
fix: scope id-token:write to only AWS OIDC deploy jobs #706

Merged: backnotprop merged 1 commit into main from fix/deploy-permissions on May 12, 2026

Conversation

@backnotprop (Owner)

Summary

  • Removes id-token: write from the workflow-level permissions block in deploy.yml
  • Adds job-level permissions with id-token: write only to deploy-marketing and deploy-portal (the two jobs that use aws-actions/configure-aws-credentials with OIDC)
  • deploy-paste gets only contents: read since it authenticates via CLOUDFLARE_API_TOKEN
  • detect-changes inherits only contents: read — it just reads git diffs and has no need for OIDC minting

Motivated by the TanStack supply chain attack (TanStack/router#7383) which used GitHub Actions cache poisoning + OIDC trusted publishing. Our pipelines don't use actions/cache and aren't vulnerable, but least-privilege on OIDC is good hygiene.

Test plan

  • Trigger deploy workflow via workflow_dispatch targeting marketing — confirm AWS OIDC auth succeeds
  • Confirm detect-changes job still works without id-token: write

The workflow-level permissions block granted id-token:write to every
job, including detect-changes which only reads git diffs. Move the
OIDC capability to only deploy-marketing and deploy-portal (which
need it for aws-actions/configure-aws-credentials). deploy-paste
uses a Cloudflare API token and doesn't need OIDC at all.
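To make the change concrete, here is an added example of what a deploy workflow looks like before and after this scoping. It is not the project's own deploy.yml: the job names, the CLOUDFLARE_API_TOKEN secret and the aws-actions/configure-aws-credentials action come from the PR description, while the trigger inputs, the apps/ path layout, the AWS role secret name, the region, the bucket name and the deploy commands are assumptions made for illustration.

```yaml
name: deploy

on:
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      target:
        description: Which site to deploy (assumed input name)
        type: choice
        options: [marketing, portal, paste]

# Before this PR the workflow-level block also carried `id-token: write`,
# so every job in the file, detect-changes included, could mint an OIDC
# token. The workflow default is now read-only; jobs that need more say so.
permissions:
  contents: read

jobs:
  detect-changes:
    # No permissions block: inherits `contents: read` from the workflow.
    runs-on: ubuntu-latest
    outputs:
      marketing: ${{ steps.diff.outputs.marketing }}
      portal: ${{ steps.diff.outputs.portal }}
      paste: ${{ steps.diff.outputs.paste }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
      - id: diff
        # Hypothetical apps/<name>/ layout; the real filter is whatever the repo uses.
        run: |
          changed=$(git diff --name-only HEAD~1 HEAD)
          for app in marketing portal paste; do
            if echo "$changed" | grep -q "^apps/$app/"; then
              echo "$app=true" >> "$GITHUB_OUTPUT"
            else
              echo "$app=false" >> "$GITHUB_OUTPUT"
            fi
          done

  deploy-marketing:
    needs: detect-changes
    if: needs.detect-changes.outputs.marketing == 'true' || inputs.target == 'marketing'
    runs-on: ubuntu-latest
    # A job-level `permissions` map replaces the inherited one entirely, so
    # `contents: read` must be restated here or actions/checkout will fail.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}   # assumed secret name
          aws-region: us-east-1                                # assumed region
      - run: aws s3 sync apps/marketing/dist s3://example-marketing-bucket --delete  # assumed command

  deploy-portal:
    needs: detect-changes
    if: needs.detect-changes.outputs.portal == 'true' || inputs.target == 'portal'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}   # assumed secret name
          aws-region: us-east-1                                # assumed region
      - run: aws s3 sync apps/portal/dist s3://example-portal-bucket --delete  # assumed command

  deploy-paste:
    needs: detect-changes
    if: needs.detect-changes.outputs.paste == 'true' || inputs.target == 'paste'
    runs-on: ubuntu-latest
    # Authenticates with a static Cloudflare token, so no OIDC capability.
    permissions:
      contents: read
    env:
      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - run: npx wrangler deploy   # assumed command; wrangler reads CLOUDFLARE_API_TOKEN from the environment
```

Two things worth checking when applying this pattern. First, a job-level permissions block does not merge with the workflow-level one; it replaces it, which is why the OIDC jobs above restate `contents: read`. Second, the token GitHub mints for the deploy jobs carries a `sub` claim of the form `repo:<org>/<repo>:ref:refs/heads/main` (or `environment:<name>` when the job targets an environment), and the IAM role's trust policy should pin that claim, not just the `aud`, so that a compromised job in another branch or workflow cannot assume the deploy role even if it somehow obtains `id-token: write`.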

Copilot AI left a comment


Pull request overview

This PR reduces GitHub Actions OIDC exposure by removing id-token: write from the workflow-level permissions and granting it only to the specific deploy jobs that require AWS OIDC authentication. This aligns the deploy workflow with least-privilege principles and limits the blast radius of any future workflow compromise.

Changes:

  • Removed workflow-wide id-token: write permission.
  • Added job-level permissions with id-token: write only for the AWS OIDC deploy jobs (deploy-marketing, deploy-portal).
  • Explicitly scoped deploy-paste to contents: read only.


@backnotprop backnotprop merged commit d0e13d7 into main May 12, 2026
14 checks passed
@backnotprop backnotprop deleted the fix/deploy-permissions branch May 12, 2026 03:36