Automatic merge of gitlab-org/gitlab master

64dffb0d · GitLab Bot · 4219e0fc · 7a503520 · 64dffb0d · 64dffb0d
Commit 64dffb0d authored Jan 29, 2021 by GitLab Bot
52 changed files
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -30,6 +30,9 @@ class ProjectPolicy < BasePolicy
  desc "User has maintainer access"
  condition(:maintainer) { team_access_level >= Gitlab::Access::MAINTAINER }
+  desc "User is a project bot"
+  condition(:project_bot) { user.project_bot? && team_member? }
  desc "Project is public"
  condition(:public_project, scope: :subject, score: 0) { project.public? }
@@ -616,10 +619,14 @@ class ProjectPolicy < BasePolicy
    prevent :read_project
  end
+  rule { project_bot }.enable :project_bot_access
  rule { resource_access_token_available & can?(:admin_project) }.policy do
    enable :admin_resource_access_tokens
  end
+  rule { can?(:project_bot_access) }.prevent :admin_resource_access_tokens
  rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
    enable :set_pipeline_variables
  end

--- a/app/services/users/approve_service.rb
+++ b/app/services/users/approve_service.rb
@@ -17,6 +17,7 @@ module Users
        user.accept_pending_invitations! if user.active_for_authentication?
        DeviseMailer.user_admin_approval(user).deliver_later
+        log_event(user)
        after_approve_hook(user)
        success(message: 'Success', http_status: :created)
      else
@@ -39,6 +40,10 @@ module Users
    def approval_required?(user)
      user.blocked_pending_approval?
    end
+    def log_event(user)
+      Gitlab::AppLogger.info(message: "User instance access request approved", user: "#{user.username}", email: "#{user.email}", approved_by: "#{current_user.username}", ip_address: "#{current_user.current_sign_in_ip}")
+    end
  end
 end

--- a/app/services/users/reject_service.rb
+++ b/app/services/users/reject_service.rb
@@ -16,6 +16,8 @@ module Users
      NotificationService.new.user_admin_rejection(user.name, user.email)
+      log_event(user)
      success
    end
@@ -30,6 +32,10 @@ module Users
    def after_reject_hook(user)
      # overridden by EE module
    end
+    def log_event(user)
+      Gitlab::AppLogger.info(message: "User instance access request rejected", user: "#{user.username}", email: "#{user.email}", rejected_by: "#{current_user.username}", ip_address: "#{current_user.current_sign_in_ip}")
+    end
  end
 end

--- a/changelogs/unreleased/298783-log-user-instance-request-in-audit-events.yml
+++ b/changelogs/unreleased/298783-log-user-instance-request-in-audit-events.yml
+---
+title: Log user approval/rejection in application logs
+merge_request: 51768
+author:
+type: added
--- a/changelogs/unreleased/sfang-project-access-token-api.yml
+++ b/changelogs/unreleased/sfang-project-access-token-api.yml
+---
+title: Project access token management via API
+merge_request: 52139
+author:
+type: added
--- a/doc/.vale/gitlab/spelling-exceptions.txt
+++ b/doc/.vale/gitlab/spelling-exceptions.txt
@@ -12,6 +12,7 @@ Ansible
 Anthos
 approvers
 architected
+architecting
 Arel
 Artifactory
 Asana
@@ -357,6 +358,7 @@ onboarding
 OpenID
 OpenShift
 Opsgenie
+Overcommit
 Packagist
 parallelization
 parallelizations
@@ -408,6 +410,7 @@ pseudocode
 pseudonymized
 pseudonymizer
 Puma
+pytest
 Python
 Qualys
 queryable
@@ -438,6 +441,8 @@ referer
 referers
 reflog
 reflogs
+refspec
+refspecs
 reindex
 reindexed
 reindexes
@@ -503,6 +508,7 @@ Silverlight
 Sisense
 Sitespeed
 Slack
+Slackbot
 Slony
 smartcard
 smartcards
@@ -545,11 +551,15 @@ subquery
 subquerying
 substring
 substrings
+subtask
+subtasks
 subtree
 subtrees
 sudo
 supercookie
 supercookies
+supertype
+supertypes
 swappiness
 swimlane
 swimlanes

