diff --git a/.forgejo/workflows/validate-shared-actions.yml b/.forgejo/workflows/validate-shared-actions.yml new file mode 100644 index 0000000..0535b7e --- /dev/null +++ b/.forgejo/workflows/validate-shared-actions.yml @@ -0,0 +1,20 @@ +name: validate-shared-actions + +on: + pull_request: + types: [opened, reopened, synchronize] + +permissions: + contents: read + +jobs: + validate-shared-actions: + runs-on: stackit-ubuntu-20 + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Validate shared action metadata + uses: docker://data.forgejo.org/forgejo/runner:12 + with: + entrypoint: /bin/sh + args: -ec "find . -mindepth 2 -maxdepth 2 -name action.yml -exec forgejo-runner validate --action --path {} \\;" diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..18f26d4 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ +.* @schmalz/Developers \ No newline at end of file diff --git a/README.md b/README.md index db9329b..78d702e 100644 --- a/README.md +++ b/README.md @@ -6,14 +6,15 @@ Shared composite actions for Forgejo CI/CD pipelines. | Action | Description | |--------|-------------| -| | | +| [aws-configure](aws-configure) | Authenticate with AWS via OIDC | + ## Usage Reference actions from your project's workflow: ```yaml -- uses: schmalz/shared-actions/.github/actions/@v1 +- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/@v1 with: # see each action's README for inputs ``` diff --git a/aws-configure/README.md b/aws-configure/README.md new file mode 100644 index 0000000..fa1c330 --- /dev/null +++ b/aws-configure/README.md @@ -0,0 +1,25 @@ +# aws-configure + +Authenticate with AWS via OIDC and export credentials to the environment. + +## Inputs + +| Input | Required | Default | Description | +|-------|----------|---------|-------------| +| `role-arn` | Yes | | Full IAM role ARN | +| `aws-profile` | No | `default` | Profile name written to `~/.aws/config` | +| `region` | No | `eu-central-1` | AWS region | + +## Usage + +```yaml +- uses: schmalz/shared-actions/.github/actions/aws-configure@v1 + with: + role-arn: arn:aws:iam::123456789012:role/my-role +``` + +## Notes + +- Requires `enable-openid-connect: true` on the Forgejo runner job. +- Credentials are exported via `$FORGEJO_ENV` so subsequent steps can use them. +- When `aws-profile` is not `default`, a named AWS CLI profile is also configured. diff --git a/aws-configure/action.yml b/aws-configure/action.yml new file mode 100644 index 0000000..b16219b --- /dev/null +++ b/aws-configure/action.yml @@ -0,0 +1,45 @@ +name: aws-configure +description: Authenticate with AWS via OIDC + +inputs: + role-arn: + description: Full IAM role ARN + required: true + aws-profile: + description: Profile name written to ~/.aws/config + required: false + default: default + region: + description: AWS region + required: false + default: eu-central-1 + +runs: + using: composite + steps: + - run: | + OIDC_TOKEN=$(curl -sf \ + -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ + "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r .value) + + CREDS=$(aws sts assume-role-with-web-identity \ + --role-arn "$INPUT_ROLE_ARN" \ + --role-session-name forgejo-ci \ + --web-identity-token "$OIDC_TOKEN" \ + --region "$INPUT_REGION" \ + --query 'Credentials' --output json) + + mkdir -p ~/.aws + + echo "AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId)" >> $FORGEJO_ENV + echo "AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey)" >> $FORGEJO_ENV + echo "AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken)" >> $FORGEJO_ENV + echo "AWS_DEFAULT_REGION=$INPUT_REGION" >> $FORGEJO_ENV + + if [ "$INPUT_AWS_PROFILE" != "default" ]; then + aws configure set aws_access_key_id "$(echo $CREDS | jq -r .AccessKeyId)" --profile "$INPUT_AWS_PROFILE" + aws configure set aws_secret_access_key "$(echo $CREDS | jq -r .SecretAccessKey)" --profile "$INPUT_AWS_PROFILE" + aws configure set aws_session_token "$(echo $CREDS | jq -r .SessionToken)" --profile "$INPUT_AWS_PROFILE" + aws configure set region "$INPUT_REGION" --profile "$INPUT_AWS_PROFILE" + fi + shell: bash