From 95f0ed559e4b68c84a296dbe0f392a31a44d4b06 Mon Sep 17 00:00:00 2001 From: Anderson Banihirwe <13301940+andersy005@users.noreply.github.com> Date: Thu, 21 Nov 2024 13:54:42 -0800 Subject: [PATCH] Update GitHub Actions workflow to configure AWS credentials (#129) * Update GitHub Actions workflow to configure AWS credentials * Configure AWS credentials in GitHub Actions workflows --- .github/workflows/fly.yml | 9 +++++++-- .github/workflows/main.yaml | 13 +++++++++++-- .github/workflows/update-db.yaml | 13 +++++++++++-- 3 files changed, 29 insertions(+), 6 deletions(-) diff --git a/.github/workflows/fly.yml b/.github/workflows/fly.yml index 3f8f3bc..76f5829 100644 --- a/.github/workflows/fly.yml +++ b/.github/workflows/fly.yml @@ -20,8 +20,7 @@ concurrency: env: FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: us-west-2 OFFSETS_DB_API_KEY_STAGING: ${{ secrets.OFFSETS_DB_API_KEY_STAGING }} OFFSETS_DB_API_KEY_PRODUCTION: ${{ secrets.OFFSETS_DB_API_KEY_PRODUCTION }} PRODUCTION_URL: 'https://offsets-db.fly.dev/docs' @@ -39,6 +38,12 @@ jobs: if: ${{ (contains(github.event.pull_request.labels.*.name, 'api') && github.event_name == 'pull_request') || (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'workflow_dispatch'}} steps: - uses: actions/checkout@v4 + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::631969445205:role/github-action-role + role-session-name: offsets-db-fly-role-session + aws-region: ${{ env.AWS_DEFAULT_REGION }} - name: Get Current time in UTC in format YYYY-MM-DD HH:MM if: always() id: time diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 74d3dc0..747eee2 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml 
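Review bot: The long-lived key pair dropped from `env:` here (and in the `env:` hunks of main.yaml and update-db.yaml) is not shown being retired anywhere in this change. Removing `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from the workflow only stops these jobs from reading them. Until the repository secrets are deleted and the IAM access key is deactivated, the static credential stays valid, so the move to role assumption is only half done. Recording that follow-up in the PR description would make the cleanup auditable.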
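Review bot: No hunk in fly.yml adds `id-token: write`, although the new `configure aws credentials` step assumes a role with no static keys and so depends on the job being able to request an OIDC token. main.yaml and update-db.yaml both gain a `permissions:` block in this same commit. If fly.yml does not already declare one outside the visible hunks, the step will fail to obtain credentials; add the same block, `permissions:` with `id-token: write` and `contents: read`. The job's `if:` also admits `pull_request` events, and pull requests from forks normally cannot get a writable id-token, so it is worth confirming how this step behaves for them. The `steps:` list continues outside the hunk.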
@@ -15,13 +15,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + env: OFFSETS_DB_DATABASE_URL: postgres://postgres_user:postgres_password@localhost:5432/postgres_db OFFSETS_DB_STAGING: true OFFSETS_DB_API_KEY: cowsay - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} AWS_DEFAULT_REGION: us-west-2 jobs: @@ -53,6 +55,13 @@ jobs: steps: - uses: actions/checkout@v4 + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::631969445205:role/github-action-role + role-session-name: offsets-db-ci-role-session + aws-region: ${{ env.AWS_DEFAULT_REGION }} + - name: set up conda environment uses: mamba-org/setup-micromamba@v2 with: diff --git a/.github/workflows/update-db.yaml b/.github/workflows/update-db.yaml index e89c7bb..df0120d 100644 --- a/.github/workflows/update-db.yaml +++ b/.github/workflows/update-db.yaml @@ -13,8 +13,6 @@ on: - cron: '45 6 * * *' # 6:45am UTC every day env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} AWS_DEFAULT_REGION: us-west-2 OFFSETS_DB_API_KEY_STAGING: ${{ secrets.OFFSETS_DB_API_KEY_STAGING }} OFFSETS_DB_API_KEY_PRODUCTION: ${{ secrets.OFFSETS_DB_API_KEY_PRODUCTION }} 
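Review bot: `id-token: write` is granted at workflow level in main.yaml, so every job in the workflow can mint an OIDC token, including any that never talk to AWS. Moving the `permissions:` block under the one job that runs `configure-aws-credentials` keeps the token out of reach of unrelated steps. The job list lies outside this hunk, so whether the workflow has more than one job cannot be confirmed from here.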
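Review bot: The CI step assumes `arn:aws:iam::631969445205:role/github-action-role`, the same role that the deploy workflow (fly.yml) and the scheduled update-db.yaml assume; only `role-session-name` differs. CI usually runs code from pull-request branches, so it ends up with whatever AWS access deployment and database seeding need. A separate, narrower role per workflow would limit that. Each role's trust policy should be conditioned on the `token.actions.githubusercontent.com:sub` claim for this repository and the refs allowed to use it. The trust policy is not part of this diff, so this is something to confirm rather than a known gap.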
@@ -23,12 +21,23 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: seed-db: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::631969445205:role/github-action-role + role-session-name: offsets-db-update-role-session + aws-region: ${{ env.AWS_DEFAULT_REGION }} + - name: Get Current time in UTC in format YYYY-MM-DD HH:MM if: always() id: time
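Review bot: `aws-actions/configure-aws-credentials@v4` is referenced by a movable tag in the step that hands AWS credentials to the job; the same applies to the steps added in fly.yml and main.yaml. Pinning to a full commit SHA with the tag kept as a comment, `uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v4`, means a re-pointed tag cannot change what runs with the assumed role. This workflow runs unattended on a cron schedule, so a change in the action would not be noticed at review time.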