Create a threat model for code flow to internal/public VMR-lite's

[premun]

Context

We need to make sure the code flows from the right branches and is not pushed to the wrong branches (e.g. internal/release doesn't end up in public VMR).

Goal

• Prepare a documentation with a diagram for the code flow and exercise few paths (branching, CVE, ..).
• Propose guards that will make sure we don't push where we should not.

[premun]

https://microsoft.sharepoint.com/:u:/t/Salmon.NET/EUoS1QiUO_BDjdf7IMhVyCsBAtYxC_voJ6OOSZ2xCy57xg?e=hZ3uSB

[premun]

I have identified these cases of potential leaks:

• internal/release/* branch is pushed to the public VMR
• Code from an internal branch is mistakenly merged into main or release/* of internal repo and pushed to the public VMR
  • There's a difference then when the code is in installer or some other repo

I propose following safe-guards:

1. YAML conditions around the push step verifying branch names (Only push main and release/* branches to the VMR installer#15144)
2. YAML variable groups with GH PAT are restricted to public branches only (Protect branches when synchronizing the VMR #11768)
3. VMR tooling verifies that every commit is in a public repo (Add the darc vmr push command #12082)

[premun]

@mmitche @tkapin I would like to discuss this issue (diagram + the proposal) on Wednesday/Thursday

[premun]

We have agreed I will compile a short document on how the code flow looks like, what guards we have in place and add it to UB docs

[premun]

Security review: https://threatmodelingportal.security.azure/reviewdetail/3053dcb9-9a09-4f45-b2ad-4ef8c1652a43/4cac191f-8b27-4d55-abee-2eafb6470803

[premun]

Closing this as we have updated all of the documents and it seems the review itself can't be updated any further.