From 31a66b4d84db6765aa53e6d15188c7fea3832373 Mon Sep 17 00:00:00 2001
From: kellygavin96
Date: Tue, 31 Mar 2026 16:03:33 -0400
Subject: [PATCH 1/2] migrate all workflows to OIDC auth
---
 .github/workflows/main-CI.yml | 10 +++++++---
 .github/workflows/main-deploy-dev.yml | 10 +++++++---
 .github/workflows/main-deploy.yml | 13 +++++++++----
 3 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/main-CI.yml b/.github/workflows/main-CI.yml
index 9e051d88..b17e9775 100644
--- a/.github/workflows/main-CI.yml
+++ b/.github/workflows/main-CI.yml
@@ -13,6 +13,9 @@ on:
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
+permissions:
+ id-token: write
+ contents: read
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
 # This workflow contains a single job called "build"
@@ -32,12 +35,13 @@ jobs:
 run: make build
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
 aws-region: us-east-1
+ - name: Verify AWS Identity
+ run: aws sts get-caller-identity
 - name: CI
 env:
 S3_ENCRYPT_KEY: ${{ secrets.S3_ENCRYPT_KEY }}
diff --git a/.github/workflows/main-deploy-dev.yml b/.github/workflows/main-deploy-dev.yml
index 4c291fb7..651b317b 100644
--- a/.github/workflows/main-deploy-dev.yml
+++ b/.github/workflows/main-deploy-dev.yml
@@ -7,6 +7,9 @@ on:
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
+permissions:
+ id-token: write
+ contents: read
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
 # This workflow contains a single job called "build"
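Review bot: The new top-level `permissions` block in the first main-CI.yml hunk grants `id-token: write` to every job in the workflow rather than only to the job that runs configure-aws-credentials; with the single job the nearby comment describes this is equivalent today, but any job added later inherits the ability to mint an OIDC token that the AWS role will accept. Placing the same block under the job (`jobs.build.permissions`) keeps the grant next to the step that needs it. Declaring `permissions` also resets every unlisted scope to none, so if a step elsewhere in the job (outside this hunk) relies on another scope it now has to be listed explicitly. The `on:` block and the job definition continue outside the hunk.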
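Review bot: In the second main-CI.yml hunk, `uses: aws-actions/configure-aws-credentials@v4` pins a mutable major tag, so the step that now obtains the AWS session can change underneath the repository whenever that tag is moved; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4.x.y`, and let a dependency bot bump it. The removed `secrets.AWS_ACCESS_KEY_ID`/`secrets.AWS_SECRET_ACCESS_KEY` lines drop the static keys from the workflow, but nothing in the diff shows the repository secrets being deleted or the IAM user's access keys being deactivated, and the exposure those long-lived keys represent only ends when that is done. Tracking that cleanup alongside this migration would make the change complete. The job's remaining steps continue outside the hunk.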
@@ -26,12 +29,13 @@ jobs:
 run: make build
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
 aws-region: us-east-1
+ - name: Verify AWS Identity
+ run: aws sts get-caller-identity
 - name: Deploy
 env:
 DEV_SECRET: ${{ secrets.DEV_SECRET }}
diff --git a/.github/workflows/main-deploy.yml b/.github/workflows/main-deploy.yml
index 7b86ae03..7b89a82b 100644
--- a/.github/workflows/main-deploy.yml
+++ b/.github/workflows/main-deploy.yml
@@ -7,6 +7,10 @@ on:
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
+permissions:
+ id-token: write
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
 # This workflow contains a single job called "build"
@@ -24,14 +28,15 @@ jobs:
 - name: Build
 run: make build
- - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
 aws-region: us-east-1
+ - name: Verify AWS Identity
+ run: aws sts get-caller-identity
+
 - name: Deploy
 env:
 DEV_SECRET: ${{ secrets.DEV_SECRET }}
From 23557b37f654755cd09dcda8742bd8019a850d81 Mon Sep 17 00:00:00 2001
From: kellygavin96
Date: Tue, 31 Mar 2026 16:36:02 -0400
Subject: [PATCH 2/2] remove verify AWS Identity step
---
 .github/workflows/main-CI.yml | 2 --
 .github/workflows/main-deploy-dev.yml | 2 --
 .github/workflows/main-deploy.yml | 2 --
 3 files changed, 6 deletions(-)
diff --git a/.github/workflows/main-CI.yml b/.github/workflows/main-CI.yml
index b17e9775..27ad7234 100644
--- a/.github/workflows/main-CI.yml
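Review bot: The `with:` block in the main-deploy-dev.yml hunk sets `role-to-assume` and `aws-region` but no `role-session-name`, so the assumed-role session carries the action's default session name, which as far as I recall is a fixed string rather than anything run-specific; CloudTrail `AssumeRoleWithWebIdentity` events from CI, dev deploys and production deploys then look alike and cannot be traced back to a particular run. Add a per-run name alongside the existing keys, e.g. `role-session-name: ${{ github.workflow }}-${{ github.run_id }}`, keeping in mind STS limits session names to 64 characters from `[\w+=,.@-]`, so a long workflow name should be replaced by `github.job` or a short literal. The job these steps belong to starts before the hunk.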
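Review bot: In the second main-deploy.yml hunk the deploy job assumes the same `${{ secrets.AWS_OIDC_ROLE_ARN }}` that main-CI.yml and main-deploy-dev.yml assume, so unless that secret is overridden per environment (no `environment:` key is visible in any of these hunks, though one could be declared on the job outside them) plain CI, the dev deploy and this deploy share one IAM role, one trust policy and one permission set. With OIDC the trust policy's `token.actions.githubusercontent.com:sub` condition is the effective access control, so for this workflow it should be pinned to the ref or environment it deploys from (e.g. `repo:<org>/<repo>:ref:refs/heads/main` or `repo:<org>/<repo>:environment:production`), while CI should use a separate, narrower role whose `sub` condition can cover feature branches. The trust policy is not part of the diff, so this has to be verified on the AWS side; a comment next to `role-to-assume:` naming the expected `sub` condition would let future reviewers check it from the workflow. Since a role ARN is not a secret, holding it in `vars` rather than `secrets` would also keep it readable in job logs for debugging at no security cost. The enclosing job starts before the hunk.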
+++ b/.github/workflows/main-CI.yml
@@ -40,8 +40,6 @@ jobs:
 role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
 aws-region: us-east-1
- - name: Verify AWS Identity
- run: aws sts get-caller-identity
 - name: CI
 env:
 S3_ENCRYPT_KEY: ${{ secrets.S3_ENCRYPT_KEY }}
diff --git a/.github/workflows/main-deploy-dev.yml b/.github/workflows/main-deploy-dev.yml
index 651b317b..7ab44cbd 100644
--- a/.github/workflows/main-deploy-dev.yml
+++ b/.github/workflows/main-deploy-dev.yml
@@ -34,8 +34,6 @@ jobs:
 role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
 aws-region: us-east-1
- - name: Verify AWS Identity
- run: aws sts get-caller-identity
 - name: Deploy
 env:
 DEV_SECRET: ${{ secrets.DEV_SECRET }}
diff --git a/.github/workflows/main-deploy.yml b/.github/workflows/main-deploy.yml
index 7b89a82b..cc2d7f07 100644
--- a/.github/workflows/main-deploy.yml
+++ b/.github/workflows/main-deploy.yml
@@ -34,8 +34,6 @@ jobs:
 role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
 aws-region: us-east-1
- - name: Verify AWS Identity
- run: aws sts get-caller-identity
 - name: Deploy
 env: