From 82fa1a7dfc43169a2d07943ce2834a15cc900ff9 Mon Sep 17 00:00:00 2001
From: Doug Chapman
Date: Thu, 17 Oct 2024 18:43:36 +0000
Subject: [PATCH 1/5] chore: update qns actions for OIDC
---
 .github/workflows/qns.yml | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index 32ba590f50..c4bc095f7d 100644
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
@@ -30,6 +30,9 @@ env: # should we taken before adding more permissions. permissions: statuses: write + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: env:
@@ -213,8 +216,8 @@ jobs: - uses: aws-actions/configure-aws-credentials@v4.0.2 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole + role-session-name: S2ntlsGHAS3Session aws-region: us-west-1 - name: Upload to S3
@@ -305,9 +308,9 @@ jobs: - uses: aws-actions/configure-aws-credentials@v4.0.2 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-west-1 + role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole + role-session-name: S2ntlsGHAS3Session + aws-region: us-west-2 - name: Upload to S3 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
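Review bot: `id-token: write` is added at the workflow level in the @@ -30 hunk, so every job in qns.yml can request an OIDC token even though only the jobs that call configure-aws-credentials (the @@ -213 and @@ -305 hunks here, and the ones later in the series) need it; the context comment just above the block asks for exactly this kind of restraint before widening permissions. Scope it to those jobs instead: add `permissions:` / `id-token: write` / `contents: read` (plus `statuses: write` where that job needs it) under each AWS-using job, remembering that a job-level block replaces the workflow-level one rather than extending it. The trust policy of `GitHubOIDCRole` is not on this page; it should condition on the token's `sub` claim for this repository and the branches or events that upload, so the hard-coded role ARN alone is not enough to assume it.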
@@ -361,14 +364,20 @@ jobs: sudo apt-get -o Acquire::Retries=3 update sudo apt-get -o Acquire::Retries=3 install -y gnuplot + - uses: aws-actions/configure-aws-credentials@v4.0.2 + if: github.repository == github.event.pull_request.head.repo.full_name + with: + role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole + role-session-name: S2ntlsGHAECRSession + aws-region: us-west-2 + # authenticate pull to avoid hitting pull quota - - name: Login to Amazon Elastic Container Registry Public + - name: Login to Amazon ECR Public if: github.repository == github.event.pull_request.head.repo.full_name - uses: docker/login-action@v3.3.0 + id: login-ecr-public + uses: aws-actions/amazon-ecr-login@v2 with: - registry: public.ecr.aws - username: ${{ secrets.AWS_ACCESS_KEY_ID }} - password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + registry-type: public - name: Pull s2n-quic-qns:main if: github.event.pull_request
From 86f58492ab8cf0dd5a1b5336797978b2a31df650 Mon Sep 17 00:00:00 2001
From: Doug Chapman
Date: Thu, 17 Oct 2024 21:17:04 +0000
Subject: [PATCH 2/5] ECR region change
---
 .github/workflows/qns.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index c4bc095f7d..7239d477a7 100644
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
@@ -369,7 +369,7 @@ jobs: with: role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole role-session-name: S2ntlsGHAECRSession - aws-region: us-west-2 + aws-region: us-east-1 # authenticate pull to avoid hitting pull quota - name: Login to Amazon ECR Public
From a63ba04a2e055db62a587cf2f1809cb441249111 Mon Sep 17 00:00:00 2001
From: Doug Chapman
Date: Thu, 17 Oct 2024 21:34:40 +0000
Subject: [PATCH 3/5] final qns credentials needing OIDC
---
 .github/workflows/qns.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index 7239d477a7..2d4f619c68 100644
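Review bot: In the @@ -361 hunk the new `uses: aws-actions/amazon-ecr-login@v2` line pins the action to a floating major tag while the `configure-aws-credentials@v4.0.2` line beside it pins a patch tag; both are mutable tags, so the steps that receive the assumed-role credentials run whatever the upstream tag points at on the day. Pin each to a full commit SHA with the version kept in a trailing comment, e.g. `uses: aws-actions/amazon-ecr-login@<full-commit-sha> # v2` (placeholder; take the SHA from the release you intend to use). The same applies to every configure-aws-credentials and amazon-ecr-login line added in the later patches of this series, including release.yml.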
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
@@ -218,7 +218,7 @@ jobs: with: role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole role-session-name: S2ntlsGHAS3Session - aws-region: us-west-1 + aws-region: us-west-2 - name: Upload to S3 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -369,7 +369,7 @@ jobs: with: role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole role-session-name: S2ntlsGHAECRSession - aws-region: us-east-1 + aws-region: us-east-1 # Required for ECR # authenticate pull to avoid hitting pull quota - name: Login to Amazon ECR Public
@@ -417,9 +417,9 @@ jobs: - uses: aws-actions/configure-aws-credentials@v4.0.2 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-west-1 + role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole + role-session-name: S2ntlsGHAS3Session + aws-region: us-west-2 - name: Upload results if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -565,9 +565,9 @@ jobs: - uses: aws-actions/configure-aws-credentials@v4.0.2 if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-west-1 + role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole + role-session-name: S2ntlsGHAS3Session + aws-region: us-west-2 - name: Upload results if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
From e711a5400b7a4d2593c69e76bcde503bdbb593df Mon Sep 17 00:00:00 2001
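Review bot: The comment added in the @@ -369 hunk, `aws-region: us-east-1 # Required for ECR`, states a constraint without the reason, and a reader comparing it with the `us-west-2` that the other hunks of this commit switch the S3 jobs to may take it for a leftover. ECR Public only issues its authorization tokens from us-east-1, which is what fixes this region regardless of where the rest of the workflow runs; say so: `aws-region: us-east-1 # ECR Public auth tokens are only issued in us-east-1`. The same comment is copied into release.yml in the next patch and would benefit from the same wording.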
From: Doug Chapman
Date: Thu, 17 Oct 2024 21:50:01 +0000
Subject: [PATCH 4/5] update qns release workflow with OIDC changes
---
 .github/workflows/release.yml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 64e2fd3a4d..6635b328bf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,6 +14,10 @@ on: name: release +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: qns: runs-on: ubuntu-latest
@@ -41,13 +45,18 @@ jobs: fi echo "tags=${TAGS}" >> $GITHUB_OUTPUT - - name: Login to Amazon Elastic Container Registry Public - uses: docker/login-action@v3.3.0 + - uses: aws-actions/configure-aws-credentials@v4.0.2 + with: + role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole + role-session-name: S2ntlsGHAECRSession + aws-region: us-east-1 # Required for ECR + + - name: Login to Amazon ECR Public if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name + id: login-ecr-public + uses: aws-actions/amazon-ecr-login@v2 with: - registry: public.ecr.aws - username: ${{ secrets.AWS_ACCESS_KEY_ID }} - password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + registry-type: public - name: Login to GitHub Container Registry uses: docker/login-action@v3.3.0
From 8fa9c91d704442976b36850df674b9610763eedc Mon Sep 17 00:00:00 2001
From: Doug Chapman
Date: Thu, 17 Oct 2024 22:47:31 +0000
Subject: [PATCH 5/5] Fix the session names
---
 .github/workflows/qns.yml | 10 +++++-----
 .github/workflows/release.yml | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index 2d4f619c68..b9ccb9aacb 100644
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
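Review bot: The @@ -14 hunk introduces a top-level `permissions:` block into release.yml where there was none, which moves the GITHUB_TOKEN from the repository's default scopes to exactly `id-token: write` and `contents: read`, with every unlisted scope dropped to none. The `Login to GitHub Container Registry` step that appears as context at the end of the next hunk is shown without its credentials and the rest of the job is outside the hunk; if it authenticates with `GITHUB_TOKEN` and the job pushes images to GHCR, the block now also needs `packages: write`. Worth confirming before merging, since the failure would surface only on a release run.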
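Review bot: In the @@ -41 hunk the new `aws-actions/configure-aws-credentials@v4.0.2` step has no `if:`, while the `Login to Amazon ECR Public` step immediately after it keeps `if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name`. If release.yml ever runs for a pull request from a fork (its `on:` block is outside the hunk), the assume-role call is attempted for an event the login step would have skipped, and the job fails at that step instead of skipping cleanly. Give the credentials step the same `if:` line as the login step so the two are gated identically, as the qns.yml equivalents in patch 1 already are.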
@@ -217,7 +217,7 @@ jobs: if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name with: role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole - role-session-name: S2ntlsGHAS3Session + role-session-name: S2nQuicGHAS3Session aws-region: us-west-2 - name: Upload to S3
@@ -309,7 +309,7 @@ jobs: if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name with: role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole - role-session-name: S2ntlsGHAS3Session + role-session-name: S2nQuicGHAS3Session aws-region: us-west-2 - name: Upload to S3
@@ -368,7 +368,7 @@ jobs: if: github.repository == github.event.pull_request.head.repo.full_name with: role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole - role-session-name: S2ntlsGHAECRSession + role-session-name: S2nQuicGHAECRSession aws-region: us-east-1 # Required for ECR # authenticate pull to avoid hitting pull quota
@@ -418,7 +418,7 @@ jobs: if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name with: role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole - role-session-name: S2ntlsGHAS3Session + role-session-name: S2nQuicGHAS3Session aws-region: us-west-2 - name: Upload results
@@ -566,7 +566,7 @@ jobs: if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name with: role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole - role-session-name: S2ntlsGHAS3Session + role-session-name: S2nQuicGHAS3Session aws-region: us-west-2 - name: Upload results
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6635b328bf..42ea238bfa 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
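Review bot: The renamed session names in these hunks are still fixed strings (`S2nQuicGHAS3Session`, `S2nQuicGHAECRSession`), so every run of every job assumes the role under the same session and the assumed-role ARN recorded in CloudTrail cannot be tied back to a particular workflow run. Appending the run identifier keeps the recognisable prefix and makes each session traceable: `role-session-name: S2nQuicGHAS3Session-${{ github.run_id }}` in the four S3 hunks, and `role-session-name: S2nQuicGHAECRSession-${{ github.run_id }}` in the ECR hunk here and in the release.yml hunk that follows. The resulting value stays within the session-name character set and length limit.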
@@ -48,7 +48,7 @@ jobs: - uses: aws-actions/configure-aws-credentials@v4.0.2 with: role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole - role-session-name: S2ntlsGHAECRSession + role-session-name: S2nQuicGHAECRSession aws-region: us-east-1 # Required for ECR - name: Login to Amazon ECR Public