try to accomodate publishing via aws/github oidc env vars

CamJN · CamJN · commit 37563b4bf9ee · 2025-04-22T17:07:36.000-06:00
diff --git a/linux/publish b/linux/publish
@@ -8,15 +8,21 @@ DOCKER_IMAGE_VERSION=$(cat "$ROOTDIR/shared/definitions/docker_image_version")
 # shellcheck source=../shared/lib/library.sh
 source "$ROOTDIR/shared/lib/library.sh"
 
-INPUT_DIR=
-VERSION=
-SIGNING_KEY_FILE=
-FILE_SERVER_PASSWORD_FILE=
-AWS_ACCESS_KEY=
-AWS_SECRET_KEY_FILE=
-SIGNING_KEY_PASSWORD_FILE=
-ENTERPRISE=false
-TESTING=true
+declare INPUT_DIR
+declare VERSION
+declare SIGNING_KEY_FILE
+declare FILE_SERVER_PASSWORD_FILE
+if [ "${GITHUB_ACTION:-false}" != "true" ]; then
+	declare AWS_ACCESS_KEY
+	declare AWS_SECRET_KEY_FILE
+else
+	declare AWS_SECRET_ACCESS_KEY
+	declare AWS_ACCESS_KEY_ID
+	declare AWS_SESSION_TOKEN
+fi
+declare SIGNING_KEY_PASSWORD_FILE
+declare ENTERPRISE=false
+declare TESTING=true
 
 function usage()
 {
@@ -28,8 +34,14 @@ function usage()
 	echo "  -v VERSION Passenger version number"
 	echo "  -S PATH    File containing the package signing key"
 	echo "  -p PATH    File containing the binary build automation file server password"
-	echo "  -a KEY     Amazon S3 access key"
-	echo "  -s KEY     File containing the Amazon S3 secret key"
+	if [ "${GITHUB_ACTION:-false}" != "true" ]; then
+		echo "  -a KEY     Amazon S3 access key"
+		echo "  -s KEY     File containing the Amazon S3 secret key"
+	else
+		echo "  -k KEY     Amazon S3 secret access key"
+		echo "  -d ID      Amazon S3 access key id"
+		echo "  -t TOKEN   Amazon S3 session token"
+	fi
 	echo
 	echo "Optional options:"
 	echo "  -x PATH    File containing the package signing key password"
@@ -42,7 +54,7 @@ function parse_options()
 {
 	local OPTIND=1
 	local opt
-	while getopts "i:v:S:p:a:s:x:Euh" opt; do
+	while getopts "i:v:S:p:a:k:d:s:t:x:Euh" opt; do
 		case "$opt" in
 		i)
 			INPUT_DIR="$OPTARG"
@@ -59,9 +71,18 @@ function parse_options()
 		a)
 			AWS_ACCESS_KEY="$OPTARG"
 			;;
+		k)
+			AWS_SECRET_ACCESS_KEY="$OPTARG"
+			;;
+		d)
+			AWS_ACCESS_KEY_ID="$OPTARG"
+			;;
 		s)
 			AWS_SECRET_KEY_FILE="$OPTARG"
 			;;
+		t)
+			AWS_SESSION_TOKEN="$OPTARG"
+			;;
 		x)
 			SIGNING_KEY_PASSWORD_FILE="$OPTARG"
 			;;
@@ -101,17 +122,32 @@ function parse_options()
 		echo "ERROR: $FILE_SERVER_PASSWORD_FILE does not exist."
 		exit 1
 	fi
-	if [[ "$AWS_ACCESS_KEY" = "" ]]; then
-		echo "ERROR: please specify an AWS S3 access key with -a."
-		exit 1
-	fi
-	if [[ "$AWS_SECRET_KEY_FILE" = "" ]]; then
-		echo "ERROR: please specify an AWS S3 secret key file with -s."
-		exit 1
-	fi
-	if [[ ! -e "$AWS_SECRET_KEY_FILE" ]]; then
-		echo "ERROR: $AWS_SECRET_KEY_FILE does not exist."
-		exit 1
+	if [ "${GITHUB_ACTION:-false}" != "true" ]; then
+		if [[ "$AWS_ACCESS_KEY" = "" ]]; then
+			echo "ERROR: please specify an AWS S3 access key with -a."
+			exit 1
+		fi
+		if [[ "$AWS_SECRET_KEY_FILE" = "" ]]; then
+			echo "ERROR: please specify an AWS S3 secret key file with -s."
+			exit 1
+		fi
+		if [[ ! -e "$AWS_SECRET_KEY_FILE" ]]; then
+			echo "ERROR: $AWS_SECRET_KEY_FILE does not exist."
+			exit 1
+		fi
+	else
+		if [[ "$AWS_SECRET_ACCESS_KEY" = "" ]]; then
+			echo "ERROR: please specify an AWS S3 secret access key with -k."
+			exit 1
+		fi
+		if [[ "$AWS_ACCESS_KEY_ID" = "" ]]; then
+			echo "ERROR: please specify an AWS S3 access key id with -d."
+			exit 1
+		fi
+		if [[ "$AWS_SESSION_TOKEN" = "" ]]; then
+			echo "ERROR: please specify an AWS S3 session token with -t."
+			exit 1
+		fi
 	fi
 
 	if [[ "$SIGNING_KEY_PASSWORD_FILE" != "" && ! -e "$SIGNING_KEY_PASSWORD_FILE" ]]; then
@@ -122,17 +158,28 @@ function parse_options()
 
 parse_options "$@"
 
+declare -a TTY_ARGS
 if tty -s; then
-	TTY_ARGS="-t -i"
-else
-	TTY_ARGS=
+	TTY_ARGS=("-t" "-i")
 fi
 
-EXTRA_DOCKER_ARGS=()
+declare -a EXTRA_DOCKER_ARGS
 INPUT_DIR=$(absolute_path "$INPUT_DIR")
 FILE_SERVER_PASSWORD_FILE=$(absolute_path "$FILE_SERVER_PASSWORD_FILE")
-AWS_SECRET_KEY_FILE=$(absolute_path "$AWS_SECRET_KEY_FILE")
-
+declare -a S3_ARGS
+if [ "${GITHUB_ACTION:-false}" != "true" ]; then
+	AWS_SECRET_KEY_FILE=$(absolute_path "$AWS_SECRET_KEY_FILE")
+	S3_ARGS=("-v" "$AWS_SECRET_KEY_FILE:/aws_secret_key:ro" "-e" "AWS_ACCESS_KEY=$AWS_ACCESS_KEY")
+else
+	# docker's -e flag can use env var names without values
+	S3_ARGS=(
+		"-e" "AWS_ACCESS_KEY_ID"
+		"-e" "AWS_SECRET_ACCESS_KEY"
+		"-e" "AWS_SESSION_TOKEN"
+		"-e" "AWS_REGION=us-east-1"
+		"-e" "GITHUB_ACTION=true"
+	)
+fi
 if [[ "$SIGNING_KEY_PASSWORD_FILE" != "" ]]; then
 	EXTRA_DOCKER_ARGS+=(-v "$SIGNING_KEY_PASSWORD_FILE:/signing_key_password:ro")
 fi
@@ -148,19 +195,18 @@ function cleanup()
 }
 
 echo "-------- Entering Docker container --------"
-exec docker run $TTY_ARGS --rm \
+exec docker run "${TTY_ARGS[@]}" --rm \
 	-v "$ROOTDIR:/system:ro" \
 	-v "$INPUT_DIR:/input:ro" \
 	-v "$SIGNING_KEY_FILE:/signing_key:ro" \
 	-v "$FILE_SERVER_PASSWORD_FILE:/file_server_password:ro" \
-	-v "$AWS_SECRET_KEY_FILE:/aws_secret_key:ro" \
 	-e "APP_UID=$(/usr/bin/id -u)" \
 	-e "APP_GID=$(/usr/bin/id -g)" \
 	-e "TESTING=$TESTING" \
 	-e "REPOSITORY_NAME=$REPOSITORY_NAME" \
 	-e "S3_BUCKET_NAME=$S3_BUCKET_NAME" \
 	-e "VERSION=$VERSION" \
-	-e "AWS_ACCESS_KEY=$AWS_ACCESS_KEY" \
+	"${S3_ARGS[@]}" \
 	"${EXTRA_DOCKER_ARGS[@]}" \
 	"phusion/passenger_binary_build_automation:$DOCKER_IMAGE_VERSION" \
 	/system/linux/support/publish-script-docker-entrypoint.sh
diff --git a/linux/support/publish-script-docker-entrypoint.sh b/linux/support/publish-script-docker-entrypoint.sh
@@ -9,7 +9,15 @@ source /system/shared/lib/library.sh
 export WORKDIR=`setuser builder mktemp -d /tmp/publish.XXXXXXXX`
 export INPUT_DIR=/input
 export FILE_SERVER_PASSWORD=`cat /file_server_password`
-export AWS_SECRET_KEY=`cat /aws_secret_key`
+if [ "${GITHUB_ACTION:-false}" != "true" ]; then
+	export AWS_SECRET_KEY=`cat /aws_secret_key`
+else
+	export "AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID"
+	export "AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY"
+	export "AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN"
+	export "AWS_REGION=$AWS_REGION"
+	export "GITHUB_ACTION=$GITHUB_ACTION"
+fi
 
 setuser builder mkdir ~builder/.gnupg
 setuser builder chmod 700 ~builder/.gnupg
diff --git a/shared/publish/publish.sh b/shared/publish/publish.sh
@@ -11,8 +11,15 @@ require_envvar VERSION "$VERSION"
 require_envvar FILE_SERVER_PASSWORD "$FILE_SERVER_PASSWORD"
 require_envvar REPOSITORY_NAME "$REPOSITORY_NAME"
 require_envvar S3_BUCKET_NAME "$S3_BUCKET_NAME"
-require_envvar AWS_ACCESS_KEY "$AWS_ACCESS_KEY"
-require_envvar AWS_SECRET_KEY "$AWS_SECRET_KEY"
+if [ "${GITHUB_ACTION:-false}" != "true" ]; then
+	require_envvar AWS_ACCESS_KEY "$AWS_ACCESS_KEY"
+	require_envvar AWS_SECRET_KEY "$AWS_SECRET_KEY"
+else
+	require_envvar AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
+	require_envvar AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
+	require_envvar AWS_SESSION_TOKEN "$AWS_SESSION_TOKEN"
+	require_envvar AWS_REGION "$AWS_REGION"
+fi
 require_envvar TESTING "$TESTING"
 
 
@@ -53,16 +60,21 @@ curl --fail -L -K "$WORKDIR/curl.cfg" \
 	https://oss-binaries.phusionpassenger.com/binary_build_automation/add
 echo
 
-S3CMD_ARGS=()
+declare -a S3CMD_ARGS
 if ! $TESTING; then
 	S3CMD_ARGS+=(--skip-existing)
 fi
+if [ "${GITHUB_ACTION:-false}" != "true" ]; then
 cat >>"$WORKDIR/s3cfg" <<EOF
 access_key = $AWS_ACCESS_KEY
 secret_key = $AWS_SECRET_KEY
 EOF
-echo "+ s3cmd -c $WORKDIR/s3cfg	--storage-class=STANDARD_IA --human-readable-sizes --follow-symlinks --no-delete-removed --acl-public --guess-mime-type	${S3CMD_ARGS[*]} sync $WORKDIR/content/	s3://phusion-passenger/binaries/$S3_BUCKET_NAME/by_release/$VERSION/"
-s3cmd -c "$WORKDIR/s3cfg" \
+S3CMD_ARGS+=("-c" "$WORKDIR/s3cfg")
+else
+
+fi
+echo "+ s3cmd --storage-class=STANDARD_IA --human-readable-sizes --follow-symlinks --no-delete-removed --acl-public --guess-mime-type	${S3CMD_ARGS[*]} sync $WORKDIR/content/	s3://phusion-passenger/binaries/$S3_BUCKET_NAME/by_release/$VERSION/"
+s3cmd \
 	--storage-class=STANDARD_IA \
 	--human-readable-sizes \
 	--follow-symlinks \