--- a/doc/administration/troubleshooting/kubernetes_cheat_sheet.md
+++ b/doc/administration/troubleshooting/kubernetes_cheat_sheet.md
@@ -70,7 +70,7 @@ and they will assist you with any issues you are having.
  kubectl logs <pod-name> --previous
  ```
-  No logs are kept in the containers/pods themselves. Everything is written to stdout.
+  No logs are kept in the containers/pods themselves. Everything is written to `stdout`.
  This is the principle of Kubernetes, read [Twelve-factor app](https://12factor.net/)
  for details.

--- a/doc/api/README.md
+++ b/doc/api/README.md
@@ -124,7 +124,7 @@ There are several methods you can use to authenticate with the GitLab API:
 - [GitLab CI/CD job token](#gitlab-ci-job-token) **(Specific endpoints only)**
 NOTE:
-Project access tokens are supported for self-managed instances on Core and
+Project access tokens are supported for self-managed instances on Free and
 higher. They're also supported on GitLab.com Bronze and higher.
 For administrators who want to authenticate with the API as a specific user, or who want

--- a/doc/api/api_resources.md
+++ b/doc/api/api_resources.md
@@ -25,6 +25,7 @@ The following API resources are available in the project context:
 | Resource                                                            | Available endpoints                                                                                                                                                                                   |
 |:--------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | [Access requests](access_requests.md)                               | `/projects/:id/access_requests` (also available for groups)                                                                                                                                           |
+| [Access tokens](resource_access_tokens.md)                          | `/projects/:id/access_tokens`                  |
 | [Award emoji](award_emoji.md)                                       | `/projects/:id/issues/.../award_emoji`, `/projects/:id/merge_requests/.../award_emoji`, `/projects/:id/snippets/.../award_emoji`                                                                      |
 | [Branches](branches.md)                                             | `/projects/:id/repository/branches/`, `/projects/:id/repository/merged_branches`                                                                                                                      |
 | [Commits](commits.md)                                               | `/projects/:id/repository/commits`, `/projects/:id/statuses`                                                                                                                                          |
@@ -76,7 +77,7 @@ The following API resources are available in the project context:
 | [Remote mirrors](remote_mirrors.md)                                 | `/projects/:id/remote_mirrors`                                                                                                                                                                        |
 | [Repositories](repositories.md)                                     | `/projects/:id/repository`                                                                                                                                                                            |
 | [Repository files](repository_files.md)                             | `/projects/:id/repository/files`                                                                                                                                                                      |
-| [Repository submodules](repository_submodules.md)                   | `/projects/:id/repository/submodules`                                                                                                                                                                 |
+| [Repository submodules](repository_submodules.md)                   | `/projects/:id/repository/submodules`                                                                                                                |
 | [Resource label events](resource_label_events.md)                   | `/projects/:id/issues/.../resource_label_events`, `/projects/:id/merge_requests/.../resource_label_events` (also available for groups)                                                                |
 | [Runners](runners.md)                                               | `/projects/:id/runners` (also available standalone)                                                                                                                                                   |
 | [Search](search.md)                                                 | `/projects/:id/search` (also available for groups and standalone)                                                                                                                                     |

--- a/doc/api/dependency_proxy.md
+++ b/doc/api/dependency_proxy.md
@@ -9,7 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 ## Purge the dependency proxy for a group
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/11631) in GitLab 12.10.
-> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/273655) to [GitLab Core](https://about.gitlab.com/pricing/) in GitLab 13.6.
+> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/273655) to [GitLab Free](https://about.gitlab.com/pricing/) in GitLab 13.6.
 Deletes the cached manifests and blobs for a group. This endpoint requires group admin access.

--- a/doc/api/feature_flag_user_lists.md
+++ b/doc/api/feature_flag_user_lists.md
@@ -7,7 +7,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 # Feature flag user lists API **(FREE)**
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/205409) in [GitLab Premium](https://about.gitlab.com/pricing/) 12.10.
-> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212318) to GitLab Core in 13.5.
+> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212318) to GitLab Free in 13.5.
 API for accessing GitLab Feature Flag User Lists.

--- a/doc/api/feature_flags.md
+++ b/doc/api/feature_flags.md
@@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9566) in [GitLab Premium](https://about.gitlab.com/pricing/) 12.5.
 > - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212318) to [GitLab Starter](https://about.gitlab.com/pricing/) in 13.4.
-> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212318) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.5.
+> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212318) to [GitLab Free](https://about.gitlab.com/pricing/) in 13.5.
 API for accessing resources of [GitLab Feature Flags](../operations/feature_flags.md).

--- a/doc/api/feature_flags_legacy.md
+++ b/doc/api/feature_flags_legacy.md
@@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9566) in [GitLab Premium](https://about.gitlab.com/pricing/) 12.5.
 > - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212318) to [GitLab Starter](https://about.gitlab.com/pricing/) in 13.4.
-> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212318) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.5.
+> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212318) to [GitLab Free](https://about.gitlab.com/pricing/) in 13.5.
 WARNING:
 This API is deprecated and [scheduled for removal in GitLab 14.0](https://gitlab.com/gitlab-org/gitlab/-/issues/213369). Use [this API](feature_flags.md) instead.

--- a/doc/api/issue_links.md
+++ b/doc/api/issue_links.md
@@ -6,7 +6,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 # Issue links API **(FREE)**
-> The simple "relates to" relationship [moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212329) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.4.
+> The simple "relates to" relationship [moved](https://gitlab.com/gitlab-org/gitlab/-/issues/212329) to [GitLab Free](https://about.gitlab.com/pricing/) in 13.4.
 ## List issue relations

--- a/doc/api/personal_access_tokens.md
+++ b/doc/api/personal_access_tokens.md
@@ -11,7 +11,7 @@ You can read more about [personal access tokens](../user/profile/personal_access
 ## List personal access tokens
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/227264) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.3.
-> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/270200) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.6.
+> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/270200) to [GitLab Free](https://about.gitlab.com/pricing/) in 13.6.
 Get a list of personal access tokens.
@@ -71,7 +71,7 @@ curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/a
 ## Revoke a personal access token
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/216004) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.3.
-> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/270200) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.6.
+> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/270200) to [GitLab Free](https://about.gitlab.com/pricing/) in 13.6.
 Revoke a personal access token.

--- a/doc/api/resource_access_tokens.md
+++ b/doc/api/resource_access_tokens.md
+---
+stage: Manage
+group: Access
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+# Project access tokens API
+You can read more about [project access tokens](../user/project/settings/project_access_tokens.md).
+## List project access tokens
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/238991) in GitLab 13.9.
+Get a list of project access tokens.
+```plaintext
+GET /:id/access_tokens
+```
+| Attribute | Type    | required | Description         |
+|-----------|---------|----------|---------------------|
+| `id` | integer/string | yes | The ID of the project |
+```shell
+curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/<project_id>/access_tokens"
+```
+```json
+[
+   {
+      "user_id" : 141,
+      "scopes" : [
+         "api"
+      ],
+      "name" : "token",
+      "expires_at" : "2021-01-31",
+      "id" : 42,
+      "active" : true,
+      "created_at" : "2021-01-20T22:11:48.151Z",
+      "revoked" : false
+   }
+]
+```
+## Create a project access token
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/238991) in GitLab 13.9.
+Create a project access token.
+```plaintext
+POST /:id/access_tokens
+```
+| Attribute | Type    | required | Description         |
+|-----------|---------|----------|---------------------|
+| `name` | String | yes | The name of the project access token  |
+| `scopes` | Array[String] | yes | [List of scopes](../user/project/settings/project_access_tokens.md#limiting-scopes-of-a-project-access-token) |
+| `expires_at` | Date | no | The token expires at midnight UTC on that date |
+```shell
+curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \
+--header "Content-Type:application/json" \
+--data '{ "name":"test_token", "scopes":["api", "read_repository"], "expires_at":"2021-01-31" }' \
+"https://gitlab.example.com/api/v4/projects/<project_id>/access_tokens"
+```
+```json
+{
+   "scopes" : [
+      "api",
+      "read_repository"
+   ],
+   "active" : true,
+   "name" : "test",
+   "revoked" : false,
+   "created_at" : "2021-01-21T19:35:37.921Z",
+   "user_id" : 166,
+   "id" : 58,
+   "expires_at" : "2021-01-31"
+}
+```
+## Revoke a project access token
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/238991) in GitLab 13.9.
+Revoke a project access token.
+```plaintext
+DELETE /:id/access_tokens/:token_id
+```
+| Attribute | Type    | required | Description         |
+|-----------|---------|----------|---------------------|
+| `id` | integer/string | yes | The ID of the project |
+| `token_id` | integer/string | yes | The ID of the project access token |
+```shell
+curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/<project_id>/access_tokens/<token_id>"
+```
+### Responses
+- `204: No Content` if successfully revoked.
+- `400 Bad Request` or `404 Not Found` if not revoked successfully.
--- a/doc/ci/README.md
+++ b/doc/ci/README.md
@@ -71,7 +71,7 @@ available through the UI. You can use them by creating a new file,
 choosing a template that suits your application, and adjusting it
 to your needs:
-![Use a `.gitlab-ci.yml` template](img/add_file_template_11_10.png)
+![Use a YAML template](img/add_file_template_11_10.png)
 While building your `.gitlab-ci.yml`, you can use the [CI/CD configuration visualization](pipeline_editor/index.md#visualize-ci-configuration) to facilitate your writing experience.

--- a/doc/ci/chatops/README.md
+++ b/doc/ci/chatops/README.md
@@ -5,10 +5,10 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 type: index, concepts, howto
 ---
-# GitLab ChatOps **(CORE)**
+# GitLab ChatOps **(FREE)**
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/4466) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.6.
-> - [Moved](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/24780) to [GitLab Core](https://about.gitlab.com/pricing/) in 11.9.
+> - [Moved](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/24780) to [GitLab Free](https://about.gitlab.com/pricing/) in 11.9.
 GitLab ChatOps provides a method to interact with CI/CD jobs through chat services
 like Slack. Many organizations' discussion, collaboration, and troubleshooting takes

--- a/doc/ci/ci_cd_for_external_repos/bitbucket_integration.md
+++ b/doc/ci/ci_cd_for_external_repos/bitbucket_integration.md
@@ -14,8 +14,9 @@ GitLab CI/CD can be used with Bitbucket Cloud by:
 To use GitLab CI/CD with a Bitbucket Cloud repository:
-1. In GitLab create a **CI/CD for external repository**, select **Repo by URL** and
+1. <!-- vale gitlab.Spelling = NO --> In GitLab create a **CI/CD for external repository**, select
-   create the project.
+   **Repo by URL** and create the project.
+   <!-- vale gitlab.Spelling = YES -->
   ![Create project](img/external_repository.png)

--- a/doc/ci/ci_cd_for_external_repos/index.md
+++ b/doc/ci/ci_cd_for_external_repos/index.md
@@ -25,11 +25,15 @@ snippets disabled. These features
 To connect to an external repository:
+<!-- vale gitlab.Spelling = NO -->
 1. From your GitLab dashboard, click **New project**.
 1. Switch to the **CI/CD for external repository** tab.
 1. Choose **GitHub** or **Repo by URL**.
 1. The next steps are similar to the [import flow](../../user/project/import/index.md).
+<!-- vale gitlab.Spelling = YES -->
 ![CI/CD for external repository project creation](img/ci_cd_for_external_repo.png)
 ## Pipelines for external pull requests

--- a/doc/ci/docker/using_docker_build.md
+++ b/doc/ci/docker/using_docker_build.md
@@ -126,7 +126,7 @@ not without its own challenges:
  instance of Docker engine so they don't conflict with each other. But this
  also means that jobs can be slower because there's no caching of layers.
 - By default, Docker 17.09 and higher uses `--storage-driver overlay2` which is
-  the recommended storage driver. See [Using the overlayfs driver](#use-the-overlayfs-driver)
+  the recommended storage driver. See [Using the OverlayFS driver](#use-the-overlayfs-driver)
  for details.
 - Since the `docker:19.03.12-dind` container and the runner container don't share their
  root file system, the job's working directory can be used as a mount point for

--- a/doc/ci/environments/environments_dashboard.md
+++ b/doc/ci/environments/environments_dashboard.md
@@ -36,7 +36,7 @@ environments are not displayed.
 To add a project to the dashboard:
-1. Click the **Add projects** button in the homescreen of the dashboard.
+1. Click the **Add projects** button in the home screen of the dashboard.
 1. Search and add one or more projects using the **Search your projects** field.
 1. Click the **Add projects** button.

--- a/doc/ci/environments/index.md
+++ b/doc/ci/environments/index.md
@@ -1009,7 +1009,7 @@ fetch = +refs/environments/*:refs/remotes/origin/environments/*
 ### Scoping environments with specs
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/2112) in [GitLab Premium](https://about.gitlab.com/pricing/) 9.4.
-> - [Scoping for environment variables was moved to Core](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/30779) in GitLab 12.2.
+> - [Scoping for environment variables was moved to Free](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/30779) in GitLab 12.2.
 You can limit the environment scope of a variable by
 defining which environments it can be available for.

--- a/doc/ci/lint.md
+++ b/doc/ci/lint.md
@@ -4,8 +4,10 @@ group: unassigned
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 ---
 <!-- markdownlint-disable MD044 -->
+<!-- vale gitlab.Spelling = NO -->
 # Validate .gitlab-ci.yml syntax with the CI Lint tool
 <!-- markdownlint-enable MD044 -->
+<!-- vale gitlab.Spelling = YES -->
 If you want to test the validity of your GitLab CI/CD configuration before committing
 the changes, you can use the CI Lint tool. This tool checks for syntax and logical

--- a/doc/ci/multi_project_pipelines.md
+++ b/doc/ci/multi_project_pipelines.md
@@ -261,7 +261,7 @@ test:
 ### Mirroring status from triggered pipeline
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/11238) in [GitLab Premium](https://about.gitlab.com/pricing/) 12.3.
-> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/199224) to GitLab Core in 12.8.
+> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/199224) to GitLab Free in 12.8.
 You can mirror the pipeline status from the triggered pipeline to the source
 bridge job by using `strategy: depend`. For example:

--- a/doc/ci/parent_child_pipelines.md
+++ b/doc/ci/parent_child_pipelines.md
@@ -156,7 +156,11 @@ build a matrix of targets and architectures.
 <i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
 For an overview, see [Create child pipelines using dynamically generated configurations](https://youtu.be/nMdfus2JWHM).
-We also have an [example project using Dynamic Child Pipelines with Jsonnet](https://gitlab.com/gitlab-org/project-templates/jsonnet) which shows how to use a data templating language to generate your `.gitlab-ci.yml` at runtime. You could use a similar process for other templating languages like [Dhall](https://dhall-lang.org/) or [`ytt`](https://get-ytt.io/).
+<!-- vale gitlab.Spelling = NO -->
+We also have an example project using
+[Dynamic Child Pipelines with Jsonnet](https://gitlab.com/gitlab-org/project-templates/jsonnet)
+which shows how to use a data templating language to generate your `.gitlab-ci.yml` at runtime. You could use a similar process for other templating languages like [Dhall](https://dhall-lang.org/) or [`ytt`](https://get-ytt.io/).
+<!-- vale gitlab.Spelling = NO -->
 The artifact path is parsed by GitLab, not the runner, so the path must match the
 syntax for the OS running GitLab. If GitLab is running on Linux but using a Windows

--- a/doc/ci/pipelines/settings.md
+++ b/doc/ci/pipelines/settings.md
@@ -131,6 +131,8 @@ averaged.
 ![Build status coverage](img/pipelines_test_coverage_build.png)
+<!-- vale gitlab.Spelling = NO -->
 | Coverage Tool                                  | Sample regular expression |
 |------------------------------------------------|---------------------------|
 | Simplecov (Ruby)                               | `\(\d+.\d+\%\) covered` |
@@ -145,6 +147,8 @@ averaged.
 | JaCoCo (Java/Kotlin)                           | `Total.*?([0-9]{1,3})%` |
 | `go test -cover` (Go)                          | `coverage: \d+.\d+% of statements` |
+<!-- vale gitlab.Spelling = YES -->
 ### Code Coverage history
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/209121) the ability to download a `.csv` in GitLab 12.10.
@@ -154,7 +158,7 @@ To see the evolution of your project code coverage over time,
 you can view a graph or download a CSV file with this data. From your project:
 1. Go to **{chart}** **Project Analytics > Repository** to see the historic data for each job listed in the dropdown above the graph.
-1. If you want a CSV file of that data, click **Download raw data (.csv)**
+1. If you want a CSV file of that data, click **Download raw data (`.csv`)**
 ![Code coverage graph of a project over time](img/code_coverage_graph_v13_1.png)

--- a/doc/ci/unit_test_reports.md
+++ b/doc/ci/unit_test_reports.md
@@ -303,7 +303,7 @@ test:
  artifacts:
    when: always
    reports:
-      junit: 
+      junit:
        - report.xml
 ```

--- a/doc/ci/yaml/README.md
+++ b/doc/ci/yaml/README.md
@@ -341,7 +341,7 @@ include:
 > - Introduced in [GitLab Premium](https://about.gitlab.com/pricing/) 10.5.
 > - Available for Starter, Premium, and Ultimate in GitLab 10.6 and later.
-> - [Moved](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/42861) to GitLab Core in 11.4.
+> - [Moved](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/42861) to GitLab Free in 11.4.
 Use the `include` keyword to include external YAML files in your CI/CD configuration.
 You can break down one long `gitlab-ci.yml` file into multiple files to increase readability,
@@ -3675,7 +3675,7 @@ deploystacks:
 ### `trigger`
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/8997) in [GitLab Premium](https://about.gitlab.com/pricing/) 11.8.
-> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/199224) to GitLab Core in 12.8.
+> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/199224) to GitLab Free in 12.8.
 Use `trigger` to define a downstream pipeline trigger. When GitLab starts a `trigger` job,
 a downstream pipeline is created.

--- a/doc/development/adding_service_component.md
+++ b/doc/development/adding_service_component.md
@@ -65,7 +65,7 @@ Notify the [Distribution team](https://about.gitlab.com/handbook/engineering/dev
 New services to be bundled with GitLab need to be available in the following environments.
-**Dev environment**
+**Development environment**
 The first step of bundling a new service is to provide it in the development environment to engage in collaboration and feedback.

--- a/doc/development/api_graphql_styleguide.md
+++ b/doc/development/api_graphql_styleguide.md
@@ -1683,7 +1683,7 @@ full stack:
 - An argument or scalar's [`prepare`](#validating-arguments) applies correctly.
 - Logic in a resolver or mutation's [`#ready?` method](#correct-use-of-resolverready) applies correctly.
 - An [argument's `default_value`](https://graphql-ruby.org/fields/arguments.html) applies correctly.
- Objects resolve performantly and there are no N+1 issues.
+- Objects resolve successfully, and there are no N+1 issues.
 When adding a query, you can use the `a working graphql query` shared example to test if the query
 renders valid results.

--- a/doc/development/architecture.md
+++ b/doc/development/architecture.md
@@ -934,7 +934,7 @@ ps aux | grep '^git'
 ```
 GitLab has several components to operate. It requires a persistent database
-(PostgreSQL) and Redis database, and uses Apache `httpd` or NGINX to proxypass
+(PostgreSQL) and Redis database, and uses Apache `httpd` or NGINX to `proxypass`
 Puma. All these components should run as different system users to GitLab
 (for example, `postgres`, `redis`, and `www-data`, instead of `git`).

--- a/doc/development/chaos_endpoints.md
+++ b/doc/development/chaos_endpoints.md
@@ -6,8 +6,12 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 # Generating chaos in a test GitLab instance
+<!-- vale gitlab.Spelling = NO -->
 As [Werner Vogels](https://twitter.com/Werner), the CTO at Amazon Web Services, famously put it, **Everything fails, all the time**.
+<!-- vale gitlab.Spelling = NO -->
 As a developer, it's as important to consider the failure modes in which your software may operate as much as normal operation. Doing so can mean the difference between a minor hiccup leading to a scattering of `500` errors experienced by a tiny fraction of users, and a full site outage that affects all users for an extended period.
 To paraphrase [Tolstoy](https://en.wikipedia.org/wiki/Anna_Karenina_principle), _all happy servers are alike, but all failing servers are failing in their own way_. Luckily, there are ways we can attempt to simulate these failure modes, and the chaos endpoints are tools for assisting in this process.

--- a/doc/development/code_intelligence/index.md
+++ b/doc/development/code_intelligence/index.md
@@ -45,7 +45,7 @@ sequenceDiagram
   GitLab Rails to authorize the upload.
 1. GitLab Rails validates whether the artifact can be uploaded and sends
-   `ProcessLsif: true` header if the lsif artifact can be processed.
+   `ProcessLsif: true` header if the LSIF artifact can be processed.
 1. Workhorse reads the LSIF document line by line and generates code intelligence
   data for each file in the project. The output is a zipped directory of JSON

--- a/doc/development/code_review.md
+++ b/doc/development/code_review.md
@@ -24,7 +24,7 @@ uncovered edge cases.
 The default approach is to choose a reviewer from your group or team for the first review.
 This is only a recommendation and the reviewer may be from a different team.
 However, it is recommended to pick someone who is a [domain expert](#domain-experts).
-If your merge request touches more than one domain (for example, Dynamic Analysis and GraphQL), ask for reviews from an expert from each domain. 
+If your merge request touches more than one domain (for example, Dynamic Analysis and GraphQL), ask for reviews from an expert from each domain.
 You can read more about the importance of involving reviewer(s) in the section on the responsibility of the author below.
@@ -344,7 +344,7 @@ experience, refactors the existing code). Then:
    convey your intent.
  - For non-mandatory suggestions, decorate with (non-blocking) so the author knows they can
    optionally resolve within the merge request or follow-up at a later stage.
-  - There's a [Chrome/Firefox addon](https://gitlab.com/conventionalcomments/conventional-comments-button) which you can use to apply [Conventional Comment](https://conventionalcomments.org/) prefixes.
+  - There's a [Chrome/Firefox add-on](https://gitlab.com/conventionalcomments/conventional-comments-button) which you can use to apply [Conventional Comment](https://conventionalcomments.org/) prefixes.
 - After a round of line notes, it can be helpful to post a summary note such as
  "Looks good to me", or "Just a couple things to address."
 - Assign the merge request to the author if changes are required following your
@@ -569,7 +569,7 @@ A good example of collaboration on an MR touching multiple parts of the codebase
 ### Credits
-Largely based on the [thoughtbot code review guide](https://github.com/thoughtbot/guides/tree/master/code-review).
+Largely based on the [`thoughtbot` code review guide](https://github.com/thoughtbot/guides/tree/master/code-review).
 ---

--- a/doc/development/contributing/style_guides.md
+++ b/doc/development/contributing/style_guides.md
@@ -56,12 +56,12 @@ The current Lefthook configuration can be found in [`lefthook.yml`](https://gitl
 Before you push your changes, Lefthook automatically runs the following checks:
 - Danger: Runs a subset of checks that `danger-review` runs on your merge requests.
- ES lint: Run `yarn eslint` checks (with the [`.eslintrc.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.eslintrc.yml) config) on the modified `*.{js,vue}` files. Tags: `frontend`, `style`.
+- ES lint: Run `yarn eslint` checks (with the [`.eslintrc.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.eslintrc.yml) configuration) on the modified `*.{js,vue}` files. Tags: `frontend`, `style`.
- HAML lint: Run `bundle exec haml-lint` checks (with the [`.haml-lint.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.haml-lint.yml) config) on the modified `*.html.haml` files. Tags: `view`, `haml`, `style`.
+- HAML lint: Run `bundle exec haml-lint` checks (with the [`.haml-lint.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.haml-lint.yml) configuration) on the modified `*.html.haml` files. Tags: `view`, `haml`, `style`.
 - Markdown lint: Run `yarn markdownlint` checks on the modified `*.md` files. Tags: `documentation`, `style`.
- SCSS lint: Run `bundle exec scss-lint` checks (with the [`.scss-lint.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.scss-lint.yml) config) on the modified `*.scss{,.css}` files. Tags: `stylesheet`, `css`, `style`.
+- SCSS lint: Run `bundle exec scss-lint` checks (with the [`.scss-lint.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.scss-lint.yml) configuration) on the modified `*.scss{,.css}` files. Tags: `stylesheet`, `css`, `style`.
- RuboCop: Run `bundle exec rubocop` checks (with the [`.rubocop.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.rubocop.yml) config) on the modified `*.rb` files. Tags: `backend`, `style`.
+- RuboCop: Run `bundle exec rubocop` checks (with the [`.rubocop.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.rubocop.yml) configuration) on the modified `*.rb` files. Tags: `backend`, `style`.
- Vale: Run `vale` checks (with the [`.vale.ini`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.vale.ini) config) on the modified `*.md` files. Tags: `documentation`, `style`.
+- Vale: Run `vale` checks (with the [`.vale.ini`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.vale.ini) configuration) on the modified `*.md` files. Tags: `documentation`, `style`.
 In addition to the default configuration, you can define a [local configuration](https://github.com/Arkweid/lefthook/blob/master/docs/full_guide.md#local-config).
@@ -142,7 +142,7 @@ This ensures that our list isn't mistakenly removed by another auto generation o
 the `.rubocop_todo.yml`. This also allows us greater visibility into the exceptions
 which are currently being resolved.
-One way to generate the initial list is to run the todo auto generation,
+One way to generate the initial list is to run the `todo` auto generation,
 with `exclude limit` set to a high number.
 ```shell
@@ -180,8 +180,12 @@ See the dedicated [Shell scripting standards and style guidelines](../shell_scri
 ## Markdown
+<!-- vale gitlab.Spelling = NO -->
 We're following [Ciro Santilli's Markdown Style Guide](https://cirosantilli.com/markdown-style-guide/).
+<!-- vale gitlab.Spelling = YES -->
 ## Documentation
 See the dedicated [Documentation Style Guide](../documentation/styleguide/index.md).

