Notify release managers when patch doesn't have security fixes
What does this MR do and why?
Notify release managers if a patch doesn't have security fixes
Starting with 16.7, two patch releases have been scheduled per month, and each of them so far has included security fixes. If a patch release ever ships without security fixes, the release managers (Delivery and AppSec) should be notified, because:
- Release managers will need to update the release/tasks steps and remove the security-exclusive sections.
- AppSec release managers will need to communicate to Marketing that no security email should be sent.
Related to gitlab-com/gl-infra/delivery#20150 (closed)
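As an added illustration of the check this MR introduces (example code, not release-tools' own `FixesVerifier`), the class below decides from a patch-release issue's linked issues whether the release carries security fixes and, if not, builds the two notes seen in the logs. The class name, the `create_note(project, body)` client interface, the label-based detection and the `dry_run` flag (mirroring `TEST=true`) are assumptions.

```ruby
# Hypothetical model of the "no security fixes in this patch" check.
# Assumption: the patch-release issue's linked issues come from the GitLab API
# as an array of hashes, and a link carrying the "security" label is a fix.
class PatchFixesVerifier
  SECURITY_LABEL = 'security'

  def initialize(links:, delivery_managers:, appsec_managers:, dry_run: ENV['TEST'] == 'true')
    @links = links
    @delivery = delivery_managers
    @appsec = appsec_managers
    @dry_run = dry_run
  end

  def security_fixes?
    @links.any? { |link| Array(link['labels']).include?(SECURITY_LABEL) }
  end

  # Notes to post; empty when the release does carry security fixes.
  def notes
    return [] if security_fixes?

    [
      { project: 'gitlab-org/release/tasks',
        body: "#{mention(@delivery)} :wave:,\n\nThis patch release doesn't include security fixes. " \
              "The 'Two days before due date' and 'One due date before the due date' sections " \
              'no longer apply, please adjust the steps on this issue.' },
      { project: 'gitlab-org/gitlab',
        body: "#{mention(@appsec)} :wave:,\n\nThis patch release doesn't include security fixes. " \
              'Please notify the Marketing team that no email alert should be sent.' }
    ]
  end

  # Posts each note through +client+ (anything responding to create_note);
  # in dry-run mode it only logs what would be posted. Returns the note count.
  def run(client)
    notes.each do |note|
      if @dry_run
        warn "[dry-run] Posting note -- #{note.inspect}"
      else
        client.create_note(note[:project], note[:body])
      end
    end
    notes.size
  end

  private

  def mention(usernames)
    usernames.map { |name| "@#{name}" }.join(', ')
  end
end
```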
Test
Test evidence (the pipeline screenshot, the two notification screenshots and their links were not preserved): Pipeline | Delivery notification | AppSec notification
Script execution
Dry-run
11:24:35 ❯ TEST=true rake security:prepare:review_security_fixes
2024-04-11 11:24:40.791518 D [dry-run] ReleaseTools::GitlabClient -- [HTTParty] [2024-04-11 11:24:40 -0600] 200 "GET https://gitlab.com/api/v4/projects/gitlab-org%2Fgitlab/issues" -
2024-04-11 11:24:41.068335 D [dry-run] ReleaseTools::GitlabClient -- [HTTParty] [2024-04-11 11:24:41 -0600] 200 "GET https://gitlab.com/api/v4/projects/gitlab-org%2Fgitlab/issues/455378/links" 2
2024-04-11 11:24:41.068552 I [dry-run] ReleaseTools::Security::Prepare::FixesVerifier -- The patch release doesn't include security fixes, notifying Delivery and AppSec release managers
2024-04-11 11:24:42.782557 D [dry-run] ReleaseTools::GitlabClient -- [HTTParty] [2024-04-11 11:24:42 -0600] 200 "GET https://gitlab.com/api/v4/projects/gitlab-org%2Frelease%2Ftasks/issues" -
2024-04-11 11:24:42.782801 I [dry-run] ReleaseTools::Security::Prepare::FixesVerifier -- Posting note -- {:project=>"gitlab-org/release/tasks", :issue=>"https://gitlab.com/gitlab-org/release/tasks/-/issues/10068", :body=>"@jennykim-gitlab, @anganga, @rpereira2 :wave:,\n\nThis patch release doesn't include security fixes. The 'Two days before due date' and\n'One due date before the due date' sections no longer apply, please adjust the steps\non this issue."}
2024-04-11 11:24:44.105957 D [dry-run] ReleaseTools::GitlabClient -- [HTTParty] [2024-04-11 11:24:44 -0600] 200 "GET https://gitlab.com/api/v4/groups/4654006/members" -
2024-04-11 11:24:44.507823 D [dry-run] ReleaseTools::GitlabClient -- [HTTParty] [2024-04-11 11:24:44 -0600] 200 "GET https://gitlab.com/api/v4/projects/gitlab-com%2Fgl-security%2Fsecurity-communications%2Fcommunications/issues" -
2024-04-11 11:24:44.859534 D [dry-run] ReleaseTools::GitlabClient -- [HTTParty] [2024-04-11 11:24:44 -0600] 200 "GET https://gitlab.com/api/v4/projects/gitlab-org%2Fgitlab/issues" -
2024-04-11 11:24:44.859863 I [dry-run] ReleaseTools::Security::Prepare::FixesVerifier -- Posting note -- {:project=>"gitlab-org/gitlab", :issue=>"https://gitlab.com/gitlab-org/gitlab/-/issues/455378", :body=>"@ameyadarshan, @greg :wave:,\n\nThis patch release doesn't include security fixes. Please notify the Marketing team that\nno email alert should be sent https://gitlab.com/gitlab-com/gl-security/security-communications/communications/-/issues/590."}
Example execution
To prevent pinging actual release managers, fake issues were created and the code was adapted to use my username.
11:31:16 ❯ rake security:prepare:review_security_fixes
2024-04-11 11:31:30.974112 D ReleaseTools::GitlabClient -- [HTTParty] [2024-04-11 11:31:30 -0600] 200 "GET https://gitlab.com/api/v4/projects/gitlab-org%2Fgitlab/issues" -
2024-04-11 11:31:31.215255 D ReleaseTools::GitlabClient -- [HTTParty] [2024-04-11 11:31:31 -0600] 200 "GET https://gitlab.com/api/v4/projects/gitlab-org%2Fgitlab/issues/455707/links" 2
2024-04-11 11:31:31.215484 I ReleaseTools::Security::Prepare::FixesVerifier -- The patch release doesn't include security fixes, notifying Delivery and AppSec release managers
2024-04-11 11:31:33.056865 D ReleaseTools::GitlabClient -- [HTTParty] [2024-04-11 11:31:33 -0600] 200 "GET https://gitlab.com/api/v4/projects/gitlab-org%2Frelease%2Ftasks/issues" -
2024-04-11 11:31:33.057305 I ReleaseTools::Security::Prepare::FixesVerifier -- Posting note -- {:project=>"gitlab-org/release/tasks", :issue=>"https://gitlab.com/gitlab-org/release/tasks/-/issues/10068", :body=>"@mayra-cabrera :wave:,\n\nThis patch release doesn't include security fixes. The 'Two days before due date' and\n'One due date before the due date' sections no longer apply, please adjust the steps\non this issue."}
2024-04-11 11:31:33.945022 D ReleaseTools::GitlabClient -- [HTTParty] [2024-04-11 11:31:33 -0600] 201 "POST https://gitlab.com/api/v4/projects/gitlab-org%2Frelease%2Ftasks/issues/10068/notes" 763
2024-04-11 11:31:34.285580 D ReleaseTools::GitlabClient -- [HTTParty] [2024-04-11 11:31:34 -0600] 200 "GET https://gitlab.com/api/v4/groups/4654006/members" -
2024-04-11 11:31:34.757787 D ReleaseTools::GitlabClient -- [HTTParty] [2024-04-11 11:31:34 -0600] 200 "GET https://gitlab.com/api/v4/projects/gitlab-com%2Fgl-security%2Fsecurity-communications%2Fcommunications/issues" -
2024-04-11 11:31:35.094937 D ReleaseTools::GitlabClient -- [HTTParty] [2024-04-11 11:31:35 -0600] 200 "GET https://gitlab.com/api/v4/projects/gitlab-org%2Fgitlab/issues" -
2024-04-11 11:31:35.095359 I ReleaseTools::Security::Prepare::FixesVerifier -- Posting note -- {:project=>"gitlab-org/gitlab", :issue=>"https://gitlab.com/gitlab-org/gitlab/-/issues/455707", :body=>"@mayra-cabrera :wave:,\n\nThis patch release doesn't include security fixes. Please notify the Marketing team that\nno email alert should be sent https://gitlab.com/gitlab-com/gl-security/security-communications/communications/-/issues/590."}
2024-04-11 11:31:35.900734 D ReleaseTools::GitlabClient -- [HTTParty] [2024-04-11 11:31:35 -0600] 201 "POST https://gitlab.com/api/v4/projects/gitlab-org%2Fgitlab/issues/455707/notes" 790
Author Check-list
- [-] Has documentation been updated?
Edited by Mayra Cabrera