From 6c81b96f3b86ec07a15213364ac1736a06f4b99f Mon Sep 17 00:00:00 2001 From: Dmytro <2937451+vorotech@users.noreply.github.com> Date: Mon, 14 Mar 2022 19:14:41 +0200 Subject: [PATCH] Update s3_upload.yml (#18962) assume deployment role instead of aws creds --- .github/workflows/s3_upload.yml | 74 ++++++++++++++++++--------------- 1 file changed, 41 insertions(+), 33 deletions(-) diff --git a/.github/workflows/s3_upload.yml b/.github/workflows/s3_upload.yml index d40a5595f..6b7c458a2 100644 --- a/.github/workflows/s3_upload.yml +++ b/.github/workflows/s3_upload.yml @@ -1,44 +1,52 @@ name: Upload S3 on: push: - branches: [ master ] - + branches: + - master + workflow_dispatch: +permissions: + id-token: write + +env: + AWS_REGION: us-east-1 + jobs: upload-s3: runs-on: ubuntu-latest + steps: - - uses: actions/checkout@v2 - - - name: Upload (from main repo only) - if: github.repository_owner == 'trustwallet' - uses: jakejarvis/s3-sync-action@master - with: - args: --follow-symlinks --delete --exclude '*' --include 'dapps/*' --include 'blockchains/*' --include 'history/*' --size-only - env: - AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_REGION: 'us-east-1' + - uses: actions/checkout@v2 - - name: Get changed files - uses: jitterbit/get-changed-files@v1 - if: github.event_name == 'push' - id: files + - name: Confiugre AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} + aws-region: ${{ env.AWS_REGION }} + + - name: Deploy to S3 + if: github.repository_owner == 'trustwallet' + shell: bash + run: aws s3 sync . s3://$AWS_S3_BUCKET --follow-symlinks --delete --exclude '*' --include 'dapps/*' --include 'blockchains/*' --size-only + env: + AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} + + - name: Get changed files + uses: jitterbit/get-changed-files@v1 + if: github.event_name == 'push' + id: files + + - name: Filter files to invalidate + run: | + echo "::set-output name=paths::$(echo ${{ steps.files.outputs.added_modified }} | tr ' ' '\n' | grep -E 'blockchains/|dapps/' | awk '{print "/"$1}' | tr '\n' ' ')" + if: github.event_name == 'push' + id: filter + + - name: Invalidate CloudFront + if: github.repository_owner == 'trustwallet' && github.event_name == 'push' && steps.filter.outputs.paths != '' + uses: chetan/invalidate-cloudfront-action@v2 + env: + PATHS: ${{ steps.filter.outputs.paths }} + DISTRIBUTION: ${{ secrets.AWS_DISTRIBUTION }} - - name: Filter files to invalidate - run: | - echo "::set-output name=paths::$(echo ${{ steps.files.outputs.added_modified }} | tr ' ' '\n' | grep -E 'blockchains/|dapps/' | awk '{print "/"$1}' | tr '\n' ' ')" - if: github.event_name == 'push' - id: filter - - - name: Invalidate CloudFront - if: github.repository_owner == 'trustwallet' && github.event_name == 'push' && steps.filter.outputs.paths != '' - uses: chetan/invalidate-cloudfront-action@v2 - env: - PATHS: ${{ steps.filter.outputs.paths }} - DISTRIBUTION: ${{ secrets.AWS_DISTRIBUTION }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_REGION: "us-east-1"