Replace x-y-stable docker images with major tag for Security Products
Problem to solve
For some of our tools (SAST, Dependency Scanning, License Management) the current process requires releasing a new x-y-stable docker image tag every month when a new version of GitLab is released. All these x-y-stable images are actually aliases of a major tag under the hood.
This process has a maintenance cost with no particular benefit now that the vendored templates ship within the GitLab Rails application, so we want to get rid of it.
Currently, when we release a new version of a tool:
- we publish a new semantic version with a git tag:
- we publish a corresponding docker image:
- we override the corresponding major docker image:
- we override the existing x-y-stable images that are (supposed to be) compatible with that major version:
And when there is a new monthly release of GitLab, we update the CI config to add a new job to publish a corresponding
For the Analyzers, we have quite a similar process but stop at step #3 and use the major tag matching the major version of the tool (SAST, DS). This is also being replaced by the non-DinD approach, which now has a dedicated job per analyzer that can directly use the analyzer's own version.
For DS and SAST, the DinD mode requires the major version of the tool to be kept in sync with the major version of the analyzers. With the removal of DinD this is no longer necessary, and each analyzer can then follow its own semantic versioning and have an independent major version too.
Ask customers to override the job definition to change the version they want to use.
DS_MAJOR_VERSION and directly use the major number here.
SAST_ANALYZER_IMAGE_TAG and directly use the major number here.
CS_MAJOR_VERSION and directly use the major number here.
Template: https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml (and the deprecated https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/License-Management.gitlab-ci.yml)
$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable and directly use the major number here.
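As an added illustration (not the template's actual content), this shows the License Scanning job with the x-y-stable tag described above, the same job pinned to a major tag, and a project-level override of the job definition selecting an exact version; the registry path, the version numbers and the script line are assumptions:

```yaml
# Added illustration only; the registry path, versions and script are assumed.

# Before: the tag follows the GitLab release, so a new x-y-stable tag must be
# pushed every month even though it only aliases a major tag.
license_scanning:
  stage: test
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/license-management:$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable"
    entrypoint: [""]
  script:
    - /run.sh analyze .
---
# After: the template pins the tool's major version directly. Only the major
# tag is published, so a GitLab release no longer needs a new image tag.
license_scanning:
  stage: test
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/license-management:2"
    entrypoint: [""]
  script:
    - /run.sh analyze .
---
# A project's own .gitlab-ci.yml: include the template, then override the job
# definition to pin the exact semantic version it wants (constructed value).
include:
  - template: Security/License-Scanning.gitlab-ci.yml

license_scanning:
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/license-management:2.3.1"
    entrypoint: [""]
```

The three YAML documents are separated with `---` only to keep the snippet valid as one file; in practice the first two are successive states of the template and the third lives in the project.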
Permissions and Security
- ensure documentation states the deprecation of x-y-stable docker images and related env variables and that support will be dropped in %13.0.
- update the release process doc in https://gitlab.com/gitlab-org/security-products/release
Availability & Testing
This will need thorough testing to make sure that the automated QA stays compatible.
What does success look like, and how can we measure that?
We publish docker images matching semantic versions of our tools (and keep pushing x-y-stable images too until we officially drop support for them in %13.0).