Regularly merge master branch into stable and stable into devel
… and into testing if we're in a code freeze.
Problem: sometimes, website updates break the build, some test cases, or some functionality. Currently the only documented time when we merge master into our release branches is while preparing a release. Merging master into stable is nobody’s job so it happens that we spot trouble e.g. merge conflicts on Monday morning when starting the release process.
Goals:
- Spot problems early, instead of in the critical path of the release process.
- We very often forget to merge stable into devel.
- Paves the way for more automation via GitLab CI, once we have a setup for runners to push commits.
- Social health, limiting friction, frustration, and the need for nagging by human beings.
Implementation: now that we have trusted GitLab CI runners, we should have a CI job that merges master into stable and creates a merge request. Then, developers could merge that merge request as-is once it has passed CI. Then we should figure out how to handle the subsequent merge into devel and, when relevant, into testing.
To-do
- gitlab-config!50+
- Fix #20373 (closed) in master
- Forward-port the fix for #20373 (closed) to stable
- Create and use a role-user for the job
- Document manual token creation
- Discuss, decide and implement automatic merging
- Decide about where the code should live
  - It'll live in tails/tails so that developers can take care of their own needs.
- Ask sysadmins to track somewhere else "decide about whether they want more protections in place"
- Migrate the automatic merge pipeline from tails/gitlab-config to tails/tails [Zen Fu]
- Merge stable into devel
- Discuss
- Decide
- Implement
- Fix initial implementation (!1897 (merged))
- Create a project access token with API access in https://gitlab.tails.boum.org/tails/tails/-/settings/access_tokens (https://gitlab.tails.boum.org/help/user/project/settings/project_access_tokens.md)
- Pass this token as the GITLAB_PRIVATE_TOKEN CI variable in https://gitlab.tails.boum.org/tails/tails/-/settings/ci_cd#js-cicd-variables-settings, taking great care of security concerns
- Test
- Switch to commit branch = stable
- Protect the variable
- Merge !1897 (merged)
- Remove the variable from the schedule pipeline's config
- Delete role-branch-merger's PAT (now unused)
- Monitor master→stable merge
- Monitor stable→devel merge
Edited by intrigeri
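
One way a merge job like the one described in this issue could be written, as an added example that is not the Tails project's own code. It uses GitLab's predefined `CI_*` variables and the `GITLAB_PRIVATE_TOKEN` variable named above; the function names, the work-branch name, and an `origin` remote the runner can already push to (with both branches present locally) are assumptions.

```shell
#!/bin/sh
# Added example, not the project's job. Function names and the work-branch
# name are assumptions; both branches are assumed to exist locally.
set -u

# A protected CI variable is only exposed to pipelines on protected refs,
# so refuse to continue anywhere else instead of failing later in curl.
preflight() {
    [ "${CI_COMMIT_REF_PROTECTED:-false}" = "true" ] ||
        { echo "refusing to run on an unprotected ref" >&2; return 1; }
    [ -n "${GITLAB_PRIVATE_TOKEN:-}" ] ||
        { echo "GITLAB_PRIVATE_TOKEN is not available" >&2; return 1; }
}

# Succeeds when SRC ($1) has commits that DST ($2) lacks.
needs_merge() {
    [ "$(git rev-list --count "$2..$1")" -gt 0 ]
}

# Merge SRC into a fresh work branch based on DST. Prints the work branch
# name on success; returns 2 and leaves a clean tree on conflict.
merge_into_work_branch() {
    src=$1 dst=$2 work="merge-$1-into-$2"
    git checkout -q -B "$work" "$dst" || return 1
    if ! git merge -q --no-edit "$src" >/dev/null 2>&1; then
        git merge --abort 2>/dev/null || true
        echo "conflict merging $src into $dst" >&2
        return 2
    fi
    echo "$work"
}

# Open the merge request. The token is fed to curl as a config line on
# stdin, so it never shows up in the process list or in `set -x` traces.
create_mr() {
    printf 'header = "PRIVATE-TOKEN: %s"\n' "$GITLAB_PRIVATE_TOKEN" |
    curl --fail --silent --show-error --config - \
        --data-urlencode "source_branch=$1" \
        --data-urlencode "target_branch=$2" \
        --data-urlencode "title=Merge $1 into $2" \
        "$CI_API_V4_URL/projects/$CI_PROJECT_ID/merge_requests"
}

run_job() {  # usage: run_job master stable
    preflight || return 1
    needs_merge "$1" "$2" || { echo "nothing to merge"; return 0; }
    work=$(merge_into_work_branch "$1" "$2") || return $?
    git push -q origin "$work" && create_mr "$work" "$2"
}
```

A conflict makes the job fail with exit status 2 on the day the conflicting commit lands.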