
Commit 4f49f52

NAID-3322 - Review GitHub Actions NHS Best Practices
* Restrict permissions per job to ensure that only the least required permissions are granted in `build` workflow. * Use SHAs for GitHub Actions `actions` instead of versions to ensure we have control over exactly which version is being used in `build` workflow.
1 parent 0294c7d commit 4f49f52


1 file changed

+13
-7
lines changed


.github/workflows/build.yml

Lines changed: 13 additions & 7 deletions
@@ -12,16 +12,21 @@ jobs:
1212
tests:
1313
name: Tests
1414
uses: ./.github/workflows/test.yml
15+
permissions:
16+
contents: read
17+
id-token: write
1518

1619
generate-build-id:
1720
name: "Generate Build Id"
1821
needs: [ tests ]
1922
runs-on: ubuntu-latest
23+
permissions:
24+
contents: read
2025
outputs:
2126
build-id: ${{ steps.generate.outputs.buildId }}
2227
steps:
2328
- name: Checkout Repository
24-
uses: actions/checkout@v4
29+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
2530

2631
- id: generate
2732
working-directory: ./scripts
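Review bot: `id-token: write` on the `tests` job looks broader than the least-privilege goal stated in the commit message unless `./.github/workflows/test.yml` actually requests an OIDC token (for example to assume a cloud role for integration tests); if it does not, drop it and leave the job at `contents: read`, which is all `generate-build-id` gets and all a checkout needs. The SHA pin on `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` is the right shape; keep the trailing version comment accurate so Dependabot or Renovate can bump the pin, otherwise a SHA pin never moves and silently ages.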
@@ -32,9 +37,9 @@ jobs:
3237
chmod +x ./create_build_id.sh
3338
3439
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
35-
GIT_BRANCH=PR
40+
GIT_BRANCH=PR
3641
elif [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then
37-
GIT_BRANCH=main
42+
GIT_BRANCH=main
3843
fi
3944
4045
BUILD_ID=$(./create_build_id.sh $GIT_BRANCH ${{ github.run_number }} ${{ github.sha }})
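Review bot: this hunk is indentation-only (the two `GIT_BRANCH=` assignments inside the shell block) and unrelated to the permissions and SHA-pinning purpose of the commit; fine to keep, but the unchanged line just below it, `BUILD_ID=$(./create_build_id.sh $GIT_BRANCH ${{ github.run_number }} ${{ github.sha }})`, leaves `$GIT_BRANCH` unquoted, so on any event that matches neither the `pull_request` nor the `push` to `main` branch the variable is empty and `create_build_id.sh` receives the run number as its first argument. Either quote it (`"$GIT_BRANCH"`) or add an `else` branch that fails fast.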
@@ -44,7 +49,9 @@ jobs:
4449
publish-docker-image:
4550
name: "Publish docker image to ECR"
4651
needs: [ generate-build-id ]
47-
52+
permissions:
53+
contents: read
54+
id-token: write
4855
uses: ./.github/workflows/publish.yml
4956
with:
5057
directory: .
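Review bot: `id-token: write` on `publish-docker-image` is justified if `publish.yml` assumes an AWS role via OIDC to push to ECR, which the job name suggests, but job-level `permissions` on a `uses:` job act as a ceiling for the called workflow: scopes it declares beyond these two (for example `packages: write`) cannot be elevated from here, so check that the `permissions` block in `./.github/workflows/publish.yml` fits inside `contents: read` and `id-token: write`. The blank line removed at old line 47 is cosmetic.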
@@ -63,10 +70,9 @@ jobs:
6370
runs-on: ubuntu-latest
6471
steps:
6572
- name: Comment PR
66-
uses: thollander/actions-comment-pull-request@v3
73+
uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
6774
with:
6875
message: |
6976
Images built and published to ECR using a Build Id of ${{ needs.generate-build-id.outputs.build-id }}
7077
comment-tag: images-built
71-
mode: upsert
72-
78+
mode: upsert
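Review bot: this job still has no `permissions:` block, unlike every other job touched in this diff, so it keeps inheriting the workflow or repository default for `GITHUB_TOKEN`. `thollander/actions-comment-pull-request` needs `pull-requests: write` to create and upsert the comment, so add `permissions: pull-requests: write` to this job to finish the per-job least-privilege change the commit describes. The SHA pin with the `# v3.0.1` comment is consistent with the checkout pin above; the `mode: upsert` move is indentation-only.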
