Description
Summary
The GitHub Actions workflow_run event allows running workflows in response to other workflows. This makes it easier to secure PR automation: we can split the work into one workflow that extracts PR details and another that acts on the PR, instead of using pull_request_target, which would send a write token to any fork.

However, the challenge with workflow_run is that GitHub doesn't allow restricting where such a dependency (the triggering workflow) can be run. For example, Run Tests below could be a workflow that ran in the base repo or for any fork.
```yaml
on:
  workflow_run:
    workflows: [Run Tests]
    types:
      - completed
```
Besides the practice of manually approving fork workflows to run per PR (which we already do), we can do better by creating an additional security layer that only allows sensitive dependent workflows to run when the triggering workflow ran in the base repo.
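One way to implement that layer, as an added example rather than a workflow from the Powertools repository: a job-level `if` on the workflow_run consumer that checks the triggering run's `head_repository` against the base repo before any privileged step runs. The workflow, job and step names are assumptions; `Run Tests` is the upstream workflow name from the snippet above.

```yaml
# Added example (not from the Powertools repository): a workflow_run consumer
# that performs its privileged work only when the triggering "Run Tests" run
# came from this repository, not from a fork.
name: Act on PR (privileged)

on:
  workflow_run:
    workflows: [Run Tests]
    types:
      - completed

permissions:
  pull-requests: write   # the sensitive capability this gate protects

jobs:
  act-on-pr:
    runs-on: ubuntu-latest
    # Gate: the upstream run must have succeeded AND its head repository must be
    # this repository. A run for a fork PR reports the fork's owner/name here.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    env:
      # Pass event data through env rather than interpolating it into the script.
      HEAD_REPO: ${{ github.event.workflow_run.head_repository.full_name }}
      HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
      BASE_REPO: ${{ github.repository }}
    steps:
      - name: Record the guarded context
        run: |
          echo "triggering run: repo=$HEAD_REPO sha=$HEAD_SHA base=$BASE_REPO"
      # Privileged steps that use the write token go here.

  # Make fork-originated triggers visible in the run history instead of silently
  # skipping them, so the human approval step has something to review.
  flag-fork-trigger:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.head_repository.full_name != github.repository
    env:
      HEAD_REPO: ${{ github.event.workflow_run.head_repository.full_name }}
    steps:
      - run: echo "::warning::workflow_run triggered from fork $HEAD_REPO; privileged job skipped"
```

The check complements, rather than replaces, the manual approval: even if an approved fork run completes, the write-token job stays idle unless the trigger originated in the base repo.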
Why is this needed?
It increases our security posture by not relying solely on the human approval step. It also provides an example to support a feature request to the GitHub Actions team.
Which area does this relate to?
Automation, Governance
Solution
No response
Acknowledgment
- This request meets Lambda Powertools Tenets
- Should this be considered in other Lambda Powertools languages? i.e. Java, TypeScript