Tagging (patch) releases messes up mirroring and the Merge Train
Today we ran into an issue where mirroring to dev stopped due to the following error:
13:close stream to gitaly-ruby: rpc error: code = Unknown desc = Gitlab::Git::CommandError: To
! refs/heads/12-8-stable:refs/heads/12-8-stable [remote rejected] (pre-receive hook declined)
! refs/heads/master:refs/heads/master [remote rejected] (pre-receive hook declined)
Done
warning: ignoring extra bitmap file: /var/opt/gitlab/git-data/repositories/@pools/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.git/objects/pack/pack-7807f035b7a29e88c61df14a79e2b844eebcbc5c.pack
remote: GitLab: You are not allowed to force push code to a protected branch on this project.
error: failed to push some refs to '[FILTERED]@dev.gitlab.org/gitlab/gitlabhq.git
Upon close inspection I found out there is a difference between the commits on the 12-8-stable branches. The branches are as follows:
- EE .com: https://gitlab.com/gitlab-org/gitlab/-/commits/12-8-stable-ee
- CE .com: https://gitlab.com/gitlab-org/gitlab-foss/-/commits/12-8-stable
- CE security: https://gitlab.com/gitlab-org/security/gitlab-foss/-/commits/12-8-stable
- CE dev: https://dev.gitlab.org/gitlab/gitlabhq/-/commits/12-8-stable
EE on .com has all the commits we'd expect. CE on .com is just a mirror of that, which means it has the same content but the wrong VERSION (#582 (closed) for more details). This seems to affect all our stable branches. Two examples:
- https://gitlab.com/gitlab-org/gitlab-foss/-/blob/12-8-stable/VERSION
- https://gitlab.com/gitlab-org/gitlab-foss/-/blob/12-6-stable/VERSION
The CE security repository will suffer from the same issue, since it's just a mirror of the public CE repository.
Which brings us to dev. On dev for some reason we still tag/update version files directly, as can be seen in https://dev.gitlab.org/gitlab/gitlabhq/-/commit/d18b43a5f5a1dbfeda474ac3e616682e2ebc6abc. This then results in two issues:
- VERSION is different in the repositories
- CE on dev will have commits not present in the repositories on .com, preventing mirroring from running
To resolve this I think we would have to:
- Simply strip
-ee
from VERSION in the Merge Train. I previously was not a fan of this, but I think there is no way around this. - Tag things only on the canonical public repositories. This obviously may introduce some issues for security releases, but it would ensure we always go from top to bottom; instead of having to merge things both directions.