GHA OIDC - WIP #1257

Draft: wants to merge 3 commits into base: main
29 changes: 11 additions & 18 deletions .github/workflows/mysql_advanced_performance.yml
Expand Up @@ -3,6 +3,10 @@ name: Run Aurora Mysql Advanced Performance Tests
on:
workflow_dispatch:

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

jobs:
aurora-mysql-performance-tests:
concurrency: AdvancedPerformanceTests-Aurora
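Review bot: `id-token: write` sits in the top-level `permissions:` block, so every job in this workflow can request an OIDC token. Only `aurora-mysql-performance-tests` needs the JWT; moving the block under that job keeps a job added later from inheriting the ability to mint tokens for the AWS role.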
Expand All @@ -19,33 +23,22 @@ jobs:
distribution: 'corretto'
java-version: 8
- name: 'Configure AWS credentials'
id: creds
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
role-session-name: run_adv_perf_test_mysql
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
- name: 'Set up temp AWS credentials'
run: |
creds=($(aws sts get-session-token \
--duration-seconds 21600 \
--query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \
--output text \
| xargs));
echo "::add-mask::${creds[0]}"
echo "::add-mask::${creds[1]}"
echo "::add-mask::${creds[2]}"
echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV
echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV
echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV
output-credentials: true
- name: 'Run performance tests (OpenJDK)'
run: |
./gradlew --no-parallel --no-daemon test-aurora-mysql-advanced-performance
env:
AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }}
RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }}
AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }}
AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
MYSQL_VERSION: "default"
PG_VERSION: "default"
- name: 'Archive Performance Results'
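Review bot: the session lifetime is no longer stated anywhere in 'Configure AWS credentials'. The `aws sts get-session-token` step asked for `--duration-seconds 21600`, but the `with:` block has no `role-duration-seconds`, so the action's default of one hour applies. If `test-aurora-mysql-advanced-performance` can run longer than that, the credentials expire mid-run; set `role-duration-seconds` explicitly and make sure the role's maximum session duration allows the value.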
29 changes: 11 additions & 18 deletions .github/workflows/mysql_performance.yml
Expand Up @@ -3,6 +3,10 @@ name: Run Aurora Mysql Performance Tests
on:
workflow_dispatch:

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

jobs:
aurora-mysql-performance-tests:
concurrency: PerformanceTests-Aurora
Expand All @@ -19,33 +23,22 @@ jobs:
distribution: 'corretto'
java-version: 8
- name: 'Configure AWS credentials'
id: creds
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
role-session-name: run_perf_test_mysql
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
- name: 'Set up temp AWS credentials'
run: |
creds=($(aws sts get-session-token \
--duration-seconds 21600 \
--query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \
--output text \
| xargs));
echo "::add-mask::${creds[0]}"
echo "::add-mask::${creds[1]}"
echo "::add-mask::${creds[2]}"
echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV
echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV
echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV
output-credentials: true
- name: 'Run performance tests (OpenJDK)'
run: |
./gradlew --no-parallel --no-daemon test-aurora-mysql-performance
env:
AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }}
RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }}
AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }}
AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
MYSQL_VERSION: "default"
PG_VERSION: "default"
- name: 'Archive Performance Results'
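Review bot: `output-credentials: true` and the three `steps.creds.outputs.*` entries under `env:` look unnecessary. `aws-actions/configure-aws-credentials` already exports `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` to the job environment for later steps, so the Gradle step receives them without the mapping. Dropping `id: creds`, `output-credentials: true` and the three `env:` lines leaves one fewer place where the credentials are exposed.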
29 changes: 11 additions & 18 deletions .github/workflows/pg_advanced_performance.yml
Expand Up @@ -3,6 +3,10 @@ name: Run Aurora Postgres Advanced Performance Tests
on:
workflow_dispatch:

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

jobs:
aurora-postgres-performance-tests:
concurrency: AdvancedPerformanceTests-Aurora
Expand All @@ -19,33 +23,22 @@ jobs:
distribution: 'corretto'
java-version: 8
- name: 'Configure AWS credentials'
id: creds
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
role-session-name: run_adv_perf_test_pgsql
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
- name: 'Set up temp AWS credentials'
run: |
creds=($(aws sts get-session-token \
--duration-seconds 21600 \
--query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \
--output text \
| xargs));
echo "::add-mask::${creds[0]}"
echo "::add-mask::${creds[1]}"
echo "::add-mask::${creds[2]}"
echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV
echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV
echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV
output-credentials: true
- name: 'Run performance tests (OpenJDK)'
run: |
./gradlew --no-parallel --no-daemon test-aurora-pg-advanced-performance
env:
AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }}
RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }}
AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }}
AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
MYSQL_VERSION: "default"
PG_VERSION: "default"
- name: 'Archive Performance Results'
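Review bot: `uses: aws-actions/configure-aws-credentials@v4` references a mutable tag on the step that now receives the OIDC token and returns role credentials. Pin it to a full commit SHA, with the version in a trailing comment, so the code that handles those credentials cannot change without a visible diff.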
29 changes: 11 additions & 18 deletions .github/workflows/pg_performance.yml
Expand Up @@ -3,6 +3,10 @@ name: Run Aurora Postgres Performance Tests
on:
workflow_dispatch:

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

jobs:
aurora-postgres-performance-tests:
concurrency: PerformanceTests-Aurora
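Review bot: the AWS-side setup that `id-token: write` depends on is not documented. The role assumed later in this file needs a trust policy for the GitHub OIDC provider that conditions on the token's `aud` and `sub` claims. Since the trigger is `workflow_dispatch`, which can be started from any branch, the PR description or contributor docs should state which repository and refs the `sub` condition is meant to allow.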
Expand All @@ -19,33 +23,22 @@ jobs:
distribution: 'corretto'
java-version: 8
- name: 'Configure AWS credentials'
id: creds
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
role-session-name: run_perf_test_pgsql
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
- name: 'Set up temp AWS credentials'
run: |
creds=($(aws sts get-session-token \
--duration-seconds 21600 \
--query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \
--output text \
| xargs));
echo "::add-mask::${creds[0]}"
echo "::add-mask::${creds[1]}"
echo "::add-mask::${creds[2]}"
echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV
echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV
echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV
output-credentials: true
- name: 'Run performance tests (OpenJDK)'
run: |
./gradlew --no-parallel --no-daemon test-aurora-pg-performance
env:
AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }}
RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }}
AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }}
AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
MYSQL_VERSION: "default"
PG_VERSION: "default"
- name: 'Archive Performance Results'
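Review bot: the `aws-access-key-id` and `aws-secret-access-key` inputs in 'Configure AWS credentials' are the only visible consumers of `secrets.AWS_ACCESS_KEY_ID` and `secrets.AWS_SECRET_ACCESS_KEY` in this file. Once all workflows use the OIDC role, add a follow-up to delete those repository secrets and deactivate the IAM user key behind them; otherwise the long-lived key stays valid even though nothing uses it.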
29 changes: 11 additions & 18 deletions .github/workflows/run-autoscaling-tests.yml
Expand Up @@ -3,6 +3,10 @@ name: Run Autoscaling Tests
on:
workflow_dispatch:

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
Expand All @@ -22,33 +26,22 @@ jobs:
distribution: 'corretto'
java-version: 8
- name: 'Configure AWS credentials'
id: creds
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
role-session-name: run_autoscale_test
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
- name: 'Set up temp AWS credentials'
run: |
creds=($(aws sts get-session-token \
--duration-seconds 21600 \
--query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \
--output text \
| xargs));
echo "::add-mask::${creds[0]}"
echo "::add-mask::${creds[1]}"
echo "::add-mask::${creds[2]}"
echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV
echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV
echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV
output-credentials: true
- name: Run integration tests
run: |
./gradlew --no-parallel --no-daemon test-autoscaling-only
env:
AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }}
AURORA_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }}
AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }}
AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
MYSQL_VERSION: "default"
PG_VERSION: "default"
- name: Mask data
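Review bot: `TEMP_AWS_ACCESS_KEY_ID`, `TEMP_AWS_SECRET_ACCESS_KEY` and `TEMP_AWS_SESSION_TOKEN` are no longer written to `$GITHUB_ENV` once 'Set up temp AWS credentials' is gone, and the hunk is cut off at the `Mask data` step. Check that step and everything after it for `env.TEMP_AWS_*` references, which would now expand to empty strings without failing the job.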
29 changes: 11 additions & 18 deletions .github/workflows/run-integration-tests-codebuild.yml
Expand Up @@ -3,6 +3,10 @@ name: Run Aurora Integration Tests CodeBuild
on:
workflow_dispatch:

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
Expand All @@ -26,33 +30,22 @@ jobs:
distribution: 'corretto'
java-version: 8
- name: 'Configure AWS credentials'
id: creds
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
role-session-name: run_integration_test_codebuild
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
- name: 'Set up temp AWS credentials'
run: |
creds=($(aws sts get-session-token \
--duration-seconds 21600 \
--query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \
--output text \
| xargs));
echo "::add-mask::${creds[0]}"
echo "::add-mask::${creds[1]}"
echo "::add-mask::${creds[2]}"
echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV
echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV
echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV
output-credentials: true
- name: Run integration tests
run: |
./gradlew --no-parallel --no-daemon test-all-${{ matrix.environment }}-aurora
env:
AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }}
RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }}
AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }}
AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
RDS_ENDPOINT: ${{ secrets.RDS_ENDPOINT }}
MYSQL_VERSION: "latest"
PG_VERSION: "latest"
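Review bot: `role-session-name: run_integration_test_codebuild` is the same for every matrix leg, although the test command is parameterised with `${{ matrix.environment }}`. Append the matrix value (and optionally `${{ github.run_id }}`) to the session name so CloudTrail entries can be attributed to a single leg. Keep the result within the 64-character limit and the allowed character set for session names (alphanumerics and `_+=,.@-`).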
29 changes: 11 additions & 18 deletions .github/workflows/run-integration-tests-default.yml
Expand Up @@ -6,6 +6,10 @@ on:
branches:
- main

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

jobs:
all-integration-tests-default:
name: 'Run Aurora integration tests with default engine version'
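Review bot: this workflow is not `workflow_dispatch`-only: the context above the new `permissions:` block shows a trigger filtered on `branches: - main`. If that trigger is `pull_request`, runs from forks are not granted `id-token: write`, so 'Configure AWS credentials' will fail for outside contributors. The `sub` claim for pull request runs also has a different form from branch runs, which the role's trust policy has to account for. State the intended behaviour for fork PRs in the PR.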
Expand All @@ -25,33 +29,22 @@ jobs:
distribution: 'corretto'
java-version: 8
- name: 'Configure AWS credentials'
id: creds
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
role-session-name: run_integration_test_default
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
- name: 'Set up temp AWS credentials'
run: |
creds=($(aws sts get-session-token \
--duration-seconds 21600 \
--query 'Credentials.[AccessKeyId, SecretAccessKey, SessionToken]' \
--output text \
| xargs));
echo "::add-mask::${creds[0]}"
echo "::add-mask::${creds[1]}"
echo "::add-mask::${creds[2]}"
echo "TEMP_AWS_ACCESS_KEY_ID=${creds[0]}" >> $GITHUB_ENV
echo "TEMP_AWS_SECRET_ACCESS_KEY=${creds[1]}" >> $GITHUB_ENV
echo "TEMP_AWS_SESSION_TOKEN=${creds[2]}" >> $GITHUB_ENV
output-credentials: true
- name: Run integration tests
run: |
./gradlew --no-parallel --no-daemon test-all-${{ matrix.dbEngine }}
env:
AURORA_CLUSTER_DOMAIN: ${{ secrets.DB_CONN_SUFFIX }}
RDS_DB_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
AWS_ACCESS_KEY_ID: ${{ env.TEMP_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ env.TEMP_AWS_SECRET_ACCESS_KEY }}
AWS_SESSION_TOKEN: ${{ env.TEMP_AWS_SESSION_TOKEN }}
AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
MYSQL_VERSION: "default"
PG_VERSION: "default"
- name: Mask data