Add latest changes from gitlab-org/gitlab@master

.rubocop_todo/migration/background_migration_base_class.yml

@@ -15,6 +15,7 @@ Migration/BackgroundMigrationBaseClass:
     - 'lib/gitlab/background_migration/backfill_namespace_id_for_project_route.rb'
     - 'lib/gitlab/background_migration/backfill_namespace_traversal_ids_children.rb'
     - 'lib/gitlab/background_migration/backfill_namespace_traversal_ids_roots.rb'
+    - 'lib/gitlab/background_migration/backfill_note_discussion_id.rb'
     - 'lib/gitlab/background_migration/backfill_projects_with_coverage.rb'
     - 'lib/gitlab/background_migration/backfill_project_repositories.rb'
     - 'lib/gitlab/background_migration/backfill_project_settings.rb'

GITLAB_SHELL_VERSION

@@ -1 +1 @@
-14.2.0
+14.3.0

app/assets/javascripts/pipelines/components/pipelines_list/pipeline_mini_graph.vue

@@ -36,7 +36,7 @@ export default {
 };
 </script>
 <template>
-  <div data-testid="pipeline-mini-graph" class="gl-display-inline-flex gl-flex-wrap gl-my-1">
+  <div data-testid="pipeline-mini-graph" class="gl-display-inline gl-vertical-align-middle gl-my-1">
     <div
       v-for="stage in stages"
       :key="stage.name"

app/assets/javascripts/pipelines/components/pipelines_list/pipelines_table.vue

@@ -169,7 +169,7 @@ export default {
       </template>
 
       <template #cell(stages)="{ item }">
-        <div class="gl-align-items-center gl-display-inline-flex gl-flex-wrap stage-cell">
+        <div class="stage-cell">
           <!-- This empty div should be removed, see https://gitlab.com/gitlab-org/gitlab/-/issues/323488 -->
           <div></div>
           <linked-pipelines-mini-list

app/assets/javascripts/projects/commit_box/info/components/commit_box_pipeline_mini_graph.vue

@@ -121,7 +121,7 @@ export default {
 </script>
 
 <template>
-  <div>
+  <div class="gl-pt-2">
     <gl-loading-icon v-if="$apollo.queries.pipeline.loading" />
     <div v-else class="gl-align-items-center gl-display-flex">
       <linked-pipelines-mini-list

app/assets/javascripts/vue_merge_request_widget/mr_widget_options.vue

@@ -533,7 +533,7 @@ export default {
     <header
       v-if="shouldRenderCollaborationStatus || !isUpdatedHeaderEnabled"
       :class="{ 'mr-widget-workflow gl-mt-0!': isUpdatedHeaderEnabled }"
-      class="gl-rounded-base gl-border-solid gl-border-1 gl-border-gray-100"
+      class="gl-rounded-base gl-border-solid gl-border-1 gl-border-gray-100 gl-overflow-hidden"
     >
       <mr-widget-alert-message v-if="shouldRenderCollaborationStatus" type="info">
         {{ s__('mrWidget|Members who can merge are allowed to add commits.') }}

config/initializers/content_security_policy.rb

@@ -7,8 +7,6 @@ csp_settings['report_only'] = false if csp_settings['report_only'].nil?
 csp_settings['directives'] ||= {}
 
 if csp_settings['enabled']
-  csp_settings['directives'] = ::Gitlab::ContentSecurityPolicy::ConfigLoader.default_directives if csp_settings['directives'].empty?
-
   # See https://guides.rubyonrails.org/security.html#content-security-policy
   Rails.application.config.content_security_policy do |policy|
     loader = ::Gitlab::ContentSecurityPolicy::ConfigLoader.new(csp_settings['directives'].to_h)

