From 5e0c6d7ca9573deeee7a831439e8bffc0becd025 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:43:36 -0400
Subject: [PATCH 1/6] ci: scope down permissions for clang-format.yml

---
 .github/workflows/clang-format.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/clang-format.yml b/.github/workflows/clang-format.yml
index 55f9ec49fa7..cc813e252ef 100644
--- a/.github/workflows/clang-format.yml
+++ b/.github/workflows/clang-format.yml
@@ -7,6 +7,9 @@ on:
 - main
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 format-check:
 runs-on: ubuntu-latest

From cd48e9bad86b1f2e978c44918f6e258df7ffd864 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:43:38 -0400
Subject: [PATCH 2/6] ci: scope down permissions for license-scheduled-check.yml

---
 .github/workflows/license-scheduled-check.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/license-scheduled-check.yml b/.github/workflows/license-scheduled-check.yml
index b68eb54aec7..c44049a1498 100644
--- a/.github/workflows/license-scheduled-check.yml
+++ b/.github/workflows/license-scheduled-check.yml
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: "0 0 * * *"
 
+permissions:
+ contents: read
+
 jobs:
 build:
 

From 72562706bd0bd4f0b66f7890738fa5368fef9b86 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:43:40 -0400
Subject: [PATCH 3/6] ci: scope down permissions for closed-issue-message.yml

---
 .github/workflows/closed-issue-message.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml
index 2881a667a89..cae2d6b538a 100644
--- a/.github/workflows/closed-issue-message.yml
+++ b/.github/workflows/closed-issue-message.yml
@@ -2,6 +2,9 @@ name: Closed Issue Message
 on:
 issues:
 types: [closed]
+permissions:
+ issues: write
+
 jobs:
 auto_comment:
 runs-on: ubuntu-latest

From 72012d5b4951482e529bf3126b50c9da2a006b48 Mon Sep 17 00:00:00 2001
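Review bot: The new workflow-level `permissions:` block sets every scope not listed to `none` for the GITHUB_TOKEN, which is the intended least-privilege effect but is easy to undo later by someone widening this block instead of adding a job-level grant; a one-line comment above it would make the intent durable, e.g. `# Least privilege: the token only needs to read the repo for checkout; every other scope is none.` The format-check job body is outside the hunk, so I cannot confirm it does nothing beyond checkout and running clang-format — if it posts review comments or pushes fixes it will now get a 403 and should receive a job-scoped grant rather than a wider workflow block. Consider also setting the repository's default workflow token permissions to read-only so workflows without an explicit `permissions:` key get the same floor.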
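Review bot: The `permissions:` block added here lands in a file that patch 6/6 of this same series deletes outright (`delete mode 100644 .github/workflows/license-scheduled-check.yml` further down the page), so the change never survives the series and only adds review noise. Either drop this patch or move the deletion earlier in the series so that every remaining patch touches a file that still exists at the end. If the scheduled license scan is meant to be kept after all, note that the deleted version checks out `nexB/scancode-toolkit` with `fetch-depth: 1` and no `ref:`, so the scanner runs whatever that repository's default branch currently holds — pinning it to a tag or commit SHA would be the next hardening step.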
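Review bot: `issues: write` is the only scope granted, so `contents` and everything else becomes `none` for the `auto_comment` job; that is the right minimum for a job that only comments on the closed issue, but any `actions/checkout` step in the job body (outside this hunk) will now fail. If the job uses a marketplace commenting action, pin it to a commit SHA rather than a tag in a follow-up, because `issues: write` on an `issues: closed` trigger is exactly the token an unpinned action could abuse to edit or close arbitrary issues. A short comment would help the next reader: `# Only needs to comment on the closed issue; all other token scopes are none.`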
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:43:42 -0400
Subject: [PATCH 4/6] ci: scope down permissions for license-check.yml

---
 .github/workflows/license-check.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml
index f91f8c66632..5edc44ebfde 100644
--- a/.github/workflows/license-check.yml
+++ b/.github/workflows/license-check.yml
@@ -2,6 +2,9 @@ name: License Scan
 
 on: [pull_request]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 

From 5724d4490dfc1e9eebc4a4d5e0e895347860b4b8 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:43:44 -0400
Subject: [PATCH 5/6] ci: scope down permissions for cspell.yml

---
 .github/workflows/cspell.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/cspell.yml b/.github/workflows/cspell.yml
index b0bc75bdbe9..1a4c257edb7 100644
--- a/.github/workflows/cspell.yml
+++ b/.github/workflows/cspell.yml
@@ -2,6 +2,9 @@ name: cspell
 
 on: [push]
 
+permissions:
+ contents: read
+
 jobs:
 cspell:
 name: cspell

From 60aaa81bf0bf95a03a89e5f38dc9cfabdc177f06 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:43:46 -0400
Subject: [PATCH 6/6] ci: scope down permissions for stale_issue.yml remove License Scan / build (3.9) (pull_request) work flow

---
 .github/workflows/license-check.yml | 52 -------------------
 .github/workflows/license-scheduled-check.yml | 51 ------------------
 .github/workflows/stale_issue.yml | 4 ++
 3 files changed, 4 insertions(+), 103 deletions(-)
 delete mode 100644 .github/workflows/license-check.yml
 delete mode 100644 .github/workflows/license-scheduled-check.yml

diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml
deleted file mode 100644
index 5edc44ebfde..00000000000
--- a/.github/workflows/license-check.yml
+++ /dev/null
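Review bot: The file this `permissions:` block is added to, `.github/workflows/license-check.yml`, is deleted by patch 6/6 of the same series (`delete mode 100644 .github/workflows/license-check.yml` is visible at the end of this page), so the hunk is dead on arrival. Drop this patch, or reorder the series so the deletion comes first; as written, a bisect landing on patch 4 shows a workflow that disappears two commits later. If the pull-request license scan is kept instead, `on: [pull_request]` paired with `contents: read` is the correct trigger/permission combination for fork PRs and needs no further change here.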
@@ -1,52 +0,0 @@ -name: License Scan - -on: [pull_request] - -permissions: - contents: read - -jobs: - build: - - runs-on: ubuntu-latest - strategy: - matrix: - python-version: [3.9] - - steps: - - name: Checkout target - uses: actions/checkout@v2 - with: - path: sdkmain - ref: ${{ github.base_ref }} - - name: Checkout this ref - uses: actions/checkout@v3 - with: - path: new-ref - fetch-depth: 0 - - name: Get Diff - env: - BASE_COMMIT: ${{ github.event.pull_request.base.sha }} - COMMIT: ${{ github.sha }} - run: git --git-dir ./new-ref/.git diff --name-only --diff-filter=ACMRT "$BASE_COMMIT" "$COMMIT"| xargs > fileList.txt - - name: Checkout scancode - uses: actions/checkout@v2 - with: - repository: nexB/scancode-toolkit - path: scancode-toolkit - fetch-depth: 1 - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v4 - with: - python-version: ${{ matrix.python-version }} - # ScanCode - - name: Self-configure scancode - working-directory: ./scancode-toolkit - run: ./scancode --help - - name: Run Scan code on pr ref - run: for filename in $(< fileList.txt); do ./scancode-toolkit/scancode -l -n 30 --json-pp - ./sdkmain/$filename | grep short_name | sort | uniq >> old-licenses.txt; done - - name: Run Scan code on target - run: for filename in $(< fileList.txt); do ./scancode-toolkit/scancode -l -n 30 --json-pp - ./new-ref/$filename | grep short_name | sort | uniq >> new-licenses.txt; done - # compare - - name: License test - run: if ! cmp old-licenses.txt new-licenses.txt; then echo "Licenses differ! Failing."; exit -1; else echo "Licenses are the same. Success."; exit 0; fi \ No newline at end of file diff --git a/.github/workflows/license-scheduled-check.yml b/.github/workflows/license-scheduled-check.yml deleted file mode 100644 index c44049a1498..00000000000 --- a/.github/workflows/license-scheduled-check.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -name: License Scan - -on: - schedule: - - cron: "0 0 * * *" - -permissions: - contents: read - -jobs: - build: - - runs-on: ubuntu-latest - strategy: - matrix: - python-version: [3.9] - - steps: - - name: Checkout main - uses: actions/checkout@v4 - with: - repository: aws/aws-sdk-cpp - path: aws-sdk-cpp - ref: main - - name: Checkout stable version - uses: actions/checkout@v4 - with: - repository: aws/aws-sdk-cpp - path: new-ref - ref: "1.9.85" - - name: Checkout scancode - uses: actions/checkout@v4 - with: - repository: nexB/scancode-toolkit - path: scancode-toolkit - fetch-depth: 1 - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v4 - with: - python-version: ${{ matrix.python-version }} - # ScanCode - - name: Self-configure scancode - working-directory: ./scancode-toolkit - run: ./scancode --help - - name: Run Scan code - run: | - ./scancode-toolkit/scancode -l -n 30 --json-pp - ./aws-sdk-cpp/aws-cpp-sdk-core | grep short_name | sed -e 's/\"short_name\": //' -e 's/\"\,\?//g' | sort | uniq > old-licenses.txt - ./scancode-toolkit/scancode -l -n 30 --json-pp - ./new-ref/aws-cpp-sdk-core | grep short_name | sed -e 's/\"short_name\": //' -e 's/\"\,\?//g' | sort | uniq > new-licenses.txt - # compare - - name: License test - run: if ! cmp old-licenses.txt new-licenses.txt; then echo "Licenses differ! Failing."; exit -1; else echo "Licenses are the same. Success."; exit 0; fi diff --git a/.github/workflows/stale_issue.yml b/.github/workflows/stale_issue.yml index 4aff44e8e03..a20088a5ff5 100644 --- a/.github/workflows/stale_issue.yml +++ b/.github/workflows/stale_issue.yml @@ -5,6 +5,10 @@ on: schedule: - cron: "0 0 * * *" +permissions: + issues: write + pull-requests: write + jobs: cleanup: runs-on: ubuntu-latest
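Review bot: `pull-requests: write` is granted alongside `issues: write` for the `cleanup` job, but nothing in the hunk shows what consumes the PR scope; it is required if the job runs a stale-handling action against pull requests as well as issues, and should be dropped if that action is configured for issues only — the job body is outside the hunk, so please confirm. A comment above the block such as `# The stale action labels/closes both issues and PRs, so both write scopes are needed.` (adjusted to the action actually used) documents why two write scopes are acceptable on a cron-triggered job. Separately, this patch bundles the permission change with the deletion of both License Scan workflows, which the subject mentions only as an afterthought; splitting the deletion into its own commit makes the series easier to review and to revert.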