CSPL-4201 use OIDC in GitHub pipelines #1630
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…of static credentials - Replaced aws-actions/configure-aws-credentials@v1 with v5 across multiple workflows. - Updated AWS credential configuration to use role-based access with role-to-assume and role-session-name. - Added permissions for contents, packages, and pull-requests in several workflows.
…ase branch - Added CSPL-4201-pipeline-tests-base branch to the trigger conditions for multiple workflows including build-test-push, distroless integration tests, helm tests, and various integration tests for Azure and GCP.
…eout settings - Added role-duration-seconds parameter to AWS credential configurations across multiple workflows. - Increased timeout settings for integration and smoke tests to 420 minutes and 360 minutes respectively in various workflows.
- Added 'id-token: write' permission to the build-test-push workflow for enhanced security and access control.
…bserved values Reduce timeout settings across multiple GitHub Actions workflows for integration and smoke tests from 360/420 minutes to 240 minutes, optimizing resource usage and execution time.
…redentials - Added environment variables TEST_S3_ACCESS_KEY_ID and TEST_S3_SECRET_ACCESS_KEY to multiple workflows for integration and smoke tests, allowing for optional overrides of AWS credentials. - Updated test scripts to utilize these environment variables when creating S3 secrets, enhancing flexibility and security in credential management.
…ests - Changed skipLogOutput from true to false in the S3 copy command for multiple helm test YAML files, ensuring that log output is captured during execution for better debugging and monitoring.
Switch to newest LTS version
…ons [added for debug]
Collaborator
Pull Request Test Coverage Report for Build 19769455144Details
💛 - Coveralls |
kubabuczak
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CSPL-4201: Migrate GitHub Actions to OIDC Authenticationa
Overview
Replaces static AWS credentials with OIDC authentication across all GitHub Actions workflows, eliminating long-lived credentials.
Key Changes
GitHub Workflows (24 updated)
aws-actions/configure-aws-credentials@v5id-token: writepermissionTEST_S3_ACCESS_KEY_ID,TEST_S3_SECRET_ACCESS_KEY)Test Infrastructure
test/testenv/testcaseenv.goto support new credential sources (with fallback)Security Benefits
Testing
All workflows tested with OIDC authentication:
ARM Workflows:
Main Workflows:
Required Setup
GitHub Variables:
AWS_ROLE_ARNAWS_REGIONAWS_ROLE_DURATION_SECONDSTEST_S3_ACCESS_KEY_IDGitHub Secrets:
TEST_S3_SECRET_ACCESS_KEYPost-Merge
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY) after 1 week