Add latest changes from gitlab-org/gitlab@master

.rubocop_todo/rspec/be_eq.yml

@@ -295,7 +295,6 @@ RSpec/BeEq:
     - 'ee/spec/models/scoped_label_set_spec.rb'
     - 'ee/spec/models/search/zoekt/node_spec.rb'
     - 'ee/spec/models/search/zoekt/task_spec.rb'
-    - 'ee/spec/models/search/zoekt_spec.rb'
     - 'ee/spec/models/security/orchestration_policy_configuration_spec.rb'
     - 'ee/spec/models/security/orchestration_policy_rule_schedule_spec.rb'
     - 'ee/spec/models/security/scan_result_policy_read_spec.rb'

GITALY_SERVER_VERSION

@@ -1 +1 @@
-166c17ea4189930bc910ee6b5a932640a344fe1a
+e700b8a008da9662f0620289f2a52018869a7260

Gemfile

@@ -63,7 +63,7 @@ gem 'responders', '~> 3.0' # rubocop:todo Gemfile/MissingFeatureCategory
 gem 'sprockets', '~> 3.7.0' # rubocop:todo Gemfile/MissingFeatureCategory
 gem 'sprockets-rails', '~>  3.5.1' # rubocop:todo Gemfile/MissingFeatureCategory
 
-gem 'view_component', '~> 3.20.0' # rubocop:todo Gemfile/MissingFeatureCategory
+gem 'view_component', '~> 3.21.0' # rubocop:todo Gemfile/MissingFeatureCategory
 
 # Supported DBs
 gem 'pg', '~> 1.5.6', feature_category: :database

Gemfile.checksum

@@ -763,7 +763,7 @@
 {"name":"validates_hostname","version":"1.0.13","platform":"ruby","checksum":"eac40178cc0b4f727df9cc6a5cb5bc2550718ad8d9bb3728df9aba6354bdda19"},
 {"name":"version_gem","version":"1.1.0","platform":"ruby","checksum":"6b009518020db57f51ec7b410213fae2bf692baea9f1b51770db97fbc93d9a80"},
 {"name":"version_sorter","version":"2.3.0","platform":"ruby","checksum":"2147f2a1a3804fbb8f60d268b7d7c1ec717e6dd727ffe2c165b4e05e82efe1da"},
-{"name":"view_component","version":"3.20.0","platform":"ruby","checksum":"ac3192b80c2936521e5e60e585960942f40f745cf0a78d037bf6d36e703e228b"},
+{"name":"view_component","version":"3.21.0","platform":"ruby","checksum":"7f5a77bca29e7385495fad2b7c1acdcd2c581b3cd2e573a831a9808f6710df5c"},
 {"name":"virtus","version":"2.0.0","platform":"ruby","checksum":"8841dae4eb7fcc097320ba5ea516bf1839e5d056c61ee27138aa4bddd6e3d1c2"},
 {"name":"vite_rails","version":"3.0.17","platform":"ruby","checksum":"b90e85a3e55802981cbdb43a4101d944b1e7055bfe85599d9cb7de0f1ea58bcc"},
 {"name":"vite_ruby","version":"3.8.2","platform":"ruby","checksum":"f3f1460d5b61d20be76270ceb61f1cde32f6d22ec954933a1391f742605690b9"},

Gemfile.lock

@@ -1918,7 +1918,7 @@ GEM
       activesupport (>= 3.0)
     version_gem (1.1.0)
     version_sorter (2.3.0)
-    view_component (3.20.0)
+    view_component (3.21.0)
       activesupport (>= 5.2.0, < 8.1)
       concurrent-ruby (~> 1.0)
       method_source (~> 1.0)
@@ -2337,7 +2337,7 @@ DEPENDENCIES
   valid_email (~> 0.1)
   validates_hostname (~> 1.0.13)
   version_sorter (~> 2.3)
-  view_component (~> 3.20.0)
+  view_component (~> 3.21.0)
   vite_rails (~> 3.0.17)
   vite_ruby (~> 3.8.0)
   vmstat (~> 2.3.0)

Gemfile.next.checksum

@@ -776,7 +776,7 @@
 {"name":"validates_hostname","version":"1.0.13","platform":"ruby","checksum":"eac40178cc0b4f727df9cc6a5cb5bc2550718ad8d9bb3728df9aba6354bdda19"},
 {"name":"version_gem","version":"1.1.0","platform":"ruby","checksum":"6b009518020db57f51ec7b410213fae2bf692baea9f1b51770db97fbc93d9a80"},
 {"name":"version_sorter","version":"2.3.0","platform":"ruby","checksum":"2147f2a1a3804fbb8f60d268b7d7c1ec717e6dd727ffe2c165b4e05e82efe1da"},
-{"name":"view_component","version":"3.20.0","platform":"ruby","checksum":"ac3192b80c2936521e5e60e585960942f40f745cf0a78d037bf6d36e703e228b"},
+{"name":"view_component","version":"3.21.0","platform":"ruby","checksum":"7f5a77bca29e7385495fad2b7c1acdcd2c581b3cd2e573a831a9808f6710df5c"},
 {"name":"virtus","version":"2.0.0","platform":"ruby","checksum":"8841dae4eb7fcc097320ba5ea516bf1839e5d056c61ee27138aa4bddd6e3d1c2"},
 {"name":"vite_rails","version":"3.0.17","platform":"ruby","checksum":"b90e85a3e55802981cbdb43a4101d944b1e7055bfe85599d9cb7de0f1ea58bcc"},
 {"name":"vite_ruby","version":"3.8.2","platform":"ruby","checksum":"f3f1460d5b61d20be76270ceb61f1cde32f6d22ec954933a1391f742605690b9"},
@@ -788,8 +788,8 @@
 {"name":"webmock","version":"3.24.0","platform":"ruby","checksum":"be01357f6fc773606337ca79f3ba332b7d52cbe5c27587671abc0572dbec7122"},
 {"name":"webrick","version":"1.8.2","platform":"ruby","checksum":"431746a349199546ff9dd272cae10849c865f938216e41c402a6489248f12f21"},
 {"name":"websocket","version":"1.2.10","platform":"ruby","checksum":"2cc1a4a79b6e63637b326b4273e46adcddf7871caa5dc5711f2ca4061a629fa8"},
-{"name":"websocket-driver","version":"0.7.6","platform":"java","checksum":"bc894b9e9d5aee55ac04b61003e1957c4ef411a5a048199587d0499785b505c3"},
-{"name":"websocket-driver","version":"0.7.6","platform":"ruby","checksum":"f69400be7bc197879726ad8e6f5869a61823147372fd8928836a53c2c741d0db"},
+{"name":"websocket-driver","version":"0.7.7","platform":"java","checksum":"e2520a6049feb88691e042d631063fa96d50620fb7f53b30180ae6fb2cf75eb1"},
+{"name":"websocket-driver","version":"0.7.7","platform":"ruby","checksum":"056d99f2cd545712cfb1291650fde7478e4f2661dc1db6a0fa3b966231a146b4"},
 {"name":"websocket-extensions","version":"0.1.5","platform":"ruby","checksum":"1c6ba63092cda343eb53fc657110c71c754c56484aad42578495227d717a8241"},
 {"name":"wikicloth","version":"0.8.1","platform":"ruby","checksum":"7ac8a9ca0a948cf472851e521afc6c2a6b04a8f91ef1d824ba6a61ffbd60e6ca"},
 {"name":"wisper","version":"2.0.1","platform":"ruby","checksum":"ce17bc5c3a166f241a2e6613848b025c8146fce2defba505920c1d1f3f88fae6"},

Gemfile.next.lock

@@ -1950,7 +1950,7 @@ GEM
       activesupport (>= 3.0)
     version_gem (1.1.0)
     version_sorter (2.3.0)
-    view_component (3.20.0)
+    view_component (3.21.0)
       activesupport (>= 5.2.0, < 8.1)
       concurrent-ruby (~> 1.0)
       method_source (~> 1.0)
@@ -1988,7 +1988,8 @@ GEM
       hashdiff (>= 0.4.0, < 2.0.0)
     webrick (1.8.2)
     websocket (1.2.10)
-    websocket-driver (0.7.6)
+    websocket-driver (0.7.7)
+      base64
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     wikicloth (0.8.1)
@@ -2369,7 +2370,7 @@ DEPENDENCIES
   valid_email (~> 0.1)
   validates_hostname (~> 1.0.13)
   version_sorter (~> 2.3)
-  view_component (~> 3.20.0)
+  view_component (~> 3.21.0)
   vite_rails (~> 3.0.17)
   vite_ruby (~> 3.8.0)
   vmstat (~> 2.3.0)

app/assets/javascripts/ci/pipelines_page/components/pipeline_url.vue

@@ -123,13 +123,8 @@ export default {
     pipelineIdentifier() {
       const { name, path, pipeline_schedule: pipelineSchedule } = this.pipeline || {};
 
-      if (pipelineSchedule) {
-        return {
-          text: pipelineSchedule.description,
-          link: pipelineSchedule.path,
-        };
-      }
-
+      // pipeline name should take priority over
+      // pipeline schedule description
       if (name) {
         return {
           text: name,
@@ -137,6 +132,13 @@ export default {
         };
       }
 
+      if (pipelineSchedule) {
+        return {
+          text: pipelineSchedule.description,
+          link: pipelineSchedule.path,
+        };
+      }
+
       return false;
     },
   },

app/assets/javascripts/merge_requests/list/components/merge_request_statistics.vue

@@ -20,11 +20,10 @@ export default {
 </script>
 
 <template>
-  <ul class="gl-contents">
+  <ul class="gl-list-none gl-gap-3 gl-p-0">
     <li
       v-if="mergeRequest.upvotes"
       v-gl-tooltip
-      class="gl-hidden sm:gl-block"
       :title="$options.i18n.upvotes"
       data-testid="issuable-upvotes"
     >
@@ -34,7 +33,6 @@ export default {
     <li
       v-if="mergeRequest.downvotes"
       v-gl-tooltip
-      class="gl-hidden sm:gl-block"
       :title="$options.i18n.downvotes"
       data-testid="issuable-downvotes"
     >

app/assets/javascripts/merge_requests/list/components/merge_requests_list_app.vue

@@ -830,8 +830,11 @@ export default {
       </template>
 
       <template #statistics="{ issuable = {} }">
-        <li v-if="issuable.upvotes || issuable.downvotes" class="!gl-mr-0">
-          <merge-request-statistics :merge-request="issuable" />
+        <li
+          v-if="issuable.upvotes || issuable.downvotes"
+          class="!gl-mr-0 gl-hidden sm:gl-inline-flex"
+        >
+          <merge-request-statistics :merge-request="issuable" class="gl-flex" />
         </li>
       </template>
 

app/workers/concerns/search/zoekt/event_worker.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-module Search
-  module Zoekt
-    module EventWorker
-      extend ActiveSupport::Concern
-
-      included do
-        include Search::Worker
-
-        pause_control :zoekt
-
-        private
-
-        def logger
-          @logger ||= ::Search::Zoekt::Logger.build
-        end
-      end
-    end
-  end
-end

db/migrate/20241211193923_add_optional_variables_to_dast_site_profiles.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddOptionalVariablesToDastSiteProfiles < Gitlab::Database::Migration[2.2]
+  milestone '17.8'
+
+  def change
+    add_column :dast_site_profiles, :optional_variables, :jsonb, default: [], null: false
+  end
+end

db/schema_migrations/20241211193923

@@ -0,0 +1 @@
+8a703606bd7637813f562b7f5b7c98e3a01f1f6f56ef313b5fe2fa4a886cf4e8

db/structure.sql

@@ -11403,6 +11403,7 @@ CREATE TABLE dast_site_profiles (
     scan_method smallint DEFAULT 0 NOT NULL,
     auth_submit_field text,
     scan_file_path text,
+    optional_variables jsonb DEFAULT '[]'::jsonb NOT NULL,
     CONSTRAINT check_5203110fee CHECK ((char_length(auth_username_field) <= 255)),
     CONSTRAINT check_6cfab17b48 CHECK ((char_length(name) <= 255)),
     CONSTRAINT check_8d2aa0f66d CHECK ((char_length(scan_file_path) <= 1024)),

doc/administration/packages/container_registry.md

@@ -1028,19 +1028,32 @@ projects_and_size = [["project_id", "creator_id", "registry_size_bytes", "projec
 # You need to specify the projects that you want to look through. You can get these in any manner.
 projects = Project.last(100)
 
-projects.each do |p|
-   project_total_size = 0
-   container_repositories = p.container_repositories
+registry_metadata_database = ContainerRegistry::GitlabApiClient.supports_gitlab_api?
 
