Add Role ARN to access S3 (#2473)

.github/workflows/release-build-sign-upload.yml

@@ -854,17 +854,31 @@ jobs:
           signed/win32/*zip \
           signed/winx64/*zip
 
-    - name: Upload installers to CLAW S3 bucket
-      # forked for security considerations
-      uses: pivotalsoftware/[email protected] #pinned to no-default-region change
+    - name: Setup aws to upload installers to CLAW S3 bucket
+      if: ${{ github.ref_type == 'tag' }}
+      uses: aws-actions/configure-aws-credentials@v2
       env:
-        DEST_DIR:              "releases/v${{ env.VERSION_BUILD }}"
-        SOURCE_DIR:            upload
+        AWS_ACCESS_KEY_ID:     ${{ secrets.AWS_ACCESS_KEY_ID }}
+        AWS_S3_BUCKET:         ${{ secrets.AWS_S3_BUCKET }}
+        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        AWS_S3_ROLE_ARN:       ${{ secrets.AWS_S3_ROLE_ARN }}
+        SOURCE_DIR: upload
+        DEST_DIR: "releases/v${{ env.INSTALLER_RELEASE_VERSION }}"
+      with:
+        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+        aws-region: us-west-1
+        role-to-assume: ${{ env.AWS_S3_ROLE_ARN }}
+        role-skip-session-tagging: true
+        role-duration-seconds: 1200
+
+    - name: Upload installers to CLAW S3 bucket
+      run: |
+          aws s3 sync upload "s3://${{ env.AWS_S3_BUCKET }}/releases/v${{ env.INSTALLER_RELEASE_VERSION }}/"
 
     - name: list S3 for human verification
-      uses: docker://amazon/aws-cli:latest
-      with:
-        args: s3 ls "${{ env.AWS_S3_BUCKET }}/releases/v${{ env.VERSION_BUILD }}/"
+      run: |
+          aws s3 ls "s3://${{ env.AWS_S3_BUCKET }}/releases/v${{ env.INSTALLER_RELEASE_VERSION }}/"
 
     - name: Instruct human to update CLAW
       run: |