Add latest changes from gitlab-org/gitlab@15-9-stable-eev15.9.0-rc42

29 files changed, 760 insertions, 356 deletions

diff --git a/.gitlab/ci/as-if-jh.gitlab-ci.yml b/.gitlab/ci/as-if-jh.gitlab-ci.yml
index 6019c8a9649..6bd46bee770 100644
--- a/.gitlab/ci/as-if-jh.gitlab-ci.yml
+++ b/.gitlab/ci/as-if-jh.gitlab-ci.yml
@@ -10,7 +10,7 @@ add-jh-files:
   extends:
     - .shared-as-if-jh
     - .as-if-jh:rules:prepare-as-if-jh
-  image: ${GITLAB_DEPENDENCY_PROXY}ruby:${RUBY_VERSION}
+  image: ${GITLAB_DEPENDENCY_PROXY_ADDRESS}ruby:${RUBY_VERSION}
   stage: prepare
   before_script:
     - source ./scripts/utils.sh
@@ -38,12 +38,12 @@ prepare-as-if-jh-branch:
   needs:
     - add-jh-files
   script:
+    # Fetch for the history of the branch so it does not cause the following error:
+    #   ! [remote rejected] ref -> ref (shallow update not allowed)
+    - git fetch --unshallow --filter=tree:0 origin "${CI_COMMIT_SHA}"
     - git checkout -b "${AS_IF_JH_BRANCH}"
     - git add ${JH_FILES_TO_COMMIT}
     - git commit -m 'Add JH files'  # TODO: Mark which SHA we add
-    # Fetch for the history of the branch so it does not cause the following error:
-    #   ! [remote rejected] ref -> ref (shallow update not allowed)
-    - git fetch --unshallow --filter=tree:0 origin "${CI_COMMIT_REF_NAME}"
     - git push -f "${SANDBOX_REPOSITORY}" "${AS_IF_JH_BRANCH}"
 
 start-as-if-jh:
diff --git a/.gitlab/ci/build-images.gitlab-ci.yml b/.gitlab/ci/build-images.gitlab-ci.yml
index 05748cff266..4ee15ccb311 100644
--- a/.gitlab/ci/build-images.gitlab-ci.yml
+++ b/.gitlab/ci/build-images.gitlab-ci.yml
@@ -27,6 +27,34 @@ build-qa-image as-if-foss:
   extends:
     - build-qa-image
     - .as-if-foss
+    - .build-images:rules:build-qa-image-as-if-foss
+
+# Prepares an image with GDK configured based on code in master. This saves some time in MRs because some installation
+# and complilation will have already been performed.
+build-qa-on-gdk-master-image:
+  extends:
+    - .base-image-build-buildx
+    - .build-images:rules:build-qa-on-gdk-master-image
+  tags:
+    - e2e
+  stage: build-images
+  needs: []
+  variables:
+    QA_GDK_IMAGE: "${CI_REGISTRY}/${CI_PROJECT_PATH}/gitlab-qa-gdk"
+  before_script:
+    - !reference [.use-buildx, before_script]
+    - sysctl -n -w fs.inotify.max_user_watches=524288
+  script:
+    - |
+      docker buildx build \
+        --cache-to=type=inline \
+        --cache-from ${QA_GDK_IMAGE}:master \
+        --platform=${ARCH:-amd64} \
+        --add-host gdk.test:127.0.0.1 \
+        --tag ${QA_GDK_IMAGE}:master \
+        --file="qa/gdk/Dockerfile" \
+        --push \
+        ${CI_PROJECT_DIR}
 
 build-assets-image:
   extends:
diff --git a/.gitlab/ci/caching.gitlab-ci.yml b/.gitlab/ci/caching.gitlab-ci.yml
index 6a13fc3c56f..31975e481bc 100644
--- a/.gitlab/ci/caching.gitlab-ci.yml
+++ b/.gitlab/ci/caching.gitlab-ci.yml
@@ -47,16 +47,15 @@ cache-assets:test as-if-foss:
     - .as-if-foss
 
 cache-assets:production:
-  extends: .cache-assets-base
-  variables:
-    NODE_ENV: "production"
-    RAILS_ENV: "production"
+  extends:
+    - .cache-assets-base
+    - .production
 
 packages-cleanup:
   extends:
     - .default-retry
     - .caching:rules:packages-cleanup
-  image: ${GITLAB_DEPENDENCY_PROXY}ruby:${RUBY_VERSION}
+  image: ${GITLAB_DEPENDENCY_PROXY_ADDRESS}ruby:${RUBY_VERSION}
   stage: prepare
   before_script:
     - source scripts/utils.sh
diff --git a/.gitlab/ci/database.gitlab-ci.yml b/.gitlab/ci/database.gitlab-ci.yml
new file mode 100644
index 00000000000..ace968ec249
--- /dev/null
+++ b/.gitlab/ci/database.gitlab-ci.yml
@@ -0,0 +1,118 @@
+include:
+  - local: .gitlab/ci/rails/shared.gitlab-ci.yml
+
+db:rollback:
+  extends:
+    - .db-job-base
+    - .rails:rules:db-rollback
+  script:
+    - scripts/db_tasks db:migrate VERSION=20220502173045  # 14.10 (last 14.x version)
+    - scripts/db_tasks db:migrate
+
+db:rollback single-db:
+  extends:
+    - db:rollback
+    - .single-db
+    - .rails:rules:single-db
+
+db:migrate:reset:
+  extends: .db-job-base
+  script:
+    - bundle exec rake db:migrate:reset
+
+db:migrate:reset single-db:
+  extends:
+    - db:migrate:reset
+    - .single-db
+    - .rails:rules:single-db
+
+db:check-schema:
+  extends:
+    - .db-job-base
+    - .rails:rules:ee-mr-and-default-branch-only
+  script:
+    - run_timed_command "bundle exec rake db:drop db:create"
+    - run_timed_command "scripts/db_tasks db:migrate"
+
+db:check-schema-single-db:
+  extends:
+    - db:check-schema
+    - .single-db
+    - .rails:rules:single-db
+
+db:check-migrations:
+  extends:
+    - .db-job-base
+    - .rails:rules:ee-and-foss-mr-with-migration
+  script:
+    - git fetch origin $CI_MERGE_REQUEST_TARGET_BRANCH_NAME:$CI_MERGE_REQUEST_TARGET_BRANCH_NAME --depth 20
+    - scripts/validate_migration_schema
+  allow_failure: true
+
+db:check-migrations-single-db:
+  extends:
+    - db:check-migrations
+    - .single-db
+    - .rails:rules:db:check-migrations-single-db
+
+db:post_deployment_migrations_validator:
+  extends:
+    - .db-job-base
+    - .rails:rules:ee-and-foss-mr-with-migration
+  script:
+    - git fetch origin $CI_MERGE_REQUEST_TARGET_BRANCH_NAME:$CI_MERGE_REQUEST_TARGET_BRANCH_NAME --depth 20
+    - scripts/post_deployment_migrations_validator
+  allow_failure: true
+
+db:post_deployment_migrations_validator-single-db:
+  extends:
+    - db:post_deployment_migrations_validator
+    - .single-db
+    - .rails:rules:db:check-migrations-single-db
+
+db:migrate-non-superuser:
+  extends:
+    - .db-job-base
+    - .rails:rules:ee-and-foss-mr-with-migration
+  script:
+    - bundle exec rake gitlab:db:reset_as_non_superuser
+
+db:gitlabcom-database-testing:
+  extends: .rails:rules:db:gitlabcom-database-testing
+  stage: test
+  image: ruby:${RUBY_VERSION}-alpine
+  needs: []
+  allow_failure: true
+  script:
+    - source scripts/utils.sh
+    - install_gitlab_gem
+    - ./scripts/trigger-build.rb gitlab-com-database-testing
+
+db:backup_and_restore:
+  extends:
+    - .db-job-base
+    - .rails:rules:db-backup
+  variables:
+    SETUP_DB: "false"
+    GITLAB_ASSUME_YES: "1"
+  script:
+    - . scripts/prepare_build.sh
+    - bundle exec rake db:drop db:create db:structure:load db:seed_fu
+    - mkdir -p tmp/tests/public/uploads tmp/tests/{artifacts,pages,lfs-objects,terraform_state,registry,packages}
+    - bundle exec rake gitlab:backup:create
+    - date
+    - bundle exec rake gitlab:backup:restore
+
+db:backup_and_restore single-db:
+  extends:
+    - db:backup_and_restore
+    - .single-db
+    - .rails:rules:db-backup
+
+db:rollback geo:
+  extends:
+    - db:rollback
+    - .rails:rules:ee-only-migration
+  script:
+    - bundle exec rake db:migrate:geo VERSION=20170627195211
+    - bundle exec rake db:migrate:geo
diff --git a/.gitlab/ci/dev-fixtures.gitlab-ci.yml b/.gitlab/ci/dev-fixtures.gitlab-ci.yml
index ea868ada621..0ff469d7114 100644
--- a/.gitlab/ci/dev-fixtures.gitlab-ci.yml
+++ b/.gitlab/ci/dev-fixtures.gitlab-ci.yml
@@ -16,7 +16,7 @@
 
 .run-dev-fixtures-script: &run-dev-fixtures-script
   - run_timed_command "scripts/gitaly-test-spawn"
-  - run_timed_command "RAILS_ENV=test bundle exec rake db:seed_fu"
+  - run_timed_command "bundle exec rake db:seed_fu"
 
 run-dev-fixtures:
   extends:
diff --git a/.gitlab/ci/docs.gitlab-ci.yml b/.gitlab/ci/docs.gitlab-ci.yml
index 02fc58f8580..b404444f815 100644
--- a/.gitlab/ci/docs.gitlab-ci.yml
+++ b/.gitlab/ci/docs.gitlab-ci.yml
@@ -42,7 +42,7 @@ review-docs-cleanup:
 docs-lint links:
   extends:
     - .docs:rules:docs-lint
-  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-docs/lint-html:alpine-3.16-ruby-2.7.6-0bc327a4
+  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-docs/lint-html:alpine-3.16-ruby-3.0.5-869cfc5d
   stage: lint
   needs: []
   script:
@@ -58,18 +58,31 @@ docs-lint links:
 
 .docs-markdown-lint-image:
   # When updating the image version here, update it in /scripts/lint-doc.sh too.
-  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-docs/lint-markdown:alpine-3.16-vale-2.20.1-markdownlint-0.32.2
+  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-docs/lint-markdown:alpine-3.16-vale-2.22.0-markdownlint-0.32.2-markdownlint2-0.6.0
 
 docs-lint markdown:
   extends:
     - .default-retry
     - .docs:rules:docs-lint
     - .docs-markdown-lint-image
+    - .yarn-cache
   stage: lint
   needs: []
   script:
+    - source ./scripts/utils.sh
+    - yarn_install_script
     - scripts/lint-doc.sh
 
+docs-lint blueprint:
+  extends:
+    - .default-retry
+    - .docs:rules:docs-blueprints-lint
+  image: ${GITLAB_DEPENDENCY_PROXY_ADDRESS}ruby:${RUBY_VERSION}-slim
+  stage: lint
+  needs: []
+  script:
+    - scripts/lint-docs-blueprints.rb
+
 docs code_quality:
   extends:
     - .reports:rules:code_quality
diff --git a/.gitlab/ci/frontend.gitlab-ci.yml b/.gitlab/ci/frontend.gitlab-ci.yml
index 0c9cdc28136..2e0d83187cf 100644
--- a/.gitlab/ci/frontend.gitlab-ci.yml
+++ b/.gitlab/ci/frontend.gitlab-ci.yml
@@ -33,10 +33,8 @@
 compile-production-assets:
   extends:
     - .compile-assets-base
+    - .production
     - .frontend:rules:compile-production-assets
-  variables:
-    NODE_ENV: "production"
-    RAILS_ENV: "production"
   artifacts:
     name: webpack-report
     expire_in: 31d
@@ -131,7 +129,7 @@ rspec-all frontend_fixture:
   needs:
     - !reference [.frontend-fixtures-base, needs]
     - "compile-test-assets"
-  parallel: 5
+  parallel: 7
 
 # Builds FOSS fixtures in the EE project, with the `ee/` folder removed (due to `as-if-foss`).
 rspec-all frontend_fixture as-if-foss:
@@ -202,7 +200,7 @@ jest:
       - tmp/tests/frontend/
     reports:
       junit: junit_jest.xml
-  parallel: 5
+  parallel: 7
 
 jest predictive:
   extends:
@@ -220,7 +218,7 @@ jest as-if-foss:
     - .frontend:rules:jest:as-if-foss
     - .as-if-foss
   needs: ["rspec-all frontend_fixture as-if-foss"]
-  parallel: 2
+  parallel: 4
 
 jest predictive as-if-foss:
   extends:
diff --git a/.gitlab/ci/global.gitlab-ci.yml b/.gitlab/ci/global.gitlab-ci.yml
index 90f00c887f7..ba623ef4cbe 100644
--- a/.gitlab/ci/global.gitlab-ci.yml
+++ b/.gitlab/ci/global.gitlab-ci.yml
@@ -21,6 +21,12 @@
     - !reference [.default-utils-before_script, before_script]
     - source scripts/prepare_build.sh
 
+.production:
+  variables:
+    RAILS_ENV: "production"
+    NODE_ENV: "production"
+    GITLAB_ALLOW_SEPARATE_CI_DATABASE: "true"
+
 .ruby-gems-cache: &ruby-gems-cache
   key: "ruby-gems-debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}"
   paths:
@@ -257,9 +263,13 @@
     - name: redis:5.0-alpine
     - name: elasticsearch:7.17.6
       command: ["elasticsearch", "-E", "discovery.type=single-node", "-E", "xpack.security.enabled=false"]
+    - name: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:zoekt-ci-image-1.0
+      alias: zoekt-ci-image
   variables:
     POSTGRES_HOST_AUTH_METHOD: trust
     PG_VERSION: "11"
+    ZOEKT_INDEX_BASE_URL: http://zoekt-ci-image:6060
+    ZOEKT_SEARCH_BASE_URL: http://zoekt-ci-image:6070
 
 .use-pg12-es7-ee:
   services:
@@ -268,9 +278,13 @@
     - name: redis:6.0-alpine
     - name: elasticsearch:7.17.6
       command: ["elasticsearch", "-E", "discovery.type=single-node", "-E", "xpack.security.enabled=false"]
+    - name: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:zoekt-ci-image-1.0
+      alias: zoekt-ci-image
   variables:
     POSTGRES_HOST_AUTH_METHOD: trust
     PG_VERSION: "12"
+    ZOEKT_INDEX_BASE_URL: http://zoekt-ci-image:6060
+    ZOEKT_SEARCH_BASE_URL: http://zoekt-ci-image:6070
 
 .use-pg13-es7-ee:
   services:
@@ -279,9 +293,13 @@
     - name: redis:6.2-alpine
     - name: elasticsearch:7.17.6
       command: ["elasticsearch", "-E", "discovery.type=single-node", "-E", "xpack.security.enabled=false"]
+    - name: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:zoekt-ci-image-1.0
+      alias: zoekt-ci-image
   variables:
     POSTGRES_HOST_AUTH_METHOD: trust
     PG_VERSION: "13"
+    ZOEKT_INDEX_BASE_URL: http://zoekt-ci-image:6060
+    ZOEKT_SEARCH_BASE_URL: http://zoekt-ci-image:6070
 
 .use-pg12-es8-ee:
   services:
@@ -289,11 +307,15 @@
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
     - name: redis:6.0-alpine
     - name: elasticsearch:8.5.3
+    - name: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:zoekt-ci-image-1.0
+      alias: zoekt-ci-image
   variables:
     POSTGRES_HOST_AUTH_METHOD: trust
     PG_VERSION: "12"
     ES_SETTING_DISCOVERY_TYPE: "single-node"
     ES_SETTING_XPACK_SECURITY_ENABLED: "false"
+    ZOEKT_INDEX_BASE_URL: http://zoekt-ci-image:6060
+    ZOEKT_SEARCH_BASE_URL: http://zoekt-ci-image:6070
 
 .use-pg12-opensearch1-ee:
   services:
@@ -303,9 +325,13 @@
     - name: opensearchproject/opensearch:1.3.5
       alias: elasticsearch
       command: ["bin/opensearch", "-E", "discovery.type=single-node", "-E", "plugins.security.disabled=true"]
+    - name: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:zoekt-ci-image-1.0
+      alias: zoekt-ci-image
   variables:
     POSTGRES_HOST_AUTH_METHOD: trust
     PG_VERSION: "12"
+    ZOEKT_INDEX_BASE_URL: http://zoekt-ci-image:6060
+    ZOEKT_SEARCH_BASE_URL: http://zoekt-ci-image:6070
 
 .use-pg12-opensearch2-ee:
   services:
@@ -315,9 +341,13 @@
     - name: opensearchproject/opensearch:2.2.1
       alias: elasticsearch
       command: ["bin/opensearch", "-E", "discovery.type=single-node", "-E", "plugins.security.disabled=true"]
+    - name: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:zoekt-ci-image-1.0
+      alias: zoekt-ci-image
   variables:
     POSTGRES_HOST_AUTH_METHOD: trust
     PG_VERSION: "12"
+    ZOEKT_INDEX_BASE_URL: http://zoekt-ci-image:6060
+    ZOEKT_SEARCH_BASE_URL: http://zoekt-ci-image:6070
 
 .use-kaniko:
   image:
diff --git a/.gitlab/ci/memory.gitlab-ci.yml b/.gitlab/ci/memory.gitlab-ci.yml
index efdae0715aa..5d6b90d107d 100644
--- a/.gitlab/ci/memory.gitlab-ci.yml
+++ b/.gitlab/ci/memory.gitlab-ci.yml
@@ -19,12 +19,11 @@
 memory-on-boot:
   extends:
     - .only-code-memory-job-base
+    - .production
     - .use-pg12
   stage: test
   needs: ["setup-test-env", "compile-test-assets"]
   variables:
-    NODE_ENV: "production"
-    RAILS_ENV: "production"
     SETUP_DB: "true"
     MEMORY_ON_BOOT_FILE_PREFIX: "tmp/memory_on_boot_"
     TEST_COUNT: 5
diff --git a/.gitlab/ci/notify.gitlab-ci.yml b/.gitlab/ci/notify.gitlab-ci.yml
index 638e1cd8bd8..20f19978022 100644
--- a/.gitlab/ci/notify.gitlab-ci.yml
+++ b/.gitlab/ci/notify.gitlab-ci.yml
@@ -55,13 +55,14 @@ notify-pipeline-failure:
   script:
     - |
       if [[ "${CREATE_INCIDENT_FOR_PIPELINE_FAILURE}" == "true" ]]; then
-        scripts/create-pipeline-failure-incident.rb -p ${INCIDENT_PROJECT} -f ${INCIDENT_JSON} -t ${BROKEN_BRANCH_PROJECT_TOKEN};
+        scripts/create-pipeline-failure-incident.rb -p ${INCIDENT_PROJECT} -f ${INCIDENT_JSON} -t ${BROKEN_BRANCH_PROJECT_TOKEN} ||
+          scripts/slack ${SLACK_CHANNEL} "☠️  Broken pipeline incident creation failed! ☠️  See ${CI_JOB_URL}" ci_failing "Failed pipeline reporter";
         echosuccess "Created incident $(jq '.web_url' ${INCIDENT_JSON})";
       fi
     - |
       scripts/generate-failed-pipeline-slack-message.rb -i ${INCIDENT_JSON} -f ${FAILED_PIPELINE_SLACK_MESSAGE_FILE};
       curl -X POST -H 'Content-Type: application/json' --data @${FAILED_PIPELINE_SLACK_MESSAGE_FILE} "$CI_SLACK_WEBHOOK_URL" ||
-        scripts/slack ${SLACK_CHANNEL} "☠️  Broken pipeline notification failed! ☠️  See ${CI_JOB_URL}" ci_failing "Failed pipeline reporter"
+        scripts/slack ${SLACK_CHANNEL} "☠️  Broken pipeline notification failed! ☠️  See ${CI_JOB_URL}" ci_failing "Failed pipeline reporter";
 
   artifacts:
     paths:
diff --git a/.gitlab/ci/package-and-test/main.gitlab-ci.yml b/.gitlab/ci/package-and-test/main.gitlab-ci.yml
index 48059d9518f..0d30cb78be7 100644
--- a/.gitlab/ci/package-and-test/main.gitlab-ci.yml
+++ b/.gitlab/ci/package-and-test/main.gitlab-ci.yml
@@ -1,4 +1,5 @@
 # E2E tests pipeline loaded dynamically by script: scripts/generate-e2e-pipeline
+# For adding new tests, refer to: doc/development/testing_guide/end_to_end/package_and_test_pipeline.md
 
 default:
   interruptible: true
@@ -7,7 +8,7 @@ include:
   - local: .gitlab/ci/package-and-test/rules.gitlab-ci.yml
   - local: .gitlab/ci/package-and-test/variables.gitlab-ci.yml
   - project: gitlab-org/quality/pipeline-common
-    ref: 1.14.1
+    ref: 2.0.0
     file:
       - /ci/base.gitlab-ci.yml
       - /ci/allure-report.yml
@@ -57,15 +58,16 @@ stages:
       optional: true
     - job: download-knapsack-report
       artifacts: true
+      optional: true
   variables:
     QA_GENERATE_ALLURE_REPORT: "true"
     QA_CAN_TEST_PRAEFECT: "false"
     QA_INTERCEPT_REQUESTS: "true"
     QA_RUN_TYPE: e2e-package-and-test
-    TEST_LICENSE_MODE: $QA_TEST_LICENSE_MODE
     EE_LICENSE: $QA_EE_LICENSE
     GITHUB_ACCESS_TOKEN: $QA_GITHUB_ACCESS_TOKEN
     GITLAB_QA_ADMIN_ACCESS_TOKEN: $QA_ADMIN_ACCESS_TOKEN
+    GITLAB_LICENSE_MODE: test
 
 # ==========================================
 # Prepare stage
@@ -161,7 +163,7 @@ trigger-omnibus:
 download-knapsack-report:
   extends:
     - .gitlab-qa-image
-    - .rules:prepare
+    - .rules:download-knapsack
   stage: .pre
   variables:
     KNAPSACK_DIR: ${CI_PROJECT_DIR}/qa/knapsack
@@ -216,13 +218,13 @@ _ee:quarantine:
 # ------------------------------------------
 
 # Run specs with feature flags set to the opposite of the default state
-ee:instance-parallel-ff-inverse:
+ee:instance-ff-inverse:
   extends:
     - .qa
     - .parallel
   variables:
     QA_SCENARIO: Test::Instance::Image
-    QA_KNAPSACK_REPORT_NAME: ee-instance-parallel
+    QA_KNAPSACK_REPORT_NAME: ee-instance
     GITLAB_QA_OPTS: --set-feature-flags $QA_FEATURE_FLAGS
   rules:
     - !reference [.rules:test:feature-flags-set, rules]
@@ -230,140 +232,141 @@ ee:instance-parallel-ff-inverse:
 # ------------------------------------------
 # Jobs with parallel variant
 # ------------------------------------------
-ee:instance:
+ee:instance-selective:
   extends: .qa
   variables:
     QA_SCENARIO: Test::Instance::Image
   rules:
-    - !reference [.rules:test:qa-non-parallel, rules]
+    - !reference [.rules:test:qa-selective, rules]
     - if: $QA_SUITES =~ /Test::Instance::All/
-ee:instance-parallel:
+ee:instance:
   extends:
     - .parallel
-    - ee:instance
+    - ee:instance-selective
   rules:
-    - !reference [.rules:test:feature-flags-set, rules]  # always run instance-parallel to validate ff change
+    - !reference [.rules:test:feature-flags-set, rules]  # always run ee:instance to validate ff change
     - !reference [.rules:test:qa-parallel, rules]
     - if: $QA_SUITES =~ /Test::Instance::All/
 
-ee:praefect:
+ee:praefect-selective:
   extends: .qa
   variables:
     QA_SCENARIO: Test::Integration::Praefect
     QA_CAN_TEST_PRAEFECT: "true"
   rules:
-    - !reference [.rules:test:qa-non-parallel, rules]
+    - !reference [.rules:test:qa-selective, rules]
     - if: $QA_SUITES =~ /Test::Instance::All/
-ee:praefect-parallel:
+ee:praefect:
   extends:
     - .parallel
-    - ee:praefect
+    - ee:praefect-selective
   rules:
     - !reference [.rules:test:qa-parallel, rules]
     - if: $QA_SUITES =~ /Test::Instance::All/
 
-ee:relative-url:
+ee:relative-url-selective:
   extends: .qa
   variables:
     QA_SCENARIO: Test::Instance::RelativeUrl
   rules:
-    - !reference [.rules:test:qa-non-parallel, rules]
+    - !reference [.rules:test:qa-selective, rules]
     - if: $QA_SUITES =~ /Test::Instance::All/
-ee:relative-url-parallel:
+ee:relative-url:
   extends:
     - .parallel
-    - ee:relative-url
+    - ee:relative-url-selective
   rules:
     - !reference [.rules:test:qa-parallel, rules]
     - if: $QA_SUITES =~ /Test::Instance::All/
 
-ee:decomposition-single-db:
+ee:decomposition-single-db-selective:
   extends: .qa
   variables:
     QA_SCENARIO: Test::Instance::Image
     GITLAB_QA_OPTS: --omnibus-config decomposition_single_db
   rules:
-    - !reference [.rules:test:qa-non-parallel, rules]
+    - !reference [.rules:test:qa-selective, rules]
     - if: $QA_SUITES =~ /Test::Instance::All/
-ee:decomposition-single-db-parallel:
+ee:decomposition-single-db:
   extends:
     - .parallel
-    - ee:decomposition-single-db
+    - ee:decomposition-single-db-selective
   rules:
     - !reference [.rules:test:qa-parallel, rules]
     - if: $QA_SUITES =~ /Test::Instance::All/
 
-ee:decomposition-multiple-db:
+ee:decomposition-multiple-db-selective:
   extends: .qa
   variables:
     QA_SCENARIO: Test::Instance::Image
+    GITLAB_ALLOW_SEPARATE_CI_DATABASE: "true"
     GITLAB_QA_OPTS: --omnibus-config decomposition_multiple_db
   rules:
-    - !reference [.rules:test:qa-non-parallel, rules]
+    - !reference [.rules:test:qa-selective, rules]
     - if: $QA_SUITES =~ /Test::Instance::All/
-ee:decomposition-multiple-db-parallel:
+ee:decomposition-multiple-db:
   extends:
     - .parallel
-    - ee:decomposition-multiple-db
+    - ee:decomposition-multiple-db-selective
   rules:
     - !reference [.rules:test:qa-parallel, rules]
     - if: $QA_SUITES =~ /Test::Instance::All/
 
-ee:object-storage:
+ee:object-storage-selective:
   extends: .qa
   variables:
     QA_SCENARIO: Test::Instance::Image
     QA_RSPEC_TAGS: --tag object_storage
     GITLAB_QA_OPTS: --omnibus-config object_storage
   rules:
-    - !reference [.rules:test:qa-non-parallel, rules]
+    - !reference [.rules:test:qa-selective, rules]
     - if: $QA_SUITES =~ /Test::Instance::ObjectStorage/
-ee:object-storage-parallel:
-  extends: ee:object-storage
+ee:object-storage:
+  extends: ee:object-storage-selective
   parallel: 2
   rules:
     - !reference [.rules:test:qa-parallel, rules]
     - if: $QA_SUITES =~ /Test::Instance::ObjectStorage/
 
-ee:object-storage-aws:
-  extends: ee:object-storage
+ee:object-storage-aws-selective:
+  extends: ee:object-storage-selective
   variables:
     AWS_S3_ACCESS_KEY: $QA_AWS_S3_ACCESS_KEY
     AWS_S3_BUCKET_NAME: $QA_AWS_S3_BUCKET_NAME
     AWS_S3_KEY_ID: $QA_AWS_S3_KEY_ID
     AWS_S3_REGION: $QA_AWS_S3_REGION
     GITLAB_QA_OPTS: --omnibus-config object_storage_aws
-ee:object-storage-aws-parallel:
-  extends: ee:object-storage-aws
+ee:object-storage-aws:
+  extends: ee:object-storage-aws-selective
   parallel: 2
   rules:
-    - !reference [ee:object-storage-parallel, rules]
+    - !reference [ee:object-storage, rules]
 
-ee:object-storage-gcs:
-  extends: ee:object-storage
+ee:object-storage-gcs-selective:
+  extends: ee:object-storage-selective
   variables:
     GCS_BUCKET_NAME: $QA_GCS_BUCKET_NAME
     GOOGLE_PROJECT: $QA_GOOGLE_PROJECT
     GOOGLE_JSON_KEY: $QA_GOOGLE_JSON_KEY
     GOOGLE_CLIENT_EMAIL: $QA_GOOGLE_CLIENT_EMAIL
     GITLAB_QA_OPTS: --omnibus-config object_storage_gcs
-ee:object-storage-gcs-parallel:
-  extends: ee:object-storage-gcs
+ee:object-storage-gcs:
+  extends: ee:object-storage-gcs-selective
   parallel: 2
   rules:
-    - !reference [ee:object-storage-parallel, rules]
+    - !reference [ee:object-storage, rules]
 
-ee:packages:
+ee:packages-selective:
   extends: .qa
   variables:
     QA_SCENARIO: Test::Instance::Image
     QA_RSPEC_TAGS: --tag packages
     GITLAB_QA_OPTS: --omnibus-config packages
   rules:
-    - !reference [.rules:test:qa-non-parallel, rules]
+    - !reference [.rules:test:qa-selective, rules]
     - if: $QA_SUITES =~ /Test::Instance::Packages/
-ee:packages-parallel:
-  extends: ee:packages
+ee:packages:
+  extends: ee:packages-selective
   parallel: 2
   rules:
     - !reference [.rules:test:qa-parallel, rules]
@@ -440,7 +443,7 @@ ee:jira:
     JIRA_ADMIN_PASSWORD: $QA_JIRA_ADMIN_PASSWORD
   rules:
     - !reference [.rules:test:qa, rules]
-    - if: $QA_SUITES =~ /Test::Instance::Jira/
+    - if: $QA_SUITES =~ /Test::Integration::Jira/
     - !reference [.rules:test:manual, rules]
 
 ee:integrations:
@@ -485,7 +488,7 @@ ee:mtls:
     QA_SCENARIO: Test::Integration::MTLS
   rules:
     - !reference [.rules:test:qa, rules]
-    - if: $QA_SUITES =~ /Test::Integration::MTLS/
+    - if: $QA_SUITES =~ /Test::Integration::Mtls/
     - !reference [.rules:test:manual, rules]
 
 ee:mattermost:
@@ -584,7 +587,6 @@ ee:elasticsearch:
   variables:
     QA_SCENARIO: "Test::Integration::Elasticsearch"
   before_script:
-    - unset ELASTIC_URL  # unset url which is globally defined in .gitlab-ci.yml
     - !reference [.qa, before_script]
   rules:
     - !reference [.rules:test:qa, rules]
@@ -592,7 +594,7 @@ ee:elasticsearch:
     - !reference [.rules:test:manual, rules]
 
 ee:registry-object-storage-tls:
-  extends: ee:object-storage-aws
+  extends: ee:object-storage-aws-selective
   variables:
     QA_SCENARIO: Test::Integration::RegistryTLS
     QA_RSPEC_TAGS: ""
@@ -619,16 +621,11 @@ e2e-test-report:
     - .rules:report:allure-report
   stage: report
   variables:
-    GITLAB_AUTH_TOKEN: $GITLAB_QA_MR_ALLURE_REPORT_TOKEN
+    GITLAB_AUTH_TOKEN: $PROJECT_TOKEN_FOR_CI_SCRIPTS_API_USAGE
     ALLURE_PROJECT_PATH: $CI_PROJECT_PATH
     ALLURE_MERGE_REQUEST_IID: $CI_MERGE_REQUEST_IID
     ALLURE_JOB_NAME: e2e-package-and-test
     GIT_STRATEGY: none
-  artifacts:  # save rspec results for displaying in parent pipeline
-    expire_in: 1 day
-    when: always
-    paths:
-      - gitlab-qa-run-*/**/rspec-*.xml
 
 upload-knapsack-report:
   extends:
@@ -658,7 +655,7 @@ relate-test-failures:
   variables:
     QA_FAILURES_REPORTING_PROJECT: gitlab-org/gitlab
     QA_FAILURES_MAX_DIFF_RATIO: "0.15"
-    GITLAB_QA_ACCESS_TOKEN: $GITLAB_QA_PRODUCTION_ACCESS_TOKEN
+    GITLAB_QA_ACCESS_TOKEN: $QA_GITLAB_CI_TOKEN
   when: on_failure
   script:
     - |
diff --git a/.gitlab/ci/package-and-test/rules.gitlab-ci.yml b/.gitlab/ci/package-and-test/rules.gitlab-ci.yml
index 64d56cec21a..50b07589040 100644
--- a/.gitlab/ci/package-and-test/rules.gitlab-ci.yml
+++ b/.gitlab/ci/package-and-test/rules.gitlab-ci.yml
@@ -43,9 +43,9 @@
 
 .rules:dont-interrupt:
   rules:
-    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
+    - if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH && $CI_MERGE_REQUEST_IID == null'
       allow_failure: true
-    - if: $CI_MERGE_REQUEST_IID
+    - if: '$CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached"'
       when: manual
       allow_failure: true
 
@@ -61,6 +61,15 @@
       when: never
     - when: always
 
+# This job requires project access token with api permissions to detect parallel jobs,
+# it is problematic to set for every project that would include this template
+# Because parallel jobs themselves can download knapsack report, skip for non canonical runs
+.rules:download-knapsack:
+  rules:
+    - <<: *not-canonical-project
+      when: never
+    - when: always
+
 # ------------------------------------------
 # Test
 # ------------------------------------------
@@ -80,7 +89,7 @@
 
 # parallel and non parallel rules are used for jobs that require parallel execution and thus need to switch
 # between parallel and non parallel when only certain specs are executed
-.rules:test:qa-non-parallel:
+.rules:test:qa-selective:
   rules:
     # always run parallel with full suite when framework changes present or ff state changed
     - <<: *qa-run-all-tests
diff --git a/.gitlab/ci/package-and-test/variables.gitlab-ci.yml b/.gitlab/ci/package-and-test/variables.gitlab-ci.yml
index 838de6bdd3a..c45807e5a23 100644
--- a/.gitlab/ci/package-and-test/variables.gitlab-ci.yml
+++ b/.gitlab/ci/package-and-test/variables.gitlab-ci.yml
@@ -10,3 +10,6 @@ variables:
   QA_LOG_LEVEL: "info"
   QA_TESTS: ""
   QA_FEATURE_FLAGS: ""
+  # run all tests by default when package-and-test is included natively in other projects
+  # this will be overridden when selective test execution is used in gitlab canonical project
+  QA_RUN_ALL_TESTS: "true"
diff --git a/.gitlab/ci/preflight.gitlab-ci.yml b/.gitlab/ci/preflight.gitlab-ci.yml
new file mode 100644
index 00000000000..05b05fde53b
--- /dev/null
+++ b/.gitlab/ci/preflight.gitlab-ci.yml
@@ -0,0 +1,14 @@
+rails-production-environment:
+  extends:
+    - .default-before_script
+    - .production
+    - .ruby-cache
+    - .setup:rules:rails-production-environment
+    - .use-pg12
+  stage: preflight
+  variables:
+    BUNDLE_WITHOUT: "development:test"
+    BUNDLE_WITH: "production"
+  needs: []
+  script:
+    - bundle exec rails runner --environment=production 'puts Rails.env'
diff --git a/.gitlab/ci/qa.gitlab-ci.yml b/.gitlab/ci/qa.gitlab-ci.yml
index f6668d7864e..a72e6fc0137 100644
--- a/.gitlab/ci/qa.gitlab-ci.yml
+++ b/.gitlab/ci/qa.gitlab-ci.yml
@@ -67,6 +67,7 @@ qa:update-qa-cache:
 
 e2e:package-and-test:
   extends:
+    - .production  # this makes sure GITLAB_ALLOW_SEPARATE_CI_DATABASE is passed to the child pipeline
     - .qa:rules:package-and-test
   stage: qa
   needs:
@@ -81,6 +82,13 @@ e2e:package-and-test:
     GITLAB_QA_IMAGE: "${CI_REGISTRY_IMAGE}/gitlab-ee-qa:${CI_COMMIT_SHA}"
     RUN_WITH_BUNDLE: "true"  # instructs pipeline to install and run gitlab-qa gem via bundler
     QA_PATH: qa  # sets the optional path for bundler to run from
+  inherit:
+    variables:
+      - CHROME_VERSION
+      - RUBY_VERSION
+      - DOCKER_VERSION
+      - REGISTRY_GROUP
+      - REGISTRY_HOST
   trigger:
     strategy: depend
     forward:
@@ -90,24 +98,19 @@ e2e:package-and-test:
       - artifact: package-and-test-pipeline.yml
         job: e2e-test-pipeline-generate
 
-# Fetch child pipeline test results and store in parent pipeline
-# workaround until natively implemented: https://gitlab.com/groups/gitlab-org/-/epics/8205
-e2e:package-and-test-results:
-  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bullseye-ruby-${RUBY_VERSION}:bundler-2.3
+e2e:test-on-gdk:
   extends:
-    - .qa-job-base
-    - .qa:rules:package-and-test
+    - .qa:rules:e2e:test-on-gdk
   stage: qa
   needs:
-    - e2e:package-and-test
-  variables:
-    COLORIZED_LOGS: "true"
-    QA_LOG_LEVEL: "debug"
-  when: always
+    # In scheduled master pipelines we wait for the image to be built.
+    # In MRs we assume the last scheduled master pipeline built the image already.
+    - job: build-qa-on-gdk-master-image
+      optional: true
   allow_failure: true
-  script:
-    - bundle exec rake "ci:download_test_results[e2e:package-and-test,e2e-test-report,${CI_PROJECT_DIR}]"
-  artifacts:
-    when: always
-    reports:
-      junit: gitlab-qa-run-*/**/rspec-*.xml
+  trigger:
+    strategy: depend
+    forward:
+      yaml_variables: true
+      pipeline_variables: true
+    include: .gitlab/ci/test-on-gdk/main.gitlab-ci.yml
diff --git a/.gitlab/ci/rails.gitlab-ci.yml b/.gitlab/ci/rails.gitlab-ci.yml
index df3b3704a52..23f38fddb80 100644
--- a/.gitlab/ci/rails.gitlab-ci.yml
+++ b/.gitlab/ci/rails.gitlab-ci.yml
@@ -210,91 +210,6 @@ rspec fast_spec_helper:
     # Load fast_spec_helper as well just in case there are no specs available.
     - bin/rspec --dry-run spec/fast_spec_helper.rb $fast_spec_helper_specs
 
-db:rollback:
-  extends: .db-job-base
-  script:
-    - scripts/db_tasks db:migrate VERSION=20210602155110
-    - scripts/db_tasks db:migrate SKIP_SCHEMA_VERSION_CHECK=true
-
-db:rollback single-db:
-  extends:
-    - db:rollback
-    - .single-db
-    - .rails:rules:single-db
-
-db:migrate:reset:
-  extends: .db-job-base
-  script:
-    - bundle exec rake db:migrate:reset
-
-db:migrate:reset single-db:
-  extends:
-    - db:migrate:reset
-    - .single-db
-    - .rails:rules:single-db
-
-db:check-schema:
-  extends:
-    - .db-job-base
-    - .rails:rules:ee-mr-and-default-branch-only
-  script:
-    - run_timed_command "bundle exec rake db:drop db:create"
-    - run_timed_command "scripts/db_tasks db:migrate"
-
-db:check-schema-single-db:
-  extends:
-    - db:check-schema
-    - .single-db
-    - .rails:rules:single-db
-
-db:check-migrations:
-  extends:
-    - .db-job-base
-    - .rails:rules:ee-and-foss-mr-with-migration
-  script:
-    - git fetch origin $CI_MERGE_REQUEST_TARGET_BRANCH_NAME:$CI_MERGE_REQUEST_TARGET_BRANCH_NAME --depth 20
-    - scripts/validate_migration_schema
-  allow_failure: true
-
-db:check-migrations-single-db:
-  extends:
-    - db:check-migrations
-    - .single-db
-    - .rails:rules:single-db
-
-db:post_deployment_migrations_validator:
-  extends:
-    - .db-job-base
-    - .rails:rules:ee-and-foss-mr-with-migration
-  script:
-    - git fetch origin $CI_MERGE_REQUEST_TARGET_BRANCH_NAME:$CI_MERGE_REQUEST_TARGET_BRANCH_NAME --depth 20
-    - scripts/post_deployment_migrations_validator
-  allow_failure: true
-
-db:post_deployment_migrations_validator-single-db:
-  extends:
-    - db:post_deployment_migrations_validator
-    - .single-db
-    - .rails:rules:single-db
-
-db:migrate-non-superuser:
-  extends:
-    - .db-job-base
-    - .rails:rules:ee-and-foss-mr-with-migration
-  script:
-    - bundle exec rake gitlab:db:reset_as_non_superuser
-
-db:gitlabcom-database-testing:
-  extends: .rails:rules:db:gitlabcom-database-testing
-  stage: test
-  image: ruby:${RUBY_VERSION}-alpine
-  needs: []
-  allow_failure: true
-  script:
-    - source scripts/utils.sh
-    - install_gitlab_gem
-    - ./scripts/trigger-build.rb gitlab-com-database-testing
-
 gitlab:setup:
   extends: .db-job-base
   variables:
@@ -312,27 +227,6 @@ gitlab:setup:
     paths:
       - log/*.log
 
-db:backup_and_restore:
-  extends:
-    - .db-job-base
-    - .rails:rules:db-backup
-  variables:
-    SETUP_DB: "false"
-    GITLAB_ASSUME_YES: "1"
-  script:
-    - . scripts/prepare_build.sh
-    - bundle exec rake db:drop db:create db:structure:load db:seed_fu
-    - mkdir -p tmp/tests/public/uploads tmp/tests/{artifacts,pages,lfs-objects,terraform_state,registry,packages}
-    - bundle exec rake gitlab:backup:create
-    - date
-    - bundle exec rake gitlab:backup:restore
-
-db:backup_and_restore single-db:
-  extends:
-    - db:backup_and_restore
-    - .single-db
-    - .rails:rules:db-backup
-
 rspec:deprecations:
   extends:
     - .default-retry
@@ -716,14 +610,6 @@ rspec-ee system pg12 single-db:
     - rspec-ee system pg12
     - .single-db-rspec
     - .rails:rules:single-db
-
-db:rollback geo:
-  extends:
-    - db:rollback
-    - .rails:rules:ee-only-migration
-  script:
-    - bundle exec rake db:migrate:geo VERSION=20170627195211
-    - bundle exec rake db:migrate:geo
 # EE: default refs (MRs, default branch, schedules) jobs #
 ##################################################
 
@@ -908,19 +794,28 @@ rspec-ee system pg13:
 
 ##################################################
 # EE: Canonical MR pipelines
-rspec fail-fast:
+.rspec-fail-fast:
   extends:
-    - .rspec-ee-base-pg12  # This job also runs EE spec which needs elasticsearch
     - .rails:rules:rspec fail-fast
   stage: test
   needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets", "detect-tests"]
   script:
     - !reference [.base-script, script]
-    - rspec_fail_fast "${RSPEC_MATCHING_TESTS_PATH}" "--tag ~quarantine"
-  artifacts:
-    expire_in: 7d
-    paths:
-      - tmp/capybara/
+    - rspec_fail_fast "${MATCHING_TESTS_PATH}" "--tag ~quarantine --tag ~zoekt"
+
+rspec fail-fast:
+  extends:
+    - .rspec-base-pg12
+    - .rspec-fail-fast  # extends from .rspec-fail-fast last to override script from .rspec-base-pg12
+  variables:
+    MATCHING_TESTS_PATH: "${RSPEC_MATCHING_TESTS_FOSS_PATH}"
+
+rspec-ee fail-fast:
+  extends:
+    - .rspec-ee-base-pg12
+    - .rspec-fail-fast  # extends from .rspec-fail-fast last to override script from .rspec-ee-base-pg12
+  variables:
+    MATCHING_TESTS_PATH: "${RSPEC_MATCHING_TESTS_EE_PATH}"
 
 rspec-foss-impact:pipeline-generate:
   extends:
@@ -977,7 +872,7 @@ fail-pipeline-early:
   extends:
     - .rails:rules:rerun-previous-failed-tests
   stage: test
-  needs: ["setup-test-env", "compile-test-assets", "detect-previous-failed-tests"]
+  needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets", "detect-previous-failed-tests"]
   script:
     - !reference [.base-script, script]
     - rspec_rerun_previous_failed_tests "${PREVIOUS_FAILED_TESTS_FILE}"
@@ -987,7 +882,7 @@ rspec rspec-pg12-rerun-previous-failed-tests:
     - .rspec-base-pg12
     - .base-rspec-pg12-rerun-previous-failed-tests
   variables:
-    PREVIOUS_FAILED_TESTS_FILE: tmp/previous_failed_tests/rspec_failed_files.txt
+    PREVIOUS_FAILED_TESTS_FILE: tmp/previous_failed_tests/rspec_failed_tests.txt
 
 rspec rspec-ee-pg12-rerun-previous-failed-tests:
   extends:
@@ -995,6 +890,5 @@ rspec rspec-ee-pg12-rerun-previous-failed-tests:
     - .base-rspec-pg12-rerun-previous-failed-tests
   variables:
     PREVIOUS_FAILED_TESTS_FILE: tmp/previous_failed_tests/rspec_ee_failed_files.txt
-
 # EE: Canonical MR pipelines
 ##################################################
diff --git a/.gitlab/ci/rails/rspec-foss-impact.gitlab-ci.yml.erb b/.gitlab/ci/rails/rspec-foss-impact.gitlab-ci.yml.erb
index 4ae4cb75a25..eb54fa25875 100644
--- a/.gitlab/ci/rails/rspec-foss-impact.gitlab-ci.yml.erb
+++ b/.gitlab/ci/rails/rspec-foss-impact.gitlab-ci.yml.erb
@@ -42,7 +42,7 @@ rspec foss-impact:
 <% end %>
   script:
     - !reference [.base-script, script]
-    - rspec_paralellized_job "--tag ~quarantine --tag ~level:migration"
+    - rspec_paralellized_job "--tag ~quarantine --tag ~level:migration --tag ~zoekt"
   artifacts:
     expire_in: 7d
     paths:
diff --git a/.gitlab/ci/rails/shared.gitlab-ci.yml b/.gitlab/ci/rails/shared.gitlab-ci.yml
index 4ca82f55b63..4943f7c2e28 100644
--- a/.gitlab/ci/rails/shared.gitlab-ci.yml
+++ b/.gitlab/ci/rails/shared.gitlab-ci.yml
@@ -55,7 +55,12 @@ include:
     GEO_SECONDARY_PROXY: 0
     RSPEC_TESTS_FILTER_FILE: "${RSPEC_MATCHING_TESTS_PATH}"
     SUCCESSFULLY_RETRIED_TEST_EXIT_CODE: 137
-  needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets", "detect-tests"]
+  needs:
+    - job: "setup-test-env"
+    - job: "retrieve-tests-metadata"
+    - job: "compile-test-assets"
+    - job: "detect-tests"
+      optional: true
   script:
     - !reference [.base-script, script]
     # We need to exclude background migration because unit tests run with
@@ -85,7 +90,7 @@ include:
 .rspec-base-migration:
   script:
     - !reference [.base-script, script]
-    - rspec_paralellized_job "--tag ~quarantine"
+    - rspec_paralellized_job "--tag ~quarantine --tag ~zoekt"
 
 .rspec-base-pg11:
   extends:
@@ -102,7 +107,12 @@ include:
     - .rspec-base
     - .as-if-foss
     - .use-pg12
-  needs: ["setup-test-env", "retrieve-tests-metadata", "compile-test-assets as-if-foss", "detect-tests"]
+  needs:
+    - job: "setup-test-env"
+    - job: "retrieve-tests-metadata"
+    - job: "compile-test-assets as-if-foss"
+    - job: "detect-tests"
+      optional: true
 
 .rspec-base-pg13:
   extends:
diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index b87e5ad9bba..3242ca29d75 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -104,7 +104,8 @@ yarn-audit-dependency_scanning:
     - mkdir ~/.aws
     - '[[ -z "${AWS_SIEM_REPORT_INGESTION_CREDENTIALS_FILE}" ]] || mv "${AWS_SIEM_REPORT_INGESTION_CREDENTIALS_FILE}" ~/.aws/credentials'
     - npm install --no-save --ignore-scripts @aws-sdk/client-s3@3.49.0
-    - scripts/ingest-reports-to-siem
+    - scripts/ingest-reports-to-siem || true  # Allow legacy report to fail as we'll remove it in the future anyway
+    - scripts/ingest-reports-to-siem-devo
   artifacts:
     paths:
       - gl-dependency-scanning-report.json
diff --git a/.gitlab/ci/review-apps/main.gitlab-ci.yml b/.gitlab/ci/review-apps/main.gitlab-ci.yml
index 13e8ea330da..369330f8189 100644
--- a/.gitlab/ci/review-apps/main.gitlab-ci.yml
+++ b/.gitlab/ci/review-apps/main.gitlab-ci.yml
@@ -10,7 +10,6 @@ stages:
 
 include:
   - local: .gitlab/ci/global.gitlab-ci.yml
-  - local: .gitlab/ci/rules.gitlab-ci.yml
   - local: .gitlab/ci/review-apps/rules.gitlab-ci.yml
   - local: .gitlab/ci/review-apps/qa.gitlab-ci.yml
   - local: .gitlab/ci/review-apps/dast.gitlab-ci.yml
@@ -19,7 +18,6 @@ include:
 .base-before_script: &base-before_script
   - source ./scripts/utils.sh
   - source ./scripts/review_apps/review-apps.sh
-  - apt-get update && apt-get install -y jq
 
 dont-interrupt-me:
   extends: .rules:dont-interrupt
@@ -32,7 +30,7 @@ review-build-cng-env:
   extends:
     - .default-retry
     - .review:rules:review-build-cng
-  image: ${GITLAB_DEPENDENCY_PROXY}ruby:${RUBY_VERSION}-alpine3.16
+  image: ${GITLAB_DEPENDENCY_PROXY_ADDRESS}ruby:${RUBY_VERSION}-alpine3.16
   stage: prepare
   needs:
     # We need this job because we need its `cached-assets-hash.txt` artifact, so that we can pass the assets image tag to the downstream CNG pipeline.
@@ -97,20 +95,21 @@ review-build-cng:
   variables:
     HOST_SUFFIX: "${CI_ENVIRONMENT_SLUG}"
     DOMAIN: "-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}"
-    GITLAB_HELM_CHART_REF: "ed813953079c1d81aa69d4cb8171c69aa9741f01"  # 6.5.4: https://gitlab.com/gitlab-org/charts/gitlab/-/commit/ed813953079c1d81aa69d4cb8171c69aa9741f01
+    GITLAB_HELM_CHART_REF: "afcef7854ac72c5ff958035ef210ba6c68ec800b"  # 6.8.0: https://gitlab.com/gitlab-org/charts/gitlab/-/commit/afcef7854ac72c5ff958035ef210ba6c68ec800b
   environment:
     name: review/${CI_COMMIT_REF_SLUG}${SCHEDULE_TYPE}  # No separator for SCHEDULE_TYPE so it's compatible as before and looks nice without it
     url: https://gitlab-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}
-    on_stop: review-stop
-    auto_stop_in: 6 hours
+    on_stop: trigger-review-stop
 
 review-deploy:
   extends:
     - .review-workflow-base
     - .review:rules:review-deploy
   stage: deploy
-  image: ${GITLAB_DEPENDENCY_PROXY}dtzar/helm-kubectl:3.10.3
-  needs: ["review-build-cng"]
+  image: ${GITLAB_DEPENDENCY_PROXY_ADDRESS}dtzar/helm-kubectl:3.9.3
+  needs:
+    - review-build-cng
+    - review-delete-deployment # We always want to start from a clean slate (i.e. no helm release, no k8s namespace)
   cache:
     key: "review-deploy-dependencies-charts-${GITLAB_HELM_CHART_REF}-v1"
     paths:
@@ -168,31 +167,35 @@ review-deploy-sample-projects:
   extends: .review-workflow-base
   environment:
     action: stop
-  dependencies: []
   variables:
     # We're cloning the repo instead of downloading the script for now
     # because some repos are private and CI_JOB_TOKEN cannot access files.
     # See https://gitlab.com/gitlab-org/gitlab/issues/191273
     GIT_DEPTH: 1
-  before_script:
-    - source ./scripts/utils.sh
-    - source ./scripts/review_apps/review-apps.sh
-    - !reference [".use-kube-context", before_script]
 
 review-delete-deployment:
   extends:
     - .review-stop-base
     - .review:rules:review-delete-deployment
+  dependencies: []
   stage: prepare
+  before_script:
+    - source ./scripts/utils.sh
+    - source ./scripts/review_apps/review-apps.sh
+    - !reference [".use-kube-context", before_script]
   script:
-    - delete_helm_release
+    - retry delete_helm_release
 
-review-stop:
+trigger-review-stop:
   extends:
     - .review-stop-base
-    - .review:rules:review-stop
-  resource_group: review/${CI_COMMIT_REF_SLUG}${SCHEDULE_TYPE} # CI_ENVIRONMENT_SLUG is not available here and we want this to be the same as the environment
+    - .review:rules:trigger-review-stop
   stage: deploy
   needs: []
+  before_script:
+    - source ./scripts/utils.sh
+    - install_gitlab_gem
   script:
-    - delete_helm_release
+    - review_stop_job_id="$(scripts/api/get_job_id.rb --pipeline-id "${PARENT_PIPELINE_ID}" --job-name "review-stop")"
+    - |
+      curl --request POST --header "Private-Token: ${PROJECT_TOKEN_FOR_CI_SCRIPTS_API_USAGE}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/jobs/${review_stop_job_id}/play"
diff --git a/.gitlab/ci/review-apps/qa.gitlab-ci.yml b/.gitlab/ci/review-apps/qa.gitlab-ci.yml
index 01a738127f7..edca2cae1c6 100644
--- a/.gitlab/ci/review-apps/qa.gitlab-ci.yml
+++ b/.gitlab/ci/review-apps/qa.gitlab-ci.yml
@@ -1,6 +1,6 @@
 include:
   - project: gitlab-org/quality/pipeline-common
-    ref: 1.14.1
+    ref: 2.0.0
     file:
       - /ci/base.gitlab-ci.yml
       - /ci/allure-report.yml
@@ -143,15 +143,10 @@ e2e-test-report:
     ALLURE_PROJECT_PATH: $CI_PROJECT_PATH
     ALLURE_RESULTS_GLOB: qa/tmp/allure-results
     ALLURE_MERGE_REQUEST_IID: $CI_MERGE_REQUEST_IID
-    GITLAB_AUTH_TOKEN: $GITLAB_QA_MR_ALLURE_REPORT_TOKEN
+    GITLAB_AUTH_TOKEN: $PROJECT_TOKEN_FOR_CI_SCRIPTS_API_USAGE
     GIT_STRATEGY: none
   allow_failure: true
   when: always
-  artifacts:  # re-save rspec results for displaying in parent pipeline
-    expire_in: 1 day
-    when: always
-    paths:
-      - qa/tmp/rspec-*.xml
 
 upload-knapsack-report:
   extends:
diff --git a/.gitlab/ci/review-apps/rules.gitlab-ci.yml b/.gitlab/ci/review-apps/rules.gitlab-ci.yml
index 49343c98547..a3ae31cb14c 100644
--- a/.gitlab/ci/review-apps/rules.gitlab-ci.yml
+++ b/.gitlab/ci/review-apps/rules.gitlab-ci.yml
@@ -1,3 +1,6 @@
+# ------------------------------------------
+# Conditions
+# ------------------------------------------
 # Specific specs passed
 .specific-specs: &specific-specs
   if: $QA_TESTS != ""
@@ -8,7 +11,7 @@
 
 # No specific specs in mr pipeline
 .all-specs-mr: &all-specs-mr
-  if: $CI_MERGE_REQUEST_IID && $QA_TESTS == ""
+  if: '($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $QA_TESTS == ""'
   when: manual
 
 # Triggered by change pattern
@@ -22,6 +25,31 @@
 .default-branch: &default-branch
   if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
 
+.if-merge-request: &if-merge-request
+  if: '$CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached"'
+
+.if-merge-request-labels-run-review-app: &if-merge-request-labels-run-review-app
+  if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:run-review-app/'
+
+.if-dot-com-ee-schedule-nightly-child-pipeline: &if-dot-com-ee-schedule-nightly-child-pipeline
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_PIPELINE_SOURCE == "parent_pipeline" && $SCHEDULE_TYPE == "nightly"'
+
+# ------------------------------------------
+# Changes patterns
+# ------------------------------------------
+.ci-review-patterns: &ci-review-patterns
+  - ".gitlab-ci.yml"
+  - ".gitlab/ci/frontend.gitlab-ci.yml"
+  - ".gitlab/ci/build-images.gitlab-ci.yml"
+  - ".gitlab/ci/review.gitlab-ci.yml"
+  - ".gitlab/ci/review-apps/**/*"
+  - "scripts/review_apps/**/*"
+  - "scripts/trigger-build.rb"
+  - "{,ee/,jh/}{bin,config}/**/*.rb"
+
+# ------------------------------------------
+# Conditions set
+# ------------------------------------------
 .qa-manual: &qa-manual
   when: manual
   allow_failure: true
@@ -53,6 +81,26 @@
       when: manual
       allow_failure: true
 
+.review:rules:review-build-cng:
+  rules:
+    - when: always
+
+.review:rules:review-delete-deployment:
+  rules:
+    - when: on_success
+
+# ------------------------------------------
+# Deploy
+# ------------------------------------------
+.review:rules:review-deploy:
+  rules:
+    - when: on_success
+
+.review:rules:trigger-review-stop:
+  rules:
+    - when: manual
+      allow_failure: true
+
 # ------------------------------------------
 # Test
 # ------------------------------------------
@@ -91,6 +139,25 @@
     - *all-specs-mr  # set full suite to manual when no specific specs passed in mr
     - if: $QA_SUITES =~ /Test::Instance::ReviewNonBlocking/
 
+.review:rules:review-performance:
+  rules:
+    - if: '$DAST_RUN == "true"'  # Skip this job when DAST is run
+      when: never
+    - <<: *if-merge-request-labels-run-review-app  # we explicitly don't allow the job to fail in that case
+    - <<: *if-merge-request  # we explicitly don't allow the job to fail in that case
+      changes: *ci-review-patterns
+    - when: on_success
+      allow_failure: true
+
+# ------------------------------------------
+# DAST
+# ------------------------------------------
+.reports:rules:schedule-dast:
+  rules:
+    - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
+      when: never
+    - <<: *if-dot-com-ee-schedule-nightly-child-pipeline
+
 # ------------------------------------------
 # Prepare/Report
 # ------------------------------------------
diff --git a/.gitlab/ci/review.gitlab-ci.yml b/.gitlab/ci/review.gitlab-ci.yml
index b6c273aeb99..f0e87e0161a 100644
--- a/.gitlab/ci/review.gitlab-ci.yml
+++ b/.gitlab/ci/review.gitlab-ci.yml
@@ -4,9 +4,12 @@ review-cleanup:
     - .review:rules:review-cleanup
   image: ${REVIEW_APPS_IMAGE}
   stage: prepare
+  needs: []
   environment:
     name: review/regular-cleanup
     action: access
+  variables:
+    GIT_DEPTH: 1
   before_script:
     - source scripts/utils.sh
     - !reference [".use-kube-context", before_script]
@@ -15,6 +18,21 @@ review-cleanup:
   script:
     - scripts/review_apps/automated_cleanup.rb || (scripts/slack review-apps-monitoring "☠️ \`${CI_JOB_NAME}\` failed! ☠️ See ${CI_JOB_URL} - <https://gitlab.com/gitlab-org/quality/engineering-productivity/team/-/blob/main/runbooks/review-apps.md#review-cleanup-job-failed|📗 RUNBOOK 📕>" warning "GitLab Bot" && exit 1);
 
+review-stop:
+  extends:
+    - review-cleanup
+    - .review:rules:review-stop
+  environment:
+    name: review/${CI_COMMIT_REF_SLUG}${SCHEDULE_TYPE}  # No separator for SCHEDULE_TYPE so it's compatible as before and looks nice without it
+    action: stop
+  resource_group: review/${CI_COMMIT_REF_SLUG}${SCHEDULE_TYPE}  # CI_ENVIRONMENT_SLUG is not available here and we want this to be the same as the environment
+  before_script:
+    - source ./scripts/utils.sh
+    - source ./scripts/review_apps/review-apps.sh
+    - !reference [".use-kube-context", before_script]
+  script:
+    - retry delete_helm_release
+
 .base-review-checks:
   extends:
     - .default-retry
@@ -58,6 +76,21 @@ start-review-app-pipeline:
     - job: e2e-test-pipeline-generate
     - job: build-assets-image
       artifacts: false
+  # We do not want to have ALL global variables passed as trigger variables,
+  # as they cannot be overridden. See this issue for more context:
+  #
+  # https://gitlab.com/gitlab-org/gitlab/-/issues/387183
+  inherit:
+    variables:
+      - CHROME_VERSION
+      - REGISTRY_GROUP
+      - REGISTRY_HOST
+      - REVIEW_APPS_DOMAIN
+      - REVIEW_APPS_GCP_PROJECT
+      - REVIEW_APPS_GCP_REGION
+      - REVIEW_APPS_IMAGE
+      - RUBY_VERSION
+
   # These variables are set in the pipeline schedules.
   # They need to be explicitly passed on to the child pipeline.
   # https://docs.gitlab.com/ee/ci/pipelines/multi_project_pipelines.html#pass-cicd-variables-to-a-downstream-pipeline-by-using-the-variables-keyword
@@ -73,30 +106,6 @@ start-review-app-pipeline:
       - artifact: review-app-pipeline.yml
         job: e2e-test-pipeline-generate
 
