.codeclimate.yml

@@ -9,11 +9,6 @@ engines:
       - ruby
   fixme:
     enabled: true
-  rubocop:
-    enabled: true
 exclude_paths:
-- spec/
-- lib/vendor/
-- go/vendor/
 - tmp/
 - coverage/

.gitignore

-config.yml
-tmp/*
-.idea
 *.log
-/*.log*
-authorized_keys.lock
-coverage/
-.gitlab_shell_secret
+*.swp
+.DS_Store
+.GOPATH
 .bundle
-tags
 .bundle/
+.gitlab_shell_secret
+.idea
+/*.log*
+/bin/*
+/gl-code-quality-report.json
+/go_build
+/support/bin/golangci-*
+/support/bin/gotestsum-*
+authorized_keys.lock
+config.yml
+cover.out
+cover.xml
 custom_hooks
 hooks/*.d
-/go_build
-/bin/gitlab-shell
-/bin/gitaly-upload-pack
-/bin/gitaly-receive-pack
-/bin/gitaly-upload-archive
+tags
+tmp/*
+vendor

.gitlab-ci.yml

-image: "ruby:2.3"
+include:
+  - template: Code-Quality.gitlab-ci.yml
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Security/Dependency-Scanning.gitlab-ci.yml
+  - template: Security/Secret-Detection.gitlab-ci.yml
+  - component: ${CI_SERVER_FQDN}/gitlab-org/components/danger-review/danger-review@2.0.0
+  - component: ${CI_SERVER_FQDN}/components/code-intelligence/golang-code-intel@v0.1.2
+    inputs:
+      golang_version: ${GO_VERSION}
+      stage: post-test
 
-before_script:
-  - export PATH=~/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/go/bin
-  - gem install --bindir /usr/local/bin bundler
-  - cp config.yml.example config.yml
-  - bundle install
+stages:
+  - prepare
+  - lint
+  - test
+  - post-test
 
-.rspec_definition: &rspec_definition
-  script:
-    # Skip the experimental Golang wrapper in the Ruby specs. These are now
-    # primarily regression tests for particular versions of Ruby.
-    #
-    # The full rspec suite is also run against each suppported golang version
-    - cp bin/gitlab-shell-ruby bin/gitlab-shell
-    - bundle exec rspec --color --format d spec
-
-rspec:
-  <<: *rspec_definition
-  tags:
-    - ruby
-  except:
-    - tags
+variables:
+  FF_USE_FASTZIP: 'true'
+  TRANSFER_METER_FREQUENCY: "1s"
+  DOCKER_VERSION: "20.10.15"
+  BUNDLE_FROZEN: "true"
+  GO_VERSION: "1.23"
+  GOPATH: $CI_PROJECT_DIR/.GOPATH
+  DEBIAN_VERSION: "bookworm"
+  RUBY_VERSION: "3.2.5"
+  BUNDLE_PATH: vendor/ruby
+  POLICY: pull
+  CI_DEBUG_SERVICES: 'true'
+  RUST_VERSION: "1.73"
+  UBI_VERSION: "8.6"
+  IMAGE_TAG: "rubygems-3.5-git-2.45-exiftool-12.60"
+  GITLAB_ADVANCED_SAST_ENABLED: 'true'
 
-rubocop:
-  script:
-    - bundle exec rubocop
-  tags:
-    - ruby
-  except:
-    - tags
-
-#ruby 2.2
-rspec:ruby2.2:
-  image: ruby:2.2
-  <<: *rspec_definition
+workflow:
+  rules: &workflow_rules
+    # For merge requests, create a pipeline.
+    - if: '$CI_MERGE_REQUEST_IID'
+    # For `main` branch, create a pipeline (this includes on schedules, pushes, merges, etc.).
+    - if: '$CI_COMMIT_BRANCH == "main"'
+    # For tags, create a pipeline.
+    - if: '$CI_COMMIT_TAG'
+
+.rules:go-changes:
+  rules:
+    - changes:
+        - 'go.mod'
+        - 'go.sum'
+        - '**/*.go'
+
+default:
+  image: registry.gitlab.com/gitlab-org/gitlab-build-images/debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}-golang-${GO_VERSION}-rust-${RUST_VERSION}:${IMAGE_TAG}
   tags:
-    - ruby
-  except:
-    - tags
-
-#ruby 2.1
-rspec:ruby2.1:
-  image: ruby:2.1
-  <<: *rspec_definition
+    - gitlab-org
+
+.use-docker-in-docker:
+  image: docker:${DOCKER_VERSION}
+  services:
+    - docker:${DOCKER_VERSION}-dind
   tags:
-    - ruby
-  except:
-    - tags
+    # See https://gitlab.com/gitlab-com/www-gitlab-com/-/issues/7019 for tag descriptions
+    - gitlab-org-docker
 
