diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 35064e89941..ef28900bc08 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -220,7 +220,7 @@ variables:
   DOCS_REVIEW_APPS_DOMAIN: "docs.gitlab-review.app"
   DOCS_GITLAB_REPO_SUFFIX: "ee"
 
-  REVIEW_APPS_IMAGE: "${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bookworm-ruby-3.0:gcloud-383-kubectl-1.26-helm-3.9"
+  REVIEW_APPS_IMAGE: "${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bookworm-ruby-3.0:gcloud-383-kubectl-1.27-helm-3.9"
   REVIEW_APPS_DOMAIN: "gitlab-review.app"
   REVIEW_APPS_GCP_PROJECT: "gitlab-review-apps"
   REVIEW_APPS_GCP_REGION: "us-central1"
diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS
index 0a9f5bfad43..f55066fcddf 100644
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@@ -7,7 +7,7 @@
 .gitlab/CODEOWNERS @gitlab-org/development-leaders @gitlab-org/tw-leadership
 
 ## Allows release tooling and Gitaly team members to update the Gitaly Version
-GITALY_SERVER_VERSION @project_278964_bot6 @gitlab-org/maintainers/rails-backend @gitlab-org/delivery @gl-gitaly
+/GITALY_SERVER_VERSION @project_278964_bot6 @gitlab-org/maintainers/rails-backend @gitlab-org/delivery @gl-gitaly
 
 ## Files that are excluded from required approval
 ## These rules override the * rule above, so that changes to docs and templates
diff --git a/.gitlab/ci/test-on-cng/main.gitlab-ci.yml b/.gitlab/ci/test-on-cng/main.gitlab-ci.yml
index a830dcb0343..0c07556322c 100644
--- a/.gitlab/ci/test-on-cng/main.gitlab-ci.yml
+++ b/.gitlab/ci/test-on-cng/main.gitlab-ci.yml
@@ -50,12 +50,8 @@ workflow:
     - export QA_GITLAB_URL="http://gitlab.${GITLAB_DOMAIN}"
     - source scripts/utils.sh
     - source scripts/rspec_helpers.sh
-    - source scripts/qa/cng_deploy/cng-kind.sh
     - cd qa && bundle install
-    - bundle exec cng create cluster --ci
-    # Currently this only performs pre-deploy setup
-    - bundle exec cng create deployment --ci
-    - deploy ${GITLAB_DOMAIN}
+    - bundle exec cng create deployment --gitlab-domain "${GITLAB_DOMAIN}" --ci --with-cluster ${EXTRA_DEPLOY_VALUES}
   script:
     - export QA_COMMAND="bundle exec bin/qa ${QA_SCENARIO:=Test::Instance::All} $QA_GITLAB_URL -- --force-color --order random --format documentation"
     - echo "Running - '$QA_COMMAND'"
@@ -120,7 +116,11 @@ cng-qa-min-redis-version:
   extends: .cng-base
   variables:
     QA_SCENARIO: Test::Instance::Smoke
-    REDIS_VERSION_TYPE: MIN_REDIS_VERSION
+  before_script:
+    - |
+      redis_version=$(awk -F "=" "/MIN_REDIS_VERSION =/ {print \$2}" $CI_PROJECT_DIR/lib/system_check/app/redis_version_check.rb | sed "s/['\" ]//g")
+      export EXTRA_DEPLOY_VALUES="--set redis.image.tag=${redis_version%.*}"
+    - !reference [.cng-base, before_script]
   after_script:
     - !reference [.set-suite-status, after_script]
     - !reference [.cng-base, after_script]
diff --git a/.rubocop_todo/layout/first_hash_element_indentation.yml b/.rubocop_todo/layout/first_hash_element_indentation.yml
index 02cb82c9f22..5e3cf9681ee 100644
--- a/.rubocop_todo/layout/first_hash_element_indentation.yml
+++ b/.rubocop_todo/layout/first_hash_element_indentation.yml
@@ -2,17 +2,6 @@
 # Cop supports --autocorrect.
 Layout/FirstHashElementIndentation:
   Exclude:
-    - 'ee/app/helpers/ee/geo_helper.rb'
-    - 'ee/app/helpers/ee/groups/group_members_helper.rb'
-    - 'ee/app/models/ee/list.rb'
-    - 'ee/app/services/app_sec/dast/profiles/update_service.rb'
-    - 'ee/app/services/elastic/cluster_reindexing_service.rb'
-    - 'ee/app/services/iterations/create_service.rb'
-    - 'ee/app/services/resource_events/change_iteration_service.rb'
-    - 'ee/app/services/security/token_revocation_service.rb'
-    - 'ee/app/services/timebox_report_service.rb'
-    - 'ee/lib/ee/gitlab/ci/parsers.rb'
-    - 'ee/lib/ee/gitlab/usage_data.rb'
     - 'ee/spec/factories/dependencies.rb'
     - 'ee/spec/finders/epics_finder_spec.rb'
     - 'ee/spec/finders/namespaces/free_user_cap/users_finder_spec.rb'
diff --git a/.rubocop_todo/layout/space_in_lambda_literal.yml b/.rubocop_todo/layout/space_in_lambda_literal.yml
index fa2afd02f84..88b4419d441 100644
--- a/.rubocop_todo/layout/space_in_lambda_literal.yml
+++ b/.rubocop_todo/layout/space_in_lambda_literal.yml
@@ -2,20 +2,6 @@
 # Cop supports --autocorrect.
 Layout/SpaceInLambdaLiteral:
   Exclude:
-    - 'app/serializers/deploy_keys/basic_deploy_key_entity.rb'
-    - 'app/serializers/deployment_cluster_entity.rb'
-    - 'app/serializers/deployment_entity.rb'
-    - 'app/serializers/detailed_status_entity.rb'
-    - 'app/serializers/diff_file_base_entity.rb'
-    - 'app/serializers/diff_file_entity.rb'
-    - 'app/serializers/diffs_entity.rb'
-    - 'app/serializers/discussion_entity.rb'
-    - 'app/serializers/draft_note_entity.rb'
-    - 'app/serializers/environment_entity.rb'
-    - 'app/serializers/feature_flag_entity.rb'
-    - 'app/serializers/issue_board_entity.rb'
-    - 'app/serializers/issue_entity.rb'
-    - 'app/serializers/issue_sidebar_basic_entity.rb'
     - 'ee/app/serializers/blocking_merge_request_entity.rb'
     - 'ee/app/serializers/clusters/environment_entity.rb'
     - 'ee/app/serializers/dashboard_operations_project_entity.rb'
diff --git a/app/assets/javascripts/admin/abuse_reports/components/app.vue b/app/assets/javascripts/admin/abuse_reports/components/app.vue
index 521634f7209..a9a6c3a63ad 100644
--- a/app/assets/javascripts/admin/abuse_reports/components/app.vue
+++ b/app/assets/javascripts/admin/abuse_reports/components/app.vue
@@ -40,7 +40,9 @@ export default {
 
     <gl-empty-state v-if="abuseReports.length == 0" :title="s__('AbuseReports|No reports found')" />
     <ul v-else class="gl-pl-0">
-      <abuse-report-row v-for="(report, index) in abuseReports" :key="index" :report="report" />
+      <li v-for="(report, index) in abuseReports" :key="index" class="gl-list-style-none">
+        <abuse-report-row :report="report" />
+      </li>
     </ul>
 
     <gl-pagination
diff --git a/app/assets/javascripts/custom_metrics/components/delete_custom_metric_modal.vue b/app/assets/javascripts/custom_metrics/components/delete_custom_metric_modal.vue
index 0f0cfce86a6..9d489ce387f 100644
--- a/app/assets/javascripts/custom_metrics/components/delete_custom_metric_modal.vue
+++ b/app/assets/javascripts/custom_metrics/components/delete_custom_metric_modal.vue
@@ -32,7 +32,7 @@ export default {
 };
 </script>
 <template>
-  <div class="d-inline-block gl-float-right mr-3">
+  <div class="gl-inline-block gl-float-right mr-3">
     <gl-button v-gl-modal="$options.modalId" variant="danger" category="primary">
       {{ __('Delete') }}
     </gl-button>
diff --git a/app/assets/javascripts/error_tracking/components/stacktrace_entry.vue b/app/assets/javascripts/error_tracking/components/stacktrace_entry.vue
index bf549063031..dc882c3ccb4 100644
--- a/app/assets/javascripts/error_tracking/components/stacktrace_entry.vue
+++ b/app/assets/javascripts/error_tracking/components/stacktrace_entry.vue
@@ -82,12 +82,12 @@ export default {
   <div class="file-holder">
     <div ref="header" class="file-title file-title-flex-parent">
       <div class="file-header-content d-flex align-content-center gl-flex-wrap overflow-hidden">
-        <div v-if="hasCode" class="d-inline-block cursor-pointer" @click="toggle()">
+        <div v-if="hasCode" class="gl-inline-block cursor-pointer" @click="toggle()">
           <gl-icon :name="collapseIcon" :size="16" class="gl-mr-2" />
         </div>
         <template v-if="filePath">
           <file-icon :file-name="filePath" :size="16" aria-hidden="true" css-classes="gl-mr-2" />
-          <strong class="file-title-name d-inline-block overflow-hidden limited-width">
+          <strong class="file-title-name gl-inline-block overflow-hidden limited-width">
             <gl-truncate with-tooltip :text="filePath" position="middle" />
           </strong>
           <clipboard-button
diff --git a/app/assets/javascripts/issuable/components/related_issuable_item.vue b/app/assets/javascripts/issuable/components/related_issuable_item.vue
index 1e55bba6aab..8026895fa30 100644
--- a/app/assets/javascripts/issuable/components/related_issuable_item.vue
+++ b/app/assets/javascripts/issuable/components/related_issuable_item.vue
@@ -180,7 +180,7 @@ export default {
               v-if="itemPath"
               v-gl-tooltip
               :title="itemPath"
-              class="path-id-text d-inline-block"
+              class="path-id-text gl-inline-block"
               >{{ itemPath }}</span
             >
             <span>{{ pathIdSeparator }}{{ itemId }}</span>
@@ -232,7 +232,7 @@ export default {
     <span
       v-if="isLocked"
       v-gl-tooltip
-      class="gl-display-inline-block gl-cursor-not-allowed"
+      class="gl-inline-block gl-cursor-not-allowed"
       :title="lockedMessage"
       data-testid="lockIcon"
     >
diff --git a/app/assets/javascripts/issues/new/components/title_suggestions_item.vue b/app/assets/javascripts/issues/new/components/title_suggestions_item.vue
index 932bcc856a1..47e9d86ae89 100644
--- a/app/assets/javascripts/issues/new/components/title_suggestions_item.vue
+++ b/app/assets/javascripts/issues/new/components/title_suggestions_item.vue
@@ -66,7 +66,7 @@ export default {
 
 <template>
   <div class="suggestion-item">
-    <div class="d-flex gl-align-items-center">
+    <div class="gl-flex gl-align-items-center">
       <gl-icon
         v-if="suggestion.confidential"
         v-gl-tooltip.bottom
@@ -85,7 +85,7 @@ export default {
     <div class="text-secondary suggestion-footer">
       <gl-icon ref="state" :name="stateIconName" :class="stateIconClass" class="gl-cursor-help" />
       <gl-tooltip :target="() => $refs.state" placement="bottom">
-        <span class="d-block">
+        <span class="gl-block">
           <span class="bold"> {{ stateTitle }} </span> {{ timeFormatted(closedOrCreatedDate) }}
         </span>
         <span class="text-tertiary">{{ tooltipTitle(closedOrCreatedDate) }}</span>
@@ -103,9 +103,9 @@ export default {
           :size="16"
           css-classes="mr-0 float-none"
           tooltip-placement="bottom"
-          class="d-inline-block"
+          class="gl-inline-block"
         >
-          <span class="bold d-block">{{ __('Author') }}</span> {{ suggestion.author.name }}
+          <span class="bold gl-block">{{ __('Author') }}</span> {{ suggestion.author.name }}
           <span class="text-tertiary">@{{ suggestion.author.username }}</span>
         </user-avatar-image>
       </gl-link>
diff --git a/app/assets/javascripts/observability/client.js b/app/assets/javascripts/observability/client.js
index 70b80a76653..5ea12bac991 100644
--- a/app/assets/javascripts/observability/client.js
+++ b/app/assets/javascripts/observability/client.js
@@ -217,9 +217,7 @@ function handleTracingPeriodFilter(rawValue, filterName, filterParams) {
  * @param {Object} filterObj : An Object representing filters
  * @returns URLSearchParams
  */
-function tracingFilterObjToQueryParams(filterObj) {
-  const filterParams = new URLSearchParams();
-
+function addTracingAttributesFiltersToQueryParams(filterObj, filterParams) {
   Object.keys(SUPPORTED_TRACING_FILTERS).forEach((filterName) => {
     const filterValues = Array.isArray(filterObj[filterName]) ? filterObj[filterName] : [];
     const validFilters = filterValues.filter((f) =>
@@ -266,7 +264,13 @@ async function fetchTraces(
   tracingUrl,
   { filters = {}, pageToken, pageSize, sortBy, abortController } = {},
 ) {
-  const params = tracingFilterObjToQueryParams(filters);
+  const params = new URLSearchParams();
+
+  const { attributes } = filters;
+  if (attributes) {
+    addTracingAttributesFiltersToQueryParams(attributes, params);
+  }
+
   if (pageToken) {
     params.append('page_token', pageToken);
   }
@@ -294,7 +298,12 @@ async function fetchTraces(
 }
 
 async function fetchTracesAnalytics(tracingAnalyticsUrl, { filters = {}, abortController } = {}) {
-  const params = tracingFilterObjToQueryParams(filters);
+  const params = new URLSearchParams();
+
+  const { attributes } = filters;
+  if (attributes) {
+    addTracingAttributesFiltersToQueryParams(attributes, params);
+  }
 
   try {
     const { data } = await axios.get(tracingAnalyticsUrl, {
diff --git a/app/assets/javascripts/packages_and_registries/container_registry/explorer/components/list_page/image_list.vue b/app/assets/javascripts/packages_and_registries/container_registry/explorer/components/list_page/image_list.vue
index 63216c009e6..169de969e85 100644
--- a/app/assets/javascripts/packages_and_registries/container_registry/explorer/components/list_page/image_list.vue
+++ b/app/assets/javascripts/packages_and_registries/container_registry/explorer/components/list_page/image_list.vue
@@ -27,13 +27,13 @@ export default {
 
 <template>
   <ul class="gl-pl-0">
-    <image-list-row
-      v-for="(listItem, index) in images"
-      :key="index"
-      :item="listItem"
-      :metadata-loading="metadataLoading"
-      :expiration-policy="expirationPolicy"
-      @delete="$emit('delete', $event)"
-    />
+    <li v-for="(listItem, index) in images" :key="index" class="gl-list-style-none">
+      <image-list-row
+        :item="listItem"
+        :metadata-loading="metadataLoading"
+        :expiration-policy="expirationPolicy"
+        @delete="$emit('delete', $event)"
+      />
+    </li>
   </ul>
 </template>
diff --git a/app/assets/javascripts/packages_and_registries/dependency_proxy/components/manifests_list.vue b/app/assets/javascripts/packages_and_registries/dependency_proxy/components/manifests_list.vue
index bbababcb77e..e4a0339f728 100644
--- a/app/assets/javascripts/packages_and_registries/dependency_proxy/components/manifests_list.vue
+++ b/app/assets/javascripts/packages_and_registries/dependency_proxy/components/manifests_list.vue
@@ -54,12 +54,12 @@ export default {
 
     <div v-else data-testid="main-area">
       <ul class="gl-pl-0">
-        <manifest-row
-          v-for="(manifest, index) in manifests"
-          :key="index"
-          :dependency-proxy-image-prefix="dependencyProxyImagePrefix"
-          :manifest="manifest"
-        />
+        <li v-for="(manifest, index) in manifests" :key="index">
+          <manifest-row
+            :dependency-proxy-image-prefix="dependencyProxyImagePrefix"
+            :manifest="manifest"
+          />
+        </li>
       </ul>
       <div class="gl-display-flex gl-justify-content-center">
         <gl-keyset-pagination
diff --git a/app/assets/javascripts/packages_and_registries/infrastructure_registry/details/components/app.vue b/app/assets/javascripts/packages_and_registries/infrastructure_registry/details/components/app.vue
index 3976bcea6b4..50bebfa6d7d 100644
--- a/app/assets/javascripts/packages_and_registries/infrastructure_registry/details/components/app.vue
+++ b/app/assets/javascripts/packages_and_registries/infrastructure_registry/details/components/app.vue
@@ -189,17 +189,17 @@ export default {
 
         <template v-else-if="hasVersions">
           <ul class="gl-pl-0">
-            <package-list-row
-              v-for="v in packageEntity.versions"
-              :key="v.id"
-              :package-entity="/* eslint-disable @gitlab/vue-no-new-non-primitive-in-template */ {
-                name: packageEntity.name,
-                ...v,
-              } /* eslint-enable @gitlab/vue-no-new-non-primitive-in-template */"
-              :package-link="v.id.toString()"
-              :disable-delete="true"
-              :show-package-type="false"
-            />
+            <li v-for="v in packageEntity.versions" :key="v.id" class="gl-list-style-none">
+              <package-list-row
+                :package-entity="/* eslint-disable @gitlab/vue-no-new-non-primitive-in-template */ {
+                  name: packageEntity.name,
+                  ...v,
+                } /* eslint-enable @gitlab/vue-no-new-non-primitive-in-template */"
+                :package-link="v.id.toString()"
+                :disable-delete="true"
+                :show-package-type="false"
+              />
+            </li>
           </ul>
         </template>
 
diff --git a/app/assets/javascripts/packages_and_registries/infrastructure_registry/list/components/packages_list.vue b/app/assets/javascripts/packages_and_registries/infrastructure_registry/list/components/packages_list.vue
index 6f644d7a8c3..93ea5db78ad 100644
--- a/app/assets/javascripts/packages_and_registries/infrastructure_registry/list/components/packages_list.vue
+++ b/app/assets/javascripts/packages_and_registries/infrastructure_registry/list/components/packages_list.vue
@@ -76,14 +76,14 @@ export default {
 
     <template v-else>
       <ul data-testid="packages-table" class="gl-pl-0">
-        <packages-list-row
-          v-for="packageEntity in list"
-          :key="packageEntity.id"
-          :package-entity="packageEntity"
-          :package-link="packageEntity._links.web_path"
-          :is-group="isGroupPage"
-          @packageToDelete="setItemToBeDeleted"
-        />
+        <li v-for="packageEntity in list" :key="packageEntity.id" class="gl-list-style-none">
+          <packages-list-row
+            :package-entity="packageEntity"
+            :package-link="packageEntity._links.web_path"
+            :is-group="isGroupPage"
+            @packageToDelete="setItemToBeDeleted"
+          />
+        </li>
       </ul>
 
       <gl-pagination
diff --git a/app/assets/javascripts/packages_and_registries/shared/components/registry_list.vue b/app/assets/javascripts/packages_and_registries/shared/components/registry_list.vue
index 47d881d7917..159011333fe 100644
--- a/app/assets/javascripts/packages_and_registries/shared/components/registry_list.vue
+++ b/app/assets/javascripts/packages_and_registries/shared/components/registry_list.vue
@@ -117,13 +117,15 @@ export default {
       </gl-button>
     </div>
 
-    <ul v-for="(item, index) in items" :key="index" class="gl-pl-0">
-      <slot
-        :select-item="selectItem"
-        :is-selected="isSelected"
-        :item="item"
-        :first="!hiddenDelete && index === 0"
-      ></slot>
+    <ul class="gl-pl-0">
+      <li v-for="(item, index) in items" :key="index" class="gl-list-style-none">
+        <slot
+          :select-item="selectItem"
+          :is-selected="isSelected"
+          :item="item"
+          :first="!hiddenDelete && index === 0"
+        ></slot>
+      </li>
     </ul>
 
     <div class="gl-display-flex gl-justify-content-center">
diff --git a/app/assets/javascripts/projects/settings_service_desk/components/service_desk_setting.vue b/app/assets/javascripts/projects/settings_service_desk/components/service_desk_setting.vue
index 077a7d7ad9c..28dc9759df6 100644
--- a/app/assets/javascripts/projects/settings_service_desk/components/service_desk_setting.vue
+++ b/app/assets/javascripts/projects/settings_service_desk/components/service_desk_setting.vue
@@ -195,7 +195,7 @@ export default {
       <gl-sprintf :message="$options.i18n.issueTrackerEnableMessage">
         <template #link="{ content }">
           <gl-link
-            class="gl-display-inline-block"
+            class="gl-inline-block"
             data-testid="issue-help-page"
             :href="issuesHelpPagePath"
             target="_blank"
@@ -209,7 +209,7 @@ export default {
       id="service-desk-checkbox"
       :value="isEnabled"
       :disabled="!isIssueTrackerEnabled"
-      class="d-inline-block align-middle mr-1"
+      class="!gl-inline-block align-middle mr-1"
       :label="$options.i18n.toggleLabel"
       label-position="hidden"
       @change="onCheckboxToggle"
@@ -241,7 +241,7 @@ export default {
             </template>
           </gl-form-input-group>
           <template v-if="email && hasServiceDeskEmail" #description>
-            <span class="gl-mt-2 gl-display-inline-block">
+            <span class="gl-mt-2 gl-inline-block">
               <gl-sprintf :message="__('Emails sent to %{email} are also supported.')">
                 <template #email>
                   <code>{{ incomingEmail }}</code>
diff --git a/app/assets/javascripts/repository/components/table/parent_row.vue b/app/assets/javascripts/repository/components/table/parent_row.vue
index 0bc22253bd2..82b36ed975b 100644
--- a/app/assets/javascripts/repository/components/table/parent_row.vue
+++ b/app/assets/javascripts/repository/components/table/parent_row.vue
@@ -59,7 +59,7 @@ export default {
         v-if="parentPath === loadingPath"
         size="sm"
         inline
-        class="d-inline-block align-text-bottom"
+        class="gl-inline-block align-text-bottom"
       />
       <router-link v-else :to="parentRoute" :aria-label="__('Go to parent')"> .. </router-link>
     </td>
diff --git a/app/assets/javascripts/sidebar/components/assignees/assignee_avatar_link.vue b/app/assets/javascripts/sidebar/components/assignees/assignee_avatar_link.vue
index 820d2e94016..d8894071842 100644
--- a/app/assets/javascripts/sidebar/components/assignees/assignee_avatar_link.vue
+++ b/app/assets/javascripts/sidebar/components/assignees/assignee_avatar_link.vue
@@ -42,17 +42,17 @@ export default {
 </script>
 
 <template>
-  <!-- must be `d-inline-block` or parent flex-basis causes width issues -->
+  <!-- must be `gl-inline-block` or parent flex-basis causes width issues -->
   <gl-link
     :href="assigneeUrl"
     :data-user-id="assigneeId"
     :data-username="user.username"
     :data-cannot-merge="cannotMerge"
     data-placement="left"
-    class="gl-display-inline-block js-user-link"
+    class="gl-inline-block js-user-link"
   >
-    <!-- use d-flex so that slot can be appropriately styled -->
-    <span class="gl-display-flex">
+    <!-- use gl-flex so that slot can be appropriately styled -->
+    <span class="gl-flex">
       <assignee-avatar :user="user" :img-size="24" :issuable-type="issuableType" />
       <slot></slot>
     </span>
diff --git a/app/assets/javascripts/sidebar/components/reviewers/reviewer_avatar_link.vue b/app/assets/javascripts/sidebar/components/reviewers/reviewer_avatar_link.vue
index ccff6ea6640..0da7344557e 100644
--- a/app/assets/javascripts/sidebar/components/reviewers/reviewer_avatar_link.vue
+++ b/app/assets/javascripts/sidebar/components/reviewers/reviewer_avatar_link.vue
@@ -46,17 +46,17 @@ export default {
 </script>
 
 <template>
-  <!-- must be `d-inline-block` or parent flex-basis causes width issues -->
+  <!-- must be `gl-inline-block` or parent flex-basis causes width issues -->
   <gl-link
     :href="reviewerUrl"
     :data-user-id="reviewerId"
     :data-username="user.username"
     :data-cannot-merge="cannotMerge"
     data-placement="left"
-    class="gl-display-inline-block js-user-link gl-reset-color! gl-hover-text-blue-800!"
+    class="gl-inline-block js-user-link gl-reset-color! gl-hover-text-blue-800!"
   >
     <!-- use d-flex so that slot can be appropriately styled -->
-    <span class="gl-display-flex">
+    <span class="gl-flex">
       <reviewer-avatar :user="user" :img-size="24" :issuable-type="issuableType" />
       <slot :user="user"></slot>
     </span>
diff --git a/app/assets/javascripts/vue_shared/components/changed_file_icon.vue b/app/assets/javascripts/vue_shared/components/changed_file_icon.vue
index 5a807d10f24..3777633a861 100644
--- a/app/assets/javascripts/vue_shared/components/changed_file_icon.vue
+++ b/app/assets/javascripts/vue_shared/components/changed_file_icon.vue
@@ -81,7 +81,7 @@ export default {
     v-gl-tooltip.right
     :title="tooltipTitle"
     :class="{ 'ml-auto': isCentered }"
-    class="file-changed-icon d-inline-block"
+    class="file-changed-icon gl-inline-block"
   >
     <gl-icon v-if="showIcon" :name="changedIcon" :size="size" :class="changedIconClass" />
   </span>
diff --git a/app/assets/javascripts/vue_shared/components/registry/list_item.vue b/app/assets/javascripts/vue_shared/components/registry/list_item.vue
index bd1269894ea..bb166ce6f22 100644
--- a/app/assets/javascripts/vue_shared/components/registry/list_item.vue
+++ b/app/assets/javascripts/vue_shared/components/registry/list_item.vue
@@ -58,7 +58,7 @@ export default {
 </script>
 
 <template>
-  <li
+  <div
     class="gl-display-flex gl-flex-direction-column gl-border-b-solid gl-border-t-solid gl-border-t-1 gl-border-b-1"
     :class="optionalClasses"
   >
@@ -159,5 +159,5 @@ export default {
       </div>
       <div class="gl-w-9"></div>
     </div>
-  </li>
+  </div>
 </template>
diff --git a/app/assets/javascripts/vue_shared/issuable/list/components/issuable_bulk_edit_sidebar.vue b/app/assets/javascripts/vue_shared/issuable/list/components/issuable_bulk_edit_sidebar.vue
index a9371740723..9e5c2bc78b5 100644
--- a/app/assets/javascripts/vue_shared/issuable/list/components/issuable_bulk_edit_sidebar.vue
+++ b/app/assets/javascripts/vue_shared/issuable/list/components/issuable_bulk_edit_sidebar.vue
@@ -34,9 +34,7 @@ export default {
     class="issues-bulk-update right-sidebar"
     aria-live="polite"
   >
-    <div
-      class="gl-display-flex gl-justify-content-space-between gl-p-4 gl-border-b-1 gl-border-b-solid gl-border-gray-100"
-    >
+    <div class="gl-display-flex gl-justify-content-space-between gl-p-4 gl-border-b">
       <slot name="bulk-edit-actions"></slot>
     </div>
     <slot name="sidebar-items"></slot>
diff --git a/app/assets/javascripts/vue_shared/issuable/list/components/issuable_item.vue b/app/assets/javascripts/vue_shared/issuable/list/components/issuable_item.vue
index efbaede01e6..ee5ecde27a7 100644
--- a/app/assets/javascripts/vue_shared/issuable/list/components/issuable_item.vue
+++ b/app/assets/javascripts/vue_shared/issuable/list/components/issuable_item.vue
@@ -255,7 +255,6 @@ export default {
   >
     <gl-form-checkbox
       v-if="showCheckbox"
-      class="issue-check gl-mr-0"
       :checked="checked"
       :data-id="issuableId"
       :data-iid="issuableIid"
diff --git a/app/assets/javascripts/vue_shared/issuable/list/components/issuable_list_root.vue b/app/assets/javascripts/vue_shared/issuable/list/components/issuable_list_root.vue
index d10e38e2cd3..d57aa4422ac 100644
--- a/app/assets/javascripts/vue_shared/issuable/list/components/issuable_list_root.vue
+++ b/app/assets/javascripts/vue_shared/issuable/list/components/issuable_list_root.vue
@@ -1,9 +1,7 @@
 <script>
 import { GlAlert, GlBadge, GlKeysetPagination, GlSkeletonLoader, GlPagination } from '@gitlab/ui';
-import { uniqueId } from 'lodash';
 import LocalStorageSync from '~/vue_shared/components/local_storage_sync.vue';
 import PageSizeSelector from '~/vue_shared/components/page_size_selector.vue';
-import { getIdFromGraphQLId } from '~/graphql_shared/utils';
 import { updateHistory, setUrlParams } from '~/lib/utils/url_utility';
 import { __ } from '~/locale';
 import { DRAG_DELAY } from '~/sortable/constants';
@@ -221,7 +219,7 @@ export default {
   },
   data() {
     return {
-      checkedIssuables: {},
+      checkedIssuableIds: [],
     };
   },
   computed: {
@@ -237,18 +235,10 @@ export default {
       return DEFAULT_SKELETON_COUNT;
     },
     allIssuablesChecked() {
-      return this.bulkEditIssuables.length === this.issuables.length;
+      return this.checkedIssuables.length === this.issuables.length;
     },
-    /**
-     * Returns all the checked issuables from `checkedIssuables` map.
-     */
-    bulkEditIssuables() {
-      return Object.keys(this.checkedIssuables).reduce((acc, issuableId) => {
-        if (this.checkedIssuables[issuableId].checked) {
-          acc.push(this.checkedIssuables[issuableId].issuable);
-        }
-        return acc;
-      }, []);
+    checkedIssuables() {
+      return this.issuables.filter((issuable) => this.checkedIssuableIds.includes(issuable.id));
     },
     issuablesWrapper() {
       return this.isManualOrdering ? VueDraggable : 'ul';
@@ -258,24 +248,6 @@ export default {
     },
   },
   watch: {
-    issuables(list) {
-      this.checkedIssuables = list.reduce((acc, issuable) => {
-        const id = this.issuableId(issuable);
-        acc[id] = {
-          // By default, an issuable is not checked,
-          // But if `checkedIssuables` is already
-          // populated, use existing value.
-          checked:
-            typeof this.checkedIssuables[id] !== 'boolean'
-              ? false
-              : this.checkedIssuables[id].checked,
-          // We're caching issuable reference here
-          // for ease of populating in `bulkEditIssuables`.
-          issuable,
-        };
-        return acc;
-      }, {});
-    },
     urlParams: {
       deep: true,
       immediate: true,
@@ -291,21 +263,28 @@ export default {
     },
   },
   methods: {
-    issuableId(issuable) {
-      return getIdFromGraphQLId(issuable.id) || issuable.iid || uniqueId();
+    isIssuableChecked(issuable) {
+      return this.checkedIssuableIds.includes(issuable.id);
     },
-    issuableChecked(issuable) {
-      return this.checkedIssuables[this.issuableId(issuable)]?.checked;
+    updateCheckedIssuableIds(issuable, toCheck) {
+      const isIdChecked = this.checkedIssuableIds.includes(issuable.id);
+      if (toCheck && !isIdChecked) {
+        this.checkedIssuableIds.push(issuable.id);
+      }
+      if (!toCheck && isIdChecked) {
+        const indexToDelete = this.checkedIssuableIds.findIndex((id) => id === issuable.id);
+        this.checkedIssuableIds.splice(indexToDelete, 1);
+      }
     },
     handleIssuableCheckedInput(issuable, value) {
-      this.checkedIssuables[this.issuableId(issuable)].checked = value;
+      this.updateCheckedIssuableIds(issuable, value);
+
       this.$emit('update-legacy-bulk-edit');
       issuableEventHub.$emit('issuables:issuableChecked', issuable, value);
     },
     handleAllIssuablesCheckedInput(value) {
-      Object.keys(this.checkedIssuables).forEach((issuableId) => {
-        this.checkedIssuables[issuableId].checked = value;
-      });
+      this.issuables.forEach((issuable) => this.updateCheckedIssuableIds(issuable, value));
+
       this.$emit('update-legacy-bulk-edit');
     },
     handleVueDraggableUpdate({ newIndex, oldIndex }) {
@@ -357,10 +336,10 @@ export default {
     <gl-alert v-if="error" variant="danger" @dismiss="$emit('dismiss-alert')">{{ error }}</gl-alert>
     <issuable-bulk-edit-sidebar :expanded="showBulkEditSidebar">
       <template #bulk-edit-actions>
-        <slot name="bulk-edit-actions" :checked-issuables="bulkEditIssuables"></slot>
+        <slot name="bulk-edit-actions" :checked-issuables="checkedIssuables"></slot>
       </template>
       <template #sidebar-items>
-        <slot name="sidebar-items" :checked-issuables="bulkEditIssuables"></slot>
+        <slot name="sidebar-items" :checked-issuables="checkedIssuables"></slot>
       </template>
     </issuable-bulk-edit-sidebar>
     <slot name="list-body"></slot>
@@ -380,7 +359,7 @@ export default {
       >
         <issuable-item
           v-for="issuable in issuables"
-          :key="issuableId(issuable)"
+          :key="issuable.id"
           :class="{ 'gl-cursor-grab': isManualOrdering }"
           data-testid="issuable-container"
           :data-qa-issuable-title="issuable.title"
@@ -389,7 +368,7 @@ export default {
           :issuable="issuable"
           :label-filter-param="labelFilterParam"
           :show-checkbox="showBulkEditSidebar"
-          :checked="issuableChecked(issuable)"
+          :checked="isIssuableChecked(issuable)"
           :show-work-item-type-icon="showWorkItemTypeIcon"
           :prevent-redirect="preventRedirect"
           :is-active="isIssuableActive(issuable)"
diff --git a/app/graphql/types/ci/catalog/resource_type.rb b/app/graphql/types/ci/catalog/resource_type.rb
index e4d0fff0f2e..f7b2449f69a 100644
--- a/app/graphql/types/ci/catalog/resource_type.rb
+++ b/app/graphql/types/ci/catalog/resource_type.rb
@@ -29,7 +29,7 @@ module Types
         field :icon, GraphQL::Types::String, null: true, description: 'Icon for the catalog resource.',
           method: :avatar_path, alpha: { milestone: '15.11' }
 
-        field :full_path, GraphQL::Types::String, null: true, description: 'Full project path of the catalog resource.',
+        field :full_path, GraphQL::Types::ID, null: true, description: 'Full project path of the catalog resource.',
           alpha: { milestone: '16.11' }
 
         field :web_path, GraphQL::Types::String, null: true, description: 'Web path of the catalog resource.',
diff --git a/app/graphql/types/design_management/design_fields.rb b/app/graphql/types/design_management/design_fields.rb
index ed135d16a64..d491d3b2eb6 100644
--- a/app/graphql/types/design_management/design_fields.rb
+++ b/app/graphql/types/design_management/design_fields.rb
@@ -11,7 +11,7 @@ module Types
       field :project, Types::ProjectType, null: false, description: 'Project the design belongs to.'
       field :issue, Types::IssueType, null: false, description: 'Issue the design belongs to.'
       field :filename, GraphQL::Types::String, null: false, description: 'Filename of the design.'
-      field :full_path, GraphQL::Types::String, null: false, description: 'Full path to the design file.'
+      field :full_path, GraphQL::Types::ID, null: false, description: 'Full path to the design file.'
       field :image, GraphQL::Types::String, null: false, extras: [:parent], description: 'URL of the full-sized image.'
       field :image_v432x230,
         GraphQL::Types::String,
diff --git a/app/models/container_repository.rb b/app/models/container_repository.rb
index b93f68b91ce..582cda39215 100644
--- a/app/models/container_repository.rb
+++ b/app/models/container_repository.rb
@@ -138,7 +138,7 @@ class ContainerRepository < ApplicationRecord
   # does a search of tags containing the name and we filter them
   # to find the exact match. Otherwise, we instantiate a tag.
   def tag(tag)
-    if can_access_the_gitlab_api?
+    if migrated_and_can_access_the_gitlab_api?
       page = tags_page(name: tag)
       return if page[:tags].blank?
 
@@ -158,7 +158,7 @@ class ContainerRepository < ApplicationRecord
 
   def tags
     strong_memoize(:tags) do
-      if can_access_the_gitlab_api?
+      if migrated_and_can_access_the_gitlab_api?
         result = []
         each_tags_page do |array_of_tags|
           result << array_of_tags
@@ -268,7 +268,7 @@ class ContainerRepository < ApplicationRecord
   end
 
   def last_published_at
-    return unless can_access_the_gitlab_api?
+    return unless migrated_and_can_access_the_gitlab_api?
 
     timestamp_string = gitlab_api_client_repository_details['last_published_at']
     DateTime.iso8601(timestamp_string)
@@ -321,8 +321,8 @@ class ContainerRepository < ApplicationRecord
 
   private
 
-  def can_access_the_gitlab_api?
-    migrated? && ContainerRegistry::GitlabApiClient.supports_gitlab_api?
+  def migrated_and_can_access_the_gitlab_api?
+    migrated? && gitlab_api_client.supports_gitlab_api?
   end
 
   def transform_tags_page(tags_response_body)
diff --git a/app/models/project.rb b/app/models/project.rb
index 03ac569280d..0485b4b93e5 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -542,6 +542,7 @@ class Project < ApplicationRecord
     delegate :job_token_scope_enabled, :job_token_scope_enabled=, prefix: :ci_outbound
 
     with_options prefix: :ci do
+      delegate :pipeline_variables_minimum_override_role, :pipeline_variables_minimum_override_role=
       delegate :default_git_depth, :default_git_depth=
       delegate :forward_deployment_enabled, :forward_deployment_enabled=
       delegate :forward_deployment_rollback_allowed, :forward_deployment_rollback_allowed=
@@ -3101,6 +3102,12 @@ class Project < ApplicationRecord
     ci_cd_settings.restrict_user_defined_variables?
   end
 
+  def override_pipeline_variables_allowed?(access_level)
+    return false unless ci_cd_settings
+
+    ci_cd_settings.override_pipeline_variables_allowed?(access_level)
+  end
+
   def keep_latest_artifacts_available?
     return false unless ci_cd_settings
 
diff --git a/app/models/project_ci_cd_setting.rb b/app/models/project_ci_cd_setting.rb
index 8d049b8d1b1..072b580c1a6 100644
--- a/app/models/project_ci_cd_setting.rb
+++ b/app/models/project_ci_cd_setting.rb
@@ -6,6 +6,17 @@ class ProjectCiCdSetting < ApplicationRecord
   belongs_to :project, inverse_of: :ci_cd_settings
 
   DEFAULT_GIT_DEPTH = 20
+  NO_ONE_ALLOWED_ROLE = 1
+  DEVELOPER_ROLE = 2
+  MAINTAINER_ROLE = 3
+  OWNER_ROLE = 4
+
+  enum pipeline_variables_minimum_override_role: {
+    no_one_allowed: NO_ONE_ALLOWED_ROLE,
+    developer: DEVELOPER_ROLE,
+    maintainer: MAINTAINER_ROLE,
+    owner: OWNER_ROLE
+  }, _prefix: true
 
   before_create :set_default_git_depth
 
@@ -28,8 +39,28 @@ class ProjectCiCdSetting < ApplicationRecord
     Gitlab::CurrentSettings.current_application_settings.keep_latest_artifact? && keep_latest_artifact?
   end
 
+  def override_pipeline_variables_allowed?(role_access_level)
+    return true unless restrict_user_defined_variables?
+
+    project_minimum_access_level = pipeline_variables_minimum_override_role_for_database
+
+    return false if project_minimum_access_level == NO_ONE_ALLOWED_ROLE
+
+    role_project_minimum_access_level = role_map_pipeline_variables_minimum_override_role[project_minimum_access_level]
+
+    role_access_level >= role_project_minimum_access_level
+  end
+
   private
 
+  def role_map_pipeline_variables_minimum_override_role
+    {
+      DEVELOPER_ROLE => Gitlab::Access::DEVELOPER,
+      MAINTAINER_ROLE => Gitlab::Access::MAINTAINER,
+      OWNER_ROLE => Gitlab::Access::OWNER
+    }
+  end
+
   def set_default_git_depth
     self.default_git_depth ||= DEFAULT_GIT_DEPTH
   end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 8e4f2b4b4c4..f47861ca914 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -68,6 +68,9 @@ class ProjectPolicy < BasePolicy
   desc "Project is archived"
   condition(:archived, scope: :subject, score: 0) { project.archived? }
 
+  desc "Project user pipeline variables minimum override role"
+  condition(:project_pipeline_override_role_owner) { project.ci_pipeline_variables_minimum_override_role == 'owner' }
+
   desc "Project is in the process of being deleted"
   condition(:pending_delete) { project.pending_delete? }
 
@@ -240,7 +243,11 @@ class ProjectPolicy < BasePolicy
   end
 
   condition(:user_defined_variables_allowed) do
-    !@subject.restrict_user_defined_variables?
+    if ::Feature.enabled?(:allow_user_variables_by_minimum_role, @subject)
+      @subject.override_pipeline_variables_allowed?(team_access_level)
+    else
+      !@subject.restrict_user_defined_variables? || can?(:maintainer_access)
+    end
   end
 
   condition(:packages_disabled, scope: :subject) { !@subject.packages_enabled }
@@ -309,6 +316,8 @@ class ProjectPolicy < BasePolicy
   rule { maintainer }.enable :maintainer_access
   rule { owner | admin | organization_owner }.enable :owner_access
 
+  rule { project_pipeline_override_role_owner & ~can?(:owner_access) }.prevent :change_restrict_user_defined_variables
+
   rule { can?(:owner_access) }.policy do
     enable :guest_access
     enable :reporter_access
@@ -607,6 +616,7 @@ class ProjectPolicy < BasePolicy
     enable :admin_push_rules
     enable :manage_deploy_tokens
     enable :manage_merge_request_settings
+    enable :change_restrict_user_defined_variables
   end
 
   rule { can?(:admin_build) }.enable :manage_trigger
@@ -943,7 +953,7 @@ class ProjectPolicy < BasePolicy
     prevent :manage_resource_access_tokens
   end
 
-  rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
+  rule { user_defined_variables_allowed }.policy do
     enable :set_pipeline_variables
   end
 
diff --git a/app/serializers/deploy_keys/basic_deploy_key_entity.rb b/app/serializers/deploy_keys/basic_deploy_key_entity.rb
index 805d54d641a..59bf21b7224 100644
--- a/app/serializers/deploy_keys/basic_deploy_key_entity.rb
+++ b/app/serializers/deploy_keys/basic_deploy_key_entity.rb
@@ -15,16 +15,16 @@ module DeployKeys
     expose :expires_at
     expose :updated_at
     expose :can_edit
-    expose :user, as: :owner, using: ::API::Entities::UserBasic, if: -> (_, opts) { can_read_owner?(opts) }
-    expose :edit_path, if: -> (_, opts) { opts[:project] } do |deploy_key|
+    expose :user, as: :owner, using: ::API::Entities::UserBasic, if: ->(_, opts) { can_read_owner?(opts) }
+    expose :edit_path, if: ->(_, opts) { opts[:project] } do |deploy_key|
       edit_project_deploy_key_path(options[:project], deploy_key)
     end
 
-    expose :enable_path, if: -> (_, opts) { opts[:project] } do |deploy_key|
+    expose :enable_path, if: ->(_, opts) { opts[:project] } do |deploy_key|
       enable_project_deploy_key_path(options[:project], deploy_key)
     end
 
-    expose :disable_path, if: -> (_, opts) { opts[:project] } do |deploy_key|
+    expose :disable_path, if: ->(_, opts) { opts[:project] } do |deploy_key|
       disable_project_deploy_key_path(options[:project], deploy_key)
     end
 
diff --git a/app/serializers/deployment_cluster_entity.rb b/app/serializers/deployment_cluster_entity.rb
index 98736472b62..c460b9e7a5a 100644
--- a/app/serializers/deployment_cluster_entity.rb
+++ b/app/serializers/deployment_cluster_entity.rb
@@ -10,11 +10,11 @@ class DeploymentClusterEntity < Grape::Entity
     deployment.cluster.name
   end
 
-  expose :path, if: -> (deployment) { can?(request.current_user, :read_cluster, deployment.cluster) } do |deployment|
+  expose :path, if: ->(deployment) { can?(request.current_user, :read_cluster, deployment.cluster) } do |deployment|
     deployment.cluster.present(current_user: request.current_user).show_path
   end
 
-  expose :kubernetes_namespace, if: -> (deployment) { can?(request.current_user, :read_cluster, deployment.cluster) } do |deployment|
+  expose :kubernetes_namespace, if: ->(deployment) { can?(request.current_user, :read_cluster, deployment.cluster) } do |deployment|
     deployment.kubernetes_namespace
   end
 end
diff --git a/app/serializers/deployment_entity.rb b/app/serializers/deployment_entity.rb
index b32daa7d2d4..73a3338be0a 100644
--- a/app/serializers/deployment_entity.rb
+++ b/app/serializers/deployment_entity.rb
@@ -27,7 +27,7 @@ class DeploymentEntity < Grape::Entity
 
   expose :deployed_by, as: :user, using: UserEntity
 
-  expose :deployable, if: -> (deployment) { deployment.deployable.present? } do |deployment, opts|
+  expose :deployable, if: ->(deployment) { deployment.deployable.present? } do |deployment, opts|
     deployment.deployable.then do |deployable|
       if include_details?
         Ci::JobEntity.represent(deployable, opts)
@@ -38,10 +38,10 @@ class DeploymentEntity < Grape::Entity
     end
   end
 
-  expose :commit, using: CommitEntity, if: -> (*) { include_details? }
-  expose :manual_actions, using: Ci::JobEntity, if: -> (*) { include_details? && can_create_deployment? }
-  expose :scheduled_actions, using: Ci::JobEntity, if: -> (*) { include_details? && can_create_deployment? }
-  expose :playable_job, as: :playable_build, if: -> (deployment) { include_details? && can_create_deployment? && deployment.playable_job } do |deployment, options|
+  expose :commit, using: CommitEntity, if: ->(*) { include_details? }
+  expose :manual_actions, using: Ci::JobEntity, if: ->(*) { include_details? && can_create_deployment? }
+  expose :scheduled_actions, using: Ci::JobEntity, if: ->(*) { include_details? && can_create_deployment? }
+  expose :playable_job, as: :playable_build, if: ->(deployment) { include_details? && can_create_deployment? && deployment.playable_job } do |deployment, options|
     Ci::JobEntity.represent(deployment.playable_job, options.merge(only: [:play_path, :retry_path]))
   end
 
diff --git a/app/serializers/detailed_status_entity.rb b/app/serializers/detailed_status_entity.rb
index 3edc89be879..24bf5f35a71 100644
--- a/app/serializers/detailed_status_entity.rb
+++ b/app/serializers/detailed_status_entity.rb
@@ -38,7 +38,7 @@ class DetailedStatusEntity < Grape::Entity
     Gitlab::Favicon.ci_status_overlay(status.favicon)
   end
 
-  expose :action, if: -> (status, _) { status.has_action? } do
+  expose :action, if: ->(status, _) { status.has_action? } do
     expose :action_icon, as: :icon, documentation: { type: 'string', example: 'cancel' }
     expose :action_title, as: :title, documentation: { type: 'string', example: 'Cancel' }
     expose :action_path, as: :path, documentation: { type: 'string', example: '/namespace1/project1/-/jobs/2/cancel' }
diff --git a/app/serializers/diff_file_base_entity.rb b/app/serializers/diff_file_base_entity.rb
index 1409f023f21..f8cc3dab670 100644
--- a/app/serializers/diff_file_base_entity.rb
+++ b/app/serializers/diff_file_base_entity.rb
@@ -31,7 +31,7 @@ class DiffFileBaseEntity < Grape::Entity
     }
   end
 
-  expose :edit_path, if: -> (_, options) { options[:merge_request] } do |diff_file|
+  expose :edit_path, if: ->(_, options) { options[:merge_request] } do |diff_file|
     merge_request = options[:merge_request]
 
     next unless has_edit_path?(merge_request)
@@ -43,7 +43,7 @@ class DiffFileBaseEntity < Grape::Entity
     project_edit_blob_path(target_project, tree_join(target_branch, diff_file.new_path), options)
   end
 
-  expose :ide_edit_path, if: -> (_, options) { options[:merge_request] } do |diff_file|
+  expose :ide_edit_path, if: ->(_, options) { options[:merge_request] } do |diff_file|
     merge_request = options[:merge_request]
 
     next unless has_edit_path?(merge_request)
@@ -61,11 +61,11 @@ class DiffFileBaseEntity < Grape::Entity
     new_path
   end
 
-  expose :formatted_external_url, if: -> (_, options) { options[:environment] } do |diff_file|
+  expose :formatted_external_url, if: ->(_, options) { options[:environment] } do |diff_file|
     options[:environment].formatted_external_url
   end
 
-  expose :external_url, if: -> (_, options) { options[:environment] } do |diff_file|
+  expose :external_url, if: ->(_, options) { options[:environment] } do |diff_file|
     options[:environment].external_url_for(diff_file.new_path, diff_file.content_sha)
   end
 
diff --git a/app/serializers/diff_file_entity.rb b/app/serializers/diff_file_entity.rb
index 97ab9c83d71..d575fbf32c1 100644
--- a/app/serializers/diff_file_entity.rb
+++ b/app/serializers/diff_file_entity.rb
@@ -9,7 +9,7 @@ class DiffFileEntity < DiffFileBaseEntity
   expose :added_lines
   expose :removed_lines
 
-  expose :load_collapsed_diff_url, if: -> (diff_file, options) { options[:merge_request] } do |diff_file|
+  expose :load_collapsed_diff_url, if: ->(diff_file, options) { options[:merge_request] } do |diff_file|
     merge_request = options[:merge_request]
     project = merge_request.target_project
 
@@ -25,7 +25,7 @@ class DiffFileEntity < DiffFileBaseEntity
     )
   end
 
-  expose :view_path, if: -> (_, options) { options[:merge_request] } do |diff_file|
+  expose :view_path, if: ->(_, options) { options[:merge_request] } do |diff_file|
     merge_request = options[:merge_request]
 
     project = merge_request.target_project
@@ -36,7 +36,7 @@ class DiffFileEntity < DiffFileBaseEntity
     project_blob_path(project, tree_join(diff_file.content_sha, diff_file.new_path))
   end
 
-  expose :replaced_view_path, if: -> (_, options) { options[:merge_request] } do |diff_file|
+  expose :replaced_view_path, if: ->(_, options) { options[:merge_request] } do |diff_file|
     image_diff = diff_file.rich_viewer && diff_file.rich_viewer.partial_name == 'image'
     image_replaced = diff_file.old_content_sha && diff_file.old_content_sha != diff_file.content_sha
 
@@ -48,14 +48,14 @@ class DiffFileEntity < DiffFileBaseEntity
     project_blob_path(project, tree_join(diff_file.old_content_sha, diff_file.old_path)) if image_diff && image_replaced
   end
 
-  expose :context_lines_path, if: -> (diff_file, _) { diff_file.text? } do |diff_file|
+  expose :context_lines_path, if: ->(diff_file, _) { diff_file.text? } do |diff_file|
     next unless diff_file.content_sha
 
     project_blob_diff_path(diff_file.repository.project, tree_join(diff_file.content_sha, diff_file.file_path))
   end
 
   # Used for inline diffs
-  expose :diff_lines_for_serializer, as: :highlighted_diff_lines, using: DiffLineEntity, if: -> (diff_file, options) { display_highlighted_diffs?(diff_file, options) }
+  expose :diff_lines_for_serializer, as: :highlighted_diff_lines, using: DiffLineEntity, if: ->(diff_file, options) { display_highlighted_diffs?(diff_file, options) }
 
   expose :viewer do |diff_file, options|
     whitespace_only = if !display_highlighted_diffs?(diff_file, options)
@@ -72,9 +72,9 @@ class DiffFileEntity < DiffFileBaseEntity
   expose :fully_expanded?, as: :is_fully_expanded
 
   # Used for parallel diffs
-  expose :parallel_diff_lines, using: DiffLineParallelEntity, if: -> (diff_file, options) { parallel_diff_view?(options) && diff_file.text? }
+  expose :parallel_diff_lines, using: DiffLineParallelEntity, if: ->(diff_file, options) { parallel_diff_view?(options) && diff_file.text? }
 
-  expose :code_navigation_path, if: -> (diff_file) { options[:code_navigation_path] } do |diff_file|
+  expose :code_navigation_path, if: ->(diff_file) { options[:code_navigation_path] } do |diff_file|
     options[:code_navigation_path].full_json_path_for(diff_file.new_path)
   end
 
diff --git a/app/serializers/diffs_entity.rb b/app/serializers/diffs_entity.rb
index 5b48e274380..883875122a9 100644
--- a/app/serializers/diffs_entity.rb
+++ b/app/serializers/diffs_entity.rb
@@ -39,7 +39,7 @@ class DiffsEntity < Grape::Entity
     options[:latest_diff]
   end
 
-  expose :latest_version_path, if: -> (*) { merge_request } do |diffs|
+  expose :latest_version_path, if: ->(*) { merge_request } do |diffs|
     diffs_project_merge_request_path(merge_request&.project, merge_request)
   end
 
@@ -59,11 +59,11 @@ class DiffsEntity < Grape::Entity
     render_overflow_warning?(diffs)
   end
 
-  expose :email_patch_path, if: -> (*) { merge_request } do |diffs|
+  expose :email_patch_path, if: ->(*) { merge_request } do |diffs|
     merge_request_path(merge_request, format: :patch)
   end
 
-  expose :plain_diff_path, if: -> (*) { merge_request } do |diffs|
+  expose :plain_diff_path, if: ->(*) { merge_request } do |diffs|
     merge_request_path(merge_request, format: :diff)
   end
 
@@ -79,7 +79,7 @@ class DiffsEntity < Grape::Entity
     )
   end
 
-  expose :merge_request_diffs, using: MergeRequestDiffEntity, if: -> (_, options) { options[:merge_request_diffs]&.any? } do |diffs|
+  expose :merge_request_diffs, using: MergeRequestDiffEntity, if: ->(_, options) { options[:merge_request_diffs]&.any? } do |diffs|
     options[:merge_request_diffs]
   end
 
diff --git a/app/serializers/discussion_entity.rb b/app/serializers/discussion_entity.rb
index 9ee2e145cd5..adf80cc6b30 100644
--- a/app/serializers/discussion_entity.rb
+++ b/app/serializers/discussion_entity.rb
@@ -11,11 +11,11 @@ class DiscussionEntity < BaseDiscussionEntity
     )
   end
 
-  expose :positions, if: -> (d, _) { display_merge_ref_discussions?(d) } do |discussion|
+  expose :positions, if: ->(d, _) { display_merge_ref_discussions?(d) } do |discussion|
     discussion.diff_note_positions.map(&:position)
   end
 
-  expose :line_codes, if: -> (d, _) { display_merge_ref_discussions?(d) } do |discussion|
+  expose :line_codes, if: ->(d, _) { display_merge_ref_discussions?(d) } do |discussion|
     discussion.diff_note_positions.map(&:line_code)
   end
 
diff --git a/app/serializers/draft_note_entity.rb b/app/serializers/draft_note_entity.rb
index 97a889a1464..2dd8114f299 100644
--- a/app/serializers/draft_note_entity.rb
+++ b/app/serializers/draft_note_entity.rb
@@ -5,7 +5,7 @@ class DraftNoteEntity < Grape::Entity
   expose :id
   expose :author, using: NoteUserEntity
   expose :merge_request_id
-  expose :position, if: -> (note, _) { note.on_diff? }
+  expose :position, if: ->(note, _) { note.on_diff? }
   expose :line_code
   expose :file_identifier_hash
   expose :file_hash
diff --git a/app/serializers/environment_entity.rb b/app/serializers/environment_entity.rb
index b1f731cdd4d..26c737e8c90 100644
--- a/app/serializers/environment_entity.rb
+++ b/app/serializers/environment_entity.rb
@@ -19,10 +19,10 @@ class EnvironmentEntity < Grape::Entity
   expose :name_without_type
   expose :last_deployment, using: DeploymentEntity
   expose :stop_actions_available?, as: :has_stop_action
-  expose :rollout_status, if: -> (*) { can_read_deploy_board? }, using: RolloutStatusEntity
+  expose :rollout_status, if: ->(*) { can_read_deploy_board? }, using: RolloutStatusEntity
   expose :tier
 
-  expose :upcoming_deployment, if: -> (environment) { environment.upcoming_deployment } do |environment, ops|
+  expose :upcoming_deployment, if: ->(environment) { environment.upcoming_deployment } do |environment, ops|
     DeploymentEntity.represent(environment.upcoming_deployment,
       ops.merge(except: UNNECESSARY_ENTRIES_FOR_UPCOMING_DEPLOYMENT))
   end
@@ -35,7 +35,7 @@ class EnvironmentEntity < Grape::Entity
     stop_project_environment_path(environment.project, environment)
   end
 
-  expose :cancel_auto_stop_path, if: -> (*) { can_update_environment? } do |environment|
+  expose :cancel_auto_stop_path, if: ->(*) { can_update_environment? } do |environment|
     cancel_auto_stop_project_environment_path(environment.project, environment)
   end
 
diff --git a/app/serializers/feature_flag_entity.rb b/app/serializers/feature_flag_entity.rb
index 196a4cd504f..d3ad2a9f81f 100644
--- a/app/serializers/feature_flag_entity.rb
+++ b/app/serializers/feature_flag_entity.rb
@@ -12,15 +12,15 @@ class FeatureFlagEntity < Grape::Entity
   expose :description
   expose :version
 
-  expose :edit_path, if: -> (feature_flag, _) { can_update?(feature_flag) } do |feature_flag|
+  expose :edit_path, if: ->(feature_flag, _) { can_update?(feature_flag) } do |feature_flag|
     edit_project_feature_flag_path(feature_flag.project, feature_flag)
   end
 
-  expose :update_path, if: -> (feature_flag, _) { can_update?(feature_flag) } do |feature_flag|
+  expose :update_path, if: ->(feature_flag, _) { can_update?(feature_flag) } do |feature_flag|
     project_feature_flag_path(feature_flag.project, feature_flag)
   end
 
-  expose :destroy_path, if: -> (feature_flag, _) { can_destroy?(feature_flag) } do |feature_flag|
+  expose :destroy_path, if: ->(feature_flag, _) { can_destroy?(feature_flag) } do |feature_flag|
     project_feature_flag_path(feature_flag.project, feature_flag)
   end
 
diff --git a/app/serializers/issue_board_entity.rb b/app/serializers/issue_board_entity.rb
index c99a771bb11..b6aa421b603 100644
--- a/app/serializers/issue_board_entity.rb
+++ b/app/serializers/issue_board_entity.rb
@@ -24,7 +24,7 @@ class IssueBoardEntity < Grape::Entity
     API::Entities::Project.represent issue.project, only: [:id, :path, :path_with_namespace]
   end
 
-  expose :milestone, if: -> (issue) { issue.milestone } do |issue|
+  expose :milestone, if: ->(issue) { issue.milestone } do |issue|
     API::Entities::Milestone.represent issue.milestone, only: [:id, :title]
   end
 
@@ -36,23 +36,23 @@ class IssueBoardEntity < Grape::Entity
     LabelEntity.represent issue.labels, project: issue.project, only: [:id, :title, :description, :color, :priority, :text_color]
   end
 
-  expose :reference_path, if: -> (issue) { issue.project } do |issue, options|
+  expose :reference_path, if: ->(issue) { issue.project } do |issue, options|
     options[:include_full_project_path] ? issue.to_reference(full: true) : issue.to_reference
   end
 
-  expose :real_path, if: -> (issue) { issue.project } do |issue|
+  expose :real_path, if: ->(issue) { issue.project } do |issue|
     Gitlab::UrlBuilder.build(issue, only_path: true)
   end
 
-  expose :issue_sidebar_endpoint, if: -> (issue) { issue.project } do |issue|
+  expose :issue_sidebar_endpoint, if: ->(issue) { issue.project } do |issue|
     project_issue_path(issue.project, issue, format: :json, serializer: 'sidebar_extras')
   end
 
-  expose :toggle_subscription_endpoint, if: -> (issue) { issue.project } do |issue|
+  expose :toggle_subscription_endpoint, if: ->(issue) { issue.project } do |issue|
     toggle_subscription_project_issue_path(issue.project, issue)
   end
 
-  expose :assignable_labels_endpoint, if: -> (issue) { issue.project } do |issue|
+  expose :assignable_labels_endpoint, if: ->(issue) { issue.project } do |issue|
     project_labels_path(issue.project, format: :json, include_ancestor_groups: true)
   end
 
diff --git a/app/serializers/issue_entity.rb b/app/serializers/issue_entity.rb
index 9a55e761bf0..2e326e94c68 100644
--- a/app/serializers/issue_entity.rb
+++ b/app/serializers/issue_entity.rb
@@ -72,11 +72,11 @@ class IssueEntity < IssuableEntity
     preview_markdown_path(issue.project, target_type: 'Issue', target_id: issue.iid)
   end
 
-  expose :confidential_issues_docs_path, if: -> (issue) { issue.confidential? } do |issue|
+  expose :confidential_issues_docs_path, if: ->(issue) { issue.confidential? } do |issue|
     help_page_path('user/project/issues/confidential_issues')
   end
 
-  expose :locked_discussion_docs_path, if: -> (issue) { issue.discussion_locked? } do |issue|
+  expose :locked_discussion_docs_path, if: ->(issue) { issue.discussion_locked? } do |issue|
     help_page_path('user/discussions/index', anchor: 'prevent-comments-by-locking-an-issue')
   end
 
@@ -84,7 +84,7 @@ class IssueEntity < IssuableEntity
     issue.project.archived?
   end
 
-  expose :archived_project_docs_path, if: -> (issue) { issue.project.archived? } do |issue|
+  expose :archived_project_docs_path, if: ->(issue) { issue.project.archived? } do |issue|
     help_page_path('user/project/settings/index', anchor: 'archive-a-project')
   end
 
diff --git a/app/serializers/issue_sidebar_basic_entity.rb b/app/serializers/issue_sidebar_basic_entity.rb
index 2450c6a4d85..efb08fc08f1 100644
--- a/app/serializers/issue_sidebar_basic_entity.rb
+++ b/app/serializers/issue_sidebar_basic_entity.rb
@@ -6,7 +6,7 @@ class IssueSidebarBasicEntity < IssuableSidebarBasicEntity
   expose :severity
 
   expose :current_user, merge: true do
-    expose :can_update_escalation_status, if: -> (issue, _) { issue.supports_escalation? } do |issue|
+    expose :can_update_escalation_status, if: ->(issue, _) { issue.supports_escalation? } do |issue|
       can?(current_user, :update_escalation_status, issue.project)
     end
   end
diff --git a/app/services/concerns/base_service_utility.rb b/app/services/concerns/base_service_utility.rb
index 70b223a0289..e1bc59200e3 100644
--- a/app/services/concerns/base_service_utility.rb
+++ b/app/services/concerns/base_service_utility.rb
@@ -52,10 +52,10 @@ module BaseServiceUtility
   # message     - Error message to include in the Hash
   # http_status - Optional HTTP status code override (default: nil)
   # pass_back   - Additional attributes to be included in the resulting Hash
-  def error(message, http_status = nil, pass_back: {})
+  def error(message, http_status = nil, status: :error, pass_back: {})
     result = {
       message: message,
-      status: :error
+      status: status
     }.reverse_merge(pass_back)
 
     result[:http_status] = http_status if http_status
diff --git a/app/services/projects/update_service.rb b/app/services/projects/update_service.rb
index 8a691a86330..ce6d772831f 100644
--- a/app/services/projects/update_service.rb
+++ b/app/services/projects/update_service.rb
@@ -6,6 +6,7 @@ module Projects
     include ValidatesClassificationLabel
 
     ValidationError = Class.new(StandardError)
+    ApiError = Class.new(StandardError)
 
     def execute
       build_topics
@@ -40,6 +41,8 @@ module Projects
       end
     rescue ValidationError => e
       error(e.message)
+    rescue ApiError => e
+      error(e.message, status: :api_error)
     end
 
     def run_auto_devops_pipeline?
@@ -63,6 +66,22 @@ module Projects
 
       validate_default_branch_change
       validate_renaming_project_with_tags
+      validate_restrict_user_defined_variables_change
+    end
+
+    def validate_restrict_user_defined_variables_change
+      return if ::Feature.disabled?(:allow_user_variables_by_minimum_role, project)
+      return unless changing_restrict_user_defined_variables? || changing_pipeline_variables_minimum_override_role?
+
+      if changing_pipeline_variables_minimum_override_role? &&
+          params[:ci_pipeline_variables_minimum_override_role] == 'owner' &&
+          !can?(current_user, :owner_access, project)
+        raise_api_error(s_("UpdateProject|Changing the ci_pipeline_variables_minimum_override_role to the owner role is not allowed"))
+      end
+
+      return if can?(current_user, :change_restrict_user_defined_variables, project)
+
+      raise_api_error(s_("UpdateProject|Changing the restrict_user_defined_variables or ci_pipeline_variables_minimum_override_role is not allowed"))
     end
 
     def validate_default_branch_change
@@ -167,6 +186,10 @@ module Projects
       raise ValidationError, message
     end
 
+    def raise_api_error(message)
+      raise ApiError, message
+    end
+
     def update_failed!
       model_errors = project.errors.full_messages.to_sentence
       error_message = model_errors.presence || s_('UpdateProject|Project could not be updated!')
@@ -188,6 +211,20 @@ module Projects
         new_branch != project.default_branch
     end
 
+    def changing_restrict_user_defined_variables?
+      new_restrict_user_defined_variables = params[:restrict_user_defined_variables]
+      return false if new_restrict_user_defined_variables.nil?
+
+      project.restrict_user_defined_variables != new_restrict_user_defined_variables
+    end
+
+    def changing_pipeline_variables_minimum_override_role?
+      new_pipeline_variables_minimum_override_role = params[:ci_pipeline_variables_minimum_override_role]
+      return false if new_pipeline_variables_minimum_override_role.nil?
+
+      project.ci_pipeline_variables_minimum_override_role != new_pipeline_variables_minimum_override_role
+    end
+
     def enabling_wiki?
       return false if project.wiki_enabled?
 
diff --git a/app/services/remote_mirrors/destroy_service.rb b/app/services/remote_mirrors/destroy_service.rb
new file mode 100644
index 00000000000..05e28e9ea99
--- /dev/null
+++ b/app/services/remote_mirrors/destroy_service.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module RemoteMirrors # rubocop:disable Gitlab/BoundedContexts -- https://gitlab.com/gitlab-org/gitlab/-/issues/462816
+  class DestroyService < BaseService
+    def execute(remote_mirror)
+      return ServiceResponse.error(message: _('Access Denied')) unless allowed?
+      return ServiceResponse.error(message: _('Remote mirror is missing')) unless remote_mirror
+      return ServiceResponse.error(message: _('Project mismatch')) unless remote_mirror.project == project
+
+      if remote_mirror.destroy
+        ServiceResponse.success
+      else
+        ServiceResponse.error(message: remote_mirror.errors)
+      end
+    end
+
+    private
+
+    def allowed?
+      Ability.allowed?(current_user, :admin_remote_mirror, project)
+    end
+  end
+end
diff --git a/app/services/work_items/parent_links/create_service.rb b/app/services/work_items/parent_links/create_service.rb
index f48c3f8c0f1..5f6389c81d8 100644
--- a/app/services/work_items/parent_links/create_service.rb
+++ b/app/services/work_items/parent_links/create_service.rb
@@ -9,7 +9,14 @@ module WorkItems
       def relate_issuables(work_item)
         link = set_parent(issuable, work_item)
 
-        link.move_to_end
+        # It's possible to force the relative_position. This is for example used when importing parent links from
+        # legacy epics.
+        if params[:relative_position]
+          link.relative_position = params[:relative_position]
+        else
+          link.move_to_end
+        end
+
         create_notes_and_resource_event(work_item, link) if link.changed? && link.save
 
         link
diff --git a/app/views/projects/issues/_new_branch.html.haml b/app/views/projects/issues/_new_branch.html.haml
index 27f62389f0c..08dc0adbddb 100644
--- a/app/views/projects/issues/_new_branch.html.haml
+++ b/app/views/projects/issues/_new_branch.html.haml
@@ -12,7 +12,7 @@
   - tracking_data = create_mr_tracking_data(can_create_merge_request, can_create_confidential_merge_request?)
   - default_create_mr_path = create_mr_path(from: @issue.to_branch_name, source_project: @project, to: default_project.default_branch, mr_params: { issue_iid: @issue.iid })
 
-  .create-mr-dropdown-wrap.d-inline-block.full-width-mobile.js-create-mr{ data: { project_path: @project.full_path, project_id: @project.id, can_create_path: can_create_path, create_mr_path: default_create_mr_path, create_branch_path: create_branch_path, refs_path: refs_path, is_confidential: can_create_confidential_merge_request?.to_s } }
+  .create-mr-dropdown-wrap.gl-inline-block.full-width-mobile.js-create-mr{ data: { project_path: @project.full_path, project_id: @project.id, can_create_path: can_create_path, create_mr_path: default_create_mr_path, create_branch_path: create_branch_path, refs_path: refs_path, is_confidential: can_create_confidential_merge_request?.to_s } }
     .btn-group.unavailable
       = render Pajamas::ButtonComponent.new(button_options: { disabled: 'disabled' }) do
         = gl_loading_icon(inline: true, css_class: 'js-create-mr-spinner gl-button-icon gl-hidden')
diff --git a/app/views/projects/merge_requests/_merge_request.html.haml b/app/views/projects/merge_requests/_merge_request.html.haml
index d1e24aa66b3..7be50ff3b2b 100644
--- a/app/views/projects/merge_requests/_merge_request.html.haml
+++ b/app/views/projects/merge_requests/_merge_request.html.haml
@@ -15,24 +15,24 @@
           = hidden_merge_request_icon(merge_request)
           = link_to merge_request.title, merge_request_path(merge_request), class: 'js-prefetch-document'
         - if merge_request.tasks?
-          %span.task-status.gl-display-inline-block.gl-font-sm
+          %span.task-status.gl-inline-block.gl-font-sm
             &nbsp;
             = merge_request.task_status
 
       .issuable-info
-        %span.issuable-reference.gl-display-inline-block
+        %span.issuable-reference.gl-inline-block
           #{issuable_reference(merge_request)}
-        %span.issuable-authored.gl-display-inline-block.gl-text-gray-500!
+        %span.issuable-authored.gl-inline-block.gl-text-gray-500!
           &middot;
           #{s_('IssueList|created %{timeAgoString} by %{user}').html_safe % { timeAgoString: time_ago_with_tooltip(merge_request.created_at, placement: 'bottom'), user: link_to_member(@project, merge_request.author, avatar: false, extra_class: 'gl-text-gray-500!') }}
         - if merge_request.milestone
-          %span.issuable-milestone.gl-display-inline-block.gl-text-truncate.gl-max-w-26.gl-align-bottom
+          %span.issuable-milestone.gl-inline-block.gl-text-truncate.gl-max-w-26.gl-align-bottom
             &nbsp;
             = link_to project_merge_requests_path(merge_request.project, milestone_title: merge_request.milestone.title), class: 'gl-text-gray-500!', data: { html: 'true', toggle: 'tooltip', title: milestone_tooltip_due_date(merge_request.milestone) } do
               = sprite_icon('milestone', size: 12, css_class: 'gl-vertical-align-text-bottom')
               = merge_request.milestone.title
         - if merge_request.target_project.default_branch != merge_request.target_branch
-          %span.project-ref-path.has-tooltip.d-inline-block.gl-text-truncate.gl-max-w-26.gl-align-bottom{ title: _('Target branch: %{target_branch}') % {target_branch: merge_request.target_branch} }
+          %span.project-ref-path.has-tooltip.gl-inline-block.gl-text-truncate.gl-max-w-26.gl-align-bottom{ title: _('Target branch: %{target_branch}') % {target_branch: merge_request.target_branch} }
             &nbsp;
             = link_to project_ref_path(merge_request.project, merge_request.target_branch), class: 'ref-name gl-text-gray-500!' do
               = sprite_icon('branch', size: 12, css_class: 'fork-sprite')
diff --git a/app/views/search/results/_issuable.html.haml b/app/views/search/results/_issuable.html.haml
index 37bff2d6717..1175b5273f5 100644
--- a/app/views/search/results/_issuable.html.haml
+++ b/app/views/search/results/_issuable.html.haml
@@ -10,7 +10,7 @@
       &middot;
       = sprintf(s_('created %{issuable_created} by %{author}'), { issuable_created: time_ago_with_tooltip(issuable.created_at, placement: 'bottom'), author: link_to_member(@project, issuable.author, avatar: false) }).html_safe
       - if (target_branch = issuable_visible_target_branch(issuable))
-        %span.project-ref-path.has-tooltip.d-inline-block.gl-text-truncate.gl-max-w-26.gl-align-bottom{ title: _('Target branch: %{target_branch}') % {target_branch: target_branch} }
+        %span.project-ref-path.has-tooltip.gl-inline-block.gl-text-truncate.gl-max-w-26.gl-align-bottom{ title: _('Target branch: %{target_branch}') % {target_branch: target_branch} }
           &nbsp;
           = link_to project_ref_path(issuable.project, target_branch), class: 'ref-name gl-text-secondary!' do
             = sprite_icon('branch', size: 12, css_class: 'fork-sprite')
diff --git a/app/views/user_settings/profiles/_private_profile.html.haml b/app/views/user_settings/profiles/_private_profile.html.haml
new file mode 100644
index 00000000000..d512fe29eaf
--- /dev/null
+++ b/app/views/user_settings/profiles/_private_profile.html.haml
@@ -0,0 +1,6 @@
+- form = local_assigns.fetch(:form)
+
+- private_profile_help_link = link_to _("Learn more"), help_page_path('user/profile/index', anchor: 'make-your-user-profile-page-private')
+- private_profile_label = safe_format(s_("Profiles|Don't display activity-related personal information on your profile. %{private_profile_help_link_start}Learn more%{private_profile_help_link_end}."), tag_pair(private_profile_help_link, :private_profile_help_link_start, :private_profile_help_link_end))
+
+= form.gitlab_ui_checkbox_component :private_profile, private_profile_label
diff --git a/app/views/user_settings/profiles/show.html.haml b/app/views/user_settings/profiles/show.html.haml
index d477f6277aa..b621b6204dd 100644
--- a/app/views/user_settings/profiles/show.html.haml
+++ b/app/views/user_settings/profiles/show.html.haml
@@ -158,9 +158,7 @@
         %fieldset.form-group.gl-form-group
           %legend.col-form-label
             = _('Private profile')
-          - private_profile_help_link = link_to _("Learn more"), help_page_path('user/profile/index', anchor: 'make-your-user-profile-page-private')
-          - private_profile_label = safe_format(s_("Profiles|Don't display activity-related personal information on your profile. %{private_profile_help_link_start}Learn more%{private_profile_help_link_end}."), tag_pair(private_profile_help_link, :private_profile_help_link_start, :private_profile_help_link_end))
-          = f.gitlab_ui_checkbox_component :private_profile, private_profile_label
+          = render_if_exists 'user_settings/profiles/private_profile', form: f, user: @user
         %fieldset.form-group.gl-form-group
           %legend.col-form-label
             = s_("Profiles|Private contributions")
diff --git a/config/feature_flags/development/allow_user_variables_by_minimum_role.yml b/config/feature_flags/development/allow_user_variables_by_minimum_role.yml
new file mode 100644
index 00000000000..0e6a037c04e
--- /dev/null
+++ b/config/feature_flags/development/allow_user_variables_by_minimum_role.yml
@@ -0,0 +1,8 @@
+---
+name: allow_user_variables_by_minimum_role
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149343
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/456284
+milestone: '17.1'
+type: development
+group: group::pipeline security
+default_enabled: false
\ No newline at end of file
diff --git a/config/feature_flags/gitlab_com_derisk/use_remote_mirror_destroy_service.yml b/config/feature_flags/gitlab_com_derisk/use_remote_mirror_destroy_service.yml
new file mode 100644
index 00000000000..e4e5ee6a7cd
--- /dev/null
+++ b/config/feature_flags/gitlab_com_derisk/use_remote_mirror_destroy_service.yml
@@ -0,0 +1,9 @@
+---
+name: use_remote_mirror_destroy_service
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/455518
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153845
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/463022
+milestone: '17.1'
+group: group::source code
+type: gitlab_com_derisk
+default_enabled: false
diff --git a/db/docs/batched_background_migrations/backfill_epic_issues_into_work_item_parent_links.yml b/db/docs/batched_background_migrations/backfill_epic_issues_into_work_item_parent_links.yml
new file mode 100644
index 00000000000..b5bb1eabf2f
--- /dev/null
+++ b/db/docs/batched_background_migrations/backfill_epic_issues_into_work_item_parent_links.yml
@@ -0,0 +1,9 @@
+---
+migration_job_name: BackfillEpicIssuesIntoWorkItemParentLinks
+description: Creates records in the work_item_parent_links table for each record in the epic_issues table
+feature_category: team_planning
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147509
+milestone: '17.1'
+queued_migration_version: 20240522183910
+finalize_after: '2024-06-20'
+finalized_by:
diff --git a/db/migrate/20240411204324_add_ci_pipeline_variables_minimum_role_enum.rb b/db/migrate/20240411204324_add_ci_pipeline_variables_minimum_role_enum.rb
new file mode 100644
index 00000000000..4732e498021
--- /dev/null
+++ b/db/migrate/20240411204324_add_ci_pipeline_variables_minimum_role_enum.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class AddCiPipelineVariablesMinimumRoleEnum < Gitlab::Database::Migration[2.2]
+  milestone '17.1'
+
+  def change
+    add_column :project_ci_cd_settings, :pipeline_variables_minimum_override_role,
+      :integer, default: ProjectCiCdSetting::MAINTAINER_ROLE, null: false, limit: 2
+  end
+end
diff --git a/db/post_migrate/20240515094240_delete_invalid_path_locks_records.rb b/db/post_migrate/20240515094240_delete_invalid_path_locks_records.rb
new file mode 100644
index 00000000000..3b2a68db3a5
--- /dev/null
+++ b/db/post_migrate/20240515094240_delete_invalid_path_locks_records.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+class DeleteInvalidPathLocksRecords < Gitlab::Database::Migration[2.2]
+  milestone '17.1'
+  restrict_gitlab_migration gitlab_schema: :gitlab_main
+  disable_ddl_transaction!
+
+  BATCH_SIZE = 1000
+
+  def up
+    return if Gitlab.com?
+
+    relation = define_batchable_model('path_locks').where(project_id: nil)
+
+    loop do
+      batch = relation.limit(BATCH_SIZE)
+      delete_count = relation.where(id: batch.select(:id)).delete_all
+
+      break if delete_count == 0
+    end
+  end
+
+  def down
+    # no-op
+  end
+end
diff --git a/db/post_migrate/20240515094256_add_not_null_constraint_to_path_locks.rb b/db/post_migrate/20240515094256_add_not_null_constraint_to_path_locks.rb
new file mode 100644
index 00000000000..55373ba2058
--- /dev/null
+++ b/db/post_migrate/20240515094256_add_not_null_constraint_to_path_locks.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class AddNotNullConstraintToPathLocks < Gitlab::Database::Migration[2.2]
+  milestone '17.1'
+  disable_ddl_transaction!
+
+  def up
+    add_not_null_constraint :path_locks, :project_id
+  end
+
+  def down
+    remove_not_null_constraint :path_locks, :project_id
+  end
+end
diff --git a/db/post_migrate/20240522183910_queue_backfill_epic_issues_into_work_item_parent_links.rb b/db/post_migrate/20240522183910_queue_backfill_epic_issues_into_work_item_parent_links.rb
new file mode 100644
index 00000000000..b0653cd9960
--- /dev/null
+++ b/db/post_migrate/20240522183910_queue_backfill_epic_issues_into_work_item_parent_links.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+class QueueBackfillEpicIssuesIntoWorkItemParentLinks < Gitlab::Database::Migration[2.2]
+  milestone '17.1'
+
+  restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+  MIGRATION = "BackfillEpicIssuesIntoWorkItemParentLinks"
+  DELAY_INTERVAL = 2.minutes
+  BATCH_SIZE = 10_000
+  SUB_BATCH_SIZE = 100
+  # not passing any group id, means we'd backfill everything. We still have the option to pass in a group id if we
+  # need to reschedule the backfilling for a single group
+  GROUP_ID = nil
+
+  def up
+    queue_batched_background_migration(
+      MIGRATION,
+      :epic_issues,
+      :id,
+      GROUP_ID,
+      job_interval: DELAY_INTERVAL,
+      batch_size: BATCH_SIZE,
+      sub_batch_size: SUB_BATCH_SIZE
+    )
+  end
+
+  def down
+    delete_batched_background_migration(MIGRATION, :epic_issues, :id, [GROUP_ID])
+  end
+end
diff --git a/db/schema_migrations/20240411204324 b/db/schema_migrations/20240411204324
new file mode 100644
index 00000000000..09944146cd6
--- /dev/null
+++ b/db/schema_migrations/20240411204324
@@ -0,0 +1 @@
+24d4e0a054fa3c52b1ce41c7a28cb759e711d1b7860caf934ddb93c7540ee8c5
\ No newline at end of file
diff --git a/db/schema_migrations/20240515094240 b/db/schema_migrations/20240515094240
new file mode 100644
index 00000000000..7d33454f0b5
--- /dev/null
+++ b/db/schema_migrations/20240515094240
@@ -0,0 +1 @@
+176ca5cc2642c0873366e46848a8040845cfbacb0080ea697a4dba82267d0ea0
\ No newline at end of file
diff --git a/db/schema_migrations/20240515094256 b/db/schema_migrations/20240515094256
new file mode 100644
index 00000000000..3815e683728
--- /dev/null
+++ b/db/schema_migrations/20240515094256
@@ -0,0 +1 @@
+cd33ac1a0bf63f127323f3e84913ddb9315aff5fc828d6bd5999d52857f1647e
\ No newline at end of file
diff --git a/db/schema_migrations/20240522183910 b/db/schema_migrations/20240522183910
new file mode 100644
index 00000000000..a5944ffee34
--- /dev/null
+++ b/db/schema_migrations/20240522183910
@@ -0,0 +1 @@
+d3f5bc2c43d871d32e6726e4b3f001a08a4de338dc5c17b7d1b0cf2d6747ee5a
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index df6af40fed5..36ee53b5065 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -13708,7 +13708,8 @@ CREATE TABLE path_locks (
     project_id integer,
     user_id integer,
     created_at timestamp without time zone NOT NULL,
-    updated_at timestamp without time zone NOT NULL
+    updated_at timestamp without time zone NOT NULL,
+    CONSTRAINT check_e1de2eb0f1 CHECK ((project_id IS NOT NULL))
 );
 
 CREATE SEQUENCE path_locks_id_seq
@@ -14507,7 +14508,8 @@ CREATE TABLE project_ci_cd_settings (
     inbound_job_token_scope_enabled boolean DEFAULT true NOT NULL,
     forward_deployment_rollback_allowed boolean DEFAULT true NOT NULL,
     merge_trains_skip_train_allowed boolean DEFAULT false NOT NULL,
-    restrict_pipeline_cancellation_role smallint DEFAULT 0 NOT NULL
+    restrict_pipeline_cancellation_role smallint DEFAULT 0 NOT NULL,
+    pipeline_variables_minimum_override_role smallint DEFAULT 3 NOT NULL
 );
 
 CREATE SEQUENCE project_ci_cd_settings_id_seq
diff --git a/doc/administration/admin_area.md b/doc/administration/admin_area.md
index b9fe858cdbd..a5bb04f55e9 100644
--- a/doc/administration/admin_area.md
+++ b/doc/administration/admin_area.md
@@ -21,7 +21,7 @@ If the GitLab instance uses Admin Mode, you must [enable Admin Mode for your ses
 the **Admin Area** button is visible.
 
 NOTE:
-Only administrators can access the Admin Area.
+Only administrators on GitLab self-managed can access the Admin Area. On GitLab.com the Admin Area feature is not available.
 
 ## Administering organizations
 
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index 6dd43b098ee..8bb947c7d5b 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -17409,7 +17409,7 @@ Represents the total number of issues and their weights for a particular day.
 | Name | Type | Description |
 | ---- | ---- | ----------- |
 | <a id="cicatalogresourcedescription"></a>`description` **{warning-solid}** | [`String`](#string) | **Introduced** in GitLab 15.11. **Status**: Experiment. Description of the catalog resource. |
-| <a id="cicatalogresourcefullpath"></a>`fullPath` **{warning-solid}** | [`String`](#string) | **Introduced** in GitLab 16.11. **Status**: Experiment. Full project path of the catalog resource. |
+| <a id="cicatalogresourcefullpath"></a>`fullPath` **{warning-solid}** | [`ID`](#id) | **Introduced** in GitLab 16.11. **Status**: Experiment. Full project path of the catalog resource. |
 | <a id="cicatalogresourceicon"></a>`icon` **{warning-solid}** | [`String`](#string) | **Introduced** in GitLab 15.11. **Status**: Experiment. Icon for the catalog resource. |
 | <a id="cicatalogresourceid"></a>`id` **{warning-solid}** | [`ID!`](#id) | **Introduced** in GitLab 15.11. **Status**: Experiment. ID of the catalog resource. |
 | <a id="cicatalogresourcelast30dayusagecount"></a>`last30DayUsageCount` **{warning-solid}** | [`Int!`](#int) | **Introduced** in GitLab 17.0. **Status**: Experiment. Number of projects that used a component from this catalog resource in a pipeline, by using `include:component`, in the last 30 days. |
@@ -19708,7 +19708,7 @@ A single design.
 | <a id="designdiscussions"></a>`discussions` | [`DiscussionConnection!`](#discussionconnection) | All discussions on this noteable. (see [Connections](#connections)) |
 | <a id="designevent"></a>`event` | [`DesignVersionEvent!`](#designversionevent) | How this design was changed in the current version. |
 | <a id="designfilename"></a>`filename` | [`String!`](#string) | Filename of the design. |
-| <a id="designfullpath"></a>`fullPath` | [`String!`](#string) | Full path to the design file. |
+| <a id="designfullpath"></a>`fullPath` | [`ID!`](#id) | Full path to the design file. |
 | <a id="designid"></a>`id` | [`ID!`](#id) | ID of this design. |
 | <a id="designimage"></a>`image` | [`String!`](#string) | URL of the full-sized image. |
 | <a id="designimagev432x230"></a>`imageV432x230` | [`String`](#string) | The URL of the design resized to fit within the bounds of 432x230. This will be `null` if the image has not been generated. |
@@ -19782,7 +19782,7 @@ A design pinned to a specific version. The image field reflects the design as of
 | <a id="designatversiondiffrefs"></a>`diffRefs` | [`DiffRefs!`](#diffrefs) | Diff refs for this design. |
 | <a id="designatversionevent"></a>`event` | [`DesignVersionEvent!`](#designversionevent) | How this design was changed in the current version. |
 | <a id="designatversionfilename"></a>`filename` | [`String!`](#string) | Filename of the design. |
-| <a id="designatversionfullpath"></a>`fullPath` | [`String!`](#string) | Full path to the design file. |
+| <a id="designatversionfullpath"></a>`fullPath` | [`ID!`](#id) | Full path to the design file. |
 | <a id="designatversionid"></a>`id` | [`ID!`](#id) | ID of this design. |
 | <a id="designatversionimage"></a>`image` | [`String!`](#string) | URL of the full-sized image. |
 | <a id="designatversionimagev432x230"></a>`imageV432x230` | [`String`](#string) | The URL of the design resized to fit within the bounds of 432x230. This will be `null` if the image has not been generated. |
@@ -37048,7 +37048,7 @@ Implementations:
 | <a id="designfieldsdiffrefs"></a>`diffRefs` | [`DiffRefs!`](#diffrefs) | Diff refs for this design. |
 | <a id="designfieldsevent"></a>`event` | [`DesignVersionEvent!`](#designversionevent) | How this design was changed in the current version. |
 | <a id="designfieldsfilename"></a>`filename` | [`String!`](#string) | Filename of the design. |
-| <a id="designfieldsfullpath"></a>`fullPath` | [`String!`](#string) | Full path to the design file. |
+| <a id="designfieldsfullpath"></a>`fullPath` | [`ID!`](#id) | Full path to the design file. |
 | <a id="designfieldsid"></a>`id` | [`ID!`](#id) | ID of this design. |
 | <a id="designfieldsimage"></a>`image` | [`String!`](#string) | URL of the full-sized image. |
 | <a id="designfieldsimagev432x230"></a>`imageV432x230` | [`String`](#string) | The URL of the design resized to fit within the bounds of 432x230. This will be `null` if the image has not been generated. |
diff --git a/doc/api/openapi/openapi_v2.yaml b/doc/api/openapi/openapi_v2.yaml
index 61764bc063c..97842c0d23c 100644
--- a/doc/api/openapi/openapi_v2.yaml
+++ b/doc/api/openapi/openapi_v2.yaml
@@ -40826,6 +40826,8 @@ definitions:
         type: boolean
       restrict_user_defined_variables:
         type: boolean
+      ci_pipeline_variables_minimum_override_role:
+        type: string
       runners_token:
         type: string
         example: b8547b1dc37721d05889db52fa2f02
@@ -52502,6 +52504,8 @@ definitions:
         type: boolean
       restrict_user_defined_variables:
         type: boolean
+      ci_pipeline_variables_minimum_override_role:
+        type: string
       runners_token:
         type: string
         example: b8547b1dc37721d05889db52fa2f02
@@ -53075,7 +53079,16 @@ definitions:
         description: Enable or disable separated caches based on branch protection.
       restrict_user_defined_variables:
         type: boolean
-        description: Restrict use of user-defined variables when triggering a pipeline
+        description: Restrict ability to override variables when triggering a pipeline
+      ci_pipeline_variables_minimum_override_role:
+        type: string
+        description: Limit ability to override CI/CD variables when triggering a pipeline
+          to only users with at least the set minimum role
+        enum:
+        - no_one_allowed
+        - developer
+        - maintainer
+        - owner
       allow_pipeline_trigger_approve_deployment:
         type: boolean
         description: Allow pipeline triggerer to approve deployments
diff --git a/doc/ci/variables/index.md b/doc/ci/variables/index.md
index d1c5d1ff14e..c3b2d1a34ad 100644
--- a/doc/ci/variables/index.md
+++ b/doc/ci/variables/index.md
@@ -749,7 +749,7 @@ You should avoid overriding predefined variables in most cases, as it can cause
 
 ### Restrict who can override variables
 
-You can limit the ability to override variables to only users with the Maintainer role.
+You can limit the ability to override variables to only users with at least the Maintainer role.
 When other users try to run a pipeline with overridden variables, they receive the
 `Insufficient permissions to set pipeline variables` error message.
 
@@ -759,6 +759,28 @@ to enable the `restrict_user_defined_variables` setting. The setting is `disable
 If you [store your CI/CD configurations in a different repository](../../ci/pipelines/settings.md#specify-a-custom-cicd-configuration-file),
 use this setting for control over the environment the pipeline runs in.
 
+#### By minimum role
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/440338) in GitLab 17.1 [with a flag](../../administration/feature_flags.md) named `allow_user_variables_by_minimum_role`. Disabled by default.
+
+When the `restrict_user_defined_variables` option is enabled, you can specify which
+[roles](../../user/permissions.md#roles) can override variables with the
+`ci_pipeline_variables_minimum_override_role` setting.
+
+To change the setting, use [the projects API](../../api/projects.md#edit-project)
+to modify `ci_pipeline_variables_minimum_override_role` to one of:
+
+- `owner`: Only users with the Owner role can override variables. You must have the Owner
+  role in the project to change the setting to this value.
+- `maintainer`: Only users with at least the Maintainer role can override variables.
+  Default when not specified.
+- `developer`: Only users with at least the Developer role can override variables.
+- `no_one_allowed`: Users cannot override variables.
+
+If you set the minimum role to `owner`, only users with at least the `owner` role
+can update the `ci_pipeline_variables_minimum_override_role` and `restrict_user_defined_variables`
+settings.
+
 ## Exporting variables
 
 Scripts executed in separate shell contexts do not share exports, aliases,
diff --git a/doc/development/enabling_features_on_dedicated.md b/doc/development/enabling_features_on_dedicated.md
new file mode 100644
index 00000000000..655fa51f7e1
--- /dev/null
+++ b/doc/development/enabling_features_on_dedicated.md
@@ -0,0 +1,35 @@
+---
+stage: SaaS Platforms
+group: GitLab Dedicated
+info: Any user with at least the Maintainer role can merge updates to this content. For details, see https://docs.gitlab.com/ee/development/development_processes.html#development-guidelines-review.
+---
+
+# Enabling features for GitLab Dedicated
+
+## Versioning
+
+GitLab Dedicated is running the n-1 GitLab version to provide sufficient run-up time to make changes across many GitLab instances, and reduce the number of releases necessary to maintain GitLab in accordance with the security maintenance policy.
+
+GitLab Dedicated instances are automatically upgraded during scheduled maintenance windows throughout the week.
+
+The [release rollout schedule](../administration/dedicated/create_instance.md#gitlab-release-rollout-schedule) for GitLab Dedicated outlines when instances are expected to be upgraded to a new release.
+
+## Feature flags
+
+[Feature flags support the development and rollout of new or experimental features](https://handbook.gitlab.com/handbook/product-development-flow/feature-flag-lifecycle/#when-to-use-feature-flags) on GitLab.com. Feature flags are not tools for managing configuration.
+
+Due to the high risk of enabling experimental features on GitLab Dedicated, and the additional workload needed to manage these on a per-instance basis, feature flags are not supported on GitLab Dedicated.
+
+Instead, all per-instance configurations must be made using the application (UI or API) settings to allow customers to control them.
+
+## Enabling features
+
+All features need to be Generally Available before they can be deployed to GitLab Dedicated. In most cases, this means any feature flags are defaulted to on, and the feature is being used on GitLab.com and by Self-Managed users.
+
+New versions of GitLab and any other changes, are deployed using automation during scheduled maintenance windows. Because of the required automation and the timing of deployments, features must be safe for auto-rollout. This means that new features don't require any immediate manual adjustment from operators or customers.
+
+Features that require additional configuration after they have been deployed, must have API or UI settings to allow the customer to make the necessary changes.
+
+GitLab Dedicated is a single-tenant SaaS product. This means that one-off, customer-specific tasks cannot be supported.
+
+Features that may not be suitable or useful for every customer must be controlled using application settings to avoid creating unsustainable workloads.
diff --git a/gems/gitlab-cng/Gemfile.lock b/gems/gitlab-cng/Gemfile.lock
index bf86ae848c7..fdf46e19725 100644
--- a/gems/gitlab-cng/Gemfile.lock
+++ b/gems/gitlab-cng/Gemfile.lock
@@ -2,6 +2,7 @@ PATH
   remote: .
   specs:
     gitlab-cng (0.0.1)
+      activesupport (>= 7)
       rainbow (~> 3.1)
       require_all (~> 3.0)
       thor (~> 1.3)
diff --git a/gems/gitlab-cng/gitlab-cng.gemspec b/gems/gitlab-cng/gitlab-cng.gemspec
index 62306ce5c71..fa29f4ee304 100644
--- a/gems/gitlab-cng/gitlab-cng.gemspec
+++ b/gems/gitlab-cng/gitlab-cng.gemspec
@@ -19,6 +19,7 @@ Gem::Specification.new do |spec|
   spec.executables = "cng"
   spec.require_paths = ["lib"]
 
+  spec.add_dependency "activesupport", ">= 7"
   spec.add_dependency "rainbow", "~> 3.1"
   spec.add_dependency "require_all", "~> 3.0"
   spec.add_dependency "thor", "~> 1.3"
diff --git a/gems/gitlab-cng/lib/gitlab/cng/commands/create.rb b/gems/gitlab-cng/lib/gitlab/cng/commands/create.rb
index 3fa54ad48da..56ff6cc54fe 100644
--- a/gems/gitlab-cng/lib/gitlab/cng/commands/create.rb
+++ b/gems/gitlab-cng/lib/gitlab/cng/commands/create.rb
@@ -6,6 +6,9 @@ module Gitlab
       # Create command composed of subcommands that create various resources needed for CNG deployment
       #
       class Create < Command
+        # @return [Array] configurations that are used for kind cluster deployments
+        KIND_CLUSTER_CONFIGURATIONS = %w[kind].freeze
+
         desc "cluster", "Create kind cluster for local deployments"
         option :name,
           desc: "Cluster name",
@@ -29,6 +32,8 @@ module Gitlab
         long_desc <<~LONGDESC
           This command installs a GitLab chart archive and performs all additional pre-install and post-install setup.
           Argument NAME is helm install name and defaults to "gitlab".
+          Deployment has several optional environment variables it can read before performing chart install:
+            QA_EE_LICENSE|EE_LICENSE - gitlab test license, if present, will be added to deployment,
         LONGDESC
         option :configuration,
           desc: "Deployment configuration",
@@ -49,8 +54,21 @@ module Gitlab
           desc: "Use CI specific configuration",
           default: false,
           type: :boolean
+        option :gitlab_domain,
+          desc: "Domain for deployed app. Defaults to (your host IP).nip.io",
+          type: :string
+        option :with_cluster,
+          desc: "Create kind cluster for local deployments. \
+            Only valid for configurations designed to run against local kind cluster",
+          type: :boolean
         def deployment(name = "gitlab")
-          Deployment::Installation.new(name, **symbolized_options).create
+          if options[:with_cluster] && KIND_CLUSTER_CONFIGURATIONS.include?(options[:configuration])
+            invoke :cluster, [], ci: options[:ci]
+          end
+
+          Deployment::Installation
+            .new(name, **symbolized_options.slice(:configuration, :namespace, :set, :ci, :gitlab_domain))
+            .create
         end
       end
     end
diff --git a/gems/gitlab-cng/lib/gitlab/cng/lib/deployment/configurations/_base.rb b/gems/gitlab-cng/lib/gitlab/cng/lib/deployment/configurations/_base.rb
index 6083f8cc5aa..dc89fb30f82 100644
--- a/gems/gitlab-cng/lib/gitlab/cng/lib/deployment/configurations/_base.rb
+++ b/gems/gitlab-cng/lib/gitlab/cng/lib/deployment/configurations/_base.rb
@@ -20,9 +20,11 @@ module Gitlab
         class Base
           include Helpers::Output
 
-          def initialize(namespace, kubeclient)
+          def initialize(namespace, kubeclient, ci, gitlab_domain)
             @namespace = namespace
             @kubeclient = kubeclient
+            @ci = ci
+            @gitlab_domain = gitlab_domain
           end
 
           class << self
@@ -41,7 +43,7 @@ module Gitlab
             #
             # @return [void]
             def skip_post_deployment_setup!
-              @skip_pre_deployment_setup = true
+              @skip_post_deployment_setup = true
             end
           end
 
@@ -51,7 +53,7 @@ module Gitlab
           def run_pre_deployment_setup
             return if self.class.skip_pre_deployment_setup
 
-            raise(NoMethodError, 'run_pre_deployment_setup not implemented')
+            raise(NoMethodError, "run_pre_deployment_setup not implemented")
           end
 
           # Steps to be executed after helm deployment has been performed
@@ -60,19 +62,26 @@ module Gitlab
           def run_post_deployment_setup
             return if self.class.skip_post_deployment_setup
 
-            raise(NoMethodError, 'run_post_deployment_setup not implemented')
+            raise(NoMethodError, "run_post_deployment_setup not implemented")
           end
 
           # Values hash containing the values to be passed to helm chart install
           #
           # @return [Hash]
           def values
-            raise(NoMethodError, 'values not implemented')
+            {}
+          end
+
+          # Deployed app url
+          #
+          # @return [String]
+          def gitlab_url
+            "http://gitlab.#{gitlab_domain}"
           end
 
           private
 
-          attr_reader :namespace, :kubeclient
+          attr_reader :namespace, :kubeclient, :ci, :gitlab_domain
         end
       end
     end
diff --git a/gems/gitlab-cng/lib/gitlab/cng/lib/deployment/configurations/kind.rb b/gems/gitlab-cng/lib/gitlab/cng/lib/deployment/configurations/kind.rb
index 3916892ee7b..2a00e06dcf7 100644
--- a/gems/gitlab-cng/lib/gitlab/cng/lib/deployment/configurations/kind.rb
+++ b/gems/gitlab-cng/lib/gitlab/cng/lib/deployment/configurations/kind.rb
@@ -7,41 +7,118 @@ module Gitlab
         # Configuration for performing deployment setup on local kind cluster
         #
         class Kind < Base
+          # @return [String] secret name for initial admin password
           ADMIN_PASSWORD_SECRET = "gitlab-initial-root-password"
+          # @return [String] configmap name for pre-receive hook
           PRE_RECEIVE_HOOK_CONFIGMAP_NAME = "pre-receive-hook"
+          # @return [String] pre-receive hook script used by e2e tests
+          PRE_RECEIVE_HOOK = <<~'SH'
+            #!/usr/bin/env bash
 
-          skip_post_deployment_setup!
+            if [[ $GL_PROJECT_PATH =~ 'reject-prereceive' ]]; then
+              echo 'GL-HOOK-ERR: Custom error message rejecting prereceive hook for projects with GL_PROJECT_PATH matching pattern reject-prereceive'
+              exit 1
+            fi
+          SH
 
+          # Run pre-deployment setup
+          #
+          # @return [void]
           def run_pre_deployment_setup
             create_initial_root_password
             create_pre_receive_hook
           end
 
-          private
+          # Run post-deployment setup
+          #
+          # @return [void]
+          def run_post_deployment_setup
+            create_root_token
+          end
 
-          # Pre-receive hook script used by e2e tests to test global git hooks
+          # Helm chart values specific to kind deployment
+          #
+          # @return [Hash]
+          def values
+            {
+              global: {
+                initialRootPassword: {
+                  secret: ADMIN_PASSWORD_SECRET
+                },
+                gitaly: {
+                  hooks: {
+                    preReceive: {
+                      configmap: PRE_RECEIVE_HOOK_CONFIGMAP_NAME
+                    }
+                  }
+                }
+              },
+              "nginx-ingress": {
+                controller: {
+                  replicaCount: 1,
+                  minAavailable: 1,
+                  service: {
+                    type: "NodePort",
+                    nodePorts: {
+                      "gitlab-shell": 32022,
+                      http: 32080
+                    }
+                  }
+                }
+              }
+            }
+          end
+
+          # Gitlab url
           #
           # @return [String]
-          def pre_receive_hook
-            <<~SH
-              #!/usr/bin/env bash
+          def gitlab_url
+            "http://gitlab.#{gitlab_domain}#{ci ? '' : ':32080'}"
+          end
 
-              if [[ $GL_PROJECT_PATH =~ 'reject-prereceive' ]]; then
-                echo 'GL-HOOK-ERR: Custom error message rejecting prereceive hook for projects with GL_PROJECT_PATH matching pattern reject-prereceive'
-                exit 1
-              fi
-            SH
+          private
+
+          # Gitlab initial admin password, defaults to commonly used password across development environments
+          #
+          # @return [String]
+          def admin_password
+            @admin_password ||= ENV["GITLAB_ADMIN_PASSWORD"] || "5iveL!fe"
+          end
+
+          # Gitlab admin user personal access token, defaults to value used in development seed data
+          #
+          # @return [String]
+          def admin_token
+            @admin_token ||= ENV["GITLAB_ADMIN_ACCESS_TOKEN"] || "ypCa3Dzb23o5nvsixwPA"
+          end
+
+          # Token seed script for root user
+          #
+          # @return [String]
+          def admin_pat_seed
+            <<~RUBY
+              Gitlab::Seeder.quiet do
+                User.find_by(username: 'root').tap do |user|
+                  params = {
+                    scopes: Gitlab::Auth.all_available_scopes.map(&:to_s),
+                    name: 'seeded-api-token'
+                  }
+
+                  user.personal_access_tokens.build(params).tap do |pat|
+                    pat.expires_at = 365.days.from_now
+                    pat.set_token("#{admin_token}")
+                    pat.save!
+                  end
+                end
+              end
+            RUBY
           end
 
           # Create initial root password
           #
           # @return [void]
           def create_initial_root_password
-            admin_password = ENV["GITLAB_ADMIN_PASSWORD"]
-
-            log("Creating initial root password secret", :info)
-            return log("`GITLAB_ADMIN_PASSWORD` variable is not set, skipping", :warn) unless admin_password
-
+            log("Creating admin user initial password secret", :info)
             secret = Kubectl::Resources::Secret.new(ADMIN_PASSWORD_SECRET, "password", admin_password)
             puts mask_secrets(kubeclient.create_resource(secret), [admin_password, Base64.encode64(admin_password)])
           end
@@ -51,9 +128,20 @@ module Gitlab
           # @return [void]
           def create_pre_receive_hook
             log("Creating pre-receive hook", :info)
-            configmap = Kubectl::Resources::Configmap.new(PRE_RECEIVE_HOOK_CONFIGMAP_NAME, "hook.sh", pre_receive_hook)
+            configmap = Kubectl::Resources::Configmap.new(PRE_RECEIVE_HOOK_CONFIGMAP_NAME, "hook.sh", PRE_RECEIVE_HOOK)
             puts kubeclient.create_resource(configmap)
           end
+
+          # Create admin user personal access token
+          #
+          # @return [void]
+          def create_root_token
+            log("Creating admin user personal access token", :info)
+            puts mask_secrets(
+              kubeclient.execute("toolbox", ["gitlab-rails", "runner", admin_pat_seed], container: "toolbox"),
+              [admin_token]
+            ).strip
+          end
         end
       end
     end
diff --git a/gems/gitlab-cng/lib/gitlab/cng/lib/deployment/default_values.rb b/gems/gitlab-cng/lib/gitlab/cng/lib/deployment/default_values.rb
new file mode 100644
index 00000000000..508b8a5291f
--- /dev/null
+++ b/gems/gitlab-cng/lib/gitlab/cng/lib/deployment/default_values.rb
@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Cng
+    module Deployment
+      # Helpers for common chart values
+      #
+      class DefaultValues
+        extend Helpers::CI
+
+        IMAGE_REPOSITORY = "registry.gitlab.com/gitlab-org/build/cng-mirror"
+
+        class << self
+          # Main common chart values
+          #
+          # @param [String] domain
+          # @return [Hash]
+          def common_values(domain)
+            {
+              global: {
+                hosts: {
+                  domain: domain,
+                  https: false
+                },
+                ingress: {
+                  configureCertmanager: false,
+                  tls: {
+                    enabled: false
+                  }
+                },
+                appConfig: {
+                  applicationSettingsCacheSeconds: 0
+                }
+              },
+              gitlab: { "gitlab-exporter": { enabled: false } },
+              redis: { metrics: { enabled: false } },
+              prometheus: { install: false },
+              certmanager: { install: false },
+              "gitlab-runner": { install: false }
+            }
+          end
+
+          # Key value pairs for ci specific component version values
+          #
+          # This is defined as key value pairs to allow constructing example cli args for easier reproducability
+          #
+          # @return [Hash]
+          def component_ci_versions
+            {
+              "gitaly.image.repository" => "#{IMAGE_REPOSITORY}/gitaly",
+              "gitaly.image.tag" => gitaly_version,
+              "gitlab-shell.image.repository" => "#{IMAGE_REPOSITORY}/gitlab-shell",
+              "gitlab-shell.image.tag" => "v#{gitlab_shell_version}",
+              "migrations.image.repository" => "#{IMAGE_REPOSITORY}/gitlab-toolbox-ee",
+              "migrations.image.tag" => commit_sha,
+              "toolbox.image.repository" => "#{IMAGE_REPOSITORY}/gitlab-toolbox-ee",
+              "toolbox.image.tag" => commit_sha,
+              "sidekiq.annotations.commit" => commit_short_sha,
+              "sidekiq.image.repository" => "#{IMAGE_REPOSITORY}/gitlab-sidekiq-ee",
+              "sidekiq.image.tag" => commit_sha,
+              "webservice.annotations.commit" => commit_short_sha,
+              "webservice.image.repository" => "#{IMAGE_REPOSITORY}/gitlab-webservice-ee",
+              "webservice.image.tag" => commit_sha,
+              "webservice.workhorse.image" => "#{IMAGE_REPOSITORY}/gitlab-workhorse-ee",
+              "webservice.workhorse.tag" => commit_sha
+            }
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/gems/gitlab-cng/lib/gitlab/cng/lib/deployment/installation.rb b/gems/gitlab-cng/lib/gitlab/cng/lib/deployment/installation.rb
index 3cced0fb48d..bfa0d5b139e 100644
--- a/gems/gitlab-cng/lib/gitlab/cng/lib/deployment/installation.rb
+++ b/gems/gitlab-cng/lib/gitlab/cng/lib/deployment/installation.rb
@@ -1,21 +1,27 @@
 # frozen_string_literal: true
 
+require "socket"
+require "yaml"
+require "active_support/core_ext/hash"
+
 module Gitlab
   module Cng
     module Deployment
+      # Class handling all the pre and post deployment setup steps and gitlab helm chart installation
+      #
       class Installation
         include Helpers::Output
         include Helpers::Shell
 
         LICENSE_SECRET = "gitlab-license"
 
-        def initialize(name, configuration:, namespace:, ci:, set: [])
+        def initialize(name, configuration:, namespace:, ci:, gitlab_domain: nil, set: [])
           @name = name
           @configuration = configuration
           @namespace = namespace
           @ci = ci
+          @gitlab_domain = gitlab_domain
           @set = set
-          @kubeclient = Kubectl::Client.new(namespace)
         end
 
         # Perform deployment with all the additional setup
@@ -24,20 +30,69 @@ module Gitlab
         def create
           log("Creating CNG deployment '#{name}' using '#{configuration}' configuration", :info, bright: true)
           run_pre_deploy_setup
+          run_deploy
+          run_post_deploy_setup
         rescue Helpers::Shell::CommandFailure
           exit(1)
         end
 
         private
 
-        attr_reader :name, :configuration, :namespace, :ci, :set, :kubeclient
+        attr_reader :name, :configuration, :namespace, :ci, :set
         alias_method :cli_values, :set
 
+        # Kubectl client instance
+        #
+        # @return [Kubectl::Client]
+        def kubeclient
+          @kubeclient ||= Kubectl::Client.new(namespace)
+        end
+
+        # Gitlab app domain
+        #
+        # @return [String]
+        def gitlab_domain
+          @gitlab_domain ||= "#{Socket.ip_address_list.detect(&:ipv4_private?).ip_address}.nip.io"
+        end
+
         # Configuration class instance
         #
         # @return [Configuration::Base]
         def config_instance
-          @config_instance ||= Configurations.const_get(configuration.capitalize, false).new(namespace, kubeclient)
+          @config_instance ||= Configurations.const_get(configuration.capitalize, false).new(
+            namespace,
+            kubeclient,
+            ci,
+            gitlab_domain
+          )
+        end
+
+        # Gitlab license
+        #
+        # @return [String]
+        def license
+          @license ||= ENV["QA_EE_LICENSE"] || ENV["EE_LICENSE"]
+        end
+
+        # Helm values for license secret
+        #
+        # @return [Hash]
+        def license_values
+          return {} unless license
+
+          {
+            global: {
+              extraEnv: {
+                GITLAB_LICENSE_MODE: "test",
+                CUSTOMER_PORTAL_URL: "https://customers.staging.gitlab.com"
+              }
+            },
+            gitlab: {
+              license: {
+                secret: LICENSE_SECRET
+              }
+            }
+          }
         end
 
         # Execute pre-deployment setup
@@ -54,13 +109,34 @@ module Gitlab
           end
         end
 
+        # Run helm deployment
+        #
+        # @return [void]
+        def run_deploy
+          cmd = [
+            "upgrade",
+            "--install", name, "gitlab/gitlab",
+            "--namespace", namespace,
+            "--timeout", "5m",
+            "--wait"
+          ]
+          cmd.push(*DefaultValues.component_ci_versions.flat_map { |k, v| ["--set", "gitlab.#{k}=#{v}"] }) if ci
+          cmd.push(*cli_values.flat_map { |v| ["--set", v] })
+          cmd.push("--values", "-")
+          values = DefaultValues.common_values(gitlab_domain)
+            .deep_merge(license_values)
+            .deep_merge(config_instance.values)
+            .deep_stringify_keys
+
+          Helpers::Spinner.spin("running helm deployment") { puts run_helm_cmd(cmd, values.to_yaml) }
+          log("Deployment successfull and app is available via: #{config_instance.gitlab_url}", :success, bright: true)
+        end
+
         # Execute post-deployment setup
         #
         # @return [void]
         def run_post_deploy_setup
-          Helpers::Spinner.spin("running post-deployment setup") do
-            config_instance.run_pre_deployment_setup
-          end
+          Helpers::Spinner.spin("running post-deployment setup") { config_instance.run_post_deployment_setup }
         end
 
         # Add helm chart repo
@@ -99,12 +175,10 @@ module Gitlab
         #
         # @return [void]
         def create_license
-          license = ENV["QA_EE_LICENSE"]
-
           log("Creating gitlab license secret", :info)
-          return log("`QA_EE_LICENSE` variable is not set, skipping", :warn) unless license
+          return log("`QA_EE_LICENSE|EE_LICENSE` variable is not set, skipping", :warn) unless license
 
-          secret = Kubectl::Resources::Secret.new(LICENSE_SECRET, "license", ENV["QA_EE_LICENSE"])
+          secret = Kubectl::Resources::Secret.new(LICENSE_SECRET, "license", license)
           puts mask_secrets(kubeclient.create_resource(secret), [license, Base64.encode64(license)])
         end
 
@@ -112,8 +186,8 @@ module Gitlab
         #
         # @param [Array] cmd
         # @return [String]
-        def run_helm_cmd(cmd)
-          execute_shell(["helm", *cmd])
+        def run_helm_cmd(cmd, stdin = nil)
+          execute_shell(["helm", *cmd], stdin_data: stdin)
         end
       end
     end
diff --git a/gems/gitlab-cng/lib/gitlab/cng/lib/helpers/ci.rb b/gems/gitlab-cng/lib/gitlab/cng/lib/helpers/ci.rb
new file mode 100644
index 00000000000..85296827679
--- /dev/null
+++ b/gems/gitlab-cng/lib/gitlab/cng/lib/helpers/ci.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Cng
+    module Helpers
+      # Helper functions for fetching CI related information
+      #
+      module CI
+        extend self
+
+        def commit_sha
+          @commit_sha ||= ENV["CI_COMMIT_SHA"] || raise("CI_COMMIT_SHA is not set")
+        end
+
+        def commit_short_sha
+          @commit_short_sha ||= ENV["CI_COMMIT_SHORT_SHA"] || raise("CI_COMMIT_SHORT_SHA is not set")
+        end
+
+        def gitaly_version
+          @gitaly_version ||= File.read(File.join(ci_project_dir, "GITALY_SERVER_VERSION")).strip
+        end
+
+        def gitlab_shell_version
+          @gitlab_shell_version ||= File.read(File.join(ci_project_dir, "GITLAB_SHELL_VERSION")).strip
+        end
+
+        def ci_project_dir
+          @ci_project_dir ||= ENV["CI_PROJECT_DIR"] || raise("CI_PROJECT_DIR is not set")
+        end
+      end
+    end
+  end
+end
diff --git a/gems/gitlab-cng/lib/gitlab/cng/lib/kind/cluster.rb b/gems/gitlab-cng/lib/gitlab/cng/lib/kind/cluster.rb
index ffc0bb43437..41bc8bb1148 100644
--- a/gems/gitlab-cng/lib/gitlab/cng/lib/kind/cluster.rb
+++ b/gems/gitlab-cng/lib/gitlab/cng/lib/kind/cluster.rb
@@ -21,12 +21,12 @@ module Gitlab
         end
 
         def create
-          log "Creating cluster '#{name}'", :info
-          return log "  cluster '#{name}' already exists, skipping!" if cluster_exists?
+          log("Creating cluster '#{name}'", :info, bright: true)
+          return log("  cluster '#{name}' already exists, skipping!", :warn) if cluster_exists?
 
           create_cluster
           update_server_url
-          log "Cluster '#{name}' created", :success
+          log("Cluster '#{name}' created", :success)
         rescue Helpers::Shell::CommandFailure
           # Exit cleanly without stacktrace if shell command fails
           exit(1)
diff --git a/gems/gitlab-cng/lib/gitlab/cng/lib/kubectl/client.rb b/gems/gitlab-cng/lib/gitlab/cng/lib/kubectl/client.rb
index be812a4a6f2..3a252b850e4 100644
--- a/gems/gitlab-cng/lib/gitlab/cng/lib/kubectl/client.rb
+++ b/gems/gitlab-cng/lib/gitlab/cng/lib/kubectl/client.rb
@@ -8,6 +8,9 @@ module Gitlab
       class Client
         include Helpers::Shell
 
+        # Error raised by kubectl client class
+        Error = Class.new(StandardError)
+
         def initialize(namespace)
           @namespace = namespace
         end
@@ -24,12 +27,48 @@ module Gitlab
         # @param [Resources::Base] resource
         # @return [String] command output
         def create_resource(resource)
-          execute_shell(["kubectl", "apply", "-n", namespace, "-f", "-"], stdin_data: resource.json)
+          run_in_namespace("apply", args: ["-f", "-"], stdin_data: resource.json)
+        end
+
+        # Execute command in a pod
+        #
+        # @param [String] pod full or part of pod name
+        # @param [Array] command
+        # @param [String] container
+        # @return [String]
+        def execute(pod, command, container: nil)
+          args = ["--", *command]
+          args.unshift("-c", container) if container
+
+          run_in_namespace("exec", get_pod_name(pod), args: args)
         end
 
         private
 
         attr_reader :namespace
+
+        # Get full pod name
+        #
+        # @param [String] name
+        # @return [String]
+        def get_pod_name(name)
+          pod = run_in_namespace("get", "pods", args: ["--output", "jsonpath={.items[*].metadata.name}"])
+            .split(" ")
+            .find { |pod| pod.include?(name) }
+          raise Error, "Pod '#{name}' not found" unless pod
+
+          pod
+        end
+
+        # Run kubectl command in namespace
+        #
+        # @param [Array] *action
+        # @param [Array] args
+        # @param [String] stdin_data
+        # @return [String]
+        def run_in_namespace(*action, args:, stdin_data: nil)
+          execute_shell(["kubectl", *action, "-n", namespace, *args], stdin_data: stdin_data)
+        end
       end
     end
   end
diff --git a/gems/gitlab-cng/spec/fixture/GITALY_SERVER_VERSION b/gems/gitlab-cng/spec/fixture/GITALY_SERVER_VERSION
new file mode 100644
index 00000000000..4d8daed28d9
--- /dev/null
+++ b/gems/gitlab-cng/spec/fixture/GITALY_SERVER_VERSION
@@ -0,0 +1 @@
+7aa06a578d76bdc294ee8e9acb4f063e7d9f1d5f
diff --git a/gems/gitlab-cng/spec/fixture/GITLAB_SHELL_VERSION b/gems/gitlab-cng/spec/fixture/GITLAB_SHELL_VERSION
new file mode 100644
index 00000000000..aab9f557702
--- /dev/null
+++ b/gems/gitlab-cng/spec/fixture/GITLAB_SHELL_VERSION
@@ -0,0 +1 @@
+14.35.0
diff --git a/gems/gitlab-cng/spec/unit/gitlab/cng/commands/create_spec.rb b/gems/gitlab-cng/spec/unit/gitlab/cng/commands/create_spec.rb
index dc10917b986..e5e6a126790 100644
--- a/gems/gitlab-cng/spec/unit/gitlab/cng/commands/create_spec.rb
+++ b/gems/gitlab-cng/spec/unit/gitlab/cng/commands/create_spec.rb
@@ -3,13 +3,14 @@
 RSpec.describe Gitlab::Cng::Commands::Create do
   include_context "with command testing helper"
 
+  let(:kind_cluster) { instance_double(Gitlab::Cng::Kind::Cluster, create: nil) }
+
+  before do
+    allow(Gitlab::Cng::Kind::Cluster).to receive(:new).and_return(kind_cluster)
+  end
+
   describe "cluster command" do
     let(:command_name) { "cluster" }
-    let(:kind_cluster) { instance_double(Gitlab::Cng::Kind::Cluster, create: nil) }
-
-    before do
-      allow(Gitlab::Cng::Kind::Cluster).to receive(:new).and_return(kind_cluster)
-    end
 
     it "defines cluster command" do
       expect_command_to_include_attributes(command_name, {
@@ -38,7 +39,7 @@ RSpec.describe Gitlab::Cng::Commands::Create do
       allow(Gitlab::Cng::Deployment::Installation).to receive(:new).and_return(deployment_install)
     end
 
-    it "defines cluster command" do
+    it "defines deployment command" do
       expect_command_to_include_attributes(command_name, {
         description: "Create CNG deployment from official GitLab Helm chart",
         name: command_name,
@@ -47,15 +48,36 @@ RSpec.describe Gitlab::Cng::Commands::Create do
     end
 
     it "invokes kind cluster creation with correct arguments" do
-      invoke_command(command_name, [], { configuration: "kind", ci: true, namespace: "gitlab" })
+      invoke_command(command_name, [], {
+        configuration: "kind",
+        ci: true,
+        namespace: "gitlab",
+        gitlab_domain: "127.0.0.1.nip.io"
+      })
 
       expect(deployment_install).to have_received(:create)
       expect(Gitlab::Cng::Deployment::Installation).to have_received(:new).with(
         "gitlab",
         configuration: "kind",
         ci: true,
-        namespace: "gitlab"
+        namespace: "gitlab",
+        gitlab_domain: "127.0.0.1.nip.io"
       )
     end
+
+    it "invokes kind cluster creation when --with-cluster argument is passed" do
+      invoke_command(command_name, [], {
+        configuration: "kind",
+        ci: true,
+        with_cluster: true
+      })
+
+      expect(kind_cluster).to have_received(:create)
+      expect(Gitlab::Cng::Kind::Cluster).to have_received(:new).with({
+        ci: true,
+        name: "gitlab"
+      })
+      expect(deployment_install).to have_received(:create)
+    end
   end
 end
diff --git a/gems/gitlab-cng/spec/unit/gitlab/cng/deployment/configurations/base_spec.rb b/gems/gitlab-cng/spec/unit/gitlab/cng/deployment/configurations/base_spec.rb
new file mode 100644
index 00000000000..ae0271e6d0e
--- /dev/null
+++ b/gems/gitlab-cng/spec/unit/gitlab/cng/deployment/configurations/base_spec.rb
@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+RSpec.describe Gitlab::Cng::Deployment::Configurations::Base do
+  subject(:configuration) { Class.new(described_class) }
+
+  let(:config) do
+    configuration.new("gitlab", Gitlab::Cng::Kubectl::Client.new("gitlab"), false, "domain")
+  end
+
+  it "returns empty values by default" do
+    expect(config.values).to eq({})
+  end
+
+  it "returns correct default gitlab_url" do
+    expect(config.gitlab_url).to eq("http://gitlab.domain")
+  end
+
+  it "has setup hooks enabled by default", :aggregate_failures do
+    expect { config.run_pre_deployment_setup }.to raise_error(
+      NoMethodError,
+      "run_pre_deployment_setup not implemented"
+    )
+    expect { config.run_post_deployment_setup }.to raise_error(
+      NoMethodError,
+      "run_post_deployment_setup not implemented"
+    )
+  end
+
+  context "with disabled setup hooks" do
+    subject(:configuration) do
+      Class.new(described_class) do
+        skip_pre_deployment_setup!
+        skip_post_deployment_setup!
+      end
+    end
+
+    it "does not run setup hooks" do
+      expect(config.run_pre_deployment_setup).to be_nil
+      expect(config.run_post_deployment_setup).to be_nil
+    end
+  end
+end
diff --git a/gems/gitlab-cng/spec/unit/gitlab/cng/deployment/configurations/kind_spec.rb b/gems/gitlab-cng/spec/unit/gitlab/cng/deployment/configurations/kind_spec.rb
new file mode 100644
index 00000000000..d9c052488f0
--- /dev/null
+++ b/gems/gitlab-cng/spec/unit/gitlab/cng/deployment/configurations/kind_spec.rb
@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+RSpec.describe Gitlab::Cng::Deployment::Configurations::Kind do
+  subject(:configuration) { described_class.new("gitlab", kubeclient, true, "127.0.0.1.nip.io") }
+
+  let(:kubeclient) { instance_double(Gitlab::Cng::Kubectl::Client, create_resource: "", execute: "") }
+
+  let(:env) do
+    {
+      "GITLAB_ADMIN_PASSWORD" => "password",
+      "GITLAB_ADMIN_ACCESS_TOKEN" => "token"
+    }
+  end
+
+  around do |example|
+    ClimateControl.modify(env) { example.run }
+  end
+
+  it "runs pre-deployment setup", :aggregate_failures do
+    expect { configuration.run_pre_deployment_setup }.to output(/Creating admin user initial password secret/).to_stdout
+
+    expect(kubeclient).to have_received(:create_resource).with(
+      Gitlab::Cng::Kubectl::Resources::Secret.new("gitlab-initial-root-password", "password", "password")
+    )
+    expect(kubeclient).to have_received(:create_resource).with(
+      Gitlab::Cng::Kubectl::Resources::Configmap.new(
+        "pre-receive-hook",
+        "hook.sh",
+        <<~SH
+            #!/usr/bin/env bash
+
+            if [[ $GL_PROJECT_PATH =~ 'reject-prereceive' ]]; then
+              echo 'GL-HOOK-ERR: Custom error message rejecting prereceive hook for projects with GL_PROJECT_PATH matching pattern reject-prereceive'
+              exit 1
+            fi
+        SH
+      ))
+  end
+
+  it "runs post-deployment setup", :aggregate_failures do
+    expect { configuration.run_post_deployment_setup }.to output(/Creating admin user personal access token/).to_stdout
+
+    expect(kubeclient).to have_received(:execute).with(
+      "toolbox",
+      [
+        "gitlab-rails",
+        "runner",
+        <<~RUBY
+            Gitlab::Seeder.quiet do
+              User.find_by(username: 'root').tap do |user|
+                params = {
+                  scopes: Gitlab::Auth.all_available_scopes.map(&:to_s),
+                  name: 'seeded-api-token'
+                }
+
+                user.personal_access_tokens.build(params).tap do |pat|
+                  pat.expires_at = 365.days.from_now
+                  pat.set_token("token")
+                  pat.save!
+                end
+              end
+            end
+        RUBY
+      ],
+      container: "toolbox"
+    )
+  end
+
+  it "returns configuration specific values" do
+    expect(configuration.values).to eq({
+      global: {
+        initialRootPassword: {
+          secret: "gitlab-initial-root-password"
+        },
+        gitaly: {
+          hooks: {
+            preReceive: {
+              configmap: "pre-receive-hook"
+            }
+          }
+        }
+      },
+      "nginx-ingress": {
+        controller: {
+          replicaCount: 1,
+          minAavailable: 1,
+          service: {
+            type: "NodePort",
+            nodePorts: {
+              "gitlab-shell": 32022,
+              http: 32080
+            }
+          }
+        }
+      }
+    })
+  end
+
+  it "returns correct gitlab url" do
+    expect(configuration.gitlab_url).to eq("http://gitlab.127.0.0.1.nip.io")
+  end
+end
diff --git a/gems/gitlab-cng/spec/unit/gitlab/cng/deployment/installation_spec.rb b/gems/gitlab-cng/spec/unit/gitlab/cng/deployment/installation_spec.rb
index f5451d0fa48..9974af29ae5 100644
--- a/gems/gitlab-cng/spec/unit/gitlab/cng/deployment/installation_spec.rb
+++ b/gems/gitlab-cng/spec/unit/gitlab/cng/deployment/installation_spec.rb
@@ -1,58 +1,167 @@
 # frozen_string_literal: true
 
-RSpec.describe Gitlab::Cng::Deployment::Installation do
+RSpec.describe Gitlab::Cng::Deployment::Installation, :aggregate_failures do
   subject(:installation) do
     described_class.new(
       "gitlab",
       configuration: "kind",
       namespace: "gitlab",
-      ci: false
+      ci: ci
     )
   end
 
-  let(:command_status) { instance_double(Process::Status, success?: true) }
-  let(:kubeclient) { instance_double(Gitlab::Cng::Kubectl::Client, create_namespace: "", create_resource: "") }
-  let(:license_secret) { Gitlab::Cng::Kubectl::Resources::Secret.new("gitlab-license", "license", "test") }
+  let(:stdin) { StringIO.new }
+  let(:config_values) { { configuration_specific: true } }
 
-  let(:password_secret) do
-    Gitlab::Cng::Kubectl::Resources::Secret.new("gitlab-initial-root-password", "password", "test")
+  let(:ip) { instance_double(Addrinfo, ipv4_private?: true, ip_address: "127.0.0.1") }
+
+  let(:kubeclient) do
+    instance_double(Gitlab::Cng::Kubectl::Client, create_namespace: "", create_resource: "", execute: "")
   end
 
-  let(:hook_configmap) do
-    Gitlab::Cng::Kubectl::Resources::Configmap.new(
-      "pre-receive-hook",
-      "hook.sh",
-      <<~SH
-        #!/usr/bin/env bash
-
-        if [[ $GL_PROJECT_PATH =~ 'reject-prereceive' ]]; then
-          echo 'GL-HOOK-ERR: Custom error message rejecting prereceive hook for projects with GL_PROJECT_PATH matching pattern reject-prereceive'
-          exit 1
-        fi
-      SH
+  let(:configuration) do
+    instance_double(
+      Gitlab::Cng::Deployment::Configurations::Kind,
+      run_pre_deployment_setup: nil,
+      run_post_deployment_setup: nil,
+      values: config_values,
+      gitlab_url: "http://gitlab.#{ip.ip_address}.nip.io"
     )
   end
 
+  let(:env) do
+    {
+      "QA_EE_LICENSE" => "license",
+      "CI_PROJECT_DIR" => File.expand_path("../../../../fixture", __dir__),
+      "CI_COMMIT_SHA" => "0acb5ee6db0860436fafc2c31a2cd87849c51aa3",
+      "CI_COMMIT_SHORT_SHA" => "0acb5ee6db08"
+    }
+  end
+
+  let(:values_yml) do
+    {
+      global: {
+        hosts: {
+          domain: "#{ip.ip_address}.nip.io",
+          https: false
+        },
+        ingress: {
+          configureCertmanager: false,
+          tls: {
+            enabled: false
+          }
+        },
+        appConfig: {
+          applicationSettingsCacheSeconds: 0
+        },
+        extraEnv: {
+          GITLAB_LICENSE_MODE: "test",
+          CUSTOMER_PORTAL_URL: "https://customers.staging.gitlab.com"
+        }
+      },
+      gitlab: {
+        "gitlab-exporter": { enabled: false },
+        license: { secret: "gitlab-license" }
+      },
+      redis: { metrics: { enabled: false } },
+      prometheus: { install: false },
+      certmanager: { install: false },
+      "gitlab-runner": { install: false },
+      **config_values
+    }.deep_stringify_keys.to_yaml
+  end
+
   before do
     allow(Gitlab::Cng::Helpers::Spinner).to receive(:spin).and_yield
     allow(Gitlab::Cng::Kubectl::Client).to receive(:new).with("gitlab").and_return(kubeclient)
+    allow(Gitlab::Cng::Deployment::Configurations::Kind).to receive(:new).and_return(configuration)
 
-    allow(Open3).to receive(:popen2e).and_return(["", command_status])
+    allow(installation).to receive(:execute_shell)
+    allow(Socket).to receive(:ip_address_list).and_return([ip])
   end
 
   around do |example|
-    ClimateControl.modify({ "QA_EE_LICENSE" => "test", "GITLAB_ADMIN_PASSWORD" => "test" }) { example.run }
+    ClimateControl.modify(env) { example.run }
   end
 
-  it "runs setup and helm deployment", :aggregate_failures do
-    expect { installation.create }.to output(/Creating CNG deployment 'gitlab' using 'kind' configuration/).to_stdout
+  context "without ci" do
+    let(:ci) { false }
 
-    expect(Open3).to have_received(:popen2e).with({}, *%w[helm repo add gitlab https://charts.gitlab.io])
-    expect(Open3).to have_received(:popen2e).with({}, *%w[helm repo update gitlab])
+    it "runs setup and helm deployment" do
+      expect { installation.create }.to output(/Creating CNG deployment 'gitlab' using 'kind' configuration/).to_stdout
 
-    expect(kubeclient).to have_received(:create_namespace)
-    expect(kubeclient).to have_received(:create_resource).with(license_secret)
-    expect(kubeclient).to have_received(:create_resource).with(password_secret)
-    expect(kubeclient).to have_received(:create_resource).with(hook_configmap)
+      expect(Gitlab::Cng::Deployment::Configurations::Kind).to have_received(:new).with(
+        "gitlab",
+        kubeclient,
+        ci,
+        "#{ip.ip_address}.nip.io"
+      )
+      expect(installation).to have_received(:execute_shell).with(
+        %w[helm repo add gitlab https://charts.gitlab.io],
+        stdin_data: nil
+      )
+      expect(installation).to have_received(:execute_shell).with(
+        %w[helm repo add gitlab https://charts.gitlab.io],
+        stdin_data: nil
+      )
+      expect(installation).to have_received(:execute_shell).with(
+        %w[helm repo update gitlab],
+        stdin_data: nil
+      )
+      expect(installation).to have_received(:execute_shell).with(
+        %w[
+          helm upgrade
+          --install gitlab gitlab/gitlab
+          --namespace gitlab
+          --timeout 5m
+          --wait
+          --values -
+        ],
+        stdin_data: values_yml
+      )
+
+      expect(kubeclient).to have_received(:create_namespace)
+      expect(kubeclient).to have_received(:create_resource).with(
+        Gitlab::Cng::Kubectl::Resources::Secret.new("gitlab-license", "license", "license")
+      )
+      expect(configuration).to have_received(:run_pre_deployment_setup)
+      expect(configuration).to have_received(:run_post_deployment_setup)
+    end
+  end
+
+  context "with ci" do
+    let(:ci) { true }
+
+    it "runs helm install with correctly merged values and component versions" do
+      expect { installation.create }.to output(/Creating CNG deployment 'gitlab' using 'kind' configuration/).to_stdout
+
+      expect(installation).to have_received(:execute_shell).with(
+        %W[
+          helm upgrade
+          --install gitlab gitlab/gitlab
+          --namespace gitlab
+          --timeout 5m
+          --wait
+          --set gitlab.gitaly.image.repository=registry.gitlab.com/gitlab-org/build/cng-mirror/gitaly
+          --set gitlab.gitaly.image.tag=7aa06a578d76bdc294ee8e9acb4f063e7d9f1d5f
+          --set gitlab.gitlab-shell.image.repository=registry.gitlab.com/gitlab-org/build/cng-mirror/gitlab-shell
+          --set gitlab.gitlab-shell.image.tag=v14.35.0
+          --set gitlab.migrations.image.repository=registry.gitlab.com/gitlab-org/build/cng-mirror/gitlab-toolbox-ee
+          --set gitlab.migrations.image.tag=#{env['CI_COMMIT_SHA']}
+          --set gitlab.toolbox.image.repository=registry.gitlab.com/gitlab-org/build/cng-mirror/gitlab-toolbox-ee
+          --set gitlab.toolbox.image.tag=#{env['CI_COMMIT_SHA']}
+          --set gitlab.sidekiq.annotations.commit=#{env['CI_COMMIT_SHORT_SHA']}
+          --set gitlab.sidekiq.image.repository=registry.gitlab.com/gitlab-org/build/cng-mirror/gitlab-sidekiq-ee
+          --set gitlab.sidekiq.image.tag=#{env['CI_COMMIT_SHA']}
+          --set gitlab.webservice.annotations.commit=#{env['CI_COMMIT_SHORT_SHA']}
+          --set gitlab.webservice.image.repository=registry.gitlab.com/gitlab-org/build/cng-mirror/gitlab-webservice-ee
+          --set gitlab.webservice.image.tag=#{env['CI_COMMIT_SHA']}
+          --set gitlab.webservice.workhorse.image=registry.gitlab.com/gitlab-org/build/cng-mirror/gitlab-workhorse-ee
+          --set gitlab.webservice.workhorse.tag=#{env['CI_COMMIT_SHA']}
+          --values -
+        ],
+        stdin_data: values_yml
+      )
+    end
   end
 end
diff --git a/gems/gitlab-cng/spec/unit/gitlab/cng/kubectl/client_spec.rb b/gems/gitlab-cng/spec/unit/gitlab/cng/kubectl/client_spec.rb
index b657e94bfe2..a3ca54b1e5a 100644
--- a/gems/gitlab-cng/spec/unit/gitlab/cng/kubectl/client_spec.rb
+++ b/gems/gitlab-cng/spec/unit/gitlab/cng/kubectl/client_spec.rb
@@ -19,4 +19,15 @@ RSpec.describe Gitlab::Cng::Kubectl::Client do
     expect(client.create_resource(resource)).to eq("cmd-output")
     expect(Open3).to have_received(:popen2e).with({}, *%w[kubectl apply -n gitlab -f -])
   end
+
+  it "executes custom command in pod" do
+    allow(Open3).to receive(:popen2e).with({}, *%w[
+      kubectl get pods -n gitlab --output jsonpath={.items[*].metadata.name}
+    ]).and_return(["some-pod-123 test-pod-123", command_status])
+
+    expect(client.execute("test-pod", ["ls"], container: "toolbox")).to eq("cmd-output")
+    expect(Open3).to have_received(:popen2e).with({}, *%w[
+      kubectl exec test-pod-123 -n gitlab -c toolbox -- ls
+    ])
+  end
 end
diff --git a/gems/gitlab-secret_detection/spec/lib/gitlab/secret_detection/scan_spec.rb b/gems/gitlab-secret_detection/spec/lib/gitlab/secret_detection/scan_spec.rb
index 9b20eb3850e..03d4615179f 100644
--- a/gems/gitlab-secret_detection/spec/lib/gitlab/secret_detection/scan_spec.rb
+++ b/gems/gitlab-secret_detection/spec/lib/gitlab/secret_detection/scan_spec.rb
@@ -252,9 +252,23 @@ RSpec.describe Gitlab::SecretDetection::Scan, feature_category: :secret_detectio
       it "whole secret detection scan operation times out" do
         scan_timeout_secs = 0.000_001 # 1 micro-sec to intentionally timeout large blob
 
-        response = Gitlab::SecretDetection::Response.new(Gitlab::SecretDetection::Status::SCAN_TIMEOUT)
+        expected_response = Gitlab::SecretDetection::Response.new(Gitlab::SecretDetection::Status::SCAN_TIMEOUT)
 
-        expect(scan.secrets_scan(blobs, timeout: scan_timeout_secs)).to eq(response)
+        begin
+          response = scan.secrets_scan(blobs, timeout: scan_timeout_secs)
+          expect(response).to eq(expected_response)
+        rescue ArgumentError
+          # When RSpec's main process terminates and attempts to clean up child processes upon completion, it terminates
+          # subprocesses where the scans might be still ongoing. This behavior is not recognized by the
+          # upstream library (parallel), which manages all forked subprocesses it created for running scans. When the
+          # upstream library attempts to close its forked subprocesses which already terminated, it raises an
+          # 'ArgumentError' with the message 'bad signal type NilClass,' resulting in flaky failures in the test
+          # expectations.
+          #
+          # Example: https://gitlab.com/gitlab-org/gitlab/-/jobs/6935051992
+          #
+          puts "skipping the test since the subprocesses forked for SD scanning are terminated by main process"
+        end
       end
 
       it "one of the blobs times out while others continue to get scanned" do
diff --git a/lib/api/entities/project.rb b/lib/api/entities/project.rb
index 50074ca10d9..fcb7dee20b4 100644
--- a/lib/api/entities/project.rb
+++ b/lib/api/entities/project.rb
@@ -124,6 +124,7 @@ module API
         end
         expose :keep_latest_artifacts_available?, as: :keep_latest_artifact, documentation: { type: 'boolean' }
         expose :restrict_user_defined_variables, documentation: { type: 'boolean' }
+        expose :ci_pipeline_variables_minimum_override_role, documentation: { type: 'string' }
         expose :runners_token, documentation: { type: 'string', example: 'b8547b1dc37721d05889db52fa2f02' }
         expose :runner_token_expiration_interval, documentation: { type: 'integer', example: 3600 }
         expose :group_runners_enabled, documentation: { type: 'boolean' }
diff --git a/lib/api/helpers/projects_helpers.rb b/lib/api/helpers/projects_helpers.rb
index 19afbc2c6d4..e9aeb561384 100644
--- a/lib/api/helpers/projects_helpers.rb
+++ b/lib/api/helpers/projects_helpers.rb
@@ -116,6 +116,7 @@ module API
         optional :ci_allow_fork_pipelines_to_run_in_parent_project, type: Boolean, desc: 'Allow fork merge request pipelines to run in parent project'
         optional :ci_separated_caches, type: Boolean, desc: 'Enable or disable separated caches based on branch protection.'
         optional :restrict_user_defined_variables, type: Boolean, desc: 'Restrict use of user-defined variables when triggering a pipeline'
+        optional :ci_pipeline_variables_minimum_override_role, values: %w[no_one_allowed developer maintainer owner], type: String, desc: 'Limit ability to override CI/CD variables when triggering a pipeline to only users with at least the set minimum role'
       end
 
       params :optional_update_params_ee do
@@ -208,6 +209,7 @@ module API
           :model_experiments_access_level,
           :model_registry_access_level,
           :warn_about_potentially_unwanted_characters,
+          :ci_pipeline_variables_minimum_override_role,
 
           # TODO: remove in API v5, replaced by *_access_level
           :issues_enabled,
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 0d4cf549a19..4286cf29627 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -596,6 +596,8 @@ module API
           present_project user_project, with: Entities::Project,
             user_can_admin_project: can?(current_user, :admin_project, user_project),
             current_user: current_user
+        elsif result[:status] == :api_error
+          render_api_error!(result[:message], 400)
         else
           render_validation_error!(user_project)
         end
diff --git a/lib/api/remote_mirrors.rb b/lib/api/remote_mirrors.rb
index 5ffa3c7e9a0..525ae403bd9 100644
--- a/lib/api/remote_mirrors.rb
+++ b/lib/api/remote_mirrors.rb
@@ -178,16 +178,24 @@ module API
       delete ':id/remote_mirrors/:mirror_id' do
         mirror = find_remote_mirror
 
-        destroy_conditionally!(mirror) do
-          mirror_params = declared_params(include_missing: false).merge(_destroy: 1)
-          mirror_params[:id] = mirror_params.delete(:mirror_id)
-          update_params = { remote_mirrors_attributes: mirror_params }
+        if Feature.enabled?(:use_remote_mirror_destroy_service, user_project)
+          destroy_conditionally!(mirror) do
+            result = ::RemoteMirrors::DestroyService.new(user_project, current_user).execute(mirror)
 
-          # Note: We are using the update service to be consistent with how the controller handles deletion
-          result = ::Projects::UpdateService.new(user_project, current_user, update_params).execute
+            render_api_error!(result.message, 400) if result.error?
+          end
+        else
+          destroy_conditionally!(mirror) do
+            mirror_params = declared_params(include_missing: false).merge(_destroy: 1)
+            mirror_params[:id] = mirror_params.delete(:mirror_id)
+            update_params = { remote_mirrors_attributes: mirror_params }
 
-          if result[:status] != :success
-            render_api_error!(result[:message], 400)
+            # Note: We are using the update service to be consistent with how the controller handles deletion
+            result = ::Projects::UpdateService.new(user_project, current_user, update_params).execute
+
+            if result[:status] != :success
+              render_api_error!(result[:message], 400)
+            end
           end
         end
       end
diff --git a/lib/gitlab/background_migration/backfill_epic_issues_into_work_item_parent_links.rb b/lib/gitlab/background_migration/backfill_epic_issues_into_work_item_parent_links.rb
new file mode 100644
index 00000000000..6298fb06154
--- /dev/null
+++ b/lib/gitlab/background_migration/backfill_epic_issues_into_work_item_parent_links.rb
@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module BackgroundMigration
+    # Backfill epic issues into work item parent links
+    # There are two ways to use this background migration
+    #
+    # 1. Backfill every epic_issues record by providing a nil `group_id` argument. batch_table must be
+    #    `epic_issues` and batch_column must be `id`.
+    # 2. Backfill epic_issues only for a specific group by providing a `group_id` argument. batch_table must be
+    #    `epics` and batch_column must be `iid`.
+    class BackfillEpicIssuesIntoWorkItemParentLinks < BatchedMigrationJob
+      operation_name :backfill_epic_issues_into_work_item_parent_links
+      feature_category :team_planning
+
+      job_arguments :group_id
+      scope_to ->(relation) { scope_by_arguments(relation) }
+
+      class ParentLink < ApplicationRecord
+        self.table_name = :work_item_parent_links
+        self.inheritance_column = :_type_disabled
+      end
+
+      def perform
+        if group_id.present? && (batch_table.to_sym != :epics || batch_column.to_sym != :iid)
+          raise 'when group_id is provided, use `epics` as batch_table and `iid` as batch_column'
+        end
+
+        if group_id.blank? && batch_table.to_sym == :epics
+          raise 'use `epic_issues` as batch_table when no group_id is provided'
+        end
+
+        each_sub_batch do |sub_batch|
+          ParentLink.transaction do
+            if batch_table.to_sym == :epic_issues
+              upsert_by_epic_issues(sub_batch)
+            else
+              upsert_by_epics(sub_batch)
+            end
+          end
+        end
+      end
+
+      private
+
+      def scope_by_arguments(relation)
+        return relation if group_id.blank?
+
+        relation.where(group_id: group_id)
+      end
+
+      def upsert_records(records)
+        ParentLink.upsert_all(
+          records,
+          on_duplicate: :update,
+          unique_by: :index_work_item_parent_links_on_work_item_id
+        )
+      end
+
+      def batch_attributes(sub_batch)
+        locked_batch = sub_batch.joins('INNER JOIN epics ON epics.id = epic_issues.epic_id')
+                                .select(:id, :epic_id, :issue_id, :relative_position)
+                                .select('epics.issue_id AS parent_issue_id')
+                                .lock!
+
+        locked_batch.map do |epic_issue|
+          {
+            work_item_parent_id: epic_issue.parent_issue_id,
+            work_item_id: epic_issue.issue_id,
+            relative_position: epic_issue.relative_position
+          }
+        end
+      end
+
+      def upsert_by_epics(sub_batch)
+        epic_issues.where(epic_id: sub_batch.select(:id)).each_batch(of: 100) do |batch|
+          upsert_records(
+            batch_attributes(batch)
+          )
+        end
+      end
+
+      def upsert_by_epic_issues(sub_batch)
+        upsert_records(
+          batch_attributes(sub_batch)
+        )
+      end
+
+      def epic_issues
+        @epic_issues ||= define_batchable_model(:epic_issues, connection: ApplicationRecord.connection)
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/graphql/query_analyzers/ast/logger_analyzer.rb b/lib/gitlab/graphql/query_analyzers/ast/logger_analyzer.rb
index dcc0ea0a965..95fce2b2435 100644
--- a/lib/gitlab/graphql/query_analyzers/ast/logger_analyzer.rb
+++ b/lib/gitlab/graphql/query_analyzers/ast/logger_analyzer.rb
@@ -25,6 +25,8 @@ module Gitlab
             complexity, depth, field_usages =
               GraphQL::Analysis::AST.analyze_query(@subject, ALL_ANALYZERS, multiplex_analyzers: [])
 
+            field_usages ||= {} # in various edge cases, #analyze_query returns []
+
             results[:depth] = depth
             results[:complexity] = complexity
             # This duration is not the execution time of the
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index a915637671d..a630b77808c 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -4703,6 +4703,9 @@ msgstr ""
 msgid "AiImpactAnalytics|Monthly user engagement with AI Code Suggestions. Percentage ratio calculated as monthly unique Code Suggestions users / total monthly unique code contributors."
 msgstr ""
 
+msgid "AiImpactAnalytics|Usage rate for Code Suggestions is calculated with data starting on %{startDate}"
+msgstr ""
+
 msgid "Akismet"
 msgstr ""
 
@@ -39990,6 +39993,9 @@ msgstr ""
 msgid "Profiles|Do not show on profile"
 msgstr ""
 
+msgid "Profiles|Don't display activity-related personal information on your profile."
+msgstr ""
+
 msgid "Profiles|Don't display activity-related personal information on your profile. %{private_profile_help_link_start}Learn more%{private_profile_help_link_end}."
 msgstr ""
 
@@ -49109,6 +49115,9 @@ msgstr ""
 msgid "Setting enforced"
 msgstr ""
 
+msgid "Setting locked. Profiles are required to be public in this instance."
+msgstr ""
+
 msgid "Settings"
 msgstr ""
 
@@ -56056,6 +56065,12 @@ msgstr ""
 msgid "UpdateProject|Cannot rename project, the container registry path rename validation failed: %{error}"
 msgstr ""
 
+msgid "UpdateProject|Changing the ci_pipeline_variables_minimum_override_role to the owner role is not allowed"
+msgstr ""
+
+msgid "UpdateProject|Changing the restrict_user_defined_variables or ci_pipeline_variables_minimum_override_role is not allowed"
+msgstr ""
+
 msgid "UpdateProject|Could not set the default branch"
 msgstr ""
 
diff --git a/qa/Gemfile.lock b/qa/Gemfile.lock
index e74fdb8f297..b20701876fb 100644
--- a/qa/Gemfile.lock
+++ b/qa/Gemfile.lock
@@ -2,6 +2,7 @@ PATH
   remote: ../gems/gitlab-cng
   specs:
     gitlab-cng (0.0.1)
+      activesupport (>= 7)
       rainbow (~> 3.1)
       require_all (~> 3.0)
       thor (~> 1.3)
diff --git a/qa/qa/service/docker_run/product_analytics/browser_sdk_app.rb b/qa/qa/service/docker_run/product_analytics/browser_sdk_app.rb
index e34768212d3..f3e5e6ec455 100644
--- a/qa/qa/service/docker_run/product_analytics/browser_sdk_app.rb
+++ b/qa/qa/service/docker_run/product_analytics/browser_sdk_app.rb
@@ -12,11 +12,13 @@ module QA
           def initialize(sdk_host, sdk_app_id)
             # Below is an image of a sample app that uses Product Analytics Browser SDK.
             # The image is created in https://gitlab.com/gitlab-org/analytics-section/product-analytics/gl-application-sdk-browser
-            # It's buit on every merge to main branch in the repository.
+            # It's built on every merge to main branch in the repository.
+            # @name should not contain _ (underscores) as it is used to generate host_name
+            # and _ are not allowed for domain names.
             # Note: set @host_name = 'localhost' here when running locally against GDK.
             @image = 'registry.gitlab.com/gitlab-org/analytics-section/product-analytics/' \
                      'gl-application-sdk-browser/example-app:main'
-            @name = 'browser_sdk'
+            @name = 'browser-sdk'
             @sdk_host = URI(sdk_host)
             @sdk_app_id = sdk_app_id
             @port = '8081'
diff --git a/qa/qa/service/docker_run/product_analytics/dotnet_sdk_app.rb b/qa/qa/service/docker_run/product_analytics/dotnet_sdk_app.rb
index a84e11d8773..6adae307622 100644
--- a/qa/qa/service/docker_run/product_analytics/dotnet_sdk_app.rb
+++ b/qa/qa/service/docker_run/product_analytics/dotnet_sdk_app.rb
@@ -10,11 +10,13 @@ module QA
           def initialize(sdk_host, sdk_app_id)
             # Below is an image of a sample app that uses Product Analytics .NET SDK.
             # The image is created in https://gitlab.com/gitlab-org/analytics-section/product-analytics/gl-application-sdk-dotnet
-            # It's buit on every merge to main branch in the repository.
+            # It's built on every merge to main branch in the repository.
+            # @name should not contain _ (underscores) as it is used to generate host_name
+            # and _ are not allowed for domain names.
             # Note: set @host_name = 'localhost' here when running locally against GDK.
             @image = 'registry.gitlab.com/gitlab-org/analytics-section/product-analytics/' \
                      'gl-application-sdk-dotnet/example-app:main'
-            @name = 'dotnet_sdk'
+            @name = 'dotnet-sdk'
             @sdk_host = URI(sdk_host)
             @sdk_app_id = sdk_app_id
             @port = '5171'
diff --git a/qa/qa/service/docker_run/product_analytics/ruby_sdk_app.rb b/qa/qa/service/docker_run/product_analytics/ruby_sdk_app.rb
new file mode 100644
index 00000000000..f750cef0bd1
--- /dev/null
+++ b/qa/qa/service/docker_run/product_analytics/ruby_sdk_app.rb
@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module QA
+  module Service
+    module DockerRun
+      module ProductAnalytics
+        class RubySdkApp < Base
+          include Support::API
+
+          def initialize(sdk_host)
+            # Below is an image of a sample app that uses Product Analytics ruby SDK.
+            # The image is created in https://gitlab.com/gitlab-org/analytics-section/product-analytics/gl-application-sdk-rb
+            # It's built on every merge to main branch in the repository.
+            # @name should not contain _ (underscores) as it is used to generate host_name
+            # and _ are not allowed for domain names.
+            # Note: set @host_name = 'localhost' here when running locally against GDK.
+            @image = 'registry.gitlab.com/gitlab-org/analytics-section/product-analytics/' \
+              'gl-application-sdk-rb/example-app:main'
+            @name = 'ruby-sdk'
+            @sdk_host = URI(sdk_host)
+            @port = '5172'
+
+            super()
+          end
+
+          def register!(sdk_app_id)
+            shell <<~CMD.tr("\n", ' ')
+              docker run -d --rm
+              --name #{@name}
+              --network #{network}
+              --hostname #{host_name}
+              -p #{@port}:#{@port}
+              -e PA_COLLECTOR_URL=#{@sdk_host}
+              -e PA_APPLICATION_ID=#{sdk_app_id}
+              #{@image}
+              -p #{@port}
+            CMD
+
+            wait_for_app_available
+          end
+
+          def trigger_event
+            get "http://#{host_name}:#{@port}/api/v1/send_event"
+            Runtime::Logger.info('Ruby SDK event is triggered!')
+          end
+
+          private
+
+          def wait_for_app_available
+            Runtime::Logger.info("Waiting for Ruby SDK sample app to become available at http://#{host_name}:#{@port}...")
+            Support::Waiter.wait_until(sleep_interval: 1,
+              message: "Wait for Ruby SDK sample app to become available at http://#{host_name}:#{@port}") { app_available? }
+            Runtime::Logger.info('Ruby SDK sample app is up!')
+          end
+
+          def app_available?
+            response = get "http://#{host_name}:#{@port}"
+            response.code == 200
+          rescue Errno::ECONNRESET, Errno::ECONNREFUSED, RestClient::ServerBrokeConnection => e
+            Runtime::Logger.debug("Ruby SDK sample app is not yet available: #{e.inspect}")
+            false
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/scripts/qa/cng_deploy/cng-kind.sh b/scripts/qa/cng_deploy/cng-kind.sh
index f1fb8af265f..9271cd13923 100644
--- a/scripts/qa/cng_deploy/cng-kind.sh
+++ b/scripts/qa/cng_deploy/cng-kind.sh
@@ -25,163 +25,6 @@ function log_with_header() {
   log_info "$delimiter"
 }
 
-#
-# Deploy functions
-#
-function get_redis_version() {
-  # version number is fetched from constant definition in redis_version_check.rb
-  local version_type=${1:-RECOMMENDED_REDIS_VERSION}
-
-  awk -F "=" "/${version_type} =/ {print \$2}" $CI_PROJECT_DIR/lib/system_check/app/redis_version_check.rb | sed "s/['\" ]//g"
-}
-
-function chart_values() {
-  local domain=$1
-  local values_file="cng-deploy-values.yml"
-
-  local gitlab_image_repository="registry.gitlab.com/gitlab-org/build/cng-mirror"
-  local gitlab_toolbox_image_repository="${gitlab_image_repository}/gitlab-toolbox-ee"
-  local gitlab_sidekiq_image_repository="${gitlab_image_repository}/gitlab-sidekiq-ee"
-  local gitlab_webservice_image_repository="${gitlab_image_repository}/gitlab-webservice-ee"
-  local gitlab_workhorse_image_repository="${gitlab_image_repository}/gitlab-workhorse-ee"
-  local gitlab_shell_image_repository="${gitlab_image_repository}/gitlab-shell"
-  local gitlab_shell_image_tag="$(cat $CI_PROJECT_DIR/GITLAB_SHELL_VERSION)"
-  local gitlab_gitaly_image_repository="${gitlab_image_repository}/gitaly"
-  local gitaly_image_tag="$(cat $CI_PROJECT_DIR/GITALY_SERVER_VERSION)"
-  local redis_version="$(get_redis_version $REDIS_VERSION_TYPE)"
-
-  cat > $values_file <<EOF
-global:
-  hosts:
-    domain: $domain
-    https: false
-  ingress:
-    configureCertmanager: false
-    tls:
-      enabled: false
-  extraEnv:
-    GITLAB_LICENSE_MODE: test
-    CUSTOMER_PORTAL_URL: https://customers.staging.gitlab.com
-  initialRootPassword:
-    secret: gitlab-initial-root-password
-  gitlab:
-    license:
-      secret: gitlab-license
-  gitaly:
-    hooks:
-      preReceive:
-        configmap: pre-receive-hook
-  appConfig:
-    applicationSettingsCacheSeconds: 0
-
-gitlab:
-  gitaly:
-    image:
-      repository: "${gitlab_gitaly_image_repository}"
-      tag: "${gitaly_image_tag}"
-  gitlab-shell:
-    image:
-      repository: "${gitlab_shell_image_repository}"
-      tag: "v${gitlab_shell_image_tag}"
-  migrations:
-    image:
-      repository: "${gitlab_toolbox_image_repository}"
-      tag: "${CI_COMMIT_SHA}"
-  sidekiq:
-    annotations:
-      commit: "${CI_COMMIT_SHORT_SHA}"
-    image:
-      repository: "${gitlab_sidekiq_image_repository}"
-      tag: "${CI_COMMIT_SHA}"
-  toolbox:
-    image:
-      repository: "${gitlab_toolbox_image_repository}"
-      tag: "${CI_COMMIT_SHA}"
-  webservice:
-    annotations:
-      commit: "${CI_COMMIT_SHORT_SHA}"
-    image:
-      repository: "${gitlab_webservice_image_repository}"
-      tag: "${CI_COMMIT_SHA}"
-    workhorse:
-      image: "${gitlab_workhorse_image_repository}"
-      tag: "${CI_COMMIT_SHA}"
-  gitlab-exporter:
-    enabled: false
-
-# Provision specific version of redis (either recommended or minimum supported)
-redis:
-  metrics:
-    enabled: false
-  image:
-    tag: "${redis_version%.*}"
-
-# Don't use certmanager, we'll self-sign or use http
-certmanager:
-  install: false
-
-# Specify NodePorts for NGINX and reduce replicas to 1
-nginx-ingress:
-  controller:
-    replicaCount: 1
-    minAavailable: 1
-    service:
-      type: NodePort
-      nodePorts:
-        # gitlab-shell port value below must match the KinD config file:
-        #   nodes[0].extraPortMappings[1].containerPort
-        gitlab-shell: 32022
-        # http port value below must match the KinD config file:
-        #   nodes[0].extraPortMappings[0].containerPort
-        http: 32080
-
-# Each test creates it's own runner, skip preinstalling runners
-gitlab-runner:
-  install: false
-
-# Disable metrics
-prometheus:
-  install: false
-EOF
-
-echo $values_file
-}
-
-function add_root_token() {
-  cmd=$(
-    cat <<EOF
-user = User.find_by_username('root');
-abort 'Error: Could not find root user. Check that the database was properly seeded' unless user;
-token = user.personal_access_tokens.create(scopes: [:api], name: 'Token to disable sign-ups', expires_at: 30.days.from_now);
-token.set_token('${GITLAB_QA_ADMIN_ACCESS_TOKEN}');
-token.save!;
-EOF
-  )
-
-  log_info "Add root user PAT"
-  local toolbox_pod=$(kubectl get pods --namespace ${NAMESPACE} -lapp=toolbox --no-headers -o=custom-columns=NAME:.metadata.name | tail -n 1)
-  kubectl exec --namespace "${NAMESPACE}" --container toolbox "${toolbox_pod}" -- gitlab-rails runner "${cmd}"
-  log "success!"
-}
-
-function deploy() {
-  local domain=$1
-  local values=$(chart_values $domain)
-
-  log_with_header "Install GitLab"
-  log_info "Using following values.yml"
-  cat $values
-
-  log_info "Running helm install"
-  helm install gitlab gitlab/gitlab \
-    --namespace "$NAMESPACE" \
-    --values $values \
-    --timeout 5m \
-    --wait
-
-  add_root_token
-}
-
 function save_install_logs() {
   log_with_header "Events of namespace ${NAMESPACE}"
   kubectl get events --output wide --namespace ${NAMESPACE}
diff --git a/scripts/qa/cng_deploy/config/hook.sh b/scripts/qa/cng_deploy/config/hook.sh
deleted file mode 100755
index de39f247bfb..00000000000
--- a/scripts/qa/cng_deploy/config/hook.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-
-if [[ $GL_PROJECT_PATH =~ 'reject-prereceive' ]]; then
-  echo 'GL-HOOK-ERR: Custom error message rejecting prereceive hook for projects with GL_PROJECT_PATH matching pattern reject-prereceive'
-  exit 1
-fi
diff --git a/scripts/qa/cng_deploy/config/kind-config.yml b/scripts/qa/cng_deploy/config/kind-config.yml
deleted file mode 100644
index fa568522b53..00000000000
--- a/scripts/qa/cng_deploy/config/kind-config.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: kind.x-k8s.io/v1alpha4
-kind: Cluster
-networking:
-  apiServerAddress: "0.0.0.0"
-nodes:
-  - role: control-plane
-    kubeadmConfigPatches:
-      - |
-        kind: InitConfiguration
-        nodeRegistration:
-          kubeletExtraArgs:
-            node-labels: "ingress-ready=true"
-      - |
-        kind: ClusterConfiguration
-        apiServer:
-          certSANs:
-            - "docker"
-    extraPortMappings:
-        # containerPort below must match the values file:
-        #   nginx-ingress.controller.service.nodePorts.http
-      - containerPort: 32080
-        hostPort: 80
-        listenAddress: "0.0.0.0"
-        # containerPort below must match the values file:
-        #   nginx-ingress.controller.service.nodePorts.gitlab-shell
-      - containerPort: 32022
-        hostPort: 22
-        listenAddress: "0.0.0.0"
diff --git a/spec/frontend/observability/client_spec.js b/spec/frontend/observability/client_spec.js
index f29431a4ea5..9a86ca9c316 100644
--- a/spec/frontend/observability/client_spec.js
+++ b/spec/frontend/observability/client_spec.js
@@ -271,28 +271,30 @@ describe('buildClient', () => {
       it('converts filter to proper query params', async () => {
         await client.fetchTraces({
           filters: {
-            durationMs: [
-              { operator: '>', value: '100' },
-              { operator: '<', value: '1000' },
-            ],
-            operation: [
-              { operator: '=', value: 'op' },
-              { operator: '!=', value: 'not-op' },
-            ],
-            service: [
-              { operator: '=', value: 'service' },
-              { operator: '!=', value: 'not-service' },
-            ],
-            period: [{ operator: '=', value: '5m' }],
-            status: [
-              { operator: '=', value: 'ok' },
-              { operator: '!=', value: 'error' },
-            ],
-            traceId: [
-              { operator: '=', value: 'trace-id' },
-              { operator: '!=', value: 'not-trace-id' },
-            ],
-            attribute: [{ operator: '=', value: 'name1=value1' }],
+            attributes: {
+              durationMs: [
+                { operator: '>', value: '100' },
+                { operator: '<', value: '1000' },
+              ],
+              operation: [
+                { operator: '=', value: 'op' },
+                { operator: '!=', value: 'not-op' },
+              ],
+              service: [
+                { operator: '=', value: 'service' },
+                { operator: '!=', value: 'not-service' },
+              ],
+              period: [{ operator: '=', value: '5m' }],
+              status: [
+                { operator: '=', value: 'ok' },
+                { operator: '!=', value: 'error' },
+              ],
+              traceId: [
+                { operator: '=', value: 'trace-id' },
+                { operator: '!=', value: 'not-trace-id' },
+              ],
+              attribute: [{ operator: '=', value: 'name1=value1' }],
+            },
           },
         });
         expect(getQueryParam()).toContain(
@@ -309,7 +311,9 @@ describe('buildClient', () => {
         it('handles custom date range period filter', async () => {
           await client.fetchTraces({
             filters: {
-              period: [{ operator: '=', value: '2023-01-01 - 2023-02-01' }],
+              attributes: {
+                period: [{ operator: '=', value: '2023-01-01 - 2023-02-01' }],
+              },
             },
           });
           expect(getQueryParam()).not.toContain('period=');
@@ -328,7 +332,9 @@ describe('buildClient', () => {
         ])('ignore invalid values', async (val) => {
           await client.fetchTraces({
             filters: {
-              period: [{ operator: '=', value: val }],
+              attributes: {
+                period: [{ operator: '=', value: val }],
+              },
             },
           });
 
@@ -341,10 +347,12 @@ describe('buildClient', () => {
       it('handles repeated params', async () => {
         await client.fetchTraces({
           filters: {
-            operation: [
-              { operator: '=', value: 'op' },
-              { operator: '=', value: 'op2' },
-            ],
+            attributes: {
+              operation: [
+                { operator: '=', value: 'op' },
+                { operator: '=', value: 'op2' },
+              ],
+            },
           },
         });
         expect(getQueryParam()).toContain('operation=op&operation=op2');
@@ -353,7 +361,9 @@ describe('buildClient', () => {
       it('ignores unsupported filters', async () => {
         await client.fetchTraces({
           filters: {
-            unsupportedFilter: [{ operator: '=', value: 'foo' }],
+            attributes: {
+              unsupportedFilter: [{ operator: '=', value: 'foo' }],
+            },
           },
         });
 
@@ -363,8 +373,10 @@ describe('buildClient', () => {
       it('ignores empty filters', async () => {
         await client.fetchTraces({
           filters: {
-            durationMs: null,
-            traceId: undefined,
+            attributes: {
+              durationMs: null,
+              traceId: undefined,
+            },
           },
         });
 
@@ -374,7 +386,9 @@ describe('buildClient', () => {
       it('ignores non-array filters', async () => {
         await client.fetchTraces({
           filters: {
-            traceId: { operator: '=', value: 'foo' },
+            attributes: {
+              traceId: { operator: '=', value: 'foo' },
+            },
           },
         });
 
@@ -384,24 +398,26 @@ describe('buildClient', () => {
       it('ignores unsupported operators', async () => {
         await client.fetchTraces({
           filters: {
-            durationMs: [
-              { operator: '*', value: 'foo' },
-              { operator: '=', value: 'foo' },
-              { operator: '!=', value: 'foo' },
-            ],
-            operation: [
-              { operator: '>', value: 'foo' },
-              { operator: '<', value: 'foo' },
-            ],
-            service: [
-              { operator: '>', value: 'foo' },
-              { operator: '<', value: 'foo' },
-            ],
-            period: [{ operator: '!=', value: 'foo' }],
-            traceId: [
-              { operator: '>', value: 'foo' },
-              { operator: '<', value: 'foo' },
-            ],
+            attributes: {
+              durationMs: [
+                { operator: '*', value: 'foo' },
+                { operator: '=', value: 'foo' },
+                { operator: '!=', value: 'foo' },
+              ],
+              operation: [
+                { operator: '>', value: 'foo' },
+                { operator: '<', value: 'foo' },
+              ],
+              service: [
+                { operator: '>', value: 'foo' },
+                { operator: '<', value: 'foo' },
+              ],
+              period: [{ operator: '!=', value: 'foo' }],
+              traceId: [
+                { operator: '>', value: 'foo' },
+                { operator: '<', value: 'foo' },
+              ],
+            },
           },
         });
 
@@ -475,28 +491,30 @@ describe('buildClient', () => {
       it('converts filter to proper query params', async () => {
         await client.fetchTracesAnalytics({
           filters: {
-            durationMs: [
-              { operator: '>', value: '100' },
-              { operator: '<', value: '1000' },
-            ],
-            operation: [
-              { operator: '=', value: 'op' },
-              { operator: '!=', value: 'not-op' },
-            ],
-            service: [
-              { operator: '=', value: 'service' },
-              { operator: '!=', value: 'not-service' },
-            ],
-            period: [{ operator: '=', value: '5m' }],
-            status: [
-              { operator: '=', value: 'ok' },
-              { operator: '!=', value: 'error' },
-            ],
-            traceId: [
-              { operator: '=', value: 'trace-id' },
-              { operator: '!=', value: 'not-trace-id' },
-            ],
-            attribute: [{ operator: '=', value: 'name1=value1' }],
+            attributes: {
+              durationMs: [
+                { operator: '>', value: '100' },
+                { operator: '<', value: '1000' },
+              ],
+              operation: [
+                { operator: '=', value: 'op' },
+                { operator: '!=', value: 'not-op' },
+              ],
+              service: [
+                { operator: '=', value: 'service' },
+                { operator: '!=', value: 'not-service' },
+              ],
+              period: [{ operator: '=', value: '5m' }],
+              status: [
+                { operator: '=', value: 'ok' },
+                { operator: '!=', value: 'error' },
+              ],
+              traceId: [
+                { operator: '=', value: 'trace-id' },
+                { operator: '!=', value: 'not-trace-id' },
+              ],
+              attribute: [{ operator: '=', value: 'name1=value1' }],
+            },
           },
         });
         expect(getQueryParam()).toContain(
@@ -513,7 +531,9 @@ describe('buildClient', () => {
         it('handles custom date range period filter', async () => {
           await client.fetchTracesAnalytics({
             filters: {
-              period: [{ operator: '=', value: '2023-01-01 - 2023-02-01' }],
+              attributes: {
+                period: [{ operator: '=', value: '2023-01-01 - 2023-02-01' }],
+              },
             },
           });
           expect(getQueryParam()).not.toContain('period=');
@@ -545,10 +565,12 @@ describe('buildClient', () => {
       it('handles repeated params', async () => {
         await client.fetchTracesAnalytics({
           filters: {
-            operation: [
-              { operator: '=', value: 'op' },
-              { operator: '=', value: 'op2' },
-            ],
+            attributes: {
+              operation: [
+                { operator: '=', value: 'op' },
+                { operator: '=', value: 'op2' },
+              ],
+            },
           },
         });
         expect(getQueryParam()).toContain('operation=op&operation=op2');
@@ -557,7 +579,9 @@ describe('buildClient', () => {
       it('ignores unsupported filters', async () => {
         await client.fetchTracesAnalytics({
           filters: {
-            unsupportedFilter: [{ operator: '=', value: 'foo' }],
+            attributes: {
+              unsupportedFilter: [{ operator: '=', value: 'foo' }],
+            },
           },
         });
 
@@ -567,7 +591,9 @@ describe('buildClient', () => {
       it('ignores empty filters', async () => {
         await client.fetchTracesAnalytics({
           filters: {
-            durationMs: null,
+            attributes: {
+              durationMs: null,
+            },
           },
         });
 
@@ -577,7 +603,9 @@ describe('buildClient', () => {
       it('ignores non-array filters', async () => {
         await client.fetchTracesAnalytics({
           filters: {
-            traceId: { operator: '=', value: 'foo' },
+            attributes: {
+              traceId: { operator: '=', value: 'foo' },
+            },
           },
         });
 
@@ -587,24 +615,26 @@ describe('buildClient', () => {
       it('ignores unsupported operators', async () => {
         await client.fetchTracesAnalytics({
           filters: {
-            durationMs: [
-              { operator: '*', value: 'foo' },
-              { operator: '=', value: 'foo' },
-              { operator: '!=', value: 'foo' },
-            ],
-            operation: [
-              { operator: '>', value: 'foo' },
-              { operator: '<', value: 'foo' },
-            ],
-            service: [
-              { operator: '>', value: 'foo' },
-              { operator: '<', value: 'foo' },
-            ],
-            period: [{ operator: '!=', value: 'foo' }],
-            traceId: [
-              { operator: '>', value: 'foo' },
-              { operator: '<', value: 'foo' },
-            ],
+            attributes: {
+              durationMs: [
+                { operator: '*', value: 'foo' },
+                { operator: '=', value: 'foo' },
+                { operator: '!=', value: 'foo' },
+              ],
+              operation: [
+                { operator: '>', value: 'foo' },
+                { operator: '<', value: 'foo' },
+              ],
+              service: [
+                { operator: '>', value: 'foo' },
+                { operator: '<', value: 'foo' },
+              ],
+              period: [{ operator: '!=', value: 'foo' }],
+              traceId: [
+                { operator: '>', value: 'foo' },
+                { operator: '<', value: 'foo' },
+              ],
+            },
           },
         });
 
diff --git a/spec/frontend/packages_and_registries/infrastructure_registry/components/shared/__snapshots__/package_list_row_spec.js.snap b/spec/frontend/packages_and_registries/infrastructure_registry/components/shared/__snapshots__/package_list_row_spec.js.snap
index e9875d7afd3..3fcd7371960 100644
--- a/spec/frontend/packages_and_registries/infrastructure_registry/components/shared/__snapshots__/package_list_row_spec.js.snap
+++ b/spec/frontend/packages_and_registries/infrastructure_registry/components/shared/__snapshots__/package_list_row_spec.js.snap
@@ -1,7 +1,7 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
 exports[`packages_list_row renders 1`] = `
-<li
+<div
   class="gl-border-b-1 gl-border-b-gray-100 gl-border-b-solid gl-border-t-1 gl-border-t-solid gl-border-t-transparent gl-display-flex gl-flex-direction-column"
   data-testid="package-row"
 >
@@ -87,5 +87,5 @@ exports[`packages_list_row renders 1`] = `
       />
     </div>
   </div>
-</li>
+</div>
 `;
diff --git a/spec/frontend/packages_and_registries/package_registry/components/list/__snapshots__/package_list_row_spec.js.snap b/spec/frontend/packages_and_registries/package_registry/components/list/__snapshots__/package_list_row_spec.js.snap
index c9cb6f8f4ce..0183449b8d2 100644
--- a/spec/frontend/packages_and_registries/package_registry/components/list/__snapshots__/package_list_row_spec.js.snap
+++ b/spec/frontend/packages_and_registries/package_registry/components/list/__snapshots__/package_list_row_spec.js.snap
@@ -1,7 +1,7 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
 exports[`packages_list_row renders 1`] = `
-<li
+<div
   class="gl-border-b-1 gl-border-b-gray-100 gl-border-b-solid gl-border-t-1 gl-border-t-solid gl-border-t-transparent gl-display-flex gl-flex-direction-column"
   data-testid="package-row"
 >
@@ -114,5 +114,5 @@ exports[`packages_list_row renders 1`] = `
       </gl-disclosure-dropdown-stub>
     </div>
   </div>
-</li>
+</div>
 `;
diff --git a/spec/frontend/vue_shared/issuable/list/components/issuable_list_root_spec.js b/spec/frontend/vue_shared/issuable/list/components/issuable_list_root_spec.js
index a2a059d5b18..b9fe254790e 100644
--- a/spec/frontend/vue_shared/issuable/list/components/issuable_list_root_spec.js
+++ b/spec/frontend/vue_shared/issuable/list/components/issuable_list_root_spec.js
@@ -1,472 +1,165 @@
-import { GlAlert, GlKeysetPagination, GlSkeletonLoader, GlPagination } from '@gitlab/ui';
+import { GlAlert, GlKeysetPagination, GlPagination, GlSkeletonLoader } from '@gitlab/ui';
 import { shallowMount } from '@vue/test-utils';
-import VueDraggable from 'vuedraggable';
-
 import { nextTick } from 'vue';
+import VueDraggable from 'vuedraggable';
 import { TEST_HOST } from 'helpers/test_constants';
 import { DRAG_DELAY } from '~/sortable/constants';
-
-import IssuableItem from '~/vue_shared/issuable/list/components/issuable_item.vue';
-import IssuableListRoot from '~/vue_shared/issuable/list/components/issuable_list_root.vue';
-import issuableGrid from '~/vue_shared/issuable/list/components/issuable_grid.vue';
-import IssuableTabs from '~/vue_shared/issuable/list/components/issuable_tabs.vue';
 import FilteredSearchBar from '~/vue_shared/components/filtered_search_bar/filtered_search_bar_root.vue';
 import PageSizeSelector from '~/vue_shared/components/page_size_selector.vue';
+import IssuableBulkEditSidebar from '~/vue_shared/issuable/list/components/issuable_bulk_edit_sidebar.vue';
+import IssuableGrid from '~/vue_shared/issuable/list/components/issuable_grid.vue';
+import IssuableItem from '~/vue_shared/issuable/list/components/issuable_item.vue';
+import IssuableListRoot from '~/vue_shared/issuable/list/components/issuable_list_root.vue';
+import IssuableTabs from '~/vue_shared/issuable/list/components/issuable_tabs.vue';
+import { mockIssuableListProps } from '../mock_data';
 
-import { mockIssuableListProps, mockIssuables } from '../mock_data';
-
-const createComponent = ({ props = {}, data = {} } = {}) =>
-  shallowMount(IssuableListRoot, {
-    propsData: {
-      ...mockIssuableListProps,
-      ...props,
-    },
-    data() {
-      return data;
-    },
-    slots: {
-      'nav-actions': `
-      <button class="js-new-issuable">New issuable</button>
-    `,
-      'empty-state': `
-      <p class="js-issuable-empty-state">Issuable empty state</p>
-    `,
-    },
-    stubs: {
-      IssuableTabs,
-    },
-  });
-
-describe('IssuableListRoot', () => {
+describe('IssuableListRoot component', () => {
+  /** @type {import('@vue/test-utils').Wrapper} */
   let wrapper;
 
   const findAlert = () => wrapper.findComponent(GlAlert);
+  const findAllIssuableItems = () => wrapper.findAllComponents(IssuableItem);
   const findFilteredSearchBar = () => wrapper.findComponent(FilteredSearchBar);
   const findGlKeysetPagination = () => wrapper.findComponent(GlKeysetPagination);
   const findGlPagination = () => wrapper.findComponent(GlPagination);
+  const findIssuableGrid = () => wrapper.findComponent(IssuableGrid);
   const findIssuableItem = () => wrapper.findComponent(IssuableItem);
-  const findIssuableGrid = () => wrapper.findComponent(issuableGrid);
   const findIssuableTabs = () => wrapper.findComponent(IssuableTabs);
-  const findVueDraggable = () => wrapper.findComponent(VueDraggable);
   const findPageSizeSelector = () => wrapper.findComponent(PageSizeSelector);
+  const findVueDraggable = () => wrapper.findComponent(VueDraggable);
 
-  describe('computed', () => {
-    beforeEach(() => {
-      wrapper = createComponent();
-    });
-
-    const mockCheckedIssuables = {
-      [mockIssuables[0].iid]: { checked: true, issuable: mockIssuables[0] },
-      [mockIssuables[1].iid]: { checked: true, issuable: mockIssuables[1] },
-      [mockIssuables[2].iid]: { checked: true, issuable: mockIssuables[2] },
-    };
-
-    const mIssuables = [mockIssuables[0], mockIssuables[1], mockIssuables[2]];
-
-    describe('skeletonItemCount', () => {
-      it.each`
-        totalItems | defaultPageSize | currentPage | returnValue
-        ${100}     | ${20}           | ${1}        | ${20}
-        ${105}     | ${20}           | ${6}        | ${5}
-        ${7}       | ${20}           | ${1}        | ${7}
-        ${0}       | ${20}           | ${1}        | ${5}
-      `(
-        'returns $returnValue when totalItems is $totalItems, defaultPageSize is $defaultPageSize and currentPage is $currentPage',
-        async ({ totalItems, defaultPageSize, currentPage, returnValue }) => {
-          wrapper.setProps({
-            totalItems,
-            defaultPageSize,
-            currentPage,
-          });
-
-          await nextTick();
-
-          expect(wrapper.vm.skeletonItemCount).toBe(returnValue);
-        },
-      );
-    });
-
-    describe('allIssuablesChecked', () => {
-      it.each`
-        checkedIssuables        | issuables     | specTitle        | returnValue
-        ${mockCheckedIssuables} | ${mIssuables} | ${'same as'}     | ${true}
-        ${{}}                   | ${mIssuables} | ${'not same as'} | ${false}
-      `(
-        'returns $returnValue when bulkEditIssuables count is $specTitle issuables count',
-        async ({ checkedIssuables, issuables, returnValue }) => {
-          wrapper.setProps({
-            issuables,
-          });
-
-          await nextTick();
-
-          // setData usage is discouraged. See https://gitlab.com/groups/gitlab-org/-/epics/7330 for details
-          // eslint-disable-next-line no-restricted-syntax
-          wrapper.setData({
-            checkedIssuables,
-          });
-
-          await nextTick();
-
-          expect(wrapper.vm.allIssuablesChecked).toBe(returnValue);
-        },
-      );
-    });
-
-    describe('bulkEditIssuables', () => {
-      it('returns array of issuables which have `checked` set to true within checkedIssuables map', async () => {
-        // setData usage is discouraged. See https://gitlab.com/groups/gitlab-org/-/epics/7330 for details
-        // eslint-disable-next-line no-restricted-syntax
-        wrapper.setData({
-          checkedIssuables: mockCheckedIssuables,
-        });
-
-        await nextTick();
-
-        expect(wrapper.vm.bulkEditIssuables).toHaveLength(mIssuables.length);
-      });
-    });
-  });
-
-  describe('watch', () => {
-    beforeEach(() => {
-      wrapper = createComponent();
-    });
-
-    describe('issuables', () => {
-      it('populates `checkedIssuables` prop with all issuables', async () => {
-        wrapper.setProps({
-          issuables: [mockIssuables[0]],
-        });
-
-        await nextTick();
-
-        expect(Object.keys(wrapper.vm.checkedIssuables)).toHaveLength(1);
-        expect(wrapper.vm.checkedIssuables[mockIssuables[0].iid]).toEqual({
-          checked: false,
-          issuable: mockIssuables[0],
-        });
-      });
-    });
-
-    describe('urlParams', () => {
-      it('updates window URL reflecting props within `urlParams`', async () => {
-        const urlParams = {
-          state: 'closed',
-          sort: 'updated_asc',
-          page: 1,
-          search: 'foo',
-        };
-
-        wrapper.setProps({
-          urlParams,
-        });
-
-        await nextTick();
-
-        expect(global.window.location.href).toBe(
-          `${TEST_HOST}/?state=${urlParams.state}&sort=${urlParams.sort}&page=${urlParams.page}&search=${urlParams.search}`,
-        );
-      });
-    });
-  });
-
-  describe('methods', () => {
-    beforeEach(() => {
-      wrapper = createComponent();
-    });
-
-    describe('issuableId', () => {
-      it('returns id value from provided issuable object', () => {
-        expect(wrapper.vm.issuableId({ id: 1 })).toBe(1);
-        expect(wrapper.vm.issuableId({ iid: 1 })).toBe(1);
-        expect(wrapper.vm.issuableId({})).toBeDefined();
-      });
-    });
-
-    describe('issuableChecked', () => {
-      it('returns boolean value representing checked status of issuable item', async () => {
-        // setData usage is discouraged. See https://gitlab.com/groups/gitlab-org/-/epics/7330 for details
-        // eslint-disable-next-line no-restricted-syntax
-        wrapper.setData({
-          checkedIssuables: {
-            [mockIssuables[0].iid]: { checked: true, issuable: mockIssuables[0] },
-          },
-        });
-
-        await nextTick();
-
-        expect(wrapper.vm.issuableChecked(mockIssuables[0])).toBe(true);
-      });
-    });
-  });
-
-  describe('template', () => {
-    it('renders component container element with class "issuable-list-container"', () => {
-      wrapper = createComponent();
-
-      expect(wrapper.classes()).toContain('issuable-list-container');
-    });
-
-    it('renders issuable-tabs component', () => {
-      wrapper = createComponent();
-
-      const tabsEl = findIssuableTabs();
-
-      expect(tabsEl.exists()).toBe(true);
-      expect(tabsEl.props()).toMatchObject({
-        tabs: wrapper.vm.tabs,
-        tabCounts: wrapper.vm.tabCounts,
-        currentTab: wrapper.vm.currentTab,
-      });
-    });
-
-    it('renders contents for slot "nav-actions" within issuable-tab component', () => {
-      wrapper = createComponent();
-
-      const buttonEl = findIssuableTabs().find('button.js-new-issuable');
-
-      expect(buttonEl.exists()).toBe(true);
-      expect(buttonEl.text()).toBe('New issuable');
-    });
-
-    it('renders filtered-search-bar component', () => {
-      wrapper = createComponent();
-
-      const searchEl = findFilteredSearchBar();
-      const {
-        namespace,
-        recentSearchesStorageKey,
-        searchInputPlaceholder,
-        searchTokens,
-        sortOptions,
-        initialFilterValue,
-        initialSortBy,
-      } = wrapper.vm;
-
-      expect(searchEl.exists()).toBe(true);
-      expect(searchEl.props()).toMatchObject({
-        namespace,
-        recentSearchesStorageKey,
-        searchInputPlaceholder,
-        tokens: searchTokens,
-        sortOptions,
-        initialFilterValue,
-        initialSortBy,
-      });
-    });
-
-    it('renders gl-loading-icon when `issuablesLoading` prop is true', () => {
-      wrapper = createComponent({ props: { issuablesLoading: true } });
-
-      expect(wrapper.findAllComponents(GlSkeletonLoader)).toHaveLength(
-        wrapper.vm.skeletonItemCount,
-      );
-    });
-
-    it('renders issuable-item component for each item within `issuables` array', () => {
-      wrapper = createComponent();
-
-      const itemsEl = wrapper.findAllComponents(IssuableItem);
-      const mockIssuable = mockIssuableListProps.issuables[0];
-
-      expect(itemsEl).toHaveLength(mockIssuableListProps.issuables.length);
-      expect(itemsEl.at(0).props()).toMatchObject({
-        issuableSymbol: wrapper.vm.issuableSymbol,
-        issuable: mockIssuable,
-      });
-    });
-
-    it('renders contents for slot "empty-state" when `issuablesLoading` is false and `issuables` is empty', () => {
-      wrapper = createComponent({ props: { issuables: [] } });
-
-      expect(wrapper.find('p.js-issuable-empty-state').exists()).toBe(true);
-      expect(wrapper.find('p.js-issuable-empty-state').text()).toBe('Issuable empty state');
-    });
-
-    it('renders only gl-pagination when `showPaginationControls` prop is true', () => {
-      wrapper = createComponent({
-        props: {
-          showPaginationControls: true,
-          totalItems: 10,
-        },
-      });
-
-      expect(findGlKeysetPagination().exists()).toBe(false);
-      expect(findPageSizeSelector().exists()).toBe(false);
-      expect(findGlPagination().props()).toMatchObject({
-        perPage: 20,
-        value: 1,
-        prevPage: 0,
-        nextPage: 2,
-        totalItems: 10,
-        align: 'center',
-      });
-    });
-
-    it('renders only gl-keyset-pagination when `showPaginationControls` and `useKeysetPagination` props are true', () => {
-      wrapper = createComponent({
-        props: {
-          hasNextPage: true,
-          hasPreviousPage: true,
-          showPaginationControls: true,
-          useKeysetPagination: true,
-        },
-      });
-
-      expect(findGlPagination().exists()).toBe(false);
-      expect(findGlKeysetPagination().props()).toMatchObject({
-        hasNextPage: true,
-        hasPreviousPage: true,
-      });
-    });
-
-    describe('showFilteredSearchFriendlyText prop', () => {
-      describe.each([true, false])('when %s', (showFilteredSearchFriendlyText) => {
-        it('passes its value to FilteredSearchBar', () => {
-          wrapper = createComponent({ props: { showFilteredSearchFriendlyText } });
-
-          expect(findFilteredSearchBar().props('showFriendlyText')).toBe(
-            showFilteredSearchFriendlyText,
-          );
-        });
-      });
-    });
-
-    describe('alert', () => {
-      const error = 'oopsie!';
-
-      it('shows an alert when there is an error', () => {
-        wrapper = createComponent({ props: { error } });
-
-        expect(findAlert().text()).toBe(error);
-      });
-
-      it('emits "dismiss-alert" event when dismissed', () => {
-        wrapper = createComponent({ props: { error } });
-
-        findAlert().vm.$emit('dismiss');
-
-        expect(wrapper.emitted('dismiss-alert')).toEqual([[]]);
-      });
-
-      it('does not render when there is no error', () => {
-        wrapper = createComponent();
-
-        expect(findAlert().exists()).toBe(false);
-      });
-    });
-  });
-
-  describe('events', () => {
-    const data = {
-      checkedIssuables: {
-        [mockIssuables[0].iid]: { checked: true, issuable: mockIssuables[0] },
+  const createComponent = (props = {}) => {
+    wrapper = shallowMount(IssuableListRoot, {
+      propsData: {
+        ...mockIssuableListProps,
+        ...props,
       },
-    };
+      slots: {
+        'nav-actions': `<button class="js-new-issuable">New issuable</button>`,
+        'empty-state': `<p class="js-issuable-empty-state">Issuable empty state</p>`,
+      },
+    });
+  };
 
-    it('issuable-tabs component emits `click-tab` event on `click-tab` event', () => {
-      wrapper = createComponent({ data });
+  describe('IssuableTabs component', () => {
+    beforeEach(() => {
+      createComponent();
+    });
 
+    it('renders', () => {
+      expect(findIssuableTabs().props()).toEqual({
+        tabs: mockIssuableListProps.tabs,
+        tabCounts: mockIssuableListProps.tabCounts,
+        currentTab: mockIssuableListProps.currentTab,
+        truncateCounts: false,
+      });
+    });
+
+    it('emits "click-tab" event on "click-tab" event', () => {
       findIssuableTabs().vm.$emit('click');
 
-      expect(wrapper.emitted('click-tab')).toHaveLength(1);
+      expect(wrapper.emitted('click-tab')).toEqual([[]]);
     });
 
-    it('sets all issuables as checked when filtered-search-bar component emits `checked-input` event', () => {
-      wrapper = createComponent({ data });
+    it('renders contents for slot "nav-actions" within IssuableTab component', () => {
+      expect(findIssuableTabs().find('.js-new-issuable').text()).toBe('New issuable');
+    });
+  });
 
-      const searchEl = findFilteredSearchBar();
+  describe('FilteredSearchBar component', () => {
+    beforeEach(() => {
+      createComponent();
+    });
 
-      searchEl.vm.$emit('checked-input', true);
-
-      expect(searchEl.emitted('checked-input')).toHaveLength(1);
-      expect(searchEl.emitted('checked-input').length).toBe(1);
-
-      expect(wrapper.vm.checkedIssuables[mockIssuables[0].iid]).toEqual({
-        checked: true,
-        issuable: mockIssuables[0],
+    it('renders', () => {
+      expect(findFilteredSearchBar().props()).toMatchObject({
+        namespace: 'gitlab-org/gitlab-test',
+        recentSearchesStorageKey: 'issues',
+        searchInputPlaceholder: 'Search issues',
+        sortOptions: mockIssuableListProps.sortOptions,
+        initialFilterValue: [],
+        initialSortBy: 'created_desc',
+        syncFilterAndSort: false,
+        showCheckbox: false,
+        checkboxChecked: false,
+        showFriendlyText: false,
+        termsAsTokens: true,
       });
     });
 
-    it('filtered-search-bar component emits `filter` event on `onFilter` & `sort` event on `onSort` events', () => {
-      wrapper = createComponent({ data });
+    describe('when "checked-input" event is emitted', () => {
+      it('sets all issuables to checked', async () => {
+        findFilteredSearchBar().vm.$emit('checked-input', true);
+        await nextTick();
 
-      const searchEl = findFilteredSearchBar();
+        expect(findFilteredSearchBar().props('checkboxChecked')).toBe(true);
+        expect(
+          findAllIssuableItems().filter((component) => component.props('checked') === true),
+        ).toHaveLength(5);
+      });
 
-      searchEl.vm.$emit('onFilter');
-      expect(wrapper.emitted('filter')).toHaveLength(1);
-      searchEl.vm.$emit('onSort');
-      expect(wrapper.emitted('sort')).toHaveLength(1);
-    });
+      it('emits "update-legacy-bulk-edit" event', () => {
+        findFilteredSearchBar().vm.$emit('checked-input', true);
 
-    it('sets an issuable as checked when issuable-item component emits `checked-input` event', () => {
-      wrapper = createComponent({ data });
-
-      const issuableItem = wrapper.findAllComponents(IssuableItem).at(0);
-
-      issuableItem.vm.$emit('checked-input', true);
-
-      expect(issuableItem.emitted('checked-input')).toHaveLength(1);
-      expect(issuableItem.emitted('checked-input').length).toBe(1);
-
-      expect(wrapper.vm.checkedIssuables[mockIssuables[0].iid]).toEqual({
-        checked: true,
-        issuable: mockIssuables[0],
+        expect(wrapper.emitted('update-legacy-bulk-edit')).toEqual([[]]);
       });
     });
 
-    it('emits `update-legacy-bulk-edit` when filtered-search-bar checkbox is checked', () => {
-      wrapper = createComponent({ data });
+    it('emits "filter" event when "onFilter" event is emitted', () => {
+      findFilteredSearchBar().vm.$emit('onFilter');
 
-      findFilteredSearchBar().vm.$emit('checked-input');
-
-      expect(wrapper.emitted('update-legacy-bulk-edit')).toEqual([[]]);
+      expect(wrapper.emitted('filter')).toEqual([[]]);
     });
 
-    it('emits `update-legacy-bulk-edit` when issuable-item checkbox is checked', () => {
-      wrapper = createComponent({ data });
+    it('emits "sort" event when "onSort" event is emitted', () => {
+      findFilteredSearchBar().vm.$emit('onSort');
 
-      findIssuableItem().vm.$emit('checked-input');
+      expect(wrapper.emitted('sort')).toEqual([[]]);
+    });
+  });
 
-      expect(wrapper.emitted('update-legacy-bulk-edit')).toEqual([[]]);
+  describe('alert', () => {
+    const error = 'oopsie!';
+
+    it('shows an alert when there is an error', () => {
+      createComponent({ error });
+
+      expect(findAlert().text()).toBe(error);
     });
 
-    it('gl-pagination component emits `page-change` event on `input` event', () => {
-      wrapper = createComponent({ data, props: { showPaginationControls: true } });
+    it('does not render when there is no error', () => {
+      createComponent();
 
-      findGlPagination().vm.$emit('input');
-      expect(wrapper.emitted('page-change')).toHaveLength(1);
+      expect(findAlert().exists()).toBe(false);
     });
 
-    it.each`
-      event              | glKeysetPaginationEvent
-      ${'next-page'}     | ${'next'}
-      ${'previous-page'} | ${'prev'}
-    `(
-      'emits `$event` event when gl-keyset-pagination emits `$glKeysetPaginationEvent` event',
-      ({ event, glKeysetPaginationEvent }) => {
-        wrapper = createComponent({
-          data,
-          props: { showPaginationControls: true, useKeysetPagination: true },
-        });
+    it('emits "dismiss-alert" event when dismissed', () => {
+      createComponent({ error });
 
-        findGlKeysetPagination().vm.$emit(glKeysetPaginationEvent);
+      findAlert().vm.$emit('dismiss');
 
-        expect(wrapper.emitted(event)).toEqual([[]]);
-      },
+      expect(wrapper.emitted('dismiss-alert')).toEqual([[]]);
+    });
+  });
+
+  it('renders IssuableBulkEditSidebar component', () => {
+    createComponent();
+
+    expect(wrapper.findComponent(IssuableBulkEditSidebar).exists()).toBe(true);
+  });
+
+  it('renders skeleton loader when in loading state', () => {
+    createComponent({ issuablesLoading: true });
+
+    expect(wrapper.findAllComponents(GlSkeletonLoader)).toHaveLength(
+      mockIssuableListProps.issuables.length,
     );
   });
 
-  describe('manual sorting', () => {
+  describe('manual ordering', () => {
     describe('when enabled', () => {
       beforeEach(() => {
-        wrapper = createComponent({
-          props: {
-            ...mockIssuableListProps,
-            isManualOrdering: true,
-          },
-        });
+        createComponent({ isManualOrdering: true });
       });
 
       it('renders VueDraggable component', () => {
@@ -493,71 +186,177 @@ describe('IssuableListRoot', () => {
     });
 
     describe('when disabled', () => {
-      beforeEach(() => {
-        wrapper = createComponent();
-      });
-
       it('does not render VueDraggable component', () => {
+        createComponent();
+
         expect(findVueDraggable().exists()).toBe(false);
       });
     });
   });
 
-  describe('page size selector', () => {
-    beforeEach(() => {
-      wrapper = createComponent({
-        props: {
-          showPageSizeChangeControls: true,
-        },
+  describe('IssuableItem component', () => {
+    it('renders for each issuable', () => {
+      createComponent();
+      const issuableItems = findAllIssuableItems();
+
+      expect(issuableItems).toHaveLength(mockIssuableListProps.issuables.length);
+      expect(issuableItems.at(0).props()).toEqual({
+        hasScopedLabelsFeature: false,
+        issuableSymbol: '#',
+        issuable: mockIssuableListProps.issuables[0],
+        labelFilterParam: 'label_name',
+        showCheckbox: false,
+        checked: false,
+        showWorkItemTypeIcon: false,
+        preventRedirect: false,
+        isActive: false,
       });
     });
 
