Automate validation of security merge requests

This automates the process of validating (not merging) security merge requests on dev.gitlab.org, based on the requirements outlined in https://gitlab.com/gitlab-org/release/framework/issues/165. This work is done periodically instead of when we're about to merge security merge requests, allowing us to catch any errors earlier in the security release workflow.

When a merge request does not meet our requirements, a discussion note is created explaining why. The use of a discussion note is deliberate: it prevents merging the merge request before the discussion is resolved. The details of every error are collapsed by default, as otherwise the note can get very long, making it harder to quickly scan the error summaries. After the note is submitted, the code assigns the merge request back to the author.

The code makes no attempt to edit previous comments, or to skip posting a new one when previous comments are present. This is done deliberately for the following two reasons:

  1. It's easier to implement
  2. It provides a clear overview of how many times the merge request was assigned back, and what the errors were at every point in time

We also don't look at merge requests assigned to release managers (RMs); instead we only look at those assigned to the bot. This allows us to assign certain merge requests to RMs when the bot would otherwise reassign them. An example might be a merge request that fails due to an error unrelated to its changes (e.g. a case of broken master). Only looking at merge requests assigned to the bot is also easier to implement.
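As an added example (not the release-tools code itself), a Ruby sketch of the flow described above: select only merge requests assigned to the bot, run each rule, build a note whose per-error details are collapsed, and assign the merge request back to its author. The bot username and the two rules are assumptions; the real requirements live in the linked issue.

```ruby
# Added illustration of the validation pass; not the release-tools code.
# Merge requests are plain hashes here so the example runs offline.

BOT_USERNAME = 'gitlab-release-tools-bot' # assumed bot account name

# A rule returns nil when the MR passes, or an error message otherwise.
# These two rules are hypothetical placeholders for the real requirements.
EXAMPLE_RULES = {
  'Target branch' => lambda { |mr|
    'Must target a security branch' unless mr[:target_branch].start_with?('security/')
  },
  'Pipeline' => lambda { |mr|
    "Pipeline status is #{mr[:pipeline_status]}" unless mr[:pipeline_status] == 'success'
  }
}.freeze

# Only MRs assigned to the bot are considered; anything handed to an RM is skipped.
def assigned_to_bot(merge_requests, bot = BOT_USERNAME)
  merge_requests.select { |mr| mr[:assignee] == bot }
end

# Run every rule and collect the failures keyed by rule name.
def validate(mr, rules = EXAMPLE_RULES)
  rules.each_with_object({}) do |(name, rule), errors|
    message = rule.call(mr)
    errors[name] = message if message
  end
end

# Build the discussion note: a short summary list first, then each error's
# details wrapped in a <details> block so they are collapsed by default.
def build_note(errors)
  lines = ['This merge request does not meet the security release requirements:', '']
  errors.each_key { |name| lines << "* #{name}" }
  errors.each do |name, message|
    lines << '' << '<details>' << "<summary>#{name}</summary>" << '' << message << '' << '</details>'
  end
  lines.join("\n")
end

# Decide what to do with one MR: nil when it passes, otherwise the note to post
# and the author to assign it back to. A fresh note is created every run;
# earlier notes are never edited or suppressed.
def process(mr, rules = EXAMPLE_RULES)
  errors = validate(mr, rules)
  return nil if errors.empty?

  { note: build_note(errors), assign_to: mr[:author] }
end
```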

What it looks like

(Screenshot of the generated discussion note, captured 2019-03-07)

A live preview can be found here.

TODO

  • Set up CI job that runs this code periodically, making sure it doesn't get triggered for other schedules
  • Write RSpec tests
Edited by Yorick Peterse