From d4b23333acbe36554d9016401b368fb7ec2fa5d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= Date: Sat, 21 Jan 2023 14:59:05 +0100 Subject: [PATCH] [DOCS] CONTRIBUTING/RELEASE: publishing security releases --- CONTRIBUTING/RELEASE.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CONTRIBUTING/RELEASE.md b/CONTRIBUTING/RELEASE.md index 9e8b8a8d95..46ce8754e7 100644 --- a/CONTRIBUTING/RELEASE.md +++ b/CONTRIBUTING/RELEASE.md @@ -50,6 +50,16 @@ When Forgejo is released, artefacts (packages, binaries, etc.) are first publish ### Publication +#### Security releases + +This is done at least 48h in advance so people who asked to be members of this organization are given a chance to update and reduce the exposure of the Forgejo instance they run. Some steps are not documented to reduce the chances of exploiting the publicly documented process. + +* Push the vX.Y.Z-N tag to https://codeberg.org/forgejo-security/forgejo + * Binaries are downloaded from https://codeberg.org/forgejo-integration, signed and copied to https://codeberg.org/forgejo-security + * Container images are copied from https://codeberg.org/forgejo-integration to https://codeberg.org/forgejo-security + +#### Releases without security patches + * Push the vX.Y.Z-N tag to https://codeberg.org/forgejo/release * Binaries are downloaded from https://codeberg.org/forgejo-integration, signed and copied to https://codeberg.org/forgejo * Container images are copied from https://codeberg.org/forgejo-integration to https://codeberg.org/forgejo
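Review bot: In the first paragraph under "#### Security releases", "This is done at least 48h in advance" has no antecedent and does not say in advance of what, and "this organization" can only be identified from the bullets that follow. Suggest stating it outright, for example that the release is published to https://codeberg.org/forgejo-security at least 48h before the steps under "#### Releases without security patches" are carried out, and saying whether a security release then also goes through those steps once the 48h have passed, since the new heading reads as if they apply only to releases that carry no security patches. The tag target is also worth confirming: the security steps push to forgejo-security/forgejo while the regular steps push to forgejo/release, and if the different repository name is intentional a short remark would prevent a copy-paste mistake.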