-
Notifications
You must be signed in to change notification settings - Fork 527
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Suggestion] Update security guidelines on contribute.cncf.io #1260
Comments
A question was raised on today's TAG call: Is this intended to be TAG Security guidance, or is this a call for contributions from STAG members? |
The security guidelines on the contribute.CNCF.io site were contributed by TAG Security to provide projects with guidance on securing their project and repo, it was intended to pull together elements from the self assessment and best practices in a central location for project maintainers. This request to update those guidelines is, in addition to refreshing them for current best practices, intended to reduce the probability of uninformed security researchers or malicious entities from successfully exfiltrating secrets from projects leveraging GitHub actions. How the TAG chooses to facilitate this update is up to you all! We would like to ensure project maintainers are receiving the benefit of the STAG's expertise in securing their codebase. @eddie-knight does this additional context answer the question? |
Thanks for the quick reply @TheFoxAtWork Per @mnm678, we'll reach out to TAGCS and then document the relationship somewhere, so that the work is tracked and can be maintained over time. |
Of course! some additional context: |
We just spoke with TAGCS and concluded that we will:
|
Awesome thank you for the follow-up! |
Signed-off-by: Eddie Knight <[email protected]>
Signed-off-by: Eddie Knight <[email protected]>
Added maintainer guide as part of #1260
Could you update the security guidelines on contribute.cncf.io (https://github.com/cncf/tag-contributor-strategy/blob/main/website/content/maintainers/security/security-guidelines.md) to include configuration of repository settings which will require an approval from one of the repository owners/maintenance instead of starting a build for each created pull request?
Please refer to GitHub's details here: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories
This should be recommended as best practices for projects. Let me know if you have any questions. cc @TheFoxAtWork and @tpepper
The text was updated successfully, but these errors were encountered: