website/docs: updated security release procedure (#15288)

* ci: skip translate compile

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ci: allow skipping build container for website

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix gha perms?

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Jens L.
2025-06-27 14:18:29 +02:00
committed by GitHub
parent dc287989db
commit c0c2d2ad3c
5 changed files with 22 additions and 1 deletion

@ -110,6 +110,10 @@ If you have any questions or comments about this advisory:
Include the new file in the `/website/sidebars.js`
Push the branch to https://github.com/goauthentik/authentik-internal for CI to run and for reviews
An image with the fix is built under `ghcr.io/goauthentik/internal-server` which can be made accessible to the reporter for testing
- Check with the original reporter that the fix works as intended
- Wait for GitHub to assign a CVE
- Announce the release of the vulnerability via Mailing list and discord
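Review bot: the three new steps (`Include the new file in the /website/sidebars.js`, `Push the branch to https://github.com/goauthentik/authentik-internal ...`, `An image with the fix is built under ghcr.io/goauthentik/internal-server ...`) are rendered without the `- ` marker that the following items (`- Check with the original reporter that the fix works as intended`) use, so they will collapse into a single paragraph instead of continuing the checklist; prefix each with `- `. The image step also does not say which tag the internal build gets, while the retag commands later in this file refer to `ghcr.io/goauthentik/internal-server:gh-cve-2022-xxx`; state the tag naming here so the two sections can be matched. Since this step implies the image is not reachable by the reporter by default, say who grants that access and that it is removed again once testing is complete.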
@ -136,7 +140,18 @@ We'll be publishing a security Issue (CVE-2022-xxxxx) and accompanying fix on _d
### Creating a security release
- On the date specified in the announcement, push the local `security/CVE-2022-xxxxx` branch into a PR, and squash merge it if the pipeline passes
- On the date specified in the announcement, retag the image from `authentik-internal` to the main image:
```
docker buildx imagetools create -t ghcr.io/goauthentik/server:xxxx.x ghcr.io/goauthentik/internal-server:gh-cve-2022-xxx
docker buildx imagetools create -t ghcr.io/goauthentik/server:xxxx.x.x ghcr.io/goauthentik/internal-server:gh-cve-2022-xxx
```
Where xxxx.x is the version family and xxxx.x.x is the full version.
This will make the fixed container image available instantly, while the full release is running on the main repository.
- Push the local `security/CVE-2022-xxxxx` branch into a PR, and squash merge it if the pipeline passes
- If the fix made any changes to the API schema, merge the PR to update the web API client
- Cherry-pick the merge commit onto the version branch
- If the fix made any changes to the API schema, manually install the latest version of the API client in `/web`
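Review bot: the `docker buildx imagetools create` commands copy whatever `ghcr.io/goauthentik/internal-server:gh-cve-2022-xxx` points to at the moment they run, and that tag is produced by CI from the internal branch (see the "Push the branch to ... authentik-internal for CI to run" step), so a later push to the branch can move it and the image published as `ghcr.io/goauthentik/server:xxxx.x` may no longer be the build the reporter verified; reference the source by the digest of the tested image (`ghcr.io/goauthentik/internal-server@sha256:...`), or at least add a step to confirm the digest before retagging. Smaller points in the same hunk: the placeholders disagree (`security/CVE-2022-xxxxx` with five x's versus `gh-cve-2022-xxx` with three), the fence around the two commands has no language tag (use ```shell so it renders as a shell block like the rest of the docs), and as rendered the "push the local `security/CVE-2022-xxxxx` branch into a PR, and squash merge it if the pipeline passes" step appears both before and after the retag step; keep only the one after the retag so the order (retag first, then merge so the full release pipeline runs) matches the sentence "This will make the fixed container image available instantly, while the full release is running on the main repository."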