diff --git a/.github/workflows/build_changelog.yml b/.github/workflows/build_changelog.yml index f15275d07a7..b2abf5aeb47 100644 --- a/.github/workflows/build_changelog.yml +++ b/.github/workflows/build_changelog.yml @@ -1,6 +1,16 @@ # Standalone workflow to update changelog if necessary name: Build changelog +# PROCESS +# +# 1. Fetch latest changes compared to the latest tag +# 2. Rebuild CHANGELOG.md using Keep A Changelog format +# 3. Create a PR with the latest changelog (close and reference any it supersedes) + +# USAGE +# +# Always triggered on PR merge or manually from GitHub UI if we must. + on: workflow_dispatch: push: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 31561d013ad..221aaa56cc9 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,5 +1,15 @@ name: "CodeQL" +# PROCESS +# +# 1. Static code analysis with CodeQL + +# USAGE +# +# NOTE: This is our slowest workflow hence it only runs on code merged. +# +# Always triggered on PR merge when source code changes. + on: push: paths: @@ -11,6 +21,9 @@ jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + security-events: write + actions: read strategy: fail-fast: false diff --git a/.github/workflows/dispatch_analytics.yml b/.github/workflows/dispatch_analytics.yml index 2f7c2f5c8a3..fd35f66c9fc 100644 --- a/.github/workflows/dispatch_analytics.yml +++ b/.github/workflows/dispatch_analytics.yml @@ -1,5 +1,15 @@ name: Dispatch analytics +# PROCESS +# +# 1. Trade GitHub JWT token with AWS credentials for the analytics account +# 2. Invoke a Lambda function dispatcher synchronously with the read-only scoped JWT token +# 3. The dispatcher function will call GitHub APIs to read data from the last hour and aggregate for operational analytics + +# USAGE +# +# NOTE: meant to use as a scheduled task only (or manually for debugging purposes). + on: workflow_dispatch: 
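Review bot: The job-level `permissions` block added to `analyze` in codeql-analysis.yml lists `security-events: write` and `actions: read` but no `contents: read`, and declaring any scope at job level sets every unlisted scope to `none`. The job's checkout step sits outside this hunk, so I cannot confirm how it is affected; on a public repository the clone may still succeed, but GitHub's CodeQL starter workflow grants all three scopes, and this same commit writes `contents: read # checkout code` in quality_check.yml and secure_workflows.yml. Add `contents: read # checkout code` under the new block so the grant is explicit rather than incidental.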
diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml index 0183cb1155d..521377058ab 100644 --- a/.github/workflows/label_pr_on_title.yml +++ b/.github/workflows/label_pr_on_title.yml @@ -1,5 +1,25 @@ name: Label PR based on title +# PROCESS +# +# 1. Fetch PR details previously saved from untrusted location +# 2. Parse details for safety +# 3. Label PR based on semantic title (e.g., area, change type) + +# USAGE +# +# NOTE: meant to be used with ./.github/workflows/record_pr.yml +# +# Security Note: +# +# This workflow depends on "Record PR" workflow that runs in an untrusted location (forks) instead of `pull_request_target`. +# This enforces zero trust where "Record PR" workflow always runs on fork with zero permissions on GH_TOKEN. +# When "Record PR" completes, this workflow runs in our repository with the appropriate permissions and sanitize inputs. +# +# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated, +# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions. + + on: workflow_run: workflows: ["Record PR details"] @@ -8,6 +28,8 @@ on: jobs: get_pr_details: + permissions: + actions: read # download PR artifact # Guardrails to only ever run if PR recording workflow was indeed # run in a PR event and ran successfully if: ${{ github.event.workflow_run.conclusion == 'success' }} @@ -20,6 +42,8 @@ jobs: label_pr: needs: get_pr_details runs-on: ubuntu-latest + permissions: + issues: write # label respective PR steps: - name: Checkout repository uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 diff --git a/.github/workflows/on_closed_issues.yml b/.github/workflows/on_closed_issues.yml index dfe854c5fbe..f97ff42e6e9 100644 --- a/.github/workflows/on_closed_issues.yml +++ b/.github/workflows/on_closed_issues.yml 
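Review bot: The Security Note states that "Record PR" runs "with zero permissions on GH_TOKEN", but record_pr.yml in this same commit grants that job `contents: read`, so the comment overstates the guarantee; the same paragraph is repeated verbatim in on_label_added.yml, on_merged_pr.yml, on_opened_pr.yml and record_pr.yml. Suggest `# This enforces least privilege where "Record PR" always runs on the fork with a read-only GH_TOKEN (contents: read only).` in all five places. In the same paragraph, "with the appropriate permissions and sanitize inputs" should read "with the appropriate permissions and sanitizes its inputs".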
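Review bot: `label_pr` is granted `issues: write # label respective PR`, while `split_large_pr` in on_label_added.yml drops `issues: write` and keeps only `pull-requests: write` for commenting on a PR; both operations target a pull request through the Issues REST endpoints, so the commit uses two different scopes for the same kind of target. I cannot see which call the steps make, and GitHub's permission reference lists the label and comment endpoints under either Issues or Pull requests depending on whether the target is an issue or a pull request, so a job-level block that omits the matching scope may fail with 403 at runtime. Exercise the job once against a real PR after merge and record the verified scope inline, e.g. `issues: write # add label to PR (verified sufficient)`, or grant `pull-requests: write` instead.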
@@ -1,18 +1,30 @@ name: Closed Issue Message + +# PROCESS +# +# 1. Comment on recently closed issues to warn future responses may not be looked after + +# USAGE +# +# Always triggered upon issue closure +# + on: - issues: - types: [closed] + issues: + types: [closed] jobs: - auto_comment: - runs-on: ubuntu-latest - steps: - - uses: aws-actions/closed-issue-message@8b6324312193476beecf11f8e8539d73a3553bf4 - with: - repo-token: "${{ secrets.GITHUB_TOKEN }}" - message: | - ### ⚠️COMMENT VISIBILITY WARNING⚠️ - This issue is now closed. Please be mindful that future comments are hard for our team to see. + auto_comment: + runs-on: ubuntu-latest + permissions: + issues: write # comment on issues + steps: + - uses: aws-actions/closed-issue-message@8b6324312193476beecf11f8e8539d73a3553bf4 + with: + repo-token: "${{ secrets.GITHUB_TOKEN }}" + message: | + ### ⚠️COMMENT VISIBILITY WARNING⚠️ + This issue is now closed. Please be mindful that future comments are hard for our team to see. - If you need more assistance, please either tag a [team member](https://github.com/awslabs/aws-lambda-powertools-python/blob/develop/MAINTAINERS.md#current-maintainers) or open a new issue that references this one. + If you need more assistance, please either tag a [team member](https://github.com/awslabs/aws-lambda-powertools-python/blob/develop/MAINTAINERS.md#current-maintainers) or open a new issue that references this one. - If you wish to keep having a conversation with other community members under this issue feel free to do so. + If you wish to keep having a conversation with other community members under this issue feel free to do so. diff --git a/.github/workflows/on_label_added.yml b/.github/workflows/on_label_added.yml index 88ca45439bd..58b88f51a1a 100644 --- a/.github/workflows/on_label_added.yml +++ b/.github/workflows/on_label_added.yml 
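Review bot: The substantive change in this hunk, the new `permissions: issues: write # comment on issues` block, is buried in a whole-file re-indent that touches every line of on_closed_issues.yml, which makes the privilege change hard to review and to bisect later. Keep formatting-only changes in a separate commit, or at least state in the commit message that the file was re-indented. The `message: |` block scalar keeps one trailing newline; if the action posts the text verbatim, `message: |-` avoids an extra blank line at the end of the comment.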
@@ -1,5 +1,24 @@ name: On Label added +# PROCESS +# +# 1. Fetch PR details previously saved from untrusted location +# 2. Parse details for safety +# 3. Comment on PR labels `size/XXL` and suggest splitting into smaller PRs if possible + +# USAGE +# +# NOTE: meant to be used with ./.github/workflows/record_pr.yml +# +# Security Note: +# +# This workflow depends on "Record PR" workflow that runs in an untrusted location (forks) instead of `pull_request_target`. +# This enforces zero trust where "Record PR" workflow always runs on fork with zero permissions on GH_TOKEN. +# When "Record PR" completes, this workflow runs in our repository with the appropriate permissions and sanitize inputs. +# +# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated, +# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions. + on: workflow_run: workflows: ["Record PR details"] @@ -8,6 +27,8 @@ on: jobs: get_pr_details: + permissions: + actions: read # download PR artifact if: ${{ github.event.workflow_run.conclusion == 'success' }} uses: ./.github/workflows/reusable_export_pr_details.yml with: @@ -16,12 +37,11 @@ jobs: secrets: token: ${{ secrets.GITHUB_TOKEN }} - split-large-pr: + split_large_pr: needs: get_pr_details runs-on: ubuntu-latest permissions: - issues: write - pull-requests: write + pull-requests: write # comment on PR steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 # Maintenance: Persist state per PR as an artifact to avoid spam on label add diff --git a/.github/workflows/on_merged_pr.yml b/.github/workflows/on_merged_pr.yml index a4e8bf6d28d..589a735b5eb 100644 --- a/.github/workflows/on_merged_pr.yml +++ b/.github/workflows/on_merged_pr.yml 
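Review bot: Renaming the job id from `split-large-pr` to `split_large_pr` changes the check name GitHub reports, so any branch-protection required status check or external reference keyed on the old id silently stops matching; the same applies to `build` → `quality_check` in quality_check.yml, which is far more likely to be a required check on PRs. Please confirm the repository's required checks were updated alongside this commit. Dropping `issues: write` is fine for a job that only comments on a PR, provided `pull-requests: write` is in fact the scope the comment call needs; the job's steps continue outside the hunk.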
@@ -1,5 +1,25 @@ name: On PR merge +# PROCESS +# +# 1. Fetch PR details previously saved from untrusted location +# 2. Parse details for safety +# 3. Add `pending-release` label for related issue +# 4. Make a comment in PR if related issue is invalid or can't be labeled + +# USAGE +# +# NOTE: meant to be used with ./.github/workflows/record_pr.yml +# +# Security Note: +# +# This workflow depends on "Record PR" workflow that runs in an untrusted location (forks) instead of `pull_request_target`. +# This enforces zero trust where "Record PR" workflow always runs on fork with zero permissions on GH_TOKEN. +# When "Record PR" completes, this workflow runs in our repository with the appropriate permissions and sanitize inputs. +# +# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated, +# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions. + on: workflow_run: workflows: ["Record PR details"] @@ -8,6 +28,8 @@ on: jobs: get_pr_details: + permissions: + actions: read # download PR artifact if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' uses: ./.github/workflows/reusable_export_pr_details.yml with: @@ -18,6 +40,8 @@ jobs: release_label_on_merge: needs: get_pr_details runs-on: ubuntu-latest + permissions: + pull-requests: write # make a comment in PR if unable to find related issue if: needs.get_pr_details.outputs.prIsMerged == 'true' steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml index 58f580e13af..a9131926081 100644 --- a/.github/workflows/on_opened_pr.yml +++ b/.github/workflows/on_opened_pr.yml 
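Review bot: `release_label_on_merge` is granted only `pull-requests: write`, but the PROCESS header in this file says step 3 adds a `pending-release` label to the related issue, and labeling an issue needs `issues: write`; with a job-level block every unlisted scope is `none`, so that call would fail with 403. The job's steps are outside this hunk, so if the label is applied by another job this does not apply; otherwise add `issues: write # add pending-release label to related issue` next to the existing line and keep the comment on `pull-requests: write` for the fallback-comment case.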
@@ -1,5 +1,25 @@ name: On new PR +# PROCESS +# +# 1. Fetch PR details previously saved from untrusted location +# 2. Parse details for safety +# 3. Confirm there is a related issue for newly opened PR +# 4. Verify if PR template is used and legal acknowledgement hasn't been removed + +# USAGE +# +# NOTE: meant to be used with ./.github/workflows/record_pr.yml +# +# Security Note: +# +# This workflow depends on "Record PR" workflow that runs in an untrusted location (forks) instead of `pull_request_target`. +# This enforces zero trust where "Record PR" workflow always runs on fork with zero permissions on GH_TOKEN. +# When "Record PR" completes, this workflow runs in our repository with the appropriate permissions and sanitize inputs. +# +# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated, +# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions. + on: workflow_run: workflows: ["Record PR details"] @@ -8,6 +28,8 @@ on: jobs: get_pr_details: + permissions: + actions: read # download PR artifact if: ${{ github.event.workflow_run.conclusion == 'success' }} uses: ./.github/workflows/reusable_export_pr_details.yml with: @@ -16,6 +38,8 @@ jobs: secrets: token: ${{ secrets.GITHUB_TOKEN }} check_related_issue: + permissions: + pull-requests: write # label and comment on PR if missing related issue (requirement) needs: get_pr_details runs-on: ubuntu-latest steps: @@ -35,6 +59,8 @@ jobs: check_acknowledge_section: needs: get_pr_details runs-on: ubuntu-latest + permissions: + pull-requests: write # label and comment on PR if missing acknowledge section (requirement) steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Ensure acknowledgement section is present" diff --git a/.github/workflows/on_push_docs.yml b/.github/workflows/on_push_docs.yml index b6051f8fa94..ec6e14c4273 100644 --- a/.github/workflows/on_push_docs.yml 
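Review bot: In `check_related_issue` the new `permissions` block is placed before `needs:` and `runs-on:`, while `check_acknowledge_section` in the next hunk and every other job touched by this commit place it after `runs-on:`; pick one ordering so the privilege grants are found in the same spot when reading each job. Moving the two lines below `runs-on: ubuntu-latest` would match the rest of the file.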
+++ b/.github/workflows/on_push_docs.yml @@ -1,5 +1,15 @@ name: Docs +# PROCESS +# +# 1. Build User Guide and API docs +# 2. Publish to GitHub Pages +# 3. Publish to S3 (new home) + +# USAGE +# +# Always triggered on PR merge when changes in documentation changes occur. + on: push: branches: @@ -10,15 +20,12 @@ on: - "examples/**" - "CHANGELOG.md" -permissions: - id-token: write - jobs: release-docs: permissions: - contents: write - pages: write - id-token: write + contents: write # push to gh-pages + pages: write # deploy gh-pages website + id-token: write # trade JWT token for AWS credentials in AWS Docs account secrets: inherit uses: ./.github/workflows/reusable_publish_docs.yml with: diff --git a/.github/workflows/publish_v2_layer.yml b/.github/workflows/publish_v2_layer.yml index 296ea1376c7..28f767a3a3f 100644 --- a/.github/workflows/publish_v2_layer.yml +++ b/.github/workflows/publish_v2_layer.yml @@ -1,5 +1,31 @@ name: Deploy v2 layer to all regions +# PROCESS +# +# 1. Compile Layer using cdk-aws-lambda-powertools-layer CDK construct for x86 and ARM (uses custom runner as it's CPU heavy) +# 2. Kick off pipeline for beta, prod, and canary releases +# 3. Create PR to update trunk so staged docs also point to the latest Layer ARN, when merged +# 4. Builds and publishes docs with latest Layer ARN using given version (generally coming from release) + + +# USAGE +# +# NOTE: meant to be used with ./.github/workflows/release.yml +# +# publish_layer: +# needs: [seal, release, create_tag] +# secrets: inherit +# permissions: +# id-token: write +# contents: write +# pages: write +# pull-requests: write +# uses: ./.github/workflows/publish_v2_layer.yml +# with: +# latest_published_version: ${{ needs.seal.outputs.RELEASE_VERSION }} +# pre_release: ${{ inputs.pre_release }} + + on: workflow_dispatch: inputs: 
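Review bot: The USAGE line `# Always triggered on PR merge when changes in documentation changes occur.` repeats "changes"; suggest `# Always triggered on PR merge when documentation changes occur.`. rebuild_latest_docs.yml carries the same PROCESS list, so keep the two headers worded alike.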
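Review bot: Removing the workflow-level `permissions: id-token: write` is the right direction, but the hunk deletes the block outright rather than replacing it with a restrictive default, so any job in on_push_docs.yml without its own `permissions` block now inherits the repository's default token permissions instead of an explicit minimum. Consider keeping a workflow-level `permissions: contents: read` (or `permissions: {}`) and letting `release-docs` keep its job-level grants, which override it. The same deletion is made in rebuild_latest_docs.yml.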
@@ -91,7 +117,7 @@ jobs: id-token: write contents: read pages: write # docs will be updated with latest Layer ARNs - pull-requests: write # creation-action will create a PR with Layer ARN updates + pull-requests: write # creation-action will create a PR with Layer ARN updates uses: ./.github/workflows/reusable_deploy_v2_layer_stack.yml secrets: inherit with: @@ -107,7 +133,7 @@ jobs: id-token: write contents: read pages: write # docs will be updated with latest Layer ARNs - pull-requests: write # creation-action will create a PR with Layer ARN updates + pull-requests: write # creation-action will create a PR with Layer ARN updates uses: ./.github/workflows/reusable_deploy_v2_layer_stack.yml secrets: inherit with: @@ -133,7 +159,7 @@ jobs: package-version: ${{ inputs.latest_published_version }} sar-prod: - needs: [build-layer, sar-beta] + needs: [build-layer, beta, sar-beta] permissions: # lower privilege propagated from parent workflow (release.yml) id-token: write diff --git a/.github/workflows/python_build.yml b/.github/workflows/quality_check.yml similarity index 70% rename from .github/workflows/python_build.yml rename to .github/workflows/quality_check.yml index 0648fc30d17..3ae93bd26cf 100644 --- a/.github/workflows/python_build.yml +++ b/.github/workflows/quality_check.yml @@ -1,5 +1,20 @@ name: Code quality +# PROCESS +# +# 1. Install all dependencies and spin off containers for all supported Python versions +# 2. Run code formatters and linters (various checks) for code standard +# 3. Run static typing checker for potential bugs +# 4. Run entire test suite for regressions except end-to-end (unit, functional, performance) +# 5. Run static analysis (in addition to CodeQL) for common insecure code practices +# 6. Run complexity baseline to avoid error-prone bugs and keep maintenance lower +# 7. Collect and report on test coverage + +# USAGE +# +# Always triggered on new PRs, PR changes and PR merge. + + on: pull_request: paths: 
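Review bot: `sar-prod` now also waits on `beta`, and with default `needs` semantics the job is skipped whenever any prerequisite fails or is skipped, which appears to be the intended gate but is not stated anywhere in the hunk. A short inline comment would keep the next reader from treating `beta` as an accidental extra, e.g. `needs: [build-layer, beta, sar-beta] # prod SAR only after both the beta layer and the beta SAR app succeed`. The `sar-prod` job definition continues outside the hunk.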
@@ -10,7 +25,6 @@ on: - "mypy.ini" branches: - develop - - v2 push: paths: - "aws_lambda_powertools/**" @@ -20,10 +34,9 @@ on: - "mypy.ini" branches: - develop - - v2 jobs: - build: + quality_check: runs-on: ubuntu-latest strategy: max-parallel: 4 @@ -31,6 +44,8 @@ jobs: python-version: ["3.7", "3.8", "3.9", "3.10"] env: PYTHON: "${{ matrix.python-version }}" + permissions: + contents: read # checkout code only steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Install poetry diff --git a/.github/workflows/rebuild_latest_docs.yml b/.github/workflows/rebuild_latest_docs.yml index fc65bd71673..927d6f8dc91 100644 --- a/.github/workflows/rebuild_latest_docs.yml +++ b/.github/workflows/rebuild_latest_docs.yml @@ -1,7 +1,16 @@ name: Rebuild latest docs +# PROCESS # -# === Documentation hotfix === +# 1. Build User Guide and API docs +# 2. Publish to GitHub Pages +# 3. Publish to S3 (new home) + +# USAGE +# +# Only used for deploying a documentation hotfix to /latest and its associated version w/o a full release. +# +# Steps: # # 1. Trigger "Rebuild latest docs" workflow manually: https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow # 2. Use the latest version released under Releases e.g. 2.0.0 @@ -10,19 +19,16 @@ on: workflow_dispatch: inputs: latest_published_version: - description: "Latest PyPi published version to rebuild latest docs for, e.g. 2.0.0" - default: "2.0.0" + description: "Latest PyPi published version to rebuild latest docs for, e.g. 2.16.3" + default: "2.16.3" required: true -permissions: - id-token: write - jobs: release-docs: permissions: - contents: write - pages: write - id-token: write + contents: write # push to gh-pages + pages: write # deploy gh-pages website + id-token: write # trade JWT token for AWS credentials in AWS Docs account secrets: inherit uses: ./.github/workflows/reusable_publish_docs.yml with: 
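Review bot: The file was renamed from python_build.yml to quality_check.yml and the job from `build` to `quality_check`, but the README badge in this same commit only updates the image URL and still links to `actions/workflows/python_build.yml`, which will 404 after merge; change the link target to `https://github.com/awslabs/aws-lambda-powertools-python/actions/workflows/quality_check.yml`. Since `build` is the job name most likely registered as a required status check for PRs, confirm branch protection was updated to `quality_check` as well.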
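Review bot: `default: "2.16.3"` for `latest_published_version` will be stale after the next release, and because the input already has `required: true` a default only makes it easier to re-deploy docs for an old version by accident from the GitHub UI. Either drop the `default` so the operator must type the version, or state the upkeep rule in the description, e.g. `description: "Latest PyPi published version to rebuild latest docs for, e.g. 2.16.3 (update the default on every release)"`.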
diff --git a/.github/workflows/record_pr.yml b/.github/workflows/record_pr.yml index 20cd93b897f..6fd933222c6 100644 --- a/.github/workflows/record_pr.yml +++ b/.github/workflows/record_pr.yml @@ -1,5 +1,38 @@ name: Record PR details +# PROCESS +# +# 1. Runs in fork location upon PR creation or changes +# 2. Saves GitHub Pull Request Webhook payload +# 3. Uploads as a temporary GitHub Action Artifact with shortest retention + +# USAGE +# +# see .github/workflows/on_merged_pr.yml and related for full example. +# +# on: +# workflow_run: +# workflows: ["Record PR details"] +# types: +# - completed +# +# Security Note: +# +# For security, this is intended to be a 2-step process: (1) collect PR, (2) act on PR. +# Do not ever use `pull_request_target` to "simplify", as it sends a write-token to the fork. Our linter should catch it. +# +# The first step runs in untrusted location (fork), therefore we limit permissions to only check out code. +# +# The second step will be workflows that want to act on a given PR, this time with intended permissions, and +# it runs on its base location (this repo!). +# +# This enforces zero trust where this workflow always runs on fork with zero permissions on GH_TOKEN. +# When this workflow completes, X workflows run in our repository with the appropriate permissions and sanitize inputs. +# +# Coupled with "Approve GitHub Action to run on forks", we have confidence no privilege can be escalated, +# since any malicious change would need to be approved, and upon social engineering, it'll have zero permissions. + + on: pull_request: types: [opened, edited, closed, labeled] @@ -7,7 +40,8 @@ on: jobs: record_pr: runs-on: ubuntu-latest - + permissions: + contents: read # NOTE: treat as untrusted location steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: "Extract PR details" @@ -20,3 +54,4 @@ jobs: with: name: pr path: pr.txt + retention-days: 1 
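Review bot: The Security Note says `pull_request_target` "sends a write-token to the fork"; what it actually does is run the workflow in the base repository with a write-scoped token and repository secrets, which becomes dangerous when that run checks out or executes the fork's code, so the sentence should name the real hazard. Suggested wording: `# Do not ever use pull_request_target to "simplify": it runs with a write token and repo secrets, and checking out fork code in that context exposes both.` Two other lines read as placeholders: "Our linter should catch it" should name the check (secure_workflows.yml appears to be that linter), and "X workflows run in our repository" should list the `workflow_run` consumers (on_opened_pr, on_merged_pr, on_label_added, label_pr_on_title).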
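Review bot: `retention-days: 1` is a sensible minimum for a payload that only needs to survive until the `workflow_run` consumers download it, but the trade-off is not recorded: re-running any consumer workflow more than a day later fails at artifact download rather than at a visible guard. Document it on the line, e.g. `retention-days: 1 # consumers download this within minutes; a consumer re-run after 24h will not find the artifact`. Since `pr.txt` carries contributor-supplied, untrusted PR title and body text, the short window also limits how long that content sits in the artifact store, which is worth stating.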
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index 2da4bd58b79..76e75446220 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -1,5 +1,17 @@ name: Release Drafter +# PROCESS +# +# 1. Enumerate all PRs in merged state +# 2. Filter out any PR labeled `skip-changelog` +# 3. Updates or creates a new release in Draft mode + +# USAGE +# +# Always run on merged PRs or manually via GitHub UI for debugging purposes. +# +# see .github/release-drafter.yml for configuration + on: push: branches: @@ -9,6 +21,8 @@ on: jobs: update_release_draft: runs-on: ubuntu-latest + permissions: + contents: write # create release in draft mode steps: - uses: release-drafter/release-drafter@569eb7ee3a85817ab916c8f8ff03a5bd96c9c83e # v5.20.1 env: diff --git a/.github/workflows/reusable_deploy_v2_layer_stack.yml b/.github/workflows/reusable_deploy_v2_layer_stack.yml index 425b8a092f3..66142e7bb98 100644 --- a/.github/workflows/reusable_deploy_v2_layer_stack.yml +++ b/.github/workflows/reusable_deploy_v2_layer_stack.yml 
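Review bot: `update_release_draft` gets only `contents: write # create release in draft mode`, and with a job-level block `pull-requests` becomes `none`; release-drafter reads merged PRs and their labels (PROCESS steps 1–2) and, if the autolabeler in .github/release-drafter.yml is enabled, also writes labels, which the action's own README documents as needing `pull-requests: write`. Reading PRs on a public repository works without the scope, so this only bites if autolabeling is configured; check .github/release-drafter.yml and, if so, add `pull-requests: write # autolabeler adds labels to PRs`.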
@@ -1,5 +1,32 @@ name: Deploy CDK Layer v2 stack +# PROCESS +# +# 1. Split what AWS regions support ARM vs regions that Lambda support ARM +# 2. Deploy previously built layer for each AWS commercial region +# 3. Export all published Layers as JSON +# 4. Deploy Canaries to every deployed region to test whether Powertools can be imported etc. + +# USAGE +# +# NOTE: meant to be used with ./.github/workflows/publish_v2_layer.yml +# +# beta: +# needs: build-layer +# # lower privilege propagated from parent workflow (release.yml) +# permissions: +# id-token: write +# contents: read +# pages: write # docs will be updated with latest Layer ARNs +# pull-requests: write # creation-action will create a PR with Layer ARN updates +# uses: ./.github/workflows/reusable_deploy_v2_layer_stack.yml +# secrets: inherit +# with: +# stage: "BETA" +# artefact-name: "cdk-layer-artefact" +# environment: "layer-beta" +# latest_published_version: ${{ inputs.latest_published_version }} + on: workflow_call: inputs: diff --git a/.github/workflows/reusable_deploy_v2_sar.yml b/.github/workflows/reusable_deploy_v2_sar.yml index d9e2f046e9a..e50a815979d 100644 --- a/.github/workflows/reusable_deploy_v2_sar.yml +++ b/.github/workflows/reusable_deploy_v2_sar.yml @@ -1,6 +1,6 @@ name: Deploy V2 SAR -# SAR deployment process +# PROCESS # # 1. This workflow starts after the layer artifact is produced on `publish_v2_layer` # 2. We use the same layer artifact to ensure the SAR app is consistent with the published Lambda Layer 
@@ -9,6 +9,26 @@ name: Deploy V2 SAR # 5. We remove the previous Canary stack (if present) and deploy a new one to test the SAR App. We retain the Canary in the account for debugging purposes # 6. Finally the published SAR app is made public on the PROD environment +# USAGE +# +# NOTE: meant to be used with ./.github/workflows/publish_v2_layer.yml +# +# sar-beta: +# needs: build-layer +# permissions: +# # lower privilege propagated from parent workflow (release.yml) +# id-token: write +# contents: read +# pull-requests: none +# pages: none +# uses: ./.github/workflows/reusable_deploy_v2_sar.yml +# secrets: inherit +# with: +# stage: "BETA" +# artefact-name: "cdk-layer-artefact" +# environment: "layer-beta" +# package-version: ${{ inputs.latest_published_version }} + permissions: id-token: write contents: read diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml index 39ce20672c6..089d735278e 100644 --- a/.github/workflows/reusable_export_pr_details.yml +++ b/.github/workflows/reusable_export_pr_details.yml @@ -1,5 +1,19 @@ name: Export previously recorded PR +# PROCESS +# +# 1. Fetch PR details previously saved from untrusted location +# 2. Parse details for safety +# 3. Export only what's needed for automation, e.g., PR number, title, body, author, action, whether is merged + +# USAGE +# +# see .github/workflows/on_merged_pr.yml and related for full example. +# +# NOTE: meant to be used with workflows that react to a given PR state (labeling, new, merged, etc.) +# done separately to isolate security practices and make it reusable. + + on: workflow_call: inputs: @@ -38,6 +52,8 @@ on: jobs: export_pr_details: + permissions: + actions: read # download PR artifact # see https://github.com/awslabs/aws-lambda-powertools-python/issues/1349 if: inputs.workflow_origin == 'awslabs/aws-lambda-powertools-python' runs-on: ubuntu-latest 
diff --git a/.github/workflows/reusable_publish_changelog.yml b/.github/workflows/reusable_publish_changelog.yml index f08b23ca9f1..34dfc7342fe 100644 --- a/.github/workflows/reusable_publish_changelog.yml +++ b/.github/workflows/reusable_publish_changelog.yml @@ -1,5 +1,7 @@ name: Build and publish latest changelog +# see ./.github/workflows/build_changelog.yml for docs + on: workflow_call: @@ -16,8 +18,8 @@ jobs: group: changelog-build runs-on: ubuntu-latest permissions: - contents: write - pull-requests: write + contents: write # create temporary branch with changelog + pull-requests: write # create PR steps: - name: Checkout repository # reusable workflows start clean, so we need to checkout again uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml index c5d4fd2dfcc..74047d7ebde 100644 --- a/.github/workflows/reusable_publish_docs.yml +++ b/.github/workflows/reusable_publish_docs.yml @@ -1,5 +1,7 @@ name: Reusable publish documentation +# see .github/workflows/on_push_docs.yml for docs + env: ORIGIN: awslabs/aws-lambda-powertools-python @@ -26,9 +28,9 @@ on: default: develop permissions: - id-token: write - contents: write - pages: write + id-token: write # trade JWT token for AWS credentials in AWS Docs account + contents: write # push to gh-pages + pages: write # deploy gh-pages website jobs: publish_docs: diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml index dbdc9b1849a..46c303ad707 100644 --- a/.github/workflows/run-e2e-tests.yml +++ b/.github/workflows/run-e2e-tests.yml 
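Review bot: reusable_publish_docs.yml keeps its `permissions` at workflow level while the rest of the commit moves grants to the job that needs them; in a called workflow these are capped by the caller's job-level grant, so the effective privilege is unchanged, but the placement is inconsistent and the block would also apply to any job later added to this file. Moving the three lines under `publish_docs` (outside this hunk) would match on_push_docs.yml and rebuild_latest_docs.yml, which already scope them to `release-docs`.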
@@ -1,10 +1,24 @@ name: Run end-to-end tests +# PROCESS +# +# 1. Install all dependencies and spin off containers for all supported Python versions +# 2. Install pinned CDK version +# 3. Trade JWT token for AWS credentials to Test account +# 4. Run E2E in parallel for each feature + +# USAGE +# +# see MAINTAINERS.md#internals for full details on mechanics. +# +# Always triggered on new PR merge. + on: workflow_dispatch: push: - branches: [develop, v2] + branches: + - develop paths: - "aws_lambda_powertools/**" - "tests/e2e/**" @@ -26,7 +40,7 @@ jobs: runs-on: aws-lambda-powertools_ubuntu-latest_8-core permissions: id-token: write # needed to request JWT with GitHub's OIDC Token endpoint. docs: https://bit.ly/3MNgQO9 - contents: read + contents: read # checkout code strategy: fail-fast: false # needed so if a version fails, the others will still be able to complete and cleanup matrix: diff --git a/.github/workflows/secure_workflows.yml b/.github/workflows/secure_workflows.yml index b8ad121169c..bca7eaa80d8 100644 --- a/.github/workflows/secure_workflows.yml +++ b/.github/workflows/secure_workflows.yml @@ -1,5 +1,16 @@ name: Lockdown untrusted workflows +# PROCESS +# +# 1. Scans for any external GitHub Action being used without version pinning (@ vs @v3) +# 2. Scans for insecure practices for inline bash scripts (shellcheck) +# 3. Fail CI and prevent PRs to be merged if any malpractice is found + +# USAGE +# +# Always triggered on new PR, PR changes and PR merge. + + on: push: paths: @@ -12,6 +23,8 @@ jobs: enforce_pinned_workflows: name: Harden Security runs-on: ubuntu-latest + permissions: + contents: read # checkout code and subsequently GitHub action workflows steps: - name: Checkout code uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 diff --git a/README.md b/README.md index 9aa79dc3f2c..d9cf9a5eb85 100644 --- a/README.md +++ b/README.md 
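Review bot: The PROCESS line `# 1. Scans for any external GitHub Action being used without version pinning (@ vs @v3)` describes the check imprecisely: a `@v3` tag is a mutable ref, and the practice this workflow appears to enforce, as used throughout the repo, is pinning to a full commit SHA with the tag in a trailing comment (as in `actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2`). Suggest `# 1. Scans for any external GitHub Action not pinned to a full commit SHA (a mutable tag such as @v3 is rejected)`. Line 3 also needs a grammar fix: `# 3. Fail CI and prevent PRs from being merged if any malpractice is found`.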
@@ -1,7 +1,7 @@ # Powertools for AWS Lambda (Python) -[![Build](https://github.com/awslabs/aws-lambda-powertools-python/actions/workflows/python_build.yml/badge.svg)](https://github.com/awslabs/aws-lambda-powertools-python/actions/workflows/python_build.yml) +[![Build](https://github.com/awslabs/aws-lambda-powertools-python/actions/workflows/quality_check.yml/badge.svg)](https://github.com/awslabs/aws-lambda-powertools-python/actions/workflows/python_build.yml) [![codecov.io](https://codecov.io/github/awslabs/aws-lambda-powertools-python/branch/develop/graphs/badge.svg)](https://app.codecov.io/gh/awslabs/aws-lambda-powertools-python) ![PythonSupport](https://img.shields.io/static/v1?label=python&message=%203.7|%203.8|%203.9|%203.10&color=blue?style=flat-square&logo=python) ![PyPI version](https://badge.fury.io/py/aws-lambda-powertools.svg) ![PyPi monthly downloads](https://img.shields.io/pypi/dm/aws-lambda-powertools) [![Join our Discord](https://dcbadge.vercel.app/api/server/B8zZKbbyET)](https://discord.gg/B8zZKbbyET)