Skip to content

Wait for Operator tag to reach Build mirror before syncing remotes

Balasankar 'Balu' C requested to merge wait-for-operator-tag-in-dev into master

What does this MR do and why?

Corrective action for https://gitlab.com/gitlab-org/release/tasks/-/issues/4033

The following is happening as part of publishing of a security release (say 15.2.1, which corresponds to Chart release 6.2.1 and Operator release 0.10.1)

  1. We sync remotes of every project other than Operator
  2. We create the operator tag 0.10.1 in the security mirror - https://gitlab.com/gitlab-org/release-tools/blob/4cb3f1e5b4fa3ac6bfee3e21928997d5624fccc4/lib/release_tools/public_release/gitlab_operator_release.rb#L69
  3. We immediately try to sync operator refs across projects - https://gitlab.com/gitlab-org/release-tools/blob/4cb3f1e5b4fa3ac6bfee3e21928997d5624fccc4/lib/release_tools/public_release/gitlab_operator_release.rb#L71-74
    1. This involves fetching the tag from dev mirror and syncing it to canonical and security.
    2. However, there is a race condition happening. The tag was created in security, but GitLab's native mirroring didn't get time to mirror it over to dev.
      1. sync_tags involves fetching the tag from dev, and pushing it to security and canonical.
      2. This fetching doesn't fail the process if the tag isn't available in dev. It just returns false, as shown in https://gitlab.com/gitlab-org/release/tasks/-/issues/4033#note_993755681.
      3. So, the tag doesn't reach canonical.
    3. So "syncing stuff from dev to canonical and security" didn't actually do what we expect it to do.
    4. Operator's canonical repo still doesn't have 0.10.1

Now, when the next patch release (15.2.2, Charts 6.2.2) comes, we look at Operator's canonical to know "What is the latest release?". Because canonical still has only upto 0.10.0, it will reply 0.10.0. Then release-tools will identify next version as 0.10.1, tags it and pushes it to Canonical. However, because security and dev mirrors already have 0.10.1 from security release, they are now diverged.

In this MR, we waits for the tag to reach Build mirror before attempting syncing remotes.

Author Check-list

  • Has documentation been updated?

Merge request reports