feat(gha): move OIDC config to the reusable workflow

BREAKING CHANGE: remove aws cli installation and credential configuration from consumer workflow

docs/breaking-changes/v2.md

@@ -0,0 +1,55 @@
+# Breaking changes in v2
+
+Move OIDC config to the reusable workflow
+
+## Description of changes
+
+The OIDC configuration has been moved to the reusable workflow. This change enable developers to use the OIDC configuration in multiple actions without duplicating the configuration.
+
+## Upgrade instructions
+
+Update from:
+
+```
+permissions:
+  id-token: write # This is required for requesting the JWT for OIDC
+  contents: read
+
+  ...
+  - name: Install aws cli
+    run: |
+        pip install awscli==1.33.21
+        aws --version
+
+  - name: Configure AWS credentials
+    uses: aws-actions/configure-aws-credentials@v4
+    with:
+        role-skip-session-tagging: true
+        role-to-assume: ROLE-TO-ASSUME-WITH-OIDC
+        aws-region: us-east-1
+
+  - name: Upload to S3 bucket
+    uses: open-turo/actions-s3-artifact/upload@v1
+    id: aws-s3-upload
+    with:
+      compress: false
+      path: PATH-TO-UPLOAD
+      s3uri: S3-URI
+      aws-region: us-east-1
+
+```
+
+to the following:
+
+```
+  - name: Upload to S3 bucket
+    uses: open-turo/actions-s3-artifact/upload@v2
+    id: aws-s3-upload
+    with:
+      compress: false
+      path: PATH-TO-UPLOAD
+      s3uri: S3-URI
+      aws-region: us-east-1
+      role-to-assume-with-oidc: ${{ ROLE-TO-ASSUME-WITH-OIDC }} # the role can be defined in the GHA Repository secrets or inline
+
+```

upload/README.md

@@ -138,6 +138,12 @@ This action is a `composite` action.
     # Required: false
     # Default: ${{ github.sha }}-${{ github.run_number }}-${{ github.run_attempt }}
 
+    role-to-assume-with-oidc:
+    # ARN of the role to assume with OIDC. If not provided, the action will use the provided AWS access key and secret access key
+    #
+    # Required: false
+    # Default: ""
+
     aws-access-key-id:
     # AWS access key ID of the S3 location
     #

upload/action.yaml

@@ -1,5 +1,6 @@
 name: S3 upload
 description: Upload a set of artifacts to S3
+
 inputs:
   # Path(s) to the artifacts to upload
   path:
@@ -14,6 +15,9 @@ inputs:
     required: false
     description: Artifact key name (a unique hash or timestamp or other identifier)
     default: ${{ github.sha }}-${{ github.run_number }}-${{ github.run_attempt }}
+  role-to-assume-with-oidc:
+    required: false
+    description: ARN of the role to assume with OIDC. If not provided, the action will use the provided AWS access key and secret access key
   aws-access-key-id:
     required: false
     description: AWS access key ID of the S3 location
@@ -95,13 +99,28 @@ runs:
           echo "folder=$TMPARTIFACT" >> $GITHUB_OUTPUT
         fi
 
-    - name: Configure AWS credentials
-      if: inputs.aws-access-key-id != '' && inputs.aws-secret-access-key != ''
+    - name: Install aws cli
+      run: |
+        pip install awscli==1.33.21
+        aws --version
+      shell: bash
+
+    - name: Configure AWS credentials via OIDC
+      if: inputs.role-to-assume-with-oidc != ''
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-skip-session-tagging: true
+        role-to-assume: ${{ inputs.role-to-assume-with-oidc }}
+        aws-region: ${{ inputs.aws-region }}
+
+    - name: Configure AWS credentials via Access Keys
+      if: inputs.role-to-assume-with-oidc == '' && inputs.aws-access-key-id != '' && inputs.aws-secret-access-key != ''
       uses: aws-actions/configure-aws-credentials@v1
       with:
         aws-access-key-id: ${{ inputs.aws-access-key-id }}
         aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
         aws-region: ${{ inputs.aws-region }}
+
     - name: Upload artifact to S3
       id: s3
       shell: bash