Add latest changes from gitlab-org/gitlab@master

app/helpers/application_settings_helper.rb

@@ -176,6 +176,7 @@ module ApplicationSettingsHelper
       :container_registry_token_expire_delay,
       :default_artifacts_expire_in,
       :default_branch_protection,
+      :default_ci_config_path,
       :default_group_visibility,
       :default_project_creation,
       :default_project_visibility,

app/models/application_setting.rb

@@ -297,6 +297,12 @@ class ApplicationSetting < ApplicationRecord
                  pass: :external_auth_client_key_pass,
                  if: -> (setting) { setting.external_auth_client_cert.present? }
 
+  validates :default_ci_config_path,
+    format: { without: %r{(\.{2}|\A/)},
+              message: N_('cannot include leading slash or directory traversal.') },
+    length: { maximum: 255 },
+    allow_blank: true
+
   attr_encrypted :asset_proxy_secret_key,
                  mode: :per_attribute_iv,
                  key: Settings.attr_encrypted_db_key_base_truncated,

app/models/application_setting_implementation.rb

@@ -42,6 +42,7 @@ module ApplicationSettingImplementation
         container_registry_token_expire_delay: 5,
         default_artifacts_expire_in: '30 days',
         default_branch_protection: Settings.gitlab['default_branch_protection'],
+        default_ci_config_path: nil,
         default_group_visibility: Settings.gitlab.default_projects_features['visibility_level'],
         default_project_creation: Settings.gitlab['default_project_creation'],
         default_project_visibility: Settings.gitlab.default_projects_features['visibility_level'],

app/models/clusters/applications/ingress.rb

@@ -21,6 +21,7 @@ module Clusters
       }
 
       FETCH_IP_ADDRESS_DELAY = 30.seconds
+      MODSEC_SIDECAR_INITIAL_DELAY_SECONDS = 10
 
       state_machine :status do
         after_transition any => [:installed] do |application|
@@ -81,11 +82,39 @@ module Clusters
               "enable-owasp-modsecurity-crs" => "true",
               "modsecurity.conf" => modsecurity_config_content
             },
+            "extraContainers" => [
+              {
+                "name" => "modsecurity-log",
+                "image" => "busybox",
+                "args" => [
+                  "/bin/sh",
+                  "-c",
+                  "tail -f /var/log/modsec/audit.log"
+                ],
+                "volumeMounts" => [
+                  {
+                    "name" => "modsecurity-log-volume",
+                    "mountPath" => "/var/log/modsec",
+                    "readOnly" => true
+                  }
+                ],
+                "startupProbe" => {
+                  "exec" => {
+                    "command" => ["ls", "/var/log/modsec"]
+                  },
+                  "initialDelaySeconds" => MODSEC_SIDECAR_INITIAL_DELAY_SECONDS
+                }
+              }
+            ],
             "extraVolumeMounts" => [
               {
                 "name" => "modsecurity-template-volume",
                 "mountPath" => "/etc/nginx/modsecurity/modsecurity.conf",
                 "subPath" => "modsecurity.conf"
+              },
+              {
+                "name" => "modsecurity-log-volume",
+                "mountPath" => "/var/log/modsec"
               }
             ],
             "extraVolumes" => [
@@ -100,6 +129,10 @@ module Clusters
                     }
                   ]
                 }
+              },
+              {
+                "name" => "modsecurity-log-volume",
+                "emptyDir" => {}
               }
             ]
           }

app/models/concerns/noteable.rb

@@ -108,10 +108,6 @@ module Noteable
     discussions_resolvable? && resolvable_discussions.none?(&:to_be_resolved?)
   end
 
-  def discussions_to_be_resolved?
-    discussions_resolvable? && !discussions_resolved?
-  end
-
   def discussions_to_be_resolved
     @discussions_to_be_resolved ||= resolvable_discussions.select(&:to_be_resolved?)
   end

app/models/merge_request.rb

@@ -68,6 +68,7 @@ class MergeRequest < ApplicationRecord
   has_many :cached_closes_issues, through: :merge_requests_closing_issues, source: :issue
   has_many :pipelines_for_merge_request, foreign_key: 'merge_request_id', class_name: 'Ci::Pipeline'
   has_many :suggestions, through: :notes
+  has_many :unresolved_notes, -> { unresolved }, as: :noteable, class_name: 'Note'
 
   has_many :merge_request_assignees
   has_many :assignees, class_name: "User", through: :merge_request_assignees
@@ -211,7 +212,7 @@ class MergeRequest < ApplicationRecord
   scope :join_project, -> { joins(:target_project) }
   scope :references_project, -> { references(:target_project) }
   scope :with_api_entity_associations, -> {
-    preload(:assignees, :author, :notes, :labels, :milestone, :timelogs,
+    preload(:assignees, :author, :unresolved_notes, :labels, :milestone, :timelogs,
             latest_merge_request_diff: [:merge_request_diff_commits],
             metrics: [:latest_closed_by, :merged_by],
             target_project: [:route, { namespace: :route }],
@@ -923,7 +924,7 @@ class MergeRequest < ApplicationRecord
   def mergeable_discussions_state?
     return true unless project.only_allow_merge_if_all_discussions_are_resolved?
 
-    !discussions_to_be_resolved?
+    unresolved_notes.none?(&:to_be_resolved?)
   end
 
   def for_fork?

app/models/project.rb

@@ -92,6 +92,7 @@ class Project < ApplicationRecord
   default_value_for :snippets_enabled, gitlab_config_features.snippets
   default_value_for :only_allow_merge_if_all_discussions_are_resolved, false
   default_value_for :remove_source_branch_after_merge, true
+  default_value_for(:ci_config_path) { Gitlab::CurrentSettings.default_ci_config_path }
 
   add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
 

app/views/admin/application_settings/_ci_cd.html.haml

@@ -53,5 +53,11 @@
           = s_('AdminSettings|Environment variables are protected by default')
       .form-text.text-muted
         = s_('AdminSettings|When creating a new environment variable it will be protected by default.')
+    .form-group
+      = f.label :ci_config_path, _('Default CI configuration path'), class: 'label-bold'
+      = f.text_field :default_ci_config_path, class: 'form-control', placeholder: '.gitlab-ci.yml'
+      %p.form-text.text-muted
+        = _("The default CI configuration path for new projects.").html_safe
+        = link_to icon('question-circle'), help_page_path('user/project/pipelines/settings', anchor: 'custom-ci-config-path'), target: '_blank'
 
   = f.submit _('Save changes'), class: "btn btn-success"

changelogs/unreleased/14707-add-modsec-logging-sidecar-to-ingress-controller.yml

+---
+title: Add modsecurity logging sidecar to ingress controller
+merge_request: 19600
+author:
+type: added

changelogs/unreleased/32935-preventing-accidental-project-deletion-index.yml

+---
+title: Add index on marked_for_deletion_at in projects table
+merge_request: 19788
+author:
+type: other

changelogs/unreleased/ab-projects-api-indexes-authenticated.yml

+---
+title: Add index for authenticated requests to projects API default endpoint
+merge_request: 19993
+author:
+type: performance

changelogs/unreleased/gitlab_ci_path.yml

+---
+title: Allow to define a default CI configuration path for new projects
+merge_request: 18073
+author: Mathieu Parent
+type: added

changelogs/unreleased/id-optimize-mergeable-discussions-state.yml

+---
+title: Optimize MergeRequest#mergeable_discussions_state? method
+merge_request: 19988
+author:
+type: performance

db/migrate/20191107220314_add_index_to_projects_on_marked_for_deletion.rb

+# frozen_string_literal: true
+
+class AddIndexToProjectsOnMarkedForDeletion < ActiveRecord::Migration[5.2]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_index :projects, :marked_for_deletion_at, where: 'marked_for_deletion_at IS NOT NULL'
+  end
+
+  def down
+    remove_concurrent_index :projects, :marked_for_deletion_at
+  end
+end

db/migrate/20191111121500_default_ci_config_path.rb

+# frozen_string_literal: true
+
+class DefaultCiConfigPath < ActiveRecord::Migration[5.2]
+  DOWNTIME = false
+
+  def up
+    add_column :application_settings, :default_ci_config_path, :string, limit: 255
+  end
+
+  def down
+    remove_column :application_settings, :default_ci_config_path
+  end
+end

db/migrate/20191112221821_add_indexes_for_projects_api_default_params_authenticated.rb

