From be330016961020beb571dca08a918833c2ae4000 Mon Sep 17 00:00:00 2001
From: Alessio Caiazza <acaiazza@gitlab.com>
Date: Thu, 19 Jan 2023 13:51:04 +0100
Subject: Identify when a security MR introduces unreleased changes

---
 Dangerfile | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'Dangerfile')

diff --git a/Dangerfile b/Dangerfile
index 0cf5c959..dd6380bc 100644
--- a/Dangerfile
+++ b/Dangerfile
@@ -5,3 +5,19 @@ Gitlab::Dangerfiles.for_project(self) do |dangerfiles|
   # TODO: find a way to re-enalbe changelog https://gitlab.com/gitlab-org/gitlab-pages/-/issues/736
   dangerfiles.import_dangerfiles(except: %w[changelog])
 end
+
+# Identify undeployed commits only on the security mirror
+SECURITY_MIRROR_PROJECT_ID = 15_685_887
+if gitlab.mr_json['target_project_id'] == SECURITY_MIRROR_PROJECT_ID && gitlab.mr_json['target_branch'] == ENV['CI_DEFAULT_BRANCH']
+  auto_deploy_sha = gitlab.api.file_contents('gitlab-org/gitlab', 'GITLAB_PAGES_VERSION')&.rstrip
+
+  message("Current auto_deploy candidate version: #{auto_deploy_sha}")
+
+  if gitlab.base_commit != auto_deploy_sha
+    fail <<~MSG
+      Security merge requests for `#{gitlab.mr_json['target_branch']}` must have `gitlab-org/gitlab` `GITLAB_PAGES_VERSION` content as the merge request base commit.
+      Please rebase onto #{auto_deploy_sha} with `git rebase -i --onto #{auto_deploy_sha} #{gitlab.base_commit}`
+      See [our documentation](https://gitlab.com/gitlab-org/release/docs/-/tree/master/components/managed-versioning/security_release.md) for details.
+    MSG
+  end
+end
-- 
cgit v1.2.3