fix(ci): allow ECR publish on workflow_dispatch and relax OIDC trust policy#369
Merged
fix(ci): allow ECR publish on workflow_dispatch and relax OIDC trust policy#369
Conversation
e9e4e5f0faef
force-pushed
the
fix/ci-oidc-and-publish
branch
from
de83d0a to
f313b2c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
workflow_dispatchevents (previously onlypush)job_workflow_reffrom IAM OIDC trust policy (not supported byaws-actions/configure-aws-credentials)Changes
.github/workflows/build-and-push.ymlworkflow_dispatchto publish and publish-disabled job conditionsinfra/pulumi/__main__.pyjob_workflow_refand redundantissfrom OIDC trust policyWhy
Two CI issues discovered during stage deployment validation:
Publish never ran on manual dispatch: the publish job condition required
github.event_name == 'push', soworkflow_dispatchbuilds succeeded but never pushed to ECR.stage-latestwas stale since Feb 27.Push-triggered builds failed OIDC auth: the
job_workflow_refclaim is present in GitHub OIDC tokens butaws-actions/configure-aws-credentialsdoes not pass it tosts:AssumeRoleWithWebIdentity. Including it as an IAM trust policy condition caused all push events to fail.Validation
pulumi up(IAM role updated immediately)stage-latestimageSafety
No impact on running services. The trust policy change is already live in AWS; this PR syncs the code to match.