Add latest changes from gitlab-org/gitlab@master

.gitlab/ci/global.gitlab-ci.yml

@@ -179,11 +179,6 @@
   cache:
     - *ruby-coverage-gems-cache-push
 
-# This cache should eventually be replaced by .ruby-gems-coverage-cache.
-.coverage-cache:
-  cache:
-    - *ruby-gems-cache
-
 .ruby-node-cache:
   cache:
     - *ruby-gems-cache

.gitlab/ci/rails.gitlab-ci.yml

@@ -68,19 +68,17 @@ update-ruby-gems-coverage-cache-push:
     - bundle_install_script
 
 # Used in:
+#   - rspec:coverage
 #   - rspec:undercoverage
-#   - rspec:feature-flags
-#   - rspec:merge-auto-explain-logs
-#
-# TODO: Consider making rspec:coverage reuse this base job, or split into two base jobs.
 .coverage-base:
   extends:
     - .default-retry
-    # TODO: If applicable for all children jobs, delete/replace this cache with .ruby-gems-coverage-cache, as it is much smaller.
-    - .coverage-cache
+    - .ruby-gems-coverage-cache
+  variables:
+    BUNDLE_WITHOUT: "" # This is to override the variable defined in .gitlab-ci.yml
+    BUNDLE_ONLY: "coverage"
   before_script:
     - source scripts/utils.sh
-    - export BUNDLE_WITHOUT="${BUNDLE_WITHOUT}:default:test:puma:kerberos:metrics:omnibus:ed25519"
     - bundle_install_script
 
 rspec migration pg14:
@@ -463,8 +461,9 @@ rspec:artifact-collector ee:
     - !reference ['.rails:rules:ee-only-system', rules]
 
 rspec:coverage:
+  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bullseye-slim-ruby-${RUBY_VERSION}
   extends:
-    - .ruby-gems-coverage-cache
+    - .coverage-base
     - .rails:rules:rspec-coverage
   stage: post-test
   needs:
@@ -497,12 +496,6 @@ rspec:coverage:
     - job: memory-on-boot
       optional: true
       artifacts: false
-  variables:
-    BUNDLE_WITHOUT: "" # This is to override the variable defined in .gitlab-ci.yml
-    BUNDLE_ONLY: "coverage"
-  before_script:
-    - source scripts/utils.sh
-    - bundle_install_script
   script:
     - run_timed_command "bundle exec scripts/merge-simplecov"
   coverage: '/LOC \((\d+\.\d+%)\) covered.$/'
@@ -519,6 +512,7 @@ rspec:coverage:
         path: coverage/coverage.xml
 
 rspec:undercoverage:
+  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bullseye-slim-ruby-${RUBY_VERSION}
   extends:
     - .coverage-base
     - .rails:rules:rspec-undercoverage
@@ -539,7 +533,6 @@ rspec:undercoverage:
 
 rspec:feature-flags:
   extends:
-    - .coverage-base
     - .rails:rules:rspec-feature-flags
   stage: post-test
   needs:
@@ -547,11 +540,13 @@ rspec:feature-flags:
     - job: "haml-lint"
     - job: "haml-lint ee"
       optional: true
+  before_script:
+    - source scripts/utils.sh
   script:
     - if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then
-        run_timed_command "bundle exec scripts/used-feature-flags" || (scripts/slack master-broken "☠️ \`${CI_JOB_NAME}\` failed! ☠️ See ${CI_JOB_URL}" ci_failing "GitLab Bot" && exit 1);
+        run_timed_command "scripts/used-feature-flags" || (scripts/slack master-broken "☠️ \`${CI_JOB_NAME}\` failed! ☠️ See ${CI_JOB_URL}" ci_failing "GitLab Bot" && exit 1);
       else
-        run_timed_command "bundle exec scripts/used-feature-flags";
+        run_timed_command "scripts/used-feature-flags";
       fi
 
 rspec:flaky-tests-report:
@@ -572,7 +567,6 @@ rspec:flaky-tests-report:
 
 rspec:merge-auto-explain-logs:
   extends:
-    - .coverage-base
     - .rails:rules:rspec-merge-auto-explain-logs
   stage: post-test
   needs: !reference ["rspec:coverage", "needs"]

.gitlab/ci/rules.gitlab-ci.yml

@@ -2248,6 +2248,8 @@
       when: never
     - <<: *if-merge-request-labels-run-all-rspec
     - <<: *if-merge-request-labels-record-queries
+    - <<: *if-default-branch-refs
+      changes: *code-patterns
 
 .rails:rules:default-branch-schedule-nightly--code-backstage-default-rules:
   rules:

app/assets/javascripts/sidebar/components/labels/labels_select_widget/dropdown_contents_labels_view.vue

@@ -135,6 +135,16 @@ export default {
         this.handleLabelClick(this.visibleLabels[0]);
       }
     },
+    handleFocus(event, index) {
+      if (index === 0 && event.target.classList.contains('is-focused')) {
+        event.target.classList.remove('is-focused');
+
+        // Focus next element (if available) as the first item was already focused.
+        if (event.target.parentNode?.nextElementSibling?.querySelector('button')) {
+          event.target.parentNode.nextElementSibling.querySelector('button').focus();
+        }
+      }
+    },
   },
 };
 </script>
@@ -157,6 +167,7 @@ export default {
             :active="shouldHighlightFirstItem && index === 0"
             active-class="is-focused"
             data-testid="labels-list"
+            @focus.native.capture="handleFocus($event, index)"
             @click.native.capture.stop="handleLabelClick(label)"
           >
             <label-item :label="label" />

app/assets/javascripts/super_sidebar/components/nav_item.vue

@@ -162,6 +162,7 @@ export default {
           v-if="hasPill"
           size="sm"
           variant="neutral"
+          class="gl-bg-t-gray-a-08!"
           :class="{ 'nav-item-badge gl-absolute gl-right-0 gl-top-2': isPinnable }"
         >
           {{ pillData }}

app/assets/javascripts/super_sidebar/components/user_bar.vue

@@ -155,7 +155,7 @@ export default {
     </div>
     <div
       v-if="sidebarData.is_logged_in"
-      class="gl-display-flex gl-justify-content-space-between gl-px-3 gl-py-2 gl-gap-2"
+      class="gl-display-flex gl-justify-content-space-between gl-px-3 gl-pt-2 gl-pb-3 gl-gap-2"
     >
       <counter
         v-gl-tooltip:super-sidebar.hover.noninteractive.ds500.bottom="$options.i18n.issues"

app/graphql/resolvers/codequality_reports_comparer_resolver.rb

+# frozen_string_literal: true
+
+module Resolvers
+  class CodequalityReportsComparerResolver < BaseResolver
+    include Gitlab::Graphql::Authorize::AuthorizeResource
+
+    type ::Types::Security::CodequalityReportsComparerType, null: true
+
+    authorize :read_build
+
+    def resolve
+      return unless Feature.enabled?(:sast_reports_in_inline_diff, object.project)
+
+      authorize!(object.actual_head_pipeline)
+
+      object.compare_codequality_reports
+    end
+  end
+end

app/graphql/types/merge_request_type.rb

@@ -231,6 +231,14 @@ class MergeRequestType < BaseObject
     field :prepared_at, Types::TimeType, null: true,
                                          description: 'Timestamp of when the merge request was prepared.'
 
+    field :codequality_reports_comparer,
+      type: ::Types::Security::CodequalityReportsComparerType,
+      null: true,
+      alpha: { milestone: '16.4' },
+      description: 'Code quality reports comparison reported on the merge request. Returns `null` ' \
+                   'if `sast_reports_in_inline_diff` feature flag is disabled.',
+      resolver: ::Resolvers::CodequalityReportsComparerResolver
+
     markdown_field :title_html, null: true
     markdown_field :description_html, null: true
 

app/graphql/types/security/codequality_reports_comparer/degradation_type.rb

+# frozen_string_literal: true
+
+module Types
+  module Security
+    module CodequalityReportsComparer
+      # rubocop: disable Graphql/AuthorizeTypes (The resolver authorizes the request)
+      class DegradationType < BaseObject
+        graphql_name 'CodequalityReportsComparerReportDegradation'
+
+        description 'Represents a degradation on the compared codequality report.'
+
+        field :description, GraphQL::Types::String,
+          null: false,
+          description: 'Description of the code quality degradation.'
+
+        field :fingerprint, GraphQL::Types::String,
+          null: false,
+          description: 'Unique fingerprint to identify the code quality degradation. For example, an MD5 hash.'
+
+        field :severity, Types::Ci::CodeQualityDegradationSeverityEnum,
+          null: false,
+          description:
+            "Severity of the code quality degradation " \
+            "(#{::Gitlab::Ci::Reports::CodequalityReports::SEVERITY_PRIORITIES.keys.map(&:upcase).join(', ')})."
+
+        field :file_path, GraphQL::Types::String,
+          null: false,
+          description: 'Relative path to the file containing the code quality degradation.'
+
+        field :line, GraphQL::Types::Int,
+          null: false,
+          description: 'Line on which the code quality degradation occurred.'
+
+        field :web_url, GraphQL::Types::String,
+          null: true,
+          description: 'URL to the file along with line number.'
+
+        field :engine_name, GraphQL::Types::String,
+          null: false,
+          description: 'Code quality plugin that reported the degradation.'
+      end
+      # rubocop: enable Graphql/AuthorizeTypes
+    end
+  end
+end

app/graphql/types/security/codequality_reports_comparer/report_type.rb

+# frozen_string_literal: true
+
+module Types
+  module Security
+    module CodequalityReportsComparer
+      # rubocop: disable Graphql/AuthorizeTypes (Parent node applies authorization)
+      class ReportType < BaseObject
+        graphql_name 'CodequalityReportsComparerReport'
+
+        description 'Represents compared code quality report.'
+
+        field :status,
+          type: CodequalityReportsComparer::StatusEnum,
+          null: false,
+          description: 'Status of report.'
+
+        field :new_errors,
+          type: [CodequalityReportsComparer::DegradationType],
+          null: false,
+          description: 'New code quality degradations.'
+
+        field :resolved_errors,
+          type: [CodequalityReportsComparer::DegradationType],
+          null: true,
+          description: 'Resolved code quality degradations.'
+
+        field :existing_errors,
+          type: [CodequalityReportsComparer::DegradationType],
+          null: true,
+          description: 'All code quality degradations.'
+
+        field :summary,
+          type: CodequalityReportsComparer::SummaryType,
+          null: false,
+          description: 'Codequality report summary.'
+      end
+      # rubocop: enable Graphql/AuthorizeTypes
+    end
+  end
+end

app/graphql/types/security/codequality_reports_comparer/status_enum.rb

+# frozen_string_literal: true
+
+module Types
+  module Security
+    module CodequalityReportsComparer
+      class StatusEnum < BaseEnum
+        graphql_name 'CodequalityReportsComparerReportStatus'
+        description 'Report comparison status'
+
+        value 'SUCCESS', value: 'success', description: 'Report successfully generated.'
+        value 'FAILED', value: 'failed', description: 'Report failed to generate.'
+        value 'NOT_FOUND', value: 'not_found', description: 'Head report or base report not found.'
+      end
+    end
+  end
+end

app/graphql/types/security/codequality_reports_comparer/summary_type.rb

+# frozen_string_literal: true
+
+module Types
+  module Security
+    module CodequalityReportsComparer
+      # rubocop: disable Graphql/AuthorizeTypes (The resolver authorizes the request)
+      class SummaryType < BaseObject
+        graphql_name 'CodequalityReportsComparerReportSummary'
+
+        description 'Represents a summary of the compared codequality report.'
+
+        field :total,
+          type: GraphQL::Types::Int,
+          null: true,
+          description: 'Total count of code quality degradations.'
+
+        field :resolved,
+          type: GraphQL::Types::Int,
+          null: true,
+          description: 'Count of resolved code quality degradations.'
+
+        field :errored,
+          type: GraphQL::Types::Int,
+          null: true,
+          description: 'Count of code quality errors.'
+      end
+      # rubocop: enable Graphql/AuthorizeTypes
+    end
+  end
+end

app/graphql/types/security/codequality_reports_comparer_type.rb

+# frozen_string_literal: true
+
+module Types
+  module Security
+    # rubocop: disable Graphql/AuthorizeTypes (The resolver authorizes the request)
+    class CodequalityReportsComparerType < BaseObject
+      graphql_name 'CodequalityReportsComparer'
+
+      description 'Represents reports comparison for code quality.'
+
+      field :report,
+        type: CodequalityReportsComparer::ReportType,
+        null: true,
+        hash_key: 'data',
+        description: 'Compared codequality report.'
+    end
+    # rubocop: enable Graphql/AuthorizeTypes
+  end
+end

app/models/application_setting.rb

@@ -20,6 +20,7 @@ class ApplicationSetting < MainClusterwide::ApplicationRecord
     dashboard_enforcement_limit
     dashboard_limit_new_namespace_creation_enforcement_date
   ], remove_with: '16.5', remove_after: '2023-08-22'
+  ignore_column :relay_state_domain_allowlist, remove_with: '16.6', remove_after: '2023-10-22'
 
   INSTANCE_REVIEW_MIN_USERS = 50
   GRAFANA_URL_ERROR_MESSAGE = 'Please check your Grafana URL setting in ' \

app/models/issue.rb

@@ -14,7 +14,6 @@ class Issue < ApplicationRecord
   include TimeTrackable
   include ThrottledTouch
   include LabelEventable
-  include IgnorableColumns
   include MilestoneEventable
   include WhereComposite
   include StateEventable
@@ -56,8 +55,6 @@ class Issue < ApplicationRecord
   # This default came from the enum `issue_type` column. Defined as default in the DB
   DEFAULT_ISSUE_TYPE = :issue
 
-  ignore_column :issue_type, remove_with: '16.4', remove_after: '2023-08-22'
-
   belongs_to :project
   belongs_to :namespace, inverse_of: :issues
 

app/serializers/codequality_degradation_entity.rb

@@ -2,6 +2,9 @@
 
 class CodequalityDegradationEntity < Grape::Entity
   expose :description
+  expose :fingerprint, if: ->(_, options) do
+    Feature.enabled?(:sast_reports_in_inline_diff, options[:request]&.project)
+  end
   expose :severity do |degradation|
     degradation.dig(:severity)&.downcase
   end

app/services/system_notes/issuables_service.rb

@@ -32,8 +32,7 @@ def self.issuable_events
     #
     # Returns the created Note object
     def relate_issuable(noteable_ref)
-      issuable_type = noteable.to_ability_name.humanize(capitalize: false)
-      body = "marked this #{issuable_type} as related to #{noteable_ref.to_reference(noteable.resource_parent)}"
+      body = "marked this #{noteable_name} as related to #{noteable_ref.to_reference(noteable.resource_parent)}"
 
       track_issue_event(:track_issue_related_action)
 
@@ -534,6 +533,12 @@ def track_issue_event(event_name)
 
       issue_activity_counter.public_send(event_name, author: author, project: project || noteable.project) # rubocop: disable GitlabSecurity/PublicSend
     end
+
+    def noteable_name
+      name = noteable.try(:issue_type) || noteable.to_ability_name
+
+      name.humanize(capitalize: false)
+    end
   end
 end
 

config/feature_flags/development/unbatch_graphql_queries.yml

@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/406765
 milestone: '16.0'
 type: development
 group: group::project management
-default_enabled: false
+default_enabled: true

config/sidekiq_queues.yml

@@ -597,6 +597,8 @@
   - 1
 - - security_refresh_project_policies
   - 1
+- - security_scan_execution_policies_rule_schedule
+  - 1
 - - security_scan_result_policies_sync_opened_merge_requests
   - 1
 - - security_scan_result_policies_sync_project

db/docs/batched_background_migrations/backfill_users_with_defaults.yml

+---
+migration_job_name: BackfillUsersWithDefaults
+description: Backfills the users table columns with their default values
+feature_category: user_profile
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/125881
+milestone: 16.4