cdk-pipelines-github

feat: Add support to provide GHA role per stage

Open danieljamesscott opened this issue 3 years ago • 1 comments

Fixes #302.

danieljamesscott, Aug 19 '22 15:08

> Hi @danieljamesscott! Thanks for opening this PR! I'm not opposed to adding this feature but I think there are some things to think through before we can merge.

Great. Thanks for the reply.

I've addressed a few issues, but have a few questions around others. If you can let me know which way you'd prefer things to work, I'll make the changes. I may be missing something, but the only testing strategy I could see was to ensure that the entire snapshot matches, or that a specific substring is present in the generated file.

> I'm most worried about the behavior when `gitHubActionRoleArn` is not supplied. Today that means we will search for GitHub Secrets to authenticate. I don't see that behavior changed in the PR so I can only assume it will still do that. How will we be able to guess whether the user means to send their roles per stage instead of using GitHub Secrets?

I was following the same logic, but with an additional "stage role arn". So it should "fall back" if not supplied. e.g.

  1. Use stage role if supplied, if not:
  2. Use pipeline role if supplied, if not:
  3. Use secrets

danieljamesscott, Aug 23 '22 08:08
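The fallback order described in the comment above (stage role, then pipeline role, then secrets), sketched as an added example that is not code from this PR or from cdk-pipelines-github. The names `resolveAuth`, `AuthStep` and `CredentialSource` are hypothetical, and the secret names and the `<version>` placeholder are assumptions; the step inputs are those of `aws-actions/configure-aws-credentials`. Returning the chosen source makes explicit which credential a stage ended up with, and a malformed ARN is rejected instead of silently falling through to a broader credential.

```typescript
// Added example: hypothetical helper, not the cdk-pipelines-github API.
type CredentialSource = "stage-role" | "pipeline-role" | "secrets";

interface AuthStep {
  source: CredentialSource;        // which level of the fallback chain was used
  needsIdTokenPermission: boolean; // OIDC role assumption needs `id-token: write` on the job
  uses: string;
  inputs: Record<string, string>;  // rendered under `with:` in the workflow step
}

// IAM role ARN shape: arn:<partition>:iam::<12-digit account>:role/<path/name>
const ROLE_ARN = /^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:role\/[\w+=,.@\/-]+$/;
const ACTION = "aws-actions/configure-aws-credentials@<version>"; // placeholder version

function resolveAuth(region: string, stageRoleArn?: string, pipelineRoleArn?: string): AuthStep {
  const candidates: Array<[CredentialSource, string | undefined]> = [
    ["stage-role", stageRoleArn],       // 1. stage role if supplied
    ["pipeline-role", pipelineRoleArn], // 2. pipeline role if supplied
  ];
  for (const [source, arn] of candidates) {
    if (arn === undefined) continue; // not supplied: try the next level
    // Supplied but malformed is an error, never a reason to fall back.
    if (!ROLE_ARN.test(arn)) {
      throw new Error(`${source}: not an IAM role ARN: ${arn}`);
    }
    return {
      source,
      needsIdTokenPermission: true,
      uses: ACTION,
      inputs: { "aws-region": region, "role-to-assume": arn },
    };
  }
  // 3. no role at any level: long-lived keys from GitHub Secrets (assumed secret names)
  return {
    source: "secrets",
    needsIdTokenPermission: false,
    uses: ACTION,
    inputs: {
      "aws-region": region,
      "aws-access-key-id": "${{ secrets.AWS_ACCESS_KEY_ID }}",
      "aws-secret-access-key": "${{ secrets.AWS_SECRET_ACCESS_KEY }}",
    },
  };
}
```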