cdk-pipelines-github

Token in role-to-assume constantly changing, causing errors

Open njdister opened this issue 1 year ago • 0 comments

I'm trying to demo the GitHub pipelines in our organization, but I'm running into an issue where I can't get past the synth step because every time I run it, the token seems to change:

pipelines-github/src/pipeline.ts:469
        throw new Error(`Please commit the updated workflow file ${path.relative(__dirname, this.workflowPath)} when you change your pipeline definition.`);

I have successfully deployed the GitHubActionRole into our environment, although it is using our existing provider because we already had one. This is the sample code that gets consumed:

import * as cdk from 'aws-cdk-lib';
import * as cdkpg from 'cdk-pipelines-github';
import { Construct } from 'constructs';
import { Stage1 } from '../constructs/stage-1';

export interface DemoGHARoleProps {
  repo: string;
}

export class DemoGHARoleStack extends cdk.Stack {
  public provider: cdkpg.GitHubActionRole;

  constructor(scope: Construct, id: string, ghaRoleProps: DemoGHARoleProps, props?: cdk.StackProps) {
    super(scope, id, props);

    this.provider = new cdkpg.GitHubActionRole(this, 'PipelineRole', {
      provider: cdkpg.GitHubActionRole.existingGitHubActionsProvider(this),
      repos: [ghaRoleProps.repo],
    });
  }
}

export interface DemoGithubPipelineProps {
  envs: cdk.Environment[];
  ghaRoleArn: string;
}

export class DemoGithubPipeline {
  public pipeline: cdkpg.GitHubWorkflow;

  constructor(scope: Construct, id: string, pipelineProps: DemoGithubPipelineProps) {

    this.pipeline = new cdkpg.GitHubWorkflow(scope, id, {
      awsCreds: cdkpg.AwsCredentials.fromOpenIdConnect({
        gitHubActionRoleArn: pipelineProps.ghaRoleArn,
      }),
      synth: new cdk.pipelines.ShellStep('Synth', {
        commands: [
          'corepack enable',
          'pnpm install --frozen-lockfile',
          'npx projen synth:silent',
        ],
      }),
    });

    for (const env of pipelineProps.envs) {
      const stage = new Stage1(scope, `${env.region}-${env.account}`, { env: env });

      this.pipeline.addStage(stage);
    }
  }
}

Am I doing anything obviously wrong?

njdister Oct 17 '24 15:10