From 372930aaba99d7252ce9aa217664d9f2a8fc1040 Mon Sep 17 00:00:00 2001
From: chris3ware <36608309+chris3ware@users.noreply.github.com>
Date: Thu, 16 Mar 2023 16:37:17 +0000
Subject: [PATCH 1/3] set `persist-credentials: true` in tfsec workflow

tfsec job fails authentication when set to false.
---
 .github/workflows/tfsec-pr.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tfsec-pr.yaml b/.github/workflows/tfsec-pr.yaml
index c81698c..1d96e86 100644
--- a/.github/workflows/tfsec-pr.yaml
+++ b/.github/workflows/tfsec-pr.yaml
@@ -31,7 +31,7 @@ jobs:
 - name: Checkout repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: - persist-credentials: false + persist-credentials: true # tfsec step fails when false - name: Add tfsec comments to pull request uses: aquasecurity/tfsec-pr-commenter-action@7a44c5dcde5dfab737363e391800629e27b6376b # v1.3.1

From 0d66f3ea76cd0f9422259d2fde515a9f15dcf655 Mon Sep 17 00:00:00 2001
From: chris3ware <36608309+chris3ware@users.noreply.github.com>
Date: Thu, 16 Mar 2023 16:40:05 +0000
Subject: [PATCH 2/3] change top level permissions to `contents: read` in terraform-docs

This is better than read-all.
---
 .github/workflows/terraform-docs.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/terraform-docs.yaml b/.github/workflows/terraform-docs.yaml
index ebb0403..bc3c531 100644
--- a/.github/workflows/terraform-docs.yaml
+++ b/.github/workflows/terraform-docs.yaml
@@ -2,7 +2,8 @@ name: Generate terraform docs
 on: workflow_call # Declare default permissions as read only. -permissions: read-all +permissions: + contents: read jobs: get-temp-token:

From afb49c3c3462e75ed1b52276c59d7393dca269a6 Mon Sep 17 00:00:00 2001
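Review bot: Setting `persist-credentials: true` on the checkout step leaves the job's GITHUB_TOKEN in the checked-out tree's `.git/config`, where every later step in the job — including the third-party tfsec commenter action pinned right below it — can read it, so this trades a deliberate hardening for a convenience fix. The narrower alternative is to keep `persist-credentials: false` and hand the token only to the step that needs it through that step's own token input (the commenter step's `with:` block is outside the hunk, so I cannot see whether it already receives one), and to declare job-level `permissions` limited to `contents: read` and `pull-requests: write` so the token can do little even if it is exposed. If the persisted credential really is required, the inline comment should say why and record the exposure, e.g. `persist-credentials: true # required by the tfsec commenter step; token stays in .git/config for all later steps`. The enclosing `steps:` list starts before this hunk.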
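Review bot: The context comment `# Declare default permissions as read only.` directly above the new `permissions:` block no longer matches it: `contents: read` grants read access to repository contents only and sets every other scope to none, which is tighter than read-only and worth stating so nobody later "fixes" it back to `read-all`. I would change the comment to `# Default token permissions: contents read only, all other scopes none; jobs needing more must declare their own.` Since this workflow is triggered by `workflow_call`, the effective permissions are additionally bounded by the calling workflow's token, which is worth a mention if callers start seeing permission errors; the `get-temp-token` job that follows is outside the hunk, so I cannot tell whether it relies on a scope that is now none.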
From: chris3ware <36608309+chris3ware@users.noreply.github.com>
Date: Thu, 16 Mar 2023 16:53:05 +0000
Subject: [PATCH 3/3] add `check: write` to lint

Not required, but produces an error in the logs if removed. See slack: https://trunkcommunity.slack.com/archives/C04GAE5EA5S/p1677846825881319?thread_ts=1676214812.584879&cid=C04GAE5EA5S
---
 .github/workflows/lint.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 3a50bd6..092723d 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -19,6 +19,9 @@ jobs:
 lint: runs-on: ubuntu-latest + permissions: + checks: write # not required (see slack) but produces an error in the logs + # https://trunkcommunity.slack.com/archives/C04GAE5EA5S/p1677846825881319?thread_ts=1676214812.584879&cid=C04GAE5EA5S timeout-minutes: 10 concurrency: group: ${{ github.workflow }}-${{ github.head_ref }}
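Review bot: The job-level `permissions:` block added under `lint:` lists only `checks: write`, and any scope not listed in a job-level block — including `contents` — becomes none for that job, so if the lint job's later steps check out the repository or annotate the pull request (the job's steps are outside the hunk) they now need their scopes declared here, e.g. `permissions:` / `contents: read` / `checks: write`. Granting a write scope that the comment itself calls "not required" only to silence a log error also runs against least privilege; if the lint action's documentation confirms `checks: write` is used only for optional annotations, I would drop it and document the benign log message instead, and if it turns out to be needed, reword the comment to say what the scope is used for rather than that it is not required. Note also that the subject line says `check: write` while the hunk adds `checks: write`.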