Add latest changes from gitlab-org/gitlab@13-9-stable-eev13.9.0-rc42

30 files changed, 192 insertions, 74 deletions

diff --git a/scripts/api/get_job_id.rb b/scripts/api/get_job_id.rb
index c7fe859db91..dd0b7fbada0 100755
--- a/scripts/api/get_job_id.rb
+++ b/scripts/api/get_job_id.rb
@@ -16,8 +16,8 @@ class JobFinder
 
   def initialize(options)
     @project = options.delete(:project)
-    @pipeline_query = options.delete(:pipeline_query)
-    @job_query = options.delete(:job_query)
+    @pipeline_query = options.delete(:pipeline_query) || DEFAULT_OPTIONS[:pipeline_query]
+    @job_query = options.delete(:job_query) || DEFAULT_OPTIONS[:job_query]
     @pipeline_id = options.delete(:pipeline_id)
     @job_name = options.delete(:job_name)
     @artifact_path = options.delete(:artifact_path)
diff --git a/scripts/flaky_examples/detect-new-flaky-examples b/scripts/flaky_examples/detect-new-flaky-examples
index 3bee4f9a34b..4805c5054a5 100755
--- a/scripts/flaky_examples/detect-new-flaky-examples
+++ b/scripts/flaky_examples/detect-new-flaky-examples
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'json'
 
diff --git a/scripts/flaky_examples/prune-old-flaky-examples b/scripts/flaky_examples/prune-old-flaky-examples
index 4df49c6d8fa..8c09c4cc860 100755
--- a/scripts/flaky_examples/prune-old-flaky-examples
+++ b/scripts/flaky_examples/prune-old-flaky-examples
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 # lib/rspec_flaky/flaky_examples_collection.rb is requiring
 # `active_support/hash_with_indifferent_access`, and we install the `activesupport`
diff --git a/scripts/frontend/extract_gettext_all.js b/scripts/frontend/extract_gettext_all.js
index c34c9a0233d..67163a601bc 100644
--- a/scripts/frontend/extract_gettext_all.js
+++ b/scripts/frontend/extract_gettext_all.js
@@ -36,7 +36,9 @@ const jsParser = extractor.createJsParser([
   }),
 ]);
 
-const vueParser = decorateJSParserWithVueSupport(jsParser);
+const vueParser = decorateJSParserWithVueSupport(jsParser, {
+  vue2TemplateCompiler: require('vue-template-compiler'),
+});
 
 function printJson() {
   const messages = extractor.getMessages().reduce((result, message) => {
diff --git a/scripts/gather-test-memory-data b/scripts/gather-test-memory-data
index 9992a83e6a6..3156365ac19 100755
--- a/scripts/gather-test-memory-data
+++ b/scripts/gather-test-memory-data
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'csv'
 
diff --git a/scripts/generate-gems-memory-metrics-static b/scripts/generate-gems-memory-metrics-static
index aa7ce3615bf..42191f078f1 100755
--- a/scripts/generate-gems-memory-metrics-static
+++ b/scripts/generate-gems-memory-metrics-static
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 abort "usage: #{__FILE__} <memory_bundle_objects_file_name>" unless ARGV.length == 1
 memory_bundle_objects_file_name = ARGV.first
diff --git a/scripts/generate-gems-size-metrics-static b/scripts/generate-gems-size-metrics-static
index ceec8aaccf1..2406e720916 100755
--- a/scripts/generate-gems-size-metrics-static
+++ b/scripts/generate-gems-size-metrics-static
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 abort "usage: #{__FILE__} <memory_bundle_mem_file_name>" unless ARGV.length == 1
 memory_bundle_mem_file_name = ARGV.first
diff --git a/scripts/generate-memory-metrics-on-boot b/scripts/generate-memory-metrics-on-boot
index 5197a8fcdcd..945661aa057 100755
--- a/scripts/generate-memory-metrics-on-boot
+++ b/scripts/generate-memory-metrics-on-boot
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 abort "usage: #{__FILE__} <memory_bundle_mem_file_name>" unless ARGV.length == 1
 memory_bundle_mem_file_name = ARGV.first
diff --git a/scripts/generate-test-mapping b/scripts/generate-test-mapping
index eabe6a5b513..c4d0dfea4d8 100755
--- a/scripts/generate-test-mapping
+++ b/scripts/generate-test-mapping
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'json'
 require_relative '../tooling/lib/tooling/test_map_generator'
diff --git a/scripts/gitaly-test-build b/scripts/gitaly-test-build
index 62d3dbda911..bb561e2906a 100755
--- a/scripts/gitaly-test-build
+++ b/scripts/gitaly-test-build
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'fileutils'
 
diff --git a/scripts/gitaly-test-spawn b/scripts/gitaly-test-spawn
index caa41a9a0c3..8547d0b13e4 100755
--- a/scripts/gitaly-test-spawn
+++ b/scripts/gitaly-test-spawn
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 # This script is used both in CI and in local development 'rspec' runs.
 
diff --git a/scripts/gitaly_test.rb b/scripts/gitaly_test.rb
index c7b3f72d590..2262870eb96 100644
--- a/scripts/gitaly_test.rb
+++ b/scripts/gitaly_test.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # This file contains environment settings for gitaly when it's running
 # as part of the gitlab-ce/ee test suite.
 #
@@ -52,7 +54,7 @@ module GitalyTest
 
     if ENV['CI']
       bundle_path = File.expand_path('../vendor/gitaly-ruby', __dir__)
-      env_hash['BUNDLE_FLAGS'] << " --path=#{bundle_path}"
+      env_hash['BUNDLE_FLAGS'] += " --path=#{bundle_path}"
     end
 
     env_hash
diff --git a/scripts/insert-rspec-profiling-data b/scripts/insert-rspec-profiling-data
index 3af5fe763a2..b2011858558 100755
--- a/scripts/insert-rspec-profiling-data
+++ b/scripts/insert-rspec-profiling-data
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'csv'
 require 'rspec_profiling'
diff --git a/scripts/lint-doc.sh b/scripts/lint-doc.sh
index 23e7cb6c455..17c8cdaabec 100755
--- a/scripts/lint-doc.sh
+++ b/scripts/lint-doc.sh
@@ -18,6 +18,18 @@ then
   ((ERRORCODE++))
 fi
 
+# Documentation pages need front matter for tracking purposes.
+echo '=> Checking documentation for front matter...'
+echo
+no_frontmatter=$(find doc -name "*.md" -exec head -n1 {} \; | grep -v  --count -- ---)
+if [ $no_frontmatter -ne 0 ]
+then
+  echo '✖ ERROR: These documentation pages need front matter. See https://docs.gitlab.com/ee/development/documentation/index.html#stage-and-group-metadata for how to add it.' >&2
+  find doc -name "*.md" -exec sh -c 'if (head -n 1 "{}" | grep -v -- --- >/dev/null); then echo "{}"; fi' \; 2>&1
+  echo
+  ((ERRORCODE++))
+fi
+
 # Test for non-standard spaces (NBSP, NNBSP) in documentation.
 echo '=> Checking for non-standard spaces...'
 echo
@@ -57,7 +69,7 @@ fi
 
 # Do not use 'README.md', instead use 'index.md'
 # Number of 'README.md's as of 2020-10-13
-NUMBER_READMES=36
+NUMBER_READMES=28
 FIND_READMES=$(find doc/ -name "README.md" | wc -l)
 echo '=> Checking for new README.md files...'
 echo
@@ -80,12 +92,12 @@ then
   echo "Merge request pipeline (detached) detected. Testing all files."
 else
   MERGE_BASE=$(git merge-base ${CI_MERGE_REQUEST_TARGET_BRANCH_SHA} ${CI_MERGE_REQUEST_SOURCE_BRANCH_SHA})
-  if git diff --name-only "${MERGE_BASE}..${CI_MERGE_REQUEST_SOURCE_BRANCH_SHA}" | grep -E "\.vale|\.markdownlint|lint-doc\.sh"
+  if git diff --diff-filter=d --name-only "${MERGE_BASE}..${CI_MERGE_REQUEST_SOURCE_BRANCH_SHA}" | grep -E "\.vale|\.markdownlint|lint-doc\.sh"
   then
     MD_DOC_PATH=${MD_DOC_PATH:-doc}
     echo "Vale, Markdownlint, or lint-doc.sh configuration changed. Testing all files."
   else
-    MD_DOC_PATH=$(git diff --name-only "${MERGE_BASE}..${CI_MERGE_REQUEST_SOURCE_BRANCH_SHA}" 'doc/*.md')
+    MD_DOC_PATH=$(git diff --diff-filter=d --name-only "${MERGE_BASE}..${CI_MERGE_REQUEST_SOURCE_BRANCH_SHA}" -- 'doc/*.md')
     if [ -n "${MD_DOC_PATH}" ]
     then
       echo -e "Merged results pipeline detected. Testing only the following files:\n${MD_DOC_PATH}"
diff --git a/scripts/lint-rugged b/scripts/lint-rugged
index d7af5499e1c..038fd5199c2 100755
--- a/scripts/lint-rugged
+++ b/scripts/lint-rugged
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 ALLOWED = [
   # https://gitlab.com/gitlab-org/gitaly/issues/760
diff --git a/scripts/merge-html-reports b/scripts/merge-html-reports
index 7d1e15186c8..de300851990 100755
--- a/scripts/merge-html-reports
+++ b/scripts/merge-html-reports
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'nokogiri'
 
