Add latest changes from gitlab-org/gitlab@master

.gitlab/ci/package-and-test/main.gitlab-ci.yml

@@ -7,7 +7,7 @@ include:
   - local: .gitlab/ci/package-and-test/rules.gitlab-ci.yml
   - local: .gitlab/ci/package-and-test/variables.gitlab-ci.yml
   - project: gitlab-org/quality/pipeline-common
-    ref: 1.3.0
+    ref: 1.5.0
     file:
       - /ci/base.gitlab-ci.yml
       - /ci/allure-report.yml

.gitlab/ci/review-apps/qa.gitlab-ci.yml

@@ -1,6 +1,6 @@
 include:
   - project: gitlab-org/quality/pipeline-common
-    ref: 1.3.0
+    ref: 1.5.0
     file:
       - /ci/base.gitlab-ci.yml
       - /ci/allure-report.yml
@@ -140,7 +140,7 @@ e2e-test-report:
   variables:
     ALLURE_JOB_NAME: e2e-review-qa
     ALLURE_PROJECT_PATH: $CI_PROJECT_PATH
-    ALLURE_RESULTS_GLOB: qa/tmp/allure-results/*
+    ALLURE_RESULTS_GLOB: qa/tmp/allure-results
     ALLURE_MERGE_REQUEST_IID: $CI_MERGE_REQUEST_IID
     GITLAB_AUTH_TOKEN: $GITLAB_QA_MR_ALLURE_REPORT_TOKEN
     GIT_STRATEGY: none

GITALY_SERVER_VERSION

@@ -1 +1 @@
-f94d4abfae5a3ee09caacd1b2dd28dca875eafa0
+aaf6f16ca40fdb671858e38662a72d96d51987df

app/policies/group_policy.rb

@@ -22,7 +22,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
   condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }
   condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
   condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
-  condition(:migration_bot, scope: :user) { @user.migration_bot? }
+  condition(:migration_bot, scope: :user) { @user&.migration_bot? }
   condition(:can_read_group_member) { can_read_group_member? }
 
   desc "User is a project bot"

db/post_migrate/20221021160735_add_index_for_common_finder_query_desc_with_namespace_id.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class AddIndexForCommonFinderQueryDescWithNamespaceId < Gitlab::Database::Migration[2.0]
+  INDEX_NAME = 'index_group_vulnerability_reads_common_finder_query_desc'
+
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_index :vulnerability_reads,
+                         [:namespace_id, :state, :report_type, :severity, :vulnerability_id],
+                         name: INDEX_NAME,
+                         order: { severity: :desc, vulnerability_id: :desc }
+  end
+
+  def down
+    remove_concurrent_index_by_name :vulnerability_reads, INDEX_NAME
+  end
+end

db/schema_migrations/20221021160735

@@ -0,0 +1 @@
+0b7727e942f6e3fa2e1b0ed9e22c504a64aceac19adf25f126baba587db4b764

db/structure.sql

@@ -29113,6 +29113,8 @@ CREATE INDEX index_group_stages_on_stage_event_hash_id ON analytics_cycle_analyt
 
 CREATE UNIQUE INDEX index_group_user_callouts_feature ON user_group_callouts USING btree (user_id, feature_name, group_id);
 
+CREATE INDEX index_group_vulnerability_reads_common_finder_query_desc ON vulnerability_reads USING btree (namespace_id, state, report_type, severity DESC, vulnerability_id DESC);
+
 CREATE UNIQUE INDEX index_group_wiki_repositories_on_disk_path ON group_wiki_repositories USING btree (disk_path);
 
 CREATE INDEX index_group_wiki_repositories_on_shard_id ON group_wiki_repositories USING btree (shard_id);

doc/.vale/gitlab/InternalLinkCase.yml

@@ -6,7 +6,7 @@
 # For a list of all options, see https://vale.sh/docs/topics/styles/
 extends: existence
 message: 'Links to subheadings in GitLab docs must be in lower-case: "%s"'
-link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-to-internal-documentation
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-within-the-same-repository
 level: error
 scope: raw
 raw:

doc/.vale/gitlab/InternalLinkExtension.yml

@@ -6,7 +6,7 @@
 # For a list of all options, see https://vale.sh/docs/topics/styles/
 extends: existence
 message: 'Link "%s" must link directly to a file and use the .md file extension.'
-link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-to-internal-documentation
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-within-the-same-repository
 level: error
 scope: raw
 raw:

