Code drop of security group rotation email bot (#2)

This implements a bot that emails the security group when new draft
advisories show up in the llvm security group repo. This bot @s people
who are currently oncall.

To this end, it also introduces a yaml file (and supporting Python
script) to define and extend the rotation.

For running this, Github Actions presents a few challenges:

1. All bot runs are public - observable changes in logs/etc could
   disclose security issues prior to us publishing them.
2. This requires non-committed state (mostly "what advisories have been
   emailed about already?")

So for now, the plan is just to run on one of my machines - I already
run llvmbb-monitor with reasonable uptime; adding to that isn't hard.

See https://github.com/gburgessiv/test-gha for development history
(though it's entirely just me hacking on my own with no input ;) )

Author: gburgessiv

.github/actions/setup-repo-env/action.yml

@@ -0,0 +1,15 @@
+name: 'Set up Repo Environment'
+description: 'Sets up Python and its deps'
+runs:
+  using: "composite"
+  steps:
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.11'
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements.txt
+      shell: bash
+      working-directory: ./email-rotation

.github/workflows/run-tests.yml

@@ -0,0 +1,46 @@
+name: Run Tests
+
+on:
+  pull_request:
+    paths:
+      - '**/*.py'
+      - '**/*.yaml'
+      - '.github/**'
+
+jobs:
+  run_tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up repo environment
+        uses: ./.github/actions/setup-repo-env
+
+      - name: Run email script tests
+        run: python3 email_about_issues_test.py
+        working-directory: ./email-rotation
+
+      - name: Run rotation extension tests
+        run: python3 extend_rotation_test.py
+        working-directory: ./email-rotation
+
+      - name: Run yaml verification test
+        run: python3 verify_yaml_files_test.py
+        working-directory: ./email-rotation
+
+      - name: Run pyright
+        run: pyright *.py
+        working-directory: ./email-rotation
+
+      - name: Run mypy
+        run: mypy . --explicit-package-bases --strict
+        working-directory: ./email-rotation
+
+      - name: Run isort
+        run: isort . --check-only
+        working-directory: ./email-rotation
+
+      - name: Run black
+        run: black . --check
+        working-directory: ./email-rotation

email-rotation/.gitignore

@@ -0,0 +1,4 @@
+**/__pycache__
+github-token
+secrets
+state.json

email-rotation/Dockerfile

@@ -0,0 +1,28 @@
+FROM debian:stable-slim
+LABEL maintainer="George Burgess <[email protected]>"
+
+# Grab the packages
+RUN apt-get update
+RUN apt-get install -y python3 python3-requests python3-yaml
+
+ENV LANG=C.UTF-8
+
+# Rootn't
+RUN \
+  useradd email-bot && \
+  mkdir /home/email-bot && \
+  chown email-bot:email-bot /home/email-bot
+
+USER email-bot
+WORKDIR /home/email-bot
+
+# Example build'n'run invocation:
+# docker build -t llvm-security-group-emails . && docker run --rm -it -v $PWD:/home/email-bot/llvm-security-repo/email-rotation llvm-security-group-emails
+#
+# Example `secrets` file:
+# export [email protected]
+# export GITHUB_REPOSITORY=llvm/llvm-security-repo
+# export GITHUB_TOKEN=[redacted]
+# export GMAIL_PASSWORD=[redacted]
+# export [email protected]
+CMD ["bash", "-c", "cd llvm-security-repo && . secrets && exec ./email_about_issues.py --state-file=state.json --debug"]

email-rotation/README.md

@@ -0,0 +1,20 @@
+This directory implements an oncall rotation for security issues, essentially.
+
+Relevant files (ignoring tests) are:
+
+- `rotation-members.yaml`, which is the set of all members currently on the
+  security group who are eligible for this rotation.
+
+- `rotation.yaml`, which specifies the rotation. This is generally extended by
+  `rotation-members.yaml`, though can be edited by humans (e.g., to remove
+  people from rotations, swap with others, etc.)
+
+- `email_about_issues.py` actually emails about the issues; it's run on
+  a machine through a Docker image produced by the `Dockerfile`.
+  The `docker run` invocation looks like:
+  ```
+  docker run --rm -it -v $PWD:/home/email-bot/llvm-security-repo llvm-security-group-emails
+  ```
+- `extend_rotation.py` extends the `rotation.yaml` file automatically. This
+  script only appends to the rotation, and takes into account who's already been
+  in the rotation recently when creating new rotation instances.