From f5f08e56f9842e5c498f29bde9727c13981465cb Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman <kog@freedom.press>
Date: Mon, 24 Nov 2025 11:39:29 -0500
Subject: [PATCH 1/4] SecureDrop 2.13.0~rc1

(cherry picked from commit b80c264a0355ca39674f2fb4226ef147e6d3180f)
---
 admin/debian/changelog      |  5 +--
 changelog.md                | 62 +++++++++++++++++++++++++++++++++++++
 securedrop/debian/changelog |  2 +-
 3 files changed, 66 insertions(+), 3 deletions(-)

diff --git a/admin/debian/changelog b/admin/debian/changelog
index 37f966f84f..9b23fbf75d 100644
--- a/admin/debian/changelog
+++ b/admin/debian/changelog
@@ -1,5 +1,6 @@
 securedrop-admin (2.13.0~rc1) unstable; urgency=medium
 
-  *
+  * see changelog.md
+
+ -- SecureDrop Team <securedrop@freedom.press>  Mon, 24 Nov 2025 11:44:11 -0500
 
- -- SecureDrop Team <securedrop@freedom.press>  Fri, 09 May 2025 11:14:37 -0400
diff --git a/changelog.md b/changelog.md
index cc8459b7f8..2f51aac565 100644
--- a/changelog.md
+++ b/changelog.md
@@ -2,6 +2,68 @@
 
 ## 2.13.0~rc1
 
+### Web Applications and API
+
+* Add check for valid tab IDs when creating sources (#7708)
+* Update Rust version to 1.90.0 (#7688)
+* Update wordlist to remove offensive term (#7678)
+* Add Clear-Site-Data header on logout response for Source Interface (#7660)
+* Use separate prefix for session cookies in Source and Journalist Interface (#7662)
+* Implement v2 Journalist API (#7604, #7622, #7624, #7626, #7629, #7665, #7685, #7691, #7683, #7701, #7681, #7699, #7705, #7706, #7712, #7703, #7713, #7716, #7719)
+* Fix UndefinedError exception on 404 responses for static URLs (#7504)
+* Fix deprecation warnings in `pretty_bad_privacy` (#7532)
+* Remove guard around opening i18n.json (#7458)
+* Dependency updates:
+  * pip to 25.2 (#7668)
+  * psutil to 7.0.0 (#7642)
+
+### Operations
+
+* Update admin toolng to be deployed as a Debian package instead of via git (#7606)
+* Suppress OSSEC alert caused by non-error Tor log message (#7670)
+* Remove support for Ubuntu 20.04 (Focal) #7671, #7673, #7674)
+* Add playbook checks for server OS version (#7652, #7654)
+* Support admin tools in Qubes (#7576)
+* Dependency updates:
+  * markupsafe to 3.0.3 (#7606)
+  * resolvelib to 1.0.1 (#7606)
+  * wcwidth to 0.2.13 (#7606)
+
+### Development
+
+* Add test to validate apparmor config (#7702)
+* Update test Firefox and Tor Browser versions to 140 and 15 respectively (#7698)
+* Add workflows for demo container management to Github Packages (#7693)
+* Clean up cargo config following noble migration removal (#7680)
+* Support import of fixd datasets (#7669)
+* add redwood build artifacts to `.gitignore` (#7643)
+* Add CSP for demo landing page (#7638)
+* Remove `safety` Makefile target and CI jobs (#7627)
+* Increase functional test startup timeout (#7623)
+* Add dependency review Github Actions workflow (#7625)
+* Remove CircleCI badge from README (#7598)
+* Update developer quickstart section in README (#7596)
+* Add optional datastore persistence for the dev environments (#7578)
+* Set Ubuntu Noble as default in devops scripts and dev environments (#7570)
+* Update demo Dockerfile to use Ubuntu Noble by default (#7567)
+* Use a base requirements file and consistently apply constraints (#7551)
+* Updated functional test setup to simplify driver creation (#7439)
+* Add "Copy to clipboard" to all fields on demo site (#7557)
+* Update functional tests to use webdriver-supplied locale (#7548)
+* Pin `ruamel.yamel.clib` at version 0.2.12 in Ubuntu Noble (#7550)
+* Add additional dev-helper Makefile targets (#7278)
+* Add integration tests for nl2br jinja2 filter (#7546)
+* Improve testinfra grsecurity checks to support automated kernel testing (#7542)
+* Verify a build tag's signature and working tree (#7478)
+* Dependency updates:
+  * requests to 2.32.4 (#7586)
+  * urllib3 to 2.5.0 (#7582, #7586)
+  * uv to 0.9.6 (#7710)
+  * semgrep to 1.142.1 (#7710)
+  * Github actions/upload-artifact to 5 (#7694)
+  * Github actions/setup-python to 6 (#7656)
+  * Github actions/download to 5 (#7636)
+  * Github actions/checkout to 5 (#7637)
 
 ## 2.12.10
 
diff --git a/securedrop/debian/changelog b/securedrop/debian/changelog
index 58af774cac..bae6f04327 100644
--- a/securedrop/debian/changelog
+++ b/securedrop/debian/changelog
@@ -2,7 +2,7 @@ securedrop (2.13.0~rc1) unstable; urgency=medium
 
   * see changelog.md
 
- -- SecureDrop Team <securedrop@freedom.press>  Thu, 25 Sep 2025 11:06:25 -0400
+ -- SecureDrop Team <securedrop@freedom.press>  Mon, 24 Nov 2025 11:44:43 -0500
 
 securedrop (2.12.10) unstable; urgency=medium
 

From dce562e5930805a1f2618af8d41ae9eedd74663c Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman <kog@freedom.press>
Date: Thu, 4 Dec 2025 10:45:38 -0500
Subject: [PATCH 2/4] SecureDrop 2.13.0

(cherry picked from commit 560555757d230f020f1ce0e46f730e2b95f48002)
---
 admin/debian/changelog                               | 5 ++---
 changelog.md                                         | 4 ++--
 install_files/ansible-base/group_vars/all/securedrop | 2 +-
 molecule/shared/stable.ver                           | 2 +-
 securedrop/debian/changelog                          | 5 ++---
 securedrop/setup.py                                  | 2 +-
 securedrop/version.py                                | 2 +-
 7 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/admin/debian/changelog b/admin/debian/changelog
index 9b23fbf75d..a0822094a7 100644
--- a/admin/debian/changelog
+++ b/admin/debian/changelog
@@ -1,6 +1,5 @@
-securedrop-admin (2.13.0~rc1) unstable; urgency=medium
+securedrop-admin (2.13.0) unstable; urgency=medium
 
   * see changelog.md
 
- -- SecureDrop Team <securedrop@freedom.press>  Mon, 24 Nov 2025 11:44:11 -0500
-
+ -- SecureDrop Team <securedrop@freedom.press>  Thu, 04 Dec 2025 10:44:25 -0500
diff --git a/changelog.md b/changelog.md
index 2f51aac565..68c2eb23d1 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,6 +1,6 @@
 # Changelog
 
-## 2.13.0~rc1
+## 2.13.0
 
 ### Web Applications and API
 
@@ -19,7 +19,7 @@
 
 ### Operations
 
-* Update admin toolng to be deployed as a Debian package instead of via git (#7606)
+* Update admin tooling to be deployed as a Debian package instead of via git (#7606)
 * Suppress OSSEC alert caused by non-error Tor log message (#7670)
 * Remove support for Ubuntu 20.04 (Focal) #7671, #7673, #7674)
 * Add playbook checks for server OS version (#7652, #7654)
diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index 9c22fef77f..452768e4c6 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -2,7 +2,7 @@
 # Variables that apply to both the app and monitor server go in this file
 # If the monitor or app server need different values define the variable in
 # hosts_vars/app.yml or host_vars/mon.yml
-securedrop_version: "2.13.0~rc1"
+securedrop_version: "2.13.0"
 securedrop_app_code_sdist_name: "securedrop-app-code-{{ securedrop_version | replace('~', '-') }}.tar.gz"
 
 grsecurity: true
diff --git a/molecule/shared/stable.ver b/molecule/shared/stable.ver
index 420fbec6f1..fb2c0766b7 100644
--- a/molecule/shared/stable.ver
+++ b/molecule/shared/stable.ver
@@ -1 +1 @@
-2.12.10
+2.13.0
diff --git a/securedrop/debian/changelog b/securedrop/debian/changelog
index bae6f04327..f1535b75c7 100644
--- a/securedrop/debian/changelog
+++ b/securedrop/debian/changelog
@@ -1,8 +1,8 @@
-securedrop (2.13.0~rc1) unstable; urgency=medium
+securedrop (2.13.0) unstable; urgency=medium
 
   * see changelog.md
 
- -- SecureDrop Team <securedrop@freedom.press>  Mon, 24 Nov 2025 11:44:43 -0500
+ -- SecureDrop Team <securedrop@freedom.press>  Thu, 04 Dec 2025 10:45:00 -0500
 
 securedrop (2.12.10) unstable; urgency=medium
 
@@ -10,7 +10,6 @@ securedrop (2.12.10) unstable; urgency=medium
 
  -- SecureDrop Team <securedrop@freedom.press>  Wed, 24 Sep 2025 14:36:57 -0400
 
-
 securedrop (2.12.9) unstable; urgency=medium
 
   * see changelog.md 
diff --git a/securedrop/setup.py b/securedrop/setup.py
index a15adf6eea..af84bc6959 100644
--- a/securedrop/setup.py
+++ b/securedrop/setup.py
@@ -4,7 +4,7 @@
 
 setuptools.setup(
     name="securedrop-app-code",
-    version="2.13.0~rc1",
+    version="2.13.0",
     author="Freedom of the Press Foundation",
     author_email="securedrop@freedom.press",
     description="SecureDrop Server",
diff --git a/securedrop/version.py b/securedrop/version.py
index 21036988e1..930e2cd686 100644
--- a/securedrop/version.py
+++ b/securedrop/version.py
@@ -1 +1 @@
-__version__ = "2.13.0~rc1"
+__version__ = "2.13.0"

