Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

.gitlab/CODEOWNERS

@@ -1653,8 +1653,9 @@ ee/lib/gitlab/llm/chain/agents/single_action_executor.rb
 ee/lib/gitlab/llm/chain/streamed_zero_shot_answer.rb
 ee/lib/gitlab/llm/completions/chat.rb
 
-[Code Suggestions] @code-creation-team/backend-engineers
+[Code Suggestions] @jprovaznik @ck3g @acook.gitlab @partiaga @lma-git @missy-gitlab @tgao3701908 @emeraldjayde @squadri
 ee/lib/api/code_suggestions.rb
+ee/lib/ai/additional_context.rb
 ee/lib/code_suggestions/
 ee/lib/ai/context/dependencies/
 ee/app/services/ai/repository_xray/

GITLAB_KAS_VERSION

@@ -1 +1 @@
-14515d822147fed159ea9d11ab04f097630ef075
+456a8af358cfde87bef3b63373bdf8b7b3ab9032

Gemfile.checksum

@@ -98,6 +98,7 @@
 {"name":"crystalball","version":"0.7.0","platform":"ruby","checksum":"6e729f372a5071daec877adb40c5df4cb25fe21f350635e2a9624373fc151ef2"},
 {"name":"css_parser","version":"1.14.0","platform":"ruby","checksum":"f2ce6148cd505297b07bdbe7a5db4cce5cf530071f9b732b9a23538d6cdc0113"},
 {"name":"cssbundling-rails","version":"1.4.1","platform":"ruby","checksum":"4b21273d627b21890da9155c88c67efc9274373d8b0add09149c262cf56c7ce1"},
+{"name":"csv","version":"3.3.0","platform":"ruby","checksum":"0bbd1defdc31134abefed027a639b3723c2753862150f4c3ee61cab71b20d67d"},
 {"name":"cvss-suite","version":"3.0.1","platform":"ruby","checksum":"b5ca9e9e94032a42fd0dc28c1e305378b62c949e35ed7111fc4a1d76f68ad3f9"},
 {"name":"danger","version":"9.4.2","platform":"ruby","checksum":"43e552c6731030235a30fdeafe703d2e2ab9c30917154489cb0ecd9ad3259d80"},
 {"name":"danger-gitlab","version":"8.0.0","platform":"ruby","checksum":"497dd7d0f6513913de651019223d8058cf494df10acbd17de92b175dfa04a3a8"},
@@ -334,7 +335,7 @@
 {"name":"ice_cube","version":"0.16.4","platform":"ruby","checksum":"da117e5de24bdc33931be629f9b55048641924442c7e9b72fedc05e5592531b7"},
 {"name":"ice_nine","version":"0.11.2","platform":"ruby","checksum":"5d506a7d2723d5592dc121b9928e4931742730131f22a1a37649df1c1e2e63db"},
 {"name":"imagen","version":"0.1.8","platform":"ruby","checksum":"fde7b727d4fe79c6bb5ac46c1f7184bf87a6d54df54d712ad2be039d2f93a162"},
-{"name":"influxdb-client","version":"3.1.0","platform":"ruby","checksum":"5e9dc505babd55352858e8a96fa42e152af37b22f1da83df02704405f3c801c8"},
+{"name":"influxdb-client","version":"3.2.0","platform":"ruby","checksum":"dc1e8ec80542f64c9f31af6d9bfa4c147474bf32b9179a7f0cab970793b8e1f2"},
 {"name":"invisible_captcha","version":"2.1.0","platform":"ruby","checksum":"02b452f3eb1b691d155ba3e8e97e1be0e6b6be62e8bc94957234b9cde0852b1e"},
 {"name":"io-event","version":"1.6.5","platform":"ruby","checksum":"5da4c044ac5f411563da1a4743d28c8d30d7802e29370db42139a52b807b4ce2"},
 {"name":"ipaddr","version":"1.2.5","platform":"ruby","checksum":"4e679c71d6d8ed99f925487082f70f9a958de155591caa0e7f6cef9aa160f17a"},

Gemfile.lock

@@ -473,6 +473,7 @@ GEM
       addressable
     cssbundling-rails (1.4.1)
       railties (>= 6.0.0)
+    csv (3.3.0)
     cvss-suite (3.0.1)
     danger (9.4.2)
       claide (~> 1.0)
@@ -1017,7 +1018,8 @@ GEM
     ice_nine (0.11.2)
     imagen (0.1.8)
       parser (>= 2.5, != 2.5.1.1)
-    influxdb-client (3.1.0)
+    influxdb-client (3.2.0)
+      csv
     invisible_captcha (2.1.0)
       rails (>= 5.2)
     io-event (1.6.5)

Gemfile.next.checksum

@@ -98,6 +98,7 @@
 {"name":"crystalball","version":"0.7.0","platform":"ruby","checksum":"6e729f372a5071daec877adb40c5df4cb25fe21f350635e2a9624373fc151ef2"},
 {"name":"css_parser","version":"1.14.0","platform":"ruby","checksum":"f2ce6148cd505297b07bdbe7a5db4cce5cf530071f9b732b9a23538d6cdc0113"},
 {"name":"cssbundling-rails","version":"1.4.1","platform":"ruby","checksum":"4b21273d627b21890da9155c88c67efc9274373d8b0add09149c262cf56c7ce1"},
+{"name":"csv","version":"3.3.0","platform":"ruby","checksum":"0bbd1defdc31134abefed027a639b3723c2753862150f4c3ee61cab71b20d67d"},
 {"name":"cvss-suite","version":"3.0.1","platform":"ruby","checksum":"b5ca9e9e94032a42fd0dc28c1e305378b62c949e35ed7111fc4a1d76f68ad3f9"},
 {"name":"danger","version":"9.4.2","platform":"ruby","checksum":"43e552c6731030235a30fdeafe703d2e2ab9c30917154489cb0ecd9ad3259d80"},
 {"name":"danger-gitlab","version":"8.0.0","platform":"ruby","checksum":"497dd7d0f6513913de651019223d8058cf494df10acbd17de92b175dfa04a3a8"},
@@ -335,7 +336,7 @@
 {"name":"ice_cube","version":"0.16.4","platform":"ruby","checksum":"da117e5de24bdc33931be629f9b55048641924442c7e9b72fedc05e5592531b7"},
 {"name":"ice_nine","version":"0.11.2","platform":"ruby","checksum":"5d506a7d2723d5592dc121b9928e4931742730131f22a1a37649df1c1e2e63db"},
 {"name":"imagen","version":"0.1.8","platform":"ruby","checksum":"fde7b727d4fe79c6bb5ac46c1f7184bf87a6d54df54d712ad2be039d2f93a162"},
-{"name":"influxdb-client","version":"3.1.0","platform":"ruby","checksum":"5e9dc505babd55352858e8a96fa42e152af37b22f1da83df02704405f3c801c8"},
+{"name":"influxdb-client","version":"3.2.0","platform":"ruby","checksum":"dc1e8ec80542f64c9f31af6d9bfa4c147474bf32b9179a7f0cab970793b8e1f2"},
 {"name":"invisible_captcha","version":"2.1.0","platform":"ruby","checksum":"02b452f3eb1b691d155ba3e8e97e1be0e6b6be62e8bc94957234b9cde0852b1e"},
 {"name":"io-console","version":"0.7.2","platform":"java","checksum":"73aa382f8832b116613ceaf57b8ff5bf73dfedcaf39f0aa5420e10f63a4543ed"},
 {"name":"io-console","version":"0.7.2","platform":"ruby","checksum":"f0dccff252f877a4f60d04a4dc6b442b185ebffb4b320ab69212a92b48a7a221"},

Gemfile.next.lock

@@ -482,6 +482,7 @@ GEM
       addressable
     cssbundling-rails (1.4.1)
       railties (>= 6.0.0)
+    csv (3.3.0)
     cvss-suite (3.0.1)
     danger (9.4.2)
       claide (~> 1.0)
@@ -1027,7 +1028,8 @@ GEM
     ice_nine (0.11.2)
     imagen (0.1.8)
       parser (>= 2.5, != 2.5.1.1)
-    influxdb-client (3.1.0)
+    influxdb-client (3.2.0)
+      csv
     invisible_captcha (2.1.0)
       rails (>= 5.2)
     io-console (0.7.2)

app/assets/javascripts/lib/utils/error_utils.js

@@ -1,22 +1,6 @@
 import { isEmpty, isString, isObject } from 'lodash';
 import { sprintf, __ } from '~/locale';
 
