Add CI OIDC access to new bors branches #355
Merged
Commits on Mar 9, 2024
-
-
Add access for new bors to PUT into artifacts bucket
This grants access under a new directory prefix (rustc-builds-try) as a temporary measure to avoid mistakes overwriting any actual artifacts. It might be a good idea in any case to scope try builds into a different bucket or place than real builds.
-
Limit write access to specific prefix
This uses Cognito as a dispatch authority to convert OIDC claims to IAM condition values, and then fitlers the resulting role to only writing into the passed sha. See https://awsteele.com/blog/2023/10/25/aws-role-session-tags-for-github-actions.html for some related context.
-
Revert "Limit write access to specific prefix"
See write up here: rust-lang#355 (comment). We decided not to pursue this for the time being and revisit at a later point. This reverts commit 2f7aefc.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.