Trask Stalnaker

Results 339 comments of Trask Stalnaker

> We can consider using https://github.com/step-security/harden-runner in places where `OPENTELEMETRYBOT_GITHUB_TOKEN` is used.

the `OPENTELEMETRYBOT_GITHUB_TOKEN` fine-grained PAT org secret will have very limited permissions once #1549 is implemented do you mean...

pinging all maintainers for repos that are using `OPENTELEMETRYBOT_GITHUB_TOKEN`

* https://github.com/open-telemetry/opentelemetry-collector - @open-telemetry/collector-maintainers
* https://github.com/open-telemetry/opentelemetry-collector-contrib - @open-telemetry/collector-contrib-maintainer
* https://github.com/open-telemetry/opentelemetry-go - @open-telemetry/go-maintainers
* https://github.com/open-telemetry/opentelemetry-go-build-tools - @open-telemetry/go-maintainers
* https://github.com/open-telemetry/opentelemetry-go-contrib - @open-telemetry/go-maintainers
* ...

@pavolloffay I think you will need more access for that usage. I've created a separate fine-grained PAT that I think will give you the access you need to opentelemetrybot's forks...

> @open-telemetry/technical-committee what do you think about storing this new fine-grained PAT in an org secret scoped to only `opentelemetry-operator` repository, named `OPENTELEMETRYBOT_OPERATOR_FORKS_GITHUB_TOKEN`.

@arminru what do you think?

@arminru and I discussed on slack and agreed for now at least that we would share repo-specific tokens directly with maintainers of those repos instead of adding them as repo-scoped...

> a random PR from a random person can't result in a leak. (Someone please confirm my understanding is correct).

this is correct, here is the important part from https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#accessing-secrets...

(linking to related #1672 which has more follow-up discussion)

@open-telemetry/sig-security-maintainers is this something you can drive?

> I sent a formal request to get OpenSSF access for the organization.

Not sure if the GC or TC has access to accept that cc @open-telemetry/technical-committee