From fd9e28f8d4ab37d4e9105b0b39992ec93fc237c1 Mon Sep 17 00:00:00 2001
From: Eito Katagiri
Date: Sat, 3 Aug 2024 13:54:12 +0900
Subject: [PATCH] update GitHub Actions workflow to use OpenID Connect

---
 .github/workflows/main.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 893894f..4f6a3a0 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -8,24 +8,24 @@ on:
 types: [opened, synchronize, reopened]
 workflow_dispatch: ~
 
+permissions:
+ id-token: write
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
 name: Build and publish artifacts
 steps:
 - name: Checkout
- uses: actions/checkout@v2
- - name: Check if secrets are available for publishing
- run: echo "SECRETS_AVAILABLE=${{ secrets.AWS_ACCESS_KEY_ID }}" >> $GITHUB_ENV
- - name: Configure AWS Credentials
- if: env.SECRETS_AVAILABLE
- uses: aws-actions/configure-aws-credentials@v1
+ uses: actions/checkout@v4
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v3
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: arn:aws:iam::985752656544:role/reporting-github-actions
+ role-session-name: reporting-github-actions
 aws-region: us-west-2
 - name: Create application bundle
- if: env.SECRETS_AVAILABLE
 uses: Safecast/github-actions/bundle-application@v1
 with:
 app: reporting
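Review bot: Both `if: env.SECRETS_AVAILABLE` guards are removed without a replacement, so the `Configure AWS credentials` and `Create application bundle` steps now run on every `pull_request` event, including PRs from forks, where GitHub does not (as far as I know) issue an OIDC token for `id-token: write` — those runs will fail at the assume-role step instead of skipping publishing as the old workflow did. Guard the publishing steps, e.g. `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, and confirm that the trust policy of `reporting-github-actions` (not visible in this diff) conditions `token.actions.githubusercontent.com:sub` on the exact repository and branch (and `aud` on `sts.amazonaws.com`) rather than a `repo:ORG/REPO:*` wildcard, since otherwise any PR branch that edits this workflow can mint credentials for the publishing role. Scoping `id-token: write` to the `build` job rather than the workflow level keeps any other jobs in this file from being able to request a token, and `role-session-name: reporting-github-actions-${{ github.run_id }}` would let CloudTrail entries be traced back to a specific run. Pinning `actions/checkout` and `aws-actions/configure-aws-credentials` to commit SHAs instead of moving tags would also close the tag-retargeting risk that switching to OIDC does not address.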