Github-AWS openId

see https://bugtracker.codiodev.com/issue/codio-17207
2025-10-24 12:14:39 +01:00 · 2025-10-24 12:14:39 +01:00 · fbef827a8c
parent 719e1df166
commit fbef827a8c
3 changed files with 18 additions and 16 deletions
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@ -10,7 +10,7 @@ jobs:
  npm:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - run: |
          GITREV=$(git rev-parse --short HEAD)
          echo $GITREV
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -3,15 +3,26 @@ on:
  release:
    types: [created]

+permissions:
+  contents: write
+  id-token: write
+
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5.1.0
+        with:
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::028537455170:role/Github/GithubAssetsUploadRole_jvm-oom-handler
+          role-session-name: GithubAction

      - name: Upload to s3
-        run: ./uploadToS3.sh "${{ secrets.ASSETS_UPLOADER_KEY }}" "${{ secrets.ASSETS_UPLOADER_SECRET }}" "${{ github.event.release.tag_name }}"
+        run: ./uploadToS3.sh "${{ github.event.release.tag_name }}"

      - name: Slack
        uses: codio/codio-slack-action@master
--- a/uploadToS3.sh
+++ b/uploadToS3.sh
@ -1,9 +1,7 @@
 #!/bin/bash
 set -xe

-s3Key=$1
-s3Secret=$2
-tag=$3
+tag=$1
 folder="noVNC"
 cdn="\/\/static-assets.codio.com\/${folder}\/${tag}"

@ -62,16 +60,9 @@ uploadFile () {
  fName="${file#./}"
  contentType=$2
  bucket="codio-assets"
-  resource="/${bucket}/${folder}/${tag}/${fName}"
-  dateValue=$(date -R)
-  stringToSign="PUT\n\n${contentType}\n${dateValue}\n${resource}"
-  signature=$(echo -en "${stringToSign}" | openssl sha1 -hmac "${s3Secret}" -binary | base64)
-  curl -X PUT -T "${file}" \
-    -H "Host: ${bucket}.s3.amazonaws.com" \
-    -H "Date: ${dateValue}" \
-    -H "Content-Type: ${contentType}" \
-    -H "Authorization: AWS ${s3Key}:${signature}" \
-    https://${bucket}.s3.amazonaws.com/"${folder}"/"${tag}"/"${fName}" || exit 1
+  resource="s3://${bucket}/${folder}/${tag}/${fName}"
+
+  aws s3 cp "${file}" "${resource}" --cache-control no-cache --content-type "${contentType}"
 }

 prepareSources