
Commit a286d98

github: Use IAM Roles to push files on AWS S3
For security reasons, long-lived credentials are not considered secure. To overcome this issue we can configure GitHub Workflows to use AWS OpenID Connect instead. For further details: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
1 parent bf73480 commit a286d98

1 file changed: +13 -8 lines changed

.github/workflows/release.yml

Lines changed: 13 additions & 8 deletions
@@ -11,6 +11,7 @@ env:
1111
PYTHON_VERSION: "3.7"
1212
MCUBOOT_PATH: ${{ github.workspace }}/mcuboot
1313
IMGTOOL_PACKING_PATH: ${{ github.workspace }}/imgtool-packing
14+
AWS_REGION: "us-east-1"
1415

1516
on:
1617
push:
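Review bot: `AWS_REGION: "us-east-1"` is added at workflow level with no comment saying what it is for; a one-line note that this is the region used for the STS `AssumeRoleWithWebIdentity` call and the downloads bucket would save the next reader from guessing. Because `AWS_REGION` is also a variable the AWS CLI and SDKs read directly, placing it at workflow level means every `run` step in every job resolves that region, not only the `create-release` job that needs it; that is harmless here, but if the intent is to scope it to the release job, move it into that job's `env:` instead.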
@@ -265,7 +266,11 @@ jobs:
265266

266267
create-release:
267268
runs-on: ubuntu-latest
269+
environment: production
268270
needs: [build, build-crosscompile, notarize-macos]
271+
permissions:
272+
contents: write
273+
id-token: write # This is required for requesting the JWT
269274

270275
steps:
271276
- name: Checkout repository # we need package_index.template
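Review bot: the IAM trust policy for the role this job assumes is not part of this diff, and it is what makes the `id-token: write` grant safe. With `environment: production` set, the OIDC token's `sub` claim becomes `repo:<owner>/<repo>:environment:production`, so the role's trust policy should pin `token.actions.githubusercontent.com:sub` to exactly that value and `token.actions.githubusercontent.com:aud` to `sts.amazonaws.com`; if it only checks `aud`, any workflow in any repository that knows the role ARN can attempt to assume it. Please add a comment next to `id-token: write` stating that the trust policy is restricted to this repository and environment, or link to where it is defined. The job-level `permissions:` block is the right shape: every scope not listed drops to `none`, and `contents: write` covers both the checkout and the release creation step below.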
@@ -323,12 +328,12 @@ jobs:
323328
# (all the files we need are in the DIST_DIR root)
324329
artifacts: ${{ env.DIST_DIR }}/*
325330

331+
- name: configure aws credentials
332+
uses: aws-actions/configure-aws-credentials@v4
333+
with:
334+
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
335+
role-session-name: "github_${{ env.PROJECT_NAME }}"
336+
aws-region: ${{ env.AWS_REGION }}
337+
326338
- name: Upload release files on Arduino downloads servers
327-
uses: docker://plugins/s3
328-
env:
329-
PLUGIN_SOURCE: "${{ env.DIST_DIR }}/*"
330-
PLUGIN_TARGET: ${{ env.AWS_PLUGIN_TARGET }}
331-
PLUGIN_STRIP_PREFIX: "${{ env.DIST_DIR }}/"
332-
PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
333-
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
334-
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
339+
run: aws s3 sync ${{ env.DIST_DIR }} s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }}
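Review bot: the new target `s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }}` has no separator between the bucket name and the key prefix, so this only works if `AWS_PLUGIN_TARGET` (defined outside this diff) begins with `/`; if it does not, the bucket name and prefix are glued into one bogus bucket name, and if a `/` is added here while it already has one, `sync` writes keys with an empty leading segment. Either normalize to a single explicit slash or add a comment on this line stating the required format of `AWS_PLUGIN_TARGET`. Two further points on the same hunk: `aws-actions/configure-aws-credentials@v4` is the step that mints the cloud credentials, so pin it to a full commit SHA rather than a mutable major tag; and once this is merged, the `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` secrets removed from the old step should be deleted from the repository and the IAM user's access keys deactivated, otherwise the long-lived credential the commit sets out to retire still exists. Note also that `aws s3 sync` requires `s3:ListBucket` on the bucket in addition to `s3:PutObject` on the prefix, and without `--delete` it never removes existing objects, which is the right default for a downloads server; quoting `"${{ env.DIST_DIR }}"` as the old step did would keep the command safe if that path ever contains a space.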

0 commit comments
