Add latest changes from gitlab-org/gitlab@master

7 files changed, 166 insertions, 4 deletions

diff --git a/doc/administration/auth/ldap/ldap-troubleshooting.md b/doc/administration/auth/ldap/ldap-troubleshooting.md
index eb1ee203469..39546345355 100644
--- a/doc/administration/auth/ldap/ldap-troubleshooting.md
+++ b/doc/administration/auth/ldap/ldap-troubleshooting.md
@@ -393,6 +393,12 @@ the rails console.
    UIDs here should match the 'Identifier' from the LDAP identity checked earlier. If it doesn't,
    the user does not appear to be in the LDAP group.
 
+#### Cannot add service account user to group when LDAP sync is enabled
+
+When LDAP sync is enabled for a group, you cannot use the "invite" dialog to invite new group members.
+
+To resolve this issue in GitLab 16.8 and later, you can invite service accounts to and remove them from a group using the [group members API endpoints](../../../api/members.md#add-a-member-to-a-group-or-project).
+
 #### Administrator privileges not granted
 
 When [Administrator sync](ldap_synchronization.md#administrator-sync) has been configured
diff --git a/doc/api/merge_request_approvals.md b/doc/api/merge_request_approvals.md
index c150eda720c..2f33040acb0 100644
--- a/doc/api/merge_request_approvals.md
+++ b/doc/api/merge_request_approvals.md
@@ -13,6 +13,89 @@ Configuration for
 [approvals on all merge requests](../user/project/merge_requests/approvals/index.md)
 in the project. Must be authenticated for all endpoints.
 
+## Group-level MR approvals **(EXPERIMENT)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/428051) in GitLab 16.7 [with a flag](../administration/feature_flags.md) named `approval_group_rules`. Disabled by default. This feature is an [Experiment](../policy/experiment-beta-support.md).
+
+FLAG:
+On self-managed GitLab, by default this feature is not available. To make it available, an administrator can [enable the feature flag](../administration/feature_flags.md) named `approval_group_rules`.
+On GitLab.com, this feature is not available.
+This feature is not ready for production use.
+
+Group approval rules apply to all protected branches of projects belonging to the group. This feature is an [Experiment](../policy/experiment-beta-support.md).
+
+### Create group-level approval rules
+
+Users with at least the Maintainer role can create group level approval rules using the following endpoint:
+
+```plaintext
+POST /groups/:id/approval_rules
+```
+
+Supported attributes:
+
+| Attribute                           | Type              | Required               | Description                                                                                                                                                                                                                                                         |
+|-------------------------------------|-------------------|------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `id`                                | integer or string | Yes | The ID or [URL-encoded path of a group](rest/index.md#namespaced-path-encoding).                                                                                                                                                                                    |
+| `approvals_required`                | integer           | Yes | The number of required approvals for this rule.                                                                                                                                                                                                                     |
+| `name`                              | string            | Yes | The name of the approval rule.                                                                                                                                                                                                                                      |
+| `group_ids`                         | array             | No | The IDs of groups as approvers.                                                                                                                                                                                                                                     |
+| `report_type`                       | string            | No | The report type required when the rule type is `report_approver`. The supported report types are `license_scanning` [(Deprecated in GitLab 15.9)](../update/deprecations.md#license-check-and-the-policies-tab-on-the-license-compliance-page) and `code_coverage`. |
+| `rule_type`                         | string            | No | The type of rule. `any_approver` is a pre-configured default rule with `approvals_required` at `0`. Other rules are `regular` and `report_approver`.                                                                                                                |
+| `user_ids`                          | array             | No | The IDs of users as approvers.                                                                                                                                                       |
+
+Example request:
+
+```shell
+curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \
+  --url "https://gitlab.example.com/api/v4/groups/29/approval_rules?name=security&approvals_required=2"
+```
+
+Example response:
+
+```json
+{
+  "id": 5,
+  "name": "security",
+  "rule_type": "any_approver",
+  "eligible_approvers": [],
+  "approvals_required": 2,
+  "users": [],
+  "groups": [],
+  "contains_hidden_groups": false,
+  "protected_branches": [
+    {
+      "id": 5,
+      "name": "master",
+      "push_access_levels": [
+        {
+          "id": 5,
+          "access_level": 40,
+          "access_level_description": "Maintainers",
+          "deploy_key_id": null,
+          "user_id": null,
+          "group_id": null
+        }
+      ],
+      "merge_access_levels": [
+        {
+          "id": 5,
+          "access_level": 40,
+          "access_level_description": "Maintainers",
+          "user_id": null,
+          "group_id": null
+        }
+      ],
+      "allow_force_push": false,
+      "unprotect_access_levels": [],
+      "code_owner_approval_required": false,
+      "inherited": false
+    }
+  ],
+  "applies_to_all_protected_branches": true
+}
+```
+
 ## Project-level MR approvals
 
 ### Get Configuration
diff --git a/doc/ci/triggers/index.md b/doc/ci/triggers/index.md
index 4eee34af402..49ff0ee2356 100644
--- a/doc/ci/triggers/index.md
+++ b/doc/ci/triggers/index.md
@@ -39,10 +39,12 @@ To create a trigger token:
    - You can only see the first 4 characters for tokens created by other project members.
 
 WARNING:
-It is a security risk to save tokens in plain text in public projects. Potential
-attackers could use a trigger token exposed in the `.gitlab-ci.yml` file to impersonate
-the user that created the token. Use [masked CI/CD variables](../variables/index.md#mask-a-cicd-variable)
-to improve the security of trigger tokens.
+It is a security risk to save tokens in plain text in public projects, or store them
+in a way that malicious users could access them. A leaked trigger token could be
+used to force an unscheduled deployment, attempt to access CI/CD variables,
+or other malicious uses. [Masked CI/CD variables](../variables/index.md#mask-a-cicd-variable)
+help improve the security of trigger tokens. For more information about keeping tokens secure,
+see the [security considerations](../../security/token_overview.md#security-considerations).
 
 ## Trigger a pipeline
 
diff --git a/doc/user/permissions.md b/doc/user/permissions.md
index 05633cac3b0..84e9533f725 100644
--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -416,6 +416,7 @@ The following table lists group permissions available for each role:
 | [Migrate groups](group/import/index.md)                                                 |       |          |           |            | ✓     |
 | Manage [subscriptions, and purchase storage and compute minutes](../subscriptions/gitlab_com/index.md) |    |    |    |            | ✓     |
 | Manage group-level custom roles                                                         |       |          |           |            | ✓     |
+| Manage [group approval rules](project/merge_requests/approvals/settings.md) (group settings) |          |          |           | ✓          | ✓        |
 
 <!-- markdownlint-disable MD029 -->
 
diff --git a/doc/user/profile/personal_access_tokens.md b/doc/user/profile/personal_access_tokens.md
index dec42e74a58..2e6bd44ff3b 100644
--- a/doc/user/profile/personal_access_tokens.md
+++ b/doc/user/profile/personal_access_tokens.md
@@ -85,6 +85,14 @@ At any time, you can revoke a personal access token.
 1. In the **Active personal access tokens** area, select **Revoke** for the relevant token.
 1. On the confirmation dialog, select **Revoke**.
 
+## Disable personal access tokens **(PREMIUM SELF)**
+
+Prerequisites:
+
+- You must be an administrator.
+
+In GitLab 15.7 and later, you can [use the application settings API to disable personal access tokens](../../api/settings.md#list-of-settings-that-can-be-accessed-via-api-calls).
+
 ## View the last time a token was used
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/33162) in GitLab 13.2. Token usage information is updated every 24 hours.
diff --git a/doc/user/project/members/share_project_with_groups.md b/doc/user/project/members/share_project_with_groups.md
index bf8a7468199..38cf2403841 100644
--- a/doc/user/project/members/share_project_with_groups.md
+++ b/doc/user/project/members/share_project_with_groups.md
@@ -39,6 +39,7 @@ In addition:
   - An _internal_ group to a _public_ project.
   - A _public_ group to a _public_ project.
 
+- If a group in the project's hierarchy [does not allow sub-projects to be shared with groups](../../group/access_and_permissions.md#prevent-a-project-from-being-shared-with-groups), the option to **Invite a group** is not available.
 - If the project's root ancestor group [does not allow the project to be shared outside the hierarchy](../../group/access_and_permissions.md#prevent-group-sharing-outside-the-group-hierarchy), the invited group or subgroup must be in the project's [namespace](../../namespace/index.md).
   For example, a project in the namespace `group/subgroup01/project`:
   - Can be shared with `group/subgroup02` or `group/subgroup01/subgroup03`.
@@ -129,3 +130,4 @@ A list of shared projects is displayed.
 ## Related topics
 
 - [Prevent a project from being shared with groups](../../group/access_and_permissions.md#prevent-a-project-from-being-shared-with-groups).
+- [Prevent group sharing outside the group hierarchy](../../group/access_and_permissions.md#prevent-group-sharing-outside-the-group-hierarchy).
diff --git a/doc/user/project/merge_requests/changes.md b/doc/user/project/merge_requests/changes.md
index 094d2cf5730..f1fc1bfe233 100644
--- a/doc/user/project/merge_requests/changes.md
+++ b/doc/user/project/merge_requests/changes.md
@@ -34,6 +34,66 @@ To view the diff of changes included in a merge request:
 Files with many changes are collapsed to improve performance. GitLab displays the message:
 **Some changes are not shown**. To view the changes for that file, select **Expand file**.
 
+### Collapse generated files **(FREE SELF)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/140180) in GitLab 16.8 [with a flag](../../../administration/feature_flags.md) named `collapse_generated_diff_files`. Disabled by default.
+
+FLAG:
+On self-managed GitLab, by default this feature is not available. To make it available,
+an administrator can [enable the feature flag](../../../administration/feature_flags.md)
+named `collapse_generated_diff_files`.
+On GitLab.com, this feature is not available.
+
+To help reviewers focus on the files needed to perform a code review, GitLab collapses
+several common types of generated files. These files are collapsed by default, because
+they are unlikely to require code reviews:
+
+1. Files with `.nib`, `.xcworkspacedata`, or `.xcurserstate` extensions.
+1. Package lock files such as `package-lock.json` or `Gopkg.lock`.
+1. Files in the `node_modules` folder.
+1. Minified `js` or `css` files.
+1. Source map reference files.
+1. Generated Go files, including the generated files by protocol buffer compiler.
+
+If you want to automatically collapse additional files or file types, you can use the `gitlab-generated` attribute. To mark or unmark certain files/paths as generated if the default doesn't suit
+your preference. See [overriding syntax highlighting](../highlighting.md#override-syntax-highlighting-for-a-file-type) for more
+detail on how to use override attributes.
+
+#### View a collapsed file
+
+1. On the left sidebar, select **Search or go to** and find your project.
+1. Select **Code > Merge requests** and find your merge request.
+1. Below the merge request title, select **Changes**.
+1. Find the file you want to view, and select **Expand file**.
+
+#### Configure collapse behavior for a file type
+
+To change the default collapse behavior for a file type:
+
+1. If a `.gitattributes` file does not exist in the root directory of your project,
+   create a blank file with this name.
+1. For each file type you want to modify, add a line to the `.gitattributes` file
+   declaring the file extension and your desired behavior:
+
+   ```conf
+   # Collapse all files with a .txt extension
+   *.txt gitlab-generated
+
+   # Collapse all files within the docs directory
+   docs/** gitlab-generated
+
+   # Do not collapse package-lock.json
+   package-json -gitlab-generated
+   ```
+
+1. Commit, push, and merge your changes into your default branch.
+
+After the changes merge into your [default branch](../repository/branches/default.md),
+all files of this type in your project use this behavior in merge requests.
+
+For technical details about how generated files are detected, see the
+[`go-enry`](https://github.com/go-enry/go-enry/blob/master/data/generated.go) repository.
+
 ## Show one file at a time
 
 For larger merge requests, you can review one file at a time. You can change this setting