chore: use AWS OpenID Connect for S3 publish

giacomocusinato · giacomocusinato · commit 9ab87bf8b574 · 2025-03-11T21:42:12.000+07:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -203,7 +203,7 @@ jobs:
           echo "is-nightly=$is_nightly" >> $GITHUB_OUTPUT
           echo "channel-name=$channel_name" >> $GITHUB_OUTPUT
           # Only attempt upload to Amazon S3 if the credentials are available.
-          echo "publish-to-s3=${{ secrets.AWS_SECRET_ACCESS_KEY != '' }}" >> $GITHUB_OUTPUT
+          echo "publish-to-s3=${{ secrets.AWS_ROLE_ARN != '' }}" >> $GITHUB_OUTPUT
 
   select-targets:
     needs: build-type-determination
@@ -284,8 +284,6 @@ jobs:
       - build-type-determination
       - select-targets
     env:
-      # https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
-      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
       # Location of artifacts generated by build.
       BUILD_ARTIFACTS_PATH: electron-app/dist/build-artifacts
       # to skip passing signing credentials to electron-builder
@@ -363,8 +361,6 @@ jobs:
           AC_USERNAME: ${{ secrets.AC_USERNAME }}
           AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
           AC_TEAM_ID: ${{ secrets.AC_TEAM_ID }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           IS_NIGHTLY: ${{ needs.build-type-determination.outputs.is-nightly }}
           IS_RELEASE: ${{ needs.build-type-determination.outputs.is-release }}
           CAN_SIGN: ${{ secrets[matrix.config.certificate-secret] != '' }}
@@ -588,6 +584,12 @@ jobs:
     env:
       ARTIFACTS_FOLDER: build-artifacts
 
+    environment: production
+
+    permissions:
+      id-token: write
+      contents: read 
+
     steps:
       - name: Download all job transfer artifacts
         uses: actions/download-artifact@v4
@@ -596,15 +598,15 @@ jobs:
           path: ${{ env.ARTIFACTS_FOLDER }}
           pattern: ${{ env.JOB_TRANSFER_ARTIFACT_PREFIX }}*
 
+      - name: Configure AWS Credentials for Nightly [S3]
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }} 
+          aws-region: us-east-1 
+
       - name: Publish Nightly [S3]
-        uses: docker://plugins/s3
-        env:
-          PLUGIN_SOURCE: '${{ env.ARTIFACTS_FOLDER }}/*'
-          PLUGIN_STRIP_PREFIX: '${{ env.ARTIFACTS_FOLDER }}/'
-          PLUGIN_TARGET: '/arduino-ide/nightly'
-          PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: |
+          aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide/nightly
 
   release:
     needs:
@@ -625,6 +627,12 @@ jobs:
     env:
       ARTIFACTS_FOLDER: build-artifacts
 
+    environment: production
+
+    permissions:
+      id-token: write
+      contents: read
+
     steps:
       - name: Download all job transfer artifacts
         uses: actions/download-artifact@v4
@@ -648,16 +656,17 @@ jobs:
           file_glob: true
           body: ${{ needs.changelog.outputs.BODY }}
 
+      - name: Configure AWS Credentials for Release [S3]
+        if: needs.build-type-determination.outputs.publish-to-s3 == 'true'
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }} 
+          aws-region: us-east-1 
+
       - name: Publish Release [S3]
         if: needs.build-type-determination.outputs.publish-to-s3 == 'true'
-        uses: docker://plugins/s3
-        env:
-          PLUGIN_SOURCE: '${{ env.ARTIFACTS_FOLDER }}/*'
-          PLUGIN_STRIP_PREFIX: '${{ env.ARTIFACTS_FOLDER }}/'
-          PLUGIN_TARGET: '/arduino-ide'
-          PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: |
+          aws s3 sync ${{ env.ARTIFACTS_FOLDER }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide
 
   clean:
     # This job must run after all jobs that use the transfer artifact.
diff --git a/.github/workflows/compose-full-changelog.yml b/.github/workflows/compose-full-changelog.yml
@@ -14,6 +14,11 @@ jobs:
   create-changelog:
     if: github.repository == 'arduino/arduino-ide'
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    environment: production
+      
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -44,12 +49,12 @@ jobs:
           # Compose changelog
           yarn run compose-changelog "${{ github.workspace }}/${{ env.CHANGELOG_ARTIFACTS }}/$CHANGELOG_FILE_NAME"
 
+      - name: Configure AWS Credentials for Changelog [S3]
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }} 
+          aws-region: us-east-1 
+
       - name: Publish Changelog [S3]
-        uses: docker://plugins/s3
-        env:
-          PLUGIN_SOURCE: '${{ env.CHANGELOG_ARTIFACTS }}/*'
-          PLUGIN_STRIP_PREFIX: '${{ env.CHANGELOG_ARTIFACTS }}/'
-          PLUGIN_TARGET: '/arduino-ide/changelog'
-          PLUGIN_BUCKET: ${{ secrets.DOWNLOADS_BUCKET }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: |
+          aws s3 sync ${{ env.CHANGELOG_ARTIFACTS }} s3://${{ secrets.DOWNLOADS_BUCKET }}/arduino-ide/changelog