-    it('has the page size change component', () => {
+    describe('isActive prop', () => {
+      it('is false if there is no active issuable', () => {
+        createComponent();
+
+        expect(findIssuableItem().props('isActive')).toBe(false);
+      });
+
+      it('is true if active issuable matches issuable item', () => {
+        createComponent({ activeIssuable: mockIssuableListProps.issuables[0] });
+
+        expect(findIssuableItem().props('isActive')).toBe(true);
+      });
+    });
+
+    it('emits "update-legacy-bulk-edit" event when "checked-input" event is emitted', () => {
+      createComponent();
+
+      findIssuableItem().vm.$emit('checked-input');
+
+      expect(wrapper.emitted('update-legacy-bulk-edit')).toEqual([[]]);
+    });
+
+    it('emits "select-issuable" event when "select-issuable" event is emitted', () => {
+      const issuable = mockIssuableListProps.issuables[0];
+      createComponent();
+
+      findIssuableItem().vm.$emit('select-issuable', issuable);
+
+      expect(wrapper.emitted('select-issuable')).toEqual([[issuable]]);
+    });
+  });
+
+  it('renders IssuableGrid component when in grid view context', () => {
+    createComponent({ isGridView: true });
+
+    expect(findIssuableGrid().exists()).toBe(true);
+  });
+
+  it('renders contents for slot "empty-state" when there are no issuables', () => {
+    createComponent({ issuables: [] });
+
+    expect(wrapper.find('p.js-issuable-empty-state').text()).toBe('Issuable empty state');
+  });
+
+  describe('pagination', () => {
+    describe('GlKeysetPagination component', () => {
+      it('renders only when "showPaginationControls" and "useKeysetPagination" props are true', () => {
+        createComponent({
+          hasNextPage: true,
+          hasPreviousPage: true,
+          showPaginationControls: true,
+          useKeysetPagination: true,
+        });
+
+        expect(findGlPagination().exists()).toBe(false);
+        expect(findGlKeysetPagination().props()).toMatchObject({
+          hasNextPage: true,
+          hasPreviousPage: true,
+        });
+      });
+
+      it.each`
+        event              | glKeysetPaginationEvent
+        ${'next-page'}     | ${'next'}
+        ${'previous-page'} | ${'prev'}
+      `(
+        'emits "$event" event when "$glKeysetPaginationEvent" event is emitted',
+        ({ event, glKeysetPaginationEvent }) => {
+          createComponent({ showPaginationControls: true, useKeysetPagination: true });
+
+          findGlKeysetPagination().vm.$emit(glKeysetPaginationEvent);
+
+          expect(wrapper.emitted(event)).toEqual([[]]);
+        },
+      );
+    });
+
+    describe('GlPagination component', () => {
+      it('renders only when "showPaginationControls" prop is true', () => {
+        createComponent({
+          showPaginationControls: true,
+          totalItems: 10,
+        });
+
+        expect(findGlKeysetPagination().exists()).toBe(false);
+        expect(findPageSizeSelector().exists()).toBe(false);
+        expect(findGlPagination().props()).toMatchObject({
+          perPage: 20,
+          value: 1,
+          prevPage: 0,
+          nextPage: 2,
+          totalItems: 10,
+          align: 'center',
+        });
+      });
+
+      it('emits "page-change" event when "input" event is emitted', () => {
+        createComponent({ showPaginationControls: true });
+
+        findGlPagination().vm.$emit('input');
+
+        expect(wrapper.emitted('page-change')).toEqual([[]]);
+      });
+    });
+  });
+
+  describe('PageSizeSelector component', () => {
+    beforeEach(() => {
+      createComponent({ showPageSizeChangeControls: true });
+    });
+
+    it('renders', () => {
       expect(findPageSizeSelector().exists()).toBe(true);
     });
 
-    it('emits "page-size-change" event when its input is changed', () => {
+    it('emits "page-size-change" event when "input" event is emitted', () => {
       const pageSize = 123;
+
       findPageSizeSelector().vm.$emit('input', pageSize);
+
       expect(wrapper.emitted('page-size-change')).toEqual([[pageSize]]);
     });
   });
 
-  describe('grid view issue', () => {
-    beforeEach(() => {
-      wrapper = createComponent({
-        props: {
-          isGridView: true,
-        },
+  describe('watchers', () => {
+    describe('urlParams', () => {
+      beforeEach(() => {
+        createComponent();
+      });
+
+      it('updates URL when "urlParams" prop updates', async () => {
+        const urlParams = {
+          state: 'closed',
+          sort: 'updated_asc',
+          page: 1,
+          search: 'foo',
+        };
+
+        await wrapper.setProps({ urlParams });
+
+        expect(global.window.location.href).toBe(
+          `${TEST_HOST}/?state=${urlParams.state}&sort=${urlParams.sort}&page=${urlParams.page}&search=${urlParams.search}`,
+        );
       });
     });
-
-    it('renders issuableGrid', () => {
-      expect(findIssuableGrid().exists()).toBe(true);
-    });
-  });
-
-  it('passes `isActive` prop as false if there is no active issuable', () => {
-    wrapper = createComponent({});
-
-    expect(findIssuableItem().props('isActive')).toBe(false);
-  });
-
-  it('passes `isActive` prop as true if active issuable matches issuable item', () => {
-    wrapper = createComponent({
-      props: {
-        activeIssuable: mockIssuableListProps.issuables[0],
-      },
-    });
-
-    expect(findIssuableItem().props('isActive')).toBe(true);
-  });
-
-  it('emits `select-issuable` event on emitting `select-issuable` from issuable item', () => {
-    const mockIssuable = mockIssuableListProps.issuables[0];
-    wrapper = createComponent({});
-    findIssuableItem().vm.$emit('select-issuable', mockIssuable);
-
-    expect(wrapper.emitted('select-issuable')).toEqual([[mockIssuable]]);
   });
 });
diff --git a/spec/lib/gitlab/background_migration/backfill_epic_issues_into_work_item_parent_links_spec.rb b/spec/lib/gitlab/background_migration/backfill_epic_issues_into_work_item_parent_links_spec.rb
new file mode 100644
index 00000000000..9cb381c6381
--- /dev/null
+++ b/spec/lib/gitlab/background_migration/backfill_epic_issues_into_work_item_parent_links_spec.rb
@@ -0,0 +1,218 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::BackgroundMigration::BackfillEpicIssuesIntoWorkItemParentLinks, feature_category: :team_planning do
+  let(:author) { table(:users).create!(username: 'tester', projects_limit: 100) }
+  let(:epic_issues) { table(:epic_issues) }
+  let(:work_item_parent_links) { table(:work_item_parent_links) }
+  let(:group1) { table(:namespaces).create!(name: 'my test group 1', path: 'my-test-group1', type: 'Group') }
+  let(:group2) { table(:namespaces).create!(name: 'my test group 2', path: 'my-test-group2', type: 'Group') }
+  let(:epics) { table(:epics) }
+  let(:issues) { table(:issues) }
+  let(:start_id) { epic_issues.minimum(:id) }
+  let(:end_id) { epic_issues.maximum(:id) }
+  let(:batch_column) { 'id' }
+  let(:epic_work_item_type_enum) { 7 }
+  let(:epic_work_item_type_id) { table(:work_item_types).where(base_type: epic_work_item_type_enum).first.id }
+  let(:issue_work_item_type_enum) { 0 }
+  let(:issue_work_item_type_id) { table(:work_item_types).where(base_type: issue_work_item_type_enum).first.id }
+  let!(:issue_epic1) do
+    issues.create!(
+      title: 'Epic 1', namespace_id: group1.id, author_id: author.id, work_item_type_id: epic_work_item_type_id
+    )
+  end
+
+  let!(:issue_epic2) do
+    issues.create!(
+      title: 'Epic 2', namespace_id: group1.id, author_id: author.id, work_item_type_id: epic_work_item_type_id
+    )
+  end
+
+  let!(:epic1) do
+    epics.create!(
+      title: 'test epic1',
+      title_html: 'Epic 1',
+      group_id: group1.id,
+      author_id: author.id,
+      iid: 1,
+      issue_id: issue_epic1.id
+    )
+  end
+
+  let!(:epic2) do
+    epics.create!(
+      title: 'test epic2',
+      title_html: 'Epic 2',
+      group_id: group1.id,
+      author_id: author.id,
+      iid: 2,
+      issue_id: issue_epic2.id
+    )
+  end
+
+  let(:issues1) do
+    (1..5).map do |i|
+      issues.create!(
+        title: "Issue #{i}", namespace_id: group1.id, author_id: author.id, work_item_type_id: issue_work_item_type_id
+      )
+    end
+  end
+
+  let(:issues2) do
+    (1..5).map do |i|
+      issues.create!(
+        title: "Issue #{i}", namespace_id: group1.id, author_id: author.id, work_item_type_id: issue_work_item_type_id
+      )
+    end
+  end
+
+  let(:group2_issue_epic) do
+    issues.create!(
+      title: 'Epic 1',
+      namespace_id: group2.id,
+      author_id: author.id,
+      work_item_type_id: epic_work_item_type_id
+    )
+  end
+
+  let!(:group2_epic_issue) do
+    issue = issues.create!(
+      title: 'Issue',
+      namespace_id: group2.id,
+      author_id: author.id,
+      work_item_type_id: issue_work_item_type_id
+    )
+    epic = epics.create!(
+      title: 'test epic1',
+      title_html: 'Epic 1',
+      group_id: group2.id,
+      author_id: author.id,
+      iid: 1,
+      issue_id: group2_issue_epic.id
+    )
+    epic_issues.create!(epic_id: epic.id, issue_id: issue.id, relative_position: 1)
+  end
+
+  let(:migration) do
+    described_class.new(
+      start_id: start_id,
+      end_id: end_id,
+      batch_table: batch_table,
+      batch_column: batch_column,
+      job_arguments: job_arguments,
+      sub_batch_size: 2,
+      pause_ms: 2,
+      connection: ::ApplicationRecord.connection
+    )
+  end
+
+  before do
+    issues1.each_with_index do |issue, index|
+      epic_issues.create!(epic_id: epic1.id, issue_id: issue.id, relative_position: index)
+    end
+
+    issues2.each_with_index do |issue, index|
+      epic_issues.create!(epic_id: epic2.id, issue_id: issue.id, relative_position: index)
+    end
+  end
+
+  RSpec::Matchers.define :have_synced_work_item_epic_issue_link do
+    match do |epic_issue|
+      parent_epic = epics.find(epic_issue.epic_id)
+      parent_work_item = issues.find(parent_epic.issue_id)
+      child_work_item = issues.find(epic_issue.issue_id)
+
+      work_item_parent_links.exists?(
+        work_item_parent_id: parent_work_item.id,
+        work_item_id: child_work_item.id,
+        relative_position: epic_issue.relative_position,
+        namespace_id: parent_work_item.namespace_id
+      )
+    end
+  end
+
+  context 'when epic_issues table is used to go through all records' do
+    let(:batch_table) { 'epic_issues' }
+
+    context 'when no group id is provided' do
+      let(:job_arguments) { [nil] }
+
+      it 'backfills all records' do
+        expect do
+          migration.perform
+        end.to change { work_item_parent_links.count }.by(11) # 10 records for group 1 and 1 record for group 2
+
+        expect(epic_issues.all).to all(have_synced_work_item_epic_issue_link)
+      end
+
+      it 'upserts records if any of them already exist' do
+        existing_epic_issue = epic_issues.first
+        existing_epic = epics.find(existing_epic_issue.epic_id)
+        existing_work_item_parent_link = work_item_parent_links.create!(
+          work_item_parent_id: existing_epic.issue_id,
+          work_item_id: existing_epic_issue.issue_id,
+          relative_position: -100
+        )
+
+        expect do
+          migration.perform
+        end.to change { work_item_parent_links.count }.by(10).and( # only 10 as 1 already exists
+          change { existing_work_item_parent_link.reload.relative_position }
+            .from(-100)
+            .to(existing_epic_issue.relative_position)
+        )
+      end
+    end
+
+    context 'when a group id is provided' do
+      let(:job_arguments) { [group2.id] }
+
+      it 'raises an error' do
+        expect do
+          migration.perform
+        end.to raise_error('when group_id is provided, use `epics` as batch_table and `iid` as batch_column')
+      end
+    end
+  end
+
+  context 'when epics table is used to go through all records' do
+    let(:batch_table) { 'epics' }
+    let(:batch_column) { 'iid' }
+    let(:start_id) { epics.minimum(:iid) }
+    let(:end_id) { epics.maximum(:iid) }
+
+    context 'when a group id is provided' do
+      let(:job_arguments) { [group2.id] }
+
+      it 'backfills records only for the specified group' do
+        expect do
+          migration.perform
+        end.to change { work_item_parent_links.count }.by(1) # Only 1 record for group 2
+
+        expect(group2_epic_issue).to have_synced_work_item_epic_issue_link
+      end
+    end
+
+    context 'when no group_id is provided' do
+      let(:job_arguments) { [nil] }
+
+      it 'raises an error' do
+        expect do
+          migration.perform
+        end.to raise_error('use `epic_issues` as batch_table when no group_id is provided')
+      end
+    end
+
+    context 'when batch column is not iid' do
+      let(:job_arguments) { [group2.id] }
+      let(:batch_column) { 'id' }
+
+      it 'raises an error' do
+        expect do
+          migration.perform
+        end.to raise_error('when group_id is provided, use `epics` as batch_table and `iid` as batch_column')
+      end
+    end
+  end
+end
diff --git a/spec/lib/gitlab/database/sharding_key_spec.rb b/spec/lib/gitlab/database/sharding_key_spec.rb
index 7e8d022c402..ca30262ec22 100644
--- a/spec/lib/gitlab/database/sharding_key_spec.rb
+++ b/spec/lib/gitlab/database/sharding_key_spec.rb
@@ -38,7 +38,6 @@ RSpec.describe 'new tables missing sharding_key', feature_category: :cell do
       'member_roles.namespace_id', # https://gitlab.com/gitlab-org/gitlab/-/issues/444161
       *['milestones.project_id', 'milestones.group_id'],
       'pages_domains.project_id', # https://gitlab.com/gitlab-org/gitlab/-/issues/442178,
-      'path_locks.project_id', # https://gitlab.com/gitlab-org/gitlab/-/issues/444643
       'releases.project_id',
       'remote_mirrors.project_id', # https://gitlab.com/gitlab-org/gitlab/-/issues/444643
       'sprints.group_id',
diff --git a/spec/lib/gitlab/graphql/query_analyzers/ast/logger_analyzer_spec.rb b/spec/lib/gitlab/graphql/query_analyzers/ast/logger_analyzer_spec.rb
index ea52bf2e080..90326521379 100644
--- a/spec/lib/gitlab/graphql/query_analyzers/ast/logger_analyzer_spec.rb
+++ b/spec/lib/gitlab/graphql/query_analyzers/ast/logger_analyzer_spec.rb
@@ -46,5 +46,14 @@ RSpec.describe Gitlab::Graphql::QueryAnalyzers::AST::LoggerAnalyzer do
 
       expect(RequestStore.store[:graphql_logs]).to match([request])
     end
+
+    it 'does not crash when #analyze_query returns []' do
+      stub_const('Gitlab::Graphql::QueryAnalyzers::AST::LoggerAnalyzer::ALL_ANALYZERS', [])
+      results = GraphQL::Analysis::AST.analyze_query(query, [described_class], multiplex_analyzers: [])
+      result = results.first
+
+      expect(result[:duration_s]).to eq monotonic_time_duration
+      expect(RequestStore.store[:graphql_logs]).to match([hash_including(operation_name: 'createNote')])
+    end
   end
 end
diff --git a/spec/migrations/20240320193910_queue_backfill_epic_issues_into_work_item_parent_links_spec.rb b/spec/migrations/20240320193910_queue_backfill_epic_issues_into_work_item_parent_links_spec.rb
new file mode 100644
index 00000000000..99453c427c8
--- /dev/null
+++ b/spec/migrations/20240320193910_queue_backfill_epic_issues_into_work_item_parent_links_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_migration!
+
+RSpec.describe QueueBackfillEpicIssuesIntoWorkItemParentLinks, feature_category: :team_planning do
+  let!(:batched_migration) { described_class::MIGRATION }
+
+  it 'schedules a new batched migration' do
+    reversible_migration do |migration|
+      migration.before -> {
+        expect(batched_migration).not_to have_scheduled_batched_migration
+      }
+
+      migration.after -> {
+        expect(batched_migration).to have_scheduled_batched_migration(
+          table_name: :epic_issues,
+          column_name: :id,
+          job_arguments: [nil],
+          interval: described_class::DELAY_INTERVAL,
+          batch_size: described_class::BATCH_SIZE,
+          sub_batch_size: described_class::SUB_BATCH_SIZE
+        )
+      }
+    end
+  end
+end
diff --git a/spec/migrations/20240515094240_delete_invalid_path_locks_records_spec.rb b/spec/migrations/20240515094240_delete_invalid_path_locks_records_spec.rb
new file mode 100644
index 00000000000..0845da6b559
--- /dev/null
+++ b/spec/migrations/20240515094240_delete_invalid_path_locks_records_spec.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_migration!
+
+RSpec.describe DeleteInvalidPathLocksRecords, feature_category: :source_code_management do
+  let!(:path_locks) { table(:path_locks) }
+
+  let!(:namespace) { table(:namespaces).create!(name: 'namespace', path: 'namespace') }
+  let!(:user) { table(:users).create!(email: 'test@example.com', projects_limit: 10) }
+  let!(:project) { table(:projects).create!(namespace_id: namespace.id, project_namespace_id: namespace.id) }
+
+  describe '#up' do
+    before do
+      path_locks.create!(project_id: project.id, user_id: user.id, path: 'path1')
+      path_locks.create!(project_id: nil, user_id: user.id, path: 'path2')
+      path_locks.create!(project_id: nil, user_id: user.id, path: 'path3')
+
+      stub_const("#{described_class}::BATCH_SIZE", 1)
+    end
+
+    it 'deletes records without a project_id' do
+      migrate!
+
+      expect(path_locks.count).to eq(1)
+      expect(path_locks.first).to have_attributes(
+        project_id: project.id,
+        user_id: user.id,
+        path: 'path1'
+      )
+    end
+
+    it 'does nothing on gitlab.com' do
+      allow(Gitlab).to receive(:com?).and_return(true)
+
+      migrate!
+
+      expect(path_locks.count).to eq(3)
+    end
+  end
+end
diff --git a/spec/models/container_repository_spec.rb b/spec/models/container_repository_spec.rb
index ae8a4830bf1..0984258cf7b 100644
--- a/spec/models/container_repository_spec.rb
+++ b/spec/models/container_repository_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 RSpec.describe ContainerRepository, :aggregate_failures, feature_category: :container_registry do
+  include_context 'container registry client stubs'
+
   using RSpec::Parameterized::TableSyntax
 
   let(:group) { create(:group, name: 'group') }
@@ -54,7 +56,7 @@ RSpec.describe ContainerRepository, :aggregate_failures, feature_category: :cont
     context 'on GitLab.com', :saas do
       context 'supports gitlab api' do
         before do
-          allow(ContainerRegistry::GitlabApiClient).to receive(:supports_gitlab_api?).and_return(true)
+          stub_container_registry_gitlab_api_support(supported: true)
           expect(repository.gitlab_api_client).to receive(:repository_details).with(repository.path, sizing: :self).and_return(response)
         end
 
@@ -80,7 +82,7 @@ RSpec.describe ContainerRepository, :aggregate_failures, feature_category: :cont
 
       context 'does not support gitlab api' do
         before do
-          allow(ContainerRegistry::GitlabApiClient).to receive(:supports_gitlab_api?).and_return(false)
+          stub_container_registry_gitlab_api_support(supported: false)
           expect(repository.gitlab_api_client).not_to receive(:repository_details)
         end
 
@@ -116,7 +118,7 @@ RSpec.describe ContainerRepository, :aggregate_failures, feature_category: :cont
     context 'when the repository is migrated', :saas do
       context 'when Gitlab API is supported' do
         before do
-          allow(ContainerRegistry::GitlabApiClient).to receive(:supports_gitlab_api?).and_return(true)
+          stub_container_registry_gitlab_api_support(supported: true)
         end
 
         shared_examples 'returning an instantiated tag from the API response' do
@@ -199,7 +201,7 @@ RSpec.describe ContainerRepository, :aggregate_failures, feature_category: :cont
 
       context 'when the Gitlab API is not supported' do
         before do
-          allow(ContainerRegistry::GitlabApiClient).to receive(:supports_gitlab_api?).and_return(false)
+          stub_container_registry_gitlab_api_support(supported: false)
         end
 
         it_behaves_like 'returning an instantiated tag'
@@ -264,7 +266,7 @@ RSpec.describe ContainerRepository, :aggregate_failures, feature_category: :cont
     context 'when the repository is migrated', :saas do
       context 'when Gitlab API is supported' do
         before do
-          allow(ContainerRegistry::GitlabApiClient).to receive(:supports_gitlab_api?).and_return(true)
+          stub_container_registry_gitlab_api_support(supported: true)
         end
 
         context 'when the Gitlab API returns tags' do
@@ -309,7 +311,7 @@ RSpec.describe ContainerRepository, :aggregate_failures, feature_category: :cont
 
       context 'when the Gitlab API is not supported' do
         before do
-          allow(ContainerRegistry::GitlabApiClient).to receive(:supports_gitlab_api?).and_return(false)
+          stub_container_registry_gitlab_api_support(supported: false)
         end
 
         it_behaves_like 'returning the non-empty tags list'
diff --git a/spec/models/project_ci_cd_setting_spec.rb b/spec/models/project_ci_cd_setting_spec.rb
index 1c53f6eae52..93c26afadbe 100644
--- a/spec/models/project_ci_cd_setting_spec.rb
+++ b/spec/models/project_ci_cd_setting_spec.rb
@@ -15,6 +15,12 @@ RSpec.describe ProjectCiCdSetting, feature_category: :continuous_integration do
     end
   end
 
+  describe '#pipeline_variables_minimum_override_role' do
+    it 'is maintainer by default' do
+      expect(described_class.new.pipeline_variables_minimum_override_role).to eq('maintainer')
+    end
+  end
+
   describe '#forward_deployment_enabled' do
     it 'is true by default' do
       expect(described_class.new.forward_deployment_enabled).to be_truthy
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index be486fb5676..50baa68a808 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -1241,6 +1241,7 @@ RSpec.describe Project, factory_default: :keep, feature_category: :groups_and_pr
           'forward_deployment_rollback_allowed' => 'ci_',
           'keep_latest_artifact' => '',
           'restrict_user_defined_variables' => '',
+          'pipeline_variables_minimum_override_role' => 'ci_',
           'runner_token_expiration_interval' => '',
           'separated_caches' => 'ci_',
           'allow_fork_pipelines_to_run_in_parent_project' => 'ci_',
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 364c9b4d2b4..cf849e9d3d9 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -855,44 +855,236 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
     end
   end
 
-  describe 'set_pipeline_variables' do
-    context 'when user is developer' do
-      let(:current_user) { developer }
+  describe 'change_restrict_user_defined_variables' do
+    using RSpec::Parameterized::TableSyntax
 
-      context 'when project allows user defined variables' do
-        before do
-          project.update!(restrict_user_defined_variables: false)
-        end
+    where(:user_role, :minimum_role, :allowed) do
+      :guest      | :developer      | false
+      :reporter   | :developer      | false
+      :developer  | :developer      | false
+      :maintainer | :developer      | true
+      :maintainer | :maintainer     | true
+      :maintainer | :no_one_allowed | true
+      :owner      | :owner          | true
+      :developer  | :owner          | false
+      :maintainer | :owner          | false
+    end
 
-        it { is_expected.to be_allowed(:set_pipeline_variables) }
+    with_them do
+      let(:current_user) { public_send(user_role) }
+
+      before do
+        ci_cd_settings = project.ci_cd_settings
+        ci_cd_settings.pipeline_variables_minimum_override_role = minimum_role
+        ci_cd_settings.save!
       end
 
-      context 'when project restricts use of user defined variables' do
+      it 'allows/disallows change_restrict_user_defined_variables variables based on project defined minimum role' do
+        if allowed
+          is_expected.to be_allowed(:change_restrict_user_defined_variables)
+        else
+          is_expected.to be_disallowed(:change_restrict_user_defined_variables)
+        end
+      end
+    end
+  end
+
+  describe 'set_pipeline_variables' do
+    context 'when `pipeline_variables_minimum_override_role` is defined' do
+      using RSpec::Parameterized::TableSyntax
+
+      where(:user_role, :minimum_role, :restrict_variables, :allowed) do
+        :developer   | :no_one_allowed | true | false
+        :maintainer  | :no_one_allowed | true | false
+        :owner       | :no_one_allowed | true | false
+        :guest       | :no_one_allowed | true | false
+        :reporter    | :no_one_allowed | true | false
+        :anonymous   | :no_one_allowed | true | false
+        :developer   | :developer      | true | true
+        :maintainer  | :developer      | true | true
+        :owner       | :developer      | true | true
+        :guest       | :developer      | true | false
+        :reporter    | :developer      | true | false
+        :anonymous   | :developer      | true | false
+        :developer   | :maintainer     | true | false
+        :maintainer  | :maintainer     | true | true
+        :owner       | :maintainer     | true | true
+        :guest       | :maintainer     | true | false
+        :reporter    | :maintainer     | true | false
+        :anonymous   | :maintainer     | true | false
+        :developer   | :owner          | true | false
+        :maintainer  | :owner          | true | false
+        :owner       | :owner          | true | true
+        :guest       | :owner          | true | false
+        :reporter    | :owner          | true | false
+        :anonymous   | :owner          | true | false
+        :developer   | :no_one_allowed | false | true
+        :maintainer  | :no_one_allowed | false | true
+        :owner       | :no_one_allowed | false | true
+        :guest       | :no_one_allowed | false | true
+        :reporter    | :no_one_allowed | false | true
+        :anonymous   | :no_one_allowed | false | true
+        :developer   | :developer      | false | true
+        :maintainer  | :developer      | false | true
+        :owner       | :developer      | false | true
+        :guest       | :developer      | false | true
+        :reporter    | :developer      | false | true
+        :anonymous   | :developer      | false | true
+        :developer   | :maintainer     | false | true
+        :maintainer  | :maintainer     | false | true
+        :owner       | :maintainer     | false | true
+        :guest       | :maintainer     | false | true
+        :reporter    | :maintainer     | false | true
+        :anonymous   | :maintainer     | false | true
+        :developer   | :owner          | false | true
+        :maintainer  | :owner          | false | true
+        :owner       | :owner          | false | true
+        :guest       | :owner          | false | true
+        :reporter    | :owner          | false | true
+        :anonymous   | :owner          | false | true
+      end
+      with_them do
+        let(:current_user) { public_send(user_role) }
+
         before do
-          project.update!(restrict_user_defined_variables: true)
+          ci_cd_settings = project.ci_cd_settings
+          ci_cd_settings.restrict_user_defined_variables = restrict_variables
+          ci_cd_settings.pipeline_variables_minimum_override_role = minimum_role
+          ci_cd_settings.save!
         end
 
-        it { is_expected.not_to be_allowed(:set_pipeline_variables) }
+        it 'allows/disallows set pipeline variables based on project defined minimum role' do
+          if allowed
+            is_expected.to be_allowed(:set_pipeline_variables)
+          else
+            is_expected.to be_disallowed(:set_pipeline_variables)
+          end
+        end
       end
     end
 
-    context 'when user is maintainer' do
-      let(:current_user) { maintainer }
+    shared_examples 'set_pipeline_variables only on restrict_user_defined_variables' do
+      context 'when user is developer' do
+        let(:current_user) { developer }
 
-      context 'when project allows user defined variables' do
-        before do
-          project.update!(restrict_user_defined_variables: false)
+        context 'when project allows user defined variables' do
+          before do
+            project.update!(restrict_user_defined_variables: false)
+          end
+
+          it { is_expected.to be_allowed(:set_pipeline_variables) }
         end
 
-        it { is_expected.to be_allowed(:set_pipeline_variables) }
+        context 'when project restricts use of user defined variables' do
+          before do
+            project.update!(restrict_user_defined_variables: true)
+          end
+
+          it { is_expected.not_to be_allowed(:set_pipeline_variables) }
+        end
       end
 
-      context 'when project restricts use of user defined variables' do
-        before do
-          project.update!(restrict_user_defined_variables: true)
+      context 'when user is maintainer' do
+        let(:current_user) { maintainer }
+
+        context 'when project allows user defined variables' do
+          before do
+            project.update!(restrict_user_defined_variables: false)
+          end
+
+          it { is_expected.to be_allowed(:set_pipeline_variables) }
         end
 
-        it { is_expected.to be_allowed(:set_pipeline_variables) }
+        context 'when project restricts use of user defined variables' do
+          before do
+            project.update!(restrict_user_defined_variables: true)
+          end
+
+          it { is_expected.to be_allowed(:set_pipeline_variables) }
+        end
+      end
+    end
+
+    it_behaves_like 'set_pipeline_variables only on restrict_user_defined_variables'
+
+    context 'when feature flag allow_user_variables_by_minimum_role is disabled' do
+      before do
+        stub_feature_flags(allow_user_variables_by_minimum_role: false)
+      end
+
+      it_behaves_like 'set_pipeline_variables only on restrict_user_defined_variables'
+
+      context 'when `pipeline_variables_minimum_override_role` is defined' do
+        using RSpec::Parameterized::TableSyntax
+
+        where(:user_role, :minimum_role, :restrict_variables, :allowed) do
+          :developer  | :no_one_allowed       | false | true
+          :maintainer | :no_one_allowed       | false | true
+          :owner      | :no_one_allowed       | false | true
+          :guest      | :no_one_allowed       | false | true
+          :reporter   | :no_one_allowed       | false | true
+          :anonymous  | :no_one_allowed       | false | true
+          :developer  | :developer            | false | true
+          :maintainer | :developer            | false | true
+          :owner      | :developer            | false | true
+          :guest      | :developer            | false | true
+          :reporter   | :developer            | false | true
+          :anonymous  | :developer            | false | true
+          :developer  | :maintainer           | false | true
+          :maintainer | :maintainer           | false | true
+          :owner      | :maintainer           | false | true
+          :guest      | :maintainer           | false | true
+          :reporter   | :maintainer           | false | true
+          :anonymous  | :maintainer           | false | true
+          :developer  | :owner                | false | true
+          :maintainer | :owner                | false | true
+          :owner      | :owner                | false | true
+          :guest      | :owner                | false | true
+          :reporter   | :owner                | false | true
+          :anonymous  | :owner                | false | true
+          :developer  | :no_one_allowed       | true  | false
+          :maintainer | :no_one_allowed       | true  | true
+          :owner      | :no_one_allowed       | true  | true
+          :guest      | :no_one_allowed       | true  | false
+          :reporter   | :no_one_allowed       | true  | false
+          :anonymous  | :no_one_allowed       | true  | false
+          :developer  | :developer            | true  | false
+          :maintainer | :developer            | true  | true
+          :owner      | :developer            | true  | true
+          :guest      | :developer            | true  | false
+          :reporter   | :developer            | true  | false
+          :anonymous  | :developer            | true  | false
+          :developer  | :maintainer           | true  | false
+          :maintainer | :maintainer           | true  | true
+          :owner      | :maintainer           | true  | true
+          :guest      | :maintainer           | true  | false
+          :reporter   | :maintainer           | true  | false
+          :anonymous  | :maintainer           | true  | false
+          :developer  | :owner                | true  | false
+          :maintainer | :owner                | true  | true
+          :owner      | :owner                | true  | true
+          :guest      | :owner                | true  | false
+          :reporter   | :owner                | true  | false
+          :anonymous  | :owner                | true  | false
+        end
+        with_them do
+          let(:current_user) { public_send(user_role) }
+
+          before do
+            ci_cd_settings = project.ci_cd_settings
+            ci_cd_settings.restrict_user_defined_variables = restrict_variables
+            ci_cd_settings.pipeline_variables_minimum_override_role = minimum_role
+            ci_cd_settings.save!
+          end
+
+          it 'allows/disallows set pipeline variables based on restrict_user_defined_variables' do
+            if allowed
+              is_expected.to be_allowed(:set_pipeline_variables)
+            else
+              is_expected.to be_disallowed(:set_pipeline_variables)
+            end
+          end
+        end
       end
     end
   end
diff --git a/spec/requests/api/container_repositories_spec.rb b/spec/requests/api/container_repositories_spec.rb
index 76e2d42b78e..3966c713f34 100644
--- a/spec/requests/api/container_repositories_spec.rb
+++ b/spec/requests/api/container_repositories_spec.rb
@@ -91,18 +91,14 @@ RSpec.describe API::ContainerRepositories, feature_category: :container_registry
         context 'when the repository is migrated', :saas do
           context 'when the GitLab API is supported' do
             before do
-              allow(ContainerRegistry::GitlabApiClient).to receive(:supports_gitlab_api?).and_return(true)
+              stub_container_registry_gitlab_api_support(supported: true) do |client|
+                allow(client).to receive(:tags).and_return(response_body)
+              end
             end
 
             context 'when the Gitlab API returns tags' do
               include_context 'with the container registry GitLab API returning tags'
 
-              before do
-                allow_next_instance_of(ContainerRegistry::GitlabApiClient) do |client|
-                  allow(client).to receive(:tags).and_return(response_body)
-                end
-              end
-
               it 'returns instantiated tags from the response' do
                 expect_any_instance_of(ContainerRepository) do |repository|
                   expect(repository).to receive(:each_tags_page).and_call_original
@@ -124,11 +120,7 @@ RSpec.describe API::ContainerRepositories, feature_category: :container_registry
             end
 
             context 'when the Gitlab API does not return any tags' do
-              before do
-                allow_next_instance_of(ContainerRegistry::GitlabApiClient) do |client|
-                  allow(client).to receive(:tags).and_return({ pagination: {}, response_body: {} })
-                end
-              end
+              let(:response_body) { { pagination: {}, response_body: {} } }
 
               it 'returns an instantiated tag from the response' do
                 subject
@@ -143,7 +135,7 @@ RSpec.describe API::ContainerRepositories, feature_category: :container_registry
 
           context 'when the GitLab API is not supported' do
             before do
-              allow(ContainerRegistry::GitlabApiClient).to receive(:supports_gitlab_api?).and_return(false)
+              stub_container_registry_gitlab_api_support(supported: false)
             end
 
             it_behaves_like 'returning a repository and its tags'
diff --git a/spec/requests/api/graphql/container_repository/container_repository_details_spec.rb b/spec/requests/api/graphql/container_repository/container_repository_details_spec.rb
index fa0d5c2c635..417472ca03a 100644
--- a/spec/requests/api/graphql/container_repository/container_repository_details_spec.rb
+++ b/spec/requests/api/graphql/container_repository/container_repository_details_spec.rb
@@ -331,30 +331,45 @@ RSpec.describe 'container repository details', feature_category: :container_regi
       GQL
     end
 
