update GitHub Actions workflow to use OpenID Connect

Safecast · Aug 3, 2024 · f10b555 · f10b555
1 parent bba064e
commit f10b555
Showing 1 changed file with 8 additions and 9 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -8,24 +8,23 @@ on:
     types: [opened, synchronize, reopened]
   workflow_dispatch: ~
 
+permissions:
+  id-tokens: write
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     name: Build and publish artifacts
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
-      - name: Check if secrets are available for publishing
-        run: echo "SECRETS_AVAILABLE=${{ secrets.AWS_ACCESS_KEY_ID }}" >> $GITHUB_ENV
-      - name: Configure AWS Credentials
-        if: env.SECRETS_AVAILABLE
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: actions/checkout@v4
+        uses: aws-actions/configure-aws-credentials@v3
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::985752656544:role/reporting-github-actions
+          role-session-name: reporting-github-actions
           aws-region: us-west-2
       - name: Create application bundle
-        if: env.SECRETS_AVAILABLE
         uses: Safecast/github-actions/bundle-application@v1
         with:
             app: reporting