Skip to content

Commit

Permalink
feat(gha): move OIDC config to the reusable workflow
Browse files Browse the repository at this point in the history
BREAKING CHANGE: remove aws cli installation and credential configuration from consumer workflow
  • Loading branch information
kennedy-whytech committed Dec 13, 2024
1 parent 83c63a1 commit a3c6170
Show file tree
Hide file tree
Showing 3 changed files with 86 additions and 2 deletions.
55 changes: 55 additions & 0 deletions docs/breaking-changes/v2.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
# Breaking changes in v2

Move OIDC config to the reusable workflow

## Description of changes

The OIDC configuration has been moved to the reusable workflow. This change enable developers to use the OIDC configuration in multiple actions without duplicating the configuration.

## Upgrade instructions

Update from:

```
permissions:
id-token: write # This is required for requesting the JWT for OIDC
contents: read
...
- name: Install aws cli
run: |
pip install awscli==1.33.21
aws --version
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-skip-session-tagging: true
role-to-assume: ROLE-TO-ASSUME-WITH-OIDC
aws-region: us-east-1
- name: Upload to S3 bucket
uses: open-turo/actions-s3-artifact/upload@v1
id: aws-s3-upload
with:
compress: false
path: PATH-TO-UPLOAD
s3uri: S3-URI
aws-region: us-east-1
```

to the following:

```
- name: Upload to S3 bucket
uses: open-turo/actions-s3-artifact/upload@v2
id: aws-s3-upload
with:
compress: false
path: PATH-TO-UPLOAD
s3uri: S3-URI
aws-region: us-east-1
role-to-assume-with-oidc: ${{ ROLE-TO-ASSUME-WITH-OIDC }} # the role can be defined in the GHA Repository secrets or inline
```
6 changes: 6 additions & 0 deletions upload/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,12 @@ This action is a `composite` action.
# Required: false
# Default: ${{ github.sha }}-${{ github.run_number }}-${{ github.run_attempt }}
role-to-assume-with-oidc:
# ARN of the role to assume with OIDC. If not provided, the action will use the provided AWS access key and secret access key
#
# Required: false
# Default: ""
aws-access-key-id:
# AWS access key ID of the S3 location
#
Expand Down
27 changes: 25 additions & 2 deletions upload/action.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
name: S3 upload
description: Upload a set of artifacts to S3

permissions:
id-token: write # This is required for requesting the JWT for OIDC
contents: read

inputs:
# Path(s) to the artifacts to upload
path:
Expand All @@ -14,6 +19,9 @@ inputs:
required: false
description: Artifact key name (a unique hash or timestamp or other identifier)
default: ${{ github.sha }}-${{ github.run_number }}-${{ github.run_attempt }}
role-to-assume-with-oidc:
required: false
description: ARN of the role to assume with OIDC. If not provided, the action will use the provided AWS access key and secret access key
aws-access-key-id:
required: false
description: AWS access key ID of the S3 location
Expand Down Expand Up @@ -95,13 +103,28 @@ runs:
echo "folder=$TMPARTIFACT" >> $GITHUB_OUTPUT
fi
- name: Configure AWS credentials
if: inputs.aws-access-key-id != '' && inputs.aws-secret-access-key != ''
- name: Install aws cli
run: |
pip install awscli==1.33.21
aws --version
shell: bash

- name: Configure AWS credentials via OIDC
if: inputs.role-to-assume-with-oidc != ''
uses: aws-actions/configure-aws-credentials@v4
with:
role-skip-session-tagging: true
role-to-assume: ${{ inputs.role-to-assume-with-oidc }}
aws-region: ${{ inputs.aws-region }}

- name: Configure AWS credentials via Access Keys
if: inputs.role-to-assume-with-oidc == '' && inputs.aws-access-key-id != '' && inputs.aws-secret-access-key != ''
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ inputs.aws-access-key-id }}
aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
aws-region: ${{ inputs.aws-region }}

- name: Upload artifact to S3
id: s3
shell: bash
Expand Down

0 comments on commit a3c6170

Please sign in to comment.