Announcement: Merging of security merge requests is changing
What is changing?
We're incorporating an "early-merge" phase for security merge requests: from around one week before the Security Release deadline up to the deadline itself, security merge requests targeting master will be merged and deployed to GitLab.com at the same pace as any other regular fix.
What is the new process for merging the security merge requests?
Pipelines for Merged Results has been enabled on GitLab Security. Once the early-merge phase starts, @gitlab-release-tools-bot will trigger a new pipeline on each eligible merge request and set MWPS (Merge When Pipeline Succeeds).
Which merge requests are considered for the "early-merge" phase?
Only GitLab security merge requests that:
- Target master. Backports will be merged during the Security Release (as usual)
- Are associated to a security issue that is linked to the Security Release Tracking issue
- Are associated to a security issue that is ready to be processed (with all the backports approved and ready to go)
As an Engineer working on a security fix, how does this impact me?
The only difference is that merge request authors won't have to rebase their security branches as frequently anymore (only when there are conflicts), since Pipelines for Merged Results will incorporate the latest changes from security master.
The rest of the Security developer process stays the same, and no additional action is required from your side.
As an Application Security Engineer validating a security fix, how does this impact me?
Once you've approved a security merge request that satisfies the conditions mentioned above, the merge request will be merged and deployed to GitLab.com.
The rest of the Security engineer process stays the same, and no additional action is required from your side.
Why were these changes made?
Merging security fixes early has a direct impact on our Release Velocity, since it removes the blocking nature of Security Releases and allows regular and security fixes to be deployed to GitLab.com as quickly as possible. As a result, the MTTP target has been lowered to 12 hours.
If you have any other questions or concerns, please raise them in this issue.