authorGitLab Bot <gitlab-bot@gitlab.com>2023-02-09 00:12:09 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2023-02-09 00:12:09 +0000
commitc46d8e7601c032d954c9f35761ae14dc4bacf6ce (patch)
tree4c602beeed2f191efdfb16f37fa54385815cf436
parent3d42e098d9658853984534c9dfc2bf76284a8ac0 (diff)
downloadgitlab-ce-c46d8e7601c032d954c9f35761ae14dc4bacf6ce.tar.gz
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--app/helpers/application_settings_helper.rb28
-rw-r--r--app/models/ci/job_token/project_scope_link.rb13
-rw-r--r--app/views/admin/application_settings/_visibility_and_access.html.haml14
-rw-r--r--app/views/admin/application_settings/general.html.haml2
-rw-r--r--data/deprecations/15-9-deprecate-legacy-requirements-iid.yml10
-rw-r--r--data/deprecations/15-9-rails-error-tracking.yml16
-rw-r--r--doc/administration/geo/replication/container_registry.md7
-rw-r--r--doc/administration/operations/fast_ssh_key_lookup.md108
-rw-r--r--doc/api/environments.md2
-rw-r--r--doc/raketasks/backup_restore.md4
-rw-r--r--doc/update/deprecations.md34
-rw-r--r--doc/update/index.md2
-rw-r--r--doc/user/admin_area/settings/visibility_and_access_controls.md17
-rw-r--r--doc/user/application_security/container_scanning/index.md1
-rw-r--r--locale/gitlab.pot21
-rw-r--r--spec/controllers/projects/pipelines_controller_spec.rb17
-rw-r--r--spec/controllers/registrations_controller_spec.rb1
-rw-r--r--spec/features/admin/admin_settings_spec.rb30
-rw-r--r--spec/helpers/application_settings_helper_spec.rb61
-rw-r--r--spec/models/ci/job_token/project_scope_link_spec.rb24
-rw-r--r--spec/requests/projects/pipelines_controller_spec.rb26
21 files changed, 371 insertions, 67 deletions
diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index 29d2ecb1bd9..49a98b9af1c 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -75,16 +75,38 @@ module ApplicationSettingsHelper
end
def restricted_level_checkboxes(form)
- Gitlab::VisibilityLevel.values.map do |level|
+ restricted_visibility_levels_help_text = {
+ Gitlab::VisibilityLevel::PUBLIC => s_(
+ 'AdminSettings|If selected, only administrators are able to create public groups, projects, ' \
+ 'and snippets. Also, profiles are only visible to authenticated users.'
+ ),
+ Gitlab::VisibilityLevel::INTERNAL => s_(
+ 'AdminSettings|If selected, only administrators are able to create internal groups, projects, and ' \
+ 'snippets.'
+ ),
+ Gitlab::VisibilityLevel::PRIVATE => s_(
+ 'AdminSettings|If selected, only administrators are able to create private groups, projects, and ' \
+ 'snippets.'
+ )
+ }
+
+ Gitlab::VisibilityLevel.options.map do |label, level|
checked = restricted_visibility_levels(true).include?(level)
form.gitlab_ui_checkbox_component(
:restricted_visibility_levels,
- "#{visibility_level_icon(level)} #{visibility_level_label(level)}".html_safe,
checkbox_options: { checked: checked, multiple: true, autocomplete: 'off' },
checked_value: level,
unchecked_value: nil
- )
+ ) do |c|
+ c.label do
+ visibility_level_icon(level) + content_tag(:span, label, { class: 'gl-ml-2' })
+ end
+
+ c.help_text do
+ restricted_visibility_levels_help_text.fetch(level)
+ end
+ end
end
end
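Review bot: The help-text hash built at the top of `restricted_level_checkboxes` is reconstructed on every call and pushes the helper well past ten lines; moving it into a small helper `restricted_visibility_level_help_text(level)` keeps the translations out of the rendering loop and turns the `c.help_text` block into a single call. `fetch(level)` raises `KeyError` for any `Gitlab::VisibilityLevel` value without an entry, which is a reasonable fail-loud choice but is worth a one-line comment such as `# fetch: a new visibility level must get help text before it can be rendered`. Dropping the `html_safe` string in favour of `content_tag(:span, label, ...)` means `label` is now escaped rather than trusted, which is the right direction and should be preserved if the label source ever changes.
```ruby
      c.help_text do
        restricted_visibility_level_help_text(level)
      end
# … unchanged: rest of restricted_level_checkboxes …

# Translated help text rendered under the checkbox for +level+.
# fetch makes a VisibilityLevel without an entry raise instead of rendering nil.
def restricted_visibility_level_help_text(level)
  {
    # … unchanged: the PUBLIC/INTERNAL/PRIVATE => s_('AdminSettings|If selected, …') entries …
  }.fetch(level)
end
```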
diff --git a/app/models/ci/job_token/project_scope_link.rb b/app/models/ci/job_token/project_scope_link.rb
index 774d85e3d3c..96e370bba1e 100644
--- a/app/models/ci/job_token/project_scope_link.rb
+++ b/app/models/ci/job_token/project_scope_link.rb
@@ -8,6 +8,8 @@ module Ci
class ProjectScopeLink < Ci::ApplicationRecord
self.table_name = 'ci_job_token_project_scope_links'
+ PROJECT_LINK_DIRECTIONAL_LIMIT = 100
+
belongs_to :source_project, class_name: 'Project'
# the project added to the scope's allowlist
belongs_to :target_project, class_name: 'Project'
@@ -20,6 +22,7 @@ module Ci
validates :source_project, presence: true
validates :target_project, presence: true
validate :not_self_referential_link
+ validate :source_project_under_link_limit, on: :create
# When outbound the target project is allowed to be accessed by the source job token.
# When inbound the source project is allowed to be accessed by the target job token.
@@ -41,6 +44,16 @@ module Ci
self.errors.add(:target_project, _("can't be the same as the source project"))
end
end
+
+ def source_project_under_link_limit
+ return unless source_project
+
+ existing_links_count = self.class.with_source(source_project).with_access_direction(direction).count
+
+ if existing_links_count >= PROJECT_LINK_DIRECTIONAL_LIMIT
+ errors.add(:source_project, "exceeds the allowable number of project links in this direction")
+ end
+ end
end
end
end
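Review bot: `source_project_under_link_limit` enforces the cap with a read-then-insert check and no database constraint or row lock, so two concurrent creates for the same source project can each count 99 and both pass; if the limit must be exact rather than approximate, serialize the check (for example by locking the source project row inside the transaction), otherwise say so in a comment such as `# Best-effort cap: concurrent creates can briefly overshoot PROJECT_LINK_DIRECTIONAL_LIMIT`. The new error message is a bare string whereas the sibling validation just above uses `_("can't be the same as the source project")`, so `errors.add(:source_project, _("exceeds the allowable number of project links in this direction"))` keeps the messages translatable and consistent (and `errors` without `self.` matches the new method's own style). `with_source` and `with_access_direction` are defined outside this hunk, so I cannot confirm that `direction` is always set when the validation runs; if it can be nil the count would silently cover a different set of links than intended.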
diff --git a/app/views/admin/application_settings/_visibility_and_access.html.haml b/app/views/admin/application_settings/_visibility_and_access.html.haml
index e01126e32e1..0305a9487ca 100644
--- a/app/views/admin/application_settings/_visibility_and_access.html.haml
+++ b/app/views/admin/application_settings/_visibility_and_access.html.haml
@@ -14,13 +14,15 @@
.form-group.visibility-level-setting
= f.label :default_group_visibility, class: 'label-bold'
= render('shared/visibility_radios', model_method: :default_group_visibility, form: f, selected_level: @application_setting.default_group_visibility, form_model: Group.new)
- .form-group
- = f.label :restricted_visibility_levels, class: 'label-bold gl-mb-0'
- %span.form-text.gl-mt-0.gl-mb-3#restricted-visibility-help
- = _('Selected levels cannot be used by non-admin users for groups, projects or snippets. If the public level is restricted, user profiles are only visible to logged in users.')
+ %fieldset.form-group.gl-form-group{ data: { testid: 'restricted-visibility-levels' } }
+ %legend.col-form-label
+ = s_('AdminSettings|Restricted visibility levels')
+ %small.form-text.text-gl-muted
+ = s_('AdminSettings|Prevent non-administrators from using the selected visibility levels for groups, projects and snippets.')
= hidden_field_tag 'application_setting[restricted_visibility_levels][]'
- - restricted_level_checkboxes(f).each do |level|
- = level
+ .gl-form-checkbox-group
+ - restricted_level_checkboxes(f).each do |checkbox|
+ = checkbox
.form-group
= f.label :import_sources, s_('AdminSettings|Import sources'), class: 'label-bold gl-mb-0'
%span.form-text.gl-mt-0.gl-mb-3#import-sources-help
diff --git a/app/views/admin/application_settings/general.html.haml b/app/views/admin/application_settings/general.html.haml
index e9df82a922b..a4af1913d22 100644
--- a/app/views/admin/application_settings/general.html.haml
+++ b/app/views/admin/application_settings/general.html.haml
@@ -3,7 +3,7 @@
- add_page_specific_style 'page_bundles/settings'
- @content_class = "limit-container-width" unless fluid_layout
-%section.settings.as-visibility-access.no-animate#js-visibility-settings{ class: ('expanded' if expanded_by_default?) }
+%section.settings.as-visibility-access.no-animate#js-visibility-settings{ class: ('expanded' if expanded_by_default?), data: { testid: 'admin-visibility-access-settings' } }
.settings-header
%h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
= _('Visibility and access controls')
diff --git a/data/deprecations/15-9-deprecate-legacy-requirements-iid.yml b/data/deprecations/15-9-deprecate-legacy-requirements-iid.yml
new file mode 100644
index 00000000000..05ae0feaa47
--- /dev/null
+++ b/data/deprecations/15-9-deprecate-legacy-requirements-iid.yml
@@ -0,0 +1,10 @@
+- title: 'The GitLab legacy requirement IID is deprecated in favor of work item IID'
+ announcement_milestone: '15.9'
+ removal_milestone: '17.0'
+ breaking_change: true
+ reporter: mmacfarlane
+ body: |
+ We will be transitioning to a new IID as a result of moving requirements to a [work item type](https://docs.gitlab.com/ee/development/work_items.html#work-items-and-work-item-types). Users should begin using the new IID as support for the legacy IID and existing formatting will end in GitLab 17.0. The legacy requirement IID remains available until its removal in GitLab 17.0.
+
+ stage: plan
+ issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/390263
diff --git a/data/deprecations/15-9-rails-error-tracking.yml b/data/deprecations/15-9-rails-error-tracking.yml
new file mode 100644
index 00000000000..42ec004afa9
--- /dev/null
+++ b/data/deprecations/15-9-rails-error-tracking.yml
@@ -0,0 +1,16 @@
+- title: "Error Tracking UI in GitLab Rails is deprecated"
+ announcement_milestone: "15.9"
+ removal_milestone: "16.0"
+ breaking_change: true
+ reporter: kbychu
+ stage: monitor
+ issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/389991
+ body: |
+ The [Error Tracking UI](https://docs.gitlab.com/ee/operations/error_tracking.html) is deprecated in 15.9 and will be removed in 16.0. In future versions, you should use the [GitLab Observability UI](https://gitlab.com/gitlab-org/opstrace/opstrace-ui/), which will gradually be made available on GitLab.com over the next few releases.
+
+ During the transition to the GitLab Observability UI, we will migrate the [GitLab Observability Backend](https://gitlab.com/gitlab-org/opstrace/opstrace) from a per-cluster deployment model to a per-tenant deployment model. Because [Integrated Error Tracking](https://docs.gitlab.com/ee/operations/error_tracking.html#integrated-error-tracking) is in Open Beta, we will not migrate any existing user data. For more details about the migration, see the direction pages for:
+
+ - [Observability](https://about.gitlab.com/direction/monitor/observability/data-visualization/).
+ - The [Observability Backend](https://about.gitlab.com/direction/monitor/observability/data-management/).
+ - [Data visualization](https://about.gitlab.com/direction/monitor/observability/data-visualization/).
+ documentation_url: https://docs.gitlab.com/ee/operations/error_tracking.html
diff --git a/doc/administration/geo/replication/container_registry.md b/doc/administration/geo/replication/container_registry.md
index abf34efa56e..88ca8781dc3 100644
--- a/doc/administration/geo/replication/container_registry.md
+++ b/doc/administration/geo/replication/container_registry.md
@@ -7,7 +7,12 @@ type: howto
# Container Registry for a secondary site **(PREMIUM SELF)**
-You can set up a Container Registry on your **secondary** Geo site that mirrors the one on the **primary** Geo site.
+You can set up a Container Registry on your **secondary** Geo site that mirrors the one on the **primary** Geo site.
+
+NOTE:
+The Container Registry replication is used only for disaster recovery purposes. We do not recommend
+pulling the Container Registry data from the secondary. For a feature proposal to implement it in the
+future, see [Geo: Accelerate container images by serving read request from secondary site](https://gitlab.com/gitlab-org/gitlab/-/issues/365864) for details.
## Supported container registries
diff --git a/doc/administration/operations/fast_ssh_key_lookup.md b/doc/administration/operations/fast_ssh_key_lookup.md
index 48b9600187f..b3cdbd05b29 100644
--- a/doc/administration/operations/fast_ssh_key_lookup.md
+++ b/doc/administration/operations/fast_ssh_key_lookup.md
@@ -134,11 +134,8 @@ This overview is brief. Refer to the above instructions for more context.
## Use `gitlab-sshd` instead of OpenSSH
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/299109) in GitLab 14.5 as an **Alpha** release for self-managed customers.
-
-WARNING:
-`gitlab-sshd` is in [**Alpha**](../../policy/alpha-beta-support.md#alpha-features).
-It is not ready for production use.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/299109) in GitLab 14.5 as an **Alpha** release for self-managed customers.
+> - Ready for production use with [Cloud Native GitLab in GitLab 15.1](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2540) and [Omnibus GitLab in GitLab 15.9](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5937).
`gitlab-sshd` is [a standalone SSH server](https://gitlab.com/gitlab-org/gitlab-shell/-/tree/main/internal/sshd)
written in Go. It is provided as a part of the `gitlab-shell` package. It has a lower memory
@@ -150,21 +147,58 @@ running behind the proxy.
[SSH operations](https://gitlab.com/gitlab-org/gitlab-shell/-/blob/71a7f34a476f778e62f8fe7a453d632d395eaf8f/doc/features.md).
While OpenSSH uses a restricted shell approach, `gitlab-sshd` behaves more like a
modern multi-threaded server application, responding to incoming requests. The major
-difference is that OpenSSH uses SSH as a transport protocol while `gitlab-sshd` uses Remote Procedure Calls (RPCs).
+difference is that OpenSSH uses SSH as a transport protocol while `gitlab-sshd` uses Remote Procedure Calls (RPCs). See [the blog post](https://about.gitlab.com/blog/2022/08/17/why-we-have-implemented-our-own-sshd-solution-on-gitlab-sass/) for more details.
The capabilities of GitLab Shell are not limited to Git operations.
If you are considering switching from OpenSSH to `gitlab-sshd`, consider these concerns:
-- The `gitlab-sshd` component is only available for
- [GitLab Helm chart](https://docs.gitlab.com/charts/) deployments.
- `gitlab-sshd` supports the PROXY protocol. It can run behind proxy servers that rely
- on it, such as HAProxy. The PROXY protocol not enabled by default, but can be enabled with a Helm chart setting.
-- By default, `gitlab-sshd` binds to port 22, but you can configure a different port in the Helm chart.
+ on it, such as HAProxy. The PROXY protocol is not enabled by default, but [it can be enabled](#proxy-protocol-support).
- `gitlab-sshd` **does not** support SSH certificates. For more details, read
[issue #495](https://gitlab.com/gitlab-org/gitlab-shell/-/issues/495).
-To switch from OpenSSH to `gitlab-sshd`:
+To use `gitlab-sshd`:
+
+::Tabs
+
+:::TabTitle Linux package (Omnibus)
+
+The following instructions enable `gitlab-sshd` on a different port than OpenSSH:
+
+1. Edit `/etc/gitlab/gitlab.rb`:
+
+ ```ruby
+ gitlab_sshd['enable'] = true
+ gitlab_sshd['listen_address'] = '[::]:2222' # Adjust the port accordingly
+ ```
+
+1. Optional. By default, Omnibus GitLab generates SSH host keys for `gitlab-sshd` if
+they do not exist in `/var/opt/gitlab/gitlab-sshd`. If you wish to disable this automatic generation, add this line:
+
+ ```ruby
+ gitlab_sshd['generate_host_keys'] = false
+ ```
+
+1. Save the file and reconfigure GitLab:
+
+ ```shell
+ sudo gitlab-ctl reconfigure
+ ```
+
+By default, `gitlab-sshd` runs as the `git` user. As a result, `gitlab-sshd` cannot
+run on privileged port numbers lower than 1024. This means users must
+access Git with the `gitlab-sshd` port, or use a load balancer that
+directs SSH traffic to the `gitlab-sshd` port to hide this.
+
+Users may see host key warnings because the newly-generated host keys
+differ from the OpenSSH host keys. Consider disabling host key
+generation and copy the existing OpenSSH host keys into
+`/var/opt/gitlab/gitlab-sshd` if this is an issue.
+
+:::TabTitle Helm chart (Kubernetes)
+
+The following instructions switch OpenSSH in favor of `gitlab-sshd`:
1. Set the `gitlab-shell` charts `sshDaemon` option to
[`gitlab-sshd`](https://docs.gitlab.com/charts/charts/gitlab/gitlab-shell/index.html#installation-command-line-options).
@@ -178,6 +212,58 @@ To switch from OpenSSH to `gitlab-sshd`:
1. Perform a Helm upgrade.
+By default, `gitlab-sshd` listens for:
+
+- External requests on port 22 (`global.shell.port`).
+- Internal requests on port 2222 (`gitlab.gitlab-shell.service.internalPort`).
+
+You can [configure different ports in the Helm chart](https://docs.gitlab.com/charts/charts/gitlab/gitlab-shell/#configuration).
+
+::EndTabs
+
+### PROXY protocol support
+
+When a load balancer is used in front of `gitlab-sshd`, GitLab reports the IP
+address of the proxy instead of the actual IP address of the client. `gitlab-sshd`
+supports the [PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) to
+obtain the real IP address.
+
+::Tabs
+
+:::TabTitle Linux package (Omnibus)
+
+To enable the PROXY protocol:
+
+1. Edit `/etc/gitlab/gitlab.rb`:
+
+ ```ruby
+ gitlab_sshd['proxy_protocol'] = true
+ # # Proxy protocol policy ("use", "require", "reject", "ignore"), "use" is the default value
+ gitlab_sshd['proxy_policy'] = "use"
+ ```
+
+1. Save the file and reconfigure GitLab:
+
+ ```shell
+ sudo gitlab-ctl reconfigure
+ ```
+
+:::TabTitle Helm chart (Kubernetes)
+
+1. Set the [`gitlab.gitlab-shell.config` options](https://docs.gitlab.com/charts/charts/gitlab/gitlab-shell/index.html#installation-command-line-options). For example:
+
+ ```yaml
+ gitlab:
+ gitlab-shell:
+ config:
+ proxyProtocol: true
+ proxyPolicy: "use"
+ ```
+
+1. Perform a Helm upgrade.
+
+::EndTabs
+
## SELinux support and limitations
GitLab supports `authorized_keys` database lookups with [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux).
diff --git a/doc/api/environments.md b/doc/api/environments.md
index eeaadb6ccdc..bbf6c5fee99 100644
--- a/doc/api/environments.md
+++ b/doc/api/environments.md
@@ -293,7 +293,7 @@ PUT /projects/:id/environments/:environments_id
|------------------|----------------|----------|---------------------------------------------------------------------------------------------------------------------|
| `id` | integer/string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding). |
| `environment_id` | integer | yes | The ID of the environment. |
-| `name` | string | no | [Deprecated and will be removed in GitLab 15.0](https://gitlab.com/gitlab-org/gitlab/-/issues/338897). |
+| `name` | string | no | [Deprecated and will be removed in GitLab 16.0](https://gitlab.com/gitlab-org/gitlab/-/issues/338897). |
| `external_url` | string | no | The new `external_url`. |
| `tier` | string | no | The tier of the new environment. Allowed values are `production`, `staging`, `testing`, `development`, and `other`. |
diff --git a/doc/raketasks/backup_restore.md b/doc/raketasks/backup_restore.md
index 5b0daf3010e..a13d38a199d 100644
--- a/doc/raketasks/backup_restore.md
+++ b/doc/raketasks/backup_restore.md
@@ -761,7 +761,9 @@ Backup failed
If this happens, examine the following:
-- Confirm there is sufficient disk space for the Gzip operation.
+- Confirm there is sufficient disk space for the Gzip operation. It's not uncommon for backups that
+ use the [default strategy](backup_gitlab.md#backup-strategy-option) to require half the instance size
+ in free disk space during backup creation.
- If NFS is being used, check if the mount option `timeout` is set. The
default is `600`, and changing this to smaller values results in this error.
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index 79cd864b36a..d7369089103 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -121,6 +121,26 @@ We intend to replace this feature with the ability to [embed charts](https://git
</div>
+<div class="deprecation removal-160 breaking-change">
+
+### Error Tracking UI in GitLab Rails is deprecated
+
+Planned removal: GitLab <span class="removal-milestone">16.0</span> <span class="removal-date"></span>
+
+WARNING:
+This is a [breaking change](https://docs.gitlab.com/ee/development/deprecation_guidelines/).
+Review the details carefully before upgrading.
+
+The [Error Tracking UI](https://docs.gitlab.com/ee/operations/error_tracking.html) is deprecated in 15.9 and will be removed in 16.0. In future versions, you should use the [GitLab Observability UI](https://gitlab.com/gitlab-org/opstrace/opstrace-ui/), which will gradually be made available on GitLab.com over the next few releases.
+
+During the transition to the GitLab Observability UI, we will migrate the [GitLab Observability Backend](https://gitlab.com/gitlab-org/opstrace/opstrace) from a per-cluster deployment model to a per-tenant deployment model. Because [Integrated Error Tracking](https://docs.gitlab.com/ee/operations/error_tracking.html#integrated-error-tracking) is in Open Beta, we will not migrate any existing user data. For more details about the migration, see the direction pages for:
+
+- [Observability](https://about.gitlab.com/direction/monitor/observability/data-visualization/).
+- The [Observability Backend](https://about.gitlab.com/direction/monitor/observability/data-management/).
+- [Data visualization](https://about.gitlab.com/direction/monitor/observability/data-visualization/).
+
+</div>
+
<div class="deprecation removal-170 breaking-change">
### GitLab Runner platforms and setup instructions in GraphQL API
@@ -190,6 +210,20 @@ This change means the following metrics will become unavailable on `/metrics`:
This may require updating your metrics collection targets to also scrape `/db_metrics`.
</div>
+
+<div class="deprecation removal-170 breaking-change">
+
+### The GitLab legacy requirement IID is deprecated in favor of work item IID
+
+Planned removal: GitLab <span class="removal-milestone">17.0</span> <span class="removal-date"></span>
+
+WARNING:
+This is a [breaking change](https://docs.gitlab.com/ee/development/deprecation_guidelines/).
+Review the details carefully before upgrading.
+
+We will be transitioning to a new IID as a result of moving requirements to a [work item type](https://docs.gitlab.com/ee/development/work_items.html#work-items-and-work-item-types). Users should begin using the new IID as support for the legacy IID and existing formatting will end in GitLab 17.0. The legacy requirement IID remains available until its removal in GitLab 17.0.
+
+</div>
</div>
<div class="announcement-milestone">
diff --git a/doc/update/index.md b/doc/update/index.md
index ef93380117c..303f8af21a8 100644
--- a/doc/update/index.md
+++ b/doc/update/index.md
@@ -266,7 +266,7 @@ and [Helm Chart deployments](https://docs.gitlab.com/charts/). They come with ap
### 15.9.0
-- This version removes `SanitizeConfidentialTodos` background migration which was [added](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87908/diffs) in 15.6 and removed any user inaccessible Todos. Make sure that this migration is finished before upgrading to 15.9.
+- This version removes `SanitizeConfidentialTodos` background migration [added](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87908/diffs) in 15.6, which removed any user inaccessible to-do items. Make sure that this migration is finished before upgrading to 15.9.
- As part of the [CI Partitioning effort](../architecture/blueprints/ci_data_decay/pipeline_partitioning.md), a [new Foreign Key](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107547) was added to `ci_builds_needs`. On GitLab instances with large CI tables, adding this constraint can take longer than usual. Make sure that this migration is finished before upgrading to 15.9.
### 15.8.0
diff --git a/doc/user/admin_area/settings/visibility_and_access_controls.md b/doc/user/admin_area/settings/visibility_and_access_controls.md
index 8acded1210d..acff483e4f8 100644
--- a/doc/user/admin_area/settings/visibility_and_access_controls.md
+++ b/doc/user/admin_area/settings/visibility_and_access_controls.md
@@ -155,18 +155,23 @@ For more details on group visibility, see
## Restrict visibility levels
-To restrict visibility levels for projects, snippets, and selected pages:
+To restrict visibility levels for groups, projects, snippets, and selected pages:
1. Sign in to GitLab as a user with Administrator access level.
1. On the top bar, select **Main menu > Admin**.
1. On the left sidebar, select **Settings > General**.
1. Expand the **Visibility and access controls** section.
1. In the **Restricted visibility levels** section, select the desired visibility levels to restrict.
- If you restrict the **Public** level:
- - User profiles are only visible to authenticated users via the Web interface.
- - User attributes via the GraphQL API are:
- - Not visible in [GitLab 15.1 and later](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/88020).
- - Only visible to authenticated users between [GitLab 13.1](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/33195) and GitLab 15.0.
+ - If you restrict the **Public** level:
+ - Only administrators are able to create public groups, projects, and snippets.
+ - User profiles are only visible to authenticated users through the Web interface.
+ - User attributes through the GraphQL API are:
+ - Not visible in [GitLab 15.1 and later](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/88020).
+ - Only visible to authenticated users between [GitLab 13.1](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/33195) and GitLab 15.0.
+ - If you restrict the **Internal** level:
+ - Only administrators are able to create internal groups, projects, and snippets.
+ - If you restrict the **Private** level:
+ - Only administrators are able to create private groups, projects, and snippets.
1. Select **Save changes**.
For more details on project visibility, see
diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index 09ba1ce3b10..0a586a14cc4 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -268,6 +268,7 @@ including a large number of false positives.
| `CS_REGISTRY_PASSWORD` | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when [FIPS mode](../../../development/fips_compliance.md#enable-fips-mode) is enabled. | All |
| `CS_REGISTRY_USER` | `$CI_REGISTRY_USER` | Username for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when [FIPS mode](../../../development/fips_compliance.md#enable-fips-mode) is enabled. | All |
| `CS_DOCKERFILE_PATH` | `Dockerfile` | The path to the `Dockerfile` to use for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project. You should configure this variable only if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. | All |
+| `CS_QUIET` | `""` | If set, this variable disables output of the [vulnerabilities table](#container-scanning-job-log-format) in the job log. [Introduced](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/merge_requests/50) in GitLab 15.1. | All |
| `SECURE_LOG_LEVEL` | `info` | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1. | All |
### Supported distributions
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index ba3ea693b8f..ae9b654d73d 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -2929,6 +2929,15 @@ msgstr ""
msgid "AdminSettings|If not specified at the group or instance level, the default is %{default_initial_branch_name}. Does not affect existing repositories."
msgstr ""
+msgid "AdminSettings|If selected, only administrators are able to create internal groups, projects, and snippets."
+msgstr ""
+
+msgid "AdminSettings|If selected, only administrators are able to create private groups, projects, and snippets."
+msgstr ""
+
+msgid "AdminSettings|If selected, only administrators are able to create public groups, projects, and snippets. Also, profiles are only visible to authenticated users."
+msgstr ""
+
msgid "AdminSettings|If there isn't any existing index, GitLab creates one."
msgstr ""
@@ -3010,6 +3019,9 @@ msgstr ""
msgid "AdminSettings|Pause Elasticsearch indexing"
msgstr ""
+msgid "AdminSettings|Prevent non-administrators from using the selected visibility levels for groups, projects and snippets."
+msgstr ""
+
msgid "AdminSettings|Preview payload"
msgstr ""
@@ -3037,6 +3049,9 @@ msgstr ""
msgid "AdminSettings|Restrict group access by IP address. %{link_start}Learn more%{link_end}."
msgstr ""
+msgid "AdminSettings|Restricted visibility levels"
+msgstr ""
+
msgid "AdminSettings|Save %{name} limits"
msgstr ""
@@ -29368,6 +29383,9 @@ msgstr ""
msgid "OnDemandScans|Unable to fetch runner tags. Try reloading the page."
msgstr ""
+msgid "OnDemandScans|Verify"
+msgstr ""
+
msgid "OnDemandScans|Verify configuration"
msgstr ""
@@ -38996,9 +39014,6 @@ msgstr ""
msgid "Selected for some items."
msgstr ""
-msgid "Selected levels cannot be used by non-admin users for groups, projects or snippets. If the public level is restricted, user profiles are only visible to logged in users."
-msgstr ""
-
msgid "Selected tag is already in use. Choose another option."
msgstr ""
diff --git a/spec/controllers/projects/pipelines_controller_spec.rb b/spec/controllers/projects/pipelines_controller_spec.rb
index 0c97f11090d..00866ca118f 100644
--- a/spec/controllers/projects/pipelines_controller_spec.rb
+++ b/spec/controllers/projects/pipelines_controller_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe Projects::PipelinesController do
+RSpec.describe Projects::PipelinesController, feature_category: :continuous_integration do
include ApiHelpers
let_it_be(:user) { create(:user) }
@@ -52,21 +52,6 @@ RSpec.describe Projects::PipelinesController do
expect(stages.count).to eq 3
end
end
-
- it 'does not execute N+1 queries', quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/345470' do
- get_pipelines_index_json
-
- control_count = ActiveRecord::QueryRecorder.new do
- get_pipelines_index_json
- end.count
-
- create_all_pipeline_types
-
- # There appears to be one extra query for Pipelines#has_warnings? for some reason
- expect { get_pipelines_index_json }.not_to exceed_query_limit(control_count + 1)
- expect(response).to have_gitlab_http_status(:ok)
- expect(json_response['pipelines'].count).to eq 12
- end
end
it 'does not include coverage data for the pipelines' do
diff --git a/spec/controllers/registrations_controller_spec.rb b/spec/controllers/registrations_controller_spec.rb
index b217b100349..51a26c351c3 100644
--- a/spec/controllers/registrations_controller_spec.rb
+++ b/spec/controllers/registrations_controller_spec.rb
@@ -8,7 +8,6 @@ RSpec.describe RegistrationsController, feature_category: :user_profile do
before do
stub_application_setting(require_admin_approval_after_user_signup: false)
- stub_feature_flags(arkose_labs_signup_challenge: false)
end
describe '#new' do
diff --git a/spec/features/admin/admin_settings_spec.rb b/spec/features/admin/admin_settings_spec.rb
index 6642bd7ac61..34025e9dd14 100644
--- a/spec/features/admin/admin_settings_spec.rb
+++ b/spec/features/admin/admin_settings_spec.rb
@@ -24,7 +24,7 @@ RSpec.describe 'Admin updates settings', feature_category: :not_owned do
end
it 'change visibility settings' do
- page.within('.as-visibility-access') do
+ page.within('[data-testid="admin-visibility-access-settings"]') do
choose "application_setting_default_project_visibility_20"
click_button 'Save changes'
end
@@ -33,23 +33,29 @@ RSpec.describe 'Admin updates settings', feature_category: :not_owned do
end
it 'uncheck all restricted visibility levels' do
- page.within('.as-visibility-access') do
- find('#application_setting_restricted_visibility_levels_0').set(false)
- find('#application_setting_restricted_visibility_levels_10').set(false)
- find('#application_setting_restricted_visibility_levels_20').set(false)
+ page.within('[data-testid="restricted-visibility-levels"]') do
+ uncheck s_('VisibilityLevel|Public')
+ uncheck s_('VisibilityLevel|Internal')
+ uncheck s_('VisibilityLevel|Private')
+ end
+
+ page.within('[data-testid="admin-visibility-access-settings"]') do
click_button 'Save changes'
end
expect(page).to have_content "Application settings saved successfully"
- expect(find('#application_setting_restricted_visibility_levels_0')).not_to be_checked
- expect(find('#application_setting_restricted_visibility_levels_10')).not_to be_checked
- expect(find('#application_setting_restricted_visibility_levels_20')).not_to be_checked
+
+ page.within('[data-testid="restricted-visibility-levels"]') do
+ expect(find_field(s_('VisibilityLevel|Public'))).not_to be_checked
+ expect(find_field(s_('VisibilityLevel|Internal'))).not_to be_checked
+ expect(find_field(s_('VisibilityLevel|Private'))).not_to be_checked
+ end
end
it 'modify import sources' do
expect(current_settings.import_sources).not_to be_empty
- page.within('.as-visibility-access') do
+ page.within('[data-testid="admin-visibility-access-settings"]') do
Gitlab::ImportSources.options.map do |name, _|
uncheck name
end
@@ -60,7 +66,7 @@ RSpec.describe 'Admin updates settings', feature_category: :not_owned do
expect(page).to have_content "Application settings saved successfully"
expect(current_settings.import_sources).to be_empty
- page.within('.as-visibility-access') do
+ page.within('[data-testid="admin-visibility-access-settings"]') do
check "Repository by URL"
click_button 'Save changes'
end
@@ -70,7 +76,7 @@ RSpec.describe 'Admin updates settings', feature_category: :not_owned do
end
it 'change Visibility and Access Controls' do
- page.within('.as-visibility-access') do
+ page.within('[data-testid="admin-visibility-access-settings"]') do
page.within('[data-testid="project-export"]') do
uncheck 'Enabled'
end
@@ -88,7 +94,7 @@ RSpec.describe 'Admin updates settings', feature_category: :not_owned do
end
it 'change Keys settings' do
- page.within('.as-visibility-access') do
+ page.within('[data-testid="admin-visibility-access-settings"]') do
select 'Are forbidden', from: 'RSA SSH keys'
select 'Are allowed', from: 'DSA SSH keys'
select 'Must be at least 384 bits', from: 'ECDSA SSH keys'
diff --git a/spec/helpers/application_settings_helper_spec.rb b/spec/helpers/application_settings_helper_spec.rb
index 914c866c464..19cb970553b 100644
--- a/spec/helpers/application_settings_helper_spec.rb
+++ b/spec/helpers/application_settings_helper_spec.rb
@@ -3,6 +3,14 @@
require 'spec_helper'
RSpec.describe ApplicationSettingsHelper do
+ include Devise::Test::ControllerHelpers
+
+ let_it_be(:current_user) { create(:admin) }
+
+ before do
+ allow(helper).to receive(:current_user).and_return(current_user)
+ end
+
context 'when all protocols in use' do
before do
stub_application_setting(enabled_git_access_protocol: '')
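Review bot: The file-level `let_it_be(:current_user) { create(:admin) }` together with the `before` stub on `helper.current_user` now runs every example in this spec as an administrator, which changes what the `#instance_clusters_enabled?` examples (hunk `@@ -360,13 +368,10`) prove: they previously used a plain `create(:user)` and an admin may satisfy checks that the `can?` stub was meant to isolate. If only `#restricted_level_checkboxes` needs an administrator, scope the admin fixture to that describe block instead, e.g. `let_it_be(:current_user) { create(:admin) }` inside it, and leave the shared fixture as a regular user. Any other example in this file that reads `current_user` is outside this hunk, so I cannot tell from here whether it depends on the non-admin role.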
@@ -360,13 +368,10 @@ RSpec.describe ApplicationSettingsHelper do
end
describe '#instance_clusters_enabled?', :request_store do
- let_it_be(:user) { create(:user) }
-
subject { helper.instance_clusters_enabled? }
before do
- allow(helper).to receive(:current_user).and_return(user)
- allow(helper).to receive(:can?).with(user, :read_cluster, instance_of(Clusters::Instance)).and_return(true)
+ allow(helper).to receive(:can?).with(current_user, :read_cluster, instance_of(Clusters::Instance)).and_return(true)
end
it { is_expected.to be_truthy }
@@ -379,4 +384,52 @@ RSpec.describe ApplicationSettingsHelper do
it { is_expected.to be_falsey }
end
end
+
+ describe '#restricted_level_checkboxes' do
+ let_it_be(:application_setting) { create(:application_setting) }
+
+ before do
+ allow(current_user).to receive(:can_admin_all_resources?).and_return(true)
+ stub_application_setting(
+ restricted_visibility_levels: [
+ Gitlab::VisibilityLevel::PUBLIC,
+ Gitlab::VisibilityLevel::INTERNAL,
+ Gitlab::VisibilityLevel::PRIVATE
+ ]
+ )
+ end
+
+ it 'returns restricted level checkboxes with correct label, description, and HTML attributes' do
+ helper.gitlab_ui_form_for(application_setting, url: '/admin/application_settings/general') do |form|
+ result = helper.restricted_level_checkboxes(form)
+
+ expect(result[0]).to have_checked_field(s_('VisibilityLevel|Private'), with: Gitlab::VisibilityLevel::PRIVATE)
+ expect(result[0]).to have_selector('[data-testid="lock-icon"]')
+ expect(result[0]).to have_content(
+ s_(
+ 'AdminSettings|If selected, only administrators are able to create private groups, projects, and ' \
+ 'snippets.'
+ )
+ )
+
+ expect(result[1]).to have_checked_field(s_('VisibilityLevel|Internal'), with: Gitlab::VisibilityLevel::INTERNAL)
+ expect(result[1]).to have_selector('[data-testid="shield-icon"]')
+ expect(result[1]).to have_content(
+ s_(
+ 'AdminSettings|If selected, only administrators are able to create internal groups, projects, and ' \
+ 'snippets.'
+ )
+ )
+
+ expect(result[2]).to have_checked_field(s_('VisibilityLevel|Public'), with: Gitlab::VisibilityLevel::PUBLIC)
+ expect(result[2]).to have_selector('[data-testid="earth-icon"]')
+ expect(result[2]).to have_content(
+ s_(
+ 'AdminSettings|If selected, only administrators are able to create public groups, projects, ' \
+ 'and snippets. Also, profiles are only visible to authenticated users.'
+ )
+ )
+ end
+ end
+ end
end
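Review bot: `allow(current_user).to receive(:can_admin_all_resources?).and_return(true)` only exercises the permitted branch; no example pins what `restricted_level_checkboxes` renders when the current user cannot admin all resources, which is presumably the case the stub exists for (the helper itself is outside this hunk). A sibling `context 'when the user cannot admin all resources'` that stubs it to `false` and asserts on the resulting field state would close that gap. Also worth confirming: `let_it_be(:application_setting)` builds the form from a created record while the checked state is asserted against `stub_application_setting`, so the example passes only if the helper reads the stubbed current settings rather than the form object; a one-line comment stating which source drives the checked state would make the fixture intent clear.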
diff --git a/spec/models/ci/job_token/project_scope_link_spec.rb b/spec/models/ci/job_token/project_scope_link_spec.rb
index 30ae8bc6d88..310f9b550f4 100644
--- a/spec/models/ci/job_token/project_scope_link_spec.rb
+++ b/spec/models/ci/job_token/project_scope_link_spec.rb
@@ -28,6 +28,30 @@ RSpec.describe Ci::JobToken::ProjectScopeLink, feature_category: :continuous_int
end
end
+ describe '.create' do
+ let_it_be(:target) { create(:project) }
+ let(:new_link) { described_class.create(source_project: project, target_project: target) } # rubocop:disable Rails/SaveBang
+
+ context 'when there are more than PROJECT_LINK_DIRECTIONAL_LIMIT existing links' do
+ before do
+ create_list(:ci_job_token_project_scope_link, 5, source_project: project)
+ stub_const("#{described_class}::PROJECT_LINK_DIRECTIONAL_LIMIT", 3)
+ end
+
+ it 'invalidates new links and prevents them from being created' do
+ expect { new_link }.not_to change { described_class.count }
+ expect(new_link).not_to be_persisted
+ expect(new_link.errors.full_messages)
+ .to include('Source project exceeds the allowable number of project links in this direction')
+ end
+
+ it 'does not invalidate existing links' do
+ expect(described_class.count).to be > described_class::PROJECT_LINK_DIRECTIONAL_LIMIT
+ expect(described_class.all).to all(be_valid)
+ end
+ end
+ end
+
describe 'validations' do
it 'must have a source project', :aggregate_failures do
link = build(:ci_job_token_project_scope_link, source_project: nil)
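Review bot: The new `.create` examples cover only the source-project direction (the asserted message is 'Source project exceeds the allowable number of project links in this direction'); if the model also bounds links per target project, the mirrored context creating links with `target_project:` is missing, and if it does not, a comment saying the limit is outbound-only would stop a reader from looking for it. The second example asserts `all(be_valid)` on five links above a stubbed limit of 3, which only holds when the validation is scoped to creation; making that explicit, `# the limit is enforced on create only; links already above it stay valid`, documents the contract the example relies on. The model change that adds `PROJECT_LINK_DIRECTIONAL_LIMIT` is outside this hunk.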
diff --git a/spec/requests/projects/pipelines_controller_spec.rb b/spec/requests/projects/pipelines_controller_spec.rb
index 7f185ade339..73e002b63b1 100644
--- a/spec/requests/projects/pipelines_controller_spec.rb
+++ b/spec/requests/projects/pipelines_controller_spec.rb
@@ -19,6 +19,32 @@ RSpec.describe Projects::PipelinesController, feature_category: :continuous_inte
login_as(user)
end
+ describe "GET index.json" do
+ it 'does not execute N+1 queries' do
+ get_pipelines_index
+
+ control_count = ActiveRecord::QueryRecorder.new do
+ get_pipelines_index
+ end.count
+
+ %w[pending running success failed canceled].each do |status|
+ create(:ci_pipeline, project: project, status: status)
+ end
+
+ # There appears to be one extra query for Pipelines#has_warnings? for some reason
+ expect { get_pipelines_index }.not_to exceed_query_limit(control_count + 1)
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(json_response['pipelines'].count).to eq 6
+ end
+
+ def get_pipelines_index
+ get namespace_project_pipelines_path(
+ namespace_id: project.namespace.to_param,
+ project_id: project.to_param,
+ format: :json)
+ end
+ end
+
describe "GET stages.json" do
it 'does not execute N+1 queries' do
request_build_stage
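Review bot: `not_to exceed_query_limit(control_count + 1)` bakes an unexplained extra query into the new request spec, with the 'for some reason' comment carried over from the deleted controller spec; if the extra `has_warnings?` query is expected, say why or reference a tracking issue in the comment, otherwise the tolerance silently absorbs a one-query-per-request regression. `expect(json_response['pipelines'].count).to eq 6` also hardcodes that exactly one pipeline exists before the five created here, and that pipeline is set up outside this hunk; deriving the expectation from the data, e.g. `expect(json_response['pipelines'].count).to eq(Ci::Pipeline.where(project: project).count)`, keeps the example from breaking when the shared fixture changes. The enclosing describe for the controller starts before this hunk.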