
Default branch security MRs can be merged in security release pipeline

Jenny Kim requested to merge jennykim/merge-default-pipeline into master

What does this MR do and why?

We currently merge the default branch security MRs by calling a chatops command during the patch release process.

We've been automating tasks using security release pipeline(s), so this MR is to move that step into the security release pipeline, similarly to the other stages such as release_preparation and publish.

Part of: gitlab-com/gl-infra/delivery#20189 (closed)

Currently in draft while testing creating the pipeline in ops.

Testing

Pipeline creation

This was tested in this repo (gitlab-org/release-tools), just to see that the pipeline gets created as we expect it.

Variable | Screenshot | Pipeline
With SECURITY_RELEASE_PIPELINE=true | (screenshot) | Pipeline (link)
With SECURITY_RELEASE_PIPELINE='early_merge' | (screenshot) | Pipeline (link)

Configuration testing

This was to test the configuration of the pipeline (the job order).

Step | Screenshot
Initialized as manual pipeline | (screenshot)
After security_release:early_merge:start is manually triggered | (screenshot)
Slack notification (link) | (screenshot)
After security_release:early_merge:start completes successfully, it starts the security_release:early_merge stage | (screenshot)

Pipeline, Testing commit (links)

Execution testing

This was to actually test the execution of the job calling bundle exec rake 'security:merge[:merge_default:'true']'. I created a test issue so as not to actually merge the MRs associated with the real security issue.

Step | Screenshot/link
Disabled the security-target issue processor in https://ops.gitlab.net/gitlab-org/release/tools/-/pipeline_schedules
Created an empty test patch release issue with the upcoming security release: https://gitlab.com/gitlab-org/gitlab/-/issues/462184
Tested locally that ReleaseTools::GitlabClient.next_security_tracking_issue returns the test issue | (screenshot)
Pipeline manually started | Pipeline, Testing commit (links)
Slack notification | (screenshot)
security_release_early_merge:merge job successfully called bundle exec rake 'security:merge[:merge_default:'true']', picked up the test issue, merged (0) MRs, and left a comment on the issue | job, bot comment (links)
Pipeline successfully finished | (screenshot)
Removed the label and closed the issue, re-enabled the pipeline schedule
Edited by Jenny Kim
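The job order described in the configuration testing above (a manual start job gating a merge stage, selected by the SECURITY_RELEASE_PIPELINE variable) can be sketched as a GitLab CI fragment. This is an added illustration, not the release-tools project's own .gitlab-ci.yml: the stage names, the rules, the echo line and the exact rake argument quoting are assumptions; only the job names, the variable values and the merge_default argument come from the MR description.

```yaml
# Added illustrative example, not the release-tools .gitlab-ci.yml.
# Assumed stage names; job names follow the MR description.
stages:
  - security_release:early_merge:start   # assumed stage holding the manual gate
  - security_release:early_merge         # stage named in the MR description

# Only create the pipeline for the two variable values the MR was tested with.
workflow:
  rules:
    - if: $SECURITY_RELEASE_PIPELINE == "true"
    - if: $SECURITY_RELEASE_PIPELINE == "early_merge"

# Manual gate: the pipeline is created blocked and waits for a human to
# trigger this job. allow_failure: false keeps later stages from starting
# until it has run and succeeded.
security_release:early_merge:start:
  stage: security_release:early_merge:start
  rules:
    - if: $SECURITY_RELEASE_PIPELINE == "early_merge"
      when: manual
      allow_failure: false
  script:
    - echo "Starting early merge of default-branch security MRs"  # assumed placeholder; Slack notification would go here

# Runs only after the start job completed successfully.
security_release_early_merge:merge:
  stage: security_release:early_merge
  rules:
    - if: $SECURITY_RELEASE_PIPELINE == "early_merge"
  needs:
    - security_release:early_merge:start
  script:
    # Standard rake task-argument syntax; the quoting in the MR description
    # is reproduced here in its conventional form (assumption).
    - bundle exec rake "security:merge[merge_default:true]"
```

With this layout, creating the pipeline with SECURITY_RELEASE_PIPELINE='early_merge' yields the "initialized as manual pipeline" state shown in the screenshots, and the merge job cannot run until the manual job is triggered, which is the control point that replaces the chatops command.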
