chore(ci): address ossf scorecard findings on npm, pip, and top-level permission leftover (#2694)

heitorlessa · web-flow · commit 1d53b840777e · 2023-07-06T14:34:15.000+02:00
diff --git a/.github/workflows/publish_v2_layer.yml b/.github/workflows/publish_v2_layer.yml
@@ -85,7 +85,7 @@ jobs:
         # therefore it ignores both activated virtual env and cached interpreter by GH
         run: |
           poetry export --format requirements.txt --output requirements.txt
-          pip install -r requirements.txt
+          pip install --require-hashes -r requirements.txt
       - name: Set up QEMU
         uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.0.0
         with:
@@ -101,7 +101,7 @@ jobs:
       - name: install cdk and deps
         working-directory: ./
         run: |
-          npm install
+          npm ci
           npx cdk --version
       - name: CDK build
         run: npx cdk synth --verbose --context version="${{ inputs.latest_published_version }}" -o cdk.out
diff --git a/.github/workflows/reusable_deploy_v2_layer_stack.yml b/.github/workflows/reusable_deploy_v2_layer_stack.yml
@@ -147,11 +147,11 @@ jobs:
         # therefore it ignores both activated virtual env and cached interpreter by GH
         run: |
           poetry export --format requirements.txt --output requirements.txt
-          pip install -r requirements.txt
+          pip install --require-hashes -r requirements.txt
       - name: install cdk and deps
         working-directory: ./
         run: |
-          npm install
+          npm ci
           npx cdk --version
       - name: install deps
         run: poetry install
diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml
@@ -28,9 +28,7 @@ on:
         default: develop
 
 permissions:
-  id-token: write  # trade JWT token for AWS credentials in AWS Docs account
-  contents: write  # push to gh-pages
-  pages: write     # deploy gh-pages website
+  contents: read
 
 jobs:
   publish_docs:
@@ -40,6 +38,10 @@ jobs:
       group: on-docs-rebuild
     runs-on: ubuntu-latest
     environment: "Docs"
+    permissions:
+      contents: write  # push to gh-pages
+      id-token: write  # trade JWT token for AWS credentials in AWS Docs account
+      pages: write     # uncomment if mike fails as we migrated to S3 hosting
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
         with:
@@ -110,7 +112,7 @@ jobs:
         #   1. Download the versions.json file from S3
         #   2. Find any reference to the alias and delete it from the versions file
         #   3. This is voodoo (don't use JQ):
-        #      - we assign the input as $o and the new version/alias as $n, 
+        #      - we assign the input as $o and the new version/alias as $n,
         #      - we check if the version number exists in the file already (for republishing docs)
         #      - if it's an alias (stage/latest/*) or old version, we do nothing and output $o (original input)
         #      - if it's a new version number, we add it at position 0 in the array.
diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml
@@ -66,7 +66,7 @@ jobs:
           node-version: "16.12"
       - name: Install CDK CLI
         run: |
-          npm install
+          npm ci
           npx cdk --version
       - name: Install dependencies
         run: make dev
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -3,5 +3,8 @@
   "version": "1.0.0",
   "devDependencies": {
     "aws-cdk": "^2.86.0"
+  },
+  "dependencies": {
+    "package-lock.json": "^1.0.0"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -3,5 +3,8 @@`
`3`	`3`	`"version": "1.0.0",`
`4`	`4`	`"devDependencies": {`
`5`	`5`	`"aws-cdk": "^2.86.0"`
	`6`	`+ },`
	`7`	`+ "dependencies": {`
	`8`	`+ "package-lock.json": "^1.0.0"`
`6`	`9`	`}`
`7`	`10`	`}`