Merge pull request #202541 from yayayayaka/gitlab-15.6.0

gitlab: 15.4.4 -> 15.6.0

nixos/modules/services/misc/gitlab.nix

@@ -16,22 +16,6 @@ let
                       else
                         pkgs.postgresql_12;
 
-  # Git 2.36.1 seemingly contains a commit-graph related bug which is
-  # easily triggered through GitLab, so we downgrade it to 2.35.x
-  # until this issue is solved. See
-  # https://gitlab.com/gitlab-org/gitlab/-/issues/360783#note_992870101.
-  gitPackage =
-    let
-      version = "2.35.4";
-    in
-      pkgs.git.overrideAttrs (oldAttrs: rec {
-        inherit version;
-        src = pkgs.fetchurl {
-          url = "https://www.kernel.org/pub/software/scm/git/git-${version}.tar.xz";
-          sha256 = "sha256-mv13OdNkXggeKQkJ+47QcJ6lYmcw6Qjri1ZJ2ETCTOk=";
-        };
-      });
-
   gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket";
   gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket";
   pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url;
@@ -60,7 +44,7 @@ let
     prometheus_listen_addr = "localhost:9236"
 
     [git]
-    bin_path = "${gitPackage}/bin/git"
+    bin_path = "${pkgs.git}/bin/git"
 
     [gitaly-ruby]
     dir = "${cfg.packages.gitaly.ruby}"
@@ -157,7 +141,7 @@ let
       };
       workhorse.secret_file = "${cfg.statePath}/.gitlab_workhorse_secret";
       gitlab_kas.secret_file = "${cfg.statePath}/.gitlab_kas_secret";
-      git.bin_path = "${gitPackage}/bin/git";
+      git.bin_path = "git";
       monitoring = {
         ip_whitelist = [ "127.0.0.0/8" "::1/128" ];
         sidekiq_exporter = {
@@ -1325,7 +1309,7 @@ in {
       });
       path = with pkgs; [
         postgresqlPackage
-        gitPackage
+        git
         ruby
         openssh
         nodejs
@@ -1356,7 +1340,7 @@ in {
       path = with pkgs; [
         openssh
         procps  # See https://gitlab.com/gitlab-org/gitaly/issues/1562
-        gitPackage
+        git
         cfg.packages.gitaly.rubyEnv
         cfg.packages.gitaly.rubyEnv.wrappedRuby
         gzip
@@ -1402,7 +1386,7 @@ in {
       path = with pkgs; [
         remarshal
         exiftool
-        gitPackage
+        git
         gnutar
         gzip
         openssh
@@ -1475,7 +1459,7 @@ in {
       environment = gitlabEnv;
       path = with pkgs; [
         postgresqlPackage
-        gitPackage
+        git
         openssh
         nodejs
         procps

pkgs/applications/version-management/gitlab/data.json

@@ -1,15 +1,15 @@
 {
-  "version": "15.4.4",
-  "repo_hash": "sha256-iIgN1j02Lr/RtNeopqs6ndFqw8YIU2F6c49RGWvpmgc=",
-  "yarn_hash": "1r33qrvwf2wmq5c1d2awk9qhk9nzvafqn3drdvnczfv43sda4lg8",
+  "version": "15.6.0",
+  "repo_hash": "sha256-7Pjksu1l2QfhpYieEGB9coypSt/0iMfptCa69Iaoe3s=",
+  "yarn_hash": "0lgl8rs9mlrwpzq75rywdbjbiib17wxvzlv1jibnx66iw1ym2rvh",
   "owner": "gitlab-org",
   "repo": "gitlab",
-  "rev": "v15.4.4-ee",
+  "rev": "v15.6.0-ee",
   "passthru": {
-    "GITALY_SERVER_VERSION": "15.4.4",
-    "GITLAB_PAGES_VERSION": "1.62.0",
-    "GITLAB_SHELL_VERSION": "14.10.0",
-    "GITLAB_WORKHORSE_VERSION": "15.4.4"
+    "GITALY_SERVER_VERSION": "15.6.0",
+    "GITLAB_PAGES_VERSION": "1.63.0",
+    "GITLAB_SHELL_VERSION": "14.13.0",
+    "GITLAB_WORKHORSE_VERSION": "15.6.0"
   },
   "vendored_gems": [
     "bundler-checksum",
@@ -17,9 +17,9 @@
     "omniauth-azure-oauth2",
     "omniauth-cas3",
     "omniauth-gitlab",
-    "omniauth-google-oauth2",
     "omniauth_crowd",
     "omniauth-salesforce",
+    "attr_encrypted",
     "mail-smtp_pool",
     "microsoft_graph_mailer",
     "ipynbdiff",

pkgs/applications/version-management/gitlab/default.nix

@@ -108,7 +108,7 @@ let
 
       bundle exec rake gettext:po_to_json RAILS_ENV=production NODE_ENV=production
       bundle exec rake rake:assets:precompile RAILS_ENV=production NODE_ENV=production
-      bundle exec rake gitlab:assets:compile_webpack_if_needed RAILS_ENV=production NODE_ENV=production
+      bundle exec rake gitlab:assets:compile RAILS_ENV=production NODE_ENV=production
       bundle exec rake gitlab:assets:fix_urls RAILS_ENV=production NODE_ENV=production
       bundle exec rake gitlab:assets:check_page_bundle_mixins_css_for_sideeffects RAILS_ENV=production NODE_ENV=production
 
@@ -137,9 +137,6 @@ stdenv.mkDerivation {
   patches = [
     # Change hardcoded paths to the NixOS equivalent
     ./remove-hardcoded-locations.patch
-
-    # Bump pg to 1.4.3 (see https://github.com/NixOS/nixpkgs/pull/187946)
-    ./update-pg.patch
   ];
 
   postPatch = ''

pkgs/applications/version-management/gitlab/gitaly/Gemfile

@@ -4,22 +4,27 @@ gem 'rugged', '~> 1.2'
 gem 'github-linguist', '~> 7.20.0', require: 'linguist'
 gem 'gitlab-markup', '~> 1.7.1'
 gem 'activesupport', '~> 6.1.6.1'
-gem 'rdoc', '~> 6.0'
-gem 'gitlab-gollum-lib', '~> 4.2.7.10.gitlab.2', require: false
-gem 'gitlab-gollum-rugged_adapter', '~> 0.4.4.4.gitlab.1', require: false
 gem 'grpc', '~> 1.42.0' # keep in lock-step with grpc-tools
 gem 'sentry-raven', '~> 3.0', require: false
-gem 'faraday', '~> 1.0'
 gem 'rbtrace', require: false
 
+# The Gitaly Gem contains the Protobuf and gRPC definitions required by the
+# Ruby sidecar.
+gem 'gitaly', '~> 15.5.0'
+
 # Labkit provides observability functionality
-gem 'gitlab-labkit', '~> 0.24'
+gem 'gitlab-labkit', '~> 0.28'
 
 # Detects the open source license the repository includes
 # This version needs to be in sync with GitLab CE/EE
 gem 'licensee', '~> 9.15'
 
-gem 'google-protobuf', '~> 3.21.0'
+gem 'google-protobuf', '~> 3.21.9'
+
+# Rails is currently blocked on the upgrade to the new major version for Redis,
+# so we don't upgrade either until the issue is resolved. This is an indirect
+# dependency and can thus be removed when the version constraint is gone.
+gem 'redis', '~> 4.8.0'
 
 group :development, :test do
   gem 'rubocop', '~> 0.69', require: false
@@ -28,8 +33,6 @@ group :development, :test do
   gem 'timecop', require: false
   gem 'factory_bot', require: false
   gem 'pry', '~> 0.12.2', require: false
-
-  gem 'grpc-tools', '~> 1.42.0'
 end
 
 # Gems required in omnibus-gitlab pipeline

pkgs/applications/version-management/gitlab/gitaly/Gemfile.lock

@@ -46,33 +46,21 @@ GEM
     faraday (1.0.1)
       multipart-post (>= 1.2, < 3)
     ffi (1.15.5)
-    gemojione (3.3.0)
-      json
+    gitaly (15.5.0)
+      grpc (~> 1.0)
     github-linguist (7.20.0)
       charlock_holmes (~> 0.7.7)
       escape_utils (~> 1.2.0)
       mini_mime (~> 1.0)
       rugged (~> 1.0)
-    github-markup (1.7.0)
-    gitlab-gollum-lib (4.2.7.10.gitlab.2)
-      gemojione (~> 3.2)
-      github-markup (~> 1.6)
-      gitlab-gollum-rugged_adapter (~> 0.4.4.4.gitlab.1)
-      nokogiri (>= 1.6.1, < 2.0)
-      rouge (~> 3.1)
-      sanitize (~> 6.0)
-      stringex (~> 2.6)
-    gitlab-gollum-rugged_adapter (0.4.4.4.gitlab.1)
-      mime-types (>= 1.15)
-      rugged (~> 1.0)
-    gitlab-labkit (0.24.0)
+    gitlab-labkit (0.28.0)
       actionpack (>= 5.0.0, < 8.0.0)
       activesupport (>= 5.0.0, < 8.0.0)
       grpc (>= 1.37)
       jaeger-client (~> 1.1.0)
       opentracing (~> 0.4)
       pg_query (~> 2.1)
-      redis (> 3.0.0, < 5.0.0)
+      redis (> 3.0.0, < 6.0.0)
     gitlab-license_finder (6.14.2.1)
       bundler
       rubyzip (>= 1, < 3)
@@ -81,35 +69,30 @@ GEM
       with_env (= 1.1.0)
       xml-simple (~> 1.1.5)
     gitlab-markup (1.7.1)
-    google-protobuf (3.21.5)
+    google-protobuf (3.21.9)
     googleapis-common-protos-types (1.4.0)
       google-protobuf (~> 3.14)
     grpc (1.42.0)
       google-protobuf (~> 3.18)
       googleapis-common-protos-types (~> 1.0)
-    grpc-tools (1.42.0)
     i18n (1.12.0)
       concurrent-ruby (~> 1.0)
     ice_nine (0.11.2)
     jaeger-client (1.1.0)
       opentracing (~> 0.3)
       thrift
-    json (2.5.1)
     licensee (9.15.2)
       dotenv (~> 2.0)
       octokit (~> 4.20)
       reverse_markdown (~> 1.0)
       rugged (>= 0.24, < 2.0)
       thor (>= 0.19, < 2.0)
-    loofah (2.18.0)
+    loofah (2.19.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     memoizable (0.4.2)
       thread_safe (~> 0.3, >= 0.3.1)
     method_source (0.9.2)
-    mime-types (3.3.1)
-      mime-types-data (~> 3.2015)
-    mime-types-data (3.2020.1104)
     mini_mime (1.1.2)
     mini_portile2 (2.8.0)
     minitest (5.16.3)
@@ -126,7 +109,7 @@ GEM
     parallel (1.19.2)
     parser (3.0.3.2)
       ast (~> 2.4.1)
-    pg_query (2.1.3)
+    pg_query (2.2.0)
       google-protobuf (>= 3.19.2)
     proc_to_ast (0.1.0)
       coderay
@@ -151,13 +134,11 @@ GEM
       ffi (>= 1.0.6)
       msgpack (>= 0.4.3)
       optimist (>= 3.0.0)
-    rdoc (6.3.2)
     redis (4.8.0)
     regexp_parser (1.8.1)
     reverse_markdown (1.4.0)
       nokogiri
     rexml (3.2.5)
-    rouge (3.30.0)
     rspec (3.8.0)
       rspec-core (~> 3.8.0)
       rspec-expectations (~> 3.8.0)
@@ -191,18 +172,14 @@ GEM
     ruby-progressbar (1.10.1)
     rubyzip (2.3.2)
     rugged (1.2.0)
-    sanitize (6.0.0)
-      crass (~> 1.0.2)
-      nokogiri (>= 1.12.0)
     sawyer (0.8.2)
       addressable (>= 2.3.5)
       faraday (> 0.8, < 2.0)
     sentry-raven (3.0.4)
       faraday (>= 1.0)
-    stringex (2.8.5)
     thor (1.1.0)
     thread_safe (0.3.6)
-    thrift (0.16.0)
+    thrift (0.17.0)
     timecop (0.9.1)
     tomlrb (2.0.1)
     tzinfo (2.0.5)
@@ -227,20 +204,17 @@ PLATFORMS
 DEPENDENCIES
   activesupport (~> 6.1.6.1)
   factory_bot
-  faraday (~> 1.0)
+  gitaly (~> 15.5.0)
   github-linguist (~> 7.20.0)
-  gitlab-gollum-lib (~> 4.2.7.10.gitlab.2)
-  gitlab-gollum-rugged_adapter (~> 0.4.4.4.gitlab.1)
-  gitlab-labkit (~> 0.24)
+  gitlab-labkit (~> 0.28)
   gitlab-license_finder
   gitlab-markup (~> 1.7.1)
-  google-protobuf (~> 3.21.0)
+  google-protobuf (~> 3.21.9)
   grpc (~> 1.42.0)
-  grpc-tools (~> 1.42.0)
   licensee (~> 9.15)
   pry (~> 0.12.2)
   rbtrace
-  rdoc (~> 6.0)
+  redis (~> 4.8.0)
   rspec
   rspec-parameterized
   rubocop (~> 0.69)
@@ -249,4 +223,4 @@ DEPENDENCIES
   timecop
 
 BUNDLED WITH
-   2.3.15
+   2.3.24

pkgs/applications/version-management/gitlab/gitaly/default.nix

@@ -1,7 +1,7 @@
 { lib, fetchFromGitLab, fetchFromGitHub, buildGoModule, ruby
 , bundlerEnv, pkg-config
 # libgit2 + dependencies
-, libgit2_1_3_0, openssl, zlib, pcre, http-parser }:
+, libgit2, openssl, zlib, pcre, http-parser }:
 
 let
   rubyEnv = bundlerEnv rec {
@@ -11,7 +11,7 @@ let
     gemdir = ./.;
   };
 
-  version = "15.4.4";
+  version = "15.6.0";
   package_version = "v${lib.versions.major version}";
   gitaly_package = "gitlab.com/gitlab-org/gitaly/${package_version}";
 
@@ -22,17 +22,17 @@ let
       owner = "gitlab-org";
       repo = "gitaly";
       rev = "v${version}";
-      sha256 = "sha256-b8ChQYaj+7snlrLP4P9FIUSIq/SNMh9hFlFajOPcBEU=";
+      sha256 = "sha256-MQFvDSQhmlCz+ox9TFFEd+q2beDUXYVhIyEWWnxn7r0=";
     };
 
-    vendorSha256 = "sha256-CUFYHjmOfosM3mfw0qEY+AQcR8U3J/1lU2Ml6wSZ/QM=";
+    vendorSha256 = "sha256-SEPfso27PHHpvnQwdeMQYECw/CZIa/NdpMBSTRJEwIo=";
 
     ldflags = [ "-X ${gitaly_package}/internal/version.version=${version}" "-X ${gitaly_package}/internal/version.moduleVersion=${version}" ];
 
     tags = [ "static,system_libgit2" ];
 
     nativeBuildInputs = [ pkg-config ];
-    buildInputs = [ rubyEnv.wrappedRuby libgit2_1_3_0 openssl zlib pcre http-parser ];
+    buildInputs = [ rubyEnv.wrappedRuby libgit2 openssl zlib pcre http-parser ];
 
     doCheck = false;
   };
@@ -59,7 +59,7 @@ buildGoModule ({
 
   postInstall = ''
     mkdir -p $ruby
-    cp -rv $src/ruby/{bin,lib,proto} $ruby
+    cp -rv $src/ruby/{bin,lib} $ruby
   '';
 
   outputs = [ "out" "ruby" ];

pkgs/applications/version-management/gitlab/gitaly/gemset.nix

@@ -215,14 +215,16 @@
     };
     version = "1.15.5";
   };
-  gemojione = {
-    dependencies = ["json"];
+  gitaly = {
+    dependencies = ["grpc"];
+    groups = ["default"];
+    platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "0ayk8r147k1s38nj18pwk76npx1p7jhi86silk800nj913pjvrhj";
+      sha256 = "0hpgljz05rhik15z081ghxw9pw83vz78p12wjdgxj3qz1a4x8pfq";
       type = "gem";
     };
-    version = "3.3.0";
+    version = "15.5.0";
   };
   github-linguist = {
     dependencies = ["charlock_holmes" "escape_utils" "mini_mime" "rugged"];
@@ -235,46 +237,16 @@
     };
     version = "7.20.0";
   };
-  github-markup = {
-    source = {
-      remotes = ["https://rubygems.org"];
-      sha256 = "17g6g18gdjg63k75sfwiskjzl9i0hfcnrkcpb4fwrnb20v3jgswp";
-      type = "gem";
-    };
-    version = "1.7.0";
-  };
-  gitlab-gollum-lib = {
-    dependencies = ["gemojione" "github-markup" "gitlab-gollum-rugged_adapter" "nokogiri" "rouge" "sanitize" "stringex"];
-    groups = ["default"];
-    platforms = [];
-    source = {
-      remotes = ["https://rubygems.org"];
-      sha256 = "1vs6frgnhhfnyicsjck39xibmn7xc6ji7wvznvfmr53f4smqjk40";
-      type = "gem";
-    };
-    version = "4.2.7.10.gitlab.2";
-  };
-  gitlab-gollum-rugged_adapter = {
-    dependencies = ["mime-types" "rugged"];
-    groups = ["default"];
-    platforms = [];
-    source = {
-      remotes = ["https://rubygems.org"];
-      sha256 = "0gvgqfn05swsazfxdwmlqcq8v2pjyy7dmyl3bd8b8jrrxbpmpxxg";
-      type = "gem";
-    };
-    version = "0.4.4.4.gitlab.1";
-  };
   gitlab-labkit = {
     dependencies = ["actionpack" "activesupport" "grpc" "jaeger-client" "opentracing" "pg_query" "redis"];
     groups = ["default"];
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "0j0598m9445msa0rksl1l1cvd11wsnyq1s4gjmcbw18a9smfa5lg";
+      sha256 = "0m2n5lvnm5nxn7bc6bqm3ycwk47kck6nl1c0s83pcvsn6qizbsx7";
       type = "gem";
     };
-    version = "0.24.0";
+    version = "0.28.0";
   };
   gitlab-license_finder = {
     dependencies = ["rubyzip" "thor" "tomlrb" "with_env" "xml-simple"];
@@ -302,10 +274,10 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "1ysvm5mxx1knjp3sbhi18nswaml625vbgm3gbh7is14h4d8fwjy9";
+      sha256 = "1p4aa5nnkkrdd3v3i57092vj2agj7ih3zavymw451j52k8anqras";
       type = "gem";
     };
-    version = "3.21.5";
+    version = "3.21.9";
   };
   googleapis-common-protos-types = {
     dependencies = ["google-protobuf"];
@@ -329,16 +301,6 @@
     };
     version = "1.42.0";
   };
-  grpc-tools = {
-    groups = ["development" "test"];
-    platforms = [];
-    source = {
-      remotes = ["https://rubygems.org"];
-      sha256 = "0xipvw8zcm1c3pna6fgmy83x0yvffii8d7wafwcxmszxa647brw1";
-      type = "gem";
-    };
-    version = "1.42.0";
-  };
   i18n = {
     dependencies = ["concurrent-ruby"];
     groups = ["default" "development" "test"];
@@ -369,16 +331,6 @@
     };
     version = "1.1.0";
   };
-  json = {
-    groups = ["default"];
-    platforms = [];
-    source = {
-      remotes = ["https://rubygems.org"];
-      sha256 = "0lrirj0gw420kw71bjjlqkqhqbrplla61gbv1jzgsz6bv90qr3ci";
-      type = "gem";
-    };
-    version = "2.5.1";
-  };
   licensee = {
     dependencies = ["dotenv" "octokit" "reverse_markdown" "rugged" "thor"];
     groups = ["default"];
@@ -396,10 +348,10 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "18ymp6l3bv7abz07k6qbbi9c9vsiahq30d2smh4qzsvag8j5m5v1";
+      sha256 = "1fpyk1965py77al7iadkn5dibwgvybknkr7r8bii2dj73wvr29rh";
       type = "gem";
     };
-    version = "2.18.0";
+    version = "2.19.0";
   };
   memoizable = {
     dependencies = ["thread_safe"];
@@ -418,27 +370,6 @@
     };
     version = "0.9.2";
   };
-  mime-types = {
-    dependencies = ["mime-types-data"];
-    groups = ["default"];
-    platforms = [];
-    source = {
-      remotes = ["https://rubygems.org"];
-      sha256 = "1zj12l9qk62anvk9bjvandpa6vy4xslil15wl6wlivyf51z773vh";
-      type = "gem";
-    };
-    version = "3.3.1";
-  };
-  mime-types-data = {
-    groups = ["default"];
-    platforms = [];
-    source = {
-      remotes = ["https://rubygems.org"];
-      sha256 = "0ipjyfwn9nlvpcl8knq3jk4g5f12cflwdbaiqxcq1s7vwfwfxcag";
-      type = "gem";
-    };
-    version = "3.2020.1104";
-  };
   mini_mime = {
     groups = ["default"];
     platforms = [];
@@ -558,10 +489,10 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "00bhwkhjy6bkp04313m5il7vd165i3fz0x4jissflf66i164ppgk";
+      sha256 = "0l79y41nwwacabj61jkbh4r7haajaf8y4bn5pihh0m1g8547b8w4";
       type = "gem";
     };
-    version = "2.1.3";
+    version = "2.2.0";
   };
   proc_to_ast = {
     dependencies = ["coderay" "parser" "unparser"];
@@ -671,16 +602,6 @@
     };
     version = "0.4.14";
   };
-  rdoc = {
-    groups = ["default"];
-    platforms = [];
-    source = {
-      remotes = ["https://rubygems.org"];
-      sha256 = "19h5g3g7k7wggy9amfx8b3m09ss7wrakbrva2xnda9sw4chagx6y";
-      type = "gem";
-    };
-    version = "6.3.2";
-  };
   redis = {
     groups = ["default"];
     platforms = [];
@@ -722,16 +643,6 @@
     };
     version = "3.2.5";
   };
-  rouge = {
-    groups = ["default"];
-    platforms = [];
-    source = {
-      remotes = ["https://rubygems.org"];
-      sha256 = "1dnfkrk8xx2m8r3r9m2p5xcq57viznyc09k7r3i4jbm758i57lx3";
-      type = "gem";
-    };
-    version = "3.30.0";
-  };
   rspec = {
     dependencies = ["rspec-core" "rspec-expectations" "rspec-mocks"];
     groups = ["development" "test"];
@@ -849,17 +760,6 @@
     };
     version = "1.2.0";
   };
-  sanitize = {
-    dependencies = ["crass" "nokogiri"];
-    groups = ["default"];
-    platforms = [];
-    source = {
-      remotes = ["https://rubygems.org"];
-      sha256 = "1zq8pxmsd1abw18zz6mazsm2jfpwmbgdxbpawb7bmwvkb2c5yyc1";
-      type = "gem";
-    };
-    version = "6.0.0";
-  };
   sawyer = {
     dependencies = ["addressable" "faraday"];
     groups = ["default"];
@@ -882,16 +782,6 @@
     };
     version = "3.0.4";
   };
-  stringex = {
-    groups = ["default"];
-    platforms = [];
-    source = {
-      remotes = ["https://rubygems.org"];
-      sha256 = "15ns7j5smw04w6w7bqd5mm2qcl7w9lhwykyb974i4isgg9yc23ys";
-      type = "gem";
-    };
-    version = "2.8.5";
-  };
   thor = {
     groups = ["default"];
     platforms = [];
@@ -915,10 +805,10 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "1knw2xa3pkfql4np9qazz2mdi1vz21vdsa0wkx648c4ym1p2h8yh";
+      sha256 = "12p856z7inf47azpvh9qswsfx8035r5hbzlg2x5n8z2sjqzjkk80";
       type = "gem";
     };
-    version = "0.16.0";
+    version = "0.17.0";
   };
   timecop = {
     source = {

pkgs/applications/version-management/gitlab/gitlab-shell/default.nix

@@ -2,19 +2,19 @@
 
 buildGoModule rec {
   pname = "gitlab-shell";
-  version = "14.10.0";
+  version = "14.13.0";
   src = fetchFromGitLab {
     owner = "gitlab-org";
     repo = "gitlab-shell";
     rev = "v${version}";
-    sha256 = "sha256-7uy7F4wK/4xz0PK9ZadaMjy3c+xUK9+YKaaEm5iFqUs=";
+    sha256 = "sha256-KN1twfuamRsG5/jan4Frhd4LXOU9Bp5Htex+TsTc+Is=";
   };
 
   buildInputs = [ ruby ];
 
   patches = [ ./remove-hardcoded-locations.patch ];
 
-  vendorSha256 = "sha256-urS0FED636APQe5uNvhDvWsnZtHCW60VtRE1B7IzGZQ=";
+  vendorSha256 = "sha256-CAadjiZCopjGNxQTJbvs56THtAve92ewiFLjGTY2/9E=";
 
   postInstall = ''
     cp -r "$NIX_BUILD_TOP/source"/bin/* $out/bin

pkgs/applications/version-management/gitlab/gitlab-workhorse/default.nix

@@ -5,7 +5,7 @@ in
 buildGoModule rec {
   pname = "gitlab-workhorse";
 
-  version = "15.4.4";
+  version = "15.6.0";
 
   src = fetchFromGitLab {
     owner = data.owner;
@@ -16,7 +16,7 @@ buildGoModule rec {
 
   sourceRoot = "source/workhorse";
 
-  vendorSha256 = "sha256-dN3DfkAJkqkmGyahsBDsPQBog52RGECV+SESSR6W3fg=";
+  vendorSha256 = "sha256-VqJqyRRFmDugq0VG7gPBxllikVNv5et93jJHleSTS7M=";
   buildInputs = [ git ];
   ldflags = [ "-X main.Version=${version}" ];
   doCheck = false;

pkgs/applications/version-management/gitlab/rubyEnv/Gemfile

@@ -2,30 +2,48 @@
 
 source 'https://rubygems.org'
 
+if ENV['BUNDLER_CHECKSUM_VERIFICATION_OPT_IN'] # this verification is still experimental
+  $LOAD_PATH.unshift(File.expand_path("vendor/gems/bundler-checksum/lib", __dir__))
+  require 'bundler-checksum'
+  Bundler::Checksum.patch!
+end
+
 gem 'bundler-checksum', '~> 0.1.0', path: 'bundler-checksum', require: false
 
+# NOTE: When incrementing the major or minor version here, also increment activerecord_version
+# in vendor/gems/attr_encrypted/attr_encrypted.gemspec until we resolve
+# https://gitlab.com/gitlab-org/gitlab/-/issues/375713
 gem 'rails', '~> 6.1.6.1'
 
 gem 'bootsnap', '~> 1.13.0', require: false
 
+# Pin openssl to match the version bundled with our supported Rubies.
+# See https://stdgems.org/openssl/#gem-version.
+gem 'openssl', '2.2.1'
+# This gem was originally bundled with Ruby 2.7, but is unbundled as of Ruby 3.
+# Since the latest version caused problems with GitLab, we pin this to an older
+# version for now.
+# See https://gitlab.com/gitlab-org/gitlab/-/issues/376417
+gem 'ipaddr', '1.2.2'
+
 # Responders respond_to and respond_with
 gem 'responders', '~> 3.0'
 
 gem 'sprockets', '~> 3.7.0'
 
-gem 'view_component', '~> 2.71.0'
+gem 'view_component', '~> 2.74.1'
 
 # Default values for AR models
 gem 'default_value_for', '~> 3.4.0'
 
 # Supported DBs
-gem 'pg', '~> 1.4.0'
+gem 'pg', '~> 1.4.3'
 
 gem 'rugged', '~> 1.2'
 gem 'grape-path-helpers', '~> 1.7.1'
 
 gem 'faraday', '~> 1.0'
-gem 'marginalia', '~> 1.10.0'
+gem 'marginalia', '~> 1.11.1'
 
 # Authorization
 gem 'declarative_policy', '~> 1.1.0'
@@ -38,18 +56,17 @@ gem 'doorkeeper', '~> 5.5.0.rc2'
 gem 'doorkeeper-openid_connect', '~> 1.7.5'
 gem 'rexml', '~> 3.2.5'
 gem 'ruby-saml', '~> 1.13.0'
-gem 'omniauth-rails_csrf_protection'
 gem 'omniauth', '~> 2.1.0'
 gem 'omniauth-auth0', '~> 2.0.0'
-gem 'omniauth-azure-activedirectory-v2', '~> 1.0'
+gem 'omniauth-azure-activedirectory-v2', '~> 2.0'
 gem 'omniauth-azure-oauth2', '~> 0.0.9', path: 'omniauth-azure-oauth2' # See gem README.md
 gem 'omniauth-cas3', '~> 1.1.4', path: 'omniauth-cas3' # See vendor/gems/omniauth-cas3/README.md
 gem 'omniauth-dingtalk-oauth2', '~> 1.0'
-gem 'omniauth-alicloud', '~> 1.0.1'
+gem 'omniauth-alicloud', '~> 2.0.0'
 gem 'omniauth-facebook', '~> 4.0.0'
-gem 'omniauth-github', '2.0.0'
+gem 'omniauth-github', '2.0.1'
 gem 'omniauth-gitlab', '~> 4.0.0', path: 'omniauth-gitlab' # See vendor/gems/omniauth-gitlab/README.md
-gem 'omniauth-google-oauth2', '~> 1.0.1', path: 'omniauth-google-oauth2' # See gem README.md
+gem 'omniauth-google-oauth2', '~> 1.1'
 gem 'omniauth-oauth2-generic', '~> 0.2.2'
 gem 'omniauth-saml', '~> 2.0.0'
 gem 'omniauth-shibboleth', '~> 1.3.0'
@@ -59,7 +76,7 @@ gem 'omniauth-authentiq', '~> 0.3.3'
 gem 'gitlab-omniauth-openid-connect', '~> 0.10.0', require: 'omniauth_openid_connect'
 gem 'omniauth-salesforce', '~> 1.0.5', path: 'omniauth-salesforce' # See gem README.md
 gem 'omniauth-atlassian-oauth2', '~> 0.2.0'
-gem 'rack-oauth2', '~> 1.21.2'
+gem 'rack-oauth2', '~> 1.21.3'
 gem 'jwt', '~> 2.1.0'
 
 # Kerberos authentication. EE-only
@@ -69,12 +86,12 @@ gem 'timfel-krb5-auth', '~> 0.8', group: :kerberos
 # Spam and anti-bot protection
 gem 'recaptcha', '~> 4.11', require: 'recaptcha/rails'
 gem 'akismet', '~> 3.0'
-gem 'invisible_captcha', '~> 1.1.0'
+gem 'invisible_captcha', '~> 2.0.0'
 
 # Two-factor authentication
 gem 'devise-two-factor', '~> 4.0.2'
 gem 'rqrcode-rails3', '~> 0.1.7'
-gem 'attr_encrypted', '~> 3.1.0'
+gem 'attr_encrypted', '~> 3.2.4', path: 'attr_encrypted'
 gem 'u2f', '~> 0.2.1'
 
 # GitLab Pages
@@ -84,7 +101,7 @@ gem 'rubyzip', '~> 2.3.2', require: 'zip'
 gem 'acme-client', '~> 2.0'
 
 # Browser detection
-gem 'browser', '~> 4.2'
+gem 'browser', '~> 5.3.1'
 
 # OS detection for usage ping
 gem 'ohai', '~> 16.10'
@@ -101,7 +118,9 @@ gem 'net-ldap', '~> 0.16.3'
 # API
 gem 'grape', '~> 1.5.2'
 gem 'grape-entity', '~> 0.10.0'
-gem 'rack-cors', '~> 1.1.0', require: 'rack/cors'
+gem 'rack-cors', '~> 1.1.1', require: 'rack/cors'
+gem 'grape-swagger', '~>1.5.0', group: [:development, :test]
+gem 'grape-swagger-entity', '~> 0.5.1', group: [:development, :test]
 
 # GraphQL API
 gem 'graphql', '~> 1.13.12'
@@ -110,12 +129,10 @@ gem 'apollo_upload_server', '~> 2.1.0'
 gem 'graphql-docs', '~> 2.1.0', group: [:development, :test]
 gem 'graphlient', '~> 0.5.0' # Used by BulkImport feature (group::import)
 
-gem 'hashie'
-# Disable strong_params so that Mash does not respond to :permitted?
-gem 'hashie-forbidden_attributes'
+gem 'hashie', '~> 5.0.0'
 
 # Pagination
-gem 'kaminari', '~> 1.0'
+gem 'kaminari', '~> 1.2.2'
 
 # HAML
 gem 'hamlit', '~> 2.15.0'
@@ -125,16 +142,16 @@ gem 'carrierwave', '~> 1.3'
 gem 'mini_magick', '~> 4.10.1'
 
 # for backups
-gem 'fog-aws', '~> 3.14'
+gem 'fog-aws', '~> 3.15'
 # Locked until fog-google resolves https://github.com/fog/fog-google/issues/421.
 # Also see config/initializers/fog_core_patch.rb.
 gem 'fog-core', '= 2.1.0'
-gem 'fog-google', '~> 1.15', require: 'fog/google'
-gem 'fog-local', '~> 0.6'
+gem 'fog-google', '~> 1.19', require: 'fog/google'
+gem 'fog-local', '~> 0.8'
 gem 'fog-openstack', '~> 1.0'
 gem 'fog-rackspace', '~> 0.1.1'
 gem 'fog-aliyun', '~> 0.3'
-gem 'gitlab-fog-azure-rm', '~> 1.3.0', require: 'fog/azurerm'
+gem 'gitlab-fog-azure-rm', '~> 1.4.0', require: 'fog/azurerm'
 
 # for Google storage
 gem 'google-api-client', '~> 0.33'
@@ -149,18 +166,17 @@ gem 'seed-fu', '~> 2.3.7'
 gem 'elasticsearch-model', '~> 7.2'
 gem 'elasticsearch-rails', '~> 7.2', require: 'elasticsearch/rails/instrumentation'
 gem 'elasticsearch-api',   '7.13.3'
-gem 'aws-sdk-core', '~> 3.131.0'
+gem 'aws-sdk-core', '~> 3.167.0'
 gem 'aws-sdk-cloudformation', '~> 1'
-gem 'aws-sdk-s3', '~> 1.114.0'
+gem 'aws-sdk-s3', '~> 1.117.1'
 gem 'faraday_middleware-aws-sigv4', '~>0.3.0'
 gem 'typhoeus', '~> 1.4.0' # Used with Elasticsearch to support http keep-alive connections
 
