Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

.gitlab/ci/build-images.gitlab-ci.yml

@@ -23,17 +23,18 @@ build-qa-image:
   script:
     - run_timed_command "scripts/build_qa_image"
 
-# This image is used by:
-# - The `CNG` pipelines (via the `review-build-cng` job): https://gitlab.com/gitlab-org/build/CNG/-/blob/cfc67136d711e1c8c409bf8e57427a644393da2f/.gitlab-ci.yml#L335
-# - The `omnibus-gitlab` pipelines (via the `e2e:package-and-test` job): https://gitlab.com/gitlab-org/omnibus-gitlab/-/blob/dfd1ad475868fc84e91ab7b5706aa03e46dc3a86/.gitlab-ci.yml#L130
 build-assets-image:
   extends:
     - .base-image-build
     - .build-images:rules:build-assets-image
   stage: build-images
   needs: ["compile-production-assets"]
   script:
-    # TODO: Change the image tag to be the MD5 of assets files and skip image building if the image exists
-    # We'll also need to pass GITLAB_ASSETS_TAG to the trigerred omnibus-gitlab pipeline similarly to how we do it for trigerred CNG pipelines
-    # https://gitlab.com/gitlab-org/gitlab/issues/208389
+    - skopeo login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
     - run_timed_command "scripts/build_assets_image"
+  artifacts:
+    expire_in: 7 days
+    paths:
+      # The `cached-assets-hash.txt` file is used in `review-build-cng-env` (`.gitlab/ci/review-apps/main.gitlab-ci.yml`)
+      # to pass the assets image tag to the CNG downstream pipeline.
+      - cached-assets-hash.txt

.gitlab/ci/frontend.gitlab-ci.yml

@@ -28,6 +28,7 @@
         fi
       fi
     - assets_compile_script
+    - echo -n "${GITLAB_ASSETS_HASH}" > "cached-assets-hash.txt"
 
 compile-production-assets:
   extends:
@@ -43,6 +44,7 @@ compile-production-assets:
       # These assets are used in multiple locations:
       # - in `build-assets-image` job to create assets image for packaging systems
       # - GitLab UI for integration tests: https://gitlab.com/gitlab-org/gitlab-ui/-/blob/e88493b3c855aea30bf60baee692a64606b0eb1e/.storybook/preview-head.pug#L1
+      - cached-assets-hash.txt
       - public/assets/
       - "${WEBPACK_COMPILE_LOG_PATH}"
     when: always
@@ -73,9 +75,6 @@ update-assets-compile-production-cache:
     - .assets-compile-cache-push
     - .shared:rules:update-cache
   stage: prepare
-  script:
-    - !reference [compile-production-assets, script]
-    - echo -n "${GITLAB_ASSETS_HASH}" > "cached-assets-hash.txt"
   artifacts: {}  # This job's purpose is only to update the cache.
 
 update-assets-compile-test-cache:

.gitlab/ci/package-and-test/main.gitlab-ci.yml

@@ -38,23 +38,6 @@ stages:
   extends:
     - .gitlab-qa-install
 
-.omnibus-env:
-  variables:
-    BUILD_ENV: build.env
-  script:
-    - |
-      SECURITY_SOURCES=$([[ ! "$CI_PROJECT_NAMESPACE" =~ ^gitlab-org\/security ]] || echo "true")
-      echo "SECURITY_SOURCES=${SECURITY_SOURCES:-false}" > $BUILD_ENV
-      echo "OMNIBUS_GITLAB_CACHE_UPDATE=${OMNIBUS_GITLAB_CACHE_UPDATE:-false}" >> $BUILD_ENV
-      for version_file in *_VERSION; do echo "$version_file=$(cat $version_file)" >> $BUILD_ENV; done
-      echo "OMNIBUS_GITLAB_RUBY3_BUILD=${OMNIBUS_GITLAB_RUBY3_BUILD:-false}" >> $BUILD_ENV
-      echo "OMNIBUS_GITLAB_CACHE_EDITION=${OMNIBUS_GITLAB_CACHE_EDITION:-GITLAB}" >> $BUILD_ENV
-      echo "Built environment file for omnibus build:"
-      cat $BUILD_ENV
-  artifacts:
-    reports:
-      dotenv: $BUILD_ENV
-
 .update-script:
   script:
     - export QA_COMMAND="bundle exec gitlab-qa Test::Omnibus::UpdateFromPrevious $RELEASE $GITLAB_VERSION $UPDATE_TYPE -- $QA_RSPEC_TAGS $RSPEC_REPORT_OPTS"
@@ -108,9 +91,42 @@ dont-interrupt-me:
 
