@@ -40,35 +40,53 @@ outputs:
4040runs :
4141 using : ' composite'
4242 steps :
43- # - name: Configure AWS credentials
44- # uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
45- # with:
46- # role-to-assume: arn:aws:iam::460386131003:role/SonarGitHubActionsS3CacheRole
47- # aws-region: eu-central-1
48-
49- - name : Authenticate using Enhanced AuthFlow
50- uses : catnekaise/cognito-idpool-auth@main
51- with :
52- auth-flow : enhanced
53- cognito-identity-pool-id : eu-central-1:502e0bc7-5fdf-4cbc-bd38-0119f310fcef
54- aws-account-id : 460386131003
55- aws-region : eu-central-1
56- audience : cognito-identity.amazonaws.com
57- set-in-environment : true
58-
59- - name : " STS Get Caller Identity"
43+ - name : Authenticate to AWS
6044 shell : bash
45+ id : aws-auth
46+ env :
47+ POOL_ID : eu-central-1:9baeef83-23fd-40a3-83f1-3d8ac55547ec
48+ AWS_ACCOUNT_ID : 460386131003
49+ IDENTITY_PROVIDER_NAME : token.actions.githubusercontent.com
50+ AUDIENCE : cognito-identity.amazonaws.com
51+ AWS_REGION : eu-central-1
6152 run : |
62- aws sts get-caller-identity
53+ # Get GitHub Actions ID token
54+ ACCESS_TOKEN=$(curl -sLS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$AUDIENCE" | jq -r ".value")
6355
64- - name : Validate branch reference
65- shell : bash
66- run : |
67- if [ -z "$GITHUB_HEAD_REF" ]; then
68- echo "::error::GITHUB_HEAD_REF environment variable is not set"
56+ # Get Identity ID
57+ identityId=$(aws cognito-identity get-id \
58+ --identity-pool-id "$POOL_ID" \
59+ --account-id "$AWS_ACCOUNT_ID" \
60+ --logins '{"'"$IDENTITY_PROVIDER_NAME"'":"'"$ACCESS_TOKEN"'"}' \
61+ --query 'IdentityId' --output text)
62+
63+ # Get and validate AWS credentials
64+ awsCredentials=$(aws cognito-identity get-credentials-for-identity \
65+ --identity-id "$identityId" \
66+ --logins '{"'"$IDENTITY_PROVIDER_NAME"'":"'"$ACCESS_TOKEN"'"}')
67+
68+ AWS_ACCESS_KEY_ID=$(echo "$awsCredentials" | jq -r ".Credentials.AccessKeyId")
69+ AWS_SECRET_ACCESS_KEY=$(echo "$awsCredentials" | jq -r ".Credentials.SecretKey")
70+ AWS_SESSION_TOKEN=$(echo "$awsCredentials" | jq -r ".Credentials.SessionToken")
71+
72+ if [[ "$AWS_ACCESS_KEY_ID" == "null" || -z "$AWS_ACCESS_KEY_ID" ]]; then
73+ echo "::error::Failed to obtain AWS Access Key ID"
74+ exit 1
75+ fi
76+
77+ if [[ "$AWS_SECRET_ACCESS_KEY" == "null" || -z "$AWS_SECRET_ACCESS_KEY" ]]; then
78+ echo "::error::Failed to obtain AWS Secret Access Key"
79+ exit 1
80+ fi
81+
82+ if [[ "$AWS_SESSION_TOKEN" == "null" || -z "$AWS_SESSION_TOKEN" ]]; then
83+ echo "::error::Failed to obtain AWS Session Token"
6984 exit 1
7085 fi
71- echo "Using branch reference: $GITHUB_HEAD_REF"
86+
87+ echo "AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID" >> $GITHUB_ENV
88+ echo "AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY" >> $GITHUB_ENV
89+ echo "AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN" >> $GITHUB_ENV
7290
7391 - name : Prepare cache keys
7492 shell : bash
7896 BRANCH_KEY="${GITHUB_HEAD_REF}/${{ inputs.key }}"
7997 echo "branch-key=${BRANCH_KEY}" >> $GITHUB_OUTPUT
8098
81- # Prepend GITHUB_HEAD_REF to restore keys if they exist
99+ # Process restore keys: keep branch-specific keys and add fallback to default branch
82100 if [ -n "${{ inputs.restore-keys }}" ]; then
83101 RESTORE_KEYS=""
102+ # First, add branch-specific restore keys
84103 while IFS= read -r line; do
85104 if [ -n "$line" ]; then
86105 if [ -n "$RESTORE_KEYS" ]; then
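Review bot: The credentials written at new lines 87–89 are appended to `$GITHUB_ENV` without first being registered as secrets, so `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` will appear in clear text if any later step prints its environment or a tool echoes its arguments on failure; emit `echo "::add-mask::$AWS_SECRET_ACCESS_KEY"` and `echo "::add-mask::$AWS_SESSION_TOKEN"` before those lines, and quote the target as `>> "$GITHUB_ENV"`. The `ACCESS_TOKEN` fetched at new line 54 is not checked the way the three credential fields at lines 72–85 are: when the calling workflow does not grant `id-token: write`, `ACTIONS_ID_TOKEN_REQUEST_URL` is unset and the step only fails later inside `get-id` with an error that does not name the real cause, so a matching `null`/empty guard plus a comment on the step stating the permission requirement would make failures self-explanatory. The commit also deletes the "Validate branch reference" step while "Prepare cache keys" (which continues past this hunk) still builds `BRANCH_KEY="${GITHUB_HEAD_REF}/${{ inputs.key }}"`; if running on non-PR events is now intended, a comment noting that the key degrades to `/${{ inputs.key }}` when `GITHUB_HEAD_REF` is empty would document that choice.
```yaml
      - name: Authenticate to AWS
        # … unchanged: shell, id, env …
        run: |
          # … unchanged: ID-token request …
          if [[ "$ACCESS_TOKEN" == "null" || -z "$ACCESS_TOKEN" ]]; then
            echo "::error::Failed to obtain GitHub Actions ID token (caller must grant id-token: write)"
            exit 1
          fi
          # … unchanged: get-id, get-credentials-for-identity, credential field checks …
          echo "::add-mask::$AWS_SECRET_ACCESS_KEY"
          echo "::add-mask::$AWS_SESSION_TOKEN"
          echo "AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID" >> "$GITHUB_ENV"
          echo "AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY" >> "$GITHUB_ENV"
          echo "AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN" >> "$GITHUB_ENV"
```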
@@ -90,6 +109,14 @@ runs:
90109 fi
91110 fi
92111 done <<< "${{ inputs.restore-keys }}"
112+
113+ # Then, add default branch fallback keys (without GITHUB_HEAD_REF prefix)
114+ while IFS= read -r line; do
115+ if [ -n "$line" ]; then
116+ RESTORE_KEYS="${RESTORE_KEYS}"$'\n'"${line}"
117+ fi
118+ done <<< "${{ inputs.restore-keys }}"
119+
93120 echo "branch-restore-keys<<EOF" >> $GITHUB_OUTPUT
94121 echo "$RESTORE_KEYS" >> $GITHUB_OUTPUT
95122 echo "EOF" >> $GITHUB_OUTPUT
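Review bot: The new heredoc at line 118 expands `${{ inputs.restore-keys }}` directly into the script text, repeating the pattern of the surrounding lines 100 and 111; whatever the input contains (quotes, `$(...)`, line breaks) becomes part of the shell script rather than data. Passing the input through the step's `env:` as `RESTORE_KEYS_INPUT: ${{ inputs.restore-keys }}` and reading it with `done <<< "$RESTORE_KEYS_INPUT"` (and `if [ -n "$RESTORE_KEYS_INPUT" ]`) keeps it an opaque string at all three sites. The second loop is a copy of the first with the prefix dropped; a comment on why fallback keys must come after every branch-specific key (presumably because the cache action treats restore-key order as priority — confirm against the consumer) would stop a later reader from merging the two loops. The "Prepare cache keys" step begins before this hunk.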