fix(ci): add permissions and bump docker pipeline to v0.16.1#533
fix(ci): add permissions and bump docker pipeline to v0.16.1#533RafilxTenfen merged 1 commit intomainfrom
Conversation
mpastecki
requested review from
KonradStaniec and
RafilxTenfen
as code owners
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
There was a problem hiding this comment.
Pull request overview
This PR adds required job-level permissions to the docker_pipeline job in the CI workflow and updates the reusable docker pipeline workflow from v0.15.0 to v0.16.1. The permissions are necessary for the reusable workflow to perform checkout operations, AWS OIDC authentication, and Trivy SARIF security scan uploads.
Changes:
- Added three permissions to the docker_pipeline job: contents:read, id-token:write, and security-events:write
- Updated the reusable_docker_pipeline.yml reference from v0.15.0 (commit 22ae8ed) to v0.16.1 (commit d2299e8)
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| permissions: | ||
| contents: read # Required by reusable workflow | ||
| id-token: write # Required for AWS OIDC | ||
| security-events: write # Required for Trivy SARIF uploads |
There was a problem hiding this comment.
The docker_pipeline job is missing the packages: read permission that is present in the same job in publish.yml (line 62). According to the comment in publish.yml, this permission is "required to fetch internal or private CodeQL packs". For consistency and to ensure the workflow has all necessary permissions, this should be added here as well.
| contents: read # Required by reusable workflow | ||
| id-token: write # Required for AWS OIDC | ||
| security-events: write # Required for Trivy SARIF uploads |
There was a problem hiding this comment.
The permission comments use "Required" with only the first letter capitalized, while the same permissions in publish.yml use "REQUIRED" in all caps (see publish.yml lines 36-37, 57-58). For consistency across the codebase, consider using the same capitalization style as in publish.yml.
Add job-level permissions for docker_pipeline job.
Required by reusable_docker_pipeline.yml: