Update ECR PW #700
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update ECR PW | |
| on: | |
| schedule: | |
| # CodeArtifact token expires in 12 hours, update token every 11 hours | |
| - cron: 02 */11 * * * | |
| # Allows you to run this workflow manually from the Actions tab | |
| workflow_dispatch: | |
| jobs: | |
| update-ecr-pw: | |
| runs-on: ubuntu-latest | |
| # These permissions are needed to interact with GitHub's OIDC Token endpoint. | |
| permissions: | |
| id-token: write | |
| contents: read | |
| env: | |
| # need an Github Access token with Admin access to update secret | |
| GH_TOKEN: ${{ secrets.GH_CLI }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: aws-actions/configure-aws-credentials@v2 | |
| with: | |
| aws-region: us-gov-west-1 | |
| # should be the arn to your role created for oidc | |
| role-to-assume: arn:aws-us-gov:iam::008577686731:role/gha-frontend-prod-role | |
| - name: Get pw and update secret | |
| run: | | |
| export ECR_PW=`aws ecr get-login-password --region us-gov-west-1 --output text` | |
| gh secret set AWS_ECR_PW --org department-of-veterans-affairs --visibility all --body "$ECR_PW" |