Support changelog trailers in sast-rules
Proposal
In order to facilitate Automate semgrep release process (#438939 - closed), we first need to support changelog trailers in sast-rules.
The current release process for sast-rules is as follows:
- Rules are added and edited in MRs and merged without a changelog entry
- A new release MR is created which contains an updated changelog entry for the new rule addition
- Once the sast-rules maintainers feel enough work has been done to release, the release MR is merged and the release job is manually triggered.
The purpose of the above process is to allow multiple developers to add new rules without encountering merge conflicts in the changelog file.
We can automate this process by using changelog trailers, which is the purpose of this issue.
Implementation Plan
- Update the sast-rules CHANGELOG.md file to work around this limitation of changelog trailers. We need to do either of the following:
  - remove all leading v characters from the version values in CHANGELOG.md
  - archive the existing CHANGELOG.md file (for example, rename it to CHANGELOG.old.md) and create a new CHANGELOG.md file

  In my opinion, the first option is preferable.
- Add a new CI job to sast-rules to ensure that a changelog trailer is provided when a new rule is added, and that the changelog is formatted as expected. In order to allow us to eventually close the corresponding sast-rules issues, the changelog trailer will need to contain a link to the corresponding issue, for example:

  ```
  Changelog: added
  Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/435113
  ```

  The following custom .gitlab/changelog_config.yml file can be used:

  ```yaml
  ---
  template: |
    {% if categories %}
    {% each categories %}
    ### {{ title }} ({% if single_change %}1 change{% else %}{{ count }} changes{% end %})

    {% each entries %}
    - [{{ title }}]({{ commit.reference }})\
    {% if author.credit %} by {{ author.reference }}{% end %}\
    {% if merge_request %} ([merge request]({{ merge_request.reference }})){% end %}\
    {% if commit.trailers.Issue %} ([issue]({{ commit.trailers.Issue }})){% end %}

    {% end %}

    {% end %}
    {% else %}
    No changes.
    {% end %}
  ```

  This will produce the following changelog entries:

  ```markdown
  ## 1.0.2 (2024-02-26)

  ### added (1 change)

  - [Add new crypto hashing rule](adamcohen/sast-rules-automation@e42416871457c9663bd01c3c17bb396ec5ffe806) ([merge request](adamcohen/sast-rules-automation!3)) ([issue](https://gitlab.com/gitlab-org/gitlab/-/issues/440377))

  ### changed (1 change)

  - [Enhance python rule 2](adamcohen/sast-rules-automation@a2fc4ecad267af18dcdbf9748a5f105ec633a476) ([merge request](adamcohen/sast-rules-automation!2)) ([issue](https://gitlab.com/gitlab-org/gitlab/-/issues/435918))
  ```

  The new CI job should ensure that if a changelog trailer is provided, the Issue value is also present.
- Add a new manually triggered CI job to sast-rules which creates a new changelog entry with a bumped version and any rule additions/changes/removals which have a changelog trailer.
- (optional) Add a new scheduled pipeline to trigger the manual CI job added in step 2 once per week.
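As an added example of the validation the new CI job in step 2 needs to perform (this is illustrative code, not the sast-rules project's own job), the script below checks that any commit carrying a Changelog trailer also carries an Issue trailer that links to a gitlab.com issue. It assumes trailers are "Key: value" lines in the commit message, and uses the predefined CI_MERGE_REQUEST_DIFF_BASE_SHA and CI_COMMIT_SHA variables to find the MR's commits.

```shell
#!/bin/sh
# Added example (not the sast-rules project's own CI code) of the step 2 check:
# a commit that carries a "Changelog:" trailer must also carry an "Issue:" trailer
# that links to a gitlab.com issue. Assumes trailers are "Key: value" lines at the
# start of a line in the commit message, as git's trailer convention expects.

# check_trailers MESSAGE -> 0 if the commit message is acceptable, 1 otherwise.
check_trailers() {
    msg=$1
    changelog=$(printf '%s\n' "$msg" | sed -n 's/^Changelog:[[:space:]]*//p' | tail -n 1)
    issue=$(printf '%s\n' "$msg" | sed -n 's/^Issue:[[:space:]]*//p' | tail -n 1)

    # Nothing to enforce when the commit does not ask for a changelog entry.
    if [ -z "$changelog" ]; then
        return 0
    fi

    if [ -z "$issue" ]; then
        echo "Changelog trailer '$changelog' present but Issue trailer is missing" >&2
        return 1
    fi

    # The Issue value must be a link to a gitlab.com issue, not a bare number.
    if ! printf '%s\n' "$issue" | grep -Eq '^https://gitlab\.com/[^[:space:]]+/-/issues/[0-9]+$'; then
        echo "Issue trailer is not a gitlab.com issue URL: $issue" >&2
        return 1
    fi
    return 0
}

# check_range BASE HEAD -> runs check_trailers over every commit in BASE..HEAD
# and fails if any commit is rejected. In a merge request pipeline the job calls:
#   check_range "$CI_MERGE_REQUEST_DIFF_BASE_SHA" "$CI_COMMIT_SHA"
check_range() {
    status=0
    for sha in $(git rev-list "$1..$2"); do
        if ! check_trailers "$(git log -1 --format=%B "$sha")"; then
            echo "commit $sha: fix the trailers reported above" >&2
            status=1
        fi
    done
    return $status
}
```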