push sheeet

pkgs/by-name/gi/gitlab/Remove-unsupported-database-names.patch

@@ -0,0 +1,79 @@
+From 054e2e2092e3f20267a5d2046978df6d33c72712 Mon Sep 17 00:00:00 2001
+From: Yaya <mak@nyantec.com>
+Date: Tue, 23 May 2023 13:49:18 +0000
+Subject: [PATCH] Remove unsupported database names
+
+The only supported ones are main, ci, main_clusterwide.
+---
+ config/database.yml.postgresql | 37 ----------------------------------
+ 1 file changed, 37 deletions(-)
+
+diff --git a/config/database.yml.postgresql b/config/database.yml.postgresql
+index da9f458ff..2d6d44e37 100644
+--- a/config/database.yml.postgresql
++++ b/config/database.yml.postgresql
+@@ -26,13 +26,6 @@ production:
+     username: git
+     password: "secure password"
+     host: localhost
+-  geo:
+-    adapter: postgresql
+-    encoding: unicode
+-    database: gitlabhq_geo_production
+-    username: git
+-    password: "secure password"
+-    host: localhost
+ 
+ #
+ # Development specific
+@@ -57,13 +50,6 @@ development:
+     host: localhost
+     variables:
+       statement_timeout: 15s
+-  geo:
+-    adapter: postgresql
+-    encoding: unicode
+-    database: gitlabhq_geo_development
+-    username: postgres
+-    password: "secure password"
+-    host: localhost
+ 
+ #
+ # Staging specific
+@@ -84,13 +70,6 @@ staging:
+     username: git
+     password: "secure password"
+     host: localhost
+-  geo:
+-    adapter: postgresql
+-    encoding: unicode
+-    database: gitlabhq_geo_staging
+-    username: git
+-    password: "secure password"
+-    host: localhost
+ 
+ # Warning: The database defined as "test" will be erased and
+ # re-generated from your development database when you run "rake".
+@@ -119,19 +98,3 @@ test: &test
+     reaping_frequency: nil
+     variables:
+       statement_timeout: 15s
+-  geo:
+-    adapter: postgresql
+-    encoding: unicode
+-    database: gitlabhq_geo_test
+-    username: postgres
+-    password:
+-    host: localhost
+-    reaping_frequency: nil
+-  embedding:
+-    adapter: postgresql
+-    encoding: unicode
+-    database: gitlabhq_embedding_test
+-    username: postgres
+-    password:
+-    host: localhost
+-    reaping_frequency: nil
+-- 
+2.40.1
+

pkgs/by-name/gi/gitlab/data.json

@@ -0,0 +1,15 @@
+{
+  "version": "18.4.1",
+  "repo_hash": "0wqk6vcjsnv84qbngzri4klg299kk154cadl98zf9vzypv5l66rz",
+  "yarn_hash": "1s9fz2apb7wkpppq14b3020b2pqdah917wblvzk32np8s2dqqc14",
+  "owner": "gitlab-org",
+  "repo": "gitlab",
+  "rev": "v18.4.1-ee",
+  "passthru": {
+    "GITALY_SERVER_VERSION": "18.4.1",
+    "GITLAB_PAGES_VERSION": "18.4.1",
+    "GITLAB_SHELL_VERSION": "14.45.2",
+    "GITLAB_ELASTICSEARCH_INDEXER_VERSION": "5.9.1",
+    "GITLAB_WORKHORSE_VERSION": "18.4.1"
+  }
+}

pkgs/by-name/gi/gitlab/gitlab-workhorse/default.nix

@@ -0,0 +1,37 @@
+{
+  lib,
+  fetchFromGitLab,
+  git,
+  buildGoModule,
+}:
+let
+  data = lib.importJSON ../data.json;
+in
+buildGoModule rec {
+  pname = "gitlab-workhorse";
+
+  version = "18.4.1";
+
+  # nixpkgs-update: no auto update
+  src = fetchFromGitLab {
+    owner = data.owner;
+    repo = data.repo;
+    rev = data.rev;
+    sha256 = data.repo_hash;
+  };
+
+  sourceRoot = "${src.name}/workhorse";
+
+  vendorHash = "sha256-R9hI+y4n+6YM0dXIRvNZWwy1gAasdKHBWmFBXJaI1G0=";
+  buildInputs = [ git ];
+  ldflags = [ "-X main.Version=${version}" ];
+  doCheck = false;
+  prodyVendor = true;
+
+  meta = with lib; {
+    homepage = "http://www.gitlab.com/";
+    platforms = platforms.linux;
+    teams = [ teams.gitlab ];
+    license = licenses.mit;
+  };
+}

pkgs/by-name/gi/gitlab/package.nix

@@ -0,0 +1,318 @@
+{
+  bundlerEnv,
+  cacert,
+  defaultGemConfig,
+  fetchFromGitLab,
+  fetchYarnDeps,
+  yarnConfigHook,
+  git,
+  gitlabEnterprise ? false,
+  lib,
+  makeWrapper,
+  net-tools,
+  nixosTests,
+  nodejs_20,
+  replace,
+  ruby_3_3,
+  stdenv,
+  tzdata,
+
+  # gem dependencies:
+  # gitlab-glfm-markdown
+  buildRubyGem,
+  cargo,
+  rustc,
+  rustPlatform,
+
+  # gpgme
+  pkg-config,
+
+  # openssl
+  openssl,
+
+  # ruby-magic
+  file,
+
+  # static-holmes
+  icu,
+  which,
+  zlib,
+}:
+
+let
+  data = lib.importJSON ./data.json;
+
+  version = data.version;
+  src = fetchFromGitLab {
+    owner = data.owner;
+    repo = data.repo;
+    rev = data.rev;
+    sha256 = data.repo_hash;
+  };
+
+  rubyEnv = bundlerEnv rec {
+    name = "gitlab-env-${version}";
+    ruby = ruby_3_3;
+    gemdir = ./rubyEnv;
+    gemset = import (gemdir + "/gemset.nix") src;
+    gemConfig = defaultGemConfig // {
+      gpgme = attrs: {
+        nativeBuildInputs = [ pkg-config ];
+      };
+      # the openssl needs the openssl include files
+      openssl = attrs: {
+        buildInputs = [ openssl ];
+      };
+      ruby-magic = attrs: {
+        buildInputs = [ file ];
+        buildFlags = [ "--enable-system-libraries" ];
+      };
+      gitlab-glfm-markdown = attrs: {
+        cargoDeps = rustPlatform.fetchCargoVendor {
+          src = stdenv.mkDerivation {
+            inherit (buildRubyGem { inherit (attrs) gemName version source; })
+              name
+              src
+              unpackPhase
+              nativeBuildInputs
+              ;
+            dontBuilt = true;
+            installPhase = ''
+              cp -R ext/glfm_markdown $out
+              rm $out/Cargo.lock
+              cp Cargo.lock $out
+            '';
+          };
+          hash = "sha256-NJLpfIgVgqbf1fHIzEKxzpHOKvtY9QHXVQPpRdvH0Uo=";
+        };
+
+        dontBuild = false;
+
+        nativeBuildInputs = [
+          cargo
+          rustc
+          rustPlatform.cargoSetupHook
+          rustPlatform.bindgenHook
+        ];
+
+        disallowedReferences = [
+          rustc.unwrapped
+        ];
+
+        preInstall = ''
+          export CARGO_HOME="$PWD/../.cargo/"
+        '';
+
+        postInstall = ''
+          mv -v $GEM_HOME/gems/${attrs.gemName}-${attrs.version}/lib/{glfm_markdown/glfm_markdown.so,}
+          find $out -type f -name .rustc_info.json -delete
+        '';
+      };
+
+      static_holmes = attrs: {
+        nativeBuildInputs = [
+          icu
+          which
+          zlib.dev
+        ];
+      };
+    };
+    groups = [
+      "default"
+      "unicorn"
+      "ed25519"
+      "metrics"
+      "development"
+      "puma"
+      "test"
+      "kerberos"
+      "opentelemetry"
+    ];
+    # N.B. omniauth_oauth2_generic and apollo_upload_server both provide a
+    # `console` executable.
+    ignoreCollisions = true;
+
+    extraConfigPaths = [
+      "${src}/vendor"
+      "${src}/gems"
+    ];
+  };
+
+  assets = stdenv.mkDerivation {
+    pname = "gitlab-assets";
+    inherit version src;
+
+    yarnOfflineCache = fetchYarnDeps {
+      yarnLock = src + "/yarn.lock";
+      sha256 = data.yarn_hash;
+    };
+
+    nativeBuildInputs = [
+      rubyEnv.wrappedRuby
+      rubyEnv.bundler
+      nodejs_20
+      git
+      cacert
+      yarnConfigHook
+    ];
+
+    patches = [
+      # Since version 12.6.0, the rake tasks need the location of git,
+      # so we have to apply the location patches here too.
+      ./remove-hardcoded-locations.patch
+
+      # Gitlab edited the default database config since [1] and the
+      # installer now complains about valid keywords only being "main", "ci" and "embedded".
+      #
+      # [1]: https://gitlab.com/gitlab-org/gitlab/-/commit/99c0fac52b10cd9df62bbe785db799352a2d9028
+      ./Remove-unsupported-database-names.patch
+    ];
+    # One of the patches uses this variable - if it's unset, execution
+    # of rake tasks fails.
+    GITLAB_LOG_PATH = "log";
+    FOSS_ONLY = !gitlabEnterprise;
+
+    SKIP_YARN_INSTALL = 1;
+    NODE_OPTIONS = "--max-old-space-size=8192";
+
+    postConfigure = ''
+      # Some rake tasks try to run yarn automatically, which won't work
+      rm lib/tasks/yarn.rake
+
+      # The rake tasks won't run without a basic configuration in place
+      mv config/database.yml.postgresql config/database.yml
+      mv config/gitlab.yml.example config/gitlab.yml
+
+      patchShebangs scripts/frontend/
+    '';
+
+    buildPhase = ''
+      runHook preBuild
+
+      # TODO: Try to yarn install without --ignore-scripts
+      # Needed for the js dependency pinia to work
+      pushd node_modules/vue-demi
+      yarn run postinstall
+      popd
+
+      bundle exec rake gitlab:assets:compile RAILS_ENV=production NODE_ENV=production SKIP_YARN_INSTALL=true
+
+      runHook postBuild
+    '';
+
+    installPhase = ''
+      runHook preInstall
+
+      mv public/assets $out
+
+      runHook postInstall
+    '';
+  };
+in
+stdenv.mkDerivation {
+  name = "gitlab${lib.optionalString gitlabEnterprise "-ee"}-${version}";
+
+  inherit src;
+
+  nativeBuildInputs = [ makeWrapper ];
+  buildInputs = [
+    rubyEnv
+    rubyEnv.wrappedRuby
+    rubyEnv.bundler
+    tzdata
+    git
+    net-tools
+  ];
+
+  patches = [
+    # Change hardcoded paths to the NixOS equivalent
+    ./remove-hardcoded-locations.patch
+  ];
+
+  postPatch = ''
+    ${lib.optionalString (!gitlabEnterprise) ''
+      # Remove all proprietary components
+      rm -rf ee
+      sed -i 's/-ee//' ./VERSION
+    ''}
+
+    # For reasons I don't understand "bundle exec" ignores the
+    # RAILS_ENV causing tests to be executed that fail because we're
+    # not installing development and test gems above. Deleting the
+    # tests works though.
+    rm lib/tasks/test.rake
+
+    rm config/initializers/gitlab_shell_secret_token.rb
+
+    sed -i '/ask_to_continue/d' lib/tasks/gitlab/two_factor.rake
+    sed -ri -e '/log_level/a config.logger = Logger.new(STDERR)' config/environments/production.rb
+
+    mv config/puma.rb.example config/puma.rb
+    # Always require lib-files and application.rb through their store
+    # path, not their relative state directory path. This gets rid of
+    # warnings and means we don't have to link back to lib from the
+    # state directory.
+    ${replace}/bin/replace-literal -f -r -e '../../lib' "$out/share/gitlab/lib" config
+    ${replace}/bin/replace-literal -f -r -e '../lib' "$out/share/gitlab/lib" config
+    ${replace}/bin/replace-literal -f -r -e "require_relative 'application'" "require_relative '$out/share/gitlab/config/application'" config
+    ${replace}/bin/replace-literal -f -r -e 'require_relative "/home/git/gitlab/lib/gitlab/puma/error_handler"' "require_relative '$out/share/gitlab/lib/gitlab/puma/error_handler'" config
+  '';
+
+  buildPhase = ''
+    rm -f config/secrets.yml
+    mv config config.dist
+    rm -r tmp
+  '';
+
+  installPhase = ''
+    mkdir -p $out/share
+    cp -r . $out/share/gitlab
+    ln -sf ${assets} $out/share/gitlab/public/assets
+    rm -rf $out/share/gitlab/log
+    ln -sf /run/gitlab/log $out/share/gitlab/log
+    ln -sf /run/gitlab/uploads $out/share/gitlab/public/uploads
+    ln -sf /run/gitlab/config $out/share/gitlab/config
+    ln -sf /run/gitlab/tmp $out/share/gitlab/tmp
+
+    # rake tasks to mitigate CVE-2017-0882
+    # see https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/
+    cp ${./reset_token.rake} $out/share/gitlab/lib/tasks/reset_token.rake
+
+    # manually patch the shebang line in generate-loose-foreign-key
+    wrapProgram $out/share/gitlab/scripts/decomposition/generate-loose-foreign-key --set ENABLE_SPRING 0 --add-flags 'runner -e test'
+  '';
+
+  passthru = {
+    inherit rubyEnv assets;
+    ruby = rubyEnv.wrappedRuby;
+    GITALY_SERVER_VERSION = data.passthru.GITALY_SERVER_VERSION;
+    GITLAB_PAGES_VERSION = data.passthru.GITLAB_PAGES_VERSION;
+    GITLAB_SHELL_VERSION = data.passthru.GITLAB_SHELL_VERSION;
+    GITLAB_WORKHORSE_VERSION = data.passthru.GITLAB_WORKHORSE_VERSION;
+    gitlabEnv.FOSS_ONLY = lib.boolToString (!gitlabEnterprise);
+    tests = {
+      nixos-test-passes = nixosTests.gitlab;
+    };
+  };
+
+  meta =
+    with lib;
+    {
+      homepage = "http://www.gitlab.com/";
+      platforms = platforms.linux;
+      teams = [ teams.gitlab ];
+    }
+    // (
+      if gitlabEnterprise then
+        {
+          license = licenses.unfreeRedistributable; # https://gitlab.com/gitlab-org/gitlab-ee/raw/master/LICENSE
+          description = "GitLab Enterprise Edition";
+        }
+      else
+        {
+          license = licenses.mit;
+          description = "GitLab Community Edition";
+          longDescription = "GitLab Community Edition (CE) is an open source end-to-end software development platform with built-in version control, issue tracking, code review, CI/CD, and more. Self-host GitLab CE on your own servers, in a container, or on a cloud provider.";
+        }
+    );
+}

pkgs/by-name/gi/gitlab/remove-hardcoded-locations.patch

@@ -0,0 +1,217 @@
+diff --git a/config/environments/production.rb b/config/environments/production.rb
+index e1a7db8d860..5823f170410 100644
+--- a/config/environments/production.rb
++++ b/config/environments/production.rb
+@@ -71,10 +71,10 @@
+ 
+   config.action_mailer.delivery_method = :sendmail
+   # Defaults to:
+-  # # config.action_mailer.sendmail_settings = {
+-  # #   location: '/usr/sbin/sendmail',
+-  # #   arguments: '-i -t'
+-  # # }
++  config.action_mailer.sendmail_settings = {
++    location: '/run/wrappers/bin/sendmail',
++    arguments: '-i -t'
++  }
+   config.action_mailer.perform_deliveries = true
+   config.action_mailer.raise_delivery_errors = true
+ 
+diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
+index da1a15302da..c846db93e5c 100644
+--- a/config/gitlab.yml.example
++++ b/config/gitlab.yml.example
+@@ -1191,7 +1191,7 @@ production: &base
+   # CAUTION!
+   # Use the default values unless you really know what you are doing
+   git:
+-    bin_path: /usr/bin/git
++    bin_path: git
+ 
+   ## Webpack settings
+   # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running
+diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
+index d096174fca3a..02d0f689c523 100644
+--- a/config/initializers/1_settings.rb
++++ b/config/initializers/1_settings.rb
+@@ -206,7 +206,7 @@
+ Settings.gitlab['user_home'] ||= begin
+   Etc.getpwnam(Settings.gitlab['user']).dir
+ rescue ArgumentError # no user configured
+-  '/home/' + Settings.gitlab['user']
++  '/homeless-shelter'
+ end
+ Settings.gitlab['time_zone'] ||= nil
+ Settings.gitlab['signup_enabled'] ||= true if Settings.gitlab['signup_enabled'].nil?
+@@ -959,7 +959,7 @@
+ # Git
+ #
+ Settings['git'] ||= {}
+-Settings.git['bin_path'] ||= '/usr/bin/git'
++Settings.git['bin_path'] ||= 'git'
+
+ # Important: keep the satellites.path setting until GitLab 9.0 at
+ # least. This setting is fed to 'rm -rf' in
+diff --git a/config/puma.rb.example b/config/puma.rb.example
+index 07a6f6a25015..14a718a43202 100644
+--- a/config/puma.rb.example
++++ b/config/puma.rb.example
+@@ -5,12 +5,8 @@
+ # The default is "config.ru".
+ #
+ rackup 'config.ru'
+-pidfile '/home/git/gitlab/tmp/pids/puma.pid'
+-state_path '/home/git/gitlab/tmp/pids/puma.state'
+-
+-stdout_redirect '/home/git/gitlab/log/puma.stdout.log',
+-  '/home/git/gitlab/log/puma.stderr.log',
+-  true
++pidfile ENV['PUMA_PATH'] + '/tmp/pids/puma.pid'
++state_path ENV['PUMA_PATH'] + '/tmp/pids/puma.state'
+ 
+ # Configure "min" to be the minimum number of threads to use to answer
+ # requests and "max" the maximum.
+@@ -31,11 +27,11 @@ queue_requests false
+ 
+ # Bind the server to "url". "tcp://", "unix://" and "ssl://" are the only
+ # accepted protocols.
+-bind 'unix:///home/git/gitlab/tmp/sockets/gitlab.socket'
++bind "unix://#{ENV['PUMA_PATH']}/tmp/sockets/gitlab.socket"
+ 
+ workers 3
+ 
+-require_relative "/home/git/gitlab/lib/gitlab/cluster/lifecycle_events"
++require_relative ENV['GITLAB_PATH'] + "lib/gitlab/cluster/lifecycle_events"
+ 
+ on_restart do
+   # Signal application hooks that we're about to restart
+@@ -74,7 +70,7 @@ worker_timeout 60
+ wait_for_less_busy_worker ENV.fetch('PUMA_WAIT_FOR_LESS_BUSY_WORKER', 0.001).to_f
+ 
+ # Use json formatter
+-require_relative "/home/git/gitlab/lib/gitlab/puma_logging/json_formatter"
++require_relative ENV['GITLAB_PATH'] + "lib/gitlab/puma_logging/json_formatter"
+ 
+ json_formatter = Gitlab::PumaLogging::JSONFormatter.new
+ log_formatter do |str|
+diff --git a/lib/api/api.rb b/lib/api/api.rb
+index a287ffbfcd8..1a5ca59183a 100644
+--- a/lib/api/api.rb
++++ b/lib/api/api.rb
+@@ -4,7 +4,7 @@ module API
+   class API < ::API::Base
+     include APIGuard
+ 
+-    LOG_FILENAME = Rails.root.join("log", "api_json.log")
++    LOG_FILENAME = File.join(ENV["GITLAB_LOG_PATH"], "api_json.log")
+ 
+     NO_SLASH_URL_PART_REGEX = %r{[^/]+}.freeze
+     NAMESPACE_OR_PROJECT_REQUIREMENTS = { id: NO_SLASH_URL_PART_REGEX }.freeze
+diff --git a/lib/gitlab/authorized_keys.rb b/lib/gitlab/authorized_keys.rb
+index 50cd15b7a10..3ac89e5b8e9 100644
+--- a/lib/gitlab/authorized_keys.rb
++++ b/lib/gitlab/authorized_keys.rb
+@@ -157,7 +157,7 @@ def command(id)
+         raise KeyError, "Invalid ID: #{id.inspect}"
+       end
+ 
+-      "#{File.join(Gitlab.config.gitlab_shell.path, 'bin', 'gitlab-shell')} #{id}"
++      "#{File.join('/run/current-system/sw/bin', 'gitlab-shell')} #{id}"
+     end
+ 
+     def strip(key)
+diff --git a/lib/gitlab/logger.rb b/lib/gitlab/logger.rb
+index 89a4e36a232..ae379ffb27a 100644
+--- a/lib/gitlab/logger.rb
++++ b/lib/gitlab/logger.rb
+@@ -37,7 +37,7 @@ def self.build
+     end
+ 
+     def self.full_log_path
+-      Rails.root.join("log", file_name)
++      File.join(ENV["GITLAB_LOG_PATH"], file_name)
+     end
+ 
+     def self.cache_key
+diff --git a/lib/gitlab/uploads_transfer.rb b/lib/gitlab/uploads_transfer.rb
+index e0e7084e27e..19fab855b90 100644
+--- a/lib/gitlab/uploads_transfer.rb
++++ b/lib/gitlab/uploads_transfer.rb
+@@ -3,7 +3,7 @@
+ module Gitlab
+   class UploadsTransfer < ProjectTransfer
+     def root_dir
+-      FileUploader.root
++      ENV['GITLAB_UPLOADS_PATH'] || FileUploader.root
+     end
+   end
+ end
+diff --git a/lib/system_check/app/log_writable_check.rb b/lib/system_check/app/log_writable_check.rb
+index 2c108f0c18d..3a16ff52d01 100644
+--- a/lib/system_check/app/log_writable_check.rb
++++ b/lib/system_check/app/log_writable_check.rb
+@@ -23,7 +23,7 @@ def show_error
+       private
+ 
+       def log_path
+-        Rails.root.join('log')
++        ENV["GITLAB_LOG_PATH"]
+       end
+     end
+   end
+diff --git a/lib/system_check/app/uploads_directory_exists_check.rb b/lib/system_check/app/uploads_directory_exists_check.rb
+index 54dff63ab61..882da702f29 100644
+--- a/lib/system_check/app/uploads_directory_exists_check.rb
++++ b/lib/system_check/app/uploads_directory_exists_check.rb
+@@ -6,12 +6,13 @@ class UploadsDirectoryExistsCheck < SystemCheck::BaseCheck
+       set_name 'Uploads directory exists?'
+ 
+       def check?
+-        File.directory?(Rails.root.join('public/uploads'))
++        File.directory?(ENV['GITLAB_UPLOADS_PATH'] || Rails.root.join('public/uploads'))
+       end
+ 
+       def show_error
++        uploads_dir = ENV['GITLAB_UPLOADS_PATH'] || Rails.root.join('public/uploads')
+         try_fixing_it(
+-          "sudo -u #{gitlab_user} mkdir #{Rails.root}/public/uploads"
++          "sudo -u #{gitlab_user} mkdir #{uploads_dir}"
+         )
+         for_more_information(
+           see_installation_guide_section('GitLab')
+diff --git a/lib/system_check/app/uploads_path_permission_check.rb b/lib/system_check/app/uploads_path_permission_check.rb
+index 2e1cc687c43..ca69d63bcf6 100644
+--- a/lib/system_check/app/uploads_path_permission_check.rb
++++ b/lib/system_check/app/uploads_path_permission_check.rb
+@@ -27,7 +27,7 @@ def show_error
+       private
+ 
+       def rails_uploads_path
+-        Rails.root.join('public/uploads')
++        ENV['GITLAB_UPLOADS_PATH'] || Rails.root.join('public/uploads')
+       end
+ 
+       def uploads_fullpath
+diff --git a/lib/system_check/app/uploads_path_tmp_permission_check.rb b/lib/system_check/app/uploads_path_tmp_permission_check.rb
+index 567c7540777..29906b1c132 100644
+--- a/lib/system_check/app/uploads_path_tmp_permission_check.rb
++++ b/lib/system_check/app/uploads_path_tmp_permission_check.rb
+@@ -35,7 +35,7 @@ def upload_path_tmp
+       end
+ 
+       def uploads_fullpath
+-        File.realpath(Rails.root.join('public/uploads'))
++        File.realpath(ENV['GITLAB_UPLOADS_PATH'] || Rails.root.join('public/uploads'))
+       end
+     end
+   end
+diff --git a/scripts/decomposition/generate-loose-foreign-key b/scripts/decomposition/generate-loose-foreign-key
+index 35f84c64ce1..c2fecf3404c 100755
+--- a/scripts/decomposition/generate-loose-foreign-key
++++ b/scripts/decomposition/generate-loose-foreign-key
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env -S ENABLE_SPRING=0 bin/rails runner -e test
++#!/usr/bin/env rails
+ 
+ # This is helper script to swap foreign key to loose foreign key
+ # using DB schema

pkgs/by-name/gi/gitlab/reset_token.rake

@@ -0,0 +1,43 @@
+# Taken from:
+# https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/
+
+# lib/tasks/reset_token.rake
+require_relative '../../app/models/concerns/token_authenticatable.rb'
+
+STDOUT.sync = true
+
+namespace :tokens do
+  desc "Reset all GitLab user auth tokens"
+  task reset_all: :environment do
+    reset_all_users_token(:reset_authentication_token!)
+  end
+
+  desc "Reset all GitLab email tokens"
+  task reset_all_email: :environment do
+    reset_all_users_token(:reset_incoming_email_token!)
+  end
+
+  def reset_all_users_token(token)
+    TmpUser.find_in_batches do |batch|
+      puts "Processing batch starting with user ID: #{batch.first.id}"
+
+      batch.each(&token)
+    end
+  end
+end
+
+class TmpUser < ActiveRecord::Base
+  include TokenAuthenticatable
+
+  self.table_name = 'users'
+
+  def reset_authentication_token!
+    write_new_token(:authentication_token)
+    save!(validate: false)
+  end
+
+  def reset_incoming_email_token!
+    write_new_token(:incoming_email_token)
+    save!(validate: false)
+  end
+end

pkgs/by-name/gi/gitlab/rubyEnv/Gemfile

@@ -0,0 +1,760 @@
+# frozen_string_literal: true
+
+def next?
+  File.basename(__FILE__) == "Gemfile.next"
+end
+
+source 'https://rubygems.org'
+
+if ENV.fetch('BUNDLER_CHECKSUM_VERIFICATION_OPT_IN', 'false') != 'false' # this verification is still experimental
+  $LOAD_PATH.unshift(File.expand_path("gems/bundler-checksum/lib", __dir__))
+  require 'bundler-checksum'
+  BundlerChecksum.patch!
+end
+
+# Please see https://docs.gitlab.com/ee/development/feature_categorization/#gemfile
+ignore_feature_category = Module.new do
+  def gem(*arguments, feature_category: nil, **keyword_arguments) # rubocop:disable Lint/UnusedMethodArgument -- Ignoring feature_category intentionally
+    super(*arguments, **keyword_arguments)
+  end
+end
+
+extend ignore_feature_category
+
+gem 'bundler-checksum', '~> 0.1.0', path: 'gems/bundler-checksum', require: false, feature_category: :shared
+
+# See https://docs.gitlab.com/ee/development/gemfile.html#upgrade-rails for guidelines when upgrading Rails
+
+if next?
+  gem 'rails', '~> 7.2.2.2', feature_category: :shared
+else
+  gem 'rails', '~> 7.1.5.2', feature_category: :shared
+end
+
+gem 'activerecord-gitlab', path: 'gems/activerecord-gitlab', feature_category: :shared
+# This can be dropped after upgrading to Rails 7.2: https://github.com/rails/rails/pull/49674
+gem 'mutex_m', '~> 0.3', feature_category: :shared
+# Need by Rails
+gem 'drb', '~> 2.2', feature_category: :shared
+
+gem 'bootsnap', '~> 1.18.6', require: false, feature_category: :shared
+
+# Avoid the precompiled native gems because Omnibus needs to build this to ensure
+# LD_LIBRARY_PATH is correct: https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7730
+if RUBY_PLATFORM.include?('darwin')
+  gem 'ffi', '~> 1.17.2', feature_category: :shared
+else
+  gem 'ffi', '~> 1.17.2', force_ruby_platform: true, feature_category: :shared
+end
+
+gem 'openssl', '~> 3.0', feature_category: :shared
+
+gem 'gitlab-safe_request_store', path: 'gems/gitlab-safe_request_store', feature_category: :shared
+
+# GitLab Monorepo Gems
+group :monorepo do
+  gem 'gitlab-utils', path: 'gems/gitlab-utils', feature_category: :shared
+end
+
+gem 'gitlab-backup-cli', path: 'gems/gitlab-backup-cli', require: 'gitlab/backup/cli', feature_category: :backup_restore
+
+gem 'gitlab-secret_detection', '< 1.0', feature_category: :secret_detection
+
+# Responders respond_to and respond_with
+gem 'responders', '~> 3.0', feature_category: :shared
+
+gem 'sprockets', '~> 3.7.0', feature_category: :shared
+gem 'sprockets-rails', '~>  3.5.1', feature_category: :shared
+
+gem 'view_component', '~> 3.23.2', feature_category: :shared
+
+# Supported DBs
+gem 'pg', '~> 1.6.1', feature_category: :database
+
+gem 'rugged', '~> 1.6', feature_category: :gitaly
+
+gem 'faraday', '~> 2', feature_category: :shared
+gem 'faraday-retry', '~> 2', feature_category: :shared
+# Logger is a dependency of Faraday, but Logger 1.6.0 does not work with Chef.
+gem 'logger', '~> 1.7.0', feature_category: :shared
+
+gem 'marginalia', '~> 1.11.1', feature_category: :database
+
+# Authorization
+gem 'declarative_policy', '~> 2.0.1', feature_category: :shared
+
+# For source code paths mapping
+gem 'coverband', '6.1.5', require: false, feature_category: :shared
+
+# Authentication libraries
+gem 'devise', '~> 4.9.3', feature_category: :system_access
+gem 'devise-pbkdf2-encryptable', '~> 0.0.0', path: 'vendor/gems/devise-pbkdf2-encryptable',
+  feature_category: :system_access
+gem 'bcrypt', '~> 3.1', '>= 3.1.14', feature_category: :system_access
+gem 'doorkeeper', '~> 5.8', '>= 5.8.1', feature_category: :system_access
+gem 'doorkeeper-openid_connect', '~> 1.8.10', feature_category: :system_access
+gem 'doorkeeper-device_authorization_grant', '~> 1.0.0', feature_category: :system_access
+gem 'rexml', '~> 3.4.0', feature_category: :shared
+gem 'ruby-saml', '~> 1.18', feature_category: :system_access
+gem 'omniauth-saml', '~> 2.2.1', feature_category: :system_access
+gem 'omniauth', '~> 2.1.0', feature_category: :system_access
+gem 'omniauth-auth0', '~> 3.1', feature_category: :system_access
+gem 'omniauth-azure-activedirectory-v2', '~> 2.0', feature_category: :system_access
+gem 'omniauth-alicloud', '~> 3.0.0', feature_category: :system_access
+gem 'omniauth-github', '2.0.1', feature_category: :system_access
+# See vendor/gems/omniauth-gitlab/README.md
+gem 'omniauth-gitlab', '~> 4.0.0', path: 'vendor/gems/omniauth-gitlab', feature_category: :system_access
+gem 'omniauth-google-oauth2', '~> 1.1', feature_category: :system_access
+gem 'omniauth-oauth2-generic', '~> 0.2.2', feature_category: :system_access
+gem 'omniauth-shibboleth-redux', '~> 2.0', require: 'omniauth-shibboleth', feature_category: :system_access
+# See vendor/gems/omniauth_crowd/README.md
+gem 'omniauth_crowd', '~> 2.4.0', path: 'vendor/gems/omniauth_crowd', feature_category: :system_access
+gem 'omniauth_openid_connect', '~> 0.8.0', feature_category: :system_access
+# Locked until Ruby 3.0 upgrade since upgrading will pull in an updated net-smtp gem.
+# See https://docs.gitlab.com/ee/development/emails.html#rationale.
+gem 'openid_connect', '~> 2.3.0', feature_category: :system_access
+# See gem README.md
+gem 'omniauth-salesforce', '~> 1.0.5', path: 'vendor/gems/omniauth-salesforce', feature_category: :system_access
+gem 'omniauth-atlassian-oauth2', '~> 0.2.0', feature_category: :system_access
+gem 'rack-oauth2', '~> 2.2.1', feature_category: :system_access
+gem 'jwt', '~> 2.10.0', feature_category: :system_access
+
+# Kerberos authentication. EE-only
+gem 'gssapi', '~> 1.3.1', group: :kerberos, feature_category: :system_access
+gem 'timfel-krb5-auth', '~> 0.8', group: :kerberos, feature_category: :system_access
+
+# Spam and anti-bot protection
+gem 'recaptcha', '~> 5.12', require: 'recaptcha/rails', feature_category: :insider_threat
+gem 'akismet', '~> 3.0', feature_category: :insider_threat
+gem 'invisible_captcha', '~> 2.3.0', feature_category: :insider_threat
+
+# Two-factor authentication
+gem 'devise-two-factor', '~> 4.1.1', feature_category: :system_access
+gem 'rqrcode', '~> 2.2', feature_category: :system_access
+
+gem 'attr_encrypted', '~> 4.2', feature_category: :shared
+
+# GitLab Pages
+gem 'validates_hostname', '~> 1.0.13', feature_category: :pages
+gem 'rubyzip', '~> 2.4.0', require: 'zip', feature_category: :pages
+# GitLab Pages letsencrypt support
+gem 'acme-client', '~> 2.0.19', feature_category: :pages
+
+# Browser detection
+gem 'browser', '~> 5.3.1', feature_category: :shared
+
+# OS detection for usage ping
+gem 'ohai', '~> 18.1', feature_category: :product_analytics
+
+# GPG
+gem 'gpgme', '~> 2.0.24', feature_category: :source_code_management
+
+# LDAP Auth
+# GitLab fork with several improvements to original library. For full list of changes
+# see https://github.com/intridea/omniauth-ldap/compare/master...gitlabhq:master
+gem 'gitlab_omniauth-ldap', '~> 2.3.0', require: 'omniauth-ldap', feature_category: :system_access
+gem 'net-ldap', '~> 0.17.1', feature_category: :system_access
+
+# API
+gem 'grape', '~> 2.0.0', feature_category: :api
+gem 'grape-entity', '~> 1.0.1', feature_category: :api
+gem 'grape-swagger', '~> 2.1.2', group: [:development, :test], feature_category: :api
+gem 'grape-swagger-entity', '~> 0.5.5', group: [:development, :test], feature_category: :api
+gem 'grape-path-helpers', '~> 2.0.1', feature_category: :api
