diff --git a/.rubocop_todo/style/string_concatenation.yml b/.rubocop_todo/style/string_concatenation.yml
index 3dd708d2c49..ec15edbc206 100644
--- a/.rubocop_todo/style/string_concatenation.yml
+++ b/.rubocop_todo/style/string_concatenation.yml
@@ -263,6 +263,7 @@ Style/StringConcatenation:
     - 'spec/models/custom_emoji_spec.rb'
     - 'spec/models/grafana_integration_spec.rb'
     - 'spec/models/integrations/campfire_spec.rb'
+    - 'spec/models/integrations/datadog_spec.rb'
     - 'spec/models/integrations/chat_message/pipeline_message_spec.rb'
     - 'spec/models/integrations/chat_message/push_message_spec.rb'
     - 'spec/models/integrations/jenkins_spec.rb'
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cebce972519..c0016f0f255 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,26 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 15.4.1 (2022-09-29)
+
+### Security (15 changes)
+
+- [Redact user's private email in group member event webhook](gitlab-org/security/gitlab@f556c625f37d1be801b54c5a1ff3dd37434d48e4) ([merge request](gitlab-org/security/gitlab!2809))
+- [Redact secrets from WebHookLogs](gitlab-org/security/gitlab@7101edbc7fc27e2d2d23b8f9f84611943b310b71) ([merge request](gitlab-org/security/gitlab!2805))
+- [Forbid creating a tag using default branch name](gitlab-org/security/gitlab@ba3e62fc30f475b9334440409f5bad481b3c5dd6) ([merge request](gitlab-org/security/gitlab!2798))
+- [Sanitize Url and check for valid numerical errorId in error tracking](gitlab-org/security/gitlab@fba573834091aec7bde7856bfddd080cc74fb3ae) ([merge request](gitlab-org/security/gitlab!2819))
+- [Add security protection for Github](gitlab-org/security/gitlab@6265bdb12496d34f30d9ae6889288c6857fd4fd0) ([merge request](gitlab-org/security/gitlab!2803))
+- [Fix leaking emails in WebHookLogs](gitlab-org/security/gitlab@7580a2d62cd421b5176a3ce7f23c7d192e69989e) ([merge request](gitlab-org/security/gitlab!2806))
+- [Restrict max duration to 1 year for trace display](gitlab-org/security/gitlab@e1162719cc9e62692c911c992175d6ef3b5f996f) ([merge request](gitlab-org/security/gitlab!2817))
+- [Use UntrustedRegexp for upload rewriter](gitlab-org/security/gitlab@fde2bb115242a9af3678e5c8547c7c9ccd2b0c1e) ([merge request](gitlab-org/security/gitlab!2790))
+- [Validate httpUrlToRepo to be http or https only](gitlab-org/security/gitlab@d56ebc1a207618ec846e6ee2c842d3a5019444b7) ([merge request](gitlab-org/security/gitlab!2811))
+- [Respect instance level rule for editing approval rules](gitlab-org/security/gitlab@dc5dd5be3f3f681ca499d3a59eb469bd12dad51b) ([merge request](gitlab-org/security/gitlab!2796))
+- [Prevent users creating issues in ay project via board/issues controller](gitlab-org/security/gitlab@e0b09653ff468b65a73155a2e28077a0e94dc7e8) ([merge request](gitlab-org/security/gitlab!2781))
+- [Prevent serialization of sensible attributes from JsonCache](gitlab-org/security/gitlab@d1842119756b8a69a5d1b14ebd902dc2f4b24dbf) ([merge request](gitlab-org/security/gitlab!2818))
+- [Update TodoPolicy to handle confidential notes](gitlab-org/security/gitlab@cddab943af028c4653dacdd832be5e3e8ac778d3) ([merge request](gitlab-org/security/gitlab!2833))
+- [Enforce group IP restriction on Dependency Proxy](gitlab-org/security/gitlab@fff740c7ab046c5e8ef6495ffa3b45228e11841a) ([merge request](gitlab-org/security/gitlab!2801))
+- [Fixes XSS in widget extensions](gitlab-org/security/gitlab@459becb7a1b0336ddf67f867eecbdf37d579f881) ([merge request](gitlab-org/security/gitlab!2832))
+
 ## 15.4.0 (2022-09-21)
 
 ### Added (162 changes)
@@ -634,6 +654,26 @@ entry.
 - [Improve specs with shared examples](gitlab-org/gitlab@dd3f2ecd882e89511eaa927102fc4101f684a38f) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/95539)) **GitLab Enterprise Edition**
 - [Fix Style/Next offenses](gitlab-org/gitlab@bdf877063ba1d8d4df1216f7875905343d9e5e33) ([merge request](gitlab-org/gitlab!93329))
 
+## 15.3.4 (2022-09-29)
+
+### Security (15 changes)
+
+- [Redact user's private email in group member event webhook](gitlab-org/security/gitlab@172b8a57bd4acca14d65a4b7a5fd021babacb146) ([merge request](gitlab-org/security/gitlab!2794))
+- [Redact secrets from WebHookLogs](gitlab-org/security/gitlab@7394ab9b32a7bd83b98f93e904312e469f34cd9c) ([merge request](gitlab-org/security/gitlab!2737))
+- [Forbid creating a tag using default branch name](gitlab-org/security/gitlab@1b556c33aa11c32994be562cfea0ff2e5e13a54e) ([merge request](gitlab-org/security/gitlab!2799))
+- [Sanitize Url and check for valid numerical errorId in error tracking](gitlab-org/security/gitlab@2a5a51b5b2839963fe7084261c8a7fcc6f09f19c) ([merge request](gitlab-org/security/gitlab!2785))
+- [Add security protection for Github](gitlab-org/security/gitlab@bc23f46dba26bcdf0c773c24081e4ae3597bf751) ([merge request](gitlab-org/security/gitlab!2802))
+- [Fix leaking emails in WebHookLogs](gitlab-org/security/gitlab@a31a652c331877e0f97269310ec5f1bc6266398f) ([merge request](gitlab-org/security/gitlab!2807))
+- [Restrict max duration to 1 year for trace display](gitlab-org/security/gitlab@b62fd774b6f311988c7e10f3544f2aeabeab85d1) ([merge request](gitlab-org/security/gitlab!2815))
+- [Use UntrustedRegexp for upload rewriter](gitlab-org/security/gitlab@2eea36acbc5687aa9806946861e73f2fb11a9654) ([merge request](gitlab-org/security/gitlab!2791))
+- [Validate httpUrlToRepo to be http or https only](gitlab-org/security/gitlab@0b340ef6d6e54804445916f5b1fa53185de4b1f7) ([merge request](gitlab-org/security/gitlab!2760))
+- [Respect instance level rule for editing approval rules](gitlab-org/security/gitlab@2d2a7b8652dbd1085fe1bfc0b69138aecdeaf9c8) ([merge request](gitlab-org/security/gitlab!2782))
+- [Prevent users creating issues in ay project via board/issues controller](gitlab-org/security/gitlab@559b23e6942a650cafa358ea96b7ee549f76fbd6) ([merge request](gitlab-org/security/gitlab!2780))
+- [Prevent serialization of sensible attributes from JsonCache](gitlab-org/security/gitlab@f712d58af3aeb3f0fe1c56a290188e19fce72ad6) ([merge request](gitlab-org/security/gitlab!2771))
+- [Update TodoPolicy to handle confidential notes](gitlab-org/security/gitlab@6bd37cd0595bbf4c744a5b212fc41181c9dc88ef) ([merge request](gitlab-org/security/gitlab!2748))
+- [Enforce group IP restriction on Dependency Proxy](gitlab-org/security/gitlab@cc42b5e91e04e77ade63f1fdb91e88b998c156f7) ([merge request](gitlab-org/security/gitlab!2764))
+- [Fixes XSS in widget extensions](gitlab-org/security/gitlab@1d10849c7eee6207435bfd223e1f8639b2816c1e) ([merge request](gitlab-org/security/gitlab!2759))
+
 ## 15.3.3 (2022-09-01)
 
 ### Fixed (5 changes)
@@ -1277,6 +1317,27 @@ entry.
 - [Remove FF import_release_authors_from_github](gitlab-org/gitlab@c4d6871e4438a1626d688856903778623138f671) ([merge request](gitlab-org/gitlab!92686))
 - [Remove unused feature](gitlab-org/gitlab@0ef95d341e4a15150d6ccb3d104ebbe064aa062a) ([merge request](gitlab-org/gitlab!92753))
 
+## 15.2.5 (2022-09-29)
+
+### Security (16 changes)
+
+- [Geo: Do not delete object stored files when not GitLab managed](gitlab-org/security/gitlab@340554d933823b0424e16318673ccd6a82e87d35) ([merge request](gitlab-org/security/gitlab!2775))
+- [Redact user's private email in group member event webhook](gitlab-org/security/gitlab@dcc5fd6bcef40109c92e0faa34bf52b568465e80) ([merge request](gitlab-org/security/gitlab!2795))
+- [Redact secrets from WebHookLogs](gitlab-org/security/gitlab@e53429f776d06b9881f20a000d1a2b40e2f13a2c) ([merge request](gitlab-org/security/gitlab!2657))
+- [Forbid creating a tag using default branch name](gitlab-org/security/gitlab@ff172ca5d5550d3ff263efaef9ce18b6b78cbfbb) ([merge request](gitlab-org/security/gitlab!2800))
+- [Sanitize Url and check for valid numerical errorId in error tracking](gitlab-org/security/gitlab@2d983dc2b99f387c1e30312cb452cf21a4aa6f27) ([merge request](gitlab-org/security/gitlab!2786))
+- [Add security protection for Github](gitlab-org/security/gitlab@9f6d284039431f1376c4be03f5d364e12090fbc7) ([merge request](gitlab-org/security/gitlab!2804))
+- [Fix leaking emails in WebHookLogs](gitlab-org/security/gitlab@7e0e629f7559ad1ad7375a4ab94748febe5fd1ef) ([merge request](gitlab-org/security/gitlab!2808))
+- [Restrict max duration to 1 year for trace display](gitlab-org/security/gitlab@2df0b5b9978b09bbc95efbea5f227e3afaa220c7) ([merge request](gitlab-org/security/gitlab!2816))
+- [Use UntrustedRegexp for upload rewriter](gitlab-org/security/gitlab@c0bd5867a091ed7d04e19a6598c2e112daca4861) ([merge request](gitlab-org/security/gitlab!2792))
+- [Validate httpUrlToRepo to be http or https only](gitlab-org/security/gitlab@98ee48505898f3b5535587c0081292d82b94009e) ([merge request](gitlab-org/security/gitlab!2761))
+- [Respect instance level rule for editing approval rules](gitlab-org/security/gitlab@7157ddbaf6be664a708b24f59be541d7e16fbbd6) ([merge request](gitlab-org/security/gitlab!2783))
+- [Prevent users creating issues in ay project via board/issues controller](gitlab-org/security/gitlab@55b2ba96fa53b2aa3e8de889bc05671339f7aa76) ([merge request](gitlab-org/security/gitlab!2779))
+- [Prevent serialization of sensible attributes from JsonCache](gitlab-org/security/gitlab@809aff4805a2916425f7ec0cd995101140f663f8) ([merge request](gitlab-org/security/gitlab!2772))
+- [Update TodoPolicy to handle confidential notes](gitlab-org/security/gitlab@b95b1bc4ea7b5d69ff02283789c68f821ec54cee) ([merge request](gitlab-org/security/gitlab!2749))
+- [Enforce group IP restriction on Dependency Proxy](gitlab-org/security/gitlab@4342542081be434e013110f9dd456b5caf286464) ([merge request](gitlab-org/security/gitlab!2765))
+- [Fixes XSS in widget extensions](gitlab-org/security/gitlab@e3d4d46967e72f12645d08ef1879223a1ec2d398) ([merge request](gitlab-org/security/gitlab!2675))
+
 ## 15.2.4 (2022-08-30)
 
 ### Security (18 changes)
diff --git a/app/assets/javascripts/error_tracking/components/error_tracking_list.vue b/app/assets/javascripts/error_tracking/components/error_tracking_list.vue
index a07428dafea..de4b11699fc 100644
--- a/app/assets/javascripts/error_tracking/components/error_tracking_list.vue
+++ b/app/assets/javascripts/error_tracking/components/error_tracking_list.vue
@@ -22,12 +22,16 @@ import AccessorUtils from '~/lib/utils/accessor';
 import { __ } from '~/locale';
 import Tracking from '~/tracking';
 import TimeAgo from '~/vue_shared/components/time_ago_tooltip.vue';
+import { sanitizeUrl } from '~/lib/utils/url_utility';
 import { trackErrorListViewsOptions, trackErrorStatusUpdateOptions } from '../utils';
 import { I18N_ERROR_TRACKING_LIST } from '../constants';
 import ErrorTrackingActions from './error_tracking_actions.vue';
 
 export const tableDataClass = 'table-col d-flex d-md-table-cell align-items-center';
 
+const isValidErrorId = (errorId) => {
+  return /^[0-9]+$/.test(errorId);
+};
 export default {
   FIRST_PAGE: 1,
   PREV_PAGE: 1,
@@ -202,6 +206,9 @@ export default {
       this.searchByQuery(text);
     },
     getDetailsLink(errorId) {
+      if (!isValidErrorId(errorId)) {
+        return 'about:blank';
+      }
       return `error_tracking/${errorId}/details`;
     },
     goToNextPage() {
@@ -222,7 +229,10 @@ export default {
       return filter === this.statusFilter;
     },
     getIssueUpdatePath(errorId) {
-      return `/${this.projectPath}/-/error_tracking/${errorId}.json`;
+      if (!isValidErrorId(errorId)) {
+        return 'about:blank';
+      }
+      return sanitizeUrl(`/${this.projectPath}/-/error_tracking/${errorId}.json`);
     },
     filterErrors(status, label) {
       this.filterValue = label;
diff --git a/app/assets/javascripts/vue_merge_request_widget/components/extensions/child_content.vue b/app/assets/javascripts/vue_merge_request_widget/components/extensions/child_content.vue
index 52c9f047b76..a10e5efa0e7 100644
--- a/app/assets/javascripts/vue_merge_request_widget/components/extensions/child_content.vue
+++ b/app/assets/javascripts/vue_merge_request_widget/components/extensions/child_content.vue
@@ -1,5 +1,6 @@
 <script>
 import { GlBadge, GlLink, GlSafeHtmlDirective, GlModalDirective } from '@gitlab/ui';
+import { isArray } from 'lodash';
 import Actions from '../action_buttons.vue';
 import StatusIcon from './status_icon.vue';
 import { generateText } from './utils';
@@ -35,6 +36,20 @@ export default {
       required: true,
     },
   },
+  computed: {
+    subtext() {
+      const { subtext } = this.data;
+      if (subtext) {
+        if (isArray(subtext)) {
+          return subtext.map((t) => generateText(t)).join('<br />');
+        }
+
+        return generateText(subtext);
+      }
+
+      return null;
+    },
+  },
   methods: {
     isArray(arr) {
       return Array.isArray(arr);
@@ -93,11 +108,7 @@ export default {
             @clickedAction="onClickedAction"
           />
         </div>
-        <p
-          v-if="data.subtext"
-          v-safe-html="generateText(data.subtext)"
-          class="gl-m-0 gl-font-sm"
-        ></p>
+        <p v-if="subtext" v-safe-html="subtext" class="gl-m-0 gl-font-sm"></p>
       </div>
     </div>
     <template v-if="data.children && level === 2">
diff --git a/app/assets/javascripts/vue_merge_request_widget/components/extensions/utils.js b/app/assets/javascripts/vue_merge_request_widget/components/extensions/utils.js
index cba12507eba..757178ee336 100644
--- a/app/assets/javascripts/vue_merge_request_widget/components/extensions/utils.js
+++ b/app/assets/javascripts/vue_merge_request_widget/components/extensions/utils.js
@@ -35,6 +35,9 @@ const textStyleTags = {
   [getStartTag('small')]: '<span class="gl-font-sm gl-text-gray-700">',
 };
 
+const escapeText = (text) =>
+  document.createElement('div').appendChild(document.createTextNode(text)).parentNode.innerHTML;
+
 const createText = (text) => {
   return text
     .replace(
@@ -61,7 +64,7 @@ const createText = (text) => {
 
 export const generateText = (text) => {
   if (typeof text === 'string') {
-    return createText(text);
+    return createText(escapeText(text));
   } else if (
     typeof text === 'object' &&
     typeof text.text === 'string' &&
@@ -69,8 +72,8 @@ export const generateText = (text) => {
   ) {
     return createText(
       `${
-        text.prependText ? `${text.prependText} ` : ''
-      }<a class="gl-text-decoration-underline" href="${text.href}">${text.text}</a>`,
+        text.prependText ? `${escapeText(text.prependText)} ` : ''
+      }<a class="gl-text-decoration-underline" href="${text.href}">${escapeText(text.text)}</a>`,
     );
   }
 
diff --git a/app/assets/javascripts/vue_merge_request_widget/extensions/code_quality/index.js b/app/assets/javascripts/vue_merge_request_widget/extensions/code_quality/index.js
index 2477429af5b..68347ac269e 100644
--- a/app/assets/javascripts/vue_merge_request_widget/extensions/code_quality/index.js
+++ b/app/assets/javascripts/vue_merge_request_widget/extensions/code_quality/index.js
@@ -19,25 +19,23 @@ export default {
       if (errorSummary.errored >= 1 && errorSummary.resolved >= 1) {
         const improvements = sprintf(
           n__(
-            '%{strongOpen}%{errors}%{strongClose} point',
-            '%{strongOpen}%{errors}%{strongClose} points',
+            '%{strong_start}%{errors}%{strong_end} point',
+            '%{strong_start}%{errors}%{strong_end} points',
             resolvedErrors.length,
           ),
           {
             errors: resolvedErrors.length,
-            strongOpen: '<strong>',
-            strongClose: '</strong>',
           },
           false,
         );
 
         const degradations = sprintf(
           n__(
-            '%{strongOpen}%{errors}%{strongClose} point',
-            '%{strongOpen}%{errors}%{strongClose} points',
+            '%{strong_start}%{errors}%{strong_end} point',
+            '%{strong_start}%{errors}%{strong_end} points',
             newErrors.length,
           ),
-          { errors: newErrors.length, strongOpen: '<strong>', strongClose: '</strong>' },
+          { errors: newErrors.length },
           false,
         );
         return sprintf(
@@ -96,14 +94,11 @@ export default {
       this.collapsedData.resolvedErrors.map((e) => {
         return fullData.push({
           text: `${capitalizeFirstCharacter(e.severity)} - ${e.description}`,
-          subtext: sprintf(
-            s__(`ciReport|in %{open_link}${e.file_path}:${e.line}%{close_link}`),
-            {
-              open_link: `<a class="gl-text-decoration-underline" href="${e.urlPath}">`,
-              close_link: '</a>',
-            },
-            false,
-          ),
+          subtext: {
+            prependText: s__(`ciReport|in`),
+            text: `${e.file_path}:${e.line}`,
+            href: e.urlPath,
+          },
           icon: {
             name: SEVERITY_ICONS_EXTENSION[e.severity],
           },
diff --git a/app/assets/javascripts/vue_merge_request_widget/extensions/terraform/index.js b/app/assets/javascripts/vue_merge_request_widget/extensions/terraform/index.js
index 6611aedcb07..626a99f7d64 100644
--- a/app/assets/javascripts/vue_merge_request_widget/extensions/terraform/index.js
+++ b/app/assets/javascripts/vue_merge_request_widget/extensions/terraform/index.js
@@ -63,13 +63,16 @@ export default {
       if (valid.length) {
         title = validText;
         if (invalid.length) {
-          subtitle = sprintf(`<br>%{small_start}${invalidText}%{small_end}`);
+          subtitle = invalidText;
         }
       } else {
         title = invalidText;
       }
 
-      return `${title}${subtitle}`;
+      return {
+        subject: title,
+        meta: subtitle,
+      };
     },
     fetchCollapsedData() {
       return axios
@@ -152,9 +155,8 @@ export default {
       }
 
       return {
-        text: `${title}
-        <br>
-        ${subtitle}`,
+        text: title,
+        supportingText: subtitle,
         icon: { name: iconName },
         actions,
       };
diff --git a/app/assets/javascripts/vue_merge_request_widget/extensions/test_report/utils.js b/app/assets/javascripts/vue_merge_request_widget/extensions/test_report/utils.js
index 6896f8831e8..37f9964d23a 100644
--- a/app/assets/javascripts/vue_merge_request_widget/extensions/test_report/utils.js
+++ b/app/assets/javascripts/vue_merge_request_widget/extensions/test_report/utils.js
@@ -60,7 +60,7 @@ export const reportSubTextBuilder = ({ suite_errors: suiteErrors, summary }) =>
     if (suiteErrors?.base) {
       errors.push(`${i18n.baseReportParsingError} ${suiteErrors.base}`);
     }
-    return errors.join('<br />');
+    return errors;
   }
   return recentFailuresTextBuilder(summary);
 };
diff --git a/app/graphql/batch_loaders/award_emoji_votes_batch_loader.rb b/app/graphql/batch_loaders/award_emoji_votes_batch_loader.rb
new file mode 100644
index 00000000000..c1b35d3eaf7
--- /dev/null
+++ b/app/graphql/batch_loaders/award_emoji_votes_batch_loader.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module BatchLoaders
+  module AwardEmojiVotesBatchLoader
+    private
+
+    def load_votes(object, vote_type)
+      BatchLoader::GraphQL.for(object.id).batch(key: "#{object.issuing_parent_id}-#{vote_type}") do |ids, loader, args|
+        counts = AwardEmoji.votes_for_collection(ids, object.class.name).named(vote_type).index_by(&:awardable_id)
+
+        ids.each do |id|
+          loader.call(id, counts[id]&.count || 0)
+        end
+      end
+    end
+
+    def authorized_resource?(object)
+      Ability.allowed?(current_user, "read_#{object.to_ability_name}".to_sym, object)
+    end
+  end
+end
diff --git a/app/graphql/resolvers/down_votes_count_resolver.rb b/app/graphql/resolvers/down_votes_count_resolver.rb
new file mode 100644
index 00000000000..0e7772f988a
--- /dev/null
+++ b/app/graphql/resolvers/down_votes_count_resolver.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Resolvers
+  class DownVotesCountResolver < BaseResolver
+    include Gitlab::Graphql::Authorize::AuthorizeResource
+    include BatchLoaders::AwardEmojiVotesBatchLoader
+
+    type GraphQL::Types::Int, null: true
+
+    def resolve
+      authorize!(object)
+      load_votes(object, AwardEmoji::DOWNVOTE_NAME)
+    end
+  end
+end
diff --git a/app/graphql/resolvers/up_votes_count_resolver.rb b/app/graphql/resolvers/up_votes_count_resolver.rb
new file mode 100644
index 00000000000..1c78facb694
--- /dev/null
+++ b/app/graphql/resolvers/up_votes_count_resolver.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Resolvers
+  class UpVotesCountResolver < BaseResolver
+    include Gitlab::Graphql::Authorize::AuthorizeResource
+    include BatchLoaders::AwardEmojiVotesBatchLoader
+
+    type GraphQL::Types::Int, null: true
+
+    def resolve
+      authorize!(object)
+      load_votes(object, AwardEmoji::UPVOTE_NAME)
+    end
+  end
+end
diff --git a/app/graphql/types/issue_type.rb b/app/graphql/types/issue_type.rb
index d897f3cde48..ca4eb044bab 100644
--- a/app/graphql/types/issue_type.rb
+++ b/app/graphql/types/issue_type.rb
@@ -58,15 +58,20 @@ module Types
                                             description: 'Indicates the issue is hidden because the author has been banned. ' \
           'Will always return `null` if `ban_user_feature_flag` feature flag is disabled.'
 
-    field :downvotes, GraphQL::Types::Int, null: false,
-                                           description: 'Number of downvotes the issue has received.'
+    field :downvotes, GraphQL::Types::Int,
+          null: false,
+          description: 'Number of downvotes the issue has received.',
+          resolver: Resolvers::DownVotesCountResolver
     field :merge_requests_count, GraphQL::Types::Int, null: false,
                                                       description: 'Number of merge requests that close the issue on merge.',
                                                       resolver: Resolvers::MergeRequestsCountResolver
     field :relative_position, GraphQL::Types::Int, null: true,
                                                    description: 'Relative position of the issue (used for positioning in epic tree and issue boards).'
-    field :upvotes, GraphQL::Types::Int, null: false,
-                                         description: 'Number of upvotes the issue has received.'
+    field :upvotes, GraphQL::Types::Int,
+          null: false,
+          description: 'Number of upvotes the issue has received.',
+          resolver: Resolvers::UpVotesCountResolver
+
     field :user_discussions_count, GraphQL::Types::Int, null: false,
                                                         description: 'Number of user discussions in the issue.',
                                                         resolver: Resolvers::UserDiscussionsCountResolver
diff --git a/app/graphql/types/merge_request_type.rb b/app/graphql/types/merge_request_type.rb
index 399dcc8e03d..3a39236bafa 100644
--- a/app/graphql/types/merge_request_type.rb
+++ b/app/graphql/types/merge_request_type.rb
@@ -75,8 +75,12 @@ module Types
           null: false, calls_gitaly: true,
           method: :diverged_from_target_branch?,
           description: 'Indicates if the source branch is behind the target branch.'
-    field :downvotes, GraphQL::Types::Int, null: false,
-                                           description: 'Number of downvotes for the merge request.'
+
+    field :downvotes, GraphQL::Types::Int,
+          null: false,
+          description: 'Number of downvotes for the merge request.',
+          resolver: Resolvers::DownVotesCountResolver
+
     field :force_remove_source_branch, GraphQL::Types::Boolean, method: :force_remove_source_branch?, null: true,
                                                                 description: 'Indicates if the project settings will lead to source branch deletion after merge.'
     field :in_progress_merge_commit_sha, GraphQL::Types::String, null: true,
@@ -118,8 +122,12 @@ module Types
           null: false, calls_gitaly: true,
           method: :target_branch_exists?,
           description: 'Indicates if the target branch of the merge request exists.'
-    field :upvotes, GraphQL::Types::Int, null: false,
-                                         description: 'Number of upvotes for the merge request.'
+
+    field :upvotes, GraphQL::Types::Int,
+          null: false,
+          description: 'Number of upvotes for the merge request.',
+          resolver: Resolvers::UpVotesCountResolver
+
     field :user_discussions_count, GraphQL::Types::Int, null: true,
                                                         description: 'Number of user discussions in the merge request.',
                                                         resolver: Resolvers::UserDiscussionsCountResolver
diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index ddc682bc08a..21b18203677 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -441,7 +441,8 @@ module ApplicationSettingsHelper
       :group_runner_token_expiration_interval,
       :project_runner_token_expiration_interval,
       :pipeline_limit_per_project_user_sha,
-      :invitation_flow_enforcement
+      :invitation_flow_enforcement,
+      :can_create_group
     ].tap do |settings|
       next if Gitlab.com?
 
