update: Set remeber-ok-to-test settings to false by default

`remeber-ok-to-test` setting is set to false by default to mitigate
security risks of enabling an attacker to gain trust of repo owner
and push malicious code.

fixes: #1798

https://issues.redhat.com/browse/SRVKP-7238

Signed-off-by: Zaki Shaikh <[email protected]>

Author: zakisk

config/302-pac-configmap.yaml

@@ -129,7 +129,7 @@ data:
   # pull request if ok-to-test is done once
   #
   # you may want to disable this if ok-to-test should be done on each iteration
-  remember-ok-to-test: "true"
+  remember-ok-to-test: "false"
 
   # Configure a custom console here, the driver support custom parameters from
   # Repo CR along a few other template variable, see documentation for more

docs/content/docs/install/settings.md

@@ -130,7 +130,13 @@ There is a few things you can configure through the config map
   case of push event on pull request either through new commit or amend, then CI will
   re-run automatically
 
-  You can disable by setting false if you want to provide `ok-to-test` on every iteration
+  By default, the `remember-ok-to-test` setting is set to false in Pipelines-as-Code to mitigate serious security risks.
+  An attacker could submit a seemingly harmless PR to gain the repository owner's trust, and later
+  inject malicious code designed to compromise the build system, such as exfiltrating secrets.
+
+  Enabling this feature increases the risk of unauthorized access and is therefore strongly discouraged
+  unless absolutely necessary. If you choose to enable it you can set it to true, you do so at your own
+  risk and should be aware of the potential security vulnerabilities.
   (only GitHub and Gitea is supported at the moment).
 
 ### Tekton Hub support

pkg/params/settings/config.go

@@ -69,7 +69,7 @@ type Settings struct {
 	CustomConsolePRTaskLog    string `json:"custom-console-url-pr-tasklog"`
 	CustomConsoleNamespaceURL string `json:"custom-console-url-namespace"`
 
-	RememberOKToTest bool `default:"true" json:"remember-ok-to-test"`
+	RememberOKToTest bool `json:"remember-ok-to-test"`
 }
 
 func (s *Settings) DeepCopy(out *Settings) {

pkg/params/settings/config_test.go

@@ -43,7 +43,7 @@ func TestSyncConfig(t *testing.T) {
 				CustomConsolePRdetail:              "",
 				CustomConsolePRTaskLog:             "",
 				CustomConsoleNamespaceURL:          "",
-				RememberOKToTest:                   true,
+				RememberOKToTest:                   false,
 			},
 		},
 		{

pkg/params/settings/convert_test.go

@@ -36,7 +36,7 @@ func TestConvert(t *testing.T) {
 				"hub-catalog-name":                       "tekton",
 				"hub-url":                                "https://api.hub.tekton.dev/v1",
 				"max-keep-run-upper-limit":               "0",
-				"remember-ok-to-test":                    "true",
+				"remember-ok-to-test":                    "false",
 				"remote-tasks":                           "true",
 				"secret-auto-create":                     "true",
 				"secret-github-app-scope-extra-repos":    "",
@@ -74,7 +74,7 @@ func TestConvert(t *testing.T) {
 				"hub-catalog-name":                       "tekton",
 				"hub-url":                                "https://api.hub.tekton.dev/v1",
 				"max-keep-run-upper-limit":               "0",
-				"remember-ok-to-test":                    "true",
+				"remember-ok-to-test":                    "false",
 				"remote-tasks":                           "true",
 				"secret-auto-create":                     "true",
 				"secret-github-app-scope-extra-repos":    "",
@@ -113,7 +113,7 @@ func TestConvert(t *testing.T) {
 				"hub-catalog-name":                       "test tekton",
 				"hub-url":                                "https://api.hub.tekton.dev/v2",
 				"max-keep-run-upper-limit":               "0",
-				"remember-ok-to-test":                    "true",
+				"remember-ok-to-test":                    "false",
 				"remote-tasks":                           "true",
 				"secret-auto-create":                     "true",
 				"secret-github-app-scope-extra-repos":    "",
@@ -164,7 +164,7 @@ func TestConvert(t *testing.T) {
 				"hub-catalog-name":                       "test tekton",
 				"hub-url":                                "https://api.hub.tekton.dev/v2",
 				"max-keep-run-upper-limit":               "0",
-				"remember-ok-to-test":                    "true",
+				"remember-ok-to-test":                    "false",
 				"remote-tasks":                           "true",
 				"secret-auto-create":                     "true",
 				"secret-github-app-scope-extra-repos":    "",