Patch release pipeline: Automate steps for syncing the canonical with security changes
Context
On #19457 (closed), the merge train was adopted to sync security changes to the GitLab canonical repository after the security release has been published. At the moment, that use case for the merge train is handled manually by release managers by following the instructions below (added on gitlab-org/release-tools@a5ea6871):

Patch release issue tasks

Sync the GitLab default branch by using the merge-train project:
1. Disable the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master pipeline schedule on the merge-train.
2. Trigger the gitlab-org/security/gitlab@master -> gitlab-org/gitlab@master pipeline schedule on the merge-train and wait until it finishes. This pipeline will attempt to sync the GitLab default branch.
3. If the sync fails, repeat the above step. If after 5 times the sync by the merge train continues to fail, use the previous strategy to sync the GitLab project:
   1. Disable the merge_train_to_canonical feature flag on ops.
   2. Enable the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master pipeline schedule on the merge-train.
   3. Execute the sync_remotes task on Slack: /chatops run release sync_remotes --security. In this case, if the sync fails, a merge request will be created and release manager intervention will be required.
The purpose of this issue is to automate the above steps by having a rake task that automatically:
1. Disables the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master pipeline schedule.
2. Triggers the gitlab-org/security/gitlab@master -> gitlab-org/gitlab@master pipeline schedule.
3. Reviews if the repositories are synced:
   - If the repositories are synced:
     - Disable the gitlab-org/security/gitlab@master -> gitlab-org/gitlab@master pipeline schedule.
     - Enable the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master pipeline schedule.
   - If the repositories are not synced, repeat steps 2 and 3.
   - If after 5 attempts the repositories were not synced, the release manager should be notified to:
     - Disable the merge_train_to_canonical FF on ops.
     - Execute the sync_remotes task on Slack. A merge request will be created and release manager intervention will be required.
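The manual instructions and the rake-task flow above describe the same loop: stop the canonical-to-security schedule, trigger the security-to-canonical schedule, verify, retry up to 5 times, and on exhaustion hand the fallback steps to a release manager. The Ruby below is an added illustration of that loop and is not release-tools code: FakeMergeTrain is a stand-in for the merge-train project's API (a real task would call the GitLab pipeline-schedules API), the synced? check, SyncResult, FALLBACK_STEPS and notification_message are assumptions made for the example, and the scripted trigger outcomes are constructed input.

```ruby
# Added example (not release-tools code): models the sync-with-retry flow
# from the issue. The GitLab API client is stubbed so the flow runs offline.

SECURITY_TO_CANONICAL = 'gitlab-org/security/gitlab@master -> gitlab-org/gitlab@master'
CANONICAL_TO_SECURITY = 'gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master'
MAX_ATTEMPTS = 5

# Hypothetical stand-in for the merge-train project's API. Each trigger
# consumes one scripted outcome (true = sync succeeded, false = failed).
class FakeMergeTrain
  attr_reader :schedule_state, :log

  def initialize(trigger_outcomes)
    @outcomes = trigger_outcomes.dup
    @schedule_state = { CANONICAL_TO_SECURITY => true, SECURITY_TO_CANONICAL => true }
    @log = []
    @synced = false
  end

  def disable_schedule(name)
    @schedule_state[name] = false
    @log << [:disable, name]
  end

  def enable_schedule(name)
    @schedule_state[name] = true
    @log << [:enable, name]
  end

  # Runs the schedule and blocks until the pipeline finishes (stubbed).
  def trigger_and_wait(name)
    @log << [:trigger, name]
    @synced = @outcomes.shift == true
  end

  # Stand-in for comparing the HEAD SHAs of the two default branches.
  def synced?
    @synced
  end
end

# Outcome of one run. `fallback` holds the manual steps the release managers
# must still perform when the merge train could not sync the branches.
SyncResult = Struct.new(:synced, :attempts, :fallback, keyword_init: true)

FALLBACK_STEPS = [
  'Disable the merge_train_to_canonical feature flag on ops',
  "Enable the #{CANONICAL_TO_SECURITY} pipeline schedule",
  'Run /chatops run release sync_remotes --security in Slack'
].freeze

def sync_canonical_with_security(train, max_attempts: MAX_ATTEMPTS)
  # Step 1: stop the canonical->security schedule so it cannot race the sync.
  train.disable_schedule(CANONICAL_TO_SECURITY)

  attempts = 0
  loop do
    attempts += 1
    # Step 2: push the security changes to canonical and wait for the pipeline.
    train.trigger_and_wait(SECURITY_TO_CANONICAL)
    # Step 3: verify; stop on success or once the retry budget is spent.
    break if train.synced? || attempts >= max_attempts
  end

  if train.synced?
    # Restore the steady-state schedules once both default branches match.
    train.disable_schedule(SECURITY_TO_CANONICAL)
    train.enable_schedule(CANONICAL_TO_SECURITY)
    SyncResult.new(synced: true, attempts: attempts, fallback: [])
  else
    # Leave the schedules as they are and hand the remaining steps to a human.
    SyncResult.new(synced: false, attempts: attempts, fallback: FALLBACK_STEPS)
  end
end

# Hypothetical notifier: a real task would post this to the release managers.
def notification_message(result)
  return "Default branches synced after #{result.attempts} attempt(s)." if result.synced

  ["Merge train failed to sync after #{result.attempts} attempts. Manual steps:",
   *result.fallback.map { |step| "  - #{step}" }].join("\n")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed outcomes: the first two triggers fail, the third succeeds.
  train = FakeMergeTrain.new([false, false, true])
  puts notification_message(sync_canonical_with_security(train))
end
```

The retry budget is passed in rather than hard-coded so the job can be re-run with a different limit, and the result carries the fallback steps explicitly, which is what the notification to release managers should contain whether the job passed or not.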
Proposal
- This check should be at the end of the security_release_finalize stage, similar to how the release task issue is currently organized.
- The jobs should be retry-able.
- The release managers should be notified whether or not the job passed (manual intervention is needed to fix the sync if this automation doesn't sync the default branches).
- Follow the guidelines for the release pipelines in https://gitlab.com/gitlab-org/release-tools/-/blob/master/doc/release-pipelines.md
Exit Criteria
- Release managers can rely on the patch release pipeline to perform the sync.
- The release task issue is updated to use the patch release pipeline for the steps the pipeline automates.
Edited by Jenny Kim