Merge branch 'main' into ml-dsa-private-seed

jakemas · web-flow · commit a719b514e6eb · 2025-02-04T09:03:58.000-08:00
diff --git a/tests/ci/cdk/cdk/ecr_stack.py b/tests/ci/cdk/cdk/ecr_stack.py
@@ -11,5 +11,6 @@ class EcrStack(Stack):
     def __init__(self, scope: Construct, id: str, repo_name: str, **kwargs) -> None:
         super().__init__(scope, id, **kwargs)
 
-        ecr.Repository(scope=self, id=id, repository_name=repo_name).grant_pull_push(
-            iam.ServicePrincipal("codebuild.amazonaws.com"))
+        repo = ecr.Repository(scope=self, id=id, repository_name=repo_name)
+        repo.grant_pull_push(iam.ServicePrincipal("codebuild.amazonaws.com"))
+        repo.grant_pull(iam.ArnPrincipal("arn:aws:iam::222961743098:role/scrutini-ecr"))
diff --git a/tests/ci/cdk/util/iam_policies.py b/tests/ci/cdk/util/iam_policies.py
@@ -207,17 +207,6 @@ def ecr_power_user_policy_in_json(ecr_repo_names):
                     "ecr:PutImage"
                 ],
                 "Resource": ecr_arns
-            },
-            {
-                "Sid": "scrutinice",
-                "Effect": "Allow",
-                "Principal": {
-                    "AWS": "arn:aws:iam::222961743098:role/scrutini-ecr"
-                },
-                "Action": [
-                    "ecr:BatchGetImage",
-                    "ecr:GetDownloadUrlForLayer"
-                ]
             }
         ]
     }

Original file line number	Diff line number	Diff line change
`@@ -207,17 +207,6 @@ def ecr_power_user_policy_in_json(ecr_repo_names):`
`207`	`207`	`"ecr:PutImage"`
`208`	`208`	`],`
`209`	`209`	`"Resource": ecr_arns`
`210`		`- },`
`211`		`- {`
`212`		`- "Sid": "scrutinice",`
`213`		`- "Effect": "Allow",`
`214`		`- "Principal": {`
`215`		`- "AWS": "arn:aws:iam::222961743098:role/scrutini-ecr"`
`216`		`- },`
`217`		`- "Action": [`
`218`		`- "ecr:BatchGetImage",`
`219`		`- "ecr:GetDownloadUrlForLayer"`
`220`		`- ]`
`221`	`210`	`}`
`222`	`211`	`]`
`223`	`212`	`}`