[meta] Define Runner security process
Overview
At the moment, when a security release is needed, we don't have a documented process, and most of the time we end up using some engineer's private fork, which is not a good position to be in.
Things to look at
- https://gitlab.com/gitlab-org/release/docs/-/tree/master/general%2Fsecurity
- Merge requests for confidential issues
Todos
- Create a security release issue: gitlab-org/ci-cd/runner-release-helper!44 (merged)
- Create protected branches on gitlab-org/gitlab-runner for security-* to prevent pushes
- Add Security Issue template to the Runner: !2298 (merged)
- Add Merge request template for the Runner: !2298 (merged)
- Update PROCESS.md to include links to https://gitlab.com/gitlab-org/release/docs/-/tree/master/general/security and specify what is different: !2322 (merged)
- Add security harness for Runner repository: !2315 (merged)
- Update changelog generator to accept the security label as its own scope
- Automatically release runner from tags created in private fork: #21301 (closed)
- Add CI/CD variables inside of security fork
- Don't create GitLab Release when creating tag from security release: !2314 (merged)
- Update helm chart release pipeline to work on security fork: gitlab-org/charts/gitlab-runner!252 (merged)
- Automatically push docker images to security registry when the security merge request is opened: #26643
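The "protected branches for security-*" item above needs a way to verify the protection actually blocks pushes. The following is an added example, not part of this issue or the Runner repository: it audits rules shaped like the GitLab protected-branches API output (a constructed sample is embedded) and builds the request body that would lock the pattern down. It assumes GitLab's wildcard rules match like shell globs and that access level 0 means "No one".

```python
"""Audit GitLab protected-branch rules for the security-* wildcard."""
from fnmatch import fnmatchcase

NO_ACCESS = 0     # GitLab access level "No one" (assumption documented in the lead-in)
MAINTAINER = 40   # GitLab access level "Maintainers"

# Constructed sample in the shape of GET /projects/:id/protected_branches.
# The security-* rule is deliberately weak: developers (30) may still push.
SAMPLE_RULES = [
    {"name": "main",
     "push_access_levels": [{"access_level": MAINTAINER}],
     "merge_access_levels": [{"access_level": MAINTAINER}],
     "allow_force_push": False},
    {"name": "security-*",
     "push_access_levels": [{"access_level": 30}],
     "merge_access_levels": [{"access_level": MAINTAINER}],
     "allow_force_push": False},
]

def rules_for(branch, rules):
    """Return every rule whose wildcard pattern covers `branch` (glob-style match, an assumption)."""
    return [r for r in rules if fnmatchcase(branch, r["name"])]

def push_is_blocked(rule):
    """True only if every push entry is 'No one' and force-push is disabled."""
    levels = [lvl["access_level"] for lvl in rule.get("push_access_levels", [])]
    return bool(levels) and all(lvl == NO_ACCESS for lvl in levels) \
        and not rule.get("allow_force_push", False)

def audit(branch, rules):
    """Return findings for `branch`; an empty list means direct pushes are blocked."""
    findings = []
    covering = rules_for(branch, rules)
    if not covering:
        findings.append(f"{branch}: no protected-branch rule matches")
    for rule in covering:
        if not push_is_blocked(rule):
            findings.append(f"{branch}: rule '{rule['name']}' still allows direct pushes")
    return findings

def fix_payload(pattern="security-*"):
    """Body for POST /projects/:id/protected_branches: nobody pushes, maintainers merge."""
    return {"name": pattern, "push_access_level": NO_ACCESS,
            "merge_access_level": MAINTAINER, "allow_force_push": False}

if __name__ == "__main__":
    for finding in audit("security-13-2", SAMPLE_RULES):
        print(finding)
    print("fix:", fix_payload())
```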
Maybes
- Update CI to automatically publish to GitLab registry, so AppSec team can easily test
Dev Log
- 2020-07-14: #21301 (comment 378984438)
- 2020-07-15: #21301 (comment 379730819)
- 2020-07-16: #21301 (comment 380564621)
Edited by Steve Xuereb