Remove use of web proxy in workflows

The use of a proxy causes the calls to the AWS API that pull Assessor Workbench files from an S3 bucket to fail. This is because the AWS CLI and boto3 both verify all certificates by default, and this is impossible with a proxy between them and AWS.
cisagov · Dec 13, 2024 · aed1661 · aed1661
1 parent e63ba29
commit aed1661
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 12 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -244,10 +244,14 @@ jobs:
           # - arm64
           - x86_64
     steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
-        with:
-          # Uses the organization variable unless overridden
-          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      # If we use this proxy then the calls to the AWS API to retrieve
+      # Assessor Workbench files from an S3 bucket fail.  For example, this
+      # Ansible task fails:
+      # https://github.com/cisagov/ansible-role-assessor-workbench/blob/26ef0a5e7d282f7656eb9687ddb1667b2e386f1b/tasks/main.yml#L11-L18
+      # - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      #   with:
+      #     # Uses the organization variable unless overridden
+      #     config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2

diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
@@ -51,10 +51,14 @@ jobs:
           # - arm64
           - x86_64
     steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
-        with:
-          # Uses the organization variable unless overridden
-          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      # If we use this proxy then the calls to the AWS API to retrieve
+      # Assessor Workbench files from an S3 bucket fail.  For example, this
+      # Ansible task fails:
+      # https://github.com/cisagov/ansible-role-assessor-workbench/blob/26ef0a5e7d282f7656eb9687ddb1667b2e386f1b/tasks/main.yml#L11-L18
+      # - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      #   with:
+      #     # Uses the organization variable unless overridden
+      #     config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -58,10 +58,14 @@ jobs:
           # - arm64
           - x86_64
     steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
-        with:
-          # Uses the organization variable unless overridden
-          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      # If we use this proxy then the calls to the AWS API to retrieve
+      # Assessor Workbench files from an S3 bucket fail.  For example, this
+      # Ansible task fails:
+      # https://github.com/cisagov/ansible-role-assessor-workbench/blob/26ef0a5e7d282f7656eb9687ddb1667b2e386f1b/tasks/main.yml#L11-L18
+      # - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      #   with:
+      #     # Uses the organization variable unless overridden
+      #     config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2