From 274d8c3715eaacd66da6776b22baf4bc6c88fa63 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Tue, 4 Jul 2023 08:24:53 +0000 Subject: [PATCH] chore(ci): openssf remediation for GH Actions Signed-off-by: StepSecurity Bot
--- .github/workflows/build_changelog.yml | 3 +++ .github/workflows/codeql-analysis.yml | 3 +++ .github/workflows/dependency-review.yml | 22 +++++++++++++++++++ .github/workflows/label_pr_on_title.yml | 3 +++ .github/workflows/on_closed_issues.yml | 3 +++ .github/workflows/on_label_added.yml | 3 +++ .github/workflows/on_merged_pr.yml | 3 +++ .github/workflows/on_opened_pr.yml | 3 +++ .github/workflows/on_push_docs.yml | 3 +++ .github/workflows/publish_v2_layer.yml | 3 +++ .github/workflows/quality_check.yml | 3 +++ .github/workflows/rebuild_latest_docs.yml | 3 +++ .github/workflows/record_pr.yml | 3 +++ .github/workflows/release-drafter.yml | 3 +++ .github/workflows/release.yml | 3 +++ .../reusable_deploy_v2_layer_stack.yml | 3 +++ .../workflows/reusable_export_pr_details.yml | 3 +++ .../workflows/reusable_publish_changelog.yml | 3 +++ .github/workflows/run-e2e-tests.yml | 3 +++ .github/workflows/secure_workflows.yml | 3 +++ 20 files changed, 79 insertions(+) create mode 100644 .github/workflows/dependency-review.yml
diff --git a/.github/workflows/build_changelog.yml b/.github/workflows/build_changelog.yml
index 1be01306109..a167868be05 100644
--- a/.github/workflows/build_changelog.yml
+++ b/.github/workflows/build_changelog.yml
@@ -17,6 +17,9 @@ on: branches: - develop +permissions: + contents: read + jobs: changelog: permissions:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index ac4e4812eee..d8ef363c8f9 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -17,6 +17,9 @@ on: branches: - develop +permissions: + contents: read + jobs: analyze: name: Analyze
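Review bot: The workflow-level `permissions: contents: read` added in this hunk is only a default for jobs that declare no `permissions:` block of their own; a job-level block replaces the workflow-level one wholesale rather than extending it, so the `changelog` job, whose own `permissions:` key is the last context line here, gains nothing from the addition. A short comment above the new key would stop readers from assuming jobs inherit it, e.g. `# Default token scope for jobs without their own permissions block; a job-level block replaces this, it does not add to it.`. The same observation applies to the parallel hunks in label_pr_on_title.yml, on_label_added.yml, on_merged_pr.yml, on_opened_pr.yml, on_push_docs.yml, publish_v2_layer.yml, rebuild_latest_docs.yml and reusable_export_pr_details.yml, where the job shown in context likewise carries its own permissions block. The job bodies continue outside the hunks, so the effective scope of each job cannot be read from this patch alone.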
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000000..627c9ca205b
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,22 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index 41bdeed0ec9..48fb24b2476 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -26,6 +26,9 @@ on: types: - completed +permissions: + contents: read + jobs: get_pr_details: permissions:
diff --git a/.github/workflows/on_closed_issues.yml b/.github/workflows/on_closed_issues.yml
index 9b8af4a7690..61a14b028d4 100644
--- a/.github/workflows/on_closed_issues.yml
+++ b/.github/workflows/on_closed_issues.yml
@@ -12,6 +12,9 @@ name: Closed Issue Message on: issues: types: [closed] +permissions: + contents: read + jobs: auto_comment: runs-on: ubuntu-latest
diff --git a/.github/workflows/on_label_added.yml b/.github/workflows/on_label_added.yml
index 17ee840a7ea..d378a5d3e9d 100644
--- a/.github/workflows/on_label_added.yml
+++ b/.github/workflows/on_label_added.yml
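Review bot: The `actions/checkout` step in the new dependency-review.yml keeps the job's token in the checkout's git config for the rest of the job, because `persist-credentials` defaults to true, and the only step that follows is the `actions/dependency-review-action` step, which as used here performs no git push or fetch of its own. Since nothing visible in this job needs the persisted credential, add `with:` / `  persist-credentials: false` under the checkout `uses:` line so the token is not left on disk in the workspace. Pinning both actions to a full commit SHA with a version comment is consistent with what secure_workflows.yml enforces for this repository and needs no change.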
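Review bot: Setting `permissions: contents: read` at workflow level in on_closed_issues.yml drops whatever default the repository grants to the token for any job without its own `permissions:` block, and the `auto_comment` job shown in context has none in the lines visible here; if its steps post a comment on the closed issue, as the job name and the `Closed Issue Message` workflow name suggest, it will start failing with a 403 unless a job-level block such as `permissions:` / `  issues: write` exists further down, outside this hunk. The same check applies to the `update_release_draft` job in release-drafter.yml (whose purpose implies `contents: write` on releases) and to the `run` job in run-e2e-tests.yml if it assumes a cloud role via OIDC (`id-token: write`); neither hunk shows a job-level block. Please confirm against the full files rather than the hunks before merging.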
@@ -25,6 +25,9 @@ on: types: - completed +permissions: + contents: read + jobs: get_pr_details: permissions:
diff --git a/.github/workflows/on_merged_pr.yml b/.github/workflows/on_merged_pr.yml
index e9ac01f1c17..f3896118d10 100644
--- a/.github/workflows/on_merged_pr.yml
+++ b/.github/workflows/on_merged_pr.yml
@@ -26,6 +26,9 @@ on: types: - completed +permissions: + contents: read + jobs: get_pr_details: permissions:
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 5e7914b09a3..79e77bd9488 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -26,6 +26,9 @@ on: types: - completed +permissions: + contents: read + jobs: get_pr_details: permissions:
diff --git a/.github/workflows/on_push_docs.yml b/.github/workflows/on_push_docs.yml
index ec6e14c4273..fc1aa3786e6 100644
--- a/.github/workflows/on_push_docs.yml
+++ b/.github/workflows/on_push_docs.yml
@@ -20,6 +20,9 @@ on: - "examples/**" - "CHANGELOG.md" +permissions: + contents: read + jobs: release-docs: permissions:
diff --git a/.github/workflows/publish_v2_layer.yml b/.github/workflows/publish_v2_layer.yml
index 67a073e627b..864fc74241a 100644
--- a/.github/workflows/publish_v2_layer.yml
+++ b/.github/workflows/publish_v2_layer.yml
@@ -49,6 +49,9 @@ on: type: boolean required: false +permissions: + contents: read + jobs: build-layer: permissions:
diff --git a/.github/workflows/quality_check.yml b/.github/workflows/quality_check.yml
index 51eebc668ff..74da419bab3 100644
--- a/.github/workflows/quality_check.yml
+++ b/.github/workflows/quality_check.yml
@@ -35,6 +35,9 @@ on: branches: - develop +permissions: + contents: read + jobs: quality_check: runs-on: ubuntu-latest
diff --git a/.github/workflows/rebuild_latest_docs.yml b/.github/workflows/rebuild_latest_docs.yml
index 927d6f8dc91..665cad81dd1 100644
--- a/.github/workflows/rebuild_latest_docs.yml
+++ b/.github/workflows/rebuild_latest_docs.yml
@@ -23,6 +23,9 @@ on: default: "2.16.3" required: true +permissions: + contents: read + jobs: release-docs: permissions:
diff --git a/.github/workflows/record_pr.yml b/.github/workflows/record_pr.yml
index 55377f06981..0cdcb9bc8ad 100644
--- a/.github/workflows/record_pr.yml
+++ b/.github/workflows/record_pr.yml
@@ -37,6 +37,9 @@ on: pull_request: types: [opened, edited, closed, labeled] +permissions: + contents: read + jobs: record_pr: runs-on: ubuntu-latest
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 1f766d070d9..8781eba3bef 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -18,6 +18,9 @@ on: - develop workflow_dispatch: +permissions: + contents: read + jobs: update_release_draft: runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f7dfedeec00..566fe9db3da 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -51,6 +51,9 @@ on: type: boolean required: false +permissions: + contents: read + jobs: # This job bumps the package version to the release version
diff --git a/.github/workflows/reusable_deploy_v2_layer_stack.yml b/.github/workflows/reusable_deploy_v2_layer_stack.yml
index 04abcfaee1b..76b6950267c 100644
--- a/.github/workflows/reusable_deploy_v2_layer_stack.yml
+++ b/.github/workflows/reusable_deploy_v2_layer_stack.yml
@@ -47,6 +47,9 @@ on: required: true type: string +permissions: + contents: read + jobs: deploy-cdk-stack: runs-on: ubuntu-latest
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
index c81c0915af4..30eb9241b08 100644
--- a/.github/workflows/reusable_export_pr_details.yml
+++ b/.github/workflows/reusable_export_pr_details.yml
@@ -50,6 +50,9 @@ on: description: "Whether PR is merged" value: ${{ jobs.export_pr_details.outputs.prIsMerged }} +permissions: + contents: read + jobs: export_pr_details: permissions:
diff --git a/.github/workflows/reusable_publish_changelog.yml b/.github/workflows/reusable_publish_changelog.yml
index 23139b77729..1df1ceb5953 100644
--- a/.github/workflows/reusable_publish_changelog.yml
+++ b/.github/workflows/reusable_publish_changelog.yml
@@ -10,6 +10,9 @@ env: PULL_REQUEST_TITLE: "chore(ci): changelog rebuild" FILES_TO_COMMIT: "CHANGELOG.md" +permissions: + contents: read + jobs: publish_changelog: # Force Github action to run only a single job at a time (based on the group name)
diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml
index 7648eb77c53..8173596769f 100644
--- a/.github/workflows/run-e2e-tests.yml
+++ b/.github/workflows/run-e2e-tests.yml
@@ -35,6 +35,9 @@ env: concurrency: e2e +permissions: + contents: read + jobs: run: runs-on: aws-powertools_ubuntu-latest_8-core
diff --git a/.github/workflows/secure_workflows.yml b/.github/workflows/secure_workflows.yml
index 1430e91d6f2..bf0823b091b 100644
--- a/.github/workflows/secure_workflows.yml
+++ b/.github/workflows/secure_workflows.yml
@@ -19,6 +19,9 @@ on: paths: - ".github/workflows/**" +permissions: + contents: read + jobs: enforce_pinned_workflows: name: Harden Security