Code drop of security group rotation email bot #2
This implements a bot that emails the security group when new draft advisories show up in the llvm security group repo. This bot @s people who are currently oncall. To this end, it also introduces a yaml file (and supporting Python script) to define and extend the rotation.

For running this, GitHub Actions presents a few challenges:

1. All bot runs are public - observable changes in logs/etc could disclose security issues prior to us publishing them.
2. This requires non-committed state (mostly "what advisories have been emailed about already?")

So for now, the plan is just to run on one of my machines - I already run llvmbb-monitor with reasonable uptime; adding to that isn't hard.

See https://github.com/gburgessiv/test-gha for development history (though it's entirely just me hacking on my own with no input ;) )
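As an added example (not code from this PR or the llvm security repo), the three pieces the description sketches, wired together: a lookup over the rotation data to find who is oncall on a given day and whether the rotation is running low, the non-committed "already emailed" state, and the @-mention email composed for a batch of new draft advisories. The rotation layout (a list of `start` / `oncall` entries), the JSON state file, the advisory fields and every identifier below are assumptions for illustration; the real yaml format is not shown on this page, and the real bot would `yaml.safe_load()` the file where this embeds the data.

```python
"""Added example, not the PR's code. Assumed (not from the PR): rotation entries
are {start: YYYY-MM-DD, oncall: [handles]}; emailed-advisory state is a JSON list
of IDs kept outside git; advisories are dicts with ghsa_id and url."""
import datetime as dt
import json
import os
import tempfile

# Constructed stand-in for the rotation yaml (assumed shape).
ROTATION = [
    {"start": "2024-01-01", "oncall": ["alice"]},
    {"start": "2024-01-15", "oncall": ["bob", "carol"]},
    {"start": "2024-01-29", "oncall": ["dave"]},
]
# Constructed stand-in for the draft-advisory listing fetched from GitHub.
ADVISORIES = [
    {"ghsa_id": "GHSA-0000-0000-0002", "url": "https://example.invalid/adv/2"},
    {"ghsa_id": "GHSA-0000-0000-0001", "url": "https://example.invalid/adv/1"},
]


def parse_rotation(entries):
    """Return [(start_date, (handles, ...)), ...] sorted by start; reject bad data."""
    parsed = []
    for e in entries:
        handles = tuple(e["oncall"])
        if not handles:
            raise ValueError(f"rotation entry {e['start']} has nobody oncall")
        parsed.append((dt.date.fromisoformat(e["start"]), handles))
    parsed.sort(key=lambda p: p[0])
    for (a, _), (b, _) in zip(parsed, parsed[1:]):
        if a == b:
            raise ValueError(f"duplicate rotation start {a}")
    return parsed


def oncall_for(rotation, today):
    """Handles of the latest entry whose start is on or before today."""
    current = None
    for start, handles in rotation:
        if start > today:
            break
        current = handles
    if current is None:
        raise ValueError(f"rotation has no entry on or before {today}")
    return current


def rotation_status(entries, iso_today, min_future=2):
    """(oncall handles, future entries left, whether a refill reminder is due)."""
    rotation = parse_rotation(entries)
    today = dt.date.fromisoformat(iso_today)
    remaining = sum(1 for start, _ in rotation if start > today)
    return oncall_for(rotation, today), remaining, remaining < min_future


def load_seen(path):
    try:
        with open(path) as f:
            return set(json.load(f))
    except FileNotFoundError:
        return set()


def save_seen(path, seen):
    # Write-then-rename: a crash mid-write must not leave a truncated file,
    # which would make the next run re-email every advisory.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        json.dump(sorted(seen), f)
    os.replace(tmp, path)


def render_email(new, oncall, refill_due):
    lines = [" ".join(f"@{h}" for h in oncall) + f": {len(new)} new draft advisories"]
    lines += [f"  - {a['ghsa_id']}: {a['url']}" for a in new]
    if refill_due:
        lines.append("Reminder: the oncall rotation is running low; please extend it.")
    return "\n".join(lines)


def run_once(advisories, entries, iso_today, state_path):
    """One poll. Returns (email text or None, IDs newly recorded as emailed)."""
    seen = load_seen(state_path)
    new = sorted((a for a in advisories if a["ghsa_id"] not in seen),
                 key=lambda a: a["ghsa_id"])
    if not new:
        return None, []
    oncall, _, refill_due = rotation_status(entries, iso_today)
    email = render_email(new, oncall, refill_due)
    # Record IDs only after the email exists (in the real bot: after it was sent),
    # so a failed send is retried next run instead of being silently dropped.
    save_seen(state_path, seen | {a["ghsa_id"] for a in new})
    return email, [a["ghsa_id"] for a in new]


def demo(iso_today="2024-01-20"):
    """Two polls against a fresh state dir; the second must be a no-op."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "emailed.json")
        first = run_once(ADVISORIES, ROTATION, iso_today, path)
        second = run_once(ADVISORIES, ROTATION, iso_today, path)
    return first + second
```

The state file is written with write-then-rename and only after the message is composed, so an interrupted run either re-sends (annoying but safe) or keeps a consistent file; it never ends up half-written. Because the state lives outside the repo, a manual swap in the rotation data changes only who gets mentioned, not which advisories count as already handled.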
/cc @kbeyls @wphuhn-intel Given the size of this and intended runtime environment, I don't have a strong opinion on "we should do a full fine-toothed review" vs "it's going to be running on George's machine anyway, so shrug." I've tested it manually by having it email me using my access token, and all seems to work well (& the CI this PR adds passes, as well). In any case, happy to accept any/all comments, and land when those get resolved :)
Thank you so much for implementing this @gburgessiv! I guess that if we manually update the rota, you'll have to remember to update the checkout of the repo you have on your machine where this script will run? Maybe, after committing this and getting the script running, an email to the LLVM Security Response group with a copy of the current rota and some information about how to easily update the rota (do swaps) would be useful?
Happy to help!
SGTM, I'll merge now and try to find time to set up the cronjob within the next few days.
Yeah, I figured that it's easiest if the rotation exists in editable form somewhere (b/c people will want to swap, or we'll discover that & yeah, the script will send reminder emails when the rotation runs low, but realistically it's probably 5 or so lines of bash to set up an every-month-or-so
Definitely can do. I'd ideally like to phrase instructions as "see this section of the README," so I may upload a follow-up PR adding notes along those lines. We'll see in the coming days :)