Merge master and fix conflicts

Fix conflicts in db/schema.rb

.gitlab/CODEOWNERS

@@ -6,8 +6,8 @@
 /doc/ @axil @marcia @eread @mikelewis
 
 # Frontend maintainers should see everything in `app/assets/`
-app/assets/ @ClemMakesApps @fatihacet @filipa @mikegreiling @timzallmann @kushalpandya @pslaughter @wortschi @ntepluhina
-*.scss @annabeldunstone @ClemMakesApps @fatihacet @filipa @mikegreiling @timzallmann @kushalpandya @pslaughter @wortschi @ntepluhina
+app/assets/ @ClemMakesApps @fatihacet @filipa @mikegreiling @timzallmann @kushalpandya @pslaughter @wortschi @ntepluhina @iamphill
+*.scss @annabeldunstone @ClemMakesApps @fatihacet @filipa @mikegreiling @timzallmann @kushalpandya @pslaughter @wortschi @ntepluhina @iamphill
 
 # Database maintainers should review changes in `db/`
 db/ @gitlab-org/maintainers/database

.gitlab/ci/review.gitlab-ci.yml

@@ -122,6 +122,7 @@ schedule:review-build-cng:
     - source scripts/utils.sh
     - install_api_client_dependencies_with_apk
     - source scripts/review_apps/review-apps.sh
+    - export REVIEW_APP_CONFIG_CHANGED=$(base_config_changed)
   script:
     - date
     - check_kube_domain

CHANGELOG-EE.md

 Please view this file on the master branch, on stable branches it's out of date.
 
+## 12.4.1
+
+### Security (6 changes)
+
+- Do not display project labels that are not visible for user accessing group labels.
+- Do not index system notes for issue update.
+- Redact search results based on Ability.allowed?.
+- Do not show private cross references in epic notes.
+- Filter out packages the user does'nt have permission to see at group level.
+- Fixes a Open Redirect issue in `InternalRedirect`.
+
+
 ## 12.4.0
 
 ### Security (2 changes)

CHANGELOG.md

@@ -2,6 +2,26 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 12.4.1
+
+### Security (14 changes)
+
+- Standardize error response when route is missing.
+- Do not display project labels that are not visible for user accessing group labels.
+- Show cross-referenced label and milestones in issues' activities only to authorized users.
+- Show cross-referenced label and milestones in issues' activities only to authorized users.
+- Analyze incoming GraphQL queries and check for recursion.
+- Disallow unprivileged users from commenting on private repository commits.
+- Don't allow maintainers of a target project to delete the source branch of a merge request from a fork.
+- Require Maintainer permission on group where project is transferred to.
+- Don't leak private members in project member autocomplete suggestions.
+- Return 404 on LFS request if project doesn't exist.
+- Mask sentry auth token in Error Tracking dashboard.
+- Fixes a Open Redirect issue in `InternalRedirect`.
+- Remove deploy access level when project/group link is deleted.
+- Sanitize all wiki markup formats with GitLab sanitization pipelines.
+
+
 ## 12.4.0
 
 ### Security (14 changes)

app/assets/javascripts/gl_dropdown.js

@@ -617,7 +617,7 @@ GitLabDropdown = (function() {
   GitLabDropdown.prototype.hidden = function(e) {
     var $input;
     this.resetRows();
-    this.removeArrayKeyEvent();
+    this.removeArrowKeyEvent();
     $input = this.dropdown.find('.dropdown-input-field');
     if (this.options.filterable) {
       $input.blur();
@@ -900,7 +900,7 @@ GitLabDropdown = (function() {
     );
   };
 
-  GitLabDropdown.prototype.removeArrayKeyEvent = function() {
+  GitLabDropdown.prototype.removeArrowKeyEvent = function() {
     return $('body').off('keydown');
   };
 

app/assets/javascripts/grafana_integration/components/grafana_integration.vue

+<script>
+import { GlButton, GlFormGroup, GlFormInput, GlLink } from '@gitlab/ui';
+import Icon from '~/vue_shared/components/icon.vue';
+import { mapState, mapActions } from 'vuex';
+
+export default {
+  components: {
+    GlButton,
+    GlFormGroup,
+    GlFormInput,
+    GlLink,
+    Icon,
+  },
+  data() {
+    return { placeholderUrl: 'https://my-url.grafana.net/my-dashboard' };
+  },
+  computed: {
+    ...mapState(['operationsSettingsEndpoint', 'grafanaToken', 'grafanaUrl']),
+    localGrafanaToken: {
+      get() {
+        return this.grafanaToken;
+      },
+      set(token) {
+        this.setGrafanaToken(token);
+      },
+    },
+    localGrafanaUrl: {
+      get() {
+        return this.grafanaUrl;
+      },
+      set(url) {
+        this.setGrafanaUrl(url);
+      },
+    },
+  },
+  methods: {
+    ...mapActions(['setGrafanaUrl', 'setGrafanaToken', 'updateGrafanaIntegration']),
+  },
+};
+</script>
+
+<template>
+  <section id="grafana" class="settings no-animate js-grafana-integration">
+    <div class="settings-header">
+      <h4 class="js-section-header">
+        {{ s__('GrafanaIntegration|Grafana Authentication') }}
+      </h4>
+      <gl-button class="js-settings-toggle">{{ __('Expand') }}</gl-button>
+      <p class="js-section-sub-header">
+        {{ s__('GrafanaIntegration|Embed Grafana charts in GitLab issues.') }}
+      </p>
+    </div>
+    <div class="settings-content">
+      <form>
+        <gl-form-group
+          :label="s__('GrafanaIntegration|Grafana URL')"
+          label-for="grafana-url"
+          :description="s__('GrafanaIntegration|Enter the base URL of the Grafana instance.')"
+        >
+          <gl-form-input id="grafana-url" v-model="localGrafanaUrl" :placeholder="placeholderUrl" />
+        </gl-form-group>
+        <gl-form-group :label="s__('GrafanaIntegration|API Token')" label-for="grafana-token">
+          <gl-form-input id="grafana-token" v-model="localGrafanaToken" />
+          <p class="form-text text-muted">
+            {{ s__('GrafanaIntegration|Enter the Grafana API Token.') }}
+            <a
+              href="https://grafana.com/docs/http_api/auth/#create-api-token"
+              target="_blank"
+              rel="noopener noreferrer"
+            >
+              {{ __('More information') }}
+              <icon name="external-link" class="vertical-align-middle" />
+            </a>
+          </p>
+        </gl-form-group>
+        <gl-button variant="success" @click="updateGrafanaIntegration">
+          {{ __('Save Changes') }}
+        </gl-button>
+      </form>
+    </div>
+  </section>
+</template>

app/assets/javascripts/grafana_integration/index.js

+import Vue from 'vue';
+import store from './store';
+import GrafanaIntegration from './components/grafana_integration.vue';
+
+export default () => {
+  const el = document.querySelector('.js-grafana-integration');
+
+  return new Vue({
+    el,
+    store: store(el.dataset),
+    render(createElement) {
+      return createElement(GrafanaIntegration);
+    },
+  });
+};

app/assets/javascripts/grafana_integration/store/actions.js

+import axios from '~/lib/utils/axios_utils';
+import { __ } from '~/locale';
+import createFlash from '~/flash';
+import { refreshCurrentPage } from '~/lib/utils/url_utility';
+import * as mutationTypes from './mutation_types';
+
+export const setGrafanaUrl = ({ commit }, url) => commit(mutationTypes.SET_GRAFANA_URL, url);
+
+export const setGrafanaToken = ({ commit }, token) =>
+  commit(mutationTypes.SET_GRAFANA_TOKEN, token);
+
+export const updateGrafanaIntegration = ({ state, dispatch }) =>
+  axios
+    .patch(state.operationsSettingsEndpoint, {
+      project: {
+        grafana_integration_attributes: {
+          grafana_url: state.grafanaUrl,
+          token: state.grafanaToken,
+        },
+      },
+    })
+    .then(() => dispatch('receiveGrafanaIntegrationUpdateSuccess'))
+    .catch(error => dispatch('receiveGrafanaIntegrationUpdateError', error));
+
+export const receiveGrafanaIntegrationUpdateSuccess = () => {
+  /**
+   * The operations_controller currently handles successful requests
+   * by creating a flash banner messsage to notify the user.
+   */
+  refreshCurrentPage();
+};
+
+export const receiveGrafanaIntegrationUpdateError = (_, error) => {
+  const { response } = error;
+  const message = response.data && response.data.message ? response.data.message : '';
+
+  createFlash(`${__('There was an error saving your changes.')} ${message}`, 'alert');
+};

app/assets/javascripts/grafana_integration/store/index.js

+import Vue from 'vue';
+import Vuex from 'vuex';
+import createState from './state';
+import * as actions from './actions';
+import mutations from './mutations';
+
+Vue.use(Vuex);
+
+export const createStore = initialState =>
+  new Vuex.Store({
+    state: createState(initialState),
+    actions,
+    mutations,
+  });
+
+export default createStore;

app/assets/javascripts/grafana_integration/store/mutation_types.js

+export const SET_GRAFANA_URL = 'SET_GRAFANA_URL';
+export const SET_GRAFANA_TOKEN = 'SET_GRAFANA_TOKEN';

app/assets/javascripts/grafana_integration/store/mutations.js

+import * as types from './mutation_types';
+
+export default {
+  [types.SET_GRAFANA_URL](state, url) {
+    state.grafanaUrl = url;
+  },
+  [types.SET_GRAFANA_TOKEN](state, token) {
+    state.grafanaToken = token;
+  },
+};

app/assets/javascripts/grafana_integration/store/state.js

+export default (initialState = {}) => ({
+  operationsSettingsEndpoint: initialState.operationsSettingsEndpoint,
+  grafanaToken: initialState.grafanaIntegrationToken || '',
+  grafanaUrl: initialState.grafanaIntegrationUrl || '',
+});

app/assets/javascripts/lib/graphql.js

@@ -26,7 +26,8 @@ export default (resolvers = {}, config = {}) => {
       createUploadLink(httpOptions),
       new BatchHttpLink(httpOptions),
     ),
-    cache: new InMemoryCache(config.cacheConfig),
+    cache: new InMemoryCache({ ...config.cacheConfig, freezeResults: true }),
     resolvers,
+    assumeImmutableResults: true,
   });
 };

app/assets/javascripts/lib/utils/forms.js

@@ -4,7 +4,11 @@ export const serializeFormEntries = entries =>
 export const serializeForm = form => {
   const fdata = new FormData(form);
   const entries = Array.from(fdata.keys()).map(key => {
-    const val = fdata.getAll(key);
+    let val = fdata.getAll(key);
+    // Microsoft Edge has a bug in FormData.getAll() that returns an undefined
+    // value for each form element that does not match the given key:
+    // https://github.com/jimmywarting/FormData/issues/80
+    val = val.filter(n => n);
     return { name: key, value: val.length === 1 ? val[0] : val };
   });
 

app/assets/javascripts/monitoring/components/charts/anomaly.vue

+<script>
+import { flatten, isNumber } from 'underscore';
+import { GlLineChart, GlChartSeriesLabel } from '@gitlab/ui/dist/charts';
+import { roundOffFloat } from '~/lib/utils/common_utils';
+import { hexToRgb } from '~/lib/utils/color_utils';
+import { areaOpacityValues, symbolSizes, colorValues } from '../../constants';
+import { graphDataValidatorForAnomalyValues } from '../../utils';
+import MonitorTimeSeriesChart from './time_series.vue';
+
+/**
+ * Series indexes
+ */
+const METRIC = 0;
+const UPPER = 1;
+const LOWER = 2;
+
+/**
+ * Boundary area appearance
+ */
+const AREA_COLOR = colorValues.anomalyAreaColor;
+const AREA_OPACITY = areaOpacityValues.default;
+const AREA_COLOR_RGBA = `rgba(${hexToRgb(AREA_COLOR).join(',')},${AREA_OPACITY})`;
+
+/**
+ * The anomaly component highlights when a metric shows
+ * some anomalous behavior.
+ *
+ * It shows both a metric line and a boundary band in a
+ * time series chart, the boundary band shows the normal
+ * range of values the metric should take.
+ *
+ * This component accepts 3 queries, which contain the
+ * "metric", "upper" limit and "lower" limit.
+ *
+ * The upper and lower series are "stacked areas" visually
+ * to create the boundary band, and if any "metric" value
+ * is outside this band, it is highlighted to warn users.
+ *
+ * The boundary band stack must be painted above the 0 line
+ * so the area is shown correctly. If any of the values of
+ * the data are negative, the chart data is shifted to be
+ * above 0 line.
+ *
+ * The data passed to the time series is will always be
+ * positive, but reformatted to show the original values of
+ * data.
+ *
+ */
+export default {
+  components: {
+    GlLineChart,
+    GlChartSeriesLabel,
+    MonitorTimeSeriesChart,
+  },
+  inheritAttrs: false,
+  props: {
+    graphData: {
+      type: Object,
+      required: true,
+      validator: graphDataValidatorForAnomalyValues,
+    },
+  },
+  computed: {
+    series() {
+      return this.graphData.queries.map(query => {
+        const values = query.result[0] ? query.result[0].values : [];
+        return {
+          label: query.label,
+          data: values.filter(([, value]) => !Number.isNaN(value)),
+        };
+      });
+    },
+    /**
+     * If any of the values of the data is negative, the
+     * chart data is shifted to the lowest value
+     *
+     * This offset is the lowest value.
+     */
+    yOffset() {
+      const values = flatten(this.series.map(ser => ser.data.map(([, y]) => y)));
+      const min = values.length ? Math.floor(Math.min(...values)) : 0;
+      return min < 0 ? -min : 0;
+    },
+    metricData() {
+      const originalMetricQuery = this.graphData.queries[0];
+
+      const metricQuery = { ...originalMetricQuery };
+      metricQuery.result[0].values = metricQuery.result[0].values.map(([x, y]) => [
+        x,
+        y + this.yOffset,
+      ]);
+      return {
+        ...this.graphData,
+        type: 'line-chart',
+        queries: [metricQuery],
+      };
+    },
+    metricSeriesConfig() {
+      return {
+        type: 'line',
+        symbol: 'circle',
+        symbolSize: (val, params) => {
+          if (this.isDatapointAnomaly(params.dataIndex)) {
+            return symbolSizes.anomaly;
+          }
+          // 0 causes echarts to throw an error, use small number instead
+          // see https://gitlab.com/gitlab-org/gitlab-ui/issues/423
+          return 0.001;
+        },
+        showSymbol: true,
+        itemStyle: {
+          color: params => {
+            if (this.isDatapointAnomaly(params.dataIndex)) {
+              return colorValues.anomalySymbol;
+            }
+            return colorValues.primaryColor;
+          },
+        },
+      };
+    },
+    chartOptions() {
+      const [, upperSeries, lowerSeries] = this.series;
+      const calcOffsetY = (data, offsetCallback) =>
+        data.map((value, dataIndex) => {
+          const [x, y] = value;
+          return [x, y + offsetCallback(dataIndex)];
+        });
+
+      const yAxisWithOffset = {
+        name: this.yAxisLabel,
+        axisLabel: {
+          formatter: num => roundOffFloat(num - this.yOffset, 3).toString(),
+        },
+      };
+
+      /**
+       * Boundary is rendered by 2 series: An invisible
+       * series (opacity: 0) stacked on a visible one.
+       *
+       * Order is important, lower boundary is stacked
+       * *below* the upper boundary.
+       */
+      const boundarySeries = [];
+
+      if (upperSeries.data.length && lowerSeries.data.length) {
+        // Lower boundary, plus the offset if negative values
+        boundarySeries.push(
+          this.makeBoundarySeries({
+            name: this.formatLegendLabel(lowerSeries),
+            data: calcOffsetY(lowerSeries.data, () => this.yOffset),
+          }),
+        );
+        // Upper boundary, minus the lower boundary
+        boundarySeries.push(
+          this.makeBoundarySeries({
+            name: this.formatLegendLabel(upperSeries),
+            data: calcOffsetY(upperSeries.data, i => -this.yValue(LOWER, i)),
+            areaStyle: {
+              color: AREA_COLOR,
+              opacity: AREA_OPACITY,
+            },
+          }),
+        );
+      }
+      return { yAxis: yAxisWithOffset, series: boundarySeries };
+    },
+  },
+  methods: {
+    formatLegendLabel(query) {
+      return query.label;
+    },
+    yValue(seriesIndex, dataIndex) {
+      const d = this.series[seriesIndex].data[dataIndex];
+      return d && d[1];
+    },
+    yValueFormatted(seriesIndex, dataIndex) {
+      const y = this.yValue(seriesIndex, dataIndex);
+      return isNumber(y) ? y.toFixed(3) : '';
+    },
+    isDatapointAnomaly(dataIndex) {
+      const yVal = this.yValue(METRIC, dataIndex);
+      const yUpper = this.yValue(UPPER, dataIndex);
+      const yLower = this.yValue(LOWER, dataIndex);
+      return (isNumber(yUpper) && yVal > yUpper) || (isNumber(yLower) && yVal < yLower);
+    },
+    makeBoundarySeries(series) {
+      const stackKey = 'anomaly-boundary-series-stack';
+      return {
+        type: 'line',
+        stack: stackKey,
+        lineStyle: {
+          width: 0,
+          color: AREA_COLOR_RGBA, // legend color
+        },
+        color: AREA_COLOR_RGBA, // tooltip color
+        symbol: 'none',
+        ...series,
+      };
+    },
+  },
+};
+</script>
+
+<template>
+  <monitor-time-series-chart
+    v-bind="$attrs"
+    :graph-data="metricData"
+    :option="chartOptions"
+    :series-config="metricSeriesConfig"
+  >
+    <slot></slot>
+    <template v-slot:tooltipContent="slotProps">
+      <div
+        v-for="(content, seriesIndex) in slotProps.tooltip.content"
+        :key="seriesIndex"
+        class="d-flex justify-content-between"
+      >
+        <gl-chart-series-label :color="content.color">
+          {{ content.name }}
+        </gl-chart-series-label>
+        <div class="prepend-left-32">
+          {{ yValueFormatted(seriesIndex, content.dataIndex) }}
+        </div>
+      </div>
+    </template>
+  </monitor-time-series-chart>
+</template>

app/assets/javascripts/monitoring/components/charts/time_series.vue

 <script>
 import { s__, __ } from '~/locale';
+import _ from 'underscore';
 import { GlLink, GlButton, GlTooltip, GlResizeObserverDirective } from '@gitlab/ui';
 import { GlAreaChart, GlLineChart, GlChartSeriesLabel } from '@gitlab/ui/dist/charts';
 import dateFormat from 'dateformat';
 import { roundOffFloat } from '~/lib/utils/common_utils';
 import { getSvgIconPathContent } from '~/lib/utils/icon_utils';
 import Icon from '~/vue_shared/components/icon.vue';
-import { chartHeight, graphTypes, lineTypes, symbolSizes, dateFormats } from '../../constants';
+import {
+  chartHeight,
+  graphTypes,
+  lineTypes,
+  lineWidths,
+  symbolSizes,
+  dateFormats,
+} from '../../constants';
 import { makeDataSeries } from '~/helpers/monitor_helper';
 import { graphDataValidatorForValues } from '../../utils';
 
@@ -30,6 +38,16 @@ export default {
       required: true,
       validator: graphDataValidatorForValues.bind(null, false),
     },
+    option: {
+      type: Object,
+      required: false,
+      default: () => ({}),
+    },
+    seriesConfig: {
+      type: Object,
+      required: false,
+      default: () => ({}),
+    },
     deploymentData: {
       type: Array,
       required: false,
@@ -96,29 +114,35 @@ export default {
         const lineWidth =
           appearance && appearance.line && appearance.line.width
             ? appearance.line.width
-            : undefined;
+            : lineWidths.default;
         const areaStyle = {
           opacity:
             appearance && appearance.area && typeof appearance.area.opacity === 'number'
               ? appearance.area.opacity
               : undefined,
         };
-
         const series = makeDataSeries(query.result, {
           name: this.formatLegendLabel(query),
           lineStyle: {
             type: lineType,
             width: lineWidth,
+            color: this.primaryColor,
           },
           showSymbol: false,
           areaStyle: this.graphData.type === 'area-chart' ? areaStyle : undefined,
+          ...this.seriesConfig,
         });
 
         return acc.concat(series);
       }, []);
     },
+    chartOptionSeries() {
+      return (this.option.series || []).concat(this.scatterSeries ? [this.scatterSeries] : []);
+    },
     chartOptions() {
+      const option = _.omit(this.option, 'series');
       return {
+        series: this.chartOptionSeries,
         xAxis: {
           name: __('Time'),
           type: 'time',
@@ -135,8 +159,8 @@ export default {
             formatter: num => roundOffFloat(num, 3).toString(),
           },
         },
-        series: this.scatterSeries,
         dataZoom: [this.dataZoomConfig],
+        ...option,
       };
     },
     dataZoomConfig() {
@@ -144,6 +168,14 @@ export default {
 
       return handleIcon ? { handleIcon } : {};
     },
+    /**
+     * This method returns the earliest time value in all series of a chart.
+     * Takes a chart data with data to populate a timeseries.
+     * data should be an array of data points [t, y] where t is a ISO formatted date,
+     * and is sorted by t (time).
+     * @returns {(String|null)} earliest x value from all series, or null when the
+     * chart series data is empty.
+     */
     earliestDatapoint() {
       return this.chartData.reduce((acc, series) => {
         const { data } = series;
@@ -230,10 +262,11 @@ export default {
           this.tooltip.sha = deploy.sha.substring(0, 8);
           this.tooltip.commitUrl = deploy.commitUrl;
         } else {
-          const { seriesName, color } = dataPoint;
+          const { seriesName, color, dataIndex } = dataPoint;
           const value = yVal.toFixed(3);
           this.tooltip.content.push({
             name: seriesName,
+            dataIndex,
             value,
             color,
           });
@@ -306,23 +339,27 @@ export default {
       </template>
       <template v-else>
         <template slot="tooltipTitle">
-          <div class="text-nowrap">
-            {{ tooltip.title }}
-          </div>
+          <slot name="tooltipTitle">
+            <div class="text-nowrap">
+              {{ tooltip.title }}
+            </div>
+          </slot>
         </template>
         <template slot="tooltipContent">
-          <div
-            v-for="(content, key) in tooltip.content"
-            :key="key"
-            class="d-flex justify-content-between"
-          >
-            <gl-chart-series-label :color="isMultiSeries ? content.color : ''">
-              {{ content.name }}
-            </gl-chart-series-label>
-            <div class="prepend-left-32">
-              {{ content.value }}
+          <slot name="tooltipContent" :tooltip="tooltip">
+            <div
+              v-for="(content, key) in tooltip.content"
+              :key="key"
+              class="d-flex justify-content-between"
+            >
+              <gl-chart-series-label :color="isMultiSeries ? content.color : ''">
+                {{ content.name }}
+              </gl-chart-series-label>
+              <div class="prepend-left-32">
+                {{ content.value }}
+              </div>
             </div>
-          </div>
+          </slot>
         </template>
       </template>
     </component>

