init

config/software/postgresql.rb

+#
+# Copyright 2012-2014 Chef Software, Inc.
+# Copyright:: Copyright (c) 2016 GitLab Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'postgresql'
+default_version '14.11'
+
+license 'PostgreSQL'
+license_file 'COPYRIGHT'
+
+skip_transitive_dependency_licensing true
+
+dependency 'zlib'
+dependency 'openssl' unless Build::Check.use_system_ssl?
+dependency 'libedit'
+dependency 'ncurses'
+dependency 'libossp-uuid'
+dependency 'config_guess'
+
+version '14.11' do
+  source sha256: 'a670bd7dce22dcad4297b261136b3b1d4a09a6f541719562aa14ca63bf2968a8'
+end
+
+major_version = '14'
+
+source url: "https://ftp.postgresql.org/pub/source/v#{version}/postgresql-#{version}.tar.bz2"
+
+relative_path "postgresql-#{version}"
+
+build do
+  env = with_standard_compiler_flags(with_embedded_path)
+
+  env['CFLAGS'] << ' -fno-omit-frame-pointer'
+
+  prefix = "#{install_dir}/embedded/postgresql/#{major_version}"
+  update_config_guess(target: 'config')
+
+  patch source: 'no_docs.patch', target: 'GNUmakefile.in'
+
+  command './configure' \
+          " --prefix=#{prefix}" \
+          ' --with-libedit-preferred' \
+          ' --with-openssl' \
+          ' --with-uuid=ossp', env: env
+
+  make "world -j #{workers}", env: env
+  make 'install-world', env: env
+
+  libpq = 'libpq.so.5'
+  link "#{prefix}/lib/#{libpq}", "#{install_dir}/embedded/lib/#{libpq}"
+
+  # NOTE: There are several dependencies which require these files in these
+  # locations and have dependency on `postgresql_new`. So when this block is
+  # changed to be in the `postgresql` software definition for default PG
+  # version changes, change those dependencies to `postgresql`.
+  block 'link bin files' do
+    Dir.glob("#{prefix}/bin/*").each do |bin_file|
+      link bin_file, "#{install_dir}/embedded/bin/#{File.basename(bin_file)}"
+    end
+  end
+end
+
+# exclude headers and static libraries from package
+project.exclude "embedded/postgresql/#{major_version}/include"
+project.exclude "embedded/postgresql/#{major_version}/lib/*.a"
+project.exclude "embedded/postgresql/#{major_version}/lib/pgxs"
+project.exclude "embedded/postgresql/#{major_version}/lib/pkgconfig"

config/software/prometheus.rb

+#
+## Copyright:: Copyright (c) 2014 GitLab.com
+## License:: Apache License, Version 2.0
+##
+## Licensed under the Apache License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+##
+#
+
+require "#{Omnibus::Config.project_root}/lib/gitlab/version"
+require "#{Omnibus::Config.project_root}/lib/gitlab/prometheus_helper"
+
+name 'prometheus'
+version = Gitlab::Version.new('prometheus', '2.53.0')
+default_version version.print
+
+license 'APACHE-2.0'
+license_file 'LICENSE'
+license_file 'NOTICE'
+
+skip_transitive_dependency_licensing true
+
+source git: version.remote
+
+relative_path 'src/github.com/prometheus/prometheus'
+
+build do
+  prometheus_source_dir = "#{Omnibus::Config.source_dir}/prometheus"
+  cwd = "#{prometheus_source_dir}/#{relative_path}"
+  env = {
+    'GOPATH' => prometheus_source_dir,
+    'GO111MODULE' => 'on',
+    'GOTOOLCHAIN' => 'local',
+  }
+
+  prom_version = Prometheus::VersionFlags.new(version)
+
+  patch source: 'rpi-correct-platform.patch' if OhaiHelper.raspberry_pi?
+
+  make 'build', env: env, cwd: cwd
+  command "go build -tags netgo,builtinassets,stringlabels -ldflags '#{prom_version.print_ldflags}' ./cmd/prometheus", env: env, cwd: cwd
+
+  mkdir "#{install_dir}/embedded/bin"
+  copy 'prometheus', "#{install_dir}/embedded/bin/prometheus"
+
+  command "license_finder report --decisions-file=#{Omnibus::Config.project_root}/support/dependency_decisions.yml --format=json --columns name version licenses texts notice --save=license.json"
+  copy "license.json", "#{install_dir}/licenses/prometheus.json"
+end

config/software/psycopg2.rb

+#
+# Copyright:: Copyright (c) 2020 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'psycopg2'
+version = Gitlab::Version.new('psycopg2', '2_8_6')
+default_version version.print(false)
+
+license 'LGPL'
+license_file 'LICENSE'
+
+skip_transitive_dependency_licensing true
+
+source git: version.remote
+
+dependency 'python3'
+dependency 'postgresql'
+
+pg_major_version = '14'
+
+build do
+  env = with_standard_compiler_flags(with_embedded_path)
+
+  # Prepend PostgreSQL's bin directory to the PATH, so that setup.py can find pg_config and build against it
+  env['PATH'] = "#{install_dir}/embedded/postgresql/#{pg_major_version}/bin:#{env['PATH']}"
+
+  command "#{install_dir}/embedded/bin/python3 setup.py build_ext", env: env
+  command "#{install_dir}/embedded/bin/python3 setup.py install", env: env
+end

config/software/python-docutils.rb

+#
+## Copyright:: Copyright (c) 2014-2020 GitLab Inc.
+## License:: Apache License, Version 2.0
+##
+## Licensed under the Apache License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+##
+#
+
+name 'python-docutils'
+
+default_version '0.19'
+
+license 'Public-Domain'
+license_file 'COPYING.txt'
+
+skip_transitive_dependency_licensing true
+
+dependency 'python3'
+
+build do
+  patch source: "license/#{version}/add-license-file.patch"
+  env = with_standard_compiler_flags(with_embedded_path)
+  command "#{install_dir}/embedded/bin/pip3 install --compile docutils==#{version}", env: env
+end

config/software/python3.rb

+#
+# Copyright:: Copyright (c) 2013-2014 Chef Software, Inc.
+# Copyright:: Copyright (c) 2016-2021 GitLab B.V.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'python3'
+# If bumping from 3.9.x to something higher, be sure to update the following files with the new path:
+# files/gitlab-config-template/gitlab.rb.template
+# files/gitlab-cookbooks/gitaly/recipes/enable.rb
+# files/gitlab-cookbooks/gitlab/attributes/default.rb
+# spec/chef/recipes/gitaly_spec.rb
+# spec/chef/recipes/gitlab-rails_spec.rb
+default_version '3.9.17'
+
+dependency 'libedit'
+dependency 'ncurses'
+dependency 'zlib'
+dependency 'openssl' unless Build::Check.use_system_ssl?
+dependency 'bzip2'
+dependency 'libffi'
+dependency 'liblzma'
+dependency 'libyaml'
+
+license 'Python-2.0'
+license_file 'LICENSE'
+
+skip_transitive_dependency_licensing true
+
+source url: "https://www.python.org/ftp/python/#{version}/Python-#{version}.tgz",
+       sha256: '8ead58f669f7e19d777c3556b62fae29a81d7f06a7122ff9bc57f7dd82d7e014'
+
+relative_path "Python-#{version}"
+
+LIB_PATH = %W(#{install_dir}/embedded/lib #{install_dir}/embedded/lib64 #{install_dir}/lib #{install_dir}/lib64 #{install_dir}/libexec).freeze
+
+env = {
+  'CFLAGS' => "-I#{install_dir}/embedded/include -O3 -g -pipe",
+  'LDFLAGS' => "-Wl,-rpath,#{LIB_PATH.join(',-rpath,')} -L#{LIB_PATH.join(' -L')} -I#{install_dir}/embedded/include"
+}
+
+build do
+  # Patches below are a backport of https://github.com/python/cpython/pull/24189
+  patch source: 'readline-3-9.patch'
+
+  # Patch to avoid building nis module in Debian 11. If nis is built, it gets
+  # linked to system `nsl` and `tirpc` libraries and thus fails omnibus
+  # healthcheck in Debian 11 and Ubuntu 22.04.
+  patch source: 'skip-nis-build.patch' if
+    (ohai['platform_family'] =~ /^debian/ && (ohai['platform_version'] =~ /^11/ || ohai['platform_version'] =~ /^12/)) ||
+      (ohai['platform'] =~ /^ubuntu/ && ohai['platform_version'] =~ /^22/)
+
+  with_openssl = ''
+  if (ohai['platform'] =~ /^amzn/ || ohai['platform'] =~ /^amazon/) && (ohai['platform_version'] == "2023")
+    patch source: 'custom-openssl.patch'
+    with_openssl = "--with-openssl=/usr/local/openssl"
+  end
+
+  command ['./configure',
+           "--prefix=#{install_dir}/embedded",
+           '--enable-shared',
+           '--with-readline=editline',
+           with_openssl,
+           '--with-dbmliborder='].join(' '), env: env
+  make env: env
+  make 'install', env: env
+
+  delete("#{install_dir}/embedded/lib/python3.9/lib-dynload/dbm.*")
+  delete("#{install_dir}/embedded/lib/python3.9/lib-dynload/_sqlite3.*")
+  delete("#{install_dir}/embedded/lib/python3.9/test")
+  command "find #{install_dir}/embedded/lib/python3.9 -name '__pycache__' -type d -print -exec rm -r {} +"
+end
+
+project.exclude "embedded/bin/python3*-config"

config/software/rb-readline.rb

+#
+# Copyright 2012-2022 Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "#{Omnibus::Config.project_root}/lib/gitlab/version"
+
+name 'rb-readline'
+version = Gitlab::Version.new('rb-readline', 'master')
+default_version 'master'
+
+license 'BSD-3-Clause'
+license_file 'LICENSE'
+
+skip_transitive_dependency_licensing true
+
+dependency 'ruby'
+dependency 'rubygems'
+
+source git: version.remote
+
+build do
+  env = with_embedded_path
+
+  ruby 'setup.rb', env: env
+end

config/software/redis-exporter.rb

+#
+## Copyright:: Copyright (c) 2014 GitLab.com
+## License:: Apache License, Version 2.0
+##
+## Licensed under the Apache License, Version 2.0 (the 'License');
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an 'AS IS' BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+##
+#
+
+require "#{Omnibus::Config.project_root}/lib/gitlab/version"
+require 'time'
+
+name 'redis-exporter'
+version = Gitlab::Version.new('redis-exporter', '1.61.0')
+default_version version.print
+
+license 'MIT'
+license_file 'LICENSE'
+
+source git: version.remote
+
+relative_path 'src/github.com/oliver006/redis_exporter'
+
+build do
+  env = {
+    'GOPATH' => "#{Omnibus::Config.source_dir}/redis-exporter",
+    'GO111MODULE' => 'on',
+    'GOTOOLCHAIN' => 'local',
+  }
+
+  ldflags = [
+    "-X main.BuildVersion=#{version.print(false)}",
+    "-X main.BuildDate=''",
+    "-X main.BuildCommitSha=''",
+    "-s",
+    "-w"
+  ].join(' ')
+
+  command "go build -ldflags '#{ldflags}'", env: env
+
+  mkdir "#{install_dir}/embedded/bin"
+  copy 'redis_exporter', "#{install_dir}/embedded/bin/"
+
+  command "license_finder report --enabled-package-managers godep gomodules --decisions-file=#{Omnibus::Config.project_root}/support/dependency_decisions.yml --format=json --columns name version licenses texts notice --save=license.json"
+  copy "license.json", "#{install_dir}/licenses/redis-exporter.json"
+end

config/software/redis.rb

+#
+# Copyright 2012-2014 Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+require "#{Omnibus::Config.project_root}/lib/gitlab/ohai_helper.rb"
+
+name 'redis'
+
+license 'BSD-3-Clause'
+license_file 'COPYING'
+
+skip_transitive_dependency_licensing true
+
+dependency 'config_guess'
+dependency 'openssl' unless Build::Check.use_system_ssl?
+
+version = Gitlab::Version.new('redis', '7.0.15')
+default_version version.print(false)
+
+source git: version.remote
+
+# libatomic is a runtime_dependency of redis for armhf/aarch64 platforms
+if OhaiHelper.arm?
+  whitelist_file "#{install_dir}/embedded/bin/redis-benchmark"
+  whitelist_file "#{install_dir}/embedded/bin/redis-check-aof"
+  whitelist_file "#{install_dir}/embedded/bin/redis-check-rdb"
+  whitelist_file "#{install_dir}/embedded/bin/redis-cli"
+  whitelist_file "#{install_dir}/embedded/bin/redis-server"
+end
+
+build do
+  env = with_standard_compiler_flags(with_embedded_path).merge(
+    'PREFIX' => "#{install_dir}/embedded"
+  )
+
+  env['CFLAGS'] << ' -fno-omit-frame-pointer'
+  env['LDFLAGS'] << ' -latomic' if OhaiHelper.raspberry_pi?
+
+  # jemallocs page size must be >= to the runtime pagesize
+  # Use large for arm/newer platforms based on debian rules:
+  # https://salsa.debian.org/debian/jemalloc/-/blob/c0a88c37a551be7d12e4863435365c9a6a51525f/debian/rules#L8-23
+  env['EXTRA_JEMALLOC_CONFIGURE_FLAGS'] = (OhaiHelper.arm64? ? '--with-lg-page=16' : '--with-lg-page=12')
+
+  patch source: 'jemalloc-extra-config-flags.patch'
+
+  update_config_guess
+
+  make_args = ['BUILD_TLS=yes']
+  make_args << 'uname_M=armv6l' if OhaiHelper.raspberry_pi?
+  make "-j #{workers} #{make_args.join(' ')}", env: env
+  make 'install', env: env
+end

config/software/registry.rb

+#
+## Copyright:: Copyright (c) 2016 GitLab Inc.
+## License:: Apache License, Version 2.0
+##
+## Licensed under the Apache License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+##
+#
+
+require "#{Omnibus::Config.project_root}/lib/gitlab/version"
+
+name 'registry'
+version = Gitlab::Version.new('registry', 'v4.6.0-gitlab')
+
+default_version version.print(false)
+display_version version.print(false).delete_suffix('-gitlab')
+
+license 'Apache-2.0'
+license_file 'LICENSE'
+
+source git: version.remote
+
+relative_path 'src/github.com/docker/distribution'
+
+build do
+  registry_source_dir = "#{Omnibus::Config.source_dir}/registry"
+  cwd = "#{registry_source_dir}/#{relative_path}"
+  env = {
+    'GOPATH' => registry_source_dir,
+    'BUILDTAGS' => 'include_gcs include_oss',
+    'GOTOOLCHAIN' => 'local',
+  }
+
+  make "build", env: env, cwd: cwd
+  make "binaries", env: env, cwd: cwd
+  move "#{cwd}/bin/*", "#{install_dir}/embedded/bin", force: true
+
+  command "license_finder report --enabled-package-managers godep gomodules dep --decisions-file=#{Omnibus::Config.project_root}/support/dependency_decisions.yml --format=json --columns name version licenses texts notice --save=license.json"
+  copy "license.json", "#{install_dir}/licenses/registry.json"
+end

config/software/rsync.rb

+#
+# Copyright 2012-2014 Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'rsync'
+
+default_version '3.2.7'
+
+license 'GPL v3'
+license_file 'COPYING'
+
+skip_transitive_dependency_licensing true
+
+dependency 'popt'
+
+version '3.2.7' do
+  source sha256: '4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb'
+end
+
+source url: "https://rsync.samba.org/ftp/rsync/src/rsync-#{version}.tar.gz"
+
+relative_path "rsync-#{version}"
+
+build do
+  env = with_standard_compiler_flags(with_embedded_path)
+
+  command './configure' \
+          " --prefix=#{install_dir}/embedded" \
+          " --disable-iconv" \
+          " --disable-xxhash" \
+          " --disable-zstd" \
+          " --disable-lz4" \
+          , env: env
+
+  make "-j #{workers}", env: env
+  make 'install', env: env
+end

config/software/ruby-grpc.rb

+#
+# Copyright:: Copyright (c) 2017-2022 GitLab Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'ruby-grpc'
+description 'Reinstalls Ruby grpc gem with system OpenSSL'
+default_version '0.0.1'
+
+license :project_license
+
+skip_transitive_dependency_licensing true
+
+dependency 'ruby'
+
+build do
+  block 're-install grpc gem with system OpenSSL' do
+    env = with_standard_compiler_flags(with_embedded_path)
+    gem_bin = embedded_bin('gem')
+    command = %(#{embedded_bin('ruby')} -e "puts Gem::Specification.select { |x| x.name == 'grpc' }.map(&:version).uniq.map(&:to_s)")
+    grpc_versions = shellout!(command).stdout || ""
+    grpc_versions = grpc_versions.split("\n").map(&:strip)
+
+    raise 'No gRPC versions installed, failing build' if grpc_versions.empty?
+
+    warn "Multiple versions of gRPC found: #{grpc_versions.join(', ')}" if grpc_versions.length > 1
+
+    patches = {}
+
+    grpc_versions.each do |version|
+      source =
+        # https://github.com/grpc/grpc/pull/27660 significantly changed the extconf.rb for TruffleRuby
+        if Gem::Version.new(version) < Gem::Version.new('1.48.0')
+          'grpc-system-ssl-1.42.0.patch'
+        else
+          'grpc-system-ssl-1.48.0.patch'
+        end
+
+      _locations, patch_path = find_file('config/patches', source)
+      patches[version] = patch_path
+    end
+
+    shellout!("#{gem_bin} install --no-document gem-patch -v 0.1.6")
+    shellout!("#{gem_bin} uninstall --force --all grpc")
+
+    grpc_versions.each do |version|
+      patch_path = patches[version]
+      gemfile = "grpc-#{version}.gem"
+      shellout!("rm -f #{gemfile}")
+      shellout!("#{gem_bin} fetch grpc -v #{version} --platform ruby")
+      shellout!("#{gem_bin} patch -p1 #{gemfile} #{patch_path}")
+      shellout!("#{gem_bin} install --platform ruby --no-document #{gemfile}", env: env)
+    end
+
+    shellout!("#{gem_bin} uninstall gem-patch")
+  end
+end

config/software/ruby.rb

+#
+# Copyright 2012-2016 Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'ruby'
+license 'BSD-2-Clause'
+license_file 'BSDL'
+license_file 'COPYING'
+license_file 'LEGAL'
+
+skip_transitive_dependency_licensing true
+
+# Follow the Ruby upgrade guide when changing the ruby version
+# link: https://docs.gitlab.com/ee/development/ruby_upgrade.html
+current_ruby_version = Gitlab::Util.get_env('RUBY_VERSION') || '3.1.5'
+
+# NOTE: When this value is updated, flip `USE_NEXT_RUBY_VERSION_IN_*` variable
+# to false to avoid surprises.
+next_ruby_version = Gitlab::Util.get_env('NEXT_RUBY_VERSION') || '3.2.4'
+
+# MRs targeting stable branches should use current Ruby version and ignore next
+# Ruby version. Also, we provide `USE_SPECIFIED_RUBY_VERSION` variable to force
+# usage of specified Ruby version.
+if Gitlab::Util.get_env('USE_SPECIFIED_RUBY_VERSION') == "true" || Gitlab::Util.get_env('CI_MERGE_REQUEST_TARGET_BRANCH_NAME')&.match?(/^\d+-\d+-stable$/)
+  default_version current_ruby_version
+# Regular branch builds are switched to newer Ruby version first. So once the
+# `NEXT_RUBY_VERSION` variable is updated, regular branches (master and feature
+# branches) start bundling that version of Ruby. Because nightlies are also
+# technically regular branch builds and because they get auto-deployed to
+# dev.gitlab.org, we provide a variable `USE_NEXT_RUBY_VERSION_IN_NIGHTLY` to
+# control it.
+elsif (Build::Check.on_regular_branch? && !Build::Check.is_nightly?) || (Build::Check.is_nightly? && Gitlab::Util.get_env('USE_NEXT_RUBY_VERSION_IN_NIGHTLY') == "true")
+  default_version next_ruby_version
+# Once feature branches and nightlies have switched to newer Ruby version and
+# we are ready to switch auto-deploy releases to GitLab.com to the new
+# version, flip the `USE_NEXT_RUBY_VERSION_IN_AUTODEPLOY` to `true`
+elsif Build::Check.is_auto_deploy_tag? && Gitlab::Util.get_env('USE_NEXT_RUBY_VERSION_IN_AUTODEPLOY') == "true"
+  default_version next_ruby_version
+# Once we see new Ruby version running fine in GitLab.com, set new Ruby version
+# as `current_ruby_version` so that they get used in stable branches and tag
+# builds. This change marks "Switch Ruby to new version" as complete.
+else
+  default_version current_ruby_version
+end
+
+fips_enabled = Build::Check.use_system_ssl?
+
+dependency 'zlib'
+dependency 'openssl' unless Build::Check.use_system_ssl?
+dependency 'libffi'
+dependency 'libyaml'
+# Needed for chef_gem installs of (e.g.) nokogiri on upgrades -
+# they expect to see our libiconv instead of a system version.
+dependency 'libiconv'
+dependency 'jemalloc'
+
+version('3.0.6') { source sha256: '6e6cbd490030d7910c0ff20edefab4294dfcd1046f0f8f47f78b597987ac683e' }
+version('3.1.4') { source sha256: 'a3d55879a0dfab1d7141fdf10d22a07dbf8e5cdc4415da1bde06127d5cc3c7b6' }
+version('3.1.5') { source sha256: '3685c51eeee1352c31ea039706d71976f53d00ab6d77312de6aa1abaf5cda2c5' }
+version('3.2.3') { source sha256: 'af7f1757d9ddb630345988139211f1fd570ff5ba830def1cc7c468ae9b65c9ba' }
+version('3.2.4') { source sha256: 'c72b3c5c30482dca18b0f868c9075f3f47d8168eaf626d4e682ce5b59c858692' }
+
+source url: "https://cache.ruby-lang.org/pub/ruby/#{version.match(/^(\d+\.\d+)/)[0]}/ruby-#{version}.tar.gz"
+
+relative_path "ruby-#{version}"
+
+env = with_standard_compiler_flags(with_embedded_path)
+
+# Ruby will compile out the OpenSSL dyanmic checks for FIPS when
+# OPENSSL_FIPS is not defined. RedHat always defines this macro in
+# /usr/include/openssl/opensslconf-x86_64.h, but Ubuntu does not do
+# this.
+env['CFLAGS'] << " -DOPENSSL_FIPS" if Build::Check.use_system_ssl?
+
+env['CFLAGS'] << ' -O3 -g -pipe'
+
+# Workaround for https://bugs.ruby-lang.org/issues/19161
+env['CFLAGS'] << ' -std=gnu99' if OhaiHelper.get_centos_version.to_i == 7 || OhaiHelper.os_platform == 'sles'
+
+build do
+  env['CFLAGS'] << ' -fno-omit-frame-pointer'
+  # Fix for https://bugs.ruby-lang.org/issues/18409. This can be removed with Ruby 3.0+.
+  env['LDFLAGS'] << ' -Wl,--no-as-needed'
+
+  # disable libpath in mkmf across all platforms, it trolls omnibus and
+  # breaks the postgresql cookbook.  i'm not sure why ruby authors decided
+  # this was a good idea, but it breaks our use case hard.  AIX cannot even
+  # compile without removing it, and it breaks some native gem installs on
+  # other platforms.  generally you need to have a condition where the
+  # embedded and non-embedded libs get into a fight (libiconv, openssl, etc)
+  # and ruby trying to set LD_LIBRARY_PATH itself gets it wrong.
+  if version.satisfies?('>= 2.1')
+    patch source: 'ruby-mkmf.patch', plevel: 1, env: env
+    # should intentionally break and fail to apply on 2.2, patch will need to
+    # be fixed.
+  end
+
+  # Two patches:
+  # 1. Enable custom patch created by ayufan that allows to count memory allocations
+  #    per-thread. This is asked to be upstreamed as part of https://github.com/ruby/ruby/pull/3978
+  # 2. Backport Ruby upstream patch to fix seg faults in libxml2/Nokogiri: https://bugs.ruby-lang.org/issues/19580
+  #    This has been merged for Ruby 3.2.3 and backported to 3.1.5.
+  patches = if version.satisfies?('>= 3.2.3') || version.satisfies?(['>= 3.1.5', '< 3.2.0'])
+              %w[thread-memory-allocations]
+            else
+              %w[thread-memory-allocations fix-ruby-xfree-for-libxml2]
+            end
+
+  # Due to https://bugs.ruby-lang.org/issues/20451, this patch is needed
+  # to compile Ruby 3.1.5 on platforms with libffi < 3.2. This patch pulls in
+  # https://github.com/ruby/ruby/pull/10696.
+  patches += %w[fiddle-closure] if version.satisfies?('= 3.1.5')
+
+  ruby_version = Gem::Version.new(version).canonical_segments[0..1].join('.')
+
+  patches.each do |patch_name|
+    patch source: "#{patch_name}-#{ruby_version}.patch", plevel: 1, env: env
+  end
+
+  # copy_file_range() has been disabled on recent RedHat kernels:
+  # 1. https://gitlab.com/gitlab-org/gitlab/-/issues/218999
+  # 2. https://bugs.ruby-lang.org/issues/16965
+  # 3. https://bugzilla.redhat.com/show_bug.cgi?id=1783554
+  patch source: 'ruby-disable-copy-file-range.patch', plevel: 1, env: env if version.start_with?('2.7') && (centos? || rhel?)
+
+  configure_command = ['--with-out-ext=dbm,readline',
+                       '--enable-shared',
+                       '--with-jemalloc',
+                       '--disable-install-doc',
+                       '--without-gmp',
+                       '--without-gdbm',
+                       '--without-tk',
+                       '--disable-dtrace']
+  configure_command << '--with-ext=psych' if version.satisfies?('< 2.3')
+  configure_command << '--with-bundled-md5' if fips_enabled
+
+  configure_command << %w(host target build).map { |w| "--#{w}=#{OhaiHelper.gcc_target}" } if OhaiHelper.raspberry_pi?
+
+  configure_command << "--with-opt-dir=#{install_dir}/embedded"
+
+  configure(*configure_command, env: env)
+  make "-j #{workers}", env: env
+  make "-j #{workers} install", env: env
+end

