我有两个 GitHub Actions,两者都是相同的,只是一个是手动触发的,另一个是在主分支上完成拉取请求时触发的。手动部署工作流程工作得很好,但是部署工作流程失败,并显示“错误:未授权执行 sts:AssumeRoleWithWebIdentity”。我缺少什么?我的猜测是两个事件之间的子项一定是不同的?我该如何检查?
这个有效
name: manual-deploy
on:
workflow_dispatch:
env:
REACT_APP_VERSION: 0.1.0
jobs:
build-and-deploy:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: checkout code
uses: actions/checkout@v3
- name: install node
uses: actions/setup-node@v3
# using later versions of node breaks due to react-scripts v5.0.1 incompatible with typescript v5;
# this specific node version works though
with:
node-version: "16.14.2"
- name: install dependencies
run: npm install
- name: run tests
run: npm run test
- name: get current date
id: date
# pacific time = UTC-7:00
run: echo "REACT_APP_BUILD_DATE=$(date -u +'%m/%d/%Y %H:%M:%SPT' -d '7 hours ago')" >> $GITHUB_ENV
- name: build project
run: npm run build
- name: configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ SECRETS.AWS_GITHUB_ROLE }}
aws-region: us-west-2
- name: deploy to S3 bucket
run: aws s3 sync ./build/ s3://myProject --delete
- name: invalidate cloudfront cache
run: aws cloudfront create-invalidation --distribution-id ${{ SECRETS.AWS_CLOUDFRONT_DIST_ID}} --paths "/*"
这行不通
name: deploy
on:
pull_request:
branches:
- main
types: closed
paths-ignore:
- '.github/workflows/**'
env:
REACT_APP_VERSION: 0.1.0
jobs:
build-and-deploy:
runs-on: ubuntu-latest
if: github.event.pull_request.merged == true
permissions:
id-token: write
contents: read
steps:
- name: checkout code
uses: actions/checkout@v3
- name: install node
uses: actions/setup-node@v3
# using later versions of node breaks due to react-scripts v5.0.1 incompatible with typescript v5;
# this specific node version works though
with:
node-version: "16.14.2"
- name: install dependencies
run: npm install
- name: run tests
run: npm run test
- name: get current date
id: date
# pacific time = UTC-7:00
run: echo "REACT_APP_BUILD_DATE=$(date -u +'%m/%d/%Y %H:%M:%SPT' -d '7 hours ago')" >> $GITHUB_ENV
- name: build project
run: npm run build
- name: configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ SECRETS.AWS_GITHUB_ROLE }}
aws-region: us-west-2
- name: deploy to S3 bucket
run: aws s3 sync ./build/ s3://myProject --delete
- name: invalidate cloudfront cache
run: aws cloudfront create-invalidation --distribution-id ${{ SECRETS.AWS_CLOUDFRONT_DIST_ID}} --paths "/*"
信托政策
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<not-sure-if-this-is-sensitive-info>:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
},
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:myGitHub/myProject:ref:refs/heads/main"
}
}
}
]
}
我尝试在调试模式下重新运行该操作,但这没有提供更多有用的信息。
好的,所以想通了。拉取请求事件使用不同的子事件,即“repo:myGitHub/myProject:pull_request”。通过设置 AWS CloudTrail 并在日志中搜索从 github 连接失败的尝试发现了这一点。
我刚刚花了几个小时,找到了解决方案
on: pull_request
-
改变
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:myGitHub/myProject:ref:refs/heads/main"
}
至
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:myGitHub/myProject:*"
}
这将使条件变为
AssumeRoleWithWebIdentity
true。