gateway: fine-grained trust levels

[raboof]

It would be great if we had a way to define more fine-grained trust levels for GitHub actions: for example, it might be fine to allow many 'questionable' actions in pull_request workflows, since those don't have many permissions in the first place. For push actions or actions that have access to secrets or write access to caches we might want to be more strict.

I suspect GitHub won't have any provision for this, and I don't see such a concept in other tools such as https://otterdog.readthedocs.io/ and https://docs.zizmor.sh/ .

Filed zizmorcore/zizmor#1271 for this idea at zizmor.

[dave2wave]

@potiuk @kevinjqliu Any thoughts about checking on actions for trust levels?

[potiuk]

This is tricky. The issue is that we have no check at the moment of adding actions in the PR - and it could be added to any workflow at any time- and I do not think we have hook/control over it.

[kevinjqliu]

alongside zizmor, we also use codeql for github actions, https://github.com/apache/iceberg/blob/main/.github/workflows/codeql.yml

It scans workflows for different rules like "actions/missing-workflow-permissions", https://github.com/apache/iceberg/security/code-scanning/1

Its not exactly what you described, but it gives maintainers more context/information on the right thing to do

[kevinjqliu]

we could enhance the ASF Allowlist Check action to check both the github action AND its associated permissions. But that gets complicated real quick