Since the release branch is protected, the process is a little different. If a developer wants to merge the GitLab master into a protected branch, the proper approach is to perform a merge request.

A remote prompt injection flaw in GitLab Duo allowed attackers to steal private source code and inject malicious HTML. GitLab has since patched the issue.