
Commit 890cacf

Change trust policies for bors app
1 parent b3aa7a0 commit 890cacf


3 files changed

+7
-1
lines changed


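--- a/terragrunt/accounts/bors-prod/app/terragrunt.hcl
+++ b/terragrunt/accounts/bors-prod/app/terragrunt.hcl
@@ -10,4 +10,5 @@ include {
 inputs = {
 domain = "bors-prod.rust-lang.net"
 gh_app_id = "278306"
+trusted_sub = "repo:rust-lang/bors:environment:production"
 }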
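Review bot: `trusted_sub = "repo:rust-lang/bors:environment:production"` moves the role's trust from the `main` branch ref to a GitHub environment name, so what gates role assumption is now the environment's own protection settings, which this commit does not show. GitHub issues an `environment:<name>` subject to any job that declares that environment, so the `production` environment in rust-lang/bors should restrict deployment branches (and ideally require reviewers); otherwise the branch restriction that the old value enforced is lost. A comment above the input recording that dependency would help, e.g. `# relies on the deployment-branch rules of the "production" environment in rust-lang/bors`. The same applies to `environment:staging` in terragrunt/accounts/bors-staging/app/terragrunt.hcl.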

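--- a/terragrunt/accounts/bors-staging/app/terragrunt.hcl
+++ b/terragrunt/accounts/bors-staging/app/terragrunt.hcl
@@ -10,4 +10,5 @@ include {
 inputs = {
 domain = "bors-staging.rust-lang.net"
 gh_app_id = "343095"
+trusted_sub = "repo:rust-lang/bors:environment:staging"
 }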

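--- a/terragrunt/modules/bors/main.tf
+++ b/terragrunt/modules/bors/main.tf
@@ -70,7 +70,7 @@ resource "aws_iam_role" "gha" {
 }
 Condition = {
 StringLike = {
-"token.actions.githubusercontent.com:sub" : "repo:rust-lang/bors:ref:refs/heads/main"
+"token.actions.githubusercontent.com:sub" : "${var.trusted_sub}"
 }
 StringEquals = {
 "token.actions.githubusercontent.com:aud" : "sts.amazonaws.com"
@@ -498,3 +498,7 @@ variable "domain" {
 variable "gh_app_id" {
 description = "GitHub App ID"
 }
+
+variable "trusted_sub" {
+description = "GitHub OIDC claim"
+}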
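Review bot: The `sub` condition in `aws_iam_role.gha` still sits under `StringLike` but now takes its value from `var.trusted_sub`, which is declared without a type or validation, so a value containing `*` or `?` would silently widen who can assume the role. Both callers in this commit pass exact strings, so the key could move into the existing `StringEquals` block as `"token.actions.githubusercontent.com:sub" : var.trusted_sub` (this also drops the interpolation-only quoting). The variable would benefit from `type = string` and a description that names the claim, e.g. `description = "Exact value of the GitHub OIDC sub claim allowed to assume the gha role"`. The resource body starts and ends outside the first hunk.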
