|
133 | 133 | type: string |
134 | 134 | description: "Flavor defines a global behavior for meta-tags" |
135 | 135 | required: false |
| 136 | + aws-region: |
| 137 | + type: string |
| 138 | + description: "AWS region to use when assuming the OIDC role for ECR auth" |
| 139 | + required: false |
| 140 | + aws-role-to-assume: |
| 141 | + type: string |
| 142 | + description: "IAM role ARN to assume via OIDC for ECR auth before docker/login-action" |
| 143 | + required: false |
136 | 144 | secrets: |
137 | 145 | registry-auths: |
138 | 146 | description: "Raw authentication to registries, defined as YAML objects (for image output)" |
@@ -467,6 +475,9 @@ jobs: |
467 | 475 | runs-on: ${{ matrix.runner }} |
468 | 476 | needs: |
469 | 477 | - prepare |
| 478 | + permissions: |
| 479 | + id-token: write |
| 480 | + contents: read |
470 | 481 | strategy: |
471 | 482 | fail-fast: ${{ inputs.fail-fast }} |
472 | 483 | matrix: |
@@ -814,6 +825,13 @@ jobs: |
814 | 825 | // for a public repository, we set max provenance mode |
815 | 826 | core.setOutput('provenance', Build.resolveProvenanceAttrs(`mode=max,version=v1`)); |
816 | 827 | } |
| 828 | + - |
| 829 | + name: Configure AWS Credentials |
| 830 | + if: ${{ inputs.push && inputs.output == 'image' && inputs.aws-role-to-assume != '' }} |
| 831 | + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 |
| 832 | + with: |
| 833 | + aws-region: ${{ inputs.aws-region }} |
| 834 | + role-to-assume: ${{ inputs.aws-role-to-assume }} |
817 | 835 | - |
818 | 836 | name: Login to registry |
819 | 837 | if: ${{ inputs.push && inputs.output == 'image' }} |
@@ -844,6 +862,13 @@ jobs: |
844 | 862 | env: |
845 | 863 | BUILDKIT_MULTI_PLATFORM: 1 |
846 | 864 | GIT_AUTH_TOKEN: ${{ secrets.github-token || github.token }} |
| 865 | + - |
| 866 | + name: Configure AWS Credentials for signing |
| 867 | + if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' && inputs.aws-role-to-assume != '' }} |
| 868 | + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 |
| 869 | + with: |
| 870 | + aws-region: ${{ inputs.aws-region }} |
| 871 | + role-to-assume: ${{ inputs.aws-role-to-assume }} |
847 | 872 | - |
848 | 873 | name: Login to registry for signing |
849 | 874 | if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }} |
@@ -964,6 +989,9 @@ jobs: |
964 | 989 |
|
965 | 990 | finalize: |
966 | 991 | runs-on: ubuntu-24.04 |
| 992 | + permissions: |
| 993 | + id-token: write |
| 994 | + contents: read |
967 | 995 | outputs: |
968 | 996 | meta-json: ${{ steps.meta.outputs.json }} |
969 | 997 | cosign-version: ${{ env.COSIGN_VERSION }} |
@@ -1010,6 +1038,13 @@ jobs: |
1010 | 1038 | flavor: ${{ inputs.meta-flavor }} |
1011 | 1039 | labels: ${{ inputs.meta-labels }} |
1012 | 1040 | annotations: ${{ inputs.meta-annotations }} |
| 1041 | + - |
| 1042 | + name: Configure AWS Credentials |
| 1043 | + if: ${{ inputs.push && inputs.output == 'image' && inputs.aws-role-to-assume != '' }} |
| 1044 | + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 |
| 1045 | + with: |
| 1046 | + aws-region: ${{ inputs.aws-region }} |
| 1047 | + role-to-assume: ${{ inputs.aws-role-to-assume }} |
1013 | 1048 | - |
1014 | 1049 | name: Login to registry |
1015 | 1050 | if: ${{ inputs.push && inputs.output == 'image' }} |
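Review bot: The `Configure AWS Credentials` steps (new lines 828, 865 and 1041) guard only on `inputs.aws-role-to-assume != ''`, so a caller that sets the role but leaves `aws-region` at its default empty string reaches the action with an empty region, where the step presumably fails rather than being skipped; either extend the guard with `&& inputs.aws-region != ''` or, better, make the dependency explicit in the input description, e.g. `description: "AWS region to use when assuming the OIDC role for ECR auth (required when aws-role-to-assume is set)"`. Documenting it is preferable to a silent skip, because the following `Login to registry` step only checks `inputs.push && inputs.output == 'image'` and would then surface a less clear auth failure. Separately, the job-level `permissions:` blocks added before `strategy:` and under `finalize:` replace whatever the caller granted with just `id-token: write` and `contents: read`; if any step in those jobs relies on `github.token` for another scope (pushing to ghcr.io needs `packages: write`), it now fails, which is worth confirming against the registries this workflow supports. The same seven-line credential step is pasted three times; a single step with a combined condition, or a composite action, would keep the copies from drifting.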
|