diff --git a/.github/PULL_REQUEST_TEMPLATE/security_fix.md b/.github/PULL_REQUEST_TEMPLATE/security_fix.md
new file mode 100644
index 00000000000..76bb658f2e8
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE/security_fix.md
@@ -0,0 +1,38 @@
+
+
+## Security Fix
+
+### Severity
+
+- [ ] Critical
+- [ ] High
+- [ ] Medium
+- [ ] Low
+
+### Description
+
+A clear description of the security issue being addressed.
+
+### Root Cause
+
+Brief explanation of what caused the security issue.
+
+### Link to Security Notice
+
+Link to CVE/GHAS notice.
+
+### Solution
+
+Describe the fix implemented and why this approach was chosen.
+
+### Additional Notes
+
+Any additional context or considerations for reviewers.
+
+---
+
\ No newline at end of file
diff --git a/.github/mergify.yml b/.github/mergify.yml
index dfbc140d118..0c566a09c75 100644
--- a/.github/mergify.yml
+++ b/.github/mergify.yml
@@ -1,4 +1,5 @@
 # Configuration file for mergify
+
 defaults:
 actions:
 backport:
@@ -27,3 +28,17 @@ pull_request_rules:
 message: |
 This pull request is now in conflicts. Could you fix it @{{author}}? 🙏
 To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/
+
+ - name: Automatic backport for Security fixes
+ conditions:
+ - and:
+ - merged
+ - base=master
+ - label="security"
+ actions:
+ backport:
+ branches:
+ # current minor release branch
+ - "release/5.2.x"
+ # previous major release branch
+ - "release/4.11.x"
\ No newline at end of file
diff --git a/common/config/azure-pipelines/jobs/version-bump.yaml b/common/config/azure-pipelines/jobs/version-bump.yaml
index 84b5ab906d1..8233c797cfa 100644
--- a/common/config/azure-pipelines/jobs/version-bump.yaml
+++ b/common/config/azure-pipelines/jobs/version-bump.yaml
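Review bot: The backport targets in the new `Automatic backport for Security fixes` rule are hard-coded as `"release/5.2.x"` and `"release/4.11.x"`, and the version-bump step added in this same commit only rewrites the entry whose major version matches the new release (its sed matches `release/$majorVersion.[0-9]*.x`), so after a major bump the previous-major entry silently keeps pointing at a stale branch; suggest replacing the second comment with `# previous major release branch - not rewritten by version-bump.yaml, update by hand on a major bump`. The `label="security"` condition is the only gate besides `merged` and `base=master`, so anyone who can apply that label to a merged master PR triggers backport pull requests into both release branches; a comment recording who may apply the label (or a check that label permissions are restricted to maintainers) would make that trust boundary explicit. The `- and:` wrapper is redundant since Mergify already ANDs the entries of a rule's `conditions` list, so the three conditions can sit directly under `conditions:`. The file also ends without a trailing newline (`\ No newline at end of file`).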
@@ -113,6 +113,14 @@ jobs: # manually to be the most recent previous major release # e.g. if this release is `release/5.0.x`, value in `gather-docs.yaml` # should be `release/4..x` + # additionally if major version bump, the `mergify.yml` also needs to be edited manually + # if this release is `release/5.0.x`, the branches under actions/backport should be updated to look like: + # branches: + # # current minor release branch + # - "release/5.0.x" + # # previous major release branch + # - `release/4..x` + if [ $((previousMinorVersion)) -lt 0 ] then echo "This is is a major release. Edit \"gather-docs.yaml\" manually." @@ -254,8 +262,23 @@ jobs: displayName: Get new version number name: getVersion - # When creating a minor release, the NextVersion.md need to be cleared and the contents placed into a {Version Number}.md file - ${{ if eq(parameters.BumpType, 'minor') }}: + + # When creating a minor release, the mergify.yml file needs to be updated to change the hardcoded branch names for security fixes + - bash: | + mergifyPath=".github/mergify.yml" + version=$(echo $(getVersion.version) | sed 's/\([0-9]*\.[0-9]*\)\.[0-9]*/\1.x/') + releaseBranch="release/$version" + majorVersion=$(echo $version | cut -d. -f1) + echo "Updating mergify.yml to backport to $releaseBranch for security fixes" + + # Update the backporting release branch matching the major version number of the new version + sed -i "/\"release\/$majorVersion\.[0-9]*\.x\"/ s|\"release/$majorVersion\.[0-9]*\.x\"|\"$releaseBranch\"|" "$mergifyPath" + + displayName: Update mergify.yml for new minor release + condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/')) + + # When creating a minor release, the NextVersion.md need to be cleared and the contents placed into a {Version Number}.md file - powershell: | $sourceFile = 'docs/changehistory/NextVersion.md'
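Review bot: The example in the added comment block does not match the file it describes: the current-minor entry is shown as `- "release/5.0.x"`, but the previous-major entry is written with backticks and no minor component (release/4..x), while mergify.yml double-quotes both branch names (`"release/5.2.x"`, `"release/4.11.x"`); suggest `# - "release/4.<last-minor>.x"` so the backticks are not copied into the YAML. The phrase `the branches under actions/backport` is also ambiguous, because mergify.yml has both a top-level `defaults.actions.backport` section and the new rule's own `actions.backport`; naming the rule (`Automatic backport for Security fixes`) would pin it down. The bash block these comments belong to starts and ends outside the hunk.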