chore(ci): refactor workflows to scope permissions (#1978)

Author: dreamorosi

.github/scripts/label_missing_acknowledgement_section.js

@@ -0,0 +1,50 @@
+const {
+  PR_ACTION,
+  PR_AUTHOR,
+  PR_BODY,
+  PR_NUMBER,
+  IGNORE_AUTHORS,
+  LABEL_BLOCK,
+  LABEL_BLOCK_MISSING_LICENSE_AGREEMENT,
+} = require('./constants');
+
+module.exports = async ({ github, context, core }) => {
+  if (IGNORE_AUTHORS.includes(PR_AUTHOR)) {
+    return core.notice('Author in IGNORE_AUTHORS list; skipping...');
+  }
+
+  if (PR_ACTION != 'opened') {
+    return core.notice(
+      'Only newly open PRs are labelled to avoid spam; skipping'
+    );
+  }
+
+  const RELATED_ACK_SECTION_REGEX =
+    /By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice./;
+
+  const isMatch = RELATED_ACK_SECTION_REGEX.exec(PR_BODY);
+
+  if (isMatch == null) {
+    core.info(
+      `No acknowledgement section found, maybe the author didn't use the template but there is one.`
+    );
+
+    const msg =
+      "No acknowledgement section found. Please make sure you used the template to open a PR and didn't remove the acknowledgment section. Check the template here: https://github.com/aws-powertools/powertools-lambda-python/blob/develop/.github/PULL_REQUEST_TEMPLATE.md#acknowledgment";
+
+    await Promise.allSettled([
+      github.rest.issues.createComment({
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+        body: msg,
+        issue_number: PR_NUMBER,
+      }),
+      github.rest.issues.addLabels({
+        issue_number: PR_NUMBER,
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+        labels: [LABEL_BLOCK, LABEL_BLOCK_MISSING_LICENSE_AGREEMENT],
+      }),
+    ]);
+  }
+};

.github/workflows/closed-issues-message.yml

@@ -1,25 +1,23 @@
 name: Dispatch analytics
 
+# PROCESS
+#
+# 1. Trade GitHub JWT token with AWS credentials for the analytics account
+# 2. Invoke a Lambda function dispatcher synchronously with the read-only scoped JWT token
+# 3. The dispatcher function will call GitHub APIs to read data from the last hour and aggregate for operational analytics
+
+# USAGE
+#
+# NOTE: meant to use as a scheduled task only (or manually for debugging purposes).
+
 on:
   workflow_dispatch:
 
   schedule:
     - cron: '0 * * * *'
 
 permissions:
-  id-token: write
-  actions: read
-  checks: read
   contents: read
-  deployments: read
-  issues: read
-  discussions: read
-  packages: read
-  pages: read
-  pull-requests: read
-  repository-projects: read
-  security-events: read
-  statuses: read
 
 jobs:
   dispatch_token:
@@ -28,6 +26,20 @@ jobs:
       group: analytics
     runs-on: ubuntu-latest
     environment: analytics
+    permissions:
+      id-token: write
+      actions: read
+      checks: read
+      contents: read    # previously we needed `write` to use GH_TOKEN in our dispatcher (Lambda)
+      deployments: read
+      issues: read
+      discussions: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      security-events: read
+      statuses: read
     steps:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
@@ -39,7 +51,16 @@ jobs:
       - name: Invoke Lambda function
         run: |
           payload=$(echo -n '{"githubToken": "${{ secrets.GITHUB_TOKEN }}"}' | base64)
-          aws lambda invoke \
-            --function-name ${{ secrets.AWS_ANALYTICS_DISPATCHER_ARN }} \
-            --payload "$payload" response.json
-          cat response.json
+          response=$(aws lambda invoke \
+            --function-name "${{ secrets.AWS_ANALYTICS_DISPATCHER_ARN }}" \
+            --payload "$payload" \
+            response.json \
+            --query 'FunctionError' \
+            --output text)
+
+          cat response.json ; echo # add newline at the end
+
+          if [ "$response" != "None" ]; then
+            echo "Error invoking lambda function: $response. Aborting."
+            exit 1
+          fi

.github/workflows/dispatch_analytics.yml

@@ -1,5 +1,24 @@
 name: Label PR based on title
 
+# PROCESS
+#
+# 1. Fetch PR details previously saved from untrusted location
+# 2. Parse details for safety
+# 3. Label PR based on semantic title (e.g., area, change type)
+
+# USAGE
+#
+# NOTE: meant to be used with ./.github/workflows/record_pr.yml
+#
+# Security Note:
+#
+#   This workflow depends on "Record PR" workflow that runs in an untrusted location (forks) instead of `pull_request_target`.
+#   This enforces zero trust where "Record PR" workflow always runs on fork with zero permissions on GH_TOKEN.
+#   When "Record PR" completes, this workflow runs in our repository with the appropriate permissions and sanitize inputs.
+#
+#   Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated,
+#   since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions.
+
 on:
   workflow_run:
     workflows: ["Record PR details"]
@@ -11,23 +30,23 @@ permissions:
 
 jobs:
   get_pr_details:
+    permissions:
+      actions: read  # download PR artifact
+      contents: read # checkout code
     # Guardrails to only ever run if PR recording workflow was indeed
     # run in a PR event and ran successfully
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:
       record_pr_workflow_id: ${{ github.event.workflow_run.id }}
       workflow_origin: ${{ github.event.repository.full_name }}
-    permissions:
-      contents: read
-      pull-requests: read
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
   label_pr:
-    permissions:
-      pull-requests: write
     needs: get_pr_details
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write  # label respective PR
     steps:
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
@@ -43,4 +62,4 @@ jobs:
           # and label PR based on semantic title accordingly
           script: |
             const script = require('.github/scripts/label_pr_based_on_title.js')
-            await script({github, context, core})
+            await script({github, context, core})

.github/workflows/label_pr_on_title.yml

@@ -0,0 +1,34 @@
+name: Closed Issue Message
+
+# PROCESS
+#
+# 1. Comment on recently closed issues to warn future responses may not be looked after
+
+# USAGE
+#
+# Always triggered upon issue closure
+
+on:
+  issues:
+      types: [closed]
+
+permissions:
+  contents: read
+
+jobs:
+  auto_comment:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write  # comment on issues
+    steps:
+      - uses: aws-actions/closed-issue-message@36b7048ea77bb834d16e7a7c5b5471ac767a4ca1 # v1.0.0
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          message: |
+              ⚠️ **COMMENT VISIBILITY WARNING** ⚠️
+              
+              This issue is now closed. Please be mindful that future comments are hard for our team to see.
+
+              If you need more assistance, please either tag a [team member](https://docs.powertools.aws.dev/lambda/typescript/latest/maintainers/#current-maintainers) or open a new issue that references this one.
+
+              If you wish to keep having a conversation with other community members under this issue feel free to do so.

.github/workflows/measure-packages-size.yml

@@ -14,8 +14,7 @@ permissions:
 jobs:
   release-docs:
     permissions:
-      contents: write
-      pages: write
+      actions: write
       id-token: write
     secrets: inherit
     uses: ./.github/workflows/reusable-publish-docs.yml