ci: embed prod policy settings on release

This commit blesses the Microsoft fork of the Kata Containers policy and
settings.

Why not ours?

* Any divergence from upstream configs risks security relevant
  divergence and would need continuous justification.
* We can contribute missing policy features upstream, if needed.

Why not kata-containers/kata-containers?

* We assume that the Microsoft fork is customized to the AKS environment
  that we're targeting, and we want to stay compatible with that.
* The genpolicy tool and its config are not compatible across minor
  versions (e.g., a policy generated from Kata head today is not
  accepted by the Kata Agent available in the AKS preview today).

Author: burgerdev

packages/by-name/cli-release/package.nix

@@ -1,6 +1,16 @@
-{ nunki }:
+{ lib
+, nunki
+, genpolicy-msft
+, genpolicy ? genpolicy-msft
+}:
 
 (nunki.overrideAttrs (_finalAttrs: previousAttrs: {
+  prePatch = ''
+    install -D ${lib.getExe genpolicy} cli/assets/genpolicy
+    install -D ${genpolicy.settings}/genpolicy-settings.json cli/assets/genpolicy-settings.json
+    install -D ${genpolicy.rules}/genpolicy-rules.rego cli/assets/genpolicy-rules.rego
+  '';
+
   ldflags = previousAttrs.ldflags ++ [
     "-X main.DefaultCoordinatorPolicyHash=${builtins.readFile ../../../cli/assets/coordinator-policy-hash}"
   ];