 trigger-omnibus-env:
   extends:
-    - .omnibus-env
     - .rules:omnibus-build
   stage: .pre
+  needs:
+    # We need this job because we need its `cached-assets-hash.txt` artifact, so that we can pass the assets image tag to the downstream omnibus-gitlab pipeline.
+    - pipeline: $PARENT_PIPELINE_ID
+      job: build-assets-image
+  variables:
+    BUILD_ENV: build.env
+  before_script:
+    - |
+      # This is duplicating the function from `scripts/utils.sh` since `.gitlab/ci/package-and-test/main.gitlab-ci.yml` can be included in other projects.
+      function assets_image_tag() {
+        local cache_assets_hash_file="cached-assets-hash.txt"
+
+        if [[ -n "${CI_COMMIT_TAG}" ]]; then
+          echo -n "${CI_COMMIT_REF_NAME}"
+        elif [[ -f "${cache_assets_hash_file}" ]]; then
+          echo -n "assets-hash-$(cat ${cache_assets_hash_file} | cut -c1-10)"
+        else
+          echo -n "${CI_COMMIT_SHA}"
+        fi
+      }
+  script:
+    - |
+      SECURITY_SOURCES=$([[ ! "$CI_PROJECT_NAMESPACE" =~ ^gitlab-org\/security ]] || echo "true")
+      echo "SECURITY_SOURCES=${SECURITY_SOURCES:-false}" > $BUILD_ENV
+      echo "OMNIBUS_GITLAB_CACHE_UPDATE=${OMNIBUS_GITLAB_CACHE_UPDATE:-false}" >> $BUILD_ENV
+      for version_file in *_VERSION; do echo "$version_file=$(cat $version_file)" >> $BUILD_ENV; done
+      echo "OMNIBUS_GITLAB_RUBY3_BUILD=${OMNIBUS_GITLAB_RUBY3_BUILD:-false}" >> $BUILD_ENV
+      echo "OMNIBUS_GITLAB_CACHE_EDITION=${OMNIBUS_GITLAB_CACHE_EDITION:-GITLAB}" >> $BUILD_ENV
+      echo "GITLAB_ASSETS_TAG=$(assets_image_tag)" >> $BUILD_ENV
+      echo "Built environment file for omnibus build:"
+      cat $BUILD_ENV
+  artifacts:
+    reports:
+      dotenv: $BUILD_ENV
 
 trigger-omnibus:
   extends: .rules:omnibus-build
@@ -128,6 +144,7 @@ trigger-omnibus:
     GITLAB_SHELL_VERSION: $GITLAB_SHELL_VERSION
     GITLAB_WORKHORSE_VERSION: $GITLAB_WORKHORSE_VERSION
     GITLAB_VERSION: $CI_COMMIT_SHA
+    GITLAB_ASSETS_TAG: $GITLAB_ASSETS_TAG
     IMAGE_TAG: $CI_COMMIT_SHA
     TOP_UPSTREAM_SOURCE_PROJECT: $CI_PROJECT_PATH
     SECURITY_SOURCES: $SECURITY_SOURCES

.gitlab/ci/qa.gitlab-ci.yml

@@ -74,6 +74,8 @@ e2e:package-and-test:
     - build-qa-image
     - e2e-test-pipeline-generate
   variables:
+    # This is needed by `trigger-omnibus-env` (`.gitlab/ci/package-and-test/main.gitlab-ci.yml`).
+    PARENT_PIPELINE_ID: $CI_PIPELINE_ID
     SKIP_MESSAGE: Skipping package-and-test due to mr containing only quarantine changes!
     RELEASE: "${REGISTRY_HOST}/${REGISTRY_GROUP}/build/omnibus-gitlab-mirror/gitlab-ee:${CI_COMMIT_SHA}"
     GITLAB_QA_IMAGE: "${CI_REGISTRY_IMAGE}/gitlab-ee-qa:${CI_COMMIT_SHA}"

