From c17adc1570efac490c20143dd02dcf1301628976 Mon Sep 17 00:00:00 2001 From: "grafana-delivery-bot[bot]" <132647405+grafana-delivery-bot[bot]@users.noreply.github.com> Date: Tue, 10 Jun 2025 17:05:55 -0600 Subject: [PATCH] [release-11.6.3] Chore: Also add `+security` branches on release-comms PR (#106515) Chore: Also add `+security` branches on release-comms PR (#105689) * baldm0mma/ add create-security-branch.yml and update release-comms * baldm0mma/ update target repo * baldm0mma/ add enterprise * baldm0mma/ update naming * baldm0mma/ update descriptions * baldm0mma/ use go action * baldm0mma/ add dispatch * baldm0mma/ update codwowners * baldm0mma/ remove old oush step * baldm0mma/ update to pass branch, not version * baldm0mma/ add create-security-branch script * baldm0mma/ move script * baldm0mma/ update codeowners * Revert "baldm0mma/ update codeowners" This reverts commit a68531c62eba4fddae7c7ad7ac8a37944af4ef26. * baldm0mma/ add script to codeowners * baldm0mma/ alphabetize workflows and templates * baldm0mma/ update script path * baldm0mma/ add push conditions * baldm0mma/ remove trigger * baldm0mma/ update codeowners (cherry picked from commit 82d271051a2a67c127991b4fc177051e79e5953d) Co-authored-by: Jev Forsberg <46619047+baldm0mma@users.noreply.github.com> --- .github/CODEOWNERS | 2 + .github/workflows/create-security-branch.yml | 79 +++++++++++++++++++ .github/workflows/release-comms.yml | 16 ++++ .../create-security-branch.sh | 20 +++++ 4 files changed, 117 insertions(+) create mode 100644 .github/workflows/create-security-branch.yml create mode 100644 .github/workflows/scripts/create-security-branch/create-security-branch.sh diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index bdfaa799cad..f81d8bae70f 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -772,6 +772,7 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/release-comms.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/migrate-prs.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/create-next-release-branch.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/create-security-branch.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/codeowners-validator.yml @tolzhabayev
 /.github/workflows/codeql-analysis.yml @DanCech
 /.github/workflows/commands.yml @torkelo
@@ -799,6 +800,7 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/storybook-verification.yml @grafana/grafana-frontend-platform
 /.github/workflows/update-make-docs.yml @grafana/docs-tooling
 /.github/workflows/scripts/kinds/verify-kinds.go @grafana/platform-monitoring
+/.github/workflows/scripts/create-security-branch/create-security-branch.sh @grafana/grafana-developer-enablement-squad
 /.github/workflows/publish-kinds-next.yml @grafana/platform-monitoring
 /.github/workflows/publish-kinds-release.yml @grafana/platform-monitoring
 /.github/workflows/verify-kinds.yml @grafana/platform-monitoring
diff --git a/.github/workflows/create-security-branch.yml b/.github/workflows/create-security-branch.yml
new file mode 100644
index 00000000000..98ff8267380
--- /dev/null
+++ b/.github/workflows/create-security-branch.yml
@@ -0,0 +1,79 @@
+name: Create security branch
+on:
+ workflow_call:
+ inputs:
+ release_branch:
+ type: string
+ description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.3+security-01` being created)
+ required: true
+ security_branch_number:
+ type: string
+ description: 'The security branch number (e.g., 01)'
+ required: false
+ default: '01'
+ repository:
+ type: string
+ description: 'The repository to create the security branch in (e.g., grafana/grafana-security-mirror)'
+ required: true
+ outputs:
+ branch:
+ description: The new security branch that was created
+ value: ${{ jobs.main.outputs.branch }}
+ workflow_dispatch:
+ inputs:
+ release_branch:
+ type: string
+ description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.3+security-01` being created)
+ required: true
+ security_branch_number:
+ type: string
+ description: 'The security branch number (e.g., 01)'
+ required: false
+ default: '01'
+ repository:
+ type: string
+ description: 'The repository to create the security branch in (e.g., grafana/grafana-security-mirror)'
+ required: true
+
+permissions:
+ contents: write
+ id-token: write
+
+jobs:
+ main:
+ runs-on: ubuntu-latest
+ outputs:
+ branch: ${{ steps.branch.outputs.branch }}
+ steps:
+ - name: "Get vault secrets"
+ id: vault-secrets
+ uses: grafana/shared-workflows/actions/get-vault-secrets@main
+ with:
+ # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+ repo_secrets: |
+ GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
+
+ - name: "Generate token"
+ id: generate_token
+ uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+ with:
+ app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+ private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ token: ${{ steps.generate_token.outputs.token }}
+ repository: ${{ inputs.repository }}
+ ref: ${{ inputs.release_branch }}
+
+ - name: Create security branch
+ id: branch
+ env:
+ GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+ INPUT_RELEASE_BRANCH: ${{ inputs.release_branch }}
+ INPUT_SECURITY_BRANCH_NUMBER: ${{ inputs.security_branch_number }}
+ INPUT_REPOSITORY: ${{ inputs.repository }}
+ run: |
+ chmod +x .github/workflows/scripts/create-security-branch/create-security-branch.sh
+ .github/workflows/scripts/create-security-branch/create-security-branch.sh
diff --git a/.github/workflows/release-comms.yml b/.github/workflows/release-comms.yml
index e5532ca12ca..c0c435f61d2 100644
--- a/.github/workflows/release-comms.yml
+++ b/.github/workflows/release-comms.yml
@@ -72,6 +72,22 @@ jobs:
 with:
 ownerRepo: 'grafana/grafana-enterprise'
 source: ${{ needs.setup.outputs.release_branch }}
+ create_security_branch_grafana:
+ name: Create security branch (Grafana Security Mirror)
+ needs: setup
+ uses: ./.github/workflows/create-security-branch.yml
+ with:
+ release_branch: ${{ needs.setup.outputs.release_branch }}
+ security_branch_number: "01"
+ repository: grafana/grafana-security-mirror
+ create_security_branch_enterprise:
+ name: Create security branch (Enterprise)
+ needs: setup
+ uses: ./.github/workflows/create-security-branch.yml
+ with:
+ release_branch: ${{ needs.setup.outputs.release_branch }}
+ security_branch_number: "01"
+ repository: grafana/grafana-enterprise
 migrate_prs_grafana:
 needs:
 - setup
diff --git a/.github/workflows/scripts/create-security-branch/create-security-branch.sh b/.github/workflows/scripts/create-security-branch/create-security-branch.sh
new file mode 100644
index 00000000000..11a3a2f3808
--- /dev/null
+++ b/.github/workflows/scripts/create-security-branch/create-security-branch.sh
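Review bot: The `Create security branch` step runs `.github/workflows/scripts/create-security-branch/create-security-branch.sh` out of the workspace, but the job's only checkout has just replaced that workspace with `inputs.repository` at `inputs.release_branch`, so the code that receives the delivery-bot token in `GITHUB_TOKEN` is whatever that target branch ships, not this repository's reviewed copy — and under `workflow_dispatch` both values are free-text inputs. A second `actions/checkout` of `${{ github.repository }}` into a `path:` and running the script from there, as sketched below, keeps the token-bearing code under this repo's CODEOWNERS; scoping the app token to the target repository and `contents: write` (the pinned tibdex action accepts `repositories` and `permissions` inputs — verify for that SHA) would bound the blast radius further. Separately, `permissions: contents: write` for the job's own GITHUB_TOKEN looks unused, since every git operation goes through the app token, so `contents: read` should do. `get-vault-secrets@main` is also the one mutable action ref here next to a SHA-pinned `github-app-token`; pinning it matters more than usual because that step is handed the Vault OIDC token.
```yaml
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
          repository: ${{ inputs.repository }}
          ref: ${{ inputs.release_branch }}

      # The script must come from this repository, not from the input-selected target checkout above
      - name: Checkout release tooling
        uses: actions/checkout@v4
        with:
          repository: ${{ github.repository }}
          ref: ${{ github.sha }}
          path: release-tooling

      - name: Create security branch
        id: branch
        # … unchanged: env (GITHUB_TOKEN, INPUT_*) …
        run: |
          chmod +x release-tooling/.github/workflows/scripts/create-security-branch/create-security-branch.sh
          release-tooling/.github/workflows/scripts/create-security-branch/create-security-branch.sh
```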
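Review bot: Both new jobs hard-code `security_branch_number: "01"` and gate only on `needs: setup`, so every run of release-comms for a release branch tries to create the same `+security-01` branch in both target repos; a re-run, or a second security release for the same branch, is expected to fail here because the called script rejects an existing branch, unless the number becomes an input of release-comms (its trigger and `setup` job are outside this hunk, so I can't tell whether one exists). Worth confirming as well that the calling jobs are granted `id-token: write` — a called workflow can only narrow what the caller passes, and the Vault step in `create-security-branch.yml` depends on it. The explicit `security_branch_number: "01"` duplicates the reusable workflow's default and could simply be dropped.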
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Construct the security branch name
+SECURITY_BRANCH="${INPUT_RELEASE_BRANCH}+security-${INPUT_SECURITY_BRANCH_NUMBER}"
+
+# Check if branch already exists
+if git show-ref --verify --quiet "refs/heads/${SECURITY_BRANCH}"; then
+ echo "::error::Security branch ${SECURITY_BRANCH} already exists"
+ exit 1
+fi
+
+# Create and push the new branch from the release branch
+git checkout "${INPUT_RELEASE_BRANCH}"
+git checkout -b "${SECURITY_BRANCH}"
+git push origin "${SECURITY_BRANCH}"
+
+# Output the branch name for the workflow
+echo "branch=${SECURITY_BRANCH}" >> "${GITHUB_OUTPUT}"
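Review bot: The existence check `git show-ref --verify --quiet "refs/heads/${SECURITY_BRANCH}"` only consults local branches, and the clone this runs in was made by `actions/checkout` for the release branch alone, so a `+security-NN` branch that already exists on the remote is never seen here; the script falls through to `git push`, which then reports everything up-to-date, fast-forwards the existing branch to the release tip, or fails with a generic non-fast-forward error — none of which is the intended "already exists" failure. Ask the remote instead with `git ls-remote --exit-code --heads origin "${SECURITY_BRANCH}"`. Because `INPUT_RELEASE_BRANCH` and `INPUT_SECURITY_BRANCH_NUMBER` arrive as free-text workflow inputs, checking their shape before they are spliced into a ref name (a two-digit test matching the documented `01` format, plus `git check-ref-format --branch`) gives a clear error rather than whatever git makes of an odd name, as in the sketch below.
```bash
# … unchanged: shebang, set -euo pipefail …

# Inputs are free-text workflow_dispatch strings: validate them before building a ref name
[[ "${INPUT_SECURITY_BRANCH_NUMBER}" =~ ^[0-9]{2}$ ]] || { echo "::error::Invalid security branch number '${INPUT_SECURITY_BRANCH_NUMBER}'"; exit 1; }
SECURITY_BRANCH="${INPUT_RELEASE_BRANCH}+security-${INPUT_SECURITY_BRANCH_NUMBER}"
git check-ref-format --branch "${SECURITY_BRANCH}" >/dev/null

# Ask the remote: the local clone only holds the ref actions/checkout fetched
if git ls-remote --exit-code --heads origin "${SECURITY_BRANCH}" >/dev/null; then
  echo "::error::Security branch ${SECURITY_BRANCH} already exists"
  exit 1
fi

# … unchanged: checkout, branch creation, push, output …
```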