Master & Dev branches
Snapshot, Release repository uses S3 Wagon
Semantic versioning with suffix of build number, Git SHA
Maven site generated with version numbers
Github pages published with version numbers
There may be ways to shift some of the Maven functionality into Github Actions specific tasks instead of having them in the build
Consider changes for pull requests vs. commits to dev, master branches
github: npiper/npiper-parent-org
Need to change from encrypting keys in .travis.yml file to using AWS roles.
Region: eu-west-2 (Dublin, Ireland)
Permissions: S3 Read/Write/Get/Put
AccountID: 329799773336
Role to be created
arn:aws:iam::329799773336:role/npiper-githubactions-role
Parameters:
GitHubOrg = npiper
RepositoryName = npiper-parent-org
aws cloudformation create-stack --stack-name teststack --template-body file://$(pwd)/role-cloudformation.yaml --parameters ParameterKey=GitHubOrg,ParameterValue=npiper ParameterKey=RepositoryName,ParameterValue=npiper-parent-org --capabilities CAPABILITY_NAMED_IAM
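A template that the create-stack command above could be pointed at, combining the OIDC trust policy for the role with the least-privilege S3 policy discussed later in these notes. This is an added example, not the repository's own role-cloudformation.yaml; the OIDCProviderArn parameter, the thumbprint placeholder and the policy name are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  GitHubOrg:
    Type: String
  RepositoryName:
    Type: String
  OIDCProviderArn:
    Type: String
    Default: ""   # ARN of an existing GitHub OIDC provider; empty creates one (assumed parameter)
Conditions:
  CreateOIDCProvider: !Equals [!Ref OIDCProviderArn, ""]
Resources:
  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Condition: CreateOIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList: [sts.amazonaws.com]
      # Placeholder thumbprint: replace with the current GitHub OIDC CA thumbprint before use
      ThumbprintList: [ffffffffffffffffffffffffffffffffffffffff]
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: npiper-githubactions-role   # needs CAPABILITY_NAMED_IAM on create-stack
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !If [CreateOIDCProvider, !Ref GithubOidc, !Ref OIDCProviderArn]
            Condition:
              StringEquals:   # token must be minted for STS ...
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
              StringLike:     # ... and only by workflows of this one repository
                token.actions.githubusercontent.com:sub: !Sub "repo:${GitHubOrg}/${RepositoryName}:*"
      Policies:
        - PolicyName: maven-s3-wagon   # least-privilege S3 access for the wagon (assumed name)
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [s3:GetObject, s3:PutObject, s3:PutObjectAcl]
                Resource:
                  - arn:aws:s3:::solveapuzzle-repo/release/*
                  - arn:aws:s3:::solveapuzzle-repo/snapshot/*
                  - arn:aws:s3:::solveapuzzle-repo/site/*
              - Effect: Allow
                Action: s3:ListBucket
                Resource: arn:aws:s3:::solveapuzzle-repo
```

The sub condition can be tightened further to a single branch (for example repo:org/repo:ref:refs/heads/master) if only that branch should be allowed to deploy.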
maven-enforcer-plugin
maven-scm-plugin
maven-deploy-plugin
com.github.github:site-maven-plugin
maven-project-info-reports-plugin
maven-s3-wagon
wagon-webdav-jackrabbit
env.TRAVIS - the Maven profile is currently activated by this variable; need an equivalent build variable under GitHub Actions (GitHub sets GITHUB_ACTIONS=true in every workflow run)
github actions: aws-actions/configure-aws-credentials
Role: arn:aws:iam::329799773336:role/npiper-githubactions-role
# the job needs "permissions: id-token: write" so the OIDC token can be requested
- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    role-to-assume: arn:aws:iam::329799773336:role/npiper-githubactions-role
    aws-region: eu-west-2
Info about assuming roles via AWS CLI
s3://solveapuzzle-repo/release
<!-- My AWS Public repo -->
<repository>
  <id>solveapuzzle-repo</id>
  <url>https://s3-ap-southeast-2.amazonaws.com/solveapuzzle-repo/release/</url>
</repository>
https://github.com/npiper/npiper-parent-org/actions
<ciManagement>
  <system>Travis-CI</system>
  <url>https://travis-ci.org/${githubOrg}/${project.name}</url>
</ciManagement>
<scm>
  <url>https://github.com/${githubOrg}/${project.name}</url>
  <connection>scm:git:git://github.com/${githubOrg}/${project.name}.git</connection>
  <!-- <developerConnection>scm:git:git@github.com:npiper/${project.name}.git</developerConnection> -->
  <developerConnection>scm:git:https://github.com/${githubOrg}/${project.name}.git</developerConnection>
  <tag>HEAD</tag>
</scm>
https://${githubOrg}.github.io/${project.name}/
mvn clean install -Drevision=${TRAVIS_BUILD_NUMBER}.$(git rev-parse --short HEAD)
Site generate, publish, deploy
mvn site deploy scm:tag -Drevision=${TRAVIS_BUILD_NUMBER}.$(git rev-parse --short HEAD) -Dusername=${GIT_USER_NAME} -Dpassword=${GITPW}
AWS cloudformation - attach a managed policy
github actions - configure aws credentials
github actions - git semantic version action
github actions - OpenID connect guide
AWS S3 example bucket policies
AWS IAM - Create role for OpenID connect
StackOverflow - getting the branch, Short SHA in github action
Github Actions for a Maven project
Older versions of the S3 Wagon (under a different groupId) didn't work well with the STS token returned when assuming a role:
s3-wagon-private/s3-wagon-private#30
The problem seems to be far downstream in aws-java-sdk, actually. Versions prior to 1.8.0 do not seem to work with AWS STS credentials, while subsequent versions do. I opened an issue with aws-maven: spring-attic/aws-maven#49
New wagon artifacts added (declared as build extensions):
<extensions>
  <extension>
    <groupId>com.github.seahen</groupId>
    <artifactId>maven-s3-wagon</artifactId>
    <version>1.3.3</version>
  </extension>
  <extension>
    <groupId>org.apache.maven.wagon</groupId>
    <artifactId>wagon-webdav-jackrabbit</artifactId>
    <version>3.5.1</version>
  </extension>
</extensions>
What is a good least privilege bucket policy?
maven-s3-wagon - what is the least privilege S3 policy needed? The document below has no Principal, so it is an identity policy to attach to the role; used as a bucket policy it would additionally need a Principal naming the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1372216541",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::solveapuzzle-repo/release/*",
        "arn:aws:s3:::solveapuzzle-repo/site/*",
        "arn:aws:s3:::solveapuzzle-repo/snapshot/*"
      ]
    },
    {
      "Sid": "Stmt1372212814",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::solveapuzzle-repo"
    }
  ]
}
Go S3 Private? https://github.com/s3-wagon-private/s3-wagon-private