From 143e1c80b983924bc4cdf6ab66ef606cf66d3b91 Mon Sep 17 00:00:00 2001
From: jandroav
Date: Tue, 17 Dec 2024 14:51:43 +0100
Subject: [PATCH 1/2] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20(workflows):=20refacto?=
 =?UTF-8?q?r=20AWS=20credentials=20in=20GitHub=20workflows=20to=20use=20OI?=
 =?UTF-8?q?DC=20role=20for=20improved=20security=20and=20maintainability?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/pro-extension-test.yml | 11 +++--------
 .github/workflows/sonar-pull-request.yml | 3 +--
 .github/workflows/sonar-push.yml | 3 +--
 3 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/pro-extension-test.yml b/.github/workflows/pro-extension-test.yml
index 84568479..4205e1ea 100644
--- a/.github/workflows/pro-extension-test.yml
+++ b/.github/workflows/pro-extension-test.yml
@@ -65,18 +65,13 @@ on:
 PRO_LICENSE_KEY:
 description: "PRO_LICENSE_KEY from the caller workflow"
 required: true
- GHA_AWS_KEY_ID:
- description: "GHA_AWS_KEY_ID from the caller workflow"
+ AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA:
+ description: "OIDC Role from the caller workflow"
 required: true
- GHA_AWS_KEY:
- description: "GHA_AWS_KEY from the caller workflow"
- required: true
-
 env:
 AWS_REGION: us-east-1
 LIQUIBASE_PRO_LICENSE_KEY: ${{ secrets.PRO_LICENSE_KEY }}
- AWS_ACCESS_KEY_ID: ${{ secrets.GHA_AWS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.GHA_AWS_KEY }}
+ AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA: ${{ secrets.AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 MAVEN_VERSION: "3.9.5"
diff --git a/.github/workflows/sonar-pull-request.yml b/.github/workflows/sonar-pull-request.yml
index 3ddbfb4c..9a721c18 100644
--- a/.github/workflows/sonar-pull-request.yml
+++ b/.github/workflows/sonar-pull-request.yml
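Review bot: Nothing in this hunk consumes the new `AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA` entry under `env:`, while the removed `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` were picked up implicitly by the AWS SDK/CLI, so this commit on its own leaves every step that relied on those keys with no AWS credentials at all (a bisect landing here hits a broken state); the same gap applies to the sonar-pull-request.yml and sonar-push.yml hunks of this patch, and only the second patch in the series adds the token-exchange step that makes the role usable. A role ARN is not secret material: keeping it under `workflow_call: secrets:` is harmless but masks it in logs, which makes `sts:AssumeRoleWithWebIdentity` trust-policy failures harder to diagnose, so consider declaring it under `inputs:` or documenting the choice. The description should also say what the value is, e.g. `description: "ARN of the IAM role to assume via GitHub OIDC (from the caller workflow)"`. The `on: workflow_call:` block this hunk edits begins before the hunk.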
@@ -25,8 +25,7 @@ jobs:
 env:
 LIQUIBASE_PRO_LICENSE_KEY: ${{ secrets.PRO_LICENSE_KEY }}
- AWS_ACCESS_KEY_ID: ${{ secrets.GHA_AWS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.GHA_AWS_KEY }}
+ AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA: ${{ secrets.AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA }}
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/sonar-push.yml b/.github/workflows/sonar-push.yml
index e0ec9779..e9fa3383 100644
--- a/.github/workflows/sonar-push.yml
+++ b/.github/workflows/sonar-push.yml
@@ -26,8 +26,7 @@ jobs:
 env:
 AWS_REGION: us-east-1
 LIQUIBASE_PRO_LICENSE_KEY: ${{ secrets.PRO_LICENSE_KEY }}
- AWS_ACCESS_KEY_ID: ${{ secrets.GHA_AWS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.GHA_AWS_KEY }}
+ AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA: ${{ secrets.AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA }}
 steps:
 - uses: actions/checkout@v4
From 210c8cc9934bf7df085ea07cb8ca675f901aaef3 Mon Sep 17 00:00:00 2001
From: jandroav
Date: Tue, 17 Dec 2024 15:02:09 +0100
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=94=A7=20(GitHub=20Actions):=20remove?=
 =?UTF-8?q?=20AWS=5FGITHUB=5FOIDC=5FROLE=5FARN=5FS3=5FGHA=20from=20env=20a?=
 =?UTF-8?q?nd=20add=20Configure=20AWS=20Credentials=20step=20to=20improve?=
 =?UTF-8?q?=20security=20and=20streamline=20AWS=20credential=20management?=
 =?UTF-8?q?=20in=20workflows?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/pro-extension-test.yml | 13 ++++++++++++-
 .github/workflows/sonar-pull-request.yml | 7 ++++++-
 .github/workflows/sonar-push.yml | 7 ++++++-
 3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/pro-extension-test.yml b/.github/workflows/pro-extension-test.yml
index 4205e1ea..498b3568 100644
--- a/.github/workflows/pro-extension-test.yml
+++ b/.github/workflows/pro-extension-test.yml
@@ -71,7 +71,6 @@ on:
 env:
 AWS_REGION: us-east-1
 LIQUIBASE_PRO_LICENSE_KEY: ${{ secrets.PRO_LICENSE_KEY }}
- AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA: ${{ secrets.AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 MAVEN_VERSION: "3.9.5"
@@ -88,6 +87,12 @@ jobs:
 with:
 ref: ${{ github.event.pull_request.head.sha || github.ref }}
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: ${{ secrets.AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA }}
+ aws-region: us-east-1
+
 - name: Set up JDK 17
 uses: actions/setup-java@v4
 with:
@@ -238,6 +243,12 @@ jobs:
 distribution: "temurin"
 cache: "maven"
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: ${{ secrets.AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA }}
+ aws-region: us-east-1
+
 - name: Set up Maven
 uses: stCarolas/setup-maven@v5
 with:
diff --git a/.github/workflows/sonar-pull-request.yml b/.github/workflows/sonar-pull-request.yml
index 9a721c18..b4793fc7 100644
--- a/.github/workflows/sonar-pull-request.yml
+++ b/.github/workflows/sonar-pull-request.yml
@@ -25,7 +25,6 @@ jobs:
 env:
 LIQUIBASE_PRO_LICENSE_KEY: ${{ secrets.PRO_LICENSE_KEY }}
- AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA: ${{ secrets.AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA }}
 steps:
 - uses: actions/checkout@v4
@@ -39,6 +38,12 @@ jobs:
 distribution: 'temurin'
 cache: 'maven'
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: ${{ secrets.AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA }}
+ aws-region: us-east-1
+
 # look for dependencies in maven
 - name: maven-settings-xml-action
 uses: whelk-io/maven-settings-xml-action@v22
diff --git a/.github/workflows/sonar-push.yml b/.github/workflows/sonar-push.yml
index e9fa3383..31f89ce7 100644
--- a/.github/workflows/sonar-push.yml
+++ b/.github/workflows/sonar-push.yml
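Review bot: `role-to-assume` only works when the job (or the whole workflow) grants `permissions: id-token: write`, and neither this hunk nor anything else in the series adds it; if the workflow has no `permissions:` block today the step typically fails with a "credentials could not be loaded" error, and since pro-extension-test.yml is a reusable workflow the calling workflow must grant `id-token: write` too. The same applies to the `@@ -238` hunk below and to the sonar-pull-request.yml and sonar-push.yml step hunks in this patch. `aws-region: us-east-1` duplicates the workflow-level `AWS_REGION` env here and in sonar-push.yml; `aws-region: ${{ env.AWS_REGION }}` keeps one source of truth (sonar-pull-request.yml defines no such env value, so the literal is the only option there). `aws-actions/configure-aws-credentials@v2` is an older major (v4 was current by late 2024) and, like the other actions in these files, is pinned to a mutable tag rather than a commit SHA; adding `role-session-name: ${{ github.repository }}-${{ github.run_id }}` would also make the assumed-role sessions attributable in CloudTrail.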
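Review bot: In the sonar-pull-request.yml `@@ -39` hunk the new step will fail for pull requests opened from forks: a `pull_request` run from a fork receives neither repository secrets nor an `id-token: write` grant, so `role-to-assume` expands to an empty string and the action errors out before the Maven and Sonar steps run, whereas the old static keys merely expanded to empty env values. If fork PRs are expected, gate the step with `if: github.event.pull_request.head.repo.full_name == github.repository` and make the steps that actually need S3 access conditional on the same expression. The workflow's trigger definition is outside the hunk, so confirm which events it runs on before deciding.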
@@ -26,7 +26,6 @@ jobs:
 env:
 AWS_REGION: us-east-1
 LIQUIBASE_PRO_LICENSE_KEY: ${{ secrets.PRO_LICENSE_KEY }}
- AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA: ${{ secrets.AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA }}
 steps:
 - uses: actions/checkout@v4
@@ -40,6 +39,12 @@ jobs:
 distribution: 'temurin'
 cache: 'maven'
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: ${{ secrets.AWS_GITHUB_OIDC_ROLE_ARN_S3_GHA }}
+ aws-region: us-east-1
+
 - name: Cache SonarCloud packages
 uses: actions/cache@v4
 with: