Add latest changes from gitlab-org/gitlab@master

6 files changed, 172 insertions, 63 deletions

diff --git a/doc/ci/yaml/index.md b/doc/ci/yaml/index.md
index 4aa14aebf61..fefd34e855d 100644
--- a/doc/ci/yaml/index.md
+++ b/doc/ci/yaml/index.md
@@ -3959,13 +3959,19 @@ The release name. If omitted, it is populated with the value of `release: tag_na
 
 #### `release:description`
 
-Specifies the long description of the release. You can also specify a file that contains the
-description.
+The long description of the release.
 
-In [GitLab 13.7 and later]((https://gitlab.com/gitlab-org/release-cli/-/merge_requests/67)),
-you can specify a file in `$CI_PROJECT_DIR` that contains the description. The file must be relative
-to the project directory (`$CI_PROJECT_DIR`), and if the file is a symbolic link it can't reside
-outside of `$CI_PROJECT_DIR`. The `./path/to/file` and filename can't contain spaces.
+**Keyword type**: Job keyword. You can use it only as part of a job.
+
+**Possible inputs**:
+
+- A string with the long description.
+- The path to a file that contains the description. Introduced in [GitLab 13.7](https://gitlab.com/gitlab-org/release-cli/-/merge_requests/67).
+  - The file location must be relative to the project directory (`$CI_PROJECT_DIR`).
+  - If the file is a symbolic link, it must be in the `$CI_PROJECT_DIR`.
+  - The `./path/to/file` and filename can't contain spaces.
+
+**Example of `release:description`**:
 
 ```yaml
 job:
@@ -3976,8 +3982,13 @@ job:
 
 #### `release:ref`
 
-If the `release: tag_name` doesn't exist yet, the release is created from `ref`.
-`ref` can be a commit SHA, another tag name, or a branch name.
+The `ref` for the release, if the `release: tag_name` doesn't exist yet.
+
+**Keyword type**: Job keyword. You can use it only as part of a job.
+
+**Possible inputs**:
+
+- A commit SHA, another tag name, or a branch name.
 
 #### `release:milestones`
 
@@ -3985,21 +3996,31 @@ The title of each milestone the release is associated with.
 
 #### `release:released_at`
 
-The date and time when the release is ready. Defaults to the current date and time if not
-defined. Should be enclosed in quotes and expressed in ISO 8601 format.
+The date and time when the release is ready.
 
-```json
+**Possible inputs**:
+
+- A date enclosed in quotes and expressed in ISO 8601 format.
+
+**Example of `release:released_at`**:
+
+```yaml
 released_at: '2021-03-15T08:00:00Z'
 ```
 
+**Additional details**:
+
+- If it is not defined, the current date and time is used.
+
 #### `release:assets:links`
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/271454) in GitLab 13.12.
 
-Include [asset links](../../user/project/releases/index.md#release-assets) in the release.
+Use `release:assets:links` to include [asset links](../../user/project/releases/index.md#release-assets) in the release.
 
-NOTE:
-Requires `release-cli` version v0.4.0 or higher.
+Requires `release-cli` version v0.4.0 or later.
+
+**Example of `release:assets:links`**:
 
 ```yaml
 assets:
diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md
index b3aaf1cf158..32050cf9822 100644
--- a/doc/user/application_security/index.md
+++ b/doc/user/application_security/index.md
@@ -261,6 +261,103 @@ under your project's settings:
 </settings>
 ```
 
+## Using a custom scanning stage
+
+When security scanning is enabled by including CI/CD templates as described in the
+[Security scanning without Auto DevOps](#security-scanning-without-auto-devops) section, the scanning jobs
+use the predefined `test` stage by default. If you specify a custom stage in your `.gitlab-ci.yml` file without
+including a `test` stage, an error occurs.
+
+For example, the following attempts to use a `unit-tests` stage:
+
+```yaml
+include:
+  - template: Security/Dependency-Scanning.gitlab-ci.yml
+  - template: Security/License-Scanning.gitlab-ci.yml
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Security/Secret-Detection.gitlab-ci.yml
+
+stages:
+  - unit-tests
+
+custom job:
+  stage: unit-tests
+  script:
+    - echo "custom job"
+```
+
+The above `.gitlab-ci.yml` causes a linting error:
+
+```plaintext
+Found errors in your .gitlab-ci.yml:
+- dependency_scanning job: chosen stage does not exist; available stages are .pre
+- unit-tests
+- .post
+```
+
+This error appears because the `test` stage used by the security scanning jobs isn't declared in the `.gitlab-ci.yml` file.
+To fix this issue, you can either:
+
+- Add a `test` stage in your `.gitlab-ci.yml`:
+
+  ```yaml
+  include:
+    - template: Security/Dependency-Scanning.gitlab-ci.yml
+    - template: Security/License-Scanning.gitlab-ci.yml
+    - template: Security/SAST.gitlab-ci.yml
+    - template: Security/Secret-Detection.gitlab-ci.yml
+
+  stages:
+    - test
+    - unit-tests
+
+  custom job:
+    stage: unit-tests
+    script:
+      - echo "custom job"
+  ```
+
+- Override the default stage of each security job. For example, to use a pre-defined stage named `unit-tests`:
+
+  ```yaml
+  include:
+    - template: Security/Dependency-Scanning.gitlab-ci.yml
+    - template: Security/License-Scanning.gitlab-ci.yml
+    - template: Security/SAST.gitlab-ci.yml
+    - template: Security/Secret-Detection.gitlab-ci.yml
+
+  stages:
+    - unit-tests
+
+  dependency_scanning:
+    stage: unit-tests
+
+  license_scanning:
+    stage: unit-tests
+
+  sast:
+    stage: unit-tests
+
+  .secret-analyzer:
+    stage: unit-tests
+
+  custom job:
+    stage: unit-tests
+    script:
+      - echo "custom job"
+  ```
+
+Learn more on overriding security jobs:
+
+- [Overriding SAST jobs](sast/index.md#overriding-sast-jobs).
+- [Overriding Dependency Scanning jobs](dependency_scanning/index.md#overriding-dependency-scanning-jobs).
+- [Overriding Container Scanning jobs](container_scanning/index.md#overriding-the-container-scanning-template).
+- [Overriding Secret Detection jobs](secret_detection/index.md#customizing-settings).
+- [Overriding DAST jobs](dast/index.md#customize-dast-settings).
+- [Overriding License Compliance jobs](../compliance/license_compliance/index.md#overriding-the-template).
+
+All the security scanning tools define their stage, so this error can occur with all of them.
+
 ## Security report validation
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/321918) in GitLab 13.11.
@@ -379,51 +476,6 @@ Select **new pipeline** to run a new pipeline.
 
 ![Run a new pipeline](img/outdated_report_pipeline_v12_9.png)
 
-### Getting error message `sast job: stage parameter should be [some stage name here]`
-
-When [including](../../ci/yaml/index.md#includetemplate) a `.gitlab-ci.yml` template
-like [`SAST.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml),
-the following error may occur, depending on your GitLab CI/CD configuration:
-
-```plaintext
-Found errors in your .gitlab-ci.yml:
-
-* sast job: stage parameter should be unit-tests
-```
-
-This error appears when the included job's stage (named `test`) isn't declared in `.gitlab-ci.yml`.
-
-To fix this issue, you can either:
-
-- Add a `test` stage in your `.gitlab-ci.yml`.
-- Override the default stage of each security job. For example, to use a pre-defined stage name `unit-tests`:
-
-  ```yaml
-  include:
-    - template: Security/Dependency-Scanning.gitlab-ci.yml
-    - template: Security/License-Scanning.gitlab-ci.yml
-    - template: Security/SAST.gitlab-ci.yml
-    - template: Security/Secret-Detection.gitlab-ci.yml
-
-  stages:
-    - unit-tests
-
-  dependency_scanning:
-    stage: unit-tests
-
-  license_scanning:
-    stage: unit-tests
-
-  sast:
-    stage: unit-tests
-
-  .secret-analyzer:
-    stage: unit-tests
-  ```
-
-[Learn more on overriding SAST jobs](sast/index.md#overriding-sast-jobs).
-All the security scanning tools define their stage, so this error can occur with all of them.
-
 ### Getting warning messages `… report.json: no matching files`
 
 This message is often followed by the [error `No files to upload`](../../ci/pipelines/job_artifacts.md#error-message-no-files-to-upload),
diff --git a/lib/gitlab/database/shared_model.rb b/lib/gitlab/database/shared_model.rb
index f304c32d731..f31dbc01907 100644
--- a/lib/gitlab/database/shared_model.rb
+++ b/lib/gitlab/database/shared_model.rb
@@ -8,13 +8,17 @@ module Gitlab
 
       class << self
         def using_connection(connection)
-          raise 'cannot nest connection overrides for shared models' unless overriding_connection.nil?
+          previous_connection = self.overriding_connection
+
+          unless previous_connection.nil? || previous_connection.equal?(connection)
+            raise 'cannot nest connection overrides for shared models with different connections'
+          end
 
           self.overriding_connection = connection
 
           yield
         ensure
-          self.overriding_connection = nil
+          self.overriding_connection = nil unless previous_connection.equal?(self.overriding_connection)
         end
 
         def connection
diff --git a/qa/qa/specs/features/browser_ui/5_package/container_registry/container_registry_omnibus_spec.rb b/qa/qa/specs/features/browser_ui/5_package/container_registry/container_registry_omnibus_spec.rb
index 125867bc694..ffc76204731 100644
--- a/qa/qa/specs/features/browser_ui/5_package/container_registry/container_registry_omnibus_spec.rb
+++ b/qa/qa/specs/features/browser_ui/5_package/container_registry/container_registry_omnibus_spec.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Package', :orchestrated do
+  RSpec.describe 'Package', :orchestrated, only: { pipeline: :main } do
     describe 'Self-managed Container Registry' do
       let(:project) do
         Resource::Project.fabricate_via_api! do |project|
diff --git a/qa/qa/specs/features/browser_ui/5_package/dependency_proxy/dependency_proxy_spec.rb b/qa/qa/specs/features/browser_ui/5_package/dependency_proxy/dependency_proxy_spec.rb
index 41e5a99657c..b941d5434df 100644
--- a/qa/qa/specs/features/browser_ui/5_package/dependency_proxy/dependency_proxy_spec.rb
+++ b/qa/qa/specs/features/browser_ui/5_package/dependency_proxy/dependency_proxy_spec.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module QA
-  RSpec.describe 'Package', :orchestrated, :registry do
+  RSpec.describe 'Package', :orchestrated, :registry, only: { pipeline: :main } do
     describe 'Dependency Proxy' do
       let(:project) do
         Resource::Project.fabricate_via_api! do |project|
diff --git a/spec/lib/gitlab/database/shared_model_spec.rb b/spec/lib/gitlab/database/shared_model_spec.rb
index 5d616aeb05f..94f2b5a3434 100644
--- a/spec/lib/gitlab/database/shared_model_spec.rb
+++ b/spec/lib/gitlab/database/shared_model_spec.rb
@@ -27,6 +27,38 @@ RSpec.describe Gitlab::Database::SharedModel do
       end
     end
 
+    context 'when multiple connection overrides are nested', :aggregate_failures do
+      let(:second_connection) { double('connection') }
+
+      it 'allows the nesting with the same connection object' do
+        expect_original_connection_around do
+          described_class.using_connection(new_connection) do
+            expect(described_class.connection).to be(new_connection)
+
+            described_class.using_connection(new_connection) do
+              expect(described_class.connection).to be(new_connection)
+            end
+
+            expect(described_class.connection).to be(new_connection)
+          end
+        end
+      end
+
+      it 'raises an error if the connection is changed' do
+        expect_original_connection_around do
+          described_class.using_connection(new_connection) do
+            expect(described_class.connection).to be(new_connection)
+
+            expect do
+              described_class.using_connection(second_connection) {}
+            end.to raise_error(/cannot nest connection overrides/)
+
+            expect(described_class.connection).to be(new_connection)
+          end
+        end
+      end
+    end
+
     context 'when the block raises an error', :aggregate_failures do
       it 're-raises the error, removing the overridden connection' do
         expect_original_connection_around do