AWS codebuild high security documentation change
Summary
Added troubleshooting guidance for GitHub deployment protection rule misconfigurations
Security assessment
The change documents a security-related misconfiguration where builds could trigger before deployment approval, emphasizing proper permissions to prevent unauthorized execution.
Diff
diff --git a/codebuild/latest/userguide/action-runner-troubleshoot-webhook.md b/codebuild/latest/userguide/action-runner-troubleshoot-webhook.md index ad2a3579a..2b186bc39 100644 --- a//codebuild/latest/userguide/action-runner-troubleshoot-webhook.md +++ b//codebuild/latest/userguide/action-runner-troubleshoot-webhook.md @@ -60,0 +61,6 @@ After finding the webhook delivery you're looking to debug and noting the delive +**Issue:** Your GitHub Actions with [deployment protection](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-deployments/reviewing-deployments) rules enabled triggers builds within CodeBuild before the deployment has been approved. + +**Possible causes:** CodeBuild fetches the deployment and environment associated with the GitHub Actions job if they exist to verify if the is approved. If CodeBuild fails to fetch either the deployment or environment, the CodeBuild build may be triggered prematurely. + +**Recommended solutions:** Verify that the credentials associated with your CodeBuild projects have read permissions for deployments and actions within GitHub. +