Add latest changes from gitlab-org/gitlab@master

.rubocop_todo/gitlab/service_response.yml

@@ -0,0 +1,80 @@
+---
+Gitlab/ServiceResponse:
+  Details: grace period
+  Exclude:
+    - 'app/services/alert_management/metric_images/upload_service.rb'
+    - 'app/services/analytics/cycle_analytics/stages/base_service.rb'
+    - 'app/services/boards/lists/base_update_service.rb'
+    - 'app/services/branches/delete_service.rb'
+    - 'app/services/bulk_imports/create_service.rb'
+    - 'app/services/bulk_imports/export_service.rb'
+    - 'app/services/ci/build_cancel_service.rb'
+    - 'app/services/ci/build_erase_service.rb'
+    - 'app/services/ci/build_unschedule_service.rb'
+    - 'app/services/ci/prometheus_metrics/observe_histograms_service.rb'
+    - 'app/services/ci/retry_pipeline_service.rb'
+    - 'app/services/ci/runners/assign_runner_service.rb'
+    - 'app/services/ci/runners/register_runner_service.rb'
+    - 'app/services/concerns/alert_management/responses.rb'
+    - 'app/services/concerns/services/return_service_responses.rb'
+    - 'app/services/container_expiration_policies/update_service.rb'
+    - 'app/services/dependency_proxy/group_settings/update_service.rb'
+    - 'app/services/dependency_proxy/image_ttl_group_policies/update_service.rb'
+    - 'app/services/groups/update_statistics_service.rb'
+    - 'app/services/incident_management/pager_duty/create_incident_issue_service.rb'
+    - 'app/services/incident_management/pager_duty/process_webhook_service.rb'
+    - 'app/services/issuable/bulk_update_service.rb'
+    - 'app/services/jira_import/start_import_service.rb'
+    - 'app/services/namespaces/package_settings/update_service.rb'
+    - 'app/services/packages/debian/create_distribution_service.rb'
+    - 'app/services/packages/mark_package_for_destruction_service.rb'
+    - 'app/services/packages/rubygems/dependency_resolver_service.rb'
+    - 'app/services/snippets/base_service.rb'
+    - 'app/services/snippets/bulk_destroy_service.rb'
+    - 'app/services/snippets/destroy_service.rb'
+    - 'app/services/snippets/repository_validation_service.rb'
+    - 'app/services/snippets/update_statistics_service.rb'
+    - 'app/services/timelogs/base_service.rb'
+    - 'app/services/work_items/create_and_link_service.rb'
+    - 'app/services/work_items/create_from_task_service.rb'
+    - 'app/services/work_items/delete_task_service.rb'
+    - 'ee/app/services/analytics/cycle_analytics/value_streams/create_service.rb'
+    - 'ee/app/services/app_sec/dast/profiles/destroy_service.rb'
+    - 'ee/app/services/app_sec/dast/scanner_profiles/destroy_service.rb'
+    - 'ee/app/services/app_sec/dast/scanner_profiles/update_service.rb'
+    - 'ee/app/services/app_sec/dast/site_profiles/destroy_service.rb'
+    - 'ee/app/services/ee/analytics/cycle_analytics/stages/base_service.rb'
+    - 'ee/app/services/ee/ci/retry_pipeline_service.rb'
+    - 'ee/app/services/external_status_checks/create_service.rb'
+    - 'ee/app/services/external_status_checks/destroy_service.rb'
+    - 'ee/app/services/external_status_checks/dispatch_service.rb'
+    - 'ee/app/services/external_status_checks/update_service.rb'
+    - 'ee/app/services/gitlab_subscriptions/create_trial_or_lead_service.rb'
+    - 'ee/app/services/group_saml/saml_group_links/create_service.rb'
+    - 'ee/app/services/iterations/cadences/create_iterations_in_advance_service.rb'
+    - 'ee/app/services/iterations/cadences/create_service.rb'
+    - 'ee/app/services/iterations/cadences/destroy_service.rb'
+    - 'ee/app/services/iterations/cadences/update_service.rb'
+    - 'ee/app/services/iterations/create_service.rb'
+    - 'ee/app/services/iterations/delete_service.rb'
+    - 'ee/app/services/iterations/roll_over_issues_service.rb'
+    - 'ee/app/services/iterations/update_service.rb'
+    - 'ee/app/services/security/findings/dismiss_service.rb'
+    - 'ee/app/services/vulnerabilities/finding_dismiss_service.rb'
+    - 'ee/app/services/vulnerability_issue_links/create_service.rb'
+    - 'ee/app/services/vulnerability_issue_links/delete_service.rb'
+    - 'ee/spec/graphql/mutations/security/finding/dismiss_spec.rb'
+    - 'spec/controllers/import/bulk_imports_controller_spec.rb'
+    - 'spec/controllers/import/fogbugz_controller_spec.rb'
+    - 'spec/controllers/projects/alerting/notifications_controller_spec.rb'
+    - 'spec/controllers/projects/pipelines_controller_spec.rb'
+    - 'spec/controllers/projects/prometheus/alerts_controller_spec.rb'
+    - 'spec/lib/gitlab/import_export/snippet_repo_restorer_spec.rb'
+    - 'spec/requests/api/ci/pipelines_spec.rb'
+    - 'spec/requests/api/ci/runner/runners_post_spec.rb'
+    - 'spec/requests/api/group_export_spec.rb'
+    - 'spec/requests/api/project_export_spec.rb'
+    - 'spec/requests/api/project_import_spec.rb'
+    - 'spec/requests/projects/incident_management/pagerduty_incidents_spec.rb'
+    - 'spec/services/bulk_imports/export_service_spec.rb'
+    - 'spec/support/shared_examples/requests/api/rubygems_packages_shared_examples.rb'

app/views/notify/project_was_not_exported_email.html.haml

@@ -1,7 +1,7 @@
 %p
-  Project #{@project.name} couldn't be exported.
+  = s_("Notify|Project %{project_name} couldn't be exported.") % {project_name: @project.name}
 %p
-  The errors we encountered were:
+  = s_('Notify|The errors we encountered were:')
 
   %ul
   - @errors.each do |error|

db/migrate/20221009085130_add_mr_checks_columns_to_namespace_settings.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class AddMrChecksColumnsToNamespaceSettings < Gitlab::Database::Migration[2.0]
+  def change
+    add_column :namespace_settings, :only_allow_merge_if_pipeline_succeeds, :boolean, default: false, null: false
+    add_column :namespace_settings, :allow_merge_on_skipped_pipeline, :boolean, default: false, null: false
+    add_column :namespace_settings, :only_allow_merge_if_all_discussions_are_resolved, \
+               :boolean, default: false, null: false
+  end
+end

db/schema_migrations/20221009085130

@@ -0,0 +1 @@
+125ce9bf81966840774eb69be7995c1a8e2abd901fe5f19b73df43a577a9dc44

db/structure.sql

@@ -17925,6 +17925,9 @@ CREATE TABLE namespace_settings (
     include_for_free_user_cap_preview boolean DEFAULT false NOT NULL,
     unique_project_download_limit_allowlist text[] DEFAULT '{}'::text[] NOT NULL,
     auto_ban_user_on_excessive_projects_download boolean DEFAULT false NOT NULL,
+    only_allow_merge_if_pipeline_succeeds boolean DEFAULT false NOT NULL,
+    allow_merge_on_skipped_pipeline boolean DEFAULT false NOT NULL,
+    only_allow_merge_if_all_discussions_are_resolved boolean DEFAULT false NOT NULL,
     CONSTRAINT check_0ba93c78c7 CHECK ((char_length(default_branch_name) <= 255)),
     CONSTRAINT namespace_settings_unique_project_download_limit_allowlist_size CHECK ((cardinality(unique_project_download_limit_allowlist) <= 100))
 );

doc/user/application_security/configuration/index.md

@@ -19,19 +19,23 @@ The Security Configuration page lists the following for the security testing and
 - Whether or not it is available.
 - A configuration button or a link to its configuration guide.
 
-The status of each security control is determined by the following process:
+To determine the status of each security control, GitLab checks for a [CI/CD pipeline](../../../ci/pipelines/index.md)
+in the most recent commit on the default branch.
 
-1. Check for a [CI pipeline](../../../ci/pipelines/index.md) in the most recent commit on the default branch. 
-1. If no CI pipelines exist, then consider all security scanners disabled. Show the **Not enabled** status.
-1. If a pipeline is found, then inspect the CI YAML for each job in the CI/CD pipeline. If a
-   job in the pipeline defines an [`artifacts:reports` keyword](../../../ci/yaml/artifacts_reports.md)
-   for a security scanner, then consider the security scanner enabled. Show the **Enabled** status.
+If GitLab finds a CI/CD pipeline, then it inspects each job in the `.gitlab-ci.yml` file.
+
+- If a job defines an [`artifacts:reports` keyword](../../../ci/yaml/artifacts_reports.md)
+  for a security scanner, then GitLab considers the security scanner enabled and shows the **Enabled** status.
+- If no jobs define an `artifacts:reports` keyword for a security scanner, then GitLab considers 
+  the security scanner disabled and shows the **Not enabled** status.
+
+If GitLab does not find a CI/CD pipeline, then it considers all security scanners disabled and shows the **Not enabled** status.
 
 Failed pipelines and jobs are included in this process. If a scanner is configured but the job fails,
 that scanner is still considered enabled. This process also determines the scanners and statuses
-returned through [our API](../../../api/graphql/reference/index.md#securityscanners).
+returned through the [API](../../../api/graphql/reference/index.md#securityscanners).
 
-If the latest pipeline used [Auto DevOps](../../../topics/autodevops/index.md),
+If the latest pipeline uses [Auto DevOps](../../../topics/autodevops/index.md),
 all security features are configured by default.
 
 To view a project's security configuration:

doc/user/application_security/vulnerabilities/severities.md

@@ -56,7 +56,9 @@ the following tables:
 
 | GitLab analyzer                                                                          | Outputs severity levels?     | Native severity level type | Native severity level example       |
 |------------------------------------------------------------------------------------------|------------------------------|----------------------------|-------------------------------------|
-| [`gemnasium`](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium)         | **{check-circle}** Yes       | CVSS v2.0 Rating and CVSS v3.1 Qualitative Severity Rating | `(AV:N/AC:L/Au:S/C:P/I:P/A:N)`, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` |
+| [`gemnasium`](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium)         | **{check-circle}** Yes       | CVSS v2.0 Rating and CVSS v3.1 Qualitative Severity Rating <sup>1</sup> | `(AV:N/AC:L/Au:S/C:P/I:P/A:N)`, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` |
+
+1. The CVSS v3.1 rating is used to calculate the severity level. If it's not available, the CVSS v2.0 rating is used instead.
 
 ## Container Scanning
 

locale/gitlab.pot

@@ -27509,6 +27509,9 @@ msgstr ""
 msgid "Notify|Project %{old_path_with_namespace} was moved to another location."
 msgstr ""
 
+msgid "Notify|Project %{project_name} couldn't be exported."
+msgstr ""
+
 msgid "Notify|Project %{project_name} was exported successfully."
 msgstr ""
 
@@ -27530,6 +27533,9 @@ msgstr ""
 msgid "Notify|The download link will expire in 24 hours."
 msgstr ""
 
+msgid "Notify|The errors we encountered were:"
+msgstr ""
+
 msgid "Notify|The project is now located under %{project_full_name_link_start}%{project_full_name}%{link_end}."
 msgstr ""
 

rubocop/cop/gitlab/service_response.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require_relative '../../code_reuse_helpers'
+
+module RuboCop
+  module Cop
+    module Gitlab
+      class ServiceResponse < ::RuboCop::Cop::Base
+        include CodeReuseHelpers
+
+        # This cop checks that ServiceResponse object is not used with the
+        # deprecated attribute `http_status`.
+        #
+        # @example
+        #
+        #   # bad
+        #   ServiceResponse.error(message: "...", http_status: :forbidden)
+        #
+        #   # good
+        #   ServiceResponse.error(message: "...", reason: :insufficient_permissions)
+        MSG = 'Use `reason` instead of the deprecated `http_status`: https://gitlab.com/gitlab-org/gitlab/-/issues/356036'
+
+        RESTRICT_ON_SEND = %i[error success new].freeze
+        METHOD_NAMES = RESTRICT_ON_SEND.map(&:inspect).join(' ').freeze
+
+        def_node_matcher :service_response_with_http_status, <<~PATTERN
+          (send
+            (const {nil? cbase} :ServiceResponse)
+            {#{METHOD_NAMES}}
+            (hash <$(pair (sym :http_status) _) ...>)
+          )
+        PATTERN
+
+        def on_send(node)
+          pair = service_response_with_http_status(node)
+          return unless pair
+
+          add_offense(pair)
+        end
+      end
+    end
+  end
+end

spec/rubocop/cop/gitlab/service_response_spec.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'rubocop_spec_helper'
+require_relative '../../../../rubocop/cop/gitlab/service_response'
+
+RSpec.describe RuboCop::Cop::Gitlab::ServiceResponse do
+  subject(:cop) { described_class.new }
+
+  it 'does not flag the `http_status:` param on a homonym method' do
+    expect_no_offenses("MyClass.error(http_status: :ok)")
+  end
+
+  it 'does not flag calls without params' do
+    expect_no_offenses('ServiceResponse.error')
+  end
+
+  it 'does not flag the offense when `http_status` is not used' do
+    expect_no_offenses('ServiceResponse.error(message: "some error", reason: :bad_time)')
+  end
+
+  it 'flags the use of `http_status:` parameter in ServiceResponse in error' do
+    expect_offense(<<~CODE, msg: described_class::MSG)
+      ServiceResponse.error(message: "some error", http_status: :bad_request)
+                                                   ^^^^^^^^^^^^^^^^^^^^^^^^^ %{msg}
+    CODE
+  end
+
+  it 'flags the use of `http_status:` parameter in ServiceResponse in success' do
+    expect_offense(<<~CODE, msg: described_class::MSG)
+      ServiceResponse.success(message: "some error", http_status: :bad_request)
+                                                     ^^^^^^^^^^^^^^^^^^^^^^^^^ %{msg}
+    CODE
+  end
+
+  it 'flags the use of `http_status:` parameter in ServiceResponse in initializer' do
+    expect_offense(<<~CODE, msg: described_class::MSG)
+      ServiceResponse.new(message: "some error", http_status: :bad_request)
+                                                 ^^^^^^^^^^^^^^^^^^^^^^^^^ %{msg}
+    CODE
+  end
+end

vendor/gems/attr_encrypted/Gemfile.lock

@@ -100,9 +100,11 @@ GEM
     loofah (2.19.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
+    mini_portile2 (2.8.0)
     minitest (5.16.3)
     multi_json (1.15.0)
-    nokogiri (1.13.8-x86_64-linux)
+    nokogiri (1.13.8)
+      mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
     public_suffix (5.0.0)
     racc (1.6.0)
@@ -124,15 +126,16 @@ GEM
     simplecov-rcov (0.3.1)
       simplecov (>= 0.4.1)
     simplecov_json_formatter (0.1.4)
-    sqlite3 (1.5.0-x86_64-linux)
+    sqlite3 (1.5.0)
+      mini_portile2 (~> 2.8.0)
     stringex (1.5.1)
     tzinfo (2.0.5)
       concurrent-ruby (~> 1.0)
     uuidtools (2.2.0)
-    zeitwerk (2.6.0)
+    zeitwerk (2.6.1)
 
 PLATFORMS
-  x86_64-linux
+  ruby
 
 DEPENDENCIES
   actionpack (~> 6.1)
@@ -149,4 +152,4 @@ DEPENDENCIES
   sqlite3
 
 BUNDLED WITH
-   2.3.19
+   2.3.22

vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile.checksum

@@ -21,6 +21,7 @@
 {"name":"marcel","version":"1.0.2","platform":"ruby","checksum":"a013b677ef46cbcb49fd5c59b3d35803d2ee04dd75d8bfdc43533fc5a31f7e4e"},
 {"name":"method_source","version":"1.0.0","platform":"ruby","checksum":"d779455a2b5666a079ce58577bfad8534f571af7cec8107f4dce328f0981dede"},
 {"name":"mini_mime","version":"1.1.2","platform":"ruby","checksum":"a54aec0cc7438a03a850adb00daca2bdb60747f839e28186994df057cea87151"},
+{"name":"mini_portile2","version":"2.8.0","platform":"ruby","checksum":"1e06b286ff19b73cfc9193cb3dd2bd80416f8262443564b25b23baea74a05765"},
 {"name":"minitest","version":"5.16.2","platform":"ruby","checksum":"c1be0c6b57fab451faa08e74ffa71e7d6a259b90f4bacb881c7f4808ec8b4991"},
 {"name":"nio4r","version":"2.5.8","platform":"java","checksum":"b2b1800f6bf7ce4b797ca8b639ad278a99c9c904fb087a91d944f38e4bd71401"},
 {"name":"nio4r","version":"2.5.8","platform":"ruby","checksum":"3becb4ad95ab8ac0a9bd2e1b16466869402be62848082bf6329ae9091f276676"},

vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile.lock

@@ -76,11 +76,11 @@ GEM
     marcel (1.0.2)
     method_source (1.0.0)
     mini_mime (1.1.2)
+    mini_portile2 (2.8.0)
     minitest (5.16.2)
     nio4r (2.5.8)
-    nokogiri (1.13.8-arm64-darwin)
-      racc (~> 1.4)
-    nokogiri (1.13.8-x86_64-linux)
+    nokogiri (1.13.8)
+      mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
     racc (1.6.0)
     rack (2.2.4)
@@ -129,11 +129,10 @@ GEM
     zeitwerk (2.6.0)
 
 PLATFORMS
-  arm64-darwin-21
-  x86_64-linux
+  ruby
 
 DEPENDENCIES
   rails (~> 6.1.6.1)
 
 BUNDLED WITH
-   2.3.19
+   2.3.22

vendor/gems/omniauth-google-oauth2/examples/Gemfile.lock

@@ -0,0 +1,72 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.2)
+    faraday (2.5.2)
+      faraday-net_http (>= 2.0, < 3.1)
+      ruby2_keywords (>= 0.0.4)
+    faraday-net_http (3.0.0)
+    hashie (5.0.0)
+    json (2.6.2)
+    jwt (2.5.0)
+    multi_json (1.15.0)
+    multi_xml (0.6.0)
+    oauth2 (1.4.11)
+      faraday (>= 0.17.3, < 3.0)
+      jwt (>= 1.0, < 3.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 4)
+    omniauth (1.9.2)
+      hashie (>= 3.4.6)
+      rack (>= 1.6.2, < 3)
+    omniauth-google-oauth2 (0.8.2)
+      jwt (>= 2.0)
+      oauth2 (~> 1.1)
+      omniauth (~> 1.1)
+      omniauth-oauth2 (>= 1.6)
+    omniauth-oauth2 (1.7.3)
+      oauth2 (>= 1.4, < 3)
+      omniauth (>= 1.9, < 3)
+    parallel (1.22.1)
+    parser (3.1.2.1)
+      ast (~> 2.4.1)
+    rack (1.6.13)
+    rack-protection (1.5.5)
+      rack
+    rainbow (3.1.1)
+    regexp_parser (2.6.0)
+    rexml (3.2.5)
+    rubocop (1.36.0)
+      json (~> 2.3)
+      parallel (~> 1.10)
+      parser (>= 3.1.2.1)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.20.1, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 3.0)
+    rubocop-ast (1.21.0)
+      parser (>= 3.1.1.0)
+    ruby-progressbar (1.11.0)
+    ruby2_keywords (0.0.5)
+    sinatra (1.4.8)
+      rack (~> 1.5)
+      rack-protection (~> 1.4)
+      tilt (>= 1.3, < 3)
+    tilt (2.0.11)
+    unicode-display_width (2.3.0)
+    webrick (1.7.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  omniauth-google-oauth2 (~> 0.8.1)
+  rubocop
+  sinatra (~> 1.4)
+  webrick
+
+BUNDLED WITH
+   2.3.22