From e412fc2d1d1358e3a50e42b7edd480b9bca838b3 Mon Sep 17 00:00:00 2001
From: andremig-bentley
Date: Mon, 29 Sep 2025 22:04:20 -0600
Subject: [PATCH 01/10] init commit

---
 .github/mergify.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/mergify.yml b/.github/mergify.yml
index dfbc140d1184..eacd1706a51e 100644
--- a/.github/mergify.yml
+++ b/.github/mergify.yml
@@ -27,3 +27,18 @@ pull_request_rules:
 message: |
 This pull request is now in conflicts. Could you fix it @{{author}}? 🙏
 To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/
+
+ - name: Automatic backport for Security fixes
+ conditions:
+ - and:
+ - merged
+ - base=master
+ - label="Security"
+ actions:
+ backport:
+ branches:
+ # Automatically backport to all active release branches
+ # Update these branch names as needed for your project
+ - "release/5.2.x"
+ - "release/5.0.x"
+ - "release/4.9.x"
\ No newline at end of file
From e312548833ebae8e9e6fb00bd8003ba356631598 Mon Sep 17 00:00:00 2001
From: andremig-bentley
Date: Mon, 29 Sep 2025 22:08:06 -0600
Subject: [PATCH 02/10] cleanup

---
 .github/mergify.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/mergify.yml b/.github/mergify.yml
index eacd1706a51e..a64628f635af 100644
--- a/.github/mergify.yml
+++ b/.github/mergify.yml
@@ -37,8 +37,6 @@ pull_request_rules:
 actions:
 backport:
 branches:
- # Automatically backport to all active release branches
- # Update these branch names as needed for your project
 - "release/5.2.x"
 - "release/5.0.x"
 - "release/4.9.x"
\ No newline at end of file
From ff18ea990386357dcfc477d68d624f7b6f1a8500 Mon Sep 17 00:00:00 2001
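Review bot: The `- and:` wrapper under `conditions:` in the new rule is redundant, since Mergify already requires every entry of the top-level `conditions` list to match, and the hunk leaves the file without a trailing newline (`\ No newline at end of file`), which every later hunk in this series keeps re-emitting. The three conditions can simply be listed flat: `- merged`, `- base=master`, `- label="Security"`. The backport pull requests this rule opens against the release branches inherit whatever `defaults.actions.backport` configures (above this hunk, not visible here); it is worth confirming there that they are not auto-merged, because the only gate on this rule is a label that anyone with triage permission can apply.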
From: andremig-bentley
Date: Thu, 9 Oct 2025 16:34:20 -0600
Subject: [PATCH 03/10] add template, update verbump, update mergify

---
 .github/PULL_REQUEST_TEMPLATE/security_fix.md | 34 +++++++++++++++++++
 .github/mergify.yml | 10 ++++--
 .../azure-pipelines/jobs/version-bump.yaml | 20 ++++++++++-
 3 files changed, 60 insertions(+), 4 deletions(-)
 create mode 100644 .github/PULL_REQUEST_TEMPLATE/security_fix.md

diff --git a/.github/PULL_REQUEST_TEMPLATE/security_fix.md b/.github/PULL_REQUEST_TEMPLATE/security_fix.md
new file mode 100644
index 000000000000..b17074d85b87
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE/security_fix.md
@@ -0,0 +1,34 @@
+
+
+## Security Fix
+
+### Severity
+
+- [ ] Critical
+- [ ] High
+- [ ] Medium
+- [ ] Low
+
+### Description
+
+A clear description of the security issue being addressed.
+
+### Root Cause
+
+Brief explanation of what caused the security issue.
+
+### Solution
+
+Describe the fix implemented and why this approach was chosen.
+
+### Additional Notes
+
+Any additional context or considerations for reviewers.
+
+---
+
\ No newline at end of file
diff --git a/.github/mergify.yml b/.github/mergify.yml
index a64628f635af..95ce4beccab3 100644
--- a/.github/mergify.yml
+++ b/.github/mergify.yml
@@ -1,4 +1,9 @@
 # Configuration file for mergify
+
+# Branch variables for backport targets
+latestMinor: &latestMinor "release/5.2.x"
+previousMajor: &previousMajor "release/4.9.x"
+
 defaults:
 actions:
 backport:
@@ -37,6 +42,5 @@ pull_request_rules:
 actions:
 backport:
 branches:
- - "release/5.2.x"
- - "release/5.0.x"
- - "release/4.9.x"
\ No newline at end of file
+ - *latestMinor
+ - *previousMajor
\ No newline at end of file
diff --git a/common/config/azure-pipelines/jobs/version-bump.yaml b/common/config/azure-pipelines/jobs/version-bump.yaml
index df316fa6114a..bcdd2b1c915c 100644
--- a/common/config/azure-pipelines/jobs/version-bump.yaml
+++ b/common/config/azure-pipelines/jobs/version-bump.yaml
@@ -113,6 +113,10 @@ jobs:
 # manually to be the most recent previous major release
 # e.g. if this release is `release/5.0.x`, value in `gather-docs.yaml`
 # should be `release/4..x`
+ # additionally if major version bump, the `mergify.yml` also needs to be edited manually
+ # if this release is `release/5.0.x`,change the `latestMinor` variable to `release/5.0.x`
+ # and the `previousMajor` variable to `release/4..x`
+
 if [ $((previousMinorVersion)) -lt 0 ]
 then
 echo "This is is a major release. Edit \"gather-docs.yaml\" manually."
@@ -248,8 +252,22 @@ jobs:
 displayName: Get new version number
 name: getVersion
- # When creating a minor release, the NextVersion.md need to be cleared and the contents placed into a {Version Number}.md file
 - ${{ if eq(parameters.BumpType, 'minor') }}:
+
+ # When creating a minor release, the mergify.yml file needs to be updated to change the "latestMinor" branch for security fixes
+ - bash: |
+ mergifyPath=".github/mergify.yml"
+ version=$(echo $(getVersion.version) | sed 's/\([0-9]*\.[0-9]*\)\.[0-9]*/\1.x/')
+ releaseBranch="release/$version"
+ echo "Updating mergify.yml to use $releaseBranch as the recent minor branch for security fixes"
+
+ # Update the latestMinor variable in mergify.yml
+ sed -i "s|^latestMinor: \&latestMinor \"release/[0-9]*\.[0-9]*\.x\"$|latestMinor: \&latestMinor \"$releaseBranch\"|" "$mergifyPath"
+
+ displayName: Update mergify.yml for new minor release
+ condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/'))
+
+ # When creating a minor release, the NextVersion.md need to be cleared and the contents placed into a {Version Number}.md file
 - powershell: |
 $sourceFile = 'docs/changehistory/NextVersion.md'
From 05635be4d63e31f7e7166e9241f2c2d33d19b633 Mon Sep 17 00:00:00 2001
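Review bot: The `version=` line of the new `- bash:` step in the second hunk derives the branch name with an unanchored `sed` expression that rewrites only the first `major.minor.patch` match, so if `getVersion.version` ever carries a pre-release suffix (a constructed example: `5.3.0-dev.4`) the step would write `release/5.3.x-dev.4` into `mergify.yml`; anchoring it, `sed 's/^\([0-9]*\.[0-9]*\)\..*$/\1.x/'`, makes the branch depend on major.minor alone. The same line expands the macro unquoted through `echo $(getVersion.version)`, so a value containing whitespace would be word-split before `sed` sees it; `version=$(printf '%s' "$(getVersion.version)" | sed ...)` avoids that. Nothing in the hunk shows the edited `mergify.yml` being committed, so presumably a later step of the job does that — worth confirming, since otherwise the security-backport target on the release branch would stay stale.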
From: andremig-bentley <101671244+andremig-bentley@users.noreply.github.com>
Date: Fri, 10 Oct 2025 14:17:10 -0600
Subject: [PATCH 04/10] Update .github/mergify.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/mergify.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/mergify.yml b/.github/mergify.yml
index 95ce4beccab3..caa3e44f01c2 100644
--- a/.github/mergify.yml
+++ b/.github/mergify.yml
@@ -38,7 +38,7 @@ pull_request_rules:
 - and:
 - merged
 - base=master
- - label="Security"
+ - label="security"
 actions:
 backport:
 branches:
From be287472157c51e697db2db39ecf3a6d3841108d Mon Sep 17 00:00:00 2001
From: andremig-bentley <101671244+andremig-bentley@users.noreply.github.com>
Date: Fri, 10 Oct 2025 14:17:19 -0600
Subject: [PATCH 05/10] Update .github/PULL_REQUEST_TEMPLATE/security_fix.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/PULL_REQUEST_TEMPLATE/security_fix.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/PULL_REQUEST_TEMPLATE/security_fix.md b/.github/PULL_REQUEST_TEMPLATE/security_fix.md
index b17074d85b87..1f172c00ff1e 100644
--- a/.github/PULL_REQUEST_TEMPLATE/security_fix.md
+++ b/.github/PULL_REQUEST_TEMPLATE/security_fix.md
@@ -2,7 +2,7 @@
 Please rename the PR to follow the following convention: PR Title: "Security Fix: "
-Please add the "securty" label to the PR.
+Please add the "security" label to the PR.
 -->
 ## Security Fix
From faa279c9a4b577ed2986562126365973cd8afe03 Mon Sep 17 00:00:00 2001
From: andremig-bentley
Date: Fri, 10 Oct 2025 14:38:12 -0600
Subject: [PATCH 06/10] cleanup, add link to template

---
 .github/PULL_REQUEST_TEMPLATE/security_fix.md | 4 ++++
 .github/mergify.yml | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/PULL_REQUEST_TEMPLATE/security_fix.md b/.github/PULL_REQUEST_TEMPLATE/security_fix.md
index 1f172c00ff1e..76bb658f2e8e 100644
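Review bot: The rule now fires on any merged PR carrying the `security` label, and the companion template asks authors to add that label themselves; contributors without triage permission cannot add labels, so in practice a maintainer applies it, and if the repository is public a `security` label attached before the fix is merged and released publicly marks the PR as a vulnerability fix. A comment above the rule would make that expectation explicit, e.g. `# Maintainers apply the "security" label when merging; the name must match the repository label exactly`. Whether Mergify compares label names case-insensitively is not visible from this hunk, so keeping the value identical to the GitHub label avoids depending on it.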
--- a/.github/PULL_REQUEST_TEMPLATE/security_fix.md
+++ b/.github/PULL_REQUEST_TEMPLATE/security_fix.md
@@ -22,6 +22,10 @@ A clear description of the security issue being addressed.
 Brief explanation of what caused the security issue.
+### Link to Security Notice
+
+Link to CVE/GHAS notice.
+
 ### Solution
 Describe the fix implemented and why this approach was chosen.
diff --git a/.github/mergify.yml b/.github/mergify.yml
index caa3e44f01c2..525fc9b20a45 100644
--- a/.github/mergify.yml
+++ b/.github/mergify.yml
@@ -2,7 +2,7 @@
 # Branch variables for backport targets
 latestMinor: &latestMinor "release/5.2.x"
-previousMajor: &previousMajor "release/4.9.x"
+previousMajor: &previousMajor "release/4.11.x"
 defaults:
 actions:
From 9d2dee031a65cdebc5cb6655d7496e89322b6fe3 Mon Sep 17 00:00:00 2001
From: andremig-bentley
Date: Mon, 13 Oct 2025 15:06:58 -0600
Subject: [PATCH 07/10] rm vars

---
 .github/mergify.yml | 8 ++------
 common/config/azure-pipelines/jobs/version-bump.yaml | 6 +++---
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/.github/mergify.yml b/.github/mergify.yml
index 525fc9b20a45..e189b6a07d35 100644
--- a/.github/mergify.yml
+++ b/.github/mergify.yml
@@ -1,9 +1,5 @@
 # Configuration file for mergify
-# Branch variables for backport targets
-latestMinor: &latestMinor "release/5.2.x"
-previousMajor: &previousMajor "release/4.11.x"
-
 defaults:
 actions:
 backport:
@@ -42,5 +38,5 @@ pull_request_rules:
 actions:
 backport:
 branches:
- - *latestMinor
- - *previousMajor
\ No newline at end of file
+ - "release/5.2.x"
+ - "release/4.11.x"
\ No newline at end of file
diff --git a/common/config/azure-pipelines/jobs/version-bump.yaml b/common/config/azure-pipelines/jobs/version-bump.yaml
index c10627032518..2aa5482c2c24 100644
--- a/common/config/azure-pipelines/jobs/version-bump.yaml
+++ b/common/config/azure-pipelines/jobs/version-bump.yaml
@@ -260,15 +260,15 @@ jobs:
 - ${{ if eq(parameters.BumpType, 'minor') }}:
- # When creating a minor release, the mergify.yml file needs to be updated to change the "latestMinor" branch for security fixes
+ # When creating a minor release, the mergify.yml file needs to be updated to change the hardcoded branch names for security fixes
 - bash: |
 mergifyPath=".github/mergify.yml"
 version=$(echo $(getVersion.version) | sed 's/\([0-9]*\.[0-9]*\)\.[0-9]*/\1.x/')
 releaseBranch="release/$version"
 echo "Updating mergify.yml to use $releaseBranch as the recent minor branch for security fixes"
- # Update the latestMinor variable in mergify.yml
- sed -i "s|^latestMinor: \&latestMinor \"release/[0-9]*\.[0-9]*\.x\"$|latestMinor: \&latestMinor \"$releaseBranch\"|" "$mergifyPath"
+ # Update the latest minor backporting release branch in mergify.yml
+ sed -i "0,/\"release\/[0-9]*\.[0-9]*\.x\"/ s|\"release/[0-9]*\.[0-9]*\.x\"|\"$releaseBranch\"|" "$mergifyPath"
 displayName: Update mergify.yml for new minor release
 condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/'))
From 2296513ed4ecebaf4316aff1a2d90fd83280a759 Mon Sep 17 00:00:00 2001
From: andremig-bentley
Date: Mon, 13 Oct 2025 15:47:21 -0600
Subject: [PATCH 08/10] doc comments

---
 .github/mergify.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/mergify.yml b/.github/mergify.yml
index e189b6a07d35..0c566a09c750 100644
--- a/.github/mergify.yml
+++ b/.github/mergify.yml
@@ -38,5 +38,7 @@ pull_request_rules:
 actions:
 backport:
 branches:
+ # current minor release branch
 - "release/5.2.x"
+ # previous major release branch
 - "release/4.11.x"
\ No newline at end of file
From 181e074dd735ef88207317f152e040e8f0d90920 Mon Sep 17 00:00:00 2001
From: andremig-bentley
Date: Wed, 15 Oct 2025 12:58:39 -0600
Subject: [PATCH 09/10] update comment

---
 common/config/azure-pipelines/jobs/version-bump.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/common/config/azure-pipelines/jobs/version-bump.yaml b/common/config/azure-pipelines/jobs/version-bump.yaml
index 2aa5482c2c24..17765d05bf8d 100644
--- a/common/config/azure-pipelines/jobs/version-bump.yaml
+++ b/common/config/azure-pipelines/jobs/version-bump.yaml
@@ -114,8 +114,12 @@ jobs:
 # e.g. if this release is `release/5.0.x`, value in `gather-docs.yaml`
 # should be `release/4..x`
 # additionally if major version bump, the `mergify.yml` also needs to be edited manually
- # if this release is `release/5.0.x`,change the `latestMinor` variable to `release/5.0.x`
- # and the `previousMajor` variable to `release/4..x`
+ # if this release is `release/5.0.x`, the branches under actions/backport should be updated to look like:
+ # branches:
+ # # current minor release branch
+ # - "release/5.0.x"
+ # # previous major release branch
+ # - `release/4..x`
 if [ $((previousMinorVersion)) -lt 0 ]
 then
From a0f0af9376591b4aad2fa9900bfc94653d631681 Mon Sep 17 00:00:00 2001
From: andremig-bentley
Date: Wed, 15 Oct 2025 13:33:57 -0600
Subject: [PATCH 10/10] update branch starting with same major version number

---
 common/config/azure-pipelines/jobs/version-bump.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/common/config/azure-pipelines/jobs/version-bump.yaml b/common/config/azure-pipelines/jobs/version-bump.yaml
index 17765d05bf8d..8233c797cfac 100644
--- a/common/config/azure-pipelines/jobs/version-bump.yaml
+++ b/common/config/azure-pipelines/jobs/version-bump.yaml
@@ -269,10 +269,11 @@ jobs:
 mergifyPath=".github/mergify.yml"
 version=$(echo $(getVersion.version) | sed 's/\([0-9]*\.[0-9]*\)\.[0-9]*/\1.x/')
 releaseBranch="release/$version"
- echo "Updating mergify.yml to use $releaseBranch as the recent minor branch for security fixes"
+ majorVersion=$(echo $version | cut -d. -f1)
+ echo "Updating mergify.yml to backport to $releaseBranch for security fixes"
- # Update the latest minor backporting release branch in mergify.yml
- sed -i "0,/\"release\/[0-9]*\.[0-9]*\.x\"/ s|\"release/[0-9]*\.[0-9]*\.x\"|\"$releaseBranch\"|" "$mergifyPath"
+ # Update the backporting release branch matching the major version number of the new version
+ sed -i "/\"release\/$majorVersion\.[0-9]*\.x\"/ s|\"release/$majorVersion\.[0-9]*\.x\"|\"$releaseBranch\"|" "$mergifyPath"
 displayName: Update mergify.yml for new minor release
 condition: and(succeeded(), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/'))
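Review bot: The rewritten `sed -i` on the last `+` line exits 0 even when no line of `mergify.yml` matches `"release/$majorVersion.N.x"`, so a reformatted file or an unexpected major number leaves the security-backport target pointing at the old branch without failing the job. Checking the result right after the `sed` and failing loudly closes that gap, e.g. `grep -Fq "\"$releaseBranch\"" "$mergifyPath" || { echo "##vso[task.logissue type=error]mergify.yml was not updated for $releaseBranch"; exit 1; }`. The new `majorVersion=` line also expands `$version` unquoted in `echo $version`; `majorVersion=$(cut -d. -f1 <<<"$version")` avoids word splitting, although for a value of the form `major.minor.x` it is harmless. The enclosing `- bash:` step begins above this hunk.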