Releases

1. You are here:
2. Engineering
3. Releases

On this page

• Overview and terminology
• Self-managed releases overview
  • Self-managed releases process
  • Timelines
  • How can I determine if my merge request will make it into the monthly release?
• Labels of importance
  • Delivery impact labels
  • Self-managed releases
    • Labels indicating inclusion in upcoming Self-managed release
• Frequently Asked Questions
  • Who are the release managers for release X?
  • What is a release candidate and when are they created?
  • Will release managers create a release candidate earlier if I ask them to?
  • When do I need to have my MR merged in order for it to be included into the monthly release?
  • What's the process for a release of type X?
  • A security issue was assigned to me, where should I start?
  • Why wasn't my security fix included in the Security Release?
  • How many backports do I need when working on a security issue?
  • How can I get a high severity bug fix released?
  • How can I revert a security merge request?
• Resources

Overview and terminology

This page describes the processes used to release packages to self-managed users.

The Monthly self-managed release: GitLab version (XX.YY.0) is published every month on the 22nd. From this monthly release, patch, non-critical, and critical security releases are created as needed.

Our maintenance policy describes in detail the cadence of our major, minor and patch releases for self-managed users. The major release yearly cadence was defined after an all stakeholder discussion.

Self-managed releases overview

The self-managed release is a semver versioned package containing changes from many successful deployments on GitLab.com. Users on GitLab.com, therefore, receive features and bug fixes earlier than users of self-managed installations.

The deployments and releases page details how the two processes work together.

Self-managed releases process

The monthly self-managed release timelines are concentrated around the 22nd.

Monthly self-managed release preparation steps

1. In the days leading up to the 22nd, the release managers will post announcements in #releases, #development, #backend, and #frontend to update on candidate and guaranteed commits for the release. Only changes that have successfully run on GitLab.com can be considered for self-managed releases. This means that the availability and stability of GitLab.com deployments will determine the cutoff date for inclusion in the release
2. Following a successful deployment to GitLab.com a stable branch is created for the targeted semver version with a stable suffix, eg. 12-3-stable and a test release candidate (RC) is tagged. The test RC checks that a package can be built and successfully deployed and tested on the Pre environment. At this point release managers will announce the final commit to be included in the release
3. After confirming automated tests have passed on the CE stable branch, EE stable branch, and Omnibus stable branches the release managers will tag the release
4. The release package is built and deployed to the Release environment
5. On the 22nd the release package and the release blog post are published

Timelines

The only guaranteed date throughout the release cycle is the 22nd. On this date, the self-managed release will be published together with the release announcement.

All other dates are a guideline only and cannot be considered a deadline when it comes to what will be included into any type of release. This includes the development month and the dates defined there as well as any promises given to customers. This is strictly because there are a lot of moving parts to be considered when preparing a release which includes working on highest priority and severity issues as well as security related issues.

If it is absolutely necessary to get a certain feature ready for a specific version, merge the feature early in the development cycle. Merges closer to the release date are absolutely not guaranteed to be included in that specific monthly self-managed release.

How can I determine if my merge request will make it into the monthly release?

When we create release candidates, and when we create a new release package, the Release Tools project will add a label to the merge requests included.

For more information, refer to the Auto-deploy status command.

In the runup to the 22nd, release managers will also start announcing what commit will at the very least make it into the release. Such notifications are shared in Slack #releases channel and will look something like this (format is defined in the release-tools monthly template):

This is the candidate commit to be released on the 22nd. https://gitlab.com/gitlab-org/gitlab/commits/4033cb0ed66de77a4b5c1936e33de918edef558e

The last commit to make it into the release will have a message similar to this:

:mega: Barring any show-stopping issues, this is the final commit to be released on the 22nd. https://gitlab.com/gitlab-org/gitlab/-/commits/13-1-stable-ee

Merge Requests that have been included in the monthly release will receive a label indicating inclusion.

Labels of importance

The release process has a few labels of specific importance.

Delivery impact labels

Incidents may optionally have a Delivery impact:* label to indicate the impact the incident has when active. This label is intended to help with prioritizing between multiple incidents.

Impact label	Definition
Delivery impact::1	Deployments and/or scheduled releases are fully blocked by this incident. Action should be taken to resolve this immediately
Delivery impact::2	Deployments and/or scheduled releases will soon become blocked. Resolve as soon as possible
Delivery impact::3	Deployments and releases are not currently blocked but there is some impact on the delivery process

Self-managed releases

Similar to the above mentioned label, each self-managed release has a label to highlight that a certain merge request should be backported to the targeted release. For example, releases in the 12.3 series will have ~"Pick into 12.3" label which will signal that this merge request should be included in one of the next patch releases being created. The patch releases are created as needed but only according to our maintenance policy.

The label should be applied in the following situations:

• The backport (stable) branch has been created, the release on the 22nd is not created and the merge request fixes a critical regression.
• The 22nd has passed and the merge request fixes a bug.

