Bug Bounty: refactor workflow for maintainability and security

[lucasgonze]

Description

On reviewing the Github Action workflows, we found that one was too complicated for maintainability. Its complexity constrains the ability to reason and debug, and this is limiting our ability to ensure security.

The workflow needs to be refactored. In doing this it will be broken up into multiple files.

Each one of those files must follow best practices for security.

Proposed differences

1. Break up each of the larger units into a separate file
2. add a new secret github_token_rw that has write priveledges
3. make the existing github_token a read only token
4. change the pull_request_target trigger to pull_request.

(See also https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token, where there is a described way of changing to the restricted mode for the token)

Additional context

• Related links:
  • Bounty Program for Magma Community (google doc)
  • chore: write bounty items #15308
  • Update OpenSSF Security Scorecard #144
  • Chore: refactor reviewdog-workflow.yml for security #147
• link to source of the file: https://github.com/magma/magma/blob/master/.github/workflows/reviewdog-workflow.yml
• path to file: /magma/.github/workflows/reviewdog-workflow.yml
• Guidance on using security scorecard to identify best practices
  • Dangerous-Workflow
  • Token-Permissions

Perceived complexity

The technical obstacles are roughly at medium difficulty. They entail:

• Breaking up a single long file into a bunch of smaller ones
• Figuring out how to test-drive and debug items in the CI
• Changing privilege levels on tokens

Proposed bounty reward

$1000

[lucasgonze]

Discussed and approved for vote in TSC Oct 30.