[Discussion] How to reduce review time for security -> canonical conflict MRs
In incident production#18053 (closed), the synchronization from canonical to security repo was blocked for around 30 hours, thus indirectly blocking the rollout of new changes to .com (since no new commits arrived at security, auto-deploy packages were empty).
A big part of time and effort was spent to get reviewer approvals for the conflict MR gitlab-org/gitlab!153841 (merged). It required 9 approvals from different teams (some approvals could be done by one person, if they fitted more than one approval rule). The MR was opened at 2024-05-22 11:06 UTC and merged at 2024-05-23 15:08 UTC, so the review process took more than one day, for an urgent MR IMO. From this, I want to raise some discussion questions (feel free to add more):
- Was 1 day of reviewing the conflict MR too long, or acceptable?
- How do we raise the awareness of other teams about the urgency of the MR?
- Can we reduce the amount of required approvals? I imagine we only need the two steps mentioned in the MR description:
  - Identify the author and/or reviewer of the conflicting changes and ask them to fix the conflicts in this MR.
  - Request a review and get approval from AppSec on the MR if this has not already been done by the developers who fixed the conflict.

  So instead of requiring the approvals from all CODEOWNERS of all commits, only the CODEOWNERS of the conflicts are needed. However, I don't have a solution to implement it yet.