From 82fa1a7dfc43169a2d07943ce2834a15cc900ff9 Mon Sep 17 00:00:00 2001
From: Doug Chapman <dougch@amazon.com>
Date: Thu, 17 Oct 2024 18:43:36 +0000
Subject: [PATCH 1/5] chore: update qns actions for OIDC
---
.github/workflows/qns.yml | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index 32ba590f50..c4bc095f7d 100644
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
@@ -30,6 +30,9 @@ env:
# should we taken before adding more permissions.
permissions:
statuses: write
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
jobs:
env:
@@ -213,8 +216,8 @@ jobs:
- uses: aws-actions/configure-aws-credentials@v4.0.2
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2ntlsGHAS3Session
aws-region: us-west-1
- name: Upload to S3
@@ -305,9 +308,9 @@ jobs:
- uses: aws-actions/configure-aws-credentials@v4.0.2
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2ntlsGHAS3Session
+ aws-region: us-west-2
- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -361,14 +364,20 @@ jobs:
sudo apt-get -o Acquire::Retries=3 update
sudo apt-get -o Acquire::Retries=3 install -y gnuplot
+ - uses: aws-actions/configure-aws-credentials@v4.0.2
+ if: github.repository == github.event.pull_request.head.repo.full_name
+ with:
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole
+ role-session-name: S2ntlsGHAECRSession
+ aws-region: us-west-2
+
# authenticate pull to avoid hitting pull quota
- - name: Login to Amazon Elastic Container Registry Public
+ - name: Login to Amazon ECR Public
if: github.repository == github.event.pull_request.head.repo.full_name
- uses: docker/login-action@v3.3.0
+ id: login-ecr-public
+ uses: aws-actions/amazon-ecr-login@v2
with:
- registry: public.ecr.aws
- username: ${{ secrets.AWS_ACCESS_KEY_ID }}
- password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ registry-type: public
- name: Pull s2n-quic-qns:main
if: github.event.pull_request
From 86f58492ab8cf0dd5a1b5336797978b2a31df650 Mon Sep 17 00:00:00 2001
From: Doug Chapman <dougch@amazon.com>
Date: Thu, 17 Oct 2024 21:17:04 +0000
Subject: [PATCH 2/5] ECR region change
---
.github/workflows/qns.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index c4bc095f7d..7239d477a7 100644
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
@@ -369,7 +369,7 @@ jobs:
with:
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole
role-session-name: S2ntlsGHAECRSession
- aws-region: us-west-2
+ aws-region: us-east-1
# authenticate pull to avoid hitting pull quota
- name: Login to Amazon ECR Public
From a63ba04a2e055db62a587cf2f1809cb441249111 Mon Sep 17 00:00:00 2001
From: Doug Chapman <dougch@amazon.com>
Date: Thu, 17 Oct 2024 21:34:40 +0000
Subject: [PATCH 3/5] final qns credentials needing OIDC
---
.github/workflows/qns.yml | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index 7239d477a7..2d4f619c68 100644
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
@@ -218,7 +218,7 @@ jobs:
with:
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
role-session-name: S2ntlsGHAS3Session
- aws-region: us-west-1
+ aws-region: us-west-2
- name: Upload to S3
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -369,7 +369,7 @@ jobs:
with:
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole
role-session-name: S2ntlsGHAECRSession
- aws-region: us-east-1
+ aws-region: us-east-1 # Required for ECR
# authenticate pull to avoid hitting pull quota
- name: Login to Amazon ECR Public
@@ -417,9 +417,9 @@ jobs:
- uses: aws-actions/configure-aws-credentials@v4.0.2
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2ntlsGHAS3Session
+ aws-region: us-west-2
- name: Upload results
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
@@ -565,9 +565,9 @@ jobs:
- uses: aws-actions/configure-aws-credentials@v4.0.2
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
+ role-session-name: S2ntlsGHAS3Session
+ aws-region: us-west-2
- name: Upload results
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
From e711a5400b7a4d2593c69e76bcde503bdbb593df Mon Sep 17 00:00:00 2001
From: Doug Chapman <dougch@amazon.com>
Date: Thu, 17 Oct 2024 21:50:01 +0000
Subject: [PATCH 4/5] update qns release workflow with OIDC changes
---
.github/workflows/release.yml | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 64e2fd3a4d..6635b328bf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,6 +14,10 @@ on:
name: release
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
jobs:
qns:
runs-on: ubuntu-latest
@@ -41,13 +45,18 @@ jobs:
fi
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
- - name: Login to Amazon Elastic Container Registry Public
- uses: docker/login-action@v3.3.0
+ - uses: aws-actions/configure-aws-credentials@v4.0.2
+ with:
+ role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole
+ role-session-name: S2ntlsGHAECRSession
+ aws-region: us-east-1 # Required for ECR
+
+ - name: Login to Amazon ECR Public
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
+ id: login-ecr-public
+ uses: aws-actions/amazon-ecr-login@v2
with:
- registry: public.ecr.aws
- username: ${{ secrets.AWS_ACCESS_KEY_ID }}
- password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ registry-type: public
- name: Login to GitHub Container Registry
uses: docker/login-action@v3.3.0
From 8fa9c91d704442976b36850df674b9610763eedc Mon Sep 17 00:00:00 2001
From: Doug Chapman <dougch@amazon.com>
Date: Thu, 17 Oct 2024 22:47:31 +0000
Subject: [PATCH 5/5] Fix the session names
---
.github/workflows/qns.yml | 10 +++++-----
.github/workflows/release.yml | 2 +-
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
index 2d4f619c68..b9ccb9aacb 100644
--- a/.github/workflows/qns.yml
+++ b/.github/workflows/qns.yml
@@ -217,7 +217,7 @@ jobs:
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2ntlsGHAS3Session
+ role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2
- name: Upload to S3
@@ -309,7 +309,7 @@ jobs:
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2ntlsGHAS3Session
+ role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2
- name: Upload to S3
@@ -368,7 +368,7 @@ jobs:
if: github.repository == github.event.pull_request.head.repo.full_name
with:
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole
- role-session-name: S2ntlsGHAECRSession
+ role-session-name: S2nQuicGHAECRSession
aws-region: us-east-1 # Required for ECR
# authenticate pull to avoid hitting pull quota
@@ -418,7 +418,7 @@ jobs:
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2ntlsGHAS3Session
+ role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2
- name: Upload results
@@ -566,7 +566,7 @@ jobs:
if: github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name
with:
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
- role-session-name: S2ntlsGHAS3Session
+ role-session-name: S2nQuicGHAS3Session
aws-region: us-west-2
- name: Upload results
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6635b328bf..42ea238bfa 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -48,7 +48,7 @@ jobs:
- uses: aws-actions/configure-aws-credentials@v4.0.2
with:
role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCEcrRole
- role-session-name: S2ntlsGHAECRSession
+ role-session-name: S2nQuicGHAECRSession
aws-region: us-east-1 # Required for ECR
- name: Login to Amazon ECR Public