Do not sync stable branches for public commits

If a new commit is pushed to a stable branch on canonical, it will
trigger push mirroring to security.

Now we have a race where both canonical and security wants to trigger a
FOSS merge train ending up into a diverged branch.

This commit will check that the current commit is not available on
canonical before triggering a security FOSS merge train

.gitlab/ci/releases.gitlab-ci.yml

@@ -9,7 +9,7 @@
   image: alpine:edge
   stage: sync
   before_script:
-    - apk add --no-cache --update curl bash
+    - apk add --no-cache --update curl bash jq
   after_script: []
   script:
     - bash scripts/sync-stable-branch.sh

scripts/sync-stable-branch.sh

@@ -35,6 +35,22 @@ then
     exit 1
 fi
 
+if [[ "$TARGET_PROJECT" != "gitlab-org/gitlab-foss" ]]
+then
+    echo 'This is a security FOSS merge train'
+    echo "Checking if $CI_COMMIT_SHA is available on canonical"
+
+    gitlab_com_commit_status=$(curl -s "https://gitlab.com/api/v4/projects/278964/repository/commits/$CI_COMMIT_SHA" | jq -M .status)
+
+    if [[ "$gitlab_com_commit_status" != "null" ]]
+    then
+       echo 'Commit available on canonical, skipping merge train'
+       exit 0
+    fi
+
+    echo 'Commit not available, triggering a merge train'
+fi
+
 curl -X POST \
     -F token="$MERGE_TRAIN_TRIGGER_TOKEN" \
     -F ref=master \