[Backport 5.5.x] Integrate security release approval into release pipeline (#64030)

As part of the [Vuln Scanning
Improvements](https://linear.app/sourcegraph/project/[p0]-vulnerability-scanning-improvements-75299c4312dd/issues)
project, I've been working on tooling to automate the security
approval step of the release process.

This PR integrates these improvements into the release pipeline:

* Internal releases will run a vulnerability scan
* Promote-to-public releases will check for security approval

If a public release does not have security approval, it will block the
promotion process. The step happens at the start of the pipeline so
should be a fast-fail. You can also check for release approval before
running promotion by running `@secbot cve approve-release
<version>` in the #secbot-commands channel. In an ideal world we
(security) will have already gone through and approved ahead of release.

I've tested this PR as much as I can without running an actual
release! We have a 5.5.x release tomorrow so it'll be a good test.
If it does cause problems that can't be easily solved, it can always
be temporarily disabled.

I've tagged this PR to be backported to `5.5.x`.



## Pre-merge checklist

- [x] Revert commit that disables release promotion

## Test plan

Manual testing of the release process:
- [x] [Successful test
run](https://buildkite.com/sourcegraph/sourcegraph/builds/283774#0190dfd6-fa70-4cea-9711-f5b8493c7714)
that shows the security scan being triggered
- [x] [Promote to public test
run](https://buildkite.com/sourcegraph/sourcegraph/builds/283826) that
shows the security approval approving a release
- [x] [Promote to public test
run](https://buildkite.com/sourcegraph/sourcegraph/builds/283817#0190e0ec-0641-4451-b7c7-171e664a3127)
that shows the security approval rejecting a release with un-accepted
CVEs



## Changelog


 <br> Backport 9dd901f from #63990

Co-authored-by: Will Dollman <[email protected]>

Author: sourcegraph-release-bot

dev/ci/internal/ci/pipeline.go

@@ -275,6 +275,8 @@ func GeneratePipeline(c Config) (*bk.Pipeline, error) {
 		)
 	case runtype.PromoteRelease:
 		ops = operations.NewSet(
+			checkSecurityApproval(c),
+			wait,
 			releasePromoteImages(c),
 			wait,
 			releaseTestOperation(c),

dev/ci/internal/ci/release_operations.go

@@ -11,6 +11,25 @@ import (
 	"github.com/sourcegraph/sourcegraph/dev/ci/internal/ci/operations"
 )
 
+// checkSecurityApproval checks whether the specified release has release approval from the Security Team.
+func checkSecurityApproval(c Config) operations.Operation {
+	return func(pipeline *bk.Pipeline) {
+		pipeline.AddStep(":nodesecurity: Check security approval",
+			bk.Agent("queue", AspectWorkflows.QueueDefault),
+			bk.Env("VERSION", c.Version),
+			bk.AnnotatedCmd(
+				"./tools/release/check_security_approval.sh",
+				bk.AnnotatedCmdOpts{
+					Annotations: &bk.AnnotationOpts{
+						Type:         bk.AnnotationTypeInfo,
+						IncludeNames: false,
+					},
+				},
+			),
+		)
+	}
+}
+
 // releasePromoteImages runs a script that iterates through all defined images that we're producing that has been uploaded
 // on the internal registry with a given version and retags them to the public registry.
 func releasePromoteImages(c Config) operations.Operation {

release.yaml

@@ -75,7 +75,9 @@ internal:
           fi
       - name: 'Trigger Security scan'
         cmd: |
-          curl --location 'https://incoming.sgdev.org/new-image-scan?tag={{tag}}&scanType=release&dev=true' --header 'X-Special-Header: ${SCANNER_TOKEN}'
+          set -eu
+
+          curl --location 'https://security-manager.sgdev.org/internal-release-scan?release={{tag}}' --request POST --header "Authorization: Bearer ${SECURITY_SCANNER_TOKEN}"
       - name: 'notifications'
         cmd: |
           set -eu

tools/release/check_security_approval.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+set -uo pipefail
+
+if [ -z "$VERSION" ]; then
+  echo "❌ Need \$VERSION to be set to check security approval"
+  exit 1
+fi
+
+if [ -z "$SECURITY_SCANNER_TOKEN" ]; then
+  echo "❌ Need \$SECURITY_SCANNER_TOKEN to be set to check security approval"
+  exit 1
+fi
+
+echo "Checking security approval for release ${VERSION}..."
+
+if [ ! -e "./annotations" ]; then
+  mkdir ./annotations
+fi
+echo -e "## :nodesecurity: Security Release Approval" >./annotations/security_approval.md
+
+curl --location "https://security-manager.sgdev.org/approve-release?release=${VERSION}" \
+  --header "Authorization: Bearer ${SECURITY_SCANNER_TOKEN}" --fail
+SECURITY_APPROVAL=$?
+
+if [ "$SECURITY_APPROVAL" -eq 0 ]; then
+  echo "Release \`${VERSION}\` has security approval." | tee -a ./annotations/security_approval.md
+else
+  echo -e "Release ${VERSION} does **not** have security approval - reach out to the Security Team to resolve.\n" | tee -a ./annotations/security_approval.md
+  echo "Run \`@SecBot cve approve-release 5.5.1339\` in [#secbot-commands](https://sourcegraph.slack.com/archives/C07BQJDFCV8) to check the approval status." | tee -a ./annotations/security_approval.md
+  exit 1
+fi