---
# Copyright 2023 Skyscanner Limited.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
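# Reusable workflow for S3 uploads.
#
# A calling workflow (via `workflow_call`) hands over an artifact it uploaded
# earlier in the same run. This workflow assumes an AWS role through GitHub
# OIDC and copies the artifact's contents to `s3://<BUCKET>/<owner>/<repo>/`.
# The inline session policy narrows the assumed role so that a calling
# repository can only list the bucket and read/write its own prefix.
#
# NOTE(review): the role's trust policy is not visible here. It must still
# restrict the OIDC `sub` / `repository` claims to the intended callers; the
# inline session policy below can only subtract from what the role grants.
name: Upload to S3

on:
  workflow_call:
    inputs:
      dry-run:
        required: false
        type: boolean
        description: Displays the operations that would be performed without actually running them.
        default: false
      artifact-name:
        required: false
        type: string
        description: Name of the artifact to upload.
        default: static-content

# Least privilege: the job only needs to read the repository and mint an
# OIDC token for AWS.
permissions:
  contents: read
  id-token: write

env:
  BUCKET: 'x'
  ROLE_TO_ASSUME: 'arn:aws:iam::####:role/X'
  REGION: 'x-x-#'

jobs:
  bucket-upload:
    runs-on: ubuntu-latest
    steps:
      # Review note: the third-party actions below are referenced by mutable
      # tags (@v6, @v3, @v2.2.0). Pinning each to a full commit SHA is the
      # usual supply-chain hardening for a workflow that holds cloud
      # credentials; the SHAs are not recorded here, so they are left as-is.
      - uses: actions/github-script@v6
        id: prepare-aws-role-session-name
        with:
          # https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
          # RoleSessionName only permits [\w+=,.@-]* and is limited to 64
          # characters. GitHub owner/repo names already satisfy the character
          # set, but a long owner + repo pair can exceed the length and make
          # AssumeRoleWithWebIdentity fail validation, so truncate.
          script: return ("GitHubActions," + context.repo.owner + "@" + context.repo.repo).slice(0, 64)
          result-encoding: string

      - name: Login AWS
        uses: aws-actions/[email protected]
        with:
          role-to-assume: ${{ env.ROLE_TO_ASSUME }}
          role-session-name: ${{ steps.prepare-aws-role-session-name.outputs.result }}
          aws-region: ${{ env.REGION }}
          # The action's default masks the AWS account ID in job logs. This
          # reusable workflow may be called from public repositories, whose
          # logs are world-readable, so the default is kept (the previous
          # revision disabled it with `mask-aws-account-id: 'no'`). The debug
          # step below still prints the assumed role and session name.
          #
          # Session policy: list the bucket, and read/write objects only under
          # the caller's `<owner>/<repo>/` prefix. `github.repository` is the
          # calling repository when this runs as a reusable workflow, so each
          # caller is confined to its own prefix.
          # NOTE(review): the *Acl actions only matter if the bucket still
          # uses ACLs (ObjectOwnership other than BucketOwnerEnforced); if ACLs
          # are disabled on the bucket they can be dropped — not determinable
          # from this file.
          inline-session-policy: >-
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "s3:ListBucket"
                  ],
                  "Resource": [
                    "arn:aws:s3:::${{ env.BUCKET }}"
                  ]
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "s3:GetObject",
                    "s3:GetObjectAcl",
                    "s3:GetObjectVersion",
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                  ],
                  "Resource": [
                    "arn:aws:s3:::${{ env.BUCKET }}/${{ github.repository }}/*"
                  ]
                }
              ]
            }

      # Troubleshooting aid: shows which role/session the job actually got.
      # With account-ID masking left on, the account number is redacted in
      # the log while the role and session name remain visible.
      - name: "Debug: sts get-caller-identity"
        run: |
          aws sts get-caller-identity --output table

      - name: Download artifact
        uses: actions/download-artifact@v3
        with:
          name: ${{ inputs.artifact-name }}
          path: /tmp/bucket-upload/

      - name: List content to be uploaded
        run: ls /tmp/bucket-upload/

      # Expression values are passed to the shell through environment
      # variables rather than interpolated into the script text with `${{ }}`,
      # so the command line cannot be altered by a value's contents. BUCKET
      # comes from the workflow-level `env:`; GITHUB_REPOSITORY is the runner's
      # default variable holding the same value as `github.repository`.
      - name: Upload to S3 bucket
        env:
          DRY_RUN: ${{ inputs.dry-run }}
        run: |
          dry_run_flag=''
          if [ "${DRY_RUN}" = 'true' ]; then
            dry_run_flag='--dryrun'
          fi
          aws s3 cp ${dry_run_flag} --recursive /tmp/bucket-upload/ "s3://${BUCKET}/${GITHUB_REPOSITORY}"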