-export class ActiveModelError extends Error {
-  constructor(errorAttributeMap = {}, ...params) {
-    // Pass remaining arguments (including vendor specific ones) to parent constructor
-    super(...params);
-
-    // Maintains proper stack trace for where our error was thrown (only available on V8)
-    if (Error.captureStackTrace) {
-      Error.captureStackTrace(this, ActiveModelError);
-    }
-
-    this.name = 'ActiveModelError';
-    // Custom debugging information
-    this.errorAttributeMap = errorAttributeMap;
-  }
-}
-
 const DEFAULT_ERROR = {
   message: __('Something went wrong. Please try again.'),
   links: {},
@@ -94,8 +78,7 @@ function getMessageFromErrorString(errorString, errorDictionary = {}) {
 }
 
 /**
- * Receives an Error and attempts to extract the `errorAttributeMap` in
- * case it is an `ActiveModelError` and returns the message if it exists.
+ * Receives an Error and attempts to extract the `errorAttributeMap`
  * If a match is not found it will attempt to map a message from the
  * Error.message to be returned.
  * Otherwise, it will return a general error message.

app/components/pajamas/single_stat_component.html.haml

@@ -1,10 +1,10 @@
-.gl-single-stat.gl-flex.gl-flex-col.gl-p-2
-  .gl-flex.gl-items-center.gl-text-gray-700.gl-mb-2
+.gl-single-stat.gl-flex.gl-flex-col.gl-py-2
+  .gl-flex.gl-items-center.gl-text-gray-700.gl-mb-4
     - if title_icon?
       = sprite_icon(@title_icon, css_class: 'gl-mr-2')
-    %span.gl-text-base.gl-font-normal{ data: { testid: 'title-text' } }
+    %span.gl-text-base.gl-font-normal.gl-text-subtle{ data: { testid: 'title-text' } }
       = title || @title
-  .gl-single-stat-content.gl-flex.gl-items-baseline.gl-font-bold.gl-text-gray-900
+  .gl-single-stat-content.gl-flex.gl-items-baseline.gl-font-bold.gl-text-gray-900.gl-mb-4
     %span.gl-single-stat-number.gl-leading-1{ class: unit_class, data: { testid: 'displayValue' } }
       %span{ data: { testid: @stat_value_testid } }
         = stat_value || @stat_value

app/controllers/concerns/groups/params.rb

@@ -19,7 +19,6 @@ def group_params_attributes
         :emails_disabled,
         :emails_enabled,
         :show_diff_preview_in_email,
-        :token_expiry_notify_inherited,
         :mentions_disabled,
         :lfs_enabled,
         :name,
@@ -51,6 +50,8 @@ def group_params_attributes
         :remove_dormant_members,
         :remove_dormant_members_period,
         :resource_access_token_creation_allowed,
+        :resource_access_token_notify_inherited,
+        :lock_resource_access_token_notify_inherited,
         :prevent_sharing_groups_outside_hierarchy,
         :setup_for_company,
         :jobs_to_be_done,

app/graphql/subscriptions/base_subscription.rb

@@ -5,6 +5,8 @@ class BaseSubscription < GraphQL::Schema::Subscription
     object_class Types::BaseObject
     field_class Types::BaseField
 
+    UNAUTHORIZED_ERROR_MESSAGE = 'Unauthorized subscription'
+
     def initialize(object:, context:, field:)
       super
 
@@ -33,7 +35,7 @@ def authorized?(*)
     def unauthorized!
       unsubscribe if context.query.subscription_update?
 
-      raise GraphQL::ExecutionError, 'Unauthorized subscription'
+      raise GraphQL::ExecutionError, UNAUTHORIZED_ERROR_MESSAGE
     end
 
     def current_user

app/helpers/application_settings_helper.rb

@@ -481,6 +481,8 @@ def visible_attributes
       :keep_latest_artifact,
       :whats_new_variant,
       :user_deactivation_emails_enabled,
+      :resource_access_token_notify_inherited,
+      :lock_resource_access_token_notify_inherited,
       :sentry_enabled,
       :sentry_dsn,
       :sentry_clientside_dsn,
@@ -512,7 +514,6 @@ def visible_attributes
       :allow_runner_registration_token,
       :user_defaults_to_private_profile,
       :deactivation_email_additional_text,
-      :resource_token_expiry_inherited_members,
       :projects_api_rate_limit_unauthenticated,
       :group_api_limit,
       :group_invited_groups_api_limit,

app/models/application_setting.rb

@@ -672,15 +672,16 @@ def self.kroki_formats_attributes
 
   validates :sign_in_restrictions, json_schema: { filename: 'application_setting_sign_in_restrictions' }
 
-  validates :rate_limits, json_schema: { filename: "application_setting_rate_limits" }
-
-  validates :importers, json_schema: { filename: "application_setting_importers" }
-
   jsonb_accessor :transactional_emails,
-    resource_token_expiry_inherited_members: [:boolean, { default: true }]
+    resource_access_token_notify_inherited: [:boolean, { default: false }],
+    lock_resource_access_token_notify_inherited: [:boolean, { default: false }]
 
   validates :transactional_emails, json_schema: { filename: "application_setting_transactional_emails" }
 
+  validates :rate_limits, json_schema: { filename: "application_setting_rate_limits" }
+
+  validates :importers, json_schema: { filename: "application_setting_importers" }
+
   jsonb_accessor :package_registry, nuget_skip_metadata_url_validation: [:boolean, { default: false }]
 
   validates :package_registry, json_schema: { filename: 'application_setting_package_registry' }

app/models/application_setting_implementation.rb

@@ -168,8 +168,9 @@ def defaults # rubocop:disable Metrics/AbcSize
         repository_storages_weighted: { 'default' => 100 },
         require_admin_approval_after_user_signup: true,
         require_two_factor_authentication: false,
-        resource_token_expiry_inherited_members: true,
         resource_usage_limits: {},
+        resource_access_token_notify_inherited: false,
+        lock_resource_access_token_notify_inherited: false,
         restricted_visibility_levels: Settings.gitlab['restricted_visibility_levels'],
         rsa_key_restriction: default_min_key_size(:rsa),
         session_expire_delay: Settings.gitlab['session_expire_delay'],

app/models/ci/job_token/authorization.rb

@@ -9,6 +9,8 @@
 module Ci
   module JobToken
     class Authorization < Ci::ApplicationRecord
+      extend Gitlab::InternalEventsTracking
+
       self.table_name = 'ci_job_token_authorizations'
 
       belongs_to :origin_project, class_name: 'Project' # where the job token came from
@@ -22,9 +24,18 @@ class Authorization < Ci::ApplicationRecord
 
       # Record in SafeRequestStore a cross-project access attempt
       def self.capture(origin_project:, accessed_project:)
+        label = origin_project == accessed_project ? 'same-project' : 'cross-project'
+        track_internal_event(
+          'authorize_job_token_with_disabled_scope',
+          project: accessed_project,
+          additional_properties: {
+            label: label
+          }
+        )
+
         # Skip self-referential accesses as they are always allowed and don't need
         # to be logged neither added to the allowlist.
-        return if origin_project == accessed_project
+        return if label == 'same-project'
 
         # We are tracking an attempt of cross-project utilization but we
         # are not yet persisting this log until a request successfully

app/models/doorkeeper/access_grant.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Doorkeeper # rubocop:disable Gitlab/NamespacedClass,Gitlab/BoundedContexts -- Override from a gem
+  class AccessGrant < ApplicationRecord
+    include ::Doorkeeper::Orm::ActiveRecord::Mixins::AccessGrant
+    include SafelyChangeColumnDefault
+
+    columns_changing_default :organization_id
+
+    belongs_to :organization, class_name: 'Organizations::Organization', optional: false
+    has_one :openid_request,
+      class_name: 'Doorkeeper::OpenidConnect::Request',
+      inverse_of: :access_grant
+  end
+end

app/models/doorkeeper/access_token.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+# Original file https://github.com/doorkeeper-gem/doorkeeper/blob/main/lib/doorkeeper/orm/active_record/access_token.rb
+
+module Doorkeeper # rubocop:disable Gitlab/NamespacedClass,Gitlab/BoundedContexts -- Override from a gem
+  class AccessToken < ::ApplicationRecord
+    include Doorkeeper::Orm::ActiveRecord::Mixins::AccessToken
+    include SafelyChangeColumnDefault
+
+    columns_changing_default :organization_id
+
+    belongs_to :organization, class_name: 'Organizations::Organization', optional: false
+  end
+end

app/models/doorkeeper/device_authorization_grant/device_grant.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Doorkeeper # rubocop:disable Gitlab/NamespacedClass,Gitlab/BoundedContexts -- Override from a gem
+  module DeviceAuthorizationGrant
+    class DeviceGrant < ApplicationRecord
+      include Doorkeeper::DeviceAuthorizationGrant::DeviceGrantMixin
+      include SafelyChangeColumnDefault
+
+      columns_changing_default :organization_id
+
+      belongs_to :organization, class_name: 'Organizations::Organization', optional: false
+    end
+  end
+end

app/models/doorkeeper/openid_connect/request.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Doorkeeper # rubocop:disable Gitlab/NamespacedClass,Gitlab/BoundedContexts -- Override from a gem
+  module OpenidConnect
+    class Request < ApplicationRecord
+      self.table_name = :"#{table_name_prefix}oauth_openid_requests#{table_name_suffix}"
+      include SafelyChangeColumnDefault
+
+      columns_changing_default :organization_id
+
+      validates :access_grant_id, :nonce, presence: true
+      belongs_to :access_grant,
+        class_name: 'Doorkeeper::AccessGrant',
+        inverse_of: :openid_request
+
+      belongs_to :organization, class_name: 'Organizations::Organization', optional: false
+    end
+  end
+end

app/models/namespace.rb

@@ -176,7 +176,6 @@ class Namespace < ApplicationRecord
     to: :namespace_settings
   delegate :emails_enabled, :emails_enabled=,
     to: :namespace_settings, allow_nil: true
-  delegate :token_expiry_notify_inherited, :token_expiry_notify_inherited=, to: :namespace_settings
   delegate :allow_runner_registration_token,
     :allow_runner_registration_token=,
     to: :namespace_settings
@@ -193,6 +192,15 @@ class Namespace < ApplicationRecord
     to: :namespace_settings
   delegate :add_creator, :pending_delete, :pending_delete=, :deleted_at, :deleted_at=,
     to: :namespace_details
+  delegate :resource_access_token_notify_inherited,
+    :resource_access_token_notify_inherited=,
+    :lock_resource_access_token_notify_inherited,
+    :lock_resource_access_token_notify_inherited=,
+    :resource_access_token_notify_inherited?,
+    :resource_access_token_notify_inherited_locked?,
+    :resource_access_token_notify_inherited_locked_by_ancestor?,
+    :resource_access_token_notify_inherited_locked_by_application_setting?,
+    to: :namespace_settings
 
   before_create :sync_share_with_group_lock_with_parent
   before_update :sync_share_with_group_lock_with_parent, if: :parent_changed?
@@ -623,14 +631,6 @@ def closest_setting(name)
       .try(name)
   end
 
-  def can_modify_token_expiry_notify_inherited?
-    ancestors.all?(&:token_expiry_notify_inherited)
-  end
-
-  def token_expiry_notify_inherited?
-    self_and_ancestors.all?(&:token_expiry_notify_inherited)
-  end
-
   def actual_plan
     Plan.default
   end

app/models/namespace_setting.rb

@@ -5,11 +5,12 @@ class NamespaceSetting < ApplicationRecord
   include Sanitizable
   include ChronicDurationAttribute
 
+  ignore_column :token_expiry_notify_inherited, remove_with: '17.9', remove_after: '2025-01-11'
   ignore_column :third_party_ai_features_enabled, remove_with: '16.11', remove_after: '2024-04-18'
   ignore_column :code_suggestions, remove_with: '17.8', remove_after: '2024-05-16'
   ignore_columns %i[toggle_security_policy_custom_ci lock_toggle_security_policy_custom_ci], remove_with: '17.6', remove_after: '2024-10-17'
 
-  cascading_attr :math_rendering_limits_enabled
+  cascading_attr :math_rendering_limits_enabled, :resource_access_token_notify_inherited
 
   scope :for_namespaces, ->(namespaces) { where(namespace: namespaces) }
 

app/presenters/ci/build_runner_presenter.rb

@@ -44,7 +44,7 @@ def runner_variables
 
     def refspecs
       specs = []
-      specs << refspec_for_persistent_ref if persistent_ref_exist?
+      specs << refspec_for_persistent_ref
 
       if git_depth > 0
         specs << refspec_for_branch(ref) if branch? || legacy_detached_merge_request_pipeline?
@@ -137,17 +137,6 @@ def refspec_for_persistent_ref
       "+#{pipeline.persistent_ref.path}:#{pipeline.persistent_ref.path}"
     end
 
-    def persistent_ref_exist?
-      ##
-      # Persistent refs for pipelines definitely exist from GitLab 12.4,
-      # hence, we don't need to check the ref existence before passing it to runners.
-      # Checking refs pressurizes gitaly node and should be avoided.
-      # Issue: https://gitlab.com/gitlab-com/gl-infra/production/-/issues/2143
-      return true if Feature.enabled?(:ci_skip_persistent_ref_existence_check)
-
-      pipeline.persistent_ref.exist?
-    end
-
     def git_depth_variable
       strong_memoize(:git_depth_variable) do
         variables&.find { |variable| variable[:key] == 'GIT_DEPTH' }