Add latest changes from gitlab-org/gitlab@13-5-stable-eev13.5.0-rc42

23 files changed, 339 insertions, 109 deletions

diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS
index b4fd436cc58..5187ac01b58 100644
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@@ -184,7 +184,7 @@ Dangerfile @gl-quality/eng-prod
 /lib/gitlab/auth/ldap/ @dblessing @mkozono
 
 [Templates]
-/lib/gitlab/ci/templates/ @nolith @dosuken123
+/lib/gitlab/ci/templates/ @nolith @shinya.maeda
 /lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml @DylanGriffith @mayra-cabrera @tkuah
 /lib/gitlab/ci/templates/Security/ @plafoucriere @gonzoyumo @twoodham @sethgitlab
 
@@ -213,10 +213,10 @@ Dangerfile @gl-quality/eng-prod
 /ee/spec/lib/gitlab/code_owners/ @reprazent @kerrizor @garyh
 /doc/user/project/code_owners.md @reprazent @kerrizor @garyh
 
-[Telemetry]
-/ee/lib/gitlab/usage_data_counters/ @gitlab-org/growth/telemetry/engineers
-/ee/lib/ee/gitlab/usage_data.rb @gitlab-org/growth/telemetry/engineers
-/lib/gitlab/grafana_embed_usage_data.rb @gitlab-org/growth/telemetry/engineers
-/lib/gitlab/usage_data.rb @gitlab-org/growth/telemetry/engineers
-/lib/gitlab/cycle_analytics/usage_data.rb @gitlab-org/growth/telemetry/engineers
-/lib/gitlab/usage_data_counters/ @gitlab-org/growth/telemetry/engineers
+[Product Analytics]
+/ee/lib/gitlab/usage_data_counters/ @gitlab-org/growth/product_analytics/engineers
+/ee/lib/ee/gitlab/usage_data.rb @gitlab-org/growth/product_analytics/engineers
+/lib/gitlab/grafana_embed_usage_data.rb @gitlab-org/growth/product_analytics/engineers
+/lib/gitlab/usage_data.rb @gitlab-org/growth/product_analytics/engineers
+/lib/gitlab/cycle_analytics/usage_data.rb @gitlab-org/growth/product_analytics/engineers
+/lib/gitlab/usage_data_counters/ @gitlab-org/growth/product_analytics/engineers
diff --git a/.gitlab/ci/dast.gitlab-ci.yml b/.gitlab/ci/dast.gitlab-ci.yml
index 93f64930822..33778b9cbd0 100644
--- a/.gitlab/ci/dast.gitlab-ci.yml
+++ b/.gitlab/ci/dast.gitlab-ci.yml
@@ -28,6 +28,8 @@
     # Help pages are excluded from scan as they are static pages.
     # profile/two_factor_auth is excluded from scan to prevent 2FA from being turned on from user profile, which will reduce coverage.
     - 'export DAST_AUTH_EXCLUDE_URLS="${DAST_WEBSITE}/help/.*,${DAST_WEBSITE}/profile/two_factor_auth,${DAST_WEBSITE}/users/sign_out"'
+    # Exclude the automatically generated monitoring project from being tested due to https://gitlab.com/gitlab-org/gitlab/-/issues/260362
+    - 'DAST_AUTH_EXCLUDE_URLS="${DAST_AUTH_EXCLUDE_URLS},https://.*\.gitlab-review\.app/gitlab-instance-(administrators-)?[a-zA-Z0-9]{8}/.*"'
     - enable_rule () { read all_rules; rule=$1; echo $all_rules | sed -r "s/(,)?$rule(,)?/\1-1\2/" ; }
     # Sort ids in DAST_RULES ascendingly, which is required when using DAST_RULES as argument to enable_rule
     - 'DAST_RULES=$(echo $DAST_RULES | tr "," "\n" | sort -n | paste -sd ",")'
diff --git a/.gitlab/ci/dev-fixtures.gitlab-ci.yml b/.gitlab/ci/dev-fixtures.gitlab-ci.yml
index fc3678a7d17..4141cc7f071 100644
--- a/.gitlab/ci/dev-fixtures.gitlab-ci.yml
+++ b/.gitlab/ci/dev-fixtures.gitlab-ci.yml
@@ -14,14 +14,17 @@
     SIZE: 0  # number of external projects to fork, requires network connection
     # SEED_NESTED_GROUPS: "false" # requires network connection
 
+.run-dev-fixtures-script: &run-dev-fixtures-script
+  - run_timed_command "scripts/gitaly-test-build"
+  - run_timed_command "scripts/gitaly-test-spawn"
+  - run_timed_command "RAILS_ENV=test bundle exec rake db:seed_fu"
+
 run-dev-fixtures:
   extends:
     - .run-dev-fixtures
     - .dev-fixtures:rules:ee-and-foss
   script:
-    - run_timed_command "scripts/gitaly-test-build"
-    - run_timed_command "scripts/gitaly-test-spawn"
-    - run_timed_command "RAILS_ENV=test bundle exec rake db:seed_fu"
+    - *run-dev-fixtures-script
 
 run-dev-fixtures-ee:
   extends:
@@ -29,7 +32,5 @@ run-dev-fixtures-ee:
     - .dev-fixtures:rules:ee-only
     - .use-pg11-ee
   script:
-    - run_timed_command "scripts/gitaly-test-build"
-    - run_timed_command "scripts/gitaly-test-spawn"
     - cp ee/db/fixtures/development/* $FIXTURE_PATH
-    - run_timed_command "RAILS_ENV=test bundle exec rake db:seed_fu"
+    - *run-dev-fixtures-script
diff --git a/.gitlab/ci/docs.gitlab-ci.yml b/.gitlab/ci/docs.gitlab-ci.yml
index 0e0e156a64f..4b25908aa6a 100644
--- a/.gitlab/ci/docs.gitlab-ci.yml
+++ b/.gitlab/ci/docs.gitlab-ci.yml
@@ -4,7 +4,7 @@
     - .docs:rules:review-docs
   image: ruby:2.6-alpine
   stage: review
-  dependencies: []
+  needs: []
   variables:
     # We're cloning the repo instead of downloading the script for now
     # because some repos are private and CI_JOB_TOKEN cannot access files.
@@ -42,7 +42,7 @@ docs lint:
   extends:
     - .default-retry
     - .docs:rules:docs-lint
-  image: "registry.gitlab.com/gitlab-org/gitlab-docs/lint:vale-2.3.4-markdownlint-0.23.2"
+  image: "registry.gitlab.com/gitlab-org/gitlab-docs/lint:ruby-2.7.2-alpine-3.12-vale-2.4.3-markdownlint-0.24.0"
   stage: test
   needs: []
   script:
diff --git a/.gitlab/ci/frontend.gitlab-ci.yml b/.gitlab/ci/frontend.gitlab-ci.yml
index 27f56cd8667..e4c9f85cf62 100644
--- a/.gitlab/ci/frontend.gitlab-ci.yml
+++ b/.gitlab/ci/frontend.gitlab-ci.yml
@@ -7,19 +7,21 @@
     # we override the max_old_space_size to prevent OOM errors
     NODE_OPTIONS: --max_old_space_size=3584
 
+.yarn-install: &yarn-install
+  - source scripts/utils.sh
+  - run_timed_command "retry yarn install --frozen-lockfile"
+
 .compile-assets-base:
   extends:
     - .frontend-base
     - .assets-compile-cache
-  image: registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.6-git-2.28-lfs-2.9-node-12.x-yarn-1.21-graphicsmagick-1.3.34
+  image: registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.6-git-2.28-lfs-2.9-node-12.18-yarn-1.22-graphicsmagick-1.3.34
   variables:
     WEBPACK_VENDOR_DLL: "true"
   stage: prepare
   script:
-    - node --version
-    - run_timed_command "retry yarn install --frozen-lockfile"
-    - free -m
-    - run_timed_command "bin/rake gitlab:assets:compile > assets-compile.log 2>&1"
+    - *yarn-install
+    - run_timed_command "bin/rake gitlab:assets:compile"
     - run_timed_command "scripts/clean-old-cached-assets"
 
 compile-production-assets:
@@ -34,7 +36,6 @@ compile-production-assets:
     name: webpack-report
     expire_in: 31d
     paths:
-      - assets-compile.log
       # These assets are used in multiple locations:
       # - in `build-assets-image` job to create assets image for packaging systems
       # - GitLab UI for integration tests: https://gitlab.com/gitlab-org/gitlab-ui/-/blob/e88493b3c855aea30bf60baee692a64606b0eb1e/.storybook/preview-head.pug#L1
@@ -51,7 +52,6 @@ compile-test-assets:
   artifacts:
     expire_in: 7d
     paths:
-      - assets-compile.log
       - public/assets/
       - node_modules/@gitlab/svgs/dist/icons.json  # app/helpers/icons_helper.rb uses this file
     when: always
@@ -87,8 +87,7 @@ update-yarn-cache:
     - .shared:rules:update-cache
   stage: prepare
   script:
-    - source scripts/utils.sh
-    - run_timed_command "retry yarn install --frozen-lockfile"
+    - *yarn-install
   cache:
     policy: push
 
@@ -139,14 +138,14 @@ eslint-as-if-foss:
     - .as-if-foss
   needs: []
   script:
-    - run_timed_command "retry yarn install --frozen-lockfile"
-    - yarn run eslint
+    - *yarn-install
+    - run_timed_command "yarn run eslint"
 
 .karma-base:
   extends: .frontend-test-base
   script:
     - export BABEL_ENV=coverage CHROME_LOG_FILE=chrome_debug.log
-    - run_timed_command "retry yarn install --frozen-lockfile"
+    - *yarn-install
     - run_timed_command "yarn karma"
 
 karma:
@@ -177,7 +176,7 @@ karma-as-if-foss:
 .jest-base:
   extends: .frontend-test-base
   script:
-    - run_timed_command "retry yarn install --frozen-lockfile"
+    - *yarn-install
     - run_timed_command "yarn jest --ci --coverage --testSequencer ./scripts/frontend/parallel_ci_sequencer.js"
 
 jest:
@@ -202,7 +201,7 @@ jest-integration:
     - .frontend-test-base
     - .frontend:rules:default-frontend-jobs
   script:
-    - run_timed_command "retry yarn install --frozen-lockfile"
+    - *yarn-install
     - run_timed_command "yarn jest:integration --ci"
   needs: ["frontend-fixtures"]
 
@@ -222,8 +221,7 @@ coverage-frontend:
   needs: ["jest"]
   stage: post-test
   before_script:
-    - source scripts/utils.sh
-    - run_timed_command "retry yarn install --frozen-lockfile"
+    - *yarn-install
   script:
     - run_timed_command "yarn node scripts/frontend/merge_coverage_frontend.js"
   coverage: '/^Statements\s*:\s*?(\d+(?:\.\d+)?)%/'
@@ -243,9 +241,8 @@ coverage-frontend:
   stage: test
   dependencies: []
   script:
-    - source scripts/utils.sh
-    - run_timed_command "yarn install --frozen-lockfile"
-    - run_timed_command "yarn run webpack-prod"
+    - *yarn-install
+    - run_timed_command "retry yarn run webpack-prod"
 
 qa-frontend-node:10:
   extends: .qa-frontend-node
@@ -268,8 +265,7 @@ webpack-dev-server:
     WEBPACK_MEMORY_TEST: "true"
     WEBPACK_VENDOR_DLL: "true"
   script:
-    - source scripts/utils.sh
-    - run_timed_command "retry yarn install --frozen-lockfile"
+    - *yarn-install
     - run_timed_command "retry yarn webpack-vendor"
     - run_timed_command "node --expose-gc node_modules/.bin/webpack-dev-server --config config/webpack.config.js"
   artifacts:
diff --git a/.gitlab/ci/global.gitlab-ci.yml b/.gitlab/ci/global.gitlab-ci.yml
index 238059bf972..fea3956bfe8 100644
--- a/.gitlab/ci/global.gitlab-ci.yml
+++ b/.gitlab/ci/global.gitlab-ci.yml
@@ -34,6 +34,13 @@
       - tmp/rubocop_cache/
     policy: pull
 
+.coverage-cache:
+  cache:
+    key: "coverage-cache-v1"
+    paths:
+      - vendor/ruby/
+    policy: pull
+
 .qa-cache:
   cache:
     key: "qa-v1"
@@ -64,7 +71,7 @@
     policy: pull
 
 .use-pg11:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.6-golang-1.14-git-2.28-lfs-2.9-chrome-84-node-12.x-yarn-1.21-postgresql-11-graphicsmagick-1.3.34"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.6-golang-1.14-git-2.28-lfs-2.9-chrome-85-node-12.18-yarn-1.22-postgresql-11-graphicsmagick-1.3.34"
   services:
     - name: postgres:11.6
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -73,7 +80,7 @@
     POSTGRES_HOST_AUTH_METHOD: trust
 
 .use-pg12:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.6-golang-1.14-git-2.28-lfs-2.9-chrome-84-node-12.x-yarn-1.21-postgresql-12-graphicsmagick-1.3.34"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.6-golang-1.14-git-2.28-lfs-2.9-chrome-85-node-12.18-yarn-1.22-postgresql-12-graphicsmagick-1.3.34"
   services:
     - name: postgres:12
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -82,22 +89,24 @@
     POSTGRES_HOST_AUTH_METHOD: trust
 
 .use-pg11-ee:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.6-golang-1.14-git-2.28-lfs-2.9-chrome-84-node-12.x-yarn-1.21-postgresql-11-graphicsmagick-1.3.34"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.6-golang-1.14-git-2.28-lfs-2.9-chrome-85-node-12.18-yarn-1.22-postgresql-11-graphicsmagick-1.3.34"
   services:
     - name: postgres:11.6
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
     - name: redis:4.0-alpine
-    - name: elasticsearch:6.4.2
+    - name: elasticsearch:7.9.2
+      command: ["elasticsearch", "-E", "discovery.type=single-node"]
   variables:
     POSTGRES_HOST_AUTH_METHOD: trust
 
 .use-pg12-ee:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.6-golang-1.14-git-2.28-lfs-2.9-chrome-84-node-12.x-yarn-1.21-postgresql-12-graphicsmagick-1.3.34"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.6-golang-1.14-git-2.28-lfs-2.9-chrome-85-node-12.18-yarn-1.22-postgresql-12-graphicsmagick-1.3.34"
   services:
     - name: postgres:12
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
     - name: redis:4.0-alpine
-    - name: elasticsearch:6.4.2
+    - name: elasticsearch:7.9.2
+      command: ["elasticsearch", "-E", "discovery.type=single-node"]
   variables:
     POSTGRES_HOST_AUTH_METHOD: trust
 
diff --git a/.gitlab/ci/notify.gitlab-ci.yml b/.gitlab/ci/notify.gitlab-ci.yml
index 6dcf19da942..e18a092bb8f 100644
--- a/.gitlab/ci/notify.gitlab-ci.yml
+++ b/.gitlab/ci/notify.gitlab-ci.yml
@@ -3,6 +3,8 @@
   stage: notify
   dependencies: []
   cache: {}
+  variables:
+    MERGE_REQUEST_URL: ${CI_MERGE_REQUEST_PROJECT_URL}/-/merge_requests/${CI_MERGE_REQUEST_IID}
   before_script:
     - apk update && apk add git curl bash
 
@@ -16,8 +18,19 @@ notify-update-gitaly:
   variables:
     NOTIFY_CHANNEL: g_create_gitaly
     GITALY_UPDATE_BRANCH: release-tools/update-gitaly
-    MERGE_REQUEST_URL: ${CI_MERGE_REQUEST_PROJECT_URL}/-/merge_requests/${CI_MERGE_REQUEST_IID}
   script:
     - echo "NOTIFY_CHANNEL is ${NOTIFY_CHANNEL}"
     - echo "CI_PIPELINE_URL is ${CI_PIPELINE_URL}"
-    - scripts/slack ${NOTIFY_CHANNEL} "☠️ \`${GITALY_UPDATE_BRANCH}\` failed! ☠️ See ${CI_PIPELINE_URL} (triggered from ${MERGE_REQUEST_URL})" ci_failing
+    - scripts/slack ${NOTIFY_CHANNEL} "☠️ \`${GITALY_UPDATE_BRANCH}\` failed! ☠️ See ${CI_PIPELINE_URL} (triggered from ${MERGE_REQUEST_URL})" ci_failing "GitLab QA Bot"
+
+notify-security-pipeline:
+  extends:
+    - .notify-slack
+    - .delivery:rules:security-pipeline-merge-result-failure
+  variables:
+    NOTIFY_CHANNEL: f_upcoming_release
+  script:
+    - echo "NOTIFY_CHANNEL is ${NOTIFY_CHANNEL}"
+    - echo "CI_PIPELINE_URL is ${CI_PIPELINE_URL}"
+    # <!subteam^S0127FU8PDE> mentions the `@release-managers` group
+    - scripts/slack ${NOTIFY_CHANNEL} "<!subteam^S0127FU8PDE> ☠️  Pipeline for merged result failed! ☠️ See ${CI_PIPELINE_URL} (triggered from ${MERGE_REQUEST_URL})" ci_failing "GitLab Release Tools Bot"
diff --git a/.gitlab/ci/rails.gitlab-ci.yml b/.gitlab/ci/rails.gitlab-ci.yml
index 165476678bb..c4167ce7bcb 100644
--- a/.gitlab/ci/rails.gitlab-ci.yml
+++ b/.gitlab/ci/rails.gitlab-ci.yml
@@ -6,14 +6,23 @@
     - .default-before_script
     - .rails-cache
 
+.base-script: &base-script
+  # Only install knapsack after bundle install! Otherwise oddly some native
+  # gems could not be found under some circumstance. No idea why, hours wasted.
+  - run_timed_command "gem install knapsack --no-document"
+  - run_timed_command "scripts/gitaly-test-build"
+  - run_timed_command "scripts/gitaly-test-spawn"
+  - source ./scripts/rspec_helpers.sh
+
 .rspec-base:
   extends: .rails-job-base
   stage: test
+  variables:
+    RUBY_GC_MALLOC_LIMIT: 67108864
+    RUBY_GC_MALLOC_LIMIT_MAX: 134217728
   needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets"]
   script:
-    - run_timed_command "scripts/gitaly-test-build"
-    - run_timed_command "scripts/gitaly-test-spawn"
-    - source scripts/rspec_helpers.sh
+    - *base-script
     - rspec_paralellized_job "--tag ~quarantine --tag ~geo --tag ~level:migration"
   artifacts:
     expire_in: 31d
@@ -25,6 +34,7 @@
       - rspec_profiling/
       - tmp/capybara/
       - tmp/memory_test/
+      - tmp/feature_flags/
       - log/*.log
     reports:
       junit: junit_rspec.xml
@@ -32,9 +42,7 @@
 .rspec-base-migration:
   extends: .rails:rules:ee-and-foss-migration
   script:
-    - run_timed_command "scripts/gitaly-test-build"
-    - run_timed_command "scripts/gitaly-test-spawn"
-    - source scripts/rspec_helpers.sh
+    - *base-script
     - rspec_paralellized_job "--tag ~quarantine --tag ~geo --tag level:migration"
 
 .rspec-base-pg11:
@@ -67,9 +75,7 @@
 .rspec-ee-base-geo:
   extends: .rspec-base
   script:
-    - run_timed_command "scripts/gitaly-test-build"
-    - run_timed_command "scripts/gitaly-test-spawn"
-    - source scripts/rspec_helpers.sh
+    - *base-script
     - rspec_paralellized_job "--tag ~quarantine --tag geo"
 
 .rspec-ee-base-geo-pg11:
@@ -160,6 +166,25 @@ update-rails-cache:
   cache:
     policy: push  # We want to rebuild the cache from scratch to ensure stale dependencies are cleaned up.
 
