From e04d4728a0aa0312b51f91775442cb3eb6b6be04 Mon Sep 17 00:00:00 2001
From: Swopnil Dangol
Date: Tue, 26 Aug 2025 13:14:05 +0100
Subject: [PATCH 1/2] Inherited the secrets for update ssm workflow

---
 .github/workflows/make-release.yml | 5 ++---
 .github/workflows/publish_layer.yml | 3 +++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index e4f3763a53..f826503c7c 100644
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -94,9 +94,8 @@ jobs:
 publish_layer:
 needs: publish-npm
 secrets:
- AWS_LAYERS_BETA_ROLE_ARN: ${{ secrets.AWS_LAYERS_BETA_ROLE_ARN }}
- AWS_LAYERS_PROD_ROLE_ARN: ${{ secrets.AWS_LAYERS_PROD_ROLE_ARN }}
- TOKEN_GITHUB: ${{ secrets.GITHUB_TOKEN }}
+ # The update_ssm workflow called from the publish_layer workflow needs the secrets for all the regions. This will trigger a SonarQube warning.
+ inherit
 permissions:
 id-token: write
 contents: write
diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml
index bd6aa14079..559dbf94d6 100644
--- a/.github/workflows/publish_layer.yml
+++ b/.github/workflows/publish_layer.yml
@@ -97,6 +97,9 @@ jobs:
 environment: prod
 package_version: ${{ inputs.latest_published_version }}
 layer-version: ${{ needs.deploy-prod.outputs.layer-version }}
+ secrets:
+ # The update_ssm workflow needs the secrets for all the regions. This will trigger a SonarQube warning.
+ inherit

 update_layer_arn_docs:
 needs: [deploy-prod]

From e16d54c5244b6c43593af16e2360b2c94137a963 Mon Sep 17 00:00:00 2001
From: Swopnil Dangol
Date: Tue, 26 Aug 2025 15:06:18 +0100
Subject: [PATCH 2/2] Updated the excemption message for using inherit

---
 .github/workflows/make-release.yml | 2 +-
 .github/workflows/publish_layer.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index f826503c7c..5b08d04870 100644
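Review bot: Replacing the explicit secret mapping with `secrets: inherit` in the publish_layer job widens what the reusable workflow can read from three named values to every repository- and organization-level secret available to the caller, which is the least-privilege concern the added comment itself anticipates as a SonarQube warning; the new `secrets:` block in the publish_layer.yml hunk has the same effect one level further down. If the per-region secrets the comment refers to can be enumerated, passing them by name keeps the allow-list auditable in the caller (`secrets:` followed by one `NAME: ${{ secrets.NAME }}` entry per region); if inherit stays, the comment should list which secrets update_ssm actually consumes so a reviewer can check that nothing else is reachable. The removed `TOKEN_GITHUB: ${{ secrets.GITHUB_TOKEN }}` line also dropped a rename: with inherit the called workflow sees `secrets.GITHUB_TOKEN`, but presumably no secret named `TOKEN_GITHUB` exists unless one is defined in the repository, so confirm publish_layer.yml no longer reads `secrets.TOKEN_GITHUB`. Stylistically, the documented form is a single `secrets: inherit` line; splitting `secrets:` and `inherit` across lines with a comment between relies on YAML folding the indented plain scalar into the value and reads like a nested key.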
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -94,7 +94,7 @@ jobs:
 publish_layer:
 needs: publish-npm
 secrets:
- # The update_ssm workflow called from the publish_layer workflow needs the secrets for all the regions. This will trigger a SonarQube warning.
+ # We use "inherit" because need to propagate the secrets to the reusable workflow, secrets are already scoped by using GitHub's deployment environments to mitigate the risk of secret exposure.
 inherit
 permissions:
 id-token: write
diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml
index 559dbf94d6..e96bbbc8d8 100644
--- a/.github/workflows/publish_layer.yml
+++ b/.github/workflows/publish_layer.yml
@@ -98,7 +98,7 @@ jobs:
 package_version: ${{ inputs.latest_published_version }}
 layer-version: ${{ needs.deploy-prod.outputs.layer-version }}
 secrets:
- # The update_ssm workflow needs the secrets for all the regions. This will trigger a SonarQube warning.
+ # We use "inherit" because need to propagate the secrets to the reusable workflow, secrets are already scoped by using GitHub's deployment environments to mitigate the risk of secret exposure.
 inherit

 update_layer_arn_docs:
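Review bot: The rewritten comment's claim that the inherited secrets are "already scoped" by deployment environments only covers environment-scoped secrets; `secrets: inherit` forwards repository- and organization-level secrets as well, and the publish_layer job in make-release.yml shows no `environment:` of its own in this hunk (the `environment: prod` visible in publish_layer.yml appears to be a `with:` input handed to the nested workflow rather than a job environment), so the mitigation statement overstates what is actually enforced; the identical comment is added in the publish_layer.yml hunk. The sentence is also missing a word (`because need to`). A more accurate wording would be `# secrets: inherit is needed so the nested update_ssm reusable workflow can read the per-region secrets; note it forwards all repository/org secrets, not only environment-scoped ones, which is why the SonarQube rule fires.` Prefer placing that comment above a single `secrets: inherit` line, the form GitHub documents, rather than between `secrets:` and `inherit`.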