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 2dcee7f64d5..fa8951bf642 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -406,7 +406,7 @@ class ApplicationSetting < ApplicationRecord
   validates :invisible_captcha_enabled,
             inclusion: { in: [true, false], message: _('must be a boolean value') }
 
-  validates :invitation_flow_enforcement,
+  validates :invitation_flow_enforcement, :can_create_group,
             allow_nil: false,
             inclusion: { in: [true, false], message: _('must be a boolean value') }
 
@@ -792,6 +792,10 @@ class ApplicationSetting < ApplicationRecord
     ::AsciidoctorExtensions::Kroki::SUPPORTED_DIAGRAM_NAMES.include?(diagram_type)
   end
 
+  def personal_access_tokens_disabled?
+    false
+  end
+
   private
 
   def parsed_grafana_url
diff --git a/app/models/application_setting_implementation.rb b/app/models/application_setting_implementation.rb
index 4d377855dea..dee4bd07fd9 100644
--- a/app/models/application_setting_implementation.rb
+++ b/app/models/application_setting_implementation.rb
@@ -240,7 +240,8 @@ module ApplicationSettingImplementation
         search_rate_limit: 30,
         search_rate_limit_unauthenticated: 10,
         users_get_by_id_limit: 300,
-        users_get_by_id_limit_allowlist: []
+        users_get_by_id_limit_allowlist: [],
+        can_create_group: true
       }
     end
 
diff --git a/app/models/ci/pipeline.rb b/app/models/ci/pipeline.rb
index fe2db8ed4ec..2631ed3f672 100644
--- a/app/models/ci/pipeline.rb
+++ b/app/models/ci/pipeline.rb
@@ -112,6 +112,8 @@ module Ci
 
     has_one :pipeline_config, class_name: 'Ci::PipelineConfig', inverse_of: :pipeline
 
+    has_one :pipeline_metadata, class_name: 'Ci::PipelineMetadata', inverse_of: :pipeline
+
     has_many :daily_build_group_report_results, class_name: 'Ci::DailyBuildGroupReportResult', foreign_key: :last_pipeline_id
     has_many :latest_builds_report_results, through: :latest_builds, source: :report_results
     has_many :pipeline_artifacts, class_name: 'Ci::PipelineArtifact', inverse_of: :pipeline, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
@@ -119,6 +121,7 @@ module Ci
     accepts_nested_attributes_for :variables, reject_if: :persisted?
 
     delegate :full_path, to: :project, prefix: true
+    delegate :title, to: :pipeline_metadata, allow_nil: true
 
     validates :sha, presence: { unless: :importing? }
     validates :ref, presence: { unless: :importing? }
diff --git a/app/models/ci/pipeline_metadata.rb b/app/models/ci/pipeline_metadata.rb
new file mode 100644
index 00000000000..c96b395b45f
--- /dev/null
+++ b/app/models/ci/pipeline_metadata.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Ci
+  class PipelineMetadata < Ci::ApplicationRecord
+    self.primary_key = :pipeline_id
+
+    belongs_to :pipeline, class_name: "Ci::Pipeline", inverse_of: :pipeline_metadata
+    belongs_to :project, class_name: "Project", inverse_of: :pipeline_metadata
+
+    validates :pipeline, presence: true
+    validates :project, presence: true
+    validates :title, presence: true, length: { minimum: 1, maximum: 255 }
+  end
+end
diff --git a/app/models/concerns/integrations/has_web_hook.rb b/app/models/concerns/integrations/has_web_hook.rb
index b5d69d1574d..e622faf4a51 100644
--- a/app/models/concerns/integrations/has_web_hook.rb
+++ b/app/models/concerns/integrations/has_web_hook.rb
@@ -14,6 +14,11 @@ module Integrations
       raise NotImplementedError
     end
 
+    # Return the url variables to be used for the webhook.
+    def url_variables
+      raise NotImplementedError
+    end
+
     # Return whether the webhook should use SSL verification.
     def hook_ssl_verification
       if respond_to?(:enable_ssl_verification)
@@ -26,7 +31,11 @@ module Integrations
     # Create or update the webhook, raising an exception if it cannot be saved.
     def update_web_hook!
       hook = service_hook || build_service_hook
-      hook.url = hook_url if hook.url != hook_url # avoid reencryption
+
+      # Avoid reencryption
+      hook.url = hook_url if hook.url != hook_url
+      hook.url_variables = url_variables if hook.url_variables != url_variables
+
       hook.enable_ssl_verification = hook_ssl_verification
       hook.save! if hook.changed?
       hook
diff --git a/app/models/concerns/safe_url.rb b/app/models/concerns/safe_url.rb
index 7dce05bddba..d6378e6ac6f 100644
--- a/app/models/concerns/safe_url.rb
+++ b/app/models/concerns/safe_url.rb
@@ -3,13 +3,16 @@
 module SafeUrl
   extend ActiveSupport::Concern
 
+  # Return the URL with obfuscated userinfo
+  # and keeping it intact
   def safe_url(allowed_usernames: [])
     return if url.nil?
 
-    uri = URI.parse(url)
+    escaped = Addressable::URI.escape(url)
+    uri = URI.parse(escaped)
     uri.password = '*****' if uri.password
     uri.user = '*****' if uri.user && allowed_usernames.exclude?(uri.user)
-    uri.to_s
-  rescue URI::Error
+    Addressable::URI.unescape(uri.to_s)
+  rescue URI::Error, TypeError
   end
 end
diff --git a/app/models/hooks/web_hook_log.rb b/app/models/hooks/web_hook_log.rb
index 3fc3f193f19..c32957fbef9 100644
--- a/app/models/hooks/web_hook_log.rb
+++ b/app/models/hooks/web_hook_log.rb
@@ -22,7 +22,7 @@ class WebHookLog < ApplicationRecord
   validates :web_hook, presence: true
 
   before_save :obfuscate_basic_auth
-  before_save :redact_author_email
+  before_save :redact_user_emails
 
   def self.recent
     where(created_at: 2.days.ago.beginning_of_day..Time.zone.now)
@@ -54,9 +54,9 @@ class WebHookLog < ApplicationRecord
     self.url = safe_url
   end
 
-  def redact_author_email
-    return unless self.request_data.dig('commit', 'author', 'email').present?
-
-    self.request_data['commit']['author']['email'] = _('[REDACTED]')
+  def redact_user_emails
+    self.request_data.deep_transform_values! do |value|
+      value =~ URI::MailTo::EMAIL_REGEXP ? _('[REDACTED]') : value
+    end
   end
 end
diff --git a/app/models/integrations/buildkite.rb b/app/models/integrations/buildkite.rb
index 7a48e71b934..f2d2aca3ffe 100644
--- a/app/models/integrations/buildkite.rb
+++ b/app/models/integrations/buildkite.rb
@@ -50,7 +50,11 @@ module Integrations
 
     override :hook_url
     def hook_url
-      "#{buildkite_endpoint('webhook')}/deliver/#{webhook_token}"
+      "#{buildkite_endpoint('webhook')}/deliver/{webhook_token}"
+    end
+
+    def url_variables
+      { 'webhook_token' => webhook_token }
     end
 
     def execute(data)
diff --git a/app/models/integrations/datadog.rb b/app/models/integrations/datadog.rb
index 4479725a33b..c9407aa738e 100644
--- a/app/models/integrations/datadog.rb
+++ b/app/models/integrations/datadog.rb
@@ -154,13 +154,17 @@ module Integrations
       url = api_url.presence || sprintf(URL_TEMPLATE, datadog_domain: datadog_domain)
       url = URI.parse(url)
       query = {
-        "dd-api-key" => api_key,
+        "dd-api-key" => 'THIS_VALUE_WILL_BE_REPLACED',
         service: datadog_service.presence,
         env: datadog_env.presence,
         tags: datadog_tags_query_param.presence
       }.compact
       url.query = query.to_query
-      url.to_s
+      url.to_s.gsub('THIS_VALUE_WILL_BE_REPLACED', '{api_key}')
+    end
+
+    def url_variables
+      { 'api_key' => api_key }
     end
 
     def execute(data)
diff --git a/app/models/integrations/drone_ci.rb b/app/models/integrations/drone_ci.rb
index de69afeba6a..d1a64aa96d4 100644
--- a/app/models/integrations/drone_ci.rb
+++ b/app/models/integrations/drone_ci.rb
@@ -106,7 +106,11 @@ module Integrations
 
     override :hook_url
     def hook_url
-      [drone_url, "/hook", "?owner=#{project.namespace.full_path}", "&name=#{project.path}", "&access_token=#{token}"].join
+      [drone_url, "/hook", "?owner=#{project.namespace.full_path}", "&name=#{project.path}", "&access_token={token}"].join
+    end
+
+    def url_variables
+      { 'token' => token }
     end
 
     override :update_web_hook!
diff --git a/app/models/integrations/jenkins.rb b/app/models/integrations/jenkins.rb
index c68b5fd2a96..74a6449f4f9 100644
--- a/app/models/integrations/jenkins.rb
+++ b/app/models/integrations/jenkins.rb
@@ -69,6 +69,10 @@ module Integrations
       url.to_s
     end
 
+    def url_variables
+      {}
+    end
+
     def self.supported_events
       %w(push merge_request tag_push)
     end
diff --git a/app/models/integrations/packagist.rb b/app/models/integrations/packagist.rb
index f91404dab23..7177c82a167 100644
--- a/app/models/integrations/packagist.rb
+++ b/app/models/integrations/packagist.rb
@@ -66,7 +66,11 @@ module Integrations
     override :hook_url
     def hook_url
       base_url = server.presence || 'https://packagist.org'
-      "#{base_url}/api/update-package?username=#{username}&apiToken=#{token}"
+      "#{base_url}/api/update-package?username={username}&apiToken={token}"
+    end
+
+    def url_variables
+      { 'username' => username, 'token' => token }
     end
   end
 end
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 353e12b6c5c..9437a1a3363 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -112,6 +112,7 @@ class Issue < ApplicationRecord
   enum issue_type: WorkItems::Type.base_types
 
   alias_method :issuing_parent, :project
+  alias_attribute :issuing_parent_id, :project_id
 
   alias_attribute :external_author, :service_desk_reply_to
 
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index ad5ab48fbca..06abbece57f 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -445,6 +445,7 @@ class MergeRequest < ApplicationRecord
   # we'd eventually rename the column for avoiding confusions, but in the mean time
   # please use `auto_merge_enabled` alias instead of `merge_when_pipeline_succeeds`.
   alias_attribute :auto_merge_enabled, :merge_when_pipeline_succeeds
+  alias_attribute :issuing_parent_id, :target_project_id
   alias_method :issuing_parent, :target_project
 
   delegate :builds_with_coverage, to: :head_pipeline, prefix: true, allow_nil: true
diff --git a/app/models/project.rb b/app/models/project.rb
index 3387a55f20d..fcf7f71aa75 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -350,6 +350,7 @@ class Project < ApplicationRecord
   has_many :stages, class_name: 'Ci::Stage', inverse_of: :project
   has_many :ci_refs, class_name: 'Ci::Ref', inverse_of: :project
 
+  has_many :pipeline_metadata, class_name: 'Ci::PipelineMetadata', inverse_of: :project
   has_many :pending_builds, class_name: 'Ci::PendingBuild'
   has_many :builds, class_name: 'Ci::Build', inverse_of: :project
   has_many :processables, class_name: 'Ci::Processable', inverse_of: :project
diff --git a/app/models/user.rb b/app/models/user.rb
index 5c474ad0fa6..9fa9419cd37 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -60,7 +60,7 @@ class User < ApplicationRecord
 
   default_value_for :admin, false
   default_value_for(:external) { Gitlab::CurrentSettings.user_default_external }
-  default_value_for :can_create_group, gitlab_config.default_can_create_group
+  default_value_for(:can_create_group) { Gitlab::CurrentSettings.can_create_group }
   default_value_for :can_create_team, false
   default_value_for :hide_no_ssh_key, false
   default_value_for :hide_no_password, false
@@ -2153,6 +2153,10 @@ class User < ApplicationRecord
     (Date.current - created_at.to_date).to_i
   end
 
+  def webhook_email
+    public_email.presence || _('[REDACTED]')
+  end
+
   protected
 
   # override, from Devise::Validatable
@@ -2288,7 +2292,7 @@ class User < ApplicationRecord
       self.projects_limit   = 0
     else
       # Only revert these back to the default if they weren't specifically changed in this update.
-      self.can_create_group = gitlab_config.default_can_create_group unless can_create_group_changed?
+      self.can_create_group = Gitlab::CurrentSettings.can_create_group unless can_create_group_changed?
       self.projects_limit = Gitlab::CurrentSettings.default_projects_limit unless projects_limit_changed?
     end
   end
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index e5913bab726..e864ce8752a 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -22,6 +22,12 @@ class IssuablePolicy < BasePolicy
     enable :reopen_issue
   end
 
+  # This rule replicates permissions in NotePolicy#can_read_confidential and it's used in
+  # TodoPolicy for performance reasons
+  rule { can?(:reporter_access) | assignee_or_author | admin }.policy do
+    enable :read_confidential_notes
+  end
+
   rule { can?(:read_merge_request) & assignee_or_author }.policy do
     enable :update_merge_request
     enable :reopen_merge_request
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index e85f18f2d37..1bffcc5aea2 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -20,6 +20,7 @@ class NotePolicy < BasePolicy
 
   condition(:confidential, scope: :subject) { @subject.confidential? }
 
+  # If this condition changes IssuablePolicy#read_confidential_notes should be updated too
   condition(:can_read_confidential) do
     access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user) || admin?
   end
diff --git a/app/policies/todo_policy.rb b/app/policies/todo_policy.rb
index 6237fbc50fa..5c24964f24a 100644
--- a/app/policies/todo_policy.rb
+++ b/app/policies/todo_policy.rb
@@ -5,10 +5,25 @@ class TodoPolicy < BasePolicy
   condition(:own_todo) do
     @user && @subject.user_id == @user.id
   end
+
+  desc "User can read the todo's target"
   condition(:can_read_target) do
     @user && @subject.target&.readable_by?(@user)
   end
 
+  desc "Todo has confidential note"
+  condition(:has_confidential_note, scope: :subject) { @subject&.note&.confidential? }
+
+  desc "User can read the todo's confidential note"
+  condition(:can_read_todo_confidential_note) do
+    @user && @user.can?(:read_confidential_notes, @subject.target)
+  end
+
   rule { own_todo & can_read_target }.enable :read_todo
-  rule { own_todo & can_read_target }.enable :update_todo
+  rule { can?(:read_todo) }.enable :update_todo
+
+  rule { has_confidential_note & ~can_read_todo_confidential_note }.policy do
+    prevent :read_todo
+    prevent :update_todo
+  end
 end
diff --git a/app/services/base_project_service.rb b/app/services/base_project_service.rb
index 1bf4a235a79..8cb6b632a9e 100644
--- a/app/services/base_project_service.rb
+++ b/app/services/base_project_service.rb
@@ -7,7 +7,9 @@ class BaseProjectService < ::BaseContainerService
   attr_accessor :project
 
   def initialize(project:, current_user: nil, params: {})
-    super(container: project, current_user: current_user, params: params)
+    # we need to exclude project params since they may come from external requests. project should always
+    # be passed as part of the service's initializer
+    super(container: project, current_user: current_user, params: params.except(:project, :project_id))
 
     @project = project
   end
diff --git a/app/uploaders/file_uploader.rb b/app/uploaders/file_uploader.rb
index bf5be708060..7250ce5c0b0 100644
--- a/app/uploaders/file_uploader.rb
+++ b/app/uploaders/file_uploader.rb
@@ -14,7 +14,12 @@ class FileUploader < GitlabUploader
   include ObjectStorage::Concern
   prepend ObjectStorage::Extension::RecordsUploads
 
-  MARKDOWN_PATTERN = %r{\!?\[.*?\]\(/uploads/(?<secret>[0-9a-f]{32})/(?<file>.*?)\)}.freeze
+  # This pattern is vulnerable to malicious inputs, so use Gitlab::UntrustedRegexp
+  # to place bounds on execution time
+  MARKDOWN_PATTERN = Gitlab::UntrustedRegexp.new(
+    '!?\[.*?\]\(/uploads/(?P<secret>[0-9a-f]{32})/(?P<file>.*?)\)'
+  )
+
   DYNAMIC_PATH_PATTERN = %r{.*(?<secret>\b(\h{10}|\h{32}))\/(?<identifier>.*)}.freeze
   VALID_SECRET_PATTERN = %r{\A\h{10,32}\z}.freeze
 
diff --git a/app/views/admin/application_settings/_account_and_limit.html.haml b/app/views/admin/application_settings/_account_and_limit.html.haml
index c0e42f22119..e676dae37b3 100644
--- a/app/views/admin/application_settings/_account_and_limit.html.haml
+++ b/app/views/admin/application_settings/_account_and_limit.html.haml
@@ -67,6 +67,6 @@
       = f.gitlab_ui_checkbox_component :user_show_add_ssh_key_message, _("Inform users without uploaded SSH keys that they can't push over SSH until one is added")
 
     = render 'admin/application_settings/invitation_flow_enforcement', form: f
-    = render_if_exists 'admin/application_settings/updating_name_disabled_for_users', form: f
+    = render 'admin/application_settings/user_restrictions', form: f
     = render_if_exists 'admin/application_settings/availability_on_namespace_setting', form: f
   = f.submit _('Save changes'), class: 'qa-save-changes-button', pajamas_button: true
diff --git a/app/views/admin/application_settings/_user_restrictions.html.haml b/app/views/admin/application_settings/_user_restrictions.html.haml
new file mode 100644
index 00000000000..de8faa6705f
--- /dev/null
+++ b/app/views/admin/application_settings/_user_restrictions.html.haml
@@ -0,0 +1,6 @@
+- form = local_assigns.fetch(:form)
+
+.form-group
+  = label_tag _('User restrictions')
+  = render_if_exists 'admin/application_settings/updating_name_disabled_for_users', form: form
+  = form.gitlab_ui_checkbox_component :can_create_group, _("Allow users to create top-level groups")
diff --git a/config/feature_flags/development/audit_invalid_approver_rules.yml b/config/feature_flags/development/audit_invalid_approver_rules.yml
new file mode 100644
index 00000000000..eca5ffc25bb
--- /dev/null
+++ b/config/feature_flags/development/audit_invalid_approver_rules.yml
@@ -0,0 +1,8 @@
+---
+name: audit_invalid_approver_rules
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/98636
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/375060
+milestone: '15.5'
+type: development
+group: group::code review
+default_enabled: false
diff --git a/config/feature_flags/development/skip_default_scope_for_events.yml b/config/feature_flags/development/skip_default_scope_for_events.yml
index 041eca1d227..72957727fd3 100644
--- a/config/feature_flags/development/skip_default_scope_for_events.yml
+++ b/config/feature_flags/development/skip_default_scope_for_events.yml
@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/372464
 milestone: '15.4'
 type: development
 group: group::optimize
-default_enabled: false
+default_enabled: true
diff --git a/config/gitlab_loose_foreign_keys.yml b/config/gitlab_loose_foreign_keys.yml
index c5c2d0a61b9..1530c681eb0 100644
--- a/config/gitlab_loose_foreign_keys.yml
+++ b/config/gitlab_loose_foreign_keys.yml
@@ -70,6 +70,10 @@ ci_pipeline_chat_data:
   - table: chat_names
     column: chat_name_id
     on_delete: async_delete
+ci_pipeline_metadata:
+  - table: projects
+    column: project_id
+    on_delete: async_delete
 ci_pipeline_schedules:
   - table: users
     column: owner_id
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 3fc4b56f458..6c1021a6497 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -183,6 +183,7 @@ Settings.gitlab['default_project_creation'] ||= ::Gitlab::Access::DEVELOPER_MAIN
 Settings.gitlab['default_project_deletion_protection'] ||= false
 Settings.gitlab['default_projects_limit'] ||= 100000
 Settings.gitlab['default_branch_protection'] ||= 2
+# `default_can_create_group` is deprecated since GitLab 15.5 in favour of the `can_create_group` column on `ApplicationSetting`.
 Settings.gitlab['default_can_create_group'] = true if Settings.gitlab['default_can_create_group'].nil?
 Settings.gitlab['default_theme'] = Gitlab::Themes::APPLICATION_DEFAULT if Settings.gitlab['default_theme'].nil?
 Settings.gitlab['host'] ||= ENV['GITLAB_HOST'] || 'localhost'
@@ -1045,6 +1046,7 @@ Settings.shutdown['blackout_seconds'] ||= 10
 #
 if Rails.env.test?
   Settings.gitlab['default_projects_limit']   = 42
+  # `default_can_create_group` is deprecated since GitLab 15.5 in favour of the `can_create_group` column on `ApplicationSetting`.
   Settings.gitlab['default_can_create_group'] = true
   Settings.gitlab['default_can_create_team']  = false
 end
diff --git a/db/docs/ci_pipeline_metadata.yml b/db/docs/ci_pipeline_metadata.yml
new file mode 100644
index 00000000000..ed0bd896841
--- /dev/null
+++ b/db/docs/ci_pipeline_metadata.yml
@@ -0,0 +1,9 @@
+---
+table_name: ci_pipelines_metadata
+classes:
+- Ci::PipelineMetadata
+feature_categories:
+- continuous_integration
+description: 'Stores additional information about CI pipelines'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97139
+milestone: '15.5'
diff --git a/db/migrate/20220901090004_add_can_create_group_to_application_settings.rb b/db/migrate/20220901090004_add_can_create_group_to_application_settings.rb
new file mode 100644
index 00000000000..a61f7c9a080
--- /dev/null
+++ b/db/migrate/20220901090004_add_can_create_group_to_application_settings.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddCanCreateGroupToApplicationSettings < Gitlab::Database::Migration[2.0]
+  def change
+    add_column(:application_settings, :can_create_group, :boolean, default: true, null: false)
+  end
+end
diff --git a/db/migrate/20220901092853_update_can_create_group_application_setting.rb b/db/migrate/20220901092853_update_can_create_group_application_setting.rb
new file mode 100644
index 00000000000..42508184d62
--- /dev/null
+++ b/db/migrate/20220901092853_update_can_create_group_application_setting.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+class UpdateCanCreateGroupApplicationSetting < Gitlab::Database::Migration[2.0]
+  restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+  def up
+    value = gitlab_config.respond_to?(:default_can_create_group) ? gitlab_config.default_can_create_group : true
+    value = Gitlab::Utils.to_boolean(value, default: true)
+
+    execute_update(value: value)
+  end
+
+  def down
+    execute_update(value: true)
+  end
+
+  private
+
+  def execute_update(value:)
+    execute "UPDATE application_settings SET can_create_group = #{value}"
+  end
+
+  def gitlab_config
+    Gitlab.config.gitlab
+  end
+end
diff --git a/db/migrate/20220923103006_add_ci_pipeline_metadata_title.rb b/db/migrate/20220923103006_add_ci_pipeline_metadata_title.rb
new file mode 100644
index 00000000000..3b2f02924a1
--- /dev/null
+++ b/db/migrate/20220923103006_add_ci_pipeline_metadata_title.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+class AddCiPipelineMetadataTitle < Gitlab::Database::Migration[2.0]
+  enable_lock_retries!
+
+  def up
+    create_table :ci_pipeline_metadata, id: false do |t|
+      t.bigint :project_id, null: false
+
+      t.references :pipeline,
+                   null: false,
+                   primary_key: true,
+                   default: nil,
+                   index: false,
+                   foreign_key: { to_table: :ci_pipelines, on_delete: :cascade }
+
+      t.text :title, null: false, limit: 255
+
+      t.index [:pipeline_id, :title], name: 'index_ci_pipeline_metadata_on_pipeline_id_title'
+      t.index [:project_id], name: 'index_ci_pipeline_metadata_on_project_id'
+    end
+  end
+
+  def down
+    drop_table :ci_pipeline_metadata
+  end
+end
diff --git a/db/schema_migrations/20220901090004 b/db/schema_migrations/20220901090004
new file mode 100644
index 00000000000..a0302cfe1ed
--- /dev/null
+++ b/db/schema_migrations/20220901090004
@@ -0,0 +1 @@
+eab8630158a70df1246bf5c12c2d93d9fa855140c65bde4665d1d13f371b561c
\ No newline at end of file
diff --git a/db/schema_migrations/20220901092853 b/db/schema_migrations/20220901092853
new file mode 100644
index 00000000000..2ebe0b9ffee
--- /dev/null
+++ b/db/schema_migrations/20220901092853
@@ -0,0 +1 @@
+0d134b0f3ba5adcc515072a2c1f995f3f3a89f298ee84f1f58c2f7afb0b85a0f
\ No newline at end of file
diff --git a/db/schema_migrations/20220923103006 b/db/schema_migrations/20220923103006
new file mode 100644
index 00000000000..8a11ebc8f8f
--- /dev/null
+++ b/db/schema_migrations/20220923103006
@@ -0,0 +1 @@
+184e634f62549f3fa2f183003957a2f5a5c53b34394ec3430eb0293076ae177a
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index d6665c0999d..649e5191118 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -11484,6 +11484,7 @@ CREATE TABLE application_settings (
     dashboard_notification_limit integer DEFAULT 0 NOT NULL,
     dashboard_enforcement_limit integer DEFAULT 0 NOT NULL,
     dashboard_limit_new_namespace_creation_enforcement_date date,
+    can_create_group boolean DEFAULT true NOT NULL,
     CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
     CONSTRAINT app_settings_container_registry_pre_import_tags_rate_positive CHECK ((container_registry_pre_import_tags_rate >= (0)::numeric)),
     CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)),
@@ -13023,6 +13024,13 @@ CREATE SEQUENCE ci_pipeline_messages_id_seq
 
 ALTER SEQUENCE ci_pipeline_messages_id_seq OWNED BY ci_pipeline_messages.id;
 
+CREATE TABLE ci_pipeline_metadata (
+    project_id bigint NOT NULL,
+    pipeline_id bigint NOT NULL,
+    title text NOT NULL,
+    CONSTRAINT check_e6a636a3f3 CHECK ((char_length(title) <= 255))
+);
+
 CREATE TABLE ci_pipeline_schedule_variables (
     id integer NOT NULL,
     key character varying NOT NULL,
@@ -25083,6 +25091,9 @@ ALTER TABLE ONLY ci_pipeline_chat_data
 ALTER TABLE ONLY ci_pipeline_messages
     ADD CONSTRAINT ci_pipeline_messages_pkey PRIMARY KEY (id);
 
+ALTER TABLE ONLY ci_pipeline_metadata
+    ADD CONSTRAINT ci_pipeline_metadata_pkey PRIMARY KEY (pipeline_id);
+
 ALTER TABLE ONLY ci_pipeline_schedule_variables
     ADD CONSTRAINT ci_pipeline_schedule_variables_pkey PRIMARY KEY (id);
 
@@ -28155,6 +28166,10 @@ CREATE UNIQUE INDEX index_ci_pipeline_chat_data_on_pipeline_id ON ci_pipeline_ch
 
 CREATE INDEX index_ci_pipeline_messages_on_pipeline_id ON ci_pipeline_messages USING btree (pipeline_id);
 
+CREATE INDEX index_ci_pipeline_metadata_on_pipeline_id_title ON ci_pipeline_metadata USING btree (pipeline_id, title);
+
+CREATE INDEX index_ci_pipeline_metadata_on_project_id ON ci_pipeline_metadata USING btree (project_id);
+
 CREATE UNIQUE INDEX index_ci_pipeline_schedule_variables_on_schedule_id_and_key ON ci_pipeline_schedule_variables USING btree (pipeline_schedule_id, key);
 
 CREATE INDEX index_ci_pipeline_schedules_on_next_run_at_and_active ON ci_pipeline_schedules USING btree (next_run_at, active);
@@ -33729,6 +33744,9 @@ ALTER TABLE ONLY resource_iteration_events
 ALTER TABLE ONLY status_page_settings
     ADD CONSTRAINT fk_rails_506e5ba391 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
 
+ALTER TABLE ONLY ci_pipeline_metadata
+    ADD CONSTRAINT fk_rails_50c1e9ea10 FOREIGN KEY (pipeline_id) REFERENCES ci_pipelines(id) ON DELETE CASCADE;
+
 ALTER TABLE ONLY project_repository_storage_moves
     ADD CONSTRAINT fk_rails_5106dbd44a FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
 
diff --git a/doc/administration/audit_event_streaming.md b/doc/administration/audit_event_streaming.md
index 4dc91d0bac1..ca60b6142fe 100644
--- a/doc/administration/audit_event_streaming.md
+++ b/doc/administration/audit_event_streaming.md
@@ -831,3 +831,49 @@ X-Gitlab-Event-Streaming-Token: <DESTINATION_TOKEN>
   "event_type": "project_group_link_destroy"
 }
 ```
+
+## Audit event streaming on invalid merge request approver state
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/374566) in GitLab 15.5.
+
+Stream audit events that relate to invalid merge request approver states within a project.
+
+### Headers
+
+Headers are formatted as follows:
+
+```plaintext
+POST /logs HTTP/1.1
+Host: <DESTINATION_HOST>
+Content-Type: application/x-www-form-urlencoded
+X-Gitlab-Event-Streaming-Token: <DESTINATION_TOKEN>
+X-Gitlab-Audit-Event-Type: audit_operation
+```
+
+### Example payload
+
+```json
+{
+  "id": 1,
+  "author_id": 1,
+  "entity_id": 6,
+  "entity_type": "Project",
+  "details": {
+    "author_name": "example_username",
+    "target_id": 20,
+    "target_type": "MergeRequest",
+    "target_details": { title: "Merge request title", iid: "Merge request iid", id: "Merge request id" },
+    "custom_message": "Invalid merge request approver rules",
+    "ip_address": "127.0.0.1",
+    "entity_path": "example-group/example-project"
+  },
+  "ip_address": "127.0.0.1",
+  "author_name": "example_username",
+  "entity_path": "example-group/example-project",
+  "target_details": "merge request title",
+  "created_at": "2022-03-09T06:53:11.181Z",
+  "target_type": "MergeRequest",
+  "target_id": 20,
+  "event_type": "audit_operation"
+}
+```
diff --git a/doc/administration/auth/ldap/index.md b/doc/administration/auth/ldap/index.md
index 2a595a95635..3bb9350e960 100644
--- a/doc/administration/auth/ldap/index.md
+++ b/doc/administration/auth/ldap/index.md
@@ -13,7 +13,7 @@ to support user authentication.
 This integration works with most LDAP-compliant directory servers, including:
 
 - Microsoft Active Directory.
-  [Microsoft Active Directory Trusts](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771568(v=ws.10))
+  [Microsoft Active Directory Trusts](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771568(v=ws.10))
   are not supported.
 - Apple Open Directory.
 - Open LDAP.
@@ -312,7 +312,7 @@ To limit access to the nested members of an Active Directory group, use the foll
 ```
 
 For more information about `LDAP_MATCHING_RULE_IN_CHAIN` filters, see
-[Search Filter Syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax).
+[Search Filter Syntax](https://learn.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax).
 
 Support for nested members in the user filter shouldn't be confused with
 [group sync nested groups](ldap_synchronization.md#supported-ldap-group-typesattributes) support.
diff --git a/doc/administration/auth/oidc.md b/doc/administration/auth/oidc.md
index 5a19f05c7b2..e886c0f21f8 100644
--- a/doc/administration/auth/oidc.md
+++ b/doc/administration/auth/oidc.md
@@ -158,14 +158,14 @@ gitlab_rails['omniauth_providers'] = [
 
 ### Microsoft Azure
 
-The OpenID Connect (OIDC) protocol for Microsoft Azure uses the [Microsoft identity platform (v2) endpoints](https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/azure-ad-endpoint-comparison).
+The OpenID Connect (OIDC) protocol for Microsoft Azure uses the [Microsoft identity platform (v2) endpoints](https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/azure-ad-endpoint-comparison).
 To get started, sign in to the [Azure Portal](https://portal.azure.com). For your app, you need the
 following information:
 
 - A tenant ID. You may already have one. For more information, review the
-  [Microsoft Azure Tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) documentation.
+  [Microsoft Azure Tenant](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) documentation.
 - A client ID and a client secret. Follow the instructions in the
-  [Microsoft Quickstart Register an Application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) documentation
+  [Microsoft Quickstart Register an Application](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) documentation
   to obtain the tenant ID, client ID, and client secret for your app.
 
