Add latest changes from gitlab-org/gitlab@master

.rubocop_todo/layout/empty_line_after_magic_comment.yml

@@ -250,7 +250,6 @@ Layout/EmptyLineAfterMagicComment:
     - 'ee/spec/lib/gitlab/middleware/ip_restrictor_spec.rb'
     - 'ee/spec/lib/gitlab/search/client_spec.rb'
     - 'ee/spec/lib/gitlab/spdx/catalogue_spec.rb'
-    - 'ee/spec/lib/system_check/app/advanced_search_migrations_check_spec.rb'
     - 'ee/spec/lib/system_check/geo/http_connection_check_spec.rb'
     - 'ee/spec/models/analytics/cycle_analytics/aggregation_context_spec.rb'
     - 'ee/spec/models/ci/minutes/quota_spec.rb'

app/assets/javascripts/todos/components/todo_item.vue

@@ -1,10 +1,11 @@
 <script>
-import { GlLink, GlIcon } from '@gitlab/ui';
+import { GlLink, GlIcon, GlFormCheckbox } from '@gitlab/ui';
 import { s__, sprintf } from '~/locale';
 import dateFormat from '~/lib/dateformat';
 import { formatDate, getDayDifference, fallsBefore } from '~/lib/utils/datetime_utility';
 import { localeDateFormat } from '~/lib/utils/datetime/locale_dateformat';
 import timeagoMixin from '~/vue_shared/mixins/timeago';
+import glFeatureFlagMixin from '~/vue_shared/mixins/gl_feature_flags_mixin';
 import { INSTRUMENT_TODO_ITEM_FOLLOW, TODO_STATE_DONE } from '../constants';
 import TodoItemTitle from './todo_item_title.vue';
 import TodoItemBody from './todo_item_body.vue';
@@ -21,13 +22,14 @@ export default {
   components: {
     GlLink,
     GlIcon,
+    GlFormCheckbox,
     TodoItemTitle,
     TodoItemBody,
     TodoItemTimestamp,
     TodoItemActions,
     TodoItemTitleHiddenBySaml,
   },
-  mixins: [timeagoMixin],
+  mixins: [timeagoMixin, glFeatureFlagMixin()],
   inject: ['currentTab'],
   props: {
     currentUserId: {
@@ -38,6 +40,11 @@ export default {
       type: Object,
       required: true,
     },
+    selected: {
+      type: Boolean,
+      required: false,
+      default: false,
+    },
   },
   computed: {
     isHiddenBySaml() {
@@ -106,10 +113,17 @@ export default {
 
 <template>
   <li
-    class="gl-border-t gl-border-b gl-relative -gl-mt-px gl-flex gl-gap-3 gl-px-5 gl-py-3 hover:gl-z-1 hover:gl-cursor-pointer hover:gl-border-blue-200 hover:gl-bg-blue-50"
+    class="gl-border-t gl-border-b gl-relative -gl-mt-px gl-flex gl-gap-3 gl-px-5 gl-py-3 hover:gl-z-1 hover:gl-border-blue-200 hover:gl-bg-blue-50"
     :data-testid="`todo-item-${todo.id}`"
     :class="{ 'gl-bg-subtle': isDone }"
   >
+    <gl-form-checkbox
+      v-if="glFeatures.todosBulkActions"
+      class="gl-inline-block gl-pt-2"
+      :aria-label="__('Select')"
+      :checked="selected"
+      @change="(checked) => $emit('select-change', todo.id, checked)"
+    />
     <gl-link
       :href="targetUrl"
       :data-track-label="trackingLabel"

app/assets/javascripts/work_items/components/work_item_actions.vue

@@ -340,7 +340,7 @@ export default {
         : this.$options.i18n.confidentialityEnabled;
     },
     showChangeType() {
-      return !this.isEpic && this.glFeatures.workItemsBeta && this.$options.isLoggedIn;
+      return !this.isEpic && this.glFeatures.workItemsBeta && this.canUpdate;
     },
     allowedWorkItemTypes() {
       if (this.isGroup) {

app/graphql/resolvers/concerns/projects/look_ahead_preloads.rb

@@ -20,7 +20,9 @@ def preloads
         container_repositories: [:container_repositories],
         container_repositories_count: [:container_repositories],
         web_url: { namespace: [:route] },
-        is_catalog_resource: [:catalog_resource]
+        is_catalog_resource: [:catalog_resource],
+        open_merge_requests_count: [:project_feature],
+        organization_edit_path: [:organization]
       }
     end
   end

