diff --git a/general/security/developer.md b/general/security/developer.md index da26a72d835676c1f8dbb81a18b31f03bc097f68..ffdec034c4fb2d33363b41848b0abf6edea2206a 100644 --- a/general/security/developer.md +++ b/general/security/developer.md 
@@ -94,11 +94,10 @@ Once an eligible confidential security issue is assigned to a developer: * Merge requests on [GitLab Security] follow the same [code review and approval](#code-reviews-and-approvals) process as any other change. * Note: The security repos have a setting enabled to remove existing approvals when a new commit is pushed. If you push changes during the approval process, you will need to ping anyone who previously approved the MR and ask for re-review and re-approval. * Additionally, the merge request targeting the default branch needs to be approved by an AppSec team member. See the [code reviews and approval](#code-reviews-and-approvals) section for details on who to ping. -4. Once the merge request targeting the default branch is approved according to our Approval guidelines and by an AppSec team member, the - engineer can proceed to prepare the [backports](#backports) +4. Once the merge request targeting the default branch is approved according to our Approval guidelines and by an AppSec team member, they must be assigned to `@gitlab-release-tools-bot` and the engineer can proceed to prepare the [backports](#backports). 5. [Backports](#backports) need to be approved by the same maintainer that reviewed and approved the merge request targeting the default branch. * It's not required for the backports to have the AppSec approval. -6. Once the merge request targeting the default branch and the backports are ready, they must be assigned to `@gitlab-release-tools-bot`. +6. Once the merge request targeting the backports are ready, they must be assigned to `@gitlab-release-tools-bot`. * Since the release managers merge the merge requests during the preparation of the security release, you can now sit back & relax. * You will be notified by a release manager if there is an issue with one or more of your MRs.
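Review bot: In the new step 6, "Once the merge request targeting the backports are ready" reads as a leftover from deleting "the default branch and" and no longer parses: the subject is singular with a plural verb, and the surrounding steps treat backports as merge requests in their own right, not as something a merge request targets. Suggest "Once the backports are ready, they must be assigned to `@gitlab-release-tools-bot`." In the new step 4, "they must be assigned" has only the singular "the merge request targeting the default branch" as its antecedent, so it can be misread as referring to the approvers; "it must be assigned to `@gitlab-release-tools-bot`, and the engineer can then proceed to prepare the backports" would be unambiguous about what gets assigned and when.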