authorGitLab Bot <gitlab-bot@gitlab.com>2020-01-21 14:21:10 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-01-21 14:21:10 +0000
commitcb0d23c455b73486fd1015f8ca9479b5b7e3585d (patch)
treed7dc129a407fd74266d2dc561bebf24665197c2f /.gitlab
parentc3e911be175c0aabfea1eb030f9e0ef23f5f3887 (diff)
Add latest changes from gitlab-org/gitlab@12-7-stable-ee
Diffstat (limited to '.gitlab')
-rw-r--r--.gitlab/CODEOWNERS3
-rw-r--r--.gitlab/ci/cache-repo.gitlab-ci.yml13
-rw-r--r--.gitlab/ci/dev-fixtures.gitlab-ci.yml30
-rw-r--r--.gitlab/ci/docs.gitlab-ci.yml15
-rw-r--r--.gitlab/ci/frontend.gitlab-ci.yml64
-rw-r--r--.gitlab/ci/global.gitlab-ci.yml10
-rw-r--r--.gitlab/ci/notifications.gitlab-ci.yml23
-rw-r--r--.gitlab/ci/qa.gitlab-ci.yml63
-rw-r--r--.gitlab/ci/rails.gitlab-ci.yml22
-rw-r--r--.gitlab/ci/releases.gitlab-ci.yml2
-rw-r--r--.gitlab/ci/reports.gitlab-ci.yml2
-rw-r--r--.gitlab/ci/review.gitlab-ci.yml114
-rw-r--r--.gitlab/ci/yaml.gitlab-ci.yml5
-rw-r--r--.gitlab/issue_templates/Coding style proposal.md2
-rw-r--r--.gitlab/issue_templates/Feature proposal.md1
-rw-r--r--.gitlab/issue_templates/Security developer workflow.md56
-rw-r--r--.gitlab/merge_request_templates/Database changes.md50
-rw-r--r--.gitlab/merge_request_templates/Security Release.md34
18 files changed, 290 insertions, 219 deletions
diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS
index c8283326533..19aa96701d8 100644
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@@ -3,7 +3,8 @@
*.rake @gitlab-org/maintainers/rails-backend
# Technical writing team are the default reviewers for everything in `doc/`
-/doc/ @gl-docsteam
+*.md @gl-docsteam
+doc/ @gl-docsteam
# Frontend maintainers should see everything in `app/assets/`
app/assets/ @gitlab-org/maintainers/frontend
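Review bot: `*.md @gl-docsteam` is a repository-wide glob, so it now routes every Markdown file to the docs team — including the `.gitlab/issue_templates` and `.gitlab/merge_request_templates` files touched later in this same commit and any README under `app/` or `spec/` — whereas the removed `/doc/` entry was anchored to one directory. If the intent is only to keep covering documentation that also lives outside `doc/`, a narrower pattern or an explicit override for `.gitlab/` would avoid surprising approval requirements on CI and template changes. Since the last matching CODEOWNERS entry takes precedence, such an override can sit after this line, e.g. `.gitlab/ @gitlab-org/maintainers/rails-backend` or whichever group owns the CI config.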
diff --git a/.gitlab/ci/cache-repo.gitlab-ci.yml b/.gitlab/ci/cache-repo.gitlab-ci.yml
index f856afd3a02..1162e98e246 100644
--- a/.gitlab/ci/cache-repo.gitlab-ci.yml
+++ b/.gitlab/ci/cache-repo.gitlab-ci.yml
@@ -18,16 +18,23 @@
# runner, or network egress charges will apply:
# https://cloud.google.com/storage/pricing
cache-repo:
- extends:
- - .only:variables_refs-canonical-dot-com-schedules
image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
stage: sync
allow_failure: true
variables:
- GIT_DEPTH: 0
+ GIT_STRATEGY: none
TAR_FILENAME: /tmp/gitlab-master.tar
script:
+ - cd ..
+ - rm -rf $CI_PROJECT_NAME
+ - git clone --progress $CI_REPOSITORY_URL $CI_PROJECT_NAME
+ - cd $CI_PROJECT_NAME
- gcloud auth activate-service-account --key-file=$CI_REPO_CACHE_CREDENTIALS
- tar cf $TAR_FILENAME .
- gzip $TAR_FILENAME
- gsutil cp $TAR_FILENAME.gz gs://gitlab-ci-git-repo-cache/project-$CI_PROJECT_ID/gitlab-master.tar.gz
+ only:
+ variables:
+ - $CI_REPO_CACHE_CREDENTIALS
+ refs:
+ - schedules
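Review bot: The `git clone --progress $CI_REPOSITORY_URL $CI_PROJECT_NAME` line writes the job-token credential embedded in `CI_REPOSITORY_URL` into `.git/config` of the fresh checkout, and `tar cf $TAR_FILENAME .` two lines later ships that file into the `gs://gitlab-ci-git-repo-cache` bucket. The job token expires with the job, so the exposure is bounded, but every consumer of the cached tarball still inherits a credential-bearing `remote.origin.url`. After the `cd $CI_PROJECT_NAME` line, reset the remote to the token-less URL with `- git remote set-url origin "$CI_PROJECT_URL.git"`, and quote the expansions in the `rm -rf $CI_PROJECT_NAME` and `cd $CI_PROJECT_NAME` lines so an unexpected value cannot split into extra arguments for `rm`.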
diff --git a/.gitlab/ci/dev-fixtures.gitlab-ci.yml b/.gitlab/ci/dev-fixtures.gitlab-ci.yml
new file mode 100644
index 00000000000..a5dab5d8708
--- /dev/null
+++ b/.gitlab/ci/dev-fixtures.gitlab-ci.yml
@@ -0,0 +1,30 @@
+.run-dev-fixtures:
+ extends:
+ - .only-code-rails-job-base
+ - .use-pg9
+ stage: test
+ needs: ["setup-test-env"]
+ dependencies: ["setup-test-env"]
+ variables:
+ FIXTURE_PATH: "db/fixtures/development"
+ SEED_CYCLE_ANALYTICS: "true"
+ SEED_PRODUCTIVITY_ANALYTICS: "true"
+ CYCLE_ANALYTICS_ISSUE_COUNT: 1
+ SIZE: 0 # number of external projects to fork, requires network connection
+ # SEED_NESTED_GROUPS: "false" # requires network connection
+
+run-dev-fixtures-foss:
+ extends: .run-dev-fixtures
+ script:
+ - scripts/gitaly-test-spawn
+ - RAILS_ENV=test bundle exec rake db:seed_fu
+
+run-dev-fixtures-ee:
+ extends:
+ - .only-ee
+ - .use-pg9-ee
+ - .run-dev-fixtures
+ script:
+ - scripts/gitaly-test-spawn
+ - cp ee/db/fixtures/development/* $FIXTURE_PATH
+ - RAILS_ENV=test bundle exec rake db:seed_fu
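Review bot: `CYCLE_ANALYTICS_ISSUE_COUNT: 1` and `SIZE: 0` are the only unquoted scalars in the `variables` block; every other value there is a quoted string, as are the numeric-looking values elsewhere on this page (`WEBPACK_MEMORY_TEST: "true"`). CI variables are exported as strings regardless, so `CYCLE_ANALYTICS_ISSUE_COUNT: "1"` and `SIZE: "0"` cost nothing and keep the block consistent. The trailing comment on the `SIZE` line and the commented-out `SEED_NESTED_GROUPS` line both hint at a network requirement; one comment above the block, `# Defaults keep the seed offline: forking external projects and nested groups need network access`, states that intent once instead of twice.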
diff --git a/.gitlab/ci/docs.gitlab-ci.yml b/.gitlab/ci/docs.gitlab-ci.yml
index cd0e4085e10..4acc3c7d1fe 100644
--- a/.gitlab/ci/docs.gitlab-ci.yml
+++ b/.gitlab/ci/docs.gitlab-ci.yml
@@ -11,7 +11,10 @@
stage: review
dependencies: []
variables:
- GIT_STRATEGY: none
+ # We're cloning the repo instead of downloading the script for now
+ # because some repos are private and CI_JOB_TOKEN cannot access files.
+ # See https://gitlab.com/gitlab-org/gitlab/issues/191273
+ GIT_DEPTH: 1
environment:
name: review-docs/$DOCS_GITLAB_REPO_SUFFIX-$CI_MERGE_REQUEST_IID
# DOCS_REVIEW_APPS_DOMAIN and DOCS_GITLAB_REPO_SUFFIX are CI variables
@@ -19,11 +22,7 @@
url: http://docs-preview-$DOCS_GITLAB_REPO_SUFFIX-$CI_MERGE_REQUEST_IID.$DOCS_REVIEW_APPS_DOMAIN/$DOCS_GITLAB_REPO_SUFFIX
on_stop: review-docs-cleanup
before_script:
- # We don't clone the repo by using GIT_STRATEGY: none and only download the
- # single script we need here so it's much faster than cloning.
- apk add --update openssl
- - wget $CI_PROJECT_URL/raw/$CI_COMMIT_SHA/scripts/trigger-build-docs
- - chmod 755 trigger-build-docs
- gem install httparty --no-document --version 0.17.3
- gem install gitlab --no-document --version 4.13.0
@@ -32,7 +31,7 @@
review-docs-deploy:
extends: .review-docs
script:
- - ./trigger-build-docs deploy
+ - ./scripts/trigger-build-docs deploy
when: manual
# Cleanup remote environment of gitlab-docs
@@ -42,7 +41,7 @@ review-docs-cleanup:
name: review-docs/$DOCS_GITLAB_REPO_SUFFIX-$CI_MERGE_REQUEST_IID
action: stop
script:
- - ./trigger-build-docs cleanup
+ - ./scripts/trigger-build-docs cleanup
when: manual
docs lint:
@@ -51,7 +50,7 @@ docs lint:
- .default-retry
- .default-only
- .only:changes-docs
- image: "registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-docs-lint"
+ image: "registry.gitlab.com/gitlab-org/gitlab-docs:docs-lint"
stage: test
dependencies: []
script:
diff --git a/.gitlab/ci/frontend.gitlab-ci.yml b/.gitlab/ci/frontend.gitlab-ci.yml
index 6578eec8234..076de55014e 100644
--- a/.gitlab/ci/frontend.gitlab-ci.yml
+++ b/.gitlab/ci/frontend.gitlab-ci.yml
@@ -1,9 +1,46 @@
+# Make sure to update all the similar conditions in other CI config files if you modify these conditions
+.if-default: &if-default
+ if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG'
+
+# Make sure to update all the similar conditions in other CI config files if you modify these conditions
+.if-default-ee: &if-default-ee
+ if: '($CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG) && $CI_PROJECT_NAME =~ /^gitlab(-ee)?$/'
+
+# Make sure to update all the similar conditions in other CI config files if you modify these conditions
+.if-master: &if-master
+ if: '$CI_COMMIT_REF_NAME == "master"'
+
+# Make sure to update all the similar patterns in other CI config files if you modify these patterns
+.code-backstage-patterns: &code-backstage-patterns
+ - ".gitlab/ci/**/*"
+ - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
+ - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
+ - ".csscomb.json"
+ - "Dockerfile.assets"
+ - "*_VERSION"
+ - "Gemfile{,.lock}"
+ - "Rakefile"
+ - "{babel.config,jest.config}.js"
+ - "config.ru"
+ - "{package.json,yarn.lock}"
+ - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
+ - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
+ # Backstage changes
+ - "Dangerfile"
+ - "danger/**/*"
+ - "{,ee/}fixtures/**/*"
+ - "{,ee/}rubocop/**/*"
+ - "{,ee/}spec/**/*"
+ - "doc/README.md" # Some RSpec test rely on this file
+
.assets-compile-cache:
cache:
paths:
- vendor/ruby/
- .yarn-cache/
- tmp/cache/assets/sprockets
+ - tmp/cache/babel-loader
+ - tmp/cache/vue-loader
.gitlab:assets:compile-metadata:
extends:
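Review bot: The `.if-default-ee` anchor is defined but no `*if-default-ee` alias appears in any hunk of this file; if it is also unused in the parts of the file outside the diff, it is one more verbatim copy of the branch-condition regex to keep in sync for nothing, since the `.if-default` condition is already embedded in it. GitLab does not resolve YAML anchors across `include`d files, which is presumably why each CI file on this page carries its own copy of these conditions and pattern lists, so the `# Make sure to update all the similar conditions ...` comment is the only guard against drift. Naming the siblings in that comment, e.g. `# Keep in sync with the copies in .gitlab/ci/qa.gitlab-ci.yml and .gitlab/ci/review.gitlab-ci.yml`, makes the duplication findable with a grep rather than a memory exercise.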
@@ -13,10 +50,8 @@
- .default-before_script
- .assets-compile-cache
- .only:changes-code-backstage-qa
- image: registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.3-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-graphicsmagick-1.3.33-docker-19.03.1
- stage: test
- dependencies: ["setup-test-env"]
- needs: ["setup-test-env"]
+ image: registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.5-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-graphicsmagick-1.3.33-docker-19.03.1
+ stage: prepare
services:
- docker:19.03.0-dind
variables:
@@ -30,7 +65,7 @@
DOCKER_DRIVER: overlay2
DOCKER_HOST: tcp://docker:2375
cache:
- key: "assets-compile:production:vendor_ruby:.yarn-cache:tmp_cache_assets_sprockets:v6"
+ key: "assets-compile:production:vendor_ruby:.yarn-cache:tmp_cache_assets_sprockets:tmp_cache_webpack:v7"
artifacts:
name: webpack-report
expire_in: 31d
@@ -86,7 +121,7 @@ gitlab:assets:compile pull-cache:
# we override the max_old_space_size to prevent OOM errors
NODE_OPTIONS: --max_old_space_size=3584
cache:
- key: "assets-compile:v7"
+ key: "assets-compile:v8"
artifacts:
expire_in: 7d
paths:
@@ -108,7 +143,7 @@ compile-assets pull-push-cache foss:
- master
cache:
policy: pull-push
- key: "assets-compile:v7:foss"
+ key: "assets-compile:v8:foss"
compile-assets pull-cache:
extends: .compile-assets-metadata
@@ -119,7 +154,7 @@ compile-assets pull-cache foss:
extends: [".compile-assets-metadata", ".only-ee-as-if-foss"]
cache:
policy: pull
- key: "assets-compile:v7:foss"
+ key: "assets-compile:v8:foss"
.only-code-frontend-job-base:
extends:
@@ -132,7 +167,6 @@ compile-assets pull-cache foss:
- .use-pg9
stage: test
needs: ["setup-test-env", "compile-assets pull-cache"]
- dependencies: ["setup-test-env", "compile-assets pull-cache"]
.karma-base:
extends: .only-code-frontend-job-base
@@ -204,9 +238,10 @@ jest-foss:
- .default-tags
- .default-retry
- .default-cache
- - .default-only
- - .only:changes-code-backstage
stage: test
+ rules:
+ - <<: *if-master
+ when: on_success
dependencies: []
cache:
key: "$CI_JOB_NAME"
@@ -237,11 +272,12 @@ webpack-dev-server:
- .default-tags
- .default-retry
- .default-cache
- - .default-only
- - .only:changes-code-backstage
stage: test
+ rules:
+ - <<: *if-default
+ changes: *code-backstage-patterns
+ when: on_success
needs: ["setup-test-env", "compile-assets pull-cache"]
- dependencies: ["setup-test-env", "compile-assets pull-cache"]
variables:
WEBPACK_MEMORY_TEST: "true"
WEBPACK_VENDOR_DLL: "true"
diff --git a/.gitlab/ci/global.gitlab-ci.yml b/.gitlab/ci/global.gitlab-ci.yml
index 9ebd28c7258..4c407045411 100644
--- a/.gitlab/ci/global.gitlab-ci.yml
+++ b/.gitlab/ci/global.gitlab-ci.yml
@@ -22,7 +22,7 @@
# Jobs that only need to pull cache
.default-cache:
cache:
- key: "debian-stretch-ruby-2.6.3-node-12.x"
+ key: "debian-stretch-ruby-2.6.5-node-12.x"
paths:
- .go/pkg/mod
- vendor/ruby
@@ -202,7 +202,7 @@
- name: redis:alpine
.use-pg10:
- image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.3-golang-1.12-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-postgresql-10-graphicsmagick-1.3.33"
+ image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.5-golang-1.12-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-postgresql-10-graphicsmagick-1.3.33"
services:
- name: postgres:10.9
command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -213,15 +213,15 @@
- name: postgres:9.6
command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
- name: redis:alpine
- - name: elasticsearch:5.6.12
+ - name: elasticsearch:6.4.2
.use-pg10-ee:
- image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.3-golang-1.12-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-postgresql-10-graphicsmagick-1.3.33"
+ image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.5-golang-1.12-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-postgresql-10-graphicsmagick-1.3.33"
services:
- name: postgres:10.9
command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
- name: redis:alpine
- - name: elasticsearch:5.6.12
+ - name: elasticsearch:6.4.2
.only-ee:
only:
diff --git a/.gitlab/ci/notifications.gitlab-ci.yml b/.gitlab/ci/notifications.gitlab-ci.yml
deleted file mode 100644
index 4271e709f45..00000000000
--- a/.gitlab/ci/notifications.gitlab-ci.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-.notify:
- image: ruby:2.6-alpine
- stage: notification
- dependencies: []
- cache: {}
- before_script:
- - apk update && apk add git curl bash
- - source scripts/utils.sh
- - source scripts/notifications.sh
- - install_gitlab_gem
- variables:
- COMMIT_NOTES_URL: "https://${CI_SERVER_HOST}/${CI_PROJECT_PATH}/commit/${CI_COMMIT_SHA}#notes-list"
-
-schedule:package-and-qa:notify-failure:
- extends:
- - .only:variables_refs-canonical-dot-com-schedules
- - .notify
- script:
- - 'export NOTIFICATION_MESSAGE=":skull_and_crossbones: Scheduled QA against master failed! :skull_and_crossbones: See ${CI_PIPELINE_URL}. For downstream pipelines, see ${COMMIT_NOTES_URL}"'
- - 'notify_on_job_failure schedule:package-and-qa qa-master "${NOTIFICATION_MESSAGE}" ci_failing'
- needs: ["schedule:package-and-qa"]
- allow_failure: true
- when: always
diff --git a/.gitlab/ci/qa.gitlab-ci.yml b/.gitlab/ci/qa.gitlab-ci.yml
index 3cb5a40a8b5..5a58c3f9416 100644
--- a/.gitlab/ci/qa.gitlab-ci.yml
+++ b/.gitlab/ci/qa.gitlab-ci.yml
@@ -1,3 +1,32 @@
+# Make sure to update all the similar conditions in other CI config files if you modify these conditions
+.if-canonical-gitlab-schedule: &if-canonical-gitlab-schedule
+ if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_PIPELINE_SOURCE == "schedule"'
+
+# Make sure to update all the similar conditions in other CI config files if you modify these conditions
+.if-canonical-gitlab-merge-request: &if-canonical-gitlab-merge-request
+ if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_MERGE_REQUEST_IID'
+
+# Make sure to update all the similar patterns in other CI config files if you modify these patterns
+.code-patterns: &code-patterns
+ - ".gitlab/ci/**/*"
+ - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
+ - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
+ - ".csscomb.json"
+ - "Dockerfile.assets"
+ - "*_VERSION"
+ - "Gemfile{,.lock}"
+ - "Rakefile"
+ - "{babel.config,jest.config}.js"
+ - "config.ru"
+ - "{package.json,yarn.lock}"
+ - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
+ - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
+
+# Make sure to update all the similar patterns in other CI config files if you modify these patterns
+.qa-patterns: &qa-patterns
+ - ".dockerignore"
+ - "qa/**/*"
+
.qa-job-base:
extends:
- .default-tags
@@ -40,30 +69,16 @@ qa:selectors-foss:
- install_gitlab_gem
- ./scripts/trigger-build omnibus
-package-and-qa-manual:
- extends:
- - .package-and-qa-base
- - .default-only
- - .only:variables-canonical-dot-com
- - .except:refs-deploy
- - .only:changes-code
- when: manual
- needs: ["build-qa-image", "gitlab:assets:compile pull-cache"]
-
package-and-qa:
- extends:
- - .package-and-qa-base
- - .default-only
- - .only:variables-canonical-dot-com
- - .except:refs-master-tags-stable-deploy
- - .only:changes-qa
- needs: ["build-qa-image", "gitlab:assets:compile pull-cache"]
- allow_failure: true
-
-schedule:package-and-qa:
- extends:
- - .package-and-qa-base
- - .default-only
- - .only:variables_refs-canonical-dot-com-schedules
+ extends: .package-and-qa-base
+ rules:
+ - <<: *if-canonical-gitlab-merge-request
+ changes: *qa-patterns
+ when: on_success
+ - <<: *if-canonical-gitlab-merge-request
+ changes: *code-patterns
+ when: manual
+ - <<: *if-canonical-gitlab-schedule
+ when: on_success
needs: ["build-qa-image", "gitlab:assets:compile pull-cache"]
allow_failure: true
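Review bot: In the new `package-and-qa` rules the first matching entry wins, so a merge request touching both `qa/` and application code runs the job automatically via the `*qa-patterns` rule, while one touching only application code gets the manual variant; that mirrors the two jobs being replaced but is not obvious from the config, and a comment above `rules:` such as `# qa/ changes run the job automatically; other code changes leave it manual; schedules always run it` would save the next reader from re-deriving it. The removed `package-and-qa-manual` also carried `.except:refs-deploy`; the new rules key on `$CI_MERGE_REQUEST_IID`, so deploy-branch pushes are excluded only insofar as they never produce merge-request pipelines, which is worth confirming. The `.code-patterns` list above is a byte-for-byte copy of the first thirteen entries of `.code-qa-patterns` in `review.gitlab-ci.yml`, so the same in-sync caveat applies there.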
diff --git a/.gitlab/ci/rails.gitlab-ci.yml b/.gitlab/ci/rails.gitlab-ci.yml
index 4ac187e1670..8c3df170f6d 100644
--- a/.gitlab/ci/rails.gitlab-ci.yml
+++ b/.gitlab/ci/rails.gitlab-ci.yml
@@ -57,7 +57,7 @@ setup-test-env:
dependencies: ["setup-test-env", "retrieve-tests-metadata", "compile-assets pull-cache"]
script:
- source scripts/rspec_helpers.sh
- - rspec_paralellized_job "--tag ~quarantine --tag ~geo"
+ - rspec_paralellized_job "--tag ~quarantine --tag ~geo --tag ~level:migration"
artifacts:
expire_in: 31d
when: always
@@ -92,12 +92,21 @@ setup-test-env:
- .use-pg10
- .only-master
+.rspec-base-migration:
+ script:
+ - source scripts/rspec_helpers.sh
+ - rspec_paralellized_job "--tag ~quarantine --tag ~geo --tag level:migration"
+
rspec migration pg9:
- extends: .rspec-base-pg9
+ extends:
+ - .rspec-base-pg9
+ - .rspec-base-migration
parallel: 4
rspec migration pg9-foss:
- extends: .rspec-base-pg9-foss
+ extends:
+ - .rspec-base-pg9-foss
+ - .rspec-base-migration
parallel: 4
rspec unit pg9:
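Review bot: The `script` override from `.rspec-base-migration` only takes effect because it is listed after `.rspec-base-pg9` / `.rspec-base-pg9-foss` in `extends`; GitLab merges multiple parents in order with later entries winning on conflicting keys, so reordering the list would silently revert these jobs to the non-migration tag filter with no error. A comment on the template, `# Must be listed after the .rspec-base-* parent in extends so this script wins`, documents that constraint. The same ordering dependency applies to the `rspec-ee migration pg9` and `rspec-ee migration pg10` hunks below, where the anchor is inserted before `.only-master`; that is fine as long as `.only-master` defines no `script`, which I cannot verify from this diff.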
@@ -149,7 +158,9 @@ rspec system pg10:
- .use-pg10-ee
rspec-ee migration pg9:
- extends: .rspec-ee-base-pg9
+ extends:
+ - .rspec-ee-base-pg9
+ - .rspec-base-migration
parallel: 2
rspec-ee unit pg9:
@@ -167,6 +178,7 @@ rspec-ee system pg9:
rspec-ee migration pg10:
extends:
- .rspec-ee-base-pg10
+ - .rspec-base-migration
- .only-master
parallel: 2
@@ -261,7 +273,7 @@ static-analysis:
script:
- scripts/static-analysis
cache:
- key: "debian-stretch-ruby-2.6.3-and-rubocop"
+ key: "debian-stretch-ruby-2.6-and-rubocop"
paths:
- vendor/ruby
- tmp/rubocop_cache
diff --git a/.gitlab/ci/releases.gitlab-ci.yml b/.gitlab/ci/releases.gitlab-ci.yml
index d4e0236f3a8..8ca4041e6be 100644
--- a/.gitlab/ci/releases.gitlab-ci.yml
+++ b/.gitlab/ci/releases.gitlab-ci.yml
@@ -9,7 +9,7 @@
image: alpine:edge
stage: sync
before_script:
- - apk add --no-cache --update curl bash
+ - apk add --no-cache --update curl bash jq
after_script: []
script:
- bash scripts/sync-stable-branch.sh
diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index 4ff14b660b3..81cc3e7dd2f 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -20,7 +20,7 @@ code_quality:
variables:
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: ""
- CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/security-products/codequality:12-5-stable"
+ CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/security-products/codequality:0.85.6"
script:
- |
if ! docker info &>/dev/null; then
diff --git a/.gitlab/ci/review.gitlab-ci.yml b/.gitlab/ci/review.gitlab-ci.yml
index 1062f6b03a4..ad045d6c974 100644
--- a/.gitlab/ci/review.gitlab-ci.yml
+++ b/.gitlab/ci/review.gitlab-ci.yml
@@ -1,8 +1,34 @@
+# Make sure to update all the similar conditions in other CI config files if you modify these conditions
+.if-canonical-gitlab-schedule: &if-canonical-gitlab-schedule
+ if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_PIPELINE_SOURCE == "schedule"'
+
+# Make sure to update all the similar conditions in other CI config files if you modify these conditions
+.if-canonical-gitlab-merge-request: &if-canonical-gitlab-merge-request
+ if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_MERGE_REQUEST_IID'
+
+# Make sure to update all the similar patterns in other CI config files if you modify these patterns
+.code-qa-patterns: &code-qa-patterns
+ - ".gitlab/ci/**/*"
+ - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
+ - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
+ - ".csscomb.json"
+ - "Dockerfile.assets"
+ - "*_VERSION"
+ - "Gemfile{,.lock}"
+ - "Rakefile"
+ - "{babel.config,jest.config}.js"
+ - "config.ru"
+ - "{package.json,yarn.lock}"
+ - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
+ - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
+ # QA changes
+ - ".dockerignore"
+ - "qa/**/*"
+
.review-docker:
extends:
- .default-tags
- .default-retry
- - .default-only
image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-qa-alpine
services:
- docker:19.03.0-dind
@@ -15,12 +41,14 @@
GITLAB_EDITION: "ce"
build-qa-image:
- extends:
- - .review-docker
- - .only:variables-canonical-dot-com
- - .except:refs-deploy
- - .only:changes-code-qa
+ extends: .review-docker
stage: prepare
+ rules:
+ - <<: *if-canonical-gitlab-merge-request
+ changes: *code-qa-patterns
+ when: on_success
+ - <<: *if-canonical-gitlab-schedule
+ when: on_success
script:
- '[[ ! -d "ee/" ]] || export GITLAB_EDITION="ee"'
- export QA_MASTER_IMAGE="${CI_REGISTRY}/${CI_PROJECT_PATH}/gitlab/gitlab-${GITLAB_EDITION}-qa:master"
@@ -90,7 +118,6 @@ schedule:review-build-cng:
extends:
- .default-tags
- .default-retry
- - .default-only
image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-charts-build-base
dependencies: []
variables:
@@ -130,10 +157,11 @@ schedule:review-build-cng:
when: always
review-deploy:
- extends:
- - .review-deploy-base
- - .only-review
- - .only:changes-code-qa
+ extends: .review-deploy-base
+ rules:
+ - <<: *if-canonical-gitlab-merge-request
+ changes: *code-qa-patterns
+ when: on_success
schedule:review-deploy:
extends:
@@ -141,43 +169,45 @@ schedule:review-deploy:
- .only-review-schedules
.base-review-stop:
- extends:
- - .review-workflow-base
- - .only-review
- - .only:changes-code-qa
+ extends: .review-workflow-base
environment:
action: stop
variables:
- GIT_STRATEGY: none
+ # We're cloning the repo instead of downloading the script for now
+ # because some repos are private and CI_JOB_TOKEN cannot access files.
+ # See https://gitlab.com/gitlab-org/gitlab/issues/191273
+ GIT_DEPTH: 1
before_script:
- # We don't clone the repo by using GIT_STRATEGY: none and only download the
- # single script we need here so it's much faster than cloning.
- apk add --update openssl
- - wget $CI_PROJECT_URL/raw/$CI_COMMIT_SHA/scripts/review_apps/review-apps.sh
- - wget $CI_PROJECT_URL/raw/$CI_COMMIT_SHA/scripts/utils.sh
- - source utils.sh
- - source review-apps.sh
+ - source ./scripts/utils.sh
+ - source ./scripts/review_apps/review-apps.sh
review-stop-failed-deployment:
extends: .base-review-stop
stage: prepare
+ rules:
+ - <<: *if-canonical-gitlab-merge-request
+ changes: *code-qa-patterns
+ when: on_success
script:
- delete_failed_release
review-stop:
extends: .base-review-stop
stage: review
- when: manual
+ rules:
+ - <<: *if-canonical-gitlab-merge-request
+ changes: *code-qa-patterns
+ when: manual
allow_failure: true
script:
- delete_release
.review-qa-base:
- extends:
- - .review-docker
- - .only-review
- - .only:changes-code-qa
+ extends: .review-docker
stage: qa
+ needs: ["review-deploy"]
+ dependencies: ["review-deploy"]
allow_failure: true
variables:
QA_ARTIFACTS_DIR: "${CI_PROJECT_DIR}/qa"
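Review bot: `.base-review-stop` loses its `.only-review` and `.only:changes-code-qa` parents, and the run conditions are re-added only on the two concrete jobs visible here (`review-stop-failed-deployment` and `review-stop`); any other job that extends it outside this hunk now runs with neither `rules` nor `only` unless it supplies its own, which is worth checking before merge since `schedule:review-deploy` and its siblings are defined elsewhere in the file. `.review-qa-base` drops `.only-review` in the same hunk, and its concrete jobs `review-qa-smoke` and `review-qa-all` get rules further down, so the same check applies to any third extender. A comment above each template, `# Carries no run conditions: every job extending this must declare its own rules`, makes the new contract explicit for the next job added.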
@@ -189,13 +219,6 @@ review-stop:
GITLAB_ADMIN_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}"
GITHUB_ACCESS_TOKEN: "${REVIEW_APPS_QA_GITHUB_ACCESS_TOKEN}"
EE_LICENSE: "${REVIEW_APPS_EE_LICENSE}"
- needs: ["review-deploy"]
- dependencies: ["review-deploy"]
- artifacts:
- paths:
- - ./qa/gitlab-qa-run-*
- expire_in: 7 days
- when: always
before_script:
- '[[ ! -d "ee/" ]] || export GITLAB_EDITION="ee"'
- export QA_IMAGE="${CI_REGISTRY}/${CI_PROJECT_PATH}/gitlab/gitlab-${GITLAB_EDITION}-qa:${CI_COMMIT_REF_SLUG}"
@@ -205,15 +228,27 @@ review-stop:
- source scripts/utils.sh
- install_api_client_dependencies_with_apk
- gem install gitlab-qa --no-document ${GITLAB_QA_VERSION:+ --version ${GITLAB_QA_VERSION}}
+ artifacts:
+ paths:
+ - ./qa/gitlab-qa-run-*
+ expire_in: 7 days
+ when: always
review-qa-smoke:
extends: .review-qa-base
+ rules:
+ - <<: *if-canonical-gitlab-merge-request
+ changes: *code-qa-patterns
+ when: on_success
script:
- gitlab-qa Test::Instance::Smoke "${QA_IMAGE}" "${CI_ENVIRONMENT_URL}"
review-qa-all:
extends: .review-qa-base
- when: manual
+ rules:
+ - <<: *if-canonical-gitlab-merge-request
+ changes: *code-qa-patterns
+ when: manual
parallel: 5
script:
- export KNAPSACK_REPORT_PATH=knapsack/master_report.json
@@ -241,10 +276,11 @@ review-qa-all:
performance: performance.json
review-performance:
- extends:
- - .review-performance-base
- - .only-review
- - .only:changes-code-qa
+ extends: .review-performance-base
+ rules:
+ - <<: *if-canonical-gitlab-merge-request
+ changes: *code-qa-patterns
+ when: on_success
needs: ["review-deploy"]
dependencies: ["review-deploy"]
before_script:
diff --git a/.gitlab/ci/yaml.gitlab-ci.yml b/.gitlab/ci/yaml.gitlab-ci.yml
index 323f94b6d04..4fcf940974b 100644
--- a/.gitlab/ci/yaml.gitlab-ci.yml
+++ b/.gitlab/ci/yaml.gitlab-ci.yml
@@ -10,5 +10,8 @@ lint-ci-gitlab:
- "**/*.yml"
image: sdesbure/yamllint:latest
dependencies: []
+ variables:
+ LINT_PATHS: .gitlab-ci.yml .gitlab/ci lib/gitlab/ci/templates changelogs
script:
- - yamllint .gitlab-ci.yml .gitlab/ci lib/gitlab/ci/templates changelogs
+ - '[[ ! -d "ee/" ]] || export LINT_PATHS="$LINT_PATHS ee/changelogs"'
+ - yamllint $LINT_PATHS
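Review bot: `yamllint $LINT_PATHS` depends on shell word splitting of the unquoted variable, which is intended here since `LINT_PATHS` is a space-separated list, but it is exactly the pattern a later contributor may "fix" by quoting; a trailing comment on that line, `# unquoted on purpose: LINT_PATHS is a space-separated list`, prevents that. Unrelated to the lines changed but worth noting while this job grows in scope: the context line `image: sdesbure/yamllint:latest` pulls a third-party Docker Hub image by a floating tag, so the lint result is not reproducible across runs; pinning to a specific tag would be the usual follow-up.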
diff --git a/.gitlab/issue_templates/Coding style proposal.md b/.gitlab/issue_templates/Coding style proposal.md
index a969c9b72ee..95f0fb5f366 100644
--- a/.gitlab/issue_templates/Coding style proposal.md
+++ b/.gitlab/issue_templates/Coding style proposal.md
@@ -5,7 +5,7 @@ Please describe the proposal and add a link to the source (for example, http://w
-->
- [ ] Mention the proposal in the next backend weekly call and the #backend channel to encourage contribution
-- [ ] Proceed with the proposal once 50% of the maintainers have weighed in, and 80% of the votes are :+1:
+- [ ] Proceed with the proposal once 50% of the maintainers have weighed in, and 80% of their votes are :+1:
- [ ] Once approved, mention it again in the next backend weekly call and the #backend channel
diff --git a/.gitlab/issue_templates/Feature proposal.md b/.gitlab/issue_templates/Feature proposal.md
index 2d6d03c313c..45e9c58205f 100644
--- a/.gitlab/issue_templates/Feature proposal.md
+++ b/.gitlab/issue_templates/Feature proposal.md
@@ -6,6 +6,7 @@
<!-- Who will use this feature? If known, include any of the following: types of users (e.g. Developer), personas, or specific company roles (e.g. Release Manager). It's okay to write "Unknown" and fill this field in later.
+* [Rachel (Release Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#rachel-release-manager)
* [Parker (Product Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#parker-product-manager)
* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
diff --git a/.gitlab/issue_templates/Security developer workflow.md b/.gitlab/issue_templates/Security developer workflow.md
index e06a6fb0cff..1b6a1f87216 100644
--- a/.gitlab/issue_templates/Security developer workflow.md
+++ b/.gitlab/issue_templates/Security developer workflow.md
@@ -1,60 +1,59 @@
<!--
# Read me first!
-Create this issue under https://dev.gitlab.org/gitlab/gitlabhq
+Create this issue under https://gitlab.com/gitlab-org/security
Set the title to: `Description of the original issue`
-->
-### Prior to starting the security release work
+## Prior to starting the security release work
- [ ] Read the [security process for developers] if you are not familiar with it.
-- [ ] Link to the original issue adding it to the [links section](#links)
-- [ ] Run `scripts/security-harness` in the CE, EE, and/or Omnibus to prevent pushing to any remote besides `dev.gitlab.org`
-- [ ] Create a new branch prefixing it with `security-`
-- [ ] Create a MR targeting `dev.gitlab.org` `master`
-- [ ] Add a link to this issue in the original security issue on `gitlab.com`.
+- [ ] Link this issue in the Security Release issue on GitLab.com. You can find this issue in the topic of the `#releases` channel.
+- [ ] Add a link to the confidential `gitlab-org/gitlab` issue describing the vulnerability next to **Original issue** in the [links table](#links).
+- [ ] Add a link to the confidential `gitlab-org/gitlab` Security release issue next to **Security release issue** in the [links table](#links).
+- [ ] Run `scripts/security-harness` in your local repository to prevent accidentally pushing to any remote besides `gitlab.com/gitlab-org/security`.
-#### Backports
+## Development
-- [ ] Once the MR is ready to be merged, create MRs targeting the latest 3 stable branches
- - [ ] At this point, it might be easy to squash the commits from the MR into one
- - You can use the script `bin/secpick` instead of the following steps, to help you cherry-picking. See the [secpick documentation]
- - [ ] Create each MR targeting the stable branch `X-Y-stable`, using the "Security Release" merge request template.
- - Every merge request will have its own set of TODOs, so make sure to
- complete those.
-- [ ] Make sure all MRs have a link in the [links section](#links)
+- [ ] Create a new branch prefixing it with `security-`.
+- [ ] Create a merge request targeting `master` on `gitlab.com/gitlab-org/security` and use the [Security Release merge request template].
+- [ ] Follow the same [code review process]: Assign to a reviewer, then to a maintainer.
-[secpick documentation]: https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md#secpick-script
+After your merge request has being approved according to our [approval guidelines], you're ready to prepare the backports
+
+## Backports
-#### Documentation and final details
+- [ ] Once the MR is ready to be merged, create MRs targeting the latest 3 stable branches
+ * At this point, it might be easy to squash the commits from the MR into one
+ * You can use the script `bin/secpick` instead of the following steps, to help you cherry-picking. See the [secpick documentation]
+- [ ] Create each MR targeting the stable branch `X-Y-stable`, using the [Security Release merge request template].
+ * Every merge request will have its own set of TODOs, so make sure to complete those.
+- [ ] Make sure all MRs are linked in the [Links section](#links)
+
+## Documentation and final details
-- [ ] Check the topic on #releases to see when the next release is going to happen and add a link to the [links section](#links)
-- [ ] Add links to this issue and your MRs in the description of the security release issue
+- [ ] Ensure the [Links section](#links) is completed.
- [ ] Find out the versions affected (the Git history of the files affected may help you with this) and add them to the [details section](#details)
- [ ] Fill in any upgrade notes that users may need to take into account in the [details section](#details)
- [ ] Add Yes/No and further details if needed to the migration and settings columns in the [details section](#details)
- [ ] Add the nickname of the external user who found the issue (and/or HackerOne profile) to the Thanks row in the [details section](#details)
- [ ] Once your `master` MR is merged, comment on the original security issue with a link to that MR indicating the issue is fixed.
-### Summary
+## Summary
-#### Links
+### Links
| Description | Link |
| -------- | -------- |
| Original issue | #TODO |
| Security release issue | #TODO |
| `master` MR | !TODO |
-| `master` MR (EE) | !TODO |
| `Backport X.Y` MR | !TODO |
| `Backport X.Y` MR | !TODO |
| `Backport X.Y` MR | !TODO |
-| `Backport X.Y` MR (EE) | !TODO |
-| `Backport X.Y` MR (EE) | !TODO |
-| `Backport X.Y` MR (EE) | !TODO |
-#### Details
+### Details
| Description | Details | Further details|
| -------- | -------- | -------- |
@@ -65,6 +64,9 @@ Set the title to: `Description of the original issue`
| Thanks | | |
[security process for developers]: https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md
-[RM list]: https://about.gitlab.com/release-managers/
+[secpick documentation]: https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md#secpick-script
+[security Release merge request template]: https://gitlab.com/gitlab-org/security/gitlab/blob/master/.gitlab/merge_request_templates/Security%20Release.md
+[code review process]: https://docs.gitlab.com/ee/development/code_review.html
+[approval guidelines]: https://docs.gitlab.com/ee/development/code_review.html#approval-guidelines
/label ~security
diff --git a/.gitlab/merge_request_templates/Database changes.md b/.gitlab/merge_request_templates/Database changes.md
deleted file mode 100644
index 89c8c7a5d07..00000000000
--- a/.gitlab/merge_request_templates/Database changes.md
+++ /dev/null
@@ -1,50 +0,0 @@
-## What does this MR do?
-
-<!--
-Describe in detail what your merge request does, why it does that, etc. Merge
-requests without an adequate description will not be reviewed until one is
-added.
-
-Please also keep this description up-to-date with any discussion that takes
-place so that reviewers can understand your intent. This is especially
-important if they didn't participate in the discussion.
-
-Make sure to remove this comment when you are done.
--->
-
-Add a description of your merge request here.
-
-## Database checklist
-
-- [ ] Conforms to the [database guides](https://docs.gitlab.com/ee/development/README.html#database-guides)
-
-When adding migrations:
-
-- [ ] Updated `db/schema.rb`
-- [ ] Added a `down` method so the migration can be reverted
-- [ ] Added the output of the migration(s) to the MR body
-- [ ] Added tests for the migration in `spec/migrations` if necessary (e.g. when migrating data)
-- [ ] Added rollback procedure. Include either a rollback procedure or description how to rollback changes
-
-When adding or modifying queries to improve performance:
-
-- [ ] Included data that shows the performance improvement, preferably in the form of a benchmark
-- [ ] Included the output of `EXPLAIN (ANALYZE, BUFFERS)` of the relevant queries
-
-When adding foreign keys to existing tables:
-
-- [ ] Included a migration to remove orphaned rows in the source table before adding the foreign key
-- [ ] Removed any instances of `dependent: ...` that may no longer be necessary
-
-When adding tables:
-
-- [ ] Ordered columns based on the [Ordering Table Columns](https://docs.gitlab.com/ee/development/ordering_table_columns.html) guidelines
-- [ ] Added foreign keys to any columns pointing to data in other tables
-- [ ] Added indexes for fields that are used in statements such as `WHERE`, `ORDER BY`, `GROUP BY`, and `JOIN`s
-
-When removing columns, tables, indexes or other structures:
-
-- [ ] Removed these in a post-deployment migration
-- [ ] Made sure the application no longer uses (or ignores) these structures
-
-/label ~database ~"database::review pending"
diff --git a/.gitlab/merge_request_templates/Security Release.md b/.gitlab/merge_request_templates/Security Release.md
index 42314f9b2dd..cccfafe397e 100644
--- a/.gitlab/merge_request_templates/Security Release.md
+++ b/.gitlab/merge_request_templates/Security Release.md
@@ -1,35 +1,37 @@
<!--
# README first!
-This MR should be created on `dev.gitlab.org`.
+This MR should be created on `gitlab.com/gitlab-org/security/gitlab`.
See [the general developer security release guidelines](https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md).
-This merge request _must not_ close the corresponding security issue _unless_ it
-targets master.
-
-When submitting a merge request for CE, a corresponding EE merge request is
-always required. This makes it easier to merge security merge requests, as
-manually merging CE into EE is no longer required.
-
-->
+
## Related issues
<!-- Mention the issue(s) this MR is related to -->
## Developer checklist
-- [ ] Link to the developer security workflow issue on `dev.gitlab.org`
-- [ ] MR targets `master`, or `X-Y-stable` for backports
-- [ ] Milestone is set for the version this MR applies to
-- [ ] Title of this MR is the same as for all backports
+- [ ] Link this MR in the `links` section of the related issue on [GitLab Security].
+- [ ] Merge request targets `master`, or `X-Y-stable` for backports.
+- [ ] Milestone is set for the version this merge request applies to. A closed milestone can be assigned via [quick actions].
+- [ ] Title of this merge request is the same as for all backports.
- [ ] A [CHANGELOG entry](https://docs.gitlab.com/ee/development/changelog.html) is added without a `merge_request` value, with `type` set to `security`
-- [ ] Add a link to this MR in the `links` section of related issue
-- [ ] Set up an EE MR (always required for CE merge requests): EE_MR_LINK_HERE
-- [ ] Assign to a reviewer (that is not a release manager)
+- [ ] Assign to a reviewer and maintainer, per our [Code Review process].
+- [ ] For the MR targeting `master`:
+ - [ ] Ping appsec team member who created the issue and ask for a non-blocking review with `Please review this MR`.
+ - [ ] Ensure it's approved according to our [Approval Guidelines].
+- [ ] Merge request _must not_ close the corresponding security issue, _unless_ it targets `master`.
-## Reviewer checklist
+**Note:** Reviewer/maintainer should not be a Release Manager
+## Maintainer checklist
- [ ] Correct milestone is applied and the title is matching across all backports
- [ ] Assigned to `@gitlab-release-tools-bot` with passing CI pipelines
/label ~security
+
+[GitLab Security]: https://gitlab.com/gitlab-org/security/gitlab
+[approval guidelines]: https://docs.gitlab.com/ee/development/code_review.html#approval-guidelines
+[Code Review process]: https://docs.gitlab.com/ee/development/code_review.html
+[quick actions]: https://docs.gitlab.com/ee/user/project/quick_actions.html#quick-actions-for-issues-merge-requests-and-epics