Add publish step to the patch release pipeline (!3274) · Merge requests · GitLab.org / release-tools

Dat Tang requested to merge dattang/automate-patch-release-publish-step into master Jul 08, 2024

What does this MR do and why?

Describe in detail what your merge request does and why.

Currently, during the patch release process, we run these chatops commands to publish the release, one patch version at a time. We do this after the tagging process.

/chatops run publish --security <patch version>

This MR changes from using ChatOps to the GitLab CI pipeline for the publish step.

Ref: gitlab-com/gl-infra/delivery#20201 (closed)

Content

Add a base class ReleaseTools::Security::Jobs
Add a class ReleaseTools::Security::Publish::Jobs for generating a publish downstream pipeline, with corresponding CI jobs. The downstream pipeline includes three job, for three patch release versions.
Add a class ReleaseTools::Security::Publish::PatchRelease to perform the publish and send notification.
Add rspec for new classes.

Workflow of the publish step

The security_release_publish:start is manually triggered and send a Slack notification.
A dynamic pipeline is created, which includes three jobs for the three versions.
The downstream pipeline runs, which publish versions one by one.
A notification is sent for each version, successful or failed.

Testing

Pipeline creation

This was tested in this repo (gitlab-org/release-tools), just to see that the pipeline gets created as we expect it.

With `SECURITY_RELEASE_PIPELINE=true`	With `SECURITY_RELEASE_PIPELINE='publish'`
(The publish step happens after tagging and before verifying images)	Looking at the dependencies between jobs, we see that the order is: Start notification Create a dynamic pipeline Run the generated pipeline Move blog post (need another manual trigger) Deploy blog post
Pipeline	Pipeline

With SECURITY_RELEASE_PIPELINE=true

With SECURITY_RELEASE_PIPELINE='publish'

(The publish step happens after tagging and before verifying images)

Looking at the dependencies between jobs, we see that the order is:

Start notification
Create a dynamic pipeline
Run the generated pipeline
Move blog post (need another manual trigger)
Deploy blog post

Pipeline

Configuration testing

This was to test the configuration of the pipeline (the job order).

Step	Screenshot
For testing - Echo a log line instead of actually doing sth (Testing commit)
Initialized as manual pipeline (Pipeline) IS_TESTING = true SECURITY_RELEASE_PIPELINE = publish
After `security_release_publish:start` is manually triggered
Slack notification (Link)
After `ssecurity_release_publish:start` is completed successfully, it starts `security_release_publish:create_dynamic_pipeline`. This job successfully creates the dynamic pipeline and then trigger it.
`security_release_publish:generate_jobs` includes three jobs for three patch releases.
The blog post jobs still need another manual triger.

Execution testing

This was to actually test the execution of the job calling the bundle exec rake 'security:verify_images:verify' .

Step	Screenshot/link
Check if the list of versions is get correctly	[1] pry(main)> ReleaseTools::PatchRelease::Coordinator.new.versions => ["17.1.2", "17.0.4", "16.11.6"]
Test commit to skip the rake task, to test the notification only (Testing commit)
Initialized as manual pipeline (Pipeline) IS_TESTING = true SECURITY_RELEASE_PIPELINE = publish
Slack notification when the job starts (link)
Triggered pipeline is created with three jobs for three release versions
Each `security_release:publish:<version>` posts a Slack notification once it succeeds (or fails)
If the publish task fails, a slack notification like this is posted