17 changes: 17 additions & 0 deletions .github/workflows/ci.yml
@@ -206,3 +206,20 @@ jobs:
JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }}
JAVA_NUMERIC_VERSION: ${{ matrix.version }}
GITHUB_EVENT_NAME: $GITHUB_EVENT_NAME
notify:
needs:
[
staticAnalysis,
vectorTests,
vectorTestsMasterKeyProvider,
netVectorTests,
generateTestVectors,
releaseCI,
validateCI
]
if: ${{ failure() && github.event_name == 'schedule' }}
uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
with:
message: "Daily CI failed on `${{ github.repository }}`. View run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_CI }}
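Review bot: the `uses:` line at the end of the hunk references the reusable Slack workflow on the mutable `@main` branch, so any commit to that branch changes what this job runs with access to `SLACK_WEBHOOK_URL_CI`; pin to a full commit SHA (with the tag in a trailing comment) and let Dependabot bump it. Separately, `if: ${{ failure() && github.event_name == 'schedule' }}` only fires when a needed job fails; a cancelled scheduled run produces no alert, so consider `(failure() || cancelled())` if silent cancellations should also reach the channel.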
24 changes: 24 additions & 0 deletions .github/workflows/issue-notification.yml
@@ -0,0 +1,24 @@
name: Issue Created Notification
on:
issues:
types: [opened, reopened]
issue_comment:
types: [created]

jobs:
notify-issue:
if: github.event_name == 'issues'
uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
with:
message: "New github issue `${{ github.event.issue.title }}`. Link: ${{ github.event.issue.html_url }}"
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GHI }}

notify-comment:
Comment on lines +10 to +17

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 4 days ago)

To fix the problem, explicitly declare permissions so the GITHUB_TOKEN used by this workflow is restricted to the minimum needed. Since this workflow only reacts to issues and issue comments and sends notifications to Slack via a reusable workflow, it does not need write access to repository contents or other resources. The minimal safe configuration is to set permissions: { contents: read } at the workflow root, which ensures read-only access to repo contents while still allowing GitHub to expose the issue/comment event payload to the workflow. If the reusable workflow needs more (for example, issues: write), it can be requested there; from the caller’s perspective we keep things as tight as possible without changing any functional behavior.

Concretely:

  • Edit .github/workflows/issue-notification.yml.
  • Add a permissions: block right after the name: line (before on:) so it applies to all jobs.
  • Set contents: read as a minimal, least-privilege default. We are not changing any jobs, conditions, or secrets handling.

No additional imports or methods are needed, because this is a YAML configuration change only.

Suggested changeset 1: .github/workflows/issue-notification.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/issue-notification.yml b/.github/workflows/issue-notification.yml
--- a/.github/workflows/issue-notification.yml
+++ b/.github/workflows/issue-notification.yml
@@ -1,4 +1,6 @@
 name: Issue Created Notification
+permissions:
+  contents: read
 on:
   issues:
     types: [opened, reopened]
EOF
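Review bot: `contents: read` is more than this workflow needs; neither job checks out the repository, so the `permissions: {}` baseline that CodeQL itself suggests is the tighter choice. Note also that a caller-level `permissions` block caps the token scopes the called `slack-notification.yml` can receive, so confirm that workflow does not rely on broader permissions (posting to a webhook URL should need none) before applying the patch.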
if: github.event_name == 'issue_comment' && !github.event.issue.pull_request
uses: aws/aws-cryptographic-material-providers-library/.github/workflows/slack-notification.yml@main
with:
message: "New comment on issue `${{ github.event.issue.title }}`. Link: ${{ github.event.comment.html_url }}"
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_GHI }}
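Review bot: `${{ github.event.issue.title }}` in both `message:` inputs is text chosen by whoever opens the issue or comments on it, interpolated into a reusable-workflow input. That is safe only as long as `slack-notification.yml` never expands `inputs.message` inside a `run:` script (it should pass the value through `env:` instead); that contract is worth verifying before merging, since the called workflow is referenced on the mutable `@main` ref and can change later. The `!github.event.issue.pull_request` guard on `notify-comment` correctly excludes comments on pull requests. CodeQL's finding on both jobs stands: this file has no top-level `permissions:` block, and since nothing here checks out code, `permissions: {}` is the minimal setting.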

Comment on lines +18 to +24

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 4 days ago)

To fix the problem, explicitly set permissions for this workflow to the minimum required. These jobs only read issue and comment metadata to build Slack messages and do not need write access to the repository or issues. The safest general approach is to add a top-level permissions block (so it applies to both jobs) with read-only access to repository contents. If the reusable workflow needs additional scopes, they can be added there, but we should start from a restrictive baseline.

The single best change, without altering existing functionality, is to add at the root level of .github/workflows/issue-notification.yml a block such as:

permissions:
  contents: read

placed after the name: (or after the on: block—both are valid as long as it’s top-level). This will ensure the GITHUB_TOKEN has only read access to repository contents unless further narrowed or expanded in the called reusable workflow. No imports or additional methods are needed; it is purely a YAML configuration change.

Concretely: in .github/workflows/issue-notification.yml, insert a new permissions: block between the existing on: section and the jobs: section (around line 8), leaving all other lines unchanged.

Suggested changeset 1: .github/workflows/issue-notification.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/issue-notification.yml b/.github/workflows/issue-notification.yml
--- a/.github/workflows/issue-notification.yml
+++ b/.github/workflows/issue-notification.yml
@@ -5,6 +5,9 @@
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   notify-issue:
     if: github.event_name == 'issues'
EOF
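Review bot: this second autofix inserts the same top-level `permissions:` block that the first autofix places directly after `name:`; applying both patches yields two top-level `permissions` keys, which the workflow parser rejects as invalid YAML, so apply exactly one of them. The same observation applies here as to the first patch: with no checkout in either job, `permissions: {}` is tighter than `contents: read`.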