ci: Use organisation-level AWS secrets
This commit updates the CI workflows to use the `zephyrproject-rtos`
organisation-level AWS secrets instead of the repository-level secrets.
Using organisation-level secrets allows more centralised management of
the access keys used throughout the GitHub Actions CI infrastructure.
Note that the `AWS_*_ACCESS_KEY_ID` is now stored in plaintext as a
variable instead of a secret because it is equivalent to a username and
needs to be identifiable for management and audit purposes.
Signed-off-by: Stephanos Ioannidis <root@stephanos.io>
(cherry picked from commit 8233f8ef91762867bf13d4f22b2f023313421ac6)
diff --git a/.github/workflows/bug_snapshot.yaml b/.github/workflows/bug_snapshot.yaml
index e9c536f..99163b4 100644
--- a/.github/workflows/bug_snapshot.yaml
+++ b/.github/workflows/bug_snapshot.yaml
@@ -44,7 +44,7 @@
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
- aws-access-key-id: ${{ secrets.AWS_BUILDS_ZEPHYR_BUG_SNAPSHOT_ACCESS_KEY_ID }}
+ aws-access-key-id: ${{ vars.AWS_BUILDS_ZEPHYR_BUG_SNAPSHOT_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_BUILDS_ZEPHYR_BUG_SNAPSHOT_SECRET_ACCESS_KEY }}
aws-region: us-east-1
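Review bot: The step still authenticates with a long-lived IAM access key pair (`aws-access-key-id` / `aws-secret-access-key`), so moving the values to organisation scope changes where the key is stored but not how long a leaked key stays usable. `aws-actions/configure-aws-credentials` also accepts `role-to-assume`, which together with the job permission `id-token: write` replaces the static pair with short-lived credentials issued through GitHub's OIDC provider, e.g. `role-to-assume: <ROLE_ARN_PLACEHOLDER>`. The same applies to the `Configure AWS Credentials` steps in daily_test_version.yml, doc-publish-pr.yml, doc-publish.yml, footprint-tracking.yml and issue_count.yml. The job's `permissions` block, if any, is outside this hunk, so whether OIDC is already permitted cannot be told from here.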
diff --git a/.github/workflows/clang.yaml b/.github/workflows/clang.yaml
index e81303f..f1edace 100644
--- a/.github/workflows/clang.yaml
+++ b/.github/workflows/clang.yaml
@@ -87,8 +87,8 @@
key: ${{ steps.ccache_cache_timestamp.outputs.repo }}-${{ github.ref_name }}-clang-${{ matrix.platform }}-ccache
path: /github/home/.ccache
aws-s3-bucket: ccache.zephyrproject.org
- aws-access-key-id: ${{ secrets.CCACHE_S3_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.CCACHE_S3_SECRET_ACCESS_KEY }}
+ aws-access-key-id: ${{ vars.AWS_CCACHE_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_CCACHE_SECRET_ACCESS_KEY }}
aws-region: us-east-2
- name: ccache stats initial
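Review bot: Nothing in this change shows the repository-level `CCACHE_S3_ACCESS_KEY_ID` / `CCACHE_S3_SECRET_ACCESS_KEY` being retired, and if `AWS_CCACHE_SECRET_ACCESS_KEY` holds the same key material, the old copies stay valid alongside the new one. I would issue a fresh key for the organisation-level secret, delete the old repository secrets once this lands, and record that next to the inputs, e.g. `# AWS_CCACHE_*: organisation-level; repository-level CCACHE_S3_* removed`. Depending on its access policy, an organisation-level secret can be readable by every repository in the organisation, so it should be limited to the repositories that use the cache; that setting is not visible in the diff and needs confirming. The same applies to the codecov.yaml and twister.yaml hunks and to the renamed pairs in daily_test_version.yml, doc-publish.yml, footprint-tracking.yml and issue_count.yml; the cache step's `uses:` line is outside this hunk.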
diff --git a/.github/workflows/codecov.yaml b/.github/workflows/codecov.yaml
index 0431f2d..726691f 100644
--- a/.github/workflows/codecov.yaml
+++ b/.github/workflows/codecov.yaml
@@ -71,8 +71,8 @@
key: ${{ steps.ccache_cache_prop.outputs.repo }}-${{github.event_name}}-${{matrix.platform}}-codecov-ccache
path: /github/home/.ccache
aws-s3-bucket: ccache.zephyrproject.org
- aws-access-key-id: ${{ secrets.CCACHE_S3_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.CCACHE_S3_SECRET_ACCESS_KEY }}
+ aws-access-key-id: ${{ vars.AWS_CCACHE_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_CCACHE_SECRET_ACCESS_KEY }}
aws-region: us-east-2
- name: ccache stats initial
diff --git a/.github/workflows/daily_test_version.yml b/.github/workflows/daily_test_version.yml
index 1ff2301..338112f 100644
--- a/.github/workflows/daily_test_version.yml
+++ b/.github/workflows/daily_test_version.yml
@@ -19,8 +19,8 @@
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TESTING }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TESTING }}
+ aws-access-key-id: ${{ vars.AWS_TESTING_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_TESTING_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: install-pip
diff --git a/.github/workflows/doc-publish-pr.yml b/.github/workflows/doc-publish-pr.yml
index 0f653ef..ea46bf0 100644
--- a/.github/workflows/doc-publish-pr.yml
+++ b/.github/workflows/doc-publish-pr.yml
@@ -50,7 +50,7 @@
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
- aws-access-key-id: ${{ secrets.AWS_BUILDS_ZEPHYR_PR_ACCESS_KEY_ID }}
+ aws-access-key-id: ${{ vars.AWS_BUILDS_ZEPHYR_PR_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_BUILDS_ZEPHYR_PR_SECRET_ACCESS_KEY }}
aws-region: us-east-1
diff --git a/.github/workflows/doc-publish.yml b/.github/workflows/doc-publish.yml
index c537608..f91b532 100644
--- a/.github/workflows/doc-publish.yml
+++ b/.github/workflows/doc-publish.yml
@@ -36,8 +36,8 @@
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-access-key-id: ${{ vars.AWS_DOCS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_DOCS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Upload to AWS S3
diff --git a/.github/workflows/footprint-tracking.yml b/.github/workflows/footprint-tracking.yml
index c80dbcd..09976ac 100644
--- a/.github/workflows/footprint-tracking.yml
+++ b/.github/workflows/footprint-tracking.yml
@@ -60,8 +60,8 @@
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
- aws-access-key-id: ${{ secrets.FOOTPRINT_AWS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.FOOTPRINT_AWS_ACCESS_KEY }}
+ aws-access-key-id: ${{ vars.AWS_TESTING_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_TESTING_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Record Footprint
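Review bot: The footprint job gives up its dedicated `FOOTPRINT_AWS_KEY_ID` / `FOOTPRINT_AWS_ACCESS_KEY` pair and now uses `AWS_TESTING_*`, the same credential as daily_test_version.yml and issue_count.yml, so one IAM identity has to carry the permissions of all three workflows and a leak from any of them reaches the others' data. If the merge is intentional, a comment above the inputs would make it auditable, e.g. `# shared AWS_TESTING key: also used by daily_test_version.yml and issue_count.yml`; otherwise keep a separate organisation-level pair for the footprint data. Which buckets or paths each workflow writes to is outside the hunks, so the actual overlap in permissions is an assumption to check against the IAM policy.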
diff --git a/.github/workflows/issue_count.yml b/.github/workflows/issue_count.yml
index 8becf20..bf88d65 100644
--- a/.github/workflows/issue_count.yml
+++ b/.github/workflows/issue_count.yml
@@ -44,8 +44,8 @@
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TESTING }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TESTING }}
+ aws-access-key-id: ${{ vars.AWS_TESTING_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_TESTING_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Post Results
diff --git a/.github/workflows/twister.yaml b/.github/workflows/twister.yaml
index 39aa8ec..2b17875 100644
--- a/.github/workflows/twister.yaml
+++ b/.github/workflows/twister.yaml
@@ -197,8 +197,8 @@
key: ${{ steps.ccache_cache_timestamp.outputs.repo }}-${{ github.ref_name }}-${{github.event_name}}-${{ matrix.subset }}-ccache
path: /github/home/.ccache
aws-s3-bucket: ccache.zephyrproject.org
- aws-access-key-id: ${{ secrets.CCACHE_S3_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.CCACHE_S3_SECRET_ACCESS_KEY }}
+ aws-access-key-id: ${{ vars.AWS_CCACHE_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_CCACHE_SECRET_ACCESS_KEY }}
aws-region: us-east-2
- name: ccache stats initial