Update security release template to use notify
What does this MR do?
Updates the security release template to notify multiple Slack channels when a security release is published
Action item from https://gitlab.com/gitlab-com/marketing/corporate_marketing/corporate-marketing/-/issues/4287
Examples
Regular security release
Security patch release: 13.10.1, 13.9.5, 13.8.7
First steps
-
Disable Omnibus nightly builds by setting the schedules to inactive: https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules. -
Ensure that Canonical, Security and Build repositories are synced: # In Slack /chatops run mirror status -
Modify the dates below to accurately reflect the plan of action.
Early-merge phase
Up until the 27th, or one day before the Security Release due date
- Merge the merge requests targeting default branches
# In Slack /chatops run release merge --security --default-branch
On the 27th (one day before due date)
If this date is on a weekend, do this work on the next working day.
-
Notify AppSec Engineers that the Security Release has started. Link to the blog post on security: https://gitlab.com/gitlab-org/security/www-gitlab-com/-/merge_requests/ -
Merge security merge requests targeting default branches # In Slack: /chatops run release merge --security --default-branch -
Merge backports and any other merge request pending: # In Slack: /chatops run release merge --security -
If any merge requests could not be merged, investigate what needs to be done to resolve the issues. Do not proceed unless it has been determined safe to do so.
On the Due Date
Packaging
-
Ensure tests are green in CE and green in EE # In Slack: /chatops run release status --security -
Tag the 13.10.1 security release, and wait for the pipeline to finish: /chatops run release tag --security 13.10.1 -
Tag the 13.9.5 security release, and wait for the pipeline to finish: /chatops run release tag --security 13.9.5 -
Tag the 13.8.7 security release, and wait for the pipeline to finish: /chatops run release tag --security 13.8.7
Waiting between pipelines is necessary as they may othewise fail to concurrently push changes to the same project/branch.
-
Check that EE and CE packages are built: - 13.10.1: EE packages and CE packages
- 13.9.5: EE packages and CE packages
- 13.8.7: EE packages and CE packages
Deploy
-
Verify that release.gitlab.net is running the latest patch version - Check in Slack
#announcementschannel - Go to https://release.gitlab.net/help
- Check in Slack
Release
-
Publish the packages via ChatOps: # In Slack: /chatops run publish 13.10.1 /chatops run publish 13.9.5 /chatops run publish 13.8.7 -
Notify AppSec counterparts they can submit the blog post to https://gitlab.com/gitlab-com/www-gitlab-com/ -
Verify that EE packages appear on packages.gitlab.com: EE (should contain 15 packages) -
Verify that CE packages appear on packages.gitlab.com: CE (should contain 13 packages) -
Create the versions: -
13.10.1version on version.gitlab.com. Be sure to mark it as a security release. -
13.9.5version on version.gitlab.com. Be sure to mark it as a security release. -
13.8.7version on version.gitlab.com. Be sure to mark it as a security release.
-
-
Deploy the blog post
Final steps
-
Sync default branches for GitLab, GitLab Foss, Omnibus GitLab and Gitaly, via ChatOps: # In Slack /chatops run release sync_remotes --security -
Verify all remotes are synced: # In Slack /chatops run mirror statusIf conflicts are found, manual intervention will be needed to sync the repositories.
-
Close the security implementation issues # In Slack /chatops run release close_issues --security -
Notify engineers the security release is out ( blog post linkneeds to be replaced with the actual link):/chatops run notify ":mega: GitLab Security Release: 13.10.1, 13.9.5, 13.8.7 has just been released: <blog post link>! Share this release blog post with your network to ensure broader visibility across our community." -
Enable Omnibus nightly builds by setting the schedules to active https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules -
Close the old security release tracking issue and create a new one: # In Slack /chatops run release tracking_issue --security -
Link the new security release tracking issue on the topic of the #releases channel, next to Next Security Release.
Critical security release
Critical security patch release: 13.10.1, 13.9.5, 13.8.7
First steps
-
Disable Omnibus nightly builds by setting the schedules to inactive: https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules. -
Ensure that Canonical, Security and Build repositories are synced: # In Slack /chatops run mirror status
One day before the due date
-
Notify AppSec Engineers that the Security Release has started. Link to the blog post on security: https://gitlab.com/gitlab-org/security/www-gitlab-com/-/merge_requests/ -
Merge critical security merge requests using the UI. - Enable "Squash commits" option when merging.
-
Cherry-pick the security fixes into the auto-deploy branch that is running on production. -
Wait for the tests on the auto-deploy branch to pass. This ensures that when we tag, we tag the security commits; not older commits. -
Deploy all the fixes to production.
On the Due Date
Packaging
-
Ensure tests are green in CE and green in EE # In Slack: /chatops run release status --security -
Tag the 13.10.1 security release, and wait for the pipeline to finish: /chatops run release tag --security 13.10.1 -
Tag the 13.9.5 security release, and wait for the pipeline to finish: /chatops run release tag --security 13.9.5 -
Tag the 13.8.7 security release, and wait for the pipeline to finish: /chatops run release tag --security 13.8.7
Waiting between pipelines is necessary as they may othewise fail to concurrently push changes to the same project/branch.
-
Check that EE and CE packages are built: - 13.10.1: EE packages and CE packages
- 13.9.5: EE packages and CE packages
- 13.8.7: EE packages and CE packages
Deploy
-
Verify that release.gitlab.net is running the latest patch version - Check in Slack
#announcementschannel - Go to https://release.gitlab.net/help
- Check in Slack
Release
-
Publish the packages via ChatOps: # In Slack: /chatops run publish 13.10.1 /chatops run publish 13.9.5 /chatops run publish 13.8.7 -
Notify AppSec counterparts they can submit the blog post to https://gitlab.com/gitlab-com/www-gitlab-com/ -
Verify that EE packages appear on packages.gitlab.com: EE (should contain 15 packages) -
Verify that CE packages appear on packages.gitlab.com: CE (should contain 13 packages) -
Create the versions: -
13.10.1version on version.gitlab.com. Be sure to mark it as a security release. -
13.9.5version on version.gitlab.com. Be sure to mark it as a security release. -
13.8.7version on version.gitlab.com. Be sure to mark it as a security release.
-
-
Deploy the blog post
Final steps
-
Sync default branches for GitLab, GitLab Foss, Omnibus GitLab and Gitaly, via ChatOps: # In Slack /chatops run release sync_remotes --security -
Verify all remotes are synced: # In Slack /chatops run mirror statusIf conflicts are found, manual intervention will be needed to sync the repositories.
-
Close the security implementation issues # In Slack /chatops run release close_issues --security -
Notify engineers the security release is out ( blog post linkneeds to be replaced with the actual link):/chatops run notify ":mega: GitLab Critical Security Release: 13.10.1, 13.9.5, 13.8.7 has just been released: <blog post link>! Share this release blog post with your network to ensure broader visibility across our community." -
Enable Omnibus nightly builds by setting the schedules to active https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules -
Close the old security release tracking issue and create a new one: # In Slack /chatops run release tracking_issue --security