Add latest changes from gitlab-org/gitlab@13-7-stable-eev13.7.0-rc42

89 files changed, 3682 insertions, 379 deletions

diff --git a/spec/support/atlassian/jira_connect/schemata.rb b/spec/support/atlassian/jira_connect/schemata.rb
new file mode 100644
index 00000000000..91f8fe0bb41
--- /dev/null
+++ b/spec/support/atlassian/jira_connect/schemata.rb
@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module Atlassian
+  module Schemata
+    def self.build_info
+      {
+        'type' => 'object',
+        'required' => %w(schemaVersion pipelineId buildNumber updateSequenceNumber displayName url state issueKeys testInfo references),
+        'properties' => {
+          'schemaVersion' => { 'type' => 'string', 'pattern' => '1.0' },
+          'pipelineId' => { 'type' => 'string' },
+          'buildNumber' => { 'type' => 'integer' },
+          'updateSequenceNumber' => { 'type' => 'integer' },
+          'displayName' => { 'type' => 'string' },
+          'url' => { 'type' => 'string' },
+          'state' => {
+            'type' => 'string',
+            'pattern' => '(pending|in_progress|successful|failed|cancelled)'
+          },
+          'issueKeys' => {
+            'type' => 'array',
+            'items' => { 'type' => 'string' },
+            'minItems' => 1
+          },
+          'testInfo' => {
+            'type' => 'object',
+            'required' => %w(totalNumber numberPassed numberFailed numberSkipped),
+            'properties' => {
+              'totalNumber' => { 'type' => 'integer' },
+              'numberFailed' => { 'type' => 'integer' },
+              'numberPassed' => { 'type' => 'integer' },
+              'numberSkipped' => { 'type' => 'integer' }
+            }
+          },
+          'references' => {
+            'type' => 'array',
+            'items' => {
+              'type' => 'object',
+              'required' => %w(commit ref),
+              'properties' => {
+                'commit' => {
+                  'type' => 'object',
+                  'required' => %w(id repositoryUri),
+                  'properties' => {
+                    'id' => { 'type' => 'string' },
+                    'repositoryUri' => { 'type' => 'string' }
+                  }
+                },
+                'ref' => {
+                  'type' => 'object',
+                  'required' => %w(name uri),
+                  'properties' => {
+                    'name' => { 'type' => 'string' },
+                    'uri' => { 'type' => 'string' }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    end
+
+    def self.build_info_payload
+      {
+        'type' => 'object',
+        'required' => %w(providerMetadata builds),
+        'properties' => {
+          'providerMetadata' => provider_metadata,
+          'builds' => { 'type' => 'array', 'items' => build_info }
+        }
+      }
+    end
+
+    def self.provider_metadata
+      {
+        'type' => 'object',
+        'required' => %w(product),
+        'properties' => { 'product' => { 'type' => 'string' } }
+      }
+    end
+  end
+end
diff --git a/spec/support/caching.rb b/spec/support/caching.rb
index 883d531550a..11e4f534971 100644
--- a/spec/support/caching.rb
+++ b/spec/support/caching.rb
@@ -25,7 +25,7 @@ RSpec.configure do |config|
     original_null_store = Rails.cache
     caching_config_hash = Gitlab::Redis::Cache.params
     caching_config_hash[:namespace] = Gitlab::Redis::Cache::CACHE_NAMESPACE
-    Rails.cache = ActiveSupport::Cache::RedisCacheStore.new(caching_config_hash)
+    Rails.cache = ActiveSupport::Cache::RedisCacheStore.new(**caching_config_hash)
 
     redis_cache_cleanup!
 
diff --git a/spec/support/gitlab_experiment.rb b/spec/support/gitlab_experiment.rb
new file mode 100644
index 00000000000..1f283e4f06c
--- /dev/null
+++ b/spec/support/gitlab_experiment.rb
@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+# Disable all caching for experiments in tests.
+Gitlab::Experiment::Configuration.cache = nil
diff --git a/spec/support/gitlab_stubs/gitlab_ci_includes.yml b/spec/support/gitlab_stubs/gitlab_ci_includes.yml
new file mode 100644
index 00000000000..e74773ce23e
--- /dev/null
+++ b/spec/support/gitlab_stubs/gitlab_ci_includes.yml
@@ -0,0 +1,19 @@
+rspec 0 1:
+  stage: build
+  script: 'rake spec'
+  needs: []
+
+rspec 0 2:
+  stage: build
+  script: 'rake spec'
+  needs: []
+
+spinach:
+  stage: build
+  script: 'rake spinach'
+  needs: []
+
+docker:
+  stage: test
+  script: 'curl http://dockerhub/URL'
+  needs: [spinach, rspec 0 1]
diff --git a/spec/support/graphql/arguments.rb b/spec/support/graphql/arguments.rb
new file mode 100644
index 00000000000..d8c334c2ca4
--- /dev/null
+++ b/spec/support/graphql/arguments.rb
@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+module Graphql
+  class Arguments
+    delegate :blank?, :empty?, to: :to_h
+
+    def initialize(values)
+      @values = values.compact
+    end
+
+    def to_h
+      @values
+    end
+
+    def ==(other)
+      to_h == other&.to_h
+    end
+
+    alias_method :eql, :==
+
+    def to_s
+      return '' if empty?
+
+      @values.map do |name, value|
+        value_str = as_graphql_literal(value)
+
+        "#{GraphqlHelpers.fieldnamerize(name.to_s)}: #{value_str}"
+      end.join(", ")
+    end
+
+    def as_graphql_literal(value)
+      self.class.as_graphql_literal(value)
+    end
+
+    # Transform values to GraphQL literal arguments.
+    # Use symbol for Enum values
+    def self.as_graphql_literal(value)
+      case value
+      when ::Graphql::Arguments then "{#{value}}"
+      when Array then "[#{value.map { |v| as_graphql_literal(v) }.join(',')}]"
+      when Hash then "{#{new(value)}}"
+      when Integer, Float, Symbol then value.to_s
+      when String then "\"#{value.gsub(/"/, '\\"')}\""
+      when nil then 'null'
+      when true then 'true'
+      when false then 'false'
+      else
+        value.to_graphql_value
+      end
+    rescue NoMethodError
+      raise ArgumentError, "Cannot represent #{value} as GraphQL literal"
+    end
+
+    def merge(other)
+      self.class.new(@values.merge(other.to_h))
+    end
+
+    def +(other)
+      if blank?
+        other
+      elsif other.blank?
+        self
+      elsif other.is_a?(String)
+        [to_s, other].compact.join(', ')
+      else
+        merge(other)
+      end
+    end
+  end
+end
diff --git a/spec/support/graphql/field_inspection.rb b/spec/support/graphql/field_inspection.rb
new file mode 100644
index 00000000000..f39ba751141
--- /dev/null
+++ b/spec/support/graphql/field_inspection.rb
@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Graphql
+  class FieldInspection
+    def initialize(field)
+      @field = field
+    end
+
+    def nested_fields?
+      !scalar? && !enum?
+    end
+
+    def scalar?
+      type.kind.scalar?
+    end
+
+    def enum?
+      type.kind.enum?
+    end
+
+    def type
+      @type ||= begin
+        field_type = @field.type.respond_to?(:to_graphql) ? @field.type.to_graphql : @field.type
+
+        # The type could be nested. For example `[GraphQL::STRING_TYPE]`:
+        # - List
+        # - String!
+        # - String
+        field_type = field_type.of_type while field_type.respond_to?(:of_type)
+
+        field_type
+      end
+    end
+  end
+end
diff --git a/spec/support/graphql/field_selection.rb b/spec/support/graphql/field_selection.rb
new file mode 100644
index 00000000000..e2a3334acac
--- /dev/null
+++ b/spec/support/graphql/field_selection.rb
@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module Graphql
+  class FieldSelection
+    delegate :empty?, :blank?, :to_h, to: :selection
+    delegate :size, to: :paths
+
+    attr_reader :selection
+
+    def initialize(selection = {})
+      @selection = selection.to_h
+    end
+
+    def to_s
+      serialize_field_selection(selection)
+    end
+
+    def paths
+      selection.flat_map do |field, subselection|
+        paths_in([field], subselection)
+      end
+    end
+
+    private
+
+    def paths_in(path, leaves)
+      return [path] if leaves.nil?
+
+      leaves.to_a.flat_map do |k, v|
+        paths_in([k], v).map { |tail| path + tail }
+      end
+    end
+
+    def serialize_field_selection(hash, level = 0)
+      indent = ' ' * level
+
+      hash.map do |field, subselection|
+        if subselection.nil?
+          "#{indent}#{field}"
+        else
+          subfields = serialize_field_selection(subselection, level + 1)
+          "#{indent}#{field} {\n#{subfields}\n#{indent}}"
+        end
+      end.join("\n")
+    end
+
+    NO_SKIP = ->(_name, _field) { false }
+
+    def self.select_fields(type, skip = NO_SKIP, parent_types = Set.new, max_depth = 3)
+      return new if max_depth <= 0
+
+      new(type.fields.flat_map do |name, field|
+        next [] if skip[name, field]
+
+        inspected = ::Graphql::FieldInspection.new(field)
+        singular_field_type = inspected.type
+
+        # If field type is the same as parent type, then we're hitting into
+        # mutual dependency. Break it from infinite recursion
+        next [] if parent_types.include?(singular_field_type)
+
+        if inspected.nested_fields?
+          subselection = select_fields(singular_field_type, skip, parent_types | [type], max_depth - 1)
+          next [] if subselection.empty?
+
+          [[name, subselection.to_h]]
+        else
+          [[name, nil]]
+        end
+      end)
+    end
+  end
+end
diff --git a/spec/support/graphql/var.rb b/spec/support/graphql/var.rb
new file mode 100644
index 00000000000..4f2c774e898
--- /dev/null
+++ b/spec/support/graphql/var.rb
@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module Graphql
+  # Helper to pass variables around generated queries.
+  #
+  # e.g.:
+  #   first = var('Int')
+  #   after = var('String')
+  #
+  #   query = with_signature(
+  #     [first, after],
+  #     query_graphql_path([
+  #       [:project, { full_path: project.full_path }],
+  #       [:issues, { after: after, first: first }]
+  #       :nodes
+  #     ], all_graphql_fields_for('Issue'))
+  #   )
+  #
+  #   post_graphql(query, variables: [first.with(2), after.with(some_cursor)])
+  #
+  class Var
+    attr_reader :name, :type
+    attr_accessor :value
+
+    def initialize(name, type)
+      @name = name
+      @type = type
+    end
+
+    def sig
+      "#{to_graphql_value}: #{type}"
+    end
+
+    def to_graphql_value
+      "$#{name}"
+    end
+
+    # We return a new object so that running the same query twice with
+    # different values does not risk re-using the value
+    #
+    # e.g.
+    #
+    #   x = var('Int')
+    #   expect { post_graphql(query, variables: x) }
+    #     .to issue_same_number_of_queries_as { post_graphql(query, variables: x.with(1)) }
+    #
+    # Here we post the `x` variable once with the value set to 1, and once with
+    # the value set to `nil`.
+    def with(value)
+      copy = Var.new(name, type)
+      copy.value = value
+      copy
+    end
+
+    def to_h
+      { name => value }
+    end
+  end
+end
diff --git a/spec/support/helpers/after_next_helpers.rb b/spec/support/helpers/after_next_helpers.rb
new file mode 100644
index 00000000000..0a7844fdd8f
--- /dev/null
+++ b/spec/support/helpers/after_next_helpers.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require_relative './next_instance_of'
+
+module AfterNextHelpers
+  class DeferredExpectation
+    include ::NextInstanceOf
+    include ::RSpec::Matchers
+    include ::RSpec::Mocks::ExampleMethods
+
+    def initialize(klass, args, level:)
+      @klass = klass
+      @args = args
+      @level = level.to_sym
+    end
+
+    def to(condition)
+      run_condition(condition, asserted: true)
+    end
+
+    def not_to(condition)
+      run_condition(condition, asserted: false)
+    end
+
+    private
+
+    attr_reader :klass, :args, :level
+
+    def run_condition(condition, asserted:)
+      msg = asserted ? :to : :not_to
+      case level
+      when :expect
+        if asserted
+          expect_next_instance_of(klass, *args) { |instance| expect(instance).send(msg, condition) }
+        else
+          allow_next_instance_of(klass, *args) { |instance| expect(instance).send(msg, condition) }
+        end
+      when :allow
+        allow_next_instance_of(klass, *args) { |instance| allow(instance).send(msg, condition) }
+      else
+        raise "Unknown level: #{level}"
+      end
+    end
+  end
+
+  def allow_next(klass, *args)
+    DeferredExpectation.new(klass, args, level: :allow)
+  end
+
+  def expect_next(klass, *args)
+    DeferredExpectation.new(klass, args, level: :expect)
+  end
+end
diff --git a/spec/support/helpers/database_helpers.rb b/spec/support/helpers/database_helpers.rb
new file mode 100644
index 00000000000..e9f0a74a8d1
--- /dev/null
+++ b/spec/support/helpers/database_helpers.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module DatabaseHelpers
+  # In order to directly work with views using factories,
+  # we can swapout the view for a table of identical structure.
+  def swapout_view_for_table(view)
+    ActiveRecord::Base.connection.execute(<<~SQL)
+      CREATE TABLE #{view}_copy (LIKE #{view});
+      DROP VIEW #{view};
+      ALTER TABLE #{view}_copy RENAME TO #{view};
+    SQL
+  end
+end
diff --git a/spec/support/helpers/dependency_proxy_helpers.rb b/spec/support/helpers/dependency_proxy_helpers.rb
index 545b9d1f4d0..ebb849628bf 100644
--- a/spec/support/helpers/dependency_proxy_helpers.rb
+++ b/spec/support/helpers/dependency_proxy_helpers.rb
@@ -11,11 +11,18 @@ module DependencyProxyHelpers
       .to_return(status: status, body: body || auth_body)
   end
 
-  def stub_manifest_download(image, tag, status = 200, body = nil)
+  def stub_manifest_download(image, tag, status: 200, body: nil, headers: {})
     manifest_url = registry.manifest_url(image, tag)
 
     stub_full_request(manifest_url)
-      .to_return(status: status, body: body || manifest)
+      .to_return(status: status, body: body || manifest, headers: headers)
+  end
+
+  def stub_manifest_head(image, tag, status: 200, body: nil, digest: '123456')
+    manifest_url = registry.manifest_url(image, tag)
+
+    stub_full_request(manifest_url, method: :head)
+      .to_return(status: status, body: body, headers: { 'docker-content-digest' => digest } )
   end
 
   def stub_blob_download(image, blob_sha, status = 200, body = '123456')
@@ -25,6 +32,13 @@ module DependencyProxyHelpers
       .to_return(status: status, body: body)
   end
 
+  def build_jwt(user = nil, expire_time: nil)
+    JSONWebToken::HMACToken.new(::Auth::DependencyProxyAuthenticationService.secret).tap do |jwt|
+      jwt['user_id'] = user.id if user
+      jwt.expire_time = expire_time || jwt.issued_at + 1.minute
+    end
+  end
+
   private
 
   def registry
diff --git a/spec/support/helpers/features/merge_request_helpers.rb b/spec/support/helpers/features/merge_request_helpers.rb
new file mode 100644
index 00000000000..53896e1fe12
--- /dev/null
+++ b/spec/support/helpers/features/merge_request_helpers.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Spec
+  module Support
+    module Helpers
+      module Features
+        module MergeRequestHelpers
+          def preload_view_requirements(merge_request, note)
+            # This will load the status fields of the author of the note and merge request
+            # to avoid queries when rendering the view being tested.
+            #
+            merge_request.author.status
+            note.author.status
+          end
+
+          def serialize_issuable_sidebar(user, project, merge_request)
+            MergeRequestSerializer
+              .new(current_user: user, project: project)
+              .represent(merge_request, serializer: 'sidebar')
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/spec/support/helpers/features/web_ide_spec_helpers.rb b/spec/support/helpers/features/web_ide_spec_helpers.rb
index 12d3cecd052..358bfacce05 100644
--- a/spec/support/helpers/features/web_ide_spec_helpers.rb
+++ b/spec/support/helpers/features/web_ide_spec_helpers.rb
@@ -22,8 +22,6 @@ module WebIdeSpecHelpers
     click_link('Web IDE')
 
     wait_for_requests
-
-    save_monaco_editor_reference
   end
 
   def ide_tree_body
@@ -65,17 +63,6 @@ module WebIdeSpecHelpers
     ide_set_editor_value(content)
   end
 
-  def ide_rename_file(path, new_path)
-    container = ide_traverse_to_file(path)
-
-    click_file_action(container, 'Rename/Move')
-
-    within '#ide-new-entry' do
-      find('input').fill_in(with: new_path)
-      click_button('Rename file')
-    end
-  end
-
   # Deletes a file by traversing to `path`
   # then clicking the 'Delete' action.
   #
@@ -103,20 +90,6 @@ module WebIdeSpecHelpers
     container
   end
 
-  def ide_close_file(name)
-    within page.find('.multi-file-tabs') do
-      click_button("Close #{name}")
-    end
-  end
-
-  def ide_open_file(path)
-    row = ide_traverse_to_file(path)
-
-    ide_open_file_row(row)
-
-    wait_for_requests
-  end
-
   def ide_open_file_row(row)
     return if ide_folder_row_open?(row)
 
@@ -130,10 +103,6 @@ module WebIdeSpecHelpers
     execute_script("monaco.editor.getModel('#{uri}').setValue('#{escape_javascript(value)}')")
   end
 
-  def ide_set_editor_position(line, col)
-    execute_script("TEST_EDITOR.setPosition(#{{ lineNumber: line, column: col }.to_json})")
-  end
-
   def ide_editor_value
     editor = find('.monaco-editor')
     uri = editor['data-uri']
@@ -180,8 +149,4 @@ module WebIdeSpecHelpers
       wait_for_requests
     end
   end
-
-  def save_monaco_editor_reference
-    evaluate_script("monaco.editor.onDidCreateEditor(editor => { window.TEST_EDITOR = editor; })")
-  end
 end
diff --git a/spec/support/helpers/file_read_helpers.rb b/spec/support/helpers/file_read_helpers.rb
new file mode 100644
index 00000000000..c30a9e6466f
--- /dev/null
+++ b/spec/support/helpers/file_read_helpers.rb
@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module FileReadHelpers
+  def stub_file_read(file, content: nil, error: nil)
+    allow_original_file_read
+
+    expectation = allow(File).to receive(:read).with(file)
+
+    if error
+      expectation.and_raise(error)
+    elsif content
+      expectation.and_return(content)
+    else
+      expectation
+    end
+  end
+
+  def expect_file_read(file, content: nil, error: nil)
+    allow_original_file_read
+
+    expectation = expect(File).to receive(:read).with(file)
+
+    if error
+      expectation.and_raise(error)
+    elsif content
+      expectation.and_return(content)
+    else
+      expectation
+    end
+  end
+
+  def expect_file_not_to_read(file)
+    allow_original_file_read
+
+    expect(File).not_to receive(:read).with(file)
+  end
+
+  private
+
+  def allow_original_file_read
+    # Don't set this mock twice, otherwise subsequent calls will clobber
+    # previous mocks
+    return if @allow_original_file_read
+
+    @allow_original_file_read = true
+    allow(File).to receive(:read).and_call_original
+  end
+end
diff --git a/spec/support/helpers/filtered_search_helpers.rb b/spec/support/helpers/filtered_search_helpers.rb
index d203ff60cc9..10068b9c508 100644
--- a/spec/support/helpers/filtered_search_helpers.rb
+++ b/spec/support/helpers/filtered_search_helpers.rb
@@ -113,6 +113,10 @@ module FilteredSearchHelpers
     create_token('Assignee', assignee_name)
   end
 
+  def reviewer_token(reviewer_name = nil)
+    create_token('Reviewer', reviewer_name)
+  end
+
   def milestone_token(milestone_name = nil, has_symbol = true, operator = '=')
     symbol = has_symbol ? '%' : nil
     create_token('Milestone', milestone_name, symbol, operator)
diff --git a/spec/support/helpers/git_http_helpers.rb b/spec/support/helpers/git_http_helpers.rb
index c9c1c4dcfc9..c9b4e06f067 100644
--- a/spec/support/helpers/git_http_helpers.rb
+++ b/spec/support/helpers/git_http_helpers.rb
@@ -5,45 +5,45 @@ require_relative 'workhorse_helpers'
 module GitHttpHelpers
   include WorkhorseHelpers
 
-  def clone_get(project, **options)
-    get "/#{project}/info/refs", params: { service: 'git-upload-pack' }, headers: auth_env(*options.values_at(:user, :password, :spnego_request_token))
+  def clone_get(repository_path, **options)
+    get "/#{repository_path}/info/refs", params: { service: 'git-upload-pack' }, headers: auth_env(*options.values_at(:user, :password, :spnego_request_token))
   end
 
-  def clone_post(project, **options)
-    post "/#{project}/git-upload-pack", headers: auth_env(*options.values_at(:user, :password, :spnego_request_token))
+  def clone_post(repository_path, **options)
+    post "/#{repository_path}/git-upload-pack", headers: auth_env(*options.values_at(:user, :password, :spnego_request_token))
   end
 
-  def push_get(project, **options)
-    get "/#{project}/info/refs", params: { service: 'git-receive-pack' }, headers: auth_env(*options.values_at(:user, :password, :spnego_request_token))
+  def push_get(repository_path, **options)
+    get "/#{repository_path}/info/refs", params: { service: 'git-receive-pack' }, headers: auth_env(*options.values_at(:user, :password, :spnego_request_token))
   end
 
-  def push_post(project, **options)
-    post "/#{project}/git-receive-pack", headers: auth_env(*options.values_at(:user, :password, :spnego_request_token))
+  def push_post(repository_path, **options)
+    post "/#{repository_path}/git-receive-pack", headers: auth_env(*options.values_at(:user, :password, :spnego_request_token))
   end
 
-  def download(project, user: nil, password: nil, spnego_request_token: nil)
+  def download(repository_path, user: nil, password: nil, spnego_request_token: nil)
     args = { user: user, password: password, spnego_request_token: spnego_request_token }
 
-    clone_get(project, **args)
+    clone_get(repository_path, **args)
     yield response
 
-    clone_post(project, **args)
+    clone_post(repository_path, **args)
     yield response
   end
 
-  def upload(project, user: nil, password: nil, spnego_request_token: nil)
+  def upload(repository_path, user: nil, password: nil, spnego_request_token: nil)
     args = { user: user, password: password, spnego_request_token: spnego_request_token }
 
-    push_get(project, **args)
+    push_get(repository_path, **args)
     yield response
 
-    push_post(project, **args)
+    push_post(repository_path, **args)
     yield response
   end
 
-  def download_or_upload(project, **args, &block)
-    download(project, **args, &block)
-    upload(project, **args, &block)
+  def download_or_upload(repository_path, **args, &block)
+    download(repository_path, **args, &block)
+    upload(repository_path, **args, &block)
   end
 
   def auth_env(user, password, spnego_request_token)
diff --git a/spec/support/helpers/gitlab_verify_helpers.rb b/spec/support/helpers/gitlab_verify_helpers.rb
index 9901ce374ed..2a6ba8aaff4 100644
--- a/spec/support/helpers/gitlab_verify_helpers.rb
+++ b/spec/support/helpers/gitlab_verify_helpers.rb
@@ -2,7 +2,7 @@
 
 module GitlabVerifyHelpers
   def collect_ranges(args = {})
-    verifier = described_class.new(args.merge(batch_size: 1))
+    verifier = described_class.new(**args.merge(batch_size: 1))
 
     collect_results(verifier).map { |range, _| range }
   end
diff --git a/spec/support/helpers/gpg_helpers.rb b/spec/support/helpers/gpg_helpers.rb
index f4df1cf601c..389e5818dbe 100644
--- a/spec/support/helpers/gpg_helpers.rb
+++ b/spec/support/helpers/gpg_helpers.rb
@@ -144,6 +144,145 @@ module GpgHelpers
       '5F7EA3981A5845B141ABD522CCFBE19F00AC8B1D'
     end
 
+    def secret_key2
+      <<~KEY.strip
+      -----BEGIN PGP PRIVATE KEY BLOCK-----
+
+      lQWGBF+7O0oBDADvRto4K9PT83Lbyp/qaMPIzBbXHB6ljdDoyb+Pn2UrHk9MhB5v
+      bTgBv+rctOabmimPPalcyaxOQ1GtrYizo1l33YQZupSvaOoStVLWqnBx8eKKcUv8
+      QucS3S2qFhj9G0tdHW7RW2BGrSwEM09d2xFsFKKAj/4RTTU5idYWrvB24DNcrBh+
+      iKsoa+rmJf1bwL6Mn9f9NwzundG16qibY/UwMlltQriWaVMn2AKVuu6HrX9pe3g5
+      Er2Szjc7DZitt6eAy3PmuWHXzDCCvsO7iPxXlywY49hLhDen3/Warwn1pSbp+im4
+      /0oJExLZBSS1xHbRSQoR6matF0+V/6TQz8Yo3g8z9HgyEtn1V7QJo3PoNrnEl73e
+      9yslTqVtzba0Q132oRoO7eEYf82KrPOmVGj6Q9LpSXFLfsl3GlPgoBxRZXpT62CV
+      3rGalIa2yKmcBQtyICjR1+PTIAJcVIPyr92xTo4RfLwVFW0czX7LM2H0FT2Ksj7L
+      U450ewBz8N6bFDMAEQEAAf4HAwIkqHaeA9ofAv9oQj+upbqfdEmXd0krBv5R1Q3u
+      VZwtCdnf0KGtueJ7SpPHVbNB0gCYnYdgf59MF9HHuVjHTWCOBwBJ3hmc7Yt2NcZy
+      ow15C+2xy+6/ChIYz3K7cr3jFR17M8Rz430YpCeGdYq5CfNQvNlzHDjO7PClLOek
+      jqy7V0ME0j6Q5+gHKqz6ragrUkfQBK863T4/4IUE+oCcDkuPaQUJQcYbI81R60Tl
+      4Rasi6njwj9MZlt9k8wfXmMInWAl7aLaEzTpwVFG8xZ5IHExWGHO9mS+DNqBRVd9
+      oDQoYoLFW6w0wPIkcn1uoUJaDZoRFzy2AzFInS8oLPAYWg/Wg8TLyyTIHYq9Zn+B
+      1mXeBHqx+TOCFq8P1wk9/A4MIl8cJmsEYrd2u0xdbVUQxCDzqrjqVmU4oamY6N6s
+      JPSp/hhBJB97CbCIoACB3aaH1CFDyXvyiqjobD5daKz8FlDzm4yze5n5b7CLwAWB
+      IA7nbNsGnLZiKQs+jmA6VcAax3nlulhG0YnzNLlwX4PgWjwjtd79rEmSdN9LsZE3
+      R26377QFE6G5NLDiKg/96NsRYA1BsDnAWKpm64ZVHHbBxz/HiAP1Zncw3Ij5p8F1
+      mtHK++qNF1P2OkAP01KaE2v6T+d3lCQzlPwnQIojW/NGvBZXarjV3916fN7rJamf
+      gs6Q72XKuXCOVJxGvknVGjXS97AIWbllLcCG5nYZx5BYaehMWOjrB9abD3h3lRXt
+      lT43gOFI53XY/vTw+jsPeT125QjjB3Kih5Ch5b6tXMj7X1Lkd9yTOIU0LVF5e9St
+      1mvVl+pPwWafq60vlCtEnluwcEmH6XDiIABHDchgBdk+qsvc215bspyPRy4CRVAg
+      V3eaFFKgFrF/qDtzLgYVopcij1ovGmmox+m3mua4wSAs5Bm2UotEZfGscN6sCSfR
+      KAk83bV00rfjC/Zrgx3zn6PUqit5KcpLkQIo/CzUr9UCRC3tMIzFARbmjTE7f471
+      +kUuJGxMONiRQC3ejLDZ/+B7WvZm44KffyKVlOSfG0MDUZzsINNY3jUskF2pfuq2
+      acXqcVi16grRjyIsoRtZFM5/yu7ED7j4yZRRnBjD+E03uui5Rv3uiHcddE8nwwU+
+      Tctvua+0QtS5NzFL6pM8tYdgRTXYekaoZf6N8sE3kgOlanvyXwxguNA7Y5Ns1mFC
+      JqIwOVwQbi8bk9I2PY9ER/nK6HRx2LpM466wRp7Bn9WAY8k/5gjzZrqVDCZJjuTO
+      mmhvGcm9wvsXxfb1NQdhc7ZHvCTj+Gf5hmdpzJnX0Cm83BqEEpmKk0HAXNCmMxQp
+      3twrjrj/RahXVpnUgQR8PKAn7HjVFs/YvbQtTmFubmllIEJlcm5oYXJkIDxuYW5u
+      aWUuYmVybmhhcmRAZXhhbXBsZS5jb20+iQHUBBMBCgA+FiEExEem9r/Zzvj7NxeF
+      VxYlqTAkEXkFAl+7O0oCGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AA
+      CgkQVxYlqTAkEXk9xwv/WlJJGJ+QyGeJAhySG3z3bQnFwb2CusF2LbwcAETDgbkf
+      opkkf34Vbb9A7kM7peZ7Va0Edsg09XdkBUAdaqKQn78HiZJC5n0grXcj1c67Adss
+      Ym9TGVM6AC3K3Vm3wVV0X+ng31rdDpjfIqfYDAvwhMc8H/MHs/dCRSIxEGWK8UKh
+      WLUrX+wN+HNMVbzWPGwoTMWiDa/ofA9INhqN+u+mJkTaP+a4R3LTgL5hp+kUDOaB
+      Nc0rqH7vgj+037NTL8vox18J4qgNbRIsywclMYBJDwfA4w1phtsMu1BKPiOu2kue
+      18fyGDtboXUPFOJjf5OEwJsu+MFogWeAVuHN/eeiqOAFCYW+TT6Ehc6BnJ8vWCMS
+      Dgs3t6i94gNZtvEty2EAheHEBD1alU4c6S3VENdh5q2KkWIVFxgNtungo03eAVfj
+      UhMjrrEu0LC/Rizo7Me0kG7rfdn9oIwp4MTn7Cst1wGEWdi9UO4NJf1C+P9rFQuG
+      hMaj+8gb1uBdjPG8WOOanQWGBF+7O0oBDADhzNAvjiphKHsa4O5s3BePLQ+DJz+K
+      rS8f9mb66to/w9BlUtnm/L4gVgiIYqGhH7TSDaGhvIDMf3iKKBnKrWeBe0W8cdq3
+      FlzWC/AHUahEFxFm0l6nq0pOIiAVQ58IPaB/0a5YCY7tU2yfw8llZUN8dWJ7cSsB
+      Gpa6Q9/9y4x5/9VPDPduXRv22KCfDbHXuFS79ubmueFfrOa1CLXRhCy3dUXCyePU
+      YuwxixXJRTJQJm+A6c8TFIL+cji7IEzzDAiNexfGzEfu+Qj1/9PzX8aIn6C5Tf4q
+      B1pcGa4uYr8K1aCENcVt6+GA5gMdcplYXmtA212RyPqQmnJIjxDdS7AJYcivqG2q
+      F5CvqzKY5/A+e9+GLyRM36P8LpB8+XHMoYNMNmOl5KX6WZ1tRw/xxgv1iKX3Pcqd
+      noFwsOCNVpTWlxvjsyve8VQUplORSakIhfKh1VWu7j8AKXWe9S3zMYQDq5G8VrTO
+      Vb1pPvPgiNxo9u1OXi2H9UTXhCWYZ6FIe2UAEQEAAf4HAwIlxJFDCl1eRf+8ne6l
+      KpsQfPjhCNnaXE1Q1izRVNGn0gojZkHTRzBF6ZOaPMNSWOri22JoaACI2txuQLyu
+      fHdO+ROr2Pnp17zeXbrm9Tk0PpugPwW/+AkvLPtcSOoCLEzkoKnwKmpC224Ed2Zb
+      Ma5ApPp3HNGkZgPVw5Mvj8R/n8MbKr7/TC7PV9WInranisZqH9fzvA3KEpaDwSr0
+      vBtn6nXzSQKhmwCGRLCUuA+HG2gXIlYuNi7lPpu+Tivz+FnIaTVtrhG5b6Az30QP
+      C0cLe539X9HgryP6M9kzLSYnfpGQMqSqOUYZfhQW6xtSWr7/iWdnYF7S1YouWPLs
+      vuN+xFFKv3eVtErk4UOgAp9it4/i41QuMNwCWCt71278Ugwqygexw/XMi+Rs2Z6C
+      2ESu1dJnOhYF4eL7ymSKxwBitA+qETQBsjxjegNls/poFjREIhOOwM0w9mn+GptC
+      RVmFdcTlXMGJIGPxTFZQzIitCVoTURrkzBvqUvKFft8GcEBr2izoIqOZU3Npya7c
+      kKHyVMY0n7xjH3Hs4C3A4tBtkbDpwxz+hc9xh5/E/EKKlvZLfIKuuTP4eJap8KEN
+      vvbDPolF3TveTvNLIe86GTSU+wi67PM1PBHKhLSP2aYvS503Z29OLD6Rd6p6jI8u
+      MC8ueF719oH5uG5Sbs3OGmX+UF1aaproLhnGpTwrLyEX7tMebb/JM22Qasj9H9to
+      PNAgEfhlNdhJ+IULkx0My2e55+BIskhsWJpkAhpD2dOyiDBsXZvT3x3dbMKWi1sS
+      +nbKzhMjmUoQ++Vh2uZ9Zi93H3+gsge6e1duRSLNEFrrOk9c6cVPsmle7HoZSzNw
+      qYVCb3npMo+43IgyaK48eGS757ZGsgTEQdicoqVann+wHbAOlWwUFSPTGpqTMMvD
+      17PVFQB4ADb5J3IAy7kJsVUwoqYI8VrdfiJJUeQikePOi760TCUTJ3PlMUNqngMn
+      ItzNidE8A0RvzFW6DNcPHJVpdGRk36GtWooBhxRwelchAgTSB6gVueF9KTW+EZU2
+      evdAwuTfwvTguOuJ3yJ6g+vFiHYrsczHJXq7QaJbpmJLlavvA2yFPDmlSDMSMKFo
+      t13RwYZ+mPLS5QLK52vbCmDKiQI7Z7zLXIcQ2RXXHQN4OYYLbDXeIMO2BwXAsGJf
+      LC3W64gMUSRKB07UXmDdu4U3US0sqMsxUNWqLFC8PRVR68NAxF+8zS1xKLCUPRWS
+      ELivIY0m4ybzITM6xHBCOSFRph5+LKQVehEo1qM7aoRtS+5SHjdtOeyPEQwSTsWj
+      IWlumHJAXFUmBqc+bVi1m661c5O56VCm7PP61oQQxsB3J0E5OsQUA4kBvAQYAQoA
+      JhYhBMRHpva/2c74+zcXhVcWJakwJBF5BQJfuztKAhsMBQkDwmcAAAoJEFcWJakw
+      JBF5T/ML/3Ml7+493hQuoC9O3HOANkimc0pGxILVeJmJmnfbMDJ71fU84h2+xAyk
+      2PZc48wVYKju9THJzdRk+XBPO+G6mSBupSt53JIYb5NijotNTmJmHYpG1yb+9FjD
+      EFWTlxK1mr5wjSUxlGWa/O46XjxzCSEUP1SknLWbTOucV8KOmPWL3DupvGINIIQx
+      e5eJ9SMjlHvUn4rq8sd11FT2bQrd+xMx8gP5cearPqB7qVRlHjtOKn29gTV90kIw
+      amRke8KxSoJh+xT057aKI2+MCu7RC8TgThmUVCWgwUzXlsw1Qe8ySc6CmjIBftfo
+      lQYPDSq1u8RSBAB+t2Xwprvdedr9SQihzBk5GCGBJ/npEcgF2jk26sJqoXYbvyQG
+      tqSDQ925oP7OstyOE4FTH7sQmBvP01Ikdgwkm0cthLSpWY4QI+09Aeg+rZ80Etfv
+      vAKquDGA33no8YGnn+epeLqyscIh4WG3bIoHk9JlFCcwIp9U65IfR1fTcvlTdzZN
+      4f6xMfFu2A==
+      =3YL6
+      -----END PGP PRIVATE KEY BLOCK-----
+      KEY
+    end
+
+    def public_key2
+      <<~KEY.strip
+      -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+      mQGNBF+7O0oBDADvRto4K9PT83Lbyp/qaMPIzBbXHB6ljdDoyb+Pn2UrHk9MhB5v
+      bTgBv+rctOabmimPPalcyaxOQ1GtrYizo1l33YQZupSvaOoStVLWqnBx8eKKcUv8
+      QucS3S2qFhj9G0tdHW7RW2BGrSwEM09d2xFsFKKAj/4RTTU5idYWrvB24DNcrBh+
+      iKsoa+rmJf1bwL6Mn9f9NwzundG16qibY/UwMlltQriWaVMn2AKVuu6HrX9pe3g5
+      Er2Szjc7DZitt6eAy3PmuWHXzDCCvsO7iPxXlywY49hLhDen3/Warwn1pSbp+im4
+      /0oJExLZBSS1xHbRSQoR6matF0+V/6TQz8Yo3g8z9HgyEtn1V7QJo3PoNrnEl73e
+      9yslTqVtzba0Q132oRoO7eEYf82KrPOmVGj6Q9LpSXFLfsl3GlPgoBxRZXpT62CV
+      3rGalIa2yKmcBQtyICjR1+PTIAJcVIPyr92xTo4RfLwVFW0czX7LM2H0FT2Ksj7L
+      U450ewBz8N6bFDMAEQEAAbQtTmFubmllIEJlcm5oYXJkIDxuYW5uaWUuYmVybmhh
+      cmRAZXhhbXBsZS5jb20+iQHUBBMBCgA+FiEExEem9r/Zzvj7NxeFVxYlqTAkEXkF
+      Al+7O0oCGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQVxYlqTAk
+      EXk9xwv/WlJJGJ+QyGeJAhySG3z3bQnFwb2CusF2LbwcAETDgbkfopkkf34Vbb9A
+      7kM7peZ7Va0Edsg09XdkBUAdaqKQn78HiZJC5n0grXcj1c67AdssYm9TGVM6AC3K
+      3Vm3wVV0X+ng31rdDpjfIqfYDAvwhMc8H/MHs/dCRSIxEGWK8UKhWLUrX+wN+HNM
+      VbzWPGwoTMWiDa/ofA9INhqN+u+mJkTaP+a4R3LTgL5hp+kUDOaBNc0rqH7vgj+0
+      37NTL8vox18J4qgNbRIsywclMYBJDwfA4w1phtsMu1BKPiOu2kue18fyGDtboXUP
+      FOJjf5OEwJsu+MFogWeAVuHN/eeiqOAFCYW+TT6Ehc6BnJ8vWCMSDgs3t6i94gNZ
+      tvEty2EAheHEBD1alU4c6S3VENdh5q2KkWIVFxgNtungo03eAVfjUhMjrrEu0LC/
+      Rizo7Me0kG7rfdn9oIwp4MTn7Cst1wGEWdi9UO4NJf1C+P9rFQuGhMaj+8gb1uBd
+      jPG8WOOauQGNBF+7O0oBDADhzNAvjiphKHsa4O5s3BePLQ+DJz+KrS8f9mb66to/
+      w9BlUtnm/L4gVgiIYqGhH7TSDaGhvIDMf3iKKBnKrWeBe0W8cdq3FlzWC/AHUahE
+      FxFm0l6nq0pOIiAVQ58IPaB/0a5YCY7tU2yfw8llZUN8dWJ7cSsBGpa6Q9/9y4x5
+      /9VPDPduXRv22KCfDbHXuFS79ubmueFfrOa1CLXRhCy3dUXCyePUYuwxixXJRTJQ
+      Jm+A6c8TFIL+cji7IEzzDAiNexfGzEfu+Qj1/9PzX8aIn6C5Tf4qB1pcGa4uYr8K
+      1aCENcVt6+GA5gMdcplYXmtA212RyPqQmnJIjxDdS7AJYcivqG2qF5CvqzKY5/A+
+      e9+GLyRM36P8LpB8+XHMoYNMNmOl5KX6WZ1tRw/xxgv1iKX3PcqdnoFwsOCNVpTW
+      lxvjsyve8VQUplORSakIhfKh1VWu7j8AKXWe9S3zMYQDq5G8VrTOVb1pPvPgiNxo
+      9u1OXi2H9UTXhCWYZ6FIe2UAEQEAAYkBvAQYAQoAJhYhBMRHpva/2c74+zcXhVcW
+      JakwJBF5BQJfuztKAhsMBQkDwmcAAAoJEFcWJakwJBF5T/ML/3Ml7+493hQuoC9O
+      3HOANkimc0pGxILVeJmJmnfbMDJ71fU84h2+xAyk2PZc48wVYKju9THJzdRk+XBP
+      O+G6mSBupSt53JIYb5NijotNTmJmHYpG1yb+9FjDEFWTlxK1mr5wjSUxlGWa/O46
+      XjxzCSEUP1SknLWbTOucV8KOmPWL3DupvGINIIQxe5eJ9SMjlHvUn4rq8sd11FT2
+      bQrd+xMx8gP5cearPqB7qVRlHjtOKn29gTV90kIwamRke8KxSoJh+xT057aKI2+M
+      Cu7RC8TgThmUVCWgwUzXlsw1Qe8ySc6CmjIBftfolQYPDSq1u8RSBAB+t2Xwprvd
+      edr9SQihzBk5GCGBJ/npEcgF2jk26sJqoXYbvyQGtqSDQ925oP7OstyOE4FTH7sQ
+      mBvP01Ikdgwkm0cthLSpWY4QI+09Aeg+rZ80EtfvvAKquDGA33no8YGnn+epeLqy
+      scIh4WG3bIoHk9JlFCcwIp9U65IfR1fTcvlTdzZN4f6xMfFu2A==
+      =RAwd
+      -----END PGP PUBLIC KEY BLOCK-----
+      KEY
+    end
+
+    def fingerprint2
+      'C447A6F6BFD9CEF8FB371785571625A930241179'
+    end
+
     def names
       ['Nannie Bernhard']
     end
diff --git a/spec/support/helpers/graphql_helpers.rb b/spec/support/helpers/graphql_helpers.rb
index a1b4e6eee92..b20801bd3c4 100644
--- a/spec/support/helpers/graphql_helpers.rb
+++ b/spec/support/helpers/graphql_helpers.rb
@@ -4,6 +4,11 @@ module GraphqlHelpers
   MutationDefinition = Struct.new(:query, :variables)
 
   NoData = Class.new(StandardError)
+  UnauthorizedObject = Class.new(StandardError)
+
+  def graphql_args(**values)
+    ::Graphql::Arguments.new(values)
+  end
 
   # makes an underscored string look like a fieldname
   # "merge_request" => "mergeRequest"
@@ -17,7 +22,10 @@ module GraphqlHelpers
   # ready, then the early return is returned instead.
   #
   # Then the resolve method is called.
-  def resolve(resolver_class, args: {}, **resolver_args)
+  def resolve(resolver_class, args: {}, lookahead: :not_given, parent: :not_given, **resolver_args)
+    args = aliased_args(resolver_class, args)
+    args[:parent] = parent unless parent == :not_given
+    args[:lookahead] = lookahead unless lookahead == :not_given
     resolver = resolver_instance(resolver_class, **resolver_args)
     ready, early_return = sync_all { resolver.ready?(**args) }
 
@@ -26,6 +34,16 @@ module GraphqlHelpers
     resolver.resolve(**args)
   end
 
+  # TODO: Remove this method entirely when GraphqlHelpers uses real resolve_field
+  # see: https://gitlab.com/gitlab-org/gitlab/-/issues/287791
+  def aliased_args(resolver, args)
+    definitions = resolver.arguments
+
+    args.transform_keys do |k|
+      definitions[GraphqlHelpers.fieldnamerize(k)]&.keyword || k
+    end
+  end
+
   def resolver_instance(resolver_class, obj: nil, ctx: {}, field: nil, schema: GitlabSchema)
     if ctx.is_a?(Hash)
       q = double('Query', schema: schema)
@@ -111,24 +129,33 @@ module GraphqlHelpers
   def variables_for_mutation(name, input)
     graphql_input = prepare_input_for_mutation(input)
 
-    result = { input_variable_name_for_mutation(name) => graphql_input }
+    { input_variable_name_for_mutation(name) => graphql_input }
+  end
 
-    # Avoid trying to serialize multipart data into JSON
-    if graphql_input.values.none? { |value| io_value?(value) }
-      result.to_json
-    else
-      result
-    end
+  def serialize_variables(variables)
+    return unless variables
+    return variables if variables.is_a?(String)
+
+    ::Gitlab::Utils::MergeHash.merge(Array.wrap(variables).map(&:to_h)).to_json
   end
 
-  def resolve_field(name, object, args = {})
-    context = double("Context",
-                    schema: GitlabSchema,
-                    query: GraphQL::Query.new(GitlabSchema),
-                    parent: nil)
-    field = described_class.fields[name]
+  def resolve_field(name, object, args = {}, current_user: nil)
+    q = GraphQL::Query.new(GitlabSchema)
+    context = GraphQL::Query::Context.new(query: q, object: object, values: { current_user: current_user })
+    allow(context).to receive(:parent).and_return(nil)
+    field = described_class.fields.fetch(GraphqlHelpers.fieldnamerize(name))
     instance = described_class.authorized_new(object, context)
-    field.resolve_field(instance, {}, context)
+    raise UnauthorizedObject unless instance
+
+    field.resolve_field(instance, args, context)
+  end
+
+  def simple_resolver(resolved_value = 'Resolved value')
+    Class.new(Resolvers::BaseResolver) do
+      define_method :resolve do |**_args|
+        resolved_value
+      end
+    end
   end
 
   # Recursively convert a Hash with Ruby-style keys to GraphQL fieldname-style keys
@@ -165,10 +192,32 @@ module GraphqlHelpers
   end
 
   def query_graphql_field(name, attributes = {}, fields = nil)
-    <<~QUERY
-      #{field_with_params(name, attributes)}
-      #{wrap_fields(fields || all_graphql_fields_for(name.to_s.classify))}
-    QUERY
+    attributes, fields = [nil, attributes] if fields.nil? && !attributes.is_a?(Hash)
+
+    field = field_with_params(name, attributes)
+
+    field + wrap_fields(fields || all_graphql_fields_for(name.to_s.classify)).to_s
+  end
+
+  def page_info_selection
+    "pageInfo { hasNextPage hasPreviousPage endCursor startCursor }"
+  end
+
+  def query_nodes(name, fields = nil, args: nil, of: name, include_pagination_info: false, max_depth: 1)
+    fields ||= all_graphql_fields_for(of.to_s.classify, max_depth: max_depth)
+    node_selection = include_pagination_info ? "#{page_info_selection} nodes" : :nodes
+    query_graphql_path([[name, args], node_selection], fields)
+  end
+
+  # e.g:
+  #   query_graphql_path(%i[foo bar baz], all_graphql_fields_for('Baz'))
+  #   => foo { bar { baz { x y z } } }
+  def query_graphql_path(segments, fields = nil)
+    # we really want foldr here...
+    segments.reverse.reduce(fields) do |tail, segment|
+      name, args = Array.wrap(segment)
+      query_graphql_field(name, args, tail)
+    end
   end
 
   def wrap_fields(fields)
@@ -203,50 +252,22 @@ module GraphqlHelpers
     type = GitlabSchema.types[class_name.to_s]
     return "" unless type
 
-    type.fields.map do |name, field|
-      # We can't guess arguments, so skip fields that require them
-      next if required_arguments?(field)
-      next if excluded.include?(name)
-
-      singular_field_type = field_type(field)
-
-      # If field type is the same as parent type, then we're hitting into
-      # mutual dependency. Break it from infinite recursion
-      next if parent_types.include?(singular_field_type)
+    # We can't guess arguments, so skip fields that require them
+    skip = ->(name, field) { excluded.include?(name) || required_arguments?(field) }
 
-      if nested_fields?(field)
-        fields =
-          all_graphql_fields_for(singular_field_type, parent_types | [type], max_depth: max_depth - 1)
-
-        "#{name} { #{fields} }" unless fields.blank?
-      else
-        name
-      end
-    end.compact.join("\n")
+    ::Graphql::FieldSelection.select_fields(type, skip, parent_types, max_depth)
   end
 
-  def attributes_to_graphql(attributes)
-    attributes.map do |name, value|
-      value_str = as_graphql_literal(value)
+  def with_signature(variables, query)
+    %Q[query(#{variables.map(&:sig).join(', ')}) #{query}]
+  end
 
-      "#{GraphqlHelpers.fieldnamerize(name.to_s)}: #{value_str}"
-    end.join(", ")
+  def var(type)
+    ::Graphql::Var.new(generate(:variable), type)
   end
 
-  # Fairly dumb Ruby => GraphQL rendering function. Only suitable for testing.
-  # Use symbol for Enum values
-  def as_graphql_literal(value)
-    case value
-    when Array then "[#{value.map { |v| as_graphql_literal(v) }.join(',')}]"
-    when Hash then "{#{attributes_to_graphql(value)}}"
-    when Integer, Float then value.to_s
-    when String then "\"#{value.gsub(/"/, '\\"')}\""
-    when Symbol then value
-    when nil then 'null'
-    when true then 'true'
-    when false then 'false'
-    else raise ArgumentError, "Cannot represent #{value} as GraphQL literal"
-    end
+  def attributes_to_graphql(arguments)
+    ::Graphql::Arguments.new(arguments).to_s
   end
 
   def post_multiplex(queries, current_user: nil, headers: {})
@@ -254,7 +275,7 @@ module GraphqlHelpers
   end
 
   def post_graphql(query, current_user: nil, variables: nil, headers: {})
-    params = { query: query, variables: variables&.to_json }
+    params = { query: query, variables: serialize_variables(variables) }
     post api('/', current_user, version: 'graphql'), params: params, headers: headers
   end
 
@@ -320,36 +341,47 @@ module GraphqlHelpers
     { operations: operations.to_json, map: map.to_json }.merge(extracted_files)
   end
 
+  def fresh_response_data
+    Gitlab::Json.parse(response.body)
+  end
+
   # Raises an error if no data is found
-  def graphql_data
+  def graphql_data(body = json_response)
     # Note that `json_response` is defined as `let(:json_response)` and
     # therefore, in a spec with multiple queries, will only contain data
     # from the _first_ query, not subsequent ones
-    json_response['data'] || (raise NoData, graphql_errors)
+    body['data'] || (raise NoData, graphql_errors(body))
   end
 
   def graphql_data_at(*path)
     graphql_dig_at(graphql_data, *path)
   end
 
+  # Slightly more powerful than just `dig`:
+  # - also supports implicit flat-mapping (.e.g. :foo :nodes :bar :nodes)
   def graphql_dig_at(data, *path)
     keys = path.map { |segment| segment.is_a?(Integer) ? segment : GraphqlHelpers.fieldnamerize(segment) }
 
     # Allows for array indexing, like this
     # ['project', 'boards', 'edges', 0, 'node', 'lists']
     keys.reduce(data) do |memo, key|
-      memo.is_a?(Array) ? memo[key] : memo&.dig(key)
+      if memo.is_a?(Array)
+        key.is_a?(Integer) ? memo[key] : memo.flat_map { |e| Array.wrap(e[key]) }
+      else
+        memo&.dig(key)
+      end
     end
   end
 
-  def graphql_errors
-    case json_response
+  # See note at graphql_data about memoization and multiple requests
+  def graphql_errors(body = json_response)
+    case body
     when Hash # regular query
-      json_response['errors']
+      body['errors']
     when Array # multiplexed queries
-      json_response.map { |response| response['errors'] }
+      body.map { |response| response['errors'] }
     else
-      raise "Unknown GraphQL response type #{json_response.class}"
+      raise "Unknown GraphQL response type #{body.class}"
     end
   end
 
@@ -392,19 +424,29 @@ module GraphqlHelpers
   end
 
   def nested_fields?(field)
-    !scalar?(field) && !enum?(field)
+    ::Graphql::FieldInspection.new(field).nested_fields?
   end
 
   def scalar?(field)
-    field_type(field).kind.scalar?
+    ::Graphql::FieldInspection.new(field).scalar?
   end
 
   def enum?(field)
-    field_type(field).kind.enum?
+    ::Graphql::FieldInspection.new(field).enum?
   end
 
+  # There are a few non BaseField fields in our schema (pageInfo for one).
+  # None of them require arguments.
   def required_arguments?(field)
-    field.arguments.values.any? { |argument| argument.type.non_null? }
+    return field.requires_argument? if field.is_a?(::Types::BaseField)
+
+    if (meta = field.try(:metadata)) && meta[:type_class]
+      required_arguments?(meta[:type_class])
+    elsif args = field.try(:arguments)
+      args.values.any? { |argument| argument.type.non_null? }
+    else
+      false
+    end
   end
 
   def io_value?(value)
@@ -412,15 +454,7 @@ module GraphqlHelpers
   end
 
   def field_type(field)
-    field_type = field.type.respond_to?(:to_graphql) ? field.type.to_graphql : field.type
-
-    # The type could be nested. For example `[GraphQL::STRING_TYPE]`:
-    # - List
-    # - String!
-    # - String
-    field_type = field_type.of_type while field_type.respond_to?(:of_type)
-
-    field_type
+    ::Graphql::FieldInspection.new(field).type
   end
 
   # for most tests, we want to allow unlimited complexity
@@ -498,6 +532,20 @@ module GraphqlHelpers
       variables: {}
     )
   end
+
+  # A lookahead that selects everything
+  def positive_lookahead
+    double(selects?: true).tap do |selection|
+      allow(selection).to receive(:selection).and_return(selection)
+    end
+  end
+
+  # A lookahead that selects nothing
+  def negative_lookahead
+    double(selects?: false).tap do |selection|
+      allow(selection).to receive(:selection).and_return(selection)
+    end
+  end
 end
 
 # This warms our schema, doing this as part of loading the helpers to avoid
diff --git a/spec/support/helpers/login_helpers.rb b/spec/support/helpers/login_helpers.rb
index e21d4497cda..86022e16d71 100644
--- a/spec/support/helpers/login_helpers.rb
+++ b/spec/support/helpers/login_helpers.rb
@@ -138,13 +138,15 @@ module LoginHelpers
         secret: 'mock_secret'
       },
       extra: {
-        raw_info: {
-          info: {
-            name: 'mockuser',
-            email: email,
-            image: 'mock_user_thumbnail_url'
+        raw_info: OneLogin::RubySaml::Attributes.new(
+          {
+            info: {
+              name: 'mockuser',
+              email: email,
+              image: 'mock_user_thumbnail_url'
+            }
           }
-        },
+        ),
         response_object: response_object
       }
     }).merge(additional_info) { |_, old_hash, new_hash| old_hash.merge(new_hash) }
@@ -198,7 +200,7 @@ module LoginHelpers
     env['omniauth.error.strategy'] = strategy
   end
 
