Merge pull request #395 from co-cddo/chore/role-chaining

fix(ci-lease): role-chaining=true on lease-account assume

Author: chrisns

.github/workflows/scenario-ai-contact-centre.yml

@@ -0,0 +1,26 @@
+name: Scenario / ai-contact-centre
+
+on:
+  pull_request:
+    paths:
+      - 'cloudformation/scenarios/ai-contact-centre/**'
+      - '.github/workflows/scenario-ci.yml'
+      - '.github/workflows/scenario-ai-contact-centre.yml'
+      - 'scripts/isb/**'
+      - 'tests/smoke/**'
+  workflow_dispatch:
+
+concurrency:
+  group: scenario-ai-contact-centre-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  smoke:
+    uses: ./.github/workflows/scenario-ci.yml
+    with:
+      scenario: ai-contact-centre
+    secrets: inherit

.github/workflows/scenario-bops-planning.yml

@@ -0,0 +1,26 @@
+name: Scenario / bops-planning
+
+on:
+  pull_request:
+    paths:
+      - 'cloudformation/scenarios/bops-planning/**'
+      - '.github/workflows/scenario-ci.yml'
+      - '.github/workflows/scenario-bops-planning.yml'
+      - 'scripts/isb/**'
+      - 'tests/smoke/**'
+  workflow_dispatch:
+
+concurrency:
+  group: scenario-bops-planning-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  smoke:
+    uses: ./.github/workflows/scenario-ci.yml
+    with:
+      scenario: bops-planning
+    secrets: inherit

.github/workflows/scenario-ci.yml

@@ -91,14 +91,18 @@ jobs:
             --template '${{ inputs.lease_template }}' \
             --user-email '${{ inputs.ci_lease_email }}'
 
-      # Now assume the in-lease CIDeployRole using the account_id we just got.
+      # Now assume the in-lease CIDeployRole. role-chaining=true tells
+      # configure-aws-credentials to sigv4-sign from the already-loaded
+      # hub creds (sts:AssumeRole) instead of trying OIDC against the
+      # leased account (which has no OIDC provider).
       - uses: aws-actions/configure-aws-credentials@v6
         id: lease-creds
         with:
           role-to-assume: arn:aws:iam::${{ steps.lease.outputs.account_id }}:role/InnovationSandbox-ndx-CIDeployRole
           role-session-name: scenario-ci-deploy-${{ github.run_id }}
           aws-region: us-east-1
           role-duration-seconds: 21600
+          role-chaining: true
 
       - name: Deploy scenario stack
         id: deploy

.github/workflows/scenario-digital-planning-register.yml

@@ -0,0 +1,26 @@
+name: Scenario / digital-planning-register
+
+on:
+  pull_request:
+    paths:
+      - 'cloudformation/scenarios/digital-planning-register/**'
+      - '.github/workflows/scenario-ci.yml'
+      - '.github/workflows/scenario-digital-planning-register.yml'
+      - 'scripts/isb/**'
+      - 'tests/smoke/**'
+  workflow_dispatch:
+
+concurrency:
+  group: scenario-digital-planning-register-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  smoke:
+    uses: ./.github/workflows/scenario-ci.yml
+    with:
+      scenario: digital-planning-register
+    secrets: inherit

.github/workflows/scenario-fixmystreet.yml

@@ -0,0 +1,26 @@
+name: Scenario / fixmystreet
+
+on:
+  pull_request:
+    paths:
+      - 'cloudformation/scenarios/fixmystreet/**'
+      - '.github/workflows/scenario-ci.yml'
+      - '.github/workflows/scenario-fixmystreet.yml'
+      - 'scripts/isb/**'
+      - 'tests/smoke/**'
+  workflow_dispatch:
+
+concurrency:
+  group: scenario-fixmystreet-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  smoke:
+    uses: ./.github/workflows/scenario-ci.yml
+    with:
+      scenario: fixmystreet
+    secrets: inherit

.github/workflows/scenario-foi-redaction.yml

@@ -0,0 +1,26 @@
+name: Scenario / foi-redaction
+
+on:
+  pull_request:
+    paths:
+      - 'cloudformation/scenarios/foi-redaction/**'
+      - '.github/workflows/scenario-ci.yml'
+      - '.github/workflows/scenario-foi-redaction.yml'
+      - 'scripts/isb/**'
+      - 'tests/smoke/**'
+  workflow_dispatch:
+
+concurrency:
+  group: scenario-foi-redaction-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  smoke:
+    uses: ./.github/workflows/scenario-ci.yml
+    with:
+      scenario: foi-redaction
+    secrets: inherit

.github/workflows/scenario-localgov-drupal.yml

@@ -0,0 +1,26 @@
+name: Scenario / localgov-drupal
+
+on:
+  pull_request:
+    paths:
+      - 'cloudformation/scenarios/localgov-drupal/**'
+      - '.github/workflows/scenario-ci.yml'
+      - '.github/workflows/scenario-localgov-drupal.yml'
+      - 'scripts/isb/**'
+      - 'tests/smoke/**'
+  workflow_dispatch:
+
+concurrency:
+  group: scenario-localgov-drupal-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  smoke:
+    uses: ./.github/workflows/scenario-ci.yml
+    with:
+      scenario: localgov-drupal
+    secrets: inherit

.github/workflows/scenario-localgov-ims.yml

@@ -0,0 +1,26 @@
+name: Scenario / localgov-ims
+
+on:
+  pull_request:
+    paths:
+      - 'cloudformation/scenarios/localgov-ims/**'
+      - '.github/workflows/scenario-ci.yml'
+      - '.github/workflows/scenario-localgov-ims.yml'
+      - 'scripts/isb/**'
+      - 'tests/smoke/**'
+  workflow_dispatch:
+
+concurrency:
+  group: scenario-localgov-ims-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  smoke:
+    uses: ./.github/workflows/scenario-ci.yml
+    with:
+      scenario: localgov-ims
+    secrets: inherit

.github/workflows/scenario-minute.yml

@@ -0,0 +1,26 @@
+name: Scenario / minute
+
+on:
+  pull_request:
+    paths:
+      - 'cloudformation/scenarios/minute/**'
+      - '.github/workflows/scenario-ci.yml'
+      - '.github/workflows/scenario-minute.yml'
+      - 'scripts/isb/**'
+      - 'tests/smoke/**'
+  workflow_dispatch:
+
+concurrency:
+  group: scenario-minute-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  smoke:
+    uses: ./.github/workflows/scenario-ci.yml
+    with:
+      scenario: minute
+    secrets: inherit

.github/workflows/scenario-paperless-ngx.yml

@@ -0,0 +1,26 @@
+name: Scenario / paperless-ngx
+
+on:
+  pull_request:
+    paths:
+      - 'cloudformation/scenarios/paperless-ngx/**'
+      - '.github/workflows/scenario-ci.yml'
+      - '.github/workflows/scenario-paperless-ngx.yml'
+      - 'scripts/isb/**'
+      - 'tests/smoke/**'
+  workflow_dispatch:
+
+concurrency:
+  group: scenario-paperless-ngx-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  smoke:
+    uses: ./.github/workflows/scenario-ci.yml
+    with:
+      scenario: paperless-ngx
+    secrets: inherit