From f84f5f02b3e10efa8468460c21a4e027cd91ff68 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Fri, 1 May 2026 10:49:22 -0700 Subject: [PATCH] C0: review compensating control trusted-ci-only Verified Forgejo runner is registered only to forge.ops.eblu.me and the forge has registration disabled, so no untrusted users can trigger privileged CI. Tightened notes to reflect the closed-forge mechanism (not a per-repo allow-list). Co-Authored-By: Claude Opus 4.7 (1M context) --- compensating-controls.yaml | 13 ++++++++++--- docs/changelog.d/+review-cc-trusted-ci-only.misc.md | 1 + 2 files changed, 11 insertions(+), 3 deletions(-) create mode 100644 docs/changelog.d/+review-cc-trusted-ci-only.misc.md diff --git a/compensating-controls.yaml b/compensating-controls.yaml index fb5450d..a6dbc56 100644 --- a/compensating-controls.yaml +++ b/compensating-controls.yaml @@ -110,10 +110,17 @@ controls: forge (forge.ops.eblu.me). No external or untrusted repos can trigger privileged CI jobs. created: 2026-03-30 - last-reviewed: 2026-03-30 + last-reviewed: 2026-05-01 notes: >- - Verify runner registration is limited to the forge instance. - Check Forgejo runner config for repo allow-lists. + Verification: (1) Runner config (argocd/manifests/forgejo-runner/ + config.yaml) connects only to https://forge.ops.eblu.me/. (2) Forge + app.ini has DISABLE_REGISTRATION=true and ALLOW_ONLY_EXTERNAL_REGISTRATION + =true (ansible/roles/forgejo/defaults/main.yml) — no untrusted users + can sign up or create repos. The runner registers at instance scope + (repo_id=0/owner_id=0 in action_runner table), but the instance itself + is closed, so no per-repo allow-list is needed. Re-evaluate if the + forge ever opens to additional users or if the runner is repointed + to an external forge. - id: init-container-isolation description: >- diff --git a/docs/changelog.d/+review-cc-trusted-ci-only.misc.md b/docs/changelog.d/+review-cc-trusted-ci-only.misc.md new file mode 100644 index 0000000..89dc653 
--- /dev/null +++ b/docs/changelog.d/+review-cc-trusted-ci-only.misc.md @@ -0,0 +1 @@ +Reviewed compensating control `trusted-ci-only`: Forgejo runner is registered only to the private forge, which has registration disabled — no untrusted users can create repos or trigger privileged CI. Tightened the notes to reflect that the closed-forge property (not a per-repo allow-list) is what actually mitigates the risk.
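Review bot: in the compensating-controls.yaml hunk the `notes` value is a folded block scalar (`>-`), so the line breaks inside `argocd/manifests/forgejo-runner/` / `config.yaml` and `ALLOW_ONLY_EXTERNAL_REGISTRATION` / `=true` fold to spaces and the rendered text reads `forgejo-runner/ config.yaml` and `ALLOW_ONLY_EXTERNAL_REGISTRATION =true`; keep each path and each key=value pair on one physical line (or switch the scalar to `|-`) so the verification steps can be copied as written. Two further points on the same hunk: the notes treat `DISABLE_REGISTRATION=true` and `ALLOW_ONLY_EXTERNAL_REGISTRATION=true` as jointly proving that "no untrusted users can sign up", but ALLOW_ONLY_EXTERNAL_REGISTRATION is the switch that governs registration through external auth sources, so the verification should state explicitly that no OAuth2/OpenID or reverse-proxy auth source with auto-registration is configured (or that the flag is unnecessary and can be dropped), otherwise the sentence claims more than the two settings show on their own; and the `repo_id=0/owner_id=0 in action_runner table` observation is a point-in-time database check, so record how it was made (admin runner page or the query used) so the next review can repeat it. Lastly, the unchanged `description` still says `No external or untrusted repos can trigger privileged CI jobs` while the tightened notes argue from the absence of untrusted users on a closed instance; since an instance-scope runner serves every repo on the forge, consider aligning the description with the notes so the control's real premise (every account holder is trusted) is stated once and the "re-evaluate if the forge ever opens" trigger is tied to it.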