-  def stub_omniauth_saml_config(messages, context: Rails.application)
+  def stub_omniauth_saml_config(context: Rails.application, **messages)
     set_devise_mapping(context: context)
     routes = Rails.application.routes
     routes.disable_clear_and_finalize = true
diff --git a/spec/support/helpers/multipart_helpers.rb b/spec/support/helpers/multipart_helpers.rb
index 2e8db0e9e42..bcb184f84c5 100644
--- a/spec/support/helpers/multipart_helpers.rb
+++ b/spec/support/helpers/multipart_helpers.rb
@@ -37,7 +37,7 @@ module MultipartHelpers
     # *without* the "#{key}." prefix
     result.deep_transform_keys! { |k| k.remove("#{key}.") }
     {
-      "#{key}.gitlab-workhorse-upload" => jwt_token('upload' => result)
+      "#{key}.gitlab-workhorse-upload" => jwt_token(data: { 'upload' => result })
     }
   end
 
diff --git a/spec/support/helpers/next_instance_of.rb b/spec/support/helpers/next_instance_of.rb
index 83c788c3d38..a8e9ab2bafe 100644
--- a/spec/support/helpers/next_instance_of.rb
+++ b/spec/support/helpers/next_instance_of.rb
@@ -1,28 +1,31 @@
 # frozen_string_literal: true
 
 module NextInstanceOf
-  def expect_next_instance_of(klass, *new_args)
-    stub_new(expect(klass), *new_args) do |expectation|
-      yield(expectation)
-    end
+  def expect_next_instance_of(klass, *new_args, &blk)
+    stub_new(expect(klass), nil, *new_args, &blk)
   end
 
-  def allow_next_instance_of(klass, *new_args)
-    stub_new(allow(klass), *new_args) do |allowance|
-      yield(allowance)
-    end
+  def expect_next_instances_of(klass, number, *new_args, &blk)
+    stub_new(expect(klass), number, *new_args, &blk)
+  end
+
+  def allow_next_instance_of(klass, *new_args, &blk)
+    stub_new(allow(klass), nil, *new_args, &blk)
+  end
+
+  def allow_next_instances_of(klass, number, *new_args, &blk)
+    stub_new(allow(klass), number, *new_args, &blk)
   end
 
   private
 
-  def stub_new(target, *new_args)
+  def stub_new(target, number, *new_args, &blk)
     receive_new = receive(:new)
+    receive_new.exactly(number).times if number
     receive_new.with(*new_args) if new_args.any?
 
     target.to receive_new.and_wrap_original do |method, *original_args|
-      method.call(*original_args).tap do |instance|
-        yield(instance)
-      end
+      method.call(*original_args).tap(&blk)
     end
   end
 end
diff --git a/spec/support/helpers/services_helper.rb b/spec/support/helpers/services_helper.rb
new file mode 100644
index 00000000000..bf007815551
--- /dev/null
+++ b/spec/support/helpers/services_helper.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require_relative './after_next_helpers'
+
+module ServicesHelper
+  include AfterNextHelpers
+
+  def expect_execution_of(service_class, *args)
+    expect_next(service_class, *args).to receive(:execute)
+  end
+end
diff --git a/spec/support/helpers/snowplow_helpers.rb b/spec/support/helpers/snowplow_helpers.rb
index 15eac1b24fc..70a4eadd8de 100644
--- a/spec/support/helpers/snowplow_helpers.rb
+++ b/spec/support/helpers/snowplow_helpers.rb
@@ -31,7 +31,31 @@ module SnowplowHelpers
   #       )
   #     end
   #   end
-  def expect_snowplow_event(category:, action:, **kwargs)
+  #
+  # Passing context:
+  #
+  #   Simply provide a hash that has the schema and data expected.
+  #
+  #   expect_snowplow_event(
+  #     category: 'Experiment',
+  #     action: 'created',
+  #     context: [
+  #       {
+  #         schema: 'iglu:com.gitlab/.../0-3-0',
+  #         data: { key: 'value' }
+  #       }
+  #     ]
+  #   )
+  def expect_snowplow_event(category:, action:, context: nil, **kwargs)
+    if context
+      kwargs[:context] = []
+      context.each do |c|
+        expect(SnowplowTracker::SelfDescribingJson).to have_received(:new)
+          .with(c[:schema], c[:data]).at_least(:once)
+        kwargs[:context] << an_instance_of(SnowplowTracker::SelfDescribingJson)
+      end
+    end
+
     expect(Gitlab::Tracking).to have_received(:event) # rubocop:disable RSpec/ExpectGitlabTracking
       .with(category, action, **kwargs).at_least(:once)
   end
diff --git a/spec/support/helpers/stub_experiments.rb b/spec/support/helpers/stub_experiments.rb
index 7a6154d5ef9..247692d83ee 100644
--- a/spec/support/helpers/stub_experiments.rb
+++ b/spec/support/helpers/stub_experiments.rb
@@ -3,15 +3,15 @@
 module StubExperiments
   # Stub Experiment with `key: true/false`
   #
-  # @param [Hash] experiment where key is feature name and value is boolean whether enabled or not.
+  # @param [Hash] experiment where key is feature name and value is boolean whether active or not.
   #
   # Examples
-  # - `stub_experiment(signup_flow: false)` ... Disable `signup_flow` experiment globally.
+  # - `stub_experiment(signup_flow: false)` ... Disables `signup_flow` experiment.
   def stub_experiment(experiments)
-    allow(Gitlab::Experimentation).to receive(:enabled?).and_call_original
+    allow(Gitlab::Experimentation).to receive(:active?).and_call_original
 
     experiments.each do |experiment_key, enabled|
-      allow(Gitlab::Experimentation).to receive(:enabled?).with(experiment_key) { enabled }
+      allow(Gitlab::Experimentation).to receive(:active?).with(experiment_key) { enabled }
     end
   end
 
@@ -20,12 +20,12 @@ module StubExperiments
   # @param [Hash] experiment where key is feature name and value is boolean whether enabled or not.
   #
   # Examples
-  # - `stub_experiment_for_user(signup_flow: false)` ... Disable `signup_flow` experiment for user.
-  def stub_experiment_for_user(experiments)
-    allow(Gitlab::Experimentation).to receive(:enabled_for_value?).and_call_original
+  # - `stub_experiment_for_subject(signup_flow: false)` ... Disable `signup_flow` experiment for user.
+  def stub_experiment_for_subject(experiments)
+    allow(Gitlab::Experimentation).to receive(:in_experiment_group?).and_call_original
 
     experiments.each do |experiment_key, enabled|
-      allow(Gitlab::Experimentation).to receive(:enabled_for_value?).with(experiment_key, anything) { enabled }
+      allow(Gitlab::Experimentation).to receive(:in_experiment_group?).with(experiment_key, anything) { enabled }
     end
   end
 end
diff --git a/spec/support/helpers/stub_object_storage.rb b/spec/support/helpers/stub_object_storage.rb
index dba3d2b137e..dc54a21d0fa 100644
--- a/spec/support/helpers/stub_object_storage.rb
+++ b/spec/support/helpers/stub_object_storage.rb
@@ -22,6 +22,16 @@ module StubObjectStorage
         background_upload: false,
         direct_upload: false
   )
+    new_config = config.to_h.deep_symbolize_keys.merge({
+      enabled: enabled,
+      proxy_download: proxy_download,
+      background_upload: background_upload,
+      direct_upload: direct_upload
+    })
+
+    # Needed for ObjectStorage::Config compatibility
+    allow(config).to receive(:to_hash).and_return(new_config)
+    allow(config).to receive(:to_h).and_return(new_config)
     allow(config).to receive(:enabled) { enabled }
     allow(config).to receive(:proxy_download) { proxy_download }
     allow(config).to receive(:background_upload) { background_upload }
@@ -84,13 +94,6 @@ module StubObjectStorage
 
   def stub_terraform_state_object_storage(**params)
     stub_object_storage_uploader(config: Gitlab.config.terraform_state.object_store,
-                                 uploader: Terraform::VersionedStateUploader,
-                                 remote_directory: 'terraform',
-                                 **params)
-  end
-
-  def stub_terraform_state_version_object_storage(**params)
-    stub_object_storage_uploader(config: Gitlab.config.terraform_state.object_store,
                                  uploader: Terraform::StateUploader,
                                  remote_directory: 'terraform',
                                  **params)
diff --git a/spec/support/helpers/test_env.rb b/spec/support/helpers/test_env.rb
index 4c78ca0117c..01571277a1d 100644
--- a/spec/support/helpers/test_env.rb
+++ b/spec/support/helpers/test_env.rb
@@ -168,6 +168,11 @@ module TestEnv
       version: Gitlab::GitalyClient.expected_server_version,
       task: "gitlab:gitaly:install[#{install_gitaly_args}]") do
         Gitlab::SetupHelper::Gitaly.create_configuration(gitaly_dir, { 'default' => repos_path }, force: true)
+        Gitlab::SetupHelper::Gitaly.create_configuration(
+          gitaly_dir,
+          { 'default' => repos_path }, force: true,
+          options: { gitaly_socket: "gitaly2.socket", config_filename: "gitaly2.config.toml" }
+        )
         Gitlab::SetupHelper::Praefect.create_configuration(gitaly_dir, { 'praefect' => repos_path }, force: true)
       end
 
@@ -241,15 +246,38 @@ module TestEnv
   end
 
   def setup_workhorse
-    install_workhorse_args = [workhorse_dir, workhorse_url].compact.join(',')
-
-    component_timed_setup(
-      'GitLab Workhorse',
-      install_dir: workhorse_dir,
-      version: Gitlab::Workhorse.version,
-      task: "gitlab:workhorse:install[#{install_workhorse_args}]") do
-        Gitlab::SetupHelper::Workhorse.create_configuration(workhorse_dir, nil)
-      end
+    start = Time.now
+    return if skip_compile_workhorse?
+
+    puts "\n==> Setting up GitLab Workhorse..."
+
+    FileUtils.rm_rf(workhorse_dir)
+    Gitlab::SetupHelper::Workhorse.compile_into(workhorse_dir)
+    Gitlab::SetupHelper::Workhorse.create_configuration(workhorse_dir, nil)
+
+    File.write(workhorse_tree_file, workhorse_tree) if workhorse_source_clean?
+
+    puts "    GitLab Workhorse set up in #{Time.now - start} seconds...\n"
+  end
+
+  def skip_compile_workhorse?
+    File.directory?(workhorse_dir) &&
+      workhorse_source_clean? &&
+      File.exist?(workhorse_tree_file) &&
+      workhorse_tree == File.read(workhorse_tree_file)
+  end
+
+  def workhorse_source_clean?
+    out = IO.popen(%w[git status --porcelain workhorse], &:read)
+    $?.success? && out.empty?
+  end
+
+  def workhorse_tree
+    IO.popen(%w[git rev-parse HEAD:workhorse], &:read)
+  end
+
+  def workhorse_tree_file
+    File.join(workhorse_dir, 'WORKHORSE_TREE')
   end
 
   def workhorse_dir
@@ -260,7 +288,7 @@ module TestEnv
     host = "[#{host}]" if host.include?(':')
     listen_addr = [host, port].join(':')
 
-    config_path = Gitlab::SetupHelper::Workhorse.get_config_path(workhorse_dir)
+    config_path = Gitlab::SetupHelper::Workhorse.get_config_path(workhorse_dir, {})
 
     # This should be set up in setup_workhorse, but since
     # component_needs_update? only checks that versions are consistent,
diff --git a/spec/support/helpers/usage_data_helpers.rb b/spec/support/helpers/usage_data_helpers.rb
index 8e8aeea2ea1..df79049123d 100644
--- a/spec/support/helpers/usage_data_helpers.rb
+++ b/spec/support/helpers/usage_data_helpers.rb
@@ -85,6 +85,7 @@ module UsageDataHelpers
       projects
       projects_imported_from_github
       projects_asana_active
+      projects_jenkins_active
       projects_jira_active
       projects_jira_server_active
       projects_jira_cloud_active
@@ -161,7 +162,6 @@ module UsageDataHelpers
       git
       gitaly
       database
-      avg_cycle_analytics
       prometheus_metrics_enabled
       web_ide_clientside_preview_enabled
       ingress_modsecurity_enabled
diff --git a/spec/support/helpers/workhorse_helpers.rb b/spec/support/helpers/workhorse_helpers.rb
index 7e95f49aea2..cd8387de686 100644
--- a/spec/support/helpers/workhorse_helpers.rb
+++ b/spec/support/helpers/workhorse_helpers.rb
@@ -85,15 +85,15 @@ module WorkhorseHelpers
 
     return {} if upload_params.empty?
 
-    { "#{key}.gitlab-workhorse-upload" => jwt_token('upload' => upload_params) }
+    { "#{key}.gitlab-workhorse-upload" => jwt_token(data: { 'upload' => upload_params }) }
   end
 
-  def jwt_token(data = {}, issuer: 'gitlab-workhorse', secret: Gitlab::Workhorse.secret, algorithm: 'HS256')
+  def jwt_token(data: {}, issuer: 'gitlab-workhorse', secret: Gitlab::Workhorse.secret, algorithm: 'HS256')
     JWT.encode({ 'iss' => issuer }.merge(data), secret, algorithm)
   end
 
   def workhorse_rewritten_fields_header(fields)
-    { Gitlab::Middleware::Multipart::RACK_ENV_KEY => jwt_token('rewritten_fields' => fields) }
+    { Gitlab::Middleware::Multipart::RACK_ENV_KEY => jwt_token(data: { 'rewritten_fields' => fields }) }
   end
 
   def workhorse_disk_accelerated_file_params(key, file)
diff --git a/spec/support/import_export/common_util.rb b/spec/support/import_export/common_util.rb
index ae951ea35af..a6b395ad4d5 100644
--- a/spec/support/import_export/common_util.rb
+++ b/spec/support/import_export/common_util.rb
@@ -70,9 +70,12 @@ module ImportExport
       )
     end
 
-    def get_shared_env(path:)
+    def get_shared_env(path:, logger: nil)
+      logger ||= double(info: true, warn: true, error: true)
+
       instance_double(Gitlab::ImportExport::Shared).tap do |shared|
         allow(shared).to receive(:export_path).and_return(path)
+        allow(shared).to receive(:logger).and_return(logger)
       end
     end
 
diff --git a/spec/support/matchers/access_matchers.rb b/spec/support/matchers/access_matchers.rb
index c9ff777f604..acf5fb0944f 100644
--- a/spec/support/matchers/access_matchers.rb
+++ b/spec/support/matchers/access_matchers.rb
@@ -52,7 +52,7 @@ module AccessMatchers
       emulate_user(user, @membership)
       visit(url)
 
-      status_code == 200 && current_path != new_user_session_path
+      status_code == 200 && !current_path.in?([new_user_session_path, new_admin_session_path])
     end
 
     chain :of do |membership|
@@ -67,7 +67,7 @@ module AccessMatchers
       emulate_user(user, @membership)
       visit(url)
 
-      [401, 404].include?(status_code) || current_path == new_user_session_path
+      [401, 404, 403].include?(status_code) || current_path.in?([new_user_session_path, new_admin_session_path])
     end
 
     chain :of do |membership|
diff --git a/spec/support/matchers/be_valid_json.rb b/spec/support/matchers/be_valid_json.rb
new file mode 100644
index 00000000000..f46c35c7198
--- /dev/null
+++ b/spec/support/matchers/be_valid_json.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+RSpec::Matchers.define :be_valid_json do
+  def according_to_schema(schema)
+    @schema = schema
+    self
+  end
+
+  match do |actual|
+    data = Gitlab::Json.parse(actual)
+
+    if @schema.present?
+      @validation_errors = JSON::Validator.fully_validate(@schema, data)
+      @validation_errors.empty?
+    else
+      data.present?
+    end
+  rescue JSON::ParserError => e
+    @error = e
+    false
+  end
+
+  def failure_message
+    if @error
+      "Parse failed with error: #{@error}"
+    elsif @validation_errors.present?
+      "Validation failed because #{@validation_errors.join(', and ')}"
+    else
+      "Parsing did not return any data"
+    end
+  end
+end
diff --git a/spec/support/matchers/exceed_query_limit.rb b/spec/support/matchers/exceed_query_limit.rb
index 04482d3bfb8..7a66eff3a41 100644
--- a/spec/support/matchers/exceed_query_limit.rb
+++ b/spec/support/matchers/exceed_query_limit.rb
@@ -3,6 +3,13 @@
 module ExceedQueryLimitHelpers
   MARGINALIA_ANNOTATION_REGEX = %r{\s*\/\*.*\*\/}.freeze
 
+  DB_QUERY_RE = Regexp.union([
+    /^(?<prefix>SELECT .* FROM "?[a-z_]+"?) (?<suffix>.*)$/m,
+    /^(?<prefix>UPDATE "?[a-z_]+"?) (?<suffix>.*)$/m,
+    /^(?<prefix>INSERT INTO "[a-z_]+" \((?:"[a-z_]+",?\s?)+\)) (?<suffix>.*)$/m,
+    /^(?<prefix>DELETE FROM "[a-z_]+") (?<suffix>.*)$/m
+  ]).freeze
+
   def with_threshold(threshold)
     @threshold = threshold
     self
@@ -13,41 +20,129 @@ module ExceedQueryLimitHelpers
     self
   end
 
+  def show_common_queries
+    @show_common_queries = true
+    self
+  end
+
+  def ignoring(pattern)
+    @ignoring_pattern = pattern
+    self
+  end
+
   def threshold
     @threshold.to_i
   end
 
   def expected_count
     if expected.is_a?(ActiveRecord::QueryRecorder)
-      expected.count
+      query_recorder_count(expected)
     else
       expected
     end
   end
 
   def actual_count
-    @actual_count ||= if @query
-                        recorder.log.select { |recorded| recorded =~ @query }.size
-                      else
-                        recorder.count
-                      end
+    @actual_count ||= query_recorder_count(recorder)
+  end
+
+  def query_recorder_count(query_recorder)
+    return query_recorder.count unless @query || @ignoring_pattern
+
+    query_log(query_recorder).size
+  end
+
+  def query_log(query_recorder)
+    filtered = query_recorder.log
+    filtered = filtered.select { |q| q =~ @query } if @query
+    filtered = filtered.reject { |q| q =~ @ignoring_pattern } if @ignoring_pattern
+    filtered
   end
 
   def recorder
     @recorder ||= ActiveRecord::QueryRecorder.new(skip_cached: skip_cached, &@subject_block)
   end
 
-  def count_queries(queries)
-    queries.each_with_object(Hash.new(0)) { |query, counts| counts[query] += 1 }
+  # Take a query recorder and tabulate the frequencies of suffixes for each prefix.
+  #
+  # @return Hash[String, Hash[String, Int]]
+  #
+  # Example:
+  #
+  # r = ActiveRecord::QueryRecorder.new do
+  #   SomeTable.create(x: 1, y: 2, z: 3)
+  #   SomeOtherTable.where(id: 1).first
+  #   SomeTable.create(x: 4, y: 5, z: 6)
+  #   SomeOtherTable.all
+  # end
+  # count_queries(r)
+  # #=>
+  #  {
+  #    'INSERT INTO "some_table" VALUES' => {
+  #      '(1,2,3)' => 1,
+  #      '(4,5,6)' => 1
+  #    },
+  #    'SELECT * FROM "some_other_table"' => {
+  #      'WHERE id = 1 LIMIT 1' => 1,
+  #      '' => 2
+  #    }
+  #  }
+  def count_queries(query_recorder)
+    strip_marginalia_annotations(query_log(query_recorder))
+      .map { |q| query_group_key(q) }
+      .group_by { |k| k[:prefix] }
+      .transform_values { |keys| frequencies(:suffix, keys) }
+  end
+
+  def frequencies(key, things)
+    things.group_by { |x| x[key] }.transform_values(&:size)
+  end
+
+  def query_group_key(query)
+    DB_QUERY_RE.match(query) || { prefix: query, suffix: '' }
+  end
+
+  def diff_query_counts(expected, actual)
+    expected_counts = expected.transform_values do |suffixes|
+      suffixes.transform_values { |n| [n, 0] }
+    end
+    recorded_counts = actual.transform_values do |suffixes|
+      suffixes.transform_values { |n| [0, n] }
+    end
+
+    combined_counts = expected_counts.merge(recorded_counts) do |_k, exp, got|
+      exp.merge(got) do |_k, exp_counts, got_counts|
+        exp_counts.zip(got_counts).map { |a, b| a + b }
+      end
+    end
+
+    unless @show_common_queries
+      combined_counts = combined_counts.transform_values do |suffs|
+        suffs.reject { |_k, counts| counts.first == counts.second }
+      end
+    end
+
+    combined_counts.reject { |_prefix, suffs| suffs.empty? }
+  end
+
+  def diff_query_group_message(query, suffixes)
+    suffix_messages = suffixes.map do |s, counts|
+      "-- (expected: #{counts.first}, got: #{counts.second})\n   #{s}"
+    end
+
+    "#{query}...\n#{suffix_messages.join("\n")}"
   end
 
   def log_message
     if expected.is_a?(ActiveRecord::QueryRecorder)
-      counts = count_queries(strip_marginalia_annotations(expected.log))
-      extra_queries = strip_marginalia_annotations(@recorder.log).reject { |query| counts[query] -= 1 unless counts[query] == 0 }
-      extra_queries_display = count_queries(extra_queries).map { |query, count| "[#{count}] #{query}" }
-
-      (['Extra queries:'] + extra_queries_display).join("\n\n")
+      diff_counts = diff_query_counts(count_queries(expected), count_queries(@recorder))
+      sections = diff_counts.map { |q, suffixes| diff_query_group_message(q, suffixes) }
+
+      <<~MSG
+      Query Diff:
+      -----------
+      #{sections.join("\n\n")}
+      MSG
     else
       @recorder.log_message
     end
diff --git a/spec/support/services/issuable_import_csv_service_shared_examples.rb b/spec/support/services/issuable_import_csv_service_shared_examples.rb
index 20ac2ff5c7c..f68750bec32 100644
--- a/spec/support/services/issuable_import_csv_service_shared_examples.rb
+++ b/spec/support/services/issuable_import_csv_service_shared_examples.rb
@@ -26,29 +26,33 @@ RSpec.shared_examples 'issuable import csv service' do |issuable_type|
     end
   end
 
+  shared_examples_for 'invalid file' do
+    it 'returns invalid file error' do
+      expect(subject[:success]).to eq(0)
+      expect(subject[:parse_error]).to eq(true)
+    end
+
+    it_behaves_like 'importer with email notification'
+    it_behaves_like 'an issuable importer'
+  end
+
   describe '#execute' do
-    context 'invalid file' do
+    context 'invalid file extension' do
       let(:file) { fixture_file_upload('spec/fixtures/banana_sample.gif') }
 
-      it 'returns invalid file error' do
-        expect(subject[:success]).to eq(0)
-        expect(subject[:parse_error]).to eq(true)
-      end
+      it_behaves_like 'invalid file'
+    end
 
-      it_behaves_like 'importer with email notification'
-      it_behaves_like 'an issuable importer'
+    context 'empty file' do
+      let(:file) { fixture_file_upload('spec/fixtures/csv_empty.csv') }
+
+      it_behaves_like 'invalid file'
     end
 
     context 'file without headers' do
       let(:file) { fixture_file_upload('spec/fixtures/csv_no_headers.csv') }
 
-      it 'returns invalid file error' do
-        expect(subject[:success]).to eq(0)
-        expect(subject[:parse_error]).to eq(true)
-      end
-
-      it_behaves_like 'importer with email notification'
-      it_behaves_like 'an issuable importer'
+      it_behaves_like 'invalid file'
     end
 
     context 'with a file generated by Gitlab CSV export' do
diff --git a/spec/support/shared_contexts/finders/group_projects_finder_shared_contexts.rb b/spec/support/shared_contexts/finders/group_projects_finder_shared_contexts.rb
index 68ff16922d8..6b15eadc1c1 100644
--- a/spec/support/shared_contexts/finders/group_projects_finder_shared_contexts.rb
+++ b/spec/support/shared_contexts/finders/group_projects_finder_shared_contexts.rb
@@ -9,13 +9,13 @@ RSpec.shared_context 'GroupProjectsFinder context' do
 
   let(:finder) { described_class.new(group: group, current_user: current_user, params: params, options: options) }
 
-  let_it_be(:public_project) { create(:project, :public, group: group, path: '1') }
-  let_it_be(:private_project) { create(:project, :private, group: group, path: '2') }
-  let_it_be(:shared_project_1) { create(:project, :public, path: '3') }
-  let_it_be(:shared_project_2) { create(:project, :private, path: '4') }
-  let_it_be(:shared_project_3) { create(:project, :internal, path: '5') }
-  let_it_be(:subgroup_project) { create(:project, :public, path: '6', group: subgroup) }
-  let_it_be(:subgroup_private_project) { create(:project, :private, path: '7', group: subgroup) }
+  let_it_be(:public_project) { create(:project, :public, group: group, path: '1', name: 'g') }
+  let_it_be(:private_project) { create(:project, :private, group: group, path: '2', name: 'f') }
+  let_it_be(:shared_project_1) { create(:project, :public, path: '3', name: 'e') }
+  let_it_be(:shared_project_2) { create(:project, :private, path: '4', name: 'd') }
+  let_it_be(:shared_project_3) { create(:project, :internal, path: '5', name: 'c') }
+  let_it_be(:subgroup_project) { create(:project, :public, path: '6', group: subgroup, name: 'b') }
+  let_it_be(:subgroup_private_project) { create(:project, :private, path: '7', group: subgroup, name: 'a') }
 
   before do
     shared_project_1.project_group_links.create!(group_access: Gitlab::Access::MAINTAINER, group: group)
diff --git a/spec/support/shared_contexts/finders/merge_requests_finder_shared_contexts.rb b/spec/support/shared_contexts/finders/merge_requests_finder_shared_contexts.rb
index 88c31bf9cfd..4c003dff947 100644
--- a/spec/support/shared_contexts/finders/merge_requests_finder_shared_contexts.rb
+++ b/spec/support/shared_contexts/finders/merge_requests_finder_shared_contexts.rb
@@ -54,19 +54,19 @@ RSpec.shared_context 'MergeRequestsFinder multiple projects with merge requests
   let!(:label2) { create(:label, project: project1) }
 
   let!(:merge_request1) do
-    create(:merge_request, assignees: [user], author: user,
+    create(:merge_request, assignees: [user], author: user, reviewers: [user2],
            source_project: project2, target_project: project1,
            target_branch: 'merged-target')
   end
 
   let!(:merge_request2) do
-    create(:merge_request, :conflict, assignees: [user], author: user,
+    create(:merge_request, :conflict, assignees: [user], author: user, reviewers: [user2],
            source_project: project2, target_project: project1,
            state: 'closed')
   end
 
   let!(:merge_request3) do
-    create(:merge_request, :simple, author: user, assignees: [user2],
+    create(:merge_request, :simple, author: user, assignees: [user2], reviewers: [user],
            source_project: project2, target_project: project2,
            state: 'locked',
            title: 'thing WIP thing')
diff --git a/spec/support/shared_contexts/issuable/merge_request_shared_context.rb b/spec/support/shared_contexts/issuable/merge_request_shared_context.rb
index 79fc42e73c7..0fee170a35d 100644
--- a/spec/support/shared_contexts/issuable/merge_request_shared_context.rb
+++ b/spec/support/shared_contexts/issuable/merge_request_shared_context.rb
@@ -1,8 +1,35 @@
 # frozen_string_literal: true
 
-RSpec.shared_context 'merge request show action' do
+RSpec.shared_context 'open merge request show action' do
+  include Spec::Support::Helpers::Features::MergeRequestHelpers
+
+  let(:user) { create(:user) }
+  let(:project) { create(:project, :public, :repository) }
+  let(:note) { create(:note_on_merge_request, project: project, noteable: open_merge_request) }
+
+  let(:open_merge_request) do
+    create(:merge_request, :opened, source_project: project, author: user)
+  end
+
+  before do
+    assign(:project, project)
+    assign(:merge_request, open_merge_request)
+    assign(:note, note)
+    assign(:noteable, open_merge_request)
+    assign(:notes, [])
+    assign(:pipelines, Ci::Pipeline.none)
+    assign(:issuable_sidebar, serialize_issuable_sidebar(user, project, open_merge_request))
+
+    preload_view_requirements(open_merge_request, note)
+
+    sign_in(user)
+  end
+end
+
+RSpec.shared_context 'closed merge request show action' do
   include Devise::Test::ControllerHelpers
   include ProjectForksHelper
+  include Spec::Support::Helpers::Features::MergeRequestHelpers
 
   let(:user) { create(:user) }
   let(:project) { create(:project, :public, :repository) }
@@ -17,13 +44,6 @@ RSpec.shared_context 'merge request show action' do
            author: user)
   end
 
