lib/release_tools/security/prepare/fixes_verifier.rb (67 lines of code) (raw):
# frozen_string_literal: true
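module ReleaseTools
  module Security
    module Prepare
      # Checks whether the upcoming patch release has any security issues
      # associated with it and, when it has none, posts notes that ping the
      # Delivery and AppSec release managers so the gap is noticed.
      #
      # `security_tracking_issue`, `security_task_issue` and
      # `security_communication_issue` are not defined in this file; they
      # presumably come from IssueHelper -- TODO confirm.
      class FixesVerifier
        include ::SemanticLogger::Loggable
        include ::ReleaseTools::Security::IssueHelper

        def initialize
          @client = ReleaseTools::GitlabClient
          @fetcher = ReleaseTools::Security::IssuesFetcher.new(@client)
          # NOTE(review): never read or appended to inside this class; kept
          # because an included module may rely on the reader.
          @security_fixes = []
        end

        # Runs the verification.
        #
        # When the fetcher returns security issues nothing is posted. When it
        # returns none, both release-manager groups are notified through
        # issue notes. A Slack notification reports the job status either way.
        #
        # @raise [StandardError] re-raises any error after logging it and
        #   sending a `:failed` Slack notification
        def execute
          security_issues = fetcher.execute

          if security_issues.present?
            logger.info('The patch release includes security fixes. Nothing to do')
            send_slack_notification(:success)

            return
          end

          logger.info("The patch release doesn't include security fixes, notifying Delivery and AppSec release managers")

          notify_release_managers
          notify_appsec_release_managers

          # NOTE(review): an error raised while sending this notification is
          # also caught by the rescue below and reported as a verification
          # failure, even though the notes were already posted.
          send_slack_notification(:success)
        rescue StandardError => ex
          # failure_message must not raise here, otherwise the Slack failure
          # notification below would be skipped and the original error masked.
          logger.fatal(failure_message, error: ex)

          send_slack_notification(:failed)

          raise
        end

        private

        attr_reader :client, :fetcher, :security_fixes

        # Posts a note on the security task issue pinging the active release
        # managers.
        #
        # NOTE(review): if the schedule returns no active release managers the
        # note is posted without any @-mention, so nobody is pinged -- confirm
        # whether that case should be treated as a failure.
        def notify_release_managers
          message = <<~MSG.strip
            #{usernames(release_managers.active_release_managers)} :wave:,
            There are no security fixes available for the patch release. This might be caused due to a global holiday period.
            Review if security fixes were recently unlinked from the [security tracking issue](#{security_tracking_issue.web_url}),
            ping the authors to notify them about the patch release due date.
            If necessary, consider delaying the patch release to the next day (Thursday).
            If there are no security fixes available:
            1. Notify AppSec about this.
            2. Perform the patch release with only bug fixes.
          MSG

          create_issue_note(ReleaseTools::Project::Release::Tasks, security_task_issue, message)
        end

        # Posts a note on the security tracking issue pinging the active AppSec
        # release managers. The same empty-recipient caveat as in
        # notify_release_managers applies.
        def notify_appsec_release_managers
          message = <<~MSG.strip
            #{usernames(release_managers.active_appsec_release_managers)} :wave:,
            This patch release doesn't include security fixes, please coordinate with release managers.
            If there are no security fixes available, notify the Marketing team that
            no email alert should be sent - #{security_communication_issue.web_url}.
          MSG

          create_issue_note(ReleaseTools::Project::GitlabEe, security_tracking_issue, message)
        end

        # Logs the note and, unless this is a dry run, posts it through the
        # API client inside the `:api` retry context.
        #
        # @param project [Object] project the issue belongs to (responds to `path`)
        # @param issue [Object] issue receiving the note (responds to `web_url`)
        # @param body [String] Markdown body of the note
        def create_issue_note(project, issue, body)
          # The full body is logged before the dry-run check, so a dry run
          # still records what would have been posted.
          logger.info('Posting note', project: project.path, issue: issue.web_url, body: body)

          return if SharedStatus.dry_run?

          Retriable.with_context(:api) do
            client.create_issue_note(project, issue: issue, body: body)
          end
        end

        # Builds a comma-separated list of @-mentions.
        #
        # @param users [Enumerable] objects responding to `username`
        # @return [String] e.g. "@alice, @bob"; empty when `users` is empty
        def usernames(users)
          users.map { |user| "@#{user.username}" }.join(', ')
        end

        # Memoized release-manager schedule.
        def release_managers
          @release_managers ||= ReleaseTools::ReleaseManagers::Schedule.new
        end

        # Reports the outcome of this job to Slack.
        #
        # @param status [Symbol] `:success` or `:failed`
        def send_slack_notification(status)
          ReleaseTools::Slack::ReleaseJobEndNotifier.new(
            job_type: 'Security fixes verifier',
            status: status,
            release_type: :patch
          ).send_notification
        end

        # Message logged when the verification fails. Built so that it cannot
        # raise, because it is evaluated inside the rescue handler of #execute.
        #
        # @return [String]
        def failure_message
          <<~MSG.strip
            Security fixes could not be verified. Review if there are any security fixes on the
            #{tracking_issue_reference}. If no security issues are present:
            * Notify AppSec that no security fixes are present on the patch release
            * Perform the patch release with only bug fixes.
          MSG
        end

        # Markdown link to the security tracking issue, degrading to plain text
        # when the issue cannot be resolved. The lookup may be the very call
        # that failed in #execute (presumably a remote API request -- TODO
        # confirm), so an error here is logged and swallowed on purpose.
        #
        # @return [String]
        def tracking_issue_reference
          "[tracking issue](#{security_tracking_issue.web_url})"
        rescue StandardError => ex
          logger.warn('Could not resolve the security tracking issue for the failure message', error: ex)

          'tracking issue'
        end
      end
    end
  end
end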