chore: synced local '.github/workflows/s3-backup.yml' with remote 'tools/sre_file_sync/s3-backup.yml'

Author: sre-read-write[bot]

.github/workflows/s3-backup.yml

@@ -4,6 +4,10 @@ on:
   schedule:
     - cron: "0 6 * * *"
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   s3-backup:
     runs-on: ubuntu-latest
@@ -13,24 +17,20 @@ jobs:
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0 # retrieve all history
+        persist-credentials: false
 
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
       with:
-        aws-access-key-id: ${{ secrets.AWS_S3_BACKUP_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ secrets.AWS_S3_BACKUP_SECRET_ACCESS_KEY }}
+        role-to-assume: ${{ secrets.AWS_S3_BACKUP_IAM_ROLE_ARN }}
+        role-session-name: S3Backup
         aws-region: ca-central-1
 
-    - name: Create ZIP bundle
+    - name: Upload zip to S3 bucket
       run: |
         ZIP_FILE=`basename ${{ github.repository }}`-`date '+%Y-%m-%d'`.zip
         zip -rq "${ZIP_FILE}" .
-        mkdir -p ${{ github.repository }}
-        mv "${ZIP_FILE}" ${{ github.repository }}
-
-    - name: Upload to S3 bucket
-      run: |
-        aws s3 sync . s3://${{ secrets.AWS_S3_BACKUP_BUCKET }} --exclude='*' --include='${{ github.repository }}/*'
+        aws s3 cp "${ZIP_FILE}" s3://${{ secrets.AWS_S3_BACKUP_BUCKET }}/${{ github.repository }}/"${ZIP_FILE}"
 
     - name: Notify Slack channel if this job failed
       if: ${{ failure() }}