Automate merging of security merge requests
Currently, security merge requests are manually merged into the security branches, after which we either cherry-pick them individually into the stable branches or merge the entire security branches. Whichever approach we take, this requires manual, time-consuming work.
To remedy this, I propose we automate this workflow using chatops. This would work as follows:
- Every security MR is assigned to @gitlab-bot and has the appropriate labels, milestones, etc. MRs also need at least one approval.
- Chatops has a command that will query these MRs, and merge them into the security branches using the API.
- The command merges the security branch into the stable branch. The API doesn't allow merging of branches directly, so we have three choices:
  - We create a merge request that doesn't run a CI pipeline, then have the bot merge it right away.
  - We cherry-pick the security MRs after they have been merged into the security branches.
  - Security MRs target the stable branches directly, allowing us to merge them straight into the stable branches. Since MRs are not merged until we're working on a security release, this should not expose anything by accident.
- We just run this command from Slack whenever necessary.
While this won't solve the issue of merging changes into the upstream GitLab repositories, it at least removes the need for release managers (RMs) to go through dozens of merge requests manually.
All of this requires one important change: the security workflow has to be on GitLab.com. Otherwise we need to set up @gitlab-bot on dev, keep even more API tokens around, handle the dev-specific case in chatops, etc.
Merge Request Requirements
For an MR to be merged, it would have to meet these requirements:
- It must have a milestone assigned. For `master` MRs this would be the latest milestone.
- It must have the security and "Merge into Security" (or "Pick into X" if we get rid of security branches) labels
- It must be assigned to @gitlab-bot
- It must have at least one approval
- The pipeline must be green
- ~~The merge request body must include a link to the security issue, in the format `**Security issue:** ISSUE` (so it's easier to detect)~~ Scrapped, too hard to parse. Related issues/MRs would solve this, but this isn't available on dev
- The merge request must not have the WIP status
- The merge request must use the security MR template. We could detect this by including a comment `<!-- SECURITY MR -->` somewhere, then checking if that comment is present.
The process should also look at security merge requests that are assigned to release managers, and take these two steps:
- Notify the MR author that security merge requests should be assigned to the release tools bot
- Re-assign the MR to the release tools bot
This is necessary to ensure authors don't assign MRs to the wrong people, resulting in the MRs being overlooked. This also removes the need for us having to manually remind people.
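As an added illustration of both the requirements list above and the reassignment step, here is a small Ruby validator (example code, not release-tools or chatops code). It operates on a Hash shaped like a GitLab merge request API response; the field names (`milestone`, `labels`, `assignee`, `author`, `work_in_progress`, `description`, `target_branch`) and the separately supplied approval count and pipeline status are assumptions about the API shape, and the sample MR is constructed for the example.

```ruby
# Added example, not release-tools code. Field names follow the shape of the
# GitLab merge request API as an assumption; adjust to the real response.
SECURITY_BOT = 'gitlab-bot'.freeze
TEMPLATE_MARKER = '<!-- SECURITY MR -->'.freeze
REQUIRED_LABELS = ['security', 'Merge into Security'].freeze

# Returns an Array of human-readable failure reasons; an empty Array means
# the MR satisfies every requirement and may be merged by the bot.
# approvals_count and pipeline_status come from separate API calls in
# practice, so they are passed in explicitly here.
def security_mr_failures(mr, latest_milestone:, approvals_count:, pipeline_status:)
  failures = []

  milestone = mr['milestone'] && mr['milestone']['title']
  if milestone.nil?
    failures << 'no milestone assigned'
  elsif mr['target_branch'] == 'master' && milestone != latest_milestone
    failures << "master MR must use latest milestone #{latest_milestone}, has #{milestone}"
  end

  missing = REQUIRED_LABELS - (mr['labels'] || [])
  failures << "missing labels: #{missing.join(', ')}" unless missing.empty?

  assignee = mr['assignee'] && mr['assignee']['username']
  failures << "assigned to #{assignee.inspect}, expected #{SECURITY_BOT}" unless assignee == SECURITY_BOT

  failures << 'needs at least one approval' unless approvals_count >= 1
  failures << "pipeline status is #{pipeline_status}, expected success" unless pipeline_status == 'success'
  failures << 'merge request is WIP' if mr['work_in_progress']
  # Template detection: the security MR template carries a hidden HTML comment.
  failures << 'security MR template marker not found' unless (mr['description'] || '').include?(TEMPLATE_MARKER)

  failures
end

# For an MR assigned to a release manager instead of the bot, return the two
# actions the process should take (notify the author, then reassign). Any
# other assignee yields no actions.
def reassignment_actions(mr, release_managers:)
  assignee = mr['assignee'] && mr['assignee']['username']
  return [] unless release_managers.include?(assignee)

  author = mr['author']['username']
  [
    { action: :comment, body: "@#{author} security merge requests should be assigned to @#{SECURITY_BOT}" },
    { action: :assign, username: SECURITY_BOT }
  ]
end

# Constructed sample input for the example; not real MR data.
SAMPLE_MR = {
  'iid' => 1,
  'target_branch' => 'master',
  'milestone' => { 'title' => '12.0' },
  'labels' => ['security', 'Merge into Security'],
  'assignee' => { 'username' => 'gitlab-bot' },
  'author' => { 'username' => 'alice' },
  'work_in_progress' => false,
  'description' => "<!-- SECURITY MR -->\n**Security issue:** https://example.invalid/issues/1"
}.freeze

if $PROGRAM_NAME == __FILE__
  result = security_mr_failures(SAMPLE_MR, latest_milestone: '12.0',
                                approvals_count: 1, pipeline_status: 'success')
  puts(result.empty? ? 'mergeable' : result.join("\n"))
end
```

Returning the full list of failures rather than stopping at the first one lets the bot post a single comment telling the author everything that still needs fixing, instead of one round-trip per requirement.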
TODO
- [x] Implement automatic validation of security merge requests: gitlab-org/release-tools!558 (merged)
- [x] Implement merging of valid security merge requests in release-tools: gitlab-org/release-tools!564 (merged)
- [x] Add chatops command to allow merging of valid security merge requests from Slack: gitlab-com/chatops!49 (merged)