
Commit 75da36f

authored
Merge pull request #13 from Typeform/chore/PLT-816
build(PLT-816): update workflows to use temporary credentials
2 parents a03b3e9 + 3170872 commit 75da36f


2 files changed

+30
-7
lines changed


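--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -18,7 +18,7 @@ jobs:
 node-version: 20
 
 - name: Get yarn cache
-uses: actions/cache@v2
+uses: actions/cache@v4
 id: yarn-cache
 with:
 path: |
@@ -45,6 +45,9 @@ jobs:
 deploy-preview:
 runs-on: ubuntu-latest
 name: deploy-preview
+permissions:
+contents: read
+id-token: write
 steps:
 - name: Check out Git repository
 uses: actions/checkout@v3
@@ -55,7 +58,7 @@ jobs:
 node-version: 20
 
 - name: Get yarn cache
-uses: actions/cache@v2
+uses: actions/cache@v4
 id: yarn-cache
 with:
 path: |
@@ -82,12 +85,20 @@ jobs:
 - run: yarn add -W @typeform/jarvis
 - run: git checkout HEAD -- package.json # do not save jarvis dependency to package.json because it is private (the file is committed by semantic-release to bump version)
 
+# authenticate to AWS
+- uses: aws-actions/configure-aws-credentials@v4
+with:
+aws-region: 'us-east-1'
+mask-aws-account-id: true
+role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+role-session-name: ${{ github.run_id }}-${{ github.run_attempt }}
+role-duration-seconds: 900
+unset-current-credentials: true
+
 # deploy preview version of the package
 - run: yarn release:aws --preview --notify-preview
 env:
 AWS_ASSETS_BUCKET: 'typeform-public-assets/btn'
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
 GH_TOKEN: ${{ secrets.GH_TOKEN }}
 JARVIS_NOTIFY_PREVIEW_TEMPLATE: ${{ secrets.JARVIS_NOTIFY_PREVIEW_TEMPLATE }}
 PUBLIC_CDN_URL: 'https://btn.typeform.com'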
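Review bot: The new `aws-actions/configure-aws-credentials@v4` step, and the `actions/cache@v4` bump in the first and third hunks, reference actions by a mutable major tag, so the job that now mints short-lived AWS credentials runs whatever code the tag points to at run time; pinning to a full commit SHA with the version in a trailing comment, e.g. `- uses: aws-actions/configure-aws-credentials@<commit-sha> # v4`, keeps the supply chain fixed (the same applies to the identical step in release.yml). The `permissions` block is correctly scoped to the job rather than the workflow, and `role-duration-seconds: 900` plus the run-id session name give short, traceable sessions. Since this workflow's trigger is outside the hunk, it is worth confirming it is `pull_request` and not `pull_request_target`, as `id-token: write` combined with a checkout of untrusted PR code would hand the OIDC role to that code. The enclosing `deploy-preview` job continues outside the hunk.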

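--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,10 @@ jobs:
 release:
 name: Release
 runs-on: ubuntu-latest
+permissions:
+contents: write
+id-token: write
+packages: write
 steps:
 - name: Check out Git repository
 uses: actions/checkout@v3
@@ -18,7 +22,7 @@ jobs:
 node-version: 20
 
 - name: Get yarn cache
-uses: actions/cache@v3
+uses: actions/cache@v4
 id: yarn-cache
 with:
 path: |
@@ -47,12 +51,20 @@ jobs:
 - run: yarn add -W @typeform/jarvis
 - run: git checkout HEAD -- package.json # do not save jarvis dependency to package.json because it is private (the file is committed by semantic-release to bump version)
 
+# authenticate to AWS
+- uses: aws-actions/configure-aws-credentials@v4
+with:
+aws-region: 'us-east-1'
+mask-aws-account-id: true
+role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
+role-session-name: ${{ github.run_id }}-${{ github.run_attempt }}
+role-duration-seconds: 900
+unset-current-credentials: true
+
 - run: yarn release
 env:
 AWS_ASSETS_BUCKET: 'typeform-public-assets/btn'
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
 AWS_CLOUDFRONT_DIST: 'E3IUO95IYL1RI3'
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
 GH_TOKEN: ${{ secrets.GH_TOKEN }}
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 JARVIS_NOTIFY_PREVIEW_TEMPLATE: ${{ secrets.JARVIS_NOTIFY_PREVIEW_TEMPLATE }}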
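Review bot: The release job assumes `${{ secrets.DEPLOYMENT_ROLE_ARN }}` in the third hunk, the same secret name the PR preview job uses, so unless that secret is environment-scoped the pull-request preview path and the production release path (which also needs CloudFront access per `AWS_CLOUDFRONT_DIST`) share one AWS role and one permission set. Either separate roles per job, or a trust policy on the role that conditions `token.actions.githubusercontent.com:sub` on the release branch (and a narrower one for PR runs), keeps the preview job from inheriting release-level rights; worth confirming with whoever provisioned the role. A comment above the step such as `# OIDC role; trust policy restricts the sub claim to this repo and branch` would document the expectation for future readers. The `release` job's remaining steps are outside the hunk.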
