Version pin security products in `.gitlab-ci.yml`

Problem to solve

Prevent the gitlab-ce/ee pipelines from failing at random whenever GitLab.com gets updated.

Further details

According to the documentation, RC1 on GitLab.com usually gets deployed before feature freeze. Inside `.gitlab-ci.yml`, the code_quality, sast and dependency_scanning jobs use the version corresponding to `$CI_SERVER_VERSION` as the Docker image tag. When RC1 is deployed, this can result in failed jobs for gitlab-ce/ee because that tag does not exist yet, as we saw in the last deployment for 11.4-rc1. For example https://gitlab.com/gitlab-org/gitlab-ce/-/jobs/104507536.

Proposal

Explicitly define the version

It is always best practice to version pin your upstream dependencies, so that nothing gets updated without the developer noticing. What might be our best option is having a SECURITY_PRODUCT_VERSION file, similar to GITLAB_WORKHORSE_VERSION, and reading the version from there.

Pros:

  • Control over the version
  • Explicit updates

Cons:

  • Must be updated manually every release (can be part of the release process for codequality).
  • Might be forgotten, like any other manual task.
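As an added example (not code from this issue or from the GitLab code base), the POSIX shell helper below shows how a job script could read the pinned tag from a SECURITY_PRODUCT_VERSION file and only fall back to deriving a tag from `$CI_SERVER_VERSION` when that file is absent. The `<major>-<minor>-stable` tag scheme, the file name and the registry path in the usage comment are assumptions for this example:

```shell
#!/bin/sh
# Added example: resolve the security-products image tag from a pinned version
# file, falling back to a tag derived from CI_SERVER_VERSION. Not the project's
# own code; the "<major>-<minor>-stable" scheme is assumed.

# Turn a GitLab version string such as "11.4.0-rc1" into "11-4-stable".
# Only the major and minor components are used, so an RC deploy on
# GitLab.com changes the derived tag before the new image tag exists.
derive_tag_from_server_version() {
  printf '%s\n' "$1" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/'
}

# Resolve the tag to use. $1 is the path of the pin file (assumed to be
# SECURITY_PRODUCT_VERSION in the repository root), $2 is CI_SERVER_VERSION.
# The pinned value wins whenever the file exists: updates then happen through
# an explicit commit instead of a server deployment.
resolve_security_product_tag() {
  pin_file="$1"
  server_version="$2"
  if [ -f "$pin_file" ]; then
    # Strip whitespace so a trailing newline in the file cannot break the tag.
    printf '%s\n' "$(tr -d '[:space:]' < "$pin_file")"
  else
    derive_tag_from_server_version "$server_version"
  fi
}

# Usage inside a job script (constructed; registry path is a placeholder):
#   SP_VERSION=$(resolve_security_product_tag SECURITY_PRODUCT_VERSION "$CI_SERVER_VERSION")
#   docker run ... "<security-products-registry>/codequality:$SP_VERSION"
```

With the pin file present, a GitLab.com RC deployment no longer changes which image tag the job pulls; the fallback keeps the current behaviour for forks that do not carry the file.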

Add to RM duties in the checklist

Add a checklist item to the release manager tasks to check with #g_verify that the tag is either deployed or copied.

Pros:

Cons:

  • Needs syncing across teams, which might result in a slow response.
  • One extra thing for the RM to check.
  • Seems like a gitlab-ce/ee-specific problem, not a GitLab product problem.

What does success look like, and how can we measure that?

(If no way to measure success, link to an issue that will implement a way to measure this)

Links / references