Check protected branches of Secure Test projects
Release notes
As discussed in #250333 (comment 417844979), we want to enforce that the master and *FREEZE branches of secure test projects are protected (see https://docs.gitlab.com/ee/api/protected_branches.html#protect-repository-branches).
Any other conventions could be checked, and should be documented accordingly.
Problem to solve
It was noted that some secure test projects under https://gitlab.com/gitlab-org/security-products/tests/ did not have protected status on their master and *FREEZE branches.
It was proposed that a lint step could alert on this so that the non-compliant projects can be fixed.
The lint job could be run as part of the Secure Test Project Orchestrator: https://gitlab.com/gitlab-org/quality/ci/secure-test-project-orchestrator/
Intended users
User experience goal
The user should be alerted that a secure test project has non-protected branches.
Any other identified conventions that are not being met should also show.
Proposal
The Secure Test Project Orchestrator could have a job that iterates over all the secure test projects and checks the protected status of the master and *FREEZE branches. Like the existing dynamic child pipeline, this job would use the GitLab API.
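The check logic such a job would apply, as an added example rather than code from the orchestrator project. It runs against hand-written sample payloads shaped like the responses of GET /projects/:id/repository/branches and GET /projects/:id/protected_branches; the project paths are hypothetical and nothing is fetched over the network.

```python
"""Lint secure test projects for unprotected master / *FREEZE branches.

Constructed example: the payloads below are hand-written samples shaped like
the GitLab API responses for GET /projects/:id/repository/branches and
GET /projects/:id/protected_branches. No network calls are made.
"""
from fnmatch import fnmatch

# Convention from the issue: branches matching these patterns must be protected.
REQUIRED_PATTERNS = ("master", "*FREEZE")


def is_convention_branch(name):
    """True if the branch is one the convention says must be protected."""
    return any(fnmatch(name, pat) for pat in REQUIRED_PATTERNS)


def is_protected(name, protected_entries):
    """Protected-branch entries may be wildcards (e.g. '*FREEZE'), so match with fnmatch."""
    return any(fnmatch(name, entry["name"]) for entry in protected_entries)


def unprotected_convention_branches(branches, protected_entries):
    """Return convention branches (master, *FREEZE) that no protected entry covers."""
    return sorted(
        b["name"] for b in branches
        if is_convention_branch(b["name"]) and not is_protected(b["name"], protected_entries)
    )


def lint(projects):
    """Map project path -> offending branches; an empty dict means every project complies."""
    report = {}
    for project in projects:
        bad = unprotected_convention_branches(project["branches"], project["protected_branches"])
        if bad:
            report[project["path_with_namespace"]] = bad
    return report


# Constructed sample data with hypothetical project paths.
SAMPLE_PROJECTS = [
    {   # master protected by an exact entry, the FREEZE branch by a wildcard entry
        "path_with_namespace": "gitlab-org/security-products/tests/example-compliant",
        "branches": [{"name": "master"}, {"name": "12-10-FREEZE"}, {"name": "feature-x"}],
        "protected_branches": [{"name": "master"}, {"name": "*FREEZE"}],
    },
    {   # a FREEZE branch exists but only master is protected
        "path_with_namespace": "gitlab-org/security-products/tests/example-noncompliant",
        "branches": [{"name": "master"}, {"name": "13-0-FREEZE"}],
        "protected_branches": [{"name": "master"}],
    },
]

if __name__ == "__main__":
    for path, bad in lint(SAMPLE_PROJECTS).items():
        print(f"{path}: unprotected convention branches: {', '.join(bad)}")
```

In a real job the same functions would be fed the two API responses per project, and a non-empty report would fail the pipeline.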
Further details
Permissions and Security
Documentation
Any conventions identified should be documented; the protected-branch convention is already documented at https://gitlab.com/gitlab-org/security-products/tests/common#project-content
Availability & Testing
This will be a job within the secure test orchestrator.
What does success look like, and how can we measure that?
Projects that do not align to protected branch conventions (and other identified conventions) are reported. Once fixed, the lint job within the pipeline should pass with no projects being out of compliance.
What is the type of buyer?
Secure team
Is this a cross-stage feature?
Secure team