Authenticate CI uploads with OIDC
The GitHub Actions workflows that upload build artifacts to S3 have been
refactored to make use of OIDC to avoid long-lived authentication
tokens.
jdno committed Jun 25, 2024
1 parent b2b6145 commit 5f0aca9
Showing 4 changed files with 88 additions and 44 deletions.
96 changes: 64 additions & 32 deletions .github/workflows/ci.yaml
Expand Up @@ -154,13 +154,17 @@ jobs:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-west-1
- name: Configure AWS credentials
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
aws-region: us-east-1
- name: Deploy build to rustup-builds bucket for release team
# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
run: |
aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
- name: Clear the cargo caches
run: |
Expand Down Expand Up @@ -304,13 +308,17 @@ jobs:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-west-1
- name: Configure AWS credentials
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
aws-region: us-east-1
- name: Deploy build to rustup-builds bucket for release team
# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
run: |
aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
- name: Clear the cargo caches
run: |
Expand Down Expand Up @@ -460,13 +468,17 @@ jobs:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-west-1
- name: Configure AWS credentials
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
aws-region: us-east-1
- name: Deploy build to rustup-builds bucket for release team
# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
run: |
aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
- name: Clear the cargo caches
run: |
Expand Down Expand Up @@ -612,13 +624,17 @@ jobs:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-west-1
- name: Configure AWS credentials
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
aws-region: us-east-1
- name: Deploy build to rustup-builds bucket for release team
# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
run: |
aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
- name: Clear the cargo caches
run: |
Expand Down Expand Up @@ -769,13 +785,17 @@ jobs:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-west-1
- name: Configure AWS credentials
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
aws-region: us-east-1
- name: Deploy build to rustup-builds bucket for release team
# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
run: |
aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
- name: Clear the cargo caches
run: |
Expand Down Expand Up @@ -947,13 +967,17 @@ jobs:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-west-1
- name: Configure AWS credentials
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
aws-region: us-east-1
- name: Deploy build to rustup-builds bucket for release team
# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
run: |
aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
- name: Clear the cargo caches
run: |
Expand Down Expand Up @@ -1065,13 +1089,17 @@ jobs:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-west-1
- name: Configure AWS credentials
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
aws-region: us-east-1
- name: Deploy build to rustup-builds bucket for release team
# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
run: |
aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
- name: Clear the cargo caches
run: |
Expand Down Expand Up @@ -1189,13 +1217,17 @@ jobs:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-west-1
- name: Configure AWS credentials
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
aws-region: us-east-1
- name: Deploy build to rustup-builds bucket for release team
# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
run: |
aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
- name: Clear the cargo caches
run: |
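Review bot: The new `Configure AWS credentials` step can only obtain a GitHub OIDC token if the job (or workflow) grants `permissions: { id-token: write, contents: read }`, and neither this hunk nor the commit description shows that grant being added, so unless it already exists elsewhere in ci.yaml the role assumption will fail at runtime. The three context lines at the top of each hunk show the preceding step, whose body starts outside the hunk, still exporting `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from repository secrets for a us-west-1 upload, so long-lived keys remain in the workflows after this change and the stated goal is only partly met; that upload could use the same assumed role, or a separate one, with a follow-up comment such as `# TODO: move this upload onto OIDC as well` until it does. `uses: aws-actions/configure-aws-credentials@v1` pins a step that mints cloud credentials to a mutable major tag on an old release line; pinning to a full commit SHA with the version in a trailing comment, and confirming that the chosen release supports the OIDC flow, would harden the supply chain. `aws --debug` writes the CLI's full request/response trace, including request headers, to the public CI log, and together with the commented-out duplicate `# if:` line directly above the active condition it reads like debugging state that was committed; once the role assumption is verified, both should go. The same step is repeated verbatim in ci/actions-templates/linux-builds-template.yaml, macos-builds-template.yaml and windows-builds-template.yaml, which appear to be the source ci.yaml is generated from, so the fixes belong in the templates.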
12 changes: 8 additions & 4 deletions ci/actions-templates/linux-builds-template.yaml
Expand Up @@ -169,13 +169,17 @@ jobs: # skip-master skip-pr skip-stable
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-west-1
- name: Configure AWS credentials
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
aws-region: us-east-1
- name: Deploy build to rustup-builds bucket for release team
# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
run: |
aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
- name: Clear the cargo caches
run: |
12 changes: 8 additions & 4 deletions ci/actions-templates/macos-builds-template.yaml
Expand Up @@ -110,13 +110,17 @@ jobs: # skip-x86_64 skip-aarch64
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-west-1
- name: Configure AWS credentials
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
aws-region: us-east-1
- name: Deploy build to rustup-builds bucket for release team
# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
run: |
aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
- name: Clear the cargo caches
run: |
12 changes: 8 additions & 4 deletions ci/actions-templates/windows-builds-template.yaml
Expand Up @@ -147,13 +147,17 @@ jobs: # skip-master skip-pr skip-stable
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-west-1
- name: Configure AWS credentials
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
aws-region: us-east-1
- name: Deploy build to rustup-builds bucket for release team
# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
run: |
aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
- name: Clear the cargo caches
run: |