config/software/rubygems.rb

+#
+# Copyright 2016-2023 GitLab Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'rubygems'
+default_version '3.5.11'
+
+license 'MIT'
+license_file 'LICENSE.txt'
+
+skip_transitive_dependency_licensing true
+
+dependency 'ruby'
+
+build do
+  patch source: "license/add-license-file.patch"
+  env = with_standard_compiler_flags(with_embedded_path)
+
+  gem "update --no-document --system #{version}", env: env
+end

config/software/runit.rb

+#
+# Copyright 2012-2014 Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'runit'
+default_version '2.1.2'
+
+license 'BSD-3-Clause'
+license_file '../package/COPYING'
+
+skip_transitive_dependency_licensing true
+
+version '2.1.2' do
+  source sha256: '6fd0160cb0cf1207de4e66754b6d39750cff14bb0aa66ab49490992c0c47ba18'
+end
+
+source url: "http://smarden.org/runit/runit-#{version}.tar.gz"
+
+relative_path "admin/runit-#{version}/src"
+
+build do
+  # Patch runit to not consider status of log service associated with a service
+  # on determining output of status command. For details, check
+  # https://gitlab.com/gitlab-org/omnibus-gitlab/issues/4008
+  patch source: 'log-status.patch'
+
+  env = with_standard_compiler_flags(with_embedded_path)
+
+  # Put runit where we want it, not where they tell us to
+  command 'sed -i -e "s/^char\ \*varservice\ \=\"\/service\/\";$/char\ \*varservice\ \=\"' + install_dir.gsub('/', '\\/') + '\/service\/\";/" sv.c', env: env
+
+  # TODO: the following is not idempotent
+  command 'sed -i -e s:-static:: Makefile', env: env
+
+  # Build it
+  make env: env
+  make 'check', env: env
+
+  # Move it
+  mkdir "#{install_dir}/embedded/bin"
+  copy "#{project_dir}/chpst",      "#{install_dir}/embedded/bin"
+  copy "#{project_dir}/runit",      "#{install_dir}/embedded/bin"
+  copy "#{project_dir}/runit-init", "#{install_dir}/embedded/bin"
+  copy "#{project_dir}/runsv",      "#{install_dir}/embedded/bin"
+  copy "#{project_dir}/runsvchdir", "#{install_dir}/embedded/bin"
+  copy "#{project_dir}/runsvdir",   "#{install_dir}/embedded/bin"
+  copy "#{project_dir}/sv",         "#{install_dir}/embedded/bin"
+  copy "#{project_dir}/svlogd",     "#{install_dir}/embedded/bin"
+  copy "#{project_dir}/utmpset",    "#{install_dir}/embedded/bin"
+
+  erb source: 'runsvdir-start.erb',
+      dest: "#{install_dir}/embedded/bin/runsvdir-start",
+      mode: 0755,
+      vars: { install_dir: install_dir }
+
+  # Setup service directories
+  touch "#{install_dir}/service/.gitkeep"
+  touch "#{install_dir}/sv/.gitkeep"
+  touch "#{install_dir}/init/.gitkeep"
+end

config/software/spam-classifier.rb

+#
+## Copyright:: Copyright (c) 2021 GitLab Inc.
+## License:: Apache License, Version 2.0
+##
+## Licensed under the Apache License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+##
+#
+
+name 'spam-classifier'
+
+default_version '0.3.0'
+source url: "https://glsec-spamcheck-ml-artifacts.storage.googleapis.com/spam-classifier/#{version}/linux.tar.gz",
+       sha256: 'c9f7e147d195a45e32c35765e138e006e7636218f8c4413e67d0cef5513335a8'
+
+license 'proprietary'
+license_file 'LICENSE.md'
+
+build do
+  mkdir "#{install_dir}/embedded/service/spam-classifier"
+  sync './', "#{install_dir}/embedded/service/spam-classifier/", exclude: %w(dist tokenizer.pickle)
+  copy "dist", "#{install_dir}/embedded/service/spam-classifier/preprocessor"
+  copy "tokenizer.pickle", "#{install_dir}/embedded/service/spam-classifier/preprocessor/"
+end

config/software/spamcheck.rb

+#
+## Copyright:: Copyright (c) 2021 GitLab Inc.
+## License:: Apache License, Version 2.0
+##
+## Licensed under the Apache License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+##
+#
+
+name 'spamcheck'
+version = Gitlab::Version.new('spamcheck', '0.3.2')
+
+default_version version.print
+
+license 'MIT'
+license_file 'LICENSE'
+
+dependency 'libtensorflow_lite'
+
+source git: version.remote
+
+relative_path 'src/gitlab-org/spamcheck'
+
+build do
+  env = with_standard_compiler_flags(with_embedded_path)
+  env['GOPATH'] = "#{Omnibus::Config.source_dir}/spamcheck"
+  env['PATH'] = "#{env['PATH']}:#{env['GOPATH']}/bin"
+  env['GOTOOLCHAIN'] = 'local'
+
+  mkdir "#{install_dir}/embedded/service"
+  mkdir "#{install_dir}/embedded/bin"
+  sync './', "#{install_dir}/embedded/service/spamcheck/", exclude: %w(
+    _support
+    build
+    config
+    docs
+    examples
+    tests
+    tools
+  )
+
+  env['CGO_CFLAGS'] = env['CFLAGS'].dup
+  env['CGO_CPPFLAGS'] = env['CPPFLAGS'].dup
+  env['CGO_CXXFLAGS'] = env['CXXFLAGS'].dup
+  env['CGO_LDFLAGS'] = env['LDFLAGS'].dup
+
+  make 'build', env: env
+  move 'spamcheck', "#{install_dir}/embedded/bin/spamcheck"
+end

