Update Swift version, dependencies, and CI

.github/dependabot.yml

@@ -1,5 +1,4 @@
 version: 2
-enable-beta-ecosystems: true
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"
@@ -9,14 +8,3 @@ updates:
       dependencies:
         patterns:
           - "*"
-  - package-ecosystem: "swift"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    open-pull-requests-limit: 6
-    allow:
-      - dependency-type: all
-    groups:
-      all-dependencies:
-        patterns:
-          - "*"

.github/workflows/ci.yaml

@@ -8,39 +8,37 @@ on:
       - main
 
 jobs:
-  lint:
-    # We need to use 5.10 for Publish (Swift 6 breaks) and that doesn't have an up to date version
-    # of python so run lint in a separate job
-    name: Lint
+  lint-and-deploy:
+    name: Lint, Build, and Deploy
     runs-on: ubuntu-latest
+    permissions: { id-token: write, deployments: write, contents: read }
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v5
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
-          python-version: '3.10'
+          python-version: '3.12'
+      - name: Install latesst Swift
+        uses: vapor/swiftly-action@v0.2
+        with:
+          toolchain: latest
+      - name: Checkout code
+        uses: actions/checkout@v5
       - name: Setup CloudFormation linter
         uses: ScottBrenner/cfn-lint-action@v2
       - name: Run CloudFormation linter
         run: cfn-lint -t stack.yaml
-  deploy:
-    needs: lint
-    name: Build and Deploy
-    runs-on: ubuntu-latest
-    container: swift:5.10
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v5
       - name: Build site   
         run: swift run
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ vars.OIDC_ROLE_ARN }}
+          aws-region: ${{ vars.OIDC_ROLE_REGION }}
       - name: Deploy S3 Website
         if: ${{ github.event.pull_request.head.repo.full_name == 'vapor/blog' && github.actor != 'dependabot[bot]' }}
         uses: brokenhandsio/s3-website-pr-action@v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.BLOG_DEPLOYER_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.BLOG_DEPLOYER_AWS_SECRET_ACCESS_KEY }}
         with:
           bucket-prefix: "vapor-blog-pulls"
           folder-to-copy: "./Output"

