Merge pull request #1720 from bryan-aguilar/roleFixDev
[dev] fix IAM Roles used in CI workflow
bryan-aguilar authored Dec 20, 2022
2 parents 1a96fc1 + ededb58 commit 0cceb95
Showing 1 changed file with 18 additions and 10 deletions.
28 changes: 18 additions & 10 deletions .github/workflows/CI.yml
@@ -201,6 +201,12 @@ jobs:
Invoke-WebRequest -Uri "https://awscli.amazonaws.com/AWSCLIV2.msi" -OutFile "AWSCLIV2.msi"
msiexec.exe /i AWSCLIV2.msi /passive
[System.Environment]::SetEnvironmentVariable('Path',$Env:Path + ";C:\\Program Files\\Amazon\\AWSCLIV2",'User')
- uses: aws-actions/configure-aws-credentials@v1-node16
with:
role-to-assume: ${{ secrets.COLLECTOR_PROD_PKG_SIGNER_ROLE_ARN }}
aws-region: us-west-2

- name: Sign windows artifacts
run: |
$pkgfile = "build\packages\windows\amd64\aws-otel-collector.msi"
@@ -224,10 +230,6 @@ jobs:
Throw "Could not find the signed artifact"
}
aws s3api get-object "--bucket" ${{ env.WIN_SIGNED_PKG_BUCKET }} "--key" $objkey $pkgfile
env:
AWS_ACCESS_KEY_ID: ${{ secrets.SIGN_PKG_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.SIGN_PKG_AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-west-2
- name: Verify package signature
run: |
@@ -273,14 +275,17 @@ jobs:
run: |
ARCH=x86_64 SOURCE_ARCH=amd64 DEST=$PACKAGING_ROOT/linux/amd64 tools/packaging/linux/create_rpm.sh
ARCH=aarch64 SOURCE_ARCH=arm64 DEST=$PACKAGING_ROOT/linux/arm64 tools/packaging/linux/create_rpm.sh
- uses: aws-actions/configure-aws-credentials@v1-node16
with:
role-to-assume: ${{ secrets.COLLECTOR_PROD_PKG_SIGNER_ROLE_ARN }}
aws-region: us-west-2

- name: Download Package Signing GPG key
if: steps.cached_rpms.outputs.cache-hit != 'true'
run: |
aws secretsmanager get-secret-value --region us-west-2 --secret-id "$PKG_SIGN_PRIVATE_KEY_NAME" | jq -r ".SecretString" > pkg_sign_private.key
md5sum pkg_sign_private.key
env:
AWS_ACCESS_KEY_ID: ${{ secrets.SIGN_PKG_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.SIGN_PKG_AWS_SECRET_ACCESS_KEY }}
- name: Import Package Signing GPG Key
if: steps.cached_rpms.outputs.cache-hit != 'true'
@@ -327,14 +332,17 @@ jobs:
run: |
ARCH=amd64 DEST=$PACKAGING_ROOT/debian/amd64 tools/packaging/debian/create_deb.sh
ARCH=arm64 DEST=$PACKAGING_ROOT/debian/arm64 tools/packaging/debian/create_deb.sh
- uses: aws-actions/configure-aws-credentials@v1-node16
with:
role-to-assume: ${{ secrets.COLLECTOR_PROD_PKG_SIGNER_ROLE_ARN }}
aws-region: us-west-2

- name: Download Package Signing GPG key
if: steps.cached_debs.outputs.cache-hit != 'true'
run: |
aws secretsmanager get-secret-value --region us-west-2 --secret-id "$PKG_SIGN_PRIVATE_KEY_NAME" | jq -r ".SecretString" > pkg_sign_private.key
md5sum pkg_sign_private.key
env:
AWS_ACCESS_KEY_ID: ${{ secrets.SIGN_PKG_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.SIGN_PKG_AWS_SECRET_ACCESS_KEY }}
- name: Import Package Signing GPG Key
if: steps.cached_debs.outputs.cache-hit != 'true'
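Review bot: The three new `aws-actions/configure-aws-credentials@v1-node16` steps hand the production package-signer role to an action referenced by a movable ref; pinning it to a reviewed commit, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v1-node16`, keeps a retargeted ref from running with that role. In the RPM and Debian jobs the new step carries no `if:` while the steps that consume the credentials are guarded, so the role is assumed even on a cache hit; adding `if: steps.cached_rpms.outputs.cache-hit != 'true'` (and the `cached_debs` equivalent) to the step would avoid that. Unlike the removed step-level `env:` keys, this action exports the session credentials to the job environment, so every later step in each job can use the signer role; it is worth confirming that nothing after signing needs less privilege or runs third-party code. The jobs start and end outside the visible hunks, so whether the `permissions` block grants `id-token: write` for the role assumption cannot be checked from here.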
