Add latest changes from gitlab-org/gitlab@12-4-stable-ee

CHANGELOG-EE.md

 Please view this file on the master branch, on stable branches it's out of date.
+## 12.4.1
+
+### Security (6 changes)
+
+- Do not display project labels that are not visible for user accessing group labels.
+- Do not index system notes for issue update.
+- Redact search results based on Ability.allowed?.
+- Do not show private cross references in epic notes.
+- Filter out packages the user does'nt have permission to see at group level.
+- Fixes a Open Redirect issue in `InternalRedirect`.
+
+
+## 12.4.0
+
+### Security (2 changes)
+
+- Prevent IDOR when adding groups to protected environments.
+- Hide approvers if a rule has any hidden groups.
+
+### Removed (1 change)
+
+- Remove db_load_balancing_index gauge metric. !17561
+
+### Fixed (26 changes, 1 of them is from the community)
+
+- Admin settings errors now shown in the correct panel. !14374
+- Add missing error handling for epic quick actions. !15648
+- Fix project exports clobbering concurrent export paths. !16280
+- Fixes scroll handle icon in time series. !16354
+- Remove hardcoded Medium confidence for Container Scanning vulnerabilities. !16395
+- Fixed renaming changed files. !16539
+- Fix project-defined metrics dashboards not rendering. !16589
+- Remove duplication of Licenses in Dependency List page. !16946
+- Backfill SPDX identifiers in software_licenses table. !17004
+- Monitor charts: Validate form for creating an alert before submitting. !17109
+- Hide Push rules link when you dont have a license installed. !17530
+- Operations Dashboard: fix minimum query message. !17574
+- Fix page layout for sidebar on designs view. !17579
+- Display error for invalid insights config. !17589
+- Display appropriate approval status icon next to license. !17613
+- Fix deduplication of WASC vulnerabilities in the Security dashboard. !17778
+- Fix burndown negative count edge case. !18053
+- Change design management empty state button style. !18060 (George Tsiolis)
+- Decouple dependency list parser from v1.0 license scanning report. !18103
+- Respect Group SSO Enforcement on projects where the user is an owner. !18154
+- Scoped labels do not remove old label in board sidebar. !18313
+- Restrict number of users input to positive numbers. !18381
+- Fix undefined method log_geo_deleted_event for MergeRequestDiff. !18405
+- Add default empty values to prevent parser errors from approving the Vulnerability-Check rule. !18423
+- Fix time tracking info when the sidebar is collapsed.
+- Fix Discussion tab counter on Issues.
+
+### Changed (18 changes, 1 of them is from the community)
+
+- Style burndown charts with gitlab-ui. !15463
+- Add epic_iid parameter to issues API. !15640
+- Use a single badge to show number of active alerts on metrics dashboards. !15789
+- Allow files with .svg extensions to be uploaded as designs for Design Management. !16160
+- Implement dismissal behaviour when dismissed vulnerabilities are hidden. !16207
+- Remove environment_metrics_show_multiple_dashboards feature flag. !16640
+- Make name an optional parameter of releases. !16647
+- Expose epics closed_at on API. !17156
+- Add static_context API param when editing GitHub project service. !17397
+- Support variable expansion in branch property of bridge jobs. !17430
+- Add environment dropdown to pod logs screen. !17532
+- Parse v2 license scanning reports. !17646
+- Remove broken HTML5 routing behaviour from Pipeline Security Dashboard. !17767
+- Change Prometheus Alert details list from bulleted to description list. !18116 (Vitali Tatarintev)
+- Check for software license violations using SPDX identifiers. !18300
+- Move 'Advanced search' message to search page title. !18349
+- Add alert message for feature 'require approval from code owners' being moved. !18715
+- Enable Productivity Analytics feature by default. !18754
+
+### Performance (1 change)
+
+- Reduce excessive GC on pull mirrors. !17931
+
+### Added (35 changes)
+
+- Allow Design Management files and data to be included in the project exporter/importer. !14702
+- Create system notes for design events. !14791
+- Paginate SCIM responses using count and startIndex. !14892
+- Front-End UI for design deletion. !15034
+- Add max issue count to lists. !15116
+- Sign in / sign up step for trial. !15289
+- Add notification for updated privacy policy. !15435
+- Show Billing Plan as Cards in profile and groups. !15437
+- Add Audit Event API. !15698
+- Add configurable Code Owner approvals for protected branches. !15862
+- Add Alerts Service to Projects. !16117
+- Add Conan check_credentials API endpoint. !16215
+- Initial endpoint for exposing Cycle Analytics stages for the new frontend. !16240
+- Add ability to multi select issue board cards. !16317
+- Add License-Check approval UI. !16371
+- Add links to associated releases on Tags page. !16479
+- Frontend implementation for improved trial sign-up experience for GitLab.com (SaaS) users. !16732
+- Return Todos for Designs via the REST API. !16885
+- Set active insights dashboard tab from hash fragment. !16904
+- Extend group IP restriction to Git activity. !16980
+- Inactivate pipeline retries for Merge Trains. !17065
+- Expose time when the build was generated. !17113
+- Add new table for recording commit counts per file. !17277
+- Add vendored template for Browser Performance Testing. !17319
+- Link Gitlab managed Prometheus alerts and issues. !17477
+- Disable insights tab navigation whilst current page loads. !17678
+- Drop all merge requests from merge trains when the project-level setting is disabled. !17774
+- Implement DAST for default branches. !17789
+- Add rack attack settings for prometheus and generic alert endpoint. !17859
+- Add Licenses list backend usage ping. !17925
+- Associate self-managed Prometheus Alerts and Issues. !18046
+- Operator can see all projects using an instance level cluster. !18173
+- Expose subscribed attribute for Epics in GraphQL. !18607
+- Expose epic participants on GraphQL. !18691
+- Adds a generic alert integration which can accept alerts from any source via a generic webhook receiver.
+
+### Other (4 changes)
+
+- Productivity analytics: Add scatterplot. !15569
+- Updated sidebar navigation icons to be horizontally centered when bar is condensed. !16820
+- Pin major version of SAST analyzers. !17110
+- Docs for protected branch code owner approval API. !17132
+
+
 ## 12.3.4
 ### Fixed (2 changes)

