From fe90b0ed4fb9569890fd3e1e8ea24a56854aab8c Mon Sep 17 00:00:00 2001
From: Gregory Schofield
Date: Mon, 5 Jun 2023 12:28:40 -0400
Subject: [PATCH] Update workflows to use aws oidc auth.

Signed-off-by: Gregory Schofield
---
 .github/workflows/build.yml   | 29 +++++++++++++++++++++--------
 .github/workflows/release.yml | 13 ++++++++++---
 2 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f9ec120927..b4ac1552c1 100755
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -18,6 +18,11 @@ name: Build-Test-Deploy
 
     - cron: 0 0 * * *
 
+# === Workflow Permissions ===
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+
 # === JOBS ===
 jobs:
 
@@ -232,6 +237,14 @@ jobs:
       name: Generate Remote Install Deployment
       shell: bash
       run: state run generate-remote-install-deployment
+
+    - # === Configure AWS credentials ==
+      name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: arn:aws:iam::062663976825:role/gha_oidc_activestate_cli
+        role-session-name: gha-activestate-cli
+        aws-region: us-east-1
 
     - # === Deploy for Integration Tests # NEVER run this against production branches. This is meant for PR deployments. ===
       name: Deploy for Integration Tests # NEVER run this against production branches. This is meant for PR deployments.
@@ -256,9 +269,6 @@ jobs:
         state run deploy-updates
         state run deploy-installers
         state run deploy-remote-installer
-      env:
-        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
     - # === Integration Tests ===
       name: Integration Tests
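Review bot: The new workflow-level `permissions:` block in the `@@ -18,6 +18,11 @@` hunk grants `id-token: write` to every job in build.yml, while only the jobs that run the new "Configure AWS credentials" step need to mint an OIDC token; release.yml in this same patch scopes it per job, and build.yml should do the same. Declaring `permissions:` at workflow level also replaces the default `GITHUB_TOKEN` grants for every job with just these two scopes, so any job not visible in this hunk that relied on a default write scope will now be denied, which is worth checking before merge. The narrower form is `permissions:` / `  contents: read` at workflow level, with `permissions:` / `  id-token: write` / `  contents: read` under each job that deploys.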
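Review bot: The "Configure AWS credentials" step in the `@@ -232,6 +237,14 @@` hunk assumes `arn:aws:iam::062663976825:role/gha_oidc_activestate_cli` in a job whose next step is "Deploy for Integration Tests", which the existing comment reserves for PR deployments, and the `@@ -433,6 +441,14 @@` hunk and release.yml's `@@ -79,11 +81,16 @@` hunk assume the very same role for production deploys, so a PR run receives the same AWS permissions as a release run. The role's trust policy is not part of this patch; it is worth confirming that it conditions the `token.actions.githubusercontent.com:sub` claim on this repository and on the refs allowed to deploy, or that separate roles back PR and production deploys. Two smaller points apply to all three hunks: `aws-actions/configure-aws-credentials@v2` is a mutable tag, so pinning to a full commit SHA (with the tag in a trailing comment) is the usual practice for steps that hand out deploy credentials, and the fixed `role-session-name: gha-activestate-cli` could carry the run identity for CloudTrail attribution, e.g. `role-session-name: gha-activestate-cli-${{ github.run_id }}`. The assumed-role credentials also default to a one-hour session when `role-duration-seconds` is not set, which matters if the later "Integration Tests" step (whose static keys the `@@ -309,8 +319,6 @@` hunk removes) can run longer than that.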
@@ -309,8 +319,6 @@ jobs:
         INTEGRATION_TEST_PASSWORD: ${{ secrets.INTEGRATION_TEST_PASSWORD }}
         INTEGRATION_TEST_TOKEN: ${{ secrets.INTEGRATION_TEST_TOKEN }}
         PLATFORM_API_TOKEN: ${{ secrets.PLATFORM_API_TOKEN }}
-        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
     - # === Fail If Unscheduled Unit Tests Failed (Expand 'Unit Tests' above for more information) ===
       name: Fail If Unscheduled Unit Tests Failed
@@ -433,6 +441,14 @@ jobs:
       shell: bash
       run: rm build/state* || true
 
+    - # === Configure AWS credentials ==
+      name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: arn:aws:iam::062663976825:role/gha_oidc_activestate_cli
+        role-session-name: gha-activestate-cli
+        aws-region: us-east-1
+
     - # === Deploy ===
       name: Deploy
       shell: bash
@@ -440,9 +456,6 @@ jobs:
         state run deploy-updates
         state run deploy-installers
         state run deploy-remote-installer
-      env:
-        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
     - # === Cleanup Session Artifacts ===
       name: Cleanup Session Artifacts
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4072a5511e..e43e1fff77 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,6 +13,8 @@ jobs:
     timeout-minutes: 30
     runs-on: windows-2019
     if: github.event.ref_type == 'tag' && contains(github.event.ref, 'release/remote-installer')
+    permissions:
+      id-token: write # This is required for requesting the JWT
     strategy:
       matrix:
         go-version:
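Review bot: The job-level `permissions:` block in release.yml's `@@ -13,6 +13,8 @@` hunk lists only `id-token: write`, and a job-level block sets every unlisted scope to `none`, so this job loses the default `contents: read`; if the job checks out the repository with actions/checkout (its steps lie outside the hunk), that step is likely to fail on a private repository. build.yml's new block in this same patch already pairs the two scopes, and the same form is the fix here: `permissions:` / `  id-token: write # This is required for requesting the JWT` / `  contents: read # This is required for actions/checkout`.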
@@ -79,11 +81,16 @@ jobs:
       env:
         CODE_SIGNING_PASSWD: ${{ secrets.CODE_SIGNING_PASSWD }}
         MSI_CERT_BASE64: ${{ secrets.MSI_CERT_BASE64 }}
+
+    - # === Configure AWS credentials ==
+      name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: arn:aws:iam::062663976825:role/gha_oidc_activestate_cli
+        role-session-name: gha-activestate-cli
+        aws-region: us-east-1
 
     - # === Deploy ===
       name: Deploy
       shell: bash
       run: state run deploy-remote-installer
-      env:
-        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}