
Create blog MR in security mirror when release contains security data

Reuben Pereira requested to merge rp/create-patch-blog-in-security-mirror into master

What does this MR do and why?

Describe in detail what your merge request does and why.

Content

  • Create blog MR in security mirror when release contains security data

When doing a patch release that also contains security fixes, the blog MR should be created in the security mirror (gitlab-org/security/www-gitlab-com) so that the security fixes are not publicized until the release is published.

This MR refactors the MergeRequest class to use a method called project_path when calling the GitLab API. This method can be overridden by classes that inherit from MergeRequest in order to change which mirror the API calls go to.

In PatchRelease::BlogMergeRequest, which inherits from MergeRequest, we override the project_path method to return the security mirror path if the blog post contains security content.

gitlab-com/gl-infra/delivery#19719 (closed)

Testing

I applied the following diff:

diff --git a/lib/release_tools/patch_release/blog_merge_request.rb b/lib/release_tools/patch_release/blog_merge_request.rb
index bb3efc1f..cf6c4475 100644
--- a/lib/release_tools/patch_release/blog_merge_request.rb
+++ b/lib/release_tools/patch_release/blog_merge_request.rb
@@ -197,7 +197,8 @@ module ReleaseTools
       end
 
       def combined_blog_post?
-        Feature.enabled?(:combined_blog_post)
+        true
+        # Feature.enabled?(:combined_blog_post)
       end
 
       def includes_security_content?
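Review bot: In combined_blog_post?, the literal true with Feature.enabled?(:combined_blog_post) commented out bypasses the feature flag for every caller, so the combined blog post path is always taken. That is workable for a one-off local run but should stay out of the branch; if the flag has to be forced for testing, enabling it in the test environment or stubbing Feature.enabled? leaves the method itself unchanged.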
diff --git a/lib/release_tools/security/cves_finder.rb b/lib/release_tools/security/cves_finder.rb
index ff5c17f5..cf07d93f 100644
--- a/lib/release_tools/security/cves_finder.rb
+++ b/lib/release_tools/security/cves_finder.rb
@@ -51,7 +51,7 @@ module ReleaseTools
       end
 
       def cve_path
-        ReleaseTools::Project::Cves.to_s
+        ReleaseTools::Project::Cves.path
       end
 
       def client
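Review bot: The cve_path change from ReleaseTools::Project::Cves.to_s to ReleaseTools::Project::Cves.path reads as a behaviour fix rather than test scaffolding, and the visible lines do not say why it was needed. If the local run only worked with .path, the change belongs in the MR proper with a spec covering cve_path; otherwise the description should state why it is required only for local testing.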
diff --git a/lib/tasks/release.rake b/lib/tasks/release.rake
index 293c18c2..fddaa737 100644
--- a/lib/tasks/release.rake
+++ b/lib/tasks/release.rake
@@ -245,7 +245,7 @@ namespace :release do
 
     ReleaseTools.logger.info("Printing blog post for patch release", version: args[:version])
 
-    $stdout.puts blog_post.generate_blog_content
+    $stdout.puts blog_post.create
   end
 
   desc 'Post a message on slack containing a list of backports merged into the stable branches'
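Review bot: In the release.rake hunk, $stdout.puts blog_post.create turns a task whose log line still says "Printing blog post for patch release" into one that writes to the remote project, and it prints whatever create returns instead of the blog content. Keep this change local-only, or, if the task is meant to create the MR, update the log message and gate the write behind a dry-run check so that running the task cannot push content by accident.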

Then I ran the following rake task locally: SECURITY=true RELEASE_BOT_PRODUCTION_TOKEN='token' RELEASE_BOT_VERSION_TOKEN='token' bundle exec rake 'release:patch_blog_post[]'

Which resulted in the creation of the following commit: https://gitlab.com/gitlab-org/security/www-gitlab-com/-/commit/9c593d08f05baef7faac3552e6a8fc92b09ccff0 (I'll delete this branch once this MR is merged, so that we don't interfere with a legitimate patch)

Author Check-list

  • Has documentation been updated?
Edited by Reuben Pereira
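
The routing described in the MR description above, as an added example that is not release-tools code: a simplified MergeRequest takes the target of every API call from project_path, and a subclass overrides it to return the security mirror when the post has security content. RecordingClient, PUBLIC_PROJECT, the security_content: argument and projects_touched are hypothetical names introduced for the illustration; only project_path and the mirror path come from the page.

```ruby
SECURITY_MIRROR = 'gitlab-org/security/www-gitlab-com' # path quoted in the MR description
PUBLIC_PROJECT = 'example/public-www' # constructed placeholder, not a real project

# Hypothetical stand-in for the API client: records the project each call targets.
class RecordingClient
  def calls
    @calls ||= []
  end

  def merge_requests(project, **_opts)
    calls << [:merge_requests, project]
    [] # no open MR yet, so create proceeds
  end

  def create_merge_request(project, title, **_opts)
    calls << [:create_merge_request, project]
    { project: project, title: title }
  end
end

# Simplified base class: every API call takes its target from project_path.
class MergeRequest
  def initialize(client, security_content: false)
    @client = client
    @security_content = security_content
  end

  def project_path
    PUBLIC_PROJECT
  end

  def create
    return if @client.merge_requests(project_path, state: 'opened').any?
    @client.create_merge_request(project_path, 'Patch release blog post')
  end
end

# Simplified subclass: security content switches the target to the mirror.
class BlogMergeRequest < MergeRequest
  def project_path
    @security_content ? SECURITY_MIRROR : super
  end
end

# Distinct projects contacted while creating the blog MR.
def projects_touched(security_content:)
  client = RecordingClient.new
  BlogMergeRequest.new(client, security_content: security_content).create
  client.calls.map(&:last).uniq
end
```

Asserting on the full list of contacted projects, rather than only on where the MR was created, also catches a lookup call that still goes to the public project.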
