Add latest changes from gitlab-org/gitlab@12-10-stable-ee

25 files changed, 221 insertions, 169 deletions

diff --git a/app/assets/javascripts/diffs/store/getters_versions_dropdowns.js b/app/assets/javascripts/diffs/store/getters_versions_dropdowns.js
index dd682060b4b..acc8874dad8 100644
--- a/app/assets/javascripts/diffs/store/getters_versions_dropdowns.js
+++ b/app/assets/javascripts/diffs/store/getters_versions_dropdowns.js
@@ -39,7 +39,11 @@ export const diffCompareDropdownTargetVersions = (state, getters) => {
       ...v,
     };
   };
-  return [...state.mergeRequestDiffs.slice(1).map(formatVersion), baseVersion, headVersion];
+
+  if (gon.features?.diffCompareWithHead) {
+    return [...state.mergeRequestDiffs.slice(1).map(formatVersion), baseVersion, headVersion];
+  }
+  return [...state.mergeRequestDiffs.slice(1).map(formatVersion), baseVersion];
 };
 
 export const diffCompareDropdownSourceVersions = (state, getters) => {
diff --git a/app/assets/javascripts/ide/stores/mutations.js b/app/assets/javascripts/ide/stores/mutations.js
index 49485f4d575..5d567d9b169 100644
--- a/app/assets/javascripts/ide/stores/mutations.js
+++ b/app/assets/javascripts/ide/stores/mutations.js
@@ -216,7 +216,12 @@ export default {
 
     if (entry.type === 'blob') {
       if (tempFile) {
+        // Since we only support one list of file changes, it's safe to just remove from both
+        // changed and staged. Otherwise, we'd need to somehow evaluate the difference between
+        // changed and HEAD.
+        // https://gitlab.com/gitlab-org/create-stage/-/issues/12669
         state.changedFiles = state.changedFiles.filter(f => f.path !== path);
+        state.stagedFiles = state.stagedFiles.filter(f => f.path !== path);
       } else {
         state.changedFiles = state.changedFiles.concat(entry);
       }
diff --git a/app/assets/javascripts/pages/admin/services/edit/index.js b/app/assets/javascripts/pages/admin/services/edit/index.js
new file mode 100644
index 00000000000..e5e80d2f566
--- /dev/null
+++ b/app/assets/javascripts/pages/admin/services/edit/index.js
@@ -0,0 +1,9 @@
+import IntegrationSettingsForm from '~/integrations/integration_settings_form';
+import initAlertsSettings from '~/alerts_service_settings';
+
+document.addEventListener('DOMContentLoaded', () => {
+  const integrationSettingsForm = new IntegrationSettingsForm('.js-integration-settings-form');
+  integrationSettingsForm.init();
+
+  initAlertsSettings(document.querySelector('.js-alerts-service-settings'));
+});
diff --git a/app/assets/javascripts/pages/groups/settings/ci_cd/show/index.js b/app/assets/javascripts/pages/groups/settings/ci_cd/show/index.js
index 1ef18b356f2..479c82265f2 100644
--- a/app/assets/javascripts/pages/groups/settings/ci_cd/show/index.js
+++ b/app/assets/javascripts/pages/groups/settings/ci_cd/show/index.js
@@ -1,13 +1,10 @@
 import initSettingsPanels from '~/settings_panels';
 import AjaxVariableList from '~/ci_variable_list/ajax_variable_list';
 import initVariableList from '~/ci_variable_list';
-import DueDateSelectors from '~/due_date_select';
 
 document.addEventListener('DOMContentLoaded', () => {
   // Initialize expandable settings panels
   initSettingsPanels();
-  // eslint-disable-next-line no-new
-  new DueDateSelectors();
 
