Skip to content

fix: exclude CI/CD trust-boundary repos from skip-review Tide queries#1214

Merged
cert-manager-prow[bot] merged 1 commit into
cert-manager:masterfrom
FelixPhipps:skip-review-testing-VC-53840
Jun 26, 2026
Merged

fix: exclude CI/CD trust-boundary repos from skip-review Tide queries#1214
cert-manager-prow[bot] merged 1 commit into
cert-manager:masterfrom
FelixPhipps:skip-review-testing-VC-53840

Conversation

@FelixPhipps

@FelixPhipps FelixPhipps commented Jun 25, 2026
edited
Loading

Copy link
Copy Markdown

Summary

  • The three bot Tide queries (github-actions[bot], octo-sts[bot], renovate[bot]) used orgs: [cert-manager] with no excludedRepos, making cert-manager/testing itself eligible for automatic no-review merges. A compromised bot identity could self-apply skip-review, merge a malicious config/jobs/** file, and have config-updater write it into the live job-config ConfigMap on prow-trusted — giving an attacker control of every secret in the trusted cluster with no maintainer notification.
  • Add excludedRepos: [cert-manager/testing, cert-manager/infrastructure, cert-manager/renovate-config] to all three bot Tide queries, scoping automatic merges away from repos that form the CI/CD trust boundary. This mirrors the existing pattern used by the default org query, which already excludes cert-manager/cert-manager.

Testing

  • Ran checkconfig --strict (the same image used by the pull-testing-config presubmit) against both the pre-fix and post-fix config — both pass, confirming the fix introduces no structural regressions.
  • Ran a Go scope validator against both configs to confirm: (a) on master all three bot queries have excludedRepos: [] and cert-manager/testing is in scope; (b) on this branch all three queries exclude the three trust-boundary repos.

@cert-manager-prow cert-manager-prow Bot added dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 25, 2026
@cert-manager-prow

cert-manager-prow Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Hi @FelixPhipps. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@cert-manager-prow cert-manager-prow Bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jun 25, 2026
@claude
security: exclude CI/CD trust-boundary repos from skip-review Tide qu…
2e73894 
…eries

The three bot Tide queries (github-actions[bot], octo-sts[bot],
renovate[bot]) used orgs: [cert-manager] with no excludedRepos,
making cert-manager/testing itself eligible for automatic bot merges
without any human review. A compromised bot identity with label-write
access could self-apply skip-review, merge an arbitrary config/jobs/**
file, and have config-updater write a malicious prow-trusted periodic
into the live job-config ConfigMap — giving the attacker control of
every secret mounted in the trusted cluster.

Add excludedRepos: [cert-manager/testing, cert-manager/infrastructure,
cert-manager/renovate-config] to all three bot queries so automatic
merges can never bypass human review on repositories that form the
CI/CD trust boundary.

Fixes CWE-863 / CWE-284. Tracked as VC-53840.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: felix.phipps <felix.phipps@cyberark.com>
@FelixPhipps FelixPhipps force-pushed the skip-review-testing-VC-53840 branch from c16c71f to 2e73894 Compare June 25, 2026 11:11
@cert-manager-prow cert-manager-prow Bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels Jun 25, 2026
@FelixPhipps FelixPhipps changed the title security: exclude CI/CD trust-boundary repos from skip-review Tide queries fix: exclude CI/CD trust-boundary repos from skip-review Tide queries Jun 25, 2026
@wallrj-cyberark wallrj-cyberark requested a review from Copilot June 26, 2026 07:52
@wallrj-cyberark

wallrj-cyberark commented Jun 26, 2026

Copy link
Copy Markdown
Member

/ok-to-test

@cert-manager-prow cert-manager-prow Bot added ok-to-test and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 26, 2026
Copilot AI reviewed Jun 26, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens Tide’s “skip-review” auto-merge scope for bot-authored PRs in the cert-manager org by excluding repositories that form the CI/CD trust boundary, reducing the risk of unattended merges into sensitive configuration repos.

Changes:

  • Added excludedRepos for the github-actions[bot] Tide query to exclude cert-manager/testing, cert-manager/infrastructure, and cert-manager/renovate-config.
  • Added the same excludedRepos exclusions for the octo-sts[bot] Tide query.
  • Added the same excludedRepos exclusions for the renovate[bot] Tide query.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

wallrj-cyberark
wallrj-cyberark reviewed Jun 26, 2026
View reviewed changes

@wallrj-cyberark wallrj-cyberark left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Summary

The change is correct and well-scoped. Adding excludedRepos to the three bot Tide queries closes the gap where cert-manager/testing, cert-manager/infrastructure, and cert-manager/renovate-config were eligible for automatic no-review merges by bot-authored PRs carrying skip-review. This mirrors the existing excludedRepos mechanism already used by the default org-wide query (which excludes cert-manager/cert-manager).

All three excluded repos confirmed to exist. The YAML structure and indentation are consistent with the surrounding config.

Observations

  • Defence-in-depth follow-ups: this PR addresses the Tide query scope. Additional hardening measures — such as restricting which Secrets a cluster: prow-trusted job can mount (via ValidatingAdmissionPolicy or similar), or splitting config-updater's job-config so trusted-cluster jobs require a separate merge path — could be considered as follow-up work.

  • Commit message style: the fix: conventional-commit prefix is used by Renovate on this repo but not by human-authored commits (recent examples: "Fix cert-manager master required checks", "Make K8s 1.36 the primary version"). Consider dropping the prefix to match the prevailing style — though this is a minor nit.

  • Maintenance note: if a fourth bot identity is later added to Tide with skip-review semantics, the same excludedRepos block will need to be duplicated. The inline comments make this clear, which helps.

@wallrj-cyberark

wallrj-cyberark commented Jun 26, 2026

Copy link
Copy Markdown
Member

Tagging the authors and approvers of the original PRs that introduced the bot skip-review Tide queries being modified here:

PR Change Author Approver
#1036 github-actions[bot] skip-review query @inteon @SgtCoDFish
#1045 skip-review label (label-sync) @inteon
#1104 octo-sts[bot] skip-review query @ThatsMrTalbot @erikgb
#1121 renovate[bot] skip-review query @erikgb @ThatsMrTalbot

This PR adds excludedRepos to all three bot queries to scope automatic merges away from repos that form the CI/CD trust boundary (testing, infrastructure, renovate-config).

@FelixPhipps — the PR description mentions "Ran a Go scope validator against both configs". Could you link to or describe this tool? It's not clear whether this is an existing utility or something you wrote ad hoc, and it would help reviewers understand the test evidence.

erikgb
erikgb reviewed Jun 26, 2026
View reviewed changes

@erikgb erikgb left a comment
edited
Loading

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

This makes a lot of sense! Thanks @FelixPhipps!

@cert-manager-prow cert-manager-prow Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2026
@FelixPhipps

FelixPhipps commented Jun 26, 2026

Copy link
Copy Markdown
Author

@FelixPhipps — the PR description mentions "Ran a Go scope validator against both configs". Could you link to or describe this tool? It's not clear whether this is an existing utility or something you wrote ad hoc, and it would help reviewers understand the test evidence.

@wallrj-cyberark Small tool that I wrote ad-hoc specifically for this, parses config.yaml and checks whether each bot Tide query has excludedRepos covering the three trust-boundary repos.

Linked here

wallrj-cyberark
wallrj-cyberark approved these changes Jun 26, 2026
View reviewed changes

@wallrj-cyberark wallrj-cyberark left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — the change correctly narrows the bot skip-review Tide queries to exclude CI/CD trust-boundary repos.

@wallrj-cyberark wallrj-cyberark requested a review from wallrj June 26, 2026 11:07
@wallrj-cyberark

wallrj-cyberark commented Jun 26, 2026

Copy link
Copy Markdown
Member

As a future improvement, it would be worth integrating the scope validator into make verify (e.g. as a verify-tide-scope target) so that pull-testing-verify catches regressions — for example if a new bot query is added without excludedRepos, or if the exclusions are accidentally removed.

@wallrj

wallrj commented Jun 26, 2026

Copy link
Copy Markdown
Member

/approve
/lgtm

@cert-manager-prow

cert-manager-prow Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wallrj, wallrj-cyberark

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 26, 2026
@cert-manager-prow cert-manager-prow Bot merged commit 2978559 into cert-manager:master Jun 26, 2026
6 checks passed
@cert-manager-prow

cert-manager-prow Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

@FelixPhipps: Updated the config configmap in namespace default at cluster default using the following files:

  • key config.yaml using file config/config.yaml
Details

In response to this:

Summary

  • The three bot Tide queries (github-actions[bot], octo-sts[bot], renovate[bot]) used orgs: [cert-manager] with no excludedRepos, making cert-manager/testing itself eligible for automatic no-review merges. A compromised bot identity could self-apply skip-review, merge a malicious config/jobs/** file, and have config-updater write it into the live job-config ConfigMap on prow-trusted — giving an attacker control of every secret in the trusted cluster with no maintainer notification.
  • Add excludedRepos: [cert-manager/testing, cert-manager/infrastructure, cert-manager/renovate-config] to all three bot Tide queries, scoping automatic merges away from repos that form the CI/CD trust boundary. This mirrors the existing pattern used by the default org query, which already excludes cert-manager/cert-manager.

Testing

  • Ran checkconfig --strict (the same image used by the pull-testing-config presubmit) against both the pre-fix and post-fix config — both pass, confirming the fix introduces no structural regressions.
  • Ran a Go scope validator against both configs to confirm: (a) on master all three bot queries have excludedRepos: [] and cert-manager/testing is in scope; (b) on this branch all three queries exclude the three trust-boundary repos.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@erikgb erikgb erikgb left review comments
Copilot code review Copilot Copilot left review comments
@wallrj-cyberark wallrj-cyberark wallrj-cyberark approved these changes
@wallrj wallrj Awaiting requested review from wallrj

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. lgtm Indicates that a PR is ready to be merged. ok-to-test size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@FelixPhipps @wallrj-cyberark @wallrj @erikgb