fix(stacks.api): oidc auth prior to synth #5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # AUTOMATICALLY GENERATED FILE, DO NOT EDIT MANUALLY. | |
| # Generated by AWS CDK and [cdk-pipelines-github](https://github.com/cdklabs/cdk-pipelines-github) | |
| name: deploy | |
| on: | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: {} | |
| jobs: | |
| Build-crisiscleanup-infra-pipeline-synth: | |
| name: Synthesize | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| needs: [] | |
| env: | |
| GIGET_AUTH: ${{ secrets.GIGET_AUTH }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Authenticate Via OIDC Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GithubActionsRole | |
| role-session-name: gh-actions-infrastructure | |
| - name: Install | |
| run: >- | |
| n stable | |
| echo Installing Sops... | |
| curl -L https://github.com/mozilla/sops/releases/download/v3.7.3/sops-v3.7.3.linux -o sops | |
| chmod 755 sops | |
| mv sops /usr/local/bin | |
| sops --version | |
| echo Installing Helm... | |
| curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | |
| chmod 700 get_helm.sh | |
| ./get_helm.sh | |
| helm version | |
| npm install -g pnpm [email protected] | |
| pnpm install | |
| - name: Build | |
| run: |- | |
| pnpm build | |
| pnpm -F 'stacks.api' run synth:silent | |
| cp -r packages/stacks/api/cdk.out ./cdk.out | |
| - name: Upload cdk.out | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: cdk.out | |
| path: cdk.out | |
| Assets-FileAsset1: | |
| name: Publish Assets Assets-FileAsset1 | |
| needs: | |
| - Build-crisiscleanup-infra-pipeline-synth | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| asset-hash: ${{ steps.Publish.outputs.asset-hash }} | |
| steps: | |
| - name: Download cdk.out | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cdk.out | |
| path: cdk.out | |
| - name: Install | |
| run: npm install --no-save cdk-assets | |
| - name: Authenticate Via OIDC Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GithubActionsRole | |
| role-session-name: gh-actions-infrastructure | |
| - id: Publish | |
| name: Publish Assets-FileAsset1 | |
| run: /bin/bash ./cdk.out/publish-Assets-FileAsset1-step.sh | |
| Assets-FileAsset10: | |
| name: Publish Assets Assets-FileAsset10 | |
| needs: | |
| - Build-crisiscleanup-infra-pipeline-synth | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| asset-hash: ${{ steps.Publish.outputs.asset-hash }} | |
| steps: | |
| - name: Download cdk.out | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cdk.out | |
| path: cdk.out | |
| - name: Install | |
| run: npm install --no-save cdk-assets | |
| - name: Authenticate Via OIDC Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GithubActionsRole | |
| role-session-name: gh-actions-infrastructure | |
| - id: Publish | |
| name: Publish Assets-FileAsset10 | |
| run: /bin/bash ./cdk.out/publish-Assets-FileAsset10-step.sh | |
| Assets-FileAsset11: | |
| name: Publish Assets Assets-FileAsset11 | |
| needs: | |
| - Build-crisiscleanup-infra-pipeline-synth | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| asset-hash: ${{ steps.Publish.outputs.asset-hash }} | |
| steps: | |
| - name: Download cdk.out | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cdk.out | |
| path: cdk.out | |
| - name: Install | |
| run: npm install --no-save cdk-assets | |
| - name: Authenticate Via OIDC Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GithubActionsRole | |
| role-session-name: gh-actions-infrastructure | |
| - id: Publish | |
| name: Publish Assets-FileAsset11 | |
| run: /bin/bash ./cdk.out/publish-Assets-FileAsset11-step.sh | |
| Assets-FileAsset12: | |
| name: Publish Assets Assets-FileAsset12 | |
| needs: | |
| - Build-crisiscleanup-infra-pipeline-synth | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| asset-hash: ${{ steps.Publish.outputs.asset-hash }} | |
| steps: | |
| - name: Download cdk.out | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cdk.out | |
| path: cdk.out | |
| - name: Install | |
| run: npm install --no-save cdk-assets | |
| - name: Authenticate Via OIDC Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GithubActionsRole | |
| role-session-name: gh-actions-infrastructure | |
| - id: Publish | |
| name: Publish Assets-FileAsset12 | |
| run: /bin/bash ./cdk.out/publish-Assets-FileAsset12-step.sh | |
| Assets-FileAsset13: | |
| name: Publish Assets Assets-FileAsset13 | |
| needs: | |
| - Build-crisiscleanup-infra-pipeline-synth | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| asset-hash: ${{ steps.Publish.outputs.asset-hash }} | |
| steps: | |
| - name: Download cdk.out | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cdk.out | |
| path: cdk.out | |
| - name: Install | |
| run: npm install --no-save cdk-assets | |
| - name: Authenticate Via OIDC Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GithubActionsRole | |
| role-session-name: gh-actions-infrastructure | |
| - id: Publish | |
| name: Publish Assets-FileAsset13 | |
| run: /bin/bash ./cdk.out/publish-Assets-FileAsset13-step.sh | |
| Assets-FileAsset2: | |
| name: Publish Assets Assets-FileAsset2 | |
| needs: | |
| - Build-crisiscleanup-infra-pipeline-synth | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| asset-hash: ${{ steps.Publish.outputs.asset-hash }} | |
| steps: | |
| - name: Download cdk.out | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cdk.out | |
| path: cdk.out | |
| - name: Install | |
| run: npm install --no-save cdk-assets | |
| - name: Authenticate Via OIDC Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GithubActionsRole | |
| role-session-name: gh-actions-infrastructure | |
| - id: Publish | |
| name: Publish Assets-FileAsset2 | |
| run: /bin/bash ./cdk.out/publish-Assets-FileAsset2-step.sh | |
| Assets-FileAsset3: | |
| name: Publish Assets Assets-FileAsset3 | |
| needs: | |
| - Build-crisiscleanup-infra-pipeline-synth | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| asset-hash: ${{ steps.Publish.outputs.asset-hash }} | |
| steps: | |
| - name: Download cdk.out | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cdk.out | |
| path: cdk.out | |
| - name: Install | |
| run: npm install --no-save cdk-assets | |
| - name: Authenticate Via OIDC Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GithubActionsRole | |
| role-session-name: gh-actions-infrastructure | |
| - id: Publish | |
| name: Publish Assets-FileAsset3 | |
| run: /bin/bash ./cdk.out/publish-Assets-FileAsset3-step.sh | |
| Assets-FileAsset4: | |
| name: Publish Assets Assets-FileAsset4 | |
| needs: | |
| - Build-crisiscleanup-infra-pipeline-synth | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| asset-hash: ${{ steps.Publish.outputs.asset-hash }} | |
| steps: | |
| - name: Download cdk.out | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cdk.out | |
| path: cdk.out | |
| - name: Install | |
| run: npm install --no-save cdk-assets | |
| - name: Authenticate Via OIDC Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GithubActionsRole | |
| role-session-name: gh-actions-infrastructure | |
| - id: Publish | |
| name: Publish Assets-FileAsset4 | |
| run: /bin/bash ./cdk.out/publish-Assets-FileAsset4-step.sh | |
| Assets-FileAsset5: | |
| name: Publish Assets Assets-FileAsset5 | |
| needs: | |
| - Build-crisiscleanup-infra-pipeline-synth | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| asset-hash: ${{ steps.Publish.outputs.asset-hash }} | |
| steps: | |
| - name: Download cdk.out | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cdk.out | |
| path: cdk.out | |
| - name: Install | |
| run: npm install --no-save cdk-assets | |
| - name: Authenticate Via OIDC Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GithubActionsRole | |
| role-session-name: gh-actions-infrastructure | |
| - id: Publish | |
| name: Publish Assets-FileAsset5 | |
| run: /bin/bash ./cdk.out/publish-Assets-FileAsset5-step.sh | |
| Assets-FileAsset6: | |
| name: Publish Assets Assets-FileAsset6 | |
| needs: | |
| - Build-crisiscleanup-infra-pipeline-synth | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| asset-hash: ${{ steps.Publish.outputs.asset-hash }} | |
| steps: | |
| - name: Download cdk.out | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cdk.out | |
| path: cdk.out | |
| - name: Install | |
| run: npm install --no-save cdk-assets | |
| - name: Authenticate Via OIDC Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GithubActionsRole | |
| role-session-name: gh-actions-infrastructure | |
