14 changes: 14 additions & 0 deletions .github/workflows/ci-workflow.yml
Expand Up @@ -33,3 +33,17 @@ jobs:
with:
version: 17
distribution: corretto

notify:
needs:
[
Static_Analysis,
Build,
Examples,
]
if: ${{ failure() && github.event_name == 'schedule' }}
uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
with:
message: "Daily CI failed on `${{ github.repository }}`. View run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_CI }}
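Review bot: the `notify` job pins the reusable workflow to a mutable branch (`uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main`), so any future change to that file on `main` runs in this repository's context with access to `SLACK_WEBHOOK_URL_CI`; pin it to a full commit SHA (or at minimum a release tag) and bump the pin deliberately. Separately, the job needs no GITHUB_TOKEN scopes, it only forwards a webhook secret, so add a job-level `permissions: {}` (or `contents: read`) on `notify`; a `permissions:` key is allowed on a `uses:` job, can only reduce what the called workflow receives, and addresses the CodeQL "Workflow does not contain permissions" alert raised against these lines.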
Comment on lines +38 to +49

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

In general, the fix is to add an explicit permissions: block limiting the GITHUB_TOKEN to the minimum required scopes, either at the workflow root (applies to all jobs) and/or per job when some jobs need elevated access. Since we cannot see the internals of the reusable workflows being called, the safest non‑breaking change is to define a conservative but commonly sufficient set of permissions. A typical minimal baseline for CI jobs that only need to read the repo and update checks is contents: read and, if required by reusable workflows, statuses: write. Because we can’t infer that write access is definitely unnecessary, we should at least set contents: read at the workflow level; further, many reusable workflows that report status or annotations rely on checks or statuses. To avoid breaking existing behavior while still being explicit, we can add a workflow‑level permissions: block with contents: read and leave other scopes at their implicit default of none.

Concretely, edit .github/workflows/ci-workflow.yml near the top of the file, after the name: and before on: (lines 1–3), to insert a permissions: section. This will apply to all jobs (Static_Analysis, Build, Examples, notify) because none of them define their own permissions. No imports or additional methods are needed; this is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/ci-workflow.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci-workflow.yml b/.github/workflows/ci-workflow.yml
--- a/.github/workflows/ci-workflow.yml
+++ b/.github/workflows/ci-workflow.yml
@@ -1,5 +1,8 @@
 name: Continuous Integration Workflow
 
+permissions:
+  contents: read
+
 on:
   pull_request:
   push:
EOF
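Review bot: `contents: read` at the workflow root is a sensible floor, but the alert text quoted above names `{}` as the minimal starting point, and the `notify` job added in this PR needs no token scopes at all (it calls a reusable Slack workflow and passes only a webhook secret). The jobs named in `needs` (Static_Analysis, Build, Examples) presumably check out the repository, for which `contents: read` is required, so the combination to aim for is this root-level `contents: read` plus `permissions: {}` on `notify`; confirm against the reusable workflows' actual needs rather than the autofix's guess, which by its own admission could not see their internals.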
@rishav-karanjit rishav-karanjit committed this autofix suggestion 3 months ago.
Member Author
It does see permissions in workflow

25 changes: 25 additions & 0 deletions .github/workflows/issue-notification.yml
@@ -0,0 +1,25 @@
name: Issue Created Notification
permissions:
contents: read
on:
issues:
types: [opened, reopened]
issue_comment:
types: [created]

jobs:
notify-issue:
if: github.event_name == 'issues'
uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
with:
message: "New github issue `${{ github.event.issue.title }}`. Link: ${{ github.event.issue.html_url }}"
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GHI }}

notify-comment:
if: github.event_name == 'issue_comment' && !github.event.issue.pull_request
uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
with:
message: "New comment on issue `${{ github.event.issue.title }}`. Link: ${{ github.event.comment.html_url }}"
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GHI }}
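Review bot: `message` embeds `${{ github.event.issue.title }}`, which is free text controlled by anyone able to open an issue on the repository. Passing it as a `with:` input is safe on the caller side, but the called `slack-notification.yml` must treat `inputs.message` as untrusted: hand it to any `run:` step through `env:` and quote it rather than interpolating `${{ inputs.message }}` into the script, and escape it when building the Slack JSON payload. The same pinning point as in ci-workflow.yml applies: `@main` should be a commit SHA. The workflow-level `permissions: contents: read` is good, and since neither job checks out the repository, `permissions: {}` would be tighter still; the `!github.event.issue.pull_request` guard correctly keeps pull-request comments out of the issue channel.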