
Commit d2f4804

chore: use AWS OpenID Connect for S3 publish
1 parent 6d96e22 commit d2f4804


2 files changed

+38
-32
lines changed


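--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -203,7 +203,7 @@ jobs:
 echo "is-nightly=$is_nightly" >> $GITHUB_OUTPUT
 echo "channel-name=$channel_name" >> $GITHUB_OUTPUT
 # Only attempt upload to Amazon S3 if the credentials are available.
-echo "publish-to-s3=${{ secrets.AWS_SECRET_ACCESS_KEY != '' }}" >> $GITHUB_OUTPUT
+echo "publish-to-s3=${{ secrets.AWS_ROLE_ARN != '' }}" >> $GITHUB_OUTPUT
 
 select-targets:
 needs: build-type-determination
@@ -284,8 +284,6 @@ jobs:
 - build-type-determination
 - select-targets
 env:
-# https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
-ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
 # Location of artifacts generated by build.
 BUILD_ARTIFACTS_PATH: electron-app/dist/build-artifacts
 # to skip passing signing credentials to electron-builder
@@ -360,11 +358,6 @@ jobs:
 - name: Package
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-AC_USERNAME: ${{ secrets.AC_USERNAME }}
-AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
-AC_TEAM_ID: ${{ secrets.AC_TEAM_ID }}
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 IS_NIGHTLY: ${{ needs.build-type-determination.outputs.is-nightly }}
 IS_RELEASE: ${{ needs.build-type-determination.outputs.is-release }}
 CAN_SIGN: ${{ secrets[matrix.config.certificate-secret] != '' }}
@@ -588,6 +581,10 @@ jobs:
 env:
 ARTIFACTS_FOLDER: build-artifacts
 
+permissions:
+id-token: write
+contents: read
+
 steps:
 - name: Download all job transfer artifacts
 uses: actions/download-artifact@v4
@@ -596,15 +593,15 @@ jobs:
 path: ${{ env.ARTIFACTS_FOLDER }}
 pattern: ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}*
 
+- name: Configure AWS Credentials for Nightly [S3]
+uses: aws-actions/configure-aws-credentials@v4
+with:
+role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+aws-region: us-east-1
+
 - name: Publish Nightly [S3]
-uses: docker://plugins/s3
-env:
-PLUGIN_SOURCE: '${{ env.ARTIFACTS_FOLDER }}/*'
-PLUGIN_STRIP_PREFIX: '${{ env.ARTIFACTS_FOLDER }}/'
-PLUGIN_TARGET: '/arduino-ide/nightly'
-PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+run: |
+aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide/nightly
 
 release:
 needs:
@@ -625,6 +622,10 @@ jobs:
 env:
 ARTIFACTS_FOLDER: build-artifacts
 
+permissions:
+id-token: write
+contents: read
+
 steps:
 - name: Download all job transfer artifacts
 uses: actions/download-artifact@v4
@@ -648,16 +649,17 @@ jobs:
 file_glob: true
 body: ${{ needs.changelog.outputs.BODY }}
 
+- name: Configure AWS Credentials for Release [S3]
+if: needs.build-type-determination.outputs.publish-to-s3 == 'true'
+uses: aws-actions/configure-aws-credentials@v4
+with:
+role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+aws-region: us-east-1
+
 - name: Publish Release [S3]
 if: needs.build-type-determination.outputs.publish-to-s3 == 'true'
-uses: docker://plugins/s3
-env:
-PLUGIN_SOURCE: '${{ env.ARTIFACTS_FOLDER }}/*'
-PLUGIN_STRIP_PREFIX: '${{ env.ARTIFACTS_FOLDER }}/'
-PLUGIN_TARGET: '/arduino-ide'
-PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+run: |
+aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide
 
 clean:
 # This job must run after all jobs that use the transfer artifact.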
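Review bot: The `permissions:` block added to the `release` job in the `@@ -625` hunk sets `contents: read`, and a job-level `permissions:` replaces the default token scopes rather than extending them; the release-asset upload step visible as context in the `@@ -648` hunk (`file_glob: true`, `body: ...`) needs write access if it authenticates with `secrets.GITHUB_TOKEN`, so that job probably needs `contents: write` (the `release` job definition starts outside the hunk, so which token it uses is not visible here). The `@@ -360` hunk also drops `AC_USERNAME`, `AC_PASSWORD` and `AC_TEAM_ID` from the Package step, which the commit message does not mention; confirm that macOS notarization obtains its credentials elsewhere before this merges. Because `aws-actions/configure-aws-credentials` exchanges the workflow's OIDC token for cloud credentials, pin it to a full commit SHA instead of the floating `@v4` tag, e.g. `uses: aws-actions/configure-aws-credentials@<commit-sha>  # v4`, in all three Configure steps, including the one in compose-full-changelog.yml. On the AWS side the role's trust policy should restrict the `sub` claim to this repository and to the refs these jobs run from; that is outside the diff but is what keeps `id-token: write` from being usable by other workflows.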

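--- a/.github/workflows/compose-full-changelog.yml
+++ b/.github/workflows/compose-full-changelog.yml
@@ -14,6 +14,10 @@ jobs:
 create-changelog:
 if: github.repository == 'arduino/arduino-ide'
 runs-on: ubuntu-latest
+permissions:
+id-token: write
+contents: read
+
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -44,12 +48,12 @@ jobs:
 # Compose changelog
 yarn run compose-changelog "${{ github.workspace }}/${{ env.CHANGELOG_ARTIFACTS }}/$CHANGELOG_FILE_NAME"
 
+- name: Configure AWS Credentials for Changelog [S3]
+uses: aws-actions/configure-aws-credentials@v4
+with:
+role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+aws-region: us-east-1
+
 - name: Publish Changelog [S3]
-uses: docker://plugins/s3
-env:
-PLUGIN_SOURCE: '${{ env.CHANGELOG_ARTIFACTS }}/*'
-PLUGIN_STRIP_PREFIX: '${{ env.CHANGELOG_ARTIFACTS }}/'
-PLUGIN_TARGET: '/arduino-ide/changelog'
-PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+run: |
+aws s3 sync ${{ env.CHANGELOG_ARTIFACTS }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide/changelog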
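Review bot: The new `run:` block in the `@@ -44` hunk expands `${{ env.CHANGELOG_ARTIFACTS }}` and `${{ secrets.DOWNLOADS_BUCKET }}` directly into the shell script; both values are repository-controlled, so this is not an injection path today, but the hardened form keeps expressions out of `run:` and quotes the paths: add `env:` with `DOWNLOADS_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}` on the step and use `run: aws s3 sync "$CHANGELOG_ARTIFACTS" "s3://$DOWNLOADS_BUCKET/arduino-ide/changelog"` (`CHANGELOG_ARTIFACTS` is already in the `env` context, as the `yarn run compose-changelog` line shows). Unlike the release workflow, this Configure step has no `if:` tied to `AWS_ROLE_ARN` being set; the job-level `if: github.repository == 'arduino/arduino-ide'` makes that acceptable only if the secret is always defined there, otherwise the job now fails at assume-role rather than skipping the upload. `aws-region: us-east-1` is repeated in three steps across the two files; a single repository variable would keep them from drifting.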