-   container_repositories.each do |c|
-       c.tags.each do |t|
-          project_total_size = project_total_size + t.total_size unless t.total_size.nil?
-       end
-   end
+if registry_metadata_database
+  projects.each do |project|
+    size = project.container_repositories_size
+    if size > 0
+      projects_and_size << [project.project_id, project.creator&.id, size, project.full_path]
+    end
+  end
+else
+  projects.each do |project|
+    project_layers = {}
+    
+    project.container_repositories.each do |repository|
+      repository.tags.each do |tag|
+        tag.layers.each do |layer|
+          project_layers[layer.digest] ||= layer.size
+        end
+      end
+    end
 
-   if project_total_size > 0
-      projects_and_size << [p.project_id, p.creator&.id, project_total_size, p.full_path]
-   end
+    total_size = project_layers.values.compact.sum
+    if total_size > 0
+      projects_and_size << [project.project_id, project.creator&.id, total_size, project.full_path]
+    end
+  end
 end
 
 # print it as comma separated output
@@ -1049,6 +1062,9 @@ projects_and_size.each do |ps|
 end
 ```
 
+NOTE:
+The script calculates size based on container image layers. Since layers can be shared across multiple projects, the results are approximate but give a good indication of relative disk usage between projects.
+
 To remove image tags by running the cleanup policy, run the following commands in the
 [GitLab Rails console](../operations/rails_console.md):
 

doc/api/graphql/reference/index.md

@@ -4402,6 +4402,7 @@ Input type: `DastSiteProfileCreateInput`
 | <a id="mutationdastsiteprofilecreateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
 | <a id="mutationdastsiteprofilecreateexcludedurls"></a>`excludedUrls` | [`[String!]`](#string) | URLs to skip during an authenticated scan. Defaults to `[]`. |
 | <a id="mutationdastsiteprofilecreatefullpath"></a>`fullPath` | [`ID!`](#id) | Project the site profile belongs to. |
+| <a id="mutationdastsiteprofilecreateoptionalvariables"></a>`optionalVariables` | [`[JSON!]`](#json) | Optional variables that can be configured for DAST scans. |
 | <a id="mutationdastsiteprofilecreateprofilename"></a>`profileName` | [`String!`](#string) | Name of the site profile. |
 | <a id="mutationdastsiteprofilecreaterequestheaders"></a>`requestHeaders` | [`String`](#string) | Comma-separated list of request header names and values to be added to every request made by DAST. |
 | <a id="mutationdastsiteprofilecreatescanfilepath"></a>`scanFilePath` | [`String`](#string) | File Path or URL used as input for the scan method. |
@@ -4450,6 +4451,7 @@ Input type: `DastSiteProfileUpdateInput`
 | <a id="mutationdastsiteprofileupdateexcludedurls"></a>`excludedUrls` | [`[String!]`](#string) | URLs to skip during an authenticated scan. |
 | <a id="mutationdastsiteprofileupdatefullpath"></a>`fullPath` **{warning-solid}** | [`ID`](#id) | **Deprecated:** Full path not required to qualify Global ID. Deprecated in GitLab 14.5. |
 | <a id="mutationdastsiteprofileupdateid"></a>`id` | [`DastSiteProfileID!`](#dastsiteprofileid) | ID of the site profile to be updated. |
+| <a id="mutationdastsiteprofileupdateoptionalvariables"></a>`optionalVariables` | [`[JSON!]`](#json) | Optional variables that can be configured for DAST scans. |
 | <a id="mutationdastsiteprofileupdateprofilename"></a>`profileName` | [`String!`](#string) | Name of the site profile. |
 | <a id="mutationdastsiteprofileupdaterequestheaders"></a>`requestHeaders` | [`String`](#string) | Comma-separated list of request header names and values to be added to every request made by DAST. |
 | <a id="mutationdastsiteprofileupdatescanfilepath"></a>`scanFilePath` | [`String`](#string) | File Path or URL used as input for the scan method. |
@@ -22629,6 +22631,7 @@ Represents a DAST Site Profile.
 | <a id="dastsiteprofileexcludedurls"></a>`excludedUrls` | [`[String!]`](#string) | URLs to skip during an authenticated scan. |
 | <a id="dastsiteprofileid"></a>`id` | [`DastSiteProfileID!`](#dastsiteprofileid) | ID of the site profile. |
 | <a id="dastsiteprofilenormalizedtargeturl"></a>`normalizedTargetUrl` | [`String`](#string) | Normalized URL of the target to be scanned. |
+| <a id="dastsiteprofileoptionalvariables"></a>`optionalVariables` | [`[JSON!]`](#json) | Optional variables that can be configured for DAST scans. |
 | <a id="dastsiteprofileprofilename"></a>`profileName` | [`String`](#string) | Name of the site profile. |
 | <a id="dastsiteprofilereferencedinsecuritypolicies"></a>`referencedInSecurityPolicies` | [`[String!]`](#string) | List of security policy names that are referencing given project. |
 | <a id="dastsiteprofilerequestheaders"></a>`requestHeaders` | [`String`](#string) | Comma-separated list of request header names and values to be added to every request made by DAST. |

doc/development/api_styleguide.md

@@ -156,7 +156,7 @@ When the feature becomes [generally available](../policy/development_stages_supp
 
 - [Remove](feature_flags/controls.md#cleaning-up) the feature flag.
 - Remove the [experiment or beta status](documentation/experiment_beta.md) from the [API documentation](../api/api_resources.md).
-- Add the [OpenAPI documentation](../api/openapi/openapi_interactive.md) to make the changes programatically discoverable.
+- Add the [OpenAPI documentation](../api/openapi/openapi_interactive.md) to make the changes programmatically discoverable.
 
 ## Declared parameters
 

doc/development/contributing/first_contribution/mr-review.md

@@ -51,7 +51,8 @@ that runs tests, linting, security scans, and more.
 Your pipeline must be successful for your merge request to be merged.
 
 - To check the status of your pipeline, at the top of your merge request, select **Pipelines**.
-- If you need help understanding or fixing the pipeline, in a comment, use the `@gitlab-bot help` command.
+- If you need help understanding or fixing the pipeline, use the `@gitlab-bot help` command in a comment to tag an MR coach.
+  - For more on MR coaching, visit [How GitLab Merge Request Coaches Can Help You](../merge_request_coaches.md).
 
 ### Getting a review
 

doc/development/contributing/index.md

@@ -114,6 +114,9 @@ Follow [Configure GDK-in-a-box](first_contribution/configure-dev-env-gdk-in-a-bo
    Someone from GitLab will look at your request and let you know what the next steps are.
    For details, see the [merge request workflow](merge_request_workflow.md).
 
+   Have questions?
+   Use `@gitlab-bot help` to ping a GitLab Merge Request coach. For more information on MR coaches, visit [How GitLab Merge Request Coaches Can Help You](merge_request_coaches.md).
+
 ### How community merge requests are triaged
 
 When you create a merge request, a merge request coach will assign relevant reviewers or
@@ -164,6 +167,7 @@ Request an Enterprise Edition Developers License according to the [documented pr
 
 How to find help contributing to GitLab:
 
-- Type `@gitlab-bot help` in a comment on a merge request or issue.
+- Type `@gitlab-bot help` in a comment on a merge request or issue to tag a MR coach.
+  - See [How GitLab Merge Request Coaches Can Help You](merge_request_coaches.md) for more information.
 - Join the [GitLab Community Discord](https://discord.gg/gitlab) and ask for help in the `#contribute` channel.
 - Email the Contributor Success team at `contributors@gitlab.com`.

doc/development/contributing/merge_request_coaches.md

@@ -0,0 +1,61 @@
+---
+stage: none
+group: unassigned
+info: Any user with at least the Maintainer role can merge updates to this content. For details, see https://docs.gitlab.com/ee/development/development_processes.html#development-guidelines-review.
+---
+
+# How GitLab Merge Request Coaches can help you
+
+Welcome, GitLab contributor! As you work on your contributions, Merge Request (MR) Coaches are here to help you succeed. This guide explains how we can support you throughout your contribution journey.
+
+## What is a Merge Request Coach?
+
+MR Coaches are GitLab team members with a special interest in helping community contributors like you get their changes merged into GitLab. Think of us as your guides and advocates in the contribution process.
+
+## How we can help you
+
+### Getting started
+
+- We can help you understand GitLab contribution requirements
+- We can provide hints and guidance if you're new to Ruby, JavaScript, Go, or programming
+
+### During development
+
+- We can review your merge requests and provide constructive feedback
+- We can help you understand and resolve CI pipeline issues
+
+### Code review process
+
+- We can help find the right reviewers for your contribution
+- We can help you understand and address code review feedback
+- We can provide technical guidance on implementing requested changes
+
+## If you're stuck
+
+Don't hesitate to ask for help if:
+
+- You're unsure how to implement something
+- The CI pipeline is failing
+- You don't understand review feedback
+- You need help with Git or the development process
+
+## Where to find us
+
+You can reach MR Coaches by commenting `@gitlab-bot help` on your merge request or issue
+
+## What we look for in contributions
+
+To help your MR succeed, we check for:
+
+- Adherence to GitLab [contribution acceptance criteria](merge_request_workflow.md#contribution-acceptance-criteria)
+- Test coverage
+- Documentation updates when needed
+
+## Tips for working with MR Coaches
+
+1. **Be Responsive**: Even a quick update helps us help you
+1. **Ask Questions Early**: We'd rather help prevent issues than fix them later
+1. **Share Your Constraints**: Let us know if you have limited time or specific challenges
+1. **Be Open to Feedback**: We aim to help your code meet GitLab quality standards
+
+Remember: No question is "stupid". We're here to help you succeed. Your contributions make GitLab better, and we appreciate your efforts to improve the product and grow your skills.

doc/user/application_security/detect/index.md

@@ -6,19 +6,42 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 # Detect
 
-Detect vulnerabilities throughout your application's development lifecycle. GitLab scans your
-application's code and tests its behavior for vulnerabilities.
+Detect vulnerabilities in your project's repository and your application's behavior. Enable GitLab
+security tools for your project's entire lifecycle, starting before the first commit.
 
 ## Detection coverage
 
-Scan your repository's content and application's behavior for vulnerabilities:
+Scan your project's repository and test your application's behavior for vulnerabilities:
 
 - Repository scanning can detect vulnerabilities in your project's repository. Coverage includes
   your application's source code, also the libraries and container images it's dependent on.
 - Behavioral testing of your application and its API can detect vulnerabilities that occur only at
   runtime.
 
-For more details, see [Security scanning](security_scanning.md).
+### Repository scanning
+
+Your project's repository may contain source code, dependency declarations, and infrastructure
+definitions. Repository scanning can detect vulnerabilities in each of these.
+
+Repository scanning tools include:
+
+- Static Application Security Testing (SAST): Analyze source code for vulnerabilities.
+- Infrastructure as Code (IaC) scanning: Detect vulnerabilities in your application's infrastructure
+  definitions.
+- Secret detection: Detect and block secrets from being committed to the repository.
+- Dependency scanning: Detect vulnerabilities in your application's dependencies and container
+  images.
+
+### Behavioral testing
+
+Behavioral testing requires a deployable application to test for known vulnerabilities and
+unexpected behavior.
+
+Behavioral testing tools include:
+
+- Dynamic Application Security Testing (DAST): Test your application for known attack vectors.
+- API security testing: Test your application's API for known attacks and vulnerabilities to input.
+- Coverage-guided fuzz testing: Test your application for unexpected behavior.
 
 ## Lifecycle coverage
 

doc/user/application_security/detect/security_scanning.md

@@ -1,35 +0,0 @@
----
-stage: Application Security Testing
-group: Static Analysis
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
----
-
-# Security scanning
-
-Scan your repository's content and application's behavior for vulnerabilities. GitLab security
-scanners scan your application's code and tests its behavior for vulnerabilities.
-
-## Repository scanning
-
-Your application's repository may contain its source code, dependency declarations, and
-Infrastructure as Code definitions. Repository scanning can detect vulnerabilities in each of these.
-
-Repository scanning tools include:
-
-- Static Application Security Testing: Analyze source code for vulnerabilities.
-- Infrastructure as Code (IaC) scanning: Detect vulnerabilities in your application's deployment
-  environment.
-- Secret detection: Detect and block secrets being committed to the repository.
-- Dependency scanning: Detect vulnerabilities in your application's dependencies and container
-  images.
-
-## Behavioral testing
-
-Behavioral testing requires a deployable application to test for known vulnerabilities and
-unexpected behavior.
-
-Behavioral testing tools include:
-
-- Dynamic Application Security Testing: Test your application for known attack vectors.
-- API security testing: Test your application's API for known attacks and vulnerabilities to input.
-- Coverage-guided fuzz testing: Test your application for unexpected behavior.

doc/user/group/settings/group_access_tokens.md

@@ -122,7 +122,7 @@ If you are an administrator, you can create group access tokens in the Rails con
    1. Use the group token to [clone a group's project](../../../topics/git/clone.md#clone-with-https)
       using HTTPS.
 
-## Revoke a group access token
+## Revoke or rotate a group access token
 
 > - Ability to view revoked tokens [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/462217) in GitLab 17.3 [with a flag](../../../administration/feature_flags.md) named `retain_resource_access_token_user_after_revoke`. Disabled by default.
 
@@ -146,11 +146,12 @@ the active tokens. The inactive group access tokens table:
 
 ### Use the UI
 
-To revoke a group access token:
+To revoke or rotate a group access token:
 
 1. On the left sidebar, select **Search or go to** and find your group.
 1. Select **Settings > Access tokens**.
-1. Next to the group access token to revoke, select **Revoke** (**{remove}**).
+1. For the relevant token, select **Revoke** (**{remove}**) or **Rotate** (**{retry}**).
+1. On the confirmation dialog, select **Revoke** or **Rotate**.
 
 ## Scopes for a group access token
 

doc/user/project/settings/project_access_tokens.md

@@ -75,19 +75,13 @@ Project access tokens are treated as [internal users](../../../administration/in
 If an internal user creates a project access token, that token is able to access
 all projects that have visibility level set to [Internal](../../public_access.md).
 
-## Revoke a project access token
+## Revoke or rotate a project access token
 
 > - Ability to view revoked tokens [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/462217) in GitLab 17.3 [with a flag](../../../administration/feature_flags.md) named `retain_resource_access_token_user_after_revoke`. Disabled by default.
 
 FLAG:
 The availability of being able to view revoked tokens is controlled by a feature flag. For more information, see the history.
 
-To revoke a project access token:
-
-1. On the left sidebar, select **Search or go to** and find your project.
-1. Select **Settings > Access tokens**.
-1. Next to the project access token to revoke, select **Revoke** (**{remove}**).
-
 In GitLab 17.3 and later, if you enable the `retain_resource_access_token_user_after_revoke`
 feature flag, you can view both active and inactive revoked project access tokens
 on the access tokens page. If you do not enable the feature flag, you can only view
@@ -103,6 +97,15 @@ the active tokens. The inactive project access tokens table:
   - Tokens that have already expired or been revoked.
   - Existing tokens that expire in the future or have not been revoked.
 
+### Use the UI
+
+To revoke or rotate a project access token:
+
+1. On the left sidebar, select **Search or go to** and find your project.
+1. Select **Settings > Access tokens**.
+1. For the relevant token, select **Revoke** (**{remove}**) or **Rotate** (**{retry}**).
+1. On the confirmation dialog, select **Revoke** or **Rotate**.
+
 ## Scopes for a project access token
 
 > - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
@@ -214,7 +217,7 @@ Bot users for projects:
 - Can have a maximum role of Owner for a project. For more information, see
   [Create a project access token](../../../api/project_access_tokens.md#create-a-project-access-token).
 
-When the project access token is [revoked](#revoke-a-project-access-token):
+When the project access token is [revoked](#revoke-or-rotate-a-project-access-token):
 
 - The bot user is deleted.
 - All records are moved to a system-wide user with the username [Ghost User](../../profile/account/delete_account.md#associated-records).

locale/gitlab.pot

@@ -43616,6 +43616,9 @@ msgstr ""
 msgid "Project avatar"
 msgstr ""
 
+msgid "Project cannot be deleted because it is linked as Security Policy Project"
+msgstr ""
+
 msgid "Project cannot be shared with the group it is in or one of its ancestors."
 msgstr ""
 

spec/frontend/ci/pipelines_page/components/pipeline_url_spec.js

@@ -51,7 +51,7 @@ describe('Pipeline Url Component', () => {
     expect(findPipelineUrlLink().text()).toBe('#1');
   });
 
-  it('should render the pipeline schedule identifier instead of pipeline name', () => {
+  it('should render the pipeline name identifier instead of pipeline schedule', () => {
     createComponent(
       merge(mockPipeline(projectPath), {
         pipeline: {
@@ -61,6 +61,23 @@ describe('Pipeline Url Component', () => {
       }),
     );
 
+    expect(findCommitTitleContainer().exists()).toBe(false);
+    expect(findPipelineIdentifierContainer().exists()).toBe(true);
+    expect(findRefName().exists()).toBe(true);
+    expect(findCommitShortSha().exists()).toBe(true);
+    expect(findPipelineIdentifierLink().text()).toBe('Build pipeline');
+    expect(findPipelineIdentifierLink().attributes('href')).toBe('foo');
+  });
+
+  it('should render the pipeline schedule identifier when pipeline has no name but schedule', () => {
+    createComponent(
+      merge(mockPipeline(projectPath), {
+        pipeline: {
+          pipeline_schedule: { id: 1, description: 'Schedule', path: 'schedule/path' },
+        },
+      }),
+    );
+
     expect(findCommitTitleContainer().exists()).toBe(false);
     expect(findPipelineIdentifierContainer().exists()).toBe(true);
     expect(findRefName().exists()).toBe(true);

spec/lib/bulk_imports/common/pipelines/members_pipeline_spec.rb

@@ -3,7 +3,6 @@
 require 'spec_helper'
 
 RSpec.describe BulkImports::Common::Pipelines::MembersPipeline, feature_category: :importers do
-  let_it_be(:default_organization) { create(:organization, :default) }
   let_it_be(:user) { create(:user) }
   let_it_be(:bulk_import) { create(:bulk_import, :with_configuration, user: user) }
   let_it_be(:member_user1) { create(:user, email: 'email1@email.com') }

spec/lib/bulk_imports/groups/pipelines/group_pipeline_spec.rb

@@ -66,7 +66,7 @@ RSpec.describe BulkImports::Groups::Pipelines::GroupPipeline, feature_category:
       expect(imported_group.mentions_disabled?).to eq(group_data['mentions_disabled'])
     end
 
-    it 'skips duplicates on pipeline rerun' do
+    it 'skips duplicates on pipeline rerun', quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/509519' do
       expect { subject.run }.to change { Group.count }.by(1)
       expect { subject.run }.not_to change { Group.count }
     end

spec/lib/import/bulk_imports/common/transformers/source_user_member_attributes_transformer_spec.rb

@@ -3,8 +3,7 @@
 require 'spec_helper'
 
 RSpec.describe Import::BulkImports::Common::Transformers::SourceUserMemberAttributesTransformer,
-  :with_current_organization, feature_category: :importers do
-  let_it_be(:default_organization) { create(:organization, :default) }
+  feature_category: :importers do
   let_it_be(:user) { create(:user) }
   let_it_be(:bulk_import) { create(:bulk_import, :with_configuration, user: user) }
 

spec/workers/every_sidekiq_worker_spec.rb

@@ -441,6 +441,20 @@ RSpec.describe 'Every Sidekiq worker', feature_category: :shared do
         'ScanSecurityReportSecretsWorker' => 17,
         'Search::ElasticGroupAssociationDeletionWorker' => 3,
         'Search::Elastic::DeleteWorker' => 3,
+        'Search::Zoekt::AdjustIndicesReservedStorageBytesEventWorker' => 1,
+        'Search::Zoekt::DeleteProjectEventWorker' => 1,
+        'Search::Zoekt::IndexMarkedAsToDeleteEventWorker' => 1,
+        'Search::Zoekt::IndexOverWatermarkEventWorker' => 1,
+        'Search::Zoekt::IndexToEvictEventWorker' => 1,
+        'Search::Zoekt::IndexWatermarkChangedEventWorker' => 1,
+        'Search::Zoekt::InitialIndexingEventWorker' => 1,
+        'Search::Zoekt::LostNodeEventWorker' => 1,
+        'Search::Zoekt::NodeWithNegativeUnclaimedStorageEventWorker' => 1,
+        'Search::Zoekt::OrphanedIndexEventWorker' => 1,
+        'Search::Zoekt::OrphanedRepoEventWorker' => 1,
+        'Search::Zoekt::RepoMarkedAsToDeleteEventWorker' => 1,
+        'Search::Zoekt::RepoToIndexEventWorker' => 1,
+        'Search::Zoekt::TaskFailedEventWorker' => 1,
         'Security::StoreScansWorker' => 3,
         'Security::TrackSecureScansWorker' => 1,
         'ServiceDeskEmailReceiverWorker' => 3,