
Adding actions:write to cla assistant workflow #49797

Open · wants to merge 1 commit into master

Conversation

doggydogworld
Contributor

CLA Assistant will rerun itself on issue comments and therefore needs actions:write permissions. This is because jobs from pull request comments (which are issue comments) are not considered for status checks. This will allow it to rerun the previously failed job.

doggydogworld added the no-changelog label (indicates that a PR does not require a changelog entry) on Dec 4, 2024
@fheinecke
Contributor

Requiring this isn't great as we're giving a pull request target workflow the ability to trigger any other workflow in our repo. I'm pretty sure that this could lead to compromising other repos (cloud-terraform via flux creds, shared-workflows via GH token, other repos via "reviewers" creds), eventually leading to a release compromise, which is effectively a compromise of everything else.

I'm concerned that if there is a vulnerability in this workflow (or any of its dependencies, now or in the future), then a malicious actor could cause a lot of damage with this permission, without any action required on our part. Are we certain this feature is worth the risk?

@doggydogworld
Contributor Author

> Requiring this isn't great as we're giving a pull request target workflow the ability to trigger any other workflow in our repo. I'm pretty sure that this could lead to compromising other repos (cloud-terraform via flux creds, shared-workflows via GH token, other repos via "reviewers" creds), eventually leading to a release compromise, which is effectively a compromise of everything else.
>
> I'm concerned that if there is a vulnerability in this workflow (or any of its dependencies, now or in the future), then a malicious actor could cause a lot of damage with this permission, without any action required on our part. Are we certain this feature is worth the risk?

Hmm yeah that's a concern I had as well. Thinking about it, a workaround could be to use a 'recheck' label since that is tied to the PR. It would then function similarly to our changelog checker.
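The two permission shapes discussed in this thread, side by side, as an added illustration that is not the repository's own workflow: the comment-triggered form that needs `actions: write` to re-run a failed job, and the label-triggered form proposed above, which is a pull request event already attached to the PR's checks and so needs no re-run permission at all. Workflow names, the `recheck` label wiring and the `pull-requests: write` scope are assumptions; the CLA check step itself is a placeholder.

```yaml
# BEFORE (assumed shape): re-triggered from issue comments. Comment-triggered
# runs are not attached to the PR's status checks, so the job needs
# actions: write to re-run the earlier failed run. That scope is repo-wide:
# anything executing in this workflow can re-run, cancel or dispatch every
# workflow in the repository, not just this one.
name: cla-assistant-comment-triggered
on:
  pull_request_target:
    types: [opened, synchronize]
  issue_comment:
    types: [created]
permissions:
  actions: write         # broad: reaches every workflow in the repo
  pull-requests: write   # assumed: post/update the CLA status comment
  contents: read
jobs:
  cla:
    if: github.event_name == 'pull_request_target' || github.event.issue.pull_request
    runs-on: ubuntu-latest
    steps:
      - run: echo "CLA check step goes here (placeholder)"
---
# AFTER (the 'recheck' label workaround): applying a label is a pull request
# event, so this run is linked to the PR's checks on its own and nothing has
# to be re-run. actions: write is dropped entirely; the remaining scopes are
# the minimum the check itself is assumed to need.
name: cla-assistant-label-triggered
on:
  pull_request_target:
    types: [opened, synchronize, labeled]
permissions:
  pull-requests: write   # assumed: post/update the CLA status comment
  contents: read
jobs:
  cla:
    # On a 'labeled' event run only for the recheck label; ignore other labels.
    if: github.event.action != 'labeled' || github.event.label.name == 'recheck'
    runs-on: ubuntu-latest
    steps:
      # Deliberately no checkout of the PR head: pull_request_target runs with
      # the base repository's token and secrets, so untrusted PR code must not
      # execute in this job regardless of which permissions it holds.
      - run: echo "CLA check step goes here (placeholder)"
```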

Labels: no-changelog (indicates that a PR does not require a changelog entry), size/sm