diff --git a/scripts/merge-reports b/scripts/merge-reports
index 3a421f1f1fc..a1164495f2f 100755
--- a/scripts/merge-reports
+++ b/scripts/merge-reports
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'json'
 
diff --git a/scripts/merge-simplecov b/scripts/merge-simplecov
index c00dae81c4d..38dd2dfe2e9 100755
--- a/scripts/merge-simplecov
+++ b/scripts/merge-simplecov
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require_relative '../spec/simplecov_env'
 SimpleCovEnv.configure_profile
diff --git a/scripts/no-ee-check b/scripts/no-ee-check
index 29d319dc822..a878a4424e9 100755
--- a/scripts/no-ee-check
+++ b/scripts/no-ee-check
@@ -1,4 +1,6 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
+
 ee_path = File.join(File.expand_path(__dir__), '../ee')
 
 if Dir.exist?(ee_path)
diff --git a/scripts/pack-test-mapping b/scripts/pack-test-mapping
index 58ace3eca67..b5148cd1882 100755
--- a/scripts/pack-test-mapping
+++ b/scripts/pack-test-mapping
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'json'
 require_relative '../tooling/lib/tooling/test_map_packer'
diff --git a/scripts/prepare_build.sh b/scripts/prepare_build.sh
index e95f20bc26c..cd41aa0ff14 100644
--- a/scripts/prepare_build.sh
+++ b/scripts/prepare_build.sh
@@ -6,7 +6,8 @@ export BUNDLE_INSTALL_FLAGS=${BUNDLE_INSTALL_FLAGS:-"--without=production develo
 
 if [ "$USE_BUNDLE_INSTALL" != "false" ]; then
   bundle --version
-  run_timed_command "bundle install --clean ${BUNDLE_INSTALL_FLAGS}"
+  bundle config set clean 'true'
+  run_timed_command "bundle install ${BUNDLE_INSTALL_FLAGS}"
   run_timed_command "bundle check"
   # When we test multiple versions of PG in the same pipeline, we have a single `setup-test-env`
   # job but the `pg` gem needs to be rebuilt since it includes extensions (https://guides.rubygems.org/gems-with-extensions).
diff --git a/scripts/review_apps/automated_cleanup.rb b/scripts/review_apps/automated_cleanup.rb
index bef5b7ad5ee..0927481070b 100755
--- a/scripts/review_apps/automated_cleanup.rb
+++ b/scripts/review_apps/automated_cleanup.rb
@@ -22,7 +22,8 @@ class AutomatedCleanup
     %w[gitlab gitlab-ee].include?(ENV['CI_PROJECT_NAME'])
   end
 
-  def initialize(project_path: ENV['CI_PROJECT_PATH'], gitlab_token: ENV['GITLAB_BOT_REVIEW_APPS_CLEANUP_TOKEN'])
+  # $GITLAB_PROJECT_REVIEW_APP_CLEANUP_API_TOKEN => `Automated Review App Cleanup` project token
+  def initialize(project_path: ENV['CI_PROJECT_PATH'], gitlab_token: ENV['GITLAB_PROJECT_REVIEW_APP_CLEANUP_API_TOKEN'])
     @project_path = project_path
     @gitlab_token = gitlab_token
   end
diff --git a/scripts/security-harness b/scripts/security-harness
index b9492e16066..0c1ade06587 100755
--- a/scripts/security-harness
+++ b/scripts/security-harness
@@ -17,6 +17,7 @@ else
   SHELL_CLEAR  = "\e[0m"
 end
 
+LEFTHOOK_GLOBAL_CONFIG_PATH = File.expand_path("../lefthook.yml", __dir__)
 HOOK_PATH = File.expand_path("../.git/hooks/pre-push", __dir__)
 HOOK_DATA = <<~HOOK
   #!/usr/bin/env bash
@@ -24,42 +25,65 @@ HOOK_DATA = <<~HOOK
   set -e
 
   url="$2"
-  harness=`dirname "$0"`/../security_harness
 
-  if [ -e "$harness" ]
+  if [[ "$url" != *"gitlab-org/security/"* ]]
   then
-    if [[ "$url" != *"gitlab-org/security/"* ]]
-    then
-      echo "Pushing to remotes other than gitlab.com/gitlab-org/security has been disabled!"
-      echo "Run scripts/security-harness to disable this check."
-      echo
-
-      exit 1
-    fi
+    echo "Pushing to remotes other than gitlab.com/gitlab-org/security has been disabled!"
+    echo "Run scripts/security-harness to disable this check."
+    echo
+
+    exit 1
   fi
 HOOK
 
+def hook_exist?
+  File.exist?(HOOK_PATH)
+end
+
+def lefthook_hook_in_place?
+  hook_exist? && File.foreach(HOOK_PATH).grep(/lefthook/i).any?
+end
+
+def lefthook_available?
+  system('bundle exec lefthook run prepare-commit-msg &>/dev/null') # rubocop:disable GitlabSecurity/SystemCommandInjection
+end
+
+def uninstall_lefthook
+  return unless lefthook_available?
+
+  system('bundle exec lefthook uninstall') # rubocop:disable GitlabSecurity/SystemCommandInjection
+  # `bundle exec lefthook uninstall` removes the `lefthook.yml` file so we checkout it again
+  system("git checkout -- #{LEFTHOOK_GLOBAL_CONFIG_PATH}") # rubocop:disable GitlabSecurity/SystemCommandInjection
+  puts "#{SHELL_YELLOW}Lefthook was uninstalled to let the security harness work properly.#{SHELL_CLEAR}"
+end
+
+def install_lefthook
+  return unless lefthook_available?
+
+  system('bundle exec lefthook install') # rubocop:disable GitlabSecurity/SystemCommandInjection
+  puts "#{SHELL_GREEN}Lefthook was re-installed.#{SHELL_CLEAR}"
+end
+
 def write_hook
   FileUtils.mkdir_p(File.dirname(HOOK_PATH))
   File.open(HOOK_PATH, 'w') do |file|
     file.write(HOOK_DATA)
   end
   File.chmod(0755, HOOK_PATH)
+  puts "#{SHELL_GREEN}Security harness installed -- you will only be able to push to gitlab.com/gitlab-org/security!#{SHELL_CLEAR}"
 end
 
-# Toggle the harness on or off
-def toggle
-  harness_path = File.expand_path('../.git/security_harness', __dir__)
-
-  if File.exist?(harness_path)
-    FileUtils.rm(harness_path)
+def delete_hook
+  FileUtils.rm(HOOK_PATH)
+  puts "#{SHELL_YELLOW}Security harness removed -- you can now push to all remotes.#{SHELL_CLEAR}"
+end
 
-    puts "#{SHELL_YELLOW}Security harness removed -- you can now push to all remotes.#{SHELL_CLEAR}"
-  else
-    FileUtils.touch(harness_path)
+def hook_file_sum
+  Digest::SHA256.file(HOOK_PATH).hexdigest
+end
 
-    puts "#{SHELL_GREEN}Security harness installed -- you will only be able to push to gitlab.com/gitlab-org/security!#{SHELL_CLEAR}"
-  end
+def hook_data_sum
+  Digest::SHA256.hexdigest(HOOK_DATA)
 end
 
 # If we were to change the script and then check for a pre-existing hook before
@@ -67,33 +91,39 @@ end
 # the old hook. Checking previous version hashes allows us to safely overwrite a
 # script that differs from the current version, as long as it's an old one and
 # not custom.
-def previous_version?(dest_sum)
-  # SHA256 hashes of previous iterations of the script contained in `DATA`
+def upgrade_available?
+  # SHA256 hashes of previous iterations of the script contained in `HOOK_DATA`
   %w[
     010bf0363a911ebab2bd5728d80795ed02388da51815f0b2530d08ae8ac574f0
-  ].include?(dest_sum)
+    d9866fc672f373d631eed9cd8dc9c920fa3d36ff26d956fb96a4082a0931b371
+  ].include?(hook_file_sum)
 end
 
-if !File.exist?(HOOK_PATH)
-  write_hook
-  toggle
-else
-  # Deal with a pre-existing hook
-  source_sum = Digest::SHA256.hexdigest(HOOK_DATA)
-  dest_sum   = Digest::SHA256.file(HOOK_PATH).hexdigest
+def current_version?
+  hook_data_sum == hook_file_sum
+end
 
-  if previous_version?(dest_sum)
+# Uninstall Lefthook if it's in place
+uninstall_lefthook if lefthook_hook_in_place?
+
+if hook_exist?
+  # Deal with a pre-existing hook
+  if upgrade_available?
     # Upgrading from a previous version, update in-place
     write_hook
-    toggle
-  elsif source_sum != dest_sum
+  elsif current_version?
+    # Delete the hook if we're already using the current version
+    delete_hook
+
+    # Re-install Lefthook pre-push hook
+    install_lefthook
+  else
     # Pre-existing hook we didn't create; do nothing
     puts "#{SHELL_RED}#{HOOK_PATH} exists and is different from our hook!"
     puts "Remove it and re-run this script to continue.#{SHELL_CLEAR}"
 
     exit 1
-  else
-    # No hook update needed, just toggle
-    toggle
   end
+else
+  write_hook
 end
diff --git a/scripts/static-analysis b/scripts/static-analysis
index 9103a9c14af..febfdbd1da4 100755
--- a/scripts/static-analysis
+++ b/scripts/static-analysis
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 # We don't have auto-loading here
 require_relative '../lib/gitlab'
diff --git a/scripts/sync-reports b/scripts/sync-reports
index 5ed65e78005..73afd276e6c 100755
--- a/scripts/sync-reports
+++ b/scripts/sync-reports
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'rubygems'
 require 'fog/aws'
diff --git a/scripts/trigger-build b/scripts/trigger-build
index ab6dcc63e11..29d53609026 100755
--- a/scripts/trigger-build
+++ b/scripts/trigger-build
@@ -3,13 +3,6 @@
 
 require 'gitlab'
 
-#
-# Configure credentials to be used with gitlab gem
-#
-Gitlab.configure do |config|
-  config.endpoint = 'https://gitlab.com/api/v4'
-end
-
 module Trigger
   def self.ee?
     # Support former project name for `dev`
@@ -34,18 +27,13 @@ module Trigger
       ENV['GITLAB_BOT_MULTI_PROJECT_PIPELINE_POLLING_TOKEN']
     end
 
-    def initialize
-      # gitlab-bot's token "GitLab multi-project pipeline polling"
-      Gitlab.private_token = self.class.access_token
-    end
-
     def invoke!(post_comment: false, downstream_job_name: nil)
       pipeline_variables = variables
 
       puts "Triggering downstream pipeline on #{downstream_project_path}"
       puts "with variables #{pipeline_variables}"
 
-      pipeline = Gitlab.run_trigger(
+      pipeline = gitlab_client(:downstream).run_trigger(
         downstream_project_path,
         trigger_token,
         ref,
@@ -54,23 +42,34 @@ module Trigger
       puts "Triggered downstream pipeline: #{pipeline.web_url}\n"
       puts "Waiting for downstream pipeline status"
 