   if (gon.features.newVariablesUi) {
     initVariableList();
diff --git a/app/assets/javascripts/pages/groups/settings/repository/show/index.js b/app/assets/javascripts/pages/groups/settings/repository/show/index.js
new file mode 100644
index 00000000000..f4b26ba81fe
--- /dev/null
+++ b/app/assets/javascripts/pages/groups/settings/repository/show/index.js
@@ -0,0 +1,9 @@
+import initSettingsPanels from '~/settings_panels';
+import DueDateSelectors from '~/due_date_select';
+
+document.addEventListener('DOMContentLoaded', () => {
+  // Initialize expandable settings panels
+  initSettingsPanels();
+
+  new DueDateSelectors(); // eslint-disable-line no-new
+});
diff --git a/app/assets/javascripts/pages/projects/settings/ci_cd/show/index.js b/app/assets/javascripts/pages/projects/settings/ci_cd/show/index.js
index 7f865f4cfb6..aeeef40fc6e 100644
--- a/app/assets/javascripts/pages/projects/settings/ci_cd/show/index.js
+++ b/app/assets/javascripts/pages/projects/settings/ci_cd/show/index.js
@@ -3,7 +3,6 @@ import SecretValues from '~/behaviors/secret_values';
 import AjaxVariableList from '~/ci_variable_list/ajax_variable_list';
 import registrySettingsApp from '~/registry/settings/registry_settings_bundle';
 import initVariableList from '~/ci_variable_list';
-import DueDateSelectors from '~/due_date_select';
 import initDeployKeys from '~/deploy_keys';
 
 document.addEventListener('DOMContentLoaded', () => {
@@ -41,9 +40,6 @@ document.addEventListener('DOMContentLoaded', () => {
     autoDevOpsExtraSettings.classList.toggle('hidden', !target.checked);
   });
 
-  // eslint-disable-next-line no-new
-  new DueDateSelectors();
-
   registrySettingsApp();
   initDeployKeys();
 });
diff --git a/app/controllers/groups/deploy_tokens_controller.rb b/app/controllers/groups/deploy_tokens_controller.rb
index a765922fc54..6bb075fd115 100644
--- a/app/controllers/groups/deploy_tokens_controller.rb
+++ b/app/controllers/groups/deploy_tokens_controller.rb
@@ -7,6 +7,6 @@ class Groups::DeployTokensController < Groups::ApplicationController
     @token = @group.deploy_tokens.find(params[:id])
     @token.revoke!
 
-    redirect_to group_settings_ci_cd_path(@group, anchor: 'js-deploy-tokens')
+    redirect_to group_settings_repository_path(@group, anchor: 'js-deploy-tokens')
   end
 end
diff --git a/app/controllers/groups/settings/ci_cd_controller.rb b/app/controllers/groups/settings/ci_cd_controller.rb
index bfe7987176a..18f336eae78 100644
--- a/app/controllers/groups/settings/ci_cd_controller.rb
+++ b/app/controllers/groups/settings/ci_cd_controller.rb
@@ -8,9 +8,8 @@ module Groups
       before_action :authorize_update_max_artifacts_size!, only: [:update]
       before_action do
         push_frontend_feature_flag(:new_variables_ui, @group, default_enabled: true)
-        push_frontend_feature_flag(:ajax_new_deploy_token, @group)
       end
-      before_action :define_variables, only: [:show, :create_deploy_token]
+      before_action :define_variables, only: [:show]
 
       def show
       end
@@ -42,38 +41,10 @@ module Groups
         redirect_to group_settings_ci_cd_path
       end
 
-      def create_deploy_token
-        result = Groups::DeployTokens::CreateService.new(@group, current_user, deploy_token_params).execute
-        @new_deploy_token = result[:deploy_token]
-
-        if result[:status] == :success
-          respond_to do |format|
-            format.json do
-              # IMPORTANT: It's a security risk to expose the token value more than just once here!
-              json = API::Entities::DeployTokenWithToken.represent(@new_deploy_token).as_json
-              render json: json, status: result[:http_status]
-            end
-            format.html do
-              flash.now[:notice] = s_('DeployTokens|Your new group deploy token has been created.')
-              render :show
-            end
-          end
-        else
-          respond_to do |format|
-            format.json { render json: { message: result[:message] }, status: result[:http_status] }
-            format.html do
-              flash.now[:alert] = result[:message]
-              render :show
-            end
-          end
-        end
-      end
-
       private
 
       def define_variables
         define_ci_variables
-        define_deploy_token_variables
       end
 
       def define_ci_variables
@@ -83,12 +54,6 @@ module Groups
           .map { |variable| variable.present(current_user: current_user) }
       end
 
-      def define_deploy_token_variables
-        @deploy_tokens = @group.deploy_tokens.active
-
-        @new_deploy_token = DeployToken.new
-      end
-
       def authorize_admin_group!
         return render_404 unless can?(current_user, :admin_group, group)
       end
@@ -112,10 +77,6 @@ module Groups
       def update_group_params
         params.require(:group).permit(:max_artifacts_size)
       end
-
-      def deploy_token_params
-        params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :write_registry, :username)
-      end
     end
   end
 end
diff --git a/app/controllers/groups/settings/repository_controller.rb b/app/controllers/groups/settings/repository_controller.rb
new file mode 100644
index 00000000000..6e8c5628d24
--- /dev/null
+++ b/app/controllers/groups/settings/repository_controller.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Groups
+  module Settings
+    class RepositoryController < Groups::ApplicationController
+      skip_cross_project_access_check :show
+      before_action :authorize_admin_group!
+      before_action :define_deploy_token_variables
+      before_action do
+        push_frontend_feature_flag(:ajax_new_deploy_token, @group)
+      end
+
+      def create_deploy_token
+        result = Groups::DeployTokens::CreateService.new(@group, current_user, deploy_token_params).execute
+        @new_deploy_token = result[:deploy_token]
+
+        if result[:status] == :success
+          respond_to do |format|
+            format.json do
+              # IMPORTANT: It's a security risk to expose the token value more than just once here!
+              json = API::Entities::DeployTokenWithToken.represent(@new_deploy_token).as_json
+              render json: json, status: result[:http_status]
+            end
+            format.html do
+              flash.now[:notice] = s_('DeployTokens|Your new group deploy token has been created.')
+              render :show
+            end
+          end
+        else
+          respond_to do |format|
+            format.json { render json: { message: result[:message] }, status: result[:http_status] }
+            format.html do
+              flash.now[:alert] = result[:message]
+              render :show
+            end
+          end
+        end
+      end
+
+      private
+
+      def define_deploy_token_variables
+        @deploy_tokens = @group.deploy_tokens.active
+
+        @new_deploy_token = DeployToken.new
+      end
+
+      def deploy_token_params
+        params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :write_registry, :username)
+      end
+    end
+  end
+end
diff --git a/app/controllers/projects/deploy_tokens_controller.rb b/app/controllers/projects/deploy_tokens_controller.rb
index 4a70424ec01..830b1f4fe4a 100644
--- a/app/controllers/projects/deploy_tokens_controller.rb
+++ b/app/controllers/projects/deploy_tokens_controller.rb
@@ -7,6 +7,6 @@ class Projects::DeployTokensController < Projects::ApplicationController
     @token = @project.deploy_tokens.find(params[:id])
     @token.revoke!
 
-    redirect_to project_settings_ci_cd_path(project, anchor: 'js-deploy-tokens')
+    redirect_to project_settings_repository_path(project, anchor: 'js-deploy-tokens')
   end
 end
diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb
index cbab68b2827..8c37d70d4c9 100644
--- a/app/controllers/projects/merge_requests_controller.rb
+++ b/app/controllers/projects/merge_requests_controller.rb
@@ -26,6 +26,7 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
     push_frontend_feature_flag(:code_navigation, @project)
     push_frontend_feature_flag(:widget_visibility_polling, @project, default_enabled: true)
     push_frontend_feature_flag(:merge_ref_head_comments, @project)
+    push_frontend_feature_flag(:diff_compare_with_head, @project)
   end
 
   before_action do
diff --git a/app/controllers/projects/settings/ci_cd_controller.rb b/app/controllers/projects/settings/ci_cd_controller.rb
index c7cd9649dac..c4d291e8634 100644
--- a/app/controllers/projects/settings/ci_cd_controller.rb
+++ b/app/controllers/projects/settings/ci_cd_controller.rb
@@ -48,33 +48,6 @@ module Projects
         redirect_to namespace_project_settings_ci_cd_path
       end
 
-      def create_deploy_token
-        result = Projects::DeployTokens::CreateService.new(@project, current_user, deploy_token_params).execute
-        @new_deploy_token = result[:deploy_token]
-
-        if result[:status] == :success
-          respond_to do |format|
-            format.json do
-              # IMPORTANT: It's a security risk to expose the token value more than just once here!
-              json = API::Entities::DeployTokenWithToken.represent(@new_deploy_token).as_json
-              render json: json, status: result[:http_status]
-            end
-            format.html do
-              flash.now[:notice] = s_('DeployTokens|Your new project deploy token has been created.')
-              render :show
-            end
-          end
-        else
-          respond_to do |format|
-            format.json { render json: { message: result[:message] }, status: result[:http_status] }
-            format.html do
-              flash.now[:alert] = result[:message]
-              render :show
-            end
-          end
-        end
-      end
-
       private
 
       def update_params
@@ -93,10 +66,6 @@ module Projects
         end
       end
 
-      def deploy_token_params
-        params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :write_registry, :username)
-      end
-
       def run_autodevops_pipeline(service)
         return unless service.run_auto_devops_pipeline?
 
@@ -116,7 +85,6 @@ module Projects
       def define_variables
         define_runners_variables
         define_ci_variables
-        define_deploy_token_variables
         define_triggers_variables
         define_badges_variables
         define_auto_devops_variables
@@ -168,12 +136,6 @@ module Projects
         @auto_devops = @project.auto_devops || ProjectAutoDevops.new
       end
 
-      def define_deploy_token_variables
-        @deploy_tokens = @project.deploy_tokens.active
-
-        @new_deploy_token = DeployToken.new
-      end
-
       def define_deploy_keys
         @deploy_keys = DeployKeysPresenter.new(@project, current_user: current_user)
       end
diff --git a/app/controllers/projects/settings/repository_controller.rb b/app/controllers/projects/settings/repository_controller.rb
index a1f88c73649..68bab952217 100644
--- a/app/controllers/projects/settings/repository_controller.rb
+++ b/app/controllers/projects/settings/repository_controller.rb
@@ -4,7 +4,10 @@ module Projects
   module Settings
     class RepositoryController < Projects::ApplicationController
       before_action :authorize_admin_project!
-      before_action :remote_mirror, only: [:show]
+      before_action :define_variables, only: [:create_deploy_token]
+      before_action do
+        push_frontend_feature_flag(:ajax_new_deploy_token, @project)
+      end
 
       def show
         render_show
@@ -24,15 +27,47 @@ module Projects
         redirect_to project_settings_repository_path(project)
       end
 
+      def create_deploy_token
+        result = Projects::DeployTokens::CreateService.new(@project, current_user, deploy_token_params).execute
+        @new_deploy_token = result[:deploy_token]
+
+        if result[:status] == :success
+          respond_to do |format|
+            format.json do
+              # IMPORTANT: It's a security risk to expose the token value more than just once here!
+              json = API::Entities::DeployTokenWithToken.represent(@new_deploy_token).as_json
+              render json: json, status: result[:http_status]
+            end
+            format.html do
+              flash.now[:notice] = s_('DeployTokens|Your new project deploy token has been created.')
+              render :show
+            end
+          end
+        else
+          respond_to do |format|
+            format.json { render json: { message: result[:message] }, status: result[:http_status] }
+            format.html do
+              flash.now[:alert] = result[:message]
+              render :show
+            end
+          end
+        end
+      end
+
       private
 
       def render_show
-        define_protected_refs
-        remote_mirror
+        define_variables
 
         render 'show'
       end
 
+      def define_variables
+        define_deploy_token_variables
+        define_protected_refs
+        remote_mirror
+      end
+
       # rubocop: disable CodeReuse/ActiveRecord
       def define_protected_refs
         @protected_branches = @project.protected_branches.order(:name).page(params[:page])
@@ -51,6 +86,10 @@ module Projects
         @remote_mirror = project.remote_mirrors.first_or_initialize
       end
 
+      def deploy_token_params
+        params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :write_registry, :username)
+      end
+
       def access_levels_options
         {
           create_access_levels: levels_for_dropdown,
@@ -74,6 +113,12 @@ module Projects
         { open_branches: ProtectableDropdown.new(@project, :branches).hash }
       end
 
+      def define_deploy_token_variables
+        @deploy_tokens = @project.deploy_tokens.active
+
+        @new_deploy_token ||= DeployToken.new
+      end
+
       def load_gon_index
         gon.push(protectable_tags_for_dropdown)
         gon.push(protectable_branches_for_dropdown)
diff --git a/app/helpers/analytics/navbar_helper.rb b/app/helpers/analytics/navbar_helper.rb
new file mode 100644
index 00000000000..ddf2655c887
--- /dev/null
+++ b/app/helpers/analytics/navbar_helper.rb
@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+module Analytics
+  module NavbarHelper
+    class NavbarSubItem
+      attr_reader :title, :path, :link, :link_to_options
+
+      def initialize(title:, path:, link:, link_to_options: {})
+        @title = title
+        @path = path
+        @link = link
+        @link_to_options = link_to_options.merge(title: title)
+      end
+    end
+
+    def project_analytics_navbar_links(project, current_user)
+      [
+        cycle_analytics_navbar_link(project, current_user),
+        repository_analytics_navbar_link(project, current_user),
+        ci_cd_analytics_navbar_link(project, current_user)
+      ].compact
+    end
+
+    def group_analytics_navbar_links(group, current_user)
+      []
+    end
+
+    private
+
+    def navbar_sub_item(args)
+      NavbarSubItem.new(args)
+    end
+
+    def cycle_analytics_navbar_link(project, current_user)
+      return unless project_nav_tab?(:cycle_analytics)
+
+      navbar_sub_item(
+        title: _('Value Stream'),
+        path: 'cycle_analytics#show',
+        link: project_cycle_analytics_path(project),
+        link_to_options: { class: 'shortcuts-project-cycle-analytics' }
+      )
+    end
+
+    def repository_analytics_navbar_link(project, current_user)
+      return if project.empty_repo?
+
+      navbar_sub_item(
+        title: _('Repository'),
+        path: 'graphs#charts',
+        link: charts_project_graph_path(project, current_ref),
+        link_to_options: { class: 'shortcuts-repository-charts' }
+      )
+    end
+
+    def ci_cd_analytics_navbar_link(project, current_user)
+      return unless project_nav_tab?(:pipelines)
+      return unless project.feature_available?(:builds, current_user) || !project.empty_repo?
+
+      navbar_sub_item(
+        title: _('CI / CD'),
+        path: 'pipelines#charts',
+        link: charts_project_pipelines_path(project)
+      )
+    end
+  end
+end
+
+Analytics::NavbarHelper.prepend_if_ee('EE::Analytics::NavbarHelper')
diff --git a/app/helpers/analytics_navbar_helper.rb b/app/helpers/analytics_navbar_helper.rb
deleted file mode 100644
index f94119c4eef..00000000000
--- a/app/helpers/analytics_navbar_helper.rb
+++ /dev/null
@@ -1,67 +0,0 @@
-# frozen_string_literal: true
-
-module AnalyticsNavbarHelper
-  class NavbarSubItem
-    attr_reader :title, :path, :link, :link_to_options
-
-    def initialize(title:, path:, link:, link_to_options: {})
-      @title = title
-      @path = path
-      @link = link
-      @link_to_options = link_to_options.merge(title: title)
-    end
-  end
-
-  def project_analytics_navbar_links(project, current_user)
-    [
-      cycle_analytics_navbar_link(project, current_user),
-      repository_analytics_navbar_link(project, current_user),
-      ci_cd_analytics_navbar_link(project, current_user)
-    ].compact
-  end
-
-  def group_analytics_navbar_links(group, current_user)
-    []
-  end
-
-  private
-
-  def navbar_sub_item(args)
-    NavbarSubItem.new(args)
-  end
-
-  def cycle_analytics_navbar_link(project, current_user)
-    return unless project_nav_tab?(:cycle_analytics)
-
-    navbar_sub_item(
-      title: _('Value Stream'),
-      path: 'cycle_analytics#show',
-      link: project_cycle_analytics_path(project),
-      link_to_options: { class: 'shortcuts-project-cycle-analytics' }
-    )
-  end
-
-  def repository_analytics_navbar_link(project, current_user)
-    return if project.empty_repo?
-
-    navbar_sub_item(
-      title: _('Repository'),
-      path: 'graphs#charts',
-      link: charts_project_graph_path(project, current_ref),
-      link_to_options: { class: 'shortcuts-repository-charts' }
-    )
-  end
-
-  def ci_cd_analytics_navbar_link(project, current_user)
-    return unless project_nav_tab?(:pipelines)
-    return unless project.feature_available?(:builds, current_user) || !project.empty_repo?
-
-    navbar_sub_item(
-      title: _('CI / CD'),
-      path: 'pipelines#charts',
-      link: charts_project_pipelines_path(project)
-    )
-  end
-end
-
-AnalyticsNavbarHelper.prepend_if_ee('EE::AnalyticsNavbarHelper')
diff --git a/app/helpers/ci_variables_helper.rb b/app/helpers/ci_variables_helper.rb
index df220effd5d..cd0718c1b82 100644
--- a/app/helpers/ci_variables_helper.rb
+++ b/app/helpers/ci_variables_helper.rb
@@ -7,7 +7,7 @@ module CiVariablesHelper
 
   def create_deploy_token_path(entity, opts = {})
     if entity.is_a?(Group)
-      create_deploy_token_group_settings_ci_cd_path(entity, opts)
+      create_deploy_token_group_settings_repository_path(entity, opts)
     else
       # TODO: change this path to 'create_deploy_token_project_settings_ci_cd_path'
       # See MR comment for more detail: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/27059#note_311585356
diff --git a/app/helpers/explore_helper.rb b/app/helpers/explore_helper.rb
index b341cc795a0..b66c7a69b71 100644
--- a/app/helpers/explore_helper.rb
+++ b/app/helpers/explore_helper.rb
@@ -52,7 +52,7 @@ module ExploreHelper
   end
 
   def public_visibility_restricted?
-    Gitlab::CurrentSettings.restricted_visibility_levels.include? Gitlab::VisibilityLevel::PUBLIC
+    Gitlab::CurrentSettings.restricted_visibility_levels&.include? Gitlab::VisibilityLevel::PUBLIC
   end
 
   private
diff --git a/app/helpers/groups_helper.rb b/app/helpers/groups_helper.rb
index 2cd685ddcd4..91f8bc33e3e 100644
--- a/app/helpers/groups_helper.rb
+++ b/app/helpers/groups_helper.rb
@@ -15,6 +15,7 @@ module GroupsHelper
       groups#projects
       groups#edit
       badges#index
+      repository#show
       ci_cd#show
       integrations#index
       integrations#edit
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index 9939167e74f..a28e054e13c 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -163,7 +163,7 @@ class MergeRequest < ApplicationRecord
   state_machine :merge_status, initial: :unchecked do
     event :mark_as_unchecked do
       transition [:can_be_merged, :checking, :unchecked] => :unchecked
-      transition [:cannot_be_merged, :cannot_be_merged_recheck] => :cannot_be_merged_recheck
+      transition [:cannot_be_merged, :cannot_be_merged_rechecking, :cannot_be_merged_recheck] => :cannot_be_merged_recheck
     end
 
     event :mark_as_checking do
@@ -200,7 +200,7 @@ class MergeRequest < ApplicationRecord
     # rubocop: enable CodeReuse/ServiceClass
 
     def check_state?(merge_status)
-      [:unchecked, :cannot_be_merged_recheck, :checking].include?(merge_status.to_sym)
+      [:unchecked, :cannot_be_merged_recheck, :checking, :cannot_be_merged_rechecking].include?(merge_status.to_sym)
     end
   end
 
diff --git a/app/models/project.rb b/app/models/project.rb
index 79785bfce85..5db349463d8 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -2402,7 +2402,7 @@ class Project < ApplicationRecord
   end
 
   def deploy_token_create_url(opts = {})
-    Gitlab::Routing.url_helpers.create_deploy_token_project_settings_ci_cd_path(self, opts)
+    Gitlab::Routing.url_helpers.create_deploy_token_project_settings_repository_path(self, opts)
   end
 
   def deploy_token_revoke_url_for(token)
diff --git a/app/views/groups/settings/ci_cd/show.html.haml b/app/views/groups/settings/ci_cd/show.html.haml
index 4aef30622cd..8c9b859e127 100644
--- a/app/views/groups/settings/ci_cd/show.html.haml
+++ b/app/views/groups/settings/ci_cd/show.html.haml
@@ -3,7 +3,6 @@
 
 - expanded = expanded_by_default?
 - general_expanded = @group.errors.empty? ? expanded : true
-- deploy_token_description = s_('DeployTokens|Group deploy tokens allow read-only access to the repositories and registry images within the group.')
 
