
Commit 61e707f

Merge pull request #43 from arduino/iam-roles
github: Use IAM Roles to push files on AWS S3
2 parents bf73480 + a286d98 commit 61e707f


1 file changed

+13
-8
lines changed


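--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,7 @@ env:
   PYTHON_VERSION: "3.7"
   MCUBOOT_PATH: ${{ github.workspace }}/mcuboot
   IMGTOOL_PACKING_PATH: ${{ github.workspace }}/imgtool-packing
+  AWS_REGION: "us-east-1"
 
 on:
   push:
@@ -265,7 +266,11 @@ jobs:
 
   create-release:
     runs-on: ubuntu-latest
+    environment: production
     needs: [build, build-crosscompile, notarize-macos]
+    permissions:
+      contents: write
+      id-token: write # This is required for requesting the JWT
 
     steps:
       - name: Checkout repository # we need package_index.template
@@ -323,12 +328,12 @@ jobs:
           # (all the files we need are in the DIST_DIR root)
           artifacts: ${{ env.DIST_DIR }}/*
 
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-session-name: "github_${{ env.PROJECT_NAME }}"
+          aws-region: ${{ env.AWS_REGION }}
+
       - name: Upload release files on Arduino downloads servers
-        uses: docker://plugins/s3
-        env:
-          PLUGIN_SOURCE: "${{ env.DIST_DIR }}/*"
-          PLUGIN_TARGET: ${{ env.AWS_PLUGIN_TARGET }}
-          PLUGIN_STRIP_PREFIX: "${{ env.DIST_DIR }}/"
-          PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: aws s3 sync ${{ env.DIST_DIR }} s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }}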
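Review bot: `uses: aws-actions/configure-aws-credentials@v4` in the third hunk pins the action that now mints the OIDC token and assumes the release-publishing role to a mutable major tag, so the job runs whatever that tag points to at release time; pin it to a full-length commit SHA and keep the version as a trailing comment, `uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v4`. The new `run:` line also expands `${{ secrets.DOWNLOADS_BUCKET }}` and `${{ env.AWS_PLUGIN_TARGET }}` straight into the shell unquoted; mapping the secret through the step's `env:` (`DOWNLOADS_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}`) and writing `run: aws s3 sync "${DIST_DIR}" "s3://${DOWNLOADS_BUCKET}${AWS_PLUGIN_TARGET}"` keeps any whitespace or shell metacharacters in the bucket name or prefix from splitting the command (`DIST_DIR` and `AWS_PLUGIN_TARGET` are already workflow env vars and so are available to the shell). Since the job now has `id-token: write`, the assumed role's trust policy should presumably restrict the token's `sub` claim to this repository and the `production` environment — that lives on the AWS side and is not visible here, so confirm it. The long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets are no longer referenced by this workflow and can be revoked once no other workflow depends on them.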
