gha: Add update static files workflow

bbc · Oct 8, 2024 · d2a081e · d2a081e
1 parent e0b9048
commit d2a081e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/.github/workflows/shared-ext-update-static-files-workflow.yml b/.github/workflows/shared-ext-update-static-files-workflow.yml
@@ -14,6 +14,9 @@ on:
       COMMONTOOLING_DEPLOY_KEY:
         description: 'A deploy key that is used to fetch Commontooling'
         required: true
+      AWS_ACCOUNT_ID:
+        description: 'An AWS Account ID, used to access ECR'
+        required: true
 
 env:
   COMMONTOOLING_BRANCH: ${{ inputs.commontoolingBranch == '' && 'main' || inputs.commontoolingBranch }}
@@ -22,6 +25,7 @@ jobs:
   UpdateStaticFiles:
     permissions:
       contents: read
+      id-token: write
     runs-on: ubuntu-22.04
     environment:
       name: update-static-files
@@ -32,6 +36,13 @@ jobs:
           fetch-depth: 1
           ssh-key: ${{ secrets.WRITE_ACCESS_DEPLOY_KEY }}
 
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/gha_ecr_public_read
+          role-session-name: GitHub_to_AWS_via_FederatedOIDC
+          aws-region: us-east-1
+
       - name: Login to Amazon ECR
         id: login-ecr
         uses: aws-actions/amazon-ecr-login@v2

diff --git a/.github/workflows/update-static-files-workflow.yml b/.github/workflows/update-static-files-workflow.yml
@@ -14,6 +14,7 @@ jobs:
     name: Shared Workflow
     permissions:
       contents: read
+      id-token: write
     # Github Actions doesn't allow the use of parameters in `uses` statements. If you want to use a different shared workflow branch, change it here
     uses: ./.github/workflows/shared-ext-update-static-files-workflow.yml
     with: