Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

.gitlab/issue_templates/GLAS Engine Limitation.md

@@ -26,4 +26,4 @@ Use this to raise cases where the GLAS engine's behavior does not align with the
 
 See [SAST Reaction rotation GLAS limitations](https://handbook.gitlab.com/handbook/engineering/development/sec/secure/static-analysis/reaction_rotation/#glas-limitations-issues) to traige this issue.
 
-/label ~"section::sec" ~"devops::application security testing" ~"group::static analysis" ~"Category:SAST" ~"GLAS::VR-Reported" ~"GLAS::EngineLimitation"
+/label ~"section::sec" ~"devops::application security testing" ~"group::static analysis" ~"Category:SAST" ~"GLAS::VR-Reported" ~"GLAS:EngineLimitation"

app/assets/javascripts/ci/admin/jobs_table/components/cells/project_cell.vue

@@ -1,9 +1,9 @@
 <script>
-import { GlLink } from '@gitlab/ui';
+import LinkCell from '~/ci/runner/components/cells/link_cell.vue';
 
 export default {
   components: {
-    GlLink,
+    LinkCell,
   },
   props: {
     job: {
@@ -23,6 +23,6 @@ export default {
 </script>
 <template>
   <div class="gl-truncate">
-    <gl-link :href="projectUrl" data-testid="job-project-link">{{ projectName }}</gl-link>
+    <link-cell :href="projectUrl" data-testid="job-project-link">{{ projectName }}</link-cell>
   </div>
 </template>

app/assets/javascripts/ci/jobs_page/components/job_cells/pipeline_cell.vue

@@ -1,6 +1,7 @@
 <script>
 import { GlAvatar, GlLink } from '@gitlab/ui';
 import { s__ } from '~/locale';
+import LinkCell from '~/ci/runner/components/cells/link_cell.vue';
 import { getIdFromGraphQLId } from '~/graphql_shared/utils';
 
 export default {
@@ -10,6 +11,7 @@ export default {
   components: {
     GlAvatar,
     GlLink,
+    LinkCell,
   },
   props: {
     job: {
@@ -41,9 +43,9 @@ export default {
 <template>
   <div>
     <div class="-gl-mx-3 -gl-mt-3 gl-p-3">
-      <gl-link class="gl-truncate" :href="pipelinePath" data-testid="pipeline-id">
+      <link-cell :href="pipelinePath" class="gl-truncate" data-testid="pipeline-id">
         {{ pipelineId }}
-      </gl-link>
+      </link-cell>
 
       <span class="gl-text-subtle">
         <span>{{ __('created by') }}</span>

app/assets/javascripts/design_management/components/upload/design_version_dropdown.vue

@@ -76,7 +76,6 @@ export default {
 <template>
   <gl-collapsible-listbox
     is-check-centered
-    class="gl-z-1"
     :items="allVersionsList"
     :toggle-text="dropdownText"
     :selected="designsVersion"

app/assets/javascripts/environments/graphql/queries/environment_details.query.graphql

@@ -52,10 +52,12 @@ query getEnvironmentDetails(
             ...DeploymentJob
             deploymentPipeline: pipeline {
               id
-              jobs(whenExecuted: ["manual"], retried: false) {
-                nodes {
-                  ...DeploymentJob
-                  scheduledAt
+              ... on Pipeline {
+                jobs(whenExecuted: ["manual"], retried: false) {
+                  nodes {
+                    ...DeploymentJob
+                    scheduledAt
+                  }
                 }
               }
             }

app/assets/javascripts/gfm_auto_complete.js

@@ -467,8 +467,11 @@ class GfmAutoComplete {
 
           // Cache assignees & reviewers list for easier filtering later
           if (instance.isWorkItemsView) {
-            const { workItemId } = this.$inputor.get(0).closest('.js-gfm-wrapper').dataset;
-            assignees = (currentAssignees()[`${workItemId}`] || []).map(createMemberSearchString);
+            const element = this.$inputor.get(0).closest('.js-gfm-wrapper');
+            if (element) {
+              const { workItemId } = element.dataset;
+              assignees = (currentAssignees()[`${workItemId}`] || []).map(createMemberSearchString);
+            }
           } else {
             assignees =
               SidebarMediator.singleton?.store?.assignees?.map(createMemberSearchString) || [];

