Find a way to sync repositories after a release without cloning Git repos
As part of the security release process we need to make sure all repositories are in sync. This means pushing all changes on dev to security and the canonical projects. At the moment this is done by cloning the repositories and operating on these local clones.
Once we use the API for releasing all components, this will be one of the few remaining pieces using local Git repositories during a release. It would be nice if we could somehow change this to either use APIs, the Merge Train, or some sort of clever push/pull mirroring setup.
The Merge Train may be the easiest option, provided that we ensure it doesn't
overwrite changes in the target repository; instead using
git merge. Merge
conflicts would have to be dealt with manually, but this is already the case
Using push/pull mirrors would require us to be able to mark said mirrors as "manual", and manually (using an API call) trigger those mirrors after a security release. The benefit of this setup is that we can reuse everything our mirroring feature has to offer, and it can be used by other people as well.