Fix GHA Permissions

cabutlermit · cabutlermit · commit ab7c05f26769 · 2025-05-05T17:19:02.000-04:00
Why these changes are being introduced:
The workflows do not need to permission to make any changes to the code
itself, so we restrict to just `read-only`.

How this addresses that need:
* Add a line to each of the GHA workflows to restrict the workflow to
just read-only permissions to the code in the repository.
* Update the permissions for the job to allow GitHub Actions to
interact with the OIDC endpoint

Additionally,
* Add a `temp/` directory to the .gitignore file so that it's possible
to do some local work moving files around without worrying about
content getting accidentally pushed to GitHub
* Minor formatting changes to a few files

Side effects of this change:
None.
diff --git a/.github/workflows/dev-build.yml b/.github/workflows/dev-build.yml
@@ -1,7 +1,8 @@
-### This is the Terraform-generated dev-build.yml workflow for the docker-matomo-dev app repository ###
-### If this is a Lambda repo, uncomment the FUNCTION line at the end of the document     ###
-### If the container requires any additional pre-build commands, uncomment and edit      ###
-### the PREBUILD line at the end of the document.                                        ###
+### This is the Terraform-generated dev-build.yml workflow for the          ###
+### docker-matomo-dev app repository.                                       ###
+### If this is a Lambda repo, uncomment the FUNCTION line at the end of the ###
+### document. If the container requires any additional pre-build commands,  ###
+### uncomment and edit the PREBUILD line at the end of the document.        ###
 name: Dev Container Build and Deploy
 on:
   workflow_dispatch:
@@ -11,8 +12,15 @@ on:
     paths-ignore:
       - '.github/**'
 
+permissions: read-all
+
 jobs:
   deploy:
+    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
+    permissions:
+      id-token: write
+      contents: read
+
     name: Dev Container Deploy
     uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-dev.yml@main
     secrets: inherit
diff --git a/.github/workflows/prod-promote.yml b/.github/workflows/prod-promote.yml
@@ -1,13 +1,22 @@
-### This is the Terraform-generated prod-promote.yml workflow for the docker-matomo-prod repository. ###
-### If this is a Lambda repo, uncomment the FUNCTION line at the end of the document.         ###
+### This is the Terraform-generated prod-promote.yml workflow for the       ###
+### docker-matomo-prod repository.                                          ###
+### If this is a Lambda repo, uncomment the FUNCTION line at the end of the ###
+### document.                                                               ###
 name: Prod Container Promote
 on:
   workflow_dispatch:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   deploy:
+    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
+    permissions:
+      id-token: write
+      contents: read
+
     name: Prod Container Promote
     uses: mitlibraries/.github/.github/workflows/ecr-shared-promote-prod.yml@main
     secrets: inherit
diff --git a/.github/workflows/stage-build.yml b/.github/workflows/stage-build.yml
@@ -1,7 +1,8 @@
-### This is the Terraform-generated dev-build.yml workflow for the docker-matomo-stage app repository ###
-### If this is a Lambda repo, uncomment the FUNCTION line at the end of the document     ###
-### If the container requires any additional pre-build commands, uncomment and edit      ###
-### the PREBUILD line at the end of the document.                                        ###
+### This is the Terraform-generated dev-build.yml workflow for the          ###
+### docker-matomo-stage app repository.                                     ###
+### If this is a Lambda repo, uncomment the FUNCTION line at the end of the ###
+### document. If the container requires any additional pre-build commands,  ###
+### uncomment and edit the PREBUILD line at the end of the document.        ###
 name: Stage Container Build and Deploy
 on:
   workflow_dispatch:
@@ -11,8 +12,15 @@ on:
     paths-ignore:
       - '.github/**'
 
+permissions: read-all
+
 jobs:
   deploy:
+    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
+    permissions:
+      id-token: write
+      contents: read
+
     name: Stage Container Deploy
     uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-stage.yml@main
     secrets: inherit
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 .env
 **/.DS_Store
+temp/
diff --git a/Makefile b/Makefile
@@ -1,12 +1,12 @@
 .PHONY: help dist-dev publish-dev dist-stage publish-stage
 SHELL=/bin/bash
 ### This is the Terraform-generated header for docker-matomo-dev. If  ###
-###   this is a Lambda repo, uncomment the FUNCTION line below  ###
-###   and review the other commented lines in the document.     ###
+###   this is a Lambda repo, uncomment the FUNCTION line below        ###
+###   and review the other commented lines in the document.           ###
 ECR_NAME_DEV:=docker-matomo-dev
 ECR_URL_DEV:=222053980223.dkr.ecr.us-east-1.amazonaws.com/docker-matomo-dev
 # FUNCTION_DEV:=
-### End of Terraform-generated header                            ###
+### End of Terraform-generated header                                 ###
 
 help: ## Print this message
 	@awk 'BEGIN { FS = ":.*##"; print "Usage:  make <target>\n\nTargets:" } \

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`.env`
`2`	`2`	`**/.DS_Store`
	`3`	`+temp/`