16.0 Breaking Changes - Request for additional information

Team @gl-product, we are working to understand the impact of the breaking changes that are coming in 16.0 in partnership with #s_platforms #customer_success and support. PMs, please take a look at the following gdoc (https://docs.google.com/spreadsheets/d/1IPCtaVtCwLEm25AnzpOJIHSbWSZhNJ_SIcKoIvo0faA/edit#gid=0&fvid=133932296)

We have received a significant amount of reports of customers being surprised by breaking changes and our support organization requires better visibility into when changes are being rolled out. We fully understand that this is a suboptimal, manual mitigation. This is necessary to minimize customer disruption and help support handle incoming tickets.

This is because once you merge or flip the feature flag, things will break for customers on SaaS. That is a huge pain point for support because they have no idea when these things happen within the window of 2023-04-22 and approximately 2023-05-17.

Actions to take

• Please update Column B TARGET DATE with the anticipated merge date. I understand that this is an estimate.
• Please update Column C ROLLED OUT once all associated MRs with breaking changes are merged.

This is an urgent request. Please complete the TARGET DATE by 2023–05-03 17:00 UTC and update the ROLLED OUT column as soon as it, well, has been rolled out. Communicating potentially disruptive changes to customers is crucial in the lead up to a major release.

Important dates

For the 16.0 release, please check out gitlab-com/gl-infra/delivery#2924 (closed) for a summary of important dates.

The issue has also a lot of great additional information!

I filtered the doc on my id/stage - how do I get back to the summary view?

I’ve created a filter view that should make returning to the summary view easy if you load the sheet and it only contains one stage. Just apply the filter view back to your results.

Noteable breaking changes by stage (Not a complete list - gdoc is SSOT)

I have tagged the reporters from the gdoc so if you need to take action you should be pinged here. However, some of the reporter information is missing / will be out of date now so please double check your stage and forward to the right person as necessary.

Plan / Manage

• No Reporter
• @Andysoiron
• @adil.farrukh
• @hsutor
• @hsnir1
• @nicolasdular
• @m_frankiewicz

• environment_tier parameter for DORA API
• GraphQL field confidential changed to internal on notes
• Limit personal access token and deploy token's access with external authorization
• Test system hook endpoint
• Developer role providing the ability to import projects to a group
• Cookie authorization in the GitLab for Jira Cloud app
• Rake task for importing bare repositories
• GitLab.com importer
• Shimo integration
• ZenTao integration
• The Phabricator task importer is deprecated
• Non-expiring access tokens
• Atlassian Crowd OmniAuth provider pushed to %17.0
• CAS OmniAuth provider
• Jira GitHub Enterprise DVCS integration

Create

• @tlinz
  • Remove approvals_before_merge/approvals_require... (gitlab-org/gitlab#353097 - closed)
• @phikai / @mnohr
• Legacy URLs replaced or removed
• Approvers and Approver Group fields in Merge Request Approval API
• Single merge request changes API endpoint
• merge_status API field
• Toggle behavior of /draft quick action in merge requests
• merged_by API field
• Changing merge request approvals with the /approvals API endpoint

Verify

• @dhershkovitch
• @jreporter
• @tschmitke
• @ratchade
• @pedropombeiro
• @vshushlin

• HashiCorp Vault integration will no longer use CI_JOB_JWT by default. Affects customers using Vault integration. Each project with a Vault integration will need to modify the CI file.
  • Any projects that use the secrets:vault keyword to retrieve secrets from Vault will need to be configured to use ID tokens.
  • TODO: Develop script to analyze/modify each project ci file
• Toggle notes confidentiality on APIs
• Remove offset pagination from Jobs API
• Trigger jobs can mirror downstream pipeline status exactly
• Default CI/CD job token (CI_JOB_TOKEN) scope changed
• Enforced validation of CI/CD parameter character lengths
• Required Pipeline Configuration is deprecated
• Old versions of JSON web tokens are deprecated
• CI/CD jobs will fail when no secret is returned from Hashicorp Vault
• GraphQL: The DISABLED_WITH_OVERRIDE value of the SharedRunnersSetting enum is deprecated. Use DISABLED_AND_OVERRIDABLE instead
• POST ci/lint API endpoint deprecated
• Configuration fields in GitLab Runner Helm Chart
• Maximum number of active pipelines per project limit (ci_active_pipelines)
• Remove job_age parameter from POST /jobs/request Runner endpoint
• REST API Runner maintainer_note
• CiCdSettingsUpdate mutation renamed to ProjectCiCdSettingsUpdate
• GraphQL API legacyMode argument for Runner status
• GraphQL API Runner will not accept status filter values of active or paused
• CI_BUILD_* predefined variables
• REST and GraphQL API Runner usage of active replaced by paused
• GraphQL API Runner status will not return paused

Secure

• @gonzoyumo
• @connorgilbert
• @sam.white
• @derekferguson

• License Compliance CI Template
• Dependency Scanning support for Java 13, 14, 15, and 16
• Container Scanning variables that reference Docker
• Starboard directive in the config for the GitLab Agent for Kubernetes
• The change in behavior for the SAST_DISABLED and other vars disabling scanners is huge and will have a positive impact for compliance enforcement; up to this point there was no ability to prevent projects from using these vars to bypass security scans mandated by a compliance pipeline or scan execution policy. This change doesn’t fully resolve that, but it opens the ability for true enforcement with some additional CI template modifications.
• SAST analyzer coverage changing in GitLab 16.0
• DAST API variables
• DAST ZAP advanced configuration variables deprecation
• DAST report variables deprecation
• DAST API scans using DAST template is deprecated
• Use of id field in vulnerabilityFindingDismiss mutation
• Security report schemas version 14.x.x
• project.pipeline.securityReportFindings GraphQL query
• PipelineSecurityReportFinding projectFingerprint GraphQL field
• PipelineSecurityReportFinding name GraphQL field

Package

• @trizzi

• Azure Storage Driver defaults to the correct root prefix
• Maintainer role providing the ability to change Package settings using GraphQL API
• Conan project-level search endpoint returns project-specific results
• Container Registry pull-through cache
• Support for third party registries
• Package pipelines in API payload is paginated

Release

• @ahmed.hemdan
• @cbalane

• External field in GraphQL ReleaseAssetLink type
• External field in Releases and Release Links APIs
• Projects API field operations_access_level is deprecated
• Deployment API returns error when updated_at and updated_at are not used together

Configure

• @tigerwnz

• @nagyv-gitlab

• @timofurrer

• Auto DevOps no longer provisions a PostgreSQL database by default

  • Low impact - changes default behavior - customers can still opt in

• The API no longer returns revoked tokens for the agent for Kubernetes

• The latest Terraform templates will overwrite current stable templates

• KAS Metrics Port in GitLab Helm Chart

• Support for periods (.) in Terraform state names might break existing states

Monitor

• @kbychu

• Embedding Grafana panels in Markdown is deprecated
• Error Tracking UI in GitLab Rails is deprecated
• Embedding Grafana panels in Markdown is removed
• GitLab self-monitoring project
• Monitor performance metrics through Prometheus

Govern

• @sam.white

• @abellucci

• License-Check and the Policies tab on the License Compliance page

• Managed Licenses API

• vulnerabilityFindingDismiss GraphQL mutation

• Vulnerability confidence field

Enablement

• @tnir

• @rogerwoo

• @lohrc

• @arturoherrero

• Null value for private_profile attribute in User API is deprecated

• Option to delete projects immediately is deprecated from deletion protection settings

• Redis 5 deprecated

• PostgreSQL 12 deprecated

Gitaly

• @mjwood

• Support for Praefect custom metrics endpoint configuration

• Legacy Praefect configuration method

• Deprecate legacy Gitaly configuration methods

• Deprecate Gitaly legacy config

Platforms

• @jacobvosmaer-gitlab @rnienaber
• @lmcandrew

• Configuring Redis config file paths using environment variables is deprecated
• Non-standard default Redis ports are deprecated

Breaking changes spreadsheet

https://docs.google.com/spreadsheets/d/1IPCtaVtCwLEm25AnzpOJIHSbWSZhNJ_SIcKoIvo0faA/edit#gid=0

/cc @lyle @mbruemmer @fzimmer @justinfarris @oheigre @lstahlman @rachel_fuerst

Please leave any feedback you have to this issue as a comment - tag @swiskow or @fzimmer so we see it