feat: Security fix and pre-commit fixes (#906)

vara-bonthu · web-flow · commit 2f476840c623 · 2025-09-26T12:12:49.000-07:00
Signed-off-by: vara-bonthu &lt;vara.bonthu@gmail.com&gt;
diff --git a/.github/workflows/plan-examples.yml b/.github/workflows/plan-examples.yml
@@ -7,6 +7,10 @@ concurrency:
   group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   getExampleDirectories:
     name: Get example directories
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -19,6 +19,10 @@ concurrency:
   group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   collectInputs:
     name: Collect workflow inputs
diff --git a/.github/workflows/website-deploy.yaml b/.github/workflows/website-deploy.yaml
@@ -7,10 +7,19 @@ on:
     # Review gh actions docs if you want to further define triggers, paths, etc
     # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#on
 
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
 jobs:
   deploy:
     name: Deploy to GitHub Pages
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
     defaults:
       run:
         shell: bash
diff --git a/.github/workflows/website-test-deploy.yml b/.github/workflows/website-test-deploy.yml
@@ -5,10 +5,15 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   test-deploy:
     name: Test deployment
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     defaults:
       run:
         shell: bash
diff --git a/distributed-databases/cloudnative-postgres/README.md b/distributed-databases/cloudnative-postgres/README.md
@@ -47,7 +47,6 @@ Checkout the [documentation website](https://awslabs.github.io/data-on-eks/docs/
 | [kubernetes_storage_class.ebs_csi_encrypted_gp3_storage_class](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [random_password.grafana](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [random_string.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
-| [aws_ami.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
diff --git a/distributed-databases/cloudnative-postgres/data.tf b/distributed-databases/cloudnative-postgres/data.tf
@@ -13,21 +13,6 @@ data "aws_availability_zones" "available" {
 data "aws_caller_identity" "current" {}
 
 
-data "aws_ami" "eks" {
-  owners      = ["amazon"]
-  most_recent = true
-
-  filter {
-    name   = "name"
-    values = ["amazon-eks-node-al2023-arm64-standard-${var.eks_cluster_version}-*"]
-  }
-
-  filter {
-    name   = "architecture"
-    values = ["arm64"]
-  }
-}
-
 data "aws_iam_policy_document" "irsa_backup_policy" {
   statement {
     sid       = ""
diff --git a/streaming/emr-eks-flink/README.md b/streaming/emr-eks-flink/README.md
@@ -18,7 +18,6 @@ Checkout the [documentation website](https://awslabs.github.io/data-on-eks/docs/
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.95 |
-| <a name="provider_aws.ecr"></a> [aws.ecr](#provider\_aws.ecr) | ~> 5.95 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | ~> 2.17 |
 | <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.10 |
 
@@ -50,7 +49,6 @@ Checkout the [documentation website](https://awslabs.github.io/data-on-eks/docs/
 | [kubernetes_namespace_v1.flink_team_a](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_ecrpublic_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecrpublic_authorization_token) | data source |
 | [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
 | [aws_iam_policy_document.flink_sample_job](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
diff --git a/streaming/emr-eks-flink/main.tf b/streaming/emr-eks-flink/main.tf
@@ -14,10 +14,6 @@ data "aws_eks_cluster_auth" "this" {
   name = module.eks.cluster_name
 }
 
-data "aws_ecrpublic_authorization_token" "token" {
-  provider = aws.ecr
-}
-
 data "aws_availability_zones" "available" {}
 
 data "aws_caller_identity" "current" {}
diff --git a/website/package-lock.json b/website/package-lock.json

Original file line number	Diff line number	Diff line change
`@@ -14,10 +14,6 @@ data "aws_eks_cluster_auth" "this" {`
`14`	`14`	`name = module.eks.cluster_name`
`15`	`15`	`}`
`16`	`16`
`17`		`-data "aws_ecrpublic_authorization_token" "token" {`
`18`		`- provider = aws.ecr`
`19`		`-}`
`20`		`-`
`21`	`17`	`data "aws_availability_zones" "available" {}`
`22`	`18`
`23`	`19`	`data "aws_caller_identity" "current" {}`