Skip to content

Automate the remaining QA tasks in the security release (patch release process)

Currently its quite an expensive and manual process to run Gitlab-QA for a patch release

See https://gitlab.com/gitlab-org/release/tasks/issues/498#automated-qa-for-1142

Proposal

There are three things to do here:

  1. Update gitlab-provisioner to use the QA docker image from dev instead of from .com so that security releases can be tested (otherwise the gitlab-qa job fails because the image cannot be found: https://gitlab.com/gitlab-org/distribution/gitlab-provisioner/-/jobs/169671539).
  2. Put the link to the QA job in the QA issues (security and non-security ones).
  3. Keep the Terraform deployment running to allow manual QA.

For 1., the steps are as follows:

  1. Change gitlab-provisioner to log into the dev registry prior to running the QA job => gitlab-org/distribution/gitlab-provisioner!22 (merged)
  2. Change the HA-Validate-Trigger job to pass the dev image address instead of the Docker Hub one, e.g. dev.gitlab.org:5005/gitlab/omnibus-gitlab/gitlab-ee-qa:11.8.1-ee instead of gitlab/gitlab-ee-qa:11.8.1-ee => gitlab-org/omnibus-gitlab!3107 (merged)
  3. Enjoy 🍿

For 2., the steps are as follows:

  1. Find the omnibus-gitlab pipeline for the given version, e.g. GET https://dev.gitlab.org/api/v4/projects/gitlab%2Fomnibus-gitlab/pipelines?ref=11.9.0%2Brc6.ee.0
    • Getting the omnibus-gitlab tag from the release version can be done with version.to_omnibus(ee: true).
  2. Find the HA-Validate-Tagged job in this pipeline by looping over the pipelines' jobs and select the first job with name HA-Validate-Tagged,, e.g. GET https://dev.gitlab.org/api/v4/projects/gitlab%2Fomnibus-gitlab/pipelines/106960/jobs
  3. Fetch the job's trace, e.g. GET https://dev.gitlab.org/api/v4/projects/gitlab%2Fomnibus-gitlab/jobs/4122266/trace
  4. Search for Waiting for downstream pipeline status: https://gitlab.com/gitlab-org/distribution/gitlab-provisioner/pipelines/<ID> in the trace
  5. We could either display this pipeline URL, or
  6. Continue the search for the gitlab-qa job (this time it will be on GitLab.com)
  7. Once the job found, put the link in the QA issue template before the issue is created
  8. Enjoy 🍿

=> gitlab-org/release-tools!577 (merged)

For 3., the steps are as follows:

  1. Don't automatically stop the GitLab deployment to allow manual QA testing.
  2. Maybe cleanup deployments automatically after 2 or 3 days (using a schedule)?

Original proposal

  • Make sure the change summary automation works for the patch release
  • Automate the provisioning of environments using new review apps
  • Automate the test automation pipelines for GitLab QA against all the ported version environments
Edited by Rémy Coutable