
automatically check for new gitlab releases and send notifications
Open, Low, Public

Description

We should write a script that checks the gitlab releases page against the current known version
and sends us an email when there is a new version.

(Put it in a systemd timer that is puppetized)

To replace the process of manually checking the release page.

Event Timeline

LSobanski triaged this task as Medium priority. Nov 29 2022, 3:17 PM
LSobanski moved this task from Incoming to Backlog on the collaboration-services board.
LSobanski subscribed.

A possible source of information: https://about.gitlab.com/security-releases.xml

Apart from the feed, there's a mailing list for security releases:

https://about.gitlab.com/company/contact/

Change 889640 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] gitlab: check for a new release string (WIP)

https://gerrit.wikimedia.org/r/889640

proof of concept / WIP:

#!/usr/bin/python3
# check the version string of the latest gitlab security release
# compare it to the previous version and send an email if it has changed since last check
# https://phabricator.wikimedia.org/T323932
# we are using feedparser to parse the upstream XML feed
#
# requirements: python3-path, python3-feedparser (Debian packages)
#
###
import feedparser
import os
import filecmp
import shutil
import smtplib
import sys
from email.message import EmailMessage
from pathlib import Path
###

###
gitlab_release_cur_file = '/tmp/gitlab_release_cur'
gitlab_release_prev_file = '/tmp/gitlab_release_prev'
gitlab_release_feed_url = 'https://about.gitlab.com/security-releases.xml'
email_rcpt_addr = 'dzahn@wikimedia.org'
email_sndr_addr = 'root@localhost'
email_text_msg = 'detected a new gitlab release:'
###

print(f'gitlab version checker - pulling release string from {gitlab_release_feed_url}\n')

version_feed = feedparser.parse(gitlab_release_feed_url)

# feedparser only sets 'status' when the HTTP fetch happened; .get() avoids an AttributeError on network failure
if version_feed.get('status') == 200:
    # the title of the newest feed entry is the release string we track
    version = version_feed['entries'][0]['title']
    with open(gitlab_release_cur_file, 'w') as gitlab_release_current_file:
        gitlab_release_current_file.write(version)
else:
    print(f'could not pull feed from {gitlab_release_feed_url}. status code: {version_feed.get("status")}\n')
    sys.exit('check network connectivity and feed manually. exiting.\n')

if os.path.exists(gitlab_release_prev_file):
    print(f'found a release string from a previous check in {gitlab_release_prev_file}.\n')
    if filecmp.cmp(gitlab_release_prev_file, gitlab_release_cur_file):
        print('old and new version string are the same. doing nothing.\n')
    else:
        print('old and new version string differ. sending an email.\n')
        new_version_string = Path(gitlab_release_cur_file).read_text()
        msg = EmailMessage()
        msg.set_content(f'{email_text_msg} {new_version_string}')
        msg['Subject'] = f'{email_text_msg}'
        msg['From'] = email_sndr_addr
        msg['To'] = email_rcpt_addr
        s = smtplib.SMTP('localhost')
        s.send_message(msg)
        s.quit()
        # remember the version we just notified about, otherwise every later run mails again
        shutil.copyfile(gitlab_release_cur_file, gitlab_release_prev_file)
else:
    print(f'could not find a previous version ({gitlab_release_prev_file}).\nlooks like you are running this for the first time.\n')
    print(f'copying {gitlab_release_cur_file} to {gitlab_release_prev_file}\n')
    shutil.copyfile(gitlab_release_cur_file, gitlab_release_prev_file)
Example runs:

python3 gitlab_version_check.py

gitlab version checker - pulling release string from https://about.gitlab.com/security-releases.xml

could not find a previous version (/tmp/gitlab_release_prev).
looks like you are running this for the first time.

copying /tmp/gitlab_release_cur to /tmp/gitlab_release_prev

python3 gitlab_version_check.py

gitlab version checker - pulling release string from https://about.gitlab.com/security-releases.xml

found a release string from a previous check in /tmp/gitlab_release_prev.

old and new version string are the same. doing nothing.

python3 gitlab_version_check.py

gitlab version checker - pulling release string from https://about.gitlab.com/security-releases.xml

found a release string from a previous check in /tmp/gitlab_release_prev.

old and new version string differ. sending an email.

...

Thanks for the suggestion!

I guess because upstream already provides a feed for us specifically for security releases so we don't have to check multiple repos to get a string like "GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8" and we don't have to add release-monitoring.org into the mix and wonder if a new version also means a security release.
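The WIP script above notifies whenever the feed's newest title changes as a raw string. The description asks for a check "against the current known version", which a string comparison cannot answer: a security release that only patches branches other than the one installed needs a different response than one that ships a fix for it. The following is an added example (not the task's patch, not project code) that parses the title format quoted in this task and decides what, if anything, the installed version should move to; the sample title and installed versions are constructed.

```python
# Added example: turn a GitLab security-release feed title into version tuples
# and compare them against the version we run. Not part of the task's WIP script.
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample, in the title format quoted in the task comments.
SAMPLE_TITLE = "GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8"

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_versions(title: str) -> List[Version]:
    """Every distinct x.y.z version mentioned in a feed entry title, newest first."""
    found = {tuple(int(p) for p in m.groups()) for m in _VERSION_RE.finditer(title)}
    return sorted(found, reverse=True)  # type: ignore[arg-type]


def parse_version(text: str) -> Version:
    """Parse exactly one x.y.z version (e.g. the locally installed one)."""
    versions = parse_versions(text)
    if len(versions) != 1:
        raise ValueError(f"expected exactly one x.y.z version in {text!r}")
    return versions[0]


def recommended_upgrade(installed: Version, released: List[Version]) -> Optional[Version]:
    """Target version for this release announcement, or None if nothing to do.

    Prefer the fixed release on the installed minor branch (x.y). If the
    announcement patches no release on our branch but does ship something newer,
    our branch is no longer receiving fixes: recommend the newest release.
    """
    for candidate in released:  # newest first
        if candidate[:2] == installed[:2] and candidate > installed:
            return candidate
    if released and released[0] > installed:
        return released[0]
    return None


def actionable_titles(installed_text: str, titles: List[str]) -> List[str]:
    """Feed titles that require an upgrade of the installed version."""
    installed = parse_version(installed_text)
    return [t for t in titles if recommended_upgrade(installed, parse_versions(t)) is not None]
```

Persisting the last title that was acted on (as the WIP script does with its state file) still prevents repeat notifications; this only adds the "does it affect us" decision on top.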

Change 889640 abandoned by Dzahn:

[operations/puppet@production] gitlab: check for a new release string (WIP)

Reason:

should be recreated but create a ticket instead of send email

https://gerrit.wikimedia.org/r/889640

LSobanski lowered the priority of this task from Medium to Low. Jun 26 2023, 10:48 AM

We are now subscribed to the GitLab releases mailing list so this is slightly lower priority (but would still be useful).