Skip to content

chore(CI): add slack notifications #2179

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
rishav-karanjit wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(CI): add slack notifications #2179

rishav-karanjit wants to merge 1 commit into from

Conversation

@rishav-karanjit
Copy link
Member

@rishav-karanjit rishav-karanjit commented Jan 9, 2026

Issue #, if available:

Description of changes:

Adding slacking notification on daily CI failure and issue creation.

Similar PR in DB-ESDK: aws/aws-database-encryption-sdk-dynamodb#1964

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Check any applicable:

  • Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.

@rishav-karanjit rishav-karanjit requested a review from a team as a code owner January 9, 2026 18:25
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 9, 2026
View reviewed changes
.github/workflows/issue-notification.yml
Comment on lines +10 to +17
if: github.event_name == 'issues'
uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
with:
message: "New github issue `${{ github.event.issue.title }}`. Link: ${{ github.event.issue.html_url }}"
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GHI }}

notify-comment:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 days ago

To fix the problem, explicitly declare permissions so the GITHUB_TOKEN used by this workflow is restricted to the minimum needed. Since this workflow only reacts to issues and issue comments and sends notifications to Slack via a reusable workflow, it does not need write access to repository contents or other resources. The minimal safe configuration is to set permissions: { contents: read } at the workflow root, which ensures read-only access to repo contents while still allowing GitHub to expose the issue/comment event payload to the workflow. If the reusable workflow needs more (for example, issues: write), it can be requested there; from the caller’s perspective we keep things as tight as possible without changing any functional behavior.

Concretely:

  • Edit .github/workflows/issue-notification.yml.
  • Add a permissions: block right after the name: line (before on:) so it applies to all jobs.
  • Set contents: read as a minimal, least-privilege default. We are not changing any jobs, conditions, or secrets handling.

No additional imports or methods are needed, because this is a YAML configuration change only.

Suggested changeset 1
.github/workflows/issue-notification.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/issue-notification.yml b/.github/workflows/issue-notification.yml
--- a/.github/workflows/issue-notification.yml
+++ b/.github/workflows/issue-notification.yml
@@ -1,4 +1,6 @@
 name: Issue Created Notification
+permissions:
+  contents: read
 on:
   issues:
     types: [opened, reopened]
EOF
@@ -1,4 +1,6 @@
name: Issue Created Notification
permissions:
contents: read
on:
issues:
types: [opened, reopened]
Copilot is powered by AI and may make mistakes. Always verify output.
.github/workflows/issue-notification.yml
Comment on lines +18 to +24
if: github.event_name == 'issue_comment' && !github.event.issue.pull_request
uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
with:
message: "New comment on issue `${{ github.event.issue.title }}`. Link: ${{ github.event.comment.html_url }}"
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GHI }}

No newline at end of file

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 days ago

To fix the problem, explicitly set permissions for this workflow to the minimum required. These jobs only read issue and comment metadata to build Slack messages and do not need write access to the repository or issues. The safest general approach is to add a top-level permissions block (so it applies to both jobs) with read-only access to repository contents. If the reusable workflow needs additional scopes, they can be added there, but we should start from a restrictive baseline.

The single best change, without altering existing functionality, is to add at the root level of .github/workflows/issue-notification.yml a block such as:

permissions:
  contents: read

placed after the name: (or after the on: block—both are valid as long as it’s top-level). This will ensure the GITHUB_TOKEN has only read access to repository contents unless further narrowed or expanded in the called reusable workflow. No imports or additional methods are needed; it is purely a YAML configuration change.

Concretely: in .github/workflows/issue-notification.yml, insert a new permissions: block between the existing on: section and the jobs: section (around line 8), leaving all other lines unchanged.

Suggested changeset 1
.github/workflows/issue-notification.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/issue-notification.yml b/.github/workflows/issue-notification.yml
--- a/.github/workflows/issue-notification.yml
+++ b/.github/workflows/issue-notification.yml
@@ -5,6 +5,9 @@
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   notify-issue:
     if: github.event_name == 'issues'
EOF
@@ -5,6 +5,9 @@
issue_comment:
types: [created]

permissions:
contents: read

jobs:
notify-issue:
if: github.event_name == 'issues'
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rishav-karanjit