Publish release artifacts to S3.

This uses GitHub Action's federated OIDC support, so it does not require any explicit credentials. The role ARN is stored in a GitHub secret to avoid leaking our account ID, but it's not sensitive data otherwise. Signed-off-by: Aaron Jacobs <[email protected]>
rstudio · Apr 5, 2022 · 3cd9b22 · 3cd9b22
1 parent 41d9c98
commit 3cd9b22
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -24,6 +24,11 @@ jobs:
       uses: sigstore/cosign-installer@main
       with:
         cosign-release: 'v1.6.0'
+    - uses: aws-actions/configure-aws-credentials@v1
+      with:
+        role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+        role-session-name: gha-rskey
+        aws-region: us-east-1
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v2
       with:

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -24,6 +24,10 @@ archives:
   format_overrides:
   - goos: windows
     format: zip
+blobs:
+- provider: s3
+  bucket: rstudio-platform-public-artifacts
+  folder: "rskey/{{ .Version }}"
 release:
   draft: true
   header: |