From 451e60b2aa2bb911d8e9a8d00f2c189dac8334f0 Mon Sep 17 00:00:00 2001 From: philnewm Date: Thu, 12 Sep 2024 09:35:01 +0200 Subject: [PATCH] Update security guidelines --- docs/security_guidelines.md | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/docs/security_guidelines.md b/docs/security_guidelines.md index 6f1389f..f152d46 100644 --- a/docs/security_guidelines.md +++ b/docs/security_guidelines.md 
@@ -3,8 +3,24 @@ Implementing appropriate controls and settings to govern what can run and when -* Define workkflow settings at Settings -> Actions -> General -* Restrict Action permissions: Last option allows org owned, github owned and explicitly allowed actions (would reccomend) -* Allow external collaborators to run workflows on PRs? -* Default workflow permissions: Only read -* Add CODEOWNERS file: Define groups or individuals reponsible for code files (Can automatically assign reviewers for PRs) +* Workflow settings + * Define workflow settings at Settings -> Actions -> General + * Restrict Action permissions: Last option allows org owned, github owned and explicitly allowed actions (would reccomend) + * Allow external collaborators to run workflows on PRs? + * Default workflow permissions: Only read +* CODEWONERS file + * Add CODEOWNERS file: Define groups or individuals reponsible for code files (Can automatically assign reviewers for PRs) + * Check github documentation for details about [CODEOWNERS file](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) +* Protected Tags + * Protect release tags to prevent them from being moved + * Only spcific users should have permissions to modify and create tags + * Allows consistency for CI/CD pipelines if tags are a trigger or a reference +* Protected Branches + * PR before merging + * Require status checks before merging + * Require merge queue + * Require deployments to succeed before merging + * Settings -> Code and automation -> Branches -> Add branch protection rule + * See [docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule) +* Repo Rules + *
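Review bot: the new `* Repo Rules` section at the end of the hunk is committed as an empty placeholder (the heading is followed by a bare `*`), so either fill it in before merging or drop the heading until there is content to put under it. The reorganisation also introduces a misspelled heading, `* CODEWONERS file`, which should read "CODEOWNERS file" to match the bullet beneath it and the linked documentation, and it carries over the misspellings "reccomend" and "reponsible" from the removed lines while adding "spcific" in the Protected Tags section; since these lines are being rewritten anyway, fix the spelling in the same patch. Two of the retained bullets still read as open notes rather than guidance: "Allow external collaborators to run workflows on PRs?" should state the recommended setting instead of ending in a question, and "Restrict Action permissions: Last option allows ..." should name the option rather than refer to its position in the settings UI, which can change.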