From 82fa1a7dfc43169a2d07943ce2834a15cc900ff9 Mon Sep 17 00:00:00 2001
From: Doug Chapman <dougch@amazon.com>
Date: Thu, 17 Oct 2024 18:43:36 +0000
Subject: [PATCH 1/5] chore: update qns actions for OIDC

---
 .github/workflows/qns.yml | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index 32ba590f50..c4bc095f7d 100644
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
@@ -30,6 +30,9 @@ env:
 # should we taken before adding more permissions.
 permissions:
   statuses: write
+  id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
+
 
 jobs:
   env:
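Review bot: `id-token: write` is granted at the workflow level here, so every job in qns.yml can mint an OIDC token, not only the jobs that later call `aws-actions/configure-aws-credentials`; the comment immediately above the block asks for exactly this kind of care before widening permissions. Scoping it per job (`permissions: { id-token: write, contents: read }` on the jobs that assume a role, and `contents: read` alone on the rest) keeps the token unavailable to build-only jobs. The effective blast radius also depends on the IAM role's trust policy binding the token's `sub` claim to this repository and the intended refs, which is outside the patch and should be confirmed. Minor: the added blank line plus the existing one leaves two consecutive blank lines before `jobs:`.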
@@ -213,8 +216,8 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2ntlsGHAS3Session
           aws-region: us-west-1
 
       - name: Upload to S3
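Review bot: `role-session-name` is a fixed literal, so every workflow run shows up in CloudTrail as the same session and cannot be traced back to a run; appending the run id, e.g. `role-session-name: S2ntlsGHAS3Session-${{ github.run_id }}`, keeps the name within STS limits and makes each assumption attributable. The role ARN (account id included) is repeated verbatim in this hunk and again at the hunks ending on L47, L141 and L154, which makes a future account or role rename a multi-site edit; hoisting it into the workflow `env:` block shown in the first hunk's header and referencing `${{ env.AWS_OIDC_ROLE }}` (constructed name) would give one place to change it. The enclosing job starts outside the hunk.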
@@ -305,9 +308,9 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2ntlsGHAS3Session
+          aws-region: us-west-2
 
       - name: Upload to S3
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -361,14 +364,20 @@ jobs:
           sudo apt-get -o Acquire::Retries=3 update
           sudo apt-get -o Acquire::Retries=3 install -y gnuplot
 
+      - uses: aws-actions/configure-aws-credentials@v4.0.2
+        if: github.repository == github.event.pull_request.head.repo.full_name
+        with:
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole
+          role-session-name: S2ntlsGHAECRSession
+          aws-region: us-west-2
+
       # authenticate pull to avoid hitting pull quota
-      - name: Login to Amazon Elastic Container Registry Public
+      - name: Login to Amazon ECR Public
         if: github.repository == github.event.pull_request.head.repo.full_name
-        uses: docker/login-action@v3.3.0
+        id: login-ecr-public
+        uses: aws-actions/amazon-ecr-login@v2
         with:
-          registry: public.ecr.aws
-          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          registry-type: public
 
       - name: Pull s2n-quic-qns:main
         if: github.event.pull_request
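Review bot: The login step gains `id: login-ecr-public`, but nothing in this hunk reads `steps.login-ecr-public.outputs`; if no later step consumes it, the `id:` is dead weight and should be dropped, otherwise a short comment naming the consumer would help. The new `configure-aws-credentials` step has no `name:` while the login step right after it does; the earlier credential steps in this file also lack one, so it is a file-wide style point rather than a defect. Both new steps share the `github.repository == github.event.pull_request.head.repo.full_name` guard, which is false on `push` events, matching the docker/login-action step they replace. The enclosing job starts and ends outside the hunk.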

From 86f58492ab8cf0dd5a1b5336797978b2a31df650 Mon Sep 17 00:00:00 2001
From: Doug Chapman <dougch@amazon.com>
Date: Thu, 17 Oct 2024 21:17:04 +0000
Subject: [PATCH 2/5] ECR region change

---
 .github/workflows/qns.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index c4bc095f7d..7239d477a7 100644
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
@@ -369,7 +369,7 @@ jobs:
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole
           role-session-name: S2ntlsGHAECRSession
-          aws-region: us-west-2
+          aws-region: us-east-1
 
       # authenticate pull to avoid hitting pull quota
       - name: Login to Amazon ECR Public

From a63ba04a2e055db62a587cf2f1809cb441249111 Mon Sep 17 00:00:00 2001
From: Doug Chapman <dougch@amazon.com>
Date: Thu, 17 Oct 2024 21:34:40 +0000
Subject: [PATCH 3/5] final qns credentials needing OIDC

---
 .github/workflows/qns.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index 7239d477a7..2d4f619c68 100644
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
@@ -218,7 +218,7 @@ jobs:
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
           role-session-name: S2ntlsGHAS3Session
-          aws-region: us-west-1
+          aws-region: us-west-2
 
       - name: Upload to S3
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -369,7 +369,7 @@ jobs:
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole
           role-session-name: S2ntlsGHAECRSession
-          aws-region: us-east-1
+          aws-region: us-east-1   # Required for ECR
 
       # authenticate pull to avoid hitting pull quota
       - name: Login to Amazon ECR Public
@@ -417,9 +417,9 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2ntlsGHAS3Session
+          aws-region: us-west-2
 
       - name: Upload results
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -565,9 +565,9 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-1
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+          role-session-name: S2ntlsGHAS3Session
+          aws-region: us-west-2
 
       - name: Upload results
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name

From e711a5400b7a4d2593c69e76bcde503bdbb593df Mon Sep 17 00:00:00 2001
From: Doug Chapman <dougch@amazon.com>
Date: Thu, 17 Oct 2024 21:50:01 +0000
Subject: [PATCH 4/5] update qns release workflow with OIDC changes

---
 .github/workflows/release.yml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 64e2fd3a4d..6635b328bf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,6 +14,10 @@ on:
 
 name: release
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
+
 jobs:
   qns:
     runs-on: ubuntu-latest
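Review bot: release.yml had no top-level `permissions:` block before; adding one with only `id-token: write` and `contents: read` drops every other `GITHUB_TOKEN` scope to none for the whole workflow. The same file logs into the GitHub Container Registry later (the "Login to GitHub Container Registry" step visible in the next hunk), and if that login or the subsequent push relies on `GITHUB_TOKEN` it will now fail with a permission error; in that case add `packages: write # needed if the GHCR push uses GITHUB_TOKEN`. If it uses a stored PAT instead, the block is fine as written, but that cannot be confirmed from the patch.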
@@ -41,13 +45,18 @@ jobs:
           fi
           echo "tags=${TAGS}" >> $GITHUB_OUTPUT
 
-      - name: Login to Amazon Elastic Container Registry Public
-        uses: docker/login-action@v3.3.0
+      - uses: aws-actions/configure-aws-credentials@v4.0.2
+        with:
+          role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole
+          role-session-name: S2ntlsGHAECRSession
+          aws-region: us-east-1   # Required for ECR
+
+      - name: Login to Amazon ECR Public
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
+        id: login-ecr-public
+        uses: aws-actions/amazon-ecr-login@v2
         with:
-          registry: public.ecr.aws
-          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          registry-type: public
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3.3.0
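Review bot: The new `configure-aws-credentials` step has no `if:` guard, whereas the ECR login step that follows keeps `if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name`; for any run that fails the guard (a fork pull request, if the workflow is triggered on `pull_request`), the role assumption now executes unconditionally and a failed assume-role will fail the job before the guarded step is even skipped. Add the same `if:` line to the new step so both steps are skipped together. As in qns.yml, `id: login-ecr-public` has no visible consumer in this hunk. The enclosing job starts outside the hunk.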

From 8fa9c91d704442976b36850df674b9610763eedc Mon Sep 17 00:00:00 2001
From: Doug Chapman <dougch@amazon.com>
Date: Thu, 17 Oct 2024 22:47:31 +0000
Subject: [PATCH 5/5] Fix the session names

---
 .github/workflows/qns.yml     | 10 +++++-----
 .github/workflows/release.yml |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index 2d4f619c68..b9ccb9aacb 100644
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
@@ -217,7 +217,7 @@ jobs:
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
-          role-session-name: S2ntlsGHAS3Session
+          role-session-name: S2nQuicGHAS3Session
           aws-region: us-west-2
 
       - name: Upload to S3
@@ -309,7 +309,7 @@ jobs:
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
-          role-session-name: S2ntlsGHAS3Session
+          role-session-name: S2nQuicGHAS3Session
           aws-region: us-west-2
 
       - name: Upload to S3
@@ -368,7 +368,7 @@ jobs:
         if: github.repository == github.event.pull_request.head.repo.full_name
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole
-          role-session-name: S2ntlsGHAECRSession
+          role-session-name: S2nQuicGHAECRSession
           aws-region: us-east-1   # Required for ECR
 
       # authenticate pull to avoid hitting pull quota
@@ -418,7 +418,7 @@ jobs:
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
-          role-session-name: S2ntlsGHAS3Session
+          role-session-name: S2nQuicGHAS3Session
           aws-region: us-west-2
 
       - name: Upload results
@@ -566,7 +566,7 @@ jobs:
         if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
-          role-session-name: S2ntlsGHAS3Session
+          role-session-name: S2nQuicGHAS3Session
           aws-region: us-west-2
 
       - name: Upload results
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6635b328bf..42ea238bfa 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -48,7 +48,7 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4.0.2
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole
-          role-session-name: S2ntlsGHAECRSession
+          role-session-name: S2nQuicGHAECRSession
           aws-region: us-east-1   # Required for ECR
 
       - name: Login to Amazon ECR Public