Add latest changes from gitlab-org/gitlab@master

.gitlab/ci/qa-common/variables.gitlab-ci.yml

@@ -18,7 +18,7 @@ variables:
   # Helm chart ref used by test-on-cng pipeline
   GITLAB_HELM_CHART_REF: "074bb942c9c65613c2576ce418f59b8577fff37c"
   # Specific ref for cng-mirror project to trigger builds for
-  GITLAB_CNG_MIRROR_REF: "01f587c24c52e4bbf8a67135ae4f6adafa19fa2b"
+  GITLAB_CNG_MIRROR_REF: "56b6a062b05d549e0b69f79b759107e4956151eb"
   # Makes sure some of the common scripts from pipeline-common use bundler to execute commands
   RUN_WITH_BUNDLE: "true"
   # Makes sure reporting script defined in .gitlab-qa-report from pipeline-common is executed from correct folder

app/assets/javascripts/work_items/components/create_work_item.vue

@@ -36,6 +36,8 @@ import {
   I18N_WORK_ITEM_ERROR_CREATING,
   sprintfWorkItem,
   i18n,
+  NAME_TO_LOWERCASE_TEXT_MAP,
+  NAME_TO_TEXT_MAP,
   WIDGET_TYPE_ASSIGNEES,
   WIDGET_TYPE_COLOR,
   NEW_WORK_ITEM_IID,
@@ -52,8 +54,6 @@ import {
   WIDGET_TYPE_MILESTONE,
   DEFAULT_EPIC_COLORS,
   WIDGET_TYPE_HIERARCHY,
-  WORK_ITEM_TYPE_NAME_LOWERCASE_MAP,
-  WORK_ITEM_TYPE_NAME_MAP,
   WORK_ITEM_TYPE_NAME_INCIDENT,
   WORK_ITEM_TYPE_NAME_EPIC,
   WIDGET_TYPE_CUSTOM_FIELDS,
@@ -322,7 +322,7 @@ export default {
       return getDisplayReference(this.selectedProjectFullPath, this.relatedItem.reference);
     },
     relatedItemType() {
-      return WORK_ITEM_TYPE_NAME_LOWERCASE_MAP[this.relatedItem?.type];
+      return NAME_TO_LOWERCASE_TEXT_MAP[this.relatedItem?.type];
     },
     workItemAssignees() {
       return findWidget(WIDGET_TYPE_ASSIGNEES, this.workItem);
@@ -382,7 +382,7 @@ export default {
 
       return workItemTypes.map((workItemType) => ({
         value: workItemType.id,
-        text: WORK_ITEM_TYPE_NAME_MAP[workItemType.name],
+        text: NAME_TO_TEXT_MAP[workItemType.name],
       }));
     },
     selectedWorkItemType() {

app/assets/javascripts/work_items/components/create_work_item_cancel_confirmation_modal.vue

@@ -1,7 +1,7 @@
 <script>
 import { GlButton, GlModal } from '@gitlab/ui';
 import { s__, sprintf } from '~/locale';
-import { WORK_ITEM_TYPE_NAME_LOWERCASE_MAP } from '../constants';
+import { NAME_TO_LOWERCASE_TEXT_MAP } from '../constants';
 
 export default {
   components: {
@@ -22,7 +22,7 @@ export default {
     cancelConfirmationText() {
       return sprintf(
         s__('WorkItem|Are you sure you want to cancel creating this %{workItemType}?'),
-        { workItemType: WORK_ITEM_TYPE_NAME_LOWERCASE_MAP[this.workItemType] },
+        { workItemType: NAME_TO_LOWERCASE_TEXT_MAP[this.workItemType] },
       );
     },
   },

app/assets/javascripts/work_items/components/create_work_item_modal.vue

@@ -5,10 +5,10 @@ import { __, s__ } from '~/locale';
 import { isMetaClick } from '~/lib/utils/common_utils';
 import { convertTypeEnumToName, newWorkItemPath } from '~/work_items/utils';
 import {
+  NAME_TO_LOWERCASE_TEXT_MAP,
   sprintfWorkItem,
   ROUTES,
   RELATED_ITEM_ID_URL_QUERY_PARAM,
-  WORK_ITEM_TYPE_NAME_LOWERCASE_MAP,
   WORK_ITEM_TYPE_ENUM_INCIDENT,
   NAME_TO_ENUM_MAP,
 } from '../constants';
@@ -136,7 +136,7 @@ export default {
       });
     },
     selectedWorkItemTypeLowercase() {
-      return WORK_ITEM_TYPE_NAME_LOWERCASE_MAP[this.selectedWorkItemTypeName];
+      return NAME_TO_LOWERCASE_TEXT_MAP[this.selectedWorkItemTypeName];
     },
     newWorkItemButtonText() {
       return this.alwaysShowWorkItemTypeSelect && this.selectedWorkItemTypeName

app/assets/javascripts/work_items/components/work_item_change_type_modal.vue

@@ -6,13 +6,13 @@ import { __, s__, sprintf } from '~/locale';
 import { findDesignsWidget, getParentGroupName, isMilestoneWidget } from '~/work_items/utils';
 import glFeatureFlagMixin from '~/vue_shared/mixins/gl_feature_flags_mixin';
 import {
+  NAME_TO_TEXT_MAP,
   ALLOWED_CONVERSION_TYPES,
   sprintfWorkItem,
   WIDGET_TYPE_DESIGNS,
   WIDGET_TYPE_HIERARCHY,
   WIDGET_TYPE_MILESTONE,
   WORK_ITEM_TYPE_NAME_EPIC,
-  WORK_ITEM_TYPE_NAME_MAP,
   WORK_ITEM_WIDGETS_NAME_MAP,
 } from '../constants';
 
@@ -151,16 +151,15 @@ export default {
       );
     },
     selectOptions() {
-      return [
-        {
-          id: null,
-          name: __('Select type'),
-        },
-        ...this.allowedConversionTypes,
-      ].map((item) => ({
-        text: item.text || item.name,
+      const selectOptions = this.allowedConversionTypes.map((item) => ({
+        text: item.text || NAME_TO_TEXT_MAP[item.name],
         value: item.id,
       }));
+      selectOptions.unshift({
+        text: __('Select type'),
+        value: null,
+      });
+      return selectOptions;
     },
     workItemsAlphaEnabled() {
       return this.glFeatures.workItemsAlpha;
@@ -372,7 +371,7 @@ export default {
             'WorkItem|%{workItemType} does not support the %{childItemType} child item types. Remove child items to change type.',
           ),
           {
-            workItemType: WORK_ITEM_TYPE_NAME_MAP[this.selectedWorkItemType.name],
+            workItemType: NAME_TO_TEXT_MAP[this.selectedWorkItemType.name],
             childItemType: this.allowedChildTypes?.[0]?.name?.toLocaleLowerCase(),
           },
         );

app/assets/javascripts/work_items/constants.js

@@ -329,7 +329,7 @@ export const ALLOWED_CONVERSION_TYPES = [
   WORK_ITEM_TYPE_NAME_ISSUE,
 ];
 
-export const WORK_ITEM_TYPE_NAME_MAP = {
+export const NAME_TO_TEXT_MAP = {
   [WORK_ITEM_TYPE_NAME_EPIC]: s__('WorkItem|Epic'),
   [WORK_ITEM_TYPE_NAME_INCIDENT]: s__('WorkItem|Incident'),
   [WORK_ITEM_TYPE_NAME_ISSUE]: s__('WorkItem|Issue'),
@@ -341,7 +341,7 @@ export const WORK_ITEM_TYPE_NAME_MAP = {
   [WORK_ITEM_TYPE_NAME_TICKET]: s__('WorkItem|Ticket'),
 };
 
-export const WORK_ITEM_TYPE_NAME_LOWERCASE_MAP = {
+export const NAME_TO_LOWERCASE_TEXT_MAP = {
   [WORK_ITEM_TYPE_NAME_EPIC]: s__('WorkItem|epic'),
   [WORK_ITEM_TYPE_NAME_INCIDENT]: s__('WorkItem|incident'),
   [WORK_ITEM_TYPE_NAME_ISSUE]: s__('WorkItem|issue'),

app/controllers/glql/base_controller.rb

@@ -14,7 +14,10 @@ module Glql
     # failures within the time window trigger throttling.
     def execute
       start_time = Gitlab::Metrics::System.monotonic_time
-      super
+
+      ::Gitlab::Database::LoadBalancing::SessionMap.use_replica_if_available do
+        super
+      end
     rescue StandardError => error
       # We catch all errors here so they are tracked by SLIs.
       # But we only increment the rate limiter failure count for ActiveRecord::QueryAborted.

app/models/namespace.rb

@@ -22,11 +22,11 @@ class Namespace < ApplicationRecord
   include SafelyChangeColumnDefault
   include Todoable
 
-  ignore_column :unlock_membership_to_ldap, remove_with: '16.7', remove_after: '2023-11-16'
+  ignore_column :unlock_membership_to_ldap, remove_with: '18.1', remove_after: '2025-05-20'
 
   cross_database_ignore_tables %w[routes redirect_routes], url: 'https://gitlab.com/gitlab-org/gitlab/-/issues/424277'
 
