Use keyless authentication for the release (#495)

* Use keyless authentication for the releasee * Pass AWS_SESSION_TOKEN to goreleaser publisher
elastic · Jun 25, 2024 · ae49a75 · ae49a75
1 parent c015eaf
commit ae49a75
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,15 +19,15 @@ permissions:
 jobs:
   build:
     runs-on: ubuntu-latest
-    env:
-      # TODO: use keyless
-      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
+      - uses: elastic/oblt-actions/aws/[email protected]
+        with:
+          aws-account-id: "267093732750"
+
       - name: Validate GitHub release is not available yet
         run: |
           if gh release view "${{ github.ref_name }} > /dev/null ; then

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -88,6 +88,7 @@ publishers:
     env:
       - AWS_ACCESS_KEY_ID={{ .Env.AWS_ACCESS_KEY_ID }}
       - AWS_SECRET_ACCESS_KEY={{ .Env.AWS_SECRET_ACCESS_KEY }}
+      - AWS_SESSION_TOKEN={{ .Env.AWS_SESSION_TOKEN }}
       - ELASTIC_LAYER_NAME=elastic-apm-extension-ver-{{ replace (trimprefix .Tag "v") "." "-" }}
       - VERSION={{ .Tag }}
       - ARCHITECTURE={{ if eq .Arch "amd64" }}x86_64{{ else }}{{ .Arch }}{{ end }}
@@ -101,4 +102,4 @@ release:
 # creates SBOMs of all archives and the source tarball using syft
 # https://goreleaser.com/customization/sbom
 sboms:
-  - artifacts: archive
+  - artifacts: archive