Add latest changes from gitlab-org/gitlab@14-0-stable-ee

.eslintrc.yml

@@ -31,11 +31,6 @@ rules:
     - error
     - allowElseIf: true
   lines-between-class-members: off
-  # Disabled for now, to make the plugin-vue 4.5 -> 5.0 update smoother
-  vue/no-confusing-v-for-v-if: error
-  vue/no-use-v-if-with-v-for: off
-  vue/no-v-html: error
-  vue/use-v-on-exact: off
   # all offenses of no-jquery/no-animate-toggle are false positives ( $toast.show() )
   no-jquery/no-animate-toggle: off
   no-jquery/no-event-shorthand: off

.gitignore

@@ -42,6 +42,7 @@ eslint-report.html
 /config/redis.cache.yml
 /config/redis.queues.yml
 /config/redis.shared_state.yml
+/config/redis.trace_chunks.yml
 /config/unicorn.rb
 /config/puma.rb
 /config/puma_actioncable.rb

.gitlab-ci.yml

@@ -107,3 +107,4 @@ variables:
 
 include:
   - local: .gitlab/ci/*.gitlab-ci.yml
+  - remote: 'https://gitlab.com/gitlab-org/frontend/untamper-my-lockfile/-/raw/main/.gitlab-ci-template.yml'

.gitlab/CODEOWNERS

@@ -7,6 +7,8 @@
 *.rake @gitlab-org/maintainers/rails-backend
 
 [Documentation Directories]
+.markdownlint.yml @marcel.amirault @eread @aqualls @cnorris
+/doc/.markdownlint @marcel.amirault @eread @aqualls @cnorris
 /doc/ @gl-docsteam
 /doc/.vale/ @marcel.amirault @eread @aqualls @cnorris
 /doc/administration/geo/ @axil
@@ -21,18 +23,19 @@
 /doc/administration/redis/ @axil
 /doc/administration/reference_architectures/ @axil
 /doc/administration/snippets/ @aqualls
-/doc/administration/troubleshooting @axil @marcia
+/doc/administration/troubleshooting @axil @marcia @eread
 /doc/api/group_activity_analytics.md @msedlakjakubowski
 /doc/ci/ @marcel.amirault @sselhorn
 /doc/ci/environments/ @axil
 /doc/ci/services/ @sselhorn
 /doc/ci/test_cases/ @msedlakjakubowski
 /doc/development/ @marcia
 /doc/development/documentation/ @cnorris
+/doc/development/i18n/ @ngaskill
 /doc/development/value_stream_analytics.md @msedlakjakubowski
 /doc/gitlab-basics/ @marcia
 /doc/install/ @axil
-/doc/integration/ @aqualls
+/doc/integration/ @aqualls @eread
 /doc/operations/ @ngaskill @axil
 /doc/push_rules/ @aqualls
 /doc/ssh/ @eread
@@ -43,7 +46,7 @@
 /doc/user/analytics/ @msedlakjakubowski @ngaskill
 /doc/user/application_security @rdickenson
 /doc/user/clusters/ @marcia
-/doc/user/compliance/ @rdickenson
+/doc/user/compliance/ @rdickenson @eread
 /doc/user/group/ @msedlakjakubowski
 /doc/user/group/bulk_editing/ @msedlakjakubowski
 /doc/user/group/devops_adoption/ @msedlakjakubowski
@@ -54,18 +57,18 @@
 /doc/user/group/value_stream_analytics/ @msedlakjakubowski
 /doc/user/infrastructure/ @marcia
 /doc/user/packages/ @ngaskill
-/doc/user/profile/ @msedlakjakubowski
+/doc/user/profile/ @msedlakjakubowski @eread
 /doc/user/project/ @aqualls @axil @eread @msedlakjakubowski @ngaskill
 /doc/user/project/clusters/ @ngaskill
-/doc/user/project/import/ @msedlakjakubowski
+/doc/user/project/import/ @ngaskill @msedlakjakubowski
 /doc/user/project/integrations/ @aqualls
 /doc/user/project/integrations/prometheus_library/ @ngaskill
 /doc/user/project/issues/ @msedlakjakubowski
 /doc/user/project/merge_requests/ @aqualls @eread
 /doc/user/project/milestones/ @msedlakjakubowski
 /doc/user/project/pages/ @axil
 /doc/user/project/repository/ @aqualls
-/doc/user/project/settings/ @aqualls
+/doc/user/project/settings/ @aqualls @eread
 /doc/user/project/static_site_editor/index.md @aqualls
 /doc/user/project/web_ide/index.md @aqualls
 /doc/user/project/wiki/index.md @aqualls
@@ -200,7 +203,8 @@ Dangerfile @gl-quality/eng-prod
 [Templates]
 /lib/gitlab/ci/templates/ @nolith @shinya.maeda @matteeyah
 /lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml @DylanGriffith @mayra-cabrera @tkuah
-/lib/gitlab/ci/templates/Security/ @plafoucriere @gonzoyumo @twoodham @sethgitlab
+/lib/gitlab/ci/templates/Security/ @gonzoyumo @twoodham @sethgitlab @thiagocsf 
+/lib/gitlab/ci/templates/Security/Container-Scanning.*.yml @gitlab-org/protect/container-security-backend
 
 [Project Alias]
 /ee/app/models/project_alias.rb @patrickbajao
@@ -216,6 +220,8 @@ Dangerfile @gl-quality/eng-prod
 /ee/app/policies/vulnerabilities/ @gitlab-org/secure/threat-insights-backend-team
 /ee/app/policies/vulnerability*.rb @gitlab-org/secure/threat-insights-backend-team
 /ee/lib/api/vulnerabilit*.rb @gitlab-org/secure/threat-insights-backend-team
+/ee/lib/gitlab/ci/reports/security/vulnerability_reports_comparer.rb @gitlab-org/secure/threat-insights-backend-team
+/ee/spec/lib/gitlab/ci/reports/security/vulnerability_reports_comparer_spec.rb @gitlab-org/secure/threat-insights-backend-team
 /ee/spec/policies/vulnerabilities/ @gitlab-org/secure/threat-insights-backend-team
 /ee/spec/policies/vulnerability*.rb @gitlab-org/secure/threat-insights-backend-team
 
@@ -333,3 +339,11 @@ Dangerfile @gl-quality/eng-prod
 
 [Application Security]
 /lib/gitlab/content_security_policy/ @gitlab-com/gl-security/appsec
+
+[Gitaly]
+lib/gitlab/git_access.rb @proglottis @toon @zj-gitlab
+lib/gitlab/git_access_*.rb @proglottis @toon @zj-gitlab
+ee/lib/ee/gitlab/git_access.rb @proglottis @toon @zj-gitlab
+ee/lib/ee/gitlab/git_access_*.rb @proglottis @toon @zj-gitlab
+ee/lib/ee/gitlab/checks/** @proglottis @toon @zj-gitlab
+lib/gitlab/checks/** @proglottis @toon @zj-gitlab

.gitlab/changelog_config.yml

@@ -36,3 +36,8 @@ template: |
   {% else %}
   No changes.
   {% end %}
+# The tag format for gitlab-org/gitlab is vX.Y.Z(-rcX)-ee. The -ee prefix would
+# be treated as a pre-release identifier, which can result in the wrong tag
+# being used as the starting point of a changelog commit range. The custom regex
+# here is used to ensure we find the correct tag.
+tag_regex: '^v(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)-ee$'

.gitlab/ci/docs.gitlab-ci.yml

@@ -10,8 +10,8 @@
     # because some repos are private and CI_JOB_TOKEN cannot access files.
     # See https://gitlab.com/gitlab-org/gitlab/issues/191273
     GIT_DEPTH: 1
-    # By default, deploy the Review App using the `master` branch of the `gitlab-org/gitlab-docs` project
-    DOCS_BRANCH: master
+    # By default, deploy the Review App using the `main` branch of the `gitlab-org/gitlab-docs` project
+    DOCS_BRANCH: main
   environment:
     name: review-docs/mr-${CI_MERGE_REQUEST_IID}
     # DOCS_REVIEW_APPS_DOMAIN and DOCS_GITLAB_REPO_SUFFIX are CI variables
@@ -54,8 +54,6 @@ docs-lint links:
   extends:
     - .docs:rules:docs-lint
   image: registry.gitlab.com/gitlab-org/gitlab-docs/lint-html:alpine-3.13-ruby-2.7.2
-  # TODO: revert to .default-retry when https://gitlab.com/gitlab-org/gitlab/-/issues/331002 is fixed.
-  retry: 2
   stage: test
   needs: []
   script:

.gitlab/ci/frontend.gitlab-ci.yml

@@ -317,3 +317,30 @@ bundle-size-review:
     expire_in: 31d
     paths:
       - bundle-size-review
+
+.startup-css-check-base:
+  extends:
+    - .frontend-test-base
+  script:
+    - *yarn-install
+    - run_timed_command "yarn generate:startup_css"
+    - yarn check:startup_css
+
+startup-css-check:
+  extends:
+    - .startup-css-check-base
+    - .frontend:rules:default-frontend-jobs
+  needs:
+    - job: "compile-test-assets"
+    - job: "rspec frontend_fixture"
+    - job: "rspec-ee frontend_fixture"
+      optional: true
+
+startup-css-check as-if-foss:
+  extends:
+    - .startup-css-check-base
+    - .as-if-foss
+    - .frontend:rules:default-frontend-jobs-as-if-foss
+  needs:
+    - job: "compile-test-assets as-if-foss"
+    - job: "rspec frontend_fixture as-if-foss"

.gitlab/ci/global.gitlab-ci.yml

@@ -36,6 +36,23 @@
   <<: *gitaly-ruby-gems-cache
   policy: push  # We want to rebuild the cache from scratch to ensure stale dependencies are cleaned up.
 
+.gitaly-binaries-cache: &gitaly-binaries-cache
+  key:
+    files:
+      - GITALY_SERVER_VERSION
+    prefix: "gitaly-binaries"
+  paths:
+    - tmp/tests/gitaly/_build/bin/
+    - tmp/tests/gitaly/config.toml
+    - tmp/tests/gitaly/gitaly2.config.toml
+    - tmp/tests/gitaly/internal/
+    - tmp/tests/gitaly/internal_gitaly2/
+    - tmp/tests/gitaly/internal_sockets/
+    - tmp/tests/gitaly/Makefile
+    - tmp/tests/gitaly/praefect.config.toml
+    - tmp/tests/gitaly/ruby/
+  policy: pull
+
 .go-pkg-cache: &go-pkg-cache
   key: "go-pkg-v1"
   paths:
@@ -81,7 +98,7 @@
   <<: *rubocop-cache
   # We want to rebuild the cache from scratch to ensure stale dependencies are cleaned up but RuboCop has a mechanism
   # for keeping only the N latest cache files, so we take advantage of it with `pull-push`.
-  policy: pull-push
+  policy: push
 
 .qa-ruby-gems-cache: &qa-ruby-gems-cache
   key: "qa-ruby-gems-v1"
@@ -97,6 +114,7 @@
   cache:
     - *ruby-gems-cache
     - *gitaly-ruby-gems-cache
+    - *gitaly-binaries-cache
     - *go-pkg-cache
 
 .setup-test-env-cache-push:
@@ -105,6 +123,11 @@
     - *gitaly-ruby-gems-cache-push
     - *go-pkg-cache-push
 
+.gitaly-binaries-cache-push:
+  cache:
+    - <<: *gitaly-binaries-cache
+      policy: push  # We want to rebuild the cache from scratch to ensure stale dependencies are cleaned up.
+
 .rails-cache:
   cache:
     - *ruby-gems-cache
@@ -159,7 +182,7 @@
     - *assets-cache-push
 
 .use-pg11:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.14-git-2.31-lfs-2.9-chrome-89-node-14.15-yarn-1.22-postgresql-11-graphicsmagick-1.3.36"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.16-git-2.31-lfs-2.9-chrome-89-node-14.15-yarn-1.22-postgresql-11-graphicsmagick-1.3.36"
   services:
     - name: postgres:11.6
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -168,7 +191,7 @@
     POSTGRES_HOST_AUTH_METHOD: trust
 
 .use-pg12:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.14-git-2.31-lfs-2.9-chrome-89-node-14.15-yarn-1.22-postgresql-12-graphicsmagick-1.3.36"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.16-git-2.31-lfs-2.9-chrome-89-node-14.15-yarn-1.22-postgresql-12-graphicsmagick-1.3.36"
   services:
     - name: postgres:12
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -177,7 +200,7 @@
     POSTGRES_HOST_AUTH_METHOD: trust
 
 .use-pg11-ee:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.14-git-2.31-lfs-2.9-chrome-89-node-14.15-yarn-1.22-postgresql-11-graphicsmagick-1.3.36"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.16-git-2.31-lfs-2.9-chrome-89-node-14.15-yarn-1.22-postgresql-11-graphicsmagick-1.3.36"
   services:
     - name: postgres:11.6
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -188,7 +211,7 @@
     POSTGRES_HOST_AUTH_METHOD: trust
 
 .use-pg12-ee:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.14-git-2.31-lfs-2.9-chrome-89-node-14.15-yarn-1.22-postgresql-12-graphicsmagick-1.3.36"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2.patched-golang-1.16-git-2.31-lfs-2.9-chrome-89-node-14.15-yarn-1.22-postgresql-12-graphicsmagick-1.3.36"
   services:
     - name: postgres:12
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]

.gitlab/ci/rails.gitlab-ci.yml

@@ -8,7 +8,7 @@
 
 .minimal-bundle-install:
   script:
-    - export BUNDLE_WITHOUT="${BUNDLE_WITHOUT}:default:test:puma:unicorn:kerberos:metrics:omnibus:ed25519"
+    - export BUNDLE_WITHOUT="${BUNDLE_WITHOUT}:default:test:puma:kerberos:metrics:omnibus:ed25519"
     - bundle_install_script
 
 .base-script:
@@ -192,6 +192,14 @@ update-setup-test-env-cache:
   artifacts:
     paths: []  # This job's purpose is only to update the cache.
 
+update-gitaly-binaries-cache:
+  extends:
+    - setup-test-env
+    - .gitaly-binaries-cache-push
+    - .shared:rules:update-gitaly-binaries-cache
+  artifacts:
+    paths: []  # This job's purpose is only to update the cache.
+
 .coverage-base:
   extends:
     - .default-retry

.gitlab/ci/reports.gitlab-ci.yml

@@ -27,7 +27,7 @@ code_quality:
   variables:
     SAST_BRAKEMAN_LEVEL: 2  # GitLab-specific
     SAST_EXCLUDED_PATHS: "qa, spec, doc, ee/spec, config/gitlab.yml.example, tmp"  # GitLab-specific
-    SAST_DISABLE_BABEL: "true"
+    SAST_EXCLUDED_ANALYZERS: bandit, flawfinder, phpcs-security-audit, pmd-apex, security-code-scan, spotbugs
 
 brakeman-sast:
   rules: !reference [".reports:rules:sast", rules]