[merge-train skip]

[ci skip]

[ci skip]

Set minimum role for importing projects to Maintainer

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3215



Merged-by: Reuben Pereira <2967854-rpereira2@users.noreply.gitlab.com>
Approved-by: Rodrigo Tomonari <rtomonari@gitlab.com>
Co-authored-by: George Koltsov <gkoltsov@gitlab.com>

Merge branch 'security-update-project-import-to-maintainer-role-15-10' into '15-10-stable-ee'

See merge request gitlab-org/security/gitlab!3215

Changelog: security

Commit trailers now only match public user email addresses

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3208



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: John Mason <9717668-john-mason@users.noreply.gitlab.com>
Co-authored-by: Robert May <rmay@gitlab.com>

Merge branch 'security-385246-15-10' into '15-10-stable-ee'

See merge request gitlab-org/security/gitlab!3208

Changelog: security

Handle invalid URLs in asset proxy

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3212



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Rajendra Kadam <rkadam@gitlab.com>
Co-authored-by: Heinrich Lee Yu <heinrich@gitlab.com>

Merge branch 'security-fix-asset-proxy-invalid-urls-15-10' into '15-10-stable-ee'

See merge request gitlab-org/security/gitlab!3212

Changelog: security

Relay state to check for only allowing sub paths

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3220



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Jon Glassman <jglassman@gitlab.com>
Approved-by: Ameya Darshan <adarshan@gitlab.com>
Approved-by: Bogdan Denkovych <bdenkovych@gitlab.com>
Co-authored-by: smriti <sgarg@gitlab.com>

Merge branch 'security-876-saml_group_login_open_redirect-15-10' into '15-10-stable-ee'

See merge request gitlab-org/security/gitlab!3220

Changelog: security

Prohibit 40 character hex sets at beginning of path-based branch name

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3194



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Vasilii Iakliushin <viakliushin@gitlab.com>
Co-authored-by: Robert May <rmay@gitlab.com>

Merge branch 'security-390910-15-10' into '15-10-stable-ee'

See merge request gitlab-org/security/gitlab!3194

Changelog: security

Add specs for external users flag

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3190



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Drew Blessing <drew@gitlab.com>
Co-authored-by: Jarka Košanová <jarka@gitlab.com>

Merge branch 'security-test-coverage-15-10' into '15-10-stable-ee'

See merge request gitlab-org/security/gitlab!3190

Changelog: security

Merge branch 'security-868-prevent-access-to-public-projects-if-user-is-banned-15-10' into '15-10-stable-ee'

Update policy to prevent banned members from accessing public projects

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3186



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Roy Zwambag <rzwambag@gitlab.com>
Co-authored-by: Hinam Mehra <hmehra@gitlab.com>

Merge branch 'security-868-prevent-access-to-public-projects-if-user-is-banned-15-10' into '15-10-stable-ee'

See merge request gitlab-org/security/gitlab!3186

Changelog: security

Use dummy filename as filename when viewing raw xml files

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3192



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Igor Drozdov <idrozdov@gitlab.com>
Co-authored-by: j.seto <jseto@gitlab.com>

Merge branch 'security-404613-xml-raw-files-15-10' into '15-10-stable-ee'

See merge request gitlab-org/security/gitlab!3192

Changelog: security

Authorize access to vulnerabilitiesCountByDay resolver

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3180



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Mark Chao <mchao@gitlab.com>
Co-authored-by: mo khan <mo@mokhan.ca>

Merge branch '390821-confidential-issue-15-10' into '15-10-stable-ee'

See merge request gitlab-org/security/gitlab!3180

Changelog: security

Backport: Make assets image build on stable branches

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118439



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: Graeme Gillies <ggillies@gitlab.com>

Part of https://gitlab.com/gitlab-com/gl-infra/delivery/-/issues/2674

Currently we do a trigger to the `cng-mirror` repository to build images
on every commit to a stable branch, because we want to deploy the images
built into a stable environment (via trigger to `release-environments).

However, the rules on when we build the assets image (which we need) vs
when we trigger `cng-mirror` and `release-environments` are different.

This causes a failure when we haven't got the assets image tag available
to use to build images and thus a subsequent deploy also fails (normally
job dependencies would stop the deploy due to images failing to build,
but as these jobs are in `allow_failure: true` this doesn't currently
happen.

This change adds the specific rule about building on stable branches
(that we use to trigger the whole release-environments child pipeline)
to the rules for the `build-assets-image` job. This means whenever
we would deploy to a release-environment, we are guarenteed to have
run the `build-assets-image` job.

Use proxied_site for geo proxied clone urls

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118219



Merged-by: Michael Kozono <mkozono@gitlab.com>
Approved-by: Michael Kozono <mkozono@gitlab.com>
Co-authored-by: Mariia Solodovnik <msolodovnik-ext@gitlab.com>

Use proxied_site for geo proxied clone urls

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118058



Merged-by: Michael Kozono <mkozono@gitlab.com>
Approved-by: Michael Kozono <mkozono@gitlab.com>
Co-authored-by: Mariia Solodovnik <msolodovnik-ext@gitlab.com>

(cherry picked from commit 1a899b9a)

3ac6a9ca Use proxied_site for geo proxied clone urls

[merge-train skip]

[ci skip]

[ci skip]

Skip certain Danger rules for stable branch MRs

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/117913



Merged-by: David Dieulivol <ddieulivol@gitlab.com>
Approved-by: David Dieulivol <ddieulivol@gitlab.com>
Co-authored-by: Steve Abrams <sabrams@gitlab.com>

Backport: Fix trigger to release-environments deployments

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118118



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: Graeme Gillies <ggillies@gitlab.com>

Part of https://gitlab.com/gitlab-com/gl-infra/delivery/-/issues/2696

In MR https://gitlab.com/gitlab-org/gitlab/-/merge_requests/117212
we added a trigger from stable branch pipelines to do a downstream
trigger pipeline in the release-environment. However, the URL to
the repo to trigger was incorrect leading to a project not found
error. This change corrects this.

Backport: Trigger deploys to release-environments on stable branches

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/117950



Merged-by: Graeme Gillies <ggillies@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>

Part of https://gitlab.com/gitlab-com/gl-infra/delivery/-/issues/2696

This change expands upon the `start-release-environments` child pipeline
to do the following

* Correct how we tag images built in `cng-mirror` by leveraging the
`IMAGE_TAG_EXT` field to uniquely tag images. Some examples of this
working are at

https://gitlab.com/gitlab-org/build/CNG-mirror/-/jobs/4090399906 15-9-stable

https://gitlab.com/gitlab-org/build/CNG-mirror/-/jobs/4090296623 15-10-stable

* Adds a new stage to actually do a downstream pipeline trigger to the
`release-environments` repository in order to actually trigger a deploy.
This passes in the environment to deploy to and a json object which is
the versions of each component to deploy. The work for the
release-environments repository to support this was done in
https://gitlab.com/gitlab-com/gl-infra/release-environments/-/merge_requests/51

- Skip database warnings
- Skip product intelligence review
- Skip data team warnings

Use primary ssh_url_to_repo for geo proxied ssh clone url

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/117676



Merged-by: Douglas Barbosa Alexandre <dbalexandre@gmail.com>
Approved-by: Douglas Barbosa Alexandre <dbalexandre@gmail.com>
Co-authored-by: Mariia Solodovnik <msolodovnik-ext@gitlab.com>
Co-authored-by: Michael Kozono <mkozono@gitlab.com>

Use primary ssh_url_to_repo for geo proxied ssh clone url

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/117247



Merged-by: Michael Kozono <mkozono@gitlab.com>
Approved-by: Michael Kozono <mkozono@gitlab.com>
Reviewed-by: Michael Kozono <mkozono@gitlab.com>
Co-authored-by: Mariia Solodovnik <msolodovnik-ext@gitlab.com>

(cherry picked from commit cefc9e39)

9157f683 Use primary ssh_url_to_repo for geo proxied ssh clone url
5b51beb1 Add check for ssh and primary hosts

[15.10] Patch mail gem to handle TLS settings properly

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/117559



Merged-by: Jan Provaznik <jprovaznik@gitlab.com>
Approved-by: Andrejs Cunskis <acunskis@gitlab.com>
Approved-by: Jan Provaznik <jprovaznik@gitlab.com>
Co-authored-by: Stan Hu <stanhu@gmail.com>

[merge-train skip]

[ci skip]

[ci skip]