generated from amazon-archives/__template_Apache-2.0
Chore add main branch pr source validation #167
Closed
Commits (18):
b57d8f4  Merge pull request #53 from aws/develop (valerena)
49c35f6  v1.3 release (valerena)
43a7a09  Merge changes for v1.8 release (valerena)
5a79e1e  Merge changes for v1.9 release (valerena)
9de974f  Merge changes for v1.11 release (valerena)
23f8171  Merge changes for v1.12 release (valerena)
c6779f7  Merge changes for v1.15 release (valerena)
25a2eac  Merge changes for v1.17 release (valerena)
c99378b  Merge changes for v1.19 release (valerena)
394ab66  Merge the check for vulnerabilities (valerena)
566545f  Merge pull request #144 from aws/develop (roger-zhangg)
9dc822b  Release 1.27 (valerena)
eac2355  feat: Add support for multi-tenancy (licjun)
696d97a  Merge commit 'develop' to 'main' multi-tenancy (valerena)
07bf88e  Merge pull request #159 from aws/develop (valerena)
9e9cceb  Merge develop into main for release (#164) (seshubaws)
a90cb39  Merge pull request #166 from aws/develop (vicheey)
a38bd50  chore: add pr branch validation working for main branch (vicheey)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| name: Validate PR Branch into Main | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: | ||
| - main | ||
|
|
||
| jobs: | ||
| validate-pr-branch: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check source branch | ||
| run: | | ||
| SOURCE_BRANCH="${{ github.head_ref }}" | ||
| if [[ "$SOURCE_BRANCH" != "develop" ]]; then | ||
| echo "Error: Only pull requests from develop branch are allowed into main" | ||
| echo "Current source branch ($SOURCE_BRANCH)." | ||
| exit 1 | ||
| fi | ||
| echo "Source branch is develop - merge allowed" | ||
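Review bot: the `SOURCE_BRANCH="${{ github.head_ref }}"` line splices the PR's branch name into the script text before bash runs it, so a head branch named with shell metacharacters decides what this `run:` step executes; pass the value through `env:` (for example `env: SOURCE_BRANCH: ${{ github.head_ref }}` on the step) and keep the quoted `"$SOURCE_BRANCH"` comparison as written. The check also compares only the branch name, so a fork whose branch is called `develop` passes; if only the upstream `develop` is meant to be allowed, also compare `github.event.pull_request.head.repo.full_name` with `github.repository` and fail on mismatch. The workflow declares no `permissions:` block (the CodeQL warning on this PR); since the job never calls the API, a top-level `permissions: {}` is enough. Finally, this job only prevents a merge if branch protection on `main` lists it as a required status check, which is worth stating in the PR description.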
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 2 days ago:
In general, the fix is to explicitly declare a `permissions` block in the workflow (either at the root or per job) that grants only the minimal required permissions for the `GITHUB_TOKEN`. Since this workflow only reads `github.head_ref` (context data) and runs a shell script without calling the GitHub API or modifying repository resources, it does not need any special write permissions. The safest minimal configuration is to set all token permissions to `none` at the job level for `validate-pr-branch`. The best fix without changing existing functionality is to add a `permissions: {}` or, more explicitly, `permissions: {}` with specific keys. GitHub supports `permissions: read-all`/`write-all`, or a fine-grained map; setting everything to `none` is achieved by setting all scopes to `none` or using `permissions: {}` with `contents: read`. However, because this job does not need to read repository contents via token either, we can simply set `permissions: {}` to `read-all`? That's not correct; the recommended minimal restrictive pattern for a workflow that does not need the token is `permissions: {}`? Actually the canonical way is `permissions: {}`? To be explicit and future-proof, we should set the job-level `permissions` to `read-all` or to specific read scopes. Since the job uses no API, we can completely disable the token with `permissions: {}`, and `permissions: contents: read` is still more permissive than needed. GitHub's documented method to fully disable `GITHUB_TOKEN` is `permissions: {}` combined with `permissions: {}`? To avoid ambiguity and stay strictly within well-documented patterns, we'll set `permissions: read-all` to enforce read-only, which is the recommended minimal starting point in many security guides. That ensures the token cannot perform write operations while remaining fully compatible with typical Actions behavior.

Concretely, in `.github/workflows/validate-branch-into-main.yaml`, under the `validate-pr-branch` job (same indentation level as `runs-on`), add:

or `read-all`. To keep it minimal and explicit, use `contents: read`. This limits repository contents access to read-only and removes default write powers. No imports or extra methods are needed; it's a pure YAML change.
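A hardened version of the workflow in this PR's diff, written here as an added example rather than the project's own file. It drops every `GITHUB_TOKEN` scope with a top-level `permissions: {}` (the CodeQL finding above), passes `github.head_ref` through `env:` so the branch name is never spliced into the script text, and additionally rejects pull requests opened from forks by comparing the head repository with `github.repository`. The fork check is an assumption that the maintainers only want the upstream `develop` branch merged into `main`; drop it if fork PRs into `main` are expected. The job name, trigger and messages are kept from the original so that an existing required-status-check rule on `main` keeps matching.

```yaml
name: Validate PR Branch into Main

on:
  pull_request:
    branches:
      - main

# The job never calls the GitHub API, so grant the token no scopes at all.
# This is the fix for the "Workflow does not contain permissions" CodeQL warning.
permissions: {}

jobs:
  validate-pr-branch:
    runs-on: ubuntu-latest
    steps:
      - name: Check source branch and origin
        # Context values go through environment variables instead of ${{ }} inside
        # `run:`; bash then sees them as data, not as part of the script source,
        # so a crafted branch name cannot inject commands.
        env:
          SOURCE_BRANCH: ${{ github.head_ref }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          BASE_REPO: ${{ github.repository }}
        run: |
          # Assumption for this example: only the upstream repository's develop
          # branch may be merged into main, so a fork branch named "develop" is rejected.
          if [[ "$HEAD_REPO" != "$BASE_REPO" ]]; then
            echo "Error: pull requests into main must come from $BASE_REPO, not $HEAD_REPO"
            exit 1
          fi
          if [[ "$SOURCE_BRANCH" != "develop" ]]; then
            echo "Error: Only pull requests from develop branch are allowed into main"
            echo "Current source branch ($SOURCE_BRANCH)."
            exit 1
          fi
          echo "Source branch is develop - merge allowed"
```

As with the original, this workflow only prevents a merge if the `validate-pr-branch` job is listed as a required status check in the branch protection (or ruleset) for `main`; without that, a failing run is advisory.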