upload-release-s3.yaml

# Trigger the workflow on creating a new release/tag

name: Publish release to s3

# Controls when the workflow will run
on:
  workflow_dispatch:

permissions:
  # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
  # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
  id-token: write
  contents: read    # This is required for actions/checkout

jobs:
  upload-please:
    runs-on: ubuntu-latest
    steps:
      - name: Download last release
        uses: robinraju/release-downloader@a96f54c1b5f5e09e47d9504526e96febd949d4c2 # v1.11
        with:
          repository: "runfinch/finch-core"
          latest: true
          tarBall: true
          zipBall: true

      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: ${{ secrets.ROLE }}
          role-session-name: upload release
          aws-region: ${{ secrets.REGION }}

      - name: Upload release artifacts to s3
        run: |
          aws s3 cp . s3://${{ secrets.ARTIFACT_BUCKET_NAME }} --recursive --exclude "*" --include "finch-core*"