Prevent security implementation issues from being added close to the Security Release deadline
Linking security issues to the Security Release Tracking Issue near the deadline is troublesome:
- There is not enough time to prepare all the merge requests and get them approved.
- It puts pressure on Release Managers, who have to decide whether to wait for the issue or to move on without it. Given the timing, the latter is the common choice; see for example https://gitlab.com/gitlab-org/gitlab/-/issues/225575#note_390678519
Proposal
Prevent security implementation issues from being linked to the Security Release Tracking issue within one day of the Security Release deadline. To implement this, we should follow these steps:
- Extend the GitLab API so that the issue links endpoints include the creation/update times in their output: gitlab-org/gitlab#283948 (closed)
- Extend Release Tools to make use of this API, and remove issue links added after the deadline
- Post a comment listing the associated issues that have been removed. This makes it clearer what is going on; otherwise it may just look like some sort of bug
- Perhaps we need to exclude issues marked as blockers? An issue may be marked as a blocker after the deadline, and we don't want the bot to then immediately unlink it
Implemented solution
- Added an IssueLinksValidator that runs during the security:validate rake task, which is executed every few hours by a scheduled pipeline.
- IssueLinksValidator will unlink any security issues added less than 24 hours before the due date (in UTC). However, it will not remove security issues that are blockers.
- It will leave a comment on the security release tracking issue and ping the assignees of issues that were unlinked.
This implementation is behind a feature flag called unlink_late_security_issues: https://ops.gitlab.net/gitlab-org/release/tools/-/feature_flags/203/edit.
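The following is an added example that illustrates the rule described in the proposal and in the implemented solution above (the 24-hour cutoff, the blocker exemption, the comment pinging assignees, and the feature flag gate). It is not the Release Tools code and does not call the GitLab API: the issue links are constructed inline as hashes with the `created_at` field the proposal asks the API to expose, the `blocker` label name and the `validate_issue_links` function are assumptions, and the due date is taken as a `Time` in UTC supplied by the caller.

```ruby
require 'time'

# Links added less than this many seconds before the due date are "late".
CUTOFF_SECONDS = 24 * 60 * 60

# Assumed label name for blocker issues (hypothetical; the page only says "blockers").
BLOCKER_LABEL = 'blocker'.freeze

def blocker?(link)
  link[:labels].include?(BLOCKER_LABEL)
end

# True when the link was created less than 24 hours before the due date.
# A link created exactly 24 hours before is not late (strict comparison),
# matching "less than 24 hours" in the description.
def late_link?(link, due_time)
  created = Time.iso8601(link[:created_at])
  (due_time - created) < CUTOFF_SECONDS
end

# Late links are removed unless the linked issue is a blocker.
def links_to_unlink(links, due_time)
  links.select { |link| late_link?(link, due_time) && !blocker?(link) }
end

# Builds the comment posted on the tracking issue, pinging each unlinked
# issue's assignees. Returns nil when nothing was unlinked, so no comment is posted.
def unlink_comment(removed)
  return nil if removed.empty?

  lines = removed.map do |link|
    pings = link[:assignees].map { |name| "@#{name}" }.join(' ')
    "- ##{link[:iid]} (#{pings})"
  end
  "The following security issues were linked less than 24 hours before the " \
    "due date and have been unlinked:\n" + lines.join("\n")
end

# Entry point mirroring a validator run: does nothing unless the
# unlink_late_security_issues feature flag is enabled (assumed keyword argument).
# Returns the list of links that would be removed.
def validate_issue_links(links, due_time, unlink_late_security_issues: false)
  return [] unless unlink_late_security_issues

  links_to_unlink(links, due_time)
end

# Constructed sample data: four linked security issues and a due date of
# 2021-01-14 00:00 UTC (values invented for this example).
SAMPLE_LINKS = [
  { iid: 101, created_at: '2021-01-10T09:00:00Z', labels: [],          assignees: ['alice'] },
  { iid: 102, created_at: '2021-01-13T15:30:00Z', labels: [],          assignees: ['bob', 'carol'] },
  { iid: 103, created_at: '2021-01-13T20:00:00Z', labels: ['blocker'], assignees: ['dave'] },
  { iid: 104, created_at: '2021-01-13T00:00:00Z', labels: [],          assignees: ['erin'] }
].freeze
DUE_TIME = Time.utc(2021, 1, 14, 0, 0, 0)

if __FILE__ == $PROGRAM_NAME
  removed = validate_issue_links(SAMPLE_LINKS, DUE_TIME, unlink_late_security_issues: true)
  puts(unlink_comment(removed) || 'Nothing to unlink.')
end
```

With the sample data only #102 is unlinked: #101 was linked days earlier, #103 is late but a blocker, and #104 sits exactly on the 24-hour boundary and is kept. With the flag left at its default the validator removes nothing, which is the state the page describes while the feature flag is off.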
Edited by Reuben Pereira