Merge pull request hms-dbmi-cellenics#496 from hms-dbmi-cellenics/rev…

…ert-495-move-to-oidc Revert "Move to OIDC -- test"
biomage-org · Oct 27, 2023 · c7cd00c · c7cd00c
2 parents 820c07d + 70cd688
commit c7cd00c
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 11 deletions.
diff --git a/.ci.yaml b/.ci.yaml
@@ -0,0 +1,29 @@
+ci-policies:
+    - PolicyName: "get-ecr-auth-token"
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - "ecr:GetAuthorizationToken"
+            Resource: "*"
+
+    - PolicyName: "manage-ecr-contents"
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - "ecr:BatchCheckLayerAvailability"
+              - "ecr:GetDownloadUrlForLayer"
+              - "ecr:GetRepositoryPolicy"
+              - "ecr:DescribeRepositories"
+              - "ecr:ListImages"
+              - "ecr:DescribeImages"
+              - "ecr:BatchGetImage"
+              - "ecr:InitiateLayerUpload"
+              - "ecr:UploadLayerPart"
+              - "ecr:CompleteLayerUpload"
+              - "ecr:PutImage"
+              - "ecr:CreateRepository"
+            Resource: !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/api"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -15,11 +15,6 @@ on:
       - opened
       - synchronize
       - reopened
-
-permissions:
-  id-token: write
-  contents: read
-
 jobs:
   is-safe-to-run:
     name: Sensitive jobs are safe to be run
@@ -221,13 +216,13 @@ jobs:
           IMAGE_REPO_NAME=$(echo $GITHUB_REPOSITORY | awk -F '/' '{print $2}')
           echo "repo-name=$IMAGE_REPO_NAME" >> $GITHUB_OUTPUT
 
-      - id: setup-aws
+      - id: set-up-creds
         name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v1
         with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-role-api
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ secrets.AWS_REGION }}
-
       - id: login-ecr
         name: Login to Amazon ECR
         uses: aws-actions/amazon-ecr-login@v1
@@ -278,9 +273,10 @@ jobs:
 
       - id: setup-aws
         name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v1
         with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-role-api
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ secrets.AWS_REGION }}
 
       - id: login-ecr