From 598170c496f09ec70bbd07934574c24824e6b733 Mon Sep 17 00:00:00 2001
From: Vinod Dampuru
Date: Tue, 25 Feb 2025 17:40:56 +0800
Subject: [PATCH 1/2] Using GHA OIDC IAM role to sync the artifacts with S3 bucket.

---
.github/workflows/build_and_publish.yml | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build_and_publish.yml b/.github/workflows/build_and_publish.yml
index 63ddb406..2914386d 100644
--- a/.github/workflows/build_and_publish.yml
+++ b/.github/workflows/build_and_publish.yml
@@ -9,6 +9,10 @@ on:
 # Push events to branches matching refs/heads/release-*
 - 'release-*'
 
+permissions:
+id-token: write
+contents: read
+
 env:
 RUN_EXTERNAL_CHECKS: true
 
@@ -54,12 +58,15 @@ jobs:
 runs-on: ubuntu-latest
 env:
 S3_BUCKET: "${{ secrets.S3_BUCKET }}"
-AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
-AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
 steps:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+- name: Configure aws credentials
+uses: aws-actions/configure-aws-credentials@v4
+with:
+role-to-assume: "${{ secrets.AWS_ROLE_TO_ASSUME }}"
+aws-region: "${{ secrets.AWS_REGION }}"
 - name: Set up Ruby
 uses: ruby/setup-ruby@v1
 with:

From 3d7d4d1470ece756c56629d8cbbdac9ba37abdf5 Mon Sep 17 00:00:00 2001
From: Chad Wilson
Date: Fri, 28 Feb 2025 22:50:04 +0800
Subject: [PATCH 2/2] Add back write permissions for github-pages

---
.github/workflows/build_and_publish.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build_and_publish.yml b/.github/workflows/build_and_publish.yml
index 2914386d..2f770ad6 100644
--- a/.github/workflows/build_and_publish.yml
+++ b/.github/workflows/build_and_publish.yml
@@ -11,7 +11,7 @@ on:
 
 permissions:
 id-token: write
-contents: read
+contents: write
 
 env:
 RUN_EXTERNAL_CHECKS: true
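Review bot: The new `permissions:` block in the first hunk of PATCH 1/2 is placed at workflow level, so `id-token: write` is granted to every job in build_and_publish.yml rather than only to the job that assumes the AWS role in the second hunk, and the second patch's change to `contents: write` then widens all jobs the same way. Any job that has no `permissions:` key of its own inherits the workflow-level grant, which is why the scope matters here. Job-level scoping keeps each job at least privilege: put `permissions:` / `  id-token: write` / `  contents: read` under the S3 sync job, grant `contents: write` only in the job that publishes github-pages, and leave the workflow-level block read-only or absent. The jobs that need each permission lie outside both hunks, so the exact placement cannot be confirmed from the patch alone.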
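Review bot: The added step pins `aws-actions/configure-aws-credentials@v4` to a mutable major tag while the job now holds `id-token: write`, so a moved tag would hand the OIDC token and the assumed role's credentials to whatever the tag then points at; pin to a full commit SHA with the version as a comment, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v4` (placeholder). Adding `role-session-name: "gha-${{ github.run_id }}"` (constructed value) makes the AssumeRoleWithWebIdentity record in CloudTrail attributable to a specific workflow run. The hunk does not show the role's trust policy, which should constrain the token's `sub` claim to this repository and its release refs rather than any GitHub workflow. The long-lived AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY repository secrets this hunk stops reading remain live until the secrets are deleted and the IAM access key is deactivated, which the patch does not mention. The job whose `runs-on:` and `env:` lines open the hunk is named outside it.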