Add latest changes from gitlab-org/gitlab@16-5-stable-eev16.5.0-rc42

11 files changed, 183 insertions, 1 deletions

diff --git a/data/deprecations/14-9-removal_monitor_respond_integrated_error_tracking.yml b/data/deprecations/14-9-removal_monitor_respond_integrated_error_tracking.yml
new file mode 100644
index 00000000000..93824a4e68b
--- /dev/null
+++ b/data/deprecations/14-9-removal_monitor_respond_integrated_error_tracking.yml
@@ -0,0 +1,14 @@
+- title: "Integrated error tracking disabled by default"
+  announcement_milestone: "14.9"
+  announcement_date: "2022-02-23"  # This is the date customers were notified about the change in rate limits, making integrated error tracking unusable, see https://gitlab.com/groups/gitlab-org/-/epics/7580#communication-to-rate-limit-impacted-users
+  removal_milestone: "14.9"
+  removal_date: "2022-03-10"  # The MR was merged on this date, outside of the normal release cycle, https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81767
+  breaking_change: true
+  reporter: abellucci
+  body: |
+    In GitLab 14.4, GitLab released an integrated error tracking backend that replaces Sentry. This feature caused database performance issues. In GitLab 14.9, integrated error tracking is removed from GitLab.com, and turned off by default in GitLab self-managed. While we explore the future development of this feature, please consider switching to the Sentry backend by [changing your error tracking to Sentry in your project settings](https://docs.gitlab.com/ee/operations/error_tracking.html#sentry-error-tracking).
+
+    For additional background on this removal, please reference [Disable Integrated Error Tracking by Default](https://gitlab.com/groups/gitlab-org/-/epics/7580). If you have feedback please add a comment to [Feedback: Removal of Integrated Error Tracking](https://gitlab.com/gitlab-org/gitlab/-/issues/355493).
+  stage: monitor
+  tiers: [Free, Silver, Gold, Core, Premium, Ultimate]
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353639
diff --git a/data/deprecations/15-7-remove-flowdock-integration.yml b/data/deprecations/15-7-remove-flowdock-integration.yml
new file mode 100644
index 00000000000..46f8ed6bdf9
--- /dev/null
+++ b/data/deprecations/15-7-remove-flowdock-integration.yml
@@ -0,0 +1,18 @@
+- title: "Flowdock integration"  # (required) Actionable title. e.g., The `confidential` field for a `Note` is deprecated. Use `internal` instead.
+  announcement_milestone: "15.7"  # (required) The milestone when this feature was deprecated.
+  announcement_date: "2022-12-22"  # (required) The date of the milestone release when this feature was deprecated. This should almost always be the 22nd of a month (YYYY-MM-DD), unless you did an out of band blog post.
+  removal_milestone: "15.7"  # (required) The milestone when this feature is being removed.
+  removal_date: "2022-12-22"  # (required) This should almost always be the 22nd of a month (YYYY-MM-DD), the date of the milestone release when this feature will be removed.
+  breaking_change: false  # (required) Change to true if this removal is a breaking change.
+  reporter: arturoherrero  # (required) GitLab username of the person reporting the removal
+  stage: manage  # (required) String value of the stage that the feature was created in. e.g., Growth
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/379197  # (required) Link to the deprecation issue in GitLab
+  body: |  # (required) Do not modify this line, instead modify the lines below.
+    As of December 22, 2022, we are removing the Flowdock integration because the service was shut down on August 15, 2022.
+#
+# OPTIONAL FIELDS
+#
+  tiers:  # (optional - may be required in the future) An array of tiers that the feature is available in currently.  e.g., [Free, Silver, Gold, Core, Premium, Ultimate]
+  documentation_url:  # (optional) This is a link to the current documentation page
+  image_url:  # (optional) This is a link to a thumbnail image depicting the feature
+  video_url:  # (optional) Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg
diff --git a/data/deprecations/15-8-azure-storage-driver-root-prefix.yml b/data/deprecations/15-8-azure-storage-driver-root-prefix.yml
index 16f848c0193..de88ba7aa06 100644
--- a/data/deprecations/15-8-azure-storage-driver-root-prefix.yml
+++ b/data/deprecations/15-8-azure-storage-driver-root-prefix.yml
@@ -6,7 +6,7 @@
   stage: Package  # (required) String value of the stage that the feature was created in. e.g., Growth
   issue_url: https://gitlab.com/gitlab-org/container-registry/-/issues/854  # (required) Link to the deprecation issue in GitLab
   body: |  # (required) Do not modify this line, instead modify the lines below.
-    The Azure Storage Driver writes to `//` as the default root directory. This default root directory appears in some places within the Azure UI as `/<no-name>/`. We have maintained this legacy behavior to support older deployments using this storage driver. However, when moving to Azure from another storage driver, this behavior hides all your data until you configure the storage driver to build root paths without an extra leading slash by setting `trimlegacyrootprefix: true`.
+    The container registry's Azure Storage Driver writes to `//` as the default root directory. This default root directory appears in some places within the Azure UI as `/<no-name>/`. We have maintained this legacy behavior to support older deployments using this storage driver. However, when moving to Azure from another storage driver, this behavior hides all your data until you configure the storage driver to build root paths without an extra leading slash by setting `trimlegacyrootprefix: true`.
 
     The new default configuration for the storage driver will set `trimlegacyrootprefix: true`, and `/` will be the default root directory. You can add `trimlegacyrootprefix: false` to your current configuration to avoid any disruptions.
 
diff --git a/data/deprecations/15-9-omniauth-authentiq.yml b/data/deprecations/15-9-omniauth-authentiq.yml
new file mode 100644
index 00000000000..2a2e2601704
--- /dev/null
+++ b/data/deprecations/15-9-omniauth-authentiq.yml
@@ -0,0 +1,11 @@
+- title: "`omniauth-authentiq` gem no longer available"  # (required) Clearly explain the change. For example, "The `confidential` field for a `Note` is removed" or "CI/CD job names are limited to 250 characters."
+  announcement_milestone: "15.9"  # (required) The milestone when this feature was deprecated.
+  announcement_date: "2023-02-22"  # (required) The date of the milestone release when this feature was deprecated. This should almost always be the 22nd of a month (YYYY-MM-DD), unless you did an out of band blog post.
+  removal_milestone: "15.9"  # (required) The milestone when this feature is being removed.
+  removal_date: "2023-02-22"  # (required) This should almost always be the 22nd of a month (YYYY-MM-DD), the date of the milestone release when this feature will be removed.
+  breaking_change: true  # (required) Change to false if this is not a breaking change.
+  reporter: adil.farrukh  # (required) GitLab username of the person reporting the removal
+  stage: manage  # (required) String value of the stage that the feature was created in. e.g., Growth
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/389452  # (required) Link to the deprecation issue in GitLab
+  body: |  # (required) Do not modify this line, instead modify the lines below.
+    `omniauth-authentiq` is an OmniAuth strategy gem that was part of GitLab. The company providing authentication services, Authentiq, has shut down. Therefore the gem is being removed.
diff --git a/data/deprecations/16-0-source-code-branch-push.yml b/data/deprecations/16-0-source-code-branch-push.yml
new file mode 100644
index 00000000000..ee32a486db1
--- /dev/null
+++ b/data/deprecations/16-0-source-code-branch-push.yml
@@ -0,0 +1,16 @@
+- title: "GitLab administrators must have permission to modify protected branches or tags"
+  announcement_milestone: "16.0"
+  removal_milestone: "16.0"
+  breaking_change: true
+  reporter: tlinz
+  stage: Create
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/12776
+  body: |  # (required) Do not modify this line, instead modify the lines below.
+    GitLab administrators can no longer perform actions on protected branches or tags unless they have been explicitly granted that permission. These actions include pushing and merging into a [protected branch](https://docs.gitlab.com/ee/user/project/protected_branches.html), unprotecting a branch, and creating [protected tags](https://docs.gitlab.com/ee/user/project/protected_tags.html).
+#
+# OPTIONAL FIELDS
+#
+  tiers:  # (optional - may be required in the future) An array of tiers that the feature is available in currently.  e.g., [Free, Silver, Gold, Core, Premium, Ultimate]
+  documentation_url: https://docs.gitlab.com/ee/user/project/protected_branches.html
+  image_url:  # (optional) This is a link to a thumbnail image depicting the feature
+  video_url:  # (optional) Use the youtube thumbnail URL with the structure of https://img.youtube.com/vi/UNIQUEID/hqdefault.jpg
diff --git a/data/deprecations/16-4-deprecate-newly-detected-field.yml b/data/deprecations/16-4-deprecate-newly-detected-field.yml
new file mode 100644
index 00000000000..499bfd2147d
--- /dev/null
+++ b/data/deprecations/16-4-deprecate-newly-detected-field.yml
@@ -0,0 +1,10 @@
+- title: "Security policy field `newly_detected` is deprecated"  # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
+  removal_milestone: "17.0"  # (required) The milestone when this feature is planned to be removed
+  announcement_milestone: "16.5"  # (required) The milestone when this feature was first announced as deprecated.
+  breaking_change: true  # (required) Change to false if this is not a breaking change.
+  reporter: g.hickman  # (required) GitLab username of the person reporting the change
+  stage: govern  # (required) String value of the stage that the feature was created in. e.g., Growth
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/422414  # (required) Link to the deprecation issue in GitLab
+  body: |  # (required) Do not modify this line, instead modify the lines below.
+    In [Support additional filters for scan result policies](https://gitlab.com/groups/gitlab-org/-/epics/6826#note_1341377224), we broke the `newly_detected` field into two options: `new_needs_triage` and `new_dismissed`. By including both options in the security policy YAML, you will achieve the same result as the original `newly_detected` field. However, you may now narrow your filter to ignore findings that have been dismissed by only using `new_needs_triage`.
+  documentation_url: https://docs.gitlab.com/ee/user/application_security/policies/scan-result-policies.html#scan_finding-rule-type  # (optional) This is a link to the current documentation page
diff --git a/data/deprecations/16-4-postgres-exporter-per-table-stats.yml b/data/deprecations/16-4-postgres-exporter-per-table-stats.yml
new file mode 100644
index 00000000000..0daafcd9fb6
--- /dev/null
+++ b/data/deprecations/16-4-postgres-exporter-per-table-stats.yml
@@ -0,0 +1,13 @@
+- title: "`postgres_exporter['per_table_stats']` configuration setting"
+  announcement_milestone: "16.4"  # (required) The milestone when this feature was first announced as deprecated.
+  removal_milestone: "17.0"  # (required) The milestone when this feature is planned to be removed
+  breaking_change: true  # (required) Change to false if this is not a breaking change.
+  reporter: clemensbeck  # (required) GitLab username of the person reporting the change
+  stage: Enablement  # (required) String value of the stage that the feature was created in. e.g., Growth
+  issue_url: https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8164  # (required) Link to the deprecation issue in GitLab
+  body: |  # (required) Do not modify this line, instead modify the lines below.
+    The Linux package provides custom queries for the bundled PostgreSQL exporter, which included a `per_table_stats` query controlled by `postgres_exporter['per_table_stats']`
+    configuration setting.
+
+    The PostgreSQL exporter now provides a `stat_user_tables` collector that provides the same metrics. If you had `postgres_exporter['per_table_stats']` enabled,
+    enable `postgres_exporter['flags']['collector.stat_user_tables']` instead.
diff --git a/data/deprecations/16-5-offset-pagination.yml b/data/deprecations/16-5-offset-pagination.yml
new file mode 100644
index 00000000000..96b69f81f86
--- /dev/null
+++ b/data/deprecations/16-5-offset-pagination.yml
@@ -0,0 +1,9 @@
+- title: "Offset pagination for `/users` REST API endpoint is deprecated"  # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
+  removal_milestone: "17.0"  # (required) The milestone when this feature is planned to be removed
+  announcement_milestone: "16.5"  # (required) The milestone when this feature was first announced as deprecated.
+  breaking_change: true  # (required) Change to false if this is not a breaking change.
