Add latest changes from gitlab-org/gitlab@14-5-stable-ee

13 files changed, 174 insertions, 8 deletions

diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml
index cf53e810d01..50b1650e1d5 100644
--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -19,6 +19,9 @@
 .if-default-branch-refs: &if-default-branch-refs
   if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH'
 
+.if-stable-branch-refs: &if-stable-branch-refs
+  if: '$CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/'
+
 .if-default-branch-push: &if-default-branch-push
   if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"'
 
@@ -40,6 +43,9 @@
 .if-automated-merge-request: &if-automated-merge-request
   if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == "release-tools/update-gitaly" || $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /stable-ee$/'
 
+.if-merge-request-targeting-stable-branch: &if-merge-request-targeting-stable-branch
+  if: '$CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^[\d-]+-stable(-ee)?$/'
+
 .if-merge-request-labels-as-if-foss: &if-merge-request-labels-as-if-foss
   if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:run-as-if-foss/'
 
@@ -577,6 +583,12 @@
       when: never
     - <<: *if-jh
       when: never
+    - <<: *if-security-merge-request
+      when: never
+    - <<: *if-merge-request-targeting-stable-branch
+      when: never
+    - <<: *if-stable-branch-refs
+      when: never
     - <<: *if-merge-request-labels-as-if-jh
     - <<: *if-merge-request-labels-run-all-rspec
     - changes: *code-backstage-qa-patterns
@@ -609,7 +621,11 @@
     - <<: *if-jh
       when: never
     - <<: *if-security-merge-request
-      changes: *code-backstage-patterns
+      when: never
+    - <<: *if-merge-request-targeting-stable-branch
+      when: never
+    - <<: *if-stable-branch-refs
+      when: never
     - <<: *if-merge-request-labels-as-if-jh
     - <<: *if-merge-request-labels-run-all-rspec
     - <<: *if-merge-request
@@ -1255,8 +1271,11 @@
     - <<: *if-jh
       when: never
     - <<: *if-security-merge-request
-      changes: *code-backstage-patterns
-      allow_failure: true
+      when: never
+    - <<: *if-merge-request-targeting-stable-branch
+      when: never
+    - <<: *if-stable-branch-refs
+      when: never
     - <<: *if-merge-request-labels-as-if-jh
       allow_failure: true
     - <<: *if-merge-request
@@ -1806,6 +1825,12 @@
       when: never
     - <<: *if-jh
       when: never
+    - <<: *if-security-merge-request
+      when: never
+    - <<: *if-merge-request-targeting-stable-branch
+      when: never
+    - <<: *if-stable-branch-refs
+      when: never
     - <<: *if-merge-request-labels-as-if-jh
     - <<: *if-merge-request-labels-run-all-rspec
     - changes: *code-backstage-qa-patterns
diff --git a/GITLAB_SHELL_VERSION b/GITLAB_SHELL_VERSION
index 70ca8545134..516e0c5f549 100644
--- a/GITLAB_SHELL_VERSION
+++ b/GITLAB_SHELL_VERSION
@@ -1 +1 @@
-13.22.0
+13.22.1
diff --git a/config/initializers/action_cable.rb b/config/initializers/action_cable.rb
index fc40d0b69c5..0d2073586be 100644
--- a/config/initializers/action_cable.rb
+++ b/config/initializers/action_cable.rb
@@ -9,6 +9,8 @@ Rails.application.configure do
   config.action_cable.worker_pool_size = Gitlab::ActionCable::Config.worker_pool_size
 end
 
+ActionCable::SubscriptionAdapter::Base.prepend(Gitlab::Patch::ActionCableSubscriptionAdapterIdentifier)
+
 # https://github.com/rails/rails/blob/bb5ac1623e8de08c1b7b62b1368758f0d3bb6379/actioncable/lib/action_cable/subscription_adapter/redis.rb#L18
 ActionCable::SubscriptionAdapter::Redis.redis_connector = lambda do |config|
   args = config.except(:adapter, :channel_prefix)
diff --git a/data/whats_new/2021111800001_14_05.yml b/data/whats_new/2021111800001_14_05.yml
new file mode 100644
index 00000000000..63b87c21ee0
--- /dev/null
+++ b/data/whats_new/2021111800001_14_05.yml
@@ -0,0 +1,77 @@
+- title: Introducing Infrastructure as Code (IaC) security scanning
+  body: |
+    With Gitlab 14.5 we're introducing security scanning for Infrastructure as Code (IaC) configuration files. Like all our SAST scanners, we've chosen to make this capability available for all customers for free to encourage secure coding practices with the rise of IaC. The initial version of this IaC security scanner supports configuration files for Terraform, Ansible, AWS CloudFormation, and Kubernetes and is based on the open-source [Keeping Infrastructure as Code Secure (KICS) project](https://kics.io/). This new IaC scanning capability joins our [existing Kubernetes manifest SAST scanner](https://docs.gitlab.com/ee/user/application_security/sast/#enabling-kubesec-analyzer).
+  stage: Secure
+  self-managed: true
+  gitlab-com: true
+  packages: [Free, Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/user/application_security/iac_scanning/'
+  image_url: https://about.gitlab.com/images/14_5/gitlab-iac.png
+  published_at: 2021-11-22
+  release: 14.5
+- title: Add personal README to profile
+  body: |
+    You can now add a README section to your GitLab profile! This is a great way to tell others about, your interests, how you work, or anything else you want! To add a README section, create a new public project with the same name as your user account and add a new [README file](https://docs.gitlab.com/ee/user/project/repository/index.html#readme-and-index-files). The contents of that file are automatically shown on your GitLab profile.
+  stage: Manage
+  self-managed: true
+  gitlab-com: true
+  packages: [Free, Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/user/profile/#user-profile-readme'
+  image_url: https://about.gitlab.com/images/14_5/user_profiles_readme.png
+  published_at: 2021-11-22
+  release: 14.5
+- title: Geo provides a single command to promote a secondary node
+  body: |
+    When performing a failover, systems administrators use different tools depending on the underlying architecture. On a single-node Geo site, administrators can use the `gitlab-ctl promote-to-primary-node` command. However, multi-node sites did not support this command and required manual editing of configuration. This was cumbersome for large environments because it required updating dozens of configuration files.
+
+    Now, administrators can use `gitlab-ctl geo promote` on any node of a Geo secondary site to promote it to a primary. In a disaster recovery scenario or planned failover, this saves precious time and reduces potential errors when promoting a secondary site to a primary. This command also makes it easier to script the failover process.
+
+    As of GitLab 14.5, the commands `gitlab-ctl promote-to-primary-node` and `gitlab-ctl promote-db` are deprecated and will be removed in GitLab 15.0.
+  stage: Enablement
+  self-managed: true
+  gitlab-com: false
+  packages: [Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/administration/geo/disaster_recovery/planned_failover.html'
+  image_url: https://about.gitlab.com/images/growth/enablement.png
+  published_at: 2021-11-22
+  release: 14.5
+- title: Group-level settings for merge request approvals
+  body: |
+    You can now define and enforce values for merge request approval settings at the group level. These values cascade and are used by any projects within the group. Group-level merge request approvals make it easy for organizations to ensure proper separation of duties across all teams. You only have to specify settings in a single location now, rather than needing to update and monitor every project.
+
+    When these settings are set at the group level, you:
+
+    - Can be confident that projects will use consistent separation of duties workflows.
+    - Do not need to manually check that every project has not had its settings modified.
+  stage: Manage
+  self-managed: true
+  gitlab-com: true
+  packages: [Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/user/group/#group-approval-rules'
+  image_url: https://about.gitlab.com/images/14_5/group_level_mr_settings_picture.png
+  published_at: 2021-11-22
+  release: 14.5
+- title: GitLab Kubernetes Agent available in GitLab Free
+  body: |
+    Connecting a Kubernetes cluster with the GitLab Kubernetes Agent simplifies the setup for cluster applications and enables secure GitOps deployments to the cluster. Initially, the GitLab Kubernetes Agent was available only for Premium users. In our commitment to the open source ethos, we moved the core features of the GitLab Kubernetes Agent and the CI/CD Tunnel to GitLab Free. We expect that the open-sourced features are compelling to many users without dedicated infrastructure teams and strong requirements around cluster management. Advanced features remain available as part of the GitLab Premium offering.
+  stage: Configure
+  self-managed: true
+  gitlab-com: true
+  packages: [Free, Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/user/clusters/agent/'
+  image_url: https://about.gitlab.com/images/growth/configure.png
+  published_at: 2021-11-22
+  release: 14.5
+- title: Cleaner diffs for Jupyter Notebook files
+  body: |
+    Jupyter notebooks are key to data scientists' and machine learning engineers' workflows, but the file structure makes code review challenging. Often, the files can't be reviewed properly, and users are forced to accept those changes or treat their repositories as stores of data versus collaborative projects.
+
+    Now GitLab automatically strips out the noise and displays a cleaner version of the diff for these files. Human-readable diffs make it easier to review the substance of the change, without worrying about the formatting pieces that Jupyter Notebooks need.
+  stage: Create
+  self-managed: true
+  gitlab-com: true
+  packages: [Free, Premium, Ultimate]
+  url: 'https://docs.gitlab.com/ee/user/project/repository/jupyter_notebooks/#cleaner-diffs'
+  image_url: https://about.gitlab.com/images/14_5/create-code-review-jupyter-notebook-diffs.png
+  published_at: 2021-11-22
+  release: 14.5
diff --git a/lib/gitlab/checks/branch_check.rb b/lib/gitlab/checks/branch_check.rb
index cfff6e919dc..237a6bbb0f2 100644
--- a/lib/gitlab/checks/branch_check.rb
+++ b/lib/gitlab/checks/branch_check.rb
@@ -40,6 +40,7 @@ module Gitlab
       private
 
       def prohibited_branch_checks
+        return if deletion?
         return unless Feature.enabled?(:prohibit_hexadecimal_branch_names, project, default_enabled: true)
 
         if branch_name =~ /\A\h{40}\z/
diff --git a/lib/gitlab/patch/action_cable_subscription_adapter_identifier.rb b/lib/gitlab/patch/action_cable_subscription_adapter_identifier.rb
new file mode 100644
index 00000000000..e7ac562d844
--- /dev/null
+++ b/lib/gitlab/patch/action_cable_subscription_adapter_identifier.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+# Modifies https://github.com/rails/rails/blob/v6.1.4.1/actioncable/lib/action_cable/subscription_adapter/base.rb so
+# that we do not overwrite an id that was explicitly set to `nil` in cable.yml.
+# This is needed to support GCP Memorystore. See https://github.com/rails/rails/issues/38244.
+
+module Gitlab
+  module Patch
+    module ActionCableSubscriptionAdapterIdentifier
+      def identifier
+        @server.config.cable.has_key?(:id) ? @server.config.cable[:id] : super # rubocop:disable Gitlab/ModuleWithInstanceVariables
+      end
+    end
+  end
+end
diff --git a/spec/controllers/projects/raw_controller_spec.rb b/spec/controllers/projects/raw_controller_spec.rb
index a81173ccaac..79da18f2d6d 100644
--- a/spec/controllers/projects/raw_controller_spec.rb
+++ b/spec/controllers/projects/raw_controller_spec.rb
@@ -101,7 +101,7 @@ RSpec.describe Projects::RawController do
         expect(response).to have_gitlab_http_status(:too_many_requests)
       end
 
-      it 'logs the event on auth.log' do
+      it 'logs the event on auth.log', quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/345889' do
         attributes = {
           message: 'Application_Rate_Limiter_Request',
           env: :raw_blob_request_limit,
diff --git a/spec/features/groups/import_export/import_file_spec.rb b/spec/features/groups/import_export/import_file_spec.rb
index 76d17c4409d..3d23451feef 100644
--- a/spec/features/groups/import_export/import_file_spec.rb
+++ b/spec/features/groups/import_export/import_file_spec.rb
@@ -85,7 +85,7 @@ RSpec.describe 'Import/Export - Group Import', :js do
   context 'when the user uploads an invalid export file' do
     let(:file) { File.join(Rails.root, 'spec', %w[fixtures big-image.png]) }
 
-    it 'displays an error' do
+    it 'displays an error', quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/343995' do
       visit new_group_path
       click_link 'Import group'
 
diff --git a/spec/initializers/action_cable_subscription_adapter_identifier_spec.rb b/spec/initializers/action_cable_subscription_adapter_identifier_spec.rb
new file mode 100644
index 00000000000..12988b851ef
--- /dev/null
+++ b/spec/initializers/action_cable_subscription_adapter_identifier_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'ActionCableSubscriptionAdapterIdentifier override' do
+  describe '#identifier' do
+    context 'when id key is nil on cable.yml' do
+      it 'does not override server config id with action cable pid' do
+        config = {
+          adapter: 'redis',
+          url: 'unix:/home/localuser/redis/redis.socket',
+          channel_prefix: 'test_',
+          id: nil
+        }
+        ::ActionCable::Server::Base.config.cable = config
+
+        sub = ActionCable.server.pubsub.send(:redis_connection)
+
+        expect(sub.connection[:id]).to eq('redis:///home/localuser/redis/redis.socket/0')
+        expect(ActionCable.server.config.cable[:id]).to be_nil
+      end
+    end
+  end
+end
diff --git a/spec/lib/gitlab/checks/branch_check_spec.rb b/spec/lib/gitlab/checks/branch_check_spec.rb
index 3086cb1bd33..f503759f3f8 100644
--- a/spec/lib/gitlab/checks/branch_check_spec.rb
+++ b/spec/lib/gitlab/checks/branch_check_spec.rb
@@ -32,6 +32,15 @@ RSpec.describe Gitlab::Checks::BranchCheck do
         expect { subject.validate! }.not_to raise_error
       end
 
+      context "deleting a hexadecimal branch" do
+        let(:newrev) { "0000000000000000000000000000000000000000" }
+        let(:ref) { "refs/heads/267208abfe40e546f5e847444276f7d43a39503e" }
+
+        it "doesn't prohibit the deletion of a hexadecimal branch name" do
+          expect { subject.validate! }.not_to raise_error
+        end
+      end
+
       context "the feature flag is disabled" do
         it "doesn't prohibit a 40-character hexadecimal branch name" do
           stub_feature_flags(prohibit_hexadecimal_branch_names: false)
diff --git a/spec/requests/api/graphql/ci/jobs_spec.rb b/spec/requests/api/graphql/ci/jobs_spec.rb
index e6362fdde88..b2f4801a083 100644
--- a/spec/requests/api/graphql/ci/jobs_spec.rb
+++ b/spec/requests/api/graphql/ci/jobs_spec.rb
@@ -105,8 +105,8 @@ RSpec.describe 'Query.project.pipeline' do
         expect(jobs_graphql_data).to contain_exactly(a_hash_including('name' => 'my test job'))
       end
 
-      it 'can find all stages' do
-        post_graphql(query, current_user: user, variables: first_n.with(3))
+      it 'reports the build needs and previous stages with no duplicates', quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/346433' do
+        post_graphql(query, current_user: user)
 
         expect(jobs_graphql_data).to contain_exactly(
           a_hash_including('name' => 'my test job'),
diff --git a/spec/services/ci/job_artifacts/create_service_spec.rb b/spec/services/ci/job_artifacts/create_service_spec.rb
index 6ad3e9ceb54..2d309bfe425 100644
--- a/spec/services/ci/job_artifacts/create_service_spec.rb
+++ b/spec/services/ci/job_artifacts/create_service_spec.rb
@@ -24,6 +24,8 @@ RSpec.describe Ci::JobArtifacts::CreateService do
   def file_to_upload(path, params = {})
     upload = Tempfile.new('upload')
     FileUtils.copy(path, upload.path)
+    # This is a workaround for https://github.com/docker/for-linux/issues/1015
+    FileUtils.touch(upload.path)
 
     UploadedFile.new(upload.path, **params)
   end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 25759ca50b8..52560f1f1c3 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -475,3 +475,14 @@ Rugged::Settings['search_path_global'] = Rails.root.join('tmp/tests').to_s
 
 # Initialize FactoryDefault to use create_default helper
 TestProf::FactoryDefault.init
+
+module TouchRackUploadedFile
+  def initialize_from_file_path(path)
+    super
+
+    # This is a no-op workaround for https://github.com/docker/for-linux/issues/1015
+    File.utime @tempfile.atime, @tempfile.mtime, @tempfile.path # rubocop:disable Gitlab/ModuleWithInstanceVariables
+  end
+end
+
+Rack::Test::UploadedFile.prepend(TouchRackUploadedFile)