Security pipeline finalize stage - verify tags are synced
🚙 Overview
We are automating the final steps of the security release as part of reducing release manager workload during security releases. Each section of tasks in the security release task issue will in turn become its own stage in the security release pipeline. The goal is to remove those tasks entirely, allowing the release manager to start a stage of the pipeline on the appropriate date and only pay attention if something fails, in which case they will be notified in Slack.
This issue covers the `verify_tags_synced` job in the `security_release:finalize` stage, which verifies that all tags for the release were synced back to canonical.
Click to expand pipeline diagram
```mermaid
sequenceDiagram
    security_release start-->>+security_release prepare: Start job
    security_release prepare-->>+security_release prepare: Other jobs
    security_release finalize start-->>+security_release finalize: Start job
    security_release finalize-->>+security_release finalize: sync_remotes
    security_release finalize-->>+security_release finalize: mirror_status
    security_release finalize-->>+security_release finalize: close_security_implementation_issues
    security_release finalize-->>+security_release finalize: notify_release
    security_release finalize-->>+security_release finalize: enable_omnibus_nightly
    security_release finalize-->>+security_release finalize: enable_gitaly_update_task
    security_release finalize-->>+security_release finalize: close_security_tracking_issue
    security_release finalize-->>+security_release finalize: notify_upcoming_release_managers
    Note over security_release finalize: This issue
    security_release finalize-->>+security_release finalize: verify_tags_synced
    security_release finalize-->>+security_release finalize: link_tracking_issue_in_slack
```
🛵 Proposal
- Add a job, `security_release_finalize:verify_tags_synced`, that verifies all tags created for the release were synced back to canonical. The tags are listed at https://gitlab.com/gitlab-org/gitlab/-/tags and can be accessed with the tags API.
- Move the step "Check all new tags have synced to Canonical" in the `security_patch` template behind the `:security_release_pipeline` feature flag.
- If the job is successful, it should post a success notification to Slack.
- If any failure occurs, the job should output the manual instructions for completing this task, and a failure notification linking to the job should be posted to Slack.
- This should only run on regular security releases, not on critical security releases. The `SECURITY` environment variable can be used to check for a critical security release; its value is `'critical'` for critical security releases.
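The following is an added example, not release-tools code, sketching the checks the job above would need: skip on a critical security release (`SECURITY=critical`), compare the release's tags against the tags present on the canonical project, and produce either a Slack-ready message or the manual instructions when something is missing. The `fetch_canonical_tags` helper uses the public GitLab tags API (`GET /projects/:id/repository/tags`); the `GITLAB_API_TOKEN` variable name, the tag names in the sample data, and the exact wording of the messages are assumptions made for this example.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Project whose tags are listed at https://gitlab.com/gitlab-org/gitlab/-/tags
CANONICAL_PROJECT = 'gitlab-org/gitlab'
PER_PAGE = 100

# The job must not run for critical security releases, which are marked by
# SECURITY=critical in the pipeline environment. Accepts any Hash-like object
# responding to #[] so it can be exercised without touching the real ENV.
def critical_security_release?(env = ENV)
  env['SECURITY'].to_s.strip.downcase == 'critical'
end

# Fetches every tag name from the canonical project through the GitLab tags
# API, walking the paginated results. Needs network access; the token variable
# name GITLAB_API_TOKEN is an assumption for this example, not a release-tools
# setting. Not called by the offline check below.
def fetch_canonical_tags(project = CANONICAL_PROJECT, token: ENV['GITLAB_API_TOKEN'])
  encoded = URI.encode_www_form_component(project)
  names = []
  page = 1
  loop do
    uri = URI("https://gitlab.com/api/v4/projects/#{encoded}/repository/tags?per_page=#{PER_PAGE}&page=#{page}")
    req = Net::HTTP::Get.new(uri)
    req['PRIVATE-TOKEN'] = token if token
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
    raise "tags API returned HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)

    batch = JSON.parse(res.body)
    names.concat(batch.map { |tag| tag['name'] })
    break if batch.size < PER_PAGE

    page += 1
  end
  names
end

# Core check: every tag created for the release must appear on canonical.
# Returns the verdict plus the missing tags so the caller can decide what to post.
def verify_tags_synced(release_tags, canonical_tags)
  missing = release_tags - canonical_tags
  { synced: missing.empty?, missing: missing }
end

# Manual fallback printed by the job on failure: one line per missing tag telling
# the release manager what to push (wording is assumed for this example).
def manual_instructions(missing)
  lines = ["Tags missing on canonical (#{CANONICAL_PROJECT}). Push each from the security mirror:"]
  missing.each { |tag| lines << "  git push canonical refs/tags/#{tag}" }
  lines.join("\n")
end

# Slack message for either outcome; job_url is the CI job link the failure
# notification must point at.
def slack_message(result, job_url)
  if result[:synced]
    ":white_check_mark: verify_tags_synced: all release tags are present on canonical"
  else
    ":x: verify_tags_synced failed, #{result[:missing].size} tag(s) missing: " \
      "#{result[:missing].join(', ')} (#{job_url})"
  end
end

# Runs the whole decision for one release. Returns the Slack text, or :skipped
# for a critical security release. Takes the canonical tag list as an argument
# so it can be driven by fetch_canonical_tags in the job and by sample data here.
def run_verify_tags_synced(release_tags, canonical_tags, job_url, env = ENV)
  return :skipped if critical_security_release?(env)

  result = verify_tags_synced(release_tags, canonical_tags)
  puts manual_instructions(result[:missing]) unless result[:synced]
  slack_message(result, job_url)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: tag names and job URL are made up for this example.
  release = %w[v99.1.2-ee v99.1.2 v99.0.5-ee v99.0.5]
  canonical = %w[v99.1.2-ee v99.1.2 v99.0.5-ee v98.9.9-ee]
  puts run_verify_tags_synced(release, canonical, 'https://example.invalid/job/1', {})
end
```

In the real job the canonical list would come from `fetch_canonical_tags`, while the release tag list is whatever the earlier stages tagged; keeping `verify_tags_synced` as a pure set difference makes the failure path easy to test and keeps the API call out of the decision logic.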
Edited by Steve Abrams