From 15dba18f8de4fa2c0c7992570750c437a5031d04 Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman <kog@freedom.press>
Date: Mon, 24 Nov 2025 11:43:54 -0500
Subject: [PATCH 3/4] Update admin debian changelog with new versions

(cherry picked from commit 100492d8298b1e46e910d271a31494060bd4c05b)
---
 update_version.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/update_version.sh b/update_version.sh
index 90e2a41a8d..d44e9064fa 100755
--- a/update_version.sh
+++ b/update_version.sh
@@ -65,7 +65,8 @@ sed -i "s/\(## ${OLD_VERSION}\)/## ${NEW_VERSION}\n\n\n\n\1/g" changelog.md
 export DEBEMAIL="${DEBEMAIL:-securedrop@freedom.press}"
 export DEBFULLNAME="${DEBFULLNAME:-SecureDrop Team}"
 
-# Update the changelog in the Debian package
+# Update the changelog in the Debian packages
+dch -b -v "${NEW_VERSION}" -D unstable -c admin/debian/changelog
 dch -b -v "${NEW_VERSION}" -D unstable -c securedrop/debian/changelog
 # Commit the change
 git commit -a -m "SecureDrop ${NEW_VERSION}"

From 84d5e275322036406b0124e8bf7039445d6acc39 Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman <kog@freedom.press>
Date: Fri, 5 Dec 2025 10:57:05 -0500
Subject: [PATCH 4/4] SecureDrop 2.14.0~rc1

---
 admin/debian/changelog                               | 6 ++++++
 changelog.md                                         | 4 ++++
 install_files/ansible-base/group_vars/all/securedrop | 2 +-
 securedrop/debian/changelog                          | 6 ++++++
 securedrop/setup.py                                  | 2 +-
 securedrop/version.py                                | 2 +-
 6 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/admin/debian/changelog b/admin/debian/changelog
index a0822094a7..158f180f8e 100644
--- a/admin/debian/changelog
+++ b/admin/debian/changelog
@@ -1,3 +1,9 @@
+securedrop-admin (2.14.0~rc1) unstable; urgency=medium
+
+  * 
+
+ -- SecureDrop Team <securedrop@freedom.press>  Fri, 05 Dec 2025 10:56:36 -0500
+
 securedrop-admin (2.13.0) unstable; urgency=medium
 
   * see changelog.md
diff --git a/changelog.md b/changelog.md
index 68c2eb23d1..71515bb4fc 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 2.14.0~rc1
+
+
+
 ## 2.13.0
 
 ### Web Applications and API
diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index 452768e4c6..dd844b5cb3 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -2,7 +2,7 @@
 # Variables that apply to both the app and monitor server go in this file
 # If the monitor or app server need different values define the variable in
 # hosts_vars/app.yml or host_vars/mon.yml
-securedrop_version: "2.13.0"
+securedrop_version: "2.14.0~rc1"
 securedrop_app_code_sdist_name: "securedrop-app-code-{{ securedrop_version | replace('~', '-') }}.tar.gz"
 
 grsecurity: true
diff --git a/securedrop/debian/changelog b/securedrop/debian/changelog
index f1535b75c7..6ce9a9518c 100644
--- a/securedrop/debian/changelog
+++ b/securedrop/debian/changelog
@@ -1,3 +1,9 @@
+securedrop (2.14.0~rc1) unstable; urgency=medium
+
+  * 
+
+ -- SecureDrop Team <securedrop@freedom.press>  Fri, 05 Dec 2025 10:56:53 -0500
+
 securedrop (2.13.0) unstable; urgency=medium
 
   * see changelog.md
diff --git a/securedrop/setup.py b/securedrop/setup.py
index af84bc6959..283402603a 100644
--- a/securedrop/setup.py
+++ b/securedrop/setup.py
@@ -4,7 +4,7 @@
 
 setuptools.setup(
     name="securedrop-app-code",
-    version="2.13.0",
+    version="2.14.0~rc1",
     author="Freedom of the Press Foundation",
     author_email="securedrop@freedom.press",
     description="SecureDrop Server",
diff --git a/securedrop/version.py b/securedrop/version.py
index 930e2cd686..1a6241a997 100644
--- a/securedrop/version.py
+++ b/securedrop/version.py
@@ -1 +1 @@
-__version__ = "2.13.0"
+__version__ = "2.14.0~rc1"