Allow seasonal-flu/* to assume GitHubActionsRoleNextstrainBatchJobs #19
Conversation
joverlee521
force-pushed
the
seasonal-flu-batch
branch
2 times, most recently
from
4bf4cfa
to
c0f3a2c
Compare
| # from AWS Batch before bundling/deploying them through Netlify. | ||
| # This special case can be removed when we finally sunset the private site. | ||
| # -Jover, 07 June 2024 | ||
| "repo:nextstrain/seasonal-flu:*:job_workflow_ref:nextstrain/seasonal-flu/.github/workflows/deploy-private-nextflu.yaml@*", |
There was a problem hiding this comment.
Ah, just reading the OIDC docs more closely, job_workflow_ref is for called reusable workflows only...what we need here would be workflow_ref
There was a problem hiding this comment.
Oy. Really wishing GitHub allowed mapping of other claims in its token so we could use PrincipalTags here without a bunch of effort. But they don't, so.
We could add workflow_ref to the sub claim and adjust other conditions to account for it too, e.g.
…/pathogen-repo-build@*:workflow_ref:*
or change nothing about sub and simply let everything in seasonal-flu access Batch for now.
repo:nextstrain/seasonal-flu:*
There was a problem hiding this comment.
The first option would look like 3dd92dd.
There was a problem hiding this comment.
The first option would look like 3dd92dd.
Thanks! I'll cherry-pick and deploy the changes to give it a try.
There was a problem hiding this comment.
Trying the second option with 81b8676
There was a problem hiding this comment.
...and that's working as expected 🎉
There was a problem hiding this comment.
\o/ Kinda surprised that adding the missing @* wasn't enough... wonder what it was.
There was a problem hiding this comment.
I'm leaving that mystery for another time...
joverlee521
force-pushed
the
seasonal-flu-batch
branch
from
c0f3a2c
to
538385e
Compare
We cannot use the usual `pathogen-repo-build` workflow for the seasonal flu deploy-private-nextflu workflow because these are private builds that should not be surfaced through public GH Action artifacts.¹ We attempted to use the custom claim `workflow_ref` in 538385e but that did not work as expected, so just allow any seasonal-flu GH Action workflow to access AWS Batch. ¹ <nextstrain/private#110 (comment)>
joverlee521
force-pushed
the
seasonal-flu-batch
branch
from
f7b4cd5
to
81b8676
Compare
joverlee521
changed the title
Follow up to #19 where I rebased and accidentally included unintended changes. I should have known better to not merge/deploy on a Friday afternoon, especially when my brain was fried.
| ] | ||
| "token.actions.githubusercontent.com:sub": flatten([ | ||
| [for repo in keys(local.repo_pathogens): | ||
| "repo:nextstrain/${repo}:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@*:workflow_ref:*"], |
There was a problem hiding this comment.
Unintended change here fixed in cefc83e 🤦♀️
We cannot use the usual
pathogen-repo-buildworkflow for the seasonal flu deploy-private-nextflu workflow because these are private builds that should not be surfaced through public GH Action artifacts.¹¹ https://github.com/nextstrain/private/issues/110#issuecomment-2155212036
Checklist