Modify security templates to be similar to GitLab

Modifies security issue and merge request templates to be similar to the ones on GitLab. Related to gitlab-com/gl-infra/delivery#692

Modify security templates to be similar to GitLab
87130c8e · Mayra Cabrera · Balasankar 'Balu' C · f8235ea4 · 87130c8e · 87130c8e
Commit 87130c8e authored 4 years ago by Mayra Cabrera Committed by Balasankar 'Balu' C 4 years ago
--- a/.gitlab/issue_templates/Security developer workflow.md
+++ b/.gitlab/issue_templates/Security developer workflow.md
@@ -9,26 +9,32 @@ Set the title to: `Description of the original issue`
 ### Prior to starting the security release work

 - [ ] Read the [security process for developers] if you are not familiar with it.
- [ ] Link to the original issue adding it to the [links section](#links)
- [ ] Run `scripts/security-harness` to prevent pushing to any remote besides `security/omnibus-gitlab`
+- [ ] Mark this [issue as related] to the Security Release tracking issue. You can find it on the topic of the `#releases` Slack channel.
+- [ ] Run `scripts/security-harness` to prevent pushing to any remote besides `security/omnibus-gitlab` and `dev.gitlab.org/gitlab/omnibus-gitlab`
+- Fill out the [Links section](#links):
+  - [ ] Next to **Issue on Omnibus GitLab**, add a link to the `gitlab-org/omnibus-gitlab` issue that describes the security vulnerability.
+  - [ ] Next to **Security Release tracking issue**, add a link to the security release issue that will include this security issue.
+
+### Development
+
 - [ ] Create a new branch prefixing it with `security-`
- [ ] Create a MR targeting `master` on [`security/omnibus-gitlab`](https://gitlab.com/gitlab-org/security/omnibus-gitlab)
- [ ] Add a link to this issue in the original security issue on `gitlab.com`.
+- [ ] Create a MR targeting `master` on [`security/omnibus-gitlab`](https://gitlab.com/gitlab-org/security/omnibus-gitlab) and use the [Security Release merge request template]
+- [ ] Follow the same code review process: Assign to a reviewer, then to a maintainer.
+
+After your merge request has been approved according to our approval guidelines, you're ready to prepare the backports

 #### Backports

- [ ] Once the MR is ready to be merged, create MRs targeting the last 3 releases, plus the current RC if between the 7th and 22nd of the month.
-    - [ ] At this point, it might be easy to squash the commits from the MR into one
-    - You can use the script `bin/secpick` instead of the following steps, to help you cherry-picking. See the [secpick documentation]
-    - [ ] Create each MR targeting the stable branch `X-Y-stable`, using the "Security Release" merge request template.
-    - Every merge request will have its own set of TODOs, so make sure to
-      complete those.
- [ ] Make sure all MRs have a link in the [links section](#links)
+- [ ] Once the MR is ready to be merged, create MRs targeting the latest 3 stable branches
+   * At this point, it might be easy to squash the commits from the MR into one
+- [ ] Create each MR targeting the stable branch `X-Y-stable`, using the [Security Release merge request template].
+   * Every merge request will have its own set of TODOs, so make sure to complete those.
+- [ ] On the "Related merge requests" section, ensure all MRs are linked to this issue.
+   * This section should only list the merge requests created for this issue: One targeting `master` and the 3 backports.

 #### Documentation and final details

- [ ] Check the topic on #releases to see when the next release is going to happen and add a link next to **Security Release Tracking issue** in the [links section](#links)
- [ ] Add links to this issue and your MRs in the description of the security release issue
+- [ ] Ensure the [Links section](#links) is completed.
 - [ ] Find out the versions affected (the Git history of the files affected may help you with this) and add them to the [details section](#details)
 - [ ] Fill in any upgrade notes that users may need to take into account in the [details section](#details)
 - [ ] Add Yes/No and further details if needed to the migration and settings columns in the [details section](#details)
@@ -41,12 +47,8 @@ Set the title to: `Description of the original issue`

 | Description | Link |
 | -------- | -------- |
-| Original issue   | #TODO  |
+| Issue on [Omnibus GitLab](https://gitlab.com/gitlab-org/omnibus-gitlab/issues) | #TODO  |
 | Security Release tracking issue | #TODO  |
-| `master` MR | !TODO   |
-| `Backport X.Y` MR | !TODO   |
-| `Backport X.Y` MR | !TODO   |
-| `Backport X.Y` MR | !TODO   |

 #### Details

@@ -59,7 +61,8 @@ Set the title to: `Description of the original issue`
 | Thanks | | |

 [security process for developers]: https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md
-[secpick documentation]: https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md#secpick-script
 [RM list]:  https://about.gitlab.com/release-managers/
+[issue as related]: https://docs.gitlab.com/ee/user/project/issues/related_issues.html#adding-a-related-issue
+[security Release merge request template]: https://gitlab.com/gitlab-org/omnibus-gitlab/-/blob/master/.gitlab/merge_request_templates/Security%20Release.md

 /label ~security
--- a/.gitlab/merge_request_templates/Security Release.md
+++ b/.gitlab/merge_request_templates/Security Release.md
@@ -3,26 +3,22 @@
 This MR should be created on https://gitlab.com/gitlab-org/security/omnibus-gitlab/

 See [the general developer security release guidelines](https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md).
-
-This merge request _must not_ close the corresponding security issue _unless_ it
-targets master.
-
 -->

 ## Related issues

-<!-- Link related issues below. Insert the issue link or reference after the word "Closes" if merging this should automatically close it. -->
+<!-- Mention the GitLab Security issue this MR is related to -->

 ## Developer checklist

- [ ] Link to the developer security workflow issue on [`security/omnibus-gitlab`](https://gitlab.com/gitlab-org/security/omnibus-gitlab)
- [ ] MR targets `master`, or `X-Y-stable` for backports
- [ ] Milestone is set for the version this MR applies to
- [ ] Title of this MR is the same as for all backports
+- [ ] **On "Related issues" section, write down the [Omnibus GitLab Security] issue it belongs to (i.e. `Related to <issue_id>`).**
+- [ ] MR targets `master`, or `X-Y-stable` for backports.
+- [ ] Milestone is set for the version this merge request applies to. A closed milestone can be assigned via [quick actions].
+- [ ] Title of this MR is the same as for all backports.
 - [ ] A [CHANGELOG entry](https://docs.gitlab.com/ee/development/changelog.html) is added without a `merge_request` value, with `type` set to `security`
- [ ] Add a link to this MR in the `links` section of related issue
- [ ] Add a link to an EE MR if required
- [ ] Assign to a reviewer
+- [ ] Assign to a reviewer and maintainer, per our [Code Review process].
+- [ ] For the MR targeting `master`, ensure it's approved according to our [Approval Guidelines]
+- [ ] Merge request _must not_ close the corresponding security issue, _unless_ it targets `master`.

 ## Reviewer checklist

@@ -30,3 +26,8 @@ targets master.
 - [ ] Assigned to `@gitlab-release-tools-bot` with passing CI pipelines

 /label ~security
+
+[Omnibus GitLab Security]: https://gitlab.com/gitlab-org/security/omnibus-gitlab
+[approval guidelines]: https://docs.gitlab.com/ee/development/code_review.html#approval-guidelines
+[Code Review process]: https://docs.gitlab.com/ee/development/code_review.html
+[quick actions]: https://docs.gitlab.com/ee/user/project/quick_actions.html#quick-actions-for-issues-merge-requests-and-epics