doc: mention where to push security commits

RafaelGSS · juanarbol · commit 9e83c00e0bfa · 2022-10-11T14:45:27.000-05:00
PR-URL: #44691 Reviewed-By: Danielle Adams <adamzdanielle@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com>
diff --git a/doc/contributing/releases.md b/doc/contributing/releases.md
@@ -263,6 +263,19 @@ branch.
 $ git checkout -b v1.2.3-proposal upstream/v1.x-staging
 ```
 
+<details>
+<summary>Security release</summary>
+
+When performing Security Releases, the `vN.x.x-proposal` branch should be
+branched off of `vN.x`.
+
+```console
+$ git checkout -b v1.2.3-proposal upstream/v1.x
+git cherry-pick  ...  # cherry-pick nodejs-private PR commits directly into the proposal
+```
+
+</details>
+
 ### 3. Update `src/node_version.h`
 
 Set the version for the proposed release using the following macros, which are
@@ -458,6 +471,9 @@ Notable changes:
 PR-URL: TBD
 ```
 
+**Note**: Ensure to push the proposal branch to the nodejs-private repository.
+Otherwise, you will leak the commits before the security release.
+
 </details>
 
 ### 6. Propose release on GitHub
