wip! amortization's Rangoon

nextstrain · Aug 18, 2023 · fa4f2ab · fa4f2ab
1 parent be6036a
commit fa4f2ab
Showing 1 changed file with 29 additions and 14 deletions.
diff --git a/.github/workflows/pathogen-repo-build.yaml b/.github/workflows/pathogen-repo-build.yaml
@@ -29,7 +29,14 @@ on:
           Currently only supports docker, conda, and aws-batch.
           Defaults to "docker".
 
-          The aws-batch runtime requires the secrets:
+          The aws-batch runtime requires AWS credentials.  These may indirectly
+          come from assuming a role via GitHub Actions' OIDC provider or
+          directly from secrets.
+
+          The AWS_ROLE_ARN environment variable or GitHub Actions configuration
+          variable is used if present.
+
+          The following secrets are used if present and no role is to be assumed:
 
           - AWS_ACCESS_KEY_ID
           - AWS_SECRET_ACCESS_KEY
@@ -136,11 +143,12 @@ on:
 env:
   NEXTSTRAIN_GITHUB_DIR: .git/nextstrain/.github
 
+permissions:
+  id-token: write
+
 jobs:
   workflow-context:
     runs-on: ubuntu-latest
-    permissions:
-      id-token: write
     steps:
       - id: workflow-context
         uses: nextstrain/.github/actions/workflow-context@master
@@ -168,17 +176,6 @@ jobs:
           ref: ${{ needs.workflow-context.outputs.sha }}
           path: ${{ env.NEXTSTRAIN_GITHUB_DIR }}
 
-      - &setup-runtime
-        name: Setup runtime ${{ inputs.runtime }}
-        uses: ./.git/nextstrain/.github/actions/setup-nextstrain-cli
-        with:
-          cli-version: ">=7.1.0"
-          runtime: ${{ inputs.runtime }}
-        # Required to set up aws-batch as default runtime
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-
       - if: inputs.env
         name: Set environment variables
         env:
@@ -201,6 +198,21 @@ jobs:
           | "$NEXTSTRAIN_GITHUB_DIR"/bin/json-to-envvars
           | tee -a "$GITHUB_ENV"
 
+      - &setup-aws-credentials
+        if: inputs.runtime == 'aws-batch'
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ env.AWS_ROLE_ARN || vars.AWS_ROLE_ARN }}
+
+      - &setup-runtime
+        name: Setup runtime ${{ inputs.runtime }}
+        uses: ./.git/nextstrain/.github/actions/setup-nextstrain-cli
+        with:
+          cli-version: ">=7.1.0"
+          runtime: ${{ inputs.runtime }}
+
       - name: Run build via ${{ inputs.runtime }}
         env:
           NEXTSTRAIN_BUILD_COMMAND: ${{ inputs.run }}
@@ -242,6 +254,8 @@ jobs:
   # Wait for up to 6 hours (the GitHub Actions job timeout) for the AWS Batch
   # job to finish.
   wait-1: &wait
+    # XXX FIXME: drop this
+    timeout-minutes: 2
     needs: [run-build, workflow-context]
     if: needs.run-build.outputs.AWS_BATCH_JOB_ID
 
@@ -261,6 +275,7 @@ jobs:
     steps:
       # Uses needs.workflow-context.outputs
       - *checkout-workflow-support
+      - *setup-aws-credentials
       - *setup-runtime
 
       # XXX TODO: This will reiterate the full logs emitted so far on every