Rewords auto-deploy step on security template
What does this MR do?
Records auto-deploy step on security template. Merge requests targeting master are automatically picked in the
current auto-deploy branch after they're merged, so the security patch
template is updated to reflect so.
The old script was left in place in case they were not picked for some reason.
Example of the security template
Security patch release: 12.10.2, 12.9.9, 12.8.7
General guidelines
- Be sure to follow the Security Releases general information and Security Releases as Release Manager.
- Always work on GitLab Security and dev.gitlab.org. Do not push anything to GitLab Canonical
- Deployment tasks (staging, production canary VMs, and production) should be done only if the patch is for the latest version. Feel free to delete those sections if they don't apply.
Preparation
-
Validate issues and merge requests on the Security issue. - Per security issue, ensure all related merge requests are valid and assigned to the
@gitlab-release-tools-bot - If any merge request is not valid, unassign all the related merge requests and notify the author.
- Per security issue, ensure all related merge requests are valid and assigned to the
-
Merge security merge requests using ChatOps: # In Slack: /chatops run release merge --security -
If any merge requests could not be merged, investigate what needs to be done to resolve the issues. Do not proceed unless it has been determined safe to do so.
Auto-Deploy - only for the latest version
The following steps should ideally be completed within one day.
-
Temporarily disable the scheduled auto-deploy tasks via ChatOps: # In Slack /chatops run auto_deploy pause -
Ensure latest auto-deploy branches are synced across Canonical, Security, and Build: # In Slack /chatops run mirror status -
Disable omnibus nightly builds by setting the schedules to inactive https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules -
Merge security merge requests targeting masterusing ChatOps:# In Slack: /chatops run release merge --security --master -
Ensure merge requests targeting masterwere automatically picked into the current auto-deploy branch. If they were not picked, you can use the following script to pick them.
Script to push to auto-deploy branch
# fetch both remotes
git fetch origin
git fetch security
# sync current auto-deploy branch on security
git checkout -b CURRENT_AUTO_DEPLOY_BRANCH --track security/CURRENT_AUTO_DEPLOY_BRANCH
git pull origin CURRENT_AUTO_DEPLOY_BRANCH
git push security
# get a list of all the merge commits on security/master not available on origin/master
git log origin/master..security/master --merges | grep "^commit"
# cherry-pick each commit on that list in the current auto-deploy branch
git cherry-pick -m 1 -x COMMIT_ID
# push to security
git push security
-
Trigger an auto-deploy tagging via ChatOps: # In Slack /chatops run auto_deploy tag --security- This will trigger a deployer pipeline that automatically deploys to staging. If successful this will also create a QA issue.
QA
-
On the deployer pipeline, manually cancel the gprd-cny-warmupfrom the deployer pipeline. This will prevent the automatic promotion to Canary. -
Once the deploy to staging is completed, notify the @appsec-teammember so they can validate the security fixes on staging. -
Once the security fixes been validated on staging, manually promote to Canary. -
Once the deploy to canary is completed, notify the @appsec-teammember so they can validate the security fixes on canary.- It's recommended to wait for this confirmation, but not a strict requirement to continue the process.
-
If there are no objections, proceed to push this to production.
Packaging
-
Ping the Security Engineers so they can get started with the blog post. The blog post should be done on https://dev.gitlab.org/gitlab/www-gitlab-com -
Ensure tests are green in CE and green in EE # In Slack: /chatops run release status --security -
Tag the security release: # In Slack: /chatops run release tag --security 12.10.2 /chatops run release tag --security 12.9.9 /chatops run release tag --security 12.8.7 -
Check that EE and CE packages are built: - 12.10.2: EE packages and CE packages
- 12.9.9: EE packages and CE packages
- 12.8.7: EE packages and CE packages
Deploy
-
Verify that pre.gitlab.com is running the latest patch version - Check in Slack
#announcementschannel - Go to https://pre.gitlab.com/help
- Check in Slack
Release
-
This section should be done in coordination with the Security team, so make sure to confirm with them before proceeding # In Slack @appsec-team - We are ready to publish the security release packages for 12.10.2, please let us know if the blog post is ready. -
Publish the packages via ChatOps: # In Slack: /chatops run publish 12.10.2 /chatops run publish 12.9.9 /chatops run publish 12.8.7 -
Create the versions: -
12.10.2version on version.gitlab.com. Be sure to mark it as a security release. -
12.9.9version on version.gitlab.com. Be sure to mark it as a security release. -
12.8.7version on version.gitlab.com. Be sure to mark it as a security release.
-
-
Merge the blog post on https://gitlab.com/gitlab-com/www-gitlab-com -
In the #content-updateschannel, share a link to the blog post. -
Enable omnibus nightly builds by setting the schedules to active https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules
Sync
-
Push security/gitlabmaster, andauto-deploybranches to all remotes. -
Push security/gitlab-fossmasterandauto-deploybranches to all remotes. -
Push security/omnibus-gitlabmasterandauto-deploybranches to all remotes. -
Push security/gitalymasterbranch to all remotes. -
Verify all remotes are synced: # In Slack /chatops run mirror status
Auto-Deploy - only for the latest version
-
Re-enable the scheduled auto-deploy tasks via ChatOps: # In Slack /chatops run auto_deploy unpause -
Create a new auto-deploy branch from mastervia ChatOps:# In Slack /chatops run auto_deploy prepare
Related to https://gitlab.com/gitlab-org/release-tools/-/issues/364