Now that we've migrated to use
ProjectFeature#container_registry_access_level instead of
Project#container_registry_enabled, allow
container_registry_access_level to be modified by the public
projects API.

This allows users to set the visibility of a
container registry independently of the project visibility.

Also update the public API docs.

Deprecate container_registry_enabled in the public API in favor of
container_registry_access_level.

Changelog: deprecated

Changelog: added

Remove the read_container_registry_access_level feature flag and
always read project_features.container_registry_access_level instead
of projects.container_registry_enabled.

Changelog: changed

Improves performance of authenticated request on the /projects
endpoint

Changelog: performance

- follow style guide.

This change improves the performance of the api/v4/projects/:id/users
endpoint (behind FF). The change also changes a database index in the
project_authorizations table.

Changelog: performance

Rename project association from jira_service to jira_integration

Changelog: security

Changelog: removed

Put the reading of project_features.container_registry_access_level
instead of projects.container_registry_enabled behind a feature flag
called read_container_registry_access_level.

Update readers of projects.container_registry_enabled to read
project_features.container_registry_access_level.

Writers will continue writing to projects.container_registry_enabled.
The before_update callback on the Project model and the before_create
on ProjectFeature model will copy the value to
project_features.container_registry_access_level.

Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/26261

Set `default_branch` value as a default branch name for non-empty
repositories.

Changelog: fixed

Expose the project's squash option (never, always, default_on,
default_off) as part of the projects API. This commit updates the
Projects API documentation accordingly, and delegates the squash
option to the project's settings.

Changelog: changed
MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/63543

This removes the `Links` header in favour of the standard `Link` header,
which was added in 13.1

See: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/33714

Changelog: changed

Use specialized worker to refresh authorizations on group share removal [RUN ALL RSPEC] [RUN AS-IF-FOSS]

Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/28902

* Filter out shared groups user does not have access to

Changelog: added

Objects created via let_it_be are shared between tests.
Sometimes we reload them in order to reset the state.
Sometimes it's not enough.
For example, some tests fail because @_destroyed instance
variable preserved. So the objects removed in a previous
test, marked as removed in the subsequent ones.

Let's use refind to fix those cases

So we can test a single project schema included in other entities

We have rolled this out in production and seen that it works: no
increase in error rate, and temporary files do not hang around any more.

Previously if the project were on the `GITLAB_UPLOAD_API_ALLOWLIST`
exemption list we would not log a message. However, it is still useful
to track these exceptions so that we know that they are happening. We
add a `upload_allowed` boolean field to make it possible to filter these
exempted uploads.

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/325788

Rack writes files from multipart/form-data requests to disk in a
temporary file. Rack includes a middleware to clean these up -
Rack::TempfileReaper - but that won't withstand a process being sent
SIGKILL. To handle that case, we can immediately unlink the created
temporary file, which means it will be removed once we're done with it
or the current process goes away.

For development mode and test mode, we have to ensure that this new
middleware is before Gitlab::Middleware::Static, otherwise we might not
get the chance to set our own middleware.

With direct upload configured, GitLab mostly doesn't accept
multipart/form-data requests in a way where they reach Rack directly -
they typically go via Workhorse which accelerates them - but there are
cases where it can happen, and direct upload is still only an option.

To test this manually, we can set `$GITLAB_API_TOKEN_LOCAL` to a
personal access token for the API in the local environment,
`$PATH_TO_FILE` to be a path to a (preferably large) file to be
uploaded, and break the actual saving of uploads (in the default case
with GDK, stop Minio):

    curl -H "Private-Token: $GITLAB_API_TOKEN_LOCAL" \
      -F "file=@$PATH_TO_FILE" \
      http://localhost:3000/api/v4/projects/1/uploads

Once the upload is finished and the request fails, we'll see the file we
uploaded in `$TMPDIR`:

    $ ls -l $TMPDIR/RackMultipart* | awk '{ print $5, $8 }'
    952107008 17:40

With this change, that won't happen: we'll see the file created and
immediately unlinked, so no matter what happens, it won't stick around
on disk. (This specific test case is handled by Rack::TempfileReaper in
later versions of Rack, but it still depends on manual cleanup.)

Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/322739

When we retrieve projects from the REST endpoint and there are
several forks inside, there are several N+1.

In this commit we fix several of those.

Since Workhorse started accelerating attachments in the upload API
(https://gitlab.com/gitlab-org/gitlab/-/merge_requests/57250), the
`content_length` log in `api_json.log` no longer holds the actual bytes
used by the uploaded file. It now reports the number of bytes from the
Workhorse JSON metadata.

In order to determine which projects might be exceeding this limit, we
log a JSON warning that will make it easier to fill in the allow list
for https://gitlab.com/gitlab-org/gitlab/-/issues/325788.

This adds the `enforce_max_attachment_size_upload_api` feature flag to
enable enforcement of max attachment size in the upload API.  If the
feature is not enabled, we limit to 1 GB by
default. `GITLAB_UPLOAD_API_ALLOWLIST` can be set in the environment to
allow certain project IDs to bypass enforcement.

Add /api/v4/projects/:id/uploads/authorize endpoint

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/324813

This enables Workhorse to accelerate API uploads and limits to the
configured maximum attachment size (10 MB by default).

api/project_spec is failing on FOSS since 'issues_templates' and
'merge_requests_templates' attributes were moved to EE

Related to https://gitlab.com/gitlab-org/gitlab/-/issues/323953

Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/28902

* Add `ProjectGroupFinder` to fetch ancestor and shared groups for the
project
* Add `projects/:id/groups` endpoint to Project API
* Add documentation for the new endpoint

In this commit we move some project related classes to the
`Projects` namespace. This is an effort to have everything
in the codebase aligned.