Add latest changes from gitlab-org/gitlab@15-2-stable-eev15.2.0-rc42

23 files changed, 303 insertions, 146 deletions

diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS
index 64955d67e34..777c5c54ea5 100644
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@@ -642,7 +642,7 @@ lib/gitlab/checks/** @proglottis @toon @zj-gitlab
 /doc/user/admin_area/credentials_inventory.md @eread
 /doc/user/admin_area/custom_project_templates.md @eread
 /doc/user/admin_area/diff_limits.md @aqualls
-/doc/user/admin_area/geo_nodes.md @axil
+/doc/user/admin_area/geo_sites.md @axil
 /doc/user/admin_area/labels.md @msedlakjakubowski
 /doc/user/admin_area/license_file.md @sselhorn
 /doc/user/admin_area/license.md @sselhorn
@@ -809,7 +809,6 @@ lib/gitlab/checks/** @proglottis @toon @zj-gitlab
 /app/assets/javascripts/authentication/ @gitlab-org/manage/authentication-and-authorization
 /app/assets/javascripts/ide/components/shared/tokened_input.vue @gitlab-org/manage/authentication-and-authorization
 /app/assets/javascripts/invite_members/components/members_token_select.vue @gitlab-org/manage/authentication-and-authorization
-/app/assets/javascripts/logs/components/tokens/ @gitlab-org/manage/authentication-and-authorization
 /app/assets/javascripts/packages_and_registries/package_registry/components/list/tokens/ @gitlab-org/manage/authentication-and-authorization
 /app/assets/javascripts/pages/admin/impersonation_tokens/ @gitlab-org/manage/authentication-and-authorization
 /app/assets/javascripts/pages/groups/settings/access_tokens/ @gitlab-org/manage/authentication-and-authorization
@@ -929,16 +928,18 @@ lib/gitlab/checks/** @proglottis @toon @zj-gitlab
 /app/workers/authorized_projects_worker.rb @gitlab-org/manage/authentication-and-authorization
 /app/workers/personal_access_tokens/ @gitlab-org/manage/authentication-and-authorization
 /config/feature_flags/development/application_settings_tokens_optional_encryption.yml @gitlab-org/manage/authentication-and-authorization
+/config/feature_flags/development/async_only_project_authorizations_refresh.yml @gitlab-org/manage/authentication-and-authorization
 /config/feature_flags/development/enforce_auth_checks_on_uploads.yml @gitlab-org/manage/authentication-and-authorization
 /config/feature_flags/development/forti_authenticator.yml @gitlab-org/manage/authentication-and-authorization
 /config/feature_flags/development/forti_token_cloud.yml @gitlab-org/manage/authentication-and-authorization
 /config/feature_flags/development/groups_tokens_optional_encryption.yml @gitlab-org/manage/authentication-and-authorization
-/config/feature_flags/development/omniauth_initializer_fullhost_proc.yml @gitlab-org/manage/authentication-and-authorization
 /config/feature_flags/development/omniauth_login_minimal_scopes.yml @gitlab-org/manage/authentication-and-authorization
 /config/feature_flags/development/personal_access_tokens_scoped_to_projects.yml @gitlab-org/manage/authentication-and-authorization
 /config/feature_flags/development/projects_tokens_optional_encryption.yml @gitlab-org/manage/authentication-and-authorization
 /config/feature_flags/development/refresh_authorizations_via_affected_projects_on_group_membership.yml @gitlab-org/manage/authentication-and-authorization
+/config/feature_flags/development/skip_group_share_unlink_auth_refresh.yml @gitlab-org/manage/authentication-and-authorization
 /config/feature_flags/development/specialized_worker_for_group_lock_update_auth_recalculation.yml @gitlab-org/manage/authentication-and-authorization
+/config/feature_flags/development/update_oauth_registration_flow.yml @gitlab-org/manage/authentication-and-authorization
 /config/feature_flags/development/webauthn.yml @gitlab-org/manage/authentication-and-authorization
 /config/feature_flags/ops/block_password_auth_for_saml_users.yml @gitlab-org/manage/authentication-and-authorization
 /config/initializers/01_secret_token.rb @gitlab-org/manage/authentication-and-authorization
@@ -975,6 +976,7 @@ lib/gitlab/checks/** @proglottis @toon @zj-gitlab
 /ee/app/helpers/ee/access_tokens_helper.rb @gitlab-org/manage/authentication-and-authorization
 /ee/app/helpers/ee/auth_helper.rb @gitlab-org/manage/authentication-and-authorization
 /ee/app/helpers/ee/personal_access_tokens_helper.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/models/concerns/password_complexity.rb @gitlab-org/manage/authentication-and-authorization
 /ee/app/models/ee/personal_access_token.rb @gitlab-org/manage/authentication-and-authorization
 /ee/app/models/ee/project_authorization.rb @gitlab-org/manage/authentication-and-authorization
 /ee/app/models/scim_oauth_access_token.rb @gitlab-org/manage/authentication-and-authorization
@@ -984,6 +986,7 @@ lib/gitlab/checks/** @proglottis @toon @zj-gitlab
 /ee/app/services/ee/resource_access_tokens/ @gitlab-org/manage/authentication-and-authorization
 /ee/app/services/personal_access_tokens/ @gitlab-org/manage/authentication-and-authorization
 /ee/app/services/security/token_revocation_service.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/validators/password/ @gitlab-org/manage/authentication-and-authorization
 /ee/app/views/admin/application_settings/_personal_access_token_expiration_policy.html.haml @gitlab-org/manage/authentication-and-authorization
 /ee/app/views/credentials_inventory_mailer/personal_access_token_revoked_email.html.haml @gitlab-org/manage/authentication-and-authorization
 /ee/app/views/credentials_inventory_mailer/personal_access_token_revoked_email.text.haml @gitlab-org/manage/authentication-and-authorization
@@ -996,6 +999,7 @@ lib/gitlab/checks/** @proglottis @toon @zj-gitlab
 /ee/app/views/shared/credentials_inventory/_project_access_tokens.html.haml @gitlab-org/manage/authentication-and-authorization
 /ee/app/views/shared/credentials_inventory/personal_access_tokens/ @gitlab-org/manage/authentication-and-authorization
 /ee/app/views/shared/credentials_inventory/project_access_tokens/ @gitlab-org/manage/authentication-and-authorization
+/ee/app/workers/auth/ @gitlab-org/manage/authentication-and-authorization
 /ee/app/workers/personal_access_tokens/ @gitlab-org/manage/authentication-and-authorization
 /ee/config/routes/oauth.rb @gitlab-org/manage/authentication-and-authorization
 /ee/lib/ee/gitlab/auth/ @gitlab-org/manage/authentication-and-authorization
@@ -1012,6 +1016,7 @@ lib/gitlab/checks/** @proglottis @toon @zj-gitlab
 /lib/api/entities/impersonation_token.rb @gitlab-org/manage/authentication-and-authorization
 /lib/api/entities/impersonation_token_with_token.rb @gitlab-org/manage/authentication-and-authorization
 /lib/api/entities/personal_access_token.rb @gitlab-org/manage/authentication-and-authorization
+/lib/api/entities/personal_access_token_with_details.rb @gitlab-org/manage/authentication-and-authorization
 /lib/api/entities/personal_access_token_with_token.rb @gitlab-org/manage/authentication-and-authorization
 /lib/api/entities/resource_access_token.rb @gitlab-org/manage/authentication-and-authorization
 /lib/api/entities/resource_access_token_with_token.rb @gitlab-org/manage/authentication-and-authorization
diff --git a/.gitlab/ci/build-images.gitlab-ci.yml b/.gitlab/ci/build-images.gitlab-ci.yml
index 46d0bb2fb8f..3b360d66b7f 100644
--- a/.gitlab/ci/build-images.gitlab-ci.yml
+++ b/.gitlab/ci/build-images.gitlab-ci.yml
@@ -1,16 +1,9 @@
 .base-image-build:
   extends: .use-kaniko
+  variables:
+    GIT_LFS_SKIP_SMUDGE: 1
   script:
-    # With .git/hooks/post-checkout in place, Git tries to pull LFS objects, but the image doesn't have Git LFS, and we actually don't care about it for this specific so we just remove the file.
-    # Without removing the file, the error is as follows: "This repository is configured for Git LFS but 'git-lfs' was not found on your path. If you no longer wish to use Git LFS, remove this hook by deleting .git/hooks/post-checkout."
-    - rm -f .git/hooks/post-checkout
-    - if [ -n "$CI_MERGE_REQUEST_SOURCE_BRANCH_SHA" ]; then
-        echo "Checking out \$CI_MERGE_REQUEST_SOURCE_BRANCH_SHA ($CI_MERGE_REQUEST_SOURCE_BRANCH_SHA) instead of \$CI_COMMIT_SHA (merge result commit $CI_COMMIT_SHA) so that GitLab image built in omnibus-gitlab-mirror and QA image are in sync.";
-        git checkout -f ${CI_MERGE_REQUEST_SOURCE_BRANCH_SHA};
-      else
-        echo "Building the image from \$CI_COMMIT_SHA ($CI_COMMIT_SHA) for this non-merge result pipeline.";
-      fi;
-    - echo "See https://docs.gitlab.com/ee/development/testing_guide/end_to_end/index.html#with-pipeline-for-merged-results for more details.";
+    - scripts/checkout-mr-source-sha
   retry: 2
 
 # This image is used by:
@@ -37,6 +30,7 @@ build-qa-image:
         --destination=${QA_IMAGE_BRANCH} \
         --build-arg=CHROME_VERSION=${CHROME_VERSION} \
         --build-arg=DOCKER_VERSION=${DOCKER_VERSION} \
+        --build-arg=QA_BUILD_TARGET=${QA_BUILD_TARGET:-qa} \
         --cache=true
 
 # This image is used by:
diff --git a/.gitlab/ci/frontend.gitlab-ci.yml b/.gitlab/ci/frontend.gitlab-ci.yml
index 8bfda0e6684..8c49d5c212a 100644
--- a/.gitlab/ci/frontend.gitlab-ci.yml
+++ b/.gitlab/ci/frontend.gitlab-ci.yml
@@ -11,7 +11,7 @@
     - .default-retry
     - .default-before_script
     - .assets-compile-cache
-  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}-git-2.33-lfs-2.9-node-16.14-yarn-1.22-graphicsmagick-1.3.36
+  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}-node-16.14:rubygems-3.2-git-2.33-lfs-2.9-yarn-1.22-graphicsmagick-1.3.36
   variables:
     SETUP_DB: "false"
     WEBPACK_VENDOR_DLL: "true"
@@ -43,13 +43,7 @@ compile-production-assets:
       - webpack-report/
     when: always
   before_script:
-    - if [ -n "$CI_MERGE_REQUEST_SOURCE_BRANCH_SHA" ]; then
-        echo "Checking out \$CI_MERGE_REQUEST_SOURCE_BRANCH_SHA ($CI_MERGE_REQUEST_SOURCE_BRANCH_SHA) instead of \$CI_COMMIT_SHA (merge result commit $CI_COMMIT_SHA) so that GitLab assets image tag actually reflect the commit for which assets were compiled.";
-        git checkout -f ${CI_MERGE_REQUEST_SOURCE_BRANCH_SHA};
-      else
-        echo "Building the image from \$CI_COMMIT_SHA ($CI_COMMIT_SHA) for this non-merge result pipeline.";
-      fi;
-    - echo "See https://docs.gitlab.com/ee/development/testing_guide/end_to_end/index.html#with-pipeline-for-merged-results for more details.";
+    - scripts/checkout-mr-source-sha
     - !reference [.default-before_script, before_script]
   after_script:
     - rm -f /etc/apt/sources.list.d/google*.list  # We don't need to update Chrome here
@@ -186,6 +180,12 @@ graphql-schema-dump:
       - tmp/tests/graphql/gitlab_schema.graphql
       - tmp/tests/graphql/gitlab_schema.json
 
+graphql-schema-dump as-if-foss:
+  extends:
+    - graphql-schema-dump
+    - .frontend:rules:eslint-as-if-foss
+    - .as-if-foss
+
 .frontend-test-base:
   extends:
     - .default-retry
diff --git a/.gitlab/ci/global.gitlab-ci.yml b/.gitlab/ci/global.gitlab-ci.yml
index 344a31b28d8..9c92b11d4fd 100644
--- a/.gitlab/ci/global.gitlab-ci.yml
+++ b/.gitlab/ci/global.gitlab-ci.yml
@@ -79,7 +79,7 @@
   policy: push  # We want to rebuild the cache from scratch to ensure stale dependencies are cleaned up.
 
 .assets-cache: &assets-cache
-  key: "assets-debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}-node-${NODE_ENV}"
+  key: "assets-debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}-node-${NODE_ENV}-v2"
   paths:
     - assets-hash.txt
     - public/assets/webpack/
@@ -179,11 +179,19 @@
     - *ruby-gems-cache
     - *node-modules-cache
 
+.qa-bundler-variables: &qa-bundler-variables
+  variables:
+    BUNDLE_SUPPRESS_INSTALL_USING_MESSAGES: "true"
+    BUNDLE_SILENCE_ROOT_WARNING: "true"
+    BUNDLE_PATH: vendor
+
 .qa-cache:
+  <<: *qa-bundler-variables
   cache:
     - *qa-ruby-gems-cache
 
 .qa-cache-push:
+  <<: *qa-bundler-variables
   cache:
     - *qa-ruby-gems-cache-push
 
diff --git a/.gitlab/ci/pages.gitlab-ci.yml b/.gitlab/ci/pages.gitlab-ci.yml
index 6f96d84b8e3..1f9f57cfc22 100644
--- a/.gitlab/ci/pages.gitlab-ci.yml
+++ b/.gitlab/ci/pages.gitlab-ci.yml
@@ -15,7 +15,7 @@ pages:
     - job: "compile-production-assets"
     - job: "compile-storybook"
     # `update-tests-metadata` only runs on GitLab.com's EE schedules pipelines
-    # while `pages` runs for all the 2-hourly schedules.
+    # while `pages` runs for all the maintenance scheduled pipelines.
     - job: "update-tests-metadata"
       optional: true
   before_script:
diff --git a/.gitlab/ci/qa.gitlab-ci.yml b/.gitlab/ci/qa.gitlab-ci.yml
index 5ca70da352a..12275260c0c 100644
--- a/.gitlab/ci/qa.gitlab-ci.yml
+++ b/.gitlab/ci/qa.gitlab-ci.yml
@@ -11,8 +11,7 @@
     QA_EXPORT_TEST_METRICS: "false"
   before_script:
     - !reference [.default-before_script, before_script]
-    - cd qa/
-    - bundle install
+    - cd qa && bundle install
 
