Add latest changes from gitlab-org/gitlab@13-6-stable-eev13.6.0-rc42

19 files changed, 300 insertions, 61 deletions

diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS
index 5187ac01b58..a24fef5e44d 100644
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@@ -207,6 +207,35 @@ Dangerfile @gl-quality/eng-prod
 /ee/lib/gitlab/ci/reports/license_scanning/ @gitlab-org/secure/composition-analysis-be
 /ee/lib/gitlab/ci/reports/security/ @gitlab-org/secure/composition-analysis-be @gitlab-org/secure/dynamic-analysis-be @gitlab-org/secure/static-analysis-be @gitlab-org/secure/fuzzing-be
 
+[Container Security]
+/ee/app/views/projects/threat_monitoring/** @gitlab-org/threat-management/defend/container-security/frontend
+/ee/app/assets/javascripts/pages/projects/threat_monitoring/** @gitlab-org/threat-management/defend/container-security/frontend
+/ee/app/assets/javascripts/threat_monitoring/** @gitlab-org/threat-management/defend/container-security/frontend
+/ee/spec/frontend/threat_monitoring/** @gitlab-org/threat-management/defend/container-security/frontend
+
+/ee/app/controllers/projects/threat_monitoring_controller.rb @gitlab-org/threat-management/defend/container-security/backend
+/ee/spec/controllers/projects/threat_monitoring_controller_spec.rb @gitlab-org/threat-management/defend/container-security/backend
+/lib/gitlab/kubernetes/cilium_network_policy.rb @gitlab-org/threat-management/defend/container-security/backend
+/spec/lib/gitlab/kubernetes/cilium_network_policy_spec.rb @gitlab-org/threat-management/defend/container-security/backend
+/lib/gitlab/kubernetes/network_policy_common.rb @gitlab-org/threat-management/defend/container-security/backend
+/spec/support/shared_examples/lib/gitlab/kubernetes/network_policy_common_shared_examples.rb @gitlab-org/threat-management/defend/container-security/backend
+/lib/gitlab/kubernetes/network_policy.rb @gitlab-org/threat-management/defend/container-security/backend
+/spec/lib/gitlab/kubernetes/network_policy_spec.rb @gitlab-org/threat-management/defend/container-security/backend
+/ee/app/services/network_policies/** @gitlab-org/threat-management/defend/container-security/backend
+/ee/spec/services/network_policies/** @gitlab-org/threat-management/defend/container-security/backend
+/ee/app/controllers/projects/security/waf_anomalies_controller.rb @gitlab-org/threat-management/defend/container-security/backend
+/ee/spec/controllers/projects/security/waf_anomalies_controller_spec.rb @gitlab-org/threat-management/defend/container-security/backend
+/app/models/clusters/applications/cilium.rb @gitlab-org/threat-management/defend/container-security/backend
+/spec/models/clusters/applications/cilium_spec.rb @gitlab-org/threat-management/defend/container-security/backend
+/ee/app/controllers/projects/security/network_policies_controller.rb @gitlab-org/threat-management/defend/container-security/backend
+/ee/spec/controllers/projects/security/network_policies_controller_spec.rb  @gitlab-org/threat-management/defend/container-security/backend
+/ee/app/workers/network_policy_metrics_worker.rb   @gitlab-org/threat-management/defend/container-security/backend
+/ee/spec/workers/network_policy_metrics_worker_spec.rb @gitlab-org/threat-management/defend/container-security/backend
+/ee/app/services/network_policies/** @gitlab-org/threat-management/defend/container-security/backend
+/ee/spec/services/network_policies/** @gitlab-org/threat-management/defend/container-security/backend
+/ee/lib/gitlab/usage_data_counters/network_policy_counter.rb @gitlab-org/threat-management/defend/container-security/backend
+/ee/spec/lib/gitlab/usage_data_counters/network_policy_counter_spec.rb @gitlab-org/threat-management/defend/container-security/backend
+
 [Code Owners]
 /ee/lib/gitlab/code_owners.rb @reprazent @kerrizor @garyh
 /ee/lib/gitlab/code_owners/ @reprazent @kerrizor @garyh
diff --git a/.gitlab/ci/cache-repo.gitlab-ci.yml b/.gitlab/ci/cache-repo.gitlab-ci.yml
index a091785dec3..18e1ca1644d 100644
--- a/.gitlab/ci/cache-repo.gitlab-ci.yml
+++ b/.gitlab/ci/cache-repo.gitlab-ci.yml
@@ -23,14 +23,36 @@ cache-repo:
   stage: sync
   variables:
     GIT_STRATEGY: none
-    TAR_FILENAME: /tmp/gitlab-master.tar
+    SHALLOW_CLONE_TAR_FILENAME: gitlab-master-shallow.tar
+    FULL_CLONE_TAR_FILENAME: gitlab-master.tar
+  before_script:
+    - '[ -z "$CI_REPO_CACHE_CREDENTIALS" ] || gcloud auth activate-service-account --key-file=$CI_REPO_CACHE_CREDENTIALS'
   script:
-    - cd ..
-    - rm -rf $CI_PROJECT_NAME
-    - git clone --progress $CI_REPOSITORY_URL $CI_PROJECT_NAME
-    - cd $CI_PROJECT_NAME
-    - gcloud auth activate-service-account --key-file=$CI_REPO_CACHE_CREDENTIALS
-    - git remote rm origin
-    - tar cf $TAR_FILENAME .
-    - gzip $TAR_FILENAME
-    - gsutil cp $TAR_FILENAME.gz gs://gitlab-ci-git-repo-cache/project-$CI_PROJECT_ID/gitlab-master.tar.gz
+    # Enable shallow repo caching only if the $ENABLE_SHALLOW_REPO_CACHING variable exists
+    - if [ -n "$ENABLE_SHALLOW_REPO_CACHING" ]; then
+        cd .. && rm -rf $CI_PROJECT_NAME;
+        today=$(date +%Y-%m-%d);
+        year=$(date +%Y);
+        last_year=`expr $year - 1`;
+        one_year_ago=$(echo $today | sed "s/$year/$last_year/");
+        echo "Cloning $CI_REPOSITORY_URL into $CI_PROJECT_NAME with commits from $one_year_ago.";
+        time git clone --progress --no-checkout --shallow-since=$one_year_ago $CI_REPOSITORY_URL $CI_PROJECT_NAME;
+        cd $CI_PROJECT_NAME;
+        echo "Archiving $CI_PROJECT_NAME into /tmp/$SHALLOW_CLONE_TAR_FILENAME.";
+        time tar cf /tmp/$SHALLOW_CLONE_TAR_FILENAME .;
+        echo "GZipping /tmp/$SHALLOW_CLONE_TAR_FILENAME.";
+        time gzip /tmp/$SHALLOW_CLONE_TAR_FILENAME;
+        [ -z "$CI_REPO_CACHE_CREDENTIALS" ] || (echo "Uploading /tmp/$SHALLOW_CLONE_TAR_FILENAME.gz to GCloud." && time gsutil cp /tmp/$SHALLOW_CLONE_TAR_FILENAME.gz gs://gitlab-ci-git-repo-cache/project-$CI_PROJECT_ID/$SHALLOW_CLONE_TAR_FILENAME.gz);
+      fi
+    # By default, we want to cache the full repo, unless the $DISABLE_FULL_REPO_CACHING variable exists (in the case the shallow clone caching is working well)
+    - if [ -z "$DISABLE_FULL_REPO_CACHING" ]; then
+        cd .. && rm -rf $CI_PROJECT_NAME;
+        echo "Cloning $CI_REPOSITORY_URL into $CI_PROJECT_NAME.";
+        time git clone --progress $CI_REPOSITORY_URL $CI_PROJECT_NAME;
+        cd $CI_PROJECT_NAME;
+        echo "Archiving $CI_PROJECT_NAME into /tmp/$FULL_CLONE_TAR_FILENAME.";
+        time tar cf /tmp/$FULL_CLONE_TAR_FILENAME .;
+        echo "GZipping /tmp/$FULL_CLONE_TAR_FILENAME.";
+        time gzip /tmp/$FULL_CLONE_TAR_FILENAME;
+        [ -z "$CI_REPO_CACHE_CREDENTIALS" ] || (echo "Uploading /tmp/$FULL_CLONE_TAR_FILENAME.gz to GCloud." && time gsutil cp /tmp/$FULL_CLONE_TAR_FILENAME.gz gs://gitlab-ci-git-repo-cache/project-$CI_PROJECT_ID/$FULL_CLONE_TAR_FILENAME.gz);
+      fi
diff --git a/.gitlab/ci/cng.gitlab-ci.yml b/.gitlab/ci/cng.gitlab-ci.yml
index d7699de74e2..269996dfd09 100644
--- a/.gitlab/ci/cng.gitlab-ci.yml
+++ b/.gitlab/ci/cng.gitlab-ci.yml
@@ -1,6 +1,6 @@
 cloud-native-image:
   extends: .cng:rules
-  image: ruby:2.6-alpine
+  image: ruby:2.7-alpine
   dependencies: []
   stage: post-test
   variables:
diff --git a/.gitlab/ci/docs.gitlab-ci.yml b/.gitlab/ci/docs.gitlab-ci.yml
index 4b25908aa6a..b258eb73515 100644
--- a/.gitlab/ci/docs.gitlab-ci.yml
+++ b/.gitlab/ci/docs.gitlab-ci.yml
@@ -2,7 +2,7 @@
   extends:
     - .default-retry
     - .docs:rules:review-docs
-  image: ruby:2.6-alpine
+  image: ruby:2.7-alpine
   stage: review
   needs: []
   variables:
@@ -38,15 +38,25 @@ review-docs-cleanup:
   script:
     - ./scripts/trigger-build docs cleanup
 
-docs lint:
+docs-lint markdown:
   extends:
     - .default-retry
     - .docs:rules:docs-lint
-  image: "registry.gitlab.com/gitlab-org/gitlab-docs/lint:ruby-2.7.2-alpine-3.12-vale-2.4.3-markdownlint-0.24.0"
+  # When updating the image version here, update it in /scripts/lint-doc.sh too.
+  image: "registry.gitlab.com/gitlab-org/gitlab-docs/lint-markdown:alpine-3.12-vale-2.6.1-markdownlint-0.24.0"
   stage: test
   needs: []
   script:
     - scripts/lint-doc.sh
+
+docs-lint links:
+  extends:
+    - .default-retry
+    - .docs:rules:docs-lint
+  image: "registry.gitlab.com/gitlab-org/gitlab-docs/lint:ruby-2.7.2-alpine-3.12-vale-2.4.3-markdownlint-0.24.0"
+  stage: test
+  needs: []
+  script:
     # Prepare docs for build
     # The path must be 'ee/' because we have hardcoded links relying on it
     # https://gitlab.com/gitlab-org/gitlab-docs/-/blob/887850752fc0e72856da6632db132f005ba77f16/content/index.erb#L44-63
diff --git a/.gitlab/ci/frontend.gitlab-ci.yml b/.gitlab/ci/frontend.gitlab-ci.yml
index e4c9f85cf62..0b921309ced 100644
--- a/.gitlab/ci/frontend.gitlab-ci.yml
+++ b/.gitlab/ci/frontend.gitlab-ci.yml
@@ -15,7 +15,7 @@
   extends:
     - .frontend-base
     - .assets-compile-cache
-  image: registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.6-git-2.28-lfs-2.9-node-12.18-yarn-1.22-graphicsmagick-1.3.34
+  image: registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2-git-2.29-lfs-2.9-node-12.18-yarn-1.22-graphicsmagick-1.3.34
   variables:
     WEBPACK_VENDOR_DLL: "true"
   stage: prepare
@@ -97,32 +97,41 @@ update-yarn-cache:
     - .rails-cache
     - .use-pg11
   stage: fixtures
-  needs: ["setup-test-env", "compile-test-assets"]
+  needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets"]
   variables:
     SETUP_DB: "true"
     WEBPACK_VENDOR_DLL: "true"
   script:
+    - run_timed_command "gem install knapsack --no-document"
     - run_timed_command "scripts/gitaly-test-build"
     - run_timed_command "scripts/gitaly-test-spawn"
-    - run_timed_command "bin/rake frontend:fixtures"
+    - source ./scripts/rspec_helpers.sh
+    - rspec_paralellized_job "--tag frontend_fixture"
   artifacts:
     name: frontend-fixtures
     expire_in: 31d
     when: always
     paths:
       - tmp/tests/frontend/
+      - knapsack/
 
