ci: Added STS token-based authorization for integration tests

orlowskilp · Oct 12, 2024 · ecc2279 · ecc2279
1 parent 448f457
commit ecc2279
Showing 1 changed file with 22 additions and 11 deletions.
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -13,6 +13,10 @@ on:
     branches:
       - master
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   run-tests:
     name: Execute tests and measure coverage
@@ -21,7 +25,7 @@ jobs:
       LCOV_UT_OUT: unit-test-cov.lcov
       LCOV_IT_OUT: integration-test-cov.lcov
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Install llvm-cov for code coverage
         uses: taiki-e/install-action@cargo-llvm-cov
@@ -31,18 +35,25 @@ jobs:
           LLVM_COV_ARGS: --lcov --output-path ${{ env.LCOV_UT_OUT }} --lib
         run: make test-coverage ARGS="${{ env.LLVM_COV_ARGS }}"
 
-    #   - name: Run integration tests and measure coverage
-    #     env:
-    #       LLVM_COV_ARGS: --lcov --output-path ${{ env.LCOV_IT_OUT }} --tests
-    #     run: make test-coverage ARGS="${{ env.LLVM_COV_ARGS }}"
+      - name: Assume AWS role
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_KMS_IAM_ROLE }}
+          role-session-name: ${{ vars.AWS_STS_SESSION_NAME}}
+          mask-aws-account-id: true
+
+      - name: Run integration tests and measure coverage
+        env:
+          LLVM_COV_ARGS: --lcov --output-path ${{ env.LCOV_IT_OUT }} --tests
+          KMS_KEY_ID: ${{ secrets.KMS_KEY_ID }}
+        run: make test-coverage ARGS="${{ env.LLVM_COV_ARGS }}"
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
-          files:
-            ${{ env.LCOV_UT_OUT }}
-            # ${{ env.LCOV_IT_OUT }}
+          files: ./${{ env.LCOV_UT_OUT }},./${{ env.LCOV_IT_OUT }}
           fail_ci_if_error: true
 
   build-x86-gnu:
@@ -51,7 +62,7 @@ jobs:
       TOOL_CHAIN : x86_64-unknown-linux-gnu
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Build for ${{ env.TOOL_CHAIN }}
         env:
@@ -64,7 +75,7 @@ jobs:
       TOOL_CHAIN : x86_64-unknown-linux-musl
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Install musl toolchain
         run: |