14 files changed, 169 insertions, 175 deletions

diff --git a/.gitlab/ci/cng.gitlab-ci.yml b/.gitlab/ci/cng.gitlab-ci.yml
deleted file mode 100644
index d720ec5ae45..00000000000
--- a/.gitlab/ci/cng.gitlab-ci.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-cloud-native-image-env:
-  extends:
-    - .default-retry
-    - .cng:rules
-  image: ${GITLAB_DEPENDENCY_PROXY}ruby:2.7-alpine3.13
-  stage: post-test
-  before_script:
-    - source ./scripts/utils.sh
-    - install_gitlab_gem
-  script:
-    - 'ruby -r./scripts/trigger-build.rb -e "puts Trigger.variables_for_env_file(Trigger::CNG.new.variables)" > build.env'
-    - cat build.env
-  artifacts:
-    reports:
-      dotenv: build.env
-    paths:
-      - build.env
-    expire_in: 7 days
-    when: always
-
-cloud-native-image:
-  extends: .cng:rules
-  stage: post-test
-  needs: ["cloud-native-image-env"]
-  inherit:
-    variables: false
-  variables:
-    TOP_UPSTREAM_SOURCE_PROJECT: "${TOP_UPSTREAM_SOURCE_PROJECT}"
-    TOP_UPSTREAM_SOURCE_REF: "${TOP_UPSTREAM_SOURCE_REF}"
-    TOP_UPSTREAM_SOURCE_JOB: "${TOP_UPSTREAM_SOURCE_JOB}"
-    TOP_UPSTREAM_SOURCE_SHA: "${TOP_UPSTREAM_SOURCE_SHA}"
-    TOP_UPSTREAM_MERGE_REQUEST_PROJECT_ID: "${TOP_UPSTREAM_MERGE_REQUEST_PROJECT_ID}"
-    TOP_UPSTREAM_MERGE_REQUEST_IID: "${TOP_UPSTREAM_MERGE_REQUEST_IID}"
-    GITLAB_REF_SLUG: "${GITLAB_REF_SLUG}"
-    # CNG pipeline specific variables
-    GITLAB_VERSION: "${GITLAB_VERSION}"
-    GITLAB_TAG: "${GITLAB_TAG}"
-    GITLAB_ASSETS_TAG: "${GITLAB_ASSETS_TAG}"
-    FORCE_RAILS_IMAGE_BUILDS: "${FORCE_RAILS_IMAGE_BUILDS}"
-    CE_PIPELINE: "${CE_PIPELINE}"  # Based on https://docs.gitlab.com/ee/ci/jobs/job_control.html#check-if-a-variable-exists, `if: '$CE_PIPELINE'` will evaluate to `false` when this variable is empty
-    EE_PIPELINE: "${EE_PIPELINE}"  # Based on https://docs.gitlab.com/ee/ci/jobs/job_control.html#check-if-a-variable-exists, `if: '$EE_PIPELINE'` will evaluate to `false` when this variable is empty
-    GITLAB_SHELL_VERSION: "${GITLAB_SHELL_VERSION}"
-    GITLAB_ELASTICSEARCH_INDEXER_VERSION: "${GITLAB_ELASTICSEARCH_INDEXER_VERSION}"
-    GITLAB_KAS_VERSION: "${GITLAB_KAS_VERSION}"
-    GITLAB_WORKHORSE_VERSION: "${GITLAB_WORKHORSE_VERSION}"
-    GITLAB_PAGES_VERSION: "${GITLAB_PAGES_VERSION}"
-    GITALY_SERVER_VERSION: "${GITALY_SERVER_VERSION}"
-  trigger:
-    project: gitlab-org/build/CNG
-    branch: $TRIGGER_BRANCH
-    strategy: depend
diff --git a/.gitlab/ci/docs.gitlab-ci.yml b/.gitlab/ci/docs.gitlab-ci.yml
index 8b7691045cb..217da6506bf 100644
--- a/.gitlab/ci/docs.gitlab-ci.yml
+++ b/.gitlab/ci/docs.gitlab-ci.yml
@@ -44,7 +44,7 @@ docs-lint markdown:
     - .default-retry
     - .docs:rules:docs-lint
   # When updating the image version here, update it in /scripts/lint-doc.sh too.
-  image: registry.gitlab.com/gitlab-org/gitlab-docs/lint-markdown:alpine-3.15-vale-2.15.0-markdownlint-0.31.0
+  image: registry.gitlab.com/gitlab-org/gitlab-docs/lint-markdown:alpine-3.15-vale-2.15.5-markdownlint-0.31.1
   stage: lint
   needs: []
   script:
diff --git a/.gitlab/ci/frontend.gitlab-ci.yml b/.gitlab/ci/frontend.gitlab-ci.yml
index cb07384676d..6e84d4f3914 100644
--- a/.gitlab/ci/frontend.gitlab-ci.yml
+++ b/.gitlab/ci/frontend.gitlab-ci.yml
@@ -293,14 +293,14 @@ coverage-frontend:
     - *yarn-install
     - run_timed_command "retry yarn run webpack-prod"
 
-qa-frontend-node:12:
-  extends: .qa-frontend-node
-  image: ${GITLAB_DEPENDENCY_PROXY}node:12
-
 qa-frontend-node:14:
   extends: .qa-frontend-node
   image: ${GITLAB_DEPENDENCY_PROXY}node:14
 
+qa-frontend-node:16:
+  extends: .qa-frontend-node
+  image: ${GITLAB_DEPENDENCY_PROXY}node:16
+
 qa-frontend-node:latest:
   extends:
     - .qa-frontend-node
@@ -335,10 +335,13 @@ bundle-size-review:
   stage: test
   needs: ["compile-production-assets"]
   script:
+    - source scripts/utils.sh
     - mkdir -p bundle-size-review
     - cp webpack-report/index.html bundle-size-review/bundle-report.html
     - yarn global add https://gitlab.com/gitlab-org/frontend/playground/webpack-memory-metrics.git
-    - danger --dangerfile=danger/bundle_size/Dangerfile --fail-on-errors=true --verbose --danger_id=bundle-size-review
+    - |
+      danger_id=$(echo -n ${DANGER_GITLAB_API_TOKEN} | md5sum | awk '{print $1}' | cut -c5-10)
+      run_timed_command "danger --dangerfile=danger/Dangerfile-bundle_size --fail-on-errors=true --verbose --danger_id=bundle-size-review-${danger_id}"
   artifacts:
     when: always
     name: bundle-size-review
diff --git a/.gitlab/ci/global.gitlab-ci.yml b/.gitlab/ci/global.gitlab-ci.yml
index 146a7067acd..4069dfe9a2b 100644
--- a/.gitlab/ci/global.gitlab-ci.yml
+++ b/.gitlab/ci/global.gitlab-ci.yml
@@ -41,18 +41,19 @@
   key:
     files:
       - GITALY_SERVER_VERSION
+      - lib/gitlab/setup_helper.rb
     prefix: "gitaly-binaries-${DEBIAN-VERSION}"
   paths:
-    - tmp/tests/gitaly/_build/bin/
-    - tmp/tests/gitaly/_build/deps/git/install/
-    - tmp/tests/gitaly/config.toml
-    - tmp/tests/gitaly/gitaly2.config.toml
-    - tmp/tests/gitaly/internal/
-    - tmp/tests/gitaly/internal_gitaly2/
-    - tmp/tests/gitaly/internal_sockets/
-    - tmp/tests/gitaly/Makefile
-    - tmp/tests/gitaly/praefect.config.toml
-    - tmp/tests/gitaly/ruby/
+    - ${TMP_TEST_FOLDER}/gitaly/_build/bin/
+    - ${TMP_TEST_FOLDER}/gitaly/_build/deps/git/install/
+    - ${TMP_TEST_FOLDER}/gitaly/config.toml
+    - ${TMP_TEST_FOLDER}/gitaly/gitaly2.config.toml
+    - ${TMP_TEST_FOLDER}/gitaly/internal/
+    - ${TMP_TEST_FOLDER}/gitaly/run/
+    - ${TMP_TEST_FOLDER}/gitaly/run2/
+    - ${TMP_TEST_FOLDER}/gitaly/Makefile
+    - ${TMP_TEST_FOLDER}/gitaly/praefect.config.toml
+    - ${TMP_TEST_FOLDER}/gitaly/ruby/
   policy: pull
 
 .go-pkg-cache: &go-pkg-cache
@@ -213,34 +214,33 @@
     - *storybook-node-modules-cache-push
 
 .use-pg11:
-  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:debian-${DEBIAN_VERSION}-ruby-2.7.patched-golang-1.16-git-2.33-lfs-2.9-chrome-97-node-16.14-yarn-1.22-postgresql-11-graphicsmagick-1.3.36
   services:
     - name: postgres:11.6
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
     - name: redis:5.0-alpine
   variables:
     POSTGRES_HOST_AUTH_METHOD: trust
+    PG_VERSION: "11"
 
 .use-pg12:
-  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:debian-${DEBIAN_VERSION}-ruby-2.7.patched-golang-1.16-git-2.33-lfs-2.9-chrome-97-node-16.14-yarn-1.22-postgresql-12-graphicsmagick-1.3.36
   services:
     - name: postgres:12
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
     - name: redis:6.0-alpine
   variables:
     POSTGRES_HOST_AUTH_METHOD: trust
+    PG_VERSION: "12"
 
 .use-pg13:
-  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:debian-${DEBIAN_VERSION}-ruby-2.7.patched-golang-1.16-git-2.33-lfs-2.9-chrome-97-node-16.14-yarn-1.22-postgresql-13-graphicsmagick-1.3.36
   services:
     - name: postgres:13
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
     - name: redis:5.0-alpine
   variables:
     POSTGRES_HOST_AUTH_METHOD: trust
+    PG_VERSION: "13"
 
 .use-pg11-ee:
-  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:debian-${DEBIAN_VERSION}-ruby-2.7.patched-golang-1.16-git-2.33-lfs-2.9-chrome-97-node-16.14-yarn-1.22-postgresql-11-graphicsmagick-1.3.36
   services:
     - name: postgres:11.6
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -249,9 +249,9 @@
       command: ["elasticsearch", "-E", "discovery.type=single-node"]
   variables:
     POSTGRES_HOST_AUTH_METHOD: trust
+    PG_VERSION: "11"
 
 .use-pg12-ee:
-  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:debian-${DEBIAN_VERSION}-ruby-2.7.patched-golang-1.16-git-2.33-lfs-2.9-chrome-97-node-16.14-yarn-1.22-postgresql-12-graphicsmagick-1.3.36
   services:
     - name: postgres:12
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -260,9 +260,9 @@
       command: ["elasticsearch", "-E", "discovery.type=single-node"]
   variables:
     POSTGRES_HOST_AUTH_METHOD: trust
+    PG_VERSION: "12"
 
 .use-pg13-ee:
-  image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:debian-${DEBIAN_VERSION}-ruby-2.7.patched-golang-1.16-git-2.33-lfs-2.9-chrome-97-node-16.14-yarn-1.22-postgresql-13-graphicsmagick-1.3.36
   services:
     - name: postgres:13
       command: ["postgres", "-c", "fsync=off", "-c", "synchronous_commit=off", "-c", "full_page_writes=off"]
@@ -271,6 +271,7 @@
       command: ["elasticsearch", "-E", "discovery.type=single-node"]
   variables:
     POSTGRES_HOST_AUTH_METHOD: trust
+    PG_VERSION: "13"
 
 .use-kaniko:
   image:
diff --git a/.gitlab/ci/graphql.gitlab-ci.yml b/.gitlab/ci/graphql.gitlab-ci.yml
index 1a05f68b178..c4c4d500fb5 100644
--- a/.gitlab/ci/graphql.gitlab-ci.yml
+++ b/.gitlab/ci/graphql.gitlab-ci.yml
@@ -11,3 +11,5 @@ graphql-verify:
   script:
     - bundle exec rake gitlab:graphql:validate
     - bundle exec rake gitlab:graphql:check_docs
+    - bundle exec rake gitlab:graphql:schema:dump
+    - node scripts/frontend/graphql_possible_types_extraction.js --check
diff --git a/.gitlab/ci/qa.gitlab-ci.yml b/.gitlab/ci/qa.gitlab-ci.yml
index 77d12a3e848..8881a4c486d 100644
--- a/.gitlab/ci/qa.gitlab-ci.yml
+++ b/.gitlab/ci/qa.gitlab-ci.yml
@@ -16,14 +16,14 @@
 qa:internal:
   extends:
     - .qa-job-base
-    - .qa:rules:ee-and-foss
+    - .qa:rules:internal
   script:
-    - bundle exec rspec
+    - bundle exec rspec -O .rspec_internal
 
 qa:internal-as-if-foss:
   extends:
     - qa:internal
-    - .qa:rules:as-if-foss
+    - .qa:rules:internal-as-if-foss
     - .as-if-foss
 
 qa:selectors:
@@ -33,15 +33,25 @@ qa:selectors:
   script:
     - bundle exec bin/qa Test::Sanity::Selectors
 
