From b20de11c863d3bd8b0bee5f63f22cda58fc7182a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alex=20S=C3=B8rlie?=
Date: Tue, 11 Feb 2025 10:36:32 +0000
Subject: [PATCH] Use trust relationship for S3 authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Alex Sørlie
---
 .github/workflows/hydrun.yaml | 38 +++++++++++++++++------------------
 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/hydrun.yaml b/.github/workflows/hydrun.yaml
index 956bbb76c22..81ab596345f 100644
--- a/.github/workflows/hydrun.yaml
+++ b/.github/workflows/hydrun.yaml
@@ -77,14 +77,11 @@ jobs:
 uses: actions/download-artifact@v4
 with:
 path: /tmp/out
- - name: Extract branch name
- id: extract_branch
- run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
 - name: Publish pre-release to GitHub releases
 if: ${{ github.ref == 'refs/heads/main-live-migration-pvm' || github.ref == 'refs/heads/main-live-migration' || github.ref == 'refs/heads/firecracker-v1.8-live-migration-pvm' || github.ref == 'refs/heads/firecracker-v1.8-live-migration' }}
 uses: softprops/action-gh-release@v2
 with:
- tag_name: release-${{ steps.extract_branch.outputs.branch }}
+ tag_name: release-${{ github.ref_name }}
 prerelease: true
 files: |
 /tmp/out/*/*
@@ -96,22 +93,25 @@ jobs: files: | /tmp/out/*/* - - name: Extract tag name (if exists) - run: | - if [[ "${{ github.ref }}" == refs/tags/* ]]; then - echo "TAG_NAME=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV - fi - - - name: Configure AWS Credentials (only if running on a tag) - if: startsWith(github.ref, 'refs/tags/v') - uses: aws-actions/configure-aws-credentials@v2 + - name: "Configure AWS credentials" + uses: "aws-actions/configure-aws-credentials@v4" with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ vars.AWS_REGION }} + aws-region: "${{ vars.AWS_REGION }}" + role-to-assume: "${{ vars.AWS_IAM_ROLE }}" + role-session-name: "firecracker-hydrun-${{ github.job }}-${{ github.run_id }}" + role-duration-seconds: 10800 # 3h - - name: Upload to S3 (only if running on a tag) - if: startsWith(github.ref, 'refs/tags/') + - name: Upload to S3 + if: "!startsWith(github.ref, 'refs/pull/')" run: | - aws s3 cp /tmp/out ${{ vars.S3_BUCKET_URL }}${{ env.TAG_NAME }}/ --recursive + if [[ "${{ github.ref }}" == refs/tags/* ]]; then + UPLOAD_FOLDER="release/${GITHUB_REF#refs/tags/}" + elif [[ "${{ github.ref }}" == refs/heads/* ]]; then + UPLOAD_FOLDER="dev/${GITHUB_REF#refs/heads/}" + else + echo "Skipping S3 upload: unsupported ref type $GITHUB_REF" + exit 0 + fi + echo "Uploading artifacts to: ${{ vars.S3_BUCKET_URL }}firecracker/${UPLOAD_FOLDER}/" + aws s3 cp /tmp/out ${{ vars.S3_BUCKET_URL }}firecracker/${UPLOAD_FOLDER}/ --recursive
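Review bot: The new `Upload to S3` script expands `${{ github.ref }}` inside the `run:` block, so the ref name is pasted into the script text before bash parses it, and this step now runs on every branch push with the assumed role's credentials in the environment. Compare the runner-provided variable instead, which the same script already uses for the prefix strip: `if [[ "$GITHUB_REF" == refs/tags/* ]]; then` and `elif [[ "$GITHUB_REF" == refs/heads/* ]]; then`, and double-quote the `aws s3 cp` destination. The `Configure AWS credentials` step also lost its `if:` while only the upload is skipped for `refs/pull/`, so if the workflow runs on pull requests (the upload guard suggests it does) those runs would still request a 3h role session; giving it the same `if: "!startsWith(github.ref, 'refs/pull/')"` keeps the two steps aligned. The job's `permissions:` block and the role's trust policy are outside this hunk; presumably `id-token: write` is granted there and the trust policy pins the `sub` claim to this repository's refs, which is worth confirming now that branches as well as tags upload.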