data/removals/15_0/15-0-removal-artifacts-keyword.yml

@@ -1,15 +1,16 @@
 - name: "`artifacts:report:cobertura` keyword"
-  announcement_milestone: "14.8"
+  announcement_milestone: "14.7"
   announcement_date: "2022-02-22"
   removal_milestone: "15.0"
   removal_date: "2022-05-22"
   breaking_change: false
   body: |
-     As of GitLab 15.0, the `artifacts:report:cobertura` keyword has been replaced by
-     [`artifacts:reports:coverage_report`](https://gitlab.com/gitlab-org/gitlab/-/issues/344533). Cobertura is the only
-     supported report file, but this is the first step towards GitLab supporting other report types.
+     As of GitLab 15.0, the [`artifacts:report:cobertura`](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscobertura-removed)
+     keyword has been [replaced](https://gitlab.com/gitlab-org/gitlab/-/issues/344533) by
+     [`artifacts:reports:coverage_report`](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscoverage_report).
+     Cobertura is the only supported report file, but this is the first step towards GitLab supporting other report types.
 
 # The following items are not published on the docs page, but may be used in the future.
   stage: Verify
   issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/348980
-  documentation_url: https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscobertura
+  documentation_url: https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscobertura-removed

db/post_migrate/20220420061439_add_notes_null_discussion_id_temp_index.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class AddNotesNullDiscussionIdTempIndex < Gitlab::Database::Migration[2.0]
+  # Temporary index to be removed in 15.0 https://gitlab.com/gitlab-org/gitlab/-/issues/357581
+  INDEX_NAME = 'tmp_index_notes_on_id_where_discussion_id_is_null'
+
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_index :notes, :id, where: 'discussion_id IS NULL', name: INDEX_NAME
+  end
+
+  def down
+    remove_concurrent_index_by_name :notes, INDEX_NAME
+  end
+end

db/post_migrate/20220420061450_backfill_null_note_discussion_ids.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+class BackfillNullNoteDiscussionIds < Gitlab::Database::Migration[2.0]
+  MIGRATION = 'BackfillNoteDiscussionId'
+  DELAY_INTERVAL = 2.minutes
+  BATCH_SIZE = 10_000
+
+  restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+  disable_ddl_transaction!
+
+  class Note < MigrationRecord
+    include EachBatch
+
+    self.table_name = 'notes'
+    self.inheritance_column = :_type_disabled
+  end
+
+  def up
+    queue_background_migration_jobs_by_range_at_intervals(
+      Note.where(discussion_id: nil),
+      MIGRATION,
+      DELAY_INTERVAL,
+      batch_size: BATCH_SIZE
+    )
+  end
+
+  def down
+    # no-op
+  end
+end

db/schema_migrations/20220420061439

@@ -0,0 +1 @@
+02ff5492367d5a0b0f6b1164c33a9fe0475e72b8fba5d2f8affc4c5a118d4192

db/schema_migrations/20220420061450

@@ -0,0 +1 @@
+17046780fbe87b7eab87034dfffed239b9da48b5ef78dd1c547575158fc1d37f

db/structure.sql

@@ -29768,6 +29768,8 @@ CREATE INDEX tmp_index_members_on_state ON members USING btree (state) WHERE (st
 
 CREATE INDEX tmp_index_merge_requests_draft_and_status ON merge_requests USING btree (id) WHERE ((draft = false) AND (state_id = 1) AND ((title)::text ~* '^(\[draft\]|\(draft\)|draft:|draft|\[WIP\]|WIP:|WIP)'::text));
 
+CREATE INDEX tmp_index_notes_on_id_where_discussion_id_is_null ON notes USING btree (id) WHERE (discussion_id IS NULL);
+
 CREATE UNIQUE INDEX tmp_index_on_tmp_project_id_on_namespaces ON namespaces USING btree (tmp_project_id);
 
 CREATE INDEX tmp_index_on_vulnerabilities_non_dismissed ON vulnerabilities USING btree (id) WHERE (state <> 2);

doc/api/personal_access_tokens.md

@@ -72,12 +72,17 @@ curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/a
 
 ## Revoke a personal access token
 
-### Revoke a personal access token by ID
+Revoke a personal access token by either:
+
+- Using the ID of the personal access token.
+- Passing it to the API in a header.
+
+### Using a personal access token ID
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/216004) in GitLab 13.3.
 > - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/270200) from GitLab Ultimate to GitLab Free in 13.6.
 