.github/workflows/deploy.yaml

@@ -9,61 +9,58 @@ jobs:
   build:
     name: Build and deploy
     runs-on: ubuntu-latest
-    container: swift:5.10
+    permissions: { id-token: write, contents: read }
     steps:
-    - name: Checkout
-      uses: actions/checkout@v5
-    - name: Build site
-      run: swift run
-    - name: Configure AWS credentials
-      id: cred
-      uses: aws-actions/configure-aws-credentials@v5
-      with:
-        aws-access-key-id: ${{ secrets.BLOG_DEPLOYER_AWS_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.BLOG_DEPLOYER_AWS_SECRET_ACCESS_KEY }}
-        aws-region: 'eu-west-2'
-    - name: Deploy to AWS Cloudformation
-      id: clouddeploy
-      uses: aws-actions/aws-cloudformation-github-deploy@v1
-      with:
-        name: vapor-blog-stack
-        template: stack.yaml
-        no-fail-on-empty-changeset: "1"
-        parameter-overrides: >-
-          DomainName=blog.vapor.codes,
-          S3BucketName=vapor-blog-site,
-          AcmCertificateArn=${{ secrets.CERTIFICATE_ARN }}
-      if: steps.cred.outcome == 'success'
-    - name: Deploy Main Site to S3
-      id: s3deploy
-      uses: jakejarvis/s3-sync-action@master
-      with:
-        args: --acl public-read --follow-symlinks --delete --exclude 'feed.rss'
-      env:
-        AWS_S3_BUCKET: 'vapor-blog-site'
-        AWS_ACCESS_KEY_ID: ${{ secrets.BLOG_DEPLOYER_AWS_ACCESS_KEY_ID }}
-        AWS_SECRET_ACCESS_KEY: ${{ secrets.BLOG_DEPLOYER_AWS_SECRET_ACCESS_KEY }}
-        AWS_REGION: 'eu-west-2'
-        SOURCE_DIR: 'Output'
-      if: steps.clouddeploy.outcome == 'success'
-    # This is done as a separate step to ensure the RSS feed is served with the correct content type
-    - name: Deploy RSS Feed to S3
-      id: s3deploy-rss
-      uses: jakejarvis/s3-sync-action@master
-      with:
-        args: --acl public-read --follow-symlinks --delete --exclude '*' --include 'feed.rss' --content-type 'application/rss+xml'
-      env:
-        AWS_S3_BUCKET: 'vapor-blog-site'
-        AWS_ACCESS_KEY_ID: ${{ secrets.BLOG_DEPLOYER_AWS_ACCESS_KEY_ID }}
-        AWS_SECRET_ACCESS_KEY: ${{ secrets.BLOG_DEPLOYER_AWS_SECRET_ACCESS_KEY }}
-        AWS_REGION: 'eu-west-2'
-        SOURCE_DIR: 'Output'
-      if: steps.clouddeploy.outcome == 'success'
-    - name: Invalidate CloudFront
-      uses: awact/cloudfront-action@master
-      env:
-        SOURCE_PATH: '/*'
-        AWS_REGION: 'eu-west-2'
-        AWS_ACCESS_KEY_ID: ${{ secrets.BLOG_DEPLOYER_AWS_ACCESS_KEY_ID }}
-        AWS_SECRET_ACCESS_KEY: ${{ secrets.BLOG_DEPLOYER_AWS_SECRET_ACCESS_KEY }}
-        DISTRIBUTION_ID: ${{ secrets.VAPOR_BLOG_DISTRIBUTION_ID }}
+      - name: Install latesst Swift
+        uses: vapor/swiftly-action@v0.2
+        with:
+          toolchain: latest
+      - name: Checkout
+        uses: actions/checkout@v5
+      - name: Build site
+        run: swift run
+      - name: Configure AWS credentials
+        id: cred
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ vars.OIDC_ROLE_ARN }}
+          aws-region: ${{ vars.OIDC_ROLE_REGION }}
+      - name: Deploy to AWS Cloudformation
+        id: clouddeploy
+        uses: aws-actions/aws-cloudformation-github-deploy@v1
+        with:
+          name: vapor-blog-stack
+          template: stack.yaml
+          no-fail-on-empty-changeset: "1"
+          parameter-overrides: >-
+            DomainName=blog.vapor.codes,
+            S3BucketName=vapor-blog-site,
+            AcmCertificateArn=${{ secrets.CERTIFICATE_ARN }}
+        if: steps.cred.outcome == 'success'
+      - name: Deploy Main Site to S3
+        id: s3deploy
+        uses: jakejarvis/s3-sync-action@master
+        with:
+          args: --acl public-read --follow-symlinks --delete --exclude 'feed.rss'
+        env:
+          AWS_S3_BUCKET: 'vapor-blog-site'
+          AWS_REGION: 'eu-west-2'
+          SOURCE_DIR: 'Output'
+        if: steps.clouddeploy.outcome == 'success'
+      # This is done as a separate step to ensure the RSS feed is served with the correct content type
+      - name: Deploy RSS Feed to S3
+        id: s3deploy-rss
+        uses: jakejarvis/s3-sync-action@master
+        with:
+          args: --acl public-read --follow-symlinks --delete --exclude '*' --include 'feed.rss' --content-type 'application/rss+xml'
+        env:
+          AWS_S3_BUCKET: 'vapor-blog-site'
+          AWS_REGION: 'eu-west-2'
+          SOURCE_DIR: 'Output'
+        if: steps.clouddeploy.outcome == 'success'
+      - name: Invalidate CloudFront
+        uses: awact/cloudfront-action@master
+        env:
+          SOURCE_PATH: '/*'
+          AWS_REGION: 'eu-west-2'
+          DISTRIBUTION_ID: ${{ secrets.VAPOR_BLOG_DISTRIBUTION_ID }}

.github/workflows/prs-closed.yaml

@@ -10,15 +10,19 @@ jobs:
   delete-s3:
     name: Delete S3 Website
     runs-on: ubuntu-latest
+    permissions: { id-token: write, deployments: write, contents: read }
     if: ${{ github.event.pull_request.head.repo.full_name == 'vapor/blog' && github.actor != 'dependabot[bot]' }}
     env:
-      AWS_ACCESS_KEY_ID: ${{ secrets.BLOG_DEPLOYER_AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.BLOG_DEPLOYER_AWS_SECRET_ACCESS_KEY }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ vars.OIDC_ROLE_ARN }}
+          aws-region: ${{ vars.OIDC_ROLE_REGION }}
       - name: Delete Website Bucket
         uses: brokenhandsio/s3-website-pr-action@v2
         with:
           bucket-prefix: "vapor-blog-pulls"
-          bucket-region: "us-east-1"
+          bucket-region: "us-east-1"

Package.swift

@@ -1,4 +1,4 @@
-// swift-tools-version:5.7
+// swift-tools-version:6.2
 
 import PackageDescription