Merge Security merge requests as soon as they're ready
We need to be able to merge a security merge request as soon as it's ready to be merged. A merge request can be considered ready when:
- It has been approved by maintainers based on our Approval guidelines
- It has been approved by a member of the AppSec team
Proposal
When auto_deploy_on_security is enabled:
- /chatops run release merge --security --master should only merge MRs targeting master and pick them into the current auto_deploy branch
- /chatops run release merge --security should merge MRs targeting stable branches
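The selection rule proposed above, combined with the two readiness criteria, as an added Ruby sketch (not code from release-tools or ChatOps). The struct, function names, stable-branch pattern and the flag-off behaviour are assumptions made for illustration.

```ruby
# Added illustration; every name here is hypothetical, not the release-tools API.
MergeRequest = Struct.new(:iid, :target_branch, :maintainer_approved,
                          :appsec_approved, keyword_init: true)

# Assumption: stable branches are named like "12-10-stable" or "12-10-stable-ee".
STABLE_BRANCH = /\A\d+-\d+-stable(-ee)?\z/

# Ready = approved by maintainers AND by a member of the AppSec team.
def ready?(mr)
  mr.maintainer_approved && mr.appsec_approved
end

# Returns the security MRs one `merge --security` run would process.
def mergeable_security_mrs(mrs, auto_deploy_on_security:, master: false)
  ready = mrs.select { |mr| ready?(mr) }

  # Assumption: with the flag off, every ready MR is processed in one batch.
  return ready unless auto_deploy_on_security

  if master
    # --master: only MRs targeting master (then picked into auto_deploy).
    ready.select { |mr| mr.target_branch == 'master' }
  else
    # No --master: only backports targeting stable branches.
    ready.select { |mr| mr.target_branch.match?(STABLE_BRANCH) }
  end
end

# Constructed sample data.
SAMPLE_MRS = [
  MergeRequest.new(iid: 1, target_branch: 'master',
                   maintainer_approved: true, appsec_approved: true),
  MergeRequest.new(iid: 2, target_branch: '12-10-stable-ee',
                   maintainer_approved: true, appsec_approved: true),
  MergeRequest.new(iid: 3, target_branch: 'master',
                   maintainer_approved: true, appsec_approved: false),
  MergeRequest.new(iid: 4, target_branch: '12-9-stable-ee',
                   maintainer_approved: false, appsec_approved: true)
].freeze
```

MRs 3 and 4 are never selected because each is missing one of the two required approvals, regardless of the flag or the `master` option.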
To do
- Restore master option from ChatOps - gitlab-com/chatops!145 (merged)
- Modify merge --security task so that it only processes MRs targeting master if auto_deploy_on_security is enabled and master option is sent - gitlab-org/release-tools!1096 (merged)
- Modify merge --security task so that it only processes MRs targeting stable branches if auto_deploy_on_security is enabled. - gitlab-org/release-tools!1106 (merged)
- Test with --master flag and without it
Testing
- Execute /chatops run release merge --dry-run --security - https://ops.gitlab.net/gitlab-org/release/tools/-/jobs/1540914
- Verify it processes security issues and merge requests in batches
- Enable security_release_auto_deploy_experiment
- Execute /chatops run release merge --dry-run --security --master - https://ops.gitlab.net/gitlab-org/release/tools/-/jobs/1540925
- Verify it only processes security merge requests targeting master
- Execute /chatops run release merge --dry-run --security - https://ops.gitlab.net/gitlab-org/release/tools/-/jobs/1541027
- Verify it only processes security backports - https://ops.gitlab.net/gitlab-org/release/tools/-/jobs/1541027
- Disable the flag
Edited by Mayra Cabrera