app/assets/javascripts/monitoring/components/panel_type.vue

@@ -11,6 +11,7 @@ import {
 } from '@gitlab/ui';
 import Icon from '~/vue_shared/components/icon.vue';
 import MonitorTimeSeriesChart from './charts/time_series.vue';
+import MonitorAnomalyChart from './charts/anomaly.vue';
 import MonitorSingleStatChart from './charts/single_stat.vue';
 import MonitorEmptyChart from './charts/empty_chart.vue';
 import TrackEventDirective from '~/vue_shared/directives/track_event';
@@ -19,7 +20,6 @@ import { downloadCSVOptions, generateLinkToChartOptions } from '../utils';
 export default {
   components: {
     MonitorSingleStatChart,
-    MonitorTimeSeriesChart,
     MonitorEmptyChart,
     Icon,
     GlDropdown,
@@ -67,6 +67,12 @@ export default {
       const data = new Blob([this.csvText], { type: 'text/plain' });
       return window.URL.createObjectURL(data);
     },
+    monitorChartComponent() {
+      if (this.isPanelType('anomaly-chart')) {
+        return MonitorAnomalyChart;
+      }
+      return MonitorTimeSeriesChart;
+    },
   },
   methods: {
     getGraphAlerts(queries) {
@@ -93,13 +99,14 @@ export default {
     v-if="isPanelType('single-stat') && graphDataHasMetrics"
     :graph-data="graphData"
   />
-  <monitor-time-series-chart
+  <component
+    :is="monitorChartComponent"
     v-else-if="graphDataHasMetrics"
     :graph-data="graphData"
     :deployment-data="deploymentData"
     :project-path="projectPath"
     :thresholds="getGraphAlertValues(graphData.queries)"
-    group-id="monitor-area-chart"
+    group-id="panel-type-chart"
   >
     <div class="d-flex align-items-center">
       <alert-widget
@@ -141,6 +148,6 @@ export default {
         </gl-dropdown-item>
       </gl-dropdown>
     </div>
-  </monitor-time-series-chart>
+  </component>
   <monitor-empty-chart v-else :graph-title="graphData.title" />
 </template>

app/assets/javascripts/monitoring/constants.js

@@ -14,13 +14,28 @@ export const graphTypes = {
 };
 
 export const symbolSizes = {
+  anomaly: 8,
   default: 14,
 };
 
+export const areaOpacityValues = {
+  default: 0.2,
+};
+
+export const colorValues = {
+  primaryColor: '#1f78d1', // $blue-500 (see variables.scss)
+  anomalySymbol: '#db3b21',
+  anomalyAreaColor: '#1f78d1',
+};
+
 export const lineTypes = {
   default: 'solid',
 };
 
+export const lineWidths = {
+  default: 2,
+};
+
 export const timeWindows = {
   thirtyMinutes: __('30 minutes'),
   threeHours: __('3 hours'),

app/assets/javascripts/monitoring/utils.js

@@ -131,4 +131,20 @@ export const downloadCSVOptions = title => {
   return { category, action, label: 'Chart title', property: title };
 };
 
+/**
+ * This function validates the graph data contains exactly 3 queries plus
+ * value validations from graphDataValidatorForValues.
+ * @param {Object} isValues
+ * @param {Object} graphData  the graph data response from a prometheus request
+ * @returns {boolean} true if the data is valid
+ */
+export const graphDataValidatorForAnomalyValues = graphData => {
+  const anomalySeriesCount = 3; // metric, upper, lower
+  return (
+    graphData.queries &&
+    graphData.queries.length === anomalySeriesCount &&
+    graphDataValidatorForValues(false, graphData)
+  );
+};
+
 export default {};

app/assets/javascripts/pages/projects/settings/operations/show/index.js

 import mountErrorTrackingForm from '~/error_tracking_settings';
 import mountOperationSettings from '~/operation_settings';
+import mountGrafanaIntegration from '~/grafana_integration';
 import initSettingsPanels from '~/settings_panels';
 
 document.addEventListener('DOMContentLoaded', () => {
   mountErrorTrackingForm();
   mountOperationSettings();
+  if (gon.features.gfmGrafanaIntegration) {
+    mountGrafanaIntegration();
+  }
   initSettingsPanels();
 });

app/assets/javascripts/pages/projects/shared/permissions/components/settings_panel.vue

 <script>
-/* eslint-disable @gitlab/vue-i18n/no-bare-strings */
 import settingsMixin from 'ee_else_ce/pages/projects/shared/permissions/mixins/settings_pannel_mixin';
-import { __ } from '~/locale';
+import { s__ } from '~/locale';
 import projectFeatureSetting from './project_feature_setting.vue';
 import projectFeatureToggle from '~/vue_shared/components/toggle_button.vue';
 import projectSettingRow from './project_setting_row.vue';
@@ -13,7 +12,7 @@ import {
 } from '../constants';
 import { toggleHiddenClassBySelector } from '../external';
 
-const PAGE_FEATURE_ACCESS_LEVEL = __('Everyone');
+const PAGE_FEATURE_ACCESS_LEVEL = s__('ProjectSettings|Everyone');
 
 export default {
   components: {
@@ -207,7 +206,10 @@ export default {
 <template>
   <div>
     <div class="project-visibility-setting">
-      <project-setting-row :help-path="visibilityHelpPath" label="Project visibility">
+      <project-setting-row
+        :help-path="visibilityHelpPath"
+        :label="s__('ProjectSettings|Project visibility')"
+      >
         <div class="project-feature-controls">
           <div class="select-wrapper">
             <select
@@ -220,17 +222,17 @@ export default {
               <option
                 :value="visibilityOptions.PRIVATE"
                 :disabled="!visibilityAllowed(visibilityOptions.PRIVATE)"
-                >{{ __('Private') }}</option
+                >{{ s__('ProjectSettings|Private') }}</option
               >
               <option
                 :value="visibilityOptions.INTERNAL"
                 :disabled="!visibilityAllowed(visibilityOptions.INTERNAL)"
-                >{{ __('Internal') }}</option
+                >{{ s__('ProjectSettings|Internal') }}</option
               >
               <option
                 :value="visibilityOptions.PUBLIC"
                 :disabled="!visibilityAllowed(visibilityOptions.PUBLIC)"
-                >{{ __('Public') }}</option
+                >{{ s__('ProjectSettings|Public') }}</option
               >
             </select>
             <i aria-hidden="true" data-hidden="true" class="fa fa-chevron-down"></i>
@@ -243,14 +245,15 @@ export default {
             type="hidden"
             name="project[request_access_enabled]"
           />
-          <input v-model="requestAccessEnabled" type="checkbox" /> Allow users to request access
+          <input v-model="requestAccessEnabled" type="checkbox" />
+          {{ s__('ProjectSettings|Allow users to request access') }}
         </label>
       </project-setting-row>
     </div>
     <div :class="{ 'highlight-changes': highlightChangesClass }" class="project-feature-settings">
       <project-setting-row
-        label="Issues"
-        help-text="Lightweight issue tracking system for this project"
+        :label="s__('ProjectSettings|Issues')"
+        :help-text="s__('ProjectSettings|Lightweight issue tracking system for this project')"
       >
         <project-feature-setting
           v-model="issuesAccessLevel"
@@ -258,7 +261,10 @@ export default {
           name="project[project_feature_attributes][issues_access_level]"
         />
       </project-setting-row>
-      <project-setting-row label="Repository" help-text="View and edit files in this project">
+      <project-setting-row
+        :label="s__('ProjectSettings|Repository')"
+        :help-text="s__('ProjectSettings|View and edit files in this project')"
+      >
         <project-feature-setting
           v-model="repositoryAccessLevel"
           :options="featureAccessLevelOptions"
@@ -267,8 +273,8 @@ export default {
       </project-setting-row>
       <div class="project-feature-setting-group">
         <project-setting-row
-          label="Merge requests"
-          help-text="Submit changes to be merged upstream"
+          :label="s__('ProjectSettings|Merge requests')"
+          :help-text="s__('ProjectSettings|Submit changes to be merged upstream')"
         >
           <project-feature-setting
             v-model="mergeRequestsAccessLevel"
@@ -277,7 +283,10 @@ export default {
             name="project[project_feature_attributes][merge_requests_access_level]"
           />
         </project-setting-row>
-        <project-setting-row label="Pipelines" help-text="Build, test, and deploy your changes">
+        <project-setting-row
+          :label="s__('ProjectSettings|Pipelines')"
+          :help-text="s__('ProjectSettings|Build, test, and deploy your changes')"
+        >
           <project-feature-setting
             v-model="buildsAccessLevel"
             :options="repoFeatureAccessLevelOptions"
@@ -288,11 +297,17 @@ export default {
         <project-setting-row
           v-if="registryAvailable"
           :help-path="registryHelpPath"
-          label="Container registry"
-          help-text="Every project can have its own space to store its Docker images"
+          :label="s__('ProjectSettings|Container registry')"
+          :help-text="
+            s__('ProjectSettings|Every project can have its own space to store its Docker images')
+          "
         >
           <div v-if="showContainerRegistryPublicNote" class="text-muted">
-            {{ __('Note: the container registry is always visible when a project is public') }}
+            {{
+              s__(
+                'ProjectSettings|Note: the container registry is always visible when a project is public',
+              )
+            }}
           </div>
           <project-feature-toggle
             v-model="containerRegistryEnabled"
@@ -303,8 +318,10 @@ export default {
         <project-setting-row
           v-if="lfsAvailable"
           :help-path="lfsHelpPath"
-          label="Git Large File Storage"
-          help-text="Manages large files such as audio, video, and graphics files"
+          :label="s__('ProjectSettings|Git Large File Storage')"
+          :help-text="
+            s__('ProjectSettings|Manages large files such as audio, video, and graphics files')
+          "
         >
           <project-feature-toggle
             v-model="lfsEnabled"
@@ -315,8 +332,10 @@ export default {
         <project-setting-row
           v-if="packagesAvailable"
           :help-path="packagesHelpPath"
-          label="Packages"
-          help-text="Every project can have its own space to store its packages"
+          :label="s__('ProjectSettings|Packages')"
+          :help-text="
+            s__('ProjectSettings|Every project can have its own space to store its packages')
+          "
         >
           <project-feature-toggle
             v-model="packagesEnabled"
@@ -325,7 +344,10 @@ export default {
           />
         </project-setting-row>
       </div>
-      <project-setting-row label="Wiki" help-text="Pages for project documentation">
+      <project-setting-row
+        :label="s__('ProjectSettings|Wiki')"
+        :help-text="s__('ProjectSettings|Pages for project documentation')"
+      >
         <project-feature-setting
           v-model="wikiAccessLevel"
           :options="featureAccessLevelOptions"
@@ -333,8 +355,8 @@ export default {
         />
       </project-setting-row>
       <project-setting-row
-        label="Snippets"
-        help-text="Share code pastes with others out of Git repository"
+        :label="s__('ProjectSettings|Snippets')"
+        :help-text="s__('ProjectSettings|Share code pastes with others out of Git repository')"
       >
         <project-feature-setting
           v-model="snippetsAccessLevel"
@@ -346,7 +368,9 @@ export default {
         v-if="pagesAvailable && pagesAccessControlEnabled"
         :help-path="pagesHelpPath"
         :label="s__('ProjectSettings|Pages')"
-        :help-text="__('With GitLab Pages you can host your static websites on GitLab')"
+        :help-text="
+          s__('ProjectSettings|With GitLab Pages you can host your static websites on GitLab')
+        "
       >
         <project-feature-setting
           v-model="pagesAccessLevel"
@@ -358,10 +382,13 @@ export default {
     <project-setting-row v-if="canDisableEmails" class="mb-3">
       <label class="js-emails-disabled">
         <input :value="emailsDisabled" type="hidden" name="project[emails_disabled]" />
-        <input v-model="emailsDisabled" type="checkbox" /> {{ __('Disable email notifications') }}
+        <input v-model="emailsDisabled" type="checkbox" />
+        {{ s__('ProjectSettings|Disable email notifications') }}
       </label>
       <span class="form-text text-muted">{{
-        __('This setting will override user notification preferences for all project members.')
+        s__(
+          'ProjectSettings|This setting will override user notification preferences for all project members.',
+        )
       }}</span>
     </project-setting-row>
   </div>

app/assets/javascripts/pages/sessions/new/index.js

@@ -20,12 +20,17 @@ document.addEventListener('DOMContentLoaded', () => {
   // Save the URL fragment from the current window location. This will be present if the user was
   // redirected to sign-in after attempting to access a protected URL that included a fragment.
   preserveUrlFragment(window.location.hash);
+});
 
+export default function trackData() {
   if (gon.tracking_data) {
     const tab = document.querySelector(".new-session-tabs a[href='#register-pane']");
     const { category, action, ...data } = gon.tracking_data;
+
     tab.addEventListener('click', () => {
       Tracking.event(category, action, data);
     });
   }
-});
+}
+
+trackData();

app/assets/javascripts/project_find_file.js

@@ -5,6 +5,7 @@ import fuzzaldrinPlus from 'fuzzaldrin-plus';
 import axios from '~/lib/utils/axios_utils';
 import flash from '~/flash';
 import { __ } from '~/locale';
+import sanitize from 'sanitize-html';
 
 // highlight text(awefwbwgtc -> <b>a</b>wefw<b>b</b>wgt<b>c</b> )
 const highlighter = function(element, text, matches) {
@@ -74,7 +75,7 @@ export default class ProjectFindFile {
 
   findFile() {
     var result, searchText;
-    searchText = this.inputElement.val();
+    searchText = sanitize(this.inputElement.val());
     result =
       searchText.length > 0 ? fuzzaldrinPlus.filter(this.filePaths, searchText) : this.filePaths;
     return this.renderList(result, searchText);

app/assets/javascripts/repository/components/directory_download_links.vue

+<script>
+import { GlLink } from '@gitlab/ui';
+
+export default {
+  components: {
+    GlLink,
+  },
+  props: {
+    currentPath: {
+      type: String,
+      required: false,
+      default: null,
+    },
+    links: {
+      type: Array,
+      required: true,
+    },
+  },
+  computed: {
+    normalizedLinks() {
+      return this.links.map(link => ({
+        text: link.text,
+        path: `${link.path}?path=${this.currentPath}`,
+      }));
+    },
+  },
+};
+</script>
+
+<template>
+  <section class="border-top pt-1 mt-1">
+    <h5 class="m-0 dropdown-bold-header">{{ __('Download this directory') }}</h5>
+    <div class="dropdown-menu-content">
+      <div class="btn-group ml-0 w-100">
+        <gl-link
+          v-for="(link, index) in normalizedLinks"
+          :key="index"
+          :href="link.path"
+          :class="{ 'btn-primary': index === 0 }"
+          class="btn btn-xs"
+        >
+          {{ link.text }}
+        </gl-link>
+      </div>
+    </div>
+  </section>
+</template>

app/assets/javascripts/repository/components/table/row.vue

@@ -97,11 +97,13 @@ export default {
     },
   },
   methods: {
-    openRow() {
-      if (this.isFolder) {
+    openRow(e) {
+      if (e.target.tagName === 'A') return;
+
+      if (this.isFolder && !e.metaKey) {
         this.$router.push(this.routerLinkTo);
       } else {
-        visitUrl(this.url);
+        visitUrl(this.url, e.metaKey);
       }
     },
   },

app/assets/javascripts/repository/components/tree_action_link.vue

+<script>
+import { GlLink } from '@gitlab/ui';
+
+export default {
+  components: {
+    GlLink,
+  },
+  props: {
+    path: {
+      type: String,
+      required: true,
+    },
+    text: {
+      type: String,
+      required: true,
+    },
+    cssClass: {
+      type: String,
+      required: false,
+      default: null,
+    },
+  },
+};
+</script>
+
+<template>
+  <gl-link :href="path" :class="cssClass" class="btn">{{ text }}</gl-link>
+</template>

app/assets/javascripts/repository/index.js

@@ -3,9 +3,13 @@ import createRouter from './router';
 import App from './components/app.vue';
 import Breadcrumbs from './components/breadcrumbs.vue';
 import LastCommit from './components/last_commit.vue';
+import TreeActionLink from './components/tree_action_link.vue';
+import DirectoryDownloadLinks from './components/directory_download_links.vue';
 import apolloProvider from './graphql';
 import { setTitle } from './utils/title';
 import { parseBoolean } from '../lib/utils/common_utils';
+import { webIDEUrl } from '../lib/utils/url_utility';
+import { __ } from '../locale';
 
 export default function setupVueRepositoryList() {
   const el = document.getElementById('js-tree-list');
@@ -91,6 +95,66 @@ export default function setupVueRepositoryList() {
     },
   });
 
+  const treeHistoryLinkEl = document.getElementById('js-tree-history-link');
+  const { historyLink } = treeHistoryLinkEl.dataset;
+
+  // eslint-disable-next-line no-new
+  new Vue({
+    el: treeHistoryLinkEl,
+    router,
+    render(h) {
+      return h(TreeActionLink, {
+        props: {
+          path: historyLink + (this.$route.params.pathMatch || '/'),
+          text: __('History'),
+        },
+      });
+    },
+  });
+
+  const webIdeLinkEl = document.getElementById('js-tree-web-ide-link');
+
+  if (webIdeLinkEl) {
+    // eslint-disable-next-line no-new
+    new Vue({
+      el: webIdeLinkEl,
+      router,
+      render(h) {
+        return h(TreeActionLink, {
+          props: {
+            path: webIDEUrl(`/${projectPath}/edit/${ref}/-${this.$route.params.pathMatch || '/'}`),
+            text: __('Web IDE'),
+            cssClass: 'qa-web-ide-button',
+          },
+        });
+      },
+    });
+  }
+
+  const directoryDownloadLinks = document.getElementById('js-directory-downloads');
+
+  if (directoryDownloadLinks) {
+    // eslint-disable-next-line no-new
+    new Vue({
+      el: directoryDownloadLinks,
+      router,
+      render(h) {
+        const currentPath = this.$route.params.pathMatch || '/';
+
+        if (currentPath !== '/') {
+          return h(DirectoryDownloadLinks, {
+            props: {
+              currentPath: currentPath.replace(/^\//, ''),
+              links: JSON.parse(directoryDownloadLinks.dataset.links),
+            },
+          });
+        }
+
+        return null;
+      },
+    });
+  }
+
   // eslint-disable-next-line no-new
   new Vue({
     el,

app/assets/javascripts/search_autocomplete.js

-/* eslint-disable no-return-assign, one-var, no-var, consistent-return, class-methods-use-this, no-lonely-if, vars-on-top */
+/* eslint-disable no-return-assign, one-var, no-var, consistent-return, class-methods-use-this, vars-on-top */
 
 import $ from 'jquery';
 import { escape, throttle } from 'underscore';
@@ -95,7 +95,6 @@ export class SearchAutocomplete {
       this.createAutocomplete();
     }
 
-    this.saveTextLength();
     this.bindEvents();
     this.dropdownToggle.dropdown();
     this.searchInput.addClass('js-autocomplete-disabled');
@@ -107,7 +106,7 @@ export class SearchAutocomplete {
     this.onClearInputClick = this.onClearInputClick.bind(this);
     this.onSearchInputFocus = this.onSearchInputFocus.bind(this);
     this.onSearchInputKeyUp = this.onSearchInputKeyUp.bind(this);
-    this.onSearchInputKeyDown = this.onSearchInputKeyDown.bind(this);
+    this.onSearchInputChange = this.onSearchInputChange.bind(this);
     this.setScrollFade = this.setScrollFade.bind(this);
   }
   getElement(selector) {
@@ -118,10 +117,6 @@ export class SearchAutocomplete {
     return (this.originalState = this.serializeState());
   }
 
-  saveTextLength() {
-    return (this.lastTextLength = this.searchInput.val().length);
-  }
-
   createAutocomplete() {
     return this.searchInput.glDropdown({
       filterInputBlur: false,
@@ -318,12 +313,16 @@ export class SearchAutocomplete {
   }
 
   bindEvents() {
-    this.searchInput.on('keydown', this.onSearchInputKeyDown);
+    this.searchInput.on('input', this.onSearchInputChange);
     this.searchInput.on('keyup', this.onSearchInputKeyUp);
     this.searchInput.on('focus', this.onSearchInputFocus);
     this.searchInput.on('blur', this.onSearchInputBlur);
     this.clearInput.on('click', this.onClearInputClick);
     this.dropdownContent.on('scroll', throttle(this.setScrollFade, 250));
+
+    this.searchInput.on('click', e => {
+      e.stopPropagation();
+    });
   }
 
   enableAutocomplete() {
@@ -342,43 +341,19 @@ export class SearchAutocomplete {
     }
   }
 
-  // Saves last length of the entered text
-  onSearchInputKeyDown() {
-    return this.saveTextLength();
+  onSearchInputChange() {
+    this.enableAutocomplete();
   }
 
   onSearchInputKeyUp(e) {
     switch (e.keyCode) {
-      case KEYCODE.BACKSPACE:
-        // When removing the last character and no badge is present
-        if (this.lastTextLength === 1) {
-          this.disableAutocomplete();
-        }
-        // When removing any character from existin value
-        if (this.lastTextLength > 1) {
-          this.enableAutocomplete();
-        }
-        break;
       case KEYCODE.ESCAPE:
         this.restoreOriginalState();
         break;
       case KEYCODE.ENTER:
         this.disableAutocomplete();
         break;
-      case KEYCODE.UP:
-      case KEYCODE.DOWN:
-        return;
       default:
-        // Handle the case when deleting the input value other than backspace
-        // e.g. Pressing ctrl + backspace or ctrl + x
-        if (this.searchInput.val() === '') {
-          this.disableAutocomplete();
-        } else {
-          // We should display the menu only when input is not empty
-          if (e.keyCode !== KEYCODE.ENTER) {
-            this.enableAutocomplete();
-          }
-        }
     }
     this.wrap.toggleClass('has-value', Boolean(e.target.value));
   }
@@ -434,7 +409,7 @@ export class SearchAutocomplete {
   disableAutocomplete() {
     if (!this.searchInput.hasClass('js-autocomplete-disabled') && this.dropdown.hasClass('show')) {
       this.searchInput.addClass('js-autocomplete-disabled');
-      this.dropdown.removeClass('show').trigger('hidden.bs.dropdown');
+      this.dropdown.dropdown('toggle');
       this.restoreMenu();
     }
   }

app/assets/stylesheets/pages/experimental_separate_sign_up.scss

@@ -23,6 +23,7 @@
 
   .signup-heading h2 {
     font-weight: $gl-font-weight-bold;
+    padding: 0 10px;
 
     @include media-breakpoint-down(md) {
       font-size: $gl-font-size-large;

app/controllers/application_controller.rb

@@ -17,7 +17,7 @@ class ApplicationController < ActionController::Base
   include Gitlab::Tracking::ControllerConcern
   include Gitlab::Experimentation::ControllerConcern
 
-  before_action :authenticate_user!
+  before_action :authenticate_user!, except: [:route_not_found]
   before_action :enforce_terms!, if: :should_enforce_terms?
   before_action :validate_user_service_ticket!
   before_action :check_password_expiration
@@ -98,7 +98,9 @@ class ApplicationController < ActionController::Base
     if current_user
       not_found
     else
-      authenticate_user!
+      store_location_for(:user, request.fullpath) unless request.xhr?
+
+      redirect_to new_user_session_path, alert: I18n.t('devise.failure.unauthenticated')
     end
   end
 

app/controllers/boards/issues_controller.rb

@@ -13,7 +13,7 @@ module Boards
 
     requires_cross_project_access if: -> { board&.group_board? }
 
-    before_action :whitelist_query_limiting, only: [:index, :update, :bulk_move]
+    before_action :whitelist_query_limiting, only: [:bulk_move]
     before_action :authorize_read_issue, only: [:index]
     before_action :authorize_create_issue, only: [:create]
     before_action :authorize_update_issue, only: [:update]
@@ -130,8 +130,7 @@ module Boards
     end
 
     def whitelist_query_limiting
-      # Also see https://gitlab.com/gitlab-org/gitlab-foss/issues/42439
-      Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab-foss/issues/42428')
+      Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab/issues/35174')
     end
 
     def validate_id_list

app/controllers/concerns/internal_redirect.rb

@@ -6,7 +6,7 @@ module InternalRedirect
   def safe_redirect_path(path)
     return unless path
     # Verify that the string starts with a `/` and a known route character.
-    return unless path =~ %r{^/[-\w].*$}
+    return unless path =~ %r{\A/[-\w].*\z}
 
     uri = URI(path)
     # Ignore anything path of the redirect except for the path, querystring and,

app/controllers/concerns/lfs_request.rb

@@ -34,6 +34,7 @@ module LfsRequest
   end
 
   def lfs_check_access!
+    return render_lfs_not_found unless project
     return if download_request? && lfs_download_access?
     return if upload_request? && lfs_upload_access?
 

app/controllers/groups/group_links_controller.rb

+# frozen_string_literal: true
+
+class Groups::GroupLinksController < Groups::ApplicationController
+  before_action :check_feature_flag!
+  before_action :authorize_admin_group!
+
+  def create
+    shared_with_group = Group.find(params[:shared_with_group_id]) if params[:shared_with_group_id].present?
+
+    if shared_with_group
+      result = Groups::GroupLinks::CreateService
+                 .new(shared_with_group, current_user, group_link_create_params)
+                 .execute(group)
+
+      return render_404 if result[:http_status] == 404
+
+      flash[:alert] = result[:message] if result[:status] == :error
+    else
+      flash[:alert] = _('Please select a group.')
+    end
+
+    redirect_to group_group_members_path(group)
+  end
+
+  private
+
+  def group_link_create_params
+    params.permit(:shared_group_access, :expires_at)
+  end
+
+  def check_feature_flag!
+    render_404 unless Feature.enabled?(:share_group_with_group)
+  end
+end

app/finders/labels_finder.rb

@@ -51,7 +51,7 @@ class LabelsFinder < UnionFinder
       end
 
       label_ids << Label.where(group_id: projects.group_ids)
-      label_ids << Label.where(project_id: projects.select(:id)) unless only_group_labels?
+      label_ids << Label.where(project_id: ids_user_can_read_labels(projects)) unless only_group_labels?
     end
 
     label_ids
@@ -188,4 +188,10 @@ class LabelsFinder < UnionFinder
       groups.select { |group| authorized_to_read_labels?(group) }
     end
   end
+
+  # rubocop: disable CodeReuse/ActiveRecord
+  def ids_user_can_read_labels(projects)
+    Project.where(id: projects.select(:id)).ids_with_issuables_available_for(current_user)
+  end
+  # rubocop: enable CodeReuse/ActiveRecord
 end

app/graphql/gitlab_schema.rb

@@ -18,15 +18,15 @@ class GitlabSchema < GraphQL::Schema
   use Gitlab::Graphql::GenericTracing
 
   query_analyzer Gitlab::Graphql::QueryAnalyzers::LoggerAnalyzer.new
-
-  query(Types::QueryType)
-
-  default_max_page_size 100
+  query_analyzer Gitlab::Graphql::QueryAnalyzers::RecursionAnalyzer.new
 
   max_complexity DEFAULT_MAX_COMPLEXITY
   max_depth DEFAULT_MAX_DEPTH
 
-  mutation(Types::MutationType)
+  query Types::QueryType
+  mutation Types::MutationType
+
+  default_max_page_size 100
 
   class << self
     def multiplex(queries, **kwargs)

app/graphql/types/todo_target_enum.rb

@@ -2,8 +2,10 @@
 
 module Types
   class TodoTargetEnum < BaseEnum
-    value 'Issue'
-    value 'MergeRequest'
-    value 'Epic'
+    value 'COMMIT', value: 'Commit', description: 'A Commit'
+    value 'ISSUE', value: 'Issue', description: 'An Issue'
+    value 'MERGEREQUEST', value: 'MergeRequest', description: 'A MergeRequest'
   end
 end
+
+Types::TodoTargetEnum.prepend_if_ee('::EE::Types::TodoTargetEnum')

app/graphql/types/todo_type.rb

@@ -40,7 +40,8 @@ module Types
 
     field :body, GraphQL::STRING_TYPE,
           description: 'Body of the todo',
-          null: false
+          null: false,
+          calls_gitaly: true # TODO This is only true when `target_type` is `Commit`. See https://gitlab.com/gitlab-org/gitlab/issues/34757#note_234752665
 
     field :state, Types::TodoStateEnum,
           description: 'State of the todo',

app/helpers/markup_helper.rb

@@ -133,15 +133,7 @@ module MarkupHelper
       issuable_state_filter_enabled: true
     )
 
-    html =
-      case wiki_page.format
-      when :markdown
-        markdown_unsafe(text, context)
-      when :asciidoc
-        asciidoc_unsafe(text)
-      else
-        wiki_page.formatted_content.html_safe
-      end
+    html = markup_unsafe(wiki_page.path, text, context)
 
     prepare_for_rendering(html, context)
   end

app/helpers/tree_helper.rb

@@ -195,6 +195,17 @@ module TreeHelper
       full_name: project.name_with_namespace
     }
   end
+
+  def directory_download_links(project, ref, archive_prefix)
+    formats = ['zip', 'tar.gz', 'tar.bz2', 'tar']
+
+    formats.map do |fmt|
+      {
+        text: fmt,
+        path: project_archive_path(project, id: tree_join(ref, archive_prefix), format: fmt)
+      }
+    end
+  end
 end
 
 TreeHelper.prepend_if_ee('::EE::TreeHelper')

app/models/ci/build.rb

@@ -35,6 +35,10 @@ module Ci
       refspecs: -> (build) { build.merge_request_ref? }
     }.freeze
 
+    DEFAULT_RETRIES = {
+      scheduler_failure: 2
+    }.freeze
+
     has_one :deployment, as: :deployable, class_name: 'Deployment'
     has_many :trace_sections, class_name: 'Ci::BuildTraceSection'
     has_many :trace_chunks, class_name: 'Ci::BuildTraceChunk', foreign_key: :build_id
@@ -372,18 +376,25 @@ module Ci
       pipeline.builds.retried.where(name: self.name).count
     end
 
-    def retries_max
-      normalized_retry.fetch(:max, 0)
+    def retry_failure?
+      max_allowed_retries = nil
+      max_allowed_retries ||= options_retry_max if retry_on_reason_or_always?
+      max_allowed_retries ||= DEFAULT_RETRIES.fetch(failure_reason.to_sym, 0)
+
+      max_allowed_retries > 0 && retries_count < max_allowed_retries
     end
 
-    def retry_when
-      normalized_retry.fetch(:when, ['always'])
+    def options_retry_max
+      options_retry[:max]
     end
 
-    def retry_failure?
-      return false if retries_max.zero? || retries_count >= retries_max
+    def options_retry_when
+      options_retry.fetch(:when, ['always'])
+    end
 
-      retry_when.include?('always') || retry_when.include?(failure_reason.to_s)
+    def retry_on_reason_or_always?
+      options_retry_when.include?(failure_reason.to_s) ||
+        options_retry_when.include?('always')
     end
 
     def latest?
@@ -831,6 +842,13 @@ module Ci
       :creating
     end
 
+    # Consider this object to have a structural integrity problems
+    def doom!
+      update_columns(
+        status: :failed,
+        failure_reason: :data_integrity_failure)
+    end
+
     private
 
     def successful_deployment_status
@@ -875,8 +893,8 @@ module Ci
     # format, but builds created before GitLab 11.5 and saved in database still
     # have the old integer only format. This method returns the retry option
     # normalized as a hash in 11.5+ format.
-    def normalized_retry
-      strong_memoize(:normalized_retry) do
+    def options_retry
+      strong_memoize(:options_retry) do
         value = options&.dig(:retry)
         value = value.is_a?(Integer) ? { max: value } : value.to_h
         value.with_indifferent_access

app/models/commit_status_enums.rb

@@ -15,7 +15,9 @@ module CommitStatusEnums
       stale_schedule: 7,
       job_execution_timeout: 8,
       archived_failure: 9,
-      unmet_prerequisites: 10
+      unmet_prerequisites: 10,
+      scheduler_failure: 11,
+      data_integrity_failure: 12
     }
   end
 end

app/models/concerns/mentionable/reference_regexes.rb

@@ -13,7 +13,9 @@ module Mentionable
     def self.other_patterns
       [
         Commit.reference_pattern,
-        MergeRequest.reference_pattern
+        MergeRequest.reference_pattern,
+        Label.reference_pattern,
+        Milestone.reference_pattern
       ]
     end
 

app/models/concerns/worker_attributes.rb

@@ -3,6 +3,10 @@
 module WorkerAttributes
   extend ActiveSupport::Concern
 
+  # Resource boundaries that workers can declare through the
+  # `worker_resource_boundary` attribute
+  VALID_RESOURCE_BOUNDARIES = [:memory, :cpu, :unknown].freeze
+
   class_methods do
     def feature_category(value)
       raise "Invalid category. Use `feature_category_not_owned!` to mark a worker as not owned" if value == :not_owned
@@ -24,6 +28,48 @@ module WorkerAttributes
       get_worker_attribute(:feature_category) == :not_owned
     end
 
