Discussion: How can we make it easier to guarantee that a specific fix has been included in the security release
Context
In https://gitlab.com/gitlab-org/release/tasks/-/issues/5743#on-the-2nd-one-day-before-due-date we accidentally missed an important bug fix out of the release because of the order in which changes were merged. Related issue.
A boring solution would be to update the release issue to try to avoid this problem, but it would be helpful to have a better tool or process that lets us guarantee that specific bug fixes are included.
The tricky scenario:
- A security release is in progress
- A bug is identified in one of the n-1, or n-2 versions (technically outside of the maintenance policy) and the fix is ready to go
- An approved backport request would mean an extra patch release unless we can get the fix into the security release
- The tricky part: depending on which step we're on, the fix can either be merged onto the stable branches or, if we're already merging security backports, it would need to have an MR opened against the security canonical. Currently, the release manager needs to spot and handle this situation, which is risky and also adds more delays to the bug fix prep.
The ideal scenario:
- A security release is in progress
- A bug is identified in one of the n-1, or n-2 versions (technically outside of the maintenance policy) and the fix is ready to go
- A backport request is created and approved
- The developer and release manager have a simple way to decide whether the MR is targeting the correct branch (canonical or security), or we have an easy way to double-check that important fixes were included before we tag the package.
Edited by Amy Phillips