[merge-train skip]

[ci skip]

[ci skip]

Enforce that the policy is executed by the bot user

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3568



Merged-by: Vladimir Glafirov <vglafirov@gitlab.com>
Approved-by: Ottilia Westerlund <owesterlund@gitlab.com>
Co-authored-by: mc_rocha <mrocha@gitlab.com>
Co-authored-by: David Fernandez <dfernandez@gitlab.com>

Merge branch 'security-fix-scan-execution-pipeline-user-16-3' into '16-3-stable-ee'

See merge request gitlab-org/security/gitlab!3568

Changelog: security

Backport "Fix Geo secondary proxying Git pulls unnecessarily" to 16.3

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131920



Merged-by: Michael Kozono <mkozono@gitlab.com>
Approved-by: Michael Kozono <mkozono@gitlab.com>
Co-authored-by: Douglas Barbosa Alexandre <dbalexandre@gmail.com>

The Project replication is handled by Geo::ProjectRepositoryRegistry
and SSF since 16.3 (https://gitlab.com/gitlab-org/gitlab/-/merge_requests/125927)

But our "repository out of date?" logic checks the legacy
Geo::ProjectRegistry record.

Changelog: fixed
EE: true

Use new indexer, fix removing blobs from index

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131073



Merged-by: Mark Chao <mchao@gitlab.com>
Approved-by: Mark Chao <mchao@gitlab.com>
Co-authored-by: Terri Chu <tchu@gitlab.com>

Changelog: fixed
EE: true

[merge-train skip]

[ci skip]

[ci skip]

Backport "Prevent pipeline creation while import is running" to 16.3

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131156



Merged-by: Marius Bobin <mbobin@gitlab.com>
Approved-by: Bob Van Landuyt <bob@gitlab.com>

Backport Enable sync with package metadata db by default

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131070



Merged-by: Terri Chu <tchu@gitlab.com>
Approved-by: Terri Chu <tchu@gitlab.com>
Co-authored-by: Gregory Havenga <11164960-ghavenga@users.noreply.gitlab.com>

Remove gdk base image and pin gdk sha

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131121



Merged-by: Dan Davison <ddavison@gitlab.com>
Approved-by: Nao Hashizume <nhashizume@gitlab.com>
Approved-by: Dan Davison <ddavison@gitlab.com>
Co-authored-by: Andrejs Cunskis <acunskis@gitlab.com>

Fix build command

Fix ruby version file name

Remove gdk base rebuilding rule

Extend dockerignore with more patterns

Remove go and yarn cache mounting

Build gitaly last

Remove gem cache mount for final step

Patch UpdateCiMaxTotalYamlSizeBytesDefaultValue - stable branch

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/130823



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Gregory Havenga <11164960-ghavenga@users.noreply.gitlab.com>
Approved-by: Adam Hegyi <ahegyi@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: Kasia Misirli <kmisirli@gitlab.com>

- /db/migrate/20230808135859_update_ci_max_total_yaml_size_bytes_default_value.rb
- /ee/spec/migrations/update_ci_max_total_yaml_size_bytes_default_value_spec.rb

Backport 16.3  Fix cluster service reindexing params

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/130576



Merged-by: Terri Chu <tchu@gitlab.com>
Approved-by: John Mason <9717668-johnmason@users.noreply.gitlab.com>
Co-authored-by: John Mason <9717668-johnmason@users.noreply.gitlab.com>

Because the imports don't get the internal ids from the
database sequence, creating new pipelines while the
import is still running will attempt to insert
duplicate iid values in the ci_pipelines table.
This fix prevents new pipelines from being created
while the import is running. After the import is
completed, the internal_ids row for the project will
be deleted and the new pipeline will recreate it
with the appropriate value.

Changelog: fixed

Fix cluster service reindexing params

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/130107



Merged-by: John Mason <9717668-johnmason@users.noreply.gitlab.com>
Approved-by: Patrick Cyiza <jpcyiza@gitlab.com>
Approved-by: John Mason <9717668-johnmason@users.noreply.gitlab.com>
Reviewed-by: Terri Chu <tchu@gitlab.com>
Co-authored-by: Terri Chu <tchu@gitlab.com>

(cherry picked from commit d23b2754)

f448bc50 Fix cluster service reindexing params
586d8d14 Apply feedback from maintainer
49ba3e61 Add fix for slice id and max out of bounds
3f1caa2d Add descriptive text to ArgumentError
8931e685 Move all KeyError errors to ArgumentError errors

Enable sync with package metadata db by default

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/130176



Merged-by: Gregory Havenga <11164960-ghavenga@users.noreply.gitlab.com>
Approved-by: Gregory Havenga <11164960-ghavenga@users.noreply.gitlab.com>
Approved-by: Ahmed Hemdan <ahemdan@gitlab.com>
Reviewed-by: Grant Young <gyoung@gitlab.com>
Reviewed-by: Igor Frenkel <ifrenkel@gitlab.com>
Reviewed-by: Ahmed Hemdan <ahemdan@gitlab.com>
Co-authored-by: Tetiana Chupryna <tchupryna@gitlab.com>
Co-authored-by: Andrejs Cunskis <acunskis@gitlab.com>

(cherry picked from commit a030dc7c)

3c1867ec Enable sync with package metadata db by default
1f360623 Fix QA constant name
9c0e519b Don't run the condition if it's staging or production env
ef5ad2ab Move condition to CE to make it global
b1f1a4fb Fix setting param
1d5b2706 Move application settings update after license fabrication
a9c0c8b0 Add package_metadata to API
406da9f6 Update package metadata default
f09e5ce3 Add migration to update default pm setting
b90cc302 Remove DDL part of migration
bd144e7f Fix failed test
a8fe08a6 Add doc about the setting
9b10a160 Use better matcher in test
5e976cab Fix broken test
5554f05a Move setting to EE
3f5ade51 Add test for EE setting
a7d7207e Test if QA properly setup the value

Backport create ci_pipelines iid sequence on new projects to 16.3

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/130835



Merged-by: Bob Van Landuyt <bob@gitlab.com>
Approved-by: Bob Van Landuyt <bob@gitlab.com>
Co-authored-by: Marius Bobin <mbobin@gitlab.com>

[merge-train skip]

[ci skip]

[ci skip]

Backport "Drop bridge jobs on unknown failures" to 16.3

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/130833



Merged-by: Bob Van Landuyt <bob@gitlab.com>
Approved-by: Bob Van Landuyt <bob@gitlab.com>
Reviewed-by: Bob Van Landuyt <bob@gitlab.com>
Co-authored-by: Marius Bobin <mbobin@gitlab.com>

The initialization of the sequence is not atomic and
due to race conditions some pipelines could reinitialize
multiple times, resulting in attempts to insert rows
with duplicate values. This fix moves the initialization
from the first pipeline creation to the project creation,
so the sequence will already be initialized when the
first pipelines are created.

Changelog: fixed

Sometimes the underlying systems fail to respond and
an error from them would leave the bridge in the running
state undefinetly. Since we don't know the full list of
errors that could cause this, we can catch everything
and let the user decide if they want to retry or not.

Changelog: fixed

Fix Code Suggestions in Web IDE on GitLab 16.3

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/130755



Merged-by: Paul Slaughter <pslaughter@gitlab.com>
Approved-by: Paul Slaughter <pslaughter@gitlab.com>
Co-authored-by: GitLab Renovate Bot <gitlab-bot@gitlab.com>

- https://gitlab.com/gitlab-org/gitlab/-/issues/424025
- https://gitlab.com/gitlab-org/gitlab/-/issues/405152#note_1534558771

Changelog: fixed

[merge-train skip]

[ci skip]

[ci skip]

Add authorization checks to import status endpoint

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3513



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Dylan Griffith <dyl.griffith@gmail.com>
Approved-by: Luke Duncalfe <lduncalfe@gitlab.com>
Co-authored-by: bmarjanovic <bmarjanovic@gitlab.com>

Merge branch 'security-415117-confidential-issue-16-3' into '16-3-stable-ee'

See merge request gitlab-org/security/gitlab!3513

Changelog: security

Update commonmarker to 0.23.10

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3507



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Mario Celi <mcelicalderon@gitlab.com>
Co-authored-by: Brett Walker <bwalker@gitlab.com>

Merge branch 'security-update-commonmarker-16-3' into '16-3-stable-ee'

See merge request gitlab-org/security/gitlab!3507

Changelog: security

Remove DAST secret variables when URL is updated

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3498



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Aboobacker MK <akarakath@gitlab.com>
Approved-by: Himanshu Kapoor <info@fleon.org>
Co-authored-by: Dheeraj Joshi <djoshi@gitlab.com>