Merge branch 'master' into 'boards-bundle-refactor'

# Conflicts:
#   config/webpack.config.js

550 files changed, 7463 insertions, 3226 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c3bb93fbe3e..869884f8ca6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,202 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 10.5.1 (2018-02-22)
+
+- No changes.
+
+## 10.5.0 (2018-02-22)
+
+### Security (3 changes, 1 of them is from the community)
+
+- Update marked from 0.3.6 to 0.3.12. !16480 (Takuya Noguchi)
+- Update nokogiri to 1.8.2. !16807
+- Add verification for GitLab Pages custom domains.
+
+### Fixed (77 changes, 25 of them are from the community)
+
+- Fix the Projects API with_issues_enabled filter behaving incorrectly any user. !12724 (Jan Christophersen)
+- Hide pipeline schedule take ownership for current owner. !12986
+- Handle special characters on API request of issuable templates. !15323 (Takuya Noguchi)
+- Shows signin tab after new user email confirmation. !16174 (Jacopo Beschi @jacopo-beschi)
+- Make project README containers wider on fixed layout. !16181 (Takuya Noguchi)
+- Fix dashboard projects nav links height. !16204 (George Tsiolis)
+- Fix error on empty query for Members API. !16235
+- Issue board: fix for dragging an issue to the very bottom in long lists. !16250 (David Kuri)
+- Make rich blob viewer wider for PC. !16262 (Takuya Noguchi)
+- Substitute deprecated ui_charcoal with new default ui_indigo. !16271 (Takuya Noguchi)
+- Generate HTTP URLs for custom Pages domains when appropriate. !16279
+- Make modal dialog common for Groups tree app. !16311
+- Allow moving wiki pages from the UI. !16313
+- Filter groups and projects dropdowns of search page on backend. !16336
+- Adjust layout width for fixed layout. !16337 (George Tsiolis)
+- Fix custom header logo design nitpick: Remove unneeded margin on empty logo text. !16383 (Markus Doits)
+- File Upload UI can create LFS pointers based on .gitattributes. !16412
+- Fix Ctrl+Enter keyboard shortcut saving comment/note edit. !16415
+- Fix file search results when they match file contents with a number between two colons. !16462
+- Fix tooltip displayed for running manual actions. !16489
+- Allow trailing + on labels in board filters. !16490
+- Prevent JIRA issue identifier from being humanized. !16491 (Andrew McCallum)
+- Add horizontal scroll to wiki tables. !16527 (George Tsiolis)
+- Fix a bug calculating artifact size for project statistics. !16539
+- Stop loading spinner on error of issuable templates. !16600 (Takuya Noguchi)
+- Allows html text in commits atom feed. !16603 (Jacopo Beschi @jacopo-beschi)
+- Disable MR check out button when source branch is deleted. !16631 (Jacopo Beschi @jacopo-beschi)
+- Fix export removal for hashed-storage projects within a renamed or deleted namespace. !16658
+- Default to HTTPS for all Gravatar URLs. !16666
+- Login via OAuth now only marks new users as external. !16672
+- Fix default avatar icon missing when Gravatar is disabled. !16681 (Felix Geyer)
+- Change button group width on mobile. !16726 (George Tsiolis)
+- Fix version information not showing on help page if commercial content display was disabled. !16743
+- Adds spacing between edit and delete tag btn in tag list. !16757 (Jacopo Beschi @jacopo-beschi)
+- Fix 500 error when loading a merge request with an invalid comment. !16795
+- Deleting an upload will correctly clean up the filesystem. !16799
+- Cleanup new branch/merge request form in issues. !16854
+- Fix GitLab import leaving group_id on ProjectLabel. !16877
+- Fix forking projects when no restricted visibility levels are defined applicationwide. !16881
+- Trigger change event on filename input when file template is applied. !16911 (Sebastian Klingler)
+- Fixes different margins between buttons in tag list. !16927 (Jacopo Beschi @jacopo-beschi)
+- Close low level rugged repository in project cache worker. !16930 (Bastian Blank)
+- Override group sidebar links. !16942 (George Tsiolis)
+- Avoid running `PopulateForkNetworksRange`-migration multiple times. !16988
+- Resolve PrepareUntrackedUploads PostgreSQL syntax error. !17019
+- Fix monaco editor features which were incompatable with GitLab CDN settings. !17021
+- Fixed error 500 when removing an identity with synced attributes and visiting the profile page. !17054
+- Fix cnacel edit note button reverting changes. !42462
+- For issues display time of last edit of title or description instead of time of any attribute change.
+- Handle all Psych YAML parser exceptions (fixes #41209).
+- Fix validation of environment scope of variables.
+- Display user friendly error message if rebase fails.
+- Hide new branch and tag links for projects with an empty repo.
+- Fix protected branches API to accept name parameter with dot.
+- Closes #38540 - Remove .ssh/environment file that now breaks the gitlab:check rake task.
+- Keep subscribers when promoting labels to group labels.
+- Replace verified badge icons and uniform colors.
+- Fix error on changes tab when merge request cannot be created.
+- Ignore leading slashes when searching for files within context of repository. (Andrew McCallum)
+- Close and do not reload MR diffs when source branch is deleted.
+- Bypass commits title markdown on notes.
+- Reload MRs memoization after diffs creation.
+- Return more consistent values for merge_status on MR APIs.
+- Contribution calendar label was cut off. (Branka Martinovic)
+- LDAP Person no longer throws exception on invalid entry.
+- Fix bug where award emojis would be lost when moving issues between projects.
+- Fix not all events being shown in group dashboard.
+- Fix JIRA not working when a trailing slash is included.
+- Fix squash not working when diff contained non-ASCII data.
+- Remove erroneous text in shared runners page that suggested more runners available.
+- Execute system hooks after-commit when executing project hooks.
+- Makes forking protect default branch on completion.
+- Validate user, group and project paths consistently, and only once.
+- Validate user namespace before saving so that errors persist on model.
+- Permits 'password_authentication_enabled_for_git' parameter for ApplicationSettingsController.
+- Fix duplicate item in protected branch/tag dropdown.
+- Open visibility level help in a new tab. (Jussi Räsänen)
+
+### Deprecated (1 change)
+
+- Add note within ux documentation that further changes should be made within the design.gitlab project.
+
+### Changed (20 changes, 7 of them are from the community)
+
+- Show coverage to two decimal points in coverage badge. !10083 (Jeff Stubler)
+- Update 'removed assignee' note to include old assignee reference. !16301 (Maurizio De Santis)
+- Move row containing Projects, Users and Groups count to the top in admin dashboard. !16421
+- Add Auto DevOps Domain application setting. !16604
+- Changes Revert this merge request text. !16611 (Jacopo Beschi @jacopo-beschi)
+- Link Auto DevOps settings to Clusters page. !16641
+- Internationalize charts page. !16687 (selrahman)
+- Internationalize graph page selrahman. !16688 (Shah El-Rahman)
+- Save traces as artifacts. !16702
+- Hide variable values on pipeline schedule edit page. !16729
+- Update runner info on all authenticated requests. !16756
+- Improve issue note dropdown and mr button. !16758 (George Tsiolis)
+- Replace "cluster" with "Kubernetes cluster". !16778
+- Enable Prometheus metrics for deployed Ingresses. !16866 (joshlambert)
+- Rename button to enable CI/CD configuration to "Set up CI/CD". !16870
+- Double padding for file-content wiki class on larger screens.
+- Improve wording about additional costs for Ingress on custom clusters.
+- Last push widget will show banner for new pushes to previously merged branch.
+- Save user ID and username in Grape API log (api_json.log).
+- Include subgroup issues and merge requests on the group page.
+
+### Performance (14 changes, 1 of them is from the community)
+
+- Fix double query execution on groups page. !16314
+- Speed up loading merged merge requests when they contained a lot of commits before merging. !16320
+- Properly memoize some predicate methods. !16329
+- Reduce the number of Prometheus metrics. !16443
+- Only highlight search results under the highlighting size limit. !16462
+- Add fast-blank. !16468
+- Move BoardList vue component to vue file. !16888 (George Tsiolis)
+- Fix N+1 query problem for snippets dashboard. !16944
+- Optimize search queries on the search page by setting a limit for matching records.
+- Store number of commits in merge_request_diffs table.
+- Improve performance of target branch dropdown.
+- Remove duplicate calls of MergeRequest#can_be_reverted?.
+- Stop checking if discussions are in a mergeable state if the MR isn't.
+- Remove N+1 queries with /projects/:project_id/{access_requests,members} API endpoints.
+
+### Added (28 changes, 10 of them are from the community)
+
+- Add link on commit page to merge request that introduced that commit. !13713 (Hiroyuki Sato)
+- System hooks for Merge Requests. !14387 (Alexis Reigel)
+- Add `pipelines` endpoint to merge requests API. !15454 (Tony Rom <thetonyrom@gmail.com>)
+- Adds Rubocop rule for line break around conditionals. !15739 (Jacopo Beschi @jacopo-beschi)
+- Add Colors to GitLab Flavored Markdown. !16095 (Tony Rom <thetonyrom@gmail.com>)
+- Initial work to add notification reason to emails. !16160 (Mario de la Ossa)
+- Implement multi server support and use kube proxy to connect to Prometheus servers inside K8S cluster. !16182
+- Add ability to transfer a group into another group. !16302
+- Add blue dot feature highlight to make GKE Clusters more visible to users. !16379
+- Add section headers to plus button dropdown. !16394 (George Tsiolis)
+- Support PostgreSQL 10. !16471
+- Enables Project Milestone Deletion via the API. !16478 (Jacopo Beschi @jacopo-beschi)
+- Add realtime ci status for the repository -> files view. !16523
+- User can now git push to create a new project. !16547
+- Improve empty project overview. !16617 (George Tsiolis)
+- Added uploader metadata to the uploads. !16779
+- Added ldap config setting to lower case the username. !16791
+- Add search support into the API. !16878
+- Backport of LFS File Locking API. !16935
+- Add a link to documentation on how to get external ip in the Kubernetes cluster details page. !16937
+- Add sorting options for /users API (admin only). !16945
+- Adds sorting to deployments API. (Jacopo Beschi @jacopo-beschi)
+- Add rake task to check integrity of uploaded files.
+- Add backend for persistently dismissably callouts.
+- Track and act upon the number of executed queries.
+- Add a gRPC health check to ensure Gitaly is up.
+- Log and send a system hook if a blocked user attempts to login.
+- Add Gitaly Servers admin dashboard.
+
+### Other (25 changes, 7 of them are from the community)
+
+- Updated the katex library. !15864
+- Add modal for deleting a milestone. !16229
+- Remove unused CSS selectors for Cycle Analytics. !16270 (Takuya Noguchi)
+- Add reason to keep postgresql 9.2 for CI. !16277 (Takuya Noguchi)
+- Adjust modal style to new design. !16310
+- Default to Gitaly for 'git push' HTTP/SSH, and make Gitaly mandatory for SSH pull. !16586
+- Set timezone for karma to UTC. !16602 (Takuya Noguchi)
+- Make Gitaly RepositoryExists opt-out. !16680
+- Update minimum git version to 2.9.5. !16683
+- Disable throwOnError in KaTeX to reveal user where is the problem. !16684 (Jakub Jirutka)
+- fix documentation about node version. !16720 (Tobias Gurtzick)
+- Enable RuboCop Style/RegexpLiteral. !16752 (Takuya Noguchi)
+- Add confirmation-input component. !16816
+- Add unique constraint to trending_projects#project_id. !16846
+- Add foreign key and NOT NULL constraints to todos table. !16849
+- Include branch in mobile view for pipelines. !16910 (George Tsiolis)
+- Downgrade google-protobuf gem. !16941
+- Refactors mr widget components into vue files and adds i18n.
+- increase-readability-of-colored-text-in-job-output-log.
+- Finish any remaining jobs for issues.closed_at.
+- Translate issuable sidebar.
+- Set standard disabled state for all buttons.
+- Upgrade GitLab Workhorse to v3.6.0.
+- Improve readability of underlined links for dyslexic users.
+- Adds empty state illustration for pending job.
+
+
 ## 10.4.4 (2018-02-16)
 
 ### Security (1 change)
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index 9a55e28031d..92fc430ae8f 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-0.81.0
+0.82.0
diff --git a/VERSION b/VERSION
index 7f6774b38ba..f860e97e4cf 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-10.5.0-pre
+10.6.0-pre
diff --git a/app/assets/javascripts/api.js b/app/assets/javascripts/api.js
index 1f34c6b50c2..464611f66f0 100644
--- a/app/assets/javascripts/api.js
+++ b/app/assets/javascripts/api.js
@@ -9,7 +9,7 @@ const Api = {
   projectsPath: '/api/:version/projects.json',
   projectPath: '/api/:version/projects/:id',
   projectLabelsPath: '/:namespace_path/:project_path/labels',
-  groupLabelsPath: '/groups/:namespace_path/labels',
+  groupLabelsPath: '/groups/:namespace_path/-/labels',
   licensePath: '/api/:version/templates/licenses/:key',
   gitignorePath: '/api/:version/templates/gitignores/:key',
   gitlabCiYmlPath: '/api/:version/templates/gitlab_ci_ymls/:key',
@@ -32,7 +32,7 @@ const Api = {
   },
 
   // Return groups list. Filtered by query
-  groups(query, options, callback) {
+  groups(query, options, callback = $.noop) {
     const url = Api.buildUrl(Api.groupsPath);
     return axios.get(url, {
       params: Object.assign({
diff --git a/app/assets/javascripts/commit/pipelines/pipelines_table.vue b/app/assets/javascripts/commit/pipelines/pipelines_table.vue
index da0e8063ccb..ce19069f103 100644
--- a/app/assets/javascripts/commit/pipelines/pipelines_table.vue
+++ b/app/assets/javascripts/commit/pipelines/pipelines_table.vue
@@ -7,7 +7,6 @@
     mixins: [
       pipelinesMixin,
     ],
-
     props: {
       endpoint: {
         type: String,
diff --git a/app/assets/javascripts/cycle_analytics/components/stage_review_component.vue b/app/assets/javascripts/cycle_analytics/components/stage_review_component.vue
index 39b699a6395..34aa04083e6 100644
--- a/app/assets/javascripts/cycle_analytics/components/stage_review_component.vue
+++ b/app/assets/javascripts/cycle_analytics/components/stage_review_component.vue
@@ -37,7 +37,7 @@
       >
         <div class="item-details">
           <!-- FIXME: Pass an alt attribute here for accessibility -->
-          <user-avatar-image :img-src="mergeRequest.author.avatarUrl"/>
+          <user-avatar-image :img-src="mergeRequest.author.avatarUrl" />
           <h5 class="item-title merge-merquest-title">
             <a :href="mergeRequest.url">
               {{ mergeRequest.title }}
diff --git a/app/assets/javascripts/deploy_keys/index.js b/app/assets/javascripts/deploy_keys/index.js
index ca8798facc9..b727261648c 100644
--- a/app/assets/javascripts/deploy_keys/index.js
+++ b/app/assets/javascripts/deploy_keys/index.js
@@ -1,7 +1,7 @@
 import Vue from 'vue';
 import deployKeysApp from './components/app.vue';
 
-document.addEventListener('DOMContentLoaded', () => new Vue({
+export default () => new Vue({
   el: document.getElementById('js-deploy-keys'),
   components: {
     deployKeysApp,
@@ -18,4 +18,4 @@ document.addEventListener('DOMContentLoaded', () => new Vue({
       },
     });
   },
-}));
+});
diff --git a/app/assets/javascripts/diff_notes/diff_notes_bundle.js b/app/assets/javascripts/diff_notes/diff_notes_bundle.js
index 38c42a11b4e..679057e787c 100644
--- a/app/assets/javascripts/diff_notes/diff_notes_bundle.js
+++ b/app/assets/javascripts/diff_notes/diff_notes_bundle.js
@@ -71,7 +71,7 @@ export default () => {
     el: '#resolve-count-app',
     components: {
       'resolve-count': ResolveCount
-    }
+    },
   });
 
   $(window).trigger('resize.nav');
diff --git a/app/assets/javascripts/dispatcher.js b/app/assets/javascripts/dispatcher.js
index adfb11cb3c7..acf0effa00d 100644
--- a/app/assets/javascripts/dispatcher.js
+++ b/app/assets/javascripts/dispatcher.js
@@ -42,190 +42,34 @@ var Dispatcher;
         });
       });
 
-      switch (page) {
-        case 'projects:merge_requests:index':
-        case 'projects:issues:index':
-        case 'projects:issues:show':
-        case 'projects:issues:new':
-        case 'projects:issues:edit':
-        case 'projects:merge_requests:creations:new':
-        case 'projects:merge_requests:creations:diffs':
-        case 'projects:merge_requests:edit':
-        case 'projects:merge_requests:show':
-        case 'projects:commit:show':
-        case 'projects:activity':
-        case 'projects:commits:show':
-        case 'projects:show':
-          shortcut_handler = true;
-          break;
-        case 'groups:activity':
-          import('./pages/groups/activity')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'groups:show':
-          shortcut_handler = true;
-          break;
-        case 'groups:group_members:index':
-          import('./pages/groups/group_members/index')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'projects:project_members:index':
-          import('./pages/projects/project_members')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'groups:create':
-        case 'groups:new':
-          import('./pages/groups/new')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'groups:edit':
-          import('./pages/groups/edit')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'admin:groups:create':
-        case 'admin:groups:new':
-          import('./pages/admin/groups/new')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'admin:groups:edit':
-          import('./pages/admin/groups/edit')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'projects:tree:show':
-          import('./pages/projects/tree/show')
-            .then(callDefault)
-            .catch(fail);
-          shortcut_handler = true;
-          break;
-        case 'projects:find_file:show':
-          import('./pages/projects/find_file/show')
-            .then(callDefault)
-            .catch(fail);
-          shortcut_handler = true;
-          break;
-        case 'projects:blob:show':
-          import('./pages/projects/blob/show')
-            .then(callDefault)
-            .catch(fail);
-          shortcut_handler = true;
-          break;
-        case 'projects:blame:show':
-          import('./pages/projects/blame/show')
-            .then(callDefault)
-            .catch(fail);
-          shortcut_handler = true;
-          break;
-        case 'groups:labels:new':
-          import('./pages/groups/labels/new')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'groups:labels:edit':
-          import('./pages/groups/labels/edit')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'projects:labels:new':
-          import('./pages/projects/labels/new')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'projects:labels:edit':
-          import('./pages/projects/labels/edit')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'groups:labels:index':
-          import('./pages/groups/labels/index')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'projects:labels:index':
-          import('./pages/projects/labels/index')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'projects:network:show':
-          // Ensure we don't create a particular shortcut handler here. This is
-          // already created, where the network graph is created.
-          shortcut_handler = true;
-          break;
-        case 'projects:forks:new':
-          import('./pages/projects/forks/new')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'projects:artifacts:browse':
-          import('./pages/projects/artifacts/browse')
-            .then(callDefault)
-            .catch(fail);
-          shortcut_handler = true;
-          break;
-        case 'projects:artifacts:file':
-          import('./pages/projects/artifacts/file')
-            .then(callDefault)
-            .catch(fail);
-          shortcut_handler = true;
-          break;
-        case 'search:show':
-          import('./pages/search/show')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'projects:settings:repository:show':
-          import('./pages/projects/settings/repository/show')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'projects:settings:ci_cd:show':
-          import('./pages/projects/settings/ci_cd/show')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'groups:settings:ci_cd:show':
-          import('./pages/groups/settings/ci_cd/show')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'ci:lints:create':
-        case 'ci:lints:show':
-          import('./pages/ci/lints')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'admin:conversational_development_index:show':
-          import('./pages/admin/conversational_development_index/show')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'import:fogbugz:new_user_map':
-          import('./pages/import/fogbugz/new_user_map')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'profiles:personal_access_tokens:index':
-          import('./pages/profiles/personal_access_tokens')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'admin:impersonation_tokens:index':
-          import('./pages/admin/impersonation_tokens')
-            .then(callDefault)
-            .catch(fail);
-          break;
-        case 'dashboard:groups:index':
-          import('./pages/dashboard/groups/index')
-            .then(callDefault)
-            .catch(fail);
-          break;
+      const shortcutHandlerPages = [
+        'projects:activity',
+        'projects:artifacts:browse',
+        'projects:artifacts:file',
+        'projects:blame:show',
+        'projects:blob:show',
+        'projects:commit:show',
+        'projects:commits:show',
+        'projects:find_file:show',
+        'projects:issues:edit',
+        'projects:issues:index',
+        'projects:issues:new',
+        'projects:issues:show',
+        'projects:merge_requests:creations:diffs',
+        'projects:merge_requests:creations:new',
+        'projects:merge_requests:edit',
+        'projects:merge_requests:index',
+        'projects:merge_requests:show',
+        'projects:network:show',
+        'projects:show',
+        'projects:tree:show',
+        'groups:show',
+      ];
+
+      if (shortcutHandlerPages.indexOf(page) !== -1) {
+        shortcut_handler = true;
       }
+
       switch (path[0]) {
         case 'admin':
           switch (path[1]) {
diff --git a/app/assets/javascripts/filtered_search/dropdown_user.js b/app/assets/javascripts/filtered_search/dropdown_user.js
index 22421fc4868..d36f38a70b5 100644
--- a/app/assets/javascripts/filtered_search/dropdown_user.js
+++ b/app/assets/javascripts/filtered_search/dropdown_user.js
@@ -14,7 +14,6 @@ export default class DropdownUser extends FilteredSearchDropdown {
         endpoint: `${gon.relative_url_root || ''}/autocomplete/users.json`,
         searchKey: 'search',
         params: {
-          per_page: 20,
           active: true,
           group_id: this.getGroupId(),
           project_id: this.getProjectId(),
diff --git a/app/assets/javascripts/filtered_search/filtered_search_dropdown.js b/app/assets/javascripts/filtered_search/filtered_search_dropdown.js
index cfdd3380fc7..fb4ae1d17dd 100644
--- a/app/assets/javascripts/filtered_search/filtered_search_dropdown.js
+++ b/app/assets/javascripts/filtered_search/filtered_search_dropdown.js
@@ -111,6 +111,9 @@ export default class FilteredSearchDropdown {
 
     if (hook) {
       const data = hook.list.data || [];
+
+      if (!data) return;
+
       const results = data.map((o) => {
         const updated = o;
         updated.droplab_hidden = false;
diff --git a/app/assets/javascripts/gl_dropdown.js b/app/assets/javascripts/gl_dropdown.js
index e322756f256..6cf78bab6ad 100644
--- a/app/assets/javascripts/gl_dropdown.js
+++ b/app/assets/javascripts/gl_dropdown.js
@@ -607,7 +607,20 @@ GitLabDropdown = (function() {
   };
 
   GitLabDropdown.prototype.renderItem = function(data, group, index) {
-    var field, fieldName, html, selected, text, url, value;
+    var field, fieldName, html, selected, text, url, value, rowHidden;
+
+    if (!this.options.renderRow) {
+      value = this.options.id ? this.options.id(data) : data.id;
+
+      if (value) {
+        value = value.toString().replace(/'/g, '\\\'');
+      }
+    }
+
+    // Hide element
+    if (this.options.hideRow && this.options.hideRow(value)) {
+      rowHidden = true;
+    }
     if (group == null) {
       group = false;
     }
@@ -616,6 +629,7 @@ GitLabDropdown = (function() {
       index = false;
     }
     html = document.createElement('li');
+
     if (data === 'divider' || data === 'separator') {
       html.className = data;
       return html;
@@ -631,11 +645,9 @@ GitLabDropdown = (function() {
       html = this.options.renderRow.call(this.options, data, this);
     } else {
       if (!selected) {
-        value = this.options.id ? this.options.id(data) : data.id;
         fieldName = this.options.fieldName;
 
         if (value) {
-          value = value.toString().replace(/'/g, '\\\'');
           field = this.dropdown.parent().find(`input[name='${fieldName}'][value='${value}']`);
           if (field.length) {
             selected = true;
diff --git a/app/assets/javascripts/groups/components/item_stats_value.vue b/app/assets/javascripts/groups/components/item_stats_value.vue
index 08d0bf6e344..4d86ac8023c 100644
--- a/app/assets/javascripts/groups/components/item_stats_value.vue
+++ b/app/assets/javascripts/groups/components/item_stats_value.vue
@@ -30,11 +30,11 @@
         default: 'bottom',
       },
       /**
-      * value could either be number or string
-      * as `memberCount` is always passed as string
-      * while `subgroupCount` & `projectCount`
-      * are always number
-      */
+       * value could either be number or string
+       * as `memberCount` is always passed as string
+       * while `subgroupCount` & `projectCount`
+       * are always number
+       */
       value: {
         type: [Number, String],
         required: false,
diff --git a/app/assets/javascripts/labels_select.js b/app/assets/javascripts/labels_select.js
index dc1930a997f..5de48aa49a9 100644
--- a/app/assets/javascripts/labels_select.js
+++ b/app/assets/javascripts/labels_select.js
@@ -316,9 +316,9 @@ export default class LabelsSelect {
         },
         multiSelect: $dropdown.hasClass('js-multiselect'),
         vue: $dropdown.hasClass('js-issue-board-sidebar'),
-        clicked: function(options) {
-          const { $el, e, isMarking } = options;
-          const label = options.selectedObj;
+        clicked: function (clickEvent) {
+          const { $el, e, isMarking } = clickEvent;
+          const label = clickEvent.selectedObj;
 
           var isIssueIndex, isMRIndex, page, boardsModel;
           var fadeOutLoader = () => {
diff --git a/app/assets/javascripts/lib/utils/common_utils.js b/app/assets/javascripts/lib/utils/common_utils.js
index 7d2cf4b634f..017f3b986fd 100644
--- a/app/assets/javascripts/lib/utils/common_utils.js
+++ b/app/assets/javascripts/lib/utils/common_utils.js
@@ -418,6 +418,16 @@ export const convertObjectPropsToCamelCase = (obj = {}) => {
 
 export const imagePath = imgUrl => `${gon.asset_host || ''}${gon.relative_url_root || ''}/assets/${imgUrl}`;
 
+export const addSelectOnFocusBehaviour = (selector = '.js-select-on-focus') => {
+  // Click a .js-select-on-focus field, select the contents
+  // Prevent a mouseup event from deselecting the input
+  $(selector).on('focusin', function selectOnFocusCallback() {
+    $(this).select().one('mouseup', (e) => {
+      e.preventDefault();
+    });
+  });
+};
+
 window.gl = window.gl || {};
 window.gl.utils = {
   ...(window.gl.utils || {}),
diff --git a/app/assets/javascripts/main.js b/app/assets/javascripts/main.js
index dc9e5bb03f4..659dc9eaa1f 100644
--- a/app/assets/javascripts/main.js
+++ b/app/assets/javascripts/main.js
@@ -10,7 +10,7 @@ window.jQuery = jQuery;
 window.$ = jQuery;
 
 // lib/utils
-import { handleLocationHash } from './lib/utils/common_utils';
+import { handleLocationHash, addSelectOnFocusBehaviour } from './lib/utils/common_utils';
 import { localTimeAgo } from './lib/utils/datetime_utility';
 import { getLocationHash, visitUrl } from './lib/utils/url_utility';
 
@@ -104,13 +104,7 @@ document.addEventListener('DOMContentLoaded', () => {
     return true;
   });
 
-  // Click a .js-select-on-focus field, select the contents
-  // Prevent a mouseup event from deselecting the input
-  $('.js-select-on-focus').on('focusin', function selectOnFocusCallback() {
-    $(this).select().one('mouseup', (e) => {
-      e.preventDefault();
-    });
-  });
+  addSelectOnFocusBehaviour('.js-select-on-focus');
 
   $('.remove-row').on('ajax:success', function removeRowAjaxSuccessCallback() {
     $(this).tooltip('destroy')
diff --git a/app/assets/javascripts/pages/admin/conversational_development_index/show/index.js b/app/assets/javascripts/pages/admin/conversational_development_index/show/index.js
index 6e66ef69fe1..c1056537f90 100644
--- a/app/assets/javascripts/pages/admin/conversational_development_index/show/index.js
+++ b/app/assets/javascripts/pages/admin/conversational_development_index/show/index.js
@@ -1,3 +1,3 @@
-import UserCallout from '../../../../user_callout';
+import UserCallout from '~/user_callout';
 
-export default () => new UserCallout();
+document.addEventListener('DOMContentLoaded', () => new UserCallout());
diff --git a/app/assets/javascripts/pages/admin/groups/edit/index.js b/app/assets/javascripts/pages/admin/groups/edit/index.js
index ff9ef8d2449..d3d125a1859 100644
--- a/app/assets/javascripts/pages/admin/groups/edit/index.js
+++ b/app/assets/javascripts/pages/admin/groups/edit/index.js
@@ -1,3 +1,3 @@
-import groupAvatar from '../../../../group_avatar';
+import groupAvatar from '~/group_avatar';
 
-export default () => groupAvatar();
+document.addEventListener('DOMContentLoaded', groupAvatar);
diff --git a/app/assets/javascripts/pages/admin/groups/new/index.js b/app/assets/javascripts/pages/admin/groups/new/index.js
index fb5c46e4729..21f1ce222ac 100644
--- a/app/assets/javascripts/pages/admin/groups/new/index.js
+++ b/app/assets/javascripts/pages/admin/groups/new/index.js
@@ -2,8 +2,8 @@ import BindInOut from '../../../../behaviors/bind_in_out';
 import Group from '../../../../group';
 import groupAvatar from '../../../../group_avatar';
 
-export default () => {
+document.addEventListener('DOMContentLoaded', () => {
   BindInOut.initAll();
   new Group(); // eslint-disable-line no-new
   groupAvatar();
-};
+});
diff --git a/app/assets/javascripts/pages/admin/impersonation_tokens/index.js b/app/assets/javascripts/pages/admin/impersonation_tokens/index.js
index 030328a1363..78a5c4c27be 100644
--- a/app/assets/javascripts/pages/admin/impersonation_tokens/index.js
+++ b/app/assets/javascripts/pages/admin/impersonation_tokens/index.js
@@ -1,3 +1,3 @@
-import DueDateSelectors from '../../../due_date_select';
+import DueDateSelectors from '~/due_date_select';
 
-export default () => new DueDateSelectors();
+document.addEventListener('DOMContentLoaded', () => new DueDateSelectors());
diff --git a/app/assets/javascripts/pages/ci/lints/create/index.js b/app/assets/javascripts/pages/ci/lints/create/index.js
new file mode 100644
index 00000000000..8e8a843da0b
--- /dev/null
+++ b/app/assets/javascripts/pages/ci/lints/create/index.js
@@ -0,0 +1,3 @@
+import CILintEditor from '../ci_lint_editor';
+
+document.addEventListener('DOMContentLoaded', () => new CILintEditor());
diff --git a/app/assets/javascripts/pages/ci/lints/index.js b/app/assets/javascripts/pages/ci/lints/index.js
deleted file mode 100644
index 5cc66546109..00000000000
--- a/app/assets/javascripts/pages/ci/lints/index.js
+++ /dev/null
@@ -1,3 +0,0 @@
-import CILintEditor from './ci_lint_editor';
-
-export default () => new CILintEditor();
diff --git a/app/assets/javascripts/pages/ci/lints/show/index.js b/app/assets/javascripts/pages/ci/lints/show/index.js
new file mode 100644
index 00000000000..8e8a843da0b
--- /dev/null
+++ b/app/assets/javascripts/pages/ci/lints/show/index.js
@@ -0,0 +1,3 @@
+import CILintEditor from '../ci_lint_editor';
+
+document.addEventListener('DOMContentLoaded', () => new CILintEditor());
diff --git a/app/assets/javascripts/pages/dashboard/groups/index/index.js b/app/assets/javascripts/pages/dashboard/groups/index/index.js
index 9f235ed6a98..79987642796 100644
--- a/app/assets/javascripts/pages/dashboard/groups/index/index.js
+++ b/app/assets/javascripts/pages/dashboard/groups/index/index.js
@@ -1,3 +1,3 @@
 import initGroupsList from '~/groups';
 
-export default initGroupsList;
+document.addEventListener('DOMContentLoaded', initGroupsList);
diff --git a/app/assets/javascripts/pages/groups/activity/index.js b/app/assets/javascripts/pages/groups/activity/index.js
index 95faf1f1e98..1b887cad496 100644
--- a/app/assets/javascripts/pages/groups/activity/index.js
+++ b/app/assets/javascripts/pages/groups/activity/index.js
@@ -1,3 +1,3 @@
 import Activities from '~/activities';
 
-export default () => new Activities();
+document.addEventListener('DOMContentLoaded', () => new Activities());
diff --git a/app/assets/javascripts/pages/groups/edit/index.js b/app/assets/javascripts/pages/groups/edit/index.js
index 1aeec55a4be..d44874c8741 100644
--- a/app/assets/javascripts/pages/groups/edit/index.js
+++ b/app/assets/javascripts/pages/groups/edit/index.js
@@ -1,7 +1,7 @@
 import groupAvatar from '~/group_avatar';
 import TransferDropdown from '~/groups/transfer_dropdown';
 
-export default () => {
+document.addEventListener('DOMContentLoaded', () => {
   groupAvatar();
   new TransferDropdown(); // eslint-disable-line no-new
-};
+});
diff --git a/app/assets/javascripts/pages/groups/group_members/index/index.js b/app/assets/javascripts/pages/groups/group_members/index/index.js
index 29319b97ae2..c22a164cd4e 100644
--- a/app/assets/javascripts/pages/groups/group_members/index/index.js
+++ b/app/assets/javascripts/pages/groups/group_members/index/index.js
@@ -4,8 +4,8 @@ import memberExpirationDate from '~/member_expiration_date';
 import Members from '~/members';
 import UsersSelect from '~/users_select';
 
-export default () => {
+document.addEventListener('DOMContentLoaded', () => {
   memberExpirationDate();
   new Members();
   new UsersSelect();
-};
+});
diff --git a/app/assets/javascripts/pages/groups/labels/edit/index.js b/app/assets/javascripts/pages/groups/labels/edit/index.js
index 72c5e4744ac..fa81ad914ba 100644
--- a/app/assets/javascripts/pages/groups/labels/edit/index.js
+++ b/app/assets/javascripts/pages/groups/labels/edit/index.js
@@ -1,3 +1,3 @@
 import Labels from '~/labels';
 
-export default () => new Labels();
+document.addEventListener('DOMContentLoaded', () => new Labels());
diff --git a/app/assets/javascripts/pages/groups/labels/index/index.js b/app/assets/javascripts/pages/groups/labels/index/index.js
index 018345fa112..6e45de2a724 100644
--- a/app/assets/javascripts/pages/groups/labels/index/index.js
+++ b/app/assets/javascripts/pages/groups/labels/index/index.js
@@ -1,3 +1,3 @@
 import initLabels from '~/init_labels';
 
-export default initLabels;
+document.addEventListener('DOMContentLoaded', initLabels);
diff --git a/app/assets/javascripts/pages/groups/labels/new/index.js b/app/assets/javascripts/pages/groups/labels/new/index.js
index 72c5e4744ac..fa81ad914ba 100644
--- a/app/assets/javascripts/pages/groups/labels/new/index.js
+++ b/app/assets/javascripts/pages/groups/labels/new/index.js
@@ -1,3 +1,3 @@
 import Labels from '~/labels';
 
-export default () => new Labels();
+document.addEventListener('DOMContentLoaded', () => new Labels());
diff --git a/app/assets/javascripts/pages/groups/new/index.js b/app/assets/javascripts/pages/groups/new/index.js
index 7850b90d3d2..b2f275dc5ea 100644
--- a/app/assets/javascripts/pages/groups/new/index.js
+++ b/app/assets/javascripts/pages/groups/new/index.js
@@ -2,8 +2,8 @@ import BindInOut from '~/behaviors/bind_in_out';
 import Group from '~/group';
 import groupAvatar from '~/group_avatar';
 
-export default () => {
+document.addEventListener('DOMContentLoaded', () => {
   BindInOut.initAll();
   new Group(); // eslint-disable-line no-new
   groupAvatar();
-};
+});
diff --git a/app/assets/javascripts/pages/groups/settings/ci_cd/show/index.js b/app/assets/javascripts/pages/groups/settings/ci_cd/show/index.js
index ad79f7e09ac..04a0d8117cc 100644
--- a/app/assets/javascripts/pages/groups/settings/ci_cd/show/index.js
+++ b/app/assets/javascripts/pages/groups/settings/ci_cd/show/index.js
@@ -1,6 +1,6 @@
 import AjaxVariableList from '~/ci_variable_list/ajax_variable_list';
 
-export default () => {
+document.addEventListener('DOMContentLoaded', () => {
   const variableListEl = document.querySelector('.js-ci-variable-list-section');
   // eslint-disable-next-line no-new
   new AjaxVariableList({
@@ -9,4 +9,4 @@ export default () => {
     errorBox: variableListEl.querySelector('.js-ci-variable-error-box'),
     saveEndpoint: variableListEl.dataset.saveEndpoint,
   });
-};
+});
diff --git a/app/assets/javascripts/pages/import/fogbugz/new_user_map/index.js b/app/assets/javascripts/pages/import/fogbugz/new_user_map/index.js
index 5defea104d4..68d4c1f049f 100644
--- a/app/assets/javascripts/pages/import/fogbugz/new_user_map/index.js
+++ b/app/assets/javascripts/pages/import/fogbugz/new_user_map/index.js
@@ -1,3 +1,3 @@
-import UsersSelect from '../../../../users_select';
+import UsersSelect from '~/users_select';
 
-export default () => new UsersSelect();
+document.addEventListener('DOMContentLoaded', () => new UsersSelect());
diff --git a/app/assets/javascripts/pages/profiles/personal_access_tokens/index.js b/app/assets/javascripts/pages/profiles/personal_access_tokens/index.js
index 030328a1363..78a5c4c27be 100644
--- a/app/assets/javascripts/pages/profiles/personal_access_tokens/index.js
+++ b/app/assets/javascripts/pages/profiles/personal_access_tokens/index.js
@@ -1,3 +1,3 @@
-import DueDateSelectors from '../../../due_date_select';
+import DueDateSelectors from '~/due_date_select';
 
-export default () => new DueDateSelectors();
+document.addEventListener('DOMContentLoaded', () => new DueDateSelectors());
diff --git a/app/assets/javascripts/pages/projects/artifacts/browse/index.js b/app/assets/javascripts/pages/projects/artifacts/browse/index.js
index 02456071086..ea7458fe9b8 100644
--- a/app/assets/javascripts/pages/projects/artifacts/browse/index.js
+++ b/app/assets/javascripts/pages/projects/artifacts/browse/index.js
@@ -1,7 +1,7 @@
 import BuildArtifacts from '~/build_artifacts';
 import ShortcutsNavigation from '~/shortcuts_navigation';
 
-export default function () {
+document.addEventListener('DOMContentLoaded', () => {
   new ShortcutsNavigation(); // eslint-disable-line no-new
   new BuildArtifacts(); // eslint-disable-line no-new
-}
+});
diff --git a/app/assets/javascripts/pages/projects/artifacts/file/index.js b/app/assets/javascripts/pages/projects/artifacts/file/index.js
index 4cd67ac76e3..8484e5e9848 100644
--- a/app/assets/javascripts/pages/projects/artifacts/file/index.js
+++ b/app/assets/javascripts/pages/projects/artifacts/file/index.js
@@ -1,7 +1,7 @@
 import BlobViewer from '~/blob/viewer/index';
 import ShortcutsNavigation from '~/shortcuts_navigation';
 
-export default function () {
+document.addEventListener('DOMContentLoaded', () => {
   new ShortcutsNavigation(); // eslint-disable-line no-new
   new BlobViewer(); // eslint-disable-line no-new
-}
+});
diff --git a/app/assets/javascripts/pages/projects/blame/show/index.js b/app/assets/javascripts/pages/projects/blame/show/index.js
index 480357a309c..80d0bff92fa 100644
--- a/app/assets/javascripts/pages/projects/blame/show/index.js
+++ b/app/assets/javascripts/pages/projects/blame/show/index.js
@@ -1,3 +1,3 @@
 import initBlob from '~/pages/projects/init_blob';
 
-export default initBlob;
+document.addEventListener('DOMContentLoaded', initBlob);
diff --git a/app/assets/javascripts/pages/projects/blob/show/index.js b/app/assets/javascripts/pages/projects/blob/show/index.js
index a3eeb1cefb6..26cbb279d4a 100644
--- a/app/assets/javascripts/pages/projects/blob/show/index.js
+++ b/app/assets/javascripts/pages/projects/blob/show/index.js
@@ -1,7 +1,7 @@
 import BlobViewer from '~/blob/viewer/index';
 import initBlob from '~/pages/projects/init_blob';
 
-export default () => {
+document.addEventListener('DOMContentLoaded', () => {
   new BlobViewer(); // eslint-disable-line no-new
   initBlob();
-};
+});
diff --git a/app/assets/javascripts/pages/projects/find_file/show/index.js b/app/assets/javascripts/pages/projects/find_file/show/index.js
index 42bde0ff779..23d857d69ec 100644
--- a/app/assets/javascripts/pages/projects/find_file/show/index.js
+++ b/app/assets/javascripts/pages/projects/find_file/show/index.js
@@ -1,7 +1,7 @@
 import ProjectFindFile from '~/project_find_file';
 import ShortcutsFindFile from '~/shortcuts_find_file';
 
-export default () => {
+document.addEventListener('DOMContentLoaded', () => {
   const findElement = document.querySelector('.js-file-finder');
   const projectFindFile = new ProjectFindFile($('.file-finder-holder'), {
     url: findElement.dataset.fileFindUrl,
@@ -9,4 +9,4 @@ export default () => {
     blobUrlTemplate: findElement.dataset.blobUrlTemplate,
   });
   new ShortcutsFindFile(projectFindFile); // eslint-disable-line no-new
-};
+});
diff --git a/app/assets/javascripts/pages/projects/forks/new/index.js b/app/assets/javascripts/pages/projects/forks/new/index.js
index 7825eb01949..d80e27e9156 100644
--- a/app/assets/javascripts/pages/projects/forks/new/index.js
+++ b/app/assets/javascripts/pages/projects/forks/new/index.js
@@ -1,5 +1,3 @@
 import ProjectFork from '~/project_fork';
 
-export default () => {
-  new ProjectFork(); // eslint-disable-line no-new
-};
+document.addEventListener('DOMContentLoaded', () => new ProjectFork());
diff --git a/app/assets/javascripts/pages/projects/issues/show/index.js b/app/assets/javascripts/pages/projects/issues/show/index.js
index db064e3f801..1e56aa58da2 100644
--- a/app/assets/javascripts/pages/projects/issues/show/index.js
+++ b/app/assets/javascripts/pages/projects/issues/show/index.js
@@ -3,6 +3,7 @@ import Issue from '~/issue';
 import ShortcutsIssuable from '~/shortcuts_issuable';
 import ZenMode from '~/zen_mode';
 import '~/notes/index';
+import '~/issue_show/index';
 
 document.addEventListener('DOMContentLoaded', () => {
   new Issue(); // eslint-disable-line no-new
diff --git a/app/assets/javascripts/pages/projects/labels/edit/index.js b/app/assets/javascripts/pages/projects/labels/edit/index.js
index 72c5e4744ac..fa81ad914ba 100644
--- a/app/assets/javascripts/pages/projects/labels/edit/index.js
+++ b/app/assets/javascripts/pages/projects/labels/edit/index.js
@@ -1,3 +1,3 @@
 import Labels from '~/labels';
 
-export default () => new Labels();
+document.addEventListener('DOMContentLoaded', () => new Labels());
diff --git a/app/assets/javascripts/pages/projects/labels/index/index.js b/app/assets/javascripts/pages/projects/labels/index/index.js
index 018345fa112..6e45de2a724 100644
--- a/app/assets/javascripts/pages/projects/labels/index/index.js
+++ b/app/assets/javascripts/pages/projects/labels/index/index.js
@@ -1,3 +1,3 @@
 import initLabels from '~/init_labels';
 
-export default initLabels;
+document.addEventListener('DOMContentLoaded', initLabels);
diff --git a/app/assets/javascripts/pages/projects/labels/new/index.js b/app/assets/javascripts/pages/projects/labels/new/index.js
index 72c5e4744ac..fa81ad914ba 100644
--- a/app/assets/javascripts/pages/projects/labels/new/index.js
+++ b/app/assets/javascripts/pages/projects/labels/new/index.js
@@ -1,3 +1,3 @@
 import Labels from '~/labels';
 
-export default () => new Labels();
+document.addEventListener('DOMContentLoaded', () => new Labels());
diff --git a/app/assets/javascripts/pages/projects/project.js b/app/assets/javascripts/pages/projects/project.js
index 6e48d207571..d23ad9a92f4 100644
--- a/app/assets/javascripts/pages/projects/project.js
+++ b/app/assets/javascripts/pages/projects/project.js
@@ -50,7 +50,7 @@ export default class Project {
     Project.projectSelectDropdown();
   }
 
-  static projectSelectDropdown () {
+  static projectSelectDropdown() {
     projectSelect();
     $('.project-item-select').on('click', e => Project.changeProject($(e.currentTarget).val()));
   }
diff --git a/app/assets/javascripts/pages/projects/project_members/index.js b/app/assets/javascripts/pages/projects/project_members/index.js
index f4643e7dba0..adbe744290a 100644
--- a/app/assets/javascripts/pages/projects/project_members/index.js
+++ b/app/assets/javascripts/pages/projects/project_members/index.js
@@ -3,10 +3,10 @@ import UsersSelect from '../../../users_select';
 import groupsSelect from '../../../groups_select';
 import Members from '../../../members';
 
-export default () => {
+document.addEventListener('DOMContentLoaded', () => {
   memberExpirationDate('.js-access-expiration-date-groups');
   groupsSelect();
   memberExpirationDate();
   new Members(); // eslint-disable-line no-new
   new UsersSelect(); // eslint-disable-line no-new
-};
+});
diff --git a/app/assets/javascripts/pages/projects/settings/ci_cd/show/index.js b/app/assets/javascripts/pages/projects/settings/ci_cd/show/index.js
index a563d0f9961..6c2a785c0af 100644
--- a/app/assets/javascripts/pages/projects/settings/ci_cd/show/index.js
+++ b/app/assets/javascripts/pages/projects/settings/ci_cd/show/index.js
@@ -2,7 +2,7 @@ import initSettingsPanels from '~/settings_panels';
 import SecretValues from '~/behaviors/secret_values';
 import AjaxVariableList from '~/ci_variable_list/ajax_variable_list';
 
-export default function () {
+document.addEventListener('DOMContentLoaded', () => {
   // Initialize expandable settings panels
   initSettingsPanels();
 
@@ -22,4 +22,4 @@ export default function () {
     errorBox: variableListEl.querySelector('.js-ci-variable-error-box'),
     saveEndpoint: variableListEl.dataset.saveEndpoint,
   });
-}
+});
diff --git a/app/assets/javascripts/pages/projects/settings/repository/show/index.js b/app/assets/javascripts/pages/projects/settings/repository/show/index.js
index 83b5467fbc0..5a6f4138b10 100644
--- a/app/assets/javascripts/pages/projects/settings/repository/show/index.js
+++ b/app/assets/javascripts/pages/projects/settings/repository/show/index.js
@@ -1,3 +1,7 @@
 import initSettingsPanels from '~/settings_panels';
+import initDeployKeys from '~/deploy_keys';
 
-export default initSettingsPanels;
+document.addEventListener('DOMContentLoaded', () => {
+  initDeployKeys();
+  initSettingsPanels();
+});
diff --git a/app/assets/javascripts/pages/projects/tree/show/index.js b/app/assets/javascripts/pages/projects/tree/show/index.js
index f36a7a7139b..ed7d3f1747c 100644
--- a/app/assets/javascripts/pages/projects/tree/show/index.js
+++ b/app/assets/javascripts/pages/projects/tree/show/index.js
@@ -7,7 +7,7 @@ import BlobViewer from '../../../../blob/viewer';
 import NewCommitForm from '../../../../new_commit_form';
 import { ajaxGet } from '../../../../lib/utils/common_utils';
 
-export default () => {
+document.addEventListener('DOMContentLoaded', () => {
   new ShortcutsNavigation(); // eslint-disable-line no-new
   new TreeView(); // eslint-disable-line no-new
   new BlobViewer(); // eslint-disable-line no-new
@@ -35,5 +35,4 @@ export default () => {
       },
     });
   }
-};
-
+});
diff --git a/app/assets/javascripts/pages/search/show/index.js b/app/assets/javascripts/pages/search/show/index.js
index 4264c5c9dbe..85aaaa2c9da 100644
--- a/app/assets/javascripts/pages/search/show/index.js
+++ b/app/assets/javascripts/pages/search/show/index.js
@@ -1,3 +1,3 @@
 import Search from './search';
 
-export default () => new Search();
+document.addEventListener('DOMContentLoaded', () => new Search());
diff --git a/app/assets/javascripts/pipelines/components/async_button.vue b/app/assets/javascripts/pipelines/components/async_button.vue
index a5f22c4ec80..0cdffbde05b 100644
--- a/app/assets/javascripts/pipelines/components/async_button.vue
+++ b/app/assets/javascripts/pipelines/components/async_button.vue
@@ -31,10 +31,14 @@
         type: String,
         required: true,
       },
-      id: {
+      pipelineId: {
         type: Number,
         required: true,
       },
+      type: {
+        type: String,
+        required: true,
+      },
     },
     data() {
       return {
@@ -46,17 +50,27 @@
         return `btn ${this.cssClass}`;
       },
     },
+    created() {
+      // We're using eventHub to listen to the modal here instead of
+      // using props because it would would make the parent components
+      // much more complex to keep track of the loading state of each button
+      eventHub.$on('postAction', this.setLoading);
+    },
+    beforeDestroy() {
+      eventHub.$off('postAction', this.setLoading);
+    },
     methods: {
       onClick() {
-        eventHub.$emit('actionConfirmationModal', {
-          id: this.id,
-          callback: this.makeRequest,
+        eventHub.$emit('openConfirmationModal', {
+          pipelineId: this.pipelineId,
+          endpoint: this.endpoint,
+          type: this.type,
         });
       },
-      makeRequest() {
-        this.isLoading = true;
-
-        eventHub.$emit('postAction', this.endpoint);
+      setLoading(endpoint) {
+        if (endpoint === this.endpoint) {
+          this.isLoading = true;
+        }
       },
     },
   };
diff --git a/app/assets/javascripts/pipelines/components/graph/stage_column_component.vue b/app/assets/javascripts/pipelines/components/graph/stage_column_component.vue
index e027f08ff5c..7adcf4017b8 100644
--- a/app/assets/javascripts/pipelines/components/graph/stage_column_component.vue
+++ b/app/assets/javascripts/pipelines/components/graph/stage_column_component.vue
@@ -7,7 +7,6 @@
       jobComponent,
       dropdownJobComponent,
     },
-
     props: {
       title: {
         type: String,
diff --git a/app/assets/javascripts/pipelines/components/pipelines_table.vue b/app/assets/javascripts/pipelines/components/pipelines_table.vue
index 62fe479fdf4..c9028952ddd 100644
--- a/app/assets/javascripts/pipelines/components/pipelines_table.vue
+++ b/app/assets/javascripts/pipelines/components/pipelines_table.vue
@@ -1,7 +1,8 @@
 <script>
+  import modal from '~/vue_shared/components/modal.vue';
+  import { s__, sprintf } from '~/locale';
   import pipelinesTableRowComponent from './pipelines_table_row.vue';
-  import stopConfirmationModal from './stop_confirmation_modal.vue';
-  import retryConfirmationModal from './retry_confirmation_modal.vue';
+  import eventHub from '../event_hub';
 
   /**
    * Pipelines Table Component.
@@ -11,8 +12,7 @@
   export default {
     components: {
       pipelinesTableRowComponent,
-      stopConfirmationModal,
-      retryConfirmationModal,
+      modal,
     },
     props: {
       pipelines: {
@@ -33,6 +33,52 @@
         required: true,
       },
     },
+    data() {
+      return {
+        pipelineId: '',
+        endpoint: '',
+        type: '',
+      };
+    },
+    computed: {
+      modalTitle() {
+        return this.type === 'stop' ?
+          sprintf(s__('Pipeline|Stop pipeline #%{pipelineId}?'), {
+            pipelineId: `'${this.pipelineId}'`,
+          }, false) :
+          sprintf(s__('Pipeline|Retry pipeline #%{pipelineId}?'), {
+            pipelineId: `'${this.pipelineId}'`,
+          }, false);
+      },
+      modalText() {
+        return this.type === 'stop' ?
+          sprintf(s__('Pipeline|You’re about to stop pipeline %{pipelineId}.'), {
+            pipelineId: `<strong>#${this.pipelineId}</strong>`,
+          }, false) :
+          sprintf(s__('Pipeline|You’re about to retry pipeline %{pipelineId}.'), {
+            pipelineId: `<strong>#${this.pipelineId}</strong>`,
+          }, false);
+      },
+      primaryButtonLabel() {
+        return this.type === 'stop' ? s__('Pipeline|Stop pipeline') : s__('Pipeline|Retry pipeline');
+      },
+    },
+    created() {
+      eventHub.$on('openConfirmationModal', this.setModalData);
+    },
+    beforeDestroy() {
+      eventHub.$off('openConfirmationModal', this.setModalData);
+    },
+    methods: {
+      setModalData(data) {
+        this.pipelineId = data.pipelineId;
+        this.endpoint = data.endpoint;
+        this.type = data.type;
+      },
+      onSubmit() {
+        eventHub.$emit('postAction', this.endpoint);
+      },
+    },
   };
 </script>
 <template>
@@ -74,7 +120,20 @@
       :auto-devops-help-path="autoDevopsHelpPath"
       :view-type="viewType"
     />
-    <stop-confirmation-modal />
-    <retry-confirmation-modal />
+    <modal
+      id="confirmation-modal"
+      :title="modalTitle"
+      :text="modalText"
+      kind="danger"
+      :primary-button-label="primaryButtonLabel"
+      @submit="onSubmit"
+    >
+      <template
+        slot="body"
+        slot-scope="props"
+      >
+        <p v-html="props.text"></p>
+      </template>
+    </modal>
   </div>
 </template>
diff --git a/app/assets/javascripts/pipelines/components/pipelines_table_row.vue b/app/assets/javascripts/pipelines/components/pipelines_table_row.vue
index 0e3a10ed7f4..2ba59051773 100644
--- a/app/assets/javascripts/pipelines/components/pipelines_table_row.vue
+++ b/app/assets/javascripts/pipelines/components/pipelines_table_row.vue
@@ -223,7 +223,8 @@
     <div class="table-section section-10 commit-link">
       <div
         class="table-mobile-header"
-        role="rowheader">
+        role="rowheader"
+      >
         Status
       </div>
       <div class="table-mobile-content">
@@ -305,9 +306,10 @@
           css-class="js-pipelines-retry-button btn-default btn-retry"
           title="Retry"
           icon="repeat"
-          :id="pipeline.id"
+          :pipeline-id="pipeline.id"
           data-toggle="modal"
-          data-target="#retry-confirmation-modal"
+          data-target="#confirmation-modal"
+          type="retry"
         />
 
         <async-button-component
@@ -316,9 +318,10 @@
           css-class="js-pipelines-cancel-button btn-remove"
           title="Cancel"
           icon="close"
-          :id="pipeline.id"
+          :pipeline-id="pipeline.id"
           data-toggle="modal"
-          data-target="#stop-confirmation-modal"
+          data-target="#confirmation-modal"
+          type="stop"
         />
       </div>
     </div>
diff --git a/app/assets/javascripts/pipelines/components/retry_confirmation_modal.vue b/app/assets/javascripts/pipelines/components/retry_confirmation_modal.vue
deleted file mode 100644
index e2ac08d67bc..00000000000
--- a/app/assets/javascripts/pipelines/components/retry_confirmation_modal.vue
+++ /dev/null
@@ -1,65 +0,0 @@
-<script>
-  import modal from '~/vue_shared/components/modal.vue';
-  import { s__, sprintf } from '~/locale';
-  import eventHub from '../event_hub';
-
-  export default {
-    components: {
-      modal,
-    },
-    data() {
-      return {
-        id: '',
-        callback: () => {},
-      };
-    },
-    computed: {
-      title() {
-        return sprintf(s__('Pipeline|Retry pipeline #%{id}?'), {
-          id: `'${this.id}'`,
-        }, false);
-      },
-      text() {
-        return sprintf(s__('Pipeline|You’re about to retry pipeline %{id}.'), {
-          id: `<strong>#${this.id}</strong>`,
-        }, false);
-      },
-      primaryButtonLabel() {
-        return s__('Pipeline|Retry pipeline');
-      },
-    },
-    created() {
-      eventHub.$on('actionConfirmationModal', this.updateModal);
-    },
-    beforeDestroy() {
-      eventHub.$off('actionConfirmationModal', this.updateModal);
-    },
-    methods: {
-      updateModal(action) {
-        this.id = action.id;
-        this.callback = action.callback;
-      },
-      onSubmit() {
-        this.callback();
-      },
-    },
-  };
-</script>
-
-<template>
-  <modal
-    id="retry-confirmation-modal"
-    :title="title"
-    :text="text"
-    kind="danger"
-    :primary-button-label="primaryButtonLabel"
-    @submit="onSubmit"
-  >
-    <template
-      slot="body"
-      slot-scope="props"
-    >
-      <p v-html="props.text"></p>
-    </template>
-  </modal>
-</template>
diff --git a/app/assets/javascripts/pipelines/components/stage.vue b/app/assets/javascripts/pipelines/components/stage.vue
index 58806aa114a..ecf2b10486e 100644
--- a/app/assets/javascripts/pipelines/components/stage.vue
+++ b/app/assets/javascripts/pipelines/components/stage.vue
@@ -50,9 +50,7 @@
 
     computed: {
       dropdownClass() {
-        return this.dropdownContent.length > 0 ?
-          'js-builds-dropdown-container' :
-          'js-builds-dropdown-loading';
+        return this.dropdownContent.length > 0 ? 'js-builds-dropdown-container' : 'js-builds-dropdown-loading';
       },
 
       triggerButtonClass() {
diff --git a/app/assets/javascripts/pipelines/components/stop_confirmation_modal.vue b/app/assets/javascripts/pipelines/components/stop_confirmation_modal.vue
deleted file mode 100644
index d737d567787..00000000000
--- a/app/assets/javascripts/pipelines/components/stop_confirmation_modal.vue
+++ /dev/null
@@ -1,65 +0,0 @@
-<script>
-  import modal from '~/vue_shared/components/modal.vue';
-  import { s__, sprintf } from '~/locale';
-  import eventHub from '../event_hub';
-
-  export default {
-    components: {
-      modal,
-    },
-    data() {
-      return {
-        id: '',
-        callback: () => {},
-      };
-    },
-    computed: {
-      title() {
-        return sprintf(s__('Pipeline|Stop pipeline #%{id}?'), {
-          id: `'${this.id}'`,
-        }, false);
-      },
-      text() {
-        return sprintf(s__('Pipeline|You’re about to stop pipeline %{id}.'), {
-          id: `<strong>#${this.id}</strong>`,
-        }, false);
-      },
-      primaryButtonLabel() {
-        return s__('Pipeline|Stop pipeline');
-      },
-    },
-    created() {
-      eventHub.$on('actionConfirmationModal', this.updateModal);
-    },
-    beforeDestroy() {
-      eventHub.$off('actionConfirmationModal', this.updateModal);
-    },
-    methods: {
-      updateModal(action) {
-        this.id = action.id;
-        this.callback = action.callback;
-      },
-      onSubmit() {
-        this.callback();
-      },
-    },
-  };
-</script>
-
-<template>
-  <modal
-    id="stop-confirmation-modal"
-    :title="title"
-    :text="text"
-    kind="danger"
-    :primary-button-label="primaryButtonLabel"
-    @submit="onSubmit"
-  >
-    <template
-      slot="body"
-      slot-scope="props"
-    >
-      <p v-html="props.text"></p>
-    </template>
-  </modal>
-</template>
diff --git a/app/assets/javascripts/project_find_file.js b/app/assets/javascripts/project_find_file.js
index 586d188350f..4fd639cce8e 100644
--- a/app/assets/javascripts/project_find_file.js
+++ b/app/assets/javascripts/project_find_file.js
@@ -73,7 +73,7 @@ export default class ProjectFindFile {
   // find file
   }
 
-    // files pathes load
+  // files pathes load
   load(url) {
     axios.get(url)
       .then(({ data }) => {
@@ -85,7 +85,7 @@ export default class ProjectFindFile {
       .catch(() => flash(__('An error occurred while loading filenames')));
   }
 
-    // render result
+  // render result
   renderList(filePaths, searchText) {
     var blobItemUrl, filePath, html, i, j, len, matches, results;
     this.element.find(".tree-table > tbody").empty();
diff --git a/app/assets/javascripts/projects/project_new.js b/app/assets/javascripts/projects/project_new.js
index f5133111d04..8da37d14f0b 100644
--- a/app/assets/javascripts/projects/project_new.js
+++ b/app/assets/javascripts/projects/project_new.js
@@ -1,3 +1,5 @@
+import { addSelectOnFocusBehaviour } from '../lib/utils/common_utils';
+
 let hasUserDefinedProjectPath = false;
 
 const deriveProjectPathFromUrl = ($projectImportUrl) => {
@@ -36,6 +38,7 @@ const bindEvents = () => {
   const $changeTemplateBtn = $('.change-template');
   const $selectedIcon = $('.selected-icon svg');
   const $templateProjectNameInput = $('#template-project-name #project_path');
+  const $pushNewProjectTipTrigger = $('.push-new-project-tip');
 
   if ($newProjectForm.length !== 1) {
     return;
@@ -55,6 +58,34 @@ const bindEvents = () => {
     $('.btn_import_gitlab_project').attr('href', `${importHref}?namespace_id=${$('#project_namespace_id').val()}&path=${$projectPath.val()}`);
   });
 
+  if ($pushNewProjectTipTrigger) {
+    $pushNewProjectTipTrigger
+      .removeAttr('rel')
+      .removeAttr('target')
+      .on('click', (e) => { e.preventDefault(); })
+      .popover({
+        title: $pushNewProjectTipTrigger.data('title'),
+        placement: 'auto bottom',
+        html: 'true',
+        content: $('.push-new-project-tip-template').html(),
+      })
+      .on('shown.bs.popover', () => {
+        $(document).on('click.popover touchstart.popover', (event) => {
+          if ($(event.target).closest('.popover').length === 0) {
+            $pushNewProjectTipTrigger.trigger('click');
+          }
+        });
+
+        const target = $(`#${$pushNewProjectTipTrigger.attr('aria-describedby')}`).find('.js-select-on-focus');
+        addSelectOnFocusBehaviour(target);
+
+        target.focus();
+      })
+      .on('hide.bs.popover', () => {
+        $(document).off('click.popover touchstart.popover');
+      });
+  }
+
   function chooseTemplate() {
     $('.template-option').hide();
     $projectFieldsForm.addClass('selected');
diff --git a/app/assets/javascripts/render_gfm.js b/app/assets/javascripts/render_gfm.js
index 5482c55f8bb..05a623ca6d9 100644
--- a/app/assets/javascripts/render_gfm.js
+++ b/app/assets/javascripts/render_gfm.js
@@ -1,6 +1,7 @@
 import renderMath from './render_math';
 import renderMermaid from './render_mermaid';
 import syntaxHighlight from './syntax_highlight';
+
 // Render Gitlab flavoured Markdown
 //
 // Delegates to syntax highlight and render math & mermaid diagrams.
diff --git a/app/assets/javascripts/sidebar/components/lock/lock_issue_sidebar.vue b/app/assets/javascripts/sidebar/components/lock/lock_issue_sidebar.vue
index 9d22b9d77be..0686910fc7e 100644
--- a/app/assets/javascripts/sidebar/components/lock/lock_issue_sidebar.vue
+++ b/app/assets/javascripts/sidebar/components/lock/lock_issue_sidebar.vue
@@ -1,5 +1,5 @@
 <script>
-  import Flash from '../../../flash';
+  import Flash from '~/flash';
   import editForm from './edit_form.vue';
   import issuableMixin from '../../../vue_shared/mixins/issuable';
   import Icon from '../../../vue_shared/components/icon.vue';
@@ -53,8 +53,7 @@
           discussion_locked: locked,
         })
         .then(() => location.reload())
-        .catch(() => Flash(this.__(`Something went wrong trying to
-  change the locked state of this ${this.issuableDisplayName}`)));
+        .catch(() => Flash(this.__(`Something went wrong trying to change the locked state of this ${this.issuableDisplayName}`)));
       },
     },
   };
diff --git a/app/assets/javascripts/users_select.js b/app/assets/javascripts/users_select.js
index 8958534689c..3385aba0279 100644
--- a/app/assets/javascripts/users_select.js
+++ b/app/assets/javascripts/users_select.js
@@ -39,7 +39,6 @@ function UsersSelect(currentUser, els, options = {}) {
       options.showCurrentUser = $dropdown.data('currentUser');
       options.todoFilter = $dropdown.data('todoFilter');
       options.todoStateFilter = $dropdown.data('todoStateFilter');
-      options.perPage = $dropdown.data('perPage');
       showNullUser = $dropdown.data('nullUser');
       defaultNullUser = $dropdown.data('nullUserDefault');
       showMenuAbove = $dropdown.data('showMenuAbove');
@@ -669,7 +668,6 @@ UsersSelect.prototype.users = function(query, options, callback) {
   const url = this.buildUrl(this.usersPath);
   const params = {
     search: query,
-    per_page: options.perPage || 20,
     active: true,
     project_id: options.projectId || null,
     group_id: options.groupId || null,
diff --git a/app/assets/javascripts/vue_merge_request_widget/components/states/mr_widget_rebase.vue b/app/assets/javascripts/vue_merge_request_widget/components/states/mr_widget_rebase.vue
index 2968af0d5cb..e9f23b0b113 100644
--- a/app/assets/javascripts/vue_merge_request_widget/components/states/mr_widget_rebase.vue
+++ b/app/assets/javascripts/vue_merge_request_widget/components/states/mr_widget_rebase.vue
@@ -107,7 +107,8 @@
       <template v-if="!mr.rebaseInProgress && mr.canPushToSourceBranch && !isMakingRequest">
         <div
           class="accept-merge-holder clearfix
-js-toggle-container accept-action media space-children">
+js-toggle-container accept-action media space-children"
+        >
           <button
             type="button"
             class="btn btn-sm btn-reopen btn-success"
diff --git a/app/assets/javascripts/vue_merge_request_widget/mr_widget_options.js b/app/assets/javascripts/vue_merge_request_widget/mr_widget_options.js
index d8f0442ef9d..797f0f6ec0f 100644
--- a/app/assets/javascripts/vue_merge_request_widget/mr_widget_options.js
+++ b/app/assets/javascripts/vue_merge_request_widget/mr_widget_options.js
@@ -96,9 +96,7 @@ export default {
             cb.call(null, data);
           }
         })
-        .catch(() => {
-          new Flash('Something went wrong. Please try again.'); // eslint-disable-line
-        });
+        .catch(() => new Flash('Something went wrong. Please try again.'));
     },
     initPolling() {
       this.pollingInterval = new SmartInterval({
@@ -146,9 +144,7 @@ export default {
             Project.initRefSwitcher();
           }
         })
-        .catch(() => {
-          new Flash('Something went wrong. Please try again.'); // eslint-disable-line
-        });
+        .catch(() => new Flash('Something went wrong. Please try again.'));
     },
     handleNotification(data) {
       if (data.ci_status === this.mr.ciStatus) return;
diff --git a/app/assets/javascripts/vue_merge_request_widget/stores/mr_widget_store.js b/app/assets/javascripts/vue_merge_request_widget/stores/mr_widget_store.js
index ed004b3bb08..9a750ce42bd 100644
--- a/app/assets/javascripts/vue_merge_request_widget/stores/mr_widget_store.js
+++ b/app/assets/javascripts/vue_merge_request_widget/stores/mr_widget_store.js
@@ -4,7 +4,6 @@ import { stateKey } from './state_maps';
 import { formatDate } from '../../lib/utils/datetime_utility';
 
 export default class MergeRequestStore {
-
   constructor(data) {
     this.sha = data.diff_head_sha;
     this.gitlabLogo = data.gitlabLogo;
@@ -169,5 +168,4 @@ export default class MergeRequestStore {
 
     return timeagoInstance.format(date);
   }
-
 }
diff --git a/app/assets/javascripts/vue_shared/components/header_ci_component.vue b/app/assets/javascripts/vue_shared/components/header_ci_component.vue
index 1f72dea1b33..a0cd0cbd200 100644
--- a/app/assets/javascripts/vue_shared/components/header_ci_component.vue
+++ b/app/assets/javascripts/vue_shared/components/header_ci_component.vue
@@ -6,12 +6,12 @@
   import userAvatarImage from './user_avatar/user_avatar_image.vue';
 
   /**
-  * Renders header component for job and pipeline page based on UI mockups
-  *
-  * Used in:
-  * - job show page
-  * - pipeline show page
-  */
+   * Renders header component for job and pipeline page based on UI mockups
+   *
+   * Used in:
+   * - job show page
+   * - pipeline show page
+   */
   export default {
     components: {
       ciIconBadge,
@@ -118,7 +118,8 @@
 
     <section
       class="header-action-buttons"
-      v-if="actions.length">
+      v-if="actions.length"
+    >
       <template
         v-for="(action, i) in actions"
       >
diff --git a/app/assets/javascripts/vue_shared/components/loading_button.vue b/app/assets/javascripts/vue_shared/components/loading_button.vue
index 6ae6b179f7f..e832d94d32f 100644
--- a/app/assets/javascripts/vue_shared/components/loading_button.vue
+++ b/app/assets/javascripts/vue_shared/components/loading_button.vue
@@ -1,6 +1,5 @@
 <script>
   /* eslint-disable vue/require-default-prop */
-
   /* This is a re-usable vue component for rendering a button
     that will probably be sending off ajax requests and need
     to show the loading status by setting the `loading` option.
diff --git a/app/assets/javascripts/vue_shared/components/markdown/header.vue b/app/assets/javascripts/vue_shared/components/markdown/header.vue
index f65eab11a27..177d2cfc8da 100644
--- a/app/assets/javascripts/vue_shared/components/markdown/header.vue
+++ b/app/assets/javascripts/vue_shared/components/markdown/header.vue
@@ -65,7 +65,8 @@
       </li>
       <li
         class="md-header-tab"
-        :class="{ active: previewMarkdown }">
+        :class="{ active: previewMarkdown }"
+      >
         <a
           class="js-preview-link"
           href="#md-preview-holder"
diff --git a/app/assets/javascripts/vue_shared/components/table_pagination.vue b/app/assets/javascripts/vue_shared/components/table_pagination.vue
index c44c606a8b2..22fc5757447 100644
--- a/app/assets/javascripts/vue_shared/components/table_pagination.vue
+++ b/app/assets/javascripts/vue_shared/components/table_pagination.vue
@@ -13,6 +13,12 @@
     props: {
       /**
         This function will take the information given by the pagination component
+
+        Here is an example `change` method:
+
+        change(pagenum) {
+          gl.utils.visitUrl(`?page=${pagenum}`);
+        },
       */
       change: {
         type: Function,
diff --git a/app/assets/stylesheets/framework/buttons.scss b/app/assets/stylesheets/framework/buttons.scss
index c4b046a6d68..6b89387ab5f 100644
--- a/app/assets/stylesheets/framework/buttons.scss
+++ b/app/assets/stylesheets/framework/buttons.scss
@@ -444,6 +444,19 @@
   }
 }
 
+.btn-missing {
+  color: $notes-light-color;
+  border: 1px dashed $border-gray-normal-dashed;
+  border-radius: $border-radius-default;
+
+  &:hover,
+  &:active,
+  &:focus {
+    color: $notes-light-color;
+    background-color: $white-normal;
+  }
+}
+
 .btn-svg svg {
   @include btn-svg;
 }
diff --git a/app/assets/stylesheets/framework/mobile.scss b/app/assets/stylesheets/framework/mobile.scss
index a12f28efce6..8604e753c18 100644
--- a/app/assets/stylesheets/framework/mobile.scss
+++ b/app/assets/stylesheets/framework/mobile.scss
@@ -63,10 +63,6 @@
     }
   }
 
-  .project-stats {
-    display: none;
-  }
-
   .group-buttons {
     display: none;
   }
diff --git a/app/assets/stylesheets/framework/sidebar.scss b/app/assets/stylesheets/framework/sidebar.scss
index d61809cb0a4..d1d98270ad9 100644
--- a/app/assets/stylesheets/framework/sidebar.scss
+++ b/app/assets/stylesheets/framework/sidebar.scss
@@ -3,7 +3,6 @@
   transition: padding $sidebar-transition-duration;
 
   .container-fluid {
-    background: $white-light;
     padding: 0 $gl-padding;
 
     &.container-blank {
diff --git a/app/assets/stylesheets/framework/typography.scss b/app/assets/stylesheets/framework/typography.scss
index d0999e60e65..294c59f037f 100644
--- a/app/assets/stylesheets/framework/typography.scss
+++ b/app/assets/stylesheets/framework/typography.scss
@@ -296,7 +296,7 @@ body {
   line-height: 1.3;
   font-size: 1.25em;
   font-weight: $gl-font-weight-bold;
-  margin: 12px 7px;
+  margin: 12px 0;
 }
 
 h1,
@@ -333,6 +333,10 @@ a > code {
   font-family: $monospace_font;
 }
 
+.weight-normal {
+  font-weight: $gl-font-weight-normal;
+}
+
 .commit-sha,
 .ref-name {
   @extend .monospace;
diff --git a/app/assets/stylesheets/framework/variables.scss b/app/assets/stylesheets/framework/variables.scss
index 54e13f9d95c..a5a8f6d2206 100644
--- a/app/assets/stylesheets/framework/variables.scss
+++ b/app/assets/stylesheets/framework/variables.scss
@@ -215,8 +215,8 @@ $tooltip-font-size: 12px;
  */
 $gl-padding: 16px;
 $gl-padding-8: 8px;
+$gl-padding-4: 4px;
 $gl-col-padding: 15px;
-$gl-btn-padding: 10px;
 $gl-input-padding: 10px;
 $gl-vert-padding: 6px;
 $gl-padding-top: 10px;
@@ -377,6 +377,10 @@ $inactive-badge-background: rgba(0, 0, 0, .08);
 $btn-active-gray: #ececec;
 $btn-active-gray-light: e4e7ed;
 $btn-white-active: #848484;
+$gl-btn-padding: 10px;
+$gl-btn-line-height: 16px;
+$gl-btn-vert-padding: 8px;
+$gl-btn-horz-padding: 12px;
 
 /*
 * Badges
diff --git a/app/assets/stylesheets/pages/projects.scss b/app/assets/stylesheets/pages/projects.scss
index bf41005b6d5..85de0d8e70f 100644
--- a/app/assets/stylesheets/pages/projects.scss
+++ b/app/assets/stylesheets/pages/projects.scss
@@ -678,6 +678,9 @@ a.deploy-project-label {
   }
 }
 
+.project-empty-note-panel {
+  border-bottom: 1px solid $border-color;
+}
 
 .project-stats {
   font-size: 0;
@@ -686,11 +689,13 @@ a.deploy-project-label {
   border-bottom: 1px solid $border-color;
 
   .nav {
-    padding-top: 12px;
-    padding-bottom: 12px;
+    margin-top: $gl-padding-8;
+    margin-bottom: $gl-padding-8;
 
     > li {
       display: inline-block;
+      margin-top: $gl-padding-4;
+      margin-bottom: $gl-padding-4;
 
       &:not(:last-child) {
         margin-right: $gl-padding;
@@ -704,36 +709,32 @@ a.deploy-project-label {
           float: right;
         }
       }
+    }
 
-      > a {
-        padding: 0;
-        background-color: transparent;
-        font-size: 14px;
-        line-height: 29px;
-        color: $notes-light-color;
+    .stat-text,
+    .stat-link {
+      padding: $gl-btn-vert-padding 0;
+      background-color: transparent;
+      font-size: $gl-font-size;
+      line-height: $gl-btn-line-height;
+      color: $notes-light-color;
+    }
 
-        &:hover,
-        &:focus {
-          color: $gl-text-color;
-          text-decoration: underline;
-        }
+    .stat-link {
+      &:hover,
+      &:focus {
+        color: $gl-text-color;
+        text-decoration: underline;
       }
     }
-  }
 
-  li.missing {
-    border: 1px dashed $border-gray-normal-dashed;
-    border-radius: $border-radius-default;
-
-    a {
-      padding-left: 10px;
-      padding-right: 10px;
-      color: $notes-light-color;
-      display: block;
+    .btn {
+      padding: $gl-btn-vert-padding $gl-btn-horz-padding;
+      line-height: $gl-btn-line-height;
     }
 
-    &:hover {
-      background-color: $gray-normal;
+    .btn-missing {
+      @extend .btn-missing;
     }
   }
 }
@@ -743,7 +744,7 @@ pre.light-well {
 }
 
 .git-empty {
-  margin: 0 7px 7px;
+  margin-bottom: 7px;
 
   h5 {
     color: $gl-text-color;
@@ -895,6 +896,12 @@ pre.light-well {
   }
 }
 
+.project-tip-command {
+  > .input-group-btn:first-child {
+    width: auto;
+  }
+}
+
 .protected-branches-list,
 .protected-tags-list {
   margin-bottom: 30px;
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index b04bfaf3e49..e6a41202f04 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -126,10 +126,15 @@ class ApplicationController < ActionController::Base
     Ability.allowed?(object, action, subject)
   end
 
-  def access_denied!
+  def access_denied!(message = nil)
     respond_to do |format|
-      format.json { head :not_found }
-      format.any { render "errors/access_denied", layout: "errors", status: 404 }
+      format.any { head :not_found }
+      format.html do
+        render "errors/access_denied",
+               layout: "errors",
+               status: 404,
+               locals: { message: message }
+      end
     end
   end
 
diff --git a/app/controllers/boards/issues_controller.rb b/app/controllers/boards/issues_controller.rb
index ee23ee0bcc3..352f12a89fd 100644
--- a/app/controllers/boards/issues_controller.rb
+++ b/app/controllers/boards/issues_controller.rb
@@ -55,7 +55,7 @@ module Boards
     end
 
     def issue
-      @issue ||= issues_finder.execute.find(params[:id])
+      @issue ||= issues_finder.find(params[:id])
     end
 
     def filter_params
diff --git a/app/controllers/concerns/controller_with_cross_project_access_check.rb b/app/controllers/concerns/controller_with_cross_project_access_check.rb
new file mode 100644
index 00000000000..a45c3384578
--- /dev/null
+++ b/app/controllers/concerns/controller_with_cross_project_access_check.rb
@@ -0,0 +1,24 @@
+module ControllerWithCrossProjectAccessCheck
+  extend ActiveSupport::Concern
+
+  included do
+    extend Gitlab::CrossProjectAccess::ClassMethods
+    before_action :cross_project_check
+  end
+
+  def cross_project_check
+    if Gitlab::CrossProjectAccess.find_check(self)&.should_run?(self)
+      authorize_cross_project_page!
+    end
+  end
+
+  def authorize_cross_project_page!
+    return if can?(current_user, :read_cross_project)
+
+    rejection_message = _(
+      "This page is unavailable because you are not allowed to read information "\
+      "across multiple projects."
+    )
+    access_denied!(rejection_message)
+  end
+end
diff --git a/app/controllers/concerns/routable_actions.rb b/app/controllers/concerns/routable_actions.rb
index f745deb083c..0931bdf4c04 100644
--- a/app/controllers/concerns/routable_actions.rb
+++ b/app/controllers/concerns/routable_actions.rb
@@ -3,16 +3,20 @@ module RoutableActions
 
   def find_routable!(routable_klass, requested_full_path, extra_authorization_proc: nil)
     routable = routable_klass.find_by_full_path(requested_full_path, follow_redirects: request.get?)
-
     if routable_authorized?(routable, extra_authorization_proc)
       ensure_canonical_path(routable, requested_full_path)
       routable
     else
-      route_not_found
+      handle_not_found_or_authorized(routable)
       nil
     end
   end
 
+  # This is overridden in gitlab-ee.
+  def handle_not_found_or_authorized(_routable)
+    route_not_found
+  end
+
   def routable_authorized?(routable, extra_authorization_proc)
     action = :"read_#{routable.class.to_s.underscore}"
     return false unless can?(current_user, action, routable)
diff --git a/app/controllers/concerns/uploads_actions.rb b/app/controllers/concerns/uploads_actions.rb
index 7ad79a1e56c..3dbfabcae8a 100644
--- a/app/controllers/concerns/uploads_actions.rb
+++ b/app/controllers/concerns/uploads_actions.rb
@@ -24,7 +24,7 @@ module UploadsActions
   #   - or redirect to its URL
   #
   def show
-    return render_404 unless uploader.exists?
+    return render_404 unless uploader&.exists?
 
     if uploader.file_storage?
       disposition = uploader.image_or_video? ? 'inline' : 'attachment'
@@ -71,6 +71,9 @@ module UploadsActions
 
   def build_uploader_from_params
     uploader = uploader_class.new(model, secret: params[:secret])
+
+    return nil unless uploader.model_valid?
+
     uploader.retrieve_from_store!(params[:filename])
     uploader
   end
diff --git a/app/controllers/dashboard/application_controller.rb b/app/controllers/dashboard/application_controller.rb
index 9d3d1c23c28..9fb5c525425 100644
--- a/app/controllers/dashboard/application_controller.rb
+++ b/app/controllers/dashboard/application_controller.rb
@@ -1,6 +1,10 @@
 class Dashboard::ApplicationController < ApplicationController
+  include ControllerWithCrossProjectAccessCheck
+
   layout 'dashboard'
 
+  requires_cross_project_access
+
   private
 
   def projects
diff --git a/app/controllers/dashboard/groups_controller.rb b/app/controllers/dashboard/groups_controller.rb
index 025769f512a..79f563bef86 100644
--- a/app/controllers/dashboard/groups_controller.rb
+++ b/app/controllers/dashboard/groups_controller.rb
@@ -1,6 +1,8 @@
 class Dashboard::GroupsController < Dashboard::ApplicationController
   include GroupTree
 
+  skip_cross_project_access_check :index
+
   def index
     groups = GroupsFinder.new(current_user, all_available: false).execute
     render_group_tree(groups)
diff --git a/app/controllers/dashboard/projects_controller.rb b/app/controllers/dashboard/projects_controller.rb
index de9f8f9224a..4d4ac025f8c 100644
--- a/app/controllers/dashboard/projects_controller.rb
+++ b/app/controllers/dashboard/projects_controller.rb
@@ -4,6 +4,7 @@ class Dashboard::ProjectsController < Dashboard::ApplicationController
 
   before_action :set_non_archived_param
   before_action :default_sorting
+  skip_cross_project_access_check :index, :starred
 
   def index
     @projects = load_projects(params.merge(non_public: true)).page(params[:page])
diff --git a/app/controllers/dashboard/snippets_controller.rb b/app/controllers/dashboard/snippets_controller.rb
index 8dd91264451..0ba97e4fd59 100644
--- a/app/controllers/dashboard/snippets_controller.rb
+++ b/app/controllers/dashboard/snippets_controller.rb
@@ -1,4 +1,6 @@
 class Dashboard::SnippetsController < Dashboard::ApplicationController
+  skip_cross_project_access_check :index
+
   def index
     @snippets = SnippetsFinder.new(
       current_user,
diff --git a/app/controllers/groups/application_controller.rb b/app/controllers/groups/application_controller.rb
index 96ce686c989..4a2bfc1f887 100644
--- a/app/controllers/groups/application_controller.rb
+++ b/app/controllers/groups/application_controller.rb
@@ -1,10 +1,12 @@
 class Groups::ApplicationController < ApplicationController
   include RoutableActions
+  include ControllerWithCrossProjectAccessCheck
 
   layout 'group'
 
   skip_before_action :authenticate_user!
   before_action :group
+  requires_cross_project_access
 
   private
 
diff --git a/app/controllers/groups/avatars_controller.rb b/app/controllers/groups/avatars_controller.rb
index 735915abdaa..cc5ba5878f8 100644
--- a/app/controllers/groups/avatars_controller.rb
+++ b/app/controllers/groups/avatars_controller.rb
@@ -1,6 +1,8 @@
 class Groups::AvatarsController < Groups::ApplicationController
   before_action :authorize_admin_group!
 
+  skip_cross_project_access_check :destroy
+
   def destroy
     @group.remove_avatar!
     @group.save
diff --git a/app/controllers/groups/children_controller.rb b/app/controllers/groups/children_controller.rb
index b474f5d15ee..0e8125d6113 100644
--- a/app/controllers/groups/children_controller.rb
+++ b/app/controllers/groups/children_controller.rb
@@ -1,6 +1,7 @@
 module Groups
   class ChildrenController < Groups::ApplicationController
     before_action :group
+    skip_cross_project_access_check :index
 
     def index
       parent = if params[:parent_id].present?
diff --git a/app/controllers/groups/group_members_controller.rb b/app/controllers/groups/group_members_controller.rb
index 21e77431176..2c371e76313 100644
--- a/app/controllers/groups/group_members_controller.rb
+++ b/app/controllers/groups/group_members_controller.rb
@@ -6,6 +6,10 @@ class Groups::GroupMembersController < Groups::ApplicationController
   # Authorize
   before_action :authorize_admin_group_member!, except: [:index, :leave, :request_access]
 
+  skip_cross_project_access_check :index, :create, :update, :destroy, :request_access,
+                                  :approve_access_request, :leave, :resend_invite,
+                                  :override
+
   def index
     @sort = params[:sort].presence || sort_value_name
     @project = @group.projects.find(params[:project_id]) if params[:project_id]
diff --git a/app/controllers/groups/settings/ci_cd_controller.rb b/app/controllers/groups/settings/ci_cd_controller.rb
index 0142ad8278c..4bf6a2a3ad1 100644
--- a/app/controllers/groups/settings/ci_cd_controller.rb
+++ b/app/controllers/groups/settings/ci_cd_controller.rb
@@ -1,6 +1,7 @@
 module Groups
   module Settings
     class CiCdController < Groups::ApplicationController
+      skip_cross_project_access_check :show
       before_action :authorize_admin_pipeline!
 
       def show
diff --git a/app/controllers/groups/variables_controller.rb b/app/controllers/groups/variables_controller.rb
index 913e13bf734..cb8771bc97e 100644
--- a/app/controllers/groups/variables_controller.rb
+++ b/app/controllers/groups/variables_controller.rb
@@ -2,6 +2,8 @@ module Groups
   class VariablesController < Groups::ApplicationController
     before_action :authorize_admin_build!
 
+    skip_cross_project_access_check :show, :update
+
     def show
       respond_to do |format|
         format.json do
diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index 7d129c5dece..14b9d6c22bd 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -19,6 +19,12 @@ class GroupsController < Groups::ApplicationController
 
   before_action :user_actions, only: [:show, :subgroups]
 
+  skip_cross_project_access_check :index, :new, :create, :edit, :update,
+                                  :destroy, :projects
+  # When loading show as an atom feed, we render events that could leak cross
+  # project information
+  skip_cross_project_access_check :show, if: -> { request.format.html? }
+
   layout :determine_layout
 
   def index
diff --git a/app/controllers/oauth/applications_controller.rb b/app/controllers/oauth/applications_controller.rb
index 6a21a3f77ad..a1fe02dc852 100644
--- a/app/controllers/oauth/applications_controller.rb
+++ b/app/controllers/oauth/applications_controller.rb
@@ -1,5 +1,6 @@
 class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
   include Gitlab::GonHelper
+  include Gitlab::Allowable
   include PageLayoutHelper
   include OauthApplications
 
@@ -8,6 +9,8 @@ class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
   before_action :add_gon_variables
   before_action :load_scopes, only: [:index, :create, :edit]
 
+  helper_method :can?
+
   layout 'profile'
 
   def index
diff --git a/app/controllers/projects/autocomplete_sources_controller.rb b/app/controllers/projects/autocomplete_sources_controller.rb
index 45c66b63ea5..992c8ea6992 100644
--- a/app/controllers/projects/autocomplete_sources_controller.rb
+++ b/app/controllers/projects/autocomplete_sources_controller.rb
@@ -34,9 +34,9 @@ class Projects::AutocompleteSourcesController < Projects::ApplicationController
   def target
     case params[:type]&.downcase
     when 'issue'
-      IssuesFinder.new(current_user, project_id: @project.id).execute.find_by(iid: params[:type_id])
+      IssuesFinder.new(current_user, project_id: @project.id).find_by(iid: params[:type_id])
     when 'mergerequest'
-      MergeRequestsFinder.new(current_user, project_id: @project.id).execute.find_by(iid: params[:type_id])
+      MergeRequestsFinder.new(current_user, project_id: @project.id).find_by(iid: params[:type_id])
     when 'commit'
       @project.commit(params[:type_id])
     end
diff --git a/app/controllers/projects/blob_controller.rb b/app/controllers/projects/blob_controller.rb
index 35e67730a27..74c25505e36 100644
--- a/app/controllers/projects/blob_controller.rb
+++ b/app/controllers/projects/blob_controller.rb
@@ -133,7 +133,7 @@ class Projects::BlobController < Projects::ApplicationController
   end
 
   def after_edit_path
-    from_merge_request = MergeRequestsFinder.new(current_user, project_id: @project.id).execute.find_by(iid: params[:from_merge_request_iid])
+    from_merge_request = MergeRequestsFinder.new(current_user, project_id: @project.id).find_by(iid: params[:from_merge_request_iid])
     if from_merge_request && @branch_name == @ref
       diffs_project_merge_request_path(from_merge_request.target_project, from_merge_request) +
         "##{hexdigest(@path)}"
diff --git a/app/controllers/projects/clusters/gcp_controller.rb b/app/controllers/projects/clusters/gcp_controller.rb
index 0f41af7d87b..6b0b22f8e73 100644
--- a/app/controllers/projects/clusters/gcp_controller.rb
+++ b/app/controllers/projects/clusters/gcp_controller.rb
@@ -40,9 +40,9 @@ class Projects::Clusters::GcpController < Projects::ApplicationController
   def verify_billing
     case google_project_billing_status
     when nil
-      flash[:alert] = _('We could not verify that one of your projects on GCP has billing enabled. Please try again.')
+      flash.now[:alert] = _('We could not verify that one of your projects on GCP has billing enabled. Please try again.')
     when false
-      flash[:alert] = _('Please <a href=%{link_to_billing} target="_blank" rel="noopener noreferrer">enable billing for one of your projects to be able to create a Kubernetes cluster</a>, then try again.').html_safe % { link_to_billing: "https://console.cloud.google.com/freetrial?utm_campaign=2018_cpanel&utm_source=gitlab&utm_medium=referral" }
+      flash.now[:alert] = _('Please <a href=%{link_to_billing} target="_blank" rel="noopener noreferrer">enable billing for one of your projects to be able to create a Kubernetes cluster</a>, then try again.').html_safe % { link_to_billing: "https://console.cloud.google.com/freetrial?utm_campaign=2018_cpanel&utm_source=gitlab&utm_medium=referral" }
     when true
       return
     end
diff --git a/app/controllers/projects/merge_requests/creations_controller.rb b/app/controllers/projects/merge_requests/creations_controller.rb
index a5a2d54ba82..a90030a8312 100644
--- a/app/controllers/projects/merge_requests/creations_controller.rb
+++ b/app/controllers/projects/merge_requests/creations_controller.rb
@@ -75,7 +75,7 @@ class Projects::MergeRequests::CreationsController < Projects::MergeRequests::Ap
   def branch_to
     @target_project = selected_target_project
 
-    if params[:ref].present?
+    if @target_project && params[:ref].present?
       @ref = params[:ref]
       @commit = @target_project.commit(Gitlab::Git::BRANCH_REF_PREFIX + @ref)
     end
@@ -85,7 +85,7 @@ class Projects::MergeRequests::CreationsController < Projects::MergeRequests::Ap
 
   def update_branches
     @target_project = selected_target_project
-    @target_branches = @target_project.repository.branch_names
+    @target_branches = @target_project ? @target_project.repository.branch_names : []
 
     render layout: false
   end
@@ -121,7 +121,7 @@ class Projects::MergeRequests::CreationsController < Projects::MergeRequests::Ap
       @project
     elsif params[:target_project_id].present?
       MergeRequestTargetProjectFinder.new(current_user: current_user, source_project: @project)
-        .execute.find(params[:target_project_id])
+        .find_by(id: params[:target_project_id])
     else
       @project.forked_from_project
     end
diff --git a/app/controllers/projects/pages_domains_controller.rb b/app/controllers/projects/pages_domains_controller.rb
index 15e77d854dc..b71f1e5fef4 100644
--- a/app/controllers/projects/pages_domains_controller.rb
+++ b/app/controllers/projects/pages_domains_controller.rb
@@ -3,7 +3,7 @@ class Projects::PagesDomainsController < Projects::ApplicationController
 
   before_action :require_pages_enabled!
   before_action :authorize_update_pages!, except: [:show]
-  before_action :domain, only: [:show, :destroy]
+  before_action :domain, only: [:show, :destroy, :verify]
 
   def show
   end
@@ -12,11 +12,23 @@ class Projects::PagesDomainsController < Projects::ApplicationController
     @domain = @project.pages_domains.new
   end
 
+  def verify
+    result = VerifyPagesDomainService.new(@domain).execute
+
+    if result[:status] == :success
+      flash[:notice] = 'Successfully verified domain ownership'
+    else
+      flash[:alert] = 'Failed to verify domain ownership'
+    end
+
+    redirect_to project_pages_domain_path(@project, @domain)
+  end
+
   def create
     @domain = @project.pages_domains.create(pages_domain_params)
 
     if @domain.valid?
-      redirect_to project_pages_path(@project)
+      redirect_to project_pages_domain_path(@project, @domain)
     else
       render 'new'
     end
@@ -46,6 +58,6 @@ class Projects::PagesDomainsController < Projects::ApplicationController
   end
 
   def domain
-    @domain ||= @project.pages_domains.find_by(domain: params[:id].to_s)
+    @domain ||= @project.pages_domains.find_by!(domain: params[:id].to_s)
   end
 end
diff --git a/app/controllers/projects/prometheus/metrics_controller.rb b/app/controllers/projects/prometheus/metrics_controller.rb
new file mode 100644
index 00000000000..b739d0f0f90
--- /dev/null
+++ b/app/controllers/projects/prometheus/metrics_controller.rb
@@ -0,0 +1,27 @@
+module Projects
+  module Prometheus
+    class MetricsController < Projects::ApplicationController
+      before_action :authorize_admin_project!
+
+      def active_common
+        respond_to do |format|
+          format.json do
+            matched_metrics = prometheus_service.matched_metrics || {}
+
+            if matched_metrics.any?
+              render json: matched_metrics
+            else
+              head :no_content
+            end
+          end
+        end
+      end
+
+      private
+
+      def prometheus_service
+        @prometheus_service ||= project.find_or_initialize_service('prometheus')
+      end
+    end
+  end
+end
diff --git a/app/controllers/projects/prometheus_controller.rb b/app/controllers/projects/prometheus_controller.rb
deleted file mode 100644
index 507468d7102..00000000000
--- a/app/controllers/projects/prometheus_controller.rb
+++ /dev/null
@@ -1,24 +0,0 @@
-class Projects::PrometheusController < Projects::ApplicationController
-  before_action :authorize_read_project!
-  before_action :require_prometheus_metrics!
-
-  def active_metrics
-    respond_to do |format|
-      format.json do
-        matched_metrics = project.prometheus_service.matched_metrics || {}
-
-        if matched_metrics.any?
-          render json: matched_metrics
-        else
-          head :no_content
-        end
-      end
-    end
-  end
-
-  private
-
-  def require_prometheus_metrics!
-    render_404 unless project.prometheus_service.present?
-  end
-end
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 0370edc6e20..913689a1e74 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -45,7 +45,7 @@ class ProjectsController < Projects::ApplicationController
         notice: _("Project '%{project_name}' was successfully created.") % { project_name: @project.name }
       )
     else
-      render 'new'
+      render 'new', locals: { active_tab: ('import' if project_params[:import_url].present?) }
     end
   end
 
@@ -114,6 +114,8 @@ class ProjectsController < Projects::ApplicationController
     respond_to do |format|
       format.html do
         @notification_setting = current_user.notification_settings_for(@project) if current_user
+        @project = @project.present(current_user: current_user)
+
         render_landing_page
       end
 
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index fbad9ba7db8..983f888b8ec 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -1,9 +1,14 @@
 class SearchController < ApplicationController
-  skip_before_action :authenticate_user!
-
+  include ControllerWithCrossProjectAccessCheck
   include SearchHelper
   include RendersCommits
 
+  skip_before_action :authenticate_user!
+  requires_cross_project_access if: -> do
+    search_term_present = params[:search].present? || params[:term].present?
+    search_term_present && !params[:project_id].present?
+  end
+
   layout 'search'
 
   def show
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 575ec5c20f0..956df4a0a16 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,6 +1,15 @@
 class UsersController < ApplicationController
   include RoutableActions
   include RendersMemberAccess
+  include ControllerWithCrossProjectAccessCheck
+
+  requires_cross_project_access show: false,
+                                groups: false,
+                                projects: false,
+                                contributed: false,
+                                snippets: true,
+                                calendar: false,
+                                calendar_activities: true
 
   skip_before_action :authenticate_user!
   before_action :user, except: [:exists]
@@ -103,12 +112,7 @@ class UsersController < ApplicationController
   end
 
   def load_events
-    # Get user activity feed for projects common for both users
-    @events = user.recent_events
-      .merge(projects_for_current_user)
-      .references(:project)
-      .with_associations
-      .limit_recent(20, params[:offset])
+    @events = UserRecentEventsFinder.new(current_user, user, params).execute
 
     Events::RenderService.new(current_user).execute(@events, atom_request: request.format.atom?)
   end
@@ -141,10 +145,6 @@ class UsersController < ApplicationController
     ).execute.page(params[:page])
   end
 
-  def projects_for_current_user
-    ProjectsFinder.new(current_user: current_user).execute
-  end
-
   def build_canonical_path(user)
     url_for(params.merge(username: user.to_param))
   end
diff --git a/app/finders/autocomplete_users_finder.rb b/app/finders/autocomplete_users_finder.rb
index c3f5358b577..e8a03947f59 100644
--- a/app/finders/autocomplete_users_finder.rb
+++ b/app/finders/autocomplete_users_finder.rb
@@ -1,6 +1,12 @@
 class AutocompleteUsersFinder
+  # The number of users to display in the results is hardcoded to 20, and
+  # pagination is not supported. This ensures that performance remains
+  # consistent and removes the need for implementing keyset pagination to ensure
+  # good performance.
+  LIMIT = 20
+
   attr_reader :current_user, :project, :group, :search, :skip_users,
-              :page, :per_page, :author_id, :params
+              :author_id, :params
 
   def initialize(params:, current_user:, project:, group:)
     @current_user = current_user
@@ -8,8 +14,6 @@ class AutocompleteUsersFinder
     @group = group
     @search = params[:search]
     @skip_users = params[:skip_users]
-    @page = params[:page]
-    @per_page = params[:per_page]
     @author_id = params[:author_id]
     @params = params
   end
@@ -20,7 +24,7 @@ class AutocompleteUsersFinder
     items = items.reorder(:name)
     items = items.search(search) if search.present?
     items = items.where.not(id: skip_users) if skip_users.present?
-    items = items.page(page).per(per_page)
+    items = items.limit(LIMIT)
 
     if params[:todo_filter].present? && current_user
       items = items.todo_authors(current_user.id, params[:todo_state_filter])
@@ -52,9 +56,13 @@ class AutocompleteUsersFinder
   end
 
   def users_from_project
-    user_ids = project.team.users.pluck(:id)
-    user_ids << author_id if author_id.present?
+    if author_id.present?
+      union = Gitlab::SQL::Union
+        .new([project.authorized_users, User.where(id: author_id)])
 
-    User.where(id: user_ids)
+      User.from("(#{union.to_sql}) #{User.table_name}")
+    else
+      project.authorized_users
+    end
   end
 end
diff --git a/app/finders/concerns/finder_methods.rb b/app/finders/concerns/finder_methods.rb
new file mode 100644
index 00000000000..2e905fa5750
--- /dev/null
+++ b/app/finders/concerns/finder_methods.rb
@@ -0,0 +1,51 @@
+module FinderMethods
+  def find_by!(*args)
+    raise_not_found_unless_authorized execute.find_by!(*args)
+  end
+
+  def find_by(*args)
+    if_authorized execute.find_by(*args)
+  end
+
+  def find(*args)
+    raise_not_found_unless_authorized model.find(*args)
+  end
+
+  private
+
+  def raise_not_found_unless_authorized(result)
+    result = if_authorized(result)
+
+    raise ActiveRecord::RecordNotFound.new("Couldn't find #{model}") unless result
+
+    result
+  end
+
+  def if_authorized(result)
+    # Return the result if the finder does not perform authorization checks.
+    # this is currently the case in the `MilestoneFinder`
+    return result unless respond_to?(:current_user)
+
+    if can_read_object?(result)
+      result
+    else
+      nil
+    end
+  end
+
+  def can_read_object?(object)
+    # When there's no policy, we'll allow the read, this is for example the case
+    # for Todos
+    return true unless DeclarativePolicy.has_policy?(object)
+
+    model_name = object&.model_name || model.model_name
+
+    Ability.allowed?(current_user, :"read_#{model_name.singular}", object)
+  end
+
+  # This fetches the model from the `ActiveRecord::Relation` but does not
+  # actually execute the query.
+  def model
+    execute.model
+  end
+end
diff --git a/app/finders/concerns/finder_with_cross_project_access.rb b/app/finders/concerns/finder_with_cross_project_access.rb
new file mode 100644
index 00000000000..92bf98d7cd2
--- /dev/null
+++ b/app/finders/concerns/finder_with_cross_project_access.rb
@@ -0,0 +1,70 @@
+# Module to prepend into finders to specify wether or not the finder requires
+# cross project access
+#
+# This module depends on the finder implementing the following methods:
+#
+# - `#execute` should return an `ActiveRecord::Relation`
+# - `#current_user` the user that requires access (or nil)
+module FinderWithCrossProjectAccess
+  extend ActiveSupport::Concern
+  extend ::Gitlab::Utils::Override
+
+  prepended do
+    extend Gitlab::CrossProjectAccess::ClassMethods
+  end
+
+  override :execute
+  def execute(*args)
+    check = Gitlab::CrossProjectAccess.find_check(self)
+    original = super
+
+    return original unless check
+    return original if should_skip_cross_project_check || can_read_cross_project?
+
+    if check.should_run?(self)
+      original.model.none
+    else
+      original
+    end
+  end
+
+  # We can skip the cross project check for finding indivitual records.
+  # this would be handled by the `can?(:read_*, result)` call in `FinderMethods`
+  # itself.
+  override :find_by!
+  def find_by!(*args)
+    skip_cross_project_check { super }
+  end
+
+  override :find_by
+  def find_by(*args)
+    skip_cross_project_check { super }
+  end
+
+  override :find
+  def find(*args)
+    skip_cross_project_check { super }
+  end
+
+  private
+
+  attr_accessor :should_skip_cross_project_check
+
+  def skip_cross_project_check
+    self.should_skip_cross_project_check = true
+
+    yield
+  ensure
+    # The find could raise an `ActiveRecord::RecordNotFound`, after which we
+    # still want to re-enable the check.
+    self.should_skip_cross_project_check = false
+  end
+
+  def can_read_cross_project?
+    Ability.allowed?(current_user, :read_cross_project)
+  end
+
+  def can_read_project?(project)
+    Ability.allowed?(current_user, :read_project, project)
+  end
+end
diff --git a/app/finders/events_finder.rb b/app/finders/events_finder.rb
index 46ecbaba73a..8676925a540 100644
--- a/app/finders/events_finder.rb
+++ b/app/finders/events_finder.rb
@@ -1,6 +1,10 @@
 class EventsFinder
+  prepend FinderMethods
+  prepend FinderWithCrossProjectAccess
   attr_reader :source, :params, :current_user
 
+  requires_cross_project_access unless: -> { source.is_a?(Project) }
+
   # Used to filter Events
   #
   # Arguments:
diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index 384a336e2bb..9dd6634b38f 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -21,8 +21,12 @@
 #     my_reaction_emoji: string
 #
 class IssuableFinder
+  prepend FinderWithCrossProjectAccess
+  include FinderMethods
   include CreatedAtFilter
 
+  requires_cross_project_access unless: -> { project? }
+
   NONE = '0'.freeze
 
   attr_accessor :current_user, :params
@@ -87,14 +91,6 @@ class IssuableFinder
     by_my_reaction_emoji(items)
   end
 
-  def find(*params)
-    execute.find(*params)
-  end
-
-  def find_by(*params)
-    execute.find_by(*params)
-  end
-
   def row_count
     Gitlab::IssuablesCountForState.new(self).for_state_or_opened(params[:state])
   end
@@ -124,10 +120,6 @@ class IssuableFinder
     counts
   end
 
-  def find_by!(*params)
-    execute.find_by!(*params)
-  end
-
   def group
     return @group if defined?(@group)
 
diff --git a/app/finders/labels_finder.rb b/app/finders/labels_finder.rb
index 1427cdaa382..f013e177c5b 100644
--- a/app/finders/labels_finder.rb
+++ b/app/finders/labels_finder.rb
@@ -1,6 +1,10 @@
 class LabelsFinder < UnionFinder
+  prepend FinderWithCrossProjectAccess
+  include FinderMethods
   include Gitlab::Utils::StrongMemoize
 
+  requires_cross_project_access unless: -> { project? }
+
   def initialize(current_user, params = {})
     @current_user = current_user
     @params = params
diff --git a/app/finders/merge_request_target_project_finder.rb b/app/finders/merge_request_target_project_finder.rb
index 189eb3847eb..f358938344e 100644
--- a/app/finders/merge_request_target_project_finder.rb
+++ b/app/finders/merge_request_target_project_finder.rb
@@ -1,4 +1,6 @@
 class MergeRequestTargetProjectFinder
+  include FinderMethods
+
   attr_reader :current_user, :source_project
 
   def initialize(current_user: nil, source_project:)
diff --git a/app/finders/milestones_finder.rb b/app/finders/milestones_finder.rb
index b4605fca193..f5d2b9f253a 100644
--- a/app/finders/milestones_finder.rb
+++ b/app/finders/milestones_finder.rb
@@ -8,6 +8,8 @@
 #   state - filters by state.
 
 class MilestonesFinder
+  include FinderMethods
+
   attr_reader :params, :project_ids, :group_ids
 
   def initialize(params = {})
diff --git a/app/finders/snippets_finder.rb b/app/finders/snippets_finder.rb
index ec61fe1892e..a73c573736e 100644
--- a/app/finders/snippets_finder.rb
+++ b/app/finders/snippets_finder.rb
@@ -13,7 +13,9 @@
 # params are optional
 class SnippetsFinder < UnionFinder
   include Gitlab::Allowable
-  attr_accessor :current_user, :params, :project
+  include FinderMethods
+
+  attr_accessor :current_user, :project, :params
 
   def initialize(current_user, params = {})
     @current_user = current_user
@@ -52,10 +54,14 @@ class SnippetsFinder < UnionFinder
   end
 
   def authorized_snippets
-    Snippet.where(feature_available_projects.or(not_project_related)).public_or_visible_to_user(current_user)
+    Snippet.where(feature_available_projects.or(not_project_related))
+      .public_or_visible_to_user(current_user)
   end
 
   def feature_available_projects
+    # Don't return any project related snippets if the user cannot read cross project
+    return table[:id].eq(nil) unless Ability.allowed?(current_user, :read_cross_project)
+
     projects = Project.public_or_visible_to_user(current_user, use_where_in: false) do |part|
       part.with_feature_available_for_user(:snippets, current_user)
     end.select(:id)
diff --git a/app/finders/todos_finder.rb b/app/finders/todos_finder.rb
index 3502bf08971..edb17843002 100644
--- a/app/finders/todos_finder.rb
+++ b/app/finders/todos_finder.rb
@@ -13,6 +13,11 @@
 #
 
 class TodosFinder
+  prepend FinderWithCrossProjectAccess
+  include FinderMethods
+
+  requires_cross_project_access unless: -> { project? }
+
   NONE = '0'.freeze
 
   attr_accessor :current_user, :params
diff --git a/app/finders/user_recent_events_finder.rb b/app/finders/user_recent_events_finder.rb
new file mode 100644
index 00000000000..6f7f7c30d92
--- /dev/null
+++ b/app/finders/user_recent_events_finder.rb
@@ -0,0 +1,33 @@
+# Get user activity feed for projects common for a user and a logged in user
+#
+# - current_user: The user viewing the events
+# - user: The user for which to load the events
+# - params:
+#   - offset: The page of events to return
+class UserRecentEventsFinder
+  prepend FinderWithCrossProjectAccess
+  include FinderMethods
+
+  requires_cross_project_access
+
+  attr_reader :current_user, :target_user, :params
+
+  def initialize(current_user, target_user, params = {})
+    @current_user = current_user
+    @target_user = target_user
+    @params = params
+  end
+
+  def execute
+    target_user
+      .recent_events
+      .merge(projects_for_current_user)
+      .references(:project)
+      .with_associations
+      .limit_recent(20, params[:offset])
+  end
+
+  def projects_for_current_user
+    ProjectsFinder.new(current_user: current_user).execute
+  end
+end
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index a6011eb9f30..475341cf9b1 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -34,7 +34,7 @@ module ApplicationHelper
 
   def project_icon(project_id, options = {})
     project =
-      if project_id.is_a?(Project)
+      if project_id.respond_to?(:avatar_url)
         project_id
       else
         Project.find_by_full_path(project_id)
diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index e293b3ef329..ab68ecad2ba 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -199,6 +199,7 @@ module ApplicationSettingsHelper
       :metrics_port,
       :metrics_sample_interval,
       :metrics_timeout,
+      :pages_domain_verification_enabled,
       :password_authentication_enabled_for_web,
       :password_authentication_enabled_for_git,
       :performance_bar_allowed_group_id,
diff --git a/app/helpers/branches_helper.rb b/app/helpers/branches_helper.rb
index 2641a98e29e..00b9a0e00eb 100644
--- a/app/helpers/branches_helper.rb
+++ b/app/helpers/branches_helper.rb
@@ -10,12 +10,6 @@ module BranchesHelper
     project_branches_path(@project, @id, options)
   end
 
-  def can_push_branch?(project, branch_name)
-    return false unless project.repository.branch_exists?(branch_name)
-
-    ::Gitlab::UserAccess.new(current_user, project: project).can_push_to_branch?(branch_name)
-  end
-
   def project_branches
     options_for_select(@project.repository.branch_names, @project.default_branch)
   end
diff --git a/app/helpers/dashboard_helper.rb b/app/helpers/dashboard_helper.rb
index c25b54eadc6..19aa55a8d49 100644
--- a/app/helpers/dashboard_helper.rb
+++ b/app/helpers/dashboard_helper.rb
@@ -6,4 +6,28 @@ module DashboardHelper
   def assigned_mrs_dashboard_path
     merge_requests_dashboard_path(assignee_id: current_user.id)
   end
+
+  def dashboard_nav_links
+    @dashboard_nav_links ||= get_dashboard_nav_links
+  end
+
+  def dashboard_nav_link?(link)
+    dashboard_nav_links.include?(link)
+  end
+
+  def any_dashboard_nav_link?(links)
+    links.any? { |link| dashboard_nav_link?(link) }
+  end
+
+  private
+
+  def get_dashboard_nav_links
+    links = [:projects, :groups, :snippets]
+
+    if can?(current_user, :read_cross_project)
+      links += [:activity, :milestones]
+    end
+
+    links
+  end
 end
diff --git a/app/helpers/explore_helper.rb b/app/helpers/explore_helper.rb
index b981a1e8242..f062a91a166 100644
--- a/app/helpers/explore_helper.rb
+++ b/app/helpers/explore_helper.rb
@@ -25,8 +25,24 @@ module ExploreHelper
     controller.class.name.split("::").first == "Explore"
   end
 
+  def explore_nav_links
+    @explore_nav_links ||= get_explore_nav_links
+  end
+
+  def explore_nav_link?(link)
+    explore_nav_links.include?(link)
+  end
+
+  def any_explore_nav_link?(links)
+    links.any? { |link| explore_nav_link?(link) }
+  end
+
   private
 
+  def get_explore_nav_links
+    [:projects, :groups, :snippets]
+  end
+
   def request_path_with_options(options = {})
     request.path + "?#{options.to_param}"
   end
diff --git a/app/helpers/groups_helper.rb b/app/helpers/groups_helper.rb
index 23de3590b93..5fbaa17c40e 100644
--- a/app/helpers/groups_helper.rb
+++ b/app/helpers/groups_helper.rb
@@ -3,6 +3,14 @@ module GroupsHelper
     %w[groups#projects groups#edit ci_cd#show ldap_group_links#index hooks#index audit_events#index pipeline_quota#index]
   end
 
+  def group_sidebar_links
+    @group_sidebar_links ||= get_group_sidebar_links
+  end
+
+  def group_sidebar_link?(link)
+    group_sidebar_links.include?(link)
+  end
+
   def can_change_group_visibility_level?(group)
     can?(current_user, :change_visibility_level, group)
   end
@@ -107,6 +115,20 @@ module GroupsHelper
 
   private
 
+  def get_group_sidebar_links
+    links = [:overview, :group_members]
+
+    if can?(current_user, :read_cross_project)
+      links += [:activity, :issues, :labels, :milestones, :merge_requests]
+    end
+
+    if can?(current_user, :admin_group, @group)
+      links << :settings
+    end
+
+    links
+  end
+
   def group_title_link(group, hidable: false, show_avatar: false, for_dropdown: false)
     link_to(group_path(group), class: "group-path #{'breadcrumb-item-text' unless for_dropdown} js-breadcrumb-item-text #{'hidable' if hidable}") do
       output =
diff --git a/app/helpers/issues_helper.rb b/app/helpers/issues_helper.rb
index 64cd3032780..0f25d401406 100644
--- a/app/helpers/issues_helper.rb
+++ b/app/helpers/issues_helper.rb
@@ -47,27 +47,6 @@ module IssuesHelper
     end
   end
 
-  def milestone_options(object)
-    milestones = object.project.milestones.active.reorder(due_date: :asc, title: :asc).to_a
-    milestones.unshift(object.milestone) if object.milestone.present? && object.milestone.closed?
-    milestones.unshift(Milestone::None)
-
-    options_from_collection_for_select(milestones, 'id', 'title', object.milestone_id)
-  end
-
-  def project_options(issuable, current_user, ability: :read_project)
-    projects = current_user.authorized_projects.order_id_desc
-    projects = projects.select do |project|
-      current_user.can?(ability, project)
-    end
-
-    no_project = OpenStruct.new(id: 0, name_with_namespace: 'No project')
-    projects.unshift(no_project)
-    projects.delete(issuable.project)
-
-    options_from_collection_for_select(projects, :id, :name_with_namespace)
-  end
-
   def status_box_class(item)
     if item.try(:expired?)
       'status-box-expired'
diff --git a/app/helpers/nav_helper.rb b/app/helpers/nav_helper.rb
index 680ea96a556..56c88e6eab0 100644
--- a/app/helpers/nav_helper.rb
+++ b/app/helpers/nav_helper.rb
@@ -1,4 +1,12 @@
 module NavHelper
+  def header_links
+    @header_links ||= get_header_links
+  end
+
+  def header_link?(link)
+    header_links.include?(link)
+  end
+
   def page_with_sidebar_class
     class_name = page_gutter_class
     class_name << 'page-with-contextual-sidebar' if defined?(@left_sidebar) && @left_sidebar
@@ -38,4 +46,28 @@ module NavHelper
 
     class_names
   end
+
+  private
+
+  def get_header_links
+    links = if current_user
+              [:user_dropdown]
+            else
+              [:sign_in]
+            end
+
+    if can?(current_user, :read_cross_project)
+      links += [:issues, :merge_requests, :todos] if current_user.present?
+    end
+
+    if @project&.persisted? || can?(current_user, :read_cross_project)
+      links << :search
+    end
+
+    if session[:impersonator_id]
+      links << :admin_impersonation
+    end
+
+    links
+  end
 end
diff --git a/app/helpers/preferences_helper.rb b/app/helpers/preferences_helper.rb
index aaee6eaeedd..373dfd457f7 100644
--- a/app/helpers/preferences_helper.rb
+++ b/app/helpers/preferences_helper.rb
@@ -48,30 +48,4 @@ module PreferencesHelper
   def user_color_scheme
     Gitlab::ColorSchemes.for_user(current_user).css_class
   end
-
-  def default_project_view
-    return anonymous_project_view unless current_user
-
-    user_view = current_user.project_view
-
-    if can?(current_user, :download_code, @project)
-      user_view
-    elsif user_view == "activity"
-      "activity"
-    elsif can?(current_user, :read_wiki, @project)
-      "wiki"
-    elsif @project.feature_available?(:issues, current_user)
-      "projects/issues/issues"
-    else
-      "customize_workflow"
-    end
-  end
-
-  def anonymous_project_view
-    if !@project.empty_repo? && can?(current_user, :download_code, @project)
-      'files'
-    else
-      'activity'
-    end
-  end
 end
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index b97b72d62c3..cc1c69a1999 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -153,11 +153,6 @@ module ProjectsHelper
     end
   end
 
-  def license_short_name(project)
-    license = project.repository.license
-    license&.nickname || license&.name || 'LICENSE'
-  end
-
   def last_push_event
     current_user&.recent_push(@project)
   end
@@ -213,6 +208,7 @@ module ProjectsHelper
       controller.controller_name,
       controller.action_name,
       Gitlab::CurrentSettings.cache_key,
+      "cross-project:#{can?(current_user, :read_cross_project)}",
       'v2.5'
     ]
 
@@ -265,6 +261,17 @@ module ProjectsHelper
     !!(params[:personal] || params[:name] || any_projects?(projects))
   end
 
+  def push_to_create_project_command(user = current_user)
+    repository_url =
+      if Gitlab::CurrentSettings.current_application_settings.enabled_git_access_protocol == 'http'
+        user_url(user)
+      else
+        Gitlab.config.gitlab_shell.ssh_path_prefix + user.username
+      end
+
+    "git push --set-upstream #{repository_url}/$(git rev-parse --show-toplevel | xargs basename).git $(git rev-parse --abbrev-ref HEAD)"
+  end
+
   private
 
   def repo_children_classes(field)
@@ -390,55 +397,6 @@ module ProjectsHelper
     end
   end
 
-  def add_special_file_path(project, file_name:, commit_message: nil, branch_name: nil, context: nil)
-    commit_message ||= s_("CommitMessage|Add %{file_name}") % { file_name: file_name }
-    project_new_blob_path(
-      project,
-      project.default_branch || 'master',
-      file_name:      file_name,
-      commit_message: commit_message,
-      branch_name: branch_name,
-      context: context
-    )
-  end
-
-  def add_koding_stack_path(project)
-    project_new_blob_path(
-      project,
-      project.default_branch || 'master',
-      file_name:      '.koding.yml',
-      commit_message: "Add Koding stack script",
-      content: <<-CONTENT.strip_heredoc
-        provider:
-          aws:
-            access_key: '${var.aws_access_key}'
-            secret_key: '${var.aws_secret_key}'
-        resource:
-          aws_instance:
-            #{project.path}-vm:
-              instance_type: t2.nano
-              user_data: |-
-
-                # Created by GitLab UI for :>
-
-                echo _KD_NOTIFY_@Installing Base packages...@
-
-                apt-get update -y
-                apt-get install git -y
-
-                echo _KD_NOTIFY_@Cloning #{project.name}...@
-
-                export KODING_USER=${var.koding_user_username}
-                export REPO_URL=#{root_url}${var.koding_queryString_repo}.git
-                export BRANCH=${var.koding_queryString_branch}
-
-                sudo -i -u $KODING_USER git clone $REPO_URL -b $BRANCH
-
-                echo _KD_NOTIFY_@#{project.name} cloned.@
-      CONTENT
-    )
-  end
-
   def koding_project_url(project = nil, branch = nil, sha = nil)
     if project
       import_path = "/Home/Stacks/import"
@@ -455,36 +413,6 @@ module ProjectsHelper
     Gitlab::CurrentSettings.koding_url
   end
 
-  def contribution_guide_path(project)
-    if project && contribution_guide = project.repository.contribution_guide
-      project_blob_path(
-        project,
-        tree_join(project.default_branch,
-                  contribution_guide.name)
-      )
-    end
-  end
-
-  def readme_path(project)
-    filename_path(project, :readme)
-  end
-
-  def changelog_path(project)
-    filename_path(project, :changelog)
-  end
-
-  def license_path(project)
-    filename_path(project, :license_blob)
-  end
-
-  def version_path(project)
-    filename_path(project, :version)
-  end
-
-  def ci_configuration_path(project)
-    filename_path(project, :gitlab_ci_yml)
-  end
-
   def project_wiki_path_with_version(proj, page, version, is_newest)
     url_params = is_newest ? {} : { version_id: version }
     project_wiki_path(proj, page, url_params)
@@ -510,15 +438,6 @@ module ProjectsHelper
     @ref || @repository.try(:root_ref)
   end
 
-  def filename_path(project, filename)
-    if project && blob = project.repository.public_send(filename) # rubocop:disable GitlabSecurity/PublicSend
-      project_blob_path(
-        project,
-        tree_join(project.default_branch, blob.name)
-      )
-    end
-  end
-
   def sanitize_repo_path(project, message)
     return '' unless message.present?
 
@@ -608,4 +527,8 @@ module ProjectsHelper
 
     project_find_file_path(@project, ref)
   end
+
+  def can_show_last_commit_in_list?(project)
+    can?(current_user, :read_cross_project) && project.commit
+  end
 end
diff --git a/app/helpers/tree_helper.rb b/app/helpers/tree_helper.rb
index d39cac0f510..f5733b4b57c 100644
--- a/app/helpers/tree_helper.rb
+++ b/app/helpers/tree_helper.rb
@@ -55,7 +55,9 @@ module TreeHelper
   def tree_edit_branch(project = @project, ref = @ref)
     return unless can_edit_tree?(project, ref)
 
-    if can_push_branch?(project, ref)
+    project = project.present(current_user: current_user)
+
+    if project.can_current_user_push_to_branch?(ref)
       ref
     else
       project = tree_edit_project(project)
diff --git a/app/helpers/users_helper.rb b/app/helpers/users_helper.rb
index b5f54d3e154..01af68088df 100644
--- a/app/helpers/users_helper.rb
+++ b/app/helpers/users_helper.rb
@@ -14,4 +14,18 @@ module UsersHelper
       content_tag(:strong) { user.unconfirmed_email } + h('.') +
       content_tag(:p) { confirmation_link }
   end
+
+  def profile_tabs
+    @profile_tabs ||= get_profile_tabs
+  end
+
+  def profile_tab?(tab)
+    profile_tabs.include?(tab)
+  end
+
+  private
+
+  def get_profile_tabs
+    [:activity, :groups, :contributed, :projects, :snippets]
+  end
 end
diff --git a/app/mailers/emails/pages_domains.rb b/app/mailers/emails/pages_domains.rb
new file mode 100644
index 00000000000..0027dfdc36b
--- /dev/null
+++ b/app/mailers/emails/pages_domains.rb
@@ -0,0 +1,43 @@
+module Emails
+  module PagesDomains
+    def pages_domain_enabled_email(domain, recipient)
+      @domain = domain
+      @project = domain.project
+
+      mail(
+        to: recipient.notification_email,
+        subject: subject("GitLab Pages domain '#{domain.domain}' has been enabled")
+      )
+    end
+
+    def pages_domain_disabled_email(domain, recipient)
+      @domain = domain
+      @project = domain.project
+
+      mail(
+        to: recipient.notification_email,
+        subject: subject("GitLab Pages domain '#{domain.domain}' has been disabled")
+      )
+    end
+
+    def pages_domain_verification_succeeded_email(domain, recipient)
+      @domain = domain
+      @project = domain.project
+
+      mail(
+        to: recipient.notification_email,
+        subject: subject("Verification succeeded for GitLab Pages domain '#{domain.domain}'")
+      )
+    end
+
+    def pages_domain_verification_failed_email(domain, recipient)
+      @domain = domain
+      @project = domain.project
+
+      mail(
+        to: recipient.notification_email,
+        subject: subject("ACTION REQUIRED: Verification failed for GitLab Pages domain '#{domain.domain}'")
+      )
+    end
+  end
+end
diff --git a/app/mailers/notify.rb b/app/mailers/notify.rb
index eade0fe278f..45d4fb451d8 100644
--- a/app/mailers/notify.rb
+++ b/app/mailers/notify.rb
@@ -5,6 +5,7 @@ class Notify < BaseMailer
   include Emails::Issues
   include Emails::MergeRequests
   include Emails::Notes
+  include Emails::PagesDomains
   include Emails::Projects
   include Emails::Profile
   include Emails::Pipelines
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 0b6bcbde5d9..6dae49f38dc 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -22,12 +22,30 @@ class Ability
     #
     # issues - The issues to reduce down to those readable by the user.
     # user - The User for which to check the issues
-    def issues_readable_by_user(issues, user = nil)
+    # filters - A hash of abilities and filters to apply if the user lacks this
+    #           ability
+    def issues_readable_by_user(issues, user = nil, filters: {})
+      issues = apply_filters_if_needed(issues, user, filters)
+
       DeclarativePolicy.user_scope do
         issues.select { |issue| issue.visible_to_user?(user) }
       end
     end
 
+    # Returns an Array of MergeRequests that can be read by the given user.
+    #
+    # merge_requests - MRs out of which to collect mr's readable by the user.
+    # user - The User for which to check the merge_requests
+    # filters - A hash of abilities and filters to apply if the user lacks this
+    #           ability
+    def merge_requests_readable_by_user(merge_requests, user = nil, filters: {})
+      merge_requests = apply_filters_if_needed(merge_requests, user, filters)
+
+      DeclarativePolicy.user_scope do
+        merge_requests.select { |mr| allowed?(user, :read_merge_request, mr) }
+      end
+    end
+
     def can_edit_note?(user, note)
       allowed?(user, :edit_note, note)
     end
@@ -53,5 +71,15 @@ class Ability
       cache = RequestStore.active? ? RequestStore : {}
       DeclarativePolicy.policy_for(user, subject, cache: cache)
     end
+
+    private
+
+    def apply_filters_if_needed(elements, user, filters)
+      filters.each do |ability, filter|
+        elements = filter.call(elements) unless allowed?(user, ability)
+      end
+
+      elements
+    end
   end
 end
diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb
index ee987949080..b230b7f47ef 100644
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -467,7 +467,7 @@ module Ci
 
       if cache && project.jobs_cache_index
         cache = cache.merge(
-          key: "#{cache[:key]}_#{project.jobs_cache_index}")
+          key: "#{cache[:key]}-#{project.jobs_cache_index}")
       end
 
       [cache]
diff --git a/app/models/ci/pipeline.rb b/app/models/ci/pipeline.rb
index 2abe90dd181..a72a815bfe8 100644
--- a/app/models/ci/pipeline.rb
+++ b/app/models/ci/pipeline.rb
@@ -13,7 +13,7 @@ module Ci
     belongs_to :pipeline_schedule, class_name: 'Ci::PipelineSchedule'
 
     has_many :stages
-    has_many :statuses, class_name: 'CommitStatus', foreign_key: :commit_id
+    has_many :statuses, class_name: 'CommitStatus', foreign_key: :commit_id, inverse_of: :pipeline
     has_many :builds, foreign_key: :commit_id
     has_many :trigger_requests, dependent: :destroy, foreign_key: :commit_id # rubocop:disable Cop/ActiveRecordDependent
     has_many :variables, class_name: 'Ci::PipelineVariable'
diff --git a/app/models/concerns/protected_ref_access.rb b/app/models/concerns/protected_ref_access.rb
index 80c9f7d4eb4..bfda5b1678b 100644
--- a/app/models/concerns/protected_ref_access.rb
+++ b/app/models/concerns/protected_ref_access.rb
@@ -35,6 +35,7 @@ module ProtectedRefAccess
   def check_access(user)
     return true if user.admin?
 
-    project.team.max_member_access(user.id) >= access_level
+    user.can?(:push_code, project) &&
+      project.team.max_member_access(user.id) >= access_level
   end
 end
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 93628b456f2..c81f7e52bb1 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -159,7 +159,18 @@ class Issue < ActiveRecord::Base
       object.all_references(current_user, extractor: ext)
     end
 
-    ext.merge_requests.sort_by(&:iid)
+    merge_requests = ext.merge_requests.sort_by(&:iid)
+
+    cross_project_filter = -> (merge_requests) do
+      merge_requests.select { |mr| mr.target_project == project }
+    end
+
+    Ability.merge_requests_readable_by_user(
+      merge_requests, current_user,
+      filters: {
+        read_cross_project: cross_project_filter
+      }
+    )
   end
 
   # All branches containing the current issue's ID, except for
diff --git a/app/models/notification_recipient.rb b/app/models/notification_recipient.rb
index 472b348a545..fd70e920c7e 100644
--- a/app/models/notification_recipient.rb
+++ b/app/models/notification_recipient.rb
@@ -85,6 +85,7 @@ class NotificationRecipient
       return false unless user.can?(:receive_notifications)
       return true if @skip_read_ability
 
+      return false if @target && !user.can?(:read_cross_project)
       return false if @project && !user.can?(:read_project, @project)
 
       return true unless read_ability
diff --git a/app/models/pages_domain.rb b/app/models/pages_domain.rb
index d8bf54e0c40..588bd50ed77 100644
--- a/app/models/pages_domain.rb
+++ b/app/models/pages_domain.rb
@@ -1,10 +1,14 @@
 class PagesDomain < ActiveRecord::Base
+  VERIFICATION_KEY = 'gitlab-pages-verification-code'.freeze
+  VERIFICATION_THRESHOLD = 3.days.freeze
+
   belongs_to :project
 
   validates :domain, hostname: { allow_numeric_hostname: true }
   validates :domain, uniqueness: { case_sensitive: false }
   validates :certificate, certificate: true, allow_nil: true, allow_blank: true
   validates :key, certificate_key: true, allow_nil: true, allow_blank: true
+  validates :verification_code, presence: true, allow_blank: false
 
   validate :validate_pages_domain
   validate :validate_matching_key, if: ->(domain) { domain.certificate.present? || domain.key.present? }
@@ -16,10 +20,32 @@ class PagesDomain < ActiveRecord::Base
     key: Gitlab::Application.secrets.db_key_base,
     algorithm: 'aes-256-cbc'
 
+  after_initialize :set_verification_code
   after_create :update_daemon
-  after_save :update_daemon
+  after_update :update_daemon, if: :pages_config_changed?
   after_destroy :update_daemon
 
+  scope :enabled, -> { where('enabled_until >= ?', Time.now ) }
+  scope :needs_verification, -> do
+    verified_at = arel_table[:verified_at]
+    enabled_until = arel_table[:enabled_until]
+    threshold = Time.now + VERIFICATION_THRESHOLD
+
+    where(verified_at.eq(nil).or(enabled_until.eq(nil).or(enabled_until.lt(threshold))))
+  end
+
+  def verified?
+    !!verified_at
+  end
+
+  def unverified?
+    !verified?
+  end
+
+  def enabled?
+    !Gitlab::CurrentSettings.pages_domain_verification_enabled? || enabled_until.present?
+  end
+
   def to_param
     domain
   end
@@ -84,12 +110,49 @@ class PagesDomain < ActiveRecord::Base
     @certificate_text ||= x509.try(:to_text)
   end
 
+  # Verification codes may be TXT records for domain or verification_domain, to
+  # support the use of CNAME records on domain.
+  def verification_domain
+    return unless domain.present?
+
+    "_#{VERIFICATION_KEY}.#{domain}"
+  end
+
+  def keyed_verification_code
+    return unless verification_code.present?
+
+    "#{VERIFICATION_KEY}=#{verification_code}"
+  end
+
   private
 
+  def set_verification_code
+    return if self.verification_code.present?
+
+    self.verification_code = SecureRandom.hex(16)
+  end
+
   def update_daemon
     ::Projects::UpdatePagesConfigurationService.new(project).execute
   end
 
+  def pages_config_changed?
+    project_id_changed? ||
+      domain_changed? ||
+      certificate_changed? ||
+      key_changed? ||
+      became_enabled? ||
+      became_disabled?
+  end
+
+  def became_enabled?
+    enabled_until.present? && !enabled_until_was.present?
+  end
+
+  def became_disabled?
+    !enabled_until.present? && enabled_until_was.present?
+  end
+
   def validate_matching_key
     unless has_matching_key?
       self.errors.add(:key, "doesn't match the certificate")
diff --git a/app/models/project.rb b/app/models/project.rb
index 79058d51af8..ba278a49688 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -15,6 +15,7 @@ class Project < ActiveRecord::Base
   include ValidAttribute
   include ProjectFeaturesCompatibility
   include SelectForProjectAuthorization
+  include Presentable
   include Routable
   include GroupDescendant
   include Gitlab::SQL::Pattern
@@ -1036,6 +1037,9 @@ class Project < ActiveRecord::Base
   end
 
   def user_can_push_to_empty_repo?(user)
+    return false unless empty_repo?
+    return false unless Ability.allowed?(user, :push_code, self)
+
     !ProtectedBranch.default_branch_protected? || team.max_member_access(user.id) > Gitlab::Access::DEVELOPER
   end
 
diff --git a/app/models/project_services/prometheus_service.rb b/app/models/project_services/prometheus_service.rb
index 1bb576ff971..58731451429 100644
--- a/app/models/project_services/prometheus_service.rb
+++ b/app/models/project_services/prometheus_service.rb
@@ -69,16 +69,16 @@ class PrometheusService < MonitoringService
     client.ping
 
     { success: true, result: 'Checked API endpoint' }
-  rescue Gitlab::PrometheusError => err
+  rescue Gitlab::PrometheusClient::Error => err
     { success: false, result: err }
   end
 
   def environment_metrics(environment)
-    with_reactive_cache(Gitlab::Prometheus::Queries::EnvironmentQuery.name, environment.id, &method(:rename_data_to_metrics))
+    with_reactive_cache(Gitlab::Prometheus::Queries::EnvironmentQuery.name, environment.id, &rename_field(:data, :metrics))
   end
 
   def deployment_metrics(deployment)
-    metrics = with_reactive_cache(Gitlab::Prometheus::Queries::DeploymentQuery.name, deployment.environment.id, deployment.id, &method(:rename_data_to_metrics))
+    metrics = with_reactive_cache(Gitlab::Prometheus::Queries::DeploymentQuery.name, deployment.environment.id, deployment.id, &rename_field(:data, :metrics))
     metrics&.merge(deployment_time: deployment.created_at.to_i) || {}
   end
 
@@ -107,7 +107,7 @@ class PrometheusService < MonitoringService
       data: data,
       last_update: Time.now.utc
     }
-  rescue Gitlab::PrometheusError => err
+  rescue Gitlab::PrometheusClient::Error => err
     { success: false, result: err.message }
   end
 
@@ -116,10 +116,10 @@ class PrometheusService < MonitoringService
       Gitlab::PrometheusClient.new(RestClient::Resource.new(api_url))
     else
       cluster = cluster_with_prometheus(environment_id)
-      raise Gitlab::PrometheusError, "couldn't find cluster with Prometheus installed" unless cluster
+      raise Gitlab::PrometheusClient::Error, "couldn't find cluster with Prometheus installed" unless cluster
 
       rest_client = client_from_cluster(cluster)
-      raise Gitlab::PrometheusError, "couldn't create proxy Prometheus client" unless rest_client
+      raise Gitlab::PrometheusClient::Error, "couldn't create proxy Prometheus client" unless rest_client
 
       Gitlab::PrometheusClient.new(rest_client)
     end
@@ -152,9 +152,11 @@ class PrometheusService < MonitoringService
     cluster.application_prometheus.proxy_client
   end
 
-  def rename_data_to_metrics(metrics)
-    metrics[:metrics] = metrics.delete :data
-    metrics
+  def rename_field(old_field, new_field)
+    -> (metrics) do
+      metrics[new_field] = metrics.delete(old_field)
+      metrics
+    end
   end
 
   def synchronize_service_state!
diff --git a/app/models/user.rb b/app/models/user.rb
index f5eeba27572..8610ca27b7f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -327,8 +327,8 @@ class User < ActiveRecord::Base
       SQL
 
       where(
-        fuzzy_arel_match(:name, query)
-          .or(fuzzy_arel_match(:username, query))
+        fuzzy_arel_match(:name, query, lower_exact_match: true)
+          .or(fuzzy_arel_match(:username, query, lower_exact_match: true))
           .or(arel_table[:email].eq(query))
       ).reorder(order % { query: ActiveRecord::Base.connection.quote(query) }, :name)
     end
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 8fa7b2753c7..603218aa6df 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -15,4 +15,7 @@ class BasePolicy < DeclarativePolicy::Base
   condition(:restricted_public_level, scope: :global) do
     Gitlab::CurrentSettings.current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
   end
+
+  # This is prevented in some cases in `gitlab-ee`
+  rule { default }.enable :read_cross_project
 end
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index f0aa16d2ecf..3f6d7d04667 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -3,6 +3,19 @@ class IssuablePolicy < BasePolicy
 
   condition(:locked, scope: :subject, score: 0) { @subject.discussion_locked? }
 
+  # We aren't checking `:read_issue` or `:read_merge_request` in this case
+  # because it could be possible for a user to see an issuable-iid
+  # (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be allowed
+  # to read the actual issue after a more expensive `:read_issue` check.
+  #
+  # `:read_issue` & `:read_issue_iid` could diverge in gitlab-ee.
+  condition(:visible_to_user, score: 4) do
+    Project.where(id: @subject.project)
+      .public_or_visible_to_user(@user)
+      .with_feature_available_for_user(@subject, @user)
+      .any?
+  end
+
   condition(:is_project_member) { @user && @subject.project && @subject.project.team.member?(@user) }
 
   desc "User is the assignee or author"
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index bd2d417b2a8..ed499511999 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -13,7 +13,10 @@ class IssuePolicy < IssuablePolicy
 
   rule { confidential & ~can_read_confidential }.policy do
     prevent :read_issue
+    prevent :read_issue_iid
     prevent :update_issue
     prevent :admin_issue
   end
+
+  rule { can?(:read_issue) | visible_to_user }.enable :read_issue_iid
 end
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index bc3afc626fb..e003376d219 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -1,3 +1,3 @@
 class MergeRequestPolicy < IssuablePolicy
-  # pass
+  rule { can?(:read_merge_request) | visible_to_user }.enable :read_merge_request_iid
 end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 61a7bf02675..3b0550b4dd6 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -80,8 +80,9 @@ class ProjectPolicy < BasePolicy
   rule { reporter }.enable :reporter_access
   rule { developer }.enable :developer_access
   rule { master }.enable :master_access
+  rule { owner | admin }.enable :owner_access
 
-  rule { owner | admin }.policy do
+  rule { can?(:owner_access) }.policy do
     enable :guest_access
     enable :reporter_access
     enable :developer_access
@@ -98,11 +99,6 @@ class ProjectPolicy < BasePolicy
     enable :remove_pages
   end
 
-  rule { owner | reporter }.policy do
-    enable :build_download_code
-    enable :build_read_container_image
-  end
-
   rule { can?(:guest_access) }.policy do
     enable :read_project
     enable :read_board
@@ -121,6 +117,11 @@ class ProjectPolicy < BasePolicy
     enable :read_cycle_analytics
   end
 
+  # These abilities are not allowed to admins that are not members of the project,
+  # that's why they are defined separatly.
+  rule { guest & can?(:download_code) }.enable :build_download_code
+  rule { guest & can?(:read_container_image) }.enable :build_read_container_image
+
   rule { can?(:reporter_access) }.policy do
     enable :download_code
     enable :download_wiki_code
@@ -140,12 +141,19 @@ class ProjectPolicy < BasePolicy
     enable :read_merge_request
   end
 
+  # We define `:public_user_access` separately because there are cases in gitlab-ee
+  # where we enable or prevent it based on other coditions.
   rule { (~anonymous & public_project) | internal_access }.policy do
     enable :public_user_access
   end
 
   rule { can?(:public_user_access) }.policy do
+    enable :public_access
     enable :guest_access
+
+    enable :fork_project
+    enable :build_download_code
+    enable :build_read_container_image
     enable :request_access
   end
 
@@ -196,14 +204,6 @@ class ProjectPolicy < BasePolicy
     enable :create_cluster
   end
 
-  rule { can?(:public_user_access) }.policy do
-    enable :public_access
-
-    enable :fork_project
-    enable :build_download_code
-    enable :build_read_container_image
-  end
-
   rule { archived }.policy do
     prevent :create_merge_request
     prevent :push_code
diff --git a/app/presenters/project_presenter.rb b/app/presenters/project_presenter.rb
new file mode 100644
index 00000000000..484ac64580d
--- /dev/null
+++ b/app/presenters/project_presenter.rb
@@ -0,0 +1,338 @@
+class ProjectPresenter < Gitlab::View::Presenter::Delegated
+  include ActionView::Helpers::NumberHelper
+  include ActionView::Helpers::UrlHelper
+  include GitlabRoutingHelper
+  include StorageHelper
+  include TreeHelper
+  include Gitlab::Utils::StrongMemoize
+
+  presents :project
+
+  def statistics_anchors(show_auto_devops_callout:)
+    [
+      files_anchor_data,
+      commits_anchor_data,
+      branches_anchor_data,
+      tags_anchor_data,
+      readme_anchor_data,
+      changelog_anchor_data,
+      license_anchor_data,
+      contribution_guide_anchor_data,
+      gitlab_ci_anchor_data,
+      autodevops_anchor_data(show_auto_devops_callout: show_auto_devops_callout),
+      kubernetes_cluster_anchor_data
+    ].compact.select { |item| item.enabled }
+  end
+
+  def statistics_buttons(show_auto_devops_callout:)
+    [
+      changelog_anchor_data,
+      license_anchor_data,
+      contribution_guide_anchor_data,
+      autodevops_anchor_data(show_auto_devops_callout: show_auto_devops_callout),
+      kubernetes_cluster_anchor_data,
+      gitlab_ci_anchor_data,
+      koding_anchor_data
+    ].compact.reject { |item| item.enabled }
+  end
+
+  def empty_repo_statistics_anchors
+    [
+      autodevops_anchor_data,
+      kubernetes_cluster_anchor_data
+    ].compact.select { |item| item.enabled }
+  end
+
+  def empty_repo_statistics_buttons
+    [
+      new_file_anchor_data,
+      readme_anchor_data,
+      license_anchor_data,
+      autodevops_anchor_data,
+      kubernetes_cluster_anchor_data
+    ].compact.reject { |item| item.enabled }
+  end
+
+  def default_view
+    return anonymous_project_view unless current_user
+
+    user_view = current_user.project_view
+
+    if can?(current_user, :download_code, project)
+      user_view
+    elsif user_view == "activity"
+      "activity"
+    elsif can?(current_user, :read_wiki, project)
+      "wiki"
+    elsif feature_available?(:issues, current_user)
+      "projects/issues/issues"
+    else
+      "customize_workflow"
+    end
+  end
+
+  def readme_path
+    filename_path(:readme)
+  end
+
+  def changelog_path
+    filename_path(:changelog)
+  end
+
+  def license_path
+    filename_path(:license_blob)
+  end
+
+  def ci_configuration_path
+    filename_path(:gitlab_ci_yml)
+  end
+
+  def contribution_guide_path
+    if project && contribution_guide = repository.contribution_guide
+      project_blob_path(
+        project,
+        tree_join(project.default_branch,
+                  contribution_guide.name)
+      )
+    end
+  end
+
+  def add_license_path
+    add_special_file_path(file_name: 'LICENSE')
+  end
+
+  def add_changelog_path
+    add_special_file_path(file_name: 'CHANGELOG')
+  end
+
+  def add_contribution_guide_path
+    add_special_file_path(file_name: 'CONTRIBUTING.md', commit_message: 'Add contribution guide')
+  end
+
+  def add_ci_yml_path
+    add_special_file_path(file_name: '.gitlab-ci.yml')
+  end
+
+  def add_readme_path
+    add_special_file_path(file_name: 'README.md')
+  end
+
+  def add_koding_stack_path
+    project_new_blob_path(
+      project,
+      default_branch || 'master',
+      file_name:      '.koding.yml',
+      commit_message: "Add Koding stack script",
+      content: <<-CONTENT.strip_heredoc
+        provider:
+          aws:
+            access_key: '${var.aws_access_key}'
+            secret_key: '${var.aws_secret_key}'
+        resource:
+          aws_instance:
+            #{project.path}-vm:
+              instance_type: t2.nano
+              user_data: |-
+
+                # Created by GitLab UI for :>
+
+                echo _KD_NOTIFY_@Installing Base packages...@
+
+                apt-get update -y
+                apt-get install git -y
+
+                echo _KD_NOTIFY_@Cloning #{project.name}...@
+
+                export KODING_USER=${var.koding_user_username}
+                export REPO_URL=#{root_url}${var.koding_queryString_repo}.git
+                export BRANCH=${var.koding_queryString_branch}
+
+                sudo -i -u $KODING_USER git clone $REPO_URL -b $BRANCH
+
+                echo _KD_NOTIFY_@#{project.name} cloned.@
+      CONTENT
+    )
+  end
+
+  def license_short_name
+    license = repository.license
+    license&.nickname || license&.name || 'LICENSE'
+  end
+
+  def can_current_user_push_code?
+    strong_memoize(:can_current_user_push_code) do
+      if empty_repo?
+        can?(current_user, :push_code, project)
+      else
+        can_current_user_push_to_branch?(default_branch)
+      end
+    end
+  end
+
+  def can_current_user_push_to_branch?(branch)
+    return false unless repository.branch_exists?(branch)
+
+    ::Gitlab::UserAccess.new(current_user, project: project).can_push_to_branch?(branch)
+  end
+
+  def files_anchor_data
+    OpenStruct.new(enabled: true,
+                   label: _('Files (%{human_size})') % { human_size: storage_counter(statistics.total_repository_size) },
+                   link: project_tree_path(project))
+  end
+
+  def commits_anchor_data
+    OpenStruct.new(enabled: true,
+                   label: n_('Commit (%{commit_count})', 'Commits (%{commit_count})', statistics.commit_count) % { commit_count: number_with_delimiter(statistics.commit_count) },
+                   link: project_commits_path(project, repository.root_ref))
+  end
+
+  def branches_anchor_data
+    OpenStruct.new(enabled: true,
+                   label: n_('Branch (%{branch_count})', 'Branches (%{branch_count})', repository.branch_count) % { branch_count: number_with_delimiter(repository.branch_count) },
+                   link: project_branches_path(project))
+  end
+
+  def tags_anchor_data
+    OpenStruct.new(enabled: true,
+                   label: n_('Tag (%{tag_count})', 'Tags (%{tag_count})', repository.tag_count) % { tag_count: number_with_delimiter(repository.tag_count) },
+                   link: project_tags_path(project))
+  end
+
+  def new_file_anchor_data
+    if current_user && can_current_user_push_code?
+      OpenStruct.new(enabled: false,
+                     label: _('New file'),
+                     link: project_new_blob_path(project, default_branch || 'master'),
+                     class_modifier: 'new')
+    end
+  end
+
+  def readme_anchor_data
+    if current_user && can_current_user_push_code? && repository.readme.blank?
+      OpenStruct.new(enabled: false,
+                     label: _('Add Readme'),
+                     link: add_readme_path)
+    elsif repository.readme.present?
+      OpenStruct.new(enabled: true,
+                     label: _('Readme'),
+                     link: default_view != 'readme' ? readme_path : '#readme')
+    end
+  end
+
+  def changelog_anchor_data
+    if current_user && can_current_user_push_code? && repository.changelog.blank?
+      OpenStruct.new(enabled: false,
+                     label: _('Add Changelog'),
+                     link: add_changelog_path)
+    elsif repository.changelog.present?
+      OpenStruct.new(enabled: true,
+                     label: _('Changelog'),
+                     link: changelog_path)
+    end
+  end
+
+  def license_anchor_data
+    if current_user && can_current_user_push_code? && repository.license_blob.blank?
+      OpenStruct.new(enabled: false,
+                     label: _('Add License'),
+                     link: add_license_path)
+    elsif repository.license_blob.present?
+      OpenStruct.new(enabled: true,
+                     label: license_short_name,
+                     link: license_path)
+    end
+  end
+
+  def contribution_guide_anchor_data
+    if current_user && can_current_user_push_code? && repository.contribution_guide.blank?
+      OpenStruct.new(enabled: false,
+                     label: _('Add Contribution guide'),
+                     link: add_contribution_guide_path)
+    elsif repository.contribution_guide.present?
+      OpenStruct.new(enabled: true,
+                     label: _('Contribution guide'),
+                     link: contribution_guide_path)
+    end
+  end
+
+  def autodevops_anchor_data(show_auto_devops_callout: false)
+    if current_user && can?(current_user, :admin_pipeline, project) && repository.gitlab_ci_yml.blank? && !show_auto_devops_callout
+      OpenStruct.new(enabled: auto_devops_enabled?,
+                     label: auto_devops_enabled? ? _('Auto DevOps enabled') : _('Enable Auto DevOps'),
+                     link: project_settings_ci_cd_path(project, anchor: 'js-general-pipeline-settings'))
+    elsif auto_devops_enabled?
+      OpenStruct.new(enabled: true,
+                     label: _('Auto DevOps enabled'),
+                     link: nil)
+    end
+  end
+
+  def kubernetes_cluster_anchor_data
+    if current_user && can?(current_user, :create_cluster, project)
+      cluster_link = clusters.count == 1 ? project_cluster_path(project, clusters.first) : project_clusters_path(project)
+
+      if clusters.empty?
+        cluster_link = new_project_cluster_path(project)
+      end
+
+      OpenStruct.new(enabled: !clusters.empty?,
+                     label: clusters.empty? ? _('Add Kubernetes cluster') : _('Kubernetes configured'),
+                     link: cluster_link)
+    end
+  end
+
+  def gitlab_ci_anchor_data
+    if current_user && can_current_user_push_code? && repository.gitlab_ci_yml.blank? && !auto_devops_enabled?
+      OpenStruct.new(enabled: false,
+                     label: _('Set up CI/CD'),
+                     link: add_ci_yml_path)
+    elsif repository.gitlab_ci_yml.present?
+      OpenStruct.new(enabled: true,
+                     label: _('CI/CD configuration'),
+                     link: ci_configuration_path)
+    end
+  end
+
+  def koding_anchor_data
+    if current_user && can_current_user_push_code? && koding_enabled? && repository.koding_yml.blank?
+      OpenStruct.new(enabled: false,
+                     label: _('Set up Koding'),
+                     link: add_koding_stack_path)
+    end
+  end
+
+  private
+
+  def filename_path(filename)
+    if blob = repository.public_send(filename) # rubocop:disable GitlabSecurity/PublicSend
+      project_blob_path(
+        project,
+        tree_join(default_branch, blob.name)
+      )
+    end
+  end
+
+  def anonymous_project_view
+    if !project.empty_repo? && can?(current_user, :download_code, project)
+      'files'
+    else
+      'activity'
+    end
+  end
+
+  def add_special_file_path(file_name:, commit_message: nil, branch_name: nil)
+    commit_message ||= s_("CommitMessage|Add %{file_name}") % { file_name: file_name }
+    project_new_blob_path(
+      project,
+      project.default_branch || 'master',
+      file_name:      file_name,
+      commit_message: commit_message,
+      branch_name:    branch_name
+    )
+  end
+
+  def koding_enabled?
+    Gitlab::CurrentSettings.koding_enabled?
+  end
+end
diff --git a/app/serializers/group_child_entity.rb b/app/serializers/group_child_entity.rb
index aca4e4ca488..15ec0f89bb2 100644
--- a/app/serializers/group_child_entity.rb
+++ b/app/serializers/group_child_entity.rb
@@ -11,9 +11,7 @@ class GroupChildEntity < Grape::Entity
   end
 
   expose :can_edit do |instance|
-    return false unless request.respond_to?(:current_user)
-
-    can?(request.current_user, "admin_#{type}", instance)
+    can_edit?
   end
 
   expose :edit_path do |instance|
@@ -83,4 +81,17 @@ class GroupChildEntity < Grape::Entity
   def markdown_description
     markdown_field(object, :description)
   end
+
+  def can_edit?
+    return false unless request.respond_to?(:current_user)
+
+    if project?
+      # Avoid checking rights for each project, as it might be expensive if the
+      # user cannot read cross project.
+      can?(request.current_user, :read_cross_project) &&
+        can?(request.current_user, :admin_project, object)
+    else
+      can?(request.current_user, :admin_group, object)
+    end
+  end
 end
diff --git a/app/services/clusters/gcp/finalize_creation_service.rb b/app/services/clusters/gcp/finalize_creation_service.rb
index cea56f4e849..15ab2d54404 100644
--- a/app/services/clusters/gcp/finalize_creation_service.rb
+++ b/app/services/clusters/gcp/finalize_creation_service.rb
@@ -30,10 +30,10 @@ module Clusters
           ca_cert: Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate),
           username: gke_cluster.master_auth.username,
           password: gke_cluster.master_auth.password,
-          token: request_kuberenetes_token)
+          token: request_kubernetes_token)
       end
 
-      def request_kuberenetes_token
+      def request_kubernetes_token
         Ci::FetchKubernetesTokenService.new(
           'https://' + gke_cluster.endpoint,
           Base64.decode64(gke_cluster.master_auth.cluster_ca_certificate),
diff --git a/app/services/issuable_base_service.rb b/app/services/issuable_base_service.rb
index e7463e6e25c..66a9b1f82e0 100644
--- a/app/services/issuable_base_service.rb
+++ b/app/services/issuable_base_service.rb
@@ -247,7 +247,7 @@ class IssuableBaseService < BaseService
     when 'add'
       todo_service.mark_todo(issuable, current_user)
     when 'done'
-      todo = TodosFinder.new(current_user).execute.find_by(target: issuable)
+      todo = TodosFinder.new(current_user).find_by(target: issuable)
       todo_service.mark_todos_as_done_by_ids(todo, current_user) if todo
     end
   end
diff --git a/app/services/notification_service.rb b/app/services/notification_service.rb
index 56e941d90ff..e07ecda27b5 100644
--- a/app/services/notification_service.rb
+++ b/app/services/notification_service.rb
@@ -339,6 +339,30 @@ class NotificationService
     end
   end
 
+  def pages_domain_verification_succeeded(domain)
+    recipients_for_pages_domain(domain).each do |user|
+      mailer.pages_domain_verification_succeeded_email(domain, user).deliver_later
+    end
+  end
+
+  def pages_domain_verification_failed(domain)
+    recipients_for_pages_domain(domain).each do |user|
+      mailer.pages_domain_verification_failed_email(domain, user).deliver_later
+    end
+  end
+
+  def pages_domain_enabled(domain)
+    recipients_for_pages_domain(domain).each do |user|
+      mailer.pages_domain_enabled_email(domain, user).deliver_later
+    end
+  end
+
+  def pages_domain_disabled(domain)
+    recipients_for_pages_domain(domain).each do |user|
+      mailer.pages_domain_disabled_email(domain, user).deliver_later
+    end
+  end
+
   protected
 
   def new_resource_email(target, method)
@@ -433,6 +457,14 @@ class NotificationService
 
   private
 
+  def recipients_for_pages_domain(domain)
+    project = domain.project
+
+    return [] unless project
+
+    notifiable_users(project.team.masters, :watch, target: project)
+  end
+
   def notifiable?(*args)
     NotificationRecipientService.notifiable?(*args)
   end
diff --git a/app/services/projects/autocomplete_service.rb b/app/services/projects/autocomplete_service.rb
index 1ae2c40872a..e61ecb696d0 100644
--- a/app/services/projects/autocomplete_service.rb
+++ b/app/services/projects/autocomplete_service.rb
@@ -50,16 +50,7 @@ module Projects
 
       return [] unless noteable&.is_a?(Issuable)
 
-      opts = {
-        project: project,
-        issuable: noteable,
-        current_user: current_user
-      }
-      QuickActions::InterpretService.command_definitions.map do |definition|
-        next unless definition.available?(opts)
-
-        definition.to_h(opts)
-      end.compact
+      QuickActions::InterpretService.new(project, current_user).available_commands(noteable)
     end
   end
 end
diff --git a/app/services/projects/update_pages_configuration_service.rb b/app/services/projects/update_pages_configuration_service.rb
index cacb74b1205..52ff64cc938 100644
--- a/app/services/projects/update_pages_configuration_service.rb
+++ b/app/services/projects/update_pages_configuration_service.rb
@@ -23,7 +23,7 @@ module Projects
     end
 
     def pages_domains_config
-      project.pages_domains.map do |domain|
+      enabled_pages_domains.map do |domain|
         {
           domain: domain.domain,
           certificate: domain.certificate,
@@ -32,6 +32,14 @@ module Projects
       end
     end
 
+    def enabled_pages_domains
+      if Gitlab::CurrentSettings.pages_domain_verification_enabled?
+        project.pages_domains.enabled
+      else
+        project.pages_domains
+      end
+    end
+
     def reload_daemon
       # GitLab Pages daemon constantly watches for modification time of `pages.path`
       # It reloads configuration when `pages.path` is modified
diff --git a/app/services/quick_actions/interpret_service.rb b/app/services/quick_actions/interpret_service.rb
index 669c1ba0a22..1e9bd84e749 100644
--- a/app/services/quick_actions/interpret_service.rb
+++ b/app/services/quick_actions/interpret_service.rb
@@ -7,6 +7,18 @@ module QuickActions
     SHRUG = '¯\\＿(ツ)＿/¯'.freeze
     TABLEFLIP = '(╯°□°)╯︵ ┻━┻'.freeze
 
+    # Takes an issuable and returns an array of all the available commands
+    # represented with .to_h
+    def available_commands(issuable)
+      @issuable = issuable
+
+      self.class.command_definitions.map do |definition|
+        next unless definition.available?(self)
+
+        definition.to_h(self)
+      end.compact
+    end
+
     # Takes a text and interprets the commands that are extracted from it.
     # Returns the content without commands, and hash of changes to be applied to a record.
     def execute(content, issuable)
@@ -15,8 +27,8 @@ module QuickActions
       @issuable = issuable
       @updates = {}
 
-      content, commands = extractor.extract_commands(content, context)
-      extract_updates(commands, context)
+      content, commands = extractor.extract_commands(content)
+      extract_updates(commands)
 
       [content, @updates]
     end
@@ -28,8 +40,8 @@ module QuickActions
 
       @issuable = issuable
 
-      content, commands = extractor.extract_commands(content, context)
-      commands = explain_commands(commands, context)
+      content, commands = extractor.extract_commands(content)
+      commands = explain_commands(commands)
       [content, commands]
     end
 
@@ -157,11 +169,11 @@ module QuickActions
     params '%"milestone"'
     condition do
       current_user.can?(:"admin_#{issuable.to_ability_name}", project) &&
-        project.milestones.active.any?
+        find_milestones(project, state: 'active').any?
     end
     parse_params do |milestone_param|
       extract_references(milestone_param, :milestone).first ||
-        project.milestones.find_by(title: milestone_param.strip)
+        find_milestones(project, title: milestone_param.strip).first
     end
     command :milestone do |milestone|
       @updates[:milestone_id] = milestone.id if milestone
@@ -544,6 +556,10 @@ module QuickActions
       users
     end
 
+    def find_milestones(project, params = {})
+      MilestonesFinder.new(params.merge(project_ids: [project.id], group_ids: [project.group&.id])).execute
+    end
+
     def find_labels(labels_param)
       extract_references(labels_param, :label) |
         LabelsFinder.new(current_user, project_id: project.id, name: labels_param.split).execute
@@ -557,21 +573,21 @@ module QuickActions
       find_labels(labels_param).map(&:id)
     end
 
-    def explain_commands(commands, opts)
+    def explain_commands(commands)
       commands.map do |name, arg|
         definition = self.class.definition_by_name(name)
         next unless definition
 
-        definition.explain(self, opts, arg)
+        definition.explain(self, arg)
       end.compact
     end
 
-    def extract_updates(commands, opts)
+    def extract_updates(commands)
       commands.each do |name, arg|
         definition = self.class.definition_by_name(name)
         next unless definition
 
-        definition.execute(self, opts, arg)
+        definition.execute(self, arg)
       end
     end
 
@@ -581,14 +597,5 @@ module QuickActions
 
       ext.references(type)
     end
-
-    def context
-      {
-        issuable: issuable,
-        current_user: current_user,
-        project: project,
-        params: params
-      }
-    end
   end
 end
diff --git a/app/services/verify_pages_domain_service.rb b/app/services/verify_pages_domain_service.rb
new file mode 100644
index 00000000000..86166047302
--- /dev/null
+++ b/app/services/verify_pages_domain_service.rb
@@ -0,0 +1,107 @@
+require 'resolv'
+
+class VerifyPagesDomainService < BaseService
+  # The maximum number of seconds to be spent on each DNS lookup
+  RESOLVER_TIMEOUT_SECONDS = 15
+
+  # How long verification lasts for
+  VERIFICATION_PERIOD = 7.days
+
+  attr_reader :domain
+
+  def initialize(domain)
+    @domain = domain
+  end
+
+  def execute
+    return error("No verification code set for #{domain.domain}") unless domain.verification_code.present?
+
+    if !verification_enabled? || dns_record_present?
+      verify_domain!
+    elsif expired?
+      disable_domain!
+    else
+      unverify_domain!
+    end
+  end
+
+  private
+
+  def verify_domain!
+    was_disabled = !domain.enabled?
+    was_unverified = domain.unverified?
+
+    # Prevent any pre-existing grace period from being truncated
+    reverify = [domain.enabled_until, VERIFICATION_PERIOD.from_now].compact.max
+
+    domain.update!(verified_at: Time.now, enabled_until: reverify)
+
+    if was_disabled
+      notify(:enabled)
+    elsif was_unverified
+      notify(:verification_succeeded)
+    end
+
+    success
+  end
+
+  def unverify_domain!
+    if domain.verified?
+      domain.update!(verified_at: nil)
+      notify(:verification_failed)
+    end
+
+    error("Couldn't verify #{domain.domain}")
+  end
+
+  def disable_domain!
+    domain.update!(verified_at: nil, enabled_until: nil)
+
+    notify(:disabled)
+
+    error("Couldn't verify #{domain.domain}. It is now disabled.")
+  end
+
+  # A domain is only expired until `disable!` has been called
+  def expired?
+    domain.enabled_until && domain.enabled_until < Time.now
+  end
+
+  def dns_record_present?
+    Resolv::DNS.open do |resolver|
+      resolver.timeouts = RESOLVER_TIMEOUT_SECONDS
+
+      check(domain.domain, resolver) || check(domain.verification_domain, resolver)
+    end
+  end
+
+  def check(domain_name, resolver)
+    records = parse(txt_records(domain_name, resolver))
+
+    records.any? do |record|
+      record == domain.keyed_verification_code || record == domain.verification_code
+    end
+  rescue => err
+    log_error("Failed to check TXT records on #{domain_name} for #{domain.domain}: #{err}")
+    false
+  end
+
+  def txt_records(domain_name, resolver)
+    resolver.getresources(domain_name, Resolv::DNS::Resource::IN::TXT)
+  end
+
+  def parse(records)
+    records.flat_map(&:strings).flat_map(&:split)
+  end
+
+  def verification_enabled?
+    Gitlab::CurrentSettings.pages_domain_verification_enabled?
+  end
+
+  def notify(type)
+    return unless verification_enabled?
+
+    Gitlab::AppLogger.info("Pages domain '#{domain.domain}' changed state to '#{type}'")
+    notification_service.public_send("pages_domain_#{type}", domain) # rubocop:disable GitlabSecurity/PublicSend
+  end
+end
diff --git a/app/uploaders/gitlab_uploader.rb b/app/uploaders/gitlab_uploader.rb
index a9e5c028b03..010100f2da1 100644
--- a/app/uploaders/gitlab_uploader.rb
+++ b/app/uploaders/gitlab_uploader.rb
@@ -67,6 +67,10 @@ class GitlabUploader < CarrierWave::Uploader::Base
     super || file&.filename
   end
 
+  def model_valid?
+    !!model
+  end
+
   private
 
   # Designed to be overridden by child uploaders that have a dynamic path
diff --git a/app/uploaders/personal_file_uploader.rb b/app/uploaders/personal_file_uploader.rb
index e7d9ecd3222..f2ad0badd53 100644
--- a/app/uploaders/personal_file_uploader.rb
+++ b/app/uploaders/personal_file_uploader.rb
@@ -14,6 +14,12 @@ class PersonalFileUploader < FileUploader
     File.join(model.class.to_s.underscore, model.id.to_s)
   end
 
+  # model_path_segment does not require a model to be passed, so we can always
+  # generate a path, even when there's no model.
+  def model_valid?
+    true
+  end
+
   # Revert-Override
   def store_dir
     File.join(base_dir, dynamic_segment)
diff --git a/app/views/admin/application_settings/_form.html.haml b/app/views/admin/application_settings/_form.html.haml
index 938185b6eba..20527d31870 100644
--- a/app/views/admin/application_settings/_form.html.haml
+++ b/app/views/admin/application_settings/_form.html.haml
@@ -237,6 +237,17 @@
       .col-sm-10
         = f.number_field :max_pages_size, class: 'form-control'
         .help-block 0 for unlimited
+    .form-group
+      .col-sm-offset-2.col-sm-10
+        .checkbox
+          = f.label :pages_domain_verification_enabled do
+            = f.check_box :pages_domain_verification_enabled
+            Require users to prove ownership of custom domains
+        .help-block
+          Domain verification is an essential security measure for public GitLab
+          sites. Users are required to demonstrate they control a domain before
+          it is enabled
+          = link_to icon('question-circle'), help_page_path('user/project/pages/getting_started_part_three.md', anchor: 'dns-txt-record')
 
   %fieldset
     %legend Continuous Integration and Deployment
@@ -647,11 +658,8 @@
           = f.label :version_check_enabled do
             = f.check_box :version_check_enabled
             Version check enabled
-            = link_to icon('question-circle'), help_page_path("user/admin_area/settings/usage_statistics", anchor: "version-check")
           .help-block
-            Let GitLab inform you when an update is available. When
-            enabled, GitLab Inc. will collect info about your hostname
-            and version.
+            Let GitLab inform you when an update is available.
     .form-group
       .col-sm-offset-2.col-sm-10
         - can_be_configured = @application_setting.usage_ping_can_be_configured?
diff --git a/app/views/admin/runners/index.html.haml b/app/views/admin/runners/index.html.haml
index 1e52646b1cc..abec3607cab 100644
--- a/app/views/admin/runners/index.html.haml
+++ b/app/views/admin/runners/index.html.haml
@@ -35,9 +35,8 @@
           method: :put, class: 'btn btn-default',
           data: { confirm: _("Are you sure you want to reset registration token?") }
 
-  = render partial: 'ci/runner/how_to_setup_runner',
-           locals: { registration_token: Gitlab::CurrentSettings.runners_registration_token,
-                     type: 'shared' }
+  = render partial: 'ci/runner/how_to_setup_shared_runner',
+           locals: { registration_token: Gitlab::CurrentSettings.runners_registration_token }
 
   .append-bottom-20.clearfix
     .pull-left
diff --git a/app/views/ci/runner/_how_to_setup_runner.html.haml b/app/views/ci/runner/_how_to_setup_runner.html.haml
index 8db7727b80c..37fb8fbab26 100644
--- a/app/views/ci/runner/_how_to_setup_runner.html.haml
+++ b/app/views/ci/runner/_how_to_setup_runner.html.haml
@@ -1,16 +1,16 @@
 - link = link_to _("GitLab Runner section"), 'https://about.gitlab.com/gitlab-ci/#gitlab-runner', target: '_blank'
-.bs-callout.help-callout
-  %h4= _("How to setup a #{type} Runner for a new project")
+.append-bottom-10
+  %h4= _("Setup a #{type} Runner manually")
 
-  %ol
-    %li
-      = _("Install a Runner compatible with GitLab CI")
-      = (_("(checkout the %{link} for information on how to install it).") % { link: link }).html_safe
-    %li
-      = _("Specify the following URL during the Runner setup:")
-      %code#coordinator_address= root_url(only_path: false)
-    %li
-      = _("Use the following registration token during setup:")
-      %code#registration_token= registration_token
-    %li
-      = _("Start the Runner!")
+%ol
+  %li
+    = _("Install a Runner compatible with GitLab CI")
+    = (_("(checkout the %{link} for information on how to install it).") % { link: link }).html_safe
+  %li
+    = _("Specify the following URL during the Runner setup:")
+    %code#coordinator_address= root_url(only_path: false)
+  %li
+    = _("Use the following registration token during setup:")
+    %code#registration_token= registration_token
+  %li
+    = _("Start the Runner!")
diff --git a/app/views/ci/runner/_how_to_setup_shared_runner.html.haml b/app/views/ci/runner/_how_to_setup_shared_runner.html.haml
new file mode 100644
index 00000000000..2a190cb9250
--- /dev/null
+++ b/app/views/ci/runner/_how_to_setup_shared_runner.html.haml
@@ -0,0 +1,3 @@
+.bs-callout.help-callout
+  = render partial: 'ci/runner/how_to_setup_runner',
+           locals: { registration_token: registration_token, type: 'shared' }
diff --git a/app/views/ci/runner/_how_to_setup_specific_runner.html.haml b/app/views/ci/runner/_how_to_setup_specific_runner.html.haml
new file mode 100644
index 00000000000..e765a353fe4
--- /dev/null
+++ b/app/views/ci/runner/_how_to_setup_specific_runner.html.haml
@@ -0,0 +1,26 @@
+.bs-callout.help-callout
+  .append-bottom-10
+    %h4= _('Setup a specific Runner automatically')
+
+  %p
+    - link_to_help_page = link_to(_('Learn more about Kubernetes'),
+                                  help_page_path('user/project/clusters/index'),
+                                  target: '_blank',
+                                  rel: 'noopener noreferrer')
+
+    = _('You can easily install a Runner on a Kubernetes cluster. %{link_to_help_page}').html_safe % { link_to_help_page: link_to_help_page }
+
+  %ol
+    %li
+      = _('Click the button below to begin the install process by navigating to the Kubernetes page')
+    %li
+      = _('Select an existing Kubernetes cluster or create a new one')
+    %li
+      = _('From the Kubernetes cluster details view, install Runner from the applications list')
+
+  = link_to _('Install Runner on Kubernetes'),
+    project_clusters_path(@project),
+    class: 'btn btn-info'
+  %hr
+  = render partial: 'ci/runner/how_to_setup_runner',
+           locals: { registration_token: registration_token, type: 'specific' }
diff --git a/app/views/errors/access_denied.html.haml b/app/views/errors/access_denied.html.haml
index a97cbd4d4b3..bf540439c79 100644
--- a/app/views/errors/access_denied.html.haml
+++ b/app/views/errors/access_denied.html.haml
@@ -1,3 +1,5 @@
+- message = local_assigns.fetch(:message)
+
 - content_for(:title, 'Access Denied')
 %img{ :alt => "GitLab Logo", :src => image_path('logo.svg') }
   %h1
@@ -5,5 +7,9 @@
 .container
   %h3 Access Denied
   %hr
-  %p You are not allowed to access this page.
-  %p Read more about project permissions #{link_to "here", help_page_path("user/permissions"), class: "vlink"}
+  - if message
+    %p
+      = message
+  - else
+    %p You are not allowed to access this page.
+    %p Read more about project permissions #{link_to "here", help_page_path("user/permissions"), class: "vlink"}
diff --git a/app/views/help/ui.html.haml b/app/views/help/ui.html.haml
index 1c4d67a8d2c..ce09b44fbb2 100644
--- a/app/views/help/ui.html.haml
+++ b/app/views/help/ui.html.haml
@@ -1,7 +1,5 @@
 - page_title "UI Development Kit", "Help"
 - lorem = "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed fermentum nisi sapien, non consequat lectus aliquam ultrices. Suspendisse sodales est euismod nunc condimentum, a consectetur diam ornare."
-- content_for :page_specific_javascripts do
-  = webpack_bundle_tag('ui_development_kit')
 
 .gitlab-ui-dev-kit
   %h1 GitLab UI development kit
diff --git a/app/views/layouts/header/_default.html.haml b/app/views/layouts/header/_default.html.haml
index 1d00ae928f6..e6238c0dddb 100644
--- a/app/views/layouts/header/_default.html.haml
+++ b/app/views/layouts/header/_default.html.haml
@@ -20,29 +20,34 @@
         %ul.nav.navbar-nav
           - if current_user
             = render 'layouts/header/new_dropdown'
-          %li.hidden-sm.hidden-xs
-            = render 'layouts/search' unless current_controller?(:search)
-          %li.visible-sm-inline-block.visible-xs-inline-block
-            = link_to search_path, title: 'Search', aria: { label: "Search" }, data: {toggle: 'tooltip', placement: 'bottom', container: 'body'} do
-              = sprite_icon('search', size: 16)
-          - if current_user
+          - if header_link?(:search)
+            %li.hidden-sm.hidden-xs
+              = render 'layouts/search' unless current_controller?(:search)
+            %li.visible-sm-inline-block.visible-xs-inline-block
+              = link_to search_path, title: 'Search', aria: { label: "Search" }, data: {toggle: 'tooltip', placement: 'bottom', container: 'body'} do
+                = sprite_icon('search', size: 16)
+
+          - if header_link?(:issues)
             = nav_link(path: 'dashboard#issues', html_options: { class: "user-counter" }) do
               = link_to assigned_issues_dashboard_path, title: 'Issues', class: 'dashboard-shortcuts-issues', aria: { label: "Issues" }, data: {toggle: 'tooltip', placement: 'bottom', container: 'body'} do
                 = sprite_icon('issues', size: 16)
                 - issues_count = assigned_issuables_count(:issues)
                 %span.badge.issues-count{ class: ('hidden' if issues_count.zero?) }
                   = number_with_delimiter(issues_count)
+          - if header_link?(:merge_requests)
             = nav_link(path: 'dashboard#merge_requests', html_options: { class: "user-counter" }) do
               = link_to assigned_mrs_dashboard_path, title: 'Merge requests', class: 'dashboard-shortcuts-merge_requests', aria: { label: "Merge requests" }, data: {toggle: 'tooltip', placement: 'bottom', container: 'body'} do
                 = sprite_icon('git-merge', size: 16)
                 - merge_requests_count = assigned_issuables_count(:merge_requests)
                 %span.badge.merge-requests-count{ class: ('hidden' if merge_requests_count.zero?) }
                   = number_with_delimiter(merge_requests_count)
+          - if header_link?(:todos)
             = nav_link(controller: 'dashboard/todos', html_options: { class: "user-counter" }) do
               = link_to dashboard_todos_path, title: 'Todos', aria: { label: "Todos" }, class: 'shortcuts-todos', data: {toggle: 'tooltip', placement: 'bottom', container: 'body'} do
                 = sprite_icon('todo-done', size: 16)
                 %span.badge.todos-count{ class: ('hidden' if todos_pending_count.zero?) }
                   = todos_count_format(todos_pending_count)
+          - if header_link?(:user_dropdown)
             %li.header-user.dropdown
               = link_to current_user, class: user_dropdown_class, data: { toggle: "dropdown" } do
                 = image_tag avatar_icon_for_user(current_user, 23), width: 23, height: 23, class: "header-user-avatar qa-user-avatar"
@@ -64,11 +69,11 @@
                   %li.divider
                   %li
                     = link_to "Sign out", destroy_user_session_path, class: "sign-out-link"
-            - if session[:impersonator_id]
-              %li.impersonation
-                = link_to admin_impersonation_path, class: 'impersonation-btn', method: :delete, title: "Stop impersonation", aria: { label: 'Stop impersonation' }, data: { toggle: 'tooltip', placement: 'bottom', container: 'body' } do
-                  = icon('user-secret')
-          - else
+          - if header_link?(:admin_impersonation)
+            %li.impersonation
+              = link_to admin_impersonation_path, class: 'impersonation-btn', method: :delete, title: "Stop impersonation", aria: { label: 'Stop impersonation' }, data: { toggle: 'tooltip', placement: 'bottom', container: 'body' } do
+                = icon('user-secret')
+          - if header_link?(:sign_in)
             %li
               %div
                 = link_to "Sign in / Register", new_session_path(:user, redirect_to_referer: 'yes'), class: 'btn btn-sign-in'
diff --git a/app/views/layouts/nav/_dashboard.html.haml b/app/views/layouts/nav/_dashboard.html.haml
index 74532eba298..f773bd0832d 100644
--- a/app/views/layouts/nav/_dashboard.html.haml
+++ b/app/views/layouts/nav/_dashboard.html.haml
@@ -1,53 +1,64 @@
 %ul.list-unstyled.navbar-sub-nav
-  = nav_link(path: ['root#index', 'projects#trending', 'projects#starred', 'dashboard/projects#index'], html_options: { id: 'nav-projects-dropdown', class: "home dropdown header-projects qa-projects-dropdown" }) do
-    %a{ href: "#", data: { toggle: "dropdown" } }
-      Projects
-      = sprite_icon('angle-down', css_class: 'caret-down')
-    .dropdown-menu.projects-dropdown-menu
-      = render "layouts/nav/projects_dropdown/show"
+  - if dashboard_nav_link?(:projects)
+    = nav_link(path: ['root#index', 'projects#trending', 'projects#starred', 'dashboard/projects#index'], html_options: { id: 'nav-projects-dropdown', class: "home dropdown header-projects qa-projects-dropdown" }) do
+      %a{ href: "#", data: { toggle: "dropdown" } }
+        Projects
+        = sprite_icon('angle-down', css_class: 'caret-down')
+      .dropdown-menu.projects-dropdown-menu
+        = render "layouts/nav/projects_dropdown/show"
 
-  = nav_link(controller: ['dashboard/groups', 'explore/groups'], html_options: { class: "hidden-xs" }) do
-    = link_to dashboard_groups_path, class: 'dashboard-shortcuts-groups qa-groups-link', title: 'Groups' do
-      Groups
+  - if dashboard_nav_link?(:groups)
+    = nav_link(controller: ['dashboard/groups', 'explore/groups'], html_options: { class: "hidden-xs" }) do
+      = link_to dashboard_groups_path, class: 'dashboard-shortcuts-groups qa-groups-link', title: 'Groups' do
+        Groups
 
-  = nav_link(path: 'dashboard#activity', html_options: { class: "visible-lg" }) do
-    = link_to activity_dashboard_path, class: 'dashboard-shortcuts-activity', title: 'Activity' do
-      Activity
+  - if dashboard_nav_link?(:activity)
+    = nav_link(path: 'dashboard#activity', html_options: { class: "visible-lg" }) do
+      = link_to activity_dashboard_path, class: 'dashboard-shortcuts-activity', title: 'Activity' do
+        Activity
 
-  = nav_link(controller: 'dashboard/milestones', html_options: { class: "visible-lg" }) do
-    = link_to dashboard_milestones_path, class: 'dashboard-shortcuts-milestones', title: 'Milestones' do
-      Milestones
+  - if dashboard_nav_link?(:milestones)
+    = nav_link(controller: 'dashboard/milestones', html_options: { class: "visible-lg" }) do
+      = link_to dashboard_milestones_path, class: 'dashboard-shortcuts-milestones', title: 'Milestones' do
+        Milestones
 
-  = nav_link(controller: 'dashboard/snippets', html_options: { class: "visible-lg" }) do
-    = link_to dashboard_snippets_path, class: 'dashboard-shortcuts-snippets', title: 'Snippets' do
-      Snippets
+  - if dashboard_nav_link?(:snippets)
+    = nav_link(controller: 'dashboard/snippets', html_options: { class: "visible-lg" }) do
+      = link_to dashboard_snippets_path, class: 'dashboard-shortcuts-snippets', title: 'Snippets' do
+        Snippets
 
-  %li.header-more.dropdown.hidden-lg
-    %a{ href: "#", data: { toggle: "dropdown" } }
-      More
-      = sprite_icon('angle-down', css_class: 'caret-down')
-    .dropdown-menu
-      %ul
-        = nav_link(controller: ['dashboard/groups', 'explore/groups'], html_options: { class: "visible-xs" }) do
-          = link_to dashboard_groups_path, class: 'dashboard-shortcuts-groups', title: 'Groups' do
-            Groups
+  - if any_dashboard_nav_link?([:groups, :milestones, :activity, :snippets])
+    %li.header-more.dropdown.hidden-lg
+      %a{ href: "#", data: { toggle: "dropdown" } }
+        More
+        = sprite_icon('angle-down', css_class: 'caret-down')
+      .dropdown-menu
+        %ul
+          - if dashboard_nav_link?(:groups)
+            = nav_link(controller: ['dashboard/groups', 'explore/groups'], html_options: { class: "visible-xs" }) do
+              = link_to dashboard_groups_path, class: 'dashboard-shortcuts-groups', title: 'Groups' do
+                Groups
 
-        = nav_link(path: 'dashboard#activity') do
-          = link_to activity_dashboard_path, title: 'Activity' do
-            Activity
+          - if dashboard_nav_link?(:activity)
+            = nav_link(path: 'dashboard#activity') do
+              = link_to activity_dashboard_path, title: 'Activity' do
+                Activity
 
-        = nav_link(controller: 'dashboard/milestones') do
-          = link_to dashboard_milestones_path, class: 'dashboard-shortcuts-milestones', title: 'Milestones' do
-            Milestones
+          - if dashboard_nav_link?(:milestones)
+            = nav_link(controller: 'dashboard/milestones') do
+              = link_to dashboard_milestones_path, class: 'dashboard-shortcuts-milestones', title: 'Milestones' do
+                Milestones
 
-        = nav_link(controller: 'dashboard/snippets') do
-          = link_to dashboard_snippets_path, class: 'dashboard-shortcuts-snippets', title: 'Snippets' do
-            Snippets
+          - if dashboard_nav_link?(:snippets)
+            = nav_link(controller: 'dashboard/snippets') do
+              = link_to dashboard_snippets_path, class: 'dashboard-shortcuts-snippets', title: 'Snippets' do
+                Snippets
 
   -# Shortcut to Dashboard > Projects
-  %li.hidden
-    = link_to dashboard_projects_path, title: 'Projects', class: 'dashboard-shortcuts-projects' do
-      Projects
+  - if dashboard_nav_link?(:projects)
+    %li.hidden
+      = link_to dashboard_projects_path, title: 'Projects', class: 'dashboard-shortcuts-projects' do
+        Projects
 
   - if current_controller?('ide')
     %li.line-separator.hidden-xs
diff --git a/app/views/layouts/nav/_explore.html.haml b/app/views/layouts/nav/_explore.html.haml
index cd1c39f3226..50bde9d1754 100644
--- a/app/views/layouts/nav/_explore.html.haml
+++ b/app/views/layouts/nav/_explore.html.haml
@@ -1,12 +1,15 @@
 %ul.list-unstyled.navbar-sub-nav
-  = nav_link(path: ['dashboard#show', 'root#show', 'projects#trending', 'projects#starred', 'projects#index'], html_options: {class: 'home'}) do
-    = link_to explore_root_path, title: 'Projects', class: 'dashboard-shortcuts-projects' do
-      Projects
-  = nav_link(controller: [:groups, 'groups/milestones', 'groups/group_members']) do
-    = link_to explore_groups_path, title: 'Groups', class: 'dashboard-shortcuts-groups' do
-      Groups
-  = nav_link(controller: :snippets) do
-    = link_to explore_snippets_path, title: 'Snippets', class: 'dashboard-shortcuts-snippets' do
-      Snippets
+  - if explore_nav_link?(:projects)
+    = nav_link(path: ['dashboard#show', 'root#show', 'projects#trending', 'projects#starred', 'projects#index'], html_options: {class: 'home'}) do
+      = link_to explore_root_path, title: 'Projects', class: 'dashboard-shortcuts-projects' do
+        Projects
+  - if explore_nav_link?(:groups)
+    = nav_link(controller: [:groups, 'groups/milestones', 'groups/group_members']) do
+      = link_to explore_groups_path, title: 'Groups', class: 'dashboard-shortcuts-groups' do
+        Groups
+  - if explore_nav_link?(:snippets)
+    = nav_link(controller: :snippets) do
+      = link_to explore_snippets_path, title: 'Snippets', class: 'dashboard-shortcuts-snippets' do
+        Snippets
   %li
     = link_to "Help", help_path, title: 'About GitLab CE'
diff --git a/app/views/layouts/nav/sidebar/_group.html.haml b/app/views/layouts/nav/sidebar/_group.html.haml
index 09a43a2cac5..47ae79b7a69 100644
--- a/app/views/layouts/nav/sidebar/_group.html.haml
+++ b/app/views/layouts/nav/sidebar/_group.html.haml
@@ -1,6 +1,8 @@
 - issues_count = IssuesFinder.new(current_user, group_id: @group.id, state: 'opened').execute.count
 - merge_requests_count = MergeRequestsFinder.new(current_user, group_id: @group.id, state: 'opened', non_archived: true).execute.count
 
+- issues_sub_menu_items = ['groups#issues', 'labels#index', 'milestones#index']
+
 .nav-sidebar{ class: ("sidebar-collapsed-desktop" if collapsed_sidebar?) }
   .nav-sidebar-inner-scroll
     .context-header
@@ -10,84 +12,93 @@
         .sidebar-context-title
           = @group.name
     %ul.sidebar-top-level-items
-      = nav_link(path: ['groups#show', 'groups#activity', 'groups#subgroups'], html_options: { class: 'home' }) do
-        = link_to group_path(@group) do
-          .nav-icon-container
-            = sprite_icon('project')
-          %span.nav-item-name
-            Overview
+      - if group_sidebar_link?(:overview)
+        = nav_link(path: ['groups#show', 'groups#activity', 'groups#subgroups', 'analytics#show'], html_options: { class: 'home' }) do
+          = link_to group_path(@group) do
+            .nav-icon-container
+              = sprite_icon('project')
+            %span.nav-item-name
+              Overview
 
-        %ul.sidebar-sub-level-items
-          = nav_link(path: ['groups#show', 'groups#activity', 'groups#subgroups'], html_options: { class: "fly-out-top-item" } ) do
-            = link_to group_path(@group) do
-              %strong.fly-out-top-item-name
-                #{ _('Overview') }
-          %li.divider.fly-out-top-item
-          = nav_link(path: ['groups#show', 'groups#subgroups'], html_options: { class: 'home' }) do
-            = link_to group_path(@group), title: 'Group details' do
-              %span
-                Details
+          %ul.sidebar-sub-level-items
+            = nav_link(path: ['groups#show', 'groups#activity', 'groups#subgroups'], html_options: { class: "fly-out-top-item" } ) do
+              = link_to group_path(@group) do
+                %strong.fly-out-top-item-name
+                  #{ _('Overview') }
+            %li.divider.fly-out-top-item
+            = nav_link(path: ['groups#show', 'groups#subgroups'], html_options: { class: 'home' }) do
+              = link_to group_path(@group), title: 'Group details' do
+                %span
+                  Details
 
-          = nav_link(path: 'groups#activity') do
-            = link_to activity_group_path(@group), title: 'Activity' do
-              %span
-                Activity
+            - if group_sidebar_link?(:activity)
+              = nav_link(path: 'groups#activity') do
+                = link_to activity_group_path(@group), title: 'Activity' do
+                  %span
+                    Activity
 
-      = nav_link(path: ['groups#issues', 'labels#index', 'milestones#index']) do
-        = link_to issues_group_path(@group) do
-          .nav-icon-container
-            = sprite_icon('issues')
-          %span.nav-item-name
-            Issues
-          %span.badge.count= number_with_delimiter(issues_count)
+      - if group_sidebar_link?(:issues)
+        = nav_link(path: issues_sub_menu_items) do
+          = link_to issues_group_path(@group) do
+            .nav-icon-container
+              = sprite_icon('issues')
+            %span.nav-item-name
+              Issues
+            %span.badge.count= number_with_delimiter(issues_count)
 
-        %ul.sidebar-sub-level-items
-          = nav_link(path: ['groups#issues', 'labels#index', 'milestones#index'], html_options: { class: "fly-out-top-item" } ) do
-            = link_to issues_group_path(@group) do
-              %strong.fly-out-top-item-name
-                #{ _('Issues') }
-              %span.badge.count.issue_counter.fly-out-badge= number_with_delimiter(issues_count)
-          %li.divider.fly-out-top-item
-          = nav_link(path: 'groups#issues', html_options: { class: 'home' }) do
-            = link_to issues_group_path(@group), title: 'List' do
-              %span
-                List
+          %ul.sidebar-sub-level-items
+            = nav_link(path: ['groups#issues', 'labels#index', 'milestones#index'], html_options: { class: "fly-out-top-item" } ) do
+              = link_to issues_group_path(@group) do
+                %strong.fly-out-top-item-name
+                  #{ _('Issues') }
+                %span.badge.count.issue_counter.fly-out-badge= number_with_delimiter(issues_count)
+            %li.divider.fly-out-top-item
+            = nav_link(path: 'groups#issues', html_options: { class: 'home' }) do
+              = link_to issues_group_path(@group), title: 'List' do
+                %span
+                  List
+
+            - if group_sidebar_link?(:labels)
+              = nav_link(path: 'labels#index') do
+                = link_to group_labels_path(@group), title: 'Labels' do
+                  %span
+                    Labels
 
-          = nav_link(path: 'labels#index') do
-            = link_to group_labels_path(@group), title: 'Labels' do
-              %span
-                Labels
+            - if group_sidebar_link?(:milestones)
+              = nav_link(path: 'milestones#index') do
+                = link_to group_milestones_path(@group), title: 'Milestones' do
+                  %span
+                    Milestones
+
+      - if group_sidebar_link?(:merge_requests)
+        = nav_link(path: 'groups#merge_requests') do
+          = link_to merge_requests_group_path(@group) do
+            .nav-icon-container
+              = sprite_icon('git-merge')
+            %span.nav-item-name
+              Merge Requests
+            %span.badge.count= number_with_delimiter(merge_requests_count)
+          %ul.sidebar-sub-level-items.is-fly-out-only
+            = nav_link(path: 'groups#merge_requests', html_options: { class: "fly-out-top-item" } ) do
+              = link_to merge_requests_group_path(@group) do
+                %strong.fly-out-top-item-name
+                  #{ _('Merge Requests') }
+                %span.badge.count.merge_counter.js-merge-counter.fly-out-badge= number_with_delimiter(merge_requests_count)
 
-          = nav_link(path: 'milestones#index') do
-            = link_to group_milestones_path(@group), title: 'Milestones' do
-              %span
-                Milestones
+      - if group_sidebar_link?(:group_members)
+        = nav_link(path: 'group_members#index') do
+          = link_to group_group_members_path(@group) do
+            .nav-icon-container
+              = sprite_icon('users')
+            %span.nav-item-name
+              Members
+          %ul.sidebar-sub-level-items.is-fly-out-only
+            = nav_link(path: 'group_members#index', html_options: { class: "fly-out-top-item" } ) do
+              = link_to group_group_members_path(@group) do
+                %strong.fly-out-top-item-name
+                  #{ _('Members') }
 
-      = nav_link(path: 'groups#merge_requests') do
-        = link_to merge_requests_group_path(@group) do
-          .nav-icon-container
-            = sprite_icon('git-merge')
-          %span.nav-item-name
-            Merge Requests
-          %span.badge.count= number_with_delimiter(merge_requests_count)
-        %ul.sidebar-sub-level-items.is-fly-out-only
-          = nav_link(path: 'groups#merge_requests', html_options: { class: "fly-out-top-item" } ) do
-            = link_to merge_requests_group_path(@group) do
-              %strong.fly-out-top-item-name
-                #{ _('Merge Requests') }
-              %span.badge.count.merge_counter.js-merge-counter.fly-out-badge= number_with_delimiter(merge_requests_count)
-      = nav_link(path: 'group_members#index') do
-        = link_to group_group_members_path(@group) do
-          .nav-icon-container
-            = sprite_icon('users')
-          %span.nav-item-name
-            Members
-        %ul.sidebar-sub-level-items.is-fly-out-only
-          = nav_link(path: 'group_members#index', html_options: { class: "fly-out-top-item" } ) do
-            = link_to group_group_members_path(@group) do
-              %strong.fly-out-top-item-name
-                #{ _('Members') }
-      - if current_user && can?(current_user, :admin_group, @group)
+      - if group_sidebar_link?(:settings)
         = nav_link(path: group_nav_link_paths) do
           = link_to edit_group_path(@group) do
             .nav-icon-container
diff --git a/app/views/notify/pages_domain_disabled_email.html.haml b/app/views/notify/pages_domain_disabled_email.html.haml
new file mode 100644
index 00000000000..34ce4238a12
--- /dev/null
+++ b/app/views/notify/pages_domain_disabled_email.html.haml
@@ -0,0 +1,15 @@
+%p
+  Following a verification check, your GitLab Pages custom domain has been
+  %strong disabled.
+  This means that your content is no longer visible at #{link_to @domain.url, @domain.url}
+%p
+  Project: #{link_to @project.human_name, project_url(@project)}
+%p
+  Domain: #{link_to @domain.domain, project_pages_domain_url(@project, @domain)}
+%p
+  If this domain has been disabled in error, please follow
+  = link_to 'these instructions', help_page_url('user/project/pages/getting_started_part_three.md', anchor: 'dns-txt-record')
+  to verify and re-enable your domain.
+%p
+  If you no longer wish to use this domain with GitLab Pages, please remove it
+  from your GitLab project and delete any related DNS records.
diff --git a/app/views/notify/pages_domain_disabled_email.text.haml b/app/views/notify/pages_domain_disabled_email.text.haml
new file mode 100644
index 00000000000..4e81b054b1f
--- /dev/null
+++ b/app/views/notify/pages_domain_disabled_email.text.haml
@@ -0,0 +1,13 @@
+Following a verification check, your GitLab Pages custom domain has been
+**disabled**. This means that your content is no longer visible at #{@domain.url}
+
+Project: #{@project.human_name} (#{project_url(@project)})
+Domain:  #{@domain.domain} (#{project_pages_domain_url(@project, @domain)})
+
+If this domain has been disabled in error, please follow these instructions
+to verify and re-enable your domain:
+
+= help_page_url('user/project/pages/getting_started_part_three.md', anchor: 'dns-txt-record')
+
+If you no longer wish to use this domain with GitLab Pages, please remove it
+from your GitLab project and delete any related DNS records.
diff --git a/app/views/notify/pages_domain_enabled_email.html.haml b/app/views/notify/pages_domain_enabled_email.html.haml
new file mode 100644
index 00000000000..db09e503f65
--- /dev/null
+++ b/app/views/notify/pages_domain_enabled_email.html.haml
@@ -0,0 +1,11 @@
+%p
+  Following a verification check, your GitLab Pages custom domain has been
+  enabled. You should now be able to view your content at #{link_to @domain.url, @domain.url}
+%p
+  Project: #{link_to @project.human_name, project_url(@project)}
+%p
+  Domain: #{link_to @domain.domain, project_pages_domain_url(@project, @domain)}
+%p
+  Please visit
+  = link_to 'these instructions', help_page_url('user/project/pages/getting_started_part_three.md', anchor: 'dns-txt-record')
+  for more information about custom domain verification.
diff --git a/app/views/notify/pages_domain_enabled_email.text.haml b/app/views/notify/pages_domain_enabled_email.text.haml
new file mode 100644
index 00000000000..1ed1dbb8315
--- /dev/null
+++ b/app/views/notify/pages_domain_enabled_email.text.haml
@@ -0,0 +1,9 @@
+Following a verification check, your GitLab Pages custom domain has been
+enabled. You should now be able to view your content at #{@domain.url}
+
+Project: #{@project.human_name} (#{project_url(@project)})
+Domain:  #{@domain.domain} (#{project_pages_domain_url(@project, @domain)})
+
+Please visit
+= help_page_url('user/project/pages/getting_started_part_three.md', anchor: 'dns-txt-record')
+for more information about custom domain verification.
diff --git a/app/views/notify/pages_domain_verification_failed_email.html.haml b/app/views/notify/pages_domain_verification_failed_email.html.haml
new file mode 100644
index 00000000000..0bb0eb09fd5
--- /dev/null
+++ b/app/views/notify/pages_domain_verification_failed_email.html.haml
@@ -0,0 +1,17 @@
+%p
+  Verification has failed for one of your GitLab Pages custom domains!
+%p
+  Project: #{link_to @project.human_name, project_url(@project)}
+%p
+  Domain: #{link_to @domain.domain, project_pages_domain_url(@project, @domain)}
+%p
+  Unless you take action, it will be disabled on
+  %strong= @domain.enabled_until.strftime('%F %T.')
+  Until then, you can view your content at #{link_to @domain.url, @domain.url}
+%p
+  Please visit
+  = link_to 'these instructions', help_page_url('user/project/pages/getting_started_part_three.md', anchor: 'dns-txt-record')
+  for more information about custom domain verification.
+%p
+  If you no longer wish to use this domain with GitLab Pages, please remove it
+  from your GitLab project and delete any related DNS records.
diff --git a/app/views/notify/pages_domain_verification_failed_email.text.haml b/app/views/notify/pages_domain_verification_failed_email.text.haml
new file mode 100644
index 00000000000..c14e0e0c24d
--- /dev/null
+++ b/app/views/notify/pages_domain_verification_failed_email.text.haml
@@ -0,0 +1,14 @@
+Verification has failed for one of your GitLab Pages custom domains!
+
+Project: #{@project.human_name} (#{project_url(@project)})
+Domain:  #{@domain.domain} (#{project_pages_domain_url(@project, @domain)})
+
+Unless you take action, it will be disabled on *#{@domain.enabled_until.strftime('%F %T')}*.
+Until then, you can view your content at #{@domain.url}
+
+Please visit
+= help_page_url('user/project/pages/getting_started_part_three.md', anchor: 'dns-txt-record')
+for more information about custom domain verification.
+
+If you no longer wish to use this domain with GitLab Pages, please remove it
+from your GitLab project and delete any related DNS records.
diff --git a/app/views/notify/pages_domain_verification_succeeded_email.html.haml b/app/views/notify/pages_domain_verification_succeeded_email.html.haml
new file mode 100644
index 00000000000..2ead3187b10
--- /dev/null
+++ b/app/views/notify/pages_domain_verification_succeeded_email.html.haml
@@ -0,0 +1,13 @@
+%p
+  One of your GitLab Pages custom domains has been successfully verified!
+%p
+  Project: #{link_to @project.human_name, project_url(@project)}
+%p
+  Domain: #{link_to @domain.domain, project_pages_domain_url(@project, @domain)}
+%p
+  This is a notification. No action is required on your part. You can view your
+  content at #{link_to @domain.url, @domain.url}
+%p
+  Please visit
+  = link_to 'these instructions', help_page_url('user/project/pages/getting_started_part_three.md', anchor: 'dns-txt-record')
+  for more information about custom domain verification.
diff --git a/app/views/notify/pages_domain_verification_succeeded_email.text.haml b/app/views/notify/pages_domain_verification_succeeded_email.text.haml
new file mode 100644
index 00000000000..e7cdbdee420
--- /dev/null
+++ b/app/views/notify/pages_domain_verification_succeeded_email.text.haml
@@ -0,0 +1,10 @@
+One of your GitLab Pages custom domains has been successfully verified!
+
+Project: #{@project.human_name} (#{project_url(@project)})
+Domain:  #{@domain.domain} (#{project_pages_domain_url(@project, @domain)})
+
+No action is required on your part. You can view your content at #{@domain.url}
+
+Please visit
+= help_page_url('user/project/pages/getting_started_part_three.md', anchor: 'dns-txt-record')
+for more information about custom domain verification.
diff --git a/app/views/projects/_new_project_push_tip.html.haml b/app/views/projects/_new_project_push_tip.html.haml
new file mode 100644
index 00000000000..9bc69211d12
--- /dev/null
+++ b/app/views/projects/_new_project_push_tip.html.haml
@@ -0,0 +1,11 @@
+.push-to-create-popover
+  %p
+    = label_tag(:push_to_create_tip, _("Private projects can be created in your personal namespace with:"), class: "weight-normal")
+
+  %p.input-group.project-tip-command
+    %span.input-group-btn
+      = text_field_tag :push_to_create_tip, push_to_create_project_command, class: "js-select-on-focus form-control monospace", readonly: true, aria: { label: _("Push project from command line") }
+    %span.input-group-btn
+      = clipboard_button(text: push_to_create_project_command, title: _("Copy command to clipboard"), placement: "right")
+  %p
+    = link_to("What does this command do?", help_page_path("gitlab-basics/create-project", anchor: "push-to-create-a-new-project"), target: "_blank")
diff --git a/app/views/projects/_readme.html.haml b/app/views/projects/_readme.html.haml
index aebdfbc8218..705338c083e 100644
--- a/app/views/projects/_readme.html.haml
+++ b/app/views/projects/_readme.html.haml
@@ -20,4 +20,4 @@
         distributed with computer software, forming part of its documentation.
         GitLab will render it here instead of this message.
       %p
-        = link_to "Add Readme", add_special_file_path(@project, file_name: 'README.md'),  class: 'btn btn-new'
+        = link_to "Add Readme", @project.add_readme_path, class: 'btn btn-new'
diff --git a/app/views/projects/_stat_anchor_list.html.haml b/app/views/projects/_stat_anchor_list.html.haml
new file mode 100644
index 00000000000..a115b65938b
--- /dev/null
+++ b/app/views/projects/_stat_anchor_list.html.haml
@@ -0,0 +1,8 @@
+- anchors = local_assigns.fetch(:anchors, [])
+
+- return unless anchors.any?
+%ul.nav
+  - anchors.each do |anchor|
+    %li
+      = link_to_if anchor.link, anchor.label, anchor.link, class: anchor.enabled ? 'stat-link' : "btn btn-#{anchor.class_modifier || 'missing'}" do
+        %span.stat-text= anchor.label
diff --git a/app/views/projects/buttons/_koding.html.haml b/app/views/projects/buttons/_koding.html.haml
index de2d61d4aa3..e665ca61da8 100644
--- a/app/views/projects/buttons/_koding.html.haml
+++ b/app/views/projects/buttons/_koding.html.haml
@@ -1,3 +1,3 @@
-- if koding_enabled? && current_user && @repository.koding_yml && can_push_branch?(@project, @project.default_branch)
+- if koding_enabled? && current_user && @repository.koding_yml && @project.can_current_user_push_code?
   = link_to koding_project_url(@project), class: 'btn project-action-button inline', target: '_blank', rel: 'noopener noreferrer' do
     _('Run in IDE (Koding)')
diff --git a/app/views/projects/clusters/_empty_state.html.haml b/app/views/projects/clusters/_empty_state.html.haml
index 600d679b60c..112dde66ff7 100644
--- a/app/views/projects/clusters/_empty_state.html.haml
+++ b/app/views/projects/clusters/_empty_state.html.haml
@@ -4,7 +4,7 @@
   .col-xs-12
     .text-content
       %h4.text-center= s_('ClusterIntegration|Integrate Kubernetes cluster automation')
-      - link_to_help_page = link_to(s_('ClusterIntegration|Learn more about Kubernetes'), help_page_path('user/project/clusters/index'), target: '_blank', rel: 'noopener noreferrer')
+      - link_to_help_page = link_to(_('Learn more about Kubernetes'), help_page_path('user/project/clusters/index'), target: '_blank', rel: 'noopener noreferrer')
       %p= s_('ClusterIntegration|Kubernetes clusters allow you to use review apps, deploy your applications, run your pipelines, and much more in an easy way. %{link_to_help_page}').html_safe % { link_to_help_page: link_to_help_page}
 
       .text-center
diff --git a/app/views/projects/empty.html.haml b/app/views/projects/empty.html.haml
index ab225796b12..8a36fada389 100644
--- a/app/views/projects/empty.html.haml
+++ b/app/views/projects/empty.html.haml
@@ -5,38 +5,41 @@
 
 = render "home_panel"
 
-.row-content-block.second-block.center
-  %h4
-    The repository for this project is empty
+.project-empty-note-panel
+  %div{ class: [container_class, ("limit-container-width-sm" unless fluid_layout)] }
+    .prepend-top-20
+    %h4
+      = _('The repository for this project is empty')
+
+    - if @project.can_current_user_push_code?
+      %p
+        - link_to_cli = link_to _('command line instructions'), '#repo-command-line-instructions'
+        = _('If you already have files you can push them using the %{link_to_cli} below.').html_safe % { link_to_cli: link_to_cli }
+      %p
+        %em
+          - link_to_protected_branches = link_to _('Learn more about protected branches'), help_page_path('user/project/protected_branches')
+          = _('Note that the master branch is automatically protected. %{link_to_protected_branches}').html_safe % { link_to_protected_branches: link_to_protected_branches }
 
-  - if can?(current_user, :push_code, @project)
-    %p
-      If you already have files you can push them using command line instructions below.
-    %p
-      Otherwise you can start with adding a
-      = succeed ',' do
-        = link_to "README", add_special_file_path(@project, file_name: 'README.md')
-      a
-      = succeed ',' do
-        = link_to "LICENSE", add_special_file_path(@project, file_name: 'LICENSE')
-      or a
-      = link_to '.gitignore', add_special_file_path(@project, file_name: '.gitignore')
-      to this project.
-    %p
-      You will need to be owner or have the master permission level for the initial push, as the master branch is automatically protected.
+      %hr
+      %p
+        - link_to_auto_devops_settings = link_to(s_('AutoDevOps|enable Auto DevOps (Beta)'), project_settings_ci_cd_path(@project, anchor: 'js-general-pipeline-settings'))
+        - link_to_add_kubernetes_cluster = link_to(s_('AutoDevOps|add a Kubernetes cluster'), new_project_cluster_path(@project))
+        = s_('AutoDevOps|You can automatically build and test your application if you %{link_to_auto_devops_settings} for this project. You can automatically deploy it as well, if you %{link_to_add_kubernetes_cluster}.').html_safe % { link_to_auto_devops_settings: link_to_auto_devops_settings, link_to_add_kubernetes_cluster: link_to_add_kubernetes_cluster }
 
-    - if show_auto_devops_callout?(@project)
+      %hr
       %p
-        - link = link_to(s_('AutoDevOps|Auto DevOps (Beta)'), project_settings_ci_cd_path(@project, anchor: 'js-general-pipeline-settings'))
-        = s_('AutoDevOps|You can activate %{link_to_settings} for this project.').html_safe % { link_to_settings: link }
-      %p= s_('AutoDevOps|It will automatically build, test, and deploy your application based on a predefined CI/CD configuration.')
-      %p= link_to _('New file'), project_new_blob_path(@project, @project.default_branch || 'master'), class: 'btn btn-new'
+        = _('Otherwise it is recommended you start with one of the options below.')
+      .prepend-top-20
+
+%nav.project-stats{ class: container_class }
+  = render 'stat_anchor_list', anchors: @project.empty_repo_statistics_anchors
+  = render 'stat_anchor_list', anchors: @project.empty_repo_statistics_buttons
 
 - if can?(current_user, :push_code, @project)
-  %div{ class: container_class }
+  %div{ class: [container_class, ("limit-container-width-sm" unless fluid_layout)] }
     .prepend-top-20
     .empty_wrapper
-      %h3.page-title-empty
+      %h3#repo-command-line-instructions.page-title-empty
         Command line instructions
       .git-empty
         %fieldset
diff --git a/app/views/projects/issues/show.html.haml b/app/views/projects/issues/show.html.haml
index 91f68d8c419..7bc5c46d64a 100644
--- a/app/views/projects/issues/show.html.haml
+++ b/app/views/projects/issues/show.html.haml
@@ -82,6 +82,3 @@
     = render 'projects/issues/discussion'
 
 = render 'shared/issuable/sidebar', issuable: @issue
-
-= webpack_bundle_tag('common_vue')
-= webpack_bundle_tag('issue_show')
diff --git a/app/views/projects/new.html.haml b/app/views/projects/new.html.haml
index 61ae0ebbce6..679ba23a4db 100644
--- a/app/views/projects/new.html.haml
+++ b/app/views/projects/new.html.haml
@@ -4,6 +4,7 @@
 - page_title    'New Project'
 - header_title  "Projects", dashboard_projects_path
 - visibility_level = params.dig(:project, :visibility_level) || default_project_visibility
+- active_tab = local_assigns.fetch(:active_tab, 'blank')
 
 .project-edit-container
   .project-edit-errors
@@ -18,34 +19,41 @@
         All features are enabled when you create a project, but you can disable the ones you don’t need in the project settings.
       .md
         = brand_new_project_guidelines
+      %p
+        %strong= _("Tip:")
+        = _("You can also create a project from the command line.")
+        %a.push-new-project-tip{ data: { title: _("Push to create a project") }, href: help_page_path('gitlab-basics/create-project', anchor: 'push-to-create-a-new-project'), target: "_blank", rel: "noopener noreferrer" }
+          = _("Show command")
+        %template.push-new-project-tip-template= render partial: "new_project_push_tip"
+
     .col-lg-9.js-toggle-container
       %ul.nav-links.gitlab-tabs{ role: 'tablist' }
-        %li.active{ role: 'presentation' }
+        %li{ class: ('active' if active_tab == 'blank'), role: 'presentation' }
           %a{ href: '#blank-project-pane', id: 'blank-project-tab', data: { toggle: 'tab' }, role: 'tab' }
             %span.hidden-xs Blank project
             %span.visible-xs Blank
-        %li{ role: 'presentation' }
+        %li{ class: ('active' if active_tab == 'template'), role: 'presentation' }
           %a{ href: '#create-from-template-pane', id: 'create-from-template-tab', data: { toggle: 'tab' }, role: 'tab' }
             %span.hidden-xs Create from template
             %span.visible-xs Template
-        %li{ role: 'presentation' }
+        %li{ class: ('active' if active_tab == 'import'), role: 'presentation' }
           %a{ href: '#import-project-pane', id: 'import-project-tab', data: { toggle: 'tab' }, role: 'tab' }
             %span.hidden-xs Import project
             %span.visible-xs Import
 
       .tab-content.gitlab-tab-content
-        .tab-pane.active{ id: 'blank-project-pane', role: 'tabpanel' }
+        .tab-pane{ id: 'blank-project-pane', class: ('active' if active_tab == 'blank'), role: 'tabpanel' }
           = form_for @project, html: { class: 'new_project' } do |f|
             = render 'new_project_fields', f: f, project_name_id: "blank-project-name"
 
-        .tab-pane.no-padding{ id: 'create-from-template-pane', role: 'tabpanel' }
+        .tab-pane.no-padding{ id: 'create-from-template-pane', class: ('active' if active_tab == 'template'), role: 'tabpanel' }
           = form_for @project, html: { class: 'new_project' } do |f|
             .project-template
               .form-group
                 %div
                   = render 'project_templates', f: f
 
-        .tab-pane.import-project-pane{ id: 'import-project-pane', role: 'tabpanel' }
+        .tab-pane.import-project-pane{ id: 'import-project-pane', class: ('active' if active_tab == 'import'), role: 'tabpanel' }
           = form_for @project, html: { class: 'new_project' } do |f|
             - if import_sources_enabled?
               .project-import.row
@@ -92,7 +100,7 @@
                           %button.btn.js-toggle-button.import_git{ type: "button" }
                             = icon('git', text: 'Repo by URL')
                 .col-lg-12
-                  .js-toggle-content.hide.toggle-import-form
+                  .js-toggle-content.toggle-import-form{ class: ('hide' if active_tab != 'import') }
                     %hr
                       = render "shared/import_form", f: f
                       = render 'new_project_fields', f: f, project_name_id: "import-url-name"
diff --git a/app/views/projects/pages/_list.html.haml b/app/views/projects/pages/_list.html.haml
index a85cda407af..75df92b05a7 100644
--- a/app/views/projects/pages/_list.html.haml
+++ b/app/views/projects/pages/_list.html.haml
@@ -3,15 +3,26 @@
     .panel-heading
       Domains (#{@domains.count})
     %ul.well-list
+      - verification_enabled = Gitlab::CurrentSettings.pages_domain_verification_enabled?
       - @domains.each do |domain|
         %li
           .pull-right
             = link_to 'Details', project_pages_domain_path(@project, domain), class: "btn btn-sm btn-grouped"
             = link_to 'Remove', project_pages_domain_path(@project, domain), data: { confirm: 'Are you sure?'}, method: :delete, class: "btn btn-remove btn-sm btn-grouped"
           .clearfix
-            %span= link_to domain.domain, domain.url
+            - if verification_enabled
+              - tooltip, status = domain.unverified? ? ['Unverified', 'failed'] : ['Verified', 'success']
+              = link_to domain.url, title: tooltip, class: 'has-tooltip' do
+                = sprite_icon("status_#{status}", size: 16, css_class: "has-tooltip ci-status-icon ci-status-icon-#{status}")
+                = domain.domain
+            - else
+              = link_to domain.domain, domain.url
           %p
             - if domain.subject
               %span.label.label-gray Certificate: #{domain.subject}
             - if domain.expired?
               %span.label.label-danger Expired
+        - if verification_enabled && domain.unverified?
+          %li.warning-row
+            #{domain.domain} is not verified. To learn how to verify ownership, visit your
+            = link_to 'domain details', project_pages_domain_path(@project, domain)
diff --git a/app/views/projects/pages_domains/show.html.haml b/app/views/projects/pages_domains/show.html.haml
index 876cac0dacb..72e9203bdb0 100644
--- a/app/views/projects/pages_domains/show.html.haml
+++ b/app/views/projects/pages_domains/show.html.haml
@@ -1,4 +1,10 @@
 - page_title "#{@domain.domain}", 'Pages Domains'
+- verification_enabled = Gitlab::CurrentSettings.pages_domain_verification_enabled?
+- if verification_enabled && @domain.unverified?
+  %p.alert.alert-warning
+    %strong
+      This domain is not verified. You will need to verify ownership before
+      access is enabled.
 
 %h3.page-title
   Pages Domain
@@ -15,9 +21,26 @@
         DNS
       %td
         %p
-          To access the domain create a new DNS record:
+          To access this domain create a new DNS record:
         %pre
           #{@domain.domain} CNAME #{@domain.project.pages_subdomain}.#{Settings.pages.host}.
+    - if verification_enabled
+      %tr
+        %td
+          Verification status
+        %td
+          %p
+            - help_link = help_page_path('user/project/pages/getting_started_part_three.md', anchor: 'dns-txt-record')
+            To #{link_to 'verify ownership', help_link} of your domain, create
+            this DNS record:
+          %pre
+            #{@domain.verification_domain} TXT #{@domain.keyed_verification_code}
+          %p
+            - if @domain.verified?
+              #{@domain.domain} has been successfully verified.
+            - else
+              = button_to 'Verify ownership', verify_project_pages_domain_path(@project, @domain), class: 'btn btn-save btn-sm'
+
     %tr
       %td
         Certificate
diff --git a/app/views/projects/runners/_shared_runners.html.haml b/app/views/projects/runners/_shared_runners.html.haml
index b037b57e78a..4fd4ca355a8 100644
--- a/app/views/projects/runners/_shared_runners.html.haml
+++ b/app/views/projects/runners/_shared_runners.html.haml
@@ -1,6 +1,6 @@
 %h3 Shared Runners
 
-.bs-callout.bs-callout-warning.shared-runners-description
+.bs-callout.shared-runners-description
   - if Gitlab::CurrentSettings.shared_runners_text.present?
     = markdown_field(Gitlab::CurrentSettings.current_application_settings, :shared_runners_text)
   - else
@@ -9,7 +9,7 @@
     on GitLab.com).
   %hr
   - if @project.shared_runners_enabled?
-    = link_to toggle_shared_runners_project_runners_path(@project), class: 'btn btn-warning', method: :post do
+    = link_to toggle_shared_runners_project_runners_path(@project), class: 'btn btn-close', method: :post do
       Disable shared Runners
   - else
     = link_to toggle_shared_runners_project_runners_path(@project), class: 'btn btn-success', method: :post do
diff --git a/app/views/projects/runners/_specific_runners.html.haml b/app/views/projects/runners/_specific_runners.html.haml
index 28ccbf7eb15..f0813e56b71 100644
--- a/app/views/projects/runners/_specific_runners.html.haml
+++ b/app/views/projects/runners/_specific_runners.html.haml
@@ -1,8 +1,7 @@
 %h3 Specific Runners
 
-= render partial: 'ci/runner/how_to_setup_runner',
-         locals: { registration_token: @project.runners_token,
-                   type: 'specific' }
+= render partial: 'ci/runner/how_to_setup_specific_runner',
+         locals: { registration_token: @project.runners_token }
 
 - if @project_runners.any?
   %h4.underlined-title Runners activated for this project
diff --git a/app/views/projects/services/prometheus/_show.html.haml b/app/views/projects/services/prometheus/_show.html.haml
index 5f38ecd6820..6dc2b85fd32 100644
--- a/app/views/projects/services/prometheus/_show.html.haml
+++ b/app/views/projects/services/prometheus/_show.html.haml
@@ -7,7 +7,7 @@
       = link_to s_('PrometheusService|More information'), help_page_path('user/project/integrations/prometheus')
 
   .col-lg-9
-    .panel.panel-default.js-panel-monitored-metrics{ data: { "active-metrics" => "#{project_prometheus_active_metrics_path(@project, :json)}" } }
+    .panel.panel-default.js-panel-monitored-metrics{ data: { active_metrics: active_common_project_prometheus_metrics_path(@project, :json) } }
       .panel-heading
         %h3.panel-title
           = s_('PrometheusService|Monitored')
diff --git a/app/views/projects/settings/repository/show.html.haml b/app/views/projects/settings/repository/show.html.haml
index 3077203c2a6..235d532bf98 100644
--- a/app/views/projects/settings/repository/show.html.haml
+++ b/app/views/projects/settings/repository/show.html.haml
@@ -4,7 +4,6 @@
 
 - content_for :page_specific_javascripts do
   = webpack_bundle_tag('common_vue')
-  = webpack_bundle_tag('deploy_keys')
 
 -# Protected branches & tags use a lot of nested partials.
 -# The shared parts of the views can be found in the `shared` directory.
diff --git a/app/views/projects/show.html.haml b/app/views/projects/show.html.haml
index 888d820b04e..fa281327eb7 100644
--- a/app/views/projects/show.html.haml
+++ b/app/views/projects/show.html.haml
@@ -1,6 +1,7 @@
 - @no_container = true
 - breadcrumb_title "Details"
 - @content_class = "limit-container-width" unless fluid_layout
+- show_auto_devops_callout = show_auto_devops_callout?(@project)
 
 = content_for :meta_tags do
   = auto_discovery_link_tag(:atom, project_path(@project, rss_url_options), title: "#{@project.name} activity")
@@ -14,65 +15,9 @@
 
 - if can?(current_user, :download_code, @project)
   %nav.project-stats{ class: container_class }
-    %ul.nav
-      %li
-        = link_to project_tree_path(@project) do
-          #{_('Files')} (#{storage_counter(@project.statistics.total_repository_size)})
-      %li
-        = link_to project_commits_path(@project, current_ref) do
-          #{n_('Commit', 'Commits', @project.statistics.commit_count)} (#{number_with_delimiter(@project.statistics.commit_count)})
-      %li
-        = link_to project_branches_path(@project) do
-          #{n_('Branch', 'Branches', @repository.branch_count)} (#{number_with_delimiter(@repository.branch_count)})
-      %li
-        = link_to project_tags_path(@project) do
-          #{n_('Tag', 'Tags', @repository.tag_count)} (#{number_with_delimiter(@repository.tag_count)})
+    = render 'stat_anchor_list', anchors: @project.statistics_anchors(show_auto_devops_callout: show_auto_devops_callout)
+    = render 'stat_anchor_list', anchors: @project.statistics_buttons(show_auto_devops_callout: show_auto_devops_callout)
 
-      - if @repository.readme
-        %li
-          = link_to _('Readme'),
-            default_project_view != 'readme' ? readme_path(@project) : '#readme'
-
-      - if @repository.changelog
-        %li
-          = link_to _('Changelog'), changelog_path(@project)
-
-      - if @repository.license_blob
-        %li
-          = link_to license_short_name(@project), license_path(@project)
-
-      - if @repository.contribution_guide
-        %li
-          = link_to _('Contribution guide'), contribution_guide_path(@project)
-
-      - if @repository.gitlab_ci_yml
-        %li
-          = link_to _('CI/CD configuration'), ci_configuration_path(@project)
-
-      - if current_user && can_push_branch?(@project, @project.default_branch)
-        - unless @repository.changelog
-          %li.missing
-            = link_to add_special_file_path(@project, file_name: 'CHANGELOG') do
-              #{ _('Add Changelog') }
-        - unless @repository.license_blob
-          %li.missing
-            = link_to add_special_file_path(@project, file_name: 'LICENSE') do
-              #{ _('Add License') }
-        - unless @repository.contribution_guide
-          %li.missing
-            = link_to add_special_file_path(@project, file_name: 'CONTRIBUTING.md', commit_message: 'Add contribution guide') do
-              #{ _('Add Contribution guide') }
-        - unless @repository.gitlab_ci_yml
-          %li.missing
-            = link_to add_special_file_path(@project, file_name: '.gitlab-ci.yml') do
-              #{ _('Set up CI/CD') }
-        - if koding_enabled? && @repository.koding_yml.blank?
-          %li.missing
-            = link_to  _('Set up Koding'), add_koding_stack_path(@project)
-        - if @repository.gitlab_ci_yml.blank? && @project.deployment_platform.present?
-          %li.missing
-            = link_to add_special_file_path(@project, file_name: '.gitlab-ci.yml', commit_message: 'Set up auto deploy', branch_name: 'auto-deploy', context: 'autodeploy') do
-              #{ _('Set up auto deploy') }
 
 %div{ class: [container_class, ("limit-container-width" unless fluid_layout)] }
   - if @project.archived?
@@ -81,7 +26,7 @@
         = icon("exclamation-triangle fw")
         #{ _('Archived project! Repository is read-only') }
 
-  - view_path = default_project_view
+  - view_path = @project.default_view
 
   - if show_auto_devops_callout?(@project)
     = render 'shared/auto_devops_callout'
diff --git a/app/views/shared/issuable/_form.html.haml b/app/views/shared/issuable/_form.html.haml
index 79021a08719..6dfabd7ba4c 100644
--- a/app/views/shared/issuable/_form.html.haml
+++ b/app/views/shared/issuable/_form.html.haml
@@ -69,7 +69,7 @@
     - else
       = form.submit 'Save changes', class: 'btn btn-save'
 
-  - if !issuable.persisted? && !issuable.project.empty_repo? && (guide_url = contribution_guide_path(issuable.project))
+  - if !issuable.persisted? && !issuable.project.empty_repo? && (guide_url = issuable.project.present.contribution_guide_path)
     .inline.prepend-top-10
       Please review the
       %strong= link_to('contribution guidelines', guide_url)
diff --git a/app/views/shared/projects/_project.html.haml b/app/views/shared/projects/_project.html.haml
index 33435216c14..0687f6d961d 100644
--- a/app/views/shared/projects/_project.html.haml
+++ b/app/views/shared/projects/_project.html.haml
@@ -6,7 +6,7 @@
 - user = local_assigns[:user]
 - access = user&.max_member_access_for_project(project.id) unless user.nil?
 - css_class = '' unless local_assigns[:css_class]
-- show_last_commit_as_description = false unless local_assigns[:show_last_commit_as_description] == true && project.commit
+- show_last_commit_as_description = false unless local_assigns[:show_last_commit_as_description] == true && can_show_last_commit_in_list?(project)
 - css_class += " no-description" if project.description.blank? && !show_last_commit_as_description
 - cache_key = project_list_cache_key(project)
 - updated_tooltip = time_ago_with_tooltip(project.last_activity_date)
@@ -47,7 +47,7 @@
       .prepend-top-0
         - if project.archived
           %span.prepend-left-10.label.label-warning archived
-        - if project.pipeline_status.has_status?
+        - if can?(current_user, :read_cross_project) && project.pipeline_status.has_status?
           %span.prepend-left-10
             = render_project_pipeline_status(project.pipeline_status)
         - if forks
diff --git a/app/views/users/show.html.haml b/app/views/users/show.html.haml
index a396d1007a7..4bf01ecb48c 100644
--- a/app/views/users/show.html.haml
+++ b/app/views/users/show.html.haml
@@ -82,47 +82,58 @@
       .fade-left= icon('angle-left')
       .fade-right= icon('angle-right')
       %ul.nav-links.user-profile-nav.scrolling-tabs
-        %li.js-activity-tab
-          = link_to user_path, data: { target: 'div#activity', action: 'activity', toggle: 'tab' } do
-            Activity
-        %li.js-groups-tab
-          = link_to user_groups_path, data: { target: 'div#groups', action: 'groups', toggle: 'tab', endpoint: user_groups_path(format: :json) } do
-            Groups
-        %li.js-contributed-tab
-          = link_to user_contributed_projects_path, data: { target: 'div#contributed', action: 'contributed', toggle: 'tab', endpoint: user_contributed_projects_path(format: :json) } do
-            Contributed projects
-        %li.js-projects-tab
-          = link_to user_projects_path, data: { target: 'div#projects', action: 'projects', toggle: 'tab', endpoint: user_projects_path(format: :json) } do
-            Personal projects
-        %li.js-snippets-tab
-          = link_to user_snippets_path, data: { target: 'div#snippets', action: 'snippets', toggle: 'tab', endpoint: user_snippets_path(format: :json) } do
-            Snippets
+        - if profile_tab?(:activity)
+          %li.js-activity-tab
+            = link_to user_path, data: { target: 'div#activity', action: 'activity', toggle: 'tab' } do
+              Activity
+        - if profile_tab?(:groups)
+          %li.js-groups-tab
+            = link_to user_groups_path, data: { target: 'div#groups', action: 'groups', toggle: 'tab', endpoint: user_groups_path(format: :json) } do
+              Groups
+        - if profile_tab?(:contributed)
+          %li.js-contributed-tab
+            = link_to user_contributed_projects_path, data: { target: 'div#contributed', action: 'contributed', toggle: 'tab', endpoint: user_contributed_projects_path(format: :json) } do
+              Contributed projects
+        - if profile_tab?(:projects)
+          %li.js-projects-tab
+            = link_to user_projects_path, data: { target: 'div#projects', action: 'projects', toggle: 'tab', endpoint: user_projects_path(format: :json) } do
+              Personal projects
+        - if profile_tab?(:snippets)
+          %li.js-snippets-tab
+            = link_to user_snippets_path, data: { target: 'div#snippets', action: 'snippets', toggle: 'tab', endpoint: user_snippets_path(format: :json) } do
+              Snippets
 
   %div{ class: container_class }
     .tab-content
-      #activity.tab-pane
-        .row-content-block.calender-block.white.second-block.hidden-xs
-          .user-calendar{ data: { calendar_path: user_calendar_path(@user, :json), calendar_activities_path: user_calendar_activities_path, utc_offset: Time.zone.utc_offset } }
-            %h4.center.light
-              %i.fa.fa-spinner.fa-spin
-          .user-calendar-activities
+      - if profile_tab?(:activity)
+        #activity.tab-pane
+          .row-content-block.calender-block.white.second-block.hidden-xs
+            .user-calendar{ data: { calendar_path: user_calendar_path(@user, :json), calendar_activities_path: user_calendar_activities_path, utc_offset: Time.zone.utc_offset } }
+              %h4.center.light
+                %i.fa.fa-spinner.fa-spin
+            .user-calendar-activities
 
-        %h4.prepend-top-20
-          Most Recent Activity
-        .content_list{ data: { href: user_path } }
-        = spinner
+          - if can?(current_user, :read_cross_project)
+            %h4.prepend-top-20
+              Most Recent Activity
+            .content_list{ data: { href: user_path } }
+            = spinner
 
-      #groups.tab-pane
-        -# This tab is always loaded via AJAX
+      - if profile_tab?(:groups)
+        #groups.tab-pane
+          -# This tab is always loaded via AJAX
 
-      #contributed.tab-pane
-        -# This tab is always loaded via AJAX
+      - if profile_tab?(:contributed)
+        #contributed.tab-pane
+          -# This tab is always loaded via AJAX
 
-      #projects.tab-pane
-        -# This tab is always loaded via AJAX
+      - if profile_tab?(:projects)
+        #projects.tab-pane
+          -# This tab is always loaded via AJAX
 
-      #snippets.tab-pane
-        -# This tab is always loaded via AJAX
+      - if profile_tab?(:snippets)
+        #snippets.tab-pane
+          -# This tab is always loaded via AJAX
 
     .loading-status
       = spinner
diff --git a/app/workers/all_queues.yml b/app/workers/all_queues.yml
index f2c20114534..28a5e5da037 100644
--- a/app/workers/all_queues.yml
+++ b/app/workers/all_queues.yml
@@ -3,6 +3,7 @@
 - cronjob:expire_build_artifacts
 - cronjob:gitlab_usage_ping
 - cronjob:import_export_project_cleanup
+- cronjob:pages_domain_verification_cron
 - cronjob:pipeline_schedule
 - cronjob:prune_old_events
 - cronjob:remove_expired_group_links
@@ -82,6 +83,7 @@
 - new_merge_request
 - new_note
 - pages
+- pages_domain_verification
 - post_receive
 - process_commit
 - project_cache
diff --git a/app/workers/pages_domain_verification_cron_worker.rb b/app/workers/pages_domain_verification_cron_worker.rb
new file mode 100644
index 00000000000..a3ff4bd2101
--- /dev/null
+++ b/app/workers/pages_domain_verification_cron_worker.rb
@@ -0,0 +1,10 @@
+class PagesDomainVerificationCronWorker
+  include ApplicationWorker
+  include CronjobQueue
+
+  def perform
+    PagesDomain.needs_verification.find_each do |domain|
+      PagesDomainVerificationWorker.perform_async(domain.id)
+    end
+  end
+end
diff --git a/app/workers/pages_domain_verification_worker.rb b/app/workers/pages_domain_verification_worker.rb
new file mode 100644
index 00000000000..2e93489113c
--- /dev/null
+++ b/app/workers/pages_domain_verification_worker.rb
@@ -0,0 +1,11 @@
+class PagesDomainVerificationWorker
+  include ApplicationWorker
+
+  def perform(domain_id)
+    domain = PagesDomain.find_by(id: domain_id)
+
+    return unless domain
+
+    VerifyPagesDomainService.new(domain).execute
+  end
+end
diff --git a/app/workers/stuck_import_jobs_worker.rb b/app/workers/stuck_import_jobs_worker.rb
index e0e6d1418de..fbb14efc525 100644
--- a/app/workers/stuck_import_jobs_worker.rb
+++ b/app/workers/stuck_import_jobs_worker.rb
@@ -16,43 +16,41 @@ class StuckImportJobsWorker
   private
 
   def mark_projects_without_jid_as_failed!
-    started_projects_without_jid.each do |project|
+    enqueued_projects_without_jid.each do |project|
       project.mark_import_as_failed(error_message)
     end.count
   end
 
   def mark_projects_with_jid_as_failed!
-    completed_jids_count = 0
+    jids_and_ids = enqueued_projects_with_jid.pluck(:import_jid, :id).to_h
 
-    started_projects_with_jid.find_in_batches(batch_size: 500) do |group|
-      jids = group.map(&:import_jid)
+    # Find the jobs that aren't currently running or that exceeded the threshold.
+    completed_jids = Gitlab::SidekiqStatus.completed_jids(jids_and_ids.keys)
+    return unless completed_jids.any?
 
-      # Find the jobs that aren't currently running or that exceeded the threshold.
-      completed_jids = Gitlab::SidekiqStatus.completed_jids(jids).to_set
+    completed_project_ids = jids_and_ids.values_at(*completed_jids)
 
-      if completed_jids.any?
-        completed_jids_count += completed_jids.count
-        group.each do |project|
-          project.mark_import_as_failed(error_message) if completed_jids.include?(project.import_jid)
-        end
+    # We select the projects again, because they may have transitioned from
+    # scheduled/started to finished/failed while we were looking up their Sidekiq status.
+    completed_projects = enqueued_projects_with_jid.where(id: completed_project_ids)
 
-        Rails.logger.info("Marked stuck import jobs as failed. JIDs: #{completed_jids.to_a.join(', ')}")
-      end
-    end
+    Rails.logger.info("Marked stuck import jobs as failed. JIDs: #{completed_projects.map(&:import_jid).join(', ')}")
 
-    completed_jids_count
+    completed_projects.each do |project|
+      project.mark_import_as_failed(error_message)
+    end.count
   end
 
-  def started_projects
-    Project.with_import_status(:started)
+  def enqueued_projects
+    Project.with_import_status(:scheduled, :started)
   end
 
-  def started_projects_with_jid
-    started_projects.where.not(import_jid: nil)
+  def enqueued_projects_with_jid
+    enqueued_projects.where.not(import_jid: nil)
   end
 
-  def started_projects_without_jid
-    started_projects.where(import_jid: nil)
+  def enqueued_projects_without_jid
+    enqueued_projects.where(import_jid: nil)
   end
 
   def error_message
diff --git a/changelogs/unreleased-ee/bvl-external-policy-classification.yml b/changelogs/unreleased-ee/bvl-external-policy-classification.yml
new file mode 100644
index 00000000000..074629c8c12
--- /dev/null
+++ b/changelogs/unreleased-ee/bvl-external-policy-classification.yml
@@ -0,0 +1,5 @@
+---
+title: Authorize project access with an external service
+merge_request: 4675
+author:
+type: added
diff --git a/changelogs/unreleased/14256-upload-destroy-removes-file.yml b/changelogs/unreleased/14256-upload-destroy-removes-file.yml
deleted file mode 100644
index d97188e23f1..00000000000
--- a/changelogs/unreleased/14256-upload-destroy-removes-file.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deleting an upload will correctly clean up the filesystem.
-merge_request: 16799
-author:
-type: fixed
diff --git a/changelogs/unreleased/16301-update-removed-assignee-note-to-include-old-assignee-reference.yml b/changelogs/unreleased/16301-update-removed-assignee-note-to-include-old-assignee-reference.yml
deleted file mode 100644
index e94b4f8bb26..00000000000
--- a/changelogs/unreleased/16301-update-removed-assignee-note-to-include-old-assignee-reference.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: "Update 'removed assignee' note to include old assignee reference"
-merge_request: 16301
-author: Maurizio De Santis
-type: changed
diff --git a/changelogs/unreleased/16468-add-fast-blank.yml b/changelogs/unreleased/16468-add-fast-blank.yml
deleted file mode 100644
index ef68888ae33..00000000000
--- a/changelogs/unreleased/16468-add-fast-blank.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: "Add fast-blank"
-merge_request: 16468
-author:
-type: performance
diff --git a/changelogs/unreleased/18040-line-breaks-around-conditional-blocks.yml b/changelogs/unreleased/18040-line-breaks-around-conditional-blocks.yml
deleted file mode 100644
index 447c65a3764..00000000000
--- a/changelogs/unreleased/18040-line-breaks-around-conditional-blocks.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Adds Rubocop rule for line break around conditionals
-merge_request: 15739
-author: Jacopo Beschi @jacopo-beschi
-type: added
diff --git a/changelogs/unreleased/19493-fork-does-not-protect-default-branch.yml b/changelogs/unreleased/19493-fork-does-not-protect-default-branch.yml
deleted file mode 100644
index 962f918e9db..00000000000
--- a/changelogs/unreleased/19493-fork-does-not-protect-default-branch.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Makes forking protect default branch on completion
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/21554-mark-new-user-as-external.yml b/changelogs/unreleased/21554-mark-new-user-as-external.yml
deleted file mode 100644
index fb0826fc176..00000000000
--- a/changelogs/unreleased/21554-mark-new-user-as-external.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Login via OAuth now only marks new users as external
-merge_request: 16672
-author:
-type: fixed
diff --git a/changelogs/unreleased/24035-api-create-application.yml b/changelogs/unreleased/24035-api-create-application.yml
deleted file mode 100644
index c583a020d9d..00000000000
--- a/changelogs/unreleased/24035-api-create-application.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Add application create API
-merge_request: 8160
-author: Nicolas Merelli @PNSalocin
diff --git a/changelogs/unreleased/24167__color_label.yml b/changelogs/unreleased/24167__color_label.yml
deleted file mode 100644
index 68c6c731163..00000000000
--- a/changelogs/unreleased/24167__color_label.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add Colors to GitLab Flavored Markdown
-merge_request: 16095
-author: Tony Rom <thetonyrom@gmail.com>
-type: added
diff --git a/changelogs/unreleased/25327-coverage-badge-rounding.yml b/changelogs/unreleased/25327-coverage-badge-rounding.yml
deleted file mode 100644
index ea985689484..00000000000
--- a/changelogs/unreleased/25327-coverage-badge-rounding.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Show coverage to two decimal points in coverage badge
-merge_request: 10083
-author: Jeff Stubler
-type: changed
diff --git a/changelogs/unreleased/26296-update-styling-disabled-buttons.yml b/changelogs/unreleased/26296-update-styling-disabled-buttons.yml
deleted file mode 100644
index 5fa109d75e0..00000000000
--- a/changelogs/unreleased/26296-update-styling-disabled-buttons.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Set standard disabled state for all buttons
-merge_request:
-author:
-type: other
diff --git a/changelogs/unreleased/26388-push-to-create-a-new-project.yml b/changelogs/unreleased/26388-push-to-create-a-new-project.yml
deleted file mode 100644
index f641fcced37..00000000000
--- a/changelogs/unreleased/26388-push-to-create-a-new-project.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: User can now git push to create a new project
-merge_request: 16547
-author:
-type: added
diff --git a/changelogs/unreleased/26468-fix-sort-by-recent-sign-in.yml b/changelogs/unreleased/26468-fix-sort-by-recent-sign-in.yml
deleted file mode 100644
index a2c81f6c995..00000000000
--- a/changelogs/unreleased/26468-fix-sort-by-recent-sign-in.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Fix Sort by Recent Sign-in in Admin Area
-merge_request: 13852
-author: Poornima M
diff --git a/changelogs/unreleased/28260-fix-pages-custom-domain-url.yml b/changelogs/unreleased/28260-fix-pages-custom-domain-url.yml
deleted file mode 100644
index edd63c4ea9c..00000000000
--- a/changelogs/unreleased/28260-fix-pages-custom-domain-url.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Generate HTTP URLs for custom Pages domains when appropriate
-merge_request: 16279
-author:
-type: fixed
diff --git a/changelogs/unreleased/29497-pages-custom-domain-dns-verification.yml b/changelogs/unreleased/29497-pages-custom-domain-dns-verification.yml
new file mode 100644
index 00000000000..f958f3f1272
--- /dev/null
+++ b/changelogs/unreleased/29497-pages-custom-domain-dns-verification.yml
@@ -0,0 +1,5 @@
+---
+title: Add verification for GitLab Pages custom domains
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/30106-group-issues.yml b/changelogs/unreleased/30106-group-issues.yml
deleted file mode 100644
index d24996e6087..00000000000
--- a/changelogs/unreleased/30106-group-issues.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Include subgroup issues and merge requests on the group page
-merge_request:
-author:
-type: changed
diff --git a/changelogs/unreleased/31885-ability-to-transfer-groups-to-another-group.yml b/changelogs/unreleased/31885-ability-to-transfer-groups-to-another-group.yml
deleted file mode 100644
index d2a5802af64..00000000000
--- a/changelogs/unreleased/31885-ability-to-transfer-groups-to-another-group.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add ability to transfer a group into another group
-merge_request: 16302
-author:
-type: added
diff --git a/changelogs/unreleased/32282-add-foreign-keys-to-todos.yml b/changelogs/unreleased/32282-add-foreign-keys-to-todos.yml
deleted file mode 100644
index e74c2a8b9ff..00000000000
--- a/changelogs/unreleased/32282-add-foreign-keys-to-todos.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add foreign key and NOT NULL constraints to todos table.
-merge_request: 16849
-author:
-type: other
diff --git a/changelogs/unreleased/32283-trending-projects-unique-constraint2.yml b/changelogs/unreleased/32283-trending-projects-unique-constraint2.yml
deleted file mode 100644
index 4fd6b6fddc4..00000000000
--- a/changelogs/unreleased/32283-trending-projects-unique-constraint2.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add unique constraint to trending_projects#project_id.
-merge_request: 16846
-author:
-type: other
diff --git a/changelogs/unreleased/34055-issues-enabled-filter-misbehavior.yml b/changelogs/unreleased/34055-issues-enabled-filter-misbehavior.yml
deleted file mode 100644
index 09e2af1e4d3..00000000000
--- a/changelogs/unreleased/34055-issues-enabled-filter-misbehavior.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Fix the Projects API with_issues_enabled filter behaving incorrectly
-  any user
-merge_request: 12724  
-author: Jan Christophersen
-type: fixed
diff --git a/changelogs/unreleased/34252-trailing-plus.yml b/changelogs/unreleased/34252-trailing-plus.yml
deleted file mode 100644
index fce17cb6ab9..00000000000
--- a/changelogs/unreleased/34252-trailing-plus.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Allow trailing + on labels in board filters
-merge_request: 16490
-author:
-type: fixed
diff --git a/changelogs/unreleased/34416-issue-i18n.yml b/changelogs/unreleased/34416-issue-i18n.yml
deleted file mode 100644
index 523073ee43b..00000000000
--- a/changelogs/unreleased/34416-issue-i18n.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Translate issuable sidebar
-merge_request:
-author:
-type: other
diff --git a/changelogs/unreleased/34733-fix-default-avatar-when-gravatar-disabled.yml b/changelogs/unreleased/34733-fix-default-avatar-when-gravatar-disabled.yml
deleted file mode 100644
index 0791847b64d..00000000000
--- a/changelogs/unreleased/34733-fix-default-avatar-when-gravatar-disabled.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix default avatar icon missing when Gravatar is disabled
-merge_request: 16681
-author: Felix Geyer
-type: fixed
diff --git a/changelogs/unreleased/35285-user-interface-bugs-for-schedule-pipelines.yml b/changelogs/unreleased/35285-user-interface-bugs-for-schedule-pipelines.yml
deleted file mode 100644
index f3a04469884..00000000000
--- a/changelogs/unreleased/35285-user-interface-bugs-for-schedule-pipelines.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Hide pipeline schedule take ownership for current owner
-merge_request: 12986
-author:
-type: fixed
diff --git a/changelogs/unreleased/35779-realtime-update-of-pipeline-status-in-files-view.yml b/changelogs/unreleased/35779-realtime-update-of-pipeline-status-in-files-view.yml
deleted file mode 100644
index 82df00fe631..00000000000
--- a/changelogs/unreleased/35779-realtime-update-of-pipeline-status-in-files-view.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add realtime ci status for the repository -> files view
-merge_request: 16523
-author:
-type: added
diff --git a/changelogs/unreleased/35856-implement-file-locking-api.yml b/changelogs/unreleased/35856-implement-file-locking-api.yml
deleted file mode 100644
index fa848ad9ed8..00000000000
--- a/changelogs/unreleased/35856-implement-file-locking-api.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Backport of LFS File Locking API
-merge_request: 16935
-author:
-type: added
diff --git a/changelogs/unreleased/36906-reordering-issues-to-the-bottom.yml b/changelogs/unreleased/36906-reordering-issues-to-the-bottom.yml
deleted file mode 100644
index 0ab765a43b7..00000000000
--- a/changelogs/unreleased/36906-reordering-issues-to-the-bottom.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: "Issue board: fix for dragging an issue to the very bottom in long lists"
-merge_request: 16250
-author: David Kuri
-type: fixed
\ No newline at end of file
diff --git a/changelogs/unreleased/37199-labels-fix.yml b/changelogs/unreleased/37199-labels-fix.yml
deleted file mode 100644
index bd70babb73d..00000000000
--- a/changelogs/unreleased/37199-labels-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Keep subscribers when promoting labels to group labels
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/37898-increase-readability-of-colored-text-in-job-output-log.yml b/changelogs/unreleased/37898-increase-readability-of-colored-text-in-job-output-log.yml
deleted file mode 100644
index 813b9ab81fa..00000000000
--- a/changelogs/unreleased/37898-increase-readability-of-colored-text-in-job-output-log.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: increase-readability-of-colored-text-in-job-output-log
-merge_request:
-author:
-type: other
diff --git a/changelogs/unreleased/38068-commits-count.yml b/changelogs/unreleased/38068-commits-count.yml
deleted file mode 100644
index 3fbf554c98c..00000000000
--- a/changelogs/unreleased/38068-commits-count.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Store number of commits in merge_request_diffs table.
-merge_request:
-author:
-type: performance
diff --git a/changelogs/unreleased/38175-add-domain-field-to-auto-devops-application-setting.yml b/changelogs/unreleased/38175-add-domain-field-to-auto-devops-application-setting.yml
deleted file mode 100644
index 475e1dc12b5..00000000000
--- a/changelogs/unreleased/38175-add-domain-field-to-auto-devops-application-setting.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add Auto DevOps Domain application setting
-merge_request: 16604
-author:
-type: changed
diff --git a/changelogs/unreleased/38265-stuckcijobsworker-wrongly-detects-cancels-stuck-builds-when-per-job-timeout-is-more-than-an-hour.yml b/changelogs/unreleased/38265-stuckcijobsworker-wrongly-detects-cancels-stuck-builds-when-per-job-timeout-is-more-than-an-hour.yml
deleted file mode 100644
index 4d8e6acfcb7..00000000000
--- a/changelogs/unreleased/38265-stuckcijobsworker-wrongly-detects-cancels-stuck-builds-when-per-job-timeout-is-more-than-an-hour.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update runner info on all authenticated requests
-merge_request: 16756
-author:
-type: changed
diff --git a/changelogs/unreleased/38540-ssh-env-file.yml b/changelogs/unreleased/38540-ssh-env-file.yml
deleted file mode 100644
index 5ada0ede76d..00000000000
--- a/changelogs/unreleased/38540-ssh-env-file.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: 'Closes #38540 - Remove .ssh/environment file that now breaks the gitlab:check
-  rake task'
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/39214__pipeline_api.yml b/changelogs/unreleased/39214__pipeline_api.yml
deleted file mode 100644
index 18ee2e43798..00000000000
--- a/changelogs/unreleased/39214__pipeline_api.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add `pipelines` endpoint to merge requests API
-merge_request: 15454
-author: Tony Rom <thetonyrom@gmail.com>
-type: added
diff --git a/changelogs/unreleased/39917-revert-this-merge-request-text.yml b/changelogs/unreleased/39917-revert-this-merge-request-text.yml
deleted file mode 100644
index 9a27be1f9c6..00000000000
--- a/changelogs/unreleased/39917-revert-this-merge-request-text.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Changes Revert this merge request text
-merge_request: 16611
-author: Jacopo Beschi @jacopo-beschi
-type: changed
diff --git a/changelogs/unreleased/39985-enable-prometheus-metrics-for-deployed-ingresses.yml b/changelogs/unreleased/39985-enable-prometheus-metrics-for-deployed-ingresses.yml
deleted file mode 100644
index 5c45d0db602..00000000000
--- a/changelogs/unreleased/39985-enable-prometheus-metrics-for-deployed-ingresses.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Enable Prometheus metrics for deployed Ingresses
-merge_request: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/16866
-author: joshlambert
-type: changed
diff --git a/changelogs/unreleased/39988-hide-new-branch-tag-empty-repo.yml b/changelogs/unreleased/39988-hide-new-branch-tag-empty-repo.yml
deleted file mode 100644
index 4f2c87c44b3..00000000000
--- a/changelogs/unreleased/39988-hide-new-branch-tag-empty-repo.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Hide new branch and tag links for projects with an empty repo
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/40028-special-characters-on-issuable-templates.yml b/changelogs/unreleased/40028-special-characters-on-issuable-templates.yml
deleted file mode 100644
index ffab28acbd5..00000000000
--- a/changelogs/unreleased/40028-special-characters-on-issuable-templates.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Handle special characters on API request of issuable templates
-merge_request: 15323
-author: Takuya Noguchi
-type: fixed
diff --git a/changelogs/unreleased/40029-better-error-handling-on-issuable-templates.yml b/changelogs/unreleased/40029-better-error-handling-on-issuable-templates.yml
deleted file mode 100644
index 519f411d642..00000000000
--- a/changelogs/unreleased/40029-better-error-handling-on-issuable-templates.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Stop loading spinner on error of issuable templates
-merge_request: 16600
-author: Takuya Noguchi
-type: fixed
diff --git a/changelogs/unreleased/4020-rebase-message.yml b/changelogs/unreleased/4020-rebase-message.yml
deleted file mode 100644
index 4793f3d9cb9..00000000000
--- a/changelogs/unreleased/4020-rebase-message.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Display user friendly error message if rebase fails.
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/40492-update-admin-dashboard-content-order.yml b/changelogs/unreleased/40492-update-admin-dashboard-content-order.yml
deleted file mode 100644
index 2416b15b6d5..00000000000
--- a/changelogs/unreleased/40492-update-admin-dashboard-content-order.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Move row containing Projects, Users and Groups count to the top in admin dashboard
-merge_request: 16421
-author:
-type: changed
diff --git a/changelogs/unreleased/40540-use-limit-for-global-search.yml b/changelogs/unreleased/40540-use-limit-for-global-search.yml
deleted file mode 100644
index 7d9612c16df..00000000000
--- a/changelogs/unreleased/40540-use-limit-for-global-search.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Optimize search queries on the search page by setting a limit for matching records.
-merge_request:
-author:
-type: performance
diff --git a/changelogs/unreleased/40755-snippets-author-n-1.yml b/changelogs/unreleased/40755-snippets-author-n-1.yml
deleted file mode 100644
index 6e09c8a54ec..00000000000
--- a/changelogs/unreleased/40755-snippets-author-n-1.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix N+1 query problem for snippets dashboard.
-merge_request: 16944
-author:
-type: performance
diff --git a/changelogs/unreleased/40793-fix-mr-title-for-jira.yml b/changelogs/unreleased/40793-fix-mr-title-for-jira.yml
deleted file mode 100644
index 69461510a87..00000000000
--- a/changelogs/unreleased/40793-fix-mr-title-for-jira.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent JIRA issue identifier from being humanized.
-merge_request: 16491
-author: Andrew McCallum
-type: fixed
diff --git a/changelogs/unreleased/40818-last-push-widget-does-not-appear-after-pushing-new-commit.yml b/changelogs/unreleased/40818-last-push-widget-does-not-appear-after-pushing-new-commit.yml
deleted file mode 100644
index c57caf31d10..00000000000
--- a/changelogs/unreleased/40818-last-push-widget-does-not-appear-after-pushing-new-commit.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Last push widget will show banner for new pushes to previously merged branch
-merge_request:
-author:
-type: changed
diff --git a/changelogs/unreleased/41118-add-sorting-to-deployments-api.yml b/changelogs/unreleased/41118-add-sorting-to-deployments-api.yml
deleted file mode 100644
index a08f75f9fb9..00000000000
--- a/changelogs/unreleased/41118-add-sorting-to-deployments-api.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Adds sorting to deployments API
-merge_request: !16396
-author: Jacopo Beschi @jacopo-beschi
-type: added
diff --git a/changelogs/unreleased/41163-improve-cluster-ingress-extra-cost-language.yml b/changelogs/unreleased/41163-improve-cluster-ingress-extra-cost-language.yml
deleted file mode 100644
index 9c48831855c..00000000000
--- a/changelogs/unreleased/41163-improve-cluster-ingress-extra-cost-language.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Improve wording about additional costs for Ingress on custom clusters
-merge_request:
-author:
-type: changed
diff --git a/changelogs/unreleased/41206-show-signin-pane-after-email-confirmation.yml b/changelogs/unreleased/41206-show-signin-pane-after-email-confirmation.yml
deleted file mode 100644
index 5e706740962..00000000000
--- a/changelogs/unreleased/41206-show-signin-pane-after-email-confirmation.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Shows signin tab after new user email confirmation
-merge_request: 16174
-author: Jacopo Beschi @jacopo-beschi
-type: fixed
diff --git a/changelogs/unreleased/41208-commit-atom-feeds-double-escaped.yml b/changelogs/unreleased/41208-commit-atom-feeds-double-escaped.yml
deleted file mode 100644
index 76d3c6eda24..00000000000
--- a/changelogs/unreleased/41208-commit-atom-feeds-double-escaped.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Allows html text in commits atom feed
-merge_request: 16603
-author: Jacopo Beschi @jacopo-beschi
-type: fixed
diff --git a/changelogs/unreleased/41209-ci-linter-fails-on-gitlab-ci-blob-viewer.yml b/changelogs/unreleased/41209-ci-linter-fails-on-gitlab-ci-blob-viewer.yml
deleted file mode 100644
index 61d6bf8fd36..00000000000
--- a/changelogs/unreleased/41209-ci-linter-fails-on-gitlab-ci-blob-viewer.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: 'Handle all Psych YAML parser exceptions (fixes #41209)'
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/41247-timestamp.yml b/changelogs/unreleased/41247-timestamp.yml
deleted file mode 100644
index 65f1a7485ad..00000000000
--- a/changelogs/unreleased/41247-timestamp.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: For issues display time of last edit of title or description instead of time
-  of any attribute change
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/41476-enable-project-milestons-deletion-via-api.yml b/changelogs/unreleased/41476-enable-project-milestons-deletion-via-api.yml
deleted file mode 100644
index bb5c1fdf082..00000000000
--- a/changelogs/unreleased/41476-enable-project-milestons-deletion-via-api.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Enables Project Milestone Deletion via the API
-merge_request: 16478
-author: Jacopo Beschi @jacopo-beschi
-type: added
diff --git a/changelogs/unreleased/41532-email-reason.yml b/changelogs/unreleased/41532-email-reason.yml
deleted file mode 100644
index 83c28769217..00000000000
--- a/changelogs/unreleased/41532-email-reason.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Initial work to add notification reason to emails
-merge_request: 16160
-author: Mario de la Ossa
-type: added
diff --git a/changelogs/unreleased/41546-count-query-for-issues-and-mrs-runs-twice-on-group-index.yml b/changelogs/unreleased/41546-count-query-for-issues-and-mrs-runs-twice-on-group-index.yml
deleted file mode 100644
index 7e42dc20ae8..00000000000
--- a/changelogs/unreleased/41546-count-query-for-issues-and-mrs-runs-twice-on-group-index.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix double query execution on groups page
-merge_request: 16314
-author:
-type: performance
diff --git a/changelogs/unreleased/41600-wider-project-readme-on-fixed-layout.yml b/changelogs/unreleased/41600-wider-project-readme-on-fixed-layout.yml
deleted file mode 100644
index e50f6046b17..00000000000
--- a/changelogs/unreleased/41600-wider-project-readme-on-fixed-layout.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Make project README containers wider on fixed layout
-merge_request: 16181
-author: Takuya Noguchi
-type: fixed
diff --git a/changelogs/unreleased/41613-fix-redundant-modal.yml b/changelogs/unreleased/41613-fix-redundant-modal.yml
deleted file mode 100644
index 9e157b3065a..00000000000
--- a/changelogs/unreleased/41613-fix-redundant-modal.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Make modal dialog common for Groups tree app
-merge_request: 16311
-author:
-type: fixed
diff --git a/changelogs/unreleased/41619-turn-on-legacy-authorization-for-new-clusters-on-gke.yml b/changelogs/unreleased/41619-turn-on-legacy-authorization-for-new-clusters-on-gke.yml
new file mode 100644
index 00000000000..507367c98c4
--- /dev/null
+++ b/changelogs/unreleased/41619-turn-on-legacy-authorization-for-new-clusters-on-gke.yml
@@ -0,0 +1,5 @@
+---
+title: Enable Legacy Authorization by default on Cluster creations
+merge_request: 17302
+author:
+type: fixed
diff --git a/changelogs/unreleased/41666-cannot-search-with-keyword-merge-2.yml b/changelogs/unreleased/41666-cannot-search-with-keyword-merge-2.yml
deleted file mode 100644
index 48893862071..00000000000
--- a/changelogs/unreleased/41666-cannot-search-with-keyword-merge-2.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Only highlight search results under the highlighting size limit
-merge_request: 16462
-author:
-type: performance
diff --git a/changelogs/unreleased/41666-cannot-search-with-keyword-merge.yml b/changelogs/unreleased/41666-cannot-search-with-keyword-merge.yml
deleted file mode 100644
index 3a6fa425c9c..00000000000
--- a/changelogs/unreleased/41666-cannot-search-with-keyword-merge.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Fix file search results when they match file contents with a number between
-  two colons
-merge_request: 16462
-author:
-type: fixed
diff --git a/changelogs/unreleased/41672-emphasize-gke-cluster-to-new-users.yml b/changelogs/unreleased/41672-emphasize-gke-cluster-to-new-users.yml
deleted file mode 100644
index 6b0d443e097..00000000000
--- a/changelogs/unreleased/41672-emphasize-gke-cluster-to-new-users.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add blue dot feature highlight to make GKE Clusters more visible to users
-merge_request: 16379
-author:
-type: added
diff --git a/changelogs/unreleased/41673-blank-query-members-api.yml b/changelogs/unreleased/41673-blank-query-members-api.yml
deleted file mode 100644
index 677c5e250c8..00000000000
--- a/changelogs/unreleased/41673-blank-query-members-api.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix error on empty query for Members API
-merge_request: 16235
-author:
-type: fixed
diff --git a/changelogs/unreleased/41709-rich-blob-viewer-margins-for-pc.yml b/changelogs/unreleased/41709-rich-blob-viewer-margins-for-pc.yml
deleted file mode 100644
index 51285e5476f..00000000000
--- a/changelogs/unreleased/41709-rich-blob-viewer-margins-for-pc.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Make rich blob viewer wider for PC
-merge_request: 16262
-author: Takuya Noguchi
-type: fixed
diff --git a/changelogs/unreleased/41731-predicate-memoization.yml b/changelogs/unreleased/41731-predicate-memoization.yml
deleted file mode 100644
index 110f78063f4..00000000000
--- a/changelogs/unreleased/41731-predicate-memoization.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Properly memoize some predicate methods
-merge_request: 16329
-author:
-type: performance
diff --git a/changelogs/unreleased/41743-unused-selectors-for-cycle-analytics.yml b/changelogs/unreleased/41743-unused-selectors-for-cycle-analytics.yml
deleted file mode 100644
index 03060c357fe..00000000000
--- a/changelogs/unreleased/41743-unused-selectors-for-cycle-analytics.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Remove unused CSS selectors for Cycle Analytics
-merge_request: 16270
-author: Takuya Noguchi
-type: other
diff --git a/changelogs/unreleased/41744-substitute-ui-charcoal-with-ui-indigo.yml b/changelogs/unreleased/41744-substitute-ui-charcoal-with-ui-indigo.yml
deleted file mode 100644
index 593d3741a09..00000000000
--- a/changelogs/unreleased/41744-substitute-ui-charcoal-with-ui-indigo.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Substitute deprecated ui_charcoal with new default ui_indigo
-merge_request: 16271
-author: Takuya Noguchi
-type: fixed
diff --git a/changelogs/unreleased/41749-postgres-9-6-for-ci-tests.yml b/changelogs/unreleased/41749-postgres-9-6-for-ci-tests.yml
deleted file mode 100644
index 2a3d00f8e5f..00000000000
--- a/changelogs/unreleased/41749-postgres-9-6-for-ci-tests.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add reason to keep postgresql 9.2 for CI
-merge_request: 16277
-author: Takuya Noguchi
-type: other
diff --git a/changelogs/unreleased/41763-search-api.yml b/changelogs/unreleased/41763-search-api.yml
deleted file mode 100644
index 0a760a66510..00000000000
--- a/changelogs/unreleased/41763-search-api.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add search support into the API
-merge_request: 16878
-author:
-type: added
diff --git a/changelogs/unreleased/41771-reduce-cardinality-of-metrics.yml b/changelogs/unreleased/41771-reduce-cardinality-of-metrics.yml
deleted file mode 100644
index f64fd66ef79..00000000000
--- a/changelogs/unreleased/41771-reduce-cardinality-of-metrics.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Reduce the number of Prometheus metrics
-merge_request: 16443
-author:
-type: performance
diff --git a/changelogs/unreleased/41802-add-space-to-edit-delete-tag-btns.yml b/changelogs/unreleased/41802-add-space-to-edit-delete-tag-btns.yml
deleted file mode 100644
index f23a6452b0d..00000000000
--- a/changelogs/unreleased/41802-add-space-to-edit-delete-tag-btns.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Adds spacing between edit and delete tag btn in tag list
-merge_request: 16757
-author: Jacopo Beschi @jacopo-beschi
-type: fixed
diff --git a/changelogs/unreleased/41807-15665-consistently-502s-because-it-fetches-every-commit.yml b/changelogs/unreleased/41807-15665-consistently-502s-because-it-fetches-every-commit.yml
deleted file mode 100644
index 146ae12afbd..00000000000
--- a/changelogs/unreleased/41807-15665-consistently-502s-because-it-fetches-every-commit.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Speed up loading merged merge requests when they contained a lot of commits
-  before merging
-merge_request: 16320
-author:
-type: performance
diff --git a/changelogs/unreleased/41814-text-decoration-skip.yml b/changelogs/unreleased/41814-text-decoration-skip.yml
deleted file mode 100644
index 3e39d26be93..00000000000
--- a/changelogs/unreleased/41814-text-decoration-skip.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Improve readability of underlined links for dyslexic users
-merge_request:
-author:
-type: other
diff --git a/changelogs/unreleased/41956-fix-ctrl-enter-binding-to-save-comment.yml b/changelogs/unreleased/41956-fix-ctrl-enter-binding-to-save-comment.yml
deleted file mode 100644
index 32a6f87d98e..00000000000
--- a/changelogs/unreleased/41956-fix-ctrl-enter-binding-to-save-comment.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix Ctrl+Enter keyboard shortcut saving comment/note edit
-merge_request: 16415
-author:
-type: fixed
diff --git a/changelogs/unreleased/42044-osw-add-button-to-deploy-runner-to-kubernetes.yml b/changelogs/unreleased/42044-osw-add-button-to-deploy-runner-to-kubernetes.yml
new file mode 100644
index 00000000000..6cf0de5b3fa
--- /dev/null
+++ b/changelogs/unreleased/42044-osw-add-button-to-deploy-runner-to-kubernetes.yml
@@ -0,0 +1,5 @@
+---
+title: Add a button to deploy a runner to a Kubernetes cluster in the settings page
+merge_request: 17278
+author:
+type: changed
diff --git a/changelogs/unreleased/42047-pg-10-support.yml b/changelogs/unreleased/42047-pg-10-support.yml
deleted file mode 100644
index f98e59329c3..00000000000
--- a/changelogs/unreleased/42047-pg-10-support.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Support PostgreSQL 10
-merge_request: 16471
-author:
-type: added
diff --git a/changelogs/unreleased/42053-link-to-clusters-in-auto-devops-instead-of-kubernetes-service.yml b/changelogs/unreleased/42053-link-to-clusters-in-auto-devops-instead-of-kubernetes-service.yml
deleted file mode 100644
index 5cb5dc3ccd8..00000000000
--- a/changelogs/unreleased/42053-link-to-clusters-in-auto-devops-instead-of-kubernetes-service.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Link Auto DevOps settings to Clusters page
-merge_request: 16641
-author:
-type: changed
diff --git a/changelogs/unreleased/42055-update-marked-from-0-3-6-to-0-3-12.yml b/changelogs/unreleased/42055-update-marked-from-0-3-6-to-0-3-12.yml
deleted file mode 100644
index 2b043761856..00000000000
--- a/changelogs/unreleased/42055-update-marked-from-0-3-6-to-0-3-12.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update marked from 0.3.6 to 0.3.12
-merge_request: 16480
-author: Takuya Noguchi
-type: security
diff --git a/changelogs/unreleased/42154-fix-artifact-size-calc.yml b/changelogs/unreleased/42154-fix-artifact-size-calc.yml
deleted file mode 100644
index 3d6911abf09..00000000000
--- a/changelogs/unreleased/42154-fix-artifact-size-calc.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix a bug calculating artifact size for project statistics
-merge_request: 16539
-author:
-type: fixed
diff --git a/changelogs/unreleased/42157-41989-fix-duplicate-in-create-item-dropdown.yml b/changelogs/unreleased/42157-41989-fix-duplicate-in-create-item-dropdown.yml
deleted file mode 100644
index ac8e4b034b5..00000000000
--- a/changelogs/unreleased/42157-41989-fix-duplicate-in-create-item-dropdown.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix duplicate item in protected branch/tag dropdown
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/42206-permit-password-for-git-param.yml b/changelogs/unreleased/42206-permit-password-for-git-param.yml
deleted file mode 100644
index 563dd528ad5..00000000000
--- a/changelogs/unreleased/42206-permit-password-for-git-param.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Permits 'password_authentication_enabled_for_git' parameter for ApplicationSettingsController
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/42220-add-pending-empty-state.yml b/changelogs/unreleased/42220-add-pending-empty-state.yml
deleted file mode 100644
index ad39578f2d9..00000000000
--- a/changelogs/unreleased/42220-add-pending-empty-state.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Adds empty state illustration for pending job
-merge_request:
-author:
-type: other
diff --git a/changelogs/unreleased/42231-protected-branches-api-route-returns-404-for-branches-with-dots.yml b/changelogs/unreleased/42231-protected-branches-api-route-returns-404-for-branches-with-dots.yml
deleted file mode 100644
index fbc589ea53d..00000000000
--- a/changelogs/unreleased/42231-protected-branches-api-route-returns-404-for-branches-with-dots.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix protected branches API to accept name parameter with dot
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/42251-explicit-timezone-for-karma.yml b/changelogs/unreleased/42251-explicit-timezone-for-karma.yml
deleted file mode 100644
index 25e0e774c48..00000000000
--- a/changelogs/unreleased/42251-explicit-timezone-for-karma.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Set timezone for karma to UTC
-merge_request: 16602
-author: Takuya Noguchi
-type: other
diff --git a/changelogs/unreleased/42255-disable-mr-checkout-button-when-source-branch-deleted.yml b/changelogs/unreleased/42255-disable-mr-checkout-button-when-source-branch-deleted.yml
deleted file mode 100644
index bd7e0d3a1b0..00000000000
--- a/changelogs/unreleased/42255-disable-mr-checkout-button-when-source-branch-deleted.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disable MR check out button when source branch is deleted
-merge_request: 16631
-author: Jacopo Beschi @jacopo-beschi
-type: fixed
diff --git a/changelogs/unreleased/42270-fix-namespace-remove-exports-for-hashed-storage.yml b/changelogs/unreleased/42270-fix-namespace-remove-exports-for-hashed-storage.yml
deleted file mode 100644
index d7a8b6e6f81..00000000000
--- a/changelogs/unreleased/42270-fix-namespace-remove-exports-for-hashed-storage.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Fix export removal for hashed-storage projects within a renamed or deleted
-  namespace
-merge_request: 16658
-author:
-type: fixed
diff --git a/changelogs/unreleased/42285-not-found-status-icon.yml b/changelogs/unreleased/42285-not-found-status-icon.yml
deleted file mode 100644
index ea7ff9d6ae7..00000000000
--- a/changelogs/unreleased/42285-not-found-status-icon.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Replace verified badge icons and uniform colors
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/42332-actionview-template-error-366-524-out-of-range.yml b/changelogs/unreleased/42332-actionview-template-error-366-524-out-of-range.yml
new file mode 100644
index 00000000000..626c761bfbd
--- /dev/null
+++ b/changelogs/unreleased/42332-actionview-template-error-366-524-out-of-range.yml
@@ -0,0 +1,5 @@
+---
+title: Fix 500 error being shown when diff has context marker with invalid encoding
+merge_request:
+author:
+type: fixed
diff --git a/changelogs/unreleased/42431-add-auto-devops-and-clusters-button-to-projects.yml b/changelogs/unreleased/42431-add-auto-devops-and-clusters-button-to-projects.yml
new file mode 100644
index 00000000000..5613b2af763
--- /dev/null
+++ b/changelogs/unreleased/42431-add-auto-devops-and-clusters-button-to-projects.yml
@@ -0,0 +1,6 @@
+---
+title: Add a button on the project page to set up a Kubernetes cluster and enable
+  Auto DevOps
+merge_request: 16900
+author:
+type: added
diff --git a/changelogs/unreleased/42462-edit-note.yml b/changelogs/unreleased/42462-edit-note.yml
deleted file mode 100644
index 8df98f3ecef..00000000000
--- a/changelogs/unreleased/42462-edit-note.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix cnacel edit note button reverting changes
-merge_request: 42462
-author:
-type: fixed
diff --git a/changelogs/unreleased/42497-rubocop-style-regexpliteral.yml b/changelogs/unreleased/42497-rubocop-style-regexpliteral.yml
deleted file mode 100644
index 6053883bac4..00000000000
--- a/changelogs/unreleased/42497-rubocop-style-regexpliteral.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Enable RuboCop Style/RegexpLiteral
-merge_request: 16752
-author: Takuya Noguchi
-type: other
diff --git a/changelogs/unreleased/42545-milestion-quick-actions-for-groups.yml b/changelogs/unreleased/42545-milestion-quick-actions-for-groups.yml
new file mode 100644
index 00000000000..d29f79aaaf8
--- /dev/null
+++ b/changelogs/unreleased/42545-milestion-quick-actions-for-groups.yml
@@ -0,0 +1,5 @@
+---
+title: Allows the usage of /milestone quick action for group milestones
+merge_request: 17239
+author: Jacopo Beschi @jacopo-beschi
+type: fixed
diff --git a/changelogs/unreleased/42547-upload-store-mount-point.yml b/changelogs/unreleased/42547-upload-store-mount-point.yml
deleted file mode 100644
index 35ae022984e..00000000000
--- a/changelogs/unreleased/42547-upload-store-mount-point.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Added uploader metadata to the uploads.
-merge_request: 16779
-author:
-type: added
diff --git a/changelogs/unreleased/42584-fix-margins-in-tag-list.yml b/changelogs/unreleased/42584-fix-margins-in-tag-list.yml
deleted file mode 100644
index 38b3dd85fd8..00000000000
--- a/changelogs/unreleased/42584-fix-margins-in-tag-list.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixes different margins between buttons in tag list
-merge_request: 16927
-author: Jacopo Beschi @jacopo-beschi
-type: fixed
diff --git a/changelogs/unreleased/42641-monaco-service-workers-do-not-work-with-cdn-enabled.yml b/changelogs/unreleased/42641-monaco-service-workers-do-not-work-with-cdn-enabled.yml
deleted file mode 100644
index 955a5a27e21..00000000000
--- a/changelogs/unreleased/42641-monaco-service-workers-do-not-work-with-cdn-enabled.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix monaco editor features which were incompatable with GitLab CDN settings
-merge_request: 17021
-author:
-type: fixed
diff --git a/changelogs/unreleased/42669-allow-order_by-users-in-gitlab-api.yml b/changelogs/unreleased/42669-allow-order_by-users-in-gitlab-api.yml
deleted file mode 100644
index 24fcc38ee0e..00000000000
--- a/changelogs/unreleased/42669-allow-order_by-users-in-gitlab-api.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add sorting options for /users API (admin only)
-merge_request: 16945
-author:
-type: added
diff --git a/changelogs/unreleased/42684-set-up-ci-set-up-ci-cd.yml b/changelogs/unreleased/42684-set-up-ci-set-up-ci-cd.yml
deleted file mode 100644
index 0ef28e2ee01..00000000000
--- a/changelogs/unreleased/42684-set-up-ci-set-up-ci-cd.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Rename button to enable CI/CD configuration to "Set up CI/CD"
-merge_request: 16870
-author:
-type: changed
diff --git a/changelogs/unreleased/42693-42693-add-a-link-to-documentation-on-how-to-get-external-ip-in-the-kubernetes-cluster-details-page.yml b/changelogs/unreleased/42693-42693-add-a-link-to-documentation-on-how-to-get-external-ip-in-the-kubernetes-cluster-details-page.yml
deleted file mode 100644
index aeadf8ffc4a..00000000000
--- a/changelogs/unreleased/42693-42693-add-a-link-to-documentation-on-how-to-get-external-ip-in-the-kubernetes-cluster-details-page.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add a link to documentation on how to get external ip in the Kubernetes cluster details page
-merge_request: 16937
-author:
-type: added
diff --git a/changelogs/unreleased/42730-close-rugged-repository.yml b/changelogs/unreleased/42730-close-rugged-repository.yml
deleted file mode 100644
index a632f5030a5..00000000000
--- a/changelogs/unreleased/42730-close-rugged-repository.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Close low level rugged repository in project cache worker
-merge_request: 16930
-author: Bastian Blank
-type: fixed
diff --git a/changelogs/unreleased/43134-reduce-queries-pipelines-controller-show.yml b/changelogs/unreleased/43134-reduce-queries-pipelines-controller-show.yml
new file mode 100644
index 00000000000..c1e9614b676
--- /dev/null
+++ b/changelogs/unreleased/43134-reduce-queries-pipelines-controller-show.yml
@@ -0,0 +1,5 @@
+---
+title: Improve performance of pipeline page by reducing DB queries
+merge_request: 17168
+author:
+type: performance
diff --git a/changelogs/unreleased/43261-fix-import-from-url-name-collision-active-tab.yml b/changelogs/unreleased/43261-fix-import-from-url-name-collision-active-tab.yml
new file mode 100644
index 00000000000..71073b2e214
--- /dev/null
+++ b/changelogs/unreleased/43261-fix-import-from-url-name-collision-active-tab.yml
@@ -0,0 +1,6 @@
+---
+title: Keep "Import project" tab/form active when validation fails trying to import
+  "Repo by URL"
+merge_request: 17136
+author:
+type: fixed
diff --git a/changelogs/unreleased/43373-fix-cache-index-appending.yml b/changelogs/unreleased/43373-fix-cache-index-appending.yml
new file mode 100644
index 00000000000..fdb293ea04d
--- /dev/null
+++ b/changelogs/unreleased/43373-fix-cache-index-appending.yml
@@ -0,0 +1,5 @@
+---
+title: Fix issue with cache key being empty when variable used as the key
+merge_request: 17260
+author:
+type: fixed
diff --git a/changelogs/unreleased/43496-error-message-for-gke-clusters-persists-in-the-next-page.yml b/changelogs/unreleased/43496-error-message-for-gke-clusters-persists-in-the-next-page.yml
new file mode 100644
index 00000000000..c10b0e7a3cf
--- /dev/null
+++ b/changelogs/unreleased/43496-error-message-for-gke-clusters-persists-in-the-next-page.yml
@@ -0,0 +1,5 @@
+---
+title: Do not persist Google Project verification flash errors after a page reload
+merge_request: 17299
+author:
+type: fixed
diff --git a/changelogs/unreleased/add-confirmation-input-for-modals.yml b/changelogs/unreleased/add-confirmation-input-for-modals.yml
deleted file mode 100644
index ff1027bc55a..00000000000
--- a/changelogs/unreleased/add-confirmation-input-for-modals.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add confirmation-input component
-merge_request: 16816
-author:
-type: other
diff --git a/changelogs/unreleased/bump-workhorse.yml b/changelogs/unreleased/bump-workhorse.yml
deleted file mode 100644
index 37ee402dac7..00000000000
--- a/changelogs/unreleased/bump-workhorse.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Upgrade GitLab Workhorse to v3.6.0
-merge_request:
-author:
-type: other
diff --git a/changelogs/unreleased/bvl-fix-concurrent-fork-network-migrations.yml b/changelogs/unreleased/bvl-fix-concurrent-fork-network-migrations.yml
deleted file mode 100644
index b2a77f75e55..00000000000
--- a/changelogs/unreleased/bvl-fix-concurrent-fork-network-migrations.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Avoid running `PopulateForkNetworksRange`-migration multiple times
-merge_request: 16988
-author:
-type: fixed
diff --git a/changelogs/unreleased/contribution_calendar_label_cut_off.yml b/changelogs/unreleased/contribution_calendar_label_cut_off.yml
deleted file mode 100644
index 0b4a746bab8..00000000000
--- a/changelogs/unreleased/contribution_calendar_label_cut_off.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Contribution calendar label was cut off
-merge_request:
-author: Branka Martinovic
-type: fixed
diff --git a/changelogs/unreleased/cs-fix-commercial-content-check.yml b/changelogs/unreleased/cs-fix-commercial-content-check.yml
deleted file mode 100644
index fec80e3ecd2..00000000000
--- a/changelogs/unreleased/cs-fix-commercial-content-check.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Fix version information not showing on help page if commercial content display
-  was disabled.
-merge_request: 16743
-author: 
-type: fixed
diff --git a/changelogs/unreleased/da-verify-integrity-of-uploaded-files.yml b/changelogs/unreleased/da-verify-integrity-of-uploaded-files.yml
deleted file mode 100644
index 5b850c92d17..00000000000
--- a/changelogs/unreleased/da-verify-integrity-of-uploaded-files.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add rake task to check integrity of uploaded files
-merge_request:
-author:
-type: added
diff --git a/changelogs/unreleased/default-to-https-for-gravatar-urls.yml b/changelogs/unreleased/default-to-https-for-gravatar-urls.yml
deleted file mode 100644
index 544c34fe31d..00000000000
--- a/changelogs/unreleased/default-to-https-for-gravatar-urls.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Default to HTTPS for all Gravatar URLs
-merge_request: 16666
-author:
-type: fixed
diff --git a/changelogs/unreleased/disable-throwOnError-in-katex.yml b/changelogs/unreleased/disable-throwOnError-in-katex.yml
deleted file mode 100644
index 0cd17bb29fe..00000000000
--- a/changelogs/unreleased/disable-throwOnError-in-katex.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disable throwOnError in KaTeX to reveal user where is the problem
-merge_request: 16684
-author: Jakub Jirutka
-type: other
diff --git a/changelogs/unreleased/display-mr-in-commit-page.yml b/changelogs/unreleased/display-mr-in-commit-page.yml
deleted file mode 100644
index a9224c00b66..00000000000
--- a/changelogs/unreleased/display-mr-in-commit-page.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add link on commit page to merge request that introduced that commit
-merge_request: 13713
-author: Hiroyuki Sato
-type: added
diff --git a/changelogs/unreleased/36571-ignore-root-in-repo.yml b/changelogs/unreleased/dm-go-get-api-token.yml
index 396e82be51b..ad9cfe05849 100644
--- a/changelogs/unreleased/36571-ignore-root-in-repo.yml
+++ b/changelogs/unreleased/dm-go-get-api-token.yml
@@ -1,5 +1,5 @@
 ---
-title: Ignore leading slashes when searching for files within context of repository.
+title: Allow token authentication on go-get request
 merge_request:
-author: Andrew McCallum
-type: fixed
+author:
+type: changed
diff --git a/changelogs/unreleased/dm-project-system-hooks-in-transaction.yml b/changelogs/unreleased/dm-project-system-hooks-in-transaction.yml
deleted file mode 100644
index f59021c0ec9..00000000000
--- a/changelogs/unreleased/dm-project-system-hooks-in-transaction.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Execute system hooks after-commit when executing project hooks
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/dm-route-path-validation.yml b/changelogs/unreleased/dm-route-path-validation.yml
deleted file mode 100644
index df3ed1de1b9..00000000000
--- a/changelogs/unreleased/dm-route-path-validation.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Validate user, group and project paths consistently, and only once
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/dm-stuck-import-jobs-verify.yml b/changelogs/unreleased/dm-stuck-import-jobs-verify.yml
new file mode 100644
index 00000000000..ed2c2d30f0d
--- /dev/null
+++ b/changelogs/unreleased/dm-stuck-import-jobs-verify.yml
@@ -0,0 +1,5 @@
+---
+title: Verify project import status again before marking as failed
+merge_request:
+author:
+type: fixed
diff --git a/changelogs/unreleased/feat-add-section-headers-to-plus-button-dropdown.yml b/changelogs/unreleased/feat-add-section-headers-to-plus-button-dropdown.yml
deleted file mode 100644
index 3fce53bc941..00000000000
--- a/changelogs/unreleased/feat-add-section-headers-to-plus-button-dropdown.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add section headers to plus button dropdown
-merge_request: 16394
-author: George Tsiolis
-type: added
diff --git a/changelogs/unreleased/feat-add-section-headers-to-project-repo-buttons.yml b/changelogs/unreleased/feat-add-section-headers-to-project-repo-buttons.yml
deleted file mode 100644
index 8f3459a7381..00000000000
--- a/changelogs/unreleased/feat-add-section-headers-to-project-repo-buttons.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Improve empty project overview
-merge_request: 16617
-author: George Tsiolis
-type: added
diff --git a/changelogs/unreleased/feature-39591-visibility-level.yml b/changelogs/unreleased/feature-39591-visibility-level.yml
deleted file mode 100644
index 4bbc9bdbb2e..00000000000
--- a/changelogs/unreleased/feature-39591-visibility-level.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Open visibility level help in a new tab
-merge_request:
-author: Jussi Räsänen
-type: fixed
diff --git a/changelogs/unreleased/feature-merge-request-system-hook.yml b/changelogs/unreleased/feature-merge-request-system-hook.yml
deleted file mode 100644
index cfc4c4235d6..00000000000
--- a/changelogs/unreleased/feature-merge-request-system-hook.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: System hooks for Merge Requests
-merge_request: 14387
-author: Alexis Reigel
-type: added
diff --git a/changelogs/unreleased/feature-sm-artifacts-trace.yml b/changelogs/unreleased/feature-sm-artifacts-trace.yml
deleted file mode 100644
index 7654ce58aeb..00000000000
--- a/changelogs/unreleased/feature-sm-artifacts-trace.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Save traces as artifacts
-merge_request: 16702
-author:
-type: changed
diff --git a/changelogs/unreleased/file-content-large-screen-padding.yml b/changelogs/unreleased/file-content-large-screen-padding.yml
deleted file mode 100644
index 5691cd09b1f..00000000000
--- a/changelogs/unreleased/file-content-large-screen-padding.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Double padding for file-content wiki class on larger screens
-merge_request:
-author:
-type: changed
diff --git a/changelogs/unreleased/fix-500-for-invalid-upload-path.yml b/changelogs/unreleased/fix-500-for-invalid-upload-path.yml
new file mode 100644
index 00000000000..a4ce00c64c4
--- /dev/null
+++ b/changelogs/unreleased/fix-500-for-invalid-upload-path.yml
@@ -0,0 +1,5 @@
+---
+title: Fix 500 error when loading an invalid upload URL
+merge_request:
+author:
+type: fixed
diff --git a/changelogs/unreleased/fix-add-horizontal-scroll-to-wiki-tables.yml b/changelogs/unreleased/fix-add-horizontal-scroll-to-wiki-tables.yml
deleted file mode 100644
index d8e97b7ad04..00000000000
--- a/changelogs/unreleased/fix-add-horizontal-scroll-to-wiki-tables.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add horizontal scroll to wiki tables
-merge_request: 16527
-author: George Tsiolis
-type: fixed
diff --git a/changelogs/unreleased/fix-adjust-button-group-width-on-mobile.yml b/changelogs/unreleased/fix-adjust-button-group-width-on-mobile.yml
deleted file mode 100644
index b79ec2944fd..00000000000
--- a/changelogs/unreleased/fix-adjust-button-group-width-on-mobile.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Change button group width on mobile
-merge_request: 16726
-author: George Tsiolis
-type: fixed
diff --git a/changelogs/unreleased/fix-adjust-layout-width-for-fixed-layout.yml b/changelogs/unreleased/fix-adjust-layout-width-for-fixed-layout.yml
deleted file mode 100644
index 2e0f59f81e9..00000000000
--- a/changelogs/unreleased/fix-adjust-layout-width-for-fixed-layout.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Adjust layout width for fixed layout
-merge_request: 16337
-author: George Tsiolis
-type: fixed
diff --git a/changelogs/unreleased/fix-dashboard-projects-nav-links-height.yml b/changelogs/unreleased/fix-dashboard-projects-nav-links-height.yml
deleted file mode 100644
index 2f6a07bb234..00000000000
--- a/changelogs/unreleased/fix-dashboard-projects-nav-links-height.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix dashboard projects nav links height
-merge_request: 16204
-author: George Tsiolis
-type: fixed
diff --git a/changelogs/unreleased/fix-gb-improve-manual-action-tooltips.yml b/changelogs/unreleased/fix-gb-improve-manual-action-tooltips.yml
deleted file mode 100644
index 31b4734bc79..00000000000
--- a/changelogs/unreleased/fix-gb-improve-manual-action-tooltips.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix tooltip displayed for running manual actions
-merge_request: 16489
-author:
-type: fixed
diff --git a/changelogs/unreleased/fix-improve-issue-note-dropdown.yml b/changelogs/unreleased/fix-improve-issue-note-dropdown.yml
deleted file mode 100644
index aaf4811c64a..00000000000
--- a/changelogs/unreleased/fix-improve-issue-note-dropdown.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Improve issue note dropdown and mr button
-merge_request: 16758
-author: George Tsiolis
-type: changed
diff --git a/changelogs/unreleased/fix-install-docs.yml b/changelogs/unreleased/fix-install-docs.yml
deleted file mode 100644
index c2c0dd1364b..00000000000
--- a/changelogs/unreleased/fix-install-docs.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update minimum git version to 2.9.5
-merge_request: 16683
-author:
-type: other
diff --git a/changelogs/unreleased/fix-show-sidebar-sub-level-items-for-billing.yml b/changelogs/unreleased/fix-show-sidebar-sub-level-items-for-billing.yml
deleted file mode 100644
index 883eecabe04..00000000000
--- a/changelogs/unreleased/fix-show-sidebar-sub-level-items-for-billing.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Override group sidebar links
-merge_request: 16942
-author: George Tsiolis
-type: fixed
diff --git a/changelogs/unreleased/fix-squash-with-renamed-files.yml b/changelogs/unreleased/fix-squash-with-renamed-files.yml
new file mode 100644
index 00000000000..f7cd3a84367
--- /dev/null
+++ b/changelogs/unreleased/fix-squash-with-renamed-files.yml
@@ -0,0 +1,5 @@
+---
+title: Fix squashing when a file is renamed
+merge_request:
+author:
+type: fixed
diff --git a/changelogs/unreleased/fix-validation-of-environment-scope-for-variables.yml b/changelogs/unreleased/fix-validation-of-environment-scope-for-variables.yml
deleted file mode 100644
index 5424c15a8ae..00000000000
--- a/changelogs/unreleased/fix-validation-of-environment-scope-for-variables.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix validation of environment scope of variables
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/fix_gitlab-ce-41891.yml b/changelogs/unreleased/fix_gitlab-ce-41891.yml
deleted file mode 100644
index 56bdc1a7c32..00000000000
--- a/changelogs/unreleased/fix_gitlab-ce-41891.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: 'Fix custom header logo design nitpick: Remove unneeded margin on empty logo text'
-merge_request: 16383
-author: Markus Doits
-type: fixed
diff --git a/changelogs/unreleased/fj-22607-lowercase-usernames-from-ldap.yml b/changelogs/unreleased/fj-22607-lowercase-usernames-from-ldap.yml
deleted file mode 100644
index 77142528be2..00000000000
--- a/changelogs/unreleased/fj-22607-lowercase-usernames-from-ldap.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Added ldap config setting to lower case the username
-merge_request: 16791
-author:
-type: added
diff --git a/changelogs/unreleased/fj-37273-moving-wiki-pages-from-the-ui.yml b/changelogs/unreleased/fj-37273-moving-wiki-pages-from-the-ui.yml
deleted file mode 100644
index 5b5310dcfef..00000000000
--- a/changelogs/unreleased/fj-37273-moving-wiki-pages-from-the-ui.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Allow moving wiki pages from the UI
-merge_request: 16313
-author:
-type: fixed
diff --git a/changelogs/unreleased/fl-mr-widget-refactor.yml b/changelogs/unreleased/fl-mr-widget-refactor.yml
deleted file mode 100644
index d59cca68409..00000000000
--- a/changelogs/unreleased/fl-mr-widget-refactor.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Refactors mr widget components into vue files and adds i18n
-merge_request:
-author:
-type: other
diff --git a/changelogs/unreleased/gitaly-git-http-ssh.yml b/changelogs/unreleased/gitaly-git-http-ssh.yml
deleted file mode 100644
index 98812e92e2a..00000000000
--- a/changelogs/unreleased/gitaly-git-http-ssh.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Default to Gitaly for 'git push' HTTP/SSH, and make Gitaly mandatory for SSH
-  pull
-merge_request: 16586
-author:
-type: other
diff --git a/changelogs/unreleased/gitaly-repo-exists.yml b/changelogs/unreleased/gitaly-repo-exists.yml
deleted file mode 100644
index a9eb42a2038..00000000000
--- a/changelogs/unreleased/gitaly-repo-exists.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Make Gitaly RepositoryExists opt-out
-merge_request: 16680
-author:
-type: other
diff --git a/changelogs/unreleased/internationalize-charts-page.yml b/changelogs/unreleased/internationalize-charts-page.yml
deleted file mode 100644
index 481b83fb059..00000000000
--- a/changelogs/unreleased/internationalize-charts-page.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Internationalize charts page
-merge_request: 16687
-author: selrahman
-type: changed
diff --git a/changelogs/unreleased/internationalize-graph-page.yml b/changelogs/unreleased/internationalize-graph-page.yml
deleted file mode 100644
index 904dbd606d7..00000000000
--- a/changelogs/unreleased/internationalize-graph-page.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Internationalize graph page selrahman
-merge_request: 16688
-author: Shah El-Rahman
-type: changed
diff --git a/changelogs/unreleased/issue-42689-new-file-template.yml b/changelogs/unreleased/issue-42689-new-file-template.yml
deleted file mode 100644
index d6b77b87605..00000000000
--- a/changelogs/unreleased/issue-42689-new-file-template.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Trigger change event on filename input when file template is applied
-merge_request: 16911
-author: Sebastian Klingler
-type: fixed
diff --git a/changelogs/unreleased/issue_41460.yml b/changelogs/unreleased/issue_41460.yml
deleted file mode 100644
index 24d3eae6bf8..00000000000
--- a/changelogs/unreleased/issue_41460.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix error on changes tab when merge request cannot be created
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/issues-closed-at-steal.yml b/changelogs/unreleased/issues-closed-at-steal.yml
deleted file mode 100644
index a5f0898995f..00000000000
--- a/changelogs/unreleased/issues-closed-at-steal.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Finish any remaining jobs for issues.closed_at
-merge_request:
-author:
-type: other
diff --git a/changelogs/unreleased/jej-upload-file-tracks-lfs.yml b/changelogs/unreleased/jej-upload-file-tracks-lfs.yml
deleted file mode 100644
index a7cf6b6ba2c..00000000000
--- a/changelogs/unreleased/jej-upload-file-tracks-lfs.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: File Upload UI can create LFS pointers based on .gitattributes
-merge_request: 16412
-author:
-type: fixed
diff --git a/changelogs/unreleased/jivl-update-katex.yml b/changelogs/unreleased/jivl-update-katex.yml
deleted file mode 100644
index 99b5fe49620..00000000000
--- a/changelogs/unreleased/jivl-update-katex.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Updated the katex library
-merge_request: 15864
-author:
-type: other
diff --git a/changelogs/unreleased/merge-request-target-branch-perf.yml b/changelogs/unreleased/merge-request-target-branch-perf.yml
deleted file mode 100644
index 37e326bfde3..00000000000
--- a/changelogs/unreleased/merge-request-target-branch-perf.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Improve performance of target branch dropdown
-merge_request:
-author:
-type: performance
diff --git a/changelogs/unreleased/move-board-list-vue-component.yml b/changelogs/unreleased/move-board-list-vue-component.yml
deleted file mode 100644
index 9c566b43cc2..00000000000
--- a/changelogs/unreleased/move-board-list-vue-component.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Move BoardList vue component to vue file
-merge_request: 16888
-author: George Tsiolis
-type: performance
diff --git a/changelogs/unreleased/osw-fix-lost-diffs-when-source-branch-deleted.yml b/changelogs/unreleased/osw-fix-lost-diffs-when-source-branch-deleted.yml
deleted file mode 100644
index 1cffb213f23..00000000000
--- a/changelogs/unreleased/osw-fix-lost-diffs-when-source-branch-deleted.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Close and do not reload MR diffs when source branch is deleted
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/osw-markdown-bypass-for-commit-messages.yml b/changelogs/unreleased/osw-markdown-bypass-for-commit-messages.yml
deleted file mode 100644
index b2c1cd9710a..00000000000
--- a/changelogs/unreleased/osw-markdown-bypass-for-commit-messages.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Bypass commits title markdown on notes
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/osw-remove-duplicate-can-be-reverted-calls.yml b/changelogs/unreleased/osw-remove-duplicate-can-be-reverted-calls.yml
deleted file mode 100644
index 03940555162..00000000000
--- a/changelogs/unreleased/osw-remove-duplicate-can-be-reverted-calls.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Remove duplicate calls of MergeRequest#can_be_reverted?
-merge_request:
-author:
-type: performance
diff --git a/changelogs/unreleased/osw-short-circuit-mergeable-disccusions-state.yml b/changelogs/unreleased/osw-short-circuit-mergeable-disccusions-state.yml
deleted file mode 100644
index 62931218861..00000000000
--- a/changelogs/unreleased/osw-short-circuit-mergeable-disccusions-state.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Stop checking if discussions are in a mergeable state if the MR isn't
-merge_request:
-author:
-type: performance
diff --git a/changelogs/unreleased/osw-system-notes-for-commits-regression.yml b/changelogs/unreleased/osw-system-notes-for-commits-regression.yml
deleted file mode 100644
index 6d0943c7716..00000000000
--- a/changelogs/unreleased/osw-system-notes-for-commits-regression.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Reload MRs memoization after diffs creation
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/osw-updates-merge-status-on-api-actions.yml b/changelogs/unreleased/osw-updates-merge-status-on-api-actions.yml
deleted file mode 100644
index 3854985e576..00000000000
--- a/changelogs/unreleased/osw-updates-merge-status-on-api-actions.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Return more consistent values for merge_status on MR APIs
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/pawel-connect_to_prometheus_through_proxy-30480.yml b/changelogs/unreleased/pawel-connect_to_prometheus_through_proxy-30480.yml
deleted file mode 100644
index b2bb173912a..00000000000
--- a/changelogs/unreleased/pawel-connect_to_prometheus_through_proxy-30480.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Implement multi server support and use kube proxy to connect to Prometheus
-  servers inside K8S cluster
-merge_request: 16182
-author:
-type: added
diff --git a/changelogs/unreleased/persistent-callouts.yml b/changelogs/unreleased/persistent-callouts.yml
deleted file mode 100644
index ca949a3b96c..00000000000
--- a/changelogs/unreleased/persistent-callouts.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add backend for persistently dismissably callouts
-merge_request:
-author:
-type: added
diff --git a/changelogs/unreleased/query-counts.yml b/changelogs/unreleased/query-counts.yml
deleted file mode 100644
index e01ff8a4ad8..00000000000
--- a/changelogs/unreleased/query-counts.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Track and act upon the number of executed queries
-merge_request:
-author:
-type: added
diff --git a/changelogs/unreleased/refactor-ci-variable-list-for-future-usage-in-4110.yml b/changelogs/unreleased/refactor-ci-variable-list-for-future-usage-in-4110.yml
deleted file mode 100644
index d43675e175d..00000000000
--- a/changelogs/unreleased/refactor-ci-variable-list-for-future-usage-in-4110.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Hide variable values on pipeline schedule edit page
-merge_request: 16729
-author:
-type: changed
diff --git a/changelogs/unreleased/sh-add-gitaly-health-check.yml b/changelogs/unreleased/sh-add-gitaly-health-check.yml
deleted file mode 100644
index 32c4c5362b4..00000000000
--- a/changelogs/unreleased/sh-add-gitaly-health-check.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add a gRPC health check to ensure Gitaly is up
-merge_request:
-author:
-type: added
diff --git a/changelogs/unreleased/sh-fix-award-emoji-move-issues.yml b/changelogs/unreleased/sh-fix-award-emoji-move-issues.yml
deleted file mode 100644
index c62fad927d0..00000000000
--- a/changelogs/unreleased/sh-fix-award-emoji-move-issues.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix bug where award emojis would be lost when moving issues between projects
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/sh-fix-events-collection.yml b/changelogs/unreleased/sh-fix-events-collection.yml
deleted file mode 100644
index 50af39d9caf..00000000000
--- a/changelogs/unreleased/sh-fix-events-collection.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix not all events being shown in group dashboard
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/sh-fix-project-members-api-perf.yml b/changelogs/unreleased/sh-fix-project-members-api-perf.yml
deleted file mode 100644
index c3fff933547..00000000000
--- a/changelogs/unreleased/sh-fix-project-members-api-perf.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Remove N+1 queries with /projects/:project_id/{access_requests,members} API
-  endpoints
-merge_request:
-author:
-type: performance
diff --git a/changelogs/unreleased/sh-fix-squash-rebase-utf8-data.yml b/changelogs/unreleased/sh-fix-squash-rebase-utf8-data.yml
deleted file mode 100644
index aa43487d741..00000000000
--- a/changelogs/unreleased/sh-fix-squash-rebase-utf8-data.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix squash not working when diff contained non-ASCII data
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/sh-log-when-user-blocked.yml b/changelogs/unreleased/sh-log-when-user-blocked.yml
deleted file mode 100644
index 9abf2017514..00000000000
--- a/changelogs/unreleased/sh-log-when-user-blocked.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Log and send a system hook if a blocked user attempts to login
-merge_request:
-author:
-type: added
diff --git a/changelogs/unreleased/sh-remove-shared-runners-and-more.yml b/changelogs/unreleased/sh-remove-shared-runners-and-more.yml
deleted file mode 100644
index cc079617883..00000000000
--- a/changelogs/unreleased/sh-remove-shared-runners-and-more.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Remove erroneous text in shared runners page that suggested more runners available
-merge_request:
-author:
-type: fixed
diff --git a/changelogs/unreleased/sh-store-user-in-api-logs.yml b/changelogs/unreleased/sh-store-user-in-api-logs.yml
deleted file mode 100644
index d904dcaf6d3..00000000000
--- a/changelogs/unreleased/sh-store-user-in-api-logs.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Save user ID and username in Grape API log (api_json.log)
-merge_request:
-author:
-type: changed
diff --git a/changelogs/unreleased/style-include-branch-in-mobile-view.yml b/changelogs/unreleased/style-include-branch-in-mobile-view.yml
deleted file mode 100644
index 5c8ef86992d..00000000000
--- a/changelogs/unreleased/style-include-branch-in-mobile-view.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Include branch in mobile view for pipelines
-merge_request: 16910
-author: George Tsiolis
-type: other
diff --git a/changelogs/unreleased/tc-info-version-check.yml b/changelogs/unreleased/tc-info-version-check.yml
deleted file mode 100644
index 9f20d03b864..00000000000
--- a/changelogs/unreleased/tc-info-version-check.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add more info about data collected when version check is enabled
-merge_request: 17257
-author:
-type: changed
diff --git a/changelogs/unreleased/update-node-docs.yml b/changelogs/unreleased/update-node-docs.yml
deleted file mode 100644
index a1d9d12f0ca..00000000000
--- a/changelogs/unreleased/update-node-docs.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: fix documentation about node version
-merge_request: 16720
-author: Tobias Gurtzick
-type: other
diff --git a/changelogs/unreleased/users-autocomplete.yml b/changelogs/unreleased/users-autocomplete.yml
new file mode 100644
index 00000000000..2cb078a3a7c
--- /dev/null
+++ b/changelogs/unreleased/users-autocomplete.yml
@@ -0,0 +1,5 @@
+---
+title: Improve performance of searching for and autocompleting of users
+merge_request:
+author:
+type: performance
diff --git a/changelogs/unreleased/ux-guide-deprecation.yml b/changelogs/unreleased/ux-guide-deprecation.yml
deleted file mode 100644
index 16477f59abf..00000000000
--- a/changelogs/unreleased/ux-guide-deprecation.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Add note within ux documentation that further changes should be made within
-  the design.gitlab project
-merge_request:
-author:
-type: deprecated
diff --git a/changelogs/unreleased/winh-delete-milestone-modal.yml b/changelogs/unreleased/winh-delete-milestone-modal.yml
deleted file mode 100644
index 6517fbd5f63..00000000000
--- a/changelogs/unreleased/winh-delete-milestone-modal.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add modal for deleting a milestone
-merge_request: 16229
-author:
-type: other
diff --git a/changelogs/unreleased/winh-kubernetes-clusters.yml b/changelogs/unreleased/winh-kubernetes-clusters.yml
deleted file mode 100644
index 387a719848d..00000000000
--- a/changelogs/unreleased/winh-kubernetes-clusters.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Replace "cluster" with "Kubernetes cluster"
-merge_request: 16778
-author:
-type: changed
diff --git a/changelogs/unreleased/winh-search-page-filters.yml b/changelogs/unreleased/winh-search-page-filters.yml
deleted file mode 100644
index 90c5cd8d818..00000000000
--- a/changelogs/unreleased/winh-search-page-filters.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Filter groups and projects dropdowns of search page on backend
-merge_request: 16336
-author:
-type: fixed
diff --git a/changelogs/unreleased/winh-style-modals.yml b/changelogs/unreleased/winh-style-modals.yml
deleted file mode 100644
index b7d0293960d..00000000000
--- a/changelogs/unreleased/winh-style-modals.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Adjust modal style to new design
-merge_request: 16310
-author:
-type: other
diff --git a/changelogs/unreleased/zj-branch-contains-git-message.yml b/changelogs/unreleased/zj-branch-contains-git-message.yml
new file mode 100644
index 00000000000..ce034e7ec87
--- /dev/null
+++ b/changelogs/unreleased/zj-branch-contains-git-message.yml
@@ -0,0 +1,5 @@
+---
+title: Allow branch names to be named the same as the sha it points to
+merge_request:
+author:
+type: fixed
diff --git a/changelogs/unreleased/zj-gitaly-server-info.yml b/changelogs/unreleased/zj-gitaly-server-info.yml
deleted file mode 100644
index cf6295f2bbc..00000000000
--- a/changelogs/unreleased/zj-gitaly-server-info.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add Gitaly Servers admin dashboard
-merge_request:
-author:
-type: added
diff --git a/changelogs/unreleased/zj-protobuf.yml b/changelogs/unreleased/zj-protobuf.yml
deleted file mode 100644
index 830c2e82da9..00000000000
--- a/changelogs/unreleased/zj-protobuf.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Downgrade google-protobuf gem
-merge_request: 16941
-author:
-type: other
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index bbc2bcfb0cc..bd696a7f2c5 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -214,6 +214,10 @@ production: &base
     repository_archive_cache_worker:
       cron: "0 * * * *"
 
+    # Verify custom GitLab Pages domains
+    pages_domain_verification_cron_worker:
+      cron: "*/15 * * * *"
+
   registry:
     # enabled: true
     # host: registry.example.com
diff --git a/config/initializers/0_as_concern.rb b/config/initializers/0_as_concern.rb
new file mode 100644
index 00000000000..40232bd6252
--- /dev/null
+++ b/config/initializers/0_as_concern.rb
@@ -0,0 +1,25 @@
+# This module is based on: https://gist.github.com/bcardarella/5735987
+
+module Prependable
+  def prepend_features(base)
+    if base.instance_variable_defined?(:@_dependencies)
+      base.instance_variable_get(:@_dependencies) << self
+      false
+    else
+      return false if base < self
+
+      super
+      base.singleton_class.send(:prepend, const_get('ClassMethods')) if const_defined?(:ClassMethods)
+      @_dependencies.each { |dep| base.send(:prepend, dep) } # rubocop:disable Gitlab/ModuleWithInstanceVariables
+      base.class_eval(&@_included_block) if instance_variable_defined?(:@_included_block) # rubocop:disable Gitlab/ModuleWithInstanceVariables
+    end
+  end
+end
+
+module ActiveSupport
+  module Concern
+    prepend Prependable
+
+    alias_method :prepended, :included
+  end
+end
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 17a8801f7bc..ea0dee7af53 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -427,6 +427,10 @@ Settings.cron_jobs['stuck_merge_jobs_worker'] ||= Settingslogic.new({})
 Settings.cron_jobs['stuck_merge_jobs_worker']['cron'] ||= '0 */2 * * *'
 Settings.cron_jobs['stuck_merge_jobs_worker']['job_class'] = 'StuckMergeJobsWorker'
 
+Settings.cron_jobs['pages_domain_verification_cron_worker'] ||= Settingslogic.new({})
+Settings.cron_jobs['pages_domain_verification_cron_worker']['cron'] ||= '*/15 * * * *'
+Settings.cron_jobs['pages_domain_verification_cron_worker']['job_class'] = 'PagesDomainVerificationCronWorker'
+
 #
 # GitLab Shell
 #
diff --git a/config/routes/project.rb b/config/routes/project.rb
index 1912808f9c0..8fe545b721e 100644
--- a/config/routes/project.rb
+++ b/config/routes/project.rb
@@ -55,7 +55,11 @@ constraints(ProjectUrlConstrainer.new) do
       end
 
       resource :pages, only: [:show, :destroy] do
-        resources :domains, only: [:show, :new, :create, :destroy], controller: 'pages_domains', constraints: { id: %r{[^/]+} }
+        resources :domains, only: [:show, :new, :create, :destroy], controller: 'pages_domains', constraints: { id: %r{[^/]+} } do
+          member do
+            post :verify
+          end
+        end
       end
 
       resources :snippets, concerns: :awardable, constraints: { id: /\d+/ } do
@@ -74,7 +78,9 @@ constraints(ProjectUrlConstrainer.new) do
       resource :mattermost, only: [:new, :create]
 
       namespace :prometheus do
-        get :active_metrics
+        resources :metrics, constraints: { id: %r{[^\/]+} }, only: [] do
+          get :active_common, on: :collection
+        end
       end
 
       resources :deploy_keys, constraints: { id: /\d+/ }, only: [:index, :new, :create, :edit, :update] do
diff --git a/config/sidekiq_queues.yml b/config/sidekiq_queues.yml
index 31a38f2b508..f037e3d1221 100644
--- a/config/sidekiq_queues.yml
+++ b/config/sidekiq_queues.yml
@@ -67,3 +67,4 @@
   - [gcp_cluster, 1]
   - [project_migrate_hashed_storage, 1]
   - [storage_migrator, 1]
+  - [pages_domain_verification, 1]
diff --git a/config/webpack.config.js b/config/webpack.config.js
index 13a6eaeecf7..be827903a6a 100644
--- a/config/webpack.config.js
+++ b/config/webpack.config.js
@@ -29,13 +29,15 @@ var pageEntries = glob.sync('pages/**/index.js', { cwd: path.join(ROOT_PATH, 'ap
 var dispatcher = fs.readFileSync(path.join(ROOT_PATH, 'app/assets/javascripts/dispatcher.js')).toString();
 var dispatcherChunks = dispatcher.match(/(?!import\(')\.\/pages\/[^']+/g);
 
-pageEntries.forEach(( path ) => {
-  let chunkPath = path.replace(/\/index\.js$/, '');
-  if (!dispatcherChunks.includes('./' + chunkPath)) {
-    let chunkName = chunkPath.replace(/\//g, '.');
-    autoEntries[chunkName] = './' + path;
+function generateAutoEntries(path, prefix = '.') {
+  const chunkPath = path.replace(/\/index\.js$/, '');
+  if (!dispatcherChunks.includes(`${prefix}/${chunkPath}`)) {
+    const chunkName = chunkPath.replace(/\//g, '.');
+    autoEntries[chunkName] = `${prefix}/${path}`;
   }
-});
+}
+
+pageEntries.forEach(( path ) => generateAutoEntries(path));
 
 // report our auto-generated bundle count
 var autoEntriesCount = Object.keys(autoEntries).length;
@@ -54,15 +56,11 @@ var config = {
     common_vue:           './vue_shared/vue_resource_interceptor.js',
     cycle_analytics:      './cycle_analytics/cycle_analytics_bundle.js',
     commit_pipelines:     './commit/pipelines/pipelines_bundle.js',
-    deploy_keys:          './deploy_keys/index.js',
     diff_notes:           './diff_notes/diff_notes_bundle.js',
     environments:         './environments/environments_bundle.js',
     environments_folder:  './environments/folder/environments_folder_bundle.js',
     filtered_search:      './filtered_search/filtered_search_bundle.js',
     help:                 './help/help.js',
-    issue_show:           './issue_show/index.js',
-    locale:               './locale/index.js',
-    main:                 './main.js',
     merge_conflicts:      './merge_conflicts/merge_conflicts_bundle.js',
     monitoring:           './monitoring/monitoring_bundle.js',
     network:              './network/network_bundle.js',
@@ -75,18 +73,24 @@ var config = {
     protected_branches:   './protected_branches',
     protected_tags:       './protected_tags',
     registry_list:        './registry/index.js',
-    ide:                  './ide/index.js',
     sidebar:              './sidebar/sidebar_bundle.js',
     snippet:              './snippet/snippet_bundle.js',
     sketch_viewer:        './blob/sketch_viewer.js',
     stl_viewer:           './blob/stl_viewer.js',
     terminal:             './terminal/terminal_bundle.js',
-    u2f:                  ['vendor/u2f'],
     ui_development_kit:   './ui_development_kit.js',
-    raven:                './raven/index.js',
     vue_merge_request_widget: './vue_merge_request_widget/index.js',
-    test:                 './test.js',
     two_factor_auth:      './two_factor_auth.js',
+
+
+    common:               './commons/index.js',
+    common_vue:           './vue_shared/vue_resource_interceptor.js',
+    locale:               './locale/index.js',
+    main:                 './main.js',
+    ide:                  './ide/index.js',
+    raven:                './raven/index.js',
+    test:                 './test.js',
+    u2f:                  ['vendor/u2f'],
     webpack_runtime:      './webpack.js',
   },
 
@@ -249,7 +253,6 @@ var config = {
         'environments_folder',
         'filtered_search',
         'groups',
-        'issue_show',
         'merge_conflicts',
         'monitoring',
         'notebook_viewer',
diff --git a/db/migrate/20180215181245_users_name_lower_index.rb b/db/migrate/20180215181245_users_name_lower_index.rb
new file mode 100644
index 00000000000..d3f68cb7d45
--- /dev/null
+++ b/db/migrate/20180215181245_users_name_lower_index.rb
@@ -0,0 +1,29 @@
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class UsersNameLowerIndex < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  # Set this constant to true if this migration requires downtime.
+  DOWNTIME = false
+  INDEX_NAME = 'index_on_users_name_lower'
+
+  disable_ddl_transaction!
+
+  def up
+    return unless Gitlab::Database.postgresql?
+
+    # On GitLab.com this produces an index with a size of roughly 60 MB.
+    execute "CREATE INDEX CONCURRENTLY #{INDEX_NAME} ON users (LOWER(name))"
+  end
+
+  def down
+    return unless Gitlab::Database.postgresql?
+
+    if supports_drop_index_concurrently?
+      execute "DROP INDEX CONCURRENTLY IF EXISTS #{INDEX_NAME}"
+    else
+      execute "DROP INDEX IF EXISTS #{INDEX_NAME}"
+    end
+  end
+end
diff --git a/db/migrate/20180216120000_add_pages_domain_verification.rb b/db/migrate/20180216120000_add_pages_domain_verification.rb
new file mode 100644
index 00000000000..8b7cae92285
--- /dev/null
+++ b/db/migrate/20180216120000_add_pages_domain_verification.rb
@@ -0,0 +1,8 @@
+class AddPagesDomainVerification < ActiveRecord::Migration
+  DOWNTIME = false
+
+  def change
+    add_column :pages_domains, :verified_at, :datetime_with_timezone
+    add_column :pages_domains, :verification_code, :string
+  end
+end
diff --git a/db/migrate/20180216120010_add_pages_domain_verified_at_index.rb b/db/migrate/20180216120010_add_pages_domain_verified_at_index.rb
new file mode 100644
index 00000000000..825dfb52dce
--- /dev/null
+++ b/db/migrate/20180216120010_add_pages_domain_verified_at_index.rb
@@ -0,0 +1,15 @@
+class AddPagesDomainVerifiedAtIndex < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_index :pages_domains, :verified_at
+  end
+
+  def down
+    remove_concurrent_index :pages_domains, :verified_at
+  end
+end
diff --git a/db/migrate/20180216120020_allow_domain_verification_to_be_disabled.rb b/db/migrate/20180216120020_allow_domain_verification_to_be_disabled.rb
new file mode 100644
index 00000000000..06d458028b3
--- /dev/null
+++ b/db/migrate/20180216120020_allow_domain_verification_to_be_disabled.rb
@@ -0,0 +1,7 @@
+class AllowDomainVerificationToBeDisabled < ActiveRecord::Migration
+  DOWNTIME = false
+
+  def change
+    add_column :application_settings, :pages_domain_verification_enabled, :boolean, default: true, null: false
+  end
+end
diff --git a/db/migrate/20180216120030_add_pages_domain_enabled_until.rb b/db/migrate/20180216120030_add_pages_domain_enabled_until.rb
new file mode 100644
index 00000000000..b40653044dd
--- /dev/null
+++ b/db/migrate/20180216120030_add_pages_domain_enabled_until.rb
@@ -0,0 +1,7 @@
+class AddPagesDomainEnabledUntil < ActiveRecord::Migration
+  DOWNTIME = false
+
+  def change
+    add_column :pages_domains, :enabled_until, :datetime_with_timezone
+  end
+end
diff --git a/db/migrate/20180216120040_add_pages_domain_enabled_until_index.rb b/db/migrate/20180216120040_add_pages_domain_enabled_until_index.rb
new file mode 100644
index 00000000000..00f6e4979da
--- /dev/null
+++ b/db/migrate/20180216120040_add_pages_domain_enabled_until_index.rb
@@ -0,0 +1,17 @@
+class AddPagesDomainEnabledUntilIndex < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_index :pages_domains, [:project_id, :enabled_until]
+    add_concurrent_index :pages_domains, [:verified_at, :enabled_until]
+  end
+
+  def down
+    remove_concurrent_index :pages_domains, [:verified_at, :enabled_until]
+    remove_concurrent_index :pages_domains, [:project_id, :enabled_until]
+  end
+end
diff --git a/db/migrate/20180216120050_pages_domains_verification_grace_period.rb b/db/migrate/20180216120050_pages_domains_verification_grace_period.rb
new file mode 100644
index 00000000000..d7f8634b536
--- /dev/null
+++ b/db/migrate/20180216120050_pages_domains_verification_grace_period.rb
@@ -0,0 +1,26 @@
+class PagesDomainsVerificationGracePeriod < ActiveRecord::Migration
+  DOWNTIME = false
+
+  class PagesDomain < ActiveRecord::Base
+    include EachBatch
+  end
+
+  # Allow this migration to resume if it fails partway through
+  disable_ddl_transaction!
+
+  def up
+    now = Time.now
+    grace = now + 30.days
+
+    PagesDomain.each_batch do |relation|
+      relation.update_all(verified_at: now, enabled_until: grace)
+
+      # Sleep 2 minutes between batches to not overload the DB with dead tuples
+      sleep(2.minutes) unless relation.reorder(:id).last == PagesDomain.reorder(:id).last
+    end
+  end
+
+  def down
+    # no-op
+  end
+end
diff --git a/db/post_migrate/20180216121020_fill_pages_domain_verification_code.rb b/db/post_migrate/20180216121020_fill_pages_domain_verification_code.rb
new file mode 100644
index 00000000000..d423673d2a5
--- /dev/null
+++ b/db/post_migrate/20180216121020_fill_pages_domain_verification_code.rb
@@ -0,0 +1,41 @@
+class FillPagesDomainVerificationCode < ActiveRecord::Migration
+  DOWNTIME = false
+
+  class PagesDomain < ActiveRecord::Base
+    include EachBatch
+  end
+
+  # Allow this migration to resume if it fails partway through
+  disable_ddl_transaction!
+
+  def up
+    PagesDomain.where(verification_code: [nil, '']).each_batch do |relation|
+      connection.execute(set_codes_sql(relation))
+
+      # Sleep 2 minutes between batches to not overload the DB with dead tuples
+      sleep(2.minutes) unless relation.reorder(:id).last == PagesDomain.reorder(:id).last
+    end
+
+    change_column_null(:pages_domains, :verification_code, false)
+  end
+
+  def down
+    change_column_null(:pages_domains, :verification_code, true)
+  end
+
+  private
+
+  def set_codes_sql(relation)
+    ids = relation.pluck(:id)
+    whens = ids.map { |id| "WHEN #{id} THEN '#{SecureRandom.hex(16)}'" }
+
+    <<~SQL
+      UPDATE pages_domains
+      SET verification_code =
+        CASE id
+        #{whens.join("\n")}
+        END
+      WHERE id IN(#{ids.join(',')})
+    SQL
+  end
+end
diff --git a/db/post_migrate/20180216121030_enqueue_verify_pages_domain_workers.rb b/db/post_migrate/20180216121030_enqueue_verify_pages_domain_workers.rb
new file mode 100644
index 00000000000..bf9bf4e660f
--- /dev/null
+++ b/db/post_migrate/20180216121030_enqueue_verify_pages_domain_workers.rb
@@ -0,0 +1,16 @@
+class EnqueueVerifyPagesDomainWorkers < ActiveRecord::Migration
+  class PagesDomain < ActiveRecord::Base
+    include EachBatch
+  end
+
+  def up
+    PagesDomain.each_batch do |relation|
+      ids = relation.pluck(:id).map { |id| [id] }
+      PagesDomainVerificationWorker.bulk_perform_async(ids)
+    end
+  end
+
+  def down
+    # no-op
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 409d1ac7644..5bb461169f1 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20180213131630) do
+ActiveRecord::Schema.define(version: 20180216121030) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -156,6 +156,7 @@ ActiveRecord::Schema.define(version: 20180213131630) do
     t.integer "gitaly_timeout_fast", default: 10, null: false
     t.boolean "authorized_keys_enabled", default: true, null: false
     t.string "auto_devops_domain"
+    t.boolean "pages_domain_verification_enabled", default: true, null: false
   end
 
   create_table "audit_events", force: :cascade do |t|
@@ -1313,10 +1314,16 @@ ActiveRecord::Schema.define(version: 20180213131630) do
     t.string "encrypted_key_iv"
     t.string "encrypted_key_salt"
     t.string "domain"
+    t.datetime_with_timezone "verified_at"
+    t.string "verification_code", null: false
+    t.datetime_with_timezone "enabled_until"
   end
 
   add_index "pages_domains", ["domain"], name: "index_pages_domains_on_domain", unique: true, using: :btree
+  add_index "pages_domains", ["project_id", "enabled_until"], name: "index_pages_domains_on_project_id_and_enabled_until", using: :btree
   add_index "pages_domains", ["project_id"], name: "index_pages_domains_on_project_id", using: :btree
+  add_index "pages_domains", ["verified_at", "enabled_until"], name: "index_pages_domains_on_verified_at_and_enabled_until", using: :btree
+  add_index "pages_domains", ["verified_at"], name: "index_pages_domains_on_verified_at", using: :btree
 
   create_table "personal_access_tokens", force: :cascade do |t|
     t.integer "user_id", null: false
diff --git a/doc/README.md b/doc/README.md
index c8b6b4f32b8..46fcb7c6baf 100644
--- a/doc/README.md
+++ b/doc/README.md
@@ -12,6 +12,10 @@ GitLab offers the most scalable Git-based fully integrated platform for software
 
 With GitLab self-hosted, you deploy your own GitLab instance on-premises or on a private cloud of your choice. GitLab self-hosted is available for [free and with paid subscriptions](https://about.gitlab.com/products/): Libre, Starter, Premium, and Ultimate.
 
+Every feature available in Libre is also available in Starter, Premium, and Ultimate.
+Starter features are also available in Premium and Ultimate, and Premium features are also
+available in Ultimate.
+
 GitLab.com is our SaaS offering. It's hosted, managed, and administered by GitLab, with [free and paid plans](https://about.gitlab.com/gitlab-com/) for individuals and teams: Free, Bronze, Silver, and Gold.
 
 ## Shortcuts to GitLab's most visited docs
@@ -124,8 +128,8 @@ Manage your [repositories](user/project/repository/index.md) from the UI (user i
 
 ## Administrator documentation
 
-[Administration documentation](administration/index.md) applies to admin users of [GitLab
-self-hosted instances](#self-hosted-gitlab): Libre, Starter, Premium, Ultimate.
+[Administration documentation](administration/index.md) applies to admin users of GitLab
+self-hosted instances.
 
 Learn how to install, configure, update, upgrade, integrate, and maintain your own instance.
 Regular users don't have access to GitLab administration tools and settings.
@@ -133,7 +137,7 @@ Regular users don't have access to GitLab administration tools and settings.
 ## Contributor documentation
 
 GitLab Community Edition is [open source](https://gitlab.com/gitlab-org/gitlab-ce/)
-and Enterprise Editions are [open-core](https://gitlab.com/gitlab-org/gitlab-ee/).
+and GitLab Enterprise Edition is [open-core](https://gitlab.com/gitlab-org/gitlab-ee/).
 Learn how to contribute to GitLab:
 
 - [Development](development/README.md): All styleguides and explanations how to contribute.
diff --git a/doc/administration/custom_hooks.md b/doc/administration/custom_hooks.md
index 4d35b20d0c3..960970aea30 100644
--- a/doc/administration/custom_hooks.md
+++ b/doc/administration/custom_hooks.md
@@ -4,8 +4,9 @@
 **Note:** Custom Git hooks must be configured on the filesystem of the GitLab
 server. Only GitLab server administrators will be able to complete these tasks.
 Please explore [webhooks] as an option if you do not
-have filesystem access. For a user configurable Git hook interface, please see
-[GitLab Enterprise Edition Git Hooks](http://docs.gitlab.com/ee/git_hooks/git_hooks.html).
+have filesystem access. For a user configurable Git hook interface, see
+[Push Rules](https://docs.gitlab.com/ee/push_rules/push_rules.html),
+available in GitLab Enterprise Edition.
 
 Git natively supports hooks that are executed on different actions.
 Examples of server-side git hooks include pre-receive, post-receive, and update.
diff --git a/doc/administration/index.md b/doc/administration/index.md
index e53268e5f3e..51444651bdb 100644
--- a/doc/administration/index.md
+++ b/doc/administration/index.md
@@ -1,9 +1,19 @@
 # Administrator documentation
 
 Learn how to administer your GitLab instance (Community Edition and
-[Enterprise Editions](https://about.gitlab.com/products/)).
+Enterprise Edition).
 Regular users don't have access to GitLab administration tools and settings.
 
+GitLab has two product distributions: the open source
+[GitLab Community Edition (CE)](https://gitlab.com/gitlab-org/gitlab-ce),
+and the open core [GitLab Enterprise Edition (EE)](https://gitlab.com/gitlab-org/gitlab-ee),
+available through [different subscriptions](https://about.gitlab.com/products/).
+
+You can [install GitLab CE or GitLab EE](https://about.gitlab.com/installation/ce-or-ee/),
+but the features you'll have access to depend on the subscription you choose
+(Libre, Starter, Premium, or Ultimate). GitLab Community Edition installations
+only have access to Libre features.
+
 GitLab.com is administered by GitLab, Inc., therefore, only GitLab team members have
 access to its admin configurations. If you're a GitLab.com user, please check the
 [user documentation](../user/index.html).
diff --git a/doc/administration/logs.md b/doc/administration/logs.md
index debaa2330d0..1b42d7979ed 100644
--- a/doc/administration/logs.md
+++ b/doc/administration/logs.md
@@ -32,6 +32,8 @@ In this example, you can see this was a GET request for a specific issue. Notice
 2. `view`: total time taken inside the Rails views
 3. `db`: total time to retrieve data from the database
 
+User clone/fetch activity using http transport appears in this log as `action: git_upload_pack`.
+
 In addition, the log contains the IP address from which the request originated
 (`remote_ip`) as well as the user's ID (`user_id`), and username (`username`).
 
@@ -157,6 +159,8 @@ I, [2015-02-13T06:17:00.671315 #9291]  INFO -- : Adding project root/example.git
 I, [2015-02-13T06:17:00.679433 #9291]  INFO -- : Moving existing hooks directory and symlinking global hooks directory for /var/opt/gitlab/git-data/repositories/root/example.git.
 ```
 
+User clone/fetch activity using ssh transport appears in this log as `executing git command <gitaly-upload-pack...`.
+
 ## `unicorn\_stderr.log`
 
 This file lives in `/var/log/gitlab/unicorn/unicorn_stderr.log` for
diff --git a/doc/administration/operations/fast_ssh_key_lookup.md b/doc/administration/operations/fast_ssh_key_lookup.md
index a795d5116ea..bd6c7bb07b5 100644
--- a/doc/administration/operations/fast_ssh_key_lookup.md
+++ b/doc/administration/operations/fast_ssh_key_lookup.md
@@ -1,7 +1,7 @@
 # Fast lookup of authorized SSH keys in the database
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/1631) in 
-> [GitLab Enterprise Edition Standard](https://about.gitlab.com/gitlab-ee) 9.3.
+> [GitLab Starter](https://about.gitlab.com/gitlab-ee) 9.3.
 >
 > [Available in](https://gitlab.com/gitlab-org/gitlab-ee/issues/3953) GitLab
 > Community Edition 10.4.
diff --git a/doc/administration/pages/index.md b/doc/administration/pages/index.md
index edb3e4c961e..00c631fdaae 100644
--- a/doc/administration/pages/index.md
+++ b/doc/administration/pages/index.md
@@ -226,6 +226,18 @@ world. Custom domains and TLS are supported.
 
 1. [Reconfigure GitLab][reconfigure]
 
+### Custom domain verification
+
+To prevent malicious users from hijacking domains that don't belong to them,
+GitLab supports [custom domain verification](../../user/project/pages/getting_started_part_three.md#dns-txt-record).
+When adding a custom domain, users will be required to prove they own it by
+adding a GitLab-controlled verification code to the DNS records for that domain.
+
+If your userbase is private or otherwise trusted, you can disable the
+verification requirement. Navigate to `Admin area ➔ Settings` and uncheck
+**Require users to prove ownership of custom domains** in the Pages section.
+This setting is enabled by default.
+
 ## Change storage path
 
 Follow the steps below to change the default path where GitLab Pages' contents
diff --git a/doc/customization/branded_login_page.md b/doc/customization/branded_login_page.md
index d4d9f5f7b5e..b892f59d777 100644
--- a/doc/customization/branded_login_page.md
+++ b/doc/customization/branded_login_page.md
@@ -1,6 +1,6 @@
 # Changing the appearance of the login page
 
-GitLab Community Edition offers a way to put your company's identity on the login page of your GitLab server and make it a branded login page.
+GitLab offers a way to put your company's identity on the login page of your GitLab server and make it a branded login page.
 
 By default, the page shows the GitLab logo and description.
 
diff --git a/doc/development/architecture.md b/doc/development/architecture.md
index d1ba7d3dfc3..31117b5e723 100644
--- a/doc/development/architecture.md
+++ b/doc/development/architecture.md
@@ -2,9 +2,11 @@
 
 ## Software delivery
 
-There are two editions of GitLab: [Enterprise Edition](https://about.gitlab.com/gitlab-ee/) (EE) and [Community Edition](https://about.gitlab.com/gitlab-ce/) (CE). GitLab CE is delivered via git from the [gitlabhq repository](https://gitlab.com/gitlab-org/gitlab-ce/tree/master). New versions of GitLab are released in stable branches and the master branch is for bleeding edge development.
+There are two software distributions of GitLab: the open source [Community Edition](https://gitlab.com/gitlab-org/gitlab-ce/) (CE), and the open core [Enterprise Edition](https://gitlab.com/gitlab-org/gitlab-ee/) (EE). GitLab is available under [different subscriptions](https://about.gitlab.com/products/).
 
-EE releases are available not long after CE releases. To obtain the GitLab EE there is a [repository at gitlab.com](https://gitlab.com/gitlab-org/gitlab-ee). For more information about the release process see the section 'New versions and upgrading' in the readme.
+New versions of GitLab are released in stable branches and the master branch is for bleeding edge development.
+
+For information, see the [GitLab Release Process](https://gitlab.com/gitlab-org/release/docs/tree/master#gitlab-release-process).
 
 Both EE and CE require some add-on components called gitlab-shell and Gitaly. These components are available from the [gitlab-shell](https://gitlab.com/gitlab-org/gitlab-shell/tree/master) and [gitaly](https://gitlab.com/gitlab-org/gitaly/tree/master) repositories respectively. New versions are usually tags but staying on the master branch will give you the latest stable version. New releases are generally around the same time as GitLab CE releases with exception for informal security updates deemed critical.
 
diff --git a/doc/development/doc_styleguide.md b/doc/development/doc_styleguide.md
index cfeeed2506d..6fe5f647d6c 100644
--- a/doc/development/doc_styleguide.md
+++ b/doc/development/doc_styleguide.md
@@ -236,6 +236,11 @@ Inside the document:
 
 ## New features
 
+New features must be shipped with its accompanying documentation and the doc
+reviewed by a technical writer.
+
+### Mentioning GitLab versions and tiers
+
 - Every piece of documentation that comes with a new feature should declare the
   GitLab version that feature got introduced. Right below the heading add a
   note:
@@ -244,7 +249,7 @@ Inside the document:
     > Introduced in GitLab 8.3.
     ```
 
-- If possible every feature should have a link to the MR that introduced it.
+- If possible every feature should have a link to the MR, issue, or epic that introduced it.
   The above note would be then transformed to:
 
     ```
@@ -254,11 +259,12 @@ Inside the document:
     , where the [link identifier](#links) is named after the repository (CE) and
     the MR number.
 
-- If the feature is only in GitLab Enterprise Edition, don't forget to mention
-  it, like:
+- If the feature is only available in GitLab Enterprise Edition, don't forget to mention
+  the [paid tier](https://about.gitlab.com/handbook/marketing/product-marketing/#tiers)
+  the feature is available in:
 
     ```
-    > Introduced in GitLab Enterprise Edition 8.3.
+    > [Introduced][ee-1234] in [GitLab Starter](https://about.gitlab.com/products/) 8.3.
     ```
 
     Otherwise, leave this mention out.
diff --git a/doc/development/i18n/proofreader.md b/doc/development/i18n/proofreader.md
index 795e1e83105..ece9a9bc0fe 100644
--- a/doc/development/i18n/proofreader.md
+++ b/doc/development/i18n/proofreader.md
@@ -37,12 +37,31 @@ are very appreciative of the work done by translators and proofreaders!
 > sure that you have a history of contributing translations to the GitLab
 > project.
 
-1. Once your translations have been accepted,
-   [open a merge request](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/new)
-   to request Proofreader permissions and add yourself to the list above.
+1. Contribute translations to GitLab. See instructions for
+   [translating GitLab](translation.md).
+
+    Translating GitLab is a community effort that requires team work and
+    attention to detail. Proofreaders play an important role helping new
+    contributors, and ensuring the consistency and quality of translations.
+    Your conduct and contributions as a translator should reflect this before
+    requesting to be a proofreader.
+
+1. Request proofreader permissions by opening a merge request to add yourself
+   to the list of proofreaders.
+
+    Open the [proofreader.md source file][proofreader-src] and click **Edit**.
+
+    Add your language in alphabetical order, and add yourself to the list
+    including:
+
+    - name
+    - link to your GitLab profile
+    - link to your CrowdIn profile
 
     In the merge request description, please include links to any projects you
     have previously translated.
 
 1. Your request to become a proofreader will be considered on the merits of
    your previous translations.
+
+[proofreader-src]: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/i18n/proofreader.md
diff --git a/doc/development/licensing.md b/doc/development/licensing.md
index 274923c2d43..c06bc0d4731 100644
--- a/doc/development/licensing.md
+++ b/doc/development/licensing.md
@@ -1,6 +1,6 @@
 # GitLab Licensing and Compatibility
 
-GitLab CE is licensed under the terms of the MIT License. GitLab EE is licensed under "The GitLab Enterprise Edition (EE) license" wherein there are more restrictions. See their respective LICENSE files ([CE][CE], [EE][EE]) for more information.
+[GitLab Community Edition](https://gitlab.com/gitlab-org/gitlab-ce/) (CE) is licensed [under the terms of the MIT License][CE]. [GitLab Enterprise Edition](https://gitlab.com/gitlab-org/gitlab-ee/) (EE) is licensed under "[The GitLab Enterprise Edition (EE) license][EE]" wherein there are more restrictions.
 
 ## Automated Testing
 
diff --git a/doc/gitlab-basics/create-project.md b/doc/gitlab-basics/create-project.md
index 7b87039da84..10e8059756d 100644
--- a/doc/gitlab-basics/create-project.md
+++ b/doc/gitlab-basics/create-project.md
@@ -41,16 +41,16 @@ When you create a new repo locally, instead of going to GitLab to manually
 create a new project and then push the repo, you can directly push it to
 GitLab to create the new project, all without leaving your terminal. If you have access to that
 namespace, we will automatically create a new project under that GitLab namespace with its 
-visibility set to private by default (you can later change it in the UI).
+visibility set to Private by default (you can later change it in the [project's settings](../public_access/public_access.md#how-to-change-project-visibility)).
 
 This can be done by using either SSH or HTTP:
 
 ```
 ## Git push using SSH
-git push git@gitlab.example.com:namespace/nonexistent-project.git
+git push --set-upstream git@gitlab.example.com:namespace/nonexistent-project.git master
 
 ## Git push using HTTP
-git push https://gitlab.example.com/namespace/nonexistent-project.git
+git push --set-upstream https://gitlab.example.com/namespace/nonexistent-project.git master
 ```
 
 Once the push finishes successfully, a remote message will indicate
diff --git a/doc/install/azure/index.md b/doc/install/azure/index.md
index 7afe338ae8b..b0c3ad960bb 100644
--- a/doc/install/azure/index.md
+++ b/doc/install/azure/index.md
@@ -38,9 +38,10 @@ create SQL Databases, author websites, and perform lots of other cloud tasks.
 ## Create New VM
 
 The [Azure Marketplace][Azure-Marketplace] is an online store for pre-configured applications and 
-services which have been optimized for the cloud by software vendors like GitLab, and both 
-the [Community Edition ("CE")][CE] and the [Enterprise Edition ("EE")][EE] versions of GitLab are 
-available on the Azure Marketplace as pre-configured solutions.
+services which have been optimized for the cloud by software vendors like GitLab,
+available on the Azure Marketplace as pre-configured solutions. In this tutorial
+we will install GitLab Community Edition, but for GitLab Enterprise Edition you
+can follow the same process.
 
 To begin creating a new GitLab VM, click on the **+ New** icon, type "GitLab" into the search 
 box, and then click the **"GitLab Community Edition"** search result:
diff --git a/doc/user/admin_area/settings/usage_statistics.md b/doc/user/admin_area/settings/usage_statistics.md
index 81b135a5b37..d874688cc29 100644
--- a/doc/user/admin_area/settings/usage_statistics.md
+++ b/doc/user/admin_area/settings/usage_statistics.md
@@ -10,9 +10,8 @@ under **Admin area > Settings > Usage statistics**.
 
 GitLab can inform you when an update is available and the importance of it.
 
-GitLab Inc. collects version statistics, but no information other than
-the GitLab version and the instance's hostname (through the HTTP
-referer) is collected.
+No information other than the GitLab version and the instance's hostname (through the HTTP referer)
+are collected.
 
 In the **Overview** tab you can see if your GitLab version is up to date. There
 are three cases: 1) you are up to date (green), 2) there is an update available
diff --git a/doc/user/markdown.md b/doc/user/markdown.md
index ac8ff67f622..ea7b1c9a0ed 100644
--- a/doc/user/markdown.md
+++ b/doc/user/markdown.md
@@ -750,7 +750,7 @@ This line is separated from the one above by two newlines, so it will be a *sepa
 This line is also a separate paragraph, but...
 This line is only separated by a single newline, so it *does not break* and just follows the previous line in the *same paragraph*.
 
-This line is also a separate paragraph, and...
+This line is also a separate paragraph, and...  
 This line is *on its own line*, because the previous line ends with two spaces. (but still in the *same paragraph*)
 
 spaces.
@@ -763,7 +763,7 @@ This line is separated from the one above by two newlines, so it will be a *sepa
 This line is also a separate paragraph, but...
 This line is only separated by a single newline, so it *does not break* and just follows the previous line in the *same paragraph*.
 
-This line is also a separate paragraph, and...
+This line is also a separate paragraph, and...  
 This line is *on its own line*, because the previous line ends with two spaces. (but still in the *same paragraph*)
 
 spaces.
diff --git a/doc/user/project/issues/issues_functionalities.md b/doc/user/project/issues/issues_functionalities.md
index 0bef83d18e8..f2ca6a6822e 100644
--- a/doc/user/project/issues/issues_functionalities.md
+++ b/doc/user/project/issues/issues_functionalities.md
@@ -50,8 +50,8 @@ Often multiple people likely work on the same issue together,
 which can especially be difficult to track in large teams
 where there is shared ownership of an issue.
 
-In GitLab Enterprise Edition, you can also select multiple assignees
-to an issue.
+In [GitLab Starter](https://about.gitlab.com/products/), you can also
+select multiple assignees to an issue.
 
 Learn more on the [Multiple Assignees documentation](https://docs.gitlab.com/ee/user/project/issues/multiple_assignees_for_issues.html).
 
diff --git a/doc/user/project/milestones/img/milestone_create.png b/doc/user/project/milestones/img/milestone_create.png
deleted file mode 100644
index beb2caa897f..00000000000
--- a/doc/user/project/milestones/img/milestone_create.png
+++ /dev/null
diff --git a/doc/user/project/milestones/img/milestone_group_create.png b/doc/user/project/milestones/img/milestone_group_create.png
deleted file mode 100644
index 7aaa7c56c15..00000000000
--- a/doc/user/project/milestones/img/milestone_group_create.png
+++ /dev/null
diff --git a/doc/user/project/milestones/img/milestones_new_group_milestone.png b/doc/user/project/milestones/img/milestones_new_group_milestone.png
new file mode 100644
index 00000000000..8780394d72e
--- /dev/null
+++ b/doc/user/project/milestones/img/milestones_new_group_milestone.png
diff --git a/doc/user/project/milestones/img/milestones_new_project_milestone.png b/doc/user/project/milestones/img/milestones_new_project_milestone.png
new file mode 100644
index 00000000000..ba058428dfa
--- /dev/null
+++ b/doc/user/project/milestones/img/milestones_new_project_milestone.png
diff --git a/doc/user/project/milestones/img/milestones_project_milestone_page.png b/doc/user/project/milestones/img/milestones_project_milestone_page.png
new file mode 100644
index 00000000000..9717075b8d0
--- /dev/null
+++ b/doc/user/project/milestones/img/milestones_project_milestone_page.png
diff --git a/doc/user/project/milestones/img/milestones_promote_milestone.png b/doc/user/project/milestones/img/milestones_promote_milestone.png
new file mode 100644
index 00000000000..99bee1240d4
--- /dev/null
+++ b/doc/user/project/milestones/img/milestones_promote_milestone.png
diff --git a/doc/user/project/milestones/img/sidebar.png b/doc/user/project/milestones/img/sidebar.png
deleted file mode 100644
index 274962a936c..00000000000
--- a/doc/user/project/milestones/img/sidebar.png
+++ /dev/null
diff --git a/doc/user/project/milestones/index.md b/doc/user/project/milestones/index.md
index 27832b0fa2b..10e6321eb82 100644
--- a/doc/user/project/milestones/index.md
+++ b/doc/user/project/milestones/index.md
@@ -1,63 +1,111 @@
 # Milestones
 
-Milestones allow you to organize issues and merge requests into a cohesive group,
-optionally setting a due date. A common use is keeping track of an upcoming
-software version. Milestones can be created per-project or per-group.
+## Overview
 
-## Creating a project milestone
+Milestones in GitLab are a way to track issues and merge requests created to achieve a broader goal in a certain period of time.
+
+Milestones allow you to organize issues and merge requests into a cohesive group, with an optional start date and an optional due date.
+
+## Project milestones and group milestones
+
+- **Project milestones** can be assigned to issues or merge requests in that project only.
+- **Group milestones** can be assigned to any issue or merge request of any project in that group.
+- In the [future](https://gitlab.com/gitlab-org/gitlab-ce/issues/36862), you will be able to assign group milestones to issues and merge reqeusts of projects in [subgroups](../../group/subgroups/index.md).
+
+## Creating milestones
+
+>**Note:**
+A permission level of `Developer` or higher is required to create milestones.
+
+### New project milestone
+
+To create a **project milestone**, navigate to **Issues > Milestones** in the project.
+
+Click the **New milestone** button. Enter the title, an optional description, an optional start date, and an optional due date. Click **Create milestone** to create the milestone.
+
+![New project milestone](img/milestones_new_project_milestone.png)
+
+### New group milestone
+
+To create a **group milestone**, follow similar steps from above to project milestones. Navigate to **Issues > Milestones** in the group and create it from there.
+
+![New group milestone](img/milestones_new_group_milestone.png)
+
+## Editing milestones
 
 >**Note:**
-You need [Master permissions](../../permissions.md) in order to create a milestone.
+A permission level of `Developer` or higher is required to edit milestones.
+
+You can update a milestone by navigating to **Issues > Milestones** in the project or group and clicking the **Edit** button.
 
-You can find the milestones page under your project's **Issues ➔ Milestones**.
-To create a new milestone, simply click the **New milestone** button when in the
-milestones page. A milestone can have a title, a description and start/due dates.
-Once you fill in all the details, hit the **Create milestone** button.
+You can delete a milestone by clicking the **Delete** button.
 
-![Creating a milestone](img/milestone_create.png)
+### Promoting project milestones to group milestones
 
-## Creating a group milestone
+If you are expanding from a few projects to a larger number of projects within the same group, you may want to share the same milestone among multiple projects in the same group. If you previously created a project milestone and now want to make it available for other milestones, you can promote it to a group milestone.
+
+From the project milestone list page, you can promote a project milestone to a group milestone. This will merge all project milestones across all projects in this group with the same name into a single group milestones. All issues and merge requests that previously were assigned one of these project milestones will now be assigned the new group milestones. This action cannot be reversed and the changes are permanent.
 
 >**Note:**
-You need [Master permissions](../../permissions.md) in order to create a milestone.
+Not all features on the project milestone view are available on the group milestone view. If you promote a project milestone to a group milestone, you will lose these features. See [Milestone view](#milestone-view) to see which features are missing from the group milestone view.
+
+![Promote milestone](img/milestones_promote_milestone.png)
+
+## Assigning milestones from the sidebar
+
+Every issue and merge request can be assigned a milestone. The milestones are visible on every issue and merge request page, in the sidebar. They are also visible in the issue board. From the sidebar, you can assign or unassign a milestones to the object. You can also perform this as a [quick action](../quick_actions.md) in a comment. [As mentioned](#project-milestones-and-group-milestones), for a given issue or merge request, both project milestones and group milestones can be selected and assigned to the object.
+
+## Filtering issues and merge requests by milestone
+
+### Filtering in list pages
+
+From the project issue/merge request list pages and the group issue/merge request list pages, you can [filter](../../search/index.md#issues-and-merge-requests) by both group milestones and project milestones.
+
+### Filtering in issue boards
+
+From [project issue boards](../issue_board.md), you can filter by both group milestones and project milestones in the [search and filter bar](../../search/index.md#issue-boards).
+
+### Special milestone filters
+
+When filtering by milestone, in addition to choosing a specific project milestone or group milestone, you can choose a special milestone filter.
 
-You can create a milestone for a group that will be shared across group projects.
-On the group's **Issues ➔ Milestones** page, you will be able to see the state
-of that milestone and the issues/merge requests count that it shares across the group projects. To create a new milestone click the **New milestone** button. The form is the same as when creating a milestone for a specific project which you can find in the previous item.
+- **No Milestone**: Show issues or merge requests with no assigned milestone.
+- **Upcoming**: Show issues or merge requests that have been assigned the open milestone that has the next upcoming due date (i.e. nearest due date in the future).
+- **Started**: Show issues or merge requests that have an assigned milestone with a start date that is before today.
 
-In addition to that you will be able to filter issues or merge requests by group milestones in all projects that belongs to the milestone group.
+## Milestone view
 
-## Milestone promotion
+Not all features in the project milestone view are available in the group milestone view. This table summarizes the differences:
 
-Project milestones can be promoted to group milestones if its project belongs to a group. When a milestone is promoted all other milestones across the group projects with the same title will be merged into it, which means all milestone's children like issues, merge requests and boards will be moved into the new promoted milestone.
-The promote button can be found in the milestone view or milestones list.
+| Feature | Project milestone view | Group milestone view |
+|---|:---:|:---:|
+| Title an description | ✓ | ✓ |
+| Issues assigned to milestone | ✓ |  |
+| Merge requests assigned to milestone | ✓ |  |
+| Participants and labels used | ✓ |  |
+| Percentage complete | ✓ | ✓ |
+| Start date and due date | ✓ | ✓ |
+| Total issue time spent | ✓ | ✓ |
+| Total issue weight | ✓ |  |
 
-## Special milestone filters
+The milestone view shows the title and description.
 
-In addition to the milestones that exist in the project or group, there are some
-special options available when filtering by milestone:
+### Project milestone features
 
-* **No Milestone** - only show issues or merge requests without a milestone.
-* **Upcoming** - show issues or merge request that belong to the next open
-  milestone with a due date, by project. (For example: if project A has
-  milestone v1 due in three days, and project B has milestone v2 due in a week,
-  then this will show issues or merge requests from milestone v1 in project A
-  and milestone v2 in project B.)
-* **Started** - show issues or merge requests from any milestone with a start
-  date less than today. Note that this can return results from several
-  milestones in the same project.
+These features are only available for project milestones and not group milestones.
 
-## Milestone sidebar
+- Issues assigned to the milestone are displayed in three columns: Unstarted issues, ongoing issues, and completed issues.
+- Merge requests assigned to the milestone are displayed in four columns: Work in progress merge requests, waiting for merge, rejected, and closed.
+- Participants and labels that are used in issues and merge requests that have the milestone assigned are displayed.
 
-The milestone sidebar shows percentage complete, start date and due date,
-issues, total issue weight, total issue time spent, and merge requests.
+### Milestone sidebar
 
-The percentage complete is calculated as: Closed and merged merge requests plus all closed issues divided by
-total merge requests and issues.
+The milestone sidebar on the milestone view shows the following:
 
-![Milestone sidebar](img/sidebar.png)
+- Percentage complete, which is calculated as number of closed issues plus number of closed/merged merge requests divided by total number issues and merge requests.
+- The start date and due date.
+- The total time spent on all issues that have the milestone assigned.
 
-## Quick actions
+For project milestones only, the milestone sidebar shows the total issue weight of all issues that have the milestone assigned.
 
-[Quick actions](../quick_actions.md) are available for assigning and removing
-project and group milestones.
+![Project milestone page](img/milestones_project_milestone_page.png)
diff --git a/doc/user/project/pages/getting_started_part_three.md b/doc/user/project/pages/getting_started_part_three.md
index b6cf68a02a2..430fe3af1f8 100644
--- a/doc/user/project/pages/getting_started_part_three.md
+++ b/doc/user/project/pages/getting_started_part_three.md
@@ -62,7 +62,7 @@ for the most popular hosting services:
 - [Microsoft](https://msdn.microsoft.com/en-us/library/bb727018.aspx)
 
 If your hosting service is not listed above, you can just try to
-search the web for "how to add dns record on <my hosting service>".
+search the web for `how to add dns record on <my hosting service>`.
 
 ### DNS A record
 
@@ -95,12 +95,32 @@ without any `/project-name`.
 
 ![DNS CNAME record pointing to GitLab.com project](img/dns_cname_record_example.png)
 
-### TL;DR
+#### DNS TXT record
+
+Unless your GitLab administrator has [disabled custom domain verification](../../../administration/pages/index.md#custom-domain-verification),
+you'll have to prove that you own the domain by creating a `TXT` record
+containing a verification code. The code will be displayed after you
+[add your custom domain to GitLab Pages settings](#add-your-custom-domain-to-gitlab-pages-settings).
+
+If using a [DNS A record](#dns-a-record), you can place the TXT record directly
+under the domain. If using a [DNS CNAME record](#dns-cname-record), the two record types won't
+co-exist, so you need to place the TXT record in a special subdomain of its own.
+
+#### TL;DR
+
+If the domain has multiple uses (e.g., you host email on it as well):
 
 | From | DNS Record | To |
 | ---- | ---------- | -- |
 | domain.com | A | 52.167.214.135 |
-| subdomain.domain.com | CNAME | namespace.gitlab.io |
+| domain.com | TXT | gitlab-pages-verification-code=00112233445566778899aabbccddeeff |
+
+If the domain is dedicated to GitLab Pages use and no other services run on it:
+
+| From | DNS Record | To |
+| ---- | ---------- | -- |
+| subdomain.domain.com | CNAME | gitlab.io |
+| _gitlab-pages-verification-code.subdomain.domain.com | TXT | gitlab-pages-verification-code=00112233445566778899aabbccddeeff |
 
 > **Notes**:
 >
@@ -121,6 +141,17 @@ your site will be accessible only via HTTP:
 
 ![Add new domain](img/add_certificate_to_pages.png)
 
+Once you have added a new domain, you will need to **verify your ownership**
+(unless the GitLab administrator has disabled this feature). A verification code
+will be shown to you; add it as a [DNS TXT record](#dns-txt-record), then press
+the "Verify ownership" button to activate your new domain:
+
+![Verify your domain](img/verify_your_domain.png)
+
+Once your domain has been verified, leave the verification record in place -
+your domain will be periodically reverified, and may be disabled if the record
+is removed.
+
 You can add more than one alias (custom domains and subdomains) to the same project.
 An alias can be understood as having many doors leading to the same room.
 
@@ -128,8 +159,8 @@ All the aliases you've set to your site will be listed on **Setting > Pages**.
 From that page, you can view, add, and remove them.
 
 Note that [DNS propagation may take some time (up to 24h)](http://www.inmotionhosting.com/support/domain-names/dns-nameserver-changes/domain-names-dns-changes),
-although it's usually a matter of minutes to complete. Until it does, visit attempts
-to your domain will respond with a 404.
+although it's usually a matter of minutes to complete. Until it does, verification
+will fail and attempts to visit your domain will respond with a 404.
 
 Read through the [general documentation on GitLab Pages](introduction.md#add-a-custom-domain-to-your-pages-website) to learn more about adding
 custom domains to GitLab Pages sites.
diff --git a/doc/user/project/pages/img/verify_your_domain.png b/doc/user/project/pages/img/verify_your_domain.png
new file mode 100644
index 00000000000..89c69cac9a5
--- /dev/null
+++ b/doc/user/project/pages/img/verify_your_domain.png
diff --git a/doc/user/project/repository/index.md b/doc/user/project/repository/index.md
index da3c30a8eaf..e6aede7f46e 100644
--- a/doc/user/project/repository/index.md
+++ b/doc/user/project/repository/index.md
@@ -66,8 +66,7 @@ your implementation with your team.
 You can live preview changes submitted to a new branch with
 [Review Apps](../../../ci/review_apps/index.md).
 
-With [GitLab Enterprise Edition](https://about.gitlab.com/products/)
-subscriptions, you can also request
+With [GitLab Starter](https://about.gitlab.com/products/), you can also request
 [approval](https://docs.gitlab.com/ee/user/project/merge_requests/merge_request_approvals.html) from your managers.
 
 To create, delete, and [branches](branches/index.md) via GitLab's UI:
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 45c737c6c29..167878ba600 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -1154,6 +1154,10 @@ module API
       expose :domain
       expose :url
       expose :project_id
+      expose :verified?, as: :verified
+      expose :verification_code, as: :verification_code
+      expose :enabled_until
+
       expose :certificate,
         as: :certificate_expiration,
         if: ->(pages_domain, _) { pages_domain.certificate? },
@@ -1165,6 +1169,10 @@ module API
     class PagesDomain < Grape::Entity
       expose :domain
       expose :url
+      expose :verified?, as: :verified
+      expose :verification_code, as: :verification_code
+      expose :enabled_until
+
       expose :certificate,
         if: ->(pages_domain, _) { pages_domain.certificate? },
         using: PagesDomainCertificate do |pages_domain|
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 6134ad2bfc7..e4fca77ab5d 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -172,7 +172,7 @@ module API
 
     def find_project_snippet(id)
       finder_params = { project: user_project }
-      SnippetsFinder.new(current_user, finder_params).execute.find(id)
+      SnippetsFinder.new(current_user, finder_params).find(id)
     end
 
     def find_merge_request_with_access(iid, access_level = :read_merge_request)
diff --git a/lib/api/settings.rb b/lib/api/settings.rb
index cee4d309816..152df23a327 100644
--- a/lib/api/settings.rb
+++ b/lib/api/settings.rb
@@ -147,7 +147,7 @@ module API
         attrs[:password_authentication_enabled_for_web] = attrs.delete(:password_authentication_enabled)
       end
 
-      if current_settings.update_attributes(attrs)
+      if ApplicationSettings::UpdateService.new(current_settings, current_user, attrs).execute
         present current_settings, with: Entities::ApplicationSetting
       else
         render_validation_error!(current_settings)
diff --git a/lib/banzai/filter/issuable_state_filter.rb b/lib/banzai/filter/issuable_state_filter.rb
index 327ea9449a1..77299abe324 100644
--- a/lib/banzai/filter/issuable_state_filter.rb
+++ b/lib/banzai/filter/issuable_state_filter.rb
@@ -15,6 +15,8 @@ module Banzai
         issuables = extractor.extract([doc])
 
         issuables.each do |node, issuable|
+          next if !can_read_cross_project? && issuable.project != project
+
           if VISIBLE_STATES.include?(issuable.state) && node.inner_html == issuable.reference_link_text(project)
             node.content += " (#{issuable.state})"
           end
@@ -25,6 +27,10 @@ module Banzai
 
       private
 
+      def can_read_cross_project?
+        Ability.allowed?(current_user, :read_cross_project)
+      end
+
       def current_user
         context[:current_user]
       end
diff --git a/lib/banzai/filter/milestone_reference_filter.rb b/lib/banzai/filter/milestone_reference_filter.rb
index 2a6b0964ac5..8ec696ce5fc 100644
--- a/lib/banzai/filter/milestone_reference_filter.rb
+++ b/lib/banzai/filter/milestone_reference_filter.rb
@@ -64,7 +64,7 @@ module Banzai
           finder_params[:group_ids] = [project.group.id]
         end
 
-        MilestonesFinder.new(finder_params).execute.find_by(params)
+        MilestonesFinder.new(finder_params).find_by(params)
       end
 
       def url_for_object(milestone, project)
diff --git a/lib/banzai/redactor.rb b/lib/banzai/redactor.rb
index de3ebe72720..827df7c08ae 100644
--- a/lib/banzai/redactor.rb
+++ b/lib/banzai/redactor.rb
@@ -19,8 +19,9 @@ module Banzai
     #
     # Returns the documents passed as the first argument.
     def redact(documents)
-      all_document_nodes = document_nodes(documents)
+      redact_cross_project_references(documents) unless can_read_cross_project?
 
+      all_document_nodes = document_nodes(documents)
       redact_document_nodes(all_document_nodes)
     end
 
@@ -51,6 +52,18 @@ module Banzai
       metadata
     end
 
+    def redact_cross_project_references(documents)
+      extractor = Banzai::IssuableExtractor.new(project, user)
+      issuables = extractor.extract(documents)
+
+      issuables.each do |node, issuable|
+        next if issuable.project == project
+
+        node['class'] = node['class'].gsub('has-tooltip', '')
+        node['title'] = nil
+      end
+    end
+
     # Returns the nodes visible to the current user.
     #
     # nodes - The input nodes to check.
@@ -78,5 +91,11 @@ module Banzai
         { document: document, nodes: Querying.css(document, 'a.gfm[data-reference-type]') }
       end
     end
+
+    private
+
+    def can_read_cross_project?
+      Ability.allowed?(user, :read_cross_project)
+    end
   end
 end
diff --git a/lib/banzai/reference_parser/issuable_parser.rb b/lib/banzai/reference_parser/issuable_parser.rb
index 3953867eb83..fad127d7e5b 100644
--- a/lib/banzai/reference_parser/issuable_parser.rb
+++ b/lib/banzai/reference_parser/issuable_parser.rb
@@ -18,7 +18,7 @@ module Banzai
       end
 
       def can_read_reference?(user, issuable)
-        can?(user, "read_#{issuable.class.to_s.underscore}".to_sym, issuable)
+        can?(user, "read_#{issuable.class.to_s.underscore}_iid".to_sym, issuable)
       end
     end
   end
diff --git a/lib/banzai/reference_parser/issue_parser.rb b/lib/banzai/reference_parser/issue_parser.rb
index 38d4e3f3e44..230827129b6 100644
--- a/lib/banzai/reference_parser/issue_parser.rb
+++ b/lib/banzai/reference_parser/issue_parser.rb
@@ -5,12 +5,31 @@ module Banzai
 
       def nodes_visible_to_user(user, nodes)
         issues = records_for_nodes(nodes)
+        issues_to_check = issues.values
 
-        readable_issues = Ability
-          .issues_readable_by_user(issues.values, user).to_set
+        unless can?(user, :read_cross_project)
+          issues_to_check, cross_project_issues = issues_to_check.partition do |issue|
+            issue.project == project
+          end
+        end
+
+        readable_issues = Ability.issues_readable_by_user(issues_to_check, user).to_set
 
         nodes.select do |node|
-          readable_issues.include?(issues[node])
+          issue_in_node = issues[node]
+
+          # We check the inclusion of readable issues first because it's faster.
+          #
+          # But we need to fall back to `read_issue_iid` if the user cannot read
+          # cross project, since it might be possible the user can see the IID
+          # but not the issue.
+          if readable_issues.include?(issue_in_node)
+            true
+          elsif cross_project_issues&.include?(issue_in_node)
+            can_read_reference?(user, issue_in_node)
+          else
+            false
+          end
         end
       end
 
diff --git a/lib/gitlab/auth/request_authenticator.rb b/lib/gitlab/auth/request_authenticator.rb
index 46ec040ce92..a0b5cd868c3 100644
--- a/lib/gitlab/auth/request_authenticator.rb
+++ b/lib/gitlab/auth/request_authenticator.rb
@@ -20,6 +20,14 @@ module Gitlab
       rescue Gitlab::Auth::AuthenticationError
         nil
       end
+
+      def valid_access_token?(scopes: [])
+        validate_access_token!(scopes: scopes)
+
+        true
+      rescue Gitlab::Auth::AuthenticationError
+        false
+      end
     end
   end
 end
diff --git a/lib/gitlab/background_migration/populate_untracked_uploads.rb b/lib/gitlab/background_migration/populate_untracked_uploads.rb
index ee55fabd6f0..9232f20a063 100644
--- a/lib/gitlab/background_migration/populate_untracked_uploads.rb
+++ b/lib/gitlab/background_migration/populate_untracked_uploads.rb
@@ -5,157 +5,10 @@ module Gitlab
     # This class processes a batch of rows in `untracked_files_for_uploads` by
     # adding each file to the `uploads` table if it does not exist.
     class PopulateUntrackedUploads # rubocop:disable Metrics/ClassLength
-      # This class is responsible for producing the attributes necessary to
-      # track an uploaded file in the `uploads` table.
-      class UntrackedFile < ActiveRecord::Base # rubocop:disable Metrics/ClassLength, Metrics/LineLength
-        self.table_name = 'untracked_files_for_uploads'
-
-        # Ends with /:random_hex/:filename
-        FILE_UPLOADER_PATH = %r{/\h+/[^/]+\z}
-        FULL_PATH_CAPTURE = /\A(.+)#{FILE_UPLOADER_PATH}/
-
-        # These regex patterns are tested against a relative path, relative to
-        # the upload directory.
-        # For convenience, if there exists a capture group in the pattern, then
-        # it indicates the model_id.
-        PATH_PATTERNS = [
-          {
-            pattern: %r{\A-/system/appearance/logo/(\d+)/},
-            uploader: 'AttachmentUploader',
-            model_type: 'Appearance'
-          },
-          {
-            pattern: %r{\A-/system/appearance/header_logo/(\d+)/},
-            uploader: 'AttachmentUploader',
-            model_type: 'Appearance'
-          },
-          {
-            pattern: %r{\A-/system/note/attachment/(\d+)/},
-            uploader: 'AttachmentUploader',
-            model_type: 'Note'
-          },
-          {
-            pattern: %r{\A-/system/user/avatar/(\d+)/},
-            uploader: 'AvatarUploader',
-            model_type: 'User'
-          },
-          {
-            pattern: %r{\A-/system/group/avatar/(\d+)/},
-            uploader: 'AvatarUploader',
-            model_type: 'Namespace'
-          },
-          {
-            pattern: %r{\A-/system/project/avatar/(\d+)/},
-            uploader: 'AvatarUploader',
-            model_type: 'Project'
-          },
-          {
-            pattern: FILE_UPLOADER_PATH,
-            uploader: 'FileUploader',
-            model_type: 'Project'
-          }
-        ].freeze
-
-        def to_h
-          @upload_hash ||= {
-            path: upload_path,
-            uploader: uploader,
-            model_type: model_type,
-            model_id: model_id,
-            size: file_size,
-            checksum: checksum
-          }
-        end
-
-        def upload_path
-          # UntrackedFile#path is absolute, but Upload#path depends on uploader
-          @upload_path ||=
-            if uploader == 'FileUploader'
-              # Path relative to project directory in uploads
-              matchd = path_relative_to_upload_dir.match(FILE_UPLOADER_PATH)
-              matchd[0].sub(%r{\A/}, '') # remove leading slash
-            else
-              path
-            end
-        end
-
-        def uploader
-          matching_pattern_map[:uploader]
-        end
-
-        def model_type
-          matching_pattern_map[:model_type]
-        end
-
-        def model_id
-          return @model_id if defined?(@model_id)
-
-          pattern = matching_pattern_map[:pattern]
-          matchd = path_relative_to_upload_dir.match(pattern)
-
-          # If something is captured (matchd[1] is not nil), it is a model_id
-          # Only the FileUploader pattern will not match an ID
-          @model_id = matchd[1] ? matchd[1].to_i : file_uploader_model_id
-        end
-
-        def file_size
-          File.size(absolute_path)
-        end
-
-        def checksum
-          Digest::SHA256.file(absolute_path).hexdigest
-        end
-
-        private
-
-        def matching_pattern_map
-          @matching_pattern_map ||= PATH_PATTERNS.find do |path_pattern_map|
-            path_relative_to_upload_dir.match(path_pattern_map[:pattern])
-          end
-
-          unless @matching_pattern_map
-            raise "Unknown upload path pattern \"#{path}\""
-          end
-
-          @matching_pattern_map
-        end
-
-        def file_uploader_model_id
-          matchd = path_relative_to_upload_dir.match(FULL_PATH_CAPTURE)
-          not_found_msg = <<~MSG
-            Could not capture project full_path from a FileUploader path:
-              "#{path_relative_to_upload_dir}"
-          MSG
-          raise not_found_msg unless matchd
-
-          full_path = matchd[1]
-          project = Project.find_by_full_path(full_path)
-          return nil unless project
-
-          project.id
-        end
-
-        # Not including a leading slash
-        def path_relative_to_upload_dir
-          upload_dir = Gitlab::BackgroundMigration::PrepareUntrackedUploads::RELATIVE_UPLOAD_DIR # rubocop:disable Metrics/LineLength
-          base = %r{\A#{Regexp.escape(upload_dir)}/}
-          @path_relative_to_upload_dir ||= path.sub(base, '')
-        end
-
-        def absolute_path
-          File.join(Gitlab.config.uploads.storage_path, path)
-        end
-      end
-
-      # This class is used to query the `uploads` table.
-      class Upload < ActiveRecord::Base
-        self.table_name = 'uploads'
-      end
-
       def perform(start_id, end_id)
         return unless migrate?
 
-        files = UntrackedFile.where(id: start_id..end_id)
+        files = Gitlab::BackgroundMigration::PopulateUntrackedUploadsDependencies::UntrackedFile.where(id: start_id..end_id)
         processed_files = insert_uploads_if_needed(files)
         processed_files.delete_all
 
@@ -165,7 +18,8 @@ module Gitlab
       private
 
       def migrate?
-        UntrackedFile.table_exists? && Upload.table_exists?
+        Gitlab::BackgroundMigration::PopulateUntrackedUploadsDependencies::UntrackedFile.table_exists? &&
+          Gitlab::BackgroundMigration::PopulateUntrackedUploadsDependencies::Upload.table_exists?
       end
 
       def insert_uploads_if_needed(files)
@@ -197,7 +51,7 @@ module Gitlab
 
       def filter_existing_uploads(files)
         paths = files.map(&:upload_path)
-        existing_paths = Upload.where(path: paths).pluck(:path).to_set
+        existing_paths = Gitlab::BackgroundMigration::PopulateUntrackedUploadsDependencies::Upload.where(path: paths).pluck(:path).to_set
 
         files.reject do |file|
           existing_paths.include?(file.upload_path)
@@ -229,7 +83,7 @@ module Gitlab
         end
 
         ids.each do |model_type, model_ids|
-          model_class = Object.const_get(model_type)
+          model_class = "Gitlab::BackgroundMigration::PopulateUntrackedUploadsDependencies::#{model_type}".constantize
           found_ids = model_class.where(id: model_ids.uniq).pluck(:id)
           deleted_ids = ids[model_type] - found_ids
           ids[model_type] = deleted_ids
@@ -249,8 +103,8 @@ module Gitlab
       end
 
       def drop_temp_table_if_finished
-        if UntrackedFile.all.empty? && !Rails.env.test? # Dropping a table intermittently breaks test cleanup
-          UntrackedFile.connection.drop_table(:untracked_files_for_uploads,
+        if Gitlab::BackgroundMigration::PopulateUntrackedUploadsDependencies::UntrackedFile.all.empty? && !Rails.env.test? # Dropping a table intermittently breaks test cleanup
+          Gitlab::BackgroundMigration::PopulateUntrackedUploadsDependencies::UntrackedFile.connection.drop_table(:untracked_files_for_uploads,
                                               if_exists: true)
         end
       end
diff --git a/lib/gitlab/background_migration/populate_untracked_uploads_dependencies.rb b/lib/gitlab/background_migration/populate_untracked_uploads_dependencies.rb
new file mode 100644
index 00000000000..a2c5acbde71
--- /dev/null
+++ b/lib/gitlab/background_migration/populate_untracked_uploads_dependencies.rb
@@ -0,0 +1,201 @@
+# frozen_string_literal: true
+module Gitlab
+  module BackgroundMigration
+    module PopulateUntrackedUploadsDependencies
+      # This class is responsible for producing the attributes necessary to
+      # track an uploaded file in the `uploads` table.
+      class UntrackedFile < ActiveRecord::Base # rubocop:disable Metrics/ClassLength, Metrics/LineLength
+        self.table_name = 'untracked_files_for_uploads'
+
+        # Ends with /:random_hex/:filename
+        FILE_UPLOADER_PATH = %r{/\h+/[^/]+\z}
+        FULL_PATH_CAPTURE = /\A(.+)#{FILE_UPLOADER_PATH}/
+
+        # These regex patterns are tested against a relative path, relative to
+        # the upload directory.
+        # For convenience, if there exists a capture group in the pattern, then
+        # it indicates the model_id.
+        PATH_PATTERNS = [
+          {
+            pattern: %r{\A-/system/appearance/logo/(\d+)/},
+            uploader: 'AttachmentUploader',
+            model_type: 'Appearance'
+          },
+          {
+            pattern: %r{\A-/system/appearance/header_logo/(\d+)/},
+            uploader: 'AttachmentUploader',
+            model_type: 'Appearance'
+          },
+          {
+            pattern: %r{\A-/system/note/attachment/(\d+)/},
+            uploader: 'AttachmentUploader',
+            model_type: 'Note'
+          },
+          {
+            pattern: %r{\A-/system/user/avatar/(\d+)/},
+            uploader: 'AvatarUploader',
+            model_type: 'User'
+          },
+          {
+            pattern: %r{\A-/system/group/avatar/(\d+)/},
+            uploader: 'AvatarUploader',
+            model_type: 'Namespace'
+          },
+          {
+            pattern: %r{\A-/system/project/avatar/(\d+)/},
+            uploader: 'AvatarUploader',
+            model_type: 'Project'
+          },
+          {
+            pattern: FILE_UPLOADER_PATH,
+            uploader: 'FileUploader',
+            model_type: 'Project'
+          }
+        ].freeze
+
+        def to_h
+          @upload_hash ||= {
+            path: upload_path,
+            uploader: uploader,
+            model_type: model_type,
+            model_id: model_id,
+            size: file_size,
+            checksum: checksum
+          }
+        end
+
+        def upload_path
+          # UntrackedFile#path is absolute, but Upload#path depends on uploader
+          @upload_path ||=
+            if uploader == 'FileUploader'
+              # Path relative to project directory in uploads
+              matchd = path_relative_to_upload_dir.match(FILE_UPLOADER_PATH)
+              matchd[0].sub(%r{\A/}, '') # remove leading slash
+            else
+              path
+            end
+        end
+
+        def uploader
+          matching_pattern_map[:uploader]
+        end
+
+        def model_type
+          matching_pattern_map[:model_type]
+        end
+
+        def model_id
+          return @model_id if defined?(@model_id)
+
+          pattern = matching_pattern_map[:pattern]
+          matchd = path_relative_to_upload_dir.match(pattern)
+
+          # If something is captured (matchd[1] is not nil), it is a model_id
+          # Only the FileUploader pattern will not match an ID
+          @model_id = matchd[1] ? matchd[1].to_i : file_uploader_model_id
+        end
+
+        def file_size
+          File.size(absolute_path)
+        end
+
+        def checksum
+          Digest::SHA256.file(absolute_path).hexdigest
+        end
+
+        private
+
+        def matching_pattern_map
+          @matching_pattern_map ||= PATH_PATTERNS.find do |path_pattern_map|
+            path_relative_to_upload_dir.match(path_pattern_map[:pattern])
+          end
+
+          unless @matching_pattern_map
+            raise "Unknown upload path pattern \"#{path}\""
+          end
+
+          @matching_pattern_map
+        end
+
+        def file_uploader_model_id
+          matchd = path_relative_to_upload_dir.match(FULL_PATH_CAPTURE)
+          not_found_msg = <<~MSG
+            Could not capture project full_path from a FileUploader path:
+              "#{path_relative_to_upload_dir}"
+          MSG
+          raise not_found_msg unless matchd
+
+          full_path = matchd[1]
+          project = Gitlab::BackgroundMigration::PopulateUntrackedUploadsDependencies::Project.find_by_full_path(full_path)
+          return nil unless project
+
+          project.id
+        end
+
+        # Not including a leading slash
+        def path_relative_to_upload_dir
+          upload_dir = Gitlab::BackgroundMigration::PrepareUntrackedUploads::RELATIVE_UPLOAD_DIR # rubocop:disable Metrics/LineLength
+          base = %r{\A#{Regexp.escape(upload_dir)}/}
+          @path_relative_to_upload_dir ||= path.sub(base, '')
+        end
+
+        def absolute_path
+          File.join(Gitlab.config.uploads.storage_path, path)
+        end
+      end
+
+      # Avoid using application code
+      class Upload < ActiveRecord::Base
+        self.table_name = 'uploads'
+      end
+
+      # Avoid using application code
+      class Appearance < ActiveRecord::Base
+        self.table_name = 'appearances'
+      end
+
+      # Avoid using application code
+      class Namespace < ActiveRecord::Base
+        self.table_name = 'namespaces'
+      end
+
+      # Avoid using application code
+      class Note < ActiveRecord::Base
+        self.table_name = 'notes'
+      end
+
+      # Avoid using application code
+      class User < ActiveRecord::Base
+        self.table_name = 'users'
+      end
+
+      # Since project Markdown upload paths don't contain the project ID, we have to find the
+      # project by its full_path. Due to MySQL/PostgreSQL differences, and historical reasons,
+      # the logic is somewhat complex, so I've mostly copied it in here.
+      class Project < ActiveRecord::Base
+        self.table_name = 'projects'
+
+        def self.find_by_full_path(path)
+          binary = Gitlab::Database.mysql? ? 'BINARY' : ''
+          order_sql = "(CASE WHEN #{binary} routes.path = #{connection.quote(path)} THEN 0 ELSE 1 END)"
+          where_full_path_in(path).reorder(order_sql).take
+        end
+
+        def self.where_full_path_in(path)
+          cast_lower = Gitlab::Database.postgresql?
+
+          path = connection.quote(path)
+
+          where =
+            if cast_lower
+              "(LOWER(routes.path) = LOWER(#{path}))"
+            else
+              "(routes.path = #{path})"
+            end
+
+          joins("INNER JOIN routes ON routes.source_id = projects.id AND routes.source_type = 'Project'").where(where)
+        end
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/contributions_calendar.rb b/lib/gitlab/contributions_calendar.rb
index 0735243e021..9576d5a3fd8 100644
--- a/lib/gitlab/contributions_calendar.rb
+++ b/lib/gitlab/contributions_calendar.rb
@@ -34,6 +34,8 @@ module Gitlab
     end
 
     def events_by_date(date)
+      return Event.none unless can_read_cross_project?
+
       events = Event.contributions.where(author_id: contributor.id)
         .where(created_at: date.beginning_of_day..date.end_of_day)
         .where(project_id: projects)
@@ -53,6 +55,10 @@ module Gitlab
 
     private
 
+    def can_read_cross_project?
+      Ability.allowed?(current_user, :read_cross_project)
+    end
+
     def event_counts(date_from, feature)
       t = Event.arel_table
 
diff --git a/lib/gitlab/cross_project_access.rb b/lib/gitlab/cross_project_access.rb
new file mode 100644
index 00000000000..6eaed51b64c
--- /dev/null
+++ b/lib/gitlab/cross_project_access.rb
@@ -0,0 +1,67 @@
+module Gitlab
+  class CrossProjectAccess
+    class << self
+      delegate :add_check, :find_check, :checks,
+               to: :instance
+    end
+
+    def self.instance
+      @instance ||= new
+    end
+
+    attr_reader :checks
+
+    def initialize
+      @checks = {}
+    end
+
+    def add_check(
+          klass,
+          actions: {},
+          positive_condition: nil,
+          negative_condition: nil,
+          skip: false)
+
+      new_check = CheckInfo.new(actions,
+                                positive_condition,
+                                negative_condition,
+                                skip
+                               )
+
+      @checks[klass] ||= Gitlab::CrossProjectAccess::CheckCollection.new
+      @checks[klass].add_check(new_check)
+      recalculate_checks_for_class(klass)
+
+      @checks[klass]
+    end
+
+    def find_check(object)
+      @cached_checks ||= Hash.new do |cache, new_class|
+        parent_classes = @checks.keys.select { |existing_class| new_class <= existing_class }
+        closest_class = closest_parent(parent_classes, new_class)
+        cache[new_class] = @checks[closest_class]
+      end
+
+      @cached_checks[object.class]
+    end
+
+    private
+
+    def recalculate_checks_for_class(klass)
+      new_collection = @checks[klass]
+
+      @checks.each do |existing_class, existing_check_collection|
+        if existing_class < klass
+          existing_check_collection.add_collection(new_collection)
+        elsif klass < existing_class
+          new_collection.add_collection(existing_check_collection)
+        end
+      end
+    end
+
+    def closest_parent(classes, subject)
+      relevant_ancestors = subject.ancestors & classes
+      relevant_ancestors.first
+    end
+  end
+end
diff --git a/lib/gitlab/cross_project_access/check_collection.rb b/lib/gitlab/cross_project_access/check_collection.rb
new file mode 100644
index 00000000000..88376232065
--- /dev/null
+++ b/lib/gitlab/cross_project_access/check_collection.rb
@@ -0,0 +1,47 @@
+module Gitlab
+  class CrossProjectAccess
+    class CheckCollection
+      attr_reader :checks
+
+      def initialize
+        @checks = []
+      end
+
+      def add_collection(collection)
+        @checks |= collection.checks
+      end
+
+      def add_check(check)
+        @checks << check
+      end
+
+      def should_run?(object)
+        skips, runs = arranged_checks
+
+        # If one rule tells us to skip, we skip the cross project check
+        return false if skips.any? { |check| check.should_skip?(object) }
+
+        # If the rule isn't skipped, we run it if any of the checks says we
+        # should run
+        runs.any? { |check| check.should_run?(object) }
+      end
+
+      def arranged_checks
+        return [@skips, @runs] if @skips && @runs
+
+        @skips = []
+        @runs = []
+
+        @checks.each do |check|
+          if check.skip
+            @skips << check
+          else
+            @runs << check
+          end
+        end
+
+        [@skips, @runs]
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/cross_project_access/check_info.rb b/lib/gitlab/cross_project_access/check_info.rb
new file mode 100644
index 00000000000..e8a845c7f1e
--- /dev/null
+++ b/lib/gitlab/cross_project_access/check_info.rb
@@ -0,0 +1,66 @@
+module Gitlab
+  class CrossProjectAccess
+    class CheckInfo
+      attr_accessor :actions, :positive_condition, :negative_condition, :skip
+
+      def initialize(actions, positive_condition, negative_condition, skip)
+        @actions = actions
+        @positive_condition = positive_condition
+        @negative_condition = negative_condition
+        @skip = skip
+      end
+
+      def should_skip?(object)
+        return !should_run?(object) unless @skip
+
+        skip_for_action = @actions[current_action(object)]
+        skip_for_action = false if @actions[current_action(object)].nil?
+
+        # We need to do the opposite of what was defined in the following cases:
+        # - skip_cross_project_access_check index: true, if: -> { false }
+        # - skip_cross_project_access_check index: true, unless: -> { true }
+        if positive_condition_is_false?(object)
+          skip_for_action = !skip_for_action
+        end
+
+        if negative_condition_is_true?(object)
+          skip_for_action = !skip_for_action
+        end
+
+        skip_for_action
+      end
+
+      def should_run?(object)
+        return !should_skip?(object) if @skip
+
+        run_for_action = @actions[current_action(object)]
+        run_for_action = true if @actions[current_action(object)].nil?
+
+        # We need to do the opposite of what was defined in the following cases:
+        # - requires_cross_project_access index: true, if: -> { false }
+        # - requires_cross_project_access index: true, unless: -> { true }
+        if positive_condition_is_false?(object)
+          run_for_action = !run_for_action
+        end
+
+        if negative_condition_is_true?(object)
+          run_for_action = !run_for_action
+        end
+
+        run_for_action
+      end
+
+      def positive_condition_is_false?(object)
+        @positive_condition && !object.instance_exec(&@positive_condition)
+      end
+
+      def negative_condition_is_true?(object)
+        @negative_condition && object.instance_exec(&@negative_condition)
+      end
+
+      def current_action(object)
+        object.respond_to?(:action_name) ? object.action_name.to_sym : nil
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/cross_project_access/class_methods.rb b/lib/gitlab/cross_project_access/class_methods.rb
new file mode 100644
index 00000000000..90eac94800c
--- /dev/null
+++ b/lib/gitlab/cross_project_access/class_methods.rb
@@ -0,0 +1,48 @@
+module Gitlab
+  class CrossProjectAccess
+    module ClassMethods
+      def requires_cross_project_access(*args)
+        positive_condition, negative_condition, actions = extract_params(args)
+
+        Gitlab::CrossProjectAccess.add_check(
+          self,
+          actions: actions,
+          positive_condition: positive_condition,
+          negative_condition: negative_condition
+        )
+      end
+
+      def skip_cross_project_access_check(*args)
+        positive_condition, negative_condition, actions = extract_params(args)
+
+        Gitlab::CrossProjectAccess.add_check(
+          self,
+          actions: actions,
+          positive_condition: positive_condition,
+          negative_condition: negative_condition,
+          skip: true
+        )
+      end
+
+      private
+
+      def extract_params(args)
+        actions = {}
+        positive_condition = nil
+        negative_condition = nil
+
+        args.each do |argument|
+          if argument.is_a?(Hash)
+            positive_condition = argument.delete(:if)
+            negative_condition = argument.delete(:unless)
+            actions.merge!(argument)
+          else
+            actions[argument] = true
+          end
+        end
+
+        [positive_condition, negative_condition, actions]
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/diff/highlight.rb b/lib/gitlab/diff/highlight.rb
index 0f897e6316c..269016daac2 100644
--- a/lib/gitlab/diff/highlight.rb
+++ b/lib/gitlab/diff/highlight.rb
@@ -27,7 +27,17 @@ module Gitlab
           rich_line = highlight_line(diff_line) || diff_line.text
 
           if line_inline_diffs = inline_diffs[i]
-            rich_line = InlineDiffMarker.new(diff_line.text, rich_line).mark(line_inline_diffs)
+            begin
+              rich_line = InlineDiffMarker.new(diff_line.text, rich_line).mark(line_inline_diffs)
+            # This should only happen when the encoding of the diff doesn't
+            # match the blob, which is a bug. But we shouldn't fail to render
+            # completely in that case, even though we want to report the error.
+            rescue RangeError => e
+              if Gitlab::Sentry.enabled?
+                Gitlab::Sentry.context
+                Raven.capture_exception(e)
+              end
+            end
           end
 
           diff_line.text = rich_line
diff --git a/lib/gitlab/git/repository.rb b/lib/gitlab/git/repository.rb
index a10bc0dd32b..e3cbf017e55 100644
--- a/lib/gitlab/git/repository.rb
+++ b/lib/gitlab/git/repository.rb
@@ -1234,7 +1234,13 @@ module Gitlab
       end
 
       def squash_in_progress?(squash_id)
-        fresh_worktree?(worktree_path(SQUASH_WORKTREE_PREFIX, squash_id))
+        gitaly_migrate(:squash_in_progress) do |is_enabled|
+          if is_enabled
+            gitaly_repository_client.squash_in_progress?(squash_id)
+          else
+            fresh_worktree?(worktree_path(SQUASH_WORKTREE_PREFIX, squash_id))
+          end
+        end
       end
 
       def push_remote_branches(remote_name, branch_names, forced: true)
@@ -1349,7 +1355,7 @@ module Gitlab
           if is_enabled
             gitaly_ref_client.branch_names_contains_sha(sha)
           else
-            refs_contains_sha(:branch, sha)
+            refs_contains_sha('refs/heads/', sha)
           end
         end
       end
@@ -1359,7 +1365,7 @@ module Gitlab
           if is_enabled
             gitaly_ref_client.tag_names_contains_sha(sha)
           else
-            refs_contains_sha(:tag, sha)
+            refs_contains_sha('refs/tags/', sha)
           end
         end
       end
@@ -1458,19 +1464,25 @@ module Gitlab
         end
       end
 
-      def refs_contains_sha(ref_type, sha)
-        args = %W(#{ref_type} --contains #{sha})
-        names = run_git(args).first
+      def refs_contains_sha(refs_prefix, sha)
+        refs_prefix << "/" unless refs_prefix.ends_with?('/')
+
+        # By forcing the output to %(refname) each line wiht a ref will start with
+        # the ref prefix. All other lines can be discarded.
+        args = %W(for-each-ref --contains=#{sha} --format=%(refname) #{refs_prefix})
+        names, code = run_git(args)
 
-        return [] unless names.respond_to?(:split)
+        return [] unless code.zero?
 
-        names = names.split("\n").map(&:strip)
+        refs = []
+        left_slice_count = refs_prefix.length
+        names.lines.each do |line|
+          next unless line.start_with?(refs_prefix)
 
-        names.each do |name|
-          name.slice! '* '
+          refs << line.rstrip[left_slice_count..-1]
         end
 
-        names
+        refs
       end
 
       def rugged_write_config(full_path:)
@@ -2188,7 +2200,7 @@ module Gitlab
         )
         diff_range = "#{start_sha}...#{end_sha}"
         diff_files = run_git!(
-          %W(diff --name-only --diff-filter=a --binary #{diff_range})
+          %W(diff --name-only --diff-filter=ar --binary #{diff_range})
         ).chomp
 
         with_worktree(squash_path, branch, sparse_checkout_files: diff_files, env: env) do
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 9ec3858b493..bbdb593d4e2 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -198,7 +198,7 @@ module Gitlab
     end
 
     def check_repository_existence!
-      unless project.repository.exists?
+      unless repository.exists?
         raise UnauthorizedError, ERROR_MESSAGES[:no_repo]
       end
     end
@@ -327,5 +327,9 @@ module Gitlab
     def push_to_read_only_message
       ERROR_MESSAGES[:cannot_push_to_read_only]
     end
+
+    def repository
+      project.repository
+    end
   end
 end
diff --git a/lib/gitlab/git_access_wiki.rb b/lib/gitlab/git_access_wiki.rb
index 84d6e1490c3..a5b3902ebf4 100644
--- a/lib/gitlab/git_access_wiki.rb
+++ b/lib/gitlab/git_access_wiki.rb
@@ -28,5 +28,11 @@ module Gitlab
     def push_to_read_only_message
       ERROR_MESSAGES[:read_only]
     end
+
+    private
+
+    def repository
+      project.wiki.repository
+    end
   end
 end
diff --git a/lib/gitlab/gitaly_client/repository_service.rb b/lib/gitlab/gitaly_client/repository_service.rb
index 60706b4f0d8..603457d0664 100644
--- a/lib/gitlab/gitaly_client/repository_service.rb
+++ b/lib/gitlab/gitaly_client/repository_service.rb
@@ -134,6 +134,23 @@ module Gitlab
         response.in_progress
       end
 
+      def squash_in_progress?(squash_id)
+        request = Gitaly::IsSquashInProgressRequest.new(
+          repository: @gitaly_repo,
+          squash_id: squash_id.to_s
+        )
+
+        response = GitalyClient.call(
+          @storage,
+          :repository_service,
+          :is_squash_in_progress,
+          request,
+          timeout: GitalyClient.default_timeout
+        )
+
+        response.in_progress
+      end
+
       def fetch_source_branch(source_repository, source_branch, local_ref)
         request = Gitaly::FetchSourceBranchRequest.new(
           repository: @gitaly_repo,
diff --git a/lib/gitlab/middleware/go.rb b/lib/gitlab/middleware/go.rb
index 1a570f480c6..1fd8f147b44 100644
--- a/lib/gitlab/middleware/go.rb
+++ b/lib/gitlab/middleware/go.rb
@@ -114,7 +114,15 @@ module Gitlab
       end
 
       def current_user(request)
-        request.env['warden']&.authenticate
+        authenticator = Gitlab::Auth::RequestAuthenticator.new(request)
+        user = authenticator.find_user_from_access_token || authenticator.find_user_from_warden
+
+        return unless user&.can?(:access_api)
+
+        # Right now, the `api` scope is the only one that should be able to determine private project existence.
+        return unless authenticator.valid_access_token?(scopes: [:api])
+
+        user
       end
     end
   end
diff --git a/lib/gitlab/prometheus/metric_group.rb b/lib/gitlab/prometheus/metric_group.rb
index 729fef34b35..e91c6fb2e27 100644
--- a/lib/gitlab/prometheus/metric_group.rb
+++ b/lib/gitlab/prometheus/metric_group.rb
@@ -6,9 +6,14 @@ module Gitlab
       attr_accessor :name, :priority, :metrics
       validates :name, :priority, :metrics, presence: true
 
-      def self.all
+      def self.common_metrics
         AdditionalMetricsParser.load_groups_from_yaml
       end
+
+      # EE only
+      def self.for_project(_)
+        common_metrics
+      end
     end
   end
 end
diff --git a/lib/gitlab/prometheus/queries/additional_metrics_deployment_query.rb b/lib/gitlab/prometheus/queries/additional_metrics_deployment_query.rb
index 294a6ae34ca..972ab75d1d5 100644
--- a/lib/gitlab/prometheus/queries/additional_metrics_deployment_query.rb
+++ b/lib/gitlab/prometheus/queries/additional_metrics_deployment_query.rb
@@ -7,6 +7,7 @@ module Gitlab
         def query(environment_id, deployment_id)
           Deployment.find_by(id: deployment_id).try do |deployment|
             query_metrics(
+              deployment.project,
               common_query_context(
                 deployment.environment,
                 timeframe_start: (deployment.created_at - 30.minutes).to_f,
diff --git a/lib/gitlab/prometheus/queries/additional_metrics_environment_query.rb b/lib/gitlab/prometheus/queries/additional_metrics_environment_query.rb
index 32fe8201a8d..9273e69e158 100644
--- a/lib/gitlab/prometheus/queries/additional_metrics_environment_query.rb
+++ b/lib/gitlab/prometheus/queries/additional_metrics_environment_query.rb
@@ -7,6 +7,7 @@ module Gitlab
         def query(environment_id)
           ::Environment.find_by(id: environment_id).try do |environment|
             query_metrics(
+              environment.project,
               common_query_context(environment, timeframe_start: 8.hours.ago.to_f, timeframe_end: Time.now.to_f)
             )
           end
diff --git a/lib/gitlab/prometheus/queries/matched_metrics_query.rb b/lib/gitlab/prometheus/queries/matched_metrics_query.rb
index 4c3edccc71a..5710ad47c1a 100644
--- a/lib/gitlab/prometheus/queries/matched_metrics_query.rb
+++ b/lib/gitlab/prometheus/queries/matched_metrics_query.rb
@@ -18,7 +18,7 @@ module Gitlab
         private
 
         def groups_data
-          metrics_groups = groups_with_active_metrics(Gitlab::Prometheus::MetricGroup.all)
+          metrics_groups = groups_with_active_metrics(Gitlab::Prometheus::MetricGroup.common_metrics)
           lookup = active_series_lookup(metrics_groups)
 
           groups = {}
diff --git a/lib/gitlab/prometheus/queries/query_additional_metrics.rb b/lib/gitlab/prometheus/queries/query_additional_metrics.rb
index 5cddc96a643..0c280dc9a3c 100644
--- a/lib/gitlab/prometheus/queries/query_additional_metrics.rb
+++ b/lib/gitlab/prometheus/queries/query_additional_metrics.rb
@@ -2,10 +2,10 @@ module Gitlab
   module Prometheus
     module Queries
       module QueryAdditionalMetrics
-        def query_metrics(query_context)
+        def query_metrics(project, query_context)
           query_processor = method(:process_query).curry[query_context]
 
-          groups = matched_metrics.map do |group|
+          groups = matched_metrics(project).map do |group|
             metrics = group.metrics.map do |metric|
               {
                 title: metric.title,
@@ -60,8 +60,8 @@ module Gitlab
           @available_metrics ||= client_label_values || []
         end
 
-        def matched_metrics
-          result = Gitlab::Prometheus::MetricGroup.all.map do |group|
+        def matched_metrics(project)
+          result = Gitlab::Prometheus::MetricGroup.for_project(project).map do |group|
             group.metrics.select! do |metric|
               metric.required_metrics.all?(&available_metrics.method(:include?))
             end
diff --git a/lib/gitlab/prometheus_client.rb b/lib/gitlab/prometheus_client.rb
index 10527972663..659021c9ac9 100644
--- a/lib/gitlab/prometheus_client.rb
+++ b/lib/gitlab/prometheus_client.rb
@@ -1,8 +1,9 @@
 module Gitlab
-  PrometheusError = Class.new(StandardError)
-
   # Helper methods to interact with Prometheus network services & resources
   class PrometheusClient
+    Error = Class.new(StandardError)
+    QueryError = Class.new(Gitlab::PrometheusClient::Error)
+
     attr_reader :rest_client, :headers
 
     def initialize(rest_client)
@@ -22,10 +23,10 @@ module Gitlab
     def query_range(query, start: 8.hours.ago, stop: Time.now)
       get_result('matrix') do
         json_api_get('query_range',
-          query: query,
-          start: start.to_f,
-          end: stop.to_f,
-          step: 1.minute.to_i)
+                     query: query,
+                     start: start.to_f,
+                     end: stop.to_f,
+                     step: 1.minute.to_i)
       end
     end
 
@@ -43,22 +44,22 @@ module Gitlab
       path = ['api', 'v1', type].join('/')
       get(path, args)
     rescue JSON::ParserError
-      raise PrometheusError, 'Parsing response failed'
+      raise PrometheusClient::Error, 'Parsing response failed'
     rescue Errno::ECONNREFUSED
-      raise PrometheusError, 'Connection refused'
+      raise PrometheusClient::Error, 'Connection refused'
     end
 
     def get(path, args)
       response = rest_client[path].get(params: args)
       handle_response(response)
     rescue SocketError
-      raise PrometheusError, "Can't connect to #{rest_client.url}"
+      raise PrometheusClient::Error, "Can't connect to #{rest_client.url}"
     rescue OpenSSL::SSL::SSLError
-      raise PrometheusError, "#{rest_client.url} contains invalid SSL data"
+      raise PrometheusClient::Error, "#{rest_client.url} contains invalid SSL data"
     rescue RestClient::ExceptionWithResponse => ex
       handle_exception_response(ex.response)
     rescue RestClient::Exception
-      raise PrometheusError, "Network connection error"
+      raise PrometheusClient::Error, "Network connection error"
     end
 
     def handle_response(response)
@@ -66,16 +67,18 @@ module Gitlab
       if response.code == 200 && json_data['status'] == 'success'
         json_data['data'] || {}
       else
-        raise PrometheusError, "#{response.code} - #{response.body}"
+        raise PrometheusClient::Error, "#{response.code} - #{response.body}"
       end
     end
 
     def handle_exception_response(response)
-      if response.code == 400
+      if response.code == 200 && response['status'] == 'success'
+        response['data'] || {}
+      elsif response.code == 400
         json_data = JSON.parse(response.body)
-        raise PrometheusError, json_data['error'] || 'Bad data received'
+        raise PrometheusClient::QueryError, json_data['error'] || 'Bad data received'
       else
-        raise PrometheusError, "#{response.code} - #{response.body}"
+        raise PrometheusClient::Error, "#{response.code} - #{response.body}"
       end
     end
 
diff --git a/lib/gitlab/quick_actions/command_definition.rb b/lib/gitlab/quick_actions/command_definition.rb
index 3937d9c153a..96415271316 100644
--- a/lib/gitlab/quick_actions/command_definition.rb
+++ b/lib/gitlab/quick_actions/command_definition.rb
@@ -24,15 +24,14 @@ module Gitlab
         action_block.nil?
       end
 
-      def available?(opts)
+      def available?(context)
         return true unless condition_block
 
-        context = OpenStruct.new(opts)
         context.instance_exec(&condition_block)
       end
 
-      def explain(context, opts, arg)
-        return unless available?(opts)
+      def explain(context, arg)
+        return unless available?(context)
 
         if explanation.respond_to?(:call)
           execute_block(explanation, context, arg)
@@ -41,15 +40,13 @@ module Gitlab
         end
       end
 
-      def execute(context, opts, arg)
-        return if noop? || !available?(opts)
+      def execute(context, arg)
+        return if noop? || !available?(context)
 
         execute_block(action_block, context, arg)
       end
 
-      def to_h(opts)
-        context = OpenStruct.new(opts)
-
+      def to_h(context)
         desc = description
         if desc.respond_to?(:call)
           desc = context.instance_exec(&desc) rescue ''
diff --git a/lib/gitlab/quick_actions/dsl.rb b/lib/gitlab/quick_actions/dsl.rb
index 536765305e1..d82dccd0db5 100644
--- a/lib/gitlab/quick_actions/dsl.rb
+++ b/lib/gitlab/quick_actions/dsl.rb
@@ -62,9 +62,8 @@ module Gitlab
 
         # Allows to define conditions that must be met in order for the command
         # to be returned by `.command_names` & `.command_definitions`.
-        # It accepts a block that will be evaluated with the context given to
-        # `CommandDefintion#to_h`.
-        #
+        # It accepts a block that will be evaluated with the context
+        # of a QuickActions::InterpretService instance
         # Example:
         #
         #   condition do
diff --git a/lib/gitlab/quick_actions/extractor.rb b/lib/gitlab/quick_actions/extractor.rb
index c0878a34fb1..075ff91700c 100644
--- a/lib/gitlab/quick_actions/extractor.rb
+++ b/lib/gitlab/quick_actions/extractor.rb
@@ -29,7 +29,7 @@ module Gitlab
       # commands = extractor.extract_commands(msg) #=> [['labels', '~foo ~"bar baz"']]
       # msg #=> "hello\nworld"
       # ```
-      def extract_commands(content, opts = {})
+      def extract_commands(content)
         return [content, []] unless content
 
         content = content.dup
@@ -37,7 +37,7 @@ module Gitlab
         commands = []
 
         content.delete!("\r")
-        content.gsub!(commands_regex(opts)) do
+        content.gsub!(commands_regex) do
           if $~[:cmd]
             commands << [$~[:cmd], $~[:arg]].reject(&:blank?)
             ''
@@ -60,8 +60,8 @@ module Gitlab
       # It looks something like:
       #
       #   /^\/(?<cmd>close|reopen|...)(?:( |$))(?<arg>[^\/\n]*)(?:\n|$)/
-      def commands_regex(opts)
-        names = command_names(opts).map(&:to_s)
+      def commands_regex
+        names = command_names.map(&:to_s)
 
         @commands_regex ||= %r{
             (?<code>
@@ -133,7 +133,7 @@ module Gitlab
         [content, commands]
       end
 
-      def command_names(opts)
+      def command_names
         command_definitions.flat_map do |command|
           next if command.noop?
 
diff --git a/lib/gitlab/sql/pattern.rb b/lib/gitlab/sql/pattern.rb
index 5f0c98cb5a4..53744bad1f4 100644
--- a/lib/gitlab/sql/pattern.rb
+++ b/lib/gitlab/sql/pattern.rb
@@ -25,7 +25,11 @@ module Gitlab
           query.length >= MIN_CHARS_FOR_PARTIAL_MATCHING
         end
 
-        def fuzzy_arel_match(column, query)
+        # column - The column name to search in.
+        # query - The text to search for.
+        # lower_exact_match - When set to `true` we'll fall back to using
+        #                     `LOWER(column) = query` instead of using `ILIKE`.
+        def fuzzy_arel_match(column, query, lower_exact_match: false)
           query = query.squish
           return nil unless query.present?
 
@@ -36,7 +40,13 @@ module Gitlab
           else
             # No words of at least 3 chars, but we can search for an exact
             # case insensitive match with the query as a whole
-            arel_table[column].matches(sanitize_sql_like(query))
+            if lower_exact_match
+              Arel::Nodes::NamedFunction
+                .new('LOWER', [arel_table[column]])
+                .eq(query)
+            else
+              arel_table[column].matches(sanitize_sql_like(query))
+            end
           end
         end
 
diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb
index 15eb1c41213..ff4dc29efea 100644
--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -65,7 +65,7 @@ module Gitlab
       return false unless can_access_git?
 
       if protected?(ProtectedBranch, project, ref)
-        return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)
+        return true if project.user_can_push_to_empty_repo?(user)
 
         protected_branch_accessible_to?(ref, action: :push)
       else
diff --git a/lib/google_api/cloud_platform/client.rb b/lib/google_api/cloud_platform/client.rb
index ff638c07755..f30dd995695 100644
--- a/lib/google_api/cloud_platform/client.rb
+++ b/lib/google_api/cloud_platform/client.rb
@@ -76,9 +76,13 @@ module GoogleApi
               "initial_node_count": cluster_size,
               "node_config": {
                 "machine_type": machine_type
+              },
+              "legacy_abac": {
+                "enabled": true
               }
             }
-          } )
+          }
+        )
 
         service.create_cluster(project_id, zone, request_body, options: user_agent_header)
       end
diff --git a/lib/tasks/migrate/setup_postgresql.rake b/lib/tasks/migrate/setup_postgresql.rake
index 31cbd651edb..1c7a8a90f5c 100644
--- a/lib/tasks/migrate/setup_postgresql.rake
+++ b/lib/tasks/migrate/setup_postgresql.rake
@@ -8,6 +8,7 @@ task setup_postgresql: :environment do
   require Rails.root.join('db/migrate/20170503185032_index_redirect_routes_path_for_like')
   require Rails.root.join('db/migrate/20171220191323_add_index_on_namespaces_lower_name.rb')
   require Rails.root.join('db/migrate/20180113220114_rework_redirect_routes_indexes.rb')
+  require Rails.root.join('db/migrate/20180215181245_users_name_lower_index.rb')
 
   NamespacesProjectsPathLowerIndexes.new.up
   AddUsersLowerUsernameEmailIndexes.new.up
@@ -17,4 +18,5 @@ task setup_postgresql: :environment do
   IndexRedirectRoutesPathForLike.new.up
   AddIndexOnNamespacesLowerName.new.up
   ReworkRedirectRoutesIndexes.new.up
+  UsersNameLowerIndex.new.up
 end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index fadc17a659d..889a03e7859 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -8,8 +8,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gitlab 1.0.0\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2018-02-07 11:38-0600\n"
-"PO-Revision-Date: 2018-02-07 11:38-0600\n"
+"POT-Creation-Date: 2018-02-20 10:26+0100\n"
+"PO-Revision-Date: 2018-02-20 10:26+0100\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "Language: \n"
@@ -150,6 +150,39 @@ msgstr ""
 msgid "AdminHealthPageLink|health page"
 msgstr ""
 
+msgid "AdminProjects|Delete"
+msgstr ""
+
+msgid "AdminProjects|Delete Project %{projectName}?"
+msgstr ""
+
+msgid "AdminProjects|Delete project"
+msgstr ""
+
+msgid "AdminSettings|Specify a domain to use by default for every project's Auto Review Apps and Auto Deploy stages."
+msgstr ""
+
+msgid "AdminUsers|Block user"
+msgstr ""
+
+msgid "AdminUsers|Delete User %{username} and contributions?"
+msgstr ""
+
+msgid "AdminUsers|Delete User %{username}?"
+msgstr ""
+
+msgid "AdminUsers|Delete user"
+msgstr ""
+
+msgid "AdminUsers|Delete user and contributions"
+msgstr ""
+
+msgid "AdminUsers|To confirm, type %{projectName}"
+msgstr ""
+
+msgid "AdminUsers|To confirm, type %{username}"
+msgstr ""
+
 msgid "Advanced settings"
 msgstr ""
 
@@ -177,9 +210,21 @@ msgstr ""
 msgid "An error occurred while getting projects"
 msgstr ""
 
+msgid "An error occurred while importing project"
+msgstr ""
+
+msgid "An error occurred while loading commits"
+msgstr ""
+
+msgid "An error occurred while loading diff"
+msgstr ""
+
 msgid "An error occurred while loading filenames"
 msgstr ""
 
+msgid "An error occurred while loading the file"
+msgstr ""
+
 msgid "An error occurred while rendering KaTeX"
 msgstr ""
 
@@ -192,6 +237,9 @@ msgstr ""
 msgid "An error occurred while retrieving diff"
 msgstr ""
 
+msgid "An error occurred while saving assignees"
+msgstr ""
+
 msgid "An error occurred while validating username"
 msgstr ""
 
@@ -1018,6 +1066,9 @@ msgstr ""
 msgid "Create a personal access token on your account to pull or push via %{protocol}."
 msgstr ""
 
+msgid "Create branch"
+msgstr ""
+
 msgid "Create directory"
 msgstr ""
 
@@ -1033,6 +1084,9 @@ msgstr ""
 msgid "Create merge request"
 msgstr ""
 
+msgid "Create merge request and branch"
+msgstr ""
+
 msgid "Create new branch"
 msgstr ""
 
@@ -1290,9 +1344,15 @@ msgstr ""
 msgid "Failed to change the owner"
 msgstr ""
 
+msgid "Failed to remove issue from board, please try again."
+msgstr ""
+
 msgid "Failed to remove the pipeline schedule"
 msgstr ""
 
+msgid "Failed to update issues, please try again."
+msgstr ""
+
 msgid "Feb"
 msgstr ""
 
@@ -1985,6 +2045,24 @@ msgstr ""
 msgid "Pipelines|Get started with Pipelines"
 msgstr ""
 
+msgid "Pipeline|Retry pipeline"
+msgstr ""
+
+msgid "Pipeline|Retry pipeline #%{id}?"
+msgstr ""
+
+msgid "Pipeline|Stop pipeline"
+msgstr ""
+
+msgid "Pipeline|Stop pipeline #%{id}?"
+msgstr ""
+
+msgid "Pipeline|You’re about to retry pipeline %{id}."
+msgstr ""
+
+msgid "Pipeline|You’re about to stop pipeline %{id}."
+msgstr ""
+
 msgid "Pipeline|all"
 msgstr ""
 
@@ -2144,12 +2222,30 @@ msgstr ""
 msgid "ProjectsDropdown|This feature requires browser localStorage support"
 msgstr ""
 
+msgid "PrometheusService|Active"
+msgstr ""
+
+msgid "PrometheusService|Auto configuration"
+msgstr ""
+
+msgid "PrometheusService|Automatically deploy and configure Prometheus on your clusters to monitor your project’s environments"
+msgstr ""
+
 msgid "PrometheusService|By default, Prometheus listens on ‘http://localhost:9090’. It’s not recommended to change the default address and port as this might affect or conflict with other services running on the GitLab server."
 msgstr ""
 
 msgid "PrometheusService|Finding and configuring metrics..."
 msgstr ""
 
+msgid "PrometheusService|Install Prometheus on clusters"
+msgstr ""
+
+msgid "PrometheusService|Manage clusters"
+msgstr ""
+
+msgid "PrometheusService|Manual configuration"
+msgstr ""
+
 msgid "PrometheusService|Metrics"
 msgstr ""
 
@@ -2171,9 +2267,18 @@ msgstr ""
 msgid "PrometheusService|Prometheus API Base URL, like http://prometheus.example.com/"
 msgstr ""
 
+msgid "PrometheusService|Prometheus is being automatically managed on your clusters"
+msgstr ""
+
 msgid "PrometheusService|Time-series monitoring service"
 msgstr ""
 
+msgid "PrometheusService|To enable manual configuration, uninstall Prometheus from your clusters"
+msgstr ""
+
+msgid "PrometheusService|To enable the installation of Prometheus on your clusters, deactivate the manual configuration below"
+msgstr ""
+
 msgid "PrometheusService|View environments"
 msgstr ""
 
@@ -2376,12 +2481,18 @@ msgstr ""
 msgid "Something went wrong when toggling the button"
 msgstr ""
 
+msgid "Something went wrong while closing the issue. Please try again later"
+msgstr ""
+
 msgid "Something went wrong while fetching the projects."
 msgstr ""
 
 msgid "Something went wrong while fetching the registry list."
 msgstr ""
 
+msgid "Something went wrong while reopening the issue. Please try again later"
+msgstr ""
+
 msgid "Something went wrong. Please try again."
 msgstr ""
 
@@ -2478,6 +2589,9 @@ msgstr ""
 msgid "Source"
 msgstr ""
 
+msgid "Source (branch or tag)"
+msgstr ""
+
 msgid "Source code"
 msgstr ""
 
@@ -2738,6 +2852,9 @@ msgstr ""
 msgid "This merge request is locked."
 msgstr ""
 
+msgid "This page is unavailable because you are not allowed to read information across multiple projects."
+msgstr ""
+
 msgid "This project"
 msgstr ""
 
@@ -2934,9 +3051,6 @@ msgstr ""
 msgid "Trigger this manual action"
 msgstr ""
 
-msgid "Type %{value} to confirm:"
-msgstr ""
-
 msgid "Unable to reset project cache."
 msgstr ""
 
@@ -3229,6 +3343,9 @@ msgid_plural "merge requests"
 msgstr[0] ""
 msgstr[1] ""
 
+msgid "mrWidget| Please restore it or use a different %{missingBranchName} branch"
+msgstr ""
+
 msgid "mrWidget|Cancel automatic merge"
 msgstr ""
 
@@ -3262,6 +3379,9 @@ msgstr ""
 msgid "mrWidget|If the %{branch} branch exists in your local repository, you can merge this merge request manually using the"
 msgstr ""
 
+msgid "mrWidget|If the %{missingBranchName} branch exists in your local repository, you can merge this merge request manually using the command line"
+msgstr ""
+
 msgid "mrWidget|Mentions"
 msgstr ""
 
@@ -3349,6 +3469,9 @@ msgstr ""
 msgid "mrWidget|You can remove source branch now"
 msgstr ""
 
+msgid "mrWidget|branch does not exist."
+msgstr ""
+
 msgid "mrWidget|command line"
 msgstr ""
 
diff --git a/spec/controllers/autocomplete_controller_spec.rb b/spec/controllers/autocomplete_controller_spec.rb
index 73fff6eb5ca..b7257fac608 100644
--- a/spec/controllers/autocomplete_controller_spec.rb
+++ b/spec/controllers/autocomplete_controller_spec.rb
@@ -109,15 +109,17 @@ describe AutocompleteController do
     end
 
     context 'limited users per page' do
-      let(:per_page) { 2 }
-
       before do
+        25.times do
+          create(:user)
+        end
+
         sign_in(user)
-        get(:users, per_page: per_page)
+        get(:users)
       end
 
       it { expect(json_response).to be_kind_of(Array) }
-      it { expect(json_response.size).to eq(per_page) }
+      it { expect(json_response.size).to eq(20) }
     end
 
     context 'unauthenticated user' do
diff --git a/spec/controllers/boards/issues_controller_spec.rb b/spec/controllers/boards/issues_controller_spec.rb
index 79bbc29e80d..4770e187db6 100644
--- a/spec/controllers/boards/issues_controller_spec.rb
+++ b/spec/controllers/boards/issues_controller_spec.rb
@@ -86,6 +86,7 @@ describe Boards::IssuesController do
 
     context 'with unauthorized user' do
       before do
+        allow(Ability).to receive(:allowed?).and_call_original
         allow(Ability).to receive(:allowed?).with(user, :read_project, project).and_return(true)
         allow(Ability).to receive(:allowed?).with(user, :read_issue, project).and_return(false)
       end
diff --git a/spec/controllers/concerns/controller_with_cross_project_access_check_spec.rb b/spec/controllers/concerns/controller_with_cross_project_access_check_spec.rb
new file mode 100644
index 00000000000..27f558e1b5d
--- /dev/null
+++ b/spec/controllers/concerns/controller_with_cross_project_access_check_spec.rb
@@ -0,0 +1,146 @@
+require 'spec_helper'
+
+describe ControllerWithCrossProjectAccessCheck do
+  let(:user) { create(:user) }
+
+  before do
+    sign_in user
+  end
+
+  render_views
+
+  context 'When reading cross project is not allowed' do
+    before do
+      allow(Ability).to receive(:allowed).and_call_original
+      allow(Ability).to receive(:allowed?)
+                          .with(user, :read_cross_project, :global)
+                          .and_return(false)
+    end
+
+    describe '#requires_cross_project_access' do
+      controller(ApplicationController) do
+        # `described_class` is not available in this context
+        include ControllerWithCrossProjectAccessCheck # rubocop:disable RSpec/DescribedClass
+
+        requires_cross_project_access :index, show: false,
+                                              unless: -> { unless_condition },
+                                              if: -> { if_condition }
+
+        def index
+          render nothing: true
+        end
+
+        def show
+          render nothing: true
+        end
+
+        def unless_condition
+          false
+        end
+
+        def if_condition
+          true
+        end
+      end
+
+      it 'renders a 404 with trying to access a cross project page' do
+        message = "This page is unavailable because you are not allowed to read "\
+                  "information across multiple projects."
+
+        get :index
+
+        expect(response).to have_gitlab_http_status(404)
+        expect(response.body).to match(/#{message}/)
+      end
+
+      it 'is skipped when the `if` condition returns false' do
+        expect(controller).to receive(:if_condition).and_return(false)
+
+        get :index
+
+        expect(response).to have_gitlab_http_status(200)
+      end
+
+      it 'is skipped when the `unless` condition returns true' do
+        expect(controller).to receive(:unless_condition).and_return(true)
+
+        get :index
+
+        expect(response).to have_gitlab_http_status(200)
+      end
+
+      it 'correctly renders an action that does not require cross project access' do
+        get :show, id: 'nothing'
+
+        expect(response).to have_gitlab_http_status(200)
+      end
+    end
+
+    describe '#skip_cross_project_access_check' do
+      controller(ApplicationController) do
+        # `described_class` is not available in this context
+        include ControllerWithCrossProjectAccessCheck # rubocop:disable RSpec/DescribedClass
+
+        requires_cross_project_access
+
+        skip_cross_project_access_check index: true, show: false,
+                                        unless: -> { unless_condition },
+                                        if: -> { if_condition }
+
+        def index
+          render nothing: true
+        end
+
+        def show
+          render nothing: true
+        end
+
+        def edit
+          render nothing: true
+        end
+
+        def unless_condition
+          false
+        end
+
+        def if_condition
+          true
+        end
+      end
+
+      it 'renders a success when the check is skipped' do
+        get :index
+
+        expect(response).to have_gitlab_http_status(200)
+      end
+
+      it 'is executed when the `if` condition returns false' do
+        expect(controller).to receive(:if_condition).and_return(false)
+
+        get :index
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+
+      it 'is executed when the `unless` condition returns true' do
+        expect(controller).to receive(:unless_condition).and_return(true)
+
+        get :index
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+
+      it 'does not skip the check on an action that is not skipped' do
+        get :show, id: 'hello'
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+
+      it 'does not skip the check on an action that was not defined to skip' do
+        get :edit, id: 'hello'
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+  end
+end
diff --git a/spec/controllers/projects/clusters/gcp_controller_spec.rb b/spec/controllers/projects/clusters/gcp_controller_spec.rb
index 775f9db1c6e..e14ba29fa70 100644
--- a/spec/controllers/projects/clusters/gcp_controller_spec.rb
+++ b/spec/controllers/projects/clusters/gcp_controller_spec.rb
@@ -161,7 +161,7 @@ describe Projects::Clusters::GcpController do
           it 'renders the cluster form with an error' do
             go
 
-            expect(response).to set_flash[:alert]
+            expect(response).to set_flash.now[:alert]
             expect(response).to render_template('new')
           end
         end
diff --git a/spec/controllers/projects/merge_requests/creations_controller_spec.rb b/spec/controllers/projects/merge_requests/creations_controller_spec.rb
index 92db7284e0e..24310b847e8 100644
--- a/spec/controllers/projects/merge_requests/creations_controller_spec.rb
+++ b/spec/controllers/projects/merge_requests/creations_controller_spec.rb
@@ -17,7 +17,7 @@ describe Projects::MergeRequests::CreationsController do
 
   before do
     fork_project.add_master(user)
-
+    Projects::ForkService.new(project, user).execute(fork_project)
     sign_in(user)
   end
 
@@ -125,4 +125,66 @@ describe Projects::MergeRequests::CreationsController do
       end
     end
   end
+
+  describe 'GET #branch_to' do
+    before do
+      allow(Ability).to receive(:allowed?).and_call_original
+    end
+
+    it 'fetches the commit if a user has access' do
+      expect(Ability).to receive(:allowed?).with(user, :read_project, project) { true }
+
+      get :branch_to,
+          namespace_id: fork_project.namespace,
+          project_id: fork_project,
+          target_project_id: project.id,
+          ref: 'master'
+
+      expect(assigns(:commit)).not_to be_nil
+      expect(response).to have_gitlab_http_status(200)
+    end
+
+    it 'does not load the commit when the user cannot read the project' do
+      expect(Ability).to receive(:allowed?).with(user, :read_project, project) { false }
+
+      get :branch_to,
+          namespace_id: fork_project.namespace,
+          project_id: fork_project,
+          target_project_id: project.id,
+          ref: 'master'
+
+      expect(assigns(:commit)).to be_nil
+      expect(response).to have_gitlab_http_status(200)
+    end
+  end
+
+  describe 'GET #update_branches' do
+    before do
+      allow(Ability).to receive(:allowed?).and_call_original
+    end
+
+    it 'lists the branches of another fork if the user has access' do
+      expect(Ability).to receive(:allowed?).with(user, :read_project, project) { true }
+
+      get :update_branches,
+          namespace_id: fork_project.namespace,
+          project_id: fork_project,
+          target_project_id: project.id
+
+      expect(assigns(:target_branches)).not_to be_empty
+      expect(response).to have_gitlab_http_status(200)
+    end
+
+    it 'does not list branches when the user cannot read the project' do
+      expect(Ability).to receive(:allowed?).with(user, :read_project, project) { false }
+
+      get :update_branches,
+          namespace_id: fork_project.namespace,
+          project_id: fork_project,
+          target_project_id: project.id
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(assigns(:target_branches)).to eq([])
+    end
+  end
 end
diff --git a/spec/controllers/projects/pages_domains_controller_spec.rb b/spec/controllers/projects/pages_domains_controller_spec.rb
index e9e7d357d9c..2192fd5cae2 100644
--- a/spec/controllers/projects/pages_domains_controller_spec.rb
+++ b/spec/controllers/projects/pages_domains_controller_spec.rb
@@ -46,7 +46,46 @@ describe Projects::PagesDomainsController do
         post(:create, request_params.merge(pages_domain: pages_domain_params))
       end.to change { PagesDomain.count }.by(1)
 
-      expect(response).to redirect_to(project_pages_path(project))
+      created_domain = PagesDomain.reorder(:id).last
+
+      expect(created_domain).to be_present
+      expect(response).to redirect_to(project_pages_domain_path(project, created_domain))
+    end
+  end
+
+  describe 'POST verify' do
+    let(:params) { request_params.merge(id: pages_domain.domain) }
+
+    def stub_service
+      service = double(:service)
+
+      expect(VerifyPagesDomainService).to receive(:new) { service }
+
+      service
+    end
+
+    it 'handles verification success' do
+      expect(stub_service).to receive(:execute).and_return(status: :success)
+
+      post :verify, params
+
+      expect(response).to redirect_to project_pages_domain_path(project, pages_domain)
+      expect(flash[:notice]).to eq('Successfully verified domain ownership')
+    end
+
+    it 'handles verification failure' do
+      expect(stub_service).to receive(:execute).and_return(status: :failed)
+
+      post :verify, params
+
+      expect(response).to redirect_to project_pages_domain_path(project, pages_domain)
+      expect(flash[:alert]).to eq('Failed to verify domain ownership')
+    end
+
+    it 'returns a 404 response for an unknown domain' do
+      post :verify, request_params.merge(id: 'unknown-domain')
+
+      expect(response).to have_gitlab_http_status(404)
     end
   end
 
diff --git a/spec/controllers/projects/prometheus_controller_spec.rb b/spec/controllers/projects/prometheus/metrics_controller_spec.rb
index bbfe78d305a..f17f819feee 100644
--- a/spec/controllers/projects/prometheus_controller_spec.rb
+++ b/spec/controllers/projects/prometheus/metrics_controller_spec.rb
@@ -1,20 +1,20 @@
-require('spec_helper')
+require 'spec_helper'
 
-describe Projects::PrometheusController do
+describe Projects::Prometheus::MetricsController do
   let(:user) { create(:user) }
-  let!(:project) { create(:project) }
+  let(:project) { create(:project) }
 
   let(:prometheus_service) { double('prometheus_service') }
 
   before do
     allow(controller).to receive(:project).and_return(project)
-    allow(project).to receive(:prometheus_service).and_return(prometheus_service)
+    allow(project).to receive(:find_or_initialize_service).with('prometheus').and_return(prometheus_service)
 
     project.add_master(user)
     sign_in(user)
   end
 
-  describe 'GET #active_metrics' do
+  describe 'GET #active_common' do
     context 'when prometheus metrics are enabled' do
       context 'when data is not present' do
         before do
@@ -22,7 +22,7 @@ describe Projects::PrometheusController do
         end
 
         it 'returns no content response' do
-          get :active_metrics, project_params(format: :json)
+          get :active_common, project_params(format: :json)
 
           expect(response).to have_gitlab_http_status(204)
         end
@@ -36,7 +36,7 @@ describe Projects::PrometheusController do
         end
 
         it 'returns no content response' do
-          get :active_metrics, project_params(format: :json)
+          get :active_common, project_params(format: :json)
 
           expect(response).to have_gitlab_http_status(200)
           expect(json_response).to eq(sample_response.deep_stringify_keys)
@@ -45,7 +45,7 @@ describe Projects::PrometheusController do
 
       context 'when requesting non json response' do
         it 'returns not found response' do
-          get :active_metrics, project_params
+          get :active_common, project_params
 
           expect(response).to have_gitlab_http_status(404)
         end
diff --git a/spec/controllers/projects/uploads_controller_spec.rb b/spec/controllers/projects/uploads_controller_spec.rb
index d572085661d..eca9baed9c9 100644
--- a/spec/controllers/projects/uploads_controller_spec.rb
+++ b/spec/controllers/projects/uploads_controller_spec.rb
@@ -7,4 +7,12 @@ describe Projects::UploadsController do
   end
 
   it_behaves_like 'handle uploads'
+
+  context 'when the URL the old style, without /-/system' do
+    it 'responds with a redirect to the login page' do
+      get :show, namespace_id: 'project', project_id: 'avatar', filename: 'foo.png', secret: 'bar'
+
+      expect(response).to redirect_to(new_user_session_path)
+    end
+  end
 end
diff --git a/spec/controllers/search_controller_spec.rb b/spec/controllers/search_controller_spec.rb
index 37f961d0c94..30c06ddf744 100644
--- a/spec/controllers/search_controller_spec.rb
+++ b/spec/controllers/search_controller_spec.rb
@@ -16,6 +16,32 @@ describe SearchController do
     expect(assigns[:search_objects].first).to eq note
   end
 
+  context 'when the user cannot read cross project' do
+    before do
+      allow(Ability).to receive(:allowed?).and_call_original
+      allow(Ability).to receive(:allowed?)
+                          .with(user, :read_cross_project, :global) { false }
+    end
+
+    it 'still allows accessing the search page' do
+      get :show
+
+      expect(response).to have_gitlab_http_status(200)
+    end
+
+    it 'still blocks searches without a project_id' do
+      get :show, search: 'hello'
+
+      expect(response).to have_gitlab_http_status(404)
+    end
+
+    it 'allows searches with a project_id' do
+      get :show, search: 'hello', project_id: create(:project, :public).id
+
+      expect(response).to have_gitlab_http_status(200)
+    end
+  end
+
   context 'on restricted projects' do
     context 'when signed out' do
       before do
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index 2898c4b119e..b0acf4a49ac 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -74,6 +74,31 @@ describe UsersController do
         end
       end
     end
+
+    context 'json with events' do
+      let(:project) { create(:project) }
+      before do
+        project.add_developer(user)
+        Gitlab::DataBuilder::Push.build_sample(project, user)
+
+        sign_in(user)
+      end
+
+      it 'loads events' do
+        get :show, username: user, format: :json
+
+        expect(assigns(:events)).not_to be_empty
+      end
+
+      it 'hides events if the user cannot read cross project' do
+        allow(Ability).to receive(:allowed?).and_call_original
+        expect(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
+
+        get :show, username: user, format: :json
+
+        expect(assigns(:events)).to be_empty
+      end
+    end
   end
 
   describe 'GET #calendar' do
diff --git a/spec/factories/pages_domains.rb b/spec/factories/pages_domains.rb
index 61b04708da2..35b44e1c52e 100644
--- a/spec/factories/pages_domains.rb
+++ b/spec/factories/pages_domains.rb
@@ -1,6 +1,25 @@
 FactoryBot.define do
   factory :pages_domain, class: 'PagesDomain' do
-    domain 'my.domain.com'
+    sequence(:domain) { |n| "my#{n}.domain.com" }
+    verified_at { Time.now }
+    enabled_until { 1.week.from_now }
+
+    trait :disabled do
+      verified_at nil
+      enabled_until nil
+    end
+
+    trait :unverified do
+      verified_at nil
+    end
+
+    trait :reverify do
+      enabled_until { 1.hour.from_now }
+    end
+
+    trait :expired do
+      enabled_until { 1.hour.ago }
+    end
 
     trait :with_certificate do
       certificate '-----BEGIN CERTIFICATE-----
diff --git a/spec/features/admin/admin_runners_spec.rb b/spec/features/admin/admin_runners_spec.rb
index a01c129defd..7eeed7da998 100644
--- a/spec/features/admin/admin_runners_spec.rb
+++ b/spec/features/admin/admin_runners_spec.rb
@@ -19,7 +19,7 @@ describe "Admin Runners" do
       end
 
       it 'has all necessary texts' do
-        expect(page).to have_text "How to setup"
+        expect(page).to have_text "Setup a shared Runner manually"
         expect(page).to have_text "Runners with last contact more than a minute ago: 1"
       end
 
@@ -54,7 +54,7 @@ describe "Admin Runners" do
       end
 
       it 'has all necessary texts including no runner message' do
-        expect(page).to have_text "How to setup"
+        expect(page).to have_text "Setup a shared Runner manually"
         expect(page).to have_text "Runners with last contact more than a minute ago: 0"
         expect(page).to have_text 'No runners found'
       end
diff --git a/spec/features/auto_deploy_spec.rb b/spec/features/auto_deploy_spec.rb
deleted file mode 100644
index 9aef68b7156..00000000000
--- a/spec/features/auto_deploy_spec.rb
+++ /dev/null
@@ -1,77 +0,0 @@
-require 'spec_helper'
-
-describe 'Auto deploy' do
-  let(:user) { create(:user) }
-  let(:project) { create(:project, :repository) }
-
-  shared_examples 'same behavior between KubernetesService and Platform::Kubernetes' do
-    context 'when no deployment service is active' do
-      before do
-        trun_off
-      end
-
-      it 'does not show a button to set up auto deploy' do
-        visit project_path(project)
-        expect(page).to have_no_content('Set up auto deploy')
-      end
-    end
-
-    context 'when a deployment service is active' do
-      before do
-        trun_on
-        visit project_path(project)
-      end
-
-      it 'shows a button to set up auto deploy' do
-        expect(page).to have_link('Set up auto deploy')
-      end
-
-      it 'includes OpenShift as an available template', :js do
-        click_link 'Set up auto deploy'
-        click_button 'Apply a GitLab CI Yaml template'
-
-        within '.gitlab-ci-yml-selector' do
-          expect(page).to have_content('OpenShift')
-        end
-      end
-
-      it 'creates a merge request using "auto-deploy" branch', :js do
-        click_link 'Set up auto deploy'
-        click_button 'Apply a GitLab CI Yaml template'
-        within '.gitlab-ci-yml-selector' do
-          click_on 'OpenShift'
-        end
-        wait_for_requests
-        click_button 'Commit changes'
-
-        expect(page).to have_content('New Merge Request From auto-deploy into master')
-      end
-    end
-  end
-
-  context 'when user configured kubernetes from Integration > Kubernetes' do
-    before do
-      create :kubernetes_service, project: project
-      project.add_master(user)
-      sign_in user
-    end
-
-    let(:trun_on) { project.deployment_platform.update!(active: true) }
-    let(:trun_off) { project.deployment_platform.update!(active: false) }
-
-    it_behaves_like 'same behavior between KubernetesService and Platform::Kubernetes'
-  end
-
-  context 'when user configured kubernetes from CI/CD > Clusters' do
-    before do
-      create(:cluster, :provided_by_gcp, projects: [project])
-      project.add_master(user)
-      sign_in user
-    end
-
-    let(:trun_on) { project.deployment_platform.cluster.update!(enabled: true) }
-    let(:trun_off) { project.deployment_platform.cluster.update!(enabled: false) }
-
-    it_behaves_like 'same behavior between KubernetesService and Platform::Kubernetes'
-  end
-end
diff --git a/spec/features/projects/files/project_owner_sees_link_to_create_license_file_in_empty_project_spec.rb b/spec/features/projects/files/project_owner_sees_link_to_create_license_file_in_empty_project_spec.rb
index 8ac9821b879..7f1d1934103 100644
--- a/spec/features/projects/files/project_owner_sees_link_to_create_license_file_in_empty_project_spec.rb
+++ b/spec/features/projects/files/project_owner_sees_link_to_create_license_file_in_empty_project_spec.rb
@@ -11,7 +11,7 @@ feature 'project owner sees a link to create a license file in empty project', :
 
   scenario 'project master creates a license file from a template' do
     visit project_path(project)
-    click_on 'LICENSE'
+    click_on 'Add License'
     expect(page).to have_content('New file')
 
     expect(current_path).to eq(
diff --git a/spec/features/projects/new_project_spec.rb b/spec/features/projects/new_project_spec.rb
index 6f097ad16c7..b5104747d00 100644
--- a/spec/features/projects/new_project_spec.rb
+++ b/spec/features/projects/new_project_spec.rb
@@ -140,7 +140,7 @@ feature 'New project' do
       find('#import-project-tab').click
     end
 
-    context 'from git repository url' do
+    context 'from git repository url, "Repo by URL"' do
       before do
         first('.import_git').click
       end
@@ -157,6 +157,18 @@ feature 'New project' do
         expect(git_import_instructions).to be_visible
         expect(git_import_instructions).to have_content 'Git repository URL'
       end
+
+      it 'keeps "Import project" tab open after form validation error' do
+        collision_project = create(:project, name: 'test-name-collision', namespace: user.namespace)
+
+        fill_in 'project_import_url', with: collision_project.http_url_to_repo
+        fill_in 'project_path', with: collision_project.path
+
+        click_on 'Create project'
+
+        expect(page).to have_css('#import-project-pane.active')
+        expect(page).not_to have_css('.toggle-import-form.hide')
+      end
     end
 
     context 'from GitHub' do
diff --git a/spec/features/projects/pages_spec.rb b/spec/features/projects/pages_spec.rb
index 3f1ef0b2a47..a96f2c186a4 100644
--- a/spec/features/projects/pages_spec.rb
+++ b/spec/features/projects/pages_spec.rb
@@ -60,7 +60,6 @@ feature 'Pages' do
             fill_in 'Domain', with: 'my.test.domain.com'
             click_button 'Create New Domain'
 
-            expect(page).to have_content('Domains (1)')
             expect(page).to have_content('my.test.domain.com')
           end
         end
@@ -159,7 +158,6 @@ feature 'Pages' do
           fill_in 'Key (PEM)', with: certificate_key
           click_button 'Create New Domain'
 
-          expect(page).to have_content('Domains (1)')
           expect(page).to have_content('my.test.domain.com')
         end
       end
diff --git a/spec/features/projects/show_project_spec.rb b/spec/features/projects/show_project_spec.rb
index 0b94c9eae5d..0a014e9f080 100644
--- a/spec/features/projects/show_project_spec.rb
+++ b/spec/features/projects/show_project_spec.rb
@@ -17,4 +17,321 @@ describe 'Project show page', :feature do
       expect(page).to have_content("This project was scheduled for deletion, but failed with the following message: #{project.delete_error}")
     end
   end
+
+  describe 'stat button existence' do
+    # For "New file", "Add License" functionality,
+    # see spec/features/projects/files/project_owner_creates_license_file_spec.rb
+    # see spec/features/projects/files/project_owner_sees_link_to_create_license_file_in_empty_project_spec.rb
+
+    let(:user) { create(:user) }
+
+    describe 'empty project' do
+      let(:project) { create(:project, :public, :empty_repo) }
+      let(:presenter) { project.present(current_user: user) }
+
+      describe 'as a normal user' do
+        before do
+          sign_in(user)
+
+          visit project_path(project)
+        end
+
+        it 'no Auto DevOps button if can not manage pipelines' do
+          page.within('.project-stats') do
+            expect(page).not_to have_link('Enable Auto DevOps')
+            expect(page).not_to have_link('Auto DevOps enabled')
+          end
+        end
+
+        it '"Auto DevOps enabled" button not linked' do
+          project.create_auto_devops!(enabled: true)
+
+          visit project_path(project)
+
+          page.within('.project-stats') do
+            expect(page).to have_text('Auto DevOps enabled')
+          end
+        end
+      end
+
+      describe 'as a master' do
+        before do
+          project.add_master(user)
+          sign_in(user)
+
+          visit project_path(project)
+        end
+
+        it '"New file" button linked to new file page' do
+          page.within('.project-stats') do
+            expect(page).to have_link('New file', href: project_new_blob_path(project, project.default_branch || 'master'))
+          end
+        end
+
+        it '"Add Readme" button linked to new file populated for a readme' do
+          page.within('.project-stats') do
+            expect(page).to have_link('Add Readme', href: presenter.add_readme_path)
+          end
+        end
+
+        it '"Add License" button linked to new file populated for a license' do
+          page.within('.project-stats') do
+            expect(page).to have_link('Add License', href: presenter.add_license_path)
+          end
+        end
+
+        describe 'Auto DevOps button' do
+          it '"Enable Auto DevOps" button linked to settings page' do
+            page.within('.project-stats') do
+              expect(page).to have_link('Enable Auto DevOps', href: project_settings_ci_cd_path(project, anchor: 'js-general-pipeline-settings'))
+            end
+          end
+
+          it '"Auto DevOps enabled" anchor linked to settings page' do
+            project.create_auto_devops!(enabled: true)
+
+            visit project_path(project)
+
+            page.within('.project-stats') do
+              expect(page).to have_link('Auto DevOps enabled', href: project_settings_ci_cd_path(project, anchor: 'js-general-pipeline-settings'))
+            end
+          end
+        end
+
+        describe 'Kubernetes cluster button' do
+          it '"Add Kubernetes cluster" button linked to clusters page' do
+            page.within('.project-stats') do
+              expect(page).to have_link('Add Kubernetes cluster', href: new_project_cluster_path(project))
+            end
+          end
+
+          it '"Kubernetes cluster" anchor linked to cluster page' do
+            cluster = create(:cluster, :provided_by_gcp, projects: [project])
+
+            visit project_path(project)
+
+            page.within('.project-stats') do
+              expect(page).to have_link('Kubernetes configured', href: project_cluster_path(project, cluster))
+            end
+          end
+        end
+      end
+    end
+
+    describe 'populated project' do
+      let(:project) { create(:project, :public, :repository) }
+      let(:presenter) { project.present(current_user: user) }
+
+      describe 'as a normal user' do
+        before do
+          sign_in(user)
+
+          visit project_path(project)
+        end
+
+        it 'no Auto DevOps button if can not manage pipelines' do
+          page.within('.project-stats') do
+            expect(page).not_to have_link('Enable Auto DevOps')
+            expect(page).not_to have_link('Auto DevOps enabled')
+          end
+        end
+
+        it '"Auto DevOps enabled" button not linked' do
+          project.create_auto_devops!(enabled: true)
+
+          visit project_path(project)
+
+          page.within('.project-stats') do
+            expect(page).to have_text('Auto DevOps enabled')
+          end
+        end
+
+        it 'no Kubernetes cluster button if can not manage clusters' do
+          page.within('.project-stats') do
+            expect(page).not_to have_link('Add Kubernetes cluster')
+            expect(page).not_to have_link('Kubernetes configured')
+          end
+        end
+      end
+
+      describe 'as a master' do
+        before do
+          allow_any_instance_of(AutoDevopsHelper).to receive(:show_auto_devops_callout?).and_return(false)
+          project.add_master(user)
+          sign_in(user)
+
+          visit project_path(project)
+        end
+
+        it 'no "Add Changelog" button if the project already has a changelog' do
+          expect(project.repository.changelog).not_to be_nil
+
+          page.within('.project-stats') do
+            expect(page).not_to have_link('Add Changelog')
+          end
+        end
+
+        it 'no "Add License" button if the project already has a license' do
+          expect(project.repository.license_blob).not_to be_nil
+
+          page.within('.project-stats') do
+            expect(page).not_to have_link('Add License')
+          end
+        end
+
+        it 'no "Add Contribution guide" button if the project already has a contribution guide' do
+          expect(project.repository.contribution_guide).not_to be_nil
+
+          page.within('.project-stats') do
+            expect(page).not_to have_link('Add Contribution guide')
+          end
+        end
+
+        describe 'GitLab CI configuration button' do
+          it '"Set up CI/CD" button linked to new file populated for a .gitlab-ci.yml' do
+            expect(project.repository.gitlab_ci_yml).to be_nil
+
+            page.within('.project-stats') do
+              expect(page).to have_link('Set up CI/CD', href: presenter.add_ci_yml_path)
+            end
+          end
+
+          it 'no "Set up CI/CD" button if the project already has a .gitlab-ci.yml' do
+            Files::CreateService.new(
+              project,
+              project.creator,
+              start_branch: 'master',
+              branch_name: 'master',
+              commit_message: "Add .gitlab-ci.yml",
+              file_path: '.gitlab-ci.yml',
+              file_content: File.read(Rails.root.join('spec/support/gitlab_stubs/gitlab_ci.yml'))
+            ).execute
+
+            expect(project.repository.gitlab_ci_yml).not_to be_nil
+
+            visit project_path(project)
+
+            page.within('.project-stats') do
+              expect(page).not_to have_link('Set up CI/CD')
+            end
+          end
+
+          it 'no "Set up CI/CD" button if the project has Auto DevOps enabled' do
+            project.create_auto_devops!(enabled: true)
+
+            visit project_path(project)
+
+            page.within('.project-stats') do
+              expect(page).not_to have_link('Set up CI/CD')
+            end
+          end
+        end
+
+        describe 'Auto DevOps button' do
+          it '"Enable Auto DevOps" button linked to settings page' do
+            page.within('.project-stats') do
+              expect(page).to have_link('Enable Auto DevOps', href: project_settings_ci_cd_path(project, anchor: 'js-general-pipeline-settings'))
+            end
+          end
+
+          it '"Enable Auto DevOps" button linked to settings page' do
+            project.create_auto_devops!(enabled: true)
+
+            visit project_path(project)
+
+            page.within('.project-stats') do
+              expect(page).to have_link('Auto DevOps enabled', href: project_settings_ci_cd_path(project, anchor: 'js-general-pipeline-settings'))
+            end
+          end
+
+          it 'no Auto DevOps button if Auto DevOps callout is shown' do
+            allow_any_instance_of(AutoDevopsHelper).to receive(:show_auto_devops_callout?).and_return(true)
+
+            visit project_path(project)
+
+            expect(page).to have_selector('.js-autodevops-banner')
+
+            page.within('.project-stats') do
+              expect(page).not_to have_link('Enable Auto DevOps')
+              expect(page).not_to have_link('Auto DevOps enabled')
+            end
+          end
+
+          it 'no "Enable Auto DevOps" button when .gitlab-ci.yml already exists' do
+            Files::CreateService.new(
+              project,
+              project.creator,
+              start_branch: 'master',
+              branch_name: 'master',
+              commit_message: "Add .gitlab-ci.yml",
+              file_path: '.gitlab-ci.yml',
+              file_content: File.read(Rails.root.join('spec/support/gitlab_stubs/gitlab_ci.yml'))
+            ).execute
+
+            expect(project.repository.gitlab_ci_yml).not_to be_nil
+
+            visit project_path(project)
+
+            page.within('.project-stats') do
+              expect(page).not_to have_link('Enable Auto DevOps')
+              expect(page).not_to have_link('Auto DevOps enabled')
+            end
+          end
+        end
+
+        describe 'Kubernetes cluster button' do
+          it '"Add Kubernetes cluster" button linked to clusters page' do
+            page.within('.project-stats') do
+              expect(page).to have_link('Add Kubernetes cluster', href: new_project_cluster_path(project))
+            end
+          end
+
+          it '"Kubernetes cluster" button linked to cluster page' do
+            cluster = create(:cluster, :provided_by_gcp, projects: [project])
+
+            visit project_path(project)
+
+            page.within('.project-stats') do
+              expect(page).to have_link('Kubernetes configured', href: project_cluster_path(project, cluster))
+            end
+          end
+        end
+
+        describe '"Set up Koding" button' do
+          it 'no "Set up Koding" button if Koding disabled' do
+            stub_application_setting(koding_enabled?: false)
+
+            visit project_path(project)
+
+            page.within('.project-stats') do
+              expect(page).not_to have_link('Set up Koding')
+            end
+          end
+
+          it 'no "Set up Koding" button if the project already has a .koding.yml' do
+            stub_application_setting(koding_enabled?: true)
+            allow(Gitlab::CurrentSettings.current_application_settings).to receive(:koding_url).and_return('http://koding.example.com')
+            expect(project.repository.changelog).not_to be_nil
+            allow_any_instance_of(Repository).to receive(:koding_yml).and_return(project.repository.changelog)
+
+            visit project_path(project)
+
+            page.within('.project-stats') do
+              expect(page).not_to have_link('Set up Koding')
+            end
+          end
+
+          it '"Set up Koding" button linked to new file populated for a .koding.yml' do
+            stub_application_setting(koding_enabled?: true)
+
+            visit project_path(project)
+
+            page.within('.project-stats') do
+              expect(page).to have_link('Set up Koding', href: presenter.add_koding_stack_path)
+            end
+          end
+        end
+      end
+    end
+  end
 end
diff --git a/spec/features/projects_spec.rb b/spec/features/projects_spec.rb
index b66a7dea598..645d12da09f 100644
--- a/spec/features/projects_spec.rb
+++ b/spec/features/projects_spec.rb
@@ -25,6 +25,24 @@ feature 'Project' do
     end
   end
 
+  describe 'shows tip about push to create git command' do
+    let(:user)    { create(:user) }
+
+    before do
+      sign_in user
+      visit new_project_path
+    end
+
+    it 'shows the command in a popover', :js do
+      page.within '.profile-settings-sidebar' do
+        click_link 'Show command'
+      end
+
+      expect(page).to have_css('.popover .push-to-create-popover #push_to_create_tip')
+      expect(page).to have_content 'Private projects can be created in your personal namespace with:'
+    end
+  end
+
   describe 'description' do
     let(:project) { create(:project, :repository) }
     let(:path)    { project_path(project) }
diff --git a/spec/features/runners_spec.rb b/spec/features/runners_spec.rb
index aec9de6c7ca..df65c2d2f83 100644
--- a/spec/features/runners_spec.rb
+++ b/spec/features/runners_spec.rb
@@ -7,6 +7,20 @@ feature 'Runners' do
     sign_in(user)
   end
 
+  context 'when user opens runners page' do
+    given(:project) { create(:project) }
+
+    background do
+      project.add_master(user)
+    end
+
+    scenario 'user can see a button to install runners on kubernetes clusters' do
+      visit runners_path(project)
+
+      expect(page).to have_link('Install Runner on Kubernetes', href: project_clusters_path(project))
+    end
+  end
+
   context 'when a project has enabled shared_runners' do
     given(:project) { create(:project) }
 
diff --git a/spec/features/signup_spec.rb b/spec/features/signup_spec.rb
deleted file mode 100644
index 917fad74ef1..00000000000
--- a/spec/features/signup_spec.rb
+++ /dev/null
@@ -1,103 +0,0 @@
-require 'spec_helper'
-
-feature 'Signup' do
-  describe 'signup with no errors' do
-    context "when sending confirmation email" do
-      before do
-        stub_application_setting(send_user_confirmation_email: true)
-      end
-
-      it 'creates the user account and sends a confirmation email' do
-        user = build(:user)
-
-        visit root_path
-
-        fill_in 'new_user_name',                with: user.name
-        fill_in 'new_user_username',            with: user.username
-        fill_in 'new_user_email',               with: user.email
-        fill_in 'new_user_email_confirmation',  with: user.email
-        fill_in 'new_user_password',            with: user.password
-        click_button "Register"
-
-        expect(current_path).to eq users_almost_there_path
-        expect(page).to have_content("Please check your email to confirm your account")
-      end
-    end
-
-    context "when sigining up with different cased emails" do
-      it "creates the user successfully" do
-        user = build(:user)
-
-        visit root_path
-
-        fill_in 'new_user_name',                with: user.name
-        fill_in 'new_user_username',            with: user.username
-        fill_in 'new_user_email',               with: user.email
-        fill_in 'new_user_email_confirmation',  with: user.email.capitalize
-        fill_in 'new_user_password',            with: user.password
-        click_button "Register"
-
-        expect(current_path).to eq dashboard_projects_path
-        expect(page).to have_content("Welcome! You have signed up successfully.")
-      end
-    end
-
-    context "when not sending confirmation email" do
-      before do
-        stub_application_setting(send_user_confirmation_email: false)
-      end
-
-      it 'creates the user account and goes to dashboard' do
-        user = build(:user)
-
-        visit root_path
-
-        fill_in 'new_user_name',                with: user.name
-        fill_in 'new_user_username',            with: user.username
-        fill_in 'new_user_email',               with: user.email
-        fill_in 'new_user_email_confirmation',  with: user.email
-        fill_in 'new_user_password',            with: user.password
-        click_button "Register"
-
-        expect(current_path).to eq dashboard_projects_path
-        expect(page).to have_content("Welcome! You have signed up successfully.")
-      end
-    end
-  end
-
-  describe 'signup with errors' do
-    it "displays the errors" do
-      existing_user = create(:user)
-      user = build(:user)
-
-      visit root_path
-
-      fill_in 'new_user_name',     with: user.name
-      fill_in 'new_user_username', with: user.username
-      fill_in 'new_user_email',    with: existing_user.email
-      fill_in 'new_user_password', with: user.password
-      click_button "Register"
-
-      expect(current_path).to eq user_registration_path
-      expect(page).to have_content("errors prohibited this user from being saved")
-      expect(page).to have_content("Email has already been taken")
-      expect(page).to have_content("Email confirmation doesn't match")
-    end
-
-    it 'does not redisplay the password' do
-      existing_user = create(:user)
-      user = build(:user)
-
-      visit root_path
-
-      fill_in 'new_user_name',     with: user.name
-      fill_in 'new_user_username', with: user.username
-      fill_in 'new_user_email',    with: existing_user.email
-      fill_in 'new_user_password', with: user.password
-      click_button "Register"
-
-      expect(current_path).to eq user_registration_path
-      expect(page.body).not_to match(/#{user.password}/)
-    end
-  end
-end
diff --git a/spec/features/tags/master_views_tags_spec.rb b/spec/features/tags/master_views_tags_spec.rb
index 4662367d843..b625e7065cc 100644
--- a/spec/features/tags/master_views_tags_spec.rb
+++ b/spec/features/tags/master_views_tags_spec.rb
@@ -13,7 +13,7 @@ feature 'Master views tags' do
 
     before do
       visit project_path(project)
-      click_on 'README'
+      click_on 'Add Readme'
       fill_in :commit_message, with: 'Add a README file', visible: true
       click_button 'Commit changes'
       visit project_tags_path(project)
diff --git a/spec/features/login_spec.rb b/spec/features/users/login_spec.rb
index 6dfabcc7225..6ef235cf870 100644
--- a/spec/features/login_spec.rb
+++ b/spec/features/users/login_spec.rb
@@ -1,6 +1,26 @@
 require 'spec_helper'
 
 feature 'Login' do
+  scenario 'Successful user signin invalidates password reset token' do
+    user = create(:user)
+
+    expect(user.reset_password_token).to be_nil
+
+    visit new_user_password_path
+    fill_in 'user_email', with: user.email
+    click_button 'Reset password'
+
+    user.reload
+    expect(user.reset_password_token).not_to be_nil
+
+    find('a[href="#login-pane"]').click
+    gitlab_sign_in(user)
+    expect(current_path).to eq root_path
+
+    user.reload
+    expect(user.reset_password_token).to be_nil
+  end
+
   describe 'initial login after setup' do
     it 'allows the initial admin to create a password' do
       # This behavior is dependent on there only being one user
diff --git a/spec/features/logout_spec.rb b/spec/features/users/logout_spec.rb
index 635729efa53..635729efa53 100644
--- a/spec/features/logout_spec.rb
+++ b/spec/features/users/logout_spec.rb
diff --git a/spec/features/users/projects_spec.rb b/spec/features/users/projects_spec.rb
deleted file mode 100644
index f079771cee1..00000000000
--- a/spec/features/users/projects_spec.rb
+++ /dev/null
@@ -1,29 +0,0 @@
-require 'spec_helper'
-
-describe 'Projects tab on a user profile', :js do
-  let(:user) { create(:user) }
-  let!(:project) { create(:project, namespace: user.namespace) }
-  let!(:project2) { create(:project, namespace: user.namespace) }
-
-  before do
-    allow(Project).to receive(:default_per_page).and_return(1)
-
-    sign_in(user)
-
-    visit user_path(user)
-
-    page.within('.user-profile-nav') do
-      click_link('Personal projects')
-    end
-
-    wait_for_requests
-  end
-
-  it 'paginates results' do
-    expect(page).to have_content(project2.name)
-
-    click_link('Next')
-
-    expect(page).to have_content(project.name)
-  end
-end
diff --git a/spec/features/users/show_spec.rb b/spec/features/users/show_spec.rb
new file mode 100644
index 00000000000..b5bbb2c0ea5
--- /dev/null
+++ b/spec/features/users/show_spec.rb
@@ -0,0 +1,17 @@
+require 'spec_helper'
+
+describe 'User page' do
+  let(:user) { create(:user) }
+
+  it 'shows all the tabs' do
+    visit(user_path(user))
+
+    page.within '.nav-links' do
+      expect(page).to have_link('Activity')
+      expect(page).to have_link('Groups')
+      expect(page).to have_link('Contributed projects')
+      expect(page).to have_link('Personal projects')
+      expect(page).to have_link('Snippets')
+    end
+  end
+end
diff --git a/spec/features/users/signup_spec.rb b/spec/features/users/signup_spec.rb
new file mode 100644
index 00000000000..5d539f0ccbe
--- /dev/null
+++ b/spec/features/users/signup_spec.rb
@@ -0,0 +1,135 @@
+require 'spec_helper'
+
+describe 'Signup' do
+  let(:new_user) { build_stubbed(:user) }
+
+  describe 'username validation', :js do
+    before do
+      visit root_path
+      click_link 'Register'
+    end
+
+    it 'does not show an error border if the username is available' do
+      fill_in 'new_user_username', with: 'new-user'
+      wait_for_requests
+
+      expect(find('.username')).not_to have_css '.gl-field-error-outline'
+    end
+
+    it 'does not show an error border if the username contains dots (.)' do
+      fill_in 'new_user_username', with: 'new.user.username'
+      wait_for_requests
+
+      expect(find('.username')).not_to have_css '.gl-field-error-outline'
+    end
+
+    it 'shows an error border if the username already exists' do
+      existing_user = create(:user)
+
+      fill_in 'new_user_username', with: existing_user.username
+      wait_for_requests
+
+      expect(find('.username')).to have_css '.gl-field-error-outline'
+    end
+
+    it 'shows an  error border if the username contains special characters' do
+      fill_in 'new_user_username', with: 'new$user!username'
+      wait_for_requests
+
+      expect(find('.username')).to have_css '.gl-field-error-outline'
+    end
+  end
+
+  context 'with no errors' do
+    context "when sending confirmation email" do
+      before do
+        stub_application_setting(send_user_confirmation_email: true)
+      end
+
+      it 'creates the user account and sends a confirmation email' do
+        visit root_path
+
+        fill_in 'new_user_name',                with: new_user.name
+        fill_in 'new_user_username',            with: new_user.username
+        fill_in 'new_user_email',               with: new_user.email
+        fill_in 'new_user_email_confirmation',  with: new_user.email
+        fill_in 'new_user_password',            with: new_user.password
+
+        expect { click_button 'Register' }.to change { User.count }.by(1)
+
+        expect(current_path).to eq users_almost_there_path
+        expect(page).to have_content("Please check your email to confirm your account")
+      end
+    end
+
+    context "when sigining up with different cased emails" do
+      it "creates the user successfully" do
+        visit root_path
+
+        fill_in 'new_user_name',                with: new_user.name
+        fill_in 'new_user_username',            with: new_user.username
+        fill_in 'new_user_email',               with: new_user.email
+        fill_in 'new_user_email_confirmation',  with: new_user.email.capitalize
+        fill_in 'new_user_password',            with: new_user.password
+        click_button "Register"
+
+        expect(current_path).to eq dashboard_projects_path
+        expect(page).to have_content("Welcome! You have signed up successfully.")
+      end
+    end
+
+    context "when not sending confirmation email" do
+      before do
+        stub_application_setting(send_user_confirmation_email: false)
+      end
+
+      it 'creates the user account and goes to dashboard' do
+        visit root_path
+
+        fill_in 'new_user_name',                with: new_user.name
+        fill_in 'new_user_username',            with: new_user.username
+        fill_in 'new_user_email',               with: new_user.email
+        fill_in 'new_user_email_confirmation',  with: new_user.email
+        fill_in 'new_user_password',            with: new_user.password
+        click_button "Register"
+
+        expect(current_path).to eq dashboard_projects_path
+        expect(page).to have_content("Welcome! You have signed up successfully.")
+      end
+    end
+  end
+
+  context 'with errors' do
+    it "displays the errors" do
+      existing_user = create(:user)
+
+      visit root_path
+
+      fill_in 'new_user_name',     with: new_user.name
+      fill_in 'new_user_username', with: new_user.username
+      fill_in 'new_user_email',    with: existing_user.email
+      fill_in 'new_user_password', with: new_user.password
+      click_button "Register"
+
+      expect(current_path).to eq user_registration_path
+      expect(page).to have_content("errors prohibited this user from being saved")
+      expect(page).to have_content("Email has already been taken")
+      expect(page).to have_content("Email confirmation doesn't match")
+    end
+
+    it 'does not redisplay the password' do
+      existing_user = create(:user)
+
+      visit root_path
+
+      fill_in 'new_user_name',     with: new_user.name
+      fill_in 'new_user_username', with: new_user.username
+      fill_in 'new_user_email',    with: existing_user.email
+      fill_in 'new_user_password', with: new_user.password
+      click_button "Register"
+
+      expect(current_path).to eq user_registration_path
+      expect(page.body).not_to match(/#{new_user.password}/)
+    end
+  end
+end
diff --git a/spec/features/user_page_spec.rb b/spec/features/users/user_browses_projects_on_user_page_spec.rb
index 19c587e53c8..a70637c8370 100644
--- a/spec/features/user_page_spec.rb
+++ b/spec/features/users/user_browses_projects_on_user_page_spec.rb
@@ -1,6 +1,6 @@
 require 'spec_helper'
 
-describe 'User page', :js do
+describe 'Users > User browses projects on user page', :js do
   let!(:user) { create :user }
   let!(:private_project) do
     create :project, :private, name: 'private', namespace: user.namespace do |project|
@@ -26,6 +26,28 @@ describe 'User page', :js do
     end
   end
 
+  it 'paginates projects', :js do
+    project = create(:project, namespace: user.namespace)
+    project2 = create(:project, namespace: user.namespace)
+    allow(Project).to receive(:default_per_page).and_return(1)
+
+    sign_in(user)
+
+    visit user_path(user)
+
+    page.within('.user-profile-nav') do
+      click_link('Personal projects')
+    end
+
+    wait_for_requests
+
+    expect(page).to have_content(project2.name)
+
+    click_link('Next')
+
+    expect(page).to have_content(project.name)
+  end
+
   context 'when not signed in' do
     it 'renders user public project' do
       visit user_path(user)
diff --git a/spec/features/users_spec.rb b/spec/features/users_spec.rb
deleted file mode 100644
index a9973cdf214..00000000000
--- a/spec/features/users_spec.rb
+++ /dev/null
@@ -1,114 +0,0 @@
-require 'spec_helper'
-
-feature 'Users', :js do
-  let(:user) { create(:user, username: 'user1', name: 'User 1', email: 'user1@gitlab.com') }
-
-  scenario 'GET /users/sign_in creates a new user account' do
-    visit new_user_session_path
-    click_link 'Register'
-    fill_in 'new_user_name',                with: 'Name Surname'
-    fill_in 'new_user_username',            with: 'Great'
-    fill_in 'new_user_email',               with: 'name@mail.com'
-    fill_in 'new_user_email_confirmation',  with: 'name@mail.com'
-    fill_in 'new_user_password',            with: 'password1234'
-    expect { click_button 'Register' }.to change { User.count }.by(1)
-  end
-
-  scenario 'Successful user signin invalidates password reset token' do
-    expect(user.reset_password_token).to be_nil
-
-    visit new_user_password_path
-    fill_in 'user_email', with: user.email
-    click_button 'Reset password'
-
-    user.reload
-    expect(user.reset_password_token).not_to be_nil
-
-    find('a[href="#login-pane"]').click
-    gitlab_sign_in(user)
-    expect(current_path).to eq root_path
-
-    user.reload
-    expect(user.reset_password_token).to be_nil
-  end
-
-  scenario 'Should show one error if email is already taken' do
-    visit new_user_session_path
-    click_link 'Register'
-    fill_in 'new_user_name',                with: 'Another user name'
-    fill_in 'new_user_username',            with: 'anotheruser'
-    fill_in 'new_user_email',               with: user.email
-    fill_in 'new_user_email_confirmation',  with: user.email
-    fill_in 'new_user_password',            with: '12341234'
-    expect { click_button 'Register' }.to change { User.count }.by(0)
-    expect(page).to have_text('Email has already been taken')
-    expect(number_of_errors_on_page(page)).to be(1), 'errors on page:\n #{errors_on_page page}'
-  end
-
-  describe 'redirect alias routes' do
-    before do
-      expect(user).to be_persisted
-    end
-
-    scenario '/u/user1 redirects to user page' do
-      visit '/u/user1'
-
-      expect(current_path).to eq user_path(user)
-      expect(page).to have_text(user.name)
-    end
-
-    scenario '/u/user1/groups redirects to user groups page' do
-      visit '/u/user1/groups'
-
-      expect(current_path).to eq user_groups_path(user)
-    end
-
-    scenario '/u/user1/projects redirects to user projects page' do
-      visit '/u/user1/projects'
-
-      expect(current_path).to eq user_projects_path(user)
-    end
-  end
-
-  feature 'username validation' do
-    let(:loading_icon) { '.fa.fa-spinner' }
-    let(:username_input) { 'new_user_username' }
-
-    before do
-      visit new_user_session_path
-      click_link 'Register'
-    end
-
-    scenario 'doesn\'t show an error border if the username is available' do
-      fill_in username_input, with: 'new-user'
-      wait_for_requests
-      expect(find('.username')).not_to have_css '.gl-field-error-outline'
-    end
-
-    scenario 'does not show an error border if the username contains dots (.)' do
-      fill_in username_input, with: 'new.user.username'
-      wait_for_requests
-      expect(find('.username')).not_to have_css '.gl-field-error-outline'
-    end
-
-    scenario 'shows an error border if the username already exists' do
-      fill_in username_input, with: user.username
-      wait_for_requests
-      expect(find('.username')).to have_css '.gl-field-error-outline'
-    end
-
-    scenario 'shows an  error border if the username contains special characters' do
-      fill_in username_input, with: 'new$user!username'
-      wait_for_requests
-      expect(find('.username')).to have_css '.gl-field-error-outline'
-    end
-  end
-
-  def errors_on_page(page)
-    page.find('#error_explanation').find('ul').all('li').map { |item| item.text }.join("\n")
-  end
-
-  def number_of_errors_on_page(page)
-    page.find('#error_explanation').find('ul').all('li').count
-  end
-end
diff --git a/spec/finders/concerns/finder_methods_spec.rb b/spec/finders/concerns/finder_methods_spec.rb
new file mode 100644
index 00000000000..a4ad331f613
--- /dev/null
+++ b/spec/finders/concerns/finder_methods_spec.rb
@@ -0,0 +1,70 @@
+require 'spec_helper'
+
+describe FinderMethods do
+  let(:finder_class) do
+    Class.new do
+      include FinderMethods
+
+      attr_reader :current_user
+
+      def initialize(user)
+        @current_user = user
+      end
+
+      def execute
+        Project.all
+      end
+    end
+  end
+
+  let(:user) { create(:user) }
+  let(:finder) { finder_class.new(user) }
+  let(:authorized_project) { create(:project) }
+  let(:unauthorized_project) { create(:project) }
+
+  before do
+    authorized_project.add_developer(user)
+  end
+
+  describe '#find_by!' do
+    it 'returns the project if the user has access' do
+      expect(finder.find_by!(id: authorized_project.id)).to eq(authorized_project)
+    end
+
+    it 'raises not found when the project is not found' do
+      expect { finder.find_by!(id: 0) }.to raise_error(ActiveRecord::RecordNotFound)
+    end
+
+    it 'raises not found the user does not have access' do
+      expect { finder.find_by!(id: unauthorized_project.id) }.to raise_error(ActiveRecord::RecordNotFound)
+    end
+  end
+
+  describe '#find' do
+    it 'returns the project if the user has access' do
+      expect(finder.find(authorized_project.id)).to eq(authorized_project)
+    end
+
+    it 'raises not found when the project is not found' do
+      expect { finder.find(0) }.to raise_error(ActiveRecord::RecordNotFound)
+    end
+
+    it 'raises not found the user does not have access' do
+      expect { finder.find(unauthorized_project.id) }.to raise_error(ActiveRecord::RecordNotFound)
+    end
+  end
+
+  describe '#find_by' do
+    it 'returns the project if the user has access' do
+      expect(finder.find_by(id: authorized_project.id)).to eq(authorized_project)
+    end
+
+    it 'returns nil when the project is not found' do
+      expect(finder.find_by(id: 0)).to be_nil
+    end
+
+    it 'returns nil when the user does not have access' do
+      expect(finder.find_by(id: unauthorized_project.id)).to be_nil
+    end
+  end
+end
diff --git a/spec/finders/concerns/finder_with_cross_project_access_spec.rb b/spec/finders/concerns/finder_with_cross_project_access_spec.rb
new file mode 100644
index 00000000000..c784fb87972
--- /dev/null
+++ b/spec/finders/concerns/finder_with_cross_project_access_spec.rb
@@ -0,0 +1,118 @@
+require 'spec_helper'
+
+describe FinderWithCrossProjectAccess do
+  let(:finder_class) do
+    Class.new do
+      prepend FinderWithCrossProjectAccess
+      include FinderMethods
+
+      requires_cross_project_access if: -> { requires_access? }
+
+      attr_reader :current_user
+
+      def initialize(user)
+        @current_user = user
+      end
+
+      def execute
+        Issue.all
+      end
+    end
+  end
+
+  let(:user) { create(:user) }
+  subject(:finder) { finder_class.new(user) }
+  let!(:result) { create(:issue) }
+
+  before do
+    result.project.add_master(user)
+  end
+
+  def expect_access_check_on_result
+    expect(finder).not_to receive(:requires_access?)
+    expect(Ability).to receive(:allowed?).with(user, :read_issue, result).and_call_original
+  end
+
+  context 'when the user cannot read cross project' do
+    before do
+      allow(Ability).to receive(:allowed?).and_call_original
+      allow(Ability).to receive(:allowed?).with(user, :read_cross_project)
+                          .and_return(false)
+    end
+
+    describe '#execute' do
+      it 'returns a issue if the check is disabled' do
+        expect(finder).to receive(:requires_access?).and_return(false)
+
+        expect(finder.execute).to include(result)
+      end
+
+      it 'returns an empty relation when the check is enabled' do
+        expect(finder).to receive(:requires_access?).and_return(true)
+
+        expect(finder.execute).to be_empty
+      end
+
+      it 'only queries once when check is enabled' do
+        expect(finder).to receive(:requires_access?).and_return(true)
+
+        expect { finder.execute }.not_to exceed_query_limit(1)
+      end
+
+      it 'only queries once when check is disabled' do
+        expect(finder).to receive(:requires_access?).and_return(false)
+
+        expect { finder.execute }.not_to exceed_query_limit(1)
+      end
+    end
+
+    describe '#find' do
+      it 'checks the accessibility of the subject directly' do
+        expect_access_check_on_result
+
+        finder.find(result.id)
+      end
+
+      it 'returns the issue' do
+        expect(finder.find(result.id)).to eq(result)
+      end
+    end
+
+    describe '#find_by' do
+      it 'checks the accessibility of the subject directly' do
+        expect_access_check_on_result
+
+        finder.find_by(id: result.id)
+      end
+    end
+
+    describe '#find_by!' do
+      it 'checks the accessibility of the subject directly' do
+        expect_access_check_on_result
+
+        finder.find_by!(id: result.id)
+      end
+
+      it 're-enables the check after the find failed' do
+        finder.find_by!(id: 9999) rescue ActiveRecord::RecordNotFound
+
+        expect(finder.instance_variable_get(:@should_skip_cross_project_check))
+          .to eq(false)
+      end
+    end
+  end
+
+  context 'when the user can read cross project' do
+    before do
+      allow(Ability).to receive(:allowed?).and_call_original
+      allow(Ability).to receive(:allowed?).with(user, :read_cross_project)
+                          .and_return(true)
+    end
+
+    it 'returns the result' do
+      expect(finder).not_to receive(:requires_access?)
+
+      expect(finder.execute).to include(result)
+    end
+  end
+end
diff --git a/spec/finders/events_finder_spec.rb b/spec/finders/events_finder_spec.rb
index 18d6c0cfd74..62968e83292 100644
--- a/spec/finders/events_finder_spec.rb
+++ b/spec/finders/events_finder_spec.rb
@@ -26,6 +26,14 @@ describe EventsFinder do
 
       expect(events).not_to include(opened_merge_request_event)
     end
+
+    it 'returns nothing when the current user cannot read cross project' do
+      expect(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
+
+      events = described_class.new(source: user, current_user: user).execute
+
+      expect(events).to be_empty
+    end
   end
 
   context 'when targeting a project' do
diff --git a/spec/finders/milestones_finder_spec.rb b/spec/finders/milestones_finder_spec.rb
index 0b3cf7ece5f..656d120311a 100644
--- a/spec/finders/milestones_finder_spec.rb
+++ b/spec/finders/milestones_finder_spec.rb
@@ -70,4 +70,12 @@ describe MilestonesFinder do
       expect(result.to_a).to contain_exactly(milestone_1)
     end
   end
+
+  describe '#find_by' do
+    it 'finds a single milestone' do
+      finder = described_class.new(project_ids: [project_1.id], state: 'all')
+
+      expect(finder.find_by(iid: milestone_3.iid)).to eq(milestone_3)
+    end
+  end
 end
diff --git a/spec/finders/snippets_finder_spec.rb b/spec/finders/snippets_finder_spec.rb
index 54a07eccaba..1ae0bd988f2 100644
--- a/spec/finders/snippets_finder_spec.rb
+++ b/spec/finders/snippets_finder_spec.rb
@@ -162,8 +162,26 @@ describe SnippetsFinder do
     end
   end
 
-  describe "#execute" do
-    # Snippet visibility scenarios are included in more details in spec/support/snippet_visibility.rb
-    include_examples 'snippet visibility', described_class
+  describe '#execute' do
+    let(:project) { create(:project, :public) }
+    let!(:project_snippet) { create(:project_snippet, :public, project: project) }
+    let!(:personal_snippet) { create(:personal_snippet, :public) }
+    let(:user) { create(:user) }
+    subject(:finder) { described_class.new(user) }
+
+    it 'returns project- and personal snippets' do
+      expect(finder.execute).to contain_exactly(project_snippet, personal_snippet)
+    end
+
+    context 'when the user cannot read cross project' do
+      before do
+        allow(Ability).to receive(:allowed?).and_call_original
+        allow(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
+      end
+
+      it 'returns only personal snippets when the user cannot read cross project' do
+        expect(finder.execute).to contain_exactly(personal_snippet)
+      end
+    end
   end
 end
diff --git a/spec/finders/user_recent_events_finder_spec.rb b/spec/finders/user_recent_events_finder_spec.rb
new file mode 100644
index 00000000000..3ca0f7c3c89
--- /dev/null
+++ b/spec/finders/user_recent_events_finder_spec.rb
@@ -0,0 +1,31 @@
+require 'spec_helper'
+
+describe UserRecentEventsFinder do
+  let(:user) { create(:user) }
+  let(:project) { create(:project) }
+  let(:project_owner) { project.creator }
+  let!(:event) { create(:event, project: project, author: project_owner) }
+
+  subject(:finder) { described_class.new(user, project_owner) }
+
+  describe '#execute' do
+    it 'does not include the event when a user does not have access to the project' do
+      expect(finder.execute).to be_empty
+    end
+
+    context 'when the user has access to a project' do
+      before do
+        project.add_developer(user)
+      end
+
+      it 'includes the event' do
+        expect(finder.execute).to include(event)
+      end
+
+      it 'does not include the event if the user cannot read cross project' do
+        expect(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
+        expect(finder.execute).to be_empty
+      end
+    end
+  end
+end
diff --git a/spec/fixtures/api/schemas/public_api/v4/pages_domain/basic.json b/spec/fixtures/api/schemas/public_api/v4/pages_domain/basic.json
index e8c17298b43..ed8ed9085c0 100644
--- a/spec/fixtures/api/schemas/public_api/v4/pages_domain/basic.json
+++ b/spec/fixtures/api/schemas/public_api/v4/pages_domain/basic.json
@@ -4,6 +4,9 @@
     "domain": { "type": "string" },
     "url": { "type": "uri" },
     "project_id": { "type": "integer" },
+    "verified": { "type": "boolean" },
+    "verification_code": { "type": ["string", "null"] },
+    "enabled_until": { "type": ["date", "null"] },
     "certificate_expiration": {
       "type": "object",
       "properties": {
@@ -14,6 +17,6 @@
       "additionalProperties": false
     }
   },
-  "required": ["domain", "url", "project_id"],
+  "required": ["domain", "url", "project_id", "verified", "verification_code", "enabled_until"],
   "additionalProperties": false
 }
diff --git a/spec/fixtures/api/schemas/public_api/v4/pages_domain/detail.json b/spec/fixtures/api/schemas/public_api/v4/pages_domain/detail.json
index 08db8d47050..b57d544f896 100644
--- a/spec/fixtures/api/schemas/public_api/v4/pages_domain/detail.json
+++ b/spec/fixtures/api/schemas/public_api/v4/pages_domain/detail.json
@@ -3,6 +3,9 @@
   "properties": {
     "domain": { "type": "string" },
     "url": { "type": "uri" },
+    "verified": { "type": "boolean" },
+    "verification_code": { "type": ["string", "null"] },
+    "enabled_until": { "type": ["date", "null"] },
     "certificate": {
       "type": "object",
       "properties": {
@@ -15,6 +18,6 @@
       "additionalProperties": false
     }
   },
-  "required": ["domain", "url"],
+  "required": ["domain", "url", "verified", "verification_code", "enabled_until"],
   "additionalProperties": false
 }
diff --git a/spec/helpers/dashboard_helper_spec.rb b/spec/helpers/dashboard_helper_spec.rb
new file mode 100644
index 00000000000..7ba24ba2956
--- /dev/null
+++ b/spec/helpers/dashboard_helper_spec.rb
@@ -0,0 +1,24 @@
+require 'spec_helper'
+
+describe DashboardHelper do
+  let(:user) { build(:user) }
+
+  before do
+    allow(helper).to receive(:current_user).and_return(user)
+    allow(helper).to receive(:can?) { true }
+  end
+
+  describe '#dashboard_nav_links' do
+    it 'has all the expected links by default' do
+      menu_items = [:projects, :groups, :activity, :milestones, :snippets]
+
+      expect(helper.dashboard_nav_links).to contain_exactly(*menu_items)
+    end
+
+    it 'does not contain cross project elements when the user cannot read cross project' do
+      expect(helper).to receive(:can?).with(user, :read_cross_project) { false }
+
+      expect(helper.dashboard_nav_links).not_to include(:activity, :milestones)
+    end
+  end
+end
diff --git a/spec/helpers/explore_helper_spec.rb b/spec/helpers/explore_helper_spec.rb
new file mode 100644
index 00000000000..12651d80e36
--- /dev/null
+++ b/spec/helpers/explore_helper_spec.rb
@@ -0,0 +1,18 @@
+require 'spec_helper'
+
+describe ExploreHelper do
+  let(:user) { build(:user) }
+
+  before do
+    allow(helper).to receive(:current_user).and_return(user)
+    allow(helper).to receive(:can?) { true }
+  end
+
+  describe '#explore_nav_links' do
+    it 'has all the expected links by default' do
+      menu_items = [:projects, :groups, :snippets]
+
+      expect(helper.explore_nav_links).to contain_exactly(*menu_items)
+    end
+  end
+end
diff --git a/spec/helpers/groups_helper_spec.rb b/spec/helpers/groups_helper_spec.rb
index 5f608fe18d9..b48c252acd3 100644
--- a/spec/helpers/groups_helper_spec.rb
+++ b/spec/helpers/groups_helper_spec.rb
@@ -201,4 +201,39 @@ describe GroupsHelper do
       end
     end
   end
+
+  describe '#group_sidebar_links' do
+    let(:group) { create(:group, :public) }
+    let(:user) { create(:user) }
+    before do
+      allow(helper).to receive(:current_user) { user }
+      allow(helper).to receive(:can?) { true }
+      helper.instance_variable_set(:@group, group)
+    end
+
+    it 'returns all the expected links' do
+      links = [
+        :overview, :activity, :issues, :labels, :milestones, :merge_requests,
+        :group_members, :settings
+      ]
+
+      expect(helper.group_sidebar_links).to include(*links)
+    end
+
+    it 'includes settings when the user can admin the group' do
+      expect(helper).to receive(:current_user) { user }
+      expect(helper).to receive(:can?).with(user, :admin_group, group) { false }
+
+      expect(helper.group_sidebar_links).not_to include(:settings)
+    end
+
+    it 'excludes cross project features when the user cannot read cross project' do
+      cross_project_features = [:activity, :issues, :labels, :milestones,
+                                :merge_requests]
+
+      expect(helper).to receive(:can?).with(user, :read_cross_project) { false }
+
+      expect(helper.group_sidebar_links).not_to include(*cross_project_features)
+    end
+  end
 end
diff --git a/spec/helpers/issues_helper_spec.rb b/spec/helpers/issues_helper_spec.rb
index ddf881a7b6f..aeef5352333 100644
--- a/spec/helpers/issues_helper_spec.rb
+++ b/spec/helpers/issues_helper_spec.rb
@@ -113,21 +113,6 @@ describe IssuesHelper do
     end
   end
 
-  describe "milestone_options" do
-    it "gets closed milestone from current issue" do
-      closed_milestone = create(:closed_milestone, project: project)
-      milestone1       = create(:milestone, project: project)
-      milestone2       = create(:milestone, project: project)
-      issue.update_attributes(milestone_id: closed_milestone.id)
-
-      options = milestone_options(issue)
-
-      expect(options).to have_selector('option[selected]', text: closed_milestone.title)
-      expect(options).to have_selector('option', text: milestone1.title)
-      expect(options).to have_selector('option', text: milestone2.title)
-    end
-  end
-
   describe "#link_to_discussions_to_resolve" do
     describe "passing only a merge request" do
       let(:merge_request) { create(:merge_request) }
diff --git a/spec/helpers/nav_helper_spec.rb b/spec/helpers/nav_helper_spec.rb
new file mode 100644
index 00000000000..e840c927d59
--- /dev/null
+++ b/spec/helpers/nav_helper_spec.rb
@@ -0,0 +1,53 @@
+require 'spec_helper'
+
+describe NavHelper do
+  describe '#header_links' do
+    before do
+      allow(helper).to receive(:session) { {} }
+    end
+
+    context 'when the user is logged in' do
+      let(:user) { build(:user) }
+
+      before do
+        allow(helper).to receive(:current_user).and_return(user)
+        allow(helper).to receive(:can?) { true }
+      end
+
+      it 'has all the expected links by default' do
+        menu_items = [:user_dropdown, :search, :issues, :merge_requests, :todos]
+
+        expect(helper.header_links).to contain_exactly(*menu_items)
+      end
+
+      it 'contains the impersonation link while impersonating' do
+        expect(helper).to receive(:session) { { impersonator_id: 1 } }
+
+        expect(helper.header_links).to include(:admin_impersonation)
+      end
+
+      context 'when the user cannot read cross project' do
+        before do
+          allow(helper).to receive(:can?).with(user, :read_cross_project) { false }
+        end
+
+        it 'does not contain cross project elements when the user cannot read cross project' do
+          expect(helper.header_links).not_to include(:issues, :merge_requests, :todos, :search)
+        end
+
+        it 'shows the search box when the user cannot read cross project and he is visiting a project' do
+          helper.instance_variable_set(:@project, create(:project))
+
+          expect(helper.header_links).to include(:search)
+        end
+      end
+    end
+
+    it 'returns only the sign in and search when the user is not logged in' do
+      allow(helper).to receive(:current_user).and_return(nil)
+      allow(helper).to receive(:can?).with(nil, :read_cross_project) { true }
+
+      expect(helper.header_links).to contain_exactly(:sign_in, :search)
+    end
+  end
+end
diff --git a/spec/helpers/preferences_helper_spec.rb b/spec/helpers/preferences_helper_spec.rb
index 749aa25e632..e2a0c4322ff 100644
--- a/spec/helpers/preferences_helper_spec.rb
+++ b/spec/helpers/preferences_helper_spec.rb
@@ -77,103 +77,6 @@ describe PreferencesHelper do
     end
   end
 
-  describe '#default_project_view' do
-    context 'user not signed in' do
-      before do
-        helper.instance_variable_set(:@project, project)
-        stub_user
-      end
-
-      context 'when repository is empty' do
-        let(:project) { create(:project_empty_repo, :public) }
-
-        it 'returns activity if user has repository access' do
-          allow(helper).to receive(:can?).with(nil, :download_code, project).and_return(true)
-
-          expect(helper.default_project_view).to eq('activity')
-        end
-
-        it 'returns activity if user does not have repository access' do
-          allow(helper).to receive(:can?).with(nil, :download_code, project).and_return(false)
-
-          expect(helper.default_project_view).to eq('activity')
-        end
-      end
-
-      context 'when repository is not empty' do
-        let(:project) { create(:project, :public, :repository) }
-
-        it 'returns files and readme if user has repository access' do
-          allow(helper).to receive(:can?).with(nil, :download_code, project).and_return(true)
-
-          expect(helper.default_project_view).to eq('files')
-        end
-
-        it 'returns activity if user does not have repository access' do
-          allow(helper).to receive(:can?).with(nil, :download_code, project).and_return(false)
-
-          expect(helper.default_project_view).to eq('activity')
-        end
-      end
-    end
-
-    context 'user signed in' do
-      let(:user) { create(:user, :readme) }
-      let(:project) { create(:project, :public, :repository) }
-
-      before do
-        helper.instance_variable_set(:@project, project)
-        allow(helper).to receive(:current_user).and_return(user)
-      end
-
-      context 'when the user is allowed to see the code' do
-        it 'returns the project view' do
-          allow(helper).to receive(:can?).with(user, :download_code, project).and_return(true)
-
-          expect(helper.default_project_view).to eq('readme')
-        end
-      end
-
-      context 'with wikis enabled and the right policy for the user' do
-        before do
-          project.project_feature.update_attribute(:issues_access_level, 0)
-          allow(helper).to receive(:can?).with(user, :download_code, project).and_return(false)
-        end
-
-        it 'returns wiki if the user has the right policy' do
-          allow(helper).to receive(:can?).with(user, :read_wiki, project).and_return(true)
-
-          expect(helper.default_project_view).to eq('wiki')
-        end
-
-        it 'returns customize_workflow if the user does not have the right policy' do
-          allow(helper).to receive(:can?).with(user, :read_wiki, project).and_return(false)
-
-          expect(helper.default_project_view).to eq('customize_workflow')
-        end
-      end
-
-      context 'with issues as a feature available' do
-        it 'return issues' do
-          allow(helper).to receive(:can?).with(user, :download_code, project).and_return(false)
-          allow(helper).to receive(:can?).with(user, :read_wiki, project).and_return(false)
-
-          expect(helper.default_project_view).to eq('projects/issues/issues')
-        end
-      end
-
-      context 'with no activity, no wikies and no issues' do
-        it 'returns customize_workflow as default' do
-          project.project_feature.update_attribute(:issues_access_level, 0)
-          allow(helper).to receive(:can?).with(user, :download_code, project).and_return(false)
-          allow(helper).to receive(:can?).with(user, :read_wiki, project).and_return(false)
-
-          expect(helper.default_project_view).to eq('customize_workflow')
-        end
-      end
-    end
-  end
-
   def stub_user(messages = {})
     if messages.empty?
       allow(helper).to receive(:current_user).and_return(nil)
diff --git a/spec/helpers/projects_helper_spec.rb b/spec/helpers/projects_helper_spec.rb
index b67fee2fcc0..ce96e90e2d7 100644
--- a/spec/helpers/projects_helper_spec.rb
+++ b/spec/helpers/projects_helper_spec.rb
@@ -75,6 +75,12 @@ describe ProjectsHelper do
 
   describe "#project_list_cache_key", :clean_gitlab_redis_shared_state do
     let(:project) { create(:project, :repository) }
+    let(:user) { create(:user) }
+
+    before do
+      allow(helper).to receive(:current_user).and_return(user)
+      allow(helper).to receive(:can?).with(user, :read_cross_project) { true }
+    end
 
     it "includes the route" do
       expect(helper.project_list_cache_key(project)).to include(project.route.cache_key)
@@ -106,6 +112,10 @@ describe ProjectsHelper do
       expect(helper.project_list_cache_key(project).last).to start_with('v')
     end
 
+    it 'includes wether or not the user can read cross project' do
+      expect(helper.project_list_cache_key(project)).to include('cross-project:true')
+    end
+
     it "includes the pipeline status when there is a status" do
       create(:ci_pipeline, :success, project: project, sha: project.commit.sha)
 
@@ -264,32 +274,6 @@ describe ProjectsHelper do
     end
   end
 
-  describe '#license_short_name' do
-    let(:project) { create(:project) }
-
-    context 'when project.repository has a license_key' do
-      it 'returns the nickname of the license if present' do
-        allow(project.repository).to receive(:license_key).and_return('agpl-3.0')
-
-        expect(helper.license_short_name(project)).to eq('GNU AGPLv3')
-      end
-
-      it 'returns the name of the license if nickname is not present' do
-        allow(project.repository).to receive(:license_key).and_return('mit')
-
-        expect(helper.license_short_name(project)).to eq('MIT License')
-      end
-    end
-
-    context 'when project.repository has no license_key but a license_blob' do
-      it 'returns LICENSE' do
-        allow(project.repository).to receive(:license_key).and_return(nil)
-
-        expect(helper.license_short_name(project)).to eq('LICENSE')
-      end
-    end
-  end
-
   describe '#sanitized_import_error' do
     let(:project) { create(:project, :repository) }
 
@@ -462,6 +446,22 @@ describe ProjectsHelper do
     end
   end
 
+  describe('#push_to_create_project_command') do
+    let(:user) { create(:user, username: 'john') }
+
+    it 'returns the command to push to create project over HTTP' do
+      allow(Gitlab::CurrentSettings.current_application_settings).to receive(:enabled_git_access_protocol) { 'http' }
+
+      expect(helper.push_to_create_project_command(user)).to eq('git push --set-upstream http://test.host/john/$(git rev-parse --show-toplevel | xargs basename).git $(git rev-parse --abbrev-ref HEAD)')
+    end
+
+    it 'returns the command to push to create project over SSH' do
+      allow(Gitlab::CurrentSettings.current_application_settings).to receive(:enabled_git_access_protocol) { 'ssh' }
+
+      expect(helper.push_to_create_project_command(user)).to eq('git push --set-upstream git@localhost:john/$(git rev-parse --show-toplevel | xargs basename).git $(git rev-parse --abbrev-ref HEAD)')
+    end
+  end
+
   describe '#any_projects?' do
     let!(:project) { create(:project) }
 
diff --git a/spec/helpers/users_helper_spec.rb b/spec/helpers/users_helper_spec.rb
index 03f78de8e91..6332217b920 100644
--- a/spec/helpers/users_helper_spec.rb
+++ b/spec/helpers/users_helper_spec.rb
@@ -14,4 +14,17 @@ describe UsersHelper do
       is_expected.to include("title=\"#{user.email}\"")
     end
   end
+
+  describe '#profile_tabs' do
+    subject(:tabs) { helper.profile_tabs }
+
+    before do
+      allow(helper).to receive(:current_user).and_return(user)
+      allow(helper).to receive(:can?).and_return(true)
+    end
+
+    it 'includes all the expected tabs' do
+      expect(tabs).to include(:activity, :groups, :contributed, :projects, :snippets)
+    end
+  end
 end
diff --git a/spec/javascripts/pipelines/async_button_spec.js b/spec/javascripts/pipelines/async_button_spec.js
index 8ce33d410a7..e0ea3649646 100644
--- a/spec/javascripts/pipelines/async_button_spec.js
+++ b/spec/javascripts/pipelines/async_button_spec.js
@@ -15,7 +15,8 @@ describe('Pipelines Async Button', () => {
         title: 'Foo',
         icon: 'repeat',
         cssClass: 'bar',
-        id: 123,
+        pipelineId: 123,
+        type: 'explode',
       },
     }).$mount();
   });
@@ -39,8 +40,9 @@ describe('Pipelines Async Button', () => {
 
   describe('With confirm dialog', () => {
     it('should call the service when confimation is positive', () => {
-      eventHub.$on('actionConfirmationModal', (data) => {
-        expect(data.id).toEqual(123);
+      eventHub.$on('openConfirmationModal', (data) => {
+        expect(data.pipelineId).toEqual(123);
+        expect(data.type).toEqual('explode');
       });
 
       component = new AsyncButtonComponent({
@@ -49,7 +51,8 @@ describe('Pipelines Async Button', () => {
           title: 'Foo',
           icon: 'fa fa-foo',
           cssClass: 'bar',
-          id: 123,
+          pipelineId: 123,
+          type: 'explode',
         },
       }).$mount();
 
diff --git a/spec/lib/banzai/commit_renderer_spec.rb b/spec/lib/banzai/commit_renderer_spec.rb
index 84adaebdcbe..e7ebb2a332f 100644
--- a/spec/lib/banzai/commit_renderer_spec.rb
+++ b/spec/lib/banzai/commit_renderer_spec.rb
@@ -3,7 +3,7 @@ require 'spec_helper'
 describe Banzai::CommitRenderer do
   describe '.render' do
     it 'renders a commit description and title' do
-      user = double(:user)
+      user = build(:user)
       project = create(:project, :repository)
 
       expect(Banzai::ObjectRenderer).to receive(:new).with(project, user).and_call_original
diff --git a/spec/lib/banzai/filter/issuable_state_filter_spec.rb b/spec/lib/banzai/filter/issuable_state_filter_spec.rb
index cacb33d3372..17347768a49 100644
--- a/spec/lib/banzai/filter/issuable_state_filter_spec.rb
+++ b/spec/lib/banzai/filter/issuable_state_filter_spec.rb
@@ -77,6 +77,14 @@ describe Banzai::Filter::IssuableStateFilter do
     expect(doc.css('a').last.text).to eq("#{closed_issue.to_reference(other_project)} (closed)")
   end
 
+  it 'skips cross project references if the user cannot read cross project' do
+    expect(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
+    link = create_link(closed_issue.to_reference(other_project), issue: closed_issue.id, reference_type: 'issue')
+    doc = filter(link, context.merge(project: other_project))
+
+    expect(doc.css('a').last.text).to eq("#{closed_issue.to_reference(other_project)}")
+  end
+
   it 'does not append state when filter is not enabled' do
     link = create_link('text', issue: closed_issue.id, reference_type: 'issue')
     context = { current_user: user }
diff --git a/spec/lib/banzai/filter/redactor_filter_spec.rb b/spec/lib/banzai/filter/redactor_filter_spec.rb
index 5a7858e77f3..9a2e521fdcf 100644
--- a/spec/lib/banzai/filter/redactor_filter_spec.rb
+++ b/spec/lib/banzai/filter/redactor_filter_spec.rb
@@ -6,7 +6,7 @@ describe Banzai::Filter::RedactorFilter do
 
   it 'ignores non-GFM links' do
     html = %(See <a href="https://google.com/">Google</a>)
-    doc = filter(html, current_user: double)
+    doc = filter(html, current_user: build(:user))
 
     expect(doc.css('a').length).to eq 1
   end
diff --git a/spec/lib/banzai/redactor_spec.rb b/spec/lib/banzai/redactor_spec.rb
index 2424c3fdc66..1fa89137972 100644
--- a/spec/lib/banzai/redactor_spec.rb
+++ b/spec/lib/banzai/redactor_spec.rb
@@ -1,7 +1,7 @@
 require 'spec_helper'
 
 describe Banzai::Redactor do
-  let(:user) { build(:user) }
+  let(:user) { create(:user) }
   let(:project) { build(:project) }
   let(:redactor) { described_class.new(project, user) }
 
@@ -88,6 +88,55 @@ describe Banzai::Redactor do
     end
   end
 
+  context 'when the user cannot read cross project' do
+    include ActionView::Helpers::UrlHelper
+    let(:project) { create(:project) }
+    let(:other_project) { create(:project, :public) }
+
+    def create_link(issuable)
+      type = issuable.class.name.underscore.downcase
+      link_to(issuable.to_reference, '',
+              class: 'gfm has-tooltip',
+              title: issuable.title,
+              data: {
+                reference_type: type,
+                "#{type}": issuable.id
+              })
+    end
+
+    before do
+      project.add_developer(user)
+
+      allow(Ability).to receive(:allowed?).and_call_original
+      allow(Ability).to receive(:allowed?).with(user, :read_cross_project, :global) { false }
+      allow(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
+    end
+
+    it 'skips links to issues within the same project' do
+      issue = create(:issue, project: project)
+      link = create_link(issue)
+      doc = Nokogiri::HTML.fragment(link)
+
+      redactor.redact([doc])
+      result = doc.css('a').last
+
+      expect(result['class']).to include('has-tooltip')
+      expect(result['title']).to eq(issue.title)
+    end
+
+    it 'removes info from a cross project reference' do
+      issue = create(:issue, project: other_project)
+      link = create_link(issue)
+      doc = Nokogiri::HTML.fragment(link)
+
+      redactor.redact([doc])
+      result = doc.css('a').last
+
+      expect(result['class']).not_to include('has-tooltip')
+      expect(result['title']).to be_empty
+    end
+  end
+
   describe '#redact_nodes' do
     it 'redacts an Array of nodes' do
       doc = Nokogiri::HTML.fragment('<a href="foo">foo</a>')
diff --git a/spec/lib/banzai/reference_parser/issue_parser_spec.rb b/spec/lib/banzai/reference_parser/issue_parser_spec.rb
index 4cef3bdb24b..0a63567ee40 100644
--- a/spec/lib/banzai/reference_parser/issue_parser_spec.rb
+++ b/spec/lib/banzai/reference_parser/issue_parser_spec.rb
@@ -19,19 +19,58 @@ describe Banzai::ReferenceParser::IssueParser do
 
       it 'returns the nodes when the user can read the issue' do
         expect(Ability).to receive(:issues_readable_by_user)
-          .with([issue], user)
-          .and_return([issue])
+                             .with([issue], user)
+                             .and_return([issue])
 
         expect(subject.nodes_visible_to_user(user, [link])).to eq([link])
       end
 
       it 'returns an empty Array when the user can not read the issue' do
         expect(Ability).to receive(:issues_readable_by_user)
-          .with([issue], user)
-          .and_return([])
+                             .with([issue], user)
+                             .and_return([])
 
         expect(subject.nodes_visible_to_user(user, [link])).to eq([])
       end
+
+      context 'when the user cannot read cross project' do
+        let(:issue) { create(:issue) }
+
+        before do
+          allow(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
+          allow(Ability).to receive(:allowed?).with(user, :read_cross_project, :global) { false }
+        end
+
+        it 'returns the nodes when the user can read the issue' do
+          expect(Ability).to receive(:allowed?)
+                               .with(user, :read_issue_iid, issue)
+                               .and_return(true)
+
+          expect(subject.nodes_visible_to_user(user, [link])).to eq([link])
+        end
+
+        it 'returns an empty Array when the user can not read the issue' do
+          expect(Ability).to receive(:allowed?)
+                               .with(user, :read_issue_iid, issue)
+                               .and_return(false)
+
+          expect(subject.nodes_visible_to_user(user, [link])).to eq([])
+        end
+
+        context 'when the issue is not cross project' do
+          let(:issue) { create(:issue, project: project) }
+
+          it 'does not check `can_read_reference` if the issue is not cross project' do
+            expect(Ability).to receive(:issues_readable_by_user)
+                                 .with([issue], user)
+                                 .and_return([])
+
+            expect(subject).not_to receive(:can_read_reference?).with(user, issue)
+
+            expect(subject.nodes_visible_to_user(user, [link])).to eq([])
+          end
+        end
+      end
     end
 
     context 'when the link does not have a data-issue attribute' do
diff --git a/spec/lib/gitlab/background_migration/populate_untracked_uploads_dependencies/untracked_file_spec.rb b/spec/lib/gitlab/background_migration/populate_untracked_uploads_dependencies/untracked_file_spec.rb
new file mode 100644
index 00000000000..c76adcbe2f5
--- /dev/null
+++ b/spec/lib/gitlab/background_migration/populate_untracked_uploads_dependencies/untracked_file_spec.rb
@@ -0,0 +1,262 @@
+require 'spec_helper'
+
+# Rollback DB to 10.5 (later than this was originally written for) because it still needs to work.
+describe Gitlab::BackgroundMigration::PopulateUntrackedUploadsDependencies::UntrackedFile, :migration, schema: 20180208183958 do
+  include MigrationsHelpers::TrackUntrackedUploadsHelpers
+
+  let!(:appearances) { table(:appearances) }
+  let!(:namespaces) { table(:namespaces) }
+  let!(:projects) { table(:projects) }
+  let!(:routes) { table(:routes) }
+  let!(:uploads) { table(:uploads) }
+
+  before(:all) do
+    ensure_temporary_tracking_table_exists
+  end
+
+  describe '#upload_path' do
+    def assert_upload_path(file_path, expected_upload_path)
+      untracked_file = create_untracked_file(file_path)
+
+      expect(untracked_file.upload_path).to eq(expected_upload_path)
+    end
+
+    context 'for an appearance logo file path' do
+      it 'returns the file path relative to the CarrierWave root' do
+        assert_upload_path('/-/system/appearance/logo/1/some_logo.jpg', 'uploads/-/system/appearance/logo/1/some_logo.jpg')
+      end
+    end
+
+    context 'for an appearance header_logo file path' do
+      it 'returns the file path relative to the CarrierWave root' do
+        assert_upload_path('/-/system/appearance/header_logo/1/some_logo.jpg', 'uploads/-/system/appearance/header_logo/1/some_logo.jpg')
+      end
+    end
+
+    context 'for a pre-Markdown Note attachment file path' do
+      it 'returns the file path relative to the CarrierWave root' do
+        assert_upload_path('/-/system/note/attachment/1234/some_attachment.pdf', 'uploads/-/system/note/attachment/1234/some_attachment.pdf')
+      end
+    end
+
+    context 'for a user avatar file path' do
+      it 'returns the file path relative to the CarrierWave root' do
+        assert_upload_path('/-/system/user/avatar/1234/avatar.jpg', 'uploads/-/system/user/avatar/1234/avatar.jpg')
+      end
+    end
+
+    context 'for a group avatar file path' do
+      it 'returns the file path relative to the CarrierWave root' do
+        assert_upload_path('/-/system/group/avatar/1234/avatar.jpg', 'uploads/-/system/group/avatar/1234/avatar.jpg')
+      end
+    end
+
+    context 'for a project avatar file path' do
+      it 'returns the file path relative to the CarrierWave root' do
+        assert_upload_path('/-/system/project/avatar/1234/avatar.jpg', 'uploads/-/system/project/avatar/1234/avatar.jpg')
+      end
+    end
+
+    context 'for a project Markdown attachment (notes, issues, MR descriptions) file path' do
+      it 'returns the file path relative to the project directory in uploads' do
+        project = create_project
+        random_hex = SecureRandom.hex
+
+        assert_upload_path("/#{get_full_path(project)}/#{random_hex}/Some file.jpg", "#{random_hex}/Some file.jpg")
+      end
+    end
+  end
+
+  describe '#uploader' do
+    def assert_uploader(file_path, expected_uploader)
+      untracked_file = create_untracked_file(file_path)
+
+      expect(untracked_file.uploader).to eq(expected_uploader)
+    end
+
+    context 'for an appearance logo file path' do
+      it 'returns AttachmentUploader as a string' do
+        assert_uploader('/-/system/appearance/logo/1/some_logo.jpg', 'AttachmentUploader')
+      end
+    end
+
+    context 'for an appearance header_logo file path' do
+      it 'returns AttachmentUploader as a string' do
+        assert_uploader('/-/system/appearance/header_logo/1/some_logo.jpg', 'AttachmentUploader')
+      end
+    end
+
+    context 'for a pre-Markdown Note attachment file path' do
+      it 'returns AttachmentUploader as a string' do
+        assert_uploader('/-/system/note/attachment/1234/some_attachment.pdf', 'AttachmentUploader')
+      end
+    end
+
+    context 'for a user avatar file path' do
+      it 'returns AvatarUploader as a string' do
+        assert_uploader('/-/system/user/avatar/1234/avatar.jpg', 'AvatarUploader')
+      end
+    end
+
+    context 'for a group avatar file path' do
+      it 'returns AvatarUploader as a string' do
+        assert_uploader('/-/system/group/avatar/1234/avatar.jpg', 'AvatarUploader')
+      end
+    end
+
+    context 'for a project avatar file path' do
+      it 'returns AvatarUploader as a string' do
+        assert_uploader('/-/system/project/avatar/1234/avatar.jpg', 'AvatarUploader')
+      end
+    end
+
+    context 'for a project Markdown attachment (notes, issues, MR descriptions) file path' do
+      it 'returns FileUploader as a string' do
+        project = create_project
+
+        assert_uploader("/#{get_full_path(project)}/#{SecureRandom.hex}/Some file.jpg", 'FileUploader')
+      end
+    end
+  end
+
+  describe '#model_type' do
+    def assert_model_type(file_path, expected_model_type)
+      untracked_file = create_untracked_file(file_path)
+
+      expect(untracked_file.model_type).to eq(expected_model_type)
+    end
+
+    context 'for an appearance logo file path' do
+      it 'returns Appearance as a string' do
+        assert_model_type('/-/system/appearance/logo/1/some_logo.jpg', 'Appearance')
+      end
+    end
+
+    context 'for an appearance header_logo file path' do
+      it 'returns Appearance as a string' do
+        assert_model_type('/-/system/appearance/header_logo/1/some_logo.jpg', 'Appearance')
+      end
+    end
+
+    context 'for a pre-Markdown Note attachment file path' do
+      it 'returns Note as a string' do
+        assert_model_type('/-/system/note/attachment/1234/some_attachment.pdf', 'Note')
+      end
+    end
+
+    context 'for a user avatar file path' do
+      it 'returns User as a string' do
+        assert_model_type('/-/system/user/avatar/1234/avatar.jpg', 'User')
+      end
+    end
+
+    context 'for a group avatar file path' do
+      it 'returns Namespace as a string' do
+        assert_model_type('/-/system/group/avatar/1234/avatar.jpg', 'Namespace')
+      end
+    end
+
+    context 'for a project avatar file path' do
+      it 'returns Project as a string' do
+        assert_model_type('/-/system/project/avatar/1234/avatar.jpg', 'Project')
+      end
+    end
+
+    context 'for a project Markdown attachment (notes, issues, MR descriptions) file path' do
+      it 'returns Project as a string' do
+        project = create_project
+
+        assert_model_type("/#{get_full_path(project)}/#{SecureRandom.hex}/Some file.jpg", 'Project')
+      end
+    end
+  end
+
+  describe '#model_id' do
+    def assert_model_id(file_path, expected_model_id)
+      untracked_file = create_untracked_file(file_path)
+
+      expect(untracked_file.model_id).to eq(expected_model_id)
+    end
+
+    context 'for an appearance logo file path' do
+      it 'returns the ID as a string' do
+        assert_model_id('/-/system/appearance/logo/1/some_logo.jpg', 1)
+      end
+    end
+
+    context 'for an appearance header_logo file path' do
+      it 'returns the ID as a string' do
+        assert_model_id('/-/system/appearance/header_logo/1/some_logo.jpg', 1)
+      end
+    end
+
+    context 'for a pre-Markdown Note attachment file path' do
+      it 'returns the ID as a string' do
+        assert_model_id('/-/system/note/attachment/1234/some_attachment.pdf', 1234)
+      end
+    end
+
+    context 'for a user avatar file path' do
+      it 'returns the ID as a string' do
+        assert_model_id('/-/system/user/avatar/1234/avatar.jpg', 1234)
+      end
+    end
+
+    context 'for a group avatar file path' do
+      it 'returns the ID as a string' do
+        assert_model_id('/-/system/group/avatar/1234/avatar.jpg', 1234)
+      end
+    end
+
+    context 'for a project avatar file path' do
+      it 'returns the ID as a string' do
+        assert_model_id('/-/system/project/avatar/1234/avatar.jpg', 1234)
+      end
+    end
+
+    context 'for a project Markdown attachment (notes, issues, MR descriptions) file path' do
+      it 'returns the ID as a string' do
+        project = create_project
+
+        assert_model_id("/#{get_full_path(project)}/#{SecureRandom.hex}/Some file.jpg", project.id)
+      end
+    end
+  end
+
+  describe '#file_size' do
+    context 'for an appearance logo file path' do
+      let(:appearance) { create_or_update_appearance(logo: true) }
+      let(:untracked_file) { described_class.create!(path: get_uploads(appearance, 'Appearance').first.path) }
+
+      it 'returns the file size' do
+        expect(untracked_file.file_size).to eq(1062)
+      end
+    end
+
+    context 'for a project avatar file path' do
+      let(:project) { create_project(avatar: true) }
+      let(:untracked_file) { described_class.create!(path: get_uploads(project, 'Project').first.path) }
+
+      it 'returns the file size' do
+        expect(untracked_file.file_size).to eq(1062)
+      end
+    end
+
+    context 'for a project Markdown attachment (notes, issues, MR descriptions) file path' do
+      let(:project) { create_project }
+      let(:untracked_file) { create_untracked_file("/#{get_full_path(project)}/#{get_uploads(project, 'Project').first.path}") }
+
+      before do
+        add_markdown_attachment(project)
+      end
+
+      it 'returns the file size' do
+        expect(untracked_file.file_size).to eq(1062)
+      end
+    end
+  end
+
+  def create_untracked_file(path_relative_to_upload_dir)
+    described_class.create!(path: "#{Gitlab::BackgroundMigration::PrepareUntrackedUploads::RELATIVE_UPLOAD_DIR}#{path_relative_to_upload_dir}")
+  end
+end
diff --git a/spec/lib/gitlab/background_migration/populate_untracked_uploads_spec.rb b/spec/lib/gitlab/background_migration/populate_untracked_uploads_spec.rb
index c8fa252439a..0d2074eed22 100644
--- a/spec/lib/gitlab/background_migration/populate_untracked_uploads_spec.rb
+++ b/spec/lib/gitlab/background_migration/populate_untracked_uploads_spec.rb
@@ -1,17 +1,19 @@
 require 'spec_helper'
 
-# This migration is using UploadService, which sets uploads.secret that is only
-# added to the DB schema in 20180129193323. Since the test isn't isolated, we
-# just use the latest schema when testing this migration.
-# Ideally, the test should not use factories nor UploadService, and rely on the
-# `table` helper instead.
-describe Gitlab::BackgroundMigration::PopulateUntrackedUploads, :sidekiq, :migration, schema: 20180129193323 do
-  include TrackUntrackedUploadsHelpers
+# Rollback DB to 10.5 (later than this was originally written for) because it still needs to work.
+describe Gitlab::BackgroundMigration::PopulateUntrackedUploads, :sidekiq, :migration, schema: 20180208183958 do
+  include MigrationsHelpers::TrackUntrackedUploadsHelpers
 
   subject { described_class.new }
 
-  let!(:untracked_files_for_uploads) { described_class::UntrackedFile }
-  let!(:uploads) { described_class::Upload }
+  let!(:appearances) { table(:appearances) }
+  let!(:namespaces) { table(:namespaces) }
+  let!(:notes) { table(:notes) }
+  let!(:projects) { table(:projects) }
+  let!(:routes) { table(:routes) }
+  let!(:untracked_files_for_uploads) { table(:untracked_files_for_uploads) }
+  let!(:uploads) { table(:uploads) }
+  let!(:users) { table(:users) }
 
   before do
     ensure_temporary_tracking_table_exists
@@ -19,30 +21,30 @@ describe Gitlab::BackgroundMigration::PopulateUntrackedUploads, :sidekiq, :migra
   end
 
   context 'with untracked files and tracked files in untracked_files_for_uploads' do
-    let!(:appearance) { create_or_update_appearance(logo: uploaded_file, header_logo: uploaded_file) }
-    let!(:user1) { create(:user, :with_avatar) }
-    let!(:user2) { create(:user, :with_avatar) }
-    let!(:project1) { create(:project, :legacy_storage, :with_avatar) }
-    let!(:project2) { create(:project, :legacy_storage, :with_avatar) }
+    let!(:appearance) { create_or_update_appearance(logo: true, header_logo: true) }
+    let!(:user1) { create_user(avatar: true) }
+    let!(:user2) { create_user(avatar: true) }
+    let!(:project1) { create_project(avatar: true) }
+    let!(:project2) { create_project(avatar: true) }
 
     before do
-      UploadService.new(project1, uploaded_file, FileUploader).execute # Markdown upload
-      UploadService.new(project2, uploaded_file, FileUploader).execute # Markdown upload
+      add_markdown_attachment(project1)
+      add_markdown_attachment(project2)
 
       # File records created by PrepareUntrackedUploads
-      untracked_files_for_uploads.create!(path: appearance.uploads.first.path)
-      untracked_files_for_uploads.create!(path: appearance.uploads.last.path)
-      untracked_files_for_uploads.create!(path: user1.uploads.first.path)
-      untracked_files_for_uploads.create!(path: user2.uploads.first.path)
-      untracked_files_for_uploads.create!(path: project1.uploads.first.path)
-      untracked_files_for_uploads.create!(path: project2.uploads.first.path)
-      untracked_files_for_uploads.create!(path: "#{Gitlab::BackgroundMigration::PrepareUntrackedUploads::RELATIVE_UPLOAD_DIR}/#{project1.full_path}/#{project1.uploads.last.path}")
-      untracked_files_for_uploads.create!(path: "#{Gitlab::BackgroundMigration::PrepareUntrackedUploads::RELATIVE_UPLOAD_DIR}/#{project2.full_path}/#{project2.uploads.last.path}")
+      untracked_files_for_uploads.create!(path: get_uploads(appearance, 'Appearance').first.path)
+      untracked_files_for_uploads.create!(path: get_uploads(appearance, 'Appearance').last.path)
+      untracked_files_for_uploads.create!(path: get_uploads(user1, 'User').first.path)
+      untracked_files_for_uploads.create!(path: get_uploads(user2, 'User').first.path)
+      untracked_files_for_uploads.create!(path: get_uploads(project1, 'Project').first.path)
+      untracked_files_for_uploads.create!(path: get_uploads(project2, 'Project').first.path)
+      untracked_files_for_uploads.create!(path: "#{legacy_project_uploads_dir(project1).sub("#{MigrationsHelpers::TrackUntrackedUploadsHelpers::PUBLIC_DIR}/", '')}/#{get_uploads(project1, 'Project').last.path}")
+      untracked_files_for_uploads.create!(path: "#{legacy_project_uploads_dir(project2).sub("#{MigrationsHelpers::TrackUntrackedUploadsHelpers::PUBLIC_DIR}/", '')}/#{get_uploads(project2, 'Project').last.path}")
 
       # Untrack 4 files
-      user2.uploads.delete_all
-      project2.uploads.delete_all # 2 files: avatar and a Markdown upload
-      appearance.uploads.where("path like '%header_logo%'").delete_all
+      get_uploads(user2, 'User').delete_all
+      get_uploads(project2, 'Project').delete_all # 2 files: avatar and a Markdown upload
+      get_uploads(appearance, 'Appearance').where("path like '%header_logo%'").delete_all
     end
 
     it 'adds untracked files to the uploads table' do
@@ -50,9 +52,9 @@ describe Gitlab::BackgroundMigration::PopulateUntrackedUploads, :sidekiq, :migra
         subject.perform(1, untracked_files_for_uploads.reorder(:id).last.id)
       end.to change { uploads.count }.from(4).to(8)
 
-      expect(user2.uploads.count).to eq(1)
-      expect(project2.uploads.count).to eq(2)
-      expect(appearance.uploads.count).to eq(2)
+      expect(get_uploads(user2, 'User').count).to eq(1)
+      expect(get_uploads(project2, 'Project').count).to eq(2)
+      expect(get_uploads(appearance, 'Appearance').count).to eq(2)
     end
 
     it 'deletes rows after processing them' do
@@ -66,9 +68,9 @@ describe Gitlab::BackgroundMigration::PopulateUntrackedUploads, :sidekiq, :migra
     it 'does not create duplicate uploads of already tracked files' do
       subject.perform(1, untracked_files_for_uploads.last.id)
 
-      expect(user1.uploads.count).to eq(1)
-      expect(project1.uploads.count).to eq(2)
-      expect(appearance.uploads.count).to eq(2)
+      expect(get_uploads(user1, 'User').count).to eq(1)
+      expect(get_uploads(project1, 'Project').count).to eq(2)
+      expect(get_uploads(appearance, 'Appearance').count).to eq(2)
     end
 
     it 'uses the start and end batch ids [only 1st half]' do
@@ -80,11 +82,11 @@ describe Gitlab::BackgroundMigration::PopulateUntrackedUploads, :sidekiq, :migra
         subject.perform(start_id, end_id)
       end.to change { uploads.count }.from(4).to(6)
 
-      expect(user1.uploads.count).to eq(1)
-      expect(user2.uploads.count).to eq(1)
-      expect(appearance.uploads.count).to eq(2)
-      expect(project1.uploads.count).to eq(2)
-      expect(project2.uploads.count).to eq(0)
+      expect(get_uploads(user1, 'User').count).to eq(1)
+      expect(get_uploads(user2, 'User').count).to eq(1)
+      expect(get_uploads(appearance, 'Appearance').count).to eq(2)
+      expect(get_uploads(project1, 'Project').count).to eq(2)
+      expect(get_uploads(project2, 'Project').count).to eq(0)
 
       # Only 4 have been either confirmed or added to uploads
       expect(untracked_files_for_uploads.count).to eq(4)
@@ -99,11 +101,11 @@ describe Gitlab::BackgroundMigration::PopulateUntrackedUploads, :sidekiq, :migra
         subject.perform(start_id, end_id)
       end.to change { uploads.count }.from(4).to(6)
 
-      expect(user1.uploads.count).to eq(1)
-      expect(user2.uploads.count).to eq(0)
-      expect(appearance.uploads.count).to eq(1)
-      expect(project1.uploads.count).to eq(2)
-      expect(project2.uploads.count).to eq(2)
+      expect(get_uploads(user1, 'User').count).to eq(1)
+      expect(get_uploads(user2, 'User').count).to eq(0)
+      expect(get_uploads(appearance, 'Appearance').count).to eq(1)
+      expect(get_uploads(project1, 'Project').count).to eq(2)
+      expect(get_uploads(project2, 'Project').count).to eq(2)
 
       # Only 4 have been either confirmed or added to uploads
       expect(untracked_files_for_uploads.count).to eq(4)
@@ -122,7 +124,7 @@ describe Gitlab::BackgroundMigration::PopulateUntrackedUploads, :sidekiq, :migra
     end
 
     it 'does not block a whole batch because of one bad path' do
-      untracked_files_for_uploads.create!(path: "#{Gitlab::BackgroundMigration::PrepareUntrackedUploads::RELATIVE_UPLOAD_DIR}/#{project2.full_path}/._7d37bf4c747916390e596744117d5d1a")
+      untracked_files_for_uploads.create!(path: "#{Gitlab::BackgroundMigration::PrepareUntrackedUploads::RELATIVE_UPLOAD_DIR}/#{get_full_path(project2)}/._7d37bf4c747916390e596744117d5d1a")
       expect(untracked_files_for_uploads.count).to eq(9)
       expect(uploads.count).to eq(4)
 
@@ -133,7 +135,7 @@ describe Gitlab::BackgroundMigration::PopulateUntrackedUploads, :sidekiq, :migra
     end
 
     it 'an unparseable path is shown in error output' do
-      bad_path = "#{Gitlab::BackgroundMigration::PrepareUntrackedUploads::RELATIVE_UPLOAD_DIR}/#{project2.full_path}/._7d37bf4c747916390e596744117d5d1a"
+      bad_path = "#{Gitlab::BackgroundMigration::PrepareUntrackedUploads::RELATIVE_UPLOAD_DIR}/#{get_full_path(project2)}/._7d37bf4c747916390e596744117d5d1a"
       untracked_files_for_uploads.create!(path: bad_path)
 
       expect(Rails.logger).to receive(:error).with(/Error parsing path "#{bad_path}":/)
@@ -152,363 +154,100 @@ describe Gitlab::BackgroundMigration::PopulateUntrackedUploads, :sidekiq, :migra
 
   describe 'upload outcomes for each path pattern' do
     shared_examples_for 'non_markdown_file' do
-      let!(:expected_upload_attrs) { model.uploads.first.attributes.slice('path', 'uploader', 'size', 'checksum') }
+      let!(:expected_upload_attrs) { model_uploads.first.attributes.slice('path', 'uploader', 'size', 'checksum') }
       let!(:untracked_file) { untracked_files_for_uploads.create!(path: expected_upload_attrs['path']) }
 
       before do
-        model.uploads.delete_all
+        model_uploads.delete_all
       end
 
       it 'creates an Upload record' do
         expect do
           subject.perform(1, untracked_files_for_uploads.last.id)
-        end.to change { model.reload.uploads.count }.from(0).to(1)
+        end.to change { model_uploads.count }.from(0).to(1)
 
-        expect(model.uploads.first.attributes).to include(expected_upload_attrs)
+        expect(model_uploads.first.attributes).to include(expected_upload_attrs)
       end
     end
 
     context 'for an appearance logo file path' do
-      let(:model) { create_or_update_appearance(logo: uploaded_file) }
+      let(:model) { create_or_update_appearance(logo: true) }
+      let(:model_uploads) { get_uploads(model, 'Appearance') }
 
       it_behaves_like 'non_markdown_file'
     end
 
     context 'for an appearance header_logo file path' do
-      let(:model) { create_or_update_appearance(header_logo: uploaded_file) }
+      let(:model) { create_or_update_appearance(header_logo: true) }
+      let(:model_uploads) { get_uploads(model, 'Appearance') }
 
       it_behaves_like 'non_markdown_file'
     end
 
     context 'for a pre-Markdown Note attachment file path' do
-      let(:model) { create(:note, :with_attachment) }
-      let!(:expected_upload_attrs) { Upload.where(model_type: 'Note', model_id: model.id).first.attributes.slice('path', 'uploader', 'size', 'checksum') }
+      let(:model) { create_note(attachment: true) }
+      let!(:expected_upload_attrs) { get_uploads(model, 'Note').first.attributes.slice('path', 'uploader', 'size', 'checksum') }
       let!(:untracked_file) { untracked_files_for_uploads.create!(path: expected_upload_attrs['path']) }
 
       before do
-        Upload.where(model_type: 'Note', model_id: model.id).delete_all
+        get_uploads(model, 'Note').delete_all
       end
 
       # Can't use the shared example because Note doesn't have an `uploads` association
       it 'creates an Upload record' do
         expect do
           subject.perform(1, untracked_files_for_uploads.last.id)
-        end.to change { Upload.where(model_type: 'Note', model_id: model.id).count }.from(0).to(1)
+        end.to change { get_uploads(model, 'Note').count }.from(0).to(1)
 
-        expect(Upload.where(model_type: 'Note', model_id: model.id).first.attributes).to include(expected_upload_attrs)
+        expect(get_uploads(model, 'Note').first.attributes).to include(expected_upload_attrs)
       end
     end
 
     context 'for a user avatar file path' do
-      let(:model) { create(:user, :with_avatar) }
+      let(:model) { create_user(avatar: true) }
+      let(:model_uploads) { get_uploads(model, 'User') }
 
       it_behaves_like 'non_markdown_file'
     end
 
     context 'for a group avatar file path' do
-      let(:model) { create(:group, :with_avatar) }
+      let(:model) { create_group(avatar: true) }
+      let(:model_uploads) { get_uploads(model, 'Namespace') }
 
       it_behaves_like 'non_markdown_file'
     end
 
     context 'for a project avatar file path' do
-      let(:model) { create(:project, :legacy_storage, :with_avatar) }
+      let(:model) { create_project(avatar: true) }
+      let(:model_uploads) { get_uploads(model, 'Project') }
 
       it_behaves_like 'non_markdown_file'
     end
 
     context 'for a project Markdown attachment (notes, issues, MR descriptions) file path' do
-      let(:model) { create(:project, :legacy_storage) }
+      let(:model) { create_project }
 
       before do
         # Upload the file
-        UploadService.new(model, uploaded_file, FileUploader).execute
+        add_markdown_attachment(model)
 
         # Create the untracked_files_for_uploads record
-        untracked_files_for_uploads.create!(path: "#{Gitlab::BackgroundMigration::PrepareUntrackedUploads::RELATIVE_UPLOAD_DIR}/#{model.full_path}/#{model.uploads.first.path}")
+        untracked_files_for_uploads.create!(path: "#{Gitlab::BackgroundMigration::PrepareUntrackedUploads::RELATIVE_UPLOAD_DIR}/#{get_full_path(model)}/#{get_uploads(model, 'Project').first.path}")
 
         # Save the expected upload attributes
-        @expected_upload_attrs = model.reload.uploads.first.attributes.slice('path', 'uploader', 'size', 'checksum')
+        @expected_upload_attrs = get_uploads(model, 'Project').first.attributes.slice('path', 'uploader', 'size', 'checksum')
 
         # Untrack the file
-        model.reload.uploads.delete_all
+        get_uploads(model, 'Project').delete_all
       end
 
       it 'creates an Upload record' do
         expect do
           subject.perform(1, untracked_files_for_uploads.last.id)
-        end.to change { model.reload.uploads.count }.from(0).to(1)
+        end.to change { get_uploads(model, 'Project').count }.from(0).to(1)
 
-        expect(model.uploads.first.attributes).to include(@expected_upload_attrs)
+        expect(get_uploads(model, 'Project').first.attributes).to include(@expected_upload_attrs)
       end
     end
   end
 end
-
-describe Gitlab::BackgroundMigration::PopulateUntrackedUploads::UntrackedFile do
-  include TrackUntrackedUploadsHelpers
-
-  let(:upload_class) { Gitlab::BackgroundMigration::PopulateUntrackedUploads::Upload }
-
-  before(:all) do
-    ensure_temporary_tracking_table_exists
-  end
-
-  describe '#upload_path' do
-    def assert_upload_path(file_path, expected_upload_path)
-      untracked_file = create_untracked_file(file_path)
-
-      expect(untracked_file.upload_path).to eq(expected_upload_path)
-    end
-
-    context 'for an appearance logo file path' do
-      it 'returns the file path relative to the CarrierWave root' do
-        assert_upload_path('/-/system/appearance/logo/1/some_logo.jpg', 'uploads/-/system/appearance/logo/1/some_logo.jpg')
-      end
-    end
-
-    context 'for an appearance header_logo file path' do
-      it 'returns the file path relative to the CarrierWave root' do
-        assert_upload_path('/-/system/appearance/header_logo/1/some_logo.jpg', 'uploads/-/system/appearance/header_logo/1/some_logo.jpg')
-      end
-    end
-
-    context 'for a pre-Markdown Note attachment file path' do
-      it 'returns the file path relative to the CarrierWave root' do
-        assert_upload_path('/-/system/note/attachment/1234/some_attachment.pdf', 'uploads/-/system/note/attachment/1234/some_attachment.pdf')
-      end
-    end
-
-    context 'for a user avatar file path' do
-      it 'returns the file path relative to the CarrierWave root' do
-        assert_upload_path('/-/system/user/avatar/1234/avatar.jpg', 'uploads/-/system/user/avatar/1234/avatar.jpg')
-      end
-    end
-
-    context 'for a group avatar file path' do
-      it 'returns the file path relative to the CarrierWave root' do
-        assert_upload_path('/-/system/group/avatar/1234/avatar.jpg', 'uploads/-/system/group/avatar/1234/avatar.jpg')
-      end
-    end
-
-    context 'for a project avatar file path' do
-      it 'returns the file path relative to the CarrierWave root' do
-        assert_upload_path('/-/system/project/avatar/1234/avatar.jpg', 'uploads/-/system/project/avatar/1234/avatar.jpg')
-      end
-    end
-
-    context 'for a project Markdown attachment (notes, issues, MR descriptions) file path' do
-      it 'returns the file path relative to the project directory in uploads' do
-        project = create(:project, :legacy_storage)
-        random_hex = SecureRandom.hex
-
-        assert_upload_path("/#{project.full_path}/#{random_hex}/Some file.jpg", "#{random_hex}/Some file.jpg")
-      end
-    end
-  end
-
-  describe '#uploader' do
-    def assert_uploader(file_path, expected_uploader)
-      untracked_file = create_untracked_file(file_path)
-
-      expect(untracked_file.uploader).to eq(expected_uploader)
-    end
-
-    context 'for an appearance logo file path' do
-      it 'returns AttachmentUploader as a string' do
-        assert_uploader('/-/system/appearance/logo/1/some_logo.jpg', 'AttachmentUploader')
-      end
-    end
-
-    context 'for an appearance header_logo file path' do
-      it 'returns AttachmentUploader as a string' do
-        assert_uploader('/-/system/appearance/header_logo/1/some_logo.jpg', 'AttachmentUploader')
-      end
-    end
-
-    context 'for a pre-Markdown Note attachment file path' do
-      it 'returns AttachmentUploader as a string' do
-        assert_uploader('/-/system/note/attachment/1234/some_attachment.pdf', 'AttachmentUploader')
-      end
-    end
-
-    context 'for a user avatar file path' do
-      it 'returns AvatarUploader as a string' do
-        assert_uploader('/-/system/user/avatar/1234/avatar.jpg', 'AvatarUploader')
-      end
-    end
-
-    context 'for a group avatar file path' do
-      it 'returns AvatarUploader as a string' do
-        assert_uploader('/-/system/group/avatar/1234/avatar.jpg', 'AvatarUploader')
-      end
-    end
-
-    context 'for a project avatar file path' do
-      it 'returns AvatarUploader as a string' do
-        assert_uploader('/-/system/project/avatar/1234/avatar.jpg', 'AvatarUploader')
-      end
-    end
-
-    context 'for a project Markdown attachment (notes, issues, MR descriptions) file path' do
-      it 'returns FileUploader as a string' do
-        project = create(:project, :legacy_storage)
-
-        assert_uploader("/#{project.full_path}/#{SecureRandom.hex}/Some file.jpg", 'FileUploader')
-      end
-    end
-  end
-
-  describe '#model_type' do
-    def assert_model_type(file_path, expected_model_type)
-      untracked_file = create_untracked_file(file_path)
-
-      expect(untracked_file.model_type).to eq(expected_model_type)
-    end
-
-    context 'for an appearance logo file path' do
-      it 'returns Appearance as a string' do
-        assert_model_type('/-/system/appearance/logo/1/some_logo.jpg', 'Appearance')
-      end
-    end
-
-    context 'for an appearance header_logo file path' do
-      it 'returns Appearance as a string' do
-        assert_model_type('/-/system/appearance/header_logo/1/some_logo.jpg', 'Appearance')
-      end
-    end
-
-    context 'for a pre-Markdown Note attachment file path' do
-      it 'returns Note as a string' do
-        assert_model_type('/-/system/note/attachment/1234/some_attachment.pdf', 'Note')
-      end
-    end
-
-    context 'for a user avatar file path' do
-      it 'returns User as a string' do
-        assert_model_type('/-/system/user/avatar/1234/avatar.jpg', 'User')
-      end
-    end
-
-    context 'for a group avatar file path' do
-      it 'returns Namespace as a string' do
-        assert_model_type('/-/system/group/avatar/1234/avatar.jpg', 'Namespace')
-      end
-    end
-
-    context 'for a project avatar file path' do
-      it 'returns Project as a string' do
-        assert_model_type('/-/system/project/avatar/1234/avatar.jpg', 'Project')
-      end
-    end
-
-    context 'for a project Markdown attachment (notes, issues, MR descriptions) file path' do
-      it 'returns Project as a string' do
-        project = create(:project, :legacy_storage)
-
-        assert_model_type("/#{project.full_path}/#{SecureRandom.hex}/Some file.jpg", 'Project')
-      end
-    end
-  end
-
-  describe '#model_id' do
-    def assert_model_id(file_path, expected_model_id)
-      untracked_file = create_untracked_file(file_path)
-
-      expect(untracked_file.model_id).to eq(expected_model_id)
-    end
-
-    context 'for an appearance logo file path' do
-      it 'returns the ID as a string' do
-        assert_model_id('/-/system/appearance/logo/1/some_logo.jpg', 1)
-      end
-    end
-
-    context 'for an appearance header_logo file path' do
-      it 'returns the ID as a string' do
-        assert_model_id('/-/system/appearance/header_logo/1/some_logo.jpg', 1)
-      end
-    end
-
-    context 'for a pre-Markdown Note attachment file path' do
-      it 'returns the ID as a string' do
-        assert_model_id('/-/system/note/attachment/1234/some_attachment.pdf', 1234)
-      end
-    end
-
-    context 'for a user avatar file path' do
-      it 'returns the ID as a string' do
-        assert_model_id('/-/system/user/avatar/1234/avatar.jpg', 1234)
-      end
-    end
-
-    context 'for a group avatar file path' do
-      it 'returns the ID as a string' do
-        assert_model_id('/-/system/group/avatar/1234/avatar.jpg', 1234)
-      end
-    end
-
-    context 'for a project avatar file path' do
-      it 'returns the ID as a string' do
-        assert_model_id('/-/system/project/avatar/1234/avatar.jpg', 1234)
-      end
-    end
-
-    context 'for a project Markdown attachment (notes, issues, MR descriptions) file path' do
-      it 'returns the ID as a string' do
-        project = create(:project, :legacy_storage)
-
-        assert_model_id("/#{project.full_path}/#{SecureRandom.hex}/Some file.jpg", project.id)
-      end
-    end
-  end
-
-  describe '#file_size' do
-    context 'for an appearance logo file path' do
-      let(:appearance) { create_or_update_appearance(logo: uploaded_file) }
-      let(:untracked_file) { described_class.create!(path: appearance.uploads.first.path) }
-
-      it 'returns the file size' do
-        expect(untracked_file.file_size).to eq(35255)
-      end
-
-      it 'returns the same thing that CarrierWave would return' do
-        expect(untracked_file.file_size).to eq(appearance.logo.size)
-      end
-    end
-
-    context 'for a project avatar file path' do
-      let(:project) { create(:project, :legacy_storage, avatar: uploaded_file) }
-      let(:untracked_file) { described_class.create!(path: project.uploads.first.path) }
-
-      it 'returns the file size' do
-        expect(untracked_file.file_size).to eq(35255)
-      end
-
-      it 'returns the same thing that CarrierWave would return' do
-        expect(untracked_file.file_size).to eq(project.avatar.size)
-      end
-    end
-
-    context 'for a project Markdown attachment (notes, issues, MR descriptions) file path' do
-      let(:project) { create(:project, :legacy_storage) }
-      let(:untracked_file) { create_untracked_file("/#{project.full_path}/#{project.uploads.first.path}") }
-
-      before do
-        UploadService.new(project, uploaded_file, FileUploader).execute
-      end
-
-      it 'returns the file size' do
-        expect(untracked_file.file_size).to eq(35255)
-      end
-
-      it 'returns the same thing that CarrierWave would return' do
-        expect(untracked_file.file_size).to eq(project.uploads.first.size)
-      end
-    end
-  end
-
-  def create_untracked_file(path_relative_to_upload_dir)
-    described_class.create!(path: "#{Gitlab::BackgroundMigration::PrepareUntrackedUploads::RELATIVE_UPLOAD_DIR}#{path_relative_to_upload_dir}")
-  end
-end
diff --git a/spec/lib/gitlab/background_migration/prepare_untracked_uploads_spec.rb b/spec/lib/gitlab/background_migration/prepare_untracked_uploads_spec.rb
index ca77e64ae40..35750d89c35 100644
--- a/spec/lib/gitlab/background_migration/prepare_untracked_uploads_spec.rb
+++ b/spec/lib/gitlab/background_migration/prepare_untracked_uploads_spec.rb
@@ -1,10 +1,16 @@
 require 'spec_helper'
 
-describe Gitlab::BackgroundMigration::PrepareUntrackedUploads, :sidekiq, :migration, schema: 20180129193323 do
-  include TrackUntrackedUploadsHelpers
-  include MigrationsHelpers
-
-  let!(:untracked_files_for_uploads) { described_class::UntrackedFile }
+# Rollback DB to 10.5 (later than this was originally written for) because it still needs to work.
+describe Gitlab::BackgroundMigration::PrepareUntrackedUploads, :sidekiq, :migration, schema: 20180208183958 do
+  include MigrationsHelpers::TrackUntrackedUploadsHelpers
+
+  let!(:untracked_files_for_uploads) { table(:untracked_files_for_uploads) }
+  let!(:appearances) { table(:appearances) }
+  let!(:namespaces) { table(:namespaces) }
+  let!(:projects) { table(:projects) }
+  let!(:routes) { table(:routes) }
+  let!(:uploads) { table(:uploads) }
+  let!(:users) { table(:users) }
 
   around do |example|
     # Especially important so the follow-up migration does not get run
@@ -15,19 +21,17 @@ describe Gitlab::BackgroundMigration::PrepareUntrackedUploads, :sidekiq, :migrat
 
   shared_examples 'prepares the untracked_files_for_uploads table' do
     context 'when files were uploaded before and after hashed storage was enabled' do
-      let!(:appearance) { create_or_update_appearance(logo: uploaded_file, header_logo: uploaded_file) }
-      let!(:user) { create(:user, :with_avatar) }
-      let!(:project1) { create(:project, :with_avatar, :legacy_storage) }
-      let(:project2) { create(:project) } # instantiate after enabling hashed_storage
+      let!(:appearance) { create_or_update_appearance(logo: true, header_logo: true) }
+      let!(:user) { create_user(avatar: true) }
+      let!(:project1) { create_project(avatar: true) }
+      let(:project2) { create_project } # instantiate after enabling hashed_storage
 
       before do
         # Markdown upload before enabling hashed_storage
-        UploadService.new(project1, uploaded_file, FileUploader).execute
-
-        stub_application_setting(hashed_storage_enabled: true)
+        add_markdown_attachment(project1)
 
         # Markdown upload after enabling hashed_storage
-        UploadService.new(project2, uploaded_file, FileUploader).execute
+        add_markdown_attachment(project2, hashed_storage: true)
       end
 
       it 'has a path field long enough for really long paths' do
@@ -61,7 +65,7 @@ describe Gitlab::BackgroundMigration::PrepareUntrackedUploads, :sidekiq, :migrat
       it 'does not add hashed files to the untracked_files_for_uploads table' do
         described_class.new.perform
 
-        hashed_file_path = project2.uploads.where(uploader: 'FileUploader').first.path
+        hashed_file_path = get_uploads(project2, 'Project').where(uploader: 'FileUploader').first.path
         expect(untracked_files_for_uploads.where("path like '%#{hashed_file_path}%'").exists?).to be_falsey
       end
 
diff --git a/spec/lib/gitlab/contributions_calendar_spec.rb b/spec/lib/gitlab/contributions_calendar_spec.rb
index f1655854486..49a179ba875 100644
--- a/spec/lib/gitlab/contributions_calendar_spec.rb
+++ b/spec/lib/gitlab/contributions_calendar_spec.rb
@@ -118,6 +118,19 @@ describe Gitlab::ContributionsCalendar do
       expect(calendar.events_by_date(today)).to contain_exactly(e1)
       expect(calendar(contributor).events_by_date(today)).to contain_exactly(e1, e2, e3)
     end
+
+    context 'when the user cannot read read cross project' do
+      before do
+        allow(Ability).to receive(:allowed?).and_call_original
+        expect(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
+      end
+
+      it 'does not return any events' do
+        create_event(public_project, today)
+
+        expect(calendar(user).events_by_date(today)).to be_empty
+      end
+    end
   end
 
   describe '#starting_year' do
diff --git a/spec/lib/gitlab/cross_project_access/check_collection_spec.rb b/spec/lib/gitlab/cross_project_access/check_collection_spec.rb
new file mode 100644
index 00000000000..a9e7575240e
--- /dev/null
+++ b/spec/lib/gitlab/cross_project_access/check_collection_spec.rb
@@ -0,0 +1,55 @@
+require 'spec_helper'
+
+describe Gitlab::CrossProjectAccess::CheckCollection do
+  subject(:collection) { described_class.new }
+
+  describe '#add_collection' do
+    it 'merges the checks of 2 collections' do
+      initial_check = double('check')
+      collection.add_check(initial_check)
+
+      other_collection = described_class.new
+      other_check = double('other_check')
+      other_collection.add_check(other_check)
+
+      shared_check = double('shared check')
+      other_collection.add_check(shared_check)
+      collection.add_check(shared_check)
+
+      collection.add_collection(other_collection)
+
+      expect(collection.checks).to contain_exactly(initial_check, shared_check, other_check)
+    end
+  end
+
+  describe '#should_run?' do
+    def fake_check(run, skip)
+      check = double("Check: run=#{run} - skip={skip}")
+      allow(check).to receive(:should_run?).and_return(run)
+      allow(check).to receive(:should_skip?).and_return(skip)
+      allow(check).to receive(:skip).and_return(skip)
+
+      check
+    end
+
+    it 'returns true if one of the check says it should run' do
+      check = fake_check(true, false)
+      other_check = fake_check(false, false)
+
+      collection.add_check(check)
+      collection.add_check(other_check)
+
+      expect(collection.should_run?(double)).to be_truthy
+    end
+
+    it 'returns false if one of the check says it should be skipped' do
+      check = fake_check(true, false)
+      other_check = fake_check(false, true)
+
+      collection.add_check(check)
+      collection.add_check(other_check)
+
+      expect(collection.should_run?(double)).to be_falsey
+    end
+  end
+end
diff --git a/spec/lib/gitlab/cross_project_access/check_info_spec.rb b/spec/lib/gitlab/cross_project_access/check_info_spec.rb
new file mode 100644
index 00000000000..bc9dbf2bece
--- /dev/null
+++ b/spec/lib/gitlab/cross_project_access/check_info_spec.rb
@@ -0,0 +1,111 @@
+require 'spec_helper'
+
+describe Gitlab::CrossProjectAccess::CheckInfo do
+  let(:dummy_controller) { double }
+
+  before do
+    allow(dummy_controller).to receive(:action_name).and_return('index')
+  end
+
+  describe '#should_run?' do
+    it 'runs when an action is defined' do
+      info = described_class.new({ index: true }, nil, nil, false)
+
+      expect(info.should_run?(dummy_controller)).to be_truthy
+    end
+
+    it 'runs when the action is missing' do
+      info = described_class.new({}, nil, nil, false)
+
+      expect(info.should_run?(dummy_controller)).to be_truthy
+    end
+
+    it 'does not run when the action is excluded' do
+      info = described_class.new({ index: false }, nil, nil, false)
+
+      expect(info.should_run?(dummy_controller)).to be_falsy
+    end
+
+    it 'runs when the `if` conditional is true' do
+      info = described_class.new({}, -> { true }, nil, false)
+
+      expect(info.should_run?(dummy_controller)).to be_truthy
+    end
+
+    it 'does not run when the if condition is false' do
+      info = described_class.new({}, -> { false }, nil, false)
+
+      expect(info.should_run?(dummy_controller)).to be_falsy
+    end
+
+    it 'does not run when the `unless` check is true' do
+      info = described_class.new({}, nil, -> { true }, false)
+
+      expect(info.should_run?(dummy_controller)).to be_falsy
+    end
+
+    it 'runs when the `unless` check is false' do
+      info = described_class.new({}, nil, -> { false }, false)
+
+      expect(info.should_run?(dummy_controller)).to be_truthy
+    end
+
+    it 'returns the the oposite of #should_skip? when the check is a skip' do
+      info = described_class.new({}, nil, nil, true)
+
+      expect(info).to receive(:should_skip?).with(dummy_controller).and_return(false)
+      expect(info.should_run?(dummy_controller)).to be_truthy
+    end
+  end
+
+  describe '#should_skip?' do
+    it 'skips when an action is defined' do
+      info = described_class.new({ index: true }, nil, nil, true)
+
+      expect(info.should_skip?(dummy_controller)).to be_truthy
+    end
+
+    it 'does not skip when the action is not defined' do
+      info = described_class.new({}, nil, nil, true)
+
+      expect(info.should_skip?(dummy_controller)).to be_falsy
+    end
+
+    it 'does not skip when the action is excluded' do
+      info = described_class.new({ index: false }, nil, nil, true)
+
+      expect(info.should_skip?(dummy_controller)).to be_falsy
+    end
+
+    it 'skips when the `if` conditional is true' do
+      info = described_class.new({ index: true }, -> { true }, nil, true)
+
+      expect(info.should_skip?(dummy_controller)).to be_truthy
+    end
+
+    it 'does not skip the `if` conditional is false' do
+      info = described_class.new({ index: true }, -> { false }, nil, true)
+
+      expect(info.should_skip?(dummy_controller)).to be_falsy
+    end
+
+    it 'does not skip when the `unless` check is true' do
+      info = described_class.new({ index: true }, nil, -> { true }, true)
+
+      expect(info.should_skip?(dummy_controller)).to be_falsy
+    end
+
+    it 'skips when `unless` check is false' do
+      info = described_class.new({ index: true }, nil, -> { false }, true)
+
+      expect(info.should_skip?(dummy_controller)).to be_truthy
+    end
+
+    it 'returns the the oposite of #should_run? when the check is not a skip' do
+      info = described_class.new({}, nil, nil, false)
+
+      expect(info).to receive(:should_run?).with(dummy_controller).and_return(false)
+      expect(info.should_skip?(dummy_controller)).to be_truthy
+    end
+  end
+end
diff --git a/spec/lib/gitlab/cross_project_access/class_methods_spec.rb b/spec/lib/gitlab/cross_project_access/class_methods_spec.rb
new file mode 100644
index 00000000000..5349685e633
--- /dev/null
+++ b/spec/lib/gitlab/cross_project_access/class_methods_spec.rb
@@ -0,0 +1,46 @@
+require 'spec_helper'
+
+describe Gitlab::CrossProjectAccess::ClassMethods do
+  let(:dummy_class) do
+    Class.new do
+      extend Gitlab::CrossProjectAccess::ClassMethods
+    end
+  end
+  let(:dummy_proc) { lambda { false } }
+
+  describe '#requires_cross_project_access' do
+    it 'creates a correct check when a hash is passed' do
+      expect(Gitlab::CrossProjectAccess)
+        .to receive(:add_check).with(dummy_class,
+                                     actions: { hello: true, world: false },
+                                     positive_condition: dummy_proc,
+                                     negative_condition: dummy_proc)
+
+      dummy_class.requires_cross_project_access(
+        hello: true, world: false, if: dummy_proc, unless: dummy_proc
+      )
+    end
+
+    it 'creates a correct check when an array is passed' do
+      expect(Gitlab::CrossProjectAccess)
+        .to receive(:add_check).with(dummy_class,
+                                     actions: { hello: true, world: true },
+                                     positive_condition: nil,
+                                     negative_condition: nil)
+
+      dummy_class.requires_cross_project_access(:hello, :world)
+    end
+
+    it 'creates a correct check when an array and a hash is passed' do
+      expect(Gitlab::CrossProjectAccess)
+        .to receive(:add_check).with(dummy_class,
+                                     actions: { hello: true, world: true },
+                                     positive_condition: dummy_proc,
+                                     negative_condition: dummy_proc)
+
+      dummy_class.requires_cross_project_access(
+        :hello, :world, if: dummy_proc, unless: dummy_proc
+      )
+    end
+  end
+end
diff --git a/spec/lib/gitlab/cross_project_access_spec.rb b/spec/lib/gitlab/cross_project_access_spec.rb
new file mode 100644
index 00000000000..614b0473c7e
--- /dev/null
+++ b/spec/lib/gitlab/cross_project_access_spec.rb
@@ -0,0 +1,84 @@
+require 'spec_helper'
+
+describe Gitlab::CrossProjectAccess do
+  let(:super_class) { Class.new }
+  let(:descendant_class) { Class.new(super_class) }
+  let(:current_instance) { described_class.new }
+
+  before do
+    allow(described_class).to receive(:instance).and_return(current_instance)
+  end
+
+  describe '#add_check' do
+    it 'keeps track of the properties to check' do
+      expect do
+        described_class.add_check(super_class,
+                                  actions: { index: true },
+                                  positive_condition: -> { true },
+                                  negative_condition: -> { false })
+      end.to change { described_class.checks.size }.by(1)
+    end
+
+    it 'builds the check correctly' do
+      check_collection = described_class.add_check(super_class,
+                                                   actions: { index: true },
+                                                   positive_condition: -> { 'positive' },
+                                                   negative_condition: -> { 'negative' })
+
+      check = check_collection.checks.first
+
+      expect(check.actions).to eq(index: true)
+      expect(check.positive_condition.call).to eq('positive')
+      expect(check.negative_condition.call).to eq('negative')
+    end
+
+    it 'merges the checks of a parent class into existing checks of a subclass' do
+      subclass_collection = described_class.add_check(descendant_class)
+
+      expect(subclass_collection).to receive(:add_collection).and_call_original
+
+      described_class.add_check(super_class)
+    end
+
+    it 'merges the existing checks of a superclass into the checks of a subclass' do
+      super_collection = described_class.add_check(super_class)
+      descendant_collection = described_class.add_check(descendant_class)
+
+      expect(descendant_collection.checks).to include(*super_collection.checks)
+    end
+  end
+
+  describe '#find_check' do
+    it 'returns a check when it was defined for a superclass' do
+      expected_check = described_class.add_check(super_class,
+                                                 actions: { index: true },
+                                                 positive_condition: -> { 'positive' },
+                                                 negative_condition: -> { 'negative' })
+
+      expect(described_class.find_check(descendant_class.new))
+        .to eq(expected_check)
+    end
+
+    it 'caches the result for a subclass' do
+      described_class.add_check(super_class,
+                                actions: { index: true },
+                                positive_condition: -> { 'positive' },
+                                negative_condition: -> { 'negative' })
+
+      expect(described_class.instance).to receive(:closest_parent).once.and_call_original
+
+      2.times { described_class.find_check(descendant_class.new) }
+    end
+
+    it 'returns the checks for the closest class if there are more checks available' do
+      described_class.add_check(super_class,
+                                actions: { index: true })
+      expected_check = described_class.add_check(descendant_class,
+                                                 actions: { index: true, show: false })
+
+      check = described_class.find_check(descendant_class.new)
+
+      expect(check).to eq(expected_check)
+    end
+  end
+end
diff --git a/spec/lib/gitlab/diff/highlight_spec.rb b/spec/lib/gitlab/diff/highlight_spec.rb
index cd602ccab8e..73d60c021c8 100644
--- a/spec/lib/gitlab/diff/highlight_spec.rb
+++ b/spec/lib/gitlab/diff/highlight_spec.rb
@@ -72,6 +72,28 @@ describe Gitlab::Diff::Highlight do
         expect(subject[5].text).to eq(code)
         expect(subject[5].text).to be_html_safe
       end
+
+      context 'when the inline diff marker has an invalid range' do
+        before do
+          allow_any_instance_of(Gitlab::Diff::InlineDiffMarker).to receive(:mark).and_raise(RangeError)
+        end
+
+        it 'keeps the original rich line' do
+          code = %q{+      raise RuntimeError, "System commands must be given as an array of strings"}
+
+          expect(subject[5].text).to eq(code)
+          expect(subject[5].text).not_to be_html_safe
+        end
+
+        it 'reports to Sentry if configured' do
+          allow(Gitlab::Sentry).to receive(:enabled?).and_return(true)
+
+          expect(Gitlab::Sentry).to receive(:context)
+          expect(Raven).to receive(:capture_exception)
+
+          subject
+        end
+      end
     end
   end
 end
diff --git a/spec/lib/gitlab/git/repository_spec.rb b/spec/lib/gitlab/git/repository_spec.rb
index 67271d769a0..d601a383a98 100644
--- a/spec/lib/gitlab/git/repository_spec.rb
+++ b/spec/lib/gitlab/git/repository_spec.rb
@@ -600,6 +600,33 @@ describe Gitlab::Git::Repository, seed_helper: true do
     end
   end
 
+  describe '#branch_names_contains_sha' do
+    shared_examples 'returning the right branches' do
+      let(:head_id) { repository.rugged.head.target.oid }
+      let(:new_branch) { head_id }
+
+      before do
+        repository.create_branch(new_branch, 'master')
+      end
+
+      after do
+        repository.delete_branch(new_branch)
+      end
+
+      it 'displays that branch' do
+        expect(repository.branch_names_contains_sha(head_id)).to include('master', new_branch)
+      end
+    end
+
+    context 'when Gitaly is enabled' do
+      it_behaves_like 'returning the right branches'
+    end
+
+    context 'when Gitaly is disabled', :disable_gitaly do
+      it_behaves_like 'returning the right branches'
+    end
+  end
+
   describe "#refs_hash" do
     subject { repository.refs_hash }
 
@@ -2204,7 +2231,7 @@ describe Gitlab::Git::Repository, seed_helper: true do
       context 'sparse checkout', :skip_gitaly_mock do
         let(:expected_files) { %w(files files/js files/js/application.js) }
 
-        before do
+        it 'checks out only the files in the diff' do
           allow(repository).to receive(:with_worktree).and_wrap_original do |m, *args|
             m.call(*args) do
               worktree_path = args[0]
@@ -2216,11 +2243,34 @@ describe Gitlab::Git::Repository, seed_helper: true do
               expect(Dir[files_pattern]).to eq(expected)
             end
           end
-        end
 
-        it 'checkouts only the files in the diff' do
           subject
         end
+
+        context 'when the diff contains a rename' do
+          let(:repo) { Gitlab::Git::Repository.new('default', TEST_REPO_PATH, '').rugged }
+          let(:end_sha) { new_commit_move_file(repo).oid }
+
+          after do
+            # Erase our commits so other tests get the original repo
+            repo = Gitlab::Git::Repository.new('default', TEST_REPO_PATH, '').rugged
+            repo.references.update('refs/heads/master', SeedRepo::LastCommit::ID)
+          end
+
+          it 'does not include the renamed file in the sparse checkout' do
+            allow(repository).to receive(:with_worktree).and_wrap_original do |m, *args|
+              m.call(*args) do
+                worktree_path = args[0]
+                files_pattern = File.join(worktree_path, '**', '*')
+
+                expect(Dir[files_pattern]).not_to include('CHANGELOG')
+                expect(Dir[files_pattern]).not_to include('encoding/CHANGELOG')
+              end
+            end
+
+            subject
+          end
+        end
       end
 
       context 'with an ASCII-8BIT diff', :skip_gitaly_mock do
@@ -2230,7 +2280,7 @@ describe Gitlab::Git::Repository, seed_helper: true do
           allow(repository).to receive(:run_git!).and_call_original
           allow(repository).to receive(:run_git!).with(%W(diff --binary #{start_sha}...#{end_sha})).and_return(diff.force_encoding('ASCII-8BIT'))
 
-          expect(subject.length).to eq(40)
+          expect(subject).to match(/\h{40}/)
         end
       end
     end
diff --git a/spec/lib/gitlab/git_access_wiki_spec.rb b/spec/lib/gitlab/git_access_wiki_spec.rb
index 186b2d9279d..215f1ecc9c5 100644
--- a/spec/lib/gitlab/git_access_wiki_spec.rb
+++ b/spec/lib/gitlab/git_access_wiki_spec.rb
@@ -2,7 +2,7 @@ require 'spec_helper'
 
 describe Gitlab::GitAccessWiki do
   let(:access) { described_class.new(user, project, 'web', authentication_abilities: authentication_abilities, redirected_path: redirected_path) }
-  let(:project) { create(:project, :repository) }
+  let(:project) { create(:project, :wiki_repo) }
   let(:user) { create(:user) }
   let(:changes) { ['6f6d7e7ed 570e7b2ab refs/heads/master'] }
   let(:redirected_path) { nil }
@@ -48,6 +48,18 @@ describe Gitlab::GitAccessWiki do
       it 'give access to download wiki code' do
         expect { subject }.not_to raise_error
       end
+
+      context 'when the wiki repository does not exist' do
+        it 'returns not found' do
+          wiki_repo = project.wiki.repository
+          FileUtils.rm_rf(wiki_repo.path)
+
+          # Sanity check for rm_rf
+          expect(wiki_repo.exists?).to eq(false)
+
+          expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'A repository for this project does not exist yet.')
+        end
+      end
     end
 
     context 'when wiki feature is disabled' do
diff --git a/spec/lib/gitlab/gitaly_client/repository_service_spec.rb b/spec/lib/gitlab/gitaly_client/repository_service_spec.rb
index cbc7ce1c1b0..c50e73cecfc 100644
--- a/spec/lib/gitlab/gitaly_client/repository_service_spec.rb
+++ b/spec/lib/gitlab/gitaly_client/repository_service_spec.rb
@@ -84,4 +84,30 @@ describe Gitlab::GitalyClient::RepositoryService do
       expect(client.has_local_branches?).to be(true)
     end
   end
+
+  describe '#rebase_in_progress?' do
+    let(:rebase_id) { 1 }
+
+    it 'sends a repository_rebase_in_progress message' do
+      expect_any_instance_of(Gitaly::RepositoryService::Stub)
+        .to receive(:is_rebase_in_progress)
+        .with(gitaly_request_with_path(storage_name, relative_path), kind_of(Hash))
+        .and_return(double(in_progress: true))
+
+      client.rebase_in_progress?(rebase_id)
+    end
+  end
+
+  describe '#squash_in_progress?' do
+    let(:squash_id) { 1 }
+
+    it 'sends a repository_squash_in_progress message' do
+      expect_any_instance_of(Gitaly::RepositoryService::Stub)
+        .to receive(:is_squash_in_progress)
+        .with(gitaly_request_with_path(storage_name, relative_path), kind_of(Hash))
+        .and_return(double(in_progress: true))
+
+      client.squash_in_progress?(squash_id)
+    end
+  end
 end
diff --git a/spec/lib/gitlab/middleware/go_spec.rb b/spec/lib/gitlab/middleware/go_spec.rb
index 60a134be939..b24c9882c0c 100644
--- a/spec/lib/gitlab/middleware/go_spec.rb
+++ b/spec/lib/gitlab/middleware/go_spec.rb
@@ -3,19 +3,30 @@ require 'spec_helper'
 describe Gitlab::Middleware::Go do
   let(:app) { double(:app) }
   let(:middleware) { described_class.new(app) }
+  let(:env) do
+    {
+      'rack.input' => '',
+      'REQUEST_METHOD' => 'GET'
+    }
+  end
 
   describe '#call' do
     describe 'when go-get=0' do
+      before do
+        env['QUERY_STRING'] = 'go-get=0'
+      end
+
       it 'skips go-import generation' do
-        env = { 'rack.input' => '',
-                'QUERY_STRING' => 'go-get=0' }
         expect(app).to receive(:call).with(env).and_return('no-go')
         middleware.call(env)
       end
     end
 
     describe 'when go-get=1' do
-      let(:current_user) { nil }
+      before do
+        env['QUERY_STRING'] = 'go-get=1'
+        env['PATH_INFO'] = "/#{path}"
+      end
 
       shared_examples 'go-get=1' do |enabled_protocol:|
         context 'with simple 2-segment project path' do
@@ -54,21 +65,75 @@ describe Gitlab::Middleware::Go do
                 project.update_attribute(:visibility_level, Project::PRIVATE)
               end
 
-              context 'with access to the project' do
+              shared_examples 'unauthorized' do
+                it 'returns the 2-segment group path' do
+                  expect_response_with_path(go, enabled_protocol, group.full_path)
+                end
+              end
+
+              context 'when not authenticated' do
+                it_behaves_like 'unauthorized'
+              end
+
+              context 'when authenticated' do
                 let(:current_user) { project.creator }
 
                 before do
                   project.team.add_master(current_user)
                 end
 
-                it 'returns the full project path' do
-                  expect_response_with_path(go, enabled_protocol, project.full_path)
+                shared_examples 'authenticated' do
+                  context 'with access to the project' do
+                    it 'returns the full project path' do
+                      expect_response_with_path(go, enabled_protocol, project.full_path)
+                    end
+                  end
+
+                  context 'without access to the project' do
+                    before do
+                      project.team.find_member(current_user).destroy
+                    end
+
+                    it_behaves_like 'unauthorized'
+                  end
                 end
-              end
 
-              context 'without access to the project' do
-                it 'returns the 2-segment group path' do
-                  expect_response_with_path(go, enabled_protocol, group.full_path)
+                context 'using warden' do
+                  before do
+                    env['warden'] = double(authenticate: current_user)
+                  end
+
+                  context 'when active' do
+                    it_behaves_like 'authenticated'
+                  end
+
+                  context 'when blocked' do
+                    before do
+                      current_user.block!
+                    end
+
+                    it_behaves_like 'unauthorized'
+                  end
+                end
+
+                context 'using a personal access token' do
+                  let(:personal_access_token) { create(:personal_access_token, user: current_user) }
+
+                  before do
+                    env['HTTP_PRIVATE_TOKEN'] = personal_access_token.token
+                  end
+
+                  context 'with api scope' do
+                    it_behaves_like 'authenticated'
+                  end
+
+                  context 'with read_user scope' do
+                    before do
+                      personal_access_token.update_attribute(:scopes, [:read_user])
+                    end
+
+                    it_behaves_like 'unauthorized'
+                  end
                 end
               end
             end
@@ -138,12 +203,6 @@ describe Gitlab::Middleware::Go do
     end
 
     def go
-      env = {
-        'rack.input' => '',
-        'QUERY_STRING' => 'go-get=1',
-        'PATH_INFO' => "/#{path}",
-        'warden' => double(authenticate: current_user)
-      }
       middleware.call(env)
     end
 
diff --git a/spec/lib/gitlab/prometheus/queries/matched_metrics_query_spec.rb b/spec/lib/gitlab/prometheus/queries/matched_metrics_query_spec.rb
index 2b488101496..c95719eff1d 100644
--- a/spec/lib/gitlab/prometheus/queries/matched_metrics_query_spec.rb
+++ b/spec/lib/gitlab/prometheus/queries/matched_metrics_query_spec.rb
@@ -24,7 +24,7 @@ describe Gitlab::Prometheus::Queries::MatchedMetricsQuery do
 
   context 'with one group where two metrics is found' do
     before do
-      allow(metric_group_class).to receive(:all).and_return([simple_metric_group])
+      allow(metric_group_class).to receive(:common_metrics).and_return([simple_metric_group])
       allow(client).to receive(:label_values).and_return(metric_names)
     end
 
@@ -70,7 +70,7 @@ describe Gitlab::Prometheus::Queries::MatchedMetricsQuery do
 
   context 'with one group where only one metric is found' do
     before do
-      allow(metric_group_class).to receive(:all).and_return([simple_metric_group])
+      allow(metric_group_class).to receive(:common_metrics).and_return([simple_metric_group])
       allow(client).to receive(:label_values).and_return('metric_a')
     end
 
@@ -99,7 +99,7 @@ describe Gitlab::Prometheus::Queries::MatchedMetricsQuery do
     let(:second_metric_group) { simple_metric_group(name: 'nameb', metrics: simple_metrics(added_metric_name: 'metric_c')) }
 
     before do
-      allow(metric_group_class).to receive(:all).and_return([simple_metric_group, second_metric_group])
+      allow(metric_group_class).to receive(:common_metrics).and_return([simple_metric_group, second_metric_group])
       allow(client).to receive(:label_values).and_return('metric_c')
     end
 
diff --git a/spec/lib/gitlab/prometheus_client_spec.rb b/spec/lib/gitlab/prometheus_client_spec.rb
index 5d86007f71f..4c3b8deefb9 100644
--- a/spec/lib/gitlab/prometheus_client_spec.rb
+++ b/spec/lib/gitlab/prometheus_client_spec.rb
@@ -19,41 +19,41 @@ describe Gitlab::PrometheusClient do
   # - execute_query: A query call
   shared_examples 'failure response' do
     context 'when request returns 400 with an error message' do
-      it 'raises a Gitlab::PrometheusError error' do
+      it 'raises a Gitlab::PrometheusClient::Error error' do
         req_stub = stub_prometheus_request(query_url, status: 400, body: { error: 'bar!' })
 
         expect { execute_query }
-          .to raise_error(Gitlab::PrometheusError, 'bar!')
+          .to raise_error(Gitlab::PrometheusClient::Error, 'bar!')
         expect(req_stub).to have_been_requested
       end
     end
 
     context 'when request returns 400 without an error message' do
-      it 'raises a Gitlab::PrometheusError error' do
+      it 'raises a Gitlab::PrometheusClient::Error error' do
         req_stub = stub_prometheus_request(query_url, status: 400)
 
         expect { execute_query }
-          .to raise_error(Gitlab::PrometheusError, 'Bad data received')
+          .to raise_error(Gitlab::PrometheusClient::Error, 'Bad data received')
         expect(req_stub).to have_been_requested
       end
     end
 
     context 'when request returns 500' do
-      it 'raises a Gitlab::PrometheusError error' do
+      it 'raises a Gitlab::PrometheusClient::Error error' do
         req_stub = stub_prometheus_request(query_url, status: 500, body: { message: 'FAIL!' })
 
         expect { execute_query }
-          .to raise_error(Gitlab::PrometheusError, '500 - {"message":"FAIL!"}')
+          .to raise_error(Gitlab::PrometheusClient::Error, '500 - {"message":"FAIL!"}')
         expect(req_stub).to have_been_requested
       end
     end
 
     context 'when request returns non json data' do
-      it 'raises a Gitlab::PrometheusError error' do
+      it 'raises a Gitlab::PrometheusClient::Error error' do
         req_stub = stub_prometheus_request(query_url, status: 200, body: 'not json')
 
         expect { execute_query }
-          .to raise_error(Gitlab::PrometheusError, 'Parsing response failed')
+          .to raise_error(Gitlab::PrometheusClient::Error, 'Parsing response failed')
         expect(req_stub).to have_been_requested
       end
     end
@@ -65,27 +65,27 @@ describe Gitlab::PrometheusClient do
     subject { described_class.new(RestClient::Resource.new(prometheus_url)) }
 
     context 'exceptions are raised' do
-      it 'raises a Gitlab::PrometheusError error when a SocketError is rescued' do
+      it 'raises a Gitlab::PrometheusClient::Error error when a SocketError is rescued' do
         req_stub = stub_prometheus_request_with_exception(prometheus_url, SocketError)
 
         expect { subject.send(:get, '/', {}) }
-          .to raise_error(Gitlab::PrometheusError, "Can't connect to #{prometheus_url}")
+          .to raise_error(Gitlab::PrometheusClient::Error, "Can't connect to #{prometheus_url}")
         expect(req_stub).to have_been_requested
       end
 
-      it 'raises a Gitlab::PrometheusError error when a SSLError is rescued' do
+      it 'raises a Gitlab::PrometheusClient::Error error when a SSLError is rescued' do
         req_stub = stub_prometheus_request_with_exception(prometheus_url, OpenSSL::SSL::SSLError)
 
         expect { subject.send(:get, '/', {}) }
-          .to raise_error(Gitlab::PrometheusError, "#{prometheus_url} contains invalid SSL data")
+          .to raise_error(Gitlab::PrometheusClient::Error, "#{prometheus_url} contains invalid SSL data")
         expect(req_stub).to have_been_requested
       end
 
-      it 'raises a Gitlab::PrometheusError error when a RestClient::Exception is rescued' do
+      it 'raises a Gitlab::PrometheusClient::Error error when a RestClient::Exception is rescued' do
         req_stub = stub_prometheus_request_with_exception(prometheus_url, RestClient::Exception)
 
         expect { subject.send(:get, '/', {}) }
-          .to raise_error(Gitlab::PrometheusError, "Network connection error")
+          .to raise_error(Gitlab::PrometheusClient::Error, "Network connection error")
         expect(req_stub).to have_been_requested
       end
     end
diff --git a/spec/lib/gitlab/quick_actions/command_definition_spec.rb b/spec/lib/gitlab/quick_actions/command_definition_spec.rb
index f44a562dc63..b03c1e23ca3 100644
--- a/spec/lib/gitlab/quick_actions/command_definition_spec.rb
+++ b/spec/lib/gitlab/quick_actions/command_definition_spec.rb
@@ -40,7 +40,7 @@ describe Gitlab::QuickActions::CommandDefinition do
   end
 
   describe "#available?" do
-    let(:opts) { { go: false } }
+    let(:opts) { OpenStruct.new(go: false) }
 
     context "when the command has a condition block" do
       before do
@@ -78,7 +78,7 @@ describe Gitlab::QuickActions::CommandDefinition do
       it "doesn't execute the command" do
         expect(context).not_to receive(:instance_exec)
 
-        subject.execute(context, {}, nil)
+        subject.execute(context, nil)
 
         expect(context.run).to be false
       end
@@ -95,7 +95,7 @@ describe Gitlab::QuickActions::CommandDefinition do
         end
 
         it "doesn't execute the command" do
-          subject.execute(context, {}, nil)
+          subject.execute(context, nil)
 
           expect(context.run).to be false
         end
@@ -109,7 +109,7 @@ describe Gitlab::QuickActions::CommandDefinition do
 
           context "when the command is provided an argument" do
             it "executes the command" do
-              subject.execute(context, {}, true)
+              subject.execute(context, true)
 
               expect(context.run).to be true
             end
@@ -117,7 +117,7 @@ describe Gitlab::QuickActions::CommandDefinition do
 
           context "when the command is not provided an argument" do
             it "executes the command" do
-              subject.execute(context, {}, nil)
+              subject.execute(context, nil)
 
               expect(context.run).to be true
             end
@@ -131,7 +131,7 @@ describe Gitlab::QuickActions::CommandDefinition do
 
           context "when the command is provided an argument" do
             it "executes the command" do
-              subject.execute(context, {}, true)
+              subject.execute(context, true)
 
               expect(context.run).to be true
             end
@@ -139,7 +139,7 @@ describe Gitlab::QuickActions::CommandDefinition do
 
           context "when the command is not provided an argument" do
             it "doesn't execute the command" do
-              subject.execute(context, {}, nil)
+              subject.execute(context, nil)
 
               expect(context.run).to be false
             end
@@ -153,7 +153,7 @@ describe Gitlab::QuickActions::CommandDefinition do
 
           context "when the command is provided an argument" do
             it "executes the command" do
-              subject.execute(context, {}, true)
+              subject.execute(context, true)
 
               expect(context.run).to be true
             end
@@ -161,7 +161,7 @@ describe Gitlab::QuickActions::CommandDefinition do
 
           context "when the command is not provided an argument" do
             it "executes the command" do
-              subject.execute(context, {}, nil)
+              subject.execute(context, nil)
 
               expect(context.run).to be true
             end
@@ -175,7 +175,7 @@ describe Gitlab::QuickActions::CommandDefinition do
           end
 
           it 'executes the command passing the parsed param' do
-            subject.execute(context, {}, 'something   ')
+            subject.execute(context, 'something   ')
 
             expect(context.received_arg).to eq('something')
           end
@@ -192,7 +192,7 @@ describe Gitlab::QuickActions::CommandDefinition do
       end
 
       it 'returns nil' do
-        result = subject.explain({}, {}, nil)
+        result = subject.explain({}, nil)
 
         expect(result).to be_nil
       end
@@ -204,7 +204,7 @@ describe Gitlab::QuickActions::CommandDefinition do
       end
 
       it 'returns this static string' do
-        result = subject.explain({}, {}, nil)
+        result = subject.explain({}, nil)
 
         expect(result).to eq 'Explanation'
       end
@@ -216,7 +216,7 @@ describe Gitlab::QuickActions::CommandDefinition do
       end
 
       it 'invokes the proc' do
-        result = subject.explain({}, {}, 'explanation')
+        result = subject.explain({}, 'explanation')
 
         expect(result).to eq 'Dynamic explanation'
       end
diff --git a/spec/lib/gitlab/quick_actions/dsl_spec.rb b/spec/lib/gitlab/quick_actions/dsl_spec.rb
index ff59dc48bcb..067a30fd7e2 100644
--- a/spec/lib/gitlab/quick_actions/dsl_spec.rb
+++ b/spec/lib/gitlab/quick_actions/dsl_spec.rb
@@ -76,7 +76,7 @@ describe Gitlab::QuickActions::Dsl do
 
       expect(dynamic_description_def.name).to eq(:dynamic_description)
       expect(dynamic_description_def.aliases).to eq([])
-      expect(dynamic_description_def.to_h(noteable: 'issue')[:description]).to eq('A dynamic description for ISSUE')
+      expect(dynamic_description_def.to_h(OpenStruct.new(noteable: 'issue'))[:description]).to eq('A dynamic description for ISSUE')
       expect(dynamic_description_def.explanation).to eq('')
       expect(dynamic_description_def.params).to eq(['The first argument', 'The second argument'])
       expect(dynamic_description_def.condition_block).to be_nil
diff --git a/spec/lib/gitlab/sql/pattern_spec.rb b/spec/lib/gitlab/sql/pattern_spec.rb
index ef51e3cc8df..5b5052de372 100644
--- a/spec/lib/gitlab/sql/pattern_spec.rb
+++ b/spec/lib/gitlab/sql/pattern_spec.rb
@@ -154,6 +154,12 @@ describe Gitlab::SQL::Pattern do
       it 'returns a single equality condition' do
         expect(fuzzy_arel_match.to_sql).to match(/title.*I?LIKE 'fo'/)
       end
+
+      it 'uses LOWER instead of ILIKE when LOWER is enabled' do
+        rel = Issue.fuzzy_arel_match(:title, query, lower_exact_match: true)
+
+        expect(rel.to_sql).to match(/LOWER\(.*title.*\).*=.*'fo'/)
+      end
     end
 
     context 'with two words both equal to 3 chars' do
diff --git a/spec/lib/google_api/cloud_platform/client_spec.rb b/spec/lib/google_api/cloud_platform/client_spec.rb
index f65e41dfea3..db9d9158b29 100644
--- a/spec/lib/google_api/cloud_platform/client_spec.rb
+++ b/spec/lib/google_api/cloud_platform/client_spec.rb
@@ -115,6 +115,9 @@ describe GoogleApi::CloudPlatform::Client do
               "initial_node_count": cluster_size,
               "node_config": {
                 "machine_type": machine_type
+              },
+              "legacy_abac": {
+                "enabled": true
               }
             }
           } )
diff --git a/spec/mailers/emails/pages_domains_spec.rb b/spec/mailers/emails/pages_domains_spec.rb
new file mode 100644
index 00000000000..fe428ea657d
--- /dev/null
+++ b/spec/mailers/emails/pages_domains_spec.rb
@@ -0,0 +1,71 @@
+require 'spec_helper'
+require 'email_spec'
+
+describe Emails::PagesDomains do
+  include EmailSpec::Matchers
+  include_context 'gitlab email notification'
+
+  set(:project) { create(:project) }
+  set(:domain) { create(:pages_domain, project: project)  }
+  set(:user) { project.owner }
+
+  shared_examples 'a pages domain email' do
+    it_behaves_like 'an email sent from GitLab'
+    it_behaves_like 'it should not have Gmail Actions links'
+    it_behaves_like 'a user cannot unsubscribe through footer link'
+
+    it 'has the expected content' do
+      aggregate_failures do
+        is_expected.to have_subject(email_subject)
+        is_expected.to have_body_text(project.human_name)
+        is_expected.to have_body_text(domain.domain)
+        is_expected.to have_body_text domain.url
+        is_expected.to have_body_text project_pages_domain_url(project, domain)
+        is_expected.to have_body_text help_page_url('user/project/pages/getting_started_part_three.md', anchor: 'dns-txt-record')
+      end
+    end
+  end
+
+  describe '#pages_domain_enabled_email' do
+    let(:email_subject) { "#{project.path} | GitLab Pages domain '#{domain.domain}' has been enabled" }
+
+    subject { Notify.pages_domain_enabled_email(domain, user) }
+
+    it_behaves_like 'a pages domain email'
+
+    it { is_expected.to have_body_text 'has been enabled' }
+  end
+
+  describe '#pages_domain_disabled_email' do
+    let(:email_subject) { "#{project.path} | GitLab Pages domain '#{domain.domain}' has been disabled" }
+
+    subject { Notify.pages_domain_disabled_email(domain, user) }
+
+    it_behaves_like 'a pages domain email'
+
+    it { is_expected.to have_body_text 'has been disabled' }
+  end
+
+  describe '#pages_domain_verification_succeeded_email' do
+    let(:email_subject) { "#{project.path} | Verification succeeded for GitLab Pages domain '#{domain.domain}'" }
+
+    subject { Notify.pages_domain_verification_succeeded_email(domain, user) }
+
+    it_behaves_like 'a pages domain email'
+
+    it { is_expected.to have_body_text 'successfully verified' }
+  end
+
+  describe '#pages_domain_verification_failed_email' do
+    let(:email_subject) { "#{project.path} | ACTION REQUIRED: Verification failed for GitLab Pages domain '#{domain.domain}'" }
+
+    subject { Notify.pages_domain_verification_failed_email(domain, user) }
+
+    it_behaves_like 'a pages domain email'
+
+    it 'says verification has failed and when the domain is enabled until' do
+      is_expected.to have_body_text 'Verification has failed'
+      is_expected.to have_body_text domain.enabled_until.strftime('%F %T')
+    end
+  end
+end
diff --git a/spec/migrations/enqueue_verify_pages_domain_workers_spec.rb b/spec/migrations/enqueue_verify_pages_domain_workers_spec.rb
new file mode 100644
index 00000000000..afcaefa0591
--- /dev/null
+++ b/spec/migrations/enqueue_verify_pages_domain_workers_spec.rb
@@ -0,0 +1,23 @@
+require 'spec_helper'
+require Rails.root.join('db', 'post_migrate', '20180216121030_enqueue_verify_pages_domain_workers')
+
+describe EnqueueVerifyPagesDomainWorkers, :sidekiq, :migration do
+  around do |example|
+    Sidekiq::Testing.fake! do
+      example.run
+    end
+  end
+
+  describe '#up' do
+    it 'enqueues a verification worker for every domain' do
+      domains = 1.upto(3).map { |i| PagesDomain.create!(domain: "my#{i}.domain.com") }
+
+      expect { migrate! }.to change(PagesDomainVerificationWorker.jobs, :size).by(3)
+
+      enqueued_ids = PagesDomainVerificationWorker.jobs.map { |job| job['args'] }
+      expected_ids = domains.map { |domain| [domain.id] }
+
+      expect(enqueued_ids).to match_array(expected_ids)
+    end
+  end
+end
diff --git a/spec/migrations/track_untracked_uploads_spec.rb b/spec/migrations/track_untracked_uploads_spec.rb
index fe4d5b8a279..2fccfb3f12c 100644
--- a/spec/migrations/track_untracked_uploads_spec.rb
+++ b/spec/migrations/track_untracked_uploads_spec.rb
@@ -2,7 +2,7 @@ require 'spec_helper'
 require Rails.root.join('db', 'post_migrate', '20171103140253_track_untracked_uploads')
 
 describe TrackUntrackedUploads, :migration, :sidekiq do
-  include TrackUntrackedUploadsHelpers
+  include MigrationsHelpers::TrackUntrackedUploadsHelpers
 
   it 'correctly schedules the follow-up background migration' do
     Sidekiq::Testing.fake! do
diff --git a/spec/models/ability_spec.rb b/spec/models/ability_spec.rb
index 38fb98d4f50..cd175dba6da 100644
--- a/spec/models/ability_spec.rb
+++ b/spec/models/ability_spec.rb
@@ -204,6 +204,78 @@ describe Ability do
     end
   end
 
+  describe '.merge_requests_readable_by_user' do
+    context 'with an admin' do
+      it 'returns all merge requests' do
+        user = build(:user, admin: true)
+        merge_request = build(:merge_request)
+
+        expect(described_class.merge_requests_readable_by_user([merge_request], user))
+          .to eq([merge_request])
+      end
+    end
+
+    context 'without a user' do
+      it 'returns merge_requests that are publicly visible' do
+        hidden_merge_request = build(:merge_request)
+        visible_merge_request = build(:merge_request, source_project: build(:project, :public))
+
+        merge_requests = described_class
+                           .merge_requests_readable_by_user([hidden_merge_request, visible_merge_request])
+
+        expect(merge_requests).to eq([visible_merge_request])
+      end
+    end
+
+    context 'with a user' do
+      let(:user) { create(:user) }
+      let(:project) { create(:project) }
+      let(:merge_request) { create(:merge_request, source_project: project) }
+      let(:cross_project_merge_request) do
+        create(:merge_request, source_project: create(:project, :public))
+      end
+      let(:other_merge_request) { create(:merge_request) }
+      let(:all_merge_requests) do
+        [merge_request, cross_project_merge_request, other_merge_request]
+      end
+
+      subject(:readable_merge_requests) do
+        described_class.merge_requests_readable_by_user(all_merge_requests, user)
+      end
+
+      before do
+        project.add_developer(user)
+      end
+
+      it 'returns projects visible to the user' do
+        expect(readable_merge_requests).to contain_exactly(merge_request, cross_project_merge_request)
+      end
+
+      context 'when a user cannot read cross project and a filter is passed' do
+        before do
+          allow(described_class).to receive(:allowed?).and_call_original
+          expect(described_class).to receive(:allowed?).with(user, :read_cross_project) { false }
+        end
+
+        subject(:readable_merge_requests) do
+          read_cross_project_filter = -> (merge_requests) do
+            merge_requests.select { |mr| mr.source_project == project }
+          end
+          described_class.merge_requests_readable_by_user(
+            all_merge_requests, user,
+            filters: { read_cross_project: read_cross_project_filter }
+          )
+        end
+
+        it 'returns only MRs of the specified project without checking access on others' do
+          expect(described_class).not_to receive(:allowed?).with(user, :read_merge_request, cross_project_merge_request)
+
+          expect(readable_merge_requests).to contain_exactly(merge_request)
+        end
+      end
+    end
+  end
+
   describe '.issues_readable_by_user' do
     context 'with an admin user' do
       it 'returns all given issues' do
@@ -250,6 +322,29 @@ describe Ability do
         expect(issues).to eq([visible_issue])
       end
     end
+
+    context 'when the user cannot read cross project' do
+      let(:user) { create(:user) }
+      let(:issue) { create(:issue) }
+      let(:other_project_issue) { create(:issue) }
+      let(:project) { issue.project }
+
+      before do
+        project.add_developer(user)
+
+        allow(described_class).to receive(:allowed?).and_call_original
+        allow(described_class).to receive(:allowed?).with(user, :read_cross_project, any_args) { false }
+      end
+
+      it 'excludes issues from other projects whithout checking separatly when passing a scope' do
+        expect(described_class).not_to receive(:allowed?).with(user, :read_issue, other_project_issue)
+
+        filters = { read_cross_project: -> (issues) { issues.where(project: project) } }
+        result = described_class.issues_readable_by_user(Issue.all, user, filters: filters)
+
+        expect(result).to contain_exactly(issue)
+      end
+    end
   end
 
   describe '.project_disabled_features_rules' do
diff --git a/spec/models/ci/build_spec.rb b/spec/models/ci/build_spec.rb
index 2b6b6a61182..c27313ed88b 100644
--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -277,7 +277,7 @@ describe Ci::Build do
           allow_any_instance_of(Project).to receive(:jobs_cache_index).and_return(1)
         end
 
-        it { is_expected.to be_an(Array).and all(include(key: "key_1")) }
+        it { is_expected.to be_an(Array).and all(include(key: "key-1")) }
       end
 
       context 'when project does not have jobs_cache_index' do
diff --git a/spec/models/concerns/protected_ref_access_spec.rb b/spec/models/concerns/protected_ref_access_spec.rb
new file mode 100644
index 00000000000..a62ca391e25
--- /dev/null
+++ b/spec/models/concerns/protected_ref_access_spec.rb
@@ -0,0 +1,31 @@
+require 'spec_helper'
+
+describe ProtectedRefAccess do
+  subject(:protected_ref_access) do
+    create(:protected_branch, :masters_can_push).push_access_levels.first
+  end
+
+  let(:project) { protected_ref_access.project }
+
+  describe '#check_access' do
+    it 'is always true for admins' do
+      admin = create(:admin)
+
+      expect(protected_ref_access.check_access(admin)).to be_truthy
+    end
+
+    it 'is true for masters' do
+      master = create(:user)
+      project.add_master(master)
+
+      expect(protected_ref_access.check_access(master)).to be_truthy
+    end
+
+    it 'is for developers of the project' do
+      developer = create(:user)
+      project.add_developer(developer)
+
+      expect(protected_ref_access.check_access(developer)).to be_falsy
+    end
+  end
+end
diff --git a/spec/models/issue_spec.rb b/spec/models/issue_spec.rb
index f5c9f551e65..feed7968f09 100644
--- a/spec/models/issue_spec.rb
+++ b/spec/models/issue_spec.rb
@@ -221,27 +221,55 @@ describe Issue do
   end
 
   describe '#referenced_merge_requests' do
-    it 'returns the referenced merge requests' do
-      project = create(:project, :public)
-
-      mr1 = create(:merge_request,
-                   source_project: project,
-                   source_branch:  'master',
-                   target_branch:  'feature')
+    let(:project) { create(:project, :public) }
+    let(:issue) do
+      create(:issue, description: merge_request.to_reference, project: project)
+    end
+    let!(:merge_request) do
+      create(:merge_request,
+             source_project: project,
+             source_branch:  'master',
+             target_branch:  'feature')
+    end
 
+    it 'returns the referenced merge requests' do
       mr2 = create(:merge_request,
                    source_project: project,
                    source_branch:  'feature',
                    target_branch:  'master')
 
-      issue = create(:issue, description: mr1.to_reference, project: project)
-
       create(:note_on_issue,
              noteable:   issue,
              note:       mr2.to_reference,
              project_id: project.id)
 
-      expect(issue.referenced_merge_requests).to eq([mr1, mr2])
+      expect(issue.referenced_merge_requests).to eq([merge_request, mr2])
+    end
+
+    it 'returns cross project referenced merge requests' do
+      other_project = create(:project, :public)
+      cross_project_merge_request = create(:merge_request, source_project: other_project)
+      create(:note_on_issue,
+             noteable:   issue,
+             note:       cross_project_merge_request.to_reference(issue.project),
+             project_id: issue.project.id)
+
+      expect(issue.referenced_merge_requests).to eq([merge_request, cross_project_merge_request])
+    end
+
+    it 'excludes cross project references if the user cannot read cross project' do
+      user = create(:user)
+      allow(Ability).to receive(:allowed?).and_call_original
+      expect(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
+
+      other_project = create(:project, :public)
+      cross_project_merge_request = create(:merge_request, source_project: other_project)
+      create(:note_on_issue,
+             noteable:   issue,
+             note:       cross_project_merge_request.to_reference(issue.project),
+             project_id: issue.project.id)
+
+      expect(issue.referenced_merge_requests(user)).to eq([merge_request])
     end
   end
 
@@ -309,7 +337,7 @@ describe Issue do
   end
 
   describe '#related_branches' do
-    let(:user) { build(:admin) }
+    let(:user) { create(:admin) }
 
     before do
       allow(subject.project.repository).to receive(:branch_names)
diff --git a/spec/models/notification_recipient_spec.rb b/spec/models/notification_recipient_spec.rb
new file mode 100644
index 00000000000..eda0e1da835
--- /dev/null
+++ b/spec/models/notification_recipient_spec.rb
@@ -0,0 +1,16 @@
+require 'spec_helper'
+
+describe NotificationRecipient do
+  let(:user) { create(:user) }
+  let(:project) { create(:project, namespace: user.namespace) }
+  let(:target) { create(:issue, project: project) }
+
+  subject(:recipient) { described_class.new(user, :watch, target: target, project: project) }
+
+  it 'denies access to a target when cross project access is denied' do
+    allow(Ability).to receive(:allowed?).and_call_original
+    expect(Ability).to receive(:allowed?).with(user, :read_cross_project, :global).and_return(false)
+
+    expect(recipient.has_access?).to be_falsy
+  end
+end
diff --git a/spec/models/pages_domain_spec.rb b/spec/models/pages_domain_spec.rb
index 9d12f96c642..95713d8b85b 100644
--- a/spec/models/pages_domain_spec.rb
+++ b/spec/models/pages_domain_spec.rb
@@ -1,6 +1,10 @@
 require 'spec_helper'
 
 describe PagesDomain do
+  using RSpec::Parameterized::TableSyntax
+
+  subject(:pages_domain) { described_class.new }
+
   describe 'associations' do
     it { is_expected.to belong_to(:project) }
   end
@@ -64,19 +68,51 @@ describe PagesDomain do
     end
   end
 
+  describe 'validations' do
+    it { is_expected.to validate_presence_of(:verification_code) }
+  end
+
+  describe '#verification_code' do
+    subject { pages_domain.verification_code }
+
+    it 'is set automatically with 128 bits of SecureRandom data' do
+      expect(SecureRandom).to receive(:hex).with(16) { 'verification code' }
+
+      is_expected.to eq('verification code')
+    end
+  end
+
+  describe '#keyed_verification_code' do
+    subject { pages_domain.keyed_verification_code }
+
+    it { is_expected.to eq("gitlab-pages-verification-code=#{pages_domain.verification_code}") }
+  end
+
+  describe '#verification_domain' do
+    subject { pages_domain.verification_domain }
+
+    it { is_expected.to be_nil }
+
+    it 'is a well-known subdomain if the domain is present' do
+      pages_domain.domain = 'example.com'
+
+      is_expected.to eq('_gitlab-pages-verification-code.example.com')
+    end
+  end
+
   describe '#url' do
     subject { domain.url }
 
     context 'without the certificate' do
       let(:domain) { build(:pages_domain, certificate: '') }
 
-      it { is_expected.to eq('http://my.domain.com') }
+      it { is_expected.to eq("http://#{domain.domain}") }
     end
 
     context 'with a certificate' do
       let(:domain) { build(:pages_domain, :with_certificate) }
 
-      it { is_expected.to eq('https://my.domain.com') }
+      it { is_expected.to eq("https://#{domain.domain}") }
     end
   end
 
@@ -154,4 +190,108 @@ describe PagesDomain do
     # We test only existence of output, since the output is long
     it { is_expected.not_to be_empty }
   end
+
+  describe '#update_daemon' do
+    it 'runs when the domain is created' do
+      domain = build(:pages_domain)
+
+      expect(domain).to receive(:update_daemon)
+
+      domain.save!
+    end
+
+    it 'runs when the domain is destroyed' do
+      domain = create(:pages_domain)
+
+      expect(domain).to receive(:update_daemon)
+
+      domain.destroy!
+    end
+
+    it 'delegates to Projects::UpdatePagesConfigurationService' do
+      service = instance_double('Projects::UpdatePagesConfigurationService')
+      expect(Projects::UpdatePagesConfigurationService).to receive(:new) { service }
+      expect(service).to receive(:execute)
+
+      create(:pages_domain)
+    end
+
+    context 'configuration updates when attributes change' do
+      set(:project1) { create(:project) }
+      set(:project2) { create(:project) }
+      set(:domain) { create(:pages_domain) }
+
+      where(:attribute, :old_value, :new_value, :update_expected) do
+        now = Time.now
+        future = now + 1.day
+
+        :project | nil       | :project1 | true
+        :project | :project1 | :project1 | false
+        :project | :project1 | :project2 | true
+        :project | :project1 | nil       | true
+
+        # domain can't be set to nil
+        :domain | 'a.com' | 'a.com' | false
+        :domain | 'a.com' | 'b.com' | true
+
+        # verification_code can't be set to nil
+        :verification_code | 'foo' | 'foo'  | false
+        :verification_code | 'foo' | 'bar'  | false
+
+        :verified_at | nil | now    | false
+        :verified_at | now | now    | false
+        :verified_at | now | future | false
+        :verified_at | now | nil    | false
+
+        :enabled_until | nil | now    | true
+        :enabled_until | now | now    | false
+        :enabled_until | now | future | false
+        :enabled_until | now | nil    | true
+      end
+
+      with_them do
+        it 'runs if a relevant attribute has changed' do
+          a = old_value.is_a?(Symbol) ? send(old_value) : old_value
+          b = new_value.is_a?(Symbol) ? send(new_value) : new_value
+
+          domain.update!(attribute => a)
+
+          if update_expected
+            expect(domain).to receive(:update_daemon)
+          else
+            expect(domain).not_to receive(:update_daemon)
+          end
+
+          domain.update!(attribute => b)
+        end
+      end
+
+      context 'TLS configuration' do
+        set(:domain_with_tls) { create(:pages_domain, :with_key, :with_certificate) }
+
+        let(:cert1) { domain_with_tls.certificate }
+        let(:cert2) { cert1 + ' ' }
+        let(:key1) { domain_with_tls.key }
+        let(:key2) { key1 + ' ' }
+
+        it 'updates when added' do
+          expect(domain).to receive(:update_daemon)
+
+          domain.update!(key: key1, certificate: cert1)
+        end
+
+        it 'updates when changed' do
+          expect(domain_with_tls).to receive(:update_daemon)
+
+          domain_with_tls.update!(key: key2, certificate: cert2)
+        end
+
+        it 'updates when removed' do
+          expect(domain_with_tls).to receive(:update_daemon)
+
+          domain_with_tls.update!(key: nil, certificate: nil)
+        end
+      end
+    end
+  end
 end
diff --git a/spec/models/project_services/prometheus_service_spec.rb b/spec/models/project_services/prometheus_service_spec.rb
index ed17e019d42..6693e5783a5 100644
--- a/spec/models/project_services/prometheus_service_spec.rb
+++ b/spec/models/project_services/prometheus_service_spec.rb
@@ -223,8 +223,8 @@ describe PrometheusService, :use_clean_rails_memory_store_caching do
 
       context 'with cluster for all environments without prometheus installed' do
         context 'without environment supplied' do
-          it 'raises PrometheusError because cluster was not found' do
-            expect { service.client }.to raise_error(Gitlab::PrometheusError, /couldn't find cluster with Prometheus installed/)
+          it 'raises PrometheusClient::Error because cluster was not found' do
+            expect { service.client }.to raise_error(Gitlab::PrometheusClient::Error, /couldn't find cluster with Prometheus installed/)
           end
         end
 
@@ -242,8 +242,8 @@ describe PrometheusService, :use_clean_rails_memory_store_caching do
         context 'with prod environment supplied' do
           let!(:environment) { create(:environment, project: project, name: 'prod') }
 
-          it 'raises PrometheusError because cluster was not found' do
-            expect { service.client }.to raise_error(Gitlab::PrometheusError, /couldn't find cluster with Prometheus installed/)
+          it 'raises PrometheusClient::Error because cluster was not found' do
+            expect { service.client }.to raise_error(Gitlab::PrometheusClient::Error, /couldn't find cluster with Prometheus installed/)
           end
         end
       end
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index ee04d74d848..56c2d7b953e 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -1473,6 +1473,13 @@ describe Project do
 
       expect(project.user_can_push_to_empty_repo?(user)).to be_truthy
     end
+
+    it 'returns false when the repo is not empty' do
+      project.add_master(user)
+      expect(project).to receive(:empty_repo?).and_return(false)
+
+      expect(project.user_can_push_to_empty_repo?(user)).to be_falsey
+    end
   end
 
   describe '#container_registry_url' do
diff --git a/spec/policies/issuable_policy_spec.rb b/spec/policies/issuable_policy_spec.rb
index 2cf669e8191..d1bf98995e7 100644
--- a/spec/policies/issuable_policy_spec.rb
+++ b/spec/policies/issuable_policy_spec.rb
@@ -1,12 +1,14 @@
 require 'spec_helper'
 
 describe IssuablePolicy, models: true do
+  let(:user) { create(:user) }
+  let(:project) { create(:project, :public) }
+  let(:issue) { create(:issue, project: project) }
+  let(:policies) { described_class.new(user, issue) }
+
   describe '#rules' do
     context 'when discussion is locked for the issuable' do
-      let(:user) { create(:user) }
-      let(:project) { create(:project, :public) }
       let(:issue) { create(:issue, project: project, discussion_locked: true) }
-      let(:policies) { described_class.new(user, issue) }
 
       context 'when the user is not a project member' do
         it 'can not create a note' do
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index a4af9361ea6..793b724bfca 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -30,41 +30,41 @@ describe IssuePolicy do
     end
 
     it 'does not allow non-members to read issues' do
-      expect(permissions(non_member, issue)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
-      expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+      expect(permissions(non_member, issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+      expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
     end
 
     it 'allows guests to read issues' do
-      expect(permissions(guest, issue)).to be_allowed(:read_issue)
+      expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid)
       expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue)
 
-      expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue)
+      expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
       expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue)
     end
 
     it 'allows reporters to read, update, and admin issues' do
-      expect(permissions(reporter, issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-      expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+      expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+      expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
     end
 
     it 'allows reporters from group links to read, update, and admin issues' do
-      expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-      expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+      expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+      expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
     end
 
     it 'allows issue authors to read and update their issues' do
-      expect(permissions(author, issue)).to be_allowed(:read_issue, :update_issue)
+      expect(permissions(author, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
       expect(permissions(author, issue)).to be_disallowed(:admin_issue)
 
-      expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue)
+      expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
       expect(permissions(author, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue)
     end
 
     it 'allows issue assignees to read and update their issues' do
-      expect(permissions(assignee, issue)).to be_allowed(:read_issue, :update_issue)
+      expect(permissions(assignee, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
       expect(permissions(assignee, issue)).to be_disallowed(:admin_issue)
 
-      expect(permissions(assignee, issue_no_assignee)).to be_allowed(:read_issue)
+      expect(permissions(assignee, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
       expect(permissions(assignee, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue)
     end
 
@@ -73,37 +73,37 @@ describe IssuePolicy do
       let(:confidential_issue_no_assignee) { create(:issue, :confidential, project: project) }
 
       it 'does not allow non-members to read confidential issues' do
-        expect(permissions(non_member, confidential_issue)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
-        expect(permissions(non_member, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(non_member, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+        expect(permissions(non_member, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
       end
 
       it 'does not allow guests to read confidential issues' do
-        expect(permissions(guest, confidential_issue)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
-        expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(guest, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+        expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
       end
 
       it 'allows reporters to read, update, and admin confidential issues' do
-        expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-        expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+        expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
       end
 
       it 'allows reporters from group links to read, update, and admin confidential issues' do
-        expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-        expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+        expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
       end
 
       it 'allows issue authors to read and update their confidential issues' do
-        expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :update_issue)
+        expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
         expect(permissions(author, confidential_issue)).to be_disallowed(:admin_issue)
 
-        expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
       end
 
       it 'allows issue assignees to read and update their confidential issues' do
-        expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :update_issue)
+        expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
         expect(permissions(assignee, confidential_issue)).to be_disallowed(:admin_issue)
 
-        expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
       end
     end
   end
@@ -123,36 +123,36 @@ describe IssuePolicy do
     end
 
     it 'allows guests to read issues' do
-      expect(permissions(guest, issue)).to be_allowed(:read_issue)
+      expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid)
       expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue)
 
-      expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue)
+      expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
       expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue)
     end
 
     it 'allows reporters to read, update, and admin issues' do
-      expect(permissions(reporter, issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-      expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+      expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+      expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
     end
 
     it 'allows reporters from group links to read, update, and admin issues' do
-      expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-      expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+      expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+      expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
     end
 
     it 'allows issue authors to read and update their issues' do
-      expect(permissions(author, issue)).to be_allowed(:read_issue, :update_issue)
+      expect(permissions(author, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
       expect(permissions(author, issue)).to be_disallowed(:admin_issue)
 
-      expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue)
+      expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
       expect(permissions(author, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue)
     end
 
     it 'allows issue assignees to read and update their issues' do
-      expect(permissions(assignee, issue)).to be_allowed(:read_issue, :update_issue)
+      expect(permissions(assignee, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
       expect(permissions(assignee, issue)).to be_disallowed(:admin_issue)
 
-      expect(permissions(assignee, issue_no_assignee)).to be_allowed(:read_issue)
+      expect(permissions(assignee, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
       expect(permissions(assignee, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue)
     end
 
@@ -161,32 +161,32 @@ describe IssuePolicy do
       let(:confidential_issue_no_assignee) { create(:issue, :confidential, project: project) }
 
       it 'does not allow guests to read confidential issues' do
-        expect(permissions(guest, confidential_issue)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
-        expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(guest, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+        expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
       end
 
       it 'allows reporters to read, update, and admin confidential issues' do
-        expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-        expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+        expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
       end
 
       it 'allows reporter from group links to read, update, and admin confidential issues' do
-        expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-        expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+        expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
       end
 
       it 'allows issue authors to read and update their confidential issues' do
-        expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :update_issue)
+        expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
         expect(permissions(author, confidential_issue)).to be_disallowed(:admin_issue)
 
-        expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
       end
 
       it 'allows issue assignees to read and update their confidential issues' do
-        expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :update_issue)
+        expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
         expect(permissions(assignee, confidential_issue)).to be_disallowed(:admin_issue)
 
-        expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
       end
     end
   end
diff --git a/spec/presenters/project_presenter_spec.rb b/spec/presenters/project_presenter_spec.rb
new file mode 100644
index 00000000000..f8c93d91ec5
--- /dev/null
+++ b/spec/presenters/project_presenter_spec.rb
@@ -0,0 +1,397 @@
+require 'spec_helper'
+
+describe ProjectPresenter do
+  let(:user) { create(:user) }
+
+  describe '#license_short_name' do
+    let(:project) { create(:project) }
+    let(:presenter) { described_class.new(project, current_user: user) }
+
+    context 'when project.repository has a license_key' do
+      it 'returns the nickname of the license if present' do
+        allow(project.repository).to receive(:license_key).and_return('agpl-3.0')
+
+        expect(presenter.license_short_name).to eq('GNU AGPLv3')
+      end
+
+      it 'returns the name of the license if nickname is not present' do
+        allow(project.repository).to receive(:license_key).and_return('mit')
+
+        expect(presenter.license_short_name).to eq('MIT License')
+      end
+    end
+
+    context 'when project.repository has no license_key but a license_blob' do
+      it 'returns LICENSE' do
+        allow(project.repository).to receive(:license_key).and_return(nil)
+
+        expect(presenter.license_short_name).to eq('LICENSE')
+      end
+    end
+  end
+
+  describe '#default_view' do
+    let(:presenter) { described_class.new(project, current_user: user) }
+
+    context 'user not signed in' do
+      let(:user) { nil }
+
+      context 'when repository is empty' do
+        let(:project) { create(:project_empty_repo, :public) }
+
+        it 'returns activity if user has repository access' do
+          allow(presenter).to receive(:can?).with(nil, :download_code, project).and_return(true)
+
+          expect(presenter.default_view).to eq('activity')
+        end
+
+        it 'returns activity if user does not have repository access' do
+          allow(project).to receive(:can?).with(nil, :download_code, project).and_return(false)
+
+          expect(presenter.default_view).to eq('activity')
+        end
+      end
+
+      context 'when repository is not empty' do
+        let(:project) { create(:project, :public, :repository) }
+
+        it 'returns files and readme if user has repository access' do
+          allow(presenter).to receive(:can?).with(nil, :download_code, project).and_return(true)
+
+          expect(presenter.default_view).to eq('files')
+        end
+
+        it 'returns activity if user does not have repository access' do
+          allow(presenter).to receive(:can?).with(nil, :download_code, project).and_return(false)
+
+          expect(presenter.default_view).to eq('activity')
+        end
+      end
+    end
+
+    context 'user signed in' do
+      let(:user) { create(:user, :readme) }
+      let(:project) { create(:project, :public, :repository) }
+
+      context 'when the user is allowed to see the code' do
+        it 'returns the project view' do
+          allow(presenter).to receive(:can?).with(user, :download_code, project).and_return(true)
+
+          expect(presenter.default_view).to eq('readme')
+        end
+      end
+
+      context 'with wikis enabled and the right policy for the user' do
+        before do
+          project.project_feature.update_attribute(:issues_access_level, 0)
+          allow(presenter).to receive(:can?).with(user, :download_code, project).and_return(false)
+        end
+
+        it 'returns wiki if the user has the right policy' do
+          allow(presenter).to receive(:can?).with(user, :read_wiki, project).and_return(true)
+
+          expect(presenter.default_view).to eq('wiki')
+        end
+
+        it 'returns customize_workflow if the user does not have the right policy' do
+          allow(presenter).to receive(:can?).with(user, :read_wiki, project).and_return(false)
+
+          expect(presenter.default_view).to eq('customize_workflow')
+        end
+      end
+
+      context 'with issues as a feature available' do
+        it 'return issues' do
+          allow(presenter).to receive(:can?).with(user, :download_code, project).and_return(false)
+          allow(presenter).to receive(:can?).with(user, :read_wiki, project).and_return(false)
+
+          expect(presenter.default_view).to eq('projects/issues/issues')
+        end
+      end
+
+      context 'with no activity, no wikies and no issues' do
+        it 'returns customize_workflow as default' do
+          project.project_feature.update_attribute(:issues_access_level, 0)
+          allow(presenter).to receive(:can?).with(user, :download_code, project).and_return(false)
+          allow(presenter).to receive(:can?).with(user, :read_wiki, project).and_return(false)
+
+          expect(presenter.default_view).to eq('customize_workflow')
+        end
+      end
+    end
+  end
+
+  describe '#can_current_user_push_code?' do
+    let(:project) { create(:project, :repository) }
+    let(:presenter) { described_class.new(project, current_user: user) }
+
+    context 'empty repo' do
+      let(:project) { create(:project) }
+
+      it 'returns true if user can push_code' do
+        project.add_developer(user)
+
+        expect(presenter.can_current_user_push_code?).to be(true)
+      end
+
+      it 'returns false if user cannot push_code' do
+        project.add_reporter(user)
+
+        expect(presenter.can_current_user_push_code?).to be(false)
+      end
+    end
+
+    context 'not empty repo' do
+      let(:project) { create(:project, :repository) }
+
+      it 'returns true if user can push to default branch' do
+        project.add_developer(user)
+
+        expect(presenter.can_current_user_push_code?).to be(true)
+      end
+
+      it 'returns false if default branch is protected' do
+        project.add_developer(user)
+        create(:protected_branch, project: project, name: project.default_branch)
+
+        expect(presenter.can_current_user_push_code?).to be(false)
+      end
+    end
+  end
+
+  context 'statistics anchors' do
+    let(:project) { create(:project, :repository) }
+    let(:presenter) { described_class.new(project, current_user: user) }
+
+    describe '#files_anchor_data' do
+      it 'returns files data' do
+        expect(presenter.files_anchor_data).to eq(OpenStruct.new(enabled: true,
+                                                                 label: 'Files (0 Bytes)',
+                                                                 link: presenter.project_tree_path(project)))
+      end
+    end
+
+    describe '#commits_anchor_data' do
+      it 'returns commits data' do
+        expect(presenter.commits_anchor_data).to eq(OpenStruct.new(enabled: true,
+                                                                   label: 'Commits (0)',
+                                                                   link: presenter.project_commits_path(project, project.repository.root_ref)))
+      end
+    end
+
+    describe '#branches_anchor_data' do
+      it 'returns branches data' do
+        expect(presenter.branches_anchor_data).to eq(OpenStruct.new(enabled: true,
+                                                                    label: "Branches (#{project.repository.branches.size})",
+                                                                    link: presenter.project_branches_path(project)))
+      end
+    end
+
+    describe '#tags_anchor_data' do
+      it 'returns tags data' do
+        expect(presenter.tags_anchor_data).to eq(OpenStruct.new(enabled: true,
+                                                                label: "Tags (#{project.repository.tags.size})",
+                                                                link: presenter.project_tags_path(project)))
+      end
+    end
+
+    describe '#new_file_anchor_data' do
+      it 'returns new file data if user can push' do
+        project.add_developer(user)
+
+        expect(presenter.new_file_anchor_data).to eq(OpenStruct.new(enabled: false,
+                                                                    label: "New file",
+                                                                    link: presenter.project_new_blob_path(project, 'master'),
+                                                                    class_modifier: 'new'))
+      end
+
+      it 'returns nil if user cannot push' do
+        expect(presenter.new_file_anchor_data).to be_nil
+      end
+    end
+
+    describe '#readme_anchor_data' do
+      context 'when user can push and README does not exists' do
+        it 'returns anchor data' do
+          project.add_developer(user)
+          allow(project.repository).to receive(:readme).and_return(nil)
+
+          expect(presenter.readme_anchor_data).to eq(OpenStruct.new(enabled: false,
+                                                                    label: 'Add Readme',
+                                                                    link: presenter.add_readme_path))
+        end
+      end
+
+      context 'when README exists' do
+        it 'returns anchor data' do
+          allow(project.repository).to receive(:readme).and_return(double(name: 'readme'))
+
+          expect(presenter.readme_anchor_data).to eq(OpenStruct.new(enabled: true,
+                                                                    label: 'Readme',
+                                                                    link: presenter.readme_path))
+        end
+      end
+    end
+
+    describe '#changelog_anchor_data' do
+      context 'when user can push and CHANGELOG does not exists' do
+        it 'returns anchor data' do
+          project.add_developer(user)
+          allow(project.repository).to receive(:changelog).and_return(nil)
+
+          expect(presenter.changelog_anchor_data).to eq(OpenStruct.new(enabled: false,
+                                                                       label: 'Add Changelog',
+                                                                       link: presenter.add_changelog_path))
+        end
+      end
+
+      context 'when CHANGELOG exists' do
+        it 'returns anchor data' do
+          allow(project.repository).to receive(:changelog).and_return(double(name: 'foo'))
+
+          expect(presenter.changelog_anchor_data).to eq(OpenStruct.new(enabled: true,
+                                                                       label: 'Changelog',
+                                                                       link: presenter.changelog_path))
+        end
+      end
+    end
+
+    describe '#license_anchor_data' do
+      context 'when user can push and LICENSE does not exists' do
+        it 'returns anchor data' do
+          project.add_developer(user)
+          allow(project.repository).to receive(:license_blob).and_return(nil)
+
+          expect(presenter.license_anchor_data).to eq(OpenStruct.new(enabled: false,
+                                                                     label: 'Add License',
+                                                                     link: presenter.add_license_path))
+        end
+      end
+
+      context 'when LICENSE exists' do
+        it 'returns anchor data' do
+          allow(project.repository).to receive(:license_blob).and_return(double(name: 'foo'))
+
+          expect(presenter.license_anchor_data).to eq(OpenStruct.new(enabled: true,
+                                                                     label: presenter.license_short_name,
+                                                                     link: presenter.license_path))
+        end
+      end
+    end
+
+    describe '#contribution_guide_anchor_data' do
+      context 'when user can push and CONTRIBUTING does not exists' do
+        it 'returns anchor data' do
+          project.add_developer(user)
+          allow(project.repository).to receive(:contribution_guide).and_return(nil)
+
+          expect(presenter.contribution_guide_anchor_data).to eq(OpenStruct.new(enabled: false,
+                                                                                label: 'Add Contribution guide',
+                                                                                link: presenter.add_contribution_guide_path))
+        end
+      end
+
+      context 'when CONTRIBUTING exists' do
+        it 'returns anchor data' do
+          allow(project.repository).to receive(:contribution_guide).and_return(double(name: 'foo'))
+
+          expect(presenter.contribution_guide_anchor_data).to eq(OpenStruct.new(enabled: true,
+                                                                                label: 'Contribution guide',
+                                                                                link: presenter.contribution_guide_path))
+        end
+      end
+    end
+
+    describe '#autodevops_anchor_data' do
+      context 'when Auto Devops is enabled' do
+        it 'returns anchor data' do
+          allow(project).to receive(:auto_devops_enabled?).and_return(true)
+
+          expect(presenter.autodevops_anchor_data).to eq(OpenStruct.new(enabled: true,
+                                                                        label: 'Auto DevOps enabled',
+                                                                        link: nil))
+        end
+      end
+
+      context 'when user can admin pipeline and CI yml does not exists' do
+        it 'returns anchor data' do
+          project.add_master(user)
+          allow(project).to receive(:auto_devops_enabled?).and_return(false)
+          allow(project.repository).to receive(:gitlab_ci_yml).and_return(nil)
+
+          expect(presenter.autodevops_anchor_data).to eq(OpenStruct.new(enabled: false,
+                                                                        label: 'Enable Auto DevOps',
+                                                                        link: presenter.project_settings_ci_cd_path(project, anchor: 'js-general-pipeline-settings')))
+        end
+      end
+    end
+
+    describe '#kubernetes_cluster_anchor_data' do
+      context 'when user can create Kubernetes cluster' do
+        it 'returns link to cluster if only one exists' do
+          project.add_master(user)
+          cluster = create(:cluster, projects: [project])
+
+          expect(presenter.kubernetes_cluster_anchor_data).to eq(OpenStruct.new(enabled: true,
+                                                                                label: 'Kubernetes configured',
+                                                                                link: presenter.project_cluster_path(project, cluster)))
+        end
+
+        it 'returns link to clusters page if more than one exists' do
+          project.add_master(user)
+          create(:cluster, projects: [project])
+          create(:cluster, projects: [project])
+
+          expect(presenter.kubernetes_cluster_anchor_data).to eq(OpenStruct.new(enabled: true,
+                                                                                label: 'Kubernetes configured',
+                                                                                link: presenter.project_clusters_path(project)))
+        end
+
+        it 'returns link to create a cluster if no cluster exists' do
+          project.add_master(user)
+
+          expect(presenter.kubernetes_cluster_anchor_data).to eq(OpenStruct.new(enabled: false,
+                                                                                label: 'Add Kubernetes cluster',
+                                                                                link: presenter.new_project_cluster_path(project)))
+        end
+      end
+
+      context 'when user cannot create Kubernetes cluster' do
+        it 'returns nil' do
+          expect(presenter.kubernetes_cluster_anchor_data).to be_nil
+        end
+      end
+    end
+
+    describe '#koding_anchor_data' do
+      it 'returns link to setup Koding if user can push and no koding YML exists' do
+        project.add_developer(user)
+        allow(project.repository).to receive(:koding_yml).and_return(nil)
+        allow(Gitlab::CurrentSettings).to receive(:koding_enabled?).and_return(true)
+
+        expect(presenter.koding_anchor_data).to eq(OpenStruct.new(enabled: false,
+                                                                  label: 'Set up Koding',
+                                                                  link: presenter.add_koding_stack_path))
+      end
+
+      it 'returns nil if user cannot push' do
+        expect(presenter.koding_anchor_data).to be_nil
+      end
+
+      it 'returns nil if koding is not enabled' do
+        project.add_developer(user)
+        allow(Gitlab::CurrentSettings).to receive(:koding_enabled?).and_return(false)
+
+        expect(presenter.koding_anchor_data).to be_nil
+      end
+
+      it 'returns nil if koding YML already exists' do
+        project.add_developer(user)
+        allow(project.repository).to receive(:koding_yml).and_return(double)
+        allow(Gitlab::CurrentSettings).to receive(:koding_enabled?).and_return(true)
+
+        expect(presenter.koding_anchor_data).to be_nil
+      end
+    end
+  end
+end
diff --git a/spec/requests/api/internal_spec.rb b/spec/requests/api/internal_spec.rb
index c7df6251d74..827f4c04324 100644
--- a/spec/requests/api/internal_spec.rb
+++ b/spec/requests/api/internal_spec.rb
@@ -3,7 +3,7 @@ require 'spec_helper'
 describe API::Internal do
   let(:user) { create(:user) }
   let(:key) { create(:key, user: user) }
-  let(:project) { create(:project, :repository) }
+  let(:project) { create(:project, :repository, :wiki_repo) }
   let(:secret_token) { Gitlab::Shell.secret_token }
   let(:gl_repository) { "project-#{project.id}" }
   let(:reference_counter) { double('ReferenceCounter') }
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index 942e5b2bb1b..c6fdda203ad 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -150,7 +150,7 @@ describe 'Git HTTP requests' do
       let(:path) { "/#{wiki.repository.full_path}.git" }
 
       context "when the project is public" do
-        let(:project) { create(:project, :repository, :public, :wiki_enabled) }
+        let(:project) { create(:project, :wiki_repo, :public, :wiki_enabled) }
 
         it_behaves_like 'pushes require Basic HTTP Authentication'
 
@@ -177,7 +177,7 @@ describe 'Git HTTP requests' do
             end
 
             context 'but the repo is disabled' do
-              let(:project) { create(:project, :repository, :public, :repository_disabled, :wiki_enabled) }
+              let(:project) { create(:project, :wiki_repo, :public, :repository_disabled, :wiki_enabled) }
 
               it_behaves_like 'pulls are allowed'
               it_behaves_like 'pushes are allowed'
@@ -198,7 +198,7 @@ describe 'Git HTTP requests' do
       end
 
       context "when the project is private" do
-        let(:project) { create(:project, :repository, :private, :wiki_enabled) }
+        let(:project) { create(:project, :wiki_repo, :private, :wiki_enabled) }
 
         it_behaves_like 'pulls require Basic HTTP Authentication'
         it_behaves_like 'pushes require Basic HTTP Authentication'
@@ -210,7 +210,7 @@ describe 'Git HTTP requests' do
             end
 
             context 'but the repo is disabled' do
-              let(:project) { create(:project, :repository, :private, :repository_disabled, :wiki_enabled) }
+              let(:project) { create(:project, :wiki_repo, :private, :repository_disabled, :wiki_enabled) }
 
               it 'allows clones' do
                 download(path, user: user.username, password: user.password) do |response|
diff --git a/spec/routing/routing_spec.rb b/spec/routing/routing_spec.rb
index 91aefa84d0e..56d025f0176 100644
--- a/spec/routing/routing_spec.rb
+++ b/spec/routing/routing_spec.rb
@@ -37,6 +37,22 @@ describe UsersController, "routing" do
   it "to #calendar_activities" do
     expect(get("/users/User/calendar_activities")).to route_to('users#calendar_activities', username: 'User')
   end
+
+  describe 'redirect alias routes' do
+    include RSpec::Rails::RequestExampleGroup
+
+    it '/u/user1 redirects to /user1' do
+      expect(get("/u/user1")).to redirect_to('/user1')
+    end
+
+    it '/u/user1/groups redirects to /user1/groups' do
+      expect(get("/u/user1/groups")).to redirect_to('/users/user1/groups')
+    end
+
+    it '/u/user1/projects redirects to /user1/projects' do
+      expect(get("/u/user1/projects")).to redirect_to('/users/user1/projects')
+    end
+  end
 end
 
 # search GET    /search(.:format) search#show
diff --git a/spec/services/merge_requests/create_from_issue_service_spec.rb b/spec/services/merge_requests/create_from_issue_service_spec.rb
index 75553afc033..38d84cf0ceb 100644
--- a/spec/services/merge_requests/create_from_issue_service_spec.rb
+++ b/spec/services/merge_requests/create_from_issue_service_spec.rb
@@ -24,7 +24,7 @@ describe MergeRequests::CreateFromIssueService do
     end
 
     it 'delegates issue search to IssuesFinder' do
-      expect_any_instance_of(IssuesFinder).to receive(:execute).once.and_call_original
+      expect_any_instance_of(IssuesFinder).to receive(:find_by).once.and_call_original
 
       described_class.new(project, user, issue_iid: -1).execute
     end
diff --git a/spec/services/notification_service_spec.rb b/spec/services/notification_service_spec.rb
index 836ffb7cea0..62fdf870090 100644
--- a/spec/services/notification_service_spec.rb
+++ b/spec/services/notification_service_spec.rb
@@ -1678,6 +1678,78 @@ describe NotificationService, :mailer do
     end
   end
 
+  describe 'Pages domains' do
+    set(:project) { create(:project) }
+    set(:domain) { create(:pages_domain, project: project) }
+    set(:u_blocked) { create(:user, :blocked) }
+    set(:u_silence) { create_user_with_notification(:disabled, 'silent', project) }
+    set(:u_owner)   { project.owner }
+    set(:u_master1) { create(:user) }
+    set(:u_master2) { create(:user) }
+    set(:u_developer) { create(:user) }
+
+    before do
+      project.add_master(u_blocked)
+      project.add_master(u_silence)
+      project.add_master(u_master1)
+      project.add_master(u_master2)
+      project.add_developer(u_developer)
+
+      reset_delivered_emails!
+    end
+
+    %i[
+      pages_domain_enabled
+      pages_domain_disabled
+      pages_domain_verification_succeeded
+      pages_domain_verification_failed
+    ].each do |sym|
+      describe "##{sym}" do
+        subject(:notify!) { notification.send(sym, domain) }
+
+        it 'emails current watching masters' do
+          expect(Notify).to receive(:"#{sym}_email").at_least(:once).and_call_original
+
+          notify!
+
+          should_only_email(u_master1, u_master2, u_owner)
+        end
+
+        it 'emails nobody if the project is missing' do
+          domain.project = nil
+
+          notify!
+
+          should_not_email_anyone
+        end
+      end
+    end
+
+    describe '#pages_domain_verification_failed' do
+      it 'emails current watching masters' do
+        notification.pages_domain_verification_failed(domain)
+
+        should_only_email(u_master1, u_master2, u_owner)
+      end
+    end
+
+    describe '#pages_domain_enabled' do
+      it 'emails current watching masters' do
+        notification.pages_domain_enabled(domain)
+
+        should_only_email(u_master1, u_master2, u_owner)
+      end
+    end
+
+    describe '#pages_domain_disabled' do
+      it 'emails current watching masters' do
+        notification.pages_domain_disabled(domain)
+
+        should_only_email(u_master1, u_master2, u_owner)
+      end
+    end
+  end
+
   def build_team(project)
     @u_watcher               = create_global_setting_for(create(:user), :watch)
     @u_participating         = create_global_setting_for(create(:user), :participating)
diff --git a/spec/services/quick_actions/interpret_service_spec.rb b/spec/services/quick_actions/interpret_service_spec.rb
index ae160d104f1..f793f55e51b 100644
--- a/spec/services/quick_actions/interpret_service_spec.rb
+++ b/spec/services/quick_actions/interpret_service_spec.rb
@@ -522,6 +522,22 @@ describe QuickActions::InterpretService do
       let(:issuable) { merge_request }
     end
 
+    context 'only group milestones available' do
+      let(:group) { create(:group) }
+      let(:project) { create(:project, :public, namespace: group) }
+      let(:milestone) { create(:milestone, group: group, title: '10.0') }
+
+      it_behaves_like 'milestone command' do
+        let(:content) { "/milestone %#{milestone.title}" }
+        let(:issuable) { issue }
+      end
+
+      it_behaves_like 'milestone command' do
+        let(:content) { "/milestone %#{milestone.title}" }
+        let(:issuable) { merge_request }
+      end
+    end
+
     it_behaves_like 'remove_milestone command' do
       let(:content) { '/remove_milestone' }
       let(:issuable) { issue }
diff --git a/spec/services/todo_service_spec.rb b/spec/services/todo_service_spec.rb
index 5e6c24f5730..562b89e6767 100644
--- a/spec/services/todo_service_spec.rb
+++ b/spec/services/todo_service_spec.rb
@@ -943,7 +943,8 @@ describe TodoService do
 
       described_class.new.mark_todos_as_done_by_ids(todo, john_doe)
 
-      expect_any_instance_of(TodosFinder).not_to receive(:execute)
+      # Make sure no TodosFinder is inialized to perform counting
+      expect(TodosFinder).not_to receive(:new)
 
       expect(john_doe.todos_done_count).to eq(1)
       expect(john_doe.todos_pending_count).to eq(1)
diff --git a/spec/services/verify_pages_domain_service_spec.rb b/spec/services/verify_pages_domain_service_spec.rb
new file mode 100644
index 00000000000..576db1dde2d
--- /dev/null
+++ b/spec/services/verify_pages_domain_service_spec.rb
@@ -0,0 +1,270 @@
+require 'spec_helper'
+
+describe VerifyPagesDomainService do
+  using RSpec::Parameterized::TableSyntax
+  include EmailHelpers
+
+  let(:error_status) { { status: :error, message: "Couldn't verify #{domain.domain}" } }
+
+  subject(:service) { described_class.new(domain) }
+
+  describe '#execute' do
+    context 'verification code recognition (verified domain)' do
+      where(:domain_sym, :code_sym) do
+        :domain | :verification_code
+        :domain | :keyed_verification_code
+
+        :verification_domain | :verification_code
+        :verification_domain | :keyed_verification_code
+      end
+
+      with_them do
+        set(:domain) { create(:pages_domain) }
+
+        let(:domain_name) { domain.send(domain_sym) }
+        let(:verification_code) { domain.send(code_sym) }
+
+        it 'verifies and enables the domain' do
+          stub_resolver(domain_name => ['something else', verification_code])
+
+          expect(service.execute).to eq(status: :success)
+          expect(domain).to be_verified
+          expect(domain).to be_enabled
+        end
+
+        it 'verifies and enables when the code is contained partway through a TXT record' do
+          stub_resolver(domain_name => "something #{verification_code} else")
+
+          expect(service.execute).to eq(status: :success)
+          expect(domain).to be_verified
+          expect(domain).to be_enabled
+        end
+
+        it 'does not verify when the code is not present' do
+          stub_resolver(domain_name => 'something else')
+
+          expect(service.execute).to eq(error_status)
+
+          expect(domain).not_to be_verified
+          expect(domain).to be_enabled
+        end
+      end
+
+      context 'verified domain' do
+        set(:domain) { create(:pages_domain) }
+
+        it 'unverifies (but does not disable) when the right code is not present' do
+          stub_resolver(domain.domain => 'something else')
+
+          expect(service.execute).to eq(error_status)
+          expect(domain).not_to be_verified
+          expect(domain).to be_enabled
+        end
+
+        it 'unverifies (but does not disable) when no records are present' do
+          stub_resolver
+
+          expect(service.execute).to eq(error_status)
+          expect(domain).not_to be_verified
+          expect(domain).to be_enabled
+        end
+      end
+
+      context 'expired domain' do
+        set(:domain) { create(:pages_domain, :expired) }
+
+        it 'verifies and enables when the right code is present' do
+          stub_resolver(domain.domain => domain.keyed_verification_code)
+
+          expect(service.execute).to eq(status: :success)
+
+          expect(domain).to be_verified
+          expect(domain).to be_enabled
+        end
+
+        it 'disables when the right code is not present' do
+          error_status[:message] += '. It is now disabled.'
+
+          stub_resolver
+
+          expect(service.execute).to eq(error_status)
+
+          expect(domain).not_to be_verified
+          expect(domain).not_to be_enabled
+        end
+      end
+    end
+
+    context 'timeout behaviour' do
+      let(:domain) { create(:pages_domain) }
+
+      it 'sets a timeout on the DNS query' do
+        expect(stub_resolver).to receive(:timeouts=).with(described_class::RESOLVER_TIMEOUT_SECONDS)
+
+        service.execute
+      end
+    end
+
+    context 'email notifications' do
+      let(:notification_service) { instance_double('NotificationService') }
+
+      where(:factory, :verification_succeeds, :expected_notification) do
+        nil         | true  | nil
+        nil         | false | :verification_failed
+        :reverify   | true  | nil
+        :reverify   | false | :verification_failed
+        :unverified | true  | :verification_succeeded
+        :unverified | false | nil
+        :expired    | true  | nil
+        :expired    | false | :disabled
+        :disabled   | true  | :enabled
+        :disabled   | false | nil
+      end
+
+      with_them do
+        let(:domain) { create(:pages_domain, *[factory].compact) }
+
+        before do
+          allow(service).to receive(:notification_service) { notification_service }
+
+          if verification_succeeds
+            stub_resolver(domain.domain => domain.verification_code)
+          else
+            stub_resolver
+          end
+        end
+
+        it 'sends a notification if appropriate' do
+          if expected_notification
+            expect(notification_service).to receive(:"pages_domain_#{expected_notification}").with(domain)
+          end
+
+          service.execute
+        end
+      end
+
+      context 'pages verification disabled' do
+        let(:domain) { create(:pages_domain, :disabled) }
+
+        before do
+          stub_application_setting(pages_domain_verification_enabled: false)
+          allow(service).to receive(:notification_service) { notification_service }
+        end
+
+        it 'skips email notifications' do
+          expect(notification_service).not_to receive(:pages_domain_enabled)
+
+          service.execute
+        end
+      end
+    end
+
+    context 'pages configuration updates' do
+      context 'enabling a disabled domain' do
+        let(:domain) { create(:pages_domain, :disabled) }
+
+        it 'schedules an update' do
+          stub_resolver(domain.domain => domain.verification_code)
+
+          expect(domain).to receive(:update_daemon)
+
+          service.execute
+        end
+      end
+
+      context 'verifying an enabled domain' do
+        let(:domain) { create(:pages_domain) }
+
+        it 'schedules an update' do
+          stub_resolver(domain.domain => domain.verification_code)
+
+          expect(domain).not_to receive(:update_daemon)
+
+          service.execute
+        end
+      end
+
+      context 'disabling an expired domain' do
+        let(:domain) { create(:pages_domain, :expired) }
+
+        it 'schedules an update' do
+          stub_resolver
+
+          expect(domain).to receive(:update_daemon)
+
+          service.execute
+        end
+      end
+
+      context 'failing to verify a disabled domain' do
+        let(:domain) { create(:pages_domain, :disabled) }
+
+        it 'does not schedule an update' do
+          stub_resolver
+
+          expect(domain).not_to receive(:update_daemon)
+
+          service.execute
+        end
+      end
+    end
+
+    context 'no verification code' do
+      let(:domain) { create(:pages_domain) }
+
+      it 'returns an error' do
+        domain.verification_code = ''
+
+        disallow_resolver!
+
+        expect(service.execute).to eq(status: :error, message: "No verification code set for #{domain.domain}")
+      end
+    end
+
+    context 'pages domain verification is disabled' do
+      let(:domain) { create(:pages_domain, :disabled) }
+
+      before do
+        stub_application_setting(pages_domain_verification_enabled: false)
+      end
+
+      it 'extends domain validity by unconditionally reverifying' do
+        disallow_resolver!
+
+        service.execute
+
+        expect(domain).to be_verified
+        expect(domain).to be_enabled
+      end
+
+      it 'does not shorten any grace period' do
+        grace = Time.now + 1.year
+        domain.update!(enabled_until: grace)
+        disallow_resolver!
+
+        service.execute
+
+        expect(domain.enabled_until).to be_like_time(grace)
+      end
+    end
+  end
+
+  def disallow_resolver!
+    expect(Resolv::DNS).not_to receive(:open)
+  end
+
+  def stub_resolver(stubbed_lookups = {})
+    resolver = instance_double('Resolv::DNS')
+    allow(resolver).to receive(:timeouts=)
+
+    expect(Resolv::DNS).to receive(:open).and_yield(resolver)
+
+    allow(resolver).to receive(:getresources) { [] }
+    stubbed_lookups.each do |domain, records|
+      records = Array(records).map { |txt| Resolv::DNS::Resource::IN::TXT.new(txt) }
+      allow(resolver).to receive(:getresources).with(domain, Resolv::DNS::Resource::IN::TXT) { records }
+    end
+
+    resolver
+  end
+end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 85de0a14631..c0f3366fb52 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -154,6 +154,22 @@ RSpec.configure do |config|
     Sidekiq.redis(&:flushall)
   end
 
+  # The :each scope runs "inside" the example, so this hook ensures the DB is in the
+  # correct state before any examples' before hooks are called. This prevents a
+  # problem where `ScheduleIssuesClosedAtTypeChange` (or any migration that depends
+  # on background migrations being run inline during test setup) can be broken by
+  # altering Sidekiq behavior in an unrelated spec like so:
+  #
+  # around do |example|
+  #   Sidekiq::Testing.fake! do
+  #     example.run
+  #   end
+  # end
+  config.before(:context, :migration) do
+    schema_migrate_down!
+  end
+
+  # Each example may call `migrate!`, so we must ensure we are migrated down every time
   config.before(:each, :migration) do
     schema_migrate_down!
   end
@@ -169,6 +185,14 @@ RSpec.configure do |config|
   config.around(:each, :postgresql) do |example|
     example.run if Gitlab::Database.postgresql?
   end
+
+  # This makes sure the `ApplicationController#can?` method is stubbed with the
+  # original implementation for all view specs.
+  config.before(:each, type: :view) do
+    allow(view).to receive(:can?) do |*args|
+      Ability.allowed?(*args)
+    end
+  end
 end
 
 # add simpler way to match asset paths containing digest strings
diff --git a/spec/support/migrations_helpers/track_untracked_uploads_helpers.rb b/spec/support/migrations_helpers/track_untracked_uploads_helpers.rb
new file mode 100644
index 00000000000..016bcfa9b1b
--- /dev/null
+++ b/spec/support/migrations_helpers/track_untracked_uploads_helpers.rb
@@ -0,0 +1,128 @@
+module MigrationsHelpers
+  module TrackUntrackedUploadsHelpers
+    PUBLIC_DIR = File.join(Rails.root, 'tmp', 'tests', 'public')
+    UPLOADS_DIR = File.join(PUBLIC_DIR, 'uploads')
+    SYSTEM_DIR = File.join(UPLOADS_DIR, '-', 'system')
+    UPLOAD_FILENAME = 'image.png'.freeze
+    FIXTURE_FILE_PATH = File.join(Rails.root, 'spec', 'fixtures', 'dk.png')
+    FIXTURE_CHECKSUM = 'b804383982bb89b00e828e3f44c038cc991d3d1768009fc39ba8e2c081b9fb75'.freeze
+
+    def create_or_update_appearance(logo: false, header_logo: false)
+      appearance = appearances.first_or_create(title: 'foo', description: 'bar', logo: (UPLOAD_FILENAME if logo), header_logo: (UPLOAD_FILENAME if header_logo))
+
+      add_upload(appearance, 'Appearance', 'logo', 'AttachmentUploader') if logo
+      add_upload(appearance, 'Appearance', 'header_logo', 'AttachmentUploader') if header_logo
+
+      appearance
+    end
+
+    def create_group(avatar: false)
+      index = unique_index(:group)
+      group = namespaces.create(name: "group#{index}", path: "group#{index}", avatar: (UPLOAD_FILENAME if avatar))
+
+      add_upload(group, 'Group', 'avatar', 'AvatarUploader') if avatar
+
+      group
+    end
+
+    def create_note(attachment: false)
+      note = notes.create(attachment: (UPLOAD_FILENAME if attachment))
+
+      add_upload(note, 'Note', 'attachment', 'AttachmentUploader') if attachment
+
+      note
+    end
+
+    def create_project(avatar: false)
+      group = create_group
+      project = projects.create(namespace_id: group.id, path: "project#{unique_index(:project)}", avatar: (UPLOAD_FILENAME if avatar))
+      routes.create(path: "#{group.path}/#{project.path}", source_id: project.id, source_type: 'Project') # so Project.find_by_full_path works
+
+      add_upload(project, 'Project', 'avatar', 'AvatarUploader') if avatar
+
+      project
+    end
+
+    def create_user(avatar: false)
+      user = users.create(email: "foo#{unique_index(:user)}@bar.com", avatar: (UPLOAD_FILENAME if avatar), projects_limit: 100)
+
+      add_upload(user, 'User', 'avatar', 'AvatarUploader') if avatar
+
+      user
+    end
+
+    def unique_index(name = :unnamed)
+      @unique_index ||= {}
+      @unique_index[name] ||= 0
+      @unique_index[name] += 1
+    end
+
+    def add_upload(model, model_type, attachment_type, uploader)
+      file_path = upload_file_path(model, model_type, attachment_type)
+      path_relative_to_public = file_path.sub("#{PUBLIC_DIR}/", '')
+      create_file(file_path)
+
+      uploads.create!(
+        size: 1062,
+        path: path_relative_to_public,
+        model_id: model.id,
+        model_type: model_type == 'Group' ? 'Namespace' : model_type,
+        uploader: uploader,
+        checksum: FIXTURE_CHECKSUM
+      )
+    end
+
+    def add_markdown_attachment(project, hashed_storage: false)
+      project_dir = hashed_storage ? hashed_project_uploads_dir(project) : legacy_project_uploads_dir(project)
+      attachment_dir = File.join(project_dir, SecureRandom.hex)
+      attachment_file_path = File.join(attachment_dir, UPLOAD_FILENAME)
+      project_attachment_path_relative_to_project = attachment_file_path.sub("#{project_dir}/", '')
+      create_file(attachment_file_path)
+
+      uploads.create!(
+        size: 1062,
+        path: project_attachment_path_relative_to_project,
+        model_id: project.id,
+        model_type: 'Project',
+        uploader: 'FileUploader',
+        checksum: FIXTURE_CHECKSUM
+      )
+    end
+
+    def legacy_project_uploads_dir(project)
+      namespace = namespaces.find_by(id: project.namespace_id)
+      File.join(UPLOADS_DIR, namespace.path, project.path)
+    end
+
+    def hashed_project_uploads_dir(project)
+      File.join(UPLOADS_DIR, '@hashed', 'aa', 'aaaaaaaaaaaa')
+    end
+
+    def upload_file_path(model, model_type, attachment_type)
+      dir = File.join(upload_dir(model_type.downcase, attachment_type.to_s), model.id.to_s)
+      File.join(dir, UPLOAD_FILENAME)
+    end
+
+    def upload_dir(model_type, attachment_type)
+      File.join(SYSTEM_DIR, model_type, attachment_type)
+    end
+
+    def create_file(path)
+      File.delete(path) if File.exist?(path)
+      FileUtils.mkdir_p(File.dirname(path))
+      FileUtils.cp(FIXTURE_FILE_PATH, path)
+    end
+
+    def get_uploads(model, model_type)
+      uploads.where(model_type: model_type, model_id: model.id)
+    end
+
+    def get_full_path(project)
+      routes.find_by(source_id: project.id, source_type: 'Project').path
+    end
+
+    def ensure_temporary_tracking_table_exists
+      Gitlab::BackgroundMigration::PrepareUntrackedUploads.new.send(:ensure_temporary_tracking_table_exists)
+    end
+  end
+end
diff --git a/spec/support/prometheus/additional_metrics_shared_examples.rb b/spec/support/prometheus/additional_metrics_shared_examples.rb
index dbbd4ad4d40..c7c3346d39e 100644
--- a/spec/support/prometheus/additional_metrics_shared_examples.rb
+++ b/spec/support/prometheus/additional_metrics_shared_examples.rb
@@ -12,11 +12,12 @@ RSpec.shared_examples 'additional metrics query' do
 
   let(:client) { double('prometheus_client') }
   let(:query_result) { described_class.new(client).query(*query_params) }
-  let(:environment) { create(:environment, slug: 'environment-slug') }
+  let(:project) { create(:project) }
+  let(:environment) { create(:environment, slug: 'environment-slug', project: project) }
 
   before do
     allow(client).to receive(:label_values).and_return(metric_names)
-    allow(metric_group_class).to receive(:all).and_return([simple_metric_group(metrics: [simple_metric])])
+    allow(metric_group_class).to receive(:common_metrics).and_return([simple_metric_group(metrics: [simple_metric])])
   end
 
   context 'metrics query context' do
@@ -24,13 +25,14 @@ RSpec.shared_examples 'additional metrics query' do
 
     shared_examples 'query context containing environment slug and filter' do
       it 'contains ci_environment_slug' do
-        expect(subject).to receive(:query_metrics).with(hash_including(ci_environment_slug: environment.slug))
+        expect(subject).to receive(:query_metrics).with(project, hash_including(ci_environment_slug: environment.slug))
 
         subject.query(*query_params)
       end
 
       it 'contains environment filter' do
         expect(subject).to receive(:query_metrics).with(
+          project,
           hash_including(
             environment_filter: "container_name!=\"POD\",environment=\"#{environment.slug}\""
           )
@@ -48,7 +50,7 @@ RSpec.shared_examples 'additional metrics query' do
         it_behaves_like 'query context containing environment slug and filter'
 
         it 'query context contains kube_namespace' do
-          expect(subject).to receive(:query_metrics).with(hash_including(kube_namespace: kube_namespace))
+          expect(subject).to receive(:query_metrics).with(project, hash_including(kube_namespace: kube_namespace))
 
           subject.query(*query_params)
         end
@@ -72,7 +74,7 @@ RSpec.shared_examples 'additional metrics query' do
       it_behaves_like 'query context containing environment slug and filter'
 
       it 'query context contains empty kube_namespace' do
-        expect(subject).to receive(:query_metrics).with(hash_including(kube_namespace: ''))
+        expect(subject).to receive(:query_metrics).with(project, hash_including(kube_namespace: ''))
 
         subject.query(*query_params)
       end
@@ -81,7 +83,7 @@ RSpec.shared_examples 'additional metrics query' do
 
   context 'with one group where two metrics is found' do
     before do
-      allow(metric_group_class).to receive(:all).and_return([simple_metric_group])
+      allow(metric_group_class).to receive(:common_metrics).and_return([simple_metric_group])
     end
 
     context 'some queries return results' do
@@ -117,7 +119,7 @@ RSpec.shared_examples 'additional metrics query' do
     let(:metrics) { [simple_metric(queries: [simple_query])] }
 
     before do
-      allow(metric_group_class).to receive(:all).and_return(
+      allow(metric_group_class).to receive(:common_metrics).and_return(
         [
           simple_metric_group(name: 'group_a', metrics: [simple_metric(queries: [simple_query])]),
           simple_metric_group(name: 'group_b', metrics: [simple_metric(title: 'title_b', queries: [simple_query('b')])])
diff --git a/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb b/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb
index 7ce80c82439..ea7dbade171 100644
--- a/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb
@@ -89,6 +89,19 @@ shared_examples 'handle uploads' do
           end
         end
 
+        context "when neither the uploader nor the model exists" do
+          before do
+            allow_any_instance_of(Upload).to receive(:build_uploader).and_return(nil)
+            allow(controller).to receive(:find_model).and_return(nil)
+          end
+
+          it "responds with status 404" do
+            show_upload
+
+            expect(response).to have_gitlab_http_status(404)
+          end
+        end
+
         context "when the file doesn't exist" do
           before do
             allow_any_instance_of(FileUploader).to receive(:exists?).and_return(false)
diff --git a/spec/support/snippet_visibility.rb b/spec/support/snippet_visibility.rb
index 1cb904823d2..3a7c69b7877 100644
--- a/spec/support/snippet_visibility.rb
+++ b/spec/support/snippet_visibility.rb
@@ -252,6 +252,15 @@ RSpec.shared_examples 'snippet visibility' do
           results = described_class.new(user).execute
           expect(results.include?(snippet)).to eq(outcome)
         end
+
+        it 'returns no snippets when the user cannot read cross project' do
+          allow(Ability).to receive(:allowed?).and_call_original
+          allow(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
+
+          snippets = described_class.new(user).execute
+
+          expect(snippets).to be_empty
+        end
       end
     end
   end
@@ -298,6 +307,15 @@ RSpec.shared_examples 'snippet visibility' do
           results = described_class.new(user).execute
           expect(results.include?(snippet)).to eq(outcome)
         end
+
+        it 'should return personal snippets when the user cannot read cross project' do
+          allow(Ability).to receive(:allowed?).and_call_original
+          allow(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
+
+          results = described_class.new(user).execute
+
+          expect(results.include?(snippet)).to eq(outcome)
+        end
       end
     end
   end
diff --git a/spec/support/track_untracked_uploads_helpers.rb b/spec/support/track_untracked_uploads_helpers.rb
deleted file mode 100644
index a8b3ed1f41c..00000000000
--- a/spec/support/track_untracked_uploads_helpers.rb
+++ /dev/null
@@ -1,16 +0,0 @@
-module TrackUntrackedUploadsHelpers
-  def uploaded_file
-    fixture_path = Rails.root.join('spec/fixtures/rails_sample.jpg')
-    fixture_file_upload(fixture_path)
-  end
-
-  def ensure_temporary_tracking_table_exists
-    Gitlab::BackgroundMigration::PrepareUntrackedUploads.new.send(:ensure_temporary_tracking_table_exists)
-  end
-
-  def create_or_update_appearance(attrs)
-    a = Appearance.first_or_initialize(title: 'foo', description: 'bar')
-    a.update!(attrs)
-    a
-  end
-end
diff --git a/spec/views/shared/projects/_project.html.haml_spec.rb b/spec/views/shared/projects/_project.html.haml_spec.rb
index f0a4f153699..3b14045e61f 100644
--- a/spec/views/shared/projects/_project.html.haml_spec.rb
+++ b/spec/views/shared/projects/_project.html.haml_spec.rb
@@ -5,6 +5,7 @@ describe 'shared/projects/_project.html.haml' do
 
   before do
     allow(view).to receive(:current_application_settings).and_return(Gitlab::CurrentSettings.current_application_settings)
+    allow(view).to receive(:can?) { true }
   end
 
   it 'should render creator avatar if project has a creator' do
diff --git a/spec/workers/pages_domain_verification_cron_worker_spec.rb b/spec/workers/pages_domain_verification_cron_worker_spec.rb
new file mode 100644
index 00000000000..8f780428c82
--- /dev/null
+++ b/spec/workers/pages_domain_verification_cron_worker_spec.rb
@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+describe PagesDomainVerificationCronWorker do
+  subject(:worker) { described_class.new }
+
+  describe '#perform' do
+    it 'enqueues a PagesDomainVerificationWorker for domains needing verification' do
+      verified = create(:pages_domain)
+      reverify = create(:pages_domain, :reverify)
+      disabled = create(:pages_domain, :disabled)
+
+      [reverify, disabled].each do |domain|
+        expect(PagesDomainVerificationWorker).to receive(:perform_async).with(domain.id)
+      end
+
+      expect(PagesDomainVerificationWorker).not_to receive(:perform_async).with(verified.id)
+
+      worker.perform
+    end
+  end
+end
diff --git a/spec/workers/pages_domain_verification_worker_spec.rb b/spec/workers/pages_domain_verification_worker_spec.rb
new file mode 100644
index 00000000000..372fc95ab4a
--- /dev/null
+++ b/spec/workers/pages_domain_verification_worker_spec.rb
@@ -0,0 +1,27 @@
+require 'spec_helper'
+
+describe PagesDomainVerificationWorker do
+  subject(:worker) { described_class.new }
+
+  let(:domain) { create(:pages_domain) }
+
+  describe '#perform' do
+    it 'does nothing for a non-existent domain' do
+      domain.destroy
+
+      expect(VerifyPagesDomainService).not_to receive(:new)
+
+      expect { worker.perform(domain.id) }.not_to raise_error
+    end
+
+    it 'delegates to VerifyPagesDomainService' do
+      service = double(:service)
+      expected_domain = satisfy { |obj| obj == domain }
+
+      expect(VerifyPagesDomainService).to receive(:new).with(expected_domain) { service }
+      expect(service).to receive(:execute)
+
+      worker.perform(domain.id)
+    end
+  end
+end
diff --git a/spec/workers/stuck_import_jobs_worker_spec.rb b/spec/workers/stuck_import_jobs_worker_spec.rb
index a82eb54ffe4..069514552b1 100644
--- a/spec/workers/stuck_import_jobs_worker_spec.rb
+++ b/spec/workers/stuck_import_jobs_worker_spec.rb
@@ -2,35 +2,59 @@ require 'spec_helper'
 
 describe StuckImportJobsWorker do
   let(:worker) { described_class.new }
-  let(:exclusive_lease_uuid) { SecureRandom.uuid }
 
-  before do
-    allow_any_instance_of(Gitlab::ExclusiveLease).to receive(:try_obtain).and_return(exclusive_lease_uuid)
-  end
+  shared_examples 'project import job detection' do
+    context 'when the job has completed' do
+      context 'when the import status was already updated' do
+        before do
+          allow(Gitlab::SidekiqStatus).to receive(:completed_jids) do
+            project.import_start
+            project.import_finish
 
-  describe 'with started import_status' do
-    let(:project) { create(:project, :import_started, import_jid: '123') }
+            [project.import_jid]
+          end
+        end
+
+        it 'does not mark the project as failed' do
+          worker.perform
+
+          expect(project.reload.import_status).to eq('finished')
+        end
+      end
+
+      context 'when the import status was not updated' do
+        before do
+          allow(Gitlab::SidekiqStatus).to receive(:completed_jids).and_return([project.import_jid])
+        end
 
-    describe 'long running import' do
-      it 'marks the project as failed' do
-        allow(Gitlab::SidekiqStatus).to receive(:completed_jids).and_return(['123'])
+        it 'marks the project as failed' do
+          worker.perform
 
-        expect { worker.perform }.to change { project.reload.import_status }.to('failed')
+          expect(project.reload.import_status).to eq('failed')
+        end
       end
     end
 
-    describe 'running import' do
-      it 'does not mark the project as failed' do
+    context 'when the job is still in Sidekiq' do
+      before do
         allow(Gitlab::SidekiqStatus).to receive(:completed_jids).and_return([])
+      end
 
+      it 'does not mark the project as failed' do
         expect { worker.perform }.not_to change { project.reload.import_status }
       end
+    end
+  end
 
-      describe 'import without import_jid' do
-        it 'marks the project as failed' do
-          expect { worker.perform }.to change { project.reload.import_status }.to('failed')
-        end
-      end
+  describe 'with scheduled import_status' do
+    it_behaves_like 'project import job detection' do
+      let(:project) { create(:project, :import_scheduled, import_jid: '123') }
+    end
+  end
+
+  describe 'with started import_status' do
+    it_behaves_like 'project import job detection' do
+      let(:project) { create(:project, :import_started, import_jid: '123') }
     end
   end
 end