Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade dependencies 2024-09-02 (#6537) #6548

Merged
merged 14 commits into from
Sep 10, 2024
Merged

Conversation

achave11-ucsc
Copy link
Member

@achave11-ucsc achave11-ucsc commented Sep 6, 2024

Connected issue: #6537

Checklist

Author

  • Target branch is develop
  • Name of PR branch matches upgrades/yyyy-mm-dd
  • On ZenHub, PR is connected to the upgrade issue it resolves
  • PR title matches Upgrade dependencies yyyy-mm-dd
  • PR title references the connected issue

Author (upgrading deployments)

  • Ran make docker_images.json and committed the resulting changes or this PR does not modify azul_docker_images, or any other variables referenced in the definition of that variable
  • Documented upgrading of deployments in UPGRADING.rst or this PR does not require upgrading deployments
  • Added u tag to commit title or this PR does not require upgrading deployments
  • This PR is labeled upgrade or does not require upgrading deployments
  • This PR is labeled deploy:shared or does not modify docker_images.json, and does not require deploying the shared component for any other reason
  • This PR is labeled deploy:gitlab or does not require deploying the gitlab component
  • This PR is labeled backup:gitlab
  • This PR is labeled deploy:runner or does not require deploying the runner image

Author (before every review)

  • Rebased PR branch on develop, squashed old fixups
  • Ran make requirements_update or this PR does not modify requirements*.txt, common.mk, Makefile and Dockerfile
  • Added R tag to commit title or this PR does not modify requirements*.txt
  • This PR is labeled reqs or does not modify requirements*.txt
  • make integration_test passes in personal deployment or this PR does not modify functionality that could affect the IT outcome

System administrator (after approval)

  • Actually approved the PR
  • Labeled connected issue as no demo
  • A comment to this PR details the completed security design review
  • PR title is appropriate as title of merge commit
  • Moved connected issue to Approved column
  • PR is assigned to only the operator

Operator (before pushing merge the commit)

  • Squashed PR branch and rebased onto develop
  • Sanity-checked history
  • Pushed PR branch to GitHub
  • Ran _select dev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused or this PR is not labeled deploy:shared
  • Made a backup of the GitLab data volume in dev (see operator manual for details) or this PR is not labeled backup:gitlab
  • Ran _select dev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply or this PR is not labeled deploy:gitlab
  • Ran _select anvildev.shared && CI_COMMIT_REF_NAME=develop make -C terraform/shared apply_keep_unused or this PR is not labeled deploy:shared
  • Made a backup of the GitLab data volume in anvildev (see operator manual for details) or this PR is not labeled backup:gitlab
  • Ran _select anvildev.gitlab && CI_COMMIT_REF_NAME=develop make -C terraform/gitlab apply or this PR is not labeled deploy:gitlab
  • Checked the items in the next section or this PR is labeled deploy:gitlab
  • PR is assigned to only the system administrator or this PR is not labeled deploy:gitlab

System administrator

  • Background migrations for dev.gitlab are complete or this PR is not labeled deploy:gitlab
  • Background migrations for anvildev.gitlab are complete or this PR is not labeled deploy:gitlab
  • PR is assigned to only the operator

Operator (before pushing merge the commit)

  • Ran _select dev.gitlab && make -C terraform/gitlab/runner or this PR is not labeled deploy:runner
  • Ran _select anvildev.gitlab && make -C terraform/gitlab/runner or this PR is not labeled deploy:runner
  • Added sandbox label
  • Pushed PR branch to GitLab dev
  • Pushed PR branch to GitLab anvildev
  • Build passes in sandbox deployment
  • Build passes in anvilbox deployment
  • Reviewed build logs for anomalies in sandbox deployment
  • Reviewed build logs for anomalies in anvilbox deployment
  • The title of the merge commit starts with the title of this PR
  • Added PR # reference to merge commit title
  • Collected commit title tags in merge commit title but excluded any p tags
  • Moved connected issue to Merged lower column in ZenHub
  • Moved blocked issues to Triage or no issues are blocked on the connected issue
  • Closed related Dependabot PRs with a comment referencing the corresponding commit in this PR or this PR does not include any such commits
  • Pushed merge commit to GitHub

Operator (after pushing the merge commit)

  • Pushed merge commit to GitLab dev
  • Pushed merge commit to GitLab anvildev
  • Build passes on GitLab dev
  • Reviewed build logs for anomalies on GitLab dev
  • Build passes on GitLab anvildev
  • Reviewed build logs for anomalies on GitLab anvildev
  • Ran _select dev.shared && make -C terraform/shared apply or this PR is not labeled deploy:shared
  • Ran _select anvildev.shared && make -C terraform/shared apply or this PR is not labeled deploy:shared
  • Deleted PR branch from GitHub
  • Deleted PR branch from GitLab dev
  • Deleted PR branch from GitLab anvildev

Operator

  • At least one hour has passed since anvildev.shared was last deployed
  • Ran script/export_inspector_findings.py against anvildev, imported results to Google Sheet and posted screenshot of relevant1 findings as a comment on the connected issue.
  • Propagated the deploy:shared, deploy:gitlab, deploy:runner and backup:gitlab labels to the next promotion PRs or this PR carries none of these labels
  • Propagated any specific instructions related to the deploy:shared, deploy:gitlab, deploy:runner and backup:gitlab labels, from the description of this PR to that of the next promotion PRs or this PR carries none of these labels
  • PR is assigned to only the system administrator

1A relevant finding is a high or critical vulnerability in an image
that is used within the security boundary. Images not used within the boundary
are tracked in azul.docker_images under a key starting with _.

System administrator

  • No currently reported vulnerability requires immediate attention
  • PR is assigned to no one

Shorthand for review comments

  • L line is too long
  • W line wrapping is wrong
  • Q bad quotes
  • F other formatting problem

@github-actions github-actions bot added the orange [process] Done by the Azul team label Sep 6, 2024
@achave11-ucsc achave11-ucsc force-pushed the upgrades/2024-09-02 branch 2 times, most recently from ae7f16d to 27e8d3d Compare September 6, 2024 02:50
@achave11-ucsc achave11-ucsc added upgrade [process] PR includes commit requiring manual upgrade deploy:gitlab [process] PR requires deploying `gitlab` component deploy:shared [process] PR requires deploying `shared` component deploy:runner [process] PR requires deploying `runner` component reqs [process] PR includes commit requiring ``make requirements`` backup:gitlab [process] PR requires backing up GitLab instances labels Sep 6, 2024
Copy link

codecov bot commented Sep 6, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.38%. Comparing base (f42a38e) to head (68924bf).
Report is 15 commits behind head on develop.

Additional details and impacted files
@@           Coverage Diff            @@
##           develop    #6548   +/-   ##
========================================
  Coverage    85.38%   85.38%           
========================================
  Files          155      155           
  Lines        20735    20735           
========================================
+ Hits         17704    17705    +1     
+ Misses        3031     3030    -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@coveralls
Copy link

coveralls commented Sep 6, 2024

Coverage Status

coverage: 85.404% (+0.005%) from 85.399%
when pulling 68924bf on upgrades/2024-09-02
into f42a38e on develop.

@achave11-ucsc achave11-ucsc removed the upgrade [process] PR includes commit requiring manual upgrade label Sep 6, 2024
hannes-ucsc
hannes-ucsc previously approved these changes Sep 6, 2024
@hannes-ucsc
Copy link
Member

Security design review

  • Security design review completed; this PR does not
    • … affect authentication; for example:
      • OAuth 2.0 with the application (API or Swagger UI)
      • Authentication of developers with Google Cloud APIs
      • Authentication of developers with AWS APIs
      • Authentication with a GitLab instance in the system
      • Password and 2FA authentication with GitHub
      • API access token authentication with GitHub
      • Authentication with Terra
    • … affect the permissions of internal users like access to
      • Cloud resources on AWS and GCP
      • GitLab repositories, projects and groups, administration
      • an EC2 instance via SSH
      • GitHub issues, pull requests, commits, commit statuses, wikis, repositories, organizations
    • … affect the permissions of external users like access to
      • TDR snapshots
    • … affect permissions of service or bot accounts
      • Cloud resources on AWS and GCP
    • … affect audit logging in the system, like
      • adding, removing or changing a log message that represents an auditable event
      • changing the routing of log messages through the system
    • … affect monitoring of the system
    • … introduce a new software dependency like
      • Python packages on PYPI
      • Command-line utilities
      • Docker images
      • Terraform providers
    • … add an interface that exposes sensitive or confidential data at the security boundary
    • … affect the encryption of data at rest
    • … require persistence of sensitive or confidential data that might require encryption at rest
    • … require unencrypted transmission of data within the security boundary
    • … affect the network security layer; for example by
      • modifying, adding or removing firewall rules
      • modifying, adding or removing security groups
      • changing or adding a port a service, proxy or load balancer listens on
  • Documentation on any unchecked boxes is provided in comments below

hannes-ucsc
hannes-ucsc previously approved these changes Sep 10, 2024
@achave11-ucsc achave11-ucsc added the sandbox [process] Resolution is being verified in sandbox deployment label Sep 10, 2024
@achave11-ucsc achave11-ucsc merged commit 6e66a5b into develop Sep 10, 2024
11 checks passed
@achave11-ucsc achave11-ucsc deleted the upgrades/2024-09-02 branch September 10, 2024 15:51
@hannes-ucsc hannes-ucsc removed their assignment Sep 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backup:gitlab [process] PR requires backing up GitLab instances deploy:gitlab [process] PR requires deploying `gitlab` component deploy:runner [process] PR requires deploying `runner` component deploy:shared [process] PR requires deploying `shared` component orange [process] Done by the Azul team reqs [process] PR includes commit requiring ``make requirements`` sandbox [process] Resolution is being verified in sandbox deployment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants