This repository was archived by the owner on Sep 30, 2024. It is now read-only.

[Backport 5.5.x] Integrate security release approval into release pipeline#64030

Merged
willdollman merged 1 commit into
5.5.xfrom
backport-63990-to-5.5.x
Jul 24, 2024

Conversation

@sourcegraph-release-bot

Collaborator

As part of the Vuln Scanning Improvements project, I've been working on tooling to automate the security approval step of the release process.

This PR integrates these improvements into the release pipeline:

  • Internal releases will run a vulnerability scan
  • Promote-to-public releases will check for security approval

If a public release does not have security approval, it will block the promotion process. The step happens at the start of the pipeline so should be a fast-fail. You can also check for release approval before running promotion by running @secbot cve approve-release <version> in the #secbot-commands channel. In an ideal world we (security) will have already gone through and approved ahead of release.

I've tested this PR as much as I can without running an actual release! We have a 5.5.x release tomorrow so it'll be a good test. If it does cause problems that can't be easily solved, it can always be temporarily disabled.

I've tagged this PR to be backported to 5.5.x.

Pre-merge checklist

  • Revert commit that disables release promotion

Test plan

Manual testing of the release process:

Changelog


Backport 9dd901f from #63990

As part of the [Vuln Scanning
Improvements](https://linear.app/sourcegraph/project/[p0]-vulnerability-scanning-improvements-75299c4312dd/issues)
project, I've been working on tooling to automate the security approval
step of the release process.

This PR integrates these improvements into the release pipeline:

* Internal releases will run a vulnerability scan
* Promote-to-public releases will check for security approval

If a public release does not have security approval, it will block the
promotion process. The step happens at the start of the pipeline so
should be a fast-fail. You can also check for release approval before
running promotion by running `@secbot cve approve-release <version>` in
the #secbot-commands channel. In an ideal world we (security) will have
already gone through and approved ahead of release.

I've tested this PR as much as I can without running an actual release!
We have a 5.5.x release tomorrow so it'll be a good test. If it does
cause problems that can't be easily solved, it can always be temporarily
disabled.

I've tagged this PR to be backported to `5.5.x`.


## Pre-merge checklist

- [x] Revert commit that disables release promotion

## Test plan

Manual testing of the release process:
- [x] [Successful test
run](https://buildkite.com/sourcegraph/sourcegraph/builds/283774#0190dfd6-fa70-4cea-9711-f5b8493c7714)
that shows the security scan being triggered
- [x] [Promote to public test
run](https://buildkite.com/sourcegraph/sourcegraph/builds/283826) that
shows the security approval approving a release
- [x] [Promote to public test
run](https://buildkite.com/sourcegraph/sourcegraph/builds/283817#0190e0ec-0641-4451-b7c7-171e664a3127)
that shows the security approval rejecting a release with un-accepted
CVEs


## Changelog


(cherry picked from commit 9dd901f)
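The gate described in the description and exercised by the three test runs above (scan on internal release, approval check on promote-to-public, fast-fail on un-accepted CVEs) has the following core logic. This is an added illustration, not Sourcegraph's pipeline code or secbot's implementation: the `Finding` and `ApprovalRecord` shapes, the `GatePromotion` function and the in-memory `approvals` map standing in for whatever secbot stores are all assumptions; the sample CVE ids and package names are constructed.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// Finding is one vulnerability reported by the internal-release scan.
// Hypothetical shape: the PR does not show the scanner's output format.
type Finding struct {
	CVE     string
	Package string
}

// ApprovalRecord is the security team's sign-off for one release version,
// listing the CVEs that were triaged and accepted for it (hypothetical shape;
// in the real pipeline this would come from secbot, not a local map).
type ApprovalRecord struct {
	Version      string
	AcceptedCVEs []string
}

// Decision is the gate's verdict for a promote-to-public run.
type Decision struct {
	Approved bool
	Reason   string   // one-line explanation for the build log
	Blocking []string // distinct CVEs in the scan that no approval covers
}

func normalizeCVE(id string) string {
	return strings.ToUpper(strings.TrimSpace(id))
}

// distinctCVEs returns the sorted, de-duplicated CVE ids from the findings,
// so a CVE that affects several packages is reported once.
func distinctCVEs(findings []Finding) []string {
	seen := map[string]struct{}{}
	var ids []string
	for _, f := range findings {
		id := normalizeCVE(f.CVE)
		if _, dup := seen[id]; dup {
			continue
		}
		seen[id] = struct{}{}
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// GatePromotion approves only when an approval record exists for exactly this
// version and every CVE the scan found is in that record's accepted list.
// A missing record blocks even a clean scan: approval is an explicit act by
// security, not the absence of findings.
func GatePromotion(version string, findings []Finding, approvals map[string]ApprovalRecord) Decision {
	found := distinctCVEs(findings)
	rec, ok := approvals[version]
	if !ok {
		return Decision{Reason: "no security approval recorded for " + version, Blocking: found}
	}
	accepted := make(map[string]struct{}, len(rec.AcceptedCVEs))
	for _, c := range rec.AcceptedCVEs {
		accepted[normalizeCVE(c)] = struct{}{}
	}
	var blocking []string
	for _, id := range found {
		if _, ok := accepted[id]; !ok {
			blocking = append(blocking, id)
		}
	}
	if len(blocking) > 0 {
		return Decision{Reason: "un-accepted CVEs in scan", Blocking: blocking}
	}
	return Decision{Approved: true, Reason: "security approval present and all findings accepted"}
}

// main runs the gate on constructed sample data and exits non-zero when the
// release is blocked, which is what makes a pipeline step fail fast.
func main() {
	version := "5.5.1" // constructed sample version, not a real release
	findings := []Finding{
		{CVE: "CVE-2024-0001", Package: "libexample"},
		{CVE: "CVE-2024-0001", Package: "libexample-dev"},
		{CVE: "CVE-2024-0002", Package: "othertool"},
	}
	approvals := map[string]ApprovalRecord{
		"5.5.1": {Version: "5.5.1", AcceptedCVEs: []string{"cve-2024-0001"}},
	}
	d := GatePromotion(version, findings, approvals)
	if !d.Approved {
		fmt.Fprintf(os.Stderr, "promotion blocked for %s: %s %v\n", version, d.Reason, d.Blocking)
		os.Exit(1)
	}
	fmt.Printf("promotion approved for %s: %s\n", version, d.Reason)
}
```

Running this as the first step of a promotion pipeline gives the fast-fail behaviour the description asks for: the process exits 1 with the blocking CVE list before any artifact is touched. The version match is deliberately exact, so an approval for `5.5.1` does not carry over to `5.5.2`; re-approval after a rebuild is the safer default.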
@craigfurman

Contributor

@willdollman according to https://sourcegraph.slack.com/archives/C05EH3JP15Z/p1721680927230389?thread_ts=1721668960.153519&cid=C05EH3JP15Z, the branch protection rules should be off. Since this is made by the bot, are you able to approve and merge?

Ironically, as a member of the team that used to block that branch protection rule, but without repo admin access to check settings, I can't check this 😂

@willdollman

willdollman commented Jul 24, 2024

Contributor

@craigfurman approved, but I'll wait for buildkite to pass before merging (looks like the failure was a test flake).

@willdollman willdollman merged commit 0f4cbff into 5.5.x Jul 24, 2024
@willdollman willdollman deleted the backport-63990-to-5.5.x branch July 24, 2024 09:42