fix(ci): Permissions and depdendencies

fix(ci): Permissions and depdendencies

Author: sthulb

.github/workflows/build_changelog.yml

@@ -4,6 +4,9 @@ name: Build changelog
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   changelog:
     uses: ./.github/workflows/reusable_publish_changelog.yml

.github/workflows/codeql-analysis.yml

@@ -12,6 +12,9 @@ on:
   schedule:
     - cron: '42 8 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/dispatch_analytics.yml

@@ -7,22 +7,23 @@ on:
     - cron: '0 * * * *'
 
 permissions:
-  id-token: write
-  actions: read
-  checks: read
   contents: read
-  deployments: read
-  issues: read
-  discussions: read
-  packages: read
-  pages: read
-  pull-requests: read
-  repository-projects: read
-  security-events: read
-  statuses: read
 
 jobs:
   dispatch_token:
+    permissions:
+      id-token: write
+      actions: read
+      checks: read
+      deployments: read
+      issues: read
+      discussions: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      security-events: read
+      statuses: read
     if: github.repository == 'aws-powertools/powertools-lambda-dotnet'
     concurrency:
       group: analytics

.github/workflows/docs.yml

@@ -7,12 +7,13 @@ on:
   workflow_dispatch: {}
 
 permissions:
-  id-token: write
-  contents: write
-  pages: write
+  contents: read
 
 jobs:
   docs:
+    permissions:
+      id-token: write
+      contents: write
     # Force Github action to run only a single job at a time (based on the group name)
     # This is to prevent "race-condition" in publishing a new version of doc to `gh-pages`
     concurrency:
@@ -46,6 +47,9 @@ jobs:
             dist \
             s3://${{ secrets.AWS_DOCS_BUCKET }}/lambda-dotnet/
   apidocs:
+    permissions:
+      id-token: write
+      contents: write
     # Force Github action to run only a single job at a time (based on the group name)
     # This is to prevent "race-condition" in publishing a new version of doc to `gh-pages`
     concurrency:

.github/workflows/e2e-tests.yml

@@ -22,11 +22,12 @@ concurrency:
   group: e2e
 
 permissions:
-  id-token: write
   contents: read
 
 jobs:
   deploy-stack:
+    permissions:
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
@@ -45,17 +46,19 @@ jobs:
           dotnet-version: '8.x'
 
       - name: Install CDK
-        run: npm install -g aws-cdk
+        run: npm install
 
       - name: Install AWS Lambda .NET CLI Tools
         run: dotnet tool install -g Amazon.Lambda.Tools
 
       - name: Deploy Stack
         run: |
           cd libraries/tests/e2e/infra
-          cdk deploy --all --require-approval never
+          npx cdk deploy --all --require-approval never
 
   deploy-aot-stack:
+    permissions:
+      id-token: write
     strategy:
       matrix:
         os: [ubuntu-24.04-arm, ubuntu-latest]
@@ -82,17 +85,19 @@ jobs:
           dotnet-version: '8.x'
 
       - name: Install CDK
-        run: npm install -g aws-cdk
+        run: npm install
 
       - name: Install AWS Lambda .NET CLI Tools
         run: dotnet tool install -g Amazon.Lambda.Tools
 
       - name: Deploy AOT Stack
         run: |
           cd libraries/tests/e2e/infra-aot
-          cdk deploy --all -c architecture=${{ matrix.arch }} --require-approval never
+          npx cdk deploy --all -c architecture=${{ matrix.arch }} --require-approval never
 
   run-tests:
+    permissions:
+      id-token: write 
     strategy:
       matrix:
         utility: [core, idempotency]
@@ -126,6 +131,8 @@ jobs:
           dotnet test --filter Category=AOT
 
   destroy-stack:
+    permissions:
+      id-token: write
     runs-on: ubuntu-latest
     needs: run-tests
     if: always()
@@ -141,17 +148,19 @@ jobs:
           mask-aws-account-id: true
 
       - name: Install CDK
-        run: npm install -g aws-cdk
+        run: npm install
 
       - name: Install AWS Lambda .NET CLI Tools
         run: dotnet tool install -g Amazon.Lambda.Tools
 
       - name: Destroy Stack
         run: |
           cd libraries/tests/e2e/infra
-          cdk destroy --all --force
+          npx cdk destroy --all --force
 
   destroy-aot-stack:
+    permissions:
+      id-token: write
     strategy:
       matrix:
         os: [ubuntu-24.04-arm, ubuntu-latest]
@@ -175,13 +184,13 @@ jobs:
           mask-aws-account-id: true
 
       - name: Install CDK
-        run: npm install -g aws-cdk
+        run: npm install
 
       - name: Install AWS Lambda .NET CLI Tools
         run: dotnet tool install -g Amazon.Lambda.Tools
 
       - name: Destroy arm64 AOT Stack
         run: |
           cd libraries/tests/e2e/infra-aot
-          cdk destroy --all -c architecture=${{ matrix.arch }} --force
+          npox cdk destroy --all -c architecture=${{ matrix.arch }} --force
       

.github/workflows/label_pr_on_title.yml

@@ -6,8 +6,13 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   get_pr_details:
+    permissions:
+      id-token: write
     # Guardrails to only ever run if PR recording workflow was indeed
     # run in a PR event and ran successfully
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
@@ -18,6 +23,8 @@ jobs:
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
   label_pr:
+    permissions:
+      id-token: write
     needs: get_pr_details
     runs-on: ubuntu-latest
     steps:

