Update the github certificate thumbprints #2033
Looks like github changed certs, so we need a new fingerprint. Otherwise, ECR builds are failing with error: "OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint" I manually added the new fingerprint in the AWS console to see that it fixed the build problem, so now adding it here. The old fingerprint is still there in case this is a temporary situation and github changes back, or some servers still present the old certs.
Codecov Report
Patch coverage has no change and project coverage change:
❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization.
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2033      +/-   ##
==========================================
+ Coverage   47.46%   47.80%   +0.33%
==========================================
  Files          87       94       +7
  Lines       10047    10286     +239
==========================================
+ Hits         4769     4917     +148
- Misses       4720     4801      +81
- Partials      558      568      +10
The new thumbprint does not match the one advertised by github?
https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/
@@ -6,7 +6,8 @@ resource "aws_iam_openid_connect_provider" "github" { | |||
] | |||
|
|||
thumbprint_list = [ | |||
"6938fd4d98bab03faadb97b34396831e3780aea1" | |||
"6938fd4d98bab03faadb97b34396831e3780aea1", | |||
"a3b59e5fe884ee1f34d98eef858e3fb662ac104a" |
Should this be 1c58a3a8518e8759bf075b76b750d4f2df264fcd?
Maybe. I grabbed "a3b59e5fe884ee1f34d98eef858e3fb662ac104a" from the github.com certificate that I saw, and I tested that using it fixed the problem. If there are other valid github certs then we should include their fingerprints as well.
I did a |
Looks like github changed certs, so we need a new fingerprint. Otherwise, ECR builds are failing with error:
"OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint"
I manually added the new fingerprint in the AWS console (IAM > identity providers > token.actions.githubusercontent.com) to see that it fixed the build problem, so now adding it here. The old fingerprint is still there in case this is a temporary situation and github changes back, or some servers still present the old certs.
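As an added example (not code from this repository or from the PR): a small Python check that computes the SHA-1 thumbprint of every certificate in a PEM chain and reports which `thumbprint_list` entries match and which are stale, which is the question the thread is debating. The function names and the sample chain are assumptions; the sample "certificates" are constructed stand-in bytes, not real GitHub certificates.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def chain_thumbprints(pem_chain):
    """SHA-1 over each certificate's DER bytes, lowercase hex, in served order."""
    return [hashlib.sha1(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_BLOCK.findall(pem_chain)]


def normalize(thumbprint):
    """Accept 'AA:BB:...' or bare hex; return 40 lowercase hex characters."""
    value = thumbprint.replace(":", "").replace(" ", "").lower()
    if not re.fullmatch(r"[0-9a-f]{40}", value):
        raise ValueError(f"not a SHA-1 thumbprint: {thumbprint!r}")
    return value


def audit(configured, pem_chain):
    """Compare configured thumbprints with the chain a server presented."""
    served = chain_thumbprints(pem_chain)
    wanted = [normalize(t) for t in configured]
    return {
        # thumbprint -> position in the served chain (0 = first certificate)
        "matches": {t: served.index(t) for t in wanted if t in served},
        # configured entries that no certificate in this chain produces
        "stale": [t for t in wanted if t not in served],
        "any_match": any(t in served for t in wanted),
    }


# Constructed stand-in bytes, NOT real certificates: the thumbprint is a hash
# of the DER bytes, so any byte string exercises the same code path.
LEAF_DER = b"constructed-leaf-certificate"
CA_DER = b"constructed-intermediate-ca-certificate"
SAMPLE_CHAIN = (ssl.DER_cert_to_PEM_cert(LEAF_DER)
                + ssl.DER_cert_to_PEM_cert(CA_DER))

if __name__ == "__main__":
    ca = hashlib.sha1(CA_DER).hexdigest()
    report = audit(["00" * 20, ca.upper()], SAMPLE_CHAIN)
    print("any match:", report["any_match"])
    for tp, pos in report["matches"].items():
        print(f"match  {tp} (chain position {pos})")
    for tp in report["stale"]:
        print(f"stale  {tp}")
```

To run it against a real endpoint, save the PEM output of `openssl s_client -showcerts` for the issuer host to a file and pass its contents as `pem_chain`.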