-  ignore_column :emails_disabled, remove_with: '17.0', remove_after: '2024-04-24'
+  ignore_column :emails_disabled, remove_with: '18.1', remove_after: '2025-05-20'
 
   columns_changing_default :organization_id
 

config/feature_flags/ops/batched_migrations_health_status_autovacuum.yml

@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/360331
 milestone: '15.2'
 type: ops
 group: group::database
-default_enabled: false
+default_enabled: true

config/initializers/1_settings.rb

@@ -1018,6 +1018,9 @@ Gitlab.ee do
   Settings.cron_jobs['delete_expired_vulnerability_exports_worker'] ||= {}
   Settings.cron_jobs['delete_expired_vulnerability_exports_worker']['cron'] ||= '0 4 * * *'
   Settings.cron_jobs['delete_expired_vulnerability_exports_worker']['job_class'] = 'Vulnerabilities::DeleteExpiredExportsWorker'
+  Settings.cron_jobs['ai_duo_workflows_fail_stuck_workflows_worker'] ||= {}
+  Settings.cron_jobs['ai_duo_workflows_fail_stuck_workflows_worker']['cron'] ||= '*/30 * * * *'
+  Settings.cron_jobs['ai_duo_workflows_fail_stuck_workflows_worker']['job_class'] ||= 'Ai::DuoWorkflows::FailStuckWorkflowsWorker'
 
   Gitlab.com do
     Settings.cron_jobs['disable_legacy_open_source_license_for_inactive_projects'] ||= {}

data/deprecations/17-3-codeclimate.yml

@@ -9,17 +9,17 @@
   stage: secure  # (required) String value of the stage that the feature was created in. e.g., Growth
   issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/471677  # (required) Link to the deprecation issue in GitLab
   body: |  # (required) Do not modify this line, instead modify the lines below.
-    In GitLab 18.0, we will remove CodeClimate-based Code Quality scanning.
+    In GitLab 19.0, we will remove CodeClimate-based Code Quality scanning.
     In its place, you should use quality tools directly in your CI/CD pipeline and [provide the tool's report as an artifact](https://docs.gitlab.com/ci/testing/code_quality/#import-code-quality-results-from-a-cicd-job).
     Many tools already support the required report format, and you can integrate them by following the [documented steps](https://docs.gitlab.com/ci/testing/code_quality/#integrate-common-tools-with-code-quality).
 
     We expect to implement this change by:
 
-    1. Changing the [`Code-Quality.gitlab-ci.yml` CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml) to no longer execute scans. Today, this template runs CodeClimate-based scans. (We plan to change the template rather than delete it to reduce the impact on any pipelines that still `include` the template after 18.0.)
+    1. Changing the [`Code-Quality.gitlab-ci.yml` CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml) to no longer execute scans. Today, this template runs CodeClimate-based scans. (We plan to change the template rather than delete it to reduce the impact on any pipelines that still `include` the template after 19.0.)
     1. No longer running CodeClimate-based scanning as part of Auto DevOps.
 
     Effective immediately, CodeClimate-based scanning will receive only [limited updates](https://docs.gitlab.com/update/terminology/#deprecation).
-    After End of Support in GitLab 18.0, we won't provide further updates.
+    After End of Support in GitLab 19.0, we won't provide further updates.
     However, we won't delete previously published container images or remove the ability to run them by using custom CI/CD pipeline job definitions.
 
     For more details, see [Scan code for quality violations](https://docs.gitlab.com/ci/testing/code_quality/#scan-code-for-quality-violations).

data/deprecations/17-9-enable-gitlab-advanced-sast-by-default.yml

@@ -7,6 +7,7 @@
   stage: application security testing
   issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/513685
   impact: medium
+  check_impact: Refer to the [Understanding this change](https://gitlab.com/gitlab-org/gitlab/-/issues/513685#understanding-this-change) section for details.
   scope: instance
   resolution_role: Developer
   manual_task: true

db/docs/namespaces.yml

@@ -1,8 +1,8 @@
 ---
 table_name: namespaces
 classes:
-- Group
 - Namespace
+- Group
 - Namespaces::ProjectNamespace
 - Namespaces::UserNamespace
 feature_categories:

db/post_migrate/20250411131429_remove_namespace_columns.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class RemoveNamespaceColumns < Gitlab::Database::Migration[2.2]
+  milestone '18.0'
+
+  def up
+    remove_column :namespaces, :unlock_membership_to_ldap
+    remove_column :namespaces, :emails_disabled
+  end
+
+  def down
+    add_column :namespaces, :unlock_membership_to_ldap, :boolean
+    add_column :namespaces, :emails_disabled, :boolean
+  end
+end

db/post_migrate/20250415152848_index_duo_workflows_workflows_status_updated_at_id.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# See https://docs.gitlab.com/ee/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class IndexDuoWorkflowsWorkflowsStatusUpdatedAtId < Gitlab::Database::Migration[2.2]
+  disable_ddl_transaction!
+  milestone '18.0'
+
+  INDEX_NAME = 'idx_workflows_status_updated_at_id'
+
+  def up
+    add_concurrent_index :duo_workflows_workflows, [:status, :updated_at, :id], name: INDEX_NAME
+  end
+
+  def down
+    remove_concurrent_index_by_name :duo_workflows_workflows, INDEX_NAME
+  end
+end

db/schema_migrations/20250411131429

@@ -0,0 +1 @@
+5fafe441c919ff606ae6d4c722ccd903961e7b00f83c5c8a1eb980a8c0c9910d

db/schema_migrations/20250415152848

@@ -0,0 +1 @@
+e512c30c9f9e54047be0f1d1d8a68bb1131766c68bb1c8d48cee8b92704f746e

db/structure.sql

@@ -231,12 +231,10 @@ CREATE TABLE namespaces (
     last_ci_minutes_notification_at timestamp with time zone,
     last_ci_minutes_usage_notification_level integer,
     subgroup_creation_level integer DEFAULT 1,
-    emails_disabled boolean,
     max_pages_size integer,
     max_artifacts_size integer,
     mentions_disabled boolean,
     default_branch_protection smallint,
-    unlock_membership_to_ldap boolean,
     max_personal_access_token_lifetime integer,
     push_rule_id bigint,
     shared_runners_enabled boolean DEFAULT true NOT NULL,
@@ -33621,6 +33619,8 @@ CREATE UNIQUE INDEX idx_wi_type_custom_lifecycles_on_namespace_type_lifecycle ON
 
 CREATE INDEX idx_wi_type_custom_lifecycles_on_work_item_type_id ON work_item_type_custom_lifecycles USING btree (work_item_type_id);
 
+CREATE INDEX idx_workflows_status_updated_at_id ON duo_workflows_workflows USING btree (status, updated_at, id);
+
 CREATE INDEX idx_zoekt_last_indexed_at_gt_used_storage_bytes_updated_at ON zoekt_indices USING btree (used_storage_bytes_updated_at) WHERE (last_indexed_at >= used_storage_bytes_updated_at);
 
 CREATE INDEX idx_zoekt_repositories_on_zoekt_index_id_and_size_bytes ON zoekt_repositories USING btree (zoekt_index_id, size_bytes);

doc/ci/testing/code_quality_codeclimate_scanning.md

@@ -16,7 +16,7 @@ title: Configure CodeClimate-based Code Quality scanning (deprecated)
 
 {{< alert type="warning" >}}
 
-This feature was [deprecated](../../update/deprecations.md#codeclimate-based-code-quality-scanning-will-be-removed) in GitLab 17.3 and is planned for removal in 18.0.
+This feature was [deprecated](../../update/deprecations.md#codeclimate-based-code-quality-scanning-will-be-removed) in GitLab 17.3 and is planned for removal in 19.0.
 [Integrate the results from a supported tool directly](code_quality.md#import-code-quality-results-from-a-cicd-job) instead. This change is a breaking change.
 
 {{< /alert >}}

doc/development/database/batched_background_migrations.md

@@ -203,7 +203,7 @@ These database indicators are checked to throttle a migration. Upon receiving a
 stop signal, the migration is paused for a set time (10 minutes):
 
 - WAL queue pending archival crossing the threshold.
-- Active autovacuum on the tables on which the migration works on.
+- Active autovacuum on the tables on which the migration works on (enabled by default as of GitLab 18.0).
 - Patroni apdex SLI dropping below the SLO.
 - WAL rate crossing the threshold.
 
@@ -211,6 +211,20 @@ There is an ongoing effort to add more indicators to further enhance the
 database health check framework. For more details, see
 [epic 7594](https://gitlab.com/groups/gitlab-org/-/epics/7594).
 
+#### How to disable/enable autovacuum indicator on tables
+
+As of GitLab 18.0, this health indicator is enabled by default. To disable it, please run the following command on the rails console:
+
+```ruby
+Feature.disable(:batched_migrations_health_status_autovacuum)
+```
+
+Alternatively, if you want to enable it again, run the following command in rails console:
+
+```ruby
+Feature.enable(:batched_migrations_health_status_autovacuum)
+```
+
 ### Isolation
 
 Batched background migrations must be isolated and cannot use application code (for example,

doc/development/integrations/jira_connect.md

@@ -5,9 +5,10 @@ info: Any user with at least the Maintainer role can merge updates to this conte
 title: GitLab for Jira Cloud app development
 ---
 
-Developers have two options for how set up a development environment for the GitLab for Jira Cloud app:
+Developers have several options for how set up a development environment for the GitLab for Jira Cloud app:
 
 1. A full environment [with Jira](#set-up-with-jira). Use this when you need to test interactions with Jira.
+1. A full environment [with a Jira Connect proxy](#setting-up-a-jira-connect-proxy). Use this when you need to test multiple GitLab instances connecting to Jira through a Jira Connect proxy, or when testing changes to the Jira Connect proxy itself.
 1. A local environment [without Jira](#setup-without-jira). You can use this quicker setup if you do not require Jira, for example when testing the GitLab frontend.
 
 ## Set up with Jira
@@ -122,6 +123,90 @@ If the app installation fails, you might need to delete `jira_connect_installati
 
 If you use Gitpod and you get an error about Jira not being able to access the descriptor file, you will need to [make GitPod port public](#setting-up-gitpod).
 
+## Setting up a Jira Connect Proxy
+
+When a self-managed instance [installs the GitLab for Jira app from the Atlassian Marketplace](../../administration/settings/jira_cloud_app.md#install-the-gitlab-for-jira-cloud-app-from-the-atlassian-marketplace), the self-managed instance must use GitLab.com as a Jira Connect proxy. You can emulate this setup if you need to develop or test features such as the [handling of Jira lifecycle events](../../administration/settings/jira_cloud_app.md#gitlabcom-handling-of-app-lifecycle-events) and [branch creation](../../administration/settings/jira_cloud_app.md#gitlabcom-handling-of-branch-creation). 
+
+To set up a development Jira Connect Proxy:
+
+- A Jira Cloud instance. Atlassian provides [free instances for development and testing](https://developer.atlassian.com/platform/marketplace/getting-started/#free-developer-instances-to-build-and-test-your-app).
+- Two GitLab instances available over the internet.
+  - One to serve as the **Jira Connect proxy** (simulating GitLab.com)
+  - One to serve as the **GitLab instance** that will connect to Jira through the Jira Connect proxy
+  - For the app to work, Jira Cloud should
+    be able to connect to the **Jira Connect proxy** instance through the internet. For this we
+    recommend using Gitpod or a similar cloud development environment. For more
+    information on using Gitpod with GDK, see the:
+
+    - [GDK with Gitpod](https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/gitpod.md)
+    documentation.
+    - [GDK in Gitpod](https://www.loom.com/share/9c9711d4876a40869b9294eecb24c54d)
+    video.
+
+    <!-- vale gitlab_base.Spelling = NO -->
+
+    GitLab team members **must not** use tunneling tools such as Serveo or `ngrok`. These are
+    security risks, and must not be run on GitLab developer laptops.
+
+    <!-- vale gitlab_base.Spelling = YES -->
+
+    Jira requires all connections to the app host to be over SSL. If you set up
+    your own environment, remember to enable SSL and an appropriate certificate.
+
+### Setting up GitPod
+
+If you are using [Gitpod](https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/gitpod.md)
+you must [make port `3000` public](https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/gitpod.md#make-the-rails-web-server-publicly-accessible).
+
+### Set up the Jira Connect proxy instance
+
+1. For the **Jira Connect proxy** instance, follow the [GDK with Gitpod](https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/gitpod.md) instructions to start a new Gitpod workspace.
+
+1. Set up OAuth authentication on the **Jira Connect proxy** by following the [Set up the GitLab OAuth authentication flow](#set-up-the-gitlab-oauth-authentication-flow) section.
+
+1. Configure the **Jira Connect proxy** [to serve as a proxy](../../administration/settings/jira_cloud_app.md#configure-your-gitlab-instance-to-serve-as-a-proxy).
+
+### Install the GitLab for Jira Cloud app in Jira
+
+Follow the [Install the app in Jira](#install-the-app-in-jira) section, but use the URL of your **Jira Connect proxy** instance for the app descriptor:
+
+```plaintext
+https://JIRA_CONNECT_PROXY_INSTANCE/-/jira_connect/app_descriptor.json
+```
+
+If the _Installed and ready to go!_ dialog opens, select **Close** (don't select **Get started** yet).
+
+### Set up the secondary GitLab instance
+
+1. Set up a second GitLab instance using Gitpod, following the same [GDK with Gitpod](https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/gitpod.md) instructions as for the proxy instance
+
+1. Set up OAuth authentication on this instance following the same steps as in [Set up the GitLab OAuth authentication flow](#set-up-the-gitlab-oauth-authentication-flow), but with a crucial difference:
+   - When setting the **Redirect URI**, use the URL of your **Jira Connect proxy** instance, not this secondary instance:
+
+     ```plaintext
+     https://JIRA_CONNECT_PROXY_INSTANCE/-/jira_connect/oauth_callbacks
+     ```
+
+1. Configure this GitLab instance to use the proxy:
+   1. Go to **Admin > Settings > General**
+   1. Expand **GitLab for Jira App**
+   1. Paste the **Application ID** value into **Jira Connect Application ID**
+   1. In **Jira Connect Proxy URL**, enter `JIRA_CONNECT_PROXY_INSTANCE` (for example, `https://xxxx.gitpod.io`)
+   1. Select **Save changes**
+
+### Complete the setup in Jira
+
+1. In Jira, go to **Jira settings > Apps > Manage apps**.
+1. Scroll to **User-installed apps**, find your GitLab for Jira Cloud app and expand it.
+1. Select **Get started**.
+1. To link the app to the secondary GitLab instance, select **Change GitLab version**.
+1. Select all checkboxes, then select Next.
+1. In **GitLab instance URL** ,enter `GITLAB_INSTANCE` (for example, `https://xxxx.gitpod.io`), then select Save.
+1. Select **Sign in to GitLab**.
+1. Select **Authorize**. A list of groups is now visible.
+1. Select **Link groups**.
+1. To link to a group, select **Link**.
+
 ## Setup without Jira
 
