Skip to content

Removes QA from security template

Mayra Cabrera requested to merge removes-qa-section-from-security-template into master

What does this MR do?

Starting with the security release of 13.2, QA is performed before the security merge requests targeting master are merged. Therefore we no longer need to wait for AppSec to validate the security fixes on staging, we can now promote directly to Canary and to production (if there are no active incidents or issues on Sentry).

This commit updates the security template to reflect that.

Related to gitlab-com/gl-infra/delivery#839 (closed)

Example

Security Release example

Security patch release: 13.1.4, 13.0.10, 12.10.15

Preparation

Preparation steps should ideally be completed within one day

  • Temporarily disable the scheduled auto-deploy tasks via ChatOps:

    # In Slack
/chatops run auto_deploy pause

  • Disable Omnibus nightly builds by setting the schedules to inactive: https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules.

  • Ensure that staging, canary, and production are all running the same version from the same auto-deploy branch

  • Ensure latest auto-deploy branches are synced across Canonical, Security, and Build:

    # In Slack
/chatops run mirror status

  • Merge security merge requests using ChatOps

    # In Slack:
/chatops run release merge --security

  • If any merge requests could not be merged, investigate what needs to be done to resolve the issues. Do not proceed unless it has been determined safe to do so.

  • Ensure security fixes are included in the auto-deploy branch. Fixes are automatically cherry-picked into the auto-deploy branch after they're merged. If they were not chery-picked, you can use the cherry pick script to do it manually.

    • For GitLab
    • For Omnibus GitLab

Auto Deploy tag and deployment to GitLab.com

  • Tag a new auto-deploy version via ChatOps (no need to wait for green build), to create a deployer pipeline that will deploy to Canary and create a QA issue:

    # In Slack
/chatops run auto_deploy tag --security

  • Ping the Security Engineers so they can get started with the blog post. The blog post should be done on https://dev.gitlab.org/gitlab/www-gitlab-com

  • Once the deployment to Canary has been completed, if there are no issues reported on Sentry and no active production incidents, proceed to promote to production.

Packaging

  • Ensure tests are green in CE and green in EE

    # In Slack:
/chatops run release status --security

  • Tag the security release:

    # In Slack:
  /chatops run release tag --security 13.1.4
  /chatops run release tag --security 13.0.10
  /chatops run release tag --security 12.10.15

  • Check that EE and CE packages are built:

Deploy

Release

  • This section should be done in coordination with the Security team, so make sure to confirm with them before proceeding

    # In Slack
@appsec-team - We are ready to publish the security release packages for 13.1.4, please let us know if the blog post is ready.

  • Publish the packages via ChatOps:

     # In Slack:
  /chatops run publish 13.1.4
  /chatops run publish 13.0.10
  /chatops run publish 12.10.15

  • Verify that EE packages appear on packages.gitlab.com: EE (should contain 14 packages)

  • Verify that CE packages appear on packages.gitlab.com: CE (should contain 13 packages)

  • Verify that Docker images appear on hub.docker.com: EE / CE

  • Create the versions:

  • Merge the blog post on https://gitlab.com/gitlab-com/www-gitlab-com

  • In the #content-updates channel, share a link to the blog post.

Sync

  • Sync master and auto-deploy branches for GitLab, GitLab Foss, Omnibus GitLab and Gitaly, via ChatOps:

    # In Slack
/chatops run release sync_remotes --security

  • Verify all remotes are synced:

    # In Slack
/chatops run mirror status

    If conflicts are found, manual intervention will be needed to sync the repositories.

Auto-Deploy

Merge request reports