Merge remote-tracking branch 'origin/main' into feature/oidc-secrets-apm-aws-lambda

* origin/main:
  Use keyless authentication for smoke tests (#496)
  build(deps): bump the github-actions group with 2 updates (#494)

Author: v1v

.github/workflows/release.yml

@@ -61,7 +61,7 @@ jobs:
           retention-days: 5
 
       - name: generate build provenance (binaries)
-        uses: actions/attest-build-provenance@534b352d658f90498fd148d231fdbf88f3886a3a  # v1.3.1
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e  # v1.3.2
         with:
           subject-path: "${{ github.workspace }}/dist/*.*"
 
@@ -71,13 +71,13 @@ jobs:
         run: .ci/get-docker-provenance.sh
 
       - name: generate build provenance (containers x86_64)
-        uses: actions/attest-build-provenance@534b352d658f90498fd148d231fdbf88f3886a3a  # v1.3.1
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e  # v1.3.2
         with:
           subject-name: ${{ steps.image.outputs.name_1 }}
           subject-digest: ${{ steps.image.outputs.digest_1 }}
 
       - name: generate build provenance (containers arm64)
-        uses: actions/attest-build-provenance@534b352d658f90498fd148d231fdbf88f3886a3a  # v1.3.1
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e  # v1.3.2
         with:
           subject-name: ${{ steps.image.outputs.name_2 }}
           subject-digest: ${{ steps.image.outputs.digest_2 }}
@@ -89,7 +89,7 @@ jobs:
           VERSION: ${{ github.ref_name }}
 
       - if: ${{ success() }}
-        uses: elastic/oblt-actions/slack/[email protected].2
+        uses: elastic/oblt-actions/slack/[email protected].3
         with:
           bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
           channel-id: "#apm-aws-lambda"
@@ -98,7 +98,7 @@ jobs:
             Build: (<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|here>)
 
       - if: ${{ failure() }}
-        uses: elastic/oblt-actions/slack/[email protected].2
+        uses: elastic/oblt-actions/slack/[email protected].3
         with:
           bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
           channel-id: "#apm-aws-lambda"

.github/workflows/smoke-tests.yml

@@ -14,6 +14,7 @@ concurrency: ${{ github.workflow }}
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   test:
@@ -30,9 +31,6 @@ jobs:
       TF_VAR_REPO: "${{ github.repository }}"
       SMOKETEST_VERSIONS: "${{ inputs.smoketest_versions || 'latest' }}"
       SKIP_DESTROY: 0
-      # TODO: replace with keyless (likely AWS)
-      AWS_ACCESS_KEY_ID: ${{ secrets.OBSERVABILITY_AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.OBSERVABILITY_AWS_SECRET_ACCESS_KEY }}
     permissions:
       contents: read
       id-token: write
@@ -45,22 +43,19 @@ jobs:
       - uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: 1.2.3
-
-      - uses: elastic/oblt-actions/google/auth@v1
-
+      - uses: elastic/oblt-actions/aws/auth@v1
       - uses: google-github-actions/get-secretmanager-secrets@dc4a1392bad0fd60aee00bb2097e30ef07a1caae # v2.1.3
         with:
           export_to_environment: true
           secrets: |-
             EC_API_KEY:elastic-observability/elastic-cloud-observability-team-pro-api-key
-
       - run: make smoketest/run TEST_DIR=./tf
       - if: always()
         name: Tear down
         run: make smoketest/all/cleanup TEST_DIR=./tf
 
       - if: always()
-        uses: elastic/oblt-actions/slack/[email protected].2
+        uses: elastic/oblt-actions/slack/[email protected].3
         with:
           bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
           channel-id: "#apm-aws-lambda"

tf/main.tf

@@ -108,7 +108,7 @@ locals {
 
 resource "aws_lambda_layer_version" "lambda_layer" {
   filename   = "../dist/${local.zip_files[0]}"
-  layer_name = "lambda_layer_name"
+  layer_name = "apm-aws-lambda-smoke-testing-lambda_layer_name"
 
   description         = "AWS Lambda Extension Layer for Elastic APM - smoke testing"
   compatible_runtimes = ["nodejs16.x"]