Merge pull request #20 from serverless/setup-github-oidc

chore(github): setup Github oidc
serverless · Oct 15, 2024 · 3ce5c0a · 3ce5c0a
2 parents d5b0f1b + a63b141
commit 3ce5c0a
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 9 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -5,6 +5,11 @@ on:
     branches:
       - main
 
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+
 jobs:
   deploy:
     name: deploy-prod
@@ -24,11 +29,14 @@ jobs:
           cmd: |
             yq -i '.stages.prod.params.customDomainName = "${{ vars.CUSTOM_DOMAIN_NAME }}"' serverless-compose.yml
             yq -i '.stages.prod.params.customDomainCertificateARN = "${{ vars.CUSTOM_DOMAIN_CERTIFICATE_ARN }}"' serverless-compose.yml
-      - name: Serverless Deploy
+      - name: Configure AWS Credentials - Serverless Marketing AWS Account
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::488110005556:role/GithubActionsDeploymentRole
+          aws-region: us-east-1
+      - name: Serverless Deploy - Prod
         uses: serverless/github-action@v4
         with:
           args: deploy --stage prod
         env:
           SERVERLESS_LICENSE_KEY: ${{ secrets.SERVERLESS_LICENSE_KEY }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/pr-deploy.yml b/.github/workflows/pr-deploy.yml
@@ -5,6 +5,11 @@ on:
     branches:
       - main
 
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+
 jobs:
   remove:
     name: deploy-pr-preview
@@ -18,11 +23,14 @@ jobs:
           cache: "npm"
       - name: Install dependencies
         run: npm ci
-      - name: serverless deploy
+      - name: Configure AWS Credentials - Serverless Marketing AWS Account
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::488110005556:role/GithubActionsDeploymentRole
+          aws-region: us-east-1
+      - name: Serverless Deploy - PR Preview
         uses: serverless/github-action@v4
         with:
           args: deploy --stage pr-${{ github.event.pull_request.number }}
         env:
           SERVERLESS_LICENSE_KEY: ${{ secrets.SERVERLESS_LICENSE_KEY }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/pr-remove.yml b/.github/workflows/pr-remove.yml
@@ -5,6 +5,11 @@ on:
     types:
       - closed
 
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+
 jobs:
   remove:
     name: remove-pr-preview
@@ -18,11 +23,14 @@ jobs:
           cache: "npm"
       - name: Install dependencies
         run: npm ci
-      - name: serverless remove
+      - name: Configure AWS Credentials - Serverless Marketing AWS Account
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::488110005556:role/GithubActionsDeploymentRole
+          aws-region: us-east-1
+      - name: Serverless Remove - PR Preview
         uses: serverless/github-action@v4
         with:
           args: remove --stage pr-${{ github.event.pull_request.number }}
         env:
           SERVERLESS_LICENSE_KEY: ${{ secrets.SERVERLESS_LICENSE_KEY }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}