 If you do not require Jira to test with, you can use the [Jira connect test tool](https://gitlab.com/gitlab-org/foundations/import-and-integrate/jira-connect-test-tool) and your local GDK.

doc/update/background_migrations.md

@@ -397,6 +397,34 @@ Gitlab::Database::SharedModel.using_connection(connection) do
 end
 ```
 
+#### Run all background migrations synchronously
+
+There may be cases where you want to force background migrations to run in the foreground during a maintenance window.
+
+Note that this script may timeout/exit before all migrations are completed. You can run it again until all migrations are complete.
+
+```ruby
+# Start the rails console
+
+databases = ActiveRecord::Tasks::DatabaseTasks.setup_initial_database_yaml
+
+Gitlab::Database.database_base_models.each do |database_name, model|
+  Gitlab::Database::SharedModel.using_connection(model.connection) do
+    Gitlab::Database::BackgroundMigration::BatchedMigration.with_status([:paused, :active]).find_each(batch_size: 100) do |migration|
+      puts "#{database_name}: Finalizing migration #{migration.job_class_name} (ID: #{migration.id})... "
+      Gitlab::Database::BackgroundMigration::BatchedMigrationRunner.finalize(
+        migration.job_class_name,
+        migration.table_name,
+        migration.column_name,
+        Gitlab::Json.parse(migration.job_arguments),
+        connection: model.connection
+      )
+      puts("done!\n")
+    end
+  end
+end
+```
+
 <!--- start_remove The following content will be removed on remove_date: '2025-05-10' -->
 <!-- This page needs significant revision after 15.0 becomes unsupported -->
 <!--- end_remove -->

doc/update/breaking_windows.md

@@ -32,7 +32,7 @@ This window takes place on April 21 - 23, 2025 from 09:00 UTC to 22:00 UTC.
 | [Deprecation of `STORAGE` enum in `NamespaceProjectSortEnum` GraphQL API](deprecations.md#deprecation-of-storage-enum-in-namespaceprojectsortenum-graphql-api) | Low | Fulfillment | Group |  |
 | [DAST `dast_devtools_api_timeout` will have a lower default value](deprecations.md#dast-dast_devtools_api_timeout-will-have-a-lower-default-value) | Low | Application security testing | Project |  |
 | [API Discovery will use branch pipelines by default](deprecations.md#api-discovery-will-use-branch-pipelines-by-default) | Low | Application_security_testing | Project |  |
-| [GitLab Advanced SAST will be enabled by default](deprecations.md#gitlab-advanced-sast-will-be-enabled-by-default) | Medium | Application security testing | Instance |  |
+| [GitLab Advanced SAST will be enabled by default](deprecations.md#gitlab-advanced-sast-will-be-enabled-by-default) | Medium | Application security testing | Instance | Refer to the [Understanding this change](https://gitlab.com/gitlab-org/gitlab/-/issues/513685#understanding-this-change) section for details. |
 | [Application Security Testing analyzers major version update](deprecations.md#application-security-testing-analyzers-major-version-update) | Low | Application security testing | Project |  |
 
 ## Window 2

doc/update/deprecations.md

@@ -358,17 +358,17 @@ If your pipeline relies on forwarding protected variables, update your configura
 
 </div>
 
-In GitLab 18.0, we will remove CodeClimate-based Code Quality scanning.
+In GitLab 19.0, we will remove CodeClimate-based Code Quality scanning.
 In its place, you should use quality tools directly in your CI/CD pipeline and [provide the tool's report as an artifact](https://docs.gitlab.com/ci/testing/code_quality/#import-code-quality-results-from-a-cicd-job).
 Many tools already support the required report format, and you can integrate them by following the [documented steps](https://docs.gitlab.com/ci/testing/code_quality/#integrate-common-tools-with-code-quality).
 
 We expect to implement this change by:
 
-1. Changing the [`Code-Quality.gitlab-ci.yml` CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml) to no longer execute scans. Today, this template runs CodeClimate-based scans. (We plan to change the template rather than delete it to reduce the impact on any pipelines that still `include` the template after 18.0.)
+1. Changing the [`Code-Quality.gitlab-ci.yml` CI/CD template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml) to no longer execute scans. Today, this template runs CodeClimate-based scans. (We plan to change the template rather than delete it to reduce the impact on any pipelines that still `include` the template after 19.0.)
 1. No longer running CodeClimate-based scanning as part of Auto DevOps.
 
 Effective immediately, CodeClimate-based scanning will receive only [limited updates](https://docs.gitlab.com/update/terminology/#deprecation).
-After End of Support in GitLab 18.0, we won't provide further updates.
+After End of Support in GitLab 19.0, we won't provide further updates.
 However, we won't delete previously published container images or remove the ability to run them by using custom CI/CD pipeline job definitions.
 
 For more details, see [Scan code for quality violations](https://docs.gitlab.com/ci/testing/code_quality/#scan-code-for-quality-violations).

doc/user/application_security/vulnerability_archival/_index.md

@@ -2,7 +2,7 @@
 stage: Security Risk Management
 group: Security Insights
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
-title: Vulnerability archive
+title: Vulnerability archival
 ---
 
 {{< details >}}

gems/gitlab-housekeeper/lib/gitlab/housekeeper/change.rb

@@ -59,7 +59,7 @@ module Gitlab
 
       def commit_message
         <<~MARKDOWN.chomp
-        #{title}
+        #{truncated_title}
 
         #{mr_description}
 
@@ -79,6 +79,16 @@ module Gitlab
       def valid?
         @identifiers && @title && @description && @changed_files.present?
       end
+
+      def truncated_title
+        truncate(title, 72)
+      end
+
+      def truncate(text, limit)
+        return text if text.length <= limit
+
+        text[0...limit]
+      end
     end
   end
 end

gems/gitlab-housekeeper/lib/gitlab/housekeeper/gitlab_client.rb

@@ -152,7 +152,7 @@ module Gitlab
         target_project_id:
       )
         request(:post, "/projects/#{source_project_id}/merge_requests", body: {
-          title: change.title,
+          title: change.truncated_title,
           description: change.mr_description,
           labels: Array(change.labels).join(','),
           source_branch: source_branch,

gems/gitlab-housekeeper/spec/gitlab/housekeeper/change_spec.rb

@@ -174,4 +174,13 @@ RSpec.describe ::Gitlab::Housekeeper::Change do
       expect(change).not_to be_valid
     end
   end
+
+  describe '#truncated_title' do
+    it 'truncates the title to 72 chars' do
+      change = create_change(title: 'some long title ' * 10)
+
+      expect(change.truncated_title).to eq('some long title some long title some long title some long title some lon')
+      expect(change.truncated_title.length).to eq(72)
+    end
+  end
 end

keeps/overdue_finalize_background_migration.rb

@@ -67,7 +67,7 @@ module Keeps
     def initialize_change(migration, migration_record, job_name, last_migration_file)
       # Finalize the migration
       change = ::Gitlab::Housekeeper::Change.new
-      change.title = "Finalize migration #{job_name}"
+      change.title = "Finalize BBM #{job_name}"
 
       change.identifiers = [self.class.name.demodulize, job_name]
       change.description = change_description(migration_record, job_name, last_migration_file)

lib/gitlab/database/load_balancing/session_map.rb

@@ -28,6 +28,10 @@ module Gitlab
           with_sessions(Gitlab::Database::LoadBalancing.base_models).ignore_writes(&)
         end
 
+        def self.use_replica_if_available(&)
+          with_sessions(Gitlab::Database::LoadBalancing.base_models).use_replicas_for_read_queries(&)
+        end
+
         def self.cached_instance
           RequestStore[CACHE_KEY] ||= new
         end

locale/gitlab.pot

@@ -53023,6 +53023,9 @@ msgstr ""
 msgid "ScanResultPolicy|Except"
 msgstr ""
 
+msgid "ScanResultPolicy|Exceptions that do not require approval"
+msgstr ""
+
 msgid "ScanResultPolicy|Exceptions that require approval"
 msgstr ""
 
@@ -54353,9 +54356,6 @@ msgstr ""
 msgid "SecurityOrchestration|Add project full path after @ to following branches: %{branches}"
 msgstr ""
 
-msgid "SecurityOrchestration|Add project full path after @ to following exceptions: %{exceptions}"
-msgstr ""
-
 msgid "SecurityOrchestration|Add protected branches"
 msgstr ""
 
@@ -55180,7 +55180,7 @@ msgstr ""
 msgid "SecurityOrchestration|Use default mode for scoping"
 msgstr ""
 
-msgid "SecurityOrchestration|Use the format %{schemaStart}path-to-package@package-version%{schemaEnd}. For multiple packages, separate paths with commas. For example: path/file1.yaml@1.1.1, path/file2.yaml@2.2.2"
+msgid "SecurityOrchestration|Use the format %{schemaStart}path-to-package@package-version%{schemaEnd}. For multiple packages, separate paths with commas. For example: npm/lodash@4.17.21, maven/org.apache.commons/commons-lang3@3.12.0, pypi/requests"
 msgstr ""
 
 msgid "SecurityOrchestration|Users can skip pipelines"

qa/Gemfile

@@ -2,7 +2,7 @@
 
 source 'https://rubygems.org'
 
-gem 'gitlab-qa', '~> 15', '>= 15.3.0', require: 'gitlab/qa'
+gem 'gitlab-qa', '~> 15', '>= 15.4.0', require: 'gitlab/qa'
 gem 'gitlab_quality-test_tooling', '~> 2.9.0', require: false
 gem 'gitlab-utils', path: '../gems/gitlab-utils'
 gem 'activesupport', '~> 7.0.8.7' # This should stay in sync with the root's Gemfile

qa/Gemfile.lock

@@ -118,7 +118,7 @@ GEM
     gitlab (4.19.0)
       httparty (~> 0.20)
       terminal-table (>= 1.5.1)
-    gitlab-qa (15.3.0)
+    gitlab-qa (15.4.0)
       activesupport (>= 6.1, < 7.2)
       ffi (~> 1.17)
       gitlab (~> 4.19)
@@ -367,7 +367,7 @@ DEPENDENCIES
   fog-core (= 2.1.0)
   fog-google (~> 1.24, >= 1.24.1)
   gitlab-orchestrator!
-  gitlab-qa (~> 15, >= 15.3.0)
+  gitlab-qa (~> 15, >= 15.4.0)
   gitlab-utils!
   gitlab_quality-test_tooling (~> 2.9.0)
   googleauth (~> 1.9.0)

spec/controllers/glql/base_controller_spec.rb

@@ -164,6 +164,15 @@ RSpec.describe Glql::BaseController, feature_category: :integrations do
         expect(current_rate_limit_value(query_sha)).to be_nil
       end
     end
+
+    context 'when load balancing enabled', :db_load_balancing do
+      it 'uses the replica' do
+        expect(Gitlab::Database::LoadBalancing::SessionMap)
+          .to receive(:with_sessions).with(Gitlab::Database::LoadBalancing.base_models).and_call_original
+
+        execute_request
+      end
+    end
   end
 
   describe '#append_info_to_payload' do

spec/keeps/overdue_finalize_background_migration_spec.rb

@@ -36,7 +36,7 @@ RSpec.describe Keeps::OverdueFinalizeBackgroundMigration, feature_category: :too
 
     it 'returns a Gitlab::Housekeeper::Change', :aggregate_failures do
       expect(change).to be_a(::Gitlab::Housekeeper::Change)
-      expect(change.title).to eq("Finalize migration #{job_name}")
+      expect(change.title).to eq("Finalize BBM #{job_name}")
       expect(change.identifiers).to eq(identifiers)
       expect(change.labels).to eq(['maintenance::removal'])
       expect(change.reviewers).to eq(['random-engineer'])

spec/lib/gitlab/database/load_balancing/session_map_spec.rb

@@ -114,7 +114,7 @@ RSpec.describe Gitlab::Database::LoadBalancing::SessionMap, feature_category: :d
     end
   end
 
-  describe '.without_sticky_writes' do
+  context 'when wrapping queries with load balancing sessions' do
     let(:dbs) { Gitlab::Database.database_base_models.values }
     let(:names) { dbs.map { |m| m.load_balancer.name }.uniq }
 
@@ -125,16 +125,28 @@ RSpec.describe Gitlab::Database::LoadBalancing::SessionMap, feature_category: :d
       # This makes the spec more robust in single-db scenarios
       allow(Gitlab::Database::LoadBalancing).to receive(:names).and_return([:main, :ci])
       described_class.current(::ApplicationRecord.load_balancer)
+
+      allow(Gitlab::Database::LoadBalancing::ScopedSessions)
+        .to receive(:new).with(names, RequestStore[described_class::CACHE_KEY].session_map).and_return(scoped_session)
     end
 
-    it 'initialises ScopedSessions with all valid lb names and calls ignore_writes' do
-      expect(Gitlab::Database::LoadBalancing::ScopedSessions)
-        .to receive(:new).with(names, RequestStore[described_class::CACHE_KEY].session_map).and_return(scoped_session)
+    describe '.without_sticky_writes' do
+      it 'initialises ScopedSessions with all valid lb names and calls ignore_writes' do
+        expect(scoped_session).to receive(:ignore_writes).and_yield
 
-      expect(scoped_session).to receive(:ignore_writes).and_yield
+        described_class.without_sticky_writes do
+          # exact logic for ignore_writes is tested in `.with_sessions` test suite
+        end
+      end
+    end
 
-      described_class.without_sticky_writes do
-        # exact logic for ignore_writes is tested in `.with_sessions` test suite
+    describe '.use_replica_if_available' do
+      it 'initialises ScopedSessions with all valid lb names and calls use_replicas_for_read_queries' do
+        expect(scoped_session).to receive(:use_replicas_for_read_queries).and_yield
+
+        described_class.use_replica_if_available do
+          # exact logic for use_replicas_for_read_queries is tested in `.with_sessions` test suite
+        end
       end
     end
   end