From 1d51c634d0682205537b953dd239814a43e0deab Mon Sep 17 00:00:00 2001
From: Andrew Hsu
Date: Mon, 23 Sep 2024 00:07:42 -0500
Subject: [PATCH] gha: update release to use oidc

---
 .github/workflows/release.yml | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ddbaf1c..e238535 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,18 +5,16 @@ on:
     tags: ['v*']
 permissions:
   contents: write
+  id-token: write
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
     steps:
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
-      - name: get secrets from aws sm
-        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+          aws-region: ${{ vars.RP_AWS_CRED_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
+      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
         with:
           secret-ids: |
             ,sdlc/prod/github/tf_provider_rp
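Review bot: The two added `uses:` steps (`aws-actions/configure-aws-credentials@v4` and `aws-actions/aws-secretsmanager-get-secrets@v2`) reference mutable major-version tags, so a compromised or force-moved tag on either action would run inside a job that now holds an OIDC token with `id-token: write` and reads production secrets from Secrets Manager; pin both to a full commit SHA with the version as a trailing comment, e.g. `- uses: aws-actions/configure-aws-credentials@<commit-sha>  # v4`. The IAM role's trust policy is not part of this hunk, but because `role-to-assume` is built from `github.event.repository.name`, whoever owns that role should confirm its `token.actions.githubusercontent.com:sub` condition is restricted to this repository and, given the `tags: ['v*']` trigger, ideally to `repo:<org>/<repo>:ref:refs/tags/v*`, so a branch or pull-request workflow cannot assume the release role. `id-token: write` is granted at workflow level; moving it under `goreleaser: permissions:` keeps any future job in this file from minting OIDC tokens by default. Dropping the `name:` fields also makes the run log show only the action reference for these steps; consider keeping a short `name:` on each.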