Fetch access tokens from AWS Secrets Manager

We no longer have non-rotating secrets stored in the repository
configuration. Implementation copied and adapted from proof-debugger.

.github/cloudformation/README.md

@@ -0,0 +1,3 @@
+These are
+[AWS CloudFormation templates](https://aws.amazon.com/cloudformation/resources/templates/)
+for maintaining pypi and homebrew credentials used to publish the CBMC viewer.

.github/cloudformation/oidc.yaml

@@ -0,0 +1,23 @@
+Description:
+ Register the GitHub identity provider with the AWS security token service.
+
+Resources:
+ GithubIdentityProvider:
+ Type: AWS::IAM::OIDCProvider
+ Properties:
+ Url:
+ # The GitHub identity provider supporting OIDC
+ https://token.actions.githubusercontent.com
+ ThumbprintList:
+ # The GitHub certification authority (the signature of its certificate)
+ - 6938fd4d98bab03faadb97b34396831e3780aea1
+ ClientIdList:
+ # The AWS security token service
+ - sts.amazonaws.com
+
+
+Outputs:
+ GithubIdentityProvider:
+ Value: !Ref GithubIdentityProvider
+ Export:
+ Name: GithubIdentityProvider

.github/cloudformation/token.yaml

@@ -0,0 +1,77 @@
+Description: >
+ Enable storage of access tokens in AWS Secrets Manager and access to the PAT
+ from the GitHub workflows in model-checking/cbmc-viewer.
+
+Parameters:
+ GithubRepoOrganization:
+ Type: String
+ Description: GitHub organization for the CBMC viewer
+ Default: model-checking
+ CbmcViewerRepoName:
+ Type: String
+ Description: GitHub repository for CBMC viewer
+ Default: cbmc-viewer
+ CbmcViewerPublicationTag:
+ Type: String
+ Description: GitHub tag for CBMC viewer triggering the GitHub publication workflow
+ Default: viewer-*
+
+Resources:
+
+ BrewBotEmail:
+ Type: AWS::SecretsManager::Secret
+ Properties:
+ Name: BOT_EMAIL
+ Description: >
+ The email address to use with Homebrew commits.
+
+ BrewToken:
+ Type: AWS::SecretsManager::Secret
+ Properties:
+ Name: RELEASE_CI_ACCESS_TOKEN
+ Description: >
+ GitHub access token.
+
+ PypiToken:
+ Type: AWS::SecretsManager::Secret
+ Properties:
+ Name: PYPI_ACCESS_TOKEN
+ Description: >
+ Pypi access token.
+
+ PublisherTokenReader:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: PublisherTokenReader
+ Description: >
+ This role can retrieve the personal access token for the model
+ checking publisher in the Microsoft Marketplace.
+
+ AssumeRolePolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Principal:
+ Federated: !ImportValue GithubIdentityProvider
+ Action: sts:AssumeRoleWithWebIdentity
+ Condition:
+ StringEquals:
+ token.actions.githubusercontent.com:aud: sts.amazonaws.com
+ StringLike:
+ token.actions.githubusercontent.com:sub:
+ !Sub repo:${GithubRepoOrganization}/${CbmcViewerRepoName}:ref:refs/tags/${CbmcViewerPublicationTag}
+
+ Policies:
+ - PolicyName: PublisherTokenAccess
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action: secretsmanager:GetSecretValue
+ Resource: !Ref BrewBotEmail
+ - Effect: Allow
+ Action: secretsmanager:GetSecretValue
+ Resource: !Ref BrewToken
+ - Effect: Allow
+ Action: secretsmanager:GetSecretValue
+ Resource: !Ref PypiToken

.github/workflows/release-brew.yaml

@@ -46,29 +46,37 @@ env:
  FORMULA: cbmc-viewer
  TAP: aws/tap
  BOT_USER: aws-viewer-for-cbmc-release-ci
- BOT_EMAIL: ${{ secrets.BOT_EMAIL }}
- BOT_TOKEN: ${{ secrets.RELEASE_CI_ACCESS_TOKEN }}
  RELEASE_TAG: ${GITHUB_REF/refs\/tags\/} # GITHUB_REF = refs/tags/STRING-MAJOR.MINOR
  VERSION: $(echo $GITHUB_REF | cut -d "/" -f 3 | cut -d "-" -f 2)
- FORK_REPO: https://$BOT_TOKEN@github.com/$BOT_USER/homebrew-$(echo $TAP |cut -d "/" -f 2).git
+ AWS_ROLE: arn:aws:iam::${{secrets.AWS_ACCOUNT}}:role/PublisherTokenReader
+ AWS_REGION: us-west-2
 
 jobs:
  homebrew-pr:
  name: Homebrew Bump Formula PR
  runs-on: macos-latest
  steps:
+ - name: Authenticate GitHub workflow to AWS
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ env.AWS_ROLE }}
+ aws-region: ${{ env.AWS_REGION }}
+
+ - name: Fetch secrets
+ run: |
+ echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV
+ echo "HOMEBREW_GITHUB_API_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+
  - name: Configure git user name and email
  run: |
  git config --global user.name ${{ env.BOT_USER }}
- git config --global user.email ${{ env.BOT_EMAIL }}
+ git config --global user.email $BOT_EMAIL
 
  - name: Create homebrew PR
  run: |
  brew tap ${{ env.TAP }}
  brew update-reset
  brew bump-formula-pr --tag "${{ env.RELEASE_TAG }}" --revision "$GITHUB_SHA" ${{ env.TAP }}/${{ env.FORMULA }} --force
- env:
- HOMEBREW_GITHUB_API_TOKEN: ${{ env.BOT_TOKEN }}
 
  build-bottle:
  needs: homebrew-pr
@@ -81,12 +89,24 @@ jobs:
  id: set-up-homebrew
  uses: Homebrew/actions/setup-homebrew@master
 
+ - name: Authenticate GitHub workflow to AWS
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ env.AWS_ROLE }}
+ aws-region: ${{ env.AWS_REGION }}
+
+ - name: Fetch secrets
+ run: |
+ echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV
+ echo "HOMEBREW_GITHUB_API_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+ echo "FORK_REPO=https://$HOMEBREW_GITHUB_API_TOKEN@github.com/$BOT_USER/homebrew-$(echo $TAP |cut -d / -f 2).git" >> $GITHUB_ENV
+
  - name: Checkout PR
  run: |
  brew tap ${{ env.TAP }}
  brew update-reset
  cd $(brew --repo ${{ env.TAP }})
- git remote add fork-repo ${{ env.FORK_REPO }}
+ git remote add fork-repo $FORK_REPO
  git fetch fork-repo
  git checkout -B bump-${{ env.FORMULA }}-${{ env.VERSION }} fork-repo/bump-${{ env.FORMULA }}-${{ env.VERSION }}
 
@@ -136,17 +156,29 @@ jobs:
  with:
  name: bottles
 
+ - name: Authenticate GitHub workflow to AWS
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ env.AWS_ROLE }}
+ aws-region: ${{ env.AWS_REGION }}
+
+ - name: Fetch secrets
+ run: |
+ echo "BOT_EMAIL=$(aws secretsmanager get-secret-value --secret-id BOT_EMAIL | jq -r '.SecretString')" >> $GITHUB_ENV
+ echo "HOMEBREW_GITHUB_API_TOKEN=$(aws secretsmanager get-secret-value --secret-id RELEASE_CI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
+ echo "FORK_REPO=https://$HOMEBREW_GITHUB_API_TOKEN@github.com/$BOT_USER/homebrew-$(echo $TAP |cut -d / -f 2).git" >> $GITHUB_ENV
+
  - name: Configure git user name and email
  run: |
  git config --global user.name ${{ env.BOT_USER }}
- git config --global user.email ${{ env.BOT_EMAIL }}
+ git config --global user.email BOT_EMAIL
 
  - name: Checkout PR
  run: |
  brew tap ${{ env.TAP }}
  brew update-reset
  cd $(brew --repo ${{ env.TAP }})
- git remote add fork-repo ${{ env.FORK_REPO }}
+ git remote add fork-repo $FORK_REPO
  git fetch fork-repo
  git checkout -B bump-${{ env.FORMULA }}-${{ env.VERSION }} fork-repo/bump-${{ env.FORMULA }}-${{ env.VERSION }}
 

.github/workflows/release-pypi.yaml

@@ -3,6 +3,10 @@ on:
  release:
  types: [created]
 
+env:
+ AWS_ROLE: arn:aws:iam::${{secrets.AWS_ACCOUNT}}:role/PublisherTokenReader
+ AWS_REGION: us-west-2
+
 jobs:
  upload-to-pypi:
  name: Upload to PyPi
@@ -27,8 +31,15 @@ jobs:
  asset_path: dist/${{ steps.get_package_name.outputs.package_name }}
  asset_name: ${{ steps.get_package_name.outputs.package_name }}
  asset_content_type: application/zip
+ - name: Authenticate GitHub workflow to AWS
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ env.AWS_ROLE }}
+ aws-region: ${{ env.AWS_REGION }}
+ - name: Fetch secrets
+ run: |
+ echo "TWINE_PASSWORD=$(aws secretsmanager get-secret-value --secret-id PYPI_ACCESS_TOKEN | jq -r '.SecretString')" >> $GITHUB_ENV
  - name: Upload to PyPi
  env:
  TWINE_USERNAME: __token__
- TWINE_PASSWORD: ${{ secrets.PYPI_ACCESS_TOKEN }}
  run: python3 -m twine upload dist/*

.github/workflows/release.yaml

@@ -10,7 +10,7 @@ jobs:
  name: CBMC viewer release
  runs-on: ubuntu-20.04
  env:
- GITHUB_TOKEN: ${{ secrets.RELEASE_CI_ACCESS_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  steps:
  - name: Checkout code
  uses: actions/checkout@v2