-    it 'returns the last_published_at', quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/463763' do
-      stub_container_registry_gitlab_api_support(supported: true) do |client|
-        stub_container_registry_gitlab_api_repository_details(client, path: container_repository.path, last_published_at: '2024-04-30T06:07:36.225Z')
-      end
-
-      subject
-
-      expect(last_published_at_response).to eq('2024-04-30T06:07:36+00:00')
-    end
-
-    context 'with a network error' do
-      it 'returns an error', quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/463764' do
-        stub_container_registry_gitlab_api_network_error
+    context 'on Gitlab.com', :saas do
+      it 'returns the last_published_at' do
+        stub_container_registry_gitlab_api_support(supported: true) do |client|
+          stub_container_registry_gitlab_api_repository_details(
+            client,
+            path: container_repository.path,
+            sizing: :self,
+            last_published_at: '2024-04-30T06:07:36.225Z'
+          )
+        end
 
         subject
 
-        expect_graphql_errors_to_include("Can't connect to the Container Registry. If this error persists, please review the troubleshooting documentation.")
+        expect(last_published_at_response).to eq('2024-04-30T06:07:36+00:00')
+      end
+
+      context 'with not supporting the gitlab api' do
+        it 'returns nil' do
+          stub_container_registry_gitlab_api_support(supported: false)
+
+          subject
+
+          expect(last_published_at_response).to eq(nil)
+        end
+      end
+
+      context 'with a network error' do
+        it 'returns an error' do
+          stub_container_registry_gitlab_api_network_error
+
+          subject
+
+          expect_graphql_errors_to_include("Can't connect to the Container Registry. If this error persists, please review the troubleshooting documentation.")
+        end
       end
     end
 
-    context 'with not supporting the gitlab api' do
+    context 'when not on Gitlab.com' do
       it 'returns nil' do
-        stub_container_registry_gitlab_api_support(supported: false)
-
         subject
 
         expect(last_published_at_response).to eq(nil)
diff --git a/spec/requests/api/project_attributes.yml b/spec/requests/api/project_attributes.yml
index e1937a08e01..60aa7d51060 100644
--- a/spec/requests/api/project_attributes.yml
+++ b/spec/requests/api/project_attributes.yml
@@ -101,6 +101,7 @@ ci_cd_settings:
     - inbound_job_token_scope_enabled
     - restrict_pipeline_cancellation_role
   remapped_attributes:
+    pipeline_variables_minimum_override_role: ci_pipeline_variables_minimum_override_role
     default_git_depth: ci_default_git_depth
     forward_deployment_enabled: ci_forward_deployment_enabled
     forward_deployment_rollback_allowed: ci_forward_deployment_rollback_allowed
diff --git a/spec/requests/api/project_container_repositories_spec.rb b/spec/requests/api/project_container_repositories_spec.rb
index bbeb56045d4..3588196e9d8 100644
--- a/spec/requests/api/project_container_repositories_spec.rb
+++ b/spec/requests/api/project_container_repositories_spec.rb
@@ -5,6 +5,8 @@ require 'spec_helper'
 RSpec.describe API::ProjectContainerRepositories, feature_category: :container_registry do
   include ExclusiveLeaseHelpers
 
+  include_context 'container registry client stubs'
+
   let_it_be(:project) { create(:project, :private) }
   let_it_be(:project2) { create(:project, :public) }
   let_it_be(:maintainer) { create(:user, maintainer_of: [project, project2]) }
@@ -201,9 +203,7 @@ RSpec.describe API::ProjectContainerRepositories, feature_category: :container_r
               end
 
               before do
-                allow(ContainerRegistry::GitlabApiClient).to receive(:supports_gitlab_api?).and_return(true)
-
-                allow_next_instance_of(ContainerRegistry::GitlabApiClient) do |client|
+                stub_container_registry_gitlab_api_support(supported: true) do |client|
                   allow(client).to receive(:tags).and_return(response_body)
                 end
               end
@@ -476,7 +476,16 @@ RSpec.describe API::ProjectContainerRepositories, feature_category: :container_r
           context 'when the repository is migrated', :saas do
             context 'when the Gitlab API is supported' do
               before do
-                allow(ContainerRegistry::GitlabApiClient).to receive(:supports_gitlab_api?).and_return(true)
+                stub_container_registry_gitlab_api_support(supported: true) do |client|
+                  allow(client).to receive(:tags).and_return(response_body)
+                end
+              end
+
+              let(:response_body) do
+                {
+                  pagination: {},
+                  response_body: ::Gitlab::Json.parse(tags_response.to_json)
+                }
               end
 
               context 'when the Gitlab API returns a tag' do
@@ -492,19 +501,6 @@ RSpec.describe API::ProjectContainerRepositories, feature_category: :container_r
                   ]
                 end
 
-                let_it_be(:response_body) do
-                  {
-                    pagination: {},
-                    response_body: ::Gitlab::Json.parse(tags_response.to_json)
-                  }
-                end
-
-                before do
-                  allow_next_instance_of(ContainerRegistry::GitlabApiClient) do |client|
-                    allow(client).to receive(:tags).and_return(response_body)
-                  end
-                end
-
                 it_behaves_like 'returning the tag'
               end
 
@@ -535,28 +531,11 @@ RSpec.describe API::ProjectContainerRepositories, feature_category: :container_r
                   ]
                 end
 
-                let_it_be(:response_body) do
-                  {
-                    pagination: {},
-                    response_body: ::Gitlab::Json.parse(tags_response.to_json)
-                  }
-                end
-
-                before do
-                  allow_next_instance_of(ContainerRegistry::GitlabApiClient) do |client|
-                    allow(client).to receive(:tags).and_return(response_body)
-                  end
-                end
-
                 it_behaves_like 'returning the tag'
               end
 
               context 'when the Gitlab API does not return a tag' do
-                before do
-                  allow_next_instance_of(ContainerRegistry::GitlabApiClient) do |client|
-                    allow(client).to receive(:tags).and_return({ pagination: {}, response_body: {} })
-                  end
-                end
+                let_it_be(:tags_response) { {} }
 
                 it 'returns not found' do
                   subject
@@ -569,7 +548,7 @@ RSpec.describe API::ProjectContainerRepositories, feature_category: :container_r
 
             context 'when the Gitlab API is not supported' do
               before do
-                allow(ContainerRegistry::GitlabApiClient).to receive(:supports_gitlab_api?).and_return(false)
+                stub_container_registry_gitlab_api_support(supported: false)
                 stub_container_registry_tags(repository: root_repository.path, tags: %w[rootA], with_manifest: true)
               end
 
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index 5fb48de01af..78aec3c2b84 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -2790,6 +2790,7 @@ RSpec.describe API::Projects, :aggregate_failures, feature_category: :groups_and
         expect(json_response['only_allow_merge_if_pipeline_succeeds']).to eq(project.only_allow_merge_if_pipeline_succeeds)
         expect(json_response['allow_merge_on_skipped_pipeline']).to eq(project.allow_merge_on_skipped_pipeline)
         expect(json_response['restrict_user_defined_variables']).to eq(project.restrict_user_defined_variables?)
+        expect(json_response['ci_pipeline_variables_minimum_override_role']).to eq(project.ci_pipeline_variables_minimum_override_role.to_s)
         expect(json_response['only_allow_merge_if_all_discussions_are_resolved']).to eq(project.only_allow_merge_if_all_discussions_are_resolved)
         expect(json_response['security_and_compliance_access_level']).to be_present
         expect(json_response['releases_access_level']).to be_present
@@ -3297,6 +3298,7 @@ RSpec.describe API::Projects, :aggregate_failures, feature_category: :groups_and
           'build_git_strategy',
           'keep_latest_artifact',
           'restrict_user_defined_variables',
+          'ci_pipeline_variables_minimum_override_role',
           'runners_token',
           'runner_token_expiration_interval',
           'group_runners_enabled',
@@ -4301,6 +4303,118 @@ RSpec.describe API::Projects, :aggregate_failures, feature_category: :groups_and
         expect(response).to have_gitlab_http_status(:bad_request)
       end
 
+      context 'when ci_pipeline_variables_minimum_override_role is owner' do
+        before do
+          project3.add_maintainer(user2)
+          ci_cd_settings = project3.ci_cd_settings
+          ci_cd_settings.restrict_user_defined_variables = false
+          ci_cd_settings.pipeline_variables_minimum_override_role = 'owner'
+          ci_cd_settings.save!
+        end
+
+        context 'and current user is maintainer' do
+          let_it_be(:current_user) { user2 }
+
+          it 'rejects to change restrict_user_defined_variables' do
+            project_param = { restrict_user_defined_variables: true }
+
+            put api("/projects/#{project3.id}", current_user), params: project_param
+
+            expect(response).to have_gitlab_http_status(:bad_request)
+          end
+
+          it 'rejects to change ci_pipeline_variables_minimum_override_role' do
+            project_param = { ci_pipeline_variables_minimum_override_role: 'developer' }
+
+            put api("/projects/#{project3.id}", current_user), params: project_param
+
+            expect(response).to have_gitlab_http_status(:bad_request)
+          end
+        end
+
+        context 'and current user is owner' do
+          let_it_be(:current_user) { user }
+
+          it 'successfully changes restrict_user_defined_variables' do
+            project_param = { restrict_user_defined_variables: true }
+
+            put api("/projects/#{project3.id}", current_user), params: project_param
+
+            expect(response).to have_gitlab_http_status(:ok)
+          end
+
+          it 'successfully changes ci_pipeline_variables_minimum_override_role' do
+            project_param = { ci_pipeline_variables_minimum_override_role: 'developer' }
+
+            put api("/projects/#{project3.id}", current_user), params: project_param
+
+            expect(response).to have_gitlab_http_status(:ok)
+          end
+        end
+      end
+
+      context 'when ci_pipeline_variables_minimum_override_role is set to maintainer' do
+        before do
+          project3.add_maintainer(user2)
+          ci_cd_settings = project3.ci_cd_settings
+          ci_cd_settings.restrict_user_defined_variables = false
+          ci_cd_settings.pipeline_variables_minimum_override_role = 'maintainer'
+          ci_cd_settings.save!
+        end
+
+        context 'and current user is maintainer' do
+          let_it_be(:current_user) { user2 }
+
+          it 'sucessfully changes restrict_user_defined_variables' do
+            project_param = { restrict_user_defined_variables: true }
+
+            put api("/projects/#{project3.id}", current_user), params: project_param
+
+            expect(response).to have_gitlab_http_status(:ok)
+          end
+
+          it 'successfully changes ci_pipeline_variables_minimum_override_role' do
+            project_param = { ci_pipeline_variables_minimum_override_role: 'developer' }
+
+            put api("/projects/#{project3.id}", current_user), params: project_param
+
+            expect(response).to have_gitlab_http_status(:ok)
+          end
+
+          it 'rejects to ci_pipeline_variables_minimum_override_role to owner' do
+            project_param = { ci_pipeline_variables_minimum_override_role: 'owner' }
+
+            put api("/projects/#{project3.id}", current_user), params: project_param
+
+            expect(response).to have_gitlab_http_status(:bad_request)
+          end
+        end
+
+        context 'and current user is developer' do
+          let_it_be(:current_user) { user3 }
+
+          before do
+            project3.add_developer(user3)
+          end
+
+          it 'fails to change restrict_user_defined_variables' do
+            project_param = { restrict_user_defined_variables: true }
+
+            put api("/projects/#{project3.id}", current_user), params: project_param
+
+            expect(response).to have_gitlab_http_status(:forbidden)
+          end
+
+          it 'fails to change ci_pipeline_variables_minimum_override_role' do
+            project_param = { ci_pipeline_variables_minimum_override_role: 'developer' }
+
+            put api("/projects/#{project3.id}", current_user), params: project_param
+
+            expect(response).to have_gitlab_http_status(:forbidden)
+          end
+        end
+      end
+
       it 'updates restrict_user_defined_variables' do
         project_param = { restrict_user_defined_variables: true }
 
@@ -4313,6 +4427,34 @@ RSpec.describe API::Projects, :aggregate_failures, feature_category: :groups_and
         end
       end
 
+      it 'updates ci_pipeline_variables_minimum_override_role' do
+        project_param = { ci_pipeline_variables_minimum_override_role: 'owner' }
+
+        put api("/projects/#{project3.id}", user), params: project_param
+
+        expect(response).to have_gitlab_http_status(:ok)
+
+        project_param.each_pair do |k, v|
+          expect(json_response[k.to_s]).to eq(v)
+        end
+      end
+
+      it 'rejects updating ci_pipeline_variables_minimum_override_role when an invalid role is provided' do
+        project_param = { ci_pipeline_variables_minimum_override_role: 'wrong' }
+
+        put api("/projects/#{project3.id}", user), params: project_param
+
+        expect(response).to have_gitlab_http_status(:bad_request)
+      end
+
+      it 'rejects updating ci_pipeline_variables_minimum_override_role when an existing but not allowed role is provided' do
+        project_param = { ci_pipeline_variables_minimum_override_role: 'guest' }
+
+        put api("/projects/#{project3.id}", user), params: project_param
+
+        expect(response).to have_gitlab_http_status(:bad_request)
+      end
+
       it 'updates public_builds (deprecated)' do
         project3.update!({ public_builds: false })
         project_param = { public_builds: 'true' }
diff --git a/spec/requests/api/remote_mirrors_spec.rb b/spec/requests/api/remote_mirrors_spec.rb
index 77f30122414..7930605eb57 100644
--- a/spec/requests/api/remote_mirrors_spec.rb
+++ b/spec/requests/api/remote_mirrors_spec.rb
@@ -305,15 +305,15 @@ RSpec.describe API::RemoteMirrors, feature_category: :source_code_management do
         expect(response).to have_gitlab_http_status(:not_found)
       end
 
-      it 'returns bad request if the update service fails' do
-        expect_next_instance_of(Projects::UpdateService) do |service|
-          expect(service).to receive(:execute).and_return(status: :error, message: 'message')
+      it 'returns bad request if the destroy service fails' do
+        expect_next_instance_of(RemoteMirrors::DestroyService) do |service|
+          expect(service).to receive(:execute).and_return(ServiceResponse.error(message: 'error'))
         end
 
         expect { delete api(route[mirror.id], user) }.not_to change { project.remote_mirrors.count }
 
         expect(response).to have_gitlab_http_status(:bad_request)
-        expect(json_response).to eq({ 'message' => 'message' })
+        expect(json_response).to eq({ 'message' => 'error' })
       end
 
       it 'deletes a remote mirror' do
@@ -321,6 +321,35 @@ RSpec.describe API::RemoteMirrors, feature_category: :source_code_management do
 
         expect(response).to have_gitlab_http_status(:no_content)
       end
+
+      context 'when feature flag "use_remote_mirror_destroy_service" is disabled' do
+        before do
+          stub_feature_flags(use_remote_mirror_destroy_service: false)
+        end
+
+        it 'returns 404 for non existing id' do
+          delete api(route[non_existing_record_id], user)
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+
+        it 'returns bad request if the destroy service fails' do
+          expect_next_instance_of(Projects::UpdateService) do |service|
+            expect(service).to receive(:execute).and_return(status: :error, message: 'message')
+          end
+
+          expect { delete api(route[mirror.id], user) }.not_to change { project.remote_mirrors.count }
+
+          expect(response).to have_gitlab_http_status(:bad_request)
+          expect(json_response).to eq({ 'message' => 'message' })
+        end
+
+        it 'deletes a remote mirror' do
+          expect { delete api(route[mirror.id], user) }.to change { project.remote_mirrors.count }.from(1).to(0)
+
+          expect(response).to have_gitlab_http_status(:no_content)
+        end
+      end
     end
   end
 end
diff --git a/spec/services/projects/update_service_spec.rb b/spec/services/projects/update_service_spec.rb
index 51b966c3acb..a11e1ae0342 100644
--- a/spec/services/projects/update_service_spec.rb
+++ b/spec/services/projects/update_service_spec.rb
@@ -26,6 +26,109 @@ RSpec.describe Projects::UpdateService, feature_category: :groups_and_projects d
   describe '#execute' do
     let(:admin) { create(:admin) }
 
+    let_it_be(:maintainer) { create(:user) }
+    let_it_be(:developer) { create(:user) }
+    let_it_be(:owner) { create(:user) }
+
+    context 'when changing restrict_user_defined_variables' do
+      using RSpec::Parameterized::TableSyntax
+
+      where(:current_user_role, :project_minimum_role, :from_value, :to_value, :status) do
+        :owner      | :developer  | true  | false | :success
+        :owner      | :maintainer | true  | false | :success
+        :owner      | :developer  | false | true  | :success
+        :owner      | :maintainer | false | true  | :success
+        :maintainer | :developer  | true  | false | :success
+        :maintainer | :maintainer | true  | false | :success
+        :maintainer | :owner      | true  | false | :api_error
+        :maintainer | :owner      | false | true  | :api_error
+        :maintainer | :owner      | true  | true  | :success
+        :developer  | :owner      | true  | false | :api_error
+        :developer  | :developer  | true  | false | :api_error
+        :developer  | :maintainer | true  | false | :api_error
+      end
+
+      with_them do
+        let(:current_user) { public_send(current_user_role) }
+
+        before do
+          project.add_maintainer(maintainer)
+          project.add_developer(developer)
+          project.add_owner(owner)
+
+          ci_cd_settings = project.ci_cd_settings
+          ci_cd_settings.pipeline_variables_minimum_override_role = project_minimum_role
+          ci_cd_settings.restrict_user_defined_variables = from_value
+          ci_cd_settings.save!
+        end
+
+        it 'allows/disallows to change restrict_user_defined_variables' do
+          result = update_project(project, current_user, restrict_user_defined_variables: to_value)
+          expect(result[:status]).to eq(status)
+        end
+
+        context 'when feature flag allow_user_variables_by_minimum_role is disabled`' do
+          before do
+            stub_feature_flags(allow_user_variables_by_minimum_role: false)
+          end
+
+          it 'allows to change restrict_user_defined_variables' do
+            result = update_project(project, current_user, restrict_user_defined_variables: to_value)
+            expect(result[:status]).to eq(:success)
+          end
+        end
+      end
+    end
+
+    context 'when changing ci_pipeline_variables_minimum_override_role' do
+      using RSpec::Parameterized::TableSyntax
+
+      where(:current_user_role, :restrict_user_defined_variables, :from_value, :to_value, :status) do
+        :owner      | true  | :owner      | :developer  | :success
+        :owner      | true  | :owner      | :maintainer | :success
+        :owner      | true  | :developer  | :maintainer | :success
+        :owner      | true  | :maintainer | :owner      | :success
+        :maintainer | true  | :owner      | :developer  | :api_error
+        :maintainer | true  | :owner      | :maintainer | :api_error
+        :maintainer | true  | :developer  | :maintainer | :success
+        :maintainer | true  | :maintainer | :owner      | :api_error
+        :owner      | false | :owner      | :maintainer | :success
+        :maintainer | false | :owner      | :developer  | :api_error
+        :maintainer | false | :maintainer | :owner      | :api_error
+      end
+
+      with_them do
+        let(:current_user) { public_send(current_user_role) }
+
+        before do
+          project.add_maintainer(maintainer)
+          project.add_developer(developer)
+          project.add_owner(owner)
+
+          ci_cd_settings = project.ci_cd_settings
+          ci_cd_settings.pipeline_variables_minimum_override_role = from_value
+          ci_cd_settings.restrict_user_defined_variables = restrict_user_defined_variables
+          ci_cd_settings.save!
+        end
+
+        it 'allows/disallows to change ci_pipeline_variables_minimum_override_role' do
+          result = update_project(project, current_user, ci_pipeline_variables_minimum_override_role: to_value.to_s)
+          expect(result[:status]).to eq(status)
+        end
+
+        context 'when feature flag allow_user_variables_by_minimum_role is disabled`' do
+          before do
+            stub_feature_flags(allow_user_variables_by_minimum_role: false)
+          end
+
+          it 'allows to change ci_pipeline_variables_minimum_override_role' do
+            result = update_project(project, current_user, ci_pipeline_variables_minimum_override_role: to_value.to_s)
+            expect(result[:status]).to eq(:success)
+          end
+        end
+      end
+    end
+
     context 'when changing visibility level' do
       it_behaves_like 'publishing Projects::ProjectAttributesChangedEvent',
         params: { visibility_level: Gitlab::VisibilityLevel::INTERNAL },
diff --git a/spec/services/remote_mirrors/destroy_service_spec.rb b/spec/services/remote_mirrors/destroy_service_spec.rb
new file mode 100644
index 00000000000..af939008a98
--- /dev/null
+++ b/spec/services/remote_mirrors/destroy_service_spec.rb
@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe RemoteMirrors::DestroyService, feature_category: :source_code_management do
+  subject(:service) { described_class.new(project, user) }
+
+  let_it_be(:project) { create(:project) }
+  let_it_be(:user) { create(:user, maintainer_of: project) }
+
+  let!(:remote_mirror) { create(:remote_mirror, project: project) }
+
+  describe '#execute', :aggregate_failures do
+    subject(:execute) { service.execute(remote_mirror) }
+
+    it 'destroys a push mirror' do
+      expect { execute }.to change { project.remote_mirrors.count }.from(1).to(0)
+
+      is_expected.to be_success
+    end
+
+    context 'when user does not have permissions' do
+      let(:user) { nil }
+
+      it 'returns an error' do
+        expect { execute }.not_to change { RemoteMirror.count }
+
+        is_expected.to be_error
+        expect(execute.message).to eq('Access Denied')
+      end
+    end
+
+    context 'when remote mirror is missing' do
+      let(:remote_mirror) { nil }
+
+      it 'returns an error' do
+        is_expected.to be_error
+        expect(execute.message).to eq('Remote mirror is missing')
+      end
+    end
+
+    context 'when mirror does not match the project' do
+      let!(:remote_mirror) { create(:remote_mirror) }
+
+      it 'returns an error' do
+        expect { execute }.not_to change { RemoteMirror.count }
+
+        is_expected.to be_error
+        expect(execute.message).to eq('Project mismatch')
+      end
+    end
+
+    context 'when destroy process fails' do
+      before do
+        allow(remote_mirror).to receive(:destroy) do
+          remote_mirror.errors.add(:base, 'destroy error')
+        end.and_return(nil)
+      end
+
+      it 'returns an error' do
+        expect { execute }.not_to change { RemoteMirror.count }
+
+        is_expected.to be_error
+        expect(execute.message.full_messages).to include('destroy error')
+      end
+    end
+  end
+end
diff --git a/spec/services/work_items/parent_links/create_service_spec.rb b/spec/services/work_items/parent_links/create_service_spec.rb
index 4a45d52d9ee..4a7ef1f7d5e 100644
--- a/spec/services/work_items/parent_links/create_service_spec.rb
+++ b/spec/services/work_items/parent_links/create_service_spec.rb
@@ -118,6 +118,17 @@ RSpec.describe WorkItems::ParentLinks::CreateService, feature_category: :portfol
         expect(tasks_parent).to match_array([work_item])
       end
 
+      context 'when relative_position is set' do
+        let(:params) { { issuable_references: [task1, task2], relative_position: 1337 } }
+
+        it 'creates relationships with given relative_position' do
+          result = subject
+
+          expect(result[:created_references].first.relative_position).to eq(1337)
+          expect(result[:created_references].second.relative_position).to eq(1337)
+        end
+      end
+
       it 'returns success status and created links', :aggregate_failures do
         expect(subject.keys).to match_array([:status, :created_references])
         expect(subject[:status]).to eq(:success)
diff --git a/spec/views/user_settings/profiles/show.html.haml_spec.rb b/spec/views/user_settings/profiles/show.html.haml_spec.rb
index 4c246c301aa..0e9059c0cc0 100644
--- a/spec/views/user_settings/profiles/show.html.haml_spec.rb
+++ b/spec/views/user_settings/profiles/show.html.haml_spec.rb
@@ -11,6 +11,7 @@ RSpec.describe 'user_settings/profiles/show', feature_category: :user_profile do
     allow(controller).to receive(:current_user).and_return(user)
     allow(view).to receive(:experiment_enabled?)
     stub_feature_flags(edit_user_profile_vue: false)
+    allow(view).to receive(:can?)
   end
 
   context 'when the profile page is opened' do
@@ -50,5 +51,19 @@ RSpec.describe 'user_settings/profiles/show', feature_category: :user_profile do
         type: :hidden
       )
     end
+
+    describe 'private profile', feature_category: :user_management do
+      before do
+        allow(view).to receive(:can?).with(user, :make_profile_private, user).and_return(true)
+      end
+
+      it 'renders correct CE partial' do
+        render
+
+        expect(rendered).to render_template('user_settings/profiles/_private_profile')
+        expect(rendered).to have_link 'Learn more',
+          href: help_page_path('user/profile/index', anchor: 'make-your-user-profile-page-private')
+      end
+    end
   end
 end
diff --git a/workhorse/go.mod b/workhorse/go.mod
index 0096208f274..1646fa776b7 100644
--- a/workhorse/go.mod
+++ b/workhorse/go.mod
@@ -27,7 +27,7 @@ require (
 	gitlab.com/gitlab-org/gitaly/v16 v16.11.2
 	gitlab.com/gitlab-org/labkit v1.21.0
 	gocloud.dev v0.37.0
-	golang.org/x/image v0.15.0
+	golang.org/x/image v0.16.0
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
 	golang.org/x/net v0.23.0
 	golang.org/x/oauth2 v0.20.0
@@ -121,7 +121,7 @@ require (
 	golang.org/x/mod v0.16.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 	golang.org/x/sys v0.19.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/api v0.169.0 // indirect
diff --git a/workhorse/go.sum b/workhorse/go.sum
index cd5d5f6287c..04b6d25441d 100644
--- a/workhorse/go.sum
+++ b/workhorse/go.sum
@@ -547,8 +547,8 @@ golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a/go.mod h1:AbB0pIl
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.15.0 h1:kOELfmgrmJlw4Cdb7g/QGuB3CvDrXbqEIww/pNtNBm8=
-golang.org/x/image v0.15.0/go.mod h1:HUYqC05R2ZcZ3ejNQsIHQDQiwWM4JBqmm6MKANTp4LE=
+golang.org/x/image v0.16.0 h1:9kloLAKhUufZhA12l5fwnx2NZW39/we1UhBesW433jw=
+golang.org/x/image v0.16.0/go.mod h1:ugSZItdV4nOxyqp56HmXwH0Ry0nBCpjnZdpDaIHdoPs=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -743,8 +743,9 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20170424234030-8be79e1e0910/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
diff --git a/workhorse/internal/helper/command/command.go b/workhorse/internal/helper/command/command.go
index 67d6838b170..7970d016170 100644
--- a/workhorse/internal/helper/command/command.go
+++ b/workhorse/internal/helper/command/command.go
@@ -1,3 +1,4 @@
+// Package command provides helper functions for working with commands and processes
 package command
 
 import (
@@ -5,16 +6,17 @@ import (
 	"syscall"
 )
 
+// ExitStatus returns the exit code of an error if it implements the ExitCode() method
 func ExitStatus(err error) (int, bool) {
 	if v, ok := err.(interface{ ExitCode() int }); ok {
 		return v.ExitCode(), true
 	} else if err != nil {
 		return -1, false
-	} else {
-		return 0, false
 	}
+	return 0, false
 }
 
+// KillProcessGroup sends a SIGTERM signal to the process group of the given command
 func KillProcessGroup(cmd *exec.Cmd) error {
 	if cmd == nil {
 		return nil
@@ -22,7 +24,7 @@ func KillProcessGroup(cmd *exec.Cmd) error {
 
 	if p := cmd.Process; p != nil && p.Pid > 0 {
 		// Send SIGTERM to the process group of cmd
-		syscall.Kill(-p.Pid, syscall.SIGTERM)
+		_ = syscall.Kill(-p.Pid, syscall.SIGTERM)
 	}
 
 	// reap our child process
diff --git a/workhorse/internal/helper/countingresponsewriter.go b/workhorse/internal/helper/countingresponsewriter.go
index 9bcecf2d9b1..7cdb0c87b6c 100644
--- a/workhorse/internal/helper/countingresponsewriter.go
+++ b/workhorse/internal/helper/countingresponsewriter.go
@@ -1,9 +1,11 @@
+// Package helper provides various helper functions and types for HTTP handling
 package helper
 
 import (
 	"net/http"
 )
 
+// CountingResponseWriter is an interface that wraps http.ResponseWriter
 type CountingResponseWriter interface {
 	http.ResponseWriter
 	Count() int64
@@ -16,6 +18,7 @@ type countingResponseWriter struct {
 	count  int64
 }
 
+// NewCountingResponseWriter creates a new CountingResponseWriter
 func NewCountingResponseWriter(rw http.ResponseWriter) CountingResponseWriter {
 	return &countingResponseWriter{rw: rw}
 }
diff --git a/workhorse/internal/helper/countingresponsewriter_test.go b/workhorse/internal/helper/countingresponsewriter_test.go
index d070b215b90..fbe8aa112cd 100644
--- a/workhorse/internal/helper/countingresponsewriter_test.go
+++ b/workhorse/internal/helper/countingresponsewriter_test.go
@@ -52,8 +52,9 @@ func TestCountingResponseWriterWrite(t *testing.T) {
 
 func TestCountingResponseWriterFlushable(t *testing.T) {
 	rw := httptest.NewRecorder()
+
 	crw := countingResponseWriter{rw: rw}
-	rc := http.NewResponseController(&crw)
+	rc := http.NewResponseController(&crw) //nolint:bodyclose // false-positive https://github.com/timakin/bodyclose/issues/52
 
 	err := rc.Flush()
 	require.NoError(t, err, "the underlying response writer is not flushable")
diff --git a/workhorse/internal/helper/exception/exception.go b/workhorse/internal/helper/exception/exception.go
index 9b1628ffecb..ba7ef05e7e4 100644
--- a/workhorse/internal/helper/exception/exception.go
+++ b/workhorse/internal/helper/exception/exception.go
@@ -1,3 +1,4 @@
+// Package exception provides utility functions for handling exceptions
 package exception
 
 import (
@@ -17,6 +18,7 @@ var ravenHeaderBlacklist = []string{
 	"Private-Token",
 }
 
+// Track captures and reports an exception
 func Track(r *http.Request, err error, fields log.Fields) {
 	client := raven.DefaultClient
 	extra := raven.Extra{}
@@ -45,6 +47,7 @@ func Track(r *http.Request, err error, fields log.Fields) {
 	client.Capture(packet, nil)
 }
 
+// CleanHeaders redacts sensitive headers in the request
 func CleanHeaders(r *http.Request) {
 	if r == nil {
 		return
diff --git a/workhorse/internal/helper/fail/fail.go b/workhorse/internal/helper/fail/fail.go
index 32c2940a0cc..8b6c828bba6 100644
--- a/workhorse/internal/helper/fail/fail.go
+++ b/workhorse/internal/helper/fail/fail.go
@@ -1,3 +1,4 @@
+// Package fail provides functionality for handling failure responses in HTTP requests
 package fail
 
 import (
@@ -12,6 +13,7 @@ type failure struct {
 	fields log.Fields
 }
 
+// Option represents a function that modifies a failure object
 type Option func(*failure)
 
 // WithStatus sets the HTTP status and body text of the failure response.
diff --git a/workhorse/internal/helper/helpers.go b/workhorse/internal/helper/helpers.go
index a4a91901ea9..29a6fe04b2e 100644
--- a/workhorse/internal/helper/helpers.go
+++ b/workhorse/internal/helper/helpers.go
@@ -1,3 +1,4 @@
+// Package helper provides utility functions for various tasks
 package helper
 
 import (
@@ -5,19 +6,21 @@ import (
 	"mime"
 	"net/url"
 	"os"
+	"path/filepath"
 
 	"gitlab.com/gitlab-org/gitlab/workhorse/internal/log"
 )
 
+// OpenFile opens a file at the specified path and returns its properties
 func OpenFile(path string) (file *os.File, fi os.FileInfo, err error) {
-	file, err = os.Open(path)
+	file, err = os.Open(filepath.Clean(path))
 	if err != nil {
 		return
 	}
 
 	defer func() {
 		if err != nil {
-			file.Close()
+			_ = file.Close()
 		}
 	}()
 
@@ -39,6 +42,7 @@ func OpenFile(path string) (file *os.File, fi os.FileInfo, err error) {
 	return
 }
 
+// URLMustParse parses the given string as a URL
 func URLMustParse(s string) *url.URL {
 	u, err := url.Parse(s)
 	if err != nil {
@@ -47,6 +51,7 @@ func URLMustParse(s string) *url.URL {
 	return u
 }
 
+// IsContentType checks if the actual content type matches the expected content type
 func IsContentType(expected, actual string) bool {
 	parsed, _, err := mime.ParseMediaType(actual)
 	return err == nil && parsed == expected
diff --git a/workhorse/internal/helper/nginx/nginx.go b/workhorse/internal/helper/nginx/nginx.go
index ca7c8543f75..101b1f9e9b4 100644
--- a/workhorse/internal/helper/nginx/nginx.go
+++ b/workhorse/internal/helper/nginx/nginx.go
@@ -1,13 +1,17 @@
+// Package nginx provides helper functions for interacting with NGINX
 package nginx
 
 import "net/http"
 
+// ResponseBufferHeader is the HTTP header used to control response buffering in NGINX
 const ResponseBufferHeader = "X-Accel-Buffering"
 
+// DisableResponseBuffering disables response buffering in NGINX for the provided HTTP response writer
 func DisableResponseBuffering(w http.ResponseWriter) {
 	w.Header().Set(ResponseBufferHeader, "no")
 }
 
+// AllowResponseBuffering enables response buffering in NGINX for the provided HTTP response writer
 func AllowResponseBuffering(w http.ResponseWriter) {
 	w.Header().Del(ResponseBufferHeader)
 }