app/graphql/resolvers/work_items/description_template_content_resolver.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Resolvers
+  module WorkItems
+    class DescriptionTemplateContentResolver < BaseResolver
+      type ::Types::WorkItems::DescriptionTemplateType, null: true
+
+      argument :template_content_input, ::Types::WorkItems::DescriptionTemplateContentInputType,
+        required: true,
+        description: "Input for fetching a specific Descriptiontemplate."
+
+      def resolve(args)
+        project = Project.find(args[:template_content_input].project_id)
+
+        ::TemplateFinder.new(:issues, project, { name: args[:template_content_input].name }).execute
+
+      rescue Gitlab::Template::Finders::RepoTemplateFinder::FileNotFoundError, ActiveRecord::RecordNotFound
+        nil
+      end
+    end
+  end
+end

app/graphql/resolvers/work_items/description_templates_resolver.rb

@@ -7,7 +7,10 @@ class DescriptionTemplatesResolver < BaseResolver
 
       argument :name, GraphQL::Types::String,
         required: false,
-        description: "Fetches the specific DescriptionTemplate."
+        description: "Fetches the specific DescriptionTemplate.",
+        deprecated: { milestone: '17.9',
+                      reason: 'name and project ID are both required for fetching,
+                       use DescriptionTemplateContentInputType instead' }
 
       argument :search, GraphQL::Types::String,
         required: false,
@@ -16,29 +19,58 @@ class DescriptionTemplatesResolver < BaseResolver
 
       alias_method :namespace, :object
 
-      def resolve(**args)
-        project = fetch_templates_project(namespace)
-        return [] unless project
+      def resolve(**_args)
+        project = fetch_root_templates_project(namespace)
+        return unless project
 
-        template_name = args.delete(:name)
+        templates = Array.wrap(::TemplateFinder.new(:issues, project).execute)
 
-        Array.wrap(::TemplateFinder.new(:issues, project, { name: template_name }).execute)
+        filter_project_templates_for_group(templates) if namespace.is_a?(Group)
+
+        return if templates.blank?
+
+        templates
 
       rescue Gitlab::Template::Finders::RepoTemplateFinder::FileNotFoundError, ActiveRecord::RecordNotFound
-        []
       end
 
       private
 
-      def fetch_templates_project(namespace)
-        return namespace.project if namespace.is_a?(::Namespaces::ProjectNamespace)
+      # When we are at project level we return the project itself to fetch the description templates.
+      # When we are at group level we fetch first found file_template_project_id from the namespace or its ancestors
+
+      def fetch_root_templates_project(namespace)
+        if namespace.is_a?(::Namespaces::ProjectNamespace)
+          namespace.project
+        elsif namespace.is_a?(::Group)
+          Project.find(namespace.file_template_project_id)
+        end
+      end
+
+      def filter_project_templates_for_group(templates)
+        # Separate project templates from other templates
+        project_templates, other_templates = templates.partition { |t| t.category == "Project Templates" }
 
-        project = Project.find(namespace.file_template_project_id)
+        # Check if we have duplicate project and group templates from TemplateFinder where
+        # project/group results match on name + content + project_id, meaning they refer to the same file
+        # but the category returned refers to the parent group of the project
 
-        return unless current_user&.can?(:read_project, project)
+        has_equivalent_group_template = other_templates.any? do |other_template|
+          project_templates.any? do |project_template|
+            project_template.project_id == other_template.project_id &&
+              project_template.name == other_template.name &&
+              project_template.content == other_template.content &&
+              other_template.category == "Group #{Project.find(project_template.project_id)&.parent&.name}"
+          end
+        end
 
-        project
+        # If the duplicates in this case exist, we omit the project level duplicates
+        templates.reject! { |t| t.category == "Project Templates" } if has_equivalent_group_template
       end
     end
   end
 end
+
+# rubocop:disable Layout/LineLength -- prepend statement is too long
+Resolvers::WorkItems::DescriptionTemplatesResolver.prepend_mod_with('Resolvers::WorkItems::DescriptionTemplatesResolver')
+# rubocop:enable Layout/LineLength

app/graphql/types/query_type.rb

@@ -203,6 +203,13 @@ class QueryType < ::Types::BaseObject
       experiment: { milestone: '15.1' },
       description: 'Find a work item.'
 
+    field :work_item_description_template_content, WorkItems::DescriptionTemplateType,
+      null: true,
+      resolver: Resolvers::WorkItems::DescriptionTemplateContentResolver,
+      experiment: { milestone: '17.9' },
+      description: 'Find a work item description template.',
+      calls_gitaly: true
+
     field :audit_event_definitions,
       Types::AuditEvents::DefinitionType.connection_type,
       null: false,

app/graphql/types/work_items/description_template_content_input_type.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Types
+  module WorkItems
+    class DescriptionTemplateContentInputType < BaseInputObject
+      graphql_name 'WorkItemDescriptionTemplateContentInput'
+
+      argument :name, GraphQL::Types::String,
+        required: true,
+        description: 'Name of the description template.'
+      argument :project_id, GraphQL::Types::Int,
+        required: true,
+        description: 'ID of the project the template belongs to.'
+    end
+  end
+end

app/graphql/types/work_items/description_template_type.rb

@@ -9,9 +9,11 @@ class DescriptionTemplateType < BaseObject
       field :category, GraphQL::Types::String,
         description: 'Category of description template.', null: true, calls_gitaly: true
       field :content, GraphQL::Types::String,
-        description: 'Content of Description Template.', null: false, calls_gitaly: true
+        description: 'Content of Description Template.', null: true, calls_gitaly: true
       field :name, GraphQL::Types::String,
-        description: 'Name of Description Template.', null: false, calls_gitaly: true
+        description: 'Name of Description Template.', null: true, calls_gitaly: true
+      field :project_id, GraphQL::Types::Int,
+        description: 'ID of the description template project.', null: true, calls_gitaly: true
     end
     # rubocop: enable Graphql/AuthorizeTypes
   end

app/models/ci/runner.rb

@@ -331,14 +331,6 @@ def self.runner_matchers
       end
     end
 
-    # TODO: Remove once https://gitlab.com/gitlab-org/gitlab/-/issues/504277 is closed.
-    def self.sharded_table_proxy_model
-      @sharded_table_proxy_class ||= Class.new(self) do
-        self.table_name = :ci_runners_e59bb2812d
-        self.primary_key = :id
-      end
-    end
-
     def self.taggings_join_model
       ::Ci::RunnerTagging
     end
@@ -450,14 +442,6 @@ def has_tags?
       tag_list.any?
     end
 
-    # TODO: Remove once https://gitlab.com/gitlab-org/gitlab/-/issues/504277 is closed.
-    def ensure_partitioned_runner_record_exists
-      self.class.sharded_table_proxy_model.insert_all(
-        [attributes.except('tag_list')], unique_by: [:id, :runner_type],
-        returning: false, record_timestamps: false
-      )
-    end
-
     def predefined_variables
       Gitlab::Ci::Variables::Collection.new
         .append(key: 'CI_RUNNER_ID', value: id.to_s)
@@ -544,10 +528,6 @@ def compute_token_expiration
     def ensure_manager(system_xid)
       # rubocop: disable Performance/ActiveRecordSubtransactionMethods -- This is used only in API endpoints outside of transactions
       RunnerManager.safe_find_or_create_by!(runner_id: id, system_xid: system_xid.to_s) do |m|
-        # Avoid inserting partitioned runner managers that refer to a missing ci_runners partitioned record, since
-        # the backfill is not yet finalized.
-        ensure_partitioned_runner_record_exists
-
         m.runner_type = runner_type
         m.sharding_key_id = sharding_key_id
       end

config/feature_flags/gitlab_com_derisk/fe_search_build_by_name.yml → config/feature_flags/beta/fe_search_build_by_name.yml

@@ -5,5 +5,5 @@ introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/177192
 rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/512149
 milestone: '17.8'
 group: group::pipeline execution
-type: gitlab_com_derisk
+type: beta
 default_enabled: false

config/feature_flags/gitlab_com_derisk/populate_and_use_build_names_table.yml → config/feature_flags/beta/populate_and_use_build_names_table.yml

@@ -2,8 +2,8 @@
 name: populate_and_use_build_names_table
 feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/423904
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147699
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/451594
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/512149
 milestone: '16.11'
 group: group::pipeline execution
-type: gitlab_com_derisk
+type: beta
 default_enabled: false

data/deprecations/17-9-enable-gitlab-advanced-sast-by-default.yml

@@ -0,0 +1,22 @@
+- title: "GitLab Advanced SAST will be enabled by default"
+  removal_milestone: "18.0"
+  announcement_milestone: "17.9"
+  breaking_change: true
+  window: 1
+  reporter: adamcohen
+  stage: application security testing
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/513685
+  impact: medium
+  scope: instance
+  resolution_role: Developer
+  manual_task: true
+  body: |  # (required) Don't change this line.
+    In GitLab 18.0, we will update the [SAST CI/CD templates](https://docs.gitlab.com/ee/user/application_security/sast#stable-vs-latest-sast-templates) to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast) by default in projects with GitLab Ultimate.
+    Before this change, the GitLab Advanced SAST analyzer was enabled only if you set the CI/CD variable `GITLAB_ADVANCED_SAST_ENABLED` to `true`.
+
+    Advanced SAST delivers more accurate results by using cross-file, cross-function scanning and a new ruleset.
+    Advanced SAST takes over coverage for [supported languages](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast#supported-languages) and disables scanning for that language in the previous scanner.
+    An automated process migrates results from previous scanners after the first scan on each project's default branch, if they're still detected.
+
+    Because it scans your project in more detail, Advanced SAST may take more time to scan your project.
+    If needed, you can [disable GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast#disable-gitlab-advanced-sast-scanning) by setting the CI/CD variable `GITLAB_ADVANCED_SAST_ENABLED` to `false`.

