-
Notifications
You must be signed in to change notification settings - Fork 25
50 lines (49 loc) · 2.37 KB
/
get-signed-from-stampy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
name: get-signed-installers-from-stampy
on:
workflow_dispatch:
# schedule:
# - cron: '25 * * * *'
jobs:
get-signed-from-stampy:
runs-on: ubuntu-latest
steps:
- name: Check out the repo
uses: actions/checkout@v3
- name: download
env:
STAMPY_ARN: ${{ secrets.STAMPY_ARN }}
AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
AWS_EC2_METADATA_DISABLED: true
# switch AWS identity to the one that can access stampy
run: |
ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing)
export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
aws s3 cp --recursive ${{ secrets.STAMPY_SIGNED_BUCKET }}/ .
- name: upload to CLI s3
env:
AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
AWS_EC2_METADATA_DISABLED: true
run: |
node scripts/stampy-signed-upload.js
- name: clean up stampy in/out buckets
# waiting on Stampy to enable delete permission on these buckets
# at that point, we can make this an hourly job
if: false
env:
STAMPY_UNSIGNED_BUCKET: ${{ secrets.STAMPY_UNSIGNED_BUCKET }}
STAMPY_SIGNED_BUCKET: ${{ secrets.STAMPY_SIGNED_BUCKET }}
AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
AWS_EC2_METADATA_DISABLED: true
run: |
ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing)
export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
node scripts/stampy-signed-delete.js