Bug: Geo secondary `ReadOnlySqlTransaction` for `CreateOrUpdateDefaultTrackedContextWorker`
### Summary
On a Geo secondary site, the worker
`Security::ProjectTrackedContexts::CreateOrUpdateDefaultTrackedContextWorker`
fails with `PG::ReadOnlySqlTransaction` when handling `Repositories::DefaultBranchChangedEvent`.
The worker attempts to `UPDATE` `security_project_tracked_contexts` on the `sec` database (`gitlabhq_development_sec` in the example) while the secondary’s `sec` database is in read-only mode, causing repeated Sidekiq retries.
This appears to be a Geo-unaware security worker running on secondaries.
My GDK's running latest `master`. I don't know when this bug started sadly.
### What is the current *bug* behavior?
`Geo::EventWorker` on the secondary invokes
`Security::ProjectTrackedContexts::CreateOrUpdateDefaultTrackedContextWorker` for `Repositories::DefaultBranchChangedEvent`.
Because the secondary’s sec DB is read-only, PostgreSQL raises:
```
PG::ReadOnlySqlTransaction: ERROR: cannot execute UPDATE in a read-only transaction
```
The Sidekiq job is retried multiple times (in the example, `retry_count: 8` and `retry: 25`).
This is similar in nature to other non–Geo-aware components that try to write on secondaries (multiple prior bugs).
This creates:
- Noise and confusion in logs: repeated `PG::ReadOnlySqlTransaction` errors from security workers on secondaries.
- Potential side effects on Geo if error volume grows (e.g. noisy alerts, harder troubleshooting).
### What is the expected *correct* behavior?
The worker does not run on secondary sites.
### Relevant logs and/or screenshots
```
{
"severity": "WARN",
"time": "2026-03-06T10:12:24.155Z",
"retry": 25,
"queue": "default",
"backtrace": true,
"version": 0,
"args": [
"Repositories::DefaultBranchChangedEvent",
"{\"container_id\"=>120, \"container_type\"=>\"Project\"}"
],
"class": "Security::ProjectTrackedContexts::CreateOrUpdateDefaultTrackedContextWorker",
"jid": "bf6d748d8b594ce113331423",
"correlation_id": "01KHP1KVQ4PYGZBQGT56FVP7EV",
"meta.feature_category": "vulnerability_management",
"meta.caller_id": "Geo::EventWorker",
"meta.root_caller_id": "Geo::EventWorker",
...
"db_main_txn_count": 0,
"db_ci_txn_count": 0,
"db_sec_txn_count": 1,
...
"exception.class": "ActiveRecord::StatementInvalid",
"exception.message": "PG::ReadOnlySqlTransaction: ERROR: cannot execute UPDATE in a read-only transaction\n",
"exception.cause_class": "PG::ReadOnlySqlTransaction",
"exception.sql": "UPDATE \"security_project_tracked_contexts\" SET \"updated_at\" = $1, \"context_name\" = $2 WHERE \"security_project_tracked_contexts\".\"id\" = $3 /*application:sidekiq,correlation_id:01KHP1KVQ4PYGZBQGT56FVP7EV,jid:bf6d748d8b594ce113331423,endpoint_id:Security::ProjectTrackedContexts::CreateOrUpdateDefaultTrackedContextWorker,db_config_database:gitlabhq_development_sec,db_config_name:sec,line:/ee/app/services/security/project_tracked_contexts/find_or_create_service.rb:162:in `block in updated_default_branch_context'*/"
}
```
### Possible fixes
Mark `Security::ProjectTrackedContexts::CreateOrUpdateDefaultTrackedContextWorker` as primary-only on Geo by prepending `::Geo::SkipSecondary`, per the “Skip execution of workers in Geo secondary” guidance in the Sidekiq worker attributes docs: https://docs.gitlab.com/development/sidekiq/worker_attributes/#skip-execution-of-workers-in-geo-secondary
### Patch release information for backports
If the bug fix needs to be backported in a [patch release](https://handbook.gitlab.com/handbook/engineering/releases/patch-releases) to a version
under [the maintenance policy](https://docs.gitlab.com/policy/maintenance/), please follow the steps on the
[patch release runbook for GitLab engineers](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/patch/engineers.md).
Refer to the [internal "Release Information" dashboard](https://dashboards.gitlab.net/d/delivery-release_info/delivery3a-release-information?orgId=1)
for information about the next patch release, including the targeted versions, expected release date, and current status.
#### High-severity bug remediation
To remediate high-severity issues requiring an [internal release](https://handbook.gitlab.com/handbook/engineering/releases/internal-releases/) for single-tenant SaaS instances,
refer to the [internal release process for engineers](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/internal-releases/engineers.md?ref_type=heads).
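
To check whether other workers on a secondary hit the same failure as the log entry above, the Sidekiq JSON log can be grouped by worker class. This is an added example, not GitLab code and not part of the original report; it assumes one JSON object per log line with the field names shown in this issue, and `Example::HypotheticalWorker` plus all sample values are constructed.

```ruby
require 'json'

# Constructed sample input (not real logs): Sidekiq JSON lines from a secondary.
# Field names follow the log entry in this issue; values are made up.
# Example::HypotheticalWorker is a hypothetical second worker.
SAMPLE_LOG = <<~'LOG'
  {"severity":"WARN","class":"Security::ProjectTrackedContexts::CreateOrUpdateDefaultTrackedContextWorker","jid":"aaa1","retry_count":7,"meta.caller_id":"Geo::EventWorker","exception.cause_class":"PG::ReadOnlySqlTransaction","exception.sql":"UPDATE \"security_project_tracked_contexts\" SET \"updated_at\" = $1 /*application:sidekiq,db_config_name:sec*/"}
  {"severity":"WARN","class":"Security::ProjectTrackedContexts::CreateOrUpdateDefaultTrackedContextWorker","jid":"aaa1","retry_count":8,"meta.caller_id":"Geo::EventWorker","exception.cause_class":"PG::ReadOnlySqlTransaction","exception.sql":"UPDATE \"security_project_tracked_contexts\" SET \"updated_at\" = $1 /*application:sidekiq,db_config_name:sec*/"}
  {"severity":"WARN","class":"Example::HypotheticalWorker","jid":"bbb2","retry_count":0,"meta.caller_id":"Geo::EventWorker","exception.cause_class":"PG::ReadOnlySqlTransaction","exception.sql":"INSERT INTO \"examples\" DEFAULT VALUES /*application:sidekiq,db_config_name:main*/"}
  {"severity":"WARN","class":"Example::HypotheticalWorker","jid":"ccc3","retry_count":1,"meta.caller_id":"Geo::EventWorker","exception.cause_class":"Timeout::Error"}
  {"severity":"INFO","class":"Example::HypotheticalWorker","jid":"ddd4","job_status":"done"}
  not a JSON line
LOG

READ_ONLY_ERROR = 'PG::ReadOnlySqlTransaction'

# Returns nil for lines that are not JSON objects (plain-text log noise).
def parse_line(line)
  parsed = JSON.parse(line)
  parsed.is_a?(Hash) ? parsed : nil
rescue JSON::ParserError
  nil
end

# Groups read-only write failures by worker class. Retries of one job share a
# jid, so distinct jids count jobs while :failures counts log entries.
def read_only_write_attempts(log_text)
  report = {}
  log_text.each_line do |line|
    entry = parse_line(line)
    next unless entry && entry['exception.cause_class'] == READ_ONLY_ERROR

    row = report[entry['class']] ||=
      { failures: 0, jids: [], max_retry_count: 0, databases: [], callers: [] }
    row[:failures] += 1
    row[:jids] |= [entry['jid']]
    row[:max_retry_count] = [row[:max_retry_count], entry['retry_count'].to_i].max
    # The SQL comment appended to exception.sql names the database connection.
    db = entry['exception.sql'].to_s[/db_config_name:(\w+)/, 1]
    row[:databases] |= [db] if db
    row[:callers] |= [entry['meta.caller_id']].compact
  end
  report
end

read_only_write_attempts(SAMPLE_LOG).each { |klass, row| puts "#{klass}: #{row}" }
```

Each class in the result attempted a write on a read-only database and is a candidate for the `::Geo::SkipSecondary` review described under "Possible fixes".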