Security pipeline finalize stage - start job and initial setup
🗺 Overview
We are automating the final steps of the security release as part of reducing release manager workload during security releases. Each section of tasks in the security release task issue will in turn become its own stage in the security release pipeline.
The goal is to remove those tasks entirely, allowing the release manager to start a stage of a pipeline on the appropriate date and only pay attention if something fails, in which case they will be notified in Slack.
This issue covers the trigger job for the security_release:finalize stage.
sequenceDiagram
security_release start-->>+security_release prepare: Start job
security_release prepare-->>+security_release prepare: Other jobs
security_release finalize start-->>+security_release finalize: Start job (this issue)
Note over security_release finalize: Other issues
security_release finalize-->>+security_release finalize: sync_remotes
security_release finalize-->>+security_release finalize: mirror_status
security_release finalize-->>+security_release finalize: close_security_implementation_issues
security_release finalize-->>+security_release finalize: notify_release
security_release finalize-->>+security_release finalize: enable_omnibus_nightly
security_release finalize-->>+security_release finalize: enable_gitaly_update_task
security_release finalize-->>+security_release finalize: close_security_tracking_issue
security_release finalize-->>+security_release finalize: notify_upcoming_release_managers
security_release finalize-->>+security_release finalize: verify_tags_synced
security_release finalize-->>+security_release finalize: link_tracking_issue_in_slack
📝 Proposal
- Add a new stage security_release:finalize_start that can be manually run using the $SECURITY_RELEASE_PIPELINE variable set to 'finalize'.
- Create a manual job security_release_finalize:start that runs a task and posts a notification in #f_upcoming_release stating the release manager has started the final steps of the security release.
- Update the SecurityIssue code to inject the SECURITY_RELEASE_PIPELINE variable with a value of finalize in the pipeline creation.
- Update the security_patch template to include a task to start this job when the :security_release_pipeline feature flag is enabled:

    - [ ] Start the `security_release_finalize:start` job in the security release pipeline: <%= pipeline.web_url %>
To do
- Update release-tools to include the finalize stage on the security pipeline gitlab-org/release-tools!2471 (merged)
- Testing gitlab-org/release-tools!2471 (merged)
- Unprotect branch
- Remove branch from ops