1 files changed, 161 insertions, 75 deletions

diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml
index 9596594ad26..d1e29084a5a 100644
--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -21,7 +21,7 @@
   if: '$FORCE_GITLAB_CI'
 
 .if-default-refs: &if-default-refs
-  if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_COMMIT_REF_NAME == "ruby2" || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG || $FORCE_GITLAB_CI'
+  if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_COMMIT_REF_NAME == "ruby2" || ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") || $CI_COMMIT_TAG || $FORCE_GITLAB_CI'
 
 .if-default-branch-refs: &if-default-branch-refs
   if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH && $CI_MERGE_REQUEST_IID == null'
@@ -30,30 +30,33 @@
   if: '$CI_COMMIT_BRANCH =~ /^\d+-\d+-auto-deploy-\d+$/'
 
 .if-default-branch-or-tag: &if-default-branch-or-tag
-  if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH || $CI_COMMIT_TAG'
+  if: '($CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH && $CI_MERGE_REQUEST_IID == null) || $CI_COMMIT_TAG'
+
+.if-tag: &if-tag
+  if: '$CI_COMMIT_TAG'
 
 .if-merge-request: &if-merge-request
-  if: '$CI_MERGE_REQUEST_IID'
+  if: '$CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached"'
 
 # Once https://gitlab.com/gitlab-org/gitlab/-/issues/373904 is implemented, we should be able to change this back to
-# if: '$CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_APPROVALS_COUNT > 0'
+# if: '($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $CI_MERGE_REQUEST_APPROVALS_COUNT > 0'
 # or any similar condition to check that the MR has *any* approval (not just required approval).
 #
 # Temprorarily adding || $CI_MERGE_REQUEST_LABELS =~ /pipeline:run-full-rspec/ for backward compatibility,
 # remove once https://gitlab.com/gitlab-org/quality/quality-engineering/team-tasks/-/issues/1557 is fully rolled out
 .if-merge-request-approved: &if-merge-request-approved
-  if: '$CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_LABELS =~ /pipeline:mr-approved/ || $CI_MERGE_REQUEST_LABELS =~ /pipeline:run-full-rspec/'
+  if: '($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $CI_MERGE_REQUEST_LABELS =~ /pipeline:mr-approved/ || $CI_MERGE_REQUEST_LABELS =~ /pipeline:run-full-rspec/'
 
 # Temprorarily adding && $CI_MERGE_REQUEST_LABELS !~ /pipeline:run-full-rspec/ for backward compatibility,
 # remove once https://gitlab.com/gitlab-org/quality/quality-engineering/team-tasks/-/issues/1557 is fully rolled out
 .if-merge-request-not-approved: &if-merge-request-not-approved
-  if: '$CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_LABELS !~ /pipeline:mr-approved/ && $CI_MERGE_REQUEST_LABELS !~ /pipeline:run-full-rspec/'
+  if: '($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $CI_MERGE_REQUEST_LABELS !~ /pipeline:mr-approved/ && $CI_MERGE_REQUEST_LABELS !~ /pipeline:run-full-rspec/'
 
 .if-automated-merge-request: &if-automated-merge-request
   if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == "release-tools/update-gitaly" || $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /stable-ee$/'
 
 .if-merge-request-targeting-stable-branch: &if-merge-request-targeting-stable-branch
-  if: '$CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^[\d-]+-stable(-ee)?$/'
+  if: '($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME =~ /^[\d-]+-stable(-ee)?$/'
 
 .if-merge-request-labels-run-in-ruby2: &if-merge-request-labels-run-in-ruby2
   if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:run-in-ruby2/'
@@ -73,6 +76,9 @@
 .if-merge-request-labels-run-all-jest: &if-merge-request-labels-run-all-jest
   if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:run-all-jest/'
 
+.if-merge-request-labels-run-all-e2e: &if-merge-request-labels-run-all-e2e
+  if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:run-all-e2e/'
+
 .if-merge-request-labels-run-single-db: &if-merge-request-labels-run-single-db
   if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:run-single-db/'
 
@@ -98,10 +104,10 @@
   if: '$CI_MERGE_REQUEST_LABELS =~ /frontend/ && $CI_MERGE_REQUEST_LABELS =~ /feature flag/'
 
 .if-security-merge-request: &if-security-merge-request
-  if: '$CI_PROJECT_NAMESPACE == "gitlab-org/security" && $CI_MERGE_REQUEST_IID'
+  if: '$CI_PROJECT_NAMESPACE == "gitlab-org/security" && ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached")'
 
 .if-fork-merge-request: &if-fork-merge-request
-  if: '$CI_PROJECT_NAMESPACE !~ /^gitlab(-org)?($|\/)/ && $CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_LABELS !~ /pipeline:run-all-rspec/'
+  if: '$CI_PROJECT_NAMESPACE !~ /^gitlab(-org)?($|\/)/ && ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $CI_MERGE_REQUEST_LABELS !~ /pipeline:run-all-rspec/'
 
 .if-schedule-pipeline: &if-schedule-pipeline
   if: '$CI_PIPELINE_SOURCE == "schedule"'
@@ -118,29 +124,29 @@
 .if-security-schedule: &if-security-schedule
   if: '$CI_PROJECT_NAMESPACE == "gitlab-org/security" && $CI_PIPELINE_SOURCE == "schedule"'
 
+.if-foss-schedule: &if-foss-schedule
+  if: '$CI_PROJECT_PATH == "gitlab-org/gitlab-foss" && $CI_PIPELINE_SOURCE == "schedule"'
+
 .if-dot-com-gitlab-org-schedule: &if-dot-com-gitlab-org-schedule
   if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_PIPELINE_SOURCE == "schedule"'
 
 .if-dot-com-ee-schedule-default-branch-maintenance: &if-dot-com-ee-schedule-default-branch-maintenance
   if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_TYPE == "maintenance"'
 
-.if-dot-com-ee-schedule-nightly-child-pipeline: &if-dot-com-ee-schedule-nightly-child-pipeline
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_PATH == "gitlab-org/gitlab" && $CI_PIPELINE_SOURCE == "parent_pipeline" && $SCHEDULE_TYPE == "nightly"'
-
 .if-dot-com-gitlab-org-default-branch: &if-dot-com-gitlab-org-default-branch
   if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH'
 
 .if-dot-com-gitlab-org-merge-request: &if-dot-com-gitlab-org-merge-request
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_MERGE_REQUEST_IID'
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached")'
 
 .if-dot-com-gitlab-org-and-security-merge-request: &if-dot-com-gitlab-org-and-security-merge-request
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && $CI_MERGE_REQUEST_IID'
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached")'
 
 .if-dot-com-gitlab-org-and-security-merge-request-and-qa-tests-specified: &if-dot-com-gitlab-org-and-security-merge-request-and-qa-tests-specified
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && $CI_MERGE_REQUEST_IID && $QA_TESTS'
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $QA_TESTS'
 
 .if-dot-com-gitlab-org-and-security-merge-request-manual-ff-package-and-e2e: &if-dot-com-gitlab-org-and-security-merge-request-manual-ff-package-and-e2e
-  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && $CI_MERGE_REQUEST_IID && $QA_MANUAL_FF_PACKAGE_AND_QA'
+  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $QA_MANUAL_FF_PACKAGE_AND_QA'
 
 .if-dot-com-gitlab-org-and-security-tag: &if-dot-com-gitlab-org-and-security-tag
   if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/security$)/ && $CI_COMMIT_TAG'
@@ -172,8 +178,7 @@
   - ".gitlab/ci/build-images.gitlab-ci.yml"
   - ".gitlab/ci/review.gitlab-ci.yml"
   - ".gitlab/ci/review-apps/**/*"
-  - "scripts/review_apps/base-config.yaml"
-  - "scripts/review_apps/review-apps.sh"
+  - "scripts/review_apps/**/*"
   - "scripts/trigger-build.rb"
   - "{,ee/,jh/}{bin,config}/**/*.rb"
 
@@ -220,6 +225,11 @@
   - "scripts/lint-doc.sh"
   - ".gitlab/ci/docs.gitlab-ci.yml"
 
+.docs-blueprints-patterns: &docs-blueprints-patterns
+  - "doc/architecture/blueprints/**/*"
+  - "scripts/lint-docs-blueprints.rb"
+  - ".gitlab/ci/docs.gitlab-ci.yml"
+
 .docs-deprecations-and-removals-patterns: &docs-deprecations-and-removals-patterns
   - "doc/update/deprecations.md"
   - "doc/update/removals.md"
@@ -285,12 +295,15 @@
   - ".browserslistrc"
   - "babel.config.js"
   - "jest.config.{base,integration,unit}.js"
-  - ".csscomb.json"
+  - ".stylelintrc"
   - "Dockerfile.assets"
   - "config/**/*.js"
   - "vendor/assets/**/*"
   - "{app/assets,app/components,app/helpers,app/presenters,app/views,locale,public,spec/frontend,storybook,symbol}/**/*"
 
+.initializers-patterns: &initializers-patterns
+  - "{,ee/,jh/}config/initializers/**/*"
+
 .controllers-patterns: &controllers-patterns
   - "{,ee/,jh/}{app/controllers}/**/*"
 
@@ -332,14 +345,14 @@
 # DB patterns + .ci-patterns
 .db-patterns: &db-patterns
   - "{,ee/,jh/}{,spec/}{db,migrations}/**/*"
-  - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/database/**/*"
-  - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/database{,_spec}.rb"
-  - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/background_migration/**/*"
   - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/background_migration{,_spec}.rb"
+  - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/background_migration/**/*"
+  - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/database{,_spec}.rb"
+  - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/database/**/*"
   - "{,ee/,jh/}spec/support/helpers/database/**/*"
   - "{,ee/,jh/}spec/support/helpers/migrations_helpers/**/*"
-  - "lib/gitlab/markdown_cache/active_record/**/*"
   - "lib/api/admin/batched_background_migrations.rb"
+  - "lib/gitlab/markdown_cache/active_record/**/*"
   - "spec/requests/api/admin/batched_background_migrations_spec.rb"
   - "config/prometheus/common_metrics.yml"  # Used by Gitlab::DatabaseImporters::CommonMetrics::Importer
   - "{,ee/,jh/}app/models/project_statistics.rb"  # Used to calculate sizes in migration specs
@@ -378,7 +391,7 @@
   - ".browserslistrc"
   - "babel.config.js"
   - "jest.config.{base,integration,unit}.js"
-  - ".csscomb.json"
+  - ".stylelintrc"
   - "Dockerfile.assets"
   - "vendor/assets/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
@@ -403,7 +416,7 @@
   - ".browserslistrc"
   - "babel.config.js"
   - "jest.config.{base,integration,unit}.js"
-  - ".csscomb.json"
+  - ".stylelintrc"
   - "Dockerfile.assets"
   - "vendor/assets/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
@@ -434,7 +447,7 @@
   - ".browserslistrc"
   - "babel.config.js"
   - "jest.config.{base,integration,unit}.js"
-  - ".csscomb.json"
+  - ".stylelintrc"
   - "Dockerfile.assets"
   - "vendor/assets/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
@@ -461,7 +474,7 @@
   - ".browserslistrc"
   - "babel.config.js"
   - "jest.config.{base,integration,unit}.js"
-  - ".csscomb.json"
+  - ".stylelintrc"
   - "Dockerfile.assets"
   - "vendor/assets/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
@@ -499,7 +512,7 @@
   - ".browserslistrc"
   - "babel.config.js"
   - "jest.config.{base,integration,unit}.js"
-  - ".csscomb.json"
+  - ".stylelintrc"
   - "Dockerfile.assets"
   - "vendor/assets/**/*"
   - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
@@ -547,6 +560,7 @@
   - "{,ee/,jh/}Gemfile.lock"  # This should include gitlab-styles, rubocop itself, and any plugins we might be using
   - "lib/gitlab_edition.rb"  # This is required in RuboCop::CodeReuseHelpers
   - ".gitlab/ci/static-analysis.gitlab-ci.yml"
+  - "config/feature_categories.yml"  # Used by RSpec/InvalidFeatureCategory
 
 .danger-patterns: &danger-patterns
   - "Dangerfile"
@@ -590,6 +604,8 @@
       when: never
     - <<: *if-merge-request-targeting-stable-branch
       when: never
+    - <<: *if-merge-request-labels-pipeline-expedite
+      when: never
 
 .rails:rules:predictive-default-rules:
   rules:
@@ -679,6 +695,7 @@
   rules:
     - <<: *if-schedule-maintenance
     - <<: *if-security-schedule
+    - <<: *if-foss-schedule
     - <<: *if-merge-request-labels-update-caches
 
 .shared:rules:update-gitaly-binaries-cache:
@@ -690,7 +707,7 @@
 ######################
 # Build images rules #
 ######################
-.build-images:rules:build-qa-image:
+.build-images:rules:build-qa-image-merge-requests:
   rules:
     - <<: *if-not-canonical-namespace
       when: never
@@ -700,18 +717,44 @@
       changes: *ci-build-images-patterns
     - <<: *if-dot-com-gitlab-org-and-security-merge-request
       changes: *code-qa-patterns
+
+.build-images:rules:build-qa-image:
+  rules:
+    - !reference [".build-images:rules:build-qa-image-merge-requests", "rules"]
     - <<: *if-auto-deploy-branches
       variables:
         ARCH: amd64,arm64
-    - <<: *if-default-branch-or-tag
+    - <<: *if-default-branch-refs
+      variables:
+        ARCH: amd64,arm64
+    - <<: *if-tag
       variables:
         ARCH: amd64,arm64
+      # TODO: Remove once confirmed on a tag pipeline
+      allow_failure: true
     - <<: *if-dot-com-gitlab-org-schedule
       variables:
         ARCH: amd64,arm64
     - <<: *if-force-ci
     - <<: *if-ruby2-branch
 
+.build-images:rules:build-qa-image-as-if-foss:
+  rules:
+    - !reference [".build-images:rules:build-qa-image-merge-requests", "rules"]
+
+# We want to rebuild the master image when the full e2e test pipeline runs. Currently this happens on a 2 hour schedule.
+.build-images:rules:build-qa-on-gdk-master-image:
+  rules:
+    - if: '$QA_RUN_TESTS_ON_GDK !~ /true|yes|1/i'
+      when: never
+    - <<: *if-not-canonical-namespace
+      when: never
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-dot-com-gitlab-org-schedule
+      variables:
+        ARCH: amd64,arm64
+
 .build-images:rules:build-assets-image:
   rules:
     - <<: *if-not-canonical-namespace
@@ -822,6 +865,11 @@
     - <<: *if-default-refs
       changes: *docs-patterns
 
+.docs:rules:docs-blueprints-lint:
+  rules:
+    - <<: *if-default-refs
+      changes: *docs-blueprints-patterns
+
 .docs:rules:deprecations-and-removals:
   rules:
     - <<: *if-default-refs
@@ -1036,7 +1084,7 @@
     - <<: *if-default-branch-refs
       changes: *frontend-build-patterns
       allow_failure: true
-    - if: '$DANGER_GITLAB_API_TOKEN && $CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH'
+    - if: '$DANGER_GITLAB_API_TOKEN && ($CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" || $CI_MERGE_REQUEST_EVENT_TYPE == "detached") && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH'
       changes: *frontend-build-patterns
       allow_failure: true
 
@@ -1109,7 +1157,7 @@
       allow_failure: true
     - <<: *if-ruby2-branch
 
-.qa:rules:package-and-test:
+.qa:rules:package-and-test-mrs:
   rules:
     - <<: *if-not-canonical-namespace
       when: never
@@ -1121,6 +1169,8 @@
       allow_failure: true
     - <<: *if-ruby2-branch
       allow_failure: true
+    - <<: *if-merge-request-labels-run-all-e2e
+      allow_failure: true
     - <<: *if-dot-com-gitlab-org-and-security-merge-request-manual-ff-package-and-e2e
       changes: *feature-flag-development-config-patterns
       when: manual
@@ -1129,6 +1179,9 @@
       changes: *feature-flag-development-config-patterns
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-and-security-merge-request
+      changes: *initializers-patterns
+      allow_failure: true
+    - <<: *if-dot-com-gitlab-org-and-security-merge-request
       changes: *nodejs-patterns
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-and-security-merge-request
@@ -1144,6 +1197,13 @@
       changes: *code-patterns
       when: manual
       allow_failure: true
+    - <<: *if-force-ci
+      when: manual
+      allow_failure: true
+
+.qa:rules:package-and-test:
+  rules:
+    - !reference [".qa:rules:package-and-test-mrs", rules]
     - <<: *if-dot-com-gitlab-org-schedule
       allow_failure: true
       variables:
@@ -1152,9 +1212,12 @@
         KNAPSACK_GENERATE_REPORT: "true"
         QA_SAVE_TEST_METRICS: "true"
         QA_EXPORT_TEST_METRICS: "false" # on main runs, metrics are exported to separate bucket via rake task for better consistency
-    - <<: *if-force-ci
-      when: manual
-      allow_failure: true
+
+.qa:rules:e2e:test-on-gdk:
+  rules:
+    - if: '$QA_RUN_TESTS_ON_GDK !~ /true|yes|1/i'
+      when: never
+    - !reference [".qa:rules:package-and-test", rules]
 
 ###############
 # Rails rules #
@@ -1172,6 +1235,12 @@
       changes: *db-patterns
     - <<: *if-default-branch-schedule-nightly
 
+.rails:rules:db:check-migrations-single-db:
+  rules:
+    - <<: *if-merge-request-labels-run-single-db
+    - <<: *if-merge-request
+      changes: *db-patterns
+
 .rails:rules:db-backup:
   rules:
     - <<: *if-merge-request-labels-run-all-rspec
@@ -1182,6 +1251,15 @@
     - <<: *if-default-refs
       changes: *db-patterns
 
+.rails:rules:db-rollback:
+  rules:
+    - !reference [".rails:rules:ee-and-foss-migration", rules]
+    - <<: *if-default-refs
+      changes: *initializers-patterns
+    - <<: *if-default-refs
+      changes:
+        - "{,ee/,jh/}{,spec/}lib/{,ee/,jh/}gitlab/content_security_policy/config_loader{,_spec}.rb"
+
 .rails:rules:praefect-with-db:
   rules:
     - if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:run-praefect-with-db/'
@@ -1542,9 +1620,9 @@
 .rails:rules:detect-tests:
   rules:
     - <<: *if-merge-request-labels-run-all-rspec
-    - <<: *if-default-refs
+    - <<: *if-merge-request
       changes: *code-backstage-qa-patterns
-    - <<: *if-default-refs
+    - <<: *if-merge-request
       changes: *workhorse-patterns
 
 .rails:rules:detect-previous-failed-tests:
@@ -1720,6 +1798,24 @@
     - <<: *if-merge-request
       changes: *static-analysis-patterns
 
+.semgrep-appsec-custom-rules:rules:
+  rules:
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-merge-request
+      changes: *code-backstage-qa-patterns
+
+.ping-appsec-for-sast-findings:rules:
+  rules:
+    # Requiring $CUSTOM_SAST_RULES_BOT_PAT prevents the bot from running on forks or CE
+    # Without it the script would fail too.
+    - if: "$CUSTOM_SAST_RULES_BOT_PAT == null"
+      when: never
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-merge-request
+      changes: *code-backstage-qa-patterns
+
 #######################
 # Vendored gems rules #
 #######################
@@ -1784,6 +1880,12 @@
       changes: ["vendor/gems/devise-pbkdf2-encryptable/**/*"]
     - <<: *if-merge-request-labels-run-all-rspec
 
+.vendor:rules:gitlab_active_record:
+  rules:
+    - <<: *if-merge-request
+      changes: ["vendor/gems/gitlab_active_record/**/*"]
+    - <<: *if-merge-request-labels-run-all-rspec
+
 .vendor:rules:bundler-checksum:
   rules:
     - <<: *if-merge-request
@@ -1883,12 +1985,6 @@
     - <<: *if-default-refs
       changes: *nodejs-patterns
 
-.reports:rules:schedule-dast:
-  rules:
-    - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
-      when: never
-    - <<: *if-dot-com-ee-schedule-nightly-child-pipeline
-
 .reports:rules:test-dast:
   rules:
     - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
@@ -1971,32 +2067,10 @@
         QA_SAVE_TEST_METRICS: "true"
         QA_EXPORT_TEST_METRICS: "false" # on main runs, metrics are exported to separate bucket via rake task for better consistency
 
-.review:rules:review-build-cng:
-  rules:
-    - when: always
-
-.review:rules:review-deploy:
-  rules:
-    - when: on_success
-
-.review:rules:review-performance:
-  rules:
-    - if: '$DAST_RUN == "true"'  # Skip this job when DAST is run
-      when: never
-    - <<: *if-merge-request-labels-run-review-app  # we explicitely don't allow the job to fail in that case
-    - <<: *if-dot-com-gitlab-org-merge-request  # we explicitely don't allow the job to fail in that case
-      changes: *ci-review-patterns
-    - when: on_success
-      allow_failure: true
-
-.review:rules:review-delete-deployment:
-  rules:
-    - when: on_success
-
 # The following rules needs to be the same as the one for .review:rules:start-review-app-pipeline
 # except that:
 # - all rules have `when: manual` and `allow_failure: true` here
-.review:rules:review-cleanup:
+.review:rules:review-stop-merge-requests:
   rules:
     - <<: *if-not-ee
       when: never
@@ -2033,12 +2107,23 @@
       changes: *code-patterns
       when: manual
       allow_failure: true
+
+.review:rules:review-cleanup:
+  rules:
+    - !reference [".review:rules:review-stop-merge-requests", rules]
+    - <<: *if-dot-com-ee-schedule-default-branch-maintenance
+      allow_failure: true
+
+.review:rules:review-stop:
+  rules:
+    - !reference [".review:rules:review-stop-merge-requests", rules]
     - <<: *if-dot-com-gitlab-org-schedule
+      when: manual
       allow_failure: true
 
 .review:rules:review-k8s-resources-count-checks:
   rules:
-    - <<: *if-dot-com-gitlab-org-schedule
+    - <<: *if-dot-com-ee-schedule-default-branch-maintenance
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-merge-request
       changes:
@@ -2047,18 +2132,13 @@
 
 .review:rules:review-gcp-quotas-checks:
   rules:
-    - <<: *if-dot-com-gitlab-org-schedule
+    - <<: *if-dot-com-ee-schedule-default-branch-maintenance
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-merge-request
       changes:
         - "scripts/review_apps/gcp-quotas-checks.rb"
       allow_failure: true
 
-.review:rules:review-stop:
-  rules:
-    - when: manual
-      allow_failure: true
-
 .review:rules:danger:
   rules:
     - <<: *if-merge-request
@@ -2098,6 +2178,11 @@
     - <<: *if-default-refs
       changes: *code-backstage-patterns
 
+.setup:rules:rails-production-environment:
+  rules:
+    - <<: *if-default-refs
+      changes: *code-patterns
+
 .setup:rules:no-ee-check:
   rules:
     - <<: *if-not-foss
@@ -2134,7 +2219,7 @@
     - <<: *if-not-ee
       when: never
     - <<: *if-dot-com-ee-schedule-default-branch-maintenance
-    - <<: *if-default-refs
+    - <<: *if-default-branch-refs
       changes:
         - ".gitlab/ci/setup.gitlab-ci.yml"
         - ".gitlab/ci/test-metadata.gitlab-ci.yml"
@@ -2156,7 +2241,8 @@
     - <<: *if-not-ee
       when: never
     - <<: *if-dot-com-ee-schedule-default-branch-maintenance
-    - <<: *if-default-refs
+      when: always
+    - <<: *if-default-branch-refs
       changes:
         - ".gitlab/ci/test-metadata.gitlab-ci.yml"
         - "scripts/rspec_helpers.sh"