internal/task: add workflow to build internal security release branches

Take security patches in the internal gerrit and from them build the
internal release branches that are used to build a security release.

Updates golang/go#59717

Change-Id: I2eb4e9fda773e49fbde1fe967678ab3cc813bac8
Reviewed-on: https://go-review.googlesource.com/c/build/+/612116
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

Author: rolandshoemaker

cmd/relui/main.go

@@ -365,6 +365,12 @@ func main() {
 	}
 	dh.RegisterDefinition("Publish a private patch to a x/ repo", privateXPatchTask.NewDefinition(tagTasks))
 
+	securityReleaseCoalesceTask := &task.SecurityReleaseCoalesceTask{
+		PrivateGerrit: privateGerritClient,
+		Version:       versionTasks,
+	}
+	dh.RegisterDefinition("Prepare internal security release branches", securityReleaseCoalesceTask.NewDefinition())
+
 	var base *url.URL
 	if *baseURL != "" {
 		base, err = url.Parse(*baseURL)

gerrit/gerrit.go

@@ -326,6 +326,9 @@ type ChangeInfo struct {
 	// MoreChanges is set on the last change from QueryChanges if
 	// the result set is truncated by an 'n' parameter.
 	MoreChanges bool `json:"_more_changes"`
+
+	// ContainsGitConflicts indicates if the change has merge conflicts.
+	ContainsGitConflicts bool `json:"contains_git_conflicts"`
 }
 
 // ReviewerUpdateInfo is a Gerrit data structure.
@@ -1204,3 +1207,75 @@ func (c *Client) GetCommitsInRefs(ctx context.Context, project string, commits,
 	err := c.do(ctx, &result, "GET", "/projects/"+url.PathEscape(project)+"/commits:in", urlValues(vals))
 	return result, err
 }
+
+// CherryPickRevision cherry picks a change revision to a destination branch.
+//
+// See https://gerrit-review.googlesource.com/Documentation/rest-api-changes.html#cherry-pick.
+func (c *Client) CherryPickRevision(ctx context.Context, changeID, revisionID string, cpi CherryPickInput) (ChangeInfo, error) {
+	var change ChangeInfo
+	err := c.do(ctx, &change, "POST", "/changes/"+changeID+"/revisions/"+revisionID+"/cherrypick", reqBodyJSON{&cpi}, wantResStatus(http.StatusOK))
+	return change, err
+}
+
+// CherryPickInput contains the options for creating a new cherry-pick.
+//
+// See https://gerrit-review.googlesource.com/Documentation/rest-api-changes.html#cherrypick-input.
+type CherryPickInput struct {
+	Destination    string `json:"destination"`
+	KeepReviewers  bool   `json:"keep_reviewers"`
+	AllowConflicts bool   `json:"allow_conflicts"`
+	Message        string `json:"message,omitempty"`
+}
+
+// MoveChange moves a change onto a destination branch.
+//
+// See https://gerrit-review.googlesource.com/Documentation/rest-api-changes.html#move-change.
+func (c *Client) MoveChange(ctx context.Context, changeID string, mi MoveInput) (ChangeInfo, error) {
+	var change ChangeInfo
+	err := c.do(ctx, &change, "POST", "/changes/"+changeID+"/move", reqBodyJSON{&mi}, wantResStatus(http.StatusOK))
+	return change, err
+}
+
+// MoveInput contains the options for moving a change.
+//
+// See https://gerrit-review.googlesource.com/Documentation/rest-api-changes.html#move-input.
+type MoveInput struct {
+	DestinationBranch string `json:"destination_branch"`
+	KeepAllVotes      bool   `json:"keep_all_votes"`
+}
+
+// RebaseChange rebases a change onto a new base revision, or directly on top of
+// the target branch.
+//
+// See https://gerrit-review.googlesource.com/Documentation/rest-api-changes.html#rebase-change.
+func (c *Client) RebaseChange(ctx context.Context, changeID string, ri RebaseInput) (ChangeInfo, error) {
+	var change ChangeInfo
+	err := c.do(ctx, &change, "POST", "/changes/"+changeID+"/rebase", reqBodyJSON{&ri}, wantResStatus(http.StatusOK))
+	return change, err
+}
+
+// RebaseInput contains the options for rebasing a change.
+//
+// See https://gerrit-review.googlesource.com/Documentation/rest-api-changes.html#rebase-input.
+type RebaseInput struct {
+	Base           string `json:"base,omitempty"`
+	AllowConflicts bool   `json:"allow_conflicts"`
+}
+
+// GetCommitMessage retrieves the commit message for a change.
+//
+// See https://gerrit-review.googlesource.com/Documentation/rest-api-changes.html#get-message.
+func (c *Client) GetCommitMessage(ctx context.Context, changeID string) (CommitMessageInfo, error) {
+	var cmi CommitMessageInfo
+	err := c.do(ctx, &cmi, "GET", "/changes/"+changeID+"/message")
+	return cmi, err
+}
+
+// CommitMessageInfo contains information about a commit message.
+//
+// See https://gerrit-review.googlesource.com/Documentation/rest-api-changes.html#commit-message-info.
+type CommitMessageInfo struct {
+	Subject     string            `json:"subject"`
+	FullMessage string            `json:"full_message"`
+	Footers     map[string]string `json:"footers"`
+}

internal/task/fakes.go

@@ -520,6 +520,30 @@ func (*FakeGerrit) GetChange(_ context.Context, _ string, _ ...gerrit.QueryChang
 	return nil, nil
 }
 
+func (*FakeGerrit) SubmitChange(ctx context.Context, changeID string) (gerrit.ChangeInfo, error) {
+	return gerrit.ChangeInfo{}, nil
+}
+
+func (*FakeGerrit) CreateCherryPick(ctx context.Context, changeID string, branch string, message string) (gerrit.ChangeInfo, bool, error) {
+	return gerrit.ChangeInfo{}, false, nil
+}
+
+func (*FakeGerrit) MoveChange(ctx context.Context, changeID string, branch string, keepAllVotes bool) (gerrit.ChangeInfo, error) {
+	return gerrit.ChangeInfo{}, nil
+}
+
+func (*FakeGerrit) RebaseChange(ctx context.Context, changeID string, baseRev string) (gerrit.ChangeInfo, error) {
+	return gerrit.ChangeInfo{}, nil
+}
+
+func (*FakeGerrit) GetRevisionActions(ctx context.Context, changeID, revision string) (map[string]*gerrit.ActionInfo, error) {
+	return map[string]*gerrit.ActionInfo{}, nil
+}
+
+func (*FakeGerrit) GetCommitMessage(ctx context.Context, changeID string) (string, error) {
+	return "", nil
+}
+
 // NewFakeSignService returns a fake signing service that can sign PKGs, MSIs,
 // and generate GPG signatures. MSIs are "signed" by adding a suffix to them.
 // PKGs must actually be tarballs with a prefix of "I'm a PKG!\n". Any files

internal/task/gerrit.go

@@ -64,6 +64,22 @@ type GerritClient interface {
 	SetHashtags(ctx context.Context, changeID string, hashtags gerrit.HashtagsInput) error
 	// GetChange gets information about a specific change.
 	GetChange(ctx context.Context, changeID string, opts ...gerrit.QueryChangesOpt) (*gerrit.ChangeInfo, error)
+	// SubmitChange submits a specific change.
+	SubmitChange(ctx context.Context, changeID string) (gerrit.ChangeInfo, error)
+	// CreateCherryPick creates a cherry-pick change. If there are no merge
+	// conflicts, it starts trybots. If commitMessage is provided, the commit
+	// message is updated, otherwise it is taken from the original change.
+	// Reviewers are taken from the original change.
+	CreateCherryPick(ctx context.Context, changeID string, branch string, commitMessage string) (_ gerrit.ChangeInfo, conflicts bool, _ error)
+	// RebaseChange rebases a change onto a base revision. If revision is empty,
+	// the change is rebased directly on top of the target branch.
+	RebaseChange(ctx context.Context, changeID string, revision string) (gerrit.ChangeInfo, error)
+	// MoveChange moves a change onto a new branch.
+	MoveChange(ctx context.Context, changeID string, branch string, keepAllVotes bool) (gerrit.ChangeInfo, error)
+	// GetRevisionActions retrieves revision actions.
+	GetRevisionActions(ctx context.Context, changeID, revision string) (map[string]*gerrit.ActionInfo, error)
+	// GetCommitMessage retrieves the commit message for a change.
+	GetCommitMessage(ctx context.Context, changeID string) (string, error)
 }
 
 type RealGerritClient struct {
@@ -311,3 +327,46 @@ func (c *RealGerritClient) SetHashtags(ctx context.Context, changeID string, has
 	_, err := c.Client.SetHashtags(ctx, changeID, hashtags)
 	return err
 }
+
+func (c *RealGerritClient) SubmitChange(ctx context.Context, changeID string) (gerrit.ChangeInfo, error) {
+	return c.Client.SubmitChange(ctx, changeID)
+}
+
+func (c *RealGerritClient) CreateCherryPick(ctx context.Context, changeID string, branch string, commitMessage string) (gerrit.ChangeInfo, bool, error) {
+	cpi := gerrit.CherryPickInput{Destination: branch, KeepReviewers: true, AllowConflicts: true, Message: commitMessage}
+	ci, err := c.Client.CherryPickRevision(ctx, changeID, "current", cpi)
+	if err != nil {
+		return gerrit.ChangeInfo{}, false, err
+	}
+	if ci.ContainsGitConflicts {
+		return ci, true, nil
+	}
+	if err := c.Client.SetReview(ctx, ci.ID, "current", gerrit.ReviewInput{
+		Labels: map[string]int{
+			"Commit-Queue": 1,
+		},
+	}); err != nil {
+		return gerrit.ChangeInfo{}, false, err
+	}
+	return ci, false, nil
+}
+
+func (c *RealGerritClient) MoveChange(ctx context.Context, changeID string, branch string, keepAllVotes bool) (gerrit.ChangeInfo, error) {
+	return c.Client.MoveChange(ctx, changeID, gerrit.MoveInput{DestinationBranch: branch, KeepAllVotes: keepAllVotes})
+}
+
+func (c *RealGerritClient) RebaseChange(ctx context.Context, changeID string, base string) (gerrit.ChangeInfo, error) {
+	return c.Client.RebaseChange(ctx, changeID, gerrit.RebaseInput{Base: base, AllowConflicts: true})
+}
+
+func (c *RealGerritClient) GetRevisionActions(ctx context.Context, changeID, revision string) (map[string]*gerrit.ActionInfo, error) {
+	return c.Client.GetRevisionActions(ctx, changeID, revision)
+}
+
+func (c *RealGerritClient) GetCommitMessage(ctx context.Context, changeID string) (string, error) {
+	cmi, err := c.Client.GetCommitMessage(ctx, changeID)
+	if err != nil {
+		return "", err
+	}
+	return cmi.FullMessage, nil
+}