.github/workflows/on_label_added.yml

@@ -6,8 +6,13 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   get_pr_details:
+    permissions:
+      id-token: write
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:
@@ -22,6 +27,7 @@ jobs:
     permissions:
       issues: write
       pull-requests: write
+      id-token: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       # Maintenance: Persist state per PR as an artifact to avoid spam on label add

.github/workflows/on_merged_pr.yml

@@ -6,8 +6,13 @@ on:
     types:
       - completed
 
+permissions: 
+  contents: read
+
 jobs:
   get_pr_details:
+    permissions:
+      id-token: write
     if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:
@@ -16,6 +21,8 @@ jobs:
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
   release_label_on_merge:
+    permissions:
+      id-token: write
     needs: get_pr_details
     runs-on: ubuntu-latest
     if: needs.get_pr_details.outputs.prIsMerged == 'true'

.github/workflows/on_opened_pr.yml

@@ -6,8 +6,13 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   get_pr_details:
+    permissions:
+      id-token: write
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:
@@ -16,6 +21,8 @@ jobs:
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
   check_related_issue:
+    permissions:
+      id-token: write
     needs: get_pr_details
     runs-on: ubuntu-latest
     steps:

.github/workflows/rebuild_latest_docs.yml

@@ -13,6 +13,9 @@ on:
         description: "Latest PyPi published version to rebuild latest docs for, e.g. 2.0.0"
         default: "2.0.0"
         required: true
+        
+permissions: 
+  contents: read
 
 jobs:
   changelog:

.github/workflows/record_pr.yml

@@ -4,6 +4,10 @@ on:
   pull_request:
     types: [opened, edited, closed]
 
+
+permissions: 
+  contents: read
+  
 jobs:
   record_pr:
     runs-on: ubuntu-latest

.github/workflows/release-drafter.yml

@@ -6,8 +6,13 @@ on:
       - develop
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
+    permissions:
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v5.20.1

.github/workflows/reusable_export_pr_details.yml

@@ -36,8 +36,13 @@ on:
         description: "Whether PR is merged"
         value: ${{ jobs.export_pr_details.outputs.prIsMerged }}
 
+permissions:
+  contents: read
+
 jobs:
   export_pr_details:
+    permissions:
+      id-token: write
     # see https://github.com/aws-powertools/powertools-lambda-python/issues/1349
     if: inputs.workflow_origin == 'aws-powertools/powertools-lambda-dotnet'
     runs-on: ubuntu-latest

.github/workflows/reusable_publish_changelog.yml

@@ -4,13 +4,15 @@ on:
   workflow_call:
 
 permissions:
-  contents: write
+  contents: read
 
 env:
   BRANCH: develop
 
 jobs:
   publish_changelog:
+    permissions:
+      contents: write
     # Force Github action to run only a single job at a time (based on the group name)
     # This is to prevent race-condition and inconsistencies with changelog push
     concurrency:

.github/workflows/reusable_publish_docs.yml

@@ -22,12 +22,13 @@ on:
         type: boolean
 
 permissions:
-  id-token: write
-  contents: write
-  pages: write
+  contents: read
 
 jobs:
   publish_docs:
+    permissions:
+      id-token: write
+      contents: write
     # Force Github action to run only a single job at a time (based on the group name)
     # This is to prevent "race-condition" in publishing a new version of doc to `gh-pages`
     concurrency:
@@ -80,6 +81,9 @@ jobs:
 
 
   apidocs:
+    permissions:
+      id-token: write
+      contents: write
     # Force Github action to run only a single job at a time (based on the group name)
     # This is to prevent "race-condition" in publishing a new version of doc to `gh-pages`
     concurrency:

.github/workflows/secure_workflows.yml

@@ -8,6 +8,9 @@ on:
     paths:
       - ".github/workflows/**"
 
+permissions:
+  contents: read
+
 jobs:
   enforce_pinned_workflows:
     name: Harden Security

.gitignore

@@ -12,6 +12,8 @@ deploy/**
 .vs/
 .aws-sam
 
+node_modules/*
+
 examples/SimpleLambda/.aws-sam
 examples/SimpleLambda/samconfig.toml
 

Dockerfile

@@ -19,7 +19,7 @@ WORKDIR $FUNCTION_DIR/examples/SimpleLambda/src/HelloWorld/
 RUN if [ "$SAM_BUILD_MODE" = "debug" ]; then dotnet lambda package --configuration Debug; else dotnet lambda package --configuration Release; fi
 RUN if [ "$SAM_BUILD_MODE" = "debug" ]; then cp -r /bin/Debug/net6.0/publish/* /build/build_artifacts; else cp -r bin/Release/net6.0/publish/* /build/build_artifacts; fi
 
-FROM public.ecr.aws/lambda/dotnet:6
+FROM public.ecr.aws/lambda/dotnet@sha256:ec61a7f638e2a0c86d75204117cc7710bcdc70222ffc777e3fc1458287b09834
 
 COPY --from=build-image /build/build_artifacts/ /var/task/
 # Command can be overwritten by providing a different command in the template directly.