Open linsun opened 5 months ago
A question was raised on today's TAG call:
Is this intended to be TAG Security guidance, or is this a call for contributions from STAG members?
The security guidelines on the contribute.CNCF.io site were contributed by TAG Security to provide projects with guidance on securing their project and repo; it was intended to pull together elements from the self assessment and best practices in a central location for project maintainers.
This request to update those guidelines is, in addition to refreshing them for current best practices, intended to reduce the probability that uninformed security researchers or malicious entities successfully exfiltrate secrets from projects leveraging GitHub Actions. How the TAG chooses to facilitate this update is up to you all!
We would like to ensure project maintainers are receiving the benefit of the STAG's expertise in securing their codebase.
@eddie-knight does this additional context answer the question?
Thanks for the quick reply @TheFoxAtWork
Per @mnm678, we'll reach out to TAGCS and then document the relationship somewhere, so that the work is tracked and can be maintained over time.
Of course! Some additional context: All the security content (templates and guidance) was contributed by TAG Security previously (I did the templates when I was an active member, and @ragashreeshekar I believe worked on the guidance). The guidance was a request from the TOC liaison at the time (also me) to ensure projects had a central location (contribute.cncf.io) to get all their resources, guides, and templates for starting and maintaining their project rather than searching through TAG repos for content of interest/relevance that may not be written in a manner that is easily actionable.
We just spoke with TAGCS and concluded that we will:
Awesome, thank you for the follow-up!
Could you update the security guidelines on contribute.cncf.io (https://github.com/cncf/tag-contributor-strategy/blob/main/website/content/maintainers/security/security-guidelines.md) to include configuration of repository settings which will require an approval from one of the repository owners/maintainers instead of starting a build for each created pull request?
Please refer to GitHub's details here: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories
This should be recommended as best practices for projects. Let me know if you have any questions. cc @TheFoxAtWork and @tpepper
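As an added example (not from this issue or the contribute.cncf.io guidance), the workflow-level counterpart of the repository setting requested above: the trigger pattern that hands repository secrets to code from a fork, beside the hardened form that relies on the fork-PR approval setting. Workflow names, file paths and the `NPM_TOKEN` secret are constructed.

```yaml
# .github/workflows/ci-unsafe.yml  (constructed anti-pattern, do not copy)
# pull_request_target runs in the BASE repository's context, so repository
# secrets are available, yet this job checks out and executes the fork's code.
name: ci-unsafe
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted fork code
      - run: make test                                      # executes it...
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}               # ...with a secret in scope

---
# .github/workflows/ci.yml  (constructed hardened form)
# pull_request runs in the fork's context: for fork PRs GitHub does not pass
# repository secrets and the GITHUB_TOKEN is read-only. Combined with the
# repository setting "Require approval for all outside collaborators", no job
# starts until a maintainer has looked at the change.
name: ci
on:
  pull_request:
permissions:
  contents: read            # least-privilege GITHUB_TOKEN for the whole workflow
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref: the PR merge commit
      - run: make test              # no secrets passed; publishing is a separate
                                    # workflow triggered only on push to main
```

The repository setting is applied in the GitHub UI (Settings > Actions > General) per the documentation linked above; the workflow file cannot set it, so both controls are needed.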