Add latest changes from gitlab-org/gitlab@master

25 files changed, 304 insertions, 76 deletions

diff --git a/app/assets/javascripts/ide/components/pipelines/list.vue b/app/assets/javascripts/ide/components/pipelines/list.vue
index 39d67b0762a..cf6d01b6351 100644
--- a/app/assets/javascripts/ide/components/pipelines/list.vue
+++ b/app/assets/javascripts/ide/components/pipelines/list.vue
@@ -88,14 +88,14 @@ export default {
       </div>
       <tabs v-else class="ide-pipeline-list">
         <tab :active="!pipelineFailed">
-          <template slot="title">
+          <template #title>
             {{ __('Jobs') }}
             <span v-if="jobsCount" class="badge badge-pill"> {{ jobsCount }} </span>
           </template>
           <jobs-list :loading="isLoadingJobs" :stages="stages" />
         </tab>
         <tab :active="pipelineFailed">
-          <template slot="title">
+          <template #title>
             {{ __('Failed Jobs') }}
             <span v-if="failedJobsCount" class="badge badge-pill"> {{ failedJobsCount }} </span>
           </template>
diff --git a/app/assets/javascripts/releases/components/app_edit.vue b/app/assets/javascripts/releases/components/app_edit.vue
index 433df839acb..01dd0638023 100644
--- a/app/assets/javascripts/releases/components/app_edit.vue
+++ b/app/assets/javascripts/releases/components/app_edit.vue
@@ -184,18 +184,19 @@ export default {
             :add-spacing-classes="false"
             class="prepend-top-10 append-bottom-10"
           >
-            <textarea
-              id="release-notes"
-              slot="textarea"
-              v-model="releaseNotes"
-              class="note-textarea js-gfm-input js-autosize markdown-area"
-              dir="auto"
-              data-supports-quick-actions="false"
-              :aria-label="__('Release notes')"
-              :placeholder="__('Write your release notes or drag your files here…')"
-              @keydown.meta.enter="updateRelease()"
-              @keydown.ctrl.enter="updateRelease()"
-            ></textarea>
+            <template #textarea>
+              <textarea
+                id="release-notes"
+                v-model="releaseNotes"
+                class="note-textarea js-gfm-input js-autosize markdown-area"
+                dir="auto"
+                data-supports-quick-actions="false"
+                :aria-label="__('Release notes')"
+                :placeholder="__('Write your release notes or drag your files here…')"
+                @keydown.meta.enter="updateRelease()"
+                @keydown.ctrl.enter="updateRelease()"
+              ></textarea>
+            </template>
           </markdown-field>
         </div>
       </gl-form-group>
diff --git a/app/models/blob.rb b/app/models/blob.rb
index 56f6066b576..c8df6c7732a 100644
--- a/app/models/blob.rb
+++ b/app/models/blob.rb
@@ -86,8 +86,8 @@ class Blob < SimpleDelegator
     new(blob, container)
   end
 
-  def self.lazy(container, commit_id, path, blob_size_limit: Gitlab::Git::Blob::MAX_DATA_DISPLAY_SIZE)
-    BatchLoader.for([commit_id, path]).batch(key: container.repository) do |items, loader, args|
+  def self.lazy(repository, commit_id, path, blob_size_limit: Gitlab::Git::Blob::MAX_DATA_DISPLAY_SIZE)
+    BatchLoader.for([commit_id, path]).batch(key: repository) do |items, loader, args|
       args[:key].blobs_at(items, blob_size_limit: blob_size_limit).each do |blob|
         loader.call([blob.commit_id, blob.path], blob) if blob
       end
diff --git a/app/models/snippet.rb b/app/models/snippet.rb
index 32f3309b0a3..37bbf3bbb9a 100644
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -204,7 +204,7 @@ class Snippet < ApplicationRecord
   def blobs
     return [] unless repository_exists?
 
-    repository.ls_files(repository.root_ref).map { |file| Blob.lazy(self, repository.root_ref, file) }
+    repository.ls_files(repository.root_ref).map { |file| Blob.lazy(repository, repository.root_ref, file) }
   end
 
   def hook_attrs
diff --git a/app/services/deployments/older_deployments_drop_service.rb b/app/services/deployments/older_deployments_drop_service.rb
index 122f8ac89ed..e765d2484ea 100644
--- a/app/services/deployments/older_deployments_drop_service.rb
+++ b/app/services/deployments/older_deployments_drop_service.rb
@@ -12,7 +12,9 @@ module Deployments
       return unless @deployment&.running?
 
