From a7099c5d90fcb9dc44b674932e9cdd351d8fcfe5 Mon Sep 17 00:00:00 2001 From: Yousei Takahashi Date: Wed, 8 Apr 2026 19:34:19 +0900 Subject: [PATCH 1/2] =?UTF-8?q?fix:=20GitHub=20Actions=E3=83=AF=E3=83=BC?= =?UTF-8?q?=E3=82=AF=E3=83=95=E3=83=AD=E3=83=BC=E3=81=AE=E3=82=BB=E3=82=AD?= =?UTF-8?q?=E3=83=A5=E3=83=AA=E3=83=86=E3=82=A3=E6=8C=87=E6=91=98=E4=BA=8B?= =?UTF-8?q?=E9=A0=85=E3=82=92=E4=BF=AE=E6=AD=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - actions/checkoutにpersist-credentials: falseを追加(artipacked対策) - 呼び出し元ワークフローにpermissions: contents: readを追加(excessive-permissions対策) - secrets: inheritを明示的なsecrets指定に変更(secrets-inherit対策) - zizmor設定ファイルを追加しsecrets-outside-envをdisable(Environment設定が必要なため) Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/_reusable_cdk_synth.yml | 2 ++ .github/workflows/_reusable_check.yml | 2 ++ .github/workflows/_reusable_deploy.yml | 2 ++ .github/workflows/_reusable_lambda_rie_test.yml | 2 ++ .github/workflows/on-pull_request.yml | 3 +++ .github/workflows/on-push-to-main.yml | 7 ++++++- .github/zizmor.yml | 3 +++ 7 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/_reusable_cdk_synth.yml b/.github/workflows/_reusable_cdk_synth.yml index 4319701..c72f0ec 100644 --- a/.github/workflows/_reusable_cdk_synth.yml +++ b/.github/workflows/_reusable_cdk_synth.yml @@ -8,6 +8,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: diff --git a/.github/workflows/_reusable_check.yml b/.github/workflows/_reusable_check.yml index de895c7..c5bb2bb 100644 --- a/.github/workflows/_reusable_check.yml +++ b/.github/workflows/_reusable_check.yml 
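Review bot: `persist-credentials: false` on the checkout step in _reusable_cdk_synth.yml (and the identical hunks in _reusable_check.yml, _reusable_deploy.yml and _reusable_lambda_rie_test.yml) stops the GITHUB_TOKEN from being written into the checked-out repository's git config, so any later step in these jobs that pushes to or fetches from the remote with git would now fail. Only the checkout and setup-node steps are visible in each hunk; the remainder of each job lies outside the hunk, so this is worth confirming against the full files. If no later step needs git credentials the change is complete as is, and a short comment such as `# token is not kept in .git/config; later steps must not push` would record that intent for the next editor.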
@@ -8,6 +8,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: diff --git a/.github/workflows/_reusable_deploy.yml b/.github/workflows/_reusable_deploy.yml index 40cb9a9..3781d14 100644 --- a/.github/workflows/_reusable_deploy.yml +++ b/.github/workflows/_reusable_deploy.yml @@ -16,6 +16,8 @@ jobs: contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: diff --git a/.github/workflows/_reusable_lambda_rie_test.yml b/.github/workflows/_reusable_lambda_rie_test.yml index 57ec191..a287964 100644 --- a/.github/workflows/_reusable_lambda_rie_test.yml +++ b/.github/workflows/_reusable_lambda_rie_test.yml @@ -8,6 +8,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: diff --git a/.github/workflows/on-pull_request.yml b/.github/workflows/on-pull_request.yml index 6def5fd..3540a83 100644 --- a/.github/workflows/on-pull_request.yml +++ b/.github/workflows/on-pull_request.yml @@ -2,6 +2,9 @@ name: on Pull Request on: pull_request: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number }} cancel-in-progress: true diff --git a/.github/workflows/on-push-to-main.yml b/.github/workflows/on-push-to-main.yml index 7dcd2b8..8e84898 100644 --- a/.github/workflows/on-push-to-main.yml +++ b/.github/workflows/on-push-to-main.yml @@ -4,6 +4,9 @@ on: push: branches: [main] +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true 
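Review bot: The workflow-level `permissions: contents: read` added in on-pull_request.yml (and the same block in on-push-to-main.yml) becomes the ceiling for every reusable workflow those jobs call, and the jobs themselves are outside both hunks. The follow-up patch already had to raise on-push-to-main.yml to `id-token: write` for the OIDC step in _reusable_deploy.yml, which shows the cap is effective; the same check is needed for whichever workflows on-pull_request.yml calls (anything that comments on the PR, for instance, would need `pull-requests: write`). If a called workflow needs more than `contents: read`, grant it on that calling job's own `permissions:` block rather than widening the workflow-level one.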
@@ -11,4 +14,6 @@ concurrency: jobs: deploy: uses: ./.github/workflows/_reusable_deploy.yml - secrets: inherit + secrets: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} + SLACK_SIGNING_SECRET: ${{ secrets.SLACK_SIGNING_SECRET }} diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..39d1b18 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,3 @@ +rules: + secrets-outside-env: + disable: true From d5fb406e7bfd5697a37fc781797e79de637bf0f4 Mon Sep 17 00:00:00 2001 From: Yousei Takahashi Date: Wed, 8 Apr 2026 19:39:25 +0900 Subject: [PATCH 2/2] =?UTF-8?q?fix:=20=E3=83=87=E3=83=97=E3=83=AD=E3=82=A4?= =?UTF-8?q?=E3=83=AF=E3=83=BC=E3=82=AF=E3=83=95=E3=83=AD=E3=83=BC=E3=81=AB?= =?UTF-8?q?id-token:=20write=E6=A8=A9=E9=99=90=E3=82=92=E8=BF=BD=E5=8A=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit reusable側でOIDC認証に必要なid-token: writeが呼び出し元で許可されていないと aws-actions/configure-aws-credentialsが失敗するため追加 Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/on-push-to-main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/on-push-to-main.yml b/.github/workflows/on-push-to-main.yml index 8e84898..4573450 100644 --- a/.github/workflows/on-push-to-main.yml +++ b/.github/workflows/on-push-to-main.yml @@ -6,6 +6,7 @@ on: permissions: contents: read + id-token: write concurrency: group: ${{ github.workflow }}-${{ github.ref }}
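Review bot: Replacing `secrets: inherit` with the explicit mapping in on-push-to-main.yml only works if _reusable_deploy.yml declares `SLACK_BOT_TOKEN` and `SLACK_SIGNING_SECRET` under `on.workflow_call.secrets`; with `inherit` a called workflow can read secrets it never declared, so that declaration may well be missing, and the run would then fail validation with a "not defined in the referenced workflow" error. The `on:` block of _reusable_deploy.yml is not part of this diff, so this cannot be confirmed here. If it is missing, add under `workflow_call` in _reusable_deploy.yml: `secrets:` / `SLACK_BOT_TOKEN: { required: true }` / `SLACK_SIGNING_SECRET: { required: true }`. It is also worth checking that `inherit` was not carrying any other secret the deploy workflow reads, since those would now arrive empty.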
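Review bot: The new .github/zizmor.yml disables `secrets-outside-env` for the whole repository without saying why, so the reason given in the commit message (no GitHub Environment is configured yet) is lost to anyone reading the config. A comment above the rule, such as `# Disabled until the deploy secrets are moved into a GitHub Environment; re-enable then.`, keeps the rationale with the file. If only the deploy workflow triggers the finding, zizmor's per-rule `ignore:` list scoped to that workflow file would keep the rule active for the other workflows instead of `disable: true`.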
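Review bot: `id-token: write` is added at the workflow level of on-push-to-main.yml, which lets every job in that workflow mint an OIDC token, not only the one calling _reusable_deploy.yml. Only the `deploy` job is visible in the earlier hunk of this file, so the practical scope is the same today, but a job-level block would keep the grant with the job that needs it and survive the later addition of other jobs: under `deploy:` add `permissions:` / `contents: read` / `id-token: write`, and leave the workflow-level block at `contents: read` only.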