
Updates security release template

What does this MR do?

Updates security release template to:

Example

Security patch release: 12.10.2, 12.9.9, 12.8.7

General guidelines

Preparation

  • Validate and merge security merge requests using ChatOps:

    • This will merge all security merge requests associated with a security implementation issue if all of them are valid.
    # In Slack:
    /chatops run release merge --security
  • If any merge requests could not be merged, investigate what needs to be done to resolve the issues. Do not proceed unless it has been determined safe to do so.

Auto-Deploy - only for the latest version

The following steps should ideally be completed within one day.

  • Temporarily disable the scheduled auto-deploy tasks via ChatOps:

    # In Slack
    /chatops run auto_deploy pause
  • Ensure latest auto-deploy branches are synced across Canonical, Security, and Build:

    # In Slack
    /chatops run mirror status
  • Disable Omnibus nightly builds by setting the schedules to inactive at https://dev.gitlab.org/gitlab/omnibus-gitlab/pipeline_schedules

  • Manually cherry-pick EACH security fix into the CURRENT auto-deploy branch, both GitLab and Omnibus. You can use the following script:

Script to push to auto-deploy branch
# fetch both remotes
git fetch origin
git fetch security

# sync current auto-deploy branch on security
git checkout -b CURRENT_AUTO_DEPLOY_BRANCH --track security/CURRENT_AUTO_DEPLOY_BRANCH
git pull origin CURRENT_AUTO_DEPLOY_BRANCH
git push security

# get a list of all the merge commits on security/master not available on origin/master
git log origin/master..security/master --merges | grep "^commit"

# cherry-pick each commit on that list into the current auto-deploy branch
# (-m 1 keeps the mainline parent's side of the merge, -x records the source commit in the message)
git cherry-pick -m 1 -x COMMIT_ID

# push to security
git push security
  • Tag a new auto-deploy version via ChatOps (no need to wait for green build), to create a deployer pipeline that will deploy to staging and create a QA issue:
    # In Slack
    /chatops run auto_deploy tag --security
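
The cherry-pick step above, wrapped into a script as an added example (not part of the template): it applies the merge commits oldest first, stops on the first conflict, and refuses to finish until every security merge commit has a `(cherry picked from commit …)` trailer on the auto-deploy branch, so nothing is tagged with a fix missing. It assumes remotes named `origin` and `security`, as in the template.

```shell
#!/bin/sh
# Added example, not part of the GitLab template: wraps the manual
# cherry-pick step and checks that every security merge commit landed
# on the auto-deploy branch before it is tagged.
set -eu

# Print the merge-commit SHAs from `git log --merges` output (read on
# stdin), oldest first, so fixes are cherry-picked in the order merged.
merge_shas_oldest_first() {
  awk '/^commit /{ s[++n] = $2 } END { for (i = n; i >= 1; i--) print s[i] }'
}

# Print each given SHA that has no "(cherry picked from commit <sha>)"
# trailer in the branch log read on stdin; that trailer is what
# `git cherry-pick -x` writes. Returns 1 when anything is missing.
missing_cherry_picks() {
  log=$(cat); missing=0
  for sha in "$@"; do
    case "$log" in
      *"(cherry picked from commit $sha)"*) ;;
      *) echo "$sha"; missing=1 ;;
    esac
  done
  return "$missing"
}

# Usage: sync_and_cherry_pick CURRENT_AUTO_DEPLOY_BRANCH
# Same commands as the template script, plus a conflict stop and the
# completeness check; assumes remotes named "origin" and "security".
sync_and_cherry_pick() {
  branch=$1
  git fetch origin && git fetch security
  git checkout -B "$branch" --track "security/$branch"
  git pull origin "$branch"
  git push security "$branch"
  shas=$(git log origin/master..security/master --merges | merge_shas_oldest_first)
  for sha in $shas; do
    # -m 1 keeps the mainline side of the merge; -x records the source SHA
    git cherry-pick -m 1 -x "$sha" || {
      echo "conflict on $sha: resolve it, run 'git cherry-pick --continue', then re-run" >&2
      return 1
    }
  done
  git push security "$branch"
  # Refuse to go on to tagging while any fix is absent from the branch.
  git log "security/$branch" | missing_cherry_picks $shas
}
```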

QA

  • On the deployer pipeline, manually cancel the gprd-cny-change-lock job. This prevents the automatic promotion to Canary.

  • Once the deploy to staging is completed, notify the @appsec-team member so they can validate the security fixes on staging.

  • Once the security fixes have been validated on staging, retry the gprd-cny-change-lock job to promote to Canary.

  • If there are no issues reported on canary, proceed to promote the deployment to production.

The rest of the template stays the same.


Edited by Mayra Cabrera