Notify security release completion

Mayra Cabrera requested to merge notify-security-release-completion into master

What does this MR do and why?

Notify security release completion

Introduces logic to notify the completion of a security release via Slack. A dedicated class (Security::Finalize::NotifyReleaseComplete) was built to:

  • Validates whether the blog post URL exists via service validation.
  • If the blog post URL is valid, triggers a ChatOps pipeline with the message (it requires gitlab-com/chatops!386 (merged)).
  • As with any other security class, a Slack notification is sent if the job succeeds or fails.

Related to gitlab-com/gl-infra/delivery#19439 (closed)
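The flow the bullets above describe (validate the blog post, trigger the ChatOps pipeline, report success or failure with the manual fallback command), written out as an added illustration. This is not release-tools' or ChatOps' code: the class shape, the HTTP HEAD check, the allowed host/path, and the injectable `fetcher` and `trigger_pipeline` callables are assumptions made so the example runs offline.

```ruby
require 'net/http'
require 'uri'

# Raised when the release blog post cannot be confirmed (name mirrors the job log).
class CouldNotFindBlogPostError < StandardError; end

# Checks that the URL points at the expected release blog location and answers 200.
# `fetcher` is injectable for offline runs; the default does an HTTP HEAD (assumption).
class BlogPostValidator
  ALLOWED_HOST = 'about.gitlab.com'.freeze
  PATH_PREFIX  = '/releases/'.freeze

  def initialize(url, fetcher: nil)
    @url = url
    @fetcher = fetcher || method(:head_status)
  end

  def validate!
    uri = URI.parse(@url)
    well_formed = uri.is_a?(URI::HTTPS) && uri.host == ALLOWED_HOST && uri.path.start_with?(PATH_PREFIX)
    raise CouldNotFindBlogPostError, "unexpected blog post location: #{@url}" unless well_formed
    raise CouldNotFindBlogPostError, "blog post not found: #{@url}" unless @fetcher.call(uri) == 200
    true
  end

  def head_status(uri)
    Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.head(uri.request_uri).code.to_i }
  end
end

# Orchestrates the job: validate, trigger the pipeline, and return what a Slack
# notifier would post: :success with the pipeline, or :failed with the fallback command.
class NotifyReleaseComplete
  def initialize(versions, blog_post_url, fetcher:, trigger_pipeline:)
    @versions, @url, @fetcher, @trigger = versions, blog_post_url, fetcher, trigger_pipeline
  end

  def message(link = @url)
    ":mega: GitLab Security Release: #{@versions.join(', ')} has just been released: #{link}! " \
      'Share this release blog post with your network to ensure broader visibility across our community.'
  end

  def execute
    BlogPostValidator.new(@url, fetcher: @fetcher).validate!
    { status: :success, pipeline: @trigger.call(message) }
  rescue CouldNotFindBlogPostError, IOError, SystemCallError => e
    # Pipeline creation failures are folded into the same failed notification.
    { status: :failed, error: e.message, fallback: "/chatops run notify \"#{message('<blog post link>')}\"" }
  end
end
```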

Testing

Pipeline

Prework

  1. ChatOps and release tools code was modified for testing purposes
  2. Both branches were protected
  3. A container registry image in ChatOps was created

When the blog post can be found

Job log:

2023-07-24 20:13:03.587431 D ReleaseTools::GitlabClient -- [HTTParty] [2023-07-24 20:13:03 +0000] 200 "GET https://gitlab.com/api/v4/projects/gitlab-org%2Frelease-tools/remote_mirrors" - 
2023-07-24 20:13:03.650213 I ReleaseTools::Security::Finalize::NotifyReleaseComplete -- Notifying security release completion -- {:versions=>["16.2.0", "16.1.2", "16.0.7"]}
2023-07-24 20:13:03.650268 I ReleaseTools::Security::Finalize::NotifyReleaseComplete -- Pipeline triggered on Chatops -- {:project=>gitlab-com/chatops, :branch=>"mc-test-branch"}
2023-07-24 20:13:03.650639 I ReleaseTools::Security::Finalize::BlogPostValidator -- Validating blog post url -- {:url=>"https://about.gitlab.com/releases/2023/07/05/security-release-gitlab-16-1-2-released/"}
2023-07-24 20:13:04.686529 D ReleaseTools::GitlabOpsClient -- [HTTParty] [2023-07-24 20:13:04 +0000] 201 "POST https://ops.gitlab.net/api/v4/projects/gitlab-com%2Fchatops/pipeline" 1087 
2023-07-24 20:13:04.686781 I ReleaseTools::Security::Finalize::NotifyReleaseComplete -- Pipeline triggered on ChatOps -- {:pipeline=>"https://ops.gitlab.net/gitlab-com/chatops/-/pipelines/2146269"}
2023-07-24 20:13:04.686830 I ReleaseTools::Slack::Security::Notifier -- Posting slack message -- {:job_type=>"Notify Release complete", :status=>:success}
[Screenshots: release-tools pipeline, job notification message, Slack message]

When the blog post can't be found

Job log:

2023-07-20 21:19:07.049748 I ReleaseTools::Security::Finalize::BlogPostValidator -- Validating blog post url -- {:url=>"https://about.gitlab.com/releases/2023/07/20/security-release-gitlab-16-1-2-released/"}
2023-07-20 21:19:07.308422 F ReleaseTools::Security::Finalize::NotifyRelease -- The security release blog post couldn't be found or the pipeline in ChatOps failed to be created.
Verify the blog post link is available at https://about.gitlab.com/releases/categories/releases/ and consider retrying this job. If the failure persists, manually send the notification via Slack:
/chatops run notify :mega: GitLab Security Release: 16.1.2, 16.0.7, 15.11.12 has just been released: ! Share this release blog post with your network to ensure broader visibility across our community.
 -- {:error=>#<ReleaseTools::Security::Finalize::BlogPostValidator::CouldNotFindBlogPostError: ReleaseTools::Security::Finalize::BlogPostValidator::CouldNotFindBlogPostError>}
I, [2023-07-20T21:19:07.376624 #15]  INFO -- sentry: ** [Sentry] [Transport] Sending envelope with items [event] e45ab641af6046de838bfccfb5d91579 to Sentry
2023-07-20 21:19:07.308608 I ReleaseTools::Slack::Security::Notifier -- Posting slack message -- {:job_type=>"Notify Release", :status=>:failed}
[Screenshots: pipeline job, notification message]

Template

When the security release pipeline FF is enabled

  • Start the security_release_finalize:start job in the security release pipeline: foo

  • Sync the GitLab default branch by using the merge-train project:

    • Disable the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master [pipeline schedule on the merge-train].
    • Trigger the gitlab-org/security/gitlab@master -> gitlab-org/gitlab@master [pipeline schedule on the merge-train] and wait until it finishes. This pipeline will attempt to sync the GitLab default branch.
    • If the sync fails, repeat the above step.
  • If after 5 times the sync by the merge train continues to fail, use the previous strategy to sync the GitLab project:

    • Disable the merge_train_to_canonical [feature flag on ops].
    • Enable the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master [pipeline schedule on the merge-train].
    • Execute the sync_remotes task on Slack: /chatops run release sync_remotes --security. In this case, if the sync fails, a merge request will be created and release manager intervention will be required.
  • Verify all remotes are synced:

    # In Slack
    /chatops run mirror status

    If conflicts are found, manual intervention will be needed to sync the repositories.

  • In case it was disabled, enable the Gitaly update task.

  • Close the old security release tracking issue and create a new one:

    # In Slack
    /chatops run release tracking_issue --security
  • Ping the [next set of release managers] on the [upcoming security release] issue and ask them to set the intended security release due date. If needed, suggest a possible due date based on the current release activities.

  • Check all new tags have synced to Canonical

  • Link the new security release tracking issue on the topic of the #releases channel, next to Next Security Release.

When the security release pipeline is disabled

Final steps

  • Sync default branches for GitLab FOSS, Omnibus GitLab and Gitaly, via ChatOps:

    # In Slack
    /chatops run release sync_remotes --security
  • Close the security implementation issues

    # In Slack
    /chatops run release close_issues --security
  • Enable Omnibus nightly builds by setting the schedules to active at https://dev.gitlab.org/gitlab/omnibus-gitlab/-/pipeline_schedules

  • Notify engineers the security release is out (the blog post link placeholder needs to be replaced with the actual link):

    # In Slack
    /chatops run notify ":mega: GitLab Security Release: 16.1.3, 16.0.8, 15.11.13 has just been released: <blog post link>! Share this release blog post with your network to ensure broader visibility across our community."
  • Sync the GitLab default branch by using the merge-train project:

    • Disable the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master [pipeline schedule on the merge-train].
    • Trigger the gitlab-org/security/gitlab@master -> gitlab-org/gitlab@master [pipeline schedule on the merge-train] and wait until it finishes. This pipeline will attempt to sync the GitLab default branch.
    • If the sync fails, repeat the above step.
  • If after 5 times the sync by the merge train continues to fail, use the previous strategy to sync the GitLab project:

    • Disable the merge_train_to_canonical [feature flag on ops].
    • Enable the gitlab-org/gitlab@master -> gitlab-org/security/gitlab@master [pipeline schedule on the merge-train].
    • Execute the sync_remotes task on Slack: /chatops run release sync_remotes --security. In this case, if the sync fails, a merge request will be created and release manager intervention will be required.
  • Verify all remotes are synced:

    # In Slack
    /chatops run mirror status

    If conflicts are found, manual intervention will be needed to sync the repositories.

  • In case it was disabled, enable the Gitaly update task.

  • Close the old security release tracking issue and create a new one:

    # In Slack
    /chatops run release tracking_issue --security
  • Ping the [next set of release managers] on the [upcoming security release] issue and ask them to set the intended security release due date. If needed, suggest a possible due date based on the current release activities.

  • Check all new tags have synced to Canonical

  • Link the new security release tracking issue on the topic of the #releases channel, next to Next Security Release.

Author Check-list

  • [-] Has documentation been updated?