Release post - GitLab 12.0

Process improvements? Have suggestions for improving the release post process as we go? Please capture them in the retrospective issue!

Review Apps: https://release-12-0.about-src.gitlab.com/2019/06/22/gitlab-12-0-released/

Release post:

• Intro: https://gitlab.com/gitlab-com/www-gitlab-com/blob/release-12-0/source/posts/2019-06-22-gitlab-12-0-released.html.md
• Items: https://gitlab.com/gitlab-com/www-gitlab-com/blob/release-12-0/data/release_posts/2019_06_22_gitlab_12_0_released.yml
• Images: https://gitlab.com/gitlab-com/www-gitlab-com/tree/release-12-0/source/images/12_0

Related files:

• Features YAML link: https://gitlab.com/gitlab-com/www-gitlab-com/blob/release-12-0/data/features.yml
• Features YAML Images link: https://gitlab.com/gitlab-com/www-gitlab-com/blob/release-12-0/source/images/feature_page/screenshots
• Homepage card: https://gitlab.com/gitlab-com/www-gitlab-com/blob/release-12-0/source/includes/home/ten-oh-announcement.html.haml
• MVPs: https://gitlab.com/gitlab-com/www-gitlab-com/blob/release-12-0/data/mvps.yml

Handbook references:

• Blog handbook: https://about.gitlab.com/handbook/marketing/blog/
• Release post handbook: https://about.gitlab.com/handbook/marketing/blog/release-posts/
• Markdown guide: https://about.gitlab.com/handbook/product/technical-writing/markdown-guide/

People:

• Release Post Managers: https://about.gitlab.com/handbook/marketing/blog/release-posts/managers/
• Release Managers: https://about.gitlab.com/community/release-managers/

Release post manager	Tech writer	Messaging	Social
@jeremy	@eread	@johnjeremiah	@evhoffmann

General contributions

Due date: 2019-06-14 (6th working day before the 22nd)

All contributions added by team members, collaborators, and Product Managers (PMs).

Author's checklist

Due date: 2019-06-14 (6th working day before the 22nd)

The PM leading the post is responsible for adding and checking the following items: @jeremy

• Label MR: ~"blog post" release release post ~P1
• Assign the MR to yourself
• Add a release post retrospective issue (example) and provide a link to it at the top of this MR description with the text Process Improvements? Have suggstions for improving the release post process as we go? Capture them in the [Retrospective issue]().
• Check the reviewers on Slack and add their names (and your own) replacing each @mention in the MR description checklists
• Add milestone
• Update the links and due dates in this MR description
• Make sure the blog post have all initial files, as well as this MR template contains the latest template
• Add authorship (author's data)
• Ask the messaging lead to add the introduction by the 6th working day before the 22nd
• Add MVP (MVP block)
• Add MVP to data/mvps.yml
• Make sure the PM for the MVP feature adds a corresponding feature block if applicable, linking from the MVP section
• Add cover image (12_0-cover-image.jpg) (compressed)
• Add social sharing image (gitlab-12-0-released.png) (compressed)
• Make sure all feature descriptions are positive and cheerful
• Make sure all features listed in the direction page are included in the post
• Mention the Distribution PM asking them if there's any relevant info to be added to the upgrade warning section. If not, delete the upgrade block in the relese post data file
• Mention managers to remind them to add their team performance improvements: @gitlab-com/backend-managers and @gitlab-org/frontend/frontend-managers
• Check with the Messaging Lead on what the top features should be.
• Check if deprecations are included
• Alert people one working day before each due date (post a comment to #release-post Slack channel)
• Make sure all images (png, jpg, and gifs) are smaller than 300 KB each
• Run the release post through an automated spell and grammar check
• Pull master into the release post branch and resolve any conflicts
• Perform the content review

Recurring blocks

Due date: 2019-06-14 (6th working day before the 22nd)

The following sections are always present, and managed by the PM or Eng lead owning the related area:

• Mention the below individuals after feature freeze
• Add GitLab Runner improvements: @brendan
• Add Omnibus improvements: @ebrinkman
• Add Mattermost update to the Omnibus improvements section: @ebrinkman
• Add Performance improvements: @DouweM, @smcgivern, @ayufan

Feature blocks

Due date: 2019-06-14 (6th working day before the 22nd)

The Product Managers are responsible for adding their feature blocks to the release post by the due date for general contributions. PMs are also responsible for adding any notable Community Contributions.

PMs: please check your box only when all your features and deprecations were added with completion (documentation links, images, etc). Pls don't check if there are still things missing.

Note: be sure to reference your Direction items and Release features. All items which appear in our Upcoming Releases page should be included in the relevant release post.

• Mention the below individuals after feature freeze
• Manage (@jeremy)
• Plan (@ebrinkman)
• Create:Source Code (@jramsay)
• Create:Knowledge (@phikai)
• Create:Editor (@phikai)
• Verify (@brendan)
• Package (@trizzi)
• Release (@cstasik)
• Secure (@NicoleSchwartz )
• Configure (@danielgruesso)
• Monitor - APM (@kencjohnston)
• Monitor - Debug & Health (@sarahwaldner)
• Fulfillment (@tipyn)
• Distribution (@ebrinkman)

Tip: make your own checklist:

• Primary features
• Improvements (secondary features)
• Deprecations
• Documentation updated
• Documentation links added to the post
• Community contributions documented and added to the post
• Illustrations added to the post (compressed, max width = 1000 pixels)
• Update features.yml (with accompanying screenshots)

Review

Ideally, complete the review until the 4th working day before the 22nd, so that the 3rd and the 2nd working day before the release could be left for fixes and small improvements.

Content review

Due date: 2019-06-17 (5th working day before the 22nd)

Performed by the author of the post: @jeremy

• Label MR: ~"blog post" release review-in-progress
• Check all comments in the thread (make sure no contribution was left behind)
• Check Features' names
• Check Features' availability (Core, Starter, Premium, Ultimate badges)
• Reorder primary and secondary features according to their relevance to the user (most impactful features come first)
• Check Documentation links (all feature blocks contain documentation_link)
• Make sure documentation_link links to feature webpages when available
• Features were added to data/features.yml (with accompanying screenshots)
• Check all images size < 300KB (compress them all with TinyPNG or similar tool)
• Pull master, resolve any conflicts
• Make sure all discussions in the thread are resolved
• Mention @markpundsack, @kencjohnston, @jlenny, and @ebrinkman to remind them to review
• Assign the MR to the next reviewer (structural check)
• Lock features.yml with File Locking on the 21st

Structural check

Due date: 2019-06-19 (3rd working day before the 22nd)

The structural review is performed by a technical writer: @eread

• Add the label review-structure
• Pull master into the release post branch and resolve any conflicts
• Check frontmatter (entries, syntax)
• Check image_title and twitter_image
• Check image shadow applied correctly in release post data. Look for image_noshadow: true when an image already has shadow
• Ensure videos and iframes are wrapped in <figure class="video_container"> tags (for responsiveness)
• Ensure all text is consistently hard wrapped at a suitable column boundary
• Check headings are in sentence case
• Check feature and product names are in capital case
• Check if images are harmonic/consistent
• Check any .gitkeep files and delete them if any
• Add or check cover img reference (at the end of the post). Data in cover_img in release post Yaml file
• Ensure content is balanced between the columns (both columns are even)
• Ensure links have meaningful text for SEO (e.g., "click here" is bad link text)
• Check for badges consistency (applied to all headings)
• Double check that all features are documented
• Check that all links to about.gitlab.com content are relative URLs
• Check the anchor links in the intro. All links in the release post markdown file should point to something in the release post Yaml file
• Remove any remaining instructions (comments) from the release post files
• Run a dead link checker, e.g., Check my Links and ping reporters directly on Slack asking them to fix broken links
• Update the release post templates and release post handbook with anything that comes up during the process
• Pull master into the release post branch and resolve any conflicts (again)
• Report any problems from structural check in the #release-post channel by pinging the reporters directly for each problem. Do NOT ping @all or @channel nor leave a general message that no one will pay attention to. If possible, ensure any issues are tracked by open discussions in the merge request
• Post a comment in the #company-announcements channel linking to the review app + merge request reminding the team to take a look at the release post and to report problems in #release-post. Template to use (replace links):

  Hey all! This month's release post is almost ready! Take a look at it and report any problems in #release-post.
  MR: https://gitlab.com/gitlab-com/www-gitlab-com/merge_requests/1234
  Review app: https://release-12-0.about-src.gitlab.com/2019/06/22/gitlab-12-0-released/

• Remove the label review-structure.
• Assign the MR to the next reviewer (Marketing).

Further reviews

Due date: 2019-06-20 (2nd working day before the 22nd)

• Marketing review (PMMs - messaging lead): @johnjeremiah
  • Write the introduction (by the 6th working day before the 22nd)
  • Check/copyedit feature blocks
  • Check/copyedit features.yml
  • Check/copyedit homepage blurb
  • Check/copyedit social sharing text
  • Mention Mark P (@markpundsack) for final check
  • Remove the label review-in-progress
  • Assign the MR back to the author

On the 22nd

The author of the post is responsible for merging the MR and following up with possible adjustments/fixes: @jeremy.

At 12:00 UTC

• Read the important notes below
• At ~12:30 UTC, ping the release managers on the #releases Slack channel asking if everything is on schedule, and to coordinate timing with them:
  • If anything is wrong with the release, or if it's delayed, you must ping the messaging lead on #release-post so that they coordinate anything scheduled on their side (e.g., press releases, other posts, etc).
  • If everything is okay, the packages should be published at 13:30 UTC, and available publicly around 14:10 UTC.
  • Ask the release managers to ping you when the packs are publicly available (and GitLab.com is up and running on the release version)
• Mention @sumenkovic to remind him to send the swag pack to the MVP
• Check if all the anchor links in the intro are working
• Check if there are no broken links in the review app (use a dead link checker, e.g., Check my Links)
• Pull master and fix any conflicts
• Check if there isn't any alert on Slack's #release-post and #company-announcements channels
• Check if there isn't any alert on this MR thread
• Check if the tweet copy is ready and someone is ready to share on social media

At 13:50 UTC

• Check if there aren't any conflicts. If there are any, pull master again and fix them.

Once the release manager confirmed that the packages are publicly available:

• Unlock features.yml just before merging.
• Verify that the 11.0 to 12.0 YT video has been made public: "It's still unlisted on YT, so we need to be sure to make it public just before the post goes live."
• Merge the MR at 14:10-14:20 UTC.
• Wait for the pipeline. It should take ~40min to complete.
• Check the look on social media with Twitter Card Validator and Facebook Debugger.
• Check for broken links again once the post is live.
• Share on social media (or make sure someone else does) only when you're sure everything is okay.
• Share the links to the post and to the tweet on the #release-posts and #company-announcements on Slack.

@dsumenkovic [is helping with the tweet](https://gitlab.slack.com/archives/C3TRESYPJ/p1560896427173700?thread_ts=1560894427.167300&cid=C3TRESYPJ when we go live, @evhoffmann is on the LinkedIn and FB posts at 9a Pacific. Thank you both very much for the help.

Important notes

• The post is to be live on the 22nd at 15:00 UTC. It should be merged and as soon as GitLab.com is up and running on the new release version (or the latest RC that has the same features as the release), and once all packages are publicly available. Not before. Ideally, merge it around 14:20 UTC as the pipeline takes about 40 min to run.
• The usual release time is 15:00 UTC but it varies according to the deployment. If something comes up and delays the release, the release post will be delayed with the release.
• Coordinate the timing with the release managers. Ask them to keep you in the loop. Ideally, the packages should be published around 13:30-13:40, so they will be publicly available around 14:10 and you'll be able to merge the post at 14:20ish.
• Once the post is live, wait a few minutes to see if no one spot an error (usually posted in #company-announcements), then share on Twitter, Facebook, and LinkedIn, or make sure someone (Emily vH, JJ, Marcia) does. Coordinate the social sharing with them beforehand.
• Keep an eye on Slack and in the blog post comments for a few hours to make sure no one found anything that should be fixed.

source/handbook/engineering/security/index.html.md

@@ -447,14 +447,14 @@ These templates should be used during the onboarding process and throughout the
 * All new access or permissioning change requests require a [New Access Request](https://gitlab.com/gitlab-com/access-requests/issues/new?issuable_template=New%20Access%20Request).
 * All access requests must be approved by the team member's manager with the exception of:
-   
+
    - ARs for G-Suite email distribution lists for internal GitLab team members
    - ARs for Slack groups for internal GitLab team members
-  Please note that ARs for access to internal systems for "external to GitLab individuals" (eg. customers, prospects) require managerial approval. This includes access to G-Suite security groups also require managerial approval. 
+  Please note that ARs for access to internal systems for "external to GitLab individuals" (eg. customers, prospects) require managerial approval. This includes access to G-Suite security groups also require managerial approval.
 * Requests for access to Infrastructure assets (servers and databases) require a second layer of approval from Infrastructure Management.
-  
+
 * All requests for new service accounts require a [New Service Account Request](https://gitlab.com/gitlab-com/access-requests/issues/new?issuable_template=New%20Service%20Account%20Request)
 * All requests for new service accounts must be approved by a member of Infrastructure Management.
@@ -475,7 +475,7 @@ These templates should be used during the onboarding process and throughout the
 ### Access Requests and Onboarding
-During the onboarding process, the manager should determine which email and slack groups the new team member should be added to. Also determine if new team member will need access to the `dev` server, which is used by engineers to prepare fixes for security issues and also allows for access to version.gitlab.com and license.gitlab.com. If so, request the creation of a [new dev.GitLab.org account](https://dev.gitlab.org/admin/users/new) *with the same username the team member has on gitlab.com* and an invitation to the [gitlab group](https://dev.gitlab.org/groups/gitlab/group_members) as a Developer. Fill out one [access request](https://gitlab.com/gitlab-com/access-requests/issues) for both the groups and Dev account if needed. 
+During the onboarding process, the manager should determine which email and slack groups the new team member should be added to. Also determine if new team member will need access to the `dev` server, which is used by engineers to prepare fixes for security issues and also allows for access to version.gitlab.com and license.gitlab.com. If so, request the creation of a [new dev.GitLab.org account](https://dev.gitlab.org/admin/users/new) *with the same username the team member has on gitlab.com* and an invitation to the [gitlab group](https://dev.gitlab.org/groups/gitlab/group_members) as a Developer. Fill out one [access request](https://gitlab.com/gitlab-com/access-requests/issues) for both the groups and Dev account if needed.
 ### Deprovisioning
@@ -488,7 +488,7 @@ During the onboarding process, the manager should determine which email and slac
 ### Access Reviews
 * Access reviews will be formally documented using the [Access Reviews](https://gitlab.com/gitlab-com/access-requests/issues/new?issuable_template=Access%20Review) template.
-  
+
 * As part of an access review, existing access may be modified or revoked. New access (not modification of existing access) requires the submission of a [New Access Request](https://gitlab.com/gitlab-com/access-requests/issues/new?issuable_template=New%20Access%20Request).
 ### Access Control Process Exceptions
@@ -496,10 +496,10 @@ During the onboarding process, the manager should determine which email and slac
 * An access request is not required for Google Drive folders or files.
 * Managerial approval is not required when requesting access to:
-   
+
   - ARs for G-Suite email distribution lists for internal GitLab team members
   - ARs for Slack groups for internal GitLab team members
-  
+
 * Bulk requests can be submitted for the following three types of requests:
   - Email aliases/forwarding in GSuite
@@ -529,7 +529,7 @@ During the onboarding process, the manager should determine which email and slac
 | gitlab.com            |  SRE      | Admin - admin account-username                   |
 | ops.gitlab.net        |  SRE      | added w/ production group from chef users databag|
 | staging.gitlab.com    |  SRE      | add Admin role to regular account                |
-| GCP                   |  SRE      | Folder Admin/Infra.                              | 
+| GCP                   |  SRE      | Folder Admin/Infra.                              |
 | Chef                  |  SRE      | Admin                                            |
 | Pager Duty            |  SRE      | Admin                                            |
 | Status.io             |  SRE      | Admin                                            |
@@ -806,7 +806,7 @@ Team members remain responsible for their own assigned reports.
   - Import the report into a GitLab issue using `/h1import *report_id* [ce/ee] [Sx] [Px]` in Slack
     - Assign the appropriate [Severity and Priority](#severity-and-priority-labels-on-security-issues).
     - Assign the appropriate [Due Date](#due-date-on-security-issues)
-   - @ mention product manager of appropriate teams for scheduling and/or the engineering managers if additional engineering feedback is required to complete the triage, based on the [current organization chart](/company/team/org-chart).
+   - @ mention product manager of appropriate teams for scheduling and/or the engineering managers if additional engineering feedback is required to complete the triage, based on the [product categories page](https://about.gitlab.com/handbook/product/categories/)
     - As applicable, notify relevant team members via the issue, chat, and email, depending on the chosen security level.
   - Change the state of the report to "Triaged" in HackerOne and include a link to the issue as the reference.
     - Fill in the comment using the `00 - Triaged` Common
@@ -832,6 +832,14 @@ Team members remain responsible for their own assigned reports.
       as the template for the bounty award if approved.
     - In any case, no report should go "stale" where updates are not provided within the last month.
+#### Critical Vulnerabilities
+
+When critical vulnerabilities are identified, it is necessary to quickly get the attention of the appropriate engineering team and the security operations team
+in order to fully determine impact to `gitlab.com` and to self-managed customers. When a vulnerability is determined to be P1/S1, do the following after following
+the steps above:
+- [Engage the security oncall](#engaging-the-security-on-call) with a link to the issue.
+- Post the link to the issue in the appropriate engineering team's Slack channel, requesting review.
+
 #### If a Report is Unclear
 If a report is unclear, or the reviewer has any questions about the validity of the finding or how it can be exploited, now is the time to ask. Move the report to the "Needs More Info" state until the researcher has provided all the information necessary to determine the validity and impact of the finding. Use your best judgement to determine whether it makes sense to open a confidential issue anyway, noting in it that you are seeking more information from the reporter. When in doubt, err on the side of opening the issue.