+.coverage-base:
+  extends:
+    - .default-retry
+    - .default-before_script
+    - .coverage-cache
+  variables:
+    SETUP_DB: "false"
+    USE_BUNDLE_INSTALL: "false"
+
+update-coverage-cache:
+  extends:
+    - .coverage-base
+    - .shared:rules:update-cache
+  stage: prepare
+  script:
+    - run_timed_command "bundle install --jobs=$(nproc) --path=vendor --retry=3 --quiet --without default development test production puma unicorn kerberos metrics omnibus ed25519"
+  cache:
+    policy: push  # We want to rebuild the cache from scratch to ensure stale dependencies are cleaned up.
+
 .static-analysis-base:
   extends:
     - .default-retry
@@ -178,7 +203,7 @@ update-static-analysis-cache:
   script:
     - rm -rf ./node_modules  # We remove node_modules because there's no mechanism to remove stall entries.
     - run_timed_command "retry yarn install --frozen-lockfile"
-    - bundle exec rubocop --parallel  # For the moment we only cache `vendor/ruby/`, `node_modules/`, and `tmp/rubocop_cache` so we don't need to run all the tasks,
+    - run_timed_command "bundle exec rubocop --parallel"  # For the moment we only cache `vendor/ruby/`, `node_modules/`, and `tmp/rubocop_cache` so we don't need to run all the tasks,
   cache:
     # We want to rebuild the cache from scratch to ensure stale dependencies are cleaned up but RuboCop has a mechanism
     # for keeping only the N latest cache files, so we take advantage of it with `pull-push` and removing `node_modules` at the start of the job.
@@ -287,8 +312,7 @@ gitlab:setup:
     # db/fixtures/development/04_project.rb thanks to SIZE=1 below
     - git clone https://gitlab.com/gitlab-org/gitlab-test.git
        /home/git/repositories/gitlab-org/gitlab-test.git
-    - run_timed_command "scripts/gitaly-test-build"
-    - run_timed_command "scripts/gitaly-test-spawn"
+    - *base-script
     - force=yes SIZE=1 FIXTURE_PATH="db/fixtures/development" bundle exec rake gitlab:setup
   artifacts:
     when: on_failure
@@ -313,7 +337,7 @@ db:backup_and_restore:
 
 rspec:coverage:
   extends:
-    - .rails-job-base
+    - .coverage-base
     - .rails:rules:rspec-coverage
   stage: post-test
   # We cannot use needs since it would mean needing 84 jobs (since most are parallelized)
@@ -333,11 +357,10 @@ rspec:coverage:
     - rspec-ee system pg11 geo
     - memory-static
     - memory-on-boot
-  variables:
-    SETUP_DB: "false"
   script:
-    - bundle exec scripts/merge-simplecov
-    - bundle exec scripts/gather-test-memory-data
+    - run_timed_command "bundle install --jobs=$(nproc) --path=vendor --retry=3 --quiet --without default development test production puma unicorn kerberos metrics omnibus ed25519"
+    - run_timed_command "bundle exec scripts/merge-simplecov"
+    - run_timed_command "bundle exec scripts/gather-test-memory-data"
   coverage: '/LOC \((\d+\.\d+%)\) covered.$/'
   artifacts:
     name: coverage
@@ -348,6 +371,32 @@ rspec:coverage:
       - tmp/memory_test/
     reports:
       cobertura: coverage/coverage.xml
+
+rspec:feature-flags:
+  extends:
+    - .coverage-base
+    - .rails:rules:rspec-feature-flags
+  stage: post-test
+  # We cannot use needs since it would mean needing 84 jobs (since most are parallelized)
+  # so we use `dependencies` here.
+  dependencies:
+    - setup-test-env
+    - rspec migration pg11
+    - rspec unit pg11
+    - rspec integration pg11
+    - rspec system pg11
+    - rspec-ee migration pg11
+    - rspec-ee unit pg11
+    - rspec-ee integration pg11
+    - rspec-ee system pg11
+    - rspec-ee unit pg11 geo
+    - rspec-ee integration pg11 geo
+    - rspec-ee system pg11 geo
+    - memory-static
+    - memory-on-boot
+  script:
+    - run_timed_command "bundle install --jobs=$(nproc) --path=vendor --retry=3 --quiet --without default development test production puma unicorn kerberos metrics omnibus ed25519"
+    - run_timed_command "bundle exec scripts/used-feature-flags"
 # EE/FOSS: default refs (MRs, master, schedules) jobs #
 #######################################################
 
@@ -512,9 +561,7 @@ rspec fail-fast:
   stage: test
   needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets", "detect-tests"]
   script:
-    - run_timed_command "scripts/gitaly-test-build"
-    - run_timed_command "scripts/gitaly-test-spawn"
-    - source scripts/rspec_helpers.sh
+    - *base-script
     - rspec_fail_fast tmp/matching_tests.txt "--tag ~quarantine"
   artifacts:
     expire_in: 7d
@@ -527,9 +574,7 @@ rspec foss-impact:
     - .rails:rules:rspec-foss-impact
   needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets as-if-foss", "detect-tests as-if-foss"]
   script:
-    - run_timed_command "scripts/gitaly-test-build"
-    - run_timed_command "scripts/gitaly-test-spawn"
-    - source scripts/rspec_helpers.sh
+    - *base-script
     - rspec_matched_foss_tests tmp/matching_foss_tests.txt "--tag ~quarantine"
   artifacts:
     expire_in: 7d
diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index 0e2f12789db..168f60f0f65 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -151,3 +151,20 @@ dependency_scanning:
     reports:
       dependency_scanning: gl-dependency-scanning-report.json
     expire_in: 1 week  # GitLab-specific
+
+license_scanning:
+  extends:
+    - .default-retry
+    - .reports:rules:license_scanning
+  stage: test
+  image:
+    name: "registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3"
+    entrypoint: [""]
+  needs: []
+  script:
+    - /run.sh analyze .
+  artifacts:
+    reports:
+      license_scanning: gl-license-scanning-report.json
+    expire_in: 1 week  # GitLab-specific
+  dependencies: []
diff --git a/.gitlab/ci/review.gitlab-ci.yml b/.gitlab/ci/review.gitlab-ci.yml
index d34687cfdad..46a1a957692 100644
--- a/.gitlab/ci/review.gitlab-ci.yml
+++ b/.gitlab/ci/review.gitlab-ci.yml
@@ -16,6 +16,11 @@ review-cleanup:
     - ruby -rrubygems scripts/review_apps/automated_cleanup.rb
     - gcp_cleanup
 
+.base-before_script: &base-before_script
+  - source ./scripts/utils.sh
+  - source ./scripts/review_apps/review-apps.sh
+  - install_api_client_dependencies_with_apk
+
 review-build-cng:
   extends:
     - .default-retry
@@ -23,7 +28,7 @@ review-build-cng:
   image: ruby:2.6-alpine
   stage: review-prepare
   before_script:
-    - source scripts/utils.sh
+    - source ./scripts/utils.sh
     - install_api_client_dependencies_with_apk
     - install_gitlab_gem
   needs:
@@ -62,9 +67,7 @@ review-deploy:
     - export GITALY_VERSION=$(<GITALY_SERVER_VERSION)
     - export GITLAB_WORKHORSE_VERSION=$(<GITLAB_WORKHORSE_VERSION)
     - echo "${CI_ENVIRONMENT_URL}" > environment_url.txt
-    - source ./scripts/utils.sh
-    - install_api_client_dependencies_with_apk
-    - source scripts/review_apps/review-apps.sh
+    - *base-before_script
   script:
     - check_kube_domain
     - ensure_namespace
@@ -72,7 +75,7 @@ review-deploy:
     - download_chart
     - date
     - deploy || (display_deployment_debug && exit 1)
-    - disable_sign_ups
+    - disable_sign_ups || (delete_release && exit 1)
     # When the job is manual, review-qa-smoke is also manual and we don't want people
     # to have to manually start the jobs in sequence, so we do it for them.
     - '[ -z $CI_JOB_MANUAL ] || play_job "review-qa-smoke"'
@@ -81,10 +84,9 @@ review-deploy:
     # Run seed-dast-test-data.sh only when DAST_RUN is set to true. This is to pupulate review app with data for DAST scan.
     # Set DAST_RUN to true when jobs are manually scheduled.
     - if [ "$DAST_RUN" == "true" ]; then source scripts/review_apps/seed-dast-test-data.sh; TRACE=1 trigger_proj_user_creation; fi
-
   artifacts:
     paths: [environment_url.txt]
-    expire_in: 2 days
+    expire_in: 7 days
     when: always
 
 .review-stop-base:
@@ -98,9 +100,7 @@ review-deploy:
     # See https://gitlab.com/gitlab-org/gitlab/issues/191273
     GIT_DEPTH: 1
   before_script:
-    - apk add --update openssl
-    - source ./scripts/utils.sh
-    - source ./scripts/review_apps/review-apps.sh
+    - *base-before_script
 
 review-stop-failed-deployment:
   extends:
@@ -143,8 +143,7 @@ review-stop:
     - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)"
     - echo "${CI_ENVIRONMENT_URL}"
     - echo "${QA_IMAGE}"
-    - source scripts/utils.sh
-    - install_api_client_dependencies_with_apk
+    - *base-before_script
     - gem install gitlab-qa --no-document ${GITLAB_QA_VERSION:+ --version ${GITLAB_QA_VERSION}}
   artifacts:
     paths:
@@ -174,7 +173,7 @@ review-performance:
     - .default-retry
     - .review:rules:review-performance
   image:
-    name: sitespeedio/sitespeed.io:6.3.1
+    name: sitespeedio/sitespeed.io
     entrypoint: [""]
   stage: qa
   # This is needed so that manual jobs with needs don't block the pipeline.
@@ -232,6 +231,6 @@ danger-review:
   stage: test
   needs: []
   script:
-    - source scripts/utils.sh
-    - retry yarn install --frozen-lockfile
+    - source ./scripts/utils.sh
+    - run_timed_command "retry yarn install --frozen-lockfile"
     - danger --fail-on-errors=true --verbose
diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml
index a8e0e1ccaaa..57d4a2a4cb7 100644
--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -73,6 +73,12 @@
 .if-rspec-fail-fast-skipped: &if-rspec-fail-fast-skipped
   if: '$CI_MERGE_REQUEST_TITLE =~ /SKIP RSPEC FAIL-FAST/'
 
+# For Security merge requests, the gitlab-release-tools-bot triggers a new
+# pipeline for the "Pipelines for merged results" feature. If the pipeline
+# fails, we notify release managers.
+.if-security-pipeline-merge-result: &if-security-pipeline-merge-result
+  if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH && $CI_PROJECT_NAMESPACE == "gitlab-org/security" && $GITLAB_USER_LOGIN == "gitlab-release-tools-bot"'
+
 ####################
 # Changes patterns #
 ####################
@@ -132,7 +138,10 @@
 
 .db-patterns: &db-patterns
   - "{,ee/}{,spec/}{db,migrations}/**/*"
+  - "{,ee/}{,spec/}lib/{,ee/}gitlab/database/**/*"
+  - "{,ee/}{,spec/}lib/{,ee/}gitlab/database{,_spec}.rb"
   - "{,ee/}{,spec/}lib/{,ee/}gitlab/background_migration/**/*"
+  - "{,ee/}{,spec/}lib/{,ee/}gitlab/background_migration{,_spec}.rb"
   - "config/prometheus/common_metrics.yml" # Used by Gitlab::DatabaseImporters::CommonMetrics::Importer
   - "{,ee/}app/models/project_statistics.rb" # Used to calculate sizes in migration specs
 
@@ -282,6 +291,14 @@
       when: manual
       allow_failure: true
 
+##################
+# Delivery rules #
+##################
+.delivery:rules:security-pipeline-merge-result-failure:
+  rules:
+    - <<: *if-security-pipeline-merge-result
+      when: on_failure
+
 ######################
 # Dev fixtures rules #
 ######################
@@ -336,6 +353,7 @@
 .frontend:rules:compile-test-assets:
   rules:
     - changes: *code-backstage-qa-patterns
+    - <<: *if-merge-request-title-run-all-rspec
 
 .frontend:rules:compile-test-assets-as-if-foss:
   rules:
@@ -483,6 +501,7 @@
   rules:
     - <<: *if-default-refs
       changes: *code-backstage-qa-patterns
+    - <<: *if-merge-request-title-run-all-rspec
 
 .rails:rules:ee-only-migration:
   rules:
@@ -628,6 +647,13 @@
     - <<: *if-master-schedule-2-hourly
     - <<: *if-merge-request-title-run-all-rspec
 
+.rails:rules:rspec-feature-flags:
+  rules:
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-master-schedule-2-hourly
+    - <<: *if-merge-request-title-run-all-rspec
+
 .rails:rules:master-schedule-nightly--code-backstage:
   rules:
     - <<: *if-master-schedule-nightly
@@ -702,6 +728,14 @@
     - <<: *if-master-schedule-nightly
       allow_failure: true
 
+.reports:rules:license_scanning:
+  rules:
+    - if: '$LICENSE_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\blicense_scanning\b/'
+      when: never
+    - <<: *if-default-refs
+      changes: *code-backstage-qa-patterns
+      allow_failure: true
+
 ################
 # Review rules #
 ################
@@ -859,6 +893,7 @@
     - <<: *if-default-refs
       changes: *code-backstage-patterns
       when: on_success
+    - <<: *if-merge-request-title-run-all-rspec
 
 .test-metadata:rules:update-tests-metadata:
   rules:
diff --git a/.gitlab/ci/test-metadata.gitlab-ci.yml b/.gitlab/ci/test-metadata.gitlab-ci.yml
index 1764e9136a1..2d83531e1db 100644
--- a/.gitlab/ci/test-metadata.gitlab-ci.yml
+++ b/.gitlab/ci/test-metadata.gitlab-ci.yml
@@ -38,6 +38,6 @@ update-tests-metadata:
     - rspec-ee integration pg11 geo
     - rspec-ee system pg11 geo
   script:
-    - retry gem install fog-aws mime-types activesupport rspec_profiling postgres-copy --no-document
-    - source scripts/rspec_helpers.sh
+    - run_timed_command "retry gem install fog-aws mime-types activesupport rspec_profiling postgres-copy --no-document"
+    - source ./scripts/rspec_helpers.sh
     - update_tests_metadata
diff --git a/.gitlab/issue_templates/Feature Flag Roll Out.md b/.gitlab/issue_templates/Feature Flag Roll Out.md
index 69053b396a4..788b610a982 100644
--- a/.gitlab/issue_templates/Feature Flag Roll Out.md
+++ b/.gitlab/issue_templates/Feature Flag Roll Out.md
@@ -30,14 +30,14 @@ If applicable, any groups/projects that are happy to have this feature turned on
 
 ## Roll Out Steps
 
-- [ ] Enable on staging
+- [ ] Enable on staging (`/chatops run feature set feature_name true --staging`)
 - [ ] Test on staging
 - [ ] Ensure that documentation has been updated
-- [ ] Enable on GitLab.com for individual groups/projects listed above and verify behaviour
+- [ ] Enable on GitLab.com for individual groups/projects listed above and verify behaviour  (`/chatops run feature set --project=gitlab-org/gitlab feature_name true`)
 - [ ] Coordinate a time to enable the flag with `#production` and `#g_delivery` on slack.
 - [ ] Announce on the issue an estimated time this will be enabled on GitLab.com
-- [ ] Enable on GitLab.com by running chatops command in `#production`
-- [ ] Cross post chatops slack command to `#support_gitlab-com` ([more guidance when this is necessary in the dev docs](https://docs.gitlab.com/ee/development/feature_flags/controls.html#where-to-run-commands)) and in your team channel
+- [ ] Enable on GitLab.com by running chatops command in `#production` (`/chatops run feature set feature_name true`)
+- [ ] Cross post chatops Slack command to `#support_gitlab-com` ([more guidance when this is necessary in the dev docs](https://docs.gitlab.com/ee/development/feature_flags/controls.html#where-to-run-commands)) and in your team channel
 - [ ] Announce on the issue that the flag has been enabled
 - [ ] Remove feature flag and add changelog entry
 - [ ] After the flag removal is deployed, [clean up the feature flag](https://docs.gitlab.com/ee/development/feature_flags/controls.html#cleaning-up) by running chatops command in `#production` channel
diff --git a/.gitlab/issue_templates/Feature proposal.md b/.gitlab/issue_templates/Feature proposal.md
index 0f19b7c75f5..c80305312c3 100644
--- a/.gitlab/issue_templates/Feature proposal.md
+++ b/.gitlab/issue_templates/Feature proposal.md
@@ -1,6 +1,6 @@
 <!-- The first section "Release notes" is required if you want to have your release post blog MR auto generated. Currently in BETA, details on the **release post item generator** can be found in the handbook:  https://about.gitlab.com/handbook/marketing/blog/release-posts/#release-post-item-generator and this video: https://www.youtube.com/watch?v=rfn9ebgTwKg. The next four sections: "Problem to solve", "Intended users", "User experience goal", and "Proposal", are strongly recommended in your first draft, while the rest of the sections can be filled out during the problem validation or breakdown phase. However, keep in mind that providing complete and relevant information early helps our product team validate the problem and start working on a solution. -->
 
-### Release notes 
+### Release notes
 
 <!-- What is the problem and solution you're proposing? This content sets the overall vision for the feature and serves as the release notes that will populate in various places, including the [release post blog](https://about.gitlab.com/releases/categories/releases/) and [Gitlab project releases](https://gitlab.com/gitlab-org/gitlab/-/releases). " -->
 
@@ -22,19 +22,19 @@ Personas are described at https://about.gitlab.com/handbook/marketing/product-ma
 * [Devon (DevOps Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#devon-devops-engineer)
 * [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)
 * [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)
-* [Rachel (Release Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#rachel-release-manager) 
+* [Rachel (Release Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#rachel-release-manager)
 * [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#alex-security-operations-engineer)
 * [Simone (Software Engineer in Test)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#simone-software-engineer-in-test)
-* [Allison (Application Ops)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#allison-application-ops) 
+* [Allison (Application Ops)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#allison-application-ops)
 * [Priyanka (Platform Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#priyanka-platform-engineer)
 * [Dana (Data Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#dana-data-analyst)
 -->
 
 ### User experience goal
 
-<!-- What is the single user experience workflow this problem addresses? 
+<!-- What is the single user experience workflow this problem addresses?
 For example, "The user should be able to use the UI/API/.gitlab-ci.yml with GitLab to <perform a specific task>"
-https://about.gitlab.com/handbook/engineering/ux/ux-research-training/user-story-mapping/ --> 
+https://about.gitlab.com/handbook/engineering/ux/ux-research-training/user-story-mapping/ -->
 
 
 ### Proposal
@@ -52,7 +52,7 @@ Consider adding checkboxes and expectations of users with certain levels of memb
 * [ ] Add expected impact to members with no access (0)
 * [ ] Add expected impact to Guest (10) members
 * [ ] Add expected impact to Reporter (20) members
-* [ ] Add expected impact to Developer (30) members 
+* [ ] Add expected impact to Developer (30) members
 * [ ] Add expected impact to Maintainer (40) members
 * [ ] Add expected impact to Owner (50) members -->
 
@@ -78,7 +78,11 @@ See the test engineering planning process and reach out to your counterpart Soft
 
 ### What does success look like, and how can we measure that?
 
-<!-- Define both the success metrics and acceptance criteria. Note that success metrics indicate the desired business outcomes, while acceptance criteria indicate when the solution is working correctly. If there is no way to measure success, link to an issue that will implement a way to measure this. -->
+<!--
+Define both the success metrics and acceptance criteria. Note that success metrics indicate the desired business outcomes, while acceptance criteria indicate when the solution is working correctly. If there is no way to measure success, link to an issue that will implement a way to measure this.
+
+Create tracking issue using the the Snowplow event tracking template. See https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/issue_templates/Snowplow%20event%20tracking.md
+-->
 
 ### What is the type of buyer?
 
diff --git a/.gitlab/issue_templates/Implementation.md b/.gitlab/issue_templates/Implementation.md
new file mode 100644
index 00000000000..dc5eb18a25e
--- /dev/null
+++ b/.gitlab/issue_templates/Implementation.md
@@ -0,0 +1,62 @@
+<!--
+Implementation issues are used break-up a large piece of work into small, discrete tasks that can
+move independently through the build workflow steps. They're typically used to populate a Feature
+Epic. Once created, an implementation issue is usually refined in order to populate and review the
+implementation plan and weight.
+Example workflow: https://about.gitlab.com/handbook/engineering/development/threat-management/planning/diagram.html#plan
+-->
+
+## Why are we doing this work
+<!--
+A brief explanation of the why, not the what or how. Assume the reader doesn't know the
+background and won't have time to dig-up information from comment threads.
+-->
+
+
+## Relevant links
+<!--
+Information that the developer might need to refer to when implementing the issue.
+
+- [Design Issue](https://gitlab.com/gitlab-org/gitlab/-/issues/<id>)
+  - [Design 1](https://gitlab.com/gitlab-org/gitlab/-/issues/<id>/designs/<image>.png)
+  - [Design 2](https://gitlab.com/gitlab-org/gitlab/-/issues/<id>/designs/<image>.png)
+- [Similar implementation](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/<id>)
+-->
+
+
+## Non-functional requirements
+<!--
+Add details for required items and delete others.
+-->
+
+- [ ] Documentation:
+- [ ] Feature flag:
+- [ ] Performance:
+- [ ] Testing:
+
+
+## Implementation plan
+<!--
+Steps and the parts of the code that will need to get updated. The plan can also
+call-out responsibilities for other team members or teams.
+-->
+
+- [ ] ~frontend Step 1
+  - [ ] @person Step 1a
+- [ ] ~frontend Step 2
+
+
+<!--
+Workflow and other relevant labels
+
+~"group::" ~"Category:" ~"GitLab Ultimate"
+-->
+/label ~"workflow::refinement"
+
+<!--
+Other settings you might want to include when creating the issue.
+
+/milestone %"Next 1-3 releases"
+/assign @
+/epic &
+-->
diff --git a/.gitlab/issue_templates/Migrations.md b/.gitlab/issue_templates/Migrations.md
index 38fc7a31b24..822722a0f71 100644
--- a/.gitlab/issue_templates/Migrations.md
+++ b/.gitlab/issue_templates/Migrations.md
@@ -16,7 +16,7 @@ Please add information here about why you're planning on migrating. Include any
 <!-- Please complete as many items in this list as possible. If you're not sure yet, add "TBD" (To be Decided) or "Unknown" -->
 
  * **Timeline.** - 
- * **Product.** - GitLab Gold/Ultimate or Commnunity Edition
+ * **Product.** - GitLab Gold/Ultimate or Community Edition
  * **Project's License.** What kind of OSI-approved license does your project use? 
 
 ## Current Tooling and Replacements
@@ -64,4 +64,4 @@ Here is an example of what this list might look like once populated: https://git
 ------
 
 /label ~"Open Source" ~movingtogitlab
-/cc @nuritzi 
\ No newline at end of file
+/cc @nuritzi 
diff --git a/.gitlab/issue_templates/Security Release Tracking Issue.md b/.gitlab/issue_templates/Security Release Tracking Issue.md
index d2de7462ecb..fce68d61204 100644
--- a/.gitlab/issue_templates/Security Release Tracking Issue.md
+++ b/.gitlab/issue_templates/Security Release Tracking Issue.md
@@ -31,7 +31,7 @@ Your Security Implementation Issue should have `4` merge requests associated:
 
 ## Blog post
 
-Dev: {https://dev.gitlab.org/gitlab/www-gitlab-com/merge_requests/ link}<br/>
+Security: {https://gitlab.com/gitlab-org/security/www-gitlab-com/merge_requests/ link}<br/>
 GitLab.com: {https://gitlab.com/gitlab-com/www-gitlab-com/merge_requests/ link}
 
 ## Email notification
diff --git a/.gitlab/issue_templates/Snowplow event tracking.md b/.gitlab/issue_templates/Snowplow event tracking.md
new file mode 100644
index 00000000000..47b97f377c2
--- /dev/null
+++ b/.gitlab/issue_templates/Snowplow event tracking.md
@@ -0,0 +1,42 @@
+<!--
+* Use this issue template for creating requests to track snowplow events
+* Snowplow events can be both Frontend (javascript) or Backend (Ruby)
+* Snowplow is currently not used for self-hosted instances of GitLab - Self-hosted still rely on usage ping for product analytics - Snowplow is used for GitLab SaaS
+* You do not need to create an issue to track generic front-end events, such as All page views, sessions, link clicks, some button clicks, etc.
+* What you should capture are specific events with defined business logic. For example, when a user creates an incident by escalating an existing alert, or when a user creates and pushes up a new Node package to the NPM registry.
+* For more details read https://about.gitlab.com/handbook/business-ops/data-team/programs/data-for-product-managers/
+ -->
+
+<!--
+We generally recommend events be tracked using a [structured event](https://docs.snowplowanalytics.com/docs/understanding-tracking-design/out-of-the-box-vs-custom-events-and-entities/#structured-events) which has 5 properties you can use. There may be instances where structured events are not sufficient. You may want to track an event where the property changes frequently or is general something very unique. In those cases, use a [self-describing event](https://docs.snowplowanalytics.com/docs/understanding-tracking-design/out-of-the-box-vs-custom-events-and-entities/#self-describing-events)
+
+-->
+
+## Structured Snowplow events to track
+
+* Category: The page or backend area of the application. Unless infeasible, please use the Rails page attribute by default in the frontend, and namespace + classname on the backend. If you're not sure what it is, work with your engineering manager to figure it out.
+* Action: A string that is used to define the user action. The first word should always describe the action or aspect: clicks should be `click`, activations should be `activate`, creations should be `create`, etc. Use underscores to describe what was acted on; for example, activating a form field would be `activate_form_input`. An interface action like clicking on a dropdown would be `click_dropdown`, while a behavior like creating a project record from the backend would be `create_project`
+* Label: Optional. The specific element, or object that's being acted on. This is either the label of the element (e.g. a tab labeled 'Create from template' may be `create_from_template`) or a unique identifier if no text is available (e.g. closing the Groups dropdown in the top navbar might be `groups_dropdown_close`), or it could be the name or title attribute of a record being created.
+* Property: Optional. Any additional property of the element, or object being acted on.
+* Value: Optional, numeric. Describes a numeric value or something directly related to the event. This could be the value of an input (e.g. `10` when clicking `internal` visibility)
+
+| Category | Action | Label | Property | Feature Issue | Additional Information |
+| ------ | ------ | ------ | ------ | ------ | ------ |
+| cell | cell | cell | cell | cell | cell |
+| cell | cell | cell | cell | cell | cell |
+
+<!--
+  Snowplow event tracking starts with instrumentation and completed after a chart is created in Sisense.
+
+  Use this checklist to ensure all steps are completed
+-->
+
+## Snowplow event tracking checklist
+* [ ] Engineering complete work and deploy changes to GitLab SaaS
+* [ ] Verify the new Snowplow events are listed in the [Snowplow Event Exploration](https://app.periscopedata.com/app/gitlab/539181/Snowplow-Event-Exploration---last-30-days) dashboard
+* [ ] Create chart(s) to track your event(s) in the relevant dashboard
+  * [ ] Use the [Chart Snowplow Actions](https://app.periscopedata.com/app/gitlab/snippet/Chart-Snowplow-Actions/5546da87ae2c4a3fbc98415c88b3eedd/edit) SQL snippet to quickly visualize usage. See [example](https://app.periscopedata.com/app/gitlab/737489/Health-Group-Dashboard?widget=9797112&udv=0)
+
+<!--  Label reminders - you should have one of each of the following labels if you can figure out the correct ones -->
+/label ~devops:: ~group: ~Category:
+/label ~"snowplow tracking events"
diff --git a/.gitlab/issue_templates/actionable_insight.md b/.gitlab/issue_templates/actionable_insight.md
index 7c65388eff4..68b2b153831 100644
--- a/.gitlab/issue_templates/actionable_insight.md
+++ b/.gitlab/issue_templates/actionable_insight.md
@@ -1,5 +1,5 @@
 ## Actionable Insights
-Actionable insights always have a follow-up action that needs to take place as a result of the research observation or data, and a clear recommendation or action associated with it. An actionable insight both defines the insight and clearly calls out the next step. These insights are tracked over time.
+Actionable insights always have a follow-up action that needs to take place as a result of the research observation or data, and a clear recommendation or action associated with it. An actionable insight both defines the insight and clearly calls out the next step. These insights are tracked over time and at the group level.
 
 #### Link
 
@@ -10,6 +10,10 @@ Actionable insights always have a follow-up action that needs to take place as a
 
 - [ ] Assign this issue to the appropriate Product Manager, Product Designer, or UX Researcher
 
+#### Group label
+
+- [ ] Add the appropriate `Group` (such as `~"group::source code"`) label to the issue.  This is done to identify and track actionable insights at the group level.
+
 #### Description
 
 - [ ] Provide some brief details on the actionable insight and the action to take
diff --git a/.gitlab/merge_request_templates/Change Documentation Location.md b/.gitlab/merge_request_templates/Change Documentation Location.md
index f18957fdaaa..1197c6adc40 100644
--- a/.gitlab/merge_request_templates/Change Documentation Location.md
+++ b/.gitlab/merge_request_templates/Change Documentation Location.md
@@ -15,18 +15,16 @@ Closes
 ## Moving docs to a new location?
 
 Read the guidelines:
-https://docs.gitlab.com/ee/development/documentation/index.html#changing-document-location
+https://docs.gitlab.com/ee/development/documentation/index.html#move-or-rename-a-page
 
 - [ ] Make sure the old link is not removed and has its contents replaced with
       a link to the new location.
 - [ ] Make sure internal links pointing to the document in question are not broken.
 - [ ] Search and replace any links referring to old docs in GitLab Rails app,
-      specifically under the `app/views/` and `ee/app/views` (for GitLab EE)  directories.
-- [ ] Make sure to add [`redirect_from`](https://docs.gitlab.com/ce/development/documentation/index.html#redirections-for-pages-with-disqus-comments)
+      specifically under the `app/views/` and `ee/app/views` (for GitLab EE) directories.
+- [ ] Make sure to add [`redirect_from`](https://docs.gitlab.com/ee/development/documentation/index.html#redirections-for-pages-with-disqus-comments)
       to the new document if there are any Disqus comments on the old document thread.
 - [ ] Update the link in `features.yml` (if applicable)
-- [ ] If working on CE and the `ee-compat-check` jobs fails, submit an MR to EE
-      with the changes as well (https://docs.gitlab.com/ce/development/documentation/index.html#cherry-picking-from-ce-to-ee).
-- [ ] Ping one of the technical writers for review.
+- [ ] Assign one of the technical writers for review.
 
 /label ~documentation
diff --git a/.gitlab/merge_request_templates/Documentation.md b/.gitlab/merge_request_templates/Documentation.md
index b17043fd3b9..8713405033b 100644
--- a/.gitlab/merge_request_templates/Documentation.md
+++ b/.gitlab/merge_request_templates/Documentation.md
@@ -48,10 +48,13 @@ All reviewers can help ensure accuracy, clarity, completeness, and adherence to
 - [ ] Technical writer review. If not requested for this MR, must be scheduled post-merge. To request for this MR, assign the writer listed for the applicable [DevOps stage](https://about.gitlab.com/handbook/product/product-categories/#devops-stages).
   - [ ] Ensure docs metadata are present and up-to-date.
   - [ ] Ensure ~"Technical Writing" and ~"documentation" are added.
-  - [ ] Add the corresponding `docs::` scoped label.
+  - [ ] Add the corresponding `docs::` [scoped label](https://gitlab.com/groups/gitlab-org/-/labels?utf8=%E2%9C%93&subscribed=&search=docs%3A%3A).
+  - [ ] If working on UI text, add the corresponding `UI Text` [scoped label](https://gitlab.com/groups/gitlab-org/-/labels?utf8=%E2%9C%93&subscribed=&search=ui+text).
   - [ ] Add ~"tw::doing" when starting work on the MR.
   - [ ] Add ~"tw::finished" if Technical Writing team work on the MR is complete but it remains open.
 
+For more information about labels, see [Technical Writing workflows - Labels](https://about.gitlab.com/handbook/engineering/ux/technical-writing/workflow/#labels).
+
 **3. Maintainer**
 
 1. [ ] Review by assigned maintainer, who can always request/require the above reviews. Maintainer's review can occur before or after a technical writer review.
diff --git a/.gitlab/merge_request_templates/New Static Analysis Check.md b/.gitlab/merge_request_templates/New Static Analysis Check.md
index 8bbb3effb1c..5fd2d31767a 100644
--- a/.gitlab/merge_request_templates/New Static Analysis Check.md
+++ b/.gitlab/merge_request_templates/New Static Analysis Check.md
@@ -22,6 +22,6 @@ Please describe the proposal and add a link to the source (for example, http://w
   - [ ] In the relevant Slack channels (e.g. `#development`, `#backend`, `#frontend`)
   - [ ] (Optional depending on the impact of the change) In the Engineering Week in Review
 
-/label ~"Engineering Productivity" ~"Style decision" ~"development guidelines" ~"static analysis"
+/label ~"Engineering Productivity" ~"development guidelines" ~"static code analysis"
 
 /cc @gitlab-org/maintainers/rails-backend
diff --git a/.gitlab/merge_request_templates/Security Release.md b/.gitlab/merge_request_templates/Security Release.md
index eda16747c13..fccfad18ef0 100644
--- a/.gitlab/merge_request_templates/Security Release.md
+++ b/.gitlab/merge_request_templates/Security Release.md
@@ -21,7 +21,7 @@ See [the general developer security release guidelines](https://gitlab.com/gitla
   - [ ] Assign to a reviewer and maintainer, per our [Code Review process].
   - [ ] Ensure it's approved according to our [Approval Guidelines].
   - [ ] Ensure it's approved by an AppSec engineer.
-    - If you're unsure who should approve, find the AppSec engineer associated to the issue in the [Canonical repository], or ask #sec-appsec on Slack.
+    - Please see the security release [Code reviews and Approvals](https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md#code-reviews-and-approvals) documentation for details on which AppSec team member to ping for approval.
     - Trigger the [`package-and-qa` build]. The docker image generated will be used by the AppSec engineer to validate the security vulnerability has been remediated.
 - [ ] For a backport MR targeting a versioned stable branch (`X-Y-stable-ee`)
   - [ ] Ensure it's approved by a maintainer.