Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

app/assets/javascripts/vue_shared/components/upload_dropzone/upload_dropzone.vue

@@ -208,7 +208,7 @@ export default {
   >
     <slot>
       <button
-        class="card upload-dropzone-card upload-dropzone-border gl-mb-0 gl-h-full gl-w-full gl-items-center gl-justify-center gl-px-5 gl-py-4"
+        class="upload-dropzone-card upload-dropzone-border gl-mb-0 gl-h-full gl-w-full gl-items-center gl-justify-center gl-bg-default gl-px-5 gl-py-4"
         type="button"
         @click="openFileUpload"
         @mouseenter="onMouseEnter"
@@ -257,18 +257,17 @@ export default {
     <transition name="upload-dropzone-fade">
       <div
         v-show="showDropzoneOverlay"
-        class="card gl-absolute gl-flex gl-h-full gl-w-full gl-items-center gl-justify-center gl-p-4"
+        class="gl-absolute gl-flex gl-h-full gl-w-full gl-items-center gl-justify-center gl-p-4"
         :class="{
-          'design-upload-dropzone-overlay gl-z-200 gl-border-1 gl-border-dashed gl-border-blue-500':
-            showUploadDesignOverlay && isDragDataValid,
+          'design-upload-dropzone-overlay gl-z-200': showUploadDesignOverlay && isDragDataValid,
           'upload-dropzone-overlay upload-dropzone-border': !showUploadDesignOverlay,
         }"
       >
         <!-- Design Upload Overlay Style for Work Items -->
         <template v-if="showUploadDesignOverlay">
           <div
             v-if="isDragDataValid && !hideUploadTextOnDragging"
-            class="gl-absolute gl-bottom-6 gl-flex gl-items-center gl-rounded-base gl-bg-blue-950 gl-px-3 gl-py-2 gl-text-white"
+            class="gl-absolute gl-bottom-6 gl-flex gl-items-center gl-rounded-base gl-bg-feedback-strong gl-px-3 gl-py-2 gl-text-feedback-strong gl-shadow-sm"
             data-testid="design-upload-overlay"
           >
             <gl-animated-upload-icon :is-on="true" name="upload" />

app/assets/javascripts/work_items/components/create_work_item.vue

@@ -60,6 +60,7 @@ import {
   WIDGET_TYPE_CUSTOM_FIELDS,
   CUSTOM_FIELDS_TYPE_NUMBER,
   CUSTOM_FIELDS_TYPE_TEXT,
+  WORK_ITEM_TYPE_NAME_ISSUE,
 } from '../constants';
 import createWorkItemMutation from '../graphql/create_work_item.mutation.graphql';
 import namespaceWorkItemTypesQuery from '../graphql/namespace_work_item_types.query.graphql';
@@ -353,6 +354,14 @@ export default {
         return false;
       }
 
+      // Hide Parent widget on Epic or Issue creation according to license permissions
+      if (
+        this.selectedWorkItemTypeName === WORK_ITEM_TYPE_NAME_ISSUE ||
+        this.selectedWorkItemTypeName === WORK_ITEM_TYPE_NAME_EPIC
+      ) {
+        if (!this.validateAllowedParentTypes(this.selectedWorkItemTypeName).length) return false;
+      }
+
       return Boolean(this.workItemHierarchy);
     },
     workItemCrmContacts() {
@@ -578,6 +587,14 @@ export default {
     updateTitle(newValue) {
       this.workItemTitle = newValue;
     },
+    validateAllowedParentTypes(selectedWorkItemType) {
+      return (
+        this.workItemTypes
+          ?.find((type) => type.name === selectedWorkItemType)
+          ?.widgetDefinitions.find((widget) => widget.type === WIDGET_TYPE_HIERARCHY)
+          .allowedParentTypes?.nodes || []
+      );
+    },
     isWidgetSupported(widgetType) {
       const widgetDefinitions =
         this.selectedWorkItemType?.widgetDefinitions?.flatMap((i) => i.type) || [];

app/assets/stylesheets/components/upload_dropzone/upload_dropzone.scss

@@ -13,21 +13,21 @@
 
 .upload-dropzone-border {
   border: 0;
-  @include dropzone-background($gray-400, 2);
+  @include dropzone-background($gl-border-color-default, 2);
   border-radius: $gl-border-radius-base;
 }
 
 .upload-dropzone-card {
   @apply gl-transition-[background,border];
-
+  stroke: $gl-border-color-default;
   @apply gl-text-default;
 
   &:hover,
   &:focus,
   &:focus-within,
   &:active {
     outline: none;
-    @include dropzone-background($blue-500);
+    @include dropzone-background($gl-color-blue-500);
     @apply gl-text-default;
   }
 
@@ -37,9 +37,6 @@
     @apply gl-focus;
   }
 
-  &:hover {
-    border-color: $gray-300;
-  }
 }
 
 .upload-dropzone-overlay,
@@ -48,15 +45,18 @@
   left: 0;
   pointer-events: none;
   opacity: 1;
+  border: 0;
 }
 
 .upload-dropzone-overlay {
-  background-color: $blue-50;
-  @include dropzone-background($blue-500);
+  @apply gl-bg-feedback-info;
+  @include dropzone-background($gl-color-blue-500);
 }
 
 .design-upload-dropzone-overlay {
-  background-color: rgba($blue-500, 0.24);
+  background-color: color-mix(in srgb, var(--gl-color-blue-500) 24%, transparent);
+  @include dropzone-background($gl-color-blue-500);
+  border-radius: $gl-border-radius-base;
 }
 
 // These are composite classes for use with Vue Transition

app/views/admin/runners/_project.html.haml

@@ -3,13 +3,18 @@
 
 %li
   .gl-flex.gl-gap-3
-    .gl-w-6
-      - if assigned
+    - if assigned
+      .gl-min-w-6.gl-w-6
         = sprite_icon('status-success', variant: 'success', css_class: 'gl-mt-3')
+    - else
+      .gl-hidden.md:gl-block.gl-w-6
+
     = render Pajamas::AvatarComponent.new(project, size: 32, avatar_options: { aria: { hidden: "true" } })
-    .gl-flex.gl-flex-col.gl-gap-1.gl-grow
-      %h3.gl-text-base.gl-mt-1.gl-mb-0
+    .gl-grow.gl-self-center
+      %h3.gl-m-0.gl-text-base
         = project.full_name
-      %p.gl-text-sm.gl-text-subtle.gl-mb-0
-        = project.description
-    = yield
+      - if project.description
+        %p.gl-mb-0.gl-text-sm.gl-text-subtle
+          = project.description
+    .gl-self-start
+      = yield

db/post_migrate/20250320203919_schedule_rm_index_merge_request_diffs_on_project_id.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+# See https://docs.gitlab.com/ee/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class ScheduleRmIndexMergeRequestDiffsOnProjectId < Gitlab::Database::Migration[2.2]
+  INDEX_NAME = 'index_merge_request_diffs_on_project_id'
+
+  milestone '17.11'
+
+  def up
+    prepare_async_index_removal :merge_request_diffs, :project_id, name: INDEX_NAME
+  end
+
+  def down
+    unprepare_async_index :merge_request_diffs, :project_id, name: INDEX_NAME
+  end
+end

db/post_migrate/20250403212841_create_async_index_on_merge_request_diff_files_project_id.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class CreateAsyncIndexOnMergeRequestDiffFilesProjectId < Gitlab::Database::Migration[2.2]
+  disable_ddl_transaction!
+
+  milestone '17.11'
+
+  INDEX_NAME = 'index_merge_request_diff_files_on_project_id'
+
+  # rubocop:disable Migration/PreventIndexCreation -- https://gitlab.com/gitlab-org/gitlab/-/issues/512949
+  def up
+    add_concurrent_index :merge_request_diff_files, :project_id, name: INDEX_NAME
+  end
+
+  def down
+    remove_concurrent_index_by_name :merge_request_diff_files, INDEX_NAME
+  end
+end
+# rubocop:enable Migration/PreventIndexCreation

db/schema_migrations/20250320203919

@@ -0,0 +1 @@
+6b5fd827691104b82d1e7e25ef95b91eb9597d11ad386b7d7e0103f76e1c5b68

db/schema_migrations/20250403212841

@@ -0,0 +1 @@
+4664c89faa69430f14b458988b619c5ec93d267317dcfb304576aec13f4119ad

db/structure.sql

@@ -35754,6 +35754,8 @@ CREATE INDEX index_merge_request_diff_details_on_verification_state ON merge_req
 
 CREATE INDEX index_merge_request_diff_details_pending_verification ON merge_request_diff_details USING btree (verified_at NULLS FIRST) WHERE (verification_state = 0);
 
+CREATE INDEX index_merge_request_diff_files_on_project_id ON merge_request_diff_files USING btree (project_id);
+
 CREATE INDEX index_merge_request_diffs_by_id_partial ON merge_request_diffs USING btree (id) WHERE ((files_count > 0) AND ((NOT stored_externally) OR (stored_externally IS NULL)));
 
 CREATE INDEX index_merge_request_diffs_on_external_diff ON merge_request_diffs USING btree (external_diff);

doc/development/database/database_lab.md

@@ -142,7 +142,9 @@ You must have `AllFeaturesUser` [`psql` access](#access-database-lab-engine) to
 
 To access the database lab instances, you must:
 
-- File an [access request](https://handbook.gitlab.com/handbook/it/end-user-services/onboarding-access-requests/access-requests/#individual-or-bulk-access-request).
+- File an [access request](https://handbook.gitlab.com/handbook/it/end-user-services/onboarding-access-requests/access-requests/#individual-or-bulk-access-request), requesting the following:
+  - `AllFeaturesUser` role in Postgres.ai
+  - `db-lab` role in `chef-repo`
 - Have a user data bag entry in [chef-repo](https://gitlab.com/gitlab-com/gl-infra/chef-repo) with your SSH key and the `db-lab` role.
 - Configure `ssh` as follows:
 

doc/user/application_security/sast/_index.md

@@ -513,33 +513,63 @@ For example, to scan a Rust application, you must:
            # include any other file extensions you need to scan from the semgrep-sast template: Jobs/SAST.gitlab-ci.yml
    ```
 
-### Pre-compilation
+### Using pre-compilation with SpotBugs analyzer
 
-Most GitLab SAST analyzers directly scan your source code without compiling it first.
-However, for technical reasons, the SpotBugs-based analyzer scans compiled bytecode.
-
-By default, the SpotBugs-based analyzer automatically attempts to fetch dependencies and compile your code so it can be scanned.
+The SpotBugs-based analyzer scans compiled bytecode for `Groovy` projects. By default, it automatically attempts to fetch dependencies and compile your code so it can be scanned.
 Automatic compilation can fail if:
 
-- your project requires custom build configurations.
-- you use language versions that aren't built into the analyzer.
+- your project requires custom build configurations
+- you use language versions that aren't built into the analyzer
 
 To resolve these issues, you should skip the analyzer's compilation step and directly provide artifacts from an earlier stage in your pipeline instead.
 This strategy is called _pre-compilation_.
 
-To use pre-compilation:
+#### Sharing pre-compiled artifacts
+
+1. Use a compilation job (typically named `build`) to compile your project and store the compiled output as a `job artifact` using [`artifacts: paths`](../../../ci/yaml/_index.md#artifactspaths).
 
-1. Output your project's dependencies to a directory in the project's working directory, then save that directory as an artifact by [setting the `artifacts: paths` configuration](../../../ci/yaml/_index.md#artifactspaths).
-1. Provide the `COMPILE: "false"` CI/CD variable to the analyzer job to disable automatic compilation.
-1. Add your compilation stage as a dependency for the analyzer job.
+   - For `Maven` projects, the output folder is usually the `target` directory
+   - For `Gradle` projects, it's typically the `build` directory
+   - If your project uses a custom output location, set the artifacts path accordingly
 
-To allow the analyzer to recognize the compiled artifacts, you must explicitly specify the path to
-the vendored directory.
-This configuration can vary depending on how the project is set up.
-For Maven projects, you can use `MAVEN_REPO_PATH`.
-See [Analyzer settings](#analyzer-settings) for the complete list of available options.
+1. Disable automatic compilation by setting the `COMPILE: "false"` CI/CD variable in the `spotbugs-sast` job.
 
-The following example pre-compiles a Maven project and provides it to the SpotBugs-based SAST analyzer:
+1. Ensure the `spotbugs-sast` job depends on the compilation job by setting the `dependencies` keyword. This allows the `spotbugs-sast` job to download and use the artifacts created in the compilation job.
+
+The following example pre-compiles a Gradle project and provides the compiled bytecode to the analyzer:
+
+```yaml
+stages:
+  - build
+  - test
+
+include:
+  - template: Jobs/SAST.gitlab-ci.yml
+
+build:
+  image: gradle:7.6-jdk8
+  stage: build
+  script:
+    - gradle build
+  artifacts:
+    paths:
+      - build/
+
+spotbugs-sast:
+  dependencies:
+    - build
+  variables:
+    COMPILE: "false"
+    SECURE_LOG_LEVEL: debug
+```
+
+#### Specifying dependencies (Maven only)
+
+If your project requires external dependencies to be recognized by the analyzer and you're using Maven, you can specify the location of the local repository by using the `MAVEN_REPO_PATH` variable.
+
+Specifying dependencies is only supported for Maven-based projects. Other build tools (for example, Gradle) do not have an equivalent mechanism for specifying dependencies. In that case, ensure that your compiled artifacts include all necessary dependencies.
+
+The following example pre-compiles a Maven project and provides the compiled bytecode along with the dependencies to the analyzer:
 
 ```yaml
 stages:
@@ -565,9 +595,7 @@ spotbugs-sast:
   variables:
     MAVEN_REPO_PATH: $CI_PROJECT_DIR/.m2/repository
     COMPILE: "false"
-  artifacts:
-    reports:
-      sast: gl-sast-report.json
+    SECURE_LOG_LEVEL: debug
 ```
 
 ### Running jobs in merge request pipelines
@@ -796,7 +824,7 @@ Some analyzers can be customized with CI/CD variables.
 | `FAIL_NEVER`                | SpotBugs   | Set to `1` to ignore compilation failure.                                                                                                                                                                                          |
 | `SAST_SEMGREP_METRICS` | Semgrep | Set to `"false"` to disable sending anonymized scan metrics to [r2c](https://semgrep.dev). Default: `true`. |
 | `SAST_SCANNER_ALLOWED_CLI_OPTS`        | Semgrep | CLI options (arguments with value, or flags) that are passed to the underlying security scanner when running scan operation. Only a limited set of [options](#security-scanner-configuration) are accepted. Separate a CLI option and its value using either a blank space or equals (`=`) character. For example: `name1 value1` or `name1=value1`. Multiple options must be separated by blank spaces. For example: `name1 value1 name2 value2`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/368565) in GitLab 15.3. |
-| `SAST_RULESET_GIT_REFERENCE` | All     | Defines a path to a custom ruleset configuration. If a project has a `.gitlab/sast-ruleset.toml` file committed, that local configuration takes precedence and the file from `SAST_RULESET_GIT_REFERENCE` isn’t used. This variable is available for the Ultimate tier only.|
+| `SAST_RULESET_GIT_REFERENCE` | All     | Defines a path to a custom ruleset configuration. If a project has a `.gitlab/sast-ruleset.toml` file committed, that local configuration takes precedence and the file from `SAST_RULESET_GIT_REFERENCE` isn't used. This variable is available for the Ultimate tier only.|
 | `SECURE_ENABLE_LOCAL_CONFIGURATION` | All     | Enables the option to use custom ruleset configuration. If `SECURE_ENABLE_LOCAL_CONFIGURATION` is set to `false`, the project's custom ruleset configuration file at `.gitlab/sast-ruleset.toml` is ignored and the file from `SAST_RULESET_GIT_REFERENCE` or the default configuration takes precedence. |
 
 #### Security scanner configuration

doc/user/application_security/sast/troubleshooting.md

@@ -134,7 +134,7 @@ The SpotBugs-based analyzer is only used for scanning Groovy code, but it may tr
 The solution depends on whether you need to scan Groovy code:
 
 - If you don't have any Groovy code, or don't need to scan it, you should [disable the SpotBugs analyzer](analyzers.md#disable-specific-default-analyzers).
-- If you do need to scan Groovy code, you should use [pre-compilation](_index.md#pre-compilation).
+- If you do need to scan Groovy code, you should use [pre-compilation](_index.md#using-pre-compilation-with-spotbugs-analyzer).
   Pre-compilation avoids these failures by scanning an artifact you've already built in your pipeline, rather than trying to compile it in the `spotbugs-sast` job.
 
 ### Java out of memory error

doc/user/compliance/compliance_frameworks.md

@@ -72,6 +72,16 @@ compliance frameworks to a project.
 If you create compliance frameworks on subgroups with GraphQL, the framework is created on the root ancestor if the user
 has the correct permissions. The GitLab UI presents a read-only view to discourage this behavior.
 
+To apply a compliance framework to a project through a compliance framework:
+
+1. On the left sidebar, select **Search or go to** and find your group.
+1. Select **Secure > Compliance center**.
+1. On the page, select the **Projects** tab.
+1. Hover over a compliance framework, select the **Edit Framework** tab.
+1. Select **Projects** section.
+1. Select projects from the list.
+1. Select **Update Framework**.
+
 ## Default compliance frameworks
 
 {{< history >}}

spec/features/work_items/create_issue_work_item_spec.rb

@@ -24,7 +24,6 @@
         expect(page).to have_selector('[data-testid="work-item-assignees"]')
         expect(page).to have_selector('[data-testid="work-item-labels"]')
         expect(page).to have_selector('[data-testid="work-item-milestone"]')
-        expect(page).to have_selector('[data-testid="work-item-parent"]')
 
         send_keys 'I am a new issue'
         click_button 'Create issue'