Updates cherry-pick step on security template
What does this MR do?
After https://gitlab.com/gitlab-org/release-tools/-/issues/431, security fixes targeting 'master' are automatically cherry-picked into the current auto-deploy branch after they're merged. The security template was modified to indicate so.
Security template example
Security patch release: 13.0.1, 12.10.9, 12.9.8
General guidelines
- Be sure to follow the Security Releases general information and Security Releases as Release Manager.
- Always work on GitLab Security and dev.gitlab.org. Do not push anything to GitLab Canonical.
Preparation
- Validate and merge security merge requests using ChatOps:
  - This will merge all security merge requests associated with a security implementation issue if all of them are valid.
  # In Slack:
  /chatops run release merge --security
- If any merge requests could not be merged, investigate what needs to be done to resolve the issues. Do not proceed unless it has been determined safe to do so.
Auto-Deploy - only for the latest version
The following steps should ideally be completed within one day.
- Temporarily disable the scheduled auto-deploy tasks via ChatOps:
  # In Slack
  /chatops run auto_deploy pause
- Ensure latest auto-deploy branches are synced across Canonical, Security, and Build:
  # In Slack
  /chatops run mirror status
- Disable omnibus nightly builds by setting the schedules to inactive: https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules
- Ensure security fixes are included in the auto-deploy branch. Fixes are automatically cherry-picked into the auto-deploy branch after they're merged. If they were not cherry-picked, you can use the script below to do it manually.
  - For GitLab
  - For Omnibus GitLab
- Script to push to auto-deploy branch
# fetch both remotes
git fetch origin
git fetch security
# sync current auto-deploy branch on security
git checkout -b CURRENT_AUTO_DEPLOY_BRANCH --track security/CURRENT_AUTO_DEPLOY_BRANCH
git pull origin CURRENT_AUTO_DEPLOY_BRANCH
git push security
# get a list of all the merge commits on security/master not available on origin/master
git log origin/master..security/master --merges | grep "^commit"
# cherry-pick each commit on that list in the current auto-deploy branch
git cherry-pick -m 1 -x COMMIT_ID
# push to security
git push security
- Tag a new auto-deploy version via ChatOps (no need to wait for green build), to create a deployer pipeline that will deploy to staging and create a QA issue:
  # In Slack
  /chatops run auto_deploy tag --security
The rest of the steps are the same so they were omitted
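The manual fallback in the template, as an added example that is not part of the original template or of GitLab's release tooling: shell functions that list the merge commits on security/master still missing from the auto-deploy branch and cherry-pick them oldest first. The function names are hypothetical, and the already-picked check assumes earlier picks were made with `-x`, as in the template's script.

```shell
# Added example; function names are hypothetical. Remote names (origin, security)
# and the master branch are taken from the script in the template.

# Merge commits on security/master that are not on origin/master, oldest first.
security_merges() {
  git rev-list --merges --reverse origin/master..security/master
}

# SHAs recorded by `git cherry-pick -x` in commits that branch $1 has on top of
# origin/master. Assumption: earlier picks used -x, as the template's script does.
already_picked() {
  git rev-parse --verify -q "$1^{commit}" >/dev/null || return 1
  git log "origin/master..$1" --format=%B |
    sed -n 's/^(cherry picked from commit \([0-9a-f]\{40,\}\))$/\1/p'
}

# Print the security merges that still have to be picked into branch $1.
pending_merges() {
  local picked sha
  picked=$(already_picked "$1") || return 1
  security_merges | while read -r sha; do
    printf '%s\n' "$picked" | grep -qxF "$sha" || echo "$sha"
  done
}

# Cherry-pick every pending merge into the checked-out branch $1, stopping at the
# first conflict so it can be resolved by hand before the branch is pushed.
pick_pending() {
  local pending sha
  [ "$(git symbolic-ref --short HEAD)" = "$1" ] || { echo "check out $1 first" >&2; return 1; }
  pending=$(pending_merges "$1") || return 1
  for sha in $pending; do
    git cherry-pick -m 1 -x "$sha" || { echo "stopped at $sha" >&2; return 1; }
  done
}
```

After `git fetch origin` and `git fetch security`, run `pending_merges CURRENT_AUTO_DEPLOY_BRANCH` to review the list, then `pick_pending CURRENT_AUTO_DEPLOY_BRANCH` and `git push security`.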