author | Vladimir Shushlin <vshushlin@gitlab.com> | 2019-08-21 17:36:13 +0300 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2019-08-21 17:36:13 +0300 |
commit | 832edb67c27e0910d4299fac19f53dabc49dbeaf | |
tree | 6b627d438e44f52fcbd281c5d605209e982cb4ea | |
parent | 3ebac566a1be3a21943734a99663160988829220 | |
Security workflow
-rw-r--r-- | .gitlab/merge_request_templates/Security Release.md | 34 |
-rw-r--r-- | PROCESS.md | 22 |
2 files changed, 52 insertions, 4 deletions
diff --git a/.gitlab/merge_request_templates/Security Release.md b/.gitlab/merge_request_templates/Security Release.md new file mode 100644 index 00000000..23bbf965 --- /dev/null +++ b/.gitlab/merge_request_templates/Security Release.md @@ -0,0 +1,34 @@ +<!-- +# README first! +This MR should be created on `dev.gitlab.org`. + +See [the general developer security release guidelines](https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md). + +This merge request _must not_ close the corresponding security issue! + +When submitting a merge request for gitlab-pages, CE and EE merge requests for updating pages version are both required! + +--> +## Related issues + +<!-- Mention the issue(s) this MR is related to --> + +## Developer checklist + +- [ ] Link to the developer security workflow issue on `dev.gitlab.org` +- [ ] MR targets `master`, or `X-Y-stable` for backports +- [ ] Milestone is set for the version this MR applies to +- [ ] Title of this MR is the same as for all backports +- [ ] A [CHANGELOG entry](https://docs.gitlab.com/ee/development/changelog.html) is added without a `merge_request` value, with `type` set to `security` +- [ ] Add a link to this MR in the `links` section of related issue +- [ ] Set up an CE MR: CE_MR_LINK_HERE +- [ ] Set up an EE MR: EE_MR_LINK_HERE +- [ ] Assign to a Pages maintainer for review and merge + +## Reviewer checklist + +- [ ] Correct milestone is applied and the title is matching across all backports +- [ ] Merge this merge request +- [ ] Create corresponding tag and push it to `dev.gitlab.org` + +/label ~security 
@@ -62,17 +62,31 @@ to the **previous** release, or at any time for a security fix. GitLab may backport security fixes for up to three releases, which may correspond to three separate minor versions of GitLab Pages - and so three new -versions to release. +versions to release. See [Security releases](#Security releases) for the details. -In either case, the fix should first be developed against the master branch, -taking account of the [security release workflow](https://about.gitlab.com/handbook/engineering/workflow/#security-issues) -if necessary. Once ready, the fix should be merged to master, where it will be +In either case, the fix should first be developed against the master branch. +Once ready, the fix should be merged to master, where it will be included in the next major or minor release as usual. The fix may be cherry-picked into each relevant stable branch, and a new patch release made in the same way as defined above. + + When updating `GITLAB_PAGES_VERSION` in the [GitLab](https://gitlab.com/gitlab-org/gitlab-ce) repository, you should target the relevant `X-Y-stable` branches there. In general, these branches should only ever have the patch version of GitLab pages incremented. + +## Security releases + +We follow general [security release workflow](https://about.gitlab.com/handbook/engineering/workflow/#security-issues) for pages releases. +Use [Security Release](.gitlab/merge_request_templates/Security Release.md) template for security related merge requests. + +### After security release has been published + +Maintainer needs to manually sync tags and branches from dev.gitlab.org to gitlab.com: + +- [ ] Sync `master` branch +- [ ] Sync affected `*-*-stable` branches +- [ ] Sync affected `v*.*.*` tags |
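
Review bot: In the new `.gitlab/merge_request_templates/Security Release.md`, the two rules that keep an unreleased fix private ("This MR should be created on `dev.gitlab.org`" and "This merge request _must not_ close the corresponding security issue!") appear only inside the leading `<!-- ... -->` comment, so they vanish from the rendered merge request and neither checklist asks anyone to confirm them. Suggest adding Developer checklist items for both, for example "- [ ] This MR is opened on `dev.gitlab.org`" and "- [ ] The description does not close the security issue", plus a matching Reviewer checklist item ahead of "Merge this merge request". Minor wording: "Set up an CE MR" should read "Set up a CE MR".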
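
Review bot: In the `PROCESS.md` hunk (`@@ -62,17 +62,31 @@`), both added links carry an unescaped space in the destination, `[Security releases](#Security releases)` and `[Security Release](.gitlab/merge_request_templates/Security Release.md)`, so they are unlikely to render as links, and the first also uses a capitalised anchor where generated heading anchors are normally lowercase with hyphens. Suggest `#security-releases` for the in-page link and `Security%20Release.md` (or the path wrapped in `<...>`) for the template link. The hunk also adds two empty lines before "When updating `GITLAB_PAGES_VERSION`" where one would do, and the "After security release has been published" checklist would be easier to follow with a final item to confirm that `master`, the `*-*-stable` branches and the `v*.*.*` tags on gitlab.com match dev.gitlab.org after the sync.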