7.3 KiB
GitLab-Workhorse development process
Maintainers
GitLab-Workhorse has the following maintainers:
- Nick Thomas
@nick.thomas
- Jacob Vosmaer
@jacobvosmaer-gitlab
- Alessio Caiazza
@nolith
This list is defined at https://about.gitlab.com/team/.
Changelog
GitLab-Workhorse keeps a changelog which is generated when a new release
is created. The changelog is generated from entries that are included on each
merge request. To generate an entry on your branch run:
_support/changelog "Change descriptions"
.
After the merge request is created, the ID of the merge request needs to be set
in the generated file. If you already know the merge request ID, run:
_support/changelog -m <ID> "Change descriptions"
.
Any new merge request must contain either a new entry or a justification in the merge request description why no changelog entry is needed.
Merging and reviewing contributions
Contributions must be reviewed by at least one Workhorse maintainer. The final merge must be performed by a maintainer.
Releases
New versions of Workhorse can be released by one of the Workhorse maintainers. The release process is:
- pick a release branch. For x.y.0, use
master
. For all other versions (x.y.1, x.y.2 etc.) , usex-y-stable
. Also see below - run
make tag VERSION=x.y.z"
ormake signed_tag VERSION=x.y.z
on the release branch. This will compile the changelog, bump the VERSION file, and make a tag matching it. - push the branch and the tag to gitlab.com
- the new version will only be deployed to
gitlab.com
ifGITLAB_WORKHORSE_VERSION
is updated accordingly; if applicable, please remind the person who originally asked for a new release to make this change (the MR should include a link back to the version tag and a copy of the changelog)
Security releases
Workhorse is included in the packages we create for GitLab, and each version of
GitLab specifies the version of Workhorse it uses in the GITLAB_WORKHORSE_VERSION
file, so security fixes in Workhorse are tightly coupled to the general security release
workflow, with some elaborations to account for the changes happening across two
repositories. In particular, the Workhorse maintainer takes responsibility for
creating new patch versions of Workhorse that can be used in the security
release.
As security fixes are backported three releases in addition to master, and changes need to happen across two repositories, up to eight merge requests, and four Workhorse releases, can be required to fix a security issue in Workhorse. This is a lot of overhead, so in general, it is better to fix security issues without changing Workhorse. Where changes are necessary, this section documents the necessary steps.
If you're working on a security fix in Workhorse, you need two sets of merge requests:
- The fix itself, in the
gitlab-org/security/gitlab-workhorse
repository - A merge request to change the version of workhorse included in the GitLab
security release, in the
gitlab-org/security/gitlab
repository.
If the Workhorse maintainer isn't also a GitLab maintainer, reviews will need to be split across several people. If changes to GitLab code are required in addition to the change of Workhorse version, they both happen in the same merge request.
Start by creating a single merge request targeting master
in Workhorse. Ensure
you include a changelog! If code changes are needed in GitLab as well, create a
GitLab merge request targeting master
at this point, but don't worry about the
GITLAB_WORKHORSE_VERSION
file yet.
Once the changes have passed review, the Workhorse maintainer will determine the
new versions of Workhorse that will be needed, and communicate that to the
author. To do this, examine the GITLAB_WORKHORSE_VERSION
file on each GitLab
stable branch; for instance, if the security release consisted of GitLab
versions 12.10.1
, 12.9.2
, 12.8.3
, and 12.7.4
, we would see the following:
gitlab$ git fetch security master 12-10-stable-ee 12-9-stable-ee 12-8-stable-ee 12-7-stable-ee`
gitlab$ git show refs/remotes/security/master:GITLAB_WORKHORSE_VERSION
8.30.1
gitlab$ git show refs/remotes/security/12-10-stable-ee:GITLAB_WORKHORSE_VERSION
8.30.1
gitlab$ git show refs/remotes/security/12-9-stable-ee:GITLAB_WORKHORSE_VERSION
8.25.2
gitlab$ git show refs/remotes/security/12-8-stable-ee:GITLAB_WORKHORSE_VERSION
8.21.2
gitlab$ git show refs/remotes/security/12-7-stable-ee:GITLAB_WORKHORSE_VERSION
8.21.2
In this example, there are three distinct Workhorse stable branches to be
concerned with, plus Workhorse master: 8-30-stable
, 8-25-stable
, and
8-21-stable
, and we can predict that we are going to need to create Workhorse
releases 8.30.2
, 8.25.3
, and 8.21.3
.
The author needs to create a merge request targeting each Workhorse stable
branch, and verify that the fix works once backported. They also need to create
(or update, if they already exist) GitLab merge requests, setting the
GITLAB_WORKHORSE_VERSION
file to the predicted workhorse version, and assign
all the MRs back to the appropriate maintainer(s). The pipeline for the GitLab
MRs will fail until the Workhorse releases have been tagged; you can use the
=workhorse_branch_name
syntax in the GITLAB_WORKHORSE_VERSION
file to verify
that the MRs interact as expected, if necessary.
Once all involved maintainers are happy with the overall change, the Workhorse
maintainer will merge each of the Workhorse MRs and generate new Workhorse
releases from the stable branches. The tags will be present on the security
mirror and dev.gitlab.org
only at this point.
Once the Workhorse tags exist, the GitLab maintainer ensures that all the GitLab MRs are green and assigns those MRs on to the release bot.
The release managers merge the GitLab MRs, tag GitLab releases that reference the new Workhorse tags, and release them in the usual way.
Once the security release is done, the Workhorse maintainer is responsible for
syncing the changes to the gitlab-org/gitlab-workhorse
repository. Push the
changes to master
, the new tags, and all the changes to the stable branches.
This process is quite involved, very manual, and extremely error-prone; work is ongoing on automating it.
Versioning
Workhorse uses a variation of SemVer. We don't use "normal" SemVer because we have to be able to integrate into GitLab stable branches.
A version has the format MAJOR.MINOR.PATCH.
- Major and minor releases are tagged on the
master
branch - If the change is backwards compatible, increment the MINOR counter
- If the change breaks compatibility, increment MAJOR and set MINOR to
0
- Patch release tags must be made on stable branches
- Only make a patch release when targeting a GitLab stable branch
This means that tags that end in .0
(e.g. 8.5.0
) must always be on
the master branch, and tags that end in anthing other than .0
(e.g.
8.5.2
) must always be on a stable branch.
The reason we do this is that SemVer suggests something like a refactoring constitutes a "patch release", while the GitLab stable branch quality standards do not allow for back-porting refactorings into a stable branch.