Maintenance: update bootstrap region automation to remove pinned/aliased dependencies #3573

Closed
1 of 2 tasks
dreamorosi opened this issue Feb 7, 2025 · 4 comments · Fixed by #3576 or #3587
Labels: completed (This item is complete and has been merged/shipped), internal (PRs that introduce changes in governance, tech debt and chores (linting setup, baseline, etc.))

dreamorosi commented Feb 7, 2025

Summary

Some of the changes introduced in #3438 lowered our OpenSSF Scorecard due to both pinned dependencies and actions using the latest tag instead of a commit hash.

Specifically, the two are:

  • the shared GitHub Action here
  • the CDK version here

Which correspond to these two alerts:

Note that neither of them involves code that we ship to customers; this is only automation used for us to bootstrap new regions we use to deploy resources.

Why is this needed?

So we can restore our OpenSSF Scorecard score.

Which area does this relate to?

Other

Solution

The first should use a commit hash, similar to what we do here.

The second one should use the CDK version already present in the monorepo rather than install a different one.

Acknowledgment

Future readers

Please react with 👍 and your use case to help us understand customer demand.
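As an added example (not code from this issue or from the Powertools project), a small check that flags every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA, which is the pattern behind the Scorecard alert the issue describes; the sample workflow, action names and SHA below are constructed.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit
SHA (the pattern the OpenSSF Scorecard Pinned-Dependencies check reports).
Example script, not part of the project."""
import re

# Matches `uses: owner/repo[/path]@ref` in a job or step, ignoring a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, reference, reason) for each `uses:` that is not
    pinned to a 40-hex commit SHA. Local actions (`./...`) are skipped because
    they live in the same repository and cannot drift independently."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./"):
            continue
        if "@" not in ref:
            findings.append((lineno, ref, "no ref at all (resolves to the default branch)"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref, f"mutable ref {version!r} instead of a commit SHA"))
    return findings


# Constructed sample workflow (not the project's real file): one action pinned by
# a (made-up) SHA with a version comment, one on a mutable tag, one on `latest`.
SAMPLE_WORKFLOW = """\
name: bootstrap
on: workflow_dispatch
jobs:
  bootstrap:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-node@v4
      - uses: example-org/shared-action@latest
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, ref, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```

A `latest` or `v4` tag can be moved to a different commit by whoever controls the source repository, which is why the check accepts only the immutable SHA form.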

@dreamorosi dreamorosi added confirmed The scope is clear, ready for implementation internal PRs that introduce changes in governance, tech debt and chores (linting setup, baseline, etc.) labels Feb 7, 2025
@dreamorosi dreamorosi moved this from Triage to Backlog in Powertools for AWS Lambda (TypeScript) Feb 7, 2025
@dreamorosi dreamorosi self-assigned this Feb 10, 2025
@dreamorosi dreamorosi moved this from Backlog to Working on it in Powertools for AWS Lambda (TypeScript) Feb 10, 2025
@dreamorosi dreamorosi moved this from Working on it to Pending review in Powertools for AWS Lambda (TypeScript) Feb 10, 2025
@github-project-automation github-project-automation bot moved this from Pending review to Coming soon in Powertools for AWS Lambda (TypeScript) Feb 10, 2025

⚠️ COMMENT VISIBILITY WARNING ⚠️

This issue is now closed. Please be mindful that future comments are hard for our team to see.

If you need more assistance, please either tag a team member or open a new issue that references this one.

If you wish to keep having a conversation with other community members under this issue feel free to do so.

@github-actions github-actions bot added pending-release This item has been merged and will be released soon and removed confirmed The scope is clear, ready for implementation labels Feb 10, 2025
dreamorosi (author) commented

Reopening because the changes fixed only one of the two. The https://github.com/aws-powertools/powertools-lambda-typescript/security/code-scanning/77 one is still open.

@sthulb could you please help me understand where the hash is missing? Please don't just dismiss it, thank you.

@dreamorosi dreamorosi reopened this Feb 10, 2025
@github-project-automation github-project-automation bot moved this from Coming soon to Pending review in Powertools for AWS Lambda (TypeScript) Feb 10, 2025
@dreamorosi dreamorosi added confirmed The scope is clear, ready for implementation and removed pending-release This item has been merged and will be released soon labels Feb 10, 2025
@dreamorosi dreamorosi moved this from Pending review to Working on it in Powertools for AWS Lambda (TypeScript) Feb 10, 2025
dreamorosi (author) commented

After discussing w/ @sthulb he explained that the finding is complaining about us not having a lock file for the Go dependency.

However since we are installing it with the commit hash of the source repo, it's already immutable.

Because of this, it's safe to dismiss since we control both this repo and the source of the pkg (aws-powertools/actions).

@github-project-automation github-project-automation bot moved this from Working on it to Coming soon in Powertools for AWS Lambda (TypeScript) Feb 11, 2025

@dreamorosi dreamorosi moved this from Coming soon to Shipped in Powertools for AWS Lambda (TypeScript) Feb 11, 2025
@dreamorosi dreamorosi added completed This item is complete and has been merged/shipped and removed confirmed The scope is clear, ready for implementation labels Feb 11, 2025