gha: use oidc (#778)

.github/workflows/backport.yml

@@ -15,62 +15,31 @@ jobs:
       user: ${{ steps.get-labels.outputs.user }}
       valid: ${{ steps.get-labels.outputs.valid }}
     steps:
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
-      - name: get secrets from aws sm
-        uses: aws-actions/aws-secretsmanager-get-secrets@v2
-        with:
-          secret-ids: |
-            ,sdlc/prod/github/actions_bot_token
-          parse-json-secrets: true
       - name: Determine branches to cherry-pick to
         id: get-labels
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          set -e
-          RESPONSE=$(curl -s -H "Authorization: token ${{ env.ACTIONS_BOT_TOKEN }}" https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }})
-          LABELS_JSON=$(echo "$RESPONSE" | jq .labels[])
-          USER=$(echo $RESPONSE | jq -r '.user.login')
-
-          if [[ $? -ne 0 ]]; then
-            echo "Failed to fetch labels from GitHub API."
-            exit 1
-          fi
-
-          BACKPORT_LABELS=$(echo "$LABELS_JSON" | jq -r 'if type == "object" then [.] else . end | map(select(.name | startswith("backport to")))[] | .name')
-          if [[ -z "$BACKPORT_LABELS" ]]; then
+          # concat labels into comman-separated string, e.g. "bug,backport to all versions,remediation"
+          PR_LABELS="${{ join(github.event.pull_request.labels.*.name, ',') }}"
+          if [[ -z "$PR_LABELS" ]]; then
             echo "valid=false" >> $GITHUB_OUTPUT
             exit 0
           else
             echo "valid=true" >> $GITHUB_OUTPUT
           fi
 
           BRANCHES=""
-          if [[ $BACKPORT_LABELS == "backport to all versions" ]]; then
-            PAGE=1
-            ALL_BRANCHES=""
-
-            # Loop to fetch all branches with 'v/' prefix from the GitHub API
-            while : ; do
-              RAW_RESPONSE=$(curl -s -H "Authorization: token ${{ env.ACTIONS_BOT_TOKEN }}" "https://api.github.com/repos/${{ github.repository }}/branches?per_page=100&page=$PAGE")
-
-              if [[ $(echo "$RAW_RESPONSE" | jq '. | length') -eq 0 ]]; then
-                  break
-              fi
-
-              PAGE_BRANCHES=$(echo "$RAW_RESPONSE" | jq -r '.[].name' | grep '^v/')
-              ALL_BRANCHES+=$PAGE_BRANCHES$'\n'
-              ((PAGE++))
-            done
+          if [[ $PR_LABELS =~ "backport to all versions" ]]; then
+            # fetch all branches with 'v/' prefix from the GitHub API
+            RAW_RESPONSE=$(gh api --paginate --jq '.[].name' /repos/${{ github.repository }}/branches)
+            ALL_BRANCHES=$(echo "$RAW_RESPONSE" | grep '^v/')
 
             # Prepare the BRANCHES variable, remove trailing comma and newline
             BRANCHES=$(echo "$ALL_BRANCHES" | tr '\n' ',')
             BRANCHES=${BRANCHES%,}  # Removing the trailing comma and newline
           else
-            BRANCH_NAMES=$(echo "$BACKPORT_LABELS" | grep -o 'backport to v/[0-9]\+\.[0-9]\+' | sed -e 's/backport to //')
+            BRANCH_NAMES=$(echo "$PR_LABELS" | grep -o 'backport to v/[0-9]\+\.[0-9]\+' | sed -e 's/backport to //')
             BRANCHES=$(echo "$BRANCH_NAMES" | tr '\n' ',')
             BRANCHES=${BRANCHES::-1}  # Removing the trailing comma
           fi
@@ -80,23 +49,23 @@ jobs:
           BRANCHES_ARRAY="[$BRANCHES_ARRAY]"
 
           echo "branches=$BRANCHES_ARRAY" >> $GITHUB_OUTPUT
-          echo "user=$USER" >> $GITHUB_OUTPUT
+          echo "user=${{ github.actor }}" >> $GITHUB_OUTPUT
   backport:
     needs: get-labels
     if: needs.get-labels.outputs.branches != '' && needs.get-labels.outputs.valid == 'true'
     strategy:
       matrix:
         branch: ${{fromJson(needs.get-labels.outputs.branches)}}
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
-      - name: get secrets from aws sm
-        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+          aws-region: ${{ vars.RP_AWS_CRED_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
+      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
         with:
           secret-ids: |
             ,sdlc/prod/github/actions_bot_token

.github/workflows/build.yml

@@ -8,15 +8,15 @@ on:
 jobs:
   dispatch:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
-      - name: get secrets from aws sm
-        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+          aws-region: ${{ vars.RP_AWS_CRED_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
+      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
         with:
           secret-ids: |
             ,sdlc/prod/github/docs_netlify_build_hook

.github/workflows/generate-crd.yml

@@ -7,15 +7,15 @@ on:
 jobs:
   trigger:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
-      - name: get secrets from aws sm
-        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+          aws-region: ${{ vars.RP_AWS_CRED_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
+      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
         with:
           secret-ids: |
             ,sdlc/prod/github/actions_bot_token

.github/workflows/generate-helm-spec.yml

@@ -7,15 +7,15 @@ on:
 jobs:
   trigger:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
-      - name: get secrets from aws sm
-        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+          aws-region: ${{ vars.RP_AWS_CRED_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
+      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
         with:
           secret-ids: |
             ,sdlc/prod/github/actions_bot_token

.github/workflows/generate-kubernetes-compatibility.yaml → .github/workflows/generate-kubernetes-compatibility.yml

@@ -11,15 +11,15 @@ on:
 jobs:
   generate-matrix:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
-      - name: get secrets from aws sm
-        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+          aws-region: ${{ vars.RP_AWS_CRED_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
+      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
         with:
           secret-ids: |
             ,sdlc/prod/github/actions_bot_token

.github/workflows/get-cloud-api-spec.yml

@@ -7,15 +7,15 @@ on:
 jobs:
   fetch-and-save-cloud-api-spec:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
-      - name: get secrets from aws sm
-        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+          aws-region: ${{ vars.RP_AWS_CRED_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
+      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
         with:
           secret-ids: |
             ,sdlc/prod/github/actions_bot_token
@@ -44,7 +44,6 @@ jobs:
           ref: api
           token: ${{ env.ACTIONS_BOT_TOKEN }}
           path: redpanda-docs-api
-        # Copy the generated file to the api branch
       - name: Move generated file to API branch
         run: mv ./redpanda-docs/cloud-api.yaml ./redpanda-docs-api/modules/ROOT/attachments/cloud-api.yaml
       - name: Create pull request

.github/workflows/test-docs.yml

@@ -1,12 +1,11 @@
+---
 name: Run doc tests
-
 on:
   pull_request:
     types: [opened, reopened, synchronize]
   workflow_dispatch:
   repository_dispatch:
     types: [trigger-tests]
-
 jobs:
   setup:
     runs-on: ubuntu-latest
@@ -15,7 +14,6 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-
       - name: Determine changed paths
         id: filter
         uses: dorny/paths-filter@v3
@@ -30,40 +28,19 @@ jobs:
       pull-requests: write
       issues: write
     strategy:
-      fail-fast: false # Ensure all matrix jobs run to completion even if one fails
+      fail-fast: false  # Ensure all matrix jobs run to completion even if one fails
       matrix:
-        os: [ubuntu-latest] # Only using Linux for now since macOS takes a long time
+        os: [ubuntu-latest]  # Only using Linux for now since macOS takes a long time
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Test docs
         if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'repository_dispatch' }}
         run: npm i && npm run test-docs
         working-directory: setup-tests
-
       - name: Test Console docs
         if: needs.setup.outputs.console == 'true'
         run: npm i && npm run test-console-docs
         working-directory: setup-tests
-
-      #- name: Test docs
-      #  if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'repository_dispatch' }}
-      #  uses: doc-detective/github-action@v1
-      #  with:
-      #    input: modules
-      #    config: setup-tests
-      #    exit_on_fail: true
-          # create a PR/issue only if the workflow wasn't already triggered by a PR
-      #    create_pr_on_change: true
-      #    create_issue_on_fail: true
-
-      #- name: Test Console docs
-      #  if: needs.setup.outputs.console == 'true'
-      #  uses: doc-detective/github-action@v1
-      #  with:
-      #    input: modules/console
-      #    config: setup-tests
-      #    exit_on_fail: true

.github/workflows/update-extensions.yml

@@ -1,27 +1,24 @@
+---
 name: Update @redpanda-data/docs-extensions-and-macros
-
 on:
   workflow_dispatch:
   repository_dispatch:
     types: [trigger-npm-update]
-
 jobs:
   update-dependency:
     runs-on: ubuntu-latest
-
+    permissions:
+      id-token: write
+      contents: read
     strategy:
       matrix:
         branch: [main, 'v/24.1', 'v/23.3', api]
-
     steps:
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
-      - name: get secrets from aws sm
-        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+          aws-region: ${{ vars.RP_AWS_CRED_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
+      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
         with:
           secret-ids: |
             ,sdlc/prod/github/actions_bot_token
@@ -31,18 +28,14 @@ jobs:
         with:
           ref: ${{ matrix.branch }}
           token: ${{ env.ACTIONS_BOT_TOKEN }}
-
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '18'
-
       - name: Install dependencies
         run: npm install
-
       - name: Update @redpanda-data/docs-extensions-and-macros
         run: npm update @redpanda-data/docs-extensions-and-macros
-
       - name: Commit changes
         run: |
           git config --global user.name "vbotbuildovich"