+    # This should be set for jobs that need to be run immediately, or, if
+    # they are delayed, risk creating inconsistencies in the application
+    # that could being perceived by the user as incorrect behavior
+    # (ie, a bug)
+    # See doc/development/sidekiq_style_guide.md#Latency-Sensitive-Jobs
+    # for details
+    def latency_sensitive_worker!
+      worker_attributes[:latency_sensitive] = true
+    end
+
+    # Returns a truthy value if the worker is latency sensitive.
+    # See doc/development/sidekiq_style_guide.md#Latency-Sensitive-Jobs
+    # for details
+    def latency_sensitive_worker?
+      worker_attributes[:latency_sensitive]
+    end
+
+    # Set this attribute on a job when it will call to services outside of the
+    # application, such as 3rd party applications, other k8s clusters etc See
+    # doc/development/sidekiq_style_guide.md#Jobs-with-External-Dependencies for
+    # details
+    def worker_has_external_dependencies!
+      worker_attributes[:external_dependencies] = true
+    end
+
+    # Returns a truthy value if the worker has external dependencies.
+    # See doc/development/sidekiq_style_guide.md#Jobs-with-External-Dependencies
+    # for details
+    def worker_has_external_dependencies?
+      worker_attributes[:external_dependencies]
+    end
+
+    def worker_resource_boundary(boundary)
+      raise "Invalid boundary" unless VALID_RESOURCE_BOUNDARIES.include? boundary
+
+      worker_attributes[:resource_boundary] = boundary
+    end
+
+    def get_worker_resource_boundary
+      worker_attributes[:resource_boundary] || :unknown
+    end
+
     protected
 
     # Returns a worker attribute declared on this class or its parent class.

app/models/discussion.rb

@@ -16,6 +16,7 @@ class Discussion
             :commit_id,
             :for_commit?,
             :for_merge_request?,
+            :noteable_ability_name,
             :to_ability_name,
             :editable?,
             :visible_for?,

app/models/group.rb

@@ -30,6 +30,10 @@ class Group < Namespace
   has_many :members_and_requesters, as: :source, class_name: 'GroupMember'
 
   has_many :milestones
+  has_many :shared_group_links, foreign_key: :shared_with_group_id, class_name: 'GroupGroupLink'
+  has_many :shared_with_group_links, foreign_key: :shared_group_id, class_name: 'GroupGroupLink'
+  has_many :shared_groups, through: :shared_group_links, source: :shared_group
+  has_many :shared_with_groups, through: :shared_with_group_links, source: :shared_with_group
   has_many :project_group_links, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
   has_many :shared_projects, through: :project_group_links, source: :project
 
@@ -376,11 +380,12 @@ class Group < Namespace
 
     return GroupMember::OWNER if user.admin?
 
-    members_with_parents
-      .where(user_id: user)
-      .reorder(access_level: :desc)
-      .first&.
-      access_level || GroupMember::NO_ACCESS
+    max_member_access = members_with_parents.where(user_id: user)
+                                            .reorder(access_level: :desc)
+                                            .first
+                                            &.access_level
+
+    max_member_access || max_member_access_for_user_from_shared_groups(user) || GroupMember::NO_ACCESS
   end
 
   def mattermost_team_params
@@ -474,6 +479,26 @@ class Group < Namespace
     errors.add(:visibility_level, "#{visibility} is not allowed since there are sub-groups with higher visibility.")
   end
 
+  def max_member_access_for_user_from_shared_groups(user)
+    return unless Feature.enabled?(:share_group_with_group)
+
+    group_group_link_table = GroupGroupLink.arel_table
+    group_member_table = GroupMember.arel_table
+
+    group_group_links_query = GroupGroupLink.where(shared_group_id: self_and_ancestors_ids)
+    cte = Gitlab::SQL::CTE.new(:group_group_links_cte, group_group_links_query)
+
+    link = GroupGroupLink
+             .with(cte.to_arel)
+             .from([group_member_table, cte.alias_to(group_group_link_table)])
+             .where(group_member_table[:user_id].eq(user.id))
+             .where(group_member_table[:source_id].eq(group_group_link_table[:shared_with_group_id]))
+             .reorder(Arel::Nodes::Descending.new(group_group_link_table[:group_access]))
+             .first
+
+    link&.group_access
+  end
+
   def self.groups_including_descendants_by(group_ids)
     Gitlab::ObjectHierarchy
       .new(Group.where(id: group_ids))

app/models/group_group_link.rb

+# frozen_string_literal: true
+
+class GroupGroupLink < ApplicationRecord
+  include Expirable
+
+  belongs_to :shared_group, class_name: 'Group', foreign_key: :shared_group_id
+  belongs_to :shared_with_group, class_name: 'Group', foreign_key: :shared_with_group_id
+
+  validates :shared_group, presence: true
+  validates :shared_group_id, uniqueness: { scope: [:shared_with_group_id],
+                                            message: _('The group has already been shared with this group') }
+  validates :shared_with_group, presence: true
+  validates :group_access, inclusion: { in: Gitlab::Access.values },
+                           presence: true
+
+  def self.access_options
+    Gitlab::Access.options
+  end
+
+  def self.default_access
+    Gitlab::Access::DEVELOPER
+  end
+end

app/models/member.rb

@@ -8,6 +8,7 @@ class Member < ApplicationRecord
   include Gitlab::Access
   include Presentable
   include Gitlab::Utils::StrongMemoize
+  include FromUnion
 
   attr_accessor :raw_invite_token
 

app/models/merge_request.rb

@@ -69,6 +69,14 @@ class MergeRequest < ApplicationRecord
   has_many :merge_request_assignees
   has_many :assignees, class_name: "User", through: :merge_request_assignees
 
+  KNOWN_MERGE_PARAMS = [
+    :auto_merge_strategy,
+    :should_remove_source_branch,
+    :force_remove_source_branch,
+    :commit_message,
+    :squash_commit_message,
+    :sha
+  ].freeze
   serialize :merge_params, Hash # rubocop:disable Cop/ActiveRecordSerialize
 
   after_create :ensure_merge_request_diff

app/models/milestone.rb

@@ -261,6 +261,10 @@ class Milestone < ApplicationRecord
     group || project
   end
 
+  def to_ability_name
+    model_name.singular
+  end
+
   def group_milestone?
     group_id.present?
   end

app/models/note.rb

@@ -361,6 +361,10 @@ class Note < ApplicationRecord
   end
 
   def to_ability_name
+    model_name.singular
+  end
+
+  def noteable_ability_name
     for_snippet? ? noteable.class.name.underscore : noteable_type.demodulize.underscore
   end
 

app/models/project.rb

@@ -614,11 +614,11 @@ class Project < ApplicationRecord
       joins(:namespace).where(namespaces: { type: 'Group' }).select(:namespace_id)
     end
 
-    # Returns ids of projects with milestones available for given user
+    # Returns ids of projects with issuables available for given user
     #
-    # Used on queries to find milestones which user can see
-    # For example: Milestone.where(project_id: ids_with_milestone_available_for(user))
-    def ids_with_milestone_available_for(user)
+    # Used on queries to find milestones or labels which user can see
+    # For example: Milestone.where(project_id: ids_with_issuables_available_for(user))
+    def ids_with_issuables_available_for(user)
       with_issues_enabled = with_issues_available_for_user(user).select(:id)
       with_merge_requests_enabled = with_merge_requests_available_for_user(user).select(:id)
 
@@ -1265,6 +1265,10 @@ class Project < ApplicationRecord
     end
   end
 
+  def to_ability_name
+    model_name.singular
+  end
+
   # rubocop: disable CodeReuse/ServiceClass
   def execute_hooks(data, hooks_scope = :push_hooks)
     run_after_commit_or_now do

app/models/system_note_metadata.rb

@@ -10,6 +10,7 @@ class SystemNoteMetadata < ApplicationRecord
     commit cross_reference
     close duplicate
     moved merge
+    label milestone
   ].freeze
 
   ICON_TYPES = %w[

app/models/wiki_page.rb

@@ -121,6 +121,12 @@ class WikiPage
     @version ||= @page.version
   end
 
+  def path
+    return unless persisted?
+
+    @path ||= @page.path
+  end
+
   def versions(options = {})
     return [] unless persisted?
 

app/policies/commit_policy.rb

@@ -4,4 +4,5 @@ class CommitPolicy < BasePolicy
   delegate { @subject.project }
 
   rule { can?(:download_code) }.enable :read_commit
+  rule { ~can?(:read_commit) }.prevent :create_note
 end

app/policies/group_policy.rb

@@ -131,6 +131,8 @@ class GroupPolicy < BasePolicy
 
   rule { owner | admin }.enable :read_statistics
 
+  rule { maintainer & can?(:create_projects) }.enable :transfer_projects
+
   def access_level
     return GroupMember::NO_ACCESS if @user.nil?
 

app/policies/namespace_policy.rb

@@ -15,6 +15,8 @@ class NamespacePolicy < BasePolicy
   end
 
   rule { personal_project & ~can_create_personal_project }.prevent :create_projects
+
+  rule { (owner | admin) & can?(:create_projects) }.enable :transfer_projects
 end
 
 NamespacePolicy.prepend_if_ee('EE::NamespacePolicy')

app/policies/note_policy.rb

@@ -9,7 +9,7 @@ class NotePolicy < BasePolicy
 
   condition(:editable, scope: :subject) { @subject.editable? }
 
-  condition(:can_read_noteable) { can?(:"read_#{@subject.to_ability_name}") }
+  condition(:can_read_noteable) { can?(:"read_#{@subject.noteable_ability_name}") }
 
   condition(:is_visible) { @subject.visible_for?(@user) }
 

app/presenters/commit_status_presenter.rb

@@ -11,7 +11,9 @@ class CommitStatusPresenter < Gitlab::View::Presenter::Delegated
     stale_schedule: 'Delayed job could not be executed by some reason, please try again',
     job_execution_timeout: 'The script exceeded the maximum execution time set for the job',
     archived_failure: 'The job is archived and cannot be run',
-    unmet_prerequisites: 'The job failed to complete prerequisite tasks'
+    unmet_prerequisites: 'The job failed to complete prerequisite tasks',
+    scheduler_failure: 'The scheduler failed to assign job to the runner, please try again or contact system administrator',
+    data_integrity_failure: 'There has been a structural integrity problem detected, please contact system administrator'
   }.freeze
 
   private_constant :CALLOUT_FAILURE_MESSAGES
@@ -33,6 +35,6 @@ class CommitStatusPresenter < Gitlab::View::Presenter::Delegated
   end
 
   def unrecoverable?
-    script_failure? || missing_dependency_failure? || archived_failure?
+    script_failure? || missing_dependency_failure? || archived_failure? || scheduler_failure? || data_integrity_failure?
   end
 end

app/serializers/issue_board_entity.rb

@@ -2,7 +2,6 @@
 
 class IssueBoardEntity < Grape::Entity
   include RequestAwareEntity
-  include TimeTrackableEntity
 
   expose :id
   expose :iid

app/services/auto_merge/base_service.rb

@@ -3,12 +3,13 @@
 module AutoMerge
   class BaseService < ::BaseService
     include Gitlab::Utils::StrongMemoize
+    include MergeRequests::AssignsMergeParams
 
     def execute(merge_request)
-      merge_request.merge_params.merge!(params)
+      assign_allowed_merge_params(merge_request, params.merge(auto_merge_strategy: strategy))
+
       merge_request.auto_merge_enabled = true
       merge_request.merge_user = current_user
-      merge_request.auto_merge_strategy = strategy
 
       return :failed unless merge_request.save
 
@@ -21,7 +22,7 @@ module AutoMerge
     end
 
     def update(merge_request)
-      merge_request.merge_params.merge!(params)
+      assign_allowed_merge_params(merge_request, params.merge(auto_merge_strategy: strategy))
 
       return :failed unless merge_request.save
 

app/services/ci/register_job_service.rb

@@ -42,26 +42,16 @@ module Ci
       end
 
       builds.each do |build|
-        next unless runner.can_pick?(build)
-
-        begin
-          # In case when 2 runners try to assign the same build, second runner will be declined
-          # with StateMachines::InvalidTransition or StaleObjectError when doing run! or save method.
-          if assign_runner!(build, params)
-            register_success(build)
-
-            return Result.new(build, true)
-          end
-        rescue StateMachines::InvalidTransition, ActiveRecord::StaleObjectError
-          # We are looping to find another build that is not conflicting
-          # It also indicates that this build can be picked and passed to runner.
-          # If we don't do it, basically a bunch of runners would be competing for a build
-          # and thus we will generate a lot of 409. This will increase
-          # the number of generated requests, also will reduce significantly
-          # how many builds can be picked by runner in a unit of time.
-          # In case we hit the concurrency-access lock,
-          # we still have to return 409 in the end,
-          # to make sure that this is properly handled by runner.
+        result = process_build(build, params)
+        next unless result
+
+        if result.valid?
+          register_success(result.build)
+
+          return result
+        else
+          # The usage of valid: is described in
+          # handling of ActiveRecord::StaleObjectError
           valid = false
         end
       end
@@ -73,6 +63,35 @@ module Ci
 
     private
 
+    def process_build(build, params)
+      return unless runner.can_pick?(build)
+
+      # In case when 2 runners try to assign the same build, second runner will be declined
+      # with StateMachines::InvalidTransition or StaleObjectError when doing run! or save method.
+      if assign_runner!(build, params)
+        Result.new(build, true)
+      end
+    rescue StateMachines::InvalidTransition, ActiveRecord::StaleObjectError
+      # We are looping to find another build that is not conflicting
+      # It also indicates that this build can be picked and passed to runner.
+      # If we don't do it, basically a bunch of runners would be competing for a build
+      # and thus we will generate a lot of 409. This will increase
+      # the number of generated requests, also will reduce significantly
+      # how many builds can be picked by runner in a unit of time.
+      # In case we hit the concurrency-access lock,
+      # we still have to return 409 in the end,
+      # to make sure that this is properly handled by runner.
+      Result.new(nil, false)
+    rescue => ex
+      raise ex unless Feature.enabled?(:ci_doom_build, default_enabled: true)
+
+      scheduler_failure!(build)
+      track_exception_for_build(ex, build)
+
+      # skip, and move to next one
+      nil
+    end
+
     def assign_runner!(build, params)
       build.runner_id = runner.id
       build.runner_session_attributes = params[:session] if params[:session].present?
@@ -96,6 +115,28 @@ module Ci
       true
     end
 
+    def scheduler_failure!(build)
+      Gitlab::OptimisticLocking.retry_lock(build, 3) do |subject|
+        subject.drop!(:scheduler_failure)
+      end
+    rescue => ex
+      build.doom!
+
+      # This requires extra exception, otherwise we would loose information
+      # why we cannot perform `scheduler_failure`
+      track_exception_for_build(ex, build)
+    end
+
+    def track_exception_for_build(ex, build)
+      Gitlab::Sentry.track_acceptable_exception(ex, extra: {
+        build_id: build.id,
+        build_name: build.name,
+        build_stage: build.stage,
+        pipeline_id: build.pipeline_id,
+        project_id: build.project_id
+      })
+    end
+
     # rubocop: disable CodeReuse/ActiveRecord
     def builds_for_shared_runner
       new_builds.

app/services/clusters/update_service.rb

@@ -23,7 +23,7 @@ module Clusters
     end
 
     def validate_params(cluster)
-      if params[:management_project_id]
+      if params[:management_project_id].present?
         management_project = management_project_scope(cluster).find_by_id(params[:management_project_id])
 
         unless management_project

app/services/concerns/merge_requests/assigns_merge_params.rb

+# frozen_string_literal: true
+
+module MergeRequests
+  module AssignsMergeParams
+    def self.included(klass)
+      raise "#{self} can not be included in #{klass} without implementing #current_user" unless klass.method_defined?(:current_user)
+    end
+
+    def assign_allowed_merge_params(merge_request, merge_params)
+      known_merge_params = merge_params.to_h.with_indifferent_access.slice(*MergeRequest::KNOWN_MERGE_PARAMS)
+
+      # Not checking `MergeRequest#can_remove_source_branch` as that includes
+      # other checks that aren't needed here.
+      known_merge_params.delete(:force_remove_source_branch) unless current_user.can?(:push_code, merge_request.source_project)
+
+      merge_request.merge_params.merge!(known_merge_params)
+
+      # Delete the known params now that they're assigned, so we don't try to
+      # assign them through an `#assign_attributes` later.
+      # They could be coming in as strings or symbols
+      merge_params.to_h.with_indifferent_access.except!(*MergeRequest::KNOWN_MERGE_PARAMS)
+    end
+  end
+end

app/services/error_tracking/list_projects_service.rb

@@ -32,7 +32,7 @@ module ErrorTracking
           project_slug: 'proj'
         )
 
-        setting.token = params[:token]
+        setting.token = token(setting)
         setting.enabled = true
       end
     end
@@ -40,5 +40,12 @@ module ErrorTracking
     def can_read?
       can?(current_user, :read_sentry_issue, project)
     end
+
+    def token(setting)
+      # Use param token if not masked, otherwise use database token
+      return params[:token] unless /\A\*+\z/.match?(params[:token])
+
+      setting.token
+    end
   end
 end

app/services/groups/group_links/create_service.rb

+# frozen_string_literal: true
+
+module Groups
+  module GroupLinks
+    class CreateService < BaseService
+      def execute(shared_group)
+        unless group && shared_group &&
+               can?(current_user, :admin_group, shared_group) &&
+               can?(current_user, :read_group, group)
+          return error('Not Found', 404)
+        end
+
+        link = GroupGroupLink.new(
+          shared_group: shared_group,
+          shared_with_group: group,
+          group_access: params[:shared_group_access],
+          expires_at: params[:expires_at]
+        )
+
+        if link.save
+          group.refresh_members_authorized_projects
+          success(link: link)
+        else
+          error(link.errors.full_messages.to_sentence, 409)
+        end
+      end
+    end
+  end
+end

app/services/merge_requests/base_service.rb

@@ -2,6 +2,8 @@
 
 module MergeRequests
   class BaseService < ::IssuableBaseService
+    include MergeRequests::AssignsMergeParams
+
     def create_note(merge_request, state = merge_request.state)
       SystemNoteService.change_status(merge_request, merge_request.target_project, current_user, state, nil)
     end
@@ -29,6 +31,18 @@ module MergeRequests
 
     private
 
+    def create(merge_request)
+      self.params = assign_allowed_merge_params(merge_request, params)
+
+      super
+    end
+
+    def update(merge_request)
+      self.params = assign_allowed_merge_params(merge_request, params)
+
+      super
+    end
+
     def handle_wip_event(merge_request)
       if wip_event = params.delete(:wip_event)
         # We update the title that is provided in the params or we use the mr title

app/services/merge_requests/build_service.rb

@@ -24,6 +24,8 @@ module MergeRequests
           merge_request.source_project.remove_source_branch_after_merge?
         end
 
+      self.params = assign_allowed_merge_params(merge_request, params)
+
       filter_params(merge_request)
 
       # merge_request.assign_attributes(...) below is a Rails

app/services/merge_requests/create_service.rb

@@ -9,7 +9,6 @@ module MergeRequests
       merge_request.target_project = @project
       merge_request.source_project = @source_project
       merge_request.source_branch = params[:source_branch]
-      merge_request.merge_params['force_remove_source_branch'] = params.delete(:force_remove_source_branch)
 
       create(merge_request)
     end

app/services/merge_requests/update_service.rb

@@ -16,10 +16,6 @@ module MergeRequests
         params.delete(:force_remove_source_branch)
       end
 
-      if params.has_key?(:force_remove_source_branch)
-        merge_request.merge_params['force_remove_source_branch'] = params.delete(:force_remove_source_branch)
-      end
-
       handle_wip_event(merge_request)
       update_task_event(merge_request) || update(merge_request)
     end

app/services/notification_service.rb

@@ -281,7 +281,7 @@ class NotificationService
   end
 
   def send_new_note_notifications(note)
-    notify_method = "note_#{note.to_ability_name}_email".to_sym
+    notify_method = "note_#{note.noteable_ability_name}_email".to_sym
 
     recipients = NotificationRecipientService.build_new_note_recipients(note)
     recipients.each do |recipient|

app/services/projects/operations/update_service.rb

@@ -36,15 +36,17 @@ module Projects
           organization_slug: settings.dig(:project, :organization_slug)
         )
 
-        {
+        params = {
           error_tracking_setting_attributes: {
             api_url: api_url,
-            token: settings[:token],
             enabled: settings[:enabled],
             project_name: settings.dig(:project, :name),
             organization_name: settings.dig(:project, :organization_name)
           }
         }
+        params[:error_tracking_setting_attributes][:token] = settings[:token] unless /\A\*+\z/.match?(settings[:token]) # Don't update token if we receive masked value
+
+        params
       end
 
       def grafana_integration_params

app/services/projects/participants_service.rb

@@ -7,16 +7,69 @@ module Projects
     def execute(noteable)
       @noteable = noteable
 
-      participants = noteable_owner + participants_in_noteable + all_members + groups + project_members
+      participants =
+        noteable_owner +
+        participants_in_noteable +
+        all_members +
+        groups +
+        project_members
+
       participants.uniq
     end
 
     def project_members
-      @project_members ||= sorted(project.team.members)
+      @project_members ||= sorted(get_project_members)
+    end
+
+    def get_project_members
+      members = Member.from_union([project_members_through_ancestral_groups,
+                                   project_members_through_invited_groups,
+                                   individual_project_members])
+
+      User.id_in(members.select(:user_id))
     end
 
     def all_members
       [{ username: "all", name: "All Project and Group Members", count: project_members.count }]
     end
+
+    private
+
+    def project_members_through_invited_groups
+      groups_with_ancestors_ids = Gitlab::ObjectHierarchy
+        .new(visible_groups)
+        .base_and_ancestors
+        .pluck_primary_key
+
+      GroupMember
+        .active_without_invites_and_requests
+        .with_source_id(groups_with_ancestors_ids)
+    end
+
+    def visible_groups
+      visible_groups = project.invited_groups
+
+      unless project_owner?
+        visible_groups = visible_groups.public_or_visible_to_user(current_user)
+      end
+
+      visible_groups
+    end
+
+    def project_members_through_ancestral_groups
+      project.group.present? ? project.group.members_with_parents : Member.none
+    end
+
+    def individual_project_members
+      project.project_members
+    end
+
+    def project_owner?
+      if project.group.present?
+        project.group.owners.include?(current_user)
+      else
+        project.namespace.owner == current_user
+      end
+    end
   end
 end

app/services/projects/transfer_service.rb

@@ -98,7 +98,7 @@ module Projects
       @new_namespace &&
         can?(current_user, :change_namespace, project) &&
         @new_namespace.id != project.namespace_id &&
-        current_user.can?(:create_projects, @new_namespace)
+        current_user.can?(:transfer_projects, @new_namespace)
     end
 
     def update_namespace_and_visibility(to_namespace)

app/views/ci/variables/_header.html.haml

@@ -7,5 +7,5 @@
 %button.btn.btn-default.js-settings-toggle{ type: 'button' }
   = expanded ? _('Collapse') : _('Expand')
 
-%p.append-bottom-0
+%p
   = render "ci/variables/content"

app/views/layouts/nav/sidebar/_group.html.haml

@@ -16,13 +16,19 @@
             .nav-icon-container
               = sprite_icon('home')
             %span.nav-item-name
-              = _('Overview')
+              - if @group.subgroup?
+                = _('Subgroup overview')
+              - else
+                = _('Group overview')
 
           %ul.sidebar-sub-level-items
             = nav_link(path: ['groups#show', 'groups#details', 'groups#activity', 'groups#subgroups'], html_options: { class: "fly-out-top-item" } ) do
               = link_to group_path(@group) do
                 %strong.fly-out-top-item-name
-                  = _('Overview')
+                  - if @group.subgroup?
+                    = _('Subgroup overview')
+                  - else
+                    = _('Group overview')
             %li.divider.fly-out-top-item
 
             = nav_link(path: ['groups#show', 'groups#details', 'groups#subgroups'], html_options: { class: 'home' }) do

app/views/layouts/nav/sidebar/_project.html.haml

@@ -13,13 +13,13 @@
           .nav-icon-container
             = sprite_icon('home')
           %span.nav-item-name
-            = _('Project')
+            = _('Project overview')
 
         %ul.sidebar-sub-level-items
           = nav_link(path: 'projects#show', html_options: { class: "fly-out-top-item" } ) do
             = link_to project_path(@project) do
               %strong.fly-out-top-item-name
-                = _('Project')
+                = _('Project overview')
           %li.divider.fly-out-top-item
           = nav_link(path: 'projects#show') do
             = link_to project_path(@project), title: _('Project details'), class: 'shortcuts-project' do

app/views/projects/buttons/_download.html.haml

@@ -12,11 +12,14 @@
         %h5.m-0.dropdown-bold-header= _('Download source code')
         .dropdown-menu-content
           = render 'projects/buttons/download_links', project: project, ref: ref, archive_prefix: archive_prefix, path: nil
-      - if directory? && Feature.enabled?(:git_archive_path, default_enabled: true)
-        %section.border-top.pt-1.mt-1
-          %h5.m-0.dropdown-bold-header= _('Download this directory')
-          .dropdown-menu-content
-            = render 'projects/buttons/download_links', project: project, ref: ref, archive_prefix: archive_prefix, path: @path
+      - if Feature.enabled?(:git_archive_path, default_enabled: true)
+        - if vue_file_list_enabled?
+          #js-directory-downloads{ data: { links: directory_download_links(project, ref, archive_prefix).to_json } }
+        - elsif directory?
+          %section.border-top.pt-1.mt-1
+            %h5.m-0.dropdown-bold-header= _('Download this directory')
+            .dropdown-menu-content
+              = render 'projects/buttons/download_links', project: project, ref: ref, archive_prefix: archive_prefix, path: @path
       - if pipeline && pipeline.latest_builds_with_artifacts.any?
         %section.border-top.pt-1.mt-1
           %h5.m-0.dropdown-bold-header= _('Download artifacts')

app/views/projects/merge_requests/_how_to_merge.html.haml

@@ -12,8 +12,8 @@
         = clipboard_button(target: "pre#merge-info-1", title: _("Copy commands"))
         %pre.dark#merge-info-1
           - if @merge_request.for_fork?
+            -# All repo/branch refs have been quoted to allow support for special characters (such as #my-branch)
             :preserve
-              -# All repo/branch refs have been quoted to allow support for special characters (such as #my-branch)
               git fetch "#{h default_url_to_repo(@merge_request.source_project)}" "#{h @merge_request.source_branch}"
               git checkout -b "#{h @merge_request.source_project_path}-#{h @merge_request.source_branch}" FETCH_HEAD
           - else

app/views/projects/settings/operations/_error_tracking.html.haml

@@ -17,4 +17,4 @@
         project: error_tracking_setting_project_json,
         api_host: setting.api_host,
         enabled: setting.enabled.to_json,
-        token: setting.token } }
+        token: setting.token.present? ? '*' * 12 : nil } }

app/views/projects/settings/operations/_grafana_integration.html.haml

+.js-grafana-integration{ data: { operations_settings_endpoint: project_settings_operations_path(@project),
+  grafana_integration: { url: grafana_integration_url, token: grafana_integration_token } } }

app/views/projects/settings/operations/show.html.haml

@@ -5,4 +5,5 @@
 = render_if_exists 'projects/settings/operations/incidents'
 = render 'projects/settings/operations/error_tracking'
 = render 'projects/settings/operations/external_dashboard'
+= render 'projects/settings/operations/grafana_integration'
 = render_if_exists 'projects/settings/operations/tracing'

app/views/projects/tree/_tree_header.html.haml

@@ -77,15 +77,21 @@
 
 .tree-controls
   = render_if_exists 'projects/tree/lock_link'
-  = link_to s_('Commits|History'), project_commits_path(@project, @id), class: 'btn'
+  - if vue_file_list_enabled?
+    #js-tree-history-link.d-inline-block{ data: { history_link: project_commits_path(@project, @ref) } }
+  - else
+    = link_to s_('Commits|History'), project_commits_path(@project, @id), class: 'btn'
 
   = render 'projects/find_file_link'
 
   - if can_create_mr_from_fork
     = succeed " " do
       - if can_collaborate || current_user&.already_forked?(@project)
-        = link_to ide_edit_path(@project, @ref, @path), class: 'btn btn-default qa-web-ide-button' do
-          = _('Web IDE')
+        - if vue_file_list_enabled?
+          #js-tree-web-ide-link.d-inline-block
+        - else
+          = link_to ide_edit_path(@project, @ref, @path), class: 'btn btn-default qa-web-ide-button' do
+            = _('Web IDE')
       - else
         = link_to '#modal-confirm-fork', class: 'btn btn-default qa-web-ide-button', data: { target: '#modal-confirm-fork', toggle: 'modal'} do
           = _('Web IDE')

app/views/registrations/welcome.html.haml

-- content_for(:page_title, _('Welcome to GitLab<br>%{username}!' % { username: html_escape(current_user.username) }).html_safe)
+- content_for(:page_title, _('Welcome to GitLab %{username}!') % { username: current_user.username })
 - max_name_length = 128
 .text-center.mb-3
   = _('In order to tailor your experience with GitLab<br>we would like to know a bit more about you.').html_safe

app/workers/authorized_projects_worker.rb

@@ -5,6 +5,7 @@ class AuthorizedProjectsWorker
   prepend WaitableWorker
 
   feature_category :authentication_and_authorization
+  latency_sensitive_worker!
 
   # This is a workaround for a Ruby 2.3.7 bug. rspec-mocks cannot restore the
   # visibility of prepended modules. See https://github.com/rspec/rspec-mocks/issues/1231

app/workers/build_finished_worker.rb

@@ -5,6 +5,8 @@ class BuildFinishedWorker
   include PipelineQueue
 
   queue_namespace :pipeline_processing
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
 
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(build_id)

app/workers/build_hooks_worker.rb

@@ -6,6 +6,7 @@ class BuildHooksWorker
 
   queue_namespace :pipeline_hooks
   feature_category :continuous_integration
+  latency_sensitive_worker!
 
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(build_id)

app/workers/build_queue_worker.rb

@@ -6,6 +6,8 @@ class BuildQueueWorker
 
   queue_namespace :pipeline_processing
   feature_category :continuous_integration
+  latency_sensitive_worker!
+  worker_resource_boundary :cpu
 
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(build_id)

app/workers/build_success_worker.rb

@@ -5,6 +5,7 @@ class BuildSuccessWorker
   include PipelineQueue
 
   queue_namespace :pipeline_processing
+  latency_sensitive_worker!
 
   # rubocop: disable CodeReuse/ActiveRecord
   def perform(build_id)

app/workers/chat_notification_worker.rb

@@ -4,6 +4,11 @@ class ChatNotificationWorker
   include ApplicationWorker
 
   feature_category :chatops
+  latency_sensitive_worker!
+  # TODO: break this into multiple jobs
+  # as the `responder` uses external dependencies
+  # See https://gitlab.com/gitlab-com/gl-infra/scalability/issues/34
+  # worker_has_external_dependencies!
 
   RESCHEDULE_INTERVAL = 2.seconds
 

app/workers/ci/build_schedule_worker.rb

@@ -7,6 +7,7 @@ module Ci
 
     queue_namespace :pipeline_processing
     feature_category :continuous_integration
+    worker_resource_boundary :cpu
 
     def perform(build_id)
       ::Ci::Build.find_by_id(build_id).try do |build|

app/workers/cluster_install_app_worker.rb

@@ -5,6 +5,8 @@ class ClusterInstallAppWorker
   include ClusterQueue
   include ClusterApplications
 
+  worker_has_external_dependencies!
+
   def perform(app_name, app_id)
     find_application(app_name, app_id) do |app|
       Clusters::Applications::InstallService.new(app).execute

app/workers/cluster_patch_app_worker.rb

@@ -5,6 +5,8 @@ class ClusterPatchAppWorker
   include ClusterQueue
   include ClusterApplications
 
+  worker_has_external_dependencies!
+
   def perform(app_name, app_id)
     find_application(app_name, app_id) do |app|
       Clusters::Applications::PatchService.new(app).execute

app/workers/cluster_project_configure_worker.rb

@@ -4,6 +4,8 @@ class ClusterProjectConfigureWorker
   include ApplicationWorker
   include ClusterQueue
 
+  worker_has_external_dependencies!
+
   def perform(project_id)
     # Scheduled for removal in https://gitlab.com/gitlab-org/gitlab-foss/issues/59319
   end

app/workers/cluster_provision_worker.rb

@@ -4,6 +4,8 @@ class ClusterProvisionWorker
   include ApplicationWorker
   include ClusterQueue
 
+  worker_has_external_dependencies!
+
   def perform(cluster_id)
     Clusters::Cluster.find_by_id(cluster_id).try do |cluster|
       cluster.provider.try do |provider|

app/workers/cluster_upgrade_app_worker.rb

@@ -5,6 +5,8 @@ class ClusterUpgradeAppWorker
   include ClusterQueue
   include ClusterApplications
 
+  worker_has_external_dependencies!
+
   def perform(app_name, app_id)
     find_application(app_name, app_id) do |app|
       Clusters::Applications::UpgradeService.new(app).execute

app/workers/cluster_wait_for_app_installation_worker.rb

@@ -8,6 +8,9 @@ class ClusterWaitForAppInstallationWorker
   INTERVAL = 10.seconds
   TIMEOUT = 20.minutes
 
+  worker_has_external_dependencies!
+  worker_resource_boundary :cpu
+
   def perform(app_name, app_id)
     find_application(app_name, app_id) do |app|
       Clusters::Applications::CheckInstallationProgressService.new(app).execute

app/workers/cluster_wait_for_ingress_ip_address_worker.rb

@@ -5,6 +5,8 @@ class ClusterWaitForIngressIpAddressWorker
   include ClusterQueue
   include ClusterApplications
 
+  worker_has_external_dependencies!
+
   def perform(app_name, app_id)
     find_application(app_name, app_id) do |app|
       Clusters::Applications::CheckIngressIpAddressService.new(app).execute

app/workers/clusters/applications/uninstall_worker.rb

@@ -7,6 +7,8 @@ module Clusters
       include ClusterQueue
       include ClusterApplications
 
+      worker_has_external_dependencies!
+
       def perform(app_name, app_id)
         find_application(app_name, app_id) do |app|
           Clusters::Applications::UninstallService.new(app).execute

app/workers/clusters/applications/wait_for_uninstall_app_worker.rb

@@ -10,6 +10,9 @@ module Clusters
       INTERVAL = 10.seconds
       TIMEOUT = 20.minutes
 
+      worker_has_external_dependencies!
+      worker_resource_boundary :cpu
+
       def perform(app_name, app_id)
         find_application(app_name, app_id) do |app|
           Clusters::Applications::CheckUninstallProgressService.new(app).execute