db/post_migrate/20250130100818_remove_cloud_connector_keys_from_application_settings_if_exists.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class RemoveCloudConnectorKeysFromApplicationSettingsIfExists < Gitlab::Database::Migration[2.2]
+  milestone '17.9'
+
+  # Follow-up to RemoveCloudConnectorKeysFromApplicationSettings.
+  #
+  # This actually removes a column that was added in a previous migration where we had
+  # to make this a no-op due to a production issue.
+  # See https://gitlab.com/gitlab-com/gl-infra/production/-/issues/19182
+  def up
+    remove_column(:application_settings, :cloud_connector_keys, if_exists: true)
+  end
+
+  def down
+    # no-op since the original migration was turned to a no-op and we don't want to
+    # add this column back. It was never used.
+  end
+end

db/schema_migrations/20250130100818

@@ -0,0 +1 @@
+27a9652609620958c529b36430e45199fcee17abfe6a1893719a7663dd48e508

doc/administration/incoming_email.md

@@ -121,7 +121,7 @@ and use [an application password](https://support.google.com/mail/answer/185833)
 
 If you want to use Office 365, and two-factor authentication is enabled, make sure
 you're using an
-[app password](https://support.microsoft.com/en-us/account-billing/manage-app-passwords-for-two-step-verification-d6dc8c6d-4bf7-4851-ad95-6d07799387e9)
+[app password](https://support.microsoft.com/en-us/account-billing/app-passwords-for-a-work-or-school-account-d6dc8c6d-4bf7-4851-ad95-6d07799387e9)
 instead of the regular password for the mailbox.
 
 To set up a basic Postfix mail server with IMAP access on Ubuntu, follow the
@@ -808,7 +808,7 @@ incoming_email:
 #### Microsoft Graph
 
 GitLab can read incoming email using the Microsoft Graph API instead of
-IMAP. Because [Microsoft is deprecating IMAP usage with Basic Authentication](https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-oauth-2-0-support-for-imap-and-smtp-auth-protocols-in/ba-p/1330432), the Microsoft Graph API is be required for new Microsoft Exchange Online mailboxes.
+IMAP. Because [Microsoft is deprecating IMAP usage with Basic Authentication](https://techcommunity.microsoft.com/blog/exchange/announcing-oauth-2-0-support-for-imap-and-smtp-auth-protocols-in-exchange-online/1330432), the Microsoft Graph API is be required for new Microsoft Exchange Online mailboxes.
 
 To configure GitLab for Microsoft Graph, you need to register an
 OAuth 2.0 application in your Azure Active Directory that has the

doc/administration/load_balancer.md

@@ -128,7 +128,7 @@ Using the `all=1` parameter with the readiness check in GitLab versions 15.4 to
 
 If you are using the [AWS Classic Load Balancer](https://docs.aws.amazon.com/en_en/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html#ssl-ciphers)
 in GitLab 15.0 or later, you must to enable the `AES256-GCM-SHA384` cipher in NGINX.
-See [AES256-GCM-SHA384 SSL cipher no longer allowed by default by NGINX](https://docs.gitlab.com/omnibus/update/gitlab_15_changes.html#aes256-gcm-sha384-ssl-cipher-no-longer-allowed-by-default-by-nginx)
+See [AES256-GCM-SHA384 SSL cipher no longer allowed by default by NGINX](../update/versions/gitlab_15_changes.md#1500)
 for more information.
 
 The default ciphers for a GitLab version can be

doc/administration/object_storage.md

@@ -257,7 +257,7 @@ To set up an instance profile:
 
 When configured either with an instance profile or with the consolidated
 form, GitLab Workhorse properly uploads files to S3
-buckets that have [SSE-S3 or SSE-KMS encryption enabled by default](https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html).
+buckets that have [SSE-S3 or SSE-KMS encryption enabled by default](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html).
 AWS KMS keys and SSE-C encryption are
 [not supported since this requires sending the encryption keys in every request](https://gitlab.com/gitlab-org/gitlab/-/issues/226006).
 
@@ -272,7 +272,7 @@ in the `storage_options` configuration section:
 | Setting                             | Description                              |
 |-------------------------------------|------------------------------------------|
 | `server_side_encryption`            | Encryption mode (`AES256` or `aws:kms`). |
-| `server_side_encryption_kms_key_id` | Amazon Resource Name. Only needed when `aws:kms` is used in `server_side_encryption`. See the [Amazon documentation on using KMS encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html). |
+| `server_side_encryption_kms_key_id` | Amazon Resource Name. Only needed when `aws:kms` is used in `server_side_encryption`. See the [Amazon documentation on using KMS encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html). |
 
 As with the case for default encryption, these options only work when
 the Workhorse S3 client is enabled. One of the following two conditions