#1 Auto-update layers on release

brefphp · Oct 28, 2022 · e57b4ab · e57b4ab
1 parent 69535b9
commit e57b4ab
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 1 deletion.
diff --git a/.github/aws/README.md b/.github/aws/README.md
@@ -0,0 +1,9 @@
+## Setup
+
+In order to let GitHub Actions retrieve layer versions from the Bref AWS account, we authorize GitHub via [OIDC](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) instead of hardcoded AWS access keys.
+
+This needs to be done once in the AWS console (because no access keys have permissions to deploy via CloudFormation).
+
+- file: `github-role.yml`
+- stack name: github-oidc-layers-js
+- `FullRepoName` parameter: `brefphp/layers.js`
diff --git a/.github/aws/github-role.yml b/.github/aws/github-role.yml
@@ -0,0 +1,37 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: OIDC provider that lets brefphp/layers.js retrieve layer versions
+
+Parameters:
+    FullRepoName:
+        Type: String
+
+Resources:
+    Role:
+        Type: AWS::IAM::Role
+        Properties:
+            RoleName: bref-layer-js-github-actions
+            AssumeRolePolicyDocument:
+                Statement:
+                    - Effect: Allow
+                      Action: sts:AssumeRoleWithWebIdentity
+                      Principal:
+                          Federated: arn:aws:iam::534081306603:oidc-provider/token.actions.githubusercontent.com
+                      Condition:
+                          StringLike:
+                              token.actions.githubusercontent.com:sub: !Sub repo:${FullRepoName}:*
+            Policies:
+                -   PolicyName: RetrieveLayersForLayerJsRole
+                    PolicyDocument:
+                        Statement:
+                            -   Effect: Allow
+                                Action:
+                                    - lambda:GetLayerVersion
+                                    - lambda:GetLayerVersionPolicy
+                                    - lambda:ListLayers
+                                    - lambda:ListLayerVersions
+                                Resource:
+                                    - '*'
+
+Outputs:
+    Role:
+        Value: !GetAtt Role.Arn
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,7 +2,10 @@ name: Release
 
 on: workflow_dispatch
 
+# Necessary to deploy to AWS using OIDC
+# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
 permissions:
+    id-token: write # This is required for requesting the JWT
     # To allow creating the GitHub release
     contents: write
 
@@ -16,17 +19,28 @@ jobs:
                     fetch-depth: 0
 
             # Set git credentials (https://github.com/actions/checkout/issues/13#issuecomment-724415212)
-            -   run: |
+            -   name: Set Git credentials
+                run: |
                     git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
                     git config --local user.name "github-actions[bot]"
 
+            -   name: Set AWS credentials
+                uses: aws-actions/configure-aws-credentials@v1
+                with:
+                    role-to-assume: arn:aws:iam::534081306603:role/bref-layer-js-github-actions
+                    role-session-name: bref-layer-js-github-actions
+                    aws-region: us-east-1
+
             -   uses: actions/setup-node@v3
                 with:
                     node-version: 16
                     registry-url: https://registry.npmjs.org/
 
             -   run: npm install
 
+            -   run: npm run update
+            -   run: git commit -am "Update layer versions"
+
             -   name: Bump the version
                 run: npm version patch