Evaluate Security Concerns regarding Zuul CI Usage

[o-otte]

As a SCS Developer, I want the CI Tooling to fulfill certain security aspects so that it is safe to use and can not be abused by any third parties.

The Zuul is used for our CI tooling. We need to ensure that it is configured in a way that we are able to use it securely. I.E. https://owasp.org/www-project-top-10-ci-cd-security-risks/

We should evaluate which security aspects are important for us and amend our configuration accordingly.

Definition of Ready:

• [ ] User Story is small enough to be finished within one sprint
• [ ] User Story is clear and understood by the whole team
• [ ] Acceptance criteria are defined
• [ ] Acceptance criteria are clear and understood by the whole team

Definition of Done:

• [ ] Security Aspects are evaluated
• [ ] Zuul Config is modified with respect to security settings
• [ ] All acceptance criteria are met
• [ ] Changes have been reviewed
• [ ] CI tests have run successfully
• [ ] Documentation has been updated
• [ ] Release Notes have been updated

[artificial-intelligence]

regarding personal access tokens:

it should now be possible to restrict their access to certain repositories and even certain actions, like only reading issues, according to the github blog:

https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/

[bitkeks]

What's the status here?