Default branch security MRs can be merged in security release pipeline
What does this MR do and why?
We currently merge the default branch security MRs by calling a chatops command during the patch release process.
We've been automating tasks to using security release pipeline(s), so this MR is to move that step to a part in the security release pipeline, similarly to the other stages such as release_preparation and publish.
Part of: gitlab-com/gl-infra/delivery#20189 (closed)
Currently in draft while testing creating the pipeline in ops.
Testing
Pipeline creation
This was tested in this repo (gitlab-org/release-tools), just to see that the pipeline gets created as we expect it.
With SECURITY_RELEASE_PIPELINE=true
|
With SECURITY_RELEASE_PIPELINE='early_merge'
|
|---|---|
 |
 |
| Pipeline | Pipeline |
Configuration testing
This was to test the configuration of the pipeline (the job order).
| Step | Screenshot |
|---|---|
| Initialized as manual pipeline |  |
After security_release:early_merge:start is manually triggered |
 |
| Slack notification (Link) |  |
After security_release:early_merge:start is completed successfully, it starts security_release:early_merge stage |
 |
Execution testing
This was to actually test the execution of the job calling the bundle exec rake 'security:merge[:merge_default:'true']'. I created a test issue to not actually merge the MRs associated with the actual security issue.
| Step | Screenshot/link |
|---|---|
Disabled security-target issue processor in https://ops.gitlab.net/gitlab-org/release/tools/-/pipeline_schedules
|
|
| Created an empty test patch release issue with upcoming security release https://gitlab.com/gitlab-org/gitlab/-/issues/462184 | |
Tested locally that ReleaseTools::GitlabClient.next_security_tracking_issue is returning the test issue |
 |
| Pipeline manually started | Pipeline, Testing commit |
| Slack notification |  |
security_release_early_merge:merge job successfully called bundle exec rake 'security:merge[:merge_default:'true']', picked up the test issue, and merged (0) MRs, left a comment on the issue |
job, bot comment |
| Pipeline successfully finished |  |
| Removed label and closed the issue, re-enabled the pipeline schedule |