From 8476565ebbbc12d450c67ce09b2b5fb5cc9e040d Mon Sep 17 00:00:00 2001 From: Siddharth Venkatesan Date: Tue, 10 Sep 2024 10:21:20 -0700 Subject: [PATCH] [ci] moving to temporary iam credentials for publishing steps (#3462) --- .github/workflows/docker_publish.yml | 7 ++-- .github/workflows/docs.yml | 7 ++-- .github/workflows/native_jni_s3_pytorch.yml | 33 +++++++++++-------- .../native_jni_s3_pytorch_android.yml | 7 ++-- .github/workflows/native_jni_s3_tensorrt.yml | 9 +++-- .github/workflows/native_s3_fasttext.yml | 14 ++++---- .github/workflows/native_s3_huggingface.yml | 29 +++++++++------- .github/workflows/native_s3_pytorch.yml | 7 ++-- .../workflows/native_s3_pytorch_android.yml | 7 ++-- .github/workflows/native_s3_sentencepiece.yml | 20 +++++------ .github/workflows/native_s3_tensorflow.yml | 7 ++-- .github/workflows/native_s3_xgboost.yml | 9 +++-- .github/workflows/nightly_publish.yml | 6 ---- .github/workflows/serving_publish.yml | 7 ++-- 14 files changed, 103 insertions(+), 66 deletions(-) diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml index b60a9cad827..86dc0becf73 100644 --- a/.github/workflows/docker_publish.yml +++ b/.github/workflows/docker_publish.yml @@ -10,6 +10,10 @@ on: required: true default: 'nightly' +permissions: + id-token: write + contents: read + jobs: publish: if: github.repository == 'deepjavalibrary/djl' @@ -21,8 +25,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Login to Amazon ECR id: login-ecr diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index d0f6e8bd171..5aa529dacb1 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -10,6 +10,10 @@ on: default: master required: false +permissions: + id-token: write + contents: read + jobs: documentation: if: github.repository == 'deepjavalibrary/djl' @@ -85,8 +89,7 @@ jobs: - name: Configure Deployment AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI diff --git a/.github/workflows/native_jni_s3_pytorch.yml b/.github/workflows/native_jni_s3_pytorch.yml index 81e6a96696a..79639623cc8 100644 --- a/.github/workflows/native_jni_s3_pytorch.yml +++ b/.github/workflows/native_jni_s3_pytorch.yml @@ -13,6 +13,10 @@ on: schedule: - cron: '0 5 * * *' +permissions: + id-token: write + contents: read + jobs: build-pytorch-jni-linux: if: github.repository == 'deepjavalibrary/djl' @@ -55,10 +59,9 @@ jobs: ./gradlew :engines:pytorch:pytorch-native:compileJNI -Pprecxx11 -Pcuda=$CUDA_VERSION -Ppt_version=$PYTORCH_VERSION ./gradlew :engines:pytorch:pytorch-native:cleanJNI - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v3 + uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | @@ -74,8 +77,6 @@ jobs: image: amazonlinux:2 env: JAVA_HOME: /usr/lib/jvm/java-17-amazon-corretto - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} timeout-minutes: 30 needs: create-aarch64-runner steps: @@ -101,6 +102,11 @@ jobs: ./gradlew :engines:pytorch:pytorch-native:compileJNI -Pprecxx11 -Ppt_version=$PYTORCH_VERSION export PYTORCH_PRECXX11=true ./gradlew -Pjni -Ppt_version=$PYTORCH_VERSION :integration:test "-Dai.djl.default_engine=PyTorch" + - name: Configure Deployment AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role + aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | PYTORCH_VERSION=${{ github.event.inputs.pt_version }} @@ -148,11 +154,10 @@ jobs: set CUDA_VERSION=${{ github.event.inputs.cuda }} if "%CUDA_VERSION%" == "" set CUDA_VERSION=cu124 gradlew :engines:pytorch:pytorch-native:cleanJNI :engines:pytorch:pytorch-native:compileJNI -Pcuda=%CUDA_VERSION% -Ppt_version=${{ github.event.inputs.pt_version }} - - name: Configure AWS Credentials + - name: Configure Deployment AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI shell: bash @@ -187,11 +192,10 @@ jobs: echo $PYTORCH_VERSION ./gradlew :engines:pytorch:pytorch-native:compileJNI -Ppt_version=$PYTORCH_VERSION ./gradlew -Pjni -Ppt_version=$PYTORCH_VERSION :integration:test "-Dai.djl.default_engine=PyTorch" - - name: Configure AWS Credentials + - name: Configure Deployment AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI shell: bash @@ -224,8 +228,6 @@ jobs: image: amazonlinux:2 env: JAVA_HOME: /usr/lib/jvm/java-17-amazon-corretto.aarch64 - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} timeout-minutes: 30 needs: create-aarch64-runner