Conversation

@gburgessiv gburgessiv commented Sep 7, 2025

This implements a bot that emails the security group when new draft advisories show up in the llvm security group repo. This bot @s people who are currently oncall.

To this end, it also introduces a yaml file (and supporting Python script) to define and extend the rotation.

For running this, GitHub Actions presents a few challenges:

  1. All bot runs are public - observable changes in logs/etc could disclose security issues prior to us publishing them.
  2. This requires non-committed state (mostly "what advisories have been emailed about already?")

So for now, the plan is just to run on one of my machines - I already run llvmbb-monitor with reasonable uptime; adding to that isn't hard.

See https://github.com/gburgessiv/test-gha for development history (though it's entirely just me hacking on my own with no input ;) )

@gburgessiv gburgessiv marked this pull request as ready for review September 8, 2025 16:28
@gburgessiv (Member Author) commented:

/cc @kbeyls @wphuhn-intel

Given the size of this and intended runtime environment, I don't have a strong opinion on "we should do a full fine-toothed review" vs "it's going to be running on George's machine anyway, so shrug." I've tested it manually by having it email me using my access token, and all seems to work well (& the CI this PR adds passes, as well).

In any case, happy to accept any/all comments, and land when those get resolved :)

kbeyls commented Sep 9, 2025

Thank you so much for implementing this @gburgessiv !
I glanced through the patch, and didn't see anything that looked strange to me.
Let's get this set up and going.
In our last monthly public call, IIRC, we said we'd try and get this going at the next public call (which will happen next week Tuesday).
I don't think we need to wait until then. If you're up for it, I think you could set this up and get this going.

I guess that if we manually update the rota, you'll have to remember to update the checkout of the repo you have on your machine where this script will run?

Maybe, after committing this and getting the script running, an email to the LLVM Security Response group with a copy of the current rota and some information about how to easily update the rota (do swaps) would be useful?

@gburgessiv (Member Author) commented:

Happy to help!

> Let's get this set up and going.

SGTM, I'll merge now and try to find time to set up the cronjob within the next few days.

> I guess that if we manually update the rota, you'll have to remember to update the checkout of the repo you have on your machine where this script will run?

Yeah, I figured that it's easiest if the rotation exists in editable form somewhere (b/c people will want to swap, or we'll discover that ${current_rotation_member} has left the security group and want to recover that, or [...]). I'll come up with something to make sure the repo stays up-to-date on my end. :)

& yeah, the script will send reminder emails when the rotation runs low, but realistically it's probably 5 or so lines of bash to set up an every-month-or-so ./extend_rotation.py "${by_one_month_flag}" && create_new_pr_and_send_for_review job.

> Maybe, after committing this and getting the script running, an email to the LLVM Security Response group with a copy of the current rota and some information about how to easily update the rota (do swaps) would be useful?

Definitely can do. I'd ideally like to phrase instructions as "see this section of the README," so I may upload a follow-up PR adding notes along those lines. We'll see in the coming days :)
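The thread above describes three pieces of the rotation tooling without showing them: a YAML file that defines the rota, a lookup of who is on call today (so the bot knows whom to @-mention), and an `extend_rotation.py`-style step that appends roughly a month of shifts, plus a "rotation is running low" reminder. The following is an added example of that mechanism, written for this page; it is not code from the llvm-security-repo PR or from the author. The file layout (a list of `start`/`member` entries), weekly shift length, 30-day month, and every function name are assumptions. It parses only that restricted YAML subset by hand so it runs without PyYAML; the real script presumably uses a proper YAML loader.

```python
"""Added example of an on-call rotation stored as a YAML-style list of
weekly shifts, with three operations: who is on call on a given day,
whether the rota is running low, and extending it by about a month.
Not the llvm-security-repo scripts; format and names are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

SHIFT_DAYS = 7          # assumption: one shift per week
DAYS_PER_MONTH = 30     # assumption: "extend by a month" means 30 days


@dataclass(frozen=True)
class Shift:
    start: date   # first day of the shift, inclusive
    member: str   # handle to @-mention while this shift is active


# Constructed sample rota in the assumed format: a YAML list of mappings
# with `start` (ISO date) and `member` keys, comments allowed.
SAMPLE_ROTATION_YAML = """\
# on-call rotation, one entry per week
- start: 2025-09-08
  member: alice
- start: 2025-09-15
  member: bob
- start: 2025-09-22
  member: carol
"""


def _to_shift(entry: dict[str, str]) -> Shift:
    return Shift(start=date.fromisoformat(entry["start"]), member=entry["member"])


def parse_rotation(text: str) -> list[Shift]:
    """Parse the restricted YAML subset above without PyYAML.

    Each entry starts with '- ' and continues with indented 'key: value'
    lines; '#' comments and blank lines are ignored. Output is sorted by
    start date so callers can rely on shifts[-1] being the last shift."""
    shifts: list[Shift] = []
    entry: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("- "):
            if entry:
                shifts.append(_to_shift(entry))
            entry = {}
            line = line[2:]
        key, _, value = line.strip().partition(":")
        entry[key.strip()] = value.strip()
    if entry:
        shifts.append(_to_shift(entry))
    return sorted(shifts, key=lambda s: s.start)


def dump_rotation(shifts: list[Shift]) -> str:
    """Serialize back into the same subset, so the extended rota can be
    committed (e.g. as the PR the thread mentions creating)."""
    lines = []
    for s in shifts:
        lines.append(f"- start: {s.start.isoformat()}")
        lines.append(f"  member: {s.member}")
    return "\n".join(lines) + "\n"


def current_oncall(shifts: list[Shift], today: date) -> str | None:
    """Member whose shift covers `today`, or None if the rota has a gap or
    has run out (the bot should then fall back to emailing the whole group)."""
    for s in shifts:
        if s.start <= today < s.start + timedelta(days=SHIFT_DAYS):
            return s.member
    return None


def remaining_shifts(shifts: list[Shift], today: date) -> int:
    """Shifts that have not ended yet as of `today`, current one included."""
    return sum(1 for s in shifts if s.start + timedelta(days=SHIFT_DAYS) > today)


def needs_extension(shifts: list[Shift], today: date, min_shifts: int = 3) -> bool:
    """True when the reminder email should fire because the rota is running low."""
    return remaining_shifts(shifts, today) < min_shifts


def extend_rotation(shifts: list[Shift], months: int = 1) -> list[Shift]:
    """Append weekly shifts for about `months` months, cycling through the
    members in the order they first appear, continuing after the last shift."""
    if not shifts:
        raise ValueError("cannot extend an empty rotation: no members to cycle")
    members = list(dict.fromkeys(s.member for s in shifts))  # first-appearance order
    last = shifts[-1]
    target = last.start + timedelta(days=DAYS_PER_MONTH * months)
    idx = members.index(last.member)
    extended = list(shifts)
    start = last.start + timedelta(days=SHIFT_DAYS)
    while start <= target:
        idx = (idx + 1) % len(members)
        extended.append(Shift(start=start, member=members[idx]))
        start += timedelta(days=SHIFT_DAYS)
    return extended


if __name__ == "__main__":
    rota = parse_rotation(SAMPLE_ROTATION_YAML)
    today = date(2025, 9, 17)
    print("on call:", current_oncall(rota, today))
    if needs_extension(rota, today):
        print(dump_rotation(extend_rotation(rota, months=1)), end="")
```

The round-robin order is derived from the existing file rather than a separate member list, so a swap edited by hand into the YAML (or a member removed after leaving the group) is picked up the next time the rota is extended, which is the "editable form somewhere" property the thread asks for.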

@gburgessiv gburgessiv merged commit 5bebc1a into main Sep 9, 2025
1 check passed
@gburgessiv gburgessiv deleted the add-rotation-and-email-bot branch September 11, 2025 02:48