13 files changed, 84 insertions, 117 deletions
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index 98c5d13e75a..5d7cc02c7d7 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -32258,9 +32258,21 @@ see the associated mutation type above.
 | Name | Type | Description |
 | ---- | ---- | ----------- |
 | <a id="aichatinputcontent"></a>`content` | [`String!`](#string) | Content of the message. |
+| <a id="aichatinputcurrentfile"></a>`currentFile` **{warning-solid}** | [`AiCurrentFileInput`](#aicurrentfileinput) | **Deprecated:** This feature is an Experiment. It can be changed or removed at any time. Introduced in 16.6. |
 | <a id="aichatinputnamespaceid"></a>`namespaceId` | [`NamespaceID`](#namespaceid) | Global ID of the namespace the user is acting on. |
 | <a id="aichatinputresourceid"></a>`resourceId` | [`AiModelID`](#aimodelid) | Global ID of the resource to mutate. |
 
+### `AiCurrentFileInput`
+
+#### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="aicurrentfileinputcontentabovecursor"></a>`contentAboveCursor` | [`String`](#string) | Content above cursor. |
+| <a id="aicurrentfileinputcontentbelowcursor"></a>`contentBelowCursor` | [`String`](#string) | Content below cursor. |
+| <a id="aicurrentfileinputfilename"></a>`fileName` | [`String!`](#string) | File name. |
+| <a id="aicurrentfileinputselectedtext"></a>`selectedText` | [`String!`](#string) | Selected text. |
+
 ### `AiExplainCodeInput`
 
 #### Arguments
diff --git a/doc/ci/debugging.md b/doc/ci/debugging.md
index bc4482a43e2..5bcf834b61d 100644
--- a/doc/ci/debugging.md
+++ b/doc/ci/debugging.md
@@ -260,21 +260,36 @@ can cause a `500` error when editing the `.gitlab-ci.yml` file with the [web edi
 
 Ensure that included configuration files do not create a loop of references to each other.
 
-### `Failed to pull image` message
+### `Failed to pull image` messages
 
 > **Allow access to this project with a CI_JOB_TOKEN** setting [renamed to **Limit access _to_ this project**](https://gitlab.com/gitlab-org/gitlab/-/issues/411406) in GitLab 16.3.
 
-When a runner tries to pull an image from a private project, the job could fail with the following error:
+A runner might return a `Failed to pull image` message when trying to pull a container image
+in a CI/CD job.
 
-```shell
-WARNING: Failed to pull image with policy "always": Error response from daemon: pull access denied for registry.example.com/path/to/project, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
-```
+The runner authenticates with a [CI/CD job token](jobs/ci_job_token.md)
+when fetching a container image defined with [`image`](yaml/index.md#image)
+from another project's container registry.
+
+If the job token settings prevent access to the other project's container registry,
+the runner returns an error message.
+
+For example:
+
+- ```plaintext
+  WARNING: Failed to pull image with policy "always": Error response from daemon: pull access denied for registry.example.com/path/to/project, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
+  ```
+
+- ```plaintext
+  WARNING: Failed to pull image with policy "": image pull failed: rpc error: code = Unknown desc = failed to pull and unpack image "registry.example.com/path/to/project/image:v1.2.3": failed to resolve reference "registry.example.com/path/to/project/image:v1.2.3": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
+  ```
 
-This error can happen if the following are both true:
+These errors can happen if the following are both true:
 
-- The **Limit access _to_ this project** option is enabled in the private project
-  hosting the image.
-- The job attempting to fetch the image is running for a project that is not listed in
+- The [**Limit access _to_ this project**](jobs/ci_job_token.md#limit-job-token-scope-for-public-or-internal-projects)
+  option is enabled in the private project hosting the image.
+- The job attempting to fetch the image is running in a project that is not listed in
   the private project's allowlist.
 
-The recommended solution is to [add your project to the private project's job token scope allowlist](jobs/ci_job_token.md#add-a-project-to-the-job-token-scope-allowlist).
+To resolve this issue, add any projects with CI/CD jobs that fetch images from the container
+registry to the target project's [job token allowlist](jobs/ci_job_token.md#allow-access-to-your-project-with-a-job-token).
diff --git a/doc/ci/runners/saas/macos_saas_runner.md b/doc/ci/runners/saas/macos_saas_runner.md
index 1445ae58bd4..b503fea4f2f 100644
--- a/doc/ci/runners/saas/macos_saas_runner.md
+++ b/doc/ci/runners/saas/macos_saas_runner.md
@@ -34,34 +34,26 @@ In comparison to our SaaS runners on Linux, where you can run any Docker image,
 GitLab SaaS provides a set of VM images for macOS.
 
 You can execute your build in one of the following images, which you specify
-in your `.gitlab-ci.yml` file.
-
-Each image runs a specific version of macOS and Xcode.
+in your `.gitlab-ci.yml` file. Each image runs a specific version of macOS and Xcode.
 
 | VM image                   | Status |
 |----------------------------|--------|
-| `macos-12-xcode-13`        | `GA`   |
 | `macos-12-xcode-14`        | `GA`   |
-| `macos-13-xcode-14`        | `Beta` |
-
-## Image update policy for macOS
+| `macos-13-xcode-14`        | `GA`   |
+| `macos-14-xcode-15`        | `Beta` |
 
-macOS and Xcode follow a yearly release cadence, during which GitLab increments its versions synchronously. GitLab typically supports multiple versions of preinstalled tools. For more information, see
-a [full list of preinstalled software](https://gitlab.com/gitlab-org/ci-cd/shared-runners/images/job-images/-/tree/main/toolchain).
+If no image is specified, the macOS runner uses `macos-13-xcode-14`.
 
-GitLab provides `stable` and `latest` macOS images that follow different update patterns:
+## Image update policy for macOS
 
-- **Stable image:** The `stable` images and installed components are updated every release. Images without the `:latest` prefix are considered stable images.
-- **Latest image:** The `latest` images are typically updated on a weekly cadence and use a `:latest` prefix in the image name. Using the `latest` image results in more regularly updated components and shorter update times for Homebrew or asdf. The `latest` images are used to test software components before releasing the components to the `stable` images.
-By definition, the `latest` images are always Beta.
-A `latest` image is not available.
+macOS and Xcode follow a yearly release cadence, during which GitLab increments its versions synchronously. GitLab typically supports multiple versions of preinstalled tools. For more information, see the [full list of preinstalled software](https://gitlab.com/gitlab-org/ci-cd/shared-runners/images/job-images/-/tree/main/toolchain).
 
-### Image release process
+When Apple releases a new macOS version, GitLab releases a new `stable` image based on the OS in the next release, 
+which is in Beta.
 
-When Apple releases a new macOS version, GitLab releases both `stable` and `latest` images based on the OS in the next release. Both images are Beta.
+With the release of the first patch to macOS, the `stable` image becomes Generally Available (GA). As only two GA images are supported at a time, the prior OS version becomes deprecated and is deleted after three months in accordance with the [supported image lifecycle](../index.md#supported-image-lifecycle).
 
-With the release of the first patch to macOS, the `stable` image becomes Generally Available (GA).
-As only two GA images are supported at a time, the prior OS version becomes deprecated and is deleted after three months in accordance with the [supported image lifecycle](../index.md#supported-image-lifecycle).
+The `stable` images and installed components are updated every release, to keep the preinstalled software up-to-date.
 
 ## Example `.gitlab-ci.yml` file
 
diff --git a/doc/development/dangerbot.md b/doc/development/dangerbot.md
index 6ef8bdfb80e..476d370e7ee 100644
--- a/doc/development/dangerbot.md
+++ b/doc/development/dangerbot.md
@@ -159,7 +159,7 @@ To enable the Dangerfile on another existing GitLab project, complete the follow
    ```
 
 1. Create a [Project access tokens](../user/project/settings/project_access_tokens.md) with the `api` scope,
-   `Reporter` permission (so that it can add labels), and no expiration date (which actually means one year).
+   `Developer` permission (so that it can add labels), and no expiration date (which actually means one year).
 1. Add the token as a CI/CD project variable named `DANGER_GITLAB_API_TOKEN`.
 
 You should add the ~"Danger bot" label to the merge request before sending it
diff --git a/doc/development/documentation/styleguide/index.md b/doc/development/documentation/styleguide/index.md
index 4236fe18c75..6158d60a0ba 100644
--- a/doc/development/documentation/styleguide/index.md
+++ b/doc/development/documentation/styleguide/index.md
@@ -1281,11 +1281,10 @@ You can use an automatic screenshot generator to take and compress screenshots.
 
 #### Extending the tool
 
-To add an additional **screenshot generator**, complete the following steps:
+To add an additional screenshot generator:
 
-1. Locate the `spec/docs_screenshots` directory.
-1. Add a new file with a `_docs.rb` extension.
-1. Be sure to include the following information in the file:
+1. In the `spec/docs_screenshots` directory, add a new file with a `_docs.rb` extension.
+1. Add the following information to your file:
 
    ```ruby
    require 'spec_helper'
@@ -1298,29 +1297,29 @@ To add an additional **screenshot generator**, complete the following steps:
      end
    ```
 
-1. In addition, every `it` block must include the path where the screenshot is saved:
+1. To each `it` block, add the path where the screenshot is saved:
 
    ```ruby
-   it 'user/packages/container_registry/img/project_image_repositories_list'
+   it '<path/to/images/directory>'
    ```
 
-##### Full page screenshots
+You can take a screenshot of a page with `visit <path>`.
+To avoid blank screenshots, use `expect` to wait for the content to load.
 
-To take a full page screenshot, `visit the page` and perform any expectation on real content (to have capybara wait till the page is ready and not take a white screenshot).
+##### Single-element screenshots
 
-##### Element screenshot
+You can take a screenshot of a single element.
 
-To have the screenshot focuses few more steps are needed:
+- Add the following to your screenshot generator file:
 
-- **find the area**: `screenshot_area = find('#js-registry-policies')`
-- **scroll the area in focus**: `scroll_to screenshot_area`
-- **wait for the content**: `expect(screenshot_area).to have_content 'Expiration interval'`
-- **set the crop area**: `set_crop_data(screenshot_area, 20)`
-
-In particular, `set_crop_data` accepts as arguments: a `DOM` element and a
-padding. The padding is added around the element, enlarging the screenshot area.
+  ```ruby
+  screenshot_area = find('<element>') # Find the element
+  scroll_to screenshot_area # Scroll to the element
+  expect(screenshot_area).to have_content '<content>' # Wait for the content you want to capture
+  set_crop_data(screenshot_area, <padding>) # Capture the element with added padding
+  ```
 
-Use `spec/docs_screenshots/container_registry_docs.rb` as a guide and as an example to create your own scripts.
+Use `spec/docs_screenshots/container_registry_docs.rb` as a guide to create your own scripts.
 
 ## Emoji
 
diff --git a/doc/development/fe_guide/security.md b/doc/development/fe_guide/security.md
index d578449e578..4e06c22b383 100644
--- a/doc/development/fe_guide/security.md
+++ b/doc/development/fe_guide/security.md
@@ -12,57 +12,6 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 [Qualys SSL Labs Server Test](https://www.ssllabs.com/ssltest/analyze.html) are good resources for finding
 potential problems and ensuring compliance with security best practices.
 
-<!-- Uncomment these sections when CSP/SRI are implemented.
-### Content Security Policy (CSP)
-
-Content Security Policy is a web standard that intends to mitigate certain
-forms of Cross-Site Scripting (XSS) as well as data injection.
-
-Content Security Policy rules should be taken into consideration when
-implementing new features, especially those that may rely on connection with
-external services.
-
-GitLab's CSP is used for the following:
-
-- Blocking plugins like Flash and Silverlight from running at all on our pages.
-- Blocking the use of scripts and stylesheets downloaded from external sources.
-- Upgrading `http` requests to `https` when possible.
-- Preventing `iframe` elements from loading in most contexts.
-
-Some exceptions include:
-
-- Scripts from Google Analytics and Matomo if either is enabled.
-- Connecting with GitHub, Bitbucket, GitLab.com, etc. to allow project importing.
-- Connecting with Google, Twitter, GitHub, etc. to allow OAuth authentication.
-
-We use [the Secure Headers gem](https://github.com/twitter/secureheaders) to enable Content
-Security Policy headers in the GitLab Rails app.
-
-Some resources on implementing Content Security Policy:
-
-- [MDN Article on CSP](https://developer.mozilla.org/en-US/docs/Web/Security/CSP)
-- [GitHub's CSP Journey on the GitHub Engineering Blog](https://github.blog/2016-04-12-githubs-csp-journey/)
-- The Dropbox Engineering Blog's series on CSP: [1](https://blogs.dropbox.com/tech/2015/09/on-csp-reporting-and-filtering/), [2](https://blogs.dropbox.com/tech/2015/09/unsafe-inline-and-nonce-deployment/), [3](https://blogs.dropbox.com/tech/2015/09/csp-the-unexpected-eval/), [4](https://blogs.dropbox.com/tech/2015/09/csp-third-party-integrations-and-privilege-separation/)
-
-### Subresource Integrity (SRI)
-
-Subresource Integrity prevents malicious assets from being provided by a CDN by
-guaranteeing that the asset downloaded is identical to the asset the server
-is expecting.
-
-The Rails app generates a unique hash of the asset, which is used as the
-asset's `integrity` attribute. The browser generates the hash of the asset
-on-load and will reject the asset if the hashes do not match.
-
-All CSS and JavaScript assets should use Subresource Integrity.
-
-Some resources on implementing Subresource Integrity:
-
-- [MDN Article on SRI](https://developer.mozilla.org/en-us/docs/web/security/subresource_integrity)
-- [Subresource Integrity on the GitHub Engineering Blog](https://github.blog/2015-09-19-subresource-integrity/)
-
--->
-
 ## Including external resources
 
 External fonts, CSS, and JavaScript should never be used with the exception of
diff --git a/doc/development/i18n/externalization.md b/doc/development/i18n/externalization.md
index 68c2778eabe..1ce35b254f1 100644
--- a/doc/development/i18n/externalization.md
+++ b/doc/development/i18n/externalization.md
@@ -232,7 +232,7 @@ If strings are reused throughout a component, it can be useful to define these s
 If we are reusing the same translated string in multiple components, it is tempting to add them to a `constants.js` file instead and import them across our components. However, there are multiple pitfalls to this approach:
 
 - It creates distance between the HTML template and the copy, adding an additional level of complexity while navigating our codebase.
-- Copy strings are rarely, if ever, truly the same entity. The benefit of having a reusable variable is to have one easy place to go to update a value, but for copy it is quite common to have similar strings that aren't quite the same.
+- The benefit of having a reusable variable is to have one easy place to go to update a value, but for copy it is quite common to have similar strings that aren't quite the same.
 
 Another practice to avoid when exporting copy strings is to import them in specs. While it might seem like a much more efficient test (if we change the copy, the test will still pass!) it creates additional problems:
 
diff --git a/doc/subscriptions/gitlab_com/index.md b/doc/subscriptions/gitlab_com/index.md
index 0e2d00cb2e8..317cdb1e1d5 100644
--- a/doc/subscriptions/gitlab_com/index.md
+++ b/doc/subscriptions/gitlab_com/index.md
@@ -327,8 +327,11 @@ For details on upgrading your subscription tier, see
 
 ### Automatic subscription renewal
 
-When a subscription is set to auto-renew, it renews automatically on the
-expiration date without a gap in available service. Subscriptions purchased through the Customers Portal or GitLab.com are set to auto-renew by default. The number of seats is adjusted to fit the [number of billable users in your group](#view-seat-usage) at the time of renewal, if that number is higher than the current subscription quantity. You can view and download your renewal invoice on the Customers Portal [View invoices](https://customers.gitlab.com/receipts) page. If your account has a [saved credit card](../customers_portal.md#change-your-payment-method), the card is charged for the invoice amount. If we are unable to process a payment, or the auto-renewal fails for any other reason, you have 14 days to renew your subscription, after which your access is downgraded.
+When a subscription is set to auto-renew, it renews automatically on the expiration date without a gap in available service. Subscriptions purchased through the Customers Portal or GitLab.com are set to auto-renew by default.
+
+The number of seats is adjusted to fit the [number of billable users in your group](#view-seat-usage) at the time of renewal, if that number is higher than the current subscription quantity.
+
+You can view and download your renewal invoice on the Customers Portal [View invoices](https://customers.gitlab.com/receipts) page. If your account has a [saved credit card](../customers_portal.md#change-your-payment-method), the card is charged for the invoice amount. If we are unable to process a payment, or the auto-renewal fails for any other reason, you have 14 days to renew your subscription, after which your access is downgraded.
 
 #### Email notifications
 
diff --git a/doc/subscriptions/self_managed/index.md b/doc/subscriptions/self_managed/index.md
index 3d6e2b9af5f..a1573132ab2 100644
--- a/doc/subscriptions/self_managed/index.md
+++ b/doc/subscriptions/self_managed/index.md
@@ -376,14 +376,12 @@ An invoice is generated for the renewal and available for viewing or download on
 
 ### Automatic subscription renewal
 
-When a subscription is set to auto-renew, it renews automatically on the
-expiration date (at midnight UTC) without a gap in available service. Subscriptions purchased through Customers Portal are set to auto-renew by default.
-The number of user licenses is adjusted to fit the [number of billable users in your instance](#view-user-totals) at the time of renewal, if that number is higher than the current subscription quantity.
-Before auto-renewal you should [prepare for the renewal](#prepare-for-renewal-by-reviewing-your-account) at least 2 days before the renewal date, so that your changes synchronize to GitLab in time for your renewal. To auto-renew your subscription,
+When a subscription is set to auto-renew, it renews automatically on the expiration date (at midnight UTC) without a gap in available service. Subscriptions purchased through Customers Portal are set to auto-renew by default.
+
+The number of user licenses is adjusted to fit the [number of billable users in your instance](#view-user-totals) at the time of renewal, if that number is higher than the current subscription quantity. Before auto-renewal you should [prepare for the renewal](#prepare-for-renewal-by-reviewing-your-account) at least 2 days before the renewal date, so that your changes synchronize to GitLab in time for your renewal. To auto-renew your subscription,
 you must have enabled the [synchronization of subscription data](#subscription-data-synchronization).
 
-You can view and download your renewal invoice on the Customers Portal
-[View invoices](https://customers.gitlab.com/receipts) page. If your account has a [saved credit card](../customers_portal.md#change-your-payment-method), the card is charged for the invoice amount. If we are unable to process a payment or the auto-renewal fails for any other reason, you have 14 days to renew your subscription, after which your GitLab tier is downgraded.
+You can view and download your renewal invoice on the Customers Portal [View invoices](https://customers.gitlab.com/receipts) page. If your account has a [saved credit card](../customers_portal.md#change-your-payment-method), the card is charged for the invoice amount. If we are unable to process a payment or the auto-renewal fails for any other reason, you have 14 days to renew your subscription, after which your GitLab tier is downgraded.
 
 #### Email notifications
 
diff --git a/doc/user/discussions/index.md b/doc/user/discussions/index.md
index 50f2eca8d05..a3ed888ed53 100644
--- a/doc/user/discussions/index.md
+++ b/doc/user/discussions/index.md
@@ -156,12 +156,12 @@ Prerequisite:
 
 To lock an issue or merge request:
 
-1. On the right sidebar, next to **Lock issue** or **Lock merge request**, select **Edit**.
+1. On the right sidebar, next to **Lock discussion**, select **Edit**.
 1. On the confirmation dialog, select **Lock**.
 
 Notes are added to the page details.
 
-If an issue or merge request is locked and closed, you cannot reopen it.
+If an issue or merge request is closed with a locked discussion, then you cannot reopen it until the discussion is unlocked.
 
 <!-- Delete when the `moved_mr_sidebar` feature flag is removed -->
 If you don't see this action on the right sidebar, your project or instance might have [moved sidebar actions](../project/merge_requests/index.md#move-sidebar-actions) enabled.
diff --git a/doc/user/group/saml_sso/group_sync.md b/doc/user/group/saml_sso/group_sync.md
index c18ccaf9c20..7b10da016b9 100644
--- a/doc/user/group/saml_sso/group_sync.md
+++ b/doc/user/group/saml_sso/group_sync.md
@@ -81,6 +81,8 @@ When SAML is enabled, users with the Maintainer or Owner role
 see a new menu item in group **Settings > SAML Group Links**. You can configure one or more **SAML Group Links** to map
 a SAML identity provider group name to a GitLab role. This can be done for a top-level group or any subgroup.
 
+SAML Group Sync only manages a group if that group has one or more SAML group links. If a SAML group link is created then removed, the user remains in the group until they are removed from the group in the identity provider.
+
 To link the SAML groups:
 
 1. In **SAML Group Name**, enter the value of the relevant `saml:AttributeValue`. The value entered here must exactly match the value sent in the SAML response. For some IdPs, this may be a group ID or object ID (Azure AD) instead of a friendly group name.
diff --git a/doc/user/packages/container_registry/troubleshoot_container_registry.md b/doc/user/packages/container_registry/troubleshoot_container_registry.md
index cb0bcf3f35b..3fb2754eb9c 100644
--- a/doc/user/packages/container_registry/troubleshoot_container_registry.md
+++ b/doc/user/packages/container_registry/troubleshoot_container_registry.md
@@ -128,14 +128,11 @@ time is set to 15 minutes.
 If you are using self-managed GitLab, an administrator can
 [increase the token duration](../../../administration/packages/container_registry.md#increase-token-duration).
 
-## `insufficient_scope: authorization failed` when pulling an image
+## `Failed to pull image` messages
 
-GitLab CI/CD jobs that set [`image`](../../../ci/yaml/index.md#image) to pull an image
-from a project's container registry automatically authenticate with a [CI/CD job token](../../../ci/jobs/ci_job_token.md).
-
-All projects with CI/CD jobs that fetch images from the container registry must be listed
-in the registry project's [job token allowlist](../../../ci/jobs/ci_job_token.md#allow-access-to-your-project-with-a-job-token).
-Otherwise, the job fails with an `insufficient_scope: authorization failed` error.
+You might receive a [`Failed to pull image'](../../../ci/debugging.md#failed-to-pull-image-messages)
+error message when a CI/CD job is unable to pull a container image from a project with a limited
+[CI/CD job token scope](../../../ci/jobs/ci_job_token.md#limit-job-token-scope-for-public-or-internal-projects).
 
 ## Slow uploads when using `kaniko` to push large images
 
diff --git a/doc/user/packages/dependency_proxy/index.md b/doc/user/packages/dependency_proxy/index.md
index 7bd5a09d8e3..02810bcb922 100644
--- a/doc/user/packages/dependency_proxy/index.md
+++ b/doc/user/packages/dependency_proxy/index.md
@@ -88,7 +88,7 @@ You can authenticate using:
 - Your GitLab username and password.
 - A [personal access token](../../../user/profile/personal_access_tokens.md) with the scope set to `read_registry` and `write_registry`.
 - A [group deploy token](../../../user/project/deploy_tokens/index.md) with the scope set to `read_registry` and `write_registry`.
-- A [group access token](../../../user/group/settings/group_access_tokens.md) for the group with the scope set to `read_registry` and `write_registry`.
+- A [group access token](../../../user/group/settings/group_access_tokens.md) for the group, with the scope set to `read_registry` and `write_registry`.
 
 Users accessing the Dependency Proxy with a personal access token or username and password must
 have at least the Guest role for the group they pull images from.