From 025fbcd1e49191fb2656d5fb8ee9cd26661643f9 Mon Sep 17 00:00:00 2001
From: Mike Bland
Date: Mon, 11 Sep 2023 14:26:27 -0400
Subject: [PATCH] Set GitHub Actions OIDC provider permissions

Attempting to fix the CI/CD breakage via "unset-current-credentials: true" in commit aed7091a451ec4e3067b418b968768546b7e17fc didn't work:

- https://github.com/mbland/elistman/actions/runs/6150150355/job/16687535254

Digging deeper, I realized that the token.actions.githubusercontent.com OIDC provider in my IAM providers was created yesterday when I ran "sam pipeline bootstrap" for mbland/ses-forwarder. A search for GitHub Actions OIDC provider documentation turned up:

- https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings

Comparing the .github/workflows/pipeline.yaml for ses-forwarder created yesterday to the elistman version showed that the new file contained the "permissions:" block in this change.
---
 .github/workflows/pipeline.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
index 357634a..de9bc6c 100644
--- a/.github/workflows/pipeline.yaml
+++ b/.github/workflows/pipeline.yaml
@@ -30,6 +30,11 @@ env:
 # PROD_IMAGE_REPOSITORY = '0123456789.dkr.ecr.region.amazonaws.com/repository-name'
 PROD_REGION: us-east-1
 
+# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   test:
     if: github.event_name == 'push'
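Review bot: The new workflow-level `permissions:` block grants `id-token: write` to every job in the workflow, including the `test` job visible at the end of the hunk, which does not appear to need to mint an OIDC token; least privilege suggests keeping only `permissions:` / `  contents: read` at the top level and placing `permissions:` / `  id-token: write` / `  contents: read` on the job(s) that actually assume the AWS role, which are outside this hunk. Declaring any `permissions:` block also resets every unlisted scope to `none` for all jobs, so a job that relied on a default write scope would now fail — presumably the intended hardening, but the comment above the block only carries a URL, so I would state it, e.g. `# Workflow-wide token scopes; every scope not listed here becomes none. id-token: write is required for the GitHub OIDC -> AWS role exchange.` The `env:` mapping and the `test` job body continue outside the hunk.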