test: add premission block

samrose · samrose · commit 9b3b0d2111a9 · 2025-04-30T15:37:12.000-04:00
diff --git a/.github/workflows/testinfra-only.yml b/.github/workflows/testinfra-only.yml
@@ -1,4 +1,9 @@
 name: Testinfra Test Only
+
+permissions:
+  contents: read
+  id-token: write
+
 on:
   workflow_dispatch:
     inputs:
@@ -17,11 +22,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role
-          aws-region: ${{ env.AWS_REGION }}
       - name: Run tests
         timeout-minutes: 10
         env:
diff --git a/flake.nix b/flake.nix
@@ -870,6 +870,13 @@
                 # Get current repository name
                 REPO=$(git remote get-url origin | sed -E 's/.*github.com[:/](.*)\.git/\1/')
 
+                # Check AWS credentials
+                if [ -z "${AWS_VAULT:-}" ]; then
+                  echo "Error: AWS_VAULT environment variable must be set with the profile name"
+                  echo "Usage: aws-vault exec supabase-dev -- nix run .#run-testinfra <ami-name> [branch]"
+                  exit 1
+                fi
+
                 # Trigger the workflow with the AMI name
                 echo "Triggering testinfra-only workflow for AMI: $AMI_NAME on branch: $BRANCH"
                 gh workflow run testinfra-only.yml --ref "$BRANCH" -f ami_name="$AMI_NAME"
@@ -879,7 +886,7 @@
                 sleep 5
                 
                 # Get the latest run ID for this workflow
-                RUN_ID=$(gh run list --workflow=testinfra-only.yml  --branch "$BRANCH" --limit 1 --json databaseId --jq '.[0].databaseId')
+                RUN_ID=$(gh run list --workflow=testinfra-only.yml --branch "$BRANCH" --limit 1 --json databaseId --jq '.[0].databaseId')
                 
                 if [ -z "$RUN_ID" ]; then
                   echo "Error: Could not find workflow run ID"
@@ -893,11 +900,11 @@
 
                 # Try to watch the run, but handle network errors gracefully
                 while true; do
-                  if gh run watch "$RUN_ID" --repo "$REPO" --exit-status; then
+                  if gh run watch "$RUN_ID" --exit-status; then
                     break
                   else
                     echo "Network error while watching workflow. Retrying in 5 seconds..."
-                    echo "You can also check the status manually with: gh run view $RUN_ID --repo $REPO"
+                    echo "You can also check the status manually with: gh run view $RUN_ID"
                     sleep 5
                   fi
                 done
