wellcomecollection / catalogue-api

:crystal_ball: The API for searching the Wellcome Collection catalogue.
https://developers.wellcomecollection.org
MIT License

Use federated OIDC permissions with AWS to read S3 buckets. #766

Closed kenoir closed 4 months ago

kenoir commented 4 months ago

What does this change?

This change uses the aws-actions/configure-aws-credentials GitHub action to assume a role provided by a GitHub OIDC provider set up in AWS (see: https://github.com/wellcomecollection/aws-account-infrastructure/pull/18).

In addition it updates the role assumed to read Scala dependencies from S3 to be a much more restrictive role. This is required as the operation will now run on GitHub actions runners which do not require such far-reaching permissions and are not under our direct ownership.

See https://github.com/wellcomecollection/buildkite-infrastructure/pull/24 for the change required to allow Buildkite to assume the s3 read role which is also a requirement of this change.

How to test

How can we measure success?

Have we considered potential risks?

This change does update the permissions of GitHub actions running in this repository (see discussion here on risks). We believe the scope of the permissions is restrictive enough to be acceptable in this case.
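As an added example, not code from this PR or from any wellcomecollection repository, the following Python models the AWS side of the federation this change relies on: the IAM trust policy that decides which GitHub workflows may call `sts:AssumeRoleWithWebIdentity`, the least-privilege S3 read permissions attached to the role, a small evaluator that applies the trust policy's `Condition` block to the claims of a GitHub-issued OIDC token the way STS does, and an audit helper for the usual mistakes (no `aud` check, or a `sub` pattern that admits other repositories). The account id, repository and bucket are assumed placeholders. The workflow side, which the example does not reproduce, is the `aws-actions/configure-aws-credentials` step with `role-to-assume` set to the role's ARN, in a job granted `permissions: id-token: write`.

```python
"""Hypothetical helpers (not the project's code) for reviewing a GitHub OIDC
-> AWS trust policy.  The identifiers below are made-up placeholders."""
import fnmatch
import json

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"

# Assumed placeholders: substitute the real account, repository and bucket.
ACCOUNT_ID = "123456789012"
REPO = "wellcomecollection/catalogue-api"
BUCKET = "example-scala-deps"


def trust_policy(repo: str, account_id: str, subjects: list) -> dict:
    """Trust policy that only lets GitHub's OIDC provider assume the role, and
    only with tokens minted for AWS STS (aud) and for an allowed `sub` pattern.
    `repo` is only used for documentation; `subjects` carries the scoping."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"GitHubActions-{repo.replace('/', '-')}",
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{GITHUB_OIDC_ISSUER}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{GITHUB_OIDC_ISSUER}:sub": list(subjects)},
            },
        }],
    }


def s3_read_policy(bucket: str) -> dict:
    """Least-privilege permissions policy: list and read one bucket, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def assume_role_allowed(policy: dict, claims: dict) -> bool:
    """Evaluate the trust policy's Condition block against OIDC token claims,
    mirroring IAM's StringEquals / StringLike semantics for the
    `<issuer>:aud` and `<issuer>:sub` keys (`*` matches any run of characters,
    including '/' and ':').  Any other operator is treated as deny rather than
    silently ignored, so an unexpected policy shape fails closed."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        ok = True
        for operator, conds in stmt.get("Condition", {}).items():
            for key, expected in conds.items():
                claim = claims.get(key.split(":", 1)[1])  # "<issuer>:sub" -> claims["sub"]
                if claim is None:
                    ok = False
                elif operator == "StringEquals":
                    ok = ok and claim in _as_list(expected)
                elif operator == "StringLike":
                    ok = ok and any(fnmatch.fnmatchcase(claim, p) for p in _as_list(expected))
                else:
                    ok = False
        if ok:
            return True
    return False


def audit_trust_policy(policy: dict, repo: str) -> list:
    """Flag trust policies that are broader than one repository."""
    findings = []
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{GITHUB_OIDC_ISSUER}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = _as_list(cond.get("StringLike", {}).get(f"{GITHUB_OIDC_ISSUER}:sub", [])) \
            + _as_list(cond.get("StringEquals", {}).get(f"{GITHUB_OIDC_ISSUER}:sub", []))
        if not subs:
            findings.append("no sub condition: any GitHub repository could assume the role")
        for pattern in subs:
            if not pattern.startswith(f"repo:{repo}:"):
                findings.append(f"sub pattern {pattern!r} is not scoped to {repo}")
    return findings


if __name__ == "__main__":
    policy = trust_policy(REPO, ACCOUNT_ID, [f"repo:{REPO}:*"])
    print(json.dumps(policy, indent=2))
    print(json.dumps(s3_read_policy(BUCKET), indent=2))
    print("findings:", audit_trust_policy(policy, REPO))
```

Two points the evaluator makes visible: a token whose `aud` is anything other than `sts.amazonaws.com`, or whose `sub` names another repository, is refused even though the issuer is the same GitHub provider; and a policy pinned to `repo:<org>/<repo>:ref:refs/heads/main` refuses tokens from pull-request runs, whose `sub` is `repo:<org>/<repo>:pull_request`, so the allowed `sub` patterns must match the events the workflow actually runs on.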

kenoir commented 4 months ago

Part of https://github.com/wellcomecollection/platform-infrastructure/issues/431