 qa:internal:
   extends:
@@ -73,8 +72,7 @@ populate-qa-tests-var:
   image: ${GITLAB_DEPENDENCY_PROXY}ruby:2.7-alpine
   stage: prepare
   script:
-    - tooling/bin/qa/check_if_qa_only_spec_changes ${CHANGES_FILE} ${ONLY_QA_CHANGES_FILE}
-    - '[ -f $ONLY_QA_CHANGES_FILE ] && export QA_TESTS="`cat $ONLY_QA_CHANGES_FILE`"'
+    - export QA_TESTS=$(scripts/determine-qa-tests --files $CHANGES_FILE --labels "$CI_MERGE_REQUEST_LABELS")
     - 'echo "QA_TESTS=$QA_TESTS" >> qa_tests_var.env'
     - 'echo "QA_TESTS: $QA_TESTS"'
   artifacts:
@@ -83,11 +81,9 @@ populate-qa-tests-var:
       dotenv: qa_tests_var.env
     paths:
       - ${CHANGES_FILE}
-      - ${ONLY_QA_CHANGES_FILE}
       - qa_tests_var.env
   variables:
     CHANGES_FILE: tmp/changed_files.txt
-    ONLY_QA_CHANGES_FILE: tmp/qa_only_changed_files.txt
   needs:
     - detect-tests
 
diff --git a/.gitlab/ci/rails.gitlab-ci.yml b/.gitlab/ci/rails.gitlab-ci.yml
index 0358fe8ec49..6fa9d14d47b 100644
--- a/.gitlab/ci/rails.gitlab-ci.yml
+++ b/.gitlab/ci/rails.gitlab-ci.yml
@@ -201,8 +201,9 @@ setup-test-env:
       - ${TMP_TEST_FOLDER}/gitlab-elasticsearch-indexer/bin/gitlab-elasticsearch-indexer
       - ${TMP_TEST_FOLDER}/gitlab-shell/
       - ${TMP_TEST_FOLDER}/gitlab-test-fork/
-      - ${TMP_TEST_FOLDER}/gitlab-test-fork_bare/
+      - ${TMP_TEST_FOLDER}/gitlab-test-fork.bundle
       - ${TMP_TEST_FOLDER}/gitlab-test/
+      - ${TMP_TEST_FOLDER}/gitlab-test.bundle
       - ${TMP_TEST_FOLDER}/repositories/
       - ${TMP_TEST_FOLDER}/second_storage/
       - ${TMP_TEST_GITLAB_WORKHORSE_PATH}/
@@ -609,17 +610,16 @@ rspec:undercoverage:
   stage: post-test
   needs: ["rspec:coverage"]
   script:
-    - if [ -n "$CI_MERGE_REQUEST_SOURCE_BRANCH_SHA" ]; then
-        echo "Checking out \$CI_MERGE_REQUEST_SOURCE_BRANCH_SHA ($CI_MERGE_REQUEST_SOURCE_BRANCH_SHA) instead of \$CI_COMMIT_SHA (merge result commit $CI_COMMIT_SHA) so we can use $CI_MERGE_REQUEST_DIFF_BASE_SHA for undercoverage in this merged result pipeline";
-        git checkout -f ${CI_MERGE_REQUEST_SOURCE_BRANCH_SHA};
-        bundle_install_script;
+    - if [ -n "$CI_MERGE_REQUEST_TARGET_BRANCH_SHA" ]; then
+        echo "HEAD is $(git rev-parse HEAD). \$CI_MERGE_REQUEST_TARGET_BRANCH_SHA is ${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}";
       else
-        echo "Using \$CI_COMMIT_SHA ($CI_COMMIT_SHA) for this non-merge result pipeline.";
+        echo "HEAD is $(git rev-parse HEAD). \$CI_MERGE_REQUEST_DIFF_BASE_SHA is ${CI_MERGE_REQUEST_DIFF_BASE_SHA}";
       fi;
-    - UNDERCOVERAGE_COMPARE="${CI_MERGE_REQUEST_DIFF_BASE_SHA:-$(git merge-base origin/master HEAD)}"
-    - echo "Undercoverage comparing with ${UNDERCOVERAGE_COMPARE}"
+    - UNDERCOVERAGE_COMPARE="${CI_MERGE_REQUEST_TARGET_BRANCH_SHA:-$CI_MERGE_REQUEST_DIFF_BASE_SHA}"
+    - git diff ${UNDERCOVERAGE_COMPARE} --stat
+    - echo "Undercoverage comparing with ${UNDERCOVERAGE_COMPARE}."
     - if [ -f scripts/undercoverage ]; then
-        run_timed_command "scripts/undercoverage ${UNDERCOVERAGE_COMPARE}";
+        run_timed_command "bundle exec scripts/undercoverage ${UNDERCOVERAGE_COMPARE}";
       fi;
 
 rspec:feature-flags:
diff --git a/.gitlab/ci/review-apps/main.gitlab-ci.yml b/.gitlab/ci/review-apps/main.gitlab-ci.yml
index f3cde5d7318..7f3ae70da8c 100644
--- a/.gitlab/ci/review-apps/main.gitlab-ci.yml
+++ b/.gitlab/ci/review-apps/main.gitlab-ci.yml
@@ -20,7 +20,7 @@ review-build-cng-env:
   extends:
     - .default-retry
     - .review:rules:review-build-cng
-  image: ${GITLAB_DEPENDENCY_PROXY}ruby:${RUBY_VERSION}-alpine3.13
+  image: ${GITLAB_DEPENDENCY_PROXY}ruby:3.0-alpine3.13
   stage: prepare
   needs: []
   before_script:
@@ -77,9 +77,9 @@ review-build-cng:
   variables:
     HOST_SUFFIX: "${CI_ENVIRONMENT_SLUG}"
     DOMAIN: "-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}"
-    GITLAB_HELM_CHART_REF: "a6a609a19166f00b1a7774374041cd38a9f7e20d"
+    GITLAB_HELM_CHART_REF: "138c146a5ba787942f66d4c7d795d224d6ba206a"
   environment:
-    name: review/${CI_COMMIT_REF_SLUG}${FREQUENCY}
+    name: review/${CI_COMMIT_REF_SLUG}${SCHEDULE_TYPE} # No separator for SCHEDULE_TYPE so it's compatible as before and looks nice without it
     url: https://gitlab-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}
     on_stop: review-stop
     auto_stop_in: 48 hours
diff --git a/.gitlab/ci/review-apps/qa.gitlab-ci.yml b/.gitlab/ci/review-apps/qa.gitlab-ci.yml
index 07ad5a31135..8c48e803ad3 100644
--- a/.gitlab/ci/review-apps/qa.gitlab-ci.yml
+++ b/.gitlab/ci/review-apps/qa.gitlab-ci.yml
@@ -5,13 +5,7 @@ include:
       - /ci/allure-report.yml
       - /ci/knapsack-report.yml
 
-.bundler_variables:
-  variables:
-    BUNDLE_SUPPRESS_INSTALL_USING_MESSAGES: "true"
-    BUNDLE_SILENCE_ROOT_WARNING: "true"
-    BUNDLE_PATH: vendor
-
-.test_variables:
+.test-variables:
   variables:
     QA_GENERATE_ALLURE_REPORT: "true"
     COLORIZED_LOGS: "true"
@@ -22,13 +16,20 @@ include:
     GITLAB_QA_ADMIN_ACCESS_TOKEN: "${REVIEW_APPS_ROOT_TOKEN}"
     GITHUB_ACCESS_TOKEN: "${REVIEW_APPS_QA_GITHUB_ACCESS_TOKEN}"
 
