Commit 2914e73

committed

Use IAM Roles to push files on AWS S3.

For security reasons long lived credentials are not considered secure. To overcome this issue we can configure Github Workflows to use AWS OpenID Connect instead: For further details: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect

1 parent a84441d commit 2914e73Copy full SHA for 2914e73

File tree

5 files changed

+49

-29

lines changed

workflow-templates

5 files changed

+49

-29

lines changed

`‎workflow-templates/publish-go-nightly-task.yml‎`

Lines changed: 12 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ env:`
`8`	`8`	`DIST_DIR: dist`
`9`	`9`	`# The project's folder on Arduino's download server for uploading builds`
`10`	`10`	`AWS_PLUGIN_TARGET: TODO_AWS_PLUGIN_TARGET`
	`11`	`+ AWS_REGION: "us-east-1"`
`11`	`12`	`ARTIFACT_NAME: dist`
`12`	`13`
`13`	`14`	`# See: https://docs.github.com/actions/using-workflows/events-that-trigger-workflows`
`@@ -172,8 +173,10 @@ jobs:`
`172`	`173`
`173`	`174`	`publish-nightly:`
`174`	`175`	`runs-on: ubuntu-latest`
	`176`	`+ environment: production`
`175`	`177`	`needs: notarize-macos`
`176`		`- permissions: {}`
	`178`	`+ permissions:`
	`179`	`+ id-token: write # This is required for requesting the JWT`
`177`	`180`
`178`	`181`	`steps:`
`179`	`182`	`- name: Download artifact`
`@@ -188,15 +191,15 @@ jobs:`
`188`	`191`	`TAG="nightly-$(date -u +"%Y%m%d")"`
`189`	`192`	`sha256sum ${{ env.PROJECT_NAME }}_${TAG}* > ${TAG}-checksums.txt`
`190`	`193`
	`194`	`+ - name: configure aws credentials`
	`195`	`+ uses: aws-actions/configure-aws-credentials@v4`
	`196`	`+ with:`
	`197`	`+ role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}`
	`198`	`+ role-session-name: "github_${{ env.PROJECT_NAME }}"`
	`199`	`+ aws-region: ${{ env.AWS_REGION }}`
	`200`	`+`
`191`	`201`	`- name: Upload release files on Arduino downloads servers`
`192`		`- uses: docker://plugins/s3`
`193`		`- env:`
`194`		`- PLUGIN_SOURCE: "${{ env.DIST_DIR }}/*"`
`195`		`- PLUGIN_TARGET: "${{ env.AWS_PLUGIN_TARGET }}nightly"`
`196`		`- PLUGIN_STRIP_PREFIX: "${{ env.DIST_DIR }}/"`
`197`		`- PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}`
`198`		`- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}`
`199`		`- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}`
	`202`	`+ run: aws s3 sync ${{ env.DIST_DIR }} s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }}nightly`
`200`	`203`
`201`	`204`	`report:`
`202`	`205`	`runs-on: ubuntu-latest`

`‎workflow-templates/release-go-crosscompile-task.md‎`

Lines changed: 7 additions & 2 deletions

Original file line number	Diff line number	Diff line change
@@ -37,6 +37,10 @@ The following project-specific variables must be set/configured in `release-go-c
`37`	`37`	- `AWS_PLUGIN_TARGET`
`38`	`38`	- `GO_VERSION`: version of Go used for development of the project, use at least [GO 1.16 to be able to use 64-bit ARM architecture on macOS](https://tip.golang.org/doc/go1.16#ports)
`39`	`39`
	`40`	`+#### AWS IAM Role`
	`41`	`+`
	`42`	`+We need a special [IAM Role](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html#access) to upload files on the S3 bucket. This IAM Role is able to generate short lived credentials with push access to specific S3 subpaths. To generate a new role for a new repository kindly ask DevOps (prividing the repository link and path you need files on S3).`
	`43`	`+`
`40`	`44`	`#### Repository secrets`
`41`	`45`
`42`	`46`	`The following [repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository) must be defined:`
`@@ -47,8 +51,9 @@ The following [repository secrets](https://docs.github.com/actions/security-guid`
`47`	`51`	- `AC_PROVIDER` - the App Store Connect provider via. You can use the ID of the certificate identity (e.g., `7KT7ZWMCJT`) for this.
`48`	`52`	- `AC_PASSWORD` - [App-specific password](https://support.apple.com/en-us/HT204397) created for the Apple ID.
`49`	`53`	- `DOWNLOADS_BUCKET` - [AWS bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingBucket.html) on the downloads server.
`50`		-- `AWS_ACCESS_KEY_ID` - [AWS access key ID](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) for the downloads server.
`51`		-- `AWS_SECRET_ACCESS_KEY` - [AWS secret access key](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) for the downloads server.
	`54`	`+`
	`55`	+The following [environment secrets](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets) must be defined under `production` environment:
	`56`	+- `AWS_ROLE_TO_ASSUME` - [AWS role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) to generate temporary security credentials.
`52`	`57`
`53`	`58`	`### Readme badge`
`54`	`59`

`‎workflow-templates/release-go-crosscompile-task.yml‎`

Lines changed: 12 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ env:`
`8`	`8`	`DIST_DIR: dist`
`9`	`9`	`# The project's folder on Arduino's download server for uploading builds`
`10`	`10`	`AWS_PLUGIN_TARGET: TODO_AWS_PLUGIN_TARGET`
	`11`	`+ AWS_REGION: "us-east-1"`
`11`	`12`	`ARTIFACT_NAME: dist`
`12`	`13`	`# See: https://github.com/actions/setup-go/tree/main#supported-version-syntax`
`13`	`14`	`GO_VERSION: "1.17"`
`@@ -181,9 +182,11 @@ jobs:`
`181`	`182`
`182`	`183`	`create-release:`
`183`	`184`	`runs-on: ubuntu-latest`
	`185`	`+ environment: production`
`184`	`186`	`needs: notarize-macos`
`185`	`187`	`permissions:`
`186`	`188`	`contents: write`
	`189`	`+ id-token: write # This is required for requesting the JWT`
`187`	`190`
`188`	`191`	`steps:`
`189`	`192`	`- name: Download artifact`
`@@ -217,13 +220,14 @@ jobs:`
`217`	`220`	`# NOTE: "Artifact is a directory" warnings are expected and don't indicate a problem`
`218`	`221`	`# (all the files we need are in the DIST_DIR root)`
`219`	`222`	`artifacts: ${{ env.DIST_DIR }}/*`
	`223`	`+`
	`224`	`+ - name: configure aws credentials`
	`225`	`+ uses: aws-actions/configure-aws-credentials@v4`
	`226`	`+ with:`
	`227`	`+ role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}`
	`228`	`+ role-session-name: "github_${{ env.PROJECT_NAME }}"`
	`229`	`+ aws-region: ${{ env.AWS_REGION }}`
`220`	`230`
`221`	`231`	`- name: Upload release files on Arduino downloads servers`
`222`		`- uses: docker://plugins/s3`
`223`		`- env:`
`224`		`- PLUGIN_SOURCE: "${{ env.DIST_DIR }}/*"`
`225`		`- PLUGIN_TARGET: ${{ env.AWS_PLUGIN_TARGET }}`
`226`		`- PLUGIN_STRIP_PREFIX: "${{ env.DIST_DIR }}/"`
`227`		`- PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}`
`228`		`- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}`
`229`		`- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}`
	`232`	`+ run: aws s3 sync ${{ env.DIST_DIR }} s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }}`
	`233`	`+`

`‎workflow-templates/release-go-task.md‎`

Lines changed: 7 additions & 2 deletions

Original file line number	Diff line number	Diff line change
@@ -36,6 +36,10 @@ The following project-specific variables must be set in `release-go-task.yml`:
`36`	`36`	- `PROJECT_NAME`
`37`	`37`	- `AWS_PLUGIN_TARGET`
`38`	`38`
	`39`	`+#### AWS IAM Role`
	`40`	`+`
	`41`	`+We need a special [IAM Role](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html#access) to upload files on the S3 bucket. This IAM Role is able to generate short lived credentials with push access to specific S3 subpaths. To generate a new role for a new repository kindly ask DevOps (prividing the repository link and path you need files on S3).`
	`42`	`+`
`39`	`43`	`#### Repository secrets`
`40`	`44`
`41`	`45`	`The following [repository secrets](https://docs.github.com/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository) must be defined:`
`@@ -46,8 +50,9 @@ The following [repository secrets](https://docs.github.com/actions/security-guid`
`46`	`50`	- `AC_PROVIDER` - the App Store Connect provider via. You can use the ID of the certificate identity (e.g., `7KT7ZWMCJT`) for this.
`47`	`51`	- `AC_PASSWORD` - [App-specific password](https://support.apple.com/en-us/HT204397) created for the Apple ID.
`48`	`52`	- `DOWNLOADS_BUCKET` - [AWS bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingBucket.html) on the downloads server.
`49`		-- `AWS_ACCESS_KEY_ID` - [AWS access key ID](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) for the downloads server.
`50`		-- `AWS_SECRET_ACCESS_KEY` - [AWS secret access key](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) for the downloads server.
	`53`	`+`
	`54`	+The following [environment secrets](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets) must be defined under `production` environment:
	`55`	+- `AWS_ROLE_TO_ASSUME` - [AWS role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) to generate temporary security credentials.
`51`	`56`
`52`	`57`	`### Readme badge`
`53`	`58`

`‎workflow-templates/release-go-task.yml‎`

Lines changed: 11 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ env:`
`8`	`8`	`DIST_DIR: dist`
`9`	`9`	`# The project's folder on Arduino's download server for uploading builds`
`10`	`10`	`AWS_PLUGIN_TARGET: TODO_AWS_PLUGIN_TARGET`
	`11`	`+ AWS_REGION: "us-east-1"`
`11`	`12`	`ARTIFACT_NAME: dist`
`12`	`13`
`13`	`14`	`on:`
`@@ -177,9 +178,11 @@ jobs:`
`177`	`178`
`178`	`179`	`create-release:`
`179`	`180`	`runs-on: ubuntu-latest`
	`181`	`+ environment: production`
`180`	`182`	`needs: notarize-macos`
`181`	`183`	`permissions:`
`182`	`184`	`contents: write`
	`185`	`+ id-token: write # This is required for requesting the JWT`
`183`	`186`
`184`	`187`	`steps:`
`185`	`188`	`- name: Download artifact`
`@@ -222,12 +225,12 @@ jobs:`
`222`	`225`	`# (all the files we need are in the DIST_DIR root)`
`223`	`226`	`artifacts: ${{ env.DIST_DIR }}/*`
`224`	`227`
	`228`	`+ - name: configure aws credentials`
	`229`	`+ uses: aws-actions/configure-aws-credentials@v4`
	`230`	`+ with:`
	`231`	`+ role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}`
	`232`	`+ role-session-name: "github_${{ env.PROJECT_NAME }}"`
	`233`	`+ aws-region: ${{ env.AWS_REGION }}`
	`234`	`+`
`225`	`235`	`- name: Upload release files on Arduino downloads servers`
`226`		`- uses: docker://plugins/s3`
`227`		`- env:`
`228`		`- PLUGIN_SOURCE: "${{ env.DIST_DIR }}/*"`
`229`		`- PLUGIN_TARGET: ${{ env.AWS_PLUGIN_TARGET }}`
`230`		`- PLUGIN_STRIP_PREFIX: "${{ env.DIST_DIR }}/"`
`231`		`- PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}`
`232`		`- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}`
`233`		`- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}`
	`236`	`+ run: aws s3 sync ${{ env.DIST_DIR }} s3://${{ secrets.DOWNLOADS_BUCKET }}${{ env.AWS_PLUGIN_TARGET }}`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 2914e73

File tree

5 files changed

5 files changed

`‎workflow-templates/publish-go-nightly-task.yml‎`

`‎workflow-templates/release-go-crosscompile-task.md‎`

`‎workflow-templates/release-go-crosscompile-task.yml‎`

`‎workflow-templates/release-go-task.md‎`

`‎workflow-templates/release-go-task.yml‎`

0 commit comments