feat: add AWS OIDC authentication support (#7)

- Add configure-aws composite action supporting both OIDC and static credentials
- Update build.yml workflow with optional AWS authentication and extra-env input
- Update release.yml to use configure-aws action and support OIDC
- OIDC is the recommended approach (no long-lived credentials)

Usage in build.yml:
  uses: redis/github-workflows/.github/workflows/build.yml@main
  with:
    aws-role-arn: arn:aws:iam::ACCOUNT:role/GitHubActions
    aws-region: us-west-1
    extra-env: '{"S3_TEST_BUCKET": "my-bucket"}'

AWS IAM setup required:
  1. Create OIDC identity provider for token.actions.githubusercontent.com
  2. Create IAM role with trust policy for your repository
  3. Attach required permissions (e.g., S3 access) to the role

Author: jruaux

.github/actions/configure-aws/action.yml

@@ -0,0 +1,61 @@
+name: 'Configure AWS Credentials'
+description: 'Configure AWS credentials using OIDC (preferred) or static credentials'
+
+inputs:
+  aws-role-arn:
+    description: 'AWS IAM role ARN for OIDC authentication (recommended)'
+    required: false
+  aws-access-key-id:
+    description: 'AWS access key ID (fallback if OIDC role not provided)'
+    required: false
+  aws-secret-access-key:
+    description: 'AWS secret access key (fallback if OIDC role not provided)'
+    required: false
+  aws-region:
+    description: 'AWS region'
+    required: false
+    default: 'us-east-1'
+  role-session-name:
+    description: 'Session name for OIDC role assumption'
+    required: false
+    default: 'github-actions'
+
+outputs:
+  aws-configured:
+    description: 'Whether AWS credentials were configured'
+    value: ${{ steps.check.outputs.configured }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Check AWS configuration
+      id: check
+      shell: bash
+      run: |
+        if [[ -n "${{ inputs.aws-role-arn }}" ]]; then
+          echo "configured=true" >> $GITHUB_OUTPUT
+          echo "method=oidc" >> $GITHUB_OUTPUT
+        elif [[ -n "${{ inputs.aws-access-key-id }}" && -n "${{ inputs.aws-secret-access-key }}" ]]; then
+          echo "configured=true" >> $GITHUB_OUTPUT
+          echo "method=static" >> $GITHUB_OUTPUT
+        else
+          echo "configured=false" >> $GITHUB_OUTPUT
+          echo "method=none" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Configure AWS credentials (OIDC)
+      if: steps.check.outputs.method == 'oidc'
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ inputs.aws-role-arn }}
+        role-session-name: ${{ inputs.role-session-name }}
+        aws-region: ${{ inputs.aws-region }}
+
+    - name: Configure AWS credentials (Static)
+      if: steps.check.outputs.method == 'static'
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-access-key-id: ${{ inputs.aws-access-key-id }}
+        aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
+        aws-region: ${{ inputs.aws-region }}
+

.github/workflows/build.yml

@@ -13,11 +13,35 @@ on:
         default: 'build'
         required: false
         type: string
+      aws-role-arn:
+        description: 'AWS IAM role ARN for OIDC authentication (for integration tests)'
+        required: false
+        type: string
+      aws-region:
+        description: 'AWS region (used with aws-role-arn or aws secrets)'
+        default: 'us-east-1'
+        required: false
+        type: string
+      extra-env:
+        description: 'Extra environment variables as JSON object (e.g., {"S3_TEST_BUCKET": "my-bucket"})'
+        default: '{}'
+        required: false
+        type: string
+    secrets:
+      aws-access-key-id:
+        description: 'AWS access key ID (alternative to OIDC)'
+        required: false
+      aws-secret-access-key:
+        description: 'AWS secret access key (alternative to OIDC)'
+        required: false
 
 jobs:
   build:
     name: Build and Test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write  # Required for OIDC
 
     steps:
       - name: Checkout code
@@ -30,6 +54,20 @@ jobs:
           distribution: 'temurin'
           cache: 'gradle'
 
+      - name: Configure AWS credentials
+        if: inputs.aws-role-arn != '' || (secrets.aws-access-key-id != '' && secrets.aws-secret-access-key != '')
+        uses: redis/github-workflows/.github/actions/configure-aws@main
+        with:
+          aws-role-arn: ${{ inputs.aws-role-arn }}
+          aws-access-key-id: ${{ secrets.aws-access-key-id }}
+          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
+          aws-region: ${{ inputs.aws-region }}
+
+      - name: Set extra environment variables
+        if: inputs.extra-env != '{}'
+        run: |
+          echo '${{ inputs.extra-env }}' | jq -r 'to_entries[] | "\(.key)=\(.value)"' >> $GITHUB_ENV
+
       - name: Grant execute permission for gradlew
         run: chmod +x gradlew
 

.github/workflows/release.yml

@@ -77,6 +77,15 @@ on:
         default: false
         required: false
         type: boolean
+      aws-role-arn:
+        description: 'AWS IAM role ARN for OIDC authentication (for pre-release-script)'
+        required: false
+        type: string
+      aws-region:
+        description: 'AWS region (used with aws-role-arn or aws secrets)'
+        default: 'us-east-1'
+        required: false
+        type: string
     secrets:
       git-access-token:
         description: 'GitHub token with write access'
@@ -106,10 +115,10 @@ on:
         description: 'Docker registry password (for bootBuildImage)'
         required: false
       aws-access-key-id:
-        description: 'AWS access key ID (for pre-release-script)'
+        description: 'AWS access key ID (for pre-release-script, alternative to OIDC)'
         required: false
       aws-secret-access-key:
-        description: 'AWS secret access key (for pre-release-script)'
+        description: 'AWS secret access key (for pre-release-script, alternative to OIDC)'
         required: false
 
 jobs:
@@ -118,6 +127,7 @@ jobs:
     permissions:
       contents: write
       packages: write
+      id-token: write  # Required for AWS OIDC
 
     steps:
       - name: Checkout
@@ -149,12 +159,13 @@ jobs:
         run: ./gradlew ${{ inputs.gradle-build-tasks }} ${{ inputs.skip-tests && '-x test' || '' }}
 
       - name: Configure AWS credentials
-        if: inputs.pre-release-script != ''
-        uses: aws-actions/configure-aws-credentials@v4
+        if: inputs.pre-release-script != '' && (inputs.aws-role-arn != '' || (secrets.aws-access-key-id != '' && secrets.aws-secret-access-key != ''))
+        uses: redis/github-workflows/.github/actions/configure-aws@main
         with:
+          aws-role-arn: ${{ inputs.aws-role-arn }}
           aws-access-key-id: ${{ secrets.aws-access-key-id }}
           aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
-          aws-region: us-east-1
+          aws-region: ${{ inputs.aws-region }}
         continue-on-error: true
 
       - name: Pre-Release Script

AGENTS.md

@@ -21,6 +21,7 @@ uses: redis/github-workflows/.github/actions/jreleaser@main
 │   └── docs.yml         # Antora documentation build + GitHub Pages
 └── actions/             # Composite actions
     ├── setup-gradle/    # Java + Gradle setup with caching
+    ├── configure-aws/   # AWS credentials via OIDC or static keys
     ├── jreleaser/       # GitHub release, Maven Central, Docker, Slack
     ├── create-release-tag/  # Axion-based version tagging
     ├── build-docs/      # Antora documentation builder
@@ -42,6 +43,7 @@ uses: redis/github-workflows/.github/actions/jreleaser@main
 | Action | Purpose |
 |--------|---------|
 | `setup-gradle` | Setup Java (Temurin) + Gradle with caching |
+| `configure-aws` | Configure AWS credentials via OIDC (preferred) or static credentials |
 | `jreleaser` | Run JReleaser for releases, signing, publishing |
 | `create-release-tag` | Create Git tag using Axion release plugin |
 | `build-docs` | Build Antora documentation with Algolia search |