19 changes: 18 additions & 1 deletion .github/workflows/daily_ci.yml
@@ -36,4 +36,21 @@
tests:
# Don't run the cron builds on forks
if: github.event_name != 'schedule' || github.repository_owner == 'aws'
uses: ./.github/workflows/ci_tests.yaml
uses: ./.github/workflows/ci_tests.yaml

notify:
needs:
[
codebuild_batch,
codebuild_tests,
decrypt_oracle,
static_analysis,
test_vector_handler,
tests
]
if: ${{ failure() }}
uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
with:
message: "Daily CI failed on `${{ github.repository }}`. View run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_CI }}
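Review bot: the new `notify` job pulls `aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main`, a branch ref in another repository, and hands it `secrets.SLACK_WEBHOOK_URL_CI`; whoever can push to that branch changes what happens to the webhook URL on every failed daily run. Pin the reusable workflow to a full commit SHA and review it when bumping. The workflow also still has no `permissions:` block (the CodeQL warning on these lines); since every job here only calls other workflows, a root-level `permissions: {}` or `contents: read` is enough, and a caller-level block is the ceiling for what the called workflows can use rather than something they can override.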
Comment on lines +42 to +56

Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 1 day ago):
In general, the fix is to add an explicit permissions block to the workflow (at the root level, or per job) to restrict the GITHUB_TOKEN to the minimal access necessary. Root-level permissions act as defaults for all jobs that do not override them, which is appropriate here since none of the shown jobs declare their own permissions.

The safest change without altering existing functionality is to add a root-level permissions block just after the name: Daily CI line, setting contents: read. This is the minimal common permission needed for typical CI workflows (e.g., to fetch the repo). If any of the called reusable workflows require additional scopes (such as pull-requests: write for status updates), they should define those themselves; adding contents: read at the root will not block that. The notify job appears to send a Slack message using a secret and should not need elevated GITHUB_TOKEN scopes, so the root-level contents: read is appropriate.

Concretely, in .github/workflows/daily_ci.yml, insert:

permissions:
  contents: read

between lines 2 and 4. No imports or additional definitions are required, as this is purely YAML configuration within GitHub Actions.

Suggested changeset 1: .github/workflows/daily_ci.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/daily_ci.yml b/.github/workflows/daily_ci.yml
--- a/.github/workflows/daily_ci.yml
+++ b/.github/workflows/daily_ci.yml
@@ -1,6 +1,9 @@
 # This workflow runs every weekday at 15:00 UTC (8AM PDT)
 name: Daily CI
 
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: "00 15 * * 1-5"
EOF
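Review bot: `contents: read` at the root is a sensible default, but the explanation above that called reusable workflows can "define those themselves" has the direction wrong: in GitHub Actions the caller's `permissions` is the upper bound for a called reusable workflow, which can only narrow it further. Before merging this block, confirm that `ci_tests.yaml` and the other called workflows need nothing beyond `contents: read` (a status or check-run update would), or grant the extra scope per job in this file. If none of them touch the GitHub API, `permissions: {}`, which the CodeQL message itself proposes as the starting point, is tighter still.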
23 changes: 23 additions & 0 deletions .github/workflows/issue-notification.yml
@@ -0,0 +1,23 @@
name: Issue Created Notification
on:
issues:
types: [opened, reopened]
issue_comment:
types: [created]

jobs:
notify-issue:
if: github.event_name == 'issues'
uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
with:
message: "New github issue `${{ github.event.issue.title }}`. Link: ${{ github.event.issue.html_url }}"
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GHI }}

notify-comment:
Comment on lines +10 to +17

Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 1 day ago):
In general, the fix is to explicitly declare a permissions block in the workflow (at the top level, since neither job has its own) and restrict the default GITHUB_TOKEN permissions to the minimum necessary. This workflow only reacts to issues and issue_comment events and passes data plus a secret to a reusable Slack notification workflow; it doesn’t change repository contents or metadata itself. Therefore, the minimal safe default is contents: read, which allows basic read operations if needed while avoiding unnecessary write scopes.

The best fix without changing existing functionality is to add a top-level permissions block between the on: section and the jobs: section in .github/workflows/issue-notification.yml. Set contents: read as a conservative, least-privilege permission; if the reusable workflow needs something more, it can declare its own permissions in its own file, but that is outside the scope of this snippet. No imports or additional methods are needed, since this is purely a YAML configuration change.

Suggested changeset 1: .github/workflows/issue-notification.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/issue-notification.yml b/.github/workflows/issue-notification.yml
--- a/.github/workflows/issue-notification.yml
+++ b/.github/workflows/issue-notification.yml
@@ -5,6 +5,9 @@
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   notify-issue:
     if: github.event_name == 'issues'
EOF
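Review bot: this patch and the other autofix for the same file (the one that inserts `permissions:` directly under `name:` and adds `issues: read`) cannot both be applied; together they leave two top-level `permissions` keys in one mapping, which is not a valid workflow file. Apply exactly one. Between `on:` and `jobs:` is the more readable spot, and since neither job calls the GitHub API (`github.event.*` comes from the webhook payload and needs no token), `permissions: {}` is sufficient here, with `contents: read` only if `slack-notification.yml` actually checks out a repository.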
if: github.event_name == 'issue_comment' && !github.event.issue.pull_request
uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
with:
message: "New comment on issue `${{ github.event.issue.title }}`. Link: ${{ github.event.comment.html_url }}"
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GHI }}
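Review bot: `${{ github.event.issue.title }}` is text chosen by whoever opens the issue or comment, and it is passed straight into the `message` input of the reusable workflow. That is only safe if `slack-notification.yml` treats `inputs.message` as data (passes it through `env:` and quotes it, or builds the JSON body with a proper encoder) rather than interpolating `${{ inputs.message }}` into a `run:` script; and because the called workflow lives in another repository at `@main`, that property can change without any change here. Pin the `uses:` reference to a commit SHA and review the called side once. The `!github.event.issue.pull_request` guard on `notify-comment` correctly keeps PR comments out of the issue channel. The file also lacks a `permissions:` block (both CodeQL warnings on this file); neither job needs the token, so `permissions: {}` at the top would do.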
Comment on lines +18 to +23

Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 1 day ago):
In general, this issue is fixed by explicitly defining a permissions: block for the workflow or individual jobs, restricting the GITHUB_TOKEN to the minimal scopes needed. For an issue/comment notification workflow that only reads event payloads and sends a Slack message via a secret, no write permissions are needed; read-only access is sufficient, and often only contents: read (and optionally issues: read) is required.

The best fix here without changing functionality is to add a top-level permissions: block (applies to all jobs) near the top of .github/workflows/issue-notification.yml, underneath name: (or on:). Since the jobs simply consume github.event.issue and github.event.comment fields and delegate to a reusable Slack notification workflow, they do not perform any write operations on the repository. A safe and minimal configuration is:

permissions:
  contents: read
  issues: read

If the reusable workflow needs no GitHub API access, even issues: read may be unnecessary, but including it is harmless and explicit. No imports, methods, or additional definitions are needed; this is purely a YAML configuration change inside .github/workflows/issue-notification.yml.

Suggested changeset 1: .github/workflows/issue-notification.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/issue-notification.yml b/.github/workflows/issue-notification.yml
--- a/.github/workflows/issue-notification.yml
+++ b/.github/workflows/issue-notification.yml
@@ -1,4 +1,7 @@
 name: Issue Created Notification
+permissions:
+  contents: read
+  issues: read
 on:
   issues:
     types: [opened, reopened]
EOF
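Review bot: `issues: read` is not needed: the jobs read `github.event.issue` and `github.event.comment` from the event payload, which requires no GITHUB_TOKEN scope, so the extra line only widens the grant compared with the earlier autofix. Placing the block between `name:` and `on:` also separates the two lines readers expect to see together; after the `on:` block reads better. Whichever autofix is chosen, only one of the two may be applied, since each inserts its own top-level `permissions` key.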
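As an added example (not code from this PR or from the aws project's tooling), the following small Python lint reproduces the CodeQL check raised in all three comments above and adds the second thing a reviewer should look for in these files: a reusable workflow or action referenced on a branch or tag instead of a commit SHA. It runs over a constructed copy of the `issue-notification.yml` added in this PR and over a hardened variant; the 40-zero SHA in the hardened variant is a placeholder, not a real commit of that repository, and the parser only understands the flat workflow shape used here.

```python
import re

# A full 40-hex commit SHA; anything else after '@' (branch, tag) is a mutable ref.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^uses:\s*(\S+)")

# Constructed copy of the workflow added in this PR (two jobs, no permissions block).
ISSUE_NOTIFICATION_YML = """\
name: Issue Created Notification
on:
  issues:
    types: [opened, reopened]
  issue_comment:
    types: [created]

jobs:
  notify-issue:
    if: github.event_name == 'issues'
    uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
    with:
      message: "New github issue `${{ github.event.issue.title }}`. Link: ${{ github.event.issue.html_url }}"
    secrets:
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GHI }}

  notify-comment:
    if: github.event_name == 'issue_comment' && !github.event.issue.pull_request
    uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
    with:
      message: "New comment on issue `${{ github.event.issue.title }}`. Link: ${{ github.event.comment.html_url }}"
    secrets:
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GHI }}
"""

# Hardened variant: explicit (empty) token permissions and a SHA-pinned reusable workflow.
HARDENED_YML = """\
name: Issue Created Notification
on:
  issues:
    types: [opened, reopened]

# The caller's permissions cap the called reusable workflow; {} is right only if
# slack-notification.yml never needs GITHUB_TOKEN.
permissions: {}

jobs:
  notify-issue:
    if: github.event_name == 'issues'
    # 40 zeros is a placeholder, not a real commit of that repository
    uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@0000000000000000000000000000000000000000
    with:
      message: "New github issue `${{ github.event.issue.title }}`. Link: ${{ github.event.issue.html_url }}"
    secrets:
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GHI }}
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def lint_workflow(text):
    """Return a list of finding strings for one workflow file (empty list means clean).

    Indentation-based scan: root keys at column 0, job names one level in under
    'jobs:'. It is not a general YAML parser.
    """
    findings = []
    root_permissions = False
    in_jobs = False
    job_indent = None   # column where job names start, learnt from the first job
    current = None      # job whose body we are inside
    jobs = {}           # job name -> has its own permissions block?

    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                   # blank or comment line
        ind, key = _indent(raw), raw.strip()
        if ind == 0:                                   # root-level key
            in_jobs = key == "jobs:"
            job_indent = current = None
            if key.startswith("permissions:"):
                root_permissions = True                # default for jobs without their own
            continue
        if not in_jobs:
            continue
        if (job_indent is None or ind == job_indent) and key.endswith(":"):
            job_indent, current = ind, key[:-1]        # a new job starts
            jobs[current] = False
            continue
        if current is None or ind <= job_indent:
            continue
        if key.startswith("permissions:"):
            jobs[current] = True
        m = USES_RE.match(key)
        if m and "@" in m.group(1):                    # remote action or reusable workflow
            target, ref = m.group(1).rsplit("@", 1)
            if not SHA_RE.match(ref):
                findings.append(f"line {lineno}: job '{current}' uses {target} at mutable ref "
                                f"'{ref}'; pin to a full commit SHA")

    for name, has_own in jobs.items():
        if not (root_permissions or has_own):
            findings.append(f"job '{name}' has no permissions block and inherits the "
                            f"repository's default GITHUB_TOKEN permissions")
    return findings


if __name__ == "__main__":
    for label, wf in (("issue-notification.yml", ISSUE_NOTIFICATION_YML), ("hardened", HARDENED_YML)):
        print(label, lint_workflow(wf) or ["clean"])
```

On the constructed copy of the PR's file the lint reports four findings (two mutable `@main` references and two jobs without permissions); the hardened variant reports none. A root-level block silences the permissions finding for every job, matching how GitHub applies root `permissions` as the default for jobs that do not declare their own.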