.forgejo/workflows/validate-shared-actions.yml

@@ -0,0 +1,20 @@
+name: validate-shared-actions
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  validate-shared-actions:
+    runs-on: stackit-ubuntu-20
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Validate shared action metadata
+        uses: docker://data.forgejo.org/forgejo/runner:12
+        with:
+          entrypoint: /bin/sh
+          args: -ec "find . -mindepth 2 -maxdepth 2 -name action.yml -exec forgejo-runner validate --action --path {} \\;"

CODEOWNERS

@@ -0,0 +1 @@
+.* @schmalz/Developers

README.md

@@ -6,14 +6,15 @@ Shared composite actions for Forgejo CI/CD pipelines.
 
 | Action | Description |
 |--------|-------------|
-|  |  |
+| [aws-configure](aws-configure) | Authenticate with AWS via OIDC |
+
 
 ## Usage
 
 Reference actions from your project's workflow:
 
 ```yaml
-- uses: schmalz/shared-actions/.github/actions/<action-name>@v1
+- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/<action-name>@v1
   with:
     # see each action's README for inputs
 ```

aws-configure/README.md

@@ -0,0 +1,25 @@
+# aws-configure
+
+Authenticate with AWS via OIDC and export credentials to the environment.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `role-arn` | Yes | | Full IAM role ARN |
+| `aws-profile` | No | `default` | Profile name written to `~/.aws/config` |
+| `region` | No | `eu-central-1` | AWS region |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/aws-configure@v1
+  with:
+    role-arn: arn:aws:iam::123456789012:role/my-role
+```
+
+## Notes
+
+- Requires `enable-openid-connect: true` on the Forgejo runner job.
+- Credentials are exported via `$FORGEJO_ENV` so subsequent steps can use them.
+- When `aws-profile` is not `default`, a named AWS CLI profile is also configured.

aws-configure/action.yml

@@ -0,0 +1,45 @@
+name: aws-configure
+description: Authenticate with AWS via OIDC
+
+inputs:
+  role-arn:
+    description: Full IAM role ARN
+    required: true
+  aws-profile:
+    description: Profile name written to ~/.aws/config
+    required: false
+    default: default
+  region:
+    description: AWS region
+    required: false
+    default: eu-central-1
+
+runs:
+  using: composite
+  steps:
+    - run: |
+        OIDC_TOKEN=$(curl -sf \
+          -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r .value)
+
+        CREDS=$(aws sts assume-role-with-web-identity \
+          --role-arn "$INPUT_ROLE_ARN" \
+          --role-session-name forgejo-ci \
+          --web-identity-token "$OIDC_TOKEN" \
+          --region "$INPUT_REGION" \
+          --query 'Credentials' --output json)
+
+        mkdir -p ~/.aws
+
+        echo "AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId)" >> $FORGEJO_ENV
+        echo "AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey)" >> $FORGEJO_ENV
+        echo "AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken)" >> $FORGEJO_ENV
+        echo "AWS_DEFAULT_REGION=$INPUT_REGION" >> $FORGEJO_ENV
+
+        if [ "$INPUT_AWS_PROFILE" != "default" ]; then
+          aws configure set aws_access_key_id "$(echo $CREDS | jq -r .AccessKeyId)" --profile "$INPUT_AWS_PROFILE"
+          aws configure set aws_secret_access_key "$(echo $CREDS | jq -r .SecretAccessKey)" --profile "$INPUT_AWS_PROFILE"
+          aws configure set aws_session_token "$(echo $CREDS | jq -r .SessionToken)" --profile "$INPUT_AWS_PROFILE"
+          aws configure set region "$INPUT_REGION" --profile "$INPUT_AWS_PROFILE"
+        fi
+      shell: bash