Add latest changes from gitlab-org/gitlab@16-1-stable-eev16.1.0-rc42

9 files changed, 84 insertions, 92 deletions

diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb
index 61585de4ff7..bb1bfe8c889 100644
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -48,6 +48,7 @@ module Ci
     # Details: https://gitlab.com/gitlab-org/gitlab/-/issues/24644#note_689472685
     has_many :job_artifacts, class_name: 'Ci::JobArtifact', foreign_key: :job_id, dependent: :destroy, inverse_of: :job # rubocop:disable Cop/ActiveRecordDependent
     has_many :job_variables, class_name: 'Ci::JobVariable', foreign_key: :job_id, inverse_of: :job
+    has_many :job_annotations, class_name: 'Ci::JobAnnotation', foreign_key: :job_id, inverse_of: :job
     has_many :sourced_pipelines, class_name: 'Ci::Sources::Pipeline', foreign_key: :source_job_id, inverse_of: :build
 
     has_many :pages_deployments, foreign_key: :ci_build_id, inverse_of: :ci_build
@@ -259,10 +260,6 @@ module Ci
         !build.any_unmet_prerequisites? # If false is returned, it stops the transition
       end
 
-      before_transition on: :enqueue do |build|
-        !build.waiting_for_deployment_approval? # If false is returned, it stops the transition
-      end
-
       before_transition any => [:pending] do |build|
         build.ensure_token
         true
@@ -428,11 +425,7 @@ module Ci
     end
 
     def playable?
-      action? && !archived? && (manual? || scheduled? || retryable?) && !waiting_for_deployment_approval?
-    end
-
-    def waiting_for_deployment_approval?
-      manual? && deployment_job? && deployment&.blocked?
+      action? && !archived? && (manual? || scheduled? || retryable?)
     end
 
     def outdated_deployment?
@@ -598,14 +591,6 @@ module Ci
           .append(key: 'CI_JOB_URL', value: Gitlab::Routing.url_helpers.project_job_url(project, self))
           .append(key: 'CI_JOB_TOKEN', value: token.to_s, public: false, masked: true)
           .append(key: 'CI_JOB_STARTED_AT', value: started_at&.iso8601)
-
-        if Feature.disabled?(:ci_remove_legacy_predefined_variables, project)
-          variables
-            .append(key: 'CI_BUILD_ID', value: id.to_s)
-            .append(key: 'CI_BUILD_TOKEN', value: token.to_s, public: false, masked: true)
-        end
-
-        variables
           .append(key: 'CI_REGISTRY_USER', value: ::Gitlab::Auth::CI_JOB_USER)
           .append(key: 'CI_REGISTRY_PASSWORD', value: token.to_s, public: false, masked: true)
           .append(key: 'CI_REPOSITORY_URL', value: repo_url.to_s, public: false)
@@ -658,9 +643,8 @@ module Ci
 
     def apple_app_store_variables
       return [] unless apple_app_store_integration.try(:activated?)
-      return [] unless pipeline.protected_ref?
 
-      Gitlab::Ci::Variables::Collection.new(apple_app_store_integration.ci_variables)
+      Gitlab::Ci::Variables::Collection.new(apple_app_store_integration.ci_variables(protected_ref: pipeline.protected_ref?))
     end
 
     def google_play_variables
@@ -1274,7 +1258,7 @@ module Ci
     def id_tokens_variables
       Gitlab::Ci::Variables::Collection.new.tap do |variables|
         id_tokens.each do |var_name, token_data|
-          token = Gitlab::Ci::JwtV2.for_build(self, aud: token_data['aud'])
+          token = Gitlab::Ci::JwtV2.for_build(self, aud: expanded_id_token_aud(token_data['aud']))
 
           variables.append(key: var_name, value: token, public: false, masked: true)
         end
@@ -1283,6 +1267,19 @@ module Ci
       end
     end
 
+    def expanded_id_token_aud(aud)
+      return unless aud
+
+      strong_memoize_with(:expanded_id_token_aud, aud) do
+        # `aud` can be a string or an array of strings.
+        if aud.is_a?(Array)
+          aud.map { |x| ExpandVariables.expand(x, -> { scoped_variables.sort_and_expand_all }) }
+        else
+          ExpandVariables.expand(aud, -> { scoped_variables.sort_and_expand_all })
+        end
+      end
+    end
+
     def cache_for_online_runners(&block)
       Rails.cache.fetch(
         ['has-online-runners', id],
diff --git a/app/models/ci/catalog/listing.rb b/app/models/ci/catalog/listing.rb
index b9e777f27a0..1cb030c67c3 100644
--- a/app/models/ci/catalog/listing.rb
+++ b/app/models/ci/catalog/listing.rb
@@ -14,16 +14,25 @@ module Ci
         @current_user = current_user
       end
 
-      def resources
-        Ci::Catalog::Resource
-          .joins(:project).includes(:project)
-          .merge(projects_in_namespace_visible_to_user)
+      def resources(sort: nil)
+        case sort.to_s
+        when 'name_desc' then all_resources.order_by_name_desc
+        when 'name_asc' then all_resources.order_by_name_asc
+        else
+          all_resources.order_by_created_at_desc
+        end
       end
 
       private
 
       attr_reader :namespace, :current_user
 
+      def all_resources
+        Ci::Catalog::Resource
+          .joins(:project).includes(:project)
+          .merge(projects_in_namespace_visible_to_user)
+      end
+
       def projects_in_namespace_visible_to_user
         Project
           .in_namespace(namespace.self_and_descendant_ids)
diff --git a/app/models/ci/catalog/resource.rb b/app/models/ci/catalog/resource.rb
index bb4584aacae..77cfe91ddd6 100644
--- a/app/models/ci/catalog/resource.rb
+++ b/app/models/ci/catalog/resource.rb
@@ -13,16 +13,21 @@ module Ci
       belongs_to :project
 
       scope :for_projects, ->(project_ids) { where(project_id: project_ids) }
+      scope :order_by_created_at_desc, -> { reorder(created_at: :desc) }
+      scope :order_by_name_desc, -> { joins(:project).merge(Project.sorted_by_name_desc) }
+      scope :order_by_name_asc, -> { joins(:project).merge(Project.sorted_by_name_asc) }
 
-      delegate :avatar_path, :description, :name, to: :project
+      delegate :avatar_path, :description, :name, :star_count, :forks_count, to: :project
 
       def versions
         project.releases.order_released_desc
       end
 
       def latest_version
-        versions.first
+        project.releases.latest
       end
     end
   end
 end
+
+Ci::Catalog::Resource.prepend_mod_with('Ci::Catalog::Resource')
diff --git a/app/models/ci/group_variable.rb b/app/models/ci/group_variable.rb
index f04f0d27e51..5522a01758f 100644
--- a/app/models/ci/group_variable.rb
+++ b/app/models/ci/group_variable.rb
@@ -23,6 +23,19 @@ module Ci
     scope :by_environment_scope, -> (environment_scope) { where(environment_scope: environment_scope) }
     scope :for_groups, ->(group_ids) { where(group_id: group_ids) }
 
+    scope :for_environment_scope_like, -> (query) do
+      top_level = 'LOWER(ci_group_variables.environment_scope) LIKE LOWER(?) || \'%\''
+      search_like = "%#{sanitize_sql_like(query)}%"
+
+      where(top_level, search_like)
+    end
+
+    scope :environment_scope_names, -> do
+      group(:environment_scope)
+      .order(:environment_scope)
+      .pluck(:environment_scope)
+    end
+
     self.limit_name = 'group_ci_variables'
     self.limit_scope = :group
 
diff --git a/app/models/ci/job_annotation.rb b/app/models/ci/job_annotation.rb
new file mode 100644
index 00000000000..a8bef02cc42
--- /dev/null
+++ b/app/models/ci/job_annotation.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Ci
+  class JobAnnotation < Ci::ApplicationRecord
+    include Ci::Partitionable
+
+    self.table_name = :p_ci_job_annotations
+    self.primary_key = :id
+
+    belongs_to :job, class_name: 'Ci::Build', inverse_of: :job_annotations
+
+    partitionable scope: :job, partitioned: true
+
+    validates :data, json_schema: { filename: 'ci_job_annotation_data' }
+    validates :name, presence: true,
+      length: { maximum: 255 },
+      uniqueness: { scope: [:job_id, :partition_id] }
+  end
+end
diff --git a/app/models/ci/job_artifact.rb b/app/models/ci/job_artifact.rb
index 766155c6a99..5cd7988837e 100644
--- a/app/models/ci/job_artifact.rb
+++ b/app/models/ci/job_artifact.rb
@@ -372,11 +372,11 @@ module Ci
       file_stored_after_transaction_hooks
     end
 
-    # method overriden in EE
+    # method overridden in EE
     def file_stored_after_transaction_hooks
     end
 
-    # method overriden in EE
+    # method overridden in EE
     def file_stored_in_transaction_hooks
     end
 
diff --git a/app/models/ci/pipeline.rb b/app/models/ci/pipeline.rb
index babea831d85..6f2939583e0 100644
--- a/app/models/ci/pipeline.rb
+++ b/app/models/ci/pipeline.rb
@@ -366,7 +366,6 @@ module Ci
         project = pipeline&.project
 
         next unless project
-        next unless Feature.enabled?(:pipeline_trigger_merge_status, project)
 
         pipeline.run_after_commit do
           next if pipeline.child?
@@ -384,6 +383,10 @@ module Ci
     scope :ci_sources, -> { where(source: Enums::Ci::Pipeline.ci_sources.values) }
     scope :ci_branch_sources, -> { where(source: Enums::Ci::Pipeline.ci_branch_sources.values) }
     scope :ci_and_parent_sources, -> { where(source: Enums::Ci::Pipeline.ci_and_parent_sources.values) }
+    scope :ci_and_security_orchestration_sources, -> do
+      where(source: Enums::Ci::Pipeline.ci_and_security_orchestration_sources.values)
+    end
+
     scope :for_user, -> (user) { where(user: user) }
     scope :for_sha, -> (sha) { where(sha: sha) }
     scope :where_not_sha, -> (sha) { where.not(sha: sha) }
@@ -675,32 +678,6 @@ module Ci
       canceled? && auto_canceled_by_id?
     end
 
-    # Cancel a pipelines cancelable jobs and optionally it's child pipelines cancelable jobs
-    # retries - # of times to retry if errors
-    # cascade_to_children - if true cancels all related child pipelines for parent child pipelines
-    # auto_canceled_by_pipeline_id - store the pipeline_id of the pipeline that triggered cancellation
-    # execute_async - if true cancel the children asyncronously
-    def cancel_running(retries: 1, cascade_to_children: true, auto_canceled_by_pipeline_id: nil, execute_async: true)
-      Gitlab::AppJsonLogger.info(
-        event: 'pipeline_cancel_running',
-        pipeline_id: id,
-        auto_canceled_by_pipeline_id: auto_canceled_by_pipeline_id,
-        cascade_to_children: cascade_to_children,
-        execute_async: execute_async,
-        **Gitlab::ApplicationContext.current
-      )
-
-      update(auto_canceled_by_id: auto_canceled_by_pipeline_id) if auto_canceled_by_pipeline_id
-
-      cancel_jobs(cancelable_statuses, retries: retries, auto_canceled_by_pipeline_id: auto_canceled_by_pipeline_id)
-
-      if cascade_to_children
-        # cancel any bridges that could spin up new child pipelines
-        cancel_jobs(bridges_in_self_and_project_descendants.cancelable, retries: retries, auto_canceled_by_pipeline_id: auto_canceled_by_pipeline_id)
-        cancel_children(auto_canceled_by_pipeline_id: auto_canceled_by_pipeline_id, execute_async: execute_async)
-      end
-    end
-
     # rubocop: disable CodeReuse/ServiceClass
     def retry_failed(current_user)
       Ci::RetryPipelineService.new(project, current_user)
@@ -1375,42 +1352,6 @@ module Ci
 
     private
 
-    def cancel_jobs(jobs, retries: 1, auto_canceled_by_pipeline_id: nil)
-      retry_lock(jobs, retries, name: 'ci_pipeline_cancel_running') do |statuses|
-        preloaded_relations = [:project, :pipeline, :deployment, :taggings]
-
-        statuses.find_in_batches do |status_batch|
-          relation = CommitStatus.where(id: status_batch)
-          Preloaders::CommitStatusPreloader.new(relation).execute(preloaded_relations)
-
-          relation.each do |job|
-            job.auto_canceled_by_id = auto_canceled_by_pipeline_id if auto_canceled_by_pipeline_id
-            job.cancel
-          end
-        end
-      end
-    end
-
-    # For parent child-pipelines only (not multi-project)
-    def cancel_children(auto_canceled_by_pipeline_id: nil, execute_async: true)
-      all_child_pipelines.each do |child_pipeline|
-        if execute_async
-          ::Ci::CancelPipelineWorker.perform_async(
-            child_pipeline.id,
-            auto_canceled_by_pipeline_id
-          )
-        else
-          child_pipeline.cancel_running(
-            # cascade_to_children is false because we iterate through children
-            # we also cancel bridges prior to prevent more children
-            cascade_to_children: false,
-            execute_async: execute_async,
-            auto_canceled_by_pipeline_id: auto_canceled_by_pipeline_id
-          )
-        end
-      end
-    end
-
     def add_message(severity, content)
       messages.build(severity: severity, content: content)
     end
diff --git a/app/models/ci/runner.rb b/app/models/ci/runner.rb
index 7727e94875b..6319163b0d7 100644
--- a/app/models/ci/runner.rb
+++ b/app/models/ci/runner.rb
@@ -100,7 +100,10 @@ module Ci
 
     scope :with_recent_runner_queue, -> { where('contacted_at > ?', recent_queue_deadline) }
     scope :with_running_builds, -> do
-      where('EXISTS(?)', ::Ci::Build.running.select(1).where('ci_builds.runner_id = ci_runners.id'))
+      where('EXISTS(?)',
+        ::Ci::Build.running.select(1)
+          .where("#{::Ci::Build.quoted_table_name}.runner_id = #{quoted_table_name}.id")
+      )
     end
 
     # BACKWARD COMPATIBILITY: There are needed to maintain compatibility with `AVAILABLE_SCOPES` used by `lib/api/runners.rb`
diff --git a/app/models/ci/secure_file.rb b/app/models/ci/secure_file.rb
index 5e273e0fd4b..af04db0a153 100644
--- a/app/models/ci/secure_file.rb
+++ b/app/models/ci/secure_file.rb
@@ -29,6 +29,7 @@ module Ci
 
     scope :order_by_created_at, -> { order(created_at: :desc) }
     scope :project_id_in, ->(ids) { where(project_id: ids) }
+    scope :with_files_stored_locally, -> { where(file_store: Ci::SecureFileUploader::Store::LOCAL) }
 
     def checksum_algorithm
       CHECKSUM_ALGORITHM
@@ -69,6 +70,10 @@ module Ci
       end
     end
 
+    def local?
+      file_store == ObjectStorage::Store::LOCAL
+    end
+
     private
 
     def assign_checksum