Test PrivateCIWorkflows role assumption from public repo #1
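# Negative test for the PrivateCIWorkflows role trust policy: a *public*
# repository must NOT be able to assume it. The job fails (exit 1) when the
# role is assumed, and also when the outcome is inconclusive, so a broken
# token exchange cannot masquerade as "access denied".
name: Test PrivateCIWorkflows Role

on:
  pull_request:
  workflow_dispatch:

permissions:
  contents: read
  id-token: write   # required to mint the OIDC token in the first step

jobs:
  test-role-assumption:
    runs-on: ubuntu-latest
    env:
      ROLE_ARN: arn:aws:iam::708167139547:role/PrivateCIWorkflows
    steps:
      - name: Get OIDC token
        id: get-token
        shell: bash
        run: |
          set -euo pipefail
          # --fail turns an HTTP error (e.g. 401 when id-token: write is missing)
          # into a non-zero exit; without it curl prints a non-JSON body and the
          # pipeline would "succeed" with an empty or "null" token.
          TOKEN=$(curl --fail --silent --show-error \
            -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r '.value')
          if [[ -z "$TOKEN" || "$TOKEN" == "null" ]]; then
            echo "::error::Failed to obtain an OIDC token from the Actions token service"
            exit 1
          fi
          # Mask before the value is written anywhere the log could echo it.
          echo "::add-mask::$TOKEN"
          echo "token=$TOKEN" >> "$GITHUB_OUTPUT"

      - name: Attempt to assume role and report result
        env:
          OIDC_TOKEN: ${{ steps.get-token.outputs.token }}
        shell: bash
        run: |
          set -euo pipefail
          : "${OIDC_TOKEN:?OIDC token output from get-token step is empty}"

          echo "==========================================="
          echo "Testing PrivateCIWorkflows role assumption"
          echo "Role ARN: $ROLE_ARN"
          echo "Repository: $GITHUB_REPOSITORY"
          echo "Visibility: public"
          echo "==========================================="
          echo ""

          ERROR_FILE=$(mktemp)
          trap 'rm -f -- "$ERROR_FILE"' EXIT

          # --query returns only AssumedRoleUser on success, so the temporary
          # credentials never land in a shell variable or the job log.
          # The session name carries the run id so the attempt is traceable in
          # CloudTrail. The token is passed on argv; on an ephemeral hosted
          # runner with a single job this is acceptable for a test workflow.
          if RESULT=$(aws sts assume-role-with-web-identity \
              --role-arn "$ROLE_ARN" \
              --role-session-name "gh-test-${GITHUB_RUN_ID}" \
              --web-identity-token "$OIDC_TOKEN" \
              --duration-seconds 900 \
              --query AssumedRoleUser \
              --output json 2>"$ERROR_FILE"); then
            echo "✅ RESULT: Role assumed successfully"
            echo ""
            echo "This public repo CAN assume the PrivateCIWorkflows role."
            echo "⚠️ WARNING: This is NOT the expected behavior!"
            echo "The role should only be assumable by private repos."
            echo ""
            echo "Caller identity:"
            echo "$RESULT"
            exit 1
          fi

          ERROR=$(cat "$ERROR_FILE")
          echo "Role assumption failed (this may be expected)"
          echo ""

          if grep -q -e "NoSuchEntity" -e "does not exist" <<<"$ERROR"; then
            echo "📋 RESULT: Role does not exist yet"
            echo ""
            echo "The PrivateCIWorkflows role has not been created."
            echo "Action: Merge the infra PR to create the role, then re-run this workflow."
          elif grep -q -e "Not authorized" -e "AccessDenied" -e "not authorized to perform" <<<"$ERROR"; then
            echo "🔒 RESULT: Access denied (EXPECTED for public repos)"
            echo ""
            echo "The role exists and correctly rejects this public repository."
            echo "The repository_visibility=private constraint is working!"
          else
            # Anything else (invalid/expired token, wrong audience, network or
            # CLI error) says nothing about the trust policy, so the test must
            # not pass on it.
            echo "❓ RESULT: Unknown error (inconclusive)"
            echo ""
            echo "Error details:"
            echo "$ERROR"
            echo ""
            echo "==========================================="
            exit 1
          fi

          echo ""
          echo "==========================================="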