
Adjust task to close security implementation issues

Mayra Cabrera requested to merge security-finalize-close-issues into master

What does this MR do and why?

Updates the Security::CloseImplementationIssues task to be used on the security release pipeline:

  • The class was moved to the Security::Finalize module since the logic is always going to be part of the last steps of the security release.
  • GitLab CI, rake tasks, and specs were adjusted as well.
  • If the close_issues task is executed as part of the security release pipeline, a slack notification will be sent (this logic should be removed once the security release pipeline has been fully adopted).
  • Remove the close_issues from the critical security release tasks. On these releases we don't have tracking issues and therefore don't have security issues associated. Executing this task during critical security releases will accidentally close issues associated with the regular security release.

Related to gitlab-com/gl-infra/delivery#19438 (closed)
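To make the behaviour described above concrete, here is an added example (not release-tools code, and not the real ReleaseTools::Security::Finalize::CloseImplementationIssues class) that models the task against a constructed in-memory stand-in for the GitLab client. The FakeGitlabClient, its method names, the `critical:` and `security_pipeline:` flags, and the rule that an implementation issue is only closed once all of its related merge requests are merged are assumptions made for the example; the iids and project id in the sample data are the fake-data values shown in the MR's test logs. It shows the three points the MR makes: dry-run mode (TEST=true) logs without sending the PUT, the task is skipped outright on a critical release so it cannot close the regular release's issues, and a Slack notification is posted only when the task runs inside the security release pipeline.

```ruby
require 'logger'

# Constructed fake of the GitLab API calls visible in the MR's log output.
class FakeGitlabClient
  attr_reader :closed

  def initialize(tracking_issue:, links:, merge_requests:)
    @tracking_issue = tracking_issue   # the security tracking issue, or nil
    @links = links                     # tracking iid => linked implementation issues
    @merge_requests = merge_requests   # [project_id, iid] => related MRs
    @closed = []                       # records PUT calls so a test can inspect them
  end

  # GET /projects/:id/issues (the real client filters to the tracking issue)
  def security_tracking_issue
    @tracking_issue
  end

  # GET /projects/:id/issues/:iid/links
  def issue_links(iid)
    @links.fetch(iid, [])
  end

  # GET /projects/:id/issues/:iid/related_merge_requests
  def related_merge_requests(project_id, iid)
    @merge_requests.fetch([project_id, iid], [])
  end

  # PUT /projects/:id/issues/:iid (state_event=close in the real API)
  def close_issue(project_id, iid)
    @closed << [project_id, iid]
  end
end

class CloseImplementationIssues
  def initialize(client, dry_run: ENV['TEST'] == 'true', security_pipeline: false,
                 critical: false, notifier: nil, logger: Logger.new($stdout))
    @client = client
    @dry_run = dry_run
    @security_pipeline = security_pipeline
    @critical = critical
    @notifier = notifier || ->(status) { logger.info("Posting slack message -- status=#{status}") }
    @logger = logger
  end

  # Returns the iids of implementation issues that were closed (or, in dry-run,
  # would have been closed).
  def execute
    if @critical
      # Critical releases have no tracking issue; running anyway would pick up the
      # regular security release's tracking issue and close its issues instead.
      @logger.warn('Critical security release: skipping close_issues')
      return []
    end

    tracking = @client.security_tracking_issue
    return [] if tracking.nil?

    closed = @client.issue_links(tracking[:iid]).select do |issue|
      # Assumption for this example: close only when every related MR is merged.
      mrs = @client.related_merge_requests(issue[:project_id], issue[:iid])
      next false if mrs.empty? || mrs.any? { |mr| mr[:state] != 'merged' }

      @client.close_issue(issue[:project_id], issue[:iid]) unless @dry_run
      prefix = @dry_run ? '[dry-run] ' : ''
      @logger.info("#{prefix}Security implementation issue processed -- #{issue[:web_url]}")
      true
    end.map { |issue| issue[:iid] }

    # Slack notification only when run from the security release pipeline
    # (and, as this example's choice, not during a dry run).
    @notifier.call(:success) if @security_pipeline && !@dry_run
    closed
  end
end

# Sample data constructed from the iids in the MR's test logs.
SAMPLE_LINKS = {
  417909 => [
    { project_id: 15_642_544, iid: 918, web_url: 'https://gitlab.com/gitlab-org/security/gitlab/-/issues/918' },
    { project_id: 15_642_544, iid: 919, web_url: 'https://gitlab.com/gitlab-org/security/gitlab/-/issues/919' }
  ]
}.freeze

SAMPLE_MRS = {
  [15_642_544, 918] => [{ state: 'merged' }, { state: 'merged' }],
  [15_642_544, 919] => [{ state: 'merged' }, { state: 'opened' }] # one MR still open
}.freeze

def build_client
  FakeGitlabClient.new(tracking_issue: { iid: 417909 }, links: SAMPLE_LINKS, merge_requests: SAMPLE_MRS)
end

if $PROGRAM_NAME == __FILE__
  client = build_client
  p CloseImplementationIssues.new(client, dry_run: true).execute # => [918]
  p client.closed                                                # => [] (no PUT in dry-run)
end
```

Running it with `TEST=true` mirrors the dry-run in the MR: issue 918 is reported as processed while 919 is left alone because one of its merge requests is still open, and nothing is written back to GitLab.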

Testing

Template

With a security release pipeline


Final steps

  • Start the security_release_finalize:start job in the security release pipeline: foo

  • Sync the GitLab default branch by using the merge-train project:

    • Disable the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master [pipeline schedule on the merge-train].
    • Trigger the gitlab-org/security/gitlab@master -> gitlab-org/gitlab@master [pipeline schedule on the merge-train] and wait until it finishes. This pipeline will attempt to sync the GitLab default branch.
    • If the sync fails, repeat the above step.
  • If after 5 times the sync by the merge train continues to fail, use the previous strategy to sync the GitLab project:

    • Disable the merge_train_to_canonical [feature flag on ops].
    • Enable the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master [pipeline schedule on the merge-train].
    • Execute the sync_remotes task on Slack: /chatops run release sync_remotes --security. In this case, if the sync fails, a merge request will be created and release manager intervention will be required.

....

Without a security release pipeline


Final steps

  • Sync default branches for GitLab Foss, Omnibus GitLab and Gitaly, via ChatOps:

    # In Slack
    /chatops run release sync_remotes --security
  • Close the security implementation issues

    # In Slack
    /chatops run release close_issues --security

Without the security release pipeline and on a critical security release


Final steps

  • Sync default branches for GitLab Foss, Omnibus GitLab and Gitaly, via ChatOps:

    # In Slack
    /chatops run release sync_remotes --security
  • Sync the GitLab default branch by using the merge-train project:

    • Disable the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master [pipeline schedule on the merge-train].
    • Trigger the gitlab-org/security/gitlab@master -> gitlab-org/gitlab@master [pipeline schedule on the merge-train] and wait until it finishes. This pipeline will attempt to sync the GitLab default branch.
    • If the sync fails, repeat the above step.
  • If after 5 times the sync by the merge train continues to fail, use the previous strategy to sync the GitLab project:

    • Disable the merge_train_to_canonical [feature flag on ops].
    • Enable the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master [pipeline schedule on the merge-train].
    • Execute the sync_remotes task on Slack: /chatops run release sync_remotes --security. In this case, if the sync fails, a merge request will be created and release manager intervention will be required.

close_issues task

Fake data was created for these tests:

Dry-run

13:43:25 ❯ TEST=true rake security:finalize:close_issues
2023-07-12 13:43:31.030670 D [dry-run] ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 13:43:31 -0600] 200 "GET https://gitlab.com/api/v4/projects/gitlab-org%2Fgitlab/issues" -
2023-07-12 13:43:31.390186 D [dry-run] ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 13:43:31 -0600] 200 "GET https://gitlab.com/api/v4/projects/gitlab-org%2Fgitlab/issues/417909/links" -
2023-07-12 13:43:31.627685 D ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 13:43:31 -0600] 200 "GET https://gitlab.com/api/v4/projects/15642544/issues/918/related_merge_requests" 2
2023-07-12 13:43:31.672833 D ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 13:43:31 -0600] 200 "GET https://gitlab.com/api/v4/projects/15642544/issues/919/related_merge_requests" 2
2023-07-12 13:43:31.673053 I [dry-run] ReleaseTools::Security::Finalize::CloseImplementationIssues -- Security implementation issue processed -- {:issue=>"https://gitlab.com/gitlab-org/security/gitlab/-/issues/918"}
2023-07-12 13:43:31.673092 I [dry-run] ReleaseTools::Security::Finalize::CloseImplementationIssues -- Security implementation issue processed -- {:issue=>"https://gitlab.com/gitlab-org/security/gitlab/-/issues/919"}

Security pipeline execution

2023-07-12 20:02:03.104178 I ReleaseTools::Security::Finalize::CloseImplementationIssues -- Security implementation issue processed -- {:issue=>"https://gitlab.com/gitlab-org/security/gitlab/-/issues/918"}
2023-07-12 20:02:03.689228 D ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 20:02:03 +0000] 200 "PUT https://gitlab.com/api/v4/projects/15642544/issues/918" - 
2023-07-12 20:02:03.689511 I ReleaseTools::Security::Finalize::CloseImplementationIssues -- Security implementation issue processed -- {:issue=>"https://gitlab.com/gitlab-org/security/gitlab/-/issues/919"}
2023-07-12 20:02:05.915140 D ReleaseTools::GitlabClient -- [HTTParty] [2023-07-12 20:02:05 +0000] 200 "PUT https://gitlab.com/api/v4/projects/15642544/issues/919" - 
2023-07-12 20:02:05.915457 I ReleaseTools::Slack::Security::Notifier -- Posting slack message -- {:job_type=>"Close security issues", :status=>:success}
Pipeline Slack message (screenshots Screenshot_2023-07-12_at_14.06.10 and Screenshot_2023-07-12_at_14.06.19, not reproduced here)

Author Check-list

  • [-] Has documentation been updated?