Update GHA GITHUB_TOKEN Permissions

cabutlermit · cabutlermit · commit 9de7121e3386 · 2025-05-07T14:15:50.000-04:00
Why these changes are being introduced: There is a potential conflict between GITHUB_TOKEN permissions declared in a caller workflow (like this) and the shared workflow that is being called. After testing various combinations, the end result is as simple as setting the correct GITHUB_TOKEN permissions in the shared workflow and not declaring any permissions in the calling workflow. If there is some need to declare GITHUB_TOKEN permissions in the calling workflow, they MUST match the permissions in the shared workflow. Since checkov will throw a warning if no permissions are declared at all there is a checkov:skip comment in the caller workflow. Sadly, for an unknown reason, checkov doesn't register this skip comment and still shows a warning. How this addresses that need: * Remove all permissions declared in the caller workflows * Add a checkov:skip comment in the workflows, even though it doesn't properly work (this at least lets any future developer know that there is a good reason for not having a permissions statement in the yaml) Side effects of this change: None. Related Jira Tickets: * https://mitlibraries.atlassian.net/browse/IR-238
diff --git a/.github/workflows/dev-build.yml b/.github/workflows/dev-build.yml
@@ -1,9 +1,10 @@
 ### This is the Terraform-generated dev-build.yml workflow for the          ###
 ### docker-matomo-dev app repository.                                       ###
-### If this is a Lambda repo, uncomment the FUNCTION line at the end of the ###
-### document. If the container requires any additional pre-build commands,  ###
-### uncomment and edit the PREBUILD line at the end of the document.        ###
 name: Dev Container Build and Deploy
+
+# checkov:skip=CKV2_GHA_1:The shared workflow contains the permissions constraints
+# NOTE: The above checkov skip command doesn't actually work and this workflow
+#       will always show a checkov warning.
 on:
   workflow_dispatch:
   pull_request:
@@ -12,21 +13,12 @@ on:
     paths-ignore:
       - '.github/**'
 
-permissions: read-all
-
 jobs:
   deploy:
-    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
-    permissions:
-      id-token: write
-      contents: read
-
     name: Dev Container Deploy
-    uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-dev.yml@main
+    uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-dev.yml@INFRA-526
     secrets: inherit
     with:
       AWS_REGION: "us-east-1"
       GHA_ROLE: "docker-matomo-gha-dev"
       ECR: "docker-matomo-dev"
-      # FUNCTION: ""
-      # PREBUILD: 
diff --git a/.github/workflows/prod-promote.yml b/.github/workflows/prod-promote.yml
@@ -1,22 +1,18 @@
 ### This is the Terraform-generated prod-promote.yml workflow for the       ###
 ### docker-matomo-prod repository.                                          ###
-### If this is a Lambda repo, uncomment the FUNCTION line at the end of the ###
-### document.                                                               ###
+
 name: Prod Container Promote
+# checkov:skip=CKV2_GHA_1:The shared workflow contains the permissions constraints
+# NOTE: The above checkov skip command doesn't actually work and this workflow
+#       will always show a checkov warning.
+
 on:
   workflow_dispatch:
   release:
     types: [published]
 
-permissions: read-all
-
 jobs:
   deploy:
-    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
-    permissions:
-      id-token: write
-      contents: read
-
     name: Prod Container Promote
     uses: mitlibraries/.github/.github/workflows/ecr-shared-promote-prod.yml@main
     secrets: inherit
diff --git a/.github/workflows/stage-build.yml b/.github/workflows/stage-build.yml
@@ -1,9 +1,10 @@
 ### This is the Terraform-generated dev-build.yml workflow for the          ###
 ### docker-matomo-stage app repository.                                     ###
-### If this is a Lambda repo, uncomment the FUNCTION line at the end of the ###
-### document. If the container requires any additional pre-build commands,  ###
-### uncomment and edit the PREBUILD line at the end of the document.        ###
 name: Stage Container Build and Deploy
+# checkov:skip=CKV2_GHA_1:The shared workflow contains the permissions constraints
+# NOTE: The above checkov skip command doesn't actually work and this workflow
+#       will always show a checkov warning.
+
 on:
   workflow_dispatch:
   push:
@@ -12,21 +13,13 @@ on:
     paths-ignore:
       - '.github/**'
 
-permissions: read-all
-
 jobs:
   deploy:
-    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
-    permissions:
-      id-token: write
-      contents: read
-
     name: Stage Container Deploy
     uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-stage.yml@main
     secrets: inherit
     with:
       AWS_REGION: "us-east-1"
       GHA_ROLE: "docker-matomo-gha-stage"
       ECR: "docker-matomo-stage"
-      # FUNCTION: ""
-      # PREBUILD: 
+ 
