+
(name) { where(name: name) }
scope :has_vulnerabilities, ->(value = true) { where(has_vulnerabilities: value) }
+ enum connection_mode: {
+ outgoing: 0, # agentk -> kas
+ incoming: 1 # kas -> agentk
+ }, _prefix: true
+
validates :name,
presence: true,
length: { maximum: 63 },
diff --git a/app/views/projects/settings/ci_cd/show.html.haml b/app/views/projects/settings/ci_cd/show.html.haml
index 6df016c4ed2..f21386065bb 100644
--- a/app/views/projects/settings/ci_cd/show.html.haml
+++ b/app/views/projects/settings/ci_cd/show.html.haml
@@ -105,11 +105,11 @@
%section.settings.no-animate#js-token-access{ class: ('expanded' if expanded) }
.settings-header
%h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
- = _("Job token permissions")
+ = _("Token Access")
= render Pajamas::ButtonComponent.new(button_options: { class: 'js-settings-toggle' }) do
= expanded ? _('Collapse') : _('Expand')
%p.gl-text-secondary
- = _("Control whether CI/CD job tokens can be used to authenticate with this project.")
+ = _("Control how the CI_JOB_TOKEN CI/CD variable is used for API access between projects.")
.settings-content
= render 'ci/token_access/index'
diff --git a/data/deprecations/15-9-insecure-ci-job-token.yml b/data/deprecations/15-9-insecure-ci-job-token.yml
index 705d508c16b..1be584b99de 100644
--- a/data/deprecations/15-9-insecure-ci-job-token.yml
+++ b/data/deprecations/15-9-insecure-ci-job-token.yml
@@ -20,8 +20,6 @@
To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or later can enable the **Allow access** setting now and add the other projects. It will not be possible to disable the setting in 18.0 or later.
In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**.
-
- In 17.1, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**.
#
# OPTIONAL END OF SUPPORT FIELDS
#
diff --git a/data/deprecations/16-5-ci-job-token-limit-setting.yml b/data/deprecations/16-5-ci-job-token-limit-setting.yml
index 014ea9e4a01..7a4b3af500b 100644
--- a/data/deprecations/16-5-ci-job-token-limit-setting.yml
+++ b/data/deprecations/16-5-ci-job-token-limit-setting.yml
@@ -20,8 +20,6 @@
To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or later can enable the **Allow access** setting now and add the other projects. It will not be possible to disable the setting in 18.0 or later.
In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**.
-
- In 17.1, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**.
#
# OPTIONAL END OF SUPPORT FIELDS
#
diff --git a/db/migrate/20240606051535_add_connection_mode_to_cluster_agents.rb b/db/migrate/20240606051535_add_connection_mode_to_cluster_agents.rb
new file mode 100644
index 00000000000..ea1b0d7e66b
--- /dev/null
+++ b/db/migrate/20240606051535_add_connection_mode_to_cluster_agents.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddConnectionModeToClusterAgents < Gitlab::Database::Migration[2.2]
+ milestone '17.1'
+
+ def change
+ add_column :cluster_agents, :connection_mode, :smallint, null: false, default: 0
+ end
+end
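Review bot: The `default: 0` on the `add_column` line in `change` is a bare integer whose meaning lives only in the model's `connection_mode` enum (`outgoing: 0`, `incoming: 1`), so the migration should carry a comment such as `# 0 = outgoing (agentk -> kas); keep in sync with the connection_mode enum`. With `null: false` and this default, every existing `cluster_agents` row becomes `outgoing`, which looks like the intended conservative choice but is not stated anywhere in the file. Nothing at the database level limits the column to 0 or 1; if the stored mode ever decides which side initiates the kas/agentk connection, a check constraint on the allowed values would keep a stray write from producing an undefined mode.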
diff --git a/db/schema_migrations/20240606051535 b/db/schema_migrations/20240606051535
new file mode 100644
index 00000000000..9e2879f8a9b
--- /dev/null
+++ b/db/schema_migrations/20240606051535
@@ -0,0 +1 @@
+5eedfd7d7b51e295550fe4d52a7cc1c3d67e17c516db880dc6deeac9f05fb7a2
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 7338fdc4a9b..ec2b6ccf9d5 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -7995,6 +7995,7 @@ CREATE TABLE cluster_agents (
name text NOT NULL,
created_by_user_id bigint,
has_vulnerabilities boolean DEFAULT false NOT NULL,
+ connection_mode smallint DEFAULT 0 NOT NULL,
CONSTRAINT check_3498369510 CHECK ((char_length(name) <= 255))
);
diff --git a/doc/administration/instance_limits.md b/doc/administration/instance_limits.md
index 8e7993f5cae..99712755bc2 100644
--- a/doc/administration/instance_limits.md
+++ b/doc/administration/instance_limits.md
@@ -674,8 +674,10 @@ of extra Pages deployments permitted for a top-level namespace is 1000.
### Number of registered runners per scope
+> - Runner stale timeout [changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155795) from 3 months to 7 days in GitLab 17.1.
+
The total number of registered runners is limited at the group and project levels. Each time a new runner is registered,
-GitLab checks these limits against runners that have been active in the last 3 months.
+GitLab checks these limits against runners that have been active in the last 7 days.
A runner's registration fails if it exceeds the limit for the scope determined by the runner registration token.
If the limit value is set to zero, the limit is disabled.
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index ff150fa1a41..36f9ad6d4ad 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -33295,10 +33295,10 @@ Values for sorting runners.
| ----- | ----------- |
| `ACTIVE` **{warning-solid}** | **Deprecated** in GitLab 14.6. This was renamed. Use: [`CiRunner.paused`](#cirunnerpaused). |
| `NEVER_CONTACTED` | Runner that has never contacted this instance. |
-| `OFFLINE` | Runner that has not contacted this instance within the last 2 hours. Will be considered `STALE` if offline for more than 3 months. |
+| `OFFLINE` | Runner that has not contacted this instance within the last 2 hours. Will be considered `STALE` if offline for more than 7 days. |
| `ONLINE` | Runner that contacted this instance within the last 2 hours. |
| `PAUSED` **{warning-solid}** | **Deprecated** in GitLab 14.6. This was renamed. Use: [`CiRunner.paused`](#cirunnerpaused). |
-| `STALE` | Runner that has not contacted this instance within the last 3 months. |
+| `STALE` | Runner that has not contacted this instance within the last 7 days. |
### `CiRunnerType`
diff --git a/doc/api/project_job_token_scopes.md b/doc/api/project_job_token_scopes.md
index c5f6a9330bc..761820784c4 100644
--- a/doc/api/project_job_token_scopes.md
+++ b/doc/api/project_job_token_scopes.md
@@ -34,7 +34,7 @@ If successful, returns [`200`](rest/index.md#status-codes) and the following res
| Attribute | Type | Description |
|--------------------|---------|-------------|
-| `inbound_enabled` | boolean | Indicates if the [**Grant access to this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) is enabled. |
+| `inbound_enabled` | boolean | Indicates if the [**Limit access _to_ this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) is enabled. |
| `outbound_enabled` | boolean | Indicates if the CI/CD job token generated in this project has access to other projects. [Deprecated and planned for removal in GitLab 18.0](../update/deprecations.md#default-cicd-job-token-ci_job_token-scope-changed). |
Example request:
@@ -55,9 +55,8 @@ Example response:
## Patch a project's CI/CD job token access settings
> - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
-> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.1.
-Patch the [**Grant access to this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) (job token scope) of a project.
+Patch the [**Limit access _to_ this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) (job token scope) of a project.
```plaintext
PATCH /projects/:id/job_token_scope
@@ -68,7 +67,7 @@ Supported attributes:
| Attribute | Type | Required | Description |
|-----------|----------------|----------|-------------|
| `id` | integer/string | Yes | ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding). |
-| `enabled` | boolean | Yes | Indicates if the [**Grant access to this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) should be enabled. |
+| `enabled` | boolean | Yes | Indicates if the [**Limit access _to_ this project** setting](../ci/jobs/ci_job_token.md#add-a-group-or-project-to-the-job-token-allowlist) should be enabled. |
If successful, returns [`204`](rest/index.md#status-codes) and no response body.
diff --git a/doc/ci/debugging.md b/doc/ci/debugging.md
index 04ca7f35053..9636e65e865 100644
--- a/doc/ci/debugging.md
+++ b/doc/ci/debugging.md
@@ -438,7 +438,6 @@ Ensure that included configuration files do not create a loop of references to e
### `Failed to pull image` messages
> - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
-> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.1.
A runner might return a `Failed to pull image` message when trying to pull a container image
in a CI/CD job.
@@ -462,7 +461,7 @@ For example:
These errors can happen if the following are both true:
-- The [**Grant access to this project**](jobs/ci_job_token.md#limit-job-token-scope-for-public-or-internal-projects)
+- The [**Limit access _to_ this project**](jobs/ci_job_token.md#limit-job-token-scope-for-public-or-internal-projects)
option is enabled in the private project hosting the image.
- The job attempting to fetch the image is running in a project that is not listed in
the private project's allowlist.
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md
index 20914b0d828..1cfb6cb6a2d 100644
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -88,7 +88,6 @@ with a job token from any project. These resources can also be [limited to only
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/346298/) in GitLab 15.10.
> - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
> - Adding groups to the job token allowlist [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.0.
-> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.1.
You can add groups or projects to your job token allowlist to allow access your project's resources
with a job token for authentication. By default, the allowlist of any project only includes itself.
@@ -114,7 +113,7 @@ To add a group or project to the allowlist:
1. On the left sidebar, select **Search or go to** and find your project.
1. Select **Settings > CI/CD**.
1. Expand **Token Access**.
-1. Ensure the **Grant access to this project** toggle is enabled. Enabled by default in new projects.
+1. Ensure the **Limit access _to_ this project** toggle is enabled. Enabled by default in new projects.
It is a security risk to disable this feature, so project maintainers or owners should
keep this setting enabled at all times.
1. Select **Add group or project**.
@@ -152,14 +151,13 @@ To set a feature to be only visible to project members:
### Allow any project to access your project
> - **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
-> - **Limit access _to_ this project** setting [renamed to **Grant access to this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/415519) in GitLab 17.1.
WARNING:
It is a security risk to disable the token access limit and allowlist. A malicious user could try to compromise
a pipeline created in an unauthorized project. If the pipeline was created by one of
your maintainers, the job token could be used in an attempt to access your project.
-If you disable the **Grant access to this project** setting, the allowlist is ignored.
+If you disable the **Limit access _to_ this project** setting, the allowlist is ignored.
Jobs from any project could access your project with a job token if the user that
triggers the pipeline has permission to access your project.
@@ -175,7 +173,7 @@ To disable the job token scope allowlist:
1. On the left sidebar, select **Search or go to** and find your project.
1. Select **Settings > CI/CD**.
1. Expand **Token Access**.
-1. Toggle **Grant access to this project** to disabled.
+1. Toggle **Limit access _to_ this project** to disabled.
Enabled by default in new projects.
You can also enable and disable the setting with the [GraphQL](../../api/graphql/reference/index.md#mutationprojectcicdsettingsupdate) (`inboundJobTokenScopeEnabled`) and [REST](../../api/project_job_token_scopes.md#patch-a-projects-cicd-job-token-access-settings) API.
@@ -197,7 +195,7 @@ proposes to change this behavior.
NOTE:
The [**Limit access _from_ this project**](#configure-the-job-token-scope-deprecated)
setting is disabled by default for all new projects and is [scheduled for removal](https://gitlab.com/gitlab-org/gitlab/-/issues/383084)
-in GitLab 18.0. Project maintainers or owners should configure the [**Grant access to this project**](#add-a-group-or-project-to-the-job-token-allowlist)
+in GitLab 17.0. Project maintainers or owners should configure the [**Limit access _to_ this project**](#add-a-group-or-project-to-the-job-token-allowlist)
setting instead.
Control your project's job token scope by creating an allowlist of projects which
diff --git a/doc/ci/runners/runners_scope.md b/doc/ci/runners/runners_scope.md
index a853c9978ef..78b72d63a2e 100644
--- a/doc/ci/runners/runners_scope.md
+++ b/doc/ci/runners/runners_scope.md
@@ -584,7 +584,7 @@ A runner can have one of the following statuses.
|---------|-------------|
| `online` | The runner has contacted GitLab within the last 2 hours and is available to run jobs. |
| `offline` | The runner has not contacted GitLab in more than 2 hours and is not available to run jobs. Check the runner to see if you can bring it online. |
-| `stale` | The runner has not contacted GitLab in more than 3 months. If the runner was created more than 3 months ago, but it never contacted the instance, it is also considered **stale**. |
+| `stale` | The runner has not contacted GitLab in more than 7 days. If the runner was created more than 7 days ago, but it never contacted the instance, it is also considered **stale**. |
| `never_contacted` | The runner has never contacted GitLab. To make the runner contact GitLab, run `gitlab-runner run`. |
## View statistics for runner performance
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index 4b2e4b407c0..2f482adb22b 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -195,8 +195,6 @@ To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or l
In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**.
-In 17.1, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**.
-
@@ -2979,8 +2977,6 @@ To prepare for this change, users on GitLab.com or self-managed GitLab 15.9 or l
In 16.3, the names of these settings were changed to clarify their meanings: the deprecated **Limit CI_JOB_TOKEN access** setting is now called **Limit access _from_ this project**, and the newer **Allow access to this project with a CI_JOB_TOKEN** setting is now called **Limit access _to_ this project**.
-In 17.1, the name of the **Limit access _to_ this project** setting was further clarified: it is now called **Grant access to this project**.
-
diff --git a/doc/user/application_security/api_fuzzing/configuration/customizing_analyzer_settings.md b/doc/user/application_security/api_fuzzing/configuration/customizing_analyzer_settings.md
index 4838a33d9f4..961c9242aee 100644
--- a/doc/user/application_security/api_fuzzing/configuration/customizing_analyzer_settings.md
+++ b/doc/user/application_security/api_fuzzing/configuration/customizing_analyzer_settings.md
@@ -420,9 +420,11 @@ container that has Python 3 and Bash installed.
You have to set the environment variable `FUZZAPI_OVERRIDES_CMD` to the program or script you would like
to execute. The provided command creates the overrides JSON file as defined previously.
-You might want to install other scripting runtimes like NodeJS or Ruby, or maybe you need to install a dependency for
-your overrides command. In this case, we recommend setting the `FUZZAPI_PRE_SCRIPT` to the file path of a script which
-provides those prerequisites. The script provided by `FUZZAPI_PRE_SCRIPT` is executed once, before the analyzer starts.
+You might want to install other scripting runtimes like NodeJS or Ruby, or maybe you need to install a dependency for your overrides command. In this case, you should set the `FUZZAPI_PRE_SCRIPT` to the file path of a script that provides those prerequisites. The script provided by `FUZZAPI_PRE_SCRIPT` is executed once, before the analyzer starts.
+
+NOTE:
+When performing actions that require elevated permissions, make use of the `sudo` command.
+For example, `sudo apk add nodejs`.
See the [Alpine Linux package management](https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management)
page for information about installing Alpine Linux packages.
@@ -438,7 +440,7 @@ Optionally:
- `FUZZAPI_PRE_SCRIPT`: Script to install runtimes or dependencies before the analyzer starts.
WARNING:
-To execute scripts in Alpine Linux you must first use the command [`chmod`](https://www.gnu.org/software/coreutils/manual/html_node/chmod-invocation.html) to set the [execution permission](https://www.gnu.org/software/coreutils/manual/html_node/Setting-Permissions.html). For example, to set the execution permission of `script.py` for everyone, use the command: `chmod a+x script.py`. If needed, you can version your `script.py` with the execution permission already set.
+To execute scripts in Alpine Linux you must first use the command [`chmod`](https://www.gnu.org/software/coreutils/manual/html_node/chmod-invocation.html) to set the [execution permission](https://www.gnu.org/software/coreutils/manual/html_node/Setting-Permissions.html). For example, to set the execution permission of `script.py` for everyone, use the command: `sudo chmod a+x script.py`. If needed, you can version your `script.py` with the execution permission already set.
```yaml
stages:
@@ -582,9 +584,7 @@ As for example, the following script `user-pre-scan-set-up.sh`:
echo "**** install python dependencies ****"
-python3 -m ensurepip
-pip3 install --no-cache --upgrade \
- pip \
+sudo pip3 install --no-cache --upgrade --break-system-packages \
requests \
backoff
diff --git a/doc/user/application_security/api_fuzzing/configuration/variables.md b/doc/user/application_security/api_fuzzing/configuration/variables.md
index 84316fded3b..d709bf44118 100644
--- a/doc/user/application_security/api_fuzzing/configuration/variables.md
+++ b/doc/user/application_security/api_fuzzing/configuration/variables.md
@@ -33,8 +33,8 @@ info: To determine the technical writer assigned to the Stage/Group associated w
|[`FUZZAPI_OVERRIDES_ENV`](customizing_analyzer_settings.md#overrides) | JSON string containing headers to override. |
|[`FUZZAPI_OVERRIDES_CMD`](customizing_analyzer_settings.md#overrides) | Overrides command. |
|[`FUZZAPI_OVERRIDES_CMD_VERBOSE`](customizing_analyzer_settings.md#overrides) | When set to any value. It shows overrides command output as part of the job output. |
-|`FUZZAPI_PRE_SCRIPT` | Run user command or script before scan session starts. |
-|`FUZZAPI_POST_SCRIPT` | Run user command or script after scan session has finished. |
+|`FUZZAPI_PRE_SCRIPT` | Run user command or script before scan session starts. `sudo` must be used for privileged operations like installing packages. |
+|`FUZZAPI_POST_SCRIPT` | Run user command or script after scan session has finished. `sudo` must be used for privileged operations like installing packages. |
|[`FUZZAPI_OVERRIDES_INTERVAL`](customizing_analyzer_settings.md#overrides) | How often to run overrides command in seconds. Defaults to `0` (once). |
|[`FUZZAPI_HTTP_USERNAME`](customizing_analyzer_settings.md#http-basic-authentication) | Username for HTTP authentication. |
|[`FUZZAPI_HTTP_PASSWORD`](customizing_analyzer_settings.md#http-basic-authentication) | Password for HTTP authentication. |
diff --git a/doc/user/application_security/api_fuzzing/troubleshooting.md b/doc/user/application_security/api_fuzzing/troubleshooting.md
index 417b5a756bc..872b392be83 100644
--- a/doc/user/application_security/api_fuzzing/troubleshooting.md
+++ b/doc/user/application_security/api_fuzzing/troubleshooting.md
@@ -326,3 +326,37 @@ The following example uses the [statically defined credentials](../../../ci/dock
app@sha256:2b69fc7c3627dbd0ebaa17674c264fcd2f2ba21ed9552a472acf8b065d39039c ...
Waiting for services to be up and running (timeout 30 seconds)...
```
+
+## `sudo: The "no new privileges" flag is set, which prevents sudo from running as root.`
+
+Starting with v5 of the analyzer, a non-root user is used by default. This requires the use of `sudo` when performing privileged operations.
+
+This error occurs with a specific container daemon setup that prevents running containers from obtaining new permissions. In most settings, this is not the default configuration, it's something specifically configured, often as part of a security hardening guide.
+
+**Error message**
+
+This issue can be identified by the error message generated when a `before_script` or `FUZZAPI_PRE_SCRIPT` is executed:
+
+```shell
+$ sudo apk add nodejs
+
+sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
+
+sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
+```
+
+**Solution**
+
+This issue can be worked around in the following ways:
+
+1. Run the container as the `root` user. This can be done by modifying the CICD configuration:
+
+ ```yaml
+ api_security:
+ image:
+ name: $SECURE_ANALYZERS_PREFIX/$FUZZAPI_IMAGE:$FUZZAPI_VERSION$FUZZAPI_IMAGE_SUFFIX
+ docker:
+ user: root
+ ```
+
+1. Change the GitLab Runner configuration, disabling the no-new-privileges flag.
diff --git a/doc/user/application_security/api_security_testing/configuration/customizing_analyzer_settings.md b/doc/user/application_security/api_security_testing/configuration/customizing_analyzer_settings.md
index 12f40b1a704..ae1b897b89c 100644
--- a/doc/user/application_security/api_security_testing/configuration/customizing_analyzer_settings.md
+++ b/doc/user/application_security/api_security_testing/configuration/customizing_analyzer_settings.md
@@ -397,12 +397,13 @@ container that has Python 3 and Bash installed.
You have to set the environment variable `DAST_API_OVERRIDES_CMD` to the program or script you would like
to execute. The provided command creates the overrides JSON file as defined previously.
-You might want to install other scripting runtimes like NodeJS or Ruby, or maybe you need to install a dependency for
-your overrides command. In this case, we recommend setting the `DAST_API_PRE_SCRIPT` to the file path of a script which
-provides those prerequisites. The script provided by `DAST_API_PRE_SCRIPT` is executed once, before the analyzer starts.
+You might want to install other scripting runtimes like NodeJS or Ruby, or maybe you need to install a dependency for your overrides command. In this case, you should set the `DAST_API_PRE_SCRIPT` to the file path of a script which provides those prerequisites. The script provided by `DAST_API_PRE_SCRIPT` is executed once before the analyzer starts.
-See the [Alpine Linux package management](https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management)
-page for information about installing Alpine Linux packages.
+NOTE:
+When performing actions that require elevated permissions, make use of the `sudo` command.
+For example, `sudo apk add nodejs`.
+
+See the [Alpine Linux package management](https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management) page for information about installing Alpine Linux packages.
You must provide three CI/CD variables, each set for correct operation:
@@ -415,7 +416,7 @@ Optionally:
- `DAST_API_PRE_SCRIPT`: Script to install runtimes or dependencies before the scan starts.
WARNING:
-To execute scripts in Alpine Linux you must first use the command [`chmod`](https://www.gnu.org/software/coreutils/manual/html_node/chmod-invocation.html) to set the [execution permission](https://www.gnu.org/software/coreutils/manual/html_node/Setting-Permissions.html). For example, to set the execution permission of `script.py` for everyone, use the command: `chmod a+x script.py`. If needed, you can version your `script.py` with the execution permission already set.
+To execute scripts in Alpine Linux you must first use the command [`chmod`](https://www.gnu.org/software/coreutils/manual/html_node/chmod-invocation.html) to set the [execution permission](https://www.gnu.org/software/coreutils/manual/html_node/Setting-Permissions.html). For example, to set the execution permission of `script.py` for everyone, use the command: `sudo chmod a+x script.py`. If needed, you can version your `script.py` with the execution permission already set.
```yaml
stages:
@@ -559,9 +560,7 @@ As for example, the following script `user-pre-scan-set-up.sh`
echo "**** install python dependencies ****"
-python3 -m ensurepip
-pip3 install --no-cache --upgrade \
- pip \
+sudo pip3 install --no-cache --upgrade --break-system-packages \
backoff
echo "**** python dependencies installed ****"
diff --git a/doc/user/application_security/api_security_testing/configuration/variables.md b/doc/user/application_security/api_security_testing/configuration/variables.md
index 2cd3b6daaee..9fa6f20705c 100644
--- a/doc/user/application_security/api_security_testing/configuration/variables.md
+++ b/doc/user/application_security/api_security_testing/configuration/variables.md
@@ -40,8 +40,8 @@ info: To determine the technical writer assigned to the Stage/Group associated w
|[`DAST_API_OVERRIDES_ENV`](customizing_analyzer_settings.md#overrides) | JSON string containing headers to override. |
|[`DAST_API_OVERRIDES_CMD`](customizing_analyzer_settings.md#overrides) | Overrides command. |
|[`DAST_API_OVERRIDES_CMD_VERBOSE`](customizing_analyzer_settings.md#overrides) | When set to any value. It shows overrides command output as part of the job output. |
-|`DAST_API_PRE_SCRIPT` | Run user command or script before scan session starts. |
-|`DAST_API_POST_SCRIPT` | Run user command or script after scan session has finished. |
+|`DAST_API_PRE_SCRIPT` | Run user command or script before scan session starts. `sudo` must be used for privileged operations like installing packages. |
+|`DAST_API_POST_SCRIPT` | Run user command or script after scan session has finished. `sudo` must be used for privileged operations like installing packages. |
|[`DAST_API_OVERRIDES_INTERVAL`](customizing_analyzer_settings.md#overrides) | How often to run overrides command in seconds. Defaults to `0` (once). |
|[`DAST_API_HTTP_USERNAME`](customizing_analyzer_settings.md#http-basic-authentication) | Username for HTTP authentication. |
|[`DAST_API_HTTP_PASSWORD`](customizing_analyzer_settings.md#http-basic-authentication) | Password for HTTP authentication. Consider using `DAST_API_HTTP_PASSWORD_BASE64` instead. |
diff --git a/doc/user/application_security/api_security_testing/troubleshooting.md b/doc/user/application_security/api_security_testing/troubleshooting.md
index eb90a422b7f..4db754a3273 100644
--- a/doc/user/application_security/api_security_testing/troubleshooting.md
+++ b/doc/user/application_security/api_security_testing/troubleshooting.md
@@ -306,3 +306,37 @@ The following example uses the [statically defined credentials](../../../ci/dock
It is possible that consecutive scans may return differing vulnerability findings in the absence of code or configuration changes. This is primarily due to the unpredictability associated with the target environment and its state, and the parallelization of requests sent by the scanner. Multiple requests are sent in parallel by the scanner to optimize scan time, which in turn means that the exact order the target server responds to the requests is not predetermined.
Timing attack vulnerabilities that are detected by the length of time between request and response such as OS Command or SQL Injections may be detected if the server is under load and unable to service responses to the tests within their given thresholds. The same scan executions when the server is not under load may not return positive findings for these vulnerabilities, leading to differing results. Profiling the target server, [Performance tuning and testing speed](performance.md#performance-tuning-and-testing-speed), and establishing baselines for optimal server performance during testing may be helpful in identifying where false positives may appear due to the aforementioned factors.
+
+## `sudo: The "no new privileges" flag is set, which prevents sudo from running as root.`
+
+Starting with v5 of the analyzer, a non-root user is used by default. This requires the use of `sudo` when performing privileged operations.
+
+This error occurs with a specific container daemon setup that prevents running containers from obtaining new permissions. In most settings, this is not the default configuration, it's something specifically configured, often as part of a security hardening guide.
+
+**Error message**
+
+This issue can be identified by the error message generated when a `before_script` or `APISEC_PRE_SCRIPT` is executed:
+
+```shell
+$ sudo apk add nodejs
+
+sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
+
+sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
+```
+
+**Solution**
+
+This issue can be worked around in the following ways:
+
+1. Run the container as the `root` user. This can be done by modifying the CICD configuration:
+
+ ```yaml
+ api_security:
+ image:
+ name: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION$DAST_API_IMAGE_SUFFIX
+ docker:
+ user: root
+ ```
+
+1. Change the GitLab Runner configuration, disabling the no-new-privileges flag.
diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index 7dbbda61e60..f64d771309e 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -796,7 +796,7 @@ To resolve this, instead of binding the `/tmp` folder, bind specific files or fo
### Resolving `context deadline exceeded` error
-This error typically occurs when scanning images containing JAR files, as it takes longer to download the `trivy-java-db` vulnerability database. To resolve this, increase the `TRIVY_TIMEOUT` environment variable to a longer duration.
+This error means a timeout occurred. To resolve it, add the `TRIVY_TIMEOUT` environment variable to the `container_scanning` job with a sufficiently long duration.
## Changes
diff --git a/doc/user/packages/dependency_proxy/index.md b/doc/user/packages/dependency_proxy/index.md
index cf08f98ee4d..91d9431d2a8 100644
--- a/doc/user/packages/dependency_proxy/index.md
+++ b/doc/user/packages/dependency_proxy/index.md
@@ -376,3 +376,20 @@ docker pull ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/library/docker:20.10.3@sha
```
In this example, `bc9dcf5c8e5908845acc6d34ab8824bca496d6d47d1b08af3baf4b3adb1bd8fe` is the SHA256 of the ARM based image.
+
+### `MissingFile` errors after restoring a backup
+
+If you encounter `MissingFile` or `Cannot read file` errors, it might be because
+[backup archives](../../../administration/backup_restore/backup_gitlab.md)
+do not include the contents of `gitlab-rails/shared/dependency_proxy/`.
+
+To resolve this [known issue](https://gitlab.com/gitlab-org/gitlab/-/issues/354574),
+you can use `rsync`, `scp`, or a similar tool to copy the affected files or the whole
+`gitlab-rails/shared/dependency_proxy/` folder structure from the GitLab instance
+that was the source of the backup.
+
+If the data is not needed, you can delete the database entries with:
+
+```shell
+gitlab-psql -c "DELETE FROM dependency_proxy_blobs; DELETE FROM dependency_proxy_blob_states; DELETE FROM dependency_proxy_manifest_states; DELETE FROM dependency_proxy_manifests;"
+```
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 338e3e6cb84..d11927ba8f8 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -9991,10 +9991,7 @@ msgstr ""
msgid "CICD|Add an existing project to the scope"
msgstr ""
-msgid "CICD|Allow CI/CD job token access"
-msgstr ""
-
-msgid "CICD|Authorized groups and projects"
+msgid "CICD|Allow access to this project from authorized groups or projects by adding them to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}."
msgstr ""
msgid "CICD|Auto DevOps"
@@ -10027,7 +10024,7 @@ msgstr ""
msgid "CICD|Enable feature to limit job token access to the following projects."
msgstr ""
-msgid "CICD|Ensure only groups and projects with members authorized to access sensitive project data are added to the allowlist."
+msgid "CICD|Groups and projects with access"
msgstr ""
msgid "CICD|Jobs"
@@ -10039,6 +10036,9 @@ msgstr ""
msgid "CICD|Limit access %{italicStart}from%{italicEnd} this project (Deprecated)"
msgstr ""
+msgid "CICD|Limit access %{italicStart}to%{italicEnd} this project"
+msgstr ""
+
msgid "CICD|Maintainer"
msgstr ""
@@ -10051,7 +10051,7 @@ msgstr ""
msgid "CICD|Prevent CI/CD job tokens from this project from being used to access other projects unless the other project is added to the allowlist. It is a security risk to disable this feature, because unauthorized projects might attempt to retrieve an active token and access the API. %{linkStart}Learn more%{linkEnd}."
msgstr ""
-msgid "CICD|The %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}from%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting is deprecated and will be removed in the 18.0 milestone. Use the %{boldStart}Allow CI/CD job token access%{boldEnd} setting and allowlist instead. %{linkStart}How do I do this?%{linkEnd}"
+msgid "CICD|The %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}from%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting is deprecated and will be removed in the 18.0 milestone. Use the %{boldStart}Limit access %{boldEnd}%{italicAndBoldStart}to%{italicAndBoldEnd}%{boldStart} this project%{boldEnd} setting and allowlist instead. %{linkStart}How do I do this?%{linkEnd}"
msgstr ""
msgid "CICD|The Auto DevOps pipeline runs by default in all projects with no CI/CD configuration file. %{link_start}What is Auto DevOps?%{link_end}"
@@ -10069,9 +10069,6 @@ msgstr ""
msgid "CICD|Use separate caches for protected branches"
msgstr ""
-msgid "CICD|When enabled, groups and projects listed in the allowlist are authorized to use a CI/CD job token to authenticate requests to this project. %{linkStart}Learn more%{linkEnd}."
-msgstr ""
-
msgid "CICD|group enabled"
msgstr ""
@@ -14416,7 +14413,7 @@ msgstr ""
msgid "ContainerRegistry|We are having trouble connecting to the Container Registry. Please try refreshing the page. If this error persists, please review %{docLinkStart}the troubleshooting documentation%{docLinkEnd}."
msgstr ""
-msgid "ContainerRegistry|When a container is protected then only certain user roles are able to push and delete the protected container image. This helps to avoid tampering with the container image."
+msgid "ContainerRegistry|When a container is protected, only certain user roles can push and delete the protected container image, which helps to avoid tampering with the container image."
msgstr ""
msgid "ContainerRegistry|While the rename is in progress, new uploads to the container registry are blocked. Ongoing uploads may fail and need to be retried."
@@ -14794,7 +14791,7 @@ msgstr ""
msgid "Contributor analytics"
msgstr ""
-msgid "Control whether CI/CD job tokens can be used to authenticate with this project."
+msgid "Control how the CI_JOB_TOKEN CI/CD variable is used for API access between projects."
msgstr ""
msgid "Control whether to display customer experience improvement content and third-party offers in GitLab."
@@ -29537,9 +29534,6 @@ msgstr ""
msgid "Job logs and artifacts"
msgstr ""
-msgid "Job token permissions"
-msgstr ""
-
msgid "Job was retried"
msgstr ""
@@ -37428,7 +37422,7 @@ msgstr ""
msgid "PackageRegistry|Validate these URLs manually to ensure malicious packages are not uploaded to the NuGet package registry. Selecting and clearing the checkbox might lead to invalid records in the package registry that you cannot update."
msgstr ""
-msgid "PackageRegistry|When a package is protected then only certain user roles are able to update and delete the protected package. This helps to avoid tampering with the package."
+msgid "PackageRegistry|When a package is protected, only certain user roles can push, update, and delete the protected package, which helps to avoid tampering with the package."
msgstr ""
msgid "PackageRegistry|When a package with same name and version is uploaded to the registry, more assets are added to the package. To save storage space, keep only the most recent assets."
@@ -55122,6 +55116,9 @@ msgstr ""
msgid "Token"
msgstr ""
+msgid "Token Access"
+msgstr ""
+
msgid "Token name"
msgstr ""
diff --git a/package.json b/package.json
index 09348ce9a18..aa3fd7873e1 100644
--- a/package.json
+++ b/package.json
@@ -65,7 +65,7 @@
"@gitlab/cluster-client": "^2.2.0",
"@gitlab/favicon-overlay": "2.0.0",
"@gitlab/fonts": "^1.3.0",
- "@gitlab/ui": "80.19.1",
+ "@gitlab/ui": "80.20.0",
"@gitlab/svgs": "3.101.0",
"@gitlab/web-ide": "^0.0.1-dev-20240531032328",
"@mattiasbuelens/web-streams-adapter": "^0.1.0",
diff --git a/spec/features/admin/admin_runners_spec.rb b/spec/features/admin/admin_runners_spec.rb
index 8eedd53e58f..ce520adb1de 100644
--- a/spec/features/admin/admin_runners_spec.rb
+++ b/spec/features/admin/admin_runners_spec.rb
@@ -62,8 +62,8 @@ RSpec.describe "Admin Runners", feature_category: :fleet_visibility do
context "with multiple runners" do
before do
create(:ci_runner, :instance, created_at: 1.year.ago, contacted_at: Time.zone.now)
+ create(:ci_runner, :instance, created_at: 1.year.ago, contacted_at: 1.day.ago)
create(:ci_runner, :instance, created_at: 1.year.ago, contacted_at: 1.week.ago)
- create(:ci_runner, :instance, created_at: 1.year.ago, contacted_at: 1.year.ago)
visit admin_runners_path
end
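Review bot: The runner created with `contacted_at: 1.week.ago` now sits exactly on the stale deadline, which the other specs in this commit put at 7 days (`stale_deadline` is expected to equal `7.days.ago`). Whether it shows as stale or offline therefore depends on how the boundary is compared and on time having advanced since the record was created. If it is meant to be the stale runner in this context, a value clearly past the deadline such as `contacted_at: 8.days.ago` makes that explicit, and a short trailing comment per line (`# online`, `# offline`, `# stale`) would document the setup. The examples that use these runners are outside the hunk, so the intended status of each one is inferred.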
diff --git a/spec/helpers/ci/runners_helper_spec.rb b/spec/helpers/ci/runners_helper_spec.rb
index 9252f765579..3f928667dad 100644
--- a/spec/helpers/ci/runners_helper_spec.rb
+++ b/spec/helpers/ci/runners_helper_spec.rb
@@ -147,7 +147,7 @@ RSpec.describe Ci::RunnersHelper, feature_category: :fleet_visibility do
group_full_path: group.full_path,
runner_install_help_page: 'https://docs.gitlab.com/runner/install/',
online_contact_timeout_secs: 7200,
- stale_timeout_secs: 7889238
+ stale_timeout_secs: 604800
)
end
end
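Review bot: `stale_timeout_secs: 604800` is an unexplained literal, and the same value is repeated in the `admin_runners_data_attributes contains data` shared example in spec/support/shared_examples/helpers/runners_shared_examples.rb. Writing it as `stale_timeout_secs: 7.days.to_i` shows the unit and lines up with the `7.days` values used in the model specs of this commit. The expectation this line belongs to starts outside the hunk.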
diff --git a/spec/models/ci/runner_spec.rb b/spec/models/ci/runner_spec.rb
index eb440dd7ddf..e1b47c6b17d 100644
--- a/spec/models/ci/runner_spec.rb
+++ b/spec/models/ci/runner_spec.rb
@@ -474,10 +474,10 @@ RSpec.describe Ci::Runner, type: :model, feature_category: :runner do
describe '.recent' do
subject { described_class.recent }
- let!(:runner1) { create(:ci_runner, :instance, contacted_at: nil, created_at: 2.months.ago) }
- let!(:runner2) { create(:ci_runner, :instance, contacted_at: nil, created_at: 3.months.ago) }
- let!(:runner3) { create(:ci_runner, :instance, contacted_at: 1.month.ago, created_at: 2.months.ago) }
- let!(:runner4) { create(:ci_runner, :instance, contacted_at: 1.month.ago, created_at: 3.months.ago) }
+ let!(:runner1) { create(:ci_runner, contacted_at: nil, created_at: 6.days.ago) }
+ let!(:runner2) { create(:ci_runner, contacted_at: nil, created_at: 7.days.ago) }
+ let!(:runner3) { create(:ci_runner, contacted_at: 1.day.ago, created_at: 6.days.ago) }
+ let!(:runner4) { create(:ci_runner, contacted_at: 1.day.ago, created_at: 7.days.ago) }
it { is_expected.to contain_exactly(runner1, runner3, runner4) }
end
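Review bot: The four `let!` lines in `.recent` drop the `:instance` trait as well as changing the timestamps, so the example may now exercise a different runner type than before; the factory's default type is not visible here. If only the timing change is intended, keep the trait, e.g. `let!(:runner1) { create(:ci_runner, :instance, contacted_at: nil, created_at: 6.days.ago) }`. If the removal is deliberate, it is worth a line in the commit message so it is not read as an accident.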
@@ -569,11 +569,11 @@ RSpec.describe Ci::Runner, type: :model, feature_category: :runner do
using RSpec::Parameterized::TableSyntax
where(:created_at, :contacted_at, :expected_stale?) do
- nil | nil | false
- 3.months.ago | 3.months.ago | true
- 3.months.ago | (3.months - 1.hour).ago | false
- 3.months.ago | nil | true
- (3.months - 1.hour).ago | nil | false
+ nil | nil | false
+ 7.days.ago | 7.days.ago | true
+ 7.days.ago | (7.days - 1.hour).ago | false
+ 7.days.ago | nil | true
+ (7.days - 1.hour).ago | nil | false
end
with_them do
@@ -866,7 +866,7 @@ RSpec.describe Ci::Runner, type: :model, feature_category: :runner do
subject { runner.status }
context 'never connected' do
- let(:runner) { build(:ci_runner, :instance, :unregistered, created_at: 3.months.ago) }
+ let(:runner) { build(:ci_runner, :instance, :unregistered, created_at: 7.days.ago) }
it { is_expected.to eq(:stale) }
@@ -890,13 +890,13 @@ RSpec.describe Ci::Runner, type: :model, feature_category: :runner do
end
context 'contacted recently' do
- let(:runner) { build(:ci_runner, :instance, contacted_at: (3.months - 1.second).ago) }
+ let(:runner) { build(:ci_runner, :instance, contacted_at: (7.days - 1.second).ago) }
it { is_expected.to eq(:offline) }
end
context 'contacted long time ago' do
- let(:runner) { build(:ci_runner, :instance, created_at: 3.months.ago, contacted_at: 3.months.ago) }
+ let(:runner) { build(:ci_runner, :instance, created_at: 7.days.ago, contacted_at: 7.days.ago) }
it { is_expected.to eq(:stale) }
end
@@ -925,8 +925,8 @@ RSpec.describe Ci::Runner, type: :model, feature_category: :runner do
context 'contacted long time ago' do
before do
- runner.created_at = 3.months.ago
- runner.contacted_at = 3.months.ago
+ runner.created_at = 7.days.ago
+ runner.contacted_at = 7.days.ago
end
it { is_expected.to eq(:stale) }
@@ -2042,7 +2042,7 @@ RSpec.describe Ci::Runner, type: :model, feature_category: :runner do
describe '.stale_deadline', :freeze_time do
subject { described_class.stale_deadline }
- it { is_expected.to eq(3.months.ago) }
+ it { is_expected.to eq(7.days.ago) }
end
describe '.with_runner_type' do
diff --git a/spec/models/clusters/agent_spec.rb b/spec/models/clusters/agent_spec.rb
index 062d5062658..1c07edfec1e 100644
--- a/spec/models/clusters/agent_spec.rb
+++ b/spec/models/clusters/agent_spec.rb
@@ -19,6 +19,8 @@ RSpec.describe Clusters::Agent, feature_category: :deployment_management do
it { is_expected.to validate_length_of(:name).is_at_most(63) }
it { is_expected.to validate_uniqueness_of(:name).scoped_to(:project_id) }
+ it { is_expected.to define_enum_for(:connection_mode).with_values(outgoing: 0, incoming: 1).with_prefix }
+
describe 'scopes' do
describe '.ordered_by_name' do
let(:names) { %w[agent-d agent-b agent-a agent-c] }
diff --git a/spec/requests/api/graphql/ci/runner_spec.rb b/spec/requests/api/graphql/ci/runner_spec.rb
index fc5aa59b731..437a56b3cd3 100644
--- a/spec/requests/api/graphql/ci/runner_spec.rb
+++ b/spec/requests/api/graphql/ci/runner_spec.rb
@@ -689,7 +689,7 @@ RSpec.describe 'Query.runner(id)', :freeze_time, feature_category: :fleet_visibi
end
let_it_be(:never_contacted_instance_runner) do
- create(:ci_runner, :unregistered, description: 'Missing runner 1', created_at: 1.month.ago)
+ create(:ci_runner, :unregistered, description: 'Missing runner 1', created_at: 6.days.ago)
end
let(:query) do
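Review bot: `created_at: 6.days.ago` for `never_contacted_instance_runner` only makes sense next to the 7-day stale timeout, and nothing on the line says so; the same applies to the unregistered group runner in spec/services/ci/runners/register_runner_service_spec.rb. I would add a comment above each, such as `# created inside the 7-day stale window, so not yet stale`. The intent is inferred from the other specs in this commit, and the examples that consume these records are outside the hunks.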
diff --git a/spec/services/ci/runners/register_runner_service_spec.rb b/spec/services/ci/runners/register_runner_service_spec.rb
index 7c7c27a3d19..1dc6e760c08 100644
--- a/spec/services/ci/runners/register_runner_service_spec.rb
+++ b/spec/services/ci/runners/register_runner_service_spec.rb
@@ -246,7 +246,7 @@ RSpec.describe ::Ci::Runners::RegisterRunnerService, '#execute', feature_categor
context 'when it exceeds the application limits' do
before do
- create(:ci_runner, :unregistered, runner_type: :group_type, groups: [group], created_at: 1.month.ago)
+ create(:ci_runner, :unregistered, runner_type: :group_type, groups: [group], created_at: 6.days.ago)
create(:plan_limits, :default_plan, ci_registered_group_runners: 1)
end
diff --git a/spec/support/shared_examples/helpers/runners_shared_examples.rb b/spec/support/shared_examples/helpers/runners_shared_examples.rb
index e509f7a65a5..01f38d13c06 100644
--- a/spec/support/shared_examples/helpers/runners_shared_examples.rb
+++ b/spec/support/shared_examples/helpers/runners_shared_examples.rb
@@ -6,7 +6,7 @@ RSpec.shared_examples 'admin_runners_data_attributes contains data' do
runner_install_help_page: 'https://docs.gitlab.com/runner/install/',
registration_token: Gitlab::CurrentSettings.runners_registration_token,
online_contact_timeout_secs: 7200,
- stale_timeout_secs: 7889238
+ stale_timeout_secs: 604800
)
end
end
diff --git a/workhorse/go.mod b/workhorse/go.mod
index 6a0fec26974..dcdc5dbb221 100644
--- a/workhorse/go.mod
+++ b/workhorse/go.mod
@@ -8,7 +8,7 @@ require (
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.2
github.com/BurntSushi/toml v1.4.0
github.com/alecthomas/chroma/v2 v2.14.0
- github.com/aws/aws-sdk-go v1.51.14
+ github.com/aws/aws-sdk-go v1.53.7
github.com/disintegration/imaging v1.6.2
github.com/getsentry/raven-go v0.2.0
github.com/golang-jwt/jwt/v5 v5.2.1
@@ -24,7 +24,7 @@ require (
github.com/sirupsen/logrus v1.9.3
github.com/smartystreets/goconvey v1.8.1
github.com/stretchr/testify v1.9.0
- gitlab.com/gitlab-org/gitaly/v16 v16.11.2
+ gitlab.com/gitlab-org/gitaly/v16 v16.11.3
gitlab.com/gitlab-org/labkit v1.21.0
gocloud.dev v0.37.0
golang.org/x/image v0.16.0
diff --git a/workhorse/go.sum b/workhorse/go.sum
index 04b6d25441d..37e02c96d37 100644
--- a/workhorse/go.sum
+++ b/workhorse/go.sum
@@ -96,8 +96,8 @@ github.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc
github.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
github.com/aws/aws-sdk-go v1.44.256/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
-github.com/aws/aws-sdk-go v1.51.14 h1:qedX6zZEO1a+5kra+D4ythOYR3TgaROC0hTPxhTFh8I=
-github.com/aws/aws-sdk-go v1.51.14/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
+github.com/aws/aws-sdk-go v1.53.7 h1:ZSsRYHLRxsbO2rJR2oPMz0SUkJLnBkN+1meT95B6Ixs=
+github.com/aws/aws-sdk-go v1.53.7/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
github.com/aws/aws-sdk-go-v2 v1.25.3 h1:xYiLpZTQs1mzvz5PaI6uR0Wh57ippuEthxS4iK5v0n0=
github.com/aws/aws-sdk-go-v2 v1.25.3/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I=
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.1 h1:gTK2uhtAPtFcdRRJilZPx8uJLL2J85xK11nKtWL0wfU=
@@ -483,8 +483,8 @@ github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg=
github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-gitlab.com/gitlab-org/gitaly/v16 v16.11.2 h1:Kr9ogL2FMmC57+LFI33omUpYOUYtBIhbrAtKlPrBAQM=
-gitlab.com/gitlab-org/gitaly/v16 v16.11.2/go.mod h1:lJizRUtXRd1SBHjNbbbL9OsGN4TiugvfRBd8bIsdWI0=
+gitlab.com/gitlab-org/gitaly/v16 v16.11.3 h1:WkcRKQ8lO22FeXe54RCE4+7YnLh3irisu63pbtc45hw=
+gitlab.com/gitlab-org/gitaly/v16 v16.11.3/go.mod h1:lJizRUtXRd1SBHjNbbbL9OsGN4TiugvfRBd8bIsdWI0=
gitlab.com/gitlab-org/labkit v1.21.0 h1:hLmdBDtXjD1yOmZ+uJOac3a5Tlo83QaezwhES4IYik4=
gitlab.com/gitlab-org/labkit v1.21.0/go.mod h1:zeATDAaSBelPcPLbTTq8J3ZJEHyPTLVBM1q3nva+/W4=
go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
diff --git a/yarn.lock b/yarn.lock
index 0c9a0da2b30..bba361b9add 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1331,10 +1331,10 @@
resolved "https://registry.yarnpkg.com/@gitlab/svgs/-/svgs-3.101.0.tgz#a8769490eecd03b8cc2403f5b7faab34a4ad0d82"
integrity sha512-X/3oLr969A9dzVaTD2JfG6EmxadEQwCPXcfn1A6Y+AAI0PLkBgjDXUz0yo1tXJOF6nqOmYpBiUM6uOon3i5N4A==
-"@gitlab/ui@80.19.1":
- version "80.19.1"
- resolved "https://registry.yarnpkg.com/@gitlab/ui/-/ui-80.19.1.tgz#22abdd4cd3a05e773df85c0f475f4db2efd7d789"
- integrity sha512-D1+QBZ7EQY+HAPaMQDQ39uemnEYJg8tDno0kcd7jlbcnCxzzk1tRi+CoYO530k2dKLvnmx8EFyvCnpCdAydISw==
+"@gitlab/ui@80.20.0":
+ version "80.20.0"
+ resolved "https://registry.yarnpkg.com/@gitlab/ui/-/ui-80.20.0.tgz#58b50f2727e8fdc81561ae5b4be0fa8fded01db6"
+ integrity sha512-QkFBKkDcBnzmFE4dOOPElsaDa13+FNr4Oaz1SEgVd6YGzCKC6ZNP/wfFGF6mg0jqSRukIRLgFljS7jiIhQnp5g==
dependencies:
"@floating-ui/dom" "1.4.3"
bootstrap-vue "2.23.1"