Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Protect GHCR releases #915

Open
15 tasks
xopham opened this issue Feb 25, 2023 · 0 comments
Open
15 tasks

Protect GHCR releases #915

xopham opened this issue Feb 25, 2023 · 0 comments

Comments

@xopham
Copy link
Collaborator

xopham commented Feb 25, 2023
edited
Loading

Describe the feature
Releases to GHCR and gh-pages (documentation, Helm charts, artifacthub base) should be protected.

Optional: Is your feature request related to a problem? Please describe.
Rolling out automated build may expose artifacts to unauthorized users by overwriting the GitHub Actions in PRs and forging requests via the pipeline to delete/modify released artifacts (container images, documentation, Helm charts).

Optional: Implementation ideas
Several combined steps can help to mitigate the described risk:

  • Configure CODEOWNERS
  • Create an admin GitHub user ("alice") and a development GitHub user ("bob")
    • sole purpose is to provide credentials only scoped to Connaisseur with high and low privileges
    • this may be achievable via organizational settings
  • Configure GitHub Environment for protected branches
    • Enable "Required Reviewers" to trusted contributors
    • Enable "Protected Branches only" scoped to required envs
    • Configure secrets (Cosign private & public keys, Cosign password, GitHub PATs for write & delete packages and push to GH pages)
  • Setup 1 Environment for each develop and master scoped to bob and alice, respectively
    • release environment for master
    • development environment for develop
    • enforce "Required Reviewers" for release
  • Protect gh-pages to exclusively allow pushes from alice (if possible, but may collide with dev docs)
  • Configure Connaisseur package to restricted access
    • only "read" access by repository and contributors
    • "admin" only for alice
  • Scope release and cicd workflows to environments
    • Set release environment for release
    • Make cicd a reusable workflow and call separately for develop and master branch with development and release environment, respectively
  • Open up non-protected branches to allow development work via bob or even lower-privileged user with special access to connaisseur-test package
  • Centrally restrict GITHUB_TOKEN (GH Actions)
  • Make public cosign key configurable during workflow
  • Rotate all static Secrets
  • Publish official public Cosign key
  • Make sse-secure-systems/connaisseur packages public
  • Document layout in ADR
  • Publish article on protection
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@xopham