Merge branch 'develop' into feature/metrics-aspnetcore

Author: hjgraca

.github/workflows/build_changelog.yml

@@ -4,6 +4,9 @@ name: Build changelog
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   changelog:
     uses: ./.github/workflows/reusable_publish_changelog.yml

.github/workflows/codeql-analysis.yml

@@ -12,6 +12,9 @@ on:
   schedule:
     - cron: '42 8 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/dispatch_analytics.yml

@@ -7,22 +7,23 @@ on:
     - cron: '0 * * * *'
 
 permissions:
-  id-token: write
-  actions: read
-  checks: read
   contents: read
-  deployments: read
-  issues: read
-  discussions: read
-  packages: read
-  pages: read
-  pull-requests: read
-  repository-projects: read
-  security-events: read
-  statuses: read
 
 jobs:
   dispatch_token:
+    permissions:
+      id-token: write
+      actions: read
+      checks: read
+      deployments: read
+      issues: read
+      discussions: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      security-events: read
+      statuses: read
     if: github.repository == 'aws-powertools/powertools-lambda-dotnet'
     concurrency:
       group: analytics

.github/workflows/docs.yml

@@ -7,12 +7,13 @@ on:
   workflow_dispatch: {}
 
 permissions:
-  id-token: write
-  contents: write
-  pages: write
+  contents: read
 
 jobs:
   docs:
+    permissions:
+      id-token: write
+      contents: write
     # Force Github action to run only a single job at a time (based on the group name)
     # This is to prevent "race-condition" in publishing a new version of doc to `gh-pages`
     concurrency:
@@ -46,6 +47,9 @@ jobs:
             dist \
             s3://${{ secrets.AWS_DOCS_BUCKET }}/lambda-dotnet/
   apidocs:
+    permissions:
+      id-token: write
+      contents: write
     # Force Github action to run only a single job at a time (based on the group name)
     # This is to prevent "race-condition" in publishing a new version of doc to `gh-pages`
     concurrency:

.github/workflows/e2e-tests.yml

@@ -22,11 +22,12 @@ concurrency:
   group: e2e
 
 permissions:
-  id-token: write
   contents: read
 
 jobs:
   deploy-stack:
+    permissions:
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
@@ -44,18 +45,25 @@ jobs:
         with:
           dotnet-version: '8.x'
 
-      - name: Install CDK
-        run: npm install -g aws-cdk
+      - name: Setup Node.js
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "22"
+
+      - name: Setup dependencies
+        uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
 
       - name: Install AWS Lambda .NET CLI Tools
         run: dotnet tool install -g Amazon.Lambda.Tools
 
       - name: Deploy Stack
         run: |
           cd libraries/tests/e2e/infra
-          cdk deploy --all --require-approval never
+          npx cdk deploy --all --require-approval never
 
   deploy-aot-stack:
+    permissions:
+      id-token: write
     strategy:
       matrix:
         os: [ubuntu-24.04-arm, ubuntu-latest]
@@ -81,18 +89,25 @@ jobs:
         with:
           dotnet-version: '8.x'
 
-      - name: Install CDK
-        run: npm install -g aws-cdk
+      - name: Setup Node.js
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "22"
+          
+      - name: Setup dependencies
+        uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
 
       - name: Install AWS Lambda .NET CLI Tools
         run: dotnet tool install -g Amazon.Lambda.Tools
 
       - name: Deploy AOT Stack
         run: |
           cd libraries/tests/e2e/infra-aot
-          cdk deploy --all -c architecture=${{ matrix.arch }} --require-approval never
+          npx cdk deploy --all -c architecture=${{ matrix.arch }} --require-approval never
 
   run-tests:
+    permissions:
+      id-token: write 
     strategy:
       matrix:
         utility: [core, idempotency]
@@ -126,6 +141,8 @@ jobs:
           dotnet test --filter Category=AOT
 
   destroy-stack:
+    permissions:
+      id-token: write
     runs-on: ubuntu-latest
     needs: run-tests
     if: always()
@@ -140,18 +157,25 @@ jobs:
           aws-region: us-east-1
           mask-aws-account-id: true
 
-      - name: Install CDK
-        run: npm install -g aws-cdk
+      - name: Setup Node.js
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "22"
+          
+      - name: Setup dependencies
+        uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
 
       - name: Install AWS Lambda .NET CLI Tools
         run: dotnet tool install -g Amazon.Lambda.Tools
 
