ci: add write permission ssh key and read secret from AWS (#13)

Di Wu · web-flow · commit 01460c0aa4fe · 2023-05-24T17:17:27.000-07:00
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -5,7 +5,7 @@ version: 2.1
 orbs:
   macos: circleci/macos@2.3.3
   ruby: circleci/ruby@2.0.0
-
+  aws-cli: circleci/aws-cli@3.1.4
 
 default-executor: &default-executor
   macos:
@@ -14,7 +14,6 @@ default-executor: &default-executor
   environment:
     FL_OUTPUT_DIR: output
 
-
 jobs:
   build-test-ios:
     <<: *default-executor
@@ -48,6 +47,10 @@ jobs:
             - "1d:f2:37:1e:7e:38:02:e0:76:2d:6a:a8:47:2e:85:09"
       - checkout
       - ruby/install-deps
+      - aws-cli/setup:
+          role-arn: $AWS_OIDC_ROLE_ARN
+          role-session-name: "${CIRCLE_WORKFLOW_JOB_ID}.release"
+          session-duration: '900'
       - run:
           name: Publish new version to cocoapods trunk
           command: bundle exec fastlane ios release
@@ -78,6 +81,8 @@ workflows:
           requires:
             - build-test-ios
             - build-test-macos
+          context: amplify-swift-aws-oidc
+
       - publish-doc:
           filters:
             branches:
diff --git a/fastlane/Fastfile b/fastlane/Fastfile
@@ -1,3 +1,5 @@
+require 'json'
+
 PODSPEC_PATH = "AmplifyUtilsNotifications.podspec"
 CHANGELOG_PATH = "CHANGELOG.md"
 
@@ -103,6 +105,15 @@ platform :ios do
 
     desc "Publish new version to cocoapod trunck"
     private_lane :publish_to_cocoapod_trunk do
+        # Define `COCOAPODS_TRUNK_TOKEN` env var for trunk authentication
+        # https://github.com/CocoaPods/cocoapods-trunk/commit/9e6ec1c1faf96fa837dc2ed70b5f54006b181ed6
+        secret = sh(
+            command: 'aws secretsmanager get-secret-value --secret-id ${COCOAPODS_SECRET_ARN}',
+            log: false
+        )
+
+        ENV['COCOAPODS_TRUNK_TOKEN'] = JSON.parse(secret)["SecretString"]
+
         pod_push(
             use_bundle_exec: true,
             allow_warnings: true,
