mirror of
https://github.com/sourcegraph/sourcegraph.git
synced 2026-02-06 12:51:55 +00:00
As part of the [Vuln Scanning Improvements](https://linear.app/sourcegraph/project/[p0]-vulnerability-scanning-improvements-75299c4312dd/issues) project, I've been working on tooling to automate the security approval step of the release process.
This PR integrates these improvements into the release pipeline:
* Internal releases will run a vulnerability scan
* Promote-to-public releases will check for security approval
If a public release does not have security approval, it will block the promotion process. The step happens at the start of the pipeline so should be a fast-fail. You can also check for release approval before running promotion by running `@secbot cve approve-release <version>` in the #secbot-commands channel. In an ideal world we (security) will have already gone through and approved ahead of release.
I've tested this PR as much as I can without running an actual
release! We have a 5.5.x release tomorrow so it'll be a good test.
If it does cause problems that can't be easily solved, it can always
be temporarily disabled.
I've tagged this PR to be backported to `5.5.x`.
## Pre-merge checklist
- [x] Revert commit that disables release promotion
## Test plan
Manual testing of the release process:
- [x] [Successful test run](https://buildkite.com/sourcegraph/sourcegraph/builds/283774#0190dfd6-fa70-4cea-9711-f5b8493c7714) that shows the security scan being triggered
- [x] [Promote to public test run](https://buildkite.com/sourcegraph/sourcegraph/builds/283826) that shows the security approval approving a release
- [x] [Promote to public test run](https://buildkite.com/sourcegraph/sourcegraph/builds/283817#0190e0ec-0641-4451-b7c7-171e664a3127) that shows the security approval rejecting a release with un-accepted CVEs
## Changelog
Backport