Warn when analyzer changelog is updated without a new release
Problem to solve
The analyzer changelog for gemnasium was updated as part of "Ensure filename and dirnames are sorted"; however, a new version of the analyzer was not released, as described here. This happens often enough that we should create some type of automated Slack or email warning when the changelog version for an analyzer is updated but a new version of the analyzer is not released within a configurable threshold, possibly 4 hours.
Proposal
Create a scheduled job that periodically checks the most recent version in the changelog of each analyzer and, if no git tag matching that version exists, sends a Slack alert to the #s_secure-alerts channel mentioning the user who updated the changelog.
Alternatively, we could perform the check in the pipeline for the default branch and trigger that pipeline on a regular basis (using scheduled pipelines). The pipeline would fail if the latest git tag doesn't match the latest changelog entry, and project maintainers would be notified on Slack. This would be a "broken master" situation. The default-branch pipeline could also be used to rebuild the Docker image on a regular basis, but this is not necessary; right now it's only used to ensure that the default branch is healthy.
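The following is an added example of the pipeline-based variant, not code from any analyzer project. It assumes the changelog uses headings of the form `## v2.3.4` with the newest entry first, that release tags look like `v2.3.4`, that the 4-hour grace period from the problem statement is configurable through a `THRESHOLD_SECONDS` variable, and that an optional Slack incoming webhook is available as `SLACK_WEBHOOK_URL`; the `RUN_RELEASE_CHECK` guard is likewise an assumption so the functions can be sourced without running the check.

```shell
#!/usr/bin/env bash
# Added example (not the analyzer projects' own CI code): fail a scheduled
# pipeline when the newest CHANGELOG.md entry has no matching git tag.
# Assumptions, not taken from the issue: changelog headings look like
# "## v2.3.4" with the newest entry first, and release tags look like "v2.3.4".
set -eu

# Newest version in the changelog, e.g. "2.3.4" (empty if no heading is found).
latest_changelog_version() {
  awk '/^## v?[0-9]+\.[0-9]+\.[0-9]+/ { sub(/^## v?/, ""); print $1; exit }' "$1"
}

# Succeeds if the newline-separated tag list on stdin contains v<version>.
has_tag_for() {
  grep -qxF "v$1"
}

# check_release CHANGELOG TAGS CHANGED_AT [NOW]
#   CHANGELOG  path to the changelog file
#   TAGS       newline-separated tag list (output of `git tag --list 'v*'`)
#   CHANGED_AT unix time of the last commit that touched the changelog
#   NOW        unix time to compare against (defaults to the current time)
# Returns 0 when released or still inside the grace period, 1 when overdue,
# 2 when the changelog has no parseable version heading.
check_release() {
  changelog="$1"; tags="$2"; changed_at="$3"; now="${4:-$(date +%s)}"
  threshold="${THRESHOLD_SECONDS:-14400}"   # 4 hours, as suggested in the issue

  version=$(latest_changelog_version "$changelog")
  if [ -z "$version" ]; then
    echo "error: no version heading found in $changelog" >&2
    return 2
  fi
  if printf '%s\n' "$tags" | has_tag_for "$version"; then
    echo "ok: v$version is tagged"
    return 0
  fi
  if [ $((now - changed_at)) -lt "$threshold" ]; then
    echo "pending: $changelog lists $version; tag v$version may still be in progress"
    return 0
  fi
  echo "error: $changelog lists $version but no tag v$version exists after ${threshold}s" >&2
  return 1
}

# Optional Slack notification through an incoming webhook (assumed to be set
# as the SLACK_WEBHOOK_URL CI variable). GitLab's own Slack integration already
# reports the failed pipeline, so this only adds the "who to ping" detail.
notify_slack() {
  [ -n "${SLACK_WEBHOOK_URL:-}" ] || return 0
  curl -sSf -X POST -H 'Content-type: application/json' \
    --data "{\"text\": \"$1\"}" "$SLACK_WEBHOOK_URL" >/dev/null
}

# Entry point for the scheduled pipeline job (skipped when the file is sourced).
if [ "${RUN_RELEASE_CHECK:-0}" = 1 ]; then
  changed_at=$(git log -1 --format=%ct -- CHANGELOG.md)
  author=$(git log -1 --format=%ae -- CHANGELOG.md)   # who last updated the changelog
  if ! check_release CHANGELOG.md "$(git tag --list 'v*')" "$changed_at"; then
    notify_slack "CHANGELOG.md in ${CI_PROJECT_PATH:-this project} was updated by $author but no release was tagged"
    exit 1
  fi
fi
```

In a scheduled pipeline the job would run `RUN_RELEASE_CHECK=1 ./check-release.sh` from a checkout with tags fetched (`git fetch --tags`); the grace period keeps a release that is merely in progress from failing the default-branch pipeline, which is what makes the scheduled run safe to repeat every hour or so.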
Intended users
Who will use this feature? If known, include any of the following: types of users (e.g. Developer), personas, or specific company roles (e.g. Release Manager). It's okay to write "Unknown" and fill this field in later.
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
User experience goal
Warn developers if they forget to release an analyzer
Further details
This check helps ensure that a new analyzer version is released whenever the changelog is updated.
Availability & Testing
Manually test the feature: update an analyzer changelog without releasing a new analyzer version, and confirm that an alert is sent on Slack once the threshold time has elapsed.
What does success look like, and how can we measure that?
If the changelog version for an analyzer is updated but a new analyzer is not released within the threshold time, an alert is sent on Slack.
What is the type of buyer?
Enterprise Edition GitLab Ultimate
Is this a cross-stage feature?
Initially this will only affect ~"Category:Dependency Scanning", but it might be added to other groups in the future.