Fix AWS S3 CLI error: Unable to locate credentials ...

input-output-hk · Mar 16, 2023 · 4418731 · 4418731
1 parent edcc33e
commit 4418731
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 21 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,13 +1,14 @@
 # This is a basic workflow to help you get started with Actions
 
-name: prebuild devx closures
+name: Prebuild DevX closures
 
 # Controls when the workflow will run
 on:
   # Triggers the workflow on push or pull request events but only for the "master" branch
-  push:
-    branches:
-      - main
+  # FIXME: disabled while working on it ...
+  # push:
+  #   branches:
+  #     - main
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
@@ -21,11 +22,17 @@ jobs:
         uses: cachix/install-nix-action@v17
         with:
           extra_nix_config: |
-            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= loony-tools:pr9m4BkM/5/eSTZlkQyRt57Jz7OMBxNSUiMC4FkcNfk= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= loony-tools:pr9m4BkM/5/eSTZlkQyRt57Jz7OMBxNSUiMC4FkcNfk= s3.zw3rk.com:fx41B+c2mUAvQt+wgzD0g/SBesJhUiShi0s6dV549Co=
             substituters = https://cache.iog.io/ https://cache.zw3rk.com/ https://cache.nixos.org/
-
+          nix_path: nixpkgs=channel:nixos-unstable
+      # TODO: @angerman do we want to cache /nix/store as a GitHub Action build artifact?
+      # https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts
       - name: Checkout repository
         uses: actions/checkout@v3
-
       - name: Compute and upload closure and developer environment on a custom S3 bucket
-        run: ./extra/s3-uploads.sh ${{ secrets.KEY_ID }} ${{ secrets.SECRET }} ${{ secrets.SECRET_KEY }}
+        env:
+          # TODO: @angerman better secrets naming?!
+          AWS_ACCESS_KEY_ID: ${{ secrets.KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.SECRET }}
+          NIX_STORE_SECRET_KEY: ${{ secrets.SECRET_KEY }}
+        run: ./extra/s3-uploads.sh
diff --git a/extra/s3-uploads.sh b/extra/s3-uploads.sh
@@ -1,5 +1,6 @@
 #! /usr/bin/env nix-shell
 #! nix-shell -i bash -p awscli zstd
+set -euo pipefail
 
 DEV_SHELLS=(
     "ghc8107"
@@ -13,26 +14,29 @@ DEV_SHELLS=(
     "ghc925-static-minimal"
 )
 
-SYSTEMS=("aarch64-darwin" "aarch64-linux" "x86_64-darwin" "x86_64-linux")
+# TODO: darwin builds need to run non-sandboxed ...
+SYSTEMS=("x86_64-linux") # ("aarch64-darwin" "aarch64-linux" "x86_64-darwin")
 
-# shellcheck disable=SC2034
-AWS_DEFAULT_REGION=us-east-1
-# shellcheck disable=SC2034
-AWS_ACCESS_KEY_ID="$1"
-# shellcheck disable=SC2034
-AWS_SECRET_ACCESS_KEY="$2"
+# `awscli` doesn't seems to provide a stateless mode :')
+aws configure set aws_access_key_id "${AWS_ACCESS_KEY_ID}"
+aws configure set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}"
 
 # Generated with: % nix key generate-secret --key-name s3.zw3rk.com
-echo "$3" > ./secret-key
+echo "${NIX_STORE_SECRET_KEY}" > ./secret-key
 
 for system in "${SYSTEMS[@]}"; do
     for devShell in "${DEV_SHELLS[@]}"; do
-        nix build ".#devShells.${system}.${devShell}"
+        DEV_SHELL="${system}.${devShell}"
+        FLAKE=".#devShells.${DEV_SHELL} --no-write-lock-file --refresh --system ${system} --accept-flake-config"
+        # shellcheck disable=SC2086
+        nix build ${FLAKE}
         nix store sign --key-file ./secret-key --recursive ./result
         # shellcheck disable=SC2046
-        nix-store --export $(nix-store -qR result) | zstd -z8T8 > "${system}.${devShell}.zstd"
-        nix print-dev-env ".#devShells.${system}.${devShell}" > "${system}.${devShell}.sh"
-        aws --endpoint-url https://s3.zw3rk.com s3 cp "./${system}.${devShell}.sh" s3://devx/
-        aws --endpoint-url https://s3.zw3rk.com s3 cp "./${system}.${devShell}.zstd" s3://devx/
+        nix-store --export $(nix-store -qR ./result) | zstd -z8T8 > "${DEV_SHELL}.zstd"
+        # shellcheck disable=SC2086
+        nix print-dev-env ${FLAKE} > "${DEV_SHELL}.sh"
+        aws --endpoint-url https://s3.zw3rk.com s3 cp "./${DEV_SHELL}.zstd" s3://devx/
+        aws --endpoint-url https://s3.zw3rk.com s3 cp "./${DEV_SHELL}.sh" s3://devx/
+        rm result
     done
 done