Support changelog trailers in sast-rules

Proposal

In order to facilitate "Automate semgrep release process" (#438939, closed), we first need to support changelog trailers in sast-rules.

The current release process for sast-rules is as follows:

  1. Rules are added and edited in MRs and merged without a changelog entry
  2. A new release MR is created which contains an updated changelog entry for the new rule addition
  3. Once the sast-rules maintainers feel enough work has been done to release, the release MR is merged and the release job is manually triggered.

The purpose of the above process is to allow multiple developers to add new rules without encountering merge conflicts in the changelog file.

We can automate this process by using changelog trailers, which is the purpose of this issue.

Implementation Plan

  1. Update the sast-rules CHANGELOG.md file to work around the version-format limitation of changelog trailers.

    We need to do one of the following:

    • remove all leading v characters from the version values in CHANGELOG.md.
    • archive the existing CHANGELOG.md file (for example, rename it to CHANGELOG.old.md) and create a new CHANGELOG.md file.

    In my opinion, the first option is preferable.

  2. Add a new CI job to sast-rules to ensure that a changelog trailer is provided when a new rule is added, and that the changelog is formatted as expected.

    In order to allow us to eventually close the corresponding sast-rules issues, the changelog trailer will need to contain a link to the corresponding issue, for example:

    Changelog: added
    Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/435113

    The following custom .gitlab/changelog_config.yml file can be used:

    ---
    template: |
      {% if categories %}
      {% each categories %}
      ### {{ title }} ({% if single_change %}1 change{% else %}{{ count }} changes{% end %})
    
      {% each entries %}
      - [{{ title }}]({{ commit.reference }})\
      {% if author.credit %} by {{ author.reference }}{% end %}\
      {% if merge_request %} ([merge request]({{ merge_request.reference }})){% end %}\
      {% if commit.trailers.Issue %} ([issue]({{ commit.trailers.Issue }})){% end %}
    
      {% end %}
    
      {% end %}
      {% else %}
      No changes.
      {% end %}

    This will produce the following changelog entries:

    ## 1.0.2 (2024-02-26)

    ### added (1 change)

    - [Add new crypto hashing rule](adamcohen/sast-rules-automation@e42416871457c9663bd01c3c17bb396ec5ffe806) ([merge request](adamcohen/sast-rules-automation!3)) ([issue](https://gitlab.com/gitlab-org/gitlab/-/issues/440377))

    ### changed (1 change)

    - [Enhance python rule 2](adamcohen/sast-rules-automation@a2fc4ecad267af18dcdbf9748a5f105ec633a476) ([merge request](adamcohen/sast-rules-automation!2)) ([issue](https://gitlab.com/gitlab-org/gitlab/-/issues/435918))

    The new CI job should ensure that if a changelog trailer is provided, that the Issue value is also present.

  3. Add a new manually triggered CI job to sast-rules which creates a new changelog entry with a bumped version and any rule additions/changes/removals which have a changelog trailer.

  4. (optional) Add a new scheduled pipeline to trigger the manual CI job added in step 3 once per week.
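As an added illustration of the check in step 2 (example code, not part of sast-rules or this issue), the script below parses the trailer block of a commit message and, whenever a `Changelog:` trailer is present, requires an `Issue:` trailer that points at a gitlab.com issue. It assumes sast-rules uses GitLab's default changelog categories; the sample commit messages are constructed.

```python
import re

# GitLab's default changelog categories (assumption: sast-rules does not override them).
CATEGORIES = {"added", "fixed", "changed", "deprecated", "removed",
              "security", "performance", "other"}
# Only accept links to gitlab.com issues, as the proposal requires.
ISSUE_URL = re.compile(r"^https://gitlab\.com/[\w./-]+/-/issues/\d+$")
TRAILER = re.compile(r"^([A-Za-z][\w-]*): (.+)$")


def parse_trailers(message: str) -> dict:
    """Return the `Key: value` trailers found in the last paragraph of a commit message."""
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    if len(paragraphs) < 2:
        return {}  # subject only, so there is no trailer block
    trailers = {}
    for line in paragraphs[-1].splitlines():
        match = TRAILER.match(line.strip())
        if not match:
            return {}  # last paragraph is body text, not a trailer block
        trailers[match.group(1)] = match.group(2).strip()
    return trailers


def check_changelog_trailers(message: str) -> list:
    """Return the problems found; an empty list means the commit passes the check."""
    trailers = parse_trailers(message)
    changelog = trailers.get("Changelog")
    if changelog is None:
        return []  # not a changelog commit, nothing to enforce
    problems = []
    if changelog not in CATEGORIES:
        problems.append(f"unknown Changelog category {changelog!r}")
    issue = trailers.get("Issue")
    if issue is None:
        problems.append("Changelog trailer present but Issue trailer is missing")
    elif not ISSUE_URL.match(issue):
        problems.append(f"Issue trailer is not a gitlab.com issue URL: {issue!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a rule addition with both trailers, as the proposal expects.
    sample = ("Add new crypto hashing rule\n\n"
              "Changelog: added\n"
              "Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/440377\n")
    print(check_changelog_trailers(sample) or "ok")
```

In the CI job, run the check over each commit in the merge request range (for example `git log --format=%B -1 <sha>` for every sha in `$CI_MERGE_REQUEST_DIFF_BASE_SHA..HEAD`) and fail the job if any commit returns problems.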

/cc @twoodham @wayne @craigmsmith @idawson

Edited by Adam Cohen