Adding a temporary fix to stop non-maintainers from RCE

[unlox775-code-dot-org]

Summary

This PR introduces a change to our CI/CD process concerning the AWS CodeBuild project. Specifically, we’re implementing a filter to the primary GitHub source, which checks against a regex pattern of user IDs. These IDs currently represent our existing maintainers and repository owners. While this is a quick, interim solution to a larger security issue, I acknowledge its unsustainability in the long run.

Security Issue Background

A vulnerability was identified where an external entity could push a change to the build spec in our public repositories. When this happens, GitHub sends a webhook push, and CodeBuild, in turn, reads and executes the modified build spec. This behavior effectively grants remote code execution capabilities in our environment. While we can limit access through specific IAM roles, the potential risk remains significant.

Long-Term Solution Ideas

1.	Private Repository for CI: Migrate our CI infrastructure code to a private repository. This action would ensure the main code remains accessible for public contribution while safeguarding our CI setup.
2.	GitHub Actions with Quality Gate: Use GitHub Actions and introduce a quality gate that halts PRs not originating from maintainers, giving us the chance to review and approve changes before execution.

The current change is a temporary measure. It’ll necessitate manual updates as team dynamics evolve. In the meantime, we’re actively exploring more sustainable solutions to ensure a secure CI/CD process.

See Child PR's:

• https://github.com/code-dot-org/cicd-pipeline-demo/pull/4
• Adding a temporary fix to stop non-maintainers from RCE javabuilder#395

[cat5inthecradle]

This will need to be deployed manually.

[unlox775-code-dot-org]

As it was a list of lists, I read somewhere that the outer list was AND, with the inner list was OR. I will look that up

[cat5inthecradle]

deployed manually