Use configure-aws-credentials
workflow instead of passing secret_access_key
(#1363)
## Summary This PR fixes #1346 by replacing the long-term AWS access keys with OpenID Connect (OIDC). OIDC allows GitHub Actions workflows to access resources in Amazon Web Services (AWS) without storing AWS credentials as long-lived GitHub secrets. --------- Signed-off-by: vudiep411 <vdiep@amazon.com>
This commit is contained in:
parent
2d92404522
commit
ab69a8a55d
43
.github/workflows/build-release-packages.yml
vendored
43
.github/workflows/build-release-packages.yml
vendored
@ -3,7 +3,12 @@ name: Build Release Packages
|
||||
on:
|
||||
release:
|
||||
types: [published]
|
||||
|
||||
push:
|
||||
paths:
|
||||
- '.github/workflows/build-release-packages.yml'
|
||||
- '.github/workflows/call-build-linux-arm-packages.yml'
|
||||
- '.github/workflows/call-build-linux-x86_64-packages.yml'
|
||||
- 'utils/releasetools/build-config.json'
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
version:
|
||||
@ -11,6 +16,7 @@ on:
|
||||
required: true
|
||||
|
||||
permissions:
|
||||
id-token: write
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
@ -20,8 +26,8 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
outputs:
|
||||
version: ${{ steps.get_version.outputs.VERSION }}
|
||||
is_test: ${{ steps.check-if-testing.outputs.IS_TEST }}
|
||||
steps:
|
||||
|
||||
- run: |
|
||||
echo "Version: ${{ inputs.version || github.ref_name }}"
|
||||
shell: bash
|
||||
@ -32,8 +38,13 @@ jobs:
|
||||
- name: Get the version
|
||||
id: get_version
|
||||
run: |
|
||||
VERSION="${INPUT_VERSION}"
|
||||
if [[ "${{ github.event_name }}" == "push" ]]; then
|
||||
VERSION=${{ github.ref_name }}
|
||||
else
|
||||
VERSION="${INPUT_VERSION}"
|
||||
fi
|
||||
if [ -z "${VERSION}" ]; then
|
||||
echo "Error: No version specified"
|
||||
exit 1
|
||||
fi
|
||||
echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
|
||||
@ -43,6 +54,16 @@ jobs:
|
||||
# only ever be a tag
|
||||
INPUT_VERSION: ${{ inputs.version || github.ref_name }}
|
||||
|
||||
- name: Check if we are testing
|
||||
id: check-if-testing
|
||||
run: |
|
||||
if [[ "${{ github.event_name }}" == "push" ]]; then
|
||||
echo "IS_TEST=true" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "IS_TEST=false" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
shell: bash
|
||||
|
||||
generate-build-matrix:
|
||||
name: Generating build matrix
|
||||
runs-on: ubuntu-latest
|
||||
@ -56,7 +77,7 @@ jobs:
|
||||
- uses: ./.github/actions/generate-package-build-matrix
|
||||
id: set-matrix
|
||||
with:
|
||||
ref: ${{ inputs.version || github.ref_name }}
|
||||
ref: ${{ needs.release-build-get-meta.outputs.version }}
|
||||
|
||||
release-build-linux-x86-packages:
|
||||
needs:
|
||||
@ -67,11 +88,10 @@ jobs:
|
||||
version: ${{ needs.release-build-get-meta.outputs.version }}
|
||||
ref: ${{ inputs.version || github.ref_name }}
|
||||
build_matrix: ${{ needs.generate-build-matrix.outputs.x86_64-build-matrix }}
|
||||
region: us-west-2
|
||||
secrets:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
bucket: ${{ secrets.AWS_S3_BUCKET }}
|
||||
access_key_id: ${{ secrets.AWS_S3_ACCESS_KEY_ID }}
|
||||
secret_access_key: ${{ secrets.AWS_S3_ACCESS_KEY }}
|
||||
bucket_name: ${{ needs.release-build-get-meta.outputs.is_test == 'true' && secrets.AWS_TEST_BUCKET || secrets.AWS_S3_BUCKET }}
|
||||
role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
|
||||
|
||||
release-build-linux-arm-packages:
|
||||
needs:
|
||||
@ -82,8 +102,7 @@ jobs:
|
||||
version: ${{ needs.release-build-get-meta.outputs.version }}
|
||||
ref: ${{ inputs.version || github.ref_name }}
|
||||
build_matrix: ${{ needs.generate-build-matrix.outputs.arm64-build-matrix }}
|
||||
region: us-west-2
|
||||
secrets:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
bucket: ${{ secrets.AWS_S3_BUCKET }}
|
||||
access_key_id: ${{ secrets.AWS_S3_ACCESS_KEY_ID }}
|
||||
secret_access_key: ${{ secrets.AWS_S3_ACCESS_KEY }}
|
||||
bucket_name: ${{ needs.release-build-get-meta.outputs.is_test == 'true' && secrets.AWS_TEST_BUCKET || secrets.AWS_S3_BUCKET }}
|
||||
role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
|
||||
|
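Review bot: `VERSION=${{ github.ref_name }}` in the new `push` branch of the get_version step interpolates the ref name straight into the shell script, undoing the `INPUT_VERSION` env-var indirection the step already has, and the new `push:` trigger means `ref_name` is now an arbitrary branch name rather than the tag the `# only ever be a tag` comment assumes. Since `INPUT_VERSION` is already `${{ inputs.version || github.ref_name }}`, the whole if/else can collapse to `VERSION="${INPUT_VERSION}"`, which also closes the expression-injection surface; anyone able to push can already edit the workflow, so this is defence in depth rather than a privilege escalation. Separately, both `release-build-linux-*` callers still pass `token: ${{ secrets.GITHUB_TOKEN }}` while, going by the hunks in the called workflows, the `secrets.token` declaration was removed there — if so, I believe GitHub rejects the call with an "is not defined in the referenced workflow" error, so that line should go. Finally, the workflow-level `id-token: write` is granted to every job, including release-build-get-meta and generate-build-matrix, which never assume a role; moving `permissions: id-token: write` to the two jobs that call the reusable workflows keeps the OIDC token to the jobs that need it.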
@ -15,21 +15,20 @@ on:
|
||||
description: The build targets to produce as a JSON matrix.
|
||||
type: string
|
||||
required: true
|
||||
secrets:
|
||||
token:
|
||||
description: The Github token or similar to authenticate with.
|
||||
region:
|
||||
description: The AWS region to push packages into.
|
||||
type: string
|
||||
required: true
|
||||
secrets:
|
||||
bucket_name:
|
||||
description: The S3 bucket to push packages into.
|
||||
required: true
|
||||
role_to_assume:
|
||||
description: The role to assume for the S3 bucket.
|
||||
required: true
|
||||
bucket:
|
||||
description: The name of the S3 bucket to push packages into.
|
||||
required: false
|
||||
access_key_id:
|
||||
description: The S3 access key id for the bucket.
|
||||
required: false
|
||||
secret_access_key:
|
||||
description: The S3 secret access key for the bucket.
|
||||
required: false
|
||||
|
||||
permissions:
|
||||
id-token: write
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
@ -46,6 +45,12 @@ jobs:
|
||||
with:
|
||||
ref: ${{ inputs.version }}
|
||||
|
||||
- name: Configure AWS credentials
|
||||
uses: aws-actions/configure-aws-credentials@v4
|
||||
with:
|
||||
aws-region: ${{ inputs.region }}
|
||||
role-to-assume: ${{ secrets.role_to_assume }}
|
||||
|
||||
- name: Make Valkey
|
||||
uses: uraimo/run-on-arch-action@v2
|
||||
with:
|
||||
@ -65,15 +70,5 @@ jobs:
|
||||
mkdir -p packages-files
|
||||
cp -rfv $TAR_FILE_NAME.tar* packages-files/
|
||||
|
||||
- name: Install AWS cli.
|
||||
run: |
|
||||
sudo apt-get install -y awscli
|
||||
|
||||
- name: Configure AWS credentials
|
||||
run: |
|
||||
aws configure set region us-west-2
|
||||
aws configure set aws_access_key_id ${{ secrets.access_key_id }}
|
||||
aws configure set aws_secret_access_key ${{ secrets.secret_access_key }}
|
||||
|
||||
- name: Sync to S3
|
||||
run: aws s3 sync packages-files s3://${{secrets.bucket}}/releases/
|
||||
run: aws s3 sync packages-files s3://${{ secrets.bucket_name }}/releases/
|
||||
|
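Review bot: `uses: aws-actions/configure-aws-credentials@v4` pins the step that mints the release-publishing AWS credentials to a floating major tag, so each run pulls whatever that tag currently points at; for a release pipeline pin it to a full commit SHA with the version as a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<40-hex-sha> # v4.x.y`, and let Dependabot bump it. Consider also adding `role-session-name: valkey-release-${{ github.run_id }}` under `with:` so the assumed-role session is attributable in CloudTrail instead of carrying the action's default session name. The existing `uraimo/run-on-arch-action@v2` line, context here, has the same floating-tag exposure and would benefit from the same treatment.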
@ -15,21 +15,20 @@ on:
|
||||
description: The build targets to produce as a JSON matrix.
|
||||
type: string
|
||||
required: true
|
||||
secrets:
|
||||
token:
|
||||
description: The Github token or similar to authenticate with.
|
||||
region:
|
||||
description: The AWS region to upload the packages to.
|
||||
type: string
|
||||
required: true
|
||||
secrets:
|
||||
bucket_name:
|
||||
description: The name of the S3 bucket to upload the packages to.
|
||||
required: true
|
||||
role_to_assume:
|
||||
description: The role to assume for the S3 bucket.
|
||||
required: true
|
||||
bucket:
|
||||
description: The name of the S3 bucket to push packages into.
|
||||
required: false
|
||||
access_key_id:
|
||||
description: The S3 access key id for the bucket.
|
||||
required: false
|
||||
secret_access_key:
|
||||
description: The S3 secret access key for the bucket.
|
||||
required: false
|
||||
|
||||
permissions:
|
||||
id-token: write
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
@ -46,6 +45,12 @@ jobs:
|
||||
with:
|
||||
ref: ${{ inputs.version }}
|
||||
|
||||
- name: Configure AWS credentials
|
||||
uses: aws-actions/configure-aws-credentials@v4
|
||||
with:
|
||||
aws-region: ${{ inputs.region }}
|
||||
role-to-assume: ${{ secrets.role_to_assume }}
|
||||
|
||||
- name: Install dependencies
|
||||
run: sudo apt-get update && sudo apt-get install -y build-essential libssl-dev libsystemd-dev
|
||||
|
||||
@ -63,15 +68,5 @@ jobs:
|
||||
mkdir -p packages-files
|
||||
cp -rfv $TAR_FILE_NAME.tar* packages-files/
|
||||
|
||||
- name: Install AWS cli.
|
||||
run: |
|
||||
sudo apt-get install -y awscli
|
||||
|
||||
- name: Configure AWS credentials
|
||||
run: |
|
||||
aws configure set region us-west-2
|
||||
aws configure set aws_access_key_id ${{ secrets.access_key_id }}
|
||||
aws configure set aws_secret_access_key ${{ secrets.secret_access_key }}
|
||||
|
||||
- name: Sync to S3
|
||||
run: aws s3 sync packages-files s3://${{secrets.bucket}}/releases/
|
||||
run: aws s3 sync packages-files s3://${{ secrets.bucket_name }}/releases/
|
||||
|
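Review bot: the new `Configure AWS credentials` step assumes `secrets.role_to_assume` via OIDC with nothing in the workflow constraining who may do so, so the effective access control now lives entirely in the IAM role's trust policy, which this diff cannot show. Because the caller now also runs on `push` to any branch touching these workflow files (with `is_test` selecting the test bucket), the OIDC `sub` claim will be `repo:<org>/<repo>:ref:refs/heads/<branch>` for arbitrary branches; the trust policy's `token.actions.githubusercontent.com:sub` (or `job_workflow_ref`) condition should limit production-bucket writes to tag/release refs, and if one role can reach both buckets it is worth splitting into two roles keyed off `is_test`. I would record that assumption next to the step: `# OIDC: the role's trust policy must scope sub/job_workflow_ref to this repo and to release refs for the production bucket`. As in the arm workflow, `aws-actions/configure-aws-credentials@v4` should be pinned to a full commit SHA rather than a floating tag.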