feat: allowed-accounts-list

.github/dependabot.yml

@@ -6,4 +6,4 @@ updates:
     interval: weekly
     day: tuesday
   open-pull-requests-limit: 10
-  target-branch: 'main'
+  target-branch: 'master'

.github/workflows/automerge-approved-prs.yml

@@ -3,33 +3,29 @@ on:
     types: submitted
 
 jobs:
+  print_stuff:
+    name: Print stuff for the if stmt check
+    runs-on: ubuntu-latest
+    steps:
+    - name: Print context
+      run: |
+        echo "The review state is ${{ github.event.review.state }}"
+        echo "The repository is ${{ github.repository }}"
+        echo "The review author-association is ${{ github.event.review.author_association }}"
+        echo "The review user-login is ${{ github.event.review.user.login }}"
+
   approved_pr:
     name: Automerge approved PRs
+    needs: print_stuff
     permissions:
       contents: write
       pull-requests: write
       id-token: write
-    if: >-
-      github.event.review.state == 'approved' &&
-      github.event.repository == 'aws/configure-aws-credentials' &&
-      (github.event.review.author_association == 'OWNER' || github.event.review.user.login == 'aws-sdk-osds')
+    if: ${{ github.event.review.state == 'approved' && github.repository == 'lehmanmj/configure-aws-credentials' && (github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'MEMBER' || github.event.review.user.login == 'aws-sdk-osds') }}
     runs-on: ubuntu-latest
     steps:
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: us-west-2
-          role-to-assume: ${{ secrets.SECRETS_AWS_PACKAGING_ROLE_TO_ASSUME }}
-          role-duration-seconds: 900
-          role-session-name: SecretsManagerFetch
-      - name: Get bot user token
-        uses: aws-actions/aws-secretsmanager-get-secrets@v2
-        with:
-          parse-json-secrets: true
-          secret-ids: |
-            OSDS,arn:aws:secretsmanager:us-west-2:206735643321:secret:github-aws-sdk-osds-automation-gebs9n
       - name: Enable PR automerge
         run: gh pr merge --auto --squash "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: ${{ env.OSDS_ACCESS_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.token }}

.github/workflows/dependabot-autoapprove.yml

@@ -2,36 +2,24 @@ name: Dependabot auto-approve
 on: pull_request
 permissions:
   pull-requests: write
+env:
+  PR_URL: ${{ github.event.pull_request.html_url }}
+  GH_TOKEN: ${{ secrets.TOKEN }}
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'aws/configure-aws-credentials'
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'lehmanmj/configure-aws-credentials' }}
     steps:
       - name: Get Metadata
         id: dependabot-metadata
         uses: dependabot/fetch-metadata@v2
       - uses: actions/checkout@v4
         name: Clone repo
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: us-west-2
-          role-to-assume: ${{ secrets.SECRETS_AWS_PACKAGING_ROLE_TO_ASSUME }}
-          role-duration-seconds: 900
-          role-session-name: SecretsManagerFetch
-      - name: Get bot user token
-        uses: aws-actions/aws-secretsmanager-get-secrets@v2
-        with:
-          parse-json-secrets: true
-          secret-ids: |
-            OSDS,arn:aws:secretsmanager:us-west-2:206735643321:secret:github-aws-sdk-osds-automation-gebs9n
       - name: Approve PR if not already approved
         run: |
           gh pr checkout "$PR_URL"
           if [ "$(gh pr status --json reviewDecision - q .currentBranch.reviewDecision)" != "APPROVED" ]; then
             gh pr review "$PR_URL" --approve
           else echo "PR already approved"
           fi
-        env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: ${{ env.OSDS_ACCESS_TOKEN }}
+

README.md

@@ -116,6 +116,7 @@ See [action.yml](./action.yml) for more detail.
 | disable-retry             | Disabled retry/backoff logic for assume role calls. By default, retries are enabled.              |    No    |
 | retry-max-attempts        | Limits the number of retry attempts before giving up. Defaults to 12.                             |    No    |
 | special-characters-workaround | Uncommonly, some environments cannot tolerate special characters in a secret key. This option will retry fetching credentials until the secret access key does not contain special characters. This option overrides disable-retry and retry-max-attempts. | No |
+| allowed-account-ids       | You may define a comma-separated list of allowed account IDs to configure credentials for. This is to prevent accidentally deploying to the wrong environment. | No |
 
 #### Credential Lifetime
 The default session duration is **1 hour**.

action.yml

@@ -73,6 +73,9 @@ inputs:
   special-characters-workaround:
     description: Some environments do not support special characters in AWS_SECRET_ACCESS_KEY. This option will retry fetching credentials until the secret access key does not contain special characters. This option overrides disable-retry and retry-max-attempts. This option is disabled by default
     required: false
+  allowed-account-ids:
+    description: Comma-separated list of allowed AWS account IDs to prevent accidentally deploying to the wrong environment.
+    required: false
 outputs:
   aws-account-id:
     description: The AWS account ID for the provided credentials

hi.txt

@@ -0,0 +1 @@
+Hello, world!