Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

app/graphql/mutations/todos/delete_all_done.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Mutations
+  module Todos
+    class DeleteAllDone < ::Mutations::BaseMutation
+      graphql_name 'TodoDeleteAllDone'
+
+      def resolve
+        verify_rate_limit!
+
+        delete_until = Time.now.utc.to_datetime.to_s
+
+        ::Todos::DeleteAllDoneWorker.perform_async(current_user.id, delete_until) # rubocop:disable CodeReuse/Worker -- we need to do this asynchronously
+
+        {
+          message: format(_('Your request has succeeded. Results will be visible in a couple of minutes.')),
+          errors: []
+        }
+      end
+
+      private
+
+      def verify_rate_limit!
+        return unless Gitlab::ApplicationRateLimiter.throttled?(:delete_all_todos, scope: [current_user])
+
+        raise_resource_not_available_error!('This endpoint has been requested too many times. Try again later.')
+      end
+    end
+  end
+end

app/graphql/types/mutation_type.rb

@@ -153,6 +153,7 @@ class MutationType < BaseObject
     mount_mutation Mutations::Todos::SnoozeMany, experiment: { milestone: '17.9' }
     mount_mutation Mutations::Todos::UnsnoozeMany, experiment: { milestone: '17.9' }
     mount_mutation Mutations::Todos::DeleteMany, experiment: { milestone: '17.11' }
+    mount_mutation Mutations::Todos::DeleteAllDone, experiment: { milestone: '17.11' }
     mount_mutation Mutations::Snippets::Destroy
     mount_mutation Mutations::Snippets::Update
     mount_mutation Mutations::Snippets::Create

app/models/concerns/integrations/base_data_fields.rb

@@ -5,6 +5,8 @@ module BaseDataFields
     extend ActiveSupport::Concern
 
     included do
+      include Gitlab::EncryptedAttribute
+
       belongs_to :integration, inverse_of: self.table_name.to_sym, foreign_key: :integration_id, optional: true
 
       belongs_to :instance_integration,
@@ -21,7 +23,7 @@ module BaseDataFields
     class_methods do
       def encryption_options
         {
-          key: Settings.attr_encrypted_db_key_base_32,
+          key: :db_key_base_32,
           encode: true,
           mode: :per_attribute_iv,
           algorithm: 'aes-256-gcm'

app/models/note.rb

@@ -64,6 +64,9 @@ class Note < ApplicationRecord
   # Attribute used to determine whether keep_around_commits will be skipped for diff notes.
   attr_accessor :skip_keep_around_commits
 
+  # Attribute used to skip updates of `updated_at` for the noteable when it could impact database health.
+  attr_accessor :skip_touch_noteable
+
   attribute :system, default: false
 
   attr_spammable :note, spam_description: true
@@ -183,7 +186,7 @@ class Note < ApplicationRecord
   # https://gitlab.com/gitlab-org/gitlab/-/issues/367923
   before_create :set_internal_flag
   after_save :keep_around_commit, if: :for_project_noteable?, unless: -> { importing? || skip_keep_around_commits }
-  after_save :touch_noteable, unless: :importing?
+  after_save :touch_noteable, if: :touch_noteable?
   after_commit :notify_after_create, on: :create
   after_commit :notify_after_destroy, on: :destroy
 
@@ -715,6 +718,10 @@ def attribute_names_for_serialization
 
   private
 
+  def touch_noteable?
+    !importing? && !skip_touch_noteable
+  end
+
   def trigger_note_subscription?
     for_issue? && noteable
   end

app/models/todo.rb

@@ -58,6 +58,8 @@ class Todo < ApplicationRecord
     SSH_KEY_EXPIRING_SOON
   ].freeze
 
+  BATCH_DELETE_SIZE = 100
+
   belongs_to :author, class_name: "User"
   belongs_to :note
   belongs_to :project

app/serializers/access_token_entity_base.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 # rubocop: disable Gitlab/NamespacedClass
-class AccessTokenEntityBase < API::Entities::PersonalAccessToken
+class AccessTokenEntityBase < API::Entities::PersonalAccessTokenWithLastUsedIps
   expose :expired?, as: :expired
   expose :expires_soon?, as: :expires_soon
 end

app/workers/all_queues.yml

@@ -2684,6 +2684,16 @@
   :idempotent: true
   :tags: []
   :queue_namespace: :terraform
+- :name: todos_destroyer:todos_delete_all_done
+  :worker_name: Todos::DeleteAllDoneWorker
+  :feature_category: :notifications
+  :has_external_dependencies: false
+  :urgency: :low
+  :resource_boundary: :unknown
+  :weight: 1
+  :idempotent: true
+  :tags: []
+  :queue_namespace: :todos_destroyer
 - :name: todos_destroyer:todos_destroyer_confidential_issue
   :worker_name: TodosDestroyer::ConfidentialIssueWorker
   :feature_category: :notifications

app/workers/todos/delete_all_done_worker.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Todos
+  class DeleteAllDoneWorker
+    include ApplicationWorker
+    include Gitlab::ExclusiveLeaseHelpers
+    include EachBatch
+
+    data_consistency :sticky
+    idempotent!
+
+    sidekiq_options retry: true
+    include TodosDestroyerQueue
+
+    LOCK_TIMEOUT = 1.hour
+    BATCH_DELETE_SIZE = 10_000
+    SUB_BATCH_DELETE_SIZE = 100
+    SLEEP_INTERVAL = 100
+    MAX_RUNTIME = 2.minutes
+
+    def perform(user_id, time)
+      runtime_limiter = Gitlab::Metrics::RuntimeLimiter.new(MAX_RUNTIME)
+      delete_until = time.to_datetime
+      pause_ms = SLEEP_INTERVAL
+      # rubocop: disable CodeReuse/ActiveRecord -- we need to keep the logic in the worker
+      in_lock("#{self.class.name.underscore}_#{user_id}", ttl: LOCK_TIMEOUT, retries: 0) do
+        Todo.where(user_id: user_id)
+            .with_state(:done)
+            .each_batch(of: BATCH_DELETE_SIZE) do |batch|
+          batch.each_batch(of: SUB_BATCH_DELETE_SIZE) do |sub_batch|
+            sql = <<~SQL
+              WITH sub_batch AS MATERIALIZED (
+                #{sub_batch.select(:id, :updated_at).limit(SUB_BATCH_DELETE_SIZE).to_sql}
+              ), filtered_relation AS MATERIALIZED (
+                SELECT id FROM sub_batch WHERE updated_at < '#{delete_until.to_fs(:db)}' LIMIT #{SUB_BATCH_DELETE_SIZE}
+              )
+              DELETE FROM todos WHERE id IN (SELECT id FROM filtered_relation)
+            SQL
+
+            Todo.connection.exec_query(sql)
+
+            sleep(pause_ms * 0.001) # Avoid hitting the database too hard
+          end
+
+          next unless runtime_limiter.over_time?
+
+          self.class.perform_in(MAX_RUNTIME, user_id, time)
+
+          break
+        end
+      end
+      # rubocop: enable CodeReuse/ActiveRecord
+    end
+  end
+end

config/sidekiq_queues.yml

@@ -1013,6 +1013,8 @@
   - 1
 - - vulnerabilities_process_bulk_dismissed_events
   - 1
+- - vulnerabilities_process_bulk_redetected_events
+  - 1
 - - vulnerabilities_process_transfer_events
   - 1
 - - vulnerabilities_remove_all_vulnerabilities

doc/administration/backup_restore/backup_gitlab.md

@@ -1119,7 +1119,7 @@ For self-compiled installations:
    If you are using [a managed identity](../object_storage.md#azure-workload-and-managed-identities), omit `azure_storage_access_key`:
 
    ```ruby
-   gitlab_rails['object_store']['connection'] = {
+   gitlab_rails['backup_upload_connection'] = {
      'provider' => 'AzureRM',
      'azure_storage_account_name' => '<AZURE STORAGE ACCOUNT NAME>',
      'azure_storage_domain' => '<AZURE STORAGE DOMAIN>' # Optional

doc/api/graphql/reference/_index.md

@@ -10977,6 +10977,28 @@ Input type: `TodoCreateInput`
 | <a id="mutationtodocreateerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
 | <a id="mutationtodocreatetodo"></a>`todo` | [`Todo`](#todo) | To-do item created. |
 
+### `Mutation.todoDeleteAllDone`
+
+{{< details >}}
+**Introduced** in GitLab 17.11.
+**Status**: Experiment.
+{{< /details >}}
+
+Input type: `TodoDeleteAllDoneInput`
+
+#### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="mutationtododeletealldoneclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="mutationtododeletealldoneclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| <a id="mutationtododeletealldoneerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
+
 ### `Mutation.todoDeleteMany`
 
 {{< details >}}
@@ -43313,9 +43335,10 @@ Types of add-ons.
 
 | Value | Description |
 | ----- | ----------- |
-| <a id="gitlabsubscriptionsaddontypecode_suggestions"></a>`CODE_SUGGESTIONS` | GitLab Duo Pro seat add-on. |
-| <a id="gitlabsubscriptionsaddontypeduo_amazon_q"></a>`DUO_AMAZON_Q` | GitLab Duo with Amazon Q seat add-on. |
-| <a id="gitlabsubscriptionsaddontypeduo_enterprise"></a>`DUO_ENTERPRISE` | GitLab Duo Enterprise seat add-on. |
+| <a id="gitlabsubscriptionsaddontypecode_suggestions"></a>`CODE_SUGGESTIONS` | GitLab Duo Pro add-on. |
+| <a id="gitlabsubscriptionsaddontypeduo_amazon_q"></a>`DUO_AMAZON_Q` | GitLab Duo with Amazon Q add-on. |
+| <a id="gitlabsubscriptionsaddontypeduo_enterprise"></a>`DUO_ENTERPRISE` | GitLab Duo Enterprise add-on. |
+| <a id="gitlabsubscriptionsaddontypeduo_nano"></a>`DUO_NANO` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 18.0. **Status**: Experiment. GitLab Duo Nano add-on. |
 
 ### `GitlabSubscriptionsUserRole`
 

doc/api/oauth2.md

@@ -414,7 +414,7 @@ detailed flow description.
 Resource owner password credentials are disabled for users with
 [two-factor authentication](../user/profile/account/two_factor_authentication.md) turned on
 and [enterprise users](../user/enterprise_user/_index.md)
-with [password authentication disabled for their group](../user/enterprise_user/_index.md#disable-password-authentication-for-enterprise-users).
+with [password authentication disabled for their group](../user/enterprise_user/_index.md#disable-authentication-methods).
 These users can access the API using [personal access tokens](../user/profile/personal_access_tokens.md)
 instead.
 {{< /alert >}}

doc/development/documentation/site_architecture/folder_structure.md

@@ -71,9 +71,9 @@ any stage in the process. The technical writing team reviews all
 documentation changes, regardless, and can move content if there is a better
 place for it.
 
-## Avoid duplication
+## Avoid duplication when possible
 
-Do not include the same information in multiple places.
+When possible, do not include the same information in multiple places.
 Link to a single source of truth instead.
 
 For example, if you have code in a repository other than the [primary repositories](https://gitlab.com/gitlab-org/technical-writing/docs-gitlab-com/-/blob/main/doc/architecture.md),

doc/development/documentation/styleguide/_index.md

@@ -25,9 +25,10 @@ The GitLab documentation is the SSoT for all product information related to impl
 use, and troubleshooting. The documentation evolves continuously. It is updated with
 new products and features, and with improvements for clarity, accuracy, and completeness.
 
-This policy prevents information silos, making it easier to find information
-about GitLab products. It also informs decisions about the kinds of content
-included in the documentation.
+This policy:
+
+- Prevents information silos and makes it easier to find information about GitLab products.
+- Does not mean that content cannot be duplicated in multiple places in the documentation.
 
 ## Topic types
 
@@ -869,10 +870,10 @@ If you use consecutive numbers, you must disable Markdown rule `029`:
 
 ## Links
 
-Links help the docs adhere to the
-[single source of truth](#documentation-is-the-single-source-of-truth-ssot) principle.
+Links are an important way to help readers find what they need.
 
