chore: permissions for github actions (aws#14767)

By default, all Github actions have read permissions via the standard `GITHUB_TOKEN`. For jobs that require write permission, explicitly add the necessary permissions. In the case of the 'Yarn Upgrade' Github action, separated the 'upgrade' step and the 'pull request' step into separate jobs to build a better security boundary between the two. Inspired from: https://github.com/projen/projen/blob/a4f875d07b57f8f8247b9352e34c3c83759afe82/.github/workflows/upgrade-dependencies.yml
pahud · May 19, 2021 · 7013f58 · 7013f58
1 parent 5c84696
commit 7013f58
Show file tree

Hide file tree

Showing 7 changed files with 63 additions and 19 deletions.
diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
@@ -13,6 +13,8 @@ jobs:
         || github.event.pull_request.user.login == 'dependabot[bot]'
         || github.event.pull_request.user.login == 'dependabot-preview[bot]')
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
     - uses: hmarr/auto-approve-action@v2.1.0
       with:

diff --git a/.github/workflows/close-stale-issues.yml b/.github/workflows/close-stale-issues.yml
@@ -7,6 +7,8 @@ on:
 
 jobs:
   cleanup:
+    permissions:
+      issues: write
     runs-on: ubuntu-latest
     name: Stale issue job
     steps:

diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml
@@ -1,17 +1,19 @@
 name: Closed Issue Message
 on:
-    issues:
-       types: [closed]
+  issues:
+    types: [closed]
 jobs:
-    auto_comment:
-        runs-on: ubuntu-latest
-        steps:
-        - uses: aws-actions/closed-issue-message@v1
-          with:
-            # These inputs are both required
-            repo-token: "${{ secrets.GITHUB_TOKEN }}"
-            message: |
-                     ### ⚠️COMMENT VISIBILITY WARNING⚠️ 
-                     Comments on closed issues are hard for our team to see. 
-                     If you need more assistance, please either tag a team member or open a new issue that references this one. 
-                     If you wish to keep having a conversation with other community members under this issue feel free to do so.
+  auto_comment:
+    permissions:
+      issues: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: aws-actions/closed-issue-message@v1
+      with:
+        # These inputs are both required
+        repo-token: "${{ secrets.GITHUB_TOKEN }}"
+        message: |
+          ### ⚠️COMMENT VISIBILITY WARNING⚠️ 
+          Comments on closed issues are hard for our team to see. 
+          If you need more assistance, please either tag a team member or open a new issue that references this one.
+          If you wish to keep having a conversation with other community members under this issue feel free to do so.
diff --git a/.github/workflows/issue-label-assign.yml b/.github/workflows/issue-label-assign.yml
@@ -9,6 +9,8 @@ on:
 
 jobs:
   test:
+    permissions:
+      issues: write
     runs-on: ubuntu-latest
     steps:
       - uses: Naturalclar/issue-action@v2.0.2

diff --git a/.github/workflows/pr-linter.yml b/.github/workflows/pr-linter.yml
@@ -14,6 +14,8 @@ on:
 
 jobs:
   validate-pr:
+    permissions:
+      pull-requests: read
     runs-on: ubuntu-latest
     steps:
 

diff --git a/.github/workflows/v2-pull-request.yml b/.github/workflows/v2-pull-request.yml
@@ -16,6 +16,9 @@ on:
 jobs:
   # Run yarn pkglint on merge forward PRs and commit the results
   pkglint:
+    permissions:
+      pull-requests: write
+      contents: write
     if: contains(github.event.pull_request.labels.*.name, 'pr/forward-merge')
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/yarn-upgrade.yml b/.github/workflows/yarn-upgrade.yml
@@ -1,10 +1,9 @@
 name: Yarn Upgrade
 
 on:
-  # Disable this workflow
-  #schedule:
+  schedule:
     # Every wednesday at 13:37 UTC
-    #- cron: 37 13 * * 3
+    - cron: 37 13 * * 3
   workflow_dispatch: {}
 
 jobs:
@@ -69,6 +68,39 @@ jobs:
         # also - jest-enviroment-jsdom doesnt actually require 16.5.1 (https://github.com/facebook/jest/blob/master/packages/jest-environment-jsdom/package.json#L23)
         run: yarn upgrade --pattern '!(jsdom)'
 
+      # Next, create and upload the changes as a patch file. This will later be downloaded to create a pull request
+      # Creating a pull request requires write permissions and it's best to keep write privileges isolated.
+      - name: Create Patch
+        run: |-
+          git add .
+          git diff --patch --staged > ${{ runner.temp }}/upgrade.patch
+      - name: Upload Patch
+        uses: actions/upload-artifact@v2
+        with:
+          name: upgrade.patch
+          path: ${{ runner.temp }}/upgrade.patch
+
+  pr:
+    name: Create Pull Request
+    needs: upgrade
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check Out
+        uses: actions/checkout@v2
+
+      - name: Download patch
+        uses: actions/download-artifact@v2
+        with:
+          name: upgrade.patch
+          path: ${{ runner.temp }}
+
+      - name: Apply patch
+        run: '[ -s ${{ runner.temp }}/upgrade.patch ] && git apply ${{ runner.temp
+          }}/upgrade.patch || echo "Empty patch. Skipping."'
+
       - name: Make Pull Request
         uses: peter-evans/create-pull-request@v3
         with:
@@ -83,5 +115,4 @@ jobs:
             Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
           labels: contribution/core,dependencies,pr/auto-approve
           team-reviewers: aws-cdk-team
-          # Privileged token so automated PR validation happens
-          token: ${{ secrets.AUTOMATION_GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}