Add configuration step for protecting tags

Why is this change being made?

This MR adds a step for configuring Protected tags in secure projects to the guidelines originally added in Add guidance for secure project configuration (!5540 - merged) • Adam Cohen • 17.1.

This is in response to some confusion we recently ran into with a secure project:

Meir Benayoun
Hey,
That's me ... again 😯
I need some help to understand what happened here

• MR with new CHANGELOG entry was merged
  
• It triggered 2 pipelines
  
• The first one is releasing tag edge, and push it to local container registry and also to $SEC_REGISTRY_IMAGE, as expected 🙂
  
• The second one is releasing to major, minor, patch and latest to local registry, BUT skips the $SEC_REGISTRY_IMAGE 🤔
  

How is it possible that the same condition is met in the first one and not in the second one?

if [[ -n "$SEC_REGISTRY_IMAGE" && \
      -n "$SEC_REGISTRY_PASSWORD" && \
      -n "$SEC_REGISTRY_USER" ]]
then

Those 3 are defined as CI/CD variables, and should have the same value in both pipeline!
Right?
Where is the catch??

Adam Cohen

Meir this is what happened:

1. You merged Release v0.0.6. This kicked off a merge pipeline
   

2. The merge pipeline executed the upsert-git-tag job which created a new git tag and release for the analyzer: https://gitlab.com/gitlab-org/security-products/analyzers/gitlab-advanced-sast-src/-/jobs/7036555531
   

3. When a git tag is created, a new git tag pipeline is executed by the analyzer-automated-pipeline-management bot: https://gitlab.com/gitlab-org/security-products/analyzers/gitlab-advanced-sast-src/-/pipelines/1321287642.
   

   This pipeline is responsible for tagging and pushing the images to the docker registry as part of the release-major stage.
   

   For example, the release patch job released the image registry.gitlab.com/gitlab-org/security-products/analyzers/gitlab-advanced-sast-src:0.0.6
   

4. As part of the git tag pipeline, you expected an image to also be pushed to the $SEC_REGISTRY_IMAGE variable value you configured in https://gitlab.com/gitlab-org/security-products/analyzers/gitlab-advanced-sast-src/-/settings/ci_cd, which is currently set to registry.gitlab.com/security-products/gitlab-advanced-sast, however, this didn't happen.
   

5. If we take a look at the logic for the docker.yml CI template, it shows that as long as the $SEC_REGISTRY_IMAGE, $SEC_REGISTRY_PASSWORD and $SEC_REGISTRY_USER variables are non-zero, then we should publish the $SEC_REGISTRY_IMAGE image.
   

   However, if I look at the variables for https://gitlab.com/gitlab-org/security-products/analyzers/gitlab-advanced-sast-src/-/settings/ci_cd, I can see that they're all Protected. This means "Export variable to pipelines running on protected branches and tags only."
   

   If I look at the protected tags settings in the repo https://gitlab.com/gitlab-org/security-products/analyzers/gitlab-advanced-sast-src/-/settings/repository I see there are no protected tags listed.
   

   So you can fix this by adding v* as a protected tag, with Maintainers allowed to create.
   

6. The reason why the process worked when running a manual pipeline with PUBLISH_IMAGES = true is because it ran from the context of the main branch, which is protected.
   

Author and Reviewer Checklist

Please verify the check list and ensure to tick them off before the MR is merged.

• Provided a concise title for this Merge Request (MR)
• [ x Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
  • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
• Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
  • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
  • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
  • The when to get approval handbook section explains the workflow in more detail
• For transparency, share this MR with the audience that will be impacted.
  • Team: For changes that affect your direct team, share in your group Slack channel
  • Department: If the update affects your department, share the MR in your department Slack channel
  • Division: If the update affects your division, share the MR in your division Slack channel
  • Company: If the update affects all (or the majority of) GitLab team members, post an update in #whats-happening-at-gitlab linking to this MR
    • For high-priority company-wide announcements work with the internal communications team to post the update in #company-fyi and align on a plan to circulate in additional channels like the "While You Were Iterating" Newsletter

Commits

• Add configuration step for protecting tags

---