chore(CI): add slack notifications #498
Conversation
| needs: | ||
| [ | ||
| Static_Analysis, | ||
| Build, | ||
| Examples, | ||
| ] | ||
| if: ${{ failure() && github.event_name == 'schedule' }} | ||
| uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main | ||
| with: | ||
| message: "Daily CI failed on `${{ github.repository }}`. View run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | ||
| secrets: | ||
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_CI }} |
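Review bot: the reusable workflow reference `uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main` is pinned to a mutable branch, and this job hands it `SLACK_WEBHOOK_URL_CI` through `secrets:`, so any change landing on that repository's `main` silently changes what runs here with the webhook in hand. Pin it to a full commit SHA (keep the branch or tag name in a trailing comment for readability) and bump it deliberately. The rest reads correctly: `needs:` covers all three upstream jobs, `if: ${{ failure() && github.event_name == 'schedule' }}` restricts the alert to scheduled runs that had an upstream failure, and the `${{ github.repository }}`, `${{ github.server_url }}` and `${{ github.run_id }}` values interpolated into `message:` are GitHub-controlled, not taken from user-controlled event fields, so there is no expression-injection concern in that string.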
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
This autofix suggestion was applied.
Copilot Autofix (AI), 3 months ago
In general, the fix is to add an explicit permissions: block limiting the GITHUB_TOKEN to the minimum required scopes, either at the workflow root (applies to all jobs) and/or per job when some jobs need elevated access. Since we cannot see the internals of the reusable workflows being called, the safest non‑breaking change is to define a conservative but commonly sufficient set of permissions. A typical minimal baseline for CI jobs that only need to read the repo and update checks is contents: read and, if required by reusable workflows, statuses: write. Because we can’t infer that write access is definitely unnecessary, we should at least set contents: read at the workflow level; further, many reusable workflows that report status or annotations rely on checks or statuses. To avoid breaking existing behavior while still being explicit, we can add a workflow‑level permissions: block with contents: read and leave other scopes at their implicit default of none.
Concretely, edit .github/workflows/ci-workflow.yml near the top of the file, after the name: and before on: (lines 1–3), to insert a permissions: section. This will apply to all jobs (Static_Analysis, Build, Examples, notify) because none of them define their own permissions. No imports or additional methods are needed; this is purely a YAML configuration change.
| @@ -1,5 +1,8 @@ | ||
| name: Continuous Integration Workflow | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| push: |
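Review bot: `contents: read` at the workflow root is the right default for this file, and it also bounds the called `slack-notification.yml` job, because a reusable workflow can only narrow the caller's permissions, never widen them, so the autofix's worry about the callee's internals does not need `statuses: write` or `checks: write` added speculatively; add those only if the callee actually fails without them. Since the `notify` job only needs to deliver a message through the webhook it receives as a secret, consider `permissions: {}` on that job specifically so it holds no `GITHUB_TOKEN` scope at all. Placement between `name:` and `on:` is fine; the `jobs:` section shown in this PR is unchanged by the suggestion.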
It does see permissions in workflow
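A practitioner's check for the two points raised in this thread, the CodeQL finding that the workflow declares no top-level `permissions:` block, and the review point about `uses:` references pinned to a branch rather than a commit, as an added example that is not part of this PR or of the project's own code. It lints workflow text with plain line scanning so it runs without a YAML library; the two embedded workflows are constructed to mirror the notify job above, and `example-org/example-repo` and the 40-character SHAs are placeholders, not real references.

```python
import re

# Constructed sample modelled on the notify job in this PR; not the project's real file.
UNHARDENED_WORKFLOW = """\
name: Continuous Integration Workflow

on:
  pull_request:
  push:
  schedule:
    - cron: '0 14 * * *'

jobs:
  Build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  notify:
    needs: [Build]
    if: ${{ failure() && github.event_name == 'schedule' }}
    uses: example-org/example-repo/.github/workflows/slack-notification.yml@main
    with:
      message: "Daily CI failed on ${{ github.repository }}"
    secrets:
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_CI }}
"""

# Hardened form of the same file: a root permissions block, an empty block on the
# notify job (it only needs the webhook secret), and every external reference pinned
# to a full commit SHA. The SHAs below are placeholders, not real commits.
HARDENED_WORKFLOW = """\
name: Continuous Integration Workflow

permissions:
  contents: read

on:
  pull_request:
  push:
  schedule:
    - cron: '0 14 * * *'

jobs:
  Build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder)
  notify:
    needs: [Build]
    if: ${{ failure() && github.event_name == 'schedule' }}
    permissions: {}
    uses: example-org/example-repo/.github/workflows/slack-notification.yml@0123456789abcdef0123456789abcdef01234567  # main (placeholder)
    with:
      message: "Daily CI failed on ${{ github.repository }}"
    secrets:
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_CI }}
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches both step-level "- uses: x" and job-level "uses: x"; a trailing comment is ignored.
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")


def has_top_level_permissions(text: str) -> bool:
    """True if the workflow declares a permissions block at the root (column 0)."""
    return any(line.startswith("permissions:") for line in text.splitlines())


def unpinned_uses(text: str) -> list[tuple[int, str]]:
    """Every `uses:` target whose ref is not a full 40-hex commit SHA.

    Local actions (./path) and docker:// images carry no git ref to pin and are
    skipped. Returns (line number, target) pairs in file order.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        target = m.group(1).strip("\"'")
        if target.startswith(("./", "docker://")):
            continue
        ref = target.rsplit("@", 1)[1] if "@" in target else ""
        if not FULL_SHA.match(ref):
            findings.append((lineno, target))
    return findings


def lint(text: str) -> list[str]:
    """Human-readable findings; an empty list means both checks passed."""
    findings = []
    if not has_top_level_permissions(text):
        findings.append("no top-level `permissions:` block; GITHUB_TOKEN falls back to the repository default")
    for lineno, target in unpinned_uses(text):
        findings.append(f"line {lineno}: `{target}` is not pinned to a full commit SHA")
    return findings


if __name__ == "__main__":
    for name, text in (("unhardened", UNHARDENED_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {lint(text) or ['ok']}")
```

Running it reports three findings for the unhardened file (the missing root block plus two branch- or tag-pinned references) and none for the hardened one. The scanner is deliberately line-based, which is enough for the two properties checked here; a full YAML parse would be needed to reason about per-job `permissions:` inheritance.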
…n permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Issue #, if available:
Description of changes:
Adding Slack notification on daily CI failure and issue creation.
Similar PR in DB-ESDK: aws/aws-database-encryption-sdk-dynamodb#1964
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Check any applicable: