This document outlines the security model and protections in place to keep resources used in the Apache Beam environment safe.
Protected Resources
Secrets used to publish releases, snapshots, or other customer facing resources should be secured. GitHub tokens with sufficient permission to write repository or artifact contents should also be secured.
This includes resources like tokens used to authenticate to Docker, but does not include all secrets (see "Non-protected resources").
These are protected by:
- Scoping them to workflows which can only be run manually or on a schedule
- Disabling caching for these workflows
- Always provisioning a fresh worker for jobs
Non-protected Resources
There are some resources used by the CI environment which can be considered protected via "best effort". This includes all secrets not described in the above section, including access to the sandboxed GCP test environment and the CI cache.
These still should not be exfiltrated as a best practice, but the consequences of this happening are low since all impact is well scoped (and monitored) to at most incur compute costs or broken CI workflows.
FAQs
Usage of pull_request_target
Many workflows make use of pull_request_target and then check out user code. These usages are allowed because no protected resources are exposed in these workflows.
Cache Poisoning
Some workflows may use custom user code and then upload to a remote cache. These usages are allowed because no workflows with protected resources are exposed in workflows which read from the cache.