
Proposal: Use harden-runner in jobs using OPENTELEMETRYBOT_GITHUB_TOKEN #74

Open
pellared opened this issue Jun 22, 2023 · 7 comments

Comments

@pellared
Member

We can consider using https://github.com/step-security/harden-runner in places where OPENTELEMETRYBOT_GITHUB_TOKEN is used.

Proposal:

  1. Try using it in one repository (e.g. in https://github.com/open-telemetry/opentelemetry-go/blob/main/.github/workflows/create-dependabot-pr.yml)
  2. Propose a PR for https://github.com/open-telemetry/community/blob/main/assets.md#opentelemetry-bot to recommend using https://github.com/step-security/harden-runner
  3. Create issues for repos which are using OPENTELEMETRYBOT_GITHUB_TOKEN so that they add https://github.com/step-security/harden-runner
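The kind of change step 1 asks for, shown as an added example rather than the actual create-dependabot-pr.yml from opentelemetry-go: harden-runner runs as the first step of the job that holds OPENTELEMETRYBOT_GITHUB_TOKEN, so any later step (including a compromised dependency or action) can only reach the listed hosts, and every attempted connection is recorded. The job name, script path and allowed endpoints are assumptions for illustration.

```yaml
# Added example, not the project's workflow. Job layout, script path and the
# allow-list are assumptions; the harden-runner inputs themselves are real.
name: create-dependabot-pr

on:
  workflow_dispatch:

permissions:
  contents: read   # the built-in GITHUB_TOKEN stays read-only; the PAT does the write

jobs:
  create-pr:
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@v2   # pin to a full commit SHA in real use
        with:
          # Start with "audit" to learn which hosts the job needs, then switch to
          # "block" so that a step trying to send the PAT elsewhere is denied and logged.
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            proxy.golang.org:443
          disable-sudo: true   # steps cannot escalate to tamper with the runner

      - uses: actions/checkout@v4

      - name: Update dependencies and open PR
        env:
          # The only step that sees the PAT; its egress is already constrained above.
          GITHUB_TOKEN: ${{ secrets.OPENTELEMETRYBOT_GITHUB_TOKEN }}
        run: ./.github/workflows/scripts/dependabot-pr.sh   # assumed script path
```

Running one pass with `egress-policy: audit` first gives the list of endpoints the job really contacts, which is what the `allowed-endpoints` block should be built from before switching to `block`.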
@pellared
Member Author

CC @trask

@trask
Member

trask commented Jul 6, 2023

> We can consider using https://github.com/step-security/harden-runner in places where OPENTELEMETRYBOT_GITHUB_TOKEN is used.

the OPENTELEMETRYBOT_GITHUB_TOKEN fine-grained PAT org secret will have very limited permissions once open-telemetry/community#1549 is implemented

do you mean specifically for the additional fine-grained PATs with write access to a single repo for those who want to grant write permission to @opentelemetrybot? (open-telemetry/community#1503 (comment))

@pellared
Member Author

pellared commented Jul 13, 2023

> do you mean specifically for the additional fine-grained PATs with write access to a single repo for those who want to grant write permission to @opentelemetrybot?

Yup. However, it may be safer to use it everywhere OPENTELEMETRYBOT_GITHUB_TOKEN is used, as the permissions of the PAT may change and the contributor may not know what the permissions are.

@tigrannajaryan
Member

@pellared this fell through the cracks. Is it still actual?

@pellared
Member Author

@tigrannajaryan, yes it is. I think that the proposal should be reviewed by Security SIG.

@trask
Member

trask commented May 15, 2024

cc @open-telemetry/sig-security-maintainers

@trask trask transferred this issue from open-telemetry/community Sep 17, 2024
@jpkrohling
Member

@pellared, sounds really cool. Would you be able to make a list of alternatives, and why the one from this specific vendor is the one we should use? We currently have a set of tools provided by the CNCF, like Snyk.io. Couldn't we use one of them instead?