steps: @@ -250,6 +252,11 @@ jobs: echo $PYTORCH_VERSION ./gradlew :engines:pytorch:pytorch-native:compileJNI -Pprecxx11 -Ppt_version=$PYTORCH_VERSION ./gradlew -Pjni -Ppt_version=$PYTORCH_VERSION :integration:test "-Dai.djl.default_engine=PyTorch" + - name: Configure Deployment AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role + aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | PYTORCH_VERSION=${{ github.event.inputs.pt_version }} diff --git a/.github/workflows/native_jni_s3_pytorch_android.yml b/.github/workflows/native_jni_s3_pytorch_android.yml index edf8e80c3b1..a73fd666cc6 100644 --- a/.github/workflows/native_jni_s3_pytorch_android.yml +++ b/.github/workflows/native_jni_s3_pytorch_android.yml @@ -5,6 +5,10 @@ on: schedule: - cron: '0 6 * * *' +permissions: + id-token: write + contents: read + jobs: build-pytorch-jni-android: if: github.repository == 'deepjavalibrary/djl' @@ -35,8 +39,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | diff --git a/.github/workflows/native_jni_s3_tensorrt.yml b/.github/workflows/native_jni_s3_tensorrt.yml index fc658b7b037..5285e837ed7 100644 --- a/.github/workflows/native_jni_s3_tensorrt.yml +++ b/.github/workflows/native_jni_s3_tensorrt.yml @@ -3,6 +3,10 @@ name: Native JNI S3 TensorRT on: workflow_dispatch: +permissions: + id-token: write + contents: read + jobs: build-tensorrt-jni-linux: runs-on: ubuntu-latest @@ -25,10 +29,9 @@ jobs: - name: Release JNI prep run: ./gradlew :engines:tensorrt:compileJNI - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v3 + uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | diff --git a/.github/workflows/native_s3_fasttext.yml b/.github/workflows/native_s3_fasttext.yml index 9a2a4c704e5..0f82a66152e 100644 --- a/.github/workflows/native_s3_fasttext.yml +++ b/.github/workflows/native_s3_fasttext.yml @@ -3,6 +3,10 @@ name: Native S3 fastText on: workflow_dispatch: +permissions: + id-token: write + contents: read + jobs: build-fasttext-jni-linux: runs-on: ubuntu-latest @@ -33,10 +37,9 @@ jobs: ./gradlew :extensions:fasttext:compileJNI ./gradlew -Pjni :extensions:fasttext:test - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | @@ -64,11 +67,10 @@ jobs: run: | ./gradlew :extensions:fasttext:compileJNI ./gradlew -Pjni :extensions:fasttext:test - - name: Configure AWS Credentials + - name: Configure Deployment AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | diff --git a/.github/workflows/native_s3_huggingface.yml b/.github/workflows/native_s3_huggingface.yml index 819407c5b91..e635c540399 100644 --- a/.github/workflows/native_s3_huggingface.yml +++ b/.github/workflows/native_s3_huggingface.yml @@ -8,6 +8,10 @@ on: paths: - extensions/tokenizers/rust/** +permissions: + id-token: write + contents: read + jobs: build-tokenizers-jni-linux: runs-on: ubuntu-latest @@ -15,8 +19,6 @@ jobs: image: amazonlinux:2 env: JAVA_HOME: /usr/lib/jvm/java-17-amazon-corretto - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - name: Install Environment run: | @@ -35,6 +37,11 @@ jobs: - name: Build djl-converter wheel working-directory: extensions/tokenizers/src/main/python/ run: ./setup.py bdist_wheel + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role + aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | DJL_VERSION=$(awk -F '=' '/djl / {gsub(/ ?"/, "", $2); print $2}' gradle/libs.versions.toml) @@ -73,8 +80,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI shell: bash @@ -111,8 +117,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI shell: bash @@ -157,8 +162,6 @@ jobs: image: amazonlinux:2 env: JAVA_HOME: /usr/lib/jvm/java-17-amazon-corretto.aarch64 - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - name: Install Environment run: | @@ -174,6 +177,11 @@ jobs: source "$HOME/.cargo/env" ./gradlew :extensions:tokenizers:compileJNI PYTORCH_PRECXX11=true ./gradlew -Pjni :extensions:tokenizers:test + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role + aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | DJL_VERSION=$(awk -F '=' '/djl / {gsub(/ ?"