12 files changed, 63 insertions, 51 deletions

diff --git a/app/services/projects/create_service.rb b/app/services/projects/create_service.rb
index 7dd9280e5b1..9a5c260e488 100644
--- a/app/services/projects/create_service.rb
+++ b/app/services/projects/create_service.rb
@@ -108,11 +108,7 @@ module Projects
 
       current_user.invalidate_personal_projects_count
 
-      if Feature.enabled?(:projects_post_creation_worker, current_user, default_enabled: :yaml)
-        Projects::PostCreationWorker.perform_async(@project.id)
-      else
-        create_prometheus_service
-      end
+      Projects::PostCreationWorker.perform_async(@project.id)
 
       create_readme if @initialize_with_readme
     end
@@ -151,7 +147,7 @@ module Projects
         branch_name: @default_branch.presence || @project.default_branch_or_main,
         commit_message: 'Initial commit',
         file_path: 'README.md',
-        file_content: "# #{@project.name}\n\n#{@project.description}"
+        file_content: experiment(:new_project_readme_content, namespace: @project.namespace).run_with(@project)
       }
 
       Files::CreateService.new(@project, current_user, commit_attrs).execute
@@ -191,25 +187,6 @@ module Projects
       @project
     end
 
-    # Deprecated: https://gitlab.com/gitlab-org/gitlab/-/issues/326665
-    def create_prometheus_service
-      service = @project.find_or_initialize_service(::PrometheusService.to_param)
-
-      # If the service has already been inserted in the database, that
-      # means it came from a template, and there's nothing more to do.
-      return if service.persisted?
-
-      if service.prometheus_available?
-        service.save!
-      else
-        @project.prometheus_service = nil
-      end
-
-    rescue ActiveRecord::RecordInvalid => e
-      Gitlab::ErrorTracking.track_exception(e, extra: { project_id: project.id })
-      @project.prometheus_service = nil
-    end
-
     def set_project_name_from_path
       # if both name and path set - everything is ok
       return if @project.name.present? && @project.path.present?
diff --git a/app/services/projects/group_links/create_service.rb b/app/services/projects/group_links/create_service.rb
index fc5c936b378..a0232779c97 100644
--- a/app/services/projects/group_links/create_service.rb
+++ b/app/services/projects/group_links/create_service.rb
@@ -13,7 +13,7 @@ module Projects
         )
 
         if link.save
-          setup_authorizations(group, link.group_access)
+          setup_authorizations(group)
           success(link: link)
         else
           error(link.errors.full_messages.to_sentence, 409)
@@ -22,9 +22,8 @@ module Projects
 
       private
 
-      def setup_authorizations(group, group_access = nil)
-        AuthorizedProjectUpdate::ProjectGroupLinkCreateWorker.perform_async(
-          project.id, group.id, group_access)
+      def setup_authorizations(group)
+        AuthorizedProjectUpdate::ProjectRecalculateWorker.perform_async(project.id)
 
         # AuthorizedProjectsWorker uses an exclusive lease per user but
         # specialized workers might have synchronization issues. Until we
diff --git a/app/services/projects/group_links/update_service.rb b/app/services/projects/group_links/update_service.rb
index 7de4b7a211d..475ab17f1a1 100644
--- a/app/services/projects/group_links/update_service.rb
+++ b/app/services/projects/group_links/update_service.rb
@@ -12,15 +12,29 @@ module Projects
       def execute(group_link_params)
         group_link.update!(group_link_params)
 
-        if requires_authorization_refresh?(group_link_params)
-          group_link.group.refresh_members_authorized_projects
-        end
+        refresh_authorizations if requires_authorization_refresh?(group_link_params)
       end
 
       private
 
       attr_reader :group_link
 
+      def refresh_authorizations
+        if Feature.enabled?(:specialized_worker_for_project_share_update_auth_recalculation)
+          AuthorizedProjectUpdate::ProjectRecalculateWorker.perform_async(project.id)
+
+          # Until we compare the inconsistency rates of the new specialized worker and
+          # the old approach, we still run AuthorizedProjectsWorker
+          # but with some delay and lower urgency as a safety net.
+          group_link.group.refresh_members_authorized_projects(
+            blocking: false,
+            priority: UserProjectAccessChangedService::LOW_PRIORITY
+          )
+        else
+          group_link.group.refresh_members_authorized_projects
+        end
+      end
+
       def requires_authorization_refresh?(params)
         params.include?(:group_access)
       end
diff --git a/app/services/projects/lfs_pointers/lfs_download_service.rb b/app/services/projects/lfs_pointers/lfs_download_service.rb
index 9e2edf7c4ef..fe9dce26029 100644
--- a/app/services/projects/lfs_pointers/lfs_download_service.rb
+++ b/app/services/projects/lfs_pointers/lfs_download_service.rb
@@ -22,7 +22,7 @@ module Projects
       def execute
         return unless project&.lfs_enabled? && lfs_download_object
         return error("LFS file with oid #{lfs_oid} has invalid attributes") unless lfs_download_object.valid?
-        return link_existing_lfs_object! if lfs_size > LARGE_FILE_SIZE && lfs_object
+        return link_existing_lfs_object! if Feature.enabled?(:lfs_link_existing_object, project, default_enabled: :yaml) && lfs_size > LARGE_FILE_SIZE && lfs_object
 
         wrap_download_errors do
           download_lfs_file!
@@ -61,8 +61,10 @@ module Projects
       def download_and_save_file!(file)
         digester = Digest::SHA256.new
         fetch_file do |fragment|
-          digester << fragment
-          file.write(fragment)
+          if digest_fragment?(fragment)
+            digester << fragment
+            file.write(fragment)
+          end
 
           raise_size_error! if file.size > lfs_size
         end
@@ -71,6 +73,10 @@ module Projects
         raise_oid_error! if digester.hexdigest != lfs_oid
       end
 
+      def digest_fragment?(fragment)
+        fragment.http_response.is_a?(Net::HTTPSuccess)
+      end
+
       def download_options
         http_options = { headers: lfs_headers, stream_body: true }
 
diff --git a/app/services/projects/operations/update_service.rb b/app/services/projects/operations/update_service.rb
index c0734171ee5..2cc6bcdf57c 100644
--- a/app/services/projects/operations/update_service.rb
+++ b/app/services/projects/operations/update_service.rb
@@ -102,10 +102,10 @@ module Projects
       def prometheus_integration_params
         return {} unless attrs = params[:prometheus_integration_attributes]
 
-        service = project.find_or_initialize_service(::PrometheusService.to_param)
-        service.assign_attributes(attrs)
+        integration = project.find_or_initialize_integration(::Integrations::Prometheus.to_param)
+        integration.assign_attributes(attrs)
 
-        { prometheus_service_attributes: service.attributes.except(*%w(id project_id created_at updated_at)) }
+        { prometheus_integration_attributes: integration.attributes.except(*%w[id project_id created_at updated_at]) }
       end
 
       def incident_management_setting_params
diff --git a/app/services/projects/overwrite_project_service.rb b/app/services/projects/overwrite_project_service.rb
index e681b5643ee..6be3b1b5a6f 100644
--- a/app/services/projects/overwrite_project_service.rb
+++ b/app/services/projects/overwrite_project_service.rb
@@ -20,7 +20,7 @@ module Projects
     rescue Exception => e # rubocop:disable Lint/RescueException
       attempt_restore_repositories(source_project)
 
-      if e.class == Exception
+      if e.instance_of?(Exception)
         raise StandardError, e.message
       else
         raise
diff --git a/app/services/projects/prometheus/alerts/notify_service.rb b/app/services/projects/prometheus/alerts/notify_service.rb
index e1eb1374d14..c1bf2e68436 100644
--- a/app/services/projects/prometheus/alerts/notify_service.rb
+++ b/app/services/projects/prometheus/alerts/notify_service.rb
@@ -67,7 +67,7 @@ module Projects
         end
 
         def valid_for_manual?(token)
-          prometheus = project.find_or_initialize_service('prometheus')
+          prometheus = project.find_or_initialize_integration('prometheus')
           return false unless prometheus.manual_configuration?
 
           if setting = project.alerting_setting
diff --git a/app/services/projects/protect_default_branch_service.rb b/app/services/projects/protect_default_branch_service.rb
index 1d3fb523448..0111b9e377a 100644
--- a/app/services/projects/protect_default_branch_service.rb
+++ b/app/services/projects/protect_default_branch_service.rb
@@ -22,7 +22,7 @@ module Projects
       # Ensure HEAD points to the default branch in case it is not master
       project.change_head(default_branch)
 