.gitlab/ci/review-apps/main.gitlab-ci.yml

@@ -34,19 +34,25 @@ review-build-cng-env:
     - .review:rules:review-build-cng
   image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}:bundler-2.3
   stage: prepare
-  needs: []
+  needs:
+    # We need this job because we need its `cached-assets-hash.txt` artifact, so that we can pass the assets image tag to the downstream CNG pipeline.
+    - pipeline: $PARENT_PIPELINE_ID
+      job: build-assets-image
+  variables:
+    BUILD_ENV: build.env
   before_script:
     - source ./scripts/utils.sh
     - install_gitlab_gem
   script:
-    - ruby -r./scripts/trigger-build.rb -e "puts Trigger.variables_for_env_file(Trigger::CNG.new.variables)" > build.env
+    - 'ruby -r./scripts/trigger-build.rb -e "puts Trigger.variables_for_env_file(Trigger::CNG.new.variables)" > $BUILD_ENV'
+    - echo "GITLAB_ASSETS_TAG=$(assets_image_tag)" >> $BUILD_ENV
     - ruby -e 'puts "FULL_RUBY_VERSION=#{RUBY_VERSION}"' >> build.env
-    - cat build.env
+    - cat $BUILD_ENV
   artifacts:
     reports:
-      dotenv: build.env
+      dotenv: $BUILD_ENV
     paths:
-      - build.env
+      - $BUILD_ENV
     expire_in: 7 days
     when: always
 

.gitlab/ci/review.gitlab-ci.yml

@@ -62,6 +62,8 @@ start-review-app-pipeline:
   # They need to be explicitly passed on to the child pipeline.
   # https://docs.gitlab.com/ee/ci/pipelines/multi_project_pipelines.html#pass-cicd-variables-to-a-downstream-pipeline-by-using-the-variables-keyword
   variables:
+    # This is needed by `review-build-cng-env` (`.gitlab/ci/review-apps/main.gitlab-ci.yml`).
+    PARENT_PIPELINE_ID: $CI_PIPELINE_ID
     SCHEDULE_TYPE: $SCHEDULE_TYPE
     DAST_RUN: $DAST_RUN
     SKIP_MESSAGE: Skipping review-app due to mr containing only quarantine changes!

Dockerfile.assets

@@ -1,4 +1,4 @@
 # Simple container to store assets for later use
 FROM scratch
-ADD public/assets /assets/
+COPY public/assets /assets/
 CMD /bin/true

doc/ci/pipelines/settings.md

@@ -284,9 +284,8 @@ when merging a merge request would cause the project's test coverage to decline.
 Follow these steps to enable the `Coverage-Check` MR approval rule:
 
 1. Set up a [`coverage`](../yaml/index.md#coverage) regular expression for all jobs you want to include in the overall coverage value.
-1. Go to your project and select **Settings > General**.
-1. Expand **Merge request approvals**.
-1. Select **Enable** next to the `Coverage-Check` approval rule.
+1. Go to your project and select **Settings > Merge requests**.
+1. Under **Merge request approvals**, select **Enable** next to the `Coverage-Check` approval rule.
 1. Select the **Target branch**.
 1. Set the number of **Approvals required** to greater than zero.
 1. Select the users or groups to provide approval.

doc/development/database/efficient_in_operator_queries.md

@@ -160,7 +160,7 @@ The technique can only optimize `IN` queries that satisfy the following requirem
   in the following order: `column_for_the_in_query`, `order by column 1`, and
   `order by column 2`.
 - The columns in the `ORDER BY` clause are distinct
-  (the combination of the columns uniquely identifies one particular column in the table).
+  (the combination of the columns uniquely identifies one particular row in the table).
 
 WARNING:
 This technique does not improve the performance of the `COUNT(*)` queries.

doc/development/directory_structure.md

@@ -1,94 +1,11 @@
 ---
-stage: none
-group: unassigned
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+redirect_to: 'software_design.md'
+remove_date: '2023-01-24'
 ---
 
-# Backend directory structure
+This document was moved to [another location](software_design.md)
 
-## Use namespaces to define bounded contexts
-
-A healthy application is divided into macro and sub components that represent the contexts at play,
-whether they are related to business domain or infrastructure code.
-
-As GitLab code has so many features and components it's hard to see what contexts are involved.
-We should expect any class to be defined inside a module/namespace that represents the contexts where it operates.
-
-When we namespace classes inside their domain:
-
-- Similar terminology becomes unambiguous as the domain clarifies the meaning:
-  For example, `MergeRequests::Diff` and `Notes::Diff`.
-- Top-level namespaces could be associated to one or more groups identified as domain experts.
-- We can better identify the interactions and coupling between components.
-  For example, several classes inside `MergeRequests::` domain interact more with `Ci::`
-  domain and less with `ImportExport::`.
-
-```ruby
-# bad
-class MyClass
-end
-
-# good
-module MyDomain
-  class MyClass
-  end
-end
-```
-
-### About namespace naming
-
-A good guideline for naming a top-level namespace (bounded context) is to use the related
-[feature category](https://gitlab.com/gitlab-com/www-gitlab-com/-/blob/master/data/categories.yml). For example, `Continuous Integration` feature category maps to `Ci::` namespace.
-
-Alternatively a new class could be added to `Projects::` or `Groups::` if it's either:
-
-- Strictly related to one of these domains. For example `Projects::Alias`.
-- A new component that does not have yet a more specific domain. In this case, when
-  a more explicit domain does emerge we would need to move the class to a more specific
-  namespace.
-
-Do not use the [stage or group name](https://about.gitlab.com/handbook/product/categories/#devops-stages)
-since a feature category could be reassigned to a different group in the future.
-
-```ruby
-# bad
-module Create
-  class Commit
-  end
-end
-
-# good
-module Repositories
-  class Commit
-  end
-end
-```
-
-On the other hand, a feature category may sometimes be too granular. Features tend to be
-treated differently according to Product and Marketing, while they may share a lot of
-domain models and behavior under the hood. In this case, having too many bounded contexts
-could make them shallow and more coupled with other contexts.
-
-Bounded contexts (or top-level namespaces) can be seen as macro-components in the overall app.
-Good bounded contexts should be [deep](https://medium.com/@nakabonne/depth-of-module-f62dac3c2fdb)
-so consider having nested namespaces to further break down complex parts of the domain.
-For example, `Ci::Config::`.
-
-For example, instead of having separate and granular bounded contexts like: `ContainerScanning::`,
-`ContainerHostSecurity::`, `ContainerNetworkSecurity::`, we could have:
-
-```ruby
-module ContainerSecurity
-  module HostSecurity
-  end
-
-  module NetworkSecurity
-  end
-
-  module Scanning
-  end
-end
-```
-
-If classes that are defined into a namespace have a lot in common with classes in other namespaces,
-chances are that these two namespaces are part of the same bounded context.
+<!-- This redirect file can be deleted after <2023-01-24>. -->
+<!-- Redirects that point to other docs in the same project expire in three months. -->
+<!-- Redirects that point to docs in a different project or site (link is not relative and starts with `https:`) expire in one year. -->
+<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->

doc/development/feature_development.md

@@ -19,7 +19,7 @@ Consult these topics for information on contributing to specific GitLab features
 
 ### General
 
-- [Directory structure](directory_structure.md)
+- [Software design guides](software_design.md)
 - [GitLab EventStore](event_store.md) to publish/subscribe to domain events
 - [GitLab utilities](utilities.md)
 - [Newlines style guide](newlines_styleguide.md)

doc/development/i18n/externalization.md

@@ -284,9 +284,7 @@ expect(wrapper.text()).toEqual(MSG_ALERT_SETTINGS_FORM_ERROR);
 
 ### Dynamic translations
 
-Sometimes there are dynamic translations that the parser can't find when running
-`bin/rake gettext:find`. For these scenarios you can use the [`N_` method](https://github.com/grosser/gettext_i18n_rails/blob/c09e38d481e0899ca7d3fc01786834fa8e7aab97/Readme.md#unfound-translations-with-rake-gettextfind).
-There's also an alternative method to [translate messages from validation errors](https://github.com/grosser/gettext_i18n_rails/blob/c09e38d481e0899ca7d3fc01786834fa8e7aab97/Readme.md#option-a).
+For more details you can see how we [keep translations dynamic](#keep-translations-dynamic).
 
 ## Working with special content
 
@@ -764,6 +762,10 @@ class MyPresenter
 end
 ```
 
+Sometimes there are dynamic translations that the parser can't find when running
+`bin/rake gettext:find`. For these scenarios you can use the [`N_` method](https://github.com/grosser/gettext_i18n_rails/blob/c09e38d481e0899ca7d3fc01786834fa8e7aab97/Readme.md#unfound-translations-with-rake-gettextfind).
+There's also an alternative method to [translate messages from validation errors](https://github.com/grosser/gettext_i18n_rails/blob/c09e38d481e0899ca7d3fc01786834fa8e7aab97/Readme.md#option-a).
+
 ### Splitting sentences
 
 Never split a sentence, as it assumes the sentence's grammar and structure is the same in all

doc/development/reusing_abstractions.md

@@ -198,7 +198,7 @@ Several base classes implement the service classes convention. You may consider
 - `BaseGroupService` for services scoped to groups.
 
 Classes that are not service objects should be
-[created elsewhere](directory_structure.md#use-namespaces-to-define-bounded-contexts),
+[created elsewhere](software_design.md#use-namespaces-to-define-bounded-contexts),
 such as in `lib`.
 
 #### ServiceResponse