Add latest changes from gitlab-org/gitlab@master

.gitlab/ci/rules.gitlab-ci.yml

@@ -1456,6 +1456,24 @@
     - <<: *if-merge-request
       changes: *ci-patterns
 
+.semgrep-appsec-custom-rules:rules:
+  rules:
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-merge-request
+      changes: *code-backstage-qa-patterns
+
+.ping-appsec-for-sast-findings:rules:
+  rules:
+    # Requiring $CUSTOM_SAST_RULES_BOT_PAT prevents the bot from running on forks or CE
+    # Without it the script would fail too.
+    - if: "$CUSTOM_SAST_RULES_BOT_PAT == null"
+      when: never
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-merge-request
+      changes: *code-backstage-qa-patterns
+
 #######################
 # Vendored gems rules #
 #######################

.gitlab/ci/static-analysis.gitlab-ci.yml

@@ -152,3 +152,39 @@ feature-flags-usage:
     when: always
     paths:
       - tmp/feature_flags/
+
+semgrep-appsec-custom-rules:
+  stage: lint
+  extends:
+    - .semgrep-appsec-custom-rules:rules
+  image: returntocorp/semgrep
+  needs: []
+  script:
+    # Required to avoid a timeout https://github.com/returntocorp/semgrep/issues/5395
+    - git fetch origin master
+    # Include/exclude list isn't ideal https://github.com/returntocorp/semgrep/issues/5399
+    - |
+      semgrep ci --gitlab-sast --metrics off --config $CUSTOM_RULES_URL \
+        --include app --include lib --include workhorse \
+        --exclude '*_test.go' --exclude spec --exclude qa > gl-sast-report.json || true
+  variables:
+    CUSTOM_RULES_URL: https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules/-/raw/main/appsec-pings/rules.yml
+  artifacts:
+    paths:
+      - gl-sast-report.json
+    reports:
+      sast: gl-sast-report.json
+
+ping-appsec-for-sast-findings:
+  stage: lint
+  image: alpine:latest
+  extends:
+    - .ping-appsec-for-sast-findings:rules
+  variables:
+    # Project Access Token bot ID for /gitlab-com/gl-security/appsec/sast-custom-rules
+    BOT_USER_ID: 11727358
+  needs:
+    - semgrep-appsec-custom-rules
+  script:
+    - apk add jq curl
+    - scripts/process_custom_semgrep_results.sh

.rubocop.yml

@@ -779,3 +779,6 @@ Migration/BackgroundMigrationBaseClass:
 
 Style/ClassAndModuleChildren:
   Enabled: true
+
+Fips/OpenSSL:
+  Enabled: false

.rubocop_todo/fips/open_ssl.yml

@@ -1,222 +0,0 @@
----
-# Cop supports --auto-correct.
-Fips/OpenSSL:
-  Exclude:
-    - 'app/controllers/application_controller.rb'
-    - 'app/controllers/concerns/authenticates_with_two_factor.rb'
-    - 'app/controllers/projects/merge_requests/diffs_controller.rb'
-    - 'app/controllers/projects/merge_requests_controller.rb'
-    - 'app/helpers/application_helper.rb'
-    - 'app/models/ci/artifact_blob.rb'
-    - 'app/models/concerns/analytics/cycle_analytics/stage.rb'
-    - 'app/models/concerns/checksummable.rb'
-    - 'app/models/concerns/token_authenticatable_strategies/encryption_helper.rb'
-    - 'app/models/diff_discussion.rb'
-    - 'app/models/discussion.rb'
-    - 'app/models/legacy_diff_note.rb'
-    - 'app/models/namespace.rb'
-    - 'app/models/note.rb'
-    - 'app/models/performance_monitoring/prometheus_panel.rb'
-    - 'app/models/protected_branch.rb'
-    - 'app/models/release_highlight.rb'
-    - 'app/models/repository.rb'
-    - 'app/models/resource_event.rb'
-    - 'app/models/snippet.rb'
-    - 'app/models/storage/hashed.rb'
-    - 'app/models/token_with_iv.rb'
-    - 'app/presenters/packages/composer/packages_presenter.rb'
-    - 'app/services/ci/build_report_result_service.rb'
-    - 'app/services/metrics/dashboard/transient_embed_service.rb'
-    - 'app/services/packages/debian/generate_distribution_service.rb'
-    - 'app/services/packages/go/create_package_service.rb'
-    - 'app/services/packages/maven/metadata/append_package_file_service.rb'
-    - 'app/services/packages/rubygems/create_gemspec_service.rb'
-    - 'app/services/pages/migrate_legacy_storage_to_deployment_service.rb'
-    - 'app/services/projects/lfs_pointers/lfs_download_service.rb'
-    - 'app/uploaders/ci/secure_file_uploader.rb'
-    - 'config/initializers/doorkeeper_openid_connect.rb'
-    - 'config/initializers/session_store.rb'
-    - 'config/settings.rb'
-    - 'db/post_migrate/20210731132939_backfill_stage_event_hash.rb'
-    - 'ee/app/models/storage_shard.rb'
-    - 'ee/app/services/elastic/bookkeeping_shard_service.rb'
-    - 'ee/app/services/security/track_scan_service.rb'
-    - 'ee/app/services/vulnerabilities/create_service_base.rb'
-    - 'ee/app/services/vulnerabilities/manually_create_service.rb'
-    - 'ee/app/services/vulnerabilities/starboard_vulnerability_create_service.rb'
-    - 'ee/lib/ee/gitlab/background_migration/populate_latest_pipeline_ids.rb'
-    - 'ee/lib/ee/gitlab/background_migration/populate_resolved_on_default_branch_column.rb'
-    - 'ee/lib/ee/gitlab/background_migration/recalculate_vulnerability_finding_signatures_for_findings.rb'
-    - 'ee/lib/gitlab/analytics/cycle_analytics/stage_events/label_based_stage_event.rb'
-    - 'ee/lib/gitlab/ci/reports/dependency_list/dependency.rb'
-    - 'ee/lib/gitlab/ci/reports/security/remediation.rb'
-    - 'ee/lib/gitlab/geo/replication/blob_downloader.rb'
-    - 'ee/spec/factories/vulnerabilities/feedback.rb'
-    - 'ee/spec/factories/vulnerabilities/finding_signatures.rb'
-    - 'ee/spec/factories/vulnerabilities/remediations.rb'
-    - 'ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb'
-    - 'ee/spec/lib/ee/gitlab/alert_management/payload/generic_spec.rb'
-    - 'ee/spec/lib/ee/gitlab/background_migration/populate_uuids_for_security_findings_spec.rb'
-    - 'ee/spec/lib/ee/gitlab/background_migration/recalculate_vulnerability_finding_signatures_for_findings_spec.rb'
-    - 'ee/spec/lib/ee/gitlab/background_migration/update_vulnerability_occurrences_location_spec.rb'
-    - 'ee/spec/lib/gitlab/analytics/cycle_analytics/stage_events/issue_label_added_spec.rb'
-    - 'ee/spec/lib/gitlab/analytics/cycle_analytics/stage_events/issue_label_removed_spec.rb'
-    - 'ee/spec/lib/gitlab/analytics/cycle_analytics/stage_events/merge_request_label_added_spec.rb'
-    - 'ee/spec/lib/gitlab/analytics/cycle_analytics/stage_events/merge_request_label_removed_spec.rb'
-    - 'ee/spec/lib/gitlab/ci/reports/security/locations/cluster_image_scanning_spec.rb'
-    - 'ee/spec/lib/gitlab/ci/reports/security/locations/container_scanning_spec.rb'
-    - 'ee/spec/lib/gitlab/ci/reports/security/locations/dast_spec.rb'
-    - 'ee/spec/lib/gitlab/ci/reports/security/locations/dependency_scanning_spec.rb'
-    - 'ee/spec/migrations/update_vulnerability_occurrences_location_spec.rb'
-    - 'ee/spec/models/merge_train_spec.rb'
