Secure building of third-party pull/merge requests #39
Description
Automatic building of third-party pull requests is a potential security problem because it gives anyone in the world arbitrary code execution on the Zeus build machine and consequently the ability to but artifacts into the Nix cache that Zeus populates. See for example the warning in GitHub's self-hosted runner documentation. The nix build sandbox protections are probably not sufficient to solve this security issue.
Currently Zeus is secure against this because it only builds when someone pushes to the repository. But it is inconvenient because when a third party opens a pull request Zeus does not trigger a build. There are a few different approaches we could take to fix this:
- Do nothing and require a trusted user to review the pull request and push it to the repo after verifying the code is ok.
- Require some kind of confirmation from someone who has permissions to the repo. This could be implemented in the Zeus web UI or potentially triggered by some kind of action on GitHub such as a pull request review, comment, etc.
- Build third-party PRs automatically, but in a special way such as on an ephemeral build machine spun up for a one-time build and without pushing build artifacts to the cache.
Approach #2 would be very easy if it was triggered by some kind of action on GitHub. The difficulty there is figuring out what that action should be so that is both easy and secure. If it is done in the Zeus UI, it would be a bit more work, probably 1-5 days of dev time.
Approach #3 would be the best end-user experience because it would generate a CI build status without requiring any effort from the maintainers, but it is significantly more complicated and requires infrastructure for multiple Zeus build machines.