
Commit 703590b

authored
chore(ci): Migrate smp regression workflow auth from static secrets to oidc (#25112)
* migrate smp regression workflow auth to oidc Signed-off-by: Caleb Metz <caleb.metz@datadoghq.com> * increase token duration Signed-off-by: Caleb Metz <caleb.metz@datadoghq.com> * fmt Signed-off-by: Caleb Metz <caleb.metz@datadoghq.com> --------- Signed-off-by: Caleb Metz <caleb.metz@datadoghq.com>
1 parent 738c1d7 commit 703590b

1 file changed

Lines changed: 27 additions & 12 deletions


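--- a/.github/workflows/regression.yml
+++ b/.github/workflows/regression.yml
@@ -278,13 +278,16 @@ jobs:
     needs:
       - should-run-gate
       - resolve-inputs
+    # Job level permissions for downloading SMP binary
+    permissions:
+      id-token: write # Required for GitHub OIDC token exchange
     steps:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
         with:
-          aws-access-key-id: ${{ secrets.SINGLE_MACHINE_PERFORMANCE_BOT_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.SINGLE_MACHINE_PERFORMANCE_BOT_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::850406765696:role/smp-regression-oidc
           aws-region: us-west-2
+          role-duration-seconds: 14400 # 4 hours
 
       - name: Download SMP binary
         run: |
@@ -303,6 +306,9 @@ jobs:
       - resolve-inputs
       - confirm-valid-credentials
       - build-baseline
+    # Job level permissions for uploading baseline image to SMP ECR
+    permissions:
+      id-token: write # Required for GitHub OIDC token exchange
     steps:
       - name: "Download baseline image"
         uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
@@ -316,9 +322,9 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
         with:
-          aws-access-key-id: ${{ secrets.SINGLE_MACHINE_PERFORMANCE_BOT_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.SINGLE_MACHINE_PERFORMANCE_BOT_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::850406765696:role/smp-regression-oidc
           aws-region: us-west-2
+          role-duration-seconds: 14400 # 4 hours
 
       - name: Login to Amazon ECR
         id: login-ecr
@@ -343,6 +349,9 @@ jobs:
       - resolve-inputs
       - confirm-valid-credentials
       - build-comparison
+    # Job level permissions for uploading comparison image to SMP ECR
+    permissions:
+      id-token: write # Required for GitHub OIDC token exchange
     steps:
       - name: "Download comparison image"
         uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
@@ -356,9 +365,9 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
         with:
-          aws-access-key-id: ${{ secrets.SINGLE_MACHINE_PERFORMANCE_BOT_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.SINGLE_MACHINE_PERFORMANCE_BOT_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::850406765696:role/smp-regression-oidc
           aws-region: us-west-2
+          role-duration-seconds: 14400 # 4 hours
 
       - name: Login to Amazon ECR
         id: login-ecr
@@ -387,6 +396,7 @@ jobs:
     permissions:
       contents: read # Required to checkout code
       actions: write # Required to upload artifacts
+      id-token: write # Required for GitHub OIDC token exchange
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -395,9 +405,9 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
         with:
-          aws-access-key-id: ${{ secrets.SINGLE_MACHINE_PERFORMANCE_BOT_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.SINGLE_MACHINE_PERFORMANCE_BOT_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::850406765696:role/smp-regression-oidc
           aws-region: us-west-2
+          role-duration-seconds: 14400 # 4 hours
 
       - name: Login to Amazon ECR
         id: login-ecr
@@ -462,15 +472,19 @@ jobs:
       - submit-job
       - should-run-gate
       - resolve-inputs
+    # Job level permissions for downloading SMP results
+    permissions:
+      contents: read # Required to checkout code
+      id-token: write # Required for GitHub OIDC token exchange
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
         with:
-          aws-access-key-id: ${{ secrets.SINGLE_MACHINE_PERFORMANCE_BOT_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.SINGLE_MACHINE_PERFORMANCE_BOT_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::850406765696:role/smp-regression-oidc
           aws-region: us-west-2
+          role-duration-seconds: 14400 # 4 hours
 
       - name: Download SMP binary
         run: |
@@ -503,6 +517,7 @@ jobs:
     permissions:
       contents: read # Required to checkout code
       actions: write # Required to upload artifacts
+      id-token: write # Required for GitHub OIDC token exchange
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -511,9 +526,9 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
         with:
-          aws-access-key-id: ${{ secrets.SINGLE_MACHINE_PERFORMANCE_BOT_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.SINGLE_MACHINE_PERFORMANCE_BOT_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::850406765696:role/smp-regression-oidc
           aws-region: us-west-2
+          role-duration-seconds: 14400 # 4 hours
 
       - name: Download SMP binary
         run: |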
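Review bot: `role-duration-seconds: 14400` is applied identically to all six Configure AWS Credentials steps (hunks at 288, 325, 368, 408, 485 and 529), including the jobs whose visible work is a single binary download, so the STS session can outlive the job it was minted for; sizing the duration per job, or pinning each job's `timeout-minutes` to match, keeps the credential window to what the work needs. A value above the role's MaxSessionDuration (1 hour by default) is also rejected by STS at assume time, so the role configuration must have been raised accordingly or these steps fail on the first run. With the static keys gone, the repository and branch scoping that the secret implicitly provided now lives entirely in the trust policy of `smp-regression-oidc` (its condition on the OIDC `sub` claim), which this diff cannot show; recording that dependency next to the ARN, e.g. `# Trust policy on this role must scope the OIDC sub claim to this repository`, tells the next maintainer where the access boundary actually is. The jobs that gained a `permissions:` block holding only `id-token: write` (hunks at 281, 309 and 352) now have every other GITHUB_TOKEN scope reduced to none; the two that run actions/download-artifact appear to need no further scope for same-run artifacts, but that is worth confirming from a green run rather than assuming.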
