From b026651c44316a885052305d397cc448475cc820 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Tue, 4 Nov 2025 12:51:35 +0100
Subject: [PATCH 1/8] Change the script generating release announcements

Use a different, generic script for preparing release announcements.
---
 .gitlab-ci.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 68702ce65c..98bd0fabf2 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1765,10 +1765,11 @@ prepare-release-announcement:
   when: manual
   variables:
     GIT_DEPTH: 1
+    DOCUMENT: release-announcement
   before_script:
     - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
   script:
-    - bind9-qa/releng/prepare_release_announcement.py --metadata bind9-qa/releng/metadata.json
+    - bind9-qa/releng/printing_press_mr.py --document "${DOCUMENT}" --metadata bind9-qa/releng/metadata.json
   needs: []
   rules:
     - *rule_tag_open_source

From ca7dbdc3c1b1231566165a10e32ceb61d4e7bb4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Tue, 4 Nov 2025 12:51:35 +0100
Subject: [PATCH 2/8] Deduplicate definitions of release-related jobs

Extract common YAML keys used by release-related job definitions into reusable anchors to ensure consistency and limit repetition across multiple similar jobs.
---
 .gitlab-ci.yml | 42 ++++++++++++++++++++++++------------------
 1 file changed, 24 insertions(+), 18 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 98bd0fabf2..0bd600f32c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1645,9 +1645,12 @@ release:
       - bind-${CI_COMMIT_TAG}-release
     expire_in: "1 month"
 
-.signer-ssh-job: &signer_ssh_job
+.manual_release_job: &manual_release_job
   stage: release
   when: manual
+
+.signer-ssh-job: &signer_ssh_job
+  <<: *manual_release_job
   allow_failure: false
   tags:
     - signer
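Review bot: The new script line executes `bind9-qa/releng/printing_press_mr.py` from whatever the tip of bind9-qa's default branch is at job time, because the `git clone --depth 1` in before_script (unchanged context in this hunk) pins neither a branch nor a commit. For a release job that creates merge requests it is worth at least recording the revision used, e.g. `- git -C bind9-qa rev-parse HEAD` right after the clone, or pinning with `--branch` if the tooling repository is tagged; I cannot tell from the hunk whether it is. The `--document "${DOCUMENT}"` argument is correctly quoted.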
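Review bot: The new hidden job `.manual_release_job` uses snake_case while the hidden job merged into it, `.signer-ssh-job`, and the visible release jobs (`merge-tag`, `prepare-release-announcement`) use kebab-case; a consistent key would be `.manual-release-job: &manual_release_job`, with the anchor itself staying snake_case as `&signer_ssh_job` already is. The same naming applies to `.manual_release_job_qa` and `.printing_press_job` in the second hunk of this patch. The merge itself is sound: `.signer-ssh-job` inherits only `stage` and `when`, which do not collide with its own `allow_failure` and `tags` keys.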
@@ -1757,40 +1760,43 @@ publish:
   rules:
     - *rule_tag_open_source
 
-# Job creating the release announcement MR in Printing Press
-
-prepare-release-announcement:
+.manual_release_job_qa: &manual_release_job_qa
+  <<: *manual_release_job
   <<: *base_image
-  stage: release
-  when: manual
-  variables:
-    GIT_DEPTH: 1
-    DOCUMENT: release-announcement
   before_script:
     - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
+  needs:
+    - job: staging
+      artifacts: false
+
+.printing_press_job: &printing_press_job
+  <<: *manual_release_job_qa
+  variables:
+    GIT_DEPTH: 1
   script:
     - bind9-qa/releng/printing_press_mr.py --document "${DOCUMENT}" --metadata bind9-qa/releng/metadata.json
-  needs: []
-  rules:
-    - *rule_tag_open_source
   artifacts:
     paths:
       - printing-press/
     when: on_failure
 
+# Job creating the release announcement MR in Printing Press
+
+prepare-release-announcement:
+  <<: *printing_press_job
+  variables:
+    DOCUMENT: release-announcement
+  rules:
+    - *rule_tag_open_source
+
 # Job merging the tag back into its base branch
 
 merge-tag:
-  <<: *base_image
-  stage: release
-  when: manual
+  <<: *manual_release_job_qa
   variables:
     GIT_DEPTH: 100
-  before_script:
-    - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
   script:
     - bind9-qa/releng/merge_tag.py --tag "$CI_COMMIT_TAG"
-  needs: []
   rules:
     - *rule_tag_open_source
   artifacts:

From bc84907882625f5a3c560bbf3716612889e1aa0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Tue, 4 Nov 2025 12:51:35 +0100
Subject: [PATCH 3/8] Enable overriding the list of fixed CVE IDs

Enable manually providing (via an optional CI variable) Printing Press jobs with the list of CVE IDs fixed in a given release cycle in case autodetection fails for any reason.
---
 .gitlab-ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0bd600f32c..2fae527d03 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
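Review bot: `prepare-release-announcement` silently loses `GIT_DEPTH: 1`: YAML merge keys are shallow, so the job's own `variables:` mapping (holding only `DOCUMENT`) replaces the entire `variables` mapping merged in from `.printing_press_job` instead of adding to it, and the job falls back to the project's default clone depth. The same shadowing affects prepare-evn, prepare-preannouncement, prepare-package-notification and prepare-post-disclosure-notification in the later patches of this series. Either repeat `GIT_DEPTH: 1` next to `DOCUMENT` in each job's `variables`, or replace `<<: *printing_press_job` with GitLab's `extends: .printing_press_job`, which merges `variables` key by key. `merge-tag` is unaffected because `.manual_release_job_qa` defines no `variables`. Separately, `.manual_release_job_qa` repeats the `<<:` key; the portable spelling is `<<: [*manual_release_job, *base_image]`, although GitLab's parser accepts the repeated form if the file already relies on it elsewhere.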
@@ -1769,12 +1769,14 @@ publish:
     - job: staging
       artifacts: false
 
+# Setting the FORCE_CVE_IDS environment variable to a comma-separated
+# list of CVE IDs enables overriding the autodetected ones.
 .printing_press_job: &printing_press_job
   <<: *manual_release_job_qa
   variables:
     GIT_DEPTH: 1
   script:
-    - bind9-qa/releng/printing_press_mr.py --document "${DOCUMENT}" --metadata bind9-qa/releng/metadata.json
+    - bind9-qa/releng/printing_press_mr.py --document "${DOCUMENT}" --metadata bind9-qa/releng/metadata.json ${FORCE_CVE_IDS:+--force-cve-ids ${FORCE_CVE_IDS}}
   artifacts:
     paths:
       - printing-press/

From 963bf4e32695d65dbe278d7ae01a57ce47092a7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Tue, 4 Nov 2025 12:51:35 +0100
Subject: [PATCH 4/8] Enable overriding the list of security releases

Enable manually providing (via an optional CI variable) Printing Press jobs with the list of security releases in a given release cycle in case autodetection fails for any reason.
---
 .gitlab-ci.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2fae527d03..b52d5831a7 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
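Review bot: The inner expansion in `${FORCE_CVE_IDS:+--force-cve-ids ${FORCE_CVE_IDS}}` is unquoted, so a value containing whitespace or glob characters is word-split and pathname-expanded by the shell before `printing_press_mr.py` sees it, and `--force-cve-ids` would receive only the first word. The variable is set by hand when the manual job is run, so this is a robustness rather than an exposure issue, but the fix is cheap: `${FORCE_CVE_IDS:+--force-cve-ids "${FORCE_CVE_IDS}"}` keeps the optional-argument idiom and passes the list as a single argument. The `${FORCE_SECURITY_RELEASES:+...}` expansion added in the next patch has the same shape and the same fix.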
@@ -1771,12 +1771,16 @@ publish:
 
 # Setting the FORCE_CVE_IDS environment variable to a comma-separated
 # list of CVE IDs enables overriding the autodetected ones.
+#
+# Setting the FORCE_SECURITY_RELEASES environment variable to a
+# comma-separated list of BIND 9 versions enables overriding the
+# autodetected ones.
 .printing_press_job: &printing_press_job
   <<: *manual_release_job_qa
   variables:
     GIT_DEPTH: 1
   script:
-    - bind9-qa/releng/printing_press_mr.py --document "${DOCUMENT}" --metadata bind9-qa/releng/metadata.json ${FORCE_CVE_IDS:+--force-cve-ids ${FORCE_CVE_IDS}}
+    - bind9-qa/releng/printing_press_mr.py --document "${DOCUMENT}" --metadata bind9-qa/releng/metadata.json ${FORCE_CVE_IDS:+--force-cve-ids ${FORCE_CVE_IDS}} ${FORCE_SECURITY_RELEASES:+--force-security-releases ${FORCE_SECURITY_RELEASES}}
   artifacts:
     paths:
       - printing-press/

From 126ed8707e175be903b4e17f20fb5986b105d3a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Tue, 4 Nov 2025 12:51:35 +0100
Subject: [PATCH 5/8] Add a job preparing EVNs

Add a new GitLab CI job that automatically generates BIND 9 Early Vulnerability Notifications based on the metadata for the current release cycle.
---
 .gitlab-ci.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b52d5831a7..e11c341a87 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -309,6 +309,9 @@ stages:
 .rule_tag_open_source: &rule_tag_open_source
   - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_COMMIT_TAG != null && $CI_COMMIT_TAG !~ /-S/'
 
+.rule_tag_security: &rule_tag_security
+  - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_COMMIT_TAG != null && $RELEASE_TYPE == "security"'
+
 .rule_tag_security_or_subscription: &rule_tag_security_or_subscription
   - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_COMMIT_TAG != null && ($RELEASE_TYPE == "security" || $CI_COMMIT_TAG =~ /-S/)'
 
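Review bot: `.rule_tag_security` is the only tag rule in this hunk that ignores the `-S` suffix, so it matches both the open-source and the subscription tag of a security release, and a reader will wonder whether that is deliberate given that the neighbouring rules go out of their way to distinguish the two. If it is intended, a one-line comment above the rule, `# Matches any tag of a security release, open-source or subscription alike`, would make that explicit; if it is not, the condition needs the same `$CI_COMMIT_TAG !~ /-S/` clause as `.rule_tag_open_source`. I am inferring the open-source/subscription pairing from the `-S` regexes in the surrounding rules, not from anything else visible here.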
@@ -1795,6 +1798,15 @@ prepare-release-announcement:
   rules:
     - *rule_tag_open_source
 
+# Job preparing an EVN MR in Printing Press
+
+prepare-evn:
+  <<: *printing_press_job
+  variables:
+    DOCUMENT: evn
+  rules:
+    - *rule_tag_security
+
 # Job merging the tag back into its base branch
 
 merge-tag:

From f81757bdf3fdd56508948078dc0369a391472487 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Tue, 4 Nov 2025 12:51:35 +0100
Subject: [PATCH 6/8] Add a job preparing security pre-announcements

Add a new GitLab CI job that automatically generates public T-5 pre-announcements for BIND 9 security releases based on the metadata for the current release cycle.
---
 .gitlab-ci.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index e11c341a87..76377c32d8 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1807,6 +1807,15 @@ prepare-evn:
   rules:
     - *rule_tag_security
 
+# Job preparing a security pre-announcement MR in Printing Press
+
+prepare-preannouncement:
+  <<: *printing_press_job
+  variables:
+    DOCUMENT: security-preannouncement
+  rules:
+    - *rule_tag_security
+
 # Job merging the tag back into its base branch
 
 merge-tag:

From 11e59c96ba36bd536a7e8fb2c89e2bb36f7caa1a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Tue, 4 Nov 2025 12:51:35 +0100
Subject: [PATCH 7/8] Add a job preparing packager notifications

Add a new GitLab CI job that automatically generates T-1 packager notifications for BIND 9 security releases based on the metadata for the current release cycle.
---
 .gitlab-ci.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 76377c32d8..3c070797a9 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
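Review bot: The comment `# Job preparing an EVN MR in Printing Press` uses an abbreviation that only the commit message expands; spelling it out once in the file, `# Job preparing an Early Vulnerability Notification (EVN) MR in Printing Press`, helps a reader of .gitlab-ci.yml who does not have the history at hand. Gating the job on `*rule_tag_security` looks consistent with the commit message, which ties EVNs to security release cycles, though that is the only place the hunk lets me check it.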
@@ -1816,6 +1816,15 @@ prepare-preannouncement:
   rules:
     - *rule_tag_security
 
+# Job preparing a packager notification MR in Printing Press
+
+prepare-package-notification:
+  <<: *printing_press_job
+  variables:
+    DOCUMENT: packager-notification
+  rules:
+    - *rule_tag_security
+
 # Job merging the tag back into its base branch
 
 merge-tag:

From 83b83bac5ada4891fea359de452741573512f753 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Tue, 4 Nov 2025 12:51:35 +0100
Subject: [PATCH 8/8] Add a job preparing post-disclosure notifications

Add a new GitLab CI job that automatically generates post-disclosure notifications for BIND 9 security releases based on the metadata for the current release cycle.
---
 .gitlab-ci.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3c070797a9..99fc0d2ae4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1825,6 +1825,15 @@ prepare-package-notification:
   rules:
     - *rule_tag_security
 
+# Job preparing a post-disclosure notification MR in Printing Press
+
+prepare-post-disclosure-notification:
+  <<: *printing_press_job
+  variables:
+    DOCUMENT: post-disclosure-notification
+  rules:
+    - *rule_tag_security
+
 # Job merging the tag back into its base branch
 
 merge-tag:
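Review bot: The job is named `prepare-package-notification`, but the comment above it, the commit subject and its own `DOCUMENT: packager-notification` all say "packager"; renaming it to `prepare-packager-notification` keeps the job name, the document name and the comment aligned, as they already are for prepare-evn and prepare-post-disclosure-notification. A job rename is cheap now and becomes awkward once pipeline links and runbooks refer to the name.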