root
/
gitlab-ce
mirror of https://gitlab.com/free-releases/gitlab-ce.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2024-11-22 00:28:39 +00:00
parent 57c3b1035a
commit ef55cde229
27 changed files with 424 additions and 161 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
app/assets/javascripts/admin/users/components/new_user_organization_field.vue
View File

@ -11,6 +11,8 @@ export default {
AVATAR_SHAPE_OPTION_RECT,
organizationsQuery,
organizationInputId: 'user_organization_id',
organizationUserInputId: 'user_organization_users_id',
organizationUserInputName: 'user[organization_users][][id]',
i18n: {
organizationSelectLabel: s__('Organization|Select an organization'),
},
@ -24,10 +26,12 @@ export default {
type: Object,
required: true,
},
initialAccessLevel: {
type: String,
organizationUser: {
type: Object,
required: false,
default: undefined,
default() {
return {};
},
},
organizationInputName: {
type: String,
@ -47,12 +51,22 @@ export default {
value: this.initialOrganization.id,
};
},
isOrganizationUserDefined() {
return Object.keys(this.organizationUser).length;
},
},
};
</script>
<template>
<div>
<input
v-if="isOrganizationUserDefined"
:id="$options.organizationUserInputId"
:name="$options.organizationUserInputName"
:value="organizationUser.id"
type="hidden"
/>
<organization-select
v-if="hasMultipleOrganizations"
:query="$options.organizationsQuery"
@ -86,7 +100,7 @@ export default {
/>
</div>
<organization-role-field
:initial-access-level="initialAccessLevel"
:initial-access-level="organizationUser.accessLevel"
:input-name="organizationRoleInputName"
/>
</div>

8
app/assets/javascripts/admin/users/edit.js
View File

@ -11,7 +11,7 @@ export const initAdminNewUserOrganizationField = () => {
dataset: { appData },
} = el;
const { initialAccessLevel, initialOrganization } = convertObjectPropsToCamelCase(
const { organizationUser, initialOrganization } = convertObjectPropsToCamelCase(
JSON.parse(appData),
{ deep: true },
);
@ -22,11 +22,11 @@ export const initAdminNewUserOrganizationField = () => {
render(createElement) {
return createElement(NewUserOrganizationField, {
props: {
initialAccessLevel,
organizationUser,
initialOrganization,
hasMultipleOrganizations: false,
organizationInputName: 'user[organization_user][][organization_id]',
organizationRoleInputName: 'user[organization_user][][access_level]',
organizationInputName: 'user[organization_users][][organization_id]',
organizationRoleInputName: 'user[organization_users][][access_level]',
},
});
},

2
app/helpers/admin/users_helper.rb
View File

@ -23,7 +23,7 @@ module Admin
organization_user = initial_organization.organization_users.by_user(user).first
{
initial_access_level: organization_user.access_level
organization_user: organization_user.slice(:id, :access_level)
}.merge(admin_user_organization_field_shared(initial_organization)).to_json
end

12
data/deprecations/17-8-deprecate-centos-7.yml Normal file
View File

@ -0,0 +1,12 @@
- title: "Support for CentOS 7" # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
announcement_milestone: "17.6" # (required) The milestone when this feature was first announced as deprecated.
removal_milestone: "17.8" # (required) The milestone when this feature is planned to be removed
breaking_change: false # (required) Change to false if this is not a breaking change.
reporter: clemensbeck # (required) GitLab username of the person reporting the change
stage: systems # (required) String value of the stage that the feature was created in. e.g., Growth
issue_url: https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8714
body: | # (required) Do not modify this line, instead modify the lines below.
Long term service and support (LTSS) for [CentOS 7 ended in June 2024](https://www.redhat.com/en/topics/linux/centos-linux-eol).
Therefore, we will longer support the CentOS 7 distribution for Linux package installs. Users should upgrade to
another operating system for continued support.

12
data/deprecations/17-8-deprecate-oracle-linux-7.yml Normal file
View File

@ -0,0 +1,12 @@
- title: "Support for Oracle Linux 7" # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
announcement_milestone: "17.6" # (required) The milestone when this feature was first announced as deprecated.
removal_milestone: "17.8" # (required) The milestone when this feature is planned to be removed
breaking_change: false # (required) Change to false if this is not a breaking change.
reporter: clemensbeck # (required) GitLab username of the person reporting the change
stage: systems # (required) String value of the stage that the feature was created in. e.g., Growth
issue_url: https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8746
body: | # (required) Do not modify this line, instead modify the lines below.
Long term service and support (LTSS) for [Oracle Linux 7 ends in December 2024](https://wiki.debian.org/LTS).
Therefore, we will longer support the Oracle Linux 7 distribution for Linux package installs. Users should upgrade to
Oracle Linux 8 for continued support.

12
data/deprecations/17-8-deprecate-pios-buster.yml Normal file
View File

@ -0,0 +1,12 @@
- title: "Support for Raspberry Pi OS Buster" # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
announcement_milestone: "17.6" # (required) The milestone when this feature was first announced as deprecated.
removal_milestone: "17.8" # (required) The milestone when this feature is planned to be removed
breaking_change: false # (required) Change to false if this is not a breaking change.
reporter: clemensbeck # (required) GitLab username of the person reporting the change
stage: systems # (required) String value of the stage that the feature was created in. e.g., Growth
issue_url: https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8734
body: | # (required) Do not modify this line, instead modify the lines below.
Long term service and support (LTSS) for Raspberry Pi OS Buster (formerly known as Raspbian Buster) ended in June 2024.
Therefore, we will longer support the PiOS Buster distribution for Linux package installs. Users should upgrade to
PiOS Bullseye for continued support.

12
data/deprecations/17-8-deprecate-scientific-linux.yml Normal file
View File

@ -0,0 +1,12 @@
- title: "Support for Scientific Linux 7" # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
announcement_milestone: "17.6" # (required) The milestone when this feature was first announced as deprecated.
removal_milestone: "17.8" # (required) The milestone when this feature is planned to be removed
breaking_change: false # (required) Change to false if this is not a breaking change.
reporter: clemensbeck # (required) GitLab username of the person reporting the change
stage: systems # (required) String value of the stage that the feature was created in. e.g., Growth
issue_url: https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8745
body: | # (required) Do not modify this line, instead modify the lines below.
Long term service and support (LTSS) for [Scientific Linux 7 ended in June 2024](https://scientificlinux.org/downloads/sl-versions/sl7/).
Therefore, we will longer support the Scientific Linux distribution for Linux package installs. Users should upgrade to
another RHEL-compatible operating system.

12
data/deprecations/17-9-deprecate-opensuse-15-5.yml Normal file
View File

@ -0,0 +1,12 @@
- title: "Support for openSUSE Leap 15.5" # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
announcement_milestone: "17.6" # (required) The milestone when this feature was first announced as deprecated.
removal_milestone: "17.9" # (required) The milestone when this feature is planned to be removed
breaking_change: false # (required) Change to false if this is not a breaking change.
reporter: clemensbeck # (required) GitLab username of the person reporting the change
stage: systems # (required) String value of the stage that the feature was created in. e.g., Growth
issue_url: https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8778
body: | # (required) Do not modify this line, instead modify the lines below.
Long term service and support (LTSS) for [openSUSE Leap ends in December 2024](https://en.opensuse.org/Lifetime#openSUSE_Leap).
Therefore, we will longer support the openSUSE Leap 15.5 distribution for Linux package installs. Users should upgrade to
openSUSE Leap 15.6 for continued support.

22
db/migrate/20241112123436_update_seat_control_in_application_settings.rb Normal file
View File

@ -0,0 +1,22 @@
# frozen_string_literal: true
class UpdateSeatControlInApplicationSettings < Gitlab::Database::Migration[2.2]
milestone '17.7'
enable_lock_retries!
restrict_gitlab_migration gitlab_schema: :gitlab_main
def up
execute <<~SQL
UPDATE application_settings
SET user_seat_management = jsonb_build_object(
'seat_control', CASE WHEN new_user_signups_cap IS NULL THEN 0 ELSE 1 END
);
SQL
end
def down
# no-op
end
end

1
db/schema_migrations/20241112123436 Normal file
View File

@ -0,0 +1 @@
8ab80b3dc0aa6b8f2ff59d075f91c033c4847f6293a7f860bac0206969ddcf99

1
doc/development/duo_workflow/index.md
View File

@ -42,6 +42,7 @@ This detailed guide describes setting up the local development environment for [
1. Set up [GitLab Runner with GDK](https://gitlab.com/gitlab-org/gitlab-development-kit/blob/main/doc/howto/runner.md) so you can create CI jobs locally to test Workflow.
1. Create a [personal access token](../../user/profile/personal_access_tokens.md) in your local GitLab instance with the `api` scope. Save this value and use it in the next step.
1. Run GDK with an Ultimate license.
1. If you're running GitLab in SaaS mode, you'll need to turn on the `beta and experimental features` functionality, as they are [turned off by default](../../user/gitlab_duo/turn_on_off.md#turn-on-beta-and-experimental-features). In the group settings for the project you'll run workflow against, ensure that the `Use experiment and beta Duo features` checkbox is checked.
1. Manually create a Workflow using the following `curl` request; the output will be a workflow ID that is referred to as `$WORKFLOW_ID` throughout the rest of these docs:
```shell

1
doc/policy/experiment-beta-support.md
View File

@ -45,6 +45,7 @@ Beta features:
or with less notice than for generally available features.
- Have a low risk of data loss.
- Have a user experience that is complete or near completion.
- Can be equivalent to partner "Public Preview" status.
## Generally available (GA)

105
doc/update/deprecations.md
View File

@ -1224,6 +1224,111 @@ We hope this will simplify infrastructure setup and add several improvements to
</div>
</div>
<div class="milestone-wrapper" data-milestone="17.9">
## GitLab 17.9
<div class="deprecation " data-milestone="17.9">
### Support for openSUSE Leap 15.5
<div class="deprecation-notes">
- Announced in GitLab <span class="milestone">17.6</span>
- Removal in GitLab <span class="milestone">17.9</span>
- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8778).
</div>
Long term service and support (LTSS) for [openSUSE Leap ends in December 2024](https://en.opensuse.org/Lifetime#openSUSE_Leap).
Therefore, we will longer support the openSUSE Leap 15.5 distribution for Linux package installs. Users should upgrade to
openSUSE Leap 15.6 for continued support.
</div>
</div>
<div class="milestone-wrapper" data-milestone="17.8">
## GitLab 17.8
<div class="deprecation " data-milestone="17.8">
### Support for CentOS 7
<div class="deprecation-notes">
- Announced in GitLab <span class="milestone">17.6</span>
- Removal in GitLab <span class="milestone">17.8</span>
- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8714).
</div>
Long term service and support (LTSS) for [CentOS 7 ended in June 2024](https://www.redhat.com/en/topics/linux/centos-linux-eol).
Therefore, we will longer support the CentOS 7 distribution for Linux package installs. Users should upgrade to
another operating system for continued support.
</div>
<div class="deprecation " data-milestone="17.8">
### Support for Oracle Linux 7
<div class="deprecation-notes">
- Announced in GitLab <span class="milestone">17.6</span>
- Removal in GitLab <span class="milestone">17.8</span>
- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8746).
</div>
Long term service and support (LTSS) for [Oracle Linux 7 ends in December 2024](https://wiki.debian.org/LTS).
Therefore, we will longer support the Oracle Linux 7 distribution for Linux package installs. Users should upgrade to
Oracle Linux 8 for continued support.
</div>
<div class="deprecation " data-milestone="17.8">
### Support for Raspberry Pi OS Buster
<div class="deprecation-notes">
- Announced in GitLab <span class="milestone">17.6</span>
- Removal in GitLab <span class="milestone">17.8</span>
- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8734).
</div>
Long term service and support (LTSS) for Raspberry Pi OS Buster (formerly known as Raspbian Buster) ended in June 2024.
Therefore, we will longer support the PiOS Buster distribution for Linux package installs. Users should upgrade to
PiOS Bullseye for continued support.
</div>
<div class="deprecation " data-milestone="17.8">
### Support for Scientific Linux 7
<div class="deprecation-notes">
- Announced in GitLab <span class="milestone">17.6</span>
- Removal in GitLab <span class="milestone">17.8</span>
- To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8745).
</div>
Long term service and support (LTSS) for [Scientific Linux 7 ended in June 2024](https://scientificlinux.org/downloads/sl-versions/sl7/).
Therefore, we will longer support the Scientific Linux distribution for Linux package installs. Users should upgrade to
another RHEL-compatible operating system.
</div>
</div>
<div class="milestone-wrapper" data-milestone="17.7">
## GitLab 17.7

8
doc/user/application_security/dependency_scanning/troubleshooting_dependency_scanning.md
View File

@ -328,3 +328,11 @@ The `permission denied` error on `gradlew` typically indicates that `gradlew` wa
```
Make the file executable by running `chmod +ux gradlew` locally and pushing it to your Git repository.
## Dependency Scanning scanner is no longer `Gemnasium`
Historically, the scanner used by Dependency Scanning is `Gemnasium` and this is what user can see on the [vulnerability page](../vulnerabilities/index.md).
With the rollout of [Dependency Scanning by using SBOM](dependency_scanning_sbom/index.md), we are replacing the `Gemnasium` scanner with the built-in `GitLab SBoM Vulnerability Scanner`. This new scanner is no longer executed in a CI/CD job but rather within the GitLab platform. While the two scanners are expected to provide the same results, because the SBOM scan happens after the existing Dependency Scanning CI/CD job, existing vulnerabilities have their scanner value updated with the new `GitLab SBoM Vulnerability Scanner`.
As we move forward with the rollout and ultimately replace the existing Gemnasium analyzer, the `GitLab SBoM Vulnerability Scanner` will be the only expected value for GitLab built-in Dependency Scanning feature.

2
doc/user/application_security/iac_scanning/index.md
View File

@ -186,7 +186,7 @@ In the following example `sast-ruleset.toml` file, rules are matched by the `typ
### Offline configuration
DETAILS:
**Tier:** PREMIUM
**Tier:** Premium, Ultimate
**Offering:** Self-managed
An offline environment has limited, restricted, or intermittent access to external resources through

