-
Notifications
You must be signed in to change notification settings - Fork 892
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upload Rustup build artifacts to new S3 bucket #3909
Conversation
We are refactoring the release process for Rustup, which includes a new S3 bucket for build artifacts. In the new release process, every commit to the default branch builds and uploads artifacts. When a new release is cut, these pre-built artifacts get copied into the current S3 bucket for further testing and distribution. The artifacts are currently uploaded to both the old and new bucket to maintain backwards compatibility while implementing the new process.
The GitHub Actions workflows that upload build artifacts to S3 have been refactored to make use of OIDC to avoid long-lived authentication tokens.
The tracking issue for the new release process and its work can be found here: rust-lang/simpleinfra#420 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a lot!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice!
Can I merge this and then iterate on the configuration if there are any issues? |
Sounds good to me! |
Hm, the merge queue build failed trying to fetch a base image from |
In rust-lang#3909, new steps were added to the GitHub Actions workflows that upload the build artifacts to a new S3 bucket. Authentication is done using short-lived tokens that are provisioned using OIDC. This scheme requires additional permissions[^1], which have been granted to the workflows. [^1]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
In #3909, new steps were added to the GitHub Actions workflows that upload the build artifacts to a new S3 bucket. Authentication is done using short-lived tokens that are provisioned using OIDC. This scheme requires additional permissions[^1], which have been granted to the workflows. [^1]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
We added steps to the GitHub Actions workflows in rust-lang#3909 to upload the build artifacts for the `master` branch as well as for the `stable` branch. But the scripts that prepare the `deploy/` directory were not set to run on `master`, causing the builds to fail.
We added steps to the GitHub Actions workflows in rust-lang#3909 to upload the build artifacts for the `master` branch as well as for the `stable` branch. But the scripts that prepare the `deploy/` directory were not set to run on `master`, causing the builds to fail.
We are implementing a new release process for Rustup, which changes slightly how build artifacts are uploaded. Going forward, every commit merged into
master
will produce a full set of release artifacts that will be stored in a new S3 bucket. The new bucket allows us to remove access for CI to the release bucket, which improves our security posture. And uploading every commit tomaster
will make it easier to test new releases.