Release Gemnasium v4
Why are we doing this work
Per process, new major releases of GitLab come with new major releases of the Secure analyzer projects. We have to release Gemnasium v4 and update the Dependency Scanning CI template to use it, starting from GitLab 16.0.
Relevant links
TODO: link to relevant doc sections for the release process
Non-functional requirements
- Documentation: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
- Feature flag: -
- Performance: -
- Testing:
  - Integration tests for the new CI template, which uses the new images with tag :4.
  - Non-regression tests for the old CI template, which uses the existing images with tag :3.
Implementation plan
- Release Gemnasium v4.
  - Create v4 branch from master.
    - Upgrade Go module to gemnasium/v4.
    - Add a pre-release to the changelog.
  - Merge breaking changes into v4, and publish pre-releases. See &9609 (closed)
  - Create v3 branch from master.
    - Make v3 a protected branch if needed.
      - Maintainers and @group_2452873_bot are allowed to merge.
      - No one is allowed to push and merge.
    - Create a daily scheduled pipeline for v3.
  - Merge v4 into master.
  - Merge the changelog entries of all the pre-releases, and publish v4.0.0.
- Update DS_MAJOR_VERSION to 4 in CI template.
- Update user documentation.
  - Update references to Docker images.
NOTES
- The documentation doesn't cover DS_MAJOR_VERSION.
- The specs of the CI templates don't reference the image names.
- The CI templates used by Gemnasium already support version branches. See https://gitlab.com/gitlab-org/security-products/ci-templates/-/blob/d37268eb93d50f5b546caeaf4d3f78ea0d837978/includes-dev/docker.yml#L85
Verification steps
On GitLab 16.x, run a new pipeline in a project where the Dependency Scanning CI template is included.
- If this is a Java project, the gemnasium-maven-dependency_scanning job successfully runs the gemnasium-maven:4 image.
- If this is a Python project, the gemnasium-python-dependency_scanning job successfully runs the gemnasium-python:4 image.
- In other projects, the gemnasium-dependency_scanning job successfully runs the gemnasium-maven:4 image.
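As an added check for the verification steps above (example code, not part of this issue or of the Gemnasium project), the script below reads a job log produced by a GitLab Runner docker executor and confirms that the job pulled the expected image with major tag 4. The "Using docker image ... for <image> with digest ..." log format is assumed here, and the log excerpts are constructed samples.

```python
import re

# GitLab Runner (docker executor) reports the image it started a job with on a
# line of this shape; the format is an assumption for this example.
IMAGE_LINE_RE = re.compile(r"Using docker image \S+ for (?P<ref>\S+) with digest")

# Constructed log excerpts, not real pipeline output. The Python job below is
# deliberately still on the old :3 image so the check has a failing case.
SAMPLE_LOGS = {
    "gemnasium-maven-dependency_scanning":
        "Using docker image sha256:0a1b for registry.gitlab.com/security-products/"
        "gemnasium-maven:4 with digest registry.gitlab.com/security-products/"
        "gemnasium-maven@sha256:0a1b ...",
    "gemnasium-python-dependency_scanning":
        "Using docker image sha256:2c3d for registry.gitlab.com/security-products/"
        "gemnasium-python:3 with digest registry.gitlab.com/security-products/"
        "gemnasium-python@sha256:2c3d ...",
}


def parse_image_ref(log_text):
    """Return (repository, tag) for the job image found in the log, or None."""
    match = IMAGE_LINE_RE.search(log_text)
    if not match:
        return None
    ref = match.group("ref")
    repo, sep, tag = ref.rpartition(":")
    # No colon, or the colon belongs to a registry port ("registry:5000/img"):
    # the image has no explicit tag, which Docker treats as "latest".
    if not sep or "/" in tag:
        return ref, "latest"
    return repo, tag


def check_job_image(job_name, log_text, expected_image, expected_major):
    """Check that the job ran <expected_image> with the expected major tag."""
    parsed = parse_image_ref(log_text)
    if parsed is None:
        return False, f"{job_name}: no 'Using docker image' line in log"
    repo, tag = parsed
    if repo.rsplit("/", 1)[-1] != expected_image:
        return False, f"{job_name}: unexpected image {repo}:{tag}"
    major = re.match(r"\d+", tag)
    if major is None or major.group(0) != expected_major:
        return False, f"{job_name}: expected major {expected_major}, got {repo}:{tag}"
    return True, f"{job_name}: {repo}:{tag} ok"


def run_checks(logs=SAMPLE_LOGS, expected_major="4"):
    """Map each job name to (ok, message) for the images named on this page."""
    expected = {"gemnasium-maven-dependency_scanning": "gemnasium-maven",
                "gemnasium-python-dependency_scanning": "gemnasium-python"}
    return {job: check_job_image(job, logs[job], image, expected_major)
            for job, image in expected.items() if job in logs}
```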
Pipelines
- Pipelines are created for new commits pushed to v4.
- Images with tag 4 are pushed to the official registry when PUBLISH_IMAGES is set.
- Pipelines are created for new commits pushed to v3.
- Images with tag 3 are pushed to the official registry when PUBLISH_IMAGES is set.
- There's a daily scheduled pipeline for v3, and the last run is successful.
Project settings
- v3 is protected, and we can't directly push to that branch.
- v4 is protected, and we can't directly push to that branch.
Edited by Fabien Catteau