Set GitHub Actions OIDC provider permissions

Attempting to fix the CI/CD breakage via "unset-current-credentials: true" in commit aed7091 didn't work: - https://github.com/mbland/elistman/actions/runs/6150150355/job/16687535254 Digging deeper, I realized that the token.actions.githubusercontent.com OIDC provider in my IAM providers was created yesterday when I ran "sam pipeline bootstrap" for mbland/ses-forwarder. A search for GitHub Actions OIDC provider documentation turned up: - https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings Comparing the .github/workflows/pipeline.yaml for ses-forwarder created yesterday to the elistman version showed that the new file contained the "permissions:" block in this change.
mbland · Sep 11, 2023 · 025fbcd · 025fbcd
1 parent aed7091
commit 025fbcd
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
@@ -30,6 +30,11 @@ env:
   # PROD_IMAGE_REPOSITORY = '0123456789.dkr.ecr.region.amazonaws.com/repository-name'
   PROD_REGION: us-east-1
 
+# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   test:
     if: github.event_name == 'push'