 Example Omnibus configuration block:
@@ -193,26 +193,26 @@ gitlab_rails['omniauth_providers'] = [
 ]
 ```
 
-Microsoft has documented how its platform works with [the OIDC protocol](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc).
+Microsoft has documented how its platform works with [the OIDC protocol](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc).
 
 ### Microsoft Azure Active Directory B2C
 
-While GitLab works with [Azure Active Directory B2C](https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview), it requires special
+While GitLab works with [Azure Active Directory B2C](https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview), it requires special
 configuration to work. To get started, sign in to the [Azure Portal](https://portal.azure.com).
 For your app, you need the following information from Azure:
 
 - A tenant ID. You may already have one. For more information, review the
-  [Microsoft Azure Tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) documentation.
+  [Microsoft Azure Tenant](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) documentation.
 - A client ID and a client secret. Follow the instructions in the
-  [Microsoft tutorial](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga) documentation to obtain the
+  [Microsoft tutorial](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga) documentation to obtain the
   client ID and client secret for your app.
-- The user flow or policy name. Follow the instructions in the [Microsoft tutorial](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-user-flow).
+- The user flow or policy name. Follow the instructions in the [Microsoft tutorial](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-user-flow).
 
 If your GitLab domain is `gitlab.example.com`, ensure the app has the following `Redirect URI`:
 
 `https://gitlab.example.com/users/auth/openid_connect/callback`
 
-In addition, ensure that [ID tokens are enabled](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga#enable-id-token-implicit-grant).
+In addition, ensure that [ID tokens are enabled](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga#enable-id-token-implicit-grant).
 
 Add the following API permissions to the app:
 
@@ -221,10 +221,10 @@ Add the following API permissions to the app:
 
 #### Configure custom policies
 
-Azure B2C [offers two ways of defining the business logic for logging in a user](https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview):
+Azure B2C [offers two ways of defining the business logic for logging in a user](https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview):
 
-- [User flows](https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview#user-flows)
-- [Custom policies](https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview#custom-policies)
+- [User flows](https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview#user-flows)
+- [Custom policies](https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview#custom-policies)
 
 While cumbersome to configure, custom policies are required because
 standard Azure B2C user flows [do not send the OpenID `email` claim](https://github.com/MicrosoftDocs/azure-docs/issues/16566). In
@@ -232,10 +232,10 @@ other words, they do not work with the [`allow_single_sign_on` or `auto_link_use
 With a standard Azure B2C policy, GitLab cannot create a new account or
 link to an existing one with an email address.
 
-Carefully follow the instructions for [creating a custom policy](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy).
+Carefully follow the instructions for [creating a custom policy](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy).
 
-The Microsoft instructions use `SocialAndLocalAccounts` in the [custom policy starter pack](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#custom-policy-starter-pack),
-but `LocalAccounts` works for authenticating against local, Active Directory accounts. Before you follow the instructions to [upload the polices](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#upload-the-policies), do the following:
+The Microsoft instructions use `SocialAndLocalAccounts` in the [custom policy starter pack](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#custom-policy-starter-pack),
+but `LocalAccounts` works for authenticating against local, Active Directory accounts. Before you follow the instructions to [upload the polices](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#upload-the-policies), do the following:
 
 1. To export the `email` claim, modify the `SignUpOrSignin.xml`. Replace the following line:
 
@@ -251,7 +251,7 @@ but `LocalAccounts` works for authenticating against local, Active Directory acc
 
 1. For OIDC discovery to work with B2C, the policy must be configured with an issuer compatible with the
   [OIDC specification](https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.4.3).
-   See the [token compatibility settings](https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy#token-compatibility-settings).
+   See the [token compatibility settings](https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy#token-compatibility-settings).
    In `TrustFrameworkBase.xml` under `JwtIssuer`, set `IssuanceClaimPattern` to `AuthorityWithTfp`:
 
    ```xml
@@ -267,7 +267,7 @@ but `LocalAccounts` works for authenticating against local, Active Directory acc
            ...
    ```
 
-1. Now [upload the policy](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#upload-the-policies). Overwrite
+1. Now [upload the policy](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#upload-the-policies). Overwrite
    the existing files if you are updating an existing policy.
 
 1. Determine the issuer URL using the sign-in policy. The issuer URL is in the form:
@@ -326,10 +326,10 @@ The trailing forward slash is required.
 
 - Ensure all occurrences of `yourtenant.onmicrosoft.com`, `ProxyIdentityExperienceFrameworkAppId`, and `IdentityExperienceFrameworkAppId` match your B2C tenant hostname and
   the respective client IDs in the XML policy files.
-- Add `https://jwt.ms` as a redirect URI to the app, and use the [custom policy tester](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#test-the-custom-policy).
+- Add `https://jwt.ms` as a redirect URI to the app, and use the [custom policy tester](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#test-the-custom-policy).
   Make sure the payload includes `email` that matches the user's email access.
 - After you enable the custom policy, users might see "Invalid username or password" after they try to sign in. This might be a configuration
-  issue with the `IdentityExperienceFramework` app. See [this Microsoft comment](https://docs.microsoft.com/en-us/answers/questions/50355/unable-to-sign-on-using-custom-policy.html?childToView=122370#comment-122370)
+  issue with the `IdentityExperienceFramework` app. See [this Microsoft comment](https://learn.microsoft.com/en-us/answers/questions/50355/unable-to-sign-on-using-custom-policy.html?childToView=122370#comment-122370)
   that suggests checking that the app manifest contains these settings:
 
   - `"accessTokenAcceptedVersion": null`
diff --git a/doc/administration/geo/disaster_recovery/index.md b/doc/administration/geo/disaster_recovery/index.md
index 59984f75b05..156a87614e6 100644
--- a/doc/administration/geo/disaster_recovery/index.md
+++ b/doc/administration/geo/disaster_recovery/index.md
@@ -340,7 +340,7 @@ with the **secondary** site:
 1. Promote the replica database associated with the **secondary** site. This
    sets the database to read-write. The instructions vary depending on where your database is hosted:
    - [Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html#USER_ReadRepl.Promote)
-   - [Azure PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/single-server/how-to-read-replicas-portal#stop-replication)
+   - [Azure PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-read-replicas-portal#stop-replication)
    - [Google Cloud SQL](https://cloud.google.com/sql/docs/mysql/replication/manage-replicas#promote-replica)
    - For other external PostgreSQL databases, save the following script in your
      secondary site, for example `/tmp/geo_promote.sh`, and modify the connection
@@ -411,7 +411,7 @@ required:
 1. Promote the replica database associated with the **secondary** site. This
    sets the database to read-write. The instructions vary depending on where your database is hosted:
    - [Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html#USER_ReadRepl.Promote)
-   - [Azure PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/single-server/how-to-read-replicas-portal#stop-replication)
+   - [Azure PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-read-replicas-portal#stop-replication)
    - [Google Cloud SQL](https://cloud.google.com/sql/docs/mysql/replication/manage-replicas#promote-replica)
    - For other external PostgreSQL databases, save the following script in your
      secondary site, for example `/tmp/geo_promote.sh`, and modify the connection
diff --git a/doc/administration/geo/setup/external_database.md b/doc/administration/geo/setup/external_database.md
index 3ab69115353..e4cd05a2b73 100644
--- a/doc/administration/geo/setup/external_database.md
+++ b/doc/administration/geo/setup/external_database.md
@@ -76,7 +76,7 @@ The following instructions detail how to create a read-only replica for common
 cloud providers:
 
 - Amazon RDS - [Creating a Read Replica](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html#USER_ReadRepl.Create)
-- Azure Database for PostgreSQL - [Create and manage read replicas in Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/single-server/how-to-read-replicas-portal)
+- Azure Database for PostgreSQL - [Create and manage read replicas in Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-read-replicas-portal)
 - Google Cloud SQL - [Creating read replicas](https://cloud.google.com/sql/docs/postgres/replication/create-replica)
 
 Once your read-only replica is set up, you can skip to [configure your secondary site](#configure-secondary-site-to-use-the-external-read-replica)
@@ -195,7 +195,7 @@ to grant additional roles to your tracking database user (by default, this is
 `gitlab_geo`):
 
 - Amazon RDS requires the [`rds_superuser`](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.html#Appendix.PostgreSQL.CommonDBATasks.Roles) role.
-- Azure Database for PostgreSQL requires the [`azure_pg_admin`](https://docs.microsoft.com/en-us/azure/postgresql/single-server/how-to-create-users#how-to-create-additional-admin-users-in-azure-database-for-postgresql) role.
+- Azure Database for PostgreSQL requires the [`azure_pg_admin`](https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-create-users#how-to-create-additional-admin-users-in-azure-database-for-postgresql) role.
 - Google Cloud SQL requires the [`cloudsqlsuperuser`](https://cloud.google.com/sql/docs/postgres/users#default-users) role.
 
 This is for the installation of extensions during installation and upgrades. As an alternative,
diff --git a/doc/administration/incoming_email.md b/doc/administration/incoming_email.md
index 3a1babd982c..4959bacaaa4 100644
--- a/doc/administration/incoming_email.md
+++ b/doc/administration/incoming_email.md
@@ -775,7 +775,7 @@ mailboxes.
 To configure GitLab for Microsoft Graph, you will need to register an
 OAuth2 application in your Azure Active Directory that has the
 `Mail.ReadWrite` permission for all mailboxes. See the [MailRoom step-by-step guide](https://github.com/tpitale/mail_room/#microsoft-graph-configuration)
-and [Microsoft instructions](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
+and [Microsoft instructions](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
 for more details.
 
 Record the following when you configure your OAuth2 application:
@@ -792,7 +792,7 @@ to read/write mail in *all* mailboxes.
 
 To mitigate security concerns, we recommend configuring an application access
 policy which limits the mailbox access for all accounts, as described in
-[Microsoft documentation](https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access).
+[Microsoft documentation](https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access).
 
 This example for Omnibus GitLab assumes you're using the following mailbox: `incoming@example.onmicrosoft.com`:
 
@@ -822,7 +822,7 @@ gitlab_rails['incoming_email_inbox_options'] = {
 }
 ```
 
-For Microsoft Cloud for US Government or [other Azure deployments](https://docs.microsoft.com/en-us/graph/deployments), configure the `azure_ad_endpoint` and `graph_endpoint` settings.
+For Microsoft Cloud for US Government or [other Azure deployments](https://learn.microsoft.com/en-us/graph/deployments), configure the `azure_ad_endpoint` and `graph_endpoint` settings.
 
 - Example for Microsoft Cloud for US Government:
 
diff --git a/doc/administration/logs/tracing_correlation_id.md b/doc/administration/logs/tracing_correlation_id.md
index 75b3b4f5e6a..6fb98dd354b 100644
--- a/doc/administration/logs/tracing_correlation_id.md
+++ b/doc/administration/logs/tracing_correlation_id.md
@@ -28,7 +28,7 @@ documentation for some popular browsers.
 - [Network Monitor - Firefox Developer Tools](https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor)
 - [Inspect Network Activity In Chrome DevTools](https://developer.chrome.com/docs/devtools/network/)
 - [Safari Web Development Tools](https://developer.apple.com/safari/tools/)
-- [Microsoft Edge Network panel](https://docs.microsoft.com/en-us/microsoft-edge/devtools-guide-chromium/network/)
+- [Microsoft Edge Network panel](https://learn.microsoft.com/en-us/microsoft-edge/devtools-guide-chromium/network/)
 
 To locate a relevant request and view its correlation ID:
 
diff --git a/doc/administration/object_storage.md b/doc/administration/object_storage.md
index 5548d0bdc19..33efa773798 100644
--- a/doc/administration/object_storage.md
+++ b/doc/administration/object_storage.md
@@ -20,7 +20,7 @@ GitLab has been tested by vendors and customers on a number of object storage pr
 - [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
 - [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
 - [OpenStack Swift (S3 compatible mode)](https://docs.openstack.org/swift/latest/s3_compat.html)
-- [Azure Blob storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
+- [Azure Blob storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
 - On-premises hardware and appliances from various storage vendors, whose list is not officially established.
 - MinIO. We have [a guide to deploying this](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) within our Helm Chart documentation.
 
@@ -342,7 +342,7 @@ containers. The [storage-specific form](#storage-specific-configuration)
 is not supported. For more details, see [how to transition to consolidated form](#transition-to-consolidated-form).
 
 The following are the valid connection parameters for Azure. Read the
-[Azure Blob storage documentation](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
+[Azure Blob storage documentation](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
 to learn more.
 
 | Setting                      | Description    | Example   |
diff --git a/doc/administration/postgresql/external.md b/doc/administration/postgresql/external.md
index ddd910b8fe4..8605ee94255 100644
--- a/doc/administration/postgresql/external.md
+++ b/doc/administration/postgresql/external.md
@@ -21,7 +21,7 @@ If you use a cloud-managed service, or provide your own PostgreSQL instance:
 1. If you are using a cloud-managed service, you may need to grant additional
    roles to your `gitlab` user:
    - Amazon RDS requires the [`rds_superuser`](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.html#Appendix.PostgreSQL.CommonDBATasks.Roles) role.
-   - Azure Database for PostgreSQL requires the [`azure_pg_admin`](https://docs.microsoft.com/en-us/azure/postgresql/single-server/how-to-create-users#how-to-create-additional-admin-users-in-azure-database-for-postgresql) role. Azure Database for PostgreSQL - Flexible Server requires [allow-listing extensions before they can be installed](https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-extensions#how-to-use-postgresql-extensions).
+   - Azure Database for PostgreSQL requires the [`azure_pg_admin`](https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-create-users#how-to-create-additional-admin-users-in-azure-database-for-postgresql) role. Azure Database for PostgreSQL - Flexible Server requires [allow-listing extensions before they can be installed](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-extensions#how-to-use-postgresql-extensions).
    - Google Cloud SQL requires the [`cloudsqlsuperuser`](https://cloud.google.com/sql/docs/postgres/users#default-users) role.
 
    This is for the installation of extensions during installation and upgrades. As an alternative,
diff --git a/doc/administration/reference_architectures/10k_users.md b/doc/administration/reference_architectures/10k_users.md
index 667e4bf19ce..314819d9af7 100644
--- a/doc/administration/reference_architectures/10k_users.md
+++ b/doc/administration/reference_architectures/10k_users.md
@@ -163,8 +163,8 @@ As a general guidance, GitLab should run on most infrastructure such as reputabl
 Be aware of the following specific call outs:
 
 - [Amazon Aurora](https://aws.amazon.com/rds/aurora/) is incompatible. See [14.4.0](../../update/index.md#1440) for more details.
-- [Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
-- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
+- [Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
+- [Azure Blob Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
 
 ### Praefect PostgreSQL
 
@@ -2198,7 +2198,7 @@ GitLab has been tested on a number of object storage providers:
 - [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
 - [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
 - [OpenStack Swift (S3 compatibility mode)](https://docs.openstack.org/swift/latest/s3_compat.html)
-- [Azure Blob storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
+- [Azure Blob storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
 - MinIO. We have [a guide to deploying this](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) within our Helm Chart documentation.
 
 There are two ways of specifying object storage configuration in GitLab:
diff --git a/doc/administration/reference_architectures/1k_users.md b/doc/administration/reference_architectures/1k_users.md
index 8b72425d479..c32c6278785 100644
--- a/doc/administration/reference_architectures/1k_users.md
+++ b/doc/administration/reference_architectures/1k_users.md
@@ -87,8 +87,8 @@ As a general guidance, GitLab should run on most infrastructure such as reputabl
 Be aware of the following specific call outs:
 
 - [Amazon Aurora](https://aws.amazon.com/rds/aurora/) is incompatible. See [14.4.0](../../update/index.md#1440) for more details.
-- [Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
-- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
+- [Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
+- [Azure Blob Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
 
 ### Swap
 
diff --git a/doc/administration/reference_architectures/25k_users.md b/doc/administration/reference_architectures/25k_users.md
index 6431a1240dd..9b49bab2b40 100644
--- a/doc/administration/reference_architectures/25k_users.md
+++ b/doc/administration/reference_architectures/25k_users.md
@@ -163,8 +163,8 @@ As a general guidance, GitLab should run on most infrastructure such as reputabl
 Be aware of the following specific call outs:
 
 - [Amazon Aurora](https://aws.amazon.com/rds/aurora/) is incompatible. See [14.4.0](../../update/index.md#1440) for more details.
-- [Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
-- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
+- [Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
+- [Azure Blob Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
 
 ### Praefect PostgreSQL
 
@@ -2201,7 +2201,7 @@ GitLab has been tested on a number of object storage providers:
 - [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
 - [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
 - [OpenStack Swift (S3 compatibility mode)](https://docs.openstack.org/swift/latest/s3_compat.html)
-- [Azure Blob storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
+- [Azure Blob storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
 - MinIO. We have [a guide to deploying this](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) within our Helm Chart documentation.
 
 There are two ways of specifying object storage configuration in GitLab:
diff --git a/doc/administration/reference_architectures/2k_users.md b/doc/administration/reference_architectures/2k_users.md
index 6f911c679b0..81338c761eb 100644
--- a/doc/administration/reference_architectures/2k_users.md
+++ b/doc/administration/reference_architectures/2k_users.md
@@ -99,8 +99,8 @@ As a general guidance, GitLab should run on most infrastructure such as reputabl
 Be aware of the following specific call outs:
 
 - [Amazon Aurora](https://aws.amazon.com/rds/aurora/) is incompatible. See [14.4.0](../../update/index.md#1440) for more details.
-- [Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
-- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
+- [Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
+- [Azure Blob Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
 
 ## Setup components
 
@@ -908,7 +908,7 @@ GitLab has been tested on a number of object storage providers:
 - [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
 - [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
 - [OpenStack Swift (S3 compatibility mode)](https://docs.openstack.org/swift/latest/s3_compat.html)
-- [Azure Blob storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
+- [Azure Blob storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
 - MinIO. We have [a guide to deploying this](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) within our Helm Chart documentation.
 
 There are two ways of specifying object storage configuration in GitLab:
diff --git a/doc/administration/reference_architectures/3k_users.md b/doc/administration/reference_architectures/3k_users.md
index 7f112303110..d173db7b387 100644
--- a/doc/administration/reference_architectures/3k_users.md
+++ b/doc/administration/reference_architectures/3k_users.md
@@ -169,8 +169,8 @@ As a general guidance, GitLab should run on most infrastructure such as reputabl
 Be aware of the following specific call outs:
 
 - [Amazon Aurora](https://aws.amazon.com/rds/aurora/) is incompatible. See [14.4.0](../../update/index.md#1440) for more details.
-- [Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
-- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
+- [Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
+- [Azure Blob Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
 
 ### Praefect PostgreSQL
 
@@ -2139,7 +2139,7 @@ GitLab has been tested on a number of object storage providers:
 - [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
 - [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
 - [OpenStack Swift (S3 compatibility mode)](https://docs.openstack.org/swift/latest/s3_compat.html)
-- [Azure Blob storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
+- [Azure Blob storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
 - MinIO. We have [a guide to deploying this](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) within our Helm Chart documentation.
 
 There are two ways of specifying object storage configuration in GitLab:
diff --git a/doc/administration/reference_architectures/50k_users.md b/doc/administration/reference_architectures/50k_users.md
index c6b4a3eff96..1a4706a38b9 100644
--- a/doc/administration/reference_architectures/50k_users.md
+++ b/doc/administration/reference_architectures/50k_users.md
@@ -163,8 +163,8 @@ As a general guidance, GitLab should run on most infrastructure such as reputabl
 Be aware of the following specific call outs:
 
 - [Amazon Aurora](https://aws.amazon.com/rds/aurora/) is incompatible. See [14.4.0](../../update/index.md#1440) for more details.
-- [Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
-- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
+- [Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
+- [Azure Blob Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
 
 ### Praefect PostgreSQL
 
@@ -2218,7 +2218,7 @@ GitLab has been tested on a number of object storage providers:
 - [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
 - [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
 - [OpenStack Swift (S3 compatibility mode)](https://docs.openstack.org/swift/latest/s3_compat.html)
-- [Azure Blob storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
+- [Azure Blob storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
 - MinIO. We have [a guide to deploying this](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) within our Helm Chart documentation.
 
 There are two ways of specifying object storage configuration in GitLab:
diff --git a/doc/administration/reference_architectures/5k_users.md b/doc/administration/reference_architectures/5k_users.md
index 51c8d37e050..a954ce3e6b7 100644
--- a/doc/administration/reference_architectures/5k_users.md
+++ b/doc/administration/reference_architectures/5k_users.md
@@ -166,8 +166,8 @@ As a general guidance, GitLab should run on most infrastructure such as reputabl
 Be aware of the following specific call outs:
 
 - [Amazon Aurora](https://aws.amazon.com/rds/aurora/) is incompatible. See [14.4.0](../../update/index.md#1440) for more details.
-- [Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
-- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
+- [Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
+- [Azure Blob Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
 
 ### Praefect PostgreSQL
 
@@ -2137,7 +2137,7 @@ GitLab has been tested on a number of object storage providers:
 - [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
 - [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
 - [OpenStack Swift (S3 compatibility mode)](https://docs.openstack.org/swift/latest/s3_compat.html)
-- [Azure Blob storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
+- [Azure Blob storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
 - MinIO. We have [a guide to deploying this](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) within our Helm Chart documentation.
 
 There are two ways of specifying object storage configuration in GitLab:
diff --git a/doc/administration/troubleshooting/postgresql.md b/doc/administration/troubleshooting/postgresql.md
index 10a1d18f207..8a76d4f88ab 100644
--- a/doc/administration/troubleshooting/postgresql.md
+++ b/doc/administration/troubleshooting/postgresql.md
@@ -109,7 +109,7 @@ This section is for links to information elsewhere in the GitLab documentation.
 
 - Deploying PostgreSQL on Azure Database for PostgreSQL - Flexible Server may result in an error stating `extension "btree_gist" is not allow-listed for "azure_pg_admin" users in Azure Database for PostgreSQL`
 
-  To resolve the above error, [allow-list the extension](https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-extensions#how-to-use-postgresql-extensions) prior to install.
+  To resolve the above error, [allow-list the extension](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-extensions#how-to-use-postgresql-extensions) prior to install.
 
 ## Support topics
 
diff --git a/doc/administration/user_settings.md b/doc/administration/user_settings.md
index a2c398aef41..a767132db0f 100644
--- a/doc/administration/user_settings.md
+++ b/doc/administration/user_settings.md
@@ -8,10 +8,17 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 GitLab administrators can modify user settings for the entire GitLab instance.
 
-## Prevent new users from creating top-level groups
+## Use configuration files to prevent new users from creating top-level groups
 
 By default, new users can create top-level groups. To disable new users'
-ability to create top-level groups (does not affect existing users' setting):
+ability to create top-level groups (does not affect existing users' setting), GitLab administrators can modify this setting:
+
+- In GitLab 15.5 and later, using either:
+  - The [GitLab UI](../user/admin_area/settings/account_and_limit_settings.md#prevent-users-from-creating-top-level-groups).
+  - The [application setting API](../api/settings.md#change-application-settings).
+- In GitLab 15.4 and earlier, in a configuration file by following the steps in this section.
+
+To disable new users' ability to create top-level groups using the configuation file:
 
 **Omnibus GitLab installations**
 
diff --git a/doc/api/settings.md b/doc/api/settings.md
index a7ba642dca0..2054b4e9eea 100644
--- a/doc/api/settings.md
+++ b/doc/api/settings.md
@@ -216,7 +216,8 @@ Example response:
   "admin_mode": false,
   "external_pipeline_validation_service_timeout": null,
   "external_pipeline_validation_service_token": null,
-  "external_pipeline_validation_service_url": null
+  "external_pipeline_validation_service_url": null,
+  "can_create_group": false
 }
 ```
 
@@ -266,6 +267,7 @@ listed in the descriptions of the relevant settings.
 | `auto_devops_domain`                     | string           | no                                   | Specify a domain to use by default for every project's Auto Review Apps and Auto Deploy stages. |
 | `auto_devops_enabled`                    | boolean          | no                                   | Enable Auto DevOps for projects by default. It automatically builds, tests, and deploys applications based on a predefined CI/CD configuration. |
 | `automatic_purchased_storage_allocation` | boolean          | no                                   | Enabling this permits automatic allocation of purchased storage in a namespace. |
+| `can_create_group` | boolean | no | Indicates whether users can create top-level groups. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/367754) in GitLab 15.5. Defaults to `true`. |
 | `check_namespace_plan` **(PREMIUM)**     | boolean          | no                                   | Enabling this makes only licensed EE features available to projects if the project namespace's plan includes the feature or if the project is public. |
 | `commit_email_hostname`                  | string           | no                                   | Custom hostname (for private commit emails). |
 | `container_expiration_policies_enable_historic_entries`  | boolean | no                            | Enable [cleanup policies](../user/packages/container_registry/reduce_container_registry_storage.md#enable-the-cleanup-policy) for all projects. |
diff --git a/doc/ci/cloud_services/azure/index.md b/doc/ci/cloud_services/azure/index.md
index 058afa71a45..944f95c03e2 100644
--- a/doc/ci/cloud_services/azure/index.md
+++ b/doc/ci/cloud_services/azure/index.md
@@ -16,7 +16,7 @@ Prerequisites:
 
 - Access to an existing Azure Subscription with `Owner` access level.
 - Access to the corresponding Azure Active Directory Tenant with at least the `Application Developer` access level.
-- A local installation of the [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli).
+- A local installation of the [Azure CLI](https://learn.microsoft.com/cli/azure/install-azure-cli).
   Alternatively, you can follow all the steps below with the [Azure Cloud Shell](https://shell.azure.com/).
 - A GitLab project.
 
@@ -27,11 +27,11 @@ To complete this tutorial:
 1. [Grant permissions for the service principal](#grant-permissions-for-the-service-principal).
 1. [Retrieve a temporary credential](#retrieve-a-temporary-credential).
 
-For more information, review Azure's documentation on [Workload identity federation](https://docs.microsoft.com/azure/active-directory/develop/workload-identity-federation).
+For more information, review Azure's documentation on [Workload identity federation](https://learn.microsoft.com/azure/active-directory/develop/workload-identity-federation).
 
 ## Create Azure AD application and service principal
 
-To create an [Azure AD application](https://docs.microsoft.com/cli/azure/ad/app?view=azure-cli-latest#az-ad-app-create)
+To create an [Azure AD application](https://learn.microsoft.com/cli/azure/ad/app?view=azure-cli-latest#az-ad-app-create)
 and service principal:
 
 1. In the Azure CLI, create the AD application:
@@ -43,13 +43,13 @@ and service principal:
    Save the `appId` (Application client ID) output, as you need it later
    to configure your GitLab CI/CD pipeline.
 
-1. Create a corresponding [Service Principal](https://docs.microsoft.com/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create):
+1. Create a corresponding [Service Principal](https://learn.microsoft.com/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create):
 
    ```shell
    az ad sp create --id $appId --query appId -otsv
    ```
 
-Instead of the Azure CLI, you can [use the Azure Portal to create these resources](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal).
+Instead of the Azure CLI, you can [use the Azure Portal to create these resources](https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal).
 
 ## Create Azure AD federated identity credentials
 
@@ -88,7 +88,7 @@ identity credentials from the Azure Portal:
 
 ## Grant permissions for the service principal
 
-After you create the credentials, use [`role assignment`](https://docs.microsoft.com/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-create)
+After you create the credentials, use [`role assignment`](https://learn.microsoft.com/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-create)
 to grant permissions to the above service principal to access to Azure resources:
 
 ```shell
@@ -97,13 +97,13 @@ az role assignment create --assignee $appId --role Reader --scope /subscriptions
 
 You can find your subscription ID in:
 
-- The [Azure Portal](https://docs.microsoft.com/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription).
-- The [Azure CLI](https://docs.microsoft.com/cli/azure/manage-azure-subscriptions-azure-cli#get-the-active-subscription).
+- The [Azure Portal](https://learn.microsoft.com/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription).
+- The [Azure CLI](https://learn.microsoft.com/cli/azure/manage-azure-subscriptions-azure-cli#get-the-active-subscription).
 
 ## Retrieve a temporary credential
 
 After you configure the Azure AD application and federated identity credentials,
-the CI/CD job can retrieve a temporary credential by using the [Azure CLI](https://docs.microsoft.com/cli/azure/reference-index?view=azure-cli-latest#az-login):
+the CI/CD job can retrieve a temporary credential by using the [Azure CLI](https://learn.microsoft.com/cli/azure/reference-index?view=azure-cli-latest#az-login):
 
 ```yaml
 default:
@@ -123,7 +123,7 @@ The CI/CD variables are:
 
 - `AZURE_CLIENT_ID`: The [application client ID you saved earlier](#create-azure-ad-application-and-service-principal).
 - `AZURE_TENANT_ID`: Your Azure Active Directory. You can
-  [find it by using the Azure CLI or Azure Portal](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-how-to-find-tenant).
+  [find it by using the Azure CLI or Azure Portal](https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-how-to-find-tenant).
 - `CI_JOB_JWT_V2`: The JSON web token is a [predefined CI/CD variable](../../variables/predefined_variables.md).
 
 ## Troubleshooting
diff --git a/doc/development/documentation/styleguide/index.md b/doc/development/documentation/styleguide/index.md
index c7d75ce5ace..d629bc0b87e 100644
--- a/doc/development/documentation/styleguide/index.md
+++ b/doc/development/documentation/styleguide/index.md
@@ -19,7 +19,7 @@ In addition to this page, the following resources can help you craft and contrib
 - [Doc style and consistency testing](../testing.md)
 - [Guidelines for UI error messages](https://design.gitlab.com/content/error-messages/)
 - [GitLab Handbook style guidelines](https://about.gitlab.com/handbook/communication/#writing-style-guidelines)
-- [Microsoft Style Guide](https://docs.microsoft.com/en-us/style-guide/welcome/)
+- [Microsoft Style Guide](https://learn.microsoft.com/en-us/style-guide/welcome/)
 - [Google Developer Documentation Style Guide](https://developers.google.com/style)
 - [Recent updates to this guide](https://gitlab.com/dashboard/merge_requests?scope=all&state=merged&label_name[]=tw-style&not[label_name][]=docs%3A%3Afix)
 
@@ -333,7 +333,7 @@ When possible, try to avoid acronyms in headings.
 
 ### Numbers
 
-When using numbers in text, spell out zero through nine, and use numbers for 10 and greater. For details, see the [Microsoft Style Guide](https://docs.microsoft.com/en-us/style-guide/numbers).
+When using numbers in text, spell out zero through nine, and use numbers for 10 and greater. For details, see the [Microsoft Style Guide](https://learn.microsoft.com/en-us/style-guide/numbers).
 
 ## Text
 
diff --git a/doc/development/documentation/styleguide/word_list.md b/doc/development/documentation/styleguide/word_list.md
index b151eadde6e..1a13343d3e1 100644
--- a/doc/development/documentation/styleguide/word_list.md
+++ b/doc/development/documentation/styleguide/word_list.md
@@ -17,7 +17,7 @@ recommends these word choices. In addition:
 
 For guidance not on this page, we defer to these style guides:
 
-- [Microsoft Style Guide](https://docs.microsoft.com/en-us/style-guide/welcome/)
+- [Microsoft Style Guide](https://learn.microsoft.com/en-us/style-guide/welcome/)
 - [Google Developer Documentation Style Guide](https://developers.google.com/style)
 
 <!-- vale off -->
@@ -125,7 +125,7 @@ Instead of:
 - This feature enables users to add files to their repository.
 
 This phrasing is more active and is from the user perspective, rather than the person who implemented the feature.
-[View details in the Microsoft style guide](https://docs.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/a/allow-allows).
+[View details in the Microsoft style guide](https://learn.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/a/allow-allows).
 
 ## Alpha
 
@@ -141,7 +141,7 @@ Instead of **and/or**, use **or** or rewrite the sentence to spell out both opti
 ## and so on
 
 Do not use **and so on**. Instead, be more specific. For details, see
-[the Microsoft style guide](https://docs.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/a/and-so-on).
+[the Microsoft style guide](https://learn.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/a/and-so-on).
 
 ## area
 
@@ -316,7 +316,7 @@ Do not use **Developer permissions**. A user who is assigned the Developer role
 
 ## disable
 
-See [the Microsoft style guide](https://docs.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/d/disable-disabled) for guidance on **disable**.
+See [the Microsoft style guide](https://learn.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/d/disable-disabled) for guidance on **disable**.
 Use **inactive** or **off** instead. ([Vale](../testing.md#vale) rule: [`InclusionAbleism.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/.vale/gitlab/InclusionAbleism.yml))
 
 ## disallow
@@ -365,7 +365,7 @@ Do not use **e-mail** with a hyphen. When plural, use **emails** or **email mess
 
 ## enable
 
-See [the Microsoft style guide](https://docs.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/e/enable-enables) for guidance on **enable**.
+See [the Microsoft style guide](https://learn.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/e/enable-enables) for guidance on **enable**.
 Use **active** or **on** instead. ([Vale](../testing.md#vale) rule: [`InclusionAbleism.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/.vale/gitlab/InclusionAbleism.yml))
 
 ## enter
@@ -818,7 +818,7 @@ Use lowercase for **personal access token**.
 
 ## please
 
-Do not use **please**. For details, see the [Microsoft style guide](https://docs.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/p/please).
+Do not use **please**. For details, see the [Microsoft style guide](https://learn.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/p/please).
 
 ## press
 
diff --git a/doc/development/integrations/secure.md b/doc/development/integrations/secure.md
index cb3c2d4f6e7..2f10d375f84 100644
--- a/doc/development/integrations/secure.md
+++ b/doc/development/integrations/secure.md
@@ -180,7 +180,7 @@ Here are some examples to get you started:
 
 As documented in the [Docker Official Images](https://github.com/docker-library/official-images#tags-and-aliases) project,
 it is strongly encouraged that version number tags be given aliases which allows the user to easily refer to the "most recent" release of a particular series.
-See also [Docker Tagging: Best practices for tagging and versioning Docker images](https://docs.microsoft.com/en-us/archive/blogs/stevelasker/docker-tagging-best-practices-for-tagging-and-versioning-docker-images).
+See also [Docker Tagging: Best practices for tagging and versioning Docker images](https://learn.microsoft.com/en-us/archive/blogs/stevelasker/docker-tagging-best-practices-for-tagging-and-versioning-docker-images).
 
 ## Command line
 
diff --git a/doc/development/windows.md b/doc/development/windows.md
index 9c586558a77..5f32848da79 100644
--- a/doc/development/windows.md
+++ b/doc/development/windows.md
@@ -76,7 +76,7 @@ Build a Google Cloud image with the above shared runners repository by doing the
 1. Copy and save the password as it is not shown again.
 1. Select **RDP** down arrow.
 1. Select **Download the RDP file**.
-1. Open the downloaded RDP file with the Windows remote desktop app (<https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients>).
+1. Open the downloaded RDP file with the Windows remote desktop app (<https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients>).
 1. Select **Continue** to accept the certificate.
 1. Enter the password and select **Next**.
 
diff --git a/doc/gitlab-basics/start-using-git.md b/doc/gitlab-basics/start-using-git.md
index 37f9ec6d58a..2afd9f66804 100644
--- a/doc/gitlab-basics/start-using-git.md
+++ b/doc/gitlab-basics/start-using-git.md
@@ -37,7 +37,7 @@ prompt, command shell, and command line). Here are some options:
   - [iTerm2](https://iterm2.com/). You can integrate it with [Zsh](https://git-scm.com/book/id/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Zsh) and [Oh My Zsh](https://ohmyz.sh/) for color highlighting and other advanced features.
 - For Windows users:
   - Built-in command line. On the Windows taskbar, select the search icon and type `cmd`.
-  - [PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/install/installing-windows-powershell?view=powershell-7).
+  - [PowerShell](https://learn.microsoft.com/en-us/powershell/scripting/windows-powershell/install/installing-windows-powershell?view=powershell-7).
   - Git Bash. It is built into [Git for Windows](https://gitforwindows.org/).
 - For Linux users:
   - Built-in [Linux Terminal](https://ubuntu.com/tutorials/command-line-for-beginners#3-opening-a-terminal).
diff --git a/doc/install/azure/index.md b/doc/install/azure/index.md
index e52293cbd51..21ae1b95f47 100644
--- a/doc/install/azure/index.md
+++ b/doc/install/azure/index.md
@@ -61,7 +61,7 @@ The first items you need to configure are the basic settings of the underlying v
 1. Enter a name for the VM, for example `GitLab`.
 1. Select a region.
 1. In **Availability options**, select **Availability zone** and set it to `1`.
-   Read more about the [availability zones](https://docs.microsoft.com/en-us/azure/virtual-machines/availability).
+   Read more about the [availability zones](https://learn.microsoft.com/en-us/azure/virtual-machines/availability).
 1. Ensure the selected image is set to **GitLab - Gen1**.
 1. Select the VM size based on the [hardware requirements](../requirements.md#hardware-requirements).
    Because the minimum system requirements to run a GitLab environment for up to 500 users
@@ -83,7 +83,7 @@ For the disks:
 1. For the OS disk type, select **Premium SSD**.
 1. Select the default encryption.
 
-[Read more about the types of disks](https://docs.microsoft.com/en-us/azure/virtual-machines/managed-disks-overview) that Azure provides.
+[Read more about the types of disks](https://learn.microsoft.com/en-us/azure/virtual-machines/managed-disks-overview) that Azure provides.
 
 Review your settings, and then proceed to the Networking tab.
 
@@ -159,7 +159,7 @@ to assign a descriptive DNS name to the VM:
 
 Eventually, most users want to use their own domain name. For you to do this, you need to add a DNS `A` record
 with your domain registrar that points to the public IP address of your Azure VM.
-You can use [Azure's DNS](https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns)
+You can use [Azure's DNS](https://learn.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns)
 or some [other registrar](https://docs.gitlab.com/omnibus/settings/dns.html).
 
 ### Change the GitLab external URL
@@ -185,7 +185,7 @@ To set up the GitLab external URL:
 
    NOTE:
    If you need to reset your credentials, read
-   [how to reset SSH credentials for a user on an Azure VM](https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-ssh-connection#reset-ssh-credentials-for-a-user).
+   [how to reset SSH credentials for a user on an Azure VM](https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-ssh-connection#reset-ssh-credentials-for-a-user).
 
 1. Open `/etc/gitlab/gitlab.rb` with your editor.
 1. Find `external_url` and replace it with your own domain name. For the sake
diff --git a/doc/integration/azure.md b/doc/integration/azure.md
index 15f8e7d01e5..856cf54a52d 100644
--- a/doc/integration/azure.md
+++ b/doc/integration/azure.md
@@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 You can enable the Microsoft Azure OAuth 2.0 OmniAuth provider and sign in to
 GitLab with your Microsoft Azure credentials. You can configure the provider that uses
-[the earlier Azure Active Directory v1.0 endpoint](https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-oauth-code),
+[the earlier Azure Active Directory v1.0 endpoint](https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-oauth-code),
 or the provider that uses the v2.0 endpoint.
 
 NOTE:
@@ -23,7 +23,7 @@ an Azure application and get a client ID and secret key.
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
 1. If you have multiple Azure Active Directory tenants, switch to the desired tenant. Note the tenant ID.
-1. [Register an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
+1. [Register an application](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
    and provide the following information:
    - The redirect URI, which requires the URL of the Azure OAuth callback of your GitLab
      installation. For example:
@@ -33,7 +33,7 @@ an Azure application and get a client ID and secret key.
 1. Save the client ID and client secret. The client secret is only
    displayed once.
 
-   If required, you can [create a new application secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret).
+   If required, you can [create a new application secret](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret).
 
 `client ID` and `client secret` are terms associated with OAuth 2.0.
 In some Microsoft documentation, the terms are named `Application ID` and
@@ -41,7 +41,7 @@ In some Microsoft documentation, the terms are named `Application ID` and
 
 ## Add API permissions (scopes)
 
-If you're using the v2.0 endpoint, after you create the application, [configure it to expose a web API](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis).
+If you're using the v2.0 endpoint, after you create the application, [configure it to expose a web API](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis).
 Add the following delegated permissions under the Microsoft Graph API:
 
 - `email`
@@ -107,7 +107,7 @@ Alternatively, add the `User.Read.All` application permission.
      ]
      ```
 
-     For [alternative Azure clouds](https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud),
+     For [alternative Azure clouds](https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud),
      configure `base_azure_url` under the `args` section. For example, for Azure Government Community Cloud (GCC):
 
      ```ruby
@@ -147,7 +147,7 @@ Alternatively, add the `User.Read.All` application permission.
                  tenant_id: "<tenant_id>" } }
      ```
 
-     For [alternative Azure clouds](https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud),
+     For [alternative Azure clouds](https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud),
      configure `base_azure_url` under the `args` section. For example, for Azure Government Community Cloud (GCC):
 
      ```yaml
@@ -159,7 +159,7 @@ Alternatively, add the `User.Read.All` application permission.
                  base_azure_url: "https://login.microsoftonline.us" } }
      ```
 
-   You can also optionally add the `scope` for [OAuth 2.0 scopes](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow) parameter to the `args` section. The default is `openid profile email`.
+   You can also optionally add the `scope` for [OAuth 2.0 scopes](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow) parameter to the `args` section. The default is `openid profile email`.
 
 1. Save the configuration file.
 
diff --git a/doc/integration/saml.md b/doc/integration/saml.md
index da520d83b8c..0f7f3e336ef 100644
--- a/doc/integration/saml.md
+++ b/doc/integration/saml.md
@@ -795,7 +795,7 @@ documentation on how to use SAML to sign in to GitLab.
 
 Examples:
 
-- [ADFS (Active Directory Federation Services)](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trust)
+- [ADFS (Active Directory Federation Services)](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trust)
 - [Auth0](https://auth0.com/docs/authenticate/protocols/saml/saml-sso-integrations/configure-auth0-saml-identity-provider)
 
 GitLab provides the following setup notes for guidance only.
diff --git a/doc/user/admin_area/settings/account_and_limit_settings.md b/doc/user/admin_area/settings/account_and_limit_settings.md
index c651a1b0136..cd1f20a2f4e 100644
--- a/doc/user/admin_area/settings/account_and_limit_settings.md
+++ b/doc/user/admin_area/settings/account_and_limit_settings.md
@@ -288,6 +288,21 @@ When this ability is disabled, GitLab administrators can still use the
 [Admin Area](../index.md#administering-users) or the
 [API](../../../api/users.md#user-modification) to update usernames.
 
+## Prevent users from creating top-level groups
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/367754) in GitLab 15.5.
+
+By default, new users can create top-level groups. GitLab administrators can prevent users from creating top-level groups:
+
+- In GitLab 15.5 and later, using either:
+  - The GitLab UI using the steps in this section.
+  - The [application setting API](../../../api/settings.md#change-application-settings).
+- In GitLab 15.4 and earlier, a [configuration file](../../../administration/user_settings.md#use-configuration-files-to-prevent-new-users-from-creating-top-level-groups).
+
+1. On the top bar, select **Main menu > Admin**.
+1. On the left sidebar, select **Settings > General**, then expand **Account and limit**.
+1. Clear the **Allow users to create top-level groups** checkbox.
+
 ## Troubleshooting
 
 ### 413 Request Entity Too Large
diff --git a/doc/user/application_security/dast/checks/16.2.md b/doc/user/application_security/dast/checks/16.2.md
index 5ea7dcb3070..a317b9418a1 100644
--- a/doc/user/application_security/dast/checks/16.2.md
+++ b/doc/user/application_security/dast/checks/16.2.md
@@ -41,4 +41,4 @@ the `Server` header.
 - [CWE](https://cwe.mitre.org/data/definitions/16.html)
 - [Apache ServerTokens](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/)
 - [NGINX server_tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens)
-- [IIS 10 Remove Server Header](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/#attributes)
+- [IIS 10 Remove Server Header](https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/#attributes)
diff --git a/doc/user/application_security/dast/checks/548.1.md b/doc/user/application_security/dast/checks/548.1.md
index 2cb93d5fdea..b6907db5928 100644
--- a/doc/user/application_security/dast/checks/548.1.md
+++ b/doc/user/application_security/dast/checks/548.1.md
@@ -42,4 +42,4 @@ indexing.
 - [CWE](https://cwe.mitre.org/data/definitions/548.html)
 - [Apache Options](https://httpd.apache.org/docs/2.4/mod/core.html#options)
 - [NGINX autoindex](https://nginx.org/en/docs/http/ngx_http_autoindex_module.html)
-- [IIS directoryBrowse element](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/directorybrowse)
+- [IIS directoryBrowse element](https://learn.microsoft.com/en-us/iis/configuration/system.webserver/directorybrowse)
diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md
index d6ec8ec7a4b..5aa62d2f803 100644
--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -237,7 +237,7 @@ table.supported-languages ul {
       <td>.NET</td>
       <td rowspan="2">All versions</td>
       <td rowspan="2"><a href="https://www.nuget.org/">NuGet</a></td>
-      <td rowspan="2"><a href="https://docs.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#enabling-lock-file"><code>packages.lock.json</code></a></td>
+      <td rowspan="2"><a href="https://learn.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#enabling-lock-file"><code>packages.lock.json</code></a></td>
       <td rowspan="2">Y</td>
     </tr>
     <tr>
diff --git a/doc/user/application_security/iac_scanning/index.md b/doc/user/application_security/iac_scanning/index.md
index b877497bcee..150c2b732d8 100644
--- a/doc/user/application_security/iac_scanning/index.md
+++ b/doc/user/application_security/iac_scanning/index.md
@@ -43,7 +43,7 @@ GitLab IaC scanning supports a variety of IaC configuration files. Our IaC secur
 | OpenAPI                                  | [KICS](https://kics.io/)         | 14.5                          |
 | Terraform <sup>2</sup>                   | [KICS](https://kics.io/)         | 14.5                          |
 
-1. IaC scanning can analyze Azure Resource Manager templates in JSON format. If you write templates in the [Bicep](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview) language, you must use [the bicep CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-cli) to convert your Bicep files into JSON before GitLab IaC scanning can analyze them.
+1. IaC scanning can analyze Azure Resource Manager templates in JSON format. If you write templates in the [Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview) language, you must use [the bicep CLI](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-cli) to convert your Bicep files into JSON before GitLab IaC scanning can analyze them.
 1. Terraform modules in a custom registry are not scanned for vulnerabilities. You can follow [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/357004) for the proposed feature.
 
 ### Supported distributions
diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md
index 09b83b3a457..70ab3f3a7b4 100644
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -138,7 +138,7 @@ The following analyzers have multi-project support:
 #### Enable multi-project support for Security Code Scan
 
 Multi-project support in the Security Code Scan requires a Solution (`.sln`) file in the root of
-the repository. For details on the Solution format, see the Microsoft reference [Solution (`.sln`) file](https://docs.microsoft.com/en-us/visualstudio/extensibility/internals/solution-dot-sln-file?view=vs-2019).
+the repository. For details on the Solution format, see the Microsoft reference [Solution (`.sln`) file](https://learn.microsoft.com/en-us/visualstudio/extensibility/internals/solution-dot-sln-file?view=vs-2019).
 
 ### Supported distributions
 
diff --git a/doc/user/compliance/license_compliance/index.md b/doc/user/compliance/license_compliance/index.md
index 993b6fa65ec..8b6df69730c 100644
--- a/doc/user/compliance/license_compliance/index.md
+++ b/doc/user/compliance/license_compliance/index.md
@@ -556,8 +556,8 @@ license_scanning:
 #### Using private NuGet registries
 
 If you have a private NuGet registry you can add it as a source
-by adding it to the [`packageSources`](https://docs.microsoft.com/en-us/nuget/reference/nuget-config-file#package-source-sections)
-section of a [`nuget.config`](https://docs.microsoft.com/en-us/nuget/reference/nuget-config-file) file.
+by adding it to the [`packageSources`](https://learn.microsoft.com/en-us/nuget/reference/nuget-config-file#package-source-sections)
+section of a [`nuget.config`](https://learn.microsoft.com/en-us/nuget/reference/nuget-config-file) file.
 
 For example:
 
diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md
index be1eb7a8ab1..42989ec9456 100644
--- a/doc/user/group/saml_sso/index.md
+++ b/doc/user/group/saml_sso/index.md
@@ -166,7 +166,7 @@ If you have any questions on configuring the SAML app, please contact your provi
 
 ### Azure setup notes
 
-Follow the Azure documentation on [configuring single sign-on to applications](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/view-applications-portal) with the notes below for consideration.
+Follow the Azure documentation on [configuring single sign-on to applications](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/view-applications-portal) with the notes below for consideration.
 
 <i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
 For a demo of the Azure SAML setup including SCIM, see [SCIM Provisioning on Azure Using SAML SSO for Groups Demo](https://youtu.be/24-ZxmTeEBU).
diff --git a/doc/user/group/saml_sso/scim_setup.md b/doc/user/group/saml_sso/scim_setup.md
index 99d6cb259da..6b64288f5af 100644
--- a/doc/user/group/saml_sso/scim_setup.md
+++ b/doc/user/group/saml_sso/scim_setup.md
@@ -50,7 +50,7 @@ Prerequisites:
 - [GitLab is configured](#configure-gitlab).
 
 The SAML application created during [single sign-on](index.md) set up for
-[Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/view-applications-portal)
+[Azure Active Directory](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/view-applications-portal)
 must be set up for SCIM. For an example, see [example configuration](example_saml_config.md#scim-mapping).
 
 To configure Azure Active Directory for SCIM:
diff --git a/doc/user/group/settings/group_access_tokens.md b/doc/user/group/settings/group_access_tokens.md
index a22658bd602..64cbe68a9d4 100644
--- a/doc/user/group/settings/group_access_tokens.md
+++ b/doc/user/group/settings/group_access_tokens.md
@@ -48,6 +48,9 @@ You cannot use group access tokens to create other group, project, or personal a
 Group access tokens inherit the [default prefix setting](../../admin_area/settings/account_and_limit_settings.md#personal-access-token-prefix)
 configured for personal access tokens.
 
+NOTE:
+Group access tokens are not FIPS compliant and creation and use are disabled when [FIPS mode](../../../development/fips_compliance.md) is enabled.
+
 ## Create a group access token using UI
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214045) in GitLab 14.7.
diff --git a/doc/user/packages/nuget_repository/index.md b/doc/user/packages/nuget_repository/index.md
index 55729ad458d..d4b87d70447 100644
--- a/doc/user/packages/nuget_repository/index.md
+++ b/doc/user/packages/nuget_repository/index.md
@@ -15,8 +15,8 @@ packages whenever you need to use them as a dependency.
 
 The Package Registry works with:
 
-- [NuGet CLI](https://docs.microsoft.com/en-us/nuget/reference/nuget-exe-cli-reference)
-- [.NET Core CLI](https://docs.microsoft.com/en-us/dotnet/core/tools/)
+- [NuGet CLI](https://learn.microsoft.com/en-us/nuget/reference/nuget-exe-cli-reference)
+- [.NET Core CLI](https://learn.microsoft.com/en-us/dotnet/core/tools/)
 - [Visual Studio](https://visualstudio.microsoft.com/vs/)
 
 For documentation of the specific API endpoints that these
@@ -342,7 +342,7 @@ When publishing packages:
 
 Prerequisites:
 
-- [A NuGet package created with NuGet CLI](https://docs.microsoft.com/en-us/nuget/create-packages/creating-a-package).
+- [A NuGet package created with NuGet CLI](https://learn.microsoft.com/en-us/nuget/create-packages/creating-a-package).
 - Set a [project-level endpoint](#use-the-gitlab-endpoint-for-nuget-packages).
 
 Publish a package by running this command:
@@ -358,7 +358,7 @@ nuget push <package_file> -Source <source_name>
 
 Prerequisites:
 
-- [A NuGet package created with .NET CLI](https://docs.microsoft.com/en-us/nuget/create-packages/creating-a-package-dotnet-cli).
+- [A NuGet package created with .NET CLI](https://learn.microsoft.com/en-us/nuget/create-packages/creating-a-package-dotnet-cli).
 - Set a [project-level endpoint](#use-the-gitlab-endpoint-for-nuget-packages).
 
 Publish a package by running this command:
diff --git a/doc/user/packages/package_registry/reduce_package_registry_storage.md b/doc/user/packages/package_registry/reduce_package_registry_storage.md
index d50d9da42b0..e6996d9dc3e 100644
--- a/doc/user/packages/package_registry/reduce_package_registry_storage.md
+++ b/doc/user/packages/package_registry/reduce_package_registry_storage.md
@@ -71,9 +71,9 @@ To access these project settings, you must be at least a maintainer on the relat
 
 ### Available rules
 
-- `Number of duplicated assets to keep`. The number of duplicated assets to keep. Some package formats allow you
+- `Number of duplicated assets to keep`: The number of duplicated assets to keep. Some package formats allow you
   to upload more than one copy of an asset. You can limit the number of duplicated assets to keep and automatically
-  delete the oldest assets once the limit is reached.
+  delete the oldest assets once the limit is reached. Unique filenames, such as those produced by Maven snapshots, are not considered when evaluating the number of duplicated assets to keep.
 
 ### Set cleanup limits to conserve resources
 
diff --git a/doc/user/profile/personal_access_tokens.md b/doc/user/profile/personal_access_tokens.md
index 17c5e1dbfa7..29dce202a37 100644
--- a/doc/user/profile/personal_access_tokens.md
+++ b/doc/user/profile/personal_access_tokens.md
@@ -45,6 +45,9 @@ For examples of how you can use a personal access token to authenticate with the
 Alternately, GitLab administrators can use the API to create [impersonation tokens](../../api/index.md#impersonation-tokens).
 Use impersonation tokens to automate authentication as a specific user.
 
+NOTE:
+Personal access tokens are not FIPS compliant and creation and use are disabled when [FIPS mode](../../development/fips_compliance.md) is enabled.
+
 ## Create a personal access token
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/348660) in GitLab 15.3, default expiration of 30 days is populated in the UI.
diff --git a/doc/user/project/import/tfvc.md b/doc/user/project/import/tfvc.md
index 58f38e7c390..3625355340b 100644
--- a/doc/user/project/import/tfvc.md
+++ b/doc/user/project/import/tfvc.md
@@ -9,7 +9,7 @@ type: concepts
 
 Team Foundation Server (TFS), renamed [Azure DevOps Server](https://azure.microsoft.com/en-us/services/devops/server/)
 in 2019, is a set of tools developed by Microsoft which also includes
-[Team Foundation Version Control](https://docs.microsoft.com/en-us/azure/devops/repos/tfvc/what-is-tfvc?view=azure-devops)
+[Team Foundation Version Control](https://learn.microsoft.com/en-us/azure/devops/repos/tfvc/what-is-tfvc?view=azure-devops)
 (TFVC), a centralized version control system similar to Git.
 
 In this document, we focus on the TFVC to Git migration.
@@ -28,7 +28,7 @@ The main differences between TFVC and Git are:
 
 For more information, see:
 
-- Microsoft's [comparison of Git and TFVC](https://docs.microsoft.com/en-us/azure/devops/repos/tfvc/comparison-git-tfvc?view=azure-devops).
+- Microsoft's [comparison of Git and TFVC](https://learn.microsoft.com/en-us/azure/devops/repos/tfvc/comparison-git-tfvc?view=azure-devops).
 - The Wikipedia [comparison of version control software](https://en.wikipedia.org/wiki/Comparison_of_version_control_software).
 
 ## Why migrate
diff --git a/doc/user/project/integrations/microsoft_teams.md b/doc/user/project/integrations/microsoft_teams.md
index a2b401e6bca..ab755d3d444 100644
--- a/doc/user/project/integrations/microsoft_teams.md
+++ b/doc/user/project/integrations/microsoft_teams.md
@@ -58,4 +58,4 @@ GitLab to send the notifications:
 
 ## Related topics
 
-- [Setting up an incoming webhook on Microsoft Teams](https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/connectors-using#setting-up-a-custom-incoming-webhook).
+- [Setting up an incoming webhook on Microsoft Teams](https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/connectors-using#setting-up-a-custom-incoming-webhook).
diff --git a/doc/user/project/pages/custom_domains_ssl_tls_certification/dns_concepts.md b/doc/user/project/pages/custom_domains_ssl_tls_certification/dns_concepts.md
index da4f2dc42a4..1d32091b294 100644
--- a/doc/user/project/pages/custom_domains_ssl_tls_certification/dns_concepts.md
+++ b/doc/user/project/pages/custom_domains_ssl_tls_certification/dns_concepts.md
@@ -44,7 +44,7 @@ for the most popular hosting services:
 - [Hostgator](https://www.hostgator.com/help/article/changing-dns-records)
 - [Inmotion hosting](https://www.bluehost.com/help/article/dns-management-add-edit-or-delete-dns-entries)
 - [Media Temple](https://mediatemple.net/community/products/dv/204403794/how-can-i-change-the-dns-records-for-my-domain)
-- [Microsoft](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727018(v=technet.10))
+- [Microsoft](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727018(v=technet.10))
 - [Namecheap](https://www.namecheap.com/support/knowledgebase/subcategory/2237/host-records-setup/)
 
 <!-- vale gitlab.Spelling = YES -->
diff --git a/doc/user/project/service_desk.md b/doc/user/project/service_desk.md
index f04501b4eaa..199f25f1122 100644
--- a/doc/user/project/service_desk.md
+++ b/doc/user/project/service_desk.md
@@ -264,7 +264,7 @@ Graph API instead of IMAP. Follow the [documentation in the incoming email secti
   }
   ```
 
-For Microsoft Cloud for US Government or [other Azure deployments](https://docs.microsoft.com/en-us/graph/deployments), configure the `azure_ad_endpoint` and `graph_endpoint` settings.
+For Microsoft Cloud for US Government or [other Azure deployments](https://learn.microsoft.com/en-us/graph/deployments), configure the `azure_ad_endpoint` and `graph_endpoint` settings.
 
 - Example for Microsoft Cloud for US Government:
 
diff --git a/doc/user/project/settings/project_access_tokens.md b/doc/user/project/settings/project_access_tokens.md
index 16a884270ff..c1652251b9f 100644
--- a/doc/user/project/settings/project_access_tokens.md
+++ b/doc/user/project/settings/project_access_tokens.md
@@ -48,6 +48,9 @@ You cannot use project access tokens to create other group, project, or personal
 Project access tokens inherit the [default prefix setting](../../admin_area/settings/account_and_limit_settings.md#personal-access-token-prefix)
 configured for personal access tokens.
 
+NOTE:
+Project access tokens are not FIPS compliant and creation and use are disabled when [FIPS mode](../../../development/fips_compliance.md) is enabled.
+
 ## Create a project access token
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89114) in GitLab 15.1, Owners can select Owner role for project access tokens.
diff --git a/doc/user/ssh.md b/doc/user/ssh.md
index 8c81f3eeeb9..be76ce487b6 100644
--- a/doc/user/ssh.md
+++ b/doc/user/ssh.md
@@ -408,8 +408,8 @@ If you are using [EGit](https://www.eclipse.org/egit/), you can [add your SSH ke
 
 ## Use SSH on Microsoft Windows
 
-If you're running Windows 10, you can either use the [Windows Subsystem for Linux (WSL)](https://docs.microsoft.com/en-us/windows/wsl/install)
-with [WSL 2](https://docs.microsoft.com/en-us/windows/wsl/install#update-to-wsl-2) which
+If you're running Windows 10, you can either use the [Windows Subsystem for Linux (WSL)](https://learn.microsoft.com/en-us/windows/wsl/install)
+with [WSL 2](https://learn.microsoft.com/en-us/windows/wsl/install#update-to-wsl-2) which
 has both `git` and `ssh` preinstalled, or install [Git for Windows](https://gitforwindows.org) to
 use SSH through PowerShell.
 
@@ -421,7 +421,7 @@ as both have a different home directory:
 
 You can either copy over the `.ssh/` directory to use the same key, or generate a key in each environment.
 
-If you're running Windows 11 and using [OpenSSH for Windows](https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview), ensure the `HOME`
+If you're running Windows 11 and using [OpenSSH for Windows](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview), ensure the `HOME`
 environment variable is set correctly. Otherwise, your private SSH key might not be found.
 
 Alternative tools include:
diff --git a/lib/bulk_imports/common/pipelines/wiki_pipeline.rb b/lib/bulk_imports/common/pipelines/wiki_pipeline.rb
index 6900835b14d..0f92c1f1210 100644
--- a/lib/bulk_imports/common/pipelines/wiki_pipeline.rb
+++ b/lib/bulk_imports/common/pipelines/wiki_pipeline.rb
@@ -22,7 +22,7 @@ module BulkImports
           wiki = context.portable.wiki
           url = data[:url].sub("://", "://oauth2:#{context.configuration.access_token}@")
 
-          Gitlab::UrlBlocker.validate!(url, allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
+          Gitlab::UrlBlocker.validate!(url, schemes: %w[http https], allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
 
           wiki.ensure_repository
           wiki.repository.fetch_as_mirror(url)
diff --git a/lib/bulk_imports/projects/pipelines/repository_pipeline.rb b/lib/bulk_imports/projects/pipelines/repository_pipeline.rb
index f5ccc1dd922..a2b1f8c5176 100644
--- a/lib/bulk_imports/projects/pipelines/repository_pipeline.rb
+++ b/lib/bulk_imports/projects/pipelines/repository_pipeline.rb
@@ -21,7 +21,7 @@ module BulkImports
           url = url.sub("://", "://oauth2:#{context.configuration.access_token}@")
           project = context.portable
 
-          Gitlab::UrlBlocker.validate!(url, allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
+          Gitlab::UrlBlocker.validate!(url, schemes: %w[http https], allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
 
           project.ensure_repository
           project.repository.fetch_as_mirror(url)
diff --git a/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline.rb b/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline.rb
index 6d423717a51..e29601927be 100644
--- a/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline.rb
+++ b/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline.rb
@@ -55,7 +55,9 @@ module BulkImports
           Gitlab::UrlBlocker.validate!(
             url,
             allow_local_network: allow_local_requests?,
-            allow_localhost: allow_local_requests?)
+            allow_localhost: allow_local_requests?,
+            schemes: %w[http https]
+          )
         end
 
         def cleanup_snippet_repository(snippet)
diff --git a/lib/error_tracking/sentry_client.rb b/lib/error_tracking/sentry_client.rb
index 029389ab5d6..713cec7a7d6 100644
--- a/lib/error_tracking/sentry_client.rb
+++ b/lib/error_tracking/sentry_client.rb
@@ -10,6 +10,7 @@ module ErrorTracking
 
     Error = Class.new(StandardError)
     MissingKeysError = Class.new(StandardError)
+    InvalidFieldValueError = Class.new(StandardError)
     ResponseInvalidSizeError = Class.new(StandardError)
 
     RESPONSE_SIZE_LIMIT = 1.megabyte
@@ -110,5 +111,15 @@ module ErrorTracking
     def raise_error(message)
       raise SentryClient::Error, message
     end
+
+    def ensure_numeric!(field, value)
+      return value if /\A\d+\z/.match?(value)
+
+      raise_invalid_field_value!(field, "#{value.inspect} is not numeric")
+    end
+
+    def raise_invalid_field_value!(field, message)
+      raise InvalidFieldValueError, %(Sentry API response contains invalid value for field "#{field}": #{message})
+    end
   end
 end
diff --git a/lib/error_tracking/sentry_client/event.rb b/lib/error_tracking/sentry_client/event.rb
index 1db31abeeb2..d8ae81f5411 100644
--- a/lib/error_tracking/sentry_client/event.rb
+++ b/lib/error_tracking/sentry_client/event.rb
@@ -16,7 +16,7 @@ module ErrorTracking
 
         Gitlab::ErrorTracking::ErrorEvent.new(
           project_id: event['projectID'],
-          issue_id: event['groupID'],
+          issue_id: ensure_numeric!('issue_id', event['groupID']),
           date_received: event['dateReceived'],
           stack_trace_entries: stack_trace
         )
diff --git a/lib/error_tracking/sentry_client/issue.rb b/lib/error_tracking/sentry_client/issue.rb
index 3c846eb0635..5e2e0787a3f 100644
--- a/lib/error_tracking/sentry_client/issue.rb
+++ b/lib/error_tracking/sentry_client/issue.rb
@@ -114,8 +114,10 @@ module ErrorTracking
       end
 
       def map_to_error(issue)
+        id = ensure_numeric!('id', issue.fetch('id'))
+
         Gitlab::ErrorTracking::Error.new(
-          id: issue.fetch('id'),
+          id: id,
           first_seen: issue.fetch('firstSeen', nil),
           last_seen: issue.fetch('lastSeen', nil),
           title: issue.fetch('title', nil),
@@ -124,7 +126,7 @@ module ErrorTracking
           count: issue.fetch('count', nil),
           message: issue.dig('metadata', 'value'),
           culprit: issue.fetch('culprit', nil),
-          external_url: issue_url(issue.fetch('id')),
+          external_url: issue_url(id),
           short_id: issue.fetch('shortId', nil),
           status: issue.fetch('status', nil),
           frequency: issue.dig('stats', '24h'),
@@ -135,8 +137,10 @@ module ErrorTracking
       end
 
       def map_to_detailed_error(issue)
+        id = ensure_numeric!('id', issue.fetch('id'))
+
         Gitlab::ErrorTracking::DetailedError.new(
-          id: issue.fetch('id'),
+          id: id,
           first_seen: issue.fetch('firstSeen', nil),
           last_seen: issue.fetch('lastSeen', nil),
           tags: extract_tags(issue),
@@ -146,7 +150,7 @@ module ErrorTracking
           count: issue.fetch('count', nil),
           message: issue.dig('metadata', 'value'),
           culprit: issue.fetch('culprit', nil),
-          external_url: issue_url(issue.fetch('id')),
+          external_url: issue_url(id),
           external_base_url: project_url,
           short_id: issue.fetch('shortId', nil),
           status: issue.fetch('status', nil),
diff --git a/lib/gitlab/checks/tag_check.rb b/lib/gitlab/checks/tag_check.rb
index 5dd7720b67d..007a775eaf5 100644
--- a/lib/gitlab/checks/tag_check.rb
+++ b/lib/gitlab/checks/tag_check.rb
@@ -9,11 +9,13 @@ module Gitlab
         delete_protected_tag: 'You are not allowed to delete protected tags from this project. '\
           'Only a project maintainer or owner can delete a protected tag.',
         delete_protected_tag_non_web: 'You can only delete protected tags using the web interface.',
-        create_protected_tag: 'You are not allowed to create this tag as it is protected.'
+        create_protected_tag: 'You are not allowed to create this tag as it is protected.',
+        default_branch_collision: 'You cannot use default branch name to create a tag'
       }.freeze
 
       LOG_MESSAGES = {
         tag_checks: "Checking if you are allowed to change existing tags...",
+        default_branch_collision_check: "Checking if you are providing a valid tag name...",
         protected_tag_checks: "Checking if you are creating, updating or deleting a protected tag..."
       }.freeze
 
@@ -26,6 +28,7 @@ module Gitlab
           end
         end
 
+        default_branch_collision_check
         protected_tag_checks
       end
 
@@ -52,6 +55,14 @@ module Gitlab
           end
         end
       end
+
+      def default_branch_collision_check
+        logger.log_timed(LOG_MESSAGES[:default_branch_collision_check]) do
+          if creation? && tag_name == project.default_branch
+            raise GitAccess::ForbiddenError, ERROR_MESSAGES[:default_branch_collision]
+          end
+        end
+      end
     end
   end
 end
diff --git a/lib/gitlab/ci/ansi2json/line.rb b/lib/gitlab/ci/ansi2json/line.rb
index e48080993ab..abe2f272ca7 100644
--- a/lib/gitlab/ci/ansi2json/line.rb
+++ b/lib/gitlab/ci/ansi2json/line.rb
@@ -80,7 +80,8 @@ module Gitlab
         end
 
         def set_section_duration(duration_in_seconds)
-          duration = ActiveSupport::Duration.build(duration_in_seconds.to_i)
+          normalized_duration_in_seconds = duration_in_seconds.to_i.clamp(0, 1.year)
+          duration = ActiveSupport::Duration.build(normalized_duration_in_seconds)
           hours = duration.in_hours.floor
           hours = hours > 0 ? "%02d" % hours : nil
           minutes = "%02d" % duration.parts[:minutes].to_i
diff --git a/lib/gitlab/database/gitlab_schemas.yml b/lib/gitlab/database/gitlab_schemas.yml
index 5725d7a4503..5c875628953 100644
--- a/lib/gitlab/database/gitlab_schemas.yml
+++ b/lib/gitlab/database/gitlab_schemas.yml
@@ -99,6 +99,7 @@ ci_pipeline_messages: :gitlab_ci
 ci_pipeline_schedules: :gitlab_ci
 ci_pipeline_schedule_variables: :gitlab_ci
 ci_pipelines_config: :gitlab_ci
+ci_pipeline_metadata: :gitlab_ci
 ci_pipelines: :gitlab_ci
 ci_pipeline_variables: :gitlab_ci
 ci_platform_metrics: :gitlab_ci
diff --git a/lib/gitlab/gfm/uploads_rewriter.rb b/lib/gitlab/gfm/uploads_rewriter.rb
index b0bf68f4204..58b46a85aae 100644
--- a/lib/gitlab/gfm/uploads_rewriter.rb
+++ b/lib/gitlab/gfm/uploads_rewriter.rb
@@ -23,33 +23,24 @@ module Gitlab
       def rewrite(target_parent)
         return @text unless needs_rewrite?
 
-        @text.gsub!(@pattern) do |markdown|
-          file = find_file($~[:secret], $~[:file])
-          # No file will be returned for a path traversal
-          next if file.nil?
+        @target_parent = target_parent
 
-          break markdown unless file.try(:exists?)
-
-          klass = target_parent.is_a?(Namespace) ? NamespaceFileUploader : FileUploader
-          moved = klass.copy_to(file, target_parent)
-
-          moved_markdown = moved.markdown_link
-
-          # Prevents rewrite of plain links as embedded
-          if was_embedded?(markdown)
-            moved_markdown
-          else
-            moved_markdown.delete_prefix('!')
-          end
+        rewritten_text = Gitlab::StringRegexMarker.new(@text).mark(@pattern) do |markdown, left:, right:, mode:|
+          transform_markdown(markdown)
         end
+
+        # MarkdownContentRewriterService relies on the text being changed _in place_.
+        @text.gsub!(@text, rewritten_text)
       end
 
       def needs_rewrite?
         strong_memoize(:needs_rewrite) do
-          FileUploader::MARKDOWN_PATTERN.match?(@text)
+          @pattern.match?(@text)
         end
       end
 
+      private
+
       def was_embedded?(markdown)
         markdown.starts_with?("!")
       end
@@ -57,6 +48,28 @@ module Gitlab
       def find_file(secret, file_name)
         UploaderFinder.new(@source_project, secret, file_name).execute
       end
+
+      def transform_markdown(markdown)
+        match = @pattern.match(markdown)
+        file = find_file(match[:secret], match[:file])
+
+        # No file will be returned for a path traversal
+        return '' if file.nil?
+
+        return markdown unless file.try(:exists?)
+
+        klass = @target_parent.is_a?(Namespace) ? NamespaceFileUploader : FileUploader
+        moved = klass.copy_to(file, @target_parent)
+
+        moved_markdown = moved.markdown_link
+
+        # Prevents rewrite of plain links as embedded
+        if was_embedded?(markdown)
+          moved_markdown
+        else
+          moved_markdown.delete_prefix('!')
+        end
+      end
     end
   end
 end
diff --git a/lib/gitlab/hook_data/group_member_builder.rb b/lib/gitlab/hook_data/group_member_builder.rb
index 2998550a4b5..d70885018e9 100644
--- a/lib/gitlab/hook_data/group_member_builder.rb
+++ b/lib/gitlab/hook_data/group_member_builder.rb
@@ -39,7 +39,7 @@ module Gitlab
           group_id: group_member.group.id,
           user_username: group_member.user.username,
           user_name: group_member.user.name,
-          user_email: group_member.user.email,
+          user_email: group_member.user.webhook_email,
           user_id: group_member.user.id,
           group_access: group_member.human_access,
           expires_at: group_member.expires_at&.xmlschema
diff --git a/lib/gitlab/import_export/project/import_export.yml b/lib/gitlab/import_export/project/import_export.yml
index 33e4823f192..fb44aaf094e 100644
--- a/lib/gitlab/import_export/project/import_export.yml
+++ b/lib/gitlab/import_export/project/import_export.yml
@@ -98,6 +98,7 @@ tree:
         - :statuses
       - :external_pull_request
       - :merge_request
+      - :pipeline_metadata
     - :auto_devops
     - :pipeline_schedules
     - :container_expiration_policy
@@ -582,6 +583,9 @@ included_attributes:
     - :iid
     - :source_sha
     - :target_sha
+  pipeline_metadata:
+    - :project_id
+    - :title
   stages:
     - :name
     - :status
@@ -971,6 +975,8 @@ excluded_attributes:
     - :external_pull_request_id
     - :ci_ref_id
     - :locked
+  pipeline_metadata:
+    - :pipeline_id
   stages:
     - :pipeline_id
   merge_access_levels:
diff --git a/lib/gitlab/import_export/project/relation_factory.rb b/lib/gitlab/import_export/project/relation_factory.rb
index c4b0e24e34a..568315930d8 100644
--- a/lib/gitlab/import_export/project/relation_factory.rb
+++ b/lib/gitlab/import_export/project/relation_factory.rb
@@ -13,6 +13,7 @@ module Gitlab
                       pipeline_schedules: 'Ci::PipelineSchedule',
                       builds: 'Ci::Build',
                       runners: 'Ci::Runner',
+                      pipeline_metadata: 'Ci::PipelineMetadata',
                       hooks: 'ProjectHook',
                       merge_access_levels: 'ProtectedBranch::MergeAccessLevel',
                       push_access_levels: 'ProtectedBranch::PushAccessLevel',
diff --git a/lib/gitlab/json_cache.rb b/lib/gitlab/json_cache.rb
index d5c018cfc68..d2916a01809 100644
--- a/lib/gitlab/json_cache.rb
+++ b/lib/gitlab/json_cache.rb
@@ -43,9 +43,7 @@ module Gitlab
     end
 
     def write(key, value, options = nil)
-      # As we use json as the serialization format, return everything from
-      # ActiveModel objects included encrypted values.
-      backend.write(cache_key(key), value.to_json(unsafe_serialization_hash: true), options)
+      backend.write(cache_key(key), value.to_json, options)
     end
 
     def fetch(key, options = {}, &block)
diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb
index 10c03103899..4f76cce2c7d 100644
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -414,8 +414,10 @@ module Gitlab
 
     # Based on Jira's project key format
     # https://confluence.atlassian.com/adminjiraserver073/changing-the-project-key-format-861253229.html
+    # Avoids linking CVE IDs (https://cve.mitre.org/cve/identifiers/syntaxchange.html#new) as Jira issues.
+    # CVE IDs use the format of CVE-YYYY-NNNNNNN
     def jira_issue_key_regex
-      @jira_issue_key_regex ||= /[A-Z][A-Z_0-9]+-\d+/
+      @jira_issue_key_regex ||= /(?!CVE-\d+-\d+)[A-Z][A-Z_0-9]+-\d+/
     end
 
     def jira_issue_key_project_key_extraction_regex
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 386b2db65e8..bb4155737b1 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -1029,11 +1029,6 @@ msgstr ""
 msgid "%{start} to %{end}"
 msgstr ""
 
-msgid "%{strongOpen}%{errors}%{strongClose} point"
-msgid_plural "%{strongOpen}%{errors}%{strongClose} points"
-msgstr[0] ""
-msgstr[1] ""
-
 msgid "%{strongOpen}Warning:%{strongClose} SAML group links can cause GitLab to automatically remove members from groups."
 msgstr ""
 
@@ -1070,6 +1065,11 @@ msgid_plural "%{strong_start}%{count} members%{strong_end} must approve to merge
 msgstr[0] ""
 msgstr[1] ""
 
+msgid "%{strong_start}%{errors}%{strong_end} point"
+msgid_plural "%{strong_start}%{errors}%{strong_end} points"
+msgstr[0] ""
+msgstr[1] ""
+
 msgid "%{strong_start}%{human_size}%{strong_end} Project Storage"
 msgstr ""
 
@@ -3977,6 +3977,9 @@ msgstr ""
 msgid "Allow use of licensed EE features"
 msgstr ""
 
+msgid "Allow users to create top-level groups"
+msgstr ""
+
 msgid "Allow users to dismiss the broadcast message"
 msgstr ""
 
@@ -7524,9 +7527,6 @@ msgstr ""
 msgid "Cannot assign a confidential epic to a non-confidential issue. Make the issue confidential and try again"
 msgstr ""
 
-msgid "Cannot assign an issue from same hierarchy that does not belong under the same group (or descendant) as the epic."
-msgstr ""
-
 msgid "Cannot assign an issue that does not belong under the same group (or descendant) as the epic."
 msgstr ""
 
diff --git a/qa/qa/specs/features/api/1_manage/import_large_github_repo_spec.rb b/qa/qa/specs/features/api/1_manage/import_large_github_repo_spec.rb
index b1c21ea87de..6b94408fed7 100644
--- a/qa/qa/specs/features/api/1_manage/import_large_github_repo_spec.rb
+++ b/qa/qa/specs/features/api/1_manage/import_large_github_repo_spec.rb
@@ -12,7 +12,7 @@ module QA
       let(:import_max_duration) { ENV['QA_LARGE_IMPORT_DURATION']&.to_i || 7200 }
       let(:logger) { Runtime::Logger.logger }
       let(:differ) { RSpec::Support::Differ.new(color: true) }
-      let(:gitlab_address) { QA::Runtime::Scenario.gitlab_address }
+      let(:gitlab_address) { QA::Runtime::Scenario.gitlab_address.chomp("/") }
       let(:dummy_url) { "https://example.com" }
       let(:api_request_params) { { auto_paginate: true, attempts: 2 } }
 
@@ -56,6 +56,10 @@ module QA
           "head_ref_deleted",
           "head_ref_force_pushed",
           "head_ref_restored",
+          "base_ref_force_pushed",
+          "base_ref_changed",
+          "review_request_removed",
+          "review_dismissed",
           "auto_squash_enabled",
           "auto_merge_disabled",
           "comment_deleted",
@@ -65,6 +69,7 @@ module QA
           "unsubscribed",
           "transferred",
           "locked",
+          "unlocked",
           # mentions are supported but they can be reported differently on gitlab's side
           # for example mention of issue creation in pr will be reported in the issue on gitlab side
           # or referenced in github will still create a 'mentioned in' comment in gitlab
@@ -197,6 +202,10 @@ module QA
         end
       end
 
+      before do
+        Runtime::Feature.enable(:github_importer_single_endpoint_issue_events_import)
+      end
+
       after do |example|
         next unless defined?(@import_time)
 
@@ -219,8 +228,10 @@ module QA
                 milestones: gh_milestones.length,
                 mrs: gh_prs.length,
                 mr_comments: gh_prs.sum { |_k, v| v[:comments].length },
+                mr_events: gh_prs.sum { |_k, v| v[:events].length },
                 issues: gh_issues.length,
-                issue_comments: gh_issues.sum { |_k, v| v[:comments].length }
+                issue_comments: gh_issues.sum { |_k, v| v[:comments].length },
+                issue_events: gh_issues.sum { |_k, v| v[:events].length }
               }
             },
             target: {
@@ -234,8 +245,10 @@ module QA
                 milestones: gl_milestones.length,
                 mrs: mrs.length,
                 mr_comments: mrs.sum { |_k, v| v[:comments].length },
+                mr_events: mrs.sum { |_k, v| v[:events].length },
                 issues: gl_issues.length,
-                issue_comments: gl_issues.sum { |_k, v| v[:comments].length }
+                issue_comments: gl_issues.sum { |_k, v| v[:comments].length },
+                issue_events: gl_issues.sum { |_k, v| v[:events].length }
               }
             },
             not_imported: {
@@ -252,8 +265,8 @@ module QA
       ) do
         start = Time.now
 
-        # import the project and log gitlab path
-        logger.info("== Importing project '#{github_repo}' in to '#{imported_project.reload!.full_path}' ==")
+        # trigger import and log project paths
+        logger.info("== Triggering import of project '#{github_repo}' in to '#{imported_project.reload!.full_path}' ==")
 
         # fetch all objects right after import has started
         fetch_github_objects
@@ -357,22 +370,23 @@ module QA
         count_msg = "Expected to contain same amount of #{type}s. Gitlab: #{expected.length}, Github: #{actual.length}"
         expect(expected.length).to eq(actual.length), count_msg
 
-        missing_comments = verify_comments(type, actual, expected)
+        missing_objects = (actual.keys - expected.keys).map { |it| actual[it].slice(:title, :url) }
+        missing_content = verify_comments_and_events(type, actual, expected)
 
         {
-          "#{type}s": (actual.keys - expected.keys).map { |it| actual[it].slice(:title, :url) },
-          "#{type}_comments": missing_comments
-        }
+          "#{type}s": missing_objects.empty? ? nil : missing_objects,
+          "#{type}_content": missing_content.empty? ? nil : missing_content
+        }.compact
       end
 
-      # Verify imported comments
+      # Verify imported comments and events
       #
       # @param [String] type verification object, 'mrs' or 'issues'
       # @param [Hash] actual
       # @param [Hash] expected
       # @return [Hash]
-      def verify_comments(type, actual, expected)
-        actual.each_with_object([]) do |(key, actual_item), missing_comments|
+      def verify_comments_and_events(type, actual, expected)
+        actual.each_with_object([]) do |(key, actual_item), missing_content|
           expected_item = expected[key]
           title = actual_item[:title]
           msg = "expected #{type} with iid '#{key}' to have"
@@ -409,17 +423,19 @@ module QA
           expect(expected_events.length).to eq(actual_events.length), event_count_msg
           expect(expected_events).to match_array(actual_events)
 
-          # Save missing comments
+          # Save missing comments and events
           #
           comment_diff = actual_comments - expected_comments
-          next if comment_diff.empty?
+          event_diff = actual_events - expected_events
+          next if comment_diff.empty? && event_diff.empty?
 
-          missing_comments << {
+          missing_content << {
             title: title,
             github_url: actual_item[:url],
             gitlab_url: expected_item[:url],
-            missing_comments: comment_diff
-          }
+            missing_comments: comment_diff.empty? ? nil : comment_diff,
+            missing_events: event_diff.empty? ? nil : event_diff
+          }.compact
         end
       end
 
diff --git a/spec/controllers/admin/application_settings_controller_spec.rb b/spec/controllers/admin/application_settings_controller_spec.rb
index ab0cad989cb..0ad0a111156 100644
--- a/spec/controllers/admin/application_settings_controller_spec.rb
+++ b/spec/controllers/admin/application_settings_controller_spec.rb
@@ -211,6 +211,13 @@ RSpec.describe Admin::ApplicationSettingsController, :do_not_mock_admin_mode_set
       expect(ApplicationSetting.current.valid_runner_registrars).to eq(['project'])
     end
 
+    it 'updates can_create_group setting' do
+      put :update, params: { application_setting: { can_create_group: false } }
+
+      expect(response).to redirect_to(general_admin_application_settings_path)
+      expect(ApplicationSetting.current.can_create_group).to eq(false)
+    end
+
     context "personal access token prefix settings" do
       let(:application_settings) { ApplicationSetting.current }
 
diff --git a/spec/controllers/boards/issues_controller_spec.rb b/spec/controllers/boards/issues_controller_spec.rb
index 6bf2f088ab9..380c42af857 100644
--- a/spec/controllers/boards/issues_controller_spec.rb
+++ b/spec/controllers/boards/issues_controller_spec.rb
@@ -427,6 +427,22 @@ RSpec.describe Boards::IssuesController do
   end
 
   describe 'POST create' do
+    context 'when trying to create issue on an unauthorized project' do
+      let(:unauthorized_project) { create(:project, :private) }
+      let(:issue_params) { { project_id: unauthorized_project.id } }
+
+      it 'creates the issue on the board\'s project' do
+        expect do
+          create_issue user: user, board: board, list: list1, title: 'New issue', additional_issue_params: issue_params
+        end.to change(Issue, :count).by(1)
+
+        created_issue = Issue.last
+
+        expect(created_issue.project).to eq(project)
+        expect(unauthorized_project.reload.issues.count).to eq(0)
+      end
+    end
+
     context 'with valid params' do
       before do
         create_issue user: user, board: board, list: list1, title: 'New issue'
@@ -517,13 +533,13 @@ RSpec.describe Boards::IssuesController do
       end
     end
 
-    def create_issue(user:, board:, list:, title:)
+    def create_issue(user:, board:, list:, title:, additional_issue_params: {})
       sign_in(user)
 
       post :create, params: {
                       board_id: board.to_param,
                       list_id: list.to_param,
-                      issue: { title: title, project_id: project.id }
+                      issue: { title: title, project_id: project.id }.merge(additional_issue_params)
                     },
                     format: :json
     end
diff --git a/spec/factories/ci/pipeline_metadata.rb b/spec/factories/ci/pipeline_metadata.rb
new file mode 100644
index 00000000000..600cfaa92c6
--- /dev/null
+++ b/spec/factories/ci/pipeline_metadata.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :ci_pipeline_metadata, class: 'Ci::PipelineMetadata' do
+    title { 'Pipeline title' }
+
+    pipeline factory: :ci_empty_pipeline
+    project
+  end
+end
diff --git a/spec/factories/ci/pipelines.rb b/spec/factories/ci/pipelines.rb
index d6b1da1d5c2..5b20010ef7e 100644
--- a/spec/factories/ci/pipelines.rb
+++ b/spec/factories/ci/pipelines.rb
@@ -18,6 +18,8 @@ FactoryBot.define do
     transient { child_of { nil } }
     transient { upstream_of { nil } }
 
+    transient { title { nil } }
+
     after(:build) do |pipeline, evaluator|
       if evaluator.child_of
         pipeline.project = evaluator.child_of.project
@@ -25,6 +27,10 @@ FactoryBot.define do
       end
 
       pipeline.ensure_project_iid!
+
+      if evaluator.title
+        pipeline.pipeline_metadata = build(:ci_pipeline_metadata, title: evaluator.title, project: pipeline.project, pipeline: pipeline)
+      end
     end
 
     after(:create) do |pipeline, evaluator|
diff --git a/spec/features/admin/users/users_spec.rb b/spec/features/admin/users/users_spec.rb
index 236327ea687..3660ca65ca0 100644
--- a/spec/features/admin/users/users_spec.rb
+++ b/spec/features/admin/users/users_spec.rb
@@ -366,7 +366,7 @@ RSpec.describe 'Admin::Users' do
       expect(user.projects_limit)
         .to eq(Gitlab.config.gitlab.default_projects_limit)
       expect(user.can_create_group)
-        .to eq(Gitlab.config.gitlab.default_can_create_group)
+        .to eq(Gitlab::CurrentSettings.can_create_group)
     end
 
     it 'creates user with valid data' do
diff --git a/spec/fixtures/lib/gitlab/import_export/complex/project.json b/spec/fixtures/lib/gitlab/import_export/complex/project.json
index f3fc69e4936..a03177ba85e 100644
--- a/spec/fixtures/lib/gitlab/import_export/complex/project.json
+++ b/spec/fixtures/lib/gitlab/import_export/complex/project.json
@@ -6957,6 +6957,12 @@
       "duration": null,
       "source": "push",
       "merge_request_id": null,
+      "pipeline_metadata": {
+        "id": 2,
+        "pipeline_id": 36,
+        "project_id": 5,
+        "title": "Build pipeline"
+      },
       "notes": [
         {
           "id": 2147483547,
diff --git a/spec/fixtures/lib/gitlab/import_export/complex/tree/project/ci_pipelines.ndjson b/spec/fixtures/lib/gitlab/import_export/complex/tree/project/ci_pipelines.ndjson
index a9d04ec5d6d..0c19f23cc24 100644
--- a/spec/fixtures/lib/gitlab/import_export/complex/tree/project/ci_pipelines.ndjson
+++ b/spec/fixtures/lib/gitlab/import_export/complex/tree/project/ci_pipelines.ndjson
@@ -1,7 +1,7 @@
 {"id":19,"project_id":5,"ref":"master","sha":"2ea1f3dec713d940208fb5ce4a38765ecb5d3f73","before_sha":null,"push_data":null,"created_at":"2016-03-22T15:20:35.763Z","updated_at":"2016-03-22T15:20:35.763Z","tag":null,"yaml_errors":null,"committed_at":null,"status":"failed","started_at":null,"finished_at":null,"duration":null,"stages":[{"id":24,"project_id":5,"pipeline_id":40,"name":"test","status":1,"created_at":"2016-03-22T15:44:44.772Z","updated_at":"2016-03-29T06:44:44.634Z","statuses":[{"id":79,"project_id":5,"status":"failed","finished_at":"2016-03-29T06:28:12.695Z","trace":"Sed culpa est et facere saepe vel id ab. Quas temporibus aut similique dolorem consequatur corporis aut praesentium. Cum officia molestiae sit earum excepturi.\n\nSint possimus aut ratione quia. Quis nesciunt ratione itaque illo. Tenetur est dolor assumenda possimus voluptatem quia minima. Accusamus reprehenderit ut et itaque non reiciendis incidunt.\n\nRerum suscipit quibusdam dolore nam omnis. Consequatur ipsa nihil ut enim blanditiis delectus. Nulla quis hic occaecati mollitia qui placeat. Quo rerum sed perferendis a accusantium consequatur commodi ut. Sit quae et cumque vel eius tempora nostrum.\n\nUllam dolorem et itaque sint est. Ea molestias quia provident dolorem vitae error et et. Ea expedita officiis iste non. Qui vitae odit saepe illum. Dolores enim ratione deserunt tempore expedita amet non neque.\n\nEligendi asperiores voluptatibus omnis repudiandae expedita distinctio qui aliquid. Autem aut doloremque distinctio ab. Nostrum sapiente repudiandae aspernatur ea et quae voluptas. Officiis perspiciatis nisi laudantium asperiores error eligendi ab. Eius quia amet magni omnis exercitationem voluptatum et.\n\nVoluptatem ullam labore quas dicta est ex voluptas. Pariatur ea modi voluptas consequatur dolores perspiciatis similique. Numquam in distinctio perspiciatis ut qui earum. Quidem omnis mollitia facere aut beatae. Ea est iure et voluptatem.","created_at":"2016-03-22T15:20:35.950Z","updated_at":"2016-03-29T06:28:12.696Z","started_at":null,"runner_id":null,"coverage":null,"commit_id":40,"commands":"$ build command","job_id":null,"name":"test build 1","deploy":false,"options":null,"allow_failure":false,"stage":"test","trigger_request_id":null,"stage_idx":1,"tag":null,"ref":"master","user_id":null,"target_url":null,"description":null,"erased_by_id":null,"erased_at":null},{"id":80,"project_id":5,"status":"success","finished_at":null,"trace":"Impedit et optio nemo ipsa. Non ad non quis ut sequi laudantium omnis velit. Corporis a enim illo eos. Quia totam tempore inventore ad est.\n\nNihil recusandae cupiditate eaque voluptatem molestias sint. Consequatur id voluptatem cupiditate harum. Consequuntur iusto quaerat reiciendis aut autem libero est. Quisquam dolores veritatis rerum et sint maxime ullam libero. Id quas porro ut perspiciatis rem amet vitae.\n\nNemo inventore minus blanditiis magnam. Modi consequuntur nostrum aut voluptatem ex. Sunt rerum rem optio mollitia qui aliquam officiis officia. Aliquid eos et id aut minus beatae reiciendis.\n\nDolores non in temporibus dicta. Fugiat voluptatem est aspernatur expedita voluptatum nam qui. Quia et eligendi sit quae sint tempore exercitationem eos. Est sapiente corrupti quidem at. Qui magni odio repudiandae saepe tenetur optio dolore.\n\nEos placeat soluta at dolorem adipisci provident. Quo commodi id reprehenderit possimus quo tenetur. Ipsum et quae eligendi laborum. Et qui nesciunt at quasi quidem voluptatem cum rerum. Excepturi non facilis aut sunt vero sed.\n\nQui explicabo ratione ut eligendi recusandae. Quis quasi quas molestiae consequatur voluptatem et voluptatem. Ex repellat saepe occaecati aperiam ea eveniet dignissimos facilis.","created_at":"2016-03-22T15:20:35.966Z","updated_at":"2016-03-22T15:20:35.966Z","started_at":null,"runner_id":null,"coverage":null,"commit_id":40,"commands":"$ build command","job_id":null,"name":"test build 2","deploy":false,"options":null,"allow_failure":false,"stage":"test","trigger_request_id":null,"stage_idx":1,"tag":null,"ref":"master","user_id":null,"target_url":null,"description":null,"erased_by_id":null,"erased_at":null}]}]}
 {"id":20,"project_id":5,"ref":"master","sha":"ce84140e8b878ce6e7c4d298c7202ff38170e3ac","before_sha":null,"push_data":null,"created_at":"2016-03-22T15:20:35.763Z","updated_at":"2016-03-22T15:20:35.763Z","tag":false,"yaml_errors":null,"committed_at":null,"status":"failed","started_at":null,"finished_at":null,"duration":null,"stages":[],"source":"external_pull_request_event","external_pull_request":{"id":3,"pull_request_iid":4,"source_branch":"feature","target_branch":"master","source_repository":"the-repository","target_repository":"the-repository","source_sha":"ce84140e8b878ce6e7c4d298c7202ff38170e3ac","target_sha":"a09386439ca39abe575675ffd4b89ae824fec22f","status":"open","created_at":"2016-03-22T15:20:35.763Z","updated_at":"2016-03-22T15:20:35.763Z"}}
 {"id":26,"project_id":5,"ref":"master","sha":"048721d90c449b244b7b4c53a9186b04330174ec","before_sha":null,"push_data":null,"created_at":"2016-03-22T15:20:35.757Z","updated_at":"2016-03-22T15:20:35.757Z","tag":false,"yaml_errors":null,"committed_at":null,"status":"failed","started_at":null,"finished_at":null,"duration":null,"source":"merge_request_event","merge_request_id":27,"stages":[{"id":21,"project_id":5,"pipeline_id":37,"name":"test","status":1,"created_at":"2016-03-22T15:44:44.772Z","updated_at":"2016-03-29T06:44:44.634Z","statuses":[{"id":74,"project_id":5,"status":"success","finished_at":null,"trace":"Ad ut quod repudiandae iste dolor doloribus. Adipisci consequuntur deserunt omnis quasi eveniet et sed fugit. Aut nemo omnis molestiae impedit ex consequatur ducimus. Voluptatum exercitationem quia aut est et hic dolorem.\n\nQuasi repellendus et eaque magni eum facilis. Dolorem aperiam nam nihil pariatur praesentium ad aliquam. Commodi enim et eos tenetur. Odio voluptatibus laboriosam mollitia rerum exercitationem magnam consequuntur. Tenetur ea vel eum corporis.\n\nVoluptatibus optio in aliquid est voluptates. Ad a ut ab placeat vero blanditiis. Earum aspernatur quia beatae expedita voluptatem dignissimos provident. Quis minima id nemo ut aut est veritatis provident.\n\nRerum voluptatem quidem eius maiores magnam veniam. Voluptatem aperiam aut voluptate et nulla deserunt voluptas. Quaerat aut accusantium laborum est dolorem architecto reiciendis. Aliquam asperiores doloribus omnis maxime enim nesciunt. Eum aut rerum repellendus debitis et ut eius.\n\nQuaerat assumenda ea sit consequatur autem in. Cum eligendi voluptatem quo sed. Ut fuga iusto cupiditate autem sint.\n\nOfficia totam officiis architecto corporis molestiae amet ut. Tempora sed dolorum rerum omnis voluptatem accusantium sit eum. Quia debitis ipsum quidem aliquam inventore sunt consequatur qui.","created_at":"2016-03-22T15:20:35.846Z","updated_at":"2016-03-22T15:20:35.846Z","started_at":null,"runner_id":null,"coverage":null,"commit_id":37,"commands":"$ build command","job_id":null,"name":"test build 2","deploy":false,"options":null,"allow_failure":false,"stage":"test","trigger_request_id":null,"stage_idx":1,"tag":null,"ref":"master","user_id":null,"target_url":null,"description":null,"erased_by_id":null,"erased_at":null},{"id":73,"project_id":5,"status":"canceled","finished_at":null,"trace":null,"created_at":"2016-03-22T15:20:35.842Z","updated_at":"2016-03-22T15:20:35.842Z","started_at":null,"runner_id":null,"coverage":null,"commit_id":37,"commands":"$ build command","job_id":null,"name":"test build 1","deploy":false,"options":null,"allow_failure":false,"stage":"test","trigger_request_id":null,"stage_idx":1,"tag":null,"ref":"master","user_id":null,"target_url":null,"description":null,"erased_by_id":null,"erased_at":null}]}],"merge_request":{"id":27,"target_branch":"feature","source_branch":"feature_conflict","source_project_id":2147483547,"author_id":1,"assignee_id":null,"title":"MR1","created_at":"2016-06-14T15:02:36.568Z","updated_at":"2016-06-14T15:02:56.815Z","state":"opened","merge_status":"unchecked","target_project_id":5,"iid":9,"description":null,"position":0,"updated_by_id":null,"merge_error":null,"diff_head_sha":"HEAD","source_branch_sha":"ABCD","target_branch_sha":"DCBA","merge_params":{"force_remove_source_branch":null}}}
-{"id":36,"project_id":5,"ref":null,"sha":"sha-notes","before_sha":null,"push_data":null,"created_at":"2016-03-22T15:20:35.755Z","updated_at":"2016-03-22T15:20:35.755Z","tag":null,"yaml_errors":null,"committed_at":null,"status":"failed","started_at":null,"finished_at":null,"user_id":2147483547,"duration":null,"source":"push","merge_request_id":null,"notes":[{"id":2147483547,"note":"Natus rerum qui dolorem dolorum voluptas.","noteable_type":"Commit","author_id":1,"created_at":"2016-03-22T15:19:59.469Z","updated_at":"2016-03-22T15:19:59.469Z","project_id":5,"attachment":{"url":null},"line_code":null,"commit_id":"be93687618e4b132087f430a4d8fc3a609c9b77c","noteable_id":36,"system":false,"st_diff":null,"updated_by_id":null,"author":{"name":"Administrator"}}],"stages":[{"id":11,"project_id":5,"pipeline_id":36,"name":"test","status":1,"created_at":"2016-03-22T15:44:44.772Z","updated_at":"2016-03-29T06:44:44.634Z","statuses":[{"id":71,"project_id":5,"status":"failed","finished_at":"2016-03-29T06:28:12.630Z","trace":null,"created_at":"2016-03-22T15:20:35.772Z","updated_at":"2016-03-29T06:28:12.634Z","started_at":null,"runner_id":null,"coverage":null,"commit_id":36,"commands":"$ build command","job_id":null,"name":"test build 1","deploy":false,"options":{"image":"busybox:latest"},"allow_failure":false,"stage":"test","trigger_request_id":null,"stage_idx":1,"stage_id":11,"tag":null,"ref":"master","user_id":null,"target_url":null,"description":null,"erased_by_id":null,"erased_at":null,"type":"Ci::Build","token":"abcd","artifacts_file_store":1,"artifacts_metadata_store":1,"artifacts_size":10},{"id":72,"project_id":5,"status":"success","finished_at":null,"trace":"Porro ea qui ut dolores. Labore ab nemo explicabo aspernatur quis voluptates corporis. Et quasi delectus est sit aperiam perspiciatis asperiores. Repudiandae cum aut consectetur accusantium officia sunt.\n\nQuidem dolore iusto quaerat ut aut inventore et molestiae. Libero voluptates atque nemo qui. Nulla temporibus ipsa similique facere.\n\nAliquam ipsam perferendis qui fugit accusantium omnis id voluptatum. Dignissimos aliquid dicta eos voluptatem assumenda quia. Sed autem natus unde dolor et non nisi et. Consequuntur nihil consequatur rerum est.\n\nSimilique neque est iste ducimus qui fuga cupiditate. Libero autem est aut fuga. Consectetur natus quis non ducimus ut dolore. Magni voluptatibus eius et maxime aut.\n\nAd officiis tempore voluptate vitae corrupti explicabo labore est. Consequatur expedita et sunt nihil aut. Deleniti porro iusto molestiae et beatae.\n\nDeleniti modi nulla qui et labore sequi corrupti. Qui voluptatem assumenda eum cupiditate et. Nesciunt ipsam ut ea possimus eum. Consectetur quidem suscipit atque dolore itaque voluptatibus et cupiditate.","created_at":"2016-03-22T15:20:35.777Z","updated_at":"2016-03-22T15:20:35.777Z","started_at":null,"runner_id":null,"coverage":null,"commit_id":36,"commands":"$ deploy command","job_id":null,"name":"test build 2","deploy":false,"options":null,"allow_failure":false,"stage":"deploy","trigger_request_id":null,"stage_idx":1,"stage_id":12,"tag":null,"ref":"master","user_id":null,"target_url":null,"description":null,"erased_by_id":null,"erased_at":null}]},{"id":12,"project_id":5,"pipeline_id":36,"name":"deploy","status":2,"created_at":"2016-03-22T15:45:45.772Z","updated_at":"2016-03-29T06:45:45.634Z"}]}
+{"id":36,"project_id":5,"ref":null,"sha":"sha-notes","before_sha":null,"push_data":null,"created_at":"2016-03-22T15:20:35.755Z","updated_at":"2016-03-22T15:20:35.755Z","tag":null,"yaml_errors":null,"committed_at":null,"status":"failed","started_at":null,"finished_at":null,"user_id":2147483547,"duration":null,"source":"push","merge_request_id":null,"pipeline_metadata": {"id":  2, "project_id": 5, "pipeline_id": 36, "title": "Build pipeline"},"notes":[{"id":2147483547,"note":"Natus rerum qui dolorem dolorum voluptas.","noteable_type":"Commit","author_id":1,"created_at":"2016-03-22T15:19:59.469Z","updated_at":"2016-03-22T15:19:59.469Z","project_id":5,"attachment":{"url":null},"line_code":null,"commit_id":"be93687618e4b132087f430a4d8fc3a609c9b77c","noteable_id":36,"system":false,"st_diff":null,"updated_by_id":null,"author":{"name":"Administrator"}}],"stages":[{"id":11,"project_id":5,"pipeline_id":36,"name":"test","status":1,"created_at":"2016-03-22T15:44:44.772Z","updated_at":"2016-03-29T06:44:44.634Z","statuses":[{"id":71,"project_id":5,"status":"failed","finished_at":"2016-03-29T06:28:12.630Z","trace":null,"created_at":"2016-03-22T15:20:35.772Z","updated_at":"2016-03-29T06:28:12.634Z","started_at":null,"runner_id":null,"coverage":null,"commit_id":36,"commands":"$ build command","job_id":null,"name":"test build 1","deploy":false,"options":{"image":"busybox:latest"},"allow_failure":false,"stage":"test","trigger_request_id":null,"stage_idx":1,"stage_id":11,"tag":null,"ref":"master","user_id":null,"target_url":null,"description":null,"erased_by_id":null,"erased_at":null,"type":"Ci::Build","token":"abcd","artifacts_file_store":1,"artifacts_metadata_store":1,"artifacts_size":10},{"id":72,"project_id":5,"status":"success","finished_at":null,"trace":"Porro ea qui ut dolores. Labore ab nemo explicabo aspernatur quis voluptates corporis. Et quasi delectus est sit aperiam perspiciatis asperiores. Repudiandae cum aut consectetur accusantium officia sunt.\n\nQuidem dolore iusto quaerat ut aut inventore et molestiae. Libero voluptates atque nemo qui. Nulla temporibus ipsa similique facere.\n\nAliquam ipsam perferendis qui fugit accusantium omnis id voluptatum. Dignissimos aliquid dicta eos voluptatem assumenda quia. Sed autem natus unde dolor et non nisi et. Consequuntur nihil consequatur rerum est.\n\nSimilique neque est iste ducimus qui fuga cupiditate. Libero autem est aut fuga. Consectetur natus quis non ducimus ut dolore. Magni voluptatibus eius et maxime aut.\n\nAd officiis tempore voluptate vitae corrupti explicabo labore est. Consequatur expedita et sunt nihil aut. Deleniti porro iusto molestiae et beatae.\n\nDeleniti modi nulla qui et labore sequi corrupti. Qui voluptatem assumenda eum cupiditate et. Nesciunt ipsam ut ea possimus eum. Consectetur quidem suscipit atque dolore itaque voluptatibus et cupiditate.","created_at":"2016-03-22T15:20:35.777Z","updated_at":"2016-03-22T15:20:35.777Z","started_at":null,"runner_id":null,"coverage":null,"commit_id":36,"commands":"$ deploy command","job_id":null,"name":"test build 2","deploy":false,"options":null,"allow_failure":false,"stage":"deploy","trigger_request_id":null,"stage_idx":1,"stage_id":12,"tag":null,"ref":"master","user_id":null,"target_url":null,"description":null,"erased_by_id":null,"erased_at":null}]},{"id":12,"project_id":5,"pipeline_id":36,"name":"deploy","status":2,"created_at":"2016-03-22T15:45:45.772Z","updated_at":"2016-03-29T06:45:45.634Z"}]}
 {"id":38,"iid":1,"project_id":5,"ref":"master","sha":"5f923865dde3436854e9ceb9cdb7815618d4e849","before_sha":null,"push_data":null,"created_at":"2016-03-22T15:20:35.759Z","updated_at":"2016-03-22T15:20:35.759Z","tag":null,"yaml_errors":null,"committed_at":null,"status":"failed","started_at":null,"finished_at":null,"duration":null,"stages":[{"id":22,"project_id":5,"pipeline_id":38,"name":"test","status":1,"created_at":"2016-03-22T15:44:44.772Z","updated_at":"2016-03-29T06:44:44.634Z","statuses":[{"id":76,"project_id":5,"status":"success","finished_at":null,"trace":"Et rerum quia ea cumque ut modi non. Libero eaque ipsam architecto maiores expedita deleniti. Ratione quia qui est id.\n\nQuod sit officiis sed unde inventore veniam quisquam velit. Ea harum cum quibusdam quisquam minima quo possimus non. Temporibus itaque aliquam aut rerum veritatis at.\n\nMagnam ipsum eius recusandae qui quis sit maiores eum. Et animi iusto aut itaque. Doloribus harum deleniti nobis accusantium et libero.\n\nRerum fuga perferendis magni commodi officiis id repudiandae. Consequatur ratione consequatur suscipit facilis sunt iure est dicta. Qui unde quasi facilis et quae nesciunt. Magnam iste et nobis officiis tenetur. Aspernatur quo et temporibus non in.\n\nNisi rerum velit est ad enim sint molestiae consequuntur. Quaerat nisi nesciunt quasi officiis. Possimus non blanditiis laborum quos.\n\nRerum laudantium facere animi qui. Ipsa est iusto magnam nihil. Enim omnis occaecati non dignissimos ut recusandae eum quasi. Qui maxime dolor et nemo voluptates incidunt quia.","created_at":"2016-03-22T15:20:35.882Z","updated_at":"2016-03-22T15:20:35.882Z","started_at":null,"runner_id":null,"coverage":null,"commit_id":38,"commands":"$ build command","job_id":null,"name":"test build 2","deploy":false,"options":null,"allow_failure":false,"stage":"test","trigger_request_id":null,"stage_idx":1,"tag":null,"ref":"master","user_id":null,"target_url":null,"description":null,"erased_by_id":null,"erased_at":null},{"id":75,"project_id":5,"status":"failed","finished_at":null,"trace":"Sed et iste recusandae dicta corporis. Sunt alias porro fugit sunt. Fugiat omnis nihil dignissimos aperiam explicabo doloremque sit aut. Harum fugit expedita quia rerum ut consequatur laboriosam aliquam.\n\nNatus libero ut ut tenetur earum. Tempora omnis autem omnis et libero dolores illum autem. Deleniti eos sunt mollitia ipsam. Cum dolor repellendus dolorum sequi officia. Ullam sunt in aut pariatur excepturi.\n\nDolor nihil debitis et est eos. Cumque eos eum saepe ducimus autem. Alias architecto consequatur aut pariatur possimus. Aut quos aut incidunt quam velit et. Quas voluptatum ad dolorum dignissimos.\n\nUt voluptates consectetur illo et. Est commodi accusantium vel quo. Eos qui fugiat soluta porro.\n\nRatione possimus alias vel maxime sint totam est repellat. Ipsum corporis eos sint voluptatem eos odit. Temporibus libero nulla harum eligendi labore similique ratione magnam. Suscipit sequi in omnis neque.\n\nLaudantium dolor amet omnis placeat mollitia aut molestiae. Aut rerum similique ipsum quod illo quas unde. Sunt aut veritatis eos omnis porro. Rem veritatis mollitia praesentium dolorem. Consequatur sequi ad cumque earum omnis quia necessitatibus.","created_at":"2016-03-22T15:20:35.864Z","updated_at":"2016-03-22T15:20:35.864Z","started_at":null,"runner_id":null,"coverage":null,"commit_id":38,"commands":"$ build command","job_id":null,"name":"test build 1","deploy":false,"options":null,"allow_failure":false,"stage":"test","trigger_request_id":null,"stage_idx":1,"tag":null,"ref":"master","user_id":null,"target_url":null,"description":null,"erased_by_id":null,"erased_at":null}]}]}
 {"id":39,"project_id":5,"ref":"master","sha":"d2d430676773caa88cdaf7c55944073b2fd5561a","before_sha":null,"push_data":null,"created_at":"2016-03-22T15:20:35.761Z","updated_at":"2016-03-22T15:20:35.761Z","tag":null,"yaml_errors":null,"committed_at":null,"status":"failed","started_at":null,"finished_at":null,"duration":null,"stages":[{"id":23,"project_id":5,"pipeline_id":39,"name":"test","status":1,"created_at":"2016-03-22T15:44:44.772Z","updated_at":"2016-03-29T06:44:44.634Z","statuses":[{"id":78,"project_id":5,"status":"success","finished_at":null,"trace":"Dolorem deserunt quas quia error hic quo cum vel. Natus voluptatem cumque expedita numquam odit. Eos expedita nostrum corporis consequatur est recusandae.\n\nCulpa blanditiis rerum repudiandae alias voluptatem. Velit iusto est ullam consequatur doloribus porro. Corporis voluptas consectetur est veniam et quia quae.\n\nEt aut magni fuga nesciunt officiis molestias. Quaerat et nam necessitatibus qui rerum. Architecto quia officiis voluptatem laborum est recusandae. Quasi ducimus soluta odit necessitatibus labore numquam dignissimos. Quia facere sint temporibus inventore sunt nihil saepe dolorum.\n\nFacere dolores quis dolores a. Est minus nostrum nihil harum. Earum laborum et ipsum unde neque sit nemo. Corrupti est consequatur minima fugit. Illum voluptatem illo error ducimus officia qui debitis.\n\nDignissimos porro a autem harum aut. Aut id reprehenderit et exercitationem. Est et quisquam ipsa temporibus molestiae. Architecto natus dolore qui fugiat incidunt. Autem odit veniam excepturi et voluptatibus culpa ipsum eos.\n\nAmet quo quisquam dignissimos soluta modi dolores. Sint omnis eius optio corporis dolor. Eligendi animi porro quia placeat ut.","created_at":"2016-03-22T15:20:35.927Z","updated_at":"2016-03-22T15:20:35.927Z","started_at":null,"runner_id":null,"coverage":null,"commit_id":39,"commands":"$ build command","job_id":null,"name":"test build 2","deploy":false,"options":null,"allow_failure":false,"stage":"test","trigger_request_id":null,"stage_idx":1,"tag":null,"ref":"master","user_id":null,"target_url":null,"description":null,"erased_by_id":null,"erased_at":null},{"id":77,"project_id":5,"status":"failed","finished_at":null,"trace":"Rerum ut et suscipit est perspiciatis. Inventore debitis cum eius vitae. Ex incidunt id velit aut quo nisi. Laboriosam repellat deserunt eius reiciendis architecto et. Est harum quos nesciunt nisi consectetur.\n\nAlias esse omnis sint officia est consequatur in nobis. Dignissimos dolorum vel eligendi nesciunt dolores sit. Veniam mollitia ducimus et exercitationem molestiae libero sed. Atque omnis debitis laudantium voluptatibus qui. Repellendus tempore est commodi pariatur.\n\nExpedita voluptate illum est alias non. Modi nesciunt ab assumenda laborum nulla consequatur molestias doloremque. Magnam quod officia vel explicabo accusamus ut voluptatem incidunt. Rerum ut aliquid ullam saepe. Est eligendi debitis beatae blanditiis reiciendis.\n\nQui fuga sit dolores libero maiores et suscipit. Consectetur asperiores omnis minima impedit eos fugiat. Similique omnis nisi sed vero inventore ipsum aliquam exercitationem.\n\nBlanditiis magni iure dolorum omnis ratione delectus molestiae. Atque officia dolor voluptatem culpa quod. Incidunt suscipit quidem possimus veritatis non vel. Iusto aliquid et id quia quasi.\n\nVel facere velit blanditiis incidunt cupiditate sed maiores consequuntur. Quasi quia dicta consequuntur et quia voluptatem iste id. Incidunt et rerum fuga esse sint.","created_at":"2016-03-22T15:20:35.905Z","updated_at":"2016-03-22T15:20:35.905Z","started_at":null,"runner_id":null,"coverage":null,"commit_id":39,"commands":"$ build command","job_id":null,"name":"test build 1","deploy":false,"options":null,"allow_failure":false,"stage":"test","trigger_request_id":null,"stage_idx":1,"tag":null,"ref":"master","user_id":null,"target_url":null,"description":null,"erased_by_id":null,"erased_at":null}]}]}
 {"id":41,"project_id":5,"ref":"master","sha":"2ea1f3dec713d940208fb5ce4a38765ecb5d3f73","before_sha":null,"push_data":null,"created_at":"2016-03-22T15:20:35.763Z","updated_at":"2016-03-22T15:20:35.763Z","tag":null,"yaml_errors":null,"committed_at":null,"status":"failed","started_at":null,"finished_at":null,"duration":null,"stages":[]}
diff --git a/spec/frontend/error_tracking/components/error_tracking_list_spec.js b/spec/frontend/error_tracking/components/error_tracking_list_spec.js
index 805ada54509..adb2eaaf04e 100644
--- a/spec/frontend/error_tracking/components/error_tracking_list_spec.js
+++ b/spec/frontend/error_tracking/components/error_tracking_list_spec.js
@@ -314,6 +314,43 @@ describe('ErrorTrackingList', () => {
     });
   });
 
+  describe('when the resolve button is clicked with non numberic error id', () => {
+    beforeEach(() => {
+      store.state.list.loading = false;
+      store.state.list.errors = [
+        {
+          id: 'abc',
+          title: 'PG::ConnectionBad: FATAL',
+          type: 'error',
+          userCount: 0,
+          count: '53',
+          firstSeen: '2019-05-30T07:21:46Z',
+          lastSeen: '2019-11-06T03:21:39Z',
+          status: 'unresolved',
+        },
+      ];
+
+      mountComponent({
+        stubs: {
+          GlTable: false,
+          GlLink: false,
+        },
+      });
+    });
+
+    it('should show about:blank link', () => {
+      findErrorActions().vm.$emit('update-issue-status', {
+        errorId: 'abc',
+        status: 'resolved',
+      });
+
+      expect(actions.updateStatus).toHaveBeenCalledWith(expect.anything(), {
+        endpoint: 'about:blank',
+        status: 'resolved',
+      });
+    });
+  });
+
   describe('When error tracking is disabled and user is not allowed to enable it', () => {
     beforeEach(() => {
       mountComponent({
diff --git a/spec/lib/bulk_imports/projects/pipelines/repository_pipeline_spec.rb b/spec/lib/bulk_imports/projects/pipelines/repository_pipeline_spec.rb
index 38b22538e70..a968104fc91 100644
--- a/spec/lib/bulk_imports/projects/pipelines/repository_pipeline_spec.rb
+++ b/spec/lib/bulk_imports/projects/pipelines/repository_pipeline_spec.rb
@@ -20,8 +20,9 @@ RSpec.describe BulkImports::Projects::Pipelines::RepositoryPipeline do
     )
   end
 
