configure OIDC

Author: 0marperez

.github/workflows/run-release.yml

@@ -1,14 +1,18 @@
 name: Release
 
 on:
-  pull_request:
+  pull_request: # TODO: REMOVE
   workflow_dispatch:
     inputs:
       version-override:
         type: string
         required: false
         description: 'Optionally specify a custom release version (minor version bump e.g.)'
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -50,7 +54,7 @@ jobs:
       - name: Configure Gradle
         uses: awslabs/aws-kotlin-repo-tools/.github/actions/configure-gradle@main
 
-      - name: Configure AWS Credentials
+      - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ secrets.PUBLISHING_ROLE_ARN }}
@@ -59,7 +63,7 @@ jobs:
       - name: Run release
         env:
           RELEASE_BUCKET: ${{ secrets.RELEASE_BUCKET }}
-          PUBLISHING_ROLE_ARN: ${{ secrets.PUBLISHING_ROLE_ARN }}
+          PUBLISHING_ROLE_ARN: ${{ secrets.PUBLISHING_ROLE_ARN }} # TODO: REMOVE
         run: |
           ./scripts/release.sh
 

scripts/release.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 [ -z "$RELEASE_BUCKET" ] && { echo "RELEASE_BUCKET environment variable not set"; exit 1; }
-[ -z "$PUBLISHING_ROLE_ARN" ] && { echo "PUBLISHING_ROLE_ARN environment variable not set"; exit 1; }
+[ -z "$PUBLISHING_ROLE_ARN" ] && { echo "PUBLISHING_ROLE_ARN environment variable not set"; exit 1; } # TODO: REMOVE
 
 VERSION=$(git describe --tags --abbrev=0)
 HEAD_COMMIT=$(git rev-parse HEAD)