whitelist_headers support added in 1.48.0:
https://github.com/aws/aws-sdk-ruby/blob/master/gems/aws-sdk-s3/CHANGELOG.md#1480-2019-08-30

* Update `fixture_file_upload` documentation to reflect recent changes. [ci skip]

* Friendlier deprecation message for `fixture_file_upload`.

Suggested change now can be copied and pasted into the code without modification.

Fix references in the form builders guide [ci skip]

I caught two references that seemed inconsistent:

1. In section 2.2 Binding a Form to an Object, the code snippet variable was called `form`, but in the bullet points below, it was referenced as `f`.
2. In section 6 Uploading Files, the references to the params hash returned by two different forms was incorrect.

Unify the query values normalization for multiple values

That test requires Marshal is prepended by `MarshalWithAutoloading`.

Use DidYouMean for ActionNotFound

Currently the query values normalization for multiple values is missing
some parts.

Some values are flatten, but others are not flatten.
Some values are compact, but others are not compact.
some values are compact_blank, but others are not compact_blank.

Originally all multiple values should be flatten and compact_blank
before `build_arel`, if it is not ensured which multiple values are
normalized or not, we need to normalize it again carefully and
conservatively in `build_arel`.

To unify the query values normalization for multiple values, ensure the
normalization in `check_if_method_has_arguments!` since all multiple
values should be checked by the method.

* master-sec:
  Check that request is same-origin prior to including CSRF token in XHRs
  HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
  activesupport: Avoid Marshal.load on raw cache value in RedisCacheStore
  activesupport: Avoid Marshal.load on raw cache value in MemCacheStore
  Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
  Include Content-Length in signature for ActiveStorage direct upload

If an action isn't found on a controller we can suggest similar actions:

```
The action 'indx' could not be found for SimpleController
Did you mean?  index
```

Fix merging NOT IN clause to behave the same as before

`HomogeneousIn` has changed merging behavior for NOT IN clause from
before. This changes `equality?` to return true only if `type == :in` to
restore the original behavior.

Should not substitute binds when `prepared_statements: true`

Support merging option `:rewhere` to allow mergee side condition to be replaced exactly

Related #39236.

`relation.merge` method sometimes replaces mergee side condition, but
sometimes maintain both conditions unless `relation.rewhere` is used.

It is very hard to predict merging result whether mergee side condition
will be replaced or not.

One existing way is to use `relation.rewhere` for merger side relation,
but it is also hard to predict a relation will be used for `merge` in
advance, except one-time relation for `merge`.

To address that issue, I propose to support merging option `:rewhere`,
to allow mergee side condition to be replaced exactly.

That option will allow non-`rewhere` relation behaves as `rewhere`d
relation.

```ruby
david_and_mary = Author.where(id: david.id..mary.id)

# both conflict conditions exists
david_and_mary.merge(Author.where(id: bob)) # => []

# mergee side condition is replaced by rewhere
david_and_mary.merge(Author.rewhere(id: bob)) # => [bob]

# mergee side condition is replaced by rewhere option
david_and_mary.merge(Author.where(id: bob), rewhere: true) # => [bob]
```

Fix update with dirty locking column to not match latest object accidentally

Fix rename column in bulk alter table for PostgreSQL

PostgreSQL doesn't support rename column operation in bulk alter table.

Fixes #39322.

Related #32163.

We should not identify an object by dirty value. If do so, accidentally
matches latest object even though it is a stale object.

Skip interpolated strings in AV::Digestor

Unless explicitly intend to behave it differently from the superclass.

Use DidYouMean for AssociationNotFoundError

Avoid allocating extra hash and arrays when as_json is called without options

Co-authored-by: NEugene Kenny <elkenny@gmail.com>

If an association isn't found we can suggest matching associations:

```
Post.all.merge!(includes: :monkeys).find(6)

Association named 'monkeys' was not found on Post; perhaps you misspelled it?
Did you mean?  funky_tags
               comments
               images
               skimmers
```

In aggregation value's type cast, `klass.attribute_types.fetch(...)`
will find no type almost all cases, since any type is already returned
by `column.type_caster` in that case.
And also, the root of join dependency tree is also the model's `klass`,
so the explicit `klass.attribute_types` is redundant originally.

Add support for finding records based on signed ids, which are tamper-proof, verified ids that can be set to expire and scoped with a purpose. This is particularly useful for things like password reset or email verification, where you want the bearer of the signed id to be able to interact with the underlying record, but usually only within a certain time period.

Otherwise `@_defer_touch_attrs` is touched again with old `@_touch_time`
in `before_committed!`.

* Use app:binstub:yarn in Action Text install generator

Remove `sync_with_transaction_state` to simplify code base

* Add default ENV variable option with BACKTRACE to turn off backtrace cleaning when debugging framework code

* Use runner as the example

Although I think we should consider dropping -b in tests and just relying on this more general option for sidestepping the backtrace cleaner.

This also removes the `if @transaction_state&.finalized?` guard which is
harder to understand optimization introduced at #36049. The guard is
faster enough though, but removing that will make attribute access about
2% ~ 4% faster, and will make code base to ease to maintain.

`sync_with_transaction_state` was introduced at #9068 to address memory
bloat when creating lots of AR objects inside a transaction.

I've found #18638 the same design of this to address memory bloat, but
this differs from #18638 in that it will allocate one `WeakMap` object
only when explicit transaction, no extra allocation for implicit
transaction.

Executable script to reproduce memory bloat:

https://gist.github.com/kamipo/36d869fff81cf878658adc26ee38ea1b
https://github.com/rails/rails/issues/15549#issuecomment-46035848

I can see no memory concern with this.
Co-authored-by: NArthur Neves <arthurnn@gmail.com>

Co-authored-by: NHaroon Ahmed <haroon.ahmed25@gmail.com>