Send AppSec a list of bug fixes merged into stable branches.
Context
Starting in 15.10, Delivery is piloting a different patch release process for GitLab engineers that allows stage teams to start merging into stable release branches so that they can self-serve on bug fixes (details in #2886 (closed)).
Merging bug fixes into stable branches can be done at any time during the release cycle, which affects the security release content: when a security release is tagged and published, the security release package can contain bug fixes in addition to the expected security fixes. When preparing the security release blog post, AppSec should be aware of these regular bug fixes so they can be included in the blog post.
Proposal: Create a rake task that lists the bug fixes currently merged into stable branches
A dedicated rake task could be prepared to print the list of bug fixes that are currently merged into stable branches. We already have some logic that could be reused for this in the PatchRelease::Coordinator class. During https://gitlab.com/gitlab-org/release/tasks/-/issues/5294, this step was required, and these were the internal modifications made to release tools to accomplish this:
Details
diff --git a/lib/tasks/release.rake b/lib/tasks/release.rake
index 2a505c80..af7d9b2e 100644
--- a/lib/tasks/release.rake
+++ b/lib/tasks/release.rake
@@ -296,10 +296,6 @@ namespace :release do
ReleaseTools.logger.info("Creating new release post", filename: filename)
- next if dry_run?
-
- File.open(filename, 'w') do |file|
- file.puts merge_request.generate_multi_version_blog_post_content
- end
+ puts merge_request.generate_multi_version_blog_post_content
end
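Review bot: Removing `next if dry_run?` together with the `File.open(filename, 'w')` block changes the existing task for every caller: it now prints the generated content on every run, dry run or not, and never writes `filename`, while the log line above still reports "Creating new release post" with that filename. For a permanent version, leave this task as it is and add the listing as its own rake task (or behind an explicit option), with a log message that matches what it does. Since the proposal is to trigger it via chatops or a pipeline schedule, also document where the `puts` output ends up and who can read it, because the content describes a security release that has not been published yet.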
Implementation details
- Implement a rake task that allows us to print the backports merged into stable branches
- This rake task could be triggered via chatops or via pipeline schedule
- Add a step on the security release template to reflect this step. This step should be done before merging the backports.