2019-01-28 06:21:42 -05:00
<!--
# README first!
2019-12-18 13:08:04 -05:00
This MR should be created on `gitlab.com/gitlab-org/security/gitlab` .
2019-01-28 06:21:42 -05:00
2019-01-29 05:57:21 -05:00
See [the general developer security release guidelines ](https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md ).
2019-01-28 06:21:42 -05:00
-->
2019-12-18 13:08:04 -05:00
2019-01-28 06:21:42 -05:00
## Related issues
2020-02-26 10:08:56 -05:00
<!-- Mention the GitLab Security issue this MR is related to -->
2019-01-28 06:21:42 -05:00
2019-02-05 08:57:44 -05:00
## Developer checklist
2019-01-28 06:21:42 -05:00
2020-03-05 13:08:19 -05:00
- [ ] **On "Related issues" section, write down the [GitLab Security] issue it belongs to (i.e. `Related to <issue_id>`).**
2020-07-07 17:09:13 -04:00
- [ ] Merge request targets `master` , or a versioned stable branch (`X-Y-stable-ee`).
2019-12-18 13:08:04 -05:00
- [ ] Title of this merge request is the same as for all backports.
2021-05-24 14:10:28 -04:00
- [ ] A [CHANGELOG entry] has been included, with `Changelog` trailer set to `security` .
2020-01-15 16:08:48 -05:00
- [ ] For the MR targeting `master` :
2020-07-07 17:09:13 -04:00
- [ ] Assign to a reviewer and maintainer, per our [Code Review process].
2020-01-15 16:08:48 -05:00
- [ ] Ensure it's approved according to our [Approval Guidelines].
2020-07-07 17:09:13 -04:00
- [ ] Ensure it's approved by an AppSec engineer.
2021-12-06 16:10:14 -05:00
- Please see the security release [Code reviews and Approvals] documentation for details on which AppSec team member to ping for approval.
2020-07-07 17:09:13 -04:00
- Trigger the [`package-and-qa` build]. The docker image generated will be used by the AppSec engineer to validate the security vulnerability has been remediated.
2021-12-06 16:10:14 -05:00
- [ ] For a backport MR targeting a versioned stable branch (`X-Y-stable-ee`).
2021-08-20 14:12:04 -04:00
- [ ] Milestone is set to the version this backport applies to. A closed milestone can be assigned via [quick actions].
2020-07-07 17:09:13 -04:00
- [ ] Ensure it's approved by a maintainer.
2019-12-18 13:08:04 -05:00
2021-12-06 16:10:14 -05:00
**Note:** Reviewer/maintainer should not be a Release Manager.
2019-01-28 06:21:42 -05:00
2020-01-15 16:08:48 -05:00
## Maintainer checklist
2020-07-07 17:09:13 -04:00
2021-07-06 17:07:50 -04:00
- [ ] Correct milestone is applied and the title is matching across all backports.
2022-02-25 13:18:45 -05:00
- [ ] Assigned (_not_ as reviewer) to `@gitlab-release-tools-bot` with passing CI pipelines.
2019-01-28 06:21:42 -05:00
2019-02-06 08:14:55 -05:00
/label ~security
2019-12-18 13:08:04 -05:00
[GitLab Security]: https://gitlab.com/gitlab-org/security/gitlab
2020-01-03 19:07:49 -05:00
[quick actions]: https://docs.gitlab.com/ee/user/project/quick_actions.html#quick-actions-for-issues-merge-requests-and-epics
2021-05-24 14:10:28 -04:00
[CHANGELOG entry]: https://docs.gitlab.com/ee/development/changelog.html#overview
2020-07-07 17:09:13 -04:00
[Code Review process]: https://docs.gitlab.com/ee/development/code_review.html
2021-12-06 16:10:14 -05:00
[Code reviews and Approvals]: (https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md#code-reviews-and-approvals)
2020-07-07 17:09:13 -04:00
[Approval Guidelines]: https://docs.gitlab.com/ee/development/code_review.html#approval-guidelines
[Canonical repository]: https://gitlab.com/gitlab-org/gitlab
2022-08-30 08:12:25 -04:00
[`e2e:package-and-test` job]: https://docs.gitlab.com/ee/development/testing_guide/end_to_end/#using-the-package-and-test-job