Add latest changes from gitlab-org/gitlab@master

23 files changed, 197 insertions, 97 deletions

diff --git a/app/assets/javascripts/mirrors/ssh_mirror.js b/app/assets/javascripts/mirrors/ssh_mirror.js
index e375435436e..eb7c43034a4 100644
--- a/app/assets/javascripts/mirrors/ssh_mirror.js
+++ b/app/assets/javascripts/mirrors/ssh_mirror.js
@@ -163,7 +163,7 @@ export default class SSHMirror {
     const $fingerprintsList = this.$hostKeysInformation.find('.js-fingerprints-list');
     let fingerprints = '';
     sshHostKeys.fingerprints.forEach((fingerprint) => {
-      const escFingerprints = escape(fingerprint.fingerprint);
+      const escFingerprints = escape(fingerprint.fingerprint_sha256 || fingerprint.fingerprint);
       fingerprints += `<code>${escFingerprints}</code>`;
     });
 
diff --git a/app/controllers/jira_connect/oauth_application_ids_controller.rb b/app/controllers/jira_connect/oauth_application_ids_controller.rb
index 05c23210da2..a84b47f4c8b 100644
--- a/app/controllers/jira_connect/oauth_application_ids_controller.rb
+++ b/app/controllers/jira_connect/oauth_application_ids_controller.rb
@@ -5,9 +5,10 @@ module JiraConnect
     feature_category :integrations
 
     skip_before_action :authenticate_user!
+    skip_before_action :verify_authenticity_token
 
     def show
-      if Feature.enabled?(:jira_connect_oauth_self_managed) && jira_connect_application_key.present?
+      if show_application_id?
         render json: { application_id: jira_connect_application_key }
       else
         head :not_found
@@ -16,6 +17,12 @@ module JiraConnect
 
     private
 
+    def show_application_id?
+      return if Gitlab.com?
+
+      Feature.enabled?(:jira_connect_oauth_self_managed) && jira_connect_application_key.present?
+    end
+
     def jira_connect_application_key
       Gitlab::CurrentSettings.jira_connect_application_key.presence
     end
diff --git a/app/controllers/jira_connect/subscriptions_controller.rb b/app/controllers/jira_connect/subscriptions_controller.rb
index 2ba9f8264e1..623113f8413 100644
--- a/app/controllers/jira_connect/subscriptions_controller.rb
+++ b/app/controllers/jira_connect/subscriptions_controller.rb
@@ -25,6 +25,7 @@ class JiraConnect::SubscriptionsController < JiraConnect::ApplicationController
 
   before_action :allow_rendering_in_iframe, only: :index
   before_action :verify_qsh_claim!, only: :index
+  before_action :allow_self_managed_content_security_policy, only: :index
   before_action :authenticate_user!, only: :create
 
   def index
@@ -62,6 +63,13 @@ class JiraConnect::SubscriptionsController < JiraConnect::ApplicationController
 
   private
 
+  def allow_self_managed_content_security_policy
+    return unless current_jira_installation.instance_url?
+
+    request.content_security_policy.directives['connect-src'] ||= []
+    request.content_security_policy.directives['connect-src'] << Gitlab::Utils.append_path(current_jira_installation.instance_url, '/-/jira_connect/oauth_application_ids')
+  end
+
   def create_service
     JiraConnectSubscriptions::CreateService.new(current_jira_installation, current_user, namespace_path: params['namespace_path'], jira_user: jira_user)
   end
diff --git a/app/helpers/namespace_storage_limit_alert_helper.rb b/app/helpers/namespace_storage_limit_alert_helper.rb
deleted file mode 100644
index ed11f89a7dd..00000000000
--- a/app/helpers/namespace_storage_limit_alert_helper.rb
+++ /dev/null
@@ -1,9 +0,0 @@
-# frozen_string_literal: true
-
-module NamespaceStorageLimitAlertHelper
-  # Overridden in EE
-  def display_namespace_storage_limit_alert!
-  end
-end
-
-NamespaceStorageLimitAlertHelper.prepend_mod_with('NamespaceStorageLimitAlertHelper')
diff --git a/app/helpers/todos_helper.rb b/app/helpers/todos_helper.rb
index c4cfd3b2287..f87125af07d 100644
--- a/app/helpers/todos_helper.rb
+++ b/app/helpers/todos_helper.rb
@@ -87,7 +87,8 @@ module TodosHelper
     elsif todo.for_alert?
       details_project_alert_management_path(todo.project, todo.target)
     elsif todo.for_issue_or_work_item?
-      Gitlab::UrlBuilder.build(todo.target, only_path: true)
+      path_options[:only_path] = true
+      Gitlab::UrlBuilder.build(todo.target, **path_options)
     else
       path = [todo.resource_parent, todo.target]
 
