ci: drop configure-aws-credentials for log hash upload

gmarull · claude · gmarull · commit 095539cd895f · 2026-06-03T17:52:40.000+02:00
The configure-aws-credentials action always validates credentials via
an STS GetCallerIdentity call, which fails ("The security token
included in the request is invalid.") because the log hash bucket is a
non-AWS S3-compatible endpoint, not real AWS. There is no option to
skip that validation.

Drop the action and pass the credentials directly to the existing
aws s3 cp step via environment variables, restoring the behavior of
the previous Noelware/s3-action (raw S3 API against a custom endpoint,
no STS).

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
Signed-off-by: Gerard Marull-Paretas &lt;gerard@teslabs.com&gt;
diff --git a/.github/workflows/build-firmware.yml b/.github/workflows/build-firmware.yml
@@ -93,16 +93,12 @@ jobs:
         run: |
           echo "BUILD_ID=$(readelf -n build/src/fw/tintin_fw.elf | sed -n -e 's/^.*Build ID: //p')" >> "$GITHUB_OUTPUT"
 
-      - name: Configure AWS credentials
-        if: ${{ github.event_name == 'push' && github.repository == 'coredevices/PebbleOS' }}
-        uses: aws-actions/configure-aws-credentials@v6
-        with:
-          aws-access-key-id: ${{ secrets.LOG_HASH_BUCKET_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.LOG_HASH_BUCKET_SECRET }}
-          aws-region: us-east-1
-
       - name: Upload log hash dictionary
         if: ${{ github.event_name == 'push' && github.repository == 'coredevices/PebbleOS' }}
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.LOG_HASH_BUCKET_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.LOG_HASH_BUCKET_SECRET }}
+          AWS_DEFAULT_REGION: us-east-1
         run: |
           pip install awscli
           aws s3 cp build/src/fw/tintin_fw_loghash_dict.json \
diff --git a/.github/workflows/build-prf.yml b/.github/workflows/build-prf.yml
@@ -99,16 +99,12 @@ jobs:
         run: |
           echo "BUILD_ID=$(readelf -n build/src/fw/tintin_fw.elf | sed -n -e 's/^.*Build ID: //p')" >> "$GITHUB_OUTPUT"
 
-      - name: Configure AWS credentials
-        if: ${{ github.event_name == 'push' && github.repository == 'coredevices/PebbleOS' }}
-        uses: aws-actions/configure-aws-credentials@v6
-        with:
-          aws-access-key-id: ${{ secrets.LOG_HASH_BUCKET_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.LOG_HASH_BUCKET_SECRET }}
-          aws-region: us-east-1
-
       - name: Upload log hash dictionary
         if: ${{ github.event_name == 'push' && github.repository == 'coredevices/PebbleOS' }}
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.LOG_HASH_BUCKET_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.LOG_HASH_BUCKET_SECRET }}
+          AWS_DEFAULT_REGION: us-east-1
         run: |
           pip install awscli
           aws s3 cp build/src/fw/tintin_fw_loghash_dict.json \
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -67,14 +67,11 @@ jobs:
         run: |
           echo "BUILD_ID=$(readelf -n build/src/fw/tintin_fw.elf | sed -n -e 's/^.*Build ID: //p')" >> "$GITHUB_OUTPUT"
 
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v6
-        with:
-          aws-access-key-id: ${{ secrets.LOG_HASH_BUCKET_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.LOG_HASH_BUCKET_SECRET }}
-          aws-region: us-east-1
-
       - name: Upload PRF log hash dictionary
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.LOG_HASH_BUCKET_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.LOG_HASH_BUCKET_SECRET }}
+          AWS_DEFAULT_REGION: us-east-1
         run: |
           pip install awscli
           aws s3 cp build/src/fw/tintin_fw_loghash_dict.json \
@@ -181,16 +178,12 @@ jobs:
         run: |
           echo "BUILD_ID=$(readelf -n build/src/fw/tintin_fw.elf | sed -n -e 's/^.*Build ID: //p')" >> "$GITHUB_OUTPUT"
 
-      - name: Configure AWS credentials
-        if: ${{ github.repository == 'coredevices/PebbleOS' }}
-        uses: aws-actions/configure-aws-credentials@v6
-        with:
-          aws-access-key-id: ${{ secrets.LOG_HASH_BUCKET_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.LOG_HASH_BUCKET_SECRET }}
-          aws-region: us-east-1
-
       - name: Upload log hash dictionary
         if: ${{ github.repository == 'coredevices/PebbleOS' }}
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.LOG_HASH_BUCKET_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.LOG_HASH_BUCKET_SECRET }}
+          AWS_DEFAULT_REGION: us-east-1
         run: |
           pip install awscli
           aws s3 cp build/src/fw/tintin_fw_loghash_dict.json \