doc/.vale/gitlab/InternalLinkFormat.yml

@@ -6,8 +6,8 @@
 # For a list of all options, see https://vale.sh/docs/topics/styles/
 extends: existence
 message: 'Link "%s" must not start with "./".'
-link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-to-internal-documentation
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-within-the-same-repository
 level: error
 scope: raw
 raw:
-  - '\[.+\]\(\.\/.*?\)'
+  - '\[[^\]]+\]\(\.\/.*?\)'

doc/.vale/gitlab/RelativeLinksDoubleSlashes.yml

@@ -6,7 +6,7 @@
 # For a list of all options, see https://vale.sh/docs/topics/styles/
 extends: existence
 message: 'Relative links must not include a double slash.'
-link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-to-internal-documentation
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-within-the-same-repository
 level: error
 scope: raw
 raw:

doc/user/group/manage.md

@@ -66,6 +66,7 @@ This action removes the group. It also adds a background job to delete all proje
 Specifically:
 
 - In [GitLab 12.8 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/33257), on [GitLab Premium](https://about.gitlab.com/pricing/premium/) or higher tiers, this action adds a background job to mark a group for deletion. By default, the job schedules the deletion 7 days in the future. You can modify this waiting period through the [instance settings](../admin_area/settings/visibility_and_access_controls.md#deletion-protection).
+
 - In [GitLab 13.6 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/39504), if the user who sets up the deletion is removed from the group before the
 deletion happens, the job is cancelled, and the group is no longer scheduled for deletion.
 
@@ -262,6 +263,12 @@ If you are changing the path so it can be claimed by another group or user,
 you must rename the group too. Both names and paths must
 be unique.
 
+After you change the group path, the new group path is a new namespace and you must update the existing project URL in the following resources:
+
+- [Include statements](../../ci/yaml/includes.md#include-a-single-configuration-file).
+- Docker image references in CI files.
+- Variables that specify a project or namespace.
+
 To retain ownership of the original namespace and protect the URL redirects,
 create a new group and transfer projects to it instead.
 

doc/user/project/integrations/webhooks.md

@@ -177,9 +177,13 @@ that the request is legitimate.
 
 ## Filter push events by branch
 
-Push events can be filtered by branch using a branch name or wildcard pattern
-to limit which push events are sent to your webhook endpoint. By default,
-all push events are sent to your webhook endpoint. You can configure branch filtering
+You can filter push events by branch. Use one of the following options to filter which push events are sent to your webhook endpoint:
+
+- **All branches**: push events from all branches.
+- **Wildcard pattern**: push events from a branch that matches a wildcard pattern (for example, `*-stable` or `production/*`).
+- **Regular expression**: push events from a branch that matches a regular expression (for example, `(feature|hotfix)/*`).
+
+You can configure branch filtering
 in the [webhook settings](#configure-a-webhook-in-gitlab) in your project.
 
 ## How image URLs are displayed in the webhook body

qa/qa/specs/features/api/12_systems/gitaly/distributed_reads_spec.rb

@@ -45,7 +45,11 @@ module QA
         end
 
         it 'does not read from the unhealthy node',
-           testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347834' do
+           testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347834',
+           quarantine: {
+             issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/378174',
+             type: :flaky
+           } do
           pre_read_data = praefect_manager.query_read_distribution
 
           read_from_project(project, number_of_reads_per_loop * 10)

spec/lib/gitlab/ci/templates/Jobs/build_gitlab_ci_yaml_spec.rb

@@ -3,8 +3,20 @@
 require 'spec_helper'
 
 RSpec.describe 'Jobs/Build.gitlab-ci.yml' do
+  include Ci::TemplateHelpers
+
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Build') }
 
+  describe 'AUTO_BUILD_IMAGE_VERSION' do
+    it 'corresponds to a published image in the registry' do
+      registry = "https://#{template_registry_host}"
+      repository = "gitlab-org/cluster-integration/auto-build-image"
+      reference = YAML.safe_load(template.content).dig('variables', 'AUTO_BUILD_IMAGE_VERSION')
+
+      expect(public_image_exist?(registry, repository, reference)).to be true
+    end
+  end
+
   describe 'the created pipeline' do
     let_it_be(:project) { create(:project, :repository) }
     let_it_be(:user) { project.first_owner }

spec/lib/gitlab/ci/templates/Jobs/deploy_gitlab_ci_yaml_spec.rb

@@ -3,6 +3,8 @@
 require 'spec_helper'
 
 RSpec.describe 'Jobs/Deploy.gitlab-ci.yml' do
+  include Ci::TemplateHelpers
+
   subject(:template) do
     <<~YAML
       stages:
@@ -26,6 +28,17 @@ RSpec.describe 'Jobs/Deploy.gitlab-ci.yml' do
     YAML
   end
 
+  describe 'AUTO_DEPLOY_IMAGE_VERSION' do
+    it 'corresponds to a published image in the registry' do
+      template = Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Deploy')
+      registry = "https://#{template_registry_host}"
+      repository = "gitlab-org/cluster-integration/auto-deploy-image"
+      reference = YAML.safe_load(template.content, aliases: true).dig('variables', 'AUTO_DEPLOY_IMAGE_VERSION')
+
+      expect(public_image_exist?(registry, repository, reference)).to be true
+    end
+  end
+
   describe 'the created pipeline' do
     let_it_be(:project, refind: true) { create(:project, :repository) }
 

spec/policies/group_policy_spec.rb

@@ -258,6 +258,19 @@ RSpec.describe GroupPolicy do
     it_behaves_like 'deploy token does not get confused with user' do
       let(:user_id) { migration_bot.id }
     end
+
+    context 'with no user' do
+      let(:current_user) { nil }
+
+      it :aggregate_failures do
+        expect_disallowed(:read_resource_access_tokens, :destroy_resource_access_tokens)
+        expect_disallowed(*guest_permissions)
+        expect_disallowed(*reporter_permissions)
+        expect_disallowed(*developer_permissions)
+        expect_disallowed(*maintainer_permissions)
+        expect_disallowed(*owner_permissions)
+      end
+    end
   end
 
   describe 'private nested group use the highest access level from the group and inherited permissions' do

spec/support/helpers/ci/template_helpers.rb

@@ -5,6 +5,51 @@ module Ci
     def template_registry_host
       'registry.gitlab.com'
     end
+
+    def public_image_exist?(registry, repository, image)
+      public_image_manifest(registry, repository, image).present?
+    end
+
+    def public_image_manifest(registry, repository, reference)
+      token = public_image_repository_token(registry, repository)
+
+      response = with_net_connect_allowed do
+        Gitlab::HTTP.get(image_manifest_url(registry, repository, reference),
+                         headers: { 'Authorization' => "Bearer #{token}" })
+      end
+
+      return unless response.success?
+
+      Gitlab::Json.parse(response.body)
+    end
+
+    def public_image_repository_token(registry, repository)
+      @public_image_repository_tokens ||= {}
+      @public_image_repository_tokens[[registry, repository]] ||=
+        begin
+          response = with_net_connect_allowed do
+            Gitlab::HTTP.get(image_manifest_url(registry, repository, 'latest'))
+          end
+
+          return unless response.unauthorized?
+
+          www_authenticate = response.headers['www-authenticate']
+          return unless www_authenticate
+
+          realm, service, scope = www_authenticate.split(',').map { |s| s[/\w+="(.*)"/, 1] }
+          token_response = with_net_connect_allowed do
+            Gitlab::HTTP.get(realm, query: { service: service, scope: scope })
+          end
+
+          return unless token_response.success?
+
+          token_response['token']
+        end
+    end
+
+    def image_manifest_url(registry, repository, reference)
+      "#{registry}/v2/#{repository}/manifests/#{reference}"
+    end
   end
 end
 

spec/support/webmock.rb

@@ -15,6 +15,13 @@ def webmock_allowed_hosts
   end.compact.uniq
 end
 
+def with_net_connect_allowed
+  WebMock.allow_net_connect!
+  yield
+ensure
+  webmock_enable!
+end
+
 # This prevents Selenium/WebMock from spawning thousands of connections
 # while waiting for an element to appear via Capybara's find:
 # https://github.com/teamcapybara/capybara/issues/2322#issuecomment-619321520