fix: switch to aws roles

inian · inian · commit 37093af00f69 · 2023-01-17T20:47:58.000+08:00
diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml
@@ -14,12 +14,16 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
     steps:
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
+          aws-region: us-east-1
       - uses: docker/login-action@v2
         with:
           registry: public.ecr.aws
-          username: ${{ secrets.PROD_ACCESS_KEY_ID }}
-          password: ${{ secrets.PROD_SECRET_ACCESS_KEY }}
       - uses: docker/login-action@v2
         with:
           registry: ghcr.io
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -16,6 +16,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
     steps:
       - id: meta
         uses: docker/metadata-action@v4
@@ -36,12 +37,15 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
+          aws-region: us-east-1
       - name: Login to ECR
         uses: docker/login-action@v2
         with:
           registry: public.ecr.aws
-          username: ${{ secrets.PROD_ACCESS_KEY_ID }}
-          password: ${{ secrets.PROD_SECRET_ACCESS_KEY }}
       - name: Login to GHCR
         uses: docker/login-action@v2
         with:
