GitHub Enterprise Production Readiness Document Review - Authentication, Authorization, Audit Log Ingestion, Monitoring and Alerting

[Danajoyluck]

Thanks everyone for investing time.....This issue is per Arnaud's request in response to the 4/30 TAC pre-read that CRob shared.

GitHub Enterprise Production Readiness Document needs TAC review and feedback. The document covers Authentication, Authorization, Audit Log Ingestion, Monitoring and Alerting. Authentication and authorization contents are built in conjunction with TAC issue 292 ( GitHub enterprise account structure and shared responsibility model). It is easier to review the account structure and shared responsibility model first before review the documents under this issue.

Production readiness document for this issue is here: https://docs.google.com/document/d/1E5RAj0EvOQp-bF8B3gf09Bp0NiZEcqMtZ5Sa__QXbDQ/edit#heading=h.whnal1dq5jsm

[mlieberman85]

I'm in favor of the hybrid model over the federated model. Federated lets a poorly governed org to be compromised more easily by a bad actor. The hybrid model gives LF staff a break glass mechanism.

[sevansdell]

Comments in document: https://docs.google.com/document/d/1E5RAj0EvOQp-bF8B3gf09Bp0NiZEcqMtZ5Sa__QXbDQ/edit#heading=h.whnal1dq5jsm

[SecurityCRob]

I've also added a series of comments in the doc. It looks like we have a few separate things to officially consider that the TAC will need to provide feedback on the preferred direction on. We can work these asynchronously or we can make it part of the next call (28May).

[SecurityCRob]

me-- fat.fingers--

[SecurityCRob]

Staff is seeking a decision from the TAC on these elements from Dana's doc:
1.) GitHub Enterprise Account Structure - Hybrid or Federated Model?
2.) Fork pull request workflows from outside collaborators - y/n?
3.) require approval for first-time contributors - y/n?
4.) Allow GitHub actions to create and approve pull requests - y/n?

@ossf/tac please add a comment that indicates your choices for these 4 items

[SecurityCRob]

1.) Hybrid
2.) yes
3.) yes
4.) i need more info/debate to understand pros/cons. Seems like we need this for software projects, but want to hear from experts

[bobcallaway]

Here's the collective view after polling several folks that work on Sigstore:

1. Hybrid: Sigstore wishes to stay as its own organization. We recognize that some projects may not have the backing to operate their own organizations however, so hybrid would be preferred over federated.
2. See answer below. Yes, we should enforce that first-time contributors cannot run workflows.
3. Require approval for first-time contributors or first-time contributors who are new. Anything more restrictive, "require approval for all outside collaborators", may be disruptive to maintainers.
4. We SHOULD allow GitHub Actions to create and approve pull requests. Within Sigstore, we need the ability to create PRs from GitHub Actions for TUF and infrastructure automation. However, we do not need approval, as we currently leverage a bot account to handle PR approvals, and could move to a GitHub app at a later point. Because these options cannot be separated, we would recommend enabling this.