-qa:auto_quarantine:
+qa:master-auto-quarantine-dequarantine:
+  extends:
+    - .qa-job-base
+  rules:
+    - if: '$QA_TRIGGER_AUTO_QUARANTINE =~ /true|yes|1/i'
+  script:
+    - bundle exec confiner -r .confiner/master.yml
+  allow_failure: true
+
+qa:nightly-auto-quarantine-dequarantine:
   extends:
     - .qa-job-base
   rules:
     - if: '$QA_TRIGGER_AUTO_QUARANTINE =~ /true|yes|1/i'
   script:
-    - bundle exec confiner -r .confiner/quarantine.yml
+    - bundle exec confiner -r .confiner/nightly.yml
   allow_failure: true
 
+
 qa:selectors-as-if-foss:
   extends:
     - qa:selectors
diff --git a/.gitlab/ci/rails.gitlab-ci.yml b/.gitlab/ci/rails.gitlab-ci.yml
index 1c745e6d986..9ca125a0b2a 100644
--- a/.gitlab/ci/rails.gitlab-ci.yml
+++ b/.gitlab/ci/rails.gitlab-ci.yml
@@ -24,8 +24,6 @@
 
 .single-db-rspec:
   extends: .single-db
-  variables:
-    GITLAB_USE_MODEL_LOAD_BALANCING: "false"
 
 .rspec-base:
   extends:
@@ -208,8 +206,8 @@ setup-test-env:
       - ${TMP_TEST_FOLDER}/gitaly/config.toml
       - ${TMP_TEST_FOLDER}/gitaly/gitaly2.config.toml
       - ${TMP_TEST_FOLDER}/gitaly/internal/
-      - ${TMP_TEST_FOLDER}/gitaly/internal_gitaly2/
-      - ${TMP_TEST_FOLDER}/gitaly/internal_sockets/
+      - ${TMP_TEST_FOLDER}/gitaly/run/
+      - ${TMP_TEST_FOLDER}/gitaly/run2/
       - ${TMP_TEST_FOLDER}/gitaly/Makefile
       - ${TMP_TEST_FOLDER}/gitaly/praefect.config.toml
       - ${TMP_TEST_FOLDER}/gitaly/ruby/
@@ -387,8 +385,6 @@ db:migrate-from-previous-major-version:
     SETUP_DB: "false"
     PROJECT_TO_CHECKOUT: "gitlab-foss"
     TAG_TO_CHECKOUT: "v13.12.9"
-    # FIXME: make this job work with `GITLAB_USE_MODEL_LOAD_BALANCING: true`, see https://gitlab.com/gitlab-org/gitlab/-/issues/355573
-    GITLAB_USE_MODEL_LOAD_BALANCING: "false"
   before_script:
     - !reference [.default-before_script, before_script]
     - '[[ -d "ee/" ]] || export PROJECT_TO_CHECKOUT="gitlab"'
diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index d040abfe902..3628013fc9b 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -87,12 +87,6 @@ gemnasium-dependency_scanning:
     - apk add git-lfs
   rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules]
 
-bundler-audit-dependency_scanning:
-  rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules]
-
-retire-js-dependency_scanning:
-  rules: !reference [".reports:rules:retire-js-dependency_scanning", rules]
-
 gemnasium-python-dependency_scanning:
   rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules]
 
diff --git a/.gitlab/ci/review-apps/qa.gitlab-ci.yml b/.gitlab/ci/review-apps/qa.gitlab-ci.yml
index a955096992f..d2192a7511a 100644
--- a/.gitlab/ci/review-apps/qa.gitlab-ci.yml
+++ b/.gitlab/ci/review-apps/qa.gitlab-ci.yml
@@ -1,3 +1,10 @@
+include:
+  - project: gitlab-org/quality/pipeline-common
+    ref: 0.3.6
+    file:
+      - /ci/allure-report.yml
+      - /ci/knapsack-report.yml
+
 .review-qa-base:
   extends:
     - .use-docker-in-docker
@@ -43,27 +50,13 @@
     when: always
 