+.bundle-base:
+  extends:
+    - .qa-cache
+  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bullseye-ruby-${RUBY_VERSION}:bundler-2.3
+  before_script:
+    - export QA_GITLAB_URL="$(cat environment_url.txt)"
+    - cd qa && bundle install
+
 .review-qa-base:
   extends:
     - .use-docker-in-docker
-    - .qa-cache
-    - .test_variables
-    - .bundler_variables
-  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bullseye-ruby-2.7:bundler-2.3-git-2.33-lfs-2.9-chrome-${CHROME_VERSION}-docker-${DOCKER_VERSION}-gcloud-383-kubectl-1.23
+    - .bundle-base
+    - .test-variables
+  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bullseye-ruby-${RUBY_VERSION}:bundler-2.3-git-2.33-lfs-2.9-chrome-${CHROME_VERSION}-docker-${DOCKER_VERSION}-gcloud-383-kubectl-1.23
   stage: qa
   needs:
     - review-deploy
@@ -38,11 +39,13 @@ include:
     DOCKER_TLS_CERTDIR: /certs
     DOCKER_CERT_PATH: /certs/client
     DOCKER_TLS_VERIFY: 1
+    GIT_LFS_SKIP_SMUDGE: 1
+    WD_INSTALL_DIR: /usr/local/bin
   before_script:
-    - export EE_LICENSE="$(cat $REVIEW_APPS_EE_LICENSE_FILE)"
-    - export QA_GITLAB_URL="$(cat environment_url.txt)"
-    - cd qa && bundle install
+    - scripts/checkout-mr-source-sha
+    - !reference [.bundle-base, before_script]
   script:
+    - export EE_LICENSE="$(cat $REVIEW_APPS_EE_LICENSE_FILE)"
     - qa_run_status=0
     - |
       bundle exec rake "knapsack:rspec[\
@@ -52,7 +55,6 @@ include:
         --tag ~skip_signup_disabled \
         --tag ~requires_git_protocol_v2 \
         --tag ~requires_praefect \
-        --tag ~sanity_feature_flags \
         --force-color \
         --order random \
         --format documentation \
@@ -82,16 +84,12 @@ include:
 
 # Store knapsack report as artifact so the same report is reused across all jobs
 download-knapsack-report:
-  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bullseye-ruby-2.7:bundler-2.3-git-2.33-chrome-${CHROME_VERSION}
   extends:
-    - .qa-cache
-    - .bundler_variables
+    - .bundle-base
     - .review:rules:review-qa-reliable
   stage: prepare
   variables:
     QA_KNAPSACK_REPORTS: review-qa-reliable,review-qa-all
-  before_script:
-    - cd qa && bundle install
   script:
     - bundle exec rake "knapsack:download"
   allow_failure: true
@@ -100,29 +98,6 @@ download-knapsack-report:
       - qa/knapsack/review-qa-*.json
     expire_in: 1 day
 
-review-qa-sanity:
-  extends:
-    - .review-qa-base
-    - .review:rules:review-qa-sanity
-  retry: 1
-  variables:
-    QA_RUN_TYPE: review-qa-sanity
-  script:
-    - qa_run_status=0
-    - |
-      bundle exec rake "knapsack:rspec[\
-        --tag sanity_feature_flags \
-        --force-color \
-        --order random \
-        --format documentation \
-        --format RspecJunitFormatter --out tmp/rspec.xml \
-      ]" || qa_run_status=$?
-    - if [ ${qa_run_status} -ne 0 ]; then
-        release_sha=$(echo "${CI_MERGE_REQUEST_SOURCE_BRANCH_SHA:-${CI_COMMIT_SHA}}" | cut -c1-11);
-        echo "Errors can be found at https://sentry.gitlab.net/gitlab/gitlab-review-apps/releases/${release_sha}/all-events/.";
-      fi
-    - exit ${qa_run_status}
-
 review-qa-smoke:
   extends:
     - .review-qa-base
@@ -140,7 +115,7 @@ review-qa-reliable:
   parallel: 10
   variables:
     QA_RUN_TYPE: review-qa-reliable
-    RSPEC_TAGS: --tag reliable
+    RSPEC_TAGS: --tag reliable --tag sanity_feature_flags
 
 review-qa-all:
   extends:
@@ -149,7 +124,7 @@ review-qa-all:
   parallel: 5
   variables:
     QA_RUN_TYPE: review-qa-all
-    RSPEC_TAGS: --tag ~reliable --tag ~smoke
+    RSPEC_TAGS: --tag ~reliable --tag ~smoke --tag ~sanity_feature_flags
 
 review-performance:
   extends:
@@ -202,8 +177,21 @@ allure-report-qa-all:
 upload-knapsack-report:
   extends:
     - .generate-knapsack-report-base
+    - .bundle-base
   stage: post-qa
   variables:
-    # knapsack report upload uses gitlab-qa image with code already there
-    GIT_STRATEGY: none
     QA_KNAPSACK_REPORT_FILE_PATTERN: $CI_PROJECT_DIR/qa/tmp/knapsack/*/*.json
+
+delete-test-resources:
+  extends:
+    - .bundle-base
+    - .review:rules:review-qa-cleanup
+  stage: post-qa
+  variables:
+    QA_TEST_RESOURCES_FILE_PATTERN: $CI_PROJECT_DIR/qa/tmp/test-resources-*.json
+    GITLAB_QA_ACCESS_TOKEN: $REVIEW_APPS_ROOT_TOKEN
+    COLORIZED_LOGS: "true"
+  script:
+    - export GITLAB_ADDRESS="$QA_GITLAB_URL"
+    - bundle exec rake "test_resources:delete[$QA_TEST_RESOURCES_FILE_PATTERN]"
+  allow_failure: true
diff --git a/.gitlab/ci/review.gitlab-ci.yml b/.gitlab/ci/review.gitlab-ci.yml
index 26c7306c880..b2cd9d61fd8 100644
--- a/.gitlab/ci/review.gitlab-ci.yml
+++ b/.gitlab/ci/review.gitlab-ci.yml
@@ -5,10 +5,10 @@ review-cleanup:
   extends:
     - .default-retry
     - .review:rules:review-cleanup
-  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:gitlab-helm3.5-kubectl1.17
+  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/ruby-3.0:gcloud-383-kubectl-1.23-helm-3.5
   stage: prepare
   environment:
-    name: review/${CI_COMMIT_REF_SLUG}${FREQUENCY}
+    name: review/${CI_COMMIT_REF_SLUG}${SCHEDULE_TYPE} # No separator for SCHEDULE_TYPE so it's compatible as before and looks nice without it
     action: stop
   before_script:
     - source scripts/utils.sh
@@ -33,7 +33,7 @@ start-review-app-pipeline:
   # They need to be explicitly passed on to the child pipeline.
   # https://docs.gitlab.com/ee/ci/pipelines/multi_project_pipelines.html#pass-cicd-variables-to-a-downstream-pipeline-by-using-the-variables-keyword
   variables:
-    FREQUENCY: $FREQUENCY
+    SCHEDULE_TYPE: $SCHEDULE_TYPE
     DAST_RUN: $DAST_RUN
   trigger:
     include:
diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml
index ccdc2c1b90a..93790f431dd 100644
--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -49,6 +49,9 @@
 .if-merge-request-targeting-stable-branch: &if-merge-request-targeting-stable-branch
   if: '$CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^[\d-]+-stable(-ee)?$/'
 
+.if-merge-request-labels-run-in-ruby3: &if-merge-request-labels-run-in-ruby3
+  if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:run-in-ruby3/'
+
 .if-merge-request-labels-as-if-foss: &if-merge-request-labels-as-if-foss
   if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:run-as-if-foss/'
 
@@ -91,11 +94,11 @@
 .if-fork-merge-request: &if-fork-merge-request
   if: '$CI_PROJECT_NAMESPACE !~ /^gitlab(-org)?($|\/)/ && $CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_LABELS !~ /pipeline:run-all-rspec/'
 
-.if-default-branch-schedule-2-hourly: &if-default-branch-schedule-2-hourly
-  if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "schedule" && $FREQUENCY == "2-hourly"'
+.if-default-branch-schedule-maintenance: &if-default-branch-schedule-maintenance
+  if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_TYPE == "maintenance"'
 
 .if-default-branch-schedule-nightly: &if-default-branch-schedule-nightly
-  if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "schedule" && $FREQUENCY == "nightly"'
+  if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_TYPE == "nightly"'
 
