gitlab gitlab-org/gitlab v16.7.0-ee

5 months ago

36 new features 3231 total badges

Package
List repository tags with new Container Registry API (SaaS only): Container Registry

Previously, the Container Registry relied on the Docker/OCI listing image tags registry API to list and display tags in GitLab. This API had significant performance and discoverability limitations.

This API performed slowly because the number of network requests against the registry scaled with the number of tags in the tags list. In addition, because the API didn't track publish time, the published timestamp was often incorrect. There were also limitations when displaying images based on Docker manifest lists or OCI indexes, such as for multi-architecture images.

To address these limitations, we introduced a new registry list repository tags API. By updating the user interface to use the new API, the number of requests to the Container Registry is reduced to just one. Publish timestamps are also accurate, and there is more robust support for multi-architecture images.

This feature is available only on GitLab.com. Self-managed support is blocked until the next-generation Container Registry is generally available. To learn more, see issue 423459.

Rename projects with container images in the container registry on GitLab.com (SaaS only): Container Registry

Before this release, you could not rename a project that had a container repository with at least one tag without having first deleted all container images associated with that project.

This was a real problem that forced users to rely on custom scripts to manually delete/move all tags before a different project name could be used, but now you can rename projects on GitLab.com, even if they have container images in the registry!

Secure
SAST results in MR changes view (SaaS only): SAST

SAST findings now appear in the merge request Changes view. This makes it easier to see, understand, and fix potential weaknesses during the code review process.

Lines containing SAST issues are marked by a symbol beside the gutter. Select the symbol to see the list of issues, then select an issue to see its details.

We've enabled this feature on GitLab.com. We plan to enable the feature flag by default for Self-Managed instances in GitLab 16.8.

Ultimate

7 new features 463 total badges

Use the UI to assign users to custom roles: Permissions

You can now use the UI to assign a custom role to a new user, or change an existing user's role to a custom role. You can do this in any part of the UI where you can currently assign or change a user's role. Previously, you could only do this through the API.

Enforce variables in Scan Execution Policies with the highest precedence: Security Policy Management

CI/CD variable precedence has been improved to first prioritize variables defined in scan execution policies.

As organizations work to meet compliance requirements, a common need is to ensure that security scanners are enabled in business critical applications.

Scan execution policies allow teams to enforce scanners and to define default and custom CI/CD variables. With this enhancement to CI/CD variable precedence, teams can be confident that regardless of how pipelines are triggered, the variables defined with compliance in mind remain intact.

Plan
New drill-down view from Insights report charts: Value Stream Management

With the Insights report you can analyze patterns over time using customizable charts. The new drill-down capability added to the "Bugs created by priority" and "Bugs created by severity" Insights reports allows you to drill down on the Issue analytics report for deeper analysis.

We plan to include this capability in the other Insights reports as a custom option in a later version.

Secure
Support for Continuous Vulnerability Scanning for Dependency Scanning: Software Composition Analysis

Continuous Vulnerability Scanning is now Generally Available. With CVS enabled, your projects are automatically scanned when advisories are added to the GitLab Advisory Database. If new dependency-related vulnerabilities are identified, vulnerabilities are created automatically.

DAST vulnerability check updates: DAST

During the 16.7 release milestone, we enabled the following active checks for browser-based DAST by default:

  • Check 89.1 replaces ZAP checks 40018, 40019, 40020, 40021, 40022, 40024, 40027, 40033, and 90018 and identifies SQL Injection.
  • Check 918.1 replaces ZAP check 40046 and identifies Server Side Request Forgery.
  • Check 98.1 replaces ZAP check 7 and identifies PHP Remote File Inclusion.
  • Check 917.1 replaces ZAP check 90025 and identifies Expression Language Injection.
  • Check 1336.1 replaces ZAP check 90035 and identifies Server-Side Template Injection.

DAST authentication now supports multi-step login forms: DAST

The new DAST_AFTER_LOGIN_ACTIONS variable enables you to provide a list of actions to be executed after login. This allows for multi-step login interactions, for example Azure AD's "Keep Me Signed In" workflow.

Updated SAST rules to reduce false-positive results: SAST

We've updated the default ruleset used in GitLab SAST to provide higher-quality results. We analyzed each rule that was previously included by default, then removed rules that did not provide enough value in most codebases.

The rule changes are included in updated versions of the Semgrep-based GitLab SAST analyzer. This update is automatically applied on GitLab 16.0 or newer unless you've pinned SAST analyzers to a specific version.

Existing scan results from the removed rules are automatically resolved after your pipeline runs a scan with the updated analyzer.

We're working on more SAST rule improvements in epic 10907.

Premium

5 new features 588 total badges

Issues with code more discoverable in advanced search: Global Search

In GitLab 16.7, issues with code have become more discoverable. With advanced search, you can now find issues that contain code snippets and logs in their descriptions.

SAML attribute statements support Microsoft SAML attribute format: User Management

SAML attribute statements now support the Microsoft SAML attribute format, which is in URL form. Previously, self-managed instance administrators had to manually configure attribute statements, and GitLab.com group owners had to add custom attributes to their SAML responses. This change allows both self-managed GitLab and GitLab.com to work with Microsoft without any manual configuration.

Create
GitLab Duo Code Suggestions is generally available: Code Suggestions

GitLab Duo Code Suggestions is now generally available!

GitLab Duo Code Suggestions helps teams create software faster and more efficiently, by completing lines of code and defining and generating logic for functions.

Code Suggestions is built with privacy as a critical foundation. Private, non-public customer code stored in GitLab is not used as training data. Learn about data usage when using Code Suggestions.

In the general release, we've made Code Suggestions available across several IDEs. Code Suggestions is also now more intuitive and responsive.

GitLab Duo Code Suggestions is free to try subject to the GitLab Testing Agreement until February 15, 2024. Starting today, you can buy Code Suggestions as an add-on to GitLab subscriptions for an introductory price of $9 USD per user/per month. Please contact us to get started with Code Suggestions.

Define a network policy with egress rules: Remote Development

In GitLab 16.7, you can now define a network policy with egress rules when you configure the GitLab agent for Kubernetes to support remote development. Use this feature for your self-hosted installation where the GitLab instance resolves to a private IP or when a workspace must access a cloud resource on a private IP range.

Complex merge request dependency chains now supported: Code Review Workflow

GitLab merge request dependencies are a great way to ensure that code changes that rely on other changes aren't merged in a way that could break the codebase. Previously, GitLab didn't allow complex dependency chains, which could result in circular references or deep nesting.

The limitations around dependency hierarchy, and items in the chain, have been removed. Merge request dependencies can now be more complex: a single merge request can be blocked by up to 10 merge requests, and in turn, block up to 10 other merge requests. Deeper dependency chains make it possible to represent more complex workflows via dependencies. We're excited to see how you continue to expand your usage of this feature.

Core

21 new features 2099 total badges

Add a Mastodon handle to your User Profile: User Profile

You can now list your Mastodon handle on the User Profile. With this enhancement we are now supporting a fediverse social network, which will help in advancing ActivityPub for GitLab.

Group descriptions extended to 500 characters: Groups & Projects

Group descriptions can now contain up to 500 characters. If you try to save a group description with more than 500 characters, a warning message appears stating that the description is too long. Thanks to @freznicek for this community contribution!

Search bar more prominent on the search results page: Global Search

The search bar is now more prominent on the search results page. To increase the search bar visibility, the group and project filters have been moved to the left sidebar.

Beta support for OpenTofu: Infrastructure Cost Data

If you're switching from Terraform to OpenTofu, this release of GitLab adds preliminary support for OpenTofu. Because OpenTofu is a fork of Terraform, the MR widget integration, module registry, and GitLab-managed Terraform state work by default. We added support for OpenTofu in the gitlab-terraform helper image to simplify the usage of the GitLab IaC offering.

GitLab continues to support Terraform for the MR widget, module registry, and GitLab-managed Terraform state.

Custom time period for access tokens rotation: System Access

You can now optionally input a new parameter, expires_at, when rotating an access token. This allows you to create a custom expiry date for the token. Previously, each rotation extended the expiration one week from the previous expiry date. This new option provides flexibility in rotation interval.

Backups support alternate compression libraries (self-managed only): Backup/Restore of GitLab instances

You can now override the default single-threaded gzip compression library with an alternate compression library of your choice for backups using the COMPRESS_CMD and DECOMPRESS_CMD commands. This allows you to leverage parallel compression libraries to speed up the compression stage of the backup by using the power of modern multi-core processors. The commands include support for passing options to the compression library allowing you to adjust parameters such as compression levels and speed.

Manage
Customize time format for display: Internationalization

Until now, GitLab only displayed time in 12 hour format, which could not be changed.

From this release, thanks to a community contribution, you can customize the format used to display time in places like issue lists, overview pages or when setting your status. You can display times as:

  • 12 hour format, for example 2:34 PM.
  • 24 hour format, for example 14:34.

Thanks to Thorben Westerhuys for this community contribution!

In the following milestone we will audit all timestamps shown across the GitLab product to make them respect the setting.

Access the Admin Area from the left sidebar: Navigation & Settings

Administrators can now access the Admin Area in one step, by using a link at the bottom of the left sidebar. Previously, you had to select Search or go to and then select Admin Area. This change should save you time when accessing the Admin Area.

Remove hardcoded time limit for migrations to complete: Importers

GitLab groups and project migrations done by direct transfer can become stuck for various reasons. In the past, to avoid leaving these migrations in an incomplete state indefinitely, GitLab periodically executed a worker to identify migrations that hadn't completed within 8 hours. GitLab marked these migrations as timed out.

For large organizations, the migration process can take longer than 8 hours, so this amount of time was not always sufficient to properly determine if a migration was stuck. As a result, this worker might have incorrectly marked a migration as stuck.

In this milestone, instead of using an 8 hour time limit, GitLab now only marks the migration as stuck if the child workers stop working for 24 hours.

Comprehensive results of imports by direct transfer: Importers

Knowing how crucial it is for our users to understand the results of the import process, in this milestone we further improved the information presented for imports by direct transfer. We now display import status badges next to GitLab groups and projects on:

The import status badges are:

  • Not started
  • Pending
  • Importing
  • Failed
  • Timeout
  • Cancelled
  • Complete
  • Partially completed

The Partially completed badge was added in this release and identifies a completed import process that has some items (such as merge requests or issues) not imported.

Groups that an import process was started for have a View details link that shows imported subgroups and projects for that particular group. From there, you can see the list of items that couldn't be imported (if any) by clicking a See failures link. See failures was released in the last release.

In this milestone we also improved navigation with the breadcrumbs between those pages.

Plan
Improvements to rich text editor: Team Planning, Portfolio Management

In GitLab 16.2 we released the rich text editor as an alternative to the existing Markdown editing experience. The rich text editor provides a “what you see is what you get” editing experience and an extensible foundation on which we can build custom editing interfaces for things like diagrams, content embeds, media management, and more.

With GitLab 16.7, we've changed the rich text editor to match the behavior with our Markdown editing experience and fix reported bugs. We've changed the sorting order in the labels autocomplete modal to be consistent between the Markdown and rich-text editor, addressed a bug in the options returned in the unassign quick action in the rich-text editor, added support for custom emojis, and updated the look and feel of the quick action selection dropdown to be consistent in the two editing experiences, among other improvements.

Filter by predefined date ranges in Value Stream Analytics: Value Stream Management

The value stream analytics report now has a set of filter options for data in the last 30, 60, 90, or 180 days. These new filter options simplify the date selection process, making it more efficient and user-friendly to understand where time is spent during the development lifecycle.

Use GitLab Pages without a wildcard DNS (self-managed only): Pages

Previously, to create a GitLab Pages project, you needed a domain formatted like name.example.io or name.pages.example.io. This requirement meant you had to set up wildcard DNS records and SSL/TLS certificates. In GitLab 16.7, you can set up a GitLab Pages project without a DNS wildcard. This feature is an experiment.

Removing the requirement for wildcard certificates eases administrative overhead associated with GitLab Pages. Some customers can't use GitLab Pages because of organizational restrictions on wildcard DNS records or certificates.

We welcome feedback related to this feature in issue 434372.

Create
Add custom emoji to groups: Code Review Workflow, Team Planning

Who doesn't love a good emoji to really express yourself? When commenting on items across GitLab, you've used our default set of emoji to add reactions, but sometimes those emoji just weren't enough to express your emotions. Groups can now add custom emoji to use across their projects. Custom emoji allow you to express your true feelings and communicate more clearly with the rest of your team. We can't wait to see how you'll react next.

Notify me when any merge request needs approval: Code Review Workflow

When your approval is required for a merge request, you need to be notified to take action. Some users only want notifications when their approval is required, which is typically done by adding a user by name to review the changes. However, some users want a notification for any merge request they are eligible to approve, even if they aren't added by name as reviewers.

Enable the Added as approver custom notification level to trigger an email and to-do for each merge request you are eligible to approve. This helps you be aware of merge requests sooner in the process, and take action to get the proposal merged.

Verify
artifacts:public CI/CD keyword now generally available: Build Artifacts

Previously, the artifacts:public keyword was only available as a default disabled feature for self-managed instances. Now in GitLab 16.7 we've made the artifacts:public keyword generally available for all users. You can now use the artifacts:public keyword in CI/CD configuration files to control whether job artifacts should be publicly accessible.

Improved ability to keep the latest job artifacts: Build Artifacts

In GitLab 13.0 we introduced the ability to keep the job artifacts from the most recent successful pipeline. Unfortunately, the feature also marked all failed and blocked pipelines as the latest pipeline regardless of whether they were the most recent or not. This led to a buildup of artifacts in storage which had to be deleted manually.

In GitLab 16.7 the bugs causing this unintended behavior are resolved. Job artifacts from failed and blocked pipelines are only kept if they are from the most recent pipeline, otherwise they will follow the expire_in configuration. Affected GitLab.com customers should see artifacts which were inadvertently kept now unlocked and removed after a new pipeline run.

The Keep artifacts from most recent successful jobs setting overrides the job's artifacts: expire_in configuration and can result in a large number of artifacts stored without expiry. If your pipelines create many large artifacts, they can fill up your project storage quota quickly. We recommend disabling this setting if this feature is not required.

GitLab Runner 16.7: GitLab Runner Core

We’re also releasing GitLab Runner 16.7 today! GitLab Runner is the lightweight, highly-scalable agent that runs your CI/CD jobs and sends the results back to a GitLab instance. GitLab Runner works in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab.

What's new:

Bug Fixes:

The list of all changes is in the GitLab Runner CHANGELOG.

GitLab Runner supports SLSA v1.0 statement: GitLab Runner Core

Runners can now generate provenance metadata with a statement that adheres to SLSA 1.0. To enable SLSA 1.0, set the SLSA_PROVENANCE_SCHEMA_VERSION=v1 variable in the .gitlab-ci.yml file. The SLSA version 1.0 statement is planned to become the default version in GitLab 17.0.
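
A consumer-side check for the statement described above, as an added example (not GitLab's or GitLab Runner's code): it confirms that a parsed statement is in-toto v1 with SLSA v1 provenance, carries the fields SLSA 1.0 requires, and that each downloaded artifact matches a subject digest. The function name, artifact name and sample statements are constructed for illustration; how the runner's metadata file is obtained is left out.

```python
import hashlib

STATEMENT_V1 = "https://in-toto.io/Statement/v1"
PROVENANCE_V1 = "https://slsa.dev/provenance/v1"


def check_slsa_v1(statement, artifacts):
    """Return a list of problems; an empty list means every check passed.

    statement: the parsed JSON statement (dict).
    artifacts: maps artifact name -> raw bytes of the file as downloaded.
    """
    problems = []
    if statement.get("_type") != STATEMENT_V1:
        problems.append("not an in-toto v1 statement: %r" % statement.get("_type"))
    if statement.get("predicateType") != PROVENANCE_V1:
        problems.append("not SLSA v1 provenance: %r" % statement.get("predicateType"))

    # Fields the SLSA v1.0 provenance format marks as required.
    predicate = statement.get("predicate") or {}
    build_def = predicate.get("buildDefinition") or {}
    builder = (predicate.get("runDetails") or {}).get("builder") or {}
    if not build_def.get("buildType"):
        problems.append("missing buildDefinition.buildType")
    if "externalParameters" not in build_def:
        problems.append("missing buildDefinition.externalParameters")
    if not builder.get("id"):
        problems.append("missing runDetails.builder.id")

    # Every artifact about to be trusted must be a subject with the same digest.
    subjects = {}
    for s in statement.get("subject") or []:
        subjects[s.get("name")] = (s.get("digest") or {}).get("sha256")
    for name, data in artifacts.items():
        expected = subjects.get(name)
        if expected is None:
            problems.append("artifact %s is not a subject" % name)
        elif expected.lower() != hashlib.sha256(data).hexdigest():
            problems.append("digest mismatch for %s" % name)
    return problems


# Constructed sample data (not real runner output).
ARTIFACT = b"constructed artifact bytes\n"
SAMPLE_V1 = {
    "_type": STATEMENT_V1,
    "subject": [{"name": "app.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {"buildType": "https://example.invalid/buildtype/v1",
                            "externalParameters": {"entryPoint": "build"}},
        "runDetails": {"builder": {"id": "https://example.invalid/runner/1"}},
    },
}
# Same body relabelled with the older v0.2 identifiers: must be rejected.
SAMPLE_V02 = dict(SAMPLE_V1, _type="https://in-toto.io/Statement/v0.1",
                  predicateType="https://slsa.dev/provenance/v0.2")

if __name__ == "__main__":
    print(check_slsa_v1(SAMPLE_V1, {"app.tar.gz": ARTIFACT}))
    print(check_slsa_v1(SAMPLE_V1, {"app.tar.gz": b"tampered"}))
    print(check_slsa_v1(SAMPLE_V02, {"app.tar.gz": ARTIFACT}))
```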

CI/CD Catalog - Beta release: Pipeline Composition

GitLab 16.7 sees the Beta release of the CI/CD catalog! The catalog is where you can search for CI/CD components maintained by you, your organization, or the public community. This is the place where DevOps engineers come together to create, contribute, and share reusable pipeline configurations.

Unlike other methods of reusing CI/CD configuration, CI/CD components published in the catalog have an improved experience, and are easily added to your pipeline. We invite you to start testing this new and exciting feature! You can try out components that others have created and shared in the catalog, or create your own components and share them with everyone.

While this is our initial beta release of the feature, we continue to work on making the experience even better. Our goal is to make the CI/CD catalog a fundamental part of the GitLab CI/CD experience.

Monitor
Reopen Service Desk issues when an external participant comments: Service Desk

You can now configure GitLab to reopen closed issues when an external participant adds a new comment on an issue by email. This gives you full visibility into ongoing conversations, even after an issue has been resolved.

It also adds an internal comment that mentions the assignees of the issue and creates to-do items for them. This way you can make sure you never miss a follow-up email again.