 .allure-report-base:
-  image:
-    name: ${GITLAB_DEPENDENCY_PROXY}andrcuns/allure-report-publisher:0.4.2
-    entrypoint: [""]
+  extends: .generate-allure-report-base
   stage: post-qa
   variables:
-    GIT_STRATEGY: none
-    STORAGE_CREDENTIALS: $QA_ALLURE_REPORT_GCS_CREDENTIALS
     GITLAB_AUTH_TOKEN: $GITLAB_QA_MR_ALLURE_REPORT_TOKEN
     ALLURE_PROJECT_PATH: $CI_PROJECT_PATH
     ALLURE_MERGE_REQUEST_IID: $CI_MERGE_REQUEST_IID
-  allow_failure: true
-  script:
-    - |
-      allure-report-publisher upload gcs \
-        --results-glob="qa/tmp/allure-results/*" \
-        --bucket="gitlab-qa-allure-reports" \
-        --prefix="$ALLURE_REPORT_PATH_PREFIX/$CI_COMMIT_REF_SLUG" \
-        --update-pr="comment" \
-        --copy-latest \
-        --ignore-missing-results \
-        --color
+    ALLURE_RESULTS_GLOB: qa/tmp/allure-results/*
 
 review-qa-smoke:
   extends:
@@ -121,23 +114,19 @@ review-performance:
       performance: performance.json
     expire_in: 31d
 
-allure-report-qa-smoke:
-  extends:
-    - .allure-report-base
-    - .review:rules:review-qa-smoke-report
-  needs: ["review-qa-smoke"]
-  variables:
-    ALLURE_REPORT_PATH_PREFIX: gitlab-review-smoke
-    ALLURE_JOB_NAME: review-qa-smoke
-
-allure-report-qa-reliable:
+# Generate single report for both smoke and reliable test jobs
+# Both job types are essentially the same:
+# * always executed
+# * always blocking
+allure-report-qa-blocking:
   extends:
     - .allure-report-base
-    - .review:rules:review-qa-reliable-report
-  needs: ["review-qa-reliable"]
+    - .review:rules:review-qa-blocking-report
+  needs:
+    - review-qa-smoke
+    - review-qa-reliable
   variables:
-    ALLURE_REPORT_PATH_PREFIX: gitlab-review-reliable
-    ALLURE_JOB_NAME: review-qa-reliable
+    ALLURE_JOB_NAME: review-qa-blocking
 
 allure-report-qa-all:
   extends:
@@ -145,18 +134,11 @@ allure-report-qa-all:
     - .review:rules:review-qa-all-report
   needs: ["review-qa-all"]
   variables:
-    ALLURE_REPORT_PATH_PREFIX: gitlab-review-all
     ALLURE_JOB_NAME: review-qa-all
 
 knapsack-report:
   extends:
-    - .review:rules:knapsack-report
-  image:
-    name: ${QA_IMAGE}
-    entrypoint: [""]
+    - .generate-knapsack-report-base
   stage: post-qa
-  allow_failure: true
-  before_script:
-    - cd qa
-  script:
-    - bundle exec rake 'knapsack:upload[tmp/knapsack/*/*.json]'
+  variables:
+    QA_KNAPSACK_REPORT_FILE_PATTERN: $CI_PROJECT_DIR/tmp/knapsack/*/*.json
diff --git a/.gitlab/ci/review.gitlab-ci.yml b/.gitlab/ci/review.gitlab-ci.yml
index b90af076a56..03223e64b23 100644
--- a/.gitlab/ci/review.gitlab-ci.yml
+++ b/.gitlab/ci/review.gitlab-ci.yml
@@ -1,3 +1,6 @@
+include:
+  - remote: 'https://gitlab.com/gitlab-org/modelops/applied-ml/review-recommender/ci-templates/-/raw/v0.2.1/recommender/Reviewers.gitlab-ci.yml'
+
 review-cleanup:
   extends:
     - .default-retry
@@ -55,7 +58,8 @@ danger-review:
       if [ -z "$DANGER_GITLAB_API_TOKEN" ]; then
         run_timed_command danger_as_local
       else
-        run_timed_command "bundle exec danger --fail-on-errors=true --verbose"
+        danger_id=$(echo -n ${DANGER_GITLAB_API_TOKEN} | md5sum | awk '{print $1}' | cut -c5-10)
+        run_timed_command "bundle exec danger --fail-on-errors=true --verbose --danger_id=${danger_id}"
       fi
 
 danger-review-local:
@@ -64,3 +68,9 @@ danger-review-local:
     - .review:rules:danger-local
   script:
     - run_timed_command danger_as_local
+
+reviewers-recommender:
+  extends:
+    - .default-retry
+  stage: test
+  needs: []
diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml
index 70b532b97f4..142341e5741 100644
--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -13,6 +13,9 @@
 .if-jh: &if-jh
   if: '$CI_PROJECT_PATH =~ /^gitlab-(jh|cn)\/.*/'
 
+.if-force-ci: &if-force-ci
+  if: '$FORCE_GITLAB_CI'
+
 .if-default-refs: &if-default-refs
   if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG || $FORCE_GITLAB_CI'
 
@@ -70,6 +73,9 @@
 .if-merge-request-labels-skip-undercoverage: &if-merge-request-labels-skip-undercoverage
   if: '$CI_MERGE_REQUEST_LABELS =~ /pipeline:skip-undercoverage/'
 
+.if-merge-request-labels-jh-contribution: &if-merge-request-labels-jh-contribution
+  if: '$CI_MERGE_REQUEST_LABELS =~ /JiHu contribution/'
+
 .if-security-merge-request: &if-security-merge-request
   if: '$CI_PROJECT_NAMESPACE == "gitlab-org/security" && $CI_MERGE_REQUEST_IID'
 
@@ -158,6 +164,7 @@
 
 .gitaly-patterns: &gitaly-patterns
   - "GITALY_SERVER_VERSION"
+  - "lib/gitlab/setup_helper.rb"
 
 .workhorse-patterns: &workhorse-patterns
   - "GITLAB_WORKHORSE_VERSION"
@@ -257,6 +264,8 @@
   - ".gitlab/ci/**/*"
   - "*_VERSION"
   - "scripts/rspec_helpers.sh"
+  # Mapped patterns (see tests.yml)
+  - "data/whats_new/*.yml"
 
 # DB patterns + .ci-patterns
 .db-patterns: &db-patterns
@@ -269,7 +278,9 @@
   - "lib/gitlab/markdown_cache/active_record/**/*"
   - "config/prometheus/common_metrics.yml"  # Used by Gitlab::DatabaseImporters::CommonMetrics::Importer
   - "{,ee/,jh/}app/models/project_statistics.rb"  # Used to calculate sizes in migration specs
-  - "GITALY_SERVER_VERSION"  # Has interactions with background migrations:https://gitlab.com/gitlab-org/gitlab/-/issues/336538
+  # Gitaly has interactions with background migrations: https://gitlab.com/gitlab-org/gitlab/-/issues/336538
+  - "GITALY_SERVER_VERSION"
+  - "lib/gitlab/setup_helper.rb"
   # CI changes
   - ".gitlab-ci.yml"
   - ".gitlab/ci/**/*"
@@ -311,10 +322,11 @@
   - "config.ru"
   - "{,ee/,jh/}{app,bin,config,db,generator_templates,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
   - "doc/api/graphql/reference/*"  # Files in this folder are auto-generated
-  - "data/whats_new/*.yml"
   # CI changes
   - ".gitlab-ci.yml"
   - ".gitlab/ci/**/*"
+  # Mapped patterns (see tests.yml)
+  - "data/whats_new/*.yml"
 
 # .code-patterns + .backstage-patterns
 .code-backstage-patterns: &code-backstage-patterns
@@ -335,7 +347,6 @@
   - "config.ru"
   - "{,ee/,jh/}{app,bin,config,db,generator_templates,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
   - "doc/api/graphql/reference/*"  # Files in this folder are auto-generated
-  - "data/whats_new/*.yml"
   # CI changes
   - ".gitlab-ci.yml"
   - ".gitlab/ci/**/*"
@@ -346,6 +357,8 @@
   - "{,ee/,jh/}rubocop/**/*"
   - "{,ee/,jh/}spec/**/*"
   - "{,spec/}tooling/**/*"
+  # Mapped patterns (see tests.yml)
+  - "data/whats_new/*.yml"
 
 # .code-patterns + .qa-patterns
 .code-qa-patterns: &code-qa-patterns
@@ -366,13 +379,14 @@
   - "config.ru"
   - "{,ee/,jh/}{app,bin,config,db,generator_templates,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
   - "doc/api/graphql/reference/*"  # Files in this folder are auto-generated
-  - "data/whats_new/*.yml"
   # CI changes
   - ".gitlab-ci.yml"
   - ".gitlab/ci/**/*"
   # QA changes
   - ".dockerignore"
   - "qa/**/*"
+  # Mapped patterns (see tests.yml)
+  - "data/whats_new/*.yml"
 
