Add CI job to enforce security assessments

[vdonato]

📚 Context

This PR adds a simple CI job that fails unless the security-assessment-completed label has been
added to the PR. The intention here is to simply ensure that we don't merge PRs without being reminded
to go through the security assessment process if the PR warrants it. The vast majority of our PRs likely
won't require an in-depth security review, but we do want to make sure that we don't prematurely merge
PRs that we should be getting security reviews for just because we forgot about the process.

NOTE: This security process is only something that maintainers will need to think about. Open source
contributors, of course, may be asked to make changes to their PRs in case that there is a security implication
that needs to be addressed, but the security process itself is a process internal to the Streamlit team.

• What kind of change does this PR introduce?

  • Other, please describe: security process additions

[mayagbarnes]

Just curious if there is a particular reason for using v1 vs. the latest v2 here?

[vdonato]

No reason aside from that I more or less copied this workflow from an internal repo that was using v1

[mayagbarnes]

Reviewing the action code for mheap/github-action-required-labels, I don't see particular concerns, but I do have some hesitation on integrating this as Snowflake guidelines for GHA notes "only the actions offered by GitHub and third party actions verified by GitHub will be allowed to be used". Since this is not a verified 3rd party action and we have generally avoided use of any 3rd party actions thus far, I would prefer to find an alternative means to achieve the goal of reminding us
to consider whether a change necessitates the security assessment process.

[vdonato]

Reviewing the action code for mheap/github-action-required-labels, I don't see particular concerns, but I do have some hesitation on integrating this as Snowflake guidelines for GHA notes "only the actions offered by GitHub and third party actions verified by GitHub will be allowed to be used". Since this is not a verified 3rd party action and we have generally avoided use of any 3rd party actions thus far, I would prefer to find an alternative means to achieve the goal of reminding us to consider whether a change necessitates the security assessment process.

I'm assuming this is fine given that the source code is short enough to quickly read over + doesn't seem problematic, and also we're already using this action elsewhere for the same purpose (CC @sfc-gh-hpathak to double-check)

Given we can manually audit the source code of the action and pin the version being used, I think it makes more sense to do that vs essentially just copy-pasting the same code into our repo to be able to use it

[sfc-gh-hpathak]

Kudos to @mayagbarnes for bringing up the guidelines (I didn't even think of that 😅).

@vdonato Can we add an explicit permissions tag from this? IIRC by default GH gives all perms to a running workflow, we can restrict that to just read. Not sure which on of those keys will allow reading just the label, pull-requests might work.

At some point someone may flag the "using different GH action" as a violation but I agree that this is low risk.

[vdonato]

Can we add an explicit permissions tag from this?

Done! Looks like adding read permissions to pull-requests was sufficient

[sfc-gh-kbregula]

@vdonato the problem with third parties is not only that they can write malicious code, but they are also more vulnerable to phishing and other attacks, and then replacing the code with malicious code in the future.

But I think we can prevent this by pinning actions to a full-length commit SHA. It is aligned with the Github Action hardening guideline.

[vdonato]

But I think we can prevent this by pinning actions to a full-length commit SHA. It is aligned with the Github Action hardening guideline

Thanks @sfc-gh-kbregula, done!