release security improvements

[jku]

PyPI releases currently happen based on GitHub release. GitHub releases can be made from unreviewed commits in unprotected branches by just a single maintainer (see #893).

A possible improvement is to use GitHub Environments to make sure deployment to PyPI is only possible from protected branches:

• Create "release" environment
• Set Deployment branches and tags to Protected branches only
• Block deployment to PyPI behind "release" environment
• Make sure main and series/* are all protected branches with required PRs and reviews
• (optional) Add required reviewers to the environment (with no self-review)

This should make sure that releases cannot be made from code that has not been reviewed.

[jku]

Set Deployment branches and tags to Protected branches only

Note that this is something I've not used myself so I don't know 100% how this works: I assume it only means the workflow ref needs to be part of the branch but the docs are not clear.

[jku]

There's indeed a few wrinkles here:

• Astonishingly creating a new branch is not covered by Branch protection (so while maintainers cannot just push to protected series/* branches as they wish they can create new ones)
• the Deployment branches and tags option really seems to refer to the workflow trigger. So we would have to change the trigger mechanism of our releases to use this...

Alternative solution: Use release environment to ensure deployment review (deployment reviewers should make sure the code comes reviewed branches):

• Create "release" environment
• Block deployment to PyPI behind "release" environment
• Add required reviewers to the environment (with no self-review)

[jku]

no self-review

Final wrinkle: this is not available via Pulumi (so even if we added support for deployment environments to sigstore/github-sync, we could not set that boolean argument via Pulumi: this requires an actual admin fiddling with the repository settings)

[woodruffw]

What a mess 🙂

Alternative solution: Use release environment to ensure deployment review (deployment reviewers should make sure the code comes reviewed branches):

This sounds good to me. For some reason I could have sworn we already had a release environment including mandatory sign-offs, but maybe it got reverted as part of a Pulumi refresh at some point.

[jku]

Update on GitHub environment situation: Pulumi now supports the no self-review option for environments

Plan

Our release environment should

• contain a reviewer list
• prevent self reviews
• define a tag pattern (something like v* or even v[0-9]*.[0-9]*.[0-9]* )

Other changes:

• make sure main branch, series/* branches and v* tags are protected
• set the release workflow trigger to be the v* tag (I think we can still start the process by initiating a GitHub release since that should create the tag but we'll see)

I think that should do it?

options for handling the environment setup

1. hard way
   • Add environment support to pulumi code in github-sync
   • Use that to configure an environment for sigstore-python in sigstore/community
   • Hopefully don't break other sigstore projects that already have manually configured environment
2. easy way
   • Manually configure environment in GH UI

@haydentherapper I'm leaning towards manual config here: I can also spend some time on release environment support in github-sync if you think other sigstore projects will need it...

[haydentherapper]

We had thought about something similar in protobuf-specs, so we could reuse it there. If this is a significant amount of work though, just manually configuring it (with documentation ideally so we can replicate it) sounds good.