--- a/doc/development/database/database_reviewer_guidelines.md
+++ b/doc/development/database/database_reviewer_guidelines.md
@@ -50,17 +50,17 @@ European/US and APAC friendly hours. You can join the office hours call and brin
 that require a more in-depth discussion between the database reviewers and maintainers:
 - [Database Office Hours Agenda](https://docs.google.com/document/d/1wgfmVL30F8SdMg-9yY6Y8djPSxWNvKmhR5XmsvYX1EI/edit).
- [Youtube playlist with past recordings](https://www.youtube.com/playlist?list=PL05JrBw4t0Kp-kqXeiF7fF7cFYaKtdqXM).
+- <i class="fa fa-youtube-play youtube" aria-hidden="true"></i> [YouTube playlist with past recordings](https://www.youtube.com/playlist?list=PL05JrBw4t0Kp-kqXeiF7fF7cFYaKtdqXM).
 You should also join the [#database-labs](../understanding_explain_plans.md#database-lab)
-Slack channel and get familiar with how to use Joe, the slackbot that provides developers
+Slack channel and get familiar with how to use Joe, the Slackbot that provides developers
 with their own clone of the production database.
 Understanding and efficiently using `EXPLAIN` plans is at the core of the database review process.
 The following guides provide a quick introduction and links to follow on more advanced topics:
 - Guide on [understanding EXPLAIN plans](../understanding_explain_plans.md).
- [Explaining the unexplainable series in depesz](https://www.depesz.com/tag/unexplainable/).
+- [Explaining the unexplainable series in `depesz`](https://www.depesz.com/tag/unexplainable/).
 Finally, you can find various guides in the [Database guides](index.md) page that cover more specific
 topics and use cases. The most frequently required during database reviewing are the following:

--- a/doc/development/database/table_partitioning.md
+++ b/doc/development/database/table_partitioning.md
@@ -60,7 +60,7 @@ was the first table to be partitioned in the application database
 (scheduled for deployment with the GitLab 13.5 release). This
 table tracks audit entries of security events that happen in the
 application. In almost all cases, users want to see audit activity that
-occurs in a certain timeframe. As a result, date-range partitioning
+occurs in a certain time frame. As a result, date-range partitioning
 was a natural fit for how the data would be accessed.
 To look at this in more detail, imagine a simplified `audit_events` schema:

--- a/doc/development/database_debugging.md
+++ b/doc/development/database_debugging.md
@@ -69,16 +69,14 @@ bundle exec rails db -e development
 Use these instructions for exploring the GitLab database while developing with the GDK:
 1. Install or open [Visual Studio Code](https://code.visualstudio.com/download).
-1. Install the [PostgreSQL VSCode Extension](https://marketplace.visualstudio.com/items?itemName=ckolkman.vscode-postgres) by Chris Kolkman.
+1. Install the [PostgreSQL VSCode Extension](https://marketplace.visualstudio.com/items?itemName=ckolkman.vscode-postgres).
 1. In Visual Studio Code click on the PostgreSQL Explorer button in the left toolbar.
 1. In the top bar of the new window, click on the `+` to **Add Database Connection**, and follow the prompts to fill in the details:
   1. **Hostname**: the path to the PostgreSQL folder in your GDK directory (for example `/dev/gitlab-development-kit/postgresql`).
   1. **PostgreSQL user to authenticate as**: usually your local username, unless otherwise specified during PostgreSQL installation.
   1. **Password of the PostgreSQL user**: the password you set when installing PostgreSQL.
   1. **Port number to connect to**: `5432` (default).
-   1. <!-- vale gitlab.Spelling = NO -->
+   1. **Use an SSL connection?** This depends on your installation. Options are:
-      **Use an ssl connection?**
-      <!-- vale gitlab.Spelling = YES --> This depends on your installation. Options are:
      - **Use Secure Connection**
      - **Standard Connection** (default)
   1. **(Optional) The database to connect to**: `gitlabhq_development`.

--- a/doc/development/database_review.md
+++ b/doc/development/database_review.md
@@ -147,7 +147,7 @@ test its execution using `CREATE INDEX CONCURRENTLY` in the `#database-lab` Slac
 - Provide the link to the plan at: [explain.depesz.com](https://explain.depesz.com). Paste both the plan and the query used in the form.
 - When providing query plans, make sure it hits enough data:
  - You can use a GitLab production replica to test your queries on a large scale,
-  through the `#database-lab` Slack channel or through [chatops](understanding_explain_plans.md#chatops).
+  through the `#database-lab` Slack channel or through [ChatOps](understanding_explain_plans.md#chatops).
  - Usually, the `gitlab-org` namespace (`namespace_id = 9970`) and the
  `gitlab-org/gitlab-foss` (`project_id = 13083`) or the `gitlab-org/gitlab` (`project_id = 278964`)
   projects provide enough data to serve as a good example.
@@ -220,13 +220,13 @@ test its execution using `CREATE INDEX CONCURRENTLY` in the `#database-lab` Slac
  - Check for any obviously complex queries and queries the author specifically
    points out for review (if any)
  - If not present yet, ask the author to provide SQL queries and query plans
-    (for example, by using [chatops](understanding_explain_plans.md#chatops) or direct
+    (for example, by using [ChatOps](understanding_explain_plans.md#chatops) or direct
    database access)
  - For given queries, review parameters regarding data distribution
  - [Check query plans](understanding_explain_plans.md) and suggest improvements
    to queries (changing the query, schema or adding indexes and similar)
  - General guideline is for queries to come in below [100ms execution time](query_performance.md#timing-guidelines-for-queries)
-  - Avoid N+1 problems and minimalize the [query count](merge_request_performance_guidelines.md#query-counts).
+  - Avoid N+1 problems and minimize the [query count](merge_request_performance_guidelines.md#query-counts).
 ### Timing guidelines for migrations

