diff --git a/.github/workflows/layers_partition_verify.yml b/.github/workflows/layers_partition_verify.yml index bc5cb25a71..e61bbac488 100644 --- a/.github/workflows/layers_partition_verify.yml +++ b/.github/workflows/layers_partition_verify.yml @@ -1,6 +1,14 @@ # Partition Layer Verification # --- # This workflow queries the Partition layer info in production only +# +# CodeQL Security Note: +# This workflow uses dynamic secret access via secrets[format(...)] which triggers +# an "Excessive Secrets Exposure" alert. However, this is safe because: +# - Secrets are scoped per environment (China/GovCloud Gamma/Prod) +# - Each job only accesses secrets for its specific partition and region +# - No global secrets array containing mixed credentials (API keys, PEM files, etc.) +# - The secrets object is already minimally scoped to the environment being used on: workflow_dispatch: @@ -102,7 +110,7 @@ jobs: permissions: id-token: write contents: read - # Environment should interperlate as "GovCloud Prod" or "China Beta" + # Environment should interpolate as "GovCloud Prod" or "China Beta" environment: ${{ inputs.partition }} ${{ inputs.environment }} strategy: matrix: @@ -118,6 +126,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: + # Dynamic secret access is safe here - secrets are scoped per environment role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }} aws-region: ${{ matrix.region}} mask-aws-account-id: true 
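Review bot: The last bullet of the new header comment, `# - The secrets object is already minimally scoped to the environment being used`, overstates the guarantee: a job's `secrets` context contains repository- and organization-level secrets in addition to the selected environment's, and a dynamic `secrets[...]` index hands that whole context to the job instead of one named secret, which is precisely what the "Excessive Secrets Exposure" query flags. The preceding bullet asserting there are no mixed repository-level credentials is something a reader of this file cannot verify and becomes silently false the first time a repository secret is added. I would reword the two bullets to state the real boundary and the maintenance obligation, e.g. `# - Dynamic lookup exposes every secret visible to this job (environment + repository + organization); keep credentials out of repository/org-level secrets or this justification no longer holds`. Whether any repository-level secrets exist today cannot be confirmed from this diff.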
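Review bot: The value passed to `role-to-assume` at the end of this hunk does not need to be a secret, so the dynamic `secrets[format('IAM_ROLE_{0}', ...)]` lookup — and the alert the new comment tries to explain away — can be removed rather than justified. Access to the role is enforced by its OIDC trust policy (the `sub` condition on repository and environment), not by keeping the ARN confidential, and `mask-aws-account-id: true` already keeps the account number out of logs; storing the per-region mapping as environment variables and reading `role-to-assume: ${{ vars[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }}` keeps the indirection without widening what the runner receives. If policy requires the ARN to stay a secret, the other route to a static name is one environment per region so the step can use plain `secrets.IAM_ROLE`. The `transform` step that produces `CONVERTED_REGION` is outside this hunk, so I cannot confirm the lookup key is constrained to the matrix regions.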
@@ -129,6 +138,7 @@ jobs: - name: Verify Layer run: | export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' + # Dynamic secret access is safe here - secrets are scoped per environment aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > $layer_output REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output) LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) diff --git a/.github/workflows/layers_partitions.yml b/.github/workflows/layers_partitions.yml index 20ebac6724..a6d8d41ad6 100644 --- a/.github/workflows/layers_partitions.yml +++ b/.github/workflows/layers_partitions.yml @@ -15,6 +15,14 @@ # 1. After the `make-release` workflow finishes and the PR for the documentation update gets created, trigger this workflow manually via `workflow_dispatch` with environment, version, and partition inputs for each Gamma and Prod environment in the China and GovCloud partitions # 2. Monitor deployment progress and verify successful layer publication across all target regions # 3. Once this workflow is completed, the PR for the documentation update can me merged +# +# CodeQL Security Note: +# This workflow uses dynamic secret access via secrets[format(...)] which triggers +# an "Excessive Secrets Exposure" alert. However, this is safe because: +# - Secrets are scoped per environment (China/GovCloud Gamma/Prod) +# - Each job only accesses secrets for its specific partition and region +# - No global secrets array containing mixed credentials (API keys, PEM files, etc.) +# - The secrets object is already minimally scoped to the environment being used on: workflow_dispatch: 
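Review bot: Interpolating `${{ secrets[format('AWS_ACCOUNT_{0}', ...)] }}` directly into the `run:` script on the `aws lambda get-layer-version-by-arn` line writes the secret value into the shell source, whereas the established pattern for secrets in `run:` steps is to pass them through `env:` and reference the variable. The verify step in `layers_partitions.yml` already uses `env: LAYER_VERSION: ...`, so the same shape fits here: add `AWS_ACCOUNT: ${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}` under an `env:` block and use `"arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region }}:${AWS_ACCOUNT}:layer:..."` in the command. The added `# Dynamic secret access is safe here` line sits inside the `run: |` literal, so it is delivered to bash as a shell comment rather than documenting the step; harmless, but it belongs above the `run:` key. The `REMOTE_SHA`/`LOCAL_SHA` comparison this step presumably ends with is outside the hunk.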
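Review bot: The new `CodeQL Security Note` block documents why the alert is accepted but does nothing to suppress it: CodeQL does not read free-form comments, so the "Excessive Secrets Exposure" alert will keep being reported for this workflow on every scan, and the block risks reading as a stale promise once someone dismisses the alert with a different rationale. If the risk is accepted, dismiss the alert in the Security tab (or filter the query in the CodeQL config) and keep a one-line pointer here, e.g. `# CodeQL "Excessive Secrets Exposure" accepted for the dynamic secrets[...] lookups below; see alert dismissal for rationale`. The unchanged context line just above the note still reads `can me merged` and should be `can be merged` when this area is next touched.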
@@ -142,6 +150,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: + # Dynamic secret access is safe here - secrets are scoped per environment role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }} aws-region: ${{ matrix.region}} mask-aws-account-id: true @@ -175,6 +184,7 @@ jobs: LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} run: | export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' + # Dynamic secret access is safe here - secrets are scoped per environment aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output) LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) diff --git a/.github/workflows/update_ssm.yml b/.github/workflows/update_ssm.yml index 8958479a51..c9fe02d307 100644 --- a/.github/workflows/update_ssm.yml +++ b/.github/workflows/update_ssm.yml @@ -11,6 +11,14 @@ # /aws/service/powertools/python/arm64/python3.8/3.1.0 # And will have a value of: # arn:aws:lambda:eu-west-1:094274105915:layer:AWSLambdaPowertoolsPythonV3-python38-arm64:4 +# +# CodeQL Security Note: +# This workflow uses dynamic secret access via secrets[format(...)] which triggers +# an "Excessive Secrets Exposure" alert. However, this is safe because: +# - Secrets are scoped per environment (SSM) +# - Each job only accesses secrets for SSM +# - No global secrets array containing mixed credentials (API keys, PEM files, etc.) +# - The secrets object is already minimally scoped to the environment being used on: workflow_dispatch: 
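Review bot: The added `# Dynamic secret access is safe here - secrets are scoped per environment` above `role-to-assume` asserts the conclusion without the property that actually makes the OIDC assume-role safe: that the role's trust policy restricts the `sub` claim to this repository and to the `${{ inputs.partition }} ${{ inputs.environment }}` environment, which is the control that matters whether or not the ARN lives in a secret. I would replace it with something checkable, e.g. `# Role ARN is looked up per region; access is gated by the role's OIDC trust policy (repo + environment sub claim), not by the ARN being secret`, and consider reading the ARN from `vars[...]` instead so no dynamic `secrets[...]` index is needed at all. The trust policy lives in AWS and cannot be confirmed from this diff.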
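Review bot: The new comment in the second hunk sits inside the `run: |` literal, so it is shipped to bash as a script comment rather than documenting the step, and the secret it refers to is still spliced straight into the script text on the `aws lambda get-layer-version-by-arn` line. This step already has an `env:` block (`LAYER_VERSION`), so the account id belongs there too: `AWS_ACCOUNT: ${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}` under `env:`, with the ARN switched from single to double quotes so `"arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region }}:${AWS_ACCOUNT}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}"` expands in the shell. The `REMOTE_SHA`/`LOCAL_SHA` comparison that presumably follows is outside the hunk.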
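Review bot: The bullets `Secrets are scoped per environment (SSM)` and `Each job only accesses secrets for SSM` in the new `update_ssm.yml` header are too vague to check: nothing in this hunk shows an `environment:` key on the job, and "secrets for SSM" does not say what the secrets are (from the later hunk they appear to be IAM role ARNs keyed by region). I would state the concrete facts instead, e.g. `# - Each region's secret holds only the IAM role ARN assumed for that region; the job runs under the <environment name> environment` with the real name filled in, and note that repository/organization secrets remain in the `secrets` context regardless of environment. The job definition that would confirm the environment is outside this hunk.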
@@ -96,6 +104,7 @@ jobs: uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a with: aws-region: ${{ matrix.region }} + # Dynamic secret access is safe here - secrets are scoped per environment role-to-assume: ${{ secrets[format('{0}', steps.transform.outputs.CONVERTED_REGION)] }} mask-aws-account-id: true - id: write-version
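Review bot: `secrets[format('{0}', steps.transform.outputs.CONVERTED_REGION)]` on the `role-to-assume` line is a no-op wrapper — `format('{0}', x)` is just `x` — so the secret name is the bare converted region string, which is inconsistent with the `IAM_ROLE_{0}` convention the two layer workflows use and gives an auditor of the environment no hint what the secret contains. Aligning it to `role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }}` requires renaming the environment secrets but makes the inventory self-describing; the same `vars[...]` alternative as in the other workflows applies if the role ARN need not be secret. The `transform` step that produces `CONVERTED_REGION` is outside this hunk, so I cannot see how the region string is normalized before it becomes a lookup key.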