Merge remote-tracking branch 'upstream/master' into 26914-add_deploy_history_data_source

63 files changed, 763 insertions, 511 deletions

diff --git a/app/controllers/admin/abuse_reports_controller.rb b/app/controllers/admin/abuse_reports_controller.rb
index 5055c318a5f..dc9a6df5f75 100644
--- a/app/controllers/admin/abuse_reports_controller.rb
+++ b/app/controllers/admin/abuse_reports_controller.rb
@@ -1,6 +1,7 @@
 class Admin::AbuseReportsController < Admin::ApplicationController
   def index
     @abuse_reports = AbuseReport.order(id: :desc).page(params[:page])
+    @abuse_reports.includes(:reporter, :user)
   end
 
   def destroy
diff --git a/app/controllers/admin/application_controller.rb b/app/controllers/admin/application_controller.rb
index cf795d977ce..a4648b33cfa 100644
--- a/app/controllers/admin/application_controller.rb
+++ b/app/controllers/admin/application_controller.rb
@@ -6,6 +6,6 @@ class Admin::ApplicationController < ApplicationController
   layout 'admin'
 
   def authenticate_admin!
-    render_404 unless current_user.is_admin?
+    render_404 unless current_user.admin?
   end
 end
diff --git a/app/controllers/admin/application_settings_controller.rb b/app/controllers/admin/application_settings_controller.rb
index 8d831ffdd70..643993d035e 100644
--- a/app/controllers/admin/application_settings_controller.rb
+++ b/app/controllers/admin/application_settings_controller.rb
@@ -17,6 +17,18 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
     end
   end
 
+  def usage_data
+    respond_to do |format|
+      format.html do
+        usage_data = Gitlab::UsageData.data
+        usage_data_json = params[:pretty] ? JSON.pretty_generate(usage_data) : usage_data.to_json
+
+        render html: Gitlab::Highlight.highlight('payload.json', usage_data_json)
+      end
+      format.json { render json: Gitlab::UsageData.to_json }
+    end
+  end
+
   def reset_runners_token
     @application_setting.reset_runners_registration_token!
     flash[:notice] = 'New runners registration token has been generated!'
@@ -45,15 +57,6 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
   end
 
   def application_setting_params
-    restricted_levels = params[:application_setting][:restricted_visibility_levels]
-    if restricted_levels.nil?
-      params[:application_setting][:restricted_visibility_levels] = []
-    else
-      restricted_levels.map! do |level|
-        level.to_i
-      end
-    end
-
     import_sources = params[:application_setting][:import_sources]
     if import_sources.nil?
       params[:application_setting][:import_sources] = []
@@ -143,6 +146,8 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
       :unique_ips_limit_enabled,
       :version_check_enabled,
       :terminal_max_session_time,
+      :polling_interval_multiplier,
+      :usage_ping_enabled,
 
       disabled_oauth_sign_in_sources: [],
       import_sources: [],
diff --git a/app/controllers/admin/background_jobs_controller.rb b/app/controllers/admin/background_jobs_controller.rb
index c09095b9849..5f90ad7137d 100644
--- a/app/controllers/admin/background_jobs_controller.rb
+++ b/app/controllers/admin/background_jobs_controller.rb
@@ -1,7 +1,7 @@
 class Admin::BackgroundJobsController < Admin::ApplicationController
   def show
-    ps_output, _ = Gitlab::Popen.popen(%W(ps -U #{Gitlab.config.gitlab.user} -o pid,pcpu,pmem,stat,start,command))
-    @sidekiq_processes = ps_output.split("\n").grep(/sidekiq/)
+    ps_output, _ = Gitlab::Popen.popen(%W(ps ww -U #{Gitlab.config.gitlab.user} -o pid,pcpu,pmem,stat,start,command))
+    @sidekiq_processes = ps_output.split("\n").grep(/sidekiq \d+\.\d+\.\d+/)
     @concurrency = Sidekiq.options[:concurrency]
   end
 end
diff --git a/app/controllers/admin/cohorts_controller.rb b/app/controllers/admin/cohorts_controller.rb
new file mode 100644
index 00000000000..9b77c554908
--- /dev/null
+++ b/app/controllers/admin/cohorts_controller.rb
@@ -0,0 +1,11 @@
+class Admin::CohortsController < Admin::ApplicationController
+  def index
+    if current_application_settings.usage_ping_enabled
+      cohorts_results = Rails.cache.fetch('cohorts', expires_in: 1.day) do
+        CohortsService.new.execute
+      end
+
+      @cohorts = CohortsSerializer.new.represent(cohorts_results)
+    end
+  end
+end
diff --git a/app/controllers/admin/groups_controller.rb b/app/controllers/admin/groups_controller.rb
index cea3d088e94..f28bbdeff5a 100644
--- a/app/controllers/admin/groups_controller.rb
+++ b/app/controllers/admin/groups_controller.rb
@@ -72,7 +72,9 @@ class Admin::GroupsController < Admin::ApplicationController
       :name,
       :path,
       :request_access_enabled,
-      :visibility_level
+      :visibility_level,
+      :require_two_factor_authentication,
+      :two_factor_grace_period
     ]
   end
 end
diff --git a/app/controllers/admin/impersonations_controller.rb b/app/controllers/admin/impersonations_controller.rb
index 9433da02f64..8e7adc06584 100644
--- a/app/controllers/admin/impersonations_controller.rb
+++ b/app/controllers/admin/impersonations_controller.rb
@@ -21,6 +21,6 @@ class Admin::ImpersonationsController < Admin::ApplicationController
   end
 
   def authenticate_impersonator!
-    render_404 unless impersonator && impersonator.is_admin? && !impersonator.blocked?
+    render_404 unless impersonator && impersonator.admin? && !impersonator.blocked?
   end
 end
diff --git a/app/controllers/admin/labels_controller.rb b/app/controllers/admin/labels_controller.rb
index d496f08a598..4531657268c 100644
--- a/app/controllers/admin/labels_controller.rb
+++ b/app/controllers/admin/labels_controller.rb
@@ -16,10 +16,9 @@ class Admin::LabelsController < Admin::ApplicationController
   end
 
   def create
-    @label = Label.new(label_params)
-    @label.template = true
+    @label = Labels::CreateService.new(label_params).execute(template: true)
 
-    if @label.save
+    if @label.persisted?
       redirect_to admin_labels_url, notice: "Label was created"
     else
       render :new
@@ -27,7 +26,9 @@ class Admin::LabelsController < Admin::ApplicationController
   end
 
   def update
-    if @label.update(label_params)
+    @label = Labels::UpdateService.new(label_params).execute(@label)
+
+    if @label.valid?
       redirect_to admin_labels_path, notice: 'label was successfully updated.'
     else
       render :edit
diff --git a/app/controllers/admin/projects_controller.rb b/app/controllers/admin/projects_controller.rb
index daecfc832bf..a1975c0e341 100644
--- a/app/controllers/admin/projects_controller.rb
+++ b/app/controllers/admin/projects_controller.rb
@@ -3,6 +3,7 @@ class Admin::ProjectsController < Admin::ApplicationController
   before_action :group, only: [:show, :transfer]
 
   def index
+    params[:sort] ||= 'latest_activity_desc'
     @projects = Project.with_statistics
     @projects = @projects.in_namespace(params[:namespace_id]) if params[:namespace_id].present?
     @projects = @projects.where(visibility_level: params[:visibility_level]) if params[:visibility_level].present?
diff --git a/app/controllers/admin/spam_logs_controller.rb b/app/controllers/admin/spam_logs_controller.rb
index 2abfa22712d..1d66955bb71 100644
--- a/app/controllers/admin/spam_logs_controller.rb
+++ b/app/controllers/admin/spam_logs_controller.rb
@@ -7,7 +7,7 @@ class Admin::SpamLogsController < Admin::ApplicationController
     spam_log = SpamLog.find(params[:id])
 
     if params[:remove_user]
-      spam_log.remove_user
+      spam_log.remove_user(deleted_by: current_user)
       redirect_to admin_spam_logs_path, notice: "User #{spam_log.user.username} was successfully removed."
     else
       spam_log.destroy
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 6a6e335d314..e77094fe2a8 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -8,12 +8,12 @@ class ApplicationController < ActionController::Base
   include PageLayoutHelper
   include SentryHelper
   include WorkhorseHelper
+  include EnforcesTwoFactorAuthentication
 
   before_action :authenticate_user_from_private_token!
   before_action :authenticate_user!
   before_action :validate_user_service_ticket!
   before_action :check_password_expiration
-  before_action :check_2fa_requirement
   before_action :ldap_security_check
   before_action :sentry_context
   before_action :default_headers
@@ -151,12 +151,6 @@ class ApplicationController < ActionController::Base
     end
   end
 
-  def check_2fa_requirement
-    if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled? && !skip_two_factor?
-      redirect_to profile_two_factor_auth_path
-    end
-  end
-
   def ldap_security_check
     if current_user && current_user.requires_ldap_check?
       return unless current_user.try_obtain_ldap_lease
@@ -265,23 +259,6 @@ class ApplicationController < ActionController::Base
     current_application_settings.import_sources.include?('gitlab_project')
   end
 
-  def two_factor_authentication_required?
-    current_application_settings.require_two_factor_authentication
-  end
-
-  def two_factor_grace_period
-    current_application_settings.two_factor_grace_period
-  end
-
-  def two_factor_grace_period_expired?
-    date = current_user.otp_grace_period_started_at
-    date && (date + two_factor_grace_period.hours) < Time.current
-  end
-
-  def skip_two_factor?
-    session[:skip_tfa] && session[:skip_tfa] > Time.current
-  end
-
   # U2F (universal 2nd factor) devices need a unique identifier for the application
   # to perform authentication.
   # https://developers.yubico.com/U2F/App_ID.html
diff --git a/app/controllers/concerns/continue_params.rb b/app/controllers/concerns/continue_params.rb
index 0a995c45bdf..eb3a623acdd 100644
--- a/app/controllers/concerns/continue_params.rb
+++ b/app/controllers/concerns/continue_params.rb
@@ -7,6 +7,7 @@ module ContinueParams
 
     continue_params = continue_params.permit(:to, :notice, :notice_now)
     return unless continue_params[:to] && continue_params[:to].start_with?('/')
+    return if continue_params[:to].start_with?('//')
 
     continue_params
   end
diff --git a/app/controllers/concerns/creates_commit.rb b/app/controllers/concerns/creates_commit.rb
index 9ac8197e45a..183eb00ef67 100644
--- a/app/controllers/concerns/creates_commit.rb
+++ b/app/controllers/concerns/creates_commit.rb
@@ -1,17 +1,29 @@
 module CreatesCommit
   extend ActiveSupport::Concern
 
+  def set_start_branch_to_branch_name
+    branch_exists = @repository.find_branch(@branch_name)
+    @start_branch = @branch_name if branch_exists
+  end
+
   def create_commit(service, success_path:, failure_path:, failure_view: nil, success_notice: nil)
-    set_commit_variables
+    if can?(current_user, :push_code, @project)
+      @project_to_commit_into = @project
+      @branch_name ||= @ref
+    else
+      @project_to_commit_into = current_user.fork_of(@project)
+      @branch_name ||= @project_to_commit_into.repository.next_branch('patch')
+    end
+
+    @start_branch ||= @ref || @branch_name
 
     commit_params = @commit_params.merge(
-      start_project: @mr_target_project,
-      start_branch: @mr_target_branch,
-      target_branch: @mr_source_branch
+      start_project: @project,
+      start_branch: @start_branch,
+      branch_name: @branch_name
     )
 
-    result = service.new(
-      @mr_source_project, current_user, commit_params).execute
+    result = service.new(@project_to_commit_into, current_user, commit_params).execute
 
     if result[:status] == :success
       update_flash_notice(success_notice)
@@ -72,30 +84,30 @@ module CreatesCommit
 
   def new_merge_request_path
     new_namespace_project_merge_request_path(
-      @mr_source_project.namespace,
-      @mr_source_project,
+      @project_to_commit_into.namespace,
+      @project_to_commit_into,
       merge_request: {
-        source_project_id: @mr_source_project.id,
-        target_project_id: @mr_target_project.id,
-        source_branch: @mr_source_branch,
-        target_branch: @mr_target_branch
+        source_project_id: @project_to_commit_into.id,
+        target_project_id: @project.id,
+        source_branch: @branch_name,
+        target_branch: @start_branch
       }
     )
   end
 
   def existing_merge_request_path
-    namespace_project_merge_request_path(@mr_target_project.namespace, @mr_target_project, @merge_request)
+    namespace_project_merge_request_path(@project.namespace, @project, @merge_request)
   end
 
   def merge_request_exists?
     return @merge_request if defined?(@merge_request)
 
-    @merge_request = MergeRequestsFinder.new(current_user, project_id: @mr_target_project.id).execute.opened.
-      find_by(source_branch: @mr_source_branch, target_branch: @mr_target_branch, source_project_id: @mr_source_project)
+    @merge_request = MergeRequestsFinder.new(current_user, project_id: @project.id).execute.opened.
+      find_by(source_project_id: @project_to_commit_into, source_branch: @branch_name, target_branch: @start_branch)
   end
 
   def different_project?
-    @mr_source_project != @mr_target_project
+    @project_to_commit_into != @project
   end
 
   def create_merge_request?
@@ -103,22 +115,6 @@ module CreatesCommit
     # as the target branch in the same project,
     # we don't want to create a merge request.
     params[:create_merge_request].present? &&
-      (different_project? || @mr_target_branch != @mr_source_branch)
-  end
-
-  def set_commit_variables
-    if can?(current_user, :push_code, @project)
-      @mr_source_project = @project
-      @target_branch ||= @ref
-    else
-      @mr_source_project = current_user.fork_of(@project)
-      @target_branch ||= @mr_source_project.repository.next_branch('patch')
-    end
-
-    # Merge request to this project
-    @mr_target_project = @project
-    @mr_target_branch ||= @ref || @target_branch
-
-    @mr_source_branch = @target_branch
+      (different_project? || @start_branch != @branch_name)
   end
 end
diff --git a/app/controllers/concerns/enforces_two_factor_authentication.rb b/app/controllers/concerns/enforces_two_factor_authentication.rb
new file mode 100644
index 00000000000..688e8bd4a37
--- /dev/null
+++ b/app/controllers/concerns/enforces_two_factor_authentication.rb
@@ -0,0 +1,58 @@
+# == EnforcesTwoFactorAuthentication
+#
+# Controller concern to enforce two-factor authentication requirements
+#
+# Upon inclusion, adds `check_two_factor_requirement` as a before_action,
+# and makes `two_factor_grace_period_expired?` and `two_factor_skippable?`
+# available as view helpers.
+module EnforcesTwoFactorAuthentication
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :check_two_factor_requirement
+    helper_method :two_factor_grace_period_expired?, :two_factor_skippable?
+  end
+
+  def check_two_factor_requirement
+    if two_factor_authentication_required? && current_user && !current_user.two_factor_enabled? && !skip_two_factor?
+      redirect_to profile_two_factor_auth_path
+    end
+  end
+
+  def two_factor_authentication_required?
+    current_application_settings.require_two_factor_authentication? ||
+      current_user.try(:require_two_factor_authentication_from_group?)
+  end
+
+  def two_factor_authentication_reason(global: -> {}, group: -> {})
+    if two_factor_authentication_required?
+      if current_application_settings.require_two_factor_authentication?
+        global.call
+      else
+        groups = current_user.expanded_groups_requiring_two_factor_authentication.reorder(name: :asc)
+        group.call(groups)
+      end
+    end
+  end
+
+  def two_factor_grace_period
+    periods = [current_application_settings.two_factor_grace_period]
+    periods << current_user.two_factor_grace_period if current_user.try(:require_two_factor_authentication_from_group?)
+    periods.min
+  end
+
+  def two_factor_grace_period_expired?
+    date = current_user.otp_grace_period_started_at
+    date && (date + two_factor_grace_period.hours) < Time.current
+  end
+
+  def two_factor_skippable?
+    two_factor_authentication_required? &&
+      !current_user.two_factor_enabled? &&
+      !two_factor_grace_period_expired?
+  end
+
+  def skip_two_factor?
+    session[:skip_two_factor] && session[:skip_two_factor] > Time.current
+  end
+end
diff --git a/app/controllers/concerns/filter_projects.rb b/app/controllers/concerns/filter_projects.rb
deleted file mode 100644
index 6014112256a..00000000000
--- a/app/controllers/concerns/filter_projects.rb
+++ /dev/null
@@ -1,17 +0,0 @@
-# == FilterProjects
-#
-# Controller concern to handle projects filtering
-# * by name
-# * by archived state
-#
-module FilterProjects
-  extend ActiveSupport::Concern
-
-  def filter_projects(projects)
-    projects = projects.search(params[:name]) if params[:name].present?
-    projects = projects.non_archived if params[:archived].blank?
-    projects = projects.personal(current_user) if params[:personal].present? && current_user
-
-    projects
-  end
-end
diff --git a/app/controllers/concerns/issuable_collections.rb b/app/controllers/concerns/issuable_collections.rb
index 85ae4985e58..c8a501d7319 100644
--- a/app/controllers/concerns/issuable_collections.rb
+++ b/app/controllers/concerns/issuable_collections.rb
@@ -15,6 +15,9 @@ module IssuableCollections
     # a new order into the collection.
     # We cannot use reorder to not mess up the paginated collection.
     issuable_ids = issuable_collection.map(&:id)
+
+    return {} if issuable_ids.empty?
+
     issuable_note_count = Note.count_for_collection(issuable_ids, @collection_type)
     issuable_votes_count = AwardEmoji.votes_for_collection(issuable_ids, @collection_type)
     issuable_merge_requests_count =
diff --git a/app/controllers/concerns/params_backward_compatibility.rb b/app/controllers/concerns/params_backward_compatibility.rb
new file mode 100644
index 00000000000..b0e3d9c7b34
--- /dev/null
+++ b/app/controllers/concerns/params_backward_compatibility.rb
@@ -0,0 +1,7 @@
+module ParamsBackwardCompatibility
+  private
+
+  def set_non_archived_param
+    params[:non_archived] = params[:archived].blank?
+  end
+end
diff --git a/app/controllers/concerns/renders_notes.rb b/app/controllers/concerns/renders_notes.rb
new file mode 100644
index 00000000000..dd21066ac13
--- /dev/null
+++ b/app/controllers/concerns/renders_notes.rb
@@ -0,0 +1,20 @@
+module RendersNotes
+  def prepare_notes_for_rendering(notes)
+    preload_noteable_for_regular_notes(notes)
+    preload_max_access_for_authors(notes, @project)
+    Banzai::NoteRenderer.render(notes, @project, current_user)
+
+    notes
+  end
+
+  private
+
+  def preload_max_access_for_authors(notes, project)
+    user_ids = notes.map(&:author_id)
+    project.team.max_member_access_for_user_ids(user_ids)
+  end
+
+  def preload_noteable_for_regular_notes(notes)
+    ActiveRecord::Associations::Preloader.new.preload(notes.reject(&:for_commit?), :noteable)
+  end
+end
diff --git a/app/controllers/concerns/requires_health_token.rb b/app/controllers/concerns/requires_health_token.rb
new file mode 100644
index 00000000000..34ab1a97649
--- /dev/null
+++ b/app/controllers/concerns/requires_health_token.rb
@@ -0,0 +1,25 @@
+module RequiresHealthToken
+  extend ActiveSupport::Concern
+  included do
+    before_action :validate_health_check_access!
+  end
+
+  private
+
+  def validate_health_check_access!
+    render_404 unless token_valid?
+  end
+
+  def token_valid?
+    token = params[:token].presence || request.headers['TOKEN']
+    token.present? &&
+      ActiveSupport::SecurityUtils.variable_size_secure_compare(
+        token,
+        current_application_settings.health_check_access_token
+      )
+  end
+
+  def render_404
+    render file: Rails.root.join('public', '404'), layout: false, status: '404'
+  end
+end
diff --git a/app/controllers/dashboard/projects_controller.rb b/app/controllers/dashboard/projects_controller.rb
index be00d765f73..5a1efcab1a3 100644
--- a/app/controllers/dashboard/projects_controller.rb
+++ b/app/controllers/dashboard/projects_controller.rb
@@ -1,10 +1,11 @@
 class Dashboard::ProjectsController < Dashboard::ApplicationController
-  include FilterProjects
+  include ParamsBackwardCompatibility
+
+  before_action :set_non_archived_param
+  before_action :default_sorting
 
   def index
-    @projects = load_projects(current_user.authorized_projects)
-    @projects = @projects.sort(@sort = params[:sort])
-    @projects = @projects.page(params[:page])
+    @projects = load_projects(params.merge(non_public: true)).page(params[:page])
 
     respond_to do |format|
       format.html { @last_push = current_user.recent_push }
@@ -21,10 +22,8 @@ class Dashboard::ProjectsController < Dashboard::ApplicationController
   end
 
   def starred
-    @projects = load_projects(current_user.viewable_starred_projects)
-    @projects = @projects.includes(:forked_from_project, :tags)
-    @projects = @projects.sort(@sort = params[:sort])
-    @projects = @projects.page(params[:page])
+    @projects = load_projects(params.merge(starred: true)).
+      includes(:forked_from_project, :tags).page(params[:page])
 
     @last_push = current_user.recent_push
     @groups = []
@@ -41,14 +40,18 @@ class Dashboard::ProjectsController < Dashboard::ApplicationController
 
   private
 
-  def load_projects(base_scope)
-    projects = base_scope.sorted_by_activity.includes(:route, namespace: :route)
+  def default_sorting
+    params[:sort] ||= 'latest_activity_desc'
+    @sort = params[:sort]
+  end
 
-    filter_projects(projects)
+  def load_projects(finder_params)
+    ProjectsFinder.new(params: finder_params, current_user: current_user).
+      execute.includes(:route, namespace: :route)
   end
 
   def load_events
-    @events = Event.in_projects(load_projects(current_user.authorized_projects))
+    @events = Event.in_projects(load_projects(params.merge(non_public: true)))
     @events = event_filter.apply_filter(@events).with_associations
     @events = @events.limit(20).offset(params[:offset] || 0)
   end
diff --git a/app/controllers/dashboard/todos_controller.rb b/app/controllers/dashboard/todos_controller.rb
index 498690e8f11..4d7d45787fc 100644
--- a/app/controllers/dashboard/todos_controller.rb
+++ b/app/controllers/dashboard/todos_controller.rb
@@ -7,7 +7,7 @@ class Dashboard::TodosController < Dashboard::ApplicationController
     @sort = params[:sort]
     @todos = @todos.page(params[:page])
     if @todos.out_of_range? && @todos.total_pages != 0
-      redirect_to url_for(params.merge(page: @todos.total_pages))
+      redirect_to url_for(params.merge(page: @todos.total_pages, only_path: true))
     end
   end
 
diff --git a/app/controllers/explore/projects_controller.rb b/app/controllers/explore/projects_controller.rb
index 6167f9bd335..8f1870759e4 100644
--- a/app/controllers/explore/projects_controller.rb
+++ b/app/controllers/explore/projects_controller.rb
@@ -1,14 +1,12 @@
 class Explore::ProjectsController < Explore::ApplicationController
-  include FilterProjects
+  include ParamsBackwardCompatibility
+
+  before_action :set_non_archived_param
 
   def index
-    @projects = load_projects
-    @tags = @projects.tags_on(:tags)
-    @projects = @projects.tagged_with(params[:tag]) if params[:tag].present?
-    @projects = @projects.where(visibility_level: params[:visibility_level]) if params[:visibility_level].present?
-    @projects = filter_projects(@projects)
-    @projects = @projects.sort(@sort = params[:sort])
-    @projects = @projects.includes(:namespace).page(params[:page])
+    params[:sort] ||= 'latest_activity_desc'
+    @sort = params[:sort]
+    @projects = load_projects.page(params[:page])
 
     respond_to do |format|
       format.html
@@ -21,10 +19,9 @@ class Explore::ProjectsController < Explore::ApplicationController
   end
 
   def trending
-    @projects = load_projects(Project.trending)
-    @projects = filter_projects(@projects)
-    @projects = @projects.sort(@sort = params[:sort])
-    @projects = @projects.page(params[:page])
+    params[:trending] = true
+    @sort = params[:sort]
+    @projects = load_projects.page(params[:page])
 
     respond_to do |format|
       format.html
@@ -37,10 +34,7 @@ class Explore::ProjectsController < Explore::ApplicationController
   end
 
   def starred
-    @projects = load_projects
-    @projects = filter_projects(@projects)
-    @projects = @projects.reorder('star_count DESC')
-    @projects = @projects.page(params[:page])
+    @projects = load_projects.reorder('star_count DESC').page(params[:page])
 
     respond_to do |format|
       format.html
@@ -52,10 +46,10 @@ class Explore::ProjectsController < Explore::ApplicationController
     end
   end
 
-  protected
+  private
 
-  def load_projects(base_scope = nil)
-    base_scope ||= ProjectsFinder.new.execute(current_user)
-    base_scope.includes(:route, namespace: :route)
+  def load_projects
+    ProjectsFinder.new(current_user: current_user, params: params).
+      execute.includes(:route, namespace: :route)
   end
 end
diff --git a/app/controllers/groups/application_controller.rb b/app/controllers/groups/application_controller.rb
index c411c21bb80..29ffaeb19c1 100644
--- a/app/controllers/groups/application_controller.rb
+++ b/app/controllers/groups/application_controller.rb
@@ -10,6 +10,7 @@ class Groups::ApplicationController < ApplicationController
     unless @group
       id = params[:group_id] || params[:id]
       @group = Group.find_by_full_path(id)
+      @group_merge_requests = MergeRequestsFinder.new(current_user, group_id: @group.id).execute
 
       unless @group && can?(current_user, :read_group, @group)
         @group = nil
@@ -26,7 +27,7 @@ class Groups::ApplicationController < ApplicationController
   end
 
   def group_projects
-    @projects ||= GroupProjectsFinder.new(group).execute(current_user)
+    @projects ||= GroupProjectsFinder.new(group: group, current_user: current_user).execute
   end
 
   def authorize_admin_group!
diff --git a/app/controllers/groups/group_members_controller.rb b/app/controllers/groups/group_members_controller.rb
index 0cbf3eb58a3..00c50f9d0ad 100644
--- a/app/controllers/groups/group_members_controller.rb
+++ b/app/controllers/groups/group_members_controller.rb
@@ -14,6 +14,7 @@ class Groups::GroupMembersController < Groups::ApplicationController
     @members = @members.search(params[:search]) if params[:search].present?
     @members = @members.sort(@sort)
     @members = @members.page(params[:page]).per(50)
+    @members.includes(:user)
 
     @requesters = AccessRequestsFinder.new(@group).execute(current_user)
 
diff --git a/app/controllers/groups/labels_controller.rb b/app/controllers/groups/labels_controller.rb
index 587898a8634..facb25525b5 100644
--- a/app/controllers/groups/labels_controller.rb
+++ b/app/controllers/groups/labels_controller.rb
@@ -26,7 +26,7 @@ class Groups::LabelsController < Groups::ApplicationController
   end
 
   def create
-    @label = @group.labels.create(label_params)
+    @label = Labels::CreateService.new(label_params).execute(group: group)
 
     if @label.valid?
       redirect_to group_labels_path(@group)
@@ -40,7 +40,9 @@ class Groups::LabelsController < Groups::ApplicationController
   end
 
   def update
-    if @label.update_attributes(label_params)
+    @label = Labels::UpdateService.new(label_params).execute(@label)
+
+    if @label.valid?
       redirect_back_or_group_labels_path
     else
       render :edit
diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index 05f9ee1ee90..593001e6396 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -1,7 +1,7 @@
 class GroupsController < Groups::ApplicationController
-  include FilterProjects
   include IssuesAction
   include MergeRequestsAction
+  include ParamsBackwardCompatibility
 
   respond_to :html
 
@@ -105,15 +105,16 @@ class GroupsController < Groups::ApplicationController
   protected
 
   def setup_projects
+    set_non_archived_param
+    params[:sort] ||= 'latest_activity_desc'
+    @sort = params[:sort]
+
     options = {}
     options[:only_owned] = true if params[:shared] == '0'
     options[:only_shared] = true if params[:shared] == '1'
 
-    @projects = GroupProjectsFinder.new(group, options).execute(current_user)
+    @projects = GroupProjectsFinder.new(params: params, group: group, options: options, current_user: current_user).execute
     @projects = @projects.includes(:namespace)
-    @projects = @projects.sorted_by_activity
-    @projects = filter_projects(@projects)
-    @projects = @projects.sort(@sort = params[:sort])
     @projects = @projects.page(params[:page]) if params[:name].blank?
   end
 
@@ -150,7 +151,9 @@ class GroupsController < Groups::ApplicationController
       :visibility_level,
       :parent_id,
       :create_chat_team,
-      :chat_team_name
+      :chat_team_name,
+      :require_two_factor_authentication,
+      :two_factor_grace_period
     ]
   end
 
diff --git a/app/controllers/health_check_controller.rb b/app/controllers/health_check_controller.rb
index 037da7d2bce..5d3109b7187 100644
--- a/app/controllers/health_check_controller.rb
+++ b/app/controllers/health_check_controller.rb
@@ -1,22 +1,3 @@
 class HealthCheckController < HealthCheck::HealthCheckController
-  before_action :validate_health_check_access!
-
-  private
-
-  def validate_health_check_access!
-    render_404 unless token_valid?
-  end
-
-  def token_valid?
-    token = params[:token].presence || request.headers['TOKEN']
-    token.present? &&
-      ActiveSupport::SecurityUtils.variable_size_secure_compare(
-        token,
-        current_application_settings.health_check_access_token
-      )
-  end
-
-  def render_404
-    render file: Rails.root.join('public', '404'), layout: false, status: '404'
-  end
+  include RequiresHealthToken
 end
diff --git a/app/controllers/health_controller.rb b/app/controllers/health_controller.rb
new file mode 100644
index 00000000000..df0fc3132ed
--- /dev/null
+++ b/app/controllers/health_controller.rb
@@ -0,0 +1,60 @@
+class HealthController < ActionController::Base
+  protect_from_forgery with: :exception
+  include RequiresHealthToken
+
+  CHECKS = [
+    Gitlab::HealthChecks::DbCheck,
+    Gitlab::HealthChecks::RedisCheck,
+    Gitlab::HealthChecks::FsShardsCheck,
+  ].freeze
+
+  def readiness
+    results = CHECKS.map { |check| [check.name, check.readiness] }
+
+    render_check_results(results)
+  end
+
+  def liveness
+    results = CHECKS.map { |check| [check.name, check.liveness] }
+
+    render_check_results(results)
+  end
+
+  def metrics
+    results = CHECKS.flat_map(&:metrics)
+
+    response = results.map(&method(:metric_to_prom_line)).join("\n")
+
+    render text: response, content_type: 'text/plain; version=0.0.4'
+  end
+
+  private
+
+  def metric_to_prom_line(metric)
+    labels = metric.labels&.map { |key, value| "#{key}=\"#{value}\"" }&.join(',') || ''
+    if labels.empty?
+      "#{metric.name} #{metric.value}"
+    else
+      "#{metric.name}{#{labels}} #{metric.value}"
+    end
+  end
+
+  def render_check_results(results)
+    flattened = results.flat_map do |name, result|
+      if result.is_a?(Gitlab::HealthChecks::Result)
+        [[name, result]]
+      else
+        result.map { |r| [name, r] }
+      end
+    end
+    success = flattened.all? { |name, r| r.success }
+
+    response = flattened.map do |name, r|
+      info = { status: r.success ? 'ok' : 'failed' }
+      info['message'] = r.message if r.message
+      info[:labels] = r.labels if r.labels
+      [name, info]
+    end
+    render json: response.to_h, status: success ? :ok : :service_unavailable
+  end
+end
diff --git a/app/controllers/import/base_controller.rb b/app/controllers/import/base_controller.rb
index 256c41e6145..9de0297ecfd 100644
--- a/app/controllers/import/base_controller.rb
+++ b/app/controllers/import/base_controller.rb
@@ -1,17 +1,27 @@
 class Import::BaseController < ApplicationController
   private
 
-  def find_or_create_namespace(name, owner)
-    return current_user.namespace if name == owner
+  def find_or_create_namespace(names, owner)
+    return current_user.namespace if names == owner
     return current_user.namespace unless current_user.can_create_group?
 
-    begin
-      name = params[:target_namespace].presence || name
-      namespace = Group.create!(name: name, path: name, owner: current_user)
-      namespace.add_owner(current_user)
-      namespace
-    rescue ActiveRecord::RecordNotUnique, ActiveRecord::RecordInvalid
-      Namespace.find_by_path_or_name(name)
+    names = params[:target_namespace].presence || names
+    full_path_namespace = Namespace.find_by_full_path(names)
+
+    return full_path_namespace if full_path_namespace
+
+    names.split('/').inject(nil) do |parent, name|
+      begin
+        namespace = Group.create!(name: name,
+                                  path: name,
+                                  owner: current_user,
+                                  parent: parent)
+        namespace.add_owner(current_user)
+
+        namespace
+      rescue ActiveRecord::RecordNotUnique, ActiveRecord::RecordInvalid
+        Namespace.where(parent: parent).find_by_path_or_name(name)
+      end
     end
   end
 end
diff --git a/app/controllers/profiles/accounts_controller.rb b/app/controllers/profiles/accounts_controller.rb
index 69959fe3687..7d1aa8d1ce0 100644
--- a/app/controllers/profiles/accounts_controller.rb
+++ b/app/controllers/profiles/accounts_controller.rb
@@ -1,11 +1,22 @@
 class Profiles::AccountsController < Profiles::ApplicationController
+  include AuthHelper
+
   def show
     @user = current_user
   end
 
   def unlink
     provider = params[:provider]
-    current_user.identities.find_by(provider: provider).destroy unless provider.to_s == 'saml'
+    identity = current_user.identities.find_by(provider: provider)
+
+    return render_404 unless identity
+
+    if unlink_allowed?(provider)
+      identity.destroy
+    else
+      flash[:alert] = "You are not allowed to unlink your primary login account"
+    end
+
     redirect_to profile_account_path
   end
 end
diff --git a/app/controllers/profiles/two_factor_auths_controller.rb b/app/controllers/profiles/two_factor_auths_controller.rb
index 26e7e93533e..d3fa81cd623 100644
--- a/app/controllers/profiles/two_factor_auths_controller.rb
+++ b/app/controllers/profiles/two_factor_auths_controller.rb
@@ -1,5 +1,5 @@
 class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
-  skip_before_action :check_2fa_requirement
+  skip_before_action :check_two_factor_requirement
 
   def show
     unless current_user.otp_secret
@@ -13,11 +13,24 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
     current_user.save! if current_user.changed?
 
     if two_factor_authentication_required? && !current_user.two_factor_enabled?
-      if two_factor_grace_period_expired?
-        flash.now[:alert] = 'You must enable Two-Factor Authentication for your account.'
-      else
+      two_factor_authentication_reason(
+        global: lambda do
+          flash.now[:alert] =
+            'The global settings require you to enable Two-Factor Authentication for your account.'
+        end,
+        group: lambda do |groups|
+          group_links = groups.map { |group| view_context.link_to group.full_name, group_path(group) }.to_sentence
+
+          flash.now[:alert] = %{
+            The group settings for #{group_links} require you to enable
+            Two-Factor Authentication for your account.
+          }.html_safe
+        end
+      )
+
+      unless two_factor_grace_period_expired?
         grace_period_deadline = current_user.otp_grace_period_started_at + two_factor_grace_period.hours
-        flash.now[:alert] = "You must enable Two-Factor Authentication for your account before #{l(grace_period_deadline)}."
+        flash.now[:alert] << " You need to do this before #{l(grace_period_deadline)}."
       end
     end
 
@@ -71,7 +84,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
     if two_factor_grace_period_expired?
       redirect_to new_profile_two_factor_auth_path, alert: 'Cannot skip two factor authentication setup'
     else
-      session[:skip_tfa] = current_user.otp_grace_period_started_at + two_factor_grace_period.hours
+      session[:skip_two_factor] = current_user.otp_grace_period_started_at + two_factor_grace_period.hours
       redirect_to root_path
     end
   end
diff --git a/app/controllers/projects/application_controller.rb b/app/controllers/projects/application_controller.rb
index f1a93ccb3ad..e2f81b09adc 100644
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
@@ -89,9 +89,4 @@ class Projects::ApplicationController < ApplicationController
   def builds_enabled
     return render_404 unless @project.feature_available?(:builds, current_user)
   end
-
-  def update_ref
-    branch_exists = @repository.find_branch(@target_branch)
-    @ref = @target_branch if branch_exists
-  end
 end
diff --git a/app/controllers/projects/blob_controller.rb b/app/controllers/projects/blob_controller.rb
index 80a95c6158b..9fce1db6742 100644
--- a/app/controllers/projects/blob_controller.rb
+++ b/app/controllers/projects/blob_controller.rb
@@ -7,9 +7,11 @@ class Projects::BlobController < Projects::ApplicationController
   # Raised when given an invalid file path
   InvalidPathError = Class.new(StandardError)
 
+  prepend_before_action :authenticate_user!, only: [:edit]
+
   before_action :require_non_empty_project, except: [:new, :create]
   before_action :authorize_download_code!
-  before_action :authorize_edit_tree!, only: [:new, :create, :edit, :update, :destroy]
+  before_action :authorize_edit_tree!, only: [:new, :create, :update, :destroy]
   before_action :assign_blob_vars
   before_action :commit, except: [:new, :create]
   before_action :blob, except: [:new, :create]
@@ -23,10 +25,10 @@ class Projects::BlobController < Projects::ApplicationController
   end
 
   def create
-    update_ref
+    set_start_branch_to_branch_name
 
     create_commit(Files::CreateService, success_notice: "The file has been successfully created.",
-                                        success_path: -> { namespace_project_blob_path(@project.namespace, @project, File.join(@target_branch, @file_path)) },
+                                        success_path: -> { namespace_project_blob_path(@project.namespace, @project, File.join(@branch_name, @file_path)) },
                                         failure_view: :new,
                                         failure_path: namespace_project_new_blob_path(@project.namespace, @project, @ref))
   end
@@ -37,7 +39,11 @@ class Projects::BlobController < Projects::ApplicationController
   end
 
   def edit
-    blob.load_all_data!(@repository)
+    if can_collaborate_with_project?
+      blob.load_all_data!(@repository)
+    else
+      redirect_to action: 'show'
+    end
   end
 
   def update
@@ -63,10 +69,10 @@ class Projects::BlobController < Projects::ApplicationController
   end
 
   def destroy
-    create_commit(Files::DestroyService, success_notice: "The file has been successfully deleted.",
-                                         success_path: -> { namespace_project_tree_path(@project.namespace, @project, @target_branch) },
-                                         failure_view: :show,
-                                         failure_path: namespace_project_blob_path(@project.namespace, @project, @id))
+    create_commit(Files::DeleteService, success_notice: "The file has been successfully deleted.",
+                                        success_path: -> { namespace_project_tree_path(@project.namespace, @project, @branch_name) },
+                                        failure_view: :show,
+                                        failure_path: namespace_project_blob_path(@project.namespace, @project, @id))
   end
 
   def diff
@@ -121,16 +127,16 @@ class Projects::BlobController < Projects::ApplicationController
 
   def after_edit_path
     from_merge_request = MergeRequestsFinder.new(current_user, project_id: @project.id).execute.find_by(iid: params[:from_merge_request_iid])
-    if from_merge_request && @target_branch == @ref
+    if from_merge_request && @branch_name == @ref
       diffs_namespace_project_merge_request_path(from_merge_request.target_project.namespace, from_merge_request.target_project, from_merge_request) +
         "##{hexdigest(@path)}"
     else
-      namespace_project_blob_path(@project.namespace, @project, File.join(@target_branch, @path))
+      namespace_project_blob_path(@project.namespace, @project, File.join(@branch_name, @path))
     end
   end
 
   def editor_variables
-    @target_branch = params[:target_branch]
+    @branch_name = params[:branch_name]
 
     @file_path =
       if action_name.to_s == 'create'
diff --git a/app/controllers/projects/builds_controller.rb b/app/controllers/projects/builds_controller.rb
index 3f3c90a49ab..04e8cdf6256 100644
--- a/app/controllers/projects/builds_controller.rb
+++ b/app/controllers/projects/builds_controller.rb
@@ -19,6 +19,11 @@ class Projects::BuildsController < Projects::ApplicationController
       else
         @builds
       end
+    @builds = @builds.includes([
+      { pipeline: :project },
+      :project,
+      :tags
+    ])
     @builds = @builds.page(params[:page]).per(30)
   end
 
@@ -31,25 +36,25 @@ class Projects::BuildsController < Projects::ApplicationController
     @builds = @project.pipelines.find_by_sha(@build.sha).builds.order('id DESC')
     @builds = @builds.where("id not in (?)", @build.id)
     @pipeline = @build.pipeline
-
-    respond_to do |format|
-      format.html
-      format.json do
-        render json: {
-          id: @build.id,
-          status: @build.status,
-          trace_html: @build.trace_html
-        }
-      end
-    end
   end
 
   def trace
-    respond_to do |format|
-      format.json do
-        state = params[:state].presence
-        render json: @build.trace_with_state(state: state).
-          merge!(id: @build.id, status: @build.status)
+    build.trace.read do |stream|
+      respond_to do |format|
+        format.json do
+          result = {
+            id: @build.id, status: @build.status, complete: @build.complete?
+          }
+
+          if stream.valid?
+            stream.limit
+            state = params[:state].presence
+            trace = stream.html_with_state(state)
+            result.merge!(trace.to_h)
+          end
+
+          render json: result
+        end
       end
     end
   end
@@ -86,10 +91,12 @@ class Projects::BuildsController < Projects::ApplicationController
   end
 
   def raw
-    if @build.has_trace_file?
-      send_file @build.trace_file_path, type: 'text/plain; charset=utf-8', disposition: 'inline'
-    else
-      render_404
+    build.trace.read do |stream|
+      if stream.file?
+        send_file stream.path, type: 'text/plain; charset=utf-8', disposition: 'inline'
+      else
+        render_404
+      end
     end
   end
 
diff --git a/app/controllers/projects/commit_controller.rb b/app/controllers/projects/commit_controller.rb
index cc67f688d51..2b5f0383ac1 100644
--- a/app/controllers/projects/commit_controller.rb
+++ b/app/controllers/projects/commit_controller.rb
@@ -2,6 +2,7 @@
 #
 # Not to be confused with CommitsController, plural.
 class Projects::CommitController < Projects::ApplicationController
+  include RendersNotes
   include CreatesCommit
   include DiffForPath
   include DiffHelper
@@ -35,6 +36,8 @@ class Projects::CommitController < Projects::ApplicationController
     respond_to do |format|
       format.html
       format.json do
+        Gitlab::PollingInterval.set_header(response, interval: 10_000)
+
         render json: PipelineSerializer
           .new(project: @project, user: @current_user)
           .represent(@pipelines)
@@ -53,9 +56,7 @@ class Projects::CommitController < Projects::ApplicationController
 
     return render_404 if @start_branch.blank?
 
-    @target_branch = create_new_branch? ? @commit.revert_branch_name : @start_branch
-
-    @mr_target_branch = @start_branch
+    @branch_name = create_new_branch? ? @commit.revert_branch_name : @start_branch
 
     create_commit(Commits::RevertService, success_notice: "The #{@commit.change_type_title(current_user)} has been successfully reverted.",
                                           success_path: -> { successful_change_path }, failure_path: failed_change_path)
@@ -66,9 +67,7 @@ class Projects::CommitController < Projects::ApplicationController
 
     return render_404 if @start_branch.blank?
 
-    @target_branch = create_new_branch? ? @commit.cherry_pick_branch_name : @start_branch
-
-    @mr_target_branch = @start_branch
+    @branch_name = create_new_branch? ? @commit.cherry_pick_branch_name : @start_branch
 
     create_commit(Commits::CherryPickService, success_notice: "The #{@commit.change_type_title(current_user)} has been successfully cherry-picked.",
                                               success_path: -> { successful_change_path }, failure_path: failed_change_path)
@@ -81,7 +80,7 @@ class Projects::CommitController < Projects::ApplicationController
   end
 
   def successful_change_path
-    referenced_merge_request_url || namespace_project_commits_url(@project.namespace, @project, @target_branch)
+    referenced_merge_request_url || namespace_project_commits_url(@project.namespace, @project, @branch_name)
   end
 
   def failed_change_path
@@ -111,22 +110,19 @@ class Projects::CommitController < Projects::ApplicationController
   end
 
   def define_note_vars
-    @grouped_diff_discussions = commit.notes.grouped_diff_discussions
-    @notes = commit.notes.non_diff_notes.fresh
-
-    Banzai::NoteRenderer.render(
-      @grouped_diff_discussions.values.flat_map(&:notes) + @notes,
-      @project,
-      current_user,
-    )
-
+    @noteable = @commit
     @note = @project.build_commit_note(commit)
 
-    @noteable = @commit
-    @comments_target = {
+    @new_diff_note_attrs = {
       noteable_type: 'Commit',
       commit_id: @commit.id
     }
+
+    @grouped_diff_discussions = commit.grouped_diff_discussions
+    @discussions = commit.discussions
+
+    @notes = (@grouped_diff_discussions.values.flatten + @discussions).flat_map(&:notes)
+    @notes = prepare_notes_for_rendering(@notes)
   end
 
   def assign_change_commit_vars
diff --git a/app/controllers/projects/compare_controller.rb b/app/controllers/projects/compare_controller.rb
index c6651254d70..008d2f5815f 100644
--- a/app/controllers/projects/compare_controller.rb
+++ b/app/controllers/projects/compare_controller.rb
@@ -61,7 +61,6 @@ class Projects::CompareController < Projects::ApplicationController
       @environment = EnvironmentsFinder.new(@project, current_user, environment_params).execute.last
 
       @diff_notes_disabled = true
-      @grouped_diff_discussions = {}
     end
   end
 
diff --git a/app/controllers/projects/container_registry_controller.rb b/app/controllers/projects/container_registry_controller.rb
deleted file mode 100644
index d1f46497207..00000000000
--- a/app/controllers/projects/container_registry_controller.rb
+++ /dev/null
@@ -1,34 +0,0 @@
-class Projects::ContainerRegistryController < Projects::ApplicationController
-  before_action :verify_registry_enabled
-  before_action :authorize_read_container_image!
-  before_action :authorize_update_container_image!, only: [:destroy]
-  layout 'project'
-
-  def index
-    @tags = container_registry_repository.tags
-  end
-
-  def destroy
-    url = namespace_project_container_registry_index_path(project.namespace, project)
-
-    if tag.delete
-      redirect_to url
-    else
-      redirect_to url, alert: 'Failed to remove tag'
-    end
-  end
-
-  private
-
-  def verify_registry_enabled
-    render_404 unless Gitlab.config.registry.enabled
-  end
-
-  def container_registry_repository
-    @container_registry_repository ||= project.container_registry_repository
-  end
-
-  def tag
-    @tag ||= container_registry_repository.tag(params[:id])
-  end
-end
diff --git a/app/controllers/projects/discussions_controller.rb b/app/controllers/projects/discussions_controller.rb
index 1349b015a63..f4a18a5e8f7 100644
--- a/app/controllers/projects/discussions_controller.rb
+++ b/app/controllers/projects/discussions_controller.rb
@@ -28,7 +28,7 @@ class Projects::DiscussionsController < Projects::ApplicationController
   end
 
   def discussion
-    @discussion ||= @merge_request.find_diff_discussion(params[:id]) || render_404
+    @discussion ||= @merge_request.find_discussion(params[:id]) || render_404
   end
 
   def authorize_resolve_discussion!
diff --git a/app/controllers/projects/forks_controller.rb b/app/controllers/projects/forks_controller.rb
index ba46e2528e6..1eb3800e49d 100644
--- a/app/controllers/projects/forks_controller.rb
+++ b/app/controllers/projects/forks_controller.rb
@@ -9,7 +9,7 @@ class Projects::ForksController < Projects::ApplicationController
   def index
     base_query = project.forks.includes(:creator)
 
-    @forks               = base_query.merge(ProjectsFinder.new.execute(current_user))
+    @forks               = base_query.merge(ProjectsFinder.new(current_user: current_user).execute)
     @total_forks_count   = base_query.size
     @private_forks_count = @total_forks_count - @forks.size
     @public_forks_count  = @total_forks_count - @private_forks_count
diff --git a/app/controllers/projects/git_http_controller.rb b/app/controllers/projects/git_http_controller.rb
index 278098fcc58..10adddb4636 100644
--- a/app/controllers/projects/git_http_controller.rb
+++ b/app/controllers/projects/git_http_controller.rb
@@ -5,6 +5,8 @@ class Projects::GitHttpController < Projects::GitHttpClientController
   # GET /foo/bar.git/info/refs?service=git-receive-pack (git push)
   def info_refs
     if upload_pack? && upload_pack_allowed?
+      log_user_activity
+
       render_ok
     elsif receive_pack? && receive_pack_allowed?
       render_ok
@@ -57,7 +59,7 @@ class Projects::GitHttpController < Projects::GitHttpClientController
 
   def render_ok
     set_workhorse_internal_api_content_type
-    render json: Gitlab::Workhorse.git_http_ok(repository, user)
+    render json: Gitlab::Workhorse.git_http_ok(repository, user, action_name)
   end
 
   def render_http_not_allowed
@@ -106,4 +108,8 @@ class Projects::GitHttpController < Projects::GitHttpClientController
   def access_klass
     @access_klass ||= wiki? ? Gitlab::GitAccessWiki : Gitlab::GitAccess
   end
+
+  def log_user_activity
+    Users::ActivityService.new(user, 'pull').execute
+  end
 end
diff --git a/app/controllers/projects/hooks_controller.rb b/app/controllers/projects/hooks_controller.rb
index b668a9331e7..1e41f980f31 100644
--- a/app/controllers/projects/hooks_controller.rb
+++ b/app/controllers/projects/hooks_controller.rb
@@ -10,7 +10,7 @@ class Projects::HooksController < Projects::ApplicationController
     @hook = @project.hooks.new(hook_params)
     @hook.save
 
-    unless @hook.valid?      
+    unless @hook.valid?
       @hooks = @project.hooks.select(&:persisted?)
       flash[:alert] = @hook.errors.full_messages.join.html_safe
     end
@@ -49,7 +49,7 @@ class Projects::HooksController < Projects::ApplicationController
 
   def hook_params
     params.require(:hook).permit(
-      :build_events,
+      :job_events,
       :pipeline_events,
       :enable_ssl_verification,
       :issues_events,
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index d984e6d3918..cbf67137261 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -1,5 +1,5 @@
 class Projects::IssuesController < Projects::ApplicationController
-  include NotesHelper
+  include RendersNotes
   include ToggleSubscriptionAction
   include IssuableActions
   include ToggleAwardEmoji
@@ -11,10 +11,10 @@ class Projects::IssuesController < Projects::ApplicationController
   before_action :redirect_to_external_issue_tracker, only: [:index, :new]
   before_action :module_enabled
   before_action :issue, only: [:edit, :update, :show, :referenced_merge_requests,
-                               :related_branches, :can_create_branch]
+                               :related_branches, :can_create_branch, :rendered_title]
 
   # Allow read any issue
-  before_action :authorize_read_issue!, only: [:show]
+  before_action :authorize_read_issue!, only: [:show, :rendered_title]
 
   # Allow write(create) issue
   before_action :authorize_create_issue!, only: [:new, :create]
@@ -31,7 +31,7 @@ class Projects::IssuesController < Projects::ApplicationController
     @issuable_meta_data = issuable_meta_data(@issues, @collection_type)
 
     if @issues.out_of_range? && @issues.total_pages != 0
-      return redirect_to url_for(params.merge(page: @issues.total_pages))
+      return redirect_to url_for(params.merge(page: @issues.total_pages, only_path: true))
     end
 
     if params[:label_name].present?
@@ -84,15 +84,11 @@ class Projects::IssuesController < Projects::ApplicationController
   end
 
   def show
-    raw_notes = @issue.notes.inc_relations_for_view.fresh
-
-    @notes = Banzai::NoteRenderer.
-      render(raw_notes, @project, current_user, @path, @project_wiki, @ref)
-
-    @note     = @project.notes.new(noteable: @issue)
     @noteable = @issue
+    @note     = @project.notes.new(noteable: @issue)
 
-    preload_max_access_for_authors(@notes, @project)
+    @discussions = @issue.discussions
+    @notes = prepare_notes_for_rendering(@discussions.flat_map(&:notes))
 
     respond_to do |format|
       format.html
@@ -200,6 +196,11 @@ class Projects::IssuesController < Projects::ApplicationController
     end
   end
 
+  def rendered_title
+    Gitlab::PollingInterval.set_header(response, interval: 3_000)
+    render json: { title: view_context.markdown_field(@issue, :title) }
+  end
+
   protected
 
   def issue
diff --git a/app/controllers/projects/labels_controller.rb b/app/controllers/projects/labels_controller.rb
index 1593b5c1afb..2f55ba4e700 100644
--- a/app/controllers/projects/labels_controller.rb
+++ b/app/controllers/projects/labels_controller.rb
@@ -29,7 +29,7 @@ class Projects::LabelsController < Projects::ApplicationController
   end
 
   def create
-    @label = @project.labels.create(label_params)
+    @label = Labels::CreateService.new(label_params).execute(project: @project)
 
     if @label.valid?
       respond_to do |format|
@@ -48,7 +48,9 @@ class Projects::LabelsController < Projects::ApplicationController
   end
 
   def update
-    if @label.update_attributes(label_params)
+    @label = Labels::UpdateService.new(label_params).execute(@label)
+
+    if @label.valid?
       redirect_to namespace_project_labels_path(@project.namespace, @project)
     else
       render :edit
diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb
index 9621b30b251..09dc8b38229 100755
--- a/app/controllers/projects/merge_requests_controller.rb
+++ b/app/controllers/projects/merge_requests_controller.rb
@@ -3,7 +3,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController
   include DiffForPath
   include DiffHelper
   include IssuableActions
-  include NotesHelper
+  include RendersNotes
   include ToggleAwardEmoji
   include IssuableCollections
 
@@ -16,7 +16,6 @@ class Projects::MergeRequestsController < Projects::ApplicationController
   before_action :define_show_vars, only: [:show, :diffs, :commits, :conflicts, :conflict_for_path, :builds, :pipelines]
   before_action :define_widget_vars, only: [:merge, :cancel_merge_when_pipeline_succeeds, :merge_check]
   before_action :define_commit_vars, only: [:diffs]
-  before_action :define_diff_comment_vars, only: [:diffs]
   before_action :ensure_ref_fetched, only: [:show, :diffs, :commits, :builds, :conflicts, :conflict_for_path, :pipelines]
   before_action :close_merge_request_without_source_project, only: [:show, :diffs, :commits, :builds, :pipelines]
   before_action :apply_diff_view_cookie!, only: [:new_diffs]
@@ -39,10 +38,11 @@ class Projects::MergeRequestsController < Projects::ApplicationController
     @collection_type    = "MergeRequest"
     @merge_requests     = merge_requests_collection
     @merge_requests     = @merge_requests.page(params[:page])
+    @merge_requests     = @merge_requests.preload(merge_request_diff: :merge_request)
     @issuable_meta_data = issuable_meta_data(@merge_requests, @collection_type)
 
     if @merge_requests.out_of_range? && @merge_requests.total_pages != 0
-      return redirect_to url_for(params.merge(page: @merge_requests.total_pages))
+      return redirect_to url_for(params.merge(page: @merge_requests.total_pages, only_path: true))
     end
 
     if params[:label_name].present?
@@ -100,34 +100,11 @@ class Projects::MergeRequestsController < Projects::ApplicationController
     respond_to do |format|
       format.html { define_discussion_vars }
       format.json do
-        @merge_request_diff =
-          if params[:diff_id]
-            @merge_request.merge_request_diffs.viewable.find(params[:diff_id])
-          else
-            @merge_request.merge_request_diff
-          end
-
-        @merge_request_diffs = @merge_request.merge_request_diffs.viewable.select_without_diff
-        @comparable_diffs = @merge_request_diffs.select { |diff| diff.id < @merge_request_diff.id }
-
-        if params[:start_sha].present?
-          @start_sha = params[:start_sha]
-          @start_version = @comparable_diffs.find { |diff| diff.head_commit_sha == @start_sha }
-
-          unless @start_version
-            @start_sha = @merge_request_diff.head_commit_sha
-            @start_version = @merge_request_diff
-          end
-        end
+        define_diff_vars
+        define_diff_comment_vars
 
         @environment = @merge_request.environments_for(current_user).last
 
-        if @start_sha
-          compared_diff_version
-        else
-          original_diff_version
-        end
-
         render json: { html: view_to_html_string("projects/merge_requests/show/_diffs") }
       end
     end
@@ -139,16 +116,17 @@ class Projects::MergeRequestsController < Projects::ApplicationController
   def diff_for_path
     if params[:id]
       merge_request
+      define_diff_vars
       define_diff_comment_vars
     else
       build_merge_request
+      @diffs = @merge_request.diffs(diff_options)
       @diff_notes_disabled = true
-      @grouped_diff_discussions = {}
     end
 
     define_commit_vars
 
-    render_diff_for_path(@merge_request.diffs(diff_options))
+    render_diff_for_path(@diffs)
   end
 
   def commits
@@ -232,6 +210,8 @@ class Projects::MergeRequestsController < Projects::ApplicationController
       end
 
       format.json do
+        Gitlab::PollingInterval.set_header(response, interval: 10_000)
+
         render json: PipelineSerializer
           .new(project: @project, user: @current_user)
           .represent(@pipelines)
@@ -245,6 +225,8 @@ class Projects::MergeRequestsController < Projects::ApplicationController
       format.json do
         define_pipelines_vars
 
+        Gitlab::PollingInterval.set_header(response, interval: 10_000)
+
         render json: {
           pipelines: PipelineSerializer
           .new(project: @project, user: @current_user)
@@ -451,7 +433,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController
 
     if pipeline
       status = pipeline.status
-      coverage = pipeline.try(:coverage)
+      coverage = pipeline.coverage
 
       status = "success_with_warnings" if pipeline.success? && pipeline.has_warnings?
 
@@ -569,20 +551,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController
     @note = @project.notes.new(noteable: @merge_request)
 
     @discussions = @merge_request.discussions
-
-    preload_noteable_for_regular_notes(@discussions.flat_map(&:notes))
-
-    # This is not executed lazily
-    @notes = Banzai::NoteRenderer.render(
-      @discussions.flat_map(&:notes),
-      @project,
-      current_user,
-      @path,
-      @project_wiki,
-      @ref
-    )
-
-    preload_max_access_for_authors(@notes, @project)
+    @notes = prepare_notes_for_rendering(@discussions.flat_map(&:notes))
   end
 
   def define_widget_vars
@@ -594,23 +563,47 @@ class Projects::MergeRequestsController < Projects::ApplicationController
     @base_commit = @merge_request.diff_base_commit || @merge_request.likely_diff_base_commit
   end
 
+  def define_diff_vars
+    @merge_request_diff =
+      if params[:diff_id]
+        @merge_request.merge_request_diffs.viewable.find(params[:diff_id])
+      else
+        @merge_request.merge_request_diff
+      end
+
+    @merge_request_diffs = @merge_request.merge_request_diffs.viewable.select_without_diff
+    @comparable_diffs = @merge_request_diffs.select { |diff| diff.id < @merge_request_diff.id }
+
+    if params[:start_sha].present?
+      @start_sha = params[:start_sha]
+      @start_version = @comparable_diffs.find { |diff| diff.head_commit_sha == @start_sha }
+
+      unless @start_version
+        @start_sha = @merge_request_diff.head_commit_sha
+        @start_version = @merge_request_diff
+      end
+    end
+
+    @diffs =
+      if @start_sha
+        @merge_request_diff.compare_with(@start_sha).diffs(diff_options)
+      else
+        @merge_request_diff.diffs(diff_options)
+      end
+  end
+
   def define_diff_comment_vars
-    @comments_target = {
+    @new_diff_note_attrs = {
       noteable_type: 'MergeRequest',
       noteable_id: @merge_request.id
     }
 
+    @diff_notes_disabled = !@merge_request_diff.latest? || @start_sha
+
     @use_legacy_diff_notes = !@merge_request.has_complete_diff_refs?
-    @grouped_diff_discussions = @merge_request.notes.inc_relations_for_view.grouped_diff_discussions
 
-    Banzai::NoteRenderer.render(
-      @grouped_diff_discussions.values.flat_map(&:notes),
-      @project,
-      current_user,
-      @path,
-      @project_wiki,
-      @ref
-    )
+    @grouped_diff_discussions = @merge_request.grouped_diff_discussions(@merge_request_diff.diff_refs)
+    @notes = prepare_notes_for_rendering(@grouped_diff_discussions.values.flatten.flat_map(&:notes))
   end
 
   def define_pipelines_vars
@@ -693,16 +686,6 @@ class Projects::MergeRequestsController < Projects::ApplicationController
     @merge_request = MergeRequests::BuildService.new(project, current_user, merge_request_params.merge(diff_options: diff_options)).execute
   end
 
-  def compared_diff_version
-    @diff_notes_disabled = true
-    @diffs = @merge_request_diff.compare_with(@start_sha).diffs(diff_options)
-  end
-
-  def original_diff_version
-    @diff_notes_disabled = !@merge_request_diff.latest?
-    @diffs = @merge_request_diff.diffs(diff_options)
-  end
-
   def close_merge_request_without_source_project
     if !@merge_request.source_project && @merge_request.open?
       @merge_request.close
diff --git a/app/controllers/projects/milestones_controller.rb b/app/controllers/projects/milestones_controller.rb
index 5922e686cd0..408c0c60cb0 100644
--- a/app/controllers/projects/milestones_controller.rb
+++ b/app/controllers/projects/milestones_controller.rb
@@ -21,9 +21,9 @@ class Projects::MilestonesController < Projects::ApplicationController
     @sort = params[:sort] || 'due_date_asc'
     @milestones = @milestones.sort(@sort)
 
-    @milestones = @milestones.includes(:project)
     respond_to do |format|
       format.html do
+        @milestones = @milestones.includes(:project)
         @milestones = @milestones.page(params[:page])
       end
       format.json do
diff --git a/app/controllers/projects/notes_controller.rb b/app/controllers/projects/notes_controller.rb
index d00177e7612..405ea3c0a4f 100644
--- a/app/controllers/projects/notes_controller.rb
+++ b/app/controllers/projects/notes_controller.rb
@@ -1,4 +1,5 @@
 class Projects::NotesController < Projects::ApplicationController
+  include RendersNotes
   include ToggleAwardEmoji
 
   # Authorize
@@ -6,13 +7,15 @@ class Projects::NotesController < Projects::ApplicationController
   before_action :authorize_create_note!, only: [:create]
   before_action :authorize_admin_note!, only: [:update, :destroy]
   before_action :authorize_resolve_note!, only: [:resolve, :unresolve]
-  before_action :find_current_user_notes, only: [:index]
 
   def index
     current_fetched_at = Time.now.to_i
 
     notes_json = { notes: [], last_fetched_at: current_fetched_at }
 
+    @notes = notes_finder.execute.inc_relations_for_view
+    @notes = prepare_notes_for_rendering(@notes)
+
     @notes.each do |note|
       next if note.cross_reference_not_visible_for?(current_user)
 
@@ -23,7 +26,10 @@ class Projects::NotesController < Projects::ApplicationController
   end
 
   def create
-    create_params = note_params.merge(merge_request_diff_head_sha: params[:merge_request_diff_head_sha])
+    create_params = note_params.merge(
+      merge_request_diff_head_sha: params[:merge_request_diff_head_sha],
+      in_reply_to_discussion_id: params[:in_reply_to_discussion_id]
+    )
     @note = Notes::CreateService.new(project, current_user, create_params).execute
 
     if @note.is_a?(Note)
@@ -111,6 +117,17 @@ class Projects::NotesController < Projects::ApplicationController
     )
   end
 
+  def discussion_html(discussion)
+    return if discussion.individual_note?
+
+    render_to_string(
+      "discussions/_discussion",
+      layout: false,
+      formats: [:html],
+      locals: { discussion: discussion }
+    )
+  end
+
   def diff_discussion_html(discussion)
     return unless discussion.diff_discussion?
 
@@ -118,13 +135,13 @@ class Projects::NotesController < Projects::ApplicationController
       template = "discussions/_parallel_diff_discussion"
       locals =
         if params[:line_type] == 'old'
-          { discussion_left: discussion, discussion_right: nil }
+          { discussions_left: [discussion], discussions_right: nil }
         else
-          { discussion_left: nil, discussion_right: discussion }
+          { discussions_left: nil, discussions_right: [discussion] }
         end
     else
       template = "discussions/_diff_discussion"
-      locals = { discussion: discussion }
+      locals = { discussions: [discussion] }
     end
 
     render_to_string(
@@ -135,54 +152,28 @@ class Projects::NotesController < Projects::ApplicationController
     )
   end
 
-  def discussion_html(discussion)
-    return unless discussion.diff_discussion?
-
-    render_to_string(
-      "discussions/_discussion",
-      layout: false,
-      formats: [:html],
-      locals: { discussion: discussion }
-    )
-  end
-
   def note_json(note)
     attrs = {
-      id: note.id
+      commands_changes: note.commands_changes
     }
 
     if note.persisted?
-      Banzai::NoteRenderer.render([note], @project, current_user)
-
       attrs.merge!(
         valid: true,
-        discussion_id: note.discussion_id,
+        id: note.id,
+        discussion_id: note.discussion_id(noteable),
         html: note_html(note),
         note: note.note
       )
 
-      if note.diff_note?
-        discussion = note.to_discussion
-
+      discussion = note.to_discussion(noteable)
+      unless discussion.individual_note?
         attrs.merge!(
+          discussion_resolvable: discussion.resolvable?,
+
           diff_discussion_html: diff_discussion_html(discussion),
           discussion_html: discussion_html(discussion)
         )
-
-        # The discussion_id is used to add the comment to the correct discussion
-        # element on the merge request page. Among other things, the discussion_id
-        # contains the sha of head commit of the merge request.
-        # When new commits are pushed into the merge request after the initial
-        # load of the merge request page, the discussion elements will still have
-        # the old discussion_ids, with the old head commit sha. The new comment,
-        # however, will have the new discussion_id with the new commit sha.
-        # To ensure that these new comments will still end up in the correct
-        # discussion element, we also send the original discussion_id, with the
-        # old commit sha, along, and fall back on this value when no discussion
-        # element with the new discussion_id could be found.
-        if note.new_diff_note? && note.position != note.original_position
-          attrs[:original_discussion_id] = note.original_discussion_id
-        end
       end
     else
       attrs.merge!(
@@ -191,7 +182,6 @@ class Projects::NotesController < Projects::ApplicationController
       )
     end
 
-    attrs[:commands_changes] = note.commands_changes
     attrs
   end
 
@@ -205,14 +195,30 @@ class Projects::NotesController < Projects::ApplicationController
 
   def note_params
     params.require(:note).permit(
-      :note, :noteable, :noteable_id, :noteable_type, :project_id,
-      :attachment, :line_code, :commit_id, :type, :position
+      :project_id,
+      :noteable_type,
+      :noteable_id,
+      :commit_id,
+      :noteable,
+      :type,
+
+      :note,
+      :attachment,
+
+      # LegacyDiffNote
+      :line_code,
+
+      # DiffNote
+      :position
     )
   end
 
-  def find_current_user_notes
-    @notes = NotesFinder.new(project, current_user, params.merge(last_fetched_at: last_fetched_at))
-      .execute.inc_author
+  def notes_finder
+    @notes_finder ||= NotesFinder.new(project, current_user, params.merge(last_fetched_at: last_fetched_at))
+  end
+
+  def noteable
+    @noteable ||= notes_finder.target
   end
 
   def last_fetched_at
diff --git a/app/controllers/projects/pipelines_controller.rb b/app/controllers/projects/pipelines_controller.rb
index 43a1abaa662..1780cc0233c 100644
--- a/app/controllers/projects/pipelines_controller.rb
+++ b/app/controllers/projects/pipelines_controller.rb
@@ -29,6 +29,8 @@ class Projects::PipelinesController < Projects::ApplicationController
     respond_to do |format|
       format.html
       format.json do
+        Gitlab::PollingInterval.set_header(response, interval: 10_000)
+
         render json: {
           pipelines: PipelineSerializer
             .new(project: @project, user: @current_user)
@@ -114,7 +116,7 @@ class Projects::PipelinesController < Projects::ApplicationController
   end
 
   def pipeline
-    @pipeline ||= project.pipelines.find_by!(id: params[:id])
+    @pipeline ||= project.pipelines.find_by!(id: params[:id]).present(current_user: current_user)
   end
 
   def commit
diff --git a/app/controllers/projects/pipelines_settings_controller.rb b/app/controllers/projects/pipelines_settings_controller.rb
index c8c80551ac9..ff50602831c 100644
--- a/app/controllers/projects/pipelines_settings_controller.rb
+++ b/app/controllers/projects/pipelines_settings_controller.rb
@@ -23,7 +23,7 @@ class Projects::PipelinesSettingsController < Projects::ApplicationController
   def update_params
     params.require(:project).permit(
       :runners_token, :builds_enabled, :build_allow_git_fetch, :build_timeout_in_minutes, :build_coverage_regex,
-      :public_builds
+      :public_builds, :auto_cancel_pending_pipelines
     )
   end
 end
diff --git a/app/controllers/projects/protected_branches_controller.rb b/app/controllers/projects/protected_branches_controller.rb
index a8cb07eb67a..ba24fa9acfe 100644
--- a/app/controllers/projects/protected_branches_controller.rb
+++ b/app/controllers/projects/protected_branches_controller.rb
@@ -1,58 +1,23 @@
-class Projects::ProtectedBranchesController < Projects::ApplicationController
-  include RepositorySettingsRedirect
-  # Authorize
-  before_action :require_non_empty_project
-  before_action :authorize_admin_project!
-  before_action :load_protected_branch, only: [:show, :update, :destroy]
+class Projects::ProtectedBranchesController < Projects::ProtectedRefsController
+  protected
 
-  layout "project_settings"
-
-  def index
-    redirect_to_repository_settings(@project)
-  end
-
-  def create
-    @protected_branch = ::ProtectedBranches::CreateService.new(@project, current_user, protected_branch_params).execute
-    unless @protected_branch.persisted?
-      flash[:alert] = @protected_branches.errors.full_messages.join(', ').html_safe
-    end
-    redirect_to_repository_settings(@project)
-  end
-
-  def show
-    @matching_branches = @protected_branch.matching(@project.repository.branches)
+  def project_refs
+    @project.repository.branches
   end
 
-  def update
-    @protected_branch = ::ProtectedBranches::UpdateService.new(@project, current_user, protected_branch_params).execute(@protected_branch)
-
-    if @protected_branch.valid?
-      respond_to do |format|
-        format.json { render json: @protected_branch, status: :ok }
-      end
-    else
-      respond_to do |format|
-        format.json { render json: @protected_branch.errors, status: :unprocessable_entity }
-      end
-    end
+  def create_service_class
+    ::ProtectedBranches::CreateService
   end
 
-  def destroy
-    @protected_branch.destroy
-
-    respond_to do |format|
-      format.html { redirect_to_repository_settings(@project) }
-      format.js { head :ok }
-    end
+  def update_service_class
+    ::ProtectedBranches::UpdateService
   end
 
-  private
-
-  def load_protected_branch
-    @protected_branch = @project.protected_branches.find(params[:id])
+  def load_protected_ref
+    @protected_ref = @project.protected_branches.find(params[:id])
   end
 
-  def protected_branch_params
+  def protected_ref_params
     params.require(:protected_branch).permit(:name,
                                              merge_access_levels_attributes: [:access_level, :id],
                                              push_access_levels_attributes: [:access_level, :id])
diff --git a/app/controllers/projects/protected_refs_controller.rb b/app/controllers/projects/protected_refs_controller.rb
new file mode 100644
index 00000000000..083a70968e5
--- /dev/null
+++ b/app/controllers/projects/protected_refs_controller.rb
@@ -0,0 +1,47 @@
+class Projects::ProtectedRefsController < Projects::ApplicationController
+  include RepositorySettingsRedirect
+
+  # Authorize
+  before_action :require_non_empty_project
+  before_action :authorize_admin_project!
+  before_action :load_protected_ref, only: [:show, :update, :destroy]
+
+  layout "project_settings"
+
+  def index
+    redirect_to_repository_settings(@project)
+  end
+
+  def create
+    protected_ref = create_service_class.new(@project, current_user, protected_ref_params).execute
+
+    unless protected_ref.persisted?
+      flash[:alert] = protected_ref.errors.full_messages.join(', ').html_safe
+    end
+
+    redirect_to_repository_settings(@project)
+  end
+
+  def show
+    @matching_refs = @protected_ref.matching(project_refs)
+  end
+
+  def update
+    @protected_ref = update_service_class.new(@project, current_user, protected_ref_params).execute(@protected_ref)
+
+    if @protected_ref.valid?
+      render json: @protected_ref, status: :ok
+    else
+      render json: @protected_ref.errors, status: :unprocessable_entity
+    end
+  end
+
+  def destroy
+    @protected_ref.destroy
+
+    respond_to do |format|
+      format.html { redirect_to_repository_settings(@project) }
+      format.js { head :ok }
+    end
+  end
+end
diff --git a/app/controllers/projects/protected_tags_controller.rb b/app/controllers/projects/protected_tags_controller.rb
new file mode 100644
index 00000000000..c61ddf145e6
--- /dev/null
+++ b/app/controllers/projects/protected_tags_controller.rb
@@ -0,0 +1,23 @@
+class Projects::ProtectedTagsController < Projects::ProtectedRefsController
+  protected
+
+  def project_refs
+    @project.repository.tags
+  end
+
+  def create_service_class
+    ::ProtectedTags::CreateService
+  end
+
+  def update_service_class
+    ::ProtectedTags::UpdateService
+  end
+
+  def load_protected_ref
+    @protected_ref = @project.protected_tags.find(params[:id])
+  end
+
+  def protected_ref_params
+    params.require(:protected_tag).permit(:name, create_access_levels_attributes: [:access_level, :id])
+  end
+end
diff --git a/app/controllers/projects/registry/application_controller.rb b/app/controllers/projects/registry/application_controller.rb
new file mode 100644
index 00000000000..a56f9c58726
--- /dev/null
+++ b/app/controllers/projects/registry/application_controller.rb
@@ -0,0 +1,16 @@
+module Projects
+  module Registry
+    class ApplicationController < Projects::ApplicationController
+      layout 'project'
+
+      before_action :verify_registry_enabled!
+      before_action :authorize_read_container_image!
+
+      private
+
+      def verify_registry_enabled!
+        render_404 unless Gitlab.config.registry.enabled
+      end
+    end
+  end
+end
diff --git a/app/controllers/projects/registry/repositories_controller.rb b/app/controllers/projects/registry/repositories_controller.rb
new file mode 100644
index 00000000000..17f391ba07f
--- /dev/null
+++ b/app/controllers/projects/registry/repositories_controller.rb
@@ -0,0 +1,43 @@
+module Projects
+  module Registry
+    class RepositoriesController < ::Projects::Registry::ApplicationController
+      before_action :authorize_update_container_image!, only: [:destroy]
+      before_action :ensure_root_container_repository!, only: [:index]
+
+      def index
+        @images = project.container_repositories
+      end
+
+      def destroy
+        if image.destroy
+          redirect_to project_container_registry_path(@project),
+                      notice: 'Image repository has been removed successfully!'
+        else
+          redirect_to project_container_registry_path(@project),
+                      alert: 'Failed to remove image repository!'
+        end
+      end
+
+      private
+
+      def image
+        @image ||= project.container_repositories.find(params[:id])
+      end
+
+      ##
+      # Container repository object for root project path.
+      #
+      # Needed to maintain a backwards compatibility.
+      #
+      def ensure_root_container_repository!
+        ContainerRegistry::Path.new(@project.full_path).tap do |path|
+          break if path.has_repository?
+
+          ContainerRepository.build_from_path(path).tap do |repository|
+            repository.save! if repository.has_tags?
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/app/controllers/projects/registry/tags_controller.rb b/app/controllers/projects/registry/tags_controller.rb
new file mode 100644
index 00000000000..d689cade3ab
--- /dev/null
+++ b/app/controllers/projects/registry/tags_controller.rb
@@ -0,0 +1,28 @@
+module Projects
+  module Registry
+    class TagsController < ::Projects::Registry::ApplicationController
+      before_action :authorize_update_container_image!, only: [:destroy]
+
+      def destroy
+        if tag.delete
+          redirect_to project_container_registry_path(@project),
+                      notice: 'Registry tag has been removed successfully!'
+        else
+          redirect_to project_container_registry_path(@project),
+                      alert: 'Failed to remove registry tag!'
+        end
+      end
+
+      private
+
+      def image
+        @image ||= project.container_repositories
+          .find(params[:repository_id])
+      end
+
+      def tag
+        @tag ||= image.tag(params[:id])
+      end
+    end
+  end
+end
diff --git a/app/controllers/projects/settings/repository_controller.rb b/app/controllers/projects/settings/repository_controller.rb
index b6ce4abca45..44de8a49593 100644
--- a/app/controllers/projects/settings/repository_controller.rb
+++ b/app/controllers/projects/settings/repository_controller.rb
@@ -4,46 +4,48 @@ module Projects
       before_action :authorize_admin_project!
 
       def show
-        @deploy_keys = DeployKeysPresenter
-          .new(@project, current_user: current_user)
+        @deploy_keys = DeployKeysPresenter.new(@project, current_user: current_user)
 
-        define_protected_branches
+        define_protected_refs
       end
 
       private
 
-      def define_protected_branches
-        load_protected_branches
+      def define_protected_refs
+        @protected_branches = @project.protected_branches.order(:name).page(params[:page])
+        @protected_tags = @project.protected_tags.order(:name).page(params[:page])
         @protected_branch = @project.protected_branches.new
+        @protected_tag = @project.protected_tags.new
         load_gon_index
       end
 
-      def load_protected_branches
-        @protected_branches = @project.protected_branches.order(:name).page(params[:page])
-      end
-
       def access_levels_options
         {
-          push_access_levels: {
-            roles: ProtectedBranch::PushAccessLevel.human_access_levels.map do |id, text|
-              { id: id, text: text, before_divider: true }
-            end
-          },
-          merge_access_levels: {
-            roles: ProtectedBranch::MergeAccessLevel.human_access_levels.map do |id, text|
-              { id: id, text: text, before_divider: true }
-            end
-          }
+          create_access_levels: levels_for_dropdown(ProtectedTag::CreateAccessLevel),
+          push_access_levels: levels_for_dropdown(ProtectedBranch::PushAccessLevel),
+          merge_access_levels: levels_for_dropdown(ProtectedBranch::MergeAccessLevel)
         }
       end
 
-      def open_branches
-        branches = @project.open_branches.map { |br| { text: br.name, id: br.name, title: br.name } }
-        { open_branches: branches }
+      def levels_for_dropdown(access_level_type)
+        roles = access_level_type.human_access_levels.map do |id, text|
+          { id: id, text: text, before_divider: true }
+        end
+        { roles: roles }
+      end
+
+      def protectable_tags_for_dropdown
+        { open_tags: ProtectableDropdown.new(@project, :tags).hash }
+      end
+
+      def protectable_branches_for_dropdown
+        { open_branches: ProtectableDropdown.new(@project, :branches).hash }
       end
 
       def load_gon_index
-        gon.push(open_branches.merge(access_levels_options))
+        gon.push(protectable_tags_for_dropdown)
+        gon.push(protectable_branches_for_dropdown)
+        gon.push(access_levels_options)
       end
     end
   end
diff --git a/app/controllers/projects/snippets_controller.rb b/app/controllers/projects/snippets_controller.rb
index ea1a97b7cf0..5c9e0d4d1a1 100644
--- a/app/controllers/projects/snippets_controller.rb
+++ b/app/controllers/projects/snippets_controller.rb
@@ -1,4 +1,5 @@
 class Projects::SnippetsController < Projects::ApplicationController
+  include RendersNotes
   include ToggleAwardEmoji
   include SpammableActions
   include SnippetsActions
@@ -55,8 +56,10 @@ class Projects::SnippetsController < Projects::ApplicationController
 
   def show
     @note = @project.notes.new(noteable: @snippet)
-    @notes = Banzai::NoteRenderer.render(@snippet.notes.fresh, @project, current_user)
     @noteable = @snippet
+
+    @discussions = @snippet.discussions
+    @notes = prepare_notes_for_rendering(@discussions.flat_map(&:notes))
   end
 
   def destroy
diff --git a/app/controllers/projects/tree_controller.rb b/app/controllers/projects/tree_controller.rb
index 637b61504d8..5e2182c883e 100644
--- a/app/controllers/projects/tree_controller.rb
+++ b/app/controllers/projects/tree_controller.rb
@@ -34,16 +34,16 @@ class Projects::TreeController < Projects::ApplicationController
   def create_dir
     return render_404 unless @commit_params.values.all?
 
-    update_ref
+    set_start_branch_to_branch_name
     create_commit(Files::CreateDirService,  success_notice: "The directory has been successfully created.",
-                                            success_path: namespace_project_tree_path(@project.namespace, @project, File.join(@target_branch, @dir_name)),
+                                            success_path: namespace_project_tree_path(@project.namespace, @project, File.join(@branch_name, @dir_name)),
                                             failure_path: namespace_project_tree_path(@project.namespace, @project, @ref))
   end
 
   private
 
   def assign_dir_vars
-    @target_branch = params[:target_branch]
+    @branch_name = params[:branch_name]
 
     @dir_name = File.join(@path, params[:dir_name])
     @commit_params = {
diff --git a/app/controllers/projects/triggers_controller.rb b/app/controllers/projects/triggers_controller.rb
index c47198c5eb6..afa56de920b 100644
--- a/app/controllers/projects/triggers_controller.rb
+++ b/app/controllers/projects/triggers_controller.rb
@@ -11,7 +11,7 @@ class Projects::TriggersController < Projects::ApplicationController
   end
 
   def create
-    @trigger = project.triggers.create(create_params.merge(owner: current_user))
+    @trigger = project.triggers.create(trigger_params.merge(owner: current_user))
 
     if @trigger.valid?
       flash[:notice] = 'Trigger was created successfully.'
@@ -36,7 +36,7 @@ class Projects::TriggersController < Projects::ApplicationController
   end
 
   def update
-    if trigger.update(update_params)
+    if trigger.update(trigger_params)
       redirect_to namespace_project_settings_ci_cd_path(@project.namespace, @project), notice: 'Trigger was successfully updated.'
     else
       render action: "edit"
@@ -67,11 +67,10 @@ class Projects::TriggersController < Projects::ApplicationController
     @trigger ||= project.triggers.find(params[:id]) || render_404
   end
 
-  def create_params
-    params.require(:trigger).permit(:description)
-  end
-
-  def update_params
-    params.require(:trigger).permit(:description)
+  def trigger_params
+    params.require(:trigger).permit(
+      :description,
+      trigger_schedule_attributes: [:id, :active, :cron, :cron_timezone, :ref]
+    )
   end
 end
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 47f7e0b1b28..6807c37f972 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -345,7 +345,11 @@ class ProjectsController < Projects::ApplicationController
   end
 
   def project_view_files?
-    current_user && current_user.project_view == 'files'
+    if current_user
+      current_user.project_view == 'files'
+    else
+      project_view_files_allowed?
+    end
   end
 
   # Override extract_ref from ExtractsPath, which returns the branch and file path
@@ -359,4 +363,8 @@ class ProjectsController < Projects::ApplicationController
   def get_id
     project.repository.root_ref
   end
+
+  def project_view_files_allowed?
+    !project.empty_repo? && can?(current_user, :download_code, project)
+  end
 end
diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
index a49a1f50a81..3ca14dee33c 100644
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -25,12 +25,12 @@ class RegistrationsController < Devise::RegistrationsController
   end
 
   def destroy
-    Users::DestroyService.new(current_user).execute(current_user)
+    DeleteUserWorker.perform_async(current_user.id, current_user.id)
 
     respond_to do |format|
       format.html do
         session.try(:destroy)
-        redirect_to new_user_session_path, notice: "Account successfully removed."
+        redirect_to new_user_session_path, notice: "Account scheduled for removal."
       end
     end
   end
@@ -60,7 +60,7 @@ class RegistrationsController < Devise::RegistrationsController
   end
 
   def resource
-    @resource ||= Users::CreateService.new(current_user, sign_up_params).build
+    @resource ||= Users::BuildService.new(current_user, sign_up_params).execute
   end
 
   def devise_mapping
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 612d69cf557..4a579601785 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -6,45 +6,19 @@ class SearchController < ApplicationController
   layout 'search'
 
   def show
-    if params[:project_id].present?
-      @project = Project.find_by(id: params[:project_id])
-      @project = nil unless can?(current_user, :download_code, @project)
-    end
+    search_service = SearchService.new(current_user, params)
 
-    if params[:group_id].present?
-      @group = Group.find_by(id: params[:group_id])
-      @group = nil unless can?(current_user, :read_group, @group)
-    end
+    @project = search_service.project
+    @group = search_service.group
 
     return if params[:search].blank?
 
     @search_term = params[:search]
 
-    @scope = params[:scope]
-    @show_snippets = params[:snippets].eql? 'true'
-
-    @search_results =
-      if @project
-        unless %w(blobs notes issues merge_requests milestones wiki_blobs
-                  commits).include?(@scope)
-          @scope = 'blobs'
-        end
-
-        Search::ProjectService.new(@project, current_user, params).execute
-      elsif @show_snippets
-        unless %w(snippet_blobs snippet_titles).include?(@scope)
-          @scope = 'snippet_blobs'
-        end
-
-        Search::SnippetService.new(current_user, params).execute
-      else
-        unless %w(projects issues merge_requests milestones).include?(@scope)
-          @scope = 'projects'
-        end
-        Search::GlobalService.new(current_user, params).execute
-      end
-
-    @search_objects = @search_results.objects(@scope, params[:page])
+    @scope = search_service.scope
+    @show_snippets = search_service.show_snippets?
+    @search_results = search_service.search_results
+    @search_objects = search_service.search_objects
 
     check_single_commit_result
   end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 7d81c96262f..8c6ba4915cd 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -3,7 +3,7 @@ class SessionsController < Devise::SessionsController
   include Devise::Controllers::Rememberable
   include Recaptcha::ClientHelper
 
-  skip_before_action :check_2fa_requirement, only: [:destroy]
+  skip_before_action :check_two_factor_requirement, only: [:destroy]
 
   prepend_before_action :check_initial_setup, only: [:new]
   prepend_before_action :authenticate_with_two_factor,
@@ -35,6 +35,7 @@ class SessionsController < Devise::SessionsController
       # hide the signed-in notification
       flash[:notice] = nil
       log_audit_event(current_user, with: authentication_method)
+      log_user_activity(current_user)
     end
   end
 
@@ -79,7 +80,7 @@ class SessionsController < Devise::SessionsController
       if request.referer.present? && (params['redirect_to_referer'] == 'yes')
         referer_uri = URI(request.referer)
         if referer_uri.host == Gitlab.config.gitlab.host
-          referer_uri.path
+          referer_uri.request_uri
         else
           request.fullpath
         end
@@ -123,6 +124,10 @@ class SessionsController < Devise::SessionsController
       for_authentication.security_event
   end
 
+  def log_user_activity(user)
+    Users::ActivityService.new(user, 'login').execute
+  end
+
   def load_recaptcha
     Gitlab::Recaptcha.load_configurations!
   end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 2683614d2e8..a452bbba422 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -140,6 +140,6 @@ class UsersController < ApplicationController
   end
 
   def projects_for_current_user
-    ProjectsFinder.new.execute(current_user)
+    ProjectsFinder.new(current_user: current_user).execute
   end
 end