    runs-on: ubuntu-latest
    name: Set Deployment Environment
    outputs:
      env_name: ${{ steps.set_env.outputs.env_name }}
    steps:
      - id: set_env
        run: echo "env_name=${{ github.ref_name == 'main' && 'production' || github.ref_name }}" >> $GITHUB_OUTPUT

  trigger_build:
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 5 months ago):
To fix the issue, we should add the explicit permissions key to the root of the workflow file (.github/workflows/deploy-aws.yml). This will set minimal default permissions for all jobs in the workflow, unless overridden per job. According to the CodeQL recommendation, permissions: {} is the most minimal starting point, which disables all access to the GITHUB_TOKEN for API operations. To prevent interruption of basic operations, and since most workflows need at least contents: read access for actions/checkout and possibly other minor actions, we can start with permissions: contents: read. If further write permissions are required by specific steps (for example, deploy or opening pull requests), those jobs should individually override the root permissions block. The change should be added right after the workflow name: and before on:.
| @@ -1,4 +1,6 @@ | ||
| name: Deploy to AWS | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: |
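Review bot: the `+` markers of this hunk were lost in extraction; per the `@@ -1,4 +1,6 @@` header the two added lines are `permissions:` and `contents: read`, inserted at the workflow root between `name:` and `on:`. `contents: read` is the right floor for this file: the only step that uses GITHUB_TOKEN is `actions/checkout@v4`, while every AWS step authenticates with `secrets.PIPELINE_USER_ACCESS_KEY_ID` / `secrets.PIPELINE_USER_SECRET_ACCESS_KEY`, so restricting the token cannot break the ECR login, image push or Beanstalk deploy steps.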
    runs-on: ubuntu-latest
    outputs:
      build_cms: ${{ steps.changes.outputs.cms == 'true' || github.ref_name == 'staging' || github.ref_name == 'main' }}
      build_client: ${{ steps.changes.outputs.client == 'true' || github.ref_name == 'staging' || github.ref_name == 'main' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Detect changes in client and CMS paths
        uses: dorny/paths-filter@v3
        id: changes
        with:
          filters: |
            client:
              - '.github/workflows/**'
              - 'client/**'
            cms:
              - '.github/workflows/**'
              - 'cms/**'

  build_client:
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 5 months ago):
The best fix is to explicitly add a permissions: block that sets the minimum required permissions for the workflow. The recommended starting point is contents: read, which is sufficient for most workflows that only need to check out code. If a job or step requires additional permissions (e.g., creating deployments, writing to issues, or other repository operations), those should be added with the narrowest possible scope. As CodeQL highlighted trigger_build job but the workflow as a whole lacks permissions:, we should add it at the root level (just below name: and before on:), so all jobs will inherit these permissions unless overridden individually.
No additional YAML imports or definitions are needed: this is a policy/configuration change.
| @@ -1,4 +1,6 @@ | ||
| name: Deploy to AWS | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: |
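Review bot: this is byte-for-byte the same root-level insertion as the autofix on the alert above. CodeQL raises one alert per job, but the fix is one per file: apply it once and resolve the remaining alerts against that single commit, because accepting each suggestion separately would leave `deploy-aws.yml` with duplicate `permissions:` keys, which the workflow parser rejects.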
    needs: [set_environment, trigger_build]
    if: ${{ github.event_name == 'workflow_dispatch' || needs.trigger_build.outputs.build_client == 'true' }}
    environment:
      name: ${{ needs.set_environment.outputs.env_name }}
    runs-on: ubuntu-latest
    name: Build Client image and push to Amazon ECR
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.PIPELINE_USER_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.PIPELINE_USER_SECRET_ACCESS_KEY }}
          aws-region: ${{ vars.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
        with:
          mask-password: 'true'

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build, tag, and push Client image to Amazon ECR
        uses: docker/build-push-action@v5
        env:
          NEXT_PUBLIC_API_URL: ${{ vars.NEXT_PUBLIC_API_URL }}
          NEXT_PUBLIC_MAPBOX_API_TOKEN: ${{ vars.NEXT_PUBLIC_MAPBOX_API_TOKEN }}
          NEXT_PUBLIC_MAPBOX_USERNAME: ${{ vars.NEXT_PUBLIC_MAPBOX_USERNAME }}
          NEXT_PUBLIC_MAPBOX_STYLE_ID: ${{ vars.NEXT_PUBLIC_MAPBOX_STYLE_ID }}
          NEXT_PUBLIC_BASE_PATH: /impact-sphere
        with:
          build-args: |
            NEXT_PUBLIC_API_URL=${{ vars.NEXT_PUBLIC_API_URL }}
            NEXT_PUBLIC_MAPBOX_API_TOKEN=${{ vars.NEXT_PUBLIC_MAPBOX_API_TOKEN }}
            NEXT_PUBLIC_MAPBOX_USERNAME=${{ vars.NEXT_PUBLIC_MAPBOX_USERNAME }}
            NEXT_PUBLIC_MAPBOX_STYLE_ID=${{ vars.NEXT_PUBLIC_MAPBOX_STYLE_ID }}
            NEXT_PUBLIC_BASE_PATH=/impact-sphere
          context: .
          cache-from: type=gha
          cache-to: type=gha,mode=max
          file: ./client/Dockerfile.prod
          push: true
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ vars.CLIENT_REPOSITORY_NAME }}:${{ github.sha }}
            ${{ steps.login-ecr.outputs.registry }}/${{ vars.CLIENT_REPOSITORY_NAME }}:${{ needs.set_environment.outputs.env_name }}

  build_cms:
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 5 months ago):
To fix the problem, we should add an explicit permissions key near the top of the workflow file (at the root level, just after name: and on:), setting the least privilege needed by all jobs in the workflow. As a minimal and safe default, we should set permissions: { contents: read }, which allows the workflow to read repository contents but not write or perform other sensitive operations. If jobs in the workflow do need higher privileges (for example, to interact with pull requests, deployments, or issues), we should add only those specific permissions for those jobs at the job level.
Since the CodeQL fix proposal suggests { contents: read } as a safe starting point and no jobs in the text obviously require additional permissions (such as writing to pull requests), we should add this at the workflow root, right after the name and on keys.
Specific changes:
- In .github/workflows/deploy-aws.yml, add the following near the top (after name: Deploy to AWS and after/in between on:): permissions: contents: read
- Ensure proper YAML indentation.
| @@ -13,6 +13,9 @@ | ||
| - 'infrastructure/**' | ||
| - 'package.json' | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| set_environment: | ||
| runs-on: ubuntu-latest |
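Review bot: indentation is the thing to check in this variant. The context lines `- 'infrastructure/**'` and `- 'package.json'` are list items under the trigger's `paths:`, so `permissions:` must land at column 0 after that block and before `jobs:`; if it is inserted at the list's indentation it becomes part of the trigger definition and the workflow fails validation. Root-key order is otherwise irrelevant in YAML, so once at column 0 this placement is equivalent to the `name:`/`on:` placement the other autofixes propose.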
    needs: [set_environment, trigger_build]
    if: ${{ github.event_name == 'workflow_dispatch' || needs.trigger_build.outputs.build_cms == 'true' }}
    environment:
      name: ${{ needs.set_environment.outputs.env_name }}
    runs-on: ubuntu-latest
    name: Build CMS image and push to Amazon ECR
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.PIPELINE_USER_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.PIPELINE_USER_SECRET_ACCESS_KEY }}
          aws-region: ${{ vars.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
        with:
          mask-password: 'true'

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build, tag, and push CMS image to Amazon ECR
        uses: docker/build-push-action@v5
        with:
          context: .
          cache-from: type=gha
          cache-to: type=gha,mode=max
          file: ./cms/Dockerfile.prod
          push: true
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ vars.CMS_REPOSITORY_NAME }}:${{ github.sha }}
            ${{ steps.login-ecr.outputs.registry }}/${{ vars.CMS_REPOSITORY_NAME }}:${{ needs.set_environment.outputs.env_name }}

  deploy:
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 5 months ago):
To fix the issue, explicitly set a permissions block in the workflow file. The ideal approach is placing the block at the root, which will apply to all jobs, unless a job has its own specific block. Since the workflow performs actions like source checkout and docker pushes using AWS credentials (not GITHUB_TOKEN), the minimal required permission is typically contents: read. If jobs require greater permissions (e.g., creating PRs), those should be set only for those jobs. For this fix, we'll follow least privilege and add:
permissions:
  contents: read
at the top level, immediately after the name: field (and before on:). This ensures all jobs use the restricted permissions unless overridden.
| @@ -1,4 +1,6 @@ | ||
| name: Deploy to AWS | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: |
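Review bot: one job may need more than the root grant. `dorny/paths-filter@v3` in `trigger_build` reads changed files from git on push events, but on `pull_request` events it uses the GitHub API and needs `pull-requests: read`. If that trigger is ever added, give `trigger_build` its own `permissions:` block (`contents: read` plus `pull-requests: read`) rather than widening the root block; the image build and Beanstalk deploy jobs need nothing beyond `contents: read`, since they authenticate to AWS with the `PIPELINE_USER` secrets, not with the token.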
    name: Deploy Services to Amazon EBS
    needs: [set_environment, build_client, build_cms]
    if: >
      !failure() &&
      (
        needs.build_client.result == 'success' ||
        needs.build_cms.result == 'success'
      )
    runs-on: ubuntu-latest
    environment:
      name: ${{ needs.set_environment.outputs.env_name }}

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.PIPELINE_USER_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.PIPELINE_USER_SECRET_ACCESS_KEY }}
          aws-region: ${{ vars.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Generate docker compose file
        working-directory: infrastructure/terraform/source_bundle
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY_CLIENT: ${{ vars.CLIENT_REPOSITORY_NAME }}
          ECR_REPOSITORY_CMS: ${{ vars.CMS_REPOSITORY_NAME }}
          IMAGE_TAG: ${{ needs.set_environment.outputs.env_name }}
        run: |
          cat <<EOF >> docker-compose.yml
          services:
            client:
              image: $ECR_REGISTRY/$ECR_REPOSITORY_CLIENT:$IMAGE_TAG
              restart: always
              ports:
                - 3000:3000
              environment:
                - NODE_ENV=production
                - NEXTAUTH_SECRET=${{ secrets.NEXTAUTH_SECRET }}
                - NEXT_PUBLIC_PREVIEW_SECRET=${{ vars.NEXT_PUBLIC_PREVIEW_SECRET }}
            cms:
              image: $ECR_REGISTRY/$ECR_REPOSITORY_CMS:$IMAGE_TAG
              restart: always
              ports:
                - 1337:1337
              environment:
                - NODE_ENV=production
                - CMS_URL=${{ vars.CMS_URL }}
                - DATABASE_URL=${{ secrets.DATABASE_URL }}
                - DATABASE_HOST=${{ secrets.DATABASE_HOST }}
                - DATABASE_NAME=${{ secrets.DATABASE_NAME }}
                - DATABASE_PASSWORD=${{ secrets.DATABASE_PASSWORD }}
                - DATABASE_USERNAME=${{ secrets.DATABASE_USERNAME }}
                - DATABASE_PORT=${{ secrets.DATABASE_PORT }}
                - DATABASE_SSL=${{ vars.DATABASE_SSL }}
                - DATABASE_SSL_REJECT_UNAUTHORIZED=${{ vars.DATABASE_SSL_REJECT_UNAUTHORIZED }}
                - AWS_SES_ACCESS_KEY_ID=${{ secrets.AWS_SES_ACCESS_KEY_ID }}
                - AWS_SES_ACCESS_KEY_SECRET=${{ secrets.AWS_SES_ACCESS_KEY_SECRET }}
                - AWS_SES_DOMAIN=${{ secrets.AWS_SES_DOMAIN }}
                - AWS_S3_BUCKET=${{ vars.AWS_S3_BUCKET }}
                - AWS_S3_REGION=${{ vars.AWS_S3_REGION }}
                - AWS_S3_BUCKET_URL=${{ vars.AWS_S3_BUCKET_URL }}
                - ADMIN_JWT_SECRET=${{ secrets.ADMIN_JWT_SECRET }}
                - API_TOKEN_SALT=${{ secrets.API_TOKEN_SALT }}
                - JWT_SECRET=${{ secrets.JWT_SECRET }}
                - PORT=${{ secrets.PORT }}
            nginx:
              image: nginx
              restart: always
              volumes:
                - ./proxy/conf.d:/etc/nginx/conf.d
                - "\${EB_LOG_BASE_DIR}/nginx:/var/log/nginx"
              ports:
                - 80:80
              depends_on:
                - cms
                - client
          EOF

      - name: Generate zip file
        working-directory: infrastructure/terraform/source_bundle
        run: |
          zip -r deploy.zip * .[^.]*

      - name: Deploy to Amazon EB
        uses: einaregilsson/beanstalk-deploy@v21
        with:
          aws_access_key: ${{ secrets.PIPELINE_USER_ACCESS_KEY_ID }}
          aws_secret_key: ${{ secrets.PIPELINE_USER_SECRET_ACCESS_KEY }}
          application_name: ${{ vars.PROJECT_NAME}}-${{ needs.set_environment.outputs.env_name }}
          environment_name: ${{ vars.PROJECT_NAME}}-${{ needs.set_environment.outputs.env_name }}-env
          region: ${{ vars.AWS_REGION }}
          version_label: ${{ github.sha }}-${{ github.run_id }}-${{ github.run_attempt }}
          deployment_package: infrastructure/terraform/source_bundle/deploy.zip
          wait_for_deployment: true
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 5 months ago):
To fix this error, add an explicit permissions key to the workflow, either at the root level or per job. The best approach is to add a root-level permissions block, which applies to all jobs that do not define their own. Since the workflow only runs jobs that interact with external services and not with repository contents, issues, or pull requests on GitHub, setting the contents: read permission is sufficient and the most restrictive reasonable option. The change should be inserted after the workflow's name and before the on block (typically at the top of the file, before job definitions). No additional imports or code changes are required.
| @@ -1,4 +1,6 @@ | ||
| name: Deploy to AWS | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: |
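Review bot: the rationale above is wrong on one point even though the hunk is right. The jobs do interact with repository contents: `actions/checkout@v4` reads the repository with GITHUB_TOKEN, which is exactly why the floor is `contents: read` rather than the `permissions: {}` that the first autofix mentions as the most minimal starting point (with `{}` the checkout of a private repository fails). Keep the hunk, but do not copy that sentence into the commit message.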
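The five autofix suggestions all make the same change: a root-level `permissions: contents: read` that every job inherits unless it declares its own block. As an added example (not code from this PR, from CodeQL or from Copilot), the following Python checker reproduces the rule's logic over workflow text: it resolves the effective GITHUB_TOKEN permissions per job, from the root block or a job-level override, and lists the jobs that have none. The two embedded workflows are constructed, abbreviated versions of `deploy-aws.yml` before and after the fix; the job-level `pull-requests: read` override on `trigger_build` is hypothetical and only shows the override pattern the autofix text describes. The checker assumes the conventional two-space indentation of GitHub workflow files and uses no third-party YAML library.

```python
"""Audit GitHub Actions workflows for jobs that run without an explicit
GITHUB_TOKEN permissions block (the CodeQL "Workflow does not contain
permissions" rule). Added example: line-oriented, no PyYAML, assumes the
conventional two-space indentation (root keys at column 0, job ids at
column 2, job keys at column 4)."""
import re

# Constructed sample: shape of deploy-aws.yml before the autofix (abbreviated).
WORKFLOW_BEFORE = """\
name: Deploy to AWS
on:
  workflow_dispatch:
  push:
    paths:
      - 'infrastructure/**'
      - 'package.json'
jobs:
  set_environment:
    runs-on: ubuntu-latest
  trigger_build:
    runs-on: ubuntu-latest
  deploy:
    needs: [set_environment, trigger_build]
    runs-on: ubuntu-latest
"""

# Constructed sample: root least privilege plus a hypothetical job-level
# override for trigger_build (the pattern the autofix text describes).
WORKFLOW_AFTER = """\
name: Deploy to AWS
permissions:
  contents: read
on:
  workflow_dispatch:
jobs:
  set_environment:
    runs-on: ubuntu-latest
  trigger_build:
    permissions:
      contents: read
      pull-requests: read
    runs-on: ubuntu-latest
  deploy:
    runs-on: ubuntu-latest
"""

# Matches `key:` or `key: value`; list items (`- ...`) deliberately do not match.
_KEY_RE = re.compile(r"^(?P<indent> *)(?P<key>[A-Za-z0-9_.-]+):(?:\s+(?P<value>.*?))?\s*$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _skippable(line):
    return not line.strip() or line.lstrip().startswith("#")


def _parse_perms(lines, i, key_indent):
    """Parse the value of the `permissions:` key at lines[i].

    Returns (perms, next_index): a dict of scope -> level for block or flow
    mappings ({} for an inline `{}`), or the bare string for read-all/write-all.
    """
    value = (_KEY_RE.match(lines[i]).group("value") or "").strip()
    i += 1
    if value.startswith("{") and value.endswith("}"):   # flow mapping or `{}`
        perms = {}
        for part in value[1:-1].split(","):
            if ":" in part:
                k, v = part.split(":", 1)
                perms[k.strip()] = v.strip()
        return perms, i
    if value:                                            # read-all / write-all
        return value, i
    perms = {}                                           # block mapping below
    while i < len(lines):
        if _skippable(lines[i]):
            i += 1
            continue
        if _indent(lines[i]) <= key_indent:
            break
        m = _KEY_RE.match(lines[i])
        if m:
            perms[m.group("key")] = (m.group("value") or "").strip()
        i += 1
    return perms, i


def audit_workflow(text):
    """Return {'root': perms|None, 'jobs': {id: {'own', 'effective', 'flagged'}}}."""
    lines = text.splitlines()
    root, jobs, in_jobs, current, i = None, {}, False, None, 0
    while i < len(lines):
        line = lines[i]
        if _skippable(line):
            i += 1
            continue
        indent, m = _indent(line), _KEY_RE.match(line)
        if indent == 0:
            in_jobs, current = bool(m and m.group("key") == "jobs"), None
            if m and m.group("key") == "permissions":
                root, i = _parse_perms(lines, i, 0)
                continue
        elif in_jobs and indent == 2 and m and not m.group("value"):
            current = m.group("key")                      # a new job id
            jobs[current] = None
        elif in_jobs and indent == 4 and current and m and m.group("key") == "permissions":
            jobs[current], i = _parse_perms(lines, i, 4)  # job-level override
            continue
        i += 1
    report = {}
    for name, own in jobs.items():
        effective = own if own is not None else root
        report[name] = {"own": own, "effective": effective, "flagged": effective is None}
    return {"root": root, "jobs": report}


def missing_permissions(text):
    """Job ids whose GITHUB_TOKEN permissions are not explicitly set anywhere."""
    return [n for n, j in audit_workflow(text)["jobs"].items() if j["flagged"]]


if __name__ == "__main__":
    for label, wf in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(label, "flagged jobs:", missing_permissions(wf) or "none")
```

Run against `WORKFLOW_BEFORE` every job is flagged, because with no `permissions:` anywhere the token falls back to the repository's default token permissions, which may be read-write; against `WORKFLOW_AFTER` nothing is flagged, and `trigger_build` is reported with its own narrower grant while the other jobs inherit `contents: read` from the root. A job-level block replaces the root block entirely rather than merging with it, which is why the override repeats `contents: read`.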
- Add Terraform configuration for AWS infrastructure - Set up Elastic Beanstalk modules - Configure Docker deployment - Update infrastructure documentation asd qwe asd a as ACL acl jj ACL ac asd
Remove AWS SES integration as email functionality is no longer needed: - Remove email module from env module - Remove SES IAM access key resource and environment variables - Remove contact_email variable
No description provided.