This github action sets the CodeArtifact auth-token so it can be used by later workflow steps.
When AWS CodeArtifact is used as artifactory-store then this actions is useful.
Add the following step to your workflow - after the configure-aws-credentials step:
- name: Configure AWS CodeArtifact
uses: KnowKit/configure-aws-codeartifact@v1
with:
domain: my-codeartifact-domain
domain-owner: my-codeartifact-domain-owner-account-id
duration-seconds: optional-token-duration-in-seconds- create a IAM Policy with these permission:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "codeartifact:Describe*", "codeartifact:Get*", "codeartifact:List*", "codeartifact:Read*", "codeartifact:PublishPackageVersion" ], "Resource": "*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "sts:AWSServiceName": "codeartifact.amazonaws.com" } }, "Action": "sts:GetServiceBearerToken", "Resource": "*", "Effect": "Allow" } ] }- Create an IAM user oder role with this policy, to use in the
configure aws clientworkflow-step.-
docs:
-
have a
pyproject.yamlwith a private (AWS CodeArtifact) repository:[[tool.poetry.source]] name = "artifact" url = "https://DOMAIN-OWNER.d.codeartifact.REGION.amazonaws.com/pypi/DOMAIN/simple"
⚠️ : The/simpleat the end of the repo-url is important.(see next chapter for details on AWS CodeArtifact)
docs:
-
create a workflow like this:
name: build-pipeline on: push: paths: - ... workflow_dispatch: {} jobs: lint: runs-on: ubuntu-latest permissions: contents: read steps: - name: Checkout uses: actions/checkout@v2 - name: configure aws client uses: aws-actions/configure-aws-credentials@v1 with: aws-region: eu-central-1 # using aws-user: aws-access-key-id: ${{ secrets.AWS_CODEARTIACT_ACCESS_KEY }} aws-secret-access-key: ${{ secrets.AWS_CODEARTIFACT_SECRET }} # or github-oidc iam provider: role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} - name: Configure AWS CodeArtifact uses: KnowKit/configure-aws-codeartifact@v1 with: domain: ${{ secrets.AWS_CODEARTIACT_DOMAIN }} domain-owner: ${{ secrets.AWS_ACCOUNT_ID }} - name: Poetry Install run: poetry install with: env: POETRY_HTTP_BASIC_ARTIFACT_USERNAME: aws POETRY_HTTP_BASIC_ARTIFACT_PASSWORD: ${{ env.CODEARTIFACT_AUTH_TOKEN }}
-
- Create an IAM user oder role with this policy, to use in the
Github Packages supports everything, except pypi 😭
And PyPi itself supports only public packages - but no organisations or private packages. See: https://dustingram.com/articles/2019/04/02/pypi-as-a-service/
What should you do to publish private packages in your org?
Enter AWS CodeArtifact! (never heard of it before? me neither!)
val domain = CfnDomain(
this,
"code-artifact-domain",
CfnDomainProps.builder()
.domainName(codeArtifactDomain)
.encryptionKey("alias/aws/codeartifact")
.build()
)
val repository = CfnRepository(
this,
"code-artifact-repository",
CfnRepositoryProps.builder()
.repositoryName(codeArtifactRepo)
.domainName(codeArtifactDomain)
.domainOwner(stageConfig.accountId)
.permissionsPolicyDocument(
mapOf(
"Version" to "2012-10-17",
"Statement" to listOf(
mapOf<String, Any>(
"Action" to listOf(
"codeartifact:Describe*",
"codeartifact:Get*",
"codeartifact:List*",
"codeartifact:Read*"
),
"Resource" to "*",
"Effect" to "Allow",
"Principal" to mapOf(
"AWS" to artifactUser.userArn
),
)
)
)
)
.build()
)[[tool.poetry.source]]
name = "artifact"
url = "https://DOMAIN-OWNER.d.codeartifact.REGION.amazonaws.com/pypi/DOMAIN/simple"CODEARTIFACT_TOKEN=$(aws codeartifact get-authorization-token --domain knowkit --query authorizationToken --output text)poetry build
poetry publish --repository artifact --username aws --password $CODEARTIFACT_TOKENPOETRY_HTTP_BASIC_ARTIFACT_USERNAME=aws POETRY_HTTP_BASIC_ARTIFACT_PASSWORD=$CODEARTIFACT_TOKEN poetry add my-private-pkg --source artifact
