From ebed12e895a21759c87f1d9411f572ecccdc5da8 Mon Sep 17 00:00:00 2001
From: Vadim Aleksandrov
Date: Fri, 9 Sep 2022 16:51:12 +0300
Subject: [PATCH 1/2] chore(workflows): DEVOPS-2557: update github workflow
---
 .github/workflows/deploy.yml | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index f9ceff6..d5fadbc 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -8,6 +8,9 @@ jobs:
 deploy:
 name: Build
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
 environment:
 name: production
 url: https://images.csssr.com
@@ -35,12 +38,26 @@ jobs:
 HOST: http://master.csssr-images.csssr.cloud
 IMGPROXY_HOST: https://images.csssr.com
 
+ - name: Import secrets
+ id: secrets
+ uses: hashicorp/vault-action@v2.4.0
+ with:
+ url: https://vault.csssr.com:8200
+ jwtGithubAudience: ${{secrets.VAULT_JWT_KEY}}
+ role: s3-cdn-upload
+ method: jwt
+ exportEnv: false
+ secrets: |
+ aws/sts/s3-cdn-upload access_key | AWS_ACCESS_KEY_ID ;
+ aws/sts/s3-cdn-upload secret_key | AWS_SECRET_ACCESS_KEY ;
+ aws/sts/s3-cdn-upload security_token | AWS_SESSION_TOKEN ;
+
 - name: Deploy
 uses: ./actions/deploy-static-site/v1beta1
 with:
- auth: ${{ secrets.CDN_UPLOAD_SECRET }}
+ auth: 'aws:${{steps.secrets.outputs.AWS_ACCESS_KEY_ID}}:${{steps.secrets.outputs.AWS_SECRET_ACCESS_KEY}}:${{steps.secrets.outputs.AWS_SESSION_TOKEN}}'
 token: ${{ secrets.GITHUB_TOKEN }}
 site-type: mpa
 project-id: csssr-images
 files: ./csssr_images/example
- no-previous-files: "true"
+ no-previous-files: 'true'
From 8a9e6fe91866bb8eb5c41e76ef4d32d483b025fd Mon Sep 17 00:00:00 2001
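Review bot: `id-token: write` is granted on the whole `deploy` job, so every step in it can request an OIDC token, not only the Vault login. The second hunk's context (`HOST`, `IMGPROXY_HOST`) shows an earlier step in the same job, and if such steps install or run third-party code, it would be safer to move `Import secrets` and `Deploy` into their own job that `needs:` the build and carries this `permissions:` block alone. Declaring `permissions` also sets every unlisted scope to none, so the `GITHUB_TOKEN` passed as `token:` to the deploy action is now limited to `contents: read`; confirm the action needs nothing more. Most of the job's steps lie outside the hunk, so this is inferred from the visible context.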
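Review bot: The new `Import secrets` step references `hashicorp/vault-action@v2.4.0` by a mutable tag, yet it runs in a job with `id-token: write` and returns production AWS credentials. Pin it to the full commit SHA, e.g. `uses: hashicorp/vault-action@<full-commit-sha-of-v2.4.0> # v2.4.0` (placeholder; take the SHA from the upstream release). The Vault role `s3-cdn-upload` should bind the JWT claims to this repository and the `production` environment; that configuration is not visible here, so please confirm it. Since `auth:` no longer reads `secrets.CDN_UPLOAD_SECRET`, that long-lived secret should be revoked and removed from the repository settings once this is deployed.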
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Sep 2022 13:52:00 +0000 Subject: [PATCH 2/2] chore(deps): bump ansi-regex from 5.0.0 to 5.0.1 Bumps [ansi-regex](https://github.com/chalk/ansi-regex) from 5.0.0 to 5.0.1. - [Release notes](https://github.com/chalk/ansi-regex/releases) - [Commits](https://github.com/chalk/ansi-regex/compare/v5.0.0...v5.0.1) --- updated-dependencies: - dependency-name: ansi-regex dependency-type: indirect ... Signed-off-by: dependabot[bot] --- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index 75dddb3..c1d1cbf 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1011,9 +1011,9 @@ ansi-escapes@^4.2.1: type-fest "^0.21.3" ansi-regex@^5.0.0: - version "5.0.0" - resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-5.0.0.tgz#388539f55179bf39339c81af30a654d69f87cb75" - integrity sha512-bY6fj56OUQ0hU1KjFNDQuJFezqKdrAyFdIevADiqrWHwSlbmBNMHp5ak2f40Pm8JTFyM2mqxkG6ngkHO11f/lg== + version "5.0.1" + resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-5.0.1.tgz#082cb2c89c9fe8659a311a53bd6a4dc5301db304" + integrity sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ== ansi-styles@^3.2.1: version "3.2.1"