 .if-security-schedule: &if-security-schedule
   if: '$CI_PROJECT_NAMESPACE == "gitlab-org/security" && $CI_PIPELINE_SOURCE == "schedule"'
@@ -106,17 +109,14 @@
 .if-dot-com-ee-schedule: &if-dot-com-ee-schedule
   if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_PIPELINE_SOURCE == "schedule"'
 
-.if-dot-com-ee-schedule-child-pipeline: &if-dot-com-ee-schedule-child-pipeline
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_PIPELINE_SOURCE == "parent_pipeline" && $FREQUENCY'
-
-.if-dot-com-ee-2-hourly-schedule: &if-dot-com-ee-2-hourly-schedule
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_PIPELINE_SOURCE == "schedule" && $FREQUENCY == "2-hourly"'
+.if-dot-com-ee-schedule-maintenance: &if-dot-com-ee-schedule-maintenance
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_TYPE == "maintenance"'
 
-.if-dot-com-ee-nightly-schedule: &if-dot-com-ee-nightly-schedule
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_PIPELINE_SOURCE == "schedule" && $FREQUENCY == "nightly"'
+.if-dot-com-ee-schedule-nightly: &if-dot-com-ee-schedule-nightly
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_TYPE == "nightly"'
 
-.if-dot-com-ee-nightly-schedule-child-pipeline: &if-dot-com-ee-nightly-schedule-child-pipeline
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_PIPELINE_SOURCE == "parent_pipeline" && $FREQUENCY == "nightly"'
+.if-dot-com-ee-schedule-nightly-child-pipeline: &if-dot-com-ee-schedule-nightly-child-pipeline
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_PIPELINE_SOURCE == "parent_pipeline" && $SCHEDULE_TYPE == "nightly"'
 
 .if-dot-com-gitlab-org-default-branch: &if-dot-com-gitlab-org-default-branch
   if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH'
@@ -127,6 +127,9 @@
 .if-dot-com-gitlab-org-and-security-merge-request: &if-dot-com-gitlab-org-and-security-merge-request
   if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && $CI_MERGE_REQUEST_IID'
 
+.if-dot-com-gitlab-org-and-security-merge-request-and-qa-tests-specified: &if-dot-com-gitlab-org-and-security-merge-request-and-qa-tests-specified
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && $CI_MERGE_REQUEST_IID && $QA_TESTS'
+
 .if-dot-com-gitlab-org-and-security-merge-request-manual-ff-package-and-qa: &if-dot-com-gitlab-org-and-security-merge-request-manual-ff-package-and-qa
   if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && $CI_MERGE_REQUEST_IID && $QA_MANUAL_FF_PACKAGE_AND_QA'
 
@@ -325,7 +328,6 @@
   - "danger/**/*"
   - "{,ee/,jh/}fixtures/**/*"
   - "{,ee/,jh/}rubocop/**/*"
-  - ".rubocop_todo/**/*.yml"
   - "{,ee/,jh/}spec/**/*"
   - "{,spec/}tooling/**/*"
 
@@ -343,8 +345,7 @@
   - "Dockerfile.assets"
   - "vendor/assets/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo}.yml"
-  - ".rubocop_todo/**/*.yml"
+  - ".gitlab-ci.yml"
   - "*_VERSION"
   - "{,jh/}Gemfile{,.lock}"
   - "Rakefile"
@@ -368,8 +369,7 @@
   - "Dockerfile.assets"
   - "vendor/assets/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo}.yml"
-  - ".rubocop_todo/**/*.yml"
+  - ".gitlab-ci.yml"
   - "*_VERSION"
   - "{,jh/}Gemfile{,.lock}"
   - "Rakefile"
@@ -400,8 +400,7 @@
   - "Dockerfile.assets"
   - "vendor/assets/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo}.yml"
-  - ".rubocop_todo/**/*.yml"
+  - ".gitlab-ci.yml"
   - "*_VERSION"
   - "{,jh/}Gemfile{,.lock}"
   - "Rakefile"
@@ -428,8 +427,7 @@
   - "Dockerfile.assets"
   - "vendor/assets/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo}.yml"
-  - ".rubocop_todo/**/*.yml"
+  - ".gitlab-ci.yml"
   - "*_VERSION"
   - "{,jh/}Gemfile{,.lock}"
   - "Rakefile"
@@ -463,8 +461,7 @@
   - "Dockerfile.assets"
   - "vendor/assets/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo}.yml"
-  - ".rubocop_todo/**/*.yml"
+  - ".gitlab-ci.yml"
   - "*_VERSION"
   - "{,jh/}Gemfile{,.lock}"
   - "Rakefile"
@@ -494,6 +491,12 @@
   - "scripts/lint_templates_bash.rb"
   - "lib/gitlab/ci/templates/**/*.gitlab-ci.yml"
 
+.static-analysis-patterns: &static-analysis-patterns
+  - ".{codeclimate,eslintrc,haml-lint,haml-lint_todo}.yml"
+  - ".rubocop.yml"
+  - ".rubocop_todo.yml"
+  - ".rubocop_todo/**/*.yml"
+
 .danger-patterns: &danger-patterns
   - "Dangerfile"
   - "danger/**/*"
@@ -622,7 +625,7 @@
 ################
 .shared:rules:update-cache:
   rules:
-    - <<: *if-default-branch-schedule-2-hourly
+    - <<: *if-default-branch-schedule-maintenance
     - <<: *if-security-schedule
     - <<: *if-merge-request-labels-update-caches
 
@@ -828,9 +831,7 @@
 .frontend:rules:eslint-as-if-foss:
   rules:
     - !reference [".strict-ee-only-rules", rules]
-    # We already have `static-analysis as-if-foss` which already runs `lint:eslint:all` if the `pipeline:run-as-if-foss` label is set.
     - <<: *if-merge-request-labels-as-if-foss
-      when: never
     - <<: *if-merge-request
       changes: *frontend-patterns
 
@@ -881,7 +882,7 @@
 ###############
 .pages:rules:
   rules:
-    - <<: *if-dot-com-ee-2-hourly-schedule
+    - <<: *if-dot-com-ee-schedule-maintenance
 
 ############
 # QA rules #
@@ -943,6 +944,9 @@
     - <<: *if-dot-com-gitlab-org-and-security-merge-request
       changes: *qa-patterns
       allow_failure: true
+    - <<: *if-dot-com-gitlab-org-and-security-merge-request-and-qa-tests-specified
+      changes: *code-patterns
+      allow_failure: true
     - <<: *if-dot-com-gitlab-org-and-security-merge-request
       changes: *code-patterns
       when: manual
@@ -1378,7 +1382,7 @@
     - <<: *if-merge-request
       changes: *code-backstage-patterns
       when: always
-    - <<: *if-default-branch-schedule-2-hourly
+    - <<: *if-default-branch-schedule-maintenance
     - <<: *if-merge-request-labels-run-all-rspec
       when: always
 
@@ -1434,16 +1438,19 @@
 .static-analysis:rules:ee-and-foss:
   rules:
     - changes: *code-backstage-qa-patterns
+    - changes: *static-analysis-patterns
 
 .static-analysis:rules:ee-and-foss-qa:
   rules:
     - changes: *qa-patterns
+    - changes: *static-analysis-patterns
 
 .static-analysis:rules:ee:
   rules:
     - <<: *if-not-ee
       when: never
     - changes: *code-backstage-qa-patterns
+    - changes: *static-analysis-patterns
 
 .static-analysis:rules:as-if-foss:
   rules:
@@ -1455,6 +1462,8 @@
       changes: *code-backstage-qa-patterns
     - <<: *if-merge-request
       changes: *ci-patterns
+    - <<: *if-merge-request
+      changes: *static-analysis-patterns
 