-.go: &go_definition
-  before_script:
-  - apt-get update -qq && apt-get install -y ruby ruby-dev
-  - ruby -v
-  - export PATH=~/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/go/bin
-  - gem install --bindir /usr/local/bin bundler
-  - cp config.yml.example config.yml
-  - bundle install
+.cached-go: &cached_go
+  - key:
+      prefix: "golang-${GO_VERSION}-cache"
+      files:
+        - go.mod
+        - go.sum
+    policy: $POLICY
+    paths:
+      - .GOPATH/pkg/mod/
+
+.cached-ruby: &cached_ruby
+  - key:
+      prefix: "ruby-${RUBY_VERSION}-cache"
+      files:
+        - Gemfile.lock
+    policy: $POLICY
+    paths:
+      - ${BUNDLE_PATH}
+
+.cached-go-job:
+  variables:
+    CACHE_COMPRESSION_LEVEL: "fastest"
+  cache:
+    - *cached_go
+
+.cached-ruby-job:
+  cache:
+    - *cached_ruby
+
+.cached-job:
+  cache:
+    - *cached_go
+    - *cached_ruby
+
+.go-matrix-job:
+  parallel:
+    matrix:
+      - GO_VERSION: ["1.22", "1.23"]
+
+################################################################################
+# Prepare jobs
+################################################################################
+
+bundle:install:
+  stage: prepare
+  extends: .cached-ruby-job
+  variables:
+    POLICY: pull-push
+  script:
+    - bundle install --jobs $(nproc)
+
+modules:download:
+  stage: prepare
+  extends:
+    - .cached-go-job
+    - .go-matrix-job
+  variables:
+    POLICY: pull-push
   script:
+    - go mod download
+
+################################################################################
+# Test jobs
+################################################################################
+
+.test-job:
+  needs: ['bundle:install', 'modules:download']
+  rules: !reference [".rules:go-changes", rules]
+  variables:
+    GITALY_CONNECTION_INFO: '{"address":"tcp://gitaly:8075", "storage":"default"}'
+  before_script:
+    # Set up the environment to run integration tests (still written in Ruby)
+    - make build
+    - cp config.yml.example config.yml
     - go version
     - which go
-    - bin/compile
-    - support/go-test
-    - support/go-format check
-    # Run the full Ruby test suite in the "go" tests. As more functionality is
-    # migrated into these tests and out of Ruby, the amount of work here will
-    # reduce
-    - bundle exec rspec --color --format d spec
-
-go:1.9:
-  <<: *go_definition
-  image: golang:1.9
-
-go:1.10:
-  <<: *go_definition
-  image: golang:1.10
-
-go:1.11:
-  <<: *go_definition
-  image: golang:1.10
-
-codequality:
-  image: docker:stable
-  variables:
-    DOCKER_DRIVER: overlay2
-  allow_failure: true
   services:
-    - docker:stable-dind
-  before_script: []
+    - name: registry.gitlab.com/gitlab-org/build/cng/gitaly:master
+      # Disable the hooks so we don't have to stub the GitLab API
+      command: ["bash", "-c", "mkdir -p /home/git/repositories && rm -rf /srv/gitlab-shell/hooks/* && touch /srv/gitlab-shell/.gitlab_shell_secret && exec /usr/bin/env GITALY_TESTING_NO_GIT_HOOKS=1 /scripts/process-wrapper"]
+      alias: gitaly
+
+tests:
+  extends:
+    - .cached-job
+    - .go-matrix-job
+    - .test-job
   script:
-    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
-    - docker run
-        --env SOURCE_CODE="$PWD"
-        --volume "$PWD":/code
-        --volume /var/run/docker.sock:/var/run/docker.sock
-        "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code
+    - make verify test_fancy
+  after_script:
+    - make coverage
+  coverage: '/\d+.\d+%/'
   artifacts:
-    paths: [codeclimate.json]
+    when: always
+    paths:
+      - cover.xml
+    reports:
+      junit: cover.xml
 
+tests_without_cgo:
+  extends:
+    - .cached-job
+    - .go-matrix-job
+    - .test-job
+  variables:
+    CGO_ENABLED: 0
+  script:
+    - make verify test_fancy
 
-sast:
-  image: docker:stable
+tests:fips:
+  image: registry.gitlab.com/gitlab-org/gitlab-build-images/ubi-${UBI_VERSION}-ruby-${RUBY_VERSION}-golang-${GO_VERSION}-rust-${RUST_VERSION}:${IMAGE_TAG}
+  extends:
+    - .cached-job
+    - .test-job
   variables:
-    DOCKER_DRIVER: overlay2
-  allow_failure: true
-  services:
-    - docker:stable-dind
-  before_script: []
+    FIPS_MODE: 1
   script:
-    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
-    - docker run
-        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
-        --volume "$PWD:/code"
-        --volume /var/run/docker.sock:/var/run/docker.sock
-        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
-  artifacts:
-    paths: [gl-sast-report.json]
+    - make test_fancy
+
+race:
+  extends:
+    - .cached-go-job
+    - .go-matrix-job
+    - .test-job
+  script:
+    - make test_golang_race
+
+code_quality:
+  stage: lint
+  extends: .use-docker-in-docker
+  rules: *workflow_rules
+
+# SAST
+semgrep-sast:
+  stage: lint
+  rules: *workflow_rules
 
-dependency_scanning:
-  image: docker:stable
+gitlab-advanced-sast:
+  stage: lint
+  rules: *workflow_rules
+
+# Dependency Scanning
+gemnasium-dependency_scanning:
+  stage: lint
+  rules: *workflow_rules
+
+# Secret Detection
+secret_detection:
+  stage: lint
+  rules: *workflow_rules
+
+build-package-and-qa:
+  stage: post-test
+  trigger:
+    project: 'gitlab-org/build/omnibus-gitlab-mirror'
+    branch: 'master'
+    strategy: depend
+  inherit:
+    variables: false
   variables:
-    DOCKER_DRIVER: overlay2
-  allow_failure: true
-  services:
-    - docker:stable-dind
-  before_script: []
+    GITLAB_SHELL_VERSION: $CI_MERGE_REQUEST_SOURCE_BRANCH_SHA
+    TOP_UPSTREAM_SOURCE_PROJECT: $CI_PROJECT_PATH
+    TOP_UPSTREAM_SOURCE_REF: $CI_COMMIT_REF_NAME
+    TOP_UPSTREAM_SOURCE_JOB: $CI_JOB_URL
+    ee: "true"
+  rules:
+    # For MRs that change dependencies, we want to automatically ensure builds
+    # aren't broken. In such cases, we don't want the QA tests to be run
+    # automatically, but still available for developers to manually run.
+    - if: '$CI_MERGE_REQUEST_IID'
+      changes:
+        - go.sum
+      variables:
+        BUILD_ON_ALL_OS: "true"
+        MANUAL_QA_TEST: "true"
+      allow_failure: false
+    # For other MRs, we still provide this job as a manual job for developers
+    # to obtain a package for testing and run QA tests.
+    - if: '$CI_MERGE_REQUEST_IID'
+      when: manual
+      allow_failure: true
+  needs: []
+
+modules:tidy:
+  stage: lint
+  needs: ['modules:download']
   script:
-    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
-    - docker run
-        --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
-        --volume "$PWD:/code"
-        --volume /var/run/docker.sock:/var/run/docker.sock
-        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
+    - go mod tidy
+    - git diff --exit-code go.mod go.sum
+
+lint:
+  stage: lint
+  script:
+    # Write the code coverage report to gl-code-quality-report.json
+    # and print linting issues to stdout in the format: path/to/file:line description
+    # remove `--issues-exit-code 0` or set to non-zero to fail the job if linting issues are detected
+    - apt update && apt install -y jq
+    - make lint GOLANGCI_LINT_ARGS="--out-format code-climate:gl-code-quality-report-temp.json,line-number"
+    - cat gl-code-quality-report-temp.json | jq '[ .[] | select(.severity == "warning").severity |= "minor" ]' > gl-code-quality-report.json
+    - rm -f gl-code-quality-report-temp.json
   artifacts:
-    paths: [gl-dependency-scanning-report.json]
+    reports:
+      codequality: gl-code-quality-report.json
+    paths:
+      - gl-code-quality-report.json
+
+nilaway:
+  stage: lint
+  rules: !reference [".rules:go-changes", rules]
+  before_script:
+    - go install go.uber.org/nilaway/cmd/nilaway@latest
+  script:
+    - ${GOPATH}/bin/nilaway ./... > /tmp/out.txt 2>&1 || true
+    - cat /tmp/out.txt
+  allow_failure: true

.gitlab/CODEOWNERS

+# https://gitlab.com/groups/gitlab-org/maintainers/gitlab-shell/-/group_members?with_inherited_permissions=exclude
+* @gitlab-org/maintainers/gitlab-shell
+
+[Documentation] @gl-docsteam
+*.md 
+/doc/

.golangci.yml

+# This file contains all available configuration options
+# with their default values.
+
+# options for analysis running
+run:
+  # default concurrency is a available CPU number
+  # concurrency: 4
+
+  # timeout for analysis, e.g. 30s, 5m, default is 1m
+  timeout: 30m
+
+  # exit code when at least one issue was found, default is 1
+  issues-exit-code: 1
+
+  # include test files or not, default is true
+  tests: true
+
+  # list of build tags, all linters use it. Default is empty list.
+  # build-tags:
+  #   - mytag
+
+  # which dirs to skip: issues from them won't be reported;
+  # can use regexp here: generated.*, regexp is applied on full path;
+  # default value is empty list, but default dirs are skipped independently
+  # from this option's value (see skip-dirs-use-default).
+  # skip-dirs:
+  #   - src/external_libs
+  #   - autogenerated_by_my_lib
+
+  # which files to skip: they will be analyzed, but issues from them
+  # won't be reported. Default value is empty list, but there is
+  # no need to include all autogenerated files, we confidently recognize
+  # autogenerated files. If it's not please let us know.
+  # skip-files:
+  #   - ".*\\.my\\.go$"
+  #   - lib/bad.go
+
+  # by default isn't set. If set we pass it to "go list -mod={option}". From "go help modules":
+  # If invoked with -mod=readonly, the go command is disallowed from the implicit
+  # automatic updating of go.mod described above. Instead, it fails when any changes
+  # to go.mod are needed. This setting is most useful to check that go.mod does
+  # not need updates, such as in a continuous integration and testing system.
+  # If invoked with -mod=vendor, the go command assumes that the vendor
+  # directory holds the correct copies of dependencies and ignores
+  # the dependency descriptions in go.mod.
+  # modules-download-mode: readonly|release|vendor
+
+# output configuration options
+output:
+  # colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number"
+  formats:
+    - format: line-number
+
+  # print lines of code with issue, default is true
+  print-issued-lines: true
+
+  # print linter name in the end of issue text, default is true
+  print-linter-name: true
+
+  sort-results: true
+
+# all available settings of specific linters
+linters-settings:
+  errcheck:
+    # report about not checking of errors in type assetions: `a := b.(MyStruct)`;
+    # default is false: such cases aren't reported by default.
+    check-type-assertions: false
+
+    # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
+    # default is false: such cases aren't reported by default.
+    check-blank: false
+
+    # [deprecated] comma-separated list of pairs of the form pkg:regex
+    # the regex is used to ignore names within pkg. (default "fmt:.*").
+    # see https://github.com/kisielk/errcheck#the-deprecated-method for details
+    # ignore: fmt:.*,io/ioutil:^Read.*
+    ignore: ''
+
+    # path to a file containing a list of functions to exclude from checking
+    # see https://github.com/kisielk/errcheck#excluding-functions for details
+    # exclude: /path/to/file.txt
+
+  # Disable error checking, as errorcheck detects more errors and is more configurable.
+  gosec:
+    exclude:
+    - "G104"
+
+  funlen:
+    lines: 60
+    statements: 40
+
+  govet:
+    # report about shadowed variables
+    enable:
+      - shadow
+
+    # settings per analyzer
+    settings:
+      printf: # analyzer name, run `go tool vet help` to see all analyzers
+        funcs: # run `go tool vet help printf` to see available settings for `printf` analyzer
+          - (github.com/golangci/golangci-lint/pkg/logutils.Log).Infof
+          - (github.com/golangci/golangci-lint/pkg/logutils.Log).Warnf
+          - (github.com/golangci/golangci-lint/pkg/logutils.Log).Errorf
+          - (github.com/golangci/golangci-lint/pkg/logutils.Log).Fatalf
+
+    # enable or disable analyzers by name
+    # enable:
+    #   - atomicalign
+    # enable-all: false
+    # disable:
+    #   - shadow
+    # disable-all: false
+  gofmt:
+    # simplify code: gofmt with `-s` option, true by default
+    simplify: true
+  goimports:
+    # put imports beginning with prefix after 3rd-party packages;
+    # it's a comma-separated list of prefixes
+    # local-prefixes: github.com/org/project
+  gocyclo:
+    # minimal code complexity to report, 30 by default (but we recommend 10-20)
+    min-complexity: 30
+  gocognit:
+    # minimal code complexity to report, 30 by default (but we recommend 10-20)
+    min-complexity: 20
+  maligned:
+    # print struct with more effective memory layout or not, false by default
+    suggest-new: true
+  dupl:
+    # tokens count to trigger issue, 150 by default
+    threshold: 100
+  goconst:
+    # minimal length of string constant, 3 by default
+    min-len: 3
+    # minimal occurrences count to trigger, 3 by default
+    min-occurrences: 3
+  depguard:
+    rules:
+      test:
+        files:
+          - $test
+        allow:
+          - $gostd
+          - github.com/stretchr/testify
+          - gitlab.com/gitlab-org/gitlab-shell
+          - gitlab.com/gitlab-org/labkit
+          - gitlab.com/gitlab-org/gitaly
+          - github.com/prometheus/client_golang/prometheus
+          - github.com/pires/go-proxyproto
+          - github.com/otiai10/copy
+          - github.com/hashicorp/go-retryablehttp
+          - github.com/golang-jwt/jwt
+          - github.com/mikesmitty/edkey
+          - github.com/sirupsen/logrus
+          - github.com/grpc-ecosystem/go-grpc-prometheus
+          - github.com/mattn/go-shellwords
+
+  #   list-type: blacklist
+  #   include-go-root: false
+  #   packages:
+  #     - github.com/sirupsen/logrus
+  #   packages-with-error-messages:
+  #     # specify an error message to output when a blacklisted package is used
+  #     github.com/sirupsen/logrus: "logging is allowed only by logutils.Log"
+  misspell:
+    # Correct spellings using locale preferences for US or UK.
+    # Default is to use a neutral variety of English.
+    # Setting locale to US will correct the British spelling of 'colour' to 'color'.
+    locale: US
+    ignore-words:
+      - GitLab
+  lll:
+    # max line length, lines longer will be reported. Default is 120.
+    # '\t' is counted as 1 character by default, and can be changed with the tab-width option
+    line-length: 120
+    # tab width in spaces. Default to 1.
+    tab-width: 1
+  unused:
+    # treat code as a program (not a library) and report unused exported identifiers; default is false.
+    # XXX: if you enable this setting, unused will report a lot of false-positives in text editors:
+    # if it's called for subdir of a project it can't find funcs usages. All text editor integrations
+    # with golangci-lint call it on a directory with the changed file.
+    check-exported: false
+  unparam:
+    # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
+    # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
+    # if it's called for subdir of a project it can't find external interfaces. All text editor integrations
+    # with golangci-lint call it on a directory with the changed file.
+    check-exported: false
+  nakedret:
+    # make an issue if func has more lines of code than this setting and it has naked returns; default is 30
+    max-func-lines: 30
+  prealloc:
+    # XXX: we don't recommend using this linter before doing performance profiling.
+    # For most programs usage of prealloc will be a premature optimization.
+
+    # Report preallocation suggestions only on simple loops that have no returns/breaks/continues/gotos in them.
+    # True by default.
+    simple: true
+    range-loops: true # Report preallocation suggestions on range loops, true by default
+    for-loops: false # Report preallocation suggestions on for loops, false by default
+  gocritic:
+    # Which checks should be enabled; can't be combined with 'disabled-checks';
+    # See https://go-critic.github.io/overview#checks-overview
+    # To check which checks are enabled run `GL_DEBUG=gocritic golangci-lint run`
+    # By default list of stable checks is used.
+    # enabled-checks:
+    #   - rangeValCopy
+
+    # Which checks should be disabled; can't be combined with 'enabled-checks'; default is empty
+    # disabled-checks:
+    #   - regexpMust
+
+    # Enable multiple checks by tags, run `GL_DEBUG=gocritic golangci-lint run` to see all tags and checks.
+    # Empty list by default. See https://github.com/go-critic/go-critic#usage -> section "Tags".
+    # enabled-tags:
+    #   - performance
+
+    settings: # settings passed to gocritic
+      captLocal: # must be valid enabled check name
+        paramsOnly: true
+    # rangeValCopy:
+    #   sizeThreshold: 32
+  godox:
+    # report any comments starting with keywords, this is useful for TODO or FIXME comments that
+    # might be left in the code accidentally and should be resolved before merging
+    keywords: # default keywords are TODO, BUG, and FIXME, these can be overwritten by this setting
+      - TODO
+      - BUG
+      - FIXME
+      - NOTE
+      - OPTIMIZE # marks code that should be optimized before merging
+      - HACK # marks hack-arounds that should be removed before merging
+  dogsled:
+    # checks assignments with too many blank identifiers; default is 2
+    max-blank-identifiers: 2
+
+  whitespace:
+    multi-if: false   # Enforces newlines (or comments) after every multi-line if statement
+    multi-func: false # Enforces newlines (or comments) after every multi-line function signature
+  wsl:
+    # If true append is only allowed to be cuddled if appending value is
+    # matching variables, fields or types on line above. Default is true.
+    strict-append: true
+    # Allow calls and assignments to be cuddled as long as the lines have any
+    # matching variables, fields or types. Default is true.
+    allow-assign-and-call: true
+    # Allow multiline assignments to be cuddled. Default is true.
+    allow-multiline-assign: true
+    # Allow declarations (var) to be cuddled.
+    allow-cuddle-declarations: false
+    # Allow trailing comments in ending of blocks
+    allow-trailing-comment: false
+    # Force newlines in end of case at this limit (0 = never).
+    force-case-trailing-whitespace: 0
+
+linters:
+  # please, do not use `enable-all`: it's deprecated and will be removed soon.
+  # inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint
+  disable-all: true
+  enable:
+    - bodyclose
+    - copyloopvar
+    - depguard
+    - dogsled
+    - dupl
+    - errcheck
+    - funlen
+    - gocognit
+    - goconst
+    - gocritic
+    - godox
+    - gofmt
+    - goimports
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - misspell
+    - nakedret
+    - revive
+    - staticcheck
+    - stylecheck
+    - testifylint
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - whitespace
+  # don't enable:
+  # - deadcode
+  # - gochecknoglobals
+  # - gochecknoinits
+  # - gocyclo
+  # - lll
+  # - maligned
+  # - prealloc
+  # - varcheck
+
+issues:
+  # List of regexps of issue texts to exclude, empty list by default.
+  # But independently from this option we use default exclude patterns,
+  # it can be disabled by `exclude-use-default: false`. To list all
+  # excluded by default patterns execute `golangci-lint run --help`
+  # exclude:
+  #   - abcdef
+
+  # Excluding configuration per-path, per-linter, per-text and per-source
+  exclude-rules:
+    # Exclude some linters from running on tests files.
+    - path: _test\.go
+      linters:
+        - gocyclo
+        - errcheck
+        - dupl
+        - gosec
+        - funlen
+
+    # Exclude known linters from partially hard-vendored code,
+    # which is impossible to exclude via "nolint" comments.
+    # - path: internal/hmac/
+    #   text: "weak cryptographic primitive"
+    #   linters:
+    #     - gosec
+
+    # Exclude some staticcheck messages
+    # - linters:
+    #     - staticcheck
+    #   text: "SA9003:"
+
+    # Exclude lll issues for long lines with go:generate
+    - linters:
+        - lll
+      source: "^//go:generate "
+
+  # Independently from option `exclude` we use default exclude patterns,
+  # it can be disabled by this option. To list all
+  # excluded by default patterns execute `golangci-lint run --help`.
+  # Default value for this option is true.
+  exclude-use-default: false
+
+  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
+  max-issues-per-linter: 0
+
+  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
+  max-same-issues: 0
+
+  # Show only new issues: if there are unstaged changes or untracked files,
+  # only those changes are analyzed, else only changes in HEAD~ are analyzed.
+  # It's a super-useful option for integration of golangci-lint into existing
+  # large codebase. It's not practical to fix all existing issues at the moment
+  # of integration: much better don't allow issues in new code.
+  # Default is false.
+  new: false
+
+  # Show only new issues created after git revision `REV`
+  # This should be passed as flag during individual CI jobs.
+  # new-from-rev: REV
+
+  # Show only new issues created in git patch with set file path.
+  # new-from-patch: path/to/patch/file
+
+  # default is true. Enables skipping of directories:
+  #   vendor$, third_party$, testdata$, examples$, Godeps$, builtin$
+  exclude-dirs-use-default: true

.rubocop.yml

-# Exclude some of GitLab files
-AllCops:
-  Exclude:
-    - 'spec/**/*'
-    - 'vendor/**/*'
-    - 'tmp/**/*'
-    - 'bin/**/*'
-    - 'hooks/**/*'
-    - 'Guardfile'
-
-Layout/DotPosition:
-  Enabled: false
-
-Lint/AmbiguousBlockAssociation:
-  Enabled: false
-
-Metrics/LineLength:
-  Enabled: false
-
-Metrics/MethodLength:
-  Enabled: false
-
-Metrics/BlockLength:
-  Enabled: false
-
-Metrics/ParameterLists:
-  Enabled: false
-
-Metrics/AbcSize:
-  Enabled: false
-
-Metrics/CyclomaticComplexity:
-  Enabled: false
-
-Metrics/PerceivedComplexity:
-  Enabled: false
-
-Style/Documentation:
-  Enabled: false
-
-Style/StringLiterals:
-  Enabled: false
-
-Style/StringLiterals:
-  Enabled: false
-
-Style/GlobalVars:
-  Enabled: false
-
-Style/AccessorMethodName:
-  Enabled: false
-
-Style/GuardClause:
-  Enabled: false
-
-Style/RescueModifier:
-  Enabled: false
-
-Style/PercentLiteralDelimiters:
-  Enabled: false
-
-Style/IfUnlessModifier:
-  Enabled: false
-
-Style/RegexpLiteral:
-  Enabled: false
-
-Style/SpecialGlobalVars:
-  Enabled: false
-
-Style/FrozenStringLiteralComment:
-  Enabled: false

.ruby-version

-2.3.7
+3.3.7

.tool-versions

+ruby 3.4.2
+golang 1.24.1

CONTRIBUTING.md

@@ -6,10 +6,10 @@ all contributions. By participating in this project, you agree to abide by the
 
 ## Developer Certificate of Origin + License
 
-By contributing to GitLab B.V., You accept and agree to the following terms and
-conditions for Your present and future Contributions submitted to GitLab B.V.
-Except for the license granted herein to GitLab B.V. and recipients of software
-distributed by GitLab B.V., You reserve all right, title, and interest in and to
+By contributing to GitLab Inc., You accept and agree to the following terms and
+conditions for Your present and future Contributions submitted to GitLab Inc.
+Except for the license granted herein to GitLab Inc. and recipients of software
+distributed by GitLab Inc., You reserve all right, title, and interest in and to
 Your Contributions. All Contributions are subject to the following DCO + License
 terms.
 

Dangerfile

+# frozen_string_literal: true
+
+require 'gitlab-dangerfiles'
+
+Gitlab::Dangerfiles.for_project(self) do |gitlab_dangerfiles|
+  gitlab_dangerfiles.import_plugins
+
+  gitlab_dangerfiles.import_dangerfiles(except: %w[changelog commit_messages])
+end

Gemfile

 source 'https://rubygems.org'
 
 group :development, :test do
-  gem 'listen', '~> 0.5.0'
-  gem 'rspec', '~> 3.8.0'
-  gem 'rspec-parameterized', '~> 0.4.0'
-  gem 'rubocop', '0.49.1', require: false
-  gem 'simplecov', '~> 0.9.0', require: false
-  gem 'vcr', '~> 4.0.0'
-  gem 'webmock', '~> 3.4.0'
+  gem 'base64', '~> 0.2.0'
+  gem 'rspec', '~> 3.13.0'
+  gem 'webrick', '~> 1.9', '>= 1.9.1'
+end
+
+group :development, :danger do
+  gem 'gitlab-dangerfiles', '~> 4.8.1'
 end

Gemfile.lock

 GEM
   remote: https://rubygems.org/
   specs:
-    abstract_type (0.0.7)
-    adamantium (0.2.0)
-      ice_nine (~> 0.11.0)
-      memoizable (~> 0.4.0)
-    addressable (2.5.2)
-      public_suffix (>= 2.0.2, < 4.0)
-    ast (2.4.0)
-    binding_of_caller (0.8.0)
-      debug_inspector (>= 0.0.1)
-    coderay (1.1.2)
-    concord (0.1.5)
-      adamantium (~> 0.2.0)
-      equalizer (~> 0.0.9)
-    crack (0.4.3)
-      safe_yaml (~> 1.0.0)
-    debug_inspector (0.0.3)
-    diff-lcs (1.3)
-    docile (1.1.5)
-    equalizer (0.0.11)
-    hashdiff (0.3.7)
-    ice_nine (0.11.2)
-    listen (0.5.3)
-    memoizable (0.4.2)
-      thread_safe (~> 0.3, >= 0.3.1)
-    multi_json (1.13.1)
-    parallel (1.12.1)
-    parser (2.5.1.2)
-      ast (~> 2.4.0)
-    powerpack (0.1.2)
-    proc_to_ast (0.1.0)
-      coderay
-      parser
-      unparser
-    procto (0.0.3)
-    public_suffix (3.0.3)
-    rainbow (2.2.2)
-      rake
-    rake (12.3.1)
-    rspec (3.8.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.1)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
+    base64 (0.2.0)
+    bigdecimal (3.1.9)
+    claide (1.1.0)
+    claide-plugins (0.9.2)
+      cork
+      nap
+      open4 (~> 1.3)
+    colored2 (3.1.2)
+    cork (0.3.0)
+      colored2 (~> 3.1)
+    csv (3.3.2)
+    danger (9.4.3)
+      claide (~> 1.0)
+      claide-plugins (>= 0.9.2)
+      colored2 (~> 3.1)
+      cork (~> 0.1)
+      faraday (>= 0.9.0, < 3.0)
+      faraday-http-cache (~> 2.0)
+      git (~> 1.13)
+      kramdown (~> 2.3)
+      kramdown-parser-gfm (~> 1.0)
+      no_proxy_fix
+      octokit (>= 4.0)
+      terminal-table (>= 1, < 4)
+    danger-gitlab (8.0.0)
+      danger
+      gitlab (~> 4.2, >= 4.2.0)
+    diff-lcs (1.5.1)
+    faraday (2.9.2)
+      faraday-net_http (>= 2.0, < 3.2)
+    faraday-http-cache (2.5.1)
+      faraday (>= 0.8)
+    faraday-net_http (3.1.1)
+      net-http
+    git (1.19.1)
+      addressable (~> 2.8)
+      rchardet (~> 1.8)
+    gitlab (4.20.1)
+      httparty (~> 0.20)
+      terminal-table (>= 1.5.1)
+    gitlab-dangerfiles (4.8.1)
+      danger (>= 9.3.0)
+      danger-gitlab (>= 8.0.0)
+      rake (~> 13.0)
+    httparty (0.22.0)
+      csv
+      mini_mime (>= 1.0.0)
+      multi_xml (>= 0.5.2)
+    kramdown (2.4.0)
+      rexml
+    kramdown-parser-gfm (1.1.0)
+      kramdown (~> 2.0)
+    mini_mime (1.1.5)
+    multi_xml (0.7.1)
+      bigdecimal (~> 3.1)
+    nap (1.1.0)
+    net-http (0.4.1)
+      uri
+    no_proxy_fix (0.1.2)
+    octokit (6.1.1)
+      faraday (>= 1, < 3)
+      sawyer (~> 0.9)
+    open4 (1.3.4)
+    public_suffix (5.1.1)
+    rake (13.2.1)
+    rchardet (1.8.0)
+    rexml (3.3.9)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.0)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-parameterized (0.4.0)
-      binding_of_caller
-      parser
-      proc_to_ast
-      rspec (>= 2.13, < 4)
-      unparser
-    rspec-support (3.8.0)
-    rubocop (0.49.1)
-      parallel (~> 1.10)
-      parser (>= 2.3.3.1, < 3.0)
-      powerpack (~> 0.1)
-      rainbow (>= 1.99.1, < 3.0)
-      ruby-progressbar (~> 1.7)
-      unicode-display_width (~> 1.0, >= 1.0.1)
-    ruby-progressbar (1.9.0)
-    safe_yaml (1.0.4)
-    simplecov (0.9.2)
-      docile (~> 1.1.0)
-      multi_json (~> 1.0)
-      simplecov-html (~> 0.9.0)
-    simplecov-html (0.9.0)
-    thread_safe (0.3.6)
-    unicode-display_width (1.4.0)
-    unparser (0.2.8)
-      abstract_type (~> 0.0.7)
-      adamantium (~> 0.2.0)
-      concord (~> 0.1.5)
-      diff-lcs (~> 1.3)
-      equalizer (~> 0.0.9)
-      parser (>= 2.3.1.2, < 2.6)
-      procto (~> 0.0.2)
-    vcr (4.0.0)
-    webmock (3.4.2)
-      addressable (>= 2.3.6)
-      crack (>= 0.3.2)
-      hashdiff
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.0)
+    sawyer (0.9.2)
+      addressable (>= 2.3.5)
+      faraday (>= 0.17.3, < 3)
+    terminal-table (3.0.2)
+      unicode-display_width (>= 1.1.1, < 3)
+    unicode-display_width (2.5.0)
+    uri (0.13.1)
+    webrick (1.9.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  listen (~> 0.5.0)
-  rspec (~> 3.8.0)
-  rspec-parameterized (~> 0.4.0)
-  rubocop (= 0.49.1)
-  simplecov (~> 0.9.0)
-  vcr (~> 4.0.0)
-  webmock (~> 3.4.0)
+  base64 (~> 0.2.0)
+  gitlab-dangerfiles (~> 4.8.1)
+  rspec (~> 3.13.0)
+  webrick (~> 1.9, >= 1.9.1)
 
 BUNDLED WITH
-   1.16.3
+   2.5.11

LICENSE

-Copyright (c) 2011-2018 GitLab B.V.
+MIT License
 
-With regard to the GitLab Software:
+Copyright (c) 2011-present GitLab Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -9,17 +9,13 @@ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
-
-For all third party components incorporated into the GitLab Software, those
-components are licensed under the original license provided by the owner of the
-applicable component.
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

+.PHONY: validate verify verify_ruby verify_golang test test_ruby test_golang test_fancy test_golang_fancy coverage coverage_golang setup _script_install make_necessary_dirs build compile check clean install lint
+
+FIPS_MODE ?= 0
+OS := $(shell uname | tr A-Z a-z)
+GO_SOURCES := $(shell git ls-files \*.go)
+VERSION_STRING := $(shell git describe --match v* 2>/dev/null || awk '$$0="v"$$0' VERSION 2>/dev/null || echo unknown)
+BUILD_TIME := $(shell date -u +%Y%m%d.%H%M%S)
+GO_TAGS := tracer_static tracer_static_jaeger continuous_profiler_stackdriver
+
+ARCH ?= $(shell uname -m | sed -e 's/x86_64/amd64/' | sed -e 's/aarch64/arm64/')
+
+GOTESTSUM_VERSION := 1.12.0
+GOTESTSUM_FILE := support/bin/gotestsum-${GOTESTSUM_VERSION}
+
+GOLANGCI_LINT_VERSION := 1.64.5
+GOLANGCI_LINT_FILE := support/bin/golangci-lint-${GOLANGCI_LINT_VERSION}
+
+export GOFLAGS := -mod=readonly
+
+ifeq (${FIPS_MODE}, 1)
+    GO_TAGS += fips
+
+    # If the golang-fips compiler is built with CGO_ENABLED=0, this needs to be
+    # explicitly switched on.
+    export CGO_ENABLED=1
+
+    # Go 1.19 now requires GOEXPERIMENT=boringcrypto for FIPS compilation.
+    # See https://github.com/golang/go/issues/51940 for more details.
+    BORINGCRYPTO_SUPPORT := $(shell GOEXPERIMENT=boringcrypto go version > /dev/null 2>&1; echo $$?)
+    ifeq ($(BORINGCRYPTO_SUPPORT), 0)
+        export GOEXPERIMENT=boringcrypto
+    endif
+endif
+
+ifneq (${CGO_ENABLED}, 0)
+	GO_TAGS += gssapi
+endif
+
+ifeq (${OS}, darwin) # Mac OS
+    BREW_PREFIX := $(shell brew --prefix 2>/dev/null || echo "/opt/homebrew")
+
+    # To be able to compile gssapi library
+    export CGO_CFLAGS="-I$(BREW_PREFIX)/opt/heimdal/include"
+endif
+
+GOBUILD_FLAGS := -ldflags "-X main.Version=$(VERSION_STRING) -X main.BuildTime=$(BUILD_TIME)" -tags "$(GO_TAGS)" -mod=mod
+
+PREFIX ?= /usr/local
+
+build: compile
+
+validate: verify test
+
+verify: verify_golang
+
+verify_golang:
+	gofmt -s -l $(GO_SOURCES) | awk '{ print } END { if (NR > 0) { print "Please run make fmt"; exit 1 } }'
+
+fmt:
+	gofmt -w -s $(GO_SOURCES)
+
+test: test_ruby test_golang
+
+test_fancy: test_ruby test_golang_fancy
+
+# The Ruby tests are now all integration specs that test the Go implementation.
+test_ruby:
+	bundle exec rspec --color --format d spec
+
+test_golang:
+	go test -cover -coverprofile=cover.out -count 1 -tags "$(GO_TAGS)" ./...
+
+test_golang_fancy: ${GOTESTSUM_FILE}
+	@${GOTESTSUM_FILE} --version
+	@${GOTESTSUM_FILE} --junitfile ./cover.xml --format pkgname -- -coverprofile=./cover.out -covermode=atomic -count 1 -tags "$(GO_TAGS)" ./...
+
+${GOTESTSUM_FILE}:
+	mkdir -p $(shell dirname ${GOTESTSUM_FILE})
+	curl -L https://github.com/gotestyourself/gotestsum/releases/download/v${GOTESTSUM_VERSION}/gotestsum_${GOTESTSUM_VERSION}_${OS}_${ARCH}.tar.gz | tar -zOxf - gotestsum > ${GOTESTSUM_FILE} && chmod +x ${GOTESTSUM_FILE}
+
+test_golang_race:
+	go test -race -count 1 ./...
+
+coverage: coverage_golang
+
+coverage_golang:
+	[ -f cover.out ] && go tool cover -func cover.out
+
+lint:
+	@support/lint.sh ./...
+
+golangci: ${GOLANGCI_LINT_FILE}
+	@${GOLANGCI_LINT_FILE} run --issues-exit-code 0 --print-issued-lines=false ${GOLANGCI_LINT_ARGS}
+
+${GOLANGCI_LINT_FILE}:
+	@mkdir -p $(shell dirname ${GOLANGCI_LINT_FILE})
+	@curl -L https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-${OS}-${ARCH}.tar.gz | tar --strip-components 1 -zOxf - golangci-lint-${GOLANGCI_LINT_VERSION}-${OS}-${ARCH}/golangci-lint > ${GOLANGCI_LINT_FILE} && chmod +x ${GOLANGCI_LINT_FILE}
+
+setup: make_necessary_dirs bin/gitlab-shell
+
+make_necessary_dirs:
+	support/make_necessary_dirs
+
+compile: bin/gitlab-shell bin/gitlab-sshd
+
+bin:
+	mkdir -p bin
+
+bin/gitlab-shell: bin $(GO_SOURCES)
+	go build $(GOBUILD_FLAGS) -o $(CURDIR)/bin ./cmd/...
+
+bin/gitlab-sshd: bin $(GO_SOURCES)
+	go build $(GOBUILD_FLAGS) -o $(CURDIR)/bin/gitlab-sshd ./cmd/gitlab-sshd
+
+check:
+	bin/gitlab-shell-check
+
+clean:
+	rm -f bin/*
+
+install: compile
+	mkdir -p $(DESTDIR)$(PREFIX)/bin/
+	install -m755 bin/gitlab-shell-check $(DESTDIR)$(PREFIX)/bin/
+	install -m755 bin/gitlab-shell $(DESTDIR)$(PREFIX)/bin/
+	install -m755 bin/gitlab-shell-authorized-keys-check $(DESTDIR)$(PREFIX)/bin/
+	install -m755 bin/gitlab-shell-authorized-principals-check $(DESTDIR)$(PREFIX)/bin/
+	install -m755 bin/gitlab-sshd $(DESTDIR)$(PREFIX)/bin/

PROCESS.md

+# GitLab Shell process
+
+This page [has moved into the `gitlab` repository](https://docs.gitlab.com/ee/development/gitlab_shell/process.html).

README.md

-# GitLab Shell
-
-## GitLab Shell handles git SSH sessions for GitLab
-
-GitLab Shell handles git SSH sessions for GitLab and modifies the list of authorized keys.
-GitLab Shell is not a Unix shell nor a replacement for Bash or Zsh.
-
-When you access the GitLab server over SSH then GitLab Shell will:
-
-1. Limits you to predefined git commands (git push, git pull).
-1. Call the GitLab Rails API to check if you are authorized, and what Gitaly server your repository is on
-1. Copy data back and forth between the SSH client and the Gitaly server
-
-If you access a GitLab server over HTTP(S) you end up in [gitlab-workhorse](https://gitlab.com/gitlab-org/gitlab-workhorse).
-
-An overview of the four cases described above:
-
-1. git pull over ssh  -> gitlab-shell -> API call to gitlab-rails (Authorization) -> accept or decline -> establish Gitaly session
-1. git push over ssh  -> gitlab-shell (git command is not executed yet) -> establish Gitaly session -> (in Gitaly) gitlab-shell pre-receive hook -> API call to gitlab-rails (authorization) -> accept or decline push
-
-## Git hooks
-
-For historical reasons the gitlab-shell repository also contains the
-Git hooks that allow GitLab to validate Git pushes (e.g. "is this user
-allowed to push to this protected branch"). These hooks also trigger
-events in GitLab (e.g. to start a CI pipeline after a push). In
-GitLab's current architecture (Q4 2018) these hooks belong to Gitaly
-more than gitlab-shell. We [intend to move them to the Gitaly
-repository](https://gitlab.com/gitlab-org/gitaly/issues/1226).
-
-## Code status
-
-[![pipeline status](https://gitlab.com/gitlab-org/gitlab-shell/badges/master/pipeline.svg)](https://gitlab.com/gitlab-org/gitlab-shell/commits/master)
-[![coverage report](https://gitlab.com/gitlab-org/gitlab-shell/badges/master/coverage.svg)](https://gitlab.com/gitlab-org/gitlab-shell/commits/master)
+---
+stage: Create
+group: Source Code
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+[![pipeline status](https://gitlab.com/gitlab-org/gitlab-shell/badges/main/pipeline.svg)](https://gitlab.com/gitlab-org/gitlab-shell/-/pipelines?ref=main)
+[![coverage report](https://gitlab.com/gitlab-org/gitlab-shell/badges/main/coverage.svg)](https://gitlab.com/gitlab-org/gitlab-shell/-/pipelines?ref=main)
 [![Code Climate](https://codeclimate.com/github/gitlabhq/gitlab-shell.svg)](https://codeclimate.com/github/gitlabhq/gitlab-shell)
 
-## Requirements
-
-**GitLab shell will always use your system ruby (normally located at /usr/bin/ruby) and will not use the ruby your installed with a ruby version manager (such as RVM).**
-It requires ruby 2.0 or higher.
-Please uninstall any old ruby versions from your system:
-
-```
-sudo apt-get remove ruby1.8
-```
-
-Download Ruby and compile it with:
-
-```
-mkdir /tmp/ruby && cd /tmp/ruby
-curl -L --progress http://cache.ruby-lang.org/pub/ruby/2.1/ruby-2.1.5.tar.gz | tar xz
-cd ruby-2.1.5
-./configure --disable-install-rdoc
-make
-sudo make install
-```
-
-To install gitlab-shell you also need a Go compiler version 1.8 or newer. https://golang.org/dl/
-
-## Setup
-
-    ./bin/install
-    ./bin/compile
-
-## Check
-
-    ./bin/check
-
-## Keys
-
-Add key:
-
-    ./bin/gitlab-keys add-key key-782 "ssh-rsa AAAAx321..."
-
-Remove key:
-
-    ./bin/gitlab-keys rm-key key-23 "ssh-rsa AAAAx321..."
-
-List all keys:
-
-    ./bin/gitlab-keys list-keys
-
-
-Remove all keys from authorized_keys file:
-
-    ./bin/gitlab-keys clear
-
-## Git LFS remark
-
-Starting with GitLab 8.12, GitLab supports Git LFS authentication through ssh.
+# GitLab Shell
 
-## Releasing a new version
+GitLab Shell handles Git SSH sessions for GitLab and modifies the list of
+authorized keys. GitLab Shell is not a Unix shell nor a replacement for Bash or Zsh.
 
-GitLab Shell is versioned by git tags, and the version used by the Rails
-application is stored in
-[`GITLAB_SHELL_VERSION`](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/GITLAB_SHELL_VERSION).
+GitLab supports Git LFS authentication through SSH.
 
-For each version, there is a raw version and a tag version:
+## Development Documentation
 
-- The **raw version** is the version number. For instance, `15.2.8`.
-- The **tag version** is the raw version prefixed with `v`. For instance, `v15.2.8`.
+Development documentation for GitLab Shell [has moved into the `gitlab` repository](https://docs.gitlab.com/ee/development/gitlab_shell/).
 
-To release a new version of GitLab Shell and have that version available to the
-Rails application:
+## Project structure
 
-1. Update the [`CHANGELOG`](CHANGELOG) with the **tag version** and the
-   [`VERSION`](VERSION) file with the **raw version**.
-2. Add a new git tag with the **tag version**.
-3. Update `GITLAB_SHELL_VERSION` in the Rails application to the **raw
-   version**. (Note: this can be done as a separate MR to that, or in and MR
-   that will make use of the latest GitLab Shell changes.)
+| Directory | Description |
+|-----------|-------------|
+| `cmd/` | 'Commands' that will ultimately be compiled into binaries. |
+| `internal/` | Internal Go source code that is not intended to be used outside of the project/module. |
+| `client/` | HTTP and GitLab client logic that is used internally and by other modules, e.g. Gitaly. |
+| `bin/` | Compiled binaries are created here. |
+| `support/` | Scripts and tools that assist in development and/or testing. |
+| `spec/` | Ruby based integration tests. |
 
-## Updating VCR fixtures
+## Building
 
-In order to generate new VCR fixtures you need to have a local GitLab instance 
-running and have next data: 
+Run `make` or `make build`.
 
-1. gitlab-org/gitlab-test project.
-2. SSH key with access to the project and ID 1 that belongs to Administrator.
-3. SSH key without access to the project and ID 2.
+## Testing
 
-You also need to modify `secret` variable at `spec/gitlab_net_spec.rb` so tests 
-can connect to your local instance.
+Run `make test`.
 
-## Contributing
+## Release Process
 
-See [CONTRIBUTING.md](./CONTRIBUTING.md).
+1. Create a `gitlab-org/gitlab-shell` MR to update [`VERSION`](https://gitlab.com/gitlab-org/gitlab-shell/-/blob/main/VERSION) and [`CHANGELOG`](https://gitlab.com/gitlab-org/gitlab-shell/-/blob/main/CHANGELOG) files, e.g. [Release v14.39.0](https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/1123).
+2. Once `gitlab-org/gitlab-shell` MR is merged, create the corresponding git tag, e.g. https://gitlab.com/gitlab-org/gitlab-shell/-/tags/v14.39.0.
+3. Create a `gitlab-org/gitlab` MR to update [`GITLAB_SHELL_VERSION`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/GITLAB_SHELL_VERSION) to the proposed tag, e.g. [Bump GitLab Shell to 14.39.0](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162661).
+4. Announce in `#gitlab-shell` a new version has been created.
 
-## License
+## Licensing
 
-See [LICENSE](./LICENSE).
+See the `LICENSE` file for licensing information as it pertains to files in
+this repository.

VERSION

-8.4.3
+14.41.0

bin/authorized_keys

-#!/usr/bin/env ruby
-
-#
-# GitLab shell authorized_keys. Query GitLab API to get the authorized command for a given ssh key fingerprint
-#
-# Ex.
-#   /bin/authorized_keys BASE64-KEY
-#
-# Returns
-#   command="/bin/gitlab-shell key-#",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQA...
-#
-
-key = ARGV[0]
-abort "# No key provided" if key.nil? || key.empty?
-
-require_relative "../lib/gitlab_init"
-require_relative "../lib/gitlab_net"
-require_relative "../lib/gitlab_keys"
-
-authorized_key = GitlabNet.new.authorized_key(key)
-if authorized_key.nil?
-  puts "# No key was found for #{key}"
-else
-  puts GitlabKeys.key_line("key-#{authorized_key['id']}", authorized_key["key"])
-end

bin/check

-#!/usr/bin/env ruby
-
-require_relative '../lib/gitlab_init'
-require_relative '../lib/gitlab_net'
-
-#
-# GitLab shell check task
-#
-
-print "Check GitLab API access: "
-begin
-  resp = GitlabNet.new.check
-
-  if resp.code != "200"
-    abort "FAILED. code: #{resp.code}"
-  end
-
-  puts 'OK'
-
-  check_values = JSON.parse(resp.body)
-
-  print 'Redis available via internal API: '
-  if check_values['redis']
-    puts 'OK'
-  else
-    abort 'FAILED'
-  end
-rescue GitlabNet::ApiUnreachableError
-  abort "FAILED: Failed to connect to internal API"
-end
-
-config = GitlabConfig.new
-
-abort("ERROR: missing option in config.yml") unless config.auth_file
-
-print "\nAccess to #{config.auth_file}: "
-if system(File.dirname(__FILE__) + '/gitlab-keys', 'check-permissions')
-  print 'OK'
-else
-  abort "FAILED"
-end
-puts "\n"