ci: standardize / clarify comments around privileged checkouts

[ upstream commit 96f3fd7 ]

Workflows running on PRs and based on `pull_request_target` and
`workflow_dispatch` are executed in a privileged context (e.g. access to
repository secrets), hence we take extra care not to execute anything
coming from the PR directly in the context of the workflow steps, but
instead always in a sandboxed or controlled environment (e.g. a managed
Kubernetes cluster or LVH VMs).

This commit standardizes and adds some context around which checkouts
are trusted and which are not, and where to be start being careful with
what the workflow steps are doing.

Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>

.github/workflows/build-images-base.yaml

@@ -31,7 +31,9 @@ jobs:
         id: qemu
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
-      - name: Checkout Source Code
+      # Warning: since this is a privileged workflow, subsequent workflow job
+      # steps must take care not to execute untrusted code.
+      - name: Checkout pull request branch (NOT TRUSTED)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           persist-credentials: false

.github/workflows/build-images-ci.yaml

@@ -69,7 +69,9 @@ jobs:
             echo tag=${{ github.sha }} >> $GITHUB_OUTPUT
           fi
 
-      - name: Checkout Source Code
+      # Warning: since this is a privileged workflow, subsequent workflow job
+      # steps must take care not to execute untrusted code.
+      - name: Checkout pull request branch (NOT TRUSTED)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           persist-credentials: false

.github/workflows/conformance-aks.yaml

@@ -76,7 +76,7 @@ jobs:
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
-      - name: Checkout context ref
+      - name: Checkout context ref (trusted)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ inputs.context-ref || github.sha }}
@@ -117,7 +117,7 @@ jobs:
       matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}}
 
     steps:
-      - name: Checkout context ref
+      - name: Checkout context ref (trusted)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ inputs.context-ref || github.sha }}
@@ -225,8 +225,9 @@ jobs:
             until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
           done
 
-      # Checkout source code to install Cilium using local Helm chart.
-      - name: Checkout code
+      # Warning: since this is a privileged workflow, subsequent workflow job
+      # steps must take care not to execute untrusted code.
+      - name: Checkout pull request branch (NOT TRUSTED)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ steps.vars.outputs.sha }}

.github/workflows/conformance-aws-cni.yaml

@@ -75,7 +75,7 @@ jobs:
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
-      - name: Checkout context ref
+      - name: Checkout context ref (trusted)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ inputs.context-ref || github.sha }}
@@ -116,7 +116,7 @@ jobs:
       matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}}
 
     steps:
-      - name: Checkout context ref
+      - name: Checkout context ref (trusted)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ inputs.context-ref || github.sha }}
@@ -223,8 +223,9 @@ jobs:
             until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
           done
 
-      # Checkout source code to install Cilium using local Helm chart.
-      - name: Checkout code
+      # Warning: since this is a privileged workflow, subsequent workflow job
+      # steps must take care not to execute untrusted code.
+      - name: Checkout pull request branch (NOT TRUSTED)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ steps.vars.outputs.sha }}

.github/workflows/conformance-clustermesh.yaml

@@ -151,7 +151,7 @@ jobs:
             kube-proxy: 'iptables'
 
     steps:
-      - name: Checkout context ref
+      - name: Checkout context ref (trusted)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ inputs.context-ref || github.sha }}
@@ -323,13 +323,9 @@ jobs:
             until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
           done
 
-      # We need to checkout the SHA to retrieve the Helm chart
-      # Warning: since this is a privileged workflow, we should be careful NOT to
-      # use anything coming from an external contributor in a privileged
-      # environment. Here it's fine because we pass the Helm chart to be installed
-      # in a Kubernetes cluster, so it won't have access to the privileged
-      # environment from there.
-      - name: Checkout SHA
+      # Warning: since this is a privileged workflow, subsequent workflow job
+      # steps must take care not to execute untrusted code.
+      - name: Checkout pull request branch (NOT TRUSTED)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ steps.vars.outputs.sha }}

.github/workflows/conformance-eks.yaml

@@ -75,7 +75,7 @@ jobs:
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
-      - name: Checkout context ref
+      - name: Checkout context ref (trusted)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ inputs.context-ref || github.sha }}
@@ -116,7 +116,7 @@ jobs:
       matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}}
 
     steps:
-      - name: Checkout context ref
+      - name: Checkout context ref (trusted)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ inputs.context-ref || github.sha }}
@@ -214,8 +214,9 @@ jobs:
             until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
           done
 
-      # Checkout source code to install Cilium using local Helm chart.
-      - name: Checkout code
+      # Warning: since this is a privileged workflow, subsequent workflow job
+      # steps must take care not to execute untrusted code.
+      - name: Checkout pull request branch (NOT TRUSTED)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ steps.vars.outputs.sha }}

.github/workflows/conformance-externalworkloads.yaml

@@ -76,7 +76,7 @@ jobs:
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
-      - name: Checkout context ref
+      - name: Checkout context ref (trusted)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ inputs.context-ref || github.sha }}
@@ -117,7 +117,7 @@ jobs:
       matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}}
 
     steps:
-      - name: Checkout context ref
+      - name: Checkout context ref (trusted)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ inputs.context-ref || github.sha }}
@@ -172,7 +172,9 @@ jobs:
           echo sha=${SHA} >> $GITHUB_OUTPUT
           echo owner=${OWNER} >> $GITHUB_OUTPUT
 
-      - name: Checkout code
+      # Warning: since this is a privileged workflow, subsequent workflow job
+      # steps must take care not to execute untrusted code.
+      - name: Checkout pull request branch (NOT TRUSTED)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ steps.vars.outputs.sha }}

.github/workflows/conformance-gke.yaml

@@ -74,7 +74,7 @@ jobs:
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
-      - name: Checkout context ref
+      - name: Checkout context ref (trusted)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ inputs.context-ref || github.sha }}
@@ -122,7 +122,7 @@ jobs:
       matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}}
 
     steps:
-      - name: Checkout context ref
+      - name: Checkout context ref (trusted)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ inputs.context-ref || github.sha }}
@@ -171,8 +171,9 @@ jobs:
           echo sha=${SHA} >> $GITHUB_OUTPUT
           echo owner=${OWNER} >> $GITHUB_OUTPUT
 
-      # Checkout source code to install Cilium using local Helm chart.
-      - name: Checkout code
+      # Warning: since this is a privileged workflow, subsequent workflow job
+      # steps must take care not to execute untrusted code.
+      - name: Checkout pull request branch (NOT TRUSTED)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ steps.vars.outputs.sha }}

.github/workflows/conformance-ingress.yaml

@@ -74,8 +74,8 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     steps:
-      - name: Checkout context ref
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Checkout context ref (trusted)
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ inputs.context-ref || github.sha }}
           persist-credentials: false
@@ -101,7 +101,9 @@ jobs:
           fi
           echo sha=${SHA} >> $GITHUB_OUTPUT
 
-      - name: Checkout
+      # Warning: since this is a privileged workflow, subsequent workflow job
+      # steps must take care not to execute untrusted code.
+      - name: Checkout pull request branch (NOT TRUSTED)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ steps.vars.outputs.sha }}

.github/workflows/tests-ipsec-upgrade.yaml

@@ -108,7 +108,7 @@ jobs:
 
     timeout-minutes: 60
     steps:
-      - name: Checkout context ref
+      - name: Checkout context ref (trusted)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ inputs.context-ref || github.sha }}

.github/workflows/tests-l4lb.yaml

@@ -73,7 +73,7 @@ jobs:
     runs-on: ubuntu-22.04
     timeout-minutes: 45
     steps:
-      - name: Checkout context ref
+      - name: Checkout context ref (trusted)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           ref: ${{ inputs.context-ref || github.sha }}
@@ -98,7 +98,9 @@ jobs:
           release-version: ${{ env.cilium_cli_version }}
           ci-version: ${{ env.cilium_cli_ci_version }}
 
-      - name: Checkout upstream for test files
+      # Warning: since this is a privileged workflow, subsequent workflow job
+      # steps must take care not to execute untrusted code.
+      - name: Checkout pull request branch (NOT TRUSTED)
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           # This is intentionally set to stable branch to avoid using test.sh from pull requests.