
Commit 556f7ee

committed
Authenticate CI uploads with OIDC
The GitHub Actions workflows that upload build artifacts to S3 have been refactored to make use of OIDC to avoid long-lived authentication tokens.
1 parent 0573de8 commit 556f7ee


4 files changed

+88
-44
lines changed


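--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -154,13 +154,17 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-west-1
+- name: Configure AWS credentials
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
+aws-region: us-east-1
 - name: Deploy build to rustup-builds bucket for release team
-# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
 run: |
-aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
+aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
 env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-east-1
 - name: Clear the cargo caches
 run: |
@@ -304,13 +308,17 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-west-1
+- name: Configure AWS credentials
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
+aws-region: us-east-1
 - name: Deploy build to rustup-builds bucket for release team
-# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
 run: |
-aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
+aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
 env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-east-1
 - name: Clear the cargo caches
 run: |
@@ -460,13 +468,17 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-west-1
+- name: Configure AWS credentials
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
+aws-region: us-east-1
 - name: Deploy build to rustup-builds bucket for release team
-# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
 run: |
-aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
+aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
 env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-east-1
 - name: Clear the cargo caches
 run: |
@@ -612,13 +624,17 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-west-1
+- name: Configure AWS credentials
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
+aws-region: us-east-1
 - name: Deploy build to rustup-builds bucket for release team
-# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
 run: |
-aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
+aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
 env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-east-1
 - name: Clear the cargo caches
 run: |
@@ -769,13 +785,17 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-west-1
+- name: Configure AWS credentials
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
+aws-region: us-east-1
 - name: Deploy build to rustup-builds bucket for release team
-# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
 run: |
-aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
+aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
 env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-east-1
 - name: Clear the cargo caches
 run: |
@@ -947,13 +967,17 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-west-1
+- name: Configure AWS credentials
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
+aws-region: us-east-1
 - name: Deploy build to rustup-builds bucket for release team
-# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
 run: |
-aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
+aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
 env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-east-1
 - name: Clear the cargo caches
 run: |
@@ -1065,13 +1089,17 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-west-1
+- name: Configure AWS credentials
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
+aws-region: us-east-1
 - name: Deploy build to rustup-builds bucket for release team
-# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
 run: |
-aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
+aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
 env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-east-1
 - name: Clear the cargo caches
 run: |
@@ -1189,13 +1217,17 @@ jobs:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-west-1
+- name: Configure AWS credentials
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
+aws-region: us-east-1
 - name: Deploy build to rustup-builds bucket for release team
-# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
 run: |
-aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
+aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
 env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-east-1
 - name: Clear the cargo caches
 run: |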
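Review bot: The new `Configure AWS credentials` step (`role-to-assume` via `aws-actions/configure-aws-credentials@v1`) can only assume the role if the job is allowed to request an OIDC ID token, and none of the eight hunks in this file grants that; unless `permissions: id-token: write` already exists at workflow or job level outside these hunks, the step will fail to obtain credentials on the first release push. Add to each job that runs it `permissions:` / `  id-token: write` / `  contents: read` (an explicit `permissions` block resets every unlisted scope to none, so `contents: read` keeps repository read access for checkout). The same gap applies to ci/actions-templates/linux-builds-template.yaml, macos-builds-template.yaml and windows-builds-template.yaml, and since ci.yaml looks generated from those templates (the `# skip-…` markers on their `jobs:` lines), the fix presumably belongs there rather than here. Separately, the context lines at 154–156 still inject `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from secrets into the preceding step (which starts outside the hunk), so the long-lived keys the description says are being retired remain in use for that step and in the repository's secrets. Lastly, `@v1` is a mutable tag on an action that is handed cloud credentials; pinning it to a full commit SHA with the version in a trailing comment would make future changes to it reviewable.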

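--- a/ci/actions-templates/linux-builds-template.yaml
+++ b/ci/actions-templates/linux-builds-template.yaml
@@ -170,13 +170,17 @@ jobs: # skip-master skip-pr skip-stable
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-west-1
+- name: Configure AWS credentials
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
+aws-region: us-east-1
 - name: Deploy build to rustup-builds bucket for release team
-# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
 run: |
-aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
+aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
 env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-east-1
 - name: Clear the cargo caches
 run: |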

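--- a/ci/actions-templates/macos-builds-template.yaml
+++ b/ci/actions-templates/macos-builds-template.yaml
@@ -110,13 +110,17 @@ jobs: # skip-x86_64 skip-aarch64
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-west-1
+- name: Configure AWS credentials
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
+aws-region: us-east-1
 - name: Deploy build to rustup-builds bucket for release team
-# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
 run: |
-aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
+aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
 env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-east-1
 - name: Clear the cargo caches
 run: |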

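--- a/ci/actions-templates/windows-builds-template.yaml
+++ b/ci/actions-templates/windows-builds-template.yaml
@@ -147,13 +147,17 @@ jobs: # skip-master skip-pr skip-stable
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-west-1
+- name: Configure AWS credentials
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--rustup
+aws-region: us-east-1
 - name: Deploy build to rustup-builds bucket for release team
-# if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
+if: github.event_name == 'push' && github.ref == 'refs/heads/master' && matrix.mode == 'release'
 run: |
-aws --debug s3 cp --recursive dist s3://rustup-builds/${{ github.sha }}
+aws --debug s3 cp --recursive deploy/ s3://rustup-builds/${{ github.sha }}
 env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: us-east-1
 - name: Clear the cargo caches
 run: |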
