Maintenance: Harden GitHub Actions workflow permissions for security compliance

[dreamorosi]

Summary

Multiple GitHub Actions workflows in this repository have security code scanning alerts related to token permissions. There are 6 open alerts across 6 workflow files related to permission configuration:

Alert	Rule	Severity	File
#239	githubactions:S8264	Low	reusable-run-linting-check-and-unit-tests.yml
#238	githubactions:S8234	Low	ossf_scorecard.yml
#237	githubactions:S8264	Low	quality_check.yml
#236	githubactions:S8264	Low	publish_layer.yml
#235	githubactions:S8264	Low	layers_partitions.yml
#233	TokenPermissionsID	High	layers_partitions_deploy.yml

The alerts fall into two categories:

1. S8264: Read permissions defined at workflow level instead of job level (4 alerts)
2. S8234/TokenPermissionsID: Overly broad permission declarations (2 alerts)

Why is this needed?

1. Security best practice: Following the principle of least privilege reduces attack surface if a workflow is compromised
2. OSSF Scorecard compliance: Proper permission configuration contributes to a higher security score
3. Defense in depth: Ensures new jobs fail safely (no permissions) rather than inheriting potentially unnecessary access
4. CWE-266 compliance: Addresses "Incorrect Privilege Assignment" vulnerability class

Which area does this relate to?

Automation

Solution

Apply a two-layer permission strategy that satisfies both SonarCloud and OSSF Scorecard requirements:

1. Set restrictive top-level permissions

permissions: {}  # Disables all permissions at workflow level

Per GitHub docs, this "disables permissions for all available scopes."

2. Declare permissions at each job level

jobs:
  example-job:
    permissions:
      contents: read  # Only grant what this specific job needs
    runs-on: ubuntu-latest

Job-level permissions override workflow-level, so each job gets exactly what it declares.

Files to update:

• .github/workflows/reusable-run-linting-check-and-unit-tests.yml
• .github/workflows/ossf_scorecard.yml
• .github/workflows/quality_check.yml
• .github/workflows/publish_layer.yml
• .github/workflows/layers_partitions.yml
• .github/workflows/layers_partitions_deploy.yml

Benefits:

Requirement	Result
OSSF Scorecard	10/10 - Top-level permissions defined and restrictive
SonarCloud S8264	Resolved - Read permissions at job level
SonarCloud S8234	Resolved - No read-all/write-all at workflow level

Acknowledgment

• This request meets Powertools for AWS Lambda (TypeScript) Tenets
• Should this be considered in other Powertools for AWS Lambda languages? i.e. Python, Java, and .NET

Future readers

Please react with 👍 and your use case to help us understand customer demand.

[powertools-for-aws-oss-automation]

Warning

This issue is now closed. Please be mindful that future comments are hard for our team to see.
If you need more assistance, please either reopen the issue, or open a new issue referencing this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[github-actions]

This is now released under v2.30.1 version!