From 528646690bfb4d280f52f0ab63c12d2c02244c18 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Tue, 26 May 2026 17:14:48 +0200 Subject: [PATCH] doc: update `git node land` instructions for security releases Signed-off-by: Antoine du Hamel --- doc/contributing/releases.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/doc/contributing/releases.md b/doc/contributing/releases.md index 5299b0026298e3..e2eba8880b1db9 100644 --- a/doc/contributing/releases.md +++ b/doc/contributing/releases.md @@ -272,11 +272,12 @@ $ git reset --hard upstream/vN.x The list of patches to include should be listed in the "Next Security Release" issue in `nodejs-private`. Ask the security release steward if you're unsure. -The `git node land` tool does not work with the `nodejs-private` -organization. To land a PR in Node.js private, use `git cherry-pick` to apply -each commit from the PR. You will also need to manually apply the PR -metadata (`PR-URL`, `Reviewed-by`, etc.) by amending the commit messages. If +To use the `git node land` tool to land Pull Requests in the `nodejs-private` +organization, you need to specify the full URL to the Pull Request and make sure +you provide a GitHub token with read permission to the private repository. If known, additionally include `CVE-ID: CVE-XXXX-XXXXX` in the commit metadata. +Make sure to sign and push to resulting commit to the private repository and not +the public one. **Note**: Do not run CI on the PRs in `nodejs-private` until CI is locked down. You can integrate the PRs into the proposal without running full CI.