-      Trigger::CommitComment.post!(pipeline) if post_comment
+      Trigger::CommitComment.post!(pipeline, gitlab_client(:upstream)) if post_comment
       downstream_job =
         if downstream_job_name
-          Gitlab.pipeline_jobs(downstream_project_path, pipeline.id).auto_paginate.find do |potential_job|
+          gitlab_client(:downstream).pipeline_jobs(downstream_project_path, pipeline.id).auto_paginate.find do |potential_job|
             potential_job.name == downstream_job_name
           end
         end
 
       if downstream_job
-        Trigger::Job.new(downstream_project_path, downstream_job.id)
+        Trigger::Job.new(downstream_project_path, downstream_job.id, gitlab_client(:downstream))
       else
-        Trigger::Pipeline.new(downstream_project_path, pipeline.id)
+        Trigger::Pipeline.new(downstream_project_path, pipeline.id, gitlab_client(:downstream))
       end
     end
 
     private
 
+    # Override to trigger and work with pipeline on different GitLab instance
+    # type: :downstream -> downstream build and pipeline status
+    # type: :upstream -> this project, e.g. for posting comments
+    def gitlab_client(type)
+      # By default, always use the same client
+      @gitlab_client ||= Gitlab.client(
+        endpoint: 'https://gitlab.com/api/v4',
+        private_token: self.class.access_token
+      )
+    end
+
     # Must be overridden
     def downstream_project_path
       raise NotImplementedError
@@ -201,7 +200,7 @@ module Trigger
 
   class Docs < Base
     def self.access_token
-      ENV['DOCS_API_TOKEN']
+      ENV['DOCS_PROJECT_API_TOKEN']
     end
 
     SUCCESS_MESSAGE = <<~MSG
@@ -232,7 +231,7 @@ module Trigger
     # Remove a remote branch in gitlab-docs.
     #
     def cleanup!
-      Gitlab.delete_branch(downstream_project_path, ref)
+      gitlab_client(:downstream).delete_branch(downstream_project_path, ref)
       puts "=> Remote branch '#{downstream_project_path}' deleted"
     end
 
@@ -276,7 +275,7 @@ module Trigger
     end
 
     def create_remote_branch!
-      Gitlab.create_branch(downstream_project_path, ref, 'master')
+      gitlab_client(:downstream).create_branch(downstream_project_path, ref, 'master')
       puts "=> Remote branch '#{ref}' created"
     rescue Gitlab::Error::BadRequest
       puts "=> Remote branch '#{ref}' already exists!"
@@ -289,7 +288,7 @@ module Trigger
       loop do
         sleep 1
         puts "=> Waiting for pipeline to start..."
-        pipelines = Gitlab.pipelines(downstream_project_path, { ref: ref })
+        pipelines = gitlab_client(:downstream).pipelines(downstream_project_path, { ref: ref })
         break if pipelines.any?
       end
 
@@ -297,7 +296,7 @@ module Trigger
       pipeline_id = pipelines.first.id
 
       # Cancel the pipeline
-      Gitlab.cancel_pipeline(downstream_project_path, pipeline_id)
+      gitlab_client(:downstream).cancel_pipeline(downstream_project_path, pipeline_id)
     end
 
