Default branch security MRs can be merged in security release pipeline
What does this MR do and why?
We currently merge the default branch security MRs by calling a chatops command during the patch release process.
We've been automating tasks using the security release pipeline(s), so this MR moves that step into a stage of the security release pipeline, similarly to the other stages such as `release_preparation` and `publish`.
Part of: gitlab-com/gl-infra/delivery#20189 (closed)
Currently in draft while testing creating the pipeline in ops.
Testing
Pipeline creation
This was tested in this repo (gitlab-org/release-tools), just to see that the pipeline gets created as we expect it.
| With SECURITY_RELEASE_PIPELINE=true | With SECURITY_RELEASE_PIPELINE='early_merge' |
|---|---|
| Pipeline | Pipeline |
Configuration testing
This was to test the configuration of the pipeline (the job order).
| Step | Screenshot |
|---|---|
| Initialized as manual pipeline | |
| After security_release:early_merge:start is manually triggered | |
| Slack notification (Link) | |
| After security_release:early_merge:start is completed successfully, it starts the security_release:early_merge stage | |
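To make the job order in the table above concrete, here is a hypothetical `.gitlab-ci.yml` fragment added for illustration; it is not the release-tools project's own configuration. The job and stage names and the `SECURITY_RELEASE_PIPELINE` variable are taken from this description; the `rules` / `when: manual` / `allow_failure: false` wiring is an assumption about how a blocking manual start job can gate the stage that runs the merge.

```yaml
# Hypothetical fragment (added illustration, not the project's real CI config).
# Shows: the pipeline only contains these jobs when created with
# SECURITY_RELEASE_PIPELINE='early_merge', the start job is manual and
# blocking, and the merge job runs only once the start job has succeeded.
stages:
  - security_release:early_merge:start
  - security_release:early_merge

security_release:early_merge:start:
  stage: security_release:early_merge:start
  rules:
    - if: '$SECURITY_RELEASE_PIPELINE == "early_merge"'
      when: manual
      # allow_failure: false makes the manual job blocking, so the next
      # stage waits for an explicit operator action instead of auto-running.
      allow_failure: false
  script:
    - echo "Early merge of default-branch security MRs approved by operator"

security_release_early_merge:merge:
  stage: security_release:early_merge
  rules:
    - if: '$SECURITY_RELEASE_PIPELINE == "early_merge"'
  script:
    # Same rake task the description says the job calls.
    - bundle exec rake 'security:merge[:merge_default:'true']'
```

Because the start job is blocking, the merge stage cannot run without a person pressing play on the pipeline, which keeps the merge of security MRs into the default branch an explicit, auditable step rather than an automatic side effect of creating the pipeline.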
Execution testing
This was to actually test the execution of the job calling `bundle exec rake 'security:merge[:merge_default:'true']'`. I created a test issue to not actually merge the MRs associated with the actual security issue.
| Step | Screenshot/link |
|---|---|
| Disabled security-target issue processor in https://ops.gitlab.net/gitlab-org/release/tools/-/pipeline_schedules | |
| Created an empty test patch release issue with upcoming security release https://gitlab.com/gitlab-org/gitlab/-/issues/462184 | |
| Tested locally that ReleaseTools::GitlabClient.next_security_tracking_issue is returning the test issue | |
| Pipeline manually started | Pipeline, Testing commit |
| Slack notification | |
| security_release_early_merge:merge job successfully called `bundle exec rake 'security:merge[:merge_default:'true']'`, picked up the test issue, merged (0) MRs, and left a comment on the issue | job, bot comment |
| Pipeline successfully finished | |
| Removed label and closed the issue, re-enabled the pipeline schedule | |