feature/aws-configure #2
5 changed files with 94 additions and 2 deletions
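--- /dev/null
+++ b/.forgejo/workflows/validate-shared-actions.yml
@@ -0,0 +1,20 @@
+name: validate-shared-actions
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  validate-shared-actions:
+    runs-on: stackit-ubuntu-20
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Validate shared action metadata
+        uses: docker://data.forgejo.org/forgejo/runner:12
+        with:
+          entrypoint: /bin/sh
+          args: -ec "find . -mindepth 2 -maxdepth 2 -name action.yml -exec forgejo-runner validate --action --path {} \\;"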
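Review bot: The `find … -exec forgejo-runner validate … {} \;` command in the `args:` line cannot fail the job: with the `\;` form, find's own exit status does not reflect a non-zero exit from the command it runs, so a broken `action.yml` still produces a green check and this gate is effectively a no-op (the `-e` in `-ec` only guards find itself). Iterate explicitly so a validation failure propagates, e.g. `args: -ec "for f in ./*/action.yml; do forgejo-runner validate --action --path \"$f\"; done"`. Both `actions/checkout@v4` and `docker://data.forgejo.org/forgejo/runner:12` are mutable tags; for a job that runs on every pull request, pin the action to a commit SHA and the image to a digest (`@sha256:…`) so a retagged upstream cannot change what executes here. The read-only `contents: read` permission block is the right default for a PR-triggered job and should stay.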
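--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1 @@
+.* @schmalz/Developers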
@ -6,14 +6,15 @@ Shared composite actions for Forgejo CI/CD pipelines.
|
||||||
|
|
||||||
| Action | Description |
|
| Action | Description |
|
||||||
|--------|-------------|
|
|--------|-------------|
|
||||||
| | |
|
| [aws-configure](aws-configure) | Authenticate with AWS via OIDC |
|
||||||
|
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
Reference actions from your project's workflow:
|
Reference actions from your project's workflow:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- uses: schmalz/shared-actions/.github/actions/<action-name>@v1
|
- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/<action-name>@v1
|
||||||
with:
|
with:
|
||||||
# see each action's README for inputs
|
# see each action's README for inputs
|
||||||
```
|
```
|
||||||
|
|
|
||||||
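--- /dev/null
+++ b/aws-configure/README.md
@@ -0,0 +1,25 @@
+# aws-configure
+
+Authenticate with AWS via OIDC and export credentials to the environment.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `role-arn` | Yes | | Full IAM role ARN |
+| `aws-profile` | No | `default` | Profile name written to `~/.aws/config` |
+| `region` | No | `eu-central-1` | AWS region |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/aws-configure@v1
+  with:
+    role-arn: arn:aws:iam::123456789012:role/my-role
+```
+
+## Notes
+
+- Requires `enable-openid-connect: true` on the Forgejo runner job.
+- Credentials are exported via `$FORGEJO_ENV` so subsequent steps can use them.
+- When `aws-profile` is not `default`, a named AWS CLI profile is also configured.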
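--- /dev/null
+++ b/aws-configure/action.yml
@@ -0,0 +1,45 @@
+name: aws-configure
+description: Authenticate with AWS via OIDC
+
+inputs:
+  role-arn:
+    description: Full IAM role ARN
+    required: true
+  aws-profile:
+    description: Profile name written to ~/.aws/config
+    required: false
+    default: default
+  region:
+    description: AWS region
+    required: false
+    default: eu-central-1
+
+runs:
+  using: composite
+  steps:
+    - run: |
+        OIDC_TOKEN=$(curl -sf \
+          -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r .value)
+
+        CREDS=$(aws sts assume-role-with-web-identity \
+          --role-arn "$INPUT_ROLE_ARN" \
+          --role-session-name forgejo-ci \
+          --web-identity-token "$OIDC_TOKEN" \
+          --region "$INPUT_REGION" \
+          --query 'Credentials' --output json)
+
+        mkdir -p ~/.aws
+
+        echo "AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId)" >> $FORGEJO_ENV
+        echo "AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey)" >> $FORGEJO_ENV
+        echo "AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken)" >> $FORGEJO_ENV
+        echo "AWS_DEFAULT_REGION=$INPUT_REGION" >> $FORGEJO_ENV
+
+        if [ "$INPUT_AWS_PROFILE" != "default" ]; then
+          aws configure set aws_access_key_id "$(echo $CREDS | jq -r .AccessKeyId)" --profile "$INPUT_AWS_PROFILE"
+          aws configure set aws_secret_access_key "$(echo $CREDS | jq -r .SecretAccessKey)" --profile "$INPUT_AWS_PROFILE"
+          aws configure set aws_session_token "$(echo $CREDS | jq -r .SessionToken)" --profile "$INPUT_AWS_PROFILE"
+          aws configure set region "$INPUT_REGION" --profile "$INPUT_AWS_PROFILE"
+        fi
+      shell: bash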
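Review bot: The secret access key and session token appended to `$FORGEJO_ENV` in the `echo … >> $FORGEJO_ENV` lines are never registered as masked values, so any later step that prints its environment (or runs under `set -x`) writes live AWS credentials into the job log; extract them once into variables, emit `::add-mask::` for the secret key and session token before writing the env file, and quote `"$CREDS"` and `"$FORGEJO_ENV"` so neither the JSON nor the path is word-split (the same unquoted `echo $CREDS` pattern repeats in the named-profile branch). `--role-session-name forgejo-ci` is a fixed string, so CloudTrail cannot tell which repository or run assumed the role; deriving it from the repository name and run id (whatever variables the runner exposes for those, truncated to AWS's 64-character limit) makes the sessions attributable. The `aws configure set` branch also persists the credentials to `~/.aws/credentials` on the runner's disk, which outlives the job unless the runner is ephemeral — worth stating in the README. Composite actions on GitHub do not export `INPUT_*` environment variables; if this action is meant to run there too, as the `.github/actions/…` reference in its README suggests, `$INPUT_ROLE_ARN` would be empty, so passing inputs explicitly via `env:` on the step (e.g. `INPUT_ROLE_ARN: ${{ inputs.role-arn }}`) is the portable form — confirm against the Forgejo runner's behaviour.
```yaml
        # … unchanged: OIDC token fetch and assume-role-with-web-identity …
        AWS_ACCESS_KEY_ID=$(printf '%s' "$CREDS" | jq -r .AccessKeyId)
        AWS_SECRET_ACCESS_KEY=$(printf '%s' "$CREDS" | jq -r .SecretAccessKey)
        AWS_SESSION_TOKEN=$(printf '%s' "$CREDS" | jq -r .SessionToken)
        # keep the short-lived secrets out of step logs; harmless if the runner ignores workflow commands
        echo "::add-mask::$AWS_SECRET_ACCESS_KEY"
        echo "::add-mask::$AWS_SESSION_TOKEN"
        {
          echo "AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID"
          echo "AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY"
          echo "AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN"
          echo "AWS_DEFAULT_REGION=$INPUT_REGION"
        } >> "$FORGEJO_ENV"
        # … unchanged: named-profile branch, using the three variables above instead of re-parsing $CREDS …
```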