@smaglangit could you please do the initial backend review as it's blocking some future MRs?

All of these shouldn't reside in the namespaces table, and we should address this technical debt.

Column	Index
custom_project_templates_group_id	index_namespaces_on_custom_project_templates_group_id_and_type
file_template_project_id	index_namespaces_on_file_template_project_id
push_rule_id	index_namespaces_on_push_rule_id
runners_token_encrypted	index_namespaces_on_runners_token_encrypted
ldap_sync_last_successful_update_at	index_namespaces_on_ldap_sync_last_successful_update_at

@alipniagov approved!

What does this MR do and why?

Remove feature flags:

• allow_projects_to_create_service_accounts
• allow_subgroups_to_create_service_accounts

...to enable service account management in subgroups and projects by default.

Both FFs are globally enabled on .com within %18.10.

These two FFs are tightly coupled, so I see a very little value in splitting this MR per-FF: it will touch the same files all again.

References

allow_projects_to_create_service_accounts rollout issue: https://gitlab.com/gitlab-org/gitlab/-/work_items/586190+

allow_subgroups_to_create_service_accounts rollout issue: https://gitlab.com/gitlab-org/gitlab/-/work_items/582313+

How to set up and validate locally

N/A - FF removal.
Rely on CI and reviews.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #586190

@julie_huang Thanks! Feel free to merge for the release. 🚀

What does this MR do and why?

• Adds provider column to ai_self_hosted_models table
• Adds provider enum to SelfHostedModel Rails model

Context:

We want to grow our roster of provider options and need to start storing that information in the backend on the self-hosted model record. Currently that information is inferred by the frontend using the stored model identifier, but this is a brittle approach that doesn't scale well.

References

Issue: #507967

Screenshots or screen recordings

Before	After

How to set up and validate locally

Pre-requisites:

An active Ultimate license.

1. Start GDK in self-managed mode GITLAB_SIMULATE_SAAS=0 gdk start
2. Run the Duo setup rake task GITLAB_SIMULATE_SAAS=0 bundle exec 'rake gitlab:duo:setup' to seed instance with necessary Duo data
3. Navigate to the self-hosted models page http://gdk.test:3000/admin/gitlab_duo/model_selection/models and ensure there are no regressions by ensuring that you can create, edit, delete and assign self-hosted models.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

We're adding an index on namespace_details.deletion_scheduled_at in Migrate adjourned group deletion to namespace s... (!226560 - merged), which we moved out of state_metadata.

@abime I have addressed your comments. 🏓

Good catch! I have updated the specs.

For now, I just want to replicate the behavior of the service, which only archived the project, and the policy also didn't check if the parent was scheduled for deletion. This will also be addressed in the migration to state management.

This is because of this override https://gitlab.com/gitlab-org/gitlab/-/blob/0be623bd96762dbbe89cdb67abc2e53cb92d385e/app/models/project.rb#L3136. We'll remove it once we migrate to state management.

A part of this will be covered under Fix mismatch between namespace states and proje... (#593442).

But this would be completely addressed in Iteration 4: Replace legacy state checks with n... (gitlab-org#17958).

Another example of this inconsistency that currently exists is if you archive a project, then schedule it for deletion, but then restore the project, the project doesn't stay archived, it goes back to the unarchived state. We're addressing such inconsistencies in the above epic.

This doesn't warrant a feature flag; we're just shifting the responsibility from the service to the policy to enforce the same behavior. We also have good spec coverage.

Abdul Wadood (6fab4e2a) at 16 Mar 04:10

... and 1037 more commits

@aslota database LGTM!

What does this MR do and why?

Delay the removal of deprecated name and onlyAvailable arguments in WorkItemTypes GraphQL API from milestone 18.11 to 19.0 to avoid multi-version compatibility issues during rolling deployments as discussed here.

This ensures that if the frontend stops using the name and onlyAvailable fields in 18.11 via #593234, there's an additional milestone buffer before backend removal to prevent scenarios where old frontends query new backends that no longer support these arguments.

References

• !226979
• #593280
• #593038

Screenshots or screen recordings

NA

How to set up and validate locally

NA

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Completed in Backfill `project_authorizations_for_migrations... (!190716 - merged).

@chen-gitlab I have dropped some comments. 🏓

I would suggest avoiding a fixed set of routes.

Instead, we can get the namespace_id/project_id like we try to get the organization_id in lib/gitlab/current/organization.rb.

@rutgerwessels do you have any suggestions here since you've worked on the above?

We will have some GET requests as well, where we would be writing to the DB. So instead of relying on these HTTP methods, we should just check if the namespace is read-only or not.