-Revoke a personal access token by ID.
+Revoke a personal access token using its ID.
 
 ```plaintext
 DELETE /personal_access_tokens/:id
@@ -99,7 +104,7 @@ curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://git
 - `204: No Content` if successfully revoked.
 - `400: Bad Request` if not revoked successfully.
 
-### Revoke a personal access token using a header
+### Using a request header
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350240) in GitLab 15.0.
 

doc/ci/pipelines/settings.md

@@ -232,8 +232,8 @@ using the [`coverage`](../yaml/index.md#coverage) keyword.
 This feature is in its end-of-life process. It was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/17633)
 in GitLab 14.8. The feature is [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/17633) in GitLab 15.0.
 
-To migrate from project settings to `coverage` keyword settings, add the former project setting to a CI/CD job with the `coverage` keyword. For
-example:
+To migrate from a project setting to the `coverage` keyword, add the [former project setting](#locate-former-project-setting)
+to a CI/CD job. For example:
 
 - A Go test coverage project setting:  `coverage: \d+.\d+% of statements`.
 - A CI/CD job with `coverage` keyword setting:
@@ -246,13 +246,24 @@ example:
       - go test -cover
   ```
 
-The `.gitlab-ci.yml` job [`coverage`](../yaml/index.md#coverage) keyword must:
+The `.gitlab-ci.yml` job [`coverage`](../yaml/index.md#coverage) keyword must be:
 
-- Be a regular expression starts and ends with the `/` character.
-- Be defined as single-quoted string.
+- A regular expression starts and ends with the `/` character.
+- Defined as single-quoted string.
 
 You can verify correct syntax using the [pipeline editor](../pipeline_editor/index.md).
 
+#### Locate former project setting
+
+To migrate from the project coverage setting to the `coverage` keyword, use the
+regular expression displayed in the settings. Available in GitLab 14.10 and earlier:
+
+1. On the top bar, select **Menu > Projects** and find your project.
+1. On the left sidebar, select **Settings > CI/CD**.
+1. Expand **General pipelines**.
+
+The regular expression you need is in the **Test coverage parsing** field.
+
 <!-- end_remove -->
 
 ### Test coverage examples

doc/policy/maintenance.md

@@ -123,7 +123,8 @@ the current stable release, and two previous monthly releases. In rare cases a r
 For instance, if we release `13.2.1` with a fix for a severe bug introduced in
 `13.0.0`, we could backport the fix to a new `13.0.x`, and `13.1.x` patch release.
 
-Note that [severity] 3 and lower requests will be automatically turned down.
+Note that [severity](../development/contributing/issue_workflow.md#severity-labels) 3 and lower
+requests will be automatically turned down.
 
 To request backporting to more than one stable release for consideration, raise an issue in the
 [release/tasks](https://gitlab.com/gitlab-org/release/tasks/-/issues/new?issuable_template=Backporting-request) issue tracker.

doc/update/removals.md

@@ -630,9 +630,10 @@ The `Managed-Cluster-Applications.gitlab-ci.yml` CI/CD template is being removed
 
 ### `artifacts:report:cobertura` keyword
 
-As of GitLab 15.0, the `artifacts:report:cobertura` keyword has been replaced by
-[`artifacts:reports:coverage_report`](https://gitlab.com/gitlab-org/gitlab/-/issues/344533). Cobertura is the only
-supported report file, but this is the first step towards GitLab supporting other report types.
+As of GitLab 15.0, the [`artifacts:report:cobertura`](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscobertura-removed)
+keyword has been [replaced](https://gitlab.com/gitlab-org/gitlab/-/issues/344533) by
+[`artifacts:reports:coverage_report`](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscoverage_report).
+Cobertura is the only supported report file, but this is the first step towards GitLab supporting other report types.
 
 ### `omniauth-kerberos` gem
 

doc/user/project/issues/confidential_issues.md

@@ -36,7 +36,7 @@ The second way is to locate the Confidentiality section in the sidebar and click
 
 | Turn off confidentiality | Turn on confidentiality |
 | :-----------: | :----------: |
-| ![Turn off confidentiality](img/turn_off_confidentiality.png) | ![Turn on confidentiality](img/turn_on_confidentiality.png) |
+| ![Turn off confidentiality](img/turn_off_confidentiality_v15_0.png) | ![Turn on confidentiality](img/turn_on_confidentiality_v15_0.png) |
 
 Every change from regular to confidential and vice versa, is indicated by a
 system note in the issue's comments.

lib/gitlab/background_migration/backfill_note_discussion_id.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module BackgroundMigration
+    # Fixes notes with NULL discussion_ids due to a bug when importing from GitHub
+    # Bug was fixed in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/76517
+    class BackfillNoteDiscussionId
+      SUB_BATCH_SIZE = 300
+
+      # Migration only version of notes model
+      class Note < ApplicationRecord
+        include EachBatch
+
+        self.table_name = 'notes'
+
+        # Based on https://gitlab.com/gitlab-org/gitlab/blob/117c14d0c79403e169cf52922b48f69d1dcf6a85/app/models/discussion.rb#L62-74
+        def generate_discussion_id
+          Digest::SHA1.hexdigest(
+            [:discussion, noteable_type.try(:underscore), noteable_id || commit_id, SecureRandom.hex].join('-')
+          )
+        end
+      end
+
+      def perform(start_id, stop_id)
+        notes = Note.select(:id, :noteable_type, :noteable_id, :commit_id)
+                    .where(discussion_id: nil, id: start_id..stop_id)
+
+        notes.each_batch(of: SUB_BATCH_SIZE) do |relation|
+          update_discussion_ids(relation)
+        end
+      end
+
+      private
+
+      def update_discussion_ids(notes)
+        mapping = notes.each_with_object({}) do |note, hash|
+          hash[note] = { discussion_id: note.generate_discussion_id }
+        end
+
+        Gitlab::Database::BulkUpdate.execute(%i(discussion_id), mapping)
+      end
+    end
+  end
+end

lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml

@@ -8,7 +8,7 @@ variables:
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
   SECRET_DETECTION_IMAGE_SUFFIX: ""
 
-  SECRETS_ANALYZER_VERSION: "3"
+  SECRETS_ANALYZER_VERSION: "4"
   SECRET_DETECTION_EXCLUDED_PATHS: ""
 
 .secret-analyzer:
@@ -31,37 +31,4 @@ secret_detection:
       when: never
     - if: $CI_COMMIT_BRANCH
   script:
-    - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
-    # Historic scan
-    - if [ "$SECRET_DETECTION_HISTORIC_SCAN" == "true" ]; then echo "Running Secret Detection Historic Scan"; /analyzer run; exit; fi
-    # Default branch scan
-    - if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit; fi
-    # Push event
-    - |
-      if [ "$CI_COMMIT_BEFORE_SHA" == "0000000000000000000000000000000000000000" ];
-      then
-        # first commit on a new branch
-        echo ${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt
-        git fetch --depth=2 origin $CI_COMMIT_REF_NAME
-      else
-        # determine commit range so that we can fetch the appropriate depth
-        # check the exit code to determine if we need to limit the commit_list.txt to CI_COMMIT_SHA.
-        if ! git log --pretty=format:"%H" ${CI_COMMIT_BEFORE_SHA}..${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt;
-        then
-          echo "unable to determine commit range, limiting to ${CI_COMMIT_SHA}"
-          echo ${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt
-        else
-          # append newline to to list since `git log` does not end with a
-          # newline, this is to keep the log messages consistent
-          echo >> ${CI_COMMIT_SHA}_commit_list.txt
-        fi
-
-        # we need to extend the git fetch depth to the number of commits + 1 for the following reasons:
-        # to include the parent commit of the base commit in this MR/Push event. This is needed because
-        # `git diff -p` needs something to compare changes in that commit against
-        git fetch --depth=$(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) origin $CI_COMMIT_REF_NAME
-      fi
-      echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt))) commits for a push event"
-      export SECRET_DETECTION_COMMITS_FILE=${CI_COMMIT_SHA}_commit_list.txt
     - /analyzer run
-    - rm "$CI_COMMIT_SHA"_commit_list.txt

lib/gitlab/content_security_policy/config_loader.rb

@@ -61,7 +61,9 @@ module Gitlab
       end
 
       def initialize(csp_directives)
-        @csp_directives = HashWithIndifferentAccess.new(csp_directives)
+        @merged_csp_directives =
+          HashWithIndifferentAccess.new(csp_directives)
+                                   .reverse_merge(::Gitlab::ContentSecurityPolicy::ConfigLoader.default_directives)
       end
 
       def load(policy)
@@ -77,8 +79,9 @@ module Gitlab
       private
 
       def arguments_for(directive)
-        arguments = @csp_directives[directive.to_s]
-
+        # In order to disable a directive, the user can explicitly
+        # set a falsy value like nil, false or empty string
+        arguments = @merged_csp_directives[directive]
         return unless arguments.present? && arguments.is_a?(String)
 
         arguments.strip.split(' ').map(&:strip)

spec/lib/gitlab/background_migration/backfill_note_discussion_id_spec.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::BackgroundMigration::BackfillNoteDiscussionId do
+  let(:migration) { described_class.new }
+  let(:notes_table) { table(:notes) }
+  let(:existing_discussion_id) { Digest::SHA1.hexdigest('test') }
+
+  before do
+    notes_table.create!(id: 1, noteable_type: 'Issue', noteable_id: 2, discussion_id: existing_discussion_id)
+    notes_table.create!(id: 2, noteable_type: 'Issue', noteable_id: 1, discussion_id: nil)
+    notes_table.create!(id: 3, noteable_type: 'MergeRequest', noteable_id: 1, discussion_id: nil)
+    notes_table.create!(id: 4, noteable_type: 'Commit', commit_id: RepoHelpers.sample_commit.id, discussion_id: nil)
+    notes_table.create!(id: 5, noteable_type: 'Issue', noteable_id: 2, discussion_id: nil)
+    notes_table.create!(id: 6, noteable_type: 'MergeRequest', noteable_id: 2, discussion_id: nil)
+  end
+
+  it 'updates records in the specified batch', :aggregate_failures do
+    migration.perform(1, 5)
+
+    expect(notes_table.where(discussion_id: nil).count).to eq(1)
+
+    expect(notes_table.find(1).discussion_id).to eq(existing_discussion_id)
+    notes_table.where(id: 2..5).each do |n|
+      expect(n.discussion_id).to match(/\A[0-9a-f]{40}\z/)
+    end
+  end
+end

spec/lib/gitlab/content_security_policy/config_loader_spec.rb

@@ -183,6 +183,8 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
   end
 
   describe '#load' do
+    let(:default_directives) { described_class.default_directives }
+
     subject { described_class.new(csp_config[:directives]) }
 
     def expected_config(directive)
@@ -207,5 +209,23 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
 
       expect(policy.directives['base-uri']).to be_nil
     end
+
+    it 'returns default values for directives not defined by the user' do
+      # Explicitly disabling script_src and setting report_uri
+      csp_config[:directives] = {
+        script_src: false,
+        report_uri: 'https://example.org'
+      }
+
+      subject.load(policy)
+
+      expected_policy = ActionDispatch::ContentSecurityPolicy.new
+      # Creating a policy from default settings and manually overriding the custom values
+      described_class.new(default_directives).load(expected_policy)
+      expected_policy.script_src(nil)
+      expected_policy.report_uri('https://example.org')
+
+      expect(policy.directives).to eq(expected_policy.directives)
+    end
   end
 end

spec/lib/gitlab/saas_spec.rb

@@ -3,11 +3,11 @@
 require 'spec_helper'
 
 RSpec.describe Gitlab::Saas do
+  include SaasTestHelper
+
   describe '.canary_toggle_com_url' do
     subject { described_class.canary_toggle_com_url }
 
-    let(:next_url) { 'https://next.gitlab.com' }
-
-    it { is_expected.to eq(next_url) }
+    it { is_expected.to eq(get_next_url) }
   end
 end

spec/support/helpers/saas_test_helper.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module SaasTestHelper
+  def get_next_url
+    "https://next.gitlab.com"
+  end
+end
+
+SaasTestHelper.prepend_mod