From 9188b95e94781155bb78b1b179ecb25662085428 Mon Sep 17 00:00:00 2001
From: Swopnil Dangol
Date: Fri, 22 Aug 2025 13:19:43 +0100
Subject: [PATCH 1/2] Moved the secrets expanded in the run block to env variables

---
 .github/workflows/bootstrap_region.yml | 4 +++-
 .github/workflows/dispatch_analytics.yml | 7 +++++--
 .github/workflows/layer_balance.yml | 8 ++++++--
 .github/workflows/make-release.yml | 4 +++-
 .github/workflows/publish-package.yml | 4 +++-
 .github/workflows/reusable_publish_docs.yml | 15 +++++++++------
 6 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/bootstrap_region.yml b/.github/workflows/bootstrap_region.yml
index d9551b72a8..60ac4f287b 100644
--- a/.github/workflows/bootstrap_region.yml
+++ b/.github/workflows/bootstrap_region.yml
@@ -99,4 +99,6 @@ jobs:
 run: go install github.com/aws-powertools/actions/layer-balancer/cmd/balance@29979bc5339bf54f76a11ac36ff67701986bb0f0
 - id: run-balance
 name: Run Balance
- run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+ env:
+ BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }}
+ run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
diff --git a/.github/workflows/dispatch_analytics.yml b/.github/workflows/dispatch_analytics.yml
index 95e0cb3bb0..3cc4dee0e9 100644
--- a/.github/workflows/dispatch_analytics.yml
+++ b/.github/workflows/dispatch_analytics.yml
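Review bot: The new `run:` line still splices `${{ inputs.region }}` straight into the shell command, so the expression-expansion pattern this commit removes for the secret remains for the workflow input; the same holds for `inputs.region` and `inputs.start_at` in both layer_balance.yml hunks (PATCH 1/2 and PATCH 2/2). Whether that matters depends on how the inputs are declared, which is outside this hunk, but routing them through `env:` as well keeps the file consistent, e.g. `REGION: ${{ inputs.region }}` and `-write-region "$REGION" -write-role "$BALANCE_ROLE_ARN"`. Quoting the expansions also prevents an unexpected value from being word-split into extra arguments to `balance`.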
@@ -49,10 +49,13 @@ jobs:
 mask-aws-account-id: true
 
 - name: Invoke Lambda function
+ env:
+ TOKEN_GITHUB: ${{ secrets.GITHUB_TOKEN }}
+ AWS_ANALYTICS_DISPATCHER_ARN: ${{ secrets.AWS_ANALYTICS_DISPATCHER_ARN }}
 run: |
- payload=$(echo -n '{"githubToken": "${{ secrets.GITHUB_TOKEN }}"}' | base64)
+ payload=$(echo -n '{"githubToken": "$TOKEN_GITHUB"}' | base64)
 response=$(aws lambda invoke \
- --function-name "${{ secrets.AWS_ANALYTICS_DISPATCHER_ARN }}" \
+ --function-name "$AWS_ANALYTICS_DISPATCHER_ARN" \
 --payload "$payload" \
 response.json \
 --query 'FunctionError' \
diff --git a/.github/workflows/layer_balance.yml b/.github/workflows/layer_balance.yml
index 19931a124f..6761a3abe8 100644
--- a/.github/workflows/layer_balance.yml
+++ b/.github/workflows/layer_balance.yml
@@ -62,8 +62,12 @@ jobs:
 - id: run-balance-new-region
 name: Run Balance
 if: ${{ inputs.start_at == '' }}
- run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+ env:
+ BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }}
+ run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
 - id: run-balance-existing
 name: Run Balance (Existing Region)
 if: ${{ inputs.start_at != '' }}
- run: balance -read-region us-east-1 -start-at ${{ inputs.start_at }} -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+ env:
+ BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }}
+ run: balance -read-region us-east-1 -start-at ${{ inputs.start_at }} -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index eecc6b793f..e4f3763a53 100644
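Review bot: The rewritten `payload=` line keeps `$TOKEN_GITHUB` inside a single-quoted string, so the shell never expands it and the Lambda receives the literal text `$TOKEN_GITHUB` rather than the token; the `--function-name "$AWS_ANALYTICS_DISPATCHER_ARN"` line below it is double-quoted and does expand. If this step is ever restored, build the JSON with a tool that escapes the value rather than interpolating it, e.g. `payload=$(jq -n --arg t "$TOKEN_GITHUB" '{githubToken: $t}' | base64)`, which also keeps any special characters in the token from breaking the document. PATCH 2/2 deletes this workflow entirely, so the defect does not ship as part of this series.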
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -53,8 +53,10 @@ jobs:
 node-version: "22"
 cache: "npm"
 - name: Setup auth tokens
+ env:
+ NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 run: |
- npm set "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}"
+ npm set "//registry.npmjs.org/:_authToken=$NPM_TOKEN"
 - name: Setup dependencies
 uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
 - name: Publish to npm
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
index 6973ca0ecf..faa980fb5a 100644
--- a/.github/workflows/publish-package.yml
+++ b/.github/workflows/publish-package.yml
@@ -44,8 +44,10 @@ jobs:
 node-version: "22"
 cache: "npm"
 - name: Setup auth tokens
+ env:
+ NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 run: |
- npm set "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}"
+ npm set "//registry.npmjs.org/:_authToken=$NPM_TOKEN"
 - name: Setup dependencies
 uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
 - name: Publish to npm
diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml
index d99b6d36a6..86ba8bffda 100644
--- a/.github/workflows/reusable_publish_docs.yml
+++ b/.github/workflows/reusable_publish_docs.yml
@@ -97,22 +97,25 @@ jobs:
 env:
 VERSION: ${{ inputs.version }}
 ALIAS: ${{ inputs.alias }}
+ AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
 run: |
 aws s3 sync \
 site/ \
- s3://${{ secrets.AWS_DOCS_BUCKET }}/lambda-typescript/${{ env.VERSION }}/
+ s3://$AWS_DOCS_BUCKET/lambda-typescript/$VERSION/
 - name: Deploy Docs (Alias)
 env:
 VERSION: ${{ inputs.version }}
 ALIAS: ${{ inputs.alias }}
+ AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
 run: |
 aws s3 sync \
 site/ \
- s3://${{ secrets.AWS_DOCS_BUCKET }}/lambda-typescript/${{ env.ALIAS }}/
+ s3://$AWS_DOCS_BUCKET/lambda-typescript/$ALIAS/
 - name: Deploy Docs (Version JSON)
 env:
 VERSION: ${{ inputs.version }}
 ALIAS: ${{ inputs.alias }}
+ AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
 # We originally used "mike" from PyPi to manage versions for us, but since we moved to S3, we can't use it to manage versions any more.
 # Instead, we're using some shell script that manages the versions.
 #
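Review bot: The rewritten `aws s3 sync` destinations `s3://$AWS_DOCS_BUCKET/lambda-typescript/$VERSION/` and `s3://$AWS_DOCS_BUCKET/lambda-typescript/$ALIAS/` are unquoted, so a `version` or `alias` input containing whitespace or glob characters is word-split or expanded by the shell before the CLI sees it. Quote them: `"s3://$AWS_DOCS_BUCKET/lambda-typescript/$VERSION/"` and `"s3://$AWS_DOCS_BUCKET/lambda-typescript/$ALIAS/"`. `AWS_DOCS_BUCKET` is now declared identically in three consecutive steps; a single job-level `env:` entry, as PATCH 2/2 does for layer_balance.yml, would remove the duplication, though the job header is outside this hunk.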
@@ -127,10 +130,10 @@ jobs:
 # 4. Once done, we'll upload it back to S3.
 run: |
 aws s3 cp \
- s3://${{ secrets.AWS_DOCS_BUCKET }}/lambda-typescript/versions.json \
+ s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json \
 versions_old.json
- jq 'del(.[].aliases[] | select(. == "${{ env.ALIAS }}"))' < versions_old.json > versions_proc.json
- jq '. as $o | [{"title": "${{ env.VERSION }}", "version": "${{ env.VERSION }}", "aliases": ["${{ env.ALIAS }}"] }] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json
+ jq 'del(.[].aliases[] | select(. == "$ALIAS"))' < versions_old.json > versions_proc.json
+ jq '. as $o | [{"title": "$VERSION", "version": "$VERSION", "aliases": ["$ALIAS"] }] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json
 aws s3 cp \
 versions.json \
- s3://${{ secrets.AWS_DOCS_BUCKET }}/lambda-typescript/versions.json
+ s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json

From 349db0f70bbc770a2751d2b917687ccda60f4214 Mon Sep 17 00:00:00 2001
From: Swopnil Dangol
Date: Fri, 22 Aug 2025 15:03:39 +0100
Subject: [PATCH 2/2] Removed the dispatch workflow and moved env to job level for layer_balance.yml

---
 .github/workflows/dispatch_analytics.yml | 69 ------------------------
 .github/workflows/layer_balance.yml | 6 +-
 2 files changed, 2 insertions(+), 73 deletions(-)
 delete mode 100644 .github/workflows/dispatch_analytics.yml

diff --git a/.github/workflows/dispatch_analytics.yml b/.github/workflows/dispatch_analytics.yml
deleted file mode 100644
index 3cc4dee0e9..0000000000
--- a/.github/workflows/dispatch_analytics.yml
+++ /dev/null
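Review bot: Both rewritten `jq` lines keep `$ALIAS` and `$VERSION` inside single-quoted jq programs, so the shell never expands them and jq receives the literal strings `"$ALIAS"` and `"$VERSION"`: the first filter deletes nothing (no alias is literally `$ALIAS`) and the second inserts an entry titled `$VERSION` into versions.json, which breaks the version index this step maintains. The old lines only worked by splicing `${{ env.ALIAS }}` and `${{ env.VERSION }}` into the program text, which is the expression-injection pattern this commit is removing, so the right replacement is jq's `--arg`, which binds the values as jq variables without touching the program: `jq --arg alias "$ALIAS" 'del(.[].aliases[] | select(. == $alias))' < versions_old.json > versions_proc.json` for the first line, and for the second prefix it with `--arg version "$VERSION" --arg alias "$ALIAS"` and replace the three quoted literals with `$version`, `$version` and `[$alias]` (the existing `$o`/`$n` names do not collide). The unquoted `s3://$AWS_DOCS_BUCKET/...` arguments on the two `aws s3 cp` lines are harmless for a bucket name but worth quoting for consistency with the rest of the file.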
@@ -1,69 +0,0 @@
-name: Dispatch analytics
-
-# PROCESS
-#
-# 1. Trade GitHub JWT token with AWS credentials for the analytics account
-# 2. Invoke a Lambda function dispatcher synchronously with the read-only scoped JWT token
-# 3. The dispatcher function will call GitHub APIs to read data from the last hour and aggregate for operational analytics
-
-# USAGE
-#
-# NOTE: meant to use as a scheduled task only (or manually for debugging purposes).
-
-on:
- workflow_dispatch:
-
- schedule:
- - cron: '0 * * * *'
-
-permissions:
- contents: read
-
-jobs:
- dispatch_token:
- if: github.repository == 'aws-powertools/powertools-lambda-typescript'
- concurrency:
- group: analytics
- runs-on: ubuntu-latest
- environment: analytics
- permissions:
- id-token: write
- actions: read
- checks: read
- contents: read # previously we needed `write` to use GH_TOKEN in our dispatcher (Lambda)
- deployments: read
- issues: read
- discussions: read
- packages: read
- pages: read
- pull-requests: read
- repository-projects: read
- security-events: read
- statuses: read
- steps:
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
- with:
- aws-region: eu-central-1
- role-to-assume: ${{ secrets.AWS_ANALYTICS_ROLE_ARN }}
- mask-aws-account-id: true
-
- - name: Invoke Lambda function
- env:
- TOKEN_GITHUB: ${{ secrets.GITHUB_TOKEN }}
- AWS_ANALYTICS_DISPATCHER_ARN: ${{ secrets.AWS_ANALYTICS_DISPATCHER_ARN }}
- run: |
- payload=$(echo -n '{"githubToken": "$TOKEN_GITHUB"}' | base64)
- response=$(aws lambda invoke \
- --function-name "$AWS_ANALYTICS_DISPATCHER_ARN" \
- --payload "$payload" \
- response.json \
- --query 'FunctionError' \
- --output text)
-
- cat response.json ; echo # add newline at the end
-
- if [ "$response" != "None" ]; then
- echo "Error invoking lambda function: $response. Aborting."
- exit 1
- fi
\ No newline at end of file
diff --git a/.github/workflows/layer_balance.yml b/.github/workflows/layer_balance.yml
index 6761a3abe8..ef99f15ffa 100644
--- a/.github/workflows/layer_balance.yml
+++ b/.github/workflows/layer_balance.yml
@@ -40,6 +40,8 @@ jobs:
 contents: read
 id-token: write
 environment: layer-${{ inputs.environment }}
+ env:
+ BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }}
 steps:
 - id: credentials
 name: AWS Credentials
@@ -62,12 +64,8 @@ jobs:
 - id: run-balance-new-region
 name: Run Balance
 if: ${{ inputs.start_at == '' }}
- env:
- BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }}
 run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
 - id: run-balance-existing
 name: Run Balance (Existing Region)
 if: ${{ inputs.start_at != '' }}
- env:
- BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }}
 run: balance -read-region us-east-1 -start-at ${{ inputs.start_at }} -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
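Review bot: Moving `BALANCE_ROLE_ARN` to the job-level `env:` in the first hunk exports the secret-backed value to every step of the job, including the `AWS Credentials` step and any third-party action that runs before the two `balance` steps, whereas the step-level `env:` blocks removed in the second hunk exposed it only where it is consumed. The value is a role ARN rather than a credential, so the practical exposure is limited, but it is stored in `secrets` and the narrower scope is the one that matches that handling; the duplication the step-level form costs is two lines. If the job-level form is kept, a comment such as `# Shared by both balance steps below; a role ARN, not a credential` next to the new `env:` would record why a secret is exported job-wide.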