Commit 9ab87bf

chore: use AWS OpenID Connect for S3 publish
1 parent 5ec1915 commit 9ab87bf

2 files changed

+43
-29
lines changed

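--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -203,7 +203,7 @@ jobs:
 echo "is-nightly=$is_nightly" >> $GITHUB_OUTPUT
 echo "channel-name=$channel_name" >> $GITHUB_OUTPUT
 # Only attempt upload to Amazon S3 if the credentials are available.
-echo "publish-to-s3=${{ secrets.AWS_SECRET_ACCESS_KEY != '' }}" >> $GITHUB_OUTPUT
+echo "publish-to-s3=${{ secrets.AWS_ROLE_ARN != '' }}" >> $GITHUB_OUTPUT
 
 select-targets:
 needs: build-type-determination
@@ -284,8 +284,6 @@ jobs:
 - build-type-determination
 - select-targets
 env:
-# https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
-ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
 # Location of artifacts generated by build.
 BUILD_ARTIFACTS_PATH: electron-app/dist/build-artifacts
 # to skip passing signing credentials to electron-builder
@@ -363,8 +361,6 @@ jobs:
 AC_USERNAME: ${{ secrets.AC_USERNAME }}
 AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
 AC_TEAM_ID: ${{ secrets.AC_TEAM_ID }}
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 IS_NIGHTLY: ${{ needs.build-type-determination.outputs.is-nightly }}
 IS_RELEASE: ${{ needs.build-type-determination.outputs.is-release }}
 CAN_SIGN: ${{ secrets[matrix.config.certificate-secret] != '' }}
@@ -588,6 +584,12 @@ jobs:
 env:
 ARTIFACTS_FOLDER: build-artifacts
 
+environment: production
+
+permissions:
+id-token: write
+contents: read
+
 steps:
 - name: Download all job transfer artifacts
 uses: actions/download-artifact@v4
@@ -596,15 +598,15 @@ jobs:
 path: ${{ env.ARTIFACTS_FOLDER }}
 pattern: ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}*
 
+- name: Configure AWS Credentials for Nightly [S3]
+uses: aws-actions/configure-aws-credentials@v4
+with:
+role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+aws-region: us-east-1
+
 - name: Publish Nightly [S3]
-uses: docker://plugins/s3
-env:
-PLUGIN_SOURCE: '${{ env.ARTIFACTS_FOLDER }}/*'
-PLUGIN_STRIP_PREFIX: '${{ env.ARTIFACTS_FOLDER }}/'
-PLUGIN_TARGET: '/arduino-ide/nightly'
-PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+run: |
+aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide/nightly
 
 release:
 needs:
@@ -625,6 +627,12 @@ jobs:
 env:
 ARTIFACTS_FOLDER: build-artifacts
 
+environment: production
+
+permissions:
+id-token: write
+contents: read
+
 steps:
 - name: Download all job transfer artifacts
 uses: actions/download-artifact@v4
@@ -648,16 +656,17 @@ jobs:
 file_glob: true
 body: ${{ needs.changelog.outputs.BODY }}
 
+- name: Configure AWS Credentials for Release [S3]
+if: needs.build-type-determination.outputs.publish-to-s3 == 'true'
+uses: aws-actions/configure-aws-credentials@v4
+with:
+role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+aws-region: us-east-1
+
 - name: Publish Release [S3]
 if: needs.build-type-determination.outputs.publish-to-s3 == 'true'
-uses: docker://plugins/s3
-env:
-PLUGIN_SOURCE: '${{ env.ARTIFACTS_FOLDER }}/*'
-PLUGIN_STRIP_PREFIX: '${{ env.ARTIFACTS_FOLDER }}/'
-PLUGIN_TARGET: '/arduino-ide'
-PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+run: |
+aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide
 
 clean:
 # This job must run after all jobs that use the transfer artifact.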
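Review bot: The `permissions:` block added to the release job (hunk `@@ -625,6 +627,12 @@`, new lines 632-634) replaces the job's default token scopes with only `id-token: write` and `contents: read`, and the context at new lines 656-657 (`file_glob: true`, `body: ${{ needs.changelog.outputs.BODY }}`) looks like a GitHub release upload step; if that step authenticates with `GITHUB_TOKEN`, it will now fail on the write. In that case the release job needs `contents: write` while the nightly job can keep `contents: read`, since it only syncs to S3. Separately, the nightly configure-credentials step at new line 601 has no `publish-to-s3` guard while the release one at 659 does; unless the nightly job is already gated at job level, an unset `AWS_ROLE_ARN` yields an empty `role-to-assume` and the step fails rather than being skipped. The enclosing job definitions begin outside these hunks.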

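--- a/.github/workflows/compose-full-changelog.yml
+++ b/.github/workflows/compose-full-changelog.yml
@@ -14,6 +14,11 @@ jobs:
 create-changelog:
 if: github.repository == 'arduino/arduino-ide'
 runs-on: ubuntu-latest
+permissions:
+id-token: write
+contents: read
+environment: production
+
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -44,12 +49,12 @@ jobs:
 # Compose changelog
 yarn run compose-changelog "${{ github.workspace }}/${{ env.CHANGELOG_ARTIFACTS }}/$CHANGELOG_FILE_NAME"
 
+- name: Configure AWS Credentials for Changelog [S3]
+uses: aws-actions/configure-aws-credentials@v4
+with:
+role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+aws-region: us-east-1
+
 - name: Publish Changelog [S3]
-uses: docker://plugins/s3
-env:
-PLUGIN_SOURCE: '${{ env.CHANGELOG_ARTIFACTS }}/*'
-PLUGIN_STRIP_PREFIX: '${{ env.CHANGELOG_ARTIFACTS }}/'
-PLUGIN_TARGET: '/arduino-ide/changelog'
-PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+run: |
+aws s3 sync ${{ env.CHANGELOG_ARTIFACTS }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide/changelog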
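Review bot: The job-level key order at new lines 17-20 (`permissions:` before `environment: production`) is the reverse of what build.yml uses in the same commit; both are valid, but one order across the repository makes the OIDC wiring easier to audit. The `run:` at new line 60 passes both paths unquoted, so `aws s3 sync "${{ env.CHANGELOG_ARTIFACTS }}" "s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide/changelog"` would be the safer spelling should either value ever contain whitespace. Since `environment: production` is now set, the role's trust policy can be scoped to the environment-specific `sub` claim rather than a branch pattern; that is not visible here and worth confirming on the AWS side. The create-changelog job's remaining steps lie outside the second hunk.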