-  let_it_be(:tracker) { create(:bulk_import_tracker, entity: entity) }
-  let_it_be(:context) { BulkImports::Pipeline::Context.new(tracker) }
+  let_it_be_with_reload(:tracker) { create(:bulk_import_tracker, entity: entity) }
+
+  let(:context) { BulkImports::Pipeline::Context.new(tracker) }
 
   let(:extracted_data) { BulkImports::Pipeline::ExtractedData.new(data: project_data) }
 
@@ -61,7 +62,7 @@ RSpec.describe BulkImports::Projects::Pipelines::RepositoryPipeline do
     context 'blocked local networks' do
       let(:project_data) { { 'httpUrlToRepo' => 'http://localhost/foo.git' } }
 
-      it 'imports new repository into destination project' do
+      it 'prevents import' do
         allow(Gitlab.config.gitlab).to receive(:host).and_return('notlocalhost.gitlab.com')
         allow(Gitlab::CurrentSettings).to receive(:allow_local_requests_from_web_hooks_and_services?).and_return(false)
 
@@ -70,6 +71,18 @@ RSpec.describe BulkImports::Projects::Pipelines::RepositoryPipeline do
         expect(context.entity.failed?).to eq(true)
       end
     end
+
+    context 'when scheme is blocked' do
+      let(:project_data) { { 'httpUrlToRepo' => 'file://example/tmp/foo.git' } }
+
+      it 'prevents import' do
+        pipeline.run
+
+        expect(context.entity.failed?).to eq(true)
+        expect(context.entity.failures.first).to be_present
+        expect(context.entity.failures.first.exception_message).to eq('Only allowed schemes are http, https')
+      end
+    end
   end
 
   describe '#after_run' do
diff --git a/spec/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline_spec.rb b/spec/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline_spec.rb
index 4d12b49e2c0..dfd01cdf4bb 100644
--- a/spec/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline_spec.rb
+++ b/spec/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline_spec.rb
@@ -135,9 +135,25 @@ RSpec.describe BulkImports::Projects::Pipelines::SnippetsRepositoryPipeline do
       end
 
       context 'when url is invalid' do
-        let(:http_url_to_repo) { 'http://0.0.0.0' }
+        context 'when not a real URL' do
+          let(:http_url_to_repo) { 'http://0.0.0.0' }
 
-        it_behaves_like 'skippable snippet'
+          it_behaves_like 'skippable snippet'
+        end
+
+        context 'when scheme is blocked' do
+          let(:http_url_to_repo) { 'file://example.com/foo/bar/snippets/42.git' }
+
+          it_behaves_like 'skippable snippet'
+
+          it 'logs the failure' do
+            pipeline.run
+
+            expect(tracker.failed?).to eq(true)
+            expect(tracker.entity.failures.first).to be_present
+            expect(tracker.entity.failures.first.exception_message).to eq('Only allowed schemes are http, https')
+          end
+        end
       end
 
       context 'when snippet is invalid' do
diff --git a/spec/lib/error_tracking/sentry_client/event_spec.rb b/spec/lib/error_tracking/sentry_client/event_spec.rb
index d65bfa31018..e7a9db771b6 100644
--- a/spec/lib/error_tracking/sentry_client/event_spec.rb
+++ b/spec/lib/error_tracking/sentry_client/event_spec.rb
@@ -72,5 +72,13 @@ RSpec.describe ErrorTracking::SentryClient do
         end
       end
     end
+
+    it_behaves_like 'non-numeric input handling in Sentry response', 'issue_id' do
+      let(:sentry_api_response) do
+        sample_response.tap do |event|
+          event[:groupID] = id_input
+        end
+      end
+    end
   end
 end
diff --git a/spec/lib/error_tracking/sentry_client/issue_spec.rb b/spec/lib/error_tracking/sentry_client/issue_spec.rb
index 1468a1ff7eb..ac6a4b9e8cd 100644
--- a/spec/lib/error_tracking/sentry_client/issue_spec.rb
+++ b/spec/lib/error_tracking/sentry_client/issue_spec.rb
@@ -199,6 +199,15 @@ RSpec.describe ErrorTracking::SentryClient::Issue do
       it_behaves_like 'issues have correct return type', Gitlab::ErrorTracking::Error
       it_behaves_like 'issues have correct length', 3
     end
+
+    it_behaves_like 'non-numeric input handling in Sentry response', 'id' do
+      let(:sentry_api_response) do
+        issues_sample_response.first(1).map do |issue|
+          issue[:id] = id_input
+          issue
+        end
+      end
+    end
   end
 
   describe '#issue_details' do
@@ -208,8 +217,8 @@ RSpec.describe ErrorTracking::SentryClient::Issue do
       )
     end
 
-    let(:sentry_request_url) { "#{sentry_url}/issues/#{issue_id}/" }
     let(:sentry_api_response) { issue_sample_response }
+    let(:sentry_request_url) { "#{sentry_url}/issues/#{issue_id}/" }
     let!(:sentry_api_request) { stub_sentry_request(sentry_request_url, body: sentry_api_response) }
 
     subject { client.issue_details(issue_id: issue_id) }
@@ -298,6 +307,14 @@ RSpec.describe ErrorTracking::SentryClient::Issue do
         expect(subject.tags).to eq({ level: issue_sample_response['level'], logger: issue_sample_response['logger'] })
       end
     end
+
+    it_behaves_like 'non-numeric input handling in Sentry response', 'id' do
+      let(:sentry_api_response) do
+        issue_sample_response.tap do |issue|
+          issue[:id] = id_input
+        end
+      end
+    end
   end
 
   describe '#update_issue' do
diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index d0b44135a2f..e2226952d15 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -188,7 +188,7 @@ RSpec.describe Gitlab::Auth::AuthFinders do
         end
 
         it 'returns nil if valid feed_token and disabled' do
-          stub_application_setting(disable_feed_token: true)
+          allow(Gitlab::CurrentSettings).to receive_messages(disable_feed_token: true)
           set_param(:feed_token, user.feed_token)
 
           expect(find_user_from_feed_token(:rss)).to be_nil
diff --git a/spec/lib/gitlab/checks/tag_check_spec.rb b/spec/lib/gitlab/checks/tag_check_spec.rb
index 6cd3a2d1c07..50ffa5fad10 100644
--- a/spec/lib/gitlab/checks/tag_check_spec.rb
+++ b/spec/lib/gitlab/checks/tag_check_spec.rb
@@ -81,6 +81,14 @@ RSpec.describe Gitlab::Checks::TagCheck do
           it 'allows tag creation' do
             expect { subject.validate! }.not_to raise_error
           end
+
+          context 'when tag name is the same as default branch' do
+            let(:ref) { "refs/tags/#{project.default_branch}" }
+
+            it 'is prevented' do
+              expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, /cannot use default branch name to create a tag/)
+            end
+          end
         end
       end
     end
diff --git a/spec/lib/gitlab/ci/ansi2json/line_spec.rb b/spec/lib/gitlab/ci/ansi2json/line_spec.rb
index d16750d19f1..b8563bb1d1c 100644
--- a/spec/lib/gitlab/ci/ansi2json/line_spec.rb
+++ b/spec/lib/gitlab/ci/ansi2json/line_spec.rb
@@ -87,6 +87,8 @@ RSpec.describe Gitlab::Ci::Ansi2json::Line do
       1.minute + 15.seconds                       | '01:15'
       13.hours + 14.minutes + 15.seconds          | '13:14:15'
       1.day + 13.hours + 14.minutes + 15.seconds  | '37:14:15'
+      Float::MAX                                  | '8765:00:00'
+      10**10000                                   | '8765:00:00'
     end
 
     with_them do
diff --git a/spec/lib/gitlab/gfm/uploads_rewriter_spec.rb b/spec/lib/gitlab/gfm/uploads_rewriter_spec.rb
index a16f96a7d11..b1bff242f33 100644
--- a/spec/lib/gitlab/gfm/uploads_rewriter_spec.rb
+++ b/spec/lib/gitlab/gfm/uploads_rewriter_spec.rb
@@ -23,8 +23,9 @@ RSpec.describe Gitlab::Gfm::UploadsRewriter do
     end
 
     def referenced_files(text, project)
-      referenced_files = text.scan(FileUploader::MARKDOWN_PATTERN).map do
-        UploaderFinder.new(project, $~[:secret], $~[:file]).execute
+      scanner = FileUploader::MARKDOWN_PATTERN.scan(text)
+      referenced_files = scanner.map do |match|
+        UploaderFinder.new(project, match[0], match[1]).execute
       end
 
       referenced_files.compact.select(&:exists?)
@@ -32,7 +33,9 @@ RSpec.describe Gitlab::Gfm::UploadsRewriter do
 
     shared_examples "files are accessible" do
       describe '#rewrite' do
-        let!(:new_text) { rewriter.rewrite(new_project) }
+        subject(:rewrite) { new_text }
+
+        let(:new_text) { rewriter.rewrite(new_project) }
 
         let(:old_files) { [image_uploader, zip_uploader] }
         let(:new_files) do
@@ -43,11 +46,15 @@ RSpec.describe Gitlab::Gfm::UploadsRewriter do
         let(:new_paths) { new_files.map(&:path) }
 
         it 'rewrites content' do
+          rewrite
+
           expect(new_text).not_to eq text
           expect(new_text.length).to eq text.length
         end
 
         it 'copies files' do
+          rewrite
+
           expect(new_files).to all(exist)
           expect(old_paths).not_to match_array new_paths
           expect(old_paths).to all(include(old_project.disk_path))
@@ -55,10 +62,14 @@ RSpec.describe Gitlab::Gfm::UploadsRewriter do
         end
 
         it 'does not remove old files' do
+          rewrite
+
           expect(old_files).to all(exist)
         end
 
         it 'generates a new secret for each file' do
+          rewrite
+
           expect(new_paths).not_to include image_uploader.secret
           expect(new_paths).not_to include zip_uploader.secret
         end
@@ -68,6 +79,8 @@ RSpec.describe Gitlab::Gfm::UploadsRewriter do
             allow(finder).to receive(:execute).and_return(nil)
           end
 
+          rewrite
+
           expect(new_files).to be_empty
         end
       end
@@ -84,6 +97,16 @@ RSpec.describe Gitlab::Gfm::UploadsRewriter do
       expect(moved_text.scan(/\A\[.*?\]/).count).to eq(1)
     end
 
+    it 'does not casue a timeout on pathological text' do
+      text = '[!l' * 30000
+
+      Timeout.timeout(3) do
+        moved_text = described_class.new(text, nil, old_project, user).rewrite(new_project)
+
+        expect(moved_text).to eq(text)
+      end
+    end
+
     context "file are stored locally" do
       include_examples "files are accessible"
     end
diff --git a/spec/lib/gitlab/hook_data/group_member_builder_spec.rb b/spec/lib/gitlab/hook_data/group_member_builder_spec.rb
index 35ce31ab897..1551bdbaa9c 100644
--- a/spec/lib/gitlab/hook_data/group_member_builder_spec.rb
+++ b/spec/lib/gitlab/hook_data/group_member_builder_spec.rb
@@ -26,7 +26,7 @@ RSpec.describe Gitlab::HookData::GroupMemberBuilder do
           expect(data[:group_id]).to eq(group.id)
           expect(data[:user_username]).to eq(group_member.user.username)
           expect(data[:user_name]).to eq(group_member.user.name)
-          expect(data[:user_email]).to eq(group_member.user.email)
+          expect(data[:user_email]).to eq(group_member.user.webhook_email)
           expect(data[:user_id]).to eq(group_member.user.id)
           expect(data[:group_access]).to eq('Developer')
           expect(data[:created_at]).to eq(group_member.created_at&.xmlschema)
diff --git a/spec/lib/gitlab/import_export/all_models.yml b/spec/lib/gitlab/import_export/all_models.yml
index e270ca9ec6a..d8b699975ff 100644
--- a/spec/lib/gitlab/import_export/all_models.yml
+++ b/spec/lib/gitlab/import_export/all_models.yml
@@ -296,6 +296,10 @@ ci_pipelines:
 - package_build_infos
 - package_file_build_infos
 - build_trace_chunks
+- pipeline_metadata
+pipeline_metadata:
+- project
+- pipeline
 ci_refs:
 - project
 - ci_pipelines
@@ -632,6 +636,7 @@ project:
 - vulnerability_reads
 - build_artifacts_size_refresh
 - project_callouts
+- pipeline_metadata
 award_emoji:
 - awardable
 - user
diff --git a/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb b/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
index a7beb391d3e..fae94a3b544 100644
--- a/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
+++ b/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
@@ -156,6 +156,15 @@ RSpec.describe Gitlab::ImportExport::Project::TreeRestorer do
           end
         end
 
+        it 'restores pipeline metadata' do
+          pipeline = Ci::Pipeline.find_by_sha('sha-notes')
+          pipeline_metadata = pipeline.pipeline_metadata
+
+          expect(pipeline_metadata.title).to eq('Build pipeline')
+          expect(pipeline_metadata.pipeline_id).to eq(pipeline.id)
+          expect(pipeline_metadata.project_id).to eq(pipeline.project_id)
+        end
+
         it 'preserves updated_at on issues' do
           issue = Issue.find_by(description: 'Aliquam enim illo et possimus.')
 
diff --git a/spec/lib/gitlab/import_export/safe_model_attributes.yml b/spec/lib/gitlab/import_export/safe_model_attributes.yml
index e591cbd05a0..6a847e36851 100644
--- a/spec/lib/gitlab/import_export/safe_model_attributes.yml
+++ b/spec/lib/gitlab/import_export/safe_model_attributes.yml
@@ -332,6 +332,11 @@ Ci::Pipeline:
 - iid
 - merge_request_id
 - external_pull_request_id
+Ci::PipelineMetadata:
+- id
+- project_id
+- pipeline_id
+- title
 Ci::Stage:
 - id
 - name
diff --git a/spec/models/application_setting_spec.rb b/spec/models/application_setting_spec.rb
index b5f153e7add..db64e8439a5 100644
--- a/spec/models/application_setting_spec.rb
+++ b/spec/models/application_setting_spec.rb
@@ -1453,4 +1453,10 @@ RSpec.describe ApplicationSetting do
       expect(setting.personal_access_token_prefix).to eql('glpat-')
     end
   end
+
+  describe '.personal_access_tokens_disabled?' do
+    it 'is false' do
+      expect(setting.personal_access_tokens_disabled?).to eq(false)
+    end
+  end
 end
diff --git a/spec/models/ci/pipeline_metadata_spec.rb b/spec/models/ci/pipeline_metadata_spec.rb
new file mode 100644
index 00000000000..0704cbc8ec1
--- /dev/null
+++ b/spec/models/ci/pipeline_metadata_spec.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ci::PipelineMetadata do
+  it { is_expected.to belong_to(:project) }
+  it { is_expected.to belong_to(:pipeline) }
+
+  describe 'validations' do
+    it { is_expected.to validate_length_of(:title).is_at_least(1).is_at_most(255) }
+    it { is_expected.to validate_presence_of(:project) }
+    it { is_expected.to validate_presence_of(:pipeline) }
+  end
+end
diff --git a/spec/models/ci/pipeline_spec.rb b/spec/models/ci/pipeline_spec.rb
index 839e5ed03cc..3fc1883c1e6 100644
--- a/spec/models/ci/pipeline_spec.rb
+++ b/spec/models/ci/pipeline_spec.rb
@@ -43,12 +43,14 @@ RSpec.describe Ci::Pipeline, :mailer, factory_default: :keep do
   it { is_expected.to have_one(:triggered_by_pipeline) }
   it { is_expected.to have_one(:source_job) }
   it { is_expected.to have_one(:pipeline_config) }
+  it { is_expected.to have_one(:pipeline_metadata) }
 
   it { is_expected.to respond_to :git_author_name }
   it { is_expected.to respond_to :git_author_email }
   it { is_expected.to respond_to :git_author_full_text }
   it { is_expected.to respond_to :short_sha }
   it { is_expected.to delegate_method(:full_path).to(:project).with_prefix }
+  it { is_expected.to delegate_method(:title).to(:pipeline_metadata).allow_nil }
 
   describe 'validations' do
     it { is_expected.to validate_presence_of(:sha) }
diff --git a/spec/models/concerns/integrations/has_web_hook_spec.rb b/spec/models/concerns/integrations/has_web_hook_spec.rb
new file mode 100644
index 00000000000..9061cb90f90
--- /dev/null
+++ b/spec/models/concerns/integrations/has_web_hook_spec.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Integrations::HasWebHook do
+  let(:integration_class) do
+    Class.new(Integration) do
+      include Integrations::HasWebHook
+    end
+  end
+
+  let(:integration) { integration_class.new }
+
+  context 'when hook_url and url_variables are not implemented' do
+    it { expect { integration.hook_url }.to raise_error(NotImplementedError) }
+    it { expect { integration.url_variables }.to raise_error(NotImplementedError) }
+  end
+
+  context 'when integration does not respond to enable_ssl_verification' do
+    it { expect(integration.hook_ssl_verification).to eq true }
+  end
+
+  context 'when integration responds to enable_ssl_verification' do
+    let(:integration) { build(:drone_ci_integration) }
+
+    it { expect(integration.hook_ssl_verification).to eq true }
+  end
+end
diff --git a/spec/models/hooks/web_hook_log_spec.rb b/spec/models/hooks/web_hook_log_spec.rb
index 8ff8a1c3865..3441dfda7d6 100644
--- a/spec/models/hooks/web_hook_log_spec.rb
+++ b/spec/models/hooks/web_hook_log_spec.rb
@@ -44,26 +44,49 @@ RSpec.describe WebHookLog do
       end
     end
 
-    context 'with author email' do
+    context "with users' emails" do
       let(:author) { create(:user) }
+      let(:user) { create(:user) }
       let(:web_hook_log) { create(:web_hook_log, request_data: data) }
       let(:data) do
         {
-          commit: {
-            author: {
-              name: author.name,
-              email: author.email
+          user: {
+            name: user.name,
+            email: user.email
+          },
+          commits: [
+            {
+              user: {
+                name: author.name,
+                email: author.email
+              }
+            },
+            {
+              user: {
+                name: user.name,
+                email: user.email
+              }
             }
-          }
+          ]
         }.deep_stringify_keys
       end
 
-      it "redacts author's email" do
-        expect(web_hook_log.request_data['commit']).to match a_hash_including(
-          'author' => {
-            'name' => author.name,
-            'email' => _('[REDACTED]')
-          }
+      it "redacts users' emails" do
+        expect(web_hook_log.request_data['user']).to match a_hash_including(
+          'name' => user.name,
+          'email' => _('[REDACTED]')
+        )
+        expect(web_hook_log.request_data['commits'].pluck('user')).to match_array(
+          [
+            {
+              'name' => author.name,
+              'email' => _('[REDACTED]')
+            },
+            {
+              'name' => user.name,
+              'email' => _('[REDACTED]')
+            }
+          ]
         )
       end
     end
diff --git a/spec/models/integrations/buildkite_spec.rb b/spec/models/integrations/buildkite_spec.rb
index 38ceb5db49c..c720dc6d418 100644
--- a/spec/models/integrations/buildkite_spec.rb
+++ b/spec/models/integrations/buildkite_spec.rb
@@ -19,7 +19,7 @@ RSpec.describe Integrations::Buildkite, :use_clean_rails_memory_store_caching do
   end
 
   it_behaves_like Integrations::HasWebHook do
-    let(:hook_url) { 'https://webhook.buildkite.com/deliver/secret-sauce-webhook-token' }
+    let(:hook_url) { 'https://webhook.buildkite.com/deliver/{webhook_token}' }
   end
 
   describe 'Validations' do
@@ -68,7 +68,7 @@ RSpec.describe Integrations::Buildkite, :use_clean_rails_memory_store_caching do
     describe '#hook_url' do
       it 'returns the webhook url' do
         expect(integration.hook_url).to eq(
-          'https://webhook.buildkite.com/deliver/secret-sauce-webhook-token'
+          'https://webhook.buildkite.com/deliver/{webhook_token}'
         )
       end
     end
diff --git a/spec/models/integrations/datadog_spec.rb b/spec/models/integrations/datadog_spec.rb
index 4ac684e8ff0..b7da6a79e44 100644
--- a/spec/models/integrations/datadog_spec.rb
+++ b/spec/models/integrations/datadog_spec.rb
@@ -19,6 +19,7 @@ RSpec.describe Integrations::Datadog do
   let(:dd_tags) { '' }
 
   let(:expected_hook_url) { default_url + "?dd-api-key=#{api_key}&env=#{dd_env}&service=#{dd_service}" }
+  let(:hook_url) { default_url + "?dd-api-key={api_key}&env=#{dd_env}&service=#{dd_service}" }
 
   let(:instance) do
     described_class.new(
@@ -48,7 +49,7 @@ RSpec.describe Integrations::Datadog do
 
   it_behaves_like Integrations::HasWebHook do
     let(:integration) { instance }
-    let(:hook_url) { "#{described_class::URL_TEMPLATE % { datadog_domain: dd_site }}?dd-api-key=#{api_key}&env=#{dd_env}&service=#{dd_service}" }
+    let(:hook_url) { "#{described_class::URL_TEMPLATE % { datadog_domain: dd_site }}?dd-api-key={api_key}&env=#{dd_env}&service=#{dd_service}" }
   end
 
   describe 'validations' do
@@ -132,18 +133,18 @@ RSpec.describe Integrations::Datadog do
     subject { instance.hook_url }
 
     context 'with standard site URL' do
-      it { is_expected.to eq(expected_hook_url) }
+      it { is_expected.to eq(hook_url) }
     end
 
     context 'with custom URL' do
       let(:api_url) { 'https://webhook-intake.datad0g.com/api/v2/webhook' }
 
-      it { is_expected.to eq(api_url + "?dd-api-key=#{api_key}&env=#{dd_env}&service=#{dd_service}") }
+      it { is_expected.to eq(api_url + "?dd-api-key={api_key}&env=#{dd_env}&service=#{dd_service}") }
 
       context 'blank' do
         let(:api_url) { '' }
 
-        it { is_expected.to eq(expected_hook_url) }
+        it { is_expected.to eq(hook_url) }
       end
     end
 
@@ -152,19 +153,19 @@ RSpec.describe Integrations::Datadog do
       let(:dd_env) { '' }
       let(:dd_tags) { '' }
 
-      it { is_expected.to eq(default_url + "?dd-api-key=#{api_key}") }
+      it { is_expected.to eq(default_url + "?dd-api-key={api_key}") }
     end
 
     context 'with custom tags' do
       let(:dd_tags) { "key:value\nkey2:value, 2" }
       let(:escaped_tags) { CGI.escape("key:value,\"key2:value, 2\"") }
 
-      it { is_expected.to eq(expected_hook_url + "&tags=#{escaped_tags}") }
+      it { is_expected.to eq(hook_url + "&tags=#{escaped_tags}") }
 
       context 'and empty lines' do
         let(:dd_tags) { "key:value\r\n\n\n\nkey2:value, 2\n" }
 
-        it { is_expected.to eq(expected_hook_url + "&tags=#{escaped_tags}") }
+        it { is_expected.to eq(hook_url + "&tags=#{escaped_tags}") }
       end
     end
   end
diff --git a/spec/models/integrations/drone_ci_spec.rb b/spec/models/integrations/drone_ci_spec.rb
index 905fee075ad..f3203a6e69d 100644
--- a/spec/models/integrations/drone_ci_spec.rb
+++ b/spec/models/integrations/drone_ci_spec.rb
@@ -116,7 +116,7 @@ RSpec.describe Integrations::DroneCi, :use_clean_rails_memory_store_caching do
     include_context :drone_ci_integration
 
     let(:integration) { drone }
-    let(:hook_url) { "#{drone_url}/hook?owner=#{project.namespace.full_path}&name=#{project.path}&access_token=#{token}" }
+    let(:hook_url) { "#{drone_url}/hook?owner=#{project.namespace.full_path}&name=#{project.path}&access_token={token}" }
 
     it 'does not create a hook if project is not present' do
       integration.project = nil
diff --git a/spec/models/integrations/jira_spec.rb b/spec/models/integrations/jira_spec.rb
index 4dd6245fc2f..9f928442b28 100644
--- a/spec/models/integrations/jira_spec.rb
+++ b/spec/models/integrations/jira_spec.rb
@@ -214,6 +214,8 @@ RSpec.describe Integrations::Jira do
       'EXT_EXT-1234'       | 'EXT_EXT-1234'
       'EXT3_EXT-1234'      | 'EXT3_EXT-1234'
       '3EXT_EXT-1234'      | ''
+      'CVE-2022-123'       | ''
+      'CVE-123'            | 'CVE-123'
     end
 
     with_them do
diff --git a/spec/models/integrations/packagist_spec.rb b/spec/models/integrations/packagist_spec.rb
index d1976e73e2e..e078debd126 100644
--- a/spec/models/integrations/packagist_spec.rb
+++ b/spec/models/integrations/packagist_spec.rb
@@ -26,7 +26,7 @@ RSpec.describe Integrations::Packagist do
 
   it_behaves_like Integrations::HasWebHook do
     let(:integration) { described_class.new(packagist_params) }
-    let(:hook_url) { "#{packagist_server}/api/update-package?username=#{packagist_username}&apiToken=#{packagist_token}" }
+    let(:hook_url) { "#{packagist_server}/api/update-package?username={username}&apiToken={token}" }
   end
 
   it_behaves_like Integrations::ResetSecretFields do
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index aef665bb585..6c85c66c6eb 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -149,6 +149,7 @@ RSpec.describe Project, factory_default: :keep do
     it { is_expected.to have_many(:secure_files).class_name('Ci::SecureFile').dependent(:restrict_with_error) }
     it { is_expected.to have_one(:build_artifacts_size_refresh).class_name('Projects::BuildArtifactsSizeRefresh') }
     it { is_expected.to have_many(:project_callouts).class_name('Users::ProjectCallout').with_foreign_key(:project_id) }
+    it { is_expected.to have_many(:pipeline_metadata).class_name('Ci::PipelineMetadata') }
 
     # GitLab Pages
     it { is_expected.to have_many(:pages_domains) }
diff --git a/spec/models/project_statistics_spec.rb b/spec/models/project_statistics_spec.rb
index 1a3283dfe51..2de7bd3696f 100644
--- a/spec/models/project_statistics_spec.rb
+++ b/spec/models/project_statistics_spec.rb
@@ -98,7 +98,7 @@ RSpec.describe ProjectStatistics do
   end
 
   describe '#refresh!' do
-    subject { statistics.refresh! }
+    subject(:refresh_statistics) { statistics.refresh! }
 
     before do
       allow(statistics).to receive(:update_commit_count)
@@ -113,7 +113,7 @@ RSpec.describe ProjectStatistics do
 
     context "without arguments" do
       before do
-        subject
+        refresh_statistics
       end
 
       it "sums all counters" do
@@ -148,7 +148,7 @@ RSpec.describe ProjectStatistics do
         expect(project.repository.exists?).to be_falsey
         expect(project.wiki.repository.exists?).to be_falsey
 
-        subject
+        refresh_statistics
 
         expect(statistics).to have_received(:update_commit_count)
         expect(statistics).to have_received(:update_repository_size)
@@ -176,7 +176,7 @@ RSpec.describe ProjectStatistics do
       end
 
       it 'does not crash' do
-        subject
+        refresh_statistics
 
         expect(statistics).to have_received(:update_commit_count)
         expect(statistics).to have_received(:update_repository_size)
@@ -211,7 +211,7 @@ RSpec.describe ProjectStatistics do
           expect(Namespaces::ScheduleAggregationWorker)
             .to receive(:perform_async)
 
-          subject
+          refresh_statistics
         end
       end
     end
@@ -240,7 +240,7 @@ RSpec.describe ProjectStatistics do
         expect(Namespaces::ScheduleAggregationWorker)
           .not_to receive(:perform_async)
 
-        subject
+        refresh_statistics
       end
     end
 
@@ -414,7 +414,7 @@ RSpec.describe ProjectStatistics do
   end
 
   describe '#refresh_storage_size!' do
-    subject { statistics.refresh_storage_size! }
+    subject(:refresh_storage_size) { statistics.refresh_storage_size! }
 
     it 'recalculates storage size from its components and save it' do
       statistics.update_columns(
@@ -430,7 +430,7 @@ RSpec.describe ProjectStatistics do
         storage_size: 0
       )
 
-      expect { subject }.to change { statistics.reload.storage_size }.from(0).to(28)
+      expect { refresh_storage_size }.to change { statistics.reload.storage_size }.from(0).to(28)
     end
 
     context 'when nullable columns are nil' do
@@ -443,11 +443,11 @@ RSpec.describe ProjectStatistics do
       end
 
       it 'does not raise any error' do
-        expect { subject }.not_to raise_error
+        expect { refresh_storage_size }.not_to raise_error
       end
 
       it 'recalculates storage size from its components' do
-        expect { subject }.to change { statistics.reload.storage_size }.from(0).to(2)
+        expect { refresh_storage_size }.to change { statistics.reload.storage_size }.from(0).to(2)
       end
     end
 
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index cff820eb88a..8d848ad528d 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1882,9 +1882,9 @@ RSpec.describe User do
       end
 
       it 'ensures correct rights and limits for user' do
-        stub_config_setting(default_can_create_group: true)
+        stub_application_setting(can_create_group: true)
 
-        expect { user.update!(external: false) }.to change { user.can_create_group }.to(true)
+        expect { user.update!(external: false) }.to change { user.can_create_group }.from(false).to(true)
           .and change { user.projects_limit }.to(Gitlab::CurrentSettings.default_projects_limit)
       end
     end
@@ -2604,7 +2604,7 @@ RSpec.describe User do
 
       it 'applies defaults to user' do
         expect(user.projects_limit).to eq(Gitlab.config.gitlab.default_projects_limit)
-        expect(user.can_create_group).to eq(Gitlab.config.gitlab.default_can_create_group)
+        expect(user.can_create_group).to eq(Gitlab::CurrentSettings.can_create_group)
         expect(user.theme_id).to eq(Gitlab.config.gitlab.default_theme)
         expect(user.external).to be_falsey
         expect(user.private_profile).to eq(false)
@@ -6849,6 +6849,25 @@ RSpec.describe User do
     end
   end
 
+  describe '#webhook_email' do
+    let(:user) { build(:user, public_email: nil) }
+
+    context 'when public email is present' do
+      before do
+        user.public_email = "hello@hello.com"
+      end
+      it 'returns public email' do
+        expect(user.webhook_email).to eq(user.public_email)
+      end
+    end
+
+    context 'when public email is nil' do
+      it 'returns [REDACTED]' do
+        expect(user.webhook_email).to eq(_('[REDACTED]'))
+      end
+    end
+  end
+
   describe 'user credit card validation' do
     context 'when user is initialized' do
       let(:user) { build(:user) }
diff --git a/spec/policies/issuable_policy_spec.rb b/spec/policies/issuable_policy_spec.rb
index fd7ec5917d6..c02294571ff 100644
--- a/spec/policies/issuable_policy_spec.rb
+++ b/spec/policies/issuable_policy_spec.rb
@@ -31,6 +31,10 @@ RSpec.describe IssuablePolicy, models: true do
         expect(policies).to be_allowed(:resolve_note)
       end
 
+      it 'allows reading confidential notes' do
+        expect(policies).to be_allowed(:read_confidential_notes)
+      end
+
       context 'when user is able to read project' do
         it 'enables user to read and update issuables' do
           expect(policies).to be_allowed(:read_issue, :update_issue, :reopen_issue, :read_merge_request, :update_merge_request, :reopen_merge_request)
@@ -86,6 +90,15 @@ RSpec.describe IssuablePolicy, models: true do
       end
     end
 
+    context 'when user is assignee of issuable' do
+      let(:issue) { create(:issue, project: project, assignees: [user]) }
+      let(:policies) { described_class.new(user, issue) }
+
+      it 'allows reading confidential notes' do
+        expect(policies).to be_allowed(:read_confidential_notes)
+      end
+    end
+
     context 'when discussion is locked for the issuable' do
       let(:issue) { create(:issue, project: project, discussion_locked: true) }
 
@@ -138,6 +151,10 @@ RSpec.describe IssuablePolicy, models: true do
       it 'does not allow timelogs creation' do
         expect(permissions(guest, issue)).to be_disallowed(:create_timelog)
       end
+
+      it 'does not allow reading confidential notes' do
+        expect(permissions(guest, issue)).to be_disallowed(:read_confidential_notes)
+      end
     end
 
     context 'when user is a guest member of the project and the author of the issuable' do
@@ -152,6 +169,10 @@ RSpec.describe IssuablePolicy, models: true do
       it 'allows timelogs creation' do
         expect(permissions(reporter, issue)).to be_allowed(:create_timelog)
       end
+
+      it 'allows reading confidential notes' do
+        expect(permissions(reporter, issue)).to be_allowed(:read_confidential_notes)
+      end
     end
 
     context 'when subject is a Merge Request' do
diff --git a/spec/policies/todo_policy_spec.rb b/spec/policies/todo_policy_spec.rb
index 16435b21666..34ba7bf9276 100644
--- a/spec/policies/todo_policy_spec.rb
+++ b/spec/policies/todo_policy_spec.rb
@@ -3,53 +3,100 @@
 require 'spec_helper'
 
 RSpec.describe TodoPolicy do
-  let_it_be(:author) { create(:user) }
-
-  let_it_be(:user1) { create(:user) }
-  let_it_be(:user2) { create(:user) }
-  let_it_be(:user3) { create(:user) }
+  using RSpec::Parameterized::TableSyntax
 
   let_it_be(:project) { create(:project) }
   let_it_be(:issue) { create(:issue, project: project) }
-
-  let_it_be(:todo1) { create(:todo, author: author, user: user1, issue: issue) }
-  let_it_be(:todo2) { create(:todo, author: author, user: user2, issue: issue) }
-  let_it_be(:todo3) { create(:todo, author: author, user: user2) }
-  let_it_be(:todo4) { create(:todo, author: author, user: user3, issue: issue) }
+  let_it_be(:author) { create(:user) }
 
   def permissions(user, todo)
     described_class.new(user, todo)
   end
 
-  before_all do
-    project.add_developer(user1)
-    project.add_developer(user2)
+  shared_examples 'grants the expected permissions' do |policy|
+    it do
+      if allowed
+        expect(permissions(user, todo)).to be_allowed(policy)
+      else
+        expect(permissions(user, todo)).to be_disallowed(policy)
+      end
+    end
   end
 
   describe 'own_todo' do
-    it 'allows owners to access their own todos if they can read todo target' do
-      [
-        [user1, todo1],
-        [user2, todo2]
-      ].each do |user, todo|
-        expect(permissions(user, todo)).to be_allowed(:read_todo)
-      end
+    let_it_be(:user1) { create(:user) }
+    let_it_be(:user2) { create(:user) }
+    let_it_be(:user3) { create(:user) }
+
+    let_it_be(:todo1) { create(:todo, author: author, user: user1, issue: issue) }
+    let_it_be(:todo2) { create(:todo, author: author, user: user2, issue: issue) }
+    let_it_be(:todo3) { create(:todo, author: author, user: user2) }
+    let_it_be(:todo4) { create(:todo, author: author, user: user3, issue: issue) }
+
+    where(:user, :todo, :allowed) do
+      ref(:user1) | ref(:todo1) | true
+      ref(:user2) | ref(:todo2) | true
+      ref(:user1) | ref(:todo2) | false
+      ref(:user1) | ref(:todo3) | false
+      ref(:user2) | ref(:todo1) | false
+      ref(:user2) | ref(:todo4) | false
+      ref(:user3) | ref(:todo1) | false
+      ref(:user3) | ref(:todo2) | false
+      ref(:user3) | ref(:todo3) | false
+      ref(:user3) | ref(:todo4) | false
+      ref(:user2) | ref(:todo3) | false
     end
 
-    it 'does not allow users to access todos of other users' do
-      [
-        [user1, todo2],
-        [user1, todo3],
-        [user2, todo1],
-        [user2, todo4],
-        [user3, todo1],
-        [user3, todo2],
-        [user3, todo3],
-        [user2, todo3],
-        [user3, todo4]
-      ].each do |user, todo|
-        expect(permissions(user, todo)).to be_disallowed(:read_todo)
-      end
+    before_all do
+      project.add_developer(user1)
+      project.add_developer(user2)
+    end
+
+    with_them do
+      it_behaves_like 'grants the expected permissions', :read_todo
+    end
+  end
+
+  describe 'read_note' do
+    let_it_be(:non_member) { create(:user) }
+    let_it_be(:guest) { create(:user) }
+    let_it_be(:reporter) { create(:user) }
+
+    let_it_be(:note) { create(:note, noteable: issue, project: project) }
+    let_it_be(:internal) { create(:note, :confidential, noteable: issue, project: project) }
+
+    let_it_be(:no_note_todo1) { create(:todo, author: author, user: reporter, issue: issue) }
+    let_it_be(:note_todo1) { create(:todo, note: note, author: author, user: reporter, issue: issue) }
+    let_it_be(:internal_note_todo1) { create(:todo, note: internal, author: author, user: reporter, issue: issue) }
+
+    let_it_be(:no_note_todo2) { create(:todo, author: author, user: guest, issue: issue) }
+    let_it_be(:note_todo2) { create(:todo, note: note, author: author, user: guest, issue: issue) }
+    let_it_be(:internal_note_todo2) { create(:todo, note: internal, author: author, user: guest, issue: issue) }
+
+    let_it_be(:no_note_todo3) { create(:todo, author: author, user: non_member, issue: issue) }
+    let_it_be(:note_todo3) { create(:todo, note: note, author: author, user: non_member, issue: issue) }
+    let_it_be(:internal_note_todo3) { create(:todo, note: internal, author: author, user: non_member, issue: issue) }
+
+    where(:user, :todo, :allowed) do
+      ref(:reporter)   | ref(:no_note_todo1)       | true
+      ref(:reporter)   | ref(:note_todo1)          | true
+      ref(:reporter)   | ref(:internal_note_todo1) | true
+      ref(:guest)      | ref(:no_note_todo2)       | true
+      ref(:guest)      | ref(:note_todo2)          | true
+      ref(:guest)      | ref(:internal_note_todo2) | false
+      ref(:non_member) | ref(:no_note_todo3)       | false
+      ref(:non_member) | ref(:note_todo3)          | false
+      ref(:non_member) | ref(:internal_note_todo3) | false
+    end
+
+    before_all do
+      project.add_guest(guest)
+      project.add_reporter(reporter)
+    end
+
+    with_them do
+      it_behaves_like 'grants the expected permissions', :read_todo
+      it_behaves_like 'grants the expected permissions', :update_todo
     end
   end
 end
diff --git a/spec/requests/api/graphql/project/issues_spec.rb b/spec/requests/api/graphql/project/issues_spec.rb
index 28282860416..fe885c3cea7 100644
--- a/spec/requests/api/graphql/project/issues_spec.rb
+++ b/spec/requests/api/graphql/project/issues_spec.rb
@@ -662,6 +662,7 @@ RSpec.describe 'getting an issue list for a project' do
 
       include_examples 'N+1 query check'
     end
+
     context 'when requesting `closed_as_duplicate_of`' do
       let(:requested_fields) { 'closedAsDuplicateOf { id }' }
       let(:issue_a_dup) { create(:issue, project: project) }
@@ -674,6 +675,17 @@ RSpec.describe 'getting an issue list for a project' do
 
       include_examples 'N+1 query check'
     end
+
+    context 'when award emoji votes' do
+      let(:requested_fields) { [:upvotes, :downvotes] }
+
+      before do
+        create_list(:award_emoji, 2, name: 'thumbsup', awardable: issue_a)
+        create_list(:award_emoji, 2, name: 'thumbsdown', awardable: issue_b)
+      end
+
+      include_examples 'N+1 query check'
+    end
   end
 
   def issues_ids
diff --git a/spec/requests/api/graphql/project/merge_requests_spec.rb b/spec/requests/api/graphql/project/merge_requests_spec.rb
index 5daec5543c0..76660d510b4 100644
--- a/spec/requests/api/graphql/project/merge_requests_spec.rb
+++ b/spec/requests/api/graphql/project/merge_requests_spec.rb
@@ -327,6 +327,17 @@ RSpec.describe 'getting merge request listings nested in a project' do
 
       include_examples 'N+1 query check'
     end
+
+    context 'when award emoji votes' do
+      let(:requested_fields) { [:upvotes, :downvotes] }
+
+      before do
+        create_list(:award_emoji, 2, name: 'thumbsup', awardable: merge_request_a)
+        create_list(:award_emoji, 2, name: 'thumbsdown', awardable: merge_request_b)
+      end
+
+      include_examples 'N+1 query check'
+    end
   end
 
   describe 'performance' do
diff --git a/spec/requests/api/settings_spec.rb b/spec/requests/api/settings_spec.rb
index 315c76c8ac3..3a9b2d02af5 100644
--- a/spec/requests/api/settings_spec.rb
+++ b/spec/requests/api/settings_spec.rb
@@ -60,6 +60,7 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
       expect(json_response['inactive_projects_delete_after_months']).to eq(2)
       expect(json_response['inactive_projects_min_size_mb']).to eq(0)
       expect(json_response['inactive_projects_send_warning_email_after_months']).to eq(1)
+      expect(json_response['can_create_group']).to eq(true)
     end
   end
 
@@ -156,7 +157,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
             delete_inactive_projects: true,
             inactive_projects_delete_after_months: 24,
             inactive_projects_min_size_mb: 10,
-            inactive_projects_send_warning_email_after_months: 12
+            inactive_projects_send_warning_email_after_months: 12,
+            can_create_group: false
           }
 
         expect(response).to have_gitlab_http_status(:ok)
@@ -217,6 +219,7 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
         expect(json_response['inactive_projects_delete_after_months']).to eq(24)
         expect(json_response['inactive_projects_min_size_mb']).to eq(10)
         expect(json_response['inactive_projects_send_warning_email_after_months']).to eq(12)
+        expect(json_response['can_create_group']).to eq(false)
       end
     end
 
diff --git a/spec/requests/api/todos_spec.rb b/spec/requests/api/todos_spec.rb
index aa7f45d1102..0fcb6412a2d 100644
--- a/spec/requests/api/todos_spec.rb
+++ b/spec/requests/api/todos_spec.rb
@@ -254,7 +254,7 @@ RSpec.describe API::Todos do
                project: project_1,
                target: create(:design, issue: issue),
                author: create(:user),
-               note: create(:note, project: project_1, note: "I am note, hear me roar"))
+               note: create(:note, :confidential, project: project_1, note: "I am note, hear me roar"))
       end
 
       def api_request
diff --git a/spec/services/issues/create_service_spec.rb b/spec/services/issues/create_service_spec.rb
index 2fede4f065a..f41fb9f9a4f 100644
--- a/spec/services/issues/create_service_spec.rb
+++ b/spec/services/issues/create_service_spec.rb
@@ -62,6 +62,19 @@ RSpec.describe Issues::CreateService do
           due_date: Date.tomorrow }
       end
 
+      context 'when an unauthorized project_id is provided' do
+        let(:unauthorized_project) { create(:project) }
+
+        before do
+          opts[:project_id] = unauthorized_project.id
+        end
+
+        it 'ignores the project_id param and creates issue in the given project' do
+          expect(issue.project).to eq(project)
+          expect(unauthorized_project.reload.issues.count).to eq(0)
+        end
+      end
+
       describe 'authorization' do
         let_it_be(:project) { create(:project, :private, group: group).tap { |project| project.add_guest(user) } }
 
diff --git a/spec/services/issues/update_service_spec.rb b/spec/services/issues/update_service_spec.rb
index 2cc3d50f290..1b7d0de7f44 100644
--- a/spec/services/issues/update_service_spec.rb
+++ b/spec/services/issues/update_service_spec.rb
@@ -69,6 +69,23 @@ RSpec.describe Issues::UpdateService, :mailer do
         }
       end
 
+      context 'when an unauthorized project_id is provided' do
+        let(:unauthorized_project) { create(:project) }
+
+        before do
+          opts[:project_id] = unauthorized_project.id
+        end
+
+        it 'ignores the project_id param and does not update the issue\'s project' do
+          expect do
+            update_issue(opts)
+            unauthorized_project.reload
+          end.to not_change { unauthorized_project.issues.count }
+
+          expect(issue.project).to eq(project)
+        end
+      end
+
       it 'updates the issue with the given params' do
         expect(TodosDestroyer::ConfidentialIssueWorker).not_to receive(:perform_in)
 
diff --git a/spec/services/notes/copy_service_spec.rb b/spec/services/notes/copy_service_spec.rb
index f146a49e929..2fa9a462bb9 100644
--- a/spec/services/notes/copy_service_spec.rb
+++ b/spec/services/notes/copy_service_spec.rb
@@ -146,8 +146,10 @@ RSpec.describe Notes::CopyService do
           new_note = to_noteable.notes.first
 
           aggregate_failures do
-            expect(note.note).to match(/Simple text with image: #{FileUploader::MARKDOWN_PATTERN}/o)
-            expect(new_note.note).to match(/Simple text with image: #{FileUploader::MARKDOWN_PATTERN}/o)
+            expect(note.note).to match(/Simple text with image:/o)
+            expect(FileUploader::MARKDOWN_PATTERN.match(note.note)).not_to be_nil
+            expect(new_note.note).to match(/Simple text with image:/o)
+            expect(FileUploader::MARKDOWN_PATTERN.match(new_note.note)).not_to be_nil
             expect(note.note).not_to eq(new_note.note)
             expect(note.note_html).not_to eq(new_note.note_html)
           end
diff --git a/spec/services/todos/allowed_target_filter_service_spec.rb b/spec/services/todos/allowed_target_filter_service_spec.rb
index 707df8e8514..1d2b1b044db 100644
--- a/spec/services/todos/allowed_target_filter_service_spec.rb
+++ b/spec/services/todos/allowed_target_filter_service_spec.rb
@@ -10,14 +10,23 @@ RSpec.describe Todos::AllowedTargetFilterService do
   let_it_be(:unauthorized_group) { create(:group, :private) }
   let_it_be(:unauthorized_project) { create(:project, group: unauthorized_group) }
   let_it_be(:user) { create(:user) }
+
   let_it_be(:authorized_issue) { create(:issue, project: authorized_project) }
   let_it_be(:authorized_issue_todo) { create(:todo, project: authorized_project, target: authorized_issue, user: user) }
+  let_it_be(:authorized_note) { create(:note, noteable: authorized_issue, project: authorized_project) }
+  let_it_be(:authorized_note_todo) { create(:todo, project: authorized_project, target: authorized_issue, note: authorized_note, user: user) }
+  let_it_be(:confidential_issue) { create(:issue, :confidential, project: authorized_project) }
+  let_it_be(:confidential_issue_todo) { create(:todo, project: authorized_project, target: confidential_issue, user: user) }
+  let_it_be(:confidential_note) { create(:note, :confidential, noteable: confidential_issue, project: authorized_project) }
+  let_it_be(:confidential_note_todo) { create(:todo, project: authorized_project, target: authorized_issue, note: confidential_note, user: user) }
   let_it_be(:unauthorized_issue) { create(:issue, project: unauthorized_project) }
   let_it_be(:unauthorized_issue_todo) { create(:todo, project: unauthorized_project, target: unauthorized_issue, user: user) }
   let_it_be(:authorized_design) { create(:design, issue: authorized_issue) }
   let_it_be(:authorized_design_todo) { create(:todo, project: authorized_project, target: authorized_design, user: user) }
   let_it_be(:unauthorized_design) { create(:design, issue: unauthorized_issue) }
   let_it_be(:unauthorized_design_todo) { create(:todo, project: unauthorized_project, target: unauthorized_design, user: user) }
+  let_it_be(:unauthorized_note) { create(:note, noteable: unauthorized_issue, project: unauthorized_project) }
+  let_it_be(:unauthorized_note_todo) { create(:todo, project: unauthorized_project, target: unauthorized_issue, note: unauthorized_note, user: user) }
 
   # Cannot use let_it_be with MRs
   let(:authorized_mr) { create(:merge_request, source_project: authorized_project) }
@@ -25,35 +34,91 @@ RSpec.describe Todos::AllowedTargetFilterService do
   let(:unauthorized_mr) { create(:merge_request, source_project: unauthorized_project) }
   let(:unauthorized_mr_todo) { create(:todo, project: unauthorized_project, user: user, target: unauthorized_mr) }
 
-  before_all do
-    authorized_group.add_developer(user)
-  end
-
   describe '#execute' do
+    let(:all_todos) { authorized_todos + unauthorized_todos }
+
     subject(:execute_service) { described_class.new(all_todos, user).execute }
 
-    let!(:all_todos) { authorized_todos + unauthorized_todos }
+    shared_examples 'allowed Todos filter' do
+      before do
+        enable_design_management
+      end
 
-    let(:authorized_todos) do
-      [
-        authorized_mr_todo,
-        authorized_issue_todo,
-        authorized_design_todo
-      ]
+      it { is_expected.to match_array(authorized_todos) }
     end
 
-    let(:unauthorized_todos) do
-      [
-        unauthorized_mr_todo,
-        unauthorized_issue_todo,
-        unauthorized_design_todo
-      ]
+    context 'with reporter user' do
+      before_all do
+        authorized_group.add_reporter(user)
+      end
+
+      it_behaves_like 'allowed Todos filter' do
+        let(:authorized_todos) do
+          [
+            authorized_mr_todo,
+            authorized_issue_todo,
+            confidential_issue_todo,
+            confidential_note_todo,
+            authorized_design_todo
+          ]
+        end
+
+        let(:unauthorized_todos) do
+          [
+            unauthorized_mr_todo,
+            unauthorized_issue_todo,
+            unauthorized_note_todo,
+            unauthorized_design_todo
+          ]
+        end
+      end
     end
 
-    before do
-      enable_design_management
+    context 'with guest user' do
+      before_all do
+        authorized_group.add_guest(user)
+      end
+
+      it_behaves_like 'allowed Todos filter' do
+        let(:authorized_todos) do
+          [
+            authorized_issue_todo,
+            authorized_design_todo
+          ]
+        end
+
+        let(:unauthorized_todos) do
+          [
+            authorized_mr_todo,
+            confidential_issue_todo,
+            confidential_note_todo,
+            unauthorized_mr_todo,
+            unauthorized_issue_todo,
+            unauthorized_note_todo,
+            unauthorized_design_todo
+          ]
+        end
+      end
     end
 
-    it { is_expected.to match_array(authorized_todos) }
+    context 'with a non-member user' do
+      it_behaves_like 'allowed Todos filter' do
+        let(:authorized_todos) { [] }
+
+        let(:unauthorized_todos) do
+          [
+            authorized_issue_todo,
+            authorized_design_todo,
+            authorized_mr_todo,
+            confidential_issue_todo,
+            confidential_note_todo,
+            unauthorized_mr_todo,
+            unauthorized_issue_todo,
+            unauthorized_note_todo,
+            unauthorized_design_todo
+          ]
+        end
+      end
+    end
   end
 end
diff --git a/spec/support/database/multiple_databases.rb b/spec/support/database/multiple_databases.rb
index 05f26e57e9c..96bdab5171d 100644
--- a/spec/support/database/multiple_databases.rb
+++ b/spec/support/database/multiple_databases.rb
@@ -87,6 +87,16 @@ module Database
 end
 
 RSpec.configure do |config|
+  # Ensure database versions are memoized to prevent query counts from
+  # being affected by version checks. Note that
+  # Gitlab::Database.check_postgres_version_and_print_warning is called
+  # at startup, but that generates its own
+  # `Gitlab::Database::Reflection` so the result is not memoized by
+  # callers of `ApplicationRecord.database.version`, such as
+  # `Gitlab::Database::AsWithMaterialized.materialized_supported?`.
+  # TODO This can be removed once https://gitlab.com/gitlab-org/gitlab/-/issues/325639 is completed.
+  [ApplicationRecord, ::Ci::ApplicationRecord].each { |record| record.database.version }
+
   config.around(:each, :reestablished_active_record_base) do |example|
     with_reestablished_active_record_base(reconnect: example.metadata.fetch(:reconnect, true)) do
       example.run
diff --git a/spec/support/rspec_order_todo.yml b/spec/support/rspec_order_todo.yml
index 304b473e55c..d2e9313f660 100644
--- a/spec/support/rspec_order_todo.yml
+++ b/spec/support/rspec_order_todo.yml
@@ -2015,7 +2015,6 @@
 - './ee/spec/models/milestone_spec.rb'
 - './ee/spec/models/namespace_limit_spec.rb'
 - './ee/spec/models/namespace_setting_spec.rb'
-- './ee/spec/models/namespaces/free_user_cap/preview_spec.rb'
 - './ee/spec/models/namespaces/free_user_cap_spec.rb'
 - './ee/spec/models/namespaces/free_user_cap/standard_spec.rb'
 - './ee/spec/models/namespaces/storage/root_excess_size_spec.rb'
diff --git a/spec/support/shared_examples/bulk_imports/common/pipelines/wiki_pipeline_examples.rb b/spec/support/shared_examples/bulk_imports/common/pipelines/wiki_pipeline_examples.rb
index 06800f7cded..7e7460cd602 100644
--- a/spec/support/shared_examples/bulk_imports/common/pipelines/wiki_pipeline_examples.rb
+++ b/spec/support/shared_examples/bulk_imports/common/pipelines/wiki_pipeline_examples.rb
@@ -4,8 +4,9 @@ RSpec.shared_examples 'wiki pipeline imports a wiki for an entity' do
   describe '#run' do
     let_it_be(:bulk_import_configuration) { create(:bulk_import_configuration, bulk_import: bulk_import) }
 
-    let_it_be(:tracker) { create(:bulk_import_tracker, entity: entity) }
-    let_it_be(:context) { BulkImports::Pipeline::Context.new(tracker) }
+    let_it_be_with_reload(:tracker) { create(:bulk_import_tracker, entity: entity) }
+
+    let(:context) { BulkImports::Pipeline::Context.new(tracker) }
 
     let(:extracted_data) { BulkImports::Pipeline::ExtractedData.new(data: {}) }
 
@@ -40,5 +41,21 @@ RSpec.shared_examples 'wiki pipeline imports a wiki for an entity' do
         expect { subject.run }.not_to raise_error
       end
     end
+
+    context 'when scheme is blocked' do
+      it 'prevents import' do
+        # Force bulk_import_configuration to have a file:// URL
+        bulk_import_configuration.url = 'file://example.com'
+        bulk_import_configuration.save!(validate: false)
+
+        expect(subject).to receive(:source_wiki_exists?).and_return(true)
+
+        subject.run
+
+        expect(tracker.failed?).to eq(true)
+        expect(tracker.entity.failures.first).to be_present
+        expect(tracker.entity.failures.first.exception_message).to eq('Only allowed schemes are http, https')
+      end
+    end
   end
 end
diff --git a/spec/support/shared_examples/controllers/concerns/web_hooks/integrations_hook_log_actions_shared_examples.rb b/spec/support/shared_examples/controllers/concerns/web_hooks/integrations_hook_log_actions_shared_examples.rb
index 62c9c3508a8..56a5dcb10b2 100644
--- a/spec/support/shared_examples/controllers/concerns/web_hooks/integrations_hook_log_actions_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/concerns/web_hooks/integrations_hook_log_actions_shared_examples.rb
@@ -26,7 +26,7 @@ RSpec.shared_examples WebHooks::HookLogActions do
 
   describe 'POST #retry' do
     it 'executes the hook and redirects to the service form' do
-      stub_request(:post, web_hook.url)
+      stub_request(:post, web_hook.interpolated_url)
 
       expect_next_found_instance_of(web_hook.class) do |hook|
         expect(hook).to receive(:execute).and_call_original
diff --git a/spec/support/shared_examples/lib/sentry/client_shared_examples.rb b/spec/support/shared_examples/lib/sentry/client_shared_examples.rb
index 1c0e0061385..71b32005c55 100644
--- a/spec/support/shared_examples/lib/sentry/client_shared_examples.rb
+++ b/spec/support/shared_examples/lib/sentry/client_shared_examples.rb
@@ -59,6 +59,22 @@ RSpec.shared_examples 'maps Sentry exceptions' do |http_method|
   end
 end
 
+RSpec.shared_examples 'non-numeric input handling in Sentry response' do |field|
+  context 'with non-numeric error id' do
+    where(:id_input) do
+      ['string', '-1', '1\n2']
+    end
+
+    with_them do
+      it 'raises exception' do
+        message = %(Sentry API response contains invalid value for field "#{field}": #{id_input.inspect} is not numeric)
+
+        expect { subject }.to raise_error(ErrorTracking::SentryClient::InvalidFieldValueError, message)
+      end
+    end
+  end
+end
+
 # Expects to following variables:
 #   - subject
 #   - sentry_api_response
diff --git a/spec/support/shared_examples/models/integrations/has_web_hook_shared_examples.rb b/spec/support/shared_examples/models/integrations/has_web_hook_shared_examples.rb
index a341497a456..31ec25249d7 100644
--- a/spec/support/shared_examples/models/integrations/has_web_hook_shared_examples.rb
+++ b/spec/support/shared_examples/models/integrations/has_web_hook_shared_examples.rb
@@ -37,6 +37,12 @@ RSpec.shared_examples Integrations::HasWebHook do
     end
   end
 
+  describe '#url_variables' do
+    it 'returns a string' do
+      expect(integration.url_variables).to be_a(Hash)
+    end
+  end
+
   describe '#hook_ssl_verification' do
     it 'returns a boolean' do
       expect(integration.hook_ssl_verification).to be_in([true, false])
diff --git a/spec/support_specs/database/multiple_databases_spec.rb b/spec/support_specs/database/multiple_databases_spec.rb
index b4cfa253813..0b019462077 100644
--- a/spec/support_specs/database/multiple_databases_spec.rb
+++ b/spec/support_specs/database/multiple_databases_spec.rb
@@ -3,6 +3,28 @@
 require 'spec_helper'
 
 RSpec.describe 'Database::MultipleDatabases' do
+  let(:query) do
+    <<~SQL
+      WITH cte AS #{Gitlab::Database::AsWithMaterialized.materialized_if_supported} (SELECT 1) SELECT 1;
+    SQL
+  end
+
+  it 'preloads database version for ApplicationRecord' do
+    counts = ActiveRecord::QueryRecorder
+    .new { ApplicationRecord.connection.execute(query) }
+    .count
+
+    expect(counts).to eq(1)
+  end
+
+  it 'preloads database version for Ci::ApplicationRecord' do
+    counts = ActiveRecord::QueryRecorder
+    .new { Ci::ApplicationRecord.connection.execute(query) }
+    .count
+
+    expect(counts).to eq(1)
+  end
+
   describe '.with_reestablished_active_record_base' do
     context 'when doing establish_connection' do
       context 'on ActiveRecord::Base' do