Merge branch 'sh-update-grape-1.3.3' into 'master'

Upgrade to Grape v1.3.3

See merge request gitlab-org/gitlab!33450

.rubocop.yml

@@ -308,6 +308,18 @@ Gitlab/Union:
     - 'spec/**/*'
     - 'ee/spec/**/*'
 
+API/GrapeAPIInstance:
+  Enabled: true
+  Include:
+    - 'lib/**/api/**/*.rb'
+    - 'ee/**/api/**/*.rb'
+
+API/GrapeArrayMissingCoerce:
+  Enabled: true
+  Include:
+    - 'lib/**/api/**/*.rb'
+    - 'ee/**/api/**/*.rb'
+
 Cop/SidekiqOptionsQueue:
   Enabled: true
   Exclude:

Gemfile

@@ -19,7 +19,7 @@ gem 'default_value_for', '~> 3.3.0'
 gem 'pg', '~> 1.1'
 
 gem 'rugged', '~> 0.28'
-gem 'grape-path-helpers', '~> 1.2'
+gem 'grape-path-helpers', '~> 1.3'
 
 gem 'faraday', '~> 0.12'
 gem 'marginalia', '~> 1.8.0'
@@ -81,7 +81,7 @@ gem 'gitlab_omniauth-ldap', '~> 2.1.1', require: 'omniauth-ldap'
 gem 'net-ldap'
 
 # API
-gem 'grape', '~> 1.1.0'
+gem 'grape', '~> 1.3.3'
 gem 'grape-entity', '~> 0.7.1'
 gem 'rack-cors', '~> 1.0.6', require: 'rack/cors'
 

Gemfile.lock

@@ -103,10 +103,6 @@ GEM
       aws-sdk-core (= 2.11.374)
     aws-sigv4 (1.1.0)
       aws-eventstream (~> 1.0, >= 1.0.2)
-    axiom-types (0.1.1)
-      descendants_tracker (~> 0.0.4)
-      ice_nine (~> 0.11.0)
-      thread_safe (~> 0.3, >= 0.3.1)
     babosa (1.0.2)
     base32 (0.3.2)
     batch-loader (1.4.0)
@@ -164,8 +160,6 @@ GEM
       nap
       open4 (~> 1.3)
     coderay (1.1.2)
-    coercible (1.0.0)
-      descendants_tracker (~> 0.0.1)
     colored2 (3.1.2)
     commonmarker (0.20.1)
       ruby-enum (~> 0.5)
@@ -221,8 +215,6 @@ GEM
       ruby-statistics (>= 2.1)
       thor (>= 0.19, < 2)
       unicode_plot (>= 0.0.4, < 1.0.0)
-    descendants_tracker (0.0.4)
-      thread_safe (~> 0.3, >= 0.3.1)
     device_detector (1.0.0)
     devise (4.7.1)
       bcrypt (~> 3.0)
@@ -249,6 +241,28 @@ GEM
     doorkeeper-openid_connect (1.6.3)
       doorkeeper (>= 5.0, < 5.2)
       json-jwt (~> 1.6)
+    dry-configurable (0.11.5)
+      concurrent-ruby (~> 1.0)
+      dry-core (~> 0.4, >= 0.4.7)
+      dry-equalizer (~> 0.2)
+    dry-container (0.7.2)
+      concurrent-ruby (~> 1.0)
+      dry-configurable (~> 0.1, >= 0.1.3)
+    dry-core (0.4.9)
+      concurrent-ruby (~> 1.0)
+    dry-equalizer (0.3.0)
+    dry-inflector (0.2.0)
+    dry-logic (1.0.6)
+      concurrent-ruby (~> 1.0)
+      dry-core (~> 0.2)
+      dry-equalizer (~> 0.2)
+    dry-types (1.4.0)
+      concurrent-ruby (~> 1.0)
+      dry-container (~> 0.3)
+      dry-core (~> 0.4, >= 0.4.4)
+      dry-equalizer (~> 0.3)
+      dry-inflector (~> 0.1, >= 0.1.2)
+      dry-logic (~> 1.0, >= 1.0.2)
     ed25519 (1.2.4)
     elasticsearch (6.8.0)
       elasticsearch-api (= 6.8.0)
@@ -439,19 +453,19 @@ GEM
       signet (~> 0.14)
     gpgme (2.0.20)
       mini_portile2 (~> 2.3)
-    grape (1.1.0)
+    grape (1.3.3)
       activesupport
       builder
+      dry-types (>= 1.1)
       mustermann-grape (~> 1.0.0)
       rack (>= 1.3.0)
       rack-accept
-      virtus (>= 1.0.0)
     grape-entity (0.7.1)
       activesupport (>= 4.0)
       multi_json (>= 1.3.2)
-    grape-path-helpers (1.2.0)
+    grape-path-helpers (1.3.0)
       activesupport
-      grape (~> 1.0)
+      grape (~> 1.3)
       rake (~> 12)
     grape_logging (1.8.3)
       grape
@@ -642,9 +656,10 @@ GEM
     multi_xml (0.6.0)
     multipart-post (2.1.1)
     murmurhash3 (0.1.6)
-    mustermann (1.0.3)
-    mustermann-grape (1.0.0)
-      mustermann (~> 1.0.0)
+    mustermann (1.1.1)
+      ruby2_keywords (~> 0.0.1)
+    mustermann-grape (1.0.1)
+      mustermann (>= 1.0.0)
     nakayoshi_fork (0.0.4)
     nap (1.1.0)
     nenv (0.3.0)
@@ -959,6 +974,7 @@ GEM
     ruby-saml (1.7.2)
       nokogiri (>= 1.5.10)
     ruby-statistics (2.1.2)
+    ruby2_keywords (0.0.2)
     ruby_dep (1.5.0)
     ruby_parser (3.13.1)
       sexp_processor (~> 4.9)
@@ -1122,11 +1138,6 @@ GEM
       activerecord (>= 3.0)
       activesupport (>= 3.0)
     version_sorter (2.2.4)
-    virtus (1.0.5)
-      axiom-types (~> 0.1)
-      coercible (~> 1.0)
-      descendants_tracker (~> 0.0, >= 0.0.3)
-      equalizer (~> 0.0, >= 0.0.9)
     vmstat (2.3.0)
     warden (1.2.8)
       rack (>= 2.0.6)
@@ -1257,9 +1268,9 @@ DEPENDENCIES
   google-api-client (~> 0.33)
   google-protobuf (~> 3.8.0)
   gpgme (~> 2.0.19)
-  grape (~> 1.1.0)
+  grape (~> 1.3.3)
   grape-entity (~> 0.7.1)
-  grape-path-helpers (~> 1.2)
+  grape-path-helpers (~> 1.3)
   grape_logging (~> 1.7)
   graphiql-rails (~> 1.4.10)
   graphql (~> 1.10.5)

changelogs/unreleased/sh-update-grape-gem.yml

+---
+title: Upgrade Grape v1.1.0 to v1.3.3
+merge_request: 33450
+author:
+type: other

doc/development/api_styleguide.md

@@ -98,6 +98,46 @@ For instance:
 Model.create(foo: params[:foo])
 ```
 
+## Array types
+
+With Grape v1.3+, Array types must be defined with a `coerce_with`
+block, or parameters will fail to validate when passed a string from an
+API request. See the [Grape upgrading
+documentation](https://github.com/ruby-grape/grape/blob/master/UPGRADING.md#ensure-that-array-types-have-explicit-coercions)
+for more details.
+
+### Automatic coercion of nil inputs
+
+Prior to Grape v1.3.3, Array parameters with `nil` values would
+automatically be coerced to an empty Array. However, due to [this pull
+request in v1.3.3](https://github.com/ruby-grape/grape/pull/2040), this
+is no longer the case. For example, suppose you define a PUT `/test`
+request that has an optional parameter:
+
+```ruby
+optional :user_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The user ids for this rule'
+```
+
+Normally, a request to PUT `/test?user_ids` would cause Grape to pass
+`params` of `{ user_ids: nil }`.
+
+This may introduce errors with endpoints that expect a blank array and
+do not handle `nil` inputs properly. To preserve the previous behavior,
+there is a helper method `coerce_nil_params_to_array!` that is used
+in the `before` block of all API calls:
+
+```ruby
+before do
+  coerce_nil_params_to_array!
+end
+```
+
+With this change, a request to PUT `/test?user_ids` will cause Grape to
+pass `params` to be `{ user_ids: [] }`.
+
+There is [an open issue in the Grape tracker](https://github.com/ruby-grape/grape/issues/2068)
+to make this easier.
+
 ## Using HTTP status helpers
 
 For non-200 HTTP responses, use the provided helpers in `lib/api/helpers.rb` to ensure correct behavior (`not_found!`, `no_content!` etc.). These will `throw` inside Grape and abort the execution of your endpoint.

doc/development/ee_features.md

@@ -512,12 +512,12 @@ do that, so we'll follow regular object-oriented practices that we define the
 interface first here.
 
 For example, suppose we have a few more optional parameters for EE. We can move the
-parameters out of the `Grape::API` class to a helper module, so we can inject it
+parameters out of the `Grape::API::Instance` class to a helper module, so we can inject it
 before it would be used in the class.
 
 ```ruby
 module API
-  class Projects < Grape::API
+  class Projects < Grape::API::Instance
     helpers Helpers::ProjectsHelpers
   end
 end
@@ -578,7 +578,7 @@ class definition to make it easy and clear:
 
 ```ruby
 module API
-  class JobArtifacts < Grape::API
+  class JobArtifacts < Grape::API::Instance
     # EE::API::JobArtifacts would override the following helpers
     helpers do
       def authorize_download_artifacts!
@@ -622,7 +622,7 @@ route. Something like this:
 
 ```ruby
 module API
-  class MergeRequests < Grape::API
+  class MergeRequests < Grape::API::Instance
     helpers do
       # EE::API::MergeRequests would override the following helpers
       def update_merge_request_ee(merge_request)
@@ -691,7 +691,7 @@ least argument. We would approach this as follows:
 ```ruby
 # api/merge_requests/parameters.rb
 module API
-  class MergeRequests < Grape::API
+  class MergeRequests < Grape::API::Instance
     module Parameters
       def self.update_params_at_least_one_of
         %i[
@@ -707,7 +707,7 @@ API::MergeRequests::Parameters.prepend_if_ee('EE::API::MergeRequests::Parameters
 
 # api/merge_requests.rb
 module API
-  class MergeRequests < Grape::API
+  class MergeRequests < Grape::API::Instance
     params do
       at_least_one_of(*Parameters.update_params_at_least_one_of)
     end

ee/lib/api/analytics/code_review_analytics.rb

@@ -2,7 +2,7 @@
 
 module API
   module Analytics
-    class CodeReviewAnalytics < Grape::API
+    class CodeReviewAnalytics < Grape::API::Instance
       include PaginationParams
 
       helpers do
@@ -24,7 +24,7 @@ module API
         end
 
         params :negatable_params do
-          optional :label_name, type: Array, desc: 'Array of label names to filter by'
+          optional :label_name, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'Array of label names to filter by'
           optional :milestone_title, type: String, desc: 'Milestone title to filter by'
         end
       end

ee/lib/api/analytics/group_activity_analytics.rb

@@ -2,7 +2,7 @@
 
 module API
   module Analytics
-    class GroupActivityAnalytics < Grape::API
+    class GroupActivityAnalytics < Grape::API::Instance
       DESCRIPTION_DETAIL =
         'This feature is gated by the `:group_activity_analytics`'\
         ' feature flag, introduced in GitLab 12.9.'

ee/lib/api/audit_events.rb

 # frozen_string_literal: true
 
 module API
-  class AuditEvents < ::Grape::API
+  class AuditEvents < ::Grape::API::Instance
     include ::API::PaginationParams
 
     before do

ee/lib/api/composer_packages.rb

@@ -2,7 +2,7 @@
 
 # PHP composer support (https://getcomposer.org/)
 module API
-  class ComposerPackages < Grape::API
+  class ComposerPackages < Grape::API::Instance
     helpers ::API::Helpers::PackagesManagerClientsHelpers
     helpers ::API::Helpers::RelatedResourcesHelpers
     helpers ::API::Helpers::Packages::BasicAuthHelpers

ee/lib/api/conan_packages.rb

@@ -9,7 +9,7 @@
 #
 # Technical debt: https://gitlab.com/gitlab-org/gitlab/issues/35798
 module API
-  class ConanPackages < Grape::API
+  class ConanPackages < Grape::API::Instance
     helpers ::API::Helpers::PackagesManagerClientsHelpers
 
     PACKAGE_REQUIREMENTS = {

ee/lib/api/dependencies.rb

 # frozen_string_literal: true
 
 module API
-  class Dependencies < Grape::API
+  class Dependencies < Grape::API::Instance
     helpers do
       def dependencies_by(params)
         pipeline = ::Security::ReportFetchService.new(user_project, ::Ci::JobArtifact.dependency_list_reports).pipeline
@@ -12,9 +12,7 @@ module API
       end
     end
 
-    before do
-      authenticate!
-    end
+    before { authenticate! }
 
     params do
       requires :id, type: String, desc: 'The ID of a project'
@@ -28,6 +26,7 @@ module API
       params do
         optional :package_manager,
                  type: Array[String],
+                 coerce_with: Validations::Types::CommaSeparatedToArray.coerce,
                  desc: "Returns dependencies belonging to specified package managers: #{::Security::DependencyListService::FILTER_PACKAGE_MANAGERS_VALUES.join(', ')}.",
                  values: ::Security::DependencyListService::FILTER_PACKAGE_MANAGERS_VALUES
       end
@@ -37,7 +36,8 @@ module API
 
         track_event('view_dependencies')
 
-        dependencies = dependencies_by(declared_params.merge(project: user_project))
+        dependency_params = declared_params(include_missing: false).merge(project: user_project)
+        dependencies = dependencies_by(dependency_params)
 
         present dependencies, with: ::EE::API::Entities::Dependency, user: current_user, project: user_project
       end

ee/lib/api/dependency_proxy.rb

 # frozen_string_literal: true
 
 module API
-  class DependencyProxy < Grape::API
+  class DependencyProxy < Grape::API::Instance
     helpers ::API::Helpers::PackagesHelpers
 
     helpers do

ee/lib/api/elasticsearch_indexed_namespaces.rb

 # frozen_string_literal: true
 
 module API
-  class ElasticsearchIndexedNamespaces < Grape::API
+  class ElasticsearchIndexedNamespaces < Grape::API::Instance
     before { authenticated_as_admin! }
 
     resource :elasticsearch_indexed_namespaces do

ee/lib/api/epic_issues.rb

 # frozen_string_literal: true
 
 module API
-  class EpicIssues < Grape::API
+  class EpicIssues < Grape::API::Instance
     before do
       authenticate!
       authorize_epics_feature!

ee/lib/api/epic_links.rb

 # frozen_string_literal: true
 
 module API
-  class EpicLinks < Grape::API
+  class EpicLinks < Grape::API::Instance
     include ::Gitlab::Utils::StrongMemoize
 
     before do

ee/lib/api/epics.rb

 # frozen_string_literal: true
 
 module API
-  class Epics < Grape::API
+  class Epics < Grape::API::Instance
     include PaginationParams
 
     before do
@@ -28,7 +28,7 @@ module API
         optional :state, type: String, values: %w[opened closed all], default: 'all',
                          desc: 'Return opened, closed, or all epics'
         optional :author_id, type: Integer, desc: 'Return epics which are authored by the user with the given ID'
-        optional :labels, type: Array[String], coerce_with: Validations::Types::LabelsList.coerce, desc: 'Comma-separated list of label names'
+        optional :labels, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Comma-separated list of label names'
         optional :with_labels_details, type: Boolean, desc: 'Return titles of labels and other details', default: false
         optional :created_after, type: DateTime, desc: 'Return epics created after the specified time'
         optional :created_before, type: DateTime, desc: 'Return epics created before the specified time'
@@ -70,7 +70,7 @@ module API
         optional :start_date_is_fixed, type: Boolean, desc: 'Indicates start date should be sourced from start_date_fixed field not the issue milestones'
         optional :end_date, as: :due_date_fixed, type: String, desc: 'The due date of an epic'
         optional :due_date_is_fixed, type: Boolean, desc: 'Indicates due date should be sourced from due_date_fixed field not the issue milestones'
-        optional :labels, type: Array[String], coerce_with: Validations::Types::LabelsList.coerce, desc: 'Comma-separated list of label names'
+        optional :labels, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Comma-separated list of label names'
         optional :parent_id, type: Integer, desc: 'The id of a parent epic'
       end
       post ':id/(-/)epics' do
@@ -96,7 +96,7 @@ module API
         optional :start_date_is_fixed, type: Boolean, desc: 'Indicates start date should be sourced from start_date_fixed field not the issue milestones'
         optional :end_date, as: :due_date_fixed, type: String, desc: 'The due date of an epic'
         optional :due_date_is_fixed, type: Boolean, desc: 'Indicates due date should be sourced from due_date_fixed field not the issue milestones'
-        optional :labels, type: Array[String], coerce_with: Validations::Types::LabelsList.coerce, desc: 'Comma-separated list of label names'
+        optional :labels, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Comma-separated list of label names'
         optional :state_event, type: String, values: %w[reopen close], desc: 'State event for an epic'
         at_least_one_of :title, :description, :start_date_fixed, :start_date_is_fixed, :due_date_fixed, :due_date_is_fixed, :labels, :state_event, :confidential
       end

ee/lib/api/feature_flag_scopes.rb

 # frozen_string_literal: true
 
 module API
-  class FeatureFlagScopes < Grape::API
+  class FeatureFlagScopes < Grape::API::Instance
     include PaginationParams
 
     ENVIRONMENT_SCOPE_ENDPOINT_REQUIREMENTS = FeatureFlags::FEATURE_FLAG_ENDPOINT_REQUIREMENTS

ee/lib/api/feature_flags.rb

 # frozen_string_literal: true
 
 module API
-  class FeatureFlags < Grape::API
+  class FeatureFlags < Grape::API::Instance
     include PaginationParams
 
     FEATURE_FLAG_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS

ee/lib/api/feature_flags_user_lists.rb

 # frozen_string_literal: true
 
 module API
-  class FeatureFlagsUserLists < Grape::API
+  class FeatureFlagsUserLists < Grape::API::Instance
     include PaginationParams
 
     error_formatter :json, -> (message, _backtrace, _options, _env, _original_exception) {

ee/lib/api/geo.rb

@@ -3,7 +3,7 @@
 require 'base64'
 
 module API
-  class Geo < Grape::API
+  class Geo < Grape::API::Instance
     resource :geo do
       helpers do
         def sanitized_node_status_params

ee/lib/api/geo_nodes.rb

 # frozen_string_literal: true
 
 module API
-  class GeoNodes < Grape::API
+  class GeoNodes < Grape::API::Instance
     include PaginationParams
     include APIGuard
     include ::Gitlab::Utils::StrongMemoize
 
-    before { authenticate_admin_or_geo_node! }
+    before do
+      authenticate_admin_or_geo_node!
+    end
 
     helpers do
       def authenticate_admin_or_geo_node!
@@ -45,8 +47,8 @@ module API
         optional :container_repositories_max_capacity, type: Integer, desc: 'Control the maximum concurrency of container repository sync for this node. Defaults to 10.'
         optional :sync_object_storage, type: Boolean, desc: 'Flag indicating if the secondary Geo node will replicate blobs in Object Storage. Defaults to false.'
         optional :selective_sync_type, type: String, desc: 'Limit syncing to only specific groups, or shards. Valid values: `"namespaces"`, `"shards"`, or `null`'
-        optional :selective_sync_shards, type: Array, desc: 'The repository storages whose projects should be synced, if `selective_sync_type` == `shards`'
-        optional :selective_sync_namespace_ids, as: :namespace_ids, type: Array, desc: 'The IDs of groups that should be synced, if `selective_sync_type` == `namespaces`'
+        optional :selective_sync_shards, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'The repository storages whose projects should be synced, if `selective_sync_type` == `shards`'
+        optional :selective_sync_namespace_ids, as: :namespace_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The IDs of groups that should be synced, if `selective_sync_type` == `namespaces`'
         optional :minimum_reverification_interval, type: Integer, desc: 'The interval (in days) in which the repository verification is valid. Once expired, it will be reverified. This has no effect when set on a secondary node.'
       end
       post do
@@ -201,8 +203,8 @@ module API
           optional :container_repositories_max_capacity, type: Integer, desc: 'Control the maximum concurrency of container repository sync for this node'
           optional :sync_object_storage, type: Boolean, desc: 'Flag indicating if the secondary Geo node will replicate blobs in Object Storage'
           optional :selective_sync_type, type: String, desc: 'Limit syncing to only specific groups, or shards. Valid values: `"namespaces"`, `"shards"`, or `null`'
-          optional :selective_sync_shards, type: Array, desc: 'The repository storages whose projects should be synced, if `selective_sync_type` == `shards`'
-          optional :selective_sync_namespace_ids, as: :namespace_ids, type: Array, desc: 'The IDs of groups that should be synced, if `selective_sync_type` == `namespaces`'
+          optional :selective_sync_shards, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'The repository storages whose projects should be synced, if `selective_sync_type` == `shards`'
+          optional :selective_sync_namespace_ids, as: :namespace_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The IDs of groups that should be synced, if `selective_sync_type` == `namespaces`'
           optional :minimum_reverification_interval, type: Integer, desc: 'The interval (in days) in which the repository verification is valid. Once expired, it will be reverified. This has no effect when set on a secondary node.'
         end
         put do

ee/lib/api/geo_replication.rb

 # frozen_string_literal: true
 
 module API
-  class GeoReplication < Grape::API
+  class GeoReplication < Grape::API::Instance
     include PaginationParams
     include APIGuard
     include ::Gitlab::Utils::StrongMemoize

ee/lib/api/go_proxy.rb

 # frozen_string_literal: true
 module API
-  class GoProxy < Grape::API
+  class GoProxy < Grape::API::Instance
     helpers Gitlab::Golang
     helpers ::API::Helpers::PackagesHelpers
 

ee/lib/api/group_hooks.rb

 # frozen_string_literal: true
 
 module API
-  class GroupHooks < Grape::API
+  class GroupHooks < Grape::API::Instance
     include ::API::PaginationParams
 
     before { authenticate! }

ee/lib/api/group_packages.rb

 # frozen_string_literal: true
 
 module API
-  class GroupPackages < Grape::API
+  class GroupPackages < Grape::API::Instance
     include PaginationParams
 
     before do

ee/lib/api/helpers/project_approval_rules_helpers.rb

@@ -5,24 +5,22 @@ module API
     module ProjectApprovalRulesHelpers
       extend Grape::API::Helpers
 
-      ARRAY_COERCION_LAMBDA = ->(val) { val.empty? ? [] : Array.wrap(val) }
-
       params :create_project_approval_rule do
         requires :name, type: String, desc: 'The name of the approval rule'
         requires :approvals_required, type: Integer, desc: 'The number of required approvals for this rule'
         optional :rule_type, type: String, desc: 'The type of approval rule'
-        optional :users, as: :user_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The user ids for this rule'
-        optional :groups, as: :group_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The group ids for this rule'
-        optional :protected_branch_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The protected branch ids for this rule'
+        optional :users, as: :user_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The user ids for this rule'
+        optional :groups, as: :group_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The group ids for this rule'
+        optional :protected_branch_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The protected branch ids for this rule'
       end
 
       params :update_project_approval_rule do
         requires :approval_rule_id, type: Integer, desc: 'The ID of an approval_rule'
         optional :name, type: String, desc: 'The name of the approval rule'
         optional :approvals_required, type: Integer, desc: 'The number of required approvals for this rule'
-        optional :users, as: :user_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The user ids for this rule'
-        optional :groups, as: :group_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The group ids for this rule'
-        optional :protected_branch_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The protected branch ids for this rule'
+        optional :users, as: :user_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The user ids for this rule'
+        optional :groups, as: :group_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The group ids for this rule'
+        optional :protected_branch_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The protected branch ids for this rule'
         optional :remove_hidden_groups, type: Boolean, desc: 'Whether hidden groups should be removed'
       end
 

ee/lib/api/issue_links.rb

 # frozen_string_literal: true
 
 module API
-  class IssueLinks < Grape::API
+  class IssueLinks < Grape::API::Instance
     include PaginationParams
 
     before { authenticate! }

ee/lib/api/ldap.rb

 # frozen_string_literal: true
 
 module API
-  class Ldap < Grape::API
+  class Ldap < Grape::API::Instance
     # Admin users by default should be able to access these API endpoints.
     # However, non-admin users can access these endpoints if the "Allow group
     # owners to manage LDAP-related group settings" is enabled, and they own a

ee/lib/api/ldap_group_links.rb

 # frozen_string_literal: true
 
 module API
-  class LdapGroupLinks < Grape::API
+  class LdapGroupLinks < Grape::API::Instance
     before { authenticate! }
 
     params do

ee/lib/api/license.rb

 # frozen_string_literal: true
 
 module API
-  class License < Grape::API
+  class License < Grape::API::Instance
     before { authenticated_as_admin! }
 
     resource :license do

ee/lib/api/managed_licenses.rb

 # frozen_string_literal: true
 
 module API
-  class ManagedLicenses < Grape::API
+  class ManagedLicenses < Grape::API::Instance
     include PaginationParams
 
     before { authenticate! unless route.settings[:skip_authentication] }

ee/lib/api/maven_packages.rb

 # frozen_string_literal: true
 module API
-  class MavenPackages < Grape::API
+  class MavenPackages < Grape::API::Instance
     MAVEN_ENDPOINT_REQUIREMENTS = {
       file_name: API::NO_SLASH_URL_PART_REGEX
     }.freeze

ee/lib/api/merge_request_approval_rules.rb

@@ -4,8 +4,6 @@ module API
   class MergeRequestApprovalRules < ::Grape::API
     before { authenticate_non_get! }
 
-    ARRAY_COERCION_LAMBDA = ->(val) { val.empty? ? [] : Array.wrap(val) }
-
     helpers do
       def find_merge_request_approval_rule(merge_request, id)
         merge_request.approval_rules.find_by_id!(id)
@@ -34,8 +32,8 @@ module API
           requires :name, type: String, desc: 'The name of the approval rule'
           requires :approvals_required, type: Integer, desc: 'The number of required approvals for this rule'
           optional :approval_project_rule_id, type: Integer, desc: 'The ID of a project-level approval rule'
-          optional :user_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The user ids for this rule'
-          optional :group_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The group ids for this rule'
+          optional :user_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The user ids for this rule'
+          optional :group_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The group ids for this rule'
         end
         post do
           merge_request = find_merge_request_with_access(params[:merge_request_iid], :update_approvers)
@@ -56,8 +54,8 @@ module API
             requires :approval_rule_id, type: Integer, desc: 'The ID of an approval rule'
             optional :name, type: String, desc: 'The name of the approval rule'
             optional :approvals_required, type: Integer, desc: 'The number of required approvals for this rule'
-            optional :user_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The user ids for this rule'
-            optional :group_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The group ids for this rule'
+            optional :user_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The user ids for this rule'
+            optional :group_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The group ids for this rule'
             optional :remove_hidden_groups, type: Boolean, desc: 'Whether hidden groups should be removed'
           end
           put do

ee/lib/api/merge_request_approvals.rb

 # frozen_string_literal: true
 
 module API
-  class MergeRequestApprovals < ::Grape::API
+  class MergeRequestApprovals < ::Grape::API::Instance
     before { authenticate_non_get! }
 
-    ARRAY_COERCION_LAMBDA = ->(val) { val.empty? ? [] : Array.wrap(val) }
-
     helpers do
       def present_approval(merge_request)
         present merge_request.approval_state, with: ::EE::API::Entities::ApprovalState, current_user: current_user
@@ -109,8 +107,10 @@ module API
           success ::EE::API::Entities::ApprovalState
         end
         params do
-          requires :approver_ids, type: Array[String], coerce_with: ARRAY_COERCION_LAMBDA, desc: 'Array of User IDs to set as approvers.'
-          requires :approver_group_ids, type: Array[String], coerce_with: ARRAY_COERCION_LAMBDA, desc: 'Array of Group IDs to set as approvers.'
+          requires :approver_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce,
+            desc: 'Array of User IDs to set as approvers.'
+          requires :approver_group_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce,
+            desc: 'Array of Group IDs to set as approvers.'
         end
         put 'approvers' do
           Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab/issues/8883')

ee/lib/api/merge_trains.rb

 # frozen_string_literal: true
 
 module API
-  class MergeTrains < ::Grape::API
+  class MergeTrains < ::Grape::API::Instance
     include PaginationParams
 
     before do

ee/lib/api/npm_packages.rb

 # frozen_string_literal: true
 module API
-  class NpmPackages < Grape::API
+  class NpmPackages < Grape::API::Instance
     helpers ::API::Helpers::PackagesHelpers
     helpers ::API::Helpers::Packages::DependencyProxyHelpers
 

ee/lib/api/nuget_packages.rb

@@ -6,7 +6,7 @@
 # called by the NuGet package manager client when users run commands
 # like `nuget install` or `nuget push`.
 module API
-  class NugetPackages < Grape::API
+  class NugetPackages < Grape::API::Instance
     helpers ::API::Helpers::PackagesManagerClientsHelpers
     helpers ::API::Helpers::Packages::BasicAuthHelpers
 

ee/lib/api/package_files.rb

 # frozen_string_literal: true
 
 module API
-  class PackageFiles < Grape::API
+  class PackageFiles < Grape::API::Instance
     include PaginationParams
 
     before do

ee/lib/api/project_aliases.rb

 # frozen_string_literal: true
 
 module API
-  class ProjectAliases < Grape::API
+  class ProjectAliases < Grape::API::Instance
     include PaginationParams
 
     before { check_feature_availability }

ee/lib/api/project_approval_rules.rb

 # frozen_string_literal: true
 
 module API
-  class ProjectApprovalRules < ::Grape::API
+  class ProjectApprovalRules < ::Grape::API::Instance
     before { authenticate! }
 
     helpers ::API::Helpers::ProjectApprovalRulesHelpers

ee/lib/api/project_approval_settings.rb

 # frozen_string_literal: true
 
 module API
-  class ProjectApprovalSettings < ::Grape::API
+  class ProjectApprovalSettings < ::Grape::API::Instance
     before { authenticate! }
 
     helpers ::API::Helpers::ProjectApprovalRulesHelpers

ee/lib/api/project_approvals.rb

 # frozen_string_literal: true
 
 module API
-  class ProjectApprovals < ::Grape::API
+  class ProjectApprovals < ::Grape::API::Instance
     before { authenticate! }
     before { authorize! :update_approvers, user_project }
 
-    ARRAY_COERCION_LAMBDA = ->(val) { val.empty? ? [] : Array.wrap(val) }
-
     helpers do
       def filter_forbidden_param!(permission, param)
         unless can?(current_user, permission, user_project)
@@ -67,8 +65,8 @@ module API
         success EE::API::Entities::ApprovalSettings
       end
       params do
-        requires :approver_ids, type: Array[String], coerce_with: ARRAY_COERCION_LAMBDA, desc: 'Array of User IDs to set as approvers.'
-        requires :approver_group_ids, type: Array[String], coerce_with: ARRAY_COERCION_LAMBDA, desc: 'Array of Group IDs to set as approvers.'
+        requires :approver_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'Array of User IDs to set as approvers.'
+        requires :approver_group_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'Array of Group IDs to set as approvers.'
       end
       put ':id/approvers' do
         result = ::Projects::UpdateService.new(user_project, current_user, declared(params, include_parent_namespaces: false).merge(remove_old_approvers: true)).execute

ee/lib/api/project_mirror.rb

@@ -3,7 +3,7 @@
 require_dependency 'declarative_policy'
 
 module API
-  class ProjectMirror < Grape::API
+  class ProjectMirror < Grape::API::Instance
     helpers do
       def github_webhook_signature
         @github_webhook_signature ||= headers['X-Hub-Signature']

ee/lib/api/project_packages.rb

 # frozen_string_literal: true
 
 module API
-  class ProjectPackages < Grape::API
+  class ProjectPackages < Grape::API::Instance
     include PaginationParams
 
     before do

ee/lib/api/project_push_rule.rb

 # frozen_string_literal: true
 
 module API
-  class ProjectPushRule < Grape::API
+  class ProjectPushRule < Grape::API::Instance
     before { authenticate! }
     before { authorize_admin_project }
     before { check_project_feature_available!(:push_rules) }

ee/lib/api/protected_environments.rb

 # frozen_string_literal: true
 
 module API
-  class ProtectedEnvironments < Grape::API
+  class ProtectedEnvironments < Grape::API::Instance
     include PaginationParams
 
     ENVIRONMENT_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(name: API::NO_SLASH_URL_PART_REGEX)

ee/lib/api/pypi_packages.rb

@@ -6,7 +6,7 @@
 # called by the PyPI package manager client when users run commands
 # like `pip install` or `twine upload`.
 module API
-  class PypiPackages < Grape::API
+  class PypiPackages < Grape::API::Instance
     helpers ::API::Helpers::PackagesManagerClientsHelpers
     helpers ::API::Helpers::RelatedResourcesHelpers
     helpers ::API::Helpers::Packages::BasicAuthHelpers

ee/lib/api/resource_weight_events.rb

 # frozen_string_literal: true
 
 module API
-  class ResourceWeightEvents < Grape::API
+  class ResourceWeightEvents < Grape::API::Instance
     include PaginationParams
     helpers ::API::Helpers::NotesHelpers
 

ee/lib/api/scim.rb

 # frozen_string_literal: true
 
 module API
-  class Scim < Grape::API
+  class Scim < Grape::API::Instance
     include ::Gitlab::Utils::StrongMemoize
 
     prefix 'api/scim'

ee/lib/api/unleash.rb

 # frozen_string_literal: true
 
 module API
-  class Unleash < Grape::API
+  class Unleash < Grape::API::Instance
     include PaginationParams
 
     namespace :feature_flags do

ee/lib/api/v3/github.rb

@@ -7,7 +7,7 @@
 #
 module API
   module V3
-    class Github < Grape::API
+    class Github < Grape::API::Instance
       JIRA_DEV_PANEL_FEATURE = :jira_dev_panel_integration.freeze
       NO_SLASH_URL_PART_REGEX = %r{[^/]+}.freeze
       ENDPOINT_REQUIREMENTS = {

ee/lib/api/visual_review_discussions.rb

 # frozen_string_literal: true
 
 module API
-  class VisualReviewDiscussions < Grape::API
+  class VisualReviewDiscussions < Grape::API::Instance
     include PaginationParams
     helpers ::API::Helpers::NotesHelpers
     helpers ::RendersNotes

ee/lib/api/vulnerabilities.rb

 # frozen_string_literal: true
 
 module API
-  class Vulnerabilities < Grape::API
+  class Vulnerabilities < Grape::API::Instance
     include ::API::Helpers::VulnerabilitiesHooks
     include PaginationParams
 

ee/lib/api/vulnerability_exports.rb

 # frozen_string_literal: true
 
 module API
-  class VulnerabilityExports < Grape::API
+  class VulnerabilityExports < Grape::API::Instance
     include ::API::Helpers::VulnerabilitiesHooks
     include ::Gitlab::Utils::StrongMemoize
 

ee/lib/api/vulnerability_findings.rb

 # frozen_string_literal: true
 
 module API
-  class VulnerabilityFindings < Grape::API
+  class VulnerabilityFindings < Grape::API::Instance
     include PaginationParams
     include ::Gitlab::Utils::StrongMemoize
 
@@ -33,19 +33,23 @@ module API
     end
     resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
       params do
-        optional :report_type, type: Array[String], desc: 'The type of report vulnerability belongs to',
+        optional :report_type, type: Array[String],
+                 coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce,
+                 desc: 'The type of report vulnerability belongs to',
                  values: ::Vulnerabilities::Occurrence.report_types.keys,
                  default: ::Vulnerabilities::Occurrence.report_types.keys
         optional :scope, type: String, desc: 'Return vulnerabilities for the given scope: `dismissed` or `all`',
                  default: 'dismissed', values: %w[all dismissed]
         optional :severity,
                  type: Array[String],
+                 coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce,
                  desc: 'Returns vulnerabilities belonging to specified severity level: '\
                        '`info`, `unknown`, `low`, `medium`, `high`, or `critical`. Defaults to all',
                  values: ::Vulnerabilities::Occurrence.severities.keys,
                  default: ::Vulnerabilities::Occurrence.severities.keys
         optional :confidence,
                  type: Array[String],
+                 coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce,
                  desc: 'Returns vulnerabilities belonging to specified confidence level: '\
                        '`ignore`, `unknown`, `experimental`, `low`, `medium`, `high`, or `confirmed`. '\
                        'Defaults to all',

ee/lib/api/vulnerability_issue_links.rb

 # frozen_string_literal: true
 
 module API
-  class VulnerabilityIssueLinks < Grape::API
+  class VulnerabilityIssueLinks < Grape::API::Instance
     include ::API::Helpers::VulnerabilitiesHooks
 
     helpers ::API::Helpers::VulnerabilitiesHelpers

ee/lib/ee/api/boards.rb

@@ -2,7 +2,7 @@
 
 module EE
   module API
-    class Boards < ::Grape::API
+    class Boards < ::Grape::API::Instance
       include ::API::PaginationParams
       include ::API::BoardsResponses
 

ee/lib/ee/api/group_boards.rb

@@ -2,7 +2,7 @@
 
 module EE
   module API
-    class GroupBoards < ::Grape::API
+    class GroupBoards < ::Grape::API::Instance
       include ::API::PaginationParams
       include ::API::BoardsResponses
 

ee/lib/ee/api/helpers/settings_helpers.rb

@@ -26,8 +26,8 @@ module EE
             end
 
             given elasticsearch_limit_indexing: ->(val) { val } do
-              optional :elasticsearch_namespace_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::LabelsList.coerce, desc: 'The namespace ids to index with Elasticsearch.'
-              optional :elasticsearch_project_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::LabelsList.coerce, desc: 'The project ids to index with Elasticsearch.'
+              optional :elasticsearch_namespace_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The namespace ids to index with Elasticsearch.'
+              optional :elasticsearch_project_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The project ids to index with Elasticsearch.'
             end
 
             optional :email_additional_text, type: String, desc: 'Additional text added to the bottom of every email for legal/auditing/compliance reasons'
@@ -36,7 +36,7 @@ module EE
             optional :help_text, type: String, desc: 'GitLab server administrator information'
             optional :repository_size_limit, type: Integer, desc: 'Size limit per repository (MB)'
             optional :file_template_project_id, type: Integer, desc: 'ID of project where instance-level file templates are stored.'
-            optional :repository_storages, type: Array[String], desc: 'A list of names of enabled storage paths, taken from `gitlab.yml`. New projects will be created in one of these stores, chosen at random.'
+            optional :repository_storages, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'A list of names of enabled storage paths, taken from `gitlab.yml`. New projects will be created in one of these stores, chosen at random.'
             optional :usage_ping_enabled, type: Grape::API::Boolean, desc: 'Every week GitLab will report license usage back to GitLab, Inc.'
             optional :updating_name_disabled_for_users, type: Grape::API::Boolean, desc: 'Flag indicating if users are permitted to update their profile name'
             optional :disable_overriding_approvers_per_merge_request, type: Grape::API::Boolean, desc: 'Disable Users ability to overwrite approvers in merge requests.'

ee/spec/lib/ee/api/helpers_spec.rb

@@ -6,7 +6,7 @@ RSpec.describe EE::API::Helpers do
   include Rack::Test::Methods
 
   let(:helper) do
-    Class.new(Grape::API) do
+    Class.new(Grape::API::Instance) do
       helpers EE::API::Helpers
       helpers API::APIGuard::HelperMethods
       helpers API::Helpers

ee/spec/requests/api/geo_nodes_spec.rb

@@ -33,7 +33,7 @@ RSpec.describe API::GeoNodes, :request_store, :geo_fdw, :prometheus, api: true d
         url: 'http://example.com',
         selective_sync_type: "shards",
         selective_sync_shards: %w[shard1 shard2],
-        selective_sync_namespace_ids: [group_to_sync.id],
+        selective_sync_namespace_ids: group_to_sync.id,
         minimum_reverification_interval: 10
       }
       expect_any_instance_of(Geo::NodeCreateService).to receive(:execute).once.and_call_original

ee/spec/requests/api/merge_request_approval_rules_spec.rb

@@ -144,7 +144,9 @@ RSpec.describe API::MergeRequestApprovalRules do
     let(:current_user) { user }
     let(:url) { "/projects/#{project.id}/merge_requests/#{merge_request.iid}/approval_rules" }
     let(:approver) { create(:user) }
+    let(:other_approver) { create(:user) }
     let(:group) { create(:group) }
+    let(:other_group) { create(:group) }
     let(:approval_project_rule_id) { nil }
     let(:approver_params) do
       {
@@ -171,7 +173,9 @@ RSpec.describe API::MergeRequestApprovalRules do
       before do
         project.update!(disable_overriding_approvers_per_merge_request: false)
         project.add_developer(approver)
+        project.add_developer(other_approver)
         group.add_developer(approver)
+        other_group.add_developer(other_approver)
 
         action
       end
@@ -184,7 +188,7 @@ RSpec.describe API::MergeRequestApprovalRules do
 
         expect(rule['name']).to eq(params[:name])
         expect(rule['approvals_required']).to eq(params[:approvals_required])
-        expect(rule['rule_type']).to eq('regular')
+        expect(rule['rule_type']).to eq('any_approver')
         expect(rule['contains_hidden_groups']).to eq(false)
         expect(rule['source_rule']).to be_nil
         expect(rule['eligible_approvers']).to be_empty
@@ -193,24 +197,24 @@ RSpec.describe API::MergeRequestApprovalRules do
       end
 
       context 'users are passed' do
-        let(:user_ids) { [approver.id] }
+        let(:user_ids) { "#{approver.id},#{other_approver.id}" }
 
         it 'includes users' do
           rule = json_response
 
-          expect(rule['eligible_approvers']).to match([hash_including('id' => approver.id)])
-          expect(rule['users']).to match([hash_including('id' => approver.id)])
+          expect(rule['eligible_approvers'].map { |approver| approver['id'] }).to contain_exactly(approver.id, other_approver.id)
+          expect(rule['users'].map { |user| user['id'] }).to contain_exactly(approver.id, other_approver.id)
         end
       end
 
       context 'groups are passed' do
-        let(:group_ids) { [group.id] }
+        let(:group_ids) { "#{group.id},#{other_group.id}" }
 
         it 'includes groups' do
           rule = json_response
 
-          expect(rule['eligible_approvers']).to match([hash_including('id' => approver.id)])
-          expect(rule['groups']).to match([hash_including('id' => group.id)])
+          expect(rule['eligible_approvers'].map { |approver| approver['id'] }).to contain_exactly(approver.id, other_approver.id)
+          expect(rule['groups'].map { |group| group['id'] }).to contain_exactly(group.id, other_group.id)
         end
       end
 
@@ -279,6 +283,8 @@ RSpec.describe API::MergeRequestApprovalRules do
     let(:user_ids) { [] }
     let(:group_ids) { [] }
     let(:remove_hidden_groups) { nil }
+    let(:other_approver) { create(:user) }
+    let(:other_group) { create(:group) }
 
     let(:params) do
       {
@@ -299,8 +305,10 @@ RSpec.describe API::MergeRequestApprovalRules do
         project.update!(disable_overriding_approvers_per_merge_request: false)
         project.add_developer(existing_approver)
         project.add_developer(new_approver)
+        project.add_developer(other_approver)
         existing_group.add_developer(existing_approver)
         new_group.add_developer(new_approver)
+        other_group.add_developer(other_approver)
 
         action
       end
@@ -324,24 +332,24 @@ RSpec.describe API::MergeRequestApprovalRules do
       end
 
       context 'users are passed' do
-        let(:user_ids) { [new_approver.id] }
+        let(:user_ids) { "#{new_approver.id},#{existing_approver.id}" }
 
         it 'changes users' do
           rule = json_response
 
-          expect(rule['eligible_approvers']).to match([hash_including('id' => new_approver.id)])
-          expect(rule['users']).to match([hash_including('id' => new_approver.id)])
+          expect(rule['eligible_approvers'].map { |approver| approver['id'] }).to contain_exactly(new_approver.id, existing_approver.id)
+          expect(rule['users'].map { |user| user['id'] }).to contain_exactly(new_approver.id, existing_approver.id)
         end
       end
 
       context 'groups are passed' do
-        let(:group_ids) { [new_group.id] }
+        let(:group_ids) { "#{new_group.id},#{other_group.id}" }
 
         it 'changes groups' do
           rule = json_response
 
-          expect(rule['eligible_approvers']).to match([hash_including('id' => new_approver.id)])
-          expect(rule['groups']).to match([hash_including('id' => new_group.id)])
+          expect(rule['eligible_approvers'].map { |approver| approver['id'] }).to contain_exactly(new_approver.id, other_approver.id)
+          expect(rule['groups'].map { |group| group['id'] }).to contain_exactly(new_group.id, other_group.id)
         end
       end
 

ee/spec/requests/api/merge_request_approvals_spec.rb

@@ -342,7 +342,7 @@ RSpec.describe API::MergeRequestApprovals do
         it 'does not allow overriding approvers' do
           expect do
             put api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/approvers", current_user),
-              params: { approver_ids: [approver.id], approver_group_ids: [group.id] }
+              params: { approver_ids: approver.id.to_s, approver_group_ids: group.id.to_s }
           end.to not_change { merge_request.approvers.count }.and not_change { merge_request.approver_groups.count }
         end
       end
@@ -355,12 +355,12 @@ RSpec.describe API::MergeRequestApprovals do
         it 'allows overriding approvers' do
           expect do
             put api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/approvers", current_user),
-              params: { approver_ids: [approver.id], approver_group_ids: [group.id] }
-          end.to change { merge_request.approvers.count }.from(0).to(1)
+              params: { approver_ids: "#{approver.id},#{user2.id}", approver_group_ids: "#{group.id}" }
+          end.to change { merge_request.approvers.count }.from(0).to(2)
             .and change { merge_request.approver_groups.count }.from(0).to(1)
 
           expect(response).to have_gitlab_http_status(:ok)
-          expect(json_response['approvers'][0]['user']['username']).to eq(approver.username)
+          expect(json_response['approvers'].map { |approver| approver['user'] }.map { |user| user['username'] }).to contain_exactly(approver.username, user2.username)
           expect(json_response['approver_groups'][0]['group']['name']).to eq(group.name)
         end
 
@@ -370,7 +370,7 @@ RSpec.describe API::MergeRequestApprovals do
 
           expect do
             put api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/approvers", current_user),
-              params: { approver_ids: [], approver_group_ids: [] }.to_json, headers: { CONTENT_TYPE: 'application/json' }
+              params: { approver_ids: '', approver_group_ids: '' }.to_json, headers: { CONTENT_TYPE: 'application/json' }
           end.to change { merge_request.approvers.count }.from(1).to(0)
             .and change { merge_request.approver_groups.count }.from(1).to(0)
 

ee/spec/requests/api/project_approval_rules_spec.rb

@@ -9,6 +9,7 @@ RSpec.describe API::ProjectApprovalRules do
   let_it_be(:admin) { create(:user, :admin) }
   let_it_be(:project) { create(:project, :public, :repository, creator: user, namespace: user.namespace, only_allow_merge_if_pipeline_succeeds: false) }
   let_it_be(:approver) { create(:user) }
+  let_it_be(:other_approver) { create(:user) }
 
   describe 'GET /projects/:id/approval_rules' do
     let(:url) { "/projects/#{project.id}/approval_rules" }

ee/spec/requests/api/project_approval_settings_spec.rb

@@ -9,6 +9,7 @@ RSpec.describe API::ProjectApprovalSettings do
   let_it_be(:admin) { create(:user, :admin) }
   let_it_be(:project) { create(:project, :public, :repository, creator: user, namespace: user.namespace, only_allow_merge_if_pipeline_succeeds: false) }
   let_it_be(:approver) { create(:user) }
+  let_it_be(:other_approver) { create(:user) }
 
   describe 'GET /projects/:id/approval_settings' do
     let(:url) { "/projects/#{project.id}/approval_settings" }

ee/spec/support/shared_examples/requests/api/project_approval_rules_api_shared_examples.rb

@@ -79,6 +79,7 @@ RSpec.shared_examples 'an API endpoint for updating project approval rule' do
   shared_examples 'a user with access' do
     before do
       project.add_developer(approver)
+      project.add_developer(other_approver)
     end
 
     context 'when protected_branch_ids param is present' do
@@ -117,10 +118,10 @@ RSpec.shared_examples 'an API endpoint for updating project approval rule' do
 
     it 'sets approvers' do
       expect do
-        put api(url, current_user), params: { users: [approver.id] }
-      end.to change { approval_rule.users.count }.from(0).to(1)
+        put api(url, current_user), params: { users: "#{approver.id},#{other_approver.id}" }
+      end.to change { approval_rule.users.count }.from(0).to(2)
 
-      expect(approval_rule.users).to contain_exactly(approver)
+      expect(approval_rule.users).to contain_exactly(approver, other_approver)
       expect(approval_rule.groups).to be_empty
 
       expect(response).to have_gitlab_http_status(:ok)

lib/api/access_requests.rb

 # frozen_string_literal: true
 
 module API
-  class AccessRequests < Grape::API
+  class AccessRequests < Grape::API::Instance
     include PaginationParams
 
     before { authenticate! }

lib/api/admin/ci/variables.rb

@@ -3,7 +3,7 @@
 module API
   module Admin
     module Ci
-      class Variables < Grape::API
+      class Variables < Grape::API::Instance
         include PaginationParams
 
         before { authenticated_as_admin! }

lib/api/admin/sidekiq.rb

@@ -2,7 +2,7 @@
 
 module API
   module Admin
-    class Sidekiq < Grape::API
+    class Sidekiq < Grape::API::Instance
       before { authenticated_as_admin! }
 
       namespace 'admin' do

lib/api/api.rb

 # frozen_string_literal: true
 
 module API
-  class API < Grape::API
+  class API < Grape::API::Instance
     include APIGuard
 
     LOG_FILENAME = Rails.root.join("log", "api_json.log")
@@ -46,6 +46,8 @@ module API
     end
 
     before do
+      coerce_nil_params_to_array!
+
       Gitlab::ApplicationContext.push(
         user: -> { @current_user },
         project: -> { @project },

lib/api/api_guard.rb

@@ -153,7 +153,16 @@ module API
                 { scope: e.scopes })
             end
 
-          response.finish
+          finished_response = nil
+          response.finish do |rack_response|
+            # Grape expects a Rack::Response
+            # (https://github.com/ruby-grape/grape/commit/c117bff7d22971675f4b34367d3a98bc31c8fc02),
+            # and we need to retrieve it here:
+            # https://github.com/nov/rack-oauth2/blob/40c9a99fd80486ccb8de0e4869ae384547c0d703/lib/rack/oauth2/server/abstract/error.rb#L28
+            finished_response = rack_response
+          end
+
+          finished_response
         end
       end
     end

lib/api/appearance.rb

 # frozen_string_literal: true
 
 module API
-  class Appearance < Grape::API
+  class Appearance < Grape::API::Instance
     before { authenticated_as_admin! }
 
     helpers do

lib/api/applications.rb

@@ -2,7 +2,7 @@
 
 module API
   # External applications API
-  class Applications < Grape::API
+  class Applications < Grape::API::Instance
     before { authenticated_as_admin! }
 
     resource :applications do

lib/api/avatar.rb

 # frozen_string_literal: true
 
 module API
-  class Avatar < Grape::API
+  class Avatar < Grape::API::Instance
     resource :avatar do
       desc 'Return avatar url for a user' do
         success Entities::Avatar

lib/api/award_emoji.rb

 # frozen_string_literal: true
 
 module API
-  class AwardEmoji < Grape::API
+  class AwardEmoji < Grape::API::Instance
     include PaginationParams
 
     before { authenticate! }

lib/api/badges.rb

 # frozen_string_literal: true
 
 module API
-  class Badges < Grape::API
+  class Badges < Grape::API::Instance
     include PaginationParams
 
     before { authenticate_non_get! }

lib/api/boards.rb

 # frozen_string_literal: true
 
 module API
-  class Boards < Grape::API
+  class Boards < Grape::API::Instance
     include BoardsResponses
     include PaginationParams
 

lib/api/branches.rb

@@ -3,7 +3,7 @@
 require 'mime/types'
 
 module API
-  class Branches < Grape::API
+  class Branches < Grape::API::Instance
     include PaginationParams
 
     BRANCH_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(branch: API::NO_SLASH_URL_PART_REGEX)

lib/api/broadcast_messages.rb

 # frozen_string_literal: true
 
 module API
-  class BroadcastMessages < Grape::API
+  class BroadcastMessages < Grape::API::Instance
     include PaginationParams
 
     resource :broadcast_messages do

lib/api/ci/runner.rb

@@ -2,7 +2,7 @@
 
 module API
   module Ci
-    class Runner < Grape::API
+    class Runner < Grape::API::Instance
       helpers ::API::Helpers::Runner
 
       resource :runners do
@@ -19,7 +19,7 @@ module API
           optional :access_level, type: String, values: ::Ci::Runner.access_levels.keys,
