From 899f7772ad18624731c3133096be4b2c553c31cb Mon Sep 17 00:00:00 2001
From: philip pittle
Date: Thu, 14 Nov 2024 17:49:49 -0800
Subject: [PATCH] update workflows to use new github oidc connection
---
 .../sam-build-and-deploy-containers/action.yml | 8 ++++----
 .../sam-build-and-deploy-native-arm/action.yml | 8 ++++----
 .../sam-build-and-deploy-native/action.yml | 8 ++++----
 .github/actions/sam-build-and-deploy/action.yml | 8 ++++----
 .github/workflows/metrics-lambda-pipeline.yaml | 9 +++++----
 .github/workflows/net-31-otel-pipelinE.yaml | 7 ++++---
 .github/workflows/net-31-pipeline.yaml | 7 ++++---
 .../workflows/net-6-containers-pipeline.yaml | 9 +++++----
 .../net-6-custumRuntime-pipeline-canary.yaml | 9 +++++----
 .github/workflows/net-6-minimal-api.yaml | 9 +++++----
 .github/workflows/net-6-pipeline-canary.yaml | 9 +++++----
 .github/workflows/net-6-pipeline.yaml | 17 +++++++++--------
 .../workflows/net-6-top-level-statements.yaml | 5 +----
 .github/workflows/net-6-with-power-tools.yaml | 9 +++++----
 .github/workflows/net-7-native-aot-canary.yaml | 7 ++++---
 .../workflows/net-7-native-aot-pipeline.yaml | 7 ++++---
 .github/workflows/net-7-pipeline-canary.yaml | 7 ++++---
 .github/workflows/net-7-pipeline.yaml | 7 ++++---
 .../net-8-native-aot-pipeline-canary.yaml | 7 ++++---
 .../workflows/net-8-native-aot-pipeline.yaml | 11 ++++-------
 .github/workflows/net-8-pipeline-canary.yaml | 7 ++++---
 .github/workflows/net-8-pipeline.yaml | 15 ++++++++-------
 .github/workflows/net-9-pipeline-canary.yaml | 7 ++++---
 23 files changed, 104 insertions(+), 93 deletions(-)
diff --git a/.github/actions/sam-build-and-deploy-containers/action.yml b/.github/actions/sam-build-and-deploy-containers/action.yml
index 97502b8..ff10863 100644
--- a/.github/actions/sam-build-and-deploy-containers/action.yml
+++ b/.github/actions/sam-build-and-deploy-containers/action.yml
@@ -36,11 +36,11 @@ runs: - uses: aws-actions/setup-sam@v2 with: use-installer: true - - uses: aws-actions/configure-aws-credentials@v1 + - uses: aws-actions/configure-aws-credentials@v2 with: - aws-access-key-id: ${{ inputs.aws-access-key }} - aws-secret-access-key: ${{ inputs.aws-secret-key }} - aws-region: ${{ inputs.aws-region }} + role-to-assume: ${{ secrets.AWS_SAM_DEPLOYMENT_ROLE }} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ secrets.AWS_REGION }} # Build and deploy x86 - run: sam build -t ${{ inputs.template-file-path }} --parameter-overrides LambdaArchitecture=${{ inputs.architecture }} --parallel --cached diff --git a/.github/actions/sam-build-and-deploy-native-arm/action.yml b/.github/actions/sam-build-and-deploy-native-arm/action.yml index 4acafb2..bc7dc90 100644 --- a/.github/actions/sam-build-and-deploy-native-arm/action.yml +++ b/.github/actions/sam-build-and-deploy-native-arm/action.yml @@ -37,11 +37,11 @@ runs: - uses: aws-actions/setup-sam@v2 with: use-installer: false # use-installer Currently supports Linux x86-64 runners. https://github.com/aws-actions/setup-sam?tab=readme-ov-file#inputs - - uses: aws-actions/configure-aws-credentials@v1 + - uses: aws-actions/configure-aws-credentials@v2 with: - aws-access-key-id: ${{ inputs.aws-access-key }} - aws-secret-access-key: ${{ inputs.aws-secret-key }} - aws-region: ${{ inputs.aws-region }} + role-to-assume: ${{ secrets.AWS_SAM_DEPLOYMENT_ROLE }} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ secrets.AWS_REGION }} # Build and deploy ARM # Because native apps are built in a container, and SAM CLI doesn't know how to mount extra things outside the project directory to the container, move this file manually diff --git a/.github/actions/sam-build-and-deploy-native/action.yml b/.github/actions/sam-build-and-deploy-native/action.yml index 43a77b2..1537a19 100644 --- a/.github/actions/sam-build-and-deploy-native/action.yml 
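Review bot: The added `role-to-assume: ${{ secrets.AWS_SAM_DEPLOYMENT_ROLE }}` and `aws-region: ${{ secrets.AWS_REGION }}` lines sit inside a composite action (the `runs:` steps of `action.yml`), where the `secrets` context is not available, so both expressions expand to empty strings and `configure-aws-credentials` is given no role to assume; the deploy step will fail to authenticate rather than use the intended OIDC role. The same pattern is in the `sam-build-and-deploy-native-arm`, `sam-build-and-deploy-native` and `sam-build-and-deploy` hunks. Keep the action's existing `aws-region` input and add a role input, e.g. `role-to-assume: ${{ inputs.aws-role-to-assume }}` and `aws-region: ${{ inputs.aws-region }}`, with the calling workflows passing `${{ secrets.AWS_SAM_DEPLOYMENT_ROLE }}` and `${{ secrets.AWS_REGION }}` in the `with:` blocks that the workflow hunks below empty out. The `inputs:` section declaring the now-unused `aws-access-key`/`aws-secret-key` is outside the hunk and presumably should be pruned in the same change. Since this step now mints cloud credentials, pinning `aws-actions/configure-aws-credentials` to a full commit SHA (`@<commit-sha> # v2`) instead of the mutable `@v2` tag would also be worth doing.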
+++ b/.github/actions/sam-build-and-deploy-native/action.yml @@ -36,11 +36,11 @@ runs: - uses: aws-actions/setup-sam@v2 with: use-installer: true - - uses: aws-actions/configure-aws-credentials@v1 + - uses: aws-actions/configure-aws-credentials@v2 with: - aws-access-key-id: ${{ inputs.aws-access-key }} - aws-secret-access-key: ${{ inputs.aws-secret-key }} - aws-region: ${{ inputs.aws-region }} + role-to-assume: ${{ secrets.AWS_SAM_DEPLOYMENT_ROLE }} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ secrets.AWS_REGION }} # Build and deploy x86 # Because native apps are built in a container, and SAM CLI doesn't know how to mount extra things outside the project directory to the container, move this file manually diff --git a/.github/actions/sam-build-and-deploy/action.yml b/.github/actions/sam-build-and-deploy/action.yml index de191fc..6e2f38b 100644 --- a/.github/actions/sam-build-and-deploy/action.yml +++ b/.github/actions/sam-build-and-deploy/action.yml @@ -33,11 +33,11 @@ runs: - uses: aws-actions/setup-sam@v2 with: use-installer: true - - uses: aws-actions/configure-aws-credentials@v1 + - uses: aws-actions/configure-aws-credentials@v2 with: - aws-access-key-id: ${{ inputs.aws-access-key }} - aws-secret-access-key: ${{ inputs.aws-secret-key }} - aws-region: ${{ inputs.aws-region }} + role-to-assume: ${{ secrets.AWS_SAM_DEPLOYMENT_ROLE }} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ secrets.AWS_REGION }} # Build and deploy ARM - run: sam build -t ${{ inputs.template-file-path }} --parameter-overrides LambdaArchitecture=arm64 diff --git a/.github/workflows/metrics-lambda-pipeline.yaml b/.github/workflows/metrics-lambda-pipeline.yaml index 14e09b6..e55a2a6 100644 --- a/.github/workflows/metrics-lambda-pipeline.yaml +++ b/.github/workflows/metrics-lambda-pipeline.yaml @@ -1,5 +1,9 @@ name: Metrics Lambda +permissions: + id-token: write + contents: read + on: workflow_dispatch: push: 
@@ -15,10 +19,7 @@ jobs: - uses: actions/checkout@v2 - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy - with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} + with: dotnet-version: '8.x' template-file-path: ./metrics/template.yaml stack-name: metrics-lambda diff --git a/.github/workflows/net-31-otel-pipelinE.yaml b/.github/workflows/net-31-otel-pipelinE.yaml index d349b72..4489e26 100644 --- a/.github/workflows/net-31-otel-pipelinE.yaml +++ b/.github/workflows/net-31-otel-pipelinE.yaml @@ -1,5 +1,9 @@ name: NET 31 OTEL +permissions: + id-token: write + contents: read + on: workflow_dispatch: push: @@ -16,9 +20,6 @@ jobs: - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} dotnet-version: '3.1.x' template-file-path: ./src/NET31-OTel/template.yaml stack-name: net-31-otel diff --git a/.github/workflows/net-31-pipeline.yaml b/.github/workflows/net-31-pipeline.yaml index bd04518..7599b38 100644 --- a/.github/workflows/net-31-pipeline.yaml +++ b/.github/workflows/net-31-pipeline.yaml @@ -1,5 +1,9 @@ name: NET 31 +permissions: + id-token: write + contents: read + on: workflow_dispatch: push: @@ -16,9 +20,6 @@ jobs: - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} dotnet-version: '3.1.x' template-file-path: ./src/NET31/template.yaml stack-name: net-31-base diff --git a/.github/workflows/net-6-containers-pipeline.yaml b/.github/workflows/net-6-containers-pipeline.yaml index 130c127..ad45628 100644 --- a/.github/workflows/net-6-containers-pipeline.yaml +++ b/.github/workflows/net-6-containers-pipeline.yaml 
@@ -1,5 +1,9 @@ name: NET 6 Containers +permissions: + id-token: write + contents: read + on: workflow_dispatch: push: @@ -16,10 +20,7 @@ jobs: - uses: actions/checkout@v2 - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy-containers - with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} + with: dotnet-version: '6.x' template-file-path: ./src/NET6Containers/template.yaml stack-name: net-6-containers-x86-64 diff --git a/.github/workflows/net-6-custumRuntime-pipeline-canary.yaml b/.github/workflows/net-6-custumRuntime-pipeline-canary.yaml index 2f3da48..34b9f71 100644 --- a/.github/workflows/net-6-custumRuntime-pipeline-canary.yaml +++ b/.github/workflows/net-6-custumRuntime-pipeline-canary.yaml @@ -1,5 +1,9 @@ name: NET 6 Custom Runtime Canary +permissions: + id-token: write + contents: read + on: workflow_dispatch: schedule: @@ -14,10 +18,7 @@ jobs: - uses: actions/checkout@v2 - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy-native - with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} + with: dotnet-version: '6.x' template-file-path: ./src/NET6CustomRuntime/template.yaml project-directory: ./src/NET6CustomRuntime/ diff --git a/.github/workflows/net-6-minimal-api.yaml b/.github/workflows/net-6-minimal-api.yaml index a68b130..5fccd34 100644 --- a/.github/workflows/net-6-minimal-api.yaml +++ b/.github/workflows/net-6-minimal-api.yaml @@ -1,5 +1,9 @@ name: NET 6 Mimimal +permissions: + id-token: write + contents: read + on: workflow_dispatch: push: 
@@ -15,10 +19,7 @@ jobs: - uses: actions/checkout@v2 - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy - with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} + with: dotnet-version: '6.x' template-file-path: ./src/MinimalAPI/template.yaml stack-name: net-6-minimal diff --git a/.github/workflows/net-6-pipeline-canary.yaml b/.github/workflows/net-6-pipeline-canary.yaml index 340e97b..ec65a11 100644 --- a/.github/workflows/net-6-pipeline-canary.yaml +++ b/.github/workflows/net-6-pipeline-canary.yaml @@ -1,5 +1,9 @@ name: NET 6 Canary +permissions: + id-token: write + contents: read + on: workflow_dispatch: schedule: @@ -14,10 +18,7 @@ jobs: - uses: actions/checkout@v2 - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy - with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} + with: dotnet-version: '6.x' template-file-path: ./src/NET6/template.yaml stack-name: net-6-base diff --git a/.github/workflows/net-6-pipeline.yaml b/.github/workflows/net-6-pipeline.yaml index 9daa6e1..f61c406 100644 --- a/.github/workflows/net-6-pipeline.yaml +++ b/.github/workflows/net-6-pipeline.yaml @@ -1,5 +1,9 @@ name: NET 6 +permissions: + id-token: write + contents: read + on: workflow_dispatch: push: @@ -21,10 +25,7 @@ jobs: uses: actions/checkout@v2 - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy - with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} + with: dotnet-version: '6.x' template-file-path: ./src/NET6/template.yaml stack-name: net-6-base 
@@ -37,7 +38,7 @@ jobs: - name: configure aws credentials uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: ${{ secrets.AWS_ROLE }} + role-to-assume: ${{ secrets.AWS_LOAD_TEST_RUNNER_ROLE }} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ secrets.AWS_REGION }} - name: checkoutRepo @@ -54,7 +55,7 @@ jobs: - name: configure aws credentials uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: ${{ secrets.AWS_ROLE }} + role-to-assume: ${{ secrets.AWS_LOAD_TEST_RUNNER_ROLE }} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ secrets.AWS_REGION }} - name: checkoutRepo @@ -71,7 +72,7 @@ jobs: - name: configure aws credentials uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: ${{ secrets.AWS_ROLE }} + role-to-assume: ${{ secrets.AWS_LOAD_TEST_RUNNER_ROLE }} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ secrets.AWS_REGION }} - name: checkoutRepo @@ -89,7 +90,7 @@ jobs: - name: configure aws credentials uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: ${{ secrets.AWS_ROLE }} + role-to-assume: ${{ secrets.AWS_LOAD_TEST_RUNNER_ROLE }} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ secrets.AWS_REGION }} - name: checkoutRepo diff --git a/.github/workflows/net-6-top-level-statements.yaml b/.github/workflows/net-6-top-level-statements.yaml index 610fb5e..82d3502 100644 --- a/.github/workflows/net-6-top-level-statements.yaml +++ b/.github/workflows/net-6-top-level-statements.yaml @@ -15,10 +15,7 @@ jobs: - uses: actions/checkout@v2 - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy - with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} + with: dotnet-version: '6.x' template-file-path: ./src/NET6TopLevelStatements/template.yaml stack-name: net-6-top-level 
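Review bot: `net-6-top-level-statements.yaml` drops the static-key inputs but, unlike every other workflow in this patch, receives no `permissions:` hunk granting `id-token: write`; unless that grant already exists above line 15 (outside the hunk) or on the job, the OIDC token request is refused and the deploy job cannot obtain AWS credentials at all. The same check applies to the deploy job of `net-8-native-aot-pipeline.yaml`, whose hunks likewise add no `permissions:` block, although that file may already carry one for its load-test jobs. Add `permissions:` / `  id-token: write` / `  contents: read` at the top of the workflow to match the other files. The `with:` line here is removed and re-added with no visible change, which looks like a whitespace-only edit worth reverting to keep the diff minimal.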
diff --git a/.github/workflows/net-6-with-power-tools.yaml b/.github/workflows/net-6-with-power-tools.yaml index 73949ab..eb2c4b7 100644 --- a/.github/workflows/net-6-with-power-tools.yaml +++ b/.github/workflows/net-6-with-power-tools.yaml @@ -1,5 +1,9 @@ name: NET 6 with PowerTools +permissions: + id-token: write + contents: read + on: workflow_dispatch: push: @@ -15,10 +19,7 @@ jobs: - uses: actions/checkout@v2 - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy - with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} + with: dotnet-version: '6.x' template-file-path: ./src/NET6WithPowerTools/template.yaml stack-name: net-6-power-tools diff --git a/.github/workflows/net-7-native-aot-canary.yaml b/.github/workflows/net-7-native-aot-canary.yaml index 2b4ef09..a1df9d8 100644 --- a/.github/workflows/net-7-native-aot-canary.yaml +++ b/.github/workflows/net-7-native-aot-canary.yaml @@ -1,5 +1,9 @@ name: NET 7 NativeAOT Canary +permissions: + id-token: write + contents: read + on: workflow_dispatch: schedule: @@ -15,9 +19,6 @@ jobs: - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy-native with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} dotnet-version: '7.x' template-file-path: ./src/NET7Native/template.yaml project-directory: ./src/NET7Native/ diff --git a/.github/workflows/net-7-native-aot-pipeline.yaml b/.github/workflows/net-7-native-aot-pipeline.yaml index 5c3e611..f3ca4fa 100644 --- a/.github/workflows/net-7-native-aot-pipeline.yaml +++ b/.github/workflows/net-7-native-aot-pipeline.yaml @@ -1,5 +1,9 @@ name: NET 7 NativeAOT +permissions: + id-token: write + contents: read + on: workflow_dispatch: push: 
@@ -16,9 +20,6 @@ jobs: - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy-native with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} dotnet-version: '7.x' template-file-path: ./src/NET7Native/template.yaml project-directory: ./src/NET7Native/ diff --git a/.github/workflows/net-7-pipeline-canary.yaml b/.github/workflows/net-7-pipeline-canary.yaml index 95256c6..f1421eb 100644 --- a/.github/workflows/net-7-pipeline-canary.yaml +++ b/.github/workflows/net-7-pipeline-canary.yaml @@ -1,5 +1,9 @@ name: NET 7 Canary +permissions: + id-token: write + contents: read + on: workflow_dispatch: schedule: @@ -15,9 +19,6 @@ jobs: - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy-native with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} dotnet-version: '7.x' template-file-path: ./src/NET7/template.yaml project-directory: ./src/NET7/ diff --git a/.github/workflows/net-7-pipeline.yaml b/.github/workflows/net-7-pipeline.yaml index 35c7e66..2a7a65a 100644 --- a/.github/workflows/net-7-pipeline.yaml +++ b/.github/workflows/net-7-pipeline.yaml @@ -1,5 +1,9 @@ name: NET 7 +permissions: + id-token: write + contents: read + on: workflow_dispatch: push: @@ -16,9 +20,6 @@ jobs: - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy-native with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} dotnet-version: '7.x' template-file-path: ./src/NET7/template.yaml project-directory: ./src/NET7/ diff --git a/.github/workflows/net-8-native-aot-pipeline-canary.yaml b/.github/workflows/net-8-native-aot-pipeline-canary.yaml index 968532f..ffb5c62 100644 --- a/.github/workflows/net-8-native-aot-pipeline-canary.yaml 
+++ b/.github/workflows/net-8-native-aot-pipeline-canary.yaml @@ -1,5 +1,9 @@ name: NET 8 NativeAOT Canary +permissions: + id-token: write + contents: read + on: workflow_dispatch: schedule: @@ -15,9 +19,6 @@ jobs: - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy-native with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} dotnet-version: '8.x' template-file-path: ./src/NET8Native/template.yaml project-directory: ./src/NET8Native/ diff --git a/.github/workflows/net-8-native-aot-pipeline.yaml b/.github/workflows/net-8-native-aot-pipeline.yaml index d59010f..97b8e97 100644 --- a/.github/workflows/net-8-native-aot-pipeline.yaml +++ b/.github/workflows/net-8-native-aot-pipeline.yaml @@ -22,9 +22,6 @@ jobs: - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy-native with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} dotnet-version: '8.x' template-file-path: ./src/NET8Native/template.yaml project-directory: ./src/NET8Native/ @@ -38,7 +35,7 @@ jobs: - name: configure aws credentials uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: ${{ secrets.AWS_ROLE }} + role-to-assume: ${{ secrets.AWS_LOAD_TEST_RUNNER_ROLE }} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ secrets.AWS_REGION }} - name: checkoutRepo @@ -55,7 +52,7 @@ jobs: - name: configure aws credentials uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: ${{ secrets.AWS_ROLE }} + role-to-assume: ${{ secrets.AWS_LOAD_TEST_RUNNER_ROLE }} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ secrets.AWS_REGION }} - name: checkoutRepo 
@@ -72,7 +69,7 @@ jobs: - name: configure aws credentials uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: ${{ secrets.AWS_ROLE }} + role-to-assume: ${{ secrets.AWS_LOAD_TEST_RUNNER_ROLE }} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ secrets.AWS_REGION }} - name: checkoutRepo @@ -90,7 +87,7 @@ jobs: - name: configure aws credentials uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: ${{ secrets.AWS_ROLE }} + role-to-assume: ${{ secrets.AWS_LOAD_TEST_RUNNER_ROLE }} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ secrets.AWS_REGION }} - name: checkoutRepo diff --git a/.github/workflows/net-8-pipeline-canary.yaml b/.github/workflows/net-8-pipeline-canary.yaml index 9745fc1..4ec23bf 100644 --- a/.github/workflows/net-8-pipeline-canary.yaml +++ b/.github/workflows/net-8-pipeline-canary.yaml @@ -1,5 +1,9 @@ name: NET 8 Canary +permissions: + id-token: write + contents: read + on: workflow_dispatch: schedule: @@ -15,9 +19,6 @@ jobs: - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} dotnet-version: '8.x' template-file-path: ./src/NET8/template.yaml project-directory: ./src/NET8/ diff --git a/.github/workflows/net-8-pipeline.yaml b/.github/workflows/net-8-pipeline.yaml index b06264d..f831e27 100644 --- a/.github/workflows/net-8-pipeline.yaml +++ b/.github/workflows/net-8-pipeline.yaml @@ -1,5 +1,9 @@ name: NET 8 +permissions: + id-token: write + contents: read + on: workflow_dispatch: push: @@ -17,9 +21,6 @@ jobs: - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} dotnet-version: '8.x' template-file-path: ./src/NET8/template.yaml stack-name: net-8-base 
@@ -32,7 +33,7 @@ jobs: - name: configure aws credentials uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: ${{ secrets.AWS_ROLE }} + role-to-assume: ${{ secrets.AWS_LOAD_TEST_RUNNER_ROLE }} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ secrets.AWS_REGION }} - name: checkoutRepo @@ -49,7 +50,7 @@ jobs: - name: configure aws credentials uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: ${{ secrets.AWS_ROLE }} + role-to-assume: ${{ secrets.AWS_LOAD_TEST_RUNNER_ROLE }} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ secrets.AWS_REGION }} - name: checkoutRepo @@ -66,7 +67,7 @@ jobs: - name: configure aws credentials uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: ${{ secrets.AWS_ROLE }} + role-to-assume: ${{ secrets.AWS_LOAD_TEST_RUNNER_ROLE }} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ secrets.AWS_REGION }} - name: checkoutRepo @@ -84,7 +85,7 @@ jobs: - name: configure aws credentials uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: ${{ secrets.AWS_ROLE }} + role-to-assume: ${{ secrets.AWS_LOAD_TEST_RUNNER_ROLE }} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ secrets.AWS_REGION }} - name: checkoutRepo diff --git a/.github/workflows/net-9-pipeline-canary.yaml b/.github/workflows/net-9-pipeline-canary.yaml index 6b54789..4719ab7 100644 --- a/.github/workflows/net-9-pipeline-canary.yaml +++ b/.github/workflows/net-9-pipeline-canary.yaml @@ -1,5 +1,9 @@ name: NET 9 Custom Runtime Canary +permissions: + id-token: write + contents: read + on: workflow_dispatch: schedule: 
@@ -15,9 +19,6 @@ jobs: - name: Build and Deploy uses: ./.github/actions/sam-build-and-deploy-native with: - aws-access-key: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} dotnet-version: '9.x' template-file-path: ./src/NET9CustomRuntime/template.yaml project-directory: ./src/NET9CustomRuntime/