Allow seasonal-flu/deploy-private-nextflu to assume GitHubActionsRole…

…NextstrainBatchJobs We cannot use the usual `pathogen-repo-build` workflow for the seasonal flu deploy-private-nextflu workflow because these are private builds that should not be surfaced through public GH Action artifacts.¹ Adds workflow_ref to the GitHub OIDC token's sub claim since we're conditioning on a regular workflow not a reusable workflow that's been called. ¹ <nextstrain/private#110 (comment)> Co-authored-by: Thomas Sibley <tsibley@fredhutch.org>
nextstrain · Jun 7, 2024 · 538385e · 538385e
1 parent 41cde05
commit 538385e
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 6 deletions.
diff --git a/env/production/aws-iam-role-GitHubActionsRoleNextstrainBatchJobs.tf b/env/production/aws-iam-role-GitHubActionsRoleNextstrainBatchJobs.tf
@@ -22,10 +22,16 @@ resource "aws_iam_role" "GitHubActionsRoleNextstrainBatchJobs" {
         "Condition": {
           "StringLike": {
             "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
-            "token.actions.githubusercontent.com:sub": [
-              for repo in keys(local.repo_pathogens):
-                "repo:nextstrain/${repo}:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@*"
-            ]
+            "token.actions.githubusercontent.com:sub": flatten([
+              [for repo in keys(local.repo_pathogens):
+                "repo:nextstrain/${repo}:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@*:workflow_ref:*"],
+
+              # Special case for seasonal flu's deploy-private-nextflu workflow which needs to download the private builds
+              # from AWS Batch before bundling/deploying them through Netlify.
+              # This special case can be removed when we finally sunset the private site.
+              #   -Jover, 07 June 2024
+              "repo:nextstrain/seasonal-flu:*:job_workflow_ref::workflow_ref:nextstrain/seasonal-flu/.github/workflows/deploy-private-nextflu.yaml",
+            ])
           }
         },
       }

diff --git a/env/production/aws-iam-role-GitHubActionsRoleNextstrainRepo@.tf b/env/production/aws-iam-role-GitHubActionsRoleNextstrainRepo@.tf
@@ -19,7 +19,7 @@ resource "aws_iam_role" "GitHubActionsRoleNextstrainRepo" {
         "Condition": {
           "StringLike": {
             "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
-            "token.actions.githubusercontent.com:sub": "repo:nextstrain/${each.key}:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@*"
+            "token.actions.githubusercontent.com:sub": "repo:nextstrain/${each.key}:*:job_workflow_ref:nextstrain/.github/.github/workflows/pathogen-repo-build.yaml@*:workflow_ref:*"
           }
         },
       }

diff --git a/env/production/github-oidc.tf b/env/production/github-oidc.tf
@@ -9,7 +9,10 @@ resource "github_actions_repository_oidc_subject_claim_customization_template" "
     "repo",
     "context",
 
-    # …plus the <org>/<repo>/<path>@<ref> of the workflow obtaining the token, if any.
+    # …plus the <org>/<repo>/<path>@<ref> of the *reusable* workflow obtaining the token, if any.
     "job_workflow_ref",
+
+    # …plus the <org>/<repo>/<path>@<ref> of the workflow obtaining the token.
+    "workflow_ref",
   ]
 }