From ebed12e895a21759c87f1d9411f572ecccdc5da8 Mon Sep 17 00:00:00 2001
From: Vadim Aleksandrov
Date: Fri, 9 Sep 2022 16:51:12 +0300
Subject: [PATCH 1/2] chore(workflows): DEVOPS-2557: update github workflow
---
 .github/workflows/deploy.yml | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index f9ceff6..d5fadbc 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -8,6 +8,9 @@ jobs:
 deploy:
 name: Build
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
 environment:
 name: production
 url: https://images.csssr.com
@@ -35,12 +38,26 @@ jobs:
 HOST: http://master.csssr-images.csssr.cloud
 IMGPROXY_HOST: https://images.csssr.com

+ - name: Import secrets
+ id: secrets
+ uses: hashicorp/vault-action@v2.4.0
+ with:
+ url: https://vault.csssr.com:8200
+ jwtGithubAudience: ${{secrets.VAULT_JWT_KEY}}
+ role: s3-cdn-upload
+ method: jwt
+ exportEnv: false
+ secrets: |
+ aws/sts/s3-cdn-upload access_key | AWS_ACCESS_KEY_ID ;
+ aws/sts/s3-cdn-upload secret_key | AWS_SECRET_ACCESS_KEY ;
+ aws/sts/s3-cdn-upload security_token | AWS_SESSION_TOKEN ;
+
 - name: Deploy
 uses: ./actions/deploy-static-site/v1beta1
 with:
- auth: ${{ secrets.CDN_UPLOAD_SECRET }}
+ auth: 'aws:${{steps.secrets.outputs.AWS_ACCESS_KEY_ID}}:${{steps.secrets.outputs.AWS_SECRET_ACCESS_KEY}}:${{steps.secrets.outputs.AWS_SESSION_TOKEN}}'
 token: ${{ secrets.GITHUB_TOKEN }}
 site-type: mpa
 project-id: csssr-images
 files: ./csssr_images/example
- no-previous-files: "true"
+ no-previous-files: 'true'
From 52da35aec3411913bd41bb174b5b01838814be62 Mon Sep 17 00:00:00 2001
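Review bot: The new job-level `permissions` block sets every scope it does not list to `none`, so the `GITHUB_TOKEN` passed to the Deploy step (`token: ${{ secrets.GITHUB_TOKEN }}`, second hunk) now carries `contents: read` and nothing else. If the local `deploy-static-site` action uses that token to write deployment statuses or comments, which this diff does not show, it will start failing and needs the matching scope added explicitly, e.g. `deployments: write`. I would also put a comment above `id-token: write`, such as `# required for the OIDC/JWT login to Vault in "Import secrets"`, so the scope is neither dropped nor widened later without knowing why it is there. The `deploy` job continues outside this hunk.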
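Review bot: `uses: hashicorp/vault-action@v2.4.0` pins a third-party action by a mutable tag in the one step that receives the job's OIDC token and hands back AWS credentials; pin it to the full commit SHA and keep the tag as a comment, `uses: hashicorp/vault-action@<full-commit-sha-of-v2.4.0>  # v2.4.0` (placeholder, take the SHA from the upstream release). The login is only as narrow as the Vault role `s3-cdn-upload`, whose configuration is not part of this diff, so confirm its bound claims restrict `sub`/`repository` (and ideally the `production` environment) rather than relying on the audience alone. `jwtGithubAudience` is an audience string rather than a credential, so a secret named `VAULT_JWT_KEY` reads misleadingly; a short comment or a rename would help the next reader. The `steps` list starts and ends outside this hunk.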
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Sep 2022 13:52:13 +0000 Subject: [PATCH 2/2] chore(deps): bump ws from 7.4.4 to 7.5.9 Bumps [ws](https://github.com/websockets/ws) from 7.4.4 to 7.5.9. - [Release notes](https://github.com/websockets/ws/releases) - [Commits](https://github.com/websockets/ws/compare/7.4.4...7.5.9) --- updated-dependencies: - dependency-name: ws dependency-type: indirect ... Signed-off-by: dependabot[bot] --- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index 75dddb3..9229c49 100644 --- a/yarn.lock +++ b/yarn.lock @@ -5351,9 +5351,9 @@ write-file-atomic@^3.0.0: typedarray-to-buffer "^3.1.5" ws@^7.4.4: - version "7.4.4" - resolved "https://registry.yarnpkg.com/ws/-/ws-7.4.4.tgz#383bc9742cb202292c9077ceab6f6047b17f2d59" - integrity sha512-Qm8k8ojNQIMx7S+Zp8u/uHOx7Qazv3Yv4q68MiWWWOJhiwG5W3x7iqmRtJo8xxrciZUY4vRxUTJCKuRnF28ZZw== + version "7.5.9" + resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.9.tgz#54fa7db29f4c7cec68b1ddd3a89de099942bb591" + integrity sha512-F+P9Jil7UiSKSkppIiD94dN07AwvFixvLIj1Og1Rl9GGMuNipJnV9JzjD6XuqmAeiswGvUmNLjr5cFuXwNS77Q== xml-name-validator@^3.0.0: version "3.0.0"