CHANGELOG.md

@@ -4,11 +4,12 @@ entry.
 ## 12.4.1
-### Security (12 changes)
+### Security (14 changes)
 - Standardize error response when route is missing.
 - Do not display project labels that are not visible for user accessing group labels.
 - Show cross-referenced label and milestones in issues' activities only to authorized users.
+- Show cross-referenced label and milestones in issues' activities only to authorized users.
 - Analyze incoming GraphQL queries and check for recursion.
 - Disallow unprivileged users from commenting on private repository commits.
 - Don't allow maintainers of a target project to delete the source branch of a merge request from a fork.
@@ -17,6 +18,7 @@ entry.
 - Return 404 on LFS request if project doesn't exist.
 - Mask sentry auth token in Error Tracking dashboard.
 - Fixes a Open Redirect issue in `InternalRedirect`.
+- Remove deploy access level when project/group link is deleted.
 - Sanitize all wiki markup formats with GitLab sanitization pipelines.

VERSION

-12.4.1
+12.4.1-ee

app/assets/javascripts/lib/utils/forms.js

@@ -4,7 +4,11 @@ export const serializeFormEntries = entries =>
 export const serializeForm = form => {
   const fdata = new FormData(form);
   const entries = Array.from(fdata.keys()).map(key => {
-    const val = fdata.getAll(key);
+    let val = fdata.getAll(key);
+    // Microsoft Edge has a bug in FormData.getAll() that returns an undefined
+    // value for each form element that does not match the given key:
+    // https://github.com/jimmywarting/FormData/issues/80
+    val = val.filter(n => n);
     return { name: key, value: val.length === 1 ? val[0] : val };
   });

app/assets/javascripts/monitoring/utils.js

@@ -41,7 +41,7 @@ export const isValidDate = dateString => {
       return true;
     }
     return false;
-  } catch {
+  } catch (e) {
     return false;
   }
 };

app/controllers/concerns/uploads_actions.rb

@@ -34,7 +34,7 @@ module UploadsActions
     headers['Pragma'] = ''
     ttl, directives = *cache_settings
-    ttl ||= 6.months
+    ttl ||= 0
     directives ||= { private: true, must_revalidate: true }
     expires_in ttl, directives

app/models/user.rb

@@ -59,7 +59,7 @@ class User < ApplicationRecord
   # Removed in GitLab 12.3. Keep until after 2019-09-22.
   self.ignored_columns += %i[support_bot]
-  MINIMUM_INACTIVE_DAYS = 14
+  MINIMUM_INACTIVE_DAYS = 180
   # Override Devise::Models::Trackable#update_tracked_fields!
   # to limit database writes to at most once every hour

app/views/dashboard/projects/_blank_state_admin_welcome.html.haml

@@ -4,7 +4,7 @@
   = link_to new_project_path, class: "blank-state blank-state-link" do
     .blank-state-icon
-      = image_tag("illustrations/welcome/add_new_project")
+      = custom_icon("add_new_project", size: 50)
     .blank-state-body
       %h3.blank-state-title
         Create a project
@@ -14,7 +14,7 @@
   - if current_user.can_create_group?
     = link_to new_group_path, class: "blank-state blank-state-link" do
       .blank-state-icon
-        = image_tag("illustrations/welcome/add_new_group")
+        = custom_icon("add_new_group", size: 50)
       .blank-state-body
         %h3.blank-state-title
           Create a group
@@ -23,7 +23,7 @@
     = link_to new_admin_user_path, class: "blank-state blank-state-link" do
       .blank-state-icon
-        = image_tag("illustrations/welcome/add_new_user")
+        = custom_icon("add_new_user", size: 50)
       .blank-state-body
         %h3.blank-state-title
           Add people
@@ -32,7 +32,7 @@
   = link_to admin_root_path, class: "blank-state blank-state-link" do
     .blank-state-icon
-      = image_tag("illustrations/welcome/configure_server")
+      = custom_icon("configure_server", size: 50)
     .blank-state-body
       %h3.blank-state-title
         Configure GitLab

app/views/dashboard/projects/_blank_state_welcome.html.haml

@@ -4,7 +4,7 @@
   - if current_user.can_create_project?
     = link_to new_project_path, class: "blank-state blank-state-link" do
       .blank-state-icon
-        = image_tag("illustrations/welcome/add_new_project")
+        = custom_icon("add_new_project", size: 50)
       .blank-state-body
         %h3.blank-state-title
           Create a project
@@ -13,7 +13,7 @@
   - else
     .blank-state
       .blank-state-icon
-        = image_tag("illustrations/welcome/add_new_project")
+        = custom_icon("add_new_project", size: 50)
       .blank-state-body
         %h3.blank-state-title
           Create a project
@@ -23,7 +23,7 @@
   - if current_user.can_create_group?
     = link_to new_group_path, class: "blank-state blank-state-link" do
       .blank-state-icon
-        = image_tag("illustrations/welcome/add_new_group")
+        = custom_icon("add_new_group", size: 50)
       .blank-state-body
         %h3.blank-state-title
           Create a group
@@ -33,7 +33,7 @@
   - if public_project_count > 0
     = link_to trending_explore_projects_path, class: "blank-state blank-state-link" do
       .blank-state-icon
-        = image_tag("illustrations/welcome/globe")
+        = custom_icon("globe", size: 50)
       .blank-state-body
         %h3.blank-state-title
           Explore public projects
@@ -46,7 +46,7 @@
   = link_to "https://docs.gitlab.com/", class: "blank-state blank-state-link" do
     .blank-state-icon
-      = image_tag("illustrations/welcome/lightbulb")
+      = custom_icon("lightbulb", size: 50)
     .blank-state-body
       %h3.blank-state-title
         Learn more about GitLab

app/views/shared/_auto_devops_implicitly_enabled_banner.html.haml

@@ -7,3 +7,7 @@
       = link_to _('Settings'), project_settings_ci_cd_path(project), class: 'alert-link'
       |
       = link_to _('Dismiss'), '#', class: 'hide-auto-devops-implicitly-enabled-banner alert-link', data: { project_id: project.id }
+    - unless Gitlab.config.registry.enabled
+      %div
+        = icon('exclamation-triangle')
+        = _('Container registry is not enabled on this GitLab instance. Ask an administrator to enable it in order for AutoDevOps to work.')

changelogs/unreleased/34684-job-log.yml

+---
+title: Removes arrow icons for old collapsible sections
+merge_request:
+author:
+type: fixed

changelogs/unreleased/34887-fix-prom-duplicate-metrics.yml

+---
+title: Fix Prometheus duplicate metrics
+merge_request: 19327
+author:
+type: fixed

changelogs/unreleased/35337-images-stopped-loading-signed-urls-of-uploads-expire-earlier-than-r.yml

+---
+title: Disable upload HTTP caching to fix case when object storage is enabled and
+  proxy_download is disabled
+merge_request: 19494
+author:
+type: fixed

changelogs/unreleased/dz-ask-users-to-enable-registry.yml

+---
+title: Add extra sentence about registry to AutoDevOps popup
+merge_request: 19092
+author:
+type: changed

changelogs/unreleased/ph-34768-fixIconsNotLoading.yml

+---
+title: Fixed welcome screen icons not showing
+merge_request: 19148
+author:
+type: fixed

changelogs/unreleased/sh-change-throttle-protected-paths-default.yml

+---
+title: Disable protected path throttling by default
+merge_request: 19185
+author:
+type: fixed

changelogs/unreleased/sh-clean-duplicate-ci-trigger-request-indexes.yml

+---
+title: Clean up duplicate indexes on ci_trigger_requests
+merge_request: 19053
+author:
+type: fixed

changelogs/unreleased/sh-fix-grpc-timeouts-backup.yml

+---
+title: Extend gRPC timeouts for Rake tasks
+merge_request: 19461
+author:
+type: fixed

changelogs/unreleased/sh-fix-project-import-commit-status.yml

+---
+title: Fix project imports not working with serialized data
+merge_request: 19124
+author:
+type: fixed

changelogs/unreleased/sh-workaround-ms-edge-form-bug.yml

+---
+title: Fix ref switcher not working on Microsoft Edge
+merge_request: 19335
+author:
+type: fixed