debian-mirror-gitlab/.gitlab/issue_templates/Security developer workflow.md
2019-12-26 22:10:19 +05:30

3.1 KiB

Prior to starting the security release work

  • Read the security process for developers if you are not familiar with it.
  • Link to the original issue adding it to the links section
  • Run scripts/security-harness in the CE, EE, and/or Omnibus to prevent pushing to any remote besides dev.gitlab.org
  • Create a new branch prefixing it with security-
  • Create a MR targeting dev.gitlab.org master
  • Add a link to this issue in the original security issue on gitlab.com.

Backports

  • Once the MR is ready to be merged, create MRs targeting the latest 3 stable branches
    • At this point, it might be easy to squash the commits from the MR into one
    • You can use the script bin/secpick instead of the following steps, to help you cherry-picking. See the secpick documentation
    • Create each MR targeting the stable branch X-Y-stable, using the "Security Release" merge request template.
    • Every merge request will have its own set of TODOs, so make sure to complete those.
  • Make sure all MRs have a link in the links section

Documentation and final details

  • Check the topic on #releases to see when the next release is going to happen and add a link to the links section
  • Add links to this issue and your MRs in the description of the security release issue
  • Find out the versions affected (the Git history of the files affected may help you with this) and add them to the details section
  • Fill in any upgrade notes that users may need to take into account in the details section
  • Add Yes/No and further details if needed to the migration and settings columns in the details section
  • Add the nickname of the external user who found the issue (and/or HackerOne profile) to the Thanks row in the details section
  • Once your master MR is merged, comment on the original security issue with a link to that MR indicating the issue is fixed.

Summary

Description Link
Original issue #TODO
Security release issue #TODO
master MR !TODO
master MR (EE) !TODO
Backport X.Y MR !TODO
Backport X.Y MR !TODO
Backport X.Y MR !TODO
Backport X.Y MR (EE) !TODO
Backport X.Y MR (EE) !TODO
Backport X.Y MR (EE) !TODO

Details

Description Details Further details
Versions affected X.Y
Upgrade notes
GitLab Settings updated Yes/No
Migration required Yes/No
Thanks

/label ~security