Removes QA from security template
What does this MR do?
Starting with the security release of 13.2, QA is performed before the security merge requests targeting master are merged. Therefore we no longer need to wait for AppSec to validate the security fixes on staging; we can now promote directly to Canary and to production (if there are no active incidents or issues on Sentry).

This commit updates the security template to reflect that.
Related to gitlab-com/gl-infra/delivery#839 (closed)
Example
Security Release example
Security patch release: 13.1.4, 13.0.10, 12.10.15
Preparation
Preparation steps should ideally be completed within one day.
- Temporarily disable the scheduled auto-deploy tasks via ChatOps:
  # In Slack
  /chatops run auto_deploy pause
- Disable Omnibus nightly builds by setting the schedules to inactive: https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules
- Ensure that staging, canary, and production are all running the same version from the same auto-deploy branch.
- Ensure the latest auto-deploy branches are synced across Canonical, Security, and Build:
  # In Slack
  /chatops run mirror status
- Merge security merge requests using ChatOps:
  # In Slack
  /chatops run release merge --security
- If any merge requests could not be merged, investigate what needs to be done to resolve the issues. Do not proceed unless it has been determined safe to do so.
- Ensure security fixes are included in the auto-deploy branch. Fixes are automatically cherry-picked into the auto-deploy branch after they're merged. If they were not cherry-picked, you can use the cherry-pick script to do it manually.
  - For GitLab
  - For Omnibus GitLab
Auto Deploy tag and deployment to GitLab.com
- Tag a new auto-deploy version via ChatOps (no need to wait for a green build), to create a deployer pipeline that will deploy to Canary and create a QA issue:
  # In Slack
  /chatops run auto_deploy tag --security
- Ping the Security Engineers so they can get started with the blog post. The blog post should be done on https://dev.gitlab.org/gitlab/www-gitlab-com
- Once the deployment to Canary has been completed, if there are no issues reported on Sentry and no active production incidents, proceed to promote to production.
Packaging
- Ensure tests are green in CE and green in EE:
  # In Slack
  /chatops run release status --security
- Tag the security release:
  # In Slack
  /chatops run release tag --security 13.1.4
  /chatops run release tag --security 13.0.10
  /chatops run release tag --security 12.10.15
- Check that EE and CE packages are built:
  - 13.1.4: EE packages and CE packages
  - 13.0.10: EE packages and CE packages
  - 12.10.15: EE packages and CE packages
Deploy
- Verify that release.gitlab.net is running the latest patch version:
  - Check in the Slack #announcements channel
  - Go to https://release.gitlab.net/help
Release
- This section should be done in coordination with the Security team, so make sure to confirm with them before proceeding:
  # In Slack
  @appsec-team - We are ready to publish the security release packages for 13.1.4, please let us know if the blog post is ready.
- Publish the packages via ChatOps:
  # In Slack
  /chatops run publish 13.1.4
  /chatops run publish 13.0.10
  /chatops run publish 12.10.15
- Verify that EE packages appear on packages.gitlab.com: EE (should contain 14 packages)
- Verify that CE packages appear on packages.gitlab.com: CE (should contain 13 packages)
- Create the versions:
  - 13.1.4 version on version.gitlab.com. Be sure to mark it as a security release.
  - 13.0.10 version on version.gitlab.com. Be sure to mark it as a security release.
  - 12.10.15 version on version.gitlab.com. Be sure to mark it as a security release.
- Merge the blog post on https://gitlab.com/gitlab-com/www-gitlab-com
- In the #content-updates channel, share a link to the blog post.
Sync
- Sync master and auto-deploy branches for GitLab, GitLab FOSS, Omnibus GitLab and Gitaly, via ChatOps:
  # In Slack
  /chatops run release sync_remotes --security
- Verify all remotes are synced:
  # In Slack
  /chatops run mirror status
  If conflicts are found, manual intervention will be needed to sync the repositories.
Auto-Deploy
- Re-enable the scheduled auto-deploy tasks via ChatOps:
  # In Slack
  /chatops run auto_deploy unpause
- Enable Omnibus nightly builds by setting the schedules to active: https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules