new: ci: Add vulnerability-related jobs

Merge branch 'michal/add-vulnerability-related-jobs-to-ci' into 'main' See merge request isc-projects/bind9!11188
2026-06-11 10:10:00 -04:00 · 2025-11-04 12:53:46 +01:00 · 2025-11-04 12:53:46 +01:00 · 496a5e876a
commit 496a5e876a
parent ac2b36c4bf 83b83bac5a
1 changed files with 70 additions and 18 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -309,6 +309,9 @@ stages:
 .rule_tag_open_source: &rule_tag_open_source
  - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_COMMIT_TAG != null && $CI_COMMIT_TAG !~ /-S/'

+.rule_tag_security: &rule_tag_security
+  - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_COMMIT_TAG != null && $RELEASE_TYPE == "security"'
+
 .rule_tag_security_or_subscription: &rule_tag_security_or_subscription
  - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_COMMIT_TAG != null && ($RELEASE_TYPE == "security" || $CI_COMMIT_TAG =~ /-S/)'

@ -1645,9 +1648,12 @@ release:
      - bind-${CI_COMMIT_TAG}-release
    expire_in: "1 month"

-.signer-ssh-job: &signer_ssh_job
+.manual_release_job: &manual_release_job
  stage: release
  when: manual
+
+.signer-ssh-job: &signer_ssh_job
+  <<: *manual_release_job
  allow_failure: false
  tags:
    - signer
@ -1757,39 +1763,85 @@ publish:
  rules:
    - *rule_tag_open_source

-# Job creating the release announcement MR in Printing Press
-
-prepare-release-announcement:
+.manual_release_job_qa: &manual_release_job_qa
+  <<: *manual_release_job
  <<: *base_image
-  stage: release
-  when: manual
-  variables:
-    GIT_DEPTH: 1
  before_script:
    - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
+  needs:
+    - job: staging
+      artifacts: false
+
+# Setting the FORCE_CVE_IDS environment variable to a comma-separated
+# list of CVE IDs enables overriding the autodetected ones.
+#
+# Setting the FORCE_SECURITY_RELEASES environment variable to a
+# comma-separated list of BIND 9 versions enables overriding the
+# autodetected ones.
+.printing_press_job: &printing_press_job
+  <<: *manual_release_job_qa
+  variables:
+    GIT_DEPTH: 1
  script:
-    - bind9-qa/releng/prepare_release_announcement.py --metadata bind9-qa/releng/metadata.json
-  needs: []
-  rules:
-    - *rule_tag_open_source
+    - bind9-qa/releng/printing_press_mr.py --document "${DOCUMENT}" --metadata bind9-qa/releng/metadata.json ${FORCE_CVE_IDS:+--force-cve-ids ${FORCE_CVE_IDS}} ${FORCE_SECURITY_RELEASES:+--force-security-releases ${FORCE_SECURITY_RELEASES}}
  artifacts:
    paths:
      - printing-press/
    when: on_failure

+# Job creating the release announcement MR in Printing Press
+
+prepare-release-announcement:
+  <<: *printing_press_job
+  variables:
+    DOCUMENT: release-announcement
+  rules:
+    - *rule_tag_open_source
+
+# Job preparing an EVN MR in Printing Press
+
+prepare-evn:
+  <<: *printing_press_job
+  variables:
+    DOCUMENT: evn
+  rules:
+    - *rule_tag_security
+
+# Job preparing a security pre-announcement MR in Printing Press
+
+prepare-preannouncement:
+  <<: *printing_press_job
+  variables:
+    DOCUMENT: security-preannouncement
+  rules:
+    - *rule_tag_security
+
+# Job preparing a packager notification MR in Printing Press
+
+prepare-package-notification:
+  <<: *printing_press_job
+  variables:
+    DOCUMENT: packager-notification
+  rules:
+    - *rule_tag_security
+
+# Job preparing a post-disclosure notification MR in Printing Press
+
+prepare-post-disclosure-notification:
+  <<: *printing_press_job
+  variables:
+    DOCUMENT: post-disclosure-notification
+  rules:
+    - *rule_tag_security
+
 # Job merging the tag back into its base branch

 merge-tag:
-  <<: *base_image
-  stage: release
-  when: manual
+  <<: *manual_release_job_qa
  variables:
    GIT_DEPTH: 100
-  before_script:
-    - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
  script:
    - bind9-qa/releng/merge_tag.py --tag "$CI_COMMIT_TAG"
-  needs: []
  rules:
    - *rule_tag_open_source
  artifacts: