
Commit d2cd985

Merge pull request #406 from testsigmahq/fix/remove-aws-hardcoding
Update GitHub Actions workflow for agent build
2 parents 2d27c74 + 8194678 commit d2cd985

4 files changed

Lines changed: 83 additions & 48 deletions


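--- a/.github/workflows/agent-build.yml
+++ b/.github/workflows/agent-build.yml
@@ -1,37 +1,52 @@
-name: 'Agent Zip Build'
+name: Agent Zip Build
 on:
 workflow_dispatch:
 inputs:
 buildType:
 type: choice
-description: 'Build Type'
+description: "Build Type"
 required: true
-options:
+options:
 - Testing
 - Release
 buildVersion:
-description: 'Build Version'
+description: "Build Version"
 required: true
+
+permissions:
+id-token: write
+contents: write
+
 jobs:
 Build:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
-- uses: actions/setup-java@v3
+
+- uses: actions/setup-java@v4
 with:
-distribution: 'zulu'
-java-version: '11'
+distribution: "zulu"
+java-version: "11"
+
+- name: Set AWS environment
+run: |
+echo "AWS_DEFAULT_REGION=us-east-1" >> $GITHUB_ENV
+echo "AWS_DEFAULT_OUTPUT=json" >> $GITHUB_ENV
+echo "AWS_ROLE_ARN=${{ secrets.STAGE_AWS_GITHUB_OIDC_ROLE_ARN }}" >> $GITHUB_ENV
+
+- name: Configure AWS credentials (OIDC)
+uses: aws-actions/configure-aws-credentials@v4
+with:
+role-to-assume: ${{ env.AWS_ROLE_ARN }}
+role-session-name: GitHub_to_AWS_via_FederatedOIDC
+aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
 - name: Downloading Packages
 run: |
-mkdir $HOME/.testsigma_os
+mkdir -p $HOME/.testsigma_os
 aws s3 cp s3://hybrid-staging.testsigma.com/testsigma_os $HOME/.testsigma_os --recursive
-env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-AWS_DEFAULT_REGION: 'us-east-1'
-AWS_DEFAULT_OUTPUT: json
-GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-- name: Building
+
+- name: Building
 run: |
 if [[ "${{ github.event.inputs.buildType }}" == "Testing" ]]; then
 bash agent/scripts/build.sh --VERSION=v${{ github.event.inputs.buildVersion }} --PUBLISH_TO_GIT=false
@@ -40,8 +55,5 @@ jobs:
 bash agent/scripts/build.sh --VERSION=v${{ github.event.inputs.buildVersion }} --PUBLISH_TO_GIT=true
 fi
 env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-AWS_DEFAULT_REGION: 'us-east-1'
-AWS_DEFAULT_OUTPUT: json
-GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+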
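Review bot: The OIDC role ARN is written to `$GITHUB_ENV` by the new `Set AWS environment` step and then read back as `env.AWS_ROLE_ARN` in `Configure AWS credentials (OIDC)`; the action accepts the secret directly, so `role-to-assume: ${{ secrets.STAGE_AWS_GITHUB_OIDC_ROLE_ARN }}` together with `aws-region: us-east-1` removes the indirection and stops the ARN from being exported into the environment of every later step (the echo step would then only need to set `AWS_DEFAULT_OUTPUT`, if anything still reads it). The same indirection is repeated in docker-build-m1.yml, docker-build.yml and server-build.yml. A fixed `role-session-name: GitHub_to_AWS_via_FederatedOIDC` makes every run's assumed session look identical in CloudTrail; `role-session-name: gh-${{ github.run_id }}` ties each session back to the workflow run that minted it. In the `Building` step's `env:` the token variable is renamed from `GH_TOKEN` to `GITHUB_TOKEN` while server-build.yml keeps `GH_TOKEN`; if `agent/scripts/build.sh` reads `$GH_TOKEN` the rename silently breaks the `--PUBLISH_TO_GIT=true` path, so confirm which name the script expects (the script is not in this diff).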

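--- a/.github/workflows/docker-build-m1.yml
+++ b/.github/workflows/docker-build-m1.yml
@@ -12,6 +12,9 @@ on:
 buildVersion:
 description: 'Build Version'
 required: true
+permissions:
+id-token: write
+contents: write
 jobs:
 Build:
 runs-on: ubuntu-latest
@@ -21,15 +24,24 @@ jobs:
 with:
 distribution: 'zulu'
 java-version: '11'
+
+- name: Set AWS environment
+run: |
+echo "AWS_DEFAULT_REGION=us-east-1" >> $GITHUB_ENV
+echo "AWS_DEFAULT_OUTPUT=json" >> $GITHUB_ENV
+echo "AWS_ROLE_ARN=${{ secrets.STAGE_AWS_GITHUB_OIDC_ROLE_ARN }}" >> $GITHUB_ENV
+
+- name: Configure AWS credentials (OIDC)
+uses: aws-actions/configure-aws-credentials@v4
+with:
+role-to-assume: ${{ env.AWS_ROLE_ARN }}
+role-session-name: GitHub_to_AWS_via_FederatedOIDC
+aws-region: ${{ env.AWS_DEFAULT_REGION }}
 - name: Downloading Packages
 run: |
 mkdir $HOME/.testsigma_os
 aws s3 cp s3://hybrid-staging.testsigma.com/testsigma_os $HOME/.testsigma_os --recursive
-env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-AWS_DEFAULT_REGION: 'us-east-1'
-AWS_DEFAULT_OUTPUT: json
+
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v2
 
@@ -50,8 +62,3 @@ jobs:
 if [[ "${{ github.event.inputs.buildType }}" == "Release" ]]; then
 bash deploy/docker/build.sh --DOCKER_VERSION=v${{ github.event.inputs.buildVersion }}-m1 --AGENT_TAG=v${{ github.event.inputs.buildVersion }} --IMAGE_NAME=server
 fi
-env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-AWS_DEFAULT_REGION: 'us-east-1'
-AWS_DEFAULT_OUTPUT: json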
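Review bot: The new workflow-level `permissions:` grants `contents: write`, but nothing on this file's new side uses a GitHub token: the `Building` step's `env:` block is removed entirely and no `GITHUB_TOKEN`/`GH_TOKEN` remains, so `contents: read` appears sufficient unless `deploy/docker/build.sh` pushes to the repository, which this diff does not show. `id-token: write` is the permission the OIDC exchange actually needs and is correctly added. docker-build.yml carries the same `contents: write` grant with the same apparent lack of a consumer. Separately, the `Downloading Packages` step keeps `mkdir $HOME/.testsigma_os` while agent-build.yml in this commit changed it to `mkdir -p $HOME/.testsigma_os`; it works on a fresh runner, but the two workflows now diverge for no visible reason. The `Building` step's enclosing `run: |` block starts above the last hunk.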

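--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -12,6 +12,9 @@ on:
 buildVersion:
 description: 'Build Version'
 required: true
+permissions:
+id-token: write
+contents: write
 jobs:
 Build:
 runs-on: ubuntu-latest
@@ -21,15 +24,24 @@ jobs:
 with:
 distribution: 'zulu'
 java-version: '11'
+- name: Set AWS environment
+run: |
+echo "AWS_DEFAULT_REGION=us-east-1" >> $GITHUB_ENV
+echo "AWS_DEFAULT_OUTPUT=json" >> $GITHUB_ENV
+echo "AWS_ROLE_ARN=${{ secrets.STAGE_AWS_GITHUB_OIDC_ROLE_ARN }}" >> $GITHUB_ENV
+
+- name: Configure AWS credentials (OIDC)
+uses: aws-actions/configure-aws-credentials@v4
+with:
+role-to-assume: ${{ env.AWS_ROLE_ARN }}
+role-session-name: GitHub_to_AWS_via_FederatedOIDC
+aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
 - name: Downloading Packages
 run: |
 mkdir $HOME/.testsigma_os
 aws s3 cp s3://hybrid-staging.testsigma.com/testsigma_os $HOME/.testsigma_os --recursive
-env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-AWS_DEFAULT_REGION: 'us-east-1'
-AWS_DEFAULT_OUTPUT: json
+
 
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v2
@@ -51,8 +63,3 @@ jobs:
 if [[ "${{ github.event.inputs.buildType }}" == "Release" ]]; then
 bash deploy/docker/build.sh --DOCKER_VERSION=v${{ github.event.inputs.buildVersion }} --AGENT_TAG=v${{ github.event.inputs.buildVersion }} --IMAGE_NAME=server
 fi
-env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-AWS_DEFAULT_REGION: 'us-east-1'
-AWS_DEFAULT_OUTPUT: json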
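Review bot: `aws-actions/configure-aws-credentials@v4` is referenced by a mutable major-version tag; this is the step that exchanges the job's OIDC token for AWS credentials, so it is the reference whose supply chain matters most, and it should be pinned to a full commit SHA with the tag kept as a trailing comment (`uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4`). The same applies to the new `actions/setup-java@v4` in agent-build.yml and to the pre-existing `actions/checkout@v3` and `docker/setup-qemu-action@v2` references in all four workflows. New lines 44 and 45 leave two consecutive blank lines between the download step and `Set up QEMU`, which yamllint's default `empty-lines` rule flags.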

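--- a/.github/workflows/server-build.yml
+++ b/.github/workflows/server-build.yml
@@ -12,6 +12,9 @@ on:
 buildVersion:
 description: 'Build Version'
 required: true
+permissions:
+id-token: write
+contents: write
 jobs:
 Build:
 runs-on: ubuntu-latest
@@ -21,15 +24,25 @@ jobs:
 with:
 distribution: 'zulu'
 java-version: '11'
+
+- name: Set AWS environment
+run: |
+echo "AWS_DEFAULT_REGION=us-east-1" >> $GITHUB_ENV
+echo "AWS_DEFAULT_OUTPUT=json" >> $GITHUB_ENV
+echo "AWS_ROLE_ARN=${{ secrets.STAGE_AWS_GITHUB_OIDC_ROLE_ARN }}" >> $GITHUB_ENV
+
+- name: Configure AWS credentials (OIDC)
+uses: aws-actions/configure-aws-credentials@v4
+with:
+role-to-assume: ${{ env.AWS_ROLE_ARN }}
+role-session-name: GitHub_to_AWS_via_FederatedOIDC
+aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
 - name: Downloading Packages
 run: |
 mkdir $HOME/.testsigma_os
 aws s3 cp s3://hybrid-staging.testsigma.com/testsigma_os $HOME/.testsigma_os --recursive
 env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-AWS_DEFAULT_REGION: 'us-east-1'
-AWS_DEFAULT_OUTPUT: json
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Building
 run: |
@@ -40,8 +53,4 @@ jobs:
 bash deploy/installer/build.sh --VERSION=v${{ github.event.inputs.buildVersion }} --PUBLISH_TO_GIT=true
 fi
 env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-AWS_DEFAULT_REGION: 'us-east-1'
-AWS_DEFAULT_OUTPUT: json
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}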
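Review bot: The `Downloading Packages` step still exports `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` (kept as context at new line 46) although the step only runs `mkdir` and `aws s3 cp`; agent-build.yml in this same commit dropped that token from its download step, and removing it here too keeps the token scoped to the `Building` step that needs it for `--PUBLISH_TO_GIT=true`. The `Building` step also interpolates `${{ github.event.inputs.buildVersion }}` straight into the `run:` script; exposure is limited because `workflow_dispatch` inputs come from users with write access, but the robust form is to add `BUILD_VERSION: ${{ github.event.inputs.buildVersion }}` to the step's existing `env:` and reference `"$BUILD_VERSION"` in the shell line, and the same pattern appears in the other three workflows. The `Building` step's `run: |` block begins above the last hunk.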
