
chore(ci): sets base permissions on all workflows #1801


Merged
merged 1 commit into from
Nov 29, 2023
6 changes: 6 additions & 0 deletions .github/workflows/closed-issues-message.yml
Expand Up @@ -2,9 +2,15 @@ name: Closed Issue Message
on:
issues:
types: [closed]

permissions:
contents: read

jobs:
auto_comment:
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- uses: aws-actions/closed-issue-message@36b7048ea77bb834d16e7a7c5b5471ac767a4ca1 # v1.0.0
with:
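Review bot: The job-level `permissions:` block added to `auto_comment` replaces the workflow-level block rather than extending it, so this job runs with `issues: write` and `contents: none` — reasonable for an action that only comments, but nothing in the file says so, and the same construct is repeated in every workflow touched by this PR. A one-line comment above the top-level block would stop the next edit from assuming the two sets add up: `# Default for jobs without their own permissions block; a job-level block replaces this set entirely.` The same comment would be useful in each of the other files. The job's `with:` inputs continue below the hunk.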
5 changes: 5 additions & 0 deletions .github/workflows/label_pr_on_title.yml
Expand Up @@ -6,6 +6,9 @@ on:
types:
- completed

permissions:
contents: read

jobs:
get_pr_details:
# Guardrails to only ever run if PR recording workflow was indeed
Expand All @@ -18,6 +21,8 @@ jobs:
secrets:
token: ${{ secrets.GITHUB_TOKEN }}
label_pr:
permissions:
pull-requests: write
needs: get_pr_details
runs-on: ubuntu-latest
steps:
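Review bot: `get_pr_details` gets no job-level permissions here, while the same job in on-merge-to-main.yml is given `pull-requests: read`; judging by the `secrets: token:` lines it calls the reusable export workflow, whose `export_pr_details` job now declares `pull-requests: read` itself. A called workflow cannot hold scopes its caller did not grant, so with only the top-level `contents: read` the call from this file (and from on_opened_pr.yml, which has the same shape) would, as far as I can tell, either fail or run without read access to the PR. Adding `permissions:` / `  pull-requests: read` under `get_pr_details` in both files keeps the three callers consistent. The job's `uses:` line sits between the two hunks, outside what is shown.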
4 changes: 4 additions & 0 deletions .github/workflows/make-release.yml
@@ -1,6 +1,10 @@
name: Make Release
on:
workflow_dispatch: {}

permissions:
contents: read

concurrency:
group: on-release-publish
jobs:
4 changes: 4 additions & 0 deletions .github/workflows/make-v2-release.yml
@@ -1,6 +1,10 @@
name: Make Release v2 (pre-release)
on:
workflow_dispatch: {}

permissions:
contents: read

concurrency:
group: on-release-publish
jobs:
5 changes: 5 additions & 0 deletions .github/workflows/measure-packages-size.yml
Expand Up @@ -7,8 +7,13 @@ on:
description: "PR Number"
required: true

permissions:
contents: read

jobs:
measure-utils-sizes:
permissions:
pull-requests: write
runs-on: ubuntu-latest
env:
NODE_ENV: dev
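Review bot: `measure-utils-sizes` now runs with `pull-requests: write` and nothing else, because a job-level `permissions:` block replaces the workflow-level `contents: read` instead of adding to it; if its steps (below the hunk) check out the repository or build the packages from source, the job may also need the read scope in this block, i.e. `permissions:` / `  contents: read` / `  pull-requests: write`. The same applies to `enforce_pinned_workflows` in on-workflows-push-pr.yml, where the `actions/checkout` step is visible directly after a block that grants only `actions: read`. On a public repository the checkout may still succeed without the scope, so this is worth confirming against a run rather than assumed either way.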
3 changes: 3 additions & 0 deletions .github/workflows/on-doc-v2-merge.yml
Expand Up @@ -8,6 +8,9 @@ on:
- "docs/**"
- "mkdocs.yml"

permissions:
contents: read

jobs:
release-docs:
permissions:
11 changes: 11 additions & 0 deletions .github/workflows/on-merge-to-main.yml
Expand Up @@ -5,12 +5,18 @@ on:
workflows: ["Record PR details"]
types:
- completed

concurrency:
group: on-merge-to-main

permissions:
contents: read

jobs:
get_pr_details:
if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
permissions:
pull-requests: read
uses: ./.github/workflows/reusable_export_pr_details.yml
with:
record_pr_workflow_id: ${{ github.event.workflow_run.id }}
Expand All @@ -22,6 +28,8 @@ jobs:
if: ${{ needs.get_pr_details.outputs.prIsMerged == 'true' }}
uses: ./.github/workflows/reusable-run-linting-check-and-unit-tests.yml
update-release-draft:
permissions:
contents: write
needs: run-unit-tests
runs-on: ubuntu-latest
steps:
Expand All @@ -32,6 +40,9 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
release_label_on_merge:
permissions:
pull-requests: read
contents: write
Contributor


Can this contents: write be scoped down only to issues?

Contributor


With issues: write yes, but removing content would not prevent from merge, or?

needs: [get_pr_details, update-release-draft]
runs-on: ubuntu-latest
steps:
5 changes: 5 additions & 0 deletions .github/workflows/on-workflows-push-pr.yml
Expand Up @@ -8,10 +8,15 @@ on:
paths:
- ".github/workflows/**"

permissions:
contents: read

jobs:
enforce_pinned_workflows:
name: Harden Security
runs-on: ubuntu-latest
permissions:
actions: read
steps:
- name: Checkout code
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
3 changes: 3 additions & 0 deletions .github/workflows/on_doc_merge.yml
Expand Up @@ -8,6 +8,9 @@ on:
- "docs/**"
- "mkdocs.yml"

permissions:
contents: read

jobs:
release-docs:
permissions:
6 changes: 6 additions & 0 deletions .github/workflows/on_opened_pr.yml
Expand Up @@ -6,6 +6,9 @@ on:
types:
- completed

permissions:
contents: read

jobs:
get_pr_details:
if: ${{ github.event.workflow_run.conclusion == 'success' }}
Expand All @@ -16,6 +19,9 @@ jobs:
secrets:
token: ${{ secrets.GITHUB_TOKEN }}
check_related_issue:
permissions:
issues: read
pull-requests: write
needs: get_pr_details
runs-on: ubuntu-latest
steps:
3 changes: 3 additions & 0 deletions .github/workflows/post-release.yml
Expand Up @@ -12,6 +12,9 @@ on:
release:
types: [released]

permissions:
contents: read

jobs:
post_release:
permissions:
4 changes: 4 additions & 0 deletions .github/workflows/pr-run-linting-check-and-unit-tests.yml
Expand Up @@ -3,6 +3,10 @@ name: On PR code update
on:
pull_request:
types: [opened, synchronize]

permissions:
contents: read

jobs:
run-unit-tests:
uses: ./.github/workflows/reusable-run-linting-check-and-unit-tests.yml
3 changes: 3 additions & 0 deletions .github/workflows/rebuild-latest-docs.yml
Expand Up @@ -13,6 +13,9 @@ on:
description: "Latest npm published version to rebuild latest docs for, e.g. 1.6.0"
required: true

permissions:
contents: read

jobs:
release-docs:
permissions:
3 changes: 3 additions & 0 deletions .github/workflows/record_pr.yml
Expand Up @@ -4,6 +4,9 @@ on:
pull_request:
types: [opened, edited, closed]

permissions:
contents: read

jobs:
record_pr:
runs-on: ubuntu-latest
Expand Up @@ -3,6 +3,9 @@ name: Run unit tests
on:
workflow_call:

permissions:
contents: read

jobs:
run-linting-check-and-unit-tests-on-utilities:
runs-on: ubuntu-latest
8 changes: 4 additions & 4 deletions .github/workflows/reusable_deploy_layer_stack.yml
@@ -1,9 +1,5 @@
name: Deploy cdk stack

permissions:
id-token: write
contents: read

on:
workflow_call:
inputs:
Expand All @@ -23,9 +19,13 @@ on:
target-account-role:
required: true

permissions:
contents: read

jobs:
deploy-cdk-stack:
permissions:
id-token: write
runs-on: ubuntu-latest
strategy:
fail-fast: false
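Review bot: Moving `id-token: write` into `deploy-cdk-stack` drops the `contents: read` the job previously held from the removed top-level block, because a job-level `permissions:` replaces the workflow-level set rather than merging with it; a CDK deploy job that checks out the repository to synthesize the app (its steps are below the hunk) would then run without read access. Keeping both scopes on the job, `permissions:` / `  id-token: write` / `  contents: read`, restores the previous effective grant while still confining the OIDC scope to the one job that needs it. Since this is a `workflow_call` workflow, each caller's job must itself grant `id-token: write`, as a called workflow can only narrow what it is passed.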
5 changes: 5 additions & 0 deletions .github/workflows/reusable_export_pr_details.yml
Expand Up @@ -33,10 +33,15 @@ on:
description: "Whether PR is merged"
value: ${{ jobs.export_pr_details.outputs.prIsMerged }}

permissions:
contents: read

jobs:
export_pr_details:
# see https://github.com/aws-powertools/powertools-lambda-python/issues/1349
if: inputs.workflow_origin == 'aws-powertools/powertools-lambda-typescript'
permissions:
pull-requests: read
runs-on: ubuntu-latest
env:
FILENAME: pr.txt
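Review bot: `export_pr_details` is given `pull-requests: read`, but if its steps (below the hunk) fetch the recorded PR details from the triggering run's artifacts — `FILENAME: pr.txt` and the `workflow_run` callers elsewhere in this PR suggest so — downloading another run's artifact through the Actions API also needs `actions: read`, which a job-level block that omits it sets to `none`. Worth verifying against a run before merging; if needed the fix is the one extra line `actions: read` under this job's `permissions:`. The job's steps continue below the hunk.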
3 changes: 3 additions & 0 deletions .github/workflows/run-e2e-tests.yml
Expand Up @@ -8,6 +8,9 @@ on:
required: false
default: ''

permissions:
contents: read

jobs:
run-e2e-tests-on-utils:
runs-on: ubuntu-latest
3 changes: 3 additions & 0 deletions .github/workflows/stale-issues.yml
Expand Up @@ -4,6 +4,9 @@ on:
schedule:
- cron: "0 0 * * *"

permissions:
contents: read

jobs:
check-issues:
runs-on: ubuntu-latest