[tor-commits] [Git][tpo/applications/tor-browser-build][main] 2 commits: Updated gitlab merge request template

richard pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

aafb2ab9
by Richard Pospesel at 2023-06-20T21:22:57+00:00
```
Updated gitlab merge request template
```
82bb2187
by Richard Pospesel at 2023-06-20T21:22:59+00:00
```
Release Prep issue template updates
```

5 changed files:

+ .gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md
.gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md
.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md
.gitlab/issue_templates/Release Prep - Tor Browser Stable.md
.gitlab/merge_request_templates/default.md

Changes:

.gitlab/issue_templates/Release Prep - Mullvad Browser Alpha.md

 +<details>
 +  <summary>Explanation of variables</summary>
++
 +- `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release
 +- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
 +  - **example** : `pierov`
 +- `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
 +- `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc
 +  - **example** : `91.6.0`
 +- `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version
 +  - **example** : `11`
 +- `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version
 +  - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
 +- `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format
 +  - **example** : `12.5a3`, `12.0.3`
 +- `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
 +    - **example** : `build1`
 +- `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
 +    - **example** : `build2`
 +    - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** :
 +      - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)
 +      - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
 +- `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version
 +    - **example** : `11.5a6`, `11.0.7`
 +- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version
 +    - **example** : `mb-12.0.7-build1`
 +</details>
++
 +**NOTE** It is assumed that the `tor-browser` alpha rebase and security backport tasks have been completed
++
 +<details>
 +  <summary>Building</summary>
++
 +### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
 +Mullvad Browser Alpha (and Nightly) are on the `main` branch
++
 +- [ ] Update `rbm.conf`
 +  - [ ] `var/torbrowser_version` : update to next version
 +  - [ ] `var/torbrowser_build` : update to `$(MULLVAD_BROWSER_BUILD_N)`
 +  - [ ] `var/torbrowser_incremental_from` : update to previous Desktop version
 +    - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make mullvadbrowser-incrementals-*` step will fail
 +- [ ] Update build configs
 +  - [ ] Update `projects/firefox/config`
 +    - [ ] `browser_build` : update to match `mullvad-browser` tag
 +    - [ ] ***(Optional)*** `var/firefox_platform_version` : update to latest `$(ESR_VERSION)` if rebased
 +  - [ ] Update `projects/translation/config`:
 +    - [ ] run `make list_translation_updates-alpha` to get updated hashes
 +    - [ ] `steps/base-browser/git_hash` : update with `HEAD` commit of project's `base-browser` branch
 +    - [ ] `steps/base-browser-fluent/git_hash` : update with `HEAD` commit of project's `basebrowser-newidentityftl` branch
 +- [ ] Update common build configs
 +  - [ ] Check for NoScript updates here : https://addons.mozilla.org/en-US/firefox/addon/noscript
 +    - [ ] ***(Optional)*** If new version available, update `noscript` section of `input_files` in `projects/browser/config`
 +      - [ ] `URL`
 +      - [ ] `sha256sum`
 +  - [ ] Check for uBlock-origin updates here : https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
 +    - [ ] ***(Optional)*** If new version available, update `ublock-origin` section of `input_files` in `projects/browser/config`
 +      - [ ] `URL`
 +      - [ ] `sha256sum`
 +  - [ ] Check for Mullvad Privacy Companion updates here : https://github.com/mullvad/browser-extension/releases
 +    - [ ] ***(Optional)*** If new version available, update `mullvad-extension` section of `input_files` in `projects/browser/config`
 +      - [ ] `URL`
 +      - [ ] `sha256sum`
 +- [ ] Open MR with above changes
 +- [ ] Merge
 +- [ ] Sign/Tag commit: `make mullvadbrowser-signtag-alpha`
 +- [ ] Push tag to `origin`
 +- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
 +- [ ] **TODO** Submit build-tag to Mullvad build infra
 +- [ ] Ensure builders have matching builds
++
 +</details>
++
 +<details>
 +  <summary>QA</summary>
++
 +### send the build
++
 +  - [ ] Email Mullvad QA: support@xxxxxxxxxxx, rui@xxxxxxxxxxx
 +    <details>
 +      <summary>email template</summary>
++
 +        Subject:
 +        New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (unsigned)
++
 +        Body:
 +        unsigned builds: https://tb-build-05.torproject.org/~$(BUILDER)/builds/mullvadbrowser/release/unsigned/$(MB_BUILD_TAG)
++
 +        changelog:
 +        ...
++
 +    </details>
++
 +    - ***(Optional)*** Add additional information:
 +      - [ ] Note any new functionality which needs testing
 +      - [ ] Link to any known issues
++
 +</details>
++
 +<details>
 +  <summary>Signing</summary>
++
 +### signing
 +- [ ] On `$(STAGING_SERVER)`, ensure updated:
 +  - [ ]  `tor-browser-build/tools/signing/set-config.hosts`
 +    - `ssh_host_builder` : ssh hostname of machine with unsigned builds
 +      - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
 +    - `ssh_host_linux_signer` : ssh hostname of linux signing machine
 +    - `ssh_host_macos_signer` : ssh hostname of macOS signing machine
 +  - [ ] `tor-browser-build/tools/signing/set-config.macos-notarization`
 +    - `macos_notarization_user` : the email login for a mullvad notariser Apple Developer account
 +  - [ ] `set-config.update-responses`
 +    - `update_responses_repository_dir` : directory where you cloned `git@xxxxxxxxxxxxxxxxxxxxx:tpo/applications/mullvad-browser-update-responses.git`
 +  - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
 +    - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
 +    - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
 +    - `tbb_version_type` : either `alpha` for alpha releases or `release` for stable releases
 +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, run the macOS proxy script:
 +    - `cd tor-browser-build/tools/signing/`
 +    - `./macos-signer-proxy`
 +- [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
 +- [ ] run do-all-signing script:
 +    - `cd tor-browser-build/tools/signing/`
 +    - `./do-all-signing.mullvadbrowser`
 +- **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
 +- [ ] Update `staticiforme.torproject.org`:
 +  - From `screen` session on `staticiforme.torproject.org`:
 +  - [ ] Static update components : `static-update-component dist.torproject.org`
 +  - [ ] Remove old release data from `/srv/dist-master.torproject.org/htdocs/mullvadbrowser`
 +  - [ ] Static update components (again) : `static-update-component dist.torproject.org`
++
 +</details>
++
 +<details>
 +  <summary>Publishing</summary>
++
 +### email
++
 +- [ ] Email Mullvad with release information: support@xxxxxxxxxxx, rui@xxxxxxxxxxx
 +  <details>
 +    <summary>email template</summary>
++
 +      Subject:
 +      New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
++
 +      Body:
 +      signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
++
 +      update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
++
 +      changelog:
 +      ...
++
 +  </details>
++
 +### mullvad-browser (github): https://github.com/mullvad/mullvad-browser/
 +- [ ] Push this release's associated `mullvad-browser.git` branch to github
 +- [ ] Push this release's associated tags to github:
 +  - [ ] Firefox ESR tag
 +    - **example** : `FIREFOX_102_12_0esr_BUILD1,`
 +  - [ ] `base-browser` tag
 +    - **example** : `base-browser-102.12.0esr-12.0-1-build1`
 +  - [ ] `mullvad-browser` tag
 +    - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`
 +- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
 +  - **Tag**: `$(MULLVAD_BROWSER_VERSION)`
 +    - **example** : `12.5a7`
 +  - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`
 +    - **example** : `102.12.0esr-based 12.5a7`
 +  - [ ] Push tag to github
++
 +</details>
++
 +<details>
 +  <summary>Downstream</summary>
++
 +### notify packagers
++
 +- [ ] **(Optional, Once Mullvad Updates their Github Releases Page)** Email downstream consumers:
 +  <details>
 +    <summary>email template</summary>
++
 +    ...
++
 +    ...
++
 +  </details>
++
 +  - **NOTE**: This is an optional step and only necessary close a major release/transition from alpha to stable, or if there are major packing changes these developers need to be aware of
 +  - [ ] flathub package maintainer: proletarius101@xxxxxxxxxxxxxx
 +  - [ ] arch package maintainer: bootctl@xxxxxxxxx
 +  - [ ] nixOS package maintainer: dev@xxxxxxxxxxx
++
 +</details>
++
 +/label ~"Release Prep"

.gitlab/issue_templates/Release Prep - Mullvad Browser Stable.md

@@ -2,32 +2,36 @@
    <summary>Explanation of variables</summary>
  - `$(BUILD_SERVER)` : the server the main builder is using to build a mullvad-browser release
 +- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
 +  - **example** : `pierov`
  - `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
  - `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building mullvad-browser tags, labels, etc
 -  - example : `91.6.0`
 +  - **example** : `91.6.0`
  - `$(MULLVAD_BROWSER_MAJOR)` : the Mullvad Browser major version
 -  - example : `11`
 +  - **example** : `11`
  - `$(MULLVAD_BROWSER_MINOR)` : the Mullvad Browser minor version
 -  - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
 +  - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
  - `$(MULLVAD_BROWSER_VERSION)` : the Mullvad Browser version in the format
 -  - example: `12.5a3`, `12.0.3`
 +  - **example** : `12.5a3`, `12.0.3`
  - `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(MULLVAD_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
 -    - example : `build1`
 +    - **example** : `build1`
  - `$(MULLVAD_BROWSER_BUILD_N)` : the mullvad-browser build revision for a given Mullvad Browser release; used in tagging git commits
 -    - example : `build2`
 -    - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
 -        - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)
 -        - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
 +    - **example** : `build2`
 +    - **NOTE** : A project's `$(BUILD_N)` and `$(MULLVAD_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For **example** :
 +      - if we have multiple Mullvad Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(MULLVAD_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(MULLVAD_BROWSER_VERSION)` will increase)
 +      - if we have build failures unrelated to `mullvad-browser`, the `$(MULLVAD_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
  - `$(MULLVAD_BROWSER_VERSION)` : the published Mullvad Browser version
 -    - example : `11.5a6`, `11.0.7`
 +    - **example** : `11.5a6`, `11.0.7`
 +- `$(MB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Mullvad Browser version
 +    - **example** : `mb-12.0.7-build1`
  </details>
 -**NOTE** It is assumed that the `tor-browser` rebase and security backport tasks have been completed
 +**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
  <details>
 -  <summary>Build Configs</summary>
 +  <summary>Building</summary>
 -### tor-browser-build: https://gitlab.mullvadproject.org/tpo/applications/tor-browser-build.git
 +### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
  Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MULLVAD_BROWSER_MINOR)` (and possibly more specific) branches
  - [ ] Update `rbm.conf`
@@ -57,30 +61,55 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU
        - [ ] `URL`
        - [ ] `sha256sum`
  - [ ] Open MR with above changes
 -- [ ] Begin build on `$(BUILD_SERVER)` (and fix any issues which come up and update MR)
  - [ ] Merge
  - [ ] Sign/Tag commit: `make mullvadbrowser-signtag-release`
  - [ ] Push tag to `origin`
 +- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
 +- [ ] **TODO** Submit build-tag to Mullvad build infra
 +- [ ] Ensure builders have matching builds
++
 +</details>
++
 +<details>
 +  <summary>QA</summary>
++
 +### send the build
++
 +  - [ ] Email Mullvad QA: support@xxxxxxxxxxx, rui@xxxxxxxxxxx
 +    <details>
 +      <summary>email template</summary>
++
 +        Subject:
 +        New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (unsigned)
++
 +        Body:
 +        unsigned builds: https://tb-build-05.torproject.org/~$(BUILDER)/builds/mullvadbrowser/release/unsigned/$(MB_BUILD_TAG)
++
 +        changelog:
 +        ...
++
 +    </details>
++
 +    - ***(Optional)*** Add additional information:
 +      - [ ] Note any new functionality which needs testing
 +      - [ ] Link to any known issues
  </details>
  <details>
    <summary>Signing</summary>
 -### signing + publishing
 -- [ ] Ensure builders have matching builds
