Fix Broken Master Branch in Gemnasium
Description
The master branch of Gemnasium is currently broken due to two main issues: the absence of curl in the FIPS image and a 403 error causing the danger-review job to fail. These issues need to be addressed to restore the functionality of the master branch pipeline.
Problem
- The Gemnasium pipeline is failing since merging changes to base the final image on UBI-Micro because the FIPS image no longer contains curl. This causes the test-custom-ca-bundle FIPS downstream test to fail.
  Error log:
    wget/curl not found, attempting to install 'wget'..
    /check-cert.sh: line 40: wget: command not found
    installation for this OS variant is not implemented. Variant info: NAME="Red Hat Enterprise Linux"
- The danger-review job is failing due to a 403 error, likely related to token expiration issues.
  Job log: https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/jobs/6848548318
- The upsert git tag job is failing with the following error:
    You are not allowed to create this tag as it is protected
Solution
- Install curl in FIPS Docker Image:
  - Modify the Dockerfile for the FIPS image to include curl.
  - Verify that the test-custom-ca-bundle FIPS downstream test passes with the updated image.
- Resolve danger-review 403 Error:
  - Investigate the cause of the 403 error in the danger-review job.
  - Update the token or adjust the job configuration to resolve the 403 error.
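One way to add curl to an image based on UBI-Micro, which ships without a package manager, is to install it from a full UBI build stage into a separate root filesystem. This is an added example, not the Gemnasium Dockerfile; the image names, the UBI major version and the /mnt/rootfs path are assumptions.

```dockerfile
# Added example, not the Gemnasium Dockerfile. Image names, the UBI major
# version and the /mnt/rootfs path are assumptions chosen for illustration.
ARG UBI_VERSION=9

# ubi-micro has no dnf/microdnf, so packages are installed from a full
# UBI stage into a root filesystem that becomes the final image.
FROM registry.access.redhat.com/ubi${UBI_VERSION}/ubi-micro AS base
FROM registry.access.redhat.com/ubi${UBI_VERSION}/ubi AS build
ARG UBI_VERSION

# Start from the ubi-micro filesystem so its RPM database stays consistent
# with what is actually installed in the final image.
COPY --from=base / /mnt/rootfs

# Install only curl and the CA trust store, with no weak dependencies or
# docs, then drop package caches so they do not end up in the image.
RUN dnf install -y \
      --installroot /mnt/rootfs \
      --releasever "${UBI_VERSION}" \
      --setopt install_weak_deps=false \
      --nodocs \
      curl ca-certificates \
 && dnf clean all --installroot /mnt/rootfs \
 && rm -rf /mnt/rootfs/var/cache/* /mnt/rootfs/var/log/dnf*

# Fail the build early if the binary the CA-bundle check looks for is
# missing, instead of finding out in a downstream test job.
RUN test -x /mnt/rootfs/usr/bin/curl

# The final image contains only the prepared root filesystem.
FROM scratch
COPY --from=build /mnt/rootfs/ /
```

Because the final stage starts from scratch, any labels, environment variables or entrypoint the image needs must be declared again after the COPY.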
Implementation Plan
- Modify FIPS Docker Image:
  - Update the Dockerfile to install curl in the FIPS image.
  - Create a Merge Request with these changes.
  - Ensure the test-custom-ca-bundle FIPS downstream test passes.
- Fix danger-review Job:
  - Investigate the 403 error in the danger-review job.
  - Update the token or adjust the job configuration as needed.
  - Verify that the danger-review job completes successfully. https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/jobs/6849637297+s
- Fix upsert git tag job: This is broken due to a permission issue.
Tasks
- Update the FIPS Dockerfile to include curl.
- Create MR with the updated Dockerfile.
- Ensure the test-custom-ca-bundle FIPS downstream test passes.
- Investigate the 403 error in the danger-review job.
- Update the token or job configuration to fix the 403 error.
- Verify that the danger-review job completes successfully.
- Merge changes and verify the master pipeline passes.
Workaround
- If releasing a new version of Gemnasium, manually create a release that matches the latest version in the changelog.
- Go to Releases -> New Release.
- For the tag name create a new tag. For example, if the latest version in the changelog is v5.1.2 then you should use v5.1.2 as the new tag.
- Copy the changelog notes to the release notes, and submit by clicking on Create release.