@d4l3k d4l3k commented Oct 14, 2021

This switches our integration tests to use the GitHub OpenID Connect credentials provider instead of using hard-coded AWS session tokens. This will issue tokens that last for 1 hour so should be a lot more secure (and trackable) than before.

https://awsteele.com/blog/2021/09/15/aws-federation-comes-to-github-actions.html

Test plan:

- CI
- created PR from external repo to verify they can't generate tokens #257
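
An added example, not part of this PR or the TorchX code base: on the AWS side, the role's trust policy decides which repositories' OIDC tokens can be exchanged for credentials, so it is worth auditing alongside the workflow change. The repository name, account ID and both sample policies are constructed, and the expected audience `sts.amazonaws.com` is an assumption about how the workflow requests its token.

```python
GITHUB_OIDC = "token.actions.githubusercontent.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, allowed_repo, audience="sts.amazonaws.com"):
    """Return findings for statements that let GitHub OIDC tokens assume the role."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", []))
                or not any(str(a).endswith("oidc-provider/" + GITHUB_OIDC) for a in federated)):
            continue  # not a GitHub federation statement
        subs, auds = [], []
        for op, keys in stmt.get("Condition", {}).items():
            for key, val in keys.items():
                if op in ("StringEquals", "StringLike") and key == GITHUB_OIDC + ":sub":
                    subs += _as_list(val)
                if op == "StringEquals" and key == GITHUB_OIDC + ":aud":
                    auds += _as_list(val)
        if not subs:
            findings.append(f"statement {i}: no sub condition, any repository's workflow can assume the role")
        for sub in subs:
            # The sub claim looks like repo:<owner>/<repo>:<context>; require our repo as the prefix.
            if not sub.startswith(f"repo:{allowed_repo}:"):
                findings.append(f"statement {i}: sub pattern {sub!r} is not limited to {allowed_repo}")
        if audience not in auds:
            findings.append(f"statement {i}: aud is not pinned to {audience}")
    return findings

def _policy(condition):  # builds a constructed sample trust policy
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

# Constructed samples: a wildcard subject versus one pinned to a single (hypothetical) repository.
WEAK = _policy({"StringLike": {GITHUB_OIDC + ":sub": "repo:*"}})
PINNED = _policy({
    "StringEquals": {GITHUB_OIDC + ":aud": "sts.amazonaws.com"},
    "StringLike": {GITHUB_OIDC + ":sub": "repo:example-org/example-repo:*"}})

if __name__ == "__main__":
    for name, pol in (("WEAK", WEAK), ("PINNED", PINNED)):
        print(name, audit_trust_policy(pol, "example-org/example-repo"))
```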

@d4l3k d4l3k marked this pull request as draft October 14, 2021 20:22
@facebook-github-bot facebook-github-bot added the CLA Signed label Oct 14, 2021
@d4l3k d4l3k force-pushed the oidc branch 2 times, most recently from 5e9819d to a408283 Compare October 14, 2021 20:28
codecov bot commented Oct 14, 2021

Codecov Report

Merging #256 (8d8425b) into main (fcf19f8) will increase coverage by 0.04%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main     #256      +/-   ##
==========================================
+ Coverage   91.56%   91.60%   +0.04%     
==========================================
  Files          60       60              
  Lines        2762     2764       +2     
==========================================
+ Hits         2529     2532       +3     
+ Misses        233      232       -1     
| Impacted Files | Coverage Δ | |
|---|---|---|
| torchx/runner/config.py | 100.00% <0.00%> (ø) | |
| torchx/specs/__init__.py | 88.88% <0.00%> (ø) | |
| torchx/specs/api.py | 99.28% <0.00%> (+<0.01%) | ⬆️ |
| torchx/cli/cmd_run.py | 89.79% <0.00%> (+0.68%) | ⬆️ |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@d4l3k d4l3k force-pushed the oidc branch 10 times, most recently from 191bb98 to 014714a Compare October 14, 2021 22:06
@d4l3k d4l3k marked this pull request as ready for review October 15, 2021 01:04
@facebook-github-bot
@d4l3k has imported this pull request. If you are a Facebook employee, you can view this diff on Phabricator.

@facebook-github-bot
@d4l3k has updated the pull request. You must reimport the pull request before landing.

@facebook-github-bot
@d4l3k merged this pull request in 7195872.

@d4l3k d4l3k deleted the oidc branch October 21, 2021 16:40