
ci: add workflow permissions and update vulnerable dependencies #2388

Open

yonib05 wants to merge 2 commits into strands-agents:main from yonib05:fix/workflow-permissions-and-deps

Conversation


@yonib05 yonib05 commented May 29, 2026

Summary

  • Add explicit permissions: declarations to jobs missing them (ci-gate in ci.yml, check-links in python-check-markdown-links.yml)
  • Bump aws-cdk-lib from 2.192.0 to 2.257.0 in all CDK example projects to resolve transitive dependency vulnerabilities (minimatch, yaml, ajv, fast-uri, brace-expansion)
  • Update root and site package-lock.json to resolve qs advisory

Test plan

  • Verify CI workflow still passes (ci-gate job uses no token, so permissions: {} is correct)
  • Verify CDK examples still synthesize correctly with aws-cdk-lib 2.257.0
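
The job-level `permissions:` declarations the PR describes, as an added illustrative workflow that is not the repository's actual ci.yml or python-check-markdown-links.yml; the job names come from the PR, and the steps are assumed placeholders:

```yaml
# Illustrative workflow, not the project's own file. Job names are taken from
# the PR description; the steps are assumed placeholders.
name: ci

# Without a `permissions:` key on a job, the GITHUB_TOKEN handed to that job
# falls back to the workflow-level key (absent here) and then to the
# repository's default token permissions, which can include write scopes the
# job never uses. A job-level `permissions:` block replaces that inherited set
# rather than merging with it, so every scope not listed becomes `none`.

jobs:
  ci-gate:
    runs-on: ubuntu-latest
    permissions: {}                 # empty map: all scopes `none`, no token access
    steps:
      - run: echo "all required checks passed"   # placeholder; never uses the token

  check-links:
    runs-on: ubuntu-latest
    permissions:
      contents: read                # needed only to check the repository out
      issues: write                 # needed only to open an issue for broken links
    steps:
      - uses: actions/checkout@v4   # assumed step; this is why `contents: read` is required
      - run: echo "link check goes here"   # placeholder for the markdown link checker
```

Because a job-level block replaces the inherited permissions entirely, a job that later needs an additional scope must list it explicitly rather than relying on repository defaults.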

yonib05 added 2 commits May 29, 2026 14:30
- Add permissions: {} to ci-gate job (needs no token access)
- Add permissions: contents: read, issues: write to
  check-links job (reads repo, may create issues)
- Bump aws-cdk-lib from 2.192.0 to 2.257.0 in CDK example projects
  (resolves minimatch, yaml, ajv, fast-uri, brace-expansion advisories)
- Run npm update on root and site package-lock.json (resolves qs advisory)
@yonib05 yonib05 force-pushed the fix/workflow-permissions-and-deps branch from a2984c1 to 2d74cb8 on May 29, 2026 18:31
@github-actions github-actions Bot added size/xl and removed size/xl labels May 29, 2026
@github-actions
Contributor

Assessment: Approve

Clean and well-scoped security hardening PR. The workflow permission declarations follow the principle of least privilege correctly (permissions: {} for ci-gate which needs no token, and contents: read + issues: write for the link checker which needs exactly those). The aws-cdk-lib bump is consistent across all four CDK examples and resolves documented transitive vulnerabilities.

Review Notes
  • Workflow Permissions: Both additions are correct and minimal — no over-provisioning.
  • Dependency Updates: The aws-cdk-lib 2.192.0 → 2.257.0 bump is a minor-version update within CDK v2, low risk for example projects. Lock file churn accounts for virtually all the line count.
  • Scope: No production code or API changes — purely CI/infrastructure.

Straightforward security improvement — LGTM.

@codecov

codecov Bot commented May 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@github-actions
Contributor

Documentation Preview Ready

Your documentation preview has been successfully deployed!

Preview URL: https://d3ehv1nix5p99z.cloudfront.net/pr-cms-2388/docs/user-guide/quickstart/overview/

Updated at: 2026-05-29T18:36:50.319Z
