Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

app/services/audit_event_service.rb

@@ -6,6 +6,9 @@ class AuditEventService
 
   # Instantiates a new service
   #
+  # @deprecated This service is deprecated. Use Gitlab::Audit::Auditor instead.
+  # More information: https://docs.gitlab.com/ee/development/audit_event_guide/#how-to-instrument-new-audit-events
+  #
   # @param [User, token String] author the entity who authors the change
   # @param [User, Project, Group] entity the scope which audit event belongs to
   #   This param is also used to determine the visibility of the audit event.

doc/administration/gitaly/troubleshooting.md

@@ -242,8 +242,6 @@ update the secrets file on the Gitaly server to match the Gitaly client, then
 If you've confirmed that your `gitlab-secrets.json` file is the same on all Gitaly servers and clients,
 the application might be fetching this secret from a different file. Your Gitaly server's
 `config.toml file` indicates the secrets file in use.
-If that setting is missing, GitLab defaults to using `.gitlab_shell_secret` under
-`/opt/gitlab/embedded/service/gitlab-rails/.gitlab_shell_secret`.
 
 ## Repository pushes fail with `401 Unauthorized` and `JWT::VerificationError`
 

doc/development/fips_compliance.md

@@ -346,6 +346,23 @@ These are [consumed by the GitLab Environment Toolkit](#install-gitlab-with-fips
 
 See [the section on how FIPS builds are created](#how-fips-builds-are-created).
 
+### System Libgcrypt
+
+Because of a bug, FIPS Linux packages for GitLab 17.6 and earlier did not use the system
+[Libgcrypt](https://www.gnupg.org/software/libgcrypt/index.html), but the same Libgcrypt
+bundled with regular Linux packages.
+
+This issue is fixed for all FIPS Linux packages for GitLab 17.7, except for AmazonLinux 2.
+The Libgcrypt version of AmazonLinux 2 is not compatible with the
+[GPGME](https://gnupg.org/software/gpgme/index.html) and [GnuPG](https://gnupg.org/)
+versions shipped with the FIPS Linux packages.
+
+FIPS Linux packages for AmazonLinux 2 will continue to use the same Libgcrypt bundled with
+the regular Linux packages, otherwise we would have to downgrade GPGME and GnuPG.
+
+If you require full compliance, you must migrate to another operating
+system for which FIPS Linux packages are available.
+
 ### Nightly Omnibus FIPS builds
 
 The Distribution team has created [nightly FIPS Omnibus builds](https://packages.gitlab.com/gitlab/nightly-fips-builds),

doc/update/versions/gitlab_17_changes.md

@@ -186,6 +186,9 @@ For more information, see [issue 480328](https://gitlab.com/gitlab-org/gitlab/-/
 ## 17.7.0
 
 - Git 2.47.0 and later is required by Gitaly. For installations from source, you should use the [Git version provided by Gitaly](../../install/installation.md#git).
+- FIPS Linux packages now use the system Libgcrypt, except FIPS Linux packages for AmazonLinux 2. Previous versions of the FIPS Linux packages used the
+  same Libgcrypt used by the regular Linux packages, which was a bug. For more information, see
+  [the FIPS documentation](../../development/fips_compliance.md#system-libgcrypt).
 
 ### OpenSSL 3 upgrade
 

doc/user/application_security/vulnerability_report/index.md

@@ -95,7 +95,7 @@ You can filter by:
 - **Severity**: Critical, high, medium, low, info, unknown.
 - **Tool**: For more details, see [Tool filter](#tool-filter).
 - **Activity**: For more details, see [Activity filter](#activity-filter).
-- **Identifier**: Filter by the vulnerability's identifier. (available only for projects, groups is tracked in [issue 508713](https://gitlab.com/gitlab-org/gitlab/-/issues/508713).)
+- **Identifier**: Filter by the vulnerability's identifier (available only for projects, support for groups is proposed in [issue 508713](https://gitlab.com/gitlab-org/gitlab/-/issues/508713)).
 - **Project**: Filter vulnerabilities in specific projects (available only for groups).
 
 <!-- vale gitlab_base.SubstitutionWarning = YES -->

qa/qa/ce/strategy.rb

@@ -51,7 +51,13 @@ def initialize_admin_api_client!
           )
 
           Runtime::Browser.visit(:gitlab, Page::Main::Login)
-          Page::Main::Login.perform(&:sign_in_using_admin_credentials)
+          Page::Main::Login.perform do |login|
+            admin_user = Runtime::User::Store.admin_user
+            login.sign_in_using_credentials(user: admin_user)
+          rescue Runtime::User::ExpiredPasswordError
+            login.set_up_new_password(user: admin_user)
+          end
+
           Page::Main::Menu.perform(&:sign_out_if_signed_in)
 
           Runtime::User::Store.initialize_admin_api_client # re-initialize admin client after password reset

qa/qa/page/main/login.rb

@@ -81,8 +81,6 @@ def sign_in_using_credentials(user: nil, skip_page_validation: false, raise_on_i
                 raise_on_invalid_login: raise_on_invalid_login
               )
             end
-
-            set_up_new_password_if_required(user: test_user, skip_page_validation: skip_page_validation)
           end
         end
 
@@ -92,8 +90,6 @@ def sign_in_using_admin_credentials
             sign_in_using_gitlab_credentials(user: admin_user)
           end
 
-          set_up_new_password_if_required(user: admin_user, skip_page_validation: false)
-
           Page::Main::Menu.perform(&:has_personal_area?)
         end
 
@@ -194,23 +190,15 @@ def redirect_to_login_page(address)
           Runtime::Browser.visit(address, Page::Main::Login)
         end
 
-        private
-
-        # Handle request for password change
-        # Happens on clean GDK installations when seeded root admin password is expired
-        #
-        def set_up_new_password_if_required(user:, skip_page_validation:)
-          Support::WaitForRequests.wait_for_requests
-          return unless has_content?('Update password for', wait: 1)
-
+        def set_up_new_password(user:)
           Profile::Password.perform do |new_password_page|
             password = user.password
             new_password_page.set_new_password(password, password)
           end
-
-          sign_in_using_credentials(user: user, skip_page_validation: skip_page_validation)
         end
 
+        private
+
         def sign_in_using_gitlab_credentials(user:, skip_page_validation: false, raise_on_invalid_login: true)
           wait_if_retry_later
 
@@ -233,7 +221,9 @@ def sign_in_using_gitlab_credentials(user:, skip_page_validation: false, raise_o
 
           # Return if new password page is shown
           # Happens on clean GDK installations when seeded root admin password is expired
-          return if has_content?('Update password for', wait: 1)
+          if has_content?('Update password for', wait: 0)
+            raise Runtime::User::ExpiredPasswordError, "Password for #{user.username} is expired and must be reset"
+          end
 
           Page::Main::Terms.perform do |terms|
             terms.accept_terms if terms.visible?

qa/qa/specs/features/api/1_manage/import/import_github_repo_spec.rb

@@ -10,12 +10,7 @@ module QA
       end
 
       context 'when imported via api' do
-        it 'imports project', :blocking,
-          quarantine: {
-            issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/503715',
-            type: :stale
-          },
-          testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347670' do
+        it 'imports project', :blocking, testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347670' do
           expect_project_import_finished_successfully
 
           aggregate_failures do
@@ -162,8 +157,8 @@ def verify_merge_requests_import
               "*Created by: gitlab-qa-github*\n\n```suggestion:-0+0\nProject for GitHub import test to GitLab\r\n```",
               "*Created by: gitlab-qa-github*\n\nSome test PR comment",
               "*Created by: gitlab-qa*\n\n**Review:** Approved",
-              "assigned to @#{user.username}",
-              "requested review from @#{user.username}"
+              "assigned to `@gitlab-qa-github`",
+              "requested review from `@gitlab-qa`"
             ]
           )
           expect(events).to match_array(