Each instance of hydros should be considered single tenant.
We don't have sufficient security guarantees in place to prevent a user of hydros from escalating their permissions to those of hydros. So anyone who can use hydros, e.g. by submitting to a repository hydros has access to, should be considered to have at least viewer permission on all repositories to which that instance of hydros has access.
For example, we don't ensure that the repository/person who created a ManifestSync has access to the repositories mentioned in the ManifestSync. So suppose we have the following 3 repositories on which an instance of hydros is installed:
RepoA
RepoB
RepoC
So hydros has access to all three.
Now suppose we check into RepoA a ManifestSync that hydrates from RepoB to RepoC.
Then in principle someone with access to RepoA & RepoC but not RepoB could use hydros to exfiltrate code to RepoC.
We should update the documentation to make this clear.
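The check that the issue says is missing, written as an added example rather than hydros' own code: before a ManifestSync is acted on, verify that the person who created it holds read on the source repository and write on the destination, independently of what the hydros installation itself can reach. The ManifestSync fields, the permission levels and the ACL table are assumptions constructed for the example.

```go
package main

import "fmt"

// Permission levels, modelled loosely on repository roles (assumption).
type Permission int

const (
	None Permission = iota
	Read
	Write
)

// ManifestSync carries only the two fields the scenario needs: the repo
// hydrated from and the repo hydrated into. Field names are assumed.
type ManifestSync struct {
	SourceRepo string
	DestRepo   string
}

// ACL maps actor -> repository -> permission. A missing entry means None.
type ACL map[string]map[string]Permission

// AuthorizeManifestSync returns nil only when the actor who created the
// ManifestSync could legitimately read the source and write the destination.
// The repository the ManifestSync was checked into is irrelevant here: what
// matters is the creator's own access, not the access hydros was installed with.
func AuthorizeManifestSync(acl ACL, actor string, ms ManifestSync) error {
	if acl[actor][ms.SourceRepo] < Read {
		return fmt.Errorf("%s has no read access to source repo %s", actor, ms.SourceRepo)
	}
	if acl[actor][ms.DestRepo] < Write {
		return fmt.Errorf("%s has no write access to destination repo %s", actor, ms.DestRepo)
	}
	return nil
}

func main() {
	// Constructed ACL reproducing the issue's scenario: alice can reach
	// RepoA and RepoC but not RepoB, while hydros itself is installed on all three.
	acl := ACL{"alice": {"RepoA": Write, "RepoC": Write}}
	// A ManifestSync checked into RepoA that hydrates RepoB into RepoC must be refused.
	fmt.Println(AuthorizeManifestSync(acl, "alice", ManifestSync{SourceRepo: "RepoB", DestRepo: "RepoC"}))
	// Hydrating RepoA into RepoC is within alice's own permissions and passes.
	fmt.Println(AuthorizeManifestSync(acl, "alice", ManifestSync{SourceRepo: "RepoA", DestRepo: "RepoC"}))
}
```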