 +### signing
  - [ ] On `$(STAGING_SERVER)`, ensure updated:
 -  - [ ] `tor-browser-build/tools/signing/set-config`
 -    - `NSS_DB_DIR` : location of the `nssdb7` direcmullvady
    - [ ]  `tor-browser-build/tools/signing/set-config.hosts`
      - `ssh_host_builder` : ssh hostname of machine with unsigned builds
 -      - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` direcmullvady)
 +      - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
      - `ssh_host_linux_signer` : ssh hostname of linux signing machine
      - `ssh_host_macos_signer` : ssh hostname of macOS signing machine
    - [ ] `tor-browser-build/tools/signing/set-config.macos-notarization`
      - `macos_notarization_user` : the email login for a mullvad notariser Apple Developer account
    - [ ] `set-config.update-responses`
 -    - `update_responses_reposimullvady_dir` : direcmullvady where you cloned `git@gitlab.mullvadproject.org:tpo/applications/mullvad-browser-update-responses.git`
 +    - `update_responses_repository_dir` : directory where you cloned `git@gitlab.torproject.org:tpo/applications/mullvad-browser-update-responses.git`
    - [ ] `tor-browser-build/tools/signing/set-config.tbb-version`
      - `tbb_version` : mullvad browser version string, same as `var/torbrowser_version` in `rbm.conf` (examples: `11.5a12`, `11.0.13`)
      - `tbb_version_build` : the tor-browser-build build number (if `var/torbrowser_build` in `rbm.conf` is `buildN` then this value is `N`)
@@ -91,7 +120,7 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU
  - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
  - [ ] run do-all-signing script:
      - `cd tor-browser-build/tools/signing/`
 -    - `./do-all-signing.sh`
 +    - `./do-all-signing.mullvadbrowser`
  - **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
  - [ ] Update `staticiforme.torproject.org`:
    - From `screen` session on `staticiforme.torproject.org`:
@@ -101,19 +130,64 @@ Mullvad Browser Stable lives in the various `maint-$(MULLVAD_BROWSER_MAJOR).$(MU
  </details>
 +<details>
 +  <summary>Publishing</summary>
++
 +### email
++
 +- [ ] Email Mullvad with release information: support@xxxxxxxxxxx, rui@xxxxxxxxxxx
 +  <details>
 +    <summary>email template</summary>
++
 +      Subject:
 +      New build: Mullvad Browser $(MULLVAD_BROWSER_VERION) (signed)
++
 +      Body:
 +      signed builds: https://dist.torproject.org/mullvadbrowser/$(MULLVAD_BROWSER_VERSION)
++
 +      update_response hashes: $(MULLVAD_UPDATE_RESPONSES_HASH)
++
 +      changelog:
 +      ...
++
 +  </details>
++
 +### mullvad-browser (github): https://github.com/mullvad/mullvad-browser/
 +- [ ] Push this release's associated `mullvad-browser.git` branch to github
 +- [ ] Push this release's associated tags to github:
 +  - [ ] Firefox ESR tag
 +    - **example** : `FIREFOX_102_12_0esr_BUILD1,`
 +  - [ ] `base-browser` tag
 +    - **example** : `base-browser-102.12.0esr-12.0-1-build1`
 +  - [ ] `mullvad-browser` tag
 +    - **example** : `mullvad-browser-102.12.0esr-12.0-1-build1`
 +- [ ] Sign+Tag additionally the `mullvad-browser.git` `firefox` commit used in build:
 +  - **Tag**: `$(MULLVAD_BROWSER_VERSION)`
 +    - **example** : `12.0.7`
 +  - **Message**: `$(ESR_VERSION)esr-based $(MULLVAD_BROWSER_VERSION)`
 +    - **example** : `102.12.0esr-based 12.0.7`
 +  - [ ] Push tag to github
++
 +</details>
++
  <details>
    <summary>Downstream</summary>
 -### notify stakeholders
 +### notify packagers
++
 +- [ ] **(Once Mullvad Updates their Github Releases Page)** Email downstream consumers:
 +  <details>
 +    <summary>email template</summary>
++
 +    ...
++
 +    ...
++
 +  </details>
 -- [ ] Email Mullvad with release information: rui@xxxxxxxxxxx
 -  - [ ] Build artifact download list
 -  - [ ] New `mullvad-browser` project branch and tags
 -  - [ ] mullvad-browser-update-responses git hash
 -  - [ ] changelog
 -- [ ] Email downstream consumers:
    - [ ] flathub package maintainer: proletarius101@xxxxxxxxxxxxxx
    - [ ] arch package maintainer: bootctl@xxxxxxxxx
 +  - [ ] nixOS package maintainer: dev@xxxxxxxxxxx
  ### merge requests

.gitlab/issue_templates/Release Prep - Tor Browser Alpha.md

@@ -2,28 +2,34 @@
    <summary>Explanation of variables</summary>
  - `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release
 +- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
 +  - **example** : `pierov`
  - `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
  - `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
 -    - example : `91.6.0`
 +  - **example** : `91.6.0`
  - `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version
 -    - example : `11`
 +  - **example** : `11`
  - `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version
 -    - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
 +  - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
 +- `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format
 +  - **example** : `12.5a3`, `12.0.3`
  - `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
 -    - example : `build1`
 +  - **example** : `build1`
  - `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits
 -    - example : `build2`
 -    - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
 -        - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)
 -        - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
 +  - **example** : `build2`
 +  - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
 +    - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)
 +    - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
  - `$(TOR_BROWSER_VERSION)` : the published Tor Browser version
 -    - example : `11.5a6`, `11.0.7`
 +    - **example** : `11.5a6`, `11.0.7`
 +- `$(TBB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Tor Browser version
 +    - **example** : `tbb-12.5a7-build1`
  </details>
 -**NOTE** It is assumed that the `tor-browser` rebase and security backport tasks have been completed
 +**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
  <details>
 -  <summary>Build Updates</summary>
 +  <summary>Building</summary>
  ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
  Tor Browser Alpha (and Nightly) are on the `main` branch
@@ -44,7 +50,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
      - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
      - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
  - [ ] Update Android-specific build configs
 -  - [ ] ***(Optional)*** Update `projects/geckoview/config`
 +  - [ ] Update `projects/geckoview/config`
      - [ ] `browser_build` : update to match `tor-browser` tag
      - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
    - [ ] ***(Optional)*** Update `projects/tor-android-service/config`
@@ -56,7 +62,6 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
      - [ ] `android_components_build` : update to match alpha android-components tag
    - [ ] ***(Optional)*** Update `projects/fenix/config`
      - [ ] `fenix_build` : update to match fenix tag
 -    - [ ] ***(Optional)*** `var/fenix_version` : update to latest `$(ESR_VERSION)` if rebased
    - [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
      - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
  - [ ] Update common build configs
@@ -79,14 +84,13 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
      - [ ] ***(Optional)*** Update `projects/go/config`
        - [ ] `version` : update go version
        - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
 -  - [ ] Update the manual : https://gitlab.torproject.org/tpo/web/manual/-/jobs/
 -    - [ ] Download the `artifacts.zip` file from latest build stage row (download icon button on the right)
 -    - [ ] Rename it to `manual_$PIPELINEID.zip`
 -    - [ ] Upload it to people.tpo
 -    - [ ] Update `projects/manual/config`
 -      - [ ] Change the version to `$PIPELINEID`
 -      - [ ] Update the hash in the input_files section
 -      - [ ] Update the URL if you have uploaded to a different people.tpo home
 +  - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py`
 +    - [ ] ***(Optional)*** If new version is available:
 +      - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to people.tpo
 +      - [ ] Update `projects/manual/config`:
 +        - [ ] Change the `version` to `$PIPELINEID`
 +        - [ ] Update `sha256sum` in the `input_files` section
 +        - [ ] ***(Optional)*** Update the URL if you have uploaded to a different people.tpo home
  - [ ] Update `ChangeLog.txt`
    - [ ] Ensure ChangeLog.txt is sync'd between alpha and stable branches
    - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
@@ -94,19 +98,26 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
      - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
      - The first time you run this script you will need to generate an access token; the script will guide you
    - [ ] Copy the output of the script to the beginning of `ChangeLog.txt` and adjust its output
 -    - If you used the issue number, you will need to write the Tor Browser version manually
 -  - [ ] Include any version updates for:
 -    - [ ] translations
 -    - [ ] OpenSSL
 -    - [ ] NoScript
 +    - **NOTE** : If you used the issue number, you will need to write the Tor Browser version manually
 +  - [ ] ***(Optional)*** Under `All Platforms` include any version updates for:
 +    - [ ] Translations
 +    - [ ]OpenSSL
 +    - [ ]NoScript
 +    - [ ]zlib
 +    - [ ] tor daemon
 +  - [ ] ***(Optional)*** Under `Windows + macOS + Linux` include updates for:
 +    - [ ] Firefox
 +  - [ ] ***(Optional)*** Under `Android`, include updates for:
 +    - [ ] Geckoview
 +  - [ ] ***(Optional)*** Under `Build System/All Platforms` include updates for:
      - [ ] Go
 -    - [ ] zlib
 -  - [ ] Include any ESR rebase for Firefox and GeckoView
  - [ ] Open MR with above changes
 -- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues which come up and update MR)
  - [ ] Merge
  - [ ] Sign/Tag commit: `make torbrowser-signtag-alpha`
  - [ ] Push tag to `origin`
 +- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
 +- [ ] **TODO** Submit build-tag to Mullvad build infra
 +- [ ] Ensure builders have matching builds
  </details>
@@ -118,6 +129,10 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    <details>
      <summary>email template</summary>
 +      Subject:
 +      Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)
++
 +      Body:
        Hello All,
        Unsigned Tor Browser $(TOR_BROWSER_VERSION) alpha candidate builds are now available for testing:
@@ -126,15 +141,15 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
        The full changelog can be found here:
 -      - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/main/projects/browser/Bundle-Data/Docs/ChangeLog.txt
 +      - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/$(TBB_BUILD_TAG)/ChangeLog.txt
    </details>
  - [ ] Email tor-qa mailing list: tor-qa@xxxxxxxxxxxxxxxxxxxx
 -  - Additional information:
 +  - ***(Optional)*** Additional information:
      - [ ] Note any new functionality which needs testing
      - [ ] Link to any known issues
 -- [ ] ***(Optional, only around build/packaging changes)*** Email downstream consumers:
 +- [ ] ***(Optional, only around build/packaging changes)*** Email packagers:
    - Recipients:
      - Tails dev mailing list: tails-dev@xxxxxxxx
      - Guardian Project: nathan@xxxxxxxxxxxxxxxxxxxx
@@ -142,7 +157,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
      - FreeBSD port: freebsd@xxxxxxxxx <!-- Gitlab user maxfx -->
      - OpenBSD port: caspar@xxxxxxxxxxxxxx <!-- Gitlab user cschutijser -->
    - [ ] Note any changes which may affect packaging/downstream integration
 -- [ ] Email upstream stakeholders:
 +- [ ] Email external partners:
    - ***(Optional, after ESR migration)*** Cloudflare: ask-research@xxxxxxxxxxxxxx
      - **NOTE** :  We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs
@@ -151,11 +166,9 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
  <details>
    <summary>Signing</summary>
 -### signing + publishing
 -- [ ] Ensure builders have matching builds
 +### signing
 +- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
  - [ ] On `$(STAGING_SERVER)`, ensure updated:
 -  - [ ] `tor-browser-build/tools/signing/set-config`
 -    - `NSS_DB_DIR` : location of the `nssdb7` directory
    - [ ]  `tor-browser-build/tools/signing/set-config.hosts`
      - `ssh_host_builder` : ssh hostname of machine with unsigned builds
        - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
@@ -182,7 +195,7 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
    - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
    - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-alpha.sh`
    - [ ] Remove old release data from following places:
 -    - **NOTE** : Skip this step if the current release is Android or Desktop *only*
 +    - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
      - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
      - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
    - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
@@ -236,7 +249,24 @@ Tor Browser Alpha (and Nightly) are on the `main` branch
  - [ ] Publish after CI passes and website has been updated
  ### tor-announce mailing list
 -- [ ] Send an email to tor-announce@xxxxxxxxxxxxxxxxxxxx, using the same content as the blog post and subject "Tor Browser $version is released".
 +  <details>
 +    <summary>email template</summary>
++
 +      Subject:
 +      New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)
++
 +      Body:
 +      Hi everyone,
++
 +      Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:
++
 +      - $(BLOG_POST_URL)
++
 +  </details>
++
 +- [ ] Email tor-announce mailing list: tor-announce@xxxxxxxxxxxxxxxxxxxx
 +  - **(Optional)** Additional information:
 +    - [ ] Link to any known issues
  </details>

.gitlab/issue_templates/Release Prep - Tor Browser Stable.md

@@ -2,33 +2,34 @@
    <summary>Explanation of variables</summary>
  - `$(BUILD_SERVER)` : the server the main builder is using to build a tor-browser release
 +- `$(BUILDER)` : whomever is building the release on the $(BUILD_SERVER)
 +  - **example** : `pierov`
  - `$(STAGING_SERVER)` : the server the signer is using to to run the signing process
  - `$(ESR_VERSION)` : the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
 -  - example : `91.6.0`
 -- `$(ESR_TAG)` : the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)`
 -  - exmaple : `FIREFOX_91_7_0esr_BUILD2`
 -- `$(ESR_TAG_PREV)` : the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from)
 +  - **example** : `91.6.0`
  - `$(TOR_BROWSER_MAJOR)` : the Tor Browser major version
 -  - example : `11`
 +  - **example** : `11`
  - `$(TOR_BROWSER_MINOR)` : the Tor Browser minor version
 -  - example : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
 +  - **example** : either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
  - `$(TOR_BROWSER_VERSION)` : the Tor Browser version in the format
 -  - example: `12.5a3`, `12.0.3`
 +  - **example** : `12.5a3`, `12.0.3`
  - `$(BUILD_N)` : a project's build revision within a its branch; this is separate from the `$(TOR_BROWSER_BUILD_N)` value; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
 -    - example : `build1`
 +  - **example** : `build1`
  - `$(TOR_BROWSER_BUILD_N)` : the tor-browser build revision for a given Tor Browser release; used in tagging git commits
 -    - example : `build2`
 -    - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
 -        - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)
 -        - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
 +  - **example** : `build2`
 +  - **NOTE** : A project's `$(BUILD_N)` and `$(TOR_BROWSER_BUILD_N)` may be the same, but it is possible for them to diverge. For example :
 +    - if we have multiple Tor Browser releases on a given ESR branch the two will become out of sync as the `$(BUILD_N)` value will increase, while the `$(TOR_BROWSER_BUILD_N)` value may stay at `build1` (but the `$(TOR_BROWSER_VERSION)` will increase)
 +    - if we have build failures unrelated to `tor-browser`, the `$(TOR_BROWSER_BUILD_N)` value will increase while the `$(BUILD_N)` will stay the same.
  - `$(TOR_BROWSER_VERSION)` : the published Tor Browser version
 -    - example : `11.5a6`, `11.0.7`
 +    - **example** : `11.5a6`, `11.0.7`
 +- `$(TBB_BUILD_TAG)` : the `tor-browser-build` build tag used to build a given Tor Browser version
 +    - **example** : `tbb-12.0.7-build1`
  </details>
 -**NOTE** It is assumed that the `tor-browser` rebase and security backport tasks have been completed
 +**NOTE** It is assumed that the `tor-browser` stable rebase and security backport tasks have been completed
  <details>
 -  <summary>Build Configs</summary>
 +  <summary>Building</summary>
  ### tor-browser-build: https://gitlab.torproject.org/tpo/applications/tor-browser-build.git
  Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)` (and possibly more specific) branches
@@ -37,7 +38,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    - [ ] `var/torbrowser_version` : update to next version
    - [ ] `var/torbrowser_build` : update to `$(TOR_BROWSER_BUILD_N)`
    - [ ] ***(Desktop Only)***`var/torbrowser_incremental_from` : update to previous Desktop version
 -    - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make incrementals-*` step will fail
 +    - **IMPORTANT**: Really *actually* make sure this is the previous Desktop version or else the `make torbrowser-incrementals-*` step will fail
  - [ ] Update Desktop-specific build configs
    - [ ] Update `projects/firefox/config`
      - [ ] `browser_build` : update to match `tor-browser` tag
@@ -49,7 +50,7 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
      - [ ] `steps/tor-browser/git_hash` : update with `HEAD` commit of project's `tor-browser` branch
      - [ ] `steps/fenix/git_hash` : update with `HEAD` commit of project's `fenix-torbrowserstringsxml` branch
  - [ ] Update Android-specific build configs
 -  - [ ] ***(Optional)*** Update `projects/geckoview/config`
 +  - [ ] Update `projects/geckoview/config`
      - [ ] `browser_build` : update to match `tor-browser` tag
      - [ ] ***(Optional)*** `var/geckoview_version` : update to latest `$(ESR_VERSION)` if rebased
    - [ ] ***(Optional)*** Update `projects/tor-android-service/config`
@@ -58,10 +59,9 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
      **NOTE** we don't currently have any of our own patches for this project
      - [ ] `git_hash` : update to appropriate git commit associated with `$(ESR_VERSION)`
    - [ ] ***(Optional)*** Update `projects/android-components/config`:
 -    - [ ] `android_components_build` : update to match android-components tag
 +    - [ ] `android_components_build` : update to match stable android-components tag
    - [ ] ***(Optional)*** Update `projects/fenix/config`
      - [ ] `fenix_build` : update to match fenix tag
 -    - [ ] ***(Optional)*** `var/fenix_version` : update to latest `$(ESR_VERSION)` if rebased
    - [ ] Update allowed_addons.json by running (from `tor-browser-build` root):
      - `./tools/fetch_allowed_addons.py > projects/browser/allowed_addons.json`
  - [ ] Update common build configs
@@ -84,14 +84,13 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
      - [ ] ***(Optional)*** Update `projects/go/config`
        - [ ] `version` : update go version
        - [ ] `input_files/sha256sum` for `go` : update sha256sum of archive (sha256 sums are displayed on the go download page)
 -  - [ ] Update the manual : https://gitlab.torproject.org/tpo/web/manual/-/jobs/
 -    - [ ] Download the `artifacts.zip` file from latest build stage row (download icon button on the right)
 -    - [ ] Rename it to `manual_$PIPELINEID.zip`
 -    - [ ] Upload it to people.tpo
 -    - [ ] Update `projects/manual/config`
 -      - [ ] Change the version to `$PIPELINEID`
 -      - [ ] Update the hash in the input_files section
 -      - [ ] Update the URL if you have uploaded to a different people.tpo home
 +  - [ ] Check for manual updates by running (from `tor-browser-build` root): `./tools/fetch-manual.py`
 +    - [ ] ***(Optional)*** If new version is available:
 +      - [ ] Upload the downloaded `manual_$PIPELINEID.zip` file to people.tpo
 +      - [ ] Update `projects/manual/config`:
 +        - [ ] Change the `version` to `$PIPELINEID`
 +        - [ ] Update `sha256sum` in the `input_files` section