       - name: Destroy Stack
         run: |
           cd libraries/tests/e2e/infra
-          cdk destroy --all --force
+          npx cdk destroy --all --force
 
   destroy-aot-stack:
+    permissions:
+      id-token: write
     strategy:
       matrix:
         os: [ubuntu-24.04-arm, ubuntu-latest]
@@ -174,14 +198,19 @@ jobs:
           aws-region: us-east-1
           mask-aws-account-id: true
 
-      - name: Install CDK
-        run: npm install -g aws-cdk
+      - name: Setup Node.js
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "22"
+          
+      - name: Setup dependencies
+        uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
 
       - name: Install AWS Lambda .NET CLI Tools
         run: dotnet tool install -g Amazon.Lambda.Tools
 
       - name: Destroy arm64 AOT Stack
         run: |
           cd libraries/tests/e2e/infra-aot
-          cdk destroy --all -c architecture=${{ matrix.arch }} --force
+          npox cdk destroy --all -c architecture=${{ matrix.arch }} --force
       

.github/workflows/label_pr_on_title.yml

@@ -6,8 +6,13 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   get_pr_details:
+    permissions:
+      id-token: write
     # Guardrails to only ever run if PR recording workflow was indeed
     # run in a PR event and ran successfully
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
@@ -18,6 +23,8 @@ jobs:
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
   label_pr:
+    permissions:
+      id-token: write
     needs: get_pr_details
     runs-on: ubuntu-latest
     steps:

.github/workflows/on_label_added.yml

@@ -6,8 +6,13 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   get_pr_details:
+    permissions:
+      id-token: write
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:
@@ -20,8 +25,10 @@ jobs:
     needs: get_pr_details
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       issues: write
       pull-requests: write
+      id-token: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       # Maintenance: Persist state per PR as an artifact to avoid spam on label add

.github/workflows/on_merged_pr.yml

@@ -6,8 +6,14 @@ on:
     types:
       - completed
 
+permissions: 
+  contents: read
+
 jobs:
   get_pr_details:
+    permissions:
+      contents: read
+      id-token: write
     if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:
@@ -16,6 +22,9 @@ jobs:
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
   release_label_on_merge:
+    permissions:
+      contents: read
+      id-token: write
     needs: get_pr_details
     runs-on: ubuntu-latest
     if: needs.get_pr_details.outputs.prIsMerged == 'true'

.github/workflows/on_opened_pr.yml

@@ -6,8 +6,13 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   get_pr_details:
+    permissions:
+      id-token: write
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:
@@ -16,6 +21,9 @@ jobs:
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
   check_related_issue:
+    permissions:
+      contents: read
+      id-token: write
     needs: get_pr_details
     runs-on: ubuntu-latest
     steps:

.github/workflows/ossf_scorecard.yml

@@ -6,7 +6,7 @@ on:
   schedule:
     - cron: "0 9 * * *"
   push:
-    branches: [main]
+    branches: [develop]
   workflow_dispatch:
 
 permissions: read-all

.github/workflows/rebuild_latest_docs.yml

@@ -13,6 +13,9 @@ on:
         description: "Latest PyPi published version to rebuild latest docs for, e.g. 2.0.0"
         default: "2.0.0"
         required: true
+        
+permissions: 
+  contents: read
 
 jobs:
   changelog:

.github/workflows/record_pr.yml

@@ -4,6 +4,10 @@ on:
   pull_request:
     types: [opened, edited, closed]
 
+
+permissions: 
+  contents: read
+  
 jobs:
   record_pr:
     runs-on: ubuntu-latest

.github/workflows/release-drafter.yml

@@ -6,8 +6,13 @@ on:
       - develop
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
+    permissions:
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v5.20.1

.github/workflows/reusable_export_pr_details.yml

@@ -36,8 +36,13 @@ on:
         description: "Whether PR is merged"
         value: ${{ jobs.export_pr_details.outputs.prIsMerged }}
 
+permissions:
+  contents: read
+
 jobs:
   export_pr_details:
+    permissions:
+      id-token: write
     # see https://github.com/aws-powertools/powertools-lambda-python/issues/1349
     if: inputs.workflow_origin == 'aws-powertools/powertools-lambda-dotnet'
     runs-on: ubuntu-latest

.github/workflows/reusable_publish_changelog.yml

@@ -4,13 +4,15 @@ on:
   workflow_call:
 
 permissions:
-  contents: write
+  contents: read
 
 env:
   BRANCH: develop
 
 jobs:
   publish_changelog:
+    permissions:
+      contents: write
     # Force Github action to run only a single job at a time (based on the group name)
     # This is to prevent race-condition and inconsistencies with changelog push
     concurrency: