Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

Diff for: .gitlab/ci/includes/gitlab-com/danger-review.gitlab-ci.yml

@@ -1,6 +1,6 @@
 include:
   - project: gitlab-org/quality/pipeline-common
-    ref: 8.5.0
+    ref: 8.5.1
     file:
       - /ci/danger-review.yml
 

Diff for: AI_GATEWAY_VERSION

@@ -0,0 +1 @@
+1dbddb919823f69cb58bf36343c84c52ec4a3418

Diff for: app/assets/images/bot_avatars/security-bot.png

@@ -56,7 +56,8 @@
     "InstanceExternalAuditEventDestination"
   ],
   "AuditEventStreamingDestinationInterface": [
-    "GroupAuditEventStreamingDestination"
+    "GroupAuditEventStreamingDestination",
+    "InstanceAuditEventStreamingDestination"
   ],
   "GoogleCloudArtifactRegistryArtifact": [
     "GoogleCloudArtifactRegistryDockerImage"

Diff for: app/assets/images/bot_avatars/security-bot_120.png

@@ -0,0 +1,30 @@
+import { initToggle } from '~/toggles';
+
+/**
+ * Uses a toggle element in combination with a hidden field
+ * to force submit a form that updates the settings.
+ *
+ * Unlike other settings in this page, updating this setting uses
+ * a full page refresh (submit). This is done to avoid adding
+ * `allow_runner_registration_token` to any API as this setting
+ * is discouraged.
+ */
+export const initAllowRunnerRegistrationTokenToggle = () => {
+  const el = document.querySelector('.js-allow-runner-registration-token-toggle');
+  const input = document.querySelector('.js-allow-runner-registration-token-input');
+
+  if (el && input) {
+    const toggle = initToggle(el);
+
+    toggle.$on('change', (isEnabled) => {
+      input.value = isEnabled;
+
+      toggle.isLoading = true;
+
+      toggle.$el.closest('form').requestSubmit();
+    });
+    return toggle;
+  }
+
+  return null;
+};

Diff for: app/assets/images/bot_avatars/security-bot_16.png

@@ -529,7 +529,6 @@ export default {
       <gl-empty-state
         :description="emptyStateDescription"
         :svg-path="emptyStateSvgPath"
-        :svg-height="150"
         :title="emptyStateTitle"
       />
     </template>

Diff for: app/assets/images/bot_avatars/security-bot_160.png

@@ -1,4 +1,6 @@
 import initStaleRunnerCleanupSetting from 'ee_else_ce/group_settings/stale_runner_cleanup';
+import { initAllowRunnerRegistrationTokenToggle } from '~/group_settings/allow_runner_registration_token_toggle';
+
 import initVariableList from '~/ci/ci_variable_list';
 import initSharedRunnersForm from '~/group_settings/mount_shared_runners';
 import initSettingsPanels from '~/settings_panels';
@@ -7,7 +9,7 @@ import initDeployTokens from '~/deploy_tokens';
 // Initialize expandable settings panels
 initSettingsPanels();
 initDeployTokens();
-
+initAllowRunnerRegistrationTokenToggle();
 initSharedRunnersForm();
 initStaleRunnerCleanupSetting();
 initVariableList();

Diff for: app/assets/images/bot_avatars/security-bot_20.png

@@ -351,7 +351,7 @@ export default {
         @submitted="$apollo.queries.project.refetch()"
       >
         <template #rules>
-          <project-rules />
+          <project-rules :is-branch-rules-edit="true" />
         </template>
       </approval-rules-app>
     </template>

Diff for: app/assets/images/bot_avatars/security-bot_23.png

@@ -79,7 +79,7 @@ def update_group_service
       end
 
       def update_group_params
-        params.require(:group).permit(:max_artifacts_size)
+        params.require(:group).permit(:max_artifacts_size, :allow_runner_registration_token)
       end
 
       # Overridden in EE

Diff for: app/assets/images/bot_avatars/security-bot_24.png

@@ -207,7 +207,7 @@ def dashboard_issues_list_data(current_user)
       dashboard_labels_path: dashboard_labels_path(format: :json, include_ancestor_groups: true),
       dashboard_milestones_path: dashboard_milestones_path(format: :json),
       empty_state_with_filter_svg_path: image_path('illustrations/empty-state/empty-issues-md.svg'),
-      empty_state_without_filter_svg_path: image_path('illustrations/issue-dashboard_results-without-filter.svg'),
+      empty_state_without_filter_svg_path: image_path('illustrations/empty-state/empty-search-md.svg'),
       has_issue_date_filter_feature: Feature.enabled?(:issue_date_filter, current_user).to_s,
       initial_sort: current_user&.user_preference&.issues_sort,
       is_public_visibility_restricted:

Diff for: app/assets/images/bot_avatars/security-bot_26.png

@@ -61,6 +61,10 @@ def avatar_path(only_path: true, size: nil)
       return uncached_avatar_path(only_path: only_path, size: size)
     end
 
+    if self.try(:static_avatar_path?)
+      return self.static_avatar_path(size)
+    end
+
     # Cache this avatar path only within the request because avatars in
     # object storage may be generated with time-limited, signed URLs.
     key = "#{self.class.name}:#{self.id}:#{only_path}:#{size}"

Diff for: app/assets/images/bot_avatars/security-bot_32.png

@@ -3,3 +3,13 @@
 - if @group.licensed_feature_available?(:stale_runner_cleanup_for_namespace)
   .gl-mb-5
     #stale-runner-cleanup-form{ data: { group_full_path: @group.full_path, stale_timeout_secs: ::Ci::Runner::STALE_TIMEOUT.to_i } }
+
+- if @group.root? && Gitlab::CurrentSettings.allow_runner_registration_token
+  -# Only available to top-level groups when the registration token is available in the instance
+  .gl-mb-5
+  = gitlab_ui_form_for @group, url: group_settings_ci_cd_path(@group, anchor: 'runners-settings') do |f|
+    = f.hidden_field :allow_runner_registration_token, class: 'js-allow-runner-registration-token-input', value: @group.allow_runner_registration_token?
+    = render Pajamas::ToggleComponent.new(classes: 'js-allow-runner-registration-token-toggle',
+      label: s_("GroupSettings|Allow members of projects and groups to create runners with runner registration tokens"),
+      is_checked: @group.allow_runner_registration_token?) do
+      = s_("GroupSettings|When disabled, members will not be able to register runners using runner registration tokens. They can instead use runner authentication tokens as a more secure runner registration method.")

Diff for: app/assets/images/bot_avatars/security-bot_36.png

@@ -0,0 +1,19 @@
+---
+migration_job_name: FixCorruptedScannerIdsOfVulnerabilityReads
+description: >-
+  There was a bug in production where the scanner_id of a
+  vulnerability finding would be updated, yet the scanner_id of the
+  related vulnerability_read would remain unchanged. This is an issue
+  as the vulnerability_read should always be in sync with the
+  vulnerability finding.
+
+  The bug has been fixed in production. This
+  migration finds any vulnerability_reads with a scanner_id mismatch
+  with the vulnerability_occurrence. It updates the vulnerability_read
+  to have the value from the vulnerability_occurrence
+feature_category: vulnerability_management
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148807
+milestone: '16.11'
+queued_migration_version: 20240409023046
+# Replace with the approximate date you think it's best to ensure the completion of this BBM.
+finalize_after: '2024-05-01'

Diff for: app/assets/images/bot_avatars/security-bot_38.png

@@ -7,4 +7,5 @@ feature_categories:
 description: Describes a Zoekt server that will be used for indexing and search for some configured namespaces
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134901
 milestone: '16.6'
-gitlab_schema: gitlab_main
+gitlab_schema: gitlab_main_cell
+exempt_from_sharding: true

Diff for: app/assets/images/bot_avatars/security-bot_40.png

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+class QueueFixCorruptedScannerIdsOfVulnerabilityReads < Gitlab::Database::Migration[2.2]
+  milestone '16.11'
+
+  MIGRATION = "FixCorruptedScannerIdsOfVulnerabilityReads"
+  DELAY_INTERVAL = 2.minutes
+  BATCH_SIZE = 1000
+  SUB_BATCH_SIZE = 100
+
+  disable_ddl_transaction!
+  restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+  def up
+    queue_batched_background_migration(
+      MIGRATION,
+      :vulnerability_reads,
+      :id,
+      job_interval: DELAY_INTERVAL,
+      batch_size: BATCH_SIZE,
+      sub_batch_size: SUB_BATCH_SIZE
+    )
+  end
+
+  def down
+    delete_batched_background_migration(MIGRATION, :vulnerability_reads, :id, [])
+  end
+end

Diff for: app/assets/images/bot_avatars/security-bot_48.png

@@ -0,0 +1 @@
+b652ab8839ccdf19995d8f26c776a8946294367f21dd50279fd8894768f9c47a

Diff for: app/assets/images/bot_avatars/security-bot_60.png

@@ -60,6 +60,7 @@ Audit event types belong to the following product categories.
 | [`create_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/74632) | Event triggered when an external audit event destination is created| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [14.6](https://gitlab.com/gitlab-org/gitlab/-/issues/344664) | Group |
 | [`create_group_audit_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147888) | Event triggered when an external audit event destination for a top-level group is created.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/436610) | Group |
 | [`create_http_namespace_filter`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136047) | Event triggered when a namespace filter for an external audit event destination for a top-level group is created.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/424176) | Group |
+| [`create_instance_audit_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148383) | Event triggered when an external audit event destination for a GitLab instance is created.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.11](https://gitlab.com/gitlab-org/gitlab/-/issues/436615) | Instance |
 | [`create_instance_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/123882) | Event triggered when an instance level external audit event destination is created| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.2](https://gitlab.com/gitlab-org/gitlab/-/issues/404730) | Instance |
 | [`delete_http_namespace_filter`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136302) | Event triggered when a namespace filter for an external audit event destination for a top-level group is deleted.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.7](https://gitlab.com/gitlab-org/gitlab/-/issues/424177) | Group |
 | [`destroy_event_streaming_destination`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/74632) | Event triggered when an external audit event destination is deleted| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [14.6](https://gitlab.com/gitlab-org/gitlab/-/issues/344664) | Group |

Diff for: app/assets/images/bot_avatars/security-bot_64.png

@@ -4950,6 +4950,32 @@ Input type: `HttpIntegrationUpdateInput`
 | <a id="mutationhttpintegrationupdateerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
 | <a id="mutationhttpintegrationupdateintegration"></a>`integration` | [`AlertManagementHttpIntegration`](#alertmanagementhttpintegration) | HTTP integration. |
 
+### `Mutation.instanceAuditEventStreamingDestinationsCreate`
+
+DETAILS:
+**Introduced** in GitLab 16.11.
+**Status**: Experiment.
+
+Input type: `InstanceAuditEventStreamingDestinationsCreateInput`
+
+#### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="mutationinstanceauditeventstreamingdestinationscreatecategory"></a>`category` | [`String!`](#string) | Destination category. |
+| <a id="mutationinstanceauditeventstreamingdestinationscreateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| <a id="mutationinstanceauditeventstreamingdestinationscreateconfig"></a>`config` | [`JSON!`](#json) | Destination config. |
+| <a id="mutationinstanceauditeventstreamingdestinationscreatename"></a>`name` | [`String`](#string) | Destination name. |
+| <a id="mutationinstanceauditeventstreamingdestinationscreatesecrettoken"></a>`secretToken` | [`String!`](#string) | Secret token. |
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="mutationinstanceauditeventstreamingdestinationscreateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| <a id="mutationinstanceauditeventstreamingdestinationscreateerrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. |
+| <a id="mutationinstanceauditeventstreamingdestinationscreateexternalauditeventdestination"></a>`externalAuditEventDestination` | [`InstanceAuditEventStreamingDestination`](#instanceauditeventstreamingdestination) | Destination created. |
+
 ### `Mutation.instanceExternalAuditEventDestinationCreate`
 
 Input type: `InstanceExternalAuditEventDestinationCreateInput`
@@ -21984,6 +22010,19 @@ Stores instance level Amazon S3 configurations for audit event streaming.
 | <a id="instanceamazons3configurationtypeid"></a>`id` | [`ID!`](#id) | ID of the configuration. |
 | <a id="instanceamazons3configurationtypename"></a>`name` | [`String!`](#string) | Name of the external destination to send audit events to. |
 
+### `InstanceAuditEventStreamingDestination`
+
+Represents an external destination to stream instance level audit events.
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="instanceauditeventstreamingdestinationcategory"></a>`category` | [`String!`](#string) | Category of the external destination to send audit events to. |
+| <a id="instanceauditeventstreamingdestinationconfig"></a>`config` | [`JSON!`](#json) | Config of the external destination. |
+| <a id="instanceauditeventstreamingdestinationid"></a>`id` | [`ID!`](#id) | ID of the destination. |
+| <a id="instanceauditeventstreamingdestinationname"></a>`name` | [`String!`](#string) | Name of the external destination to send audit events to. |
+
 ### `InstanceExternalAuditEventDestination`
 
 Represents an external resource to send instance audit events to.
@@ -34908,6 +34947,7 @@ Implementations:
 Implementations:
 
 - [`GroupAuditEventStreamingDestination`](#groupauditeventstreamingdestination)
+- [`InstanceAuditEventStreamingDestination`](#instanceauditeventstreamingdestination)
 
 ##### Fields
 

Diff for: app/assets/images/bot_avatars/security-bot_90.png

@@ -558,3 +558,60 @@ Alternative solutions were discussed in
 ## Decisions
 
 - [ADR-001: Allow direct connections](decisions/001_direct_connections.md)
+
+## Future work
+
+AI Gateway aim is to become the primary method for the monolith to **access** machine learning models across all usages of GitLab and create a consistent user journey when developing AI-backed features. To do so, these goal is split down into three categories:
+
+- Centralized Access Through AI Gateway
+- Self Managed AI Gateway
+- Unit Primitives
+
+### Centralized Access Through AI Gateway
+
+The AI Gateway, a standalone service, is the sole access point for all communication between GitLab installations and third-party AI models. It is designed to centralize and manage access to all GitLab features, whether they are in-app functionalities or code suggestions, irrespective of their deployment methods. 
+
+This strategy significantly simplifies enterprise management and abstracts machine learning away from the monolith. With future expansions including telemetry, embeddings API, and multi-region/customer-specific deployments, our goal is to provide a scalable, comprehensive AI solution for all GitLab users, regardless of their installation type.
+
+[Model registry](../../../user/project/ml/model_registry/index.md) is a feature that allows users to use GitLab to manage the machine learning models. While not solely focused on large language models, and currently more targeted at smaller model applications, which could be deployed in various ways: as a standalone library, a service, a pod, a cloud deployment, and so forth. For these user-deployed models, the ability to auto-configure an API that's accessible through the AI Gateway could be a significant feature.
+
+- [AI Gateway as the Sole Access Point for Monolith to Access Models](https://gitlab.com/groups/gitlab-org/-/epics/13024)
+
+### Unit Primitives
+
+Unit Primitives are a fundamental part of our strategy for managing access to AI features through the AI Gateway. They represent the smallest unit of functionality that can be accessed and managed through the Gateway. This approach provides a more granular control over the functionalities exposed through the AI Gateway and simplifies the management of AI features. It also paves the way for future work on supporting user-deployed models and locally hosted models. From a business perspective, unit primitives are the smallest pieces that may be shuffled across various tiers or packaging models, providing flexibility and adaptability in our offerings.
+
+In the initial iteration, we will support two primitives: Code Suggestions and Chat. The latter will encompass all Chat features in one primitive. 
+
+In the next iteration, we plan to decompose the Chat primitive into multiple primitives based on top-level tools. This work is dependent on the completion of the task to move classification into the AI Gateway. 
+
+The introduction of Unit Primitives will simplify the management of AI features and provide a more granular control over the functionalities exposed through the AI Gateway. This will also pave the way for future work on supporting user-deployed models and locally hosted models.
+
+For more details, refer to the [Initial Set of Unit Primitives](https://gitlab.com/gitlab-org/gitlab/-/issues/444934) issue.
+
+- [Unit Primitives for Accessing CC Features](https://gitlab.com/groups/gitlab-org/-/epics/12556)
+
+### Self Managed AI Gateway
+
+Self-managed instances can either use GitLab-hosted AI Gateway or have their own AI Gateway if they want to use self-deployed models, with Runway likely being the deployment method. This means part of our work will be to ensure that the AI Gateway can be deployed in a self-managed environment. This work will go hand-in-hand with the work to support locally hosted models (local inference) in support of GitLab AI features.
+
+- [Self Managed AI Gateway](https://gitlab.com/groups/gitlab-org/-/epics/13162)
+
+## Other components in the AI stack
+
+While AI Gateway centralizes _access_ to AI features and models, it interacts with other components to help users achieve their goals:
+
+- AI Agents: create and manage agents and prompts
+- Model registry: manage and deployment machine learning models
+
+### Model registry
+
+[Model registry](../../../user/project/ml/model_registry/index.md) is a feature that allows users to use GitLab to manage the machine learning models. While not solely focused on large language models, and currently more targeted at smaller model applications, which could be deployed in various ways: as a standalone library, a service, a pod, a cloud deployment, and so forth. For these user-deployed models, the ability to auto-configure an API that's accessible through the AI Gateway could be a significant feature.
+
+### AI Agents
+
+[AI Agents](https://gitlab.com/groups/gitlab-org/-/epics/12330) is a feature that allows users to implement and manage their own chats and AI features, managing prompts, models and tools. Development is currently in its early stages. Once mature, we intend to move GitLab feature to agents, but there are blockers that currently prevent us from doing so: 
+
+- [Lack of prompt templating](https://gitlab.com/gitlab-org/gitlab/-/issues/441081).
+- Implement replication of user-defined prompts into ai-gateway.
+- Implement replication of GitLab-defined prompts into self-managed installations (e.g., organization-level agents where we prepopulate with a few agents).