+# frozen_string_literal: true
+
+class AddIndexesForProjectsApiDefaultParamsAuthenticated < ActiveRecord::Migration[5.2]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_index :projects, %i(created_at id)
+    remove_concurrent_index_by_name :projects, 'index_projects_on_created_at'
+  end
+
+  def down
+    add_concurrent_index :projects, :created_at
+    remove_concurrent_index_by_name :projects, 'index_projects_on_created_at_and_id'
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2019_11_12_214305) do
+ActiveRecord::Schema.define(version: 2019_11_12_221821) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "pg_trgm"
@@ -351,6 +351,7 @@ ActiveRecord::Schema.define(version: 2019_11_12_214305) do
     t.text "encrypted_eks_secret_access_key"
     t.string "snowplow_app_id"
     t.datetime_with_timezone "productivity_analytics_start_date"
+    t.string "default_ci_config_path", limit: 255
     t.index ["custom_project_templates_group_id"], name: "index_application_settings_on_custom_project_templates_group_id"
     t.index ["file_template_project_id"], name: "index_application_settings_on_file_template_project_id"
     t.index ["instance_administration_project_id"], name: "index_applicationsettings_on_instance_administration_project_id"
@@ -3121,7 +3122,7 @@ ActiveRecord::Schema.define(version: 2019_11_12_214305) do
     t.integer "marked_for_deletion_by_user_id"
     t.index "lower((name)::text)", name: "index_projects_on_lower_name"
     t.index ["archived", "pending_delete", "merge_requests_require_code_owner_approval"], name: "projects_requiring_code_owner_approval", where: "((pending_delete = false) AND (archived = false) AND (merge_requests_require_code_owner_approval = true))"
-    t.index ["created_at"], name: "index_projects_on_created_at"
+    t.index ["created_at", "id"], name: "index_projects_on_created_at_and_id"
     t.index ["creator_id"], name: "index_projects_on_creator_id"
     t.index ["description"], name: "index_projects_on_description_trigram", opclass: :gin_trgm_ops, using: :gin
     t.index ["id", "repository_storage", "last_repository_updated_at"], name: "idx_projects_on_repository_storage_last_repository_updated_at"
@@ -3131,6 +3132,7 @@ ActiveRecord::Schema.define(version: 2019_11_12_214305) do
     t.index ["last_repository_check_at"], name: "index_projects_on_last_repository_check_at", where: "(last_repository_check_at IS NOT NULL)"
     t.index ["last_repository_check_failed"], name: "index_projects_on_last_repository_check_failed"
     t.index ["last_repository_updated_at"], name: "index_projects_on_last_repository_updated_at"
+    t.index ["marked_for_deletion_at"], name: "index_projects_on_marked_for_deletion_at", where: "(marked_for_deletion_at IS NOT NULL)"
     t.index ["marked_for_deletion_by_user_id"], name: "index_projects_on_marked_for_deletion_by_user_id", where: "(marked_for_deletion_by_user_id IS NOT NULL)"
     t.index ["mirror_last_successful_update_at"], name: "index_projects_on_mirror_last_successful_update_at"
     t.index ["mirror_user_id"], name: "index_projects_on_mirror_user_id"

doc/administration/operations/sidekiq_memory_killer.md

@@ -34,7 +34,7 @@ The MemoryKiller is controlled using environment variables.
   In _daemon_ mode, the MemoryKiller checks the Sidekiq process RSS every 3 seconds
   (defined by `SIDEKIQ_MEMORY_KILLER_CHECK_INTERVAL`).
 
-- `SIDEKIQ_MEMORY_KILLER_MAX_RSS`: if this variable is set, and its value is greater
+- `SIDEKIQ_MEMORY_KILLER_MAX_RSS` (KB): if this variable is set, and its value is greater
   than 0, the MemoryKiller is enabled. Otherwise the MemoryKiller is disabled.
 
   `SIDEKIQ_MEMORY_KILLER_MAX_RSS` defines the Sidekiq process allowed RSS.
@@ -52,7 +52,7 @@ The MemoryKiller is controlled using environment variables.
   [in the Omnibus GitLab
   repository](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/attributes/default.rb).
 
-- `SIDEKIQ_MEMORY_KILLER_HARD_LIMIT_RSS`: is used by _daemon_ mode. If the Sidekiq
+- `SIDEKIQ_MEMORY_KILLER_HARD_LIMIT_RSS` (KB): is used by _daemon_ mode. If the Sidekiq
   process RSS (expressed in kilobytes) exceeds `SIDEKIQ_MEMORY_KILLER_HARD_LIMIT_RSS`,
   an immediate graceful restart of Sidekiq is triggered.
 

doc/api/settings.md

@@ -40,6 +40,7 @@ Example response:
    "domain_blacklist_enabled" : false,
    "domain_blacklist" : [],
    "created_at" : "2016-01-04T15:44:55.176Z",
+   "default_ci_config_path" : null,
    "default_project_visibility" : "private",
    "default_group_visibility" : "private",
    "gravatar_enabled" : true,
@@ -113,6 +114,7 @@ Example response:
   "restricted_visibility_levels": [],
   "max_attachment_size": 10,
   "session_expire_delay": 10080,
+  "default_ci_config_path" : null,
   "default_project_visibility": "internal",
   "default_snippet_visibility": "private",
   "default_group_visibility": "private",
@@ -198,6 +200,7 @@ are listed in the descriptions of the relevant settings.
 | `container_registry_token_expire_delay`  | integer          | no                                   | Container Registry token duration in minutes. |
 | `default_artifacts_expire_in`            | string           | no                                   | Set the default expiration time for each job's artifacts. |
 | `default_branch_protection`              | integer          | no                                   | Determine if developers can push to master. Can take: `0` _(not protected, both developers and maintainers can push new commits, force push, or delete the branch)_, `1` _(partially protected, developers and maintainers can push new commits, but cannot force push or delete the branch)_ or `2` _(fully protected, developers cannot push new commits, but maintainers can; no-one can force push or delete the branch)_ as a parameter. Default is `2`. |
+| `default_ci_config_path`                 | string           | no                                   | Default CI configuration path for new projects (`.gitlab-ci.yml` if not set). |
 | `default_group_visibility`               | string           | no                                   | What visibility level new groups receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. |
 | `default_project_creation`               | integer          | no                                   | Default project creation protection. Can take: `0` _(No one)_, `1` _(Maintainers)_ or `2` _(Developers + Maintainers)_|
 | `default_projects_limit`                 | integer          | no                                   | Project limit per user. Default is `100000`. |

doc/ci/yaml/README.md

@@ -2023,8 +2023,6 @@ Defining an empty array will skip downloading any artifacts for that job.
 The status of the previous job is not considered when using `dependencies`, so
 if it failed or it is a manual job that was not run, no error occurs.
 
----
-
 In the following example, we define two jobs with artifacts, `build:osx` and
 `build:linux`. When the `test:osx` is executed, the artifacts from `build:osx`
 will be downloaded and extracted in the context of the build. The same happens

doc/development/documentation/index.md

@@ -67,8 +67,6 @@ This document was moved to [another location](path/to/new_doc.md).
 
 where `path/to/new_doc.md` is the relative path to the root directory `doc/`.
 
----
-
 For example, if you move `doc/workflow/lfs/lfs_administration.md` to
 `doc/administration/lfs.md`, then the steps would be:
 

doc/development/documentation/styleguide.md

@@ -604,9 +604,6 @@ Inside the document:
 - Always use a proper description for what the image is about. That way, when a
   browser fails to show the image, this text will be used as an alternative
   description.
-- If there are consecutive images with little text between them, always add
-  three dashes (`---`) between the image and the text to create a horizontal
-  line for better clarity.
 - If a heading is placed right after an image, always add three dashes (`---`)
   between the image and the heading.
 

doc/install/openshift_and_gitlab/index.md

@@ -23,8 +23,6 @@ tools that will help us achieve our goal.
 
 For a video demonstration on installing GitLab on OpenShift, check the article [In 13 minutes from Kubernetes to a complete application development tool](https://about.gitlab.com/blog/2016/11/14/idea-to-production/).
 
----
-
 ## Prerequisites
 
 CAUTION: **Caution:** This information is no longer up to date, as the current versions

doc/user/admin_area/settings/continuous_integration.md

@@ -134,6 +134,19 @@ Once that time passes, the jobs will be archived and no longer able to be
 retried. Make it empty to never expire jobs. It has to be no less than 1 day,
 for example: <code>15 days</code>, <code>1 month</code>, <code>2 years</code>.
 
+## Default CI configuration path
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/merge_requests/18073) in GitLab 12.5.
+
+The default CI configuration file path for new projects can be set in the Admin
+area of your GitLab instance (`.gitlab-ci.yml` if not set):
+
+1. Go to **Admin area > Settings > Continuous Integration and Deployment**.
+1. Input the new path in the **Default CI configuration path** field.
+1. Hit **Save changes** for the changes to take effect.
+
+It is also possible to specify a [custom CI configuration path for a specific project](../../project/pipelines/settings.md#custom-ci-configuration-path).
+
 <!-- ## Troubleshooting
 
 Include any troubleshooting steps that you can foresee. If you know beforehand what issues

doc/user/clusters/applications.md

@@ -263,7 +263,7 @@ This feature:
   For example:
 
   ```sh
-  kubectl -n gitlab-managed-apps exec -it $(kubectl get pods -n gitlab-managed-apps | grep 'ingress-controller' | awk '{print $1}') -- tail -f /var/log/modsec_audit.log
+  kubectl -n gitlab-managed-apps exec -it $(kubectl get pods -n gitlab-managed-apps | grep 'ingress-controller' | awk '{print $1}') -- tail -f /var/log/modsec/audit.log
   ```
 
 There is a small performance overhead by enabling `modsecurity`. However, if this is

doc/user/permissions.md

@@ -73,7 +73,7 @@ The following table depicts the various user permission levels in a project.
 | See a commit status                               |         | ✓          | ✓           | ✓        | ✓      |
 | See a container registry                          |         | ✓          | ✓           | ✓        | ✓      |
 | See environments                                  |         | ✓          | ✓           | ✓        | ✓      |
-| See a list of merge requests                      | ✓ (*1*) | ✓          | ✓           | ✓        | ✓      |
+| See a list of merge requests                      |         | ✓          | ✓           | ✓        | ✓      |
 | View project statistics                           |         | ✓          | ✓           | ✓        | ✓      |
 | View Error Tracking list                          |         | ✓          | ✓           | ✓        | ✓      |
 | Pull from [Conan repository](packages/conan_repository/index.md), [Maven repository](packages/maven_repository/index.md), or [NPM registry](packages/npm_registry/index.md) **(PREMIUM)** |         | ✓          | ✓           | ✓        | ✓      |
@@ -83,7 +83,7 @@ The following table depicts the various user permission levels in a project.
 | Push to non-protected branches                    |         |            | ✓           | ✓        | ✓      |
 | Force push to non-protected branches              |         |            | ✓           | ✓        | ✓      |
 | Remove non-protected branches                     |         |            | ✓           | ✓        | ✓      |
-| Create new merge request                          | ✓ (*1*) | ✓          | ✓           | ✓        | ✓      |
+| Create new merge request                          |         | ✓          | ✓           | ✓        | ✓      |
 | Assign merge requests                             |         |            | ✓           | ✓        | ✓      |
 | Label merge requests                              |         |            | ✓           | ✓        | ✓      |
 | Lock merge request threads                        |         |            | ✓           | ✓        | ✓      |

doc/user/profile/notifications.md

@@ -77,7 +77,7 @@ To select a notification level for a project, use either of these methods:
 1. Locate the project in the **Projects** section.
 1. Select the desired [notification level](#notification-levels).
 
----
+Or:
 
 1. Navigate to the project's page.
 1. Click the notification dropdown, marked with a bell icon.

doc/user/project/import/gitea.md

@@ -75,7 +75,5 @@ You also can:
 
 ![Gitea importer page](img/import_projects_from_gitea_importer_v12_3.png)
 
----
-
 You can also choose a different name for the project and a different namespace,
 if you have the privileges to do so.

doc/user/project/merge_requests/merge_request_approvals.md

@@ -219,8 +219,6 @@ and the project level approvers are changed after a merge request is created,
 the merge request retains the previous approvers.
 However, the approvers can be changed by [editing the merge request](#overriding-the-merge-request-approvals-default-settings).
 
----
-
 The default approval settings can now be overridden when creating a
 [merge request](index.md) or by editing it after it's been created:
 

lib/api/settings.rb

@@ -42,6 +42,7 @@ module API
       optional :asset_proxy_whitelist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Assets that match these domain(s) will NOT be proxied. Wildcards allowed. Your GitLab installation URL is automatically whitelisted.'
       optional :container_registry_token_expire_delay, type: Integer, desc: 'Authorization token duration (minutes)'
       optional :default_artifacts_expire_in, type: String, desc: "Set the default expiration time for each job's artifacts"
+      optional :default_ci_config_path, type: String, desc: 'The instance default CI configuration path for new projects'
       optional :default_project_creation, type: Integer, values: ::Gitlab::Access.project_creation_values, desc: 'Determine if developers can create projects in the group'
       optional :default_branch_protection, type: Integer, values: ::Gitlab::Access.protection_values, desc: 'Determine if developers can push to master'
       optional :default_group_visibility, type: String, values: Gitlab::VisibilityLevel.string_values, desc: 'The default group visibility'

locale/gitlab.pot

@@ -5241,6 +5241,9 @@ msgstr ""
 msgid "Default Branch"
 msgstr ""
 
+msgid "Default CI configuration path"
+msgstr ""
+
 msgid "Default artifacts expiration"
 msgstr ""
 
@@ -16840,6 +16843,9 @@ msgstr ""
 msgid "The content of this page is not encoded in UTF-8. Edits can only be made via the Git repository."
 msgstr ""
 
+msgid "The default CI configuration path for new projects."
+msgstr ""
+
 msgid "The dependency list details information about the components used within your project."
 msgstr ""
 

spec/lib/gitlab/import_export/all_models.yml

@@ -120,6 +120,7 @@ merge_requests:
 - pipelines_for_merge_request
 - merge_request_assignees
 - suggestions
+- unresolved_notes
 - assignees
 - reviews
 - approval_rules

spec/models/clusters/applications/ingress_spec.rb

@@ -165,6 +165,12 @@ describe Clusters::Applications::Ingress do
         expect(subject.values).to include('extraVolumes')
         expect(subject.values).to include('extraVolumeMounts')
       end
+
+      it 'includes modsecurity sidecar container' do
+        expect(subject.values).to include('modsecurity-log-volume')
+
+        expect(subject.values).to include('extraContainers')
+      end
     end
 
     context 'when ingress_modsecurity is disabled' do
@@ -190,6 +196,12 @@ describe Clusters::Applications::Ingress do
         expect(subject.values).not_to include('extraVolumes')
         expect(subject.values).not_to include('extraVolumeMounts')
       end
+
+      it 'excludes modsecurity sidecar container' do
+        expect(subject.values).not_to include('modsecurity-log-volume')
+
+        expect(subject.values).not_to include('extraContainers')
+      end
     end
   end
 end

spec/models/concerns/noteable_spec.rb

@@ -177,50 +177,6 @@ describe Noteable do
       end
     end
 
-    describe "#discussions_to_be_resolved?" do
-      context "when discussions are not resolvable" do
-        before do
-          allow(subject).to receive(:discussions_resolvable?).and_return(false)
-        end
-
-        it "returns false" do
-          expect(subject.discussions_to_be_resolved?).to be false
-        end
-      end
-
-      context "when discussions are resolvable" do
-        before do
-          allow(subject).to receive(:discussions_resolvable?).and_return(true)
-
-          allow(first_discussion).to receive(:resolvable?).and_return(true)
-          allow(second_discussion).to receive(:resolvable?).and_return(false)
-          allow(third_discussion).to receive(:resolvable?).and_return(true)
-        end
-
-        context "when all resolvable discussions are resolved" do
-          before do
-            allow(first_discussion).to receive(:resolved?).and_return(true)
-            allow(third_discussion).to receive(:resolved?).and_return(true)
-          end
-
-          it "returns false" do
-            expect(subject.discussions_to_be_resolved?).to be false
-          end
-        end
-
-        context "when some resolvable discussions are not resolved" do
-          before do
-            allow(first_discussion).to receive(:resolved?).and_return(true)
-            allow(third_discussion).to receive(:resolved?).and_return(false)
-          end
-
-          it "returns true" do
-            expect(subject.discussions_to_be_resolved?).to be true
-          end
-        end
-      end
-    end
-
     describe "#discussions_to_be_resolved" do
       before do
         allow(first_discussion).to receive(:to_be_resolved?).and_return(true)

spec/models/project_spec.rb

@@ -2029,24 +2029,37 @@ describe Project do
   end
 
   describe '#ci_config_path=' do
-    let(:project) { create(:project) }
+    using RSpec::Parameterized::TableSyntax
 
-    it 'sets nil' do
-      project.update!(ci_config_path: nil)
+    let(:project) { create(:project) }
 
-      expect(project.ci_config_path).to be_nil
+    where(:default_ci_config_path, :project_ci_config_path, :expected_ci_config_path) do
+      nil           | :notset            | :default
+      nil           | nil                | :default
+      nil           | ''                 | :default
+      nil           | "cust\0om/\0/path" | 'custom//path'
+      ''            | :notset            | :default
+      ''            | nil                | :default
+      ''            | ''                 | :default
+      ''            | "cust\0om/\0/path" | 'custom//path'
+      'global/path' | :notset            | 'global/path'
+      'global/path' | nil                | :default
+      'global/path' | ''                 | :default
+      'global/path' | "cust\0om/\0/path" | 'custom//path'
     end
 
-    it 'sets a string' do
-      project.update!(ci_config_path: 'foo/.gitlab_ci.yml')
-
-      expect(project.ci_config_path).to eq('foo/.gitlab_ci.yml')
-    end
+    with_them do
+      before do
+        stub_application_setting(default_ci_config_path: default_ci_config_path)
 
-    it 'sets a string but removes all null characters' do
-      project.update!(ci_config_path: "f\0oo/\0/.gitlab_ci.yml")
+        if project_ci_config_path != :notset
+          project.ci_config_path = project_ci_config_path
+        end
+      end
 
-      expect(project.ci_config_path).to eq('foo//.gitlab_ci.yml')
+      it 'returns the correct path' do
+        expect(project.ci_config_path.presence || :default).to eq(expected_ci_config_path)
+      end
     end
   end
 

spec/requests/api/merge_requests_spec.rb

@@ -701,16 +701,20 @@ describe API::MergeRequests do
       expect(json_response.first['id']).to eq merge_request_closed.id
     end
 
-    it 'avoids N+1 queries' do
-      control = ActiveRecord::QueryRecorder.new do
-        get api("/projects/#{project.id}/merge_requests", user)
-      end.count
+    context 'a project which enforces all discussions to be resolved' do
+      let!(:project) { create(:project, :repository, only_allow_merge_if_all_discussions_are_resolved: true) }
 
-      create(:merge_request, author: user, assignees: [user], source_project: project, target_project: project, created_at: base_time)
+      it 'avoids N+1 queries' do
+        control = ActiveRecord::QueryRecorder.new do
+          get api("/projects/#{project.id}/merge_requests", user)
+        end.count
 
-      expect do
-        get api("/projects/#{project.id}/merge_requests", user)
-      end.not_to exceed_query_limit(control)
+        create(:merge_request, author: user, assignees: [user], source_project: project, target_project: project, created_at: base_time)
+
+        expect do
+          get api("/projects/#{project.id}/merge_requests", user)
+        end.not_to exceed_query_limit(control)
+      end
     end
   end
 

spec/requests/api/settings_spec.rb

@@ -18,6 +18,7 @@ describe API::Settings, 'Settings' do
       expect(json_response['password_authentication_enabled']).to be_truthy
       expect(json_response['plantuml_enabled']).to be_falsey
       expect(json_response['plantuml_url']).to be_nil
+      expect(json_response['default_ci_config_path']).to be_nil
       expect(json_response['default_project_visibility']).to be_a String
       expect(json_response['default_snippet_visibility']).to be_a String
       expect(json_response['default_group_visibility']).to be_a String
@@ -49,6 +50,7 @@ describe API::Settings, 'Settings' do
       it "updates application settings" do
         put api("/application/settings", admin),
           params: {
+            default_ci_config_path: 'debian/salsa-ci.yml',
             default_projects_limit: 3,
             default_project_creation: 2,
             password_authentication_enabled_for_web: false,
@@ -80,6 +82,7 @@ describe API::Settings, 'Settings' do
           }
 
         expect(response).to have_gitlab_http_status(200)
+        expect(json_response['default_ci_config_path']).to eq('debian/salsa-ci.yml')
         expect(json_response['default_projects_limit']).to eq(3)
         expect(json_response['default_project_creation']).to eq(::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS)
         expect(json_response['password_authentication_enabled_for_web']).to be_falsey

vendor/ingress/modsecurity.conf

@@ -236,7 +236,8 @@ SecAuditLogParts ABIJDEFHZ
 # assumes that you will use the audit log only ocassionally.
 #
 # SecAuditLogType Serial
-SecAuditLog /var/log/modsec_audit.log
+SecAuditLogFormat JSON
+SecAuditLog /var/log/modsec/audit.log
 
 # Specify the path for concurrent audit logging.
 #SecAuditLogStorageDir /opt/modsecurity/var/audit/