diff --git a/.github/workflows/api.yml b/.github/workflows/api.yml index 36621f9..3dff13f 100644 --- a/.github/workflows/api.yml +++ b/.github/workflows/api.yml @@ -21,6 +21,10 @@ env: CUBE_TASK_DEFINITION: cube-dezswap-api CUBE_CONTAINER_NAME: cube-dezswap-api +permissions: + id-token: write + contents: read + jobs: check_paths: runs-on: ubuntu-latest @@ -63,15 +67,15 @@ jobs: uses: actions/checkout@v3 - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@v3 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + role-session-name: terraswap-service-deploy aws-region: ${{ env.AWS_REGION }} - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@v1.5.1 + uses: aws-actions/amazon-ecr-login@v2 - name: Test, build, tag, and push image to Amazon ECR id: build-image @@ -107,15 +111,16 @@ jobs: environment: production steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@v3 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + role-session-name: terraswap-service-deploy aws-region: ${{ env.AWS_REGION }} + - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@v1.5.1 + uses: aws-actions/amazon-ecr-login@v2 - name: Download Task Definition id: download-task-definition 
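Review bot: `id-token: write` is granted at workflow level in this hunk, so every job can request an OIDC token, including `check_paths`, which from the visible context does not appear to call AWS. Keeping only `contents: read` in the top-level `permissions:` block and adding `id-token: write` in a job-level `permissions:` on the jobs that run `configure-aws-credentials` would limit which steps can mint a token. The same block is added to `.github/workflows/indexer.yml`. The body of `check_paths` lies outside the hunk, so confirm it has no AWS step before narrowing.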
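Review bot: The new `uses:` lines in this build job move from exact release tags (`@v1.7.0`, `@v1.5.1`) to floating major tags (`@v3`, `@v2`), which can be re-pointed upstream without any change in this repository. That matters more now that the job mints AWS credentials through OIDC. Pinning to a full commit SHA with the release as a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v3.x.y` (placeholder values), keeps the reviewed code fixed. The same applies to every `uses:` line changed in both workflow files, including `amazon-ecs-deploy-task-definition@v2` in `indexer.yml`.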
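Review bot: This production deploy job assumes the same `secrets.AWS_ROLE_ARN` under the same fixed `role-session-name: terraswap-service-deploy` as the build job in the previous hunk and every job changed in `indexer.yml`, so CloudTrail entries cannot be tied to a workflow or run. A per-job name that includes the run, for example `role-session-name: dezswap-api-deploy-${{ github.run_id }}` (name constructed for illustration), would restore that attribution. Sharing one role also means its trust policy presumably cannot restrict the `sub` claim to `environment:production` unless the build job declares that environment too, which the hunks do not show. It is worth confirming the policy at least pins the repository and `aud`, and considering separate build and deploy roles. The `terraswap` prefix looks carried over from another project.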
@@ -146,15 +151,15 @@ jobs: environment: production steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@v3 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + role-session-name: terraswap-service-deploy aws-region: ${{ env.AWS_REGION }} - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@v1.5.1 + uses: aws-actions/amazon-ecr-login@v2 - name: Download Task Definition id: download-task-definition diff --git a/.github/workflows/indexer.yml b/.github/workflows/indexer.yml index da0cca6..2139730 100644 --- a/.github/workflows/indexer.yml +++ b/.github/workflows/indexer.yml @@ -21,6 +21,10 @@ env: CUBE_TASK_DEFINITION: cube-dezswap-api-indexer CUBE_CONTAINER_NAME: cube-dezswap-api-indexer +permissions: + id-token: write + contents: read + jobs: check_paths: runs-on: ubuntu-latest @@ -63,15 +67,15 @@ jobs: uses: actions/checkout@v3 - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@v3 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + role-session-name: terraswap-service-deploy aws-region: ${{ env.AWS_REGION }} - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@v1.5.1 + uses: aws-actions/amazon-ecr-login@v2 - name: Test, build, tag, and push image to Amazon ECR id: build-image 
@@ -107,15 +111,15 @@ jobs: environment: production steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@v3 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + role-session-name: terraswap-service-deploy aws-region: ${{ env.AWS_REGION }} - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@v1.5.1 + uses: aws-actions/amazon-ecr-login@v2 - name: Download Task Definition id: download-task-definition @@ -125,14 +129,14 @@ jobs: - name: Fill in the new image ID in the Amazon ECS task definition id: task-def - uses: aws-actions/amazon-ecs-render-task-definition@v1.1.3 + uses: aws-actions/amazon-ecs-render-task-definition@v1.5.1 with: task-definition: ./${{ env.DIMENSION_TASK_DEFINITION }}.json container-name: ${{ env.DIMENSION_CONTAINER_NAME }} image: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY}}:${{ needs.build.outputs.dimension-tag }} - name: Deploy Amazon ECS task definition - uses: aws-actions/amazon-ecs-deploy-task-definition@v1.4.11 + uses: aws-actions/amazon-ecs-deploy-task-definition@v2 with: task-definition: ${{ steps.task-def.outputs.task-definition }} service: ${{ env.DIMENSION_ECS_SERVICE }} @@ -146,15 +150,15 @@ jobs: environment: production steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@v3 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + role-session-name: terraswap-service-deploy aws-region: ${{ env.AWS_REGION }} - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@v1.5.1 + uses: aws-actions/amazon-ecr-login@v2 - name: Download Task Definition id: download-task-definition