Deploy fixes for a security vulnerability
When responding to a security incident, review the fix in private before deploying it, so that the vulnerability is not disclosed on github.com before a fix is live.
To do this, push branches to the AWS CodeCommit backup of the repository rather than to the normal repository on github.com.
The backup is up to date as of the previous release, but it will be missing any unreleased commits that are on github.com master. That is what you want: an emergency deploy should carry only the fix, not untested work that happens to be sitting on master.
Ensure nobody else deploys the app until you’ve confirmed the vulnerability is fixed.
1. Review the pull request on AWS CodeCommit.
2. Create a release tag manually in git. This should follow the standard format `release_X`. Tag the branch directly instead of merging it.
3. Don't use the release app. Go directly to the `deploy_app` Jenkins job, and check "DEPLOY_FROM_AWS_CODECOMMIT".
4. Ensure the vulnerability is fixed.
5. Push the branch and tag to github.com.
6. Merge the branch into master.
7. Record the missing deployment in the release app.
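The git side of the procedure above, rehearsed end to end against two local bare repositories that stand in for the AWS CodeCommit backup and github.com. This is an added example, not part of the original page or GOV.UK's own tooling: the remote names (`codecommit`, `origin`), the branch name `fix-escaping`, the file contents, and release number 42 are assumptions made for the example, and the Jenkins job and the release app are not simulated. It shows the two properties that matter: the fix branch and tag reach the backup only, and the tag does not carry the unreleased commit that github.com master has.

```shell
#!/bin/sh
# Added example (not GOV.UK's code). Rehearses the private-fix git workflow against
# two local bare repositories: github.git (github.com) and codecommit.git (the backup).
# Remote names, branch name, file contents and release number are assumptions.
set -eu

# Build a working copy with two "remotes". The backup is current as of release_41,
# but github.com master has one unreleased commit on top, as the page describes.
setup_repos() {
  WORK=$(mktemp -d)
  git init -q --bare "$WORK/github.git"
  git init -q --bare "$WORK/codecommit.git"
  git init -q "$WORK/app"
  cd "$WORK/app"
  git symbolic-ref HEAD refs/heads/master
  git config user.name "example"
  git config user.email "example@example.com"
  git remote add origin "$WORK/github.git"          # stands in for github.com
  git remote add codecommit "$WORK/codecommit.git"  # stands in for the AWS CodeCommit backup
  printf 'def greet(name)\n  "Hello " + name\nend\n' > app.rb
  git add app.rb && git commit -qm "Release 41"
  git tag release_41
  git push -q origin master release_41
  git push -q codecommit master release_41          # backup matches the last release
  printf 'unreleased\n' > feature.rb
  git add feature.rb && git commit -qm "Unreleased feature"
  git push -q origin master                         # github.com master moves on; backup does not
}

# Prints yes/no: does the named remote hold the given fully qualified ref?
remote_has_ref() {
  if [ -n "$(git ls-remote "$1" "$2")" ]; then echo yes; else echo no; fi
}

# Prints yes/no: is the unreleased file absent from the tree the release tag points at?
tag_excludes_unreleased_work() {
  if [ -n "$(git ls-tree --name-only "$1" feature.rb)" ]; then echo no; else echo yes; fi
}

# Steps 1-3 of the page: branch from the backup's master (the last release), push the
# branch to the backup only, then tag the branch directly without merging it.
prepare_private_fix() {
  git fetch -q codecommit
  git checkout -q -b fix-escaping codecommit/master  # not github.com master
  printf 'def greet(name)\n  "Hello " + escape(name)\nend\n' > app.rb
  git commit -qam "Escape user-supplied name"
  git push -q codecommit fix-escaping                # review happens here, in private
  git tag release_42 fix-escaping                    # standard release_X format
  git push -q codecommit release_42                  # deploy_app job: DEPLOY_FROM_AWS_CODECOMMIT
}

# Steps 5-6: once the deployed fix is confirmed, publish the branch and tag and merge.
publish_fix() {
  git push -q origin fix-escaping release_42
  git checkout -q master
  git merge -q --no-edit fix-escaping
  git push -q origin master
}

setup_repos
prepare_private_fix
# State while the fix is still private: backup has it, github.com does not.
PRIVATE_ON_BACKUP=$(remote_has_ref codecommit refs/heads/fix-escaping)
PRIVATE_ON_GITHUB=$(remote_has_ref origin refs/heads/fix-escaping)
TAG_ON_GITHUB_BEFORE=$(remote_has_ref origin refs/tags/release_42)
TAG_IS_CLEAN=$(tag_excludes_unreleased_work release_42)
publish_fix
TAG_ON_GITHUB_AFTER=$(remote_has_ref origin refs/tags/release_42)
echo "private: backup=$PRIVATE_ON_BACKUP github=$PRIVATE_ON_GITHUB tag_clean=$TAG_IS_CLEAN"
echo "published: tag on github before=$TAG_ON_GITHUB_BEFORE after=$TAG_ON_GITHUB_AFTER"
```

Run it with `sh` from any directory; it works entirely in a temporary directory and needs only git. The `tag_excludes_unreleased_work` check is the one worth keeping to hand: if the tag you are about to deploy contains files or commits that only exist on github.com master, you branched from the wrong base.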