Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

.rubocop_todo/rspec/receive_messages.yml

@@ -109,7 +109,6 @@ RSpec/ReceiveMessages:
     - 'ee/spec/models/namespace_setting_spec.rb'
     - 'ee/spec/models/namespaces/storage/enforcement_spec.rb'
     - 'ee/spec/models/project_feature_spec.rb'
-    - 'ee/spec/models/search/zoekt/index_spec.rb'
     - 'ee/spec/models/security/scan_result_policy_read_spec.rb'
     - 'ee/spec/policies/global_policy_spec.rb'
     - 'ee/spec/policies/issue_policy_spec.rb'

CHANGELOG.md

@@ -2,6 +2,17 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 17.6.1 (2024-11-26)
+
+### Security (6 changes)
+
+- [Add size check for harbor registry](https://gitlab.com/gitlab-org/security/gitlab/-/commit/48579cdb744f994dc0fb2b4f96b1ada3e94a59e6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4614))
+- [Adding JobArtifactReport class to pre-emptively validate job artifacts](https://gitlab.com/gitlab-org/security/gitlab/-/commit/83f0e6c1ea1ea6a82e8cf7bdfec0944990f8ec23) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4616))
+- [Fix: unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/security/gitlab/-/commit/302ed663e0d9a68c413732e9d7a260b6be1b477d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4621))
+- [Allow a LFS token to be used only for LFS related requests](https://gitlab.com/gitlab-org/security/gitlab/-/commit/800c79606ab237536ea5cf9a29e541855fc01477) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4613))
+- [Fix possible DOS with TOML file parsing](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7b6057a43cd11aae5a5e8f2f91c76a90a4310ec2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4617))
+- [Move allow_access_with_scope to class level](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b70cb1e7d430bbbcd8da22b33e7d07cb136189d7) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4610))
+
 ## 17.6.0 (2024-11-20)
 
 ### Added (181 changes)
@@ -984,6 +995,21 @@ entry.
 - [Quarantine a flaky test](https://gitlab.com/gitlab-org/gitlab/-/commit/7427f68ca476bd1294900155a2a93b470ef888a6) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/165742))
 - [Quarantine a flaky test](https://gitlab.com/gitlab-org/gitlab/-/commit/81ccade46593d99c938fd8ab03c2e299f6f62377) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164711))
 
+## 17.5.3 (2024-11-26)
+
+### Fixed (1 change)
+
+- [Ensure auto_merge_enabled is set when validating merge trains](https://gitlab.com/gitlab-org/security/gitlab/-/commit/91ef505e1e984525a22a92fefc6e88bfd6b55a14) **GitLab Enterprise Edition**
+
+### Security (6 changes)
+
+- [Add size check for harbor registry](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7aea8120573400b49f7cf99dfa775604a2c8255f) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4599))
+- [Adding JobArtifactReport class to pre-emptively validate job artifacts](https://gitlab.com/gitlab-org/security/gitlab/-/commit/6702ca1b2f320429abf67741b70a969b8dee4185) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4568))
+- [Fix: unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/security/gitlab/-/commit/793476f8556c7db20633093e993298e8247ed1d4) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4550))
+- [Allow a LFS token to be used only for LFS related requests](https://gitlab.com/gitlab-org/security/gitlab/-/commit/bc1281f297568cffe9f9ef9c4ddfdeb819dbc319) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4582))
+- [Fix possible DOS with TOML file parsing](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7938b04aeae9ed9b6f75429367613df4b57d12b3) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4590))
+- [Move allow_access_with_scope to class level](https://gitlab.com/gitlab-org/security/gitlab/-/commit/31ee3de85aa7a92e6ade8cb3a6dab69505d3cee6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4611))
+
 ## 17.5.2 (2024-11-12)
 
 ### Fixed (4 changes)
@@ -1738,6 +1764,17 @@ entry.
 - [Adjust signup page items for more clarity](https://gitlab.com/gitlab-org/gitlab/-/commit/e272c8a4c7b243758454d6f15363d0c13ca05c04) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/165202)) **GitLab Enterprise Edition**
 - [Removes Unused CSS class](https://gitlab.com/gitlab-org/gitlab/-/commit/4e17154650ee4afc8b1ae4238d27efb908855a19) by @NIKU-SINGH ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164637))
 
+## 17.4.5 (2024-11-26)
+
+### Security (6 changes)
+
+- [Add size check for harbor registry](https://gitlab.com/gitlab-org/security/gitlab/-/commit/93805df2b9133610fe045d610c17bec383b990aa) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4600))
+- [Adding JobArtifactReport class to pre-emptively validate job artifacts](https://gitlab.com/gitlab-org/security/gitlab/-/commit/abd3445326649da3da1a32e216f607545c6c9225) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4569))
+- [Fix: unsubscribe from actioncable channel when PAT is revoked](https://gitlab.com/gitlab-org/security/gitlab/-/commit/22187161c0d97776307d6693151495b340bb3824) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4554))
+- [Allow a LFS token to be used only for LFS related requests](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8f04fa2b2ad7366f657bd4b2b8c3924d8f151b59) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4583))
+- [Fix possible DOS with TOML file parsing](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4288df0f8fdd834a803295d0f9b3c8d2a8f1395e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4589))
+- [Move allow_access_with_scope to class level](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5fa7098500495b435f3de740e2768f5f6d24c8db) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4612))
+
 ## 17.4.4 (2024-11-12)
 
 ### Fixed (4 changes)

GITALY_SERVER_VERSION

@@ -1 +1 @@
-8772e7bbd79d8fd2ba9137eef510b22fa2f8382f
+275f2266ac911d785aaf7f5f79dd76240f372a7f

app/assets/javascripts/access_level/constants.js

@@ -116,6 +116,7 @@ export const ACCESS_LEVEL_LABELS = {
   [ACCESS_LEVEL_NO_ACCESS_INTEGER]: ACCESS_LEVEL_NO_ACCESS,
   [ACCESS_LEVEL_MINIMAL_ACCESS_INTEGER]: ACCESS_LEVEL_MINIMAL_ACCESS,
   [ACCESS_LEVEL_GUEST_INTEGER]: ACCESS_LEVEL_GUEST,
+  [ACCESS_LEVEL_PLANNER_INTEGER]: ACCESS_LEVEL_PLANNER,
   [ACCESS_LEVEL_REPORTER_INTEGER]: ACCESS_LEVEL_REPORTER,
   [ACCESS_LEVEL_DEVELOPER_INTEGER]: ACCESS_LEVEL_DEVELOPER,
   [ACCESS_LEVEL_MAINTAINER_INTEGER]: ACCESS_LEVEL_MAINTAINER,

app/assets/javascripts/ide/init_gitlab_web_ide.js

@@ -59,6 +59,8 @@ export const initGitlabWebIDE = async (el) => {
         'X-Requested-With': 'XMLHttpRequest',
       };
 
+  const isLanguageServerEnabled = gon.features.webIdeLanguageServer || false;
+
   try {
     // See ClientOnlyConfig https://gitlab.com/gitlab-org/gitlab-web-ide/-/blob/main/packages/web-ide-types/src/config.ts#L17
     await start(rootEl, {
@@ -80,6 +82,7 @@ export const initGitlabWebIDE = async (el) => {
       },
       featureFlags: {
         crossOriginExtensionHost: getCrossOriginExtensionHostFlagValue(extensionsGallerySettings),
+        languageServerWebIDE: isLanguageServerEnabled,
       },
       editorFont,
       extensionsGallerySettings,

app/assets/javascripts/pages/projects/blob/show/index.js

@@ -1,11 +1,13 @@
 import Vue from 'vue';
 // eslint-disable-next-line no-restricted-imports
 import Vuex from 'vuex';
+import { GlButton } from '@gitlab/ui';
 import VueApollo from 'vue-apollo';
 import VueRouter from 'vue-router';
 import { provideWebIdeLink } from 'ee_else_ce/pages/projects/shared/web_ide_link/provide_web_ide_link';
 import TableOfContents from '~/blob/components/table_contents.vue';
 import { BlobViewer, initAuxiliaryViewer } from '~/blob/viewer/index';
+import { __ } from '~/locale';
 import GpgBadges from '~/gpg_badges';
 import createDefaultClient from '~/lib/graphql';
 import initBlob from '~/pages/projects/init_blob';
@@ -16,6 +18,7 @@ import BlobContentViewer from '~/repository/components/blob_content_viewer.vue';
 import '~/sourcegraph/load';
 import createStore from '~/code_navigation/store';
 import { generateRefDestinationPath } from '~/repository/utils/ref_switcher_utils';
+import { generateHistoryUrl } from '~/repository/utils/url_utility';
 import RefSelector from '~/ref/components/ref_selector.vue';
 import { joinPaths, visitUrl } from '~/lib/utils/url_utility';
 import { parseBoolean } from '~/lib/utils/common_utils';
@@ -205,3 +208,30 @@ if (tableContentsEl) {
     },
   });
 }
+
+const treeHistoryLinkEl = document.getElementById('js-commit-history-link');
+if (treeHistoryLinkEl) {
+  const { historyLink } = treeHistoryLinkEl.dataset;
+  // eslint-disable-next-line no-new
+  new Vue({
+    el: treeHistoryLinkEl,
+    router,
+    render(h) {
+      const url = generateHistoryUrl(
+        historyLink,
+        this.$route.params.path,
+        this.$route.meta.refType || this.$route.query.ref_type,
+      );
+      return h(
+        GlButton,
+        {
+          attrs: {
+            href: url.href,
+            category: 'tertiary',
+          },
+        },
+        [__('History')],
+      );
+    },
+  });
+}

app/assets/javascripts/repository/components/header_area.vue

@@ -8,7 +8,6 @@ import { sanitize } from '~/lib/dompurify';
 import { InternalEvents } from '~/tracking';
 import { FIND_FILE_BUTTON_CLICK } from '~/tracking/constants';
 import { visitUrl, joinPaths } from '~/lib/utils/url_utility';
-import { generateHistoryUrl } from '~/repository/utils/url_utility';
 import { generateRefDestinationPath } from '~/repository/utils/ref_switcher_utils';
 import RefSelector from '~/ref/components/ref_selector.vue';
 import Breadcrumbs from '~/repository/components/header_area/breadcrumbs.vue';
@@ -19,7 +18,6 @@ export default {
   i18n: {
     compare: __('Compare'),
     findFile: __('Find file'),
-    history: __('History'),
   },
   components: {
     GlButton,
@@ -63,10 +61,6 @@ export default {
       required: false,
       default: null,
     },
-    historyLink: {
-      type: String,
-      required: true,
-    },
     projectId: {
       type: String,
       required: true,
@@ -76,15 +70,6 @@ export default {
     isTreeView() {
       return this.$route.name !== 'blobPathDecoded';
     },
-    historyPath() {
-      const url = generateHistoryUrl(
-        this.historyLink,
-        this.$route.params.path,
-        this.$route.meta.refType || this.$route.query.ref_type,
-      );
-
-      return url.href;
-    },
     getRefType() {
       return this.$route.query.ref_type;
     },
@@ -166,9 +151,6 @@ export default {
         class="shortcuts-compare"
         >{{ $options.i18n.compare }}</gl-button
       >
-      <gl-button v-if="!isReadmeView" :href="historyPath" data-testid="tree-history-control">{{
-        $options.i18n.history
-      }}</gl-button>
       <gl-button
         v-gl-tooltip.html="findFileTooltip"
         :aria-keyshortcuts="findFileShortcutKey"

app/assets/javascripts/repository/components/header_area/blob_controls.vue

@@ -177,7 +177,12 @@ export default {
       {{ $options.i18n.blame }}
     </gl-button>
 
-    <gl-button data-testid="history" :href="blobInfo.historyPath" :class="$options.buttonClassList">
+    <gl-button
+      data-testid="history"
+      :href="blobInfo.historyPath"
+      :class="$options.buttonClassList"
+      class="gl-block sm:gl-hidden"
+    >
       {{ $options.i18n.history }}
     </gl-button>
 

app/assets/javascripts/repository/components/last_commit.vue

@@ -67,6 +67,11 @@ export default {
       required: false,
       default: null,
     },
+    historyUrl: {
+      type: String,
+      required: false,
+      default: '',
+    },
   },
   data() {
     return {
@@ -108,17 +113,18 @@ export default {
 
 <template>
   <gl-loading-icon v-if="isLoading" size="md" color="dark" class="m-auto gl-min-h-8 gl-py-6" />
+
   <commit-info v-else-if="commit" :commit="commit">
-    <div class="commit-actions gl-flex-align gl-flex gl-flex-row gl-items-center">
+    <div class="commit-actions gl-flex gl-items-start">
       <signature-badge v-if="commit.signature" :signature="commit.signature" />
-      <div v-if="commit.pipeline" class="gl-ml-5">
+      <div v-if="commit.pipeline" class="gl-ml-5 gl-flex gl-h-7 gl-items-center">
         <ci-icon
           :status="commit.pipeline.detailedStatus"
           :aria-label="statusTitle"
           class="js-commit-pipeline"
         />
       </div>
-      <gl-button-group class="js-commit-sha-group gl-ml-4">
+      <gl-button-group class="js-commit-sha-group gl-ml-4 gl-flex gl-items-center">
         <gl-button label class="gl-font-monospace" data-testid="last-commit-id-label">{{
           showCommitId
         }}</gl-button>
@@ -128,6 +134,14 @@ export default {
           class="input-group-text"
         />
       </gl-button-group>
+      <gl-button
+        category="tertiary"
+        data-testid="last-commit-history"
+        :href="historyUrl"
+        class="gl-ml-4"
+      >
+        {{ __('History') }}
+      </gl-button>
     </div>
   </commit-info>
 </template>

app/assets/javascripts/repository/index.js

@@ -116,16 +116,24 @@ export default function setupVueRepositoryList() {
     });
   };
 
+  const lastCommitEl = document.getElementById('js-last-commit');
+
   const initLastCommitApp = () =>
     new Vue({
-      el: document.getElementById('js-last-commit'),
+      el: lastCommitEl,
       router,
       apolloProvider,
       render(h) {
+        const historyUrl = generateHistoryUrl(
+          lastCommitEl.dataset.historyLink,
+          this.$route.params.path,
+          this.$route.meta.refType || this.$route.query.ref_type,
+        );
         return h(LastCommit, {
           props: {
             currentPath: this.$route.params.path,
             refType: this.$route.meta.refType || this.$route.query.ref_type,
+            historyUrl: historyUrl.href,
           },
         });
       },

app/assets/javascripts/repository/init_header_app.js

@@ -8,7 +8,6 @@ export default function initHeaderApp(isReadmeView = false) {
   const headerEl = document.getElementById('js-repository-blob-header-app');
   if (headerEl) {
     const {
-      historyLink,
       ref,
       escapedRef,
       refType,
@@ -58,7 +57,6 @@ export default function initHeaderApp(isReadmeView = false) {
           props: {
             refType,
             currentRef: ref,
-            historyLink,
             // BlobControls:
             projectPath,
             // RefSelector:

app/assets/javascripts/repository/utils/url_utility.js

@@ -4,7 +4,10 @@ export function generateHistoryUrl(historyLink, path, refType) {
   const url = new URL(window.location.href);
 
   url.pathname = joinPaths(historyLink, path ? escapeFileUrl(path) : '');
-  url.searchParams.set('ref_type', refType);
+
+  if (refType) {
+    url.searchParams.set('ref_type', refType);
+  }
 
   return url;
 }

app/assets/javascripts/vue_merge_request_widget/components/states/commit_message_dropdown.vue

@@ -43,7 +43,6 @@ export default {
 
 <template>
   <gl-button-group>
-    {{ aiCommitMessageEnabled }}
     <ai-commit-message
       v-if="aiCommitMessageEnabled"
       :id="mrId"