diff --git a/.github/workflows/development.yml b/.github/workflows/development.yml index 6cd68de..aa93fb9 100644 --- a/.github/workflows/development.yml +++ b/.github/workflows/development.yml @@ -82,23 +82,23 @@ jobs: uses: bahmutov/npm-install@v1 - name: "Lint code" run: npm run lint --if-present - # unit-test: - # strategy: - # fail-fast: false - # matrix: - # os: [windows-latest, ubuntu-latest, macos-latest] - # node: [14, 16, 18] - # name: Run unit tests - # runs-on: ${{ matrix.os }} - # timeout-minutes: 5 - # steps: - # - name: "Checkout repository" - # uses: actions/checkout@v3 - # - name: "Setup node" - # uses: actions/setup-node@v3 - # with: - # node-version: ${{ matrix.node }} - # - name: "Install dependencies" - # uses: bahmutov/npm-install@v1 - # - name: "Run tests" - # run: npm run test --if-present + unit-test: + strategy: + fail-fast: false + matrix: + os: [windows-latest, ubuntu-latest, macos-latest] + node: [14, 16, 18] + name: Run unit tests + runs-on: ${{ matrix.os }} + timeout-minutes: 5 + steps: + - name: "Checkout repository" + uses: actions/checkout@v3 + - name: "Setup node" + uses: actions/setup-node@v3 + with: + node-version: ${{ matrix.node }} + - name: "Install dependencies" + uses: bahmutov/npm-install@v1 + - name: "Run tests" + run: npm run test --if-present diff --git a/src/CredentialsClient.ts b/src/CredentialsClient.ts index 8782a34..4ccef3c 100644 --- a/src/CredentialsClient.ts +++ b/src/CredentialsClient.ts @@ -54,7 +54,9 @@ export class CredentialsClient { const actualAccessKeyId = credentials.accessKeyId; if (expectedAccessKeyId && expectedAccessKeyId !== actualAccessKeyId) { - throw new Error('Unexpected failure: Credentials loaded by the SDK do not match the access key ID configured by the action'); + throw new Error( + 'Unexpected failure: Credentials loaded by the SDK do not match the access key ID configured by the action' + ); } } } diff --git a/src/assumeRole.ts b/src/assumeRole.ts index f99b8cc..a5a1fe7 100644 --- a/src/assumeRole.ts +++ b/src/assumeRole.ts @@ -87,7 +87,7 @@ export async function assumeRole(params: assumeRoleParams) { webIdentityTokenFile, webIdentityToken, inlineSessionPolicy, - managedSessionPolicies + managedSessionPolicies, } = { ...params }; // Load GitHub environment variables @@ -133,7 +133,7 @@ export async function assumeRole(params: assumeRoleParams) { Tags: tags ? tags : undefined, ExternalId: roleExternalId ? roleExternalId : undefined, Policy: inlineSessionPolicy ? inlineSessionPolicy : undefined, - PolicyArns: managedSessionPolicies ? managedSessionPolicies : undefined, + PolicyArns: managedSessionPolicies?.length ? managedSessionPolicies : undefined, }; const keys = Object.keys(commonAssumeRoleParams) as Array; keys.forEach((k) => commonAssumeRoleParams[k] === undefined && delete commonAssumeRoleParams[k]); diff --git a/src/helpers.ts b/src/helpers.ts index ff61c38..9bcc7fd 100644 --- a/src/helpers.ts +++ b/src/helpers.ts @@ -34,7 +34,7 @@ export function exportRegion(region: string) { } // Obtains account ID from STS Client and sets it as output -export async function exportAccountId(credentialsClient: CredentialsClient, maskAccountId?: string) { +export async function exportAccountId(credentialsClient: CredentialsClient, maskAccountId?: boolean) { const client = credentialsClient.stsClient; const identity = await client.send(new GetCallerIdentityCommand({})); const accountId = identity.Account; diff --git a/src/index.ts b/src/index.ts index 5f34466..68edc75 100644 --- a/src/index.ts +++ b/src/index.ts @@ -17,7 +17,7 @@ export async function run() { const region = core.getInput('aws-region', { required: true }); const roleToAssume = core.getInput('role-to-assume', { required: false }); const audience = core.getInput('audience', { required: false }); - const maskAccountId = core.getInput('mask-aws-account-id', { required: false }); + const maskAccountId = core.getBooleanInput('mask-aws-account-id', { required: false }); const roleExternalId = core.getInput('role-external-id', { required: false }); const webIdentityTokenFile = core.getInput('web-identity-token-file', { required: false }); const roleDuration = parseInt(core.getInput('role-duration-seconds', { required: false })) || DEFAULT_ROLE_DURATION; @@ -27,10 +27,10 @@ export async function run() { const proxyServer = core.getInput('http-proxy', { required: false }); const disableOIDC = core.getInput('disable-oidc', { required: false }); const inlineSessionPolicy = core.getInput('inline-session-policy', { required: false }); - const managedSessionPoliciesInput = core.getMultilineInput('managed-session-policies', { required: false }) + const managedSessionPoliciesInput = core.getMultilineInput('managed-session-policies', { required: false }); const managedSessionPolicies: any[] = []; for (const managedSessionPolicy of managedSessionPoliciesInput) { - managedSessionPolicies.push({arn: managedSessionPolicy}); + managedSessionPolicies.push({ arn: managedSessionPolicy }); } const roleChainingInput = core.getInput('role-chaining', { required: false }) || 'false'; const roleChaining = roleChainingInput.toLowerCase() === 'true'; diff --git a/test/helpers.test.ts b/test/helpers.test.ts index b603714..2367a38 100644 --- a/test/helpers.test.ts +++ b/test/helpers.test.ts @@ -10,7 +10,7 @@ describe('helpers', () => { }); test('removes special characters from worflow names', () => { - expect(helpers.sanitizeGitHubVariables('sdf234@#$%$^&*()_+{}|:"<>?')).toEqual('sdf234@__________+___:_<>?'); + expect(helpers.sanitizeGitHubVariables('sdf234@#$%$^&*()_+{}|:"<>?')).toEqual('sdf234@__________+___:____'); }); test('can sleep', () => { diff --git a/test/index.test.ts b/test/index.test.ts index f079b03..b9a52dd 100644 --- a/test/index.test.ts +++ b/test/index.test.ts @@ -42,7 +42,7 @@ const DEFAULT_INPUTS = { ...CREDS_INPUTS, 'aws-session-token': FAKE_SESSION_TOKEN, 'aws-region': FAKE_REGION, - 'mask-aws-account-id': 'TRUE', + 'mask-aws-account-id': 'true', }; const ASSUME_ROLE_INPUTS = { ...CREDS_INPUTS, 'role-to-assume': ROLE_ARN, 'aws-region': FAKE_REGION }; // #endregion @@ -85,6 +85,8 @@ describe('Configure AWS Credentials', () => { jest.clearAllMocks(); mockedSTS.reset(); (fromEnv as jest.Mock).mockReset(); + jest.spyOn(core, 'getMultilineInput').mockImplementation(() => []); + jest.spyOn(core, 'getBooleanInput').mockImplementation(); jest.spyOn(core, 'getIDToken').mockImplementation(async () => Promise.resolve('testtoken')); jest.spyOn(core, 'exportVariable').mockImplementation(); jest.spyOn(core, 'setSecret').mockImplementation(); @@ -137,7 +139,7 @@ describe('Configure AWS Credentials', () => { expect(mockedSTS.commandCalls(AssumeRoleCommand)).toHaveLength(0); expect(core.exportVariable).toHaveBeenCalledTimes(5); - expect(core.setSecret).toHaveBeenCalledTimes(4); + expect(core.setSecret).toHaveBeenCalledTimes(3); expect(core.exportVariable).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', FAKE_ACCESS_KEY_ID); expect(core.setSecret).toHaveBeenCalledWith(FAKE_ACCESS_KEY_ID); expect(core.exportVariable).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', FAKE_SECRET_ACCESS_KEY); @@ -147,7 +149,6 @@ describe('Configure AWS Credentials', () => { expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', FAKE_REGION); expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', FAKE_REGION); expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', FAKE_ACCOUNT_ID); - expect(core.setSecret).toHaveBeenCalledWith(FAKE_ACCOUNT_ID); }); test('action fails when github env vars are not set', async () => { @@ -178,11 +179,9 @@ describe('Configure AWS Credentials', () => { expect(mockedSTS.commandCalls(AssumeRoleCommand)).toHaveLength(0); expect(core.exportVariable).toHaveBeenCalledTimes(2); - expect(core.setSecret).toHaveBeenCalledTimes(1); expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', FAKE_REGION); expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', FAKE_REGION); expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', FAKE_ACCOUNT_ID); - expect(core.setSecret).toHaveBeenCalledWith(FAKE_ACCOUNT_ID); }); test('action with no accessible credentials fails', async () => { @@ -235,7 +234,7 @@ describe('Configure AWS Credentials', () => { expect(mockedSTS.commandCalls(AssumeRoleCommand)).toHaveLength(0); expect(core.exportVariable).toHaveBeenCalledTimes(4); - expect(core.setSecret).toHaveBeenCalledTimes(3); + expect(core.setSecret).toHaveBeenCalledTimes(2); expect(core.exportVariable).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', FAKE_ACCESS_KEY_ID); expect(core.setSecret).toHaveBeenCalledWith(FAKE_ACCESS_KEY_ID); expect(core.exportVariable).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', FAKE_SECRET_ACCESS_KEY); @@ -243,7 +242,6 @@ describe('Configure AWS Credentials', () => { expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', 'eu-west-1'); expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', 'eu-west-1'); expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', FAKE_ACCOUNT_ID); - expect(core.setSecret).toHaveBeenCalledWith(FAKE_ACCOUNT_ID); }); test('existing env var creds are cleared', async () => { @@ -257,7 +255,7 @@ describe('Configure AWS Credentials', () => { expect(mockedSTS.commandCalls(AssumeRoleCommand)).toHaveLength(0); expect(core.exportVariable).toHaveBeenCalledTimes(5); - expect(core.setSecret).toHaveBeenCalledTimes(3); + expect(core.setSecret).toHaveBeenCalledTimes(2); expect(core.exportVariable).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', FAKE_ACCESS_KEY_ID); expect(core.setSecret).toHaveBeenCalledWith(FAKE_ACCESS_KEY_ID); expect(core.exportVariable).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', FAKE_SECRET_ACCESS_KEY); @@ -266,7 +264,6 @@ describe('Configure AWS Credentials', () => { expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', 'eu-west-1'); expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', 'eu-west-1'); expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', FAKE_ACCOUNT_ID); - expect(core.setSecret).toHaveBeenCalledWith(FAKE_ACCOUNT_ID); }); test('validates region name', async () => { @@ -291,9 +288,10 @@ describe('Configure AWS Credentials', () => { ); }); - test('can opt out of masking account ID', async () => { - const mockInputs = { ...CREDS_INPUTS, 'aws-region': 'us-east-1', 'mask-aws-account-id': 'false' }; + test('can opt into masking account ID', async () => { + const mockInputs = { ...CREDS_INPUTS, 'aws-region': 'us-east-1', 'mask-aws-account-id': 'true' }; jest.spyOn(core, 'getInput').mockImplementation(mockGetInput(mockInputs)); + jest.spyOn(core, 'getBooleanInput').mockImplementation(() => true); await run(); @@ -306,7 +304,7 @@ describe('Configure AWS Credentials', () => { expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', 'us-east-1'); expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', 'us-east-1'); expect(core.setOutput).toHaveBeenCalledWith('aws-account-id', FAKE_ACCOUNT_ID); - expect(core.setSecret).toHaveBeenCalledTimes(2); + expect(core.setSecret).toHaveBeenCalledTimes(3); }); test('error is caught by core.setFailed and caught', async () => { @@ -319,72 +317,6 @@ describe('Configure AWS Credentials', () => { expect(core.setFailed).toHaveBeenCalled(); }); - test('basic role assumption exports', async () => { - jest.spyOn(core, 'getInput').mockImplementation(mockGetInput(ASSUME_ROLE_INPUTS)); - - await run(); - - expect(mockedSTS.commandCalls(AssumeRoleCommand)).toHaveLength(1); - expect(core.exportVariable).toHaveBeenCalledTimes(7); - expect(core.setSecret).toHaveBeenCalledTimes(7); - expect(core.setOutput).toHaveBeenCalledTimes(2); - - // first the source credentials are exported and masked - expect(core.setSecret).toHaveBeenNthCalledWith(1, FAKE_ACCESS_KEY_ID); - expect(core.setSecret).toHaveBeenNthCalledWith(2, FAKE_SECRET_ACCESS_KEY); - expect(core.setSecret).toHaveBeenNthCalledWith(3, FAKE_ACCOUNT_ID); - - expect(core.exportVariable).toHaveBeenNthCalledWith(1, 'AWS_DEFAULT_REGION', FAKE_REGION); - expect(core.exportVariable).toHaveBeenNthCalledWith(2, 'AWS_REGION', FAKE_REGION); - expect(core.exportVariable).toHaveBeenNthCalledWith(3, 'AWS_ACCESS_KEY_ID', FAKE_ACCESS_KEY_ID); - expect(core.exportVariable).toHaveBeenNthCalledWith(4, 'AWS_SECRET_ACCESS_KEY', FAKE_SECRET_ACCESS_KEY); - - expect(core.setOutput).toHaveBeenNthCalledWith(1, 'aws-account-id', FAKE_ACCOUNT_ID); - - // then the role credentials are exported and masked - expect(core.setSecret).toHaveBeenNthCalledWith(4, FAKE_STS_ACCESS_KEY_ID); - expect(core.setSecret).toHaveBeenNthCalledWith(5, FAKE_STS_SECRET_ACCESS_KEY); - expect(core.setSecret).toHaveBeenNthCalledWith(6, FAKE_STS_SESSION_TOKEN); - expect(core.setSecret).toHaveBeenNthCalledWith(7, FAKE_ROLE_ACCOUNT_ID); - - expect(core.exportVariable).toHaveBeenNthCalledWith(5, 'AWS_ACCESS_KEY_ID', FAKE_STS_ACCESS_KEY_ID); - expect(core.exportVariable).toHaveBeenNthCalledWith(6, 'AWS_SECRET_ACCESS_KEY', FAKE_STS_SECRET_ACCESS_KEY); - expect(core.exportVariable).toHaveBeenNthCalledWith(7, 'AWS_SESSION_TOKEN', FAKE_STS_SESSION_TOKEN); - - expect(core.setOutput).toHaveBeenNthCalledWith(2, 'aws-account-id', FAKE_ROLE_ACCOUNT_ID); - }); - - test('assume role can pull source credentials from self-hosted environment', async () => { - jest - .spyOn(core, 'getInput') - .mockImplementation(mockGetInput({ 'role-to-assume': ROLE_ARN, 'aws-region': FAKE_REGION })); - - await run(); - - expect(mockedSTS.commandCalls(AssumeRoleCommand)).toHaveLength(1); - expect(core.exportVariable).toHaveBeenCalledTimes(5); - expect(core.setSecret).toHaveBeenCalledTimes(5); - expect(core.setOutput).toHaveBeenCalledTimes(2); - - // first the source account is exported and masked - expect(core.setSecret).toHaveBeenNthCalledWith(1, FAKE_ACCOUNT_ID); - expect(core.exportVariable).toHaveBeenNthCalledWith(1, 'AWS_DEFAULT_REGION', FAKE_REGION); - expect(core.exportVariable).toHaveBeenNthCalledWith(2, 'AWS_REGION', FAKE_REGION); - expect(core.setOutput).toHaveBeenNthCalledWith(1, 'aws-account-id', FAKE_ACCOUNT_ID); - - // then the role credentials are exported and masked - expect(core.setSecret).toHaveBeenNthCalledWith(2, FAKE_STS_ACCESS_KEY_ID); - expect(core.setSecret).toHaveBeenNthCalledWith(3, FAKE_STS_SECRET_ACCESS_KEY); - expect(core.setSecret).toHaveBeenNthCalledWith(4, FAKE_STS_SESSION_TOKEN); - expect(core.setSecret).toHaveBeenNthCalledWith(5, FAKE_ROLE_ACCOUNT_ID); - - expect(core.exportVariable).toHaveBeenNthCalledWith(3, 'AWS_ACCESS_KEY_ID', FAKE_STS_ACCESS_KEY_ID); - expect(core.exportVariable).toHaveBeenNthCalledWith(4, 'AWS_SECRET_ACCESS_KEY', FAKE_STS_SECRET_ACCESS_KEY); - expect(core.exportVariable).toHaveBeenNthCalledWith(5, 'AWS_SESSION_TOKEN', FAKE_STS_SESSION_TOKEN); - - expect(core.setOutput).toHaveBeenNthCalledWith(2, 'aws-account-id', FAKE_ROLE_ACCOUNT_ID); - }); - test('role assumption tags', async () => { jest.spyOn(core, 'getInput').mockImplementation(mockGetInput(ASSUME_ROLE_INPUTS)); @@ -393,7 +325,7 @@ describe('Configure AWS Credentials', () => { expect(mockedSTS.commandCalls(AssumeRoleCommand)[0]?.args[0].input).toEqual({ RoleArn: ROLE_ARN, RoleSessionName: 'GitHubActions', - DurationSeconds: 6 * 3600, + DurationSeconds: 3600, Tags: [ { Key: 'GitHub', Value: 'Actions' }, { Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY }, @@ -437,28 +369,6 @@ describe('Configure AWS Credentials', () => { expect(mockedSTS.commandCalls(AssumeRoleCommand)[0]?.args[0].input).toEqual({ RoleArn: ROLE_ARN, RoleSessionName: 'MySessionName', - DurationSeconds: 6 * 3600, - Tags: [ - { Key: 'GitHub', Value: 'Actions' }, - { Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY }, - { Key: 'Workflow', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_WORKFLOW }, - { Key: 'Action', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_ACTION }, - { Key: 'Actor', Value: GITHUB_ACTOR_SANITIZED }, - { Key: 'Commit', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_SHA }, - { Key: 'Branch', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REF }, - ], - }); - }); - - test('sets durationSeconds to one hour when session token provided and no duration is provided', async () => { - jest - .spyOn(core, 'getInput') - .mockImplementation(mockGetInput({ ...ASSUME_ROLE_INPUTS, 'aws-session-token': FAKE_SESSION_TOKEN })); - - await run(); - expect(mockedSTS.commandCalls(AssumeRoleCommand)[0]?.args[0].input).toEqual({ - RoleArn: ROLE_ARN, - RoleSessionName: 'GitHubActions', DurationSeconds: 3600, Tags: [ { Key: 'GitHub', Value: 'Actions' }, @@ -472,26 +382,6 @@ describe('Configure AWS Credentials', () => { }); }); - test('sets durationSeconds to one 6 hours no session token or duration is provided', async () => { - jest.spyOn(core, 'getInput').mockImplementation(mockGetInput({ ...ASSUME_ROLE_INPUTS })); - - await run(); - expect(mockedSTS.commandCalls(AssumeRoleCommand)[0]?.args[0].input).toEqual({ - RoleArn: ROLE_ARN, - RoleSessionName: 'GitHubActions', - DurationSeconds: 6 * 3600, - Tags: [ - { Key: 'GitHub', Value: 'Actions' }, - { Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY }, - { Key: 'Workflow', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_WORKFLOW }, - { Key: 'Action', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_ACTION }, - { Key: 'Actor', Value: GITHUB_ACTOR_SANITIZED }, - { Key: 'Commit', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_SHA }, - { Key: 'Branch', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REF }, - ], - }); - }); - test('role name provided instead of ARN', async () => { jest .spyOn(core, 'getInput') @@ -501,7 +391,7 @@ describe('Configure AWS Credentials', () => { expect(mockedSTS.commandCalls(AssumeRoleCommand)[0]?.args[0].input).toEqual({ RoleArn: 'arn:aws:iam::123456789012:role/MY-ROLE', RoleSessionName: 'GitHubActions', - DurationSeconds: 6 * 3600, + DurationSeconds: 3600, Tags: [ { Key: 'GitHub', Value: 'Actions' }, { Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY }, @@ -528,7 +418,7 @@ describe('Configure AWS Credentials', () => { expect(mockedSTS.commandCalls(AssumeRoleWithWebIdentityCommand)[0]?.args[0].input).toEqual({ RoleArn: 'arn:aws:iam::111111111111:role/MY-ROLE', RoleSessionName: 'GitHubActions', - DurationSeconds: 6 * 3600, + DurationSeconds: 3600, WebIdentityToken: 'testpayload', }); }); @@ -547,7 +437,7 @@ describe('Configure AWS Credentials', () => { expect(mockedSTS.commandCalls(AssumeRoleWithWebIdentityCommand)[0]?.args[0].input).toEqual({ RoleArn: 'arn:aws:iam::111111111111:role/MY-ROLE', RoleSessionName: 'GitHubActions', - DurationSeconds: 6 * 3600, + DurationSeconds: 3600, WebIdentityToken: 'testpayload', }); }); @@ -568,9 +458,6 @@ describe('Configure AWS Credentials', () => { DurationSeconds: 3600, WebIdentityToken: 'testtoken', }); - expect(core.setSecret).toHaveBeenNthCalledWith(1, FAKE_STS_ACCESS_KEY_ID); - expect(core.setSecret).toHaveBeenNthCalledWith(2, FAKE_STS_SECRET_ACCESS_KEY); - expect(core.setSecret).toHaveBeenNthCalledWith(3, FAKE_STS_SESSION_TOKEN); }); test('GH OIDC With custom role duration', async () => { @@ -593,9 +480,6 @@ describe('Configure AWS Credentials', () => { DurationSeconds: parseInt(CUSTOM_ROLE_DURATION), WebIdentityToken: 'testtoken', }); - expect(core.setSecret).toHaveBeenNthCalledWith(1, FAKE_STS_ACCESS_KEY_ID); - expect(core.setSecret).toHaveBeenNthCalledWith(2, FAKE_STS_SECRET_ACCESS_KEY); - expect(core.setSecret).toHaveBeenNthCalledWith(3, FAKE_STS_SESSION_TOKEN); }); test('role assumption fails after maximum trials using OIDC provider', async () => { @@ -622,7 +506,7 @@ describe('Configure AWS Credentials', () => { expect(mockedSTS.commandCalls(AssumeRoleCommand)[0]?.args[0].input).toEqual({ RoleArn: ROLE_ARN, RoleSessionName: 'GitHubActions', - DurationSeconds: 6 * 3600, + DurationSeconds: 3600, Tags: [ { Key: 'GitHub', Value: 'Actions' }, { Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY }, @@ -646,14 +530,14 @@ describe('Configure AWS Credentials', () => { }; const sanitizedWorkflowName = - 'Workflow__________+_ -./:;<=>?@____________1yFvMOeD3ZHYsHrGjCceOboMYzBPo0CRNFdcsVRG6UgR3A912a8KfcBtEVvkAS7kRBq80umGff8mux5IN1y55HQWPNBNyaruuVr4islFXte4FDQZexGJRUSMyHQpxJ8OmZnET84oDmbvmIjgxI6IBrdihX9PHMapT4gQvRYnLqNiKb18rEMWDNoZRy51UPX5sWK2GKPipgKSO9kqLckZa'; + 'Workflow__________+_ -./:__=__@____________1yFvMOeD3ZHYsHrGjCceOboMYzBPo0CRNFdcsVRG6UgR3A912a8KfcBtEVvkAS7kRBq80umGff8mux5IN1y55HQWPNBNyaruuVr4islFXte4FDQZexGJRUSMyHQpxJ8OmZnET84oDmbvmIjgxI6IBrdihX9PHMapT4gQvRYnLqNiKb18rEMWDNoZRy51UPX5sWK2GKPipgKSO9kqLckZa'; await run(); expect(mockedSTS.commandCalls(AssumeRoleCommand)[0]?.args[0].input).toEqual({ RoleArn: ROLE_ARN, RoleSessionName: 'GitHubActions', - DurationSeconds: 6 * 3600, + DurationSeconds: 3600, Tags: [ { Key: 'GitHub', Value: 'Actions' }, { Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY }, @@ -676,7 +560,7 @@ describe('Configure AWS Credentials', () => { expect(mockedSTS.commandCalls(AssumeRoleCommand)[0]?.args[0].input).toEqual({ RoleArn: ROLE_ARN, RoleSessionName: 'GitHubActions', - DurationSeconds: 21600, + DurationSeconds: 3600, Tags: undefined, }); }); @@ -691,7 +575,7 @@ describe('Configure AWS Credentials', () => { expect(mockedSTS.commandCalls(AssumeRoleCommand)[0]?.args[0].input).toEqual({ RoleArn: ROLE_ARN, RoleSessionName: 'GitHubActions', - DurationSeconds: 21600, + DurationSeconds: 3600, Tags: [ { Key: 'GitHub', Value: 'Actions' }, { Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY }, @@ -712,7 +596,7 @@ describe('Configure AWS Credentials', () => { expect(mockedSTS.commandCalls(AssumeRoleCommand)[0]?.args[0].input).toEqual({ RoleArn: ROLE_ARN, RoleSessionName: 'GitHubActions', - DurationSeconds: 21600, + DurationSeconds: 3600, Tags: [ { Key: 'GitHub', Value: 'Actions' }, { Key: 'Repository', Value: ENVIRONMENT_VARIABLE_OVERRIDES.GITHUB_REPOSITORY },