Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

.rubocop_todo/gitlab/bounded_contexts.yml

@@ -3176,7 +3176,6 @@ Gitlab/BoundedContexts:
     - 'ee/app/services/ee/post_receive_service.rb'
     - 'ee/app/services/ee/preview_markdown_service.rb'
     - 'ee/app/services/ee/protected_branches/api_service.rb'
-    - 'ee/app/services/ee/protected_branches/base_service.rb'
     - 'ee/app/services/ee/protected_branches/create_service.rb'
     - 'ee/app/services/ee/protected_branches/destroy_service.rb'
     - 'ee/app/services/ee/protected_branches/legacy_api_update_service.rb'

GITLAB_KAS_VERSION

@@ -1 +1 @@
-7186455e61c1a6556cd6f0664a9c90c5da2e6bae
+da3a19a82c6c31f1dd1c29ce5ec48906d1594207

app/assets/javascripts/ml/experiment_tracking/components/performance_graph.vue

@@ -42,7 +42,8 @@ export default {
       return this.metricNames.map((metric) => {
         return {
           name: metric,
-          data: this.candidates
+          data: [...this.candidates]
+            .sort((a, b) => new Date(a.created_at) - new Date(b.created_at))
             .filter((candidate) => candidate[metric] !== undefined && candidate[metric] !== null)
             .map((candidate, index) => ({
               value: [index + 1, parseFloat(candidate[metric])],

app/assets/javascripts/pages/projects/shared/web_ide_link/index.js

@@ -49,6 +49,7 @@ export default ({ el, router }) => {
           projectPath,
           cssClasses,
           ...options,
+          gitRef: ref,
         },
       });
     },

app/assets/javascripts/repository/components/header_area.vue

@@ -275,6 +275,7 @@ export default {
           :gitpod-url="gitpodUrl"
           :user-preferences-gitpod-path="userPreferencesGitpodPath"
           :user-profile-enable-gitpod-path="userProfileEnableGitpodPath"
+          :git-ref="currentRef"
           disable-fork-modal
           v-on="$listeners"
         />

app/assets/javascripts/work_items/components/work_item_description_template_listbox.vue

@@ -74,7 +74,9 @@ export default {
     },
     items() {
       return this.descriptionTemplates
-        .filter(({ name }) => (this.searchTerm ? name.includes(this.searchTerm) : true))
+        .filter(({ name }) =>
+          this.searchTerm ? name.toLowerCase().includes(this.searchTerm.toLowerCase()) : true,
+        )
         .reduce((groups, current) => {
           const idx = groups.findIndex((group) => group.text === current.category);
           if (idx > -1) {

app/controllers/graphql_controller.rb

@@ -297,8 +297,11 @@ def append_info_to_payload(payload)
 
     # Merging to :metadata will ensure these are logged as top level keys
     payload[:metadata] ||= {}
+
     payload[:metadata][:graphql] = logs
 
+    payload[:metadata][:referer] = request.headers['Referer'] if logs.any? { |log| log[:operation_name] == 'GLQL' }
+
     payload[:exception_object] = @exception_object if @exception_object
   end
 

app/helpers/projects_helper.rb

@@ -674,10 +674,19 @@ def visibility_level_content(project, css_class: nil, icon_css_class: nil)
     end
 
     title = visibility_icon_description(project)
-    container_class = ['has-tooltip', css_class].compact.join(' ')
+    container_class = [
+      'has-tooltip gl-border-0 gl-bg-transparent gl-p-0 gl-leading-0 gl-text-inherit',
+      css_class
+    ].compact.join(' ')
     data = { container: 'body', placement: 'top' }
 
-    content_tag(:span, class: container_class, data: data, title: title) do
+    content_tag(
+      :button,
+      class: container_class,
+      data: data,
+      title: title,
+      type: 'button',
+      aria: { label: title }) do
       visibility_level_icon(project.visibility_level, options: { class: icon_css_class })
     end
   end

app/models/ci/runner.rb

@@ -331,7 +331,7 @@ def self.runner_matchers
       end
     end
 
-    # TODO: Remove once https://gitlab.com/gitlab-org/gitlab/-/issues/504277 is closed.
+    # TODO: Remove once https://gitlab.com/gitlab-org/gitlab/-/issues/516929 is closed.
     def self.sharded_table_proxy_model
       @sharded_table_proxy_class ||= Class.new(self) do
         self.table_name = :ci_runners_e59bb2812d
@@ -445,7 +445,7 @@ def has_tags?
       tag_list.any?
     end
 
-    # TODO: Remove once https://gitlab.com/gitlab-org/gitlab/-/issues/504277 is closed.
+    # TODO: Remove once https://gitlab.com/gitlab-org/gitlab/-/issues/516929 is closed.
     def ensure_partitioned_runner_record_exists
       self.class.sharded_table_proxy_model.insert_all(
         [attributes.except('tag_list')], unique_by: [:id, :runner_type],
@@ -541,7 +541,7 @@ def ensure_manager(system_xid)
       RunnerManager.safe_find_or_create_by!(runner_id: id, system_xid: system_xid.to_s) do |m|
         # Avoid inserting partitioned runner managers that refer to a missing ci_runners partitioned record, since
         # the backfill is not yet finalized.
-        ensure_partitioned_runner_record_exists
+        ensure_partitioned_runner_record_exists if Feature.disabled?(:reject_orphaned_runners, Feature.current_request)
 
         m.runner_type = runner_type
         m.sharding_key_id = sharding_key_id

app/models/virtual_registries/packages/maven/cache/entry.rb

@@ -28,6 +28,7 @@ class Entry < ApplicationRecord
           enum :status, default: 0, processing: 1, pending_destruction: 2, error: 3
 
           ignore_column :downloaded_at, remove_with: '17.9', remove_after: '2025-01-23'
+          ignore_column :file_final_path, remove_with: '17.11', remove_after: '2025-03-23'
 
           sha_attribute :file_sha1
           sha_attribute :file_md5
@@ -39,18 +40,19 @@ class Entry < ApplicationRecord
             :file_sha1,
             presence: true
           validates :upstream_etag, :content_type, length: { maximum: 255 }
-          validates :relative_path, :object_storage_key, :file_final_path, length: { maximum: 1024 }
+          validates :relative_path, :object_storage_key, length: { maximum: 1024 }
           validates :file_md5, length: { is: 32 }, allow_nil: true
           validates :file_sha1, length: { is: 40 }
           validates :relative_path,
             uniqueness: { scope: [:upstream_id, :status] },
             if: :default?
+          validates :object_storage_key, uniqueness: { scope: :relative_path }
           validates :file, presence: true
 
           mount_file_store_uploader ::VirtualRegistries::Cache::EntryUploader
 
           before_validation :set_object_storage_key,
-            if: -> { object_storage_key.blank? && relative_path && upstream && upstream.registry }
+            if: -> { object_storage_key.blank? && upstream && upstream.registry }
           attr_readonly :object_storage_key
 
           scope :search_by_relative_path, ->(query) do
@@ -106,18 +108,7 @@ def mark_as_pending_destruction
           private
 
           def set_object_storage_key
-            self.object_storage_key = Gitlab::HashedPath.new(
-              'virtual_registries',
-              'packages',
-              'maven',
-              upstream.registry.id,
-              'upstream',
-              upstream.id,
-              'cache',
-              'entry',
-              OpenSSL::Digest::SHA256.hexdigest(relative_path),
-              root_hash: upstream.registry.id
-            ).to_s
+            self.object_storage_key = upstream.object_storage_key_for(registry_id: upstream.registry.id)
           end
         end
       end

app/models/virtual_registries/packages/maven/upstream.rb

@@ -59,6 +59,24 @@ def default_cache_entries
           cache_entries.default
         end
 
+        def object_storage_key_for(registry_id:)
+          hash = Digest::SHA2.hexdigest(SecureRandom.uuid)
+          Gitlab::HashedPath.new(
+            'virtual_registries',
+            'packages',
+            'maven',
+            registry_id.to_s,
+            'upstream',
+            id.to_s,
+            'cache',
+            'entry',
+            hash[0..1],
+            hash[2..3],
+            hash[4..],
+            root_hash: registry_id
+          ).to_s
+        end
+
         private
 
         def reset_credentials

app/services/authz/applications/reset_secret_service.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Authz
+  module Applications
+    class ResetSecretService
+      attr_reader :application, :current_user
+
+      def initialize(application:, current_user:)
+        @application = application
+        @current_user = current_user
+      end
+
+      def execute
+        return error(message: "#{current_user.name} cannot reset secret") unless can_reset_secret?(current_user)
+
+        application.renew_secret
+
+        return ServiceResponse.success if application.save
+
+        error(message: "Couldn't save application")
+      end
+
+      private
+
+      def error(message:)
+        ServiceResponse.error(message: message)
+      end
+
+      def can_reset_secret?(current_user)
+        current_user.can_admin_all_resources?
+      end
+    end
+  end
+end

app/services/ci/job_artifacts/create_service.rb

@@ -27,7 +27,7 @@ def authorize(artifact_type:, filesize: nil)
           has_length: false,
           maximum_size: max_size(artifact_type),
           use_final_store_path: true,
-          final_store_path_root_id: project.id
+          final_store_path_config: { root_hash: project.id }
         )
 
         if lsif?(artifact_type)

app/services/protected_branches/create_service.rb

@@ -22,9 +22,29 @@ def save_protected_branch
       protected_branch.save.tap do
         # Refresh all_protected_branches association as it is not automatically updated
         project_or_group.all_protected_branches.reset if project_or_group.is_a?(Project)
+
+        publish_created_event
       end
     end
 
+    def publish_created_event
+      return unless protected_branch.id
+
+      parent_type = if project_or_group.is_a?(Project)
+                      ::Repositories::ProtectedBranchCreatedEvent::PARENT_TYPES[:project]
+                    else
+                      ::Repositories::ProtectedBranchCreatedEvent::PARENT_TYPES[:group]
+                    end
+
+      ::Gitlab::EventStore.publish(
+        ::Repositories::ProtectedBranchCreatedEvent.new(data: {
+          protected_branch_id: protected_branch.id,
+          parent_id: project_or_group.id,
+          parent_type: parent_type
+        })
+      )
+    end
+
     def protected_branch
       @protected_branch ||= project_or_group.protected_branches.new(params)
     end

app/services/protected_branches/destroy_service.rb

@@ -7,9 +7,24 @@ def execute(protected_branch)
 
       protected_branch.destroy.tap do
         refresh_cache
-        after_execute
+        publish_deleted_event
       end
     end
+
+    def publish_deleted_event
+      parent_type = if project_or_group.is_a?(Project)
+                      ::Repositories::ProtectedBranchDestroyedEvent::PARENT_TYPES[:project]
+                    else
+                      ::Repositories::ProtectedBranchDestroyedEvent::PARENT_TYPES[:group]
+                    end
+
+      ::Gitlab::EventStore.publish(
+        ::Repositories::ProtectedBranchDestroyedEvent.new(data: {
+          parent_id: project_or_group.id,
+          parent_type: parent_type
+        })
+      )
+    end
   end
 end
 

app/uploaders/object_storage.rb

@@ -177,7 +177,7 @@ def generate_remote_id
         [CarrierWave.generate_cache_id, SecureRandom.hex].join('-')
       end
 
-      def generate_final_store_path(root_id:)
+      def generate_final_store_path(root_hash:)
         hash = Digest::SHA2.hexdigest(SecureRandom.uuid)
 
         # We prefix '@final' to prevent clashes and make the files easily recognizable
@@ -186,21 +186,26 @@ def generate_final_store_path(root_id:)
 
         # We generate a hashed path of the root ID (e.g. Project ID) to distribute directories instead of
         # filling up one root directory with a bunch of files.
-        Gitlab::HashedPath.new(sub_path, root_hash: root_id).to_s
+        Gitlab::HashedPath.new(sub_path, root_hash: root_hash).to_s
       end
 
+      # final_store_path_config is only used if use_final_store_path is set to true
+      # Two keys are available:
+      # - :root_hash. The root hash used in Gitlab::HashedPath for the path generation.
+      # - :override_path. If set, the path generation is skipped and this value is used instead.
+      #                   Make sure that this value is unique for each upload.
       def workhorse_authorize(
         has_length:,
         maximum_size: nil,
         use_final_store_path: false,
-        final_store_path_root_id: nil)
+        final_store_path_config: {})
         {}.tap do |hash|
           if self.direct_upload_to_object_store?
             hash[:RemoteObject] = workhorse_remote_upload_options(
               has_length: has_length,
               maximum_size: maximum_size,
               use_final_store_path: use_final_store_path,
-              final_store_path_root_id: final_store_path_root_id
+              final_store_path_config: final_store_path_config
             )
           else
             hash[:TempPath] = workhorse_local_upload_path
@@ -231,13 +236,18 @@ def workhorse_remote_upload_options(
         has_length:,
         maximum_size: nil,
         use_final_store_path: false,
-        final_store_path_root_id: nil)
+        final_store_path_config: {})
         return unless direct_upload_to_object_store?
 
         if use_final_store_path
-          raise MissingFinalStorePathRootId unless final_store_path_root_id.present?
+          id = if final_store_path_config[:override_path].present?
+                 final_store_path_config[:override_path]
+               else
+                 raise MissingFinalStorePathRootId unless final_store_path_config[:root_hash].present?
+
+                 generate_final_store_path(root_hash: final_store_path_config[:root_hash])
+               end
 
-          id = generate_final_store_path(root_id: final_store_path_root_id)
           upload_path = with_bucket_prefix(id)
           prepare_pending_direct_upload(id)
         else

app/uploaders/virtual_registries/cache/entry_uploader.rb

@@ -28,6 +28,11 @@ def sync_model_object_store?
         true
       end
 
+      override :direct_upload_final_path_attribute_name
+      def direct_upload_final_path_attribute_name
+        :object_storage_key
+      end
+
       private
 
       def set_content_type(file)

config/feature_flags/gitlab_com_derisk/reject_orphaned_runners.yml

@@ -0,0 +1,9 @@
+---
+name: reject_orphaned_runners
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/516862
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180163
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/516929
+milestone: '17.9'
+group: group::runner
+type: gitlab_com_derisk
+default_enabled: false

db/post_migrate/20250128153614_add_object_storage_key_unique_to_v_regs_packages_maven_cache_entries.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+class AddObjectStorageKeyUniqueToVRegsPackagesMavenCacheEntries < Gitlab::Database::Migration[2.2]
+  include Gitlab::Database::PartitioningMigrationHelpers
+
+  milestone '17.9'
+
+  disable_ddl_transaction!
+
+  TABLE_NAME = :virtual_registries_packages_maven_cache_entries
+  COLUMNS = [:relative_path, :object_storage_key]
+  INDEX_NAME = :idx_vregs_pkgs_mvn_cache_entries_on_uniq_object_storage_key
+
+  def up
+    truncate_tables!(TABLE_NAME.to_s)
+    add_concurrent_partitioned_index TABLE_NAME, COLUMNS, unique: true, name: INDEX_NAME
+  end
+
+  def down
+    remove_concurrent_partitioned_index_by_name TABLE_NAME, INDEX_NAME
+  end
+end

db/schema_migrations/20250128153614

@@ -0,0 +1 @@
+d43f2fa892bb1a4b268197cd6c83b6f1437c80677fae1caadc61b52caf45f2e5