diff --git a/app/models/group.rb b/app/models/group.rb
index f5aad6e74ff..5919b1e71bf 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -361,8 +361,8 @@ class Group < Namespace
     owners.include?(user)
   end
 
-  def add_users(users, access_level, current_user: nil, expires_at: nil, tasks_to_be_done: [], tasks_project_id: nil)
-    Members::Groups::CreatorService.add_users( # rubocop:disable CodeReuse/ServiceClass
+  def add_members(users, access_level, current_user: nil, expires_at: nil, tasks_to_be_done: [], tasks_project_id: nil)
+    Members::Groups::CreatorService.add_members( # rubocop:disable CodeReuse/ServiceClass
       self,
       users,
       access_level,
@@ -373,8 +373,8 @@ class Group < Namespace
     )
   end
 
-  def add_user(user, access_level, current_user: nil, expires_at: nil, ldap: false, blocking_refresh: true)
-    Members::Groups::CreatorService.add_user( # rubocop:disable CodeReuse/ServiceClass
+  def add_member(user, access_level, current_user: nil, expires_at: nil, ldap: false, blocking_refresh: true)
+    Members::Groups::CreatorService.add_member( # rubocop:disable CodeReuse/ServiceClass
       self,
       user,
       access_level,
@@ -386,23 +386,23 @@ class Group < Namespace
   end
 
   def add_guest(user, current_user = nil)
-    add_user(user, :guest, current_user: current_user)
+    add_member(user, :guest, current_user: current_user)
   end
 
   def add_reporter(user, current_user = nil)
-    add_user(user, :reporter, current_user: current_user)
+    add_member(user, :reporter, current_user: current_user)
   end
 
   def add_developer(user, current_user = nil)
-    add_user(user, :developer, current_user: current_user)
+    add_member(user, :developer, current_user: current_user)
   end
 
   def add_maintainer(user, current_user = nil)
-    add_user(user, :maintainer, current_user: current_user)
+    add_member(user, :maintainer, current_user: current_user)
   end
 
   def add_owner(user, current_user = nil)
-    add_user(user, :owner, current_user: current_user)
+    add_member(user, :owner, current_user: current_user)
   end
 
   def member?(user, min_access_level = Gitlab::Access::GUEST)
diff --git a/app/models/members/project_member.rb b/app/models/members/project_member.rb
index 791cb6f0dff..d1c7d7c9097 100644
--- a/app/models/members/project_member.rb
+++ b/app/models/members/project_member.rb
@@ -21,30 +21,30 @@ class ProjectMember < Member
   end
 
   class << self
-    # Add users to projects with passed access option
+    # Add members to projects with passed access option
     #
     # access can be an integer representing a access code
     # or symbol like :maintainer representing role
     #
     # Ex.
-    #   add_users_to_projects(
+    #   add_members_to_projects(
     #     project_ids,
     #     user_ids,
     #     ProjectMember::MAINTAINER
     #   )
     #
-    #   add_users_to_projects(
+    #   add_members_to_projects(
     #     project_ids,
     #     user_ids,
     #     :maintainer
     #   )
     #
-    def add_users_to_projects(project_ids, users, access_level, current_user: nil, expires_at: nil)
+    def add_members_to_projects(project_ids, users, access_level, current_user: nil, expires_at: nil)
       self.transaction do
         project_ids.each do |project_id|
           project = Project.find(project_id)
 
-          Members::Projects::CreatorService.add_users( # rubocop:disable CodeReuse/ServiceClass
+          Members::Projects::CreatorService.add_members( # rubocop:disable CodeReuse/ServiceClass
             project,
             users,
             access_level,
diff --git a/app/models/merge_request_diff.rb b/app/models/merge_request_diff.rb
index 87afb7a489a..e08b2cc2a7d 100644
--- a/app/models/merge_request_diff.rb
+++ b/app/models/merge_request_diff.rb
@@ -21,6 +21,10 @@ class MergeRequestDiff < ApplicationRecord
   # from the database if this sentinel is seen
   FILES_COUNT_SENTINEL = 2**15 - 1
 
+  # External diff cache key used by diffs export
+  EXTERNAL_DIFFS_CACHE_TMPDIR = 'project-%{project_id}-external-mr-%{mr_id}-diff-%{id}-cache'
+  EXTERNAL_DIFF_CACHE_CHUNK_SIZE = 8.megabytes
+
   belongs_to :merge_request
 
   manual_inverse_association :merge_request, :merge_request_diff
@@ -545,6 +549,28 @@ class MergeRequestDiff < ApplicationRecord
     merge_request_diff_files.reset
   end
 
+  # Yields locally cached external diff if it's externally stored.
+  # Used during Project Export to speed up externally
+  # stored merge request diffs export
+  def cached_external_diff
+    return yield(nil) unless stored_externally?
+
+    cache_external_diff unless File.exist?(external_diff_cache_filepath)
+
+    File.open(external_diff_cache_filepath) do |file|
+      yield(file)
+    end
+  end
+
+  def remove_cached_external_diff
+    Gitlab::Utils.check_path_traversal!(external_diff_cache_dir)
+    Gitlab::Utils.check_allowed_absolute_path!(external_diff_cache_dir, [Dir.tmpdir])
+
+    return unless Dir.exist?(external_diff_cache_dir)
+
+    FileUtils.rm_rf(external_diff_cache_dir)
+  end
+
   private
 
   def convert_external_diffs_to_database
@@ -791,6 +817,31 @@ class MergeRequestDiff < ApplicationRecord
   def sort_diffs(diffs)
     Gitlab::Diff::FileCollectionSorter.new(diffs).sort
   end
+
+  # Downloads external diff to a temp storage location.
+  def cache_external_diff
+    return unless stored_externally?
+    return if File.exist?(external_diff_cache_filepath)
+
+    Dir.mkdir(external_diff_cache_dir) unless Dir.exist?(external_diff_cache_dir)
+
+    opening_external_diff do |external_diff|
+      File.open(external_diff_cache_filepath, 'wb') do |file|
+        file.write(external_diff.read(EXTERNAL_DIFF_CACHE_CHUNK_SIZE)) until external_diff.eof?
+      end
+    end
+  end
+
+  def external_diff_cache_filepath
+    File.join(external_diff_cache_dir, "diff-#{id}")
+  end
+
+  def external_diff_cache_dir
+    File.join(
+      Dir.tmpdir,
+      EXTERNAL_DIFFS_CACHE_TMPDIR % { project_id: project.id, mr_id: merge_request_id, id: id }
+    )
+  end
 end
 
 MergeRequestDiff.prepend_mod_with('MergeRequestDiff')
diff --git a/app/models/merge_request_diff_file.rb b/app/models/merge_request_diff_file.rb
index f7648937c1d..a5c392f6a36 100644
--- a/app/models/merge_request_diff_file.rb
+++ b/app/models/merge_request_diff_file.rb
@@ -45,4 +45,38 @@ class MergeRequestDiffFile < ApplicationRecord
       content
     end
   end
+
+  # This method is meant to be used during Project Export.
+  # It is identical to the behaviour in #diff & #utf8_diff with the only
+  # difference of caching externally stored diffs on local disk in
+  # temp storage location in order to improve diff export performance.
+  def diff_export
+    return utf8_diff unless Feature.enabled?(:externally_stored_diffs_caching_export)
+    return utf8_diff unless merge_request_diff&.stored_externally?
+
+    content = merge_request_diff.cached_external_diff do |file|
+      file.seek(external_diff_offset)
+
+      force_encode_utf8(file.read(external_diff_size))
+    end
+
+    # See #diff
+    if binary?
+      content = begin
+        content.unpack1('m0')
+      rescue ArgumentError
+        content
+      end
+    end
+
+    if content.respond_to?(:encoding)
+      content = encode_utf8(content)
+    end
+
+    return '' if content.blank?
+
+    content
+  rescue StandardError
+    utf8_diff
+  end
 end
diff --git a/app/models/project.rb b/app/models/project.rb
index 6a265dd1a37..f5a69494237 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -460,7 +460,7 @@ class Project < ApplicationRecord
   delegate :previous_default_branch, :previous_default_branch=, to: :project_setting
   delegate :name, to: :owner, allow_nil: true, prefix: true
   delegate :members, to: :team, prefix: true
-  delegate :add_user, :add_users, to: :team
+  delegate :add_member, :add_members, to: :team
   delegate :add_guest, :add_reporter, :add_developer, :add_maintainer, :add_owner, :add_role, to: :team
   delegate :group_runners_enabled, :group_runners_enabled=, to: :ci_cd_settings, allow_nil: true
   delegate :root_ancestor, to: :namespace, allow_nil: true
diff --git a/app/models/project_team.rb b/app/models/project_team.rb
index 97ab5aa2619..5641fbfb867 100644
--- a/app/models/project_team.rb
+++ b/app/models/project_team.rb
@@ -8,23 +8,23 @@ class ProjectTeam
   end
 
   def add_guest(user, current_user: nil)
-    add_user(user, :guest, current_user: current_user)
+    add_member(user, :guest, current_user: current_user)
   end
 
   def add_reporter(user, current_user: nil)
-    add_user(user, :reporter, current_user: current_user)
+    add_member(user, :reporter, current_user: current_user)
   end
 
   def add_developer(user, current_user: nil)
-    add_user(user, :developer, current_user: current_user)
+    add_member(user, :developer, current_user: current_user)
   end
 
   def add_maintainer(user, current_user: nil)
-    add_user(user, :maintainer, current_user: current_user)
+    add_member(user, :maintainer, current_user: current_user)
   end
 
   def add_owner(user, current_user: nil)
-    add_user(user, :owner, current_user: current_user)
+    add_member(user, :owner, current_user: current_user)
   end
 
   def add_role(user, role, current_user: nil)
@@ -43,8 +43,8 @@ class ProjectTeam
     member
   end
 
-  def add_users(users, access_level, current_user: nil, expires_at: nil, tasks_to_be_done: [], tasks_project_id: nil)
-    Members::Projects::CreatorService.add_users( # rubocop:disable CodeReuse/ServiceClass
+  def add_members(users, access_level, current_user: nil, expires_at: nil, tasks_to_be_done: [], tasks_project_id: nil)
+    Members::Projects::CreatorService.add_members( # rubocop:disable CodeReuse/ServiceClass
       project,
       users,
       access_level,
@@ -55,8 +55,8 @@ class ProjectTeam
     )
   end
 
-  def add_user(user, access_level, current_user: nil, expires_at: nil)
-    Members::Projects::CreatorService.add_user( # rubocop:disable CodeReuse/ServiceClass
+  def add_member(user, access_level, current_user: nil, expires_at: nil)
+    Members::Projects::CreatorService.add_member( # rubocop:disable CodeReuse/ServiceClass
       project,
       user,
       access_level,
diff --git a/app/models/ssh_host_key.rb b/app/models/ssh_host_key.rb
index ac7ba9530dd..daa64f4e087 100644
--- a/app/models/ssh_host_key.rb
+++ b/app/models/ssh_host_key.rb
@@ -12,7 +12,15 @@ class SshHostKey
     end
 
     def as_json(*)
-      { bits: bits, fingerprint: fingerprint, type: type, index: index }
+      { bits: bits, type: type, index: index }.merge(fingerprint_data)
+    end
+
+    private
+
+    def fingerprint_data
+      data = { fingerprint_sha256: fingerprint_sha256 }
+      data[:fingerprint] = fingerprint unless Gitlab::FIPS.enabled?
+      data
     end
   end
 
diff --git a/app/services/issues/related_branches_service.rb b/app/services/issues/related_branches_service.rb
index 5991caffad1..e2cad85ac6a 100644
--- a/app/services/issues/related_branches_service.rb
+++ b/app/services/issues/related_branches_service.rb
@@ -38,7 +38,7 @@ module Issues
     def branches_with_iid_of(issue)
       branch_name_regex = /\A#{issue.iid}-(?!\d+-stable)/i
 
-      project.repository.search_branch_names("#{issue.iid}-*").select do |branch|
+      project.repository.branch_names.select do |branch|
         branch.match?(branch_name_regex)
       end
     end
diff --git a/app/services/members/create_service.rb b/app/services/members/create_service.rb
index 57d9da4cefd..38bebc1d09d 100644
--- a/app/services/members/create_service.rb
+++ b/app/services/members/create_service.rb
@@ -84,7 +84,7 @@ module Members
     end
 
     def add_members
-      @members = source.add_users(
+      @members = source.add_members(
         invites,
         params[:access_level],
         expires_at: params[:expires_at],
diff --git a/app/services/members/creator_service.rb b/app/services/members/creator_service.rb
index 276093a00a9..217004e634d 100644
--- a/app/services/members/creator_service.rb
+++ b/app/services/members/creator_service.rb
@@ -13,9 +13,9 @@ module Members
         Gitlab::Access.sym_options_with_owner
       end
 
-      def add_users( # rubocop:disable Metrics/ParameterLists
+      def add_members( # rubocop:disable Metrics/ParameterLists
         source,
-        users,
+        invitees,
         access_level,
         current_user: nil,
         expires_at: nil,
@@ -24,17 +24,17 @@ module Members
         ldap: nil,
         blocking_refresh: nil
       )
-        return [] unless users.present?
+        return [] unless invitees.present?
 
         # If this user is attempting to manage Owner members and doesn't have permission, do not allow
         return [] if managing_owners?(current_user, access_level) && cannot_manage_owners?(source, current_user)
 
-        emails, users, existing_members = parse_users_list(source, users)
+        emails, users, existing_members = parse_users_list(source, invitees)
 
         Member.transaction do
-          (emails + users).map! do |user|
+          (emails + users).map! do |invitee|
             new(source,
-                user,
+                invitee,
                 access_level,
                 existing_members: existing_members,
                 current_user: current_user,
@@ -48,17 +48,17 @@ module Members
         end
       end
 
-      def add_user( # rubocop:disable Metrics/ParameterLists
+      def add_member( # rubocop:disable Metrics/ParameterLists
         source,
-        user,
+        invitee,
         access_level,
         current_user: nil,
         expires_at: nil,
         ldap: nil,
         blocking_refresh: nil
       )
-        add_users(source,
-                  [user],
+        add_members(source,
+                  [invitee],
                   access_level,
                   current_user: current_user,
                   expires_at: expires_at,
@@ -113,9 +113,9 @@ module Members
       end
     end
 
-    def initialize(source, user, access_level, **args)
+    def initialize(source, invitee, access_level, **args)
       @source = source
-      @user = user
+      @invitee = invitee
       @access_level = self.class.parsed_access_level(access_level)
       @args = args
     end
@@ -133,7 +133,7 @@ module Members
     private
 
     delegate :new_record?, to: :member
-    attr_reader :source, :user, :access_level, :member, :args
+    attr_reader :source, :invitee, :access_level, :member, :args
 
     def assign_member_attributes
       member.attributes = member_attributes
@@ -170,7 +170,7 @@ module Members
     # Populates the attributes of a member.
     #
     # This logic resides in a separate method so that EE can extend this logic,
-    # without having to patch the `add_user` method directly.
+    # without having to patch the `add_members` method directly.
     def member_attributes
       {
         created_by: member.created_by || current_user,
@@ -241,12 +241,10 @@ module Members
     end
 
     def find_or_build_member
-      @user = parse_user_param
-
-      @member = if user.is_a?(User)
+      @member = if invitee.is_a?(User)
                   find_or_initialize_member_by_user
                 else
-                  source.members.build(invite_email: user)
+                  find_or_initialize_member_with_email
                 end
 
       @member.blocking_refresh = args[:blocking_refresh]
@@ -254,24 +252,23 @@ module Members
 
     # This method is used to find users that have been entered into the "Add members" field.
     # These can be the User objects directly, their IDs, their emails, or new emails to be invited.
-    def parse_user_param
-      case user
-      when User
-        user
-      when Integer
-        # might not return anything - this needs enhancement
-        User.find_by(id: user) # rubocop:todo CodeReuse/ActiveRecord
+    def find_or_initialize_member_with_email
+      if user_by_email
+        find_or_initialize_member_by_user(user_id: user_by_email.id)
       else
-        # must be an email or at least we'll consider it one
-        source.users_by_emails([user])[user] || user
+        source.members.build(invite_email: invitee)
       end
     end
 
