diff --git a/.github/workflows/make-v2-release.yml b/.github/workflows/make-v2-release.yml
index 356fdf2bad..a6b4e3366f 100644
--- a/.github/workflows/make-v2-release.yml
+++ b/.github/workflows/make-v2-release.yml
@@ -15,7 +15,6 @@ jobs:
 # Needed as recommended by npm docs on publishing with provenance https://docs.npmjs.com/generating-provenance-statements
 permissions:
 id-token: write
- contents: write
 environment: Release
 runs-on: ubuntu-latest
 outputs:
diff --git a/.github/workflows/on_doc_merge.yml b/.github/workflows/on_doc_merge.yml
index bcea9b0d7b..b0115b755c 100644
--- a/.github/workflows/on_doc_merge.yml
+++ b/.github/workflows/on_doc_merge.yml
@@ -14,10 +14,9 @@ permissions:
 jobs:
 release-docs:
 permissions:
- actions: write
- id-token: write
+ id-token: write # trade JWT token for AWS credentials in AWS Docs account
 secrets: inherit
- uses: ./.github/workflows/reusable-publish-docs.yml
+ uses: ./.github/workflows/reusable_publish_docs.yml
 with:
 version: main
 alias: stage
\ No newline at end of file
diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml
index b72b59abd6..7b178e9c1d 100644
--- a/.github/workflows/publish_layer.yml
+++ b/.github/workflows/publish_layer.yml
@@ -1,9 +1,7 @@
 name: Deploy layer to all regions
 permissions:
- id-token: write
 contents: write
- pages: write
 on: # Manual trigger
@@ -57,6 +55,8 @@ jobs:
 needs:
 - build-layer
 uses: ./.github/workflows/reusable_deploy_layer_stack.yml
+ permissions:
+ id-token: write
 with:
 stage: "BETA"
 artifact-name: "cdk-layer-artifact"
@@ -69,6 +69,8 @@ jobs:
 needs:
 - deploy-beta
 uses: ./.github/workflows/reusable_deploy_layer_stack.yml
+ permissions:
+ id-token: write
 with:
 stage: "PROD"
 artifact-name: "cdk-layer-artifact"
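Review bot: `secrets: inherit` on the `release-docs` job in `.github/workflows/on_doc_merge.yml` still forwards every secret the caller can read to `reusable_publish_docs.yml`, which undercuts the least-privilege intent of trimming the token to `id-token: write`. If the called workflow needs only a few values beyond the OIDC exchange, declare them under `on.workflow_call.secrets` there and pass them by name here, e.g. `secrets:` followed by `<SECRET_NAME>: ${{ secrets.<SECRET_NAME> }}` (placeholder name); if it needs none, the line can presumably go. The same line sits in the `release-docs` callers in `publish_layer.yml` and `rebuild_latest_docs.yml`. What the reusable workflow actually reads is outside this hunk, so confirm against its steps first.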
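Review bot: The `permissions:` blocks added to the two `reusable_deploy_layer_stack.yml` callers in `.github/workflows/publish_layer.yml` (stage `"BETA"` here, stage `"PROD"` in the next hunk) grant only `id-token: write`, and a job that declares `permissions` gets `none` for every scope it omits, so the called workflow can no longer rely on any `contents` access. If that workflow checks out the repository, state it explicitly with `contents: read` rather than depending on the repository being public. The workflow-level block kept by the first hunk still defaults every other job to `contents: write`; consider `contents: read` there and write access only on the job that needs it. A short why-comment such as `id-token: write # trade JWT token for AWS credentials`, matching the docs workflows, would help too. Both job definitions begin above their hunks.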
@@ -95,11 +97,9 @@ jobs:
 release-docs:
 needs: [ deploy-prod, prepare_docs_alias ]
 permissions:
- contents: write
- pages: write
 id-token: write
 secrets: inherit
- uses: ./.github/workflows/reusable-publish-docs.yml
+ uses: ./.github/workflows/reusable_publish_docs.yml
 with:
 version: ${{ inputs.latest_published_version }}
 alias: ${{ needs.prepare_docs_alias.outputs.DOCS_ALIAS }}
diff --git a/.github/workflows/rebuild_latest_docs.yml b/.github/workflows/rebuild_latest_docs.yml
index 9b1f0b8908..b943dea3bc 100644
--- a/.github/workflows/rebuild_latest_docs.yml
+++ b/.github/workflows/rebuild_latest_docs.yml
@@ -28,7 +28,6 @@ permissions:
 jobs:
 release-docs:
 permissions:
- actions: write # upload artifacts (for debugging issues with the docs build)
 id-token: write # trade JWT token for AWS credentials in AWS Docs account
 secrets: inherit
 uses: ./.github/workflows/reusable_publish_docs.yml
diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml
index 542dc6ac48..cc44046321 100644
--- a/.github/workflows/reusable_publish_docs.yml
+++ b/.github/workflows/reusable_publish_docs.yml
@@ -47,7 +47,6 @@ jobs:
 runs-on: ubuntu-latest
 environment: Docs
 permissions:
- actions: write # upload artifacts (for debugging issues with the docs build)
 id-token: write # trade JWT token for AWS credentials in AWS Docs account
 steps:
 - name: Checkout code