[Backport 5.5.x] Integrate security release approval into release pipeline (#64030)

As part of the [Vuln Scanning Improvements](https://linear.app/sourcegraph/project/[p0]-vulnerability-scanning-improvements-75299c4312dd/issues) project, I've been working on tooling to automate the security approval step of the release process. This PR integrates these improvements into the release pipeline: * Internal releases will run a vulnerability scan * Promote-to-public releases will check for security approval If a public release does not have security approval, it will block the promotion process. The step happens at the start of the pipeline so should be a fast-fail. You can also check for release approval before running promotion by running `@secbot cve approve-release <version>` in the #secbot-commands channel. In an ideal world we (security) will have already gone through and approved ahead of release. I've tested this PR as much as I can without running an actual release! We have a 5.5.x release tomorrow so it'll be a good test. If it does cause problems that can't be easily solved, it can always be temporarily disabled. I've tagged this PR to be backported to `5.5.x`. ## Pre-merge checklist - [x] Revert commit that disables release promotion ## Test plan Manual testing of the release process: - [x] [Successful test run](https://buildkite.com/sourcegraph/sourcegraph/builds/283774#0190dfd6-fa70-4cea-9711-f5b8493c7714) that shows the security scan being triggered - [x] [Promote to public test run](https://buildkite.com/sourcegraph/sourcegraph/builds/283826) that shows the security approval approving a release - [x] [Promote to public test run](https://buildkite.com/sourcegraph/sourcegraph/builds/283817#0190e0ec-0641-4451-b7c7-171e664a3127) that shows the security approval rejecting a release with un-accepted CVEs ## Changelog <br> Backport 9dd901f3c9 from #63990 Co-authored-by: Will Dollman <will.dollman@sourcegraph.com>
2026-02-06 19:51:50 +00:00 · 2024-07-24 02:42:33 -07:00 · 2024-07-24 02:42:33 -07:00 · 0f4cbff0ca
commit 0f4cbff0ca
parent 1a463ba167
4 changed files with 56 additions and 1 deletions
--- a/dev/ci/internal/ci/pipeline.go
+++ b/dev/ci/internal/ci/pipeline.go
@ -275,6 +275,8 @@ func GeneratePipeline(c Config) (*bk.Pipeline, error) {
 		)
 	case runtype.PromoteRelease:
 		ops = operations.NewSet(
+			checkSecurityApproval(c),
+			wait,
 			releasePromoteImages(c),
 			wait,
 			releaseTestOperation(c),
--- a/dev/ci/internal/ci/release_operations.go
+++ b/dev/ci/internal/ci/release_operations.go
@ -11,6 +11,25 @@ import (
 	"github.com/sourcegraph/sourcegraph/dev/ci/internal/ci/operations"
 )

+// checkSecurityApproval checks whether the specified release has release approval from the Security Team.
+func checkSecurityApproval(c Config) operations.Operation {
+	return func(pipeline *bk.Pipeline) {
+		pipeline.AddStep(":nodesecurity: Check security approval",
+			bk.Agent("queue", AspectWorkflows.QueueDefault),
+			bk.Env("VERSION", c.Version),
+			bk.AnnotatedCmd(
+				"./tools/release/check_security_approval.sh",
+				bk.AnnotatedCmdOpts{
+					Annotations: &bk.AnnotationOpts{
+						Type:         bk.AnnotationTypeInfo,
+						IncludeNames: false,
+					},
+				},
+			),
+		)
+	}
+}
+
 // releasePromoteImages runs a script that iterates through all defined images that we're producing that has been uploaded
 // on the internal registry with a given version and retags them to the public registry.
 func releasePromoteImages(c Config) operations.Operation {
--- a/release.yaml
+++ b/release.yaml
@ -75,7 +75,9 @@ internal:
          fi
      - name: 'Trigger Security scan'
        cmd: |
-          curl --location 'https://incoming.sgdev.org/new-image-scan?tag={{tag}}&scanType=release&dev=true' --header 'X-Special-Header: ${SCANNER_TOKEN}'
+          set -eu
+
+          curl --location 'https://security-manager.sgdev.org/internal-release-scan?release={{tag}}' --request POST --header "Authorization: Bearer ${SECURITY_SCANNER_TOKEN}"
      - name: 'notifications'
        cmd: |
          set -eu
--- a/tools/release/check_security_approval.sh
+++ b/tools/release/check_security_approval.sh
@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -uo pipefail
+
+if [ -z "$VERSION" ]; then
+  echo "❌ Need \$VERSION to be set to check security approval"
+  exit 1
+fi
+
+if [ -z "$SECURITY_SCANNER_TOKEN" ]; then
+  echo "❌ Need \$SECURITY_SCANNER_TOKEN to be set to check security approval"
+  exit 1
+fi
+
+echo "Checking security approval for release ${VERSION}..."
+
+if [ ! -e "./annotations" ]; then
+  mkdir ./annotations
+fi
+echo -e "## :nodesecurity: Security Release Approval" >./annotations/security_approval.md
+
+curl --location "https://security-manager.sgdev.org/approve-release?release=${VERSION}" \
+  --header "Authorization: Bearer ${SECURITY_SCANNER_TOKEN}" --fail
+SECURITY_APPROVAL=$?
+
+if [ "$SECURITY_APPROVAL" -eq 0 ]; then
+  echo "Release \`${VERSION}\` has security approval." | tee -a ./annotations/security_approval.md
+else
+  echo -e "Release ${VERSION} does **not** have security approval - reach out to the Security Team to resolve.\n" | tee -a ./annotations/security_approval.md
+  echo "Run \`@SecBot cve approve-release 5.5.1339\` in [#secbot-commands](https://sourcegraph.slack.com/archives/C07BQJDFCV8) to check the approval status." | tee -a ./annotations/security_approval.md
+  exit 1
+fi