chore(docs): Created GitHub runner cryptographic overview

[alithethird]

Applicable spec: SEC0030 - SSDLC - Cryptographic Documentation

Overview

Created the GitHub runner cryptographic overview document.

Rationale

Juju Events Changes

Module Changes

Library Changes

Checklist

• The charm style guide was applied.
• The contributing guide was applied.
• The changes are compliant with ISD054 - Managing Charm Complexity
• The documentation is generated using src-docs.
• The documentation for charmhub is updated.
• The PR is tagged with appropriate label (urgent, trivial, complex).
• The changelog is updated with changes that affects the users of the charm.

[github-actions]

Test coverage for 514725e

Name                         Stmts   Miss Branch BrPart  Cover   Missing
------------------------------------------------------------------------
src/charm.py                   613    160    153     26    71%   242-244, 310-329, 347-349, 350->354, 380-384, 463, 470-472, 493-498, 515-521, 542, 554-560, 575-576, 595-596, 605, 610, 640-641, 643->652, 647->652, 657-663, 697, 701-706, 757-762, 771->774, 797-809, 813-814, 842-869, 882-887, 906-916, 931-933, 980-981, 983-984, 986-987, 1066->1068, 1133-1134, 1172-1174, 1182-1188, 1266-1298, 1312-1317, 1332-1366, 1370
src/charm_state.py             456     17     98      5    95%   276-288, 513-517, 639-640, 695-696, 1131->1134, 1138-1139, 1186
src/errors.py                   25      0      0      0   100%
src/event_timer.py              52      6      0      0    88%   105-106, 143-144, 160-161
src/firewall.py                 51     18     20      0    61%   42-43, 66-69, 111-185
src/github_client.py            23      2      6      1    90%   66->exit, 71-72
src/logrotate.py                43      0      2      0   100%
src/lxd_type.py                 35      0      2      0   100%
src/runner_manager_type.py      39      0      6      0   100%
src/runner_type.py              38      0     10      0   100%
src/shared_fs.py                93     17     10      1    83%   52-53, 120-121, 146-147, 155-156, 162-163, 181, 184-185, 197-198, 241-242
src/utilities.py                32      4      6      2    79%   66-69, 111
------------------------------------------------------------------------
TOTAL                         1500    224    313     35    83%

Static code analysis report

Run started:2024-10-03 09:08:06.665251

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 4976
  Total lines skipped (#nosec): 2
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 6

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

[yanksyoon]

wow, great research, thank you for doing it!

[cbartz]

Thanks! Mostly have nits

[cbartz]

Could we elaborate which Cloud image is meant here?

[cbartz]

I think this sentence should be updated here, too.

[cbartz]

Thanks. Some follow-up comments.

[cbartz]

Suggested change

	Images that run in the OpenStack vm are built using the [Image Builder](https://github.com/canonical/github-runner-image-builder-operator). This application needs to download the runner binary, yq and the cloud image to base the image on. All these images are downloaded with TLS.
	Images that run in the OpenStack vm are built using the [Image Builder](https://github.com/canonical/github-runner-image-builder. This application needs to download the runner binary, yq and the cloud image to base the image on. All these images are downloaded with TLS.

[cbartz]

@yanksyoon Can you have a look on "Cloud images that are downloaded by the Image Builder are verified by SHA256 checksum." if its correct in terms of the technical implementation?

[cbartz]

I think this sentence should be updated here, too.