Fix CI: E2E OIDC credential failure and npm audit vulnerabilities#3
Merged
Conversation
The E2E tests require AWS OIDC credentials (E2E_AWS_ROLE_ARN secret and e2e-testing environment) that only exist on the upstream aws/agentcore-cli repo. On forks, the push-to-main trigger fires on every merge but always fails with "Could not load credentials from any providers" since the OIDC trust policy is scoped to the upstream repo. Remove the push trigger so E2E only runs via workflow_dispatch (manual) and weekly schedule. GitHub Actions already suppresses scheduled workflows on forks, so this effectively makes E2E manual-only on forks while preserving full functionality upstream.
npm audit fix resolves 7 of 11 vulnerabilities:
- protobufjs: code injection, DoS, prototype pollution (high)
- fast-uri: path traversal, host confusion (high)
- fast-xml-builder: attribute bypass, comment regex bypass (high)
- uuid: buffer bounds check (moderate)
- @protobufjs/utf8: overlong UTF-8 decoding (moderate)
- ip-address: XSS in Address6 (moderate)

Remaining 4 moderate-severity findings (fast-xml-parser in @aws-sdk/core, fast-uri bundled in aws-cdk-lib) cannot be resolved without major version bumps from AWS SDK upstream. The security:audit CI check uses --audit-level=high so these moderate findings do not block.
Summary
- E2E Tests: Remove the `push: branches: [main]` trigger from `e2e-tests-full.yml`. The E2E suite requires AWS OIDC credentials (`E2E_AWS_ROLE_ARN` secret, `e2e-testing` environment) that only exist on the upstream `aws/agentcore-cli` repo. On our fork, every merge to main triggered the workflow, which always failed with "Could not load credentials from any providers." The workflow retains `workflow_dispatch` (manual) and `schedule` (weekly) triggers.
- npm audit: `npm audit fix` resolves all high-severity findings (protobufjs code injection/DoS/prototype pollution, fast-uri path traversal/host confusion, fast-xml-builder attribute bypass). Remaining moderate-severity findings are in AWS SDK transitive deps that require upstream major bumps. The `security:audit` CI check uses `--audit-level=high` so moderate findings pass.

Test plan
- Quality and Safety Checks workflow passes (security:audit job exits 0)
- E2E Tests (Full Suite) no longer triggers on push to main
- Build and Test continues to pass
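The gating logic the `security:audit` check relies on, as an added example that is not part of this PR or the aws/agentcore-cli code base: it evaluates an `npm audit --json` style report against an audit level the way `--audit-level=high` does, and simulates `npm audit fix` by dropping findings that report a fix. The report, package names and `fixAvailable` values are a constructed sample, not real audit output.

```javascript
// Added example: apply the `--audit-level` threshold to an npm audit report.
// npm exits non-zero only when a finding meets or exceeds the requested level.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample shaped like npm's auditReportVersion 2 output (not real data):
// one fixable high finding and two moderate findings in transitive deps with no fix.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    protobufjs: { name: "protobufjs", severity: "high", isDirect: false, fixAvailable: true },
    "fast-xml-parser": { name: "fast-xml-parser", severity: "moderate", isDirect: false, fixAvailable: false },
    "fast-uri": { name: "fast-uri", severity: "moderate", isDirect: false, fixAvailable: false },
  },
};

// Findings whose severity is at or above the given audit level.
function findingsAtOrAbove(report, level) {
  const min = SEVERITY_RANK[level];
  if (min === undefined) throw new Error(`unknown audit level: ${level}`);
  return Object.values(report.vulnerabilities || {}).filter(
    (v) => (SEVERITY_RANK[v.severity] ?? -1) >= min,
  );
}

// Exit status a CI job would see from `npm audit --audit-level=<level>`.
function auditExitCode(report, level) {
  return findingsAtOrAbove(report, level).length > 0 ? 1 : 0;
}

// Simulate `npm audit fix`: findings with an available fix disappear, the rest remain.
function afterFix(report) {
  const remaining = {};
  for (const [key, v] of Object.entries(report.vulnerabilities || {})) {
    if (!v.fixAvailable) remaining[key] = v;
  }
  return { ...report, vulnerabilities: remaining };
}

// Unfixable findings, listed so they are tracked rather than silently passed by the gate.
function unfixableSummary(report) {
  return Object.values(report.vulnerabilities || {})
    .filter((v) => v.fixAvailable === false)
    .map((v) => `${v.name} (${v.severity})`)
    .sort();
}

console.log("before fix, --audit-level=high exit:", auditExitCode(sampleReport, "high"));
console.log("after fix, --audit-level=high exit:", auditExitCode(afterFix(sampleReport), "high"));
console.log("after fix, --audit-level=moderate exit:", auditExitCode(afterFix(sampleReport), "moderate"));
console.log("still unfixable:", unfixableSummary(afterFix(sampleReport)));
```

The moderate-only remainder passes at `high` but would still fail a `moderate` gate, which is why the level choice, not the fix, is what keeps the check green.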