From 1aaa12bcea6d8cf30a9bf436e6122e5dce523bc3 Mon Sep 17 00:00:00 2001
From: Markus Opahle <markus.opahle@schmalz.de>
Date: Fri, 24 Apr 2026 16:00:20 +0200
Subject: [PATCH] feat: add aws configure action

---
 aws-configure copy/README.md  | 25 +++++++++++++++++++
 aws-configure copy/action.yml | 45 +++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 aws-configure copy/README.md
 create mode 100644 aws-configure copy/action.yml

diff --git a/aws-configure copy/README.md b/aws-configure copy/README.md
new file mode 100644
index 0000000..fa1c330
--- /dev/null
+++ b/aws-configure copy/README.md	
@@ -0,0 +1,25 @@
+# aws-configure
+
+Authenticate with AWS via OIDC and export credentials to the environment.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `role-arn` | Yes | | Full IAM role ARN |
+| `aws-profile` | No | `default` | Profile name written to `~/.aws/config` |
+| `region` | No | `eu-central-1` | AWS region |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/aws-configure@v1
+  with:
+    role-arn: arn:aws:iam::123456789012:role/my-role
+```
+
+## Notes
+
+- Requires `enable-openid-connect: true` on the Forgejo runner job.
+- Credentials are exported via `$FORGEJO_ENV` so subsequent steps can use them.
+- When `aws-profile` is not `default`, a named AWS CLI profile is also configured.
diff --git a/aws-configure copy/action.yml b/aws-configure copy/action.yml
new file mode 100644
index 0000000..b16219b
--- /dev/null
+++ b/aws-configure copy/action.yml	
@@ -0,0 +1,45 @@
+name: aws-configure
+description: Authenticate with AWS via OIDC
+
+inputs:
+  role-arn:
+    description: Full IAM role ARN
+    required: true
+  aws-profile:
+    description: Profile name written to ~/.aws/config
+    required: false
+    default: default
+  region:
+    description: AWS region
+    required: false
+    default: eu-central-1
+
+runs:
+  using: composite
+  steps:
+    - run: |
+        OIDC_TOKEN=$(curl -sf \
+          -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r .value)
+
+        CREDS=$(aws sts assume-role-with-web-identity \
+          --role-arn "$INPUT_ROLE_ARN" \
+          --role-session-name forgejo-ci \
+          --web-identity-token "$OIDC_TOKEN" \
+          --region "$INPUT_REGION" \
+          --query 'Credentials' --output json)
+
+        mkdir -p ~/.aws
+
+        echo "AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId)" >> $FORGEJO_ENV
+        echo "AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey)" >> $FORGEJO_ENV
+        echo "AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken)" >> $FORGEJO_ENV
+        echo "AWS_DEFAULT_REGION=$INPUT_REGION" >> $FORGEJO_ENV
+
+        if [ "$INPUT_AWS_PROFILE" != "default" ]; then
+          aws configure set aws_access_key_id "$(echo $CREDS | jq -r .AccessKeyId)" --profile "$INPUT_AWS_PROFILE"
+          aws configure set aws_secret_access_key "$(echo $CREDS | jq -r .SecretAccessKey)" --profile "$INPUT_AWS_PROFILE"
+          aws configure set aws_session_token "$(echo $CREDS | jq -r .SessionToken)" --profile "$INPUT_AWS_PROFILE"
+          aws configure set region "$INPUT_REGION" --profile "$INPUT_AWS_PROFILE"
+        fi
+      shell: bash