The label should not be applied to merge requests:

• Introducing new features
• Resolving a security vulnerability because process for security releases differs from the regular release

Labels indicating inclusion in upcoming Self-managed release

As a merge request is included in monthly self-managed release candidates (RC), it will receive the released::candidate label when the release candidate it is included in is deployed to [pre.gitlab.com]. See "What is a release candidate and when are they created?" for more information on release candidates. This label indicates that the MR will most likely be included in the upcoming Self-managed release.

A merge request will receive the released::published label (which replaces the released::candidate label) when included in a packaged release, such as 13.6.0 or 13.5.2, and deployed to release.gitlab.net for both automated and manual testing. This label indicates that the MR will be published with the Self-managed release.

Frequently Asked Questions

Who are the release managers for release X?

You can find this out by taking a look at the GitLab Release Managers schedule.

What is a release candidate and when are they created?

A release candidate (RC) is a GitLab package that includes the changes that will make it into the final self-managed release, except for the rare case where a change may need to be reverted. RCs are only created for the monthly self-managed release, not patch releases. The amount of RCs created per month will vary per release.

There is no fixed point in time where a release manager creates a release candidate. Instead, this is based entirely on how the release process has been going, what the state is of GitLab.com, etc.

Release candidates are created whenever possible, and as such there are no guarantees on creation timing. This will depend on factors such as:

• Any incidents on GitLab.com that are or have been going on in the run-up to the release.
• Any (critical) security releases that require the attention of release managers.
• Any issues with our auto-deployment pipelines.
• Other release related work that may delay or prevent the creation of a release candidate until said work is dealt with.

In other words, if you want to know when a release candidate is created your best option is to join one of the following Slack channels:

• #releases
• #f_upcoming_release

Release candidates are deployed to [pre.gitlab.com] for both automated and manual testing.

Will release managers create a release candidate earlier if I ask them to?

It is up to a release manager to decide when to create a release candidate, taking into account the state of deployments and GitLab.com.

Please do not message a release manager in private about release related questions or requests. Instead, post your request/question in the #releases channel.

When do I need to have my MR merged in order for it to be included into the monthly release?

The earlier in the monthly cycle your MR is merged, the higher the chances are for it to be included in that month's release.

There is no guaranteed "cut-off", "freeze" or any other date defined under which the MR will be included.

Availability, security and performance of GitLab.com is a pre-requisite for any monthly self-managed release. If GitLab.com is not experiencing any issues, MR's merged as late as the 20th of the month were included in the release. On the opposite side, when GitLab.com stability was lower, MR's merged as early as 15th of the month were not included.

In other words:

The quality and stability of what is delivered by everyone defines the final MR that will be included in the monthly release.

For more detailed answer, see self-managed release timelines.

What's the process for a release of type X?

The different processes are documented here:

• Self-managed releases:
  • Monthly releases
  • Critical security releases
  • Non-critical security releases
  • Patch releases
• GitLab.com releases:
  • Auto-deploy releases
  • Hot patch

A security issue was assigned to me, where should I start?

See the Security Release process as Developer documentation for more information.

Also, make sure to see Security Releases How to video for a broad explanation about all the steps required as a Developer when working on a security fix.

Why wasn't my security fix included in the Security Release?

Security issues created on GitLab Security need to be associated with the Security Release Tracking issue for them to be included on the Security Release. Make sure to use the security issue template and follow the steps there.

How many backports do I need when working on a security issue?

Besides the merge request targeting master, three backports will be needed targeting the last two monthly releases and the current release. For more information, see security release backports.

How can I get a high severity bug fix released?

Any high severity issue should start with an issue labelled with the appropriate bug and severity labels.

Depending on the bug details, follow one of the following processes:

• For high severity security bugs
• For high severity bugs affecting self-managed users. If the bug has been found close to the 22nd of the month please also alert the Release Managers in #releases.
• For high severity bugs affecting GitLab.com

How can I revert a security merge request?

Once a security merge request has been merged, it's not advisable to revert it for multiple reasons:

1. Reverting requires rolling back a security fix, compromising the integrity of GitLab.com and self-managed instances
2. Reverting without making another fix into the release risks disclosing the vulnerability to the public when we make the release. For high severity vulnerabilities, this is unacceptable
3. Security releases are performed in a restricted time constraint, reverting a security merge request requires another fix to be prepared in time to avoid impacting the security release timeframe

If a security vulnerability introduced a bug, in most cases, the appropriate path forward is to fix the issue in the canonical repository (after the security release has been published).

If a security vulnerability introduced a high severity bug, engage with AppSec and release managers to coordinate next steps.

Resources

Description	Location
Release documentation	Link
Issue Tracker	gitlab-org/release/tasks
Slack Channels	#f_upcoming_release / @release-managers
Release Manager schedule	Link
Maintenance Policy	Link
Reaching us	How to find us

---

If you need any additional help please ask the Release Managers in the #releases Slack channel.