 # Markdown and HTML processing
-gem 'html-pipeline', '~> 2.13.2'
-gem 'deckar01-task_list', '2.3.1'
-gem 'gitlab-markup', '~> 1.8.0'
-gem 'github-markup', '~> 1.7.0', require: 'github/markup'
-gem 'commonmarker', '~> 0.23.4'
+gem 'html-pipeline', '~> 2.14.3'
+gem 'deckar01-task_list', '2.3.2'
+gem 'gitlab-markup', '~> 1.8.0', require: 'github/markup'
+gem 'commonmarker', '~> 0.23.6'
 gem 'kramdown', '~> 2.3.1'
 gem 'RedCloth', '~> 4.3.2'
 gem 'rdoc', '~> 6.3.2'
@@ -170,12 +186,11 @@ gem 'wikicloth', '0.8.1'
 gem 'asciidoctor', '~> 2.0.17'
 gem 'asciidoctor-include-ext', '~> 0.4.0', require: false
 gem 'asciidoctor-plantuml', '~> 0.0.16'
-gem 'asciidoctor-kroki', '~> 0.5.0', require: false
+gem 'asciidoctor-kroki', '~> 0.7.0', require: false
 gem 'rouge', '~> 3.30.0'
 gem 'truncato', '~> 0.7.12'
 gem 'bootstrap_form', '~> 4.2.0'
-gem 'nokogiri', '~> 1.13.8'
-gem 'escape_utils', '~> 1.1'
+gem 'nokogiri', '~> 1.13.9'
 
 # Calendar rendering
 gem 'icalendar'
@@ -187,7 +202,7 @@ gem 'diff_match_patch', '~> 0.1.0'
 # Application server
 gem 'rack', '~> 2.2.4'
 # https://github.com/zombocom/rack-timeout/blob/master/README.md#rails-apps-manually
-gem 'rack-timeout', '~> 0.6.0', require: 'rack/timeout/base'
+gem 'rack-timeout', '~> 0.6.3', require: 'rack/timeout/base'
 
 group :puma do
   gem 'puma', '~> 5.6.5', require: false
@@ -202,16 +217,16 @@ gem 'state_machines-activerecord', '~> 0.8.0'
 gem 'acts-as-taggable-on', '~> 9.0'
 
 # Background jobs
-gem 'sidekiq', '~> 6.4.0'
-gem 'sidekiq-cron', '~> 1.4.0'
-gem 'redis-namespace', '~> 1.8.1'
-gem 'gitlab-sidekiq-fetcher', '0.8.0', require: 'sidekiq-reliable-fetch'
+gem 'sidekiq', '~> 6.5.7'
+gem 'sidekiq-cron', '~> 1.8.0'
+gem 'redis-namespace', '~> 1.9.0'
+gem 'gitlab-sidekiq-fetcher', '0.9.0', require: 'sidekiq-reliable-fetch'
 
 # Cron Parser
 gem 'fugit', '~> 1.2.1'
 
 # HTTP requests
-gem 'httparty', '~> 0.16.4'
+gem 'httparty', '~> 0.20.0'
 
 # Colored output to console
 gem 'rainbow', '~> 3.0'
@@ -223,20 +238,20 @@ gem 'ruby-progressbar', '~> 1.10'
 gem 'settingslogic', '~> 2.0.9'
 
 # Linear-time regex library for untrusted regular expressions
-gem 're2', '~> 1.4.0'
+gem 're2', '~> 1.6.0'
 
 # Misc
 
 gem 'version_sorter', '~> 2.2.4'
 
 # Export Ruby Regex to Javascript
-gem 'js_regex', '~> 3.7'
+gem 'js_regex', '~> 3.8'
 
 # User agent parsing
 gem 'device_detector'
 
 # Redis
-gem 'redis', '~> 4.7.0'
+gem 'redis', '~> 4.8.0'
 gem 'connection_pool', '~> 2.0'
 
 # Redis session store
@@ -262,7 +277,7 @@ gem 'hangouts-chat', '~> 0.0.5', require: 'hangouts_chat'
 gem 'asana', '~> 0.10.13'
 
 # FogBugz integration
-gem 'ruby-fogbugz', '~> 0.2.1'
+gem 'ruby-fogbugz', '~> 0.3.0'
 
 # Kubernetes integration
 gem 'kubeclient', '~> 4.9.3'
@@ -272,7 +287,7 @@ gem 'sanitize', '~> 6.0'
 gem 'babosa', '~> 1.0.4'
 
 # Sanitizes SVG input
-gem 'loofah', '~> 2.18.0'
+gem 'loofah', '~> 2.19.0'
 
 # Working with license
 # Detects the open source license the repository includes
@@ -292,7 +307,7 @@ gem 'fast_blank'
 gem 'gitlab-chronic', '~> 0.10.5'
 gem 'gitlab_chronic_duration', '~> 0.10.6.2'
 
-gem 'rack-proxy', '~> 0.7.2'
+gem 'rack-proxy', '~> 0.7.4'
 
 gem 'sassc-rails', '~> 2.1.0'
 gem 'autoprefixer-rails', '10.2.5.1'
@@ -301,13 +316,13 @@ gem 'terser', '1.0.2'
 gem 'addressable', '~> 2.8'
 gem 'tanuki_emoji', '~> 0.6'
 gem 'gon', '~> 6.4.0'
-gem 'request_store', '~> 1.5'
+gem 'request_store', '~> 1.5.1'
 gem 'base32', '~> 0.3.0'
 
 gem 'gitlab-license', '~> 2.2.1'
 
 # Protect against bruteforcing
-gem 'rack-attack', '~> 6.6.0'
+gem 'rack-attack', '~> 6.6.1'
 
 # Sentry integration
 gem 'sentry-raven', '~> 3.1'
@@ -317,12 +332,12 @@ gem 'sentry-sidekiq', '~> 5.1.1'
 
 # PostgreSQL query parsing
 #
-gem 'pg_query', '~> 2.1.0'
+gem 'pg_query', '~> 2.2'
 
 gem 'premailer-rails', '~> 1.10.3'
 
 # LabKit: Tracing and Correlation
-gem 'gitlab-labkit', '~> 0.24.0'
+gem 'gitlab-labkit', '~> 0.28.0'
 gem 'thrift', '>= 0.16.0'
 
 # I18n
@@ -347,12 +362,12 @@ gem 'prometheus-client-mmap', '~> 0.16', require: 'prometheus/client'
 gem 'warning', '~> 1.3.0'
 
 group :development do
-  gem 'lefthook', '~> 1.1.1', require: false
+  gem 'lefthook', '~> 1.2.0', require: false
   gem 'rubocop'
-  gem 'solargraph', '~> 0.46.0', require: false
+  gem 'solargraph', '~> 0.47.2', require: false
 
   gem 'letter_opener_web', '~> 2.0.0'
-  gem 'lookbook', '~> 1.0'
+  gem 'lookbook', '~> 1.2', '>= 1.2.1'
 
   # Better errors handler
   gem 'better_errors', '~> 2.9.1'
@@ -382,7 +397,7 @@ group :development, :test do
   gem 'spring', '~> 2.1.0'
   gem 'spring-commands-rspec', '~> 1.0.4'
 
-  gem 'gitlab-styles', '~> 8.0.0', require: false
+  gem 'gitlab-styles', '~> 9.0.0', require: false
 
   gem 'haml_lint', '~> 0.40.0', require: false
   gem 'bundler-audit', '~> 0.7.0.1', require: false
@@ -406,11 +421,11 @@ group :development, :test do
 
   gem 'sigdump', '~> 0.2.4', require: 'sigdump/setup'
 
-  gem 'pact', '~> 1.12'
+  gem 'pact', '~> 1.63'
 end
 
 group :development, :test, :danger do
-  gem 'gitlab-dangerfiles', '~> 3.5.2', require: false
+  gem 'gitlab-dangerfiles', '~> 3.6.2', require: false
 end
 
 group :development, :test, :coverage do
@@ -460,10 +475,9 @@ gem 'gitlab-mail_room', '~> 0.0.9', require: 'mail_room'
 gem 'email_reply_trimmer', '~> 0.1'
 gem 'html2text'
 
-gem 'ruby-prof', '~> 1.3.0'
 gem 'stackprof', '~> 0.2.21', require: false
 gem 'rbtrace', '~> 0.4', require: false
-gem 'memory_profiler', '~> 0.9', require: false
+gem 'memory_profiler', '~> 1.0', require: false
 gem 'activerecord-explain-analyze', '~> 0.1', require: false
 
 # OAuth
@@ -486,16 +500,16 @@ gem 'ssh_data', '~> 1.3'
 gem 'spamcheck', '~> 1.0.0'
 
 # Gitaly GRPC protocol definitions
-gem 'gitaly', '~> 15.4.0-rc2'
+gem 'gitaly', '~> 15.5.0'
 
 # KAS GRPC protocol definitions
 gem 'kas-grpc', '~> 0.0.2'
 
 gem 'grpc', '~> 1.42.0'
 
-gem 'google-protobuf', '~> 3.21'
+gem 'google-protobuf', '~> 3.21', '>= 3.21.9'
 
-gem 'toml-rb', '~> 2.0'
+gem 'toml-rb', '~> 2.2.0'
 
 # Feature toggles
 gem 'flipper', '~> 0.25.0'
@@ -519,8 +533,6 @@ gem 'retriable', '~> 3.1.2'
 # LRU cache
 gem 'lru_redux'
 
-gem 'erubi', '~> 1.9.0'
-
 # Locked as long as quoted-printable encoding issues are not resolved
 # Monkey-patched in `config/initializers/mail_encoding_patch.rb`
 # See https://gitlab.com/gitlab-org/gitlab/issues/197386
@@ -539,6 +551,7 @@ gem 'valid_email', '~> 0.1'
 gem 'json', '~> 2.5.1'
 gem 'json_schemer', '~> 0.2.18'
 gem 'oj', '~> 3.13.21'
+gem 'oj-introspect', '~> 0.7'
 gem 'multi_json', '~> 1.14.1'
 gem 'yajl-ruby', '~> 1.4.3', require: 'yajl'
 
@@ -556,3 +569,15 @@ gem 'ed25519', '~> 1.3.0'
 # Error Tracking OpenAPI client
 # See https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/development/rake_tasks.md#update-openapi-client-for-error-tracking-feature
 gem 'error_tracking_open_api', path: 'error_tracking_open_api'
+
+# Vulnerability advisories
+gem 'cvss-suite', '~> 3.0.1', require: 'cvss_suite'
+
+# Work with RPM packages
+gem 'arr-pm', '~> 0.0.12'
+
+# Apple plist parsing
+gem 'CFPropertyList'
+
+# For phone verification
+gem 'telesignenterprise', '~> 2.2'

pkgs/applications/version-management/gitlab/update-pg.patch

@@ -1,13 +0,0 @@
-diff --git a/Gemfile.lock b/Gemfile.lock
-index 9074b48c56b..57a1c924897 100644
---- a/Gemfile.lock
-+++ b/Gemfile.lock
-@@ -1019,7 +1019,7 @@ GEM
-       tty-color (~> 0.5)
-     peek (1.1.0)
-       railties (>= 4.0.0)
--    pg (1.4.1)
-+    pg (1.4.3)
-     pg_query (2.1.4)
-       google-protobuf (>= 3.19.2)
-     plist (3.6.0)

pkgs/applications/version-management/gitlab/update.py

@@ -23,9 +23,9 @@ VENDORED_GEMS = [
     "omniauth-azure-oauth2",
     "omniauth-cas3",
     "omniauth-gitlab",
-    "omniauth-google-oauth2",
     "omniauth_crowd",
     "omniauth-salesforce",
+    "attr_encrypted",
     "mail-smtp_pool",
     "microsoft_graph_mailer",
     "ipynbdiff",
@@ -159,11 +159,6 @@ def update_rubyenv():
     gemfile = repo.get_file('Gemfile', rev)
     gemfile_lock = repo.get_file('Gemfile.lock', rev)
 
-    if "pg (1.4.1)" in gemfile_lock:
-        gemfile_lock = gemfile_lock.replace("pg (1.4.1)", "pg (1.4.3)")
-    else:
-        logger.info("Looks like pg was updated! Please remove update-pg.patch, as this will cause a build failure")
-
     with open(rubyenv_dir / 'Gemfile', 'w') as f:
         f.write(re.sub(f'.*({"|".join(VENDORED_GEMS)}).*', "", gemfile))