| - id: Publish | |
| name: Publish Assets-FileAsset6 | |
| run: /bin/bash ./cdk.out/publish-Assets-FileAsset6-step.sh | |
| Assets-FileAsset7: | |
| name: Publish Assets Assets-FileAsset7 | |
| needs: | |
| - Build-crisiscleanup-infra-pipeline-synth | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| asset-hash: ${{ steps.Publish.outputs.asset-hash }} | |
| steps: | |
| - name: Download cdk.out | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cdk.out | |
| path: cdk.out | |
| - name: Install | |
| run: npm install --no-save cdk-assets | |
| - name: Authenticate Via OIDC Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GithubActionsRole | |
| role-session-name: gh-actions-infrastructure | |
| - id: Publish | |
| name: Publish Assets-FileAsset7 | |
| run: /bin/bash ./cdk.out/publish-Assets-FileAsset7-step.sh | |
| Assets-FileAsset8: | |
| name: Publish Assets Assets-FileAsset8 | |
| needs: | |
| - Build-crisiscleanup-infra-pipeline-synth | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| asset-hash: ${{ steps.Publish.outputs.asset-hash }} | |
| steps: | |
| - name: Download cdk.out | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cdk.out | |
| path: cdk.out | |
| - name: Install | |
| run: npm install --no-save cdk-assets | |
| - name: Authenticate Via OIDC Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GithubActionsRole | |
| role-session-name: gh-actions-infrastructure | |
| - id: Publish | |
| name: Publish Assets-FileAsset8 | |
| run: /bin/bash ./cdk.out/publish-Assets-FileAsset8-step.sh | |
| Assets-FileAsset9: | |
| name: Publish Assets Assets-FileAsset9 | |
| needs: | |
| - Build-crisiscleanup-infra-pipeline-synth | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| outputs: | |
| asset-hash: ${{ steps.Publish.outputs.asset-hash }} | |
| steps: | |
| - name: Download cdk.out | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: cdk.out | |
| path: cdk.out | |
| - name: Install | |
| run: npm install --no-save cdk-assets | |
| - name: Authenticate Via OIDC Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GithubActionsRole | |
| role-session-name: gh-actions-infrastructure | |
| - id: Publish | |
| name: Publish Assets-FileAsset9 | |
| run: /bin/bash ./cdk.out/publish-Assets-FileAsset9-step.sh | |
| development-development-blueprint-Deploy: | |
| name: Deploy | |
| crisiscleanupinfrapipelinestackdevelopmentdevelopmentblueprint44D37614 | |
| permissions: | |
| contents: read | |
| id-token: write | |
| environment: | |
| name: development | |
| url: https://app.dev.crisiscleanup.io | |
| needs: | |
| - Build-crisiscleanup-infra-pipeline-synth | |
| - Assets-FileAsset1 | |
| - Assets-FileAsset2 | |
| - Assets-FileAsset3 | |
| - Assets-FileAsset4 | |
| - Assets-FileAsset5 | |
| - Assets-FileAsset6 | |
| - Assets-FileAsset7 | |
| - Assets-FileAsset8 | |
| - Assets-FileAsset9 | |
| - Assets-FileAsset10 | |
| - Assets-FileAsset11 | |
| - Assets-FileAsset12 | |
| - Assets-FileAsset13 | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Authenticate Via OIDC Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GithubActionsRole | |
| role-session-name: gh-actions-infrastructure | |
| - name: Assume CDK Deploy Role | |
| uses: aws-actions/configure-aws-credentials@v1-node16 | |
| with: | |
| aws-region: us-east-1 | |
| role-duration-seconds: 1800 | |
| role-skip-session-tagging: true | |
| aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }} | |
| aws-session-token: ${{ env.AWS_SESSION_TOKEN }} | |
| role-to-assume: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}:role/cdk-hnb659fds-deploy-role-${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}-us-east-1 | |
| role-external-id: Pipeline | |
| - id: Deploy | |
| uses: aws-actions/[email protected] | |
| with: | |
| name: development-development-blueprint | |
| template: https://cdk-hnb659fds-assets-${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}-us-east-1.s3.us-east-1.amazonaws.com/${{ | |
| needs.Assets-FileAsset1.outputs.asset-hash }}.json | |
| no-fail-on-empty-changeset: "1" | |
| role-arn: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}:role/cdk-hnb659fds-cfn-exec-role-${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}-us-east-1 |