Update GitHub Actions workflow for agent build

adil-testsigma · web-flow · commit 19e9d4787c36 · 2026-04-05T13:46:46.000+05:30
diff --git a/.github/workflows/agent-build.yml b/.github/workflows/agent-build.yml
@@ -1,37 +1,52 @@
-name: 'Agent Zip Build'
+name: Agent Zip Build
 on:
   workflow_dispatch:
     inputs:
       buildType:
         type: choice
-        description: 'Build Type'
+        description: "Build Type"
         required: true
-        options: 
+        options:
           - Testing
           - Release
       buildVersion:
-        description: 'Build Version'
+        description: "Build Version"
         required: true
+
+permissions:
+  id-token: write
+  contents: write
+
 jobs:
   Build:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: actions/setup-java@v3
+
+      - uses: actions/setup-java@v4
         with:
-          distribution: 'zulu'
-          java-version: '11'
+          distribution: "zulu"
+          java-version: "11"
+
+      - name: Set AWS environment
+        run: |
+          echo "AWS_DEFAULT_REGION=us-east-1" >> $GITHUB_ENV
+          echo "AWS_DEFAULT_OUTPUT=json" >> $GITHUB_ENV
+          echo "AWS_ROLE_ARN=${{ secrets.STAGE_AWS_GITHUB_OIDC_ROLE_ARN }}" >> $GITHUB_ENV
+
+      - name: Configure AWS credentials (OIDC)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.AWS_ROLE_ARN }}
+          role-session-name: GitHub_to_AWS_via_FederatedOIDC
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
       - name: Downloading Packages
         run: |
-          mkdir $HOME/.testsigma_os
+          mkdir -p $HOME/.testsigma_os
           aws s3 cp s3://hybrid-staging.testsigma.com/testsigma_os $HOME/.testsigma_os --recursive
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_DEFAULT_REGION: 'us-east-1'
-          AWS_DEFAULT_OUTPUT: json
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Building 
+
+      - name: Building
         run: |
           if [[ "${{ github.event.inputs.buildType }}" == "Testing" ]]; then
             bash agent/scripts/build.sh --VERSION=v${{ github.event.inputs.buildVersion }} --PUBLISH_TO_GIT=false
@@ -40,8 +55,5 @@ jobs:
             bash agent/scripts/build.sh --VERSION=v${{ github.event.inputs.buildVersion }} --PUBLISH_TO_GIT=true
           fi
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_DEFAULT_REGION: 'us-east-1'
-          AWS_DEFAULT_OUTPUT: json
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
