This repo shares GitHub Actions workflows for corporate projects.
Create releases with release-please-action.
The release-please configuration reference is here.
Example release-please configuration for an Elixir project:
{
  "packages": {
    ".": {
      "release-type": "elixir",
      "bump-minor-pre-major": true,
      "bump-patch-for-minor-pre-major": false,
      "extra-files": [".deploy/Chart.yaml"]
    }
  }
}
Example workflow:
name: Release
on:
  push:
    branches:
      - main
permissions:
  contents: write
  pull-requests: write
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  release-please:
    uses: strongsdcom/github-actions/.github/workflows/release-please.yaml@v2
    with:
      config-file: .github/release-please/config.json
      manifest-file: .github/release-please/manifest.json
Creates a Jira release and sets the fix version for the issues found in GitHub commits.
An example of usage with a custom GitHub token for Release Please can be found here.
An example of usage in a single file can be found here.
awk '{$1=$1};1'           # Removes leading and trailing spaces from each line of a multiline string
                          # (runs of inner whitespace collapse to a single space)
sed '/^$/d'               # Removes empty lines from a multiline string
sed 's/original-string/new-string/'  # Replaces the first occurrence of the original text on each line with the new text
sed 's/.*/prefix&suffix/' # Adds a prefix and a suffix to each line of a multiline string
sed ':a;N;$!ba;s/\n/ /g'  # Joins a multiline string into a single line (GNU sed);
                          # the shorter '$!N;s/\n/ /' only joins lines in pairs
The following error during a deployment indicates that the Terraform configuration for the new app was not applied or was applied incorrectly (not from erp-aws-infra/environments):
Run aws-actions/[email protected]
  with:
    role-to-assume: arn:aws:iam::590816193535:role/gha-ecr
    aws-region: eu-north-1
    mask-aws-account-id: false
    audience: sts.amazonaws.com
    output-env-credentials: true
Assuming role with OIDC
...
Assuming role with OIDC
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity
To ensure proper functioning of the AWS deployment via GitHub Actions, it is necessary to configure a custom OIDC token format (sub claim) to match the trust policy of the gha-ecr role in AWS IAM. This enables GitHub Actions to authenticate with AWS for access to ECR and EKS.
The trust policy of gha-ecr expects the user (actor) in the OIDC token:
@"token.actions.githubusercontent.com:sub": "repo:strongsdcom/erp-:environment:dev:actor:", "repo:strongsdcom/erp-:environment:staging:actor:"@
The default OIDC token sub claim generated by GitHub Actions (e.g., repo:strongsdcom/erp-invoices:environment:staging) does not include the actor field required by the AWS IAM role's trust policy (repo:strongsdcom/erp-:environment:staging:actor:). Customizing the sub claim ensures compatibility, enabling successful authentication with AWS STS via sts:AssumeRoleWithWebIdentity.
There are two ways to fix the issue:
- apply the Terraform config from the environments directory
- issue a command which will customize the OIDC token for a repository
Applying the Terraform config is the preferable way. If that is not possible, the following GitHub CLI command can be used to customize the OIDC token of a repository:
@gh api \
  --method PUT \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  /repos/strongsdcom/erp-invoices/actions/oidc/customization/sub \
  -f "include_claim_keys[]=repo" \
  -f "include_claim_keys[]=context" \
  -f "include_claim_keys[]=actor" \
  -F "use_default=false"@
Command description:
/repos/strongsdcom/erp-invoices/actions/oidc/customization/sub: Endpoint to customize the sub claim for the repository. Change the repository to yours.
-f "include_claim_keys[]=repo": Includes the repository name (e.g., strongsdcom/erp-invoices).
-f "include_claim_keys[]=context": Includes the workflow context (e.g., environment:staging).
-f "include_claim_keys[]=actor": Includes the GitHub user who triggered the workflow (e.g., actor:username).
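The mismatch between the default sub claim and the gha-ecr trust policy can be checked offline before touching IAM or the repository settings. The following is an added example, not code from this repository: it models how the sub claim is assembled from include_claim_keys and evaluates it against the trust-policy patterns. It assumes the role uses a StringLike condition and that the positions left blank in the patterns quoted above are `*` wildcards; the actor name example-user is constructed.

```python
import re

def build_sub(claims, include_claim_keys=None):
    """Model of how the sub claim is assembled (simplified: the context is
    always an environment). None means the default template, repo + context."""
    parts = []
    for key in include_claim_keys or ["repo", "context"]:
        if key == "context":  # expands to the job context, e.g. environment:staging
            parts.append(f"environment:{claims['environment']}")
        else:  # every other key is emitted as key:value
            parts.append(f"{key}:{claims[key]}")
    return ":".join(parts)

def string_like(pattern, value):
    """IAM StringLike semantics: '*' = any run of characters, '?' = exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def trust_policy_allows(sub, patterns):
    """True if the sub claim matches at least one pattern of the condition."""
    return any(string_like(p, sub) for p in patterns)

# Constructed sample data. Assumption: '*' stands where the patterns quoted on
# this page are blank; "example-user" is a made-up actor.
TRUST_PATTERNS = [
    "repo:strongsdcom/erp-*:environment:dev:actor:*",
    "repo:strongsdcom/erp-*:environment:staging:actor:*",
]
CLAIMS = {
    "repo": "strongsdcom/erp-invoices",
    "environment": "staging",
    "actor": "example-user",
}

DEFAULT_SUB = build_sub(CLAIMS)                               # what GitHub sends by default
CUSTOM_SUB = build_sub(CLAIMS, ["repo", "context", "actor"])  # after the customization

if __name__ == "__main__":
    for label, sub in (("default", DEFAULT_SUB), ("customized", CUSTOM_SUB)):
        verdict = "allowed" if trust_policy_allows(sub, TRUST_PATTERNS) else "denied"
        print(f"{label:<10} {sub} -> {verdict}")
```

Under the wildcard assumption the actor segment only has to be present, so the policy scopes access by repository prefix and environment rather than by who triggered the workflow.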