Add latest changes from gitlab-org/gitlab@14-10-stable-ee

16 files changed, 169 insertions, 51 deletions

diff --git a/app/helpers/workhorse_helper.rb b/app/helpers/workhorse_helper.rb
index f1ddc2e902e..70df696510a 100644
--- a/app/helpers/workhorse_helper.rb
+++ b/app/helpers/workhorse_helper.rb
@@ -38,8 +38,6 @@ module WorkhorseHelper
   # Send an entry from artifacts through Workhorse and set safe content type
   def send_artifacts_entry(file, entry)
     headers.store(*Gitlab::Workhorse.send_artifacts_entry(file, entry))
-    headers.store(*Gitlab::Workhorse.detect_content_type)
-
     head :ok
   end
 
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index a417ea35673..68b288bdc87 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -664,7 +664,7 @@ class ProjectPolicy < BasePolicy
     enable :read_security_configuration
   end
 
-  rule { can?(:guest_access) & can?(:read_commit_status) }.policy do
+  rule { can?(:guest_access) & can?(:download_code) }.policy do
     enable :create_merge_request_in
   end
 
diff --git a/app/views/notify/issue_due_email.html.haml b/app/views/notify/issue_due_email.html.haml
index 3208d061928..9dd501022dd 100644
--- a/app/views/notify/issue_due_email.html.haml
+++ b/app/views/notify/issue_due_email.html.haml
@@ -1,5 +1,5 @@
 %p.details
-  = sprintf(s_("Notify|%{author_link}'s issue %{issue_reference_link} is due soon."), { author_link: link_to(@issue.author_name, user_url(@issue.author)), issue_reference_link: issue_reference_link(@issue) })
+  = sprintf(s_("Notify|%{author_link}'s issue %{issue_reference_link} is due soon."), { author_link: link_to(@issue.author_name, user_url(@issue.author)), issue_reference_link: issue_reference_link(@issue) }).html_safe
 
 - if @issue.assignees.any?
   %p
diff --git a/data/whats_new/202204210001_14_10.yml b/data/whats_new/202204210001_14_10.yml
new file mode 100644
index 00000000000..162738661a2
--- /dev/null
+++ b/data/whats_new/202204210001_14_10.yml
@@ -0,0 +1,46 @@
+- title: "Compliance report individual violation reporting"
+  body: |
+    The compliance report now reports every individual merge request violation for the projects within a group. This is a huge improvement over the previous version, which only showed the latest MR that had one or more violations. The new version allows you to see history and patterns of violations over time.
+  stage: manage
+  self-managed: true
+  gitlab-com: true
+  packages: [Ultimate]
+  url: 'https://docs.gitlab.com/ee/user/compliance/compliance_report/'
+  image_url: 'https://about.gitlab.com/images/14_10/manage_compliance_report_individual_violation.png'
+  published_at: 2022-04-22
+  release: 14.10
+- title: "Improved pipeline variables inheritance"
+  body: |
+    Previously, it was possible to pass some CI/CD variables to a downstream pipeline through a trigger job, but variables added in manual pipeline runs or by using the API could not be forwarded.
+
+    In this release we've added a new `trigger:forward` keyword to control what things you forward to downstream parent-child pipelines or multi-project pipelines, which provides a flexible way to handle variable inheritance in downstream pipelines.
+  stage: verify
+  self-managed: true
+  gitlab-com: true
+  packages: [Free, Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/ci/yaml/#triggerforward'
+  image_url: 'https://about.gitlab.com/images/growth/verify.png'
+  published_at: 2022-04-22
+  release: 14.10
+- title: "Escalating manually created incidents"
+  body: |
+    In GitLab 13.10, we [released](https://gitlab.com/gitlab-org/gl-openshift/gitlab-runner-operator/-/issues/6) the GitLab Runner Operator for the Red Hat OpenShift container platform for Kubernetes. That release provided OpenShift users with the automation and management capabilities of the Operator Framework and simplified the ongoing management of runners in an OpenShift Kubernetes cluster. Available starting in 14.10 is a GitLab Runner Operator v1.7.0 that you can use in non-OpenShift Kubernetes clusters. This GitLab Runner Operator is available on [OperatorHub.io](https://operatorhub.io/operator/gitlab-runner-operator).
+  stage: monitor
+  self-managed: true
+  gitlab-com: true
+  packages: [Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/operations/incident_management/paging.html#escalating-an-incident'
+  image_url: 'https://about.gitlab.com/images/14_10/manually_escalated_incident.png'
+  published_at: 2022-04-22
+  release: 14.10
+- title: "Expanded view of group runners"
+  body: |
+    Group runners are now displayed in an expanded view, where you can more easily administer and manage the runners associated with the namespace. To view the new UI, on the left sidebar, select **CI/CD**. This view includes the number of online, offline, and stale runners associated with the group and subgroups.
+  stage: verify
+  self-managed: true
+  gitlab-com: true
+  packages: [Free, Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/ci/runners/runners_scope.html#group-runners'
+  image_url: 'https://about.gitlab.com/images/14_10/group-runners-view-new-3.png'
+  published_at: 2022-04-22
+  release: 14.10
diff --git a/doc/administration/audit_events.md b/doc/administration/audit_events.md
index 955f7a6a830..36f3a71cd2e 100644
--- a/doc/administration/audit_events.md
+++ b/doc/administration/audit_events.md
@@ -167,6 +167,17 @@ From there, you can see the following actions:
 - Users and groups allowed to merge and push to protected branch added or removed ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338873) in GitLab 14.3)
 - Project deploy token was successfully created, revoked or deleted ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/353451) in GitLab 14.9)
 - Failed attempt to create a project deploy token ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/353451) in GitLab 14.9)
+- When merge method is updated ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) in GitLab 14.9)
+- Merged results pipelines enabled or disabled ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) in GitLab 14.9)
+- Merge trains enabled or disabled ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) in GitLab 14.9)
+- Automatically resolve merge request diff discussions enabled or disabled ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) in GitLab 14.9)
+- Show link to create or view a merge request when pushing from the command line enabled or disabled ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) in GitLab 14.9)
+- Delete source branch option by default enabled or disabled ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) in GitLab 14.9)
+- Squash commits when merging is updated ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) in GitLab 14.9)
+- Pipelines must succeed enabled or disabled ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) in GitLab 14.9)
+- Skipped pipelines are considered successful enabled or disabled ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) in GitLab 14.9)
+- All discussions must be resolved enabled or disabled ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) in GitLab 14.9)
+- Commit message suggestion is updated ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) in GitLab 14.9)
 
 Project events can also be accessed via the [Project Audit Events API](../api/audit_events.md#project-audit-events).
 
diff --git a/doc/administration/geo/replication/datatypes.md b/doc/administration/geo/replication/datatypes.md
index 5beb2479c57..83e207e7a8f 100644
--- a/doc/administration/geo/replication/datatypes.md
+++ b/doc/administration/geo/replication/datatypes.md
@@ -192,7 +192,7 @@ successfully, you must replicate their data using some other means.
 |[LFS objects](../../lfs/index.md)                                                                              | **Yes** (10.2)                                                          | **Yes** (14.6)                                                             | Via Object Storage provider if supported. Native Geo support (Beta).          | GitLab versions 11.11.x and 12.0.x are affected by [a bug that prevents any new LFS objects from replicating](https://gitlab.com/gitlab-org/gitlab/-/issues/32696).<br /><br />Replication is behind the feature flag `geo_lfs_object_replication`, enabled by default. Verification was behind the feature flag `geo_lfs_object_verification`, removed in 14.7. |
 |[Personal snippets](../../../user/snippets.md)                                                                 | **Yes** (10.2)                                                          | **Yes** (10.2)                                                             | No                                                                            |       |
 |[Project snippets](../../../user/snippets.md)                                                                  | **Yes** (10.2)                                                          | **Yes** (10.2)                                                             | No                                                                            |       |
-|[CI job artifacts](../../../ci/pipelines/job_artifacts.md)                                                     | **Yes** (10.4)                                                          | [No](https://gitlab.com/gitlab-org/gitlab/-/issues/8923)                   | Via Object Storage provider if supported. Native Geo support (Beta).          | Verified only manually using [Integrity Check Rake Task](../../raketasks/check.md) on both sites and comparing the output between them. Job logs also verified on transfer. |
+|[CI job artifacts](../../../ci/pipelines/job_artifacts.md)                                                     | **Yes** (10.4)                                                          | **Yes** (14.10)                                                            | Via Object Storage provider if supported. Native Geo support (Beta).          | Verification is behind the feature flag `geo_job_artifact_replication`, enabled by default in 14.10. |
 |[CI Pipeline Artifacts](https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/models/ci/pipeline_artifact.rb) | [**Yes** (13.11)](https://gitlab.com/gitlab-org/gitlab/-/issues/238464) | [**Yes** (13.11)](https://gitlab.com/gitlab-org/gitlab/-/issues/238464)    | Via Object Storage provider if supported. Native Geo support (Beta).          | Persists additional artifacts after a pipeline completes. |
 |[Container Registry](../../packages/container_registry.md)                                                     | **Yes** (12.3)                                                          | No                                                                         | No                                                                            | Disabled by default. See [instructions](docker_registry.md) to enable. |
 |[Content in object storage (beta)](object_storage.md)                                                          | **Yes** (12.4)                                                          | [No](https://gitlab.com/gitlab-org/gitlab/-/issues/13845)                  | No                                                                            |       |
diff --git a/doc/api/group_clusters.md b/doc/api/group_clusters.md
index 87829708d5e..dfb6e7e4778 100644
--- a/doc/api/group_clusters.md
+++ b/doc/api/group_clusters.md
@@ -315,7 +315,7 @@ Example response:
 
