Open dekiel opened 2 months ago
We group workflows by area right now, so tests and builds for the same thing are in the same workflow. This means that our tests are also running in pull_request_target context.
It could be enough to limit permissions per job, to mitigate this. Example of a workflow that runs tests and builds, with different permissions: https://github.com/VOID404/application-connector-manager/blob/bfb8b46d47057fb3614fc299f3515f677c6926c8/.github/workflows/cra.yaml#L43-L45
Description
The image builder user guide and GitHub workflow integration documentation must contain basic information about the security concerns of using the pull_request_target event. The documentation must contain brief guidelines on how to use image builder in a workflow in a secure way.
Internal documentation: https://github.com/kyma-project/community/blob/main/docs/contributing/05-gh-actions.md
Example usage of image builder: https://github.com/VOID404/application-connector-manager/blob/move-other-builds/.github/workflows/cra.yaml
Area
Image Builder
Reasons
An image builder requires using a pull_request_target event. The usage of this event has implications for GitHub token permissions and scopes. Because of the token permissions when using a pull_request_target event, a workflow author must pay more attention to how it is used and what code is executed in the workflow, to prevent damage from untrusted code execution.
Acceptance Criteria
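As an added illustration of the per-job permission split suggested in the comment above and the risk described under Reasons (this is not the issue author's or the linked repository's workflow), two alternative layouts of the same workflow are shown in one listing; job names, the `make test` command, the build step and the `id-token` scope are hypothetical placeholders:

```yaml
# Added example, not from the issue or the linked repositories. Two alternative
# workflow files are shown back to back, separated by "---".
#
# Risky layout: one job, a privileged event, and the PR's own code executed with
# whatever GITHUB_TOKEN the repository default grants (possibly write access).
name: cra
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
jobs:
  test-and-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # PR head = untrusted code
      - run: make test              # executes whatever the PR put in the Makefile
      - run: echo "image build step (placeholder)"
---
# Hardened layout: same event, but the workflow-level default is emptied and each
# job declares only the scopes it needs. The job that executes PR code gets a
# read-only token and references no secrets; note that `permissions` limits only
# GITHUB_TOKEN, so any `secrets.*` used in that job would still be exposed.
name: cra
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
permissions: {}                     # nothing granted unless a job asks for it
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read                # read-only GITHUB_TOKEN while untrusted code runs
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false  # do not leave the token behind in .git/config
      - run: make test
  build:
    runs-on: ubuntu-latest
    needs: test                     # build only after the low-privilege job passed
    permissions:
      contents: read
      id-token: write               # assumption: only if the builder authenticates via OIDC
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # Dockerfile is still PR input
      - run: echo "image build step (placeholder)"
```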