Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .github/workflows/ci_codegen.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,10 @@ on:

jobs:
code-generation:
permissions:
contents: read
pull-requests: write

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this job need pull-requests write permission?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am looking at https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax and it doesn't seem we need this permissions

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I experimented by adding one permission at a time.
You can see the experiments in this PR: https://github.com/aws/aws-database-encryption-sdk-dynamodb/pull/2135/commits

It was not until I had all three that CI passed.

id-token: write
strategy:
fail-fast: false
matrix:
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/ci_duvet.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,10 @@ on:

jobs:
duvet:
permissions:
contents: read
pull-requests: write
id-token: write
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v6
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/ci_static_analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ on:

jobs:
not-grep:
permissions:
contents: read
pull-requests: write
id-token: write
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v6
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/ci_todos.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ on:

jobs:
findTodos:
permissions:
contents: read
pull-requests: write
id-token: write
runs-on: macos-14
steps:
- uses: actions/checkout@v6
Expand Down
28 changes: 28 additions & 0 deletions .github/workflows/dafny-interop.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,18 @@ on:

jobs:
getMplHeadVersion:
permissions:
contents: read
pull-requests: write
id-token: write
uses: ./.github/workflows/mpl_head_version.yml
with:
mpl-head: ${{inputs.mpl-commit}}
dafny-interop-java:
permissions:
contents: read
pull-requests: write
id-token: write
needs: getMplHeadVersion
uses: ./.github/workflows/dafny_interop_java.yml
with:
Expand All @@ -34,6 +42,10 @@ jobs:
mpl-version: ${{needs.getMplHeadVersion.outputs.version}}
dbesdk-dafny: ${{inputs.dbesdk-dafny}}
dafny-interop-java-test-vectors:
permissions:
contents: read
pull-requests: write
id-token: write
needs: getMplHeadVersion
uses: ./.github/workflows/dafny_interop_test_vector_java.yml
with:
Expand All @@ -42,6 +54,10 @@ jobs:
mpl-version: ${{needs.getMplHeadVersion.outputs.version}}
dbesdk-dafny: ${{inputs.dbesdk-dafny}}
dafny-interop-java-examples:
permissions:
contents: read
pull-requests: write
id-token: write
needs: getMplHeadVersion
uses: ./.github/workflows/dafny_interop_examples_java.yml
with:
Expand All @@ -50,18 +66,30 @@ jobs:
mpl-version: ${{needs.getMplHeadVersion.outputs.version}}
dbesdk-dafny: ${{inputs.dbesdk-dafny}}
dafny-interop-net:
permissions:
contents: read
pull-requests: write
id-token: write
uses: ./.github/workflows/dafny_interop_test_net.yml
with:
mpl-dafny: ${{inputs.mpl-dafny}}
mpl-commit: ${{inputs.mpl-commit}}
dbesdk-dafny: ${{inputs.dbesdk-dafny}}
dafny-interop-net-test-vectors:
permissions:
contents: read
pull-requests: write
id-token: write
uses: ./.github/workflows/dafny_interop_test_vector_net.yml
with:
mpl-dafny: ${{inputs.mpl-dafny}}
mpl-commit: ${{inputs.mpl-commit}}
dbesdk-dafny: ${{inputs.dbesdk-dafny}}
dafny-interop-net-examples:
permissions:
contents: read
pull-requests: write
id-token: write
uses: ./.github/workflows/dafny_interop_examples_net.yml
with:
mpl-dafny: ${{inputs.mpl-dafny}}
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/dafny_verify_version.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,10 @@ on:

jobs:
getDafnyVerifyVersion:
permissions:
contents: read
pull-requests: write
id-token: write
runs-on: ubuntu-22.04
outputs:
version: ${{ steps.read_property.outputs.dafnyVerifyVersion }}
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/dafny_version.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,10 @@ on:

jobs:
getDafnyVersion:
permissions:
contents: read
pull-requests: write
id-token: write
runs-on: ubuntu-22.04
outputs:
version: ${{ steps.read_property.outputs.dafnyVersion }}
Expand Down
58 changes: 57 additions & 1 deletion .github/workflows/daily_ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,71 +13,127 @@ on:

jobs:
getVersion:
permissions:
contents: read
pull-requests: write
id-token: write
# Don't run the cron builds on forks
if: github.event_name != 'schedule' || github.repository_owner == 'aws'
uses: ./.github/workflows/dafny_version.yml
getVerifyVersion:
permissions:
contents: read
pull-requests: write
id-token: write
if: github.event_name != 'schedule' || github.repository_owner == 'aws'
uses: ./.github/workflows/dafny_verify_version.yml
daily-ci-format:
permissions:
contents: read
pull-requests: write
id-token: write
needs: getVersion
if: github.event_name != 'schedule' || github.repository_owner == 'aws'
uses: ./.github/workflows/library_format.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
daily-ci-codegen:
permissions:
contents: read
pull-requests: write
id-token: write
needs: getVersion
if: github.event_name != 'schedule' || github.repository_owner == 'aws'
uses: ./.github/workflows/ci_codegen.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
daily-ci-verification:
permissions:
contents: read
pull-requests: write
id-token: write
needs: getVerifyVersion
if: github.event_name != 'schedule' || github.repository_owner == 'aws'
uses: ./.github/workflows/library_dafny_verification.yml
with:
dafny: ${{needs.getVerifyVersion.outputs.version}}
daily-ci-test-vector-verification:
permissions:
contents: read
pull-requests: write
id-token: write
needs: getVerifyVersion
uses: ./.github/workflows/test_vector_verification.yml
with:
dafny: ${{needs.getVerifyVersion.outputs.version}}
daily-ci-java:
permissions:
contents: read
pull-requests: write
id-token: write
needs: getVersion
uses: ./.github/workflows/ci_test_java.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
daily-ci-java-test-vectors:
permissions:
contents: read
pull-requests: write
id-token: write
needs: getVersion
uses: ./.github/workflows/ci_test_vector_java.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
daily-ci-java-examples:
permissions:
contents: read
pull-requests: write
id-token: write
needs: getVersion
uses: ./.github/workflows/ci_examples_java.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
daily-ci-net:
permissions:
contents: read
pull-requests: write
id-token: write
needs: getVersion
uses: ./.github/workflows/ci_test_net.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
daily-ci-rust:
permissions:
contents: read
pull-requests: write
id-token: write
needs: getVersion
uses: ./.github/workflows/library_rust_tests.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
daily-ci-net-test-vectors:
permissions:
contents: read
pull-requests: write
id-token: write
needs: getVersion
uses: ./.github/workflows/ci_test_vector_net.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
daily-ci-net-examples:
permissions:
contents: read
pull-requests: write
id-token: write
needs: getVersion
uses: ./.github/workflows/ci_examples_net.yml
with:
dafny: ${{needs.getVersion.outputs.version}}
notify:
permissions:
contents: read
pull-requests: write
id-token: write
needs:
[
getVersion,
Expand All @@ -94,7 +150,7 @@ jobs:
daily-ci-net-test-vectors,
daily-ci-net-examples,
]
if: ${{ failure() }}
if: ${{ failure() && github.event_name == 'schedule'}}
uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
with:
message: "Daily CI failed on `${{ github.repository }}`. View run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/go-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@ on:

jobs:
get-dafny-version:
permissions:
contents: read
pull-requests: write
id-token: write
uses: ./.github/workflows/dafny_version.yml

go-release:
Expand Down
8 changes: 8 additions & 0 deletions .github/workflows/issue-notification.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@ on:

jobs:
notify-issue:
permissions:
contents: read
pull-requests: write
id-token: write
if: github.event_name == 'issues'
uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
with:
Expand All @@ -15,6 +19,10 @@ jobs:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GHI }}

notify-comment:
permissions:
contents: read
pull-requests: write
id-token: write
if: github.event_name == 'issue_comment' && !github.event.issue.pull_request
uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
with:
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/library_dafny_verification.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,10 @@ on:

jobs:
verification:
permissions:
contents: read
pull-requests: write
id-token: write
# Don't run the nightly build on forks
if: github.event_name != 'schedule' || github.repository_owner == 'aws'
strategy:
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/library_format.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,10 @@ on:
type: boolean
jobs:
format_projects:
permissions:
contents: read
pull-requests: write
id-token: write
# Don't run the nightly build on forks
if: github.event_name != 'schedule' || github.repository_owner == 'aws'
strategy:
Expand Down
Loading
Loading