config/software/unzip.rb

+#
+## Copyright:: Copyright (c) 2016 GitLab Inc
+## License:: Apache License, Version 2.0
+##
+## Licensed under the Apache License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+##
+#
+
+name 'unzip'
+
+# Version tied to Debian's release, not downloaded source version.
+default_version '6.0.27'
+
+license 'Info-ZIP'
+license_file 'LICENSE'
+
+skip_transitive_dependency_licensing true
+
+# We download the pure 6.0 source code and then apply all of Debian's
+# patches and track to their version for CVE and security validation.
+source url: 'https://downloads.sourceforge.net/project/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/unzip60.tar.gz',
+       sha256: '036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37'
+
+relative_path 'unzip60'
+
+build do
+  env = with_standard_compiler_flags(with_embedded_path)
+
+  # This software follows Debian as an upstream to ensure CVEs are resolved
+  # and automatic scanners can detect the updated versions with fixes.
+  #
+  # If new patches are applied, ensure that the `default_version` above is
+  # updated to match the new upstream version number.
+  #
+  # Check for newer versions at https://sources.debian.org/src/unzip/
+  #
+  # Check in `debian/patches` and `debian/changelog` for patch files.
+  patch source: '01-manpages-in-section-1-not-in-section-1l.patch'
+  # Replaces Debian upstream's 02 patch which is branding for who maintains
+  # the final package build from this source stream.
+  patch source: '0-gitlab-source.patch'
+  patch source: '03-include-unistd-for-kfreebsd.patch'
+  patch source: '04-handle-pkware-verification-bit.patch'
+  patch source: '05-fix-uid-gid-handling.patch'
+  patch source: '06-initialize-the-symlink-flag.patch'
+  # Resolves CVE-2018-18384
+  # See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741384
+  patch source: '07-increase-size-of-cfactorstr.patch'
+  patch source: '08-allow-greater-hostver-values.patch'
+  patch source: '09-cve-2014-8139-crc-overflow.patch'
+  patch source: '10-cve-2014-8140-test-compr-eb.patch'
+  patch source: '11-cve-2014-8141-getzip64data.patch'
+  patch source: '12-cve-2014-9636-test-compr-eb.patch'
+  patch source: '13-remove-build-date.patch'
+  patch source: '14-cve-2015-7696.patch'
+  patch source: '15-cve-2015-7697.patch'
+  patch source: '16-fix-integer-underflow-csiz-decrypted.patch'
+  patch source: '17-restore-unix-timestamps-accurately.patch'
+  patch source: '18-cve-2014-9913-unzip-buffer-overflow.patch'
+  patch source: '19-cve-2016-9844-zipinfo-buffer-overflow.patch'
+  patch source: '20-cve-2018-1000035-unzip-buffer-overflow.patch'
+  patch source: '21-fix-warning-messages-on-big-files.patch'
+  patch source: '22-cve-2019-13232-fix-bug-in-undefer-input.patch'
+  patch source: '23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch'
+  patch source: '24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch'
+  patch source: '25-cve-2019-13232-fix-bug-in-uzbunzip2.patch'
+  patch source: '26-cve-2019-13232-fix-bug-in-uzinflate.patch'
+  patch source: '27-zipgrep-avoid-test-errors.patch'
+  patch source: '28-cve-2022-0529-and-cve-2022-0530.patch'
+
+  make '-f unix/Makefile clean', env: env
+  make "-j #{workers} -f unix/Makefile generic", env: env
+  make "-f unix/Makefile prefix=#{install_dir}/embedded install", env: env
+end

config/software/version-manifest.rb

+#
+# Copyright 2012-2014 Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'version-manifest'
+description 'generates a version manifest file'
+default_version '0.0.1'
+
+license :project_license
+
+skip_transitive_dependency_licensing true
+
+build do
+  block do
+    File.open("#{install_dir}/version-manifest.txt", 'w') do |f|
+      f.puts "#{project.name} #{project.build_version}"
+      f.puts ''
+      f.puts Omnibus::Reports.pretty_version_map(project)
+    end
+  end
+end

config/software/zlib.rb

+#
+# Copyright 2012-2018 Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name 'zlib'
+version = Gitlab::Version.new('zlib', 'v1.3.1')
+default_version version.print(false)
+
+source git: version.remote
+
+license 'Zlib'
+license_file 'README'
+skip_transitive_dependency_licensing true
+
+build do
+  env = with_standard_compiler_flags
+
+  # Default from `configure` in upstream zlib
+  env['CFLAGS'] << ' -O3'
+
+  # Enable frame-pointers to support profiling processes that
+  # call this library's functions.
+  env['CFLAGS'] << ' -fno-omit-frame-pointer'
+
+  configure env: env
+
+  make "-j #{workers}", env: env
+  make "-j #{workers} install", env: env
+end

config/templates/gitaly/gitlab_shell_hooks_wrapper.erb

+#!<%= install_dir %>/embedded/bin/ruby --disable-gems
+
+<%= script %>