Security preparation pipeline - Disable omnibus builds job
🗺 Overview
We are automating the first steps of the security release as part of reducing release manager workload during security releases.
The goal is to remove those tasks entirely, allowing the release manager to start a pipeline and then move on to the early merge phase without having to manually send notifications and check pipeline statuses.
This issue covers the first step of that process, creating the first job in the pipeline to disable the Omnibus builds job.
Each section of the security release tasks (each day's worth of tasks) will be its own pipeline. That pipeline will be triggered by a parent pipeline that runs the entire security release. The benefit of using a downstream pipeline for each stage is that the stage can be re-run against new code changes without having to re-run the parent pipeline.
sequenceDiagram
Parent Pipeline (preparation stage)-->>+security-prepare pipeline: Triggers downstream pipeline
Note over Parent Pipeline (preparation stage): Not part of this issue
Note over security-prepare pipeline: This issue
security-prepare pipeline->>+security-prepare pipeline: Disable omnibus builds job
Note over security-prepare pipeline: Other issues
security-prepare pipeline-->>+security-prepare pipeline: Check mirror status
security-prepare pipeline-->>+security-prepare pipeline: Communicate security release
security-prepare pipeline-->>+security-prepare pipeline: Check component pipeline status
We do not yet need to worry about the parent pipeline since we are only introducing the first trigger pipeline here: the security:preparation pipeline.
📝 Proposal
- Create a new pipeline: security-prepare that can be manually run using a variable $SECURITY_RELEASE_PIPELINE set to 'prepare'. We are using a specific value for the variable so in the future, we can run other pipelines that can be run with the same variable using different values.
  This pipeline should have one job, disable-omnibus-builds, that disables the omnibus nightly builds job on dev using the pipeline schedules API, setting active to false.
  When the pipeline runs, it should output a success or failure message to #f_upcoming_release. If the job fails, the slack notification should link to the failed job, where the job includes information about the failure and instructions for the release manager to retry or complete the task manually.
- Add a feature flag SECURITY_RELEASE_PIPELINE to release-tools that when enabled, replaces the disable omnibus builds task in the security_patch template with a step to "Disable Omnibus builds by manually running a pipeline with $SECURITY_RELEASE_PIPELINE set to 'prepare'". While this does not yet remove any tasks, it sets the stage so we can move more of these "first steps" checkboxes into that single task to run the pipeline as the various jobs are implemented.
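A sketch of the disable-omnibus-builds job proposed above, added here as an example and not taken from release-tools. The class name, constructor arguments, message wording and the injectable http transport are hypothetical; the request itself is the GitLab pipeline schedules API call (PUT with active=false).

```ruby
require 'json'
require 'net/http'
require 'uri'

# Added example; class name, arguments and messages are hypothetical.
class DisableOmnibusBuilds
  Result = Struct.new(:success, :slack_message)

  # Default transport: performs the real HTTPS call and returns [status, body].
  LIVE = lambda do |req|
    uri = req.uri
    res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
    [res.code.to_i, res.body]
  end

  def initialize(api_url:, project:, schedule_id:, token:, job_url:, http: LIVE)
    @api_url, @project, @schedule_id = api_url, project, Integer(schedule_id)
    @token, @job_url, @http = token, job_url, http
  end

  # PUT /projects/:id/pipeline_schedules/:pipeline_schedule_id with active=false
  def request
    project = URI.encode_www_form_component(@project)
    req = Net::HTTP::Put.new(URI("#{@api_url}/projects/#{project}/pipeline_schedules/#{@schedule_id}"))
    req['PRIVATE-TOKEN'] = @token # header only; never interpolated into messages
    req.set_form_data('active' => 'false')
    req
  end

  def execute
    status, body = @http.call(request)
    # Confirm the returned schedule state instead of trusting the status code.
    if status == 200 && JSON.parse(body)['active'] == false
      Result.new(true, ':white_check_mark: Omnibus nightly builds schedule disabled.')
    else
      failure("API returned HTTP #{status}")
    end
  rescue StandardError => e
    failure(e.class.name) # class only: exception text could echo request details
  end

  private

  def failure(reason)
    Result.new(false, ":x: Could not disable Omnibus nightly builds (#{reason}). " \
                      "Retry the job or disable the schedule manually: #{@job_url}")
  end
end
```

In a CI job the token would come from a masked variable, and slack_message is what gets posted to #f_upcoming_release.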
To do
- Add barebone classes to disable omnibus nightly builds and to send slack notifications gitlab-org/release-tools!2407 (merged) / gitlab-org/release-tools!2409 (merged)
- Add CI pipeline configuration for the security prepare pipeline gitlab-org/release-tools!2410 (merged)
- Add a feature flag for the security release pipeline. gitlab-org/release-tools!2420 (merged)
- Create a feature flag in Ops https://ops.gitlab.net/gitlab-org/release/tools/-/feature_flags/235/edit
- Add a note for debugging purposes #19300 (comment 1416941769)
- Remove branch from ops https://ops.gitlab.net/gitlab-org/release/tools/-/commits/add-ci-configuration-for-security-prepare-pipeline
- Remove branch from ops https://ops.gitlab.net/gitlab-org/release/tools/-/commits/add-log-for-debugging-purposes