From 2a0bc13fefc736e3a30d57123685cc0caa11df23 Mon Sep 17 00:00:00 2001 From: Jack Sullivan Date: Sun, 24 Aug 2025 00:36:36 -0700 Subject: [PATCH 01/13] feat(release): id-token write permissions --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9e4bf30..9dd4fec 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,6 +6,7 @@ on: - master permissions: + id-token: write # Required to authenticate with ECR contents: write # Required to create tags & GitHub Releases jobs: From dd1f43fe645237d7a9377b01078c1fe7f017e2b5 Mon Sep 17 00:00:00 2001 From: Jack Sullivan Date: Sun, 24 Aug 2025 15:12:29 -0700 Subject: [PATCH 02/13] feat(gha): workflow to verify AWS OIDC --- .github/workflows/test-aws.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/test-aws.yml diff --git a/.github/workflows/test-aws.yml b/.github/workflows/test-aws.yml new file mode 100644 index 0000000..7d9b62a --- /dev/null +++ b/.github/workflows/test-aws.yml @@ -0,0 +1,31 @@ +name: Test AWS + +on: + pull_request: + branches: + - main + - master + types: + - opened + - synchronize + - reopened + - edited + workflow_dispatch: {} + +permissions: + id-token: write + +jobs: + test-aws: + name: Test AWS + runs-on: ubuntu-latest + environment: + name: release-ecr + + steps: + - name: Setup AWS + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ vars.AWS_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-actions-test-aws From 976daeadddd4776cd2dea010a79328b399e682bf Mon Sep 17 00:00:00 2001 From: Jack Sullivan Date: Sun, 24 Aug 2025 15:36:56 -0700 Subject: [PATCH 03/13] feat(gha): add OIDC debug --- .github/workflows/test-aws.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/test-aws.yml b/.github/workflows/test-aws.yml index 7d9b62a..0009e74 100644 
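Review bot: `id-token: write` is added to the workflow-level `permissions` block of release.yml, so every job in the workflow may request an OIDC token, not only the job that runs `aws-actions/configure-aws-credentials`. Scoping the grant to that job keeps the others at the default token scope: put `permissions:` / `  id-token: write` / `  contents: write` under the AWS-using job and drop both keys from the top level. The comment could also name the mechanism rather than the target, e.g. `# Required for OIDC federation to AWS (configure-aws-credentials)`. The jobs this applies to are outside the hunk.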
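Review bot: test-aws.yml combines a `pull_request` trigger with `id-token: write` and the `release-ecr` environment, so a same-repo PR branch obtains credentials for `vars.AWS_ROLE_ARN` on every opened, synchronize, reopened or edited event; whether that is acceptable depends on the environment's deployment-branch policy and the role trust policy's `sub` condition, neither of which is visible here. If the trust policy only matches `environment:release-ecr`, it is worth confirming that the environment restricts deployment branches to main/master; for a one-off verification workflow, `workflow_dispatch` alone would be the narrower trigger. The `edited` type re-runs credential minting on a title or body change and can go: `types: [opened, synchronize, reopened]`. `aws-actions/configure-aws-credentials@v4` is a mutable tag; the step that receives the credentials is the one most worth pinning to a commit SHA with a version comment.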
--- a/.github/workflows/test-aws.yml +++ b/.github/workflows/test-aws.yml @@ -23,6 +23,9 @@ jobs: name: release-ecr steps: + - name: Debug OIDC + uses: github/actions-oidc-debugger@v1 + - name: Setup AWS uses: aws-actions/configure-aws-credentials@v4 with: From 822a08ccea4b38a4ccdb85164b1a245a4ba97082 Mon Sep 17 00:00:00 2001 From: Jack Sullivan Date: Sun, 24 Aug 2025 15:40:29 -0700 Subject: [PATCH 04/13] fix(gha): add audience to OIDC debug --- .github/workflows/test-aws.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/test-aws.yml b/.github/workflows/test-aws.yml index 0009e74..3188067 100644 --- a/.github/workflows/test-aws.yml +++ b/.github/workflows/test-aws.yml @@ -25,6 +25,8 @@ jobs: steps: - name: Debug OIDC uses: github/actions-oidc-debugger@v1 + with: + audience: https://github.com/DivergentCodes - name: Setup AWS uses: aws-actions/configure-aws-credentials@v4 From dfecff570a6be1feb9b6a167640897fa8058163e Mon Sep 17 00:00:00 2001 From: Jack Sullivan Date: Sun, 24 Aug 2025 15:42:28 -0700 Subject: [PATCH 05/13] fix: use main --- .github/workflows/test-aws.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-aws.yml b/.github/workflows/test-aws.yml index 3188067..8f0f201 100644 --- a/.github/workflows/test-aws.yml +++ b/.github/workflows/test-aws.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Debug OIDC - uses: github/actions-oidc-debugger@v1 + uses: github/actions-oidc-debugger@main with: audience: https://github.com/DivergentCodes From 900eea47f28b0ef49af7e32007686f1c81c9c45a Mon Sep 17 00:00:00 2001 From: Jack Sullivan Date: Sun, 24 Aug 2025 15:44:31 -0700 Subject: [PATCH 06/13] fix: no fail on error --- .github/workflows/test-aws.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test-aws.yml b/.github/workflows/test-aws.yml index 8f0f201..b10ad4a 100644 --- a/.github/workflows/test-aws.yml +++ b/.github/workflows/test-aws.yml 
@@ -27,6 +27,7 @@ jobs: uses: github/actions-oidc-debugger@main with: audience: https://github.com/DivergentCodes + fail-on-error: false - name: Setup AWS uses: aws-actions/configure-aws-credentials@v4 From 8844db320d022c991d9630b4d0cd875549662017 Mon Sep 17 00:00:00 2001 From: Jack Sullivan Date: Sun, 24 Aug 2025 15:46:49 -0700 Subject: [PATCH 07/13] fix: remove fail-on-error --- .github/workflows/test-aws.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/test-aws.yml b/.github/workflows/test-aws.yml index b10ad4a..8f0f201 100644 --- a/.github/workflows/test-aws.yml +++ b/.github/workflows/test-aws.yml @@ -27,7 +27,6 @@ jobs: uses: github/actions-oidc-debugger@main with: audience: https://github.com/DivergentCodes - fail-on-error: false - name: Setup AWS uses: aws-actions/configure-aws-credentials@v4 From 63bc2134a1ad5f027cea36c37ebd2e4d3a96bb49 Mon Sep 17 00:00:00 2001 From: Jack Sullivan Date: Sun, 24 Aug 2025 15:56:20 -0700 Subject: [PATCH 08/13] fix: skip session tagging --- .github/workflows/test-aws.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test-aws.yml b/.github/workflows/test-aws.yml index 8f0f201..9bc1551 100644 --- a/.github/workflows/test-aws.yml +++ b/.github/workflows/test-aws.yml @@ -34,3 +34,4 @@ jobs: aws-region: ${{ vars.AWS_REGION }} role-to-assume: ${{ vars.AWS_ROLE_ARN }} role-session-name: github-actions-test-aws + role-skip-session-tagging: true From 3997e2a5086e405a7ccbb6d20aea538f8de0f03e Mon Sep 17 00:00:00 2001 From: Jack Sullivan Date: Sun, 24 Aug 2025 16:04:05 -0700 Subject: [PATCH 09/13] Update OIDC debugger aud --- .github/workflows/test-aws.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-aws.yml b/.github/workflows/test-aws.yml index 9bc1551..52380b4 100644 --- a/.github/workflows/test-aws.yml +++ b/.github/workflows/test-aws.yml 
@@ -26,7 +26,7 @@ jobs: - name: Debug OIDC uses: github/actions-oidc-debugger@main with: - audience: https://github.com/DivergentCodes + audience: sts.amazonaws.com - name: Setup AWS uses: aws-actions/configure-aws-credentials@v4 From a05f270e8e7961f20578111bfb74403c5b553cdd Mon Sep 17 00:00:00 2001 From: Jack Sullivan Date: Sun, 24 Aug 2025 18:41:01 -0700 Subject: [PATCH 10/13] feat: enable session tagging --- .github/workflows/test-aws.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/test-aws.yml b/.github/workflows/test-aws.yml index 52380b4..a64e990 100644 --- a/.github/workflows/test-aws.yml +++ b/.github/workflows/test-aws.yml @@ -34,4 +34,3 @@ jobs: aws-region: ${{ vars.AWS_REGION }} role-to-assume: ${{ vars.AWS_ROLE_ARN }} role-session-name: github-actions-test-aws - role-skip-session-tagging: true From c5035262cade6f8e39943a24b0df6c6d37149020 Mon Sep 17 00:00:00 2001 From: Jack Sullivan Date: Sun, 24 Aug 2025 18:45:42 -0700 Subject: [PATCH 11/13] chore: pin OIDC debug action by SHA --- .github/workflows/test-aws.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-aws.yml b/.github/workflows/test-aws.yml index a64e990..186d869 100644 --- a/.github/workflows/test-aws.yml +++ b/.github/workflows/test-aws.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Debug OIDC - uses: github/actions-oidc-debugger@main + uses: github/actions-oidc-debugger@018a1dc4f8e47adca924d55e4bb0ddce917af32d with: audience: sts.amazonaws.com From f503a4604ffcc182f7b4ae79a9a6e5008287067a Mon Sep 17 00:00:00 2001 From: Jack Sullivan Date: Sun, 24 Aug 2025 18:52:34 -0700 Subject: [PATCH 12/13] chore: rename release workflow names --- .github/workflows/release.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9dd4fec..7c86b50 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
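Review bot: The SHA pin for `github/actions-oidc-debugger` in the `Debug OIDC` step carries no comment naming the tag it resolves to, so a reader (and Dependabot/Renovate) cannot tell which release is intended or review a future bump; write it as `uses: github/actions-oidc-debugger@018a1dc4f8e47adca924d55e4bb0ddce917af32d # <tag this SHA resolves to>`. The preceding patch on this line shows `aws-actions/configure-aws-credentials@v4` still on a mutable tag, which is the step that actually receives the credentials; pinning it the same way keeps the file consistent. The step list continues outside the hunk.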
@@ -30,15 +30,20 @@ jobs: - name: Setup Python uses: actions/setup-python@v5 - - name: Install uv + - name: Setup uv uses: astral-sh/setup-uv@v6.4.3 - - name: Setup + - name: Setup packages run: uv run task setup - - name: Build + - name: Build image run: uv run task build + - name: Show OIDC + uses: github/actions-oidc-debugger@018a1dc4f8e47adca924d55e4bb0ddce917af32d + with: + audience: sts.amazonaws.com + - name: Setup AWS uses: aws-actions/configure-aws-credentials@v4 with: @@ -46,5 +51,5 @@ jobs: role-to-assume: ${{ vars.AWS_ROLE_ARN }} role-session-name: github-actions-release-ecr - - name: Release (ECR) + - name: Release image run: uv run task release-ecr-no-build From 2428e80d2289048c117459c90b89cfbaa083abe6 Mon Sep 17 00:00:00 2001 From: Jack Sullivan Date: Sun, 24 Aug 2025 18:56:10 -0700 Subject: [PATCH 13/13] chore: remove test workflow --- .github/workflows/test-aws.yml | 36 ---------------------------------- 1 file changed, 36 deletions(-) delete mode 100644 .github/workflows/test-aws.yml diff --git a/.github/workflows/test-aws.yml b/.github/workflows/test-aws.yml deleted file mode 100644 index 186d869..0000000 --- a/.github/workflows/test-aws.yml +++ /dev/null @@ -1,36 +0,0 @@ -name: Test AWS - -on: - pull_request: - branches: - - main - - master - types: - - opened - - synchronize - - reopened - - edited - workflow_dispatch: {} - -permissions: - id-token: write - -jobs: - test-aws: - name: Test AWS - runs-on: ubuntu-latest - environment: - name: release-ecr - - steps: - - name: Debug OIDC - uses: github/actions-oidc-debugger@018a1dc4f8e47adca924d55e4bb0ddce917af32d - with: - audience: sts.amazonaws.com - - - name: Setup AWS - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ vars.AWS_REGION }} - role-to-assume: ${{ vars.AWS_ROLE_ARN }} - role-session-name: github-actions-test-aws
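Review bot: The new `Show OIDC` step runs `github/actions-oidc-debugger` in the production release job right before `Setup AWS`, so every release appears to write the token's decoded claims into a retained job log; the debugger was a troubleshooting aid in test-aws.yml and should not run unconditionally on the release path. Either drop the step now that patch 13 removes the test workflow, or gate it on debug logging: `if: ${{ runner.debug == '1' }}`. It is also the only SHA-pinned action in the job while `actions/setup-python@v5`, `astral-sh/setup-uv@v6.4.3` and `aws-actions/configure-aws-credentials@v4` remain on tags; of these, the credential-minting step is the one most worth pinning by SHA. The job definition starts outside the hunk.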