Add latest changes from gitlab-org/gitlab@master

GITALY_SERVER_VERSION

-00c7c2a5a1820397e65fbcff67cdd05bb961a40b
+c26e2a89d3841b7c730cd18b0d02831a7daf9c0b

app/controllers/groups/variables_controller.rb

@@ -15,7 +15,12 @@ module Groups
     end
 
     def update
-      if @group.update(group_variables_params)
+      update_result = Ci::ChangeVariablesService.new(
+        container: @group, current_user: current_user,
+        params: group_variables_params
+      ).execute
+
+      if update_result
         respond_to do |format|
           format.json { render_group_variables }
         end

app/models/commit_collection.rb

@@ -47,7 +47,10 @@ class CommitCollection
     pipelines = project.ci_pipelines.latest_pipeline_per_commit(map(&:id), ref)
 
     each do |commit|
-      commit.set_latest_pipeline_for_ref(ref, pipelines[commit.id])
+      pipeline = pipelines[commit.id]
+      pipeline&.number_of_warnings # preload number of warnings
+
+      commit.set_latest_pipeline_for_ref(ref, pipeline)
     end
 
     self

app/services/ci/change_variable_service.rb

+# frozen_string_literal: true
+
+module Ci
+  class ChangeVariableService < BaseContainerService
+    def execute
+      case params[:action]
+      when :create
+        container.variables.create(params[:variable_params])
+      when :update
+        variable.tap do |target_variable|
+          target_variable.update(params[:variable_params].except(:key))
+        end
+      when :destroy
+        variable.tap do |target_variable|
+          target_variable.destroy
+        end
+      end
+    end
+
+    private
+
+    def variable
+      container.variables.find_by!(params[:variable_params].slice(:key)) # rubocop:disable CodeReuse/ActiveRecord
+    end
+  end
+end
+
+::Ci::ChangeVariableService.prepend_if_ee('EE::Ci::ChangeVariableService')

app/services/ci/change_variables_service.rb

+# frozen_string_literal: true
+
+module Ci
+  class ChangeVariablesService < BaseContainerService
+    def execute
+      container.update(params)
+    end
+  end
+end
+
+::Ci::ChangeVariablesService.prepend_if_ee('EE::Ci::ChangeVariablesService')

changelogs/unreleased/id-fix-n-1-for-commits.yml

+---
+title: Preload number of pipeline warnings for commits
+merge_request: 37669
+author:
+type: performance

doc/api/members.md

@@ -16,6 +16,12 @@ Due to [an issue](https://gitlab.com/gitlab-org/gitlab/-/issues/219299),
 projects in personal namespaces will not show owner (`50`) permission
 for owner.
 
+## Limitations
+
+The `group_saml_identity` attribute is only visible to a group owner for [SSO enabled groups](../user/group/saml_sso/index.md).
+
+The `email` attribute is only visible to a group owner who manages the user through [Group Managed Accounts](../user/group/saml_sso/group_managed_accounts.md).
+
 ## List all members of a group or project
 
 Gets a list of group or project members viewable by the authenticated user.
@@ -389,9 +395,3 @@ curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://git
 ## Give a group access to a project
 
 See [share project with group](projects.md#share-project-with-group)
-
-## Limitations
-
-The `group_saml_identity` attribute is only visible to a group owner for [SSO enabled groups](../user/group/saml_sso/index.md).
-
-The `email` attribute is only visible to a group owner who manages the user through [Group Managed Accounts](../user/group/saml_sso/group_managed_accounts.md).

doc/development/gotchas.md

@@ -238,3 +238,34 @@ This problem will disappear as soon as we upgrade to Rails 6 and use the Zeitwer
 - Rails Guides: [Autoloading and Reloading Constants (Classic Mode)](https://guides.rubyonrails.org/autoloading_and_reloading_constants_classic_mode.html)
 - Ruby Constant lookup: [Everything you ever wanted to know about constant lookup in Ruby](http://cirw.in/blog/constant-lookup)
 - Rails 6 and Zeitwerk autoloader: [Understanding Zeitwerk in Rails 6](https://medium.com/cedarcode/understanding-zeitwerk-in-rails-6-f168a9f09a1f)
+
+## Storing assets that do not require pre-compiling
+
+Assets that need to be served to the user are stored under the `app/assets` directory, which is later pre-compiled and placed in the `public/` directory.
+
+However, you cannot access the content of any file from within `app/assets` from the application code, as we do not include that folder in production installations as a [space saving measure](https://gitlab.com/gitlab-org/omnibus-gitlab/-/commit/ca049f990b223f5e1e412830510a7516222810be).
+
+```ruby
+support_bot = User.support_bot
+
+# accessing a file from the `app/assets` folder
+support_bot.avatar = Rails.root.join('app', 'assets', 'images', 'bot_avatars', 'support_bot.png').open
+
+support_bot.save!
+```
+
+While the code above works in local environments, it errors out in production installations as the `app/assets` folder is not included.
+
+### Solution
+
+The alternative is the `lib/assets` folder. Use it if you need to add assets (like images) to the repo that meet the following conditions:
+
+- The assets do not need to be directly served to the user (and hence need not be pre-compiled).
+- The assets do need to be accessed via application code.
+
+In short:
+
+Use `app/assets` for storing any asset that needs to be precompiled and served to the end user.
+Use `lib/assets` for storing any asset that does not need to be served to the end user directly, but is still required to be accessed by the application code.
+
+MR for reference: [!37671](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/37671)

doc/development/telemetry/usage_ping.md

@@ -738,8 +738,8 @@ appear to be associated to any of the services running, since they all appear to
 | `server`                                                  | `topology > nodes > node_services`   | `enablement`  |                  |         | The type of web server used (Unicorn or Puma)                              |
 | `network_policy_forwards`                                 | `counts`                             | `defend`      |                  | EE      | Cumulative count of forwarded packets by Container Network                 |
 | `network_policy_drops`                                    | `counts`                             | `defend`      |                  | EE      | Cumulative count of dropped packets by Container Network                   |
-| `vendor`                                                  | `container_registry`                 | `package`     |                  | CE+EE   | The Container Registry vendor (GitLab or third-party)                      |
-| `version`                                                 | `container_registry`                 | `package`     |                  | CE+EE   | The Container Registry version (only when vendor is GitLab)                |
+| `vendor`                                                  | `container_registry_server`          | `package`     |                  | CE+EE   | The Container Registry vendor (GitLab or third-party)                      |
+| `version`                                                 | `container_registry_server`          | `package`     |                  | CE+EE   | The Container Registry version (only when vendor is GitLab)                |
 
 ## Example Usage Ping payload
 
@@ -814,7 +814,7 @@ The following is example content of the Usage Ping payload.
     "enabled": true,
     "version": "1.17.0"
   },
-  "container_registry": {
+  "container_registry_server": {
     "vendor": "gitlab",
     "version": "2.9.1-gitlab"
   },

doc/development/testing_guide/review_apps.md

@@ -142,6 +142,9 @@ the following node pools:
 
 - `e2-highcpu-16` (16 vCPU, 16 GB memory) pre-emptible nodes with autoscaling
 
+Node pool image type must be `Container-Optimized OS (cos)`, not `Container-Optimized OS with Containerd (cos_containerd)`,
+due to this [known issue on GitLab Runner Kubernetes executor](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4755)
+
 ### Helm
 
 The Helm version used is defined in the

doc/operations/metrics/dashboards/yaml.md

@@ -55,7 +55,7 @@ Panels in a panel group are laid out in rows consisting of two panels per row. A
 
 | Property | Type | Required | Description |
 | ------ | ------ | ------ | ------- |
-| `type` | enum | no, defaults to `area-chart` | Specifies the panel type to use, for example `area-chart`, `line-chart` or `anomaly-chart`. [View documentation on all panel types.](panel_types.md) |
+| `type` | string | no, defaults to `area-chart` | Specifies the panel type to use, for example `area-chart`, `line-chart` or `anomaly-chart`. Only types listed among [all panel types](panel_types.md) are allowed. |
 | `title` | string | yes | Heading for the panel. |
 | `y_label` | string | no, but highly encouraged | Y-Axis label for the panel. |
 | `y_axis` | string | no | Y-Axis configuration for the panel. |

doc/security/two_factor_authentication.md

@@ -39,8 +39,9 @@ period to `0`.
 