 -# Given we only have one field in this form which is also admin-only,
 -# we don't want to show an empty section to non-admin users,
@@ -25,8 +24,6 @@
   .settings-content
     = render 'ci/variables/index', save_endpoint: group_variables_path
 
-= render "shared/deploy_tokens/index", group_or_project: @group, description: deploy_token_description
-
 %section.settings#runners-settings.no-animate{ class: ('expanded' if expanded) }
   .settings-header
     %h4
diff --git a/app/views/groups/settings/repository/show.html.haml b/app/views/groups/settings/repository/show.html.haml
new file mode 100644
index 00000000000..1f1d7779267
--- /dev/null
+++ b/app/views/groups/settings/repository/show.html.haml
@@ -0,0 +1,6 @@
+- breadcrumb_title _('Repository Settings')
+- page_title _('Repository')
+
+- deploy_token_description = s_('DeployTokens|Group deploy tokens allow read-only access to the repositories and registry images within the group.')
+
+= render "shared/deploy_tokens/index", group_or_project: @group, description: deploy_token_description
diff --git a/app/views/layouts/nav/sidebar/_group.html.haml b/app/views/layouts/nav/sidebar/_group.html.haml
index 8115c713a4f..f63a7b3a664 100644
--- a/app/views/layouts/nav/sidebar/_group.html.haml
+++ b/app/views/layouts/nav/sidebar/_group.html.haml
@@ -155,6 +155,11 @@
                 %span
                   = _('Projects')
 
+            = nav_link(controller: :repository) do
+              = link_to group_settings_repository_path(@group), title: _('Repository') do
+                %span
+                  = _('Repository')
+
             = nav_link(controller: :ci_cd) do
               = link_to group_settings_ci_cd_path(@group), title: _('CI / CD') do
                 %span
diff --git a/app/views/projects/settings/ci_cd/show.html.haml b/app/views/projects/settings/ci_cd/show.html.haml
index c0f60b5f3b1..4c9de58cc01 100644
--- a/app/views/projects/settings/ci_cd/show.html.haml
+++ b/app/views/projects/settings/ci_cd/show.html.haml
@@ -4,7 +4,6 @@
 
 - expanded = expanded_by_default?
 - general_expanded = @project.errors.empty? ? expanded : true
-- deploy_token_description = s_('DeployTokens|Deploy tokens allow access to your repository and registry images.')
 
 %section.settings#js-general-pipeline-settings.no-animate{ class: ('expanded' if general_expanded) }
   .settings-header
@@ -52,8 +51,6 @@
   .settings-content
     = render 'ci/variables/index', save_endpoint: project_variables_path(@project)
 
-= render "shared/deploy_tokens/index", group_or_project: @project, description: deploy_token_description
-
 = render @deploy_keys
 
 %section.settings.no-animate#js-pipeline-triggers{ class: ('expanded' if expanded) }
diff --git a/app/views/projects/settings/repository/show.html.haml b/app/views/projects/settings/repository/show.html.haml
index 5bf92d32474..77606bfea42 100644
--- a/app/views/projects/settings/repository/show.html.haml
+++ b/app/views/projects/settings/repository/show.html.haml
@@ -1,6 +1,7 @@
 - breadcrumb_title _("Repository Settings")
 - page_title _("Repository")
 - @content_class = "limit-container-width" unless fluid_layout
+- deploy_token_description = s_('DeployTokens|Deploy tokens allow access to your repository and registry images.')
 
 = render "projects/default_branch/show"
 = render_if_exists "projects/push_rules/index"
@@ -11,6 +12,7 @@
 -# Those are used throughout the actual views. These `shared` views are then
 -# reused in EE.
 = render "projects/settings/repository/protected_branches"
+= render "shared/deploy_tokens/index", group_or_project: @project, description: deploy_token_description
 = render "projects/cleanup/show"
 
 = render_if_exists 'shared/promotions/promote_repository_features'