Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

GITALY_SERVER_VERSION

@@ -1 +1 @@
-3bec5af36c5d3304174566c706807806eee8996d
+f16c7c18016d6ffa5ef1cf5eedbf1c01f464ddad

app/assets/javascripts/diffs/components/app.vue

@@ -673,7 +673,7 @@ export default {
       if (delta >= 0 && delta < 1000) {
         this.disableVirtualScroller();
 
-        api.trackRedisHllUserEvent('i_code_review_user_searches_diff');
+        this.trackEvent('i_code_review_user_searches_diff');
         api.trackRedisCounterEvent('diff_searches');
       }
     },

app/assets/javascripts/projects/your_work/components/app.vue

@@ -129,11 +129,20 @@ export default {
       return this.$route.query.sort;
     },
     sort() {
-      if (this.sortQuery) {
+      const sortOptionValues = SORT_OPTIONS.flatMap(({ value }) => [
+        `${value}_${SORT_DIRECTION_ASC}`,
+        `${value}_${SORT_DIRECTION_DESC}`,
+      ]);
+
+      if (this.sortQuery && sortOptionValues.includes(this.sortQuery)) {
         return this.sortQuery;
       }
 
-      return this.initialSort || `${SORT_OPTION_UPDATED.value}_${SORT_DIRECTION_ASC}`;
+      if (sortOptionValues.includes(this.initialSort)) {
+        return this.initialSort;
+      }
+
+      return `${SORT_OPTION_UPDATED.value}_${SORT_DIRECTION_ASC}`;
     },
     activeSortOption() {
       return SORT_OPTIONS.find((sortItem) => this.sort.includes(sortItem.value));

app/graphql/resolvers/projects/user_contributed_projects_resolver.rb

@@ -29,6 +29,10 @@ class UserContributedProjectsResolver < BaseResolver
         required: false,
         description: 'Filter projects by programming language name (case insensitive). For example: "css" or "ruby".'
 
+      before_connection_authorization do |projects, current_user|
+        ::Preloaders::UserMaxAccessLevelInProjectsPreloader.new(projects, current_user).execute
+      end
+
       alias_method :user, :object
 
       def resolve_with_lookahead(**args)

app/graphql/resolvers/user_starred_projects_resolver.rb

@@ -23,6 +23,10 @@ class UserStarredProjectsResolver < BaseResolver
       required: false,
       description: 'Filter projects by programming language name (case insensitive). For example: "css" or "ruby".'
 
+    before_connection_authorization do |projects, current_user|
+      ::Preloaders::UserMaxAccessLevelInProjectsPreloader.new(projects, current_user).execute
+    end
+
     alias_method :user, :object
 
     def resolve_with_lookahead(**args)

config/events/i_code_review_user_searches_diff.yml

@@ -0,0 +1,17 @@
+---
+description: User searches a merge request diff by using the built-in search function in the browser
+internal_events: true
+action: i_code_review_user_searches_diff
+identifiers:
+- project
+- namespace
+- user
+product_group: code_review
+product_categories:
+- code_review_workflow
+milestone: '17.10'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182580
+tiers:
+- free
+- premium
+- ultimate

config/metrics/counts_28d/20210720144005_i_code_review_user_searches_diff_monthly.yml

@@ -9,11 +9,10 @@ status: active
 milestone: '14.2'
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/66522
 time_frame: 28d
-data_source: redis_hll
-instrumentation_class: RedisHLLMetric
-options:
-  events:
-    - i_code_review_user_searches_diff
+data_source: internal_events
+events:
+  - name: i_code_review_user_searches_diff
+    unique: user.id
 data_category: optional
 tiers:
   - free

config/metrics/counts_7d/20210720144005_i_code_review_user_searches_diff_weekly.yml

@@ -9,11 +9,10 @@ status: active
 milestone: '14.2'
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/66522
 time_frame: 7d
-data_source: redis_hll
-instrumentation_class: RedisHLLMetric
-options:
-  events:
-    - i_code_review_user_searches_diff
+data_source: internal_events
+events:
+  - name: i_code_review_user_searches_diff
+    unique: user.id
 data_category: optional
 tiers:
   - free

doc/administration/gitlab_duo_self_hosted/configure_duo_features.md

@@ -93,7 +93,7 @@ To enable self-hosted [beta](../../policy/development_stages_support.md#beta) mo
 1. On the left sidebar, at the bottom, select **Admin**.
 1. Select **GitLab Duo**.
 1. In the **GitLab Duo** section, select **Change configuration**.
-1. Under **Self-hosted AI models**, select **Use self-hosted models features**.
+1. Under **Self-hosted AI models**, select **Use beta self-hosted models features**.
 1. Select **Save changes**.
 
 {{< alert type="note" >}}

doc/ci/jobs/ci_job_token.md

@@ -19,7 +19,7 @@ is revoked and you cannot use the token anymore.
 
 Use a CI/CD job token to authenticate with certain GitLab features from running jobs.
 The token receives the same access level as the user that triggered the pipeline,
-but has [access to fewer resources](#job-token-feature-access) than a personal access token. A user can cause a job to run
+but has [access to fewer resources](#job-token-access) than a personal access token. A user can cause a job to run
 with an action like pushing a commit, triggering a manual job, or being the owner of a scheduled pipeline.
 This user must have a [role that has the required privileges](../../user/permissions.md#cicd)
 to access the resources.
@@ -31,30 +31,30 @@ If a project is public or internal, you can access some features without being o
 For example, you can fetch artifacts from the project's public pipelines.
 This access can also [be restricted](#limit-job-token-scope-for-public-or-internal-projects).
 
-## Job token feature access
-
-The CI/CD job token can only access the following features and API endpoints:
-
-| Feature                                                                                               | Additional details |
-|-------------------------------------------------------------------------------------------------------|--------------------|
-| [Container registry API](../../api/container_registry.md)                                             | The token is scoped to the container registry of the job's project only. |
-| [Container registry](../../user/packages/container_registry/build_and_push_images.md#use-gitlab-cicd) | The `$CI_REGISTRY_PASSWORD` [predefined variable](../variables/predefined_variables.md) is the CI/CD job token. Both are scoped to the container registry of the job's project only. |
-| [Deployments API](../../api/deployments.md)                                                           | `GET` requests are public by default. |
-| [Environments API](../../api/environments.md)                                                         | `GET` requests are public by default. |
-| [Job artifacts API](../../api/job_artifacts.md#get-job-artifacts)                                     | `GET` requests are public by default. |
-| [API endpoint to get the job of a job token](../../api/jobs.md#get-job-tokens-job)                    | To get the job token's job. |
-| [Package registry](../../user/packages/package_registry/_index.md#to-build-packages)                   |         |
-| [Packages API](../../api/packages.md)                                                                 | `GET` requests are public by default. |
-| [Pipeline triggers](../../api/pipeline_triggers.md)                                                   | Used with the `token=` parameter to [trigger a multi-project pipeline](../pipelines/downstream_pipelines.md#trigger-a-multi-project-pipeline-by-using-the-api). |
-| [Update pipeline metadata API endpoint](../../api/pipelines.md#update-pipeline-metadata)              | To update pipeline metadata. |
-| [Release links API](../../api/releases/links.md)                                                      |         |
-| [Releases API](../../api/releases/_index.md)                                                           | `GET` requests are public by default. |
-| [Repositories API](../../api/repositories.md#generate-changelog-data)                                 | Generates changelog data based on commits in a repository. |
-| [Secure files](../secure_files/_index.md#use-secure-files-in-cicd-jobs)                                | The `download-secure-files` tool authenticates with a CI/CD job token by default. |
-| [Terraform plan](../../user/infrastructure/_index.md)                                                  |         |
-
-Other API endpoints are not accessible using a job token. There is [a proposal](https://gitlab.com/groups/gitlab-org/-/epics/3559)
-to redesign the feature for more granular control of access permissions.
+## Job token access
+
+CI/CD job tokens can access the following resources:
+
+| Resource                                                                                              | Notes |
+| ----------------------------------------------------------------------------------------------------- | ----- |
+| [Container registry](../../user/packages/container_registry/build_and_push_images.md#use-gitlab-cicd) | Used as the `$CI_REGISTRY_PASSWORD` [predefined variable](../variables/predefined_variables.md) to authenticate with the container registry associated with the job's project. |
+| [Package registry](../../user/packages/package_registry/_index.md#to-build-packages)                  | Used to authenticate with the registry. |
+| [Terraform module registry](../../user/packages/terraform_module_registry/_index.md)                  | Used to authenticate with the registry. |
+| [Secure files](../secure_files/_index.md#use-secure-files-in-cicd-jobs)                               | Used by the [`download-secure-files`](https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files) tool to use secure files in jobs. |
+| [Container registry API](../../api/container_registry.md)                                             | Can authenticate only with the container registry associated with the job's project. |
+| [Deployments API](../../api/deployments.md)                                                           | Can access all endpoints in this API. |
+| [Environments API](../../api/environments.md)                                                         | Can access all endpoints in this API. |
+| [Jobs API](../../api/jobs.md#get-job-tokens-job)                                                      | Can access only the `GET /job` endpoint. |
+| [Job artifacts API](../../api/job_artifacts.md)                                                       | Can access all endpoints in this API. |
+| [Packages API](../../api/packages.md)                                                                 | Can access all endpoints in this API. |
+| [Pipeline trigger tokens API](../../api/pipeline_triggers.md#trigger-a-pipeline-with-a-token)         | Can access only the `POST /projects/:id/trigger/pipeline` endpoint. |
+| [Pipelines API](../../api/pipelines.md#update-pipeline-metadata)                                      | Can access only the `PUT /projects/:id/pipelines/:pipeline_id/metadata` endpoint. |
+| [Release links API](../../api/releases/links.md)                                                      | Can access all endpoints in this API. |
+| [Releases API](../../api/releases/_index.md)                                                          | Can access all endpoints in this API. |
+| [Repositories API](../../api/repositories.md#generate-changelog-data)                                 | Can access only the `GET /projects/:id/repository/changelog` endpoint. |
+
+An open [proposal](https://gitlab.com/groups/gitlab-org/-/epics/3559) exists to make permissions
+more granular.
 
 ## GitLab CI/CD job token security
 

lib/gitlab/usage_data_counters/hll_redis_key_overrides.yml

@@ -186,3 +186,4 @@ i_container_registry_delete_repository_user-user: i_container_registry_delete_re
 i_container_registry_delete_tag_user-user: i_container_registry_delete_tag_user
 i_container_registry_push_repository_user-user: i_container_registry_push_repository_user
 i_container_registry_push_tag_user-user: i_container_registry_push_tag_user
+i_code_review_user_searches_diff-user: i_code_review_user_searches_diff

lib/gitlab/usage_data_counters/hll_redis_legacy_events.yml

@@ -157,7 +157,6 @@
 - i_code_review_user_resolve_thread_in_issue
 - i_code_review_user_review_requested
 - i_code_review_user_reviewers_changed
-- i_code_review_user_searches_diff
 - i_code_review_user_single_file_diffs
 - i_code_review_user_time_estimate_changed
 - i_code_review_user_time_spent_changed

locale/gitlab.pot

@@ -5406,6 +5406,9 @@ msgstr ""
 msgid "AiPowered|Assign seats"
 msgstr ""
 
+msgid "AiPowered|Beta Self-hosted models"
+msgstr ""
+
 msgid "AiPowered|By turning on these features, you accept the %{linkStart}GitLab Testing Agreement%{linkEnd}."
 msgstr ""
 
@@ -5496,9 +5499,6 @@ msgstr ""
 msgid "AiPowered|Self-hosted AI models"
 msgstr ""
 
-msgid "AiPowered|Self-hosted models"
-msgstr ""
-
 msgid "AiPowered|Setting unavailable"
 msgstr ""
 
@@ -5514,7 +5514,7 @@ msgstr ""
 msgid "AiPowered|Turn on experiment and beta GitLab Duo features"
 msgstr ""
 
-msgid "AiPowered|Use self-hosted models features"
+msgid "AiPowered|Use beta self-hosted models features"
 msgstr ""
 
 msgid "AiPowered|View GitLab Duo settings"
@@ -19820,6 +19820,9 @@ msgstr ""
 msgid "Dependencies|Unknown path"
 msgstr ""
 
+msgid "Dependencies|View dependency paths"
+msgstr ""
+
 msgid "Dependencies|Vulnerabilities"
 msgstr ""
 
@@ -53534,6 +53537,9 @@ msgstr ""
 msgid "SecurityReports|Select dismissal reason"
 msgstr ""
 
+msgid "SecurityReports|Select project"
+msgstr ""
+
 msgid "SecurityReports|Select severity"
 msgstr ""
 

rubocop/cop/gitlab/mark_used_feature_flags.rb

@@ -12,8 +12,8 @@ module Gitlab
       class MarkUsedFeatureFlags < RuboCop::Cop::Base
         include RuboCop::CodeReuseHelpers
 
-        FEATURE_CALLERS = %w[Feature Config::FeatureFlags].freeze
-        FEATURE_METHODS = %i[enabled? disabled?].freeze
+        FEATURE_CALLERS = %w[Feature Config::FeatureFlags Gitlab::AiGateway].freeze
+        FEATURE_METHODS = %i[enabled? disabled? push_feature_flag].freeze
         EXPERIMENT_METHODS = %i[
           experiment
         ].freeze

scripts/undercoverage

@@ -23,8 +23,15 @@ compare_base = ARGV[0]
 compare_base ||= IO.popen(%w[git merge-base origin/master HEAD]) { |p| p.read.chomp }
 coverage_file_path = 'coverage/lcov/gitlab.lcov'
 
+# By default undercover includes Ruby related files and only excludes common paths
+# like test, spec, *_spec.rb
+exclude_file_globs = Undercover::Options::DEFAULT_FILE_EXCLUDE_GLOBS.dup
+# We need to exclude more folders:
+exclude_file_globs.concat %w[ee/spec/* jh/spec/*] # These are specs too
+exclude_file_globs.concat %w[qa/* gem/* vendor/*] # These have own specs
+
 result = if File.exist?(coverage_file_path)
-           Undercover::CLI.run(%W[-c #{compare_base}])
+           Undercover::CLI.run(%W[-c #{compare_base} --exclude-files #{exclude_file_globs.join(',')}])
          else
            warn "#{coverage_file_path} doesn't exist"
            0

spec/frontend/diffs/components/app_spec.js

@@ -39,6 +39,7 @@ import { getDiffFileMock } from 'jest/diffs/mock_data/diff_file';
 import waitForPromises from 'helpers/wait_for_promises';
 import { diffMetadata } from 'jest/diffs/mock_data/diff_metadata';
 import { pinia } from '~/pinia/instance';
+import { useMockInternalEventsTracking } from 'helpers/tracking_internal_events_helper';
 import createDiffsStore from '../create_diffs_store';
 import diffsMockData from '../mock_data/merge_request_diffs';
 
@@ -1158,9 +1159,11 @@ describe('diffs/components/app', () => {
     });
   });
 
-  describe('track "trackRedisHllUserEvent" and "trackRedisCounterEvent" metrics', () => {
+  describe('event tracking', () => {
     let mockGetTime;
 
+    const { bindInternalEventDocument } = useMockInternalEventsTracking();
+
     beforeEach(() => {
       jest.clearAllMocks();
       mockGetTime = jest.spyOn(Date.prototype, 'getTime');
@@ -1178,16 +1181,20 @@ describe('diffs/components/app', () => {
     };
 
     it('should not track metrics if keydownTime is not set', async () => {
+      const { trackEventSpy } = bindInternalEventDocument(wrapper.element);
+
       createComponent({ props: { shouldShow: true } });
 
       await nextTick();
       window.dispatchEvent(new Event('blur'));
 
-      expect(api.trackRedisHllUserEvent).not.toHaveBeenCalled();
+      expect(trackEventSpy).not.toHaveBeenCalled();
       expect(api.trackRedisCounterEvent).not.toHaveBeenCalled();
     });
 
     it('should track metrics if delta is between 0 and 1000ms', async () => {
+      const { trackEventSpy } = bindInternalEventDocument(wrapper.element);
+
       createComponent({ props: { shouldShow: true } });
 
       // delta 500 ms
@@ -1196,11 +1203,13 @@ describe('diffs/components/app', () => {
 
       window.dispatchEvent(new Event('blur'));
 
-      expect(api.trackRedisHllUserEvent).toHaveBeenCalledWith('i_code_review_user_searches_diff');
+      expect(trackEventSpy).toHaveBeenCalledWith('i_code_review_user_searches_diff', {}, undefined);
       expect(api.trackRedisCounterEvent).toHaveBeenCalledWith('diff_searches');
     });
 
     it('should not track metrics if delta is greater than or equal to 1000ms', async () => {
+      const { trackEventSpy } = bindInternalEventDocument(wrapper.element);
+
       createComponent({ props: { shouldShow: true } });
 
       // delta 1050 ms
@@ -1209,11 +1218,13 @@ describe('diffs/components/app', () => {
 
       window.dispatchEvent(new Event('blur'));
 
-      expect(api.trackRedisHllUserEvent).not.toHaveBeenCalled();
+      expect(trackEventSpy).not.toHaveBeenCalled();
       expect(api.trackRedisCounterEvent).not.toHaveBeenCalled();
     });
 
     it('should not track metrics if delta is negative', async () => {
+      const { trackEventSpy } = bindInternalEventDocument(wrapper.element);
+
       createComponent({ props: { shouldShow: true } });
 
       // delta -500 ms
@@ -1222,7 +1233,7 @@ describe('diffs/components/app', () => {
 
       window.dispatchEvent(new Event('blur'));
 
-      expect(api.trackRedisHllUserEvent).not.toHaveBeenCalled();
+      expect(trackEventSpy).not.toHaveBeenCalled();
       expect(api.trackRedisCounterEvent).not.toHaveBeenCalled();
     });
   });