--- a/doc/development/diffs.md
+++ b/doc/development/diffs.md
@@ -14,12 +14,20 @@ We rely on different sources to present diffs. These include:
 ## Deep Dive
+<!-- vale gitlab.Spelling = NO -->
 In January 2019, Oswaldo Ferreira hosted a Deep Dive (GitLab team members only:
 `https://gitlab.com/gitlab-org/create-stage/issues/1`) on GitLab Diffs and Commenting on Diffs
-functionality to share his domain specific knowledge with anyone who may work in this part of the
+functionality to share domain-specific knowledge with anyone who may work in this part of the
-codebase in the future. You can find the <i class="fa fa-youtube-play youtube" aria-hidden="true"></i> [recording on YouTube](https://www.youtube.com/watch?v=K6G3gMcFyek),
+codebase in the future:
-and the slides on [Google Slides](https://docs.google.com/presentation/d/1bGutFH2AT3bxOPZuLMGl1ANWHqFnrxwQwjiwAZkF-TU/edit)
-and in [PDF](https://gitlab.com/gitlab-org/create-stage/uploads/b5ad2f336e0afcfe0f99db0af0ccc71a/).
+<!-- vale gitlab.Spelling = YES -->
+- <i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
+  [Recording on YouTube](https://www.youtube.com/watch?v=K6G3gMcFyek)
+- Slides on [Google Slides](https://docs.google.com/presentation/d/1bGutFH2AT3bxOPZuLMGl1ANWHqFnrxwQwjiwAZkF-TU/edit)
+- [PDF slides](https://gitlab.com/gitlab-org/create-stage/uploads/b5ad2f336e0afcfe0f99db0af0ccc71a/)
 Everything covered in this deep dive was accurate as of GitLab 11.7, and while specific details may
 have changed since then, it should still serve as a good introduction.

--- a/doc/development/documentation/index.md
+++ b/doc/development/documentation/index.md
@@ -514,7 +514,7 @@ To run the tool on an existing screenshot generator, take the following steps:
 1. Set up the [GitLab Development Kit (GDK)](https://gitlab.com/gitlab-org/gitlab-development-kit/blob/master/doc/howto/gitlab_docs.md).
 1. Navigate to the subdirectory with your cloned GitLab repository, typically `gdk/gitlab`.
 1. Make sure that your GDK database is fully migrated: `bin/rake db:migrate RAILS_ENV=development`.
-1. Install pngquant, see the tool website for more information: [`pngquant`](https://pngquant.org/)
+1. Install `pngquant`, see the tool website for more information: [`pngquant`](https://pngquant.org/)
 1. Run `scripts/docs_screenshots.rb spec/docs_screenshots/<name_of_screenshot_generator>.rb <milestone-version>`.
 1. Identify the location of the screenshots, based on the `gitlab/doc` location defined by the `it` parameter in your script.
 1. Commit the newly created screenshots.

--- a/doc/development/documentation/restful_api_styleguide.md
+++ b/doc/development/documentation/restful_api_styleguide.md
@@ -165,7 +165,7 @@ curl --request POST \
 ### Post data using form-data
-Instead of using JSON or urlencode you can use multipart/form-data which
+Instead of using JSON or URL-encoding data, you can use `multipart/form-data` which
 properly handles data encoding:
 ```shell

--- a/doc/development/documentation/site_architecture/index.md
+++ b/doc/development/documentation/site_architecture/index.md
@@ -114,7 +114,7 @@ located in the [Dockerfiles directory](https://gitlab.com/gitlab-org/gitlab-docs
 If you need to rebuild the Docker images immediately (must have maintainer level permissions):
 WARNING:
-If you change the dockerfile configuration and rebuild the images, you can break the master
+If you change the Dockerfile configuration and rebuild the images, you can break the master
 pipeline in the main `gitlab` repository as well as in `gitlab-docs`. Create an image with
 a different name first and test it to ensure you do not break the pipelines.

--- a/doc/development/documentation/testing.md
+++ b/doc/development/documentation/testing.md
@@ -246,7 +246,7 @@ when building the `image:docs-lint-markdown` Docker image containing these tools
 | Tool               | Version  | Command                                   | Additional information |
 |--------------------|----------|-------------------------------------------|------------------------|
 | `markdownlint-cli` | Latest   | `yarn global add markdownlint-cli`        | n/a                    |
-| `markdownlint-cli` | Specfic  | `yarn global add markdownlint-cli@0.23.2` | The `@` indicates a specific version, and this example updates the tool to version `0.23.2`. |
+| `markdownlint-cli` | Specific  | `yarn global add markdownlint-cli@0.23.2` | The `@` indicates a specific version, and this example updates the tool to version `0.23.2`. |
 | Vale               | Latest   | `brew update && brew upgrade vale`        | This command is for macOS only. |
 | Vale               | Specific | n/a                                       | Not possible using `brew`, but can be [directly downloaded](https://github.com/errata-ai/vale/releases). |

--- a/ee/spec/services/resource_access_tokens/create_service_spec.rb
+++ b/ee/spec/services/resource_access_tokens/create_service_spec.rb
@@ -106,7 +106,7 @@ RSpec.describe ResourceAccessTokens::CreateService do
        end
        context "when access provisioning fails" do
-          let_it_be(:user) { create(:user, :project_bot) }
+          let_it_be(:user) { create(:user) }
          let(:unpersisted_member) { build(:project_member, source: resource, user: user) }
          before do

--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@@ -268,6 +268,7 @@ module API
      mount ::API::Release::Links
      mount ::API::RemoteMirrors
      mount ::API::Repositories
+      mount ::API::ResourceAccessTokens
      mount ::API::Search
      mount ::API::Services
      mount ::API::Settings

--- a/lib/api/resource_access_tokens.rb
+++ b/lib/api/resource_access_tokens.rb
+# frozen_string_literal: true
+module API
+  class ResourceAccessTokens < ::API::Base
+    include PaginationParams
+    before { authenticate! }
+    feature_category :authentication_and_authorization
+    %w[project].each do |source_type|
+      resource source_type.pluralize, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
+        desc 'Get list of all access tokens for the specified resource' do
+          detail 'This feature was introduced in GitLab 13.9.'
+        end
+        params do
+          requires :id, type: String, desc: "The #{source_type} ID"
+        end
+        get ":id/access_tokens" do
+          resource = find_source(source_type, params[:id])
+          next unauthorized! unless has_permission_to_read?(resource)
+          tokens = PersonalAccessTokensFinder.new({ user: resource.bots, impersonation: false }).execute
+          present paginate(tokens), with: Entities::PersonalAccessToken
+        end
+        desc 'Revoke a resource access token' do
+          detail 'This feature was introduced in GitLab 13.9.'
+        end
+        params do
+          requires :id, type: String, desc: "The #{source_type} ID"
+          requires :token_id, type: String, desc: "The ID of the token"
+        end
+        delete ':id/access_tokens/:token_id' do
+          resource = find_source(source_type, params[:id])
+          token = find_token(resource, params[:token_id])
+          if token.nil?
+            next not_found!("Could not find #{source_type} access token with token_id: #{params[:token_id]}")
+          end
+          service = ::ResourceAccessTokens::RevokeService.new(
+            current_user,
+            resource,
+            token
+          ).execute
+          service.success? ? no_content! : bad_request!(service.message)
+        end
+        desc 'Create a resource access token' do
+          detail 'This feature was introduced in GitLab 13.9.'
+        end
+        params do
+          requires :id, type: String, desc: "The #{source_type} ID"
+          requires :name, type: String, desc: "Resource access token name"
+          requires :scopes, type: Array[String], desc: "The permissions of the token"
+          optional :expires_at, type: Date, desc: "The expiration date of the token"
+        end
+        post ':id/access_tokens' do
+          resource = find_source(source_type, params[:id])
+          token_response = ::ResourceAccessTokens::CreateService.new(
+            current_user,
+            resource,
+            declared_params
+          ).execute
+          if token_response.success?
+            present token_response.payload[:access_token], with: Entities::PersonalAccessToken
+          else
+            bad_request!(token_response.message)
+          end
+        end
+      end
+    end
+    helpers do
+      def find_source(source_type, id)
+        public_send("find_#{source_type}!", id) # rubocop:disable GitlabSecurity/PublicSend
+      end
+      def find_token(resource, token_id)
+        PersonalAccessTokensFinder.new({ user: resource.bots, impersonation: false }).find_by_id(token_id)
+      end
+      def has_permission_to_read?(resource)
+        can?(current_user, :project_bot_access, resource) || can?(current_user, :admin_resource_access_tokens, resource)
+      end
+    end
+  end
+end
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -468,6 +468,49 @@ RSpec.describe ProjectPolicy do
    end
  end
+  context "project bots" do
+    let(:project_bot) { create(:user, :project_bot) }
+    let(:user) { create(:user) }
+    context "project_bot_access" do
+      context "when regular user and part of the project" do
+        let(:current_user) { user }
+        before do
+          project.add_developer(user)
+        end
+        it { is_expected.not_to be_allowed(:project_bot_access)}
+      end
+      context "when project bot and not part of the project" do
+        let(:current_user) { project_bot }
+        it { is_expected.not_to be_allowed(:project_bot_access)}
+      end
+      context "when project bot and part of the project" do
+        let(:current_user) { project_bot }
+        before do
+          project.add_developer(project_bot)
+        end
+        it { is_expected.to be_allowed(:project_bot_access)}
+      end
+    end
+    context 'with resource access tokens' do
+      let(:current_user) { project_bot }
+      before do
+        project.add_maintainer(project_bot)
+      end
+      it { is_expected.not_to be_allowed(:admin_resource_access_tokens)}
+    end
+  end
  describe 'read_prometheus_alerts' do
    context 'with admin' do
      let(:current_user) { admin }

--- a/spec/requests/api/resource_access_tokens_spec.rb
+++ b/spec/requests/api/resource_access_tokens_spec.rb
--- a/spec/services/users/approve_service_spec.rb
+++ b/spec/services/users/approve_service_spec.rb
@@ -61,6 +61,14 @@ RSpec.describe Users::ApproveService do
          expect(user.reload).to be_active
        end
+        it 'logs approval in application logs' do
+          allow(Gitlab::AppLogger).to receive(:info)
+          subject
+          expect(Gitlab::AppLogger).to have_received(:info).with(message: "User instance access request approved", user: "#{user.username}", email: "#{user.email}", approved_by: "#{current_user.username}", ip_address: "#{current_user.current_sign_in_ip}")
+        end
        it 'emails the user on approval' do
          expect(DeviseMailer).to receive(:user_admin_approval).with(user).and_call_original
          expect { subject }.to have_enqueued_mail(DeviseMailer, :user_admin_approval)

--- a/spec/services/users/reject_service_spec.rb
+++ b/spec/services/users/reject_service_spec.rb
@@ -48,6 +48,14 @@ RSpec.describe Users::RejectService do
          subject
        end
+        it 'logs rejection in application logs' do
+          allow(Gitlab::AppLogger).to receive(:info)
+          subject
+          expect(Gitlab::AppLogger).to have_received(:info).with(message: "User instance access request rejected", user: "#{user.username}", email: "#{user.email}", rejected_by: "#{current_user.username}", ip_address: "#{current_user.current_sign_in_ip}")
+        end
      end
    end