mirror of
https://github.com/sourcegraph/sourcegraph.git
synced 2026-02-06 12:31:45 +00:00
As part of the [Vuln Scanning Improvements](https://linear.app/sourcegraph/project/[p0]-vulnerability-scanning-improvements-75299c4312dd/issues) project, I've been working on tooling to automate the security approval step of the release process. This PR integrates these improvements into the release pipeline:

* Internal releases will run a vulnerability scan
* Promote-to-public releases will check for security approval

If a public release does not have security approval, it will block the promotion process. The step happens at the start of the pipeline so should be a fast-fail. You can also check for release approval before running promotion by running `@secbot cve approve-release <version>` in the #secbot-commands channel. In an ideal world we (security) will have already gone through and approved ahead of release.

I've tested this PR as much as I can without running an actual release! We have a 5.5.x release tomorrow so it'll be a good test. If it does cause problems that can't be easily solved, it can always be temporarily disabled.

I've tagged this PR to be backported to `5.5.x`.
## Pre-merge checklist

- [x] Revert commit that disables release promotion

## Test plan

Manual testing of the release process:

- [x] [Successful test run](https://buildkite.com/sourcegraph/sourcegraph/builds/283774#0190dfd6-fa70-4cea-9711-f5b8493c7714) that shows the security scan being triggered
- [x] [Promote to public test run](https://buildkite.com/sourcegraph/sourcegraph/builds/283826) that shows the security approval approving a release
- [x] [Promote to public test run](https://buildkite.com/sourcegraph/sourcegraph/builds/283817#0190e0ec-0641-4451-b7c7-171e664a3127) that shows the security approval rejecting a release with un-accepted CVEs

## Changelog