Add latest changes from gitlab-org/gitlab@12-7-stable-ee

cb0d23c4 · GitLab Bot · c3e911be · cb0d23c4 · cb0d23c4 · cb0d23c4
Commit cb0d23c4 authored 5 years ago by GitLab Bot
--- a/.eslintrc.yml
+++ b/.eslintrc.yml
@@ -42,17 +42,13 @@ rules:
  lines-between-class-members: off
  # Disabled for now, to make the plugin-vue 4.5 -> 5.0 update smoother
  vue/no-confusing-v-for-v-if: error
-  vue/no-unused-components: off
  vue/no-use-v-if-with-v-for: off
  vue/no-v-html: off
  vue/use-v-on-exact: off
-  no-jquery/no-animate: off
  # all offenses of no-jquery/no-animate-toggle are false positives ( $toast.show() )
  no-jquery/no-animate-toggle: off
  no-jquery/no-event-shorthand: off
-  no-jquery/no-fade: off
  no-jquery/no-serialize: error
-  no-jquery/no-sizzle: off
  promise/always-return: off
  promise/no-callback-in-promise: off
 overrides:

--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@
 .bundle
 .chef
 .directory
+.eslintcache
 /.envrc
 eslint-report.html
 /.gitlab_shell_secret
@@ -85,3 +86,4 @@ jsdoc/
 .projections.json
 /qa/.rakeTasks
 webpack-dev-server.json
+/.nvimrc
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
-image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.3-golang-1.12-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-postgresql-9.6-graphicsmagick-1.3.33"
+image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.5-golang-1.12-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-postgresql-9.6-graphicsmagick-1.3.33"
  
 stages:
  - sync
@@ -10,7 +10,6 @@ stages:
  - review
  - qa
  - post-qa
-  - notification
  - pages
  
 variables:
@@ -36,13 +35,13 @@ include:
  - local: .gitlab/ci/frontend.gitlab-ci.yml
  - local: .gitlab/ci/global.gitlab-ci.yml
  - local: .gitlab/ci/memory.gitlab-ci.yml
-  - local: .gitlab/ci/notifications.gitlab-ci.yml
  - local: .gitlab/ci/pages.gitlab-ci.yml
  - local: .gitlab/ci/qa.gitlab-ci.yml
  - local: .gitlab/ci/reports.gitlab-ci.yml
  - local: .gitlab/ci/rails.gitlab-ci.yml
  - local: .gitlab/ci/review.gitlab-ci.yml
  - local: .gitlab/ci/setup.gitlab-ci.yml
+  - local: .gitlab/ci/dev-fixtures.gitlab-ci.yml
  - local: .gitlab/ci/test-metadata.gitlab-ci.yml
  - local: .gitlab/ci/yaml.gitlab-ci.yml
  - local: .gitlab/ci/releases.gitlab-ci.yml
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@@ -3,7 +3,8 @@
 *.rake @gitlab-org/maintainers/rails-backend
  
 # Technical writing team are the default reviewers for everything in `doc/`
-/doc/ @gl-docsteam
+*.md @gl-docsteam
+doc/ @gl-docsteam
  
 # Frontend maintainers should see everything in `app/assets/`
 app/assets/ @gitlab-org/maintainers/frontend

--- a/.gitlab/ci/cache-repo.gitlab-ci.yml
+++ b/.gitlab/ci/cache-repo.gitlab-ci.yml
@@ -18,16 +18,23 @@
 # runner, or network egress charges will apply:
 # https://cloud.google.com/storage/pricing
 cache-repo:
-  extends:
-    - .only:variables_refs-canonical-dot-com-schedules
  image: gcr.io/google.com/cloudsdktool/cloud-sdk:alpine
  stage: sync
  allow_failure: true
  variables:
-    GIT_DEPTH: 0
+    GIT_STRATEGY: none
    TAR_FILENAME: /tmp/gitlab-master.tar
  script:
+    - cd ..
+    - rm -rf $CI_PROJECT_NAME
+    - git clone --progress $CI_REPOSITORY_URL $CI_PROJECT_NAME
+    - cd $CI_PROJECT_NAME
    - gcloud auth activate-service-account --key-file=$CI_REPO_CACHE_CREDENTIALS
    - tar cf $TAR_FILENAME .
    - gzip $TAR_FILENAME
    - gsutil cp $TAR_FILENAME.gz gs://gitlab-ci-git-repo-cache/project-$CI_PROJECT_ID/gitlab-master.tar.gz
+  only:
+    variables:
+      - $CI_REPO_CACHE_CREDENTIALS
+    refs:
+      - schedules
--- a/.gitlab/ci/dev-fixtures.gitlab-ci.yml
+++ b/.gitlab/ci/dev-fixtures.gitlab-ci.yml
+.run-dev-fixtures:
+  extends:
+    - .only-code-rails-job-base
+    - .use-pg9
+  stage: test
+  needs: ["setup-test-env"]
+  dependencies: ["setup-test-env"]
+  variables:
+    FIXTURE_PATH: "db/fixtures/development"
+    SEED_CYCLE_ANALYTICS: "true"
+    SEED_PRODUCTIVITY_ANALYTICS: "true"
+    CYCLE_ANALYTICS_ISSUE_COUNT: 1
+    SIZE: 0 # number of external projects to fork, requires network connection
+    # SEED_NESTED_GROUPS: "false" # requires network connection
+
+run-dev-fixtures-foss:
+  extends: .run-dev-fixtures
+  script:
+    - scripts/gitaly-test-spawn
+    - RAILS_ENV=test bundle exec rake db:seed_fu
+
+run-dev-fixtures-ee:
+  extends:
+    - .only-ee
+    - .use-pg9-ee
+    - .run-dev-fixtures
+  script:
+    - scripts/gitaly-test-spawn
+    - cp ee/db/fixtures/development/* $FIXTURE_PATH
+    - RAILS_ENV=test bundle exec rake db:seed_fu
--- a/.gitlab/ci/docs.gitlab-ci.yml
+++ b/.gitlab/ci/docs.gitlab-ci.yml
@@ -11,7 +11,10 @@
  stage: review
  dependencies: []
  variables:
-    GIT_STRATEGY: none
+    # We're cloning the repo instead of downloading the script for now
+    # because some repos are private and CI_JOB_TOKEN cannot access files.
+    # See https://gitlab.com/gitlab-org/gitlab/issues/191273
+    GIT_DEPTH: 1
  environment:
    name: review-docs/$DOCS_GITLAB_REPO_SUFFIX-$CI_MERGE_REQUEST_IID
    # DOCS_REVIEW_APPS_DOMAIN and DOCS_GITLAB_REPO_SUFFIX are CI variables
@@ -19,11 +22,7 @@
    url: http://docs-preview-$DOCS_GITLAB_REPO_SUFFIX-$CI_MERGE_REQUEST_IID.$DOCS_REVIEW_APPS_DOMAIN/$DOCS_GITLAB_REPO_SUFFIX
    on_stop: review-docs-cleanup
  before_script:
-    # We don't clone the repo by using GIT_STRATEGY: none and only download the
-    # single script we need here so it's much faster than cloning.
    - apk add --update openssl
-    - wget $CI_PROJECT_URL/raw/$CI_COMMIT_SHA/scripts/trigger-build-docs
-    - chmod 755 trigger-build-docs
    - gem install httparty --no-document --version 0.17.3
    - gem install gitlab --no-document --version 4.13.0
  
@@ -32,7 +31,7 @@
 review-docs-deploy:
  extends: .review-docs
  script:
-    - ./trigger-build-docs deploy
+    - ./scripts/trigger-build-docs deploy
  when: manual
  
 # Cleanup remote environment of gitlab-docs
@@ -42,7 +41,7 @@ review-docs-cleanup:
    name: review-docs/$DOCS_GITLAB_REPO_SUFFIX-$CI_MERGE_REQUEST_IID
    action: stop
  script:
-    - ./trigger-build-docs cleanup
+    - ./scripts/trigger-build-docs cleanup
  when: manual
  
 docs lint:
@@ -51,7 +50,7 @@ docs lint:
    - .default-retry
    - .default-only
    - .only:changes-docs
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-docs-lint"
+  image: "registry.gitlab.com/gitlab-org/gitlab-docs:docs-lint"
  stage: test
  dependencies: []
  script:

--- a/.gitlab/ci/frontend.gitlab-ci.yml
+++ b/.gitlab/ci/frontend.gitlab-ci.yml
+# Make sure to update all the similar conditions in other CI config files if you modify these conditions
+.if-default: &if-default
+  if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG'
+
+# Make sure to update all the similar conditions in other CI config files if you modify these conditions
+.if-default-ee: &if-default-ee
+  if: '($CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG) && $CI_PROJECT_NAME =~ /^gitlab(-ee)?$/'
+
+# Make sure to update all the similar conditions in other CI config files if you modify these conditions
+.if-master: &if-master
+  if: '$CI_COMMIT_REF_NAME == "master"'
+
+# Make sure to update all the similar patterns in other CI config files if you modify these patterns
+.code-backstage-patterns: &code-backstage-patterns
+  - ".gitlab/ci/**/*"
+  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
+  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
+  - ".csscomb.json"
+  - "Dockerfile.assets"
+  - "*_VERSION"
+  - "Gemfile{,.lock}"
+  - "Rakefile"
+  - "{babel.config,jest.config}.js"
+  - "config.ru"
+  - "{package.json,yarn.lock}"
+  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
+  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
+  # Backstage changes
+  - "Dangerfile"
+  - "danger/**/*"
+  - "{,ee/}fixtures/**/*"
+  - "{,ee/}rubocop/**/*"
+  - "{,ee/}spec/**/*"
+  - "doc/README.md"  # Some RSpec test rely on this file
+
 .assets-compile-cache:
  cache:
    paths:
      - vendor/ruby/
      - .yarn-cache/
      - tmp/cache/assets/sprockets
+      - tmp/cache/babel-loader
+      - tmp/cache/vue-loader
  
 .gitlab:assets:compile-metadata:
  extends:
@@ -13,10 +50,8 @@
    - .default-before_script
    - .assets-compile-cache
    - .only:changes-code-backstage-qa
-  image: registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.3-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-graphicsmagick-1.3.33-docker-19.03.1
-  stage: test
-  dependencies: ["setup-test-env"]
-  needs: ["setup-test-env"]
+  image: registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.5-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-graphicsmagick-1.3.33-docker-19.03.1
+  stage: prepare
  services:
    - docker:19.03.0-dind
  variables:
@@ -30,7 +65,7 @@
    DOCKER_DRIVER: overlay2
    DOCKER_HOST: tcp://docker:2375
  cache:
-    key: "assets-compile:production:vendor_ruby:.yarn-cache:tmp_cache_assets_sprockets:v6"
+    key: "assets-compile:production:vendor_ruby:.yarn-cache:tmp_cache_assets_sprockets:tmp_cache_webpack:v7"
  artifacts:
    name: webpack-report
    expire_in: 31d
@@ -86,7 +121,7 @@ gitlab:assets:compile pull-cache:
    # we override the max_old_space_size to prevent OOM errors
    NODE_OPTIONS: --max_old_space_size=3584
  cache:
-    key: "assets-compile:v7"
+    key: "assets-compile:v8"
  artifacts:
    expire_in: 7d
    paths:
@@ -108,7 +143,7 @@ compile-assets pull-push-cache foss:
      - master
  cache:
    policy: pull-push
-    key: "assets-compile:v7:foss"
+    key: "assets-compile:v8:foss"
  
 compile-assets pull-cache:
  extends: .compile-assets-metadata
@@ -119,7 +154,7 @@ compile-assets pull-cache foss:
  extends: [".compile-assets-metadata", ".only-ee-as-if-foss"]
  cache:
    policy: pull
-    key: "assets-compile:v7:foss"
+    key: "assets-compile:v8:foss"
  
 .only-code-frontend-job-base:
  extends:
@@ -132,7 +167,6 @@ compile-assets pull-cache foss:
    - .use-pg9
  stage: test
  needs: ["setup-test-env", "compile-assets pull-cache"]
-  dependencies: ["setup-test-env", "compile-assets pull-cache"]
  
 .karma-base:
  extends: .only-code-frontend-job-base
@@ -204,9 +238,10 @@ jest-foss:
    - .default-tags
    - .default-retry
    - .default-cache
-    - .default-only
-    - .only:changes-code-backstage
  stage: test
+  rules:
+    - <<: *if-master
+      when: on_success
  dependencies: []
  cache:
    key: "$CI_JOB_NAME"
@@ -237,11 +272,12 @@ webpack-dev-server:
    - .default-tags
    - .default-retry
    - .default-cache
-    - .default-only
-    - .only:changes-code-backstage
  stage: test
+  rules:
+    - <<: *if-default
+      changes: *code-backstage-patterns
+      when: on_success
  needs: ["setup-test-env", "compile-assets pull-cache"]
-  dependencies: ["setup-test-env", "compile-assets pull-cache"]
  variables:
    WEBPACK_MEMORY_TEST: "true"
    WEBPACK_VENDOR_DLL: "true"

--- a/.gitlab/ci/global.gitlab-ci.yml
+++ b/.gitlab/ci/global.gitlab-ci.yml
@@ -22,7 +22,7 @@
 # Jobs that only need to pull cache
 .default-cache:
  cache:
-    key: "debian-stretch-ruby-2.6.3-node-12.x"
+    key: "debian-stretch-ruby-2.6.5-node-12.x"
    paths:
      - .go/pkg/mod
      - vendor/ruby
@@ -202,7 +202,7 @@
    - name: redis:alpine
  
 .use-pg10:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.3-golang-1.12-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-postgresql-10-graphicsmagick-1.3.33"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.5-golang-1.12-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-postgresql-10-graphicsmagick-1.3.33"
  services:
    - name: postgres:10.9
      command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -213,15 +213,15 @@
    - name: postgres:9.6
      command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
    - name: redis:alpine
-    - name: elasticsearch:5.6.12
+    - name: elasticsearch:6.4.2
  
 .use-pg10-ee:
-  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.3-golang-1.12-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-postgresql-10-graphicsmagick-1.3.33"
+  image: "registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.5-golang-1.12-git-2.24-lfs-2.9-chrome-73.0-node-12.x-yarn-1.16-postgresql-10-graphicsmagick-1.3.33"
  services:
    - name: postgres:10.9
      command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
    - name: redis:alpine
-    - name: elasticsearch:5.6.12
+    - name: elasticsearch:6.4.2
  
 .only-ee:
  only:

--- a/.gitlab/ci/notifications.gitlab-ci.yml
+++ b/.gitlab/ci/notifications.gitlab-ci.yml
-.notify:
-  image: ruby:2.6-alpine
-  stage: notification
-  dependencies: []
-  cache: {}
-  before_script:
-    - apk update && apk add git curl bash
-    - source scripts/utils.sh
-    - source scripts/notifications.sh
-    - install_gitlab_gem
-  variables:
-    COMMIT_NOTES_URL: "https://${CI_SERVER_HOST}/${CI_PROJECT_PATH}/commit/${CI_COMMIT_SHA}#notes-list"
-
-schedule:package-and-qa:notify-failure:
-  extends:
-    - .only:variables_refs-canonical-dot-com-schedules
-    - .notify
-  script:
-    - 'export NOTIFICATION_MESSAGE=":skull_and_crossbones: Scheduled QA against master failed! :skull_and_crossbones: See ${CI_PIPELINE_URL}. For downstream pipelines, see ${COMMIT_NOTES_URL}"'
-    - 'notify_on_job_failure schedule:package-and-qa qa-master "${NOTIFICATION_MESSAGE}" ci_failing'
-  needs: ["schedule:package-and-qa"]
-  allow_failure: true
-  when: always
--- a/.gitlab/ci/qa.gitlab-ci.yml
+++ b/.gitlab/ci/qa.gitlab-ci.yml
+# Make sure to update all the similar conditions in other CI config files if you modify these conditions
+.if-canonical-gitlab-schedule: &if-canonical-gitlab-schedule
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_PIPELINE_SOURCE == "schedule"'
+
+# Make sure to update all the similar conditions in other CI config files if you modify these conditions
+.if-canonical-gitlab-merge-request: &if-canonical-gitlab-merge-request
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_MERGE_REQUEST_IID'
+
+# Make sure to update all the similar patterns in other CI config files if you modify these patterns
+.code-patterns: &code-patterns
+  - ".gitlab/ci/**/*"
+  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
+  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
+  - ".csscomb.json"
+  - "Dockerfile.assets"
+  - "*_VERSION"
+  - "Gemfile{,.lock}"
+  - "Rakefile"
+  - "{babel.config,jest.config}.js"
+  - "config.ru"
+  - "{package.json,yarn.lock}"
+  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
+  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
+
+# Make sure to update all the similar patterns in other CI config files if you modify these patterns
+.qa-patterns: &qa-patterns
+  - ".dockerignore"
+  - "qa/**/*"
+
 .qa-job-base:
  extends:
    - .default-tags
@@ -40,30 +69,16 @@ qa:selectors-foss:
    - install_gitlab_gem
    - ./scripts/trigger-build omnibus
  
-package-and-qa-manual:
-  extends:
-    - .package-and-qa-base
-    - .default-only
-    - .only:variables-canonical-dot-com
-    - .except:refs-deploy
-    - .only:changes-code
-  when: manual
-  needs: ["build-qa-image", "gitlab:assets:compile pull-cache"]
-
 package-and-qa:
-  extends:
-    - .package-and-qa-base
-    - .default-only
-    - .only:variables-canonical-dot-com
-    - .except:refs-master-tags-stable-deploy
-    - .only:changes-qa
-  needs: ["build-qa-image", "gitlab:assets:compile pull-cache"]
-  allow_failure: true
-
-schedule:package-and-qa:
-  extends:
-    - .package-and-qa-base
-    - .default-only
-    - .only:variables_refs-canonical-dot-com-schedules
+  extends: .package-and-qa-base
+  rules:
+    - <<: *if-canonical-gitlab-merge-request
+      changes: *qa-patterns
+      when: on_success
+    - <<: *if-canonical-gitlab-merge-request
+      changes: *code-patterns
+      when: manual
+    - <<: *if-canonical-gitlab-schedule
+      when: on_success
  needs: ["build-qa-image", "gitlab:assets:compile pull-cache"]
  allow_failure: true
--- a/.gitlab/ci/rails.gitlab-ci.yml
+++ b/.gitlab/ci/rails.gitlab-ci.yml
@@ -57,7 +57,7 @@ setup-test-env:
  dependencies: ["setup-test-env", "retrieve-tests-metadata", "compile-assets pull-cache"]
  script:
    - source scripts/rspec_helpers.sh
-    - rspec_paralellized_job "--tag ~quarantine --tag ~geo"
+    - rspec_paralellized_job "--tag ~quarantine --tag ~geo --tag ~level:migration"
  artifacts:
    expire_in: 31d
    when: always
@@ -92,12 +92,21 @@ setup-test-env:
    - .use-pg10
    - .only-master
  
+.rspec-base-migration:
+  script:
+    - source scripts/rspec_helpers.sh
+    - rspec_paralellized_job "--tag ~quarantine --tag ~geo --tag level:migration"
+
 rspec migration pg9:
-  extends: .rspec-base-pg9
+  extends:
+    - .rspec-base-pg9
+    - .rspec-base-migration
  parallel: 4
  
 rspec migration pg9-foss:
-  extends: .rspec-base-pg9-foss
+  extends:
+    - .rspec-base-pg9-foss
+    - .rspec-base-migration
  parallel: 4
  
 rspec unit pg9:
@@ -149,7 +158,9 @@ rspec system pg10:
    - .use-pg10-ee
  
 rspec-ee migration pg9:
-  extends: .rspec-ee-base-pg9
+  extends:
+    - .rspec-ee-base-pg9
+    - .rspec-base-migration
  parallel: 2
  
 rspec-ee unit pg9:
@@ -167,6 +178,7 @@ rspec-ee system pg9:
 rspec-ee migration pg10:
  extends:
    - .rspec-ee-base-pg10
+    - .rspec-base-migration
    - .only-master
  parallel: 2
  
@@ -261,7 +273,7 @@ static-analysis:
  script:
    - scripts/static-analysis
  cache:
-    key: "debian-stretch-ruby-2.6.3-and-rubocop"
+    key: "debian-stretch-ruby-2.6-and-rubocop"
    paths:
      - vendor/ruby
      - tmp/rubocop_cache

--- a/.gitlab/ci/releases.gitlab-ci.yml
+++ b/.gitlab/ci/releases.gitlab-ci.yml
@@ -9,7 +9,7 @@
  image: alpine:edge
  stage: sync
  before_script:
-    - apk add --no-cache --update curl bash
+    - apk add --no-cache --update curl bash jq
  after_script: []
  script:
    - bash scripts/sync-stable-branch.sh

--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -20,7 +20,7 @@ code_quality:
  variables:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
-    CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/security-products/codequality:12-5-stable"
+    CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/security-products/codequality:0.85.6"
  script:
    - |
      if ! docker info &>/dev/null; then

--- a/.gitlab/ci/review.gitlab-ci.yml
+++ b/.gitlab/ci/review.gitlab-ci.yml
+# Make sure to update all the similar conditions in other CI config files if you modify these conditions
+.if-canonical-gitlab-schedule: &if-canonical-gitlab-schedule
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_PIPELINE_SOURCE == "schedule"'
+
+# Make sure to update all the similar conditions in other CI config files if you modify these conditions
+.if-canonical-gitlab-merge-request: &if-canonical-gitlab-merge-request
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_MERGE_REQUEST_IID'
+
+# Make sure to update all the similar patterns in other CI config files if you modify these patterns
+.code-qa-patterns: &code-qa-patterns
+  - ".gitlab/ci/**/*"
+  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
+  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
+  - ".csscomb.json"
+  - "Dockerfile.assets"
+  - "*_VERSION"
+  - "Gemfile{,.lock}"
+  - "Rakefile"
+  - "{babel.config,jest.config}.js"
+  - "config.ru"
+  - "{package.json,yarn.lock}"
+  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
+  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
+  # QA changes
+  - ".dockerignore"
+  - "qa/**/*"
+
 .review-docker:
  extends:
    - .default-tags
    - .default-retry
-    - .default-only
  image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-qa-alpine
  services:
    - docker:19.03.0-dind
@@ -15,12 +41,14 @@
    GITLAB_EDITION: "ce"
  
 build-qa-image:
-  extends:
-    - .review-docker
-    - .only:variables-canonical-dot-com
-    - .except:refs-deploy
-    - .only:changes-code-qa
+  extends: .review-docker
  stage: prepare
+  rules:
+    - <<: *if-canonical-gitlab-merge-request
+      changes: *code-qa-patterns
+      when: on_success
+    - <<: *if-canonical-gitlab-schedule
+      when: on_success
  script:
    - '[[ ! -d "ee/" ]] || export GITLAB_EDITION="ee"'
    - export QA_MASTER_IMAGE="${CI_REGISTRY}/${CI_PROJECT_PATH}/gitlab/gitlab-${GITLAB_EDITION}-qa:master"
@@ -90,7 +118,6 @@ schedule:review-build-cng:
  extends:
    - .default-tags
    - .default-retry
-    - .default-only
  image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-charts-build-base
  dependencies: []
  variables:
@@ -130,10 +157,11 @@ schedule:review-build-cng:
    when: always
  
 review-deploy:
-  extends:
-    - .review-deploy-base
-    - .only-review
-    - .only:changes-code-qa
+  extends: .review-deploy-base
+  rules:
+    - <<: *if-canonical-gitlab-merge-request
+      changes: *code-qa-patterns
+      when: on_success
  
 schedule:review-deploy:
  extends:
@@ -141,43 +169,45 @@ schedule:review-deploy:
    - .only-review-schedules
  
 .base-review-stop:
-  extends:
-    - .review-workflow-base
-    - .only-review
-    - .only:changes-code-qa
+  extends: .review-workflow-base
  environment:
    action: stop
  variables:
-    GIT_STRATEGY: none
+    # We're cloning the repo instead of downloading the script for now
+    # because some repos are private and CI_JOB_TOKEN cannot access files.
+    # See https://gitlab.com/gitlab-org/gitlab/issues/191273
+    GIT_DEPTH: 1
  before_script:
-    # We don't clone the repo by using GIT_STRATEGY: none and only download the
-    # single script we need here so it's much faster than cloning.
    - apk add --update openssl
-    - wget $CI_PROJECT_URL/raw/$CI_COMMIT_SHA/scripts/review_apps/review-apps.sh
-    - wget $CI_PROJECT_URL/raw/$CI_COMMIT_SHA/scripts/utils.sh
-    - source utils.sh
-    - source review-apps.sh
+    - source ./scripts/utils.sh
+    - source ./scripts/review_apps/review-apps.sh
  
 review-stop-failed-deployment:
  extends: .base-review-stop
  stage: prepare
+  rules:
+    - <<: *if-canonical-gitlab-merge-request
+      changes: *code-qa-patterns
+      when: on_success
  script:
    - delete_failed_release
  
 review-stop:
  extends: .base-review-stop
  stage: review
-  when: manual
+  rules:
+    - <<: *if-canonical-gitlab-merge-request
+      changes: *code-qa-patterns
+      when: manual
  allow_failure: true
  script:
    - delete_release
  
 .review-qa-base:
-  extends:
-    - .review-docker
-    - .only-review
-    - .only:changes-code-qa
+  extends: .review-docker
  stage: qa
+  needs: ["review-deploy"]
+  dependencies: ["review-deploy"]
  allow_failure: true
  variables:
    QA_ARTIFACTS_DIR: "${CI_PROJECT_DIR}/qa"
@@ -189,13 +219,6 @@ review-stop:
    GITLAB_ADMIN_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}"
    GITHUB_ACCESS_TOKEN: "${REVIEW_APPS_QA_GITHUB_ACCESS_TOKEN}"
    EE_LICENSE: "${REVIEW_APPS_EE_LICENSE}"
-  needs: ["review-deploy"]
-  dependencies: ["review-deploy"]
-  artifacts:
-    paths:
-      - ./qa/gitlab-qa-run-*
-    expire_in: 7 days
-    when: always
  before_script:
    - '[[ ! -d "ee/" ]] || export GITLAB_EDITION="ee"'
    - export QA_IMAGE="${CI_REGISTRY}/${CI_PROJECT_PATH}/gitlab/gitlab-${GITLAB_EDITION}-qa:${CI_COMMIT_REF_SLUG}"
@@ -205,15 +228,27 @@ review-stop:
    - source scripts/utils.sh
    - install_api_client_dependencies_with_apk
    - gem install gitlab-qa --no-document ${GITLAB_QA_VERSION:+ --version ${GITLAB_QA_VERSION}}
+  artifacts:
+    paths:
+      - ./qa/gitlab-qa-run-*
+    expire_in: 7 days
+    when: always
  
 review-qa-smoke:
  extends: .review-qa-base
+  rules:
+    - <<: *if-canonical-gitlab-merge-request
+      changes: *code-qa-patterns
+      when: on_success
  script:
    - gitlab-qa Test::Instance::Smoke "${QA_IMAGE}" "${CI_ENVIRONMENT_URL}"
  
 review-qa-all:
  extends: .review-qa-base
-  when: manual
+  rules:
+    - <<: *if-canonical-gitlab-merge-request
+      changes: *code-qa-patterns
+      when: manual
  parallel: 5
  script:
    - export KNAPSACK_REPORT_PATH=knapsack/master_report.json
@@ -241,10 +276,11 @@ review-qa-all:
      performance: performance.json
  
 review-performance:
-  extends:
-    - .review-performance-base
-    - .only-review
-    - .only:changes-code-qa
+  extends: .review-performance-base
+  rules:
+    - <<: *if-canonical-gitlab-merge-request
+      changes: *code-qa-patterns
+      when: on_success
  needs: ["review-deploy"]
  dependencies: ["review-deploy"]
  before_script:

--- a/.gitlab/ci/yaml.gitlab-ci.yml
+++ b/.gitlab/ci/yaml.gitlab-ci.yml
@@ -10,5 +10,8 @@ lint-ci-gitlab:
      - "**/*.yml"
  image: sdesbure/yamllint:latest
  dependencies: []
+  variables:
+    LINT_PATHS: .gitlab-ci.yml .gitlab/ci lib/gitlab/ci/templates changelogs
  script:
-    - yamllint .gitlab-ci.yml .gitlab/ci lib/gitlab/ci/templates changelogs
+    - '[[ ! -d "ee/" ]] || export LINT_PATHS="$LINT_PATHS ee/changelogs"'
+    - yamllint $LINT_PATHS
--- a/.gitlab/issue_templates/Coding style proposal.md
+++ b/.gitlab/issue_templates/Coding style proposal.md
@@ -5,7 +5,7 @@ Please describe the proposal and add a link to the source (for example, http://w
 -->
  
 - [ ] Mention the proposal in the next backend weekly call and the #backend channel to encourage contribution
- [ ] Proceed with the proposal once 50% of the maintainers have weighed in, and 80% of the votes are :+1:
+- [ ] Proceed with the proposal once 50% of the maintainers have weighed in, and 80% of their votes are :+1:
 - [ ] Once approved, mention it again in the next backend weekly call and the #backend channel
  
  

--- a/.gitlab/issue_templates/Feature proposal.md
+++ b/.gitlab/issue_templates/Feature proposal.md
@@ -6,6 +6,7 @@
  
 <!-- Who will use this feature? If known, include any of the following: types of users (e.g. Developer), personas, or specific company roles (e.g. Release Manager). It's okay to write "Unknown" and fill this field in later.
  
+* [Rachel (Release Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#rachel-release-manager)
 * [Parker (Product Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#parker-product-manager)
 * [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
 * [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)

--- a/.gitlab/issue_templates/Security developer workflow.md
+++ b/.gitlab/issue_templates/Security developer workflow.md
 <!--
 # Read me first!
  
-Create this issue under https://dev.gitlab.org/gitlab/gitlabhq
+Create this issue under https://gitlab.com/gitlab-org/security
  
 Set the title to: `Description of the original issue`
 -->
  
-### Prior to starting the security release work
+## Prior to starting the security release work
  
 - [ ] Read the [security process for developers] if you are not familiar with it.
- [ ] Link to the original issue adding it to the [links section](#links)
- [ ] Run `scripts/security-harness` in the CE, EE, and/or Omnibus to prevent pushing to any remote besides `dev.gitlab.org`
- [ ] Create a new branch prefixing it with `security-`
- [ ] Create a MR targeting `dev.gitlab.org` `master`
- [ ] Add a link to this issue in the original security issue on `gitlab.com`.
+- [ ] Link this issue in the Security Release issue on GitLab.com. You can find this issue in the topic of the `#releases` channel.
+- [ ] Add a link to the confidential `gitlab-org/gitlab` issue describing the vulnerability next to **Original issue** in the [links table](#links).
+- [ ] Add a link to the confidential `gitlab-org/gitlab` Security release issue next to **Security release issue** in the [links table](#links).
+- [ ] Run `scripts/security-harness` in your local repository to prevent accidentally pushing to any remote besides `gitlab.com/gitlab-org/security`.
  
-#### Backports
+## Development
  
- [ ] Once the MR is ready to be merged, create MRs targeting the latest 3 stable branches
-    - [ ] At this point, it might be easy to squash the commits from the MR into one
-    - You can use the script `bin/secpick` instead of the following steps, to help you cherry-picking. See the [secpick documentation]
-    - [ ] Create each MR targeting the stable branch `X-Y-stable`, using the "Security Release" merge request template.
-    - Every merge request will have its own set of TODOs, so make sure to
-      complete those.
- [ ] Make sure all MRs have a link in the [links section](#links)
+- [ ] Create a new branch prefixing it with `security-`.
+- [ ] Create a merge request targeting `master` on `gitlab.com/gitlab-org/security` and use the [Security Release merge request template].
+- [ ] Follow the same [code review process]: Assign to a reviewer, then to a maintainer.
  
-[secpick documentation]: https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md#secpick-script
+After your merge request has being approved according to our [approval guidelines], you're ready to prepare the backports
+
+## Backports
  
-#### Documentation and final details
+- [ ] Once the MR is ready to be merged, create MRs targeting the latest 3 stable branches
+   * At this point, it might be easy to squash the commits from the MR into one
+   * You can use the script `bin/secpick` instead of the following steps, to help you cherry-picking. See the [secpick documentation]
+- [ ] Create each MR targeting the stable branch `X-Y-stable`, using the [Security Release merge request template].
+   * Every merge request will have its own set of TODOs, so make sure to complete those.
+- [ ] Make sure all MRs are linked in the [Links section](#links)
+
+## Documentation and final details
  
- [ ] Check the topic on #releases to see when the next release is going to happen and add a link to the [links section](#links)
- [ ] Add links to this issue and your MRs in the description of the security release issue
+- [ ] Ensure the [Links section](#links) is completed.
 - [ ] Find out the versions affected (the Git history of the files affected may help you with this) and add them to the [details section](#details)
 - [ ] Fill in any upgrade notes that users may need to take into account in the [details section](#details)
 - [ ] Add Yes/No and further details if needed to the migration and settings columns in the [details section](#details)
 - [ ] Add the nickname of the external user who found the issue (and/or HackerOne profile) to the Thanks row in the [details section](#details)
 - [ ] Once your `master` MR is merged, comment on the original security issue with a link to that MR indicating the issue is fixed.
  
-### Summary
+## Summary
  
-#### Links
+### Links
  
 | Description | Link |
 | -------- | -------- |
 | Original issue   | #TODO  |
 | Security release issue   | #TODO  |
 | `master` MR | !TODO   |
-| `master` MR (EE) | !TODO   |
 | `Backport X.Y` MR | !TODO   |
 | `Backport X.Y` MR | !TODO   |
 | `Backport X.Y` MR | !TODO   |
-| `Backport X.Y` MR (EE) | !TODO   |
-| `Backport X.Y` MR (EE) | !TODO   |
-| `Backport X.Y` MR (EE) | !TODO   |
  
-#### Details
+### Details
  
 | Description | Details | Further details|
 | -------- | -------- | -------- |
@@ -65,6 +64,9 @@ Set the title to: `Description of the original issue`
 | Thanks | | |
  
 [security process for developers]: https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md
-[RM list]:  https://about.gitlab.com/release-managers/
+[secpick documentation]: https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md#secpick-script
+[security Release merge request template]: https://gitlab.com/gitlab-org/security/gitlab/blob/master/.gitlab/merge_request_templates/Security%20Release.md
+[code review process]: https://docs.gitlab.com/ee/development/code_review.html
+[approval guidelines]: https://docs.gitlab.com/ee/development/code_review.html#approval-guidelines
  
 /label ~security
--- a/.gitlab/merge_request_templates/Database changes.md
+++ b/.gitlab/merge_request_templates/Database changes.md
-## What does this MR do?
-
-<!--
-Describe in detail what your merge request does, why it does that, etc. Merge
-requests without an adequate description will not be reviewed until one is
-added.
-
-Please also keep this description up-to-date with any discussion that takes
-place so that reviewers can understand your intent. This is especially
-important if they didn't participate in the discussion.
-
-Make sure to remove this comment when you are done.
-->
-
-Add a description of your merge request here.
-
-## Database checklist
-
- [ ] Conforms to the [database guides](https://docs.gitlab.com/ee/development/README.html#database-guides)
-
-When adding migrations:
-
- [ ] Updated `db/schema.rb`
- [ ] Added a `down` method so the migration can be reverted
- [ ] Added the output of the migration(s) to the MR body
- [ ] Added tests for the migration in `spec/migrations` if necessary (e.g. when migrating data)
- [ ] Added rollback procedure. Include either a rollback procedure or description how to rollback changes 
-
-When adding or modifying queries to improve performance:
-
- [ ] Included data that shows the performance improvement, preferably in the form of a benchmark
- [ ] Included the output of `EXPLAIN (ANALYZE, BUFFERS)` of the relevant queries
-
-When adding foreign keys to existing tables:
-
- [ ] Included a migration to remove orphaned rows in the source table before adding the foreign key
- [ ] Removed any instances of `dependent: ...` that may no longer be necessary
-
-When adding tables:
-
- [ ] Ordered columns based on the [Ordering Table Columns](https://docs.gitlab.com/ee/development/ordering_table_columns.html) guidelines
- [ ] Added foreign keys to any columns pointing to data in other tables
- [ ] Added indexes for fields that are used in statements such as `WHERE`, `ORDER BY`, `GROUP BY`, and `JOIN`s
-
-When removing columns, tables, indexes or other structures:
-
- [ ] Removed these in a post-deployment migration
- [ ] Made sure the application no longer uses (or ignores) these structures
-
-/label ~database ~"database::review pending"