Test GitLab merge requests as a long term solution to sync security changes to GitLab repository
On #19402 (closed), the merge-train was adopted to sync security changes to GitLab canonical once the security release is out. This strategy helped reduce the time release managers spent on the last section of a security release and made the syncing experience painless (details #19402 (comment 1451901930)).
Using the merge-train as a solution works for now, but it might not work in the long term:
- The git traffic for the GitLab project is only going to increase with more engineers joining the team and more features being developed.
- It might conflict with the adoption of the merge train feature in the GitLab project gitlab-org/quality/quality-engineering/team-tasks#195
As a long-term solution, able to support our scaling needs, we would like to test the GitLab merge request feature as a solution for syncing security commits into the canonical repository at the end of the security release.
Some of the key benefits of this approach are:
- We are saving a lot of time and bandwidth by not cloning the security and the canonical repositories to perform the merge inside the CI job
- It scales with the number of commits to the default branch, as GitLab will take care of running the merges in order without conflicting pushes
- It will be compatible with the adoption of the merge train feature in the GitLab project gitlab-org/quality/quality-engineering/team-tasks#195
- We are removing a custom implementation in favor of a feature of the product
Things to figure out in our testing:
- Can we have a blazing-fast CI for the security:master -> canonical:master merge request? gitlab-org/gitlab!125862 (merged)
- Can we take advantage of the triage-ops reactive framework to automatically approve and merge this (and only this) type of merge request? gitlab-org/quality/triage-ops!2310 (merged)
- Can we have the GitLab-bot as a codeowner approver for every file in the repo? gitlab-org/gitlab!126503 (merged)
Sequence diagrams
Today

```mermaid
sequenceDiagram
actor rm as Release Manager
participant rt as release-tools
participant mt as merge-train
participant gl as gitlab.com
actor Maintainer
rm->>rt: Sync security default branch
rt->>mt: merge security:master->canonical:master
activate mt
mt->>+gl: clone gitlab-org/security/gitlab
gl-->>-mt: security:master
mt->>+gl: clone gitlab-org/gitlab
gl-->>-mt: canonical:master
par Release Process
mt->>mt: merge security:master into canonical:master
and Development Process
Maintainer->>+gl: Merge gitlab-org/gitlab!12345
gl-->>-Maintainer: merged
end
mt->>+gl: git push
gl-->>-mt: ❌ push failure, master advanced
loop up to 5 times if push fails
mt->>+gl: pull gitlab-org/gitlab master
gl-->>-mt: canonical:master
mt->>mt: merge HEAD into canonical:master
mt->>+gl: git push
gl-->>-mt: push result
end
deactivate mt
rm->>rt: Verify mirroring status
```
Desired state

```mermaid
sequenceDiagram
actor rm as Release Manager
participant rt as release-tools
participant gl as gitlab.com
participant ops as triage-ops
participant runner
actor Maintainer
rm->>rt: Sync security default branch
par Release Process
rt->>+gl: API merge security:master->canonical:master
gl-->>rt: created gitlab-org/gitlab!5555
and Development Process
Maintainer->>+gl: Merge gitlab-org/gitlab!12345
gl-->>-Maintainer: merged
end
runner->>+gl: pick a job
note right of runner: no-op single job pipeline
gl-->>-runner: single job for gitlab-org/gitlab!5555
activate runner
gl->>+ops: mergerequest.opened gitlab-org/gitlab!5555
ops->>gl: approve gitlab-org/gitlab!5555
ops->>gl: set auto-merge gitlab-org/gitlab!5555
ops-->>-gl: done
runner->>gl: job completed
deactivate runner
gl->>gl: auto-merge
deactivate gl
rm->>rt: Verify mirroring status
```
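The "approve and merge this (and only this) type of merge request" step above, together with the triage-ops question in the list, hinges on a tight eligibility check: a bot that can approve as codeowner for every file must only ever act on the security sync MR. The following is an added example (not triage-ops or release-tools code) of such a guard over a merge_request webhook payload; the project paths, branch name and bot username are assumed values, and the payloads are constructed.

```ruby
# Added example, not part of triage-ops or release-tools: decide whether a
# merge_request webhook event is the security sync MR and nothing else.
require 'json'

# Assumed expected values for the sync MR (the bot username is a placeholder).
SYNC_SOURCE_PROJECT = 'gitlab-org/security/gitlab'
SYNC_TARGET_PROJECT = 'gitlab-org/gitlab'
SYNC_BRANCH         = 'master'
SYNC_AUTHOR         = 'gitlab-release-tools-bot'

# Returns [eligible, reason]. Every condition must hold; any single mismatch
# (different source project, feature branch, human author) blocks auto-approval.
def security_sync_mr?(payload)
  return [false, 'not a merge_request event'] unless payload['object_kind'] == 'merge_request'

  attrs = payload.fetch('object_attributes', {})
  checks = {
    'action is not open'      => attrs['action'] == 'open',
    'source project mismatch' => attrs.dig('source', 'path_with_namespace') == SYNC_SOURCE_PROJECT,
    'target project mismatch' => attrs.dig('target', 'path_with_namespace') == SYNC_TARGET_PROJECT,
    'source branch mismatch'  => attrs['source_branch'] == SYNC_BRANCH,
    'target branch mismatch'  => attrs['target_branch'] == SYNC_BRANCH,
    'author is not the bot'   => payload.dig('user', 'username') == SYNC_AUTHOR
  }
  failed = checks.reject { |_, ok| ok }.keys
  failed.empty? ? [true, 'ok'] : [false, failed.join('; ')]
end

# Constructed, abbreviated webhook bodies (not captured from gitlab.com).
def sample_payload(source_project:, source_branch:, target_branch: 'master', user: SYNC_AUTHOR, action: 'open')
  {
    'object_kind' => 'merge_request',
    'user' => { 'username' => user },
    'object_attributes' => {
      'action' => action,
      'source_branch' => source_branch,
      'target_branch' => target_branch,
      'source' => { 'path_with_namespace' => source_project },
      'target' => { 'path_with_namespace' => SYNC_TARGET_PROJECT }
    }
  }
end

if __FILE__ == $PROGRAM_NAME
  sync = sample_payload(source_project: SYNC_SOURCE_PROJECT, source_branch: SYNC_BRANCH)
  other = sample_payload(source_project: SYNC_TARGET_PROJECT, source_branch: 'feature-x')
  puts JSON.generate('sync' => security_sync_mr?(sync), 'other' => security_sync_mr?(other))
end
```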