Merge branch 'rs-security-pipeline-for-merge-result' into 'master'

Notify Release Managers if a security merge request was not merged

See merge request gitlab-org/gitlab!44658

.gitlab/ci/notify.gitlab-ci.yml

@@ -3,6 +3,8 @@
   stage: notify
   dependencies: []
   cache: {}
+  variables:
+    MERGE_REQUEST_URL: ${CI_MERGE_REQUEST_PROJECT_URL}/-/merge_requests/${CI_MERGE_REQUEST_IID}
   before_script:
     - apk update && apk add git curl bash
 
@@ -16,8 +18,19 @@ notify-update-gitaly:
   variables:
     NOTIFY_CHANNEL: g_create_gitaly
     GITALY_UPDATE_BRANCH: release-tools/update-gitaly
-    MERGE_REQUEST_URL: ${CI_MERGE_REQUEST_PROJECT_URL}/-/merge_requests/${CI_MERGE_REQUEST_IID}
   script:
     - echo "NOTIFY_CHANNEL is ${NOTIFY_CHANNEL}"
     - echo "CI_PIPELINE_URL is ${CI_PIPELINE_URL}"
-    - scripts/slack ${NOTIFY_CHANNEL} "☠️ \`${GITALY_UPDATE_BRANCH}\` failed! ☠️ See ${CI_PIPELINE_URL} (triggered from ${MERGE_REQUEST_URL})" ci_failing
+    - scripts/slack ${NOTIFY_CHANNEL} "☠️ \`${GITALY_UPDATE_BRANCH}\` failed! ☠️ See ${CI_PIPELINE_URL} (triggered from ${MERGE_REQUEST_URL})" ci_failing "GitLab QA Bot"
+
+notify-security-pipeline:
+  extends:
+    - .notify-slack
+    - .delivery:rules:security-pipeline-merge-result-failure
+  variables:
+    NOTIFY_CHANNEL: f_upcoming_release
+  script:
+    - echo "NOTIFY_CHANNEL is ${NOTIFY_CHANNEL}"
+    - echo "CI_PIPELINE_URL is ${CI_PIPELINE_URL}"
+    # <!subteam^S0127FU8PDE> mentions the `@release-managers` group
+    - scripts/slack ${NOTIFY_CHANNEL} "<!subteam^S0127FU8PDE> ☠️  Pipeline for merged result failed! ☠️ See ${CI_PIPELINE_URL} (triggered from ${MERGE_REQUEST_URL})" ci_failing "GitLab Release Tools Bot"

.gitlab/ci/rules.gitlab-ci.yml

@@ -73,6 +73,12 @@
 .if-rspec-fail-fast-skipped: &if-rspec-fail-fast-skipped
   if: '$CI_MERGE_REQUEST_TITLE =~ /SKIP RSPEC FAIL-FAST/'
 
+# For Security merge requests, the gitlab-release-tools-bot triggers a new
+# pipeline for the "Pipelines for merged results" feature. If the pipeline
+# fails, we notify release managers.
+.if-security-pipeline-merge-result: &if-security-pipeline-merge-result
+  if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH && $CI_PROJECT_NAMESPACE == "gitlab-org/security" && $GITLAB_USER_LOGIN == "gitlab-release-tools-bot"'
+
 ####################
 # Changes patterns #
 ####################
@@ -285,6 +291,14 @@
       when: manual
       allow_failure: true
 
+##################
+# Delivery rules #
+##################
+.delivery:rules:security-pipeline-merge-result-failure:
+  rules:
+    - <<: *if-security-pipeline-merge-result
+      when: on_failure
+
 ######################
 # Dev fixtures rules #
 ######################

scripts/slack

 #!/bin/bash
-# This is copied from:
-# https://gitlab.com/gitlab-org/gitlab-qa/-/blob/master/bin/slack
+# This is based on https://gitlab.com/gitlab-org/gitlab-qa/-/blob/master/bin/slack
 #
 # Sends Slack notification MSG to CI_SLACK_WEBHOOK_URL (which needs to be set).
 # ICON_EMOJI needs to be set to an icon emoji name (without the `:` around it).
@@ -8,10 +7,11 @@
 CHANNEL=$1
 MSG=$2
 ICON_EMOJI=$3
+USERNAME=$4
 
-if [ -z "$CHANNEL" ] || [ -z "$CI_SLACK_WEBHOOK_URL" ] || [ -z "$MSG" ] || [ -z "$ICON_EMOJI" ]; then
-    echo "Missing argument(s) - Use: $0 channel message icon_emoji"
+if [ -z "$CHANNEL" ] || [ -z "$CI_SLACK_WEBHOOK_URL" ] || [ -z "$MSG" ] || [ -z "$ICON_EMOJI" ] || [ -z "$USERNAME" ]; then
+    echo "Missing argument(s) - Use: $0 channel message icon_emoji username"
     echo "and set CI_SLACK_WEBHOOK_URL environment variable."
 else
-    curl -X POST --data-urlencode 'payload={"channel": "#'"$CHANNEL"'", "username": "GitLab QA Bot", "text": "'"$MSG"'", "icon_emoji": "'":$ICON_EMOJI:"'"}' "$CI_SLACK_WEBHOOK_URL"
+    curl -X POST --data-urlencode 'payload={"channel": "#'"$CHANNEL"'", "username": "'"$USERNAME"'", "text": "'"$MSG"'", "icon_emoji": "'":$ICON_EMOJI:"'"}' "$CI_SLACK_WEBHOOK_URL"
 fi