
feat: support OIDC invalidate cloudfront#259

Merged
jirimoravcik merged 2 commits into main from feat/support-oidc-invalidate-cloudfront
Mar 11, 2026

Conversation

@jirimoravcik
Member

This PR adds OIDC support to invalidate cloudfront

Copilot AI review requested due to automatic review settings March 11, 2026 09:27
@jirimoravcik jirimoravcik added the adhoc Ad-hoc unplanned task added during the sprint. label Mar 11, 2026
@github-actions github-actions bot added the t-infra Issues with this label are in the ownership of the infrastructure team. label Mar 11, 2026

Copilot AI left a comment


Pull request overview

Adds OIDC-based AWS role assumption support to the reusable “invalidate cloudfront distribution” workflow, enabling CloudFront invalidations without long-lived AWS access keys.

Changes:

  • Introduces useOIDC and githubOIDCRoleArn inputs to enable OIDC-based auth.
  • Makes AWS access key secrets optional and conditionally skips the static-credential assume-role step.
  • Adds a two-step role assumption flow for OIDC (GitHub OIDC role → deployer role with chaining).
Comments suppressed due to low confidence (1)

.github/workflows/invalidate_cloudfront.yaml:75

  • awsAccessKeyId/awsSecretAccessKey are now optional, but when inputs.useOIDC == false the workflow still attempts to use them and will fail with a non-obvious error if callers omit these secrets. Consider adding an early validation step that checks required inputs/secrets based on useOIDC and fails with a clear message (e.g., require access keys when useOIDC is false; require awsRoleArn/githubOIDCRoleArn when useOIDC is true).
      - name: assume IAM role
        if: inputs.useOIDC == false
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.awsAccessKeyId }}
          aws-secret-access-key: ${{ secrets.awsSecretAccessKey }}
          aws-region: ${{ inputs.awsRegion }}
          role-to-assume: ${{ inputs.awsRoleArn }}
          role-duration-seconds: ${{ inputs.awsSessionDuration }}

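One way to implement the early validation step suggested in the review above, as an added example that is not part of this PR or the repository's workflow: a POSIX shell function meant for a `run:` step placed before either credential step, which checks the inputs and secrets named in the PR according to the value of useOIDC and fails with a clear message. The positional-argument order, the env-var-free calling convention and the use of GitHub's `::error::` / `::warning::` workflow annotations are assumptions.

```shell
#!/bin/sh
# Added example (not the project's own code): validate the auth-related inputs of the
# reusable invalidate_cloudfront workflow before any aws-actions step runs.
#
# Assumed usage inside the workflow (argument order is an assumption):
#   - name: validate auth inputs
#     run: |
#       validate_auth_inputs "${{ inputs.useOIDC }}" "${{ inputs.awsRoleArn }}" \
#         "${{ inputs.githubOIDCRoleArn }}" \
#         "${{ secrets.awsAccessKeyId }}" "${{ secrets.awsSecretAccessKey }}"

failed=0

# Emit a GitHub Actions error annotation and remember that validation failed.
fail() {
  printf '::error::%s\n' "$1" >&2
  failed=1
}

# validate_auth_inputs USE_OIDC AWS_ROLE_ARN GITHUB_OIDC_ROLE_ARN ACCESS_KEY_ID SECRET_ACCESS_KEY
# Returns 0 when the combination is usable, 1 otherwise (every problem is reported, not just the first).
validate_auth_inputs() {
  use_oidc="$1"; role_arn="$2"; oidc_role_arn="$3"; access_key="$4"; secret_key="$5"
  failed=0
  if [ "$use_oidc" = "true" ]; then
    # OIDC path: both roles of the two-step assumption chain must be given.
    [ -n "$oidc_role_arn" ] || fail "githubOIDCRoleArn input is required when useOIDC is true"
    [ -n "$role_arn" ]      || fail "awsRoleArn input is required when useOIDC is true"
    # Long-lived keys are unused on this path; warn so callers stop passing them.
    if [ -n "$access_key" ] || [ -n "$secret_key" ]; then
      printf '::warning::%s\n' "awsAccessKeyId/awsSecretAccessKey are not used when useOIDC is true" >&2
    fi
  else
    # Static-credential path: the now-optional secrets become mandatory.
    [ -n "$access_key" ] || fail "awsAccessKeyId secret is required when useOIDC is false"
    [ -n "$secret_key" ] || fail "awsSecretAccessKey secret is required when useOIDC is false"
    [ -n "$role_arn" ]   || fail "awsRoleArn input is required when useOIDC is false"
  fi
  return "$failed"
}
```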

@jirimoravcik jirimoravcik merged commit 974611a into main Mar 11, 2026
2 of 3 checks passed
@jirimoravcik jirimoravcik deleted the feat/support-oidc-invalidate-cloudfront branch March 11, 2026 09:39
@seyhello seyhello added the validated Issues that are resolved and their solutions fulfill the acceptance criteria. label Mar 11, 2026