-    - 'ee/spec/models/resource_weight_event_spec.rb'
-    - 'ee/spec/models/vulnerabilities/finding_signature_spec.rb'
-    - 'ee/spec/models/vulnerabilities/finding_spec.rb'
-    - 'ee/spec/services/alert_management/process_prometheus_alert_service_spec.rb'
-    - 'ee/spec/services/merge_trains/check_status_service_spec.rb'
-    - 'ee/spec/services/projects/alerting/notify_service_spec.rb'
-    - 'ee/spec/services/security/ingestion/tasks/ingest_identifiers_spec.rb'
-    - 'ee/spec/services/security/ingestion/tasks/ingest_remediations_spec.rb'
-    - 'ee/spec/services/security/override_uuids_service_spec.rb'
-    - 'ee/spec/services/security/track_scan_service_spec.rb'
-    - 'ee/spec/services/vulnerabilities/manually_create_service_spec.rb'
-    - 'ee/spec/support/matchers/locked_schema.rb'
-    - 'lib/api/files.rb'
-    - 'lib/api/maven_packages.rb'
-    - 'lib/atlassian/jira_connect/serializers/branch_entity.rb'
-    - 'lib/container_registry/client.rb'
-    - 'lib/extracts_path.rb'
-    - 'lib/gitlab/alert_management/fingerprint.rb'
-    - 'lib/gitlab/analytics/cycle_analytics/stage_events/stage_event.rb'
-    - 'lib/gitlab/background_migration/backfill_note_discussion_id.rb'
-    - 'lib/gitlab/background_migration/backfill_project_repositories.rb'
-    - 'lib/gitlab/ci/pipeline/seed/build/cache.rb'
-    - 'lib/gitlab/ci/reports/security/finding.rb'
-    - 'lib/gitlab/ci/reports/security/finding_signature.rb'
-    - 'lib/gitlab/ci/reports/security/identifier.rb'
-    - 'lib/gitlab/ci/reports/security/locations/base.rb'
-    - 'lib/gitlab/ci/reports/test_case.rb'
-    - 'lib/gitlab/color.rb'
-    - 'lib/gitlab/composer/version_index.rb'
-    - 'lib/gitlab/crypto_helper.rb'
-    - 'lib/gitlab/database/migration_helpers.rb'
-    - 'lib/gitlab/database/migration_helpers/v2.rb'
-    - 'lib/gitlab/database/partitioning_migration_helpers/foreign_key_helpers.rb'
-    - 'lib/gitlab/database/schema_helpers.rb'
-    - 'lib/gitlab/database/schema_migrations/migrations.rb'
-    - 'lib/gitlab/database/unidirectional_copy_trigger.rb'
-    - 'lib/gitlab/diff/file.rb'
-    - 'lib/gitlab/diff/formatters/base_formatter.rb'
-    - 'lib/gitlab/diff/position.rb'
-    - 'lib/gitlab/experimentation/controller_concern.rb'
-    - 'lib/gitlab/git.rb'
-    - 'lib/gitlab/git/branch.rb'
-    - 'lib/gitlab/git/lfs_pointer_file.rb'
-    - 'lib/gitlab/git/tag.rb'
-    - 'lib/gitlab/hashed_path.rb'
-    - 'lib/gitlab/insecure_key_fingerprint.rb'
-    - 'lib/gitlab/sidekiq_middleware/duplicate_jobs/duplicate_job.rb'
-    - 'lib/gitlab/slug/environment.rb'
-    - 'lib/gitlab/verify/job_artifacts.rb'
-    - 'lib/json_web_token/rsa_token.rb'
-    - 'lib/tasks/gitlab/assets.rake'
-    - 'lib/tasks/tanuki_emoji.rake'
-    - 'qa/qa/service/praefect_manager.rb'
-    - 'qa/qa/specs/features/browser_ui/6_release/deploy_key/clone_using_deploy_key_spec.rb'
-    - 'qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_non_enforced_sso_spec.rb'
-    - 'scripts/security-harness'
-    - 'spec/components/diffs/stats_component_spec.rb'
-    - 'spec/controllers/projects/blob_controller_spec.rb'
-    - 'spec/factories/ci/job_artifacts.rb'
-    - 'spec/factories/ci/reports/security/finding_keys.rb'
-    - 'spec/factories/ci/unit_test.rb'
-    - 'spec/factories/commit_signature/gpg_signature.rb'
-    - 'spec/factories/commit_signature/ssh_signature.rb'
-    - 'spec/factories/commit_signature/x509_commit_signature.rb'
-    - 'spec/factories/design_management/designs.rb'
-    - 'spec/factories/diff_position.rb'
-    - 'spec/factories/gitaly/commit.rb'
-    - 'spec/factories/merge_request_context_commit.rb'
-    - 'spec/factories/merge_request_context_commit_diff_file.rb'
-    - 'spec/factories/merge_request_diff_commits.rb'
-    - 'spec/factories/merge_request_diffs.rb'
-    - 'spec/factories/pages_deployments.rb'
-    - 'spec/factories/sequences.rb'
-    - 'spec/factories/token_with_ivs.rb'
-    - 'spec/features/file_uploads/git_lfs_spec.rb'
-    - 'spec/features/merge_request/user_sees_diff_spec.rb'
-    - 'spec/features/merge_request/user_suggests_changes_on_diff_spec.rb'
-    - 'spec/finders/merge_requests/oldest_per_commit_finder_spec.rb'
-    - 'spec/lib/gitlab/alert_management/fingerprint_spec.rb'
-    - 'spec/lib/gitlab/alert_management/payload/base_spec.rb'
-    - 'spec/lib/gitlab/alert_management/payload/generic_spec.rb'
