diff --git a/.github/workflows/casper-node-launcher-publish.yml b/.github/workflows/casper-node-launcher-publish.yml
index 6bc0af3..e2c5653 100644
--- a/.github/workflows/casper-node-launcher-publish.yml
+++ b/.github/workflows/casper-node-launcher-publish.yml
@@ -1,5 +1,8 @@
 ---
 name: publish-casper-node-launcher
+permissions:
+ contents: read
+ id-token: write
 on:
 push:
@@ -18,6 +21,15 @@ jobs:
 steps:
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #v3.0.2
+ with:
+ key: ${{ matrix.code_name }}
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ACCESS_ROLE_REPO }}
+ role-session-name: GitHub_to_AWS_via_FederatedOIDC
+ aws-region: ${{ secrets.AWS_ACCESS_REGION_REPO }}
 - name: Install deps
 run: |
@@ -44,23 +56,16 @@ jobs:
 - name: Upload binaries to repo
 env:
- AWS_SECRET_ACCESS_KEY: ${{ secrets.APTLY_SECRET_KEY }}
- AWS_ACCESS_KEY_ID: ${{ secrets.APTLY_ACCESS_KEY }}
- PLUGIN_REPO_NAME: ${{ secrets.APTLY_REPO }}
- PLUGIN_REGION: ${{ secrets.APTLY_REGION }}
+ PLUGIN_REPO_NAME: ${{ secrets.AWS_BUCKET_REPO }}
+ PLUGIN_REGION: ${{ secrets.AWS_ACCESS_REGION_REPO }}
 PLUGIN_GPG_KEY: ${{ secrets.APTLY_GPG_KEY }}
 PLUGIN_GPG_PASS: ${{ secrets.APTLY_GPG_PASS }}
- PLUGIN_ACL: 'public-read'
+ PLUGIN_ACL: 'private'
 PLUGIN_PREFIX: 'releases'
 PLUGIN_DEB_PATH: './target/debian'
 PLUGIN_OS_CODENAME: ${{ matrix.code_name }}
 run: ./ci/publish_deb_to_repo.sh
- - name: Invalidate cloudfront
- uses: chetan/invalidate-cloudfront-action@c384d5f09592318a77b1e5c0c8d4772317e48b25 #v2.4
- env:
- DISTRIBUTION: ${{ secrets.APTLY_DIST_ID }}
- PATHS: "/*"
- AWS_REGION: ${{ secrets.APTLY_REGION }}
- AWS_ACCESS_KEY_ID: ${{ secrets.APTLY_ACCESS_KEY }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.APTLY_SECRET_KEY }}
+ - name: Invalidate CloudFront cache
+ run: |
+ aws cloudfront create-invalidation --distribution-id ${{ secrets.AWS_CLOUDFRONT_REPO }} --paths "/*"
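Review bot: `id-token: write` is granted at workflow level in the first hunk, so every job in this workflow can request an OIDC token, not only the one that runs the "Configure AWS credentials" step. The `jobs:` section is mostly outside the diff; if it holds more than one job, move the `permissions:` block onto the publishing job. A short comment such as `# id-token: write is needed for OIDC role assumption by configure-aws-credentials` would record why the grant exists. The IAM role's trust policy is not visible here and should restrict the token's `sub` claim to this repository and the refs that are allowed to publish.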
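Review bot: `aws-actions/configure-aws-credentials@v4` in the second hunk is referenced by a mutable tag, while the checkout step directly above it is pinned to a full commit SHA. This step receives the OIDC token and exports the AWS session credentials, so it is the action most worth pinning, in the form `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4`. Separately, the `with: key: ${{ matrix.code_name }}` added under `actions/checkout` does not match any input that action defines, so it will likely be ignored with an unexpected-input warning; it looks like a leftover from a cache step and should probably be dropped. The job definition begins outside the hunk.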
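Review bot: The new "Invalidate CloudFront cache" step in the third hunk expands `${{ secrets.AWS_CLOUDFRONT_REPO }}` directly into the shell script, unquoted. Pass it through the environment instead so the value never becomes part of the script text: add `env:` with `DISTRIBUTION_ID: ${{ secrets.AWS_CLOUDFRONT_REPO }}` and call `aws cloudfront create-invalidation --distribution-id "$DISTRIBUTION_ID" --paths "/*"`. With `PLUGIN_ACL` now `'private'`, the packages are presumably served only through CloudFront with origin access configured outside this diff, which is worth confirming before merge.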