chore(CI): update template and workflows

.github/workflows/duvet.yaml

@@ -20,13 +20,13 @@ jobs:
       DOTNET_CLI_TELEMETRY_OPTOUT: 1
       DOTNET_NOLOGO: 1
     steps:
+      - name: Support longpaths on Git checkout
+        run: |
+          git config --global core.longpaths true
+
       - uses: actions/checkout@v3
         with:
-          # This secret is in the configured environment
-          # Token created on # 12/14/2022
-          # expires in ~30 days 01/13/2023
-          token: ${{ secrets.PAT_SPEC }}
-          submodules: true
+         submodules: true
 
       - name: Install duvet
         shell: bash

.github/workflows/library_dafny_verification.yml

@@ -41,15 +41,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: Init Submodules
-        env:
-          # This secret is in the configured environment
-          # Token created on # 09/26/2023
-          # expires in ~30 days 10/26/2023
-          MPL_PAT: ${{ secrets.MPL_DAFNY }}
         run: |
-            AUTH="$(echo -n "pat:${MPL_PAT}" | base64 | tr -d '\n')"
-            git config --global http.https://github.com/.extraheader "AUTHORIZATION: basic $AUTH"
-            git config --global --add url.https://github.com/.insteadOf git@github.com:
             git submodule update --init libraries
             git submodule update --init --recursive mpl
 

.github/workflows/library_net_tests.yml

@@ -54,23 +54,15 @@ jobs:
       - uses: actions/checkout@v2
       - name: Init Submodules
         shell: bash
-        env:
-          # This secret is in the configured environment
-          # Token created on # 09/26/2023
-          # expires in ~30 days 10/26/2023
-          MPL_PAT: ${{ secrets.MPL_DAFNY }}
         run: |
-          AUTH="$(echo -n "pat:${MPL_PAT}" | base64 | tr -d '\n')"
-          git config --global http.https://github.com/.extraheader "AUTHORIZATION: basic $AUTH"
-          git config --global --add url.https://github.com/.insteadOf git@github.com:
           git submodule update --init libraries
           git submodule update --init --recursive mpl
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v1
         with:
           aws-region: us-west-2
-          role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-ESDK-Dafny-Role-us-west-2
+          role-to-assume: arn:aws:iam::370957321024:role/GitHub-CI-Public-ESDK-Dafny-Role-us-west-2
           role-session-name: NetTests
 
       - name: Setup .NET Core SDK ${{ matrix.dotnet-version }}

cfn/CI.yaml

@@ -13,197 +13,23 @@ Parameters:
   ProjectName:
     Type: String
     Description: A prefix that will be applied to any names
-    Default: ESDK-Dafny
+    Default: Public-ESDK-Dafny
   GitHubRepo:
     Type: String
     Description: GitHub Repo that invokes CI
-    Default: aws/private-aws-encryption-sdk-dafny-staging
+    Default: aws/aws-encryption-sdk-dafny
 
 Resources:
-  KeyStoreTestTable:
-    Type: AWS::DynamoDB::Table
-    Properties:
-      AttributeDefinitions:
-        - AttributeName: "branch-key-id"
-          AttributeType: "S"
-        - AttributeName: "type"
-          AttributeType: "S"
-        - AttributeName: "status"
-          AttributeType: "S"
-      KeySchema:
-        - AttributeName: "branch-key-id"
-          KeyType: "HASH"
-        - AttributeName: "type"
-          KeyType: "RANGE"
-      ProvisionedThroughput:
-        ReadCapacityUnits: "5"
-        WriteCapacityUnits: "5"
-      TableName: !Ref KeyStoreTable
-      GlobalSecondaryIndexes:
-      - IndexName: !Sub "Active-Keys"
-        KeySchema:
-          - AttributeName: "branch-key-id"
-            KeyType: "HASH"
-          - AttributeName: "status"
-            KeyType: "RANGE"
-        Projection:
-          ProjectionType: "ALL"
-        ProvisionedThroughput:
-          ReadCapacityUnits: "5"
-          WriteCapacityUnits: "5"
-
-  HierarchicalKeyringTestTable:
-    Type: AWS::DynamoDB::Table
-    Properties:
-      AttributeDefinitions:
-        - AttributeName: "branch-key-id"
-          AttributeType: "S"
-        - AttributeName: "version"
-          AttributeType: "S"
-        - AttributeName: "status"
-          AttributeType: "S"
-      KeySchema:
-        - AttributeName: "branch-key-id"
-          KeyType: "HASH"
-        - AttributeName: "version"
-          KeyType: "RANGE"
-      ProvisionedThroughput:
-        ReadCapacityUnits: "5"
-        WriteCapacityUnits: "5"
-      TableName: !Ref TableName
-      GlobalSecondaryIndexes:
-      - IndexName: "Active-Keys"
-        KeySchema:
-          - AttributeName: "status"
-            KeyType: "HASH"
-          - AttributeName: "branch-key-id"
-            KeyType: "RANGE"
-        Projection:
-          ProjectionType: "ALL"
-        ProvisionedThroughput:
-          ReadCapacityUnits: "5"
-          WriteCapacityUnits: "5"
-
-  # This policy SHOULD be given to:
-  #  - aws/private-aws-encryption-sdk-dafny-staging
-  #  - ToolsDevelopment
-  HierarchicalKeyringTestTableUsage:
-    Type: "AWS::IAM::ManagedPolicy"
-    Properties:
-      Description: "Allow Read, Write, and Delete of Items in HierarchicalKeyringTestTable"
-      ManagedPolicyName: !Sub "${ProjectName}-DDB-ReadWriteDelete-${AWS::Region}"
-      PolicyDocument:
-        Version: '2012-10-17'
-        Statement:
-          - Effect: Allow
-            Action:
-              - dynamodb:PutItem
-              - dynamodb:DeleteItem
-              - dynamodb:GetItem
-              - dynamodb:Query
-            Resource:
-              - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}"
-              - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}/index/*"
-          - Effect: Allow
-            Action:
-              - dynamodb:DescribeTable
-              - dynamodb:CreateTable
-              - dynamodb:PutItem
-              - dynamodb:DeleteItem
-              - dynamodb:GetItem
-              - dynamodb:Query
-              - dynamodb:ConditionCheckItem
-              - dynamodb:UpdateItem
-            Resource:
-              - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${KeyStoreTable}"
-              - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${KeyStoreTable}/index/*"
-
-
-  HierarchicalGitHubKMSKeyID:
-    Type: 'AWS::KMS::Key'
-    Properties:
-      Description: KMS Key for GitHub Action Workflow
-      Enabled: true
-      KeyPolicy:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Principal:
-              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
-            Action: 'kms:*'
-            Resource: '*'
-
-  KMSUsage:
-    Type: 'AWS::IAM::ManagedPolicy'
-    Properties:
-      PolicyDocument: !Sub |
-        {
-          "Version": "2012-10-17",
-          "Statement": [
-            {
-              "Effect": "Allow",
-              "Action": [
-                "kms:Decrypt",
-                "kms:GenerateDataKeyWithoutPlaintext",
-                "kms:ReEncrypt*"
-              ],
-              "Resource": "arn:aws:kms:*:${AWS::AccountId}:key/${HierarchicalGitHubKMSKeyID}"
-            }
-          ]
-        }
-      ManagedPolicyName: Hierarchical-GitHub-KMS-Key-Policy
-
-  RSAGitHubKMSKeyID:
-    Type: 'AWS::KMS::Key'
-    Properties:
-      Description: KMS RSA Key for GitHub Action Workflow
-      Enabled: true
-      KeyPolicy:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Principal:
-              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
-            Action: 'kms:*'
-            Resource: '*'
-      KeySpec: "RSA_2048"
-      KeyUsage: "ENCRYPT_DECRYPT"
-      MultiRegion: true
-
-  RSAKMSUsage:
-    Type: 'AWS::IAM::ManagedPolicy'
-    Properties:
-      PolicyDocument: !Sub |
-        {
-          "Version": "2012-10-17",
-          "Statement": [
-            {
-              "Effect": "Allow",
-              "Action": [
-                "kms:Encrypt",
-                "kms:Decrypt",
-                "kms:ReEncrypt*",
-                "kms:Generate*",
-                "kms:GetPublicKey",
-                "kms:DescribeKey"
-              ],
-              "Resource": "arn:aws:kms:*:${AWS::AccountId}:key/${RSAGitHubKMSKeyID}"
-            }
-          ]
-        }
-      ManagedPolicyName: RSA-GitHub-KMS-Key-Policy
-
   GitHubCIRole:
     Type: 'AWS::IAM::Role'
     Properties:
       RoleName: !Sub "GitHub-CI-${ProjectName}-Role-${AWS::Region}"
       Description: "Access DDB, KMS, Resources for CI from GitHub"
       ManagedPolicyArns:
-        - "arn:aws:iam::370957321024:policy/PolymorphTestModels-KMS-us-west-2"
-        - !Ref KMSUsage
-        - !Ref RSAKMSUsage  
-        - "arn:aws:iam::370957321024:policy/PolymorphTestModels-DDB-ReadWriteDelete-us-west-2"
-        - !Ref HierarchicalKeyringTestTableUsage
+        - "arn:aws:iam::370957321024:policy/ESDK-Dafny-DDB-ReadWriteDelete-us-west-2"
+        - "arn:aws:iam::370957321024:policy/Hierarchical-GitHub-KMS-Key-Policy"
+        - "arn:aws:iam::370957321024:policy/KMS-Public-CMK-EncryptDecrypt-Key-Access"
+        - "arn:aws:iam::370957321024:policy/RSA-GitHub-KMS-Key-Policy"
       AssumeRolePolicyDocument: !Sub |
         {
           "Version": "2012-10-17",