Add latest changes from gitlab-org/gitlab@master

app/models/namespace/package_setting.rb

@@ -22,7 +22,7 @@ class Namespace::PackageSetting < ApplicationRecord
       duplicates_allowed = package.package_settings["#{package.package_type}_duplicates_allowed"]
       regex = ::Gitlab::UntrustedRegexp.new("\\A#{package.package_settings["#{package.package_type}_duplicate_exception_regex"]}\\z")
 
-      duplicates_allowed || regex.match?(package.name)
+      duplicates_allowed || regex.match?(package.name) || regex.match?(package.version)
     end
   end
 end

changelogs/unreleased/321772-version-dupe-check.yml

@@ -0,0 +1,5 @@
+---
+title: Check duplicate package regex against version as well as name
+merge_request: 60760
+author:
+type: fixed

doc/administration/gitaly/praefect.md

@@ -874,6 +874,27 @@ Particular attention should be shown to:
    repository that viewed. If the project is created, and you can see the
    README file, it works!
 
+#### Use TCP for existing GitLab instances
+
+When adding Gitaly Cluster to an existing Gitaly instance, the existing Gitaly storage
+must use a TCP address. If `gitaly_address` is not specified, then a Unix socket is used,
+which will prevent the communication with the cluster.
+
+For example:
+
+```ruby
+git_data_dirs({
+  'default' => { 'gitaly_address' => 'tcp://old-gitaly.internal:8075' },
+  'cluster' => {
+    'gitaly_address' => 'tcp://<load_balancer_server_address>:2305',
+    'gitaly_token' => '<praefect_external_token>'
+  }
+})
+```
+
+See [Mixed Configuration](configure_gitaly.md#mixed-configuration) for further information on
+running multiple Gitaly storages.
+
 ### Grafana
 
 Grafana is included with GitLab, and can be used to monitor your Praefect

doc/security/token_overview.md

@@ -106,3 +106,15 @@ This table shows available scopes per token. Scopes can be limited further on to
 1. Limited to the one project.
 1. Runner registration and authentication token don't provide direct access to repositories, but can be used to register and authenticate a new runner that may execute jobs which do have access to the repository
 1. Limited to certain [endpoints](../api/README.md#gitlab-cicd-job-token).
+
+## Security considerations
+
+Access tokens should be treated like passwords and kept secure.
+
+Adding them to URLs is a security risk. This is especially true when cloning or adding a remote, as Git then writes the URL to its `.git/config` file in plain text. URLs are also generally logged by proxies and application servers, which makes those credentials visible to system administrators.
+
+Instead, API calls can be passed an access token using headers, like [the `Private-Token` header](../api/README.md#personalproject-access-tokens).
+
+Tokens can also be stored using a [Git credential storage](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage).
+
+When creating a scoped token, consider using the most limited scope possible to reduce the impact of accidentally leaking the token.

doc/user/application_security/dependency_list/index.md

@@ -10,10 +10,11 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10075) in GitLab Ultimate 12.0.
 
 Use the dependency list to review your project's dependencies and key
-details about those dependencies, including their known vulnerabilities. To see the dependency list,
-in your project, go to **Security & Compliance > Dependency List**.
+details about those dependencies, including their known vulnerabilities. It is a collection of dependencies in your project, including existing and new findings. To see the dependency list, go to your project and select **Security & Compliance > Dependency List**.
 This information is sometimes referred to as a Software Bill of Materials or SBoM / BOM.
 
+The dependency list only shows the results of the last successful pipeline to run on the default branch. This is why we recommend not changing the default behavior of allowing the secure jobs to fail. 
+
 ## Prerequisites
 
 To view your project's dependencies, ensure you meet the following requirements:

doc/user/packages/maven_repository/index.md

@@ -625,7 +625,7 @@ In the UI:
 1. For your group, go to **Settings > Packages & Registries**.
 1. Expand the **Package Registry** section.
 1. Turn on the **Reject duplicates** toggle.
-1. Optional. To allow some duplicate packages, in the **Exceptions** box, enter a regex pattern that matches the names of packages you want to allow.
+1. Optional. To allow some duplicate packages, in the **Exceptions** box, enter a regex pattern that matches the names and/or versions of packages you want to allow.
 
 Your changes are automatically saved.
 

lib/banzai/filter/references/merge_request_reference_filter.rb

@@ -58,7 +58,7 @@ module Banzai
         end
 
         def data_attributes_for(text, parent, object, **data)
-          super.merge(project_path: current_parent_path, iid: object.iid, mr_title: object.title)
+          super.merge(project_path: parent.full_path, iid: object.iid, mr_title: object.title)
         end
 
         private

lib/gitlab/markdown_cache.rb

@@ -3,7 +3,7 @@
 module Gitlab
   module MarkdownCache
     # Increment this number every time the renderer changes its output
-    CACHE_COMMONMARK_VERSION        = 27
+    CACHE_COMMONMARK_VERSION        = 28
     CACHE_COMMONMARK_VERSION_START  = 10
 
     BaseError = Class.new(StandardError)

spec/lib/banzai/filter/references/merge_request_reference_filter_spec.rb

@@ -142,6 +142,17 @@ RSpec.describe Banzai::Filter::References::MergeRequestReferenceFilter do
       expect(doc.text).to eq("Merge (#{reference}.)")
     end
 
+    it 'has correct data attributes' do
+      doc = reference_filter("Merge (#{reference}.)")
+
+      link = doc.css('a').first
+
+      expect(link.attr('data-project')).to eq project2.id.to_s
+      expect(link.attr('data-project-path')).to eq project2.full_path
+      expect(link.attr('data-iid')).to eq merge.iid.to_s
+      expect(link.attr('data-mr-title')).to eq merge.title
+    end
+
     it 'ignores invalid merge IDs on the referenced project' do
       exp = act = "Merge #{invalidate_reference(reference)}"
 

spec/models/namespace/package_setting_spec.rb

@@ -42,7 +42,7 @@ RSpec.describe Namespace::PackageSetting do
     context 'package types with package_settings' do
       # As more package types gain settings they will be added to this list
       [:maven_package].each do |format|
-        let_it_be(:package) { create(format) } # rubocop:disable Rails/SaveBang
+        let_it_be(:package) { create(format, name: 'foo', version: 'beta') } # rubocop:disable Rails/SaveBang
         let_it_be(:package_type) { package.package_type }
         let_it_be(:package_setting) { package.project.namespace.package_settings }
 
@@ -50,6 +50,8 @@ RSpec.describe Namespace::PackageSetting do
           true  | ''   | true
           false | ''   | false
           false | '.*' | true
+          false | 'fo.*' | true
+          false | 'be.*' | true
         end
 
         with_them do

spec/services/packages/maven/find_or_create_package_service_spec.rb

@@ -130,7 +130,15 @@ RSpec.describe Packages::Maven::FindOrCreatePackageService do
 
       context 'when the package name matches the exception regex' do
         before do
-          package_settings.update!(maven_duplicate_exception_regex: '.*')
+          package_settings.update!(maven_duplicate_exception_regex: existing_package.name)
+        end
+
+        it_behaves_like 'reuse existing package'
+      end
+
+      context 'when the package version matches the exception regex' do
+        before do
+          package_settings.update!(maven_duplicate_exception_regex: existing_package.version)
         end
 
         it_behaves_like 'reuse existing package'