app/assets/javascripts/graphql_shared/possible_types.json

@@ -171,6 +171,10 @@
     "PendingGroupMember",
     "PendingProjectMember"
   ],
+  "PipelineInterface": [
+    "Pipeline",
+    "PipelineMinimalAccess"
+  ],
   "ProjectInterface": [
     "Project",
     "ProjectMinimalAccess"

app/assets/javascripts/invite_members/constants.js

@@ -84,7 +84,7 @@ export const QUEUED_MESSAGE_SUCCESSFUL = s__(
 );
 export const INVALID_FEEDBACK_MESSAGE_DEFAULT = s__('InviteMembersModal|Something went wrong');
 export const READ_MORE_TEXT = s__(
-  `InviteMembersModal|Invited members are limited to this role or their current group role, whichever is higher. Learn more about %{linkStart}roles%{linkEnd}.`,
+  `InviteMembersModal|Invited members are assigned the selected role or the role they have in the group, whichever is lower. Learn more about %{linkStart}roles%{linkEnd}.`,
 );
 export const READ_MORE_ACCESS_EXPIRATION_TEXT = s__(
   `InviteMembersModal|From this date onward, the user can no longer access the group or project. Learn more about %{linkStart}access%{linkEnd}.`,

app/assets/javascripts/ml/model_registry/graphql/queries/get_model.query.graphql

@@ -62,19 +62,21 @@ query getModel($id: MlModelID!) {
           name
           pipeline {
             id
-            mergeRequest {
-              id
-              iid
-              title
-              webUrl
-            }
             user {
               id
               avatarUrl
               webUrl
               username
               name
             }
+            ... on Pipeline {
+              mergeRequest {
+                id
+                iid
+                title
+                webUrl
+              }
+            }
           }
         }
         _links {

app/assets/javascripts/ml/model_registry/graphql/queries/get_model_version.query.graphql

@@ -50,19 +50,21 @@ query getModelVersion($modelId: MlModelID!, $modelVersionId: MlModelVersionID!)
           name
           pipeline {
             id
-            mergeRequest {
-              id
-              iid
-              title
-              webUrl
-            }
             user {
               id
               avatarUrl
               webUrl
               username
               name
             }
+            ... on Pipeline {
+              mergeRequest {
+                id
+                iid
+                title
+                webUrl
+              }
+            }
           }
         }
         _links {

app/assets/javascripts/vue_shared/components/crud_component.vue

@@ -195,23 +195,14 @@ export default {
       ]"
     >
       <div class="gl-flex gl-grow gl-flex-col gl-self-center">
-        <button
-          v-if="isCollapsible"
-          tabindex="-1"
-          aria-hidden="true"
-          class="gl-z-0 gl-m-0 gl-h-0 gl-border-none gl-p-0"
-          @click="toggleCollapse"
-        >
-          <span class="gl-absolute gl-inset-0"></span>
-        </button>
         <h2
           class="gl-m-0 gl-inline-flex gl-items-center gl-gap-3 gl-text-base gl-font-bold gl-leading-normal"
           :class="titleClass"
           data-testid="crud-title"
         >
           <gl-link
             v-if="anchorId"
-            class="anchor gl-absolute gl-z-1 gl-no-underline"
+            class="anchor gl-absolute gl-no-underline"
             :href="`#${anchorId}`"
             :aria-labelledby="anchorId"
           />
@@ -240,7 +231,7 @@ export default {
           <template v-else>{{ description }}</template>
         </p>
       </div>
-      <div class="gl-z-1 gl-flex gl-items-center gl-gap-3" data-testid="crud-actions">
+      <div class="gl-flex gl-items-center gl-gap-3" data-testid="crud-actions">
         <slot name="actions" :show-form="showForm"></slot>
         <gl-button
           v-if="toggleText && !isFormUsedAndVisible"
@@ -252,7 +243,7 @@ export default {
         >
         <div
           v-if="isCollapsible"
-          class="gl-border-l gl-pointer-events-none gl-absolute gl-right-5 gl-top-4 gl-h-6 gl-border-l-section gl-pl-3"
+          class="gl-border-l gl-absolute gl-right-5 gl-top-4 gl-h-6 gl-border-l-section gl-pl-3"
         >
           <gl-button
             v-gl-tooltip
@@ -263,7 +254,7 @@ export default {
             :aria-label="toggleLabel"
             :aria-expanded="ariaExpandedAttr"
             :aria-controls="anchorId"
-            class="gl-pointer-events-auto -gl-mr-2 gl-self-start"
+            class="-gl-mr-2 gl-self-start"
             data-testid="crud-collapse-toggle"
             @click="toggleCollapse"
           />

app/assets/javascripts/work_items/components/design_management/design_version_dropdown.vue

@@ -113,7 +113,6 @@ export default {
 <template>
   <gl-collapsible-listbox
     is-check-centered
-    class="gl-z-1"
     :items="allVersionsList"
     :toggle-text="dropdownText"
     :selected="designsVersion"

app/graphql/types/ci/job_type.rb

@@ -26,7 +26,7 @@ class JobType < BaseObject
         description: 'Name of the job.'
       field :needs, BuildNeedType.connection_type, null: true,
         description: 'References to builds that must complete before the jobs run.'
-      field :pipeline, Types::Ci::PipelineType, null: true,
+      field :pipeline, Types::Ci::PipelineInterface, null: true,
         description: 'Pipeline the job belongs to.'
 
       field :runner, Types::Ci::RunnerType, null: true, description: 'Runner assigned to execute the job.'

app/graphql/types/ci/pipeline_base_field.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Types
+  module Ci
+    # rubocop: disable GraphQL/GraphqlName -- Not a type
+    # rubocop: disable Graphql/AuthorizeTypes -- Not a type
+    class PipelineBaseField < ::Types::BaseField
+      def initialize(**kwargs, &block)
+        kwargs[:authorize] = :read_pipeline
+
+        super
+      end
+    end
+    # rubocop: enable Graphql/AuthorizeTypes
+    # rubocop: enable GraphQL/GraphqlName
+  end
+end

app/graphql/types/ci/pipeline_interface.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Types
+  module Ci
+    # This inteface sets [authorize: :read_pipeline] (field-level authorization
+    # via PipelineBaseField) for all defined fields to ensure implementing types
+    # don't expose inherited fields without proper authorization.
+    #
+    # Implementing types can opt-out from this field-level auth and use
+    # type-level auth by re-defining the field without the authorize argument.
+    # For example, PipelineType uses :read_pipeline type-level auth and
+    # redefines all fields in this interface to opt-out while
+    # PipelineMinimalAccessType uses :read_pipeline_metadata type-level auth to
+    # expose a set of defined fields and leaves inherited fields it does not
+    # want to expose to use field-level auth using :read_pipeline.
+    module PipelineInterface
+      include BaseInterface
+
+      graphql_name 'PipelineInterface'
+
+      connection_type_class Types::CountableConnectionType
+
+      field_class ::Types::Ci::PipelineBaseField
+
+      field :id, GraphQL::Types::ID, null: true,
+        description: 'ID of the pipeline.'
+      field :iid, GraphQL::Types::String, null: true,
+        description: 'Internal ID of the pipeline.'
+      field :path, GraphQL::Types::String, null: true,
+        description: "Relative path to the pipeline's page."
+      field :project, Types::Projects::ProjectInterface, null: true,
+        description: 'Project the pipeline belongs to.'
+      field :user,
+        type: 'Types::UserType',
+        null: true,
+        description: 'Pipeline user.'
+
+      def self.resolve_type(_object, _context)
+        PipelineType
+      end
+
+      def path
+        ::Gitlab::Routing.url_helpers.project_pipeline_path(object.project, object)
+      end
+    end
+  end
+end
+
+Types::Ci::PipelineInterface.prepend_mod

app/graphql/types/ci/pipeline_type.rb

@@ -5,6 +5,8 @@ module Ci
     class PipelineType < BaseObject
       graphql_name 'Pipeline'
 
+      implements PipelineInterface
+
       connection_type_class Types::CountableConnectionType
 
       authorize :read_pipeline
@@ -239,10 +241,6 @@ def commit_path
         ::Gitlab::Routing.url_helpers.project_commit_path(object.project, object.sha)
       end
 
-      def path
-        ::Gitlab::Routing.url_helpers.project_pipeline_path(object.project, object)
-      end
-
       def warning_messages
         BatchLoader::GraphQL.for(object).batch do |pipelines, loader|
           # rubocop: disable CodeReuse/ActiveRecord -- context specific

app/graphql/types/projects/project_interface.rb

@@ -2,7 +2,7 @@
 
 module Types
   module Projects
-    # This inteface sets [authorize: :read_project] (field-level authorization via
+    # This interface sets [authorize: :read_project] (field-level authorization via
     # ProjectBaseField) for all defined fields to ensure implementing types don't
     # expose inherited fields without proper authorization.
     #
@@ -29,6 +29,9 @@ module ProjectInterface
       field :description, GraphQL::Types::String,
         null: true,
         description: 'Short description of the project.'
+      field :full_path, GraphQL::Types::ID,
+        null: true,
+        description: 'Full path of the project.'
       field :id, GraphQL::Types::ID, null: true,
         description: 'ID of the project.'
       field :name, GraphQL::Types::String,

app/models/protected_branch.rb

@@ -83,6 +83,12 @@ def self.downcase_humanized_name
     name.underscore.humanize.downcase
   end
 
+  def self.default_branch_for(project)
+    return unless project&.default_branch
+
+    project.protected_branches.detect { |branch| branch.name == project.default_branch }
+  end
+
   def default_branch?
     return false unless project.present?
 

app/policies/ci/pipeline_policy.rb

@@ -2,7 +2,7 @@
 
 module Ci
   class PipelinePolicy < BasePolicy
-    delegate { @subject.project }
+    delegate(:project) { @subject.project }
 
     condition(:protected_ref) { ref_protected?(@user, @subject.project, @subject.tag?, @subject.ref) }
 
@@ -63,6 +63,10 @@ class PipelinePolicy < BasePolicy
       enable :read_pipeline_variable
     end
 
+    rule { can?(:read_pipeline) }.policy do
+      enable :read_pipeline_metadata
+    end
+
     rule { project_allows_read_dependency }.policy do
       enable :read_dependency
     end

app/services/system_notes/issuables_service.rb

@@ -179,15 +179,16 @@ def change_issuable_contacts(added_count, removed_count)
     #   "changed title from **Old** to **New**"
     #
     # Returns the created Note object
-    def change_title(old_title)
-      new_title = noteable.title.dup
+    def change_title(org_title)
+      new_title = ERB::Util.html_escape(noteable.title)
+      old_title = ERB::Util.html_escape(org_title)
 
       old_diffs, new_diffs = Gitlab::Diff::InlineDiff.new(old_title, new_title).inline_diffs
 
-      marked_old_title = Gitlab::Diff::InlineDiffMarkdownMarker.new(old_title).mark(old_diffs)
-      marked_new_title = Gitlab::Diff::InlineDiffMarkdownMarker.new(new_title).mark(new_diffs)
+      marked_old_title = Gitlab::Diff::InlineDiffMarker.new(old_title).mark(old_diffs)
+      marked_new_title = Gitlab::Diff::InlineDiffMarker.new(new_title).mark(new_diffs)
 
-      body = "changed title from **#{marked_old_title}** to **#{marked_new_title}**"
+      body = "<div>changed title from <code class=\"idiff\">#{marked_old_title}</code> to <code class=\"idiff\">#{marked_new_title}</code></div>"
 
       track_issue_event(:track_issue_title_changed_action)
       work_item_activity_counter.track_work_item_title_changed_action(author: author) if noteable.is_a?(WorkItem)