Update security process to clarify bot assignment

charlie ablett requested to merge cablett-release-bot-assign into master

Re: security MRs:

I notice the language around assigning to the bot doesn't clarify who can do this. I think until now it's been generally understood that only the maintainer can do this, but in the spirit of gitlab-org/gitlab!122968 (merged) I'm not sure why authors can't do it. This to me is a process step rather than one that involves any special permissions. It doesn't seem to make a difference who does the assigning as long as all the requirements to merge are satisfied.

  • Authors, maintainers and AppSec engineers do not merge, the bot does. The merge process is carefully managed by the release managers. This does not introduce any extra risk.
  • There are checks by the bot for the requirements such as green pipeline, same title across backports, all tickboxes ticked, approvals given etc. If an author prematurely assigns, it will be punted back to them just as if the maintainer had assigned.
  • It's nice to allow authors to do so because they are the most engaged with the MRs. It's inefficient to have to bug a maintainer after they've given approval.
