Added security patch delivery workflows (#71101)

* adding security patch workflows

* adding grafana-delivery as codeowners for new pr-security-check workflows

* adding release branch triggers to PR security patch github action

* joined security patching mirror and apply jobs

* remove temp files

.github/CODEOWNERS

@@ -611,6 +611,8 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/pr-codeql-analysis-python.yml @DanCech
 /.github/workflows/pr-commands-closed.yml @tolzhabayev
 /.github/workflows/pr-commands.yml @marefr
+/.github/workflows/pr-security-patch-check.yml @grafana/grafana-delivery
+/.github/workflows/pr-security-patch-mirror-and-apply.yml @grafana/grafana-delivery
 /.github/workflows/publish-technical-documentation-next.yml @grafana/docs-grafana
 /.github/workflows/publish-technical-documentation-release.yml @grafana/docs-grafana
 /.github/workflows/remove-milestone.yml @grafana/grafana-delivery

.github/workflows/pr-security-patch-check.yml

@@ -0,0 +1,24 @@
+# Owned by grafana-delivery-squad
+# Intended to be dropped into the base repo Ex: grafana/grafana 
+name: Check for security patch conflicts
+run-name: check-security-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }}
+on:
+  pull_request_target:
+    types:
+      - opened
+    branches:
+      - "main"
+      - "v*.*.*"
+      - "release-*"
+
+# Since this is run on a pull request, we want to apply the patches intended for the
+# target branch onto the source branch, to verify compatibility before merging.
+jobs:
+  trigger_downstream_patch_check:
+    uses: grafana/security-patch-actions/.github/workflows/test-patches.yml@main
+    with:
+      src_repo: "${{ github.repository }}"
+      src_ref: "${{ github.head_ref }}" # this is the source branch name, Ex: "feature/newthing"
+      patch_repo: "${{ github.repository }}-security-patches"
+      patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
+    secrets: inherit

.github/workflows/pr-security-patch-mirror-and-apply.yml

@@ -0,0 +1,26 @@
+# Owned by grafana-delivery-squad
+# Intended to be dropped into the base repo, Ex: grafana/grafana
+name: Sync to security mirror
+run-name: sync-to-security-mirror-${{ github.base_ref }}-${{ github.head_ref }}
+on:
+  pull_request_target:
+    types:
+      - closed
+    branches:
+      - "main"
+      - "v*.*.*"
+      - "release-*"
+
+# This is run after the pull request has been merged, so we'll run against the target branch
+jobs:
+  trigger_downstream_security_mirror:
+    concurrency: security-mirror-${{ github.ref }}
+    if: github.event.pull_request.merged == true
+    uses: grafana/security-patch-actions/.github/workflows/mirror-branch-and-apply-patches.yml@main
+    with:
+      ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
+      src_repo: "${{ github.repository }}"
+      dest_repo: "${{ github.repository }}-security-mirror"
+      patch_repo: "${{ github.repository }}-security-patches"
+    secrets: inherit
+