Skip to content

Migrate release workflow auth to deploy key + per-repo FG PAT#2349

Open
AlexDaines wants to merge 1 commit intodevfrom
migrate-release-workflow-auth
Open

Migrate release workflow auth to deploy key + per-repo FG PAT#2349
AlexDaines wants to merge 1 commit intodevfrom
migrate-release-workflow-auth

Conversation

@AlexDaines
Copy link
Copy Markdown
Contributor

@AlexDaines AlexDaines commented Apr 29, 2026

Switches release workflow authentication off the shared FG PAT onto:

  • A per-repo deploy key for git push (via actions/checkout ssh-key auth).
  • A per-repo FG PAT for GitHub API calls (gh pr create, gh release create).

Files changed

.github/workflows/create-release-pr.yml and .github/workflows/sync-master-dev.yml:

  1. AWS Secrets Manager read -- switches from a single shared SM secret to two per-repo SM secrets (prod/devops/aws-lambda-dotnet-deploy-key + prod/devops/aws-lambda-dotnet-fg-pat). Drops parse-json-secrets: true since the new SM secrets are raw strings.
  2. actions/checkout -- switches from token: ${{ env.AWS_SECRET_TOKEN }} to ssh-key: ${{ env.DEPLOY_KEY }}. git push now runs over SSH.
  3. gh CLI calls -- GITHUB_TOKEN env var swaps from ${{ env.AWS_SECRET_TOKEN }} to ${{ env.FG_PAT }}.

Do not merge yet

This PR depends on prod/devops/aws-lambda-dotnet-deploy-key and prod/devops/aws-lambda-dotnet-fg-pat being populated on the bot's credential-storage account by the change-management workstream coordinating this rollout. Merging before then would break the next release run.

Why

Aligns release workflow auth with internal per-repo credential scoping: 120-day FG PAT expiry, minimum scope, deploy-key push, and a DeployKey-bypass branch ruleset replacing the shared-PAT bypass.

@AlexDaines
Migrate release workflow auth to deploy key + per-repo FG PAT
7f88098 
Switches actions/checkout from token-auth (shared PAT) to ssh-key
(per-repo deploy key), and the gh CLI GITHUB_TOKEN from the shared
PAT to a per-repo FG PAT. Both reads pull from per-repo Secrets Manager
secrets (deploy-key + fg-pat).

Depends on per-repo SM secrets being created on the bot account; do not
merge before then or the workflow will fail at next release run.
@AlexDaines AlexDaines requested review from a team as code owners April 29, 2026 02:20
@AlexDaines AlexDaines requested review from GarrettBeatty and normj and removed request for a team April 29, 2026 02:20
@AlexDaines AlexDaines added the Release Not Needed Add this label if a PR does not need to be released. label Apr 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@normj normj Awaiting requested review from normj normj is a code owner automatically assigned from aws/aws-sdk-devex-reviewers

@GarrettBeatty GarrettBeatty Awaiting requested review from GarrettBeatty GarrettBeatty is a code owner automatically assigned from aws/aws-sdk-devex-reviewers

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

Release Not Needed Add this label if a PR does not need to be released.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@AlexDaines