 If you want to enforce 2FA only for certain groups, you can:
 
-1. Enable it in the group's **Settings > General** page.
-1. Optionally specify a grace period as above.
+1. Enable it in the group's **Settings > General** page. Navigate to **Permissions, LFS, 2FA > Two-factor authentication**.
+You can then check the **Require all users in this group to setup Two-factor authentication** option.
+1. You can also specify a grace period in the **Time before enforced** option.
 
 To change this setting, you need to be administrator or owner of the group.
 

doc/user/admin_area/abuse_reports.md

@@ -12,6 +12,14 @@ View and resolve abuse reports from GitLab users.
 GitLab administrators can view and [resolve](#resolving-abuse-reports) abuse
 reports in the Admin Area.
 
+## Receiving notifications of abuse reports
+
+To receive notifications of new abuse reports by e-mail, follow these steps:
+
+1. Select **{admin}** **Admin Area > Settings >  Reporting**.
+1. Expand the **Abuse reports** section.
+1. Provide an email address.
+
 ## Reporting abuse
 
 To find out more about reporting abuse, see [abuse reports user

doc/user/application_security/index.md

@@ -243,6 +243,36 @@ Click this button to create a merge request to apply the solution onto the sourc
 
 ![Create merge request from vulnerability](img/create_issue_with_list_hover.png)
 
+### Managing related issues for a vulnerability
+
+Issues can be linked to a vulnerability using the related issues block on the vulnerability page.
+The relationship is uni-directional. The vulnerability page shows related issues, but the issue page
+doesn't show the vulnerability it's related to. An issue can only be related to one vulnerability at
+a time. Issues can be linked across groups and projects.
+
+#### Adding a related issue
+
+You can link an issue by clicking the **{plus}** button in the **Related Issues** block.
+
+![Vulnerability related issues add button](img/vulnerability_related_issues_add_button_v13_2.png)
+
+A text box appears that lets you type an issue number or paste an issue link. You can enter multiple
+issues at once. Pressing the space bar after each issue number or link converts them to tags that
+you can remove by clicking the **{close}** icon to the tag's right. Typing `#` followed by a number
+shows an autocomplete menu. Click an issue in the menu to add it as a tag. When you're finished
+entering issues, click the **Add** button to link the issues to the vulnerability. Alternatively,
+click **Cancel** to exit without linking any issues.
+
+![Vulnerability related issues text box tags animation](img/vulnerability_related_issues_text_box_tags_v13_2.gif)
+
+### Removing a related issue
+
+Click the **{close}** icon to right of an issue to remove it as a related issue. Note that this only
+removes it as a related issue of the vulnerability; it doesn't modify or remove the issue itself.
+You can link it to the vulnerability again if desired.
+
+![Vulnerability related issues remove issue animation](img/vulnerability_related_issues_remove_v13_2.gif)
+
 ## Security approvals in merge requests
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9928) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.2.

doc/user/project/clusters/kubernetes_pod_logs.md

 ---
-stage: Configure
-group: Configure
+stage: Monitor
+group: APM
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
 ---
 
@@ -9,56 +9,54 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/4752) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.0.
 > - [Moved](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/26383) to [GitLab Core](https://about.gitlab.com/pricing/) 12.9.
 
-GitLab makes it easy to view the logs of running pods in [connected Kubernetes clusters](index.md).
-By displaying the logs directly in GitLab in the **Log Explorer**, developers can avoid
-managing console tools or jumping to a different interface.
-
-NOTE: **Note:**
-[Learn more about Kubernetes + GitLab](https://about.gitlab.com/solutions/kubernetes/).
-Everything you need to build, test, deploy, and run your application at scale.
-
-## Overview
-
-[Kubernetes](https://kubernetes.io) logs can be viewed directly within GitLab with
-the **Log Explorer**.
+GitLab makes it easy to view the logs of running pods or managed applications in
+[connected Kubernetes clusters](index.md). By displaying the logs directly in GitLab
+in the **Log Explorer**, developers can avoid managing console tools or jumping
+to a different interface. The **Log Explorer** interface provides a set of filters
+above the log file data, depending on your configuration:
 
 ![Pod logs](img/kubernetes_pod_logs_v12_10.png)
 
+- **Namespace** - Select the environment to display. Users with Maintainer or
+  greater [permissions](../../permissions.md) can also select Managed Apps.
+- **Search** - Only available if the Elastic Stack managed application is installed.
+- **Time picker** - Select the range of time to display. Only available if the
+  Elastic Stack managed application is installed.
+- **Scroll to bottom** **{scroll_down}** - Scroll to the end of the displayed logs.
+- **Refresh** **{retry}** - Reload the displayed logs.
+
 <i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
-To learn more, see [APM - Log Explorer](https://www.youtube.com/watch?v=hWclZHA7Dgw).
+To learn more about the Log Explorer, see [APM - Log Explorer](https://www.youtube.com/watch?v=hWclZHA7Dgw).
+
+NOTE: **Note:**
+[Learn more about Kubernetes + GitLab](https://about.gitlab.com/solutions/kubernetes/).
+Everything you need to build, test, deploy, and run your application at scale.
 
 ## Requirements
 
 [Deploying to a Kubernetes environment](../deploy_boards.md#enabling-deploy-boards)
 is required to use Logs.
 
-## Usage
-
-To access logs, you must have the right [permissions](../../permissions.md#project-members-permissions).
-
-You can access them in two ways.
-
-### From the project sidebar
+## Accessing the log explorer
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/22011) in GitLab 12.5.
+To access the **Log explorer**, click the **More actions** **{ellipsis_v}** menu on
+a [metrics dashboard](../../../operations/metrics/index.md) and select **View logs**, or:
 
-Go to **{cloud-gear}** **Operations > Pod logs** on the sidebar menu to display
-the **Log Explorer**.
+1. Sign in as a user with the _View pod logs_
+   [permissions](../../permissions.md#project-members-permissions) in the project.
+1. *To navigate to the **Log Explorer** from the sidebar menu,* go to
+   **{cloud-gear}** **Operations > Pod logs**.
+   ([Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/22011) in GitLab 12.5.)
+1. *To navigate to the **Log Explorer** from a specific pod on a [Deploy Board](../deploy_boards.md):*
 
-![Sidebar menu](img/sidebar_menu_pod_logs_v12_10.png)
-
-### From Deploy Boards
-
-Logs can be displayed by clicking on a specific pod from [Deploy Boards](../deploy_boards.md):
-
-1. Go to **{cloud-gear}** **Operations > Environments** and find the environment
-   which contains the desired pod, like `production`.
-1. On the **Environments** page, you should see the status of the environment's
-   pods with [Deploy Boards](../deploy_boards.md).
-1. When mousing over the list of pods, a tooltip will appear with the exact pod name
-   and status.
-   ![Deploy Boards pod list](img/pod_logs_deploy_board.png)
-1. Click on the desired pod to display the **Log Explorer**.
+   1. Go to **{cloud-gear}** **Operations > Environments** and find the environment
+      which contains the desired pod, like `production`.
+   1. On the **Environments** page, you should see the status of the environment's
+      pods with [Deploy Boards](../deploy_boards.md).
+   1. When mousing over the list of pods, GitLab displays a tooltip with the exact pod name
+      and status.
+      ![Deploy Boards pod list](img/pod_logs_deploy_board.png)
+   1. Click on the desired pod to display the **Log Explorer**.
 
 ### Logs view
 
@@ -69,6 +67,7 @@ The **Log Explorer** lets you filter the logs by:
 - [From GitLab 12.7](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/21656),
   [full text search](#full-text-search).
 - [From GitLab 12.8](https://gitlab.com/gitlab-org/gitlab/-/issues/197879), dates.
+- [From GitLab 13.2](https://gitlab.com/gitlab-org/gitlab/-/issues/208790), managed apps.
 
 Loading more than 500 log lines is possible from
 [GitLab 12.9](https://gitlab.com/gitlab-org/gitlab/-/issues/198050) onward.
@@ -93,17 +92,16 @@ Click **Show last** in the **Log Explorer** to see the available options.
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/21656) in GitLab 12.7.
 
 When you enable [Elastic Stack](../../clusters/applications.md#elastic-stack) on your cluster,
-you can search the content of your logs through a search bar.
-
-The search is passed on to Elasticsearch using the
+you can search the content of your logs through a search bar. The search is passed
+to Elasticsearch using the
 [simple_query_string](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-simple-query-string-query.html)
 Elasticsearch function, which supports the following operators:
 
-| Operator                   | Description                                                |
-|----------------------------|------------------------------------------------------------|
-|  `\|`                      | An OR operation.                                            |
+| Operator                   | Description                                                 |
+|----------------------------|-------------------------------------------------------------|
+|  `\|`                      | An `OR` operation.                                          |
 | `-`                        | Negates a single token.                                     |
-| `+`                        | An AND operation.                                           |
+| `+`                        | An `AND` operation.                                         |
 | `"`                        | Wraps a number of tokens to signify a phrase for searching. |
 | `*` (at the end of a term) | A prefix query.                                             |
 | `(` and `)`                | Precedence.                                                 |

doc/user/project/import/tfvc.md

@@ -41,6 +41,14 @@ Advantages of migrating to Git/GitLab:
 
 ## How to migrate
 
-The best option to migrate from TFVC to Git is to use the [`git-tfs`](https://github.com/git-tfs/git-tfs)
-tool. Read the [Migrate TFS to Git](https://github.com/git-tfs/git-tfs/blob/master/doc/usecases/migrate_tfs_to_git.md)
-guide for more details.
+Migration options from TFVC to Git depend on your operating system.
+
+- If you're migrating on Microsoft Windows:
+
+  Use the [`git-tfs`](https://github.com/git-tfs/git-tfs)
+tool.
+  Read the [Migrate TFS to Git](https://github.com/git-tfs/git-tfs/blob/master/doc/usecases/migrate_tfs_to_git.md) guide for details.
+
+- If you're on a Unix-based system:
+
+  Follow the procedures described with this [TFVC to Git migration tool](https://github.com/turbo/gtfotfs).

lib/api/group_variables.rb

@@ -51,9 +51,11 @@ module API
         optional :variable_type, type: String, values: ::Ci::GroupVariable.variable_types.keys, desc: 'The type of variable, must be one of env_var or file. Defaults to env_var'
       end
       post ':id/variables' do
-        variable_params = declared_params(include_missing: false)
-
-        variable = user_group.variables.create(variable_params)
+        variable = ::Ci::ChangeVariableService.new(
+          container: user_group,
+          current_user: current_user,
+          params: { action: :create, variable_params: declared_params(include_missing: false) }
+        ).execute
 
         if variable.valid?
           present variable, with: Entities::Variable
@@ -74,17 +76,19 @@ module API
       end
       # rubocop: disable CodeReuse/ActiveRecord
       put ':id/variables/:key' do
-        variable = user_group.variables.find_by(key: params[:key])
-
-        break not_found!('GroupVariable') unless variable
-
-        variable_params = declared_params(include_missing: false).except(:key)
+        variable = ::Ci::ChangeVariableService.new(
+          container: user_group,
+          current_user: current_user,
+          params: { action: :update, variable_params: declared_params(include_missing: false) }
+        ).execute
 
-        if variable.update(variable_params)
+        if variable.valid?
           present variable, with: Entities::Variable
         else
           render_validation_error!(variable)
         end
+      rescue ::ActiveRecord::RecordNotFound
+        not_found!('GroupVariable')
       end
       # rubocop: enable CodeReuse/ActiveRecord
 
@@ -96,10 +100,17 @@ module API
       end
       # rubocop: disable CodeReuse/ActiveRecord
       delete ':id/variables/:key' do
-        variable = user_group.variables.find_by(key: params[:key])
-        not_found!('GroupVariable') unless variable
-
-        destroy_conditionally!(variable)
+        variable = user_group.variables.find_by!(key: params[:key])
+
+        destroy_conditionally!(variable) do |target_variable|
+          ::Ci::ChangeVariableService.new(
+            container: user_group,
+            current_user: current_user,
+            params: { action: :destroy, variable_params: declared_params(include_missing: false) }
+          ).execute
+        end
+      rescue ::ActiveRecord::RecordNotFound
+        not_found!('GroupVariable')
       end
       # rubocop: enable CodeReuse/ActiveRecord
     end

