Regularly merge master branch into stable and stable into devel
… and into `testing` if we're in a code freeze.
Problem: sometimes, website updates break the build, some test cases, or some functionality. Currently, the only documented time when we merge `master` into our release branches is while preparing a release. Merging `master` into stable is nobody’s job, so we sometimes only spot trouble, e.g. merge conflicts, on Monday morning when starting the release process.
Goals:
- Spot problems early, instead of in the critical path of the release process.
- We very often forget to merge stable into devel.
- Paves the way for more automation via GitLab CI, once we have a setup for runners to push commits.
- Social health, limiting friction, frustration, and the need for nagging by human beings.
Implementation: now that we have trusted GitLab CI runners, we should have a CI job that merges `master` into stable and creates a merge request. Then, developers could merge that merge request as-is once it has passed CI. Then we should figure out how to handle the subsequent merge into `devel` and, when relevant, into `testing`.
# To-do
- [x] gitlab-config!50+
- [x] Fix tails/tails#20373 in master
- [x] Forward-port the fix for tails#20373 to stable
- [x] Create and use a `role-` user for the job
- [x] Document manual token creation
- [x] Discuss, decide and implement automatic merging
- [x] Decide about where the code should live
  * It'll live in `tails/tails` so that developers can take care of their own needs.
- [x] Ask sysadmins to track somewhere else "decide about whether they want more protections in place"
- [x] [Migrate the automatic merge pipeline from tails/gitlab-config to tails/tails](https://gitlab.torproject.org/tpo/tpa/tails/sysadmin/-/issues/18180) \[Zen Fu\]
- [x] Merge stable into devel
  * [x] Discuss
  * [x] Decide
  * [x] Implement
  * [x] Fix initial implementation (tails/tails!1897)
  * [x] Create a project access token with API access in https://gitlab.tails.boum.org/tails/tails/-/settings/access_tokens (https://gitlab.tails.boum.org/help/user/project/settings/project_access_tokens.md)
  * [x] Pass this token as the `GITLAB_PRIVATE_TOKEN` CI variable in https://gitlab.tails.boum.org/tails/tails/-/settings/ci_cd#js-cicd-variables-settings, taking great care of [security concerns](https://gitlab.tails.boum.org/help/ci/variables/index.md#cicd-variable-security)
  * [x] Test
  * [x] Switch to commit branch = stable
  * [x] Protect the variable
  * [x] Merge tails/tails!1897
  * [x] Remove the variable from the schedule pipeline's config
  * [x] Delete `role-branch-merger`'s PAT (now unused)
  * [x] Monitor master→stable merge
  * [x] Monitor stable→devel merge
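
Added example (not the Tails project's own job): a shell script a scheduled pipeline could run for the check described under Implementation, using the protected `GITLAB_PRIVATE_TOKEN` variable from the to-do list. The file name `merge-check.sh`, the `run` argument and the function names are assumptions, and it assumes a non-shallow clone with `origin` as the remote.

```sh
# Added example, not the Tails job. Meant to run from a scheduled pipeline on
# a protected branch as "sh merge-check.sh run" (hypothetical file name).
set -eu

# A protected CI variable is only injected on protected refs: stop early
# instead of calling the API with an empty token.
require_protected_context() {
    [ "${CI_COMMIT_REF_PROTECTED:-false}" = true ] ||
        { echo "refusing to run: ref is not protected" >&2; return 1; }
    [ -n "${GITLAB_PRIVATE_TOKEN:-}" ] ||
        { echo "GITLAB_PRIVATE_TOKEN is not set" >&2; return 1; }
}

# Print up-to-date, clean or conflict for merging $1 into $2.
# Leaves HEAD detached at $2 and never creates a commit.
merge_status() {
    if git merge-base --is-ancestor "$1" "$2"; then echo up-to-date; return 0; fi
    git checkout -q --detach "$2"
    if git merge -q --no-commit --no-ff "$1" >/dev/null 2>&1; then
        echo clean
    else
        echo conflict
    fi
    git merge --abort 2>/dev/null || true
}

# Open a merge request $1 -> $2. The token is fed to curl on stdin (-H @-),
# so it is absent from argv and from any URL. Keep "set -x" out of this file.
open_merge_request() {
    code=$(printf 'PRIVATE-TOKEN: %s\n' "$GITLAB_PRIVATE_TOKEN" |
        curl --silent --output /dev/null --write-out '%{http_code}' -H @- \
            --data-urlencode "source_branch=$1" \
            --data-urlencode "target_branch=$2" \
            --data-urlencode "title=Merge $1 into $2" \
            "$CI_API_V4_URL/projects/$CI_PROJECT_ID/merge_requests")
    # 201: created. 409: an open merge request for this pair already exists.
    [ "$code" = 201 ] || [ "$code" = 409 ]
}

main() {
    require_protected_context
    git fetch -q origin master stable
    status=$(merge_status origin/master origin/stable)
    echo "master into stable: $status"
    [ "$status" = up-to-date ] || open_merge_request master stable
}

if [ "${1:-}" = run ]; then main; fi
```

The same `merge_status` call with `origin/stable` and `origin/devel` covers the stable→devel step.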