feat!: Updates to the S3 Encryption Client #491
| uses: ./.github/workflows/examples.yml | ||
| secrets: inherit | ||
| with: | ||
| version: 17 | ||
| distribution: corretto |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
This autofix suggestion was applied.
Copilot Autofix
AI 4 months ago
To fix this problem, the best approach is to add a `permissions` block setting the minimal required permissions for the `Examples` job (lines 27-32), since this job uses a reusable workflow and otherwise would run with the repository's default job permissions. Unless the `examples.yml` workflow needs special privileges, the recommended minimal level is `contents: read`, which grants read-only access to repository contents. This block should be added just above or below the `uses` key inside the `Examples` job mapping. No changes are otherwise required to logic or structure.
| @@ -24,6 +24,8 @@ | ||
| distribution: ${{ matrix.distribution }} | ||
|
|
||
| Examples: | ||
| permissions: | ||
| contents: read | ||
| uses: ./.github/workflows/examples.yml | ||
| secrets: inherit | ||
| with: |
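Review bot: On the `Examples` job, `permissions: contents: read` also caps the token permissions of the called `./.github/workflows/examples.yml`, because a reusable workflow can only keep or reduce what its caller grants. Check that the called workflow needs nothing beyond read access to contents (for example `id-token: write` if it authenticates via OIDC); if it does, declare those scopes here as well. The job also keeps `secrets: inherit`, which the `permissions` block does not restrict, so passing only the secrets the examples need by name would narrow that exposure too.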
12d6818 to cfd2cad
…n permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…t contain permissions" This reverts commit 9ac6ba9.
## [4.0.0](v3.6.0...v4.0.0) (2025-12-17)

### ⚠ BREAKING CHANGES

* The S3 Encryption Client now requires key committing algorithm suites by default. See migration guide from 3.x to 4.x: [link](https://docs.aws.amazon.com/amazon-s3-encryption-client/latest/developerguide/java-v4-migration.html)
* `builder()` method has been removed; use `builderV4()` instead
* `builderV4()` now defaults to `commitmentPolicy` (REQUIRE_ENCRYPT_REQUIRE_DECRYPT) and `encryptionAlgorithm` (ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY)
* Updated expectations for custom implementations of the `CryptographicMaterialsManager` interface.
  * Custom implementations of the interface's `getEncryptionMaterials` method MUST set the `AlgorithmSuite` field on the returned `EncryptionMaterials`.
    * The provided `DefaultCryptoMaterialsManager`'s `getEncryptionMaterials` method sets this field from the `AlgorithmSuite` provided in the `EncryptionMaterialsRequest`.
    * If the custom implementation wraps the provided `DefaultCryptoMaterialsManager.getEncryptionMaterials` method, it's likely that no code updates are required. The provided logic has been updated with this change.
  * Custom implementations of the interface's `decryptMaterials` method MUST set the `KeyCommitment` field on the returned `DecryptionMaterials`.
    * The provided `DefaultCryptoMaterialsManager`'s `decryptMaterials` method sets this field from the `KeyCommitment` provided in the `DecryptMaterialsRequest`.
    * If the custom implementation wraps the provided `DefaultCryptoMaterialsManager.decryptMaterials` method, it's likely that no code updates are required. The provided logic has been updated with this change.
* Updated expectations for custom implementations of the `Keyring` interface.
  * Custom implementations of the interface's `onDecrypt` method MUST preserve the `KeyCommitment` field on the returned `DecryptionMaterials`.
    * The provided `S3Keyring`'s `onDecrypt` method (base class for all keyrings including `KmsKeyring`) preserves this field through the builder pattern when returning updated materials.
    * If the custom implementation wraps the provided `S3Keyring.onDecrypt` method or uses the builder pattern to return materials, it's likely that no code updates are required. The provided logic has been updated with this change.

### Features

* Updates to the S3 Encryption Client ([#491](#491)) ([9d4523e](9d4523e))

### Maintenance

* update releaserc ([#492](#492)) ([d423d8d](d423d8d))
Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Check any applicable: