Context

With gitlab-com/gl-infra&109 (closed), security implementation issues are processed in a different manner:

Approximately 1 week before the due date, security MR's targeting master are merged into Security master,
Then during the Security Release, the backports are merged.

With this new process, security implementation issues are still opened even if all their merge requests were merged.

This commit introduces a new step to close the implementation issues at the end of the security release process. It also re-groups the last steps in a section called "Last steps" :)

Example

Security patch release

Security patch release: 13.3.2, 13.2.7, 13.1.9

Preparation

Preparation steps should ideally be completed within one day

Temporarily disable the scheduled auto-deploy tasks via ChatOps:
```
# In Slack
/chatops run auto_deploy pause
```
Disable Omnibus nightly builds by setting the schedules to inactive: https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules.
Ensure that staging, canary, and production are all running the same version from the same auto-deploy branch
Ensure latest auto-deploy branches are synced across Canonical, Security, and Build:
```
# In Slack
/chatops run mirror status
```
Notify AppSec Engineers that the Security Release has started. Link to the blog post on dev: https://dev.gitlab.org/gitlab/www-gitlab-com

Merge security merge requests using ChatOps

# In Slack:
/chatops run release merge --security

If any merge requests could not be merged, investigate what needs to be done to resolve the issues. Do not proceed unless it has been determined safe to do so.
Ensure security fixes are included in the auto-deploy branch. Fixes are automatically cherry-picked into the auto-deploy branch after they're merged. If they were not chery-picked, you can use the cherry pick script to do it manually.
- For GitLab
- For Omnibus GitLab

Auto Deploy tag and deployment to GitLab.com

Tag a new auto-deploy version via ChatOps (no need to wait for green build), to create a deployer pipeline that will deploy to Canary:
```
# In Slack
/chatops run auto_deploy tag --security
```
Once the deployment to Canary has been completed, if there are no issues reported on Sentry and no active production incidents, proceed to promote to production.

Packaging

Ensure tests are green in CE and green in EE

# In Slack:
/chatops run release status --security

Tag the 13.3.2 security release, and wait for the pipeline to finish: /chatops run release tag --security 13.3.2
Tag the 13.2.7 security release, and wait for the pipeline to finish: /chatops run release tag --security 13.2.7
Tag the 13.1.9 security release, and wait for the pipeline to finish: /chatops run release tag --security 13.1.9

Waiting between pipelines is necessary as they may othewrise fail to concurrently push changes to the same project/branch.

Check that EE and CE packages are built:
- 13.3.2: EE packages and CE packages
- 13.2.7: EE packages and CE packages
- 13.1.9: EE packages and CE packages

Deploy

Verify that release.gitlab.net is running the latest patch version
- Check in Slack #announcements channel
- Go to https://release.gitlab.net/help

Release

Publish the packages via ChatOps:

 # In Slack:
  /chatops run publish 13.3.2
  /chatops run publish 13.2.7
  /chatops run publish 13.1.9

Notify AppSec counterparts they can submit and merge the blog post to https://gitlab.com/gitlab-com/www-gitlab-com/
Verify that EE packages appear on packages.gitlab.com: EE (should contain 14 packages)
Verify that CE packages appear on packages.gitlab.com: CE (should contain 13 packages)
Verify that Docker images appear on hub.docker.com: EE / CE
Create the versions:
- 13.3.2 version on version.gitlab.com. Be sure to mark it as a security release.
- 13.2.7 version on version.gitlab.com. Be sure to mark it as a security release.
- 13.1.9 version on version.gitlab.com. Be sure to mark it as a security release.
In the #content-updates channel, share a link to the blog post.

Final steps

Sync master and auto-deploy branches for GitLab, GitLab Foss, Omnibus GitLab and Gitaly, via ChatOps:
```
# In Slack
/chatops run release sync_remotes --security
```
Verify all remotes are synced:
```
# In Slack
/chatops run mirror status
```
If conflicts are found, manual intervention will be needed to sync the repositories.

Close the security implementation issues

# In Slack
/chatops run release close_issues --security

Re-enable the scheduled auto-deploy tasks via ChatOps:
```
# In Slack
/chatops run auto_deploy unpause
```
Enable Omnibus nightly builds by setting the schedules to active https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules

Edited Aug 27, 2020 by Mayra Cabrera

Add close-issues step into security template

What does this MR do?