 ## Delete group cluster
 
-Deletes an existing group cluster.
+Deletes an existing group cluster. Does not remove existing resources within the connected Kubernetes cluster.
 
 ```plaintext
 DELETE /groups/:id/clusters/:cluster_id
diff --git a/doc/api/instance_clusters.md b/doc/api/instance_clusters.md
index ab631757eab..137e8e3f25c 100644
--- a/doc/api/instance_clusters.md
+++ b/doc/api/instance_clusters.md
@@ -290,7 +290,7 @@ Example response:
 
 ## Delete instance cluster
 
-Deletes an existing instance cluster.
+Deletes an existing instance cluster. Does not remove existing resources within the connected Kubernetes cluster.
 
 ```plaintext
 DELETE /admin/clusters/:cluster_id
diff --git a/doc/api/project_clusters.md b/doc/api/project_clusters.md
index c1f59520bd7..437522b0946 100644
--- a/doc/api/project_clusters.md
+++ b/doc/api/project_clusters.md
@@ -388,7 +388,7 @@ Example response:
 
 ## Delete project cluster
 
-Deletes an existing project cluster.
+Deletes an existing project cluster. Does not remove existing resources within the connected Kubernetes cluster.
 
 ```plaintext
 DELETE /projects/:id/clusters/:cluster_id
diff --git a/doc/update/index.md b/doc/update/index.md
index 1e8badf59b4..a21b55b0205 100644
--- a/doc/update/index.md
+++ b/doc/update/index.md
@@ -192,9 +192,13 @@ pending_job_classes.each { |job_class| Gitlab::BackgroundMigration.steal(job_cla
 #### Background migrations stuck in 'pending' state
 
 GitLab 13.6 introduced an issue where a background migration named `BackfillJiraTrackerDeploymentType2` can be permanently stuck in a **pending** state across upgrades. To clean up this stuck migration, see the [13.6.0 version-specific instructions](#1360).
+
 GitLab 14.4 introduced an issue where a background migration named `PopulateTopicsTotalProjectsCountCache` can be permanently stuck in a **pending** state across upgrades when the instance lacks records that match the migration's target. To clean up this stuck migration, see the [14.4.0 version-specific instructions](#1440).
+
 GitLab 14.8 introduced an issue where a background migration named `PopulateTopicsNonPrivateProjectsCount` can be permanently stuck in a **pending** state across upgrades. To clean up this stuck migration, see the [14.8.0 version-specific instructions](#1480).
 
+GitLab 14.9 introduced an issue where a background migration named `ResetDuplicateCiRunnersTokenValuesOnProjects` can be permanently stuck in a **pending** state across upgrades when the instance lacks records that match the migration's target. To clean up this stuck migration, see the [14.9.0 version-specific instructions](#1490).
+
 For other background migrations stuck in pending, run the following check. If it returns non-zero and the count does not decrease over time, follow the rest of the steps in this section.
 
 ```shell
@@ -398,6 +402,35 @@ NOTE:
 Specific information that follow related to Ruby and Git versions do not apply to [Omnibus installations](https://docs.gitlab.com/omnibus/)
 and [Helm Chart deployments](https://docs.gitlab.com/charts/). They come with appropriate Ruby and Git versions and are not using system binaries for Ruby and Git. There is no need to install Ruby or Git when utilizing these two approaches.
 
+### 14.9.0
+
+- Database changes made by the upgrade to GitLab 14.9 can take hours or days to complete on larger GitLab instances. 
+  These [batched background migrations](#batched-background-migrations) update whole database tables to ensure corresponding
+  records in `namespaces` table for each record in `projects` table.
+
+  After you update to 14.9.0 or a later 14.9 patch version,
+  [batched background migrations need to finish](#batched-background-migrations)
+  before you update to a later version.
+
+  If the migrations are not finished and you try to update to a later version,
+  you'll see an error like:
+
+  ```plaintext
+  Expected batched background migration for the given configuration to be marked as 'finished', but it is 'active':
+  ```
+
+- GitLab 14.9.0 includes a
+  [background migration `ResetDuplicateCiRunnersTokenValuesOnProjects`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79140)
+  that may remain stuck permanently in a **pending** state.
+
+  To clean up this stuck job, run the following in the [GitLab Rails Console](../administration/operations/rails_console.md):
+
+  ```ruby
+  Gitlab::Database::BackgroundMigrationJob.pending.where(class_name: "ResetDuplicateCiRunnersTokenValuesOnProjects").find_each do |job|
+    puts Gitlab::Database::BackgroundMigrationJob.mark_all_as_succeeded("ResetDuplicateCiRunnersTokenValuesOnProjects", job.arguments)
+  end
+  ```
+
 ### 14.8.0
 
 - If upgrading from a version earlier than 14.6.5, 14.7.4, or 14.8.2, please review the [Critical Security Release: 14.8.2, 14.7.4, and 14.6.5](https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/) blog post.
@@ -455,7 +488,7 @@ that may remain stuck permanently in a **pending** state.
   can override the behavior of `tmpfiles.d` for the Gitaly files and avoid this issue:
 
   ```shell
-  sudo echo "x /tmp/gitaly-hooks-*" > /etc/tmpfiles.d/gitaly-workaround.conf
+  sudo printf "x /tmp/gitaly-%s-*\n" hooks git-exec-path >/etc/tmpfiles.d/gitaly-workaround.conf
   ```
 
 ### 14.6.0
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index e4a7f2213ae..ee0520df8ff 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -714,7 +714,6 @@ module API
 
     def send_artifacts_entry(file, entry)
       header(*Gitlab::Workhorse.send_artifacts_entry(file, entry))
-      header(*Gitlab::Workhorse.detect_content_type)
 
       body ''
     end
diff --git a/lib/gitlab/workhorse.rb b/lib/gitlab/workhorse.rb
index d74efd458f6..19d30daa577 100644
--- a/lib/gitlab/workhorse.rb
+++ b/lib/gitlab/workhorse.rb
@@ -226,13 +226,6 @@ module Gitlab
         end
       end
 
-      def detect_content_type
-        [
-          Gitlab::Workhorse::DETECT_HEADER,
-          'true'
-        ]
-      end
-
       protected
 
       # This is the outermost encoding of a senddata: header. It is safe for
diff --git a/spec/controllers/projects/artifacts_controller_spec.rb b/spec/controllers/projects/artifacts_controller_spec.rb
index 958fcd4360c..9410fe08d0b 100644
--- a/spec/controllers/projects/artifacts_controller_spec.rb
+++ b/spec/controllers/projects/artifacts_controller_spec.rb
@@ -361,7 +361,6 @@ RSpec.describe Projects::ArtifactsController do
           subject
 
           expect(response).to have_gitlab_http_status(:ok)
-          expect(response.headers['Gitlab-Workhorse-Detect-Content-Type']).to eq('true')
           expect(send_data).to start_with('artifacts-entry:')
 
           expect(params.keys).to eq(%w(Archive Entry))
diff --git a/spec/lib/gitlab/workhorse_spec.rb b/spec/lib/gitlab/workhorse_spec.rb
index 91ab0a53c6c..3bab9aec454 100644
--- a/spec/lib/gitlab/workhorse_spec.rb
+++ b/spec/lib/gitlab/workhorse_spec.rb
@@ -448,14 +448,6 @@ RSpec.describe Gitlab::Workhorse do
     end
   end
 
-  describe '.detect_content_type' do
-    subject { described_class.detect_content_type }
-
-    it 'returns array setting detect content type in workhorse' do
-      expect(subject).to eq(%w[Gitlab-Workhorse-Detect-Content-Type true])
-    end
-  end
-
   describe '.send_git_blob' do
     include FakeBlobHelpers
 
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index bde83d647db..ca4ca2eb7a0 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -103,39 +103,89 @@ RSpec.describe ProjectPolicy do
   end
 
   context 'creating_merge_request_in' do
-    context 'when project is public' do
-      let(:project) { public_project }
+    context 'when the current_user can download_code' do
+      before do
+        expect(subject).to receive(:allowed?).with(:download_code).and_return(true)
+        allow(subject).to receive(:allowed?).with(any_args).and_call_original
+      end
 
-      context 'when the current_user is guest' do
-        let(:current_user) { guest }
+      context 'when project is public' do
+        let(:project) { public_project }
+
+        context 'when the current_user is guest' do
+          let(:current_user) { guest }
 
-        it { is_expected.to be_allowed(:create_merge_request_in) }
+          it { is_expected.to be_allowed(:create_merge_request_in) }
+        end
       end
-    end
 
-    context 'when project is internal' do
-      let(:project) { internal_project }
+      context 'when project is internal' do
+        let(:project) { internal_project }
 
-      context 'when the current_user is guest' do
-        let(:current_user) { guest }
+        context 'when the current_user is guest' do
+          let(:current_user) { guest }
 
-        it { is_expected.to be_allowed(:create_merge_request_in) }
+          it { is_expected.to be_allowed(:create_merge_request_in) }
+        end
+      end
+
+      context 'when project is private' do
+        let(:project) { private_project }
+
+        context 'when the current_user is guest' do
+          let(:current_user) { guest }
+
+          it { is_expected.not_to be_allowed(:create_merge_request_in) }
+        end
+
+        context 'when the current_user is reporter or above' do
+          let(:current_user) { reporter }
+
+          it { is_expected.to be_allowed(:create_merge_request_in) }
+        end
       end
     end
 
-    context 'when project is private' do
-      let(:project) { private_project }
+    context 'when the current_user can not download code' do
+      before do
+        expect(subject).to receive(:allowed?).with(:download_code).and_return(false)
+        allow(subject).to receive(:allowed?).with(any_args).and_call_original
+      end
 
-      context 'when the current_user is guest' do
-        let(:current_user) { guest }
+      context 'when project is public' do
+        let(:project) { public_project }
+
+        context 'when the current_user is guest' do
+          let(:current_user) { guest }
 
-        it { is_expected.not_to be_allowed(:create_merge_request_in) }
+          it { is_expected.not_to be_allowed(:create_merge_request_in) }
+        end
       end
 
-      context 'when the current_user is reporter or above' do
-        let(:current_user) { reporter }
+      context 'when project is internal' do
+        let(:project) { internal_project }
 
-        it { is_expected.to be_allowed(:create_merge_request_in) }
+        context 'when the current_user is guest' do
+          let(:current_user) { guest }
+
+          it { is_expected.not_to be_allowed(:create_merge_request_in) }
+        end
+      end
+
+      context 'when project is private' do
+        let(:project) { private_project }
+
+        context 'when the current_user is guest' do
+          let(:current_user) { guest }
+
+          it { is_expected.not_to be_allowed(:create_merge_request_in) }
+        end
+
+        context 'when the current_user is reporter or above' do
+          let(:current_user) { reporter }
+
+          it { is_expected.not_to be_allowed(:create_merge_request_in) }
+        end
       end
     end
   end
diff --git a/spec/requests/api/ci/job_artifacts_spec.rb b/spec/requests/api/ci/job_artifacts_spec.rb
index 5abff85af9c..68b44bb89e0 100644
--- a/spec/requests/api/ci/job_artifacts_spec.rb
+++ b/spec/requests/api/ci/job_artifacts_spec.rb
@@ -558,8 +558,7 @@ RSpec.describe API::Ci::JobArtifacts do
             expect(response).to have_gitlab_http_status(:ok)
             expect(response.headers.to_h)
               .to include('Content-Type' => 'application/json',
-                          'Gitlab-Workhorse-Send-Data' => /artifacts-entry/,
-                          'Gitlab-Workhorse-Detect-Content-Type' => 'true')
+                          'Gitlab-Workhorse-Send-Data' => /artifacts-entry/)
           end
         end
 
@@ -629,8 +628,7 @@ RSpec.describe API::Ci::JobArtifacts do
           expect(response).to have_gitlab_http_status(:ok)
           expect(response.headers.to_h)
             .to include('Content-Type' => 'application/json',
-                        'Gitlab-Workhorse-Send-Data' => /artifacts-entry/,
-                        'Gitlab-Workhorse-Detect-Content-Type' => 'true')
+                        'Gitlab-Workhorse-Send-Data' => /artifacts-entry/)
           expect(response.parsed_body).to be_empty
         end
       end
@@ -648,8 +646,7 @@ RSpec.describe API::Ci::JobArtifacts do
           expect(response).to have_gitlab_http_status(:ok)
           expect(response.headers.to_h)
             .to include('Content-Type' => 'application/json',
-                        'Gitlab-Workhorse-Send-Data' => /artifacts-entry/,
-                        'Gitlab-Workhorse-Detect-Content-Type' => 'true')
+                        'Gitlab-Workhorse-Send-Data' => /artifacts-entry/)
         end
       end