[release-11.4.6] Chore: Also add `+security` branches on release-comms PR (#106517)

Chore: Also add `+security` branches on release-comms PR (#105689) * baldm0mma/ add create-security-branch.yml and update release-comms * baldm0mma/ update target repo * baldm0mma/ add enterprise * baldm0mma/ update naming * baldm0mma/ update descriptions * baldm0mma/ use go action * baldm0mma/ add dispatch * baldm0mma/ update codwowners * baldm0mma/ remove old oush step * baldm0mma/ update to pass branch, not version * baldm0mma/ add create-security-branch script * baldm0mma/ move script * baldm0mma/ update codeowners * Revert "baldm0mma/ update codeowners" This reverts commit a68531c62e. * baldm0mma/ add script to codeowners * baldm0mma/ alphabetize workflows and templates * baldm0mma/ update script path * baldm0mma/ add push conditions * baldm0mma/ remove trigger * baldm0mma/ update codeowners (cherry picked from commit 82d271051a) Co-authored-by: Jev Forsberg <46619047+baldm0mma@users.noreply.github.com>
2 weeks ago · ca86201ce5
parent 49f3fa91b3
commit ca86201ce5
4 changed files with 117 additions and 0 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -772,6 +772,7 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/release-comms.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/migrate-prs.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/create-next-release-branch.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/create-security-branch.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/codeowners-validator.yml @tolzhabayev
 /.github/workflows/codeql-analysis.yml @DanCech
 /.github/workflows/commands.yml @torkelo
@ -799,6 +800,7 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/storybook-verification.yml @grafana/grafana-frontend-platform
 /.github/workflows/update-make-docs.yml @grafana/docs-tooling
 /.github/workflows/scripts/kinds/verify-kinds.go @grafana/platform-monitoring
+/.github/workflows/scripts/create-security-branch/create-security-branch.sh @grafana/grafana-developer-enablement-squad
 /.github/workflows/publish-kinds-next.yml @grafana/platform-monitoring
 /.github/workflows/publish-kinds-release.yml @grafana/platform-monitoring
 /.github/workflows/verify-kinds.yml @grafana/platform-monitoring
--- a/.github/workflows/create-security-branch.yml
+++ b/.github/workflows/create-security-branch.yml
@ -0,0 +1,79 @@
+name: Create security branch
+on:
+  workflow_call:
+    inputs:
+      release_branch:
+        type: string
+        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.3+security-01` being created)
+        required: true
+      security_branch_number:
+        type: string
+        description: 'The security branch number (e.g., 01)'
+        required: false
+        default: '01'
+      repository:
+        type: string
+        description: 'The repository to create the security branch in (e.g., grafana/grafana-security-mirror)'
+        required: true
+    outputs:
+      branch:
+        description: The new security branch that was created
+        value: ${{ jobs.main.outputs.branch }}
+  workflow_dispatch:
+    inputs:
+      release_branch:
+        type: string
+        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.3+security-01` being created)
+        required: true
+      security_branch_number:
+        type: string
+        description: 'The security branch number (e.g., 01)'
+        required: false
+        default: '01'
+      repository:
+        type: string
+        description: 'The repository to create the security branch in (e.g., grafana/grafana-security-mirror)'
+        required: true
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    outputs:
+      branch: ${{ steps.branch.outputs.branch }}
+    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
+
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.release_branch }}
+
+      - name: Create security branch
+        id: branch
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+          INPUT_RELEASE_BRANCH: ${{ inputs.release_branch }}
+          INPUT_SECURITY_BRANCH_NUMBER: ${{ inputs.security_branch_number }}
+          INPUT_REPOSITORY: ${{ inputs.repository }}
+        run: |
+          chmod +x .github/workflows/scripts/create-security-branch/create-security-branch.sh
+          .github/workflows/scripts/create-security-branch/create-security-branch.sh
--- a/.github/workflows/release-comms.yml
+++ b/.github/workflows/release-comms.yml
@ -72,6 +72,22 @@ jobs:
    with:
      ownerRepo: 'grafana/grafana-enterprise'
      source: ${{ needs.setup.outputs.release_branch }}
+  create_security_branch_grafana:
+    name: Create security branch (Grafana Security Mirror)
+    needs: setup
+    uses: ./.github/workflows/create-security-branch.yml
+    with:
+      release_branch: ${{ needs.setup.outputs.release_branch }}
+      security_branch_number: "01"
+      repository: grafana/grafana-security-mirror
+  create_security_branch_enterprise:
+    name: Create security branch (Enterprise)
+    needs: setup
+    uses: ./.github/workflows/create-security-branch.yml
+    with:
+      release_branch: ${{ needs.setup.outputs.release_branch }}
+      security_branch_number: "01"
+      repository: grafana/grafana-enterprise
  migrate_prs_grafana:
    needs:
      - setup
--- a/.github/workflows/scripts/create-security-branch/create-security-branch.sh
+++ b/.github/workflows/scripts/create-security-branch/create-security-branch.sh
@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Construct the security branch name
+SECURITY_BRANCH="${INPUT_RELEASE_BRANCH}+security-${INPUT_SECURITY_BRANCH_NUMBER}"
+
+# Check if branch already exists
+if git show-ref --verify --quiet "refs/heads/${SECURITY_BRANCH}"; then
+    echo "::error::Security branch ${SECURITY_BRANCH} already exists"
+    exit 1
+fi
+
+# Create and push the new branch from the release branch
+git checkout "${INPUT_RELEASE_BRANCH}"
+git checkout -b "${SECURITY_BRANCH}"
+git push origin "${SECURITY_BRANCH}"
+
+# Output the branch name for the workflow
+echo "branch=${SECURITY_BRANCH}" >> "${GITHUB_OUTPUT}"