fix: inline org action that gets a token for aws

zejd-cicak · zejd-cicak · commit 1f3ef6fbba88 · 2025-01-31T13:57:32.000+01:00
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -19,13 +19,34 @@ jobs:
       id-token: write
       contents: read
     steps:
-      - name: Get GH app token
-        id: gh-app-token
-        uses: cloudbeds/composite-actions/gh-app-token@v2
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::048781935247:role/GH-APP-OIDC-CBMyFrontDesk
+          aws-region: us-west-2
+
+      - name: Get app private key from SSM and apply mask
+        id: app-private-key
+        shell: bash
+        run: |
+          aws ssm get-parameter --name /github/app/CBMyFrontDesk/private-key --output text --with-decryption --query Parameter.Value > private.key
+          echo "APP_PRIVATE_KEY<<EOF" >> $GITHUB_ENV
+          cat private.key >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
+          while read -r line;
+          do
+            if [[ -n "${line}" ]]; then
+              echo "::add-mask::${line}"
+            fi
+          done < private.key
+          rm private.key
+
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@v2
         with:
           app_id: 391670
-          aws_role_arn: arn:aws:iam::048781935247:role/GH-APP-OIDC-CBMyFrontDesk
-          aws_ssm_param_name: /github/app/CBMyFrontDesk/private-key
+          private_key: ${{ env.APP_PRIVATE_KEY }}
 
       - name: Checkout code
         uses: actions/checkout@v4
