Use token from secrets manager instead

aws · May 1, 2024 · 0c1fafc · 0c1fafc
1 parent 9e7120b
commit 0c1fafc
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/.github/workflows/manual.yml b/.github/workflows/manual.yml
@@ -40,10 +40,25 @@ jobs:
 
   cut-issue-on-failure:
     runs-on: ubuntu-latest
-    env:
-      GH_TOKEN: ${{ secrets.DAFNY_ISSUE_CUTTING_TOKEN }}
     steps:
+      # We need access to the role that is able to get CI Bot Creds
+      - name: Configure AWS Credentials for Release
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-region: us-west-2
+          role-to-assume: arn:aws:iam::587316601012:role/GitHub-CI-CI-Bot-Credential-Access-Role-us-west-2
+          role-session-name: CI_Bot_Release
+
+      # Use AWS Secrets Manger GHA to retrieve CI Bot Creds
+      - name: Get CI Bot Creds Secret
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          secret-ids: Github/aws-crypto-tools-ci-bot
+          parse-json-secrets: true
+
       - name: Create release blocker on dafny-lang/dafny
+        env:
+          GH_TOKEN: ${{ env.GITHUB_AWS_CRYPTO_TOOLS_CI_BOT_ESDK_RELEASE_TOKEN }}
         run: |
           gh issue create \
             --repo "dafny-lang/dafny" \