Adjust task to close security implementation issues
What does this MR do and why?
Updates the `Security::CloseImplementationIssues` task to be used on the security release pipeline:
- The class was moved to the `Security::Finalize` module since the logic is always going to be part of the last steps of the security release.
- GitLab CI, rake tasks, and specs were adjusted as well.
- If the `close_issues` task is executed as part of the security release pipeline, a Slack notification will be sent (this logic should be removed once the security release pipeline has been fully adopted).
- Remove the `close_issues` from the critical security release tasks. On these releases we don't have tracking issues and therefore don't have security issues associated. Executing this task during critical security releases will accidentally close issues associated with the regular security release.
Related to gitlab-com/gl-infra/delivery#19438 (closed)
Testing
Template
With a security release pipeline
Final steps
- Start the `security_release_finalize:start` job in the security release pipeline: foo
- Sync the GitLab default branch by using the merge-train project:
  - Disable the `gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master` [pipeline schedule on the merge-train].
  - Trigger the `gitlab-org/security/gitlab@master -> gitlab-org/gitlab@master` [pipeline schedule on the merge-train] and wait until it finishes. This pipeline will attempt to sync the GitLab default branch.
    - If the sync fails, repeat the above step.
  - If after 5 times the sync by the merge train continues to fail, use the previous strategy to sync the GitLab project:
    - Disable the `merge_train_to_canonical` [feature flag on ops].
    - Enable the `gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master` [pipeline schedule on the merge-train].
    - Execute the `sync_remotes` task on Slack: `/chatops run release sync_remotes --security`. In this case, if the sync fails, a merge request will be created and release manager intervention will be required.
- ....
Without a security release pipeline
Final steps
- Sync default branches for GitLab Foss, Omnibus GitLab and Gitaly, via ChatOps:
  ```
  # In Slack
  /chatops run release sync_remotes --security
  ```
- Close the security implementation issues
  ```
  # In Slack
  /chatops run release close_issues --security
  ```
Without the security release pipeline and on a critical security release
Final steps
- Sync default branches for GitLab Foss, Omnibus GitLab and Gitaly, via ChatOps:
  ```
  # In Slack
  /chatops run release sync_remotes --security
  ```
- Sync the GitLab default branch by using the merge-train project:
  - Disable the `gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master` [pipeline schedule on the merge-train].
  - Trigger the `gitlab-org/security/gitlab@master -> gitlab-org/gitlab@master` [pipeline schedule on the merge-train] and wait until it finishes. This pipeline will attempt to sync the GitLab default branch.
    - If the sync fails, repeat the above step.
  - If after 5 times the sync by the merge train continues to fail, use the previous strategy to sync the GitLab project:
    - Disable the `merge_train_to_canonical` [feature flag on ops].
    - Enable the `gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master` [pipeline schedule on the merge-train].
    - Execute the `sync_remotes` task on Slack: `/chatops run release sync_remotes --security`. In this case, if the sync fails, a merge request will be created and release manager intervention will be required.

`close_issues` task
Fake data was created for these tests:
- Tracking issue https://gitlab.com/gitlab-org/gitlab/-/issues/417909
- Security issues:
Dry-run
```
13:43:25 ❯ TEST=true rake security:finalize:close_issues
2023-07-12 13:43:31.030670 D [dry-run] ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 13:43:31 -0600] 200 "GET https://gitlab.com/api/v4/projects/gitlab-org%2Fgitlab/issues" -
2023-07-12 13:43:31.390186 D [dry-run] ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 13:43:31 -0600] 200 "GET https://gitlab.com/api/v4/projects/gitlab-org%2Fgitlab/issues/417909/links" -
2023-07-12 13:43:31.627685 D ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 13:43:31 -0600] 200 "GET https://gitlab.com/api/v4/projects/15642544/issues/918/related_merge_requests" 2
2023-07-12 13:43:31.672833 D ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 13:43:31 -0600] 200 "GET https://gitlab.com/api/v4/projects/15642544/issues/919/related_merge_requests" 2
2023-07-12 13:43:31.673053 I [dry-run] ReleaseTools::Security::Finalize::CloseImplementationIssues -- Security implementation issue processed -- {:issue=>"https://gitlab.com/gitlab-org/security/gitlab/-/issues/918"}
2023-07-12 13:43:31.673092 I [dry-run] ReleaseTools::Security::Finalize::CloseImplementationIssues -- Security implementation issue processed -- {:issue=>"https://gitlab.com/gitlab-org/security/gitlab/-/issues/919"}
```
Security pipeline execution
- The code was adjusted to send Slack notifications to a test channel https://ops.gitlab.net/gitlab-org/release/tools/-/commit/b17025181d88567869a87c2e682aaeb847e06114
- Job: https://ops.gitlab.net/gitlab-org/release/tools/-/jobs/10577043
```
2023-07-12 20:02:03.104178 I ReleaseTools::Security::Finalize::CloseImplementationIssues -- Security implementation issue processed -- {:issue=>"https://gitlab.com/gitlab-org/security/gitlab/-/issues/918"}
2023-07-12 20:02:03.689228 D ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 20:02:03 +0000] 200 "PUT https://gitlab.com/api/v4/projects/15642544/issues/918" -
2023-07-12 20:02:03.689511 I ReleaseTools::Security::Finalize::CloseImplementationIssues -- Security implementation issue processed -- {:issue=>"https://gitlab.com/gitlab-org/security/gitlab/-/issues/919"}
2023-07-12 20:02:05.915140 D ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 20:02:05 +0000] 200 "PUT https://gitlab.com/api/v4/projects/15642544/issues/919" -
2023-07-12 20:02:05.915457 I ReleaseTools::Slack::Security::Notifier -- Posting slack message -- {:job_type=>"Close security issues", :status=>:success}
```
Pipeline | Slack Message |
---|---|
Link | Slack |
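The dry-run and pipeline logs above differ in one way that can be checked mechanically: the dry-run issues only `GET` requests, while the real run sends one `PUT` per processed issue. The script below is an added example, not part of release-tools; its sample logs are shortened copies of the lines above, and matching a processed issue to its update request by issue IID alone is an assumption of this sketch.

```ruby
# Added example: audit close_issues task logs for write requests.
HTTP_LINE   = /\[HTTParty\] \[[^\]]+\] \d{3} "(?<verb>[A-Z]+) (?<url>[^"\s]+)"/
PROCESSED   = /Security implementation issue processed -- \{:issue=>"[^"]*\/issues\/(\d+)"\}/
WRITE_VERBS = %w[POST PUT PATCH DELETE].freeze

# Shortened sample lines taken from the dry-run output above.
DRY_RUN_LOG = <<~'LOG'
  D [dry-run] ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 13:43:31 -0600] 200 "GET https://gitlab.com/api/v4/projects/gitlab-org%2Fgitlab/issues/417909/links" -
  D ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 13:43:31 -0600] 200 "GET https://gitlab.com/api/v4/projects/15642544/issues/918/related_merge_requests" 2
  I [dry-run] ReleaseTools::Security::Finalize::CloseImplementationIssues -- Security implementation issue processed -- {:issue=>"https://gitlab.com/gitlab-org/security/gitlab/-/issues/918"}
LOG

# Shortened sample lines taken from the pipeline job output above.
PIPELINE_LOG = <<~'LOG'
  I ReleaseTools::Security::Finalize::CloseImplementationIssues -- Security implementation issue processed -- {:issue=>"https://gitlab.com/gitlab-org/security/gitlab/-/issues/918"}
  D ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 20:02:03 +0000] 200 "PUT https://gitlab.com/api/v4/projects/15642544/issues/918" -
  I ReleaseTools::Security::Finalize::CloseImplementationIssues -- Security implementation issue processed -- {:issue=>"https://gitlab.com/gitlab-org/security/gitlab/-/issues/919"}
  D ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 20:02:05 +0000] 200 "PUT https://gitlab.com/api/v4/projects/15642544/issues/919" -
LOG

# "VERB url" for every request in the log that could modify state.
def write_requests(log)
  log.each_line.filter_map do |line|
    m = HTTP_LINE.match(line)
    "#{m[:verb]} #{m[:url]}" if m && WRITE_VERBS.include?(m[:verb])
  end
end

# IIDs of the issues the task reported as processed.
def processed_iids(log)
  log.scan(PROCESSED).flatten
end

# Processed issues that have no "PUT .../issues/<iid>" request in the log.
def processed_without_update(log)
  updated = write_requests(log).filter_map { |r| r[%r{\APUT \S+/issues/(\d+)\z}, 1] }
  processed_iids(log) - updated
end

if __FILE__ == $PROGRAM_NAME
  puts "dry-run write requests: #{write_requests(DRY_RUN_LOG).inspect}"
  puts "pipeline issues missing an update: #{processed_without_update(PIPELINE_LOG).inspect}"
end
```

A dry-run passes when `write_requests` is empty; a real run passes when `processed_without_update` is empty.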
Author Check-list
- [-] Has documentation been updated?