                                   desc: 'The access_level of the runner'
           optional :run_untagged, type: Boolean, desc: 'Should Runner handle untagged jobs'
-          optional :tag_list, type: Array[String], desc: %q(List of Runner's tags)
+          optional :tag_list, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: %q(List of Runner's tags)
           optional :maximum_timeout, type: Integer, desc: 'Maximum timeout set when this Runner will handle the job'
         end
         post '/' do

lib/api/ci/runners.rb

@@ -2,7 +2,7 @@
 
 module API
   module Ci
-    class Runners < Grape::API
+    class Runners < Grape::API::Instance
       include PaginationParams
 
       before { authenticate! }
@@ -18,7 +18,7 @@ module API
                           desc: 'The type of the runners to show'
           optional :status, type: String, values: ::Ci::Runner::AVAILABLE_STATUSES,
                             desc: 'The status of the runners to show'
-          optional :tag_list, type: Array[String], desc: 'The tags of the runners to show'
+          optional :tag_list, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'The tags of the runners to show'
           use :pagination
         end
         get do
@@ -41,7 +41,7 @@ module API
                           desc: 'The type of the runners to show'
           optional :status, type: String, values: ::Ci::Runner::AVAILABLE_STATUSES,
                             desc: 'The status of the runners to show'
-          optional :tag_list, type: Array[String], desc: 'The tags of the runners to show'
+          optional :tag_list, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'The tags of the runners to show'
           use :pagination
         end
         get 'all' do
@@ -76,7 +76,7 @@ module API
           requires :id, type: Integer, desc: 'The ID of the runner'
           optional :description, type: String, desc: 'The description of the runner'
           optional :active, type: Boolean, desc: 'The state of a runner'
-          optional :tag_list, type: Array[String], desc: 'The list of tags for a runner'
+          optional :tag_list, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'The list of tags for a runner'
           optional :run_untagged, type: Boolean, desc: 'Flag indicating the runner can execute untagged jobs'
           optional :locked, type: Boolean, desc: 'Flag indicating the runner is locked'
           optional :access_level, type: String, values: ::Ci::Runner.access_levels.keys,
@@ -146,7 +146,7 @@ module API
                           desc: 'The type of the runners to show'
           optional :status, type: String, values: ::Ci::Runner::AVAILABLE_STATUSES,
                             desc: 'The status of the runners to show'
-          optional :tag_list, type: Array[String], desc: 'The tags of the runners to show'
+          optional :tag_list, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'The tags of the runners to show'
           use :pagination
         end
         get ':id/runners' do
@@ -209,7 +209,7 @@ module API
                   desc: 'The type of the runners to show'
           optional :status, type: String, values: ::Ci::Runner::AVAILABLE_STATUSES,
                   desc: 'The status of the runners to show'
-          optional :tag_list, type: Array[String], desc: 'The tags of the runners to show'
+          optional :tag_list, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'The tags of the runners to show'
           use :pagination
         end
         get ':id/runners' do

lib/api/commit_statuses.rb

@@ -3,7 +3,7 @@
 require 'mime/types'
 
 module API
-  class CommitStatuses < Grape::API
+  class CommitStatuses < Grape::API::Instance
     params do
       requires :id, type: String, desc: 'The ID of a project'
     end

lib/api/commits.rb

@@ -3,7 +3,7 @@
 require 'mime/types'
 
 module API
-  class Commits < Grape::API
+  class Commits < Grape::API::Instance
     include PaginationParams
 
     before do

lib/api/container_registry_event.rb

 # frozen_string_literal: true
 
 module API
-  class ContainerRegistryEvent < Grape::API
+  class ContainerRegistryEvent < Grape::API::Instance
     DOCKER_DISTRIBUTION_EVENTS_V1_JSON = 'application/vnd.docker.distribution.events.v1+json'
 
     before { authenticate_registry_notification! }

lib/api/deploy_keys.rb

 # frozen_string_literal: true
 
 module API
-  class DeployKeys < Grape::API
+  class DeployKeys < Grape::API::Instance
     include PaginationParams
 
     before { authenticate! }

lib/api/deploy_tokens.rb

 # frozen_string_literal: true
 
 module API
-  class DeployTokens < Grape::API
+  class DeployTokens < Grape::API::Instance
     include PaginationParams
 
     helpers do
@@ -56,7 +56,7 @@ module API
 
       params do
         requires :name, type: String, desc: "New deploy token's name"
-        requires :scopes, type: Array[String], values: ::DeployToken::AVAILABLE_SCOPES.map(&:to_s),
+        requires :scopes, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, values: ::DeployToken::AVAILABLE_SCOPES.map(&:to_s),
           desc: 'Indicates the deploy token scopes. Must be at least one of "read_repository", "read_registry", "write_registry", "read_package_registry", or "write_package_registry".'
         optional :expires_at, type: DateTime, desc: 'Expiration date for the deploy token. Does not expire if no value is provided.'
         optional :username, type: String, desc: 'Username for deploy token. Default is `gitlab+deploy-token-{n}`'
@@ -119,7 +119,7 @@ module API
 
       params do
         requires :name, type: String, desc: 'The name of the deploy token'
-        requires :scopes, type: Array[String], values: ::DeployToken::AVAILABLE_SCOPES.map(&:to_s),
+        requires :scopes, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, values: ::DeployToken::AVAILABLE_SCOPES.map(&:to_s),
           desc: 'Indicates the deploy token scopes. Must be at least one of "read_repository", "read_registry", "write_registry", "read_package_registry", or "write_package_registry".'
         optional :expires_at, type: DateTime, desc: 'Expiration date for the deploy token. Does not expire if no value is provided.'
         optional :username, type: String, desc: 'Username for deploy token. Default is `gitlab+deploy-token-{n}`'

lib/api/deployments.rb

@@ -2,7 +2,7 @@
 
 module API
   # Deployments RESTful API endpoints
-  class Deployments < Grape::API
+  class Deployments < Grape::API::Instance
     include PaginationParams
 
     before { authenticate! }

lib/api/discussions.rb

 # frozen_string_literal: true
 
 module API
-  class Discussions < Grape::API
+  class Discussions < Grape::API::Instance
     include PaginationParams
     helpers ::API::Helpers::NotesHelpers
     helpers ::RendersNotes

lib/api/environments.rb

@@ -2,7 +2,7 @@
 
 module API
   # Environments RESTfull API endpoints
-  class Environments < Grape::API
+  class Environments < Grape::API::Instance
     include PaginationParams
 
     before { authenticate! }

lib/api/error_tracking.rb

 # frozen_string_literal: true
 
 module API
-  class ErrorTracking < Grape::API
+  class ErrorTracking < Grape::API::Instance
     before { authenticate! }
 
     params do

lib/api/events.rb

 # frozen_string_literal: true
 
 module API
-  class Events < Grape::API
+  class Events < Grape::API::Instance
     include PaginationParams
     include APIGuard
     helpers ::API::Helpers::EventsHelpers

lib/api/features.rb

 # frozen_string_literal: true
 
 module API
-  class Features < Grape::API
+  class Features < Grape::API::Instance
     before { authenticated_as_admin! }
 
     helpers do

lib/api/files.rb

 # frozen_string_literal: true
 
 module API
-  class Files < Grape::API
+  class Files < Grape::API::Instance
     include APIGuard
 
     FILE_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(file_path: API::NO_SLASH_URL_PART_REGEX)

lib/api/freeze_periods.rb

 # frozen_string_literal: true
 
 module API
-  class FreezePeriods < Grape::API
+  class FreezePeriods < Grape::API::Instance
     include PaginationParams
 
     before { authenticate! }

lib/api/group_boards.rb

 # frozen_string_literal: true
 
 module API
-  class GroupBoards < Grape::API
+  class GroupBoards < Grape::API::Instance
     include BoardsResponses
     include PaginationParams
 

lib/api/group_clusters.rb

 # frozen_string_literal: true
 
 module API
-  class GroupClusters < Grape::API
+  class GroupClusters < Grape::API::Instance
     include PaginationParams
 
     before { authenticate! }

lib/api/group_container_repositories.rb

 # frozen_string_literal: true
 
 module API
-  class GroupContainerRepositories < Grape::API
+  class GroupContainerRepositories < Grape::API::Instance
     include PaginationParams
 
     before { authorize_read_group_container_images! }

lib/api/group_export.rb

 # frozen_string_literal: true
 
 module API
-  class GroupExport < Grape::API
+  class GroupExport < Grape::API::Instance
     helpers Helpers::RateLimiter
 
     before do

lib/api/group_import.rb

 # frozen_string_literal: true
 
 module API
-  class GroupImport < Grape::API
+  class GroupImport < Grape::API::Instance
     helpers Helpers::FileUploadHelpers
 
     helpers do