
Disable/Enable security-target issue processor during security release

Steve Abrams requested to merge delivery19672-activate-processor-schedule into master

🔬 What does this MR do and why?

This MR introduces a new job to the security release pipeline in the finalize stage that enables the security target issue processor. This job depends on the new tracking issue being opened so we don't link any issues until the new issue exists.

We also add a step to the security release task issue template to disable the security target issue processor before proceeding with the merge phase of the security release. We are adding the step here since this date and time is still variable and we want to give some flexibility to release managers as we roll out the new auto-picking process introduced in gitlab-com/gl-infra&1061 (closed). Once the process is consistent and the variability is tightened up, we will automate the disabling as well.
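As an added illustration (not code from this MR or from release-tools), the shape of a finalize-stage job that is only allowed to run once the tracking-issue job has succeeded. The job names and the `if-critical-security-release` / `if-security-release-finalize` rule anchors follow the ones visible in the test diff below; the anchor definitions and the base job are simplified stand-ins for whatever release-tools defines elsewhere, and the variable names in them are assumptions.

```yaml
# Added example, not the MR's own finalize-ci.yml. The rule anchors and the
# base job are simplified stand-ins; the variable names are assumptions.
.if-security-release-finalize: &if-security-release-finalize
  if: '$SECURITY_RELEASE_PIPELINE == "finalize"'

.if-critical-security-release: &if-critical-security-release
  if: '$CRITICAL_SECURITY_RELEASE == "true"'

.security-release-finalize-base:
  stage: finalize
  rules:
    - <<: *if-security-release-finalize

security_release_finalize:close_security_tracking_issue:
  extends: .security-release-finalize-base
  script:
    - bundle exec rake 'security:finalize:update_tracking_issue'

security_release_finalize:enable_security_target_processor:
  extends: .security-release-finalize-base
  # `needs` makes this job wait for the tracking-issue job; if that job fails
  # or is skipped, this one does not run, so the processor is never switched
  # on while the new tracking issue does not exist.
  needs: ['security_release_finalize:close_security_tracking_issue']
  rules:
    - <<: *if-critical-security-release
      when: never
    - <<: *if-security-release-finalize
  script:
    - bundle exec rake 'security:finalize:enable_security_target_processor'
```

The `when: never` rule on the critical-release condition mirrors the sibling jobs in the diff: a critical security release skips the processor entirely rather than enabling it against a tracking issue that was never opened.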

Related to gitlab-com/gl-infra/delivery#19672 (closed)

🚧 Testing

To test this I modified the branch, removing all other jobs from the finalize stage of the security release pipeline and updating the close_security_tracking_issue job to be a no-op. I updated the Slack notification channels to use the test channel.

git diff
diff --git a/.gitlab/ci/security/finalize-ci.yml b/.gitlab/ci/security/finalize-ci.yml
index 54ece64f..695a94bb 100644
--- a/.gitlab/ci/security/finalize-ci.yml
+++ b/.gitlab/ci/security/finalize-ci.yml
@@ -21,41 +21,41 @@ security_release_finalize:start:
   script:
     - bundle exec rake 'security:finalize:start'

-security_release_finalize:sync_remotes:
-  extends: .security-release-finalize-base
-  script:
-    - source scripts/setup_ssh.sh
-    - source scripts/setup_git.sh
-    - bundle exec rake 'security:sync_remotes'
+# security_release_finalize:sync_remotes:
+#   extends: .security-release-finalize-base
+#   script:
+#     - source scripts/setup_ssh.sh
+#     - source scripts/setup_git.sh
+#     - bundle exec rake 'security:sync_remotes'

-security_release_finalize:close_issues:
-  extends: .security-release-finalize-base
-  rules:
-    - <<: *if-critical-security-release
-      when: never
-    - <<: *if-security-release-finalize
-  script:
-    - bundle exec rake 'security:finalize:close_issues'
+# security_release_finalize:close_issues:
+#   extends: .security-release-finalize-base
+#   rules:
+#     - <<: *if-critical-security-release
+#       when: never
+#     - <<: *if-security-release-finalize
+#   script:
+#     - bundle exec rake 'security:finalize:close_issues'

-security_release_finalize:enable_omnibus_nightly:
-  extends: .security-release-finalize-base
-  script:
-    - bundle exec rake 'security:finalize:enable_omnibus_nightly'
+# security_release_finalize:enable_omnibus_nightly:
+#   extends: .security-release-finalize-base
+#   script:
+#     - bundle exec rake 'security:finalize:enable_omnibus_nightly'

-security_release_finalize:notify_release:
-  extends: .security-release-finalize-base
-  script:
-    - bundle exec rake 'security:finalize:notify_release'
+# security_release_finalize:notify_release:
+#   extends: .security-release-finalize-base
+#   script:
+#     - bundle exec rake 'security:finalize:notify_release'

-security_release_finalize:enable_gitaly_update_task:
-  extends: .security-release-finalize-base
-  script:
-    - bundle exec rake 'security:finalize:enable_gitaly_update_task'
+# security_release_finalize:enable_gitaly_update_task:
+#   extends: .security-release-finalize-base
+#   script:
+#     - bundle exec rake 'security:finalize:enable_gitaly_update_task'

-security_release_finalize:check_canonical_tags_synced:
-  extends: .security-release-finalize-base
-  script:
-    - bundle exec rake 'security:finalize:check_canonical_tags_synced'
+# security_release_finalize:check_canonical_tags_synced:
+#   extends: .security-release-finalize-base
+#   script:
+#     - bundle exec rake 'security:finalize:check_canonical_tags_synced'

 security_release_finalize:close_security_tracking_issue:
   extends: .security-release-finalize-base
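Review bot: The six jobs commented out in this hunk (sync_remotes, close_issues, enable_omnibus_nightly, notify_release, enable_gitaly_update_task, check_canonical_tags_synced) are test scaffolding and must be reverted before merge; please confirm the branch under review does not carry these `#` lines. Because the whole stage is reduced to two jobs here, the run only demonstrates the dependency of the new job on `close_security_tracking_issue`, not its behaviour alongside the remaining finalize jobs.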
@@ -64,7 +64,8 @@ security_release_finalize:close_security_tracking_issue:
       when: never
     - <<: *if-security-release-finalize
   script:
-    - bundle exec rake 'security:finalize:update_tracking_issue'
+    - echo 'issues closed'
+    # - bundle exec rake 'security:finalize:update_tracking_issue'

 security_release_finalize:enable_security_target_processor:
   extends: .security-release-finalize-base
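Review bot: Replacing `bundle exec rake 'security:finalize:update_tracking_issue'` with `echo 'issues closed'` makes the tracking-issue job always succeed, so this run proves only that `enable_security_target_processor` waits for it, not that the processor job is skipped when the tracking issue cannot be created. A second run in which this job is forced to fail (for example `exit 1` in place of the echo) would show the negative path; the echo line itself must not be merged.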
@@ -72,22 +73,22 @@ security_release_finalize:enable_security_target_processor:
   script:
     - bundle exec rake 'security:finalize:enable_security_target_processor'

-security_release_finalize:notify_upcoming_release_managers:
-  extends: .security-release-finalize-base
-  needs: ['security_release_finalize:close_security_tracking_issue']
-  rules:
-    - <<: *if-critical-security-release
-      when: never
-    - <<: *if-security-release-finalize
-  script:
-    - bundle exec rake 'security:finalize:notify_upcoming_release_managers'
+# security_release_finalize:notify_upcoming_release_managers:
+#   extends: .security-release-finalize-base
+#   needs: ['security_release_finalize:close_security_tracking_issue']
+#   rules:
+#     - <<: *if-critical-security-release
+#       when: never
+#     - <<: *if-security-release-finalize
+#   script:
+#     - bundle exec rake 'security:finalize:notify_upcoming_release_managers'

-security_release_finalize:update_slack_bookmark:
-  extends: .security-release-finalize-base
-  needs: ['security_release_finalize:close_security_tracking_issue']
-  rules:
-    - <<: *if-critical-security-release
-      when: never
-    - <<: *if-security-release-finalize
-  script:
-    - bundle exec rake 'security:finalize:update_slack_bookmark'
+# security_release_finalize:update_slack_bookmark:
+#   extends: .security-release-finalize-base
+#   needs: ['security_release_finalize:close_security_tracking_issue']
+#   rules:
+#     - <<: *if-critical-security-release
+#       when: never
+#     - <<: *if-security-release-finalize
+#   script:
+#     - bundle exec rake 'security:finalize:update_slack_bookmark'
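Review bot: The hunk header at `@@ -72,22 +73,22 @@` shows only the `script:` of `enable_security_target_processor`; its `needs:` and `rules:` lines fall outside the context, so this diff does not let a reviewer confirm that the new job carries the same `needs: ['security_release_finalize:close_security_tracking_issue']` and `if-critical-security-release … when: never` pattern as the two sibling jobs commented out here. Please point to the line in finalize-ci.yml where the new job's `needs`/`rules` are set.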
diff --git a/lib/release_tools/slack/release_job_end_notifier.rb b/lib/release_tools/slack/release_job_end_notifier.rb
index 6adcf2f5..753bea69 100644
--- a/lib/release_tools/slack/release_job_end_notifier.rb
+++ b/lib/release_tools/slack/release_job_end_notifier.rb
@@ -20,7 +20,7 @@ module ReleaseTools
         logger.info('Posting slack message', job_type: job_type, status: status)

         ReleaseTools::Slack::Message.post(
-          channel: ReleaseTools::Slack::F_UPCOMING_RELEASE,
+          channel: ReleaseTools::Slack::NOTIFICATION_TESTS,
           message: fallback_message,
           blocks: slack_blocks
         )
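Review bot: Swapping `F_UPCOMING_RELEASE` for `NOTIFICATION_TESTS` in source is easy to forget to revert and would silently route production notifications to the test channel. Consider letting the channel be overridden from the environment (for example an optional CI variable read by the notifier with `F_UPCOMING_RELEASE` as the default) so future test runs on ops need no code edit.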
diff --git a/lib/release_tools/slack/release_pipeline_start_notifier.rb b/lib/release_tools/slack/release_pipeline_start_notifier.rb
index d358e67f..36e194d4 100644
--- a/lib/release_tools/slack/release_pipeline_start_notifier.rb
+++ b/lib/release_tools/slack/release_pipeline_start_notifier.rb
@@ -18,7 +18,7 @@ module ReleaseTools
         logger.info("Notifying the stage of a #{release_type} pipeline", stage: stage, release_manager: user_name, pipeline_url: pipeline_url)

         ReleaseTools::Slack::Message.post(
-          channel: ReleaseTools::Slack::F_UPCOMING_RELEASE,
+          channel: ReleaseTools::Slack::NOTIFICATION_TESTS,
           message: fallback_message[stage],
           blocks: slack_blocks
         )
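Review bot: Same hard-coded channel swap as in release_job_end_notifier.rb; the two notifiers duplicate the channel choice, so a single configurable source for the channel would keep them in step and remove the need to edit both files when testing.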

I pushed the branch to the ops instance and ran the finalize stage of the security release pipeline.

Pipeline: https://ops.gitlab.net/gitlab-org/release/tools/-/pipelines/2374185
Job: https://ops.gitlab.net/gitlab-org/release/tools/-/jobs/11401640
Schedule before (inactive): Screenshot_2023-10-02_at_9.51.31_PM
Pending pipeline: Screenshot_2023-10-02_at_9.51.01_PM
Running pipeline (job does not start until after the tracking issue job completes): Screenshot_2023-10-02_at_9.51.50_PM
Successful Slack message: Screenshot_2023-10-02_at_9.59.51_PM
Schedule after (active and assigned to release tools bot): Screenshot_2023-10-02_at_9.57.44_PM
Example of a failed job (I pushed bad code to force this): https://ops.gitlab.net/gitlab-org/release/tools/-/jobs/11401620
Failed Slack message: Screenshot_2023-10-02_at_9.52.32_PM
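The screenshots above show the processor as a pipeline schedule that the finalize job activates and assigns to the release tools bot, and the task-template step asks a release manager to deactivate it again before the merge phase. As an added example (not release-tools code, and not the rake task this MR adds), the following Ruby does both operations through the GitLab REST API and checks the API's own answer before trusting the new state. The class name, method names, environment variable names and the project/schedule values are assumptions; the endpoints are the documented `PUT /projects/:id/pipeline_schedules/:schedule_id` (with `active`) and `POST .../take_ownership`.

```ruby
# Added example, not release-tools code: toggle a GitLab pipeline schedule
# (such as the security target issue processor) through the REST API.
# Assumptions: the processor is a pipeline schedule; project path, schedule id
# and token come from the environment; class and method names are invented.
require 'json'
require 'net/http'
require 'uri'

class PipelineScheduleToggle
  def initialize(base_url:, project_id:, schedule_id:, token:)
    @base_url = base_url
    @project_id = project_id.to_s
    @schedule_id = Integer(schedule_id)
    @token = token
  end

  # GitLab expects a path-style project id URL-encoded ("gitlab-org/release/tools"
  # becomes "gitlab-org%2Frelease%2Ftools"); a numeric id passes through unchanged.
  def schedule_path
    "/api/v4/projects/#{URI.encode_www_form_component(@project_id)}/pipeline_schedules/#{@schedule_id}"
  end

  # Build, but do not send, the PUT that flips the schedule's `active` flag.
  def build_toggle_request(active:)
    req = Net::HTTP::Put.new(URI.join(@base_url, schedule_path))
    req['PRIVATE-TOKEN'] = @token
    req.set_form_data('active' => active ? 'true' : 'false')
    req
  end

  # Build the POST that makes the token's user the schedule owner, so the
  # schedule's pipelines run with that user's permissions (the bot's, above).
  def build_take_ownership_request
    req = Net::HTTP::Post.new(URI.join(@base_url, "#{schedule_path}/take_ownership"))
    req['PRIVATE-TOKEN'] = @token
    req
  end

  # Send a request and return the parsed JSON body; raise on any non-2xx reply
  # so a silent failure cannot leave the schedule in the wrong state.
  def perform(req)
    uri = URI.join(@base_url, req.path)
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
      http.request(req)
    end
    raise "GitLab API #{req.method} #{req.path} failed: #{res.code} #{res.body}" unless res.is_a?(Net::HTTPSuccess)

    JSON.parse(res.body)
  end

  # Flip the flag, then confirm from the API's response that it took effect.
  def set_active!(active)
    body = perform(build_toggle_request(active: active))
    raise "schedule #{@schedule_id} still reports active=#{body['active']}" unless body['active'] == active

    body
  end

  # Given a schedule's JSON (GET on schedule_path), report whether the manual
  # "disable before the merge phase" step is still outstanding.
  def self.needs_disabling?(schedule_json)
    schedule_json['active'] == true
  end
end

# Usage (runs only when a token is present, so the file loads safely elsewhere):
#   GITLAB_TOKEN=... GITLAB_PROJECT=gitlab-org/release/tools SCHEDULE_ID=<id> \
#     ruby toggle_schedule.rb disable     # or: ruby toggle_schedule.rb enable
if __FILE__ == $PROGRAM_NAME && ENV['GITLAB_TOKEN']
  toggle = PipelineScheduleToggle.new(
    base_url: ENV.fetch('GITLAB_URL', 'https://ops.gitlab.net'),
    project_id: ENV.fetch('GITLAB_PROJECT'),
    schedule_id: ENV.fetch('SCHEDULE_ID'),
    token: ENV.fetch('GITLAB_TOKEN')
  )
  toggle.set_active!(ARGV.first != 'disable')
end
```

Separating request construction from sending keeps the part that encodes the project path and the `active` flag testable offline, and `set_active!` re-reads the flag from the response rather than assuming the write succeeded, which is the check a release manager wants before moving on to the merge phase.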

Author Check-list

  • [-] Has documentation been updated?
Edited by Steve Abrams