+gem 'rack-cors', '~> 2.0.1', require: 'rack/cors', feature_category: :shared
+
+# GraphQL API
+gem 'graphql', '2.5.11', feature_category: :api
+gem 'graphql-docs', '~> 5.2.0', group: [:development, :test], feature_category: :api
+gem 'apollo_upload_server', '~> 2.1.6', feature_category: :api
+
+# Cells
+gem 'gitlab-topology-service-client', '~> 0.1',
+  path: 'vendor/gems/gitlab-topology-service-client',
+  require: 'gitlab/cells/topology_service',
+  feature_category: :cell
+
+# Duo Workflow
+gem 'gitlab-duo-workflow-service-client', '~> 0.3',
+  path: 'vendor/gems/gitlab-duo-workflow-service-client',
+  feature_category: :agent_foundations
+
+# Generate Fake data
+gem 'ffaker', '~> 2.24', feature_category: :shared
+
+gem 'hashie', '~> 5.0.0', feature_category: :shared
+
+# Pagination
+gem 'kaminari', '~> 1.2.2', feature_category: :shared
+
+# HAML
+gem 'hamlit', '~> 3.0.0', feature_category: :shared
+
+# Files attachments
+gem 'carrierwave', '~> 1.3', feature_category: :shared
+gem 'mini_magick', '~> 4.12', feature_category: :shared
+gem 'marcel', '~> 1.0.4', feature_category: :shared
+
+# PDF generation
+gem 'prawn', feature_category: :vulnerability_management
+gem 'prawn-svg', feature_category: :vulnerability_management
+
+# for backups
+gem 'fog-aws', '~> 3.26', feature_category: :shared
+gem 'fog-core', '~> 2.5', feature_category: :shared
+gem 'fog-google', '~> 1.25', require: 'fog/google', feature_category: :shared
+gem 'fog-local', '~> 0.8', feature_category: :shared
+# NOTE:
+# the fog-aliyun gem since v0.4 pulls in aliyun-sdk transitively, which monkey-patches
+# the rest-client gem to drop the Content-Length header field for chunked transfers,
+# which may have knock-on effects on other features using `RestClient`.
+# We may want to update this dependency if this is ever addressed upstream, e.g. via
+# https://github.com/aliyun/aliyun-oss-ruby-sdk/pull/93
+gem 'fog-aliyun', '~> 0.4', feature_category: :shared
+gem 'gitlab-fog-azure-rm', '~> 2.3.0', require: 'fog/azurerm', feature_category: :shared
+
+# for Google storage
+
+# Need this specific version of google-apis-storage_v1 so that fog-google will utilize the updated list_objects with
+# match_glob support in google-apis-core 0.11.1. Because of this we also have to bump google-cloud-storage to 1.45.0.
+gem 'google-apis-storage_v1', '~> 0.29', feature_category: :shared
+gem 'google-cloud-storage', '~> 1.57.0', feature_category: :shared
+# We need >= 0.11.1 because that's when match_glob support is added to list_objects
+gem 'google-apis-core', '~> 0.18.0', '>= 0.18.0', feature_category: :shared
+gem 'google-apis-compute_v1', '~> 0.129.0', feature_category: :shared
+gem 'google-apis-container_v1', '~> 0.100.0', feature_category: :shared
+gem 'google-apis-container_v1beta1', '~> 0.90.0', feature_category: :shared
+gem 'google-apis-cloudbilling_v1', '~> 0.22.0', feature_category: :shared
+gem 'google-apis-cloudresourcemanager_v1', '~> 0.31.0', feature_category: :shared
+gem 'google-apis-iam_v1', '~> 0.73.0', feature_category: :shared
+gem 'google-apis-serviceusage_v1', '~> 0.28.0', feature_category: :shared
+gem 'google-apis-sqladmin_v1beta4', '~> 0.41.0', feature_category: :shared
+gem 'google-apis-androidpublisher_v3', '~> 0.86.0', feature_category: :shared
+
+gem 'googleauth', '~> 1.14', feature_category: :shared
+gem 'google-cloud-artifact_registry-v1', '~> 0.11.0', feature_category: :shared
+gem 'google-cloud-compute-v1', '~> 2.6.0', feature_category: :shared
+
+# Seed data
+gem 'seed-fu', '~> 2.3.7', feature_category: :shared
+
+# Search
+gem 'elasticsearch-model', '~> 7.2', feature_category: :global_search
+gem 'elasticsearch-rails', '~> 7.2', require: 'elasticsearch/rails/instrumentation', feature_category: :global_search
+gem 'elasticsearch-api', '7.17.11', feature_category: :global_search
+gem 'aws-sdk-core', '~> 3.226.0', feature_category: :global_search
+gem 'aws-sdk-cloudformation', '~> 1', feature_category: :global_search
+gem 'aws-sdk-s3', '~> 1.193.0', feature_category: :global_search
+gem 'faraday-typhoeus', '~> 1.1', feature_category: :global_search
+gem 'faraday_middleware-aws-sigv4', '~> 1.0.1', feature_category: :global_search
+# Used with Elasticsearch to support http keep-alive connections
+gem 'typhoeus', '~> 1.4.0', feature_category: :global_search
+
+gem 'gitlab-active-context', path: 'gems/gitlab-active-context', require: 'active_context',
+  feature_category: :global_search
+
+# Markdown and HTML processing
+gem 'html-pipeline', '~> 2.14.3', feature_category: :markdown
+gem 'deckar01-task_list', '2.3.4', feature_category: :markdown
+gem 'gitlab-markup', '~> 2.0.0', require: 'github/markup', feature_category: :markdown
+gem 'commonmarker', '~> 0.23.10', feature_category: :markdown
+gem 'kramdown', '~> 2.5.0', feature_category: :markdown
+gem 'RedCloth', '~> 4.3.3', feature_category: :markdown
+gem 'org-ruby', '~> 0.9.12', feature_category: :markdown
+gem 'creole', '~> 0.5.0', feature_category: :markdown
+gem 'wikicloth', '0.8.1', feature_category: :markdown
+gem 'asciidoctor', '~> 2.0.18', feature_category: :markdown
+gem 'asciidoctor-include-ext', '~> 0.4.0', require: false, feature_category: :markdown
+gem 'asciidoctor-plantuml', '~> 0.0.16', feature_category: :markdown
+gem 'asciidoctor-kroki', '~> 0.10.0', require: false, feature_category: :markdown
+gem 'rouge', '~> 4.6.0', feature_category: :shared
+gem 'truncato', '~> 0.7.13', feature_category: :team_planning
+gem 'nokogiri', '~> 1.18', feature_category: :shared
+gem 'gitlab-glfm-markdown', '~> 0.0.33', feature_category: :markdown
+gem 'tanuki_emoji', '~> 0.13', feature_category: :markdown
+gem 'unicode-emoji', '~> 4.0', feature_category: :markdown
+
+# Calendar rendering
+gem 'icalendar', '~> 2.10.1', feature_category: :team_planning
+
+# Diffs
+gem 'diffy', '~> 3.4', feature_category: :shared
+gem 'diff_match_patch', '~> 0.1.0', path: 'vendor/gems/diff_match_patch', feature_category: :team_planning
+
+# Application server
+gem 'rack', '~> 2.2.9', feature_category: :shared
+# https://github.com/zombocom/rack-timeout/blob/master/README.md#rails-apps-manually
+gem 'rack-timeout', '~> 0.7.0', require: 'rack/timeout/base', feature_category: :shared
+
+group :puma do
+  gem 'puma', '= 6.6.1', require: false, feature_category: :shared
+  gem 'sd_notify', '~> 0.1.0', require: false, feature_category: :shared
+end
+
+# State machine
+gem 'state_machines-activerecord', '~> 0.8.0', feature_category: :shared
+
+# Background jobs
+gem 'sidekiq', '~> 7.3.9', feature_category: :scalability
+gem 'sidekiq-cron', '~> 1.12.0', feature_category: :scalability
+gem 'gitlab-sidekiq-fetcher',
+  path: 'vendor/gems/sidekiq-reliable-fetch',
+  require: 'sidekiq-reliable-fetch',
+  feature_category: :scalability
+
+# Cron Parser
+gem 'fugit', '~> 1.11.1', feature_category: :continuous_integration
+
+# HTTP requests
+gem 'httparty', '~> 0.23.0', feature_category: :shared
+
+# Colored output to console
+gem 'rainbow', '~> 3.0', feature_category: :shared
+
+# Progress bar
+gem 'ruby-progressbar', '~> 1.10', feature_category: :shared
+
+# Linear-time regex library for untrusted regular expressions
+gem 're2', '~> 2.15', feature_category: :shared
+
+# Misc
+
+gem 'semver_dialects', '~> 3.7', feature_category: :software_composition_analysis
+gem 'version_sorter', '~> 2.3', feature_category: :shared
+gem 'csv_builder', path: 'gems/csv_builder', feature_category: :shared
+
+# Export Ruby Regex to Javascript
+gem 'js_regex', '~> 3.8', feature_category: :shared
+
+# User agent parsing
+gem 'device_detector', feature_category: :shared
+
+# Redis
+gem 'redis', '~> 5.4.0', feature_category: :redis
+gem 'redis-client', '~> 0.25', feature_category: :redis
+gem 'redis-cluster-client', '~> 0.13', feature_category: :redis
+gem 'redis-clustering', '~> 5.4.0', feature_category: :redis
+gem 'connection_pool', '~> 2.5.3', feature_category: :shared
+
+# Redis session store
+gem 'redis-actionpack', '~> 5.5.0', feature_category: :redis
+
+# Jira integration
+gem 'jira-ruby', '~> 2.3.0', feature_category: :integrations
+gem 'atlassian-jwt', '~> 0.2.1', feature_category: :integrations
+
+# Slack integration
+gem 'slack-messenger', '~> 2.3.5', feature_category: :integrations
+
+# Kubernetes integration
+gem 'kubeclient', '~> 4.12.0', feature_category: :shared
+
+# AI
+gem 'circuitbox', '2.0.0', feature_category: :shared
+
+# Sanitize user input
+gem 'sanitize', '~> 6.0.2', feature_category: :shared
+gem 'babosa', '~> 2.0', feature_category: :shared
+
+# Sanitizes SVG input
+gem 'loofah', '~> 2.24.0', feature_category: :shared
+
+# Used to provide license templates
+gem 'licensee', '~> 9.16', feature_category: :shared
+
+# Detect and convert string character encoding
+gem 'charlock_holmes', '~> 0.7.9', feature_category: :shared
+
+# Detect mime content type from content
+gem 'ruby-magic', '~> 0.6', feature_category: :shared
+
+# Faster blank
+gem 'fast_blank', '~> 1.0.1', feature_category: :shared
+
+# Parse time & duration
+gem 'gitlab-chronic', '~> 0.10.5', feature_category: :shared
+gem 'gitlab_chronic_duration', '~> 0.12', feature_category: :shared
+
+gem 'rack-proxy', '~> 0.7.7', feature_category: :shared
+
+gem 'cssbundling-rails', '1.4.3', feature_category: :shared
+gem 'terser', '1.0.2', feature_category: :shared
+
+gem 'click_house-client', '0.5.1', feature_category: :database
+gem 'addressable', '~> 2.8', feature_category: :shared
+gem 'gon', '~> 6.5.0', feature_category: :shared
+gem 'request_store', '~> 1.7.0', feature_category: :shared
+gem 'base32', '~> 0.3.0', feature_category: :shared
+gem 'gitlab-license', '~> 2.6', feature_category: :shared
+
+# Protect against bruteforcing
+gem 'rack-attack', '~> 6.7.0', feature_category: :shared
+
+# Sentry integration
+gem 'sentry-ruby', '~> 5.23.0', feature_category: :observability
+gem 'sentry-rails', '~> 5.23.0', feature_category: :observability
+gem 'sentry-sidekiq', '~> 5.23.0', feature_category: :observability
+
+# PostgreSQL query parsing
+#
+gem 'pg_query', '~> 6.1.0', feature_category: :database
+
+gem 'gitlab-schema-validation', path: 'gems/gitlab-schema-validation', feature_category: :shared
+gem 'gitlab-http', path: 'gems/gitlab-http', feature_category: :shared
+
+gem 'premailer-rails', '~> 1.12.0', feature_category: :notifications
+gem 'gitlab-labkit', '~> 0.40.0', feature_category: :shared
+gem 'thrift', '~> 0.22.0', feature_category: :shared
+
+# I18n
+gem 'rails-i18n', '~> 7.0', '>= 7.0.9', feature_category: :internationalization
+gem 'gettext_i18n_rails', '~> 1.13.0', feature_category: :internationalization
+gem 'gettext', '~> 3.5', '>= 3.5.1',
+  require: false,
+  group: [:development, :test],
+  feature_category: :internationalization
+
+gem 'batch-loader', '~> 2.0.5', feature_category: :shared
+
+gem 'tty-prompt', '~> 0.23', require: false, feature_category: :shared
+
+# Perf bar
+gem 'peek', '~> 1.1', feature_category: :shared
+
+# Snowplow events trackin
+gem 'snowplow-tracker', '~> 0.8.0', feature_category: :product_analytics
+
+# Metrics
+gem 'webrick', '~> 1.9.0', require: false, feature_category: :shared
+gem 'prometheus-client-mmap', '~> 1.2.9', require: 'prometheus/client', feature_category: :shared
+
+# Event-driven reactor for Ruby
+# Required manually in config/initializers/require_async_gem
+gem 'async', '~> 2.28.0', require: false, feature_category: :shared
+gem 'io-event', '~> 1.12', require: false, feature_category: :shared
+
+# Security report schemas used to validate CI job artifacts of security jobs
+gem 'gitlab-security_report_schemas', '0.1.3.min15.0.0.max15.2.3', feature_category: :vulnerability_management
+
+# Frontend bundling
+gem 'vite_rails', '~> 3.0.17', feature_category: :shared
+gem 'vite_ruby', '~> 3.9.0', feature_category: :shared
+
+# OpenTelemetry
+group :opentelemetry do
+  # Core OpenTelemetry gems
+  gem 'opentelemetry-sdk', feature_category: :observability
+  gem 'opentelemetry-exporter-otlp', feature_category: :observability
+
+  # OpenTelemetry gems selected from full set in `opentelemetry-instrumentation-all` metagem
+  gem 'opentelemetry-instrumentation-active_support', feature_category: :observability
+  gem 'opentelemetry-instrumentation-action_pack', feature_category: :observability
+  gem 'opentelemetry-instrumentation-active_job', feature_category: :observability
+  gem 'opentelemetry-instrumentation-active_record', feature_category: :observability
+  gem 'opentelemetry-instrumentation-action_view', feature_category: :observability
+  gem 'opentelemetry-instrumentation-aws_sdk', feature_category: :observability
+  gem 'opentelemetry-instrumentation-http', feature_category: :observability
+  gem 'opentelemetry-instrumentation-concurrent_ruby', feature_category: :observability
+  gem 'opentelemetry-instrumentation-ethon', feature_category: :observability
+  gem 'opentelemetry-instrumentation-excon', feature_category: :observability
+  gem 'opentelemetry-instrumentation-faraday', feature_category: :observability
+  gem 'opentelemetry-instrumentation-grape', feature_category: :observability
+  gem 'opentelemetry-instrumentation-graphql', feature_category: :observability
+  gem 'opentelemetry-instrumentation-http_client', feature_category: :observability
+  gem 'opentelemetry-instrumentation-net_http', feature_category: :observability
+  gem 'opentelemetry-instrumentation-pg', feature_category: :observability
+  gem 'opentelemetry-instrumentation-rack', feature_category: :observability
+  gem 'opentelemetry-instrumentation-rails', feature_category: :observability
+  gem 'opentelemetry-instrumentation-rake', feature_category: :observability
+  gem 'opentelemetry-instrumentation-redis', feature_category: :observability
+  gem 'opentelemetry-instrumentation-sidekiq', feature_category: :observability
+end
+
+gem 'warning', '~> 1.5.0', feature_category: :shared
+
+group :development do
+  gem 'lefthook', '~> 1.12.0', require: false, feature_category: :tooling
+  gem 'rubocop', feature_category: :tooling, require: false
+  gem 'debug', '~> 1.11.0', feature_category: :shared
+
+  gem 'solargraph', '~> 0.54.0', require: false, feature_category: :shared
+  gem 'solargraph-rspec', '~> 0.5.1', require: false, feature_category: :shared
+
+  gem 'letter_opener_web', '~> 3.0.0', feature_category: :shared
+  gem 'lookbook', '~> 2.3', feature_category: :shared
+
+  # Better errors handler
+  gem 'better_errors', '~> 2.10.1', feature_category: :shared
+
+  gem 'sprite-factory', '~> 1.7', feature_category: :shared
+
+  gem 'listen', '~> 3.7', feature_category: :shared
+
+  gem 'ruby-lsp', "~> 0.23.0", require: false, feature_category: :tooling
+
+  gem 'ruby-lsp-rails', "~> 0.3.6", feature_category: :tooling
+
+  gem 'ruby-lsp-rspec', "~> 0.1.10", require: false, feature_category: :tooling
+
+  gem 'gdk-toogle', '~> 0.9', '>= 0.9.5', require: 'toogle', feature_category: :tooling
+
+  # Used by
+  # * `lib/tasks/gitlab/security/update_banned_ssh_keys.rake`
+  # * `lib/tasks/gitlab/db/migration_squash.rake`
+  gem 'git', '~> 1.8', feature_category: :shared
+end
+
+group :development, :test do
+  gem 'deprecation_toolkit', '~> 2.2.3', require: false, feature_category: :shared
+  gem 'bullet', '~> 8.0.0', feature_category: :shared
+  gem 'parser', '= 3.3.9.0', feature_category: :shared
+  gem 'pry-byebug', feature_category: :shared
+  gem 'pry-rails', '~> 0.3.9', feature_category: :shared
+  gem 'pry-shell', '~> 0.6.4', feature_category: :shared
+
+  gem 'awesome_print', require: false, feature_category: :shared
+
+  gem 'database_cleaner-active_record', '~> 2.2.0', feature_category: :database
+  gem 'rspec-rails', '~> 7.1.0', feature_category: :shared
+  gem 'factory_bot_rails', '~> 6.5.0', feature_category: :tooling
+
+  # Prevent occasions where minitest is not bundled in packaged versions of ruby (see #3826)
+  gem 'minitest', '~> 5.11.0', feature_category: :shared
+
+  gem 'spring', '~> 4.3.0', feature_category: :shared
+  gem 'spring-commands-rspec', '~> 1.0.4', feature_category: :shared
+
+  gem 'gitlab-styles', '~> 13.1.0', feature_category: :tooling, require: false
+  gem 'haml_lint', '~> 0.58', feature_category: :tooling, require: false
+
+  # Benchmarking & profiling
+  gem 'benchmark-ips', '~> 2.14.0', require: false, feature_category: :shared
+  gem 'benchmark-memory', '~> 0.1', require: false, feature_category: :shared
+
+  gem 'knapsack', '~> 4.0.0', feature_category: :tooling
+  gem 'gitlab-crystalball', '~> 1.1.0', require: false, feature_category: :tooling
+  gem 'test_file_finder', '~> 0.3.1', feature_category: :tooling
+
+  gem 'simple_po_parser', '~> 1.1.6', require: false, feature_category: :shared
+
+  gem 'png_quantizator', '~> 0.2.1', require: false, feature_category: :shared
+
+  gem 'parallel', '~> 1.19', require: false, feature_category: :shared
+
+  gem 'sigdump', '~> 0.2.4', require: 'sigdump/setup', feature_category: :shared
+
+  gem 'pact', '~> 1.64', feature_category: :shared
+
+  gem 'gitlab-housekeeper', path: 'gems/gitlab-housekeeper', feature_category: :tooling
+
+  gem 'yard', '~> 0.9', require: false, feature_category: :tooling
+end
+
+group :development, :test, :danger do
+  gem 'gitlab-dangerfiles', '~> 4.10.0', require: false, feature_category: :tooling
+end
+
+group :development, :test, :coverage do
+  gem 'simplecov', '~> 0.22', require: false, feature_category: :tooling
+  gem 'simplecov-lcov', '~> 0.8.0', require: false, feature_category: :tooling
+  gem 'simplecov-cobertura', '~> 2.1.0', require: false, feature_category: :tooling
+  gem 'undercover', '~> 0.7.0', require: false, feature_category: :tooling
+end
+
+# Gems required in omnibus-gitlab pipeline
+group :development, :test, :omnibus do
+  gem 'license_finder', '~> 7.0', require: false, feature_category: :shared
+end
+
+# Gems required in various pipelines
+group :development, :test, :monorepo do
+  gem 'gitlab-rspec', path: 'gems/gitlab-rspec', feature_category: :shared
+  gem 'gitlab-rspec_flaky', path: 'gems/gitlab-rspec_flaky', feature_category: :tooling
+end
+
+group :test do
+  gem 'rspec-retry', '~> 0.6.2', feature_category: :tooling
+  gem 'rspec_profiling', '~> 0.0.9', feature_category: :tooling
+  gem 'rspec-benchmark', '~> 0.6.0', feature_category: :tooling
+  gem 'rspec-parameterized', '~> 1.0', '>= 1.0.2', require: false, feature_category: :tooling
+  gem 'os', '~> 1.1', '>= 1.1.4', feature_category: :tooling
+
+  gem 'capybara', '~> 3.40', feature_category: :test_platform
+  gem 'capybara-screenshot', '~> 1.0.26', feature_category: :test_platform
+  gem 'selenium-webdriver', '~> 4.21', '>= 4.21.1', feature_category: :test_platform
+
+  gem 'graphlyte', '~> 1.0.0', feature_category: :shared
+
+  # Upload CI metrics to a GCP BigQuery instance
+  #
+  # We only use this gem in CI.
+  gem 'google-cloud-bigquery', '~> 1.0', feature_category: :tooling
+
+  gem 'shoulda-matchers', '~> 6.4.0', require: false, feature_category: :shared
+  gem 'email_spec', '~> 2.3.0', feature_category: :shared
+  gem 'webmock', '~> 3.25.0', feature_category: :shared
+  gem 'rails-controller-testing', feature_category: :shared
+  gem 'concurrent-ruby', '~> 1.1', feature_category: :shared
+  gem 'test-prof', '~> 1.4.0', feature_category: :tooling
+  gem 'rspec_junit_formatter', feature_category: :shared
+  gem 'guard-rspec', feature_category: :shared
+  gem 'axe-core-rspec', '~> 4.10.0', feature_category: :tooling
+  gem 'state_machines-rspec', '~> 0.6', feature_category: :shared
+
+  # Moved in `test` because https://gitlab.com/gitlab-org/gitlab/-/issues/217527
+  gem 'derailed_benchmarks', require: false, feature_category: :shared
+
+  gem 'gitlab_quality-test_tooling', '~> 2.20.0', require: false, feature_category: :tooling
+end
+
+gem 'octokit', '~> 9.0', feature_category: :importers
+# Needed by octokit: https://github.com/octokit/octokit.rb/pull/1688
+gem 'faraday-multipart', '~> 1.0', feature_category: :importers
+
+gem 'gitlab-mail_room', '~> 0.0.24', require: 'mail_room', feature_category: :shared
+
+gem 'email_reply_trimmer', '~> 0.1', feature_category: :shared
+gem 'html2text', feature_category: :shared
+
+gem 'stackprof', '~> 0.2.26', require: false, feature_category: :shared
+gem 'rbtrace', '~> 0.4', require: false, feature_category: :shared
+gem 'memory_profiler', '~> 1.0', require: false, feature_category: :shared
+
+# OAuth
+gem 'oauth2', '~> 2.0', feature_category: :system_access
+
+# Health check
+gem 'health_check', '~> 3.0', feature_category: :shared
+
+# System information
+gem 'vmstat', '~> 2.3.0', feature_category: :shared
+gem 'sys-filesystem', '~> 1.4.3', feature_category: :shared
+
+# NTP client
+gem 'net-ntp', feature_category: :shared
+
+# SSH keys support
+gem 'ssh_data', '~> 1.3', feature_category: :shared
+
+# Spamcheck GRPC protocol definitions
+gem 'spamcheck', '~> 1.3.0', feature_category: :insider_threat
+
+# Gitaly GRPC protocol definitions
+gem 'gitaly', '~> 18.4.0.pre.rc1', feature_category: :gitaly
+
+# KAS GRPC protocol definitions
+gem 'gitlab-kas-grpc', '~> 18.3.0', feature_category: :deployment_management
+
+gem 'grpc', '~> 1.74.0', feature_category: :shared
+
+gem 'google-protobuf', '~> 3.25', '>= 3.25.3', feature_category: :shared
+
+gem 'toml-rb', '~> 2.2.0', feature_category: :shared
+
+# Feature toggles
+gem 'flipper', '~> 0.28.0', feature_category: :shared
+gem 'flipper-active_record', '~> 0.28.0', feature_category: :shared
+gem 'flipper-active_support_cache_store', '~> 0.28.0', feature_category: :shared
+gem 'unleash', '~> 3.2.2', feature_category: :shared
+gem 'gitlab-experiment', '~> 0.9.1', feature_category: :shared
+
+# Structured logging
+gem 'lograge', '~> 0.5', feature_category: :shared
+gem 'grape_logging', '~> 1.8', '>= 1.8.4', feature_category: :api
+
+# DNS Lookup
+gem 'gitlab-net-dns', '~> 0.15.0', feature_category: :shared
+
+# Countries list
+gem 'countries', '~> 4.0.0', feature_category: :shared
+
+gem 'retriable', '~> 3.1.2', feature_category: :shared
+
+# LRU cache
+gem 'lru_redux', feature_category: :shared
+
+# Locked as long as quoted-printable encoding issues are not resolved
+# Monkey-patched in `config/initializers/mail_encoding_patch.rb`
+# See https://gitlab.com/gitlab-org/gitlab/issues/197386
+#
+# `config/initializers/mail_starttls_patch.rb` has also been patched to
+# fix STARTTLS handling until https://github.com/mikel/mail/pull/1536 is
+# released.
+gem 'mail', '= 2.8.1', feature_category: :shared
+gem 'mail-smtp_pool', '~> 0.1.0', path: 'gems/mail-smtp_pool', require: false, feature_category: :shared
+
+gem 'microsoft_graph_mailer', '~> 0.1.0', path: 'vendor/gems/microsoft_graph_mailer', feature_category: :shared
+
+# File encryption
+gem 'lockbox', '~> 1.4.0', feature_category: :shared
+
+# Email validation
+gem 'valid_email', '~> 0.1', feature_category: :shared
+
+# JSON
+gem 'jsonb_accessor', '~> 1.4', feature_category: :shared
+gem 'json', '~> 2.13.0', feature_category: :shared
+gem 'json_schemer', '~> 2.3.0', feature_category: :shared
+gem 'oj', '~> 3.16.0', '>=3.16.10', feature_category: :shared
+gem 'oj-introspect', '~> 0.8', feature_category: :shared
+gem 'multi_json', '~> 1.17.0', feature_category: :shared
+gem 'yajl-ruby', '~> 1.4.3', require: 'yajl', feature_category: :shared
+
+gem 'webauthn', '~> 3.0', feature_category: :shared
+
+# IPAddress utilities
+gem 'ipaddress', '~> 0.8.3', feature_category: :shared
+
+gem 'parslet', '~> 1.8', feature_category: :shared
+
+gem 'ipynbdiff', path: 'gems/ipynbdiff', require: 'ipynb_diff', feature_category: :shared
+
+gem 'ed25519', '~> 1.4.0', feature_category: :shared
+
+# Error Tracking OpenAPI client
+# See https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/development/rake_tasks.md#update-openapi-client-for-error-tracking-feature
+gem 'error_tracking_open_api', path: 'gems/error_tracking_open_api', feature_category: :shared
+
+# Vulnerability advisories
+gem 'cvss-suite', '~> 3.3.0', require: 'cvss_suite', feature_category: :software_composition_analysis
+
+# Work with RPM packages
+gem 'arr-pm', '~> 0.0.12', feature_category: :package_registry
+
+# Remote Development
+gem 'devfile', '~> 0.4.8', feature_category: :workspaces
+gem 'hashdiff', '~> 1.2.0', feature_category: :workspaces
+
+# Apple plist parsing
+gem 'CFPropertyList', '~> 3.0.0', feature_category: :mobile_devops
+gem 'app_store_connect', feature_category: :mobile_devops
+
+# For phone verification
+gem 'telesignenterprise', '~> 2.6', feature_category: :insider_threat
+
+# NOTE: In Ruby 3.4 base64 was moved out of the stdlib
+# This gem was added while upgrading `telesignenterprise` to 2.6.0 to ensure compatibility with Ruby 3.4
+gem "base64", "~> 0.2.0", feature_category: :shared
+
+# BufferedIO patch
+gem 'net-protocol', '~> 0.2.2', feature_category: :shared
+gem "nkf", "~> 0.2.0", feature_category: :shared
+
+# This is locked to 0.6.0 because we patch Net::HTTP#connect in
+# gems/gitlab-http/lib/net_http/connect_patch.rb.
+# It can be upgraded but care must be taken to preserve the patch.
+gem 'net-http', '= 0.6.0', feature_category: :shared
+# This is locked to 0.13.0 because the default parser changes from RFC2396 to RFC3986,
+# which can be removed after Rails 7.2 upgrade
+# See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173142#note_2277952450
+gem 'uri', '= 0.13.2', feature_category: :shared
+
+gem 'duo_api', '~> 1.3', feature_category: :system_access
+
+gem 'gitlab-sdk', '~> 0.3.0', feature_category: :application_instrumentation
+
+gem 'paper_trail', '~> 16.0', feature_category: :shared
+
+gem "i18n_data", "~> 0.13.1", feature_category: :system_access
+
+gem "gitlab-cloud-connector", "~> 1.26", require: 'gitlab/cloud_connector', feature_category: :plan_provisioning