+  reporter: hsutor  # (required) GitLab username of the person reporting the change
+  stage: govern  # (required) String value of the stage that the feature was created in. e.g., Growth
+  issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/426547  # (required) Link to the deprecation issue in GitLab
+  body: |  # (required) Do not modify this line, instead modify the lines below.
+    Offset pagination for the `/users` REST API is deprecated in GitLab 16.5, and will be removed in GitLab 17.0. Use [keyset pagination](https://docs.gitlab.com/ee/api/rest/index.html#keyset-based-pagination) instead.
diff --git a/data/deprecations/16-5-opensuse-15-4.yml b/data/deprecations/16-5-opensuse-15-4.yml
new file mode 100644
index 00000000000..7e6519f09ac
--- /dev/null
+++ b/data/deprecations/16-5-opensuse-15-4.yml
@@ -0,0 +1,17 @@
+- title: "openSUSE Leap 15.4 packages"  # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
+  removal_milestone: "16.8"  # (required) The milestone when this feature is planned to be removed
+  announcement_milestone: "16.5"  # (required) The milestone when this feature was first announced as deprecated.
+  breaking_change: false  # (required) Change to false if this is not a breaking change.
+  reporter: twk3  # (required) GitLab username of the person reporting the change
+  stage: enablement  # (required) String value of the stage that the feature was created in. e.g., Growth
+  issue_url: https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8212  # (required) Link to the deprecation issue in GitLab
+  body: |  # (required) Do not modify this line, instead modify the lines below.
+    Support and security updates for openSUSE Leap 15.4 is [ending November 2023](https://en.opensuse.org/Lifetime#openSUSE_Leap).
+
+    GitLab 15.4 provided packages for openSUSE Leap 15.5. GitLab 15.8 and later will not provide packages for openSUSE Leap 15.4.
+
+    To prepare for GitLab 15.8 and later, you should:
+
+    1. Move instances from openSUSE Leap 15.4 to openSUSE Leap 15.5.
+    1. Switch from the openSUSE Leap 15.4 GitLab-provided packages to the openSUSE Leap 15.5 GitLab-provided packages.
+  documentation_url: https://docs.gitlab.com/ee/administration/package_information/supported_os.html
diff --git a/data/deprecations/16.0-eol-windows-server-2004-and-20H2.yml b/data/deprecations/16.0-eol-windows-server-2004-and-20H2.yml
new file mode 100644
index 00000000000..267304f6a13
--- /dev/null
+++ b/data/deprecations/16.0-eol-windows-server-2004-and-20H2.yml
@@ -0,0 +1,9 @@
+- title: "Stop publishing GitLab Runner images based on Windows Server 2004 and 20H2"  # (required) Clearly explain the change. For example, "The `confidential` field for a `Note` is removed" or "CI/CD job names are limited to 250 characters."
+  announcement_milestone: "16.0"  # (required) The milestone when this feature was deprecated.
+  removal_milestone: "16.0"  # (required) The milestone when this feature is being removed.
+  breaking_change: false  # (required) Change to false if this is not a breaking change.
+  reporter: DarrenEastman  # (required) GitLab username of the person reporting the removal
+  stage: Verify  # (required) String value of the stage that the feature was created in. e.g., Growth
+  issue_url: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/31001  # (required) Link to the deprecation issue in GitLab
+  body: |  # (required) Do not modify this line, instead modify the lines below.
+    As of GitLab 16.0, GitLab Runner images based on Windows Server 2004 and 20H2 will not be provided as these operating systems are end-of-life.
diff --git a/data/whats_new/202309220001_16_4.yml b/data/whats_new/202309220001_16_4.yml
new file mode 100644
index 00000000000..c7ca508cb39
--- /dev/null
+++ b/data/whats_new/202309220001_16_4.yml
@@ -0,0 +1,65 @@
+- name: "Customizable roles"
+  description: |
+    Group Owners or administrators can now create and remove custom roles using the UI under the Roles and Permissions menu. To create a custom role, you add [permissions](https://docs.gitlab.com/ee/user/permissions.html#custom-role-requirements) on top of an existing [base role](https://docs.gitlab.com/ee/user/permissions.html#roles). Currently, there are a limited number of permissions that can be added to a base role, including [granular security permissions](#granular-security-permissions), the ability to approve merge requests, and view code. Each milestone, new permissions will be released that can then be added to existing permissions to create custom roles.
+  stage: Govern
+  self-managed: true
+  gitlab-com: true
+  available_in: [Ultimate]
+  documentation_link: 'https://docs.gitlab.com/ee/user/permissions.html#create-a-custom-role'
+  image_url: 'https://img.youtube.com/vi/pSQ3CCdfaAs/hqdefault.jpg'
+  published_at: 2023-09-22
+  release: 16.4
+
+- name: "Group/sub-group level dependency list"
+  stage: Govern
+  description: |
+    When reviewing a list of dependencies, it is important to have an overall view. Managing dependencies at the project level is problematic for large organizations that want to audit their dependencies across all their projects. With this release, you can see all dependencies at the project or group level, including subgroups. This feature is now available by default.
+  self-managed: true
+  gitlab-com: true
+  available_in: [Ultimate]
+  documentation_link: 'https://docs.gitlab.com/ee/user/application_security/dependency_list/'
+  image_url: 'https://about.gitlab.com/images/16_4/groupsubgroup_level_dependency_list.png'
+  published_at: 2023-09-22
+  release: 16.4
+
+- name: "Access clusters locally using your GitLab user identity"
+  stage: Deploy
+  description: |
+   Allowing developers access to Kubernetes clusters requires either developer cloud accounts or third-party authentication tools. This increases the complexity of cloud identity and access management. Now, you can grant developers access to Kubernetes clusters using only their GitLab identities and the agent for Kubernetes. Use traditional Kubernetes RBAC to manage authorizations within your cluster.
+
+   Together with the [OIDC cloud authentication](https://docs.gitlab.com/ee/ci/cloud_services/) offering in GitLab pipelines, these features allow GitLab users to access cloud resources without dedicated cloud accounts without jeopardizing security and compliance.
+
+   In this first iteration of cluster access, you must [manage your Kubernetes configuration manually](https://docs.gitlab.com/ee/user/clusters/agent/user_access.html). [Issue 7288](https://gitlab.com/gitlab-org/cli/-/issues/7288) proposes to simplify setup by extending the GitLab CLI with related commands.
+  self-managed: true
+  gitlab-com: true
+  available_in: [Free, Premium, Ultimate]
+  documentation_link: 'https://docs.gitlab.com/ee/user/clusters/agent/user_access.html#access-a-cluster-with-the-kubernetes-api'
+  image_url: 'https://img.youtube.com/vi/i9rLhmG7Aog/hqdefault.jpg'
+  published_at: 2023-09-22
+  release: 16.4
+
+- name: "Create workspaces for private projects"
+  stage: Create
+  description: |
+    Previously, it was not possible to [create a workspace](https://docs.gitlab.com/ee/user/workspace/configuration.html#set-up-a-workspace) for a private project. To clone a private project, you could only authenticate yourself after you created the workspace.
+
+    With GitLab 16.4, you can create a workspace for any public or private project. When you create a workspace, you get a personal access token to use with the workspace. With this token, you can clone private projects and perform Git operations without any additional configuration or authentication.
+  available_in: [Premium, Ultimate]
+  self-managed: true
+  gitlab-com: true
+  documentation_link: 'https://docs.gitlab.com/ee/user/workspace/#personal-access-token'
+  image_url: 'https://about.gitlab.com/images/16_4/create-workspace-from-private-repo.png'
+  published_at: 2023-09-22
+  release: 16.4
+
+- name: "`id_tokens` is now a global CI/CD configuration keyword"
+  stage: Verify
+  description: |
+    From GitLab 16.4, you can set `id_tokens` as a global default value in `.gitlab-ci.yml`. Use this feature to automatically set the `id_token` configuration to every job. Jobs that use the `secrets` keyword no longer require you to set up a separate `id_token`.
+  available_in: [Free, Premium, Ultimate]
+  self-managed: true
+  gitlab-com: true
+  documentation_link: 'https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens'
+  image_url: 'https://about.gitlab.com/images/16_4/id_tokens_img.png'
+  published_at: 2023-09-22
+  release: 16.4