
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2023-06-20 09:07:06 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-06-20 09:07:06 +0300
commitdd4c30182c16fe27efbbf4c19594bb292fb4ac48 (patch)
tree3d2e0235a0ab5333a6a2d4990da409640dd2d26f
parentaccf0d7db3d58a62212125703df39e341d327ec6 (diff)
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--.rubocop_todo/lint/empty_class.yml4
-rw-r--r--GITALY_SERVER_VERSION2
-rw-r--r--app/models/merge_request/diff_llm_summary.rb14
-rw-r--r--app/policies/merge_request_policy.rb8
-rw-r--r--app/validators/json_schemas/scan_result_policy_vulnerability_attributes.json14
-rw-r--r--db/migrate/20230613122211_add_vulnerability_attributes_to_scan_result_policies.rb7
-rw-r--r--db/schema_migrations/202306131222111
-rw-r--r--db/structure.sql1
-rw-r--r--doc/administration/audit_event_streaming/index.md19
-rw-r--r--doc/user/group/compliance_frameworks.md3
-rw-r--r--doc/user/project/merge_requests/approvals/index.md4
-rw-r--r--qa/gdk/Dockerfile.gdk1
-rw-r--r--spec/lib/gitlab/background_migration/legacy_upload_mover_spec.rb2
-rw-r--r--spec/lib/gitlab/import_export/all_models.yml1
-rw-r--r--spec/lib/gitlab/multi_destination_logger_spec.rb3
-rw-r--r--spec/models/concerns/batch_destroy_dependent_associations_spec.rb2
-rw-r--r--spec/models/merge_request/diff_llm_summary_spec.rb18
-rw-r--r--spec/policies/merge_request_policy_spec.rb31
-rw-r--r--spec/requests/api/statistics_spec.rb2
19 files changed, 91 insertions, 46 deletions
diff --git a/.rubocop_todo/lint/empty_class.yml b/.rubocop_todo/lint/empty_class.yml
deleted file mode 100644
index c8caff58c35..00000000000
--- a/.rubocop_todo/lint/empty_class.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-Lint/EmptyClass:
- Exclude:
- - 'spec/lib/gitlab/multi_destination_logger_spec.rb'
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index 829f41679b2..6dd25430c9e 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-d687ebe4b114fce6d74deed3d7f45c0b58e3bbc4
+c8e24f24ed55dc90cd7f3ad4272421b4fce368f7
diff --git a/app/models/merge_request/diff_llm_summary.rb b/app/models/merge_request/diff_llm_summary.rb
deleted file mode 100644
index e13fe5e1f50..00000000000
--- a/app/models/merge_request/diff_llm_summary.rb
+++ /dev/null
@@ -1,14 +0,0 @@
-# rubocop:disable Style/ClassAndModuleChildren
-# frozen_string_literal: true
-
-class MergeRequest::DiffLlmSummary < ApplicationRecord
- belongs_to :merge_request_diff
- belongs_to :user, optional: true
-
- validates :merge_request_diff_id, uniqueness: true
- validates :provider, presence: true
- validates :content, presence: true, length: { maximum: 2056 }
-
- enum provider: { openai: 0 }
-end
-# rubocop:enable Style/ClassAndModuleChildren
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index 49f9225a1d3..090be645b21 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -16,6 +16,10 @@ class MergeRequestPolicy < IssuablePolicy
prevent :accept_merge_request
end
+ rule { can?(:read_merge_request) }.policy do
+ enable :generate_diff_summary
+ end
+
rule { can_approve }.policy do
enable :approve_merge_request
end
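Review bot: The new `rule { can?(:read_merge_request) }` block grants `generate_diff_summary` to every principal that can read the merge request, and no further condition is visible in this hunk. On a public project, read access may extend to non-members. If this ability leads to diff content being sent to an external LLM provider (inferred from the name; the consumer is not on this page), any reader could drive that cost and data flow. If the loose gate is intended, say so next to the rule, e.g. `# Any reader may request a diff summary; licence and rate-limit checks live in <service name>`, otherwise tighten the condition to the intended role. The class body continues outside the hunk.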
@@ -43,6 +47,10 @@ class MergeRequestPolicy < IssuablePolicy
enable :set_merge_request_metadata
end
+ rule { llm_bot }.policy do
+ enable :generate_diff_summary
+ end
+
private
def can_approve?
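Review bot: `rule { llm_bot }` enables `generate_diff_summary` unconditionally, so the bot passes this check for every merge request, including ones in projects it cannot read (the accompanying spec asserts exactly that). The ability is therefore no boundary for bot-initiated work: whatever hands work to the bot must first have authorized the requesting user against this merge request. I would record that contract beside the rule, e.g. `# llm_bot is not a project member; the requesting user must already hold generate_diff_summary before work is handed to the bot`. The `llm_bot` condition is defined outside this hunk, so confirm it matches only the dedicated bot user type.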
diff --git a/app/validators/json_schemas/scan_result_policy_vulnerability_attributes.json b/app/validators/json_schemas/scan_result_policy_vulnerability_attributes.json
new file mode 100644
index 00000000000..e0051179a1d
--- /dev/null
+++ b/app/validators/json_schemas/scan_result_policy_vulnerability_attributes.json
@@ -0,0 +1,14 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "description": "Scan result policy vulnerability_attributes",
+ "type": "object",
+ "properties": {
+ "false_positive": {
+ "type": "boolean"
+ },
+ "fix_available": {
+ "type": "boolean"
+ }
+ },
+ "additionalProperties": false
+}
diff --git a/db/migrate/20230613122211_add_vulnerability_attributes_to_scan_result_policies.rb b/db/migrate/20230613122211_add_vulnerability_attributes_to_scan_result_policies.rb
new file mode 100644
index 00000000000..c3467efe4af
--- /dev/null
+++ b/db/migrate/20230613122211_add_vulnerability_attributes_to_scan_result_policies.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddVulnerabilityAttributesToScanResultPolicies < Gitlab::Database::Migration[2.1]
+ def change
+ add_column :scan_result_policies, :vulnerability_attributes, :jsonb, default: {}
+ end
+end
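Review bot: The new `vulnerability_attributes` column gets `default: {}` but stays nullable, so a row can hold SQL NULL as well as `{}`, while the JSON schema added in this commit accepts only an object. If policy evaluation treats missing attributes as "no filter", NULL and `{}` should not be two distinct states; consider `add_column :scan_result_policies, :vulnerability_attributes, :jsonb, default: {}, null: false`. No model change wiring the schema to this column is visible on this page, so confirm the validator is actually applied on write.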
diff --git a/db/schema_migrations/20230613122211 b/db/schema_migrations/20230613122211
new file mode 100644
index 00000000000..ccdecf69019
--- /dev/null
+++ b/db/schema_migrations/20230613122211
@@ -0,0 +1 @@
+da2cc429052e2db307e8eff2de61049ce93db4a7f6321a265889edeff1e7897d \ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 073fd5e31fa..c579b085c82 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -22303,6 +22303,7 @@ CREATE TABLE scan_result_policies (
age_value integer,
age_operator smallint,
age_interval smallint,
+ vulnerability_attributes jsonb DEFAULT '{}'::jsonb,
CONSTRAINT age_value_null_or_positive CHECK (((age_value IS NULL) OR (age_value >= 0)))
);
diff --git a/doc/administration/audit_event_streaming/index.md b/doc/administration/audit_event_streaming/index.md
index 44c6cff7455..22670e95d49 100644
--- a/doc/administration/audit_event_streaming/index.md
+++ b/doc/administration/audit_event_streaming/index.md
@@ -226,6 +226,25 @@ To list streaming destinations for an instance and see the verification tokens:
1. On the main area, select the **Streams**.
1. View the verification token on the right side of each item.
+## Event type filters
+
+> Event type filtering in the UI with a defined list of audit event types [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/413581) in GitLab 16.1.
+
+When this feature is enabled for a group, you can permit users to filter streamed audit events per destination.
+If the feature is enabled with no filters, the destination receives all audit events.
+
+A streaming destination that has an event type filter set has a **filtered** (**{filter}**) label.
+
+To update a streaming destination's event filters:
+
+1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
+1. Select **Secure > Audit events**.
+1. On the main area, select the **Streams** tab.
+1. To the right of the item, select **Edit** (**{pencil}**).
+1. Select **Filter by stream event**.
+1. Select the dropdown list and select or clear the required event types.
+1. Select **Save** to update the event filters.
+
## Override default content type header
By default, streaming destinations use a `content-type` header of `application/x-www-form-urlencoded`. However, you
diff --git a/doc/user/group/compliance_frameworks.md b/doc/user/group/compliance_frameworks.md
index 0ba329a8963..55d096a654e 100644
--- a/doc/user/group/compliance_frameworks.md
+++ b/doc/user/group/compliance_frameworks.md
@@ -12,7 +12,8 @@ info: To determine the technical writer assigned to the Stage/Group associated w
You can create a compliance framework that is a label to identify that your project has certain compliance
requirements or needs additional oversight. The label can optionally enforce
[compliance pipeline configuration](#compliance-pipelines) to the projects on which it is
-[applied](../project/settings/index.md#add-a-compliance-framework-to-a-project).
+applied. Refer to our
+applied. For more information, see [Add a compliance framework to a project](../project/settings/index.md#add-a-compliance-framework-to-a-project).
Compliance frameworks are created on top-level groups. Group owners can create, edit, and delete compliance frameworks:
diff --git a/doc/user/project/merge_requests/approvals/index.md b/doc/user/project/merge_requests/approvals/index.md
index 2a574764954..ad4d32535bd 100644
--- a/doc/user/project/merge_requests/approvals/index.md
+++ b/doc/user/project/merge_requests/approvals/index.md
@@ -115,7 +115,7 @@ FLAG:
On self-managed GitLab, by default this feature is available. To hide the feature,
ask an administrator to [disable the feature flag](../../../../administration/feature_flags.md) named `invalid_scan_result_policy_prevents_merge`.
-Whenever an approval rule cannot be satisfied, the rule is displayed as **(!) Auto approved**. This applies to the following conditions:
+Whenever an approval rule cannot be satisfied, the rule is displayed as **Auto approved**. This applies to the following conditions:
- The only eligible approver is the author of the merge request.
- No eligible approvers (either groups or users) have been assigned to the approval rule.
@@ -124,7 +124,7 @@ Whenever an approval rule cannot be satisfied, the rule is displayed as **(!) Au
These rules are automatically approved to unblock their respective merge requests, unless they were
created through a [scan result policy](../../../application_security/policies/scan-result-policies.md).
Invalid approval rules created through a scan result policy are presented with
-**(!) Action Required** and are not automatically approved, blocking their respective merge requests.
+**Action required** and are not automatically approved, blocking their respective merge requests.
## Related topics
diff --git a/qa/gdk/Dockerfile.gdk b/qa/gdk/Dockerfile.gdk
index cf9cea69056..cdb693841cb 100644
--- a/qa/gdk/Dockerfile.gdk
+++ b/qa/gdk/Dockerfile.gdk
@@ -99,6 +99,7 @@ RUN set -eux; \
#
COPY --chown=gdk:gdk Gemfile Gemfile.lock ./gitlab/
COPY --chown=gdk:gdk vendor/gems ./gitlab/vendor/gems
+COPY --chown=gdk:gdk gems ./gitlab/gems
RUN make .gitlab-bundle && rm -rf ${GEM_HOME}/cache
# Install gitlab npm dependencies
diff --git a/spec/lib/gitlab/background_migration/legacy_upload_mover_spec.rb b/spec/lib/gitlab/background_migration/legacy_upload_mover_spec.rb
index c522c8b307f..71e9a568370 100644
--- a/spec/lib/gitlab/background_migration/legacy_upload_mover_spec.rb
+++ b/spec/lib/gitlab/background_migration/legacy_upload_mover_spec.rb
@@ -139,7 +139,7 @@ RSpec.describe Gitlab::BackgroundMigration::LegacyUploadMover, :aggregate_failur
end
context 'when an upload belongs to a legacy_diff_note' do
- let!(:merge_request) { create(:merge_request, source_project: project) }
+ let!(:merge_request) { create(:merge_request, :skip_diff_creation, source_project: project) }
let!(:note) do
create(:legacy_diff_note_on_merge_request,
diff --git a/spec/lib/gitlab/import_export/all_models.yml b/spec/lib/gitlab/import_export/all_models.yml
index f6bdbc86cc5..0340c7db75d 100644
--- a/spec/lib/gitlab/import_export/all_models.yml
+++ b/spec/lib/gitlab/import_export/all_models.yml
@@ -249,6 +249,7 @@ merge_request_diff:
- merge_request_diff_commits
- merge_request_diff_detail
- merge_request_diff_files
+- merge_request_diff_llm_summary
merge_request_diff_commits:
- merge_request_diff
- commit_author
diff --git a/spec/lib/gitlab/multi_destination_logger_spec.rb b/spec/lib/gitlab/multi_destination_logger_spec.rb
index e0d76afd9bf..53a8541bcb7 100644
--- a/spec/lib/gitlab/multi_destination_logger_spec.rb
+++ b/spec/lib/gitlab/multi_destination_logger_spec.rb
@@ -2,9 +2,6 @@
require 'spec_helper'
-class FakeLogger
-end
-
class LoggerA < Gitlab::Logger
def self.file_name_noext
'loggerA'
diff --git a/spec/models/concerns/batch_destroy_dependent_associations_spec.rb b/spec/models/concerns/batch_destroy_dependent_associations_spec.rb
index e8d84fe9630..256cd386ce2 100644
--- a/spec/models/concerns/batch_destroy_dependent_associations_spec.rb
+++ b/spec/models/concerns/batch_destroy_dependent_associations_spec.rb
@@ -27,7 +27,7 @@ RSpec.describe BatchDestroyDependentAssociations do
let_it_be(:build) { create(:ci_build, project: project) }
let_it_be(:notification_setting) { create(:notification_setting, project: project) }
let_it_be(:note) { create(:note, project: project) }
- let_it_be(:merge_request) { create(:merge_request, source_project: project) }
+ let_it_be(:merge_request) { create(:merge_request, :skip_diff_creation, source_project: project) }
it 'destroys multiple notes' do
create(:note, project: project)
diff --git a/spec/models/merge_request/diff_llm_summary_spec.rb b/spec/models/merge_request/diff_llm_summary_spec.rb
deleted file mode 100644
index 860457add62..00000000000
--- a/spec/models/merge_request/diff_llm_summary_spec.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe ::MergeRequest::DiffLlmSummary, feature_category: :code_review_workflow do
- let_it_be_with_reload(:project) { create(:project, :repository) }
-
- subject(:merge_request_diff_llm_summary) { build(:merge_request_diff_llm_summary) }
-
- describe 'associations' do
- it { is_expected.to belong_to(:merge_request_diff) }
- it { is_expected.to belong_to(:user).optional }
- it { is_expected.to validate_uniqueness_of(:merge_request_diff_id) }
- it { is_expected.to validate_presence_of(:content) }
- it { is_expected.to validate_length_of(:content).is_at_most(2056) }
- it { is_expected.to validate_presence_of(:provider) }
- end
-end
diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb
index c21e1244402..285f52956eb 100644
--- a/spec/policies/merge_request_policy_spec.rb
+++ b/spec/policies/merge_request_policy_spec.rb
@@ -462,6 +462,37 @@ RSpec.describe MergeRequestPolicy do
end
end
+ context 'when enabling generate diff summary permission' do
+ let_it_be(:project) { create(:project) }
+ let_it_be(:mr) { create(:merge_request, target_project: project, source_project: project) }
+ let_it_be(:user) { create(:user) }
+ let(:policy) { permissions(user, mr) }
+
+ context 'when can read_merge_request' do
+ before do
+ project.add_developer(user)
+ end
+
+ it 'allows to generate_diff_summary' do
+ expect(policy).to be_allowed(:generate_diff_summary)
+ end
+ end
+
+ context 'when can not read_merge_request' do
+ it 'does not allow to generate_diff_summary' do
+ expect(policy).not_to be_allowed(:generate_diff_summary)
+ end
+
+ context 'and when is the LLM bot' do
+ let(:user) { create(:user, :llm_bot) }
+
+ it 'allows to generate_diff_summary' do
+ expect(policy).to be_allowed(:generate_diff_summary)
+ end
+ end
+ end
+ end
+
context 'when the author of the merge request is banned', feature_category: :insider_threat do
let_it_be(:user) { create(:user) }
let_it_be(:admin) { create(:user, :admin) }
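Review bot: The new contexts only use `create(:project)`, which the non-member case relies on being unreadable, so a non-member reading a merge request in a public project is never pinned down. With the policy rule keyed on `can?(:read_merge_request)`, that user would presumably be allowed. Add a context built on `create(:project, :public)` with a non-member user and assert whichever outcome is intended. The bot case is asserted only where the bot lacks read access; a comment there such as `# the bot is authorized independently of project membership` would show this is deliberate. The enclosing `describe` block starts and ends outside this hunk.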
diff --git a/spec/requests/api/statistics_spec.rb b/spec/requests/api/statistics_spec.rb
index baac39abf2c..76190d4e272 100644
--- a/spec/requests/api/statistics_spec.rb
+++ b/spec/requests/api/statistics_spec.rb
@@ -59,7 +59,7 @@ RSpec.describe API::Statistics, 'Statistics', :aggregate_failures, feature_categ
create_list(:note, 2, author: admin, project: projects.first, noteable: issues.first)
create_list(:milestone, 3, project: projects.first)
create(:key, user: admin)
- create(:merge_request, source_project: projects.first)
+ create(:merge_request, :skip_diff_creation, source_project: projects.first)
fork_project(projects.first, admin)
# Make sure the reltuples have been updated