Add latest changes from gitlab-org/gitlab@14-2-stable-eev14.2.0-rc42

4 files changed, 45 insertions, 19 deletions

diff --git a/doc/ci/variables/README.md b/doc/ci/variables/README.md
index 5ab8653dc35..0e6c2f63f9e 100644
--- a/doc/ci/variables/README.md
+++ b/doc/ci/variables/README.md
@@ -1,5 +1,6 @@
 ---
 redirect_to: 'index.md'
+remove_date: '2021-09-28'
 ---
 
 This document was moved to [another location](index.md).
diff --git a/doc/ci/variables/index.md b/doc/ci/variables/index.md
index e6768968d83..a00b8b678ec 100644
--- a/doc/ci/variables/index.md
+++ b/doc/ci/variables/index.md
@@ -112,20 +112,33 @@ job1:
     - echo This job does not need any variables
 ```
 
-You can use variables to help define other variables. Use `$$` to ignore a variable
-name inside another variable:
+Use the [`value` and `description`](../yaml/index.md#prefill-variables-in-manual-pipelines)
+keywords to define [variables that are prefilled](../pipelines/index.md#prefill-variables-in-manual-pipelines)
+for [manually-triggered pipelines](../pipelines/index.md#run-a-pipeline-manually).
+
+### Use variables or `$` in other variables
+
+You can use variables inside other variables:
 
 ```yaml
-variables:
-  FLAGS: '-al'
-  LS_CMD: 'ls "$FLAGS" $$TMP_DIR'
-script:
-  - 'eval "$LS_CMD"'  # Executes 'ls -al $TMP_DIR'
+job:
+  variables:
+    FLAGS: '-al'
+    LS_CMD: 'ls "$FLAGS"'
+  script:
+    - 'eval "$LS_CMD"'  # Executes 'ls -al'
 ```
 
-Use the [`value` and `description`](../yaml/index.md#prefill-variables-in-manual-pipelines)
-keywords to define [variables that are prefilled](../pipelines/index.md#prefill-variables-in-manual-pipelines)
-for [manually-triggered pipelines](../pipelines/index.md#run-a-pipeline-manually).
+If you do not want the `$` interpreted as the start of a variable, use `$$` instead:
+
+```yaml
+job:
+  variables:
+    FLAGS: '-al'
+    LS_CMD: 'ls "$FLAGS" $$TMP_DIR'
+  script:
+    - 'eval "$LS_CMD"'  # Executes 'ls -al $TMP_DIR'
+```
 
 ### Add a CI/CD variable to a project
 
@@ -294,7 +307,7 @@ To mask a variable:
 1. In the project, group, or Admin Area, go to **Settings > CI/CD**.
 1. Expand the **Variables** section.
 1. Next to the variable you want to protect, select **Edit**.
-1. Select the **Mask variable** check box.
+1. Select the **Mask variable** checkbox.
 1. Select **Update variable**.
 
 The value of the variable must:
@@ -311,18 +324,27 @@ NOTE:
 Masking a CI/CD variable is not a guaranteed way to prevent malicious users from accessing
 variable values. To make variables more secure, you can [use external secrets](../secrets/index.md).
 
+WARNING:
+Due to a technical limitation, masked variables that are more than 4 KiB in length are not recommended. Printing such
+a large value to the trace log has the potential to be [revealed](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/28128).
+When using GitLab Runner 14.2, only the tail of the variable, characters beyond 4KiB in length, have the potential to
+be revealed.
+
 ### Protect a CI/CD variable
 
 You can protect a project, group or instance CI/CD variable so it is only passed
 to pipelines running on [protected branches](../../user/project/protected_branches.md)
 or [protected tags](../../user/project/protected_tags.md).
 
+[Pipelines for merge requests](../pipelines/merge_request_pipelines.md) do not have access to protected variables.
+An [issue exists](https://gitlab.com/gitlab-org/gitlab/-/issues/28002) regarding this limitation.
+
 To protect a variable:
 
 1. Go to **Settings > CI/CD** in the project, group or instance admin area.
 1. Expand the **Variables** section.
 1. Next to the variable you want to protect, select **Edit**.
-1. Select the **Protect variable** check box.
+1. Select the **Protect variable** checkbox.
 1. Select **Update variable**.
 
 The variable is available for all subsequent pipelines.
@@ -398,7 +420,7 @@ job_name:
 ```
 
 In [some cases](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4115#note_157692820)
-environment variables might need to be surrounded by quotes to expand properly:
+environment variables must be surrounded by quotes to expand properly:
 
 ```yaml
 job_name:
@@ -626,7 +648,7 @@ the environment scope of a variable. GitLab does this by
 [defining which environments and corresponding jobs](../environments/index.md)
 the variable can be available for.
 
-To learn more about scoping environments, see [Scoping environments with specs](../environments/index.md#scoping-environments-with-specs).
+To learn more about scoping environments, see [Scoping environments with specs](../environments/index.md#scope-environments-with-specs).
 
 To learn more about ensuring CI/CD variables are only exposed in pipelines running from protected
 branches or tags, see [Protect a CI/CD Variable](#protect-a-cicd-variable).
@@ -770,6 +792,8 @@ if [[ -d "/builds/gitlab-examples/ci-debug-trace/.git" ]]; then
 ++ CI_PROJECT_VISIBILITY=public
 ++ export CI_PROJECT_REPOSITORY_LANGUAGES=
 ++ CI_PROJECT_REPOSITORY_LANGUAGES=
+++ export CI_PROJECT_CLASSIFICATION_LABEL=
+++ CI_PROJECT_CLASSIFICATION_LABEL=
 ++ export CI_DEFAULT_BRANCH=main
 ++ CI_DEFAULT_BRANCH=main
 ++ export CI_REGISTRY=registry.gitlab.com
diff --git a/doc/ci/variables/predefined_variables.md b/doc/ci/variables/predefined_variables.md
index b6dd9446644..b5999a555c9 100644
--- a/doc/ci/variables/predefined_variables.md
+++ b/doc/ci/variables/predefined_variables.md
@@ -38,7 +38,7 @@ There are also [Kubernetes-specific deployment variables](../../user/project/clu
 | `CI_COMMIT_TITLE`                        | 10.8   | all    | The title of the commit. The full first line of the message. |
 | `CI_CONCURRENT_ID`                       | all    | 11.10  | The unique ID of build execution in a single executor. |
 | `CI_CONCURRENT_PROJECT_ID`               | all    | 11.10  | The unique ID of build execution in a single executor and project. |
-| `CI_CONFIG_PATH`                         | 9.4    | 0.5    | The path to the CI/CD configuration file. Defaults to `.gitlab-ci.yml`. |
+| `CI_CONFIG_PATH`                         | 9.4    | 0.5    | The path to the CI/CD configuration file. Defaults to `.gitlab-ci.yml`. Read-only inside a running pipeline. |
 | `CI_DEBUG_TRACE`                         | all    | 1.7    | `true` if [debug logging (tracing)](index.md#debug-logging) is enabled. |
 | `CI_DEFAULT_BRANCH`                      | 12.4   | all    | The name of the project's default branch. |
 | `CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX` | 13.7   | all    | The image prefix for pulling images through the Dependency Proxy. |
@@ -89,8 +89,9 @@ There are also [Kubernetes-specific deployment variables](../../user/project/clu
 | `CI_PROJECT_TITLE`                       | 12.4   | all    | The human-readable project name as displayed in the GitLab web interface. |
 | `CI_PROJECT_URL`                         | 8.10   | 0.5    | The HTTP(S) address of the project. |
 | `CI_PROJECT_VISIBILITY`                  | 10.3   | all    | The project visibility. Can be `internal`, `private`, or `public`. |
+| `CI_PROJECT_CLASSIFICATION_LABEL`        | 14.2   | all    | The project [external authorization classification label](../../user/admin_area/settings/external_authorization.md). |
 | `CI_REGISTRY_IMAGE`                      | 8.10   | 0.5    | The address of the project's Container Registry. Only available if the Container Registry is enabled for the project. |
-| `CI_REGISTRY_PASSWORD`                   | 9.0    | all    | The password to push containers to the project's GitLab Container Registry. Only available if the Container Registry is enabled for the project. |
+| `CI_REGISTRY_PASSWORD`                   | 9.0    | all    | The password to push containers to the project's GitLab Container Registry. Only available if the Container Registry is enabled for the project. This password value is the same as the `CI_JOB_TOKEN` and is valid only as long as the job is running. Use the `CI_DEPLOY_PASSWORD` for long-lived access to the registry |
 | `CI_REGISTRY_USER`                       | 9.0    | all    | The username to push containers to the project's GitLab Container Registry. Only available if the Container Registry is enabled for the project. |
 | `CI_REGISTRY`                            | 8.10   | 0.5    | The address of the GitLab Container Registry. Only available if the Container Registry is enabled for the project. This variable includes a `:port` value if one is specified in the registry configuration. |
 | `CI_REPOSITORY_URL`                      | 9.0    | all    | The URL to clone the Git repository. |
diff --git a/doc/ci/variables/where_variables_can_be_used.md b/doc/ci/variables/where_variables_can_be_used.md
index beb19c8beea..8009687dbca 100644
--- a/doc/ci/variables/where_variables_can_be_used.md
+++ b/doc/ci/variables/where_variables_can_be_used.md
@@ -113,7 +113,7 @@ Feature.disable(:variable_inside_variable, Project.find(<project id>))
 
 - Supported: project/group variables, `.gitlab-ci.yml` variables, `config.toml` variables, and
   variables from triggers, pipeline schedules, and manual pipelines.
-- Not supported: variables defined inside of scripts (e.g., `export MY_VARIABLE="test"`).
+- Not supported: variables defined inside of scripts (for example, `export MY_VARIABLE="test"`).
 
 The runner uses Go's `os.Expand()` method for variable expansion. It means that it handles
 only variables defined as `$variable` and `${variable}`. What's also important, is that
@@ -132,7 +132,7 @@ use a different variables syntax.
 
 Supported:
 
-- The `script` may use all available variables that are default for the shell (e.g., `$PATH` which
+- The `script` may use all available variables that are default for the shell (for example, `$PATH` which
   should be present in all bash/sh shells) and all variables defined by GitLab CI/CD (project/group variables,
   `.gitlab-ci.yml` variables, `config.toml` variables, and variables from triggers and pipeline schedules).
 - The `script` may also use all variables defined in the lines before. So, for example, if you define
@@ -174,7 +174,7 @@ They are:
   - Script execution shell.
 - Not supported:
   - For definitions where the ["Expansion place"](#gitlab-ciyml-file) is GitLab.
-  - In the `only` and `except` [variables expressions](../jobs/job_control.md#cicd-variable-expressions).
+  - In the `only`, `except`, and `rules` [variables expressions](../jobs/job_control.md#cicd-variable-expressions).
 
 Some of the persisted variables contain tokens and cannot be used by some definitions
 due to security reasons.