If a security fix release is required, run through the below steps.
All cut-off dates are based on 10am (San Francisco Time) on the day stated.
T-minus counts are measured in "working days" (weekdays, Monday through Friday, excluding the listed statutory holidays) prior to release day.
Once the list of security issues to be fixed is finalized, post this checklist in Release Checklist channel
Notify community about upcoming security release through a Twitter announcement and in changelog with links to approved fixes and a date tagged as "TBD"
Email GitLab release team about upcoming security release
Make a post in Announcements channel announcing the security release to the rest of the team with links to approved tickets and include a link to the ticket to submit the GitLab MR
PRs for hotfixes are made to release branch
Review PRs made from release branch and merge changes into the release branch as required and merge the release branch back into master once per day
Verify with Release Manager before cutting any new dot release RCs (approved fixes should be merged)
If the dot release takes place during a regular release, update
prev.test.mattermost.com to dot-release RCs for the previous release and keep
rc.test.mattermost.com on the latest regular release version
Test the new RC to verify fixes merged to the release branch work
Post in Release Discussion channel after testing
If the security researcher has not previously received a security researcher mug, order one for them
Once security fix release is ready to cut:
Tag a new release (e.g., 1.1.1) and run an official build
Verify hashes and GPG signatures are correct, once build is cut
Delete RCs after final version is shipped
Update the Changelog
Update the version archive
Update the ESR documentation
Update Mattermost server download page with the links to the EE and TE bits
Test the download links before and after updating the page
Confirm that mattermost-docker has been updated to the latest version (contact the maintainer via direct message on community server if necessary)
Contact owners of community installers or submit PRs to update install version number
For Puppet, Heroku and Ansible Playbook, post to Installers and Images channel announcing the new release. See example.
For Chef Cookbook, open a new issue to announce the new release. See example.
For Yunohost, open a new pull request to update the version. See example.
For OpenShift, open a new pull request to update the version. See example.
Update Security Research Hall of Fame on the Responsible Disclosure Policy page
Post Mattermost Security Updates 30 days after the dot release has shipped
Update Security Issues spreadsheet with issue number from posted update (e.g. v188.8.131.52)