diff --git a/Gemfile b/Gemfile
index 65b23684c57..af858e06f05 100644
--- a/Gemfile
+++ b/Gemfile
@@ -167,7 +167,7 @@ gem 'asciidoctor', '~> 2.0.10'
 gem 'asciidoctor-include-ext', '~> 0.4.0', require: false
 gem 'asciidoctor-plantuml', '~> 0.0.12'
 gem 'asciidoctor-kroki', '~> 0.5.0', require: false
-gem 'rouge', '~> 3.27.0'
+gem 'rouge', '~> 3.29.0'
 gem 'truncato', '~> 0.7.11'
 gem 'bootstrap_form', '~> 4.2.0'
 gem 'nokogiri', '~> 1.13.6'
diff --git a/Gemfile.lock b/Gemfile.lock
index d84ff5769f4..13468d804a0 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1090,7 +1090,7 @@ GEM
     rexml (3.2.5)
     rinku (2.0.0)
     rotp (6.2.0)
-    rouge (3.27.0)
+    rouge (3.29.0)
     rqrcode (0.7.0)
       chunky_png
     rqrcode-rails3 (0.1.7)
@@ -1663,7 +1663,7 @@ DEPENDENCIES
   responders (~> 3.0)
   retriable (~> 3.1.2)
   rexml (~> 3.2.5)
-  rouge (~> 3.27.0)
+  rouge (~> 3.29.0)
   rqrcode-rails3 (~> 0.1.7)
   rspec-benchmark (~> 0.6.0)
   rspec-parameterized
diff --git a/app/models/integration.rb b/app/models/integration.rb
index 47ed0632b54..c35713b4fc8 100644
--- a/app/models/integration.rb
+++ b/app/models/integration.rb
@@ -499,10 +499,7 @@ class Integration < ApplicationRecord
   end
 
   def api_field_names
-    fields
-      .reject { _1[:type] == 'password' }
-      .pluck(:name)
-      .grep_v(/password|token|key/)
+    fields.reject { _1[:type] == 'password' }.pluck(:name)
   end
 
   def global_fields
diff --git a/app/views/groups/projects.html.haml b/app/views/groups/projects.html.haml
index 3507f4574ab..d5c22d9b1f2 100644
--- a/app/views/groups/projects.html.haml
+++ b/app/views/groups/projects.html.haml
@@ -1,5 +1,6 @@
 - breadcrumb_title _("Projects")
 - page_title _("Projects")
+- @content_class = "limit-container-width" unless fluid_layout
 
 .card.gl-mt-3
   .card-header
diff --git a/app/views/projects/tags/new.html.haml b/app/views/projects/tags/new.html.haml
index 2960b236264..3b546888375 100644
--- a/app/views/projects/tags/new.html.haml
+++ b/app/views/projects/tags/new.html.haml
@@ -50,7 +50,9 @@
         = render 'shared/zen', attr: :release_description, classes: 'note-textarea', placeholder: s_('TagsPage|Write your release notes or drag files here…'), current_text: @release_description, qa_selector: 'release_notes_field'
         = render 'shared/notes/hints'
   .form-actions.gl-display-flex
-    = button_tag s_('TagsPage|Create tag'), class: 'gl-button btn btn-confirm gl-mr-3', data: { qa_selector: "create_tag_button" }
-    = link_to s_('TagsPage|Cancel'), project_tags_path(@project), class: 'gl-button btn btn-default btn-cancel'
+    = render Pajamas::ButtonComponent.new(variant: :confirm, button_options: { class: 'gl-mr-3', data: { qa_selector: "create_tag_button" }, type: 'submit' }) do
+      = s_('TagsPage|Create tag')
+    = render Pajamas::ButtonComponent.new(href: project_tags_path(@project)) do
+      = s_('TagsPage|Cancel')
 -# haml-lint:disable InlineJavaScript
 %script#availableRefs{ type: "application/json" }= @project.repository.ref_names.to_json.html_safe
diff --git a/app/views/shared/_label.html.haml b/app/views/shared/_label.html.haml
index 74541222fbf..4d49aa2c344 100644
--- a/app/views/shared/_label.html.haml
+++ b/app/views/shared/_label.html.haml
@@ -19,8 +19,7 @@
           button_options: { class: 'remove-priority has-tooltip', 'title': _('Remove priority'), 'aria_label': _('Deprioritize label'), data: { placement: 'bottom' } })
     - if can?(current_user, :admin_label, label)
       %li.gl-display-inline-block
-        = link_to label.edit_path, class: 'btn gl-button btn-default-tertiary btn-sm edit has-tooltip', title: _('Edit'), data: { placement: 'bottom' }, aria_label: _('Edit') do
-          = sprite_icon('pencil')
+        = render Pajamas::ButtonComponent.new(href: label.edit_path, category: :tertiary, icon: 'pencil', button_options: { class: 'edit has-tooltip', 'title': _('Edit'), 'aria_label': _('Edit'), data: { placement: 'bottom' } })
     - if can?(current_user, :admin_label, label)
       %li.gl-display-inline-block
         .dropdown
@@ -48,10 +47,9 @@
           %button.js-unsubscribe-button.gl-button.btn.btn-default.gl-w-full{ class: ('hidden' if status.unsubscribed?), data: { url: toggle_subscription_path, toggle: 'tooltip' }, title: tooltip_title }
             %span.gl-button-text= _('Unsubscribe')
           .dropdown.dropdown-group-label{ class: ('hidden' unless status.unsubscribed?) }
-            %button.gl-button.btn.btn-default.gl-w-full{ data: { toggle: 'dropdown' } }
-              %span.gl-button-text
-                = _('Subscribe')
-                = sprite_icon('chevron-down')
+            = render Pajamas::ButtonComponent.new(button_options: { class: 'gl-w-full', data: { toggle: 'dropdown' } }) do
+              = _('Subscribe')
+              = sprite_icon('chevron-down')
             .dropdown-menu.dropdown-open-left
               %ul
                 %li
diff --git a/doc/api/deploy_keys.md b/doc/api/deploy_keys.md
index 7f69d6933c1..adeda014af0 100644
--- a/doc/api/deploy_keys.md
+++ b/doc/api/deploy_keys.md
@@ -69,7 +69,7 @@ Example response:
 ]
 ```
 
-## List project deploy keys
+## List deploy keys for project
 
 Get a list of a project's deploy keys.
 
@@ -106,6 +106,62 @@ Example response:
 ]
 ```
 
+## List project deploy keys for user
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/88917) in GitLab 15.1.
+
+Get a list of a specified user (requestee) and the authenticated user's (requester) common [project deploy keys](../user/project/deploy_keys/index.md#scope). It lists only the **enabled project keys from the common projects of requester and requestee**.
+
+```plaintext
+GET /users/:id_or_username/project_deploy_keys
+```
+
+Parameters:
+
+| Attribute          | Type   | Required | Description                                                        |
+|------------------- |--------|----------|------------------------------------------------------------------- |
+| `id_or_username`   | string | yes      | The ID or username of the user to get the project deploy keys for. |
+
+```json
+[
+    {
+        "id": 1,
+        "title": "Key A",
+        "created_at": "2022-05-30T12:28:27.855Z",
+        "expires_at": null,
+        "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTEVaAtU5wiVducsOa01InRFf7QSTxoAm6Xy0PGv/k48M6xCALa9nY+BzlOv47jUT57 Key",
+        "fingerprint": "60:8e:10:f0:6a:82:c8:29:5f:bf:c0:38:72:00:6f:8f"
+    },
+    {
+        "id": 2,
+        "title": "Key B",
+        "created_at": "2022-05-30T13:34:56.219Z",
+        "expires_at": null,
+        "key": "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=",
+        "fingerprint": "75:33:44:7e:55:84:dd:70:29:a3:8e:a3:c0:b9:8b:65"
+    }
+]
+```
+
+```shell
+curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/users/20/project_deploy_keys"
+```
+
+Example response:
+
+```json
+[
+  {
+    "id": 1,
+    "title": "Key A",
+    "created_at": "2022-05-30T12:28:27.855Z",
+    "expires_at": "2022-10-30T12:28:27.855Z",
+    "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTEVaAtU5wiVducsOa01InRFf7QSTxoAm6Xy0PGv/k48M6xCALa9nY+BzlOv47jUT57 Key",
+    "fingerprint": "60:8e:10:f0:6a:82:c8:29:5f:bf:c0:38:72:00:6f:8f"
+  }
+]
+```
+
 ## Get a single deploy key
 
 Get a single key.
diff --git a/doc/ci/runners/index.md b/doc/ci/runners/index.md
index 038bda4ab09..729de4d99d3 100644
--- a/doc/ci/runners/index.md
+++ b/doc/ci/runners/index.md
@@ -12,7 +12,7 @@ No configuration is required. Your jobs can run on:
 
 - [Linux runners](saas/linux_saas_runner.md).
 - [Windows runners](saas/windows_saas_runner.md) ([Beta](../../policy/alpha-beta-support.md#beta-features)).
-- [macOS runners](saas/macos_saas_runner.md) ([Beta](../../policy/alpha-beta-support.md#beta-features)).
+- [macOS runners](saas/macos_saas_runner.md) ([Limited Availability](../../policy/alpha-beta-support.md#limited-availability-la)).
 
 The number of minutes you can use on these runners depends on the
 [maximum number of CI/CD minutes](../pipelines/cicd_minutes.md)
diff --git a/doc/ci/runners/saas/macos_saas_runner.md b/doc/ci/runners/saas/macos_saas_runner.md
index 3c79292f03a..65404c89f9a 100644
--- a/doc/ci/runners/saas/macos_saas_runner.md
+++ b/doc/ci/runners/saas/macos_saas_runner.md
@@ -6,7 +6,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 # SaaS runners on macOS (Limited Availability) **(PREMIUM SAAS)**
 
-SaaS runners on macOS are in [Beta](../../../policy/alpha-beta-support.md#limited-availability-la) for approved open source programs and customers in Premium and Ultimate plans.
+SaaS runners on macOS are in [Limited Availability](../../../policy/alpha-beta-support.md#limited-availability-la) for approved open source programs and customers in Premium and Ultimate plans.
 
 SaaS runners on macOS provide an on-demand macOS build environment integrated with
 GitLab SaaS [CI/CD](../../../ci/index.md).
diff --git a/doc/development/database/multiple_databases.md b/doc/development/database/multiple_databases.md
index 324d1a6c6ef..7badd7f76fa 100644
--- a/doc/development/database/multiple_databases.md
+++ b/doc/development/database/multiple_databases.md
@@ -23,7 +23,8 @@ Each table of GitLab needs to have a `gitlab_schema` assigned:
 
 - `gitlab_main`: describes all tables that are being stored in the `main:` database (for example, like `projects`, `users`).
 - `gitlab_ci`: describes all CI tables that are being stored in the `ci:` database (for example, `ci_pipelines`, `ci_builds`).
-- `gitlab_shared`: describe all application tables that contain data across all decomposed databases (for example, `loose_foreign_keys_deleted_records`).
+- `gitlab_shared`: describe all application tables that contain data across all decomposed databases (for example, `loose_foreign_keys_deleted_records`) for models that inherit from `Gitlab::Database::SharedModel`.
+- `gitlab_internal`: describe all internal tables of Rails and PostgreSQL (for example, `ar_internal_metadata`, `schema_migrations`, `pg_*`).
 - `...`: more schemas to be introduced with additional decomposed databases
 
 The usage of schema enforces the base class to be used:
@@ -44,10 +45,8 @@ This is used as a primary source of classification for:
 
 ### The special purpose of `gitlab_shared`
 
-`gitlab_shared` is a special case describing tables or views that by design contain data across
-all decomposed databases. This does describe application-defined tables (like `loose_foreign_keys_deleted_records`),
-Rails-defined tables (like `schema_migrations` or `ar_internal_metadata` as well as internal PostgreSQL tables
-(for example, `pg_attribute`).
+`gitlab_shared` is a special case that describes tables or views that, by design, contain data across
+all decomposed databases. This classification describes application-defined tables (like `loose_foreign_keys_deleted_records`).
 
 **Be careful** to use `gitlab_shared` as it requires special handling while accessing data.
 Since `gitlab_shared` shares not only structure but also data, the application needs to be written in a way
@@ -62,6 +61,11 @@ end
 As such, migrations modifying data of `gitlab_shared` tables are expected to run across
 all decomposed databases.
 
+### The special purpose of `gitlab_internal`
+
+`gitlab_internal` describes Rails-defined tables (like `schema_migrations` or `ar_internal_metadata`), as well as internal PostgreSQL tables (for example, `pg_attribute`). Its primary purpose is to [support other databases](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/85842#note_943453682), like Geo, that
+might be missing some of those application-defined `gitlab_shared` tables (like `loose_foreign_keys_deleted_records`), but are valid Rails databases.
+
 ## Migrations
 
 Read [Migrations for Multiple Databases](migrations_for_multiple_databases.md).
diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md
index 9c605ca5b75..08e2dcd2e7e 100644
--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -194,8 +194,16 @@ table.supported-languages ul {
     </tr>
     <tr>
       <td rowspan="2">Java</td>
-      <td rowspan="2">8, 11, 13, 14, 15, 16, or 17</td>
-      <td><a href="https://gradle.org/">Gradle</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-1">1</a></b></sup></td>
+      <td rowspan="2">
+        8,
+        11,
+        13<sup><b><a href="#notes-regarding-supported-languages-and-package-managers-1">1</a></b></sup>,
+        14<sup><b><a href="#notes-regarding-supported-languages-and-package-managers-1">1</a></b></sup>,
+        15<sup><b><a href="#notes-regarding-supported-languages-and-package-managers-1">1</a></b></sup>,
+        16<sup><b><a href="#notes-regarding-supported-languages-and-package-managers-1">1</a></b></sup>,
+        or 17
+      </td>
+      <td><a href="https://gradle.org/">Gradle</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-2">2</a></b></sup></td>
       <td>
         <ul>
             <li><code>build.gradle</code></li>
@@ -267,14 +275,14 @@ table.supported-languages ul {
       <td>
         <ul>
             <li><a href="https://pipenv.pypa.io/en/latest/basics/#example-pipfile-pipfile-lock"><code>Pipfile</code></a></li>
-            <li><a href="https://pipenv.pypa.io/en/latest/basics/#example-pipfile-pipfile-lock"><code>Pipfile.lock</code></a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-2">2</a></b></sup></li>
+            <li><a href="https://pipenv.pypa.io/en/latest/basics/#example-pipfile-pipfile-lock"><code>Pipfile.lock</code></a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-3">3</a></b></sup></li>
         </ul>
       </td>
       <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
       <td>N</td>
     </tr>
     <tr>
-      <td><a href="https://python-poetry.org/">Poetry</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-4">4</a></b></sup></td>
+      <td><a href="https://python-poetry.org/">Poetry</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-5">5</a></b></sup></td>
       <td><code>poetry.lock</code></td>
       <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
       <td>N</td>
@@ -282,7 +290,7 @@ table.supported-languages ul {
     <tr>
       <td>Scala</td>
       <td>Not applicable</td>
-      <td><a href="https://www.scala-sbt.org/">sbt</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-3">3</a></b></sup></td>
+      <td><a href="https://www.scala-sbt.org/">sbt</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-4">4</a></b></sup></td>
       <td><code>build.sbt</code></td>
       <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
       <td>N</td>
@@ -293,6 +301,12 @@ table.supported-languages ul {
 <ol>
   <li>
     <a id="notes-regarding-supported-languages-and-package-managers-1"></a>
+    <p>
+      This version of Java is not supported by the FIPS-enabled image of <code>gemnasium-maven</code>.
+    </p>
+  </li>
+  <li>
+    <a id="notes-regarding-supported-languages-and-package-managers-2"></a>
     <p>
       Although Gradle with Java 8 is supported, there are other issues such that Android project builds are not supported at this time.
       Please see the backlog issue <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/336866">Android support for Dependency
@@ -300,7 +314,7 @@ table.supported-languages ul {
     </p>
   </li>
   <li>
-    <a id="notes-regarding-supported-languages-and-package-managers-2"></a>
+    <a id="notes-regarding-supported-languages-and-package-managers-3"></a>
     <p>
       The presence of a <code>Pipfile.lock</code> file alone will <i>not</i> trigger the analyzer; the presence of a <code>Pipfile</code> is
       still required in order for the analyzer to be executed. However, if a <code>Pipfile.lock</code> file is found, it will be used by
@@ -313,13 +327,13 @@ table.supported-languages ul {
     </p>
   </li>
   <li>
-    <a id="notes-regarding-supported-languages-and-package-managers-3"></a>
+    <a id="notes-regarding-supported-languages-and-package-managers-4"></a>
     <p>
       Support for <a href="https://www.scala-sbt.org/">sbt</a> 1.3 and above was added in GitLab 13.9.
     </p>
   </li>
   <li>
-    <a id="notes-regarding-supported-languages-and-package-managers-4"></a>
+    <a id="notes-regarding-supported-languages-and-package-managers-5"></a>
     <p>
       Support for <a href="https://python-poetry.org/">Poetry</a> projects with a <code>poetry.lock</code> file was <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/7006">added in GitLab 15.0</a>.
       Support for projects without a <code>poetry.lock</code> file is tracked in issue:
@@ -599,7 +613,7 @@ The following variables are used for configuring specific analyzers (used for a
 | `GEMNASIUM_DB_REF_NAME`              | `gemnasium`        | `master`                     | Branch name for remote repository database. `GEMNASIUM_DB_REMOTE_URL` is required. |
 | `DS_REMEDIATE`                       | `gemnasium`        | `"true"`                     | Enable automatic remediation of vulnerable dependencies. |
 | `GEMNASIUM_LIBRARY_SCAN_ENABLED`     | `gemnasium`        | `"true"`                     | Enable detecting vulnerabilities in vendored JavaScript libraries. For now, `gemnasium` leverages [`Retire.js`](https://github.com/RetireJS/retire.js) to do this job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350512) in GitLab 14.8. |
-| `DS_JAVA_VERSION`                    | `gemnasium-maven`  | `17`                         | Version of Java. Available versions: `8`, `11`, `13`, `14`, `15`, `16`, `17`. |
+| `DS_JAVA_VERSION`                    | `gemnasium-maven`  | `17`                         | Version of Java. Available versions: `8`, `11`, `13`, `14`, `15`, `16`, `17`. Available versions in FIPS-enabled image: `8`, `11`, `17`. |
 | `MAVEN_CLI_OPTS`                     | `gemnasium-maven`  | `"-DskipTests --batch-mode"` | List of command line arguments that are passed to `maven` by the analyzer. See an example for [using private repositories](../index.md#using-private-maven-repositories). |
 | `GRADLE_CLI_OPTS`                    | `gemnasium-maven`  |                              | List of command line arguments that are passed to `gradle` by the analyzer. |
 | `SBT_CLI_OPTS`                       | `gemnasium-maven`  |                              | List of command-line arguments that the analyzer passes to `sbt`. |
@@ -671,6 +685,9 @@ Gemnasium scanning jobs automatically use FIPS-enabled image when FIPS mode is e
 
 To manually switch to FIPS-enabled images, set the variable `DS_IMAGE_SUFFIX` to `"-fips"`.
 
+To ensure compliance with FIPS, the FIPS-enabled image of `gemnasium-maven` uses the OpenJDK packages for RedHat UBI.
+As a result, it only supports Java 8, 11, and 17.
+
 ## Interacting with the vulnerabilities
 
 Once a vulnerability is found, you can interact with it. Read more on how to
diff --git a/doc/user/group/index.md b/doc/user/group/index.md
index e8f5d4ac4d9..528cf3b5d46 100644
--- a/doc/user/group/index.md
+++ b/doc/user/group/index.md
@@ -770,8 +770,6 @@ By default, projects in a group can be forked.
 Optionally, on [GitLab Premium](https://about.gitlab.com/pricing/) or higher tiers,
 you can prevent the projects in a group from being forked outside of the current top-level group.
 
-Previously, this setting was available only for groups enforcing a
-[Group Managed Account](saml_sso/group_managed_accounts.md) in SAML.
 This setting will be removed from the SAML setting page, and migrated to the
 group settings page. In the interim period, both of these settings are taken into consideration.
 If even one is set to `true`, then the group does not allow outside forks.
diff --git a/doc/user/group/saml_sso/group_managed_accounts.md b/doc/user/group/saml_sso/group_managed_accounts.md
index 64f292c18b3..0a00d0c1c1c 100644
--- a/doc/user/group/saml_sso/group_managed_accounts.md
+++ b/doc/user/group/saml_sso/group_managed_accounts.md
@@ -3,121 +3,12 @@ type: reference, howto
 stage: Manage
 group: Authentication and Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+remove_date: '2022-06-13'
+redirect_to: 'index.md'
 ---
 
 # Group Managed Accounts **(PREMIUM)**
 
-WARNING:
-This [Closed Beta](https://about.gitlab.com/handbook/product/gitlab-the-product/#sts=Closed%20Beta) feature is being re-evaluated in favor of a different
-[approach](https://gitlab.com/groups/gitlab-org/-/epics/4786) that aligns more closely with our [Subscription Agreement](https://about.gitlab.com/handbook/legal/subscription-agreement/).
-We recommend that group owners who haven't yet implemented this feature wait for the new solution.
-
-> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/709) in GitLab 12.1.
-> - It's deployed behind a feature flag, disabled by default.
-
-When [SSO for Groups](index.md) is enforced, groups can enable an additional level of protection by enforcing the creation of dedicated user accounts to access the group.
-
-With group-managed accounts enabled, users are required to create a new, dedicated user linked to the group.
-The notification email address associated with the user is locked to the email address received from the configured identity provider.
-Without group-managed accounts, users can link their SAML identity with any existing user on the instance.
-
-When this option is enabled:
-
-- All users in the group are required to log in via the SSO URL associated with the group.
-- After the group-managed account has been created, group activity requires the use of this user account.
-- Users can't share a project in the group outside the top-level group (also applies to forked projects).
-
-Upon successful authentication, GitLab prompts the user with options, based on the email address received from the configured identity provider:
-
-- To create a unique account with the newly received email address.
-- If the received email address matches one of the user's verified GitLab email addresses, the option to convert the existing account to a group-managed account. ([Introduced in GitLab 12.9](https://gitlab.com/gitlab-org/gitlab/-/issues/13481).)
-
-Since use of the group-managed account requires the use of SSO, users of group-managed accounts lose access to these accounts when they are no longer able to authenticate with the connected identity provider. In the case of an offboarded employee who has been removed from your identity provider:
-
-- The user is unable to access the group (their credentials no longer work on the identity provider when prompted to use SSO).
-- Contributions in the group (for example, issues and merge requests) remains intact.
-
-Please refer to our [SAML SSO for Groups page](../index.md) for information on how to configure SAML.
-
-## Feature flag **(PREMIUM SELF)**
-
-The group-managed accounts feature is behind these feature flags: `group_managed_accounts`, `sign_up_on_sso` and `convert_user_to_group_managed_accounts`. The flags are disabled by default.
-To activate the feature, ask a GitLab administrator with Rails console access to run:
-
-```ruby
-Feature.enable(:group_managed_accounts)
-Feature.enable(:sign_up_on_sso)
-Feature.enable(:convert_user_to_group_managed_accounts)
-```
-
-## Project restrictions for Group-managed accounts
-
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12420) in GitLab 12.9.
-
-Projects within groups with enabled group-managed accounts are not to be shared with:
-
-- Groups outside of the parent group.
-- Members who are not users managed by this group.
-
-This restriction also applies to projects forked from or to those groups.
-
-## Outer forks restriction for Group-managed accounts
-
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/34648) in GitLab 12.9.
-
-Groups with group-managed accounts can prevent forking of projects to destinations outside the group.
-To do so, enable the "Prohibit outer forks" option in **Settings > SAML SSO**.
-When enabled **at the parent group level**, projects within the group can be forked
-only to other destinations within the group (including its subgroups).
-
-## Credentials inventory for Group-managed accounts **(ULTIMATE)**
-
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/38133) in GitLab 12.8.
-
-Owners who manage user accounts in a group can view the following details of personal access tokens and SSH keys:
-
-- Owners
-- Scopes
-- Usage patterns
-
-To access the Credentials inventory of a group, navigate to **{shield}** **Security & Compliance > Credentials** in your group's sidebar.
-
-This feature is similar to the [Credentials inventory for self-managed instances](../../admin_area/credentials_inventory.md).
-
-### Revoke a group-managed account's personal access token
-
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214811) in GitLab 13.5.
-> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/267184) in GitLab 13.10.
-
-Group owners can revoke the personal access tokens of accounts in their group. To do so, select
-the Personal Access Tokens tab, and select Revoke.
-
-When a personal access token is revoked, the group-managed account user is notified by email.
-
-## Limiting lifetime of personal access tokens of users in Group-managed accounts **(ULTIMATE)**
-
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/118893) in GitLab 12.10.
-
-Users in a group managed account can optionally specify an expiration date for
-[personal access tokens](../../profile/personal_access_tokens.md).
-This expiration date is not a requirement, and can be set to any arbitrary date.
-
-Since personal access tokens are the only token needed for programmatic access to GitLab, organizations with security requirements may want to enforce more protection to require regular rotation of these tokens.
-
-### Set a limit
-
-Only a GitLab administrator or an owner of a group-managed account can set a limit. When this field
-is left empty, the [instance-level restriction](../../admin_area/settings/account_and_limit_settings.md#limit-the-lifetime-of-access-tokens)
-on the lifetime of personal access tokens apply.
-
-To set a limit on how long personal access tokens are valid for users in a group managed account:
-
-1. Navigate to the **Settings > General** page in your group's sidebar.
-1. Expand the **Permissions and group features** section.
-1. Fill in the **Maximum allowable lifetime for access tokens (days)** field.
-1. Select **Save changes**.
-
-Once a lifetime for personal access tokens is set:
-
-- GitLab applies the lifetime for new personal access tokens and requires users managed by the group to set an expiration date that's no later than the allowed lifetime.
-- After three hours, revoke old tokens with no expiration date or with a lifetime longer than the allowed lifetime. Three hours is given to allow administrators/group owner to change the allowed lifetime, or remove it, before revocation takes place.
+This [closed beta](https://about.gitlab.com/handbook/product/gitlab-the-product/#sts=Closed%20Beta) feature was never enabled globally. See
+[this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/296544) for progress on removing the feature.
+Use [SAML SSO](index.md) instead.
diff --git a/lib/gitlab/database.rb b/lib/gitlab/database.rb
index 87ff2a53ac3..b42d164d9c4 100644
--- a/lib/gitlab/database.rb
+++ b/lib/gitlab/database.rb
@@ -68,7 +68,8 @@ module Gitlab
       @schemas_to_base_models ||= {
         gitlab_main: [self.database_base_models.fetch(:main)],
         gitlab_ci: [self.database_base_models[:ci] || self.database_base_models.fetch(:main)], # use CI or fallback to main
-        gitlab_shared: self.database_base_models.values # all models
+        gitlab_shared: self.database_base_models.values, # all models
+        gitlab_internal: self.database_base_models.values # all models
       }.with_indifferent_access.freeze
     end
 
diff --git a/lib/gitlab/database/gitlab_schema.rb b/lib/gitlab/database/gitlab_schema.rb
index d7ea614e2af..baf4cc48424 100644
--- a/lib/gitlab/database/gitlab_schema.rb
+++ b/lib/gitlab/database/gitlab_schema.rb
@@ -75,8 +75,8 @@ module Gitlab
           return gitlab_schema
         end
 
-        # All tables from `information_schema.` are `:gitlab_shared`
-        return :gitlab_shared if schema_name == 'information_schema'
+        # All tables from `information_schema.` are marked as `internal`
+        return :gitlab_internal if schema_name == 'information_schema'
 
         return :gitlab_main if table_name.start_with?('_test_gitlab_main_')
 
@@ -85,8 +85,8 @@ module Gitlab
         # All tables that start with `_test_` without a following schema are shared and ignored
         return :gitlab_shared if table_name.start_with?('_test_')
 
-        # All `pg_` tables are marked as `shared`
-        return :gitlab_shared if table_name.start_with?('pg_')
+        # All `pg_` tables are marked as `internal`
+        return :gitlab_internal if table_name.start_with?('pg_')
 
         # When undefined it's best to return a unique name so that we don't incorrectly assume that 2 undefined schemas belong on the same database
         :"undefined_#{table_name}"
diff --git a/lib/gitlab/database/gitlab_schemas.yml b/lib/gitlab/database/gitlab_schemas.yml
index 301f019d80c..71c323cb393 100644
--- a/lib/gitlab/database/gitlab_schemas.yml
+++ b/lib/gitlab/database/gitlab_schemas.yml
@@ -35,7 +35,7 @@ approval_project_rules_users: :gitlab_main
 approvals: :gitlab_main
 approver_groups: :gitlab_main
 approvers: :gitlab_main
-ar_internal_metadata: :gitlab_shared
+ar_internal_metadata: :gitlab_internal
 atlassian_identities: :gitlab_main
 audit_events_external_audit_event_destinations: :gitlab_main
 audit_events: :gitlab_main
@@ -467,7 +467,7 @@ routes: :gitlab_main
 saml_group_links: :gitlab_main
 saml_providers: :gitlab_main
 saved_replies: :gitlab_main
-schema_migrations: :gitlab_shared
+schema_migrations: :gitlab_internal
 scim_identities: :gitlab_main
 scim_oauth_access_tokens: :gitlab_main
 security_findings: :gitlab_main
diff --git a/lib/gitlab/database/query_analyzers/restrict_allowed_schemas.rb b/lib/gitlab/database/query_analyzers/restrict_allowed_schemas.rb
index 3f0176cb654..c51282c9a55 100644
--- a/lib/gitlab/database/query_analyzers/restrict_allowed_schemas.rb
+++ b/lib/gitlab/database/query_analyzers/restrict_allowed_schemas.rb
@@ -9,7 +9,7 @@ module Gitlab
         DMLNotAllowedError = Class.new(UnsupportedSchemaError)
         DMLAccessDeniedError = Class.new(UnsupportedSchemaError)
 
-        IGNORED_SCHEMAS = %i[gitlab_shared].freeze
+        IGNORED_SCHEMAS = %i[gitlab_shared gitlab_internal].freeze
 
         class << self
           def enabled?
diff --git a/lib/gitlab/database/shared_model.rb b/lib/gitlab/database/shared_model.rb
index f4c8fca8fa2..877866b9b23 100644
--- a/lib/gitlab/database/shared_model.rb
+++ b/lib/gitlab/database/shared_model.rb
@@ -20,6 +20,15 @@ module Gitlab
               "to '#{Gitlab::Database.db_config_name(connection)}'"
           end
 
+          # connection might not be yet adopted (returning nil, and no gitlab_schemas)
+          # in such cases it is fine to ignore such connections
+          gitlab_schemas = Gitlab::Database.gitlab_schemas_for_connection(connection)
+
+          unless gitlab_schemas.nil? || gitlab_schemas.include?(:gitlab_shared)
+            raise "Cannot set `SharedModel` to connection from `#{Gitlab::Database.db_config_name(connection)}` " \
+              "since this connection does not include `:gitlab_shared` schema."
+          end
+
           self.overriding_connection = connection
 
           yield
diff --git a/lib/tasks/gitlab/db.rake b/lib/tasks/gitlab/db.rake
index 5eb83346e90..a446a17dfc3 100644
--- a/lib/tasks/gitlab/db.rake
+++ b/lib/tasks/gitlab/db.rake
@@ -348,7 +348,13 @@ namespace :gitlab do
       Rake::Task['db:drop'].invoke
       Rake::Task['db:create'].invoke
       ActiveRecord::Base.configurations.configs_for(env_name: ActiveRecord::Tasks::DatabaseTasks.env).each do |db_config|
-        ActiveRecord::Base.establish_connection(db_config.configuration_hash.merge(username: username)) # rubocop: disable Database/EstablishConnection
+        config = ActiveRecord::DatabaseConfigurations::HashConfig.new(
+          db_config.env_name,
+          db_config.name,
+          db_config.configuration_hash.merge(username: username)
+        )
+
+        ActiveRecord::Base.establish_connection(config) # rubocop: disable Database/EstablishConnection
         Gitlab::Database.check_for_non_superuser
         Rake::Task['db:migrate'].invoke
       end
diff --git a/spec/graphql/features/authorization_spec.rb b/spec/graphql/features/authorization_spec.rb
index 5ae497f9d37..4f8ae92ff99 100644
--- a/spec/graphql/features/authorization_spec.rb
+++ b/spec/graphql/features/authorization_spec.rb
@@ -17,10 +17,7 @@ RSpec.describe 'DeclarativePolicy authorization in GraphQL ' do
   let(:permission_object_two) { authorizing_object }
 
   let(:query_string) { '{ item { name } }' }
-  let(:result) do
-    schema = empty_schema
-    execute_query(query_type, schema: schema)
-  end
+  let(:result) { execute_query(query_type) }
 
   subject { result.dig('data', 'item') }
 
diff --git a/spec/lib/gitlab/asciidoc_spec.rb b/spec/lib/gitlab/asciidoc_spec.rb
index d86191ca0c2..66da5d86ed4 100644
--- a/spec/lib/gitlab/asciidoc_spec.rb
+++ b/spec/lib/gitlab/asciidoc_spec.rb
@@ -390,7 +390,7 @@ module Gitlab
             <div>class.cpp</div>
             <div>
             <div class="gl-relative markdown-code-block js-markdown-code">
-            <pre class="code highlight js-syntax-highlight language-cpp" lang="cpp" v-pre="true"><code><span id="LC1" class="line" lang="cpp"><span class="cp">#include &lt;stdio.h&gt;</span></span>
+            <pre class="code highlight js-syntax-highlight language-cpp" lang="cpp" v-pre="true"><code><span id="LC1" class="line" lang="cpp"><span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span></span>
             <span id="LC2" class="line" lang="cpp"></span>
             <span id="LC3" class="line" lang="cpp"><span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="mi">5</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span></span>
             <span id="LC4" class="line" lang="cpp">  <span class="n">std</span><span class="o">::</span><span class="n">cout</span><span class="o">&lt;&lt;</span><span class="s">"*"</span><span class="o">&lt;&lt;</span><span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span></span>
diff --git a/spec/lib/gitlab/database/each_database_spec.rb b/spec/lib/gitlab/database/each_database_spec.rb
index 191f7017b4c..8345cdfb8fb 100644
--- a/spec/lib/gitlab/database/each_database_spec.rb
+++ b/spec/lib/gitlab/database/each_database_spec.rb
@@ -61,7 +61,11 @@ RSpec.describe Gitlab::Database::EachDatabase do
 
     context 'when shared connections are not included' do
       it 'only yields the unshared connections' do
-        expect(Gitlab::Database).to receive(:db_config_share_with).twice.and_return(nil, 'main')
+        if Gitlab::Database.has_config?(:ci)
+          expect(Gitlab::Database).to receive(:db_config_share_with).exactly(3).times.and_return(nil, 'main', 'main')
+        else
+          expect(Gitlab::Database).to receive(:db_config_share_with).twice.and_return(nil, 'main')
+        end
 
         expect { |b| described_class.each_database_connection(include_shared: false, &b) }
           .to yield_successive_args([ActiveRecord::Base.connection, 'main'])
diff --git a/spec/lib/gitlab/database/gitlab_schema_spec.rb b/spec/lib/gitlab/database/gitlab_schema_spec.rb
index a5a67c2c918..611b2fbad72 100644
--- a/spec/lib/gitlab/database/gitlab_schema_spec.rb
+++ b/spec/lib/gitlab/database/gitlab_schema_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe Gitlab::Database::GitlabSchema do
 
     it 'all tables have assigned a known gitlab_schema' do
       is_expected.to all(
-        match([be_a(String), be_in([:gitlab_shared, :gitlab_main, :gitlab_ci])])
+        match([be_a(String), be_in([:gitlab_internal, :gitlab_shared, :gitlab_main, :gitlab_ci])])
       )
     end
 
@@ -42,12 +42,12 @@ RSpec.describe Gitlab::Database::GitlabSchema do
     where(:name, :classification) do
       'ci_builds'                       | :gitlab_ci
       'my_schema.ci_builds'             | :gitlab_ci
-      'information_schema.columns'      | :gitlab_shared
+      'information_schema.columns'      | :gitlab_internal
       'audit_events_part_5fc467ac26'    | :gitlab_main
       '_test_gitlab_main_table'         | :gitlab_main
       '_test_gitlab_ci_table'           | :gitlab_ci
       '_test_my_table'                  | :gitlab_shared
-      'pg_attribute'                    | :gitlab_shared
+      'pg_attribute'                    | :gitlab_internal
       'my_other_table'                  | :undefined_my_other_table
     end
 
diff --git a/spec/lib/gitlab/database/shared_model_spec.rb b/spec/lib/gitlab/database/shared_model_spec.rb
index 574111f4c01..c88edc17817 100644
--- a/spec/lib/gitlab/database/shared_model_spec.rb
+++ b/spec/lib/gitlab/database/shared_model_spec.rb
@@ -27,6 +27,19 @@ RSpec.describe Gitlab::Database::SharedModel do
       end
     end
 
+    it 'raises an error if the connection does not include `:gitlab_shared` schema' do
+      allow(Gitlab::Database)
+        .to receive(:gitlab_schemas_for_connection)
+        .with(new_connection)
+        .and_return([:gitlab_main])
+
+      expect_original_connection_around do
+        expect do
+          described_class.using_connection(new_connection) {}
+        end.to raise_error(/Cannot set `SharedModel` to connection/)
+      end
+    end
+
     context 'when multiple connection overrides are nested', :aggregate_failures do
       let(:second_connection) { double('connection') }
 
diff --git a/spec/lib/gitlab/graphql/markdown_field_spec.rb b/spec/lib/gitlab/graphql/markdown_field_spec.rb
index 4d38941a618..974951ab30c 100644
--- a/spec/lib/gitlab/graphql/markdown_field_spec.rb
+++ b/spec/lib/gitlab/graphql/markdown_field_spec.rb
@@ -27,8 +27,7 @@ RSpec.describe Gitlab::Graphql::MarkdownField do
     context 'resolving markdown' do
       let_it_be(:note) { build(:note, note: '# Markdown!') }
       let_it_be(:expected_markdown) { '<h1 data-sourcepos="1:1-1:11" dir="auto">Markdown!</h1>' }
-      let_it_be(:schema) { empty_schema }
-      let_it_be(:query) { GraphQL::Query.new(schema, document: nil, context: {}, variables: {}) }
+      let_it_be(:query) { GraphQL::Query.new(empty_schema, document: nil, context: {}, variables: {}) }
       let_it_be(:context) { GraphQL::Query::Context.new(query: query, values: {}, object: nil) }
 
       let(:type_class) { class_with_markdown_field(:note_html, null: false) }
diff --git a/spec/lib/gitlab/graphql/pagination/keyset/connection_generic_keyset_spec.rb b/spec/lib/gitlab/graphql/pagination/keyset/connection_generic_keyset_spec.rb
index 13079150a81..97613edee5e 100644
--- a/spec/lib/gitlab/graphql/pagination/keyset/connection_generic_keyset_spec.rb
+++ b/spec/lib/gitlab/graphql/pagination/keyset/connection_generic_keyset_spec.rb
@@ -9,8 +9,7 @@ RSpec.describe Gitlab::Graphql::Pagination::Keyset::Connection do
   # The spec will be merged with connection_spec.rb in the future.
   let(:nodes) { Project.all.order(id: :asc) }
   let(:arguments) { {} }
-  let(:schema) { empty_schema }
-  let(:context) { GraphQL::Query::Context.new(query: query_double(schema: schema), values: nil, object: nil) }
+  let(:context) { GraphQL::Query::Context.new(query: query_double, values: nil, object: nil) }
 
   let_it_be(:column_order_id) { Gitlab::Pagination::Keyset::ColumnOrderDefinition.new(attribute_name: 'id', order_expression: Project.arel_table[:id].asc) }
   let_it_be(:column_order_id_desc) { Gitlab::Pagination::Keyset::ColumnOrderDefinition.new(attribute_name: 'id', order_expression: Project.arel_table[:id].desc) }
diff --git a/spec/lib/gitlab/graphql/pagination/keyset/connection_spec.rb b/spec/lib/gitlab/graphql/pagination/keyset/connection_spec.rb
index 5e00d2eceab..61a79d90546 100644
--- a/spec/lib/gitlab/graphql/pagination/keyset/connection_spec.rb
+++ b/spec/lib/gitlab/graphql/pagination/keyset/connection_spec.rb
@@ -7,8 +7,7 @@ RSpec.describe Gitlab::Graphql::Pagination::Keyset::Connection do
 
   let(:nodes) { Project.all.order(id: :asc) }
   let(:arguments) { {} }
-  let(:schema) { empty_schema }
-  let(:context) { GraphQL::Query::Context.new(query: query_double(schema: schema), values: nil, object: nil) }
+  let(:context) { GraphQL::Query::Context.new(query: query_double, values: nil, object: nil) }
 
   subject(:connection) do
     described_class.new(nodes, **{ context: context, max_page_size: 3 }.merge(arguments))
diff --git a/spec/lib/gitlab/seeder_spec.rb b/spec/lib/gitlab/seeder_spec.rb
index a22d47cbfb3..a94ae2bca7a 100644
--- a/spec/lib/gitlab/seeder_spec.rb
+++ b/spec/lib/gitlab/seeder_spec.rb
@@ -24,7 +24,7 @@ RSpec.describe Gitlab::Seeder do
   describe '.quiet' do
     let(:database_base_models) do
       {
-        main: ApplicationRecord,
+        main: ActiveRecord::Base,
         ci: Ci::ApplicationRecord
       }
     end
diff --git a/spec/models/integration_spec.rb b/spec/models/integration_spec.rb
index c4175518295..038018fbd0c 100644
--- a/spec/models/integration_spec.rb
+++ b/spec/models/integration_spec.rb
@@ -812,14 +812,14 @@ RSpec.describe Integration do
         Class.new(Integration) do
           def fields
             [
-              { name: 'token' },
-              { name: 'api_token' },
-              { name: 'token_api' },
-              { name: 'safe_token' },
-              { name: 'key' },
-              { name: 'api_key' },
-              { name: 'password' },
-              { name: 'password_field' },
+              { name: 'token', type: 'password' },
+              { name: 'api_token', type: 'password' },
+              { name: 'token_api', type: 'password' },
+              { name: 'safe_token', type: 'password' },
+              { name: 'key', type: 'password' },
+              { name: 'api_key', type: 'password' },
+              { name: 'password', type: 'password' },
+              { name: 'password_field', type: 'password' },
               { name: 'some_safe_field' },
               { name: 'safe_field' },
               { name: 'url' },
@@ -837,15 +837,14 @@ RSpec.describe Integration do
     context 'when the class uses the field DSL' do
       let(:fake_integration) do
         Class.new(described_class) do
-          field :token
-          field :token
-          field :api_token
-          field :token_api
-          field :safe_token
-          field :key
-          field :api_key
-          field :password
-          field :password_field
+          field :token, type: 'password'
+          field :api_token, type: 'password'
+          field :token_api, type: 'password'
+          field :safe_token, type: 'password'
+          field :key, type: 'password'
+          field :api_key, type: 'password'
+          field :password, type: 'password'
+          field :password_field, type: 'password'
           field :some_safe_field
           field :safe_field
           field :url
diff --git a/spec/requests/admin/background_migrations_controller_spec.rb b/spec/requests/admin/background_migrations_controller_spec.rb
index 0fd2ba26cb8..884448fdd95 100644
--- a/spec/requests/admin/background_migrations_controller_spec.rb
+++ b/spec/requests/admin/background_migrations_controller_spec.rb
@@ -40,15 +40,17 @@ RSpec.describe Admin::BackgroundMigrationsController, :enable_admin_mode do
 
   describe 'GET #index' do
     let(:default_model) { ActiveRecord::Base }
+    let(:db_config) { instance_double(ActiveRecord::DatabaseConfigurations::HashConfig, name: 'fake_db') }
 
     before do
+      allow(Gitlab::Database).to receive(:db_config_for_connection).and_return(db_config)
       allow(Gitlab::Database).to receive(:database_base_models).and_return(base_models)
     end
 
     let!(:main_database_migration) { create(:batched_background_migration, :active) }
 
     context 'when no database is provided' do
-      let(:base_models) { { 'fake_db' => default_model } }
+      let(:base_models) { { 'fake_db' => default_model }.with_indifferent_access }
 
       before do
         stub_const('Gitlab::Database::MAIN_DATABASE_NAME', 'fake_db')
@@ -68,7 +70,7 @@ RSpec.describe Admin::BackgroundMigrationsController, :enable_admin_mode do
     end
 
     context 'when multiple database is enabled', :add_ci_connection do
-      let(:base_models) { { 'fake_db' => default_model, 'ci' => ci_model } }
+      let(:base_models) { { 'fake_db' => default_model, 'ci' => ci_model }.with_indifferent_access }
       let(:ci_model) { Ci::ApplicationRecord }
 
       context 'when CI database is provided' do
diff --git a/spec/requests/admin/batched_jobs_controller_spec.rb b/spec/requests/admin/batched_jobs_controller_spec.rb
index 9a0654c64b4..fb51b3bce88 100644
--- a/spec/requests/admin/batched_jobs_controller_spec.rb
+++ b/spec/requests/admin/batched_jobs_controller_spec.rb
@@ -42,7 +42,7 @@ RSpec.describe Admin::BatchedJobsController, :enable_admin_mode do
     end
 
     context 'when multiple database is enabled', :add_ci_connection do
-      let(:base_models) { { 'fake_db' => default_model, 'ci' => ci_model } }
+      let(:base_models) { { 'main' => default_model, 'ci' => ci_model }.with_indifferent_access }
       let(:ci_model) { Ci::ApplicationRecord }
 
       before do
diff --git a/spec/support/helpers/graphql_helpers.rb b/spec/support/helpers/graphql_helpers.rb
index 6cdd8a9446e..10a16e00103 100644
--- a/spec/support/helpers/graphql_helpers.rb
+++ b/spec/support/helpers/graphql_helpers.rb
@@ -425,7 +425,7 @@ module GraphqlHelpers
     end
   end
 
-  def query_double(schema:)
+  def query_double(schema: empty_schema)
     double('query', schema: schema, warden: GraphQL::Schema::Warden::PassThruWarden)
   end
 
diff --git a/spec/tasks/gitlab/background_migrations_rake_spec.rb b/spec/tasks/gitlab/background_migrations_rake_spec.rb
index 36623e86f27..bbd33f71e60 100644
--- a/spec/tasks/gitlab/background_migrations_rake_spec.rb
+++ b/spec/tasks/gitlab/background_migrations_rake_spec.rb
@@ -112,7 +112,7 @@ RSpec.describe 'gitlab:background_migrations namespace rake tasks' do
     let(:main_database_name) { Gitlab::Database::MAIN_DATABASE_NAME }
     let(:model) { Gitlab::Database.database_base_models[main_database_name] }
     let(:connection) { double(:connection) }
-    let(:base_models) { { 'main' => model } }
+    let(:base_models) { { 'main' => model }.with_indifferent_access }
 
     around do |example|
       Gitlab::Database::SharedModel.using_connection(model.connection) do
diff --git a/spec/tasks/gitlab/db_rake_spec.rb b/spec/tasks/gitlab/db_rake_spec.rb
index e340d568269..d8199c09ca1 100644
--- a/spec/tasks/gitlab/db_rake_spec.rb
+++ b/spec/tasks/gitlab/db_rake_spec.rb
@@ -822,18 +822,20 @@ RSpec.describe 'gitlab:db namespace rake task', :silence_stdout do
     let(:connection_pool) { instance_double(ActiveRecord::ConnectionAdapters::ConnectionPool ) }
     let(:connection) { instance_double(ActiveRecord::ConnectionAdapters::PostgreSQLAdapter) }
     let(:configurations) { double(ActiveRecord::DatabaseConfigurations) }
-    let(:configuration) { instance_double(ActiveRecord::DatabaseConfigurations::HashConfig) }
+    let(:configuration) { instance_double(ActiveRecord::DatabaseConfigurations::HashConfig, env_name: 'test', name: 'main') }
     let(:config_hash) { { username: 'foo' } }
 
-    it 'migrate as nonsuperuser check with default username' do
+    before do
       allow(Rake::Task['db:drop']).to receive(:invoke)
       allow(Rake::Task['db:create']).to receive(:invoke)
       allow(ActiveRecord::Base).to receive(:configurations).and_return(configurations)
       allow(configurations).to receive(:configs_for).and_return([configuration])
       allow(configuration).to receive(:configuration_hash).and_return(config_hash)
       allow(ActiveRecord::Base).to receive(:establish_connection).and_return(connection_pool)
+    end
 
-      expect(config_hash).to receive(:merge).with({ username: 'gitlab' })
+    it 'migrate as nonsuperuser check with default username' do
+      expect(config_hash).to receive(:merge).with({ username: 'gitlab' }).and_call_original
       expect(Gitlab::Database).to receive(:check_for_non_superuser)
       expect(Rake::Task['db:migrate']).to receive(:invoke)
 
@@ -841,14 +843,7 @@ RSpec.describe 'gitlab:db namespace rake task', :silence_stdout do
     end
 
     it 'migrate as nonsuperuser check with specified username' do
-      allow(Rake::Task['db:drop']).to receive(:invoke)
-      allow(Rake::Task['db:create']).to receive(:invoke)
-      allow(ActiveRecord::Base).to receive(:configurations).and_return(configurations)
-      allow(configurations).to receive(:configs_for).and_return([configuration])
-      allow(configuration).to receive(:configuration_hash).and_return(config_hash)
-      allow(ActiveRecord::Base).to receive(:establish_connection).and_return(connection_pool)
-
-      expect(config_hash).to receive(:merge).with({ username: 'foo' })
+      expect(config_hash).to receive(:merge).with({ username: 'foo' }).and_call_original
       expect(Gitlab::Database).to receive(:check_for_non_superuser)
       expect(Rake::Task['db:migrate']).to receive(:invoke)
 
diff --git a/spec/workers/loose_foreign_keys/cleanup_worker_spec.rb b/spec/workers/loose_foreign_keys/cleanup_worker_spec.rb
index 1814abfac1d..632e4fb3071 100644
--- a/spec/workers/loose_foreign_keys/cleanup_worker_spec.rb
+++ b/spec/workers/loose_foreign_keys/cleanup_worker_spec.rb
@@ -157,10 +157,10 @@ RSpec.describe LooseForeignKeys::CleanupWorker do
 
   describe 'multi-database support' do
     where(:current_minute, :configured_base_models, :expected_connection_model) do
-      2 | { main: 'ApplicationRecord', ci: 'Ci::ApplicationRecord' } | 'ApplicationRecord'
-      3 | { main: 'ApplicationRecord', ci: 'Ci::ApplicationRecord' } | 'Ci::ApplicationRecord'
-      2 | { main: 'ApplicationRecord' } | 'ApplicationRecord'
-      3 | { main: 'ApplicationRecord' } | 'ApplicationRecord'
+      2 | { main: 'ActiveRecord::Base', ci: 'Ci::ApplicationRecord' } | 'ActiveRecord::Base'
+      3 | { main: 'ActiveRecord::Base', ci: 'Ci::ApplicationRecord' } | 'Ci::ApplicationRecord'
+      2 | { main: 'ActiveRecord::Base' } | 'ActiveRecord::Base'
+      3 | { main: 'ActiveRecord::Base' } | 'ActiveRecord::Base'
     end
 
     with_them do