From 9bd11170b584578bde510fcd51e0cd51181defc6 Mon Sep 17 00:00:00 2001 From: Andrea Amorosi Date: Fri, 26 Jan 2024 18:00:59 +0100 Subject: [PATCH 1/3] chore(ci): refactor more workflows to scope permissions --- .github/workflows/make-v2-release.yml | 1 - .github/workflows/on_doc_merge.yml | 5 ++--- .github/workflows/publish_layer.yml | 8 ++------ .github/workflows/rebuild_latest_docs.yml | 1 - .github/workflows/reusable_publish_docs.yml | 6 ------ 5 files changed, 4 insertions(+), 17 deletions(-) diff --git a/.github/workflows/make-v2-release.yml b/.github/workflows/make-v2-release.yml index 356fdf2bad..a6b4e3366f 100644 --- a/.github/workflows/make-v2-release.yml +++ b/.github/workflows/make-v2-release.yml @@ -15,7 +15,6 @@ jobs: # Needed as recommended by npm docs on publishing with provenance https://docs.npmjs.com/generating-provenance-statements permissions: id-token: write - contents: write environment: Release runs-on: ubuntu-latest outputs: diff --git a/.github/workflows/on_doc_merge.yml b/.github/workflows/on_doc_merge.yml index bcea9b0d7b..b0115b755c 100644 --- a/.github/workflows/on_doc_merge.yml +++ b/.github/workflows/on_doc_merge.yml @@ -14,10 +14,9 @@ permissions: jobs: release-docs: permissions: - actions: write - id-token: write + id-token: write # trade JWT token for AWS credentials in AWS Docs account secrets: inherit - uses: ./.github/workflows/reusable-publish-docs.yml + uses: ./.github/workflows/reusable_publish_docs.yml with: version: main alias: stage \ No newline at end of file diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml index b72b59abd6..524b5fb26c 100644 --- a/.github/workflows/publish_layer.yml +++ b/.github/workflows/publish_layer.yml @@ -1,9 +1,7 @@ name: Deploy layer to all regions permissions: - id-token: write - contents: write - pages: write + contents: read on: # Manual trigger 
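Review bot: Removing `contents: write` leaves `id-token: write` as the only scope in this job-level `permissions` block, and a job-level block sets every scope it does not list to `none`, so `contents` for this job is now `none` rather than whatever the workflow-level default is. If the release job checks out the repository or pushes a tag or GitHub release it will need `contents: read` or `contents: write` restored here; the job body is outside the hunk, so I cannot confirm either way. The existing comment only explains why `id-token` is present; recording the omission too, e.g. `# contents intentionally omitted: nothing in this job writes to the repository`, would stop the next person from re-adding it by reflex.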
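Review bot: `secrets: inherit` on release-docs still forwards every repository and environment secret to reusable_publish_docs.yml, which undercuts the token scoping this commit is doing one line above it. The comment on `id-token: write` says the reusable workflow obtains AWS credentials by exchanging the OIDC token, so it may need no inherited secrets at all; replace the line with an explicit `secrets:` map listing only what the callee consumes, or drop it if there is nothing to pass. The callee's `secrets:` declarations are not in this hunk, so confirm before removing. Minor: the file still ends without a trailing newline after `alias: stage`.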
@@ -95,11 +93,9 @@ jobs: release-docs: needs: [ deploy-prod, prepare_docs_alias ] permissions: - contents: write - pages: write id-token: write secrets: inherit - uses: ./.github/workflows/reusable-publish-docs.yml + uses: ./.github/workflows/reusable_publish_docs.yml with: version: ${{ inputs.latest_published_version }} alias: ${{ needs.prepare_docs_alias.outputs.DOCS_ALIAS }} diff --git a/.github/workflows/rebuild_latest_docs.yml b/.github/workflows/rebuild_latest_docs.yml index 9b1f0b8908..b943dea3bc 100644 --- a/.github/workflows/rebuild_latest_docs.yml +++ b/.github/workflows/rebuild_latest_docs.yml @@ -28,7 +28,6 @@ permissions: jobs: release-docs: permissions: - actions: write # upload artifacts (for debugging issues with the docs build) id-token: write # trade JWT token for AWS credentials in AWS Docs account secrets: inherit uses: ./.github/workflows/reusable_publish_docs.yml diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml index 542dc6ac48..459b632f55 100644 --- a/.github/workflows/reusable_publish_docs.yml +++ b/.github/workflows/reusable_publish_docs.yml @@ -47,7 +47,6 @@ jobs: runs-on: ubuntu-latest environment: Docs permissions: - actions: write # upload artifacts (for debugging issues with the docs build) id-token: write # trade JWT token for AWS credentials in AWS Docs account steps: - name: Checkout code @@ -96,11 +95,6 @@ jobs: - name: Copy API Docs run: | cp -r api site/ - - name: Create Artifact (Site) - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 - with: - name: site - path: site - name: Deploy Docs (Version) env: VERSION: ${{ inputs.version }} From 4256a44af63b05c9dacd8ae14bc2f1e787cda8a0 Mon Sep 17 00:00:00 2001 From: Andrea Amorosi Date: Fri, 26 Jan 2024 18:01:58 +0100 Subject: [PATCH 2/3] chore(ci): revert change --- .github/workflows/reusable_publish_docs.yml | 5 +++++ 1 file changed, 5 insertions(+) 
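Review bot: The job-level `permissions` on release-docs now lists only `id-token: write`, which overrides the workflow-level `contents: read` set earlier in this patch and makes `contents: none` the ceiling for everything reusable_publish_docs.yml is allowed to do. That reusable workflow runs an `actions/checkout` step; a token without the `contents` scope can still clone a public repository, but the dependency is implicit and would turn into a failure on a private repository or fork. Grant what the callee needs explicitly: `permissions:` / `contents: read` / `id-token: write`. The release-docs job definition starts before this hunk.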
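Review bot: This job's `permissions` block grants only `id-token: write`, so `contents` is `none` while the first step is `Checkout code`; that combination works only as long as the repository is public, and nothing in the file says so. Declare the scope the job actually relies on: `permissions:` / `contents: read # actions/checkout` / `id-token: write # trade JWT token for AWS credentials in AWS Docs account`. Since a called workflow cannot exceed its caller's permissions, every caller of this reusable workflow has to grant at least the same scopes.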
diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml index 459b632f55..cc44046321 100644 --- a/.github/workflows/reusable_publish_docs.yml +++ b/.github/workflows/reusable_publish_docs.yml @@ -95,6 +95,11 @@ jobs: - name: Copy API Docs run: | cp -r api site/ + - name: Create Artifact (Site) + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + with: + name: site + path: site - name: Deploy Docs (Version) env: VERSION: ${{ inputs.version }} From 5a4cc6628ce8e24fc549eaf5edaa56e6f118a95e Mon Sep 17 00:00:00 2001 From: Andrea Amorosi Date: Fri, 26 Jan 2024 19:13:05 +0100 Subject: [PATCH 3/3] chore(ci): add scoped id-token --- .github/workflows/publish_layer.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml index 524b5fb26c..7b178e9c1d 100644 --- a/.github/workflows/publish_layer.yml +++ b/.github/workflows/publish_layer.yml @@ -1,7 +1,7 @@ name: Deploy layer to all regions permissions: - contents: read + contents: write on: # Manual trigger @@ -55,6 +55,8 @@ jobs: needs: - build-layer uses: ./.github/workflows/reusable_deploy_layer_stack.yml + permissions: + id-token: write with: stage: "BETA" artifact-name: "cdk-layer-artifact" @@ -67,6 +69,8 @@ jobs: needs: - deploy-beta uses: ./.github/workflows/reusable_deploy_layer_stack.yml + permissions: + id-token: write with: stage: "PROD" artifact-name: "cdk-layer-artifact"
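Review bot: The re-added `Create Artifact (Site)` step comes back without the explanation that lived on the removed `actions: write` line (`# upload artifacts (for debugging issues with the docs build)`), so a reader now sees the entire rendered site being uploaded with no stated purpose. Put the rationale on the step itself: `# debugging aid: keeps the rendered site downloadable when the deploy steps below fail`. As far as I know `actions/upload-artifact` v4 authenticates with the runner's runtime token rather than GITHUB_TOKEN, so it should not need `actions: write`, but that is worth confirming on the first run after this lands.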
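Review bot: Raising the workflow-level default back to `contents: write` grants write access to every job in publish_layer.yml that does not set its own `permissions` block, such as build-layer, which presumably only needs to read the repository. Keep `contents: read` at the top and move `contents: write` onto the one job that commits or tags; that job is not in this hunk, so I cannot name it. The deploy jobs that set `permissions: id-token: write` do not inherit this default in any case, so the broader grant does not help them.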
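Review bot: The new `permissions: id-token: write` on deploy-beta makes `id-token` the only scope available to reusable_deploy_layer_stack.yml, because a job-level block sets every unlisted scope, including the workflow-level `contents: write`, to `none` for this job. That is the right direction, but if the called workflow checks out the repository to run the CDK deploy it will also need `contents: read`; the called workflow is not in this patch, so confirm before merging. The identical block is added to deploy-prod in the following hunk and should be kept in step with whatever is decided here.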