From c04623ffbe2dcc4a6392087a44da6ad55b48b7fa Mon Sep 17 00:00:00 2001
From: Rob Westbrook
Date: Thu, 1 May 2025 14:54:20 +0100
Subject: [PATCH 1/3] build(PLT-816): update workflows to use temporary credentials
---
 .github/workflows/pull-request.yml | 15 +++++++++++++--
 .github/workflows/release.yml | 16 ++++++++++++++--
 2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index b1e72f2..052db0b 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -45,6 +45,9 @@ jobs:
 deploy-preview:
 runs-on: ubuntu-latest
 name: deploy-preview
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - name: Check out Git repository
 uses: actions/checkout@v3
@@ -82,12 +85,20 @@ jobs:
 - run: yarn add -W @typeform/jarvis
 - run: git checkout HEAD -- package.json # do not save jarvis dependency to package.json because it is private (the file is committed by semantic-release to bump version)
+ # authenticate to AWS
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: 'us-east-1'
+ mask-aws-account-id: true
+ role-to-assume: ${{ secrets.DEPLOYMENT_AWS_ROLE }}
+ role-session-name: ${{ github.run_id }}-${{ github.run_attempt }}
+ role-duration-seconds: 900
+ unset-current-credentials: true
+
 # deploy preview version of the package
 - run: yarn release:aws --preview --notify-preview
 env:
 AWS_ASSETS_BUCKET: 'typeform-public-assets/btn'
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
 GH_TOKEN: ${{ secrets.GH_TOKEN }}
 JARVIS_NOTIFY_PREVIEW_TEMPLATE: ${{ secrets.JARVIS_NOTIFY_PREVIEW_TEMPLATE }}
 PUBLIC_CDN_URL: 'https://btn.typeform.com'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 895e39a..49cc7ba 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
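Review bot: The job-level `permissions` block gives the `deploy-preview` job `id-token: write`, but the workflow's `on:` trigger is outside the hunk, and on `pull_request` runs from forked repositories GitHub issues no OIDC token, so the `configure-aws-credentials` step added in the next hunk would fail at run time rather than be skipped. If preview deployments are meant only for same-repository branches, gate the job explicitly with `if: github.event.pull_request.head.repo.full_name == github.repository` so the intent is visible in the file and fork PRs do not attempt the role assumption at all. If the trigger turns out to be `pull_request_target`, a deployment role combined with checkout of PR-controlled code deserves its own review; that cannot be confirmed from this hunk. The `deploy-preview` job body continues outside the hunk.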
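Review bot: The `yarn release:aws --preview --notify-preview` step's `env` block drops `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` and now relies on what `configure-aws-credentials` exported into the job environment; that only works if the release tooling uses the SDK default credential chain, which also reads `AWS_SESSION_TOKEN`. If jarvis reads the two key variables directly it will not pick up the session token and the STS-issued credentials will be rejected, so this is worth confirming on a preview run before the static `AWS_ACCESS_KEY`/`AWS_SECRET_KEY` repository secrets are deleted. The new step is the one that receives the OIDC token and exchanges it for cloud credentials, so it should be pinned to a full commit SHA rather than the mutable `@v4` tag, e.g. `- uses: aws-actions/configure-aws-credentials@<commit-sha> # v4` (placeholder), and given a `name:` like the checkout step above it. The added `# authenticate to AWS` comment could also say which role is expected, e.g. `# authenticate to AWS via OIDC; DEPLOYMENT_AWS_ROLE is the preview/deploy role ARN`.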
@@ -8,6 +8,10 @@ jobs:
 release:
 name: Release
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
+ packages: write
 steps:
 - name: Check out Git repository
 uses: actions/checkout@v3
@@ -47,12 +51,20 @@ jobs:
 - run: yarn add -W @typeform/jarvis
 - run: git checkout HEAD -- package.json # do not save jarvis dependency to package.json because it is private (the file is committed by semantic-release to bump version)
+ # authenticate to AWS
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: 'us-east-1'
+ mask-aws-account-id: true
+ role-to-assume: ${{ secrets.DEPLOYMENT_AWS_ROLE }}
+ role-session-name: ${{ github.run_id }}-${{ github.run_attempt }}
+ role-duration-seconds: 900
+ unset-current-credentials: true
+
 - run: yarn release
 env:
 AWS_ASSETS_BUCKET: 'typeform-public-assets/btn'
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
 AWS_CLOUDFRONT_DIST: 'E3IUO95IYL1RI3'
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
 GH_TOKEN: ${{ secrets.GH_TOKEN }}
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 JARVIS_NOTIFY_PREVIEW_TEMPLATE: ${{ secrets.JARVIS_NOTIFY_PREVIEW_TEMPLATE }}
From 405e25a44a3ebe4216b84d5971ec0f9e1999abca Mon Sep 17 00:00:00 2001
From: Rob Westbrook
Date: Thu, 1 May 2025 15:26:45 +0100
Subject: [PATCH 2/3] fix(PLT-816): update cache action to use v4
---
 .github/workflows/pull-request.yml | 4 ++--
 .github/workflows/release.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 052db0b..0d0b0d0 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -18,7 +18,7 @@ jobs:
 node-version: 20
 - name: Get yarn cache
- uses: actions/cache@v2
+ uses: actions/cache@v4
 id: yarn-cache
 with:
 path: |
@@ -58,7 +58,7 @@ jobs:
 node-version: 20
 - name: Get yarn cache
- uses: actions/cache@v2
+ uses: actions/cache@v4
 id: yarn-cache
 with:
 path: |
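Review bot: `packages: write` is granted to the `release` job, but nothing in the visible steps publishes to GitHub Packages — the later hunk's `yarn release` step carries `NPM_TOKEN` for the registry — so unless a step outside this hunk needs it, the grant widens the `GITHUB_TOKEN` beyond what the job uses. `contents: write` is justified by the semantic-release version commit mentioned in the later hunk's comment, and `id-token: write` by the OIDC exchange. Either drop `packages: write` or add a comment above it naming the step that relies on it, e.g. `# packages: write — needed by <step name> (placeholder)`. The `release` job body continues outside the hunk.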
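Review bot: Both workflows assume the same role from `secrets.DEPLOYMENT_AWS_ROLE` (this hunk and the `deploy-preview` hunk in pull-request.yml), so a pull-request run receives the same AWS permissions as a production release, including whatever is required for the `AWS_CLOUDFRONT_DIST` invalidation that only the release step performs. Least privilege here is two roles: a preview role whose trust policy restricts the `token.actions.githubusercontent.com:sub` claim to pull-request subjects and is limited to the preview bucket prefix, and a release role restricted to the release branch or tag refs; the `role-session-name` of `${{ github.run_id }}-${{ github.run_attempt }}` already makes CloudTrail correlation easy once the roles are split. Keeping the ARN in a secret with `mask-aws-account-id: true` is reasonable, but the trust-policy conditions are what actually bound the blast radius and are not visible in this change, so the description should state which `sub` conditions the role was created with.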
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 49cc7ba..86bc7eb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,7 +22,7 @@ jobs:
 node-version: 20
 - name: Get yarn cache
- uses: actions/cache@v3
+ uses: actions/cache@v4
 id: yarn-cache
 with:
 path: |
From 317087264385c56a545c04c03b48da35056c31ef Mon Sep 17 00:00:00 2001
From: Rob Westbrook
Date: Fri, 2 May 2025 10:33:44 +0100
Subject: [PATCH 3/3] build(PLT-816): update deployment secret name
---
 .github/workflows/pull-request.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 0d0b0d0..ef7d8b5 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -90,7 +90,7 @@ jobs:
 with:
 aws-region: 'us-east-1'
 mask-aws-account-id: true
- role-to-assume: ${{ secrets.DEPLOYMENT_AWS_ROLE }}
+ role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
 role-session-name: ${{ github.run_id }}-${{ github.run_attempt }}
 role-duration-seconds: 900
 unset-current-credentials: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 86bc7eb..65094a7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -56,7 +56,7 @@ jobs:
 with:
 aws-region: 'us-east-1'
 mask-aws-account-id: true
- role-to-assume: ${{ secrets.DEPLOYMENT_AWS_ROLE }}
+ role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
 role-session-name: ${{ github.run_id }}-${{ github.run_attempt }}
 role-duration-seconds: 900
 unset-current-credentials: true