-However, you should avoid putting too many links on any page. Too many links can hinder readability.
+However, most content is found by searching, and you should avoid putting too many links on any page.
+Too many links can hinder readability.
 
 - Do not duplicate links on the same page. For example, on **Page A**, do not link to **Page B** multiple times.
 - Do not use links in headings. Headings that contain links cause errors.

doc/development/documentation/topic_types/tutorial.md

@@ -20,9 +20,7 @@ In general, you might consider using a tutorial when:
   tutorial describes. If they can't replicate it exactly, they should be able
   to replicate something similar.
 - Tutorials do not introduce new features.
-- Tutorials do not need to adhere to the Single Source of Truth tenet. While it's not
-  ideal to duplicate content that is available elsewhere, it's worse to force the reader to
-  leave the page to find what they need.
+- Tutorials can include information that's also available elsewhere on the docs site.
 
 ## Tutorial filename and location
 

doc/user/duo_amazon_q/_index.md

@@ -10,14 +10,14 @@ title: GitLab Duo with Amazon Q
 - Tier: Ultimate
 - Add-on: GitLab Duo with Amazon Q
 - Offering: GitLab Self-Managed
-- Status: Preview/Beta
 
 {{< /details >}}
 
 {{< history >}}
 
 - Introduced as [beta](../../policy/development_stages_support.md#beta) in GitLab 17.7 [with a flag](../../administration/feature_flags.md) named `amazon_q_integration`. Disabled by default.
 - Feature flag `amazon_q_integration` removed in GitLab 17.8.
+- Generally available in GitLab 17.11.
 
 {{< /history >}}
 
@@ -30,12 +30,10 @@ If you have a GitLab Duo Pro or Duo Enterprise add-on, this feature is not avail
 At Re:Invent 2024, Amazon announced the GitLab Duo with Amazon Q integration.
 With this integration, you can automate tasks and increase productivity.
 
-Select GitLab customers have been invited to a test GitLab instance
-so they can start to experiment right away.
-
 ## Set up GitLab Duo with Amazon Q
 
 To access GitLab Duo with Amazon Q, request [access to a lab environment](https://about.gitlab.com/partners/technology-partners/aws/#interest).
+
 Alternately, if you have GitLab 17.8 or later, you can
 [set it up on your GitLab Self-Managed instance](setup.md).
 

doc/user/duo_amazon_q/setup.md

@@ -10,14 +10,14 @@ title: Set up GitLab Duo with Amazon Q
 - Tier: Ultimate
 - Add-on: GitLab Duo with Amazon Q
 - Offering: GitLab Self-Managed
-- Status: Preview/Beta
 
 {{< /details >}}
 
 {{< history >}}
 
 - Introduced as an [experiment](../../policy/development_stages_support.md#experiment) in GitLab 17.7 [with a flag](../../administration/feature_flags.md) named `amazon_q_integration`. Disabled by default.
 - Feature flag `amazon_q_integration` removed in GitLab 17.8.
+- Generally available in GitLab 17.11.
 
 {{< /history >}}
 

doc/user/enterprise_user/_index.md

@@ -307,9 +307,14 @@ includes users' email addresses.
 
 Changing an enterprise user's primary email to an email from a non-verified domain automatically removes the enterprise badge from the account. This does not alter any account roles or permissions for the user, but does limit the group Owner's ability to manage this account.
 
-### Disable password authentication for enterprise users
+### Disable authentication methods
 
-A top-level group Owner can [disable password authentication for enterprise users](../group/saml_sso/_index.md#disable-password-authentication-for-enterprise-users).
+A top-level group Owner can disable specific authentication methods to reduce the security footprint.
+
+Within the top-level group, the Owner can:
+
+- [Disable password authentication](../group/saml_sso/_index.md#disable-password-authentication-for-enterprise-users).
+- [Disable personal access tokens](../../user/profile/personal_access_tokens.md#disable-personal-access-tokens-for-enterprise-users).
 
 ## Related topics