Proposal: Use harden-runner in jobs using OPENTELEMETRYBOT_GITHUB_TOKEN

[pellared]

We can consider using https://github.com/step-security/harden-runner in places where OPENTELEMETRYBOT_GITHUB_TOKEN is used.

Proposal:

1. Try using in one repository (e.g. in https://github.com/open-telemetry/opentelemetry-go/blob/main/.github/workflows/create-dependabot-pr.yml)
2. Propose a PR for https://github.com/open-telemetry/community/blob/main/assets.md#opentelemetry-bot to recommend using https://github.com/step-security/harden-runner
3. Create issues for repos which are using OPENTELEMETRYBOT_GITHUB_TOKEN so that they add https://github.com/step-security/harden-runner

[pellared]

CC @trask

[trask]

We can consider using https://github.com/step-security/harden-runner in places where OPENTELEMETRYBOT_GITHUB_TOKEN is used.

the OPENTELEMETRYBOT_GITHUB_TOKEN fine-grained PAT org secret will have very limited permissions once #1549 is implemented

do you mean specifically for the additional fine-grained PATs with write access to a single repo for those who want to grant write permission to @opentelemetrybot? (#1503 (comment))

[pellared]

do you mean specifically for the additional fine-grained PATs with write access to a single repo for those who want to grant write permission to @opentelemetrybot?

Yup. However, it may be safer to use it everywhere where OPENTELEMETRYBOT_GITHUB_TOKEN is used as the permissions of the PAT may change and the contributor may not know what are the permissions.

[tigrannajaryan]

@pellared this fell through the cracks. Is it is still actual?

[pellared]

@tigrannajaryan, yes it is. I think that the proposal should be reviewed by Security SIG.

[trask]

cc @open-telemetry/sig-security-maintainers