github-workflows/.github/workflows/stampyUpload.yml at 3b5bf4c18821b4d8f227803cd7ea0fb33eb20cf7 · salesforcecli/github-workflows · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
on:
  workflow_call:
    inputs:
      version:
        type: string
        required: true
        description: version for upload. do not include the 'v'

jobs:
  upload:
    runs-on: ubuntu-latest
    steps:
      - uses: salesforcecli/github-workflows/.github/actions/versionInfo@main
        id: version-info
        with:
          version: ${{ inputs.version }}
          npmPackage: "@salesforce/cli"

      - name: Save filename (without arch/extension) for reuse
        id: filename
        run: echo "FILEBASE=sf-v$INPUTS_VERSION-$STEPS_VERSION_INFO_SHA" >> "$GITHUB_OUTPUT"
        env:
          INPUTS_VERSION: ${{ inputs.version }}
          STEPS_VERSION_INFO_SHA: ${{ steps.version-info.outputs.sha }}

      - name: Download from s3
        run: |
          aws s3 cp "s3://dfc-data-production/media/salesforce-cli/sf/versions/$INPUTS_VERSION/$STEPS_VERSION_INFO_SHA/$STEPS_FILENAME_FILEBASE-x64.exe" .
          aws s3 cp "s3://dfc-data-production/media/salesforce-cli/sf/versions/$INPUTS_VERSION/$STEPS_VERSION_INFO_SHA/$STEPS_FILENAME_FILEBASE-arm64.exe" .
        env:
          INPUTS_VERSION: ${{ inputs.version }}
          STEPS_VERSION_INFO_SHA: ${{ steps.version-info.outputs.sha }}
          STEPS_FILENAME_FILEBASE: ${{ steps.filename.outputs.FILEBASE }}
          # workaround for AWS CLI not having its region set (see https://github.com/actions/runner-images/issues/2791)
          AWS_EC2_METADATA_DISABLED: true
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      # Note: we first need to switch AWS identity to the one that can access stampy
      - name: Upload to unsigned bucket
        run: |
          ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
          TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing)
          export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
          export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
          export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
          aws s3 cp "$STEPS_FILENAME_FILEBASE-x64.exe" "$STAMPY_UNSIGNED_BUCKET/$STEPS_FILENAME_FILEBASE-x64.exe"
          aws s3 cp "$STEPS_FILENAME_FILEBASE-arm64.exe" "$STAMPY_UNSIGNED_BUCKET/$STEPS_FILENAME_FILEBASE-arm64.exe"
        env:
          STEPS_FILENAME_FILEBASE: ${{ steps.filename.outputs.FILEBASE }}
          STAMPY_ARN: ${{ secrets.STAMPY_ARN }}
          STAMPY_UNSIGNED_BUCKET: ${{ secrets.STAMPY_UNSIGNED_BUCKET }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_EC2_METADATA_DISABLED: true