Include step to tracking issue on security template
What does this MR do?
Now that the Security Release Tracking Issue can be automatically created, a step has been added in the security template to create this issue as one of the last steps on a security release.
Security Release example
Security patch release: 13.6.1, 13.5.5, 13.4.7
First steps
-
Disable Omnibus nightly builds by setting the schedules to inactive: https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules. -
Ensure that Canonical, Security and Build repositories are synced: # In Slack /chatops run mirror status -
Modify the dates below to accurately reflect the plan of action.
Early-merge phase
Up until the 27th, or one day before the Security Release due date
- Merge the merge requests targeting
master# In Slack /chatops run release merge --security --master
On the 27th (one day before due date)
If this date is on a weekend, do this work on the next working day.
-
Notify AppSec Engineers that the Security Release has started. Link to the blog post on dev: https://dev.gitlab.org/gitlab/www-gitlab-com -
Merge security merge requests targeting master# In Slack: /chatops run release merge --security --master -
Merge backports and any other merge request pending: # In Slack: /chatops run release merge --security -
If any merge requests could not be merged, investigate what needs to be done to resolve the issues. Do not proceed unless it has been determined safe to do so.
On the Due Date
Packaging
-
Ensure tests are green in CE and green in EE # In Slack: /chatops run release status --security -
Tag the 13.6.1 security release, and wait for the pipeline to finish: /chatops run release tag --security 13.6.1 -
Tag the 13.5.5 security release, and wait for the pipeline to finish: /chatops run release tag --security 13.5.5 -
Tag the 13.4.7 security release, and wait for the pipeline to finish: /chatops run release tag --security 13.4.7
Waiting between pipelines is necessary as they may othewise fail to concurrently push changes to the same project/branch.
-
Check that EE and CE packages are built: - 13.6.1: EE packages and CE packages
- 13.5.5: EE packages and CE packages
- 13.4.7: EE packages and CE packages
Deploy
-
Verify that release.gitlab.net is running the latest patch version - Check in Slack
#announcementschannel - Go to https://release.gitlab.net/help
- Check in Slack
Release
-
Publish the packages via ChatOps: # In Slack: /chatops run publish 13.6.1 /chatops run publish 13.5.5 /chatops run publish 13.4.7 -
Notify AppSec counterparts they can submit and merge the blog post to https://gitlab.com/gitlab-com/www-gitlab-com/ -
Verify that EE packages appear on packages.gitlab.com: EE (should contain 14 packages) -
Verify that CE packages appear on packages.gitlab.com: CE (should contain 13 packages) -
Create the versions: -
13.6.1version on version.gitlab.com. Be sure to mark it as a security release. -
13.5.5version on version.gitlab.com. Be sure to mark it as a security release. -
13.4.7version on version.gitlab.com. Be sure to mark it as a security release.
-
-
In the #content-updateschannel, share a link to the blog post.
Final steps
-
Sync masterbranches for GitLab, GitLab Foss, Omnibus GitLab and Gitaly, via ChatOps:# In Slack /chatops run release sync_remotes --security -
Verify all remotes are synced: # In Slack /chatops run mirror statusIf conflicts are found, manual intervention will be needed to sync the repositories.
-
Close the security implementation issues # In Slack /chatops run release close_issues --security -
Enable Omnibus nightly builds by setting the schedules to active https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules -
Close the old security release tracking issue and create a new one: # In Slack /chatops run release tracking_issue --security -
Link the new security release tracking issue on the topic of the #releases channel, next to Next Security Release.
Related to gitlab-com/gl-infra/delivery#1144 (closed)