Create mirroring structure for Canonical -> Security -> Build
Structure
Mirrors will go from their Canonical source (`gitlab.com/gitlab-org/whatever`) to a Security mirror (`gitlab.com/gitlab-org/security/whatever`), to Build (`dev.gitlab.org/gitlab/whatever`).
```mermaid
graph TD
  classDef canonical fill:#74bd3d,stroke:#333,stroke-width:1px
  classDef security fill:#ff7272,stroke:#333,stroke-width:1px
  classDef fade opacity:0.8,stroke-dasharray:4 4

  subgraph g-canonical[Canonical]
    subgraph g-c-protected[Protected branches]
      c-master(master)
      c-stable(stable)
      c-auto-deploy(auto-deploy)
    end
    c-feature(feature/some-new-feature)
    c-bug(15015-some-bug-fix)
  end

  subgraph g-security[Security]
    subgraph g-s-protected[Protected branches]
      s-master(master)
      s-stable(stable)
      s-auto-deploy(auto-deploy)
    end
    s-developer(security-fix-mermaid-xss)
    s-developer-backport(security-fix-mermaid-xss-backport)
  end

  subgraph g-build[Build]
    subgraph g-b-protected[Protected branches]
      b-master(master)
      b-stable(stable)
      b-auto-deploy(auto-deploy)
    end
  end

  c-master -->|push mirror| s-master
  c-stable -->|push mirror| s-stable
  c-auto-deploy -->|push mirror| s-auto-deploy
  s-master -->|push mirror| b-master
  s-stable -->|push mirror| b-stable
  s-auto-deploy -->|push mirror| b-auto-deploy

  class c-master,c-stable,c-auto-deploy canonical
  class s-master,s-stable,s-auto-deploy canonical
  class b-master,b-stable,b-auto-deploy canonical
  class c-feature,c-bug fade
  class s-developer,s-developer-backport fade
```
Note that Canonical will no longer go directly to Build, but rather always goes through Security.
We use Pull Mirroring for Canonical to Security so that we can selectively protect branches in Security and only get the three types of branches we care about (`master`, `X-Y-stable`, and `X-Y-auto-deploy-YYYYMMDD`), and then Push Mirroring from Security to Build. We use Push mirroring for all mirrors, using only protected branches.
This has a nice added side benefit in that we no longer mirror temporary development branches from Canonical to Build, so Build will only have the two types of branches we build from (`stable` and `auto-deploy`), plus `master`.
Projects
- gitlab-org/gitlab
- gitlab-org/gitlab-foss
- gitlab-org/omnibus-gitlab
- gitlab-org/gitlab-shell
- gitlab-org/gitlab-pages
- gitlab-org/gitaly
Procedure
- gitlab-org/gitlab
  - Add Canonical -> Security push mirror to https://gitlab.com/gitlab-org/gitlab/-/settings/repository
    - Username: `gitlab-bot`
    - Password: See gitlab-bot in Team vault
    - Branch prefix: none
    - Only protected branches: true
  - Add Security -> Build push mirror to https://gitlab.com/gitlab-org/security/gitlab/-/settings/repository
    - Username: `gitlab_pushbot`
    - Password: See gitlab_pushbot in Build vault
    - Only protected branches: true
  - Remove existing Canonical -> Build push mirror from https://gitlab.com/gitlab-org/gitlab/-/settings/repository
- gitlab-org/gitlab-foss
  - Add Canonical -> Security push mirror to https://gitlab.com/gitlab-org/gitlab-foss/-/settings/repository
    - Username: `gitlab-bot`
    - Password: See gitlab-bot in Team vault
    - Branch prefix: none
    - Only protected branches: true
  - Add Security -> Build push mirror to https://gitlab.com/gitlab-org/security/gitlab-foss/-/settings/repository
    - Username: `gitlab_pushbot`
    - Password: See gitlab_pushbot in Build vault
    - Only protected branches: true
  - Remove existing Canonical -> Build push mirror from https://gitlab.com/gitlab-org/gitlab-foss/-/settings/repository
- gitlab-org/omnibus-gitlab
  - Add Canonical -> Security push mirror to https://gitlab.com/gitlab-org/omnibus-gitlab/-/settings/repository
    - Username: `gitlab-bot`
    - Password: See gitlab-bot in Team vault
    - Branch prefix: none
    - Only protected branches: true
  - Add Security -> Build push mirror to https://gitlab.com/gitlab-org/security/omnibus-gitlab/-/settings/repository
    - Username: `gitlab_pushbot`
    - Password: See gitlab_pushbot in Build vault
    - Only protected branches: true
  - Remove existing Canonical -> Build push mirror from https://gitlab.com/gitlab-org/omnibus-gitlab/-/settings/repository
- gitlab-org/gitlab-shell
  - Add Canonical -> Security push mirror to https://gitlab.com/gitlab-org/gitlab-shell/-/settings/repository
    - Username: `gitlab-bot`
    - Password: See gitlab-bot in Team vault
    - Branch prefix: none
    - Only protected branches: true
  - Add Security -> Build push mirror to https://gitlab.com/gitlab-org/security/gitlab-shell/-/settings/repository
    - Username: `gitlab_pushbot`
    - Password: See gitlab_pushbot in Build vault
    - Only protected branches: true
  - Remove existing Canonical -> Build push mirror from https://gitlab.com/gitlab-org/gitlab-shell/-/settings/repository
- gitlab-org/gitlab-pages
  - Add Canonical -> Security push mirror to https://gitlab.com/gitlab-org/gitlab-pages/-/settings/repository
    - Username: `gitlab-bot`
    - Password: See gitlab-bot in Team vault
    - Branch prefix: none
    - Only protected branches: true
  - Add Security -> Build push mirror to https://gitlab.com/gitlab-org/security/gitlab-pages/-/settings/repository
    - Username: `gitlab_pushbot`
    - Password: See gitlab_pushbot in Build vault
    - Only protected branches: true
  - Remove existing Canonical -> Build push mirror from https://gitlab.com/gitlab-org/gitlab-pages/-/settings/repository
- gitlab-org/gitaly
  - Add Canonical -> Security push mirror to https://gitlab.com/gitlab-org/gitaly/-/settings/repository
    - Username: `gitlab-bot`
    - Password: See gitlab-bot in Team vault
    - Branch prefix: none
    - Only protected branches: true
  - Add Security -> Build push mirror to https://gitlab.com/gitlab-org/security/gitaly/-/settings/repository
    - Username: `gitlab_pushbot`
    - Password: See gitlab_pushbot in Build vault
    - Only protected branches: true
  - Remove existing Canonical -> Build push mirror from https://gitlab.com/gitlab-org/gitaly/-/settings/repository
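
A post-change check for the procedure above, as an added example that is not part of the original issue: it audits each project's push mirrors against the Canonical -> Security -> Build topology and flags a leftover direct Canonical -> Build mirror, a missing hop, or a mirror that is not restricted to protected branches. It assumes records with the `url`, `enabled` and `only_protected_branches` fields returned by GitLab's remote mirrors API (`GET /projects/:id/remote_mirrors`); the function names and sample records are constructed for illustration, and the Build path follows the page's `dev.gitlab.org/gitlab/whatever` pattern.

```python
from urllib.parse import urlsplit

# Expected next hop per tier, following the topology described on this page.
NEXT_HOP = {
    "canonical": ("gitlab.com", "/gitlab-org/security/{name}"),
    "security": ("dev.gitlab.org", "/gitlab/{name}"),
}

def audit_mirrors(tier, name, mirrors):
    """Return findings for one project's push mirrors (empty list = compliant)."""
    host, path_tpl = NEXT_HOP[tier]
    want = (host, path_tpl.format(name=name))
    findings, seen_expected = [], False
    for m in mirrors:
        u = urlsplit(m["url"])
        path = u.path[:-4] if u.path.endswith(".git") else u.path
        if (u.hostname, path) != want:
            # e.g. a leftover direct Canonical -> Build mirror
            findings.append(f"unexpected mirror target {u.hostname}{path}")
            continue
        seen_expected = True
        if not m.get("enabled"):
            findings.append("expected mirror is disabled")
        if not m.get("only_protected_branches"):
            findings.append("expected mirror pushes unprotected branches")
    if not seen_expected:
        findings.append(f"missing mirror to {want[0]}{want[1]}")
    return findings

def mirror(url, protected=True, enabled=True):
    return {"url": url, "enabled": enabled, "only_protected_branches": protected}

# Constructed sample records (mirror() is a hypothetical helper), not real API output.
SAMPLE = {
    ("canonical", "gitlab"): [
        mirror("https://*****:*****@gitlab.com/gitlab-org/security/gitlab.git"),
        mirror("https://*****:*****@dev.gitlab.org/gitlab/gitlab.git"),
    ],
    ("security", "gitlab"): [
        mirror("https://*****:*****@dev.gitlab.org/gitlab/gitlab.git", protected=False),
    ],
    ("canonical", "gitaly"): [],
}

def audit_all(sample):
    return {key: audit_mirrors(key[0], key[1], m) for key, m in sample.items()}

if __name__ == "__main__":
    for (tier, name), findings in audit_all(SAMPLE).items():
        print(tier, name, findings or "OK")
```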