.months.ago | true
3.months.ago | (3.months - 1.hour).ago | false
3.months.ago | nil | true
(3.months - 1.hour).ago | nil | false
nil | nil | false
7.days.ago | 7.days.ago | true
7.days.ago | (7.days - 1.hour).ago | false
7.days.ago | nil | true
(7.days - 1.hour).ago | nil | false
end
with_them do
@ -866,7 +866,7 @@ RSpec.describe Ci::Runner, type: :model, feature_category: :runner do
subject { runner.status }
context 'never connected' do
let(:runner) { build(:ci_runner, :instance, :unregistered, created_at: 3.months.ago) }
let(:runner) { build(:ci_runner, :instance, :unregistered, created_at: 7.days.ago) }
it { is_expected.to eq(:stale) }
@ -890,13 +890,13 @@ RSpec.describe Ci::Runner, type: :model, feature_category: :runner do
end
context 'contacted recently' do
let(:runner) { build(:ci_runner, :instance, contacted_at: (3.months - 1.second).ago) }
let(:runner) { build(:ci_runner, :instance, contacted_at: (7.days - 1.second).ago) }
it { is_expected.to eq(:offline) }
end
context 'contacted long time ago' do
let(:runner) { build(:ci_runner, :instance, created_at: 3.months.ago, contacted_at: 3.months.ago) }
let(:runner) { build(:ci_runner, :instance, created_at: 7.days.ago, contacted_at: 7.days.ago) }
it { is_expected.to eq(:stale) }
end
@ -925,8 +925,8 @@ RSpec.describe Ci::Runner, type: :model, feature_category: :runner do
context 'contacted long time ago' do
before do
runner.created_at = 3.months.ago
runner.contacted_at = 3.months.ago
runner.created_at = 7.days.ago
runner.contacted_at = 7.days.ago
end
it { is_expected.to eq(:stale) }
@ -2042,7 +2042,7 @@ RSpec.describe Ci::Runner, type: :model, feature_category: :runner do
describe '.stale_deadline', :freeze_time do
subject { described_class.stale_deadline }
it { is_expected.to eq(3.months.ago) }
it { is_expected.to eq(7.days.ago) }
end
describe '.with_runner_type' do

2
spec/models/clusters/agent_spec.rb
View File

@ -19,6 +19,8 @@ RSpec.describe Clusters::Agent, feature_category: :deployment_management do
it { is_expected.to validate_length_of(:name).is_at_most(63) }
it { is_expected.to validate_uniqueness_of(:name).scoped_to(:project_id) }
it { is_expected.to define_enum_for(:connection_mode).with_values(outgoing: 0, incoming: 1).with_prefix }
describe 'scopes' do
describe '.ordered_by_name' do
let(:names) { %w[agent-d agent-b agent-a agent-c] }

2
spec/requests/api/graphql/ci/runner_spec.rb
View File

@ -689,7 +689,7 @@ RSpec.describe 'Query.runner(id)', :freeze_time, feature_category: :fleet_visibi
end
let_it_be(:never_contacted_instance_runner) do
create(:ci_runner, :unregistered, description: 'Missing runner 1', created_at: 1.month.ago)
create(:ci_runner, :unregistered, description: 'Missing runner 1', created_at: 6.days.ago)
end
let(:query) do

2
spec/services/ci/runners/register_runner_service_spec.rb
View File

@ -246,7 +246,7 @@ RSpec.describe ::Ci::Runners::RegisterRunnerService, '#execute', feature_categor
context 'when it exceeds the application limits' do
before do
create(:ci_runner, :unregistered, runner_type: :group_type, groups: [group], created_at: 1.month.ago)
create(:ci_runner, :unregistered, runner_type: :group_type, groups: [group], created_at: 6.days.ago)
create(:plan_limits, :default_plan, ci_registered_group_runners: 1)
end

2
spec/support/shared_examples/helpers/runners_shared_examples.rb
View File

@ -6,7 +6,7 @@ RSpec.shared_examples 'admin_runners_data_attributes contains data' do
runner_install_help_page: 'https://docs.gitlab.com/runner/install/',
registration_token: Gitlab::CurrentSettings.runners_registration_token,
online_contact_timeout_secs: 7200,
stale_timeout_secs: 7889238
stale_timeout_secs: 604800
)
end
end

4
workhorse/go.mod
View File

@ -8,7 +8,7 @@ require (
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.2
github.com/BurntSushi/toml v1.4.0
github.com/alecthomas/chroma/v2 v2.14.0
github.com/aws/aws-sdk-go v1.51.14
github.com/aws/aws-sdk-go v1.53.7
github.com/disintegration/imaging v1.6.2
github.com/getsentry/raven-go v0.2.0
github.com/golang-jwt/jwt/v5 v5.2.1
@ -24,7 +24,7 @@ require (
github.com/sirupsen/logrus v1.9.3
github.com/smartystreets/goconvey v1.8.1
github.com/stretchr/testify v1.9.0
gitlab.com/gitlab-org/gitaly/v16 v16.11.2
gitlab.com/gitlab-org/gitaly/v16 v16.11.3
gitlab.com/gitlab-org/labkit v1.21.0
gocloud.dev v0.37.0
golang.org/x/image v0.16.0

8
workhorse/go.sum
View File

@ -96,8 +96,8 @@ github.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc
github.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
github.com/aws/aws-sdk-go v1.44.256/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
github.com/aws/aws-sdk-go v1.51.14 h1:qedX6zZEO1a+5kra+D4ythOYR3TgaROC0hTPxhTFh8I=
github.com/aws/aws-sdk-go v1.51.14/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
github.com/aws/aws-sdk-go v1.53.7 h1:ZSsRYHLRxsbO2rJR2oPMz0SUkJLnBkN+1meT95B6Ixs=
github.com/aws/aws-sdk-go v1.53.7/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
github.com/aws/aws-sdk-go-v2 v1.25.3 h1:xYiLpZTQs1mzvz5PaI6uR0Wh57ippuEthxS4iK5v0n0=
github.com/aws/aws-sdk-go-v2 v1.25.3/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I=
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.1 h1:gTK2uhtAPtFcdRRJilZPx8uJLL2J85xK11nKtWL0wfU=
@ -483,8 +483,8 @@ github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg=
github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
gitlab.com/gitlab-org/gitaly/v16 v16.11.2 h1:Kr9ogL2FMmC57+LFI33omUpYOUYtBIhbrAtKlPrBAQM=
gitlab.com/gitlab-org/gitaly/v16 v16.11.2/go.mod h1:lJizRUtXRd1SBHjNbbbL9OsGN4TiugvfRBd8bIsdWI0=
gitlab.com/gitlab-org/gitaly/v16 v16.11.3 h1:WkcRKQ8lO22FeXe54RCE4+7YnLh3irisu63pbtc45hw=
gitlab.com/gitlab-org/gitaly/v16 v16.11.3/go.mod h1:lJizRUtXRd1SBHjNbbbL9OsGN4TiugvfRBd8bIsdWI0=
gitlab.com/gitlab-org/labkit v1.21.0 h1:hLmdBDtXjD1yOmZ+uJOac3a5Tlo83QaezwhES4IYik4=
gitlab.com/gitlab-org/labkit v1.21.0/go.mod h1:zeATDAaSBelPcPLbTTq8J3ZJEHyPTLVBM1q3nva+/W4=
go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=

8
yarn.lock
View File

@ -1331,10 +1331,10 @@
resolved "https://registry.yarnpkg.com/@gitlab/svgs/-/svgs-3.101.0.tgz#a8769490eecd03b8cc2403f5b7faab34a4ad0d82"
integrity sha512-X/3oLr969A9dzVaTD2JfG6EmxadEQwCPXcfn1A6Y+AAI0PLkBgjDXUz0yo1tXJOF6nqOmYpBiUM6uOon3i5N4A==
"@gitlab/ui@80.19.1":
version "80.19.1"
resolved "https://registry.yarnpkg.com/@gitlab/ui/-/ui-80.19.1.tgz#22abdd4cd3a05e773df85c0f475f4db2efd7d789"
integrity sha512-D1+QBZ7EQY+HAPaMQDQ39uemnEYJg8tDno0kcd7jlbcnCxzzk1tRi+CoYO530k2dKLvnmx8EFyvCnpCdAydISw==
"@gitlab/ui@80.20.0":
version "80.20.0"
resolved "https://registry.yarnpkg.com/@gitlab/ui/-/ui-80.20.0.tgz#58b50f2727e8fdc81561ae5b4be0fa8fded01db6"
integrity sha512-QkFBKkDcBnzmFE4dOOPElsaDa13+FNr4Oaz1SEgVd6YGzCKC6ZNP/wfFGF6mg0jqSRukIRLgFljS7jiIhQnp5g==
dependencies:
"@floating-ui/dom" "1.4.3"
bootstrap-vue "2.23.1"