Security pipeline finalize stage - check mirror status
🗺 Overview
We are automating the final steps of the security release as part of reducing release manager workload during security releases. Each section of tasks in the security release task issue will in turn become its own stage in the security release pipeline.
The goal is to remove those tasks entirely, allowing the release manager to start a stage of a pipeline on the appropriate date and only pay attention if something fails, in which case they will be notified in Slack.
This issue covers the `mirror_status` job in the `security_release:finalize` stage, which checks the mirror status of the components.
```mermaid
sequenceDiagram
    security_release start-->>+security_release prepare: Start job
    security_release prepare-->>+security_release prepare: Other jobs
    security_release finalize start-->>+security_release finalize: Start job
    security_release finalize-->>+security_release finalize: sync_remotes
    Note over security_release finalize: This issue
    security_release finalize-->>+security_release finalize: mirror_status
    Note over security_release finalize: Other issues
    security_release finalize-->>+security_release finalize: close_security_implementation_issues
    security_release finalize-->>+security_release finalize: notify_release
    security_release finalize-->>+security_release finalize: enable_omnibus_nightly
    security_release finalize-->>+security_release finalize: enable_gitaly_update_task
    security_release finalize-->>+security_release finalize: close_security_tracking_issue
    security_release finalize-->>+security_release finalize: notify_upcoming_release_managers
    security_release finalize-->>+security_release finalize: verify_tags_synced
    security_release finalize-->>+security_release finalize: link_tracking_issue_in_slack
```
📝 Proposal
- This job should be the same as the `security_release_prepare:mirror_status`, but in the new stage: `security_release_finalize:mirror_status`
- Note that there are changes scheduled for how this job outputs in #19428. While that issue does not block this one, both mirror jobs should perform the same function.
- This job should not start until after the sync_remotes job has completed.
- Move the step to manually run `/chatops run mirror status` in `security_patch.rb` behind the `:security_release_pipeline` feature flag.
- If any failure occurs, the job should output the manual instructions for completing this task.
Edited by Steve Abrams