From a43e2c22fab76b1ed48cc4631df2c00ef3ff8fc3 Mon Sep 17 00:00:00 2001 From: Rahul Patil Date: Mon, 9 Dec 2024 12:23:38 +0100 Subject: [PATCH] ci(fix): Use OIDC auth to upload artifact on s3 --- .github/actions/upload/action.yml | 7 +++++++ .github/workflows/_build-and-test-locally.yml | 2 ++ 2 files changed, 9 insertions(+) diff --git a/.github/actions/upload/action.yml b/.github/actions/upload/action.yml index 8a4cfe2effb8..17f5f8f04817 100644 --- a/.github/actions/upload/action.yml +++ b/.github/actions/upload/action.yml @@ -53,6 +53,13 @@ runs: echo 'SKIPPED=false' >> $GITHUB_OUTPUT + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: eu-central-1 + role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }} + role-duration-seconds: 3600 + - name: Upload artifact if: ${{ steps.prepare-artifact.outputs.SKIPPED == 'false' }} shell: bash -euxo pipefail {0} diff --git a/.github/workflows/_build-and-test-locally.yml b/.github/workflows/_build-and-test-locally.yml index 42c32a23e39c..e8d83a5f1e8f 100644 --- a/.github/workflows/_build-and-test-locally.yml +++ b/.github/workflows/_build-and-test-locally.yml @@ -37,6 +37,8 @@ env: jobs: build-neon: runs-on: ${{ fromJson(format('["self-hosted", "{0}"]', inputs.arch == 'arm64' && 'large-arm64' || 'large')) }} + permissions: + id-token: write # aws-actions/configure-aws-credentials container: image: ${{ inputs.build-tools-image }} credentials:
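Review bot: The new `Configure AWS credentials` step has no `if:`, so the role is assumed on every run of this composite action, while the `Upload artifact` step right below it is gated on `steps.prepare-artifact.outputs.SKIPPED == 'false'`; adding `if: ${{ steps.prepare-artifact.outputs.SKIPPED == 'false' }}` to the new step avoids minting credentials when there is nothing to upload. The action is referenced by the mutable tag `@v4`, and since this step hands out AWS credentials, pinning it as `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4` (placeholder; take the SHA from the upstream release) guards against a retagged release. As far as I know, the action exports the session credentials into the job environment, so they stay readable by every later step of the calling job for the full `role-duration-seconds: 3600`; a shorter duration would narrow that window if the upload allows it. The rest of the action, including the upload command, is outside the hunk.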
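Review bot: Declaring `permissions:` on `build-neon` with only `id-token: write` sets every scope not listed to `none` for this job, so anything its steps relied on from the default token has to be listed explicitly, for example `contents: read` next to `id-token: write` if the job checks out the repository; the steps are outside the hunk, so please confirm what they need. The use of `inputs.*` suggests this file is a reusable workflow, in which case the calling jobs must grant `id-token: write` as well, because a called workflow cannot raise permissions above its caller's, and no caller is changed in this commit. Every step of this job, which runs on self-hosted runners, can now request an OIDC token, so it is worth confirming that the trust policy of the role in `vars.DEV_AWS_OIDC_ROLE_ARN` restricts the `sub` claim to this repository and the intended refs.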