gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
author GitLab Bot <gitlab-bot@gitlab.com> 2023-08-02 15:10:59 +0300
committer GitLab Bot <gitlab-bot@gitlab.com> 2023-08-02 15:10:59 +0300
commit 7069eb1ee6cd6af1fa769df5a1175dffc4e3ddb1 (patch)
tree 9656bb7b020ab8b8dc60cdcc7975b0ecfb20a0eb /doc
parent a1131ca818b35bf982bb157d767c87ef3fc3819b (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')
-rw-r--r-- doc/administration/auth/index.md 2
-rw-r--r-- doc/administration/packages/container_registry.md 2
-rw-r--r-- doc/api/graphql/reference/index.md 4
-rw-r--r-- doc/architecture/blueprints/cells/cells-feature-database-sequences.md 2
-rw-r--r-- doc/architecture/blueprints/container_registry_metadata_database/index.md 2
-rw-r--r-- doc/architecture/blueprints/container_registry_metadata_database_self_managed_rollout/index.md 2
-rw-r--r-- doc/development/database/pagination_guidelines.md 4
-rw-r--r-- doc/development/packages/new_format_development.md 2
-rw-r--r-- doc/development/packages/settings.md 2
-rw-r--r-- doc/development/pipelines/internals.md 95
-rw-r--r-- doc/install/openshift_and_gitlab/index.md 2
-rw-r--r-- doc/security/token_overview.md 3
-rw-r--r-- doc/subscriptions/gitlab_dedicated/index.md 1
-rw-r--r-- doc/user/application_security/sast/analyzers.md 2
14 files changed, 114 insertions, 11 deletions
diff --git a/doc/administration/auth/index.md b/doc/administration/auth/index.md
index 4a8e230a944..4e96cdf0411 100644
--- a/doc/administration/auth/index.md
+++ b/doc/administration/auth/index.md
@@ -19,7 +19,7 @@ and the following external authentication and authorization providers:
NOTE:
UltraAuth has removed their software which supports OmniAuth integration. We have therefore removed all references to UltraAuth integration.
-## SaaS vs Self-Managed Comparison
+## SaaS vs self-managed comparison
The external authentication and authorization providers may support the following capabilities.
For more information, see the links shown on this page for each external provider.
diff --git a/doc/administration/packages/container_registry.md b/doc/administration/packages/container_registry.md
index 007072647a2..ad5006186d0 100644
--- a/doc/administration/packages/container_registry.md
+++ b/doc/administration/packages/container_registry.md
@@ -1618,7 +1618,7 @@ this error appears:
- `Error response from daemon: manifest invalid: Schema 1 manifest not supported`
-For Self-Managed GitLab instances, you can regain access to these images by temporarily downgrading
+For self-managed GitLab instances, you can regain access to these images by temporarily downgrading
the GitLab Container Registry to a version lower than `v3.0.0-gitlab`. Follow these steps to regain
access to these images:
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index 5eb7db9a728..9a99354b77b 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -6715,6 +6715,8 @@ Input type: `UpdateNamespacePackageSettingsInput`
| <a id="mutationupdatenamespacepackagesettingsmavenpackagerequestsforwarding"></a>`mavenPackageRequestsForwarding` | [`Boolean`](#boolean) | Indicates whether Maven package forwarding is allowed for this namespace. |
| <a id="mutationupdatenamespacepackagesettingsnamespacepath"></a>`namespacePath` | [`ID!`](#id) | Namespace path where the namespace package setting is located. |
| <a id="mutationupdatenamespacepackagesettingsnpmpackagerequestsforwarding"></a>`npmPackageRequestsForwarding` | [`Boolean`](#boolean) | Indicates whether npm package forwarding is allowed for this namespace. |
+| <a id="mutationupdatenamespacepackagesettingsnugetduplicateexceptionregex"></a>`nugetDuplicateExceptionRegex` | [`UntrustedRegexp`](#untrustedregexp) | When nuget_duplicates_allowed is false, you can publish duplicate packages with names that match this regex. Otherwise, this setting has no effect. Error is raised if `nuget_duplicates_option` feature flag is disabled. |
+| <a id="mutationupdatenamespacepackagesettingsnugetduplicatesallowed"></a>`nugetDuplicatesAllowed` | [`Boolean`](#boolean) | Indicates whether duplicate NuGet packages are allowed for this namespace. Error is raised if `nuget_duplicates_option` feature flag is disabled. |
| <a id="mutationupdatenamespacepackagesettingspypipackagerequestsforwarding"></a>`pypiPackageRequestsForwarding` | [`Boolean`](#boolean) | Indicates whether PyPI package forwarding is allowed for this namespace. |
#### Fields
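Review bot: The description of the new `nugetDuplicateExceptionRegex` argument refers to "nuget_duplicates_allowed" in snake_case and without code formatting, while the argument an API user actually sets is `nugetDuplicatesAllowed` and the feature flag in the same sentence is backticked. Suggest naming the GraphQL field in backticks so the reader can find it in this table. Since the type is `UntrustedRegexp`, it would also help to state whether an invalid pattern is rejected when the mutation runs.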
@@ -20235,6 +20237,8 @@ Namespace-level Package Registry settings.
| <a id="packagesettingsmavenpackagerequestsforwardinglocked"></a>`mavenPackageRequestsForwardingLocked` | [`Boolean!`](#boolean) | Indicates whether Maven package forwarding settings are locked by a parent namespace. |
| <a id="packagesettingsnpmpackagerequestsforwarding"></a>`npmPackageRequestsForwarding` | [`Boolean`](#boolean) | Indicates whether npm package forwarding is allowed for this namespace. |
| <a id="packagesettingsnpmpackagerequestsforwardinglocked"></a>`npmPackageRequestsForwardingLocked` | [`Boolean!`](#boolean) | Indicates whether npm package forwarding settings are locked by a parent namespace. |
+| <a id="packagesettingsnugetduplicateexceptionregex"></a>`nugetDuplicateExceptionRegex` | [`UntrustedRegexp`](#untrustedregexp) | When nuget_duplicates_allowed is false, you can publish duplicate packages with names that match this regex. Otherwise, this setting has no effect. Error is raised if `nuget_duplicates_option` feature flag is disabled. |
+| <a id="packagesettingsnugetduplicatesallowed"></a>`nugetDuplicatesAllowed` | [`Boolean!`](#boolean) | Indicates whether duplicate NuGet packages are allowed for this namespace. Error is raised if `nuget_duplicates_option` feature flag is disabled. |
| <a id="packagesettingspypipackagerequestsforwarding"></a>`pypiPackageRequestsForwarding` | [`Boolean`](#boolean) | Indicates whether PyPI package forwarding is allowed for this namespace. |
| <a id="packagesettingspypipackagerequestsforwardinglocked"></a>`pypiPackageRequestsForwardingLocked` | [`Boolean!`](#boolean) | Indicates whether PyPI package forwarding settings are locked by a parent namespace. |
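Review bot: On the read side `nugetDuplicatesAllowed` is declared `Boolean!`, yet its description says "Error is raised if `nuget_duplicates_option` feature flag is disabled". In GraphQL an error on a non-null field nulls out the enclosing object, so a query that selects this field while the flag is off would lose the rest of the package settings too. Please confirm that is intended, or document what the field returns while the flag is disabled.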
diff --git a/doc/architecture/blueprints/cells/cells-feature-database-sequences.md b/doc/architecture/blueprints/cells/cells-feature-database-sequences.md
index af9c8adb097..43301a2b57f 100644
--- a/doc/architecture/blueprints/cells/cells-feature-database-sequences.md
+++ b/doc/architecture/blueprints/cells/cells-feature-database-sequences.md
@@ -30,7 +30,7 @@ to access Merge Request, CI Job or Project by a known global ID.
Cells will use many distinct and not connected databases, each of them having
a separate IDs for most of entities.
-At a minimum, any ID referenced between a cell and the shared schema will need to be unique across the cluster to avoid ambiguous references.
+At a minimum, any ID referenced by `gitlab_main_clusterwide` table to a `gitlab_main_cell` table record will need to be unique across the cluster to avoid ambiguous references.
Further to required global IDs, it might also be desirable to retain globally unique IDs for all database rows
to allow migrating resources between Cells in the future.
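Review bot: The replacement sentence is hard to parse at "any ID referenced by `gitlab_main_clusterwide` table to a `gitlab_main_cell` table record": the article is missing and "referenced by ... to" does not read as a direction. Suggest something like "any ID that a `gitlab_main_clusterwide` table uses to reference a `gitlab_main_cell` record", which keeps the narrower scope this change introduces.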
diff --git a/doc/architecture/blueprints/container_registry_metadata_database/index.md b/doc/architecture/blueprints/container_registry_metadata_database/index.md
index a538910f553..243270afdb2 100644
--- a/doc/architecture/blueprints/container_registry_metadata_database/index.md
+++ b/doc/architecture/blueprints/container_registry_metadata_database/index.md
@@ -174,7 +174,7 @@ The diagram below illustrates the architecture of the database cluster:
[Rate](https://gitlab.com/gitlab-org/container-registry/-/issues/94) and [size](https://gitlab.com/gitlab-org/container-registry/-/issues/61#note_446609886) requirements for the GitLab.com database were extrapolated based on the `dev.gitlab.org` registry and are available in the linked issues.
-#### Self-Managed Instances
+#### Self-managed instances
By default, for self-managed instances, the registry will have a separate logical database in the same PostgreSQL instance/cluster as the GitLab database. However, it will be possible to configure the registry to use a separate instance/cluster if needed.
diff --git a/doc/architecture/blueprints/container_registry_metadata_database_self_managed_rollout/index.md b/doc/architecture/blueprints/container_registry_metadata_database_self_managed_rollout/index.md
index a73f6335218..0987b317af8 100644
--- a/doc/architecture/blueprints/container_registry_metadata_database_self_managed_rollout/index.md
+++ b/doc/architecture/blueprints/container_registry_metadata_database_self_managed_rollout/index.md
@@ -135,7 +135,7 @@ drivers, we could have the importer retry more time and for more errors. There's
a risk we would retry several times on non-retryable errors, but since no writes
are being made to object storage, this should not ultimately be harmful.
-Additionally, implementing [Validate Self-Managed Imports](https://gitlab.com/gitlab-org/container-registry/-/issues/938)
+Additionally, implementing [Validate self-managed imports](https://gitlab.com/gitlab-org/container-registry/-/issues/938)
would perform a consistency check against a sample of images before and after
import which would lead to greater consistency across all storage driver implementations.
diff --git a/doc/development/database/pagination_guidelines.md b/doc/development/database/pagination_guidelines.md
index d6550d0a515..8b07dcada05 100644
--- a/doc/development/database/pagination_guidelines.md
+++ b/doc/development/database/pagination_guidelines.md
@@ -218,7 +218,9 @@ We can argue that a typical user does not visit these pages, however, API users
### Keyset pagination
-Keyset pagination addresses the performance concerns of "skipping" previous rows when requesting a large page, however, it's not a drop-in replacement for offset-based pagination. Keyset pagination is used only in the [GraphQL API](../graphql_guide/pagination.md)
+Keyset pagination addresses the performance concerns of "skipping" previous rows when requesting a large page, however, it's not a drop-in replacement for offset-based pagination. When moving an API endpoint from offset-based pagination to keyset-based pagination, both must be supported. Removing one type of pagination entirely is a [breaking changes](../../update/terminology.md#breaking-change).
+
+Keyset pagination used in both the [GraphQL API](../graphql_guide/pagination.md#keyset-pagination) and the [REST API](../../api/rest/index.md#keyset-based-pagination).
Consider the following `issues` table:
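Review bot: Two grammar slips in the added lines: "is a [breaking changes]" mixes singular and plural (use "is a [breaking change]"), and "Keyset pagination used in both" is missing its verb ("is used in both"). The first added sentence also joins two clauses with ", however," and would read better split in two.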
diff --git a/doc/development/packages/new_format_development.md b/doc/development/packages/new_format_development.md
index 66e6cb89661..0af0b8ad480 100644
--- a/doc/development/packages/new_format_development.md
+++ b/doc/development/packages/new_format_development.md
@@ -62,7 +62,7 @@ As an MVC, we recommend beginning with a project-level endpoint. A typical itera
- Publish and install in a project
- Install from a group
-- Publish and install in an Instance (this is for Self-Managed customers)
+- Publish and install in an instance (this is for self-managed customers)
Using instance-level endpoints requires [stricter naming conventions](#naming-conventions).
diff --git a/doc/development/packages/settings.md b/doc/development/packages/settings.md
index 7cd3438731d..0fc49c4eb5d 100644
--- a/doc/development/packages/settings.md
+++ b/doc/development/packages/settings.md
@@ -67,6 +67,8 @@ Setting | Table | Description
`maven_duplicate_exception_regex` | `namespace_package_settings` | Regex defining Maven packages that are allowed to be duplicate when duplicates are not allowed. This matches the name and version of the package.
`generic_duplicates_allowed` | `namespace_package_settings` | Allow or prevent duplicate generic packages.
`generic_duplicate_exception_regex` | `namespace_package_settings` | Regex defining generic packages that are allowed to be duplicate when duplicates are not allowed.
+`nuget_duplicates_allowed` | `namespace_package_settings` | Allow or prevent duplicate NuGet packages.
+`nuget_duplicate_exception_regex` | `namespace_package_settings` | Regex defining NuGet packages that are allowed to be duplicate when duplicates are not allowed.
Dependency Proxy Cleanup Policies - `ttl` | `dependency_proxy_image_ttl_group_policies` | Number of days to retain an unused Dependency Proxy file before it is removed.
Dependency Proxy - `enabled` | `dependency_proxy_image_ttl_group_policies` | Enable or disable the Dependency Proxy cleanup policy.
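Review bot: The new `nuget_duplicate_exception_regex` row does not say what the regex is matched against. The `maven_duplicate_exception_regex` row in the same table states "This matches the name and version of the package"; please say whether the NuGet setting matches the name only or the name and version, so an exception pattern is not written broader than intended.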
diff --git a/doc/development/pipelines/internals.md b/doc/development/pipelines/internals.md
index c0d7bbd3713..97424e02437 100644
--- a/doc/development/pipelines/internals.md
+++ b/doc/development/pipelines/internals.md
@@ -294,3 +294,98 @@ qa:selectors-as-if-foss:
extends:
- .qa:rules:as-if-foss
```
+
+### Extend the `.fast-no-clone-job` job
+
+Downloading the branch for the canonical project takes between 20 and 30 seconds.
+
+Some jobs only need a limited number of files, which we can download via the GitLab API.
+
+You can skip a job `git clone`/`git fetch` by adding the following pattern to a job.
+
+#### Scenario 1: no `before_script` is defined in the job
+
+You can just extend the `.fast-no-clone-job`:
+
+```yaml
+ extends:
+ - .fast-no-clone-job
+ variables:
+ FILES_TO_DOWNLOAD: >
+ scripts/rspec_helpers.sh
+ scripts/slack
+```
+
+#### Scenario 2: a `before_script` block is already defined in the job
+
+You have to include the `.fast-no-clone-job` via a `!reference` as well:
+
+```yaml
+ extends:
+ - .fast-no-clone-job
+ variables:
+ FILES_TO_DOWNLOAD: >
+ scripts/rspec_helpers.sh
+ scripts/slack
+ before_script:
+ - !reference [".fast-no-clone-job", before_script]
+ - # [...]
+```
+
+- The job sets the `GIT_STRATEGY` to `none`.
+- The files are downloaded from current project, on the current `CI_COMMIT_SHA`
+- We use the `PROJECT_TOKEN_FOR_CI_SCRIPTS_API_USAGE` to fetch files from the repository (particularly important if we are in a private project)
+
+Below is an example on how to convert a job using this pattern:
+
+```yaml
+# Before
+my-job:
+ image: ruby
+ stage: prepare
+ script: # This job requires two files to function
+ - source ./scripts/rspec_helpers.sh
+ - source ./scripts/slack
+ - echo "The files were successfully sourced!"
+
+# After
+my-job:
+ extends:
+ - .fast-no-clone-job
+ image: ruby
+ stage: prepare
+ variables:
+ FILES_TO_DOWNLOAD: >
+ scripts/rspec_helpers.sh
+ scripts/slack
+ script: # This job requires two files to function
+ - source ./scripts/rspec_helpers.sh
+ - source ./scripts/slack
+ - echo "The files were successfully sourced!"
+```
+
+#### Caveats
+
+- This pattern does not work if a script relies on `git` to access the repository, because we don't have the repository without cloning or fetching.
+- The job using this pattern needs to have `curl` available.
+
+#### Where is this pattern used?
+
+- For now, we use this pattern for the following jobs, and those do not block private repositories:
+ - `review-build-cng-env` for:
+ - `GITALY_SERVER_VERSION`
+ - `GITLAB_ELASTICSEARCH_INDEXER_VERSION`
+ - `GITLAB_KAS_VERSION`
+ - `GITLAB_METRICS_EXPORTER_VERSION`
+ - `GITLAB_PAGES_VERSION`
+ - `GITLAB_SHELL_VERSION`
+ - `scripts/trigger-build.rb`
+ - `VERSION`
+ - `review-deploy` for:
+ - `GITALY_SERVER_VERSION`
+ - `GITLAB_SHELL_VERSION`
+ - `scripts/review_apps/review-apps.sh`
+ - `scripts/review_apps/seed-dast-test-data.sh`
+ - `VERSION`
+
+Additionally, `scripts/utils.sh` is always downloaded from the API when this pattern is used (this file contains the code for `.fast-no-clone-job`).
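Review bot: The bullet that introduces `PROJECT_TOKEN_FOR_CI_SCRIPTS_API_USAGE` does not say what kind of token it is or which scope it needs. Every job that extends `.fast-no-clone-job` depends on it, so the section should state the minimum scope required to fetch files and whether the variable is masked and protected. Smaller points in the same list: "from current project, on the current `CI_COMMIT_SHA`" is missing "the" and the closing period, and under "Where is this pattern used?" the phrase "those do not block private repositories" is unclear about what would be blocked. The caveat that the job needs `curl` could also mention that the `ruby` image in the example provides it, if that is the case.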
diff --git a/doc/install/openshift_and_gitlab/index.md b/doc/install/openshift_and_gitlab/index.md
index c13e586a207..38e7b10c091 100644
--- a/doc/install/openshift_and_gitlab/index.md
+++ b/doc/install/openshift_and_gitlab/index.md
@@ -12,7 +12,7 @@ OpenShift - GitLab compatibility can be addressed in three different aspects. Th
OpenShift helps you to develop, deploy, and manage container-based applications. It provides you with a self-service platform to create, modify, and deploy applications on demand, thus enabling faster development and release life cycles.
-## Use OpenShift to run GitLab Self-Managed
+## Use OpenShift to run GitLab self-managed
Running GitLab within an OpenShift cluster is officially supported using the GitLab Operator. You can learn more on
[setting up GitLab on OpenShift on the GitLab Operator's documentation](https://docs.gitlab.com/charts/installation/operator.html).
diff --git a/doc/security/token_overview.md b/doc/security/token_overview.md
index fb4fb71356a..731ebecb5b6 100644
--- a/doc/security/token_overview.md
+++ b/doc/security/token_overview.md
@@ -178,7 +178,7 @@ This table shows available scopes per token. Scopes can be limited further on to
1. When creating a scoped token, consider using the most limited scope possible to reduce the impact of accidentally leaking the token.
1. When creating a token, consider setting a token that expires when your task is complete. For example, if performing a one-off import, set the
token to expire after a few hours or a day. This reduces the impact of a token that is accidentally leaked because it is useless when it expires.
-1. If you are recording a video that might contain a sensitive secret like a personal access token (PAT), feed token, or trigger token, you must mask that secret before uploading the video to GitLab Unfiltered or any other video hosting service. As an additional defense-in-depth security measure, you must revoke those secrets before you share the video publicly. For more information, see [revoking a PAT](../user/profile/personal_access_tokens.md#revoke-a-personal-access-token).
+1. If you have set up a demo environment to showcase a project you have been working on and you are recording a video or writing a blog post describing that project, make sure you are not leaking sensitive secrets (for example a personal access token (PAT), feed token or trigger token) during that process. If you have finished the demo, you must revoke all the secrets created during that demo. For more information, see [revoking a PAT](../user/profile/personal_access_tokens.md#revoke-a-personal-access-token).
1. Adding access tokens to URLs is a security risk, especially when cloning or adding a remote because Git then writes the URL to its `.git/config` file in plain text. URLs are
also generally logged by proxies and application servers, which makes those credentials visible to system administrators. Instead, pass API calls an access token using
headers like [the `Private-Token` header](../api/rest/index.md#personalprojectgroup-access-tokens).
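Review bot: The rewritten list item drops two requirements the removed text had: masking the secret before uploading a video, and revoking it before the video is shared publicly. The new wording only says to revoke "If you have finished the demo", which leaves room for a recording or blog post to be published while a token shown in it is still valid. Suggest keeping the ordering explicit, for example that the secrets must be revoked before the video or post is published.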
@@ -189,7 +189,6 @@ This table shows available scopes per token. Scopes can be limited further on to
Consider an approach such as [using external secrets in CI](../ci/secrets/index.md).
1. Do not log credentials in the console logs or artifacts. Consider [protecting](../ci/variables/index.md#protect-a-cicd-variable) and
[masking](../ci/variables/index.md#mask-a-cicd-variable) your credentials.
-1. If you have set up a demo environment to showcase a project you have been working on and you are recording a video or writing a blog post describing that project, make sure you are not leaking sensitive secrets during that process. If you are done with the demo, you must revoke all the secrets created during that demo.
1. Review all active access tokens of all types on a regular basis and revoke any that are no longer needed. This includes:
- Personal, project, and group access tokens.
- Feed tokens.
diff --git a/doc/subscriptions/gitlab_dedicated/index.md b/doc/subscriptions/gitlab_dedicated/index.md
index 75fcdb70161..08adcc7fa24 100644
--- a/doc/subscriptions/gitlab_dedicated/index.md
+++ b/doc/subscriptions/gitlab_dedicated/index.md
@@ -123,6 +123,7 @@ The following GitLab application features are not available:
- Reply-by email
- Service Desk
- GitLab-managed runners (hosted runners)
+- GitLab AI capabilities (Refer to our [direction page](https://about.gitlab.com/direction/saas-platforms/dedicated/#supporting-ai-features-on-gitlab-dedicated) for more information)
- Any feature [not listed above](#available-features) which must be configured outside of the GitLab user interface.
The following features will not be supported:
diff --git a/doc/user/application_security/sast/analyzers.md b/doc/user/application_security/sast/analyzers.md
index fecadaa737d..1c898bfc706 100644
--- a/doc/user/application_security/sast/analyzers.md
+++ b/doc/user/application_security/sast/analyzers.md
@@ -141,7 +141,7 @@ To preview the upcoming changes to the CI/CD configuration in GitLab 15.3 or ear
template: 'Jobs/SAST.latest.gitlab-ci.yaml'
```
- - On a Self-Managed instance, download the template from GitLab.com:
+ - On a self-managed instance, download the template from GitLab.com:
```yaml
include: