Fixes window.opener bug

Adds `noreferrer` value to rel attribute for external links

REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331

See merge request !1953

Bump Git version requirement to 2.7.4 (for 8.2)

[ci skip]

See merge request !3285

Fix note polling

Closes #4032

See merge request !2084

[ci skip]

Enable Devise paranoid mode and ensure the returned message is the same
every time. This will prevent user enumeration (low impact). 

Prior to this change a user could type an email in the password reset
field and if the email didn't exist it returned an error. If the email
was valid it returned a message saying the forgot password link had been
emailed. After this change the user will receive a message that if the
email is in our database the reset link will be emailed. 

I also changed the throttle mechanism so it still works the same but
now returns the exact same message as above. Previously it would say
'You've already sent a request. Wait a few minutes'. This also allows
user enumeration, although it requires a double-check.

Related to https://dev.gitlab.org/gitlab/gitlabhq/issues/2624

See merge request !2044

Use YAML.safe_load

See merge request !1941

Fix 500 error when creating a merge request that removes a submodule

Fixes #3476

See merge request !1989

[ci skip]

Fix problems with award-emoji-only comment

This fixes a conflict between note with only a single emoji in content
and award-emojis mechanisms.

Closes #3734 

cc @vsizov

See merge request !1936

Add added, modified and removed properties to commit object in webhook

https://gitlab.com/gitlab-org/gitlab-ee/issues/20

See merge request !1988

Fix Error 500 when creating global milestones with Unicode characters

Two issues:

1. The constraints in the resources were incorrect. Here's what it was before:

```
group_milestone  GET /groups/:group_id/milestones/:id(.:format)  groups/milestones#show {:id=>/[a-zA-Z.0-9_\-]+(?<!\.atom)/, :group_id=>/[a-zA-Z.0-9_\-]+(?<!\.atom)/}
```

In this case, id is actually the title of the milestone, which can be anything at the moment.

After:
```
group_milestone  GET /groups/:group_id/milestones/:id(.:format)  groups/milestones#show {:id=>/[^\/]+/, :group_id=>/[a-zA-Z.0-9_\-]+(?<!\.atom)/}
```

2. `parameterize` would strip all Unicode characters, leaving a blank string. Rails would report something like:

```
ActionView::Template::Error (No route matches {:action=>"show", :controller=>"groups/milestones", :group_id=>#<Group id: 48, name: "ops-dev", path: "ops-dev", owner_id: nil, created_at: "2015-11-15 08:55:30", updated_at: "2015-12-02 06:23:26", type: "Group", description: "", avatar: "sha1.c71e73d51af1865c1bbbf6208e10044d46c9bb93.png", public: false>, :id=>"", :title=>"肯定不是中文的问题"} missing required keys: [:id]):
```

This change uses the babosa library to create a better slug, which surprisingly
isn't actually used by the global milestone controllers. Instead, they use the
title passed as a query string for some reason.

Closes https://github.com/gitlabhq/gitlabhq/issues/9881

See merge request !1983

fixed the documentation of the Guest role in permission.md

This MR fixes the documentation of the Guest role.

closes gitlab-org/gitlab-ce#3777

[ci skip]

See merge request !1952

Fix application settings cache not expiring after changes

cache_key is an instance method that relies on updated_at. When changes
were made, the time-dependent key was being used instead of X.application_setting.last.

Closes #3609

See merge request !1972

Show Gmail actions links only on expected set of emails



See merge request !1901

Install gitlab-shell 2.6.8 in installations from source

[ci skip]

See merge request !1932

Fire update hook from GitLab

https://gitlab.com/gitlab-org/gitlab-ce/issues/3069

See merge request !1882

[ci skip]

See merge request !1916

Fix Error 500 when viewing user's personal projects from admin page

This is a regression introduced in 4d7f00fd.

Closes #3680

Closes https://github.com/gitlabhq/gitlabhq/issues/9861

Closes gitlab-org/gitlab-ee#90

See merge request !1909

Nginx workhorse upload limit

See merge request !1919

Bump gitlab-shell to 2.6.8 in stable
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

For gitlab/gitlabhq#2635

See merge request !1940

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Maybe rescue session_expire_delay by setting a default value.

Related to gitlab-org/omnibus-gitlab#956

See merge request !1880

Update required version of lfs client and separate the docs for users and admins.



See merge request !1855

Expose artifacts path

This fixes broken artifacts storage path.

Fixes #3607 
Fixes #3608

Related: gitlab-org/omnibus-gitlab!544

See merge request !1869

[ci skip]

Fix 500 when using CI

- Fix for Ci::Build state machine, allowing to process builds without the project
- Forcefully update builds that didn't want to update with state machine
- Fix saving GitLabCiService as Admin Template

Fixes #3556 

See merge request !1873

Fix CSS styling for clipboard icon in new MR page

Closes #3602 

See merge request !1870

Emoji bug: Invalid url to image

Closes #3591

See merge request !1868

Handle removed source projects in MR CI commits

Fixes #3599 

@dzaporozhets assigning this to you since you wrote the original code. Perhaps checking for the source project isn't the right way, but I'm not sure if there's a better way (e.g. somewhere earlier in the process) that we can detect this.

See merge request !1859

Add upvote/downvote fields to merge request and note API to preserve compatibility

As discussed in !1825 we should not break the API compatibility.

* This MR adds the fields `upvotes`/`downvotes` to the merge request API again, which always return `0`.
* Add the fields `upvote`/`downvote` to the notes API, which always return `false`

This behavior is documented in the API docs.

See merge request !1867