gitlab.com/gitlab-org/gitlab-pages.git
author Nick Thomas <nick@gitlab.com> 2019-08-21 17:36:13 +0300
committer Nick Thomas <nick@gitlab.com> 2019-08-21 17:36:13 +0300
commit f8dabe33aee2931bcd060f7a13663eef0a0c8d9c
tree 6b627d438e44f52fcbd281c5d605209e982cb4ea
parent 3ebac566a1be3a21943734a99663160988829220
parent 832edb67c27e0910d4299fac19f53dabc49dbeaf

Merge branch 'security-workflow' into 'master'

Security workflow

See merge request gitlab-org/gitlab-pages!172

-rw-r--r-- .gitlab/merge_request_templates/Security Release.md 34
-rw-r--r-- PROCESS.md 22
2 files changed, 52 insertions, 4 deletions
diff --git a/.gitlab/merge_request_templates/Security Release.md b/.gitlab/merge_request_templates/Security Release.md
new file mode 100644
index 00000000..23bbf965
--- /dev/null
+++ b/.gitlab/merge_request_templates/Security Release.md
@@ -0,0 +1,34 @@
+<!--
+# README first!
+This MR should be created on `dev.gitlab.org`.
+
+See [the general developer security release guidelines](https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md).
+
+This merge request _must not_ close the corresponding security issue!
+
+When submitting a merge request for gitlab-pages, CE and EE merge requests for updating pages version are both required!
+
+-->
+## Related issues
+
+<!-- Mention the issue(s) this MR is related to -->
+
+## Developer checklist
+
+- [ ] Link to the developer security workflow issue on `dev.gitlab.org`
+- [ ] MR targets `master`, or `X-Y-stable` for backports
+- [ ] Milestone is set for the version this MR applies to
+- [ ] Title of this MR is the same as for all backports
+- [ ] A [CHANGELOG entry](https://docs.gitlab.com/ee/development/changelog.html) is added without a `merge_request` value, with `type` set to `security`
+- [ ] Add a link to this MR in the `links` section of related issue
+- [ ] Set up an CE MR: CE_MR_LINK_HERE
+- [ ] Set up an EE MR: EE_MR_LINK_HERE
+- [ ] Assign to a Pages maintainer for review and merge
+
+## Reviewer checklist
+
+- [ ] Correct milestone is applied and the title is matching across all backports
+- [ ] Merge this merge request
+- [ ] Create corresponding tag and push it to `dev.gitlab.org`
+
+/label ~security
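
Review bot: The two hard requirements in the README comment at the top of the template (create the MR on `dev.gitlab.org`, and do not close the corresponding security issue) have no matching item in either checklist, and because they sit inside an HTML comment they disappear from the rendered MR description, so neither developer nor reviewer has anything to tick off for them. Consider adding developer items such as `- [ ] This MR is created on dev.gitlab.org` and `- [ ] The description does not close the security issue`, and a reviewer item confirming both before "Merge this merge request". Minor wording: "Set up an CE MR" should read "Set up a CE MR".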
diff --git a/PROCESS.md b/PROCESS.md
index 52a4a0e7..8efbc9f7 100644
--- a/PROCESS.md
+++ b/PROCESS.md
@@ -62,17 +62,31 @@ to the **previous** release, or at any time for a security fix.
GitLab may backport security fixes for up to three releases, which may
correspond to three separate minor versions of GitLab Pages - and so three new
-versions to release.
+versions to release. See [Security releases](#Security releases) for the details.
-In either case, the fix should first be developed against the master branch,
-taking account of the [security release workflow](https://about.gitlab.com/handbook/engineering/workflow/#security-issues)
-if necessary. Once ready, the fix should be merged to master, where it will be
+In either case, the fix should first be developed against the master branch.
+Once ready, the fix should be merged to master, where it will be
included in the next major or minor release as usual.
The fix may be cherry-picked into each relevant stable branch, and a new patch
release made in the same way as defined above.
+
+
When updating `GITLAB_PAGES_VERSION` in the [GitLab](https://gitlab.com/gitlab-org/gitlab-ce)
repository, you should target the relevant `X-Y-stable` branches there. In
general, these branches should only ever have the patch version of GitLab pages
incremented.
+
+## Security releases
+
+We follow general [security release workflow](https://about.gitlab.com/handbook/engineering/workflow/#security-issues) for pages releases.
+Use [Security Release](.gitlab/merge_request_templates/Security Release.md) template for security related merge requests.
+
+### After security release has been published
+
+Maintainer needs to manually sync tags and branches from dev.gitlab.org to gitlab.com:
+
+- [ ] Sync `master` branch
+- [ ] Sync affected `*-*-stable` branches
+- [ ] Sync affected `v*.*.*` tags
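
Review bot: Both links added in PROCESS.md are unlikely to resolve as written. `[Security releases](#Security releases)` uses the heading text instead of its generated anchor, and `(.gitlab/merge_request_templates/Security Release.md)` has an unescaped space, which breaks a Markdown link destination. Suggest `#security-releases` for the anchor and `Security%20Release.md` for the path, or rename the template so it has no space. Also, the `- [ ]` items under "After security release has been published" cannot be ticked in a static PROCESS.md, so a plain numbered list would read better there, and the two blank `+` lines added before the `GITLAB_PAGES_VERSION` paragraph look unintended.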