     def display_success_message
@@ -305,9 +304,53 @@ module Trigger
     end
   end
 
+  class DatabaseTesting < Base
+    def self.access_token
+      ENV['GITLABCOM_DATABASE_TESTING_ACCESS_TOKEN']
+    end
+
+    private
+
+    def gitlab_client(type)
+      @gitlab_clients ||= {
+        downstream: Gitlab.client(
+          endpoint: 'https://ops.gitlab.net/api/v4',
+          private_token: self.class.access_token
+        ),
+        upstream: Gitlab.client(
+          endpoint: 'https://gitlab.com/api/v4',
+          private_token: Base.access_token
+        )
+      }
+
+      @gitlab_clients[type]
+    end
+
+    def trigger_token
+      ENV['GITLABCOM_DATABASE_TESTING_TRIGGER_TOKEN']
+    end
+
+    def downstream_project_path
+      ENV['GITLABCOM_DATABASE_TESTING_PROJECT_PATH'] || 'gitlab-com/database-team/gitlab-com-database-testing'
+    end
+
+    def extra_variables
+      {
+        # Use CI_MERGE_REQUEST_SOURCE_BRANCH_SHA for omnibus checkouts due to pipeline for merged results
+        # and fallback to CI_COMMIT_SHA for the `detached` pipelines.
+        'GITLAB_COMMIT_SHA' => Trigger.non_empty_variable_value('CI_MERGE_REQUEST_SOURCE_BRANCH_SHA') || ENV['CI_COMMIT_SHA'],
+        'TRIGGERED_USER_LOGIN' => ENV['GITLAB_USER_LOGIN']
+      }
+    end
+
+    def ref
+      ENV['GITLABCOM_DATABASE_TESTING_TRIGGER_REF'] || 'master'
+    end
+  end
+
   class CommitComment
-    def self.post!(downstream_pipeline)
-      Gitlab.create_commit_comment(
+    def self.post!(downstream_pipeline, gitlab_client)
+      gitlab_client.create_commit_comment(
         ENV['CI_PROJECT_PATH'],
         Trigger.non_empty_variable_value('CI_MERGE_REQUEST_SOURCE_BRANCH_SHA') || ENV['CI_COMMIT_SHA'],
         "The [`#{ENV['CI_JOB_NAME']}`](#{ENV['CI_JOB_URL']}) job from pipeline #{ENV['CI_PIPELINE_URL']} triggered #{downstream_pipeline.web_url} downstream.")
@@ -329,9 +372,10 @@ module Trigger
       unscoped_class_name.downcase
     end
 
-    def initialize(project, id)
+    def initialize(project, id, gitlab_client)
       @project = project
       @id = id
+      @gitlab_client = gitlab_client
       @start_time = Time.now.to_i
     end
 
@@ -359,7 +403,7 @@ module Trigger
     end
 
     def status
-      Gitlab.public_send(self.class.gitlab_api_method_name, project, id).status.to_sym # rubocop:disable GitlabSecurity/PublicSend
+      gitlab_client.public_send(self.class.gitlab_api_method_name, project, id).status.to_sym # rubocop:disable GitlabSecurity/PublicSend
     rescue Gitlab::Error::Error => error
       puts "Ignoring the following error: #{error}"
       # Ignore GitLab API hiccups. If GitLab is really down, we'll hit the job
@@ -369,7 +413,7 @@ module Trigger
 
     private
 
-    attr_reader :project, :id, :start_time
+    attr_reader :project, :id, :gitlab_client, :start_time
   end
 
   Job = Class.new(Pipeline)
@@ -380,6 +424,8 @@ when 'omnibus'
   Trigger::Omnibus.new.invoke!(post_comment: true, downstream_job_name: 'Trigger:qa-test').wait!
 when 'cng'
   Trigger::CNG.new.invoke!.wait!
+when 'gitlab-com-database-testing'
+  Trigger::DatabaseTesting.new.invoke!
 when 'docs'
   docs_trigger = Trigger::Docs.new
 
@@ -395,5 +441,6 @@ when 'docs'
 else
   puts "Please provide a valid option:
   omnibus - Triggers a pipeline that builds the omnibus-gitlab package
-  cng - Triggers a pipeline that builds images used by the GitLab helm chart"
+  cng - Triggers a pipeline that builds images used by the GitLab helm chart
+  gitlab-com-database-testing - Triggers a pipeline that tests database changes on GitLab.com data"
 end
diff --git a/scripts/unpack-test-mapping b/scripts/unpack-test-mapping
index c0f706c3f9f..7176f9cecea 100755
--- a/scripts/unpack-test-mapping
+++ b/scripts/unpack-test-mapping
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'json'
 require_relative '../tooling/lib/tooling/test_map_packer'
diff --git a/scripts/update-feature-categories b/scripts/update-feature-categories
index ed5d8dccdd6..88520b9f95f 100755
--- a/scripts/update-feature-categories
+++ b/scripts/update-feature-categories
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'uri'
 require 'net/http'
diff --git a/scripts/used-feature-flags b/scripts/used-feature-flags
index 7ef3dbafd36..aebd007dda9 100755
--- a/scripts/used-feature-flags
+++ b/scripts/used-feature-flags
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'set'
 
diff --git a/scripts/verify-tff-mapping b/scripts/verify-tff-mapping
index 8bf25ea3b5f..9931e14008a 100755
--- a/scripts/verify-tff-mapping
+++ b/scripts/verify-tff-mapping
@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'set'