/, "", $2); print $2}' gradle/libs.versions.toml) @@ -217,10 +225,9 @@ jobs: . "$HOME/.cargo/env" ./gradlew :extensions:tokenizers:compileJNI -Pcuda=${{ env.CUDA_VERSION }} - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | diff --git a/.github/workflows/native_s3_pytorch.yml b/.github/workflows/native_s3_pytorch.yml index d8e9747a0ec..6b871ff16dc 100644 --- a/.github/workflows/native_s3_pytorch.yml +++ b/.github/workflows/native_s3_pytorch.yml @@ -3,6 +3,10 @@ name: Native S3 PyTorch on: workflow_dispatch: +permissions: + id-token: write + contents: read + jobs: build: runs-on: macos-latest @@ -23,8 +27,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 run: | diff --git a/.github/workflows/native_s3_pytorch_android.yml b/.github/workflows/native_s3_pytorch_android.yml index b21600813d2..b7b0a846a7e 100644 --- a/.github/workflows/native_s3_pytorch_android.yml +++ b/.github/workflows/native_s3_pytorch_android.yml @@ -3,6 +3,10 @@ name: Native S3 PyTorch Android on: workflow_dispatch: +permissions: + id-token: write + contents: read + jobs: build: runs-on: ubuntu-latest @@ -41,8 +45,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | diff --git a/.github/workflows/native_s3_sentencepiece.yml b/.github/workflows/native_s3_sentencepiece.yml index 12fca8e12c2..72d20d09d52 100644 --- a/.github/workflows/native_s3_sentencepiece.yml +++ b/.github/workflows/native_s3_sentencepiece.yml @@ -3,6 +3,10 @@ name: Native S3 Sentencepiece on: workflow_dispatch: +permissions: + id-token: write + contents: read + jobs: build-sentencepiece-jni-linux: if: ${{ github.repository == 'deepjavalibrary/djl' && always() }} @@ -34,10 +38,9 @@ jobs: ./gradlew :extensions:sentencepiece:compileJNI ./gradlew -Pjni :extensions:sentencepiece:test - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | @@ -68,8 +71,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI shell: bash @@ -105,8 +107,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | @@ -150,10 +151,9 @@ jobs: ./gradlew :extensions:sentencepiece:compileJNI ./gradlew -Pjni :extensions:sentencepiece:test - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | diff --git a/.github/workflows/native_s3_tensorflow.yml b/.github/workflows/native_s3_tensorflow.yml index c1d7ca9cc2d..24827949bcf 100644 --- a/.github/workflows/native_s3_tensorflow.yml +++ b/.github/workflows/native_s3_tensorflow.yml @@ -3,6 +3,10 @@ name: Native S3 Tensorflow on: workflow_dispatch: +permissions: + id-token: write + contents: read + jobs: upload: runs-on: ubuntu-latest @@ -23,8 +27,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Upload tensorflow native binaries to s3 run: ./gradlew :engines:tensorflow:tensorflow-native:uTNL diff --git a/.github/workflows/native_s3_xgboost.yml b/.github/workflows/native_s3_xgboost.yml index 1bb89879af6..716c5655dbe 100644 --- a/.github/workflows/native_s3_xgboost.yml +++ b/.github/workflows/native_s3_xgboost.yml @@ -7,6 +7,10 @@ on: description: 'xgboost version' required: false +permissions: + id-token: write + contents: read + jobs: create-aarch64-runner: if: github.repository == 'deepjavalibrary/djl' @@ -56,10 +60,9 @@ jobs: python3 create_jni.py cd ../.. - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy files to S3 with the AWS CLI run: | diff --git a/.github/workflows/nightly_publish.yml b/.github/workflows/nightly_publish.yml index 529c65f8413..411c0e288b1 100644 --- a/.github/workflows/nightly_publish.yml +++ b/.github/workflows/nightly_publish.yml @@ -205,12 +205,6 @@ jobs: ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.ORG_GRADLE_PROJECT_signingPassword }} ORG_GRADLE_PROJECT_ossrhUsername: ${{ secrets.ORG_GRADLE_PROJECT_ossrhUsername }} ORG_GRADLE_PROJECT_ossrhPassword: ${{ secrets.ORG_GRADLE_PROJECT_ossrhPassword }} - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-east-2 create-runners: if: github.repository == 'deepjavalibrary/djl' diff --git a/.github/workflows/serving_publish.yml b/.github/workflows/serving_publish.yml index dc4fcd94d1e..8ba5e4b548a 100644 --- a/.github/workflows/serving_publish.yml +++ b/.github/workflows/serving_publish.yml @@ -18,6 +18,10 @@ on: required: false default: '' +permissions: + id-token: write + contents: read + jobs: publish: if: github.repository == 'deepjavalibrary/djl' @@ -43,8 +47,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::425969335547:role/djl-ci-publish-role aws-region: us-east-2 - name: Copy serving snapshot artifacts to S3 if: ${{ github.event.inputs.mode == '' || github.event.inputs.mode == 'snapshot' }}