       older_deployments.find_each do |older_deployment|
-        older_deployment.deployable&.drop!(:forward_deployment_failure)
+        Gitlab::OptimisticLocking.retry_lock(older_deployment.deployable) do |deployable|
+          deployable.drop(:forward_deployment_failure)
+        end
       rescue => e
         Gitlab::ErrorTracking.track_exception(e, subject_id: @deployment.id, deployment_id: older_deployment.id)
       end
diff --git a/changelogs/unreleased/216300-allow-for-mr-creation.yml b/changelogs/unreleased/216300-allow-for-mr-creation.yml
new file mode 100644
index 00000000000..9852b7b687a
--- /dev/null
+++ b/changelogs/unreleased/216300-allow-for-mr-creation.yml
@@ -0,0 +1,5 @@
+---
+title: Add ability to create merge request from vulnerability page
+merge_request: 31620
+author:
+type: added
diff --git a/changelogs/unreleased/update-deprecated-slot-syntax-in---app-assets-javascripts-releases-compon.yml b/changelogs/unreleased/update-deprecated-slot-syntax-in---app-assets-javascripts-releases-compon.yml
new file mode 100644
index 00000000000..b30c5c684ea
--- /dev/null
+++ b/changelogs/unreleased/update-deprecated-slot-syntax-in---app-assets-javascripts-releases-compon.yml
@@ -0,0 +1,5 @@
+---
+title: Update deprecated slot syntax in ./app/assets/javascripts/releases/components/app_edit.vue
+merge_request: 32018
+author: Gilang Gumilar
+type: other
diff --git a/changelogs/unreleased/update-deprecated-slot-syntax-in---javascripts-ide-pipelines-list-vue.yml b/changelogs/unreleased/update-deprecated-slot-syntax-in---javascripts-ide-pipelines-list-vue.yml
new file mode 100644
index 00000000000..315f0a0fc50
--- /dev/null
+++ b/changelogs/unreleased/update-deprecated-slot-syntax-in---javascripts-ide-pipelines-list-vue.yml
@@ -0,0 +1,5 @@
+---
+title: Update deprecated slot syntax in ./app/assets/javascripts/ide/components/pipelines/list.vue
+merge_request: 32027
+author: Gilang Gumilar
+type: other
diff --git a/doc/administration/instance_limits.md b/doc/administration/instance_limits.md
index 2f6598da2da..d0e8f079cb2 100644
--- a/doc/administration/instance_limits.md
+++ b/doc/administration/instance_limits.md
@@ -219,6 +219,12 @@ alerts in the following ways:
 
 Prometheus alert payloads sent to the `notify.json` endpoint are limited to 1 MB in size.
 
+### Generic Alert JSON payloads
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/16441) in GitLab 12.4.
+
+Alert payloads sent to the `notify.json` endpoint are limited to 1 MB in size.
+
 ## Environment data on Deploy Boards
 
 [Deploy Boards](../user/project/deploy_boards.md) load information from Kubernetes about
diff --git a/doc/ci/yaml/README.md b/doc/ci/yaml/README.md
index 3a8e08291e1..913e1c63d6d 100644
--- a/doc/ci/yaml/README.md
+++ b/doc/ci/yaml/README.md
@@ -106,7 +106,7 @@ The following table lists available parameters for jobs:
 | [`when`](#when)                                    | When to run job. Also available: `when:manual` and `when:delayed`.                                                                                                                  |
 | [`environment`](#environment)                      | Name of an environment to which the job deploys. Also available: `environment:name`, `environment:url`, `environment:on_stop`, `environment:auto_stop_in` and `environment:action`. |
 | [`cache`](#cache)                                  | List of files that should be cached between subsequent runs. Also available: `cache:paths`, `cache:key`, `cache:untracked`, and `cache:policy`.                                     |
-| [`artifacts`](#artifacts)                          | List of files and directories to attach to a job on success. Also available: `artifacts:paths`, `artifacts:expose_as`, `artifacts:name`, `artifacts:untracked`, `artifacts:when`, `artifacts:expire_in`, `artifacts:reports`, `artifacts:reports:junit`, `artifacts:reports:cobertura`, and `artifacts:reports:terraform`.<br><br>In GitLab [Enterprise Edition](https://about.gitlab.com/pricing/), these are available: `artifacts:reports:codequality`, `artifacts:reports:sast`, `artifacts:reports:dependency_scanning`, `artifacts:reports:container_scanning`, `artifacts:reports:dast`, `artifacts:reports:license_scanning`, `artifacts:reports:license_management` (removed in 13.0),`artifacts:reports:performance` and `artifacts:reports:metrics`. |
+| [`artifacts`](#artifacts)                          | List of files and directories to attach to a job on success. Also available: `artifacts:paths`, `artifacts:expose_as`, `artifacts:name`, `artifacts:untracked`, `artifacts:when`, `artifacts:expire_in`, `artifacts:reports`, `artifacts:reports:junit`, `artifacts:reports:cobertura`, and `artifacts:reports:terraform`.<br><br>In GitLab [Enterprise Edition](https://about.gitlab.com/pricing/), these are available: `artifacts:reports:codequality`, `artifacts:reports:sast`, `artifacts:reports:dependency_scanning`, `artifacts:reports:container_scanning`, `artifacts:reports:dast`, `artifacts:reports:license_scanning`, `artifacts:reports:license_management` (removed in GitLab 13.0),`artifacts:reports:performance` and `artifacts:reports:metrics`. |
 | [`dependencies`](#dependencies)                    | Restrict which artifacts are passed to a specific job by providing a list of jobs to fetch artifacts from.                                                                          |
 | [`coverage`](#coverage)                            | Code coverage settings for a given job.                                                                                                                                             |
 | [`retry`](#retry)                                  | When and how many times a job can be auto-retried in case of a failure.                                                                                                             |
@@ -2770,7 +2770,7 @@ These are the available report types:
 | [`artifacts:reports:dependency_scanning`](../pipelines/job_artifacts.md#artifactsreportsdependency_scanning-ultimate) **(ULTIMATE)** | The `dependency_scanning` report collects Dependency Scanning vulnerabilities.   |
 | [`artifacts:reports:container_scanning`](../pipelines/job_artifacts.md#artifactsreportscontainer_scanning-ultimate) **(ULTIMATE)**   | The `container_scanning` report collects Container Scanning vulnerabilities.     |
 | [`artifacts:reports:dast`](../pipelines/job_artifacts.md#artifactsreportsdast-ultimate) **(ULTIMATE)**                               | The `dast` report collects Dynamic Application Security Testing vulnerabilities. |
-| [`artifacts:reports:license_management`](../pipelines/job_artifacts.md#artifactsreportslicense_management-ultimate) **(ULTIMATE)**   | The `license_management` report collects Licenses (*removed from 13.0*).                |
+| [`artifacts:reports:license_management`](../pipelines/job_artifacts.md#artifactsreportslicense_management-ultimate) **(ULTIMATE)**   | The `license_management` report collects Licenses (*removed from GitLab 13.0*).  |
 | [`artifacts:reports:license_scanning`](../pipelines/job_artifacts.md#artifactsreportslicense_scanning-ultimate) **(ULTIMATE)**       | The `license_scanning` report collects Licenses.                                 |
 | [`artifacts:reports:performance`](../pipelines/job_artifacts.md#artifactsreportsperformance-premium) **(PREMIUM)**                   | The `performance` report collects Performance metrics.                           |
 | [`artifacts:reports:metrics`](../pipelines/job_artifacts.md#artifactsreportsmetrics-premium) **(PREMIUM)**                           | The `metrics` report collects Metrics.                                           |
diff --git a/doc/development/contributing/issue_workflow.md b/doc/development/contributing/issue_workflow.md
index ddd4e84bfd1..be416bf636e 100644
--- a/doc/development/contributing/issue_workflow.md
+++ b/doc/development/contributing/issue_workflow.md
@@ -264,7 +264,7 @@ release. There are three levels of Release Scoping labels:
   milestone. If these issues are not done in the current release, they will
   strongly be considered for the next release.
 - ~"Next Patch Release": Issues to put in the next patch release. Work on these
-  first, and add the "Pick Into X" label to the merge request, along with the
+  first, and add the `~"Pick into X.Y"` label to the merge request, along with the
   appropriate milestone.
 
 Each issue scheduled for the current milestone should be labeled ~Deliverable
diff --git a/doc/development/documentation/index.md b/doc/development/documentation/index.md
index f747fb4e06f..cdfa4b2fe43 100644
--- a/doc/development/documentation/index.md
+++ b/doc/development/documentation/index.md
@@ -183,7 +183,7 @@ in a follow-up MR or issue.
 
 NOTE: **Note:**
 If the release version you want to add the documentation to has already been
-frozen or released, use the label `Pick into X.Y` to get it merged into
+frozen or released, use the label `~"Pick into X.Y"` to get it merged into
 the correct release. Avoid picking into a past release as much as you can, as
 it increases the work of the release managers.
 
@@ -203,7 +203,7 @@ to the MR.
 For example, let's say your merge request has a milestone set to 11.3, which
 will be released on 2018-09-22. If it gets merged on 2018-09-15, it will be
 available online on 2018-09-15, but, as the feature freeze date has passed, if
-the MR does not have a "pick into 11.3" label, the milestone has to be changed
+the MR does not have a `~"Pick into 11.3"` label, the milestone has to be changed
 to 11.4 and it will be shipped with all GitLab packages only on 2018-10-22,
 with GitLab 11.4. Meaning, it will only be available under `/help` from GitLab
 11.4 onward, but available on <https://docs.gitlab.com/> on the same day it was merged.
diff --git a/doc/development/feature_flags/controls.md b/doc/development/feature_flags/controls.md
index 8ddcee0e531..309aecd7978 100644
--- a/doc/development/feature_flags/controls.md
+++ b/doc/development/feature_flags/controls.md
@@ -192,7 +192,7 @@ feature flag. This ensures the change is available to all users and self-managed
 instances. Make sure to add the ~"feature flag" label to this merge request so
 release managers are aware the changes are hidden behind a feature flag. If the
 merge request has to be picked into a stable branch, make sure to also add the
-appropriate "Pick into X" label (e.g. "Pick into XX.X").
+appropriate `~"Pick into X.Y"` label (e.g. `~"Pick into 13.0"`).
 See [the process document](process.md#including-a-feature-behind-feature-flag-in-the-final-release) for further details.
 
 When a feature gate has been removed from the code base, the feature
diff --git a/doc/topics/autodevops/stages.md b/doc/topics/autodevops/stages.md
index d8266ae2ca9..8c56a87ba30 100644
--- a/doc/topics/autodevops/stages.md
+++ b/doc/topics/autodevops/stages.md
@@ -341,7 +341,7 @@ To use Auto Deploy on a Kubernetes 1.16+ cluster:
 
 1. On GitLab 12.10 or older, set the following in the [`.gitlab/auto-deploy-values.yaml` file](customize.md#customize-values-for-helm-chart):
 
-   ```yml
+   ```yaml
    deploymentApiVersion: apps/v1
    ```
 
diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md
index f18897d5a15..7ceb5fdd4b5 100644
--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -470,21 +470,15 @@ include:
 
 variables:
   DS_ANALYZER_IMAGE_PREFIX: "docker-registry.example.com/analyzers"
+  GEMNASIUM_DB_REMOTE_URL: "gitlab.example.com/gemnasium-db.git"
+  GIT_SSL_NO_VERIFY: "true"
 ```
 
 See explanations of the variables above in the [configuration section](#configuration).
 
 ### Specific settings for languages and package managers
 
-For every language and package manager, add the following to the variables section of
-`.gitlab-ci.yml`:
-
-```yaml
-GEMNASIUM_DB_REMOTE_URL: "gitlab.example.com/gemnasium-db.git"
-GIT_SSL_NO_VERIFY: "true"
-```
-
-See the following sections for additional instructions on specific languages and package managers.
+See the following sections for configuring specific languages and package managers.
 
 #### JavaScript (npm and yarn) projects
 
@@ -540,26 +534,6 @@ gemnasium-maven-dependency_scanning:
 
 This adds the self-signed certificates of your Maven repository to the Java KeyStore of the analyzer's Docker image.
 
-#### Python (pip) and Python (Pipfile) projects
-
-Add the following `pip.conf` to your repository to define your index URL and trust its self-signed
-certificate:
-
-```toml
-[global]
-index-url = https://pypi.example.com
-trusted-host = pypi.example.com
-```
-
-Add the following job section to `.gitlab-ci.yml`:
-
-```yaml
-gemnasium-python-dependency_scanning:
-  before_script:
-    - mkdir -p ~/.config/pip
-    - cp pip.conf ~/.config/pip/pip.conf
-```
-
 #### Python (setuptools)
 
 When using self-signed certificates for your private PyPi repository, no extra job configuration (aside
@@ -591,15 +565,18 @@ ensure that it can reach your private repository. Here is an example configurati
 
 ### Referencing local dependencies using a path in JavaScript projects
 
-Although dependency scanning doesn't support it, you can reference dependencies by using a
-[local path](https://docs.npmjs.com/files/package.json#local-paths) in the `package.json` for a
-JavaScript project. The dependency scan generates the following error when you use
-`file: <path/to/dependency-name>` to reference a package:
+The [Retire.js](https://gitlab.com/gitlab-org/security-products/analyzers/retire.js) analyzer
+doesn't support dependency references made with [local paths](https://docs.npmjs.com/files/package.json#local-paths)
+in the `package.json` of JavaScript projects. The dependency scan outputs the following error for
+such references:
 
 ```text
 ERROR: Could not find dependencies: <dependency-name>. You may need to run npm install
 ```
 
+As a workaround, remove the [`retire.js`](analyzers.md#selecting-specific-analyzers) analyzer from
+[DS_DEFAULT_ANALYZERS](#configuring-dependency-scanning).
+
 ## Troubleshooting
 
 ### Error response from daemon: error processing tar file: docker-tar: relocation error
diff --git a/doc/user/compliance/license_compliance/index.md b/doc/user/compliance/license_compliance/index.md
index f3518520232..97c2b900b61 100644
--- a/doc/user/compliance/license_compliance/index.md
+++ b/doc/user/compliance/license_compliance/index.md
@@ -100,7 +100,7 @@ For GitLab versions earlier than 11.9, you can copy and use the job as defined
 that template.
 
 NOTE: **Note:**
-In GitLab 13.0, the `License-Management.gitlab-ci.yml` template was removed.
+GitLab 13.0 removes the `License-Management.gitlab-ci.yml` template.
 Use `License-Scanning.gitlab-ci.yml` instead.
 
 Add the following to your `.gitlab-ci.yml` file:
@@ -115,7 +115,7 @@ and scan your dependencies to find their licenses.
 
 NOTE: **Note:**
 Before GitLab 12.8, the `license_scanning` job was named `license_management`.
-In GitLab 13.0, the `license_management` job was removed,
+GitLab 13.0 removes the `license_management` job,
 so you're advised to migrate to the `license_scanning` job and used the new
 `License-Scanning.gitlab-ci.yml` template.
 
@@ -329,13 +329,13 @@ strict-ssl = false
 ### Migration from `license_management` to `license_scanning`
 
 In GitLab 12.8 a new name for `license_management` job was introduced. This change was made to improve clarity around the purpose of the scan, which is to scan and collect the types of licenses present in a projects dependencies.
-The support of `license_management` was dropped in GitLab 13.0.
+GitLab 13.0 drops support for `license_management`.
 If you're using a custom setup for License Compliance, you're required
 to update your CI config accordingly:
 
 1. Change the CI template to `License-Scanning.gitlab-ci.yml`.
 1. Change the job name to `license_scanning` (if you mention it in `.gitlab-ci.yml`).
-1. Change the artifact name to `license_scanning` and file name to `gl-license-scanning-report.json` (if you mention it in `.gitlab-ci.yml`).
+1. Change the artifact name to `license_scanning`, and the file name to `gl-license-scanning-report.json` (if you mention it in `.gitlab-ci.yml`).
 
 For example, the following `.gitlab-ci.yml`:
 
@@ -361,7 +361,7 @@ license_scanning:
       license_scanning: gl-license-scanning-report.json
 ```
 
-Since GitLab 13.0, if you use `license_management` artifact, you will encounter an error while running the License Compliance job:
+If you use the `license_management` artifact in GitLab 13.0 or later, the License Compliance job generates this error:
 
 ```text
 WARNING: Uploading artifacts to coordinator... failed id=:id responseStatus=400 Bad Request status=400 Bad Request token=:sha
@@ -369,7 +369,7 @@ WARNING: Uploading artifacts to coordinator... failed id=:id responseStatus=400
 FATAL: invalid_argument
 ```
 
-If you encounter this error, you're encouraged to follow the instructions described in this section.
+If you encounter this error, follow the instructions described in this section.
 
 ## Running License Compliance in an offline environment
 
diff --git a/doc/user/infrastructure/img/terraform_plan_log_v13_0.png b/doc/user/infrastructure/img/terraform_plan_log_v13_0.png
new file mode 100644
index 00000000000..c3c6f6b2f8b
--- /dev/null
+++ b/doc/user/infrastructure/img/terraform_plan_log_v13_0.png
diff --git a/doc/user/infrastructure/img/terraform_plan_widget_v13_0.png b/doc/user/infrastructure/img/terraform_plan_widget_v13_0.png
new file mode 100644
index 00000000000..62bf4b279b2
--- /dev/null
+++ b/doc/user/infrastructure/img/terraform_plan_widget_v13_0.png
diff --git a/doc/user/infrastructure/index.md b/doc/user/infrastructure/index.md
index e4ad6244bfe..65237bf24e0 100644
--- a/doc/user/infrastructure/index.md
+++ b/doc/user/infrastructure/index.md
@@ -4,7 +4,9 @@ group: Configure
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
 ---
 
-# Infrastructure as code with GitLab managed Terraform State
+# Infrastructure as code with Terraform and GitLab
+
+## GitLab managed Terraform State
 
 [Terraform remote backends](https://www.terraform.io/docs/backends/index.html)
 enable you to store the state file in a remote, shared store. GitLab uses the
@@ -156,3 +158,186 @@ The output from the above `terraform` commands should be viewable in the job log
 ## Example project
 
 See [this reference project](https://gitlab.com/nicholasklick/gitlab-terraform-aws) using GitLab and Terraform to deploy a basic AWS EC2 within a custom VPC.
+
+## Output Terraform Plan information into a merge request
+
+Using the [GitLab Terraform Report Artifact](../../ci/pipelines/job_artifacts.md#artifactsreportsterraform),
+you can expose details from `terraform plan` runs directly into a merge request widget,
+enabling you to see statistics about the resources that Terraform will create,
+modify, or destroy.
+
+Let's explore how to configure a GitLab Terraform Report Artifact:
+
+1. First, for simplicity, let's define a few reusable variables to allow us to
+   refer to these files multiple times:
+
+   ```yaml
+   variables:
+     PLAN: plan.tfplan
+     PLAN_JSON: tfplan.json
+   ```
+
+1. Next we need to install `jq`, a [lightweight and flexible command-line JSON processor](https://stedolan.github.io/jq/). We will also create an alias for a specific `jq` command that parses out the extact information we want to extract from the `terraform plan` output:
+
+```yaml
+before_script:
+  - apk --no-cache add jq
+  - alias convert_report="jq -r '([.resource_changes[]?.change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
+```
+
+1. Finally, we define a `script` that runs `terraform plan` and also a `terraform show` which pipes the output and converts the relevant bits into a store variable `PLAN_JSON`. This json is then leveraged to create a [GitLab Terraform Report Artifact](../../ci/pipelines/job_artifacts.md#artifactsreportsterraform).
+
+The terraform report obtains a Terraform tfplan.json file. The collected Terraform plan report will be uploaded to GitLab as an artifact and will be automatically shown in merge requests.
+
+```yaml
+plan:
+  stage: build
+  script:
+    - terraform plan -out=$PLAN
+    - terraform show --json $PLAN | convert_report > $PLAN_JSON
+  artifacts:
+    name: plan
+    paths:
+      - $PLAN
+    reports:
+      terraform: $PLAN_JSON
+```
+
+A full `.gitlab-ci.yaml` file could look like this:
+
+```yaml
+image:
+  name: hashicorp/terraform:light
+  entrypoint:
+    - '/usr/bin/env'
+    - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
+
+# Default output file for Terraform plan
+variables:
+  GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${CI_PROJECT_NAME}
+  PLAN: plan.tfplan
+  PLAN_JSON: tfplan.json
+  TF_ROOT: ${CI_PROJECT_DIR}
+
+cache:
+  paths:
+    - .terraform
+
+before_script:
+  - apk --no-cache add jq
+  - alias convert_report="jq -r '([.resource_changes[]?.change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
+  - cd ${TF_ROOT}
+  - terraform --version
+  - terraform init -backend-config="address=${GITLAB_TF_ADDRESS}" -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock" -backend-config="username=${GITLAB_USER_LOGIN}" -backend-config="password=${GITLAB_TF_PASSWORD}" -backend-config="lock_method=POST" -backend-config="unlock_method=DELETE" -backend-config="retry_wait_min=5"
+
+stages:
+  - validate
+  - build
+  - deploy
+
+validate:
+  stage: validate
+  script:
+    - terraform validate
+
+plan:
+  stage: build
+  script:
+    - terraform plan -out=$PLAN
+    - terraform show --json $PLAN | convert_report > $PLAN_JSON
+  artifacts:
+    name: plan
+    paths:
+      - ${TF_ROOT}/plan.tfplan
+    reports:
+      terraform: ${TF_ROOT}/tfplan.json
+
+# Separate apply job for manual launching Terraform as it can be destructive
+# action.
+apply:
+  stage: deploy
+  environment:
+    name: production
+  script:
+    - terraform apply -input=false $PLAN
+  dependencies:
+    - plan
+  when: manual
+  only:
+    - master
+
+```
+
+1. Running the pipeline displays the widget in the merge request, like this:
+
+   ![MR Terraform widget](img/terraform_plan_widget_v13_0.png)
+
+1. Clicking the **View Full Log** button in the widget takes you directly to the
+   plan output present in the pipeline logs:
+
+   ![Terraform plan logs](img/terraform_plan_log_v13_0.png)
+
+### Example `.gitlab-ci.yaml` file
+
+```yaml
+image:
+  name: hashicorp/terraform:light
+  entrypoint:
+    - '/usr/bin/env'
+    - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
+
+# Default output file for Terraform plan
+variables:
+  GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${CI_PROJECT_NAME}
+  PLAN: plan.tfplan
+  PLAN_JSON: tfplan.json
+  TF_ROOT: ${CI_PROJECT_DIR}
+
+cache:
+  paths:
+    - .terraform
+
+before_script:
+  - apk --no-cache add jq
+  - alias convert_report="jq -r '([.resource_changes[]?.change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
+  - cd ${TF_ROOT}
+  - terraform --version
+  - terraform init -backend-config="address=${GITLAB_TF_ADDRESS}" -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock" -backend-config="username=${GITLAB_USER_LOGIN}" -backend-config="password=${GITLAB_TF_PASSWORD}" -backend-config="lock_method=POST" -backend-config="unlock_method=DELETE" -backend-config="retry_wait_min=5"
+
+stages:
+  - validate
+  - build
+  - deploy
+
+validate:
+  stage: validate
+  script:
+    - terraform validate
+
+plan:
+  stage: build
+  script:
+    - terraform plan -out=$PLAN
+    - terraform show --json $PLAN | convert_report > $PLAN_JSON
+  artifacts:
+    name: plan
+    paths:
+      - ${TF_ROOT}/plan.tfplan
+    reports:
+      terraform: ${TF_ROOT}/tfplan.json
+
+# Separate apply job for manual launching Terraform as it can be destructive
+# action.
+apply:
+  stage: deploy
+  environment:
+    name: production
+  script:
+    - terraform apply -input=false $PLAN
+  dependencies:
+    - plan
+  when: manual
+  only:
+    - master
+
+```
diff --git a/doc/user/project/integrations/generic_alerts.md b/doc/user/project/integrations/generic_alerts.md
index 97630a887f3..2234727dd82 100644
--- a/doc/user/project/integrations/generic_alerts.md
+++ b/doc/user/project/integrations/generic_alerts.md
@@ -40,6 +40,9 @@ You can customize the payload by sending the following parameters. All fields ar
 | `hosts` | String or Array | One or more hosts, as to where this incident occurred. |
 | `severity` | String | The severity of the alert. Must be one of `critical`, `high`, `medium`, `low`, `info`, `unknown`. Default is `critical`. |
 
+TIP: **Payload size:**
+Ensure your requests are smaller than the [payload application limits](../../../administration/instance_limits.md#generic-alert-json-payloads).
+
 Example request:
 
 ```shell
diff --git a/doc/user/project/issues/related_issues.md b/doc/user/project/issues/related_issues.md
index 5fba73c2971..8002b528a80 100644
--- a/doc/user/project/issues/related_issues.md
+++ b/doc/user/project/issues/related_issues.md
@@ -10,12 +10,14 @@ The relationship only shows up in the UI if the user can see both issues.
 
 ## Adding a related issue
 
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/2035) in [GitLab Starter](https://about.gitlab.com/pricing/) 12.8.
+> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/34239) in [GitLab Starter](https://about.gitlab.com/pricing/) 13.0.
+>   When you try to close an issue with open blockers, you'll see a warning that you can dismiss.
+
 You can relate one issue to another by clicking the related issues "+" button
 in the header of the related issue block. Then, input the issue reference number
 or paste in the full URL of the issue.
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/2035) in GitLab 12.8.
-
 Additionally, you can select whether the current issue relates to, blocks, or is blocked by the issues being entered.
 
 ![Adding a related issue](img/related_issues_add_v12_8.png)
diff --git a/lib/gitlab/diff/file.rb b/lib/gitlab/diff/file.rb
index c03f042d462..d1398ddb642 100644
--- a/lib/gitlab/diff/file.rb
+++ b/lib/gitlab/diff/file.rb
@@ -357,7 +357,7 @@ module Gitlab
       def fetch_blob(sha, path)
         return unless sha
 
-        Blob.lazy(repository.project, sha, path)
+        Blob.lazy(repository, sha, path)
       end
 
       def total_blob_lines(blob)
diff --git a/spec/lib/gitlab/import_export/group/legacy_tree_restorer_spec.rb b/spec/lib/gitlab/import_export/group/legacy_tree_restorer_spec.rb
index 3030cdf4cf8..4c926da1436 100644
--- a/spec/lib/gitlab/import_export/group/legacy_tree_restorer_spec.rb
+++ b/spec/lib/gitlab/import_export/group/legacy_tree_restorer_spec.rb
@@ -141,7 +141,7 @@ describe Gitlab::ImportExport::Group::LegacyTreeRestorer do
         let(:filepath) { "group_exports/visibility_levels/#{visibility_level}" }
 
         it "imports all subgroups as #{visibility_level}" do
-          expect(group.children.map(&:visibility_level)).to eq(expected_visibilities)
+          expect(group.children.map(&:visibility_level)).to match_array(expected_visibilities)
         end
       end
     end
diff --git a/spec/models/blob_spec.rb b/spec/models/blob_spec.rb
index 1b1908be390..c2d6406c3fb 100644
--- a/spec/models/blob_spec.rb
+++ b/spec/models/blob_spec.rb
@@ -32,7 +32,7 @@ describe Blob do
       it 'does not fetch blobs when none are accessed' do
         expect(container.repository).not_to receive(:blobs_at)
 
-        described_class.lazy(container, commit_id, 'CHANGELOG')
+        described_class.lazy(container.repository, commit_id, 'CHANGELOG')
       end
 
       it 'fetches all blobs for the same repository when one is accessed' do
@@ -41,10 +41,10 @@ describe Blob do
           .once.and_call_original
         expect(other_container.repository).not_to receive(:blobs_at)
 
-        changelog = described_class.lazy(container, commit_id, 'CHANGELOG')
-        contributing = described_class.lazy(same_container, commit_id, 'CONTRIBUTING.md')
+        changelog = described_class.lazy(container.repository, commit_id, 'CHANGELOG')
+        contributing = described_class.lazy(same_container.repository, commit_id, 'CONTRIBUTING.md')
 
-        described_class.lazy(other_container, commit_id, 'CHANGELOG')
+        described_class.lazy(other_container.repository, commit_id, 'CHANGELOG')
 
         # Access property so the values are loaded
         changelog.id
@@ -52,14 +52,14 @@ describe Blob do
       end
 
       it 'does not include blobs from previous requests in later requests' do
-        changelog = described_class.lazy(container, commit_id, 'CHANGELOG')
-        contributing = described_class.lazy(same_container, commit_id, 'CONTRIBUTING.md')
+        changelog = described_class.lazy(container.repository, commit_id, 'CHANGELOG')
+        contributing = described_class.lazy(same_container.repository, commit_id, 'CONTRIBUTING.md')
 
         # Access property so the values are loaded
         changelog.id
         contributing.id
 
-        readme = described_class.lazy(container, commit_id, 'README.md')
+        readme = described_class.lazy(container.repository, commit_id, 'README.md')
 
         expect(container.repository).to receive(:blobs_at)
           .with([[commit_id, 'README.md']], blob_size_limit: blob_size_limit).once.and_call_original
diff --git a/spec/services/deployments/older_deployments_drop_service_spec.rb b/spec/services/deployments/older_deployments_drop_service_spec.rb
index 44e9af07e46..4c9bcf90533 100644
--- a/spec/services/deployments/older_deployments_drop_service_spec.rb
+++ b/spec/services/deployments/older_deployments_drop_service_spec.rb
@@ -66,6 +66,43 @@ describe Deployments::OlderDeploymentsDropService do
             expect(deployable.reload.failed?).to be_truthy
           end
 
+          context 'when older deployable is a manual job' do
+            let(:older_deployment) { create(:deployment, :created, environment: environment, deployable: build) }
+            let(:build) { create(:ci_build, :manual) }
+
+            it 'does not drop any builds nor track the exception' do
+              expect(Gitlab::ErrorTracking).not_to receive(:track_exception)
+
+              expect { subject }.not_to change { Ci::Build.failed.count }
+            end
+          end
+
+          context 'when deployable.drop raises RuntimeError' do
+            before do
+              allow_any_instance_of(Ci::Build).to receive(:drop).and_raise(RuntimeError)
+            end
+
+            it 'does not drop an older deployment and tracks the exception' do
+              expect(Gitlab::ErrorTracking).to receive(:track_exception)
+                .with(kind_of(RuntimeError), subject_id: deployment.id, deployment_id: older_deployment.id)
+
+              expect { subject }.not_to change { Ci::Build.failed.count }
+            end
+          end
+
+          context 'when ActiveRecord::StaleObjectError is raised' do
+            before do
+              allow_any_instance_of(Ci::Build)
+                .to receive(:drop).and_raise(ActiveRecord::StaleObjectError)
+            end
+
+            it 'resets the object via Gitlab::OptimisticLocking' do
+              allow_any_instance_of(Ci::Build).to receive(:reset).at_least(:once)
+
+              subject
+            end
+          end
+
           context 'and there is no deployable for that older deployment' do
             let(:older_deployment) { create(:deployment, :running, environment: environment, deployable: nil) }