Use configure-aws-credentials workflow instead of passing secret_access_key (#1363)

## Summary
This PR fixes #1346 by replacing the long-term credentials with OpenID Connect. OpenID Connect (OIDC) allows your GitHub Actions
workflows to access resources in Amazon Web Services (AWS) without
needing to store the AWS credentials as long-lived GitHub secrets.

---------

Signed-off-by: vudiep411 <vdiep@amazon.com>
Vu Diep 2024-12-12 14:42:52 -08:00 committed by Madelyn Olson
parent 3318ea0293
commit db15d7f148
3 changed files with 67 additions and 58 deletions


@ -3,7 +3,12 @@ name: Build Release Packages
on: on:
release: release:
types: [published] types: [published]
push:
paths:
- '.github/workflows/build-release-packages.yml'
- '.github/workflows/call-build-linux-arm-packages.yml'
- '.github/workflows/call-build-linux-x86_64-packages.yml'
- 'utils/releasetools/build-config.json'
workflow_dispatch: workflow_dispatch:
inputs: inputs:
version: version:
@ -11,6 +16,7 @@ on:
required: true required: true
permissions: permissions:
id-token: write
contents: read contents: read
jobs: jobs:
@ -21,8 +27,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
outputs: outputs:
version: ${{ steps.get_version.outputs.VERSION }} version: ${{ steps.get_version.outputs.VERSION }}
is_test: ${{ steps.check-if-testing.outputs.IS_TEST }}
steps: steps:
- run: | - run: |
echo "Version: ${{ inputs.version || github.ref_name }}" echo "Version: ${{ inputs.version || github.ref_name }}"
shell: bash shell: bash
@ -33,8 +39,13 @@ jobs:
- name: Get the version - name: Get the version
id: get_version id: get_version
run: | run: |
if [[ "${{ github.event_name }}" == "push" ]]; then
VERSION=${{ github.ref_name }}
else
VERSION="${INPUT_VERSION}" VERSION="${INPUT_VERSION}"
fi
if [ -z "${VERSION}" ]; then if [ -z "${VERSION}" ]; then
echo "Error: No version specified"
exit 1 exit 1
fi fi
echo "VERSION=$VERSION" >> $GITHUB_OUTPUT echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
@ -44,6 +55,16 @@ jobs:
# only ever be a tag # only ever be a tag
INPUT_VERSION: ${{ inputs.version || github.ref_name }} INPUT_VERSION: ${{ inputs.version || github.ref_name }}
- name: Check if we are testing
id: check-if-testing
run: |
if [[ "${{ github.event_name }}" == "push" ]]; then
echo "IS_TEST=true" >> $GITHUB_OUTPUT
else
echo "IS_TEST=false" >> $GITHUB_OUTPUT
fi
shell: bash
generate-build-matrix: generate-build-matrix:
name: Generating build matrix name: Generating build matrix
if: github.repository == 'valkey-io/valkey' if: github.repository == 'valkey-io/valkey'
@ -58,7 +79,7 @@ jobs:
- uses: ./.github/actions/generate-package-build-matrix - uses: ./.github/actions/generate-package-build-matrix
id: set-matrix id: set-matrix
with: with:
ref: ${{ inputs.version || github.ref_name }} ref: ${{ needs.release-build-get-meta.outputs.version }}
release-build-linux-x86-packages: release-build-linux-x86-packages:
needs: needs:
@ -69,11 +90,10 @@ jobs:
version: ${{ needs.release-build-get-meta.outputs.version }} version: ${{ needs.release-build-get-meta.outputs.version }}
ref: ${{ inputs.version || github.ref_name }} ref: ${{ inputs.version || github.ref_name }}
build_matrix: ${{ needs.generate-build-matrix.outputs.x86_64-build-matrix }} build_matrix: ${{ needs.generate-build-matrix.outputs.x86_64-build-matrix }}
region: us-west-2
secrets: secrets:
token: ${{ secrets.GITHUB_TOKEN }} bucket_name: ${{ needs.release-build-get-meta.outputs.is_test == 'true' && secrets.AWS_TEST_BUCKET || secrets.AWS_S3_BUCKET }}
bucket: ${{ secrets.AWS_S3_BUCKET }} role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
access_key_id: ${{ secrets.AWS_S3_ACCESS_KEY_ID }}
secret_access_key: ${{ secrets.AWS_S3_ACCESS_KEY }}
release-build-linux-arm-packages: release-build-linux-arm-packages:
needs: needs:
@ -84,8 +104,7 @@ jobs:
version: ${{ needs.release-build-get-meta.outputs.version }} version: ${{ needs.release-build-get-meta.outputs.version }}
ref: ${{ inputs.version || github.ref_name }} ref: ${{ inputs.version || github.ref_name }}
build_matrix: ${{ needs.generate-build-matrix.outputs.arm64-build-matrix }} build_matrix: ${{ needs.generate-build-matrix.outputs.arm64-build-matrix }}
region: us-west-2
secrets: secrets:
token: ${{ secrets.GITHUB_TOKEN }} bucket_name: ${{ needs.release-build-get-meta.outputs.is_test == 'true' && secrets.AWS_TEST_BUCKET || secrets.AWS_S3_BUCKET }}
bucket: ${{ secrets.AWS_S3_BUCKET }} role_to_assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
access_key_id: ${{ secrets.AWS_S3_ACCESS_KEY_ID }}
secret_access_key: ${{ secrets.AWS_S3_ACCESS_KEY }}
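Review bot: The bucket selection in the `release-build-linux-x86-packages` secrets block, `bucket_name: ${{ needs.release-build-get-meta.outputs.is_test == 'true' && secrets.AWS_TEST_BUCKET || secrets.AWS_S3_BUCKET }}`, fails open: in GitHub expressions an unset secret is an empty string, which is falsy, so if `AWS_TEST_BUCKET` is missing the `||` branch is taken and a test build triggered by the new `push` paths is synced into the production release bucket instead of failing. The same expression is used in the `release-build-linux-arm-packages` block below. I would keep the selection but add a guard step in `release-build-get-meta` so a missing test bucket aborts before any upload, e.g. a step with `if: steps.check-if-testing.outputs.IS_TEST == 'true'`, `env: TEST_BUCKET: ${{ secrets.AWS_TEST_BUCKET }}` and `run: test -n "$TEST_BUCKET" || { echo 'AWS_TEST_BUCKET is not set'; exit 1; }`. That turns a misconfigured secret into a visible failure rather than a silent write to the wrong bucket.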


@ -15,21 +15,20 @@ on:
description: The build targets to produce as a JSON matrix. description: The build targets to produce as a JSON matrix.
type: string type: string
required: true required: true
secrets: region:
token: description: The AWS region to push packages into.
description: The Github token or similar to authenticate with. type: string
required: true
secrets:
bucket_name:
description: The S3 bucket to push packages into.
required: true
role_to_assume:
description: The role to assume for the S3 bucket.
required: true required: true
bucket:
description: The name of the S3 bucket to push packages into.
required: false
access_key_id:
description: The S3 access key id for the bucket.
required: false
secret_access_key:
description: The S3 secret access key for the bucket.
required: false
permissions: permissions:
id-token: write
contents: read contents: read
jobs: jobs:
@ -46,6 +45,12 @@ jobs:
with: with:
ref: ${{ inputs.version }} ref: ${{ inputs.version }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ inputs.region }}
role-to-assume: ${{ secrets.role_to_assume }}
- name: Make Valkey - name: Make Valkey
uses: uraimo/run-on-arch-action@v2 uses: uraimo/run-on-arch-action@v2
with: with:
@ -65,15 +70,5 @@ jobs:
mkdir -p packages-files mkdir -p packages-files
cp -rfv $TAR_FILE_NAME.tar* packages-files/ cp -rfv $TAR_FILE_NAME.tar* packages-files/
- name: Install AWS cli.
run: |
sudo apt-get install -y awscli
- name: Configure AWS credentials
run: |
aws configure set region us-west-2
aws configure set aws_access_key_id ${{ secrets.access_key_id }}
aws configure set aws_secret_access_key ${{ secrets.secret_access_key }}
- name: Sync to S3 - name: Sync to S3
run: aws s3 sync packages-files s3://${{secrets.bucket}}/releases/ run: aws s3 sync packages-files s3://${{ secrets.bucket_name }}/releases/
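Review bot: The new `Configure AWS credentials` step runs before `Make Valkey`, so the assumed-role credentials are exported into the job environment for the entire emulated build and are only needed by `Sync to S3` at the end; if the build outruns the role session (the action's default is one hour unless `role-duration-seconds` is set, if I read the action docs right) the upload fails with an expired token. Moving the step to directly above `- name: Sync to S3` avoids that and also keeps the credentials out of the environment seen by the third-party build action, which is the least-privilege ordering anyway. The same ordering applies to the x86_64 workflow in this commit. I would also pass the bucket through `env:` rather than interpolating `${{ secrets.bucket_name }}` into the shell line, e.g. `env: BUCKET: ${{ secrets.bucket_name }}` with `run: aws s3 sync packages-files "s3://${BUCKET}/releases/"`.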


@ -15,21 +15,20 @@ on:
description: The build targets to produce as a JSON matrix. description: The build targets to produce as a JSON matrix.
type: string type: string
required: true required: true
secrets: region:
token: description: The AWS region to upload the packages to.
description: The Github token or similar to authenticate with. type: string
required: true
secrets:
bucket_name:
description: The name of the S3 bucket to upload the packages to.
required: true
role_to_assume:
description: The role to assume for the S3 bucket.
required: true required: true
bucket:
description: The name of the S3 bucket to push packages into.
required: false
access_key_id:
description: The S3 access key id for the bucket.
required: false
secret_access_key:
description: The S3 secret access key for the bucket.
required: false
permissions: permissions:
id-token: write
contents: read contents: read
jobs: jobs:
@ -46,6 +45,12 @@ jobs:
with: with:
ref: ${{ inputs.version }} ref: ${{ inputs.version }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ inputs.region }}
role-to-assume: ${{ secrets.role_to_assume }}
- name: Install dependencies - name: Install dependencies
run: sudo apt-get update && sudo apt-get install -y build-essential libssl-dev libsystemd-dev run: sudo apt-get update && sudo apt-get install -y build-essential libssl-dev libsystemd-dev
@ -63,15 +68,5 @@ jobs:
mkdir -p packages-files mkdir -p packages-files
cp -rfv $TAR_FILE_NAME.tar* packages-files/ cp -rfv $TAR_FILE_NAME.tar* packages-files/
- name: Install AWS cli.
run: |
sudo apt-get install -y awscli
- name: Configure AWS credentials
run: |
aws configure set region us-west-2
aws configure set aws_access_key_id ${{ secrets.access_key_id }}
aws configure set aws_secret_access_key ${{ secrets.secret_access_key }}
- name: Sync to S3 - name: Sync to S3
run: aws s3 sync packages-files s3://${{secrets.bucket}}/releases/ run: aws s3 sync packages-files s3://${{ secrets.bucket_name }}/releases/
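Review bot: `uses: aws-actions/configure-aws-credentials@v4` in the new `Configure AWS credentials` step is pinned to a mutable tag even though this is the step that exchanges the OIDC token for the release role's credentials; a moved or compromised tag would hand those credentials to whatever code the tag then points at. Pin it to the full commit SHA of the v4 release and keep the tag as a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<commit-sha-of-v4-release>  # v4`, and do the same in the arm workflow in this commit. The existing `uraimo/run-on-arch-action@v2` follows the tag convention as well, so a repo-wide switch to SHA pinning could be a follow-up, but the credential-minting step is the one I would pin now.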