 +        - [ ] ***(Optional)*** Update the URL if you have uploaded to a different people.tpo home
  - [ ] Update `ChangeLog.txt`
    - [ ] Ensure ChangeLog.txt is sync'd between alpha and stable branches
    - [ ] Check the linked issues: ask people to check if any are missing, remove the not fixed ones
@@ -99,19 +98,26 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
      - Make sure you have `requests` installed (e.g., `apt install python3-requests`)
      - The first time you run this script you will need to generate an access token; the script will guide you
    - [ ] Copy the output of the script to the beginning of `ChangeLog.txt` and adjust its output
 -    - If you used the issue number, you will need to write the Tor Browser version manually
 -  - [ ] Include any version updates for:
 -    - [ ] translations
 -    - [ ] OpenSSL
 -    - [ ] NoScript
 +    - **NOTE** : If you used the issue number, you will need to write the Tor Browser version manually
 +  - [ ] ***(Optional)*** Under `All Platforms` include any version updates for:
 +    - [ ] Translations
 +    - [ ]OpenSSL
 +    - [ ]NoScript
 +    - [ ]zlib
 +    - [ ] tor daemon
 +  - [ ] ***(Optional)*** Under `Windows + macOS + Linux` include updates for:
 +    - [ ] Firefox
 +  - [ ] ***(Optional)*** Under `Android`, include updates for:
 +    - [ ] Geckoview
 +  - [ ] ***(Optional)*** Under `Build System/All Platforms` include updates for:
      - [ ] Go
 -    - [ ] zlib
 -  - [ ] Include any ESR rebase for Firefox and GeckoView
  - [ ] Open MR with above changes
 -- [ ] Begin build on `$(BUILD_SERVER)` (and fix any issues which come up and update MR)
  - [ ] Merge
  - [ ] Sign/Tag commit: `make torbrowser-signtag-release`
  - [ ] Push tag to `origin`
 +- [ ] Begin build on `$(BUILD_SERVER)` (fix any issues in subsequent MRs)
 +- [ ] **TODO** Submit build-tag to Mullvad build infra
 +- [ ] Ensure builders have matching builds
  </details>
@@ -123,6 +129,10 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
    <details>
      <summary>email template</summary>
 +      Subject:
 +      Tor Browser $(TOR_BROWSER_VERION) (Android, Windows, macOS, Linux)
++
 +      Body:
        Hello All,
        Unsigned Tor Browser $(TOR_BROWSER_VERSION) release candidate builds are now available for testing:
@@ -131,36 +141,31 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
        The full changelog can be found here:
 -      - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/raw/maint-12.0/projects/browser/Bundle-Data/Docs/ChangeLog.txt
 +      - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/$(TBB_BUILD_TAG)/ChangeLog.txt
    </details>
  - [ ] Email tor-qa mailing list: tor-qa@xxxxxxxxxxxxxxxxxxxx
 -  - Additional information:
 +  - ***(Optional)*** Additional information:
      - [ ] Note any new functionality which needs testing
      - [ ] Link to any known issues
 -- [ ] Email downstream consumers:
 +- [ ] Email packagers:
    - Recipients:
      - Tails dev mailing list: tails-dev@xxxxxxxx
      - Guardian Project: nathan@xxxxxxxxxxxxxxxxxxxx
      - torbrowser-launcher: micah@xxxxxxxxxxxxx
      - FreeBSD port: freebsd@xxxxxxxxx <!-- Gitlab user maxfx -->
      - OpenBSD port: caspar@xxxxxxxxxxxxxx <!-- Gitlab user cschutijser -->
 -  - [ ] Note any changes which may affect packaging/downstream integration
 -- [ ] Email upstream stakeholders:
 -  - ***(Optional, after ESR migration)*** Cloudflare: ask-research@xxxxxxxxxxxxxx
 -    - **NOTE** :  We need to provide them with updated user agent string so they can update their internal machinery to prevent Tor Browser users from getting so many CAPTCHAs
 +  - [ ] ***(Optional)*** Note any changes which may affect packaging/downstream integration
  </details>
  <details>
    <summary>Signing</summary>
 -### signing + publishing
 -- [ ] Ensure builders have matching builds
 +### signing
 +- **NOTE** : In practice, it's most efficient to have the blog post and website updates ready to merge, since signing doesn't take very long
  - [ ] On `$(STAGING_SERVER)`, ensure updated:
 -  - [ ] `tor-browser-build/tools/signing/set-config`
 -    - `NSS_DB_DIR` : location of the `nssdb7` directory
    - [ ]  `tor-browser-build/tools/signing/set-config.hosts`
      - `ssh_host_builder` : ssh hostname of machine with unsigned builds
        - **NOTE** : `tor-browser-build` is expected to be in the `$HOME` directory)
@@ -180,14 +185,14 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
  - [ ] On `$(STAGING_SERVER)` in a separate `screen` session, ensure tor daemon is running with SOCKS5 proxy on the default port 9050
  - [ ] run do-all-signing script:
      - `cd tor-browser-build/tools/signing/`
 -    - `./do-all-signing.sh`
 +    - `./do-all-signing.torbrowser`
  - **NOTE**: at this point the signed binaries should have been copied to `staticiforme`
  - [ ] Update `staticiforme.torproject.org`:
    - From `screen` session on `staticiforme.torproject.org`:
    - [ ] Static update components : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
    - [ ] Enable update responses : `sudo -u tb-release ./deploy_update_responses-release.sh`
    - [ ] Remove old release data from following places:
 -    - **NOTE** : Skip this step if the current release is Android or Desktop *only*
 +    - **NOTE** : Skip this step if we need to hold on to older versions for some reason (for example, this is an Andoid or Desktop-only release, or if we need to hold back installers in favor of build-to-build updates if there are signing issues, etc)
      - [ ] `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser`
      - [ ] `/srv/dist-master.torproject.org/htdocs/torbrowser`
  - [ ] Static update components (again) : `static-update-component cdn.torproject.org && static-update-component dist.torproject.org`
@@ -241,7 +246,24 @@ Tor Browser Stable lives in the various `maint-$(TOR_BROWSER_MAJOR).$(TOR_BROWSE
  - [ ] Publish after CI passes and website has been updated
  ### tor-announce mailing list
 -- [ ] Send an email to tor-announce@xxxxxxxxxxxxxxxxxxxx, using the same content as the blog post and subject "Tor Browser $version is released".
 +  <details>
 +    <summary>email template</summary>
++
 +      Subject:
 +      New Release: Tor Browser $(TOR_BROWSER_VERSION) (Android, Windows, macOS, Linux)
++
 +      Body:
 +      Hi everyone,
++
 +      Tor Browser $(TOR_BROWSER_VERSION) has now been published for all platforms. For details please see our blog post:
++
 +      - $(BLOG_POST_URL)
++
 +  </details>
++
 +- [ ] Email tor-announce mailing list: tor-announce@xxxxxxxxxxxxxxxxxxxx
 +  - **(Optional)** Additional information:
 +    - [ ] Link to any known issues
  </details>