-    def find_or_initialize_member_by_user
+    def user_by_email
+      source.users_by_emails([invitee])[invitee]
+    end
+
+    def find_or_initialize_member_by_user(user_id: invitee.id)
       # We have to use `members_and_requesters` here since the given `members` is modified in the models
       # to act more like a scope(removing the requested_at members) and therefore ActiveRecord has issues with that
       # on build and refreshing that relation.
-      existing_members[user.id] || source.members_and_requesters.build(user_id: user.id) # rubocop:disable CodeReuse/ActiveRecord
+      existing_members[user_id] || source.members_and_requesters.build(user_id: user_id) # rubocop:disable CodeReuse/ActiveRecord
     end
 
     def ldap
diff --git a/app/services/members/invite_service.rb b/app/services/members/invite_service.rb
index 1bf209ab79d..6d23a9bc2dc 100644
--- a/app/services/members/invite_service.rb
+++ b/app/services/members/invite_service.rb
@@ -31,8 +31,8 @@ module Members
 
       return if params[:email].blank?
 
-      # we need the below due to add_users hitting Members::CreatorService.parse_users_list and ignoring invalid emails
-      # ideally we wouldn't need this, but we can't really change the add_users method
+      # we need the below due to add_member hitting Members::CreatorService.parse_users_list and ignoring invalid emails
+      # ideally we wouldn't need this, but we can't really change the add_members method
       invalid_emails.each { |email| errors[email] = s_('AddMember|Invite email is invalid') }
     end
 
diff --git a/app/services/members/projects/creator_service.rb b/app/services/members/projects/creator_service.rb
index cde1d0462e8..f45132749f9 100644
--- a/app/services/members/projects/creator_service.rb
+++ b/app/services/members/projects/creator_service.rb
@@ -32,7 +32,7 @@ module Members
       end
 
       def adding_the_creator_as_owner_in_a_personal_project?
-        # this condition is reached during testing setup a lot due to use of `.add_user`
+        # this condition is reached during testing setup a lot due to use of `.add_member`
         member.project.personal_namespace_holder?(member.user)
       end
 
diff --git a/app/services/quick_actions/interpret_service.rb b/app/services/quick_actions/interpret_service.rb
index 4bcb15b2d9c..1d7c5d2c80a 100644
--- a/app/services/quick_actions/interpret_service.rb
+++ b/app/services/quick_actions/interpret_service.rb
@@ -69,28 +69,32 @@ module QuickActions
       Gitlab::QuickActions::Extractor.new(self.class.command_definitions)
     end
 
+    # Find users for commands like /assign
+    #
+    # eg. /assign me and @jane and jack
     def extract_users(params)
-      return [] if params.blank?
-
-      # We are using the a simple User.by_username query here rather than a ReferenceExtractor
-      # because the needs here are much simpler: we only deal in usernames, and
-      # want to also handle bare usernames. The ReferenceExtractor also has
-      # different behaviour, and will return all group members for groups named
-      # using a user-style reference, which is not in scope here.
-      #
-      # nb: underscores may be passed in escaped to protect them from markdown rendering
-      args        = params.split(/\s|,/).select(&:present?).uniq - ['and']
-      args.map! { _1.gsub(/\\_/, '_') }
-      usernames   = (args - ['me']).map { _1.delete_prefix('@') }
-      found       = User.by_username(usernames).to_a.select { can?(:read_user, _1) }
-      found_names = found.map(&:username).map(&:downcase).to_set
-      missing     = args.reject do |arg|
-        arg == 'me' || found_names.include?(arg.downcase.delete_prefix('@'))
-      end.map { "'#{_1}'" }
-
-      failed_parse(format(_("Failed to find users for %{missing}"), missing: missing.to_sentence)) if missing.present?
-
-      found + [current_user].select { args.include?('me') }
+      Gitlab::QuickActions::UsersExtractor
+        .new(current_user, project: project, group: group, target: quick_action_target, text: params)
+        .execute
+
+    rescue Gitlab::QuickActions::UsersExtractor::Error => err
+      extract_users_failed(err)
+    end
+
+    def extract_users_failed(err)
+      case err
+      when Gitlab::QuickActions::UsersExtractor::MissingError
+        failed_parse(format(_("Failed to find users for %{missing}"), missing: err.message))
+      when Gitlab::QuickActions::UsersExtractor::TooManyRefsError
+        failed_parse(format(_('Too many references. Quick actions are limited to at most %{max_count} user references'),
+                 max_count: err.limit))
+      when Gitlab::QuickActions::UsersExtractor::TooManyFoundError
+        failed_parse(format(_("Too many users found. Quick actions are limited to at most %{max_count} users"),
+                 max_count: err.limit))
+      else
+        Gitlab::ErrorTracking.track_and_raise_for_dev_exception(err)
+        failed_parse(_('Something went wrong'))
+      end
     end
 
     def find_milestones(project, params = {})
diff --git a/app/services/resource_access_tokens/create_service.rb b/app/services/resource_access_tokens/create_service.rb
index 316e6367aa7..eed03ba22fe 100644
--- a/app/services/resource_access_tokens/create_service.rb
+++ b/app/services/resource_access_tokens/create_service.rb
@@ -108,7 +108,7 @@ module ResourceAccessTokens
     end
 
     def create_membership(resource, user, access_level)
-      resource.add_user(user, access_level, expires_at: params[:expires_at])
+      resource.add_member(user, access_level, expires_at: params[:expires_at])
     end
 
     def log_event(token)
diff --git a/app/views/layouts/_page.html.haml b/app/views/layouts/_page.html.haml
index b7cf7b7468f..59d4c81358d 100644
--- a/app/views/layouts/_page.html.haml
+++ b/app/views/layouts/_page.html.haml
@@ -17,7 +17,6 @@
       = dispensable_render "shared/service_ping_consent"
       = dispensable_render_if_exists "layouts/header/ee_subscribable_banner"
       = dispensable_render_if_exists "layouts/header/seat_count_alert"
-      = dispensable_render_if_exists "shared/namespace_storage_limit_alert"
       = dispensable_render_if_exists "shared/namespace_user_cap_reached_alert"
       = dispensable_render_if_exists "shared/new_user_signups_cap_reached_alert"
       = yield :page_level_alert
diff --git a/app/views/layouts/group.html.haml b/app/views/layouts/group.html.haml
index 940724e0e4a..1c2ab8cf008 100644
--- a/app/views/layouts/group.html.haml
+++ b/app/views/layouts/group.html.haml
@@ -3,11 +3,11 @@
 - header_title     group_title(@group)     unless header_title
 - nav "group"
 - display_subscription_banner!
-- display_namespace_storage_limit_alert!
 - @left_sidebar = true
 
 - content_for :flash_message do
   = render "layouts/header/storage_enforcement_banner", namespace: @group
+  = dispensable_render_if_exists "shared/namespace_storage_limit_alert"
 
 - content_for :page_specific_javascripts do
   - if current_user
diff --git a/app/views/layouts/project.html.haml b/app/views/layouts/project.html.haml
index 7e69cf1d685..86b4c4eabe3 100644
--- a/app/views/layouts/project.html.haml
+++ b/app/views/layouts/project.html.haml
@@ -4,12 +4,12 @@
 - nav              "project"
 - page_itemtype    'http://schema.org/SoftwareSourceCode'
 - display_subscription_banner!
-- display_namespace_storage_limit_alert!
 - @left_sidebar = true
 - @content_class = [@content_class, project_classes(@project)].compact.join(" ")
 
 - content_for :flash_message do
   = render "layouts/header/storage_enforcement_banner", namespace: @project.namespace
+  = dispensable_render_if_exists "shared/namespace_storage_limit_alert"
 
 - content_for :project_javascripts do
   - project = @target_project || @project
diff --git a/app/views/projects/mirrors/_ssh_host_keys.html.haml b/app/views/projects/mirrors/_ssh_host_keys.html.haml
index e3fe098c807..d367f383e5a 100644
--- a/app/views/projects/mirrors/_ssh_host_keys.html.haml
+++ b/app/views/projects/mirrors/_ssh_host_keys.html.haml
@@ -11,7 +11,7 @@
       = _('Fingerprints')
     .fingerprints-list.js-fingerprints-list{ data: { qa_selector: 'fingerprints_list' } }
       - mirror.ssh_known_hosts_fingerprints.each do |fp|
-        %code= fp.fingerprint
+        %code= fp.fingerprint_sha256 || fp.fingerprint
     - if verified_at
       .form-text.text-muted.js-fingerprint-verification
         = sprite_icon('check', css_class: 'gl-text-green-500')