Dispatch analytics #829
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Dispatch analytics | |
# PROCESS | |
# | |
# 1. Trade GitHub JWT token with AWS credentials for the analytics account | |
# 2. Invoke a Lambda function dispatcher synchronously with the read-only scoped JWT token | |
# 3. The dispatcher function will call GitHub APIs to read data from the last hour and aggregate for operational analytics | |
# USAGE | |
# | |
# NOTE: meant to use as a scheduled task only (or manually for debugging purposes). | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: "0 * * * *" | |
permissions: | |
contents: read | |
jobs: | |
dispatch_token: | |
if: github.repository == 'aws-powertools/powertools-lambda-python' | |
concurrency: | |
group: analytics | |
runs-on: ubuntu-latest | |
environment: analytics | |
permissions: | |
id-token: write | |
actions: read | |
checks: read | |
contents: read # previously we needed `write` to use GH_TOKEN in our dispatcher (Lambda) | |
deployments: read | |
issues: read | |
discussions: read | |
packages: read | |
pages: read | |
pull-requests: read | |
repository-projects: read | |
security-events: read | |
statuses: read | |
steps: | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 | |
with: | |
aws-region: eu-central-1 | |
role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }} | |
mask-aws-account-id: true | |
- name: Invoke Lambda function | |
run: | | |
payload=$(echo -n '{"githubToken": "${{ secrets.GITHUB_TOKEN }}"}' | base64) | |
response=$(aws lambda invoke \ | |
--function-name "${{ secrets.AWS_ANALYTICS_DISPATCHER_ARN }}" \ | |
--payload "$payload" \ | |
response.json \ | |
--query 'FunctionError' \ | |
--output text) | |
cat response.json ; echo # add newline at the end | |
if [ "$response" != "None" ]; then | |
echo "Error invoking lambda function: $response. Aborting." | |
exit 1 | |
fi |