From 0a676591f2df203f4fd6670cff6e9a847308a298 Mon Sep 17 00:00:00 2001
From: Vikram
Date: Wed, 15 Apr 2026 11:35:02 +0530
Subject: [PATCH] Update cd.yml to use OIDC for AWS authentication

Switch from static AWS access keys to GitHub OIDC-based authentication, matching the changes already made to staging-cd.yml.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/cd.yml | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 08d5de9e..acfc9bf1 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -3,6 +3,10 @@ on:
   push:
     branches:
       - "main"
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   Deploy:
     runs-on: ubuntu-latest
@@ -25,6 +29,8 @@ jobs:
       run: |
         rm -rf .env
         touch .env
+        echo AWS_ROLE_ARN=${{ secrets.WEBSITE_AWS_GITHUB_OIDC_ROLE_ARN }} >> .env
+        echo AWS_DEFAULT_REGION=us-east-1 >> .env
         echo BUCKET_NAME=${{ secrets.BUCKET_NAME }} >> .env
         echo HOST_NAME=${{ secrets.HOST_NAME }} >> .env
         echo ASSET_HOST=${{ secrets.ASSET_HOST }} >> .env
@@ -39,14 +45,19 @@ jobs:
         echo TYPESENSE_API_KEY=${{ secrets.TYPESENSE_API_KEY }} >> .env
         echo TYPESENSE_SEARCH_API_KEY=${{ secrets.TYPESENSE_SEARCH_API_KEY }} >> .env
         cat .env
+
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ secrets.WEBSITE_AWS_GITHUB_OIDC_ROLE_ARN }}
+        role-session-name: GitHub_to_AWS_via_FederatedOIDC
+        aws-region: 'us-east-1'
+        audience: sts.amazonaws.com
+
     - name: Build
       run: |
         PREFIX_PATHS=true npm run build && npm run deploy
       env:
-        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        AWS_DEFAULT_REGION: "us-east-1"
-        AWS_DEFAULT_OUTPUT: json
         TYPESENSE_HOST: ${{ secrets.TYPESENSE_HOST }}
         TYPESENSE_PORT: ${{ secrets.TYPESENSE_PORT }}
         TYPESENSE_PROTOCOL: ${{ secrets.TYPESENSE_PROTOCOL }}
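Review bot: The new `permissions:` block is declared at the workflow level, so `id-token: write` is granted to every job in this file, not just the one that needs to mint an OIDC token. With a single `Deploy` job today that is harmless, but any job added later inherits the ability to obtain a token for the AWS role. Moving the block under `jobs.Deploy` (same two keys, indented under the job) keeps the token permission scoped to the step that uses it, and the top-level default then stays read-only.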
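Review bot: `AWS_ROLE_ARN` is written into `.env` here even though the role assumption is performed by the `configure-aws-credentials` step, which receives the same secret directly via `role-to-assume`; if nothing in `npm run build`/`npm run deploy` reads `AWS_ROLE_ARN` from `.env` (not visible in this diff), the line is redundant and can be dropped. Note also that the later `cat .env` in this same step prints the file to the job log; the ARN is a repository secret so GitHub masks it, but a role ARN is not itself a credential, and keeping it out of `.env` avoids shipping it with whatever else consumes that file. The step body continues past the end of this hunk.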
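Review bot: `role-session-name` is a fixed string, so every deploy shows up in CloudTrail under the same session name and cannot be correlated back to a specific workflow run; `role-session-name: github-${{ github.run_id }}-${{ github.run_attempt }}` gives each assumption a unique, traceable identity at no cost. Separately, this workflow-side change only requests the token — the actual boundary is the role's trust policy, which should pin `token.actions.githubusercontent.com:sub` to `repo:<org>/<repo>:ref:refs/heads/main` (and `:aud` to `sts.amazonaws.com`) rather than a wildcard; that policy is not in this diff, so please confirm it is restricted that way, otherwise any branch or fork workflow in the org that can mint an OIDC token could assume the role. Removing `AWS_DEFAULT_REGION` from the Build step's `env:` is fine because the action exports `AWS_REGION`/`AWS_DEFAULT_REGION` into the job environment, but the dropped `AWS_DEFAULT_OUTPUT: json` changes CLI output formatting for anything in `npm run deploy` that shells out to `aws` — worth a quick check that the deploy script does not parse CLI output.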