Add close-issues step into security template
What does this MR do?
- Updates the security template to add the "Close steps" issue.
- Updates the docs too
Context
With gitlab-com/gl-infra&109 (closed), security implementation issues are processed in a different manner:
- Approximately 1 week before the due date, security MR's targeting master are merged into Security master,
- Then during the Security Release, the backports are merged.
With this new process, security implementation issues are still opened even if all their merge requests were merged.
This commit introduces a new step to close the implementation issues at the end of the security release process. It also re-groups the last steps in a section called "Last steps" :)
Example
Security patch release
Security patch release: 13.3.2, 13.2.7, 13.1.9
Preparation
Preparation steps should ideally be completed within one day
-
Temporarily disable the scheduled auto-deploy tasks via ChatOps: # In Slack /chatops run auto_deploy pause
-
Disable Omnibus nightly builds by setting the schedules to inactive: https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules. -
Ensure that staging, canary, and production are all running the same version from the same auto-deploy branch -
Ensure latest auto-deploy branches are synced across Canonical, Security, and Build: # In Slack /chatops run mirror status
-
Notify AppSec Engineers that the Security Release has started. Link to the blog post on dev: https://dev.gitlab.org/gitlab/www-gitlab-com
-
Merge security merge requests using ChatOps # In Slack: /chatops run release merge --security
-
If any merge requests could not be merged, investigate what needs to be done to resolve the issues. Do not proceed unless it has been determined safe to do so. -
Ensure security fixes are included in the auto-deploy branch. Fixes are automatically cherry-picked into the auto-deploy branch after they're merged. If they were not chery-picked, you can use the cherry pick script to do it manually.
-
For GitLab -
For Omnibus GitLab
-
Auto Deploy tag and deployment to GitLab.com
-
Tag a new auto-deploy version via ChatOps (no need to wait for green build), to create a deployer pipeline that will deploy to Canary: # In Slack /chatops run auto_deploy tag --security
-
Once the deployment to Canary has been completed, if there are no issues reported on Sentry and no active production incidents, proceed to promote to production.
Packaging
-
Ensure tests are green in CE and green in EE # In Slack: /chatops run release status --security
-
Tag the 13.3.2 security release, and wait for the pipeline to finish: /chatops run release tag --security 13.3.2
-
Tag the 13.2.7 security release, and wait for the pipeline to finish: /chatops run release tag --security 13.2.7
-
Tag the 13.1.9 security release, and wait for the pipeline to finish: /chatops run release tag --security 13.1.9
Waiting between pipelines is necessary as they may othewrise fail to concurrently push changes to the same project/branch.
-
Check that EE and CE packages are built: - 13.3.2: EE packages and CE packages
- 13.2.7: EE packages and CE packages
- 13.1.9: EE packages and CE packages
Deploy
-
Verify that release.gitlab.net is running the latest patch version - Check in Slack
#announcements
channel - Go to https://release.gitlab.net/help
- Check in Slack
Release
-
Publish the packages via ChatOps: # In Slack: /chatops run publish 13.3.2 /chatops run publish 13.2.7 /chatops run publish 13.1.9
-
Notify AppSec counterparts they can submit and merge the blog post to https://gitlab.com/gitlab-com/www-gitlab-com/
-
Verify that EE packages appear on packages.gitlab.com
: EE (should contain 14 packages) -
Verify that CE packages appear on packages.gitlab.com
: CE (should contain 13 packages) -
Create the versions: -
13.3.2
version on version.gitlab.com. Be sure to mark it as a security release. -
13.2.7
version on version.gitlab.com. Be sure to mark it as a security release. -
13.1.9
version on version.gitlab.com. Be sure to mark it as a security release.
-
-
In the #content-updates
channel, share a link to the blog post.
Final steps
-
Sync master
andauto-deploy
branches for GitLab, GitLab Foss, Omnibus GitLab and Gitaly, via ChatOps:# In Slack /chatops run release sync_remotes --security
-
Verify all remotes are synced: # In Slack /chatops run mirror status
If conflicts are found, manual intervention will be needed to sync the repositories.
-
Close the security implementation issues # In Slack /chatops run release close_issues --security
-
Re-enable the scheduled auto-deploy tasks via ChatOps: # In Slack /chatops run auto_deploy unpause
-
Enable Omnibus nightly builds by setting the schedules to active https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules