chore(ci): side-stepping OIDC to unblock nightlies #23167
Merged
benesjan merged 1 commit on May 12, 2026
Reverts OIDC-based AWS auth in the ci-release-publish job back to access key credentials for the v4 backport branch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 12, 2026
benesjan added a commit that referenced this pull request May 12, 2026
## Summary

- Drop OIDC auth from `ci-compat-e2e` and run with `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` instead.
- The OIDC role (`pipeline-exec-aztecprotocol-aztec-packages-heads-next`) has no `ec2:RunInstances` policy attached, so spot requests time out and the on-demand fallback fails with `UnauthorizedOperation`. The job has been failing on every v4 nightly since #22930; `continue-on-error` for `-nightly.` tags has masked it.
- Mirrors c3c1371 (#23167), which applied the same workaround to `ci-release-publish` on this branch.

Example of the failure being patched: https://github.com/AztecProtocol/aztec-packages/actions/runs/25737242295/job/75580441745

## Test plan

- [ ] CI3 on this PR runs to green (regular `ci` job is unaffected — it already uses static keys).
- [ ] Apply the `ci-compat-e2e` label here to exercise the compat-e2e job end-to-end and confirm the EC2 spot/on-demand request succeeds with the static credentials.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
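The `UnauthorizedOperation` failure described in the commit message above can be caught before any spot request is made. The following is an added example, not code from the aztec-packages repository: a preflight that uses an EC2 dry run to test whether the active credentials may call `ec2:RunInstances`. `AMI_ID`, `INSTANCE_TYPE`, the `--run` switch and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: check the EC2 launch permission before the job requests runners.
# Assumes AWS CLI v2 and already-configured credentials (OIDC role or static keys).
# AMI_ID, INSTANCE_TYPE and the "--run" switch are placeholders for this sketch.

# Constructed samples of the two AWS CLI error messages a dry run produces.
SAMPLE_ALLOWED='An error occurred (DryRunOperation) when calling the RunInstances operation: Request would have succeeded, but DryRun flag is set.'
SAMPLE_DENIED='An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation.'

# Map dry-run output to a verdict. With --dry-run, EC2 only performs the
# authorization check and always answers with an error code:
# DryRunOperation means the real call would have been permitted.
classify_dry_run() {
  case "$1" in
    *"(DryRunOperation)"*)       echo allowed ;;
    *"(UnauthorizedOperation)"*) echo denied ;;
    *)                           echo unknown ;;
  esac
}

# Run the dry run as the current principal; succeed only on "allowed".
# Use the same launch parameters as the real request, since IAM conditions
# can make the decision depend on them.
preflight_run_instances() {
  pf_who=$(aws sts get-caller-identity --query Arn --output text 2>&1) || true
  pf_out=$(aws ec2 run-instances --dry-run \
             --image-id "${AMI_ID:-ami-PLACEHOLDER}" \
             --instance-type "${INSTANCE_TYPE:-t3.micro}" 2>&1) || true
  pf_verdict=$(classify_dry_run "$pf_out")
  echo "ec2:RunInstances preflight for ${pf_who}: ${pf_verdict}"
  [ "$pf_verdict" = allowed ]
}

# Only call AWS when asked to, so the file can be sourced or tested offline.
if [ "${1:-}" = "--run" ]; then
  preflight_run_instances
fi
```

Run it as its own step without `continue-on-error`, so a role that lacks the permission fails the job immediately instead of surfacing later as a spot-request timeout.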
rangozd pushed a commit to rangozd/aztec-packages that referenced this pull request May 16, 2026
Forward-ports AztecProtocol#23167 from the v4 backport line onto next. Reverts OIDC-based AWS auth in the ci-release-publish job back to access key credentials to unblock nightlies.
rangozd pushed a commit to rangozd/aztec-packages that referenced this pull request May 16, 2026
…col#23167) (AztecProtocol#23192) Forward-ports AztecProtocol#23167 to `v5` to hopefully get a v5 nightly tomorrow.
rangozd pushed a commit to rangozd/aztec-packages that referenced this pull request May 16, 2026
…3192) (AztecProtocol#23234)

## Summary

- Restores OIDC-based AWS auth in the `ci-release-publish` job, reverting AztecProtocol#23192.
- Re-adds the `permissions: id-token: write / contents: read` block and the `aws-actions/configure-aws-credentials` step using `secrets.AWS_OIDC_ROLE_ARN`.
- Removes the static `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` env vars that AztecProtocol#23192 reintroduced as a workaround.

## Context

AztecProtocol#23192 forward-ported AztecProtocol#23167 to `next` (v5) as a temporary measure to unblock nightlies. This PR moves v5 back onto OIDC now that the underlying issue should be resolved.

## Test plan

- [ ] Confirm a tagged release publish run on this branch authenticates to AWS successfully via OIDC before merging.
A workaround that should hopefully unblock nightlies that are currently not getting released. For more context see this comment on Slack.
## Summary

- `ci-release-publish` job back to using `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets on the v4 backport line.
- `permissions: id-token: write` block and the `aws-actions/configure-aws-credentials` step that the OIDC flow required.