...

  1. Before you start working on a security issue, ensure that you have a GitHub security advisory that has been created by the security working group or yourself.

  2. On the advisory, create a new private fork on which to make any fixes.

  3. Add your changes to a new branch on the temporary private fork.

  4. Create a new pull request so that your changes can be reviewed.

    1. Warning: the new PR will not run tests, because GitHub Actions workers cannot access the private fork. (Link)
  5. Get the PR reviewed and approved.

  6. BEFORE MERGING

    1. Post a Security Announcement 2 business days before merging, stating that you will be merging a security fix and the severity level of the fix. (Example text below; update the date, the severity level and the second link.)

      A security patch for **openedx/edx-platform** will be added to the **Palm** release and to the current github master branch around [date=2023-07-25 time=15:00:00 timezone="America/New_York"].

      It will fix one security defect with a "critical" [CVSS 3.1 severity rating](https://nvd.nist.gov/vuln-metrics/cvss).

      Details will be published here after release: [GitHub security advisory](https://github.com/openedx/edx-platform/security/advisories/GHSA-blah-blah-blah).
  7. Merge the fix to the current main branch. Backport it to the currently supported named release.