-    - 'spec/lib/gitlab/alert_management/payload/prometheus_spec.rb'
-    - 'spec/lib/gitlab/background_migration/backfill_note_discussion_id_spec.rb'
-    - 'spec/lib/gitlab/background_migration/populate_vulnerability_reads_spec.rb'
-    - 'spec/lib/gitlab/ci/reports/security/finding_signature_spec.rb'
-    - 'spec/lib/gitlab/ci/reports/security/locations/sast_spec.rb'
-    - 'spec/lib/gitlab/ci/reports/security/locations/secret_detection_spec.rb'
-    - 'spec/lib/gitlab/ci/reports/test_case_spec.rb'
-    - 'spec/lib/gitlab/crypto_helper_spec.rb'
-    - 'spec/lib/gitlab/database/migration_helpers_spec.rb'
-    - 'spec/lib/gitlab/database/schema_migrations/migrations_spec.rb'
-    - 'spec/lib/gitlab/diff/file_spec.rb'
-    - 'spec/lib/gitlab/diff/position_spec.rb'
-    - 'spec/lib/gitlab/diff/position_tracer/image_strategy_spec.rb'
-    - 'spec/lib/gitlab/diff/position_tracer/line_strategy_spec.rb'
-    - 'spec/lib/gitlab/experimentation/controller_concern_spec.rb'
-    - 'spec/lib/gitlab/git/branch_spec.rb'
-    - 'spec/lib/gitlab/git/tag_spec.rb'
-    - 'spec/lib/gitlab/sidekiq_middleware/duplicate_jobs/duplicate_job_spec.rb'
-    - 'spec/lib/gitlab/slug/environment_spec.rb'
-    - 'spec/migrations/20220107064845_populate_vulnerability_reads_spec.rb'
-    - 'spec/migrations/20220524074947_finalize_backfill_null_note_discussion_ids_spec.rb'
-    - 'spec/migrations/delete_security_findings_without_uuid_spec.rb'
-    - 'spec/migrations/schedule_recalculate_vulnerability_finding_signatures_for_findings_spec.rb'
-    - 'spec/models/ci/artifact_blob_spec.rb'
-    - 'spec/models/ci/job_artifact_spec.rb'
-    - 'spec/models/ci/pipeline_spec.rb'
-    - 'spec/models/ci/secure_file_spec.rb'
-    - 'spec/models/ci/unit_test_spec.rb'
-    - 'spec/models/concerns/checksummable_spec.rb'
-    - 'spec/models/concerns/token_authenticatable_strategies/encryption_helper_spec.rb'
-    - 'spec/models/design_management/version_spec.rb'
-    - 'spec/models/diff_discussion_spec.rb'
-    - 'spec/models/discussion_spec.rb'
-    - 'spec/models/lfs_object_spec.rb'
-    - 'spec/models/merge_request_diff_spec.rb'
-    - 'spec/models/merge_request_spec.rb'
-    - 'spec/models/note_spec.rb'
-    - 'spec/models/pages_deployment_spec.rb'
-    - 'spec/models/performance_monitoring/prometheus_panel_spec.rb'
-    - 'spec/models/project_spec.rb'
-    - 'spec/models/release_highlight_spec.rb'
-    - 'spec/models/repository_spec.rb'
-    - 'spec/models/token_with_iv_spec.rb'
-    - 'spec/models/upload_spec.rb'
-    - 'spec/requests/api/ci/runner/jobs_artifacts_spec.rb'
-    - 'spec/requests/api/ci/secure_files_spec.rb'
-    - 'spec/requests/openid_connect_spec.rb'
-    - 'spec/services/dependency_proxy/find_cached_manifest_service_spec.rb'
-    - 'spec/services/dependency_proxy/head_manifest_service_spec.rb'
-    - 'spec/services/dependency_proxy/request_token_service_spec.rb'
-    - 'spec/services/import_export_clean_up_service_spec.rb'
-    - 'spec/services/pages/migrate_legacy_storage_to_deployment_service_spec.rb'
-    - 'spec/services/projects/after_rename_service_spec.rb'
-    - 'spec/services/projects/create_service_spec.rb'
-    - 'spec/services/projects/lfs_pointers/lfs_download_service_spec.rb'
-    - 'spec/support/helpers/workhorse_helpers.rb'
-    - 'spec/support/migrations_helpers/vulnerabilities_findings_helper.rb'
-    - 'spec/support/shared_examples/lib/gitlab/ci/ci_trace_shared_examples.rb'
-    - 'spec/support/shared_examples/lib/gitlab/cycle_analytics/event_shared_examples.rb'
-    - 'spec/support/shared_examples/lib/gitlab/position_formatters_shared_examples.rb'
-    - 'spec/support/shared_examples/services/alert_management/alert_processing/alert_firing_shared_examples.rb'
-    - 'spec/support/shared_examples/services/alert_management/alert_processing/alert_recovery_shared_examples.rb'
-    - 'spec/support/shared_examples/services/metrics/dashboard_shared_examples.rb'
-    - 'spec/support/shared_examples/services/packages/debian/generate_distribution_shared_examples.rb'
-    - 'spec/support/shared_examples/uploaders/object_storage_shared_examples.rb'
-    - 'spec/support/trace/trace_helpers.rb'
-    - 'spec/uploaders/ci/secure_file_uploader_spec.rb'
-    - 'spec/uploaders/job_artifact_uploader_spec.rb'
-    - 'spec/validators/sha_validator_spec.rb'
-    - 'spec/workers/update_head_pipeline_for_merge_request_worker_spec.rb'

GITALY_SERVER_VERSION

@@ -1 +1 @@
-5caf724a8305ea04370dc49f0d9a7d5f3bc8dd4a
+2b069d8536df98547acba92719b7554d1c7f2262

Gemfile

@@ -407,7 +407,7 @@ group :development, :test do
 end
 
 group :development, :test, :danger do
-  gem 'gitlab-dangerfiles', '~> 3.4.0', require: false
+  gem 'gitlab-dangerfiles', '~> 3.3.0', require: false
 end
 
 group :development, :test, :coverage do

Gemfile.lock

@@ -475,7 +475,7 @@ GEM
       terminal-table (~> 1.5, >= 1.5.1)
     gitlab-chronic (0.10.5)
       numerizer (~> 0.2)
-    gitlab-dangerfiles (3.4.0)
+    gitlab-dangerfiles (3.3.0)
       danger (>= 8.4.5)
       danger-gitlab (>= 8.0.0)
       rake
@@ -1534,7 +1534,7 @@ DEPENDENCIES
   gitaly (~> 15.1.0.pre.rc1)
   github-markup (~> 1.7.0)
   gitlab-chronic (~> 0.10.5)
-  gitlab-dangerfiles (~> 3.4.0)
+  gitlab-dangerfiles (~> 3.3.0)
   gitlab-experiment (~> 0.7.1)
   gitlab-fog-azure-rm (~> 1.3.0)
   gitlab-labkit (~> 0.23.0)

app/assets/javascripts/diffs/components/commit_item.vue

@@ -134,7 +134,9 @@ export default {
             class="avatar-cell d-none d-sm-block"
           />
         </div>
-        <div class="commit-detail flex-list">
+        <div
+          class="commit-detail flex-list gl-display-flex gl-justify-content-space-between gl-align-items-flex-start gl-flex-grow-1 gl-min-w-0"
+        >
           <div class="commit-content" data-qa-selector="commit_content">
             <a
               v-safe-html:[$options.safeHtmlConfig]="commit.title_html"

app/assets/javascripts/repository/components/last_commit.vue

@@ -131,7 +131,9 @@ export default {
         :css-classes="'gl-mr-0!' /* NOTE: this is needed only while we migrate user-avatar-image to GlAvatar (7731 epics) */"
         :size="32"
       />
-      <div class="commit-detail flex-list">
+      <div
+        class="commit-detail flex-list gl-display-flex gl-justify-content-space-between gl-align-items-flex-start gl-flex-grow-1 gl-min-w-0"
+      >
         <div class="commit-content qa-commit-content">
           <gl-link
             v-safe-html:[$options.safeHtmlConfig]="commit.titleHtml"

app/assets/stylesheets/pages/branches.scss

@@ -1,9 +1,3 @@
-.content-list > .branch-item,
-.branch-title {
-  display: flex;
-  align-items: center;
-}
-
 .branch-info {
   flex: auto;
   min-width: 0;

app/assets/stylesheets/pages/commits.scss

@@ -133,18 +133,6 @@
   }
 }
 
-.commit-detail {
-  display: flex;
-  justify-content: space-between;
-  align-items: start;
-  flex-grow: 1;
-  min-width: 0;
-
-  .project-namespace {
-    color: $gl-text-color-tertiary;
-  }
-}
-
 .commit-content {
   padding-right: 10px;
   white-space: normal;

app/views/projects/branches/_branch.html.haml

@@ -1,9 +1,9 @@
 - merged = local_assigns.fetch(:merged, false)
 - commit = @repository.commit(branch.dereferenced_target)
 - merge_project = merge_request_source_project_for_project(@project)
-%li{ class: "branch-item js-branch-item js-branch-#{branch.name}", data: { name: branch.name } }
+%li{ class: "branch-item gl-display-flex! gl-align-items-center! js-branch-item js-branch-#{branch.name}", data: { name: branch.name } }
   .branch-info
-    .branch-title
+    .gl-display-flex.gl-align-items-center
       = sprite_icon('branch', size: 12, css_class: 'gl-flex-shrink-0')
       = link_to project_tree_path(@project, branch.name), class: 'item-title str-truncated-100 ref-name gl-ml-3 qa-branch-name' do
         = branch.name

app/views/projects/commits/_commit.html.haml

@@ -24,7 +24,7 @@
   .avatar-cell.d-none.d-sm-block
     = author_avatar(commit, size: 40, has_tooltip: false)
 
-  .commit-detail.flex-list
+  .commit-detail.flex-list.gl-display-flex.gl-justify-content-space-between.gl-align-items-flex-start.gl-flex-grow-1.gl-min-w-0
     .commit-content{ data: { qa_selector: 'commit_content' } }
       - if view_details && merge_request
         = link_to commit.title, project_commit_path(project, commit.id, merge_request_iid: merge_request.iid), class: ["commit-row-message item-title js-onboarding-commit-item", ("font-italic" if commit.message.empty?)]

app/views/projects/empty.html.haml

@@ -21,10 +21,10 @@
     = _('You can get started by cloning the repository or start adding files to it with one of the following options.')
 
 .project-buttons.qa-quick-actions
-  .project-clone-holder.d-block.d-md-none.mt-2.mr-2
+  .project-clone-holder.d-block.d-md-none.gl-mt-3.gl-mr-3
     = render "shared/mobile_clone_panel"
 
-  .project-clone-holder.d-none.d-md-inline-block.mb-2.mr-2.float-left
+  .project-clone-holder.d-none.d-md-inline-block.gl-mb-3.gl-mr-3.float-left
     = render "projects/buttons/clone"
   = render 'stat_anchor_list', anchors: @project.empty_repo_statistics_buttons, project_buttons: true
 

app/workers/projects/refresh_build_artifacts_size_statistics_worker.rb

@@ -5,10 +5,6 @@ module Projects
     include ApplicationWorker
     include LimitedCapacity::Worker
 
-    MAX_RUNNING_LOW = 2
-    MAX_RUNNING_MEDIUM = 20
-    MAX_RUNNING_HIGH = 50
-
     data_consistency :always
 
     feature_category :build_artifacts
@@ -37,12 +33,8 @@ module Projects
     end
 
     def max_running_jobs
-      if ::Feature.enabled?(:projects_build_artifacts_size_refresh_high)
-        MAX_RUNNING_HIGH
-      elsif ::Feature.enabled?(:projects_build_artifacts_size_refresh_medium)
-        MAX_RUNNING_MEDIUM
-      elsif ::Feature.enabled?(:projects_build_artifacts_size_refresh_low)
-        MAX_RUNNING_LOW
+      if ::Feature.enabled?(:projects_build_artifacts_size_refresh, type: :ops)
+        10
       else
         0
       end

config/feature_flags/development/group_name_path_vue.yml

@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/363623
 milestone: '15.1'
 type: development
 group: group::workspace
-default_enabled: false
+default_enabled: true

config/feature_flags/development/projects_build_artifacts_size_refresh_high.yml

@@ -1,8 +0,0 @@
----
-name: projects_build_artifacts_size_refresh_high
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81306
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/356018
-milestone: '14.9'
-type: development
-group: group::pipeline insights
-default_enabled: false

config/feature_flags/development/projects_build_artifacts_size_refresh_low.yml

@@ -1,8 +0,0 @@
----
-name: projects_build_artifacts_size_refresh_low
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81306
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/356018
-milestone: '14.9'
-type: development
-group: group::pipeline insights
-default_enabled: false

config/feature_flags/development/projects_build_artifacts_size_refresh_medium.yml

@@ -1,8 +0,0 @@
----
-name: projects_build_artifacts_size_refresh_medium
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81306
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/356018
-milestone: '14.9'
-type: development
-group: group::pipeline insights
-default_enabled: false

config/feature_flags/ops/projects_build_artifacts_size_refresh.yml

@@ -0,0 +1,8 @@
+---
+name: projects_build_artifacts_size_refresh
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84701
+rollout_issue_url:
+milestone: '15.1'
+type: ops
+group: group::pipeline insights
+default_enabled: true

danger/roulette/Dangerfile

@@ -111,10 +111,6 @@ if changes.any?
     markdown_row_for_spin(spin.category, spin)
   end
 
-  roulette.required_approvals.each do |approval|
-    rows << markdown_row_for_spin(approval.category, approval.spin)
-  end
-
   markdown(REVIEW_ROULETTE_SECTION)
 
   if rows.empty?

doc/development/dangerbot.md

@@ -175,15 +175,7 @@ at GitLab so far:
 - Database review
 - Documentation review
 - Merge request metrics
-- Reviewer roulette. Reviewers and maintainers are chosen based on:
-  - Their roles (backend, frontend, database, etc).
-  - Their availability:
-    - No "OOO"/"PTO"/"Parental Leave" in their GitLab or Slack status.
-    - No `:red_circle:`/`:palm_tree:`/`:beach:`/`:beach_umbrella:`/`:beach_with_umbrella:` emojis in GitLab or Slack status.
-  - (Experimental) Their time zone: people for which the local hour is between
-    6 AM and 2 PM are eligible to be picked. This is to ensure they have a good
-    chance to get to perform a review during their current work day. The experimentation is tracked in
-    [this issue](https://gitlab.com/gitlab-org/quality/team-tasks/-/issues/563)
+- [Reviewer roulette](code_review.md#reviewer-roulette)
 - Single codebase effort
 
 ## Limitations

lib/tasks/gitlab/db.rake

@@ -367,5 +367,68 @@ namespace :gitlab do
         Rake::Task['gitlab:db:execute_batched_migrations'].invoke
       end
     end
+
+    namespace :dictionary do
+      DB_DOCS_PATH = File.join(Rails.root, 'db', 'docs')
+
+      desc 'Generate database docs yaml'
+      task generate: :environment do
+        FileUtils.mkdir_p(DB_DOCS_PATH) unless Dir.exist?(DB_DOCS_PATH)
+
+        Rails.application.eager_load!
+
+        tables = Gitlab::Database.database_base_models.flat_map { |_, m| m.connection.tables }
+        classes = tables.to_h { |t| [t, []] }
+
+        Gitlab::Database.database_base_models.each do |_, model_class|
+          model_class
+            .descendants
+            .reject(&:abstract_class)
+            .reject { |c| c.name =~ /^(?:EE::)?Gitlab::(?:BackgroundMigration|DatabaseImporters)::/ }
+            .reject { |c| c.name =~ /^HABTM_/ }
+            .each { |c| classes[c.table_name] << c.name if classes.has_key?(c.table_name) }
+        end
+
+        version = Gem::Version.new(File.read('VERSION'))
+        milestone = version.release.segments[0..1].join('.')
+
+        tables.each do |table_name|
+          file = File.join(DB_DOCS_PATH, "#{table_name}.yml")
+
+          table_metadata = {
+            'table_name' => table_name,
+            'classes' => classes[table_name]&.sort&.uniq,
+            'feature_categories' => [],
+            'description' => nil,
+            'introduced_by_url' => nil,
+            'milestone' => milestone
+          }
+
+          if File.exist?(file)
+            outdated = false
+
+            existing_metadata = YAML.safe_load(File.read(file))
+
+            if existing_metadata['table_name'] != table_metadata['table_name']
+              existing_metadata['table_name'] = table_metadata['table_name']
+              outdated = true
+            end
+
+            if existing_metadata['classes'].difference(table_metadata['classes']).any?
+              existing_metadata['classes'] = table_metadata['classes']
+              outdated = true
+            end
+
+            File.write(file, existing_metadata.to_yaml) if outdated
+          else
+            File.write(file, table_metadata.to_yaml)
+          end
+        end
+      end
+
+      Rake::Task['db:migrate'].enhance do
+        Rake::Task['gitlab:db:dictionary:generate'].invoke if Rails.env.development?
+      end
+    end
   end
 end

locale/gitlab.pot

@@ -34110,6 +34110,9 @@ msgstr ""
 msgid "SecurityOrchestration|Enforce security for this project. %{linkStart}More information.%{linkEnd}"
 msgstr ""
 
+msgid "SecurityOrchestration|Failed to load cluster agents."
+msgstr ""
+
 msgid "SecurityOrchestration|If any scanner finds a newly detected critical vulnerability in an open merge request targeting the master branch, then require two approvals from any member of App security."
 msgstr ""
 
@@ -34401,6 +34404,9 @@ msgstr ""
 msgid "SecurityReports|Check the messages generated while parsing the following security reports, as they may prevent the results from being ingested by GitLab. Ensure the security report conforms to a supported %{helpPageLinkStart}JSON schema%{helpPageLinkEnd}."
 msgstr ""
 
+msgid "SecurityReports|Cluster"
+msgstr ""
+
 msgid "SecurityReports|Comment added to '%{vulnerabilityName}'"
 msgstr ""
 
@@ -44751,6 +44757,9 @@ msgstr ""
 msgid "ciReport|API fuzzing"
 msgstr ""
 
+msgid "ciReport|All clusters"
+msgstr ""
+
 msgid "ciReport|All projects"
 msgstr ""
 

scripts/process_custom_semgrep_results.sh

@@ -0,0 +1,55 @@
+# This script requires BOT_USER_ID, CUSTOM_SAST_RULES_BOT_PAT and CI_MERGE_REQUEST_IID variables to be set
+
+echo "Processing vuln report"
+
+# Preparing the message for the comment that will be posted by the bot
+# Empty string if there are no findings
+jq -crM '.vulnerabilities |
+  map( select( .identifiers[0].name | test( "glappsec_" ) ) |
+  "- `" + .location.file + "` line " + ( .location.start_line | tostring ) +
+    (
+      if .location.start_line = .location.end_line then ""
+      else ( " to " + ( .location.end_line | tostring ) ) end
+    ) + ": " + .message
+  ) |
+  sort |
+  if length > 0 then
+    { body: ("The findings below have been detected based on the [AppSec custom Semgrep rules](https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules/) and need attention:\n\n" + join("\n") + "\n\n/cc @gitlab-com/gl-security/appsec") }
+  else
+    empty
+  end' gl-sast-report.json >findings.txt
+
+echo "Resulting file:"
+cat findings.txt
+
+EXISTING_COMMENT_ID=$(curl "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes" \
+  --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" |
+  jq -crM 'map( select( .author.id == (env.BOT_USER_ID | tonumber) ) | .id ) | first')
+
+echo "EXISTING_COMMENT_ID: $EXISTING_COMMENT_ID"
+
+if [ "$EXISTING_COMMENT_ID" == "null" ]; then
+  if [ -s findings.txt ]; then
+    echo "No existing comment and there are findings: a new comment will be posted"
+    curl "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes" \
+      --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" \
+      --header 'Content-Type: application/json' \
+      --data '@findings.txt'
+  else
+    echo "No existing comment and no findings: nothing to do"
+  fi
+else
+  if [ -s findings.txt ]; then
+    echo "There is an existing comment and there are findings: the existing comment will be updated"
+    curl --request PUT "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes/$EXISTING_COMMENT_ID" \
+      --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" \
+      --header 'Content-Type: application/json' \
+      --data '@findings.txt'
+  else
+    echo "There is an existing comment but no findings: the existing comment will be updated to mention everything is resolved"
+    curl --request PUT "https://gitlab.com/api/v4/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes/$EXISTING_COMMENT_ID" \
+      --header "Private-Token: $CUSTOM_SAST_RULES_BOT_PAT" \
+      --header 'Content-Type: application/json' \
+      --data '{"body":"All findings based on the [AppSec custom Semgrep rules](https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules/) have been resolved! :tada:"}'
+  fi
+fi

spec/frontend/repository/components/__snapshots__/last_commit_spec.js.snap

@@ -17,7 +17,7 @@ exports[`Repository last commit component renders commit widget 1`] = `
   />
    
   <div
-    class="commit-detail flex-list"
+    class="commit-detail flex-list gl-display-flex gl-justify-content-space-between gl-align-items-flex-start gl-flex-grow-1 gl-min-w-0"
   >
     <div
       class="commit-content qa-commit-content"

spec/workers/projects/refresh_build_artifacts_size_statistics_worker_spec.rb

@@ -62,32 +62,11 @@ RSpec.describe Projects::RefreshBuildArtifactsSizeStatisticsWorker do
   describe '#max_running_jobs' do
     subject { worker.max_running_jobs }
 
-    context 'when all projects_build_artifacts_size_refresh flags are enabled' do
-      it { is_expected.to eq(described_class::MAX_RUNNING_HIGH) }
-    end
+    it { is_expected.to eq(10) }
 
-    context 'when projects_build_artifacts_size_refresh_high flags is disabled' do
+    context 'when projects_build_artifacts_size_refresh flag is disabled' do
       before do
-        stub_feature_flags(projects_build_artifacts_size_refresh_high: false)
-      end
-
-      it { is_expected.to eq(described_class::MAX_RUNNING_MEDIUM) }
-    end
-
-    context 'when projects_build_artifacts_size_refresh_high and projects_build_artifacts_size_refresh_medium flags are disabled' do
-      before do
-        stub_feature_flags(projects_build_artifacts_size_refresh_high: false)
-        stub_feature_flags(projects_build_artifacts_size_refresh_medium: false)
-      end
-
-      it { is_expected.to eq(described_class::MAX_RUNNING_LOW) }
-    end
-
-    context 'when all projects_build_artifacts_size_refresh flags are disabled' do
-      before do
-        stub_feature_flags(projects_build_artifacts_size_refresh_low: false)
-        stub_feature_flags(projects_build_artifacts_size_refresh_medium: false)
-        stub_feature_flags(projects_build_artifacts_size_refresh_high: false)
+        stub_feature_flags(projects_build_artifacts_size_refresh: false)
       end
 
       it { is_expected.to eq(0) }