We're iterating towards GHA for CI, AWS CodeBuild for the CD. At least on AWS projects. Mainly because managing IAM permissions to permit the github runner to do everything the deployment wants is an astonishingly large waste of time. But you need a secret to trigger one from the other.

▲

jamescrowley a day ago | parent [-]

You actually don’t need (long-lived / hard-coded) secrets in this scenario if you use OIDC:

https://docs.github.com/en/actions/how-tos/secure-your-work/...

▲

regularfry a day ago | parent | next [-]

Technically yes. It depends on whether you consider the account ID to be a secret or not (AWS say "sensitive but not secret" which doesn't help much). But also it can make sense to treat all environment variables as secrets by default just so you don't accidentally end up putting something somewhere that turns out to have been Wrong.

▲

Kinrany a day ago | parent [-]

GP is saying that GHA would need zero information about AWS if CodeBuild used a Github token and listened for GHA runs.

▲

regularfry 20 hours ago | parent [-]

That may be true, but it's not what the link describes.

	▲	Kinrany 20 hours ago \| parent [-]
		Fair!

▲

everfrustrated a day ago | parent | prev [-]

And even better can scope assuming an AWS IAM role to a specific branch name & workflow filename so only code/workflows that have been through review have access to CD secrets/prod infra.

IE no prod access by editing the workflow definition and pushing it to a branch.