Switch to OIDC tokens (#30)

* Delete .github/workflows/projectboard.yml * Switch to OIDC token * Update build-and-deploy-docs-workflow.yml * Update deploy-api-docs.yml * Update theme-settings.json * Create dependabot.yml
vapor · Nov 3, 2023 · 2edbba5 · 2edbba5
1 parent 236928b
commit 2edbba5
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 53 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    groups:
+      dependencies:
+        patterns:
+          - "*"
diff --git a/.github/workflows/build-and-deploy-docs-workflow.yml b/.github/workflows/build-and-deploy-docs-workflow.yml
@@ -1,5 +1,7 @@
 name: Shared Build DocC docs and Deploy
-
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 on:
   workflow_call:
     inputs:
@@ -35,47 +37,43 @@ on:
         description: "The paths to invalidate in CloudFront, e.g. '/vapor /xctvapor'."
 
 jobs:
-
   build-docs:
     runs-on: ubuntu-latest
-    container: swiftlang/swift:nightly-5.9-jammy@sha256:2a862801753871b00f7fd424f2b47d75338e7a50d819cd34a425aef6a1bce56d
+    permissions: { id-token: write, contents: read }
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: ${{ inputs.repository || github.repository }}
           fetch-depth: 0
-      - name: Install curl and awscliv2
-        run: | 
-          apt-get update && apt-get install -y curl
-          curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
-          unzip awscliv2.zip
-          ./aws/install
-      - name: Download Files
+      - name: Install latest Swift
+        uses: vapor/[email protected]
+        with:
+          toolchain: latest
+      - name: Download files
         run: | 
           curl -sL \
-            https://raw.githubusercontent.com/vapor/api-docs/main/generate-package-api-docs.swift -o generate-package-api-docs.swift \
-            https://raw.githubusercontent.com/vapor/api-docs/main/theme-settings.json -o theme-settings.json
-      - name: Builds Docs
-        env:
-          PACKAGE: ${{ inputs.package_name }}
-          MODULES: ${{ inputs.modules }}
-        run: swift generate-package-api-docs.swift ${PACKAGE} ${MODULES}
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v2
+            "https://raw.githubusercontent.com/vapor/api-docs/main/generate-package-api-docs.swift" \
+              -o generate-package-api-docs.swift \
+            "https://raw.githubusercontent.com/vapor/api-docs/main/theme-settings.json" \
+              -o theme-settings.json
+      - name: Build docs
+        run: |
+          swift generate-package-api-docs.swift "${INPUT_PACKAGE_NAME}" ${INPUT_MODULES}
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.API_DOCS_DEPLOYER_AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.API_DOCS_DEPLOYER_AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::177420307256:role/GithubOIdP-Role-zJ3kkJbhrNkr
           aws-region: 'eu-west-2'
       - name: Deploy to S3 and invalidate CloudFront
         env:
+          S3_BUCKET_URL: ${{ secrets.VAPOR_API_DOCS_S3_BUCKET_URL }}
           DISTRIBUTION_ID: ${{ secrets.VAPOR_API_DOCS_DISTRIBUTION_ID }}
-          INVALIDATE_PATHS: ${{ inputs.pathsToInvalidate }}
         run: |
           aws --no-cli-pager s3 sync \
-            ./public s3://vapor-api-docs-site \
+            ./public "${S3_BUCKET_URL}" \
             --no-progress \
             --acl public-read
           aws --no-cli-pager cloudfront create-invalidation \
-            --distribution-id ${DISTRIBUTION_ID} \
-            --paths ${INVALIDATE_PATHS}
+            --distribution-id "${DISTRIBUTION_ID}" \
+            --paths "${INPUT_PATHSTOINVALIDATE}"
diff --git a/.github/workflows/deploy-api-docs.yml b/.github/workflows/deploy-api-docs.yml
@@ -1,4 +1,7 @@
-name: deploy-api-docs
+name: API Docs website deploy
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 on:
   push:
     branches:
@@ -8,23 +11,20 @@ jobs:
   deploy:
     name: Build and deploy
     runs-on: ubuntu-latest
-    container: swiftlang/swift:nightly-5.9-jammy@sha256:2a862801753871b00f7fd424f2b47d75338e7a50d819cd34a425aef6a1bce56d
+    permissions: { id-token: write, contents: read }
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+      - name: Install latest Swift
+        uses: vapor/[email protected]
+        with:
+          toolchain: latest
       - name: Build site
         run: swift generate-api-docs.swift
-      - name: Install curl and awscliv2
-        run: | 
-          apt-get update && apt-get upgrade -y && apt-get install -y curl
-          curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
-          unzip awscliv2.zip
-          ./aws/install
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.API_DOCS_DEPLOYER_AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.API_DOCS_DEPLOYER_AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::177420307256:role/GithubOIdP-Role-zJ3kkJbhrNkr
           aws-region: 'eu-west-2'
       - name: Deploy to AWS CloudFormation
         uses: aws-actions/aws-cloudformation-github-deploy@v1
@@ -39,12 +39,13 @@ jobs:
             AcmCertificateArn=${{ secrets.API_DOCS_CERTIFICATE_ARN }}
       - name: Deploy to S3 and invalidate CloudFront
         env:
+          S3_BUCKET_URL: ${{ secrets.VAPOR_API_DOCS_S3_BUCKET_URL }}
           DISTRIBUTION_ID: ${{ secrets.VAPOR_API_DOCS_DISTRIBUTION_ID }}
         run: |
           aws --no-cli-pager s3 sync \
-            ./public s3://vapor-api-docs-site \
+            ./public "${S3_BUCKET_URL}" \
             --no-progress \
             --acl public-read
           aws --no-cli-pager cloudfront create-invalidation \
-            --distribution-id ${DISTRIBUTION_ID} \
+            --distribution-id "${DISTRIBUTION_ID}" \
             --paths '/*'
diff --git a/.github/workflows/projectboard.yml b/.github/workflows/projectboard.yml
diff --git a/theme-settings.json b/theme-settings.json
@@ -18,10 +18,10 @@
         },
         "color": {
             "fill": {
-                "dark": "rgb(20, 20, 22)",
+                "dark": "rgb(0, 0, 0)",
                 "light": "rgb(255, 255, 255)"
             },
-            "documentation-intro-fill": "radial-gradient(circle at top, var(--color-documentation-intro-accent) 15%, rgb(17, 17, 17) 100%)",
+            "documentation-intro-fill": "radial-gradient(circle at top, var(--color-documentation-intro-accent) 15%, #000 100%)",
             "documentation-intro-accent": "rgb(204, 204, 204)"
         },
         "icons": {