-  def preload_view_requirements
-    # This will load the status fields of the author of the note and merge request
-    # to avoid queries in when rendering the view being tested.
-    closed_merge_request.author.status
-    note.author.status
-  end
-
   before do
     assign(:project, project)
     assign(:merge_request, closed_merge_request)
@@ -34,16 +54,10 @@ RSpec.shared_context 'merge request show action' do
     assign(:pipelines, Ci::Pipeline.none)
     assign(:issuable_sidebar, serialize_issuable_sidebar(user, project, closed_merge_request))
 
-    preload_view_requirements
+    preload_view_requirements(closed_merge_request, note)
 
     allow(view).to receive_messages(current_user: user,
                                     can?: true,
                                     current_application_settings: Gitlab::CurrentSettings.current_application_settings)
   end
-
-  def serialize_issuable_sidebar(user, project, merge_request)
-    MergeRequestSerializer
-      .new(current_user: user, project: project)
-      .represent(closed_merge_request, serializer: 'sidebar')
-  end
 end
diff --git a/spec/support/shared_contexts/lib/gitlab/middleware/with_a_mocked_gitlab_instance_shared_context.rb b/spec/support/shared_contexts/lib/gitlab/middleware/with_a_mocked_gitlab_instance_shared_context.rb
index 3830b89f1ff..5d65c168d8d 100644
--- a/spec/support/shared_contexts/lib/gitlab/middleware/with_a_mocked_gitlab_instance_shared_context.rb
+++ b/spec/support/shared_contexts/lib/gitlab/middleware/with_a_mocked_gitlab_instance_shared_context.rb
@@ -25,7 +25,7 @@ RSpec.shared_context 'with a mocked GitLab instance' do
   let(:request) { Rack::MockRequest.new(rack_stack) }
 
   subject do
-    described_class.new(fake_app).tap do |app|
+    Gitlab::Middleware::ReadOnly.new(fake_app).tap do |app|
       app.extend(observe_env)
     end
   end
diff --git a/spec/support/shared_contexts/navbar_structure_context.rb b/spec/support/shared_contexts/navbar_structure_context.rb
index ed74c3f179f..549dc1cff1d 100644
--- a/spec/support/shared_contexts/navbar_structure_context.rb
+++ b/spec/support/shared_contexts/navbar_structure_context.rb
@@ -14,6 +14,15 @@ RSpec.shared_context 'project navbar structure' do
     }
   end
 
+  let(:security_and_compliance_nav_item) do
+    {
+      nav_item: _('Security & Compliance'),
+      nav_sub_items: [
+        _('Audit Events')
+      ]
+    }
+  end
+
   let(:structure) do
     [
       {
@@ -62,6 +71,7 @@ RSpec.shared_context 'project navbar structure' do
           _('Schedules')
         ]
       },
+      (security_and_compliance_nav_item if Gitlab.ee?),
       {
         nav_item: _('Operations'),
         nav_sub_items: [
@@ -101,8 +111,7 @@ RSpec.shared_context 'project navbar structure' do
           _('Access Tokens'),
           _('Repository'),
           _('CI / CD'),
-          _('Operations'),
-          (_('Audit Events') if Gitlab.ee?)
+          _('Operations')
         ].compact
       }
     ].compact
@@ -128,8 +137,7 @@ RSpec.shared_context 'group navbar structure' do
         _('Projects'),
         _('Repository'),
         _('CI / CD'),
-        _('Webhooks'),
-        _('Audit Events')
+        _('Webhooks')
       ]
     }
   end
@@ -143,6 +151,15 @@ RSpec.shared_context 'group navbar structure' do
     }
   end
 
+  let(:security_and_compliance_nav_item) do
+    {
+      nav_item: _('Security & Compliance'),
+      nav_sub_items: [
+        _('Audit Events')
+      ]
+    }
+  end
+
   let(:push_rules_nav_item) do
     {
       nav_item: _('Push Rules'),
@@ -172,6 +189,7 @@ RSpec.shared_context 'group navbar structure' do
         nav_item: _('Merge Requests'),
         nav_sub_items: []
       },
+      (security_and_compliance_nav_item if Gitlab.ee?),
       (push_rules_nav_item if Gitlab.ee?),
       {
         nav_item: _('Kubernetes'),
diff --git a/spec/support/shared_contexts/policies/group_policy_shared_context.rb b/spec/support/shared_contexts/policies/group_policy_shared_context.rb
index af46e5474b0..e0e2a18cdd2 100644
--- a/spec/support/shared_contexts/policies/group_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/group_policy_shared_context.rb
@@ -30,6 +30,7 @@ RSpec.shared_context 'GroupPolicy context' do
 
   let(:owner_permissions) do
     [
+      :owner_access,
       :admin_group,
       :admin_namespace,
       :admin_group_member,
diff --git a/spec/support/shared_contexts/services_shared_context.rb b/spec/support/shared_contexts/services_shared_context.rb
index 2bd516a2339..320f7564cf9 100644
--- a/spec/support/shared_contexts/services_shared_context.rb
+++ b/spec/support/shared_contexts/services_shared_context.rb
@@ -16,6 +16,8 @@ Service.available_services_names.each do |service|
           hash.merge!(k => 'secrettoken')
         elsif service == 'confluence' && k == :confluence_url
           hash.merge!(k => 'https://example.atlassian.net/wiki')
+        elsif service == 'datadog' && k == :datadog_site
+          hash.merge!(k => 'datadoghq.com')
         elsif k =~ /^(.*_url|url|webhook)/
           hash.merge!(k => "http://example.com")
         elsif service_klass.method_defined?("#{k}?")
@@ -34,8 +36,7 @@ Service.available_services_names.each do |service|
 
     let(:licensed_features) do
       {
-        'github' => :github_project_service_integration,
-        'jenkins' => :jenkins_integration
+        'github' => :github_project_service_integration
       }
     end
 
diff --git a/spec/support/shared_examples/boards/multiple_issue_boards_shared_examples.rb b/spec/support/shared_examples/boards/multiple_issue_boards_shared_examples.rb
index 38a5ed244c4..f89d52f81ad 100644
--- a/spec/support/shared_examples/boards/multiple_issue_boards_shared_examples.rb
+++ b/spec/support/shared_examples/boards/multiple_issue_boards_shared_examples.rb
@@ -85,7 +85,7 @@ RSpec.shared_examples 'multiple issue boards' do
 
       wait_for_requests
 
-      expect(page).to have_selector('.board', count: 5)
+      expect(page).to have_selector('.board', count: 3)
 
       in_boards_switcher_dropdown do
         click_link board.name
@@ -93,7 +93,7 @@ RSpec.shared_examples 'multiple issue boards' do
 
       wait_for_requests
 
-      expect(page).to have_selector('.board', count: 4)
+      expect(page).to have_selector('.board', count: 2)
     end
 
     it 'maintains sidebar state over board switch' do
diff --git a/spec/support/shared_examples/controllers/githubish_import_controller_shared_examples.rb b/spec/support/shared_examples/controllers/githubish_import_controller_shared_examples.rb
index 5a4322f73b6..422282da4d8 100644
--- a/spec/support/shared_examples/controllers/githubish_import_controller_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/githubish_import_controller_shared_examples.rb
@@ -219,7 +219,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
   it 'returns 200 response when the project is imported successfully' do
     allow(Gitlab::LegacyGithubImport::ProjectCreator)
-      .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, access_params, type: provider)
+      .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, type: provider, **access_params)
       .and_return(double(execute: project))
 
     post :create, format: :json
@@ -233,7 +233,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
     project.errors.add(:path, 'is old')
 
     allow(Gitlab::LegacyGithubImport::ProjectCreator)
-      .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, access_params, type: provider)
+      .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, type: provider, **access_params)
       .and_return(double(execute: project))
 
     post :create, format: :json
@@ -244,7 +244,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
   it "touches the etag cache store" do
     allow(Gitlab::LegacyGithubImport::ProjectCreator)
-      .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, access_params, type: provider)
+      .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, type: provider, **access_params)
       .and_return(double(execute: project))
     expect_next_instance_of(Gitlab::EtagCaching::Store) do |store|
       expect(store).to receive(:touch) { "realtime_changes_import_#{provider}_path" }
@@ -257,7 +257,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
     context "when the provider user and GitLab user's usernames match" do
       it "takes the current user's namespace" do
         expect(Gitlab::LegacyGithubImport::ProjectCreator)
-          .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, access_params, type: provider)
+          .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, type: provider, **access_params)
           .and_return(double(execute: project))
 
         post :create, format: :json
@@ -269,7 +269,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
       it "takes the current user's namespace" do
         expect(Gitlab::LegacyGithubImport::ProjectCreator)
-          .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, access_params, type: provider)
+          .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, type: provider, **access_params)
           .and_return(double(execute: project))
 
         post :create, format: :json
@@ -296,7 +296,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
         it "takes the existing namespace" do
           expect(Gitlab::LegacyGithubImport::ProjectCreator)
-            .to receive(:new).with(provider_repo, provider_repo.name, existing_namespace, user, access_params, type: provider)
+            .to receive(:new).with(provider_repo, provider_repo.name, existing_namespace, user, type: provider, **access_params)
             .and_return(double(execute: project))
 
           post :create, format: :json
@@ -308,7 +308,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
           create(:user, username: other_username)
 
           expect(Gitlab::LegacyGithubImport::ProjectCreator)
-            .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, access_params, type: provider)
+            .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, type: provider, **access_params)
             .and_return(double(execute: project))
 
           post :create, format: :json
@@ -327,7 +327,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
         it "takes the new namespace" do
           expect(Gitlab::LegacyGithubImport::ProjectCreator)
-            .to receive(:new).with(provider_repo, provider_repo.name, an_instance_of(Group), user, access_params, type: provider)
+            .to receive(:new).with(provider_repo, provider_repo.name, an_instance_of(Group), user, type: provider, **access_params)
             .and_return(double(execute: project))
 
           post :create, params: { target_namespace: provider_repo.name }, format: :json
@@ -348,7 +348,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
         it "takes the current user's namespace" do
           expect(Gitlab::LegacyGithubImport::ProjectCreator)
-            .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, access_params, type: provider)
+            .to receive(:new).with(provider_repo, provider_repo.name, user.namespace, user, type: provider, **access_params)
             .and_return(double(execute: project))
 
           post :create, format: :json
@@ -366,7 +366,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
       it 'takes the selected namespace and name' do
         expect(Gitlab::LegacyGithubImport::ProjectCreator)
-          .to receive(:new).with(provider_repo, test_name, test_namespace, user, access_params, type: provider)
+          .to receive(:new).with(provider_repo, test_name, test_namespace, user, type: provider, **access_params)
           .and_return(double(execute: project))
 
         post :create, params: { target_namespace: test_namespace.name, new_name: test_name }, format: :json
@@ -374,7 +374,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
       it 'takes the selected name and default namespace' do
         expect(Gitlab::LegacyGithubImport::ProjectCreator)
-          .to receive(:new).with(provider_repo, test_name, user.namespace, user, access_params, type: provider)
+          .to receive(:new).with(provider_repo, test_name, user.namespace, user, type: provider, **access_params)
           .and_return(double(execute: project))
 
         post :create, params: { new_name: test_name }, format: :json
@@ -393,7 +393,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
       it 'takes the selected namespace and name' do
         expect(Gitlab::LegacyGithubImport::ProjectCreator)
-          .to receive(:new).with(provider_repo, test_name, nested_namespace, user, access_params, type: provider)
+          .to receive(:new).with(provider_repo, test_name, nested_namespace, user, type: provider, **access_params)
           .and_return(double(execute: project))
 
         post :create, params: { target_namespace: nested_namespace.full_path, new_name: test_name }, format: :json
@@ -405,7 +405,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
       it 'takes the selected namespace and name' do
         expect(Gitlab::LegacyGithubImport::ProjectCreator)
-          .to receive(:new).with(provider_repo, test_name, kind_of(Namespace), user, access_params, type: provider)
+          .to receive(:new).with(provider_repo, test_name, kind_of(Namespace), user, type: provider, **access_params)
           .and_return(double(execute: project))
 
         post :create, params: { target_namespace: 'foo/bar', new_name: test_name }, format: :json
@@ -413,7 +413,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
       it 'creates the namespaces' do
         allow(Gitlab::LegacyGithubImport::ProjectCreator)
-          .to receive(:new).with(provider_repo, test_name, kind_of(Namespace), user, access_params, type: provider)
+          .to receive(:new).with(provider_repo, test_name, kind_of(Namespace), user, type: provider, **access_params)
           .and_return(double(execute: project))
 
         expect { post :create, params: { target_namespace: 'foo/bar', new_name: test_name }, format: :json }
@@ -422,7 +422,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
       it 'new namespace has the right parent' do
         allow(Gitlab::LegacyGithubImport::ProjectCreator)
-          .to receive(:new).with(provider_repo, test_name, kind_of(Namespace), user, access_params, type: provider)
+          .to receive(:new).with(provider_repo, test_name, kind_of(Namespace), user, type: provider, **access_params)
           .and_return(double(execute: project))
 
         post :create, params: { target_namespace: 'foo/bar', new_name: test_name }, format: :json
@@ -441,7 +441,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
       it 'takes the selected namespace and name' do
         expect(Gitlab::LegacyGithubImport::ProjectCreator)
-          .to receive(:new).with(provider_repo, test_name, kind_of(Namespace), user, access_params, type: provider)
+          .to receive(:new).with(provider_repo, test_name, kind_of(Namespace), user, type: provider, **access_params)
           .and_return(double(execute: project))
 
         post :create, params: { target_namespace: 'foo/foobar/bar', new_name: test_name }, format: :json
@@ -449,7 +449,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
       it 'creates the namespaces' do
         allow(Gitlab::LegacyGithubImport::ProjectCreator)
-          .to receive(:new).with(provider_repo, test_name, kind_of(Namespace), user, access_params, type: provider)
+          .to receive(:new).with(provider_repo, test_name, kind_of(Namespace), user, type: provider, **access_params)
           .and_return(double(execute: project))
 
         expect { post :create, params: { target_namespace: 'foo/foobar/bar', new_name: test_name }, format: :json }
@@ -458,7 +458,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
       it 'does not create a new namespace under the user namespace' do
         expect(Gitlab::LegacyGithubImport::ProjectCreator)
-          .to receive(:new).with(provider_repo, test_name, user.namespace, user, access_params, type: provider)
+          .to receive(:new).with(provider_repo, test_name, user.namespace, user, type: provider, **access_params)
           .and_return(double(execute: project))
 
         expect { post :create, params: { target_namespace: "#{user.namespace_path}/test_group", new_name: test_name }, format: :js }
@@ -472,7 +472,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
       it 'does not take the selected namespace and name' do
         expect(Gitlab::LegacyGithubImport::ProjectCreator)
-          .to receive(:new).with(provider_repo, test_name, user.namespace, user, access_params, type: provider)
+          .to receive(:new).with(provider_repo, test_name, user.namespace, user, type: provider, **access_params)
           .and_return(double(execute: project))
 
         post :create, params: { target_namespace: 'foo/foobar/bar', new_name: test_name }, format: :js
@@ -480,7 +480,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
 
       it 'does not create the namespaces' do
         allow(Gitlab::LegacyGithubImport::ProjectCreator)
-          .to receive(:new).with(provider_repo, test_name, kind_of(Namespace), user, access_params, type: provider)
+          .to receive(:new).with(provider_repo, test_name, kind_of(Namespace), user, type: provider, **access_params)
           .and_return(double(execute: project))
 
         expect { post :create, params: { target_namespace: 'foo/foobar/bar', new_name: test_name }, format: :js }
@@ -497,7 +497,7 @@ RSpec.shared_examples 'a GitHub-ish import controller: POST create' do
         user.update!(can_create_group: false)
 
         expect(Gitlab::LegacyGithubImport::ProjectCreator)
-          .to receive(:new).with(provider_repo, test_name, group, user, access_params, type: provider)
+          .to receive(:new).with(provider_repo, test_name, group, user, type: provider, **access_params)
           .and_return(double(execute: project))
 
         post :create, params: { target_namespace: 'foo', new_name: test_name }, format: :js
diff --git a/spec/support/shared_examples/controllers/repositories/git_http_controller_shared_examples.rb b/spec/support/shared_examples/controllers/repositories/git_http_controller_shared_examples.rb
new file mode 100644
index 00000000000..9b738a4b002
--- /dev/null
+++ b/spec/support/shared_examples/controllers/repositories/git_http_controller_shared_examples.rb
@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples Repositories::GitHttpController do
+  include GitHttpHelpers
+
+  let(:repository_path) { "#{container.full_path}.git" }
+  let(:params) { { repository_path: repository_path } }
+
+  describe 'HEAD #info_refs' do
+    it 'returns 403' do
+      head :info_refs, params: params
+
+      expect(response).to have_gitlab_http_status(:forbidden)
+    end
+  end
+
+  describe 'GET #info_refs' do
+    let(:params) { super().merge(service: 'git-upload-pack') }
+
+    it 'returns 401 for unauthenticated requests to public repositories when http protocol is disabled' do
+      stub_application_setting(enabled_git_access_protocol: 'ssh')
+      allow(controller).to receive(:basic_auth_provided?).and_call_original
+
+      expect(controller).to receive(:http_download_allowed?).and_call_original
+
+      get :info_refs, params: params
+
+      expect(response).to have_gitlab_http_status(:unauthorized)
+    end
+
+    it 'calls the right access checker class with the right object' do
+      allow(controller).to receive(:verify_workhorse_api!).and_return(true)
+
+      access_double = double
+      options = {
+        authentication_abilities: [:download_code],
+        repository_path: repository_path,
+        redirected_path: nil,
+        auth_result_type: :none
+      }
+
+      expect(access_checker_class).to receive(:new)
+        .with(nil, container, 'http', hash_including(options))
+        .and_return(access_double)
+
+      allow(access_double).to receive(:check).and_return(false)
+
+      get :info_refs, params: params
+    end
+
+    context 'with authorized user' do
+      before do
+        request.headers.merge! auth_env(user.username, user.password, nil)
+      end
+
+      it 'returns 200' do
+        get :info_refs, params: params
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+
+      it 'updates the user activity' do
+        expect_next_instance_of(Users::ActivityService) do |activity_service|
+          expect(activity_service).to receive(:execute)
+        end
+
+        get :info_refs, params: params
+      end
+
+      include_context 'parsed logs' do
+        it 'adds user info to the logs' do
+          get :info_refs, params: params
+
+          expect(log_data).to include('username' => user.username,
+                                      'user_id' => user.id,
+                                      'meta.user' => user.username)
+        end
+      end
+    end
+
+    context 'with exceptions' do
+      before do
+        allow(controller).to receive(:authenticate_user).and_return(true)
+        allow(controller).to receive(:verify_workhorse_api!).and_return(true)
+      end
+
+      it 'returns 503 with GRPC Unavailable' do
+        allow(controller).to receive(:access_check).and_raise(GRPC::Unavailable)
+
+        get :info_refs, params: params
+
+        expect(response).to have_gitlab_http_status(:service_unavailable)
+      end
+
+      it 'returns 503 with timeout error' do
+        allow(controller).to receive(:access_check).and_raise(Gitlab::GitAccess::TimeoutError)
+
+        get :info_refs, params: params
+
+        expect(response).to have_gitlab_http_status(:service_unavailable)
+        expect(response.body).to eq 'Gitlab::GitAccess::TimeoutError'
+      end
+    end
+  end
+
+  describe 'POST #git_upload_pack' do
+    before do
+      allow(controller).to receive(:verify_workhorse_api!).and_return(true)
+    end
+
+    it 'returns 200' do
+      post :git_upload_pack, params: params
+
+      expect(response).to have_gitlab_http_status(:ok)
+    end
+  end
+end
diff --git a/spec/support/shared_examples/controllers/wiki_actions_shared_examples.rb b/spec/support/shared_examples/controllers/wiki_actions_shared_examples.rb
index a6ad8fc594c..dcbf494186a 100644
--- a/spec/support/shared_examples/controllers/wiki_actions_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/wiki_actions_shared_examples.rb
@@ -14,6 +14,22 @@ RSpec.shared_examples 'wiki controller actions' do
     sign_in(user)
   end
 
+  shared_examples 'recovers from git timeout' do
+    let(:method_name) { :page }
+
+    context 'when we encounter git command errors' do
+      it 'renders the appropriate template', :aggregate_failures do
+        expect(controller).to receive(method_name) do
+          raise ::Gitlab::Git::CommandTimedOut, 'Deadline Exceeded'
+        end
+
+        request
+
+        expect(response).to render_template('shared/wikis/git_error')
+      end
+    end
+  end
+
   describe 'GET #new' do
     subject(:request) { get :new, params: routing_params }
 
@@ -48,6 +64,12 @@ RSpec.shared_examples 'wiki controller actions' do
       get :pages, params: routing_params.merge(id: wiki_title)
     end
 
+    it_behaves_like 'recovers from git timeout' do
+      subject(:request) { get :pages, params: routing_params.merge(id: wiki_title) }
+
+      let(:method_name) { :wiki_pages }
+    end
+
     it 'assigns the page collections' do
       expect(assigns(:wiki_pages)).to contain_exactly(an_instance_of(WikiPage))
       expect(assigns(:wiki_entries)).to contain_exactly(an_instance_of(WikiPage))
@@ -99,6 +121,12 @@ RSpec.shared_examples 'wiki controller actions' do
       end
     end
 
+    it_behaves_like 'recovers from git timeout' do
+      subject(:request) { get :history, params: routing_params.merge(id: wiki_title) }
+
+      let(:allow_read_wiki)   { true }
+    end
+
     it_behaves_like 'fetching history', :ok do
       let(:allow_read_wiki)   { true }
 
@@ -139,6 +167,10 @@ RSpec.shared_examples 'wiki controller actions' do
         expect(response).to have_gitlab_http_status(:not_found)
       end
     end
+
+    it_behaves_like 'recovers from git timeout' do
+      subject(:request) { get :diff, params: routing_params.merge(id: wiki_title, version_id: wiki.repository.commit.id) }
+    end
   end
 
   describe 'GET #show' do
@@ -151,6 +183,8 @@ RSpec.shared_examples 'wiki controller actions' do
     context 'when page exists' do
       let(:id) { wiki_title }
 
+      it_behaves_like 'recovers from git timeout'
+
       it 'renders the page' do
         request
 
@@ -161,6 +195,28 @@ RSpec.shared_examples 'wiki controller actions' do
         expect(assigns(:sidebar_limited)).to be(false)
       end
 
+      context 'the sidebar fails to load' do
+        before do
+          allow(Wiki).to receive(:for_container).and_return(wiki)
+          wiki.wiki
+          expect(wiki).to receive(:find_sidebar) do
+            raise ::Gitlab::Git::CommandTimedOut, 'Deadline Exceeded'
+          end
+        end
+
+        it 'renders the page, and marks the sidebar as failed' do
+          request
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to render_template('shared/wikis/_sidebar')
+          expect(assigns(:page).title).to eq(wiki_title)
+          expect(assigns(:sidebar_page)).to be_nil
+          expect(assigns(:sidebar_wiki_entries)).to be_nil
+          expect(assigns(:sidebar_limited)).to be_nil
+          expect(assigns(:sidebar_error)).to be_a_kind_of(::Gitlab::Git::CommandError)
+        end
+      end
+
       context 'page view tracking' do
         it_behaves_like 'tracking unique hll events', :track_unique_wiki_page_views do
           let(:target_id) { 'wiki_action' }
@@ -308,6 +364,7 @@ RSpec.shared_examples 'wiki controller actions' do
     subject(:request) { get(:edit, params: routing_params.merge(id: id_param)) }
 
     it_behaves_like 'edit action'
+    it_behaves_like 'recovers from git timeout'
 
     context 'when page content encoding is valid' do
       render_views
@@ -447,6 +504,17 @@ RSpec.shared_examples 'wiki controller actions' do
     end
   end
 
+  describe '#git_access' do
+    render_views
+
+    it 'renders the git access page' do
+      get :git_access, params: routing_params
+
+      expect(response).to render_template('shared/wikis/git_access')
+      expect(response.body).to include(wiki.http_url_to_repo)
+    end
+  end
+
   def redirect_to_wiki(wiki, page)
     redirect_to(controller.wiki_page_path(wiki, page))
   end
diff --git a/spec/support/shared_examples/features/issuable_invite_members_shared_examples.rb b/spec/support/shared_examples/features/issuable_invite_members_shared_examples.rb
index ac1cc2da7e3..3fec1a56c0c 100644
--- a/spec/support/shared_examples/features/issuable_invite_members_shared_examples.rb
+++ b/spec/support/shared_examples/features/issuable_invite_members_shared_examples.rb
@@ -3,7 +3,7 @@
 RSpec.shared_examples 'issuable invite members experiments' do
   context 'when invite_members_version_a experiment is enabled' do
     before do
-      stub_experiment_for_user(invite_members_version_a: true)
+      stub_experiment_for_subject(invite_members_version_a: true)
     end
 
     it 'shows a link for inviting members and follows through to the members page' do
@@ -28,7 +28,7 @@ RSpec.shared_examples 'issuable invite members experiments' do
 
   context 'when invite_members_version_b experiment is enabled' do
     before do
-      stub_experiment_for_user(invite_members_version_b: true)
+      stub_experiment_for_subject(invite_members_version_b: true)
     end
 
     it 'shows a link for inviting members and follows through to modal' do
diff --git a/spec/support/shared_examples/features/master_manages_access_requests_shared_example.rb b/spec/support/shared_examples/features/master_manages_access_requests_shared_example.rb
index 724d6db2705..1dbaace1c89 100644
--- a/spec/support/shared_examples/features/master_manages_access_requests_shared_example.rb
+++ b/spec/support/shared_examples/features/master_manages_access_requests_shared_example.rb
@@ -50,7 +50,6 @@ RSpec.shared_examples 'Maintainer manages access requests' do
   def expect_visible_access_request(entity, user)
     if has_tabs
       expect(page).to have_content "Access requests 1"
-      expect(page).to have_content "Users requesting access to #{entity.name}"
     else
       expect(page).to have_content "Users requesting access to #{entity.name} 1"
     end
diff --git a/spec/support/shared_examples/features/reportable_note_shared_examples.rb b/spec/support/shared_examples/features/reportable_note_shared_examples.rb
index bdaa375721f..288e1df9b2a 100644
--- a/spec/support/shared_examples/features/reportable_note_shared_examples.rb
+++ b/spec/support/shared_examples/features/reportable_note_shared_examples.rb
@@ -29,7 +29,7 @@ RSpec.shared_examples 'reportable note' do |type|
     end
   end
 
-  it 'Report button links to a report page' do
+  it 'report button links to a report page' do
     dropdown = comment.find(more_actions_selector)
     open_dropdown(dropdown)
 
diff --git a/spec/support/shared_examples/features/wiki/user_git_access_wiki_page_shared_examples.rb b/spec/support/shared_examples/features/wiki/user_git_access_wiki_page_shared_examples.rb
new file mode 100644
index 00000000000..d3d2a36147d
--- /dev/null
+++ b/spec/support/shared_examples/features/wiki/user_git_access_wiki_page_shared_examples.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'User views Git access wiki page' do
+  let(:wiki_page) { create(:wiki_page, wiki: wiki) }
+
+  before do
+    sign_in(user)
+  end
+
+  it 'shows the correct clone URLs', :js do
+    visit wiki_page_path(wiki, wiki_page)
+    click_link 'Clone repository'
+
+    expect(page).to have_text("Clone repository #{wiki.full_path}")
+
+    within('.git-clone-holder') do
+      expect(page).to have_css('#clone-dropdown', text: 'HTTP')
+      expect(page).to have_field('clone_url', with: wiki.http_url_to_repo)
+
+      click_link 'HTTP' # open the dropdown
+      click_link 'SSH'  # select the dropdown item
+
+      expect(page).to have_css('#clone-dropdown', text: 'SSH')
+      expect(page).to have_field('clone_url', with: wiki.ssh_url_to_repo)
+    end
+  end
+end
diff --git a/spec/support/shared_examples/features/wiki/user_uses_wiki_shortcuts_shared_examples.rb b/spec/support/shared_examples/features/wiki/user_uses_wiki_shortcuts_shared_examples.rb
index 0330b345a18..759cfaf6b1f 100644
--- a/spec/support/shared_examples/features/wiki/user_uses_wiki_shortcuts_shared_examples.rb
+++ b/spec/support/shared_examples/features/wiki/user_uses_wiki_shortcuts_shared_examples.rb
@@ -12,7 +12,7 @@ RSpec.shared_examples 'User uses wiki shortcuts' do
     visit wiki_page_path(wiki, wiki_page)
   end
 
-  it 'Visit edit wiki page using "e" keyboard shortcut', :js do
+  it 'visit edit wiki page using "e" keyboard shortcut', :js do
     find('body').native.send_key('e')
 
     expect(find('.wiki-page-title')).to have_content('Edit Page')
diff --git a/spec/support/shared_examples/graphql/connection_redaction_shared_examples.rb b/spec/support/shared_examples/graphql/connection_redaction_shared_examples.rb
new file mode 100644
index 00000000000..12a7b3fe414
--- /dev/null
+++ b/spec/support/shared_examples/graphql/connection_redaction_shared_examples.rb
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+# requires:
+#  - `connection` (no-empty, containing `unwanted` and at least one more item)
+#  - `unwanted` (single item in collection)
+RSpec.shared_examples 'a redactable connection' do
+  context 'no redactor set' do
+    it 'contains the unwanted item' do
+      expect(connection.nodes).to include(unwanted)
+    end
+
+    it 'does not redact more than once' do
+      connection.nodes
+      r_state = connection.send(:redaction_state)
+
+      expect(r_state.redacted { raise 'Should not be called!' }).to be_present
+    end
+  end
+
+  let_it_be(:constant_redactor) do
+    Class.new do
+      def initialize(remove)
+        @remove = remove
+      end
+
+      def redact(items)
+        items - @remove
+      end
+    end
+  end
+
+  context 'redactor is set' do
+    let(:redactor) do
+      constant_redactor.new([unwanted])
+    end
+
+    before do
+      connection.redactor = redactor
+    end
+
+    it 'does not contain the unwanted item' do
+      expect(connection.nodes).not_to include(unwanted)
+      expect(connection.nodes).not_to be_empty
+    end
+
+    it 'does not redact more than once' do
+      expect(redactor).to receive(:redact).once.and_call_original
+
+      connection.nodes
+      connection.nodes
+      connection.nodes
+    end
+  end
+end
diff --git a/spec/support/shared_examples/graphql/connection_shared_examples.rb b/spec/support/shared_examples/graphql/connection_shared_examples.rb
new file mode 100644
index 00000000000..4cba5b5a69d
--- /dev/null
+++ b/spec/support/shared_examples/graphql/connection_shared_examples.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'a connection with collection methods' do
+  %i[to_a size include? empty?].each do |method_name|
+    it "responds to #{method_name}" do
+      expect(connection).to respond_to(method_name)
+    end
+  end
+end
diff --git a/spec/support/shared_examples/graphql/design_fields_shared_examples.rb b/spec/support/shared_examples/graphql/design_fields_shared_examples.rb
index ef7086234c4..9c2eb3e5a5c 100644
--- a/spec/support/shared_examples/graphql/design_fields_shared_examples.rb
+++ b/spec/support/shared_examples/graphql/design_fields_shared_examples.rb
@@ -26,27 +26,35 @@ RSpec.shared_examples 'a GraphQL type with design fields' do
   end
 
   describe '#image' do
+    let_it_be(:current_user) { create(:user) }
     let(:schema) { GitlabSchema }
     let(:query) { GraphQL::Query.new(schema) }
-    let(:context) { double('Context', schema: schema, query: query, parent: nil) }
+    let(:context) { query.context }
     let(:field) { described_class.fields['image'] }
     let(:args) { GraphQL::Query::Arguments::NO_ARGS }
-    let(:instance) do
+    let(:instance) { instantiate(object_id) }
+    let(:instance_b) { instantiate(object_id_b) }
+
+    def instantiate(object_id)
       object = GitlabSchema.sync_lazy(GitlabSchema.object_from_id(object_id))
       object_type.authorized_new(object, query.context)
     end
 
-    let(:instance_b) do
-      object_b = GitlabSchema.sync_lazy(GitlabSchema.object_from_id(object_id_b))
-      object_type.authorized_new(object_b, query.context)
+    def resolve_image(instance)
+      field.resolve_field(instance, args, context)
+    end
+
+    before do
+      context[:current_user] = current_user
+      allow(Ability).to receive(:allowed?).with(current_user, :read_design, anything).and_return(true)
+      allow(context).to receive(:parent).and_return(nil)
     end
 
     it 'resolves to the design image URL' do
-      image = field.resolve_field(instance, args, context)
       sha = design.versions.first.sha
       url = ::Gitlab::Routing.url_helpers.project_design_management_designs_raw_image_url(design.project, design, sha)
 
-      expect(image).to eq(url)
+      expect(resolve_image(instance)).to eq(url)
     end
 
     it 'has better than O(N) peformance', :request_store do
@@ -68,10 +76,10 @@ RSpec.shared_examples 'a GraphQL type with design fields' do
       #   = 10
       expect(instance).not_to eq(instance_b) # preload designs themselves.
       expect do
-        image_a = field.resolve_field(instance, args, context)
-        image_b = field.resolve_field(instance, args, context)
-        image_c = field.resolve_field(instance_b, args, context)
-        image_d = field.resolve_field(instance_b, args, context)
+        image_a = resolve_image(instance)
+        image_b = resolve_image(instance)
+        image_c = resolve_image(instance_b)
+        image_d = resolve_image(instance_b)
         expect(image_a).to eq(image_b)
         expect(image_c).not_to eq(image_b)
         expect(image_c).to eq(image_d)
diff --git a/spec/support/shared_examples/graphql/jira_import/jira_import_resolver_shared_examples.rb b/spec/support/shared_examples/graphql/jira_import/jira_import_resolver_shared_examples.rb
deleted file mode 100644
index b2047f1d32c..00000000000
--- a/spec/support/shared_examples/graphql/jira_import/jira_import_resolver_shared_examples.rb
+++ /dev/null
@@ -1,15 +0,0 @@
-# frozen_string_literal: true
-
-RSpec.shared_examples 'no Jira import data present' do
-  it 'returns none' do
-    expect(resolve_imports).to eq JiraImportState.none
-  end
-end
-
-RSpec.shared_examples 'no Jira import access' do
-  it 'raises error' do
-    expect do
-      resolve_imports
-    end.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
-  end
-end
diff --git a/spec/support/shared_examples/graphql/members_shared_examples.rb b/spec/support/shared_examples/graphql/members_shared_examples.rb
index 3a046c3feec..b0bdd27a95f 100644
--- a/spec/support/shared_examples/graphql/members_shared_examples.rb
+++ b/spec/support/shared_examples/graphql/members_shared_examples.rb
@@ -36,9 +36,10 @@ RSpec.shared_examples 'querying members with a group' do
   let_it_be(:group_2_member)    { create(:group_member, user: user_3, group: group_2) }
 
   let(:args) { {} }
+  let(:base_args) { { relations: described_class.arguments['relations'].default_value } }
 
   subject do
-    resolve(described_class, obj: resource, args: args, ctx: { current_user: user_4 })
+    resolve(described_class, obj: resource, args: base_args.merge(args), ctx: { current_user: user_4 })
   end
 
   describe '#resolve' do
@@ -72,7 +73,7 @@ RSpec.shared_examples 'querying members with a group' do
       let_it_be(:other_user) { create(:user) }
 
       subject do
-        resolve(described_class, obj: resource, args: args, ctx: { current_user: other_user })
+        resolve(described_class, obj: resource, args: base_args.merge(args), ctx: { current_user: other_user })
       end
 
       it 'raises an error' do
diff --git a/spec/support/shared_examples/graphql/mutation_shared_examples.rb b/spec/support/shared_examples/graphql/mutation_shared_examples.rb
index b67cac94547..84ebd4852b9 100644
--- a/spec/support/shared_examples/graphql/mutation_shared_examples.rb
+++ b/spec/support/shared_examples/graphql/mutation_shared_examples.rb
@@ -13,6 +13,8 @@ RSpec.shared_examples 'a mutation that returns top-level errors' do |errors: []|
   it do
     post_graphql_mutation(mutation, current_user: current_user)
 
+    expect(graphql_errors).to be_present
+
     error_messages = graphql_errors.map { |e| e['message'] }
 
     expect(error_messages).to match_errors
diff --git a/spec/support/shared_examples/graphql/mutations/boards_create_shared_examples.rb b/spec/support/shared_examples/graphql/mutations/boards_create_shared_examples.rb
index 9c0b398a5c1..2b93d174653 100644
--- a/spec/support/shared_examples/graphql/mutations/boards_create_shared_examples.rb
+++ b/spec/support/shared_examples/graphql/mutations/boards_create_shared_examples.rb
@@ -40,6 +40,30 @@ RSpec.shared_examples 'boards create mutation' do
         end
       end
 
+      context 'when hide_backlog_list parameter is true' do
+        before do
+          params[:hide_backlog_list] = true
+        end
+
+        it 'returns the board with correct hide_backlog_list field' do
+          post_graphql_mutation(mutation, current_user: current_user)
+
+          expect(mutation_response['board']['hideBacklogList']).to eq(true)
+        end
+      end
+
+      context 'when hide_closed_list parameter is true' do
+        before do
+          params[:hide_closed_list] = true
+        end
+
+        it 'returns the board with correct hide_closed_list field' do
+          post_graphql_mutation(mutation, current_user: current_user)
+
+          expect(mutation_response['board']['hideClosedList']).to eq(true)
+        end
+      end
+
       context 'when the Boards::CreateService returns an error response' do
         before do
           allow_next_instance_of(Boards::CreateService) do |service|
diff --git a/spec/support/shared_examples/graphql/mutations/spammable_mutation_fields_examples.rb b/spec/support/shared_examples/graphql/mutations/spammable_mutation_fields_examples.rb
index 54b3f84a6e6..8678b23ad31 100644
--- a/spec/support/shared_examples/graphql/mutations/spammable_mutation_fields_examples.rb
+++ b/spec/support/shared_examples/graphql/mutations/spammable_mutation_fields_examples.rb
@@ -13,7 +13,8 @@ end
 
 RSpec.shared_examples 'can raise spam flag' do
   it 'spam parameters are passed to the service' do
-    expect(service).to receive(:new).with(anything, anything, hash_including(api: true, request: instance_of(ActionDispatch::Request)))
+    args = [anything, anything, hash_including(api: true, request: instance_of(ActionDispatch::Request))]
+    expect(service).to receive(:new).with(*args).and_call_original
 
     subject
   end
@@ -39,7 +40,9 @@ RSpec.shared_examples 'can raise spam flag' do
     end
 
     it 'request parameter is not passed to the service' do
-      expect(service).to receive(:new).with(anything, anything, hash_not_including(request: instance_of(ActionDispatch::Request)))
+      expect(service).to receive(:new)
+        .with(anything, anything, hash_not_including(request: instance_of(ActionDispatch::Request)))
+        .and_call_original
 
       subject
     end
diff --git a/spec/support/shared_examples/graphql/projects/services_resolver_shared_examples.rb b/spec/support/shared_examples/graphql/projects/services_resolver_shared_examples.rb
index 94b7ed1618d..16c2ab07f3a 100644
--- a/spec/support/shared_examples/graphql/projects/services_resolver_shared_examples.rb
+++ b/spec/support/shared_examples/graphql/projects/services_resolver_shared_examples.rb
@@ -2,14 +2,12 @@
 
 RSpec.shared_examples 'no project services' do
   it 'returns empty collection' do
-    expect(resolve_services).to eq []
+    expect(resolve_services).to be_empty
   end
 end
 
 RSpec.shared_examples 'cannot access project services' do
   it 'raises error' do
-    expect do
-      resolve_services
-    end.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+    expect(resolve_services).to be_nil
   end
 end
diff --git a/spec/support/shared_examples/graphql/sorted_paginated_query_shared_examples.rb b/spec/support/shared_examples/graphql/sorted_paginated_query_shared_examples.rb
index 7627a7b4d59..f78ea364147 100644
--- a/spec/support/shared_examples/graphql/sorted_paginated_query_shared_examples.rb
+++ b/spec/support/shared_examples/graphql/sorted_paginated_query_shared_examples.rb
@@ -16,80 +16,111 @@
 #
 # Example:
 #   describe 'sorting and pagination' do
-#     let(:sort_project) { create(:project, :public) }
+#     let_it_be(:sort_project) { create(:project, :public) }
 #     let(:data_path)    { [:project, :issues] }
 #
-#     def pagination_query(params, page_info)
-#       graphql_query_for(
-#         'project',
-#         { 'fullPath' => sort_project.full_path },
-#         query_graphql_field('issues', params, "#{page_info} edges { node { id } }")
+#     def pagination_query(arguments)
+#       graphql_query_for(:project, { full_path: sort_project.full_path },
+#         query_nodes(:issues, :iid, include_pagination_info: true, args: arguments)
 #       )
 #     end
 #
-#     def pagination_results_data(data)
-#       data.map { |issue| issue.dig('node', 'iid').to_i }
+#     # A method transforming nodes to data to match against
+#     # default: the identity function
+#     def pagination_results_data(issues)
+#       issues.map { |issue| issue['iid].to_i }
 #     end
 #
 #     context 'when sorting by weight' do
-#       ...
+#       let_it_be(:issues) { make_some_issues_with_weights }
+#
 #       context 'when ascending' do
+#         let(:ordered_issues) { issues.sort_by(&:weight) }
+#
 #         it_behaves_like 'sorted paginated query' do
-#           let(:sort_param)       { 'WEIGHT_ASC' }
+#           let(:sort_param)       { :WEIGHT_ASC }
 #           let(:first_param)      { 2 }
-#           let(:expected_results) { [weight_issue3.iid, weight_issue5.iid, weight_issue1.iid, weight_issue4.iid, weight_issue2.iid] }
+#           let(:expected_results) { ordered_issues.map(&:iid) }
 #         end
 #       end
 #
 RSpec.shared_examples 'sorted paginated query' do
+  # Provided as a convenience when constructing queries using string concatenation
+  let(:page_info) { 'pageInfo { startCursor endCursor }' }
+  # Convenience for using default implementation of pagination_results_data
+  let(:node_path) { ['id'] }
+
   it_behaves_like 'requires variables' do
     let(:required_variables) { [:sort_param, :first_param, :expected_results, :data_path, :current_user] }
   end
 
   describe do
-    let(:sort_argument)  { "sort: #{sort_param}" if sort_param.present? }
-    let(:first_argument) { "first: #{first_param}" if first_param.present? }
+    let(:sort_argument)  { graphql_args(sort: sort_param) }
     let(:params)         { sort_argument }
-    let(:start_cursor)   { graphql_data_at(*data_path, :pageInfo, :startCursor) }
-    let(:end_cursor)     { graphql_data_at(*data_path, :pageInfo, :endCursor) }
-    let(:sorted_edges)   { graphql_data_at(*data_path, :edges) }
-    let(:page_info)      { "pageInfo { startCursor endCursor }" }
 
-    def pagination_query(params, page_info)
-      raise('pagination_query(params, page_info) must be defined in the test, see example in comment') unless defined?(super)
+    # Convenience helper for the large number of queries defined as a projection
+    # from some root value indexed by full_path to a collection of objects with IID
+    def nested_internal_id_query(root_field, parent, field, args, selection: :iid)
+      graphql_query_for(root_field, { full_path: parent.full_path },
+        query_nodes(field, selection, args: args, include_pagination_info: true)
+      )
+    end
+
+    def pagination_query(params)
+      raise('pagination_query(params) must be defined in the test, see example in comment') unless defined?(super)
 
       super
     end
 
-    def pagination_results_data(data)
-      raise('pagination_results_data(data) must be defined in the test, see example in comment') unless defined?(super)
+    def pagination_results_data(nodes)
+      if defined?(super)
+        super(nodes)
+      else
+        nodes.map { |n| n.dig(*node_path) }
+      end
+    end
+
+    def results
+      nodes = graphql_dig_at(graphql_data(fresh_response_data), *data_path, :nodes)
+      pagination_results_data(nodes)
+    end
+
+    def end_cursor
+      graphql_dig_at(graphql_data(fresh_response_data), *data_path, :page_info, :end_cursor)
+    end
 
-      super(data)
+    def start_cursor
+      graphql_dig_at(graphql_data(fresh_response_data), *data_path, :page_info, :start_cursor)
     end
 
+    let(:query) { pagination_query(params) }
+
     before do
-      post_graphql(pagination_query(params, page_info), current_user: current_user)
+      post_graphql(query, current_user: current_user)
     end
 
     context 'when sorting' do
       it 'sorts correctly' do
-        expect(pagination_results_data(sorted_edges)).to eq expected_results
+        expect(results).to eq expected_results
       end
 
       context 'when paginating' do
-        let(:params) { [sort_argument, first_argument].compact.join(',') }
+        let(:params) { sort_argument.merge(first: first_param) }
+        let(:first_page) { expected_results.first(first_param) }
+        let(:rest) { expected_results.drop(first_param) }
 
         it 'paginates correctly' do
-          expect(pagination_results_data(sorted_edges)).to eq expected_results.first(first_param)
+          expect(results).to eq first_page
 
-          cursored_query = pagination_query([sort_argument, "after: \"#{end_cursor}\""].compact.join(','), page_info)
-          post_graphql(cursored_query, current_user: current_user)
+          fwds = pagination_query(sort_argument.merge(after: end_cursor))
+          post_graphql(fwds, current_user: current_user)
 
-          expect(response).to have_gitlab_http_status(:ok)
+          expect(results).to eq rest
 
-          response_data = graphql_dig_at(Gitlab::Json.parse(response.body), :data, *data_path, :edges)
+          bwds = pagination_query(sort_argument.merge(before: start_cursor))
+          post_graphql(bwds, current_user: current_user)
 
-          expect(pagination_results_data(response_data)).to eq expected_results.drop(first_param)
+          expect(results).to eq first_page
         end
       end
     end
diff --git a/spec/support/shared_examples/graphql/types/gitlab_style_deprecations_shared_examples.rb b/spec/support/shared_examples/graphql/types/gitlab_style_deprecations_shared_examples.rb
index ed139e638bf..269e9170906 100644
--- a/spec/support/shared_examples/graphql/types/gitlab_style_deprecations_shared_examples.rb
+++ b/spec/support/shared_examples/graphql/types/gitlab_style_deprecations_shared_examples.rb
@@ -32,16 +32,16 @@ RSpec.shared_examples 'Gitlab-style deprecations' do
   it 'adds a formatted `deprecated_reason` to the subject' do
     deprecable = subject(deprecated: { milestone: '1.10', reason: 'Deprecation reason' })
 
-    expect(deprecable.deprecation_reason).to eq('Deprecation reason. Deprecated in 1.10')
+    expect(deprecable.deprecation_reason).to eq('Deprecation reason. Deprecated in 1.10.')
   end
 
   it 'appends to the description if given' do
     deprecable = subject(
       deprecated: { milestone: '1.10', reason: 'Deprecation reason' },
-      description: 'Deprecable description'
+      description: 'Deprecable description.'
     )
 
-    expect(deprecable.description).to eq('Deprecable description. Deprecated in 1.10: Deprecation reason')
+    expect(deprecable.description).to eq('Deprecable description. Deprecated in 1.10: Deprecation reason.')
   end
 
   it 'does not append to the description if it is absent' do
diff --git a/spec/support/shared_examples/lib/gitlab/diff_file_collections_shared_examples.rb b/spec/support/shared_examples/lib/gitlab/diff_file_collections_shared_examples.rb
index 469c0c287b1..c9e03ced0dd 100644
--- a/spec/support/shared_examples/lib/gitlab/diff_file_collections_shared_examples.rb
+++ b/spec/support/shared_examples/lib/gitlab/diff_file_collections_shared_examples.rb
@@ -143,3 +143,55 @@ RSpec.shared_examples 'cacheable diff collection' do
     end
   end
 end
+
+shared_examples_for 'sortable diff files' do
+  subject { described_class.new(diffable, **collection_default_args) }
+
+  describe '#raw_diff_files' do
+    let(:raw_diff_files_paths) do
+      subject.raw_diff_files(sorted: sorted).map { |file| file.new_path.presence || file.old_path }
+    end
+
+    context 'when sorted is false (default)' do
+      let(:sorted) { false }
+
+      it 'returns unsorted diff files' do
+        expect(raw_diff_files_paths).to eq(unsorted_diff_files_paths)
+      end
+    end
+
+    context 'when sorted is true' do
+      let(:sorted) { true }
+
+      it 'returns sorted diff files' do
+        expect(raw_diff_files_paths).to eq(sorted_diff_files_paths)
+      end
+
+      context 'when sort_diffs feature flag is disabled' do
+        before do
+          stub_feature_flags(sort_diffs: false)
+        end
+
+        it 'returns unsorted diff files' do
+          expect(raw_diff_files_paths).to eq(unsorted_diff_files_paths)
+        end
+      end
+    end
+  end
+end
+
+shared_examples_for 'unsortable diff files' do
+  subject { described_class.new(diffable, **collection_default_args) }
+
+  describe '#raw_diff_files' do
+    it 'does not call Gitlab::Diff::FileCollectionSorter even when sorted is true' do
+      # Ensure that diffable is created before expectation to ensure that we are
+      # not calling it from `FileCollectionSorter` from `#raw_diff_files`.
+      diffable
+
+      expect(Gitlab::Diff::FileCollectionSorter).not_to receive(:new)
+
+      subject.raw_diff_files(sorted: true)
+    end
+  end
+end
diff --git a/spec/support/shared_examples/lib/gitlab/import_export/import_failure_service_shared_examples.rb b/spec/support/shared_examples/lib/gitlab/import_export/import_failure_service_shared_examples.rb
index 801be5ae946..67afd2035c4 100644
--- a/spec/support/shared_examples/lib/gitlab/import_export/import_failure_service_shared_examples.rb
+++ b/spec/support/shared_examples/lib/gitlab/import_export/import_failure_service_shared_examples.rb
@@ -3,10 +3,10 @@
 RSpec.shared_examples 'log import failure' do |importable_column|
   it 'tracks error' do
     extra = {
-              source: action,
-              relation_key: relation_key,
-              relation_index: relation_index,
-              retry_count: retry_count
+      source: action,
+      relation_name: relation_key,
+      relation_index: relation_index,
+      retry_count: retry_count
     }
     extra[importable_column] = importable.id
 
diff --git a/spec/support/shared_examples/lib/gitlab/middleware/read_only_gitlab_instance_shared_examples.rb b/spec/support/shared_examples/lib/gitlab/middleware/read_only_gitlab_instance_shared_examples.rb
index e07d3e2dec9..5b3d30df739 100644
--- a/spec/support/shared_examples/lib/gitlab/middleware/read_only_gitlab_instance_shared_examples.rb
+++ b/spec/support/shared_examples/lib/gitlab/middleware/read_only_gitlab_instance_shared_examples.rb
@@ -125,6 +125,9 @@ RSpec.shared_examples 'write access for a read-only GitLab instance' do
       where(:description, :path) do
         'LFS request to batch'        | '/root/rouge.git/info/lfs/objects/batch'
         'request to git-upload-pack'  | '/root/rouge.git/git-upload-pack'
+        'user sign out'               | '/users/sign_out'
+        'admin session'               | '/admin/session'
+        'admin session destroy'       | '/admin/session/destroy'
       end
 
       with_them do
diff --git a/spec/support/shared_examples/lib/gitlab/sidekiq_middleware/strategy_shared_examples.rb b/spec/support/shared_examples/lib/gitlab/sidekiq_middleware/strategy_shared_examples.rb
index 2936bb354cf..89b793d5e16 100644
--- a/spec/support/shared_examples/lib/gitlab/sidekiq_middleware/strategy_shared_examples.rb
+++ b/spec/support/shared_examples/lib/gitlab/sidekiq_middleware/strategy_shared_examples.rb
@@ -38,7 +38,7 @@ RSpec.shared_examples 'deduplicating jobs when scheduling' do |strategy_name|
       it 'adds the jid of the existing job to the job hash' do
         allow(fake_duplicate_job).to receive(:scheduled?).and_return(false)
         allow(fake_duplicate_job).to receive(:check!).and_return('the jid')
-        allow(fake_duplicate_job).to receive(:droppable?).and_return(true)
+        allow(fake_duplicate_job).to receive(:idempotent?).and_return(true)
         allow(fake_duplicate_job).to receive(:options).and_return({})
         job_hash = {}
 
@@ -62,7 +62,7 @@ RSpec.shared_examples 'deduplicating jobs when scheduling' do |strategy_name|
               receive(:check!)
                 .with(Gitlab::SidekiqMiddleware::DuplicateJobs::DuplicateJob::DUPLICATE_KEY_TTL)
                 .and_return('the jid'))
-            allow(fake_duplicate_job).to receive(:droppable?).and_return(true)
+            allow(fake_duplicate_job).to receive(:idempotent?).and_return(true)
             job_hash = {}
 
             expect(fake_duplicate_job).to receive(:duplicate?).and_return(true)
@@ -82,7 +82,7 @@ RSpec.shared_examples 'deduplicating jobs when scheduling' do |strategy_name|
               allow(fake_duplicate_job).to receive(:options).and_return({ including_scheduled: true })
               allow(fake_duplicate_job).to(
                 receive(:check!).with(time_diff.to_i).and_return('the jid'))
-              allow(fake_duplicate_job).to receive(:droppable?).and_return(true)
+              allow(fake_duplicate_job).to receive(:idempotent?).and_return(true)
               job_hash = {}
 
               expect(fake_duplicate_job).to receive(:duplicate?).and_return(true)
@@ -104,13 +104,13 @@ RSpec.shared_examples 'deduplicating jobs when scheduling' do |strategy_name|
         allow(fake_duplicate_job).to receive(:duplicate?).and_return(true)
         allow(fake_duplicate_job).to receive(:options).and_return({})
         allow(fake_duplicate_job).to receive(:existing_jid).and_return('the jid')
-        allow(fake_duplicate_job).to receive(:droppable?).and_return(true)
+        allow(fake_duplicate_job).to receive(:idempotent?).and_return(true)
       end
 
       it 'drops the job' do
         schedule_result = nil
 
-        expect(fake_duplicate_job).to receive(:droppable?).and_return(true)
+        expect(fake_duplicate_job).to receive(:idempotent?).and_return(true)
 
         expect { |b| schedule_result = strategy.schedule({}, &b) }.not_to yield_control
         expect(schedule_result).to be(false)
diff --git a/spec/support/shared_examples/models/concerns/can_move_repository_storage_shared_examples.rb b/spec/support/shared_examples/models/concerns/can_move_repository_storage_shared_examples.rb
new file mode 100644
index 00000000000..85a2c6f1449
--- /dev/null
+++ b/spec/support/shared_examples/models/concerns/can_move_repository_storage_shared_examples.rb
@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'can move repository storage' do
+  let(:container) { raise NotImplementedError }
+
+  describe '#set_repository_read_only!' do
+    it 'makes the repository read-only' do
+      expect { container.set_repository_read_only! }
+        .to change(container, :repository_read_only?)
+        .from(false)
+        .to(true)
+    end
+
+    it 'raises an error if the project is already read-only' do
+      container.set_repository_read_only!
+
+      expect { container.set_repository_read_only! }.to raise_error(described_class::RepositoryReadOnlyError, /already read-only/)
+    end
+
+    it 'raises an error when there is an existing git transfer in progress' do
+      allow(container).to receive(:git_transfer_in_progress?) { true }
+
+      expect { container.set_repository_read_only! }.to raise_error(described_class::RepositoryReadOnlyError, /in progress/)
+    end
+
+    context 'skip_git_transfer_check is true' do
+      it 'makes the project read-only when git transfers are in progress' do
+        allow(container).to receive(:git_transfer_in_progress?) { true }
+
+        expect { container.set_repository_read_only!(skip_git_transfer_check: true) }
+          .to change(container, :repository_read_only?)
+          .from(false)
+          .to(true)
+      end
+    end
+  end
+
+  describe '#set_repository_writable!' do
+    it 'sets repository_read_only to false' do
+      expect { container.set_repository_writable! }
+        .to change(container, :repository_read_only)
+        .from(true).to(false)
+    end
+  end
+
+  describe '#reference_counter' do
+    it 'returns a Gitlab::ReferenceCounter object' do
+      expect(Gitlab::ReferenceCounter).to receive(:new).with(container.repository.gl_repository).and_call_original
+
+      result = container.reference_counter(type: container.repository.repo_type)
+
+      expect(result).to be_a Gitlab::ReferenceCounter
+    end
+  end
+end
diff --git a/spec/support/shared_examples/models/concerns/repository_storage_movable_shared_examples.rb b/spec/support/shared_examples/models/concerns/repository_storage_movable_shared_examples.rb
new file mode 100644
index 00000000000..5a8388d01df
--- /dev/null
+++ b/spec/support/shared_examples/models/concerns/repository_storage_movable_shared_examples.rb
@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'handles repository moves' do
+  describe 'associations' do
+    it { is_expected.to belong_to(:container) }
+  end
+
+  describe 'validations' do
+    it { is_expected.to validate_presence_of(:container) }
+    it { is_expected.to validate_presence_of(:state) }
+    it { is_expected.to validate_presence_of(:source_storage_name) }
+    it { is_expected.to validate_presence_of(:destination_storage_name) }
+
+    context 'source_storage_name inclusion' do
+      subject { build(repository_storage_factory_key, source_storage_name: 'missing') }
+
+      it "does not allow repository storages that don't match a label in the configuration" do
+        expect(subject).not_to be_valid
+        expect(subject.errors[:source_storage_name].first).to match(/is not included in the list/)
+      end
+    end
+
+    context 'destination_storage_name inclusion' do
+      subject { build(repository_storage_factory_key, destination_storage_name: 'missing') }
+
+      it "does not allow repository storages that don't match a label in the configuration" do
+        expect(subject).not_to be_valid
+        expect(subject.errors[:destination_storage_name].first).to match(/is not included in the list/)
+      end
+    end
+
+    context 'container repository read-only' do
+      subject { build(repository_storage_factory_key, container: container) }
+
+      it "does not allow the container to be read-only on create" do
+        container.update!(repository_read_only: true)
+
+        expect(subject).not_to be_valid
+        expect(subject.errors[error_key].first).to match(/is read only/)
+      end
+    end
+  end
+
+  describe 'defaults' do
+    context 'destination_storage_name' do
+      subject { build(repository_storage_factory_key) }
+
+      it 'picks storage from ApplicationSetting' do
+        expect(Gitlab::CurrentSettings).to receive(:pick_repository_storage).and_return('picked').at_least(:once)
+
+        expect(subject.destination_storage_name).to eq('picked')
+      end
+    end
+  end
+
+  describe 'state transitions' do
+    before do
+      stub_storage_settings('test_second_storage' => { 'path' => 'tmp/tests/extra_storage' })
+    end
+
+    context 'when in the default state' do
+      subject(:storage_move) { create(repository_storage_factory_key, container: container, destination_storage_name: 'test_second_storage') }
+
+      context 'and transits to scheduled' do
+        it 'triggers the corresponding repository storage worker' do
+          skip unless repository_storage_worker # TODO remove after https://gitlab.com/gitlab-org/gitlab/-/issues/218991 is implemented
+          expect(repository_storage_worker).to receive(:perform_async).with(container.id, 'test_second_storage', storage_move.id)
+
+          storage_move.schedule!
+
+          expect(container).to be_repository_read_only
+        end
+
+        context 'when the transition fails' do
+          it 'does not trigger ProjectUpdateRepositoryStorageWorker and adds an error' do
+            skip unless repository_storage_worker # TODO remove after https://gitlab.com/gitlab-org/gitlab/-/issues/218991 is implemented
+            allow(storage_move.container).to receive(:set_repository_read_only!).and_raise(StandardError, 'foobar')
+            expect(repository_storage_worker).not_to receive(:perform_async)
+
+            storage_move.schedule!
+
+            expect(storage_move.errors[error_key]).to include('foobar')
+          end
+        end
+      end
+
+      context 'and transits to started' do
+        it 'does not allow the transition' do
+          expect { storage_move.start! }
+            .to raise_error(StateMachines::InvalidTransition)
+        end
+      end
+    end
+
+    context 'when started' do
+      subject(:storage_move) { create(repository_storage_factory_key, :started, container: container, destination_storage_name: 'test_second_storage') }
+
+      context 'and transits to replicated' do
+        it 'marks the container as writable' do
+          storage_move.finish_replication!
+
+          expect(container).not_to be_repository_read_only
+        end
+      end
+
+      context 'and transits to failed' do
+        it 'marks the container as writable' do
+          storage_move.do_fail!
+
+          expect(container).not_to be_repository_read_only
+        end
+      end
+    end
+  end
+end
diff --git a/spec/support/shared_examples/models/concerns/shardable_shared_examples.rb b/spec/support/shared_examples/models/concerns/shardable_shared_examples.rb
index fa929d5b791..fd0639b628e 100644
--- a/spec/support/shared_examples/models/concerns/shardable_shared_examples.rb
+++ b/spec/support/shared_examples/models/concerns/shardable_shared_examples.rb
@@ -18,4 +18,10 @@ RSpec.shared_examples 'shardable scopes' do
       expect(described_class.excluding_repository_storage('default')).to eq([record_2])
     end
   end
+
+  describe '.for_shard' do
+    it 'returns the objects for a given shard' do
+      expect(described_class.for_shard(record_1.shard)).to eq([record_1])
+    end
+  end
 end
diff --git a/spec/support/shared_examples/models/mentionable_shared_examples.rb b/spec/support/shared_examples/models/mentionable_shared_examples.rb
index 0ee0b7e6d88..2392658e584 100644
--- a/spec/support/shared_examples/models/mentionable_shared_examples.rb
+++ b/spec/support/shared_examples/models/mentionable_shared_examples.rb
@@ -92,7 +92,7 @@ RSpec.shared_examples 'a mentionable' do
         end
       end
 
-      expect(subject).to receive(:cached_markdown_fields).at_least(:once).and_call_original
+      expect(subject).to receive(:cached_markdown_fields).at_least(1).and_call_original
 
       subject.all_references(author)
     end
@@ -151,7 +151,7 @@ RSpec.shared_examples 'an editable mentionable' do
       end
 
       it 'persists the refreshed cache so that it does not have to be refreshed every time' do
-        expect(subject).to receive(:refresh_markdown_cache).once.and_call_original
+        expect(subject).to receive(:refresh_markdown_cache).at_least(1).and_call_original
 
         subject.all_references(author)
 
diff --git a/spec/support/shared_examples/models/resource_timebox_event_shared_examples.rb b/spec/support/shared_examples/models/resource_timebox_event_shared_examples.rb
index 5198508d48b..f56e8d4e085 100644
--- a/spec/support/shared_examples/models/resource_timebox_event_shared_examples.rb
+++ b/spec/support/shared_examples/models/resource_timebox_event_shared_examples.rb
@@ -75,11 +75,17 @@ RSpec.shared_examples 'timebox resource event actions' do
 end
 
 RSpec.shared_examples 'timebox resource tracks issue metrics' do |type|
-  describe '#usage_metrics' do
-    it 'tracks usage' do
+  describe '#issue_usage_metrics' do
+    it 'tracks usage for issues' do
       expect(Gitlab::UsageDataCounters::IssueActivityUniqueCounter).to receive(:"track_issue_#{type}_changed_action")
 
       create(described_class.name.underscore.to_sym, issue: create(:issue))
     end
+
+    it 'does not track usage for merge requests' do
+      expect(Gitlab::UsageDataCounters::IssueActivityUniqueCounter).not_to receive(:"track_issue_#{type}_changed_action")
+
+      create(described_class.name.underscore.to_sym, merge_request: create(:merge_request))
+    end
   end
 end
diff --git a/spec/support/shared_examples/quick_actions/issue/clone_quick_action_shared_examples.rb b/spec/support/shared_examples/quick_actions/issue/clone_quick_action_shared_examples.rb
new file mode 100644
index 00000000000..a99304f7214
--- /dev/null
+++ b/spec/support/shared_examples/quick_actions/issue/clone_quick_action_shared_examples.rb
@@ -0,0 +1,187 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'clone quick action' do
+  context 'clone the issue to another project' do
+    let(:target_project) { create(:project, :public) }
+
+    context 'when no target is given' do
+      it 'clones the issue in the current project' do
+        add_note("/clone")
+
+        expect(page).to have_content "Cloned this issue to #{project.full_path}."
+        expect(issue.reload).to be_open
+
+        visit project_issue_path(project, issue)
+
+        expect(page).to have_content 'Issues 2'
+      end
+    end
+
+    context 'when the project is valid' do
+      before do
+        target_project.add_maintainer(user)
+      end
+
+      it 'clones the issue' do
+        add_note("/clone #{target_project.full_path}")
+
+        expect(page).to have_content "Cloned this issue to #{target_project.full_path}."
+        expect(issue.reload).to be_open
+
+        visit project_issue_path(target_project, issue)
+
+        expect(page).to have_content 'Issues 1'
+      end
+
+      context 'when cloning with notes', :aggregate_failures do
+        it 'clones the issue with all notes' do
+          add_note("Some random note")
+          add_note("Another note")
+
+          add_note("/clone --with_notes #{target_project.full_path}")
+
+          expect(page).to have_content "Cloned this issue to #{target_project.full_path}."
+          expect(issue.reload).to be_open
+
+          visit project_issue_path(target_project, issue)
+
+          expect(page).to have_content 'Issues 1'
+          expect(page).to have_content 'Some random note'
+          expect(page).to have_content 'Another note'
+        end
+
+        it 'returns an error if the params are malformed' do
+          # Note that this is missing one `-`
+          add_note("/clone -with_notes #{target_project.full_path}")
+
+          wait_for_requests
+
+          expect(page).to have_content 'Failed to clone this issue: wrong parameters.'
+          expect(issue.reload).to be_open
+        end
+      end
+    end
+
+    context 'when the project is valid but the user not authorized' do
+      let(:project_unauthorized) { create(:project, :public) }
+
+      it 'does not clone the issue' do
+        add_note("/clone #{project_unauthorized.full_path}")
+
+        wait_for_requests
+
+        expect(page).to have_content "Cloned this issue to #{project_unauthorized.full_path}."
+        expect(issue.reload).to be_open
+
+        visit project_issue_path(target_project, issue)
+
+        expect(page).not_to have_content 'Issues 1'
+      end
+    end
+
+    context 'when the project is invalid' do
+      it 'does not clone the issue' do
+        add_note("/clone not/valid")
+
+        wait_for_requests
+
+        expect(page).to have_content "Failed to clone this issue because target project doesn't exist."
+        expect(issue.reload).to be_open
+      end
+    end
+
+    context 'when the user issues multiple commands' do
+      let(:milestone) { create(:milestone, title: '1.0', project: project) }
+      let(:bug)      { create(:label, project: project, title: 'bug') }
+      let(:wontfix)  { create(:label, project: project, title: 'wontfix') }
+
+      let!(:target_milestone) { create(:milestone, title: '1.0', project: target_project) }
+
+      before do
+        target_project.add_maintainer(user)
+      end
+
+      shared_examples 'applies the commands to issues in both projects, target and source' do
+        it "applies quick actions" do
+          expect(page).to have_content "Cloned this issue to #{target_project.full_path}."
+          expect(issue.reload).to be_open
+
+          visit project_issue_path(target_project, issue)
+
+          expect(page).to have_content 'bug'
+          expect(page).to have_content 'wontfix'
+          expect(page).to have_content '1.0'
+
+          visit project_issue_path(project, issue)
+          expect(page).to have_content 'bug'
+          expect(page).to have_content 'wontfix'
+          expect(page).to have_content '1.0'
+        end
+      end
+
+      context 'applies multiple commands with clone command in the end' do
+        before do
+          add_note("/label ~#{bug.title} ~#{wontfix.title}\n\n/milestone %\"#{milestone.title}\"\n\n/clone #{target_project.full_path}")
+        end
+
+        it_behaves_like 'applies the commands to issues in both projects, target and source'
+      end
+
+      context 'applies multiple commands with clone command in the begining' do
+        before do
+          add_note("/clone #{target_project.full_path}\n\n/label ~#{bug.title} ~#{wontfix.title}\n\n/milestone %\"#{milestone.title}\"")
+        end
+
+        it_behaves_like 'applies the commands to issues in both projects, target and source'
+      end
+    end
+
+    context 'when editing comments' do
+      let(:target_project) { create(:project, :public) }
+
+      before do
+        target_project.add_maintainer(user)
+
+        sign_in(user)
+        visit project_issue_path(project, issue)
+        wait_for_all_requests
+      end
+
+      it 'clones the issue after quickcommand note was updated' do
+        # misspelled quick action
+        add_note("test note.\n/cloe #{target_project.full_path}")
+
+        expect(issue.reload).not_to be_closed
+
+        edit_note("/cloe #{target_project.full_path}", "test note.\n/clone #{target_project.full_path}")
+        wait_for_all_requests
+
+        expect(page).to have_content 'test note.'
+        expect(issue.reload).to be_open
+
+        visit project_issue_path(target_project, issue)
+        wait_for_all_requests
+
+        expect(page).to have_content 'Issues 1'
+      end
+
+      it 'deletes the note if it was updated to just contain a command' do
+        # missspelled quick action
+        add_note("test note.\n/cloe #{target_project.full_path}")
+
+        expect(page).not_to have_content 'Commands applied'
+
+        edit_note("/cloe #{target_project.full_path}", "/clone #{target_project.full_path}")
+        wait_for_all_requests
+
+        expect(page).not_to have_content "/clone #{target_project.full_path}"
+        expect(issue.reload).to be_open
+
+        visit project_issue_path(target_project, issue)
+        wait_for_all_requests
+
+        expect(page).to have_content 'Issues 1'
+      end
+    end
+  end
+end
diff --git a/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb b/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
index c56290a0aa9..49b6fc13900 100644
--- a/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
@@ -629,6 +629,7 @@ RSpec.shared_examples 'workhorse recipe file upload endpoint' do
   it_behaves_like 'rejects invalid recipe'
   it_behaves_like 'rejects invalid file_name', 'conanfile.py.git%2fgit-upload-pack'
   it_behaves_like 'uploads a package file'
+  it_behaves_like 'creates build_info when there is a job'
 end
 
 RSpec.shared_examples 'workhorse package file upload endpoint' do
@@ -649,6 +650,7 @@ RSpec.shared_examples 'workhorse package file upload endpoint' do
   it_behaves_like 'rejects invalid recipe'
   it_behaves_like 'rejects invalid file_name', 'conaninfo.txttest'
   it_behaves_like 'uploads a package file'
+  it_behaves_like 'creates build_info when there is a job'
 
   context 'tracking the conan_package.tgz upload' do
     let(:file_name) { ::Packages::Conan::FileMetadatum::PACKAGE_BINARY }
@@ -657,6 +659,20 @@ RSpec.shared_examples 'workhorse package file upload endpoint' do
   end
 end
 
+RSpec.shared_examples 'creates build_info when there is a job' do
+  context 'with job token' do
+    let(:jwt) { build_jwt_from_job(job) }
+
+    it 'creates a build_info record' do
+      expect { subject }.to change { Packages::BuildInfo.count }.by(1)
+    end
+
+    it 'creates a package_file_build_info record' do
+      expect { subject }.to change { Packages::PackageFileBuildInfo.count }.by(1)
+    end
+  end
+end
+
 RSpec.shared_examples 'uploads a package file' do
   context 'file size above maximum limit' do
     before do
diff --git a/spec/support/shared_examples/requests/api/graphql/group_and_project_boards_query_shared_examples.rb b/spec/support/shared_examples/requests/api/graphql/group_and_project_boards_query_shared_examples.rb
index 5145880ef9a..54f4ba7ff73 100644
--- a/spec/support/shared_examples/requests/api/graphql/group_and_project_boards_query_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/graphql/group_and_project_boards_query_shared_examples.rb
@@ -47,18 +47,12 @@ RSpec.shared_examples 'group and project boards query' do
     describe 'sorting and pagination' do
       let(:data_path) { [board_parent_type, :boards] }
 
-      def pagination_query(params, page_info)
-        graphql_query_for(
-          board_parent_type,
-          { 'fullPath' => board_parent.full_path },
-          query_graphql_field('boards', params, "#{page_info} edges { node { id } }")
+      def pagination_query(params)
+        graphql_query_for(board_parent_type, { full_path: board_parent.full_path },
+          query_nodes(:boards, :id, include_pagination_info: true, args: params)
         )
       end
 
-      def pagination_results_data(data)
-        data.map { |board| board.dig('node', 'id') }
-      end
-
       context 'when using default sorting' do
         let!(:board_B) { create(:board, resource_parent: board_parent, name: 'B') }
         let!(:board_C) { create(:board, resource_parent: board_parent, name: 'C') }
@@ -72,9 +66,9 @@ RSpec.shared_examples 'group and project boards query' do
             let(:first_param)      { 2 }
             let(:expected_results) do
               if board_parent.multiple_issue_boards_available?
-                boards.map { |board| board.to_global_id.to_s }
+                boards.map { |board| global_id_of(board) }
               else
-                [boards.first.to_global_id.to_s]
+                [global_id_of(boards.first)]
               end
             end
           end
diff --git a/spec/support/shared_examples/requests/api/nuget_endpoints_shared_examples.rb b/spec/support/shared_examples/requests/api/nuget_endpoints_shared_examples.rb
new file mode 100644
index 00000000000..f808d12baf4
--- /dev/null
+++ b/spec/support/shared_examples/requests/api/nuget_endpoints_shared_examples.rb
@@ -0,0 +1,265 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'handling nuget service requests' do
+  subject { get api(url) }
+
+  context 'with valid project' do
+    using RSpec::Parameterized::TableSyntax
+
+    context 'personal token' do
+      where(:project_visibility_level, :user_role, :member, :user_token, :shared_examples_name, :expected_status) do
+        'PUBLIC'  | :developer  | true  | true  | 'process nuget service index request'   | :success
+        'PUBLIC'  | :guest      | true  | true  | 'process nuget service index request'   | :success
+        'PUBLIC'  | :developer  | true  | false | 'process nuget service index request'   | :success
+        'PUBLIC'  | :guest      | true  | false | 'process nuget service index request'   | :success
+        'PUBLIC'  | :developer  | false | true  | 'process nuget service index request'   | :success
+        'PUBLIC'  | :guest      | false | true  | 'process nuget service index request'   | :success
+        'PUBLIC'  | :developer  | false | false | 'process nuget service index request'   | :success
+        'PUBLIC'  | :guest      | false | false | 'process nuget service index request'   | :success
+        'PUBLIC'  | :anonymous  | false | true  | 'process nuget service index request'   | :success
+        'PRIVATE' | :developer  | true  | true  | 'process nuget service index request'   | :success
+        'PRIVATE' | :guest      | true  | true  | 'rejects nuget packages access'         | :forbidden
+        'PRIVATE' | :developer  | true  | false | 'rejects nuget packages access'         | :unauthorized
+        'PRIVATE' | :guest      | true  | false | 'rejects nuget packages access'         | :unauthorized
+        'PRIVATE' | :developer  | false | true  | 'rejects nuget packages access'         | :not_found
+        'PRIVATE' | :guest      | false | true  | 'rejects nuget packages access'         | :not_found
+        'PRIVATE' | :developer  | false | false | 'rejects nuget packages access'         | :unauthorized
+        'PRIVATE' | :guest      | false | false | 'rejects nuget packages access'         | :unauthorized
+        'PRIVATE' | :anonymous  | false | true  | 'rejects nuget packages access'         | :unauthorized
+      end
+
+      with_them do
+        let(:token) { user_token ? personal_access_token.token : 'wrong' }
+        let(:headers) { user_role == :anonymous ? {} : basic_auth_header(user.username, token) }
+
+        subject { get api(url), headers: headers }
+
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel.const_get(project_visibility_level, false))
+        end
+
+        it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status], params[:member]
+      end
+    end
+
+    context 'with job token' do
+      where(:project_visibility_level, :user_role, :member, :user_token, :shared_examples_name, :expected_status) do
+        'PUBLIC'  | :developer  | true  | true  | 'process nuget service index request' | :success
+        'PUBLIC'  | :guest      | true  | true  | 'process nuget service index request' | :success
+        'PUBLIC'  | :developer  | true  | false | 'rejects nuget packages access'       | :unauthorized
+        'PUBLIC'  | :guest      | true  | false | 'rejects nuget packages access'       | :unauthorized
+        'PUBLIC'  | :developer  | false | true  | 'process nuget service index request' | :success
+        'PUBLIC'  | :guest      | false | true  | 'process nuget service index request' | :success
+        'PUBLIC'  | :developer  | false | false | 'rejects nuget packages access'       | :unauthorized
+        'PUBLIC'  | :guest      | false | false | 'rejects nuget packages access'       | :unauthorized
+        'PUBLIC'  | :anonymous  | false | true  | 'process nuget service index request' | :success
+        'PRIVATE' | :developer  | true  | true  | 'process nuget service index request' | :success
+        'PRIVATE' | :guest      | true  | true  | 'rejects nuget packages access'       | :forbidden
+        'PRIVATE' | :developer  | true  | false | 'rejects nuget packages access'       | :unauthorized
+        'PRIVATE' | :guest      | true  | false | 'rejects nuget packages access'       | :unauthorized
+        'PRIVATE' | :developer  | false | true  | 'rejects nuget packages access'       | :not_found
+        'PRIVATE' | :guest      | false | true  | 'rejects nuget packages access'       | :not_found
+        'PRIVATE' | :developer  | false | false | 'rejects nuget packages access'       | :unauthorized
+        'PRIVATE' | :guest      | false | false | 'rejects nuget packages access'       | :unauthorized
+        'PRIVATE' | :anonymous  | false | true  | 'rejects nuget packages access'       | :unauthorized
+      end
+
+      with_them do
+        let(:job) { user_token ? create(:ci_build, project: project, user: user, status: :running) : double(token: 'wrong') }
+        let(:headers) { user_role == :anonymous ? {} : job_basic_auth_header(job) }
+
+        subject { get api(url), headers: headers }
+
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel.const_get(project_visibility_level, false))
+        end
+
+        it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status], params[:member]
+      end
+    end
+  end
+
+  it_behaves_like 'deploy token for package GET requests'
+
+  it_behaves_like 'rejects nuget access with unknown project id'
+
+  it_behaves_like 'rejects nuget access with invalid project id'
+end
+
+RSpec.shared_examples 'handling nuget metadata requests with package name' do
+  include_context 'with expected presenters dependency groups'
+
+  let_it_be(:package_name) { 'Dummy.Package' }
+  let_it_be(:packages) { create_list(:nuget_package, 5, :with_metadatum, name: package_name, project: project) }
+  let_it_be(:tags) { packages.each { |pkg| create(:packages_tag, package: pkg, name: 'test') } }
+
+  subject { get api(url) }
+
+  before do
+    packages.each { |pkg| create_dependencies_for(pkg) }
+  end
+
+  context 'with valid project' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:project_visibility_level, :user_role, :member, :user_token, :shared_examples_name, :expected_status) do
+      'PUBLIC'  | :developer  | true  | true  | 'process nuget metadata request at package name level' | :success
+      'PUBLIC'  | :guest      | true  | true  | 'process nuget metadata request at package name level' | :success
+      'PUBLIC'  | :developer  | true  | false | 'process nuget metadata request at package name level' | :success
+      'PUBLIC'  | :guest      | true  | false | 'process nuget metadata request at package name level' | :success
+      'PUBLIC'  | :developer  | false | true  | 'process nuget metadata request at package name level' | :success
+      'PUBLIC'  | :guest      | false | true  | 'process nuget metadata request at package name level' | :success
+      'PUBLIC'  | :developer  | false | false | 'process nuget metadata request at package name level' | :success
+      'PUBLIC'  | :guest      | false | false | 'process nuget metadata request at package name level' | :success
+      'PUBLIC'  | :anonymous  | false | true  | 'process nuget metadata request at package name level' | :success
+      'PRIVATE' | :developer  | true  | true  | 'process nuget metadata request at package name level' | :success
+      'PRIVATE' | :guest      | true  | true  | 'rejects nuget packages access'                        | :forbidden
+      'PRIVATE' | :developer  | true  | false | 'rejects nuget packages access'                        | :unauthorized
+      'PRIVATE' | :guest      | true  | false | 'rejects nuget packages access'                        | :unauthorized
+      'PRIVATE' | :developer  | false | true  | 'rejects nuget packages access'                        | :not_found
+      'PRIVATE' | :guest      | false | true  | 'rejects nuget packages access'                        | :not_found
+      'PRIVATE' | :developer  | false | false | 'rejects nuget packages access'                        | :unauthorized
+      'PRIVATE' | :guest      | false | false | 'rejects nuget packages access'                        | :unauthorized
+      'PRIVATE' | :anonymous  | false | true  | 'rejects nuget packages access'                        | :unauthorized
+    end
+
+    with_them do
+      let(:token) { user_token ? personal_access_token.token : 'wrong' }
+      let(:headers) { user_role == :anonymous ? {} : basic_auth_header(user.username, token) }
+
+      subject { get api(url), headers: headers }
+
+      before do
+        project.update!(visibility_level: Gitlab::VisibilityLevel.const_get(project_visibility_level, false))
+      end
+
+      it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status], params[:member]
+    end
+
+    it_behaves_like 'deploy token for package GET requests'
+
+    it_behaves_like 'rejects nuget access with unknown project id'
+
+    it_behaves_like 'rejects nuget access with invalid project id'
+  end
+end
+
+RSpec.shared_examples 'handling nuget metadata requests with package name and package version' do
+  include_context 'with expected presenters dependency groups'
+
+  let_it_be(:package_name) { 'Dummy.Package' }
+  let_it_be(:package) { create(:nuget_package, :with_metadatum, name: 'Dummy.Package', project: project) }
+  let_it_be(:tag) { create(:packages_tag, package: package, name: 'test') }
+
+  subject { get api(url) }
+
+  before do
+    create_dependencies_for(package)
+  end
+
+  context 'with valid project' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:project_visibility_level, :user_role, :member, :user_token, :shared_examples_name, :expected_status) do
+      'PUBLIC'  | :developer  | true  | true  | 'process nuget metadata request at package name and package version level' | :success
+      'PUBLIC'  | :guest      | true  | true  | 'process nuget metadata request at package name and package version level' | :success
+      'PUBLIC'  | :developer  | true  | false | 'process nuget metadata request at package name and package version level' | :success
+      'PUBLIC'  | :guest      | true  | false | 'process nuget metadata request at package name and package version level' | :success
+      'PUBLIC'  | :developer  | false | true  | 'process nuget metadata request at package name and package version level' | :success
+      'PUBLIC'  | :guest      | false | true  | 'process nuget metadata request at package name and package version level' | :success
+      'PUBLIC'  | :developer  | false | false | 'process nuget metadata request at package name and package version level' | :success
+      'PUBLIC'  | :guest      | false | false | 'process nuget metadata request at package name and package version level' | :success
+      'PUBLIC'  | :anonymous  | false | true  | 'process nuget metadata request at package name and package version level' | :success
+      'PRIVATE' | :developer  | true  | true  | 'process nuget metadata request at package name and package version level' | :success
+      'PRIVATE' | :guest      | true  | true  | 'rejects nuget packages access'                                            | :forbidden
+      'PRIVATE' | :developer  | true  | false | 'rejects nuget packages access'                                            | :unauthorized
+      'PRIVATE' | :guest      | true  | false | 'rejects nuget packages access'                                            | :unauthorized
+      'PRIVATE' | :developer  | false | true  | 'rejects nuget packages access'                                            | :not_found
+      'PRIVATE' | :guest      | false | true  | 'rejects nuget packages access'                                            | :not_found
+      'PRIVATE' | :developer  | false | false | 'rejects nuget packages access'                                            | :unauthorized
+      'PRIVATE' | :guest      | false | false | 'rejects nuget packages access'                                            | :unauthorized
+      'PRIVATE' | :anonymous  | false | true  | 'rejects nuget packages access'                                            | :unauthorized
+    end
+
+    with_them do
+      let(:token) { user_token ? personal_access_token.token : 'wrong' }
+      let(:headers) { user_role == :anonymous ? {} : basic_auth_header(user.username, token) }
+
+      subject { get api(url), headers: headers }
+
+      before do
+        project.update!(visibility_level: Gitlab::VisibilityLevel.const_get(project_visibility_level, false))
+      end
+
+      it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status], params[:member]
+    end
+  end
+
+  it_behaves_like 'deploy token for package GET requests'
+
+  context 'with invalid package name' do
+    let_it_be(:package_name) { 'Unkown' }
+
+    it_behaves_like 'rejects nuget packages access', :developer, :not_found
+  end
+end
+
+RSpec.shared_examples 'handling nuget search requests' do
+  let_it_be(:package_a) { create(:nuget_package, :with_metadatum, name: 'Dummy.PackageA', project: project) }
+  let_it_be(:tag) { create(:packages_tag, package: package_a, name: 'test') }
+  let_it_be(:packages_b) { create_list(:nuget_package, 5, name: 'Dummy.PackageB', project: project) }
+  let_it_be(:packages_c) { create_list(:nuget_package, 5, name: 'Dummy.PackageC', project: project) }
+  let_it_be(:package_d) { create(:nuget_package, name: 'Dummy.PackageD', version: '5.0.5-alpha', project: project) }
+  let_it_be(:package_e) { create(:nuget_package, name: 'Foo.BarE', project: project) }
+  let(:search_term) { 'uMmy' }
+  let(:take) { 26 }
+  let(:skip) { 0 }
+  let(:include_prereleases) { true }
+  let(:query_parameters) { { q: search_term, take: take, skip: skip, prerelease: include_prereleases } }
+
+  subject { get api(url) }
+
+  context 'with valid project' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:project_visibility_level, :user_role, :member, :user_token, :shared_examples_name, :expected_status) do
+      'PUBLIC'  | :developer  | true  | true  | 'process nuget search request'  | :success
+      'PUBLIC'  | :guest      | true  | true  | 'process nuget search request'  | :success
+      'PUBLIC'  | :developer  | true  | false | 'process nuget search request'  | :success
+      'PUBLIC'  | :guest      | true  | false | 'process nuget search request'  | :success
+      'PUBLIC'  | :developer  | false | true  | 'process nuget search request'  | :success
+      'PUBLIC'  | :guest      | false | true  | 'process nuget search request'  | :success
+      'PUBLIC'  | :developer  | false | false | 'process nuget search request'  | :success
+      'PUBLIC'  | :guest      | false | false | 'process nuget search request'  | :success
+      'PUBLIC'  | :anonymous  | false | true  | 'process nuget search request'  | :success
+      'PRIVATE' | :developer  | true  | true  | 'process nuget search request'  | :success
+      'PRIVATE' | :guest      | true  | true  | 'rejects nuget packages access' | :forbidden
+      'PRIVATE' | :developer  | true  | false | 'rejects nuget packages access' | :unauthorized
+      'PRIVATE' | :guest      | true  | false | 'rejects nuget packages access' | :unauthorized
+      'PRIVATE' | :developer  | false | true  | 'rejects nuget packages access' | :not_found
+      'PRIVATE' | :guest      | false | true  | 'rejects nuget packages access' | :not_found
+      'PRIVATE' | :developer  | false | false | 'rejects nuget packages access' | :unauthorized
+      'PRIVATE' | :guest      | false | false | 'rejects nuget packages access' | :unauthorized
+      'PRIVATE' | :anonymous  | false | true  | 'rejects nuget packages access' | :unauthorized
+    end
+
+    with_them do
+      let(:token) { user_token ? personal_access_token.token : 'wrong' }
+      let(:headers) { user_role == :anonymous ? {} : basic_auth_header(user.username, token) }
+
+      subject { get api(url), headers: headers }
+
+      before do
+        project.update!(visibility_level: Gitlab::VisibilityLevel.const_get(project_visibility_level, false))
+      end
+
+      it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status], params[:member]
+    end
+  end
+
+  it_behaves_like 'deploy token for package GET requests'
+
+  it_behaves_like 'rejects nuget access with unknown project id'
+
+  it_behaves_like 'rejects nuget access with invalid project id'
+end
diff --git a/spec/support/shared_examples/requests/api/nuget_packages_shared_examples.rb b/spec/support/shared_examples/requests/api/nuget_packages_shared_examples.rb
index 58e99776fd9..dc6ac5f0371 100644
--- a/spec/support/shared_examples/requests/api/nuget_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/nuget_packages_shared_examples.rb
@@ -12,7 +12,7 @@ RSpec.shared_examples 'rejects nuget packages access' do |user_type, status, add
       it 'has the correct response header' do
         subject
 
