TB 41649: Create rebase and security backport gitlab issue templates

.gitlab/issue_templates/Backport Android Security Fixes.md

+<details>
+  <summary>Explanation of Variables</summary>
+
+- `$(ESR_VERSION)`: the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
+  - **Example**: `102.8.0`
+- `$(RR_VERSION)`: the Mozilla defined Rapid-Release version; Tor Browser for Android is based off of the `$(ESR_VERSION)`, but Mozilla's Firefox for Android is based off of the `$(RR_VERSION)` so we need to keep track of security vulnerabilities to backport from the monthly Rapid-Release train and our frozen ESR train.
+  - **Example**: `110`
+- `$(PROJECT_NAME)`: the name of the browser project, either `base-browser` or `tor-browser`
+- `$(TOR_BROWSER_MAJOR)`: the Tor Browser major version
+  - **Example**: `12`
+- `$(TOR_BROWSER_MINOR)`: the Tor Browser minor version
+  - **Example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
+- `$(BUILD_N)`: a project's build revision within a its branch; many of the Firefox-related projects have a `$(BUILD_N)` suffix and may differ between projects even when they contribute to the same build.
+  - **Example**: `build1`
+</details>
+
+**NOTE:** It is assumed the `tor-browser` rebases (stable and alpha) have already happened and there exists a `build1` build tags for both `base-browser` and `tor-browser` (stable and alpha)
+
+### **Bookkeeping**
+
+- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Apps%3A%3AType%3A%3AReleasePreparation) issues (stable and alpha).
+
+### **Security Vulnerabilities Report**: https://www.mozilla.org/en-US/security/advisories/
+
+- Potentially Affected Components:
+  - `firefox`/`geckoview`: https://github.com/mozilla/gecko-dev
+  - `application-services`: https://github.com/mozilla/application-services
+  - `android-components` (ESR 102 only): https://github.com/mozilla-mobile/firefox-android
+  - `fenix` (ESR 102 only): https://github.com/mozilla-mobile/firefox-android
+  - `firefox-android`: https://github.com/mozilla-mobile/firefox-android
+
+**NOTE:** `android-components` and `fenix` used to have their own repos, but since November 2022 they have converged to a single `firefox-android` repo. Any backports will require manually porting patches over to our legacy repos until we have transitioned to ESR 115.
+
+- [ ] Go through the `Security Vulnerabilities fixed in Firefox $(RR_VERSION)` report and create a candidate list of CVEs which potentially need to be backported in this issue:
+  - CVEs which are explicitly labeled as 'Android' only
+  - CVEs which are fixed in Rapid Release but not in ESR
+  - 'Memory safety bugs' fixed in Rapid Release but not in ESR
+- [ ] Foreach issue:
+  - Create link to the CVE on [mozilla.org](https://www.mozilla.org/en-US/security/advisories/)
+    - **Example**: https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/#CVE-2023-25740
+  - Create link to the associated Bugzilla issues (found in the CVE description)
+  - Create links to the relevant `gecko-dev`/other commit hashes which need to be backported OR a brief justification for why the fix does not need to be backported
+    - To find the `gecko-dev` version of a `mozilla-central`, search for a unique string in the relevant `mozilla-central` commit message in the `gecko-dev/release` branch log.
+    - **NOTE:** This process is unfortunately somewhat poorly defined/ad-hoc given the general variation in how Bugzilla issues are labeled and resolved. In general this is going to involve a bit of hunting to identify needed commits or determining whether or not the fix is relevant.
+
+### CVEs
+
+<!-- CVE Resolution Template, foreach CVE to investigate add an entry in the form:
+- [ ] https://www.mozilla.org/en-US/security/advisories/mfsaYYYY-NN/#CVE-YYYY-XXXXX // CVE description
+  - https://bugzilla.mozilla.org/show_bug.cgi?id=NNNNNN // Bugzilla issue
+  - **Note**: Any relevant info about this fix, justification for why it is not necessary, etc
+  - **Patches**
+    - firefox-android: https://link.to/relevant/patch
+    - firefox: https://link.to/relevant/patch
+ -->
+
+### **tor-browser**: https://gitlab.torproject.org/tpo/applications/tor-browser.git
+- [ ] Backport any Android-specific security fixes from Firefox rapid-release
+  - [ ] Backport patches to `tor-browser` stable branch
+  - [ ] Open MR
+  - [ ] Merge
+  - [ ] Rebase patches onto:
+    - [ ] `base-browser` stable
+    - [ ] `tor-browser` alpha
+    - [ ] `base-browser` alpha
+  - [ ] Sign/Tag commits:
+    - **Tag**: `$(PROJECT_NAME)-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
+    - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)`
+    - [ ] `base-browser` stable
+    - [ ] `tor-browser` stable
+    - [ ] `base-browser` alpha
+    - [ ] `tor-browser` alpha
+  - [ ] Push tags to `upstream`
+- **OR**
+- [ ] No backports
+
+### **application-services**: https://gitlab.torproject.org/tpo/applications/application-services
+- **NOTE**: we will need to setup a gitlab copy of this repo and update `tor-browser-build` before we can apply security backports here
+- [ ] Backport any Android-specific security fixes from Firefox rapid-release
+  - [ ] Backport patches to `application-services` stable branch
+  - [ ] Open MR
+  - [ ] Merge
+  - [ ] Rebase patches onto `application-services` alpha
+  - [ ] Sign/Tag commits:
+    - **Tag**: `application-services-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
+    - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha`
+    - [ ] `application-services` stable
+    - [ ] `application-services` alpha
+  - [ ] Push tags to `upstream`
+- **OR**
+- [ ] No backports
+
+
+### **android-components (Optional, ESR 102)**: https://gitlab.torproject.org/tpo/applications/android-components.git
+- [ ] Backport any Android-specific security fixes from Firefox rapid-release
+  - **NOTE**: Since November 2022, this repo has been merged with `fenix` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy `android-components` project.
+  - [ ] Backport patches to `android-components` stable branch
+  - [ ] Open MR
+  - [ ] Merge
+  - [ ] Rebase patches onto `android-components` alpha
+  - [ ] Sign/Tag commits:
+    - **Tag**: `android-components-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
+    - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)`
+    - [ ] `android-components` stable
+    - [ ] `android-components` alpha
+  - [ ] Push tags to `upstream`
+- **OR**
+- [ ] No backports
+
+
+### **fenix (Optional, ESR 102)**: https://gitlab.torproject.org/tpo/applications/fenix.git
+- [ ] Backport any Android-specific security fixes from Firefox rapid-release
+  - **NOTE**: Since February 2023, this repo has been merged with `android-components` into a singular `firefox-android` repo: https://github.com/mozilla-mobile/firefox-android. Any backport will require a patch rewrite to apply to our legacy `fenix` project.
+  - [ ] Backport patches to `fenix` stable branch
+  - [ ] Open MR
+  - [ ] Merge
+  - [ ] Rebase patches onto `fenix` alpha
+  - [ ] Sign/Tag commits:
+    - **Tag**: `tor-browser-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
+    - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)`
+    - [ ] `fenix` stable
+    - [ ] `fenix` alpha
+  - [ ] Push tags to `upstream`
+- **OR**
+- [ ] No backports
+
+### **firefox-android**: https://gitlab.torproject.org/tpo/applications/firefox-android
+- [ ] Backport any Android-specific security fixes from Firefox rapid-release
+  - [ ] Backport patches to `firefox-android` stable branch
+  - [ ] Open MR
+  - [ ] Merge
+  - [ ] Rebase patches onto `fenix` alpha
+  - [ ] Sign/Tag commits:
+    - **Tag**: `firefox-android-$(ESR_VERSION)-$(TOR_BROWSER_MAJOR).$(TOR_BROWSER_MINOR)-1-$(BUILD_N)`
+    - **Message**: `Tagging $(BUILD_N) for $(ESR_VERSION)-based stable|alpha)`
+    - [ ] `firefox-android` stable
+    - [ ] `firefox-android` alpha
+  - [ ] Push tags to `upstream`
+- **OR**
+- [ ] No backports
+
+/confidential

.gitlab/issue_templates/Bugzilla Triage.md

+  # Bugzilla Triage
+
+  **NOTE** This issue presumes the branches and tags for the next Firefox release have already been created in tor-browser.git
+
+  - [ ] Generate Bugzilla triage CSV
+    - Run (from `tor-browser-build` root):
+    ```bash
+      ./tools/browser/generate-bugzilla-triage-csv ${FIREFOX_VERSION} ${PREVIOUS_NIGHTLY_TAG} ${NEXT_NIGHLTY_TAG} ${TRIAGE_ISSUE_NUMBER} ${REVIEWERS} > out.csv
+    ```
+    - `${FIREFOX_VERSION}`: the major Firefox version of the nightly to review
+      - **Example**: 129
+    - `${PREVIOUS_NIGHTLY_TAG}`: the nightly 'end' tag of the previous major Firefox version
+      - **Example**: `FIREFOX_NIGHTLY_128_END`
+    - `${NEXT_NIGHLTY_TAG}`: the nightly 'end' tag of the next major Firefox version we are reviewing
+      - **Example**: `FIREFOX_NIGHTLY_129_END`
+    - `${TRIAGE_ISSUE_NUMBER}`: this `tor-browser` issue
+      - **Example**: `43303`
+    - `${REVIEWERS}`: `morgan` and two additional devs to triage this Firefox version
+      - `boklm`
+      - `brizental`
+      - `clairehurst`
+      - `dan`
+      - `henry`
+      - `jwilde`
+      - `ma1`
+      - `pierov`
+    - **Example**:
+      ```bash
+      ./tools/browser/generate-bugzilla-triage-csv 129 FIREFOX_NIGHTLY_128_END FIREFOX_NIGHTLY_129_END 43303 morgan pierov henry > 129.csv
+      ```
+  - [ ] Attach the generated CSV file to the triage isssue
+  - [ ] Import to Google Sheets ( https://sheets.google.com )
+    - [ ] Create blank spreadsheet
+    - [ ] **Title**: `Bugzilla Triage ${VERSION}`
+    - [ ] Import CSV: File > Import > Upload
+      - **Import location**: "Replace spreadsheet"
+      - **Separator type**: "Comma"
+      - **Convert text to numbers, dates, and fomulas**: "✅"
+    - [ ] Convert 'Review' column's issue cells to check-boxes:
+      - Select relevant cells (i.e.: `A2:A1554` for in the 129 triage)
+      - Insert > Checkbox
+    - [ ] Convert 'Triaged by' cells to check-boxes
+    - [ ] Share Spreadsheet
+      - 🔒 Share > General access
+        - Change `Restricted` to `Anyone with the link`
+      - Post link in an internal note on this issue
+  - [ ] Page requested reviewers to this issue
+  - [ ] Triage Completed by:
+    - [ ] morgan
+    - [ ] reviewer 1 <!-- replace with reviewer name :) -->
+    - [ ] reviewer 2 <!-- replace with reviewer name :) -->

.gitlab/issue_templates/Rebase Browser - Alpha.md

+**NOTE:** All examples in this template reference the rebase from 102.7.0esr to 102.8.0esr
+
+<details>
+  <summary>Explanation of Variables</summary>
+
+- `$(ESR_VERSION)`: the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
+  - **Example**: `102.8.0`
+- `$(ESR_TAG)`: the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)`
+  - **Example**: `FIREFOX_102_8_0esr_RELEASE`
+- `$(ESR_TAG_PREV)`: the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from)
+  - **Example**: `FIREFOX_102_7_0esr_BUILD1`
+- `$(BROWSER_MAJOR)`: the browser major version
+  - **Example**: `12`
+- `$(BROWSER_MINOR)`: the browser minor version
+  - **Example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
+- `$(BASE_BROWSER_BRANCH)`: the full name of the current `base-browser` branch
+  - **Example**: `base-browser-102.8.0esr-12.5-1`
+- `$(BASE_BROWSER_BRANCH_PREV)`: the full name of the previous `base-browser` branch
+  - **Example**: `base-browser-102.7.0esr-12.5-1`
+- `$(TOR_BROWSER_BRANCH)`: the full name of the current `tor-browser` branch
+  - **Example**: `tor-browser-102.8.0esr-12.5-1`
+- `$(TOR_BROWSER_BRANCH_PREV)`: the full name of the previous `tor-browser` branch
+  - **Example**: `tor-browser-102.7.0esr-12.5-1`
+</details>
+
+**NOTE:** It is assumed that we've already identified the new ESR branch during the tor-browser stable rebase
+
+### **Bookkeeping**
+
+- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Apps%3A%3AType%3A%3AReleasePreparation) issue.
+
+### Update Branch Protection Rules
+
+- [ ] In [Repository Settings](https://gitlab.torproject.org/tpo/applications/tor-browser/-/settings/repository):
+  - [ ] Remove previous alpha `base-browser` and `tor-browser` branch protection rules (this will prevent pushing new changes to the branches being rebased)
+  - [ ] Create new `base-browser` and `tor-browser` branch protection rule:
+    - **Branch**: `*-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1*`
+      - **Example**: `*-102.8.0esr-12.5-1*`
+    - **Allowed to merge**: `Maintainers`
+    - **Allowed to push and merge**: `Maintainers`
+    - **Allowed to force push**: `false`
+    - If you copied and pasted from old rules, double check you didn't add spaces at the end, as GitLab will not trim them!
+
+### **Create New Branches**
+
+- [ ] Find the Firefox mercurial tag `$(ESR_TAG)`
+  - If `$(BROWSER_MINOR)` is 5, the tag should already exist from the stable release
+  - Otherwise:
+    - [ ] Go to `https://hg.mozilla.org/releases/mozilla-esr$(ESR_MAJOR)/tags`
+    - [ ] Find and inspect the commit tagged with `$(ESR_TAG)`
+      - Tags are in yellow in the Mercurial web UI
+    - [ ] Find the equivalent commit in `https://github.com/mozilla/gecko-dev/commits/esr$(ESR_MAJOR)`
+      - The tag should be very close to `HEAD` (usually the second, before a `No bug - Tagging $(HG_HASH) with $(ESR_TAG)`)
+      - **Notice**: GitHub sorts commits by time, you might want to use `git log gecko-dev/esr$(ESR_MAJOR)` locally, instead
+    - [ ] Sign/Tag the `gecko-dev` commit: `git tag -as $(ESR_TAG) $(GIT_HASH) -m "Hg tag $(ESR_TAG)"`
+- [ ] Create new alpha `base-browser` branch from Firefox mercurial tag
+  - Branch name in the form: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1`
+  - **Example**: `base-browser-102.8.0esr-12.5-1`
+- [ ] Create new alpha `tor-browser` branch from Firefox mercurial tag
+  - Branch name in the form: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1`
+  - **Example**: `tor-browser-102.8.0esr-12.5-1`
+- [ ] Push new `base-browser` branch to `upstream`
+- [ ] Push new `tor-browser` branch to `upstream`
+
+### **Rebase tor-browser**
+
+- [ ] Checkout a new local branch for the `tor-browser` rebase
+  - **Example**: `git branch tor-browser-rebase FIREFOX_102_8_0esr_BUILD1`
+- [ ] **(Optional)** `base-browser` rebase and autosquash
+  - **NOTE** This step may be skipped if the `HEAD` of the previous `base-browser` branch is a `-buildN` tag
+  - [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `buildN` tag onto new `base-browser` rebase branch
+    - **Example**: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..base-browser-102.7.0esr-12.5-1-build1`
+  - [ ] Rebase and autosquash these cherry-picked commits
+    - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_BUILD1 HEAD`
+  - [ ] Cherry-pick remainder of patches after the `buildN` tag
+    - **Example**: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1..upstream/base-browser-102.7.0esr-12.5-1`
+
+- [ ] `tor-browser` rebase and autosquash
+  - [ ] Note the current git hash of `HEAD` for `tor-browser` rebase+autosquash step: `git rev-parse HEAD`
+  - [ ] Cherry-pick the appropriate previous `tor-browser` branch's commit range up to the last `tor-browser` `buildN` tag
+    - **Example**: `git cherry-pick base-browser-102.7.0esr-12.5-1-build1..tor-browser-102.7.0esr-12.5-1-build1`
+    - **Example (if separate base-browser rebase was skipped)**: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..tor-browser-102.7.0esr-12.5-1-build1`
+  - [ ] Rebase and autosquash  **ONLY** these newly cherry-picked commits using the commit noted previously: `git rebase --autosquash --interactive $(PREV_HEAD)`
+     - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_RELEASE`
+  - [ ] **(Optional)** Patch reordering
+    - **NOTE**: We typically want to do this after new features or bug fix commits which are not !fixups to an existing commit have been merged and are just sitting at the end of the commit history
+    - Relocate new `base-browser` patches in the patch-set to enforce this rough thematic ordering:
+      - **MOZILLA BACKPORTS** - official Firefox patches we have backported to our ESR branch: Android-specific security updates, critical bug fixes, worthwhile features, etc
+      - **MOZILLA REVERTS** - revert commits of official Firefox patches
+      - **UPLIFT CANDIDATES** - patches which stand on their own and should be uplifted to `mozilla-central`
+      - **BUILD CONFIGURATION** - tools/scripts, gitlab templates, etc
+      - **BROWSER CONFIGURATION** - branding, mozconfigs, preference overrides, etc
+      - **SECURITY PATCHES** - security improvements, hardening, etc
+      - **PRIVACY PATCHES** - fingerprinting, linkability, proxy bypass, etc
+      - **FEATURES** - new functionality: updater, UX, letterboxing, security level, add-on
+    - Relocate new `tor-browser` patches in the patch-set to enforce this rough thematic ordering:
+      - **BUILD CONFIGURATION** - tools/scripts, gitlab templates, etc
+      - **BROWSER CONFIGURATION** - branding, mozconfigs, preference overrides, etc
+      - **UPDATER PATCHES** - updater tweaks, signing keys, etc
+      - **SECURITY PATCHES** - non tor-dependent security improvements, hardening, etc
+      - **PRIVACY PATCHES** - non tor-dependent fingerprinting, linkability, proxy bypass, etc
+      - **FEAURES** - non tor-dependent features
+      - **TOR INTEGRATION** - legacy tor-launcher/torbutton, tor modules, bootstrapping, etc
+      - **TOR SECURITY PATCHES** - tor-specific security improvements
+      - **TOR PRIVACY PATCHES** - tor-specific privacy improvements
+      - **TOR FEATURES** - new tor-specific functionality: manual, onion-location, onion service client auth, etc
+  - [ ] Cherry-pick remainder of patches after the last `tor-browser` `buildN` tag
+    - **Example**: `git cherry-pick tor-browser-102.7.0esr-12.5-1-build1..upstream/tor-browser-102.7.0esr-12.5-1`
+  - [ ] Rebase and autosquash again, this time replacing all `fixup` and `squash` commands with `pick`. The goal here is to have all of the `fixup` and `squash` commits beside the commit which they modify, but kept un-squashed for easy debugging/bisecting.
+    - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_RELEASE`
+- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution:
+  - [ ] diff of diffs:
+    -  Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or -
+    - `git diff $(ESR_TAG_PREV)..$(BROWSER_BRANCH_PREV) > current_patchset.diff`
+    - `git diff $(ESR_TAG)..$(BROWSER_BRANCH) > rebased_patchset.diff`
+    - diff `current_patchset.diff` and `rebased_patchset.diff`
+      - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` (unless the previous `base-browser` branch includes changes not included in the previous `tor-browser` branch)
+  - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD`
+    - **Example**: `git range-dif FIREFOX_102_7_0esr_BUILD1..upstream/tor-browser-102.7.0esr-12.5-1 FIREFOX_102_8_0esr_BUILD1..HEAD`
+- [ ] Open MR for the `tor-browser` rebase
+- [ ] Merge
+- Update and push `base-browser` branch
+  - [ ] Reset the new `base-browser` branch to the appropriate commit in this new `tor-browser` branch
+  - [ ] Push these commits to `upstream`
+- [ ] Set `$(TOR_BROWSER_BRANCH)` as the default GitLab branch
+  - [ ] Go to [Repository Settings](https://gitlab.torproject.org/tpo/applications/tor-browser/-/settings/repository)
+  - [ ] Expand `Branch defaults`
+  - [ ] Set the branch and leave the `Auto-close` checkbox unchecked
+  - [ ] Save changes
+
+### **Sign and Tag**
+
+- [ ] Sign/Tag `HEAD` of the merged `tor-browser` branch:
+  - In **tor-browser.git**, checkout the new alpha `tor-browser` branch
+  - In **tor-browser-build.git**, run signing script:
+    ```bash
+    ./tools/browser/sign-tag.torbrowser alpha build1
+    ```
+  - [ ] Push tag to `upstream`
+- [ ] Sign/Tag HEAD of the merged `base-browser` branch:
+  - In **tor-browser.git**, checkout the new alpha `base-browser` branch
+  - In **tor-browser-build.git**, run signing script:
+    ```bash
+    ./tools/browser/sign-tag.basebrowser alpha build1
+    ```
+  - [ ] Push tag to `upstream`
+- [ ] Update tor-browser-build's `main` branch (no MR required, you can just push it if you have the permissions)
+  - [ ] Update `projects/firefox/config`
+    - [ ] Update `firefox_platform_version`
+    - [ ] Set `browser_build` to 1 (to prevent failures in alpha testbuilds)
+  - [ ] Update `projects/geckoview/config`
+    - [ ] Update `firefox_platform_version`
+    - [ ] Set `browser_build` to 1 (to prevent failures in alpha testbuilds)
+
+/label ~"Apps::Type::Rebase"

.gitlab/issue_templates/Rebase Browser - Legacy.md

+**NOTE:** All examples in this template reference the rebase from 115.17.0esr to 115.18.0esr
+
+<details>
+  <summary>Explanation of Variables</summary>
+
+- `$(ESR_VERSION)`: the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
+  - **Example**: `115.18.0`
+- `$(ESR_TAG)`: the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)`
+  - **Example**: `FIREFOX_115_18_0esr_BUILD1`
+- `$(ESR_TAG_PREV)`: the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from)
+  - **Example**: `FIREFOX_115_17_0esr_BUILD1`
+- `$(BASE_BROWSER_BRANCH)`: the full name of the current `base-browser` branch
+  - **Example**: `base-browser-115.18.0esr-13.5-1`
+- `$(BASE_BROWSER_BRANCH_PREV)`: the full name of the previous `base-browser` branch
+  - **Example**: `base-browser-115.17.0esr-13.5-1`
+- `$(TOR_BROWSER_BRANCH)`: the full name of the current `tor-browser` branch
+  - **Example**: `tor-browser-115.18.0esr-13.5-1`
+- `$(TOR_BROWSER_BRANCH_PREV)`: the full name of the previous `tor-browser` branch
+  - **Example**: `tor-browser-115.17.0esr-13.5-1`
+</details>
+
+### **Bookkeeping**
+
+- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Apps%3A%3AType%3A%3AReleasePreparation) issue.
+
+### Update Branch Protection Rules
+
+- [ ] In [Repository Settings](https://gitlab.torproject.org/tpo/applications/tor-browser/-/settings/repository):
+  - [ ] Remove previous legacy `base-browser` and `tor-browser` branch protection rules (this will prevent pushing new changes to the branches being rebased)
+  - [ ] Create new `base-browser` and `tor-browser` branch protection rule:
+    - **Branch**: `*-$(ESR_VERSION)esr-13.5-1*`
+      - **Example**: `*-115.18.0esr-13.5-1*`
+    - **Allowed to merge**: `Maintainers`
+    - **Allowed to push and merge**: `Maintainers`
+    - **Allowed to force push**: `false`
+
+### **Identify the Firefox Tagged Commit and Create New Branches**
+
+- [ ] Find the Firefox mercurial tag here: https://hg.mozilla.org/releases/mozilla-esr102/tags
+   - **Example**: `FIREFOX_115_18_0esr_BUILD1`
+- [ ] Find the analogous `gecko-dev` commit: https://github.com/mozilla/gecko-dev
+  - **Tip**: Search for unique string (like the Differential Revision ID) found in the mercurial commit in the `gecko-dev/esr115` branch to find the equivalent commit
+  - **Example**: `293d490d2e8d9fbb91c76336288f1287cbe285fb`
+- [ ] Sign and Tag `gecko-dev` commit
+  - Sign/Tag `gecko-dev` commit :
+    - **Tag**: `$(ESR_TAG)`
+    - **Message**: `Hg tag $(ESR_TAG)`
+- [ ] Create new legacy `base-browser` branch from tag
+  - Branch name in the form: `base-browser-$(ESR_VERSION)esr-13.5-1`
+  - **Example**: `base-browser-115.18.0esr-13.5-1`
+- [ ] Create new legacy `tor-browser` branch from
+  - Branch name in the form: `tor-browser-$(ESR_VERSION)esr-13.5-1`
+  - **Example**: `tor-browser-115.18.0esr-13.5-1`
+- [ ] Push new `base-browser` branch to `upstream`
+- [ ] Push new `tor-browser` branch to `upstream`
+- [ ] Push new `$(ESR_TAG)` to `upstream`
+
+### **Rebase tor-browser**
+
+- [ ] Checkout a new local branch for the `tor-browser` rebase
+  - **Example**: `git branch tor-browser-rebase FIREFOX_115_18_0esr_BUILD1`
+- [ ] **(Optional)** `base-browser` rebase
+  - **NOTE** This step may be skipped if the `HEAD` of the previous `base-browser` branch is a `-buildN` tag
+  - [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `buildN` tag onto new `base-browser` rebase branch
+    - **Example**: `git cherry-pick FIREFOX_115_17_0esr_BUILD1..base-browser-115.17.0esr-13.5-1-build2`
+  - [ ] Rebase and autosquash these cherry-picked commits
+    - **Example**: `git rebase --autosquash --interactive FIREFOX_115_18_0esr_BUILD1 HEAD`
+  - [ ] Cherry-pick remainder of patches after the `buildN` tag
+    - **Example**: `git cherry-pick base-browser-115.17.0esr-13.5-1-build21..upstream/base-browser-115.17.0esr-13.5-1`
+- [ ] `tor-browser` rebase
+  - [ ] Note the current git hash of `HEAD` for `tor-browser` rebase+autosquash step: `git rev-parse HEAD`
+  - [ ] Cherry-pick the appropriate previous `tor-browser` branch's commit range up to the last `tor-browser` `buildN` tag
+    - **Example**: `git cherry-pick base-browser-115.17.0esr-13.5-1-build1..tor-browser-115.17.0esr-13.5-1-build2
+    - **Example (if separate base-browser rebase was skipped)**: `git cherry-pick FIREFOX_115_17_0esr_BUILD1..tor-browser-115.17.0esr-13.5-1-build2`
+  - [ ] Rebase and autosquash these newly cherry-picked commits: `git rebase --autosquash --interactive $(PREV_HEAD)`
+     - **Example**: `git rebase --autosquash --interactive FIREFOX_115_18_0esr_BUILD1`
+  - [ ] Cherry-pick remainder of patches after the last `tor-browser` `buildN` tag
+    - **Example**: `git cherry-pick tor-browser-115.17.0esr-13.5-1-build1..upstream/tor-browser-115.17.0esr-13.5-1`
+  - [ ] Rebase and autosquash again, this time replacing all `fixup` and `squash` commands with `pick`. The goal here is to have all of the `fixup` and `squash` commits beside the commit which they modify, but kept un-squashed for easy debugging/bisecting.
+    - **Example**: `git rebase --autosquash --interactive FIREFOX_115_18_0esr_BUILD1`
+- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution:
+  - [ ] diff of diffs:
+    -  Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or -
+    - `git diff $(ESR_TAG_PREV)..$(BROWSER_BRANCH_PREV) > current_patchset.diff`
+    - `git diff $(ESR_TAG)..$(BROWSER_BRANCH) > rebased_patchset.diff`
+    - diff `current_patchset.diff` and `rebased_patchset.diff`
+      - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` (unless the previous `base-browser` branch includes changes not included in the previous `tor-browser` branch)
+  - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD`
+    - **Example**: `git range-dif FIREFOX_115_17_0esr_BUILD1..upstream/tor-browser-115.17.0esr-13.5-1 FIREFOX_115_18_0esr_BUILD1..HEAD`
+- [ ] Open MR for the `tor-browser` rebase
+- [ ] Merge
+- Update and push `base-browser` branch
+  - [ ] Reset the new `base-browser` branch to the appropriate commit in this new `tor-browser` branch
+  - [ ] Push these commits to `upstream`
+
+### **Sign and Tag**
+
+- [ ] Sign/Tag `HEAD` of the merged `tor-browser` branch:
+  - In **tor-browser.git**, checkout the new legacy `tor-browser` branch
+  - In **tor-browser-build.git**, run signing script:
+    ```bash
+    ./tools/browser/sign-tag.torbrowser legacy build1
+    ```
+  - [ ] Push tag to `upstream`
+- [ ] Sign/Tag HEAD of the merged `base-browser` branch:
+  - In **tor-browser.git**, checkout the new legacy `base-browser` branch
+  - In **tor-browser-build.git**, run signing script:
+    ```bash
+    ./tools/browser/sign-tag.basebrowser legacy build1
+    ```
+  - [ ] Push tag to `upstream`
+
+/label ~"Apps::Type::Rebase"

.gitlab/issue_templates/Rebase Browser - Rapid.md

+- **NOTE**: All examples in this template reference the rebase from Firefox 129.0a1 to 130.0a1
+- **TODO**:
+  - Documentation step for any difficulties or noteworthy things for each rapid rebase
+
+<details>
+  <summary>Explanation of Channels</summary>
+
+  There are unfortunately some collisions between how we and Mozilla name our release channels which can make things confusing:
+  - **Firefox**:
+    - **Nightly**: \_START and \_END tags, version in the format `$(MAJOR).$(MINOR)a1`
+      - **Example**: Firefox Nightly 130 was `130.0a1`
+      - **Note**: Nightly is 2 major versions ahead of the current Release
+    - **Beta**: tagged each Monday, Wednesday, and Friday until release, version in the format `$(MAJOR).$(MINOR)b$(PATCH)`
+      - **Example**: the first Firefox Beta 130 was `130.0b1`
+      - **Note**: Beta is 1 major version ahead of the current Release, should be irrelevant to us
+    - **Release**: tagged monthly, version in the format `$(MAJOR).$(MINOR)` or `$(MAJOR).$(MINOR).$(PATCH)`
+      - **Example** Firefox Release 130 was `130.0`
+    - **ESR**: tagged monthly, version in the format `$(ESR_MAJOR).$(ESR_MINOR).$(ESR_PATCH)esr`
+      - **Example**: Firefox ESR 128.1 is `128.1.0esr`
+  - **Tor+Mullvad Browser**:
+    - **Rapid**: tagged monthly, based on the latest Firefox Nightly
+    - **Nightly**: not tagged, built nightly from our current Alpha branch's `HEAD`
+    - **Alpha**: tagged monthly, based on the latest Firefox ESR
+    - **Stable**: tagged monthly, based on oldest supported Firefox ESR
+
+</details>
+
+<details>
+  <summary>Branching Overview</summary>
+
+  Rebasing Tor Browser Rapid onto the current Firefox Nightly is a bit more confusing/involved than rebasing Tor Browser Alpha or Stable from one minor ESR to the next minor ESR.
+
+  The general process basically involves rebasing the previous Firefox Nightly-based Tor Browser Rapid onto the latest Firefox Nightly, and then cherry-picking all of the commits from the previous Firefox ESR-based Tor Browser Alpha after that channel's `build1` tag. This process presumes that the previous Tor Browser Alpha branch is locked and receiving no more changes.
+
+  This diagram provides a high-level view of the overall code-flow for rebasing/cherry-picking commits from Tor Browser Alpha based on Firefox 128.1.0esr and Tor Browser Rapid based on Firefox 129.0a1 onto Firefox 130.0a1:
+
+  ```mermaid
+%%{init: { 'themeVariables': {'git0': '#0072b2', 'gitBranchLabel0': '#fff', 'git1': "#e69f00", 'gitBranchLabel1': '#fff', 'git2': '#009e73', 'gitBranchLabel2': '#fff', 'git3': '#cc79a7', 'gitBranchLabel3': '#fff'}, 'gitGraph': {'mainBranchName': 'tor-browser-128.1.0esr-14.5-1'}} }%%
+gitGraph:
+    branch tor-browser-129.0a1-15.0-2
+    branch tor-browser-130.0a1-15.0-1
+    branch tor-browser-130.0a1-15.0-2
+
+    checkout tor-browser-128.1.0esr-14.5-1
+    commit id: "FIREFOX_128_1_0esr_BUILD1"
+    commit id: "base-browser-128.1.0esr-14.5-1-build1"
+    commit id: "tor-browser-128.1.0esr-14.5-1-build1"
+    commit id: "tor-browser-128.1.0esr-14.5-1-build2"
+
+    checkout tor-browser-129.0a1-15.0-2
+    commit id: "FIREFOX_NIGHTLY_129_END"
+    %% commit id: "tor-browser-129.0a1-15.0-2-build1"
+
+    checkout tor-browser-130.0a1-15.0-1
+    commit id: "FIREFOX_NIGHTLY_130_END"
+
+    checkout tor-browser-130.0a1-15.0-2
+    commit id: "FIREFOX_NIGHTLY_130_END "
+
+    checkout tor-browser-130.0a1-15.0-1
+    merge tor-browser-129.0a1-15.0-2
+
+    checkout tor-browser-130.0a1-15.0-2
+    merge tor-browser-130.0a1-15.0-1
+
+
+    checkout tor-browser-129.0a1-15.0-2
+    commit id: "tor-browser-129.0a1-15.0-2-build1"
+
+    checkout tor-browser-130.0a1-15.0-1
+    merge tor-browser-129.0a1-15.0-2 id: "tor-browser-130.0a1-15.0-1-build1"
+
+    checkout tor-browser-130.0a1-15.0-2
+    merge tor-browser-130.0a1-15.0-1
+
+    checkout tor-browser-130.0a1-15.0-1
+    merge tor-browser-128.1.0esr-14.5-1
+
+    checkout tor-browser-130.0a1-15.0-2
+    merge tor-browser-130.0a1-15.0-1
+
+    checkout tor-browser-128.1.0esr-14.5-1
+    commit id: "tor-browser-128.1.0esr-14.5-1"
+
+    checkout tor-browser-130.0a1-15.0-1
+    merge tor-browser-128.1.0esr-14.5-1 id:"tor-browser-130.0a1-15.0-1-build2"
+
+    checkout tor-browser-130.0a1-15.0-2
+
+    merge tor-browser-130.0a1-15.0-1
+    commit id: "tor-browser-130.0a1-15.0-2-build1"
+
+  ```
+
+  In this concrete example, the rebaser performs the following steps:
+  - create new `tor-browser-130.0a1-15.0-1`, and `tor-browser-130.0a1-15.0-2` branches from the `FIREFOX_NIGHTLY_130_END` tag.
+    - these will be the rebase review branches
+  - onto `tor-browser-130.0a1-15.0-1`, cherry-pick the range `FIREFOX_NIGHTLY_129_END..tor-browser-129.0a1-15.0-2-build1` (i.e. the Firefox Nightly 129-based Tor Browser Rapid commits)
+    - this updates the previous Tor Browser Rapid onto Firefox Nightly 130
+  - cherry-pick the new alpha patches onto `tor-browser-130.0a1-15.0-1` (i.e. cherry-pick `tor-browser-128.1.0esr-14.5-1-build2..origin/tor-browser-128.1.0esr-14.5-1`)
+  - onto `tor-browser-130.0a1-15.0-2`, rebase and autosquash the `FIREFOX_NIGHTLY_130_END..tor-browser-130.0a1-15.0-2-build1` commit range
+  - onto `tor-browser-130.0a1-15.0-2`, cherry-pick the remaining commit range `tor-browser-130.0a1-15.0-2-build1..origin/tor-browser-130.0a1-15.0-2`
+  - re-order any remaining fixup! commits to be adjacent to their parents (i.e. the same rebase command queue as one would get from `git rebase --autosquash`, but with the `fixup!` commands replaced with `pick!` commands).
+    - this re-organises the branch in a nicely-bisectable way, and will ensure the rebase+autosquash step for the next release *should* succeed without any additional effort
+
+</details>
+
+<details>
+  <summary>Explanation of Variables</summary>
+
+- `$(NIGHTLY_VERSION)`: the Mozilla defined nightly version, used in various places for building tor-browser tags, labels, etc
+  - **Example**: `130.0a1`
+- `$(NIGHTLY_TAG)`: the Mozilla defined hg (Mercurial) tag associated with `$(NIGHTLY_VERSION)`
+  - **Example**: `FIREFOX_NIGHTLY_130_END`
+- `$(NIGHTLY_TAG_PREV)`: the Mozilla defined hg (Mercurial) tag associated with the previous nightly version when rebasing (ie, the nightly version we are rebasing from)
+  - **Example**: `FIREFOX_NIGHTLY_129_END`
+- `$(BROWSER_VERSION)`: the browser version which will first be based on the next major ESR version this *Firefox* Nightly series is leading up to
+  - **Example**: `15`
+- `$(TOR_BROWSER_BRANCH)`: the full name of the current `tor-browser` branch based off of the Firefox Nightly channel
+  - **Example**: `tor-browser-130.0a1-15.0-1`
+- `$(TOR_BROWSER_BRANCH_PREV)`: the full name of the previous `tor-browser` branch based off of the Firefox Nightly channel
+  - **Example**: `tor-browser-129.0a1-15.0-1`
+</details>
+
+### Update Branch Protection Rules
+
+- [ ] In [Repository Settings](https://gitlab.torproject.org/tpo/applications/tor-browser/-/settings/repository):
+  - [ ] Remove previous nightly `tor-browser` branch protection rules (this will prevent pushing new changes to the branches being rebased)
+  - [ ] Create new `tor-browser` branch protection rule:
+    - **Branch**: `tor-browser-$(NIGHTLY_VERSION)-$(BROWSER_VERSION)-*`
+      - **Example**: `tor-browser-130.0a1-15.0-*`
+    - **Allowed to merge**: `Maintainers`
+    - **Allowed to push and merge**: `Maintainers`
+    - **Allowed to force push**: `false`
+    - ⚠️ **IMPORTANT**: If you copied and pasted from old rules, double check you didn't add spaces at the end, as GitLab will not trim them!
+
+### **Create New Branches**
+
+- [ ] Find the Firefox mercurial tag `$(NIGHTLY_TAG)`
+  - Go to https://hg.mozilla.org/mozilla-central/tags
+  - Find and inspect the commit tagged with `$(NIGHTLY_TAG)`
+    - Tags are in yellow in the Mercurial web UI
+  - Find the equivalent commit in https://github.com/mozilla/gecko-dev/commits/master
+    - **Notice**: GitHub sorts commits by time, you might want to use `git log gecko-dev/master` locally, instead
+    - Using the differential revision link is useful to quickly find the git commit
+  - Sign/Tag the `gecko-dev` commit: `git tag -as $(NIGHTLY_TAG) $(GIT_HASH) -m "Hg tag $(NIGHTLY_TAG)"`
+- [ ] Create two new rapid `tor-browser` branches from Firefox mercurial tag
+  - Branch name in the form: `tor-browser-$(NIGHTLY_VERSION)-$(BROWSER_VERSION)-${BRANCH_NUM}`
+  - **Example**: `tor-browser-130.0a1-15.0-1` and `tor-browser-130.0a1-15.0-2`
+- [ ] Push new `tor-browser` branches and the `firefox` tag to `upstream`
+
+### **Rebase previous `-2` rapid branch's HEAD onto current `-1` rapid branch**
+
+- **Desired outcome**:
+  - An easy to review branch with the previous rapid branch rebased onto the latest Firefox Nighty tag
+  - It must be possible to run `git range-diff` between the previous `-2` and the new branch
+    - We want to see only the effects of the rebase
+    - No autosquash should happen at this point
+  - **Expected difficulties**:
+    - Conflicts with upstream developments
+    - Sometimes it will be hard to keep a feature working. It's fine to drop it, and create an issue to restore it after a deeper investigation.
+- [ ] Checkout a new local branch for the first part of the `-1` rebase
+  - **Example**: `git checkout -b rapid-rebase-part1 origin/tor-browser-130.0a1-15.0-1`
+- [ ] Firefox Nightly-based `tor-browser` rebase:
+  - [ ] cherry-pick previous Tor Browser Rapid `-2` branch to new `-1` rebase branch
+    - **Example**: `git cherry-pick FIREFOX_NIGHTLY_129_END..origin/tor-browser-129.0a1-15.0-2`
+- [ ] Rebase Verification:
+    - [ ] Clean range-diff between the previous rapid branch and current rebase branch
+      - **Example**:
+        ```bash
+        git range-diff FIREFOX_NIGHTLY_129_END..origin/tor-browser-129.0a1-15.0-2 FIREFOX_NIGHTLY_130_END..rapid-rebase-part1
+        ```
+    - [ ] Optional: clean diff of diffs between previous rapid branch and current rebase branch
+      - **Example**:
+        ```bash
+        git diff FIREFOX_NIGHTLY_129_END origin/tor-browser-129.0a1-15.0-2 > 129.diff
+        git diff FIREFOX_NIGHTLY_130_END HEAD > 130.diff
+        # A two-column diff tool is suggested rather than plain-diff, e.g., meld on Linux.
+        meld 129.diff 130.diff
+        ```
+      - **Note**: Only differences should be due to resolving merge conflicts with upstream changes from Firefox Nightly
+- [ ] Open MR
+- [ ] Merge
+- [ ] Sign/Tag `HEAD` of the merged `tor-browser` branch:
+  - In **tor-browser.git**, checkout the `-1` rapid `tor-browser` branch
+  - In **tor-browser-build.git**, run signing script:
+    ```bash
+    ./tools/browser/sign-tag.torbrowser rapid build1
+    ```
+  - [ ] Push tag to `upstream`
+
+### **Port new alpha patches to `-1`**
+
+- **Desired outcome**:
+  - The previous release-cycle's new alpha patches cherry-picked to the end of the current nightly
+  - It must be possible to run `git range-diff ESR-build1..ESR NIGHTLY-build1..`
+  - **Expected difficulties**:
+    - Conflicts with upstream developments (similar to the previous part)
+    - The range might contain cherry-picked upstream commits, which will result in empty commits: it's fine to skip them
+  - **Note**: The Tor Browser Alpha branch should be closed at this point and not receiving any more MRs
+- [ ] Checkout a new local branch for the second part of the `-1` rebase
+  - **Example**: `git checkout -b rapid-rebase-part2 origin/tor-browser-130.0a1-15.0-1`
+- [ ] Cherry-pick the new `tor-browser` alpha commits (i.e. the new dangling commits which did not appear in the previous Tor Browser Alpha release):
+  - **Example** `git cherry-pick tor-browser-128.1.0esr-14.5-1-build1..origin/tor-browser-128.1.0esr-14.5-1`
+- [ ] Rebase Verification
+  - [ ] Clean range-diff between the alpha patch set ranges
+    - **Example**:
+      ```bash
+      git range-diff tor-browser-128.1.0esr-14.5-1-build1..origin/tor-browser-128.1.0esr-14.5-1 origin/tor-browser-130.0a1-15.0-1..HEAD
+      ```
+  - [ ] Clean diff of diffs between the alpha patch set ranges
+    - **Example**:
+      ```bash
+      git diff tor-browser-128.1.0esr-14.5-1-build1 origin/tor-browser-128.1.0esr-14.5-1 > 128.1.0esr.diff
+      git diff origin/tor-browser-130.0a1-15.0-1 HEAD > 130.diff
+      # A two-column diff tool is suggested rather than plain-diff, e.g., meld on Linux.
+      meld 128.1.0esr.diff 130.diff
+      ```
+    - **Note**: Only differences should be due to resolving merge conflicts with upstream changes from Firefox Nightly
+- [ ] Open MR
+- [ ] Merge
+- [ ] Sign/Tag `HEAD` of the merged `tor-browser` branch:
+  - In **tor-browser.git**, checkout the `-1` rapid `tor-browser` branch
+  - In **tor-browser-build.git**, run signing script:
+    ```bash
+    ./tools/browser/sign-tag.torbrowser rapid build2
+    ```
+  - [ ] Push tag to `upstream`
+
+### **Squash and Reorder tor-browser `-1` branch to new `-2` branch**
+- **Desired outcome**:
+  - The rapid branch from the previous step prepared for the next nightly
+  - **Rationale**:
+    - We squash a lot of commits. We want to keep them a little bit longer rather than squashing them immediately for troubleshooting and documentation purposes.
+    - Doing this as a separate pass helps to separate errors due to upstream changes from errors due to processes created by our workflow.
+  - **Expected difficulties**:
+    - our patches aren't disjoint, therefore we might have conflicts when shuffling them around.
+- [ ] Checkout a new local branch for the `-2` rebase, aligned to -1-build1
+  - **Example**: `git checkout -b rapid-rebase-part3 tor-browser-130.0a1-15.0-1-build1`
+- [ ] Rebase with autosquash. This step should be trivial and not involve any conflicts.
+  - **Example**: `git rebase -i --autosquash FIREFOX_NIGHTLY_130_END`
+- [ ] Cherry-pick the remaining commits
+  - **Example**: `git cherry-pick tor-browser-130.0a1-15.0-1-build1..upstream/tor-browser-130.0a1-15.0-1`
+- [ ] Create a branch for self-reviewing purposes, or take note of the current commit hash somewhere
+  - **Example**: `git branch rapid-rebase-part3-review`
+  - You do not need to publish this, and you can delete it at the end of the process (`git branch -D rapid-rebase-part3-review`)
+  - When you are a reviewer, it might be useful to repeat these steps locally. They should not involve mental overhead (and PieroV has a script to automate this)
+- [ ] Rebase and reorder commits (i.e. replace `fixup `, `fixup -C ` and `squash ` with `pick ` commands)
+  - Notice the space at the end, to avoid replacing `fixup!` with `pick!` in the commit subject, even though git will probably not care of such changes
+- [ ] Rebase Verification
+  - [ ] Clean range-diff between the temporary review branch and the final branch
+    - **Example**:
+      ```bash
+      git range-diff FIREFOX_NIGHTLY_130_END..rapid-rebase-part3-review FIREFOX_NIGHTLY_130_END..rapid-rebase-part3
+      ```
+    - If you are the reviewer, it should be trivial to create such a branch on your own, as no shuffling is involved
+  - [ ] Clean diff of diffs between rapid branches
+    - **Example**:
+      ```bash
+      git diff FIREFOX_NIGHTLY_130_END tor-browser-130.0a1-15.0-1-build2 > 130-1.diff
+      git diff FIREFOX_NIGHTLY_130_END HEAD > 130-2.diff
+      ```
+  - [ ] Understandable range-diff (i.e. `fixup!` patches are distributed from end of branch next to their parent)
+    - **Example**:
+      ```bash
+      git range-diff FIREFOX_NIGHTLY_130_END..tor-browser-130.0a1-15.0-1-build2 FIREFOX_NIGHTLY_130_END..HEAD
+      ```
+- [ ] Open MR
+- [ ] Merge
+- [ ] Sign/Tag `HEAD` of the merged `tor-browser` branch:
+  - In **tor-browser.git**, checkout the `-2` rapid `tor-browser` branch
+  - In **tor-browser-build.git**, run signing script:
+    ```bash
+    ./tools/browser/sign-tag.torbrowser rapid build1
+    ```
+  - [ ] Push tag to `upstream`
+
+### **Create and Tag base-browser `-2` branch**
+- [ ] Find the last commit in the merged `-2` `tor-browser` branch with a `BB XXXXX...` subject
+- [ ] Create new branch from this commit
+  - Branch name in the form: `base-browser-$(NIGHTLY_VERSION)-$(BROWSER_VERSION)-2`
+  - **Example**: `base-browser-130.0a1-15.0-2`
+- [ ] Push branch to `upstream`
+- [ ] Sign/Tag latest `HEAD` of the merged `base-browser` branch:
+  - In **tor-browser.git**, checkout the `-2` rapid `tor-browser` branch
+  - In **tor-browser-build.git**, run signing script:
+    ```bash
+    ./tools/browser/sign-tag.basebrowser rapid build1 ${COMMIT}
+    ```
+  - [ ] Push tag to `upstream`
+
+/label ~"Apps::Type::Rebase"

.gitlab/issue_templates/Rebase Browser - Stable.md

+**NOTE:** All examples in this template reference the rebase from 102.7.0esr to 102.8.0esr
+
+<details>
+  <summary>Explanation of Variables</summary>
+
+- `$(ESR_VERSION)`: the Mozilla defined ESR version, used in various places for building tor-browser tags, labels, etc
+  - **Example**: `102.8.0`
+- `$(ESR_TAG)`: the Mozilla defined hg (Mercurial) tag associated with `$(ESR_VERSION)`
+  - **Example**: `FIREFOX_102_8_0esr_RELEASE`
+- `$(ESR_TAG_PREV)`: the Mozilla defined hg (Mercurial) tag associated with the previous ESR version when rebasing (ie, the ESR version we are rebasing from)
+  - **Example**: `FIREFOX_102_7_0esr_BUILD1`
+- `$(BROWSER_MAJOR)`: the browser major version
+  - **Example**: `12`
+- `$(BROWSER_MINOR)`: the browser minor version
+  - **Example**: either `0` or `5`; Alpha's is always `(Stable + 5) % 10`
+- `$(BASE_BROWSER_BRANCH)`: the full name of the current `base-browser` branch
+  - **Example**: `base-browser-102.8.0esr-12.0-1`
+- `$(BASE_BROWSER_BRANCH_PREV)`: the full name of the previous `base-browser` branch
+  - **Example**: `base-browser-102.7.0esr-12.0-1`
+- `$(TOR_BROWSER_BRANCH)`: the full name of the current `tor-browser` branch
+  - **Example**: `tor-browser-102.8.0esr-12.0-1`
+- `$(TOR_BROWSER_BRANCH_PREV)`: the full name of the previous `tor-browser` branch
+  - **Example**: `tor-browser-102.7.0esr-12.0-1`
+</details>
+
+### **Bookkeeping**
+
+- [ ] Link this issue to the appropriate [Release Prep](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/?sort=updated_desc&state=opened&label_name%5B%5D=Apps%3A%3AType%3A%3AReleasePreparation) issue.
+
+### Update Branch Protection Rules
+
+- [ ] In [Repository Settings](https://gitlab.torproject.org/tpo/applications/tor-browser/-/settings/repository):
+  - [ ] Remove previous stable `base-browser` and `tor-browser` branch protection rules (this will prevent pushing new changes to the branches being rebased)
+  - [ ] Create new `base-browser` and `tor-browser` branch protection rule:
+    - **Branch**: `*-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1*`
+      - **Example**: `*-102.8.0esr-12.0-1*`
+    - **Allowed to merge**: `Maintainers`
+    - **Allowed to push and merge**: `Maintainers`
+    - **Allowed to force push**: `false`
+
+### **Identify the Firefox Tagged Commit and Create New Branches**
+
+- [ ] Find the Firefox mercurial tag here: https://hg.mozilla.org/releases/mozilla-esr102/tags
+   - **Example**: `FIREFOX_102_8_0esr_BUILD1`
+- [ ] Find the analogous `gecko-dev` commit: https://github.com/mozilla/gecko-dev
+  - **Tip**: Search for unique string (like the Differential Revision ID) found in the mercurial commit in the `gecko-dev/esr102` branch to find the equivalent commit
+  - **Example**: `3a3a96c9eedd02296d6652dd50314fccbc5c4845`
+- [ ] Sign and Tag `gecko-dev` commit
+  - Sign/Tag `gecko-dev` commit :
+    - **Tag**: `$(ESR_TAG)`
+    - **Message**: `Hg tag $(ESR_TAG)`
+- [ ] Create new stable `base-browser` branch from tag
+  - Branch name in the form: `base-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1`
+  - **Example**: `base-browser-102.8.0esr-12.0-1`
+- [ ] Create new stable `tor-browser` branch from
+  - Branch name in the form: `tor-browser-$(ESR_VERSION)esr-$(BROWSER_MAJOR).$(BROWSER_MINOR)-1`
+  - **Example**: `tor-browser-102.8.0esr-12.0-1`
+- [ ] Push new `base-browser` branch to `upstream`
+- [ ] Push new `tor-browser` branch to `upstream`
+- [ ] Push new `$(ESR_TAG)` to `upstream`
+
+### **Rebase tor-browser**
+
+- [ ] Checkout a new local branch for the `tor-browser` rebase
+  - **Example**: `git branch tor-browser-rebase FIREFOX_102_8_0esr_BUILD1`
+- [ ] **(Optional)** `base-browser` rebase
+  - **NOTE** This step may be skipped if the `HEAD` of the previous `base-browser` branch is a `-buildN` tag
+  - [ ] Cherry-pick the previous `base-browser` commits up to `base-browser`'s `buildN` tag onto new `base-browser` rebase branch
+    - **Example**: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..base-browser-102.7.0esr-12.0-1-build1`
+  - [ ] Rebase and autosquash these cherry-picked commits
+    - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_BUILD1 HEAD`
+  - [ ] Cherry-pick remainder of patches after the `buildN` tag
+    - **Example**: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1..upstream/base-browser-102.7.0esr-12.0-1`
+- [ ] `tor-browser` rebase
+  - [ ] Note the current git hash of `HEAD` for `tor-browser` rebase+autosquash step: `git rev-parse HEAD`
+  - [ ] Cherry-pick the appropriate previous `tor-browser` branch's commit range up to the last `tor-browser` `buildN` tag
+    - **Example**: `git cherry-pick base-browser-102.7.0esr-12.0-1-build1..tor-browser-102.7.0esr-12.0-1-build1`
+    - **Example (if separate base-browser rebase was skipped)**: `git cherry-pick FIREFOX_102_7_0esr_BUILD1..tor-browser-102.7.0esr-12.0-1-build1`
+  - [ ] Rebase and autosquash these newly cherry-picked commits: `git rebase --autosquash --interactive $(PREV_HEAD)`
+     - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_RELEASE`
+  - [ ] Cherry-pick remainder of patches after the last `tor-browser` `buildN` tag
+    - **Example**: `git cherry-pick tor-browser-102.7.0esr-12.0-1-build1..upstream/tor-browser-102.7.0esr-12.0-1`
+  - [ ] Rebase and autosquash again, this time replacing all `fixup` and `squash` commands with `pick`. The goal here is to have all of the `fixup` and `squash` commits beside the commit which they modify, but kept un-squashed for easy debugging/bisecting.
+    - **Example**: `git rebase --autosquash --interactive FIREFOX_102_8_0esr_RELEASE`
+- [ ] Compare patch sets to ensure nothing *weird* happened during conflict resolution:
+  - [ ] diff of diffs:
+    -  Do the diff between `current_patchset.diff` and `rebased_patchset.diff` with your preferred difftool and look at differences on lines that starts with + or -
+    - `git diff $(ESR_TAG_PREV)..$(BROWSER_BRANCH_PREV) > current_patchset.diff`
+    - `git diff $(ESR_TAG)..$(BROWSER_BRANCH) > rebased_patchset.diff`
+    - diff `current_patchset.diff` and `rebased_patchset.diff`
+      - If everything went correctly, the only lines which should differ should be the lines starting with `index abc123...def456` (unless the previous `base-browser` branch includes changes not included in the previous `tor-browser` branch)
+  - [ ] rangediff: `git range-diff $(ESR_TAG_PREV)..$(TOR_BROWSER_BRANCH_PREV) $(ESR_TAG)..HEAD`
+    - **Example**: `git range-dif FIREFOX_102_7_0esr_BUILD1..upstream/tor-browser-102.7.0esr-12.0-1 FIREFOX_102_8_0esr_BUILD1..HEAD`
+- [ ] Open MR for the `tor-browser` rebase
+- [ ] Merge
+- Update and push `base-browser` branch
+  - [ ] Reset the new `base-browser` branch to the appropriate commit in this new `tor-browser` branch
+  - [ ] Push these commits to `upstream`
+
+### **Sign and Tag**
+
+- [ ] Sign/Tag `HEAD` of the merged `tor-browser` branch:
+  - In **tor-browser.git**, checkout the new stable `tor-browser` branch
+  - In **tor-browser-build.git**, run signing script:
+    ```bash
+    ./tools/browser/sign-tag.torbrowser stable build1
+    ```
+  - [ ] Push tag to `upstream`
+- [ ] Sign/Tag HEAD of the merged `base-browser` branch:
+  - In **tor-browser.git**, checkout the new stable `base-browser` branch
+  - In **tor-browser-build.git**, run signing script:
+    ```bash
+    ./tools/browser/sign-tag.basebrowser stable build1
+    ```
+  - [ ] Push tag to `upstream`
+
+/label ~"Apps::Type::Rebase"