use OIDC to retrieve the credentials (#2541)

umbynos · web-flow · commit 2ad8b878fd38 · 2024-02-16T15:04:03.000+01:00
diff --git a/.github/workflows/publish-go-nightly-task.yml b/.github/workflows/publish-go-nightly-task.yml
@@ -8,6 +8,7 @@ env:
   DIST_DIR: dist
   # The project's folder on Arduino's download server for uploading builds
   AWS_PLUGIN_TARGET: /arduino-cli/
+  AWS_REGION: "us-east-1"
   ARTIFACT_NAME: dist
 
 # See: https://docs.github.com/en/actions/reference/events-that-trigger-workflows
@@ -18,6 +19,10 @@ on:
   workflow_dispatch:
   repository_dispatch:
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+
 jobs:
   create-nightly-artifacts:
     outputs:
@@ -258,15 +263,20 @@ jobs:
           VERSION=${{ needs.create-nightly-artifacts.outputs.version }}
           sha256sum ${{ env.PROJECT_NAME }}_${VERSION}* > ${VERSION}-checksums.txt
 
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-session-name: "github_${{ env.PROJECT_NAME }}"
+          aws-region: ${{ env.AWS_REGION }}
+
       - name: Upload release files on Arduino downloads servers
         uses: docker://plugins/s3
         env:
           PLUGIN_SOURCE: "${{ env.DIST_DIR }}/*"
           PLUGIN_TARGET: "${{ env.AWS_PLUGIN_TARGET }}nightly"
           PLUGIN_STRIP_PREFIX: "${{ env.DIST_DIR }}/"
           PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
   report:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-go-task.yml b/.github/workflows/release-go-task.yml
@@ -8,13 +8,18 @@ env:
   DIST_DIR: dist
   # The project's folder on Arduino's download server for uploading builds
   AWS_PLUGIN_TARGET: /arduino-cli/
+  AWS_REGION: "us-east-1"
   ARTIFACT_NAME: dist
 
 on:
   push:
     tags:
       - "v[0-9]+.[0-9]+.[0-9]+*"
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+
 jobs:
   create-release-artifacts:
     outputs:
@@ -283,15 +288,20 @@ jobs:
           # (all the files we need are in the DIST_DIR root)
           artifacts: ${{ env.DIST_DIR }}/*
 
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-session-name: "github_${{ env.PROJECT_NAME }}"
+          aws-region: ${{ env.AWS_REGION }}
+
       - name: Upload release files on Arduino downloads servers
         uses: docker://plugins/s3
         env:
           PLUGIN_SOURCE: "${{ env.DIST_DIR }}/*"
           PLUGIN_TARGET: ${{ env.AWS_PLUGIN_TARGET }}
           PLUGIN_STRIP_PREFIX: "${{ env.DIST_DIR }}/"
           PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
       - name: Update Homebrew formula
         if: steps.prerelease.outputs.IS_PRE != 'true'