-        expect(response.headers['Www-Authenticate: Basic realm']).to eq 'GitLab Packages Registry'
+        expect(response.headers['WWW-Authenticate']).to eq 'Basic realm="GitLab Packages Registry"'
       end
     end
   end
@@ -26,7 +26,7 @@ RSpec.shared_examples 'process nuget service index request' do |user_type, statu
 
     it_behaves_like 'returning response status', status
 
-    it_behaves_like 'a package tracking event', described_class.name, 'cli_metadata'
+    it_behaves_like 'a package tracking event', 'API::NugetPackages', 'cli_metadata'
 
     it 'returns a valid json response' do
       subject
@@ -169,7 +169,7 @@ RSpec.shared_examples 'process nuget upload' do |user_type, status, add_member =
       context 'with correct params' do
         it_behaves_like 'package workhorse uploads'
         it_behaves_like 'creates nuget package files'
-        it_behaves_like 'a package tracking event', described_class.name, 'push_package'
+        it_behaves_like 'a package tracking event', 'API::NugetPackages', 'push_package'
       end
     end
 
@@ -286,7 +286,7 @@ RSpec.shared_examples 'process nuget download content request' do |user_type, st
 
     it_behaves_like 'returning response status', status
 
-    it_behaves_like 'a package tracking event', described_class.name, 'pull_package'
+    it_behaves_like 'a package tracking event', 'API::NugetPackages', 'pull_package'
 
     it 'returns a valid package archive' do
       subject
@@ -336,7 +336,7 @@ RSpec.shared_examples 'process nuget search request' do |user_type, status, add_
 
     it_behaves_like 'returns a valid json search response', status, 4, [1, 5, 5, 1]
 
-    it_behaves_like 'a package tracking event', described_class.name, 'search_package'
+    it_behaves_like 'a package tracking event', 'API::NugetPackages', 'search_package'
 
     context 'with skip set to 2' do
       let(:skip) { 2 }
diff --git a/spec/support/shared_examples/requests/graphql_shared_examples.rb b/spec/support/shared_examples/requests/graphql_shared_examples.rb
index 0045fe14501..a66bc7112fe 100644
--- a/spec/support/shared_examples/requests/graphql_shared_examples.rb
+++ b/spec/support/shared_examples/requests/graphql_shared_examples.rb
@@ -9,3 +9,8 @@ RSpec.shared_examples 'a working graphql query' do
     expect(json_response.keys).to include('data')
   end
 end
+
+RSpec.shared_examples 'a mutation on an unauthorized resource' do
+  it_behaves_like 'a mutation that returns top-level errors',
+                      errors: [::Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR]
+end
diff --git a/spec/support/shared_examples/requests/lfs_http_shared_examples.rb b/spec/support/shared_examples/requests/lfs_http_shared_examples.rb
index 4ae77179527..294ceffd77b 100644
--- a/spec/support/shared_examples/requests/lfs_http_shared_examples.rb
+++ b/spec/support/shared_examples/requests/lfs_http_shared_examples.rb
@@ -65,12 +65,19 @@ end
 RSpec.shared_examples 'LFS http requests' do
   include LfsHttpHelpers
 
+  let(:lfs_enabled) { true }
   let(:authorize_guest) {}
   let(:authorize_download) {}
   let(:authorize_upload) {}
 
   let(:lfs_object) { create(:lfs_object, :with_file) }
   let(:sample_oid) { lfs_object.oid }
+  let(:sample_size) { lfs_object.size }
+  let(:sample_object) { { 'oid' => sample_oid, 'size' => sample_size } }
+  let(:non_existing_object_oid) { '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897' }
+  let(:non_existing_object_size) { 1575078 }
+  let(:non_existing_object) { { 'oid' => non_existing_object_oid, 'size' => non_existing_object_size } }
+  let(:multiple_objects) { [sample_object, non_existing_object] }
 
   let(:authorization) { authorize_user }
   let(:headers) do
@@ -89,13 +96,11 @@ RSpec.shared_examples 'LFS http requests' do
   end
 
   before do
-    stub_lfs_setting(enabled: true)
+    stub_lfs_setting(enabled: lfs_enabled)
   end
 
   context 'when LFS is disabled globally' do
-    before do
-      stub_lfs_setting(enabled: false)
-    end
+    let(:lfs_enabled) { false }
 
     describe 'download request' do
       before do
diff --git a/spec/support/shared_examples/requests/rack_attack_shared_examples.rb b/spec/support/shared_examples/requests/rack_attack_shared_examples.rb
index d4ee68309ff..5d300d38e4a 100644
--- a/spec/support/shared_examples/requests/rack_attack_shared_examples.rb
+++ b/spec/support/shared_examples/requests/rack_attack_shared_examples.rb
@@ -23,6 +23,11 @@ RSpec.shared_examples 'rate-limited token-authenticated requests' do
     settings_to_set[:"#{throttle_setting_prefix}_period_in_seconds"] = period_in_seconds
   end
 
+  after do
+    stub_env('GITLAB_THROTTLE_USER_ALLOWLIST', nil)
+    Gitlab::RackAttack.configure_user_allowlist
+  end
+
   context 'when the throttle is enabled' do
     before do
       settings_to_set[:"#{throttle_setting_prefix}_enabled"] = true
@@ -30,6 +35,8 @@ RSpec.shared_examples 'rate-limited token-authenticated requests' do
     end
 
     it 'rejects requests over the rate limit' do
+      expect(Gitlab::Instrumentation::Throttle).not_to receive(:safelist=)
+
       # At first, allow requests under the rate limit.
       requests_per_period.times do
         make_request(request_args)
@@ -40,6 +47,18 @@ RSpec.shared_examples 'rate-limited token-authenticated requests' do
       expect_rejection { make_request(request_args) }
     end
 
+    it 'does not reject requests if the user is in the allowlist' do
+      stub_env('GITLAB_THROTTLE_USER_ALLOWLIST', user.id.to_s)
+      Gitlab::RackAttack.configure_user_allowlist
+
+      expect(Gitlab::Instrumentation::Throttle).to receive(:safelist=).with('throttle_user_allowlist').at_least(:once)
+
+      (requests_per_period + 1).times do
+        make_request(request_args)
+        expect(response).not_to have_gitlab_http_status(:too_many_requests)
+      end
+    end
+
     it 'allows requests after throttling and then waiting for the next period' do
       requests_per_period.times do
         make_request(request_args)
@@ -110,6 +129,14 @@ RSpec.shared_examples 'rate-limited token-authenticated requests' do
         expect { make_request(request_args) }.not_to exceed_query_limit(control_count)
       end
     end
+
+    it_behaves_like 'tracking when dry-run mode is set' do
+      let(:throttle_name) { throttle_types[throttle_setting_prefix] }
+
+      def do_request
+        make_request(request_args)
+      end
+    end
   end
 
   context 'when the throttle is disabled' do
@@ -159,6 +186,11 @@ RSpec.shared_examples 'rate-limited web authenticated requests' do
     settings_to_set[:"#{throttle_setting_prefix}_period_in_seconds"] = period_in_seconds
   end
 
+  after do
+    stub_env('GITLAB_THROTTLE_USER_ALLOWLIST', nil)
+    Gitlab::RackAttack.configure_user_allowlist
+  end
+
   context 'when the throttle is enabled' do
     before do
       settings_to_set[:"#{throttle_setting_prefix}_enabled"] = true
@@ -166,6 +198,8 @@ RSpec.shared_examples 'rate-limited web authenticated requests' do
     end
 
     it 'rejects requests over the rate limit' do
+      expect(Gitlab::Instrumentation::Throttle).not_to receive(:safelist=)
+
       # At first, allow requests under the rate limit.
       requests_per_period.times do
         request_authenticated_web_url
@@ -176,6 +210,18 @@ RSpec.shared_examples 'rate-limited web authenticated requests' do
       expect_rejection { request_authenticated_web_url }
     end
 
+    it 'does not reject requests if the user is in the allowlist' do
+      stub_env('GITLAB_THROTTLE_USER_ALLOWLIST', user.id.to_s)
+      Gitlab::RackAttack.configure_user_allowlist
+
+      expect(Gitlab::Instrumentation::Throttle).to receive(:safelist=).with('throttle_user_allowlist').at_least(:once)
+
+      (requests_per_period + 1).times do
+        request_authenticated_web_url
+        expect(response).not_to have_gitlab_http_status(:too_many_requests)
+      end
+    end
+
     it 'allows requests after throttling and then waiting for the next period' do
       requests_per_period.times do
         request_authenticated_web_url
@@ -245,6 +291,14 @@ RSpec.shared_examples 'rate-limited web authenticated requests' do
       expect(Gitlab::AuthLogger).to receive(:error).with(arguments).once
       expect { request_authenticated_web_url }.not_to exceed_query_limit(control_count)
     end
+
+    it_behaves_like 'tracking when dry-run mode is set' do
+      let(:throttle_name) { throttle_types[throttle_setting_prefix] }
+
+      def do_request
+        request_authenticated_web_url
+      end
+    end
   end
 
   context 'when the throttle is disabled' do
@@ -269,3 +323,63 @@ RSpec.shared_examples 'rate-limited web authenticated requests' do
     end
   end
 end
+
+# Requires:
+# - #do_request - This needs to be a method so the result isn't memoized
+# - throttle_name
+RSpec.shared_examples 'tracking when dry-run mode is set' do
+  let(:dry_run_config) { '*' }
+
+  # we can't use `around` here, because stub_env isn't supported outside of the
+  # example itself
+  before do
+    stub_env('GITLAB_THROTTLE_DRY_RUN', dry_run_config)
+    reset_rack_attack
+  end
+
+  after do
+    stub_env('GITLAB_THROTTLE_DRY_RUN', '')
+    reset_rack_attack
+  end
+
+  def reset_rack_attack
+    Rack::Attack.reset!
+    Rack::Attack.clear_configuration
+    Gitlab::RackAttack.configure(Rack::Attack)
+  end
+
+  it 'does not throttle the requests when `*` is configured' do
+    (1 + requests_per_period).times do
+      do_request
+      expect(response).not_to have_gitlab_http_status(:too_many_requests)
+    end
+  end
+
+  it 'logs RackAttack info into structured logs' do
+    arguments = a_hash_including({
+      message: 'Rack_Attack',
+      env: :track,
+      remote_ip: '127.0.0.1',
+      matched: throttle_name
+    })
+
+    expect(Gitlab::AuthLogger).to receive(:error).with(arguments)
+
+    (1 + requests_per_period).times do
+      do_request
+    end
+  end
+
+  context 'when configured with the the throttled name in a list' do
+    let(:dry_run_config) do
+      "throttle_list, #{throttle_name}, other_throttle"
+    end
+
+    it 'does not throttle' do
+      (1 + requests_per_period).times do
+        do_request
+        expect(response).not_to have_gitlab_http_status(:too_many_requests)
+      end
+    end
+  end
+end
diff --git a/spec/support/shared_examples/requests/self_monitoring_shared_examples.rb b/spec/support/shared_examples/requests/self_monitoring_shared_examples.rb
index db11b1fe07d..ff87fc5d8df 100644
--- a/spec/support/shared_examples/requests/self_monitoring_shared_examples.rb
+++ b/spec/support/shared_examples/requests/self_monitoring_shared_examples.rb
@@ -20,6 +20,18 @@ RSpec.shared_examples 'not accessible to non-admin users' do
       expect(response).to have_gitlab_http_status(:not_found)
     end
   end
+
+  context 'with authenticated admin user without admin mode' do
+    before do
+      login_as(create(:admin))
+    end
+
+    it 'redirects to enable admin mode' do
+      subject
+
+      expect(response).to redirect_to(new_admin_session_path)
+    end
+  end
 end
 
 # Requires subject and worker_class and status_api to be defined
diff --git a/spec/support/shared_examples/requests/uploads_auhorize_shared_examples.rb b/spec/support/shared_examples/requests/uploads_auhorize_shared_examples.rb
new file mode 100644
index 00000000000..9cef5cfc25e
--- /dev/null
+++ b/spec/support/shared_examples/requests/uploads_auhorize_shared_examples.rb
@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'handle uploads authorize request' do
+  before do
+    login_as(user)
+  end
+
+  describe 'POST authorize' do
+    it 'authorizes workhorse header' do
+      subject
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(response.media_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
+      expect(json_response['TempPath']).to eq(uploader_class.workhorse_local_upload_path)
+    end
+
+    it 'rejects requests that bypassed gitlab-workhorse' do
+      workhorse_headers.delete(Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER)
+
+      expect { subject }.to raise_error(JWT::DecodeError)
+    end
+
+    context 'when using remote storage' do
+      context 'when direct upload is enabled' do
+        before do
+          stub_uploads_object_storage(uploader_class, enabled: true, direct_upload: true)
+        end
+
+        it 'responds with status 200, location of file remote store and object details' do
+          subject
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response.media_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
+          expect(json_response).not_to have_key('TempPath')
+          expect(json_response['RemoteObject']).to have_key('ID')
+          expect(json_response['RemoteObject']).to have_key('GetURL')
+          expect(json_response['RemoteObject']).to have_key('StoreURL')
+          expect(json_response['RemoteObject']).to have_key('DeleteURL')
+          expect(json_response['RemoteObject']).to have_key('MultipartUpload')
+          expect(json_response['MaximumSize']).to eq(maximum_size)
+        end
+      end
+
+      context 'when direct upload is disabled' do
+        before do
+          stub_uploads_object_storage(uploader_class, enabled: true, direct_upload: false)
+        end
+
+        it 'handles as a local file' do
+          subject
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response.media_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
+          expect(json_response['TempPath']).to eq(uploader_class.workhorse_local_upload_path)
+          expect(json_response['RemoteObject']).to be_nil
+          expect(json_response['MaximumSize']).to eq(maximum_size)
+        end
+      end
+    end
+  end
+end
diff --git a/spec/support/shared_examples/routing/git_http_routing_shared_examples.rb b/spec/support/shared_examples/routing/git_http_routing_shared_examples.rb
new file mode 100644
index 00000000000..b0e1e942d81
--- /dev/null
+++ b/spec/support/shared_examples/routing/git_http_routing_shared_examples.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'git repository routes' do
+  let(:params) { { repository_path: path.delete_prefix('/') } }
+  let(:container_path) { path.delete_suffix('.git') }
+
+  it 'routes Git endpoints' do
+    expect(get("#{path}/info/refs")).to route_to('repositories/git_http#info_refs', **params)
+    expect(post("#{path}/git-upload-pack")).to route_to('repositories/git_http#git_upload_pack', **params)
+    expect(post("#{path}/git-receive-pack")).to route_to('repositories/git_http#git_receive_pack', **params)
+  end
+
+  context 'requests without .git format' do
+    it 'redirects requests to /info/refs', type: :request do
+      expect(get("#{container_path}/info/refs")).to redirect_to("#{container_path}.git/info/refs")
+      expect(get("#{container_path}/info/refs?service=git-upload-pack")).to redirect_to("#{container_path}.git/info/refs?service=git-upload-pack")
+      expect(get("#{container_path}/info/refs?service=git-receive-pack")).to redirect_to("#{container_path}.git/info/refs?service=git-receive-pack")
+    end
+
+    it 'does not redirect other requests' do
+      expect(post("#{container_path}/git-upload-pack")).not_to be_routable
+    end
+  end
+
+  it 'routes LFS endpoints' do
+    oid = generate(:oid)
+
+    expect(post("#{path}/info/lfs/objects/batch")).to route_to('repositories/lfs_api#batch', **params)
+    expect(post("#{path}/info/lfs/objects")).to route_to('repositories/lfs_api#deprecated', **params)
+    expect(get("#{path}/info/lfs/objects/#{oid}")).to route_to('repositories/lfs_api#deprecated', oid: oid, **params)
+
+    expect(post("#{path}/info/lfs/locks/123/unlock")).to route_to('repositories/lfs_locks_api#unlock', id: '123', **params)
+    expect(post("#{path}/info/lfs/locks/verify")).to route_to('repositories/lfs_locks_api#verify', **params)
+
+    expect(get("#{path}/gitlab-lfs/objects/#{oid}")).to route_to('repositories/lfs_storage#download', oid: oid, **params)
+    expect(put("#{path}/gitlab-lfs/objects/#{oid}/456/authorize")).to route_to('repositories/lfs_storage#upload_authorize', oid: oid, size: '456', **params)
+    expect(put("#{path}/gitlab-lfs/objects/#{oid}/456")).to route_to('repositories/lfs_storage#upload_finalize', oid: oid, size: '456', **params)
+
+    expect(put("#{path}/gitlab-lfs/objects/foo")).not_to be_routable
+    expect(put("#{path}/gitlab-lfs/objects/#{oid}/foo")).not_to be_routable
+    expect(put("#{path}/gitlab-lfs/objects/#{oid}/foo/authorize")).not_to be_routable
+  end
+end
diff --git a/spec/support/shared_examples/services/alert_management_shared_examples.rb b/spec/support/shared_examples/services/alert_management_shared_examples.rb
index 003705ca21c..d9f28a97a0f 100644
--- a/spec/support/shared_examples/services/alert_management_shared_examples.rb
+++ b/spec/support/shared_examples/services/alert_management_shared_examples.rb
@@ -16,6 +16,38 @@ RSpec.shared_examples 'creates an alert management alert' do
   end
 end
 
+# This shared_example requires the following variables:
+# - last_alert_attributes, last created alert
+# - project, project that alert created
+# - payload_raw, hash representation of payload
+# - environment, project's environment
+# - fingerprint, fingerprint hash
+RSpec.shared_examples 'assigns the alert properties' do
+  it 'ensures that created alert has all data properly assigned' do
+    subject
+
+    expect(last_alert_attributes).to match(
+      project_id: project.id,
+      title: payload_raw.fetch(:title),
+      started_at: Time.zone.parse(payload_raw.fetch(:start_time)),
+      severity: payload_raw.fetch(:severity),
+      status: AlertManagement::Alert.status_value(:triggered),
+      events: 1,
+      domain: domain,
+      hosts: payload_raw.fetch(:hosts),
+      payload: payload_raw.with_indifferent_access,
+      issue_id: nil,
+      description: payload_raw.fetch(:description),
+      monitoring_tool: payload_raw.fetch(:monitoring_tool),
+      service: payload_raw.fetch(:service),
+      fingerprint: Digest::SHA1.hexdigest(fingerprint),
+      environment_id: environment.id,
+      ended_at: nil,
+      prometheus_alert_id: nil
+    )
+  end
+end
+
 RSpec.shared_examples 'does not an create alert management alert' do
   it 'does not create alert' do
     expect { subject }.not_to change(AlertManagement::Alert, :count)
diff --git a/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb b/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
new file mode 100644
index 00000000000..ba176b616c3
--- /dev/null
+++ b/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
@@ -0,0 +1,1006 @@
+# frozen_string_literal: true
+
+RSpec.shared_context 'container registry auth service context' do
+  let(:current_project) { nil }
+  let(:current_user) { nil }
+  let(:current_params) { {} }
+  let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) }
+  let(:payload) { JWT.decode(subject[:token], rsa_key, true, { algorithm: 'RS256' }).first }
+
+  let(:authentication_abilities) do
+    [:read_container_image, :create_container_image, :admin_container_image]
+  end
+
+  let(:log_data) { { message: 'Denied container registry permissions' } }
+
+  subject do
+    described_class.new(current_project, current_user, current_params)
+      .execute(authentication_abilities: authentication_abilities)
+  end
+
+  before do
+    allow(Gitlab.config.registry).to receive_messages(enabled: true, issuer: 'rspec', key: nil)
+    allow_next_instance_of(JSONWebToken::RSAToken) do |instance|
+      allow(instance).to receive(:key).and_return(rsa_key)
+    end
+  end
+end
+
+RSpec.shared_examples 'an authenticated' do
+  it { is_expected.to include(:token) }
+  it { expect(payload).to include('access') }
+end
+
+RSpec.shared_examples 'a valid token' do
+  it { is_expected.to include(:token) }
+  it { expect(payload).to include('access') }
+
+  context 'a expirable' do
+    let(:expires_at) { Time.zone.at(payload['exp']) }
+    let(:expire_delay) { 10 }
+
+    context 'for default configuration' do
+      it { expect(expires_at).not_to be_within(2.seconds).of(Time.current + expire_delay.minutes) }
+    end
+
+    context 'for changed configuration' do
+      before do
+        stub_application_setting(container_registry_token_expire_delay: expire_delay)
+      end
+
+      it { expect(expires_at).to be_within(2.seconds).of(Time.current + expire_delay.minutes) }
+    end
+  end
+end
+
+RSpec.shared_examples 'a browsable' do
+  let(:access) do
+    [{ 'type' => 'registry',
+       'name' => 'catalog',
+       'actions' => ['*'] }]
+  end
+
+  it_behaves_like 'a valid token'
+  it_behaves_like 'not a container repository factory'
+
+  it 'has the correct scope' do
+    expect(payload).to include('access' => access)
+  end
+end
+
+RSpec.shared_examples 'an accessible' do
+  let(:access) do
+    [{ 'type' => 'repository',
+       'name' => project.full_path,
+       'actions' => actions }]
+  end
+
+  it_behaves_like 'a valid token'
+
+  it 'has the correct scope' do
+    expect(payload).to include('access' => access)
+  end
+end
+
+RSpec.shared_examples 'an inaccessible' do
+  it_behaves_like 'a valid token'
+  it { expect(payload).to include('access' => []) }
+end
+
+RSpec.shared_examples 'a deletable' do
+  it_behaves_like 'an accessible' do
+    let(:actions) { ['*'] }
+  end
+end
+
+RSpec.shared_examples 'a deletable since registry 2.7' do
+  it_behaves_like 'an accessible' do
+    let(:actions) { ['delete'] }
+  end
+end
+
+RSpec.shared_examples 'a pullable' do
+  it_behaves_like 'an accessible' do
+    let(:actions) { ['pull'] }
+  end
+end
+
+RSpec.shared_examples 'a pushable' do
+  it_behaves_like 'an accessible' do
+    let(:actions) { ['push'] }
+  end
+end
+
+RSpec.shared_examples 'a pullable and pushable' do
+  it_behaves_like 'an accessible' do
+    let(:actions) { %w(pull push) }
+  end
+end
+
+RSpec.shared_examples 'a forbidden' do
+  it { is_expected.to include(http_status: 403) }
+  it { is_expected.not_to include(:token) }
+end
+
+RSpec.shared_examples 'container repository factory' do
+  it 'creates a new container repository resource' do
+    expect { subject }
+      .to change { project.container_repositories.count }.by(1)
+  end
+end
+
+RSpec.shared_examples 'not a container repository factory' do
+  it 'does not create a new container repository resource' do
+    expect { subject }.not_to change { ContainerRepository.count }
+  end
+end
+
+RSpec.shared_examples 'logs an auth warning' do |requested_actions|
+  let(:expected) do
+    {
+      scope_type: 'repository',
+      requested_project_path: project.full_path,
+      requested_actions: requested_actions,
+      authorized_actions: [],
+      user_id: current_user.id,
+      username: current_user.username
+    }
+  end
+
+  it do
+    expect(Gitlab::AuthLogger).to receive(:warn).with(expected.merge!(log_data))
+
+    subject
+  end
+end
+
+RSpec.shared_examples 'a container registry auth service' do
+  include_context 'container registry auth service context'
+
+  describe '#full_access_token' do
+    let_it_be(:project) { create(:project) }
+    let(:token) { described_class.full_access_token(project.full_path) }
+
+    subject { { token: token } }
+
+    it_behaves_like 'an accessible' do
+      let(:actions) { ['*'] }
+    end
+
+    it_behaves_like 'not a container repository factory'
+  end
+
+  describe '#pull_access_token' do
+    let_it_be(:project) { create(:project) }
+    let(:token) { described_class.pull_access_token(project.full_path) }
+
+    subject { { token: token } }
+
+    it_behaves_like 'an accessible' do
+      let(:actions) { ['pull'] }
+    end
+
+    it_behaves_like 'not a container repository factory'
+  end
+
+  context 'user authorization' do
+    let_it_be(:current_user) { create(:user) }
+
+    context 'for registry catalog' do
+      let(:current_params) do
+        { scopes: ["registry:catalog:*"] }
+      end
+
+      context 'disallow browsing for users without GitLab admin rights' do
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+    end
+
+    context 'for private project' do
+      let_it_be(:project) { create(:project) }
+
+      context 'allow to use scope-less authentication' do
+        it_behaves_like 'a valid token'
+      end
+
+      context 'allow developer to push images' do
+        before_all do
+          project.add_developer(current_user)
+        end
+
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:push"] }
+        end
+
+        it_behaves_like 'a pushable'
+        it_behaves_like 'container repository factory'
+      end
+
+      context 'disallow developer to delete images' do
+        before_all do
+          project.add_developer(current_user)
+        end
+
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:*"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+
+        it_behaves_like 'logs an auth warning', ['*']
+      end
+
+      context 'disallow developer to delete images since registry 2.7' do
+        before_all do
+          project.add_developer(current_user)
+        end
+
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:delete"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+
+      context 'allow reporter to pull images' do
+        before_all do
+          project.add_reporter(current_user)
+        end
+
+        context 'when pulling from root level repository' do
+          let(:current_params) do
+            { scopes: ["repository:#{project.full_path}:pull"] }
+          end
+
+          it_behaves_like 'a pullable'
+          it_behaves_like 'not a container repository factory'
+        end
+      end
+
+      context 'disallow reporter to delete images' do
+        before_all do
+          project.add_reporter(current_user)
+        end
+
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:*"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+
+      context 'disallow reporter to delete images since registry 2.7' do
+        before_all do
+          project.add_reporter(current_user)
+        end
+
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:delete"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+
+      context 'return a least of privileges' do
+        before_all do
+          project.add_reporter(current_user)
+        end
+
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:push,pull"] }
+        end
+
+        it_behaves_like 'a pullable'
+        it_behaves_like 'not a container repository factory'
+      end
+
+      context 'disallow guest to pull or push images' do
+        before_all do
+          project.add_guest(current_user)
+        end
+
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:pull,push"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+
+      context 'disallow guest to delete images' do
+        before_all do
+          project.add_guest(current_user)
+        end
+
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:*"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+
+      context 'disallow guest to delete images since registry 2.7' do
+        before_all do
+          project.add_guest(current_user)
+        end
+
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:delete"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+    end
+
+    context 'for public project' do
+      let_it_be(:project) { create(:project, :public) }
+
+      context 'allow anyone to pull images' do
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:pull"] }
+        end
+
+        it_behaves_like 'a pullable'
+        it_behaves_like 'not a container repository factory'
+      end
+
+      context 'disallow anyone to push images' do
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:push"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+
+      context 'disallow anyone to delete images' do
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:*"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+
+      context 'disallow anyone to delete images since registry 2.7' do
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:delete"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+
+      context 'when repository name is invalid' do
+        let(:current_params) do
+          { scopes: ['repository:invalid:push'] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+    end
+
+    context 'for internal project' do
+      let_it_be(:project) { create(:project, :internal) }
+
+      context 'for internal user' do
+        context 'allow anyone to pull images' do
+          let(:current_params) do
+            { scopes: ["repository:#{project.full_path}:pull"] }
+          end
+
+          it_behaves_like 'a pullable'
+          it_behaves_like 'not a container repository factory'
+        end
+
+        context 'disallow anyone to push images' do
+          let(:current_params) do
+            { scopes: ["repository:#{project.full_path}:push"] }
+          end
+
+          it_behaves_like 'an inaccessible'
+          it_behaves_like 'not a container repository factory'
+        end
+
+        context 'disallow anyone to delete images' do
+          let(:current_params) do
+            { scopes: ["repository:#{project.full_path}:*"] }
+          end
+
+          it_behaves_like 'an inaccessible'
+          it_behaves_like 'not a container repository factory'
+        end
+
+        context 'disallow anyone to delete images since registry 2.7' do
+          let(:current_params) do
+            { scopes: ["repository:#{project.full_path}:delete"] }
+          end
+
+          it_behaves_like 'an inaccessible'
+          it_behaves_like 'not a container repository factory'
+        end
+      end
+
+      context 'for external user' do
+        context 'disallow anyone to pull or push images' do
+          let_it_be(:current_user) { create(:user, external: true) }
+          let(:current_params) do
+            { scopes: ["repository:#{project.full_path}:pull,push"] }
+          end
+
+          it_behaves_like 'an inaccessible'
+          it_behaves_like 'not a container repository factory'
+        end
+
+        context 'disallow anyone to delete images' do
+          let_it_be(:current_user) { create(:user, external: true) }
+          let(:current_params) do
+            { scopes: ["repository:#{project.full_path}:*"] }
+          end
+
+          it_behaves_like 'an inaccessible'
+          it_behaves_like 'not a container repository factory'
+        end
+
+        context 'disallow anyone to delete images since registry 2.7' do
+          let_it_be(:current_user) { create(:user, external: true) }
+          let(:current_params) do
+            { scopes: ["repository:#{project.full_path}:delete"] }
+          end
+
+          it_behaves_like 'an inaccessible'
+          it_behaves_like 'not a container repository factory'
+        end
+      end
+    end
+  end
+
+  context 'delete authorized as maintainer' do
+    let_it_be(:current_project) { create(:project) }
+    let_it_be(:current_user) { create(:user) }
+
+    let(:authentication_abilities) do
+      [:admin_container_image]
+    end
+
+    before_all do
+      current_project.add_maintainer(current_user)
+    end
+
+    it_behaves_like 'a valid token'
+
+    context 'allow to delete images' do
+      let(:current_params) do
+        { scopes: ["repository:#{current_project.full_path}:*"] }
+      end
+
+      it_behaves_like 'a deletable' do
+        let(:project) { current_project }
+      end
+    end
+
+    context 'allow to delete images since registry 2.7' do
+      let(:current_params) do
+        { scopes: ["repository:#{current_project.full_path}:delete"] }
+      end
+
+      it_behaves_like 'a deletable since registry 2.7' do
+        let(:project) { current_project }
+      end
+    end
+  end
+
+  context 'build authorized as user' do
+    let_it_be(:current_project) { create(:project) }
+    let_it_be(:current_user) { create(:user) }
+
+    let(:authentication_abilities) do
+      [:build_read_container_image, :build_create_container_image, :build_destroy_container_image]
+    end
+
+    before_all do
+      current_project.add_developer(current_user)
+    end
+
+    context 'allow to use offline_token' do
+      let(:current_params) do
+        { offline_token: true }
+      end
+
+      it_behaves_like 'an authenticated'
+    end
+
+    it_behaves_like 'a valid token'
+
+    context 'allow to pull and push images' do
+      let(:current_params) do
+        { scopes: ["repository:#{current_project.full_path}:pull,push"] }
+      end
+
+      it_behaves_like 'a pullable and pushable' do
+        let(:project) { current_project }
+      end
+
+      it_behaves_like 'container repository factory' do
+        let(:project) { current_project }
+      end
+    end
+
+    context 'allow to delete images since registry 2.7' do
+      let(:current_params) do
+        { scopes: ["repository:#{current_project.full_path}:delete"] }
+      end
+
+      it_behaves_like 'a deletable since registry 2.7' do
+        let(:project) { current_project }
+      end
+    end
+
+    context 'disallow to delete images' do
+      let(:current_params) do
+        { scopes: ["repository:#{current_project.full_path}:*"] }
+      end
+
+      it_behaves_like 'an inaccessible' do
+        let(:project) { current_project }
+      end
+    end
+
+    context 'for other projects' do
+      context 'when pulling' do
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:pull"] }
+        end
+
+        context 'allow for public' do
+          let_it_be(:project) { create(:project, :public) }
+
+          it_behaves_like 'a pullable'
+          it_behaves_like 'not a container repository factory'
+        end
+
+        shared_examples 'pullable for being team member' do
+          context 'when you are not member' do
+            it_behaves_like 'an inaccessible'
+            it_behaves_like 'not a container repository factory'
+          end
+
+          context 'when you are member' do
+            before_all do
+              project.add_developer(current_user)
+            end
+
+            it_behaves_like 'a pullable'
+            it_behaves_like 'not a container repository factory'
+          end
+
+          context 'when you are owner' do
+            let_it_be(:project) { create(:project, namespace: current_user.namespace) }
+
+            it_behaves_like 'a pullable'
+            it_behaves_like 'not a container repository factory'
+          end
+        end
+
+        context 'for private' do
+          let_it_be(:project) { create(:project, :private) }
+
+          it_behaves_like 'pullable for being team member'
+
+          context 'when you are admin' do
+            let_it_be(:current_user) { create(:admin) }
+
+            context 'when you are not member' do
+              it_behaves_like 'an inaccessible'
+              it_behaves_like 'not a container repository factory'
+            end
+
+            context 'when you are member' do
+              before_all do
+                project.add_developer(current_user)
+              end
+
+              it_behaves_like 'a pullable'
+              it_behaves_like 'not a container repository factory'
+            end
+
+            context 'when you are owner' do
+              let_it_be(:project) { create(:project, namespace: current_user.namespace) }
+
+              it_behaves_like 'a pullable'
+              it_behaves_like 'not a container repository factory'
+            end
+          end
+        end
+      end
+
+      context 'when pushing' do
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:push"] }
+        end
+
+        context 'disallow for all' do
+          context 'when you are member' do
+            let_it_be(:project) { create(:project, :public) }
+
+            before_all do
+              project.add_developer(current_user)
+            end
+
+            it_behaves_like 'an inaccessible'
+            it_behaves_like 'not a container repository factory'
+          end
+
+          context 'when you are owner' do
+            let_it_be(:project) { create(:project, :public, namespace: current_user.namespace) }
+
+            it_behaves_like 'an inaccessible'
+            it_behaves_like 'not a container repository factory'
+          end
+        end
+      end
+    end
+
+    context 'for project without container registry' do
+      let_it_be(:project) { create(:project, :public, container_registry_enabled: false) }
+
+      before do
+        project.update!(container_registry_enabled: false)
+      end
+
+      context 'disallow when pulling' do
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:pull"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+    end
+
+    context 'for project that disables repository' do
+      let_it_be(:project) { create(:project, :public, :repository_disabled) }
+
+      context 'disallow when pulling' do
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:pull"] }
+        end
+
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+    end
+  end
+
+  context 'registry catalog browsing authorized as admin' do
+    let_it_be(:current_user) { create(:user, :admin) }
+    let_it_be(:project) { create(:project, :public) }
+
+    let(:current_params) do
+      { scopes: ["registry:catalog:*"] }
+    end
+
+    it_behaves_like 'a browsable'
+  end
+
+  context 'support for multiple scopes' do
+    let_it_be(:internal_project) { create(:project, :internal) }
+    let_it_be(:private_project) { create(:project, :private) }
+
+    let(:current_params) do
+      {
+        scopes: [
+          "repository:#{internal_project.full_path}:pull",
+          "repository:#{private_project.full_path}:pull"
+        ]
+      }
+    end
+
+    context 'user has access to all projects' do
+      let_it_be(:current_user) { create(:user, :admin) }
+
+      before do
+        enable_admin_mode!(current_user)
+      end
+
+      it_behaves_like 'a browsable' do
+        let(:access) do
+          [
+            { 'type' => 'repository',
+              'name' => internal_project.full_path,
+              'actions' => ['pull'] },
+            { 'type' => 'repository',
+              'name' => private_project.full_path,
+              'actions' => ['pull'] }
+          ]
+        end
+      end
+    end
+
+    context 'user only has access to internal project' do
+      let_it_be(:current_user) { create(:user) }
+
+      it_behaves_like 'a browsable' do
+        let(:access) do
+          [
+            { 'type' => 'repository',
+              'name' => internal_project.full_path,
+              'actions' => ['pull'] }
+          ]
+        end
+      end
+    end
+
+    context 'anonymous access is rejected' do
+      let(:current_user) { nil }
+
+      it_behaves_like 'a forbidden'
+    end
+  end
+
+  context 'unauthorized' do
+    context 'disallow to use scope-less authentication' do
+      it_behaves_like 'a forbidden'
+      it_behaves_like 'not a container repository factory'
+    end
+
+    context 'for invalid scope' do
+      let(:current_params) do
+        { scopes: ['invalid:aa:bb'] }
+      end
+
+      it_behaves_like 'a forbidden'
+      it_behaves_like 'not a container repository factory'
+    end
+
+    context 'for private project' do
+      let_it_be(:project) { create(:project, :private) }
+
+      let(:current_params) do
+        { scopes: ["repository:#{project.full_path}:pull"] }
+      end
+
+      it_behaves_like 'a forbidden'
+    end
+
+    context 'for public project' do
+      let_it_be(:project) { create(:project, :public) }
+
+      context 'when pulling and pushing' do
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:pull,push"] }
+        end
+
+        it_behaves_like 'a pullable'
+        it_behaves_like 'not a container repository factory'
+      end
+
+      context 'when pushing' do
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:push"] }
+        end
+
+        it_behaves_like 'a forbidden'
+        it_behaves_like 'not a container repository factory'
+      end
+    end
+
+    context 'for registry catalog' do
+      let(:current_params) do
+        { scopes: ["registry:catalog:*"] }
+      end
+
+      it_behaves_like 'a forbidden'
+      it_behaves_like 'not a container repository factory'
+    end
+  end
+
+  context 'for deploy tokens' do
+    let(:current_params) do
+      { scopes: ["repository:#{project.full_path}:pull"] }
+    end
+
+    context 'when deploy token has read and write registry as scopes' do
+      let(:current_user) { create(:deploy_token, write_registry: true, projects: [project]) }
+
+      shared_examples 'able to login' do
+        context 'registry provides read_container_image authentication_abilities' do
+          let(:current_params) { {} }
+          let(:authentication_abilities) { [:read_container_image] }
+
+          it_behaves_like 'an authenticated'
+        end
+      end
+
+      context 'for public project' do
+        let_it_be(:project) { create(:project, :public) }
+
+        context 'when pulling' do
+          it_behaves_like 'a pullable'
+        end
+
+        context 'when pushing' do
+          let(:current_params) do
+            { scopes: ["repository:#{project.full_path}:push"] }
+          end
+
+          it_behaves_like 'a pushable'
+        end
+
+        it_behaves_like 'able to login'
+      end
+
+      context 'for internal project' do
+        let_it_be(:project) { create(:project, :internal) }
+
+        context 'when pulling' do
+          it_behaves_like 'a pullable'
+        end
+
+        context 'when pushing' do
+          let(:current_params) do
+            { scopes: ["repository:#{project.full_path}:push"] }
+          end
+
+          it_behaves_like 'a pushable'
+        end
+
+        it_behaves_like 'able to login'
+      end
+
+      context 'for private project' do
+        let_it_be(:project) { create(:project, :private) }
+
+        context 'when pulling' do
+          it_behaves_like 'a pullable'
+        end
+
+        context 'when pushing' do
+          let(:current_params) do
+            { scopes: ["repository:#{project.full_path}:push"] }
+          end
+
+          it_behaves_like 'a pushable'
+        end
+
+        it_behaves_like 'able to login'
+      end
+    end
+
+    context 'when deploy token does not have read_registry scope' do
+      let(:current_user) { create(:deploy_token, projects: [project], read_registry: false) }
+
+      shared_examples 'unable to login' do
+        context 'registry provides no container authentication_abilities' do
+          let(:current_params) { {} }
+          let(:authentication_abilities) { [] }
+
+          it_behaves_like 'a forbidden'
+        end
+
+        context 'registry provides inapplicable container authentication_abilities' do
+          let(:current_params) { {} }
+          let(:authentication_abilities) { [:download_code] }
+
+          it_behaves_like 'a forbidden'
+        end
+      end
+
+      context 'for public project' do
+        let_it_be(:project) { create(:project, :public) }
+
+        context 'when pulling' do
+          it_behaves_like 'a pullable'
+        end
+
+        it_behaves_like 'unable to login'
+      end
+
+      context 'for internal project' do
+        let_it_be(:project) { create(:project, :internal) }
+
+        context 'when pulling' do
+          it_behaves_like 'an inaccessible'
+        end
+
+        it_behaves_like 'unable to login'
+      end
+
+      context 'for private project' do
+        let_it_be(:project) { create(:project, :internal) }
+
+        context 'when pulling' do
+          it_behaves_like 'an inaccessible'
+        end
+
+        context 'when logging in' do
+          let(:current_params) { {} }
+          let(:authentication_abilities) { [] }
+
+          it_behaves_like 'a forbidden'
+        end
+
+        it_behaves_like 'unable to login'
+      end
+    end
+
+    context 'when deploy token is not related to the project' do
+      let_it_be(:current_user) { create(:deploy_token, read_registry: false) }
+
+      context 'for public project' do
+        let_it_be(:project) { create(:project, :public) }
+
+        context 'when pulling' do
+          it_behaves_like 'a pullable'
+        end
+      end
+
+      context 'for internal project' do
+        let_it_be(:project) { create(:project, :internal) }
+
+        context 'when pulling' do
+          it_behaves_like 'an inaccessible'
+        end
+      end
+
+      context 'for private project' do
+        let_it_be(:project) { create(:project, :internal) }
+
+        context 'when pulling' do
+          it_behaves_like 'an inaccessible'
+        end
+      end
+    end
+
+    context 'when deploy token has been revoked' do
+      let(:current_user) { create(:deploy_token, :revoked, projects: [project]) }
+
+      context 'for public project' do
+        let_it_be(:project) { create(:project, :public) }
+
+        it_behaves_like 'a pullable'
+      end
+
+      context 'for internal project' do
+        let_it_be(:project) { create(:project, :internal) }
+
+        it_behaves_like 'an inaccessible'
+      end
+
+      context 'for private project' do
+        let_it_be(:project) { create(:project, :internal) }
+
+        it_behaves_like 'an inaccessible'
+      end
+    end
+  end
+
+  context 'user authorization' do
+    let_it_be(:current_user) { create(:user) }
+
+    context 'with multiple scopes' do
+      let_it_be(:project) { create(:project) }
+
+      context 'allow developer to push images' do
+        before_all do
+          project.add_developer(current_user)
+        end
+
+        let(:current_params) do
+          { scopes: ["repository:#{project.full_path}:push"] }
+        end
+
+        it_behaves_like 'a pushable'
+        it_behaves_like 'container repository factory'
+      end
+    end
+  end
+end
diff --git a/spec/support/shared_examples/services/incident_shared_examples.rb b/spec/support/shared_examples/services/incident_shared_examples.rb
index 39c22ac8aa3..9fced12b543 100644
--- a/spec/support/shared_examples/services/incident_shared_examples.rb
+++ b/spec/support/shared_examples/services/incident_shared_examples.rb
@@ -11,11 +11,13 @@
 #
 #   include_examples 'incident issue'
 RSpec.shared_examples 'incident issue' do
-  let(:label_properties) { attributes_for(:label, :incident) }
-
   it 'has incident as issue type' do
     expect(issue.issue_type).to eq('incident')
   end
+end
+
+RSpec.shared_examples 'has incident label' do
+  let(:label_properties) { attributes_for(:label, :incident) }
 
   it 'has exactly one incident label' do
     expect(issue.labels).to be_one do |label|
diff --git a/spec/support/shared_examples/services/metrics/dashboard_shared_examples.rb b/spec/support/shared_examples/services/metrics/dashboard_shared_examples.rb
index 1501a2a0f52..b6c33eac7b4 100644
--- a/spec/support/shared_examples/services/metrics/dashboard_shared_examples.rb
+++ b/spec/support/shared_examples/services/metrics/dashboard_shared_examples.rb
@@ -46,7 +46,7 @@ RSpec.shared_examples 'refreshes cache when dashboard_version is changed' do
       allow(service).to receive(:dashboard_version).and_return('1', '2')
     end
 
-    expect(File).to receive(:read).twice.and_call_original
+    expect_file_read(Rails.root.join(described_class::DASHBOARD_PATH)).twice.and_call_original
 
     service = described_class.new(*service_params)
 
diff --git a/spec/support/shared_examples/services/packages_shared_examples.rb b/spec/support/shared_examples/services/packages_shared_examples.rb
index 7987f2c296b..70d29b4bc99 100644
--- a/spec/support/shared_examples/services/packages_shared_examples.rb
+++ b/spec/support/shared_examples/services/packages_shared_examples.rb
@@ -14,6 +14,24 @@ RSpec.shared_examples 'assigns build to package' do
   end
 end
 
+RSpec.shared_examples 'assigns build to package file' do
+  context 'with build info' do
+    let(:job) { create(:ci_build, user: user) }
+    let(:params) { super().merge(build: job) }
+
+    it 'assigns the pipeline to the package' do
+      package_file = subject
+
+      expect(package_file.package_file_build_infos).to be_present
+      expect(package_file.pipelines.first).to eq job.pipeline
+    end
+
+    it 'creates a new PackageFileBuildInfo record' do
+      expect { subject }.to change { Packages::PackageFileBuildInfo.count }.by(1)
+    end
+  end
+end
+
 RSpec.shared_examples 'assigns the package creator' do
   it 'assigns the package creator' do
     subject
diff --git a/spec/support/shared_examples/workers/concerns/reenqueuer_shared_examples.rb b/spec/support/shared_examples/workers/concerns/reenqueuer_shared_examples.rb
index 37f44f98cda..1b09b5fe613 100644
--- a/spec/support/shared_examples/workers/concerns/reenqueuer_shared_examples.rb
+++ b/spec/support/shared_examples/workers/concerns/reenqueuer_shared_examples.rb
@@ -10,6 +10,10 @@ RSpec.shared_examples 'reenqueuer' do
     expect(subject.lease_timeout).to be_a(ActiveSupport::Duration)
   end
 
+  it 'uses the :none deduplication strategy' do
+    expect(subject.class.get_deduplicate_strategy).to eq(:none)
+  end
+
   describe '#perform' do
     it 'tries to obtain a lease' do
       expect_to_obtain_exclusive_lease(subject.lease_key)
diff --git a/spec/support/shared_examples/workers/project_export_shared_examples.rb b/spec/support/shared_examples/workers/project_export_shared_examples.rb
new file mode 100644
index 00000000000..a9bcc3f4f7c
--- /dev/null
+++ b/spec/support/shared_examples/workers/project_export_shared_examples.rb
@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'export worker' do
+  describe '#perform' do
+    let!(:user) { create(:user) }
+    let!(:project) { create(:project) }
+
+    before do
+      allow_next_instance_of(described_class) do |job|
+        allow(job).to receive(:jid).and_return(SecureRandom.hex(8))
+      end
+    end
+
+    context 'when it succeeds' do
+      it 'calls the ExportService' do
+        expect_next_instance_of(::Projects::ImportExport::ExportService) do |service|
+          expect(service).to receive(:execute)
+        end
+
+        subject.perform(user.id, project.id, { 'klass' => 'Gitlab::ImportExport::AfterExportStrategies::DownloadNotificationStrategy' })
+      end
+
+      context 'export job' do
+        before do
+          allow_next_instance_of(::Projects::ImportExport::ExportService) do |service|
+            allow(service).to receive(:execute)
+          end
+        end
+
+        it 'creates an export job record for the project' do
+          expect { subject.perform(user.id, project.id, {}) }.to change { project.export_jobs.count }.from(0).to(1)
+        end
+
+        it 'sets the export job status to started' do
+          expect_next_instance_of(ProjectExportJob) do |job|
+            expect(job).to receive(:start)
+          end
+
+          subject.perform(user.id, project.id, {})
+        end
+
+        it 'sets the export job status to finished' do
+          expect_next_instance_of(ProjectExportJob) do |job|
+            expect(job).to receive(:finish)
+          end
+
+          subject.perform(user.id, project.id, {})
+        end
+      end
+    end
+
+    context 'when it fails' do
+      it 'does not raise an exception when strategy is invalid' do
+        expect(::Projects::ImportExport::ExportService).not_to receive(:new)
+
+        expect { subject.perform(user.id, project.id, { 'klass' => 'Whatever' }) }.not_to raise_error
+      end
+
+      it 'does not raise error when project cannot be found' do
+        expect { subject.perform(user.id, non_existing_record_id, {}) }.not_to raise_error
+      end
+
+      it 'does not raise error when user cannot be found' do
+        expect { subject.perform(non_existing_record_id, project.id, {}) }.not_to raise_error
+      end
+    end
+  end
+
+  describe 'sidekiq options' do
+    it 'disables retry' do
+      expect(described_class.sidekiq_options['retry']).to eq(false)
+    end
+
+    it 'disables dead' do
+      expect(described_class.sidekiq_options['dead']).to eq(false)
+    end
+
+    it 'sets default status expiration' do
+      expect(described_class.sidekiq_options['status_expiration']).to eq(StuckExportJobsWorker::EXPORT_JOBS_EXPIRATION)
+    end
+  end
+end
diff --git a/spec/support/snowplow.rb b/spec/support/snowplow.rb
index b67fa96fab8..0d6102f1705 100644
--- a/spec/support/snowplow.rb
+++ b/spec/support/snowplow.rb
@@ -9,12 +9,15 @@ RSpec.configure do |config|
     # WebMock is set up to allow requests to `localhost`
     host = 'localhost'
 
+    allow_any_instance_of(Gitlab::Tracking::Destinations::ProductAnalytics).to receive(:event)
+
     allow_any_instance_of(Gitlab::Tracking::Destinations::Snowplow)
       .to receive(:emitter)
       .and_return(SnowplowTracker::Emitter.new(host, buffer_size: buffer_size))
 
     stub_application_setting(snowplow_enabled: true)
 
+    allow(SnowplowTracker::SelfDescribingJson).to receive(:new).and_call_original
     allow(Gitlab::Tracking).to receive(:event).and_call_original # rubocop:disable RSpec/ExpectGitlabTracking
   end