 # .code-patterns + .backstage-patterns + .qa-patterns
 .code-backstage-qa-patterns: &code-backstage-qa-patterns
@@ -393,7 +407,6 @@
   - "config.ru"
   - "{,ee/,jh/}{app,bin,config,db,generator_templates,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
   - "doc/api/graphql/reference/*"  # Files in this folder are auto-generated
-  - "data/whats_new/*.yml"
   # CI changes
   - ".gitlab-ci.yml"
   - ".gitlab/ci/**/*"
@@ -407,6 +420,8 @@
   # QA changes
   - ".dockerignore"
   - "qa/**/*"
+  # Mapped patterns (see tests.yml)
+  - "data/whats_new/*.yml"
 
 # .code-backstage-qa-patterns + .workhorse-patterns
 .setup-test-env-patterns: &setup-test-env-patterns
@@ -597,6 +612,7 @@
     - <<: *if-dot-com-gitlab-org-default-branch
       changes: *code-qa-patterns
     - <<: *if-dot-com-gitlab-org-schedule
+    - <<: *if-force-ci
 
 .build-images:rules:build-assets-image:
   rules:
@@ -607,15 +623,6 @@
     - changes: *ci-build-images-patterns
     - changes: *code-qa-patterns
 
-#############
-# CNG rules #
-#############
-.cng:rules:
-  rules:
-    - <<: *if-dot-com-gitlab-org-and-security-tag
-      when: manual
-      allow_failure: true
-
 ######################
 # CI Templates Rules #
 ######################
@@ -842,6 +849,11 @@
 ############
 # QA rules #
 ############
+.qa:rules:internal:
+  rules:
+    - <<: *if-default-refs
+      changes: *qa-patterns
+
 .qa:rules:ee-and-foss:
   rules:
     - <<: *if-default-refs
@@ -857,6 +869,12 @@
     - <<: *if-merge-request
       changes: *ci-patterns
 
+.qa:rules:internal-as-if-foss:
+  rules:
+    - !reference [".strict-ee-only-rules", rules]
+    - <<: *if-default-refs
+      changes: *qa-patterns
+
 .qa:rules:package-and-qa:
   rules:
     - <<: *if-not-ee
@@ -865,6 +883,9 @@
       changes: *feature-flag-development-config-patterns
       when: never
     - <<: *if-dot-com-gitlab-org-and-security-merge-request
+      changes: *nodejs-patterns
+      allow_failure: true
+    - <<: *if-dot-com-gitlab-org-and-security-merge-request
       changes: *ci-qa-patterns
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-and-security-merge-request
@@ -876,6 +897,9 @@
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-schedule
       allow_failure: true
+    - <<: *if-force-ci
+      when: manual
+      allow_failure: true
 
 .qa:rules:package-and-qa:feature-flags:
   rules:
@@ -1352,6 +1376,10 @@
   rules:
     - changes: *code-backstage-qa-patterns
 
+.static-analysis:rules:ee-and-foss-qa:
+  rules:
+    - changes: *qa-patterns
+
 .static-analysis:rules:ee:
   rules:
     - <<: *if-not-ee
@@ -1450,18 +1478,6 @@
       when: never
     - changes: *dependency-patterns
 
-.reports:rules:bundler-audit-dependency_scanning:
-  rules:
-    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/ || $DS_DEFAULT_ANALYZERS !~ /bundler-audit/'
-      when: never
-    - changes: *bundler-patterns
-
-.reports:rules:retire-js-dependency_scanning:
-  rules:
-    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /retire.js/ || $DS_DEFAULT_ANALYZERS !~ /retire.js/'
-      when: never
-    - changes: *nodejs-patterns
-
 .reports:rules:gemnasium-python-dependency_scanning:
   rules:
     - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/ || $DS_DEFAULT_ANALYZERS !~ /gemnasium-python/'
@@ -1565,17 +1581,12 @@
 #
 # See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/76756
 
-# Since `review-qa-smoke` isn't allowed to fail, we need to use `when: always` for `review-qa-smoke-report`.
-.review:rules:review-qa-smoke-report:
-  rules:
-    - when: always
-
 .review:rules:review-qa-reliable:
   rules:
     - when: on_success
 
 # Since `review-qa-reliable` isn't allowed to fail, we need to use `when: always`for `review-qa-reliable-report`.
-.review:rules:review-qa-reliable-report:
+.review:rules:review-qa-blocking-report:
   rules:
     - when: always
 
@@ -1595,19 +1606,10 @@
     - when: on_success
     - when: on_failure
 
-.review:rules:knapsack-report:
-  rules:
-    - if: '$KNAPSACK_GENERATE_REPORT == "true"'
-      when: always
-
 .review:rules:review-cleanup:
   rules:
     - <<: *if-not-ee
       when: never
-    - <<: *if-dot-com-gitlab-org-merge-request
-      changes: *code-qa-patterns
-      when: manual
-      allow_failure: true
     - <<: *if-dot-com-gitlab-org-schedule
       allow_failure: true
 
@@ -1670,6 +1672,13 @@
     - <<: *if-default-refs
       changes: *code-backstage-patterns
 
+.setup:rules:jh-contribution:
+  rules:
+    - <<: *if-jh
+      when: never
+    - <<: *if-merge-request-labels-jh-contribution
+
+
 .setup:rules:generate-frontend-fixtures-mapping:
   rules:
     - <<: *if-not-ee
diff --git a/.gitlab/ci/setup.gitlab-ci.yml b/.gitlab/ci/setup.gitlab-ci.yml
index ad500fe0ddc..4339251897c 100644
--- a/.gitlab/ci/setup.gitlab-ci.yml
+++ b/.gitlab/ci/setup.gitlab-ci.yml
@@ -68,6 +68,15 @@ verify-tests-yml:
     - install_tff_gem
     - scripts/verify-tff-mapping
 
+verify-approvals:
+  extends:
+    - .setup:rules:jh-contribution
+  needs: []
+  script:
+    - source scripts/utils.sh
+    - install_gitlab_gem
+    - tooling/bin/find_app_sec_approval
+
 generate-frontend-fixtures-mapping:
   extends:
     - .setup:rules:generate-frontend-fixtures-mapping
diff --git a/.gitlab/ci/static-analysis.gitlab-ci.yml b/.gitlab/ci/static-analysis.gitlab-ci.yml
index a5cc02303f3..f5f0dcfe7f8 100644
--- a/.gitlab/ci/static-analysis.gitlab-ci.yml
+++ b/.gitlab/ci/static-analysis.gitlab-ci.yml
@@ -114,10 +114,27 @@ rubocop:
 qa:testcases:
   extends:
     - .static-analysis-base
-    - .rubocop-job-cache
-    - .static-analysis:rules:ee-and-foss
+    - .static-analysis:rules:ee-and-foss-qa
+  before_script:
+    - !reference [.default-before_script, before_script]
+    - cd qa/
+    - bundle_install_script
   script:
-    - run_timed_command "bundle exec rubocop qa/qa/specs/features/**/* --only QA/DuplicateTestcaseLink"
+    - run_timed_command "bundle exec bin/qa Test::Instance::All http://localhost:3000 --test-metadata-only"
+    - cd ..
+    - run_timed_command "./scripts/qa/testcases-check qa/tmp/test-metadata.json"
+  variables:
+    USE_BUNDLE_INSTALL: "false"
+    SETUP_DB: "false"
+    QA_EXPORT_TEST_METRICS: "false"
+    # Disable warnings in browserslist which can break on backports
+    # https://github.com/browserslist/browserslist/blob/a287ec6/node.js#L367-L384
+    BROWSERSLIST_IGNORE_OLD_DATA: "true"
+  artifacts:
+    expire_in: 31d
+    when: always
+    paths:
+      - qa/tmp/
 
 feature-flags-usage:
   extends:
diff --git a/.gitlab/ci/yaml.gitlab-ci.yml b/.gitlab/ci/yaml.gitlab-ci.yml
index 606bb385325..ac32e4226e2 100644
--- a/.gitlab/ci/yaml.gitlab-ci.yml
+++ b/.gitlab/ci/yaml.gitlab-ci.yml
@@ -11,3 +11,15 @@ lint-yaml:
     LINT_PATHS: .gitlab-ci.yml .gitlab/ci lib/gitlab/ci/templates data/deprecations data/removals data/whats_new
   script:
     - yamllint --strict -f colored $LINT_PATHS
+
+lint-metrics-yaml:
+  extends:
+    - .default-retry
+    - .yaml-lint:rules
+  image: pipelinecomponents/yamllint:latest
+  stage: lint
+  needs: []
+  variables:
+    LINT_PATHS: config/metrics
+  script:
+    - 'yamllint --strict -f colored -d "{extends: default, rules: {line-length: disable, document-start: disable, indentation: {spaces: 2, indent-sequences: whatever}}}" $LINT_PATHS'