From f2522af427e88d26e90e446b998122bcad3678b8 Mon Sep 17 00:00:00 2001
From: Markus Opahle
Date: Fri, 24 Apr 2026 16:00:09 +0200
Subject: [PATCH 1/5] ci: add validation workflow
---
 .../workflows/validate-shared-actions.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .forgejo/workflows/validate-shared-actions.yml
diff --git a/.forgejo/workflows/validate-shared-actions.yml b/.forgejo/workflows/validate-shared-actions.yml
new file mode 100644
index 0000000..570918d
--- /dev/null
+++ b/.forgejo/workflows/validate-shared-actions.yml
@@ -0,0 +1,23 @@
+name: validate-shared-actions
+
+on:
+ pull_request:
+ types: [opened, reopened, synchronize]
+
+permissions:
+ contents: read
+
+jobs:
+ validate-shared-actions:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Validate shared action metadata
+ uses: mpalmer/action-validator@v0.9.0
+ with:
+ version: 0.9.0
+ patterns: |
+ :(glob)**/action.yml
+ :(glob)**/action.yaml
--
2.49.1
From 1aaa12bcea6d8cf30a9bf436e6122e5dce523bc3 Mon Sep 17 00:00:00 2001
From: Markus Opahle
Date: Fri, 24 Apr 2026 16:00:20 +0200
Subject: [PATCH 2/5] feat: add aws configure action
---
 aws-configure copy/README.md | 25 +++++++++++++++++++
 aws-configure copy/action.yml | 45 +++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 aws-configure copy/README.md
 create mode 100644 aws-configure copy/action.yml
diff --git a/aws-configure copy/README.md b/aws-configure copy/README.md
new file mode 100644
index 0000000..fa1c330
--- /dev/null
+++ b/aws-configure copy/README.md
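Review bot: `uses: actions/checkout@v4` and `uses: mpalmer/action-validator@v0.9.0` reference mutable tags, so whoever can move those tags (or the mirror this Forgejo instance resolves `actions/` from) decides what this job executes; the `permissions: contents: read` block limits what a compromised step can do with the token, not which code runs. Pin third-party actions to a full commit SHA and keep the human-readable tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`. The same applies to the `docker://data.forgejo.org/forgejo/runner:12` image that patch 5/5 substitutes for the validator, which can be pinned by digest (`…/runner:12@sha256:<digest>`).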
@@ -0,0 +1,25 @@
+# aws-configure
+
+Authenticate with AWS via OIDC and export credentials to the environment.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `role-arn` | Yes | | Full IAM role ARN |
+| `aws-profile` | No | `default` | Profile name written to `~/.aws/config` |
+| `region` | No | `eu-central-1` | AWS region |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/aws-configure@v1
+ with:
+ role-arn: arn:aws:iam::123456789012:role/my-role
+```
+
+## Notes
+
+- Requires `enable-openid-connect: true` on the Forgejo runner job.
+- Credentials are exported via `$FORGEJO_ENV` so subsequent steps can use them.
+- When `aws-profile` is not `default`, a named AWS CLI profile is also configured.
diff --git a/aws-configure copy/action.yml b/aws-configure copy/action.yml
new file mode 100644
index 0000000..b16219b
--- /dev/null
+++ b/aws-configure copy/action.yml
@@ -0,0 +1,45 @@
+name: aws-configure
+description: Authenticate with AWS via OIDC
+
+inputs:
+ role-arn:
+ description: Full IAM role ARN
+ required: true
+ aws-profile:
+ description: Profile name written to ~/.aws/config
+ required: false
+ default: default
+ region:
+ description: AWS region
+ required: false
+ default: eu-central-1
+
+runs:
+ using: composite
+ steps:
+ - run: |
+ OIDC_TOKEN=$(curl -sf \
+ -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+ "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r .value)
+
+ CREDS=$(aws sts assume-role-with-web-identity \
+ --role-arn "$INPUT_ROLE_ARN" \
+ --role-session-name forgejo-ci \
+ --web-identity-token "$OIDC_TOKEN" \
+ --region "$INPUT_REGION" \
+ --query 'Credentials' --output json)
+
+ mkdir -p ~/.aws
+
+ echo "AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId)" >> $FORGEJO_ENV
+ echo "AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey)" >> $FORGEJO_ENV
+ echo "AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken)" >> $FORGEJO_ENV
+ echo "AWS_DEFAULT_REGION=$INPUT_REGION" >> $FORGEJO_ENV
+
+ if [ "$INPUT_AWS_PROFILE" != "default" ]; then
+ aws configure set aws_access_key_id "$(echo $CREDS | jq -r .AccessKeyId)" --profile "$INPUT_AWS_PROFILE"
+ aws configure set aws_secret_access_key "$(echo $CREDS | jq -r .SecretAccessKey)" --profile "$INPUT_AWS_PROFILE"
+ aws configure set aws_session_token "$(echo $CREDS | jq -r .SessionToken)" --profile "$INPUT_AWS_PROFILE"
+ aws configure set region "$INPUT_REGION" --profile "$INPUT_AWS_PROFILE"
+ fi
+ shell: bash
--
2.49.1
From 7f2350f1d5d9fd9d8a9ec3b3e5b60d9adbc708b4 Mon Sep 17 00:00:00 2001
From: Markus Opahle
Date: Fri, 24 Apr 2026 16:02:10 +0200
Subject: [PATCH 3/5] chore: add readme
---
 README.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index db9329b..78d702e 100644
--- a/README.md
+++ b/README.md
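Review bot: The three `echo "AWS_…=$(echo $CREDS | jq …)" >> $FORGEJO_ENV` lines export the secret access key and session token without first registering them with the runner's log masking, so any later step that prints its environment (or a tool that echoes its configuration) writes the live credentials into the job log in clear text. Read each value into a shell variable once, emit `::add-mask::` for the two secret ones (the runner's act-derived command set should honour this — worth confirming on the target runners), then append to `$FORGEJO_ENV`; quoting `"$CREDS"` at the same time stops the JSON from being word-split. The `aws configure set` branch stores the same secrets in plaintext under `~/.aws/credentials`; on a non-ephemeral runner that file outlives the job, so either point `AWS_SHARED_CREDENTIALS_FILE` at a job-scoped directory or state the cleanup expectation in the README. A fixed `--role-session-name forgejo-ci` makes every CloudTrail entry from every repository look identical; if the runner exposes `GITHUB_REPOSITORY`/`GITHUB_RUN_ID`, folding them into the session name gives per-run attribution at no cost.
```yaml
    - run: |
        # … unchanged: OIDC token request, assume-role-with-web-identity call, mkdir …
        AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r .AccessKeyId)
        AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r .SecretAccessKey)
        AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r .SessionToken)
        # Register the secret values with the runner's log masking before they reach the env file.
        echo "::add-mask::$AWS_SECRET_ACCESS_KEY"
        echo "::add-mask::$AWS_SESSION_TOKEN"

        {
          echo "AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID"
          echo "AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY"
          echo "AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN"
          echo "AWS_DEFAULT_REGION=$INPUT_REGION"
        } >> "$FORGEJO_ENV"

        if [ "$INPUT_AWS_PROFILE" != "default" ]; then
          aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID" --profile "$INPUT_AWS_PROFILE"
          aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY" --profile "$INPUT_AWS_PROFILE"
          aws configure set aws_session_token "$AWS_SESSION_TOKEN" --profile "$INPUT_AWS_PROFILE"
          # … unchanged: region profile setting …
        fi
      shell: bash
```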
@@ -6,14 +6,15 @@ Shared composite actions for Forgejo CI/CD pipelines. | Action | Description | |--------|-------------| -| | | +| [aws-configure](aws-configure) | Authenticate with AWS via OIDC | + ## Usage Reference actions from your project's workflow: ```yaml -- uses: schmalz/shared-actions/.github/actions/@v1 +- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/@v1 with: # see each action's README for inputs ``` -- 2.49.1 From 5d6b2ce81baff16cefd87ab622efdcf4e7e7556d Mon Sep 17 00:00:00 2001 From: Markus Opahle Date: Fri, 24 Apr 2026 16:02:54 +0200 Subject: [PATCH 4/5] ci: add codeowners --- CODEOWNERS | 1 + {aws-configure copy => aws-configure}/README.md | 0 {aws-configure copy => aws-configure}/action.yml | 0 3 files changed, 1 insertion(+) create mode 100644 CODEOWNERS rename {aws-configure copy => aws-configure}/README.md (100%) rename {aws-configure copy => aws-configure}/action.yml (100%) diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..18f26d4 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ +.* @schmalz/Developers \ No newline at end of file diff --git a/aws-configure copy/README.md b/aws-configure/README.md similarity index 100% rename from aws-configure copy/README.md rename to aws-configure/README.md diff --git a/aws-configure copy/action.yml b/aws-configure/action.yml similarity index 100% rename from aws-configure copy/action.yml rename to aws-configure/action.yml -- 2.49.1 From 6fb1549aeac790740885986ff617100a09db8e9c Mon Sep 17 00:00:00 2001 From: Markus Opahle Date: Mon, 27 Apr 2026 10:54:02 +0200 Subject: [PATCH 5/5] fix: use forgejo runner to validate actions Co-authored-by: Copilot --- .forgejo/workflows/validate-shared-actions.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/.forgejo/workflows/validate-shared-actions.yml b/.forgejo/workflows/validate-shared-actions.yml index 570918d..0535b7e 100644 --- a/.forgejo/workflows/validate-shared-actions.yml 
+++ b/.forgejo/workflows/validate-shared-actions.yml @@ -9,15 +9,12 @@ permissions: jobs: validate-shared-actions: - runs-on: ubuntu-latest + runs-on: stackit-ubuntu-20 steps: - name: Checkout uses: actions/checkout@v4 - - name: Validate shared action metadata - uses: mpalmer/action-validator@v0.9.0 + uses: docker://data.forgejo.org/forgejo/runner:12 with: - version: 0.9.0 - patterns: | - :(glob)**/action.yml - :(glob)**/action.yaml + entrypoint: /bin/sh + args: -ec "find . -mindepth 2 -maxdepth 2 -name action.yml -exec forgejo-runner validate --action --path {} \\;" -- 2.49.1
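Review bot: The new `args:` line cannot turn a validation failure into a failed step: with `-exec … {} \;` find's exit status reflects only find's own errors, not the validator's, so under `sh -ec` a broken action.yml still produces a green job, and `-name action.yml` also drops the `action.yaml` spelling that the removed `patterns:` list covered. Hand the validator's status back to the shell instead, e.g. `args: -ec "find . -mindepth 2 -maxdepth 2 -name action.yml -o -name action.yaml | xargs -n1 forgejo-runner validate --action --path"` — xargs exits non-zero (123) when any invocation fails, which `-e` then propagates; this splits paths on whitespace, acceptable as long as action directories keep plain names, otherwise a `for` loop under `-e` avoids it. A quick way to confirm the current behaviour is to run this job against a deliberately malformed action.yml on a branch and check that it goes red.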