
Delivery team members should have maintainer access to GitLab repos

Wrapping up today's security release, I wasn't able to sync out the GitLab Pages repository because I don't have maintainer permission on that repo. The tag not being available on the canonical repo unleashed the following problems:

  • gdk update failed:
--------------------------------------------------------------------------------
Updating gitlab-org/gitlab-pages to v1.34.0
--------------------------------------------------------------------------------
Fetching origin
error: pathspec 'v1.34.0' did not match any file(s) known to git
command failed: git checkout v1.34.0
make: *** [gitlab-pages/.git/pull] Error 1
❌️ ERROR: Failed to update.
-------------------------------------------------------

An alternative could be to wait until a GitLab Pages maintainer is available, but there are none in America. @skarbek pushed the tag to the Canonical repo, which unblocked the engineering department.

Proposal

On Canonical and Security repositories, standardize @gitlab-org/release/managers access to GitLab projects based on:

  • @gitlab-org/release/managers should have maintainer access
  • @gitlab-org/release/managers should be allowed to push and merge to *-auto-deploy-* and *-stable branches.
  • @gitlab-org/release/managers should be allowed to push to master

Additionally:

  • @gitlab-bot and @gitlab-release-tools-bot should be allowed to push and merge to master, *-auto-deploy-* and *-stable branches.

On Dev, teamDelivery team members, @gitlab-bot, and @gitlab-release-tools-bot should be added as maintainers.

Projects

Canonical

Project Permissions up to date? Action required Action completed
GitLab Allow @gitlab-org/release/managers to push and merge to **-auto-deploy-*. Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
GitLab FOSS --- Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
Omnibus --- Allow @gitlab-org/release/managers to push and merge to master. Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
Gitaly ---- Allow @gitlab/release/managers to push and merge to *-stable and master. Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
GitLab Chart   Allow @gitlab/release/managers to push and merge to *-stable and master. Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
GitLab Agent Give @gitlab-delivery maintainer access. Allow @gitlab/release/managers to push and merge to master. Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
GitLab Pages Give @gitlab-delivery maintainer access. Allow @gitlab/release/managers to push and merge to master. Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
GitLab Workhorse Give @gitlab-delivery maintainer access. Allow @gitlab/release/managers to push and merge to master. Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
CNG     Allow @gitlab-org/release/managers to push and merge to **-auto-deploy-*, **-stable, **-stable-ee and master. Add @gitlab-bot to push, merge to auto-deploy, master and stable branches

Security

Project Permissions up to date? Action required Action completed
GitLab --- Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
GitLab FOSS Allow @gitlab-delivery and @gitlab/release/managers to push and merge to **-auto-deploy-*, **-stable, **-stable-ee and (RMs to) master. Also we need to remove maintainer access to the stable branches, they shouldn't be able to push or merge to these. Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
Omnibus --- Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
Gitaly Allow @gitlab-delivery and @gitlab/release/managers to push and merge to **-auto-deploy-*, **-stable, **-stable-ee and master. Also we need to remove maintainer access to the stable branches, they shouldn't be able to push or merge to these. Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
GitLab Chart   Allow @gitlab/release/managers to push and merge to master. Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
GitLab Agent Allow @gitlab/release/managers to push and merge to master. Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
GitLab Pages Allow @gitlab/release/managers to push and merge to master, @gitlab-delivery *-stable, and *-auto-deploy-* branches. Remove maintainers from merge/push to master. Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
GitLab Workhorse Allow @gitlab/release/managers to push and merge to master, @gitlab-delivery *-stable, and *-auto-deploy-* branches. Remove maintainers from merge/push to master/stable. Add @gitlab-bot to push, merge to auto-deploy, master and stable branches
CNG     Allow @gitlab/release/managers to push and merge to master, @gitlab-delivery *-stable, and *-auto-deploy-* branches. Add @gitlab-bot to push, merge to auto-deploy, master and stable branches

Dev

dev.gitlab.org is a CE instance, therefore the "Protected branch" feature is limited to Roles. In this case, we need to ensure teamDelivery members have maintainer access to the projects.

Note: Allowing maintainers to push and merge to dev repos will allow every project maintainer to do so, not just teamDelivery members, which could be a bit risky (e.g. imagine a maintainer accidentally merging something in gitlab-ee on Dev). Another option is to limit the maintainer role to teamDelivery, but that might cause unforeseen consequences.

Project Permissions up to date? Action required Action complete
GitLab ---
GitLab FOSS ---
Omnibus ---
Gitaly ---
GitLab Chart ---
GitLab Agent --- Add teamDelivery members as maintainers
GitLab Pages --- Add teamDelivery members as maintainers
GitLab Workhorse --- Add teamDelivery members as maintainers
CNG   ---
Edited by Mayra Cabrera
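
The proposal above can be checked mechanically per project. The following is an added example, not part of the original issue or GitLab's tooling: it audits a list shaped like the response of `GET /projects/:id/protected_branches` against the proposed rules. The group and user IDs, the `POLICY` table and the choice to flag role-wide Maintainer grants only on `*-stable` (as in the Security rows for GitLab FOSS and Gitaly) are assumptions.

```python
# Added example (not GitLab's code): audit protected-branch rules against the
# proposal. Input mirrors GET /projects/:id/protected_branches; IDs are constructed.
MAINTAINER = 40                      # GitLab access level for the Maintainer role
RM = ("group_id", 9001)              # hypothetical id: @gitlab-org/release/managers
BOTS = [("user_id", 101), ("user_id", 102)]  # hypothetical ids for the two bots
POLICY = {                           # pattern -> action -> principals required
    "*-auto-deploy-*": {"push": [RM, *BOTS], "merge": [RM, *BOTS]},
    "*-stable": {"push": [RM, *BOTS], "merge": [RM, *BOTS]},
    "master": {"push": [RM, *BOTS], "merge": BOTS},
}
NO_ROLE_WIDE = {"*-stable"}          # role-wide Maintainer grants flagged here

def audit(protected_branches):
    """Return sorted findings for one project's protected-branch list."""
    rules = {b["name"]: b for b in protected_branches}
    findings = []
    for pattern, required in POLICY.items():
        rule = rules.get(pattern)
        if rule is None:
            findings.append(f"{pattern}: no protected-branch rule")
            continue
        for action, principals in required.items():
            levels = rule.get(f"{action}_access_levels", [])
            for key, ident in principals:
                if not any(lv.get(key) == ident for lv in levels):
                    findings.append(f"{pattern}: {key}={ident} not explicitly allowed to {action}")
            # A grant with no user_id/group_id applies to everyone with that role.
            role_wide = any(lv.get("access_level") == MAINTAINER
                            and lv.get("user_id") is None
                            and lv.get("group_id") is None for lv in levels)
            if role_wide and pattern in NO_ROLE_WIDE:
                findings.append(f"{pattern}: every Maintainer can {action}")
    return sorted(findings)

def grant(**ids):
    """Build one constructed access-level entry in the API's shape."""
    return {"access_level": MAINTAINER, "user_id": None, "group_id": None, **ids}

ALL = [grant(group_id=9001), grant(user_id=101), grant(user_id=102)]
SAMPLE = [  # constructed response: master is correct, *-stable is role-only
    {"name": "master", "push_access_levels": ALL, "merge_access_levels": ALL[1:]},
    {"name": "*-stable", "push_access_levels": [grant()],
     "merge_access_levels": [grant()]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On an instance where protected branches can only name roles, as the Dev section describes, every grant is role-wide, so the per-principal checks would always report findings there.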