-# Fetch child pipeline test results and store in parent pipeline
-# workaround until natively implemented: https://gitlab.com/groups/gitlab-org/-/epics/8205
-review-app-test-results:
-  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bullseye-ruby-${RUBY_VERSION}:bundler-2.3
-  stage: review
-  extends:
-    - .qa-cache
-    - .review:rules:start-review-app-pipeline
-  needs:
-    - start-review-app-pipeline
-  variables:
-    COLORIZED_LOGS: "true"
-    QA_LOG_LEVEL: "debug"
-  before_script:
-    - cd qa && bundle install
-  script:
-    - bundle exec rake "ci:download_test_results[start-review-app-pipeline,e2e-test-report,${CI_PROJECT_DIR}]"
-  when: always
-  allow_failure: true
-  artifacts:
-    when: always
-    reports:
-      junit: qa/tmp/rspec-*.xml
-
 danger-review:
   extends:
     - .default-retry
diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml
index 9596594ad26..d1e29084a5a 100644
--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -21,7 +21,7 @@
   if: '$FORCE_GITLAB_CI'
 
 .if-default-refs: &if-default-refs
-  if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_COMMIT_REF_NAME == "ruby2" || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG || $FORCE_GITLAB_CI'
+  if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_COMMIT_REF_NAME == "ruby2" || ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") || $CI_COMMIT_TAG || $FORCE_GITLAB_CI'
 
 .if-default-branch-refs: &if-default-branch-refs
   if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH && $CI_MERGE_REQUEST_IID == null'
@@ -30,30 +30,33 @@
   if: '$CI_COMMIT_BRANCH =~ /^\d+-\d+-auto-deploy-\d+$/'
 
 .if-default-branch-or-tag: &if-default-branch-or-tag
-  if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH || $CI_COMMIT_TAG'
+  if: '($CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH && $CI_MERGE_REQUEST_IID == null) || $CI_COMMIT_TAG'
+
+.if-tag: &if-tag
+  if: '$CI_COMMIT_TAG'
 
 .if-merge-request: &if-merge-request
-  if: '$CI_MERGE_REQUEST_IID'
+  if: '$CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached"'
 
 # Once https://gitlab.com/gitlab-org/gitlab/-/issues/373904 is implemented, we should be able to change this back to
-# if: '$CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_APPROVALS_COUNT > 0'
+# if: '($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $CI_MERGE_REQUEST_APPROVALS_COUNT > 0'
 # or any similar condition to check that the MR has *any* approval (not just required approval).
 #
 # Temprorarily adding || $CI_MERGE_REQUEST_LABELS =~ /pipeline:run-full-rspec/ for backward compatibility,
 # remove once https://gitlab.com/gitlab-org/quality/quality-engineering/team-tasks/-/issues/1557 is fully rolled out
 .if-merge-request-approved: &if-merge-request-approved
-  if: '$CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_LABELS =~ /pipeline:mr-approved/ || $CI_MERGE_REQUEST_LABELS =~ /pipeline:run-full-rspec/'
+  if: '($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $CI_MERGE_REQUEST_LABELS =~ /pipeline:mr-approved/ || $CI_MERGE_REQUEST_LABELS =~ /pipeline:run-full-rspec/'
 
 # Temprorarily adding && $CI_MERGE_REQUEST_LABELS !~ /pipeline:run-full-rspec/ for backward compatibility,
 # remove once https://gitlab.com/gitlab-org/quality/quality-engineering/team-tasks/-/issues/1557 is fully rolled out
 .if-merge-request-not-approved: &if-merge-request-not-approved
-  if: '$CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_LABELS !~ /pipeline:mr-approved/ && $CI_MERGE_REQUEST_LABELS !~ /pipeline:run-full-rspec/'
+  if: '($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $CI_MERGE_REQUEST_LABELS !~ /pipeline:mr-approved/ && $CI_MERGE_REQUEST_LABELS !~ /pipeline:run-full-rspec/'
 
 .if-automated-merge-request: &if-automated-merge-request
   if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == "release-tools/update-gitaly" || $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /stable-ee$/'
 
 .if-merge-request-targeting-stable-branch: &if-merge-request-targeting-stable-branch
-  if: '$CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^[\d-]+-stable(-ee)?$/'
+  if: '($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^[\d-]+-stable(-ee)?$/'
 
 .if-merge-request-labels-run-in-ruby2: &if-merge-request-labels-run-in-ruby2
   if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:run-in-ruby2/'
@@ -73,6 +76,9 @@
 .if-merge-request-labels-run-all-jest: &if-merge-request-labels-run-all-jest
   if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:run-all-jest/'
 
+.if-merge-request-labels-run-all-e2e: &if-merge-request-labels-run-all-e2e
+  if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:run-all-e2e/'
+
 .if-merge-request-labels-run-single-db: &if-merge-request-labels-run-single-db
   if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:run-single-db/'
 
@@ -98,10 +104,10 @@
   if: '$CI_MERGE_REQUEST_LABELS =~ /frontend/ && $CI_MERGE_REQUEST_LABELS =~ /feature flag/'
 
 .if-security-merge-request: &if-security-merge-request
-  if: '$CI_PROJECT_NAMESPACE == "gitlab-org/security" && $CI_MERGE_REQUEST_IID'
+  if: '$CI_PROJECT_NAMESPACE == "gitlab-org/security" && ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached")'
 
 .if-fork-merge-request: &if-fork-merge-request
-  if: '$CI_PROJECT_NAMESPACE !~ /^gitlab(-org)?($|\/)/ && $CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_LABELS !~ /pipeline:run-all-rspec/'
+  if: '$CI_PROJECT_NAMESPACE !~ /^gitlab(-org)?($|\/)/ && ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $CI_MERGE_REQUEST_LABELS !~ /pipeline:run-all-rspec/'
 
 .if-schedule-pipeline: &if-schedule-pipeline
   if: '$CI_PIPELINE_SOURCE == "schedule"'
@@ -118,29 +124,29 @@
 .if-security-schedule: &if-security-schedule
   if: '$CI_PROJECT_NAMESPACE == "gitlab-org/security" && $CI_PIPELINE_SOURCE == "schedule"'
 
+.if-foss-schedule: &if-foss-schedule
+  if: '$CI_PROJECT_PATH == "gitlab-org/gitlab-foss" && $CI_PIPELINE_SOURCE == "schedule"'
+
 .if-dot-com-gitlab-org-schedule: &if-dot-com-gitlab-org-schedule
   if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_PIPELINE_SOURCE == "schedule"'
 
 .if-dot-com-ee-schedule-default-branch-maintenance: &if-dot-com-ee-schedule-default-branch-maintenance
   if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_TYPE == "maintenance"'
 
-.if-dot-com-ee-schedule-nightly-child-pipeline: &if-dot-com-ee-schedule-nightly-child-pipeline
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_PIPELINE_SOURCE == "parent_pipeline" && $SCHEDULE_TYPE == "nightly"'
-
 .if-dot-com-gitlab-org-default-branch: &if-dot-com-gitlab-org-default-branch
   if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH'
 
 .if-dot-com-gitlab-org-merge-request: &if-dot-com-gitlab-org-merge-request
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_MERGE_REQUEST_IID'
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached")'
 
 .if-dot-com-gitlab-org-and-security-merge-request: &if-dot-com-gitlab-org-and-security-merge-request
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && $CI_MERGE_REQUEST_IID'
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached")'
 
 .if-dot-com-gitlab-org-and-security-merge-request-and-qa-tests-specified: &if-dot-com-gitlab-org-and-security-merge-request-and-qa-tests-specified
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && $CI_MERGE_REQUEST_IID && $QA_TESTS'
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $QA_TESTS'
 
 .if-dot-com-gitlab-org-and-security-merge-request-manual-ff-package-and-e2e: &if-dot-com-gitlab-org-and-security-merge-request-manual-ff-package-and-e2e
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && $CI_MERGE_REQUEST_IID && $QA_MANUAL_FF_PACKAGE_AND_QA'
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $QA_MANUAL_FF_PACKAGE_AND_QA'
 
 .if-dot-com-gitlab-org-and-security-tag: &if-dot-com-gitlab-org-and-security-tag
   if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && $CI_COMMIT_TAG'
@@ -172,8 +178,7 @@
   - ".gitlab/ci/build-images.gitlab-ci.yml"
   - ".gitlab/ci/review.gitlab-ci.yml"
   - ".gitlab/ci/review-apps/**/*"
-  - "scripts/review_apps/base-config.yaml"
-  - "scripts/review_apps/review-apps.sh"
+  - "scripts/review_apps/**/*"
   - "scripts/trigger-build.rb"
   - "{,ee/,jh/}{bin,config}/**/*.rb"
 
@@ -220,6 +225,11 @@
   - "scripts/lint-doc.sh"
   - ".gitlab/ci/docs.gitlab-ci.yml"
 
+.docs-blueprints-patterns: &docs-blueprints-patterns
+  - "doc/architecture/blueprints/**/*"
+  - "scripts/lint-docs-blueprints.rb"
+  - ".gitlab/ci/docs.gitlab-ci.yml"
+
 .docs-deprecations-and-removals-patterns: &docs-deprecations-and-removals-patterns
   - "doc/update/deprecations.md"
   - "doc/update/removals.md"
@@ -285,12 +295,15 @@
   - ".browserslistrc"
   - "babel.config.js"
   - "jest.config.{base,integration,unit}.js"
-  - ".csscomb.json"
+  - ".stylelintrc"
   - "Dockerfile.assets"
   - "config/**/*.js"
   - "vendor/assets/**/*"
   - "{app/assets,app/components,app/helpers,app/presenters,app/views,locale,public,spec/frontend,storybook,symbol}/**/*"
 
+.initializers-patterns: &initializers-patterns
+  - "{,ee/,jh/}config/initializers/**/*"
+
 .controllers-patterns: &controllers-patterns
   - "{,ee/,jh/}{app/controllers}/**/*"
 
@@ -332,14 +345,14 @@
 # DB patterns + .ci-patterns
 .db-patterns: &db-patterns
   - "{,ee/,jh/}{,spec/}{db,migrations}/**/*"
-  - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/database/**/*"
-  - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/database{,_spec}.rb"
-  - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/background_migration/**/*"
   - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/background_migration{,_spec}.rb"
+  - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/background_migration/**/*"
+  - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/database{,_spec}.rb"
+  - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/database/**/*"
   - "{,ee/,jh/}spec/support/helpers/database/**/*"
   - "{,ee/,jh/}spec/support/helpers/migrations_helpers/**/*"
-  - "lib/gitlab/markdown_cache/active_record/**/*"
   - "lib/api/admin/batched_background_migrations.rb"
+  - "lib/gitlab/markdown_cache/active_record/**/*"
   - "spec/requests/api/admin/batched_background_migrations_spec.rb"
   - "config/prometheus/common_metrics.yml"  # Used by Gitlab::DatabaseImporters::CommonMetrics::Importer
   - "{,ee/,jh/}app/models/project_statistics.rb"  # Used to calculate sizes in migration specs
@@ -378,7 +391,7 @@
   - ".browserslistrc"
   - "babel.config.js"
   - "jest.config.{base,integration,unit}.js"
-  - ".csscomb.json"
+  - ".stylelintrc"
   - "Dockerfile.assets"
   - "vendor/assets/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
@@ -403,7 +416,7 @@
   - ".browserslistrc"
   - "babel.config.js"
   - "jest.config.{base,integration,unit}.js"
-  - ".csscomb.json"
+  - ".stylelintrc"
   - "Dockerfile.assets"
   - "vendor/assets/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
@@ -434,7 +447,7 @@
   - ".browserslistrc"
   - "babel.config.js"
   - "jest.config.{base,integration,unit}.js"
-  - ".csscomb.json"
+  - ".stylelintrc"
   - "Dockerfile.assets"
   - "vendor/assets/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
@@ -461,7 +474,7 @@
   - ".browserslistrc"
   - "babel.config.js"
   - "jest.config.{base,integration,unit}.js"
-  - ".csscomb.json"
+  - ".stylelintrc"
   - "Dockerfile.assets"
   - "vendor/assets/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
@@ -499,7 +512,7 @@
   - ".browserslistrc"
   - "babel.config.js"
   - "jest.config.{base,integration,unit}.js"
-  - ".csscomb.json"
+  - ".stylelintrc"
   - "Dockerfile.assets"
   - "vendor/assets/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
@@ -547,6 +560,7 @@
   - "{,ee/,jh/}Gemfile.lock"  # This should include gitlab-styles, rubocop itself, and any plugins we might be using
   - "lib/gitlab_edition.rb"  # This is required in RuboCop::CodeReuseHelpers
   - ".gitlab/ci/static-analysis.gitlab-ci.yml"
+  - "config/feature_categories.yml"  # Used by RSpec/InvalidFeatureCategory
 
 .danger-patterns: &danger-patterns
   - "Dangerfile"
@@ -590,6 +604,8 @@
       when: never
     - <<: *if-merge-request-targeting-stable-branch
       when: never
+    - <<: *if-merge-request-labels-pipeline-expedite
+      when: never
 
 .rails:rules:predictive-default-rules:
   rules:
@@ -679,6 +695,7 @@
   rules:
     - <<: *if-schedule-maintenance
     - <<: *if-security-schedule
+    - <<: *if-foss-schedule
     - <<: *if-merge-request-labels-update-caches
 
 .shared:rules:update-gitaly-binaries-cache:
@@ -690,7 +707,7 @@
 ######################
 # Build images rules #
 ######################
-.build-images:rules:build-qa-image:
+.build-images:rules:build-qa-image-merge-requests:
   rules:
     - <<: *if-not-canonical-namespace
       when: never
@@ -700,18 +717,44 @@
       changes: *ci-build-images-patterns
     - <<: *if-dot-com-gitlab-org-and-security-merge-request
       changes: *code-qa-patterns
+
+.build-images:rules:build-qa-image:
+  rules:
+    - !reference [".build-images:rules:build-qa-image-merge-requests", "rules"]
     - <<: *if-auto-deploy-branches
       variables:
         ARCH: amd64,arm64
-    - <<: *if-default-branch-or-tag
+    - <<: *if-default-branch-refs
+      variables:
+        ARCH: amd64,arm64
+    - <<: *if-tag
       variables:
         ARCH: amd64,arm64
+      # TODO: Remove once confirmed on a tag pipeline
+      allow_failure: true
     - <<: *if-dot-com-gitlab-org-schedule
       variables:
         ARCH: amd64,arm64
     - <<: *if-force-ci
     - <<: *if-ruby2-branch
 
+.build-images:rules:build-qa-image-as-if-foss:
+  rules:
+    - !reference [".build-images:rules:build-qa-image-merge-requests", "rules"]
+
+# We want to rebuild the master image when the full e2e test pipeline runs. Currently this happens on a 2 hour schedule.
+.build-images:rules:build-qa-on-gdk-master-image:
+  rules:
+    - if: '$QA_RUN_TESTS_ON_GDK !~ /true|yes|1/i'
+      when: never
+    - <<: *if-not-canonical-namespace
+      when: never
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-dot-com-gitlab-org-schedule
+      variables:
+        ARCH: amd64,arm64
+
 .build-images:rules:build-assets-image:
   rules:
     - <<: *if-not-canonical-namespace
@@ -822,6 +865,11 @@
     - <<: *if-default-refs
       changes: *docs-patterns
 
+.docs:rules:docs-blueprints-lint:
+  rules:
+    - <<: *if-default-refs
+      changes: *docs-blueprints-patterns
+
 .docs:rules:deprecations-and-removals:
   rules:
     - <<: *if-default-refs
@@ -1036,7 +1084,7 @@
     - <<: *if-default-branch-refs
       changes: *frontend-build-patterns
       allow_failure: true
-    - if: '$DANGER_GITLAB_API_TOKEN && $CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH'
+    - if: '$DANGER_GITLAB_API_TOKEN && ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH'
       changes: *frontend-build-patterns
       allow_failure: true
 
@@ -1109,7 +1157,7 @@
       allow_failure: true
     - <<: *if-ruby2-branch
 
-.qa:rules:package-and-test:
+.qa:rules:package-and-test-mrs:
   rules:
     - <<: *if-not-canonical-namespace
       when: never
@@ -1121,6 +1169,8 @@
       allow_failure: true
     - <<: *if-ruby2-branch
       allow_failure: true
+    - <<: *if-merge-request-labels-run-all-e2e
+      allow_failure: true
     - <<: *if-dot-com-gitlab-org-and-security-merge-request-manual-ff-package-and-e2e
       changes: *feature-flag-development-config-patterns
       when: manual
@@ -1129,6 +1179,9 @@
       changes: *feature-flag-development-config-patterns
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-and-security-merge-request
+      changes: *initializers-patterns
+      allow_failure: true
+    - <<: *if-dot-com-gitlab-org-and-security-merge-request
       changes: *nodejs-patterns
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-and-security-merge-request
@@ -1144,6 +1197,13 @@
       changes: *code-patterns
       when: manual
       allow_failure: true
+    - <<: *if-force-ci
+      when: manual
+      allow_failure: true
+
+.qa:rules:package-and-test:
+  rules:
+    - !reference [".qa:rules:package-and-test-mrs", rules]
     - <<: *if-dot-com-gitlab-org-schedule
       allow_failure: true
       variables:
@@ -1152,9 +1212,12 @@
         KNAPSACK_GENERATE_REPORT: "true"
         QA_SAVE_TEST_METRICS: "true"
         QA_EXPORT_TEST_METRICS: "false" # on main runs, metrics are exported to separate bucket via rake task for better consistency
-    - <<: *if-force-ci
-      when: manual
-      allow_failure: true
+
+.qa:rules:e2e:test-on-gdk:
+  rules:
+    - if: '$QA_RUN_TESTS_ON_GDK !~ /true|yes|1/i'
+      when: never
+    - !reference [".qa:rules:package-and-test", rules]
 
 ###############
 # Rails rules #
@@ -1172,6 +1235,12 @@
       changes: *db-patterns
     - <<: *if-default-branch-schedule-nightly
 
+.rails:rules:db:check-migrations-single-db:
+  rules:
+    - <<: *if-merge-request-labels-run-single-db
+    - <<: *if-merge-request
+      changes: *db-patterns
+
 .rails:rules:db-backup:
   rules:
     - <<: *if-merge-request-labels-run-all-rspec
@@ -1182,6 +1251,15 @@
     - <<: *if-default-refs
       changes: *db-patterns
 
+.rails:rules:db-rollback:
+  rules:
+    - !reference [".rails:rules:ee-and-foss-migration", rules]
+    - <<: *if-default-refs
+      changes: *initializers-patterns
+    - <<: *if-default-refs
+      changes:
+        - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/content_security_policy/config_loader{,_spec}.rb"
+
 .rails:rules:praefect-with-db:
   rules:
     - if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:run-praefect-with-db/'
@@ -1542,9 +1620,9 @@
 .rails:rules:detect-tests:
   rules:
     - <<: *if-merge-request-labels-run-all-rspec
-    - <<: *if-default-refs
+    - <<: *if-merge-request
       changes: *code-backstage-qa-patterns
-    - <<: *if-default-refs
+    - <<: *if-merge-request
       changes: *workhorse-patterns
 
 .rails:rules:detect-previous-failed-tests:
@@ -1720,6 +1798,24 @@
     - <<: *if-merge-request
       changes: *static-analysis-patterns
 
+.semgrep-appsec-custom-rules:rules:
+  rules:
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-merge-request
+      changes: *code-backstage-qa-patterns
+
+.ping-appsec-for-sast-findings:rules:
+  rules:
+    # Requiring $CUSTOM_SAST_RULES_BOT_PAT prevents the bot from running on forks or CE
+    # Without it the script would fail too.
+    - if: "$CUSTOM_SAST_RULES_BOT_PAT == null"
+      when: never
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-merge-request
+      changes: *code-backstage-qa-patterns
+
 #######################
 # Vendored gems rules #
 #######################
@@ -1784,6 +1880,12 @@
       changes: ["vendor/gems/devise-pbkdf2-encryptable/**/*"]
     - <<: *if-merge-request-labels-run-all-rspec
 
+.vendor:rules:gitlab_active_record:
+  rules:
+    - <<: *if-merge-request
+      changes: ["vendor/gems/gitlab_active_record/**/*"]
+    - <<: *if-merge-request-labels-run-all-rspec
+
 .vendor:rules:bundler-checksum:
   rules:
     - <<: *if-merge-request
@@ -1883,12 +1985,6 @@
     - <<: *if-default-refs
       changes: *nodejs-patterns
 
-.reports:rules:schedule-dast:
-  rules:
-    - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
-      when: never
-    - <<: *if-dot-com-ee-schedule-nightly-child-pipeline
-
 .reports:rules:test-dast:
   rules:
     - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
@@ -1971,32 +2067,10 @@
         QA_SAVE_TEST_METRICS: "true"
         QA_EXPORT_TEST_METRICS: "false" # on main runs, metrics are exported to separate bucket via rake task for better consistency
 
-.review:rules:review-build-cng:
-  rules:
-    - when: always
-
-.review:rules:review-deploy:
-  rules:
-    - when: on_success
-
-.review:rules:review-performance:
-  rules:
-    - if: '$DAST_RUN == "true"'  # Skip this job when DAST is run
-      when: never
-    - <<: *if-merge-request-labels-run-review-app  # we explicitely don't allow the job to fail in that case
-    - <<: *if-dot-com-gitlab-org-merge-request  # we explicitely don't allow the job to fail in that case
-      changes: *ci-review-patterns
-    - when: on_success
-      allow_failure: true
-
-.review:rules:review-delete-deployment:
-  rules:
-    - when: on_success
-
 # The following rules needs to be the same as the one for .review:rules:start-review-app-pipeline
 # except that:
 # - all rules have `when: manual` and `allow_failure: true` here
-.review:rules:review-cleanup:
+.review:rules:review-stop-merge-requests:
   rules:
     - <<: *if-not-ee
       when: never
@@ -2033,12 +2107,23 @@
       changes: *code-patterns
       when: manual
       allow_failure: true
+
+.review:rules:review-cleanup:
+  rules:
+    - !reference [".review:rules:review-stop-merge-requests", rules]
+    - <<: *if-dot-com-ee-schedule-default-branch-maintenance
+      allow_failure: true
+
+.review:rules:review-stop:
+  rules:
+    - !reference [".review:rules:review-stop-merge-requests", rules]
     - <<: *if-dot-com-gitlab-org-schedule
+      when: manual
       allow_failure: true
 
 .review:rules:review-k8s-resources-count-checks:
   rules:
-    - <<: *if-dot-com-gitlab-org-schedule
+    - <<: *if-dot-com-ee-schedule-default-branch-maintenance
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-merge-request
       changes:
@@ -2047,18 +2132,13 @@
 
 .review:rules:review-gcp-quotas-checks:
   rules:
-    - <<: *if-dot-com-gitlab-org-schedule
+    - <<: *if-dot-com-ee-schedule-default-branch-maintenance
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-merge-request
       changes:
         - "scripts/review_apps/gcp-quotas-checks.rb"
       allow_failure: true
 
-.review:rules:review-stop:
-  rules:
-    - when: manual
-      allow_failure: true
-
 .review:rules:danger:
   rules:
     - <<: *if-merge-request
@@ -2098,6 +2178,11 @@
     - <<: *if-default-refs
       changes: *code-backstage-patterns
 
+.setup:rules:rails-production-environment:
+  rules:
+    - <<: *if-default-refs
+      changes: *code-patterns
+
 .setup:rules:no-ee-check:
   rules:
     - <<: *if-not-foss
@@ -2134,7 +2219,7 @@
     - <<: *if-not-ee
       when: never
     - <<: *if-dot-com-ee-schedule-default-branch-maintenance
-    - <<: *if-default-refs
+    - <<: *if-default-branch-refs
       changes:
         - ".gitlab/ci/setup.gitlab-ci.yml"
         - ".gitlab/ci/test-metadata.gitlab-ci.yml"
@@ -2156,7 +2241,8 @@
     - <<: *if-not-ee
       when: never
     - <<: *if-dot-com-ee-schedule-default-branch-maintenance
-    - <<: *if-default-refs
+      when: always
+    - <<: *if-default-branch-refs
       changes:
         - ".gitlab/ci/test-metadata.gitlab-ci.yml"
         - "scripts/rspec_helpers.sh"
diff --git a/.gitlab/ci/setup.gitlab-ci.yml b/.gitlab/ci/setup.gitlab-ci.yml
index 852c4739d9d..298d5c4ae08 100644
--- a/.gitlab/ci/setup.gitlab-ci.yml
+++ b/.gitlab/ci/setup.gitlab-ci.yml
@@ -128,6 +128,7 @@ detect-tests:
     - source ./scripts/rspec_helpers.sh
     - install_gitlab_gem
     - install_tff_gem
+    - install_activesupport_gem
     - retrieve_tests_mapping
     - retrieve_frontend_fixtures_mapping
     - |
@@ -135,12 +136,14 @@ detect-tests:
         mkdir -p $(dirname "$RSPEC_CHANGED_FILES_PATH")
         tooling/bin/find_changes ${RSPEC_CHANGED_FILES_PATH};
         tooling/bin/find_tests ${RSPEC_CHANGED_FILES_PATH} ${RSPEC_MATCHING_TESTS_PATH};
+        tooling/bin/js_to_system_specs_mappings ${RSPEC_CHANGED_FILES_PATH} ${RSPEC_MATCHING_TESTS_PATH};
         tooling/bin/find_changes ${RSPEC_CHANGED_FILES_PATH} ${RSPEC_MATCHING_TESTS_PATH} ${FRONTEND_FIXTURES_MAPPING_PATH};
         filter_rspec_matched_foss_tests ${RSPEC_MATCHING_TESTS_PATH} ${RSPEC_MATCHING_TESTS_FOSS_PATH};
+        filter_rspec_matched_ee_tests ${RSPEC_MATCHING_TESTS_PATH} ${RSPEC_MATCHING_TESTS_EE_PATH};
         tooling/bin/view_to_js_mappings ${RSPEC_CHANGED_FILES_PATH} ${RSPEC_MATCHING_JS_FILES_PATH};
         echoinfo "Changed files: $(cat $RSPEC_CHANGED_FILES_PATH)";
-        echoinfo "Related RSpec tests: $(cat $RSPEC_MATCHING_TESTS_PATH)";
         echoinfo "Related FOSS RSpec tests: $(cat $RSPEC_MATCHING_TESTS_FOSS_PATH)";
+        echoinfo "Related EE RSpec tests: $(cat $RSPEC_MATCHING_TESTS_EE_PATH)";
         echoinfo "Related JS files: $(cat $RSPEC_MATCHING_JS_FILES_PATH)";
       fi
   artifacts:
@@ -149,8 +152,9 @@ detect-tests:
       - ${FRONTEND_FIXTURES_MAPPING_PATH}
       - ${RSPEC_CHANGED_FILES_PATH}
       - ${RSPEC_MATCHING_JS_FILES_PATH}
-      - ${RSPEC_MATCHING_TESTS_FOSS_PATH}
       - ${RSPEC_MATCHING_TESTS_PATH}
+      - ${RSPEC_MATCHING_TESTS_FOSS_PATH}
+      - ${RSPEC_MATCHING_TESTS_EE_PATH}
 
 detect-previous-failed-tests:
   extends:
@@ -158,12 +162,10 @@ detect-previous-failed-tests:
     - .rails:rules:detect-previous-failed-tests
   variables:
     PREVIOUS_FAILED_TESTS_DIR: tmp/previous_failed_tests/
-    RSPEC_PG_REGEX: /rspec .+ pg12( .+)?/
-    RSPEC_EE_PG_REGEX: /rspec-ee .+ pg12( .+)?/
   script:
     - source ./scripts/utils.sh
     - source ./scripts/rspec_helpers.sh
-    - retrieve_previous_failed_tests ${PREVIOUS_FAILED_TESTS_DIR} "${RSPEC_PG_REGEX}" "${RSPEC_EE_PG_REGEX}"
+    - retrieve_failed_tests "${PREVIOUS_FAILED_TESTS_DIR}" "oneline" "previous"
   artifacts:
     expire_in: 7d
     paths:
diff --git a/.gitlab/ci/static-analysis.gitlab-ci.yml b/.gitlab/ci/static-analysis.gitlab-ci.yml
index 13013d9a9db..d546c79aab9 100644
--- a/.gitlab/ci/static-analysis.gitlab-ci.yml
+++ b/.gitlab/ci/static-analysis.gitlab-ci.yml
@@ -183,3 +183,37 @@ feature-flags-usage:
     when: always
     paths:
       - tmp/feature_flags/
+
+semgrep-appsec-custom-rules:
+  stage: lint
+  extends:
+    - .semgrep-appsec-custom-rules:rules
+  image: returntocorp/semgrep
+  needs: []
+  script:
+    # Required to avoid a timeout https://github.com/returntocorp/semgrep/issues/5395
+    - git fetch origin master
+    # Include/exclude list isn't ideal https://github.com/returntocorp/semgrep/issues/5399
+    - |
+      semgrep ci --gitlab-sast --metrics off --config $CUSTOM_RULES_URL \
+        --include app --include lib --include workhorse \
+        --exclude '*_test.go' --exclude spec --exclude qa > gl-sast-report.json || true
+  variables:
+    CUSTOM_RULES_URL: https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules/-/raw/main/appsec-pings/rules.yml
+  artifacts:
+    paths:
+      - gl-sast-report.json
+
+ping-appsec-for-sast-findings:
+  stage: lint
+  image: alpine:latest
+  extends:
+    - .ping-appsec-for-sast-findings:rules
+  variables:
+    # Project Access Token bot ID for /gitlab-com/gl-security/appsec/sast-custom-rules
+    BOT_USER_ID: 13559989
+  needs:
+    - semgrep-appsec-custom-rules
+  script:
+    - apk add jq curl
+    - scripts/process_custom_semgrep_results.sh
diff --git a/.gitlab/ci/test-metadata.gitlab-ci.yml b/.gitlab/ci/test-metadata.gitlab-ci.yml
index 3f6760394c4..176a0b67d66 100644
--- a/.gitlab/ci/test-metadata.gitlab-ci.yml
+++ b/.gitlab/ci/test-metadata.gitlab-ci.yml
@@ -37,10 +37,12 @@ update-tests-metadata:
     - rspec unit pg12
     - rspec integration pg12
     - rspec system pg12
+    - rspec background_migration pg12
     - rspec-ee migration pg12
     - rspec-ee unit pg12
     - rspec-ee integration pg12
     - rspec-ee system pg12
+    - rspec-ee background_migration pg12
   script:
     - run_timed_command "retry gem install fog-aws mime-types activesupport rspec_profiling postgres-copy --no-document"
     - source ./scripts/rspec_helpers.sh
diff --git a/.gitlab/ci/test-on-gdk/main.gitlab-ci.yml b/.gitlab/ci/test-on-gdk/main.gitlab-ci.yml
new file mode 100644
index 00000000000..a04d81fb342
--- /dev/null
+++ b/.gitlab/ci/test-on-gdk/main.gitlab-ci.yml
@@ -0,0 +1,81 @@
+default:
+  interruptible: true
+
+include:
+  - local: .gitlab/ci/package-and-test/rules.gitlab-ci.yml
+
+dont-interrupt-me:
+  extends: .rules:dont-interrupt
+  stage: test
+  interruptible: false
+  script:
+    - echo "This jobs makes sure this pipeline won't be interrupted! See https://docs.gitlab.com/ee/ci/yaml/#interruptible."
+
+.run-tests:
+  stage: test
+  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images/debian-bullseye-ruby-${RUBY_VERSION}:bundler-2.3-chrome-${CHROME_VERSION}-docker-${DOCKER_VERSION}
+  services:
+    - docker:${DOCKER_VERSION}-dind
+  tags:
+    - e2e
+  before_script:
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+    - sysctl -n -w fs.inotify.max_user_watches=524288
+  variables:
+    DOCKER_DRIVER: overlay2
+    DOCKER_HOST: tcp://docker:2375
+    QA_GDK_IMAGE: "${CI_REGISTRY}/${CI_PROJECT_PATH}/gitlab-qa-gdk:master"
+    QA_GENERATE_ALLURE_REPORT: "false"
+    QA_CAN_TEST_PRAEFECT: "false"
+    QA_INTERCEPT_REQUESTS: "false"
+    QA_RUN_TYPE: e2e-test-on-gdk
+    TEST_LICENSE_MODE: $QA_TEST_LICENSE_MODE
+    EE_LICENSE: $QA_EE_LICENSE
+    GITHUB_ACCESS_TOKEN: $QA_GITHUB_ACCESS_TOKEN
+    GITLAB_QA_ADMIN_ACCESS_TOKEN: $QA_ADMIN_ACCESS_TOKEN
+    QA_KNAPSACK_REPORTS: qa-smoke,ee-instance-parallel
+  timeout: 2 hours
+  artifacts:
+    when: always
+    paths:
+      - test_output
+      - logs
+    expire_in: 7 days
+  script:
+    - echo -e "\e[0Ksection_start:`date +%s`:pull_image\r\e[0KPull GDK QA image"
+    - docker pull ${QA_GDK_IMAGE}
+    - echo -e "\e[0Ksection_end:`date +%s`:pull_image\r\e[0K"
+    - echo -e "\e[0Ksection_start:`date +%s`:launch_gdk_and_tests\r\e[0KLaunch GDK and run QA tests"
+    - cd qa && bundle install --jobs=$(nproc) --retry=3 --quiet
+    - mkdir -p $CI_PROJECT_DIR/test_output $CI_PROJECT_DIR/logs/gdk $CI_PROJECT_DIR/logs/gitlab
+    # This command matches the permissions of the user that runs GDK inside the container.
+    - chown -R 1000:1000 $CI_PROJECT_DIR/test_output $CI_PROJECT_DIR/logs
+    - |
+      docker run --rm --name gdk --add-host gdk.test:127.0.0.1 --shm-size=2gb \
+        --env-file <(bundle exec rake ci:env_var_name_list) \
+        --volume /var/run/docker.sock:/var/run/docker.sock:z \
+        --volume $CI_PROJECT_DIR/test_output:/home/gdk/gdk/gitlab/qa/tmp:z \
+        --volume $CI_PROJECT_DIR/logs/gdk:/home/gdk/gdk/log \
+        --volume $CI_PROJECT_DIR/logs/gitlab:/home/gdk/gdk/gitlab/log \
+        ${QA_GDK_IMAGE} "${CI_COMMIT_REF_SLUG}" "$TEST_GDK_TAGS --tag ~requires_praefect" || true
+    - echo -e "\e[0Ksection_end:`date +%s`:launch_gdk_and_tests\r\e[0K"
+  allow_failure: true
+
+test-on-gdk-smoke:
+  extends:
+    - .run-tests
+  parallel: 2
+  variables:
+    TEST_GDK_TAGS: "--tag smoke"
+    QA_KNAPSACK_REPORT_NAME: qa-smoke
+  rules:
+    - when: always
+
+test-on-gdk-full:
+  extends:
+    - .run-tests
+  parallel: 5
+  variables:
+    QA_KNAPSACK_REPORT_NAME: ee-instance-parallel
+  rules:
+    - when: manual
diff --git a/.gitlab/ci/vendored-gems.gitlab-ci.yml b/.gitlab/ci/vendored-gems.gitlab-ci.yml
index a22ac5337f6..1086d9074d2 100644
--- a/.gitlab/ci/vendored-gems.gitlab-ci.yml
+++ b/.gitlab/ci/vendored-gems.gitlab-ci.yml
@@ -85,3 +85,11 @@ vendor bundler-checksum:
   trigger:
     include: vendor/gems/bundler-checksum/.gitlab-ci.yml
     strategy: depend
+
+vendor gitlab_active_record:
+  extends:
+    - .vendor:rules:gitlab_active_record
+  needs: []
+  trigger:
+    include: vendor/gems/gitlab_active_record/.gitlab-ci.yml
+    strategy: depend