[release-11.4.6] Chore: Also add `+security` branches on release-comms PR (#106517)

Chore: Also add `+security` branches on release-comms PR (#105689)

* baldm0mma/ add create-security-branch.yml and update release-comms

* baldm0mma/ update target repo

* baldm0mma/ add enterprise

* baldm0mma/ update naming

* baldm0mma/ update descriptions

* baldm0mma/ use go action

* baldm0mma/ add dispatch

* baldm0mma/ update codwowners

* baldm0mma/ remove old oush step

* baldm0mma/ update to pass branch, not version

* baldm0mma/ add create-security-branch script

* baldm0mma/ move script

* baldm0mma/ update codeowners

* Revert "baldm0mma/ update codeowners"

This reverts commit a68531c62e.

* baldm0mma/ add script to codeowners

* baldm0mma/ alphabetize workflows and templates

* baldm0mma/ update script path

* baldm0mma/ add push conditions

* baldm0mma/ remove trigger

* baldm0mma/ update codeowners

(cherry picked from commit 82d271051a)

Co-authored-by: Jev Forsberg <46619047+baldm0mma@users.noreply.github.com>

.github/CODEOWNERS

@@ -772,6 +772,7 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/release-comms.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/migrate-prs.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/create-next-release-branch.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/create-security-branch.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/codeowners-validator.yml @tolzhabayev
 /.github/workflows/codeql-analysis.yml @DanCech
 /.github/workflows/commands.yml @torkelo
@@ -799,6 +800,7 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/storybook-verification.yml @grafana/grafana-frontend-platform
 /.github/workflows/update-make-docs.yml @grafana/docs-tooling
 /.github/workflows/scripts/kinds/verify-kinds.go @grafana/platform-monitoring
+/.github/workflows/scripts/create-security-branch/create-security-branch.sh @grafana/grafana-developer-enablement-squad
 /.github/workflows/publish-kinds-next.yml @grafana/platform-monitoring
 /.github/workflows/publish-kinds-release.yml @grafana/platform-monitoring
 /.github/workflows/verify-kinds.yml @grafana/platform-monitoring

.github/workflows/create-security-branch.yml

@@ -0,0 +1,79 @@
+name: Create security branch
+on:
+  workflow_call:
+    inputs:
+      release_branch:
+        type: string
+        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.3+security-01` being created)
+        required: true
+      security_branch_number:
+        type: string
+        description: 'The security branch number (e.g., 01)'
+        required: false
+        default: '01'
+      repository:
+        type: string
+        description: 'The repository to create the security branch in (e.g., grafana/grafana-security-mirror)'
+        required: true
+    outputs:
+      branch:
+        description: The new security branch that was created
+        value: ${{ jobs.main.outputs.branch }}
+  workflow_dispatch:
+    inputs:
+      release_branch:
+        type: string
+        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.3+security-01` being created)
+        required: true
+      security_branch_number:
+        type: string
+        description: 'The security branch number (e.g., 01)'
+        required: false
+        default: '01'
+      repository:
+        type: string
+        description: 'The repository to create the security branch in (e.g., grafana/grafana-security-mirror)'
+        required: true
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    outputs:
+      branch: ${{ steps.branch.outputs.branch }}
+    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
+
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.release_branch }}
+
+      - name: Create security branch
+        id: branch
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+          INPUT_RELEASE_BRANCH: ${{ inputs.release_branch }}
+          INPUT_SECURITY_BRANCH_NUMBER: ${{ inputs.security_branch_number }}
+          INPUT_REPOSITORY: ${{ inputs.repository }}
+        run: |
+          chmod +x .github/workflows/scripts/create-security-branch/create-security-branch.sh
+          .github/workflows/scripts/create-security-branch/create-security-branch.sh

.github/workflows/release-comms.yml

@@ -72,6 +72,22 @@ jobs:
     with:
       ownerRepo: 'grafana/grafana-enterprise'
       source: ${{ needs.setup.outputs.release_branch }}
+  create_security_branch_grafana:
+    name: Create security branch (Grafana Security Mirror)
+    needs: setup
+    uses: ./.github/workflows/create-security-branch.yml
+    with:
+      release_branch: ${{ needs.setup.outputs.release_branch }}
+      security_branch_number: "01"
+      repository: grafana/grafana-security-mirror
+  create_security_branch_enterprise:
+    name: Create security branch (Enterprise)
+    needs: setup
+    uses: ./.github/workflows/create-security-branch.yml
+    with:
+      release_branch: ${{ needs.setup.outputs.release_branch }}
+      security_branch_number: "01"
+      repository: grafana/grafana-enterprise
   migrate_prs_grafana:
     needs:
       - setup

.github/workflows/scripts/create-security-branch/create-security-branch.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Construct the security branch name
+SECURITY_BRANCH="${INPUT_RELEASE_BRANCH}+security-${INPUT_SECURITY_BRANCH_NUMBER}"
+
+# Check if branch already exists
+if git show-ref --verify --quiet "refs/heads/${SECURITY_BRANCH}"; then
+    echo "::error::Security branch ${SECURITY_BRANCH} already exists"
+    exit 1
+fi
+
+# Create and push the new branch from the release branch
+git checkout "${INPUT_RELEASE_BRANCH}"
+git checkout -b "${SECURITY_BRANCH}"
+git push origin "${SECURITY_BRANCH}"
+
+# Output the branch name for the workflow
+echo "branch=${SECURITY_BRANCH}" >> "${GITHUB_OUTPUT}"