
Rewords auto-deploy step on security template

What does this MR do?

Rewords the auto-deploy step on the security template. Merge requests targeting master are automatically picked into the current auto-deploy branch after they're merged, so the security patch template is updated to reflect that.

The old script was left in place in case the merge requests were not picked for some reason.

Example of the security template

Security patch release: 12.10.2, 12.9.9, 12.8.7

General guidelines

Preparation

  • Validate issues and merge requests on the Security issue.

    • Per security issue, ensure all related merge requests are valid and assigned to the @gitlab-release-tools-bot
    • If any merge request is not valid, unassign all the related merge requests and notify the author.
  • Merge security merge requests using ChatOps:

    # In Slack:
    /chatops run release merge --security
  • If any merge requests could not be merged, investigate what needs to be done to resolve the issues. Do not proceed unless it has been determined safe to do so.

Auto-Deploy - only for the latest version

The following steps should ideally be completed within one day.

  • Temporarily disable the scheduled auto-deploy tasks via ChatOps:

    # In Slack
    /chatops run auto_deploy pause
  • Ensure latest auto-deploy branches are synced across Canonical, Security, and Build:

    # In Slack
    /chatops run mirror status
  • Disable omnibus nightly builds by setting the schedules to inactive https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules

  • Merge security merge requests targeting master using ChatOps:

    # In Slack:
    /chatops run release merge --security --master
  • Ensure merge requests targeting master were automatically picked into the current auto-deploy branch. If they were not picked, you can use the following script to pick them.

Script to push to auto-deploy branch
# fetch both remotes
git fetch origin
git fetch security

# sync the current auto-deploy branch on security with the one on origin
git checkout -b CURRENT_AUTO_DEPLOY_BRANCH --track security/CURRENT_AUTO_DEPLOY_BRANCH
git pull origin CURRENT_AUTO_DEPLOY_BRANCH
git push security CURRENT_AUTO_DEPLOY_BRANCH

# list the merge commits on security/master that are not on origin/master
git log origin/master..security/master --merges | grep "^commit"

# cherry-pick each commit on that list into the current auto-deploy branch
# (-m 1 takes the mainline side of the merge, -x records the source commit)
git cherry-pick -m 1 -x COMMIT_ID

# push the auto-deploy branch to security
git push security CURRENT_AUTO_DEPLOY_BRANCH
  • Trigger an auto-deploy tagging via ChatOps:

    # In Slack
    /chatops run auto_deploy tag --security
    • This will trigger a deployer pipeline that automatically deploys to staging. If successful this will also create a QA issue.
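The manual script in the step above lists the merge commits and cherry-picks them one by one. The following is an added example written for this page, not release-tools code: it turns the "were they already picked?" check into a function by looking for the `(cherry picked from commit …)` trailer that `-x` leaves behind, and picks only the merges that are missing. It assumes remotes named `origin` (Canonical) and `security`, uses a made-up auto-deploy branch name, and builds a throwaway repository whose remote-tracking refs are written by hand so it runs offline.

```shell
#!/bin/sh
# Added example, not part of release-tools: pick security merges that are
# missing from the auto-deploy branch, skipping ones already picked with -x.
set -eu

AUTO_DEPLOY=13-0-auto-deploy-20200501   # hypothetical branch name, not a real one

# Merge commits reachable from $2/master but not from $1/master, oldest first
# so they are picked in the order they landed.
missing_security_merges() {
  git rev-list --merges --reverse "$1/master..$2/master"
}

# True if commit $1 was already picked into branch $2: "cherry-pick -x" appends
# a "(cherry picked from commit <sha>)" trailer, which is what we search for.
already_picked() {
  log=$(git log --format=%B "$2")
  case "$log" in
    *"(cherry picked from commit $1)"*) return 0 ;;
  esac
  return 1
}

# Pick every missing merge from $2/master into branch $3 with the same flags
# as the manual script (-m 1 = mainline side, -x = record the source sha).
# Prints one "skip <sha>" or "pick <sha>" line per merge commit.
pick_into_auto_deploy() {
  git checkout -q "$3"
  for sha in $(missing_security_merges "$1" "$2"); do
    if already_picked "$sha" "$3"; then
      echo "skip $sha"
    else
      git cherry-pick -m 1 -x "$sha" >/dev/null
      echo "pick $sha"
    fi
  done
}

# --- constructed scenario so the functions above can run offline ---------

# Branch $1 adds file $2 and is merged into master with --no-ff.
merge_fix() {
  git checkout -q -b "$1" master
  echo "$2" > "$2"
  git add "$2"
  git commit -q -m "fix $1"
  git checkout -q master
  git merge -q --no-ff -m "Merge branch '$1'" "$1"
}

# One repository standing in for the canonical and security remotes:
# origin/master stops at "base", security/master carries two merged fixes,
# and the first fix was already picked into the auto-deploy branch.
demo() {
  work=$(mktemp -d)
  cd "$work"
  export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.com
  export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.com
  export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1
  git init -q
  git symbolic-ref HEAD refs/heads/master
  echo base > base.txt
  git add base.txt
  git commit -q -m base
  git update-ref refs/remotes/origin/master "$(git rev-parse HEAD)"
  git branch "$AUTO_DEPLOY"
  merge_fix sec-1 a.txt
  m1=$(git rev-parse master)
  git checkout -q "$AUTO_DEPLOY"            # pretend release-tools picked m1
  git cherry-pick -m 1 -x "$m1" >/dev/null
  git checkout -q master
  merge_fix sec-2 b.txt
  git update-ref refs/remotes/security/master "$(git rev-parse master)"
  pick_into_auto_deploy origin security "$AUTO_DEPLOY"
  printf 'files: %s\n' "$(git ls-tree --name-only "$AUTO_DEPLOY" | tr '\n' ' ')"
}

demo
```

Running it prints a `skip` line for the merge that release-tools had already picked, a `pick` line for the one it had not, and the auto-deploy tree containing both fixes. Against real remotes you would drop the `demo` call and run `pick_into_auto_deploy origin security <branch>` after `git fetch origin && git fetch security`; the trailer check only works because the template picks with `-x`, so a merge picked without `-x` would be picked again and conflict.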

QA

  • On the deployer pipeline, manually cancel the gprd-cny-warmup job. This prevents the automatic promotion to Canary.

  • Once the deploy to staging is completed, notify the @appsec-team member so they can validate the security fixes on staging.

  • Once the security fixes have been validated on staging, manually promote to Canary.

  • Once the deploy to canary is completed, notify the @appsec-team member so they can validate the security fixes on canary.

    • It's recommended to wait for this confirmation, but not a strict requirement to continue the process.
  • If there are no objections, proceed to push this to production.

Packaging

  • Ping the Security Engineers so they can get started with the blog post. The blog post should be done on https://dev.gitlab.org/gitlab/www-gitlab-com

  • Ensure tests are green in both CE and EE:

    # In Slack:
    /chatops run release status --security
  • Tag the security release:

    # In Slack:
    /chatops run release tag --security 12.10.2
    /chatops run release tag --security 12.9.9
    /chatops run release tag --security 12.8.7

  • Check that EE and CE packages are built:

Deploy

  • Verify that pre.gitlab.com is running the latest patch version

Release

  • This section should be done in coordination with the Security team, so make sure to confirm with them before proceeding.

    # In Slack
    @appsec-team - We are ready to publish the security release packages for 12.10.2, please let us know if the blog post is ready.
  • Publish the packages via ChatOps:

    # In Slack:
    /chatops run publish 12.10.2
    /chatops run publish 12.9.9
    /chatops run publish 12.8.7

  • Create the versions:

  • Merge the blog post on https://gitlab.com/gitlab-com/www-gitlab-com

  • In the #content-updates channel, share a link to the blog post.

  • Enable omnibus nightly builds by setting the schedules to active https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules

Sync

  • Push security/gitlab master, and auto-deploy branches to all remotes.

  • Push security/gitlab-foss master and auto-deploy branches to all remotes.

  • Push security/omnibus-gitlab master and auto-deploy branches to all remotes.

  • Push security/gitaly master branch to all remotes.

  • Verify all remotes are synced:

    # In Slack
    /chatops run mirror status

Auto-Deploy - only for the latest version

  • Re-enable the scheduled auto-deploy tasks via ChatOps:

    # In Slack
    /chatops run auto_deploy unpause
  • Create a new auto-deploy branch from master via ChatOps:

    # In Slack
    /chatops run auto_deploy prepare

Related to https://gitlab.com/gitlab-org/release-tools/-/issues/364
