From f328e3c4ab13cab6fa6cff6e293d04eecd06ed24 Mon Sep 17 00:00:00 2001
From: Giacomo Cusinato <7659518+giacomocusinato@users.noreply.github.com>
Date: Wed, 5 Mar 2025 21:46:08 +0700
Subject: [PATCH] chore: use AWS OpenID Connect for S3 publish
---
 .github/workflows/build.yml | 51 ++++++++++++--------
 .github/workflows/compose-full-changelog.yml | 21 +++++---
 2 files changed, 43 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e4e09b73f..5bb25811a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -203,7 +203,7 @@ jobs:
 echo "is-nightly=$is_nightly" >> $GITHUB_OUTPUT
 echo "channel-name=$channel_name" >> $GITHUB_OUTPUT
 # Only attempt upload to Amazon S3 if the credentials are available.
- echo "publish-to-s3=${{ secrets.AWS_SECRET_ACCESS_KEY != '' }}" >> $GITHUB_OUTPUT
+ echo "publish-to-s3=${{ secrets.AWS_ROLE_ARN != '' }}" >> $GITHUB_OUTPUT
 select-targets:
 needs: build-type-determination
@@ -284,8 +284,6 @@ jobs:
 - build-type-determination
 - select-targets
 env:
- # https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
- ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
 # Location of artifacts generated by build.
 BUILD_ARTIFACTS_PATH: electron-app/dist/build-artifacts
 # to skip passing signing credentials to electron-builder
@@ -363,8 +361,6 @@ jobs:
 AC_USERNAME: ${{ secrets.AC_USERNAME }}
 AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
 AC_TEAM_ID: ${{ secrets.AC_TEAM_ID }}
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 IS_NIGHTLY: ${{ needs.build-type-determination.outputs.is-nightly }}
 IS_RELEASE: ${{ needs.build-type-determination.outputs.is-release }}
 CAN_SIGN: ${{ secrets[matrix.config.certificate-secret] != '' }}
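Review bot: The `publish-to-s3` gate on the added line evaluates `secrets.AWS_ROLE_ARN` inside the `build-type-determination` job, which carries no `environment:` of its own, while the jobs that consume the output are now bound to `environment: production`. If `AWS_ROLE_ARN` is defined only as an environment-scoped secret, it expands to an empty string here, the gate is always `false`, and the release upload is silently skipped; it must be a repository-level secret, or the check has to move into a job that runs under the environment — the secret's scope is not visible in the diff, so this needs confirming. The inline comment still says "if the credentials are available"; with OIDC the value is a role ARN rather than a credential, so `# Only attempt upload to Amazon S3 if the OIDC role ARN to assume is configured.` describes the check more accurately. The enclosing `run:` step continues outside the hunk.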
@@ -588,6 +584,12 @@ jobs:
 env:
 ARTIFACTS_FOLDER: build-artifacts
+ environment: production
+
+ permissions:
+ id-token: write
+ contents: read
+
 steps:
 - name: Download all job transfer artifacts
 uses: actions/download-artifact@v4
@@ -596,15 +598,15 @@ jobs:
 path: ${{ env.ARTIFACTS_FOLDER }}
 pattern: ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}*
+ - name: Configure AWS Credentials for Nightly [S3]
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: us-east-1
+
 - name: Publish Nightly [S3]
- uses: docker://plugins/s3
- env:
- PLUGIN_SOURCE: '${{ env.ARTIFACTS_FOLDER }}/*'
- PLUGIN_STRIP_PREFIX: '${{ env.ARTIFACTS_FOLDER }}/'
- PLUGIN_TARGET: '/arduino-ide/nightly'
- PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ run: |
+ aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide/nightly
 release:
 needs:
@@ -625,6 +627,12 @@ jobs:
 env:
 ARTIFACTS_FOLDER: build-artifacts
+ environment: production
+
+ permissions:
+ id-token: write
+ contents: read
+
 steps:
 - name: Download all job transfer artifacts
 uses: actions/download-artifact@v4
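Review bot: `environment: production` is attached unconditionally to the nightly publish job, and the same block is repeated on the `release` job in the `@@ -625` hunk and on `create-changelog` in compose-full-changelog.yml. A GitHub environment can carry protection rules (required reviewers, wait timers, deployment-branch restrictions); if any are enabled on `production`, a scheduled nightly run will sit waiting for approval instead of publishing — the job's trigger and the environment settings are outside the diff, so this is an inference to check. The `permissions:` block has the right minimal shape for OIDC, but its purpose is not obvious to the next reader; a comment above it such as `# id-token: write lets configure-aws-credentials request the OIDC token used to assume AWS_ROLE_ARN; every other scope is dropped.` records why the job needs it.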
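Review bot: The new `run:` line splices `${{ env.ARTIFACTS_FOLDER }}` and `${{ secrets.DOWNLOADS_BUCKET }}` into the shell script at template-expansion time; the same pattern appears in the release hunk at `@@ -648` and in compose-full-changelog.yml at `@@ -44`. Both values are repository-controlled today, so there is no injection path in this commit, but expansion inside `run:` is the construct GitHub's workflow-hardening guidance advises against, and passing them through as shell variables keeps the script safe if either source ever changes: `env:` / `  DOWNLOADS_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}` / `run: aws s3 sync "$ARTIFACTS_FOLDER" "s3://$DOWNLOADS_BUCKET/arduino-ide/nightly"` (`ARTIFACTS_FOLDER` is already in the job `env:`), which also drops the `|` block header that wraps a single command. Setting `role-session-name:` on the `configure-aws-credentials` step would make these uploads attributable per workflow in CloudTrail rather than under the action's default session name.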
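Review bot: The job-level `permissions:` block added to the `release` job replaces the workflow's default token scopes for the entire job, not only for the two S3 steps, and it grants `contents: read`. The same job publishes the GitHub release (the `file_glob` / `body` inputs are visible as context in the `@@ -648` hunk); if that upload step authenticates with `secrets.GITHUB_TOKEN`, creating the release and attaching assets needs `contents: write` and will fail with a 403 after this change, whereas a PAT-backed token is unaffected — the step's token input is outside the hunk, so it has to be checked. If it is `GITHUB_TOKEN`, the line should read `contents: write`, with a comment noting that the release upload, not the S3 sync, is what requires it.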
@@ -648,16 +656,17 @@ jobs:
 file_glob: true
 body: ${{ needs.changelog.outputs.BODY }}
+ - name: Configure AWS Credentials for Release [S3]
+ if: needs.build-type-determination.outputs.publish-to-s3 == 'true'
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: us-east-1
+
 - name: Publish Release [S3]
 if: needs.build-type-determination.outputs.publish-to-s3 == 'true'
- uses: docker://plugins/s3
- env:
- PLUGIN_SOURCE: '${{ env.ARTIFACTS_FOLDER }}/*'
- PLUGIN_STRIP_PREFIX: '${{ env.ARTIFACTS_FOLDER }}/'
- PLUGIN_TARGET: '/arduino-ide'
- PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ run: |
+ aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide
 clean:
 # This job must run after all jobs that use the transfer artifact.
diff --git a/.github/workflows/compose-full-changelog.yml b/.github/workflows/compose-full-changelog.yml
index d126f37f4..2c328e52e 100644
--- a/.github/workflows/compose-full-changelog.yml
+++ b/.github/workflows/compose-full-changelog.yml
@@ -14,6 +14,11 @@ jobs:
 create-changelog:
 if: github.repository == 'arduino/arduino-ide'
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ environment: production
+
 steps:
 - name: Checkout
 uses: actions/checkout@v4
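Review bot: In `create-changelog` the new keys are written as `permissions:` followed by `environment:`, with no blank line after `runs-on:`, while the two jobs in build.yml write `environment:` first, then a blank line, then `permissions:`. Key order carries no meaning to the runner, but the three jobs are now configured identically for OIDC and keeping one layout across both workflows makes that setup easier to grep and compare; I would reorder this block to match build.yml. As in build.yml, a one-line comment above `permissions:` naming why `id-token: write` is needed (it lets `configure-aws-credentials` request the OIDC token for `AWS_ROLE_ARN`) would help readers who see this file in isolation. The `create-changelog` job's trigger and remaining steps are outside the hunk.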
@@ -44,12 +49,12 @@ jobs:
 # Compose changelog
 yarn run compose-changelog "${{ github.workspace }}/${{ env.CHANGELOG_ARTIFACTS }}/$CHANGELOG_FILE_NAME"
+ - name: Configure AWS Credentials for Changelog [S3]
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: us-east-1
+
 - name: Publish Changelog [S3]
- uses: docker://plugins/s3
- env:
- PLUGIN_SOURCE: '${{ env.CHANGELOG_ARTIFACTS }}/*'
- PLUGIN_STRIP_PREFIX: '${{ env.CHANGELOG_ARTIFACTS }}/'
- PLUGIN_TARGET: '/arduino-ide/changelog'
- PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ run: |
+ aws s3 sync ${{ env.CHANGELOG_ARTIFACTS }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide/changelog
\ No newline at end of file
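Review bot: The new final line of compose-full-changelog.yml is written without a trailing newline (`\ No newline at end of file` follows only the added line, so the removed version did end correctly), which yamllint's `new-line-at-end-of-file` rule flags and which makes the next diff touching this file noisier than it needs to be; the file should end with a single newline after the `aws s3 sync` line. The `run: |` literal block wraps a single command, so the header adds nothing over the plain form `run: aws s3 sync …`.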