[Feature flag] Rollout of `non_public_artifacts`
Summary
This issue is to roll out [Add artifact visibility settings][#223273 (closed)] on production,
that is currently behind the non_public_artifacts
feature flag.
Remove the :non_public_artifacts
feature flag introduced by !49775 (merged)
Owners
- Team: grouppipeline security
- Most appropriate slack channel to reach out to:
#g_pipeline-security
- Best individual to reach out to:
@mattkasa
Expectations
What are we expecting to happen?
Using artifacts:public
in .gitlab-ci.yml
and setting it to public: false
should deny access to download artifacts (only job_artifacts_archive
/archive.zip
) to guests and anonymous users of public projects even if pipelines are public. This allows users to specify artifacts that are needed for the pipeline but are not fit for public consumption (for instance, intermediary build artifacts or artifacts containing sensitive information).
What might happen if this goes wrong?
We don't expect this to impact existing behavior, it is opt-in using .gitlab-ci.yml
, but does change some database queries by adding joins, related to listing pipelines and jobs:
Ci::Build.with_project_and_metadata
Ci::JobArtifact.with_job
What can we monitor to detect problems with this?
- PostgreSQL Overview
- Errors in Sentry
Beta groups/projects
This is an instance wide feature flag out of necessity since it is protecting the existing behavior of two has_many
scopes that are modified to enable this feature.
Roll Out Steps
-
Confirm that QA tests pass with the feature flag enabled (if you're unsure how, contact the relevant stable counterpart in the Quality department) -
Enable on staging ( /chatops run feature set non_public_artifacts true --staging
) -
Test on staging -
Ensure that documentation has been updated -
Deploy the feature flag at a percentage (recommended percentage: 50%) with /chatops run feature set non_public_artifacts <rollout-percentage> --actors --dev --staging --staging-ref
-
Monitor that the error rates did not increase (repeat with a different percentage as necessary).
-
Enable the feature globally on non-production environments with /chatops run feature set non_public_artifacts true --dev --staging --staging-ref
-
Verify that the feature works as expected. The best environment to validate the feature in is staging-canary
as this is the first environment deployed to. Make sure you are configured to use canary. -
If the feature flag causes end-to-end tests to fail, disable the feature flag on staging to avoid blocking deployments.
For assistance with end-to-end test failures, please reach out via the #quality
Slack channel. Note that end-to-end test failures on staging-ref
don't block deployments.
Specific rollout on production
For visibility, all /chatops
commands that target production should be executed in the #production
Slack channel
and cross-posted (with the command results) to the responsible team's Slack channel.
- Ensure that the feature MRs have been deployed to both production and canary with
/chatops run auto_deploy status <merge-commit-of-your-feature>
-
Depending on the type of actor you are using, pick one of these options: - For project-actor:
/chatops run feature set --project=gitlab-org/gitlab,gitlab-org/gitlab-foss,gitlab-com/www-gitlab-com non_public_artifacts true
- For group-actor:
/chatops run feature set --group=gitlab-org,gitlab-com non_public_artifacts true
- For user-actor:
/chatops run feature set --user=<your-username> non_public_artifacts true
- For project-actor:
-
Verify that the feature works for the specific actors.
Preparation before global rollout
-
Set a milestone to this rollout issue to signal for enabling and removing the feature flag when it is stable. -
Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does. -
Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall
Slack alias. -
Ensure that documentation exists for the feature, and the version history text has been updated. -
Leave a comment on [the feature issue][main-issue] announcing estimated time when this feature flag will be enabled on GitLab.com. -
Ensure that any breaking changes have been announced following the release post process to ensure GitLab customers are aware. -
Notify the #support_gitlab-com
Slack channel and your team channel (more guidance when this is necessary in the dev docs). -
Ensure that the feature flag rollout plan is reviewed by another developer familiar with the domain.
Global rollout on production
For visibility, all /chatops
commands that target production should be executed in the #production
Slack channel
and cross-posted (with the command results) to the responsible team's Slack channel (#g_TEAM_NAME
).
-
(Optional) Incrementally roll out the feature on production environment. - Between every step wait for at least 15 minutes and monitor the appropriate graphs on https://dashboards.gitlab.net.
- Perform actor-based rollout:
/chatops run feature set non_public_artifacts <rollout-percentage> --actors
-
Enable the feature globally on production environment: /chatops run feature set non_public_artifacts true
-
Observe appropriate graphs on https://dashboards.gitlab.net and verify that services are not affected. -
Leave a comment on [the feature issue][main-issue] announcing that the feature has been globally enabled. -
Wait for at least one day for the verification term.
(Optional) Release the feature with the feature flag
WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.
See instructions if you're sure about enabling the feature globally through the feature flag definition
If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:
-
Create a merge request with the following changes. Ask for review and merge it. -
Set the default_enabled
attribute in the feature flag definition totrue
. -
Decide which changelog entry is needed.
-
-
Ensure that the default-enabling MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post: /chatops run release check <merge-request-url> <milestone>
-
Consider cleaning up the feature flag from all environments by running these chatops command in #production
channel. Otherwise these settings may override the default enabled:/chatops run feature delete non_public_artifacts --dev --staging --staging-ref --production
-
Close [the feature issue][main-issue] to indicate the feature will be released in the current milestone. -
Set the next milestone to this rollout issue for scheduling the flag removal. -
(Optional) You can create a separate issue for scheduling the steps below to Release the feature. -
Set the title to "[Feature flag] Cleanup non_public_artifacts
". -
Execute the /copy_metadata <this-rollout-issue-link>
quick action to copy the labels from this rollout issue. -
Link this rollout issue as a related issue. -
Close this rollout issue.
-
Release the feature
After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.
You can either create a follow-up issue for Feature Flag Cleanup or use the checklist below in this same issue.
-
Create a merge request to remove the non_public_artifacts
feature flag. Ask for review/approval/merge as usual. The MR should include the following changes:- Remove all references to the feature flag from the codebase.
- Remove the YAML definitions for the feature from the repository.
- Create a changelog entry.
-
Ensure that the cleanup MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post: /chatops run release check <merge-request-url> <milestone>
-
Close [the feature issue][main-issue] to indicate the feature will be released in the current milestone. -
Clean up the feature flag from all environments by running these chatops command in #production
channel:/chatops run feature delete non_public_artifacts --dev --ops --pre --staging --staging-ref --production
-
Close this rollout issue.
Rollback Steps
-
This feature can be disabled by running the following Chatops command:
/chatops run feature set non_public_artifacts false