feat(oidc): replace creds with oidc for aws configurations

.github/actions/build-artifact-downloader/README.MD

@@ -6,8 +6,7 @@ Downloads and extracts build artifacts from S3.
 
 | Input | Required | Default | Description |
 |-------|----------|---------|-------------|
-| `aws-access-key-id` | Yes | - | AWS access key ID |
-| `aws-secret-access-key` | Yes | - | AWS secret access key |
+| `aws-role-arn` | Yes | - | IAM Role ARN to assume via GitHub OIDC |
 | `aws-region` | Yes | `ap-south-1` | AWS region |
 | `project-name` | Yes | - | Name of the project used during upload |
 | `s3-base-path` | Yes | - | Base S3 path used during upload |
@@ -19,8 +18,7 @@ Downloads and extracts build artifacts from S3.
 - name: Download Build Artifacts
         uses: naxa-developers/gh-workflows/.github/actions/build-artifact-downloader@artifact_downloader/v1.0.1
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
           aws-region: ${{ env.AWS_REGION }}
           project-name: ${{ env.PROJECT_NAME }}
           s3-base-path: "s3://naxa-ci-artifacts"

.github/actions/build-artifact-downloader/action.yml

@@ -1,12 +1,9 @@
 name: 'Build Artifact Downloader'
 description: 'Downloads and extracts build artifacts from S3'
 inputs:
-  aws-access-key-id:
+  aws-role-arn:
     required: true
-    description: 'AWS access key ID'
-  aws-secret-access-key:
-    required: true
-    description: 'AWS secret access key'
+    description: "IAM Role ARN to assume via GitHub OIDC"
   aws-region:
     required: true
     default: 'ap-south-1'
@@ -25,24 +22,23 @@ inputs:
 runs:
   using: 'composite'
   steps:
-    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v4
-      with:
-        aws-access-key-id: ${{ inputs.aws-access-key-id }}
-        aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
-        aws-region: ${{ inputs.aws-region }}
+  - name: Configure AWS Credentials
+    uses: aws-actions/configure-aws-credentials@v5
+    with:
+      role-to-assume: ${{ inputs.aws-role-arn }}
+      aws-region: ${{ inputs.aws-region }}
+
+  - name: Download and extract artifact
+    shell: bash
+    run: |
+      ZIP_NAME="${{ inputs.project-name }}-${{ github.run_id }}-${{ github.run_number }}.zip"
+      S3_SOURCE_PATH="${{ inputs.s3-base-path }}/${{ inputs.project-name }}-${{ github.run_id }}/${ZIP_NAME}"
+      TARGET_DIR="${{ inputs.target-directory }}"
+
+      echo "Downloading artifact from: ${S3_SOURCE_PATH}"
+      aws s3 cp "${S3_SOURCE_PATH}" "${ZIP_NAME}"
 
-    - name: Download and extract artifact
-      shell: bash
-      run: |
-        ZIP_NAME="${{ inputs.project-name }}-${{ github.run_id }}-${{ github.run_number }}.zip"
-        S3_SOURCE_PATH="${{ inputs.s3-base-path }}/${{ inputs.project-name }}-${{ github.run_id }}/${ZIP_NAME}"
-        TARGET_DIR="${{ inputs.target-directory }}"
-
-        echo "Downloading artifact from: ${S3_SOURCE_PATH}"
-        aws s3 cp "${S3_SOURCE_PATH}" "${ZIP_NAME}"
-
-        echo "Extracting to: ${TARGET_DIR}"
-        mkdir -p "${TARGET_DIR}"
-        unzip -o "${ZIP_NAME}" -d "${TARGET_DIR}"
-        rm "${ZIP_NAME}"
+      echo "Extracting to: ${TARGET_DIR}"
+      mkdir -p "${TARGET_DIR}"
+      unzip -o "${ZIP_NAME}" -d "${TARGET_DIR}"
+      rm "${ZIP_NAME}"

.github/actions/build-artifact-uploader/README.MD

@@ -6,8 +6,7 @@ Zips and uploads the build artifact to S3.
 
 | Input | Required | Default | Description |
 |-------|----------|---------|-------------|
-| `aws-access-key-id` | Yes | - | AWS access key ID |
-| `aws-secret-access-key` | Yes | - | AWS secret access key |
+| `aws-role-arn` | Yes | - | IAM Role ARN to assume via GitHub OIDC |
 | `aws-region` | Yes | `ap-south-1` | AWS region |
 | `project-name` | Yes | - | Name of the project |
 | `s3-base-path` | Yes | - | Base S3 path for uploads |
@@ -19,8 +18,7 @@ Zips and uploads the build artifact to S3.
 - name: Upload Build Artifacts
         uses: naxa-developers/gh-workflows/.github/actions/build-artifact-uploader@artifact_uploader/v1.0.0
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
           aws-region: ${{ env.AWS_REGION }}
           project-name: ${{ env.PROJECT_NAME }}
           s3-base-path: "s3://naxa-ci-artifacts"

.github/actions/build-artifact-uploader/action.yml

@@ -1,12 +1,9 @@
 name: 'Build Artifact Uploader'
 description: 'Zips and uploads the build artifact to S3'
 inputs:
-  aws-access-key-id:
+  aws-role-arn:
     required: true
-    description: 'AWS access key ID'
-  aws-secret-access-key:
-    required: true
-    description: 'AWS secret access key'
+    description: "IAM Role ARN to assume via GitHub OIDC"
   aws-region:
     required: true
     default: 'ap-south-1'
@@ -25,42 +22,41 @@ inputs:
 runs:
   using: 'composite'
   steps:
-    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v4
-      with:
-        aws-access-key-id: ${{ inputs.aws-access-key-id }}
-        aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
-        aws-region: ${{ inputs.aws-region }}
-
-    - name: Zip contents and upload to S3
-      shell: bash
-      run: |
-        set -e
-
-        PROJECT_NAME="${{ inputs.project-name }}"
-        SOURCE_DIRECTORY="${{ inputs.source-directory }}"
-        S3_BASE_PATH="${{ inputs.s3-base-path }}"
-
-        ZIP_NAME="${{ inputs.project-name }}-${{ github.run_id }}-${{ github.run_number }}.zip"
-        ABS_SOURCE_DIR="$(realpath "$SOURCE_DIRECTORY")"
-        PARENT_DIR="$(dirname "$ABS_SOURCE_DIR")"
-        ZIP_PATH="${PARENT_DIR}/${ZIP_NAME}"
-        S3_BUILD_PATH="${{ inputs.s3-base-path }}/${{ inputs.project-name }}-${{ github.run_id }}/${ZIP_NAME}"
-
-        cd "$ABS_SOURCE_DIR"
-        zip -r "$ZIP_PATH" . > /dev/null
-        cd - > /dev/null
-
-        aws s3 cp "$ZIP_PATH" "$S3_BUILD_PATH"
-
-        echo "✅ Upload complete: $S3_BUILD_PATH"
-
-        rm "$ZIP_PATH"
-
-        # delete source directory if it is not '.'
-        if [ "$SOURCE_DIRECTORY" != "." ]; then
-          rm -r "$SOURCE_DIRECTORY"
-          echo "✅Clean complete: $ZIP_NAME & $SOURCE_DIRECTORY"
-        else
-          echo "⚠️ Skipping deletion of SOURCE_DIRECTORY because it's '.'"
-        fi
+  - name: Configure AWS Credentials
+    uses: aws-actions/configure-aws-credentials@v5
+    with:
+      role-to-assume: ${{ inputs.aws-role-arn }}
+      aws-region: ${{ inputs.aws-region }}
+
+  - name: Zip contents and upload to S3
+    shell: bash
+    run: |
+      set -e
+
+      PROJECT_NAME="${{ inputs.project-name }}"
+      SOURCE_DIRECTORY="${{ inputs.source-directory }}"
+      S3_BASE_PATH="${{ inputs.s3-base-path }}"
+
+      ZIP_NAME="${{ inputs.project-name }}-${{ github.run_id }}-${{ github.run_number }}.zip"
+      ABS_SOURCE_DIR="$(realpath "$SOURCE_DIRECTORY")"
+      PARENT_DIR="$(dirname "$ABS_SOURCE_DIR")"
+      ZIP_PATH="${PARENT_DIR}/${ZIP_NAME}"
+      S3_BUILD_PATH="${{ inputs.s3-base-path }}/${{ inputs.project-name }}-${{ github.run_id }}/${ZIP_NAME}"
+
+      cd "$ABS_SOURCE_DIR"
+      zip -r "$ZIP_PATH" . > /dev/null
+      cd - > /dev/null
+
+      aws s3 cp "$ZIP_PATH" "$S3_BUILD_PATH"
+
+      echo "✅ Upload complete: $S3_BUILD_PATH"
+
+      rm "$ZIP_PATH"
+
+      # delete source directory if it is not '.'
+      if [ "$SOURCE_DIRECTORY" != "." ]; then
+        rm -r "$SOURCE_DIRECTORY"
+        echo "✅Clean complete: $ZIP_NAME & $SOURCE_DIRECTORY"
+      else
+        echo "⚠️ Skipping deletion of SOURCE_DIRECTORY because it's '.'"
+      fi

.github/actions/build_and_push/action.yml

@@ -2,12 +2,9 @@ name: Build Docker Image
 description: Builds and pushes a Docker image to AWS ECR.
 
 inputs:
-  AWS_ACCESS_KEY_ID:
+  AWS_ROLE_ARN:
     required: true
-    description: "AWS access key for configuring AWS credentials."
-  AWS_SECRET_ACCESS_KEY:
-    required: true
-    description: "AWS secret key for configuring AWS credentials."
+    description: "IAM Role ARN to assume via GitHub OIDC"
   AWS_REGION:
     required: true
     description: "AWS region for configuring AWS credentials."
@@ -61,11 +58,6 @@ inputs:
 runs:
   using: 'composite'
   steps:
-  - name: Checkout Code
-    uses: actions/checkout@v6
-    with:
-      ref: ${{ inputs.BRANCH_NAME }}
-
   - name: Copy Dependency Files - Skip if not present
     shell: bash
     run: |
@@ -83,10 +75,9 @@ runs:
       fi
 
   - name: Configure AWS Credentials
-    uses: aws-actions/configure-aws-credentials@v4
+    uses: aws-actions/configure-aws-credentials@v5
     with:
-      aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
+      role-to-assume: ${{ inputs.AWS_ROLE_ARN }}
       aws-region: ${{ inputs.AWS_REGION }}
 
   - name: Login to Amazon ECR

.github/actions/build_and_push_w_secure_modules/action.yml

@@ -2,12 +2,9 @@ name: Build Docker Image
 description: Builds and pushes a Docker image to AWS ECR.
 
 inputs:
-  AWS_ACCESS_KEY_ID:
+  AWS_ROLE_ARN:
     required: true
-    description: "AWS access key for configuring AWS credentials."
-  AWS_SECRET_ACCESS_KEY:
-    required: true
-    description: "AWS secret key for configuring AWS credentials."
+    description: "IAM Role ARN to assume via GitHub OIDC"
   AWS_REGION:
     required: true
     description: "AWS region for configuring AWS credentials."
@@ -46,52 +43,46 @@ inputs:
 runs:
   using: 'composite'
   steps:
-    - name: Checkout Code
-      uses: actions/checkout@v4
-      with:
-        ref: ${{ inputs.BRANCH_NAME }}
+  - name: Copy Dependency Files
+    shell: bash
+    run: |
+      if [ -n "${{ inputs.APT_MODULES_FILE }}" ]; then
+        cp "${{ inputs.APT_MODULES_FILE }}" apt_requirements.txt
+      fi
+
+      if [ -n "${{ inputs.PIP_MODULES_FILE }}" ]; then
+        cp "${{ inputs.PIP_MODULES_FILE }}" requirements.txt
+      fi
+
+  - name: Configure AWS Credentials
+    uses: aws-actions/configure-aws-credentials@v5
+    with:
+      role-to-assume: ${{ inputs.AWS_ROLE_ARN }}
+      aws-region: ${{ inputs.AWS_REGION }}
+
+  - name: Login to Amazon ECR
+    uses: aws-actions/amazon-ecr-login@v2
 
-    - name: Copy Dependency Files
-      shell: bash
-      run: |
-        if [ -n "${{ inputs.APT_MODULES_FILE }}" ]; then
-          cp "${{ inputs.APT_MODULES_FILE }}" apt_requirements.txt
-        fi
-
-        if [ -n "${{ inputs.PIP_MODULES_FILE }}" ]; then
-          cp "${{ inputs.PIP_MODULES_FILE }}" requirements.txt
-        fi
+  - name: Set IMAGE_TAG
+    shell: bash
+    run: |
+      IMAGE_TAG="${{ inputs.IMAGE_TAG }}"
+      if [[ -z "$IMAGE_TAG" ]]; then
+        IMAGE_TAG="${{ inputs.BRANCH_NAME }}"
+      fi
+      echo "Using IMAGE_TAG: $IMAGE_TAG"
+      echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV 
 
-    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v4
-      with:
-        aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID }}
-        aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
-        aws-region: ${{ inputs.AWS_REGION }}
+  - name: Build Docker Image
+    shell: bash
+    run: |
+      export RAW_GH_KEY=$(echo -n "${{ inputs.GH_RAW_SSH_KEY }}" | sed ':a;N;$!ba;s/\n/\\n/g')
+      docker build -f ${{ inputs.DOCKERFILE_PATH }} \
+        --build-arg "GIT_KEY=${RAW_GH_KEY}" \
+        -t ${{ inputs.ECR_REGISTRY }}/${{ inputs.ECR_REPOSITORY }}:$IMAGE_TAG \
+        ${{ inputs.BUILD_CONTEXT }}
 
-    - name: Login to Amazon ECR
-      uses: aws-actions/amazon-ecr-login@v2
-
-    - name: Set IMAGE_TAG
-      shell: bash
-      run: |
-        IMAGE_TAG="${{ inputs.IMAGE_TAG }}"
-        if [[ -z "$IMAGE_TAG" ]]; then
-          IMAGE_TAG="${{ inputs.BRANCH_NAME }}"
-        fi
-        echo "Using IMAGE_TAG: $IMAGE_TAG"
-        echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV 
-
-    - name: Build Docker Image
-      shell: bash
-      run: |
-        export RAW_GH_KEY=$(echo -n "${{ inputs.GH_RAW_SSH_KEY }}" | sed ':a;N;$!ba;s/\n/\\n/g')
-        docker build -f ${{ inputs.DOCKERFILE_PATH }} \
-          --build-arg "GIT_KEY=${RAW_GH_KEY}" \
-          -t ${{ inputs.ECR_REGISTRY }}/${{ inputs.ECR_REPOSITORY }}:$IMAGE_TAG \
-          ${{ inputs.BUILD_CONTEXT }}
-
-    - name: Push Docker Image to ECR
-      shell: bash
-      run: |
-        docker push ${{ inputs.ECR_REGISTRY }}/${{ inputs.ECR_REPOSITORY }}:$IMAGE_TAG
+  - name: Push Docker Image to ECR
+    shell: bash
+    run: |
+      docker push ${{ inputs.ECR_REGISTRY }}/${{ inputs.ECR_REPOSITORY }}:$IMAGE_TAG

.github/actions/deploy_to_vm/action.yml

@@ -4,12 +4,9 @@ inputs:
   SSH_PRIVATE_KEY:
     required: true
     description: "The SSH private key to connect to the deployment server."
-  AWS_ACCESS_KEY_ID:
+  AWS_ROLE_ARN:
     required: true
-    description: "AWS access key for configuring AWS credentials."
-  AWS_SECRET_ACCESS_KEY:
-    required: true
-    description: "AWS secret key for configuring AWS credentials."
+    description: "IAM Role ARN to assume via GitHub OIDC"
   AWS_REGION:
     required: true
     description: "AWS region for configuring AWS credentials."
@@ -45,9 +42,6 @@ inputs:
 runs:
   using: 'composite'
   steps:
-  - name: Checkout Repository
-    uses: actions/checkout@v4
-
   - name: Configure SSH Key
     uses: webfactory/ssh-agent@v0.9.0
     with:
@@ -59,10 +53,9 @@ runs:
       ssh-keyscan -H ${{ inputs.DEPLOYMENT_SERVER_IP }} >> ~/.ssh/known_hosts
 
   - name: Configure AWS Credentials
-    uses: aws-actions/configure-aws-credentials@v4
+    uses: aws-actions/configure-aws-credentials@v5
     with:
-      aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
+      role-to-assume: ${{ inputs.AWS_ROLE_ARN }}
       aws-region: ${{ inputs.AWS_REGION }}
 
   - name: Login to Amazon ECR