37
doc/user/application_security/sast/gitlab_advanced_sast.md
View File

@ -4,7 +4,7 @@ group: Static Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
# GitLab Advanced SAST analyzer
# GitLab Advanced SAST
DETAILS:
**Tier:** Ultimate
@ -142,25 +142,36 @@ Pipelines now include an Advanced SAST job.
## Vulnerability code flow
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/458062) in GitLab 17.2 [with a flag](../../../administration/feature_flags.md) named `vulnerability_code_flow`. Disabled by default.
> - [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/465776) in GitLab 17.4.
FLAG:
The availability of this feature is controlled by a feature flag.
For more information, see the history.
This feature is available for testing, but not ready for production use.
The availability of this feature is controlled by feature flags. For more information, see [Code flow feature availability](#code-flow-feature-availability).
For some vulnerabilities detected by Advanced SAST, a **Code flow** tab is available in the [Vulnerability Page](../vulnerabilities/index.md).
A vulnerability's code flow is the path the data takes from the user input (source) to the vulnerable line of code (sink),
through all assignments, manipulation, and sanitization. This information helps you understand and evaluate the
vulnerability's context, impact, and risk.
For specific types of vulnerabilities, GitLab Advanced SAST provides code flow information.
A vulnerability's code flow is the path the data takes from the user input (source) to the vulnerable line of code (sink), through all assignments, manipulation, and sanitization.
This information helps you understand and evaluate the vulnerability's context, impact, and risk.
Code flow information is available for vulnerabilities that are detected by tracing input from a source to a sink, including:
The **Code flow** tab shows:
- SQL injection
- Command injection
- Cross-site scripting (XSS)
- Path traversal
The code flow information is shown the **Code flow** tab and includes:
- The steps from source to sink.
- The relevant files, including code snippets.
![Vulnerability Code Flow](../vulnerabilities/img/example_code_flow_of_python_applications_v17_3.png)
![A code flow of a Python application across two files](../vulnerabilities/img/example_code_flow_of_python_applications_v17_3.png)
### Code flow feature availability
The code flow view is integrated into each view where vulnerability details are shown.
On GitLab self-managed, you can activate the view by [enabling the required feature flags](../../../administration/feature_flags.md#how-to-enable-and-disable-features-behind-flags) starting in the minimum version shown.
| Location | Availability on GitLab.com | Availability on GitLab self-managed | Feature flags required |
|-----------------------------------------------------------------|-----------------------------------|-----------------------------------------------------------------------|-----------------------------------------------------------------------|
| [Vulnerability Report](../vulnerability_report/index.md) | Enabled by default in GitLab 17.3 | Enabled by default in GitLab 17.6. Available in GitLab 17.3 or later. | `vulnerability_code_flow` |
| [Merge request widget](index.md#merge-request-widget) | Enabled by default in GitLab 17.6 | Enabled by default in GitLab 17.6. Available in GitLab 17.5 or later. | Both `vulnerability_code_flow` and `pipeline_vulnerability_code_flow` |
| [Pipeline security report](../vulnerability_report/pipeline.md) | Enabled by default in GitLab 17.6 | Enabled by default in GitLab 17.6. Available in GitLab 17.5 or later. | Both `vulnerability_code_flow` and `pipeline_vulnerability_code_flow` |
## Troubleshooting

2
doc/user/application_security/secret_detection/pipeline/index.md
View File

@ -810,7 +810,7 @@ In previous GitLab versions, the following variables were also available:
### Offline configuration
DETAILS:
**Tier:** PREMIUM
**Tier:** Premium, Ultimate
**Offering:** Self-managed
An offline environment has limited, restricted, or intermittent access to external resources through

17
doc/user/application_security/vulnerabilities/index.md
View File

@ -265,20 +265,11 @@ DETAILS:
**Tier:** Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
> - Introduced in GitLab 17.3 with a flag. Disabled by default.
> - Enabled on GitLab.com in GitLab 17.3.
> - Enabled on self-managed and GitLab Dedicated in GitLab 17.4.
> - Generally available in GitLab 17.4. Feature flag removed.
For specific types of vulnerabilities, GitLab Advanced SAST provides [code flow](../sast/gitlab_advanced_sast.md#vulnerability-code-flow) information.
A vulnerability's code flow is the path the data takes from the user input (source) to the vulnerable line of code (sink), through all assignments, manipulation, and sanitization.
For some vulnerabilities detected by Advanced SAST, a **Code flow** tab is available. A
vulnerability's code flow is the path the data takes from the user input (source) to the vulnerable
line of code (sink), through all assignments, manipulation, and sanitization. This information helps
you understand and evaluate the vulnerability's context, impact, and risk.
The **Code flow** tab shows:
- The steps from source to sink.
- The relevant files, including code snippets.
For details on how to view a vulnerability's code flow, see
[Vulnerability code flow](../sast/gitlab_advanced_sast.md#vulnerability-code-flow).
![A code flow of a Python application across two files](img/example_code_flow_of_python_applications_v17_3.png)

2
doc/user/packages/package_registry/index.md
View File

@ -87,7 +87,7 @@ For more information about using the GitLab package registry with CI/CD, see:
- [Maven](../maven_repository/index.md#create-maven-packages-with-gitlab-cicd)
- [npm](../npm_registry/index.md#publish-a-package-with-a-cicd-pipeline)
- [NuGet](../nuget_repository/index.md#publish-a-nuget-package-by-using-cicd)
- [PyPI](../pypi_repository/index.md#authenticate-with-a-ci-job-token)
- [PyPI](../pypi_repository/index.md#authenticate-with-the-gitlab-package-registry)
- [Terraform](../terraform_module_registry/index.md#authenticate-to-the-terraform-module-registry)
If you use CI/CD to build a package, extended activity information is displayed

207
doc/user/packages/pypi_repository/index.md
View File

@ -27,55 +27,55 @@ Learn how to [build a PyPI package](../workflows/build_packages.md#pypi).
## Authenticate with the GitLab package registry
Before you can publish to the GitLab package registry, you must authenticate.
Before you interact with the GitLab package registry, you must authenticate with it.
To do this, you can use:
You can authenticate with:
- A [personal access token](../../../user/profile/personal_access_tokens.md)
with the scope set to `api`.
- A [deploy token](../../project/deploy_tokens/index.md) with the scope set to
`read_package_registry`, `write_package_registry`, or both.
- A [CI job token](../../../ci/jobs/ci_job_token.md).
- A [CI/CD job token](../../../ci/jobs/ci_job_token.md).
Do not use authentication methods other than the methods documented here. Undocumented authentication methods might be removed in the future.
The `TWINE_USERNAME` and `TWINE_PASSWORD` environment variables are used to authenticate with a GitLab token.
To authenticate with a GitLab token:
### Authenticate with a personal access token
- Update the `TWINE_USERNAME` and `TWINE_PASSWORD` environment variables.
To authenticate with a personal access token, update the `TWINE_USERNAME` and `TWINE_PASSWORD` environment variables:
For example:
::Tabs
:::TabTitle With a personal access token
```yaml
run:
image: python:latest
variables:
TWINE_USERNAME: <your_personal_access_token_name>
TWINE_PASSWORD: <your_personal_access_token>
TWINE_USERNAME: <personal_access_token_name>
TWINE_PASSWORD: <personal_access_token>
script:
- pip install build twine
- python -m build
- python -m twine upload --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
```
### Authenticate with a deploy token
To authenticate with a deploy token, update the `TWINE_USERNAME` and `TWINE_PASSWORD` environment variables:
:::TabTitle With a deploy token
```yaml
run:
image: python:latest
variables:
TWINE_USERNAME: <deploy token username>
TWINE_PASSWORD: <deploy token>
TWINE_USERNAME: <deploy_token_username>
TWINE_PASSWORD: <deploy_token>
script:
- pip install build twine
- python -m build
- python -m twine upload --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
```
### Authenticate with a CI job token
To authenticate with a CI job token, update the `TWINE_USERNAME` and `TWINE_PASSWORD` environment variables:
:::TabTitle With a CI/CD job token
```yaml
run:
@ -89,9 +89,13 @@ run:
- python -m twine upload --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
```
### Authenticate to access packages within a group
::EndTabs
Follow the instructions above for the token type, but use the group URL in place of the project URL:
### Authenticate for a group
To authenticate with the package registry for a group:
- Authenticate to the package registry, but use the group URL instead of the project URL:
```shell
https://gitlab.example.com/api/v4/groups/<group_id>/-/packages/pypi
@ -99,72 +103,63 @@ https://gitlab.example.com/api/v4/groups/<group_id>/-/packages/pypi
## Publish a PyPI package
You can publish a package with twine.
Prerequisites:
- You must [authenticate with the package registry](#authenticate-with-the-gitlab-package-registry).
- Your [version string must be valid](#use-valid-version-strings).
- The maximum allowed package size is 5 GB.
- The maximum length of the `description` field is 4000 characters. Longer `description` strings are truncated.
- You can't upload the same version of a package multiple times. If you try,
you receive the error `400 Bad Request`.
- PyPI packages are published using your projectID.
- If your project is in a group, PyPI packages published to your project registry are also available
at the group-level registry (see [Install from the group level](#install-from-the-group-level)).
- The package:
- Is 5 GB or less.
- Has a `description` of 4000 characters or less. Longer `description` strings are truncated.
- Isn't already published to the package registry. Trying to publish the same version of a package returns `400 Bad Request`.
You can then [publish a package by using twine](#publish-a-pypi-package-by-using-twine).
PyPI packages are published using your project ID. If your project is in a group, PyPI packages published to the project registry
are also available in the group registry. For more information, see [Install from a group](#install-from-a-group).
### Publish a PyPI package by using twine
To publish a package:
Define your repository source, edit the `~/.pypirc` file and add:
1. Define your repository source, edit the `~/.pypirc` file and add:
```ini
[distutils]
index-servers =
gitlab
```ini
[distutils]
index-servers =
gitlab
[gitlab]
repository = https://gitlab.example.com/api/v4/projects/<project_id>/packages/pypi
```
[gitlab]
repository = https://gitlab.example.com/api/v4/projects/<project_id>/packages/pypi
```
To publish a PyPI package, run a command like:
1. Upload your package with twine:
```shell
python3 -m twine upload --repository gitlab dist/*
```
```shell
python3 -m twine upload --repository gitlab dist/*
```
This message indicates that the package was published successfully:
When a package is published successfully, a message like this is displayed:
```plaintext
Uploading distributions to https://gitlab.example.com/api/v4/projects/<your_project_id>/packages/pypi
Uploading mypypipackage-0.0.1-py3-none-any.whl
100%|███████████████████████████████████████████████████████████████████████████████████████████| 4.58k/4.58k [00:00<00:00, 10.9kB/s]
Uploading mypypipackage-0.0.1.tar.gz
100%|███████████████████████████████████████████████████████████████████████████████████████████| 4.24k/4.24k [00:00<00:00, 11.0kB/s]
```
```plaintext
Uploading distributions to https://gitlab.example.com/api/v4/projects/<project_id>/packages/pypi
Uploading mypypipackage-0.0.1-py3-none-any.whl
100%|███████████████████████████████████████████████████████████████████████████████████████████| 4.58k/4.58k [00:00<00:00, 10.9kB/s]
Uploading mypypipackage-0.0.1.tar.gz
100%|███████████████████████████████████████████████████████████████████████████████████████████| 4.24k/4.24k [00:00<00:00, 11.0kB/s]
```
To view the published package, go to your project's **Packages and registries**
page.
The package is published to the package registry, and is shown on the **Packages and registries** page.
### Publish with inline authentication
If you didn't use a `.pypirc` file to define your repository source, you can
publish to the repository with the authentication inline:
publish to the repository with inline authentication:
```shell
TWINE_PASSWORD=<personal_access_token or deploy_token or $CI_JOB_TOKEN> TWINE_USERNAME=<username or deploy_token_username or gitlab-ci-token> python3 -m twine upload --repository-url https://gitlab.example.com/api/v4/projects/<project_id>/packages/pypi dist/*
TWINE_PASSWORD=<personal_access_token, deploy_token, or $CI_JOB_TOKEN> \
TWINE_USERNAME=<username, deploy_token_username, or gitlab-ci-token> \
python3 -m twine upload --repository-url https://gitlab.example.com/api/v4/projects/<project_id>/packages/pypi dist/*
```
If you didn't follow the steps on this page, ensure your package was properly
built, and that you [created a PyPI package with `setuptools`](https://packaging.python.org/tutorials/packaging-projects/).
You can then upload your package by using the following command:
```shell
python -m twine upload --repository <source_name> dist/<package_file>
```
- `<package_file>` is your package filename, ending in `.tar.gz` or `.whl`.
- `<source_name>` is the [source name used during setup](#authenticate-with-the-gitlab-package-registry).
### Publishing packages with the same name or version
### Publishing packages with the same name and version
You cannot publish a package if a package of the same name and version already exists.
You must [delete the existing package](../../packages/package_registry/reduce_package_registry_storage.md#delete-a-package) first.
@ -177,12 +172,11 @@ When a PyPI package is not found in the package registry, the request is forward
Administrators can disable this behavior in the [Continuous Integration settings](../../../administration/settings/continuous_integration.md).
WARNING:
NOTE:
When you use the `--index-url` option, do not specify the port if it is a default
port, such as `80` for a URL starting with `http` or `443` for a URL starting
with `https`.
port. `http` URLs default to 80, and `https` URLs default to 443.
### Install from the project level
### Install from a project
To install the latest version of a package, use the following command:
@ -200,33 +194,20 @@ In these commands, you can use `--extra-index-url` instead of `--index-url`. If
`MyPyPiPackage` package, you can run:
```shell
pip install mypypipackage --no-deps --index-url https://<personal_access_token_name>:<personal_access_token>@gitlab.example.com/api/v4/projects/<your_project_id>/packages/pypi/simple
pip install mypypipackage --no-deps --index-url https://<personal_access_token_name>:<personal_access_token>@gitlab.example.com/api/v4/projects/<project_id>/packages/pypi/simple
```
This message indicates that the package was installed successfully:
```plaintext
Looking in indexes: https://<personal_access_token_name>:****@gitlab.example.com/api/v4/projects/<your_project_id>/packages/pypi/simple
Looking in indexes: https://<personal_access_token_name>:****@gitlab.example.com/api/v4/projects/<project_id>/packages/pypi/simple
Collecting mypypipackage
Downloading https://gitlab.example.com/api/v4/projects/<your_project_id>/packages/pypi/files/d53334205552a355fee8ca35a164512ef7334f33d309e60240d57073ee4386e6/mypypipackage-0.0.1-py3-none-any.whl (1.6 kB)
Downloading https://gitlab.example.com/api/v4/projects/<project_id>/packages/pypi/files/d53334205552a355fee8ca35a164512ef7334f33d309e60240d57073ee4386e6/mypypipackage-0.0.1-py3-none-any.whl (1.6 kB)
Installing collected packages: mypypipackage
Successfully installed mypypipackage-0.0.1
```
#### Security implications
The security implications of using `--extra-index-url` versus `--index-url` when installing PyPI
packages are significant and worth understanding in detail. If you use:
- `--index-url`: This option replaces the default [PyPI index](https://pypi.org)
with the specified URL. It's more secure because it only checks the specified index for packages.
Use this option when you want to ensure packages are only installed from a trusted, private source
(like the GitLab PyPI registry).
- `--extra-index-url`: This option adds an additional index to search, alongside the default PyPI index.
It's less secure and more open to dependency confusion attacks, because it checks both the default PyPI
and the additional index for packages.
### Install from the group level
### Install from a group
To install the latest version of a package from a group, use the following command:
@ -241,16 +222,11 @@ In this command:
- `<personal_access_token>` is a personal access token with the `read_api` scope.
- `<group_id>` is the group ID.
In these commands, you can use `--extra-index-url` instead of `--index-url`. However, using
`--extra-index-url` makes you vulnerable to dependency confusion attacks because it checks the PyPi
