
Commit 758dfd9

committed
feat: add support for aws OIDC authentication
1 parent ddbae5b commit 758dfd9

1 file changed

Lines changed: 35 additions & 0 deletions


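--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -133,6 +133,14 @@ on:
         type: string
         description: "Flavor defines a global behavior for meta-tags"
         required: false
+      aws-region:
+        type: string
+        description: "AWS region to use when assuming the OIDC role for ECR auth"
+        required: false
+      aws-role-to-assume:
+        type: string
+        description: "IAM role ARN to assume via OIDC for ECR auth before docker/login-action"
+        required: false
     secrets:
       registry-auths:
         description: "Raw authentication to registries, defined as YAML objects (for image output)"
@@ -467,6 +475,9 @@ jobs:
     runs-on: ${{ matrix.runner }}
     needs:
       - prepare
+    permissions:
+      id-token: write
+      contents: read
     strategy:
       fail-fast: ${{ inputs.fail-fast }}
       matrix:
@@ -814,6 +825,13 @@ jobs:
               // for a public repository, we set max provenance mode
               core.setOutput('provenance', Build.resolveProvenanceAttrs(`mode=max,version=v1`));
             }
+      -
+        name: Configure AWS Credentials
+        if: ${{ inputs.push && inputs.output == 'image' && inputs.aws-role-to-assume != '' }}
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        with:
+          aws-region: ${{ inputs.aws-region }}
+          role-to-assume: ${{ inputs.aws-role-to-assume }}
       -
         name: Login to registry
         if: ${{ inputs.push && inputs.output == 'image' }}
@@ -844,6 +862,13 @@ jobs:
         env:
           BUILDKIT_MULTI_PLATFORM: 1
           GIT_AUTH_TOKEN: ${{ secrets.github-token || github.token }}
+      -
+        name: Configure AWS Credentials for signing
+        if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' && inputs.aws-role-to-assume != '' }}
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        with:
+          aws-region: ${{ inputs.aws-region }}
+          role-to-assume: ${{ inputs.aws-role-to-assume }}
       -
         name: Login to registry for signing
         if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }}
@@ -964,6 +989,9 @@ jobs:
 
   finalize:
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
     outputs:
       meta-json: ${{ steps.meta.outputs.json }}
       cosign-version: ${{ env.COSIGN_VERSION }}
@@ -1010,6 +1038,13 @@ jobs:
           flavor: ${{ inputs.meta-flavor }}
           labels: ${{ inputs.meta-labels }}
           annotations: ${{ inputs.meta-annotations }}
+      -
+        name: Configure AWS Credentials
+        if: ${{ inputs.push && inputs.output == 'image' && inputs.aws-role-to-assume != '' }}
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        with:
+          aws-region: ${{ inputs.aws-region }}
+          role-to-assume: ${{ inputs.aws-role-to-assume }}
       -
         name: Login to registry
         if: ${{ inputs.push && inputs.output == 'image' }}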
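Review bot: The `Configure AWS Credentials` steps (first in the hunk at `@@ -814,6 +825,13 @@`, repeated in the two later hunks) are guarded only on `inputs.aws-role-to-assume != ''`, while `aws-region` is declared `required: false` with no default, so a caller that sets the role but not the region reaches configure-aws-credentials without a region and the step fails at runtime; either extend each guard to `&& inputs.aws-region != ''` or state it in the input's description, e.g. `description: "AWS region to use when assuming the OIDC role for ECR auth (required when aws-role-to-assume is set)"`. None of the three steps sets `role-session-name`, so every assumption is recorded in CloudTrail under the action's default session name; a run-derived value such as `role-session-name: gha-${{ github.run_id }}` keeps STS sessions attributable to a specific workflow run. Adding an explicit `permissions:` block to the `build` and `finalize` jobs also replaces whatever permissions those jobs previously inherited from the caller, so any other GITHUB_TOKEN scope they rely on (for example `packages: write` for a GHCR push) now has to be listed there; the rest of both jobs is outside these hunks, so I cannot confirm whether that applies. The surrounding `steps:` lists start and end outside the hunks.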
