From 56b717e1b857b671bd2dee8290d25b501eab35e1 Mon Sep 17 00:00:00 2001
From: miztch
Date: Tue, 19 Dec 2023 23:41:43 +0900
Subject: [PATCH] chore: use GitHub's OIDC provider in workflow

---
 .github/workflows/actions.yml | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/actions.yml b/.github/workflows/actions.yml
index f61c913..f1c9466 100644
--- a/.github/workflows/actions.yml
+++ b/.github/workflows/actions.yml
@@ -1,24 +1,33 @@
 on:
+  workflow_dispatch:
   push:
     branches:
       - main
+    paths-ignore:
+      - ".github/workflows/*"
+      - "**.md"
+
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
     environment: production
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup Python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v5
       - name: Setup AWS SAM CLI
         uses: aws-actions/setup-sam@v2
-      - name: Setup AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
+      - name: Setup AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4.0.1
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
           aws-region: ${{ secrets.AWS_REGION }}
+          mask-aws-account-id: true
       - name: Prepare SAM parameters
         env:
           SCHEDULE_EXPRESSION: ${{ vars.SCHEDULE_EXPRESSION }}
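Review bot: The step that now exchanges the OIDC token for AWS credentials in the `production` environment is pinned to a mutable tag, `uses: aws-actions/configure-aws-credentials@v4.0.1`, as are `actions/checkout@v4`, `actions/setup-python@v5` and `aws-actions/setup-sam@v2`; a tag can be moved, so for a deploy job the usual hardening is to pin each action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<commit-sha> # v4.0.1`. The `permissions:` block is declared at workflow level, so every job added to this file later inherits `id-token: write`; moving it under `build-and-deploy:` keeps the token grant scoped to the one job that needs it. Since the hunk also adds `workflow_dispatch:`, anyone with write access can start a production deploy by hand, which presumably relies on the `production` environment having protection rules and on the role's trust policy matching the `sub` claim for this repository and environment — neither is visible here, so worth confirming and noting in a comment above `role-to-assume:`.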