Skip to content

Commit

Permalink
Fix permissions to enable configure-aws-credentials
Browse files Browse the repository at this point in the history
See https://github.com/aws-actions/configure-aws-credentials and also
how proof-debugger does it.
  • Loading branch information
tautschnig committed Jul 16, 2024
1 parent 0f1ece3 commit 68f1a57
Show file tree
Hide file tree
Showing 3 changed files with 23 additions and 10 deletions.
8 changes: 8 additions & 0 deletions .github/workflows/release-brew.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,8 @@ jobs:
homebrew-pr:
name: Homebrew Bump Formula PR
runs-on: macos-latest
permissions:
id-token: write
steps:
- name: Authenticate GitHub workflow to AWS
uses: aws-actions/configure-aws-credentials@v4
Expand Down Expand Up @@ -84,6 +86,9 @@ jobs:
matrix:
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
permissions:
id-token: write
contents: write
steps:
- name: Set up Homebrew
id: set-up-homebrew
Expand All @@ -100,6 +105,7 @@ jobs:
echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV
echo "HOMEBREW_GITHUB_API_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
echo "FORK_REPO=https://$HOMEBREW_GITHUB_API_TOKEN@github.com/$BOT_USER/homebrew-$(echo $TAP |cut -d / -f 2).git" >> $GITHUB_ENV
echo "GITHUB_TOKEN=$HOMEBREW_GITHUB_API_TOKEN" >> $GITHUB_ENV
- name: Checkout PR
run: |
Expand Down Expand Up @@ -151,6 +157,8 @@ jobs:
update-pr:
needs: build-bottle
runs-on: macos-latest
permissions:
id-token: write
steps:
- uses: actions/download-artifact@v3
with:
Expand Down
22 changes: 12 additions & 10 deletions .github/workflows/release-pypi.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,34 +11,36 @@ jobs:
upload-to-pypi:
name: Upload to PyPi
runs-on: ubuntu-20.04
permissions:
id-token: write
contents: write
steps:
- uses: actions/checkout@v2
- name: Install dependencies
run: python3 -m pip install --upgrade pip build setuptools wheel twine
- name: Build pip package
run: python3 -m build
- name: Authenticate GitHub workflow to AWS
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ env.AWS_ROLE }}
aws-region: ${{ env.AWS_REGION }}
- name: Fetch secrets
run: |
echo "GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
echo "TWINE_PASSWORD=$(aws secretsmanager get-secret-value --secret-id PYPI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
- name: set asset path and name
id: get_package_name
run: |
package_name="$(ls dist/*.whl | cut -d "/" -f 2)"
echo "::set-output name=package_name::$package_name"
- name: Upload release binary
uses: actions/upload-release-asset@v1.0.2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ github.event.release.upload_url }}
asset_path: dist/${{ steps.get_package_name.outputs.package_name }}
asset_name: ${{ steps.get_package_name.outputs.package_name }}
asset_content_type: application/zip
- name: Authenticate GitHub workflow to AWS
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ env.AWS_ROLE }}
aws-region: ${{ env.AWS_REGION }}
- name: Fetch secrets
run: |
echo "TWINE_PASSWORD=$(aws secretsmanager get-secret-value --secret-id PYPI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
- name: Upload to PyPi
env:
TWINE_USERNAME: __token__
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ jobs:
Release:
name: CBMC viewer release
runs-on: ubuntu-20.04
permissions:
id-token: write
contents: write
steps:
- name: Checkout code
uses: actions/checkout@v2
Expand Down

0 comments on commit 68f1a57

Please sign in to comment.