From 14b6c355cafa2bae995cd776f3fe1a75e9736402 Mon Sep 17 00:00:00 2001
From: Peter Woodworth <44349620+peterwoodworth@users.noreply.github.com>
Date: Fri, 25 Aug 2023 13:35:09 -0700
Subject: [PATCH] chore: fix packaging workflow (#805)
* fix: token permission in package workflow conflicting with unit tests
* change secret arn and role to assume in package workflow
---------
Co-authored-by: Tom Keller <1083460+kellertk@users.noreply.github.com>
---
 .github/workflows/package.yml | 5 +++--
 test/index.test.ts | 2 ++
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index f4d20b4..8f2f8fc 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -6,6 +6,7 @@ on:
 - main
 paths-ignore:
 - 'dist/**'
+ workflow_dispatch:
 jobs:
 package:
@@ -30,7 +31,7 @@ jobs:
 uses: aws-actions/configure-aws-credentials@v3
 with:
 aws-region: us-west-2
- role-to-assume: ${{ secrets.SECRETS_AWS_ROLE_TO_ASSUME }}
+ role-to-assume: ${{ secrets.SECRETS_AWS_PACKAGING_ROLE_TO_ASSUME }}
 role-duration-seconds: 900
 role-session-name: SecretsManagerFetch
 - name: Get bot user token
@@ -38,7 +39,7 @@ jobs:
 with:
 parse-json-secrets: true
 secret-ids: |
- OSDS,arn:aws:secretsmanager:us-west-2:294535624312:secret:github-aws-sdk-osds-automation-ZHNalp
+ OSDS,arn:aws:secretsmanager:us-west-2:206735643321:secret:github-aws-sdk-osds-automation-gebs9n
 - name: Commit
 run: |
 echo "::add-mask::${{ env.OSDS_ACCESS_TOKEN }}"
diff --git a/test/index.test.ts b/test/index.test.ts
index a2951d7..ccb6fc4 100644
--- a/test/index.test.ts
+++ b/test/index.test.ts
@@ -508,6 +508,7 @@ describe('Configure AWS Credentials', () => {
 });
 test('GH OIDC check fails if token is not set', async () => {
+ process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] = undefined;
 process.env['GITHUB_ACTIONS'] = 'true';
 jest.spyOn(core, 'getInput').mockImplementation(
 mockGetInput({
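Review bot: The new `workflow_dispatch:` trigger has no branch filter, so anyone with write access can start the packaging job from any ref, while the `push` trigger above it is limited to `main`. Later in this file the job assumes an AWS role, reads the bot token from Secrets Manager and commits, so a dispatched run on a feature branch would do all of that using that branch's copy of the workflow. A job-level `if: github.ref == 'refs/heads/main'` documents the intent, but a branch can edit it away, so the control that matters is the role's trust policy: if the role is assumed through GitHub OIDC, confirm its `sub` condition is pinned to `repo:<owner>/<repo>:ref:refs/heads/main`. The job definition continues outside this hunk, so an existing guard may not be visible here.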
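Review bot: `process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] = undefined;` does not remove the variable under Node's own `process.env`, which coerces assigned values to strings and would store the truthy text `'undefined'`. If the test runner's sandboxed `process.env` keeps a real `undefined` the test passes, but the "token is not set" case then depends on that runner behaviour rather than on the variable being absent. `delete process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'];` states the intent and behaves the same in both environments. The same line is added to the 'Assume role with existing credentials if nothing else set' test in the next hunk, and both test bodies continue outside their hunks.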
@@ -528,6 +529,7 @@ describe('Configure AWS Credentials', () => {
 });
 test('Assume role with existing credentials if nothing else set', async () => {
+ process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] = undefined;
 process.env['AWS_ACCESS_KEY_ID'] = FAKE_ACCESS_KEY_ID;
 process.env['AWS_SECRET_ACCESS_KEY'] = FAKE_SECRET_ACCESS_KEY;
 jest.spyOn(core, 'getInput').mockImplementation(