What does this change?
This change uses the recent work to provide GitHub actions with AWS permissions to perform build actions in a secure way. Specifically this change runs the prismic linting job which uploads a report to S3 as a first example of using this new pattern.
For https://github.com/wellcomecollection/wellcomecollection.org/issues/10843
Follows https://github.com/wellcomecollection/aws-account-infrastructure/pull/22
See also https://github.com/wellcomecollection/platform/issues/5752
How to test
Does the prismic linting GitHub action pass and successfully upload to S3 and clear CloudFront cache as the current Buildkite job does?
See successful build: https://github.com/wellcomecollection/wellcomecollection.org/actions/runs/9699593557/job/26769281605
How can we measure success?
We can remove the prismic linting job from Buildkite and rely on the scheduled job in GitHub.
Have we considered potential risks?
This is our first venture into providing GitHub actions with AWS permissions to write things (we currently do read Scala libs from S3 in some repos). The risk should have been mitigated by keeping the permissions as narrow as possible.