 #######################
 # Vendored gems rules #
@@ -1466,6 +1475,31 @@
       changes: ["vendor/gems/mail-smtp_pool/**/*"]
     - <<: *if-merge-request-labels-run-all-rspec
 
+.vendor:rules:ipynbdiff:
+  rules:
+    - <<: *if-merge-request
+      changes: ["vendor/gems/ipynbdiff/**/*"]
+    - <<: *if-merge-request-labels-run-all-rspec
+
+.vendor:rules:omniauth_crowd:
+  rules:
+    - <<: *if-merge-request
+      changes: ["vendor/gems/omniauth_crowd/**/*"]
+    - <<: *if-merge-request-labels-run-all-rspec
+
+
+.vendor:rules:omniauth-gitlab:
+  rules:
+    - <<: *if-merge-request
+      changes: ["vendor/gems/omniauth-gitlab/**/*"]
+    - <<: *if-merge-request-labels-run-all-rspec
+
+.vendor:rules:devise-pbkdf2-encryptable:
+  rules:
+    - <<: *if-merge-request
+      changes: ["vendor/gems/devise-pbkdf2-encryptable/**/*"]
+    - <<: *if-merge-request-labels-run-all-rspec
+
 ##################
 # Releases rules #
 ##################
@@ -1524,6 +1558,7 @@
         - '**/*.tsx'
         - '**/*.c'
         - '**/*.go'
+        - '**/*.rb'
 
 .reports:rules:secret_detection:
   rules:
@@ -1561,13 +1596,13 @@
   rules:
     - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
       when: never
-    - <<: *if-dot-com-ee-nightly-schedule-child-pipeline
+    - <<: *if-dot-com-ee-schedule-nightly-child-pipeline
 
 .reports:rules:package_hunter-yarn:
   rules:
     - if: "$PACKAGE_HUNTER_USER == null || $PACKAGE_HUNTER_USER == ''"
       when: never
-    - <<: *if-default-branch-schedule-2-hourly
+    - <<: *if-default-branch-schedule-maintenance
     - <<: *if-merge-request
       changes: ["yarn.lock"]
 
@@ -1575,7 +1610,7 @@
   rules:
     - if: "$PACKAGE_HUNTER_USER == null || $PACKAGE_HUNTER_USER == ''"
       when: never
-    - <<: *if-default-branch-schedule-2-hourly
+    - <<: *if-default-branch-schedule-maintenance
     - <<: *if-merge-request
       changes: ["Gemfile.lock"]
 
@@ -1612,6 +1647,7 @@
       when: manual
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-schedule
+      allow_failure: true
       variables:
         KNAPSACK_GENERATE_REPORT: "true"
 
@@ -1637,10 +1673,6 @@
   rules:
     - when: on_success
 
-.review:rules:review-qa-sanity:
-  rules:
-    - when: on_success
-
 .review:rules:review-qa-smoke:
   rules:
     - when: on_success
@@ -1680,10 +1712,17 @@
     - when: on_success
     - when: on_failure
 
+.review:rules:review-qa-cleanup:
+  rules:
+    - when: always
+
 .review:rules:review-cleanup:
   rules:
     - <<: *if-not-ee
       when: never
+    - <<: *if-dot-com-gitlab-org-merge-request
+      when: manual
+      allow_failure: true
     - <<: *if-dot-com-gitlab-org-schedule
       allow_failure: true
 
@@ -1747,6 +1786,10 @@
     - <<: *if-default-refs
       changes: *code-backstage-patterns
 
+.setup:rules:verify-ruby-2.7:
+  rules:
+    - <<: *if-merge-request-labels-run-in-ruby3
+
 .setup:rules:verify-tests-yml:
   rules:
     - <<: *if-not-ee
@@ -1760,12 +1803,11 @@
       when: never
     - <<: *if-merge-request-labels-jh-contribution
 
-
 .setup:rules:generate-frontend-fixtures-mapping:
   rules:
     - <<: *if-not-ee
       when: never
-    - <<: *if-dot-com-ee-2-hourly-schedule
+    - <<: *if-dot-com-ee-schedule-maintenance
     - changes:
         - ".gitlab/ci/setup.gitlab-ci.yml"
         - ".gitlab/ci/test-metadata.gitlab-ci.yml"
@@ -1797,7 +1839,7 @@
   rules:
     - <<: *if-not-ee
       when: never
-    - <<: *if-dot-com-ee-2-hourly-schedule
+    - <<: *if-dot-com-ee-schedule-maintenance
     - changes:
         - ".gitlab/ci/test-metadata.gitlab-ci.yml"
         - "scripts/rspec_helpers.sh"
diff --git a/.gitlab/ci/setup.gitlab-ci.yml b/.gitlab/ci/setup.gitlab-ci.yml
index 505caeec837..2da397aaab8 100644
--- a/.gitlab/ci/setup.gitlab-ci.yml
+++ b/.gitlab/ci/setup.gitlab-ci.yml
@@ -23,13 +23,19 @@ cache gems:
     - .default-retry
   needs: []
 
-dont-interrupt-me:
-  extends: .setup:rules:dont-interrupt-me
-  stage: sync
+.absolutely-minimal-job:
+  extends:
+    - .minimal-job
   image: ${GITLAB_DEPENDENCY_PROXY}alpine:edge
-  interruptible: false
   variables:
     GIT_STRATEGY: none
+
+dont-interrupt-me:
+  extends:
+    - .absolutely-minimal-job
+    - .setup:rules:dont-interrupt-me
+  stage: sync
+  interruptible: false
   script:
     - echo "This jobs makes sure this pipeline won't be interrupted! See https://docs.gitlab.com/ee/ci/yaml/#interruptible."
 
@@ -57,6 +63,15 @@ no-jh-check:
   script:
     - scripts/no-dir-check jh
 
+verify-ruby-2.7:
+  extends:
+    - .absolutely-minimal-job
+    - .setup:rules:verify-ruby-2.7
+  stage: prepare
+  script:
+    - echo 'Please remove label ~"pipeline:run-in-ruby3" so we do test against Ruby 2.7 (default version) before merging the merge request'
+    - exit 1
+
 verify-tests-yml:
   extends:
     - .setup:rules:verify-tests-yml
@@ -70,8 +85,8 @@ verify-tests-yml:
 
 verify-approvals:
   extends:
+    - .minimal-job
     - .setup:rules:jh-contribution
-  needs: []
   script:
     - source scripts/utils.sh
     - install_gitlab_gem
diff --git a/.gitlab/ci/static-analysis.gitlab-ci.yml b/.gitlab/ci/static-analysis.gitlab-ci.yml
index e1257e778bd..b4efd9e49bf 100644
--- a/.gitlab/ci/static-analysis.gitlab-ci.yml
+++ b/.gitlab/ci/static-analysis.gitlab-ci.yml
@@ -7,7 +7,6 @@
   variables:
     SETUP_DB: "false"
     ENABLE_SPRING: "1"
-    SKIP_LOG_INITIALIZER_CONNECTIONS: "1"
     # Disable warnings in browserslist which can break on backports
     # https://github.com/browserslist/browserslist/blob/a287ec6/node.js#L367-L384
     BROWSERSLIST_IGNORE_OLD_DATA: "true"
@@ -49,7 +48,7 @@ static-verification-with-database:
   variables:
     SETUP_DB: "true"
 
-generate-apollo-graphl-schema:
+generate-apollo-graphql-schema:
   extends:
     - .static-analysis-base
     - .frontend:rules:default-frontend-jobs
@@ -66,12 +65,19 @@ generate-apollo-graphl-schema:
     paths:
       - "${GRAPHQL_SCHEMA_APOLLO_FILE}"
 
