Review: security around github actions

[davidkelliott]

User Story

Security review of our github actions to ensure they are still secure.
Wider conversation with the team to raise any concerns.

User Type(s)

Value

Questions / Assumptions / Hypothesis

Definition of done

• [ ] readme has been updated
• [ ] user docs have been updated
• [ ] another team member has reviewed
• [ ] tests are green
• [ ] UR test OR added to continual research plan
• [ ] List of security issues in GHA presented back to the team and discussed for prioritisation

Reference

How to write good user stories

[dms1981]

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

[davidkelliott]

We should add tag protection - https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_tag_protection

https://github.com/ministryofjustice/modernisation-platform/issues/2617

[davidkelliott]

We should stop using this 3rd party Slack bot - https://github.com/ministryofjustice/modernisation-platform/issues/2217

[davidkelliott]

Checked for injection script vulnerabilities in our main repos, none found

[davidkelliott]

Preventing GitHub Actions from creating or approving pull requests - not enabling as we have proper PR review oversight

Fork pull request workflows from outside collaborators - changed from first time to all, any users contributing should be in the org or have permissions to push.

[davidkelliott]

Use OSSF scanning - https://github.com/ministryofjustice/modernisation-platform/pull/2628