`spp_scan_diffs` change management issue

Production Change

Change Summary

Rollout epic: gitlab-org&14313 (closed)

FF rollout issue: gitlab-org/gitlab#480092 (closed)

Implementation issue: gitlab-org/gitlab#469161 (closed)

Enabling the spp_scan_diffs feature flag limits Secret Push Protection to only scan the diffs that a user is pushing from their local repo, rather than the entire file. The old behavior (FF disabled) was causing pushes to be unexpectedly blocked when the file contains a secret but the secret is not part of the committed diffs. Only SSH and HTTP local-to-remote-repo user pushes are diff-scanned when the FF is enabled -- web protocol actions, including merges and reverts, merge trains, repo mirroring/syncing, and WebIDE pushes are scanned with the old behavior. See this comment for an explanation.

We would like to enable diff scanning feature flag on production for all .com projects on 2024-10-17 as per the SPP GA rollout timeline, starting at 15:00UTC (morning for @serenafang)

Change Details

1. Services Impacted - Git pushes over SSH and HTTP
2. Change Technician - @serenafang
3. Change Reviewer - @ayeung
4. Time tracking - 210
5. Downtime Component - 0

Set Maintenance Mode in GitLab

If your change involves scheduled maintenance, add a step to set and unset maintenance mode per our runbooks. This will make sure SLA calculations adjust for the maintenance period.

Detailed steps for the change

Change Steps - steps to take to execute the change

As suggested in the FF rollout issue, wait 15+ minutes between each percentage increase.

Estimated Time to Complete (mins) - 180

• Set label changein-progress /label ~change::in-progress
• /chatops run feature set spp_scan_diffs 1 --actors
• /chatops run feature set spp_scan_diffs 10 --actors
• /chatops run feature set spp_scan_diffs 25 --actors
• /chatops run feature set spp_scan_diffs 50 --actors
• /chatops run feature set spp_scan_diffs 75 --actors
• /chatops run feature set spp_scan_diffs true
• Set label changecomplete /label ~change::complete

Rollback

Rollback steps - steps to be taken in the event of a need to rollback this change

Estimated Time to Complete (mins) - 30

• /chatops run feature set spp_scan_diffs false
• Set label changeaborted /label ~change::aborted

Monitoring

https://log.gprd.gitlab.net/app/discover#/view/31afcbb2-28e9-466f-a6c3-486e869e1ee3?_g=h@97e8101&_a=h@7bc9fa1, https://log.gprd.gitlab.net/app/discover#/view/db7ba29d-d406-46df-8b43-e6d9c47fbed7?_g=h@725fc2c&_a=h@6262242

Key metrics to observe

• Metric: json.message.keyword: PUSH BLOCKED: Secrets detected in code changes
  • Location: https://log.gprd.gitlab.net/app/discover#/view/db7ba29d-d406-46df-8b43-e6d9c47fbed7?_g=h@725fc2c&_a=h@6262242
  • What changes to this metric should prompt a rollback: An abnormally high number of pushes blocked by SPP. The number varies day-to-day, but for reference, between 2024-10-07 and 2024-10-14, the highest number of pushes blocked per day was 16, though the number will increase as we make SPP generally available.

Change Reviewer checklist

C4 C3 C2 C1:

• Check if the following applies:
  • The scheduled day and time of execution of the change is appropriate.
  • The change plan is technically accurate.
  • The change plan includes estimated timing values based on previous testing.
  • The change plan includes a viable rollback plan.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.

C2 C1:

• Check if the following applies:
  • The complexity of the plan is appropriate for the corresponding risk of the change. (i.e. the plan contains clear details).
  • The change plan includes success measures for all steps/milestones during the execution.
  • The change adequately minimizes risk within the environment/service.
  • The performance implications of executing the change are well-understood and documented.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.
    • If not, is it possible (or necessary) to make changes to observability platforms for added visibility?
  • The change has a primary and secondary SRE with knowledge of the details available during the change window.
  • The change window has been agreed with Release Managers in advance of the change. If the change is planned for APAC hours, this issue has an agreed pre-change approval.
  • The labels blocks deployments and/or blocks feature-flags are applied as necessary.

Change Technician checklist

• Check if all items below are complete:
  • The change plan is technically accurate.
  • This Change Issue is linked to the appropriate Issue and/or Epic
  • Change has been tested in staging and results noted in a comment on this issue.
  • A dry-run has been conducted and results noted in a comment on this issue.
  • The change execution window respects the Production Change Lock periods.
  • For C1 and C2 change issues, the change event is added to the GitLab Production calendar.
  • For C1 and C2 change issues, the SRE on-call has been informed prior to change being rolled out. (In #production channel, mention @sre-oncall and this issue and await their acknowledgement.)
  • For C1 and C2 change issues, the SRE on-call provided approval with the eoc_approved label on the issue.
  • For C1 and C2 change issues, the Infrastructure Manager provided approval with the manager_approved label on the issue.
  • Release managers have been informed prior to any C1, C2, or blocks deployments change being rolled out. (In #production channel, mention @release-managers and this issue and await their acknowledgment.)
  • There are currently no active incidents that are severity1 or severity2
  • If the change involves doing maintenance on a database host, an appropriate silence targeting the host(s) should be added for the duration of the change.