gitlab-security_report_schemas 0.1.2.min15.0.0.max15.2.1 → 0.1.3.min15.0.0.max15.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 61392ff385582c0bf996ac3499646ed14c1eea91803bd35fea7123785a495306
-  data.tar.gz: d4590f557b834a2f1de55154af50a637f7f6fd434eda23fa5e395dcf3fd43d9b
+  metadata.gz: d69ed2a06ec3ed14840cb492a0fb999a6ea1ce02ae7359cac919d9e03fe86155
+  data.tar.gz: 482cad69c32ce1d46229b133eb9c536126572616eec770413ec1f7a1c22b2fa9
 SHA512:
-  metadata.gz: 6fda21362754cdfc414aec3b6316302f7ff443d9c68aecff3cd53e269cae3caff17de09d39d843d422577f1e1152518b500209889530b25e3f859c0bba92142c
-  data.tar.gz: ccb8b9ddda36069dddc45c4dad3503091a1691ce245db46280526ad86cd0fad6b60138223d4897e7a3c0b00607ae267cdb0094ed665a7081161b5c31ee566ba0
+  metadata.gz: 35a601473896abf26a5206ed96906c7b9516ed5dfa2086418eedcbc7b8c801e36d45e5d186ec6df86629db886e56543898a6dc2e0b7eed2b96a0ec42595c67d1
+  data.tar.gz: 55daaeaad381551d36108a09db9385bcbedaf9f3e2e497241a7d1dd3a7efca1d7972149c116c9fd9b3e66a8227e1316014f82e4760a2533a5ce4c551e71931c2

data/Gemfile.lock

@@ -1,9 +1,10 @@
 PATH
   remote: .
   specs:
-    gitlab-security_report_schemas (0.1.2.min15.0.0.max15.2.1)
+    gitlab-security_report_schemas (0.1.3.min15.0.0.max15.2.2)
       activesupport (>= 6, < 8)
       json_schemer (~> 2.3.0)
+      mutex_m (~> 0.3.0)
 
 GEM
   remote: https://rubygems.org/
@@ -31,6 +32,7 @@ GEM
       simpleidn (~> 0.2)
     method_source (1.0.0)
     minitest (5.16.2)
+    mutex_m (0.3.0)
     parallel (1.22.1)
     parser (3.1.2.0)
       ast (~> 2.4.1)

data/README.md

@@ -8,6 +8,10 @@ Rubygem for https://gitlab.com/gitlab-org/security-products/security-report-sche
 
 This gem provides a Ruby and command line interface to validate the report artifact generated by the security analyzers.
 
+## Maintenance
+
+See [`RUNBOOK.md`](./RUNBOOK.md) for common release and maintenance tasks.
+
 ## Installation
 
 Install the gem and add to the application's Gemfile by executing:
@@ -47,24 +51,17 @@ bundle exec security-reports-schemas $FILE_PATH
 
 #### Credentials
 
-| Key                         | Description                                                                                   |
-|-----------------------------|-----------------------------------------------------------------------------------------------|
-| `GITLAB_PUSH_ACCESS_TOKEN`  | Own project access token used to push new schema versions. Requires `write_repository` scope. |
-| `GITLAB_ISSUE_ACCESS_TOKEN` | Project access token used to create an issue on `gitlab-org/gitlab`. Requires `api` scopes.   |
-| `GEM_HOST_API_KEY`          | rubygems.org API key                                                                          |
+| Key                         | Description                                                                                                         |
+|-----------------------------|---------------------------------------------------------------------------------------------------------------------|
+| `GITLAB_PUSH_ACCESS_TOKEN`  | Access token for the `gl-service-dev-govern-sec-report-schemas` service account of the top-level `gitlab-org` group |
+| `GEM_HOST_API_KEY`          | rubygems.org API key (inherited from parent group)                                                                  |
 
 #### Configuration
 
-| Key                       | Default                                                | Description                            |
-|---------------------------|--------------------------------------------------------|----------------------------------------|
-| `SCHEMAS_PATH`            | `./schemas`                                            | Schema storage location                |
-| `SCHEMA_PROJECT`          | `gitlab-org/security-products/security-report-schemas` | Where to source schemas                |
-| `GITLAB_PROJECT`          | `gitlab-org/gitlab`                                    | Project to open MRs for                |
-| `ISSUE_TARGET_PROJECT_ID` | `278964` (`gitlab-org/gitlab`)                         | Project ID for which to open an issue. |
-
-## Maintenance
-
-See [`RUNBOOK.md`](./RUNBOOK.md) for solutions to common maintenance tasks.
+| Key                       | Default                                                | Description             |
+|---------------------------|--------------------------------------------------------|-------------------------|
+| `SCHEMAS_PATH`            | `./schemas`                                            | Schema storage location |
+| `SCHEMA_PROJECT`          | `gitlab-org/security-products/security-report-schemas` | Where to source schemas |
 
 ## Development
 

data/RUNBOOK.md

@@ -1,6 +1,6 @@
 # Common maintenance tasks
 
-### Problem
+## Manually release a new RubyGem version
 
 * an upstream [security-report-schemas](https://gitlab.com/gitlab-org/security-products/security-report-schemas) pipeline failed to trigger the release pipeline
 * you want to add, remove or deprecate support for report schema versions
@@ -22,6 +22,40 @@
    variable.
 3. Trigger the manual `manual-release` job in the resulting pipeline.
 
+## Jobs fail to self-push due to an expired service account access token
+
+To self-push commits, we use an access token of a service account which
+belongs to the top-level `gitlab-org` group. This token is kept in this project's
+`GITLAB_PUSH_ACCESS_TOKEN` CI variable and the token expires yearly.
+
+The service account access token [should get automatically rotated](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues/29595#note_2433504597)
+and the CI variable should get updated with the updated token.
+
+Should auto-rotation fail or the access token become invalid for another
+reason, the `add-schema-version` and `manual-release` jobs fail:
+
+```
+$ git push origin $CI_COMMIT_REF_NAME
+remote: HTTP Basic: Access denied. If a password was provided for Git authentication, the password was incorrect or you're required to use a token instead of a password. If a token was provided, it was either incorrect, expired, or improperly scoped.
+```
+
+### Solution: Manually rotate the service account access token
+
+Owners of the top-level `gitlab-org` group can manually
+[rotate the service account access token](https://docs.gitlab.com/user/profile/service_accounts/#rotate-the-personal-access-token)
+and update this project's `GITLAB_PUSH_ACCESS_TOKEN` CI variable with the
+renewed token.
+
+### Workaround: Use a temporary personal access token
+
+To release urgently without Owner access to `gitlab-org`:
+
+1. update the default branch protection so that you can push
+2. create a short-lived personal access token and rerun the failed `manual-release`
+   job, setting the CI variable `GITLAB_PUSH_ACCESS_TOKEN` to your short-lived token
+3. after the job succeeded, revoke your short-lived token and restore the default
+   branch protection so that you can no longer push
+
 ## Find the commit SHA for a RubyGem version
 
 Before a rubygems.org release is created, a git tag referencing the full

data/Rakefile

@@ -41,15 +41,6 @@ task integrity_check: :prepare_schemas do
   end
 end
 
-namespace :release do
-  desc "Open patch Issue on gitlab-org/gitlab to update its Gemfile to use the current gem version"
-  task :issue do
-    require "gitlab/security_report_schemas"
-
-    Gitlab::SecurityReportSchemas::Release::Workflow.execute
-  end
-end
-
 def cleanup_schema_dir
   puts "Cleaning the schemas directory..."
 

data/gem_version

@@ -1 +1 @@
-0.1.2.min15.0.0.max15.2.1
+0.1.3.min15.0.0.max15.2.2

data/gitlab-security_report_schemas.gemspec

@@ -30,4 +30,5 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency "activesupport", ">= 6", "< 8"
   spec.add_dependency "json_schemer", "~> 2.3.0"
+  spec.add_dependency "mutex_m", "~> 0.3.0"
 end

data/lib/gitlab/security_report_schemas/configuration.rb

@@ -8,9 +8,6 @@ module Gitlab
         schemas_path: -> { SecurityReportSchemas.root_path.join("schemas") },
         deprecated_versions: -> { [] },
         schema_project: -> { "gitlab-org/security-products/security-report-schemas" },
-        gitlab_project: -> { "gitlab-org/gitlab" },
-        issue_target_project_id: -> { "278964" }, # gitlab-org/gitlab
-        gitlab_issue_access_token: nil,
         ci_server_host: nil
       }.freeze
 

data/lib/gitlab/security_report_schemas/version.rb

@@ -5,7 +5,7 @@ module Gitlab
     # Represents the version of the gem
     class Version
       VERSION_SPEC = "%<gem_version>s.min%<min_schema>s.max%<max_schema>s"
-      GEM_VERSION = "0.1.2"
+      GEM_VERSION = "0.1.3"
       MISSING_SCHEMA_VERSION = "0.0.0"
 
       class << self

data/lib/gitlab/security_report_schemas.rb

@@ -6,10 +6,6 @@ require_relative "security_report_schemas/configuration"
 require_relative "security_report_schemas/schema_ver"
 require_relative "security_report_schemas/version"
 require_relative "security_report_schemas/validator"
-require_relative "security_report_schemas/release/bundler"
-require_relative "security_report_schemas/release/gemfile"
-require_relative "security_report_schemas/release/issue"
-require_relative "security_report_schemas/release/workflow"
 
 module Gitlab
   # The `gitlab-security_report_schemas` gem contains JSON schemas and utilities