feat: add Danger task

Adds a common-ci-task configuration for Danger.

Unfortunately, the GitLab component could not be used since it does not
rely on Vault.

danger.md

+# [`danger`](./danger.yml)
+
+[Danger](https://github.com/danger/danger) is a tool used for automated merge request review tasks.
+
+It can be useful for reminding merge request contributors and reviewers of tasks which may need to be carried out.
+
+Danger is widely used across GitLab.
+
+```yaml
+variables:
+  GL_DEDICATED_GITLAB_DANGERFILES_VERSION: "4.7.0" # datasource=gitlab-releases depName=gitlab-org/ruby/gems/gitlab-dangerfiles
+
+include:
+  # Run Danger during merge requests to alert on messages, warnings and errors.
+  - project: 'gitlab-com/gl-infra/common-ci-tasks'
+    ref: v2.20.4  # renovate:managed
+    file: 'danger.yml'
+    inputs:
+        # stage: defaults to `validate`
+        gitlab_dangerfiles_version: "${GL_DEDICATED_GITLAB_DANGERFILES_VERSION}"
+```
+
+Next, commit a `Dangerfile` in the root of the project.
+
+```ruby
+# frozen_string_literal: true
+
+require 'gitlab-dangerfiles'
+
+Gitlab::Dangerfiles.for_project(self, &:import_defaults)
+
+message("Hello from Danger!")
+```
+
+This `Dangerfile` will be run on each pipeline in merge requests.
+
+# Token configuration
+
+The `danger` task relies on Vault tokens to be configured using the GitLab Project Module.
+
+The `common_ci_tasks.danger` configuration must be set to `true`.
+
+Review [the Project Setup documentation](./docs/project-setup.md) for further details.

danger.yml

+spec:
+  inputs:
+    stage:
+      default: validate
+    gitlab_dangerfiles_version:
+      description: 'Version requirement for `gitlab-dangerfiles`.'
+
+---
+
+# Taken from https://gitlab.com/gitlab-org/components/danger-review
+danger-review:
+  image: ruby:3.2.3
+  id_tokens:
+    VAULT_ID_TOKEN:
+      aud: https://vault.gitlab.net
+  secrets:
+    DANGER_GITLAB_API_TOKEN:
+      file: false
+      vault: "access_tokens/${VAULT_SECRETS_PATH}/danger/token@ci"
+      token: $VAULT_ID_TOKEN
+  stage: $[[ inputs.stage ]]
+  needs: []
+  retry:
+    max: 2
+    when:
+      - unknown_failure
+      - api_failure
+      - runner_system_failure
+      - stuck_or_timeout_failure
+  before_script:
+    # If we have a `Gemfile`, then we're good (we assume `danger`/`gitlab-dangerfiles` is part of the `Gemfile`), otherwise, we create a `Gemfile` and add `gitlab-dangerfiles` to it.
+    - '[[ -f "Gemfile" ]] || (bundle init && bundle add gitlab-dangerfiles --version "$[[ inputs.gitlab_dangerfiles_version ]]")'
+    # If we have no `Gemfile.lock`, then we're good (because we don't have a precise list of gem versions to install anyway), otherwise, we freeze the gems, just in case.
+    - '[[ ! -f "Gemfile.lock" ]] || bundle config set --local frozen "true"'
+    - bundle install
+  script:
+    danger_id=$(echo -n ${DANGER_GITLAB_API_TOKEN} | md5sum | awk '{print $1}' | cut -c5-10);
+    bundle exec danger --fail-on-errors=true --verbose --danger_id="${danger_id}" --dangerfile="Dangerfile";
+  after_script: |
+    cat <<-EOD
+    ----------------------------------------------------------
+    Need help? Documentation on the danger CI job can be found at:
+    https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/danger.md
+    EOD
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+      exists:
+        - Dangerfile

docs/project-setup.md

@@ -25,6 +25,7 @@ There are two ways of setting up projects: the automated way and the manual way.
             mirroring        = true
             renovate_bot     = true
             semantic_release = true
+            danger           = false # Enable for projects using Danger
         }
     }
     ```

test/downstream-pipeline-tests/tests.gitlab-ci.yml

@@ -30,7 +30,6 @@ test_downstream_pipeline_tests:
       # - promlint.yml
       # - gitlint.yml
       # - gitleaks.yml
-      # - semantic-release.yml
       - COMMON_CI_TASKS_TEST:
           - asdf-tool-versions.yml
           - checkov.yml