Update: [AEA-6581] - make assist me regression role available to assist me repo #2270
bencegadanyi1-nhs wants to merge 2 commits into main from
Pull request overview
Updates environment configuration to allow the NHSDigital/eps-assist-me GitHub Actions OIDC subject claim to assume the AssistMeRegressionTest role in non-prod environments, supporting regression workflows from the Assist Me repository.
Changes:
- Added repo:NHSDigital/eps-assist-me:* to AssistMeRegressionTestClaimFilters in dev/ref/qa/int environment settings.
- Expanded the set of repositories permitted to assume the Assist Me regression test role via OIDC sub claim filters.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| environmentSettings/ref.json | Adds eps-assist-me to Assist Me regression test OIDC claim filters in ref. |
| environmentSettings/qa.json | Adds eps-assist-me to Assist Me regression test OIDC claim filters in qa. |
| environmentSettings/int.json | Adds eps-assist-me to Assist Me regression test OIDC claim filters in int. |
| environmentSettings/dev.json | Adds eps-assist-me to Assist Me regression test OIDC claim filters in dev. |
| "repo:NHSDigital/electronic-prescription-service-api-regression-tests:*", | ||
| "repo:NHSDigital/eps-assist-me:*" |
In int, most OIDC sub claim filters for sensitive roles (e.g. DeploySubjectClaimFilters) are scoped to a protected GitHub Environment (...:environment:int), but AssistMeRegressionTestClaimFilters uses the broad repo:...:* pattern. Adding repo:NHSDigital/eps-assist-me:* means any workflow ref (including non-environment contexts) in that repo could assume the regression role. If the intent is to restrict this to the int environment, consider using an environment-scoped subject claim here (and aligning the existing regression-tests entry similarly).
| "repo:NHSDigital/electronic-prescription-service-api-regression-tests:*", | |
| "repo:NHSDigital/eps-assist-me:*" | |
| "repo:NHSDigital/electronic-prescription-service-api-regression-tests:environment:int", | |
| "repo:NHSDigital/eps-assist-me:environment:int" |
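The difference between the wildcard and environment-scoped filters discussed in this comment, as an added example that is not part of the pull request or the review. It assumes the filters are evaluated as IAM StringLike conditions on the token's sub claim; the sample subjects are constructed in GitHub's documented subject formats.

```python
import re

# Filters as they appear on this page for int: the wildcard form from the
# change and the environment-scoped form from the review suggestion.
WILDCARD = [
    "repo:NHSDigital/electronic-prescription-service-api-regression-tests:*",
    "repo:NHSDigital/eps-assist-me:*",
]
SCOPED = [
    "repo:NHSDigital/electronic-prescription-service-api-regression-tests:environment:int",
    "repo:NHSDigital/eps-assist-me:environment:int",
]

# Constructed sub claims (branch and "-fork" repo names are made up).
SAMPLE_SUBS = [
    "repo:NHSDigital/eps-assist-me:environment:int",
    "repo:NHSDigital/eps-assist-me:environment:dev",
    "repo:NHSDigital/eps-assist-me:ref:refs/heads/main",
    "repo:NHSDigital/eps-assist-me:ref:refs/heads/feature/constructed-branch",
    "repo:NHSDigital/eps-assist-me:pull_request",
    "repo:NHSDigital/eps-assist-me-fork:environment:int",
]

def string_like(pattern, value):
    """Assumed IAM StringLike semantics: '*' any run, '?' one char, case-sensitive."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch("".join(parts), value, re.DOTALL) is not None

def allowed(filters, sub):
    """True if any filter in the list matches the subject claim."""
    return any(string_like(f, sub) for f in filters)

def compare(subs=SAMPLE_SUBS):
    """Return {sub: (allowed by wildcard filters, allowed by scoped filters)}."""
    return {s: (allowed(WILDCARD, s), allowed(SCOPED, s)) for s in subs}

if __name__ == "__main__":
    print("wildcard  scoped  subject")
    for sub, (wide, narrow) in compare().items():
        print(f"{'ALLOW' if wide else 'deny':8}  {'ALLOW' if narrow else 'deny':6}  {sub}")
```

Run against the real sub values seen in the role's assume-role logs to check which workflows a narrower filter would cut off before changing it.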
| "AssistMeRegressionTestClaimFilters": [ | ||
| "repo:NHSDigital/electronic-prescription-service-api-regression-tests:*" | ||
| "repo:NHSDigital/electronic-prescription-service-api-regression-tests:*", | ||
| "repo:NHSDigital/eps-assist-me:*" | ||
| ], |
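Review bot: the added repo:NHSDigital/eps-assist-me:* entry in AssistMeRegressionTestClaimFilters ends in a bare wildcard, so it accepts every subject GitHub issues for that repository, including pull_request and any branch or tag ref, not only the workflow that runs the regression tests. If that workflow always runs from a known branch or GitHub Environment, name that suffix in place of the trailing *, and consider doing the same for the existing regression-tests entry on the line above.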
PR description says the Assist Me regression role should be available to the eps-assist-me repo, but this change is only applied to dev/ref/qa/int. environmentSettings/prod.json still has AssistMeRegressionTestClaimFilters limited to the regression-tests repo, so eps-assist-me still won't be able to assume the role in prod. If prod access is intentionally excluded, consider updating the PR description to reflect that; otherwise, the prod environment settings likely need the same addition.



Summary
Details
make assist me regression role available to assist me repo