-      create_protected_branch if protect_branch?
+      create_protected_branch if protect_branch? && !protected_branch_exists?
     end
 
     def create_protected_branch
@@ -44,6 +44,10 @@ module Projects
         !ProtectedBranch.protected?(project, default_branch)
     end
 
+    def protected_branch_exists?
+      project.protected_branches.find_by_name(default_branch).present?
+    end
+
     def default_branch
       project.default_branch
     end
diff --git a/app/services/projects/transfer_service.rb b/app/services/projects/transfer_service.rb
index d9e49dfae61..fb0fea756bc 100644
--- a/app/services/projects/transfer_service.rb
+++ b/app/services/projects/transfer_service.rb
@@ -139,7 +139,19 @@ module Projects
       user_ids = @old_namespace.user_ids_for_project_authorizations |
         @new_namespace.user_ids_for_project_authorizations
 
-      UserProjectAccessChangedService.new(user_ids).execute
+      if Feature.enabled?(:specialized_worker_for_project_transfer_auth_recalculation)
+        AuthorizedProjectUpdate::ProjectRecalculateWorker.perform_async(project.id)
+
+        # Until we compare the inconsistency rates of the new specialized worker and
+        # the old approach, we still run AuthorizedProjectsWorker
+        # but with some delay and lower urgency as a safety net.
+        UserProjectAccessChangedService.new(user_ids).execute(
+          blocking: false,
+          priority: UserProjectAccessChangedService::LOW_PRIORITY
+        )
+      else
+        UserProjectAccessChangedService.new(user_ids).execute
+      end
     end
 
     def rollback_side_effects
diff --git a/app/services/projects/update_pages_service.rb b/app/services/projects/update_pages_service.rb
index 8ea35131339..a90c22c7de5 100644
--- a/app/services/projects/update_pages_service.rb
+++ b/app/services/projects/update_pages_service.rb
@@ -31,10 +31,11 @@ module Projects
       register_attempt
 
       # Create status notifying the deployment of pages
-      @status = create_status
-      @status.update_older_statuses_retried! if Feature.enabled?(:ci_fix_commit_status_retried, project, default_enabled: :yaml)
-      @status.enqueue!
-      @status.run!
+      @status = build_commit_status
+      ::Ci::Pipelines::AddJobService.new(@build.pipeline).execute!(@status) do |job|
+        job.enqueue!
+        job.run!
+      end
 
       raise InvalidStateError, 'missing pages artifacts' unless build.artifacts?
       raise InvalidStateError, 'build SHA is outdated for this ref' unless latest?
@@ -70,12 +71,9 @@ module Projects
       super
     end
 
-    def create_status
+    def build_commit_status
       GenericCommitStatus.new(
-        project: project,
-        pipeline: build.pipeline,
         user: build.user,
-        ref: build.ref,
         stage: 'deploy',
         name: 'pages:deploy'
       )
diff --git a/app/services/projects/update_remote_mirror_service.rb b/app/services/projects/update_remote_mirror_service.rb
index eac84337967..6c29ba81910 100644
--- a/app/services/projects/update_remote_mirror_service.rb
+++ b/app/services/projects/update_remote_mirror_service.rb
@@ -65,7 +65,7 @@ module Projects
 
       # TODO: Support LFS sync over SSH
       # https://gitlab.com/gitlab-org/gitlab/-/issues/249587
-      return unless remote_mirror.url =~ /\Ahttps?:\/\//i
+      return unless remote_mirror.url =~ %r{\Ahttps?://}i
       return unless remote_mirror.password_auth?
 
       Lfs::PushService.new(
diff --git a/app/services/projects/update_service.rb b/app/services/projects/update_service.rb
index 4351a66351d..d6e7f165d72 100644
--- a/app/services/projects/update_service.rb
+++ b/app/services/projects/update_service.rb
@@ -66,6 +66,8 @@ module Projects
       previous_default_branch = project.default_branch
 
       if project.change_head(params[:default_branch])
+        params[:previous_default_branch] = previous_default_branch
+
         after_default_branch_change(previous_default_branch)
       else
         raise ValidationError, s_("UpdateProject|Could not set the default branch")