Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

.rubocop_todo/gitlab/bounded_contexts.yml

@@ -2553,7 +2553,6 @@ Gitlab/BoundedContexts:
     - 'ee/app/graphql/types/move_type_enum.rb'
     - 'ee/app/graphql/types/negated_iteration_wildcard_id_enum.rb'
     - 'ee/app/graphql/types/path_lock_type.rb'
-    - 'ee/app/graphql/types/pending_group_member_type.rb'
     - 'ee/app/graphql/types/permission_types/dast_site_profile.rb'
     - 'ee/app/graphql/types/permission_types/epic.rb'
     - 'ee/app/graphql/types/permission_types/pipeline_security_report_finding.rb'

GITALY_SERVER_VERSION

@@ -1 +1 @@
-7d588faba97dfbf48c39a3dc600eee66499cf065
+af0566ee3ca5075025da8442a44ba7e411caa530

GITLAB_KAS_VERSION

@@ -1 +1 @@
-449014dfd52c9b1e0f6e8f7b4158e17d20d36971
+65cc901765eab78be34876e6aed8b7857de7a5bf

app/assets/javascripts/graphql_shared/possible_types.json

@@ -90,6 +90,7 @@
   "MemberInterface": [
     "GroupMember",
     "PendingGroupMember",
+    "PendingProjectMember",
     "ProjectMember"
   ],
   "NoteableInterface": [
@@ -127,6 +128,10 @@
     "PypiMetadata",
     "TerraformModuleMetadata"
   ],
+  "PendingMemberInterface": [
+    "PendingGroupMember",
+    "PendingProjectMember"
+  ],
   "Registrable": [
     "CiSecureFileRegistry",
     "ContainerRepositoryRegistry",

app/models/ci/job_token/group_scope_link.rb

@@ -15,6 +15,8 @@ class GroupScopeLink < Ci::ApplicationRecord
       belongs_to :target_group, class_name: '::Group'
       belongs_to :added_by, class_name: 'User'
 
+      validates :job_token_policies, json_schema: { filename: 'ci_job_token_policies' }, allow_blank: true
+
       scope :with_source, ->(project) { where(source_project: project) }
       scope :with_target, ->(group) { where(target_group: group) }
 

app/models/ci/job_token/project_scope_link.rb

@@ -15,6 +15,8 @@ class ProjectScopeLink < Ci::ApplicationRecord
       belongs_to :target_project, class_name: 'Project'
       belongs_to :added_by, class_name: 'User'
 
+      validates :job_token_policies, json_schema: { filename: 'ci_job_token_policies' }, allow_blank: true
+
       scope :with_access_direction, ->(direction) { where(direction: direction) }
       scope :with_source, ->(project)   { where(source_project: project) }
       scope :with_target, ->(project)   { where(target_project: project) }

app/models/identity.rb

@@ -7,7 +7,12 @@ class Identity < ApplicationRecord
   belongs_to :user
 
   validates :provider, presence: true
-  validates :extern_uid, allow_blank: true, uniqueness: { scope: UniquenessScopes.scopes, case_sensitive: false }
+  validates :extern_uid, allow_blank: true, uniqueness: {
+    scope: UniquenessScopes.scopes,
+    case_sensitive: false,
+    message: "has already been taken. Please contact your administrator to generate a unique extern_uid / NameID"
+  }
+
   validates :user, uniqueness: { scope: UniquenessScopes.scopes }
 
   before_save :ensure_normalized_extern_uid, if: :extern_uid_changed?

app/validators/json_schemas/ci_job_token_policies.json

@@ -0,0 +1,46 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "description": "Policies that can be assigned to a CI_JOB_TOKEN",
+  "type": "array",
+  "items": {
+    "type": "string",
+    "enum": [
+      "admin_container_image",
+      "admin_secure_files",
+      "admin_terraform_state",
+      "build_create_container_image",
+      "build_destroy_container_image",
+      "build_download_code",
+      "build_push_code",
+      "build_read_container_image",
+      "create_deployment",
+      "create_environment",
+      "create_on_demand_dast_scan",
+      "create_package",
+      "create_release",
+      "destroy_container_image",
+      "destroy_deployment",
+      "destroy_environment",
+      "destroy_package",
+      "destroy_release",
+      "read_build",
+      "read_container_image",
+      "read_deployment",
+      "read_environment",
+      "read_group",
+      "read_job_artifacts",
+      "read_pipeline",
+      "read_project",
+      "read_release",
+      "read_secure_files",
+      "read_terraform_state",
+      "stop_environment",
+      "update_deployment",
+      "update_environment",
+      "update_pipeline",
+      "update_release"
+    ]
+  },
+  "uniqueItems": true,
+  "additionalItems": false
+}

config/initializers/0_marginalia.rb

@@ -13,8 +13,8 @@
 # matching against the raw SQL, and prepending the comment prevents color
 # coding from working in the development log.
 Marginalia::Comment.prepend_comment = true if Rails.env.production?
-Marginalia::Comment.components = [:application, :correlation_id, :jid, :endpoint_id, :db_config_name,
-  :console_hostname, :console_username]
+Marginalia::Comment.components = [:application, :correlation_id, :jid, :endpoint_id, :db_config_database,
+  :db_config_name, :console_hostname, :console_username]
 
 # As mentioned in https://github.com/basecamp/marginalia/pull/93/files,
 # adding :line has some overhead because a regexp on the backtrace has

data/deprecations/17-5-deprecate-merge-train-graphql-fields.yml

@@ -0,0 +1,40 @@
+- title: "`mergeTrainIndex` and `mergeTrainsCount` GraphQL fields deprecated"
+  # The milestones for the deprecation announcement, and the removal.
+  removal_milestone: "18.0"
+  announcement_milestone: "17.5"
+  # Change breaking_change to false if needed.
+  breaking_change: true
+  # The stage and GitLab username of the person reporting the change,
+  # and a link to the deprecation issue
+  reporter: rutshah
+  stage: verify
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/473759
+  # Use the impact calculator https://gitlab-com.gitlab.io/gl-infra/breaking-change-impact-calculator/?
+  impact: low  # Can be one of: [critical, high, medium, low]
+  scope: project  # Can be one or a combination of: [instance, group, project]
+  resolution_role: Developer  # Can be one of: [Admin, Owner, Maintainer, Developer]
+  manual_task: true  # Can be true or false. Use this to denote whether a resolution action must be performed manually (true), or if it can be automated by using the API or other automation (false).
+  body: |  # (required) Don't change this line.
+    The GraphQL field `mergeTrainIndex` and `mergeTrainsCount` in `MergeRequest` are deprecated. To
+    determine the position of the merge request on the merge train use the
+    `index` field in `MergeTrainCar` instead. To get the count of MRs in a merge train,
+    use `count` from `cars` in `MergeTrains::TrainType` instead.
+
+# ==============================
+# OPTIONAL END-OF-SUPPORT FIELDS
+# ==============================
+#
+# If an End of Support period applies:
+# 1) Share this announcement in the `#spt_managers` Support channel in Slack
+# 2) Mention `@gitlab-com/support` in this merge request.
+#
+  # When support for this feature ends, in XX.YY milestone format.
+  end_of_support_milestone:
+  # Array of tiers the feature is currently available to,
+  # like [Free, Silver, Gold, Core, Premium, Ultimate]
+  tiers:
+  # Links to documentation and thumbnail image
+  documentation_url:
+  image_url:
+  # Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg
+  video_url:

db/migrate/20240920051810_add_policies_to_ci_project_scope_links.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddPoliciesToCiProjectScopeLinks < Gitlab::Database::Migration[2.2]
+  milestone '17.5'
+
+  def change
+    add_column :ci_job_token_project_scope_links, :job_token_policies, :jsonb, default: []
+  end
+end

db/migrate/20240923131448_add_policies_to_ci_group_scope_links.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddPoliciesToCiGroupScopeLinks < Gitlab::Database::Migration[2.2]
+  milestone '17.5'
+
+  def change
+    add_column :ci_job_token_group_scope_links, :job_token_policies, :jsonb, default: []
+  end
+end

db/post_migrate/20241007034738_cleanup_events_personal_namespace_id_gitlab_com.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+class CleanupEventsPersonalNamespaceIdGitlabCom < Gitlab::Database::Migration[2.2]
+  milestone '17.5'
+
+  disable_ddl_transaction!
+
+  restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+  class PersonalNamespace < MigrationRecord
+    self.table_name = 'namespaces'
+  end
+
+  def up
+    return unless Gitlab.com_except_jh?
+
+    events_model = define_batchable_model('events')
+    events_model.where.not(personal_namespace_id: nil)
+      .distinct_each_batch(column: :personal_namespace_id, of: 100) do |batch|
+        namespace_ids = batch.pluck(:personal_namespace_id)
+        namespaces_query = PersonalNamespace
+          .where('events.personal_namespace_id = namespaces.id')
+          .select(1)
+
+        events_model
+          .where(personal_namespace_id: namespace_ids)
+          .where('NOT EXISTS (?)', namespaces_query)
+          .delete_all
+      end
+  end
+
+  def down
+    # no-op
+  end
+end

db/post_migrate/20241007034739_add_fk_on_events_personal_namespace_id_gitlab_com.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class AddFkOnEventsPersonalNamespaceIdGitlabCom < Gitlab::Database::Migration[2.2]
+  milestone '17.5'
+
+  disable_ddl_transaction!
+
+  def up
+    return unless Gitlab.com_except_jh?
+
+    add_concurrent_foreign_key :events, :namespaces, column: :personal_namespace_id, on_delete: :cascade
+  end
+
+  def down
+    return unless Gitlab.com_except_jh?
+
+    with_lock_retries { remove_foreign_key :events, column: :personal_namespace_id }
+  end
+end

db/schema_migrations/20240920051810

@@ -0,0 +1 @@
+cdd3fb27e7d2069f2a741000896bde16abe4b6ad16d40a52fb09e3f5584cb1f3

db/schema_migrations/20240923131448

@@ -0,0 +1 @@
+a01f8746b7774137081c6bf0aed7bd6d75764db0afddb294d57a93aef5857b81

db/schema_migrations/20241007034738

@@ -0,0 +1 @@
+e9f5a6fe9807a2d797aef9f12438e1d534d74d1f8851c41df79e3299b15d48a4

db/schema_migrations/20241007034739

@@ -0,0 +1 @@
+289b2660a1297489d0db86008e7ebe732e02ddd4a8f37184d2c2de05b097cfcf

db/structure.sql

@@ -8563,7 +8563,8 @@ CREATE TABLE ci_job_token_group_scope_links (
     source_project_id bigint NOT NULL,
     target_group_id bigint NOT NULL,
     added_by_id bigint,
-    created_at timestamp with time zone NOT NULL
+    created_at timestamp with time zone NOT NULL,
+    job_token_policies jsonb DEFAULT '[]'::jsonb
 );
 
 CREATE SEQUENCE ci_job_token_group_scope_links_id_seq
@@ -8581,7 +8582,8 @@ CREATE TABLE ci_job_token_project_scope_links (
     target_project_id bigint NOT NULL,
     added_by_id bigint,
     created_at timestamp with time zone NOT NULL,
-    direction smallint DEFAULT 0 NOT NULL
+    direction smallint DEFAULT 0 NOT NULL,
+    job_token_policies jsonb DEFAULT '[]'::jsonb
 );
 
 CREATE SEQUENCE ci_job_token_project_scope_links_id_seq