gitlab-org--gitlab-foss/.gitlab/issue_templates/Security developer workflow.md

4 KiB

Prior to starting the security release work

  • Read the security process for developers if you are not familiar with it.
  • Mark this issue as related to the Security Release tracking issue. You can find it on the topic of the #releases Slack channel.
  • Run scripts/security-harness in your local repository to prevent accidentally pushing to any remote besides gitlab.com/gitlab-org/security.
  • Fill out the Links section:
    • Next to Issue on GitLab, add a link to the gitlab-org/gitlab issue that describes the security vulnerability.
    • Next to Security Release tracking issue, add a link to the security release issue that will include this security issue.

Development

After your merge request has been approved according to our approval guidelines, you're ready to prepare the backports

Backports

  • Once the MR is ready to be merged, create MRs targeting the latest 3 stable branches
    • At this point, it might be easy to squash the commits from the MR into one
    • You can use the script bin/secpick instead of the following steps, to help you cherry-picking. See the secpick documentation
  • Create each MR targeting the stable branch X-Y-stable, using the Security Release merge request template.
    • Every merge request will have its own set of TODOs, so make sure to complete those.
  • On the "Related merge requests" section, ensure all MRs are linked to this issue.
    • This section should only list the merge requests created for this issue: One targeting master and the 3 backports.

Documentation and final details

  • Ensure the Links section is completed.
  • Find out the versions affected and add them to the details section
    • The Git history of the files affected may help you associate the issue with a release
  • Fill in any upgrade notes that users may need to take into account in the details section
  • Add Yes/No and further details if needed to the migration and settings columns in the details section
  • Add the nickname of the external user who found the issue (and/or HackerOne profile) to the Thanks row in the details section
  • Once your master MR is merged, comment on the original security issue with a link to that MR indicating the issue is fixed.

Summary

Description Link
Issue on GitLab #TODO
Security Release tracking issue #TODO

Details

Description Details Further details
Versions affected X.Y
Upgrade notes
GitLab Settings updated Yes/No
Migration required Yes/No
Thanks

/label ~security