.gitlab/merge_request_templates/default.md

@@ -2,20 +2,52 @@
  <!-- Bookkeeping information for release management -->
 -- ### Related Issues
 -  - tor-browser#xxxxx
 -  - tor-browser-build#xxxxx
 -  - etc
 +### Related Issues
 +- tor-browser#xxxxx
 +- mullvad-browser#xxxxx
 +- tor-browser-build#xxxxx
 -- ### Backport Timeline
 -  - [ ] **Immediate** - patchsets for critical bug fixes or other major blocker (e.g. fixes for a 0-day exploit) OR patchsets with trivial changes which do not need testing (e.g. fixes for typos or fixes easily verified in a local developer build)
 -  - [ ] **Next Minor Stable Release** - patchset that needs to be verified in nightly before backport
 -  - [ ] **Eventually** - patchset that needs to be verified in alpha before backport
 -  - [ ] **No Backport** - patchset for the next major stable
 +### Backporting
 -- ### Issue Tracking
 -  - [ ] Link resolved issues with appropriate [Release Prep issue](https://gitlab.torproject.org/groups/tpo/applications/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep&first_page_size=20) for changelog generation
 +#### Timeline
 +- [ ] **Immediate**: patchset needed as soon as possible
 +- [ ] **Next Minor Stable Release**: patchset that needs to be verified in nightly before backport
 +- [ ] **Eventually**: patchset that needs to be verified in alpha before backport
 +- [ ] **No Backport (preferred)**: patchset for the next major stable
 -## Change Description
 +#### (Optional) Justification
 +- [ ] **Emergency security update**: patchset fixes CVEs, 0-days, etc
 +- [ ] **Censorship event**: patchset enables censorship circumvention
 +- [ ] **Critical bug-fix**: patchset fixes a bug in core-functionality
 +- [ ] **Consistency**: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
 +- [ ] **Sponsor required**: patchset required for sponsor
 +- [ ] **Other**: please explain
 -<!-- Whatever context the reviewer needs to effectively review the patchset -->
 \ No newline at end of file
 +### Issue Tracking
 +- [ ] Link resolved issues with appropriate [Release Prep issue](https://gitlab.torproject.org/groups/tpo/applications/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Release%20Prep&first_page_size=20) for changelog generation
++
 +### Review
++
 +#### Request Reviewer
++
 +- [ ] Request review from an applications developer depending on modified system:
 +  - **NOTE**: if the MR modifies multiple areas, please `/cc` all the relevant reviewers (since gitlab only allows 1 reviewer)
 +  - **accessibility** : henry
 +  - **android** : dan
 +  - **build system** : boklm
 +  - **extensions** : ma1
 +  - **firefox internals (XUL/JS/XPCOM)** : ma1
 +  - **fonts** : pierov
 +  - **frontend (implementation)** : henry
 +  - **frontend (review)** : donuts, richard
 +  - **localization** : henry, pierov
 +  - **nightly builds** : boklm
 +  - **rebases/release-prep** : dan_b, ma1, pierov, richard
 +  - **security** : ma1
 +  - **signing** : boklm, richard
 +  - **updater** : pierov
 +  - **misc/other** : pierov, richard
++
 +#### Change Description
++
 +<!-- Whatever context the reviewer needs to effectively review the patchset; if the patch includes UX updates be sure to include screenshots/video of how any new behaviour -->