From d4b23333acbe36554d9016401b368fb7ec2fa5d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Dachary?= <loic@dachary.org>
Date: Sat, 21 Jan 2023 14:59:05 +0100
Subject: [PATCH] [DOCS] CONTRIBUTING/RELEASE: publishing security releases

---
 CONTRIBUTING/RELEASE.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/CONTRIBUTING/RELEASE.md b/CONTRIBUTING/RELEASE.md
index 9e8b8a8d95..46ce8754e7 100644
--- a/CONTRIBUTING/RELEASE.md
+++ b/CONTRIBUTING/RELEASE.md
@@ -50,6 +50,16 @@ When Forgejo is released, artefacts (packages, binaries, etc.) are first publish
 
 ### Publication
 
+#### Security releases
+
+This is done at least 48h in advance so people who asked to be members of this organization are given a chance to update and reduce the exposure of the Forgejo instance they run. Some steps are not documented to reduce the chances of exploiting the publicly documented process.
+
+* Push the vX.Y.Z-N tag to https://codeberg.org/forgejo-security/forgejo
+  * Binaries are downloaded from https://codeberg.org/forgejo-integration, signed and copied to https://codeberg.org/forgejo-security
+  * Container images are copied from https://codeberg.org/forgejo-integration to https://codeberg.org/forgejo-security
+
+#### Releases without security patches
+
 * Push the vX.Y.Z-N tag to https://codeberg.org/forgejo/release
   * Binaries are downloaded from https://codeberg.org/forgejo-integration, signed and copied to https://codeberg.org/forgejo
   * Container images are copied from https://codeberg.org/forgejo-integration to https://codeberg.org/forgejo