Add latest changes from gitlab-org/gitlab@master

GitLab Bot 2024-04-24 21:11:40 +00:00
parent 39b47b75cf
commit bcc887fb11
109 changed files with 1156 additions and 497 deletions


@ -41,7 +41,7 @@ export default {
<template>
<div
class="board-add-new-list board gl-display-inline-block gl-h-full gl-vertical-align-top gl-white-space-normal gl-flex-shrink-0 gl-rounded-base gl-px-3"
class="board-add-new-list board gl-display-inline-block gl-h-full gl-align-top gl-white-space-normal gl-flex-shrink-0 gl-rounded-base gl-px-3"
data-testid="board-add-new-column"
>
<div


@ -408,13 +408,13 @@ export default {
v-if="item.milestone"
data-testid="issue-milestone"
:milestone="item.milestone"
class="gl-display-inline-flex gl-align-items-center gl-max-w-15 gl-font-sm gl-text-gray-500! gl-cursor-help! gl-vertical-align-bottom gl-mr-3"
class="gl-display-inline-flex gl-align-items-center gl-max-w-15 gl-font-sm gl-text-gray-500! gl-cursor-help! gl-align-bottom gl-mr-3"
/>
<issue-iteration
v-if="item.iteration"
data-testid="issue-iteration"
:iteration="item.iteration"
class="gl-vertical-align-bottom gl-white-space-nowrap"
class="gl-align-bottom gl-white-space-nowrap"
/>
<issue-due-date
v-if="item.dueDate"


@ -69,7 +69,7 @@ export default {
'board-type-assignee': list.listType === 'assignee',
}"
:data-list-id="list.id"
class="board gl-display-inline-block gl-h-full gl-px-3 gl-vertical-align-top gl-white-space-normal is-expandable"
class="board gl-display-inline-block gl-h-full gl-px-3 gl-align-top gl-white-space-normal is-expandable"
data-testid="board-list"
>
<div


@ -284,7 +284,7 @@ export default {
:class="{ 'sticky-top gl-border-bottom-0': hasJobLog }"
data-testid="archived-job"
>
<gl-icon name="lock" class="gl-vertical-align-bottom" />
<gl-icon name="lock" class="gl-align-bottom" />
{{ __('This job is archived. Only the complete pipeline can be retried.') }}
</div>
<!-- job log -->


@ -103,6 +103,7 @@
],
"OrchestrationPolicy": [
"ApprovalPolicy",
"PipelineExecutionPolicy",
"ScanExecutionPolicy",
"ScanResultPolicy"
],


@ -86,7 +86,7 @@ export default {
<span>
<span
v-if="milestone"
class="issuable-milestone gl-mr-3 gl-text-truncate gl-max-w-26 gl-display-inline-block gl-vertical-align-bottom"
class="issuable-milestone gl-mr-3 gl-text-truncate gl-max-w-26 gl-display-inline-block gl-align-bottom"
data-testid="issuable-milestone"
>
<gl-link


@ -163,7 +163,7 @@ export default {
v-if="displayFilters"
id="discussion-preferences"
data-testid="discussion-preferences"
class="gl-display-inline-block gl-vertical-align-bottom full-width-mobile"
class="gl-display-inline-block gl-align-bottom full-width-mobile"
>
<local-storage-sync
:value="sortDirection"


@ -87,7 +87,7 @@ export default {
<div
v-for="userAchievement in userAchievements"
:key="userAchievement.id"
class="gl-mr-2 gl-display-inline-block gl-vertical-align-top gl-text-center"
class="gl-mr-2 gl-display-inline-block gl-align-top gl-text-center"
data-testid="user-achievement"
>
<gl-avatar


@ -31,7 +31,7 @@ export default {
>
<span
data-testid="label-color-indicator"
class="gl-rounded-base gl-min-w-5 gl-h-5 gl-display-inline-block gl-vertical-align-bottom gl-mr-3"
class="gl-rounded-base gl-min-w-5 gl-h-5 gl-display-inline-block gl-align-bottom gl-mr-3"
:style="{ 'background-color': label.color }"
></span>
<span class="gl-reset-text-align gl-m-0 gl-p-0 label-title gl-word-break-all">{{


@ -57,7 +57,7 @@ export default {
:aria-label="grade.title"
@click="$emit('rate', grade.value)"
>
<gl-icon class="gl-vertical-align-top" :name="grade.icon" :size="24" />
<gl-icon class="gl-align-top" :name="grade.icon" :size="24" />
</gl-button>
</li>
</ul>


@ -127,7 +127,7 @@ export default {
:icon="collapsed ? 'chevron-lg-down' : 'chevron-lg-up'"
category="tertiary"
size="small"
class="gl-vertical-align-top"
class="gl-align-top"
data-testid="widget-toggle"
@click="() => $emit('toggle')"
/>


@ -42,7 +42,7 @@ export default {
<template #actions>
<gl-button
data-testid="jump-to-first"
class="gl-align-self-start gl-vertical-align-top"
class="gl-align-self-start gl-align-top"
size="small"
variant="confirm"
category="primary"


@ -46,12 +46,6 @@ export default {
isSortAscending() {
return this.sorting.sort === ASCENDING_ORDER;
},
baselineQueryStringFilters() {
return this.tokens.reduce((acc, curr) => {
acc[curr.type] = '';
return acc;
}, {});
},
sortDirectionData() {
return this.isSortAscending ? SORT_DIRECTION_UI.asc : SORT_DIRECTION_UI.desc;
},
@ -63,20 +57,25 @@ export default {
generateQueryData({ sorting = {}, filter = [] } = {}) {
// Ensure that we clean up the query when we remove a token from the search
const result = {
...this.baselineQueryStringFilters,
...sorting,
search: [],
search: null,
after: null,
before: null,
};
filter.forEach((f) => {
if (f.type === FILTERED_SEARCH_TERM) {
result.search.push(f.value.data);
} else {
result[f.type] = f.value.data;
}
});
filter
.filter((f) => f.value.data)
.forEach((f) => {
if (f.type === FILTERED_SEARCH_TERM) {
if (result.search === null) {
result.search = [f.value.data];
} else {
result.search.push(f.value.data);
}
} else {
result[f.type] = f.value.data;
}
});
return result;
},
onDirectionChange() {
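Review bot: The comment `// Ensure that we clean up the query when we remove a token from the search` in `generateQueryData` no longer matches the code under it: with `...this.baselineQueryStringFilters` gone, only `search`, `after` and `before` are reset, and a non-search token type that was removed from `filter` is simply absent from `result`. Whether an absent key still clears the corresponding URL parameter depends on how the caller applies `result`, which is outside this hunk, so either confirm that or reword the comment to `// search/after/before are reset explicitly; other keys are omitted once their token is removed`. The added `.filter((f) => f.value.data)` also discards tokens whose value is `0` or `false`; if any token type can legitimately carry such a value, test against `''`, `null` and `undefined` instead of truthiness.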


@ -85,7 +85,7 @@ export default {
</script>
<template>
<div class="gl-display-inline-block gl-vertical-align-bottom">
<div class="gl-display-inline-block gl-align-bottom">
<local-storage-sync
:value="sortFilterProp"
:storage-key="storageKey"


@ -11,13 +11,45 @@ module DependencyProxy
private
def auth_user_or_token
if defined?(personal_access_token) && personal_access_token && auth_user.is_a?(::User) &&
(
(auth_user.project_bot? && auth_user.resource_bot_resource.is_a?(::Group)) ||
auth_user.human? ||
auth_user.service_account?
)
personal_access_token
else
auth_user
end
end
def verify_dependency_proxy_available!
render_404 unless group&.dependency_proxy_feature_available?
end
# TODO: Split the authorization logic into dedicated methods
# https://gitlab.com/gitlab-org/gitlab/-/issues/452145
def authorize_read_dependency_proxy!
if Feature.enabled?(:packages_dependency_proxy_pass_token_to_policy, group)
if auth_user_or_token.is_a?(User)
authorize_read_dependency_proxy_for_users!
else
authorize_read_dependency_proxy_for_tokens!
end
else
authorize_read_dependency_proxy_for_users!
end
end
def authorize_read_dependency_proxy_for_users!
access_denied! unless can?(auth_user, :read_dependency_proxy, group)
end
def authorize_read_dependency_proxy_for_tokens!
access_denied! unless can?(auth_user_or_token, :read_dependency_proxy,
group&.dependency_proxy_for_containers_policy_subject)
end
end
end
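Review bot: The actor test inside `auth_user_or_token` (human, service account, or project bot whose resource is a `::Group`) is one of three hand-written copies of the same rule; the other two are the `read_dependency_proxy_personal_access_token` condition in the new policy class and `personal_access_token_user?`/`group_access_token_user?` in the authentication service. This branch decides which policy class authorizes the request, so editing one copy and not the others would route an actor down the wrong path without raising anything. A single predicate shared by all three would remove that risk; at minimum add a comment above the condition, e.g. `# Must stay in sync with Packages::Policies::DependencyProxy::GroupPolicy and Auth::DependencyProxyAuthenticationService`. `authorize_read_dependency_proxy_for_tokens!` also passes `group&.dependency_proxy_for_containers_policy_subject`, so it depends on `can?` denying a nil subject when the group is missing, which deserves a one-line comment.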


@ -3,6 +3,8 @@
module Groups
module DependencyProxy
class ApplicationController < ::ApplicationController
include Gitlab::Utils::StrongMemoize
EMPTY_AUTH_RESULT = Gitlab::Auth::Result.new(nil, nil, nil, nil).freeze
delegate :actor, to: :@authentication_result, allow_nil: true
@ -19,15 +21,18 @@ module Groups
authenticate_with_http_token do |token, _|
@authentication_result = EMPTY_AUTH_RESULT
user_or_deploy_token = ::DependencyProxy::AuthTokenService.user_or_deploy_token_from_jwt(token)
case user_or_deploy_token
when User
@authentication_result = Gitlab::Auth::Result.new(user_or_deploy_token, nil, :user, [])
sign_in(user_or_deploy_token) unless user_or_deploy_token.project_bot? ||
user_or_deploy_token.service_account?
when DeployToken
@authentication_result = Gitlab::Auth::Result.new(user_or_deploy_token, nil, :deploy_token, [])
if Feature.enabled?(:packages_dependency_proxy_pass_token_to_policy, group)
user_or_token = ::DependencyProxy::AuthTokenService.user_or_token_from_jwt(token)
sign_in_and_setup_authentication_result(user_or_token)
else
user_or_token = ::DependencyProxy::AuthTokenService.user_or_deploy_token_from_jwt(token)
case user_or_token
when User
@authentication_result = Gitlab::Auth::Result.new(user_or_token, nil, :user, [])
sign_in(user_or_token) unless user_or_token.project_bot? || user_or_token.service_account?
when DeployToken
@authentication_result = Gitlab::Auth::Result.new(user_or_token, nil, :deploy_token, [])
end
end
end
@ -36,11 +41,36 @@ module Groups
private
attr_reader :personal_access_token
# TODO: We only need this here to get the group for the Feature flag evaluation.
# Move this back to app/controllers/groups/dependency_proxy_for_containers_controller.rb
# when we rollout the FF packages_dependency_proxy_pass_token_to_policy
def group
Group.find_by_full_path(params[:group_id], follow_redirects: true)
end
strong_memoize_attr :group
def request_bearer_token!
# unfortunately, we cannot use https://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html#method-i-authentication_request
response.headers['WWW-Authenticate'] = ::DependencyProxy::Registry.authenticate_header
render plain: '', status: :unauthorized
end
# When we rollout packages_dependency_proxy_pass_token_to_policy,
# we can move the body of this method inline, inside authenticate_user_from_jwt_token!
def sign_in_and_setup_authentication_result(user_or_token)
case user_or_token
when User
@authentication_result = Gitlab::Auth::Result.new(user_or_token, nil, :user, [])
sign_in(user_or_token)
when PersonalAccessToken
@authentication_result = Gitlab::Auth::Result.new(user_or_token.user, nil, :personal_access_token, [])
@personal_access_token = user_or_token
when DeployToken
@authentication_result = Gitlab::Auth::Result.new(user_or_token, nil, :deploy_token, [])
end
end
end
end
end
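Review bot: In `sign_in_and_setup_authentication_result` the `when User` branch calls `sign_in(user_or_token)` unconditionally, while the flag-off branch in the same file keeps `unless user_or_token.project_bot? || user_or_token.service_account?`. A JWT that carries only `user_id` still resolves to a `User` through `user_or_token_from_jwt`, and going by the issuing service that includes a project bot whose resource is not a `Group`, so with the flag enabled such a bot would be given a session where it was not before. If that is not intended, keep the guard: `sign_in(user_or_token) unless user_or_token.project_bot? || user_or_token.service_account?`. The `group` lookup now also runs before authentication to evaluate the flag; that looks harmless as long as it only feeds `Feature.enabled?`, but a comment saying the result must not be used for anything else at that point would help.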


@ -1,7 +1,6 @@
# frozen_string_literal: true
class Groups::DependencyProxyForContainersController < ::Groups::DependencyProxy::ApplicationController
include Gitlab::Utils::StrongMemoize
include DependencyProxy::GroupAccess
include SendFileUpload
include ::PackagesHelper # for event tracking
@ -124,12 +123,6 @@ class Groups::DependencyProxyForContainersController < ::Groups::DependencyProxy
@manifest_file_name ||= Gitlab::PathTraversal.check_path_traversal!("#{image}:#{tag}.json")
end
def group
strong_memoize(:group) do
Group.find_by_full_path(params[:group_id], follow_redirects: true)
end
end
def image
params[:image]
end


@ -33,9 +33,10 @@ class JwtController < ApplicationController
@authentication_result = Gitlab::Auth::Result.new(nil, nil, :none, Gitlab::Auth.read_only_authentication_abilities)
authenticate_with_http_basic do |login, password|
@raw_token = password
@authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, request: request)
@raw_token = password if @authentication_result.type == :personal_access_token
if @authentication_result.failed?
log_authentication_failed(login, @authentication_result)
render_access_denied
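Review bot: The conditional assignment `@raw_token = password if @authentication_result.type == :personal_access_token` is security-relevant and carries no comment saying why it is conditional. The raw token appears to be what the dependency proxy authentication service later copies into the JWT payload, so restricting it to personal access tokens is what keeps an account password out of that payload. I would state that directly above the line, e.g. `# Retain the secret only when it is a PAT; a login password must never reach the JWT payload`. The `authenticate_with_http_basic` block and its enclosing method continue outside the hunk.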


@ -21,11 +21,15 @@ module Ci
raise ArgumentError, 'build has not been picked by a runner'
end
# Owner namespace of the runner that executed the build
runner_owner_namespace_id = build.runner.owner_runner_namespace.namespace_id if build.runner.group_type?
entry = self.new(
build: build,
project: build.project,
runner: build.runner,
runner_type: build.runner.runner_type
runner_type: build.runner.runner_type,
runner_owner_namespace_xid: runner_owner_namespace_id
)
entry.validate!
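Review bot: `build.runner.owner_runner_namespace.namespace_id` raises `NoMethodError` if a group runner has no `owner_runner_namespace`, which would abort creating the running-build entry instead of just leaving the new column empty. Whether that association can be nil for a `group_type?` runner is not visible here, but the attribute is optional, so safe navigation costs nothing: `runner_owner_namespace_id = build.runner.owner_runner_namespace&.namespace_id if build.runner.group_type?`. The local is named `..._id` while the attribute it feeds is `runner_owner_namespace_xid`; using the same suffix in both places would read better. The enclosing method starts and ends outside the hunk.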


@ -971,6 +971,10 @@ class Group < Namespace
::Packages::Policies::Group.new(self)
end
def dependency_proxy_for_containers_policy_subject
::Packages::Policies::DependencyProxy::Group.new(self)
end
def update_two_factor_requirement_for_members
hierarchy_members.find_each(&:update_two_factor_requirement)
end


@ -0,0 +1,23 @@
# frozen_string_literal: true
# We use this class, in conjunction with the
# Group#dependency_proxy_for_containers_policy_subject method,
# to specify a custom policy class for DependencyProxy.
# A similar pattern was used in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/90963
module Packages
module Policies
module DependencyProxy
class Group
attr_reader :group
delegate :dependency_proxy_feature_available?, :full_path, :licensed_feature_available?,
:max_member_access_for_user, :member?, :owned_by?, :public?, :root_ancestor,
:root_ancestor_ip_restrictions, to: :group
def initialize(group)
@group = group
end
end
end
end
end


@ -462,6 +462,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
resource_access_token_create_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
end
# TODO: Remove this when we rollout the feature flag packages_dependency_proxy_pass_token_to_policy
# https://gitlab.com/gitlab-org/gitlab/-/issues/441588
def valid_dependency_proxy_deploy_token
@user.is_a?(DeployToken) && @user&.valid_for_dependency_proxy? && @user&.has_access_to_group?(@subject)
end


@ -0,0 +1,67 @@
# frozen_string_literal: true
# The policies defined in GroupPolicy is used in GraphQL requests
# With a GraphQL request, the user is always a human User
#
# With JWT requests, we can be dealing with any of the following:
# - a PrAT for a human
# - a PrAT for a service account
# - a GrAT
# - a Group DeployToken
#
# We use this custom policy class for JWT requests
module Packages
module Policies
module DependencyProxy
class GroupPolicy < ::GroupPolicy
overrides(:read_dependency_proxy)
desc "Deploy token with read access to dependency proxy"
condition(:read_dependency_proxy_deploy_token) do
@user.is_a?(DeployToken) && @user&.valid_for_dependency_proxy? && @user&.has_access_to_group?(@subject.group)
end
desc "Personal access or group access token with read access to dependency proxy"
condition(:read_dependency_proxy_personal_access_token) do
user_is_personal_access_token? &&
(
user.user.human? ||
user.user.service_account? ||
(user.user.project_bot? && user.user.resource_bot_resource.is_a?(::Group))
) &&
(access_level(for_any_session: true) >= GroupMember::GUEST)
end
condition(:dependency_proxy_disabled, scope: :subject) do
!@subject.dependency_proxy_feature_available?
end
rule { dependency_proxy_disabled }.prevent :read_dependency_proxy
rule do
read_dependency_proxy_personal_access_token | read_dependency_proxy_deploy_token
end.enable :read_dependency_proxy
rule do
~read_dependency_proxy_personal_access_token & ~read_dependency_proxy_deploy_token
end.prevent :read_dependency_proxy
def access_level(for_any_session: false)
return GroupMember::NO_ACCESS if @user.nil?
@access_level ||= lookup_access_level!(for_any_session: for_any_session)
end
def lookup_access_level!(_)
@subject.max_member_access_for_user(@user.user)
end
def user_is_personal_access_token?
user.is_a?(PersonalAccessToken)
end
end
end
end
end
Packages::Policies::DependencyProxy::GroupPolicy.prepend_mod_with('Packages::Policies::DependencyProxy::GroupPolicy')
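Review bot: `lookup_access_level!` dereferences `@user.user` with only the nil guard in `access_level` in front of it, so it is correct only when the actor is a `PersonalAccessToken`; that holds today because the one visible caller sits behind `user_is_personal_access_token? &&`, but `access_level` is a public override that other conditions may also reach. A guard makes the contract explicit: `return GroupMember::NO_ACCESS unless user_is_personal_access_token?`. `@access_level ||=` also caches the first result regardless of `for_any_session`, and `lookup_access_level!(_)` discards its argument, so the keyword has no effect in this class; a comment saying this is deliberate would stop a later reader from assuming session scoping applies. The visible token condition checks actor type and group membership only, so if token scope or the owner's blocked state has to be enforced at policy time rather than at JWT issuance, that check is missing here.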


@ -65,6 +65,8 @@ module Auth
JSONWebToken::HMACToken.new(self.class.secret).tap do |token|
token['user_id'] = current_user.id if current_user
token['deploy_token'] = deploy_token.token if deploy_token
token['personal_access_token'] = raw_token if personal_access_token_user?
token['group_access_token'] = raw_token if group_access_token_user?
token.expire_time = self.class.token_expire_at
end
end
@ -76,5 +78,13 @@ module Auth
def raw_token
params[:raw_token]
end
def group_access_token_user?
raw_token && current_user&.project_bot? && current_user.resource_bot_resource.is_a?(Group)
end
def personal_access_token_user?
raw_token && current_user && (current_user.human? || current_user.service_account?)
end
end
end
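Review bot: `token['personal_access_token'] = raw_token` and the `group_access_token` line below it place a long-lived credential in the JWT payload, and an HMAC-signed token is integrity-protected but, assuming `JSONWebToken::HMACToken` does not encrypt, readable by anything that stores or logs the bearer value. The JWT expires at `token_expire_at` while the access token inside it does not, so a leaked JWT stays useful after its own expiry. The existing `deploy_token` line has the same property, so this may be an accepted trade-off; if so, document it above these lines, e.g. `# The payload carries the raw token: treat the JWT as a secret of the same sensitivity and keep it out of logs`. Carrying a non-secret token identifier and resolving it server-side would avoid the exposure, at the cost of changing the lookup in `user_or_token_from_jwt`.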


@ -12,6 +12,10 @@ module DependencyProxy
JSONWebToken::HMACToken.decode(token, ::Auth::DependencyProxyAuthenticationService.secret).first
end
# TODO: Rename to make it obvious how it's used in Gitlab::Auth::RequestAuthenticator
# which is to return an <object>.<id> that is used as a rack-attack discriminator
# that way it cannot be confused with `.user_or_token_from_jwt`
# https://gitlab.com/gitlab-org/gitlab/-/issues/454518
def self.user_or_deploy_token_from_jwt(raw_jwt)
token_payload = self.new(raw_jwt).execute
@ -23,5 +27,34 @@ module DependencyProxy
rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::ImmatureSignature
nil
end
def self.user_or_token_from_jwt(raw_jwt)
token_payload = self.new(raw_jwt).execute
if token_payload['personal_access_token']
get_personal_access_token(token_payload['personal_access_token'])
elsif token_payload['group_access_token']
# a group access token is a personal access token in disguise
get_personal_access_token(token_payload['group_access_token'])
elsif token_payload['deploy_token']
get_deploy_token(token_payload['deploy_token'])
elsif token_payload['user_id']
get_user(token_payload['user_id'])
end
rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::ImmatureSignature
nil
end
def self.get_user(user_id)
User.find(user_id)
end
def self.get_personal_access_token(raw_token)
PersonalAccessTokensFinder.new(state: 'active').find_by_token(raw_token)
end
def self.get_deploy_token(raw_token)
DeployToken.active.find_by_token(raw_token)
end
end
end
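Review bot: `get_user` uses `User.find`, which raises `ActiveRecord::RecordNotFound` when the id in a still-valid JWT no longer exists, and the `rescue` in `user_or_token_from_jwt` lists only JWT errors, whereas the two token lookups return nil for an unknown value. `User.find_by(id: user_id)` would make all four branches fail the same way. The `user_id` branch also returns the user with no state check visible here, while the token branches restrict to `state: 'active'` and `DeployToken.active`; if a blocked or deactivated user must be rejected at this point, that check belongs in `get_user`. The three `get_*` helpers are public class methods that accept raw secrets, so `private_class_method :get_user, :get_personal_access_token, :get_deploy_token` would keep them internal.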


@ -17,7 +17,7 @@
- if current_user.admin?
= render Pajamas::ButtonComponent.new(href: [:admin, @group], icon: 'admin', button_options: { title: _('View group in admin area'), data: { toggle: 'tooltip', placement: 'bottom', container: 'body' } })
- if @notification_setting
.js-vue-notification-dropdown{ data: { disabled: emails_disabled.to_s, dropdown_items: notification_dropdown_items(@notification_setting).to_json, notification_level: @notification_setting.level, help_page_path: help_page_path('user/profile/notifications'), group_id: @group.id, container_class: 'gl-vertical-align-top' } }
.js-vue-notification-dropdown{ data: { disabled: emails_disabled.to_s, dropdown_items: notification_dropdown_items(@notification_setting).to_json, notification_level: @notification_setting.level, help_page_path: help_page_path('user/profile/notifications'), group_id: @group.id, container_class: 'gl-align-top' } }
- if can_create_subgroups
.gl-sm-w-auto.gl-w-full
= render Pajamas::ButtonComponent.new(href: new_group_path(parent_id: @group.id, anchor: 'create-group-pane'), button_options: { data: { testid: 'new-subgroup-button' }, class: 'gl-sm-w-auto gl-w-full'}) do


@ -26,13 +26,13 @@
&middot;
#{s_('IssueList|created %{timeAgoString} by %{user}').html_safe % { timeAgoString: time_ago_with_tooltip(merge_request.created_at, placement: 'bottom'), user: link_to_member(@project, merge_request.author, avatar: false, extra_class: 'gl-text-gray-500!') }}
- if merge_request.milestone
%span.issuable-milestone.gl-display-none.gl-sm-display-inline-block.gl-text-truncate.gl-max-w-26.gl-vertical-align-bottom
%span.issuable-milestone.gl-display-none.gl-sm-display-inline-block.gl-text-truncate.gl-max-w-26.gl-align-bottom
&nbsp;
= link_to project_merge_requests_path(merge_request.project, milestone_title: merge_request.milestone.title), class: 'gl-text-gray-500!', data: { html: 'true', toggle: 'tooltip', title: milestone_tooltip_due_date(merge_request.milestone) } do
= sprite_icon('milestone', size: 12, css_class: 'gl-vertical-align-text-bottom')
= merge_request.milestone.title
- if merge_request.target_project.default_branch != merge_request.target_branch
%span.project-ref-path.has-tooltip.d-inline-block.gl-text-truncate.gl-max-w-26.gl-vertical-align-bottom{ title: _('Target branch: %{target_branch}') % {target_branch: merge_request.target_branch} }
%span.project-ref-path.has-tooltip.d-inline-block.gl-text-truncate.gl-max-w-26.gl-align-bottom{ title: _('Target branch: %{target_branch}') % {target_branch: merge_request.target_branch} }
&nbsp;
= link_to project_ref_path(merge_request.project, merge_request.target_branch), class: 'ref-name gl-text-gray-500!' do
= sprite_icon('branch', size: 12, css_class: 'fork-sprite')


@ -10,7 +10,7 @@
&middot;
= sprintf(s_('created %{issuable_created} by %{author}'), { issuable_created: time_ago_with_tooltip(issuable.created_at, placement: 'bottom'), author: link_to_member(@project, issuable.author, avatar: false) }).html_safe
- if (target_branch = issuable_visible_target_branch(issuable))
%span.project-ref-path.has-tooltip.d-inline-block.gl-text-truncate.gl-max-w-26.gl-vertical-align-bottom{ title: _('Target branch: %{target_branch}') % {target_branch: target_branch} }
%span.project-ref-path.has-tooltip.d-inline-block.gl-text-truncate.gl-max-w-26.gl-align-bottom{ title: _('Target branch: %{target_branch}') % {target_branch: target_branch} }
&nbsp;
= link_to project_ref_path(issuable.project, target_branch), class: 'ref-name gl-text-gray-500!' do
= sprite_icon('branch', size: 12, css_class: 'fork-sprite')


@ -4,7 +4,7 @@
.search-result-row
%h5.note-search-caption.gl-max-w-full
%span.gl-display-inline-block.gl-text-truncate.search-max-w-inherit.gl-vertical-align-bottom
%span.gl-display-inline-block.gl-text-truncate.search-max-w-inherit.gl-align-bottom
= sprite_icon('comment', css_class: 'gl-vertical-align-text-bottom')
= link_to_member(project, note.author, avatar: false)
= _("commented on %{link_to_project}").html_safe % { link_to_project: link_to(project.full_name, project) }


@ -68,7 +68,7 @@
= render_if_exists 'shared/projects/removed', project: project
.gl-display-flex.gl-mt-3{ class: "#{css_class} gl-sm-display-none!" }
.gl-display-flex.gl-align-items-center.gl-mt-3{ class: "#{css_class} gl-sm-display-none!" }
.controls.gl-display-flex.gl-align-items-center
- if show_pipeline_status_icon && last_pipeline.present?
- pipeline_path = pipelines_project_commit_path(project.pipeline_status.project, project.pipeline_status.sha, ref: project.pipeline_status.ref)
@ -84,6 +84,7 @@
%span
= _('Updated')
= updated_tooltip
= render_if_exists 'shared/projects/actions', project: project
.project-cell.project-controls{ class: "#{css_class} gl-display-none! gl-sm-display-table-cell!", data: { testid: 'project_controls'} }
.controls.gl-display-flex.gl-align-items-center.gl-mb-2.gl-gap-4{ class: "#{css_controls_class} gl-pr-0! gl-justify-content-end!" }
@ -109,6 +110,7 @@
= link_to project_issues_path(project), class: "#{css_metadata_classes} issues", title: _('Issues'), data: { container: 'body', placement: 'top' } do
= sprite_icon('issues', size: 14, css_class: 'gl-mr-2')
= badge_count(project.open_issues_count)
= render_if_exists 'shared/projects/actions', project: project
.updated-note.gl-font-sm.gl-white-space-nowrap.gl-justify-content-end
%span
= _('Updated')


@ -1,6 +1,6 @@
.user-profile-sidebar
.profile-header.gl-pb-5.gl-pt-3.gl-overflow-y-auto.gl-sm-pr-4
.gl-vertical-align-top.gl-text-left.gl-max-w-80.gl-overflow-wrap-anywhere
.gl-align-top.gl-text-left.gl-max-w-80.gl-overflow-wrap-anywhere
.user-info
- if @user.confirmed?
.gl-display-flex.gl-gap-4.gl-flex-direction-column


@ -0,0 +1,9 @@
---
name: packages_dependency_proxy_pass_token_to_policy
feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/434291
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/141358
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/441588
milestone: '17.0'
group: group::container registry
type: gitlab_com_derisk
default_enabled: false


@ -0,0 +1,15 @@
# frozen_string_literal: true
class AddRunnerOwnerNamespaceIdColumnToCiRunningBuilds < Gitlab::Database::Migration[2.2]
milestone '17.0'
enable_lock_retries!
def up
add_column :ci_running_builds, :runner_owner_namespace_xid, :bigint, null: true
end
def down
remove_column :ci_running_builds, :runner_owner_namespace_xid, if_exists: true
end
end


@ -0,0 +1,16 @@
# frozen_string_literal: true
class AddIndexRunningBuildsOnRunnerTypeAndOwnerNamespaceIdAndId < Gitlab::Database::Migration[2.2]
disable_ddl_transaction!
milestone '17.0'
INDEX_NAME = 'idx_ci_running_builds_on_runner_type_and_owner_xid_and_id'
def up
add_concurrent_index(:ci_running_builds, [:runner_type, :runner_owner_namespace_xid, :runner_id], name: INDEX_NAME)
end
def down
remove_concurrent_index_by_name :ci_running_builds, INDEX_NAME, if_exists: true
end
end
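Review bot: The index name `idx_ci_running_builds_on_runner_type_and_owner_xid_and_id` and the migration class name both end in `and_id`/`AndId`, but the third indexed column is `:runner_id`, not `:id`. If `runner_id` is what the intended query filters or orders on, the name should say `..._and_runner_id`; if the query paginates on `id`, the column list is the part that is wrong. A one-line comment above `INDEX_NAME` naming the query this index serves would settle which it is.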


@ -0,0 +1 @@
1ccb744e72b4d4ace0ad9c31f3f9cd8fedf0cb82d5d7570737dd646c24e24a65


@ -0,0 +1 @@
23540efe713468eb8bae788431a65f6336dd04be08e77b5d5047b8b303f5e24a


@ -6856,7 +6856,8 @@ CREATE TABLE ci_running_builds (
runner_id bigint NOT NULL,
created_at timestamp with time zone DEFAULT now() NOT NULL,
runner_type smallint NOT NULL,
partition_id bigint NOT NULL
partition_id bigint NOT NULL,
runner_owner_namespace_xid bigint
);
CREATE SEQUENCE ci_running_builds_id_seq
@ -23997,6 +23998,8 @@ CREATE INDEX idx_ci_pipelines_on_user_id_and_id_and_cancelable_status_bigint ON
CREATE INDEX idx_ci_pipelines_on_user_id_and_user_not_verified_bigint ON ci_pipelines USING btree (user_id, id_convert_to_bigint DESC) WHERE (failure_reason = 3);
CREATE INDEX idx_ci_running_builds_on_runner_type_and_owner_xid_and_id ON ci_running_builds USING btree (runner_type, runner_owner_namespace_xid, runner_id);
CREATE INDEX idx_compliance_security_policies_on_policy_configuration_id ON compliance_framework_security_policies USING btree (policy_configuration_id);
CREATE UNIQUE INDEX idx_component_usages_on_component_used_by_project_and_used_date ON ONLY p_catalog_resource_component_usages USING btree (component_id, used_by_project_id, used_date);


@ -10,8 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** Self-managed
> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/46391) in GitLab 11.9.
[Google Cloud Identity](https://cloud.google.com/identity/) provides a Secure
LDAP service that can be configured with GitLab for authentication and group sync.


@ -54,8 +54,7 @@ Users are considered inactive in LDAP when they:
GitLab checks LDAP users' status:
- When signing in using any authentication provider. [In GitLab 14.4 and earlier](https://gitlab.com/gitlab-org/gitlab/-/issues/343298), status was
checked only when signing in using LDAP directly.
- When signing in using any authentication provider.
- Once per hour for active web sessions or Git requests using tokens or SSH keys.
- When performing Git over HTTP requests using LDAP username and password.
- Once per day during [User Sync](ldap_synchronization.md#user-sync).
@ -277,8 +276,6 @@ After configuring LDAP, to test the configuration, use the
### Basic configuration settings
> - The `hosts` configuration setting was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/139) in GitLab 14.7.
The following basic settings are available:
<!-- markdownlint-disable MD056 -->
@ -1245,8 +1242,6 @@ You can find more details on the expected behavior of user updates in our [LDAP
## Google Secure LDAP
> - Introduced in GitLab 11.9.
[Google Cloud Identity](https://cloud.google.com/identity/) provides a Secure
LDAP service that can be configured with GitLab for authentication and group sync.
See [Google Secure LDAP](google_secure_ldap.md) for detailed configuration instructions.


@ -489,8 +489,6 @@ group, GitLab revokes their `admin` role when syncing.
### Global group memberships lock
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/4354) in GitLab 12.0.
GitLab administrators can prevent group members from inviting new members to subgroups that have their membership synchronized with LDAP.
Global group membership lock only applies to subgroups of the top-level group where LDAP synchronization is configured. No user can modify the


@ -463,8 +463,6 @@ gitlab_rails['omniauth_providers'] = [
#### Configure Keycloak with a symmetric key algorithm
> - Introduced in GitLab 14.2.
WARNING:
The following instructions are included for completeness, but only use symmetric key
encryption if absolutely necessary.


@ -14,8 +14,6 @@ GitLab supports authentication using smart cards.
## Existing password authentication
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/33669) in GitLab 12.6.
By default, existing users can continue to sign in with a username and password when smart card
authentication is enabled.
@ -31,10 +29,8 @@ GitLab supports two authentication methods:
### Authentication against a local database with X.509 certificates
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/726) in GitLab 11.6 as an experimental feature.
WARNING:
Smart card authentication against local databases may change or be removed completely in future releases.
Smart card authentication against local databases is an experimental feature and may change or be removed completely in future releases.
Smart cards with X.509 certificates can be used to authenticate with GitLab.
@ -57,23 +53,19 @@ Certificate:
### Authentication against a local database with X.509 certificates and SAN extension
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/8605) in GitLab 12.3.
Smart cards with X.509 certificates using SAN extensions can be used to authenticate
with GitLab.
NOTE:
This is an experimental feature. Smart card authentication against local databases may
change or be removed completely in future releases.
Smart card authentication against local databases is an experimental feature and may change or be removed completely in future releases.
To use a smart card with an X.509 certificate to authenticate against a local
database with GitLab, in:
database with GitLab:
- GitLab 12.4 and later, at least one of the `subjectAltName` (SAN) extensions
need to define the user identity (`email`) within the GitLab instance (`URI`).
`URI`: needs to match `Gitlab.config.host.gitlab`.
- From [GitLab 12.5](https://gitlab.com/gitlab-org/gitlab/-/issues/33907),
if your certificate contains only **one** SAN email entry, you don't need to
- At least one of the `subjectAltName` (SAN) extensions
must define the user identity (`email`) within the GitLab instance (`URI`).
- The `URI` must match `Gitlab.config.host.gitlab`.
- If your certificate contains only **one** SAN email entry, you don't need to
add or modify it to match the `email` with the `URI`.
For example:
@ -100,7 +92,8 @@ Certificate:
### Authentication against an LDAP server
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/7693) in GitLab 11.8 as an experimental feature. Smart card authentication against an LDAP server may change or be removed completely in the future.
NOTE:
Smart card authentication against an LDAP server is an experimental feature and may change or be removed completely in future releases.
GitLab implements a standard way of certificate matching following
[RFC4523](https://www.rfc-editor.org/rfc/rfc4523). It uses the


@ -10,9 +10,6 @@ DETAILS:
**Tier:** Ultimate
**Offering:** Self-managed
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20912) in GitLab 12.6.
> - [Bot-created access tokens not displayed in personal access token list](https://gitlab.com/gitlab-org/gitlab/-/issues/351759) in GitLab 14.9.
As a GitLab administrator, you are responsible for the overall security of your instance.
To assist, GitLab provides an inventory of all the credentials that can be used to access
your self-managed instance.
@ -20,7 +17,7 @@ your self-managed instance.
In the credentials inventory, you can view all:
- Personal access tokens (PATs).
- Project access tokens (introduced in GitLab 14.8).
- Project access tokens
- Group access tokens ([introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/102959) in GitLab 15.6).
- SSH keys.
- GPG keys.
@ -30,14 +27,12 @@ You can also [revoke](#revoke-a-users-personal-access-token), [delete](#delete-a
- Who they belong to.
- Their access scope.
- Their usage pattern.
- [In GitLab 13.2 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/214809), when they:
- When they:
- Expire.
- Were revoked.
## Revoke a user's personal access token
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214811) in GitLab 13.4.
You can revoke a user's personal access token.
1. On the left sidebar, at the bottom, select **Admin Area**.
@ -58,8 +53,6 @@ When a PAT is revoked from the credentials inventory, the instance notifies the
## Revoke a user's project access token
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/243833) in GitLab 14.8.
1. On the left sidebar, at the bottom, select **Admin Area**.
1. Select **Credentials**.
1. Select the **Project Access Tokens** tab.
@ -71,8 +64,6 @@ The project access token is revoked and a background worker is queued to delete
## Delete a user's SSH key
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/225248) in GitLab 13.5.
1. On the left sidebar, at the bottom, select **Admin Area**.
1. Select **Credentials**.
1. Select the **SSH Keys** tab.
@ -84,9 +75,6 @@ The instance notifies the user.
## Review existing GPG keys
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/282429) in GitLab 13.10.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/292961) in GitLab 13.12.
You can view all existing GPG in your GitLab instance by going to the
credentials inventory GPG Keys tab, as well as the following properties:


@ -142,8 +142,6 @@ When you deactivate a user, their projects, groups, and history remain.
### Deactivate a user
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22257) in GitLab 12.4.
Prerequisites:
- The user has had no activity in the last 90 days.
@ -162,8 +160,6 @@ To deactivate users with the GitLab API, see [deactivate user](../api/users.md#d
### Automatically deactivate dormant users
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/320875) in GitLab 14.0.
> - Exclusion of GitLab generate bots [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/340346) in GitLab 14.5
> - Customizable time period [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/336747) in GitLab 15.4
> - The lower limit for inactive period set to 90 days [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/100793) in GitLab 15.5
@ -222,8 +218,6 @@ A maximum of 240,000 users can be deleted per day.
### Activate a user
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22257) in GitLab 12.4.
A deactivated user can be activated from the Admin Area.
To do this:
@ -242,8 +236,6 @@ Users can also be activated using the [GitLab API](../api/users.md#activate-user
## Ban and unban users
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327353) in GitLab 14.2 [with a flag](../administration/feature_flags.md) named `ban_user_feature_flag`. Disabled by default.
> - Ban and unban users [generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/327353) in GitLab 14.8. Feature flag `ban_user_feature_flag` removed.
> - Hiding merge requests of banned users [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107836) in GitLab 15.8 [with a flag](../administration/feature_flags.md) named `hide_merge_requests_from_banned_users`. Disabled by default.
> - Hiding comments of banned users [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/112973) in GitLab 15.11 [with a flag](../administration/feature_flags.md) named `hidden_notes`. Disabled by default.
> - Hiding projects of banned users [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121488) in GitLab 16.2 [with a flag](../administration/feature_flags.md) named `hide_projects_of_banned_users`. Disabled by default.


@ -44,8 +44,6 @@ DETAILS:
**Tier:** Premium, Ultimate
**Offering:** Self-managed
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/14735) in GitLab 12.2.
The following task runs a [group sync](../auth/ldap/ldap_synchronization.md#group-sync) immediately.
This is valuable when you'd like to update all configured group memberships against LDAP without
waiting for the next scheduled group sync to be run.


@ -10,8 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** Self-managed
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78364) in GitLab 14.8.
You can configure the per user rate limit for requests to [Users API](../../api/users.md).
To change the rate limit:


@ -16,12 +16,12 @@ The access levels are defined in the `Gitlab::Access` module, and the
following levels are recognized:
- No access (`0`)
- Minimal access (`5`) ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/220203) in GitLab 13.5.)
- Minimal access (`5`)
- Guest (`10`)
- Reporter (`20`)
- Developer (`30`)
- Maintainer (`40`)
- Owner (`50`). Valid for projects in [GitLab 14.9 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/21432).
- Owner (`50`).
## List access requests for a group or project


@ -10,8 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** Self-managed, GitLab Dedicated
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/16647) in GitLab 12.7.
The appearance API allows you to maintain the appearance of GitLab as if
you're using the GitLab UI at `/admin/appearance`. The API requires
administrator privileges.


@ -10,8 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/8160) in GitLab 10.5.
The Applications API operates on instance-wide OAuth applications for:
- [Using GitLab as an authentication provider](../integration/oauth_provider.md).


@ -10,8 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/19121) in GitLab 11.0.
## Get a single avatar URL
Get a single [avatar](../user/profile/index.md#access-your-user-settings) URL for a user with the given email address.


@ -13612,6 +13612,29 @@ The edge type for [`Pipeline`](#pipeline).
| <a id="pipelineedgecursor"></a>`cursor` | [`String!`](#string) | A cursor for use in pagination. |
| <a id="pipelineedgenode"></a>`node` | [`Pipeline`](#pipeline) | The item at the end of the edge. |
#### `PipelineExecutionPolicyConnection`
The connection type for [`PipelineExecutionPolicy`](#pipelineexecutionpolicy).
##### Fields
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="pipelineexecutionpolicyconnectionedges"></a>`edges` | [`[PipelineExecutionPolicyEdge]`](#pipelineexecutionpolicyedge) | A list of edges. |
| <a id="pipelineexecutionpolicyconnectionnodes"></a>`nodes` | [`[PipelineExecutionPolicy]`](#pipelineexecutionpolicy) | A list of nodes. |
| <a id="pipelineexecutionpolicyconnectionpageinfo"></a>`pageInfo` | [`PageInfo!`](#pageinfo) | Information to aid in pagination. |
#### `PipelineExecutionPolicyEdge`
The edge type for [`PipelineExecutionPolicy`](#pipelineexecutionpolicy).
##### Fields
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="pipelineexecutionpolicyedgecursor"></a>`cursor` | [`String!`](#string) | A cursor for use in pagination. |
| <a id="pipelineexecutionpolicyedgenode"></a>`node` | [`PipelineExecutionPolicy`](#pipelineexecutionpolicy) | The item at the end of the edge. |
#### `PipelineScheduleConnection`
The connection type for [`PipelineSchedule`](#pipelineschedule).
@ -21745,6 +21768,22 @@ four standard [pagination arguments](#pagination-arguments):
| <a id="grouppackagessort"></a>`sort` | [`PackageGroupSort`](#packagegroupsort) | Sort packages by this criteria. |
| <a id="grouppackagesstatus"></a>`status` | [`PackageStatus`](#packagestatus) | Filter a package by status. |
##### `Group.pipelineExecutionPolicies`
Pipeline Execution Policies of the namespace.
Returns [`PipelineExecutionPolicyConnection`](#pipelineexecutionpolicyconnection).
This field returns a [connection](#connections). It accepts the
four standard [pagination arguments](#pagination-arguments):
`before: String`, `after: String`, `first: Int`, and `last: Int`.
###### Arguments
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="grouppipelineexecutionpoliciesrelationship"></a>`relationship` | [`SecurityPolicyRelationType`](#securitypolicyrelationtype) | Filter policies by the given policy relationship. |
##### `Group.projectComplianceStandardsAdherence`
Compliance standards adherence for the projects in a group and its subgroups.
@ -25098,6 +25137,22 @@ four standard [pagination arguments](#pagination-arguments):
| <a id="namespacecomplianceframeworksids"></a>`ids` | [`[ComplianceManagementFrameworkID!]`](#compliancemanagementframeworkid) | List of Global IDs of compliance frameworks to return. |
| <a id="namespacecomplianceframeworkssearch"></a>`search` | [`String`](#string) | Search framework with most similar names. |
##### `Namespace.pipelineExecutionPolicies`
Pipeline Execution Policies of the namespace.
Returns [`PipelineExecutionPolicyConnection`](#pipelineexecutionpolicyconnection).
This field returns a [connection](#connections). It accepts the
four standard [pagination arguments](#pagination-arguments):
`before: String`, `after: String`, `first: Int`, and `last: Int`.
###### Arguments
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="namespacepipelineexecutionpoliciesrelationship"></a>`relationship` | [`SecurityPolicyRelationType`](#securitypolicyrelationtype) | Filter policies by the given policy relationship. |
##### `Namespace.projects`
Projects within this namespace.
@ -26039,6 +26094,23 @@ Represents pipeline counts for the project.
| <a id="pipelinecountspending"></a>`pending` | [`Int`](#int) | Number of pipelines with scope PENDING for the project. |
| <a id="pipelinecountsrunning"></a>`running` | [`Int`](#int) | Number of pipelines with scope RUNNING for the project. |
### `PipelineExecutionPolicy`
Represents the pipeline execution policy.
#### Fields
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="pipelineexecutionpolicydescription"></a>`description` | [`String!`](#string) | Description of the policy. |
| <a id="pipelineexecutionpolicyeditpath"></a>`editPath` | [`String!`](#string) | URL of policy edit page. |
| <a id="pipelineexecutionpolicyenabled"></a>`enabled` | [`Boolean!`](#boolean) | Indicates whether this policy is enabled. |
| <a id="pipelineexecutionpolicyname"></a>`name` | [`String!`](#string) | Name of the policy. |
| <a id="pipelineexecutionpolicypolicyscope"></a>`policyScope` | [`PolicyScope`](#policyscope) | Scope of the policy. |
| <a id="pipelineexecutionpolicysource"></a>`source` | [`SecurityPolicySource!`](#securitypolicysource) | Source of the policy. Its fields depend on the source type. |
| <a id="pipelineexecutionpolicyupdatedat"></a>`updatedAt` | [`Time!`](#time) | Timestamp of when the policy YAML was last updated. |
| <a id="pipelineexecutionpolicyyaml"></a>`yaml` | [`String!`](#string) | YAML definition of the policy. |
### `PipelineMessage`
#### Fields
@ -27508,6 +27580,22 @@ Returns [`PipelineCounts`](#pipelinecounts).
| <a id="projectpipelinecountssha"></a>`sha` | [`String`](#string) | Filter pipelines by the SHA of the commit they are run for. |
| <a id="projectpipelinecountssource"></a>`source` | [`String`](#string) | Filter pipelines by their source. |
##### `Project.pipelineExecutionPolicies`
Pipeline Execution Policies of the project.
Returns [`PipelineExecutionPolicyConnection`](#pipelineexecutionpolicyconnection).
This field returns a [connection](#connections). It accepts the
four standard [pagination arguments](#pagination-arguments):
`before: String`, `after: String`, `first: Int`, and `last: Int`.
###### Arguments
| Name | Type | Description |
| ---- | ---- | ----------- |
| <a id="projectpipelineexecutionpoliciesrelationship"></a>`relationship` | [`SecurityPolicyRelationType`](#securitypolicyrelationtype) | Filter policies by the given policy relationship. |
##### `Project.pipelineSchedules`
Pipeline schedules of the project. This field can only be resolved for one project per request.
@ -36000,6 +36088,7 @@ four standard [pagination arguments](#pagination-arguments):
Implementations:
- [`ApprovalPolicy`](#approvalpolicy)
- [`PipelineExecutionPolicy`](#pipelineexecutionpolicy)
- [`ScanExecutionPolicy`](#scanexecutionpolicy)
- [`ScanResultPolicy`](#scanresultpolicy)


@ -14,8 +14,6 @@ You can read more about [group access tokens](../user/group/settings/group_acces
## List group access tokens
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77236) in GitLab 14.7.
Get a list of [group access tokens](../user/group/settings/group_access_tokens.md).
```plaintext
@ -50,8 +48,6 @@ curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/a
## Get a group access token
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82714) in GitLab 14.10.
Get a [group access token](../user/group/settings/group_access_tokens.md) by ID.
```plaintext
@ -85,7 +81,6 @@ curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/a
## Create a group access token
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77236) in GitLab 14.7.
> - The `expires_at` attribute default was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/120213) in GitLab 16.0.
Create a [group access token](../user/group/settings/group_access_tokens.md). You must have the Owner role for the
@ -188,8 +183,6 @@ for more information.
## Revoke a group access token
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77236) in GitLab 14.7.
Revoke a [group access token](../user/group/settings/group_access_tokens.md).
```plaintext


@ -10,24 +10,18 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
> `created_by` field [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/28789) in GitLab 14.10.
## Roles
The [role](../user/permissions.md) assigned to a user or group is defined
in the `Gitlab::Access` module as `access_level`.
- No access (`0`)
- Minimal access (`5`) ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/220203) in GitLab 13.5.)
- Minimal access (`5`)
- Guest (`10`)
- Reporter (`20`)
- Developer (`30`)
- Maintainer (`40`)
- Owner (`50`). Valid for projects in [GitLab 14.9 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/21432).
NOTE:
In [GitLab 14.9](https://gitlab.com/gitlab-org/gitlab/-/issues/351211) and later, projects in personal namespaces have an `access_level` of `50`(Owner).
In GitLab 14.8 and earlier, projects in personal namespaces have an `access_level` of `40` (Maintainer) due to [an issue](https://gitlab.com/gitlab-org/gitlab/-/issues/219299)
- Owner (`50`)
## Limitations
@ -124,7 +118,6 @@ Gets a list of group or project members viewable by the authenticated user, incl
If a user is a member of this group or project and also of one or more ancestor groups,
only its membership with the highest `access_level` is returned.
([Improved](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/56677) in GitLab 13.11.)
This represents the effective permission of the user.
Members from an invited group are returned if either:
@ -334,16 +327,13 @@ Example response:
## List all billable members of a group
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/217384) in GitLab 13.5.
Gets a list of group members that count as billable. The list includes members in subgroups and projects.
This API endpoint works on top-level groups only. It does not work on subgroups.
This function takes [pagination](rest/index.md#pagination) parameters `page` and `per_page` to restrict the list of users.
[In GitLab 13.7 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/262875), use the `search` parameter
to search for billable group members by name and `sort` to sort the results.
Use the `search` parameter to search for billable group members by name and `sort` to sort the results.
```plaintext
GET /groups/:id/billable_members
@ -423,8 +413,6 @@ Example response:
## List memberships for a billable member of a group
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/321560) in GitLab 13.11.
Gets a list of memberships for a billable member of a group.
Lists all projects and groups a user is a member of. Only projects and groups within the group hierarchy are included.
@ -685,8 +673,6 @@ Example response:
### Set override flag for a member of a group
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/4875) in GitLab 13.0.
By default, the access level of LDAP group members is set to the value specified
by LDAP through Group Sync. You can allow access level overrides by calling this endpoint.
@ -731,8 +717,6 @@ Example response:
### Remove override for a member of a group
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/4875) in GitLab 13.0.
Sets the override flag to false and allows LDAP Group Sync to reset the access
level to the LDAP-prescribed value.
@ -842,8 +826,6 @@ curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitla
## List pending members of a group and its subgroups and projects
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/332596) in GitLab 14.6.
For a group and its subgroups and projects, get a list of all members in an `awaiting` state and those who are invited but do not have a GitLab account.
This request returns all matching group and project members from all groups and projects in the root group's hierarchy.


@ -10,8 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** Self-managed
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/54232) in GitLab 13.10.
The plan limits API allows you to maintain the application limits for the existing subscription plans.
The existing plans depend on the GitLab edition. In the Community Edition, only the plan `default`


@ -14,8 +14,6 @@ You can read more about [project access tokens](../user/project/settings/project
## List project access tokens
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/238991) in GitLab 13.9.
Get a list of [project access tokens](../user/project/settings/project_access_tokens.md).
```plaintext
@ -50,8 +48,6 @@ curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/a
## Get a project access token
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82714) in GitLab 14.10.
Get a [project access token](../user/project/settings/project_access_tokens.md) by ID.
```plaintext
@ -86,8 +82,6 @@ curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/a
## Create a project access token
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/55408) in GitLab 13.10.
> - The `token` attribute was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/55408) in GitLab 13.10.
> - The `expires_at` attribute default was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/120213) in GitLab 16.0.
Create a [project access token](../user/project/settings/project_access_tokens.md).
@ -98,8 +92,6 @@ role that can be set is:
- Owner (`50`), if you have the Owner role for the project.
- Maintainer (`40`), if you have the Maintainer role on the project.
In GitLab 14.8 and earlier, project access tokens have a maximum role of Maintainer.
```plaintext
POST projects/:id/access_tokens
```
@ -197,8 +189,6 @@ for more information.
## Revoke a project access token
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/238991) in GitLab 13.9.
Revoke a [project access token](../user/project/settings/project_access_tokens.md).
```plaintext


@ -386,7 +386,7 @@ listed in the descriptions of the relevant settings.
| `deactivate_dormant_users_period` | integer | no | Length of time (in days) after which a user is considered dormant. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/336747) in GitLab 15.3. |
| `decompress_archive_file_timeout` | integer | no | Default timeout for decompressing archived files, in seconds. Set to 0 to disable timeouts. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129161) in GitLab 16.4. |
| `default_artifacts_expire_in` | string | no | Set the default expiration time for each job's artifacts. |
| `default_branch_name` | string | no | [Instance-level custom initial branch name](../user/project/repository/branches/default.md#instance-level-custom-initial-branch-name). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/225258) in GitLab 13.2. |
| `default_branch_name` | string | no | [Instance-level custom initial branch name](../user/project/repository/branches/default.md#instance-level-custom-initial-branch-name). |
| `default_branch_protection` | integer | no | Determine if developers can push to the default branch. Can take: `0` _(not protected, both users with the Developer role or Maintainer role can push new commits and force push)_, `1` _(partially protected, users with the Developer role or Maintainer role can push new commits, but cannot force push)_ or `2` _(fully protected, users with the Developer or Maintainer role cannot push new commits, but users with the Developer or Maintainer role can; no one can force push)_ as a parameter. Default is `2`. |
| `default_ci_config_path` | string | no | Default CI/CD configuration file and path for new projects (`.gitlab-ci.yml` if not set). |
| `default_group_visibility` | string | no | What visibility level new groups receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4: cannot be set to any levels in `restricted_visibility_levels`.|
@ -405,7 +405,7 @@ listed in the descriptions of the relevant settings.
| `diff_max_files` | integer | no | Maximum [files in a diff](../administration/diff_limits.md). |
| `diff_max_lines` | integer | no | Maximum [lines in a diff](../administration/diff_limits.md). |
| `disable_admin_oauth_scopes` | boolean | no | Stops administrators from connecting their GitLab accounts to non-trusted OAuth 2.0 applications that have the `api`, `read_api`, `read_repository`, `write_repository`, `read_registry`, `write_registry`, or `sudo` scopes. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/375043) in GitLab 15.6. |
| `disable_feed_token` | boolean | no | Disable display of RSS/Atom and calendar feed tokens. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/231493) in GitLab 13.7. |
| `disable_feed_token` | boolean | no | Disable display of RSS/Atom and calendar feed tokens. |
| `disable_personal_access_tokens` | boolean | no | Disable personal access tokens. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/384201) in GitLab 15.7. Self-managed, Premium and Ultimate only. There is no method available to enable a personal access token that's been disabled through the API. This is a [known issue](https://gitlab.com/gitlab-org/gitlab/-/issues/399233). For more information about available workarounds, see [Workaround](https://gitlab.com/gitlab-org/gitlab/-/issues/399233#workaround). |
| `disabled_oauth_sign_in_sources` | array of strings | no | Disabled OAuth sign-in sources. |
| `dns_rebinding_protection_enabled` | boolean | no | Enforce DNS-rebinding attack protection. |
@ -507,12 +507,12 @@ listed in the descriptions of the relevant settings.
| `max_attachment_size` | integer | no | Limit attachment size in MB. |
| `max_decompressed_archive_size` | integer | no | Maximum decompressed file size for imported archives in MB. Set to `0` for unlimited. Default is `25600`. |
| `max_export_size` | integer | no | Maximum export size in MB. 0 for unlimited. Default = 0 (unlimited). |
| `max_import_size` | integer | no | Maximum import size in MB. 0 for unlimited. Default = 0 (unlimited). [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/251106) from 50 MB to 0 in GitLab 13.8. |
| `max_import_size` | integer | no | Maximum import size in MB. 0 for unlimited. Default = 0 (unlimited). |
| `max_import_remote_file_size` | integer | no | Maximum remote file size for imports from external object storages. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/384976) in GitLab 16.3. |
| `max_login_attempts` | integer | no | Maximum number of sign-in attempts before locking out the user. |
| `max_pages_size` | integer | no | Maximum size of pages repositories in MB. |
| `max_personal_access_token_lifetime` | integer | no | Maximum allowable lifetime for access tokens in days. When left blank, default value of 365 is applied. When set, value must be 365 or less. When changed, existing access tokens with an expiration date beyond the maximum allowable lifetime are revoked. Self-managed, Ultimate only.|
| `max_ssh_key_lifetime` | integer | no | Maximum allowable lifetime for SSH keys in days. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/1007) in GitLab 14.6. Self-managed, Ultimate only.|
| `max_ssh_key_lifetime` | integer | no | Maximum allowable lifetime for SSH keys in days. Self-managed, Ultimate only.|
| `max_terraform_state_size_bytes` | integer | no | Maximum size in bytes of the [Terraform state](../administration/terraform_state.md) files. Set this to 0 for unlimited file size. |
| `metrics_method_call_threshold` | integer | no | A method call is only tracked when it takes longer than the given amount of milliseconds. |
| `max_number_of_repository_downloads` | integer | no | Maximum number of unique repositories a user can download in the specified time period before they are banned. Default: 0, Maximum: 10,000 repositories. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87980) in GitLab 15.1. Self-managed, Ultimate only. |
@ -575,7 +575,7 @@ listed in the descriptions of the relevant settings.
| `remember_me_enabled` | boolean | no | Enable [**Remember me** setting](../administration/settings/account_and_limit_settings.md#turn-remember-me-on-or-off). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/369133) in GitLab 16.0. |
| `repository_checks_enabled` | boolean | no | GitLab periodically runs `git fsck` in all project and wiki repositories to look for silent disk corruption issues. |
| `repository_size_limit` | integer | no | Size limit per repository (MB). Premium and Ultimate only. |
| `repository_storages_weighted` | hash of strings to integers | no | (GitLab 13.1 and later) Hash of names of taken from `gitlab.yml` to [weights](../administration/repository_storage_paths.md#configure-where-new-repositories-are-stored). New projects are created in one of these stores, chosen by a weighted random selection. |
| `repository_storages_weighted` | hash of strings to integers | no | Hash of names of taken from `gitlab.yml` to [weights](../administration/repository_storage_paths.md#configure-where-new-repositories-are-stored). New projects are created in one of these stores, chosen by a weighted random selection. |
| `require_admin_approval_after_user_signup` | boolean | no | When enabled, any user that signs up for an account using the registration form is placed under a **Pending approval** state and has to be explicitly [approved](../administration/moderate_users.md) by an administrator. |
| `require_two_factor_authentication` | boolean | no | (**If enabled, requires:** `two_factor_grace_period`) Require all users to set up two-factor authentication. |
| `restricted_visibility_levels` | array of strings | no | Selected levels cannot be used by non-Administrator users for groups, projects or snippets. Can take `private`, `internal` and `public` as a parameter. Default is `null` which means there is no restriction.[Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4: cannot select levels that are set as `default_project_visibility` and `default_group_visibility`. |
@ -671,10 +671,10 @@ You can configure inactive projects deletion or turn it off.
| Attribute | Type | Required | Description |
|------------------------------------------|------------------|:------------------------------------:|-------------|
| `delete_inactive_projects` | boolean | no | Enable [inactive project deletion](../administration/inactive_project_deletion.md). Default is `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84519) in GitLab 14.10. [Became operational without feature flag](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/96803) in GitLab 15.4. |
| `inactive_projects_delete_after_months` | integer | no | If `delete_inactive_projects` is `true`, the time (in months) to wait before deleting inactive projects. Default is `2`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84519) in GitLab 14.10. [Became operational](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/85689) in GitLab 15.0. |
| `inactive_projects_min_size_mb` | integer | no | If `delete_inactive_projects` is `true`, the minimum repository size for projects to be checked for inactivity. Default is `0`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84519) in GitLab 14.10. [Became operational](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/85689) in GitLab 15.0. |
| `inactive_projects_send_warning_email_after_months` | integer | no | If `delete_inactive_projects` is `true`, sets the time (in months) to wait before emailing maintainers that the project is scheduled be deleted because it is inactive. Default is `1`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84519) in GitLab 14.10. [Became operational](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/85689) in GitLab 15.0. |
| `delete_inactive_projects` | boolean | no | Enable [inactive project deletion](../administration/inactive_project_deletion.md). Default is `false`. [Became operational without feature flag](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/96803) in GitLab 15.4. |
| `inactive_projects_delete_after_months` | integer | no | If `delete_inactive_projects` is `true`, the time (in months) to wait before deleting inactive projects. Default is `2`. [Became operational](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/85689) in GitLab 15.0. |
| `inactive_projects_min_size_mb` | integer | no | If `delete_inactive_projects` is `true`, the minimum repository size for projects to be checked for inactivity. Default is `0`. [Became operational](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/85689) in GitLab 15.0. |
| `inactive_projects_send_warning_email_after_months` | integer | no | If `delete_inactive_projects` is `true`, sets the time (in months) to wait before emailing maintainers that the project is scheduled be deleted because it is inactive. Default is `1`. [Became operational](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/85689) in GitLab 15.0. |
## Housekeeping fields


@ -105,8 +105,7 @@ GET /users?external=true
GitLab supports bot users such as the [alert bot](../operations/incident_management/integrations.md)
or the [support bot](../user/project/service_desk/configure.md#support-bot-user).
You can exclude the following types of [internal users](../development/internal_users.md#internal-users)
from the users' list with the `exclude_internal=true` parameter
([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/241144) in GitLab 13.4):
from the users' list with the `exclude_internal=true` parameter:
- Alert bot
- Support bot
@ -138,7 +137,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** Self-managed, GitLab Dedicated
> - The `namespace_id` field in the response was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82045) in GitLab 14.10.
> - The `created_by` field in the response was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/93092) in GitLab 15.6.
> - The `scim_identities` field in the response [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/324247) in GitLab 16.1.
> - The `auditors` field in the response [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/418023) in GitLab 16.2.
@ -550,11 +548,9 @@ over `password`. In addition, `reset_password` and
`force_random_password` can be used together.
NOTE:
From [GitLab 12.1](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/29888/), `private_profile` defaults to `false`.
From [GitLab 15.8](https://gitlab.com/gitlab-org/gitlab/-/issues/231301), `private_profile` defaults to the value determined by [this](../administration/settings/account_and_limit_settings.md#set-profiles-of-new-users-to-private-by-default) setting.
NOTE:
From [GitLab 13.2](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/35604), `bio` defaults to `""` instead of `null`.
`private_profile` defaults to the value of the
[Set profiles of new users to private by default](../administration/settings/account_and_limit_settings.md#set-profiles-of-new-users-to-private-by-default) setting.
`bio` defaults to `""` instead of `null`.
```plaintext
POST /users
@ -1066,11 +1062,11 @@ Get the counts (same as in the upper-right menu) of the authenticated user.
| Attribute | Type | Description |
| --------------------------------- | ------ | ---------------------------------------------------------------------------- |
| `assigned_issues` | number | Number of issues that are open and assigned to the current user. [Added](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/66909) in GitLab 14.2. |
| `assigned_merge_requests` | number | Number of merge requests that are active and assigned to the current user. [Added](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/50026) in GitLab 13.8. |
| `merge_requests` | number | [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/50026) in GitLab 13.8. Equivalent to and replaced by `assigned_merge_requests`. |
| `review_requested_merge_requests` | number | Number of merge requests that the current user has been requested to review. [Added](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/50026) in GitLab 13.8. |
| `todos` | number | Number of pending to-do items for current user. [Added](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/66909) in GitLab 14.2. |
| `assigned_issues` | number | Number of issues that are open and assigned to the current user. |
| `assigned_merge_requests` | number | Number of merge requests that are active and assigned to the current user. |
| `merge_requests` | number | [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/50026) in GitLab 13.8. Equivalent to and replaced by `assigned_merge_requests`. |
| `review_requested_merge_requests` | number | Number of merge requests that the current user has been requested to review. |
| `todos` | number | Number of pending to-do items for current user. |
```plaintext
GET /user_counts
@ -1541,8 +1537,7 @@ Example response:
## Get a specific GPG key for a given user
Get a specific GPG key for a given user. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/43693)
in GitLab 13.5, this endpoint can be accessed without administrator authentication.
Get a specific GPG key for a given user. This endpoint can be accessed without administrator authentication.
```plaintext
GET /users/:id/gpg_keys/:key_id
@ -2040,8 +2035,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** Self-managed, GitLab Dedicated
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/263107) in GitLab 13.7.
Approves the specified user. Available only for administrators.
```plaintext
@ -2245,8 +2238,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** Self-managed, GitLab Dedicated
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/17176) in GitLab 13.6.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/267553) in GitLab 13.8.
> - The `expires_at` attribute default was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/120213) in GitLab 16.0.
Use this API to create a new personal access token. Token values are returned once so,


@ -6,8 +6,6 @@ info: Any user with at least the Maintainer role can merge updates to this conte
# Cascading Settings
> - Introduced in [GitLab 13.11](https://gitlab.com/gitlab-org/gitlab/-/issues/321724).
The cascading settings framework allows groups to essentially inherit settings
values from ancestors (parent group on up the group hierarchy) and from
instance-level application settings. The framework also allows settings values


@ -93,8 +93,7 @@ Project membership (where the group membership is already taken into account)
is stored in the `project_authorizations` table.
NOTE:
In [GitLab 14.9](https://gitlab.com/gitlab-org/gitlab/-/issues/351211) and later, projects in personal namespaces have a maximum role of Owner.
Because of a [known issue](https://gitlab.com/gitlab-org/gitlab/-/issues/219299) in GitLab 14.8 and earlier, projects in personal namespaces have a maximum role of Maintainer.
Projects in personal namespaces have a maximum role of Owner.
#### Guest role


@ -10,7 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** Self-managed
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/341898) in GitLab 14.5.
> - [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/390855) in GitLab 15.10.
You can sign in to GitLab using your DingTalk account.


@ -188,8 +188,6 @@ LDAP Distinguished Names look like `sAMAccountName=foo,dc=ad,dc=example,dc=com`.
### Custom allowed realms
[Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/9962) in GitLab 13.5.
You can configure custom allowed realms when the user's Kerberos realm doesn't
match the domain from the user's LDAP DN. The configuration value must specify
all domains that users may be expected to have. Any other domains are
@ -311,53 +309,7 @@ Kerberos ticket-based authentication.
In previous versions of GitLab users had to submit their
Kerberos username and password to GitLab when signing in.
We [deprecated](../update/deprecations.md#omniauth-kerberos-gem) password-based
Kerberos sign-ins in GitLab 14.3 and [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/2908)
it in GitLab 15.0. You must switch to ticket-based sign in.
Depending on your existing GitLab configuration, **Sign in with:
Kerberos** may already be visible on your GitLab sign-in page.
If not, then add the settings [described above](#configuration).
To disable password-based Kerberos sign-ins, remove the OmniAuth provider
`kerberos` from your `gitlab.yml`/`gitlab.rb` file.
::Tabs
:::TabTitle Linux package (Omnibus)
1. Edit `/etc/gitlab/gitlab.rb` and remove the `{ "name" => "kerberos" }` line
under `gitlab_rails['omniauth_providers']`:
```ruby
gitlab_rails['omniauth_providers'] = [
{ "name" => "kerberos" } # <-- remove this entry
]
```
1. [Reconfigure GitLab](../administration/restart_gitlab.md#reconfigure-a-linux-package-installation) for the changes to take effect.
:::TabTitle Self-compiled (source)
1. Edit [`gitlab.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/gitlab.yml.example) and remove the `- { name: 'kerberos' }` line under OmniAuth
providers:
```yaml
omniauth:
# Rest of configuration omitted
# ...
providers:
- { name: 'kerberos' } # <-- remove this line
```
1. [Restart GitLab](../administration/restart_gitlab.md#self-compiled-installations) for the changes to take effect.
::EndTabs
NOTE:
Removing the `kerberos` OmniAuth provider can also resolve a rare
`Krb5Auth::Krb5::Exception (No credentials cache found)` error (`500` error in GitLab)
when trying to clone via HTTPS.
We [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/2908) password-based Kerberos sign-ins in GitLab 15.0.
## Support for Active Directory Kerberos environments


@ -45,16 +45,11 @@ To create a new application for your user:
1. Select **Save application**. GitLab provides:
- The OAuth 2 Client ID in the **Application ID** field.
- The OAuth 2 Client Secret, accessible:
- In the **Secret** field in GitLab 14.1 and earlier.
- By selecting **Copy** in the **Secret** field
[in GitLab 14.2 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/332844).
- The OAuth 2 Client Secret, accessible by selecting **Copy** in the **Secret** field.
- The **Renew secret** function in [GitLab 15.9 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/338243). Use this function to generate and copy a new secret for this application. Renewing a secret prevents the existing application from functioning until the credentials are updated.
## Create a group-owned application
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/16227) in GitLab 13.11.
To create a new application for a group:
1. Go to the desired group.
@ -65,10 +60,7 @@ To create a new application for a group:
1. Select **Save application**. GitLab provides:
- The OAuth 2 Client ID in the **Application ID** field.
- The OAuth 2 Client Secret, accessible:
- In the **Secret** field in GitLab 14.1 and earlier.
- By selecting **Copy** in the **Secret** field
[in GitLab 14.2 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/332844).
- The OAuth 2 Client Secret, accessible by selecting **Copy** in the **Secret** field.
- The **Renew secret** function in [GitLab 15.9 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/338243). Use this function to generate and copy a new secret for this application. Renewing a secret prevents the existing application from functioning until the credentials are updated.
## Create an instance-wide application
@ -120,13 +112,11 @@ At any time you can revoke any access by selecting **Revoke**.
## Access token expiration
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/21745) in GitLab 14.3, with the ability to opt out.
> - Ability to opt-out of expiring access token [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/340848) in GitLab 15.0.
> - Database validation on `expires_in` [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/112765) in GitLab 15.10. If your GitLab instance has any remaining OAuth Access Tokens without `expires_in` set when you are upgrading to 15.10 or later, the database migration will raise an error. For workaround instructions, see the [GitLab 15.10.0 upgrade documentation](../update/versions/gitlab_15_changes.md#15100).
WARNING:
The ability to opt out of expiring access tokens was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/340848)
in GitLab 14.3 and [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/340848) in 15.0. All
The ability to opt out of expiring access tokens was
[removed](https://gitlab.com/gitlab-org/gitlab/-/issues/340848) in GitLab 15.0. All
existing integrations must be updated to support access token refresh.
Access tokens expire after two hours. Integrations that use access tokens must


@ -292,8 +292,6 @@ omniauth:
## Link existing users to OmniAuth users
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/36664) in GitLab 13.4.
You can automatically link OmniAuth users with existing GitLab users if their email addresses match.
The following example enables automatic linking
@ -429,8 +427,6 @@ omniauth:
## Bypass two-factor authentication
> - Introduced in GitLab 12.3.
With certain OmniAuth providers, users can sign in without using two-factor authentication (2FA).
Because of a [known issue](https://gitlab.com/gitlab-org/gitlab/-/issues/196131) users must


@ -397,8 +397,6 @@ Your IdP may need additional configuration. For more information, see
### Configure GitLab to use multiple SAML IdPs
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/14361) in GitLab 14.6.
You can configure GitLab to use multiple SAML IdPs if:
- Each provider has a unique name set that matches a name set in `args`. At least
@ -1260,8 +1258,6 @@ DETAILS:
**Tier:** Premium, Ultimate
**Offering:** Self-managed, GitLab Dedicated
> Introduced in GitLab 11.4.
Your IdP passes group information to GitLab in the SAML response. To use this
response, configure GitLab to identify:


@ -21,8 +21,6 @@ during new user sign-ups and when an existing user performs a password reset.
## Modify minimum password length
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20661) in GitLab 12.6
The user password length is set to a minimum of 8 characters by default.
To change the minimum password length using GitLab UI:


@ -31,7 +31,7 @@ Most [brute-force attacks](https://en.wikipedia.org/wiki/Brute-force_attack) are
similarly mitigated by a rate limit.
NOTE:
[In GitLab 14.8 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/344807), the rate limits for API requests do not affect requests made by the frontend, because these requests are always counted as web traffic.
The rate limits for API requests do not affect requests made by the frontend, because these requests are always counted as web traffic.
## Configurable limits
@ -82,8 +82,6 @@ For configuration information, see
### Repository archives
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/25750) in GitLab 12.9.
A rate limit for [downloading repository archives](../api/repositories.md#get-file-archive) is
available. The limit applies to the project and to the user initiating the download either through
the UI or the API.
@ -92,16 +90,12 @@ The **rate limit** is 5 requests per minute per user.
### Webhook Testing
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/commit/35bc85c3ca093fee58d60dacdc9ed1fd9a15adec) in GitLab 13.4.
There is a rate limit for [testing webhooks](../user/project/integrations/webhooks.md#test-a-webhook), which prevents abuse of the webhook functionality.
The **rate limit** is 5 requests per minute per user.
### Users sign up
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/339151) in GitLab 14.7.
There is a rate limit per IP address on the `/users/sign_up` endpoint. This is to mitigate attempts to misuse the endpoint. For example, to mass
discover usernames or email addresses in use.
@ -109,8 +103,6 @@ The **rate limit** is 20 calls per minute per IP address.
### Update username
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/339152) in GitLab 14.7.
There is a rate limit on how frequently a username can be changed. This is enforced to mitigate misuse of the feature. For example, to mass discover
which usernames are in use.
@ -118,8 +110,6 @@ The **rate limit** is 10 calls per minute per authenticated user.
### Username exists
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/29040) in GitLab 14.7.
There is a rate limit for the internal endpoint `/users/:username/exists`, used upon sign up to check if a chosen username has already been taken.
This is to mitigate the risk of misuses, such as mass discovery of usernames in use.


@ -33,8 +33,6 @@ A confirmation is displayed.
## Use a Rake task
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/52347) in GitLab 13.9.
Use the following Rake task to reset a user's password.
::Tabs


@ -44,12 +44,12 @@ Hovering over this icon tells you why the key is restricted.
By default, the GitLab.com and self-managed settings for the
[supported key types](../user/ssh.md#supported-ssh-key-types) are:
- DSA SSH keys are forbidden.
- RSA SSH keys are allowed.
- DSA SSH keys are forbidden ([since GitLab 11.0](https://about.gitlab.com/releases/2018/06/22/gitlab-11-0-released/#support-for-dsa-ssh-keys)).
- ECDSA SSH keys are allowed.
- ED25519 SSH keys are allowed.
- ECDSA_SK SSH keys are allowed (GitLab 14.8 and later).
- ED25519_SK SSH keys are allowed (GitLab 14.8 and later).
- ECDSA_SK SSH keys are allowed.
- ED25519_SK SSH keys are allowed.
## Block banned or compromised keys


@ -84,8 +84,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/24965) in GitLab 12.0, 2FA settings for a group are also applied to subgroups.
Prerequisites:
- You must have the Maintainer or Owner role for the group.
@ -159,7 +157,7 @@ when they next sign in to GitLab.
#### Administrators
In GitLab 13.5 and later, use the [Rails console](../administration/operations/rails_console.md)
It is possible to use the [Rails console](../administration/operations/rails_console.md)
to disable 2FA for a single administrator:
```ruby
@ -203,8 +201,6 @@ DETAILS:
**Tier:** Premium, Ultimate
**Offering:** Self-managed
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/270554) in GitLab 13.7.
> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/299088) from GitLab Free to GitLab Premium in 13.9.
> - It's deployed behind a feature flag, disabled by default.
> - Push notification support [introduced](https://gitlab.com/gitlab-org/gitlab-shell/-/issues/506) in GitLab 15.3.


@ -19,7 +19,6 @@ GitLab generates direct URLs for these images with a random 32-character ID to p
## Access control for uploaded files
> - Enforced authorization checks [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/80117) in GitLab 14.8 [with a flag](../administration/feature_flags.md) named `enforce_auth_checks_on_uploads`. Disabled by default.
> - Enforced authorization checks became [generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/352291) in GitLab 15.3. Feature flag `enforce_auth_checks_on_uploads` removed.
> - Project settings in the user interface [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/88567) in GitLab 15.3.


@ -111,8 +111,6 @@ rules.
## Allow outbound requests to certain IP addresses and domains
> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/44496) in GitLab 12.2.
Prerequisites:
- You must have administrator access to the instance.


@ -66,10 +66,10 @@ Prerequisites:
#### Configure network and proxy settings
For all self-managed AI features:
For self-managed instances, to enable AI-powered features:
- Your firewalls and HTTP/S proxy servers must allow outbound connections
to `cloud.gitlab.com` on port `443`.
to `cloud.gitlab.com` and `customers.gitlab.com` on port `443` both with `https://` and `wws://`.
- Both `HTTP2` and the `'upgrade'` header must be allowed, because GitLab Duo
uses both REST and WebSockets.
- To use an HTTP/S proxy, both `gitLab_workhorse` and `gitLab_rails` must have the necessary
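Review bot: The added allowlist line names the WebSocket scheme as `wws://`, which is not a valid scheme; secure WebSocket traffic uses `wss://`. An administrator who copies this text into a proxy or firewall rule would end up with a rule that never matches. Change `wws://` to `wss://` in this line, and in the identical line added under "Enable outbound connections to enable GitLab Duo features on self-managed instances" further down the page. Since the commit also adds `customers.gitlab.com` to the required outbound destinations, it would help to say which of the two hosts needs the WebSocket upgrade so that egress rules can stay as narrow as possible.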

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 16 KiB


@ -63,10 +63,10 @@ To enable Beta and Experimental AI-powered features, use the [Experiment and Bet
To enable Beta and Experimental AI-powered features for GitLab versions where GitLab Duo Chat is not yet generally available, see the [GitLab Duo Chat documentation](gitlab_duo_chat.md#for-self-managed).
### Enable outbound connections to enable GitLab Duo features on Self-managed instances
### Enable outbound connections to enable GitLab Duo features on self-managed instances
- Your firewalls and HTTP/S proxy servers must allow outbound connections
to `cloud.gitlab.com` on port `443`.
to `cloud.gitlab.com` and `customers.gitlab.com` on port `443` both with `https://` and `wws://`.
- Both `HTTP2` and the `'upgrade'` header must be allowed, because GitLab Duo
uses both REST and WebSockets.
- To use an HTTP/S proxy, both `gitLab_workhorse` and `gitLab_rails` must have the necessary


@ -234,6 +234,23 @@ curl --request PUT --header "Content-Type: application/json" --header "Authoriza
curl --request PUT --header "Content-Type: application/json" --header "Authorization: Bearer <your_access_token>" --data '{"member_role_id": null, "access_level": 10}' "https://gitlab.example.com/api/v4/groups/<group_id>/members/<user_id>"
```
## Inheritance
If a user belongs to a group, they are a _direct member_ of the group
and an [inherited member](project/members/index.md#inherited-membership)
of any subgroups or projects. If a user is assigned a custom role
by the top-level group, the permissions of the role are also inherited by subgroups
and projects.
For example, assume the following structure exists:
- Group A
- Subgroup B
- Project 1
If a custom role with Developer + `Manage CI/CD variables` permission is assigned to Group A,
the user also has `Manage CI/CD variables` permission for Subgroup B and Project 1.
## Billing and seat usage
When you enable a custom role for a user with the Guest role, that user has
@ -246,9 +263,28 @@ This does not apply when the user's custom role only has the `read_code` permiss
enabled. Guest users with that specific permission only are not considered billable users
and do not use a seat.
## Supported objects
You can assign custom roles and permissions to the following:
| Object | Version | Issue |
| ---- | ---- | ---- |
| Users | 15.9 | Released |
| Groups | Not supported | [Issue 443369](https://gitlab.com/gitlab-org/gitlab/-/issues/443369) |
| Tokens | Not supported | [Issue 434354](https://gitlab.com/gitlab-org/gitlab/-/issues/434354) |
## Supported group links
You can sync users to custom roles with following authentication providers:
- See [Configure SAML Group Links](group/saml_sso/group_sync.md#configure-saml-group-links).
- LDAP Group Links are not supported, but [issue 435229](https://gitlab.com/gitlab-org/gitlab/-/issues/435229)
proposes to change this.
## Known issues
- If a user with a custom role is shared with a group or project, their custom
role is not transferred over with them. The user has the regular Guest role in
the new group or project.
- You cannot use an [Auditor user](../administration/auditor_users.md) as a template for a custom role.
- There can be only 10 custom roles on your instance or namespace. See [issue 450929](https://gitlab.com/gitlab-org/gitlab/-/issues/450929) for more details.


@ -49,7 +49,7 @@ item in group **Settings > SAML Group Links**.
To link the SAML groups:
1. In **SAML Group Name**, enter the value of the relevant `saml:AttributeValue`. The value entered here must exactly match the value sent in the SAML response. For some IdPs, this may be a group ID or object ID (Azure AD) instead of a friendly group name.
1. Choose the role in **Access Level**.
1. Choose a [default role](../../permissions.md) or [custom role](../../custom_roles.md) in **Access Level**.
1. Select **Save**.
1. Repeat to add additional group links if required.


@ -10,8 +10,6 @@ DETAILS:
**Tier:** Premium, Ultimate
**Offering:** GitLab.com
> - Introduced in GitLab 11.0.
Users can sign in to GitLab through their SAML identity provider.
[SCIM](scim_setup.md) synchronizes users with the group on GitLab.com.
@ -258,9 +256,8 @@ After you set up your identity provider to work with GitLab, you must configure
select the role to assign to new users.
The default role is **Guest**. That role becomes the starting role of all users
added to the group:
- In [GitLab 13.3](https://gitlab.com/gitlab-org/gitlab/-/issues/214523) and
later, group Owners can set a default membership role other than **Guest**.
- In GitLab 16.7 and later, group Owners can set a [custom role](../../custom_roles.md)
- In GitLab 16.6 and earlier, group Owners can set a default membership role other than **Guest**.
as the default membership role.
1. Select the **Enable SAML authentication for this group** checkbox.
1. Optional. Select:
@ -276,8 +273,6 @@ If you are having issues configuring GitLab, see the [troubleshooting documentat
## User access and management
> - SAML user provisioning [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/268142) in GitLab 13.7.
After group SSO is configured and enabled, users can access the GitLab.com group through the identity provider's dashboard.
If [SCIM](scim_setup.md) is configured, see [user access](scim_setup.md#user-access) on the SCIM page.
@ -366,7 +361,6 @@ providers, see [set up your identity provider](#set-up-your-identity-provider).
### Configure enterprise user settings from SAML response
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/263661) in GitLab 13.7.
> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/412898) to configure only enterprise user settings in GitLab 16.7.
GitLab allows setting certain user attributes based on values from the SAML response.
@ -459,12 +453,6 @@ For example, to unlink the `MyOrg` account:
## SSO enforcement
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/5291) in GitLab 11.8.
> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/9255) in GitLab 11.11 with ongoing enforcement in the GitLab UI.
> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/292811) in GitLab 13.8, with an updated timeout experience.
> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/211962) in GitLab 13.8 with allowing group owners to not go through SSO.
> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/9152) in GitLab 13.11 with enforcing open SSO session to use Git if this setting is switched on.
> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/339888) in GitLab 14.7 to not enforce SSO checks for Git activity originating from CI/CD jobs.
> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/215155) in GitLab 15.5 [with a flag](../../../administration/feature_flags.md) named `transparent_sso_enforcement` to include transparent enforcement even when SSO enforcement is not enabled. Disabled on GitLab.com.
> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/375788) in GitLab 15.8 by enabling transparent SSO by default on GitLab.com.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/389562) in GitLab 15.10. Feature flag `transparent_sso_enforcement` removed.


@ -17,7 +17,7 @@ With group access tokens, you can use a single token to:
You can use a group access token to authenticate:
- With the [GitLab API](../../../api/rest/index.md#personalprojectgroup-access-tokens).
- In [GitLab 14.2](https://gitlab.com/gitlab-org/gitlab/-/issues/330718) and later, authenticate with Git over HTTPS.
- Authenticate with Git over HTTPS.
Use:
- Any non-blank value as a username.
@ -46,7 +46,6 @@ configured for personal access tokens.
## Create a group access token using UI
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214045) in GitLab 14.7.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/348660) in GitLab 15.3, default expiration of 30 days and default role of Guest is populated in the UI.
> - Ability to create non-expiring group access tokens [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/392855) in GitLab 16.0.
@ -74,8 +73,7 @@ A group access token is displayed. Save the group access token somewhere safe. A
## Create a group access token using Rails console
GitLab 14.6 and earlier doesn't support creating group access tokens using the UI
or API. However, administrators can use a workaround:
If you are an administrator, you can create group access tokens in the Rails console:
1. Run the following commands in a [Rails console](../../../administration/operations/rails_console.md):
@ -116,8 +114,6 @@ or API. However, administrators can use a workaround:
## Revoke a group access token using the UI
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214045) in GitLab 14.7.
To revoke a group access token:
1. On the left sidebar, select **Search or go to** and find your group.
@ -126,10 +122,8 @@ To revoke a group access token:
## Revoke a group access token using Rails console
GitLab 14.6 and earlier doesn't support revoking group access tokens using the UI
or API. However, administrators can use a workaround.
To revoke a group access token, run the following command in a [Rails console](../../../administration/operations/rails_console.md):
If you are a GitLab administrator, you can revoke a group access token.
Run this command in a [Rails console](../../../administration/operations/rails_console.md):
```ruby
bot = User.find_by(username: 'group_109_bot') # the owner of the token you want to revoke


@ -10,7 +10,9 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
You can use the integrated container registry to store container images for each GitLab project
> - Searching by image repository name was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/31322) in GitLab 13.0.
You can use the integrated container registry to store container images for each GitLab project.
To enable the container registry for your GitLab instance, see the [administrator documentation](../../../administration/packages/container_registry.md).
@ -169,3 +171,39 @@ and [Open Container Initiative (OCI)](https://github.com/opencontainers/image-sp
image formats. Additionally, the container registry [conforms to the OCI distribution specification](https://conformance.opencontainers.org/#gitlab-container-registry).
OCI support means that you can host OCI-based image formats in the registry, such as [Helm 3+ chart packages](https://helm.sh/docs/topics/registries/). There is no distinction between image formats in the GitLab [API](../../../api/container_registry.md) and the UI. [Issue 38047](https://gitlab.com/gitlab-org/gitlab/-/issues/38047) addresses this distinction, starting with Helm.
## Container image signatures
> - Container image signature display [introduced](https://gitlab.com/groups/gitlab-org/-/epics/7856) in GitLab 17.0.
In the GitLab container registry, you can use the [OCI 1.1 manifest `subject` field](https://github.com/opencontainers/image-spec/blob/v1.1.0/manifest.md)
to associate container images with [Cosign signatures](../../../ci/yaml/signing_examples.md).
You can then view signature information alongside its associated container image without having to
search for that signature's tag.
When [viewing a container image's tags](#view-the-tags-of-a-specific-container-image-in-the-container-registry), you see an icon displayed
next to each tag that has an associated signature. To see the details of the signature, select the icon.
Prerequisites:
- To sign container images, Cosign v2.0 or later.
- For self-managed GitLab instances, you need a
[GitLab container registry configured with a metadata database](../../../administration/packages/container_registry_metadata_database.md)
to display signatures.
### Sign container images with OCI referrer data
To add referrer data to signatures using Cosign, you must:
- Set the `COSIGN_EXPERIMENTAL` environment variable to `1`.
- Add `--registry-referrers-mode oci-1-1` to the signature command.
For example:
```shell
COSIGN_EXPERIMENTAL=1 cosign sign --registry-referrers-mode oci-1-1 <container image>
```
NOTE:
While the GitLab container registry supports the OCI 1.1 manifest `subject` field, it does not fully
implement the [OCI 1.1 Referrers API](https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers).


@ -11,14 +11,13 @@ DETAILS:
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
**Status:** Experiment
> - It's deployed behind a feature flag, disabled by default.
> - It's disabled for GitLab.com.
> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-the-go-proxy).
> - Introduced [with a flag](../../../administration/feature_flags.md) named `go_proxy`. Disabled by default.
WARNING:
The Go package registry for GitLab is under development and isn't ready for production use due to
limited functionality. This [epic](https://gitlab.com/groups/gitlab-org/-/epics/3043) details the remaining
work and timelines to make it production ready.
FLAG:
The availability of this feature is controlled by a feature flag.
For more information, see the history.
This feature is available for testing, but not ready for production use.
See [epic 3043](https://gitlab.com/groups/gitlab-org/-/epics/3043).
With the Go proxy for GitLab, every project in GitLab can be fetched with the
[Go proxy protocol](https://proxy.golang.org/).


@ -40,19 +40,16 @@ for the GitLab instance.
## Project members permissions
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/219299) in GitLab 14.8, personal namespace owners appear with Owner role in new projects in their namespace. Introduced [with a flag](../administration/feature_flags.md) named `personal_project_owner_with_owner_access`. Disabled by default.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/351919) in GitLab 14.9. Feature flag `personal_project_owner_with_owner_access` [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/219299).
A user's role determines what permissions they have on a project. The Owner role provides all permissions but is
available only:
- For group and project Owners. In GitLab 14.8 and earlier, the role is inherited for a group's projects.
- For group and project Owners.
- For Administrators.
Personal [namespace](namespace/index.md) owners:
- Are displayed as having the Maintainer role on projects in the namespace, but have the same permissions as a user with the Owner role.
- In GitLab 14.9 and later, for new projects in the namespace, are displayed as having the Owner role.
- For new projects in the namespace, are displayed as having the Owner role.
For more information about how to manage project members, see
[members of a project](project/members/index.md).
@ -382,7 +379,6 @@ DETAILS:
**Tier:** Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40942) in GitLab 13.4.
> - Support for inviting users with Minimal Access role [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106438) in GitLab 15.9.
Users with the Minimal Access role do not:


@ -52,15 +52,12 @@ git-credential-oauth is an open-source project supported by the community.
## Enable two-factor authentication
> - Account email confirmation requirement [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35102) in GitLab 14.3. [Deployed behind the `ensure_verified_primary_email_for_2fa` flag](../../../administration/feature_flags.md), enabled by default.
> - Account email confirmation requirement generally available and [feature flag `ensure_verified_primary_email_for_2fa` removed](https://gitlab.com/gitlab-org/gitlab/-/issues/340151) in GitLab 14.4.
You can enable 2FA using a:
- One-time password authenticator. After you enable 2FA, back up your [recovery codes](#recovery-codes).
- WebAuthn device.
In GitLab 14.3 and later, your account email must be confirmed to enable 2FA.
Your account email must be confirmed to enable 2FA.
### Enable one-time password
@ -98,12 +95,9 @@ in a safe place.
### Enable one-time password using FortiAuthenticator
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/212312) in GitLab 13.5 [with a flag](../../../administration/feature_flags.md) named `forti_authenticator`. Disabled by default.
FLAG:
On self-managed GitLab, by default this feature is not available. To make it available per user, an administrator can
[enable the feature flag](../../../administration/feature_flags.md) named `forti_authenticator`. On GitLab.com and GitLab Dedicated, this
feature is not available.
[enable the feature flag](../../../administration/feature_flags.md) named `forti_authenticator`.
On GitLab.com and GitLab Dedicated, this feature is not available.
You can use FortiAuthenticator as a one-time password (OTP) provider in GitLab. Users must:
@ -113,7 +107,7 @@ You can use FortiAuthenticator as a one-time password (OTP) provider in GitLab.
You need a username and access token for FortiAuthenticator. The `access_token` shown below is the FortAuthenticator
access key. To get the token, see the REST API Solution Guide at
[Fortinet Document Library](https://docs.fortinet.com/document/fortiauthenticator/6.2.0/rest-api-solution-guide/158294/the-fortiauthenticator-api).
GitLab 13.5 has been tested with FortAuthenticator version 6.2.0.
Tested with FortAuthenticator version 6.2.0.
Configure FortiAuthenticator in GitLab. On your GitLab server:
@ -235,12 +229,11 @@ On your GitLab server:
DETAILS:
**Offering:** Self-managed
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/212313) in GitLab 13.7 [with a flag](../../../administration/feature_flags.md) named `forti_token_cloud`. Disabled by default.
FLAG:
On self-managed GitLab, by default this feature is not available. To make it available per user, an administrator can
[enable the feature flag](../../../administration/feature_flags.md) named `forti_token_cloud`. On GitLab.com and GitLab Dedicated, this
feature is not available. This feature is not ready for production use.
[enable the feature flag](../../../administration/feature_flags.md) named `forti_token_cloud`.
On GitLab.com and GitLab Dedicated, this feature is not available.
This feature is not ready for production use.
You can use FortiToken Cloud as a one-time password (OTP) provider in GitLab. Users must:
@ -292,16 +285,8 @@ Configure FortiToken Cloud in GitLab. On your GitLab server:
### Set up a WebAuthn device
> - WebAuthn devices [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22506) in GitLab 13.4 [with a flag](../../../administration/feature_flags.md) named `webauthn`. Disabled by default.
> - WebAuthn devices [enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/232671) in GitLab 14.6.
> - Optional one-time password authentication for WebAuthn devices [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/378844) in GitLab 15.10 [with a flag](../../../administration/feature_flags.md) named `webauthn_without_topt`. [Enabled on GitLab.com and self-managed by default](https://gitlab.com/gitlab-org/gitlab/-/issues/232671).
FLAG:
On self-managed GitLab, by default, WebAuthn devices are available. To disable the feature, an administrator can
[disable the feature flag](../../../administration/feature_flags.md) named `webauthn`. If you disable the WebAuthn
feature flag after WebAuthn devices have been registered, these devices are not usable until you re-enable this feature.
On GitLab.com, WebAuthn devices are available.
FLAG:
On self-managed GitLab, by default, optional one-time password authentication for WebAuthn devices is not available. To enable the feature, an administrator can [enable the feature flag](../../../administration/feature_flags.md) named `webauthn_without_totp`.
On GitLab.com, this feature is available. On GitLab Dedicated, this feature is not available.
@ -348,8 +333,6 @@ You can lose access to your account if you clear your browser data.
## Recovery codes
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/267730) in GitLab 13.7, **Copy codes** and **Print codes** buttons.
Immediately after successfully enabling 2FA with a one-time password, you're prompted to download
a set of generated recovery codes. If you ever lose access to your one-time password authenticator, you can use one of
these recovery codes to sign in to your account.


@ -129,8 +129,6 @@ user profiles are only visible to authenticated users.
## Add details to your profile with a README
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/232157) in GitLab 14.5.
You can add more information to your profile page with a README file. When you populate
the README file with information, it's included on your profile page.
@ -194,8 +192,6 @@ To show private contributions:
## Add your gender pronouns
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/332405) in GitLab 14.0.
You can add your gender pronouns to your GitLab account to be displayed next to
your name in your profile.
@ -208,8 +204,6 @@ To specify your pronouns:
## Add your name pronunciation
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/25742) in GitLab 14.2.
You can add your name pronunciation to your GitLab account. This is displayed in your profile, below
your name.
@ -222,8 +216,6 @@ To add your name pronunciation:
## Set your current status
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/56649) in GitLab 13.10, users can schedule the clearing of their status.
You can provide a custom status message for your user profile along with an emoji that describes it.
This may be helpful when you are out of office or otherwise not available.
@ -244,11 +236,6 @@ If you select the **Busy** checkbox, remember to clear it when you become availa
## Set a busy status indicator
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/259649) in GitLab 13.6.
> - It was [deployed behind a feature flag](../feature_flags.md), disabled by default.
> - [Became enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/281073) in GitLab 13.8.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/329163) in GitLab 13.12.
To indicate to others that you are busy, you can set an indicator.
To set the busy status indicator, either:
@ -271,7 +258,6 @@ You can set your local time zone to:
- Display your local time on your profile, and in places where hovering over your name shows information about you.
- Align your contribution calendar with your local time to better reflect when your contributions were made
([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/335343) in GitLab 14.5).
To set your time zone:
@ -458,8 +444,6 @@ that require sessions to expire periodically for security or compliance purposes
### Cookies used for sign-in
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/20340) in GitLab 13.1.
When you sign in, three cookies are set:
- A session cookie called `_gitlab_session`.


@ -10,11 +10,6 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
> - Notifications for expiring tokens [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3649) in GitLab 12.6.
> - Token lifetime limits [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3649) in GitLab 12.6.
> - Additional notifications for expiring tokens [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214721) in GitLab 13.3.
> - Prefill for token name and scopes [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/334664) in GitLab 14.1.
Personal access tokens can be an alternative to [OAuth2](../../api/oauth2.md) and used to:
- Authenticate with the [GitLab API](../../api/rest/index.md#personalprojectgroup-access-tokens).
@ -129,7 +124,7 @@ To disable the enterprise users' personal access tokens:
## View the last time a token was used
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/33162) in GitLab 13.2. Token usage information is updated every 24 hours.
> - In GitLab 16.0 and earlier, token usage information is updated every 24 hours.
> - The frequency of token usage information updates [changed](https://gitlab.com/gitlab-org/gitlab/-/issues/410168) in GitLab 16.1 from 24 hours to 10 minutes.
Token usage information is updated every 10 minutes. GitLab considers a token used when the token is used to:
@ -157,11 +152,11 @@ A personal access token can perform actions based on the assigned scopes.
|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `api` | Grants complete read/write access to the API, including all groups and projects, the container registry, the dependency proxy, and the package registry. Also grants complete read/write access to the registry and repository using Git over HTTP. |
| `read_user` | Grants read-only access to the authenticated user's profile through the `/user` API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under [`/users`](../../api/users.md). |
| `read_api` | Grants read access to the API, including all groups and projects, the container registry, and the package registry. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28944) in GitLab 12.10.) |
| `read_api` | Grants read access to the API, including all groups and projects, the container registry, and the package registry. |
| `read_repository` | Grants read-only access to repositories on private projects using Git-over-HTTP or the Repository Files API. |
| `write_repository` | Grants read-write access to repositories on private projects using Git-over-HTTP (not using the API). |
| `read_registry` | Grants read-only (pull) access to [container registry](../packages/container_registry/index.md) images if a project is private and authorization is required. Available only when the container registry is enabled. |
| `write_registry` | Grants read-write (push) access to [container registry](../packages/container_registry/index.md) images if a project is private and authorization is required. Available only when the container registry is enabled. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28958) in GitLab 12.10.) |
| `write_registry` | Grants read-write (push) access to [container registry](../packages/container_registry/index.md) images if a project is private and authorization is required. Available only when the container registry is enabled. |
| `sudo` | Grants permission to perform API actions as any user in the system, when authenticated as an administrator. |
| `admin_mode` | Grants permission to perform API actions as an administrator, when Admin Mode is enabled. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107875) in GitLab 15.8.) |
| `create_runner` | Grants permission to create runners. |


@ -6,10 +6,6 @@ info: "To determine the technical writer assigned to the Stage/Group associated
# Project access tokens
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/210181) in GitLab 13.0.
> - [Became available on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/235765) in GitLab 13.5 for paid groups only.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/235765) in GitLab 13.5.
> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/342327) in GitLab 14.5. Default prefix added.
> - [Became available in trial subscriptions](https://gitlab.com/gitlab-org/gitlab/-/issues/386041) in GitLab 16.1. Default prefix added.
Project access tokens are similar to passwords, except you can [limit access to resources](#scopes-for-a-project-access-token),
@ -101,8 +97,6 @@ See the warning in [create a project access token](#create-a-project-access-toke
## Enable or disable project access token creation
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/287707) in GitLab 13.11.
To enable or disable project access token creation for all projects in a top-level group:
1. On the left sidebar, select **Search or go to** and find your group.
@ -114,9 +108,6 @@ Even when creation is disabled, you can still use and revoke existing project ac
## Bot users for projects
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/210181) in GitLab 13.0.
> - [Excluded from license seat use](https://gitlab.com/gitlab-org/gitlab/-/issues/223695) in GitLab 13.5.
Bot users for projects are [GitLab-created service accounts](../../../subscriptions/self_managed/index.md#billable-users).
Each time you create a project access token, a bot user is created and added to the project.
This user is not a billable user, so it does not count toward the license limit.


@ -46,10 +46,9 @@ To view the version of SSH installed on your system, run `ssh -V`.
To communicate with GitLab, you can use the following SSH key types:
- [ED25519](#ed25519-ssh-keys)
- [ED25519_SK](#ed25519_sk-ssh-keys) (Available in GitLab 14.8 and later.)
- [ECDSA_SK](#ecdsa_sk-ssh-keys) (Available in GitLab 14.8 and later.)
- [ED25519_SK](#ed25519_sk-ssh-keys)
- [ECDSA_SK](#ecdsa_sk-ssh-keys)
- [RSA](#rsa-ssh-keys)
- DSA ([Deprecated](https://about.gitlab.com/releases/2018/06/22/gitlab-11-0-released/#support-for-dsa-ssh-keys) in GitLab 11.0.)
- ECDSA (As noted in [Practical Cryptography With Go](https://leanpub.com/gocrypto/read#leanpub-auto-ecdsa), the security issues related to DSA also apply to ECDSA.)
Administrators can [restrict which keys are permitted and their minimum lengths](../security/ssh_keys_restrictions.md).
@ -64,15 +63,11 @@ operating systems.
### ED25519_SK SSH keys
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78934) in GitLab 14.8.
To use ED25519_SK SSH keys on GitLab, your local client and GitLab server
must have [OpenSSH 8.2](https://www.openssh.com/releasenotes.html#8.2) or later installed.
### ECDSA_SK SSH keys
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78934) in GitLab 14.8.
To use ECDSA_SK SSH keys on GitLab, your local client and GitLab server
must have [OpenSSH 8.2](https://www.openssh.com/releasenotes.html#8.2) or later installed.
@ -344,12 +339,10 @@ To use SSH with GitLab, copy your public key to your GitLab account:
`Home Workstation`.
1. Optional. Select the **Usage type** of the key. It can be used either for `Authentication` or `Signing` or both. `Authentication & Signing` is the default value.
1. Optional. Update **Expiration date** to modify the default expiration date.
In:
- GitLab 13.12 and earlier, the expiration date is informational only. It doesn't prevent
you from using the key. Administrators can view expiration dates and use them for
- Administrators can view expiration dates and use them for
guidance when [deleting keys](../administration/credentials_inventory.md#delete-a-users-ssh-key).
- GitLab checks all SSH keys at 02:00 AM UTC every day. It emails an expiration notice for all SSH keys that expire on the current date. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/322637) in GitLab 13.11.)
- GitLab checks all SSH keys at 01:00 AM UTC every day. It emails an expiration notice for all SSH keys that are scheduled to expire seven days from now. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/322637) in GitLab 13.11.)
- GitLab checks all SSH keys at 01:00 AM UTC every day. It emails an expiration notice for all SSH keys that are scheduled to expire seven days from now.
- GitLab checks all SSH keys at 02:00 AM UTC every day. It emails an expiration notice for all SSH keys that expire on the current date.
1. Select **Add key**.
## Verify that you can connect


@ -7,6 +7,8 @@ module Keeps
Error = Class.new(StandardError)
def group_for_feature_category(category)
return unless category
groups.find do |_, group|
group['categories'].present? && group['categories'].include?(category)
end&.last
@ -19,13 +21,32 @@ module Keeps
end
def pick_reviewer(group, identifiers)
return unless group
return if group['backend_engineers'].empty?
# Use the change identifiers as a stable way to pick the same reviewer. Otherwise we'd assign a new reviewer
# every time we re-ran housekeeper.
random_engineer = Digest::SHA256.hexdigest(identifiers.join).to_i(16) % group['backend_engineers'].size
group['backend_engineers'][random_engineer]
end
def pick_reviewer_for_feature_category(category, identifiers, fallback_feature_category: nil)
pick_reviewer(
group_for_feature_category(category),
identifiers
) || pick_reviewer(
group_for_feature_category(fallback_feature_category),
identifiers
)
end
def labels_for_feature_category(category)
Array(
group_for_feature_category(category)&.dig('label')
)
end
private
def groups
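Review bot: In `pick_reviewer`, the new guard `return if group['backend_engineers'].empty?` still raises NoMethodError for a group entry that has no `backend_engineers` key, which would break the nil-safe fallback chain that `pick_reviewer_for_feature_category` builds on top of it. The groups data is loaded outside this hunk, so whether every entry carries that key cannot be confirmed here. `return if group['backend_engineers'].blank?` would cover both the missing and the empty case, and it matches the `present?` check already used in `group_for_feature_category`. The body of `groups` continues outside the hunk.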


@ -3,6 +3,7 @@
require_relative '../config/environment'
require_relative '../lib/generators/post_deployment_migration/post_deployment_migration_generator'
require_relative './helpers/postgres_ai'
require_relative 'helpers/groups'
require 'rubocop'
module Keeps
@ -30,48 +31,18 @@ module Keeps
next unless before_cuttoff_milestone?(migration['milestone'])
job_name = migration['migration_job_name']
next if migration_finalized?(job_name)
migration_record = fetch_migration_status(job_name)
next unless migration_record
# Finalize the migration
change = ::Gitlab::Housekeeper::Change.new
change.title = "Finalize migration #{job_name}"
change.identifiers = [self.class.name.demodulize, job_name]
last_migration_file = last_migration_for_job(job_name)
next unless last_migration_file
# rubocop:disable Gitlab/DocUrl -- Not running inside rails application
change.description = <<~MARKDOWN
This migration was finished at `#{migration_record.finished_at || migration_record.updated_at}`, you can confirm
the status using our
[batched background migration chatops commands](https://docs.gitlab.com/ee/development/database/batched_background_migrations.html#monitor-the-progress-and-status-of-a-batched-background-migration).
To confirm it is finished you can run:
```
/chatops run batched_background_migrations status #{migration_record.id}
```
The last time this background migration was triggered was in [#{last_migration_file}](https://gitlab.com/gitlab-org/gitlab/-/blob/master/#{last_migration_file})
You can read more about the process for finalizing batched background migrations in
https://docs.gitlab.com/ee/development/database/batched_background_migrations.html .
As part of our process we want to ensure all batched background migrations have had at least one
[required stop](https://docs.gitlab.com/ee/development/database/required_stops.html)
to process the migration. Therefore we can finalize any batched background migration that was added before the
last required stop.
MARKDOWN
# rubocop:enable Gitlab/DocUrl
change = initialize_change(migration, migration_record, job_name, last_migration_file)
queue_method_node = find_queue_method_node(last_migration_file)
# TODO: Can runner figure out what changed during this block?
migration_name = truncate_migration_name("Finalize#{migration['migration_job_name']}")
PostDeploymentMigration::PostDeploymentMigrationGenerator
.source_root('generator_templates/post_deployment_migration/post_deployment_migration/')
@ -95,6 +66,47 @@ module Keeps
end
end
def initialize_change(migration, migration_record, job_name, last_migration_file)
# Finalize the migration
change = ::Gitlab::Housekeeper::Change.new
change.title = "Finalize migration #{job_name}"
change.identifiers = [self.class.name.demodulize, job_name]
# rubocop:disable Gitlab/DocUrl -- Not running inside rails application
change.description = <<~MARKDOWN
This migration was finished at `#{migration_record.finished_at || migration_record.updated_at}`, you can confirm
the status using our
[batched background migration chatops commands](https://docs.gitlab.com/ee/development/database/batched_background_migrations.html#monitor-the-progress-and-status-of-a-batched-background-migration).
To confirm it is finished you can run:
```
/chatops run batched_background_migrations status #{migration_record.id}
```
The last time this background migration was triggered was in [#{last_migration_file}](https://gitlab.com/gitlab-org/gitlab/-/blob/master/#{last_migration_file})
You can read more about the process for finalizing batched background migrations in
https://docs.gitlab.com/ee/development/database/batched_background_migrations.html .
As part of our process we want to ensure all batched background migrations have had at least one
[required stop](https://docs.gitlab.com/ee/development/database/required_stops.html)
to process the migration. Therefore we can finalize any batched background migration that was added before the
last required stop.
MARKDOWN
# rubocop:enable Gitlab/DocUrl
feature_category = migration['feature_category']
change.labels = groups_helper.labels_for_feature_category(feature_category) + [
'maintenance::removal'
]
change.reviewers = groups_helper.pick_reviewer_for_feature_category(feature_category, change.identifiers)
change
end
def truncate_migration_name(migration_name)
# File names not allowed to exceed 100 chars due to Cop/FilenameLength so we truncate to 70 because there will be
# underscores added.
@ -218,5 +230,9 @@ module Keeps
def all_batched_background_migration_files
Dir.glob("db/docs/batched_background_migrations/*.yml")
end
def groups_helper
@groups_helper ||= ::Keeps::Helpers::Groups.new
end
end
end
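Review bot: `initialize_change` sets `change.reviewers` from `pick_reviewer_for_feature_category` without a `fallback_feature_category`, so a migration whose `feature_category` is missing, or maps to a group with no backend engineers, ends up with `nil` reviewers. RemoveDuplicatedIndexes in this same commit passes a `'database'` fallback. Doing the same here, `groups_helper.pick_reviewer_for_feature_category(feature_category, change.identifiers, fallback_feature_category: 'database')`, would keep generated finalize-migration changes from being opened with no reviewer assigned. Whether the change object tolerates `nil` or a bare string for `reviewers` rather than an array is not visible in this section and is worth confirming.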


@ -23,9 +23,9 @@ module Keeps
# ```
class RemoveDuplicatedIndexes < ::Gitlab::Housekeeper::Keep
MIGRATION_TEMPLATE = 'generator_templates/active_record/migration/'
DEFAULT_REVIEWER_GROUP = 'database'
FALLBACK_REVIEWER_FEATURE_CATEGORY = 'database'
def initialize
def initialize(...)
::Gitlab::Application.load_tasks
::ActiveRecord::Generators::MigrationGenerator.source_root(MIGRATION_TEMPLATE)
@ -162,19 +162,16 @@ module Keeps
table_info = Gitlab::Database::Dictionary.entries.find_by_table_name(table_name)
table_info.feature_categories.map do |feature_category|
group = groups_helper.group_for_feature_category(feature_category)
group = groups_helper.group_for_feature_category(DEFAULT_REVIEWER_GROUP) if group['backend_engineers'].empty?
groups_helper.pick_reviewer(group, identifiers)
groups_helper.pick_reviewer_for_feature_category(feature_category, identifiers,
fallback_feature_category: FALLBACK_REVIEWER_FEATURE_CATEGORY)
end
end
def labels(table_name)
table_info = Gitlab::Database::Dictionary.entries.find_by_table_name(table_name)
group_labels = table_info.feature_categories.map do |feature_category|
groups_helper.group_for_feature_category(feature_category)['label']
group_labels = table_info.feature_categories.flat_map do |feature_category|
groups_helper.labels_for_feature_category(feature_category)
end
group_labels + %w[maintenance::scalability type::maintenance Category:Database]
@ -188,11 +185,11 @@ module Keeps
def reset_db
ApplicationRecord.clear_all_connections!
::Gitlab::Housekeeper::Shell.execute({ 'RAILS_ENV' => 'test' }, 'rails', 'db:reset')
::Gitlab::Housekeeper::Shell.execute('rails', 'db:reset', env: { 'RAILS_ENV' => 'test' })
end
def migrate
::Gitlab::Housekeeper::Shell.execute({ 'RAILS_ENV' => 'test' }, 'rails', 'db:migrate')
::Gitlab::Housekeeper::Shell.execute('rails', 'db:migrate', env: { 'RAILS_ENV' => 'test' })
end
def groups_helper
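Review bot: The `reviewers` block can now yield `nil` entries, because `pick_reviewer_for_feature_category` returns `nil` when neither the feature category nor the `'database'` fallback resolves to a group with backend engineers, and `map` keeps those. Using `table_info.feature_categories.filter_map do |feature_category|` would drop them before the list reaches the change. Separately, `def initialize(...)` now accepts arguments, but the visible body does not show them being forwarded with `super(...)`; the method continues outside the hunk, so this may already be handled.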


@ -384,10 +384,14 @@ module API
authorize! :admin_group, user_group
end
def authorize_admin_member_role!
def authorize_admin_member_role_on_group!
authorize! :admin_member_role, user_group
end
def authorize_admin_member_role_on_instance!
authorize! :admin_member_role
end
def authorize_read_builds!
authorize! :read_build, user_project
end
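Review bot: `authorize_admin_member_role_on_instance!` calls `authorize! :admin_member_role` with no subject, and nothing next to it says what the check is evaluated against. `authorize!` is defined outside this hunk, so presumably the missing subject means an instance-wide check. A comment above the method such as `# Instance-level check: no group subject is passed, so this must not guard group-scoped endpoints` would make the difference from `authorize_admin_member_role_on_group!` explicit. It is also worth confirming that no caller of the removed `authorize_admin_member_role!` name remains, since the rename is not aliased.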


@ -24,8 +24,22 @@ module Gitlab
def initialize(
project:, sha:, custom_content: nil, pipeline_source: nil, pipeline_source_bridge: nil,
triggered_for_branch: nil, ref: nil)
@config = find_config(project, sha, custom_content, pipeline_source, pipeline_source_bridge,
triggered_for_branch, ref)
@config = nil
sources.each do |source|
source_config = source.new(project: project,
sha: sha,
custom_content: custom_content,
pipeline_source: pipeline_source,
pipeline_source_bridge: pipeline_source_bridge,
triggered_for_branch: triggered_for_branch,
ref: ref)
if source_config.exists?
@config = source_config
break
end
end
end
delegate :content, :source, :url, to: :@config, allow_nil: true
@ -37,16 +51,6 @@ module Gitlab
private
def find_config(project, sha, custom_content, pipeline_source, pipeline_source_bridge, triggered_for_branch, ref)
sources.each do |source|
config = source.new(project, sha, custom_content, pipeline_source, pipeline_source_bridge,
triggered_for_branch, ref)
return config if config.exists?
end
nil
end
def sources
SOURCES
end
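Review bot: The constructor now carries the source lookup inline as `@config = nil`, an `each` with a seven-keyword `source.new` call, and a `break`, which is harder to scan than the `find_config` helper it replaces. The same first-match behaviour can be written as a lazy `map` followed by `find(&:exists?)`, which still stops instantiating sources after the first one that exists and leaves `@config` as `nil` when none does. The fence shows only the rewritten body of `initialize`.

```ruby
# … unchanged: initialize signature with keyword arguments …
source_args = {
  project: project, sha: sha, custom_content: custom_content,
  pipeline_source: pipeline_source, pipeline_source_bridge: pipeline_source_bridge,
  triggered_for_branch: triggered_for_branch, ref: ref
}

# lazy keeps the short-circuit: sources after the first existing one are never built
@config = sources.lazy.map { |source| source.new(**source_args) }.find(&:exists?)
```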


@ -7,8 +7,8 @@ module Gitlab
include Gitlab::Utils::StrongMemoize
def initialize(
project, sha, custom_content, pipeline_source, pipeline_source_bridge,
triggered_for_branch = false, ref = nil)
project:, sha:, custom_content: nil, pipeline_source: nil, pipeline_source_bridge: nil,
triggered_for_branch: false, ref: nil)
@project = project
@sha = sha
@custom_content = custom_content
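Review bot: The keyword default `triggered_for_branch: false` here differs from the `triggered_for_branch: nil` default of the constructor changed earlier in this commit (the one that iterates `sources`). That constructor always passes its own value through, so sources built on that path receive `nil` and this default is never applied. Both values are falsy, but aligning the two defaults avoids a reader assuming the attribute is a strict boolean. `project:` and `sha:` are now required keywords, so any subclass or caller still using the positional form would raise ArgumentError; those call sites are outside this section. The body of `initialize` continues past the hunk.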


@ -2,7 +2,7 @@
require 'spec_helper'
RSpec.describe Groups::DependencyProxyAuthController do
RSpec.describe Groups::DependencyProxyAuthController, feature_category: :container_registry do
include DependencyProxyHelpers
describe 'GET #authenticate' do
@ -33,21 +33,57 @@ RSpec.describe Groups::DependencyProxyAuthController do
end
context 'group bot user' do
let_it_be(:user) { create(:user, :project_bot) }
context 'with packages_dependency_proxy_pass_token_to_policy disabled' do
let_it_be(:user) { create(:user, :project_bot) }
it { is_expected.to have_gitlab_http_status(:success) }
before do
stub_feature_flags(packages_dependency_proxy_pass_token_to_policy: false)
end
it { is_expected.to have_gitlab_http_status(:success) }
end
context 'with packages_dependency_proxy_pass_token_to_policy enabled' do
let_it_be(:bot_user) { create(:user, :project_bot) }
let_it_be(:user) { create(:personal_access_token, user: bot_user) }
it { is_expected.to have_gitlab_http_status(:success) }
end
end
context 'service account user' do
let_it_be(:user) { create(:user, :service_account) }
context 'with packages_dependency_proxy_pass_token_to_policy disabled' do
let_it_be(:user) { create(:user, :service_account) }
it { is_expected.to have_gitlab_http_status(:success) }
before do
stub_feature_flags(packages_dependency_proxy_pass_token_to_policy: false)
end
it { is_expected.to have_gitlab_http_status(:success) }
end
context 'with packages_dependency_proxy_pass_token_to_policy enabled' do
let_it_be(:service_account_user) { create(:user, :service_account) }
let_it_be(:user) { create(:personal_access_token, user: service_account_user) }
it { is_expected.to have_gitlab_http_status(:success) }
end
end
context 'deploy token' do
let_it_be(:user) { create(:deploy_token) }
it { is_expected.to have_gitlab_http_status(:success) }
context 'with packages_dependency_proxy_pass_token_to_policy disabled' do
before do
stub_feature_flags(packages_dependency_proxy_pass_token_to_policy: false)
end
it { is_expected.to have_gitlab_http_status(:success) }
end
context 'with packages_dependency_proxy_pass_token_to_policy enabled' do
it { is_expected.to have_gitlab_http_status(:success) }
end
end
end
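Review bot: In the group bot and service account `enabled` contexts, `let_it_be(:user)` is bound to a personal access token (`create(:personal_access_token, user: bot_user)`) rather than a user, which makes the shared request setup misleading to read. The JWT construction is outside this section, so presumably it is built from `user`. A comment such as `# with the flag enabled the JWT is built from the token itself, so the policy can evaluate it`, or a dedicated `token` let, would make that explicit. The enabled contexts also assert only `:success`; a negative example per token type would show that the policy actually evaluates the token under `packages_dependency_proxy_pass_token_to_policy`.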


@ -62,6 +62,8 @@ RSpec.describe Groups::DependencyProxyForContainersController, feature_category:
context 'with invalid group access token' do
let_it_be(:user) { create(:user, :project_bot) }
let_it_be(:token) { create(:personal_access_token, user: user, scopes: [Gitlab::Auth::READ_API_SCOPE]) }
let_it_be(:jwt) { build_jwt(token) }
context 'not under the group' do
it { is_expected.to have_gitlab_http_status(:not_found) }
@ -82,8 +84,6 @@ RSpec.describe Groups::DependencyProxyForContainersController, feature_category:
end
context 'with insufficient scopes' do
let_it_be(:pat) { create(:personal_access_token, user: user, scopes: [Gitlab::Auth::READ_API_SCOPE]) }
it { is_expected.to have_gitlab_http_status(:not_found) }
context 'packages_dependency_proxy_containers_scope_check disabled' do
@ -193,7 +193,19 @@ RSpec.describe Groups::DependencyProxyForContainersController, feature_category:
token.update_column(:scopes, Gitlab::Auth::REGISTRY_SCOPES)
end
it_behaves_like 'sends Workhorse instructions'
context 'with packages_dependency_proxy_pass_token_to_policy disabled' do
before do
stub_feature_flags(packages_dependency_proxy_pass_token_to_policy: false)
end
it_behaves_like 'sends Workhorse instructions'
end
context 'with packages_dependency_proxy_pass_token_to_policy enabled' do
let_it_be(:jwt) { build_jwt(token) }
it_behaves_like 'sends Workhorse instructions'
end
end
context 'with a deploy token' do
@ -293,6 +305,15 @@ RSpec.describe Groups::DependencyProxyForContainersController, feature_category:
it_behaves_like 'a successful manifest pull'
it_behaves_like 'a package tracking event', described_class.name, 'pull_manifest', false
context 'when packages_dependency_proxy_pass_token_to_policy is disabled' do
before do
stub_feature_flags(packages_dependency_proxy_containers_scope_check: false)
end
it_behaves_like 'a successful manifest pull'
it_behaves_like 'a package tracking event', described_class.name, 'pull_manifest', false
end
context 'with workhorse response' do
let(:pull_response) { { status: :success, manifest: nil, from_cache: false } }
@ -324,6 +345,14 @@ RSpec.describe Groups::DependencyProxyForContainersController, feature_category:
it_behaves_like 'a successful manifest pull'
context 'when packages_dependency_proxy_pass_token_to_policy is disabled' do
before do
stub_feature_flags(packages_dependency_proxy_containers_scope_check: false)
end
it_behaves_like 'a successful manifest pull'
end
context 'pulling from a subgroup' do
let_it_be_with_reload(:parent_group) { create(:group) }
let_it_be_with_reload(:group) { create(:group, parent: parent_group) }
@ -344,8 +373,21 @@ RSpec.describe Groups::DependencyProxyForContainersController, feature_category:
group.add_guest(user)
end
it_behaves_like 'a successful manifest pull'
it_behaves_like 'a package tracking event', described_class.name, 'pull_manifest', false
context 'when packages_dependency_proxy_pass_token_to_policy is disabled' do
before do
stub_feature_flags(packages_dependency_proxy_pass_token_to_policy: false)
end
it_behaves_like 'a successful manifest pull'
it_behaves_like 'a package tracking event', described_class.name, 'pull_manifest', false
end
context 'when packages_dependency_proxy_pass_token_to_policy is enabled' do
let_it_be(:jwt) { build_jwt(token) }
it_behaves_like 'a successful manifest pull'
it_behaves_like 'a package tracking event', described_class.name, 'pull_manifest', false
end
end
end
@ -367,6 +409,14 @@ RSpec.describe Groups::DependencyProxyForContainersController, feature_category:
it_behaves_like 'without a token'
it_behaves_like 'without permission'
context 'when packages_dependency_proxy_pass_token_to_policy is disabled' do
before do
stub_feature_flags(packages_dependency_proxy_containers_scope_check: false)
end
it { is_expected.to have_gitlab_http_status(:not_found) }
end
context 'a valid user' do
before do
group.add_guest(user)
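Review bot: Three of the added contexts are titled 'when packages_dependency_proxy_pass_token_to_policy is disabled' but stub a different flag, `stub_feature_flags(packages_dependency_proxy_containers_scope_check: false)` (hunks at -293, -324 and -367). The examples inside them therefore run with pass_token_to_policy in its default test state, and the flag-off path for manifest pulls and for the not_found case is not exercised. Judging by its name, this flag decides whether the token is handed to the authorization policy, so the legacy path should stay pinned while the flag exists: `stub_feature_flags(packages_dependency_proxy_pass_token_to_policy: false)`, as the hunks at -193 and -344 already do. If the scope-check flag was intended, the context titles should name it instead. The enclosing describe blocks start and end outside these hunks.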


@ -72,6 +72,13 @@ RSpec.describe 'Group Packages', feature_category: :package_registry do
let(:packages) { [npm_package, maven_package] }
end
end
context 'filtering' do
it_behaves_like 'shared package filtering' do
let_it_be(:package_one) { maven_package }
let_it_be(:package_two) { npm_package }
end
end
end
it_behaves_like 'when there are no packages'


@ -62,6 +62,13 @@ RSpec.describe 'Packages', feature_category: :package_registry do
let_it_be(:package_one) { maven_package }
let_it_be(:package_two) { npm_package }
end
context 'filtering' do
it_behaves_like 'shared package filtering' do
let_it_be(:package_one) { maven_package }
let_it_be(:package_two) { npm_package }
end
end
end
it_behaves_like 'when there are no packages'


@ -20,9 +20,8 @@ describe('Registry Search', () => {
};
const defaultQueryChangedPayload = {
foo: '',
orderBy: 'name',
search: [],
search: null,
sort: 'asc',
after: null,
before: null,
@ -47,7 +46,7 @@ describe('Registry Search', () => {
expect(findFilteredSearch().props()).toMatchObject({
value: [],
placeholder: 'Filter results',
availableTokens: wrapper.vm.tokens,
availableTokens: defaultProps.tokens,
});
});
@ -76,12 +75,6 @@ describe('Registry Search', () => {
expect(wrapper.emitted('filter:submit')).toEqual([[]]);
expect(wrapper.emitted('query:changed')).toEqual([[defaultQueryChangedPayload]]);
});
it('binds tokens prop', () => {
mountComponent();
expect(findFilteredSearch().props('availableTokens')).toEqual(defaultProps.tokens);
});
});
describe('sorting', () => {


@ -16,6 +16,17 @@ RSpec.describe Keeps::Helpers::Groups, feature_category: :tooling do
'slack_channel' => 'g_tenant_scale',
'backend_engineers' => %w[be1 be2 be3 be4 be5],
'triage_ops_config' => nil
},
'group_b' => {
'name' => 'Group B',
'section' => 'core_platform',
'stage' => 'data_stores',
'categories' => %w[category_b],
'label' => 'group::group b',
'extra_labels' => [],
'slack_channel' => 'g_group_b',
'backend_engineers' => %w[],
'triage_ops_config' => nil
}
}
end
@ -37,6 +48,12 @@ RSpec.describe Keeps::Helpers::Groups, feature_category: :tooling do
it { is_expected.to eq(nil) }
end
context 'when given nil' do
let(:category) { nil }
it { is_expected.to eq(nil) }
end
context 'when the request to fetch groups fails' do
before do
stub_request(:get, "https://about.gitlab.com/groups.json").to_return(status: 404, body: '')
@ -56,5 +73,58 @@ RSpec.describe Keeps::Helpers::Groups, feature_category: :tooling do
subject { described_class.new.pick_reviewer(group, identifiers) }
it { is_expected.to eq(group['backend_engineers'][expected_index]) }
context 'when given nil' do
let(:group) { nil }
it { is_expected.to eq(nil) }
end
end
describe '#pick_reviewer_for_feature_category' do
let(:group) { groups['tenant_scale'] }
let(:identifiers) { %w[example identifier] }
let(:expected_index) { Digest::SHA256.hexdigest(identifiers.join).to_i(16) % group['backend_engineers'].size }
let(:category) { 'organization' }
let(:fallback_feature_category) { nil }
subject(:reviewer) do
described_class.new.pick_reviewer_for_feature_category(category, identifiers,
fallback_feature_category: fallback_feature_category)
end
it 'finds a matching group and picks a reviewer from the group owning that feature category' do
expect(reviewer).to eq(group['backend_engineers'][expected_index])
end
context 'when the matching group does not have backend_engineers' do
let(:category) { 'category_b' }
it { is_expected.to eq(nil) }
context 'when a fallback_feature_category is passed' do
let(:fallback_feature_category) { 'organization' }
it 'returns a reviewer from that fallback_feature_category' do
expect(reviewer).to eq(group['backend_engineers'][expected_index])
end
end
end
end
describe '#labels_for_feature_category' do
let(:category) { 'organization' }
subject(:labels) { described_class.new.labels_for_feature_category(category) }
it 'returns the group label for the matching group' do
expect(labels).to eq(['group::tenant scale'])
end
context 'when there is no matching group' do
let(:category) { 'not_a_category' }
it { is_expected.to eq([]) }
end
end
end
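Review bot: The new `#pick_reviewer_for_feature_category` examples never pass a category that matches no group, although `#labels_for_feature_category` right after it covers that case with 'not_a_category'. An extra context with `let(:category) { 'not_a_category' }` and `it { is_expected.to be_nil }` would pin the unknown-category path with a nil fallback. The expected nil is inferred from the 'when given nil' examples added for the other methods, so confirm it against the helper. The existing `eq(nil)` matchers in this file could also read `be_nil`, which is the usual RSpec form.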


@ -8,8 +8,7 @@ RSpec.describe Gitlab::Ci::ProjectConfig::Repository, feature_category: :continu
let(:files) { { 'README.md' => 'hello' } }
subject(:config) do
described_class.new(project, sha, nil, nil, nil,
nil)
described_class.new(project: project, sha: sha)
end
describe '#content' do


@ -7,7 +7,7 @@ RSpec.describe Gitlab::Ci::ProjectConfig::Source, feature_category: :continuous_
let_it_be(:project) { build_stubbed(:project) }
let_it_be(:sha) { '123456' }
subject(:custom_config) { custom_config_class.new(project, sha, nil, nil, nil) }
subject(:custom_config) { custom_config_class.new(project: project, sha: sha) }
describe '#content' do
subject(:content) { custom_config.content }
