author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-05-13 03:08:13 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-05-13 03:08:13 +0000 |
commit | 556345669b3901ea8f549b6383d09b9699573979 (patch) | |
tree | 805f885487194843af0b6aa48dafdc59704f8571 /data | |
parent | f64dc893b86ab59a7e46366e119a470e3acd3e7a (diff) | |
download | gitlab-ce-556345669b3901ea8f549b6383d09b9699573979.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'data')
10 files changed, 170 insertions, 0 deletions
diff --git a/data/deprecations/15-0-ci-cd-settings-update-mutation-renamed.yml b/data/deprecations/15-0-ci-cd-settings-update-mutation-renamed.yml new file mode 100644 index 00000000000..7f426190963 --- /dev/null +++ b/data/deprecations/15-0-ci-cd-settings-update-mutation-renamed.yml @@ -0,0 +1,19 @@ +- name: "CiCdSettingsUpdate mutation renamed to ProjectCiCdSettingsUpdate" + announcement_milestone: "15.0" + announcement_date: "2022-05-22" + removal_milestone: "16.0" + removal_date: "2023-05-22" + breaking_change: true + reporter: pedropombeiro + stage: Verify + issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/361801 + body: | + The `CiCdSettingsUpdate` mutation was renamed to `ProjectCiCdSettingsUpdate` in GitLab 15.0. + The `CiCdSettingsUpdate` mutation will be removed in GitLab 16.0. + Any user scripts that use the `CiCdSettingsUpdate` mutation must be updated to use `ProjectCiCdSettingsUpdate` + instead. + + tiers: [Core, Premium, Ultimate] + documentation_url: https://docs.gitlab.com/ee/api/graphql/reference/#mutationprojectcicdsettingsupdate + image_url: + video_url: diff --git a/data/removals/15_0/15-0-Legacy-approval-status-names-from-License-Compliance-API.yml b/data/removals/15_0/15-0-Legacy-approval-status-names-from-License-Compliance-API.yml new file mode 100644 index 00000000000..4a241f913a1 --- /dev/null +++ b/data/removals/15_0/15-0-Legacy-approval-status-names-from-License-Compliance-API.yml 
@@ -0,0 +1,11 @@ +- name: "Legacy approval status names in License Compliance API" + announcement_milestone: "14.6" + announcement_date: "2021-12-13" + removal_milestone: "15.0" + removal_date: "2022-05-22" + breaking_change: false + reporter: sam.white + stage: secure + issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/345839 + body: | # (required) Do not modify this line, instead modify the lines below. + We have now removed the deprecated legacy names for approval status of license policy (`blacklisted`, `approved`) in the API queries and responses. If you are using our License Compliance API you should stop using the `approved` and `blacklisted` query parameters, they are now `allowed` and `denied`. In 15.0 the responses will also stop using `approved` and `blacklisted` so you may need to adjust any of your custom tools. diff --git a/data/removals/15_0/15-0-Retire-js-analyzer.yml b/data/removals/15_0/15-0-Retire-js-analyzer.yml new file mode 100644 index 00000000000..5b5d38d039c --- /dev/null +++ b/data/removals/15_0/15-0-Retire-js-analyzer.yml 
@@ -0,0 +1,13 @@ +- name: "Retire-JS Dependency Scanning tool" + announcement_milestone: "14.8" + announcement_date: "2022-02-22" + removal_milestone: "15.0" + removal_date: "2022-05-22" + breaking_change: true + reporter: sam.white + body: | # Do not modify this line, instead modify the lines below. + We have removed support for retire.js from Dependency Scanning as of May 22, 2022 in GitLab 15.0. JavaScript scanning functionality will not be affected as it is still being covered by Gemnasium. + + If you have explicitly excluded retire.js using the `DS_EXCLUDED_ANALYZERS` variable, then you will be able to remove the reference to retire.js. If you have customized your pipeline’s Dependency Scanning configuration related to the `retire-js-dependency_scanning` job, then you will want to switch to `gemnasium-dependency_scanning`. If you have not used the `DS_EXCLUDED_ANALYZERS` to reference retire.js, or customized your template specifically for retire.js, you will not need to take any action. + stage: secure + issue_url: "https://gitlab.com/gitlab-org/gitlab/-/issues/289830" diff --git a/data/removals/15_0/15-0-bundler-audit.yml b/data/removals/15_0/15-0-bundler-audit.yml new file mode 100644 index 00000000000..991280585ba --- /dev/null +++ b/data/removals/15_0/15-0-bundler-audit.yml 
@@ -0,0 +1,13 @@ +- name: "bundler-audit Dependency Scanning tool" + announcement_milestone: "14.8" + announcement_date: "2022-02-22" + removal_milestone: "15.0" + removal_date: "2022-05-22" + breaking_change: true + reporter: sam.white + body: | # Do not modify this line, instead modify the lines below. + We are removing bundler-audit from Dependency Scanning on May 22, 2022 in 15.0. After this removal, Ruby scanning functionality will not be affected as it is still being covered by Gemnasium. + + If you have explicitly excluded bundler-audit using the `DS_EXCLUDED_ANALYZERS` variable, then you will be able to remove the reference to bundler-audit. If you have customized your pipeline’s Dependency Scanning configuration related to the `bundler-audit-dependency_scanning` job, then you will want to switch to `gemnasium-dependency_scanning`. If you have not used the `DS_EXCLUDED_ANALYZERS` to reference bundler-audit or customized your template specifically for bundler-audit, you will not need to take any action. + stage: secure + issue_url: "https://gitlab.com/gitlab-org/gitlab/-/issues/347491" diff --git a/data/removals/15_0/15-0-ds-default-analyzers.yml b/data/removals/15_0/15-0-ds-default-analyzers.yml new file mode 100644 index 00000000000..702ce854d0d --- /dev/null +++ b/data/removals/15_0/15-0-ds-default-analyzers.yml 
@@ -0,0 +1,12 @@ +- name: "DS_DEFAULT_ANALYZERS environment variable" + announcement_milestone: "14.0" + announcement_date: "2021-06-22" + removal_milestone: "15.0" + removal_date: "2022-05-22" + breaking_change: true + reporter: sam.white + body: | # Do not modify this line, instead modify the lines below. + We are removing the `DS_DEFAULT_ANALYZERS` environment variable from Dependency Scanning on May 22, 2022 in 15.0. After this removal, this variable's value will be ignored. To configure which analyzers to run with the default configuration, you should use the `DS_EXCLUDED_ANALYZERS` variable instead. + + stage: secure + issue_url: "https://gitlab.com/gitlab-org/gitlab/-/issues/333299" diff --git a/data/removals/15_0/15-0-sast-dotnet-21.yml b/data/removals/15_0/15-0-sast-dotnet-21.yml new file mode 100644 index 00000000000..28f13949154 --- /dev/null +++ b/data/removals/15_0/15-0-sast-dotnet-21.yml 
@@ -0,0 +1,33 @@ +- name: "SAST support for .NET 2.1" + announcement_milestone: "14.8" + announcement_date: "2022-02-22" + removal_milestone: "15.0" + removal_date: "2022-05-22" + breaking_change: false + reporter: connorgilbert + stage: Secure + issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352553 + body: | # (required) Do not modify this line, instead modify the lines below. + The [GitLab SAST Security Code Scan analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan) scans .NET code for security vulnerabilities. + For technical reasons, the analyzer must first build the code to scan it. + + In GitLab versions prior to 15.0, the default analyzer image (version 2) included support for: + + - .NET 2.1 + - .NET Core 3.1 + - .NET 5.0 + + In GitLab 15.0, we've changed the default major version for this analyzer from version 2 to version 3. This change: + + - Adds [severity values for vulnerabilities](https://gitlab.com/gitlab-org/gitlab/-/issues/350408) along with [other new features and improvements](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan/-/blob/master/CHANGELOG.md). + - Removes .NET 2.1 support. + - Adds support for .NET 6.0, Visual Studio 2019, and Visual Studio 2022. + + Version 3 was [announced in GitLab 14.6](https://about.gitlab.com/releases/2021/12/22/gitlab-14-6-released/#sast-support-for-net-6) and made available as an optional upgrade. + + If you rely on .NET 2.1 support being present in the analyzer image by default, you must take action as detailed in the [deprecation issue for this change](https://gitlab.com/gitlab-org/gitlab/-/issues/352553#breaking-change). +# The following items are not published on the docs page, but may be used in the future. 
+ tiers: [Free, Silver, Gold, Core, Premium, Ultimate] + documentation_url: https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks # (optional) This is a link to the current documentation page + image_url: # (optional) This is a link to a thumbnail image depicting the feature + video_url: # (optional) Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg diff --git a/data/removals/15_0/removal-manage-premium-required-pipelines.yml b/data/removals/15_0/removal-manage-premium-required-pipelines.yml new file mode 100644 index 00000000000..1e91fe1d3fc --- /dev/null +++ b/data/removals/15_0/removal-manage-premium-required-pipelines.yml 
@@ -0,0 +1,18 @@ +- name: "Required pipeline configurations in Premium tier" + announcement_milestone: "14.8" + announcement_date: "2021-02-22" + removal_milestone: "15.0" + removal_date: "2022-05-22" + breaking_change: true + reporter: stkerr + body: | + [Required pipeline configuration](https://docs.gitlab.com/ee/user/admin_area/settings/continuous_integration.html#required-pipeline-configuration) helps to define and mandate organization-wide pipeline configurations and is a requirement at an executive and organizational level. To align better with our [pricing philosophy](https://about.gitlab.com/company/pricing/#three-tiers), this feature is removed from the Premium tier in GitLab 15.0. This feature continues to be available in the GitLab Ultimate tier. + + We recommend customers use [Compliance Pipelines](https://docs.gitlab.com/ee/user/project/settings/index.html#compliance-pipeline-configuration), also in GitLab Ultimate, as an alternative as it provides greater flexibility, allowing required pipelines to be assigned to specific compliance framework labels. + + This change also helps GitLab remain consistent in our tiering strategy with the other related Ultimate-tier features: + + - [Security policies](https://docs.gitlab.com/ee/user/application_security/policies/). + - [Compliance framework pipelines](https://docs.gitlab.com/ee/user/project/settings/index.html#compliance-pipeline-configuration). + + stage: "Manage" diff --git a/data/removals/15_0/removal_manage_optional_pat_expiration.yml b/data/removals/15_0/removal_manage_optional_pat_expiration.yml new file mode 100644 index 00000000000..21c5b99d1a8 --- /dev/null +++ b/data/removals/15_0/removal_manage_optional_pat_expiration.yml 
@@ -0,0 +1,13 @@ +- name: "Optional enforcement of personal access token expiration" + announcement_milestone: "14.8" + announcement_date: "2022-02-22" + removal_milestone: "15.0" + removal_date: "2022-05-22" + breaking_change: true + reporter: stkerr + body: | + Allowing expired personal access tokens to be used is unusual from a security perspective and could create unusual situations where an + expired key is unintentionally able to be used. Unexpected behavior in a security feature is inherently dangerous and so we now do not let expired personal access tokens be used. + + issue_url: "https://gitlab.com/gitlab-org/gitlab/-/issues/351962" + documentation_url: "https://docs.gitlab.com/ee/user/admin_area/settings/account_and_limit_settings.html#allow-expired-access-tokens-to-be-used-removed" diff --git a/data/removals/15_0/removal_manage_ssh_expiration.yml b/data/removals/15_0/removal_manage_ssh_expiration.yml new file mode 100644 index 00000000000..accd1d49f6f --- /dev/null +++ b/data/removals/15_0/removal_manage_ssh_expiration.yml @@ -0,0 +1,13 @@ +- name: "Optional enforcement of SSH expiration" + announcement_milestone: "14.8" + announcement_date: "2022-02-22" + removal_milestone: "15.0" + removal_date: "2022-05-22" + breaking_change: true + reporter: stkerr + body: | + Disabling SSH expiration enforcement is unusual from a security perspective and could create unusual situations where an expired + key is unintentionally able to be used. Unexpected behavior in a security feature is inherently dangerous and so now we enforce + expiration on all SSH keys. + issue_url: "https://gitlab.com/gitlab-org/gitlab/-/issues/351963" + documentation_url: "https://docs.gitlab.com/ee/user/admin_area/settings/account_and_limit_settings.html#allow-expired-ssh-keys-to-be-used-deprecated" 
diff --git a/data/removals/15_0/removal_manage_status_check_passed_status.yml b/data/removals/15_0/removal_manage_status_check_passed_status.yml new file mode 100644 index 00000000000..598cba369cb --- /dev/null +++ b/data/removals/15_0/removal_manage_status_check_passed_status.yml @@ -0,0 +1,25 @@ +- name: "External status check API breaking changes" + announcement_milestone: "14.8" + announcement_date: "2022-02-22" + removal_milestone: "15.0" + removal_date: "2022-05-22" + breaking_change: true + reporter: stkerr + body: | + The [external status check API](https://docs.gitlab.com/ee/api/status_checks.html) was originally implemented to + support pass-by-default requests to mark a status check as passing. Pass-by-default requests are now removed. + Specifically, the following are removed: + + - Requests that do not contain the `status` field. + - Requests that have the `status` field set to `approved`. + + From GitLab 15.0, status checks are only set to a passing state if the `status` field is both present + and set to `passed`. Requests that: + + - Do not contain the `status` field will be rejected with a `400` error. For more information, see [the relevant issue](https://gitlab.com/gitlab-org/gitlab/-/issues/338827). + - Contain any value other than `passed`, such as `approved`, cause the status check to fail. For more information, see [the relevant issue](https://gitlab.com/gitlab-org/gitlab/-/issues/339039). + + To align with this change, API calls to list external status checks also return the value of `passed` rather than + `approved` for status checks that have passed. + stage: "Manage" + issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/339039 |
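Review bot: In data/deprecations/15-0-ci-cd-settings-update-mutation-renamed.yml, the `body` tells users to move scripts to `ProjectCiCdSettingsUpdate` but does not say whether the mutation's arguments and returned fields are unchanged. If this is a pure rename, say so in one sentence so that script owners know a find-and-replace is enough. The trailing `image_url:` and `video_url:` keys are empty and could be dropped.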
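Review bot: `breaking_change: false` in 15-0-Legacy-approval-status-names-from-License-Compliance-API.yml does not match its `body`, which says the `approved` and `blacklisted` query parameters are gone and that custom tools may need adjusting. Either set `breaking_change: true` or explain in the body why existing callers keep working. The body also mixes "We have now removed" with "In 15.0 the responses will also stop using"; use one tense for an entry under data/removals.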
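Review bot: The `body` of 15-0-bundler-audit.yml is still worded as an announcement ("We are removing bundler-audit ... on May 22, 2022", "After this removal") although the file sits under data/removals/15_0. The retire.js entry in the same patch uses "We have removed support for retire.js ... as of May 22, 2022"; matching that wording here would keep the two Dependency Scanning entries consistent.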
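Review bot: In 15-0-ds-default-analyzers.yml the `body` says the variable's "value will be ignored" but not what a pipeline that still sets `DS_DEFAULT_ANALYZERS` will now run. Since the old variable selected analyzers and the replacement `DS_EXCLUDED_ANALYZERS` excludes them, spell out that the meaning is inverted and that leftover settings have no effect, so users do not assume their previous restriction still applies. The text is also in future tense for a removals entry.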
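Review bot: `breaking_change: false` in 15-0-sast-dotnet-21.yml conflicts with the `body`, which lists "Removes .NET 2.1 support", says "you must take action", and links to an issue anchor named `#breaking-change`. Set the flag to `true` or reword the body. Separately, `tiers` mixes the names `Silver, Gold` and `Core` with `Free, Premium, Ultimate`, and `stage: Secure` is capitalised while the other entries in this patch use `secure`.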
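Review bot: `announcement_date: "2021-02-22"` in removal-manage-premium-required-pipelines.yml looks like a year typo: every other entry in this patch with `announcement_milestone: "14.8"` uses "2022-02-22". This entry also has no `issue_url`, unlike the other removals added here, so readers have nowhere to follow up on the tier change.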
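Review bot: The `body` of removal_manage_optional_pat_expiration.yml talks about "an expired key" although the entry is about personal access tokens; this reads as copied from the SSH entry and should say "token". The entry also omits `stage`, which the other `stkerr` entries in this patch set to "Manage". The body would be more useful to administrators if it stated that there is no longer a setting to allow expired tokens, which is what the `documentation_url` anchor implies.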
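Review bot: The `documentation_url` in removal_manage_ssh_expiration.yml ends in `#allow-expired-ssh-keys-to-be-used-deprecated`, while the matching personal access token entry points at an anchor ending in `-removed`. For a removals entry, confirm the anchor still resolves after the docs heading is updated for 15.0. `stage` is missing here as well.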