Skip to content

feat(eks-ci): declare the GitHub Actions OIDC identity provider#2

Merged
devantler merged 1 commit into
claude/aws-config-tenant-scaffoldfrom
claude/eks-ci-github-oidc-provider
Jul 10, 2026
Merged

feat(eks-ci): declare the GitHub Actions OIDC identity provider#2
devantler merged 1 commit into
claude/aws-config-tenant-scaffoldfrom
claude/eks-ci-github-oidc-provider

Conversation

@devantler

Copy link
Copy Markdown
Contributor

🤖 Generated by the Daily AI Engineer

Why

The platform side of the EKS CI identity went live today (platform#2565) but was deliberately left dark — no AWS-side manifests existed, so ksail's EKS smoke test still can't authenticate and its epic stays blocked on this.

What

Declares the account's GitHub Actions OIDC identity provider (the trust anchor every repo-scoped CI role will federate through). Kept to step 1 on purpose: the follow-up role's trust policy must name this provider's exact ARN, which only becomes observable once this reconciles — reconciling it also proves the OpenBao bootstrap credential end-to-end.

Operational note: after merge, the provider's status.atProvider.arn supplies the account id; step 2 (the Role with inline least-privilege policy, trust scoped to repo:devantler-tech/ksail:environment:ci) follows immediately.

Part of platform#2326.

Step 1 of the EKS CI identity (platform#2326): the account's GitHub OIDC
trust anchor, assumed via provider-aws-iam (activated platform#2565).
Reconciling it proves the OpenBao bootstrap credential end-to-end and
surfaces the account id needed for step 2's role trust policy in
status.atProvider.arn. Delete omitted from managementPolicies so a prune
can never remove the trust anchor under roles referencing it.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a Crossplane IAM OpenIDConnectProvider for GitHub Actions with configured issuer, client ID, thumbprints, management policies, and provider reference. Adds an EKS CI Kustomization that registers the provider manifest, then updates the root Kustomization to include the EKS CI resources.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly summarizes the main change: declaring the GitHub Actions OIDC identity provider for eks-ci.
Description check ✅ Passed The description is directly related to the changeset and explains the OIDC provider rollout and follow-up role work.

Comment @coderabbitai help to get the list of available commands.

@devantler
devantler marked this pull request as ready for review July 10, 2026 14:23
@devantler
devantler merged commit 5ff59b1 into claude/aws-config-tenant-scaffold Jul 10, 2026
9 checks passed
@devantler
devantler deleted the claude/eks-ci-github-oidc-provider branch July 10, 2026 14:32
devantler added a commit that referenced this pull request Jul 10, 2026
Re-lands #2 (which was accidentally based on the stale scaffold branch
rather than main) as a clean commit on top of main.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
devantler added a commit that referenced this pull request Jul 11, 2026
Re-lands #2 (which was accidentally based on the stale scaffold branch
rather than main) as a clean commit on top of main.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants