
Commit d52633a

chore(ci): harden workflow permissions for security compliance (#4898)
1 parent 30eaed8 commit d52633a

6 files changed

Lines changed: 36 additions & 9 deletions

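--- a/.github/workflows/layers_partitions.yml
+++ b/.github/workflows/layers_partitions.yml
@@ -37,8 +37,7 @@ on:
 name: Layer Deployment (Partitions)
 run-name: Layer Deployment (${{ inputs.partition }})
 
-permissions:
-contents: read
+permissions: {}
 
 jobs:
 # This job configures partition-specific settings including regions, partition names, and STS audience based on the target partition (China or GovCloud) selected in the workflow inputs.
@@ -108,6 +107,9 @@ jobs:
 deploy-gamma:
 name: Deploy Gamma Layer
 needs: [setup, download]
+permissions:
+id-token: write
+contents: read
 uses: ./.github/workflows/layers_partitions_deploy.yml
 with:
 environment: Gamma
@@ -120,6 +122,9 @@ jobs:
 deploy-prod:
 name: Deploy Prod Layer
 needs: [setup, download, deploy-gamma]
+permissions:
+id-token: write
+contents: read
 uses: ./.github/workflows/layers_partitions_deploy.yml
 with:
 environment: Prod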
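Review bot: The `id-token: write` grants on deploy-gamma and deploy-prod carry no comment, while ossf_scorecard.yml in this same commit annotates every scope it requests; because both jobs `uses:` layers_partitions_deploy.yml, the grant is the ceiling that reusable workflow can mint an OIDC token under, and `id-token: write # OIDC token for the reusable deploy workflow (STS)` would record why it is there. The `setup` and `download` jobs named in `needs:` lie outside these hunks; with the top-level block now `{}`, any job without its own `permissions:` runs with an empty token, so confirm those two still declare whatever they need. A short note on the top-level line, `permissions: {} # default-deny; each job declares its own scopes`, would make that policy explicit for the next maintainer.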

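--- a/.github/workflows/layers_partitions_deploy.yml
+++ b/.github/workflows/layers_partitions_deploy.yml
@@ -1,5 +1,7 @@
 name: Copy Layer
 
+permissions: {}
+
 on:
 workflow_call:
 inputs: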
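Review bot: `permissions: {}` on the new line 3 also caps every job of this `workflow_call` workflow, and those jobs lie outside the hunk; as I read the GitHub permission model, a called workflow can only narrow what the caller passes, so a job here that does not declare its own `permissions:` ends up with an empty token even though deploy-gamma and deploy-prod in layers_partitions.yml now pass `id-token: write` and `contents: read`. Confirm each job that assumes a cloud role via STS declares `id-token: write` (and `contents: read` if it checks out the repository) at job level. A one-line comment, `permissions: {} # default-deny; jobs declare their own scopes, bounded by the caller's grant`, would document that contract where it is easiest to break.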

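--- a/.github/workflows/ossf_scorecard.yml
+++ b/.github/workflows/ossf_scorecard.yml
@@ -9,14 +9,15 @@ on:
 branches: [main]
 workflow_dispatch:
 
-permissions: read-all
+permissions: {}
 
 jobs:
 analysis:
 name: Scorecard analysis
 runs-on: ubuntu-latest
 # environment: scorecard
 permissions:
+contents: read # checkout repository
 security-events: write # update code-scanning dashboard
 id-token: write # confirm org+repo identity before publish results
 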
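Review bot: The new top-level `permissions: {}` is the only permission line in this file without a trailing explanation, while the three job-level scopes each say what they are for; `permissions: {} # default-deny; the analysis job declares its own scopes below` keeps the file's own convention. The job-level `contents: read # checkout repository` is now explicit rather than relying on the old `read-all` default, which is the right place for it since the job-level block is what the scorecard run actually receives.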

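--- a/.github/workflows/publish_layer.yml
+++ b/.github/workflows/publish_layer.yml
@@ -1,7 +1,6 @@
 name: Deploy layer to all regions
 
-permissions:
-contents: read
+permissions: {}
 
 on:
 # Manual trigger
@@ -32,6 +31,8 @@ on:
 jobs:
 # Build layer by running cdk synth in layer-publisher directory and uploading cdk.out for deployment
 build-layer:
+permissions:
+contents: read
 runs-on: ubuntu-latest
 if: ${{ (github.event.workflow_run.conclusion == 'success') || (github.event_name == 'workflow_dispatch') }}
 steps: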
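Review bot: Every job in this workflow other than build-layer now depends on its own `permissions:` block, because the top-level grant became `{}`; those jobs are outside the hunk, and given the workflow's name they presumably assume a cloud role to deploy, which needs `id-token: write` at job level as deploy-gamma and deploy-prod declare in layers_partitions.yml. Confirm each of them got a job-level block in the part of the file not shown here. The build-layer grant itself matches the comment above it (checkout for `cdk synth`, artifact upload needing no extra scope), so only the unseen jobs are in question.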

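--- a/.github/workflows/quality_check.yml
+++ b/.github/workflows/quality_check.yml
@@ -9,11 +9,12 @@ on:
 branches:
 - main
 
-permissions:
-contents: read
+permissions: {}
 
 jobs:
 code-quality:
+permissions:
+contents: read
 runs-on: ubuntu-latest
 env:
 NODE_ENV: dev
@@ -52,6 +53,8 @@ jobs:
 npm run test:unit:coverage -w ${{ matrix.workspace }}
 npm run test:unit:types -w ${{ matrix.workspace }}
 check-examples:
+permissions:
+contents: read
 runs-on: ubuntu-latest
 env:
 NODE_ENV: dev
@@ -77,6 +80,8 @@ jobs:
 - name: Run tests
 run: npm t
 check-layer-publisher:
+permissions:
+contents: read
 runs-on: ubuntu-latest
 env:
 NODE_ENV: dev
@@ -95,6 +100,8 @@ jobs:
 - name: Run tests
 run: npm run test:unit -w layers
 check-docs-snippets:
+permissions:
+contents: read
 runs-on: ubuntu-latest
 env:
 NODE_ENV: dev
@@ -111,6 +118,8 @@ jobs:
 - name: Run linting
 run: npm run lint -w examples/snippets
 check-docs:
+permissions:
+contents: read
 runs-on: ubuntu-latest
 env:
 NODE_ENV: dev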
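Review bot: A job added to this file later will run with no token at all, because the top-level block is now `{}` and each of the five existing jobs carries its own `permissions:` / `contents: read`; nothing in the file says that is the intended policy, and the deleted top-level `contents: read` expressed the same effective grant for the five jobs shown in one line. If the goal is "empty default, every job opts in", state it once at the top, `permissions: {} # default-deny: every job must declare its own scopes`, so the next contributor does not re-add a top-level grant or forget the block on a new job. The same five-fold repetition appears in reusable-run-linting-check-and-unit-tests.yml in this commit.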

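--- a/.github/workflows/reusable-run-linting-check-and-unit-tests.yml
+++ b/.github/workflows/reusable-run-linting-check-and-unit-tests.yml
@@ -29,11 +29,12 @@ name: Run unit tests
 on:
 workflow_call:
 
-permissions:
-contents: read
+permissions: {}
 
 jobs:
 code-quality:
+permissions:
+contents: read
 runs-on: ubuntu-latest
 env:
 NODE_ENV: dev
@@ -74,6 +75,8 @@ jobs:
 npm run test:unit:coverage -w ${{ matrix.workspace }}
 npm run test:unit:types -w ${{ matrix.workspace }}
 check-examples:
+permissions:
+contents: read
 runs-on: ubuntu-latest
 env:
 NODE_ENV: dev
@@ -102,6 +105,8 @@ jobs:
 - name: Run tests
 run: npm t
 check-layer-publisher:
+permissions:
+contents: read
 runs-on: ubuntu-latest
 env:
 NODE_ENV: dev
@@ -114,6 +119,8 @@ jobs:
 - name: Run tests
 run: npm run test:unit -w layers
 check-docs-snippets:
+permissions:
+contents: read
 runs-on: ubuntu-latest
 env:
 NODE_ENV: dev
@@ -124,6 +131,8 @@ jobs:
 - name: Run linting
 run: npm run lint:ci -w examples/snippets
 check-docs:
+permissions:
+contents: read
 runs-on: ubuntu-latest
 env:
 NODE_ENV: dev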
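Review bot: The job-level `contents: read` added to code-quality and the four jobs below is only an upper bound in a `workflow_call` workflow; the effective token is what the caller's job passes, narrowed by these blocks, and the callers are outside this commit, so a caller passing an empty grant leaves these jobs tokenless without any error in this file. A one-line comment on the new top-level line, `permissions: {} # default-deny; callers must pass at least contents: read`, would document that contract for whoever wires up a new caller. The five identical two-line blocks mirror quality_check.yml in this same commit, where the same policy note applies.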