repository for the package before it checks the custom repository. `--extra-index-url` adds the
provided URL as an additional registry which the client checks if the package is present.
`--index-url` tells the client to check for the package at the provided URL only.
In these commands, you can use `--extra-index-url` instead of `--index-url`.
If you're following the guide and want to install the `MyPyPiPackage` package, you can run:
```shell
pip install mypypipackage --no-deps --index-url https://<personal_access_token_name>:<personal_access_token>@gitlab.example.com/api/v4/groups/<your_group_id>/-/packages/pypi/simple
pip install mypypipackage --no-deps --index-url https://<personal_access_token_name>:<personal_access_token>@gitlab.example.com/api/v4/groups/<group_id>/-/packages/pypi/simple
```
### Package names
@ -263,6 +239,19 @@ characters are removed.
A `pip install` request for `my.package` looks for packages that match any of
the three characters, such as `my-package`, `my_package`, and `my....package`.
### Security implications
The security implications of using `--extra-index-url` versus `--index-url` when installing PyPI
packages are significant and worth understanding in detail. If you use:
- `--index-url`: This option replaces the default [PyPI index](https://pypi.org)
with the specified URL. It's more secure because it only checks the specified index for packages.
Use this option when you want to ensure packages are only installed from a trusted, private source
(like the GitLab PyPI registry).
- `--extra-index-url`: This option adds an additional index to search, alongside the default PyPI index.
It's less secure and more open to dependency confusion attacks, because it checks both the default PyPI
and the additional index for packages.
## Using `requirements.txt`
If you want pip to access your public registry, add the `--extra-index-url` parameter along with the URL for your registry to your `requirements.txt` file.
@ -276,18 +265,18 @@ If this is a private registry, you can authenticate in a couple of ways. For exa
- Using your `requirements.txt` file:
```plaintext
--extra-index-url https://__token__:<your_personal_token>@gitlab.example.com/api/v4/projects/<project_id>/packages/pypi/simple
package-name==1.0.0
```
```plaintext
--extra-index-url https://__token__:<personal_token>@gitlab.example.com/api/v4/projects/<project_id>/packages/pypi/simple
package-name==1.0.0
```
- Using a `~/.netrc` file:
```plaintext
machine gitlab.example.com
login __token__
password <your_personal_token>
```
```plaintext
machine gitlab.example.com
login __token__
password <personal_token>
```
## Versioning PyPI packages
@ -303,8 +292,6 @@ Adopt semantic versioning for your packages. The version number should be in the
For example: 1.0.0, 1.1.0, 1.1.1.
#### Start with 0.1.0
For new projects, start with version 0.1.0. This indicates an initial development phase where the API is not yet stable.
### Use valid version strings
@ -328,6 +315,13 @@ You can experiment with the regex and try your version strings by using this
For more details about the regex, see the [Python documentation](https://www.python.org/dev/peps/pep-0440/#appendix-b-parsing-version-strings-with-regular-expressions).
## Supported CLI commands
The GitLab PyPI repository supports the following CLI commands:
- `twine upload`: Upload a package to the registry.
- `pip install`: Install a PyPI package from the registry.
## Troubleshooting
To improve performance, the pip command caches files related to a package. Pip doesn't remove data by
@ -349,10 +343,3 @@ tokens, `pip` may not be able to find your packages. This problem is due to how
To workaround this issue, you can use a [group deploy token](../../project/deploy_tokens/index.md) with the
scope `read_package_registry` from a common parent group for all projects or groups targeted by the
`index-url` and `extra-index-url` values.
## Supported CLI commands
The GitLab PyPI repository supports the following CLI commands:
- `twine upload`: Upload a package to the registry.
- `pip install`: Install a PyPI package from the registry.

2
doc/user/packages/workflows/build_packages.md
View File

@ -498,7 +498,7 @@ After you create a project, you can create a package.
about this file, see [creating `pyproject.toml`](https://packaging.python.org/en/latest/tutorials/packaging-projects/#creating-pyproject-toml).
Because GitLab identifies packages based on
[Python normalized names (PEP-503)](https://www.python.org/dev/peps/pep-0503/#normalized-names),
ensure your package name meets these requirements. See the [installation section](../pypi_repository/index.md#authenticate-with-a-ci-job-token)
ensure your package name meets these requirements. See the [installation section](../pypi_repository/index.md#authenticate-with-the-gitlab-package-registry)
for details.
1. Open the `pyproject.toml` file, and then add basic information:

9
locale/gitlab.pot
View File

@ -3932,6 +3932,9 @@ msgstr ""
msgid "AdminSelfHostedModels|Model family"
msgstr ""
msgid "AdminSelfHostedModels|Model identifier"
msgstr ""
msgid "AdminSelfHostedModels|Model identifier (optional)"
msgstr ""
@ -35342,9 +35345,6 @@ msgstr ""
msgid "Model experiments"
msgstr ""
msgid "Model identifier"
msgstr ""
msgid "Model registry"
msgstr ""
@ -50157,6 +50157,9 @@ msgstr ""
msgid "SecurityOrchestration|Merge request approval policies allow a maximum 1 bot message action."
msgstr ""
msgid "SecurityOrchestration|Merge request approval policies allow a maximum of 1 approver action."
msgstr ""
msgid "SecurityOrchestration|Merge request approval policies allow a maximum of 5 approver actions."
msgstr ""

2
qa/qa/support/formatters/coverband_formatter.rb
View File

@ -55,7 +55,7 @@ module QA
return if example_notification.example.metadata[:skip] || example_failed?(example_notification)
response = nil
QA::Support::Retrier.retry_until(max_attempts: 10, sleep_interval: 2) do
QA::Support::Retrier.retry_until(max_attempts: 1, sleep_interval: 2) do
response = get(cov_api_endpoint, headers: headers_access_token)
coverage = JSON.parse(response.body)
next true if response.code == 200 && coverage.any?

4
spec/features/projects/pipelines/pipelines_spec.rb
View File

@ -353,8 +353,8 @@ RSpec.describe 'Pipelines', :js, feature_category: :continuous_integration do
wait_for_all_requests
end
it 'enqueues manual action job', quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/409984' do
expect(page).to have_selector('[data-testid="pipelines-manual-actions-dropdown"] .gl-dropdown-toggle:disabled')
it 'enqueues manual action job' do
expect(manual.reload).to be_pending
end
end
end

38
spec/frontend/admin/users/components/new_user_organization_field_spec.js
View File

@ -5,7 +5,7 @@ import OrganizationRoleField from '~/admin/users/components/organization_role_fi
import { AVATAR_SHAPE_OPTION_RECT } from '~/vue_shared/constants';
import OrganizationSelect from '~/vue_shared/components/entity_select/organization_select.vue';
import organizationsQuery from '~/organizations/shared/graphql/queries/organizations.query.graphql';
import { ACCESS_LEVEL_OWNER } from '~/organizations/shared/constants';
import { ACCESS_LEVEL_OWNER, ACCESS_LEVEL_DEFAULT } from '~/organizations/shared/constants';
describe('NewUserOrganizationField', () => {
let wrapper;
@ -27,7 +27,10 @@ describe('NewUserOrganizationField', () => {
};
const findAvatar = () => wrapper.findComponent(GlAvatarLabeled);
const findHiddenOrganizationField = () => wrapper.find('input[type="hidden"]');
const findHiddenOrganizationField = () =>
wrapper.find('input[name="user[organization_id]"][type="hidden"]');
const findHiddenOrganizationUserField = () =>
wrapper.find('input[name="user[organization_users][][id]"][type="hidden"]');
const findOrganizationSelect = () => wrapper.findComponent(OrganizationSelect);
const findOrganizationRoleField = () => wrapper.findComponent(OrganizationRoleField);
@ -50,7 +53,6 @@ describe('NewUserOrganizationField', () => {
expect(findHiddenOrganizationField().element.value).toBe(
`${defaultPropsData.initialOrganization.id}`,
);
expect(findHiddenOrganizationField().attributes('name')).toBe('user[organization_id]');
});
});
@ -80,9 +82,9 @@ describe('NewUserOrganizationField', () => {
});
it('passes initialAccessLevel prop to role field', () => {
createComponent({ propsData: { initialAccessLevel: ACCESS_LEVEL_OWNER } });
createComponent();
expect(findOrganizationRoleField().props('initialAccessLevel')).toBe(ACCESS_LEVEL_OWNER);
expect(findOrganizationRoleField().props('initialAccessLevel')).toBe(ACCESS_LEVEL_DEFAULT);
});
it('passes organizationRoleInputName prop to role field', () => {
@ -94,4 +96,30 @@ describe('NewUserOrganizationField', () => {
'user[organization_user][][access_level]',
);
});
it('does not render hidden input with organization user id', () => {
createComponent();
expect(findHiddenOrganizationUserField().exists()).toBe(false);
});
describe('when organizationUser prop is passed', () => {
const organizationUser = { id: 1, accessLevel: ACCESS_LEVEL_OWNER };
beforeEach(() => {
createComponent({
propsData: { organizationUser },
});
});
it('renders hidden input with organization user id', () => {
expect(findHiddenOrganizationUserField().element.value).toBe(organizationUser.id.toString());
});
it('passes initialAccessLevel prop to role field', () => {
expect(findOrganizationRoleField().props('initialAccessLevel')).toBe(
organizationUser.accessLevel,
);
});
});
});

6
spec/helpers/admin/users_helper_spec.rb
View File

@ -94,12 +94,16 @@ RSpec.describe Admin::UsersHelper, feature_category: :user_management do
describe 'admin_edit_user_organization_field_app_data' do
let_it_be(:organization) { create(:organization) } # rubocop:disable RSpec/FactoryBot/AvoidCreate -- spec needs organization persisted to database
let_it_be(:user) { create(:user, organizations: [organization]) } # rubocop:disable RSpec/FactoryBot/AvoidCreate -- spec needs organization persisted to database
let_it_be(:organization_user) { user.organization_users.first }
subject { Gitlab::Json.parse(helper.admin_edit_user_organization_field_app_data(user)) }
it do
is_expected.to eq({
"initial_access_level" => 'default',
'organization_user' => {
'access_level' => organization_user.access_level,
'id' => organization_user.id
},
'initial_organization' => {
'id' => organization.id,
'name' => organization.name,

27
spec/migrations/20241112123436_update_seat_control_in_application_settings_spec.rb Normal file
View File

@ -0,0 +1,27 @@
# frozen_string_literal: true
require 'spec_helper'
require_migration!
RSpec.describe UpdateSeatControlInApplicationSettings, :migration, feature_category: :seat_cost_management do
let(:application_settings) { table(:application_settings) }
describe '#up' do
it 'updates seat control to 0 when new_user_signups_cap is NULL' do
application_settings.create!(new_user_signups_cap: nil)
migrate!
expect(application_settings.first.user_seat_management).to eq({ 'seat_control' => 0 })
end
it 'updates seat control to 1 when new_user_signups_cap is not NULL' do
application_settings.create!(new_user_signups_cap: 10)
migrate!
expect(application_settings.first.user_seat_management).to eq({ 'seat_control' => 1 })
end
end
end