From 28d5720276d3b7cd2892426780c751a7480a4d39 Mon Sep 17 00:00:00 2001
From: Jay McNallie
Date: Wed, 1 Apr 2026 11:02:13 -0700
Subject: [PATCH 1/3] Switch to AWS CodeArtifact for artifact publishing

Point reusable workflow at aws-codeartifact branch and update inline deploy job to use OIDC + CodeArtifact.
---
 .github/workflows/ci.yml | 54 ++++++++++++++++++++++++-----------
 .github/workflows/release.yml | 4 +--
 2 files changed, 40 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fc7264b..3d4c9a3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -67,7 +67,8 @@ jobs:
 runs-on: ubuntu-latest
 environment: production
 permissions:
- packages: write
+ id-token: write
+ contents: read
 steps:
 - name: Checkout
 uses: actions/checkout@v4
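Review bot: `id-token: write` is granted on a job that also declares `environment: production`, and nothing in the hunk records that this pairing is what makes the grant safe: the OIDC token the job presents carries a `sub` claim of `repo:<owner>/<repo>:environment:production` (the repository appears to be `codice/usng4j`, from the old GitHub Packages URL in the next hunk), and the AWS role's trust policy should require that subject and the `sts.amazonaws.com` audience rather than matching the repository alone, or every workflow run in the repository could assume the role. That policy lives in AWS and cannot be checked from the workflow, so document the expectation beside the grant, e.g. `# id-token: role trust policy must require sub == repo:codice/usng4j:environment:production`. Removing `packages: write` is consistent with the deploy step no longer targeting GitHub Packages (next hunk), and `contents: read` keeps the checkout working. The deploy job's definition starts before this hunk.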
@@ -79,25 +80,46 @@ jobs: distribution: 'temurin' cache: maven - - name: Configure Maven settings - uses: s4u/maven-settings-action@v3.0.0 + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 with: - servers: | - [{ - "id": "releases", - "username": "${{ github.actor }}", - "password": "${{ secrets.GITHUB_TOKEN }}" - }, - { - "id": "snapshots", - "username": "${{ github.actor }}", - "password": "${{ secrets.GITHUB_TOKEN }}" - }] + role-to-assume: arn:aws:iam::072882638589:role/github-actions-codeartifact + aws-region: us-east-1 + + - name: Get CodeArtifact token + run: | + CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token \ + --domain codice \ + --domain-owner 072882638589 \ + --query authorizationToken \ + --output text) + echo "CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN" >> $GITHUB_ENV + + - name: Create Maven Settings + run: | + mkdir -p ~/.m2 + cat > ~/.m2/settings.xml << 'EOF' + + + + releases + aws + ${env.CODEARTIFACT_AUTH_TOKEN} + + + snapshots + aws + ${env.CODEARTIFACT_AUTH_TOKEN} + + + + EOF - name: Deploy run: | + CODEARTIFACT_URL=https://codice-072882638589.d.codeartifact.us-east-1.amazonaws.com/maven mvn deploy $MAVEN_CLI_OPTS \ -DskipTests=true \ -DretryFailedDeploymentCount=10 \ - -Dreleases.repository.url=https://maven.pkg.github.com/codice/usng4j \ - -Dsnapshots.repository.url=https://maven.pkg.github.com/codice/usng4j + -Dreleases.repository.url="${CODEARTIFACT_URL}/releases/" \ + -Dsnapshots.repository.url="${CODEARTIFACT_URL}/snapshots/"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cdf8d81..c516183 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
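Review bot: In the `Get CodeArtifact token` step the token is appended to `$GITHUB_ENV` without being masked, so it is exported to every later step of the job and, unlike a `secrets.*` value, will not be redacted if a later step dumps its environment; add `echo "::add-mask::$CODEARTIFACT_AUTH_TOKEN"` before the `>> $GITHUB_ENV` line (and quote it as `>> "$GITHUB_ENV"`), and consider `--duration-seconds 900` on `get-authorization-token` so the default 12-hour token does not outlive the job. `aws-actions/configure-aws-credentials@v4` is a third-party action newly trusted with the job's OIDC identity and is pinned only to a mutable major tag; pin it to a full commit SHA with the version in a trailing comment. The account id, domain and region are repeated in the role ARN, `--domain-owner` and `CODEARTIFACT_URL`; hoisting them into a job-level `env:` block keeps the three from drifting apart. The XML element tags inside the `settings.xml` heredoc are missing from this rendering, so its contents could not be reviewed; the deploy job begins before this hunk.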
@@ -3,7 +3,7 @@ on:
 workflow_dispatch:
 permissions:
 contents: read
- packages: write
+ id-token: write
 jobs:
 deploy:
- uses: codice/release-pipelines/.github/workflows/maven-manual-deploy.yml@main
+ uses: codice/release-pipelines/.github/workflows/maven-manual-deploy.yml@aws-codeartifact
From 2b9e41330c68cb870f4a3c8e196275bd6ab3ead4 Mon Sep 17 00:00:00 2001
From: Jay McNallie
Date: Wed, 1 Apr 2026 11:05:41 -0700
Subject: [PATCH 2/3] Add workflow_dispatch trigger to CI for testing
---
 .github/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3d4c9a3..ad51b03 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,7 @@ on: branches: - master - '[0-9]+.[0-9]+.x' + workflow_dispatch: schedule: - cron: '0 18 * * *'
From b05fd5edc3558f80ab27eb5700d9475fc396572e Mon Sep 17 00:00:00 2001
From: Jay McNallie
Date: Wed, 1 Apr 2026 11:06:55 -0700
Subject: [PATCH 3/3] Remove temporary workflow_dispatch trigger from CI
---
 .github/workflows/ci.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ad51b03..3d4c9a3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,6 @@ on: branches: - master - '[0-9]+.[0-9]+.x' - workflow_dispatch: schedule: - cron: '0 18 * * *'
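Review bot: The `uses:` line now points the reusable workflow at `@aws-codeartifact`, a mutable branch of another repository, at the same moment this workflow starts granting it `id-token: write`; whoever can push to that branch controls what runs with this repository's OIDC identity. Pin the reusable workflow to a full commit SHA, e.g. `uses: codice/release-pipelines/.github/workflows/maven-manual-deploy.yml@<commit-sha>  # aws-codeartifact`, or if the branch is only a stopgap until the change lands on `main`, say so with `# TODO: repoint to a main tag/SHA once aws-codeartifact is merged` so it is not forgotten. Swapping `packages: write` for `id-token: write` in the top-level `permissions:` matches the intent, and `contents: read` stays, which the callee's checkout will need. Whether the callee sets an `environment` that narrows the token's `sub` claim cannot be seen from this repository.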