Notify security release completion
What does this MR do and why?
Introduces logic to notify the completion of a security release via Slack. A dedicated class (Security::Finalize::NotifyReleaseComplete) was built to:
- Validate that the blog post URL exists, via service validation.
- If the blog post URL is valid, trigger a ChatOps pipeline with the message (this requires gitlab-com/chatops!386 (merged)).
- As with the other security classes, send a Slack notification when the job succeeds or fails.
Related to gitlab-com/gl-infra/delivery#19439 (closed)
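The validate-then-notify flow described above, as an added Ruby sketch that is not the release-tools implementation: class names mirror the MR's job log, while the injectable HTTP client, the https/host/path allow-list on the blog post URL and the returned status hash are assumptions made here so the example is self-contained and runs offline. The point it demonstrates is the ordering the MR enforces: the announcement is only built and sent once the link it carries has been confirmed to resolve, and a failure surfaces the exact command a release manager can run by hand.

```ruby
require 'uri'
require 'net/http'

# Added illustrative sketch of the flow described in this MR; it is NOT the
# release-tools implementation. Class names mirror the MR's job log; the
# https/host/path allow-list and the injectable HTTP client are assumptions
# made here so the example is self-contained and runs offline.
module Example
  module Security
    module Finalize
      class BlogPostValidator
        CouldNotFindBlogPostError = Class.new(StandardError)

        # Assumption: a security release blog post is only ever announced from
        # the GitLab releases blog, so anything else is rejected before any
        # network request is made or any message is built.
        ALLOWED_HOST = 'about.gitlab.com'
        ALLOWED_PATH_PREFIX = '/releases/'

        def initialize(url, http: Net::HTTP)
          @url = url
          @http = http # anything responding to get_response(uri) -> #code
        end

        # Returns true when the post is reachable; raises otherwise.
        def validate!
          uri = URI.parse(@url)
          unless uri.scheme == 'https' && uri.host == ALLOWED_HOST &&
                 uri.path.start_with?(ALLOWED_PATH_PREFIX)
            raise CouldNotFindBlogPostError, "unexpected blog post location: #{@url}"
          end

          response = @http.get_response(uri)
          raise CouldNotFindBlogPostError, "HTTP #{response.code} for #{@url}" unless response.code == '200'

          true
        end
      end

      class NotifyReleaseComplete
        MESSAGE = ':mega: GitLab Security Release: %<versions>s has just been ' \
                  'released: %<url>s! Share this release blog post with your ' \
                  'network to ensure broader visibility across our community.'

        def initialize(versions:, blog_post_url:, http: Net::HTTP)
          @versions = versions
          @blog_post_url = blog_post_url
          @http = http
        end

        def message
          format(MESSAGE, versions: @versions.join(', '), url: @blog_post_url)
        end

        # The Slack command the ChatOps pipeline would run, and the one a release
        # manager can fall back to by hand when the job fails.
        def chatops_command
          "/chatops run notify \"#{message}\""
        end

        # Validate first, notify second: the announcement never goes out with a
        # link that does not resolve. Returns a status hash instead of posting,
        # so the outcome can be inspected.
        def execute
          BlogPostValidator.new(@blog_post_url, http: @http).validate!
          { status: :success, command: chatops_command }
        rescue BlogPostValidator::CouldNotFindBlogPostError => e
          { status: :failed, error: e.message, manual_command: chatops_command }
        end
      end
    end
  end
end

# Constructed stand-in for Net::HTTP so the example runs offline: it "publishes"
# exactly the URLs it is given and answers 404 for anything else.
class FakeHttp
  Response = Struct.new(:code)

  def initialize(published_urls)
    @published = published_urls
  end

  def get_response(uri)
    Response.new(@published.include?(uri.to_s) ? '200' : '404')
  end
end

if __FILE__ == $PROGRAM_NAME
  url = 'https://about.gitlab.com/releases/2023/07/05/security-release-gitlab-16-1-2-released/'
  notifier = Example::Security::Finalize::NotifyReleaseComplete.new(
    versions: %w[16.2.0 16.1.2 16.0.7], blog_post_url: url, http: FakeHttp.new([url])
  )
  p notifier.execute
end
```

In production the FakeHttp stand-in would be Net::HTTP itself (the default), and the `:success` branch would hand the command to the ChatOps pipeline trigger rather than return it; the failure hash carries the same command so the Slack failure notice can include it verbatim, as the job log above does.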
Testing
Pipeline
Prework
- ChatOps and release tools code was modified for testing purposes
- Both branches were protected
- A container registry image in ChatOps was created
When the blog post can be found
- Pipeline: https://ops.gitlab.net/gitlab-org/release/tools/-/pipelines/2146268
- Job: https://ops.gitlab.net/gitlab-org/release/tools/-/jobs/10685795
- ChatOps pipeline: https://ops.gitlab.net/gitlab-com/chatops/-/pipelines/2146269
Job log:
2023-07-24 20:13:03.587431 D ReleaseTools::GitlabClient -- [HTTParty] [2023-07-24 20:13:03 +0000] 200 "GET https://gitlab.com/api/v4/projects/gitlab-org%2Frelease-tools/remote_mirrors" -
2023-07-24 20:13:03.650213 I ReleaseTools::Security::Finalize::NotifyReleaseComplete -- Notifying security release completion -- {:versions=>["16.2.0", "16.1.2", "16.0.7"]}
2023-07-24 20:13:03.650268 I ReleaseTools::Security::Finalize::NotifyReleaseComplete -- Pipeline triggered on Chatops -- {:project=>gitlab-com/chatops, :branch=>"mc-test-branch"}
2023-07-24 20:13:03.650639 I ReleaseTools::Security::Finalize::BlogPostValidator -- Validating blog post url -- {:url=>"https://about.gitlab.com/releases/2023/07/05/security-release-gitlab-16-1-2-released/"}
2023-07-24 20:13:04.686529 D ReleaseTools::GitlabOpsClient -- [HTTParty] [2023-07-24 20:13:04 +0000] 201 "POST https://ops.gitlab.net/api/v4/projects/gitlab-com%2Fchatops/pipeline" 1087
2023-07-24 20:13:04.686781 I ReleaseTools::Security::Finalize::NotifyReleaseComplete -- Pipeline triggered on ChatOps -- {:pipeline=>"https://ops.gitlab.net/gitlab-com/chatops/-/pipelines/2146269"}
2023-07-24 20:13:04.686830 I ReleaseTools::Slack::Security::Notifier -- Posting slack message -- {:job_type=>"Notify Release complete", :status=>:success}
Release-tools pipeline | Job notification message | Slack Message |
---|---|---|
Link | Link | Link |
When the blog post can't be found
- Pipeline: https://ops.gitlab.net/gitlab-org/release/tools/-/pipelines/2145673
- Job: https://ops.gitlab.net/gitlab-org/release/tools/-/jobs/10684359
Job log:
2023-07-20 21:19:07.049748 I ReleaseTools::Security::Finalize::BlogPostValidator -- Validating blog post url -- {:url=>"https://about.gitlab.com/releases/2023/07/20/security-release-gitlab-16-1-2-released/"}
2023-07-20 21:19:07.308422 F ReleaseTools::Security::Finalize::NotifyRelease -- The security release blog post couldn't be found or the pipeline in ChatOps failed to be created.
Verify the blog post link is available at https://about.gitlab.com/releases/categories/releases/ and consider retrying this job. If the failure persists, manually send the notification via Slack:
/chatops run notify :mega: GitLab Security Release: 16.1.2, 16.0.7, 15.11.12 has just been released: ! Share this release blog post with your network to ensure broader visibility across our community.
-- {:error=>#<ReleaseTools::Security::Finalize::BlogPostValidator::CouldNotFindBlogPostError: ReleaseTools::Security::Finalize::BlogPostValidator::CouldNotFindBlogPostError>}
I, [2023-07-20T21:19:07.376624 #15] INFO -- sentry: ** [Sentry] [Transport] Sending envelope with items [event] e45ab641af6046de838bfccfb5d91579 to Sentry
2023-07-20 21:19:07.308608 I ReleaseTools::Slack::Security::Notifier -- Posting slack message -- {:job_type=>"Notify Release", :status=>:failed}
Pipeline | Job Notification message |
---|---|
Link | Link |
Template
When the security release pipeline FF is enabled
- Start the security_release_finalize:start job in the security release pipeline: foo
- Sync the GitLab default branch by using the merge-train project:
  - Disable the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master [pipeline schedule on the merge-train].
  - Trigger the gitlab-org/security/gitlab@master -> gitlab-org/gitlab@master [pipeline schedule on the merge-train] and wait until it finishes. This pipeline will attempt to sync the GitLab default branch.
  - If the sync fails, repeat the above step.
- If after 5 times the sync by the merge train continues to fail, use the previous strategy to sync the GitLab project:
  - Disable the merge_train_to_canonical [feature flag on ops].
  - Enable the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master [pipeline schedule on the merge-train].
  - Execute the sync_remotes task on Slack: /chatops run release sync_remotes --security. In this case, if the sync fails, a merge request will be created and release manager intervention will be required.
- Verify all remotes are synced. In Slack: /chatops run mirror status
  If conflicts are found, manual intervention will be needed to sync the repositories.
- In case it was disabled, enable the Gitaly update task.
- Close the old security release tracking issue and create a new one. In Slack: /chatops run release tracking_issue --security
- Ping the [next set of release managers] on the [upcoming security release] issue and ask them to set the intended security release due date. If needed, suggest a possible due date based on the current release activities.
- Check all new tags have synced to Canonical.
- Link the new security release tracking issue on the topic of the #releases channel, next to "Next Security Release".
When the security release pipeline is disabled
Final steps
- Sync default branches for GitLab FOSS, Omnibus GitLab and Gitaly via ChatOps. In Slack: /chatops run release sync_remotes --security
- Close the security implementation issues. In Slack: /chatops run release close_issues --security
- Enable Omnibus nightly builds by setting the schedules to active: https://dev.gitlab.org/gitlab/omnibus-gitlab/-/pipeline_schedules
- Notify engineers the security release is out (<blog post link> needs to be replaced with the actual link):
  /chatops run notify ":mega: GitLab Security Release: 16.1.3, 16.0.8, 15.11.13 has just been released: <blog post link>! Share this release blog post with your network to ensure broader visibility across our community."
- Sync the GitLab default branch by using the merge-train project:
  - Disable the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master [pipeline schedule on the merge-train].
  - Trigger the gitlab-org/security/gitlab@master -> gitlab-org/gitlab@master [pipeline schedule on the merge-train] and wait until it finishes. This pipeline will attempt to sync the GitLab default branch.
  - If the sync fails, repeat the above step.
- If after 5 times the sync by the merge train continues to fail, use the previous strategy to sync the GitLab project:
  - Disable the merge_train_to_canonical [feature flag on ops].
  - Enable the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master [pipeline schedule on the merge-train].
  - Execute the sync_remotes task on Slack: /chatops run release sync_remotes --security. In this case, if the sync fails, a merge request will be created and release manager intervention will be required.
- Verify all remotes are synced. In Slack: /chatops run mirror status
  If conflicts are found, manual intervention will be needed to sync the repositories.
- In case it was disabled, enable the Gitaly update task.
- Close the old security release tracking issue and create a new one. In Slack: /chatops run release tracking_issue --security
- Ping the [next set of release managers] on the [upcoming security release] issue and ask them to set the intended security release due date. If needed, suggest a possible due date based on the current release activities.
- Check all new tags have synced to Canonical.
- Link the new security release tracking issue on the topic of the #releases channel, next to "Next Security Release".
Author Check-list
- [-] Has documentation been updated?