fix(ci): Workflow permissions (#774)

* fix(ci): Update image

* add aws-cdk-lib

* update branch to check

* permissions added

* use cached deps for node

Author: sthulb

.github/workflows/e2e-tests.yml

@@ -45,8 +45,13 @@ jobs:
         with:
           dotnet-version: '8.x'
 
-      - name: Install CDK
-        run: npm install
+      - name: Setup Node.js
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "22"
+
+      - name: Setup dependencies
+        uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
 
       - name: Install AWS Lambda .NET CLI Tools
         run: dotnet tool install -g Amazon.Lambda.Tools
@@ -84,8 +89,13 @@ jobs:
         with:
           dotnet-version: '8.x'
 
-      - name: Install CDK
-        run: npm install
+      - name: Setup Node.js
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "22"
+          
+      - name: Setup dependencies
+        uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
 
       - name: Install AWS Lambda .NET CLI Tools
         run: dotnet tool install -g Amazon.Lambda.Tools
@@ -147,8 +157,13 @@ jobs:
           aws-region: us-east-1
           mask-aws-account-id: true
 
-      - name: Install CDK
-        run: npm install
+      - name: Setup Node.js
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "22"
+          
+      - name: Setup dependencies
+        uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
 
       - name: Install AWS Lambda .NET CLI Tools
         run: dotnet tool install -g Amazon.Lambda.Tools
@@ -183,8 +198,13 @@ jobs:
           aws-region: us-east-1
           mask-aws-account-id: true
 
-      - name: Install CDK
-        run: npm install
+      - name: Setup Node.js
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "22"
+          
+      - name: Setup dependencies
+        uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
 
       - name: Install AWS Lambda .NET CLI Tools
         run: dotnet tool install -g Amazon.Lambda.Tools

.github/workflows/on_label_added.yml

@@ -25,6 +25,7 @@ jobs:
     needs: get_pr_details
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       issues: write
       pull-requests: write
       id-token: write

.github/workflows/on_merged_pr.yml

@@ -12,6 +12,7 @@ permissions:
 jobs:
   get_pr_details:
     permissions:
+      contents: read
       id-token: write
     if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
     uses: ./.github/workflows/reusable_export_pr_details.yml
@@ -22,6 +23,7 @@ jobs:
       token: ${{ secrets.GITHUB_TOKEN }}
   release_label_on_merge:
     permissions:
+      contents: read
       id-token: write
     needs: get_pr_details
     runs-on: ubuntu-latest

.github/workflows/on_opened_pr.yml

@@ -22,6 +22,7 @@ jobs:
       token: ${{ secrets.GITHUB_TOKEN }}
   check_related_issue:
     permissions:
+      contents: read
       id-token: write
     needs: get_pr_details
     runs-on: ubuntu-latest

.github/workflows/ossf_scorecard.yml

@@ -6,7 +6,7 @@ on:
   schedule:
     - cron: "0 9 * * *"
   push:
-    branches: [main]
+    branches: [develop]
   workflow_dispatch:
 
 permissions: read-all

Dockerfile

@@ -1,4 +1,5 @@
-FROM mcr.microsoft.com/dotnet/sdk:6.0-bullseye-slim AS build-image
+# 6.0-bullseye-slim
+FROM mcr.microsoft.com/dotnet/sdk@sha256:fc71510497ce2ec3575359068b9c7b1b9f449cfdb0371b5c71a939963a2fedfd AS build-image
 
 ARG FUNCTION_DIR="/build"
 ARG SAM_BUILD_MODE="run"