lib/gitlab/usage_data.rb

@@ -255,7 +255,7 @@ module Gitlab
             enabled: alt_usage_data(fallback: nil) { Gitlab.config.pages.enabled },
             version: alt_usage_data { Gitlab::Pages::VERSION }
           },
-          container_registry: {
+          container_registry_server: {
             vendor: alt_usage_data(fallback: nil) { Gitlab::CurrentSettings.container_registry_vendor },
             version: alt_usage_data(fallback: nil) { Gitlab::CurrentSettings.container_registry_version }
           },

qa/qa/specs/features/browser_ui/7_configure/auto_devops/auto_devops_templates_spec.rb

@@ -17,7 +17,7 @@ module QA
       end
 
       with_them do
-        let(:project) do
+        let!(:project) do
           Resource::Project.fabricate_via_api! do |project|
             project.name = "#{template}-autodevops-project-template"
             project.template_name = template

spec/lib/gitlab/usage_data_spec.rb

@@ -591,8 +591,8 @@ RSpec.describe Gitlab::UsageData, :aggregate_failures do
         expect(subject[:gitaly][:clusters]).to be >= 0
         expect(subject[:gitaly][:filesystems]).to be_an(Array)
         expect(subject[:gitaly][:filesystems].first).to be_a(String)
-        expect(subject[:container_registry][:vendor]).to eq('gitlab')
-        expect(subject[:container_registry][:version]).to eq('x.y.z')
+        expect(subject[:container_registry_server][:vendor]).to eq('gitlab')
+        expect(subject[:container_registry_server][:version]).to eq('x.y.z')
       end
     end
 

spec/models/commit_collection_spec.rb

@@ -52,27 +52,38 @@ RSpec.describe CommitCollection do
   end
 
   describe '#with_latest_pipeline' do
+    let(:another_commit) { project.commit("60ecb67744cb56576c30214ff52294f8ce2def98") }
+
     let!(:pipeline) do
-      create(
-        :ci_empty_pipeline,
-        ref: 'master',
-        sha: commit.id,
-        status: 'success',
-        project: project
-      )
+      create(:ci_empty_pipeline, ref: 'master', sha: commit.id, status: 'success', project: project)
+    end
+
+    let!(:another_pipeline) do
+      create(:ci_empty_pipeline, ref: 'master', sha: another_commit.id, status: 'success', project: project)
     end
-    let(:collection) { described_class.new(project, [commit]) }
+
+    let(:collection) { described_class.new(project, [commit, another_commit]) }
 
     it 'sets the latest pipeline for every commit so no additional queries are necessary' do
       commits = collection.with_latest_pipeline('master')
 
       recorder = ActiveRecord::QueryRecorder.new do
         expect(commits.map { |c| c.latest_pipeline('master') })
-          .to eq([pipeline])
+          .to eq([pipeline, another_pipeline])
       end
 
       expect(recorder.count).to be_zero
     end
+
+    it 'performs a single query to fetch pipeline warnings' do
+      recorder = ActiveRecord::QueryRecorder.new do
+        collection.with_latest_pipeline('master').each do |c|
+          c.latest_pipeline('master').number_of_warnings.itself
+        end
+      end
+
+      expect(recorder.count).to eq(2) # 1 for pipelines, 1 for warnings counts
+    end
   end
 
   describe '#with_markdown_cache' do

spec/requests/api/group_variables_spec.rb

@@ -169,6 +169,14 @@ RSpec.describe API::GroupVariables do
 
         expect(response).to have_gitlab_http_status(:not_found)
       end
+
+      it 'responds with 400 if the update fails' do
+        put api("/groups/#{group.id}/variables/#{variable.key}", user), params: { value: 'shrt', masked: true }
+
+        expect(response).to have_gitlab_http_status(:bad_request)
+        expect(variable.reload.masked).to eq(false)
+        expect(json_response['message']).to eq('value' => ['is invalid'])
+      end
     end
 
     context 'authorized user with invalid permissions' do

spec/services/ci/change_variable_service_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ci::ChangeVariableService do
+  let(:service) { described_class.new(container: group, current_user: user, params: params) }
+
+  let_it_be(:user) { create(:user) }
+  let(:group) { create(:group) }
+
+  describe '#execute' do
+    subject(:execute) { service.execute }
+
+    context 'when creating a variable' do
+      let(:params) { { variable_params: { key: 'new_variable', value: 'variable_value' }, action: :create } }
+
+      it 'persists a variable' do
+        expect { execute }.to change(Ci::GroupVariable, :count).from(0).to(1)
+      end
+    end
+
+    context 'when updating a variable' do
+      let!(:variable) { create(:ci_group_variable, value: 'old_value') }
+      let(:params) { { variable_params: { key: variable.key, value: 'new_value' }, action: :update } }
+
+      before do
+        group.variables << variable
+      end
+
+      it 'updates a variable' do
+        expect { execute }.to change { variable.reload.value }.from('old_value').to('new_value')
+      end
+
+      context 'when the variable does not exist' do
+        before do
+          variable.destroy!
+        end
+
+        it 'raises a record not found error' do
+          expect { execute }.to raise_error(::ActiveRecord::RecordNotFound)
+        end
+      end
+    end
+
+    context 'when destroying a variable' do
+      let!(:variable) { create(:ci_group_variable) }
+      let(:params) { { variable_params: { key: variable.key }, action: :destroy } }
+
+      before do
+        group.variables << variable
+      end
+
+      it 'destroys a variable' do
+        expect { execute }.to change { Ci::GroupVariable.exists?(variable.id) }.from(true).to(false)
+      end
+
+      context 'when the variable does not exist' do
+        before do
+          variable.destroy!
+        end
+
+        it 'raises a record not found error' do
+          expect { execute }.to raise_error(::ActiveRecord::RecordNotFound)
+        end
+      end
+    end
+  end
+end

spec/services/ci/change_variables_service_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ci::ChangeVariablesService do
+  let(:service) { described_class.new(container: group, current_user: user, params: params) }
+
+  let_it_be(:user) { create(:user) }
+  let(:group) { spy(:group, variables: []) }
+  let(:params) { { variables_attributes: [{ key: 'new_variable', value: 'variable_value' }] } }
+
+  describe '#execute' do
+    subject(:execute) { service.execute }
+
+    it 'delegates to ActiveRecord update' do
+      execute
+
+      expect(group).to have_received(:update).with(params)
+    end
+  end
+end

spec/support/helpers/stub_object_storage.rb

 # frozen_string_literal: true
 
 module StubObjectStorage
-  def stub_packages_object_storage(**params)
-    stub_object_storage_uploader(config: ::Gitlab.config.packages.object_store,
-                                  uploader: ::Packages::PackageFileUploader,
-                                  remote_directory: 'packages',
-                                  **params)
-  end
-
   def stub_dependency_proxy_object_storage(**params)
     stub_object_storage_uploader(config: ::Gitlab.config.dependency_proxy.object_store,
                                   uploader: ::DependencyProxy::FileUploader,

spec/tasks/gitlab/packages/migrate_rake_spec.rb

@@ -18,7 +18,7 @@ RSpec.describe 'gitlab:packages namespace rake task' do
 
     context 'object storage disabled' do
       before do
-        stub_packages_object_storage(enabled: false)
+        stub_package_file_object_storage(enabled: false)
       end
 
       it "doesn't migrate files" do
@@ -28,7 +28,7 @@ RSpec.describe 'gitlab:packages namespace rake task' do
 
     context 'object storage enabled' do
       before do
-        stub_packages_object_storage
+        stub_package_file_object_storage
       end
 
       it 'migrates local file to object storage' do

spec/uploaders/packages/package_file_uploader_spec.rb

@@ -15,7 +15,7 @@ RSpec.describe Packages::PackageFileUploader do
 
   context 'object store is remote' do
     before do
-      stub_packages_object_storage
+      stub_package_file_object_storage
     end
 
     include_context 'with storage', described_class::Store::REMOTE
@@ -29,7 +29,7 @@ RSpec.describe Packages::PackageFileUploader do
 
     context 'with object storage enabled' do
       before do
-        stub_packages_object_storage
+        stub_package_file_object_storage
       end
 
       it 'can store file remotely' do