+generate-apollo-graphql-schema as-if-foss:
+  extends:
+    - generate-apollo-graphql-schema
+    - .frontend:rules:eslint-as-if-foss
+    - .as-if-foss
+  needs: ['graphql-schema-dump as-if-foss']
+
 eslint:
   extends:
     - .static-analysis-base
     - .yarn-cache
     - .frontend:rules:default-frontend-jobs
-  needs: ['generate-apollo-graphl-schema']
+  needs: ['generate-apollo-graphql-schema']
   variables:
     USE_BUNDLE_INSTALL: "false"
   script:
@@ -83,6 +89,7 @@ eslint as-if-foss:
     - eslint
     - .frontend:rules:eslint-as-if-foss
     - .as-if-foss
+  needs: ['generate-apollo-graphql-schema as-if-foss']
 
 haml-lint foss:
   extends:
diff --git a/.gitlab/ci/vendored-gems.gitlab-ci.yml b/.gitlab/ci/vendored-gems.gitlab-ci.yml
index a39c4307c13..8596d770a87 100644
--- a/.gitlab/ci/vendored-gems.gitlab-ci.yml
+++ b/.gitlab/ci/vendored-gems.gitlab-ci.yml
@@ -5,3 +5,35 @@ vendor mail-smtp_pool:
   trigger:
     include: vendor/gems/mail-smtp_pool/.gitlab-ci.yml
     strategy: depend
+
+vendor ipynbdiff:
+  extends:
+    - .vendor:rules:ipynbdiff
+  needs: []
+  trigger:
+    include: vendor/gems/ipynbdiff/.gitlab-ci.yml
+    strategy: depend
+
+vendor omniauth_crowd:
+  extends:
+    - .vendor:rules:omniauth_crowd
+  needs: []
+  trigger:
+    include: vendor/gems/omniauth_crowd/.gitlab-ci.yml
+    strategy: depend
+
+vendor omniauth-gitlab:
+  extends:
+    - .vendor:rules:omniauth-gitlab
+  needs: []
+  trigger:
+    include: vendor/gems/omniauth-gitlab/.gitlab-ci.yml
+    strategy: depend
+
+vendor devise-pbkdf2-encryptable:
+  extends:
+    - .vendor:rules:devise-pbkdf2-encryptable
+  needs: []
+  trigger:
+    include: vendor/gems/devise-pbkdf2-encryptable/.gitlab-ci.yml
+    strategy: depend
diff --git a/.gitlab/ci/workhorse.gitlab-ci.yml b/.gitlab/ci/workhorse.gitlab-ci.yml
index 6db3582bdab..ade2f65441f 100644
--- a/.gitlab/ci/workhorse.gitlab-ci.yml
+++ b/.gitlab/ci/workhorse.gitlab-ci.yml
@@ -23,3 +23,9 @@ workhorse:verify:
 workhorse:test using go 1.17:
   extends: .workhorse:test
   image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}-golang-1.17-git-2.31
+
+workhorse:test using go 1.17 with FIPS:
+  extends: .workhorse:test
+  variables:
+    WORKHORSE_TEST_FIPS_ENABLED: 1
+  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}-golang-1.17-git-2.31
diff --git a/.gitlab/issue_templates/Broken Master - Flaky.md b/.gitlab/issue_templates/Broken Master - Flaky.md
new file mode 100644
index 00000000000..6b56845ba8c
--- /dev/null
+++ b/.gitlab/issue_templates/Broken Master - Flaky.md
@@ -0,0 +1,25 @@
+<!---
+This issue template is for a master pipeline is failing for a flaky reason that cannot be reliably reproduced.
+
+Please read the below documentations for a workflow of triaging and resolving broken master.
+
+- https://about.gitlab.com/handbook/engineering/workflow/#triage-broken-master
+- https://gitlab.com/gitlab-org/quality/engineering-productivity/team/-/blob/main/runbooks/master-broken.md
+- https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/development/testing_guide/flaky_tests.md
+--->
+
+### Summary
+
+<!-- Link to the failing master build and add the build failure output in the below code block section. -->
+
+### Steps to reproduce
+
+<!-- If the pipeline failure is reproducible, provide steps to recreate the issue locally. Please use an ordered list. -->
+
+### Proposed Resolution
+
+<!-- Describe the proposed change to restore master stability. -->
+
+Please refer to the [Resolution guidance](https://about.gitlab.com/handbook/engineering/workflow/#resolution-of-broken-master) to learn more about resolution of broken master.
+
+/label ~"failure::flaky-test" ~"Engineering Productivity" ~"priority::2" ~"severity::2"
diff --git a/.gitlab/issue_templates/Broken Master - Non-flaky.md b/.gitlab/issue_templates/Broken Master - Non-flaky.md
new file mode 100644
index 00000000000..97a34aa759d
--- /dev/null
+++ b/.gitlab/issue_templates/Broken Master - Non-flaky.md
@@ -0,0 +1,24 @@
+<!---
+This issue template is for a master pipeline is failing for a non-flaky reason.
+
+Please read the below documentations for a workflow of triaging and resolving broken master.
+
+- https://about.gitlab.com/handbook/engineering/workflow/#triage-broken-master
+- https://gitlab.com/gitlab-org/quality/engineering-productivity/team/-/blob/main/runbooks/master-broken.md
+--->
+
+### Summary
+
+<!-- Link to the failing master build and add the build failure output in the below code block section. -->
+
+### Steps to reproduce
+
+<!-- If the pipeline failure is reproducible, provide steps to recreate the issue locally. Please use an ordered list. -->
+
+### Proposed Resolution
+
+<!-- Describe the proposed change to restore master stability. -->
+
+Please refer to the [Resolution guidance](https://about.gitlab.com/handbook/engineering/workflow/#resolution-of-broken-master) to learn more about resolution of broken master.
+
+/label ~"master:broken" ~"Engineering Productivity" ~"priority::1" ~"severity::1"
diff --git a/.gitlab/issue_templates/Feature Flag Roll Out.md b/.gitlab/issue_templates/Feature Flag Roll Out.md
index 1b3d82cf522..f3830a5cc10 100644
--- a/.gitlab/issue_templates/Feature Flag Roll Out.md
+++ b/.gitlab/issue_templates/Feature Flag Roll Out.md
@@ -62,7 +62,7 @@ _Consider adding links to check for Sentry errors, Production logs for 5xx, 302s
 - Ensure that the feature MRs have been deployed to non-production environments.
     - [ ] `/chatops run auto_deploy status <merge-commit-of-your-feature>`
 - [ ] Enable the feature globally on non-production environments.
-    - [ ] `/chatops run feature set <feature-flag-name> true --dev --staging`
+    - [ ] `/chatops run feature set <feature-flag-name> true --dev --staging --staging-ref`
 - [ ] Verify that the feature works as expected. Posting the QA result in this issue is preferable.
       The best environment to validate the feature in is [staging-canary](https://about.gitlab.com/handbook/engineering/infrastructure/environments/#staging-canary)
       as this is the first environment deployed to. Note you will need to make sure you are configured to use canary as outlined [here](https://about.gitlab.com/handbook/engineering/infrastructure/environments/canary-stage/)
@@ -120,7 +120,7 @@ To do so, follow these steps:
       the feature can be officially announced in a release blog post.
     - [ ] `/chatops run release check <merge-request-url> <milestone>`
 - [ ] Consider cleaning up the feature flag from all environments by running these chatops command in `#production` channel. Otherwise these settings may override the default enabled.
-    - [ ] `/chatops run feature delete <feature-flag-name> --dev --staging --production`
+    - [ ] `/chatops run feature delete <feature-flag-name> --dev --staging --staging-ref --production`
 - [ ] Close [the feature issue](ISSUE LINK) to indicate the feature will be released in the current milestone.
 - [ ] Set the next milestone to this rollout issue for scheduling [the flag removal](#release-the-feature).
 - [ ] (Optional) You can [create a separate issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new?issuable_template=Feature%20Flag%20Cleanup) for scheduling the steps below to [Release the feature](#release-the-feature).
@@ -156,7 +156,7 @@ You can either [create a follow-up issue for Feature Flag Cleanup](https://gitla
     - [ ] `/chatops run release check <merge-request-url> <milestone>`
 - [ ] Close [the feature issue](ISSUE LINK) to indicate the feature will be released in the current milestone.
 - [ ] If not already done, clean up the feature flag from all environments by running these chatops command in `#production` channel:
-    - [ ] `/chatops run feature delete <feature-flag-name> --dev --staging --production`
+    - [ ] `/chatops run feature delete <feature-flag-name> --dev --staging --staging-ref --production`
 - [ ] Close this rollout issue.
 
 ## Rollback Steps
diff --git a/.gitlab/issue_templates/Feature proposal - detailed.md b/.gitlab/issue_templates/Feature proposal - detailed.md
index 9f8a0a92a58..48052ed49ea 100644
--- a/.gitlab/issue_templates/Feature proposal - detailed.md
+++ b/.gitlab/issue_templates/Feature proposal - detailed.md
@@ -81,7 +81,9 @@ Please list the test areas (unit, integration and end-to-end) that needs to be a
 * Integration test changes
 * End-to-end test change
 
-See the test engineering planning process and reach out to your counterpart Software Engineer in Test for assistance: https://about.gitlab.com/handbook/engineering/quality/test-engineering/#test-planning -->
+See the Quality Engineering quad planning and test planning processes and reach out to your counterpart Software Engineer in Test for assistance. 
+Quad Planning: https://about.gitlab.com/handbook/engineering/quality/quality-engineering/quad-planning 
+Test Planning: https://about.gitlab.com/handbook/engineering/quality/quality-engineering/test-engineering/#test-planning -->
 
 ### Available Tier
 
diff --git a/.gitlab/issue_templates/Geo Replicate a new Git repository type.md b/.gitlab/issue_templates/Geo Replicate a new Git repository type.md
index 34e6e70015b..e1c5928b950 100644
--- a/.gitlab/issue_templates/Geo Replicate a new Git repository type.md
+++ b/.gitlab/issue_templates/Geo Replicate a new Git repository type.md
@@ -64,7 +64,7 @@ For more information, see the [Enable Geo migrations to use Migration[2.0]](http
     disable_ddl_transaction!
 
     def up
-      ActiveRecord::Base.transaction do
+      ApplicationRecord.transaction do
         create_table :cool_widget_registry, id: :bigserial, force: :cascade do |t|
           t.bigint :cool_widget_id, null: false
           t.datetime_with_timezone :created_at, null: false
@@ -128,7 +128,7 @@ The Geo primary site needs to checksum every replicable so secondaries can verif
   ```ruby
   # frozen_string_literal: true
 
-  class CreateCoolWidgetStates < Gitlab::Database::Migration[1.0]
+  class CreateCoolWidgetStates < Gitlab::Database::Migration[2.0]
     VERIFICATION_STATE_INDEX_NAME = "index_cool_widget_states_on_verification_state"
     PENDING_VERIFICATION_INDEX_NAME = "index_cool_widget_states_pending_verification"
     FAILED_VERIFICATION_INDEX_NAME = "index_cool_widget_states_failed_verification"
diff --git a/.gitlab/issue_templates/Geo Replicate a new blob type.md b/.gitlab/issue_templates/Geo Replicate a new blob type.md
index e6f96c575d2..9158885262d 100644
--- a/.gitlab/issue_templates/Geo Replicate a new blob type.md
+++ b/.gitlab/issue_templates/Geo Replicate a new blob type.md
@@ -66,7 +66,7 @@ For more information, see the [Enable Geo migrations to use Migration[2.0]](http
     disable_ddl_transaction!
 
     def up
-      ActiveRecord::Base.transaction do
+      ApplicationRecord.transaction do
         create_table :cool_widget_registry, id: :bigserial, force: :cascade do |t|
           t.bigint :cool_widget_id, null: false
           t.datetime_with_timezone :created_at, null: false
@@ -130,7 +130,7 @@ The Geo primary site needs to checksum every replicable so secondaries can verif
   ```ruby
   # frozen_string_literal: true
 
-  class CreateCoolWidgetStates < Gitlab::Database::Migration[1.0]
+  class CreateCoolWidgetStates < Gitlab::Database::Migration[2.0]
     VERIFICATION_STATE_INDEX_NAME = "index_cool_widget_states_on_verification_state"
     PENDING_VERIFICATION_INDEX_NAME = "index_cool_widget_states_pending_verification"
     FAILED_VERIFICATION_INDEX_NAME = "index_cool_widget_states_failed_verification"
diff --git a/.gitlab/merge_request_templates/New End To End Test.md b/.gitlab/merge_request_templates/New End To End Test.md
index 4c42b324553..46ccdb1cb0c 100644
--- a/.gitlab/merge_request_templates/New End To End Test.md
+++ b/.gitlab/merge_request_templates/New End To End Test.md
@@ -10,7 +10,10 @@ Please link to the respective test case in the testcases project
 - [ ] Note if the test is intended to run in specific scenarios. If a scenario is new, add a link to the MR that adds the new scenario.
 - [ ] Follow the end-to-end tests [style guide](https://docs.gitlab.com/ee/development/testing_guide/end_to_end/style_guide.html) and [best practices](https://docs.gitlab.com/ee/development/testing_guide/end_to_end/best_practices.html).
 - [ ] Use the appropriate [RSpec metadata tag(s)](https://docs.gitlab.com/ee/development/testing_guide/end_to_end/rspec_metadata_tests.html#rspec-metadata-for-end-to-end-tests).
-- [ ] Ensure that a created resource is removed after test execution. A `Group` resource can be shared between multiple tests. Do not remove it unless it has a unique path. Note that we have a cleanup job that periodically removes groups under `gitlab-qa-sandbox-group`.
+- Most resources will be cleaned up via the general [cleanup task](https://gitlab.com/gitlab-org/gitlab/-/blob/44345381e89d6bbd440f7b4c680d03e8b75b86de/qa/qa/tools/test_resources_handler.rb#L44). Check that is successful, or ensure resources are cleaned up in the test:
+  - [ ] New resources have `api_get_path` and `api_delete_path` implemented if possible.
+  - [ ] If any resource cannot be deleted in the general delete task, make sure it is [ignored](https://gitlab.com/gitlab-org/gitlab/-/blob/44345381e89d6bbd440f7b4c680d03e8b75b86de/qa/qa/tools/test_resources_handler.rb#L29).
+  - [ ] If any resource cannot be deleted in the general delete task, remove it in the test (e.g., in an `after` block).
 - [ ] Ensure that no [transient bugs](https://about.gitlab.com/handbook/engineering/quality/issue-triage/#transient-bugs) are hidden accidentally due to the usage of `waits` and `reloads`.
 - [ ] Verify the tags to ensure it runs on the desired test environments.
 - [ ] If this MR has a dependency on another MR, such as a GitLab QA MR, specify the order in which the MRs should be merged.
diff --git a/.gitlab/sast-ruleset.toml b/.gitlab/sast-ruleset.toml
new file mode 100644
index 00000000000..6bfb4618b73
--- /dev/null
+++ b/.gitlab/sast-ruleset.toml
@@ -0,0 +1,10 @@
+[semgrep]
+  description = 'semgrep custom rules configuration'
+  targetdir = "/sgrules"
+  validate = true
+
+  [[semgrep.passthrough]]
+    type  = "git"
+    value = "https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules.git"
+    ref = "refs/heads/main"
+    subdir = "appsec-pings"