-frontend-fixtures:
+rspec frontend_fixture:
   extends:
     - .frontend-fixtures-base
     - .frontend:rules:default-frontend-jobs
 
-frontend-fixtures-as-if-foss:
+rspec frontend_fixture as-if-foss:
   extends:
     - .frontend-fixtures-base
     - .frontend:rules:default-frontend-jobs-as-if-foss
     - .as-if-foss
 
+rspec-ee frontend_fixture:
+  extends:
+    - .frontend-fixtures-base
+    - .frontend:rules:default-frontend-jobs
+  parallel: 2
+
 .frontend-test-base:
   extends:
     - .frontend-base
@@ -152,7 +161,8 @@ karma:
   extends:
     - .karma-base
     - .frontend:rules:default-frontend-jobs
-  needs: ["frontend-fixtures"]
+  # Don't use `needs` since `rspec-ee frontend_fixture` doesn't exist in `gitlab-foss` pipelines.
+  dependencies: ["rspec frontend_fixture", "rspec-ee frontend_fixture"]
   coverage: '/^Statements *: (\d+\.\d+%)/'
   artifacts:
     name: coverage-javascript
@@ -171,7 +181,7 @@ karma-as-if-foss:
     - .karma-base
     - .frontend:rules:default-frontend-jobs-as-if-foss
     - .as-if-foss
-  needs: ["frontend-fixtures-as-if-foss"]
+  needs: ["rspec frontend_fixture as-if-foss"]
 
 .jest-base:
   extends: .frontend-test-base
@@ -183,7 +193,8 @@ jest:
   extends:
     - .jest-base
     - .frontend:rules:default-frontend-jobs
-  needs: ["frontend-fixtures"]
+  # Don't use `needs` since `rspec-ee frontend_fixture` doesn't exist in `gitlab-foss` pipelines.
+  dependencies: ["rspec frontend_fixture", "rspec-ee frontend_fixture"]
   artifacts:
     name: coverage-frontend
     expire_in: 31d
@@ -203,14 +214,15 @@ jest-integration:
   script:
     - *yarn-install
     - run_timed_command "yarn jest:integration --ci"
-  needs: ["frontend-fixtures"]
+  # Don't use `needs` since `rspec-ee frontend_fixture` doesn't exist in `gitlab-foss` pipelines.
+  dependencies: ["rspec frontend_fixture", "rspec-ee frontend_fixture"]
 
 jest-as-if-foss:
   extends:
     - .jest-base
     - .frontend:rules:default-frontend-jobs-as-if-foss
     - .as-if-foss
-  needs: ["frontend-fixtures-as-if-foss"]
+  needs: ["rspec frontend_fixture as-if-foss"]
   parallel: 2
 
 coverage-frontend:
diff --git a/.gitlab/ci/global.gitlab-ci.yml b/.gitlab/ci/global.gitlab-ci.yml
index fea3956bfe8..0fafd5869d9 100644
--- a/.gitlab/ci/global.gitlab-ci.yml
+++ b/.gitlab/ci/global.gitlab-ci.yml
@@ -18,7 +18,7 @@
 
 .rails-cache:
   cache:
-    key: "rails-v2"
+    key: "rails-v3"
     paths:
       - vendor/ruby/
       - vendor/gitaly-ruby/
@@ -27,7 +27,7 @@
 
 .static-analysis-cache:
   cache:
-    key: "static-analysis-v1"
+    key: "static-analysis-v2"
     paths:
       - vendor/ruby/
       - node_modules/
@@ -43,7 +43,7 @@
 
 .qa-cache:
   cache:
-    key: "qa-v1"
+    key: "qa-v2"
     paths:
       - qa/vendor/ruby/
     policy: pull
@@ -71,7 +71,7 @@
     policy: pull
 
 .use-pg11:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.6-golang-1.14-git-2.28-lfs-2.9-chrome-85-node-12.18-yarn-1.22-postgresql-11-graphicsmagick-1.3.34"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2-golang-1.14-git-2.29-lfs-2.9-chrome-85-node-12.18-yarn-1.22-postgresql-11-graphicsmagick-1.3.34"
   services:
     - name: postgres:11.6
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -80,7 +80,7 @@
     POSTGRES_HOST_AUTH_METHOD: trust
 
 .use-pg12:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.6-golang-1.14-git-2.28-lfs-2.9-chrome-85-node-12.18-yarn-1.22-postgresql-12-graphicsmagick-1.3.34"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2-golang-1.14-git-2.29-lfs-2.9-chrome-85-node-12.18-yarn-1.22-postgresql-12-graphicsmagick-1.3.34"
   services:
     - name: postgres:12
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -89,7 +89,7 @@
     POSTGRES_HOST_AUTH_METHOD: trust
 
 .use-pg11-ee:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.6-golang-1.14-git-2.28-lfs-2.9-chrome-85-node-12.18-yarn-1.22-postgresql-11-graphicsmagick-1.3.34"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2-golang-1.14-git-2.29-lfs-2.9-chrome-85-node-12.18-yarn-1.22-postgresql-11-graphicsmagick-1.3.34"
   services:
     - name: postgres:11.6
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -100,7 +100,7 @@
     POSTGRES_HOST_AUTH_METHOD: trust
 
 .use-pg12-ee:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.6-golang-1.14-git-2.28-lfs-2.9-chrome-85-node-12.18-yarn-1.22-postgresql-12-graphicsmagick-1.3.34"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.7.2-golang-1.14-git-2.29-lfs-2.9-chrome-85-node-12.18-yarn-1.22-postgresql-12-graphicsmagick-1.3.34"
   services:
     - name: postgres:12
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
diff --git a/.gitlab/ci/qa.gitlab-ci.yml b/.gitlab/ci/qa.gitlab-ci.yml
index 96a8f093fea..1dc403c9d06 100644
--- a/.gitlab/ci/qa.gitlab-ci.yml
+++ b/.gitlab/ci/qa.gitlab-ci.yml
@@ -7,7 +7,7 @@
   before_script:
     - '[ "$FOSS_ONLY" = "1" ] && rm -rf ee/ qa/spec/ee/ qa/qa/specs/features/ee/ qa/qa/ee/ qa/qa/ee.rb'
     - cd qa/
-    - bundle install --clean --jobs=$(nproc) --path=vendor --retry=3 --quiet
+    - bundle install --clean --jobs=$(nproc) --path=vendor --retry=3 --without=development --quiet
     - bundle check
 
 qa:internal:
@@ -47,7 +47,7 @@ update-qa-cache:
     policy: push  # We want to rebuild the cache from scratch to ensure stale dependencies are cleaned up.
 
 .package-and-qa-base:
-  image: ruby:2.6-alpine
+  image: ruby:2.7-alpine
   stage: qa
   retry: 0
   script:
diff --git a/.gitlab/ci/rails.gitlab-ci.yml b/.gitlab/ci/rails.gitlab-ci.yml
index c4167ce7bcb..14b07dd4a2a 100644
--- a/.gitlab/ci/rails.gitlab-ci.yml
+++ b/.gitlab/ci/rails.gitlab-ci.yml
@@ -1,4 +1,4 @@
-######################
+#######################
 # rspec job base specs
 .rails-job-base:
   extends:
@@ -20,6 +20,7 @@
   variables:
     RUBY_GC_MALLOC_LIMIT: 67108864
     RUBY_GC_MALLOC_LIMIT_MAX: 134217728
+    CRYSTALBALL: "true"
   needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets"]
   script:
     - *base-script
@@ -29,6 +30,7 @@
     when: always
     paths:
       - coverage/
+      - crystalball/
       - knapsack/
       - rspec_flaky/
       - rspec_profiling/
@@ -284,6 +286,9 @@ db:migrate-from-v12.10.0:
     - '[[ -d "ee/" ]] || export TAG_TO_CHECKOUT="v12.10.0"'
     - git fetch https://gitlab.com/gitlab-org/$PROJECT_TO_CHECKOUT.git $TAG_TO_CHECKOUT
     - git checkout -f FETCH_HEAD
+    - sed -i -e "s/gem 'grpc', '~> 1.24.0'/gem 'grpc', '~> 1.30.2'/" Gemfile  # Update gRPC for Ruby 2.7
+    - sed -i -e "s/gem 'google-protobuf', '~> 3.8.0'/gem 'google-protobuf', '~> 3.12.0'/" Gemfile
+    - gem install bundler:1.17.3
     - bundle update google-protobuf grpc bootsnap
     - bundle install $BUNDLE_INSTALL_FLAGS
     - date
@@ -556,7 +561,7 @@ rspec-ee system pg12 geo:
 # EE: Canonical MR pipelines
 rspec fail-fast:
   extends:
-    - .rspec-ee-base-pg11 # This job also runs EE spec which needs elasticsearch
+    - .rspec-ee-base-pg11  # This job also runs EE spec which needs elasticsearch
     - .rails:rules:rspec fail-fast
   stage: test
   needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets", "detect-tests"]
diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index 168f60f0f65..565ed93967c 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -15,7 +15,7 @@ code_quality:
   stage: test
   needs: []
   variables:
-    CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/ci-cd/codequality:0.85.10-gitlab.1"
+    CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/ci-cd/codequality:0.85.18"
   script:
     - |
       if ! docker info &>/dev/null; then
@@ -152,6 +152,26 @@ dependency_scanning:
       dependency_scanning: gl-dependency-scanning-report.json
     expire_in: 1 week  # GitLab-specific
 
+# The job below analysis dependencies for malicous behavior
+package_hunter:
+  extends:
+    - .reports:schedule-dast
+  stage: test
+  image:
+    name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:latest
+    entrypoint: [""]
+  needs: []
+  script:
+    - rm -r spec locale .git app/assets/images doc/
+    - cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
+    - DEBUG=* HTR_user=$PACKAGE_HUNTER_USER HTR_pass=$PACKAGE_HUNTER_PASS node /usr/src/app/cli.js analyze --format gitlab gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json
+  artifacts:
+    paths:
+      - gl-dependency-scanning-report.json  # GitLab-specific
+    reports:
+      dependency_scanning: gl-dependency-scanning-report.json
+    expire_in: 1 week  # GitLab-specific
+
 license_scanning:
   extends:
     - .default-retry
diff --git a/.gitlab/ci/review.gitlab-ci.yml b/.gitlab/ci/review.gitlab-ci.yml
index 46a1a957692..d3069657e88 100644
--- a/.gitlab/ci/review.gitlab-ci.yml
+++ b/.gitlab/ci/review.gitlab-ci.yml
@@ -25,7 +25,7 @@ review-build-cng:
   extends:
     - .default-retry
     - .review:rules:review-build-cng
-  image: ruby:2.6-alpine
+  image: ruby:2.7-alpine
   stage: review-prepare
   before_script:
     - source ./scripts/utils.sh
@@ -122,7 +122,7 @@ review-stop:
   extends:
     - .default-retry
     - .use-docker-in-docker
-  image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-qa-alpine-ruby-2.6
+  image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-qa-alpine-ruby-2.7
   stage: qa
   # This is needed so that manual jobs with needs don't block the pipeline.
   # See https://gitlab.com/gitlab-org/gitlab/-/issues/199979.
@@ -199,7 +199,7 @@ review-performance:
 parallel-spec-reports:
   extends:
     - .review:rules:mr-only-manual
-  image: ruby:2.6-alpine
+  image: ruby:2.7-alpine
   stage: post-qa
   dependencies: ["review-qa-all"]
   variables:
diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml
index 57d4a2a4cb7..7f469221da2 100644
--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -103,8 +103,11 @@
   - ".gitlab/ci/build-images.gitlab-ci.yml"
   - ".gitlab/ci/qa.gitlab-ci.yml"
 
-.yaml-patterns: &yaml-patterns
-  - "**/*.yml"
+.yaml-lint-patterns: &yaml-lint-patterns
+  - ".gitlab-ci.yml"
+  - ".gitlab/ci/**/*.yml"
+  - "lib/gitlab/ci/templates/**/*.yml"
+  - "{,ee/}changelogs/**/*.yml"
 
 .docs-patterns: &docs-patterns
   - ".gitlab/route-map.yml"
@@ -142,8 +145,8 @@
   - "{,ee/}{,spec/}lib/{,ee/}gitlab/database{,_spec}.rb"
   - "{,ee/}{,spec/}lib/{,ee/}gitlab/background_migration/**/*"
   - "{,ee/}{,spec/}lib/{,ee/}gitlab/background_migration{,_spec}.rb"
-  - "config/prometheus/common_metrics.yml" # Used by Gitlab::DatabaseImporters::CommonMetrics::Importer
-  - "{,ee/}app/models/project_statistics.rb" # Used to calculate sizes in migration specs
+  - "config/prometheus/common_metrics.yml"  # Used by Gitlab::DatabaseImporters::CommonMetrics::Importer
+  - "{,ee/}app/models/project_statistics.rb"  # Used to calculate sizes in migration specs
 
 .backstage-patterns: &backstage-patterns
   - "Dangerfile"
@@ -161,7 +164,7 @@
   - "vendor/assets/**/*"
   - ".gitlab/ci/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
+  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,rubocop_manual_todo,scss-lint}.yml"
   - "*_VERSION"
   - "Gemfile{,.lock}"
   - "Rakefile"
@@ -183,7 +186,7 @@
   - "vendor/assets/**/*"
   - ".gitlab/ci/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
+  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,rubocop_manual_todo,scss-lint}.yml"
   - "*_VERSION"
   - "Gemfile{,.lock}"
   - "Rakefile"
@@ -207,7 +210,7 @@
   - "vendor/assets/**/*"
   - ".gitlab/ci/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
+  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,rubocop_manual_todo,scss-lint}.yml"
   - "*_VERSION"
   - "Gemfile{,.lock}"
   - "Rakefile"
@@ -228,7 +231,7 @@
   - "vendor/assets/**/*"
   - ".gitlab/ci/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
-  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
+  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,rubocop_manual_todo,scss-lint}.yml"
   - "*_VERSION"
   - "Gemfile{,.lock}"
   - "Rakefile"
@@ -673,10 +676,14 @@
 ##################
 .releases:rules:canonical-dot-com-gitlab-stable-branch-only:
   rules:
+    - if: '$CI_COMMIT_MESSAGE =~ /\[merge-train skip\]/'
+      when: never
     - if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable-ee$/'
 
 .releases:rules:canonical-dot-com-security-gitlab-stable-branch-only:
   rules:
+    - if: '$CI_COMMIT_MESSAGE =~ /\[merge-train skip\]/'
+      when: never
     - if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/security/gitlab" && $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable-ee$/'
 
 #################
@@ -771,7 +778,7 @@
 
 .review:rules:review-performance:
   rules:
-    - if: '$DAST_RUN == "true"' # Skip this job when DAST is run
+    - if: '$DAST_RUN == "true"'  # Skip this job when DAST is run
       when: never
     - <<: *if-not-ee
       when: never
@@ -905,10 +912,10 @@
     - <<: *if-dot-com-ee-schedule
       changes: *code-backstage-patterns
 
-##############
-# YAML rules #
-##############
-.yaml:rules:
+###################
+# yaml-lint rules #
+###################
+.yaml-lint:rules:
   rules:
     - <<: *if-default-refs
-      changes: *yaml-patterns
+      changes: *yaml-lint-patterns
diff --git a/.gitlab/ci/setup.gitlab-ci.yml b/.gitlab/ci/setup.gitlab-ci.yml
index cf42d2a8a5e..abe7625c740 100644
--- a/.gitlab/ci/setup.gitlab-ci.yml
+++ b/.gitlab/ci/setup.gitlab-ci.yml
@@ -52,7 +52,7 @@ no_ee_check:
 verify-tests-yml:
   extends:
     - .setup:rules:verify-tests-yml
-  image: ruby:2.6-alpine
+  image: ruby:2.7-alpine
   stage: test
   needs: []
   script:
@@ -61,7 +61,7 @@ verify-tests-yml:
     - scripts/verify-tff-mapping
 
 .detect-test-base:
-  image: ruby:2.6-alpine
+  image: ruby:2.7-alpine
   needs: []
   stage: prepare
   script:
diff --git a/.gitlab/ci/test-metadata.gitlab-ci.yml b/.gitlab/ci/test-metadata.gitlab-ci.yml
index 2d83531e1db..e4b7047ef71 100644
--- a/.gitlab/ci/test-metadata.gitlab-ci.yml
+++ b/.gitlab/ci/test-metadata.gitlab-ci.yml
@@ -9,6 +9,7 @@
       - knapsack/
       - rspec_flaky/
       - rspec_profiling/
+      - crystalball/packed-mapping.json.gz
 
 retrieve-tests-metadata:
   extends:
@@ -27,6 +28,8 @@ update-tests-metadata:
   dependencies:
     - setup-test-env
     - rspec migration pg11
+    - rspec frontend_fixture
+    - rspec-ee frontend_fixture
     - rspec unit pg11
     - rspec integration pg11
     - rspec system pg11
@@ -41,3 +44,4 @@ update-tests-metadata:
     - run_timed_command "retry gem install fog-aws mime-types activesupport rspec_profiling postgres-copy --no-document"
     - source ./scripts/rspec_helpers.sh
     - update_tests_metadata
+    - update_tests_mapping
diff --git a/.gitlab/ci/yaml.gitlab-ci.yml b/.gitlab/ci/yaml.gitlab-ci.yml
index a650ee7e4b4..c597d992760 100644
--- a/.gitlab/ci/yaml.gitlab-ci.yml
+++ b/.gitlab/ci/yaml.gitlab-ci.yml
@@ -1,9 +1,9 @@
-# Yamllint of *.yml for .gitlab-ci.yml.
+# Yamllint of CI-related yaml and changelogs.
 # This uses rules from project root `.yamllint`.
-lint-ci-gitlab:
+lint-yaml:
   extends:
     - .default-retry
-    - .yaml:rules
+    - .yaml-lint:rules
   image: pipelinecomponents/yamllint:latest
   stage: test
   needs: []
diff --git a/.gitlab/issue_templates/Basic Proposal.md b/.gitlab/issue_templates/Basic Proposal.md
new file mode 100644
index 00000000000..4232561354c
--- /dev/null
+++ b/.gitlab/issue_templates/Basic Proposal.md
@@ -0,0 +1,11 @@
+<!-- This template is a great use for issues that are feature::additions or technical tasks for larger issues.-->
+
+### Proposal 
+
+<!-- Use this section to explain the feature and how it will work. It can be helpful to add technical details, design proposals, and links to related epics or issues. -->
+
+<!-- Consider adding related issues and epics to this issue. You can also reference the Feature Proposal Template (https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/issue_templates/Feature%20proposal.md) for additional details to consider adding to this issue. Additionally, as a data oriented organization, when your feature exits planning breakdown, consider adding the `What does success look like, and how can we measure that?` section.
+
+/label ~"group::" ~"section::"  ~"Category::" ~"GitLab Core"/~"GitLab Starter"/~"GitLab Premium"/~"GitLab Ultimate" 
+
+-->
diff --git a/.gitlab/issue_templates/Feature Flag Roll Out.md b/.gitlab/issue_templates/Feature Flag Roll Out.md
index 788b610a982..a0b64b53250 100644
--- a/.gitlab/issue_templates/Feature Flag Roll Out.md
+++ b/.gitlab/issue_templates/Feature Flag Roll Out.md
@@ -34,7 +34,9 @@ If applicable, any groups/projects that are happy to have this feature turned on
 - [ ] Test on staging
 - [ ] Ensure that documentation has been updated
 - [ ] Enable on GitLab.com for individual groups/projects listed above and verify behaviour  (`/chatops run feature set --project=gitlab-org/gitlab feature_name true`)
-- [ ] Coordinate a time to enable the flag with `#production` and `#g_delivery` on slack.
+- [ ] Coordinate a time to enable the flag with the SRE oncall and release managers
+  - In `#production` by pinging `@sre-oncall`
+  - In `#g_delivery` by pinging `@release-managers`
 - [ ] Announce on the issue an estimated time this will be enabled on GitLab.com
 - [ ] Enable on GitLab.com by running chatops command in `#production` (`/chatops run feature set feature_name true`)
 - [ ] Cross post chatops Slack command to `#support_gitlab-com` ([more guidance when this is necessary in the dev docs](https://docs.gitlab.com/ee/development/feature_flags/controls.html#where-to-run-commands)) and in your team channel
@@ -42,4 +44,12 @@ If applicable, any groups/projects that are happy to have this feature turned on
 - [ ] Remove feature flag and add changelog entry
 - [ ] After the flag removal is deployed, [clean up the feature flag](https://docs.gitlab.com/ee/development/feature_flags/controls.html#cleaning-up) by running chatops command in `#production` channel
 
+## Rollback Steps
+
+- [ ] This feature can be disabled by running the following Chatops command:
+
+```
+/chatops run feature set --project=gitlab-org/gitlab feature_name false
+```
+
 /label ~"feature flag"
diff --git a/.gitlab/issue_templates/Feature proposal.md b/.gitlab/issue_templates/Feature proposal.md
index c80305312c3..b6f83be9121 100644
--- a/.gitlab/issue_templates/Feature proposal.md
+++ b/.gitlab/issue_templates/Feature proposal.md
@@ -4,7 +4,7 @@
 
 <!-- What is the problem and solution you're proposing? This content sets the overall vision for the feature and serves as the release notes that will populate in various places, including the [release post blog](https://about.gitlab.com/releases/categories/releases/) and [Gitlab project releases](https://gitlab.com/gitlab-org/gitlab/-/releases). " -->
 
-### Problem to solve
+### Problem to solve 
 
 <!-- What problem do we solve? Try to define the who/what/why of the opportunity as a user story. For example, "As a (who), I want (what), so I can (why/value)." -->
 
@@ -28,6 +28,7 @@ Personas are described at https://about.gitlab.com/handbook/marketing/product-ma
 * [Allison (Application Ops)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#allison-application-ops)
 * [Priyanka (Platform Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#priyanka-platform-engineer)
 * [Dana (Data Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#dana-data-analyst)
+* [Eddie (Content Editor)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#eddie-content-editor)
 -->
 
 ### User experience goal
@@ -95,7 +96,8 @@ In which enterprise tier should this feature go? See https://about.gitlab.com/ha
 
 ### Links / references
 
-<!--  Label reminders - you should have one of each of the following labels if you can figure out the correct ones -->
+<!--  Label reminders - you should have one of each of the following labels.
+Read the descriptions on https://gitlab.com/gitlab-org/gitlab/-/labels to find the correct ones -->
 /label ~devops:: ~group: ~Category:
 
 /label ~feature
diff --git a/.gitlab/issue_templates/Lean Feature Proposal.md b/.gitlab/issue_templates/Lean Feature Proposal.md
new file mode 100644
index 00000000000..b1cb98ba5e9
--- /dev/null
+++ b/.gitlab/issue_templates/Lean Feature Proposal.md
@@ -0,0 +1,99 @@
+<!-- This issue template can be used a great starting point for feature requests. The last section "Release notes" can be used as a summary of the feature and is also required if you want to have your release post blog MR auto generated using the release post item generator:  https://about.gitlab.com/handbook/marketing/blog/release-posts/#release-post-item-generator. The remaining sections are the backbone for every feature in GitLab. -->
+
+### Release notes 
+
+<!-- What is the problem and solution you're proposing? This content sets the overall vision for the feature and serves as the release notes that will populate in various places, including the [release post blog](https://about.gitlab.com/releases/categories/releases/) and [Gitlab project releases](https://gitlab.com/gitlab-org/gitlab/-/releases). " -->
+
+### Problem to solve 
+
+<!-- What is the user problem you are trying to solve with this issue? -->
+
+### Proposal 
+
+<!-- Use this section to explain the feature and how it will work. It can be helpful to add technical details, design proposals, and links to related epics or issues. -->
+
+
+
+/label ~"feature" ~"group::" ~"section::"  ~"Category::" ~"GitLab Core"/~"GitLab Starter"/~"GitLab Premium"/~"GitLab Ultimate"
+
+
+<!-- Read the labels descriptions on https://gitlab.com/gitlab-org/gitlab/-/labels to find the appropriate labels. Consider adding related issues and epics to this issue. You can also reference the Feature Proposal Template (https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/issue_templates/Feature%20proposal.md) for additional details to consider adding to this issue. Additionally, as a data oriented organization, when your feature exits planning breakdown, consider adding the `What does success look like, and how can we measure that?` section.
+
+Other sections to consider adding: 
+
+### Intended users
+
+Who will use this feature? If known, include any of the following: types of users (e.g. Developer), personas, or specific company roles (e.g. Release Manager). It's okay to write "Unknown" and fill this field in later.
+
+Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
+
+* [Cameron (Compliance Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#cameron-compliance-manager)
+* [Parker (Product Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#parker-product-manager)
+* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
+* [Presley (Product Designer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#presley-product-designer)
+* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
+* [Devon (DevOps Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#devon-devops-engineer)
+* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)
+* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)
+* [Rachel (Release Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#rachel-release-manager) 
+* [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#alex-security-operations-engineer)
+* [Simone (Software Engineer in Test)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#simone-software-engineer-in-test)
+* [Allison (Application Ops)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#allison-application-ops) 
+* [Priyanka (Platform Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#priyanka-platform-engineer)
+* [Dana (Data Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#dana-data-analyst)
+
+
+### User experience goal
+
+What is the single user experience workflow this problem addresses? 
+For example, "The user should be able to use the UI/API/.gitlab-ci.yml with GitLab to <perform a specific task>"
+https://about.gitlab.com/handbook/engineering/ux/ux-research-training/user-story-mapping/ 
+
+
+### Further details
+
+Include use cases, benefits, goals, or any other details that will help us understand the problem better. 
+
+### Permissions and Security
+
+<!-- What permissions are required to perform the described actions? Are they consistent with the existing permissions as documented for users, groups, and projects as appropriate? Is the proposed behavior consistent between the UI, API, and other access methods (e.g. email replies)?
+Consider adding checkboxes and expectations of users with certain levels of membership https://docs.gitlab.com/ee/user/permissions.html
+* [ ] Add expected impact to members with no access (0)
+* [ ] Add expected impact to Guest (10) members
+* [ ] Add expected impact to Reporter (20) members
+* [ ] Add expected impact to Developer (30) members 
+* [ ] Add expected impact to Maintainer (40) members
+* [ ] Add expected impact to Owner (50) members 
+
+### Documentation
+
+ See the Feature Change Documentation Workflow https://docs.gitlab.com/ee/development/documentation/workflow.html#for-a-product-change
+
+* Add all known Documentation Requirements in this section. See https://docs.gitlab.com/ee/development/documentation/feature-change-workflow.html#documentation-requirements
+* If this feature requires changing permissions, update the permissions document. See https://docs.gitlab.com/ee/user/permissions.html 
+
+### Availability & Testing
+
+This section needs to be retained and filled in during the workflow planning breakdown phase of this feature proposal, if not earlier.
+
+What risks does this change pose to our availability? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? Will it require cross-browser testing?
+
+Please list the test areas (unit, integration and end-to-end) that needs to be added or updated to ensure that this feature will work as intended. Please use the list below as guidance.
+* Unit test changes
+* Integration test changes
+* End-to-end test change
+
+See the test engineering planning process and reach out to your counterpart Software Engineer in Test for assistance: https://about.gitlab.com/handbook/engineering/quality/test-engineering/#test-planning 
+
+### What does success look like, and how can we measure that?
+
+Define both the success metrics and acceptance criteria. Note that success metrics indicate the desired business outcomes, while acceptance criteria indicate when the solution is working correctly. If there is no way to measure success, link to an issue that will implement a way to measure this. 
+
+### What is the type of buyer?
+
+What is the buyer persona for this feature? See https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/buyer-persona/
+In which enterprise tier should this feature go? See https://about.gitlab.com/handbook/product/pricing/#four-tiers
+
+### Is this a cross-stage feature?
+
+Communicate if this change will affect multiple Stage Groups or product areas. We recommend always start with the assumption that a feature request will have an impact into another Group. Loop in the most relevant PM and Product Designer from that Group to provide strategic support to help align the Group's broader plan and vision, as well as to avoid UX and technical debt. https://about.gitlab.com/handbook/product/#cross-stage-features -->
diff --git a/.gitlab/merge_request_templates/Documentation.md b/.gitlab/merge_request_templates/Documentation.md
index 8713405033b..b059c1f68ad 100644
--- a/.gitlab/merge_request_templates/Documentation.md
+++ b/.gitlab/merge_request_templates/Documentation.md
@@ -55,6 +55,14 @@ All reviewers can help ensure accuracy, clarity, completeness, and adherence to
 
 For more information about labels, see [Technical Writing workflows - Labels](https://about.gitlab.com/handbook/engineering/ux/technical-writing/workflow/#labels).
 
+For suggestions that you are confident don't need to be reviewed, change them locally
+and push a commit directly to save others from unneeded reviews. For example:
+
+- Clear typos, like `this is a typpo`.
+- Minor issues, like single quotes instead of double quotes, Oxford commas, and periods.
+
+For more information, see our documentation on [Merging a merge request](https://docs.gitlab.com/ee/development/code_review.html#merging-a-merge-request).
+
 **3. Maintainer**
 
 1. [ ] Review by assigned maintainer, who can always request/require the above reviews. Maintainer's review can occur before or after a technical writer review.