From 39bdc23927f0ab8b48e2bbede4815a6a1445bab5 Mon Sep 17 00:00:00 2001
From: Aaron Chung
Date: Thu, 23 Jan 2025 01:58:02 -0800
Subject: [PATCH] test - add github openid connect to all github workflows

---
 .github/workflows/mysql_advanced_performance.yml | 7 +++++--
 .github/workflows/mysql_performance.yml | 7 +++++--
 .github/workflows/pg_advanced_performance.yml | 7 +++++--
 .github/workflows/pg_performance.yml | 7 +++++--
 .github/workflows/run-autoscaling-tests.yml | 7 +++++--
 .github/workflows/run-integration-tests-codebuild.yml | 7 +++++--
 .github/workflows/run-integration-tests-default.yml | 2 ++
 .github/workflows/run-integration-tests-latest.yml | 7 +++++--
 8 files changed, 37 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/mysql_advanced_performance.yml b/.github/workflows/mysql_advanced_performance.yml
index 7b6702921..3be9441b3 100644
--- a/.github/workflows/mysql_advanced_performance.yml
+++ b/.github/workflows/mysql_advanced_performance.yml
@@ -3,6 +3,10 @@ name: Run Aurora Mysql Advanced Performance Tests
 on:
   workflow_dispatch:
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+
 jobs:
   aurora-mysql-performance-tests:
     concurrency: AdvancedPerformanceTests-Aurora
@@ -21,8 +25,7 @@ jobs:
       - name: 'Configure AWS credentials'
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
           aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
       - name: 'Set up temp AWS credentials'
         run: |
diff --git a/.github/workflows/mysql_performance.yml b/.github/workflows/mysql_performance.yml
index 7ff518fba..310f4ba0a 100644
--- a/.github/workflows/mysql_performance.yml
+++ b/.github/workflows/mysql_performance.yml
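Review bot: With `role-to-assume` replacing the static keys in the `Configure AWS credentials` step, the IAM role's trust policy is now the only thing deciding who can obtain these credentials, and nothing in the hunk shows what it allows; its `token.actions.githubusercontent.com:sub` condition must be pinned to this repository (not a `repo:*` wildcard), otherwise any GitHub repository could assume the role and the OIDC swap would be weaker than the key it replaces. Because this workflow runs on `workflow_dispatch`, a token can be minted from any branch, including one whose workflow file was edited, so consider putting `environment: aws-tests` on the job and pinning the trust policy to `repo:ORG/REPO:environment:aws-tests` (or to `ref:refs/heads/main`). The secret name `AWS_DEPLOY_ROLE` suggests a deployment role; a performance-test job presumably needs far less than deploy permissions, so a dedicated test role would limit the blast radius — worth confirming against the role's policy. The job's `steps:` list starts above the hunk.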
@@ -3,6 +3,10 @@ name: Run Aurora Mysql Performance Tests
 on:
   workflow_dispatch:
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+
 jobs:
   aurora-mysql-performance-tests:
     concurrency: PerformanceTests-Aurora
@@ -21,8 +25,7 @@ jobs:
       - name: 'Configure AWS credentials'
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
           aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
       - name: 'Set up temp AWS credentials'
         run: |
diff --git a/.github/workflows/pg_advanced_performance.yml b/.github/workflows/pg_advanced_performance.yml
index fcc2786a5..5d9f1dea9 100644
--- a/.github/workflows/pg_advanced_performance.yml
+++ b/.github/workflows/pg_advanced_performance.yml
@@ -3,6 +3,10 @@ name: Run Aurora Postgres Advanced Performance Tests
 on:
   workflow_dispatch:
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+
 jobs:
   aurora-postgres-performance-tests:
     concurrency: AdvancedPerformanceTests-Aurora
@@ -21,8 +25,7 @@ jobs:
       - name: 'Configure AWS credentials'
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
           aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
       - name: 'Set up temp AWS credentials'
         run: |
diff --git a/.github/workflows/pg_performance.yml b/.github/workflows/pg_performance.yml
index 346dc78dd..fe1a5afe3 100644
--- a/.github/workflows/pg_performance.yml
+++ b/.github/workflows/pg_performance.yml
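Review bot: `uses: aws-actions/configure-aws-credentials@v4` in the `Configure AWS credentials` step is a mutable major-version tag, and after this patch it is the step that exchanges the OIDC token for cloud credentials, so a retagged or compromised release would run with `id-token: write` and everything the role allows. Pin the action to the full commit SHA of the release you tested and keep the version as a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4.x.y`, then let Dependabot or Renovate move the pin. The same unpinned line is repeated in every workflow touched by this patch, so it is worth fixing once across all of them. The job's `steps:` list starts above the hunk.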
@@ -3,6 +3,10 @@ name: Run Aurora Postgres Performance Tests
 on:
   workflow_dispatch:
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+
 jobs:
   aurora-postgres-performance-tests:
     concurrency: PerformanceTests-Aurora
@@ -21,8 +25,7 @@ jobs:
       - name: 'Configure AWS credentials'
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
           aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
       - name: 'Set up temp AWS credentials'
         run: |
diff --git a/.github/workflows/run-autoscaling-tests.yml b/.github/workflows/run-autoscaling-tests.yml
index d5dea78c8..22ef72054 100644
--- a/.github/workflows/run-autoscaling-tests.yml
+++ b/.github/workflows/run-autoscaling-tests.yml
@@ -3,6 +3,10 @@ name: Run Autoscaling Tests
 on:
   workflow_dispatch:
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -24,8 +28,7 @@ jobs:
       - name: 'Configure AWS credentials'
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
           aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
       - name: 'Set up temp AWS credentials'
         run: |
diff --git a/.github/workflows/run-integration-tests-codebuild.yml b/.github/workflows/run-integration-tests-codebuild.yml
index b92ffc949..9b2ef00f2 100644
--- a/.github/workflows/run-integration-tests-codebuild.yml
+++ b/.github/workflows/run-integration-tests-codebuild.yml
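Review bot: The `Set up temp AWS credentials` step that follows the `Configure AWS credentials` step (its `run:` body is outside the hunk) was written for long-lived IAM user keys and needs re-checking now that the action exports short-lived assumed-role session credentials instead. If that script calls `aws sts get-session-token`, STS rejects the call when it is made with temporary credentials, and if it calls `assume-role` a second time the chained session is capped at one hour regardless of the role's MaxSessionDuration. Most likely the step can be dropped and the tests can read `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` directly from the environment the action already sets, but that depends on what the script does, so verify it with a dispatch run before relying on this patch.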
@@ -3,6 +3,10 @@ name: Run Aurora Integration Tests CodeBuild
 on:
   workflow_dispatch:
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -28,8 +32,7 @@ jobs:
       - name: 'Configure AWS credentials'
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
           aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
       - name: 'Set up temp AWS credentials'
         run: |
diff --git a/.github/workflows/run-integration-tests-default.yml b/.github/workflows/run-integration-tests-default.yml
index 3ca5b1b69..8eb172fd9 100644
--- a/.github/workflows/run-integration-tests-default.yml
+++ b/.github/workflows/run-integration-tests-default.yml
@@ -5,9 +5,11 @@ on:
   push:
     branches:
       - main
+
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: read # This is required for actions/checkout
+
 jobs:
   all-integration-tests-default:
     name: 'Run Aurora integration tests with default engine version'
diff --git a/.github/workflows/run-integration-tests-latest.yml b/.github/workflows/run-integration-tests-latest.yml
index dea745e59..06295b8ee 100644
--- a/.github/workflows/run-integration-tests-latest.yml
+++ b/.github/workflows/run-integration-tests-latest.yml
@@ -6,6 +6,10 @@ on:
     branches:
       - main
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+
 jobs:
   all-integration-tests-latest:
     name: Run Aurora integration tests with latest engine version
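Review bot: The workflow-level `permissions:` block added in run-integration-tests-codebuild.yml grants `id-token: write` to every job in the workflow, while only the job that runs the `Configure AWS credentials` step needs to request an OIDC token. Moving `id-token: write` to that job (a job-level `permissions:` with the same two keys) keeps any other job, present or added later, from being able to mint a token the AWS role would trust. A top-level `permissions:` also resets every unlisted scope to none for the whole workflow, which is the right default here, so keeping `contents: read` at the top and adding `id-token: write` only on the job gives the least-privilege shape. The same layout is used in every workflow this patch touches.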
@@ -27,8 +31,7 @@ jobs:
       - name: 'Configure AWS credentials'
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
           aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
       - name: 'Set up temp AWS credentials'
         run: |
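Review bot: The `with:` block of the `Configure AWS credentials` step sets neither `role-session-name` nor `role-duration-seconds`, so every run assumes the role under the action's default session name and the session expires after the action's default of one hour. Add `role-session-name: ${{ github.job }}-${{ github.run_id }}` so each AssumeRoleWithWebIdentity event in CloudTrail is attributable to a specific run (the session name must not contain spaces, so avoid `github.workflow`), and if these integration tests can run longer than an hour set `role-duration-seconds` and raise the role's MaxSessionDuration to match, or the credentials will expire mid-run. The job's `steps:` list starts above the hunk.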