From 15baaec7b80dc7b11adb272ca6d839bfb5a0a55c Mon Sep 17 00:00:00 2001
From: Sandipan Panda <samparksandipan@gmail.com>
Date: Fri, 25 Nov 2022 23:49:57 +0530
Subject: [PATCH] .clomonitor: Update CLOMonitor checks exemptions

Add dangerous workflow, signed releases and token permissions checks
to CLOMonitor exemptions.

Signed-off-by: Sandipan Panda <samparksandipan@gmail.com>
---
 .clomonitor.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.clomonitor.yml b/.clomonitor.yml
index 4b1bc5604b0ad..7a5a8e727e026 100644
--- a/.clomonitor.yml
+++ b/.clomonitor.yml
@@ -3,3 +3,20 @@
 exemptions:
   - check: slack_presence
     reason: "The Cilium slack community can be found at http://slack.cilium.io/" # Justification of this exemption
+
+  - check: dangerous_workflow
+    reason: >
+      "It is safe to run code checkout '${{ github.event.pull_request.head.sha }}' 
+      and 'github.event.pull_request.head.ref' in .github/workflows/build-images-base.yaml 
+      as this workflow is only permitted to be executed after an explicit approval of a 
+      subset of committers."
+
+  - check: signed_releases
+    reason: >
+      "All Cilium release images are cryptographically signed during build by cosign. 
+      Images are hosted in Quay. OpenSSF Scorecard check is currently limited to repositories 
+      hosted on GitHub, and does not support other source hosting repositories."
+
+  - check: token_permissions
+    reason: >
+      "Reason to use every non-read-only token in GitHub workflows is commented in the respective workflow files."