pkgs/by-name/gi/gitlab/update.py

@@ -0,0 +1,444 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -I nixpkgs=../../../.. -i python3 -p bundix bundler nix-update nix python3 python3Packages.requests python3Packages.click python3Packages.click-log python3Packages.packaging prefetch-yarn-deps git go
+
+import click
+import click_log
+import re
+import logging
+import subprocess
+import json
+import pathlib
+import tempfile
+from packaging.version import Version
+from typing import Iterable
+
+import requests
+
+NIXPKGS_PATH = pathlib.Path(__file__).parent / "../../../../"
+GITLAB_DIR = pathlib.Path(__file__).parent
+
+logger = logging.getLogger(__name__)
+click_log.basic_config(logger)
+
+
+class GitLabRepo:
+    version_regex = re.compile(r"^v\d+\.\d+\.\d+(\-rc\d+)?(\-ee)?(\-gitlab)?")
+
+    def __init__(self, owner: str = "gitlab-org", repo: str = "gitlab"):
+        self.owner = owner
+        self.repo = repo
+
+    @property
+    def url(self):
+        return f"https://gitlab.com/{self.owner}/{self.repo}"
+
+    @property
+    def tags(self) -> Iterable[str]:
+        """Returns a sorted list of repository tags"""
+        r = requests.get(self.url + "/refs?sort=updated_desc&ref=master").json()
+        tags = r.get("Tags", [])
+
+        # filter out versions not matching version_regex
+        versions = list(filter(self.version_regex.match, tags))
+
+        # sort, but ignore v, -ee and -gitlab for sorting comparisons
+        versions.sort(
+            key=lambda x: Version(
+                x.replace("v", "").replace("-ee", "").replace("-gitlab", "")
+            ),
+            reverse=True,
+        )
+        return versions
+    def get_git_hash(self, rev: str):
+        return (
+            subprocess.check_output(
+                [
+                    "nix-prefetch-url",
+                    "--unpack",
+                    f"https://gitlab.com/{self.owner}/{self.repo}/-/archive/{rev}/{self.repo}-{rev}.tar.gz",
+                ]
+            )
+            .decode("utf-8")
+            .strip()
+        )
+
+    def get_yarn_hash(self, rev: str):
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            with open(tmp_dir + "/yarn.lock", "w") as f:
+                f.write(self.get_file("yarn.lock", rev))
+            return (
+                subprocess.check_output(["prefetch-yarn-deps", tmp_dir + "/yarn.lock"])
+                .decode("utf-8")
+                .strip()
+            )
+
+    @staticmethod
+    def rev2version(tag: str) -> str:
+        """
+        normalize a tag to a version number.
+        This obviously isn't very smart if we don't pass something that looks like a tag
+        :param tag: the tag to normalize
+        :return: a normalized version number
+        """
+        # strip v prefix
+        version = re.sub(r"^v", "", tag)
+        # strip -ee and -gitlab suffixes
+        return re.sub(r"-(ee|gitlab)$", "", version)
+
+    def get_file(self, filepath, rev):
+        """
+        returns file contents at a given rev
+        :param filepath: the path to the file, relative to the repo root
+        :param rev: the rev to fetch at
+        :return:
+        """
+        return requests.get(self.url + f"/raw/{rev}/{filepath}").text
+
+    def get_data(self, rev):
+        version = self.rev2version(rev)
+
+        passthru = {
+            v: self.get_file(v, rev).strip()
+            for v in [
+                "GITALY_SERVER_VERSION",
+                "GITLAB_PAGES_VERSION",
+                "GITLAB_SHELL_VERSION",
+                "GITLAB_ELASTICSEARCH_INDEXER_VERSION",
+            ]
+        }
+        passthru["GITLAB_WORKHORSE_VERSION"] = version
+
+        return dict(
+            version=self.rev2version(rev),
+            repo_hash=self.get_git_hash(rev),
+            yarn_hash=self.get_yarn_hash(rev),
+            owner=self.owner,
+            repo=self.repo,
+            rev=rev,
+            passthru=passthru,
+        )
+
+
+def _get_data_json():
+    data_file_path = pathlib.Path(__file__).parent / "data.json"
+    with open(data_file_path, "r") as f:
+        return json.load(f)
+
+
+def _call_nix_update(pkg, version):
+    """calls nix-update from nixpkgs root dir"""
+    return subprocess.check_output(
+        ["nix-update", pkg, "--version", version], cwd=NIXPKGS_PATH
+    )
+
+
+@click_log.simple_verbosity_option(logger)
+@click.group()
+def cli():
+    pass
+
+
+@cli.command("update-data")
+@click.option("--rev", default="latest", help="The rev to use (vX.Y.Z-ee), or 'latest'")
+def update_data(rev: str):
+    """Update data.json"""
+    logger.info("Updating data.json")
+
+    repo = GitLabRepo()
+    if rev == "latest":
+        # filter out pre and rc releases
+        rev = next(filter(lambda x: not ("rc" in x or x.endswith("pre")), repo.tags))
+
+    data_file_path = pathlib.Path(__file__).parent / "data.json"
+
+    data = repo.get_data(rev)
+
+    with open(data_file_path.as_posix(), "w") as f:
+        json.dump(data, f, indent=2)
+        f.write("\n")
+
+
+@cli.command("update-rubyenv")
+def update_rubyenv():
+    """Update rubyEnv"""
+    logger.info("Updating gitlab")
+    repo = GitLabRepo()
+    rubyenv_dir = pathlib.Path(__file__).parent / "rubyEnv"
+
+    # load rev from data.json
+    data = _get_data_json()
+    rev = data["rev"]
+    version = data["version"]
+
+    for fn in ["Gemfile.lock", "Gemfile"]:
+        with open(rubyenv_dir / fn, "w") as f:
+            f.write(repo.get_file(fn, rev))
+
+    # update to 1.2.9 to include https://gitlab.com/gitlab-org/ruby/gems/prometheus-client-mmap/-/commit/5d77f3f3e048834250589b416c6b3d4bba65a570
+    subprocess.check_output(
+        ["sed", "-i", "s:'prometheus-client-mmap', '~> 1.2.8':'prometheus-client-mmap', '~> 1.2.9':g", "Gemfile"],
+        cwd=rubyenv_dir,
+    )
+
+    # Un-vendor sidekiq
+    #
+    # The sidekiq dependency was vendored to maintain compatibility with Redis 6.0 (as
+    # stated in this [comment]) but unfortunately, it seems to cause a crash in the
+    # application, as noted in this [upstream issue].
+    #
+    # We can safely swap out the dependency, as our Redis release in nixpkgs is >= 7.0.
+    #
+    # [comment]: https://gitlab.com/gitlab-org/gitlab/-/issues/468435#note_1979750600
+    # [upstream issue]: https://gitlab.com/gitlab-org/gitlab/-/issues/468435
+    subprocess.check_output(
+        ["sed", "-i", "s|gem 'sidekiq', path: 'vendor/gems/sidekiq', require: 'sidekiq'|gem 'sidekiq', '~> 7.3.9'|g", "Gemfile"],
+        cwd=rubyenv_dir,
+    )
+
+    # Fetch vendored dependencies temporarily in order to build the gemset.nix
+    subprocess.check_output(["mkdir", "-p", "vendor/gems", "gems"], cwd=rubyenv_dir)
+    subprocess.check_output(
+        [
+            "sh",
+            "-c",
+            f"curl -L https://gitlab.com/gitlab-org/gitlab/-/archive/v{version}-ee/gitlab-v{version}-ee.tar.bz2?path=vendor/gems | tar -xj --strip-components=3",
+        ],
+        cwd=f"{rubyenv_dir}/vendor/gems",
+    )
+    subprocess.check_output(
+        [
+            "sh",
+            "-c",
+            f"curl -L https://gitlab.com/gitlab-org/gitlab/-/archive/v{version}-ee/gitlab-v{version}-ee.tar.bz2?path=gems | tar -xj --strip-components=2",
+        ],
+        cwd=f"{rubyenv_dir}/gems",
+    )
+
+    # Undo our gemset.nix patches so that bundix runs through
+    subprocess.check_output(
+        ["sed", "-i", "-e", "s|\\${src}/||g", "gemset.nix"], cwd=rubyenv_dir
+    )
+    subprocess.check_output(
+        ["sed", "-i", "-e", "s|^src:[[:space:]]||g", "gemset.nix"], cwd=rubyenv_dir
+    )
+
+    subprocess.check_output(["bundle", "lock"], cwd=rubyenv_dir)
+    subprocess.check_output(["bundix"], cwd=rubyenv_dir)
+
+    subprocess.check_output(
+        [
+            "sed",
+            "-i",
+            "-e",
+            "1c\\src: {",
+            "-e",
+            's:path = \\(vendor/[^;]*\\);:path = "${src}/\\1";:g',
+            "-e",
+            's:path = \\(gems/[^;]*\\);:path = "${src}/\\1";:g',
+            "gemset.nix",
+        ],
+        cwd=rubyenv_dir,
+    )
+    subprocess.check_output(["rm", "-rf", "vendor", "gems"], cwd=rubyenv_dir)
+
+    # Reformat gemset.nix
+    subprocess.check_output(["nix-shell", "--run", "treefmt pkgs/by-name/gi/gitlab"], cwd=NIXPKGS_PATH)
+
+
+@cli.command("update-gitaly")
+def update_gitaly():
+    """Update gitaly"""
+    logger.info("Updating gitaly")
+    data = _get_data_json()
+    gitaly_server_version = data['passthru']['GITALY_SERVER_VERSION']
+    repo = GitLabRepo(repo="gitaly")
+    gitaly_dir = pathlib.Path(__file__).parent / 'gitaly'
+
+    makefile = repo.get_file("Makefile", f"v{gitaly_server_version}")
+    makefile += "\nprint-%:;@echo $($*)\n"
+
+    git_version = subprocess.run(["make", "-f", "-", "print-GIT_VERSION"], check=True, input=makefile, text=True, capture_output=True).stdout.strip()
+
+    _call_nix_update("gitaly", gitaly_server_version)
+    _call_nix_update("gitaly.git", git_version)
+
+
+@cli.command("update-gitlab-pages")
+def update_gitlab_pages():
+    """Update gitlab-pages"""
+    logger.info("Updating gitlab-pages")
+    data = _get_data_json()
+    gitlab_pages_version = data["passthru"]["GITLAB_PAGES_VERSION"]
+    _call_nix_update("gitlab-pages", gitlab_pages_version)
+
+
+def get_container_registry_version() -> str:
+    """Returns the version attribute of gitlab-container-registry"""
+    return subprocess.check_output(
+        [
+            "nix",
+            "--experimental-features",
+            "nix-command",
+            "eval",
+            "-f",
+            ".",
+            "--raw",
+            "gitlab-container-registry.version",
+        ],
+        cwd=NIXPKGS_PATH,
+    ).decode("utf-8")
+
+
+@cli.command("update-gitlab-shell")
+def update_gitlab_shell():
+    """Update gitlab-shell"""
+    logger.info("Updating gitlab-shell")
+    data = _get_data_json()
+    gitlab_shell_version = data["passthru"]["GITLAB_SHELL_VERSION"]
+    _call_nix_update("gitlab-shell", gitlab_shell_version)
+
+
+@cli.command("update-gitlab-workhorse")
+def update_gitlab_workhorse():
+    """Update gitlab-workhorse"""
+    logger.info("Updating gitlab-workhorse")
+    data = _get_data_json()
+    gitlab_workhorse_version = data["passthru"]["GITLAB_WORKHORSE_VERSION"]
+    _call_nix_update("gitlab-workhorse", gitlab_workhorse_version)
+
+
+@cli.command("update-gitlab-container-registry")
+@click.option("--rev", default="latest", help="The rev to use (vX.Y.Z-ee), or 'latest'")
+@click.option(
+    "--commit", is_flag=True, default=False, help="Commit the changes for you"
+)
+def update_gitlab_container_registry(rev: str, commit: bool):
+    """Update gitlab-container-registry"""
+    logger.info("Updading gitlab-container-registry")
+    repo = GitLabRepo(repo="container-registry")
+    old_container_registry_version = get_container_registry_version()
+
+    if rev == "latest":
+        rev = next(filter(lambda x: not ("rc" in x or x.endswith("pre")), repo.tags))
+
+    version = repo.rev2version(rev)
+    _call_nix_update("gitlab-container-registry", version)
+    if commit:
+        new_container_registry_version = get_container_registry_version()
+        commit_container_registry(
+            old_container_registry_version, new_container_registry_version
+        )
+
+
+@cli.command('update-gitlab-elasticsearch-indexer')
+def update_gitlab_elasticsearch_indexer():
+    """Update gitlab-elasticsearch-indexer"""
+    data = _get_data_json()
+    gitlab_elasticsearch_indexer_version = data['passthru']['GITLAB_ELASTICSEARCH_INDEXER_VERSION']
+    _call_nix_update('gitlab-elasticsearch-indexer', gitlab_elasticsearch_indexer_version)
+    # Update the dependency gitlab-code-parser
+    src_workdir = subprocess.check_output(
+        [
+            "nix-build",
+            "-A",
+            "gitlab-elasticsearch-indexer.src",
+        ],
+        cwd=NIXPKGS_PATH,
+    ).decode("utf-8").strip()
+    codeparser_module = json.loads(
+        subprocess.check_output(
+            [
+                "go",
+                "list",
+                "-m",
+                "-json",
+                "gitlab.com/gitlab-org/rust/gitlab-code-parser/bindings/go"
+            ],
+            cwd=src_workdir
+        ).decode("utf-8").strip()
+    )
+    codeparser_version = codeparser_module["Version"].replace("v", "")
+    _call_nix_update('gitlab-elasticsearch-indexer.codeParserBindings', codeparser_version)
+
+
+@cli.command("update-all")
+@click.option("--rev", default="latest", help="The rev to use (vX.Y.Z-ee), or 'latest'")
+@click.option(
+    "--commit", is_flag=True, default=False, help="Commit the changes for you"
+)
+@click.pass_context
+def update_all(ctx, rev: str, commit: bool):
+    """Update all gitlab components to the latest stable release"""
+    old_data_json = _get_data_json()
+    old_container_registry_version = get_container_registry_version()
+
+    ctx.invoke(update_data, rev=rev)
+
+    new_data_json = _get_data_json()
+
+    ctx.invoke(update_rubyenv)
+    ctx.invoke(update_gitaly)
+    ctx.invoke(update_gitlab_pages)
+    ctx.invoke(update_gitlab_shell)
+    ctx.invoke(update_gitlab_workhorse)
+    ctx.invoke(update_gitlab_elasticsearch_indexer)
+    if commit:
+        commit_gitlab(
+            old_data_json["version"], new_data_json["version"], new_data_json["rev"]
+        )
+
+    ctx.invoke(update_gitlab_container_registry)
+    if commit:
+        new_container_registry_version = get_container_registry_version()
+        commit_container_registry(
+            old_container_registry_version, new_container_registry_version
+        )
+
+
+def commit_gitlab(old_version: str, new_version: str, new_rev: str) -> None:
+    """Commits the gitlab changes for you"""
+    subprocess.run(
+        [
+            "git",
+            "add",
+            "pkgs/by-name/gi/gitlab",
+            "pkgs/by-name/gi/gitaly",
+            "pkgs/by-name/gi/gitlab-elasticsearch-indexer",
+            "pkgs/by-name/gi/gitlab-pages",
+        ],
+        cwd=NIXPKGS_PATH,
+    )
+    subprocess.run(
+        [
+            "git",
+            "commit",
+            "--message",
+            f"""gitlab: {old_version} -> {new_version}\n\nhttps://gitlab.com/gitlab-org/gitlab/-/blob/{new_rev}/CHANGELOG.md""",
+        ],
+        cwd=NIXPKGS_PATH,
+    )
+
+
+def commit_container_registry(old_version: str, new_version: str) -> None:
+    """Commits the gitlab-container-registry changes for you"""
+    subprocess.run(
+        [
+            "git",
+            "add",
+            "pkgs/by-name/gi/gitlab-container-registry"
+        ],
+        cwd=NIXPKGS_PATH,
+    )
+    subprocess.run(
+        [
+            "git",
+            "commit",
+            "--message",
+            f"gitlab-container-registry: {old_version} -> {new_version}\n\nhttps://gitlab.com/gitlab-org/container-registry/-/blob/v{new_version}-gitlab/CHANGELOG.md",
+        ],
+        cwd=NIXPKGS_PATH,
+    )
+
+
+if __name__ == "__main__":
+    cli()