From bf7b9962fad1a0b21f67dbe322d78b7ddedd0641 Mon Sep 17 00:00:00 2001 From: Colby Pike Date: Wed, 4 Feb 2026 15:42:31 -0700 Subject: [PATCH 1/4] Switch the upload target bucket based on the project/patch status This change replaces all references to the mciuploads bucket in the CI configuration file with a template expansion that conditionally refers to an alternate bucket in certain scenarios. This templating also sets the role_arn for S3 operations based on the same conditions. --- .evergreen/config.yml | 116 ++++++++++++++++++++---------------------- 1 file changed, 55 insertions(+), 61 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index dde08c70b..c98e45f24 100755 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -80,19 +80,17 @@ functions: include: [./**] - command: s3.put params: - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} remote_file: '${project}/${build_variant}/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt.tar.gz' - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read local_file: 'libmongocrypt.tar.gz' content_type: '${content_type|application/x-gzip}' - command: s3.put params: - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} remote_file: '${project}/${build_variant}/${branch_name}/${libmongocrypt_s3_suffix_copy}/libmongocrypt.tar.gz' - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read local_file: 'libmongocrypt.tar.gz' content_type: '${content_type|application/x-gzip}' 
@@ -138,10 +136,9 @@ functions: include: [./**] - command: s3.put params: - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} remote_file: '${project}/${build_variant}/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt-distro-packages.tar.gz' - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read local_file: 'libmongocrypt-distro-packages.tar.gz' content_type: '${content_type|application/x-gzip}' @@ -224,10 +221,9 @@ functions: "download tarball": - command: s3.get params: - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} remote_file: '${project}/${variant_name}/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt.tar.gz' - bucket: mciuploads + bucket: ${upload_bucket} extract_to: all/${variant_name} "setup packaging credentials": @@ -323,11 +319,10 @@ functions: - "*" - command: s3.put params: - aws_key: ${aws_key} - aws_secret: ${aws_secret} + role_arn: ${upload_arn} local_file: release-files.tgz remote_file: '${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/${task_id}-${execution}-release-files.tar.gz' - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read content_type: ${content_type|application/gzip} display_name: Release Python files @@ -358,7 +353,7 @@ functions: script: | set -o xtrace # Download all the release files. - aws s3 cp --recursive s3://mciuploads/${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/ release/ + aws s3 cp --recursive s3://${upload_bucket}/${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/ release/ # Combine releases into one directory. ls -la release/ mkdir releases 
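Review bot: In the `download tarball` hunk (`@@ -224`), the `s3.get` step is given `${upload_arn}`, the same role the `s3.put` steps use, so a task that only reads a tarball is handed the role intended for uploads. What that role's policy allows is not visible in this patch, so this may be deliberate. If a read-only role exists for the bucket, the get steps should use it; otherwise record the choice next to the step, e.g. `# s3.get reuses the upload role; it needs only read access to ${upload_bucket}`. The same applies to the `s3.get # Download Windows build.` step in the `@@ -931` hunk.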
@@ -373,11 +368,10 @@ functions: - "*" - command: s3.put params: - aws_key: ${aws_key} - aws_secret: ${aws_secret} + role_arn: ${upload_arn} local_file: release-files-all.tgz remote_file: '${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/${task_id}-${execution}-release-files-all.tar.gz' - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read content_type: ${content_type|application/gzip} display_name: Release Python files all @@ -432,9 +426,8 @@ functions: type: test params: display_name: Augmented SBOM - aws_key: ${aws_key} - aws_secret: ${aws_secret} - bucket: mciuploads + role_arn: ${upload_arn} + bucket: ${upload_bucket} content_type: application/json local_file: libmongocrypt/cyclonedx.augmented.sbom.json permissions: public-read @@ -640,19 +633,17 @@ tasks: fi - command: s3.put params: - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} remote_file: 'libmongocrypt/java/${revision}/libmongocrypt-java.tar.gz' - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read local_file: 'libmongocrypt-java.tar.gz' content_type: '${content_type|application/x-gzip}' - command: s3.put params: - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} remote_file: 'libmongocrypt/java/${tag_upload_location}/libmongocrypt-java.tar.gz' - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read optional: true display_name: 'libmongocrypt-java-${tag_upload_location}.tar.gz' 
@@ -835,28 +826,25 @@ tasks: fi - command: s3.put params: - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} remote_file: 'libmongocrypt/all/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt-all.tar.gz' - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read local_file: 'libmongocrypt-all.tar.gz' content_type: '${content_type|application/x-gzip}' - command: s3.put params: - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} remote_file: 'libmongocrypt/all/${branch_name}/${libmongocrypt_s3_suffix_copy}/libmongocrypt-all.tar.gz' - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read local_file: 'libmongocrypt-all.tar.gz' content_type: '${content_type|application/x-gzip}' - command: s3.put params: - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} remote_file: 'libmongocrypt/all/${tag_upload_location}/libmongocrypt-all.tar.gz' - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for tagged release. display_name: 'libmongocrypt-all-${tag_upload_location}.tar.gz' @@ -864,10 +852,9 @@ tasks: content_type: '${content_type|application/x-gzip}' - command: s3.put params: - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} remote_file: 'libmongocrypt/all/latest/stable/libmongocrypt-all.tar.gz' - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for stable release. display_name: 'stable/libmongocrypt-all-${tag_upload_location}.tar.gz' 
@@ -875,10 +862,9 @@ tasks: content_type: '${content_type|application/x-gzip}' - command: s3.put params: - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} remote_file: 'libmongocrypt/all/latest/unstable/libmongocrypt-all.tar.gz' - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for unstable release. display_name: 'unstable/libmongocrypt-all-${tag_upload_location}.tar.gz' @@ -931,10 +917,9 @@ tasks: file: libmongocrypt/expansions.yml - command: s3.get # Download Windows build. params: - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} remote_file: '${project}/windows-test/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt.tar.gz' - bucket: mciuploads + bucket: ${upload_bucket} extract_to: libmongocrypt_download - command: shell.exec params: 
@@ -960,21 +945,19 @@ tasks: # Documentation now refers to the GitHub release page, which includes the per-release tarball. # The fixed URL upload is kept to avoid possibly breaking expectations. Consider removing in the future. params: - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} remote_file: 'libmongocrypt/windows/latest_release/libmongocrypt${upload_suffix}.tar.gz' display_name: (Deprecated) libmongocrypt${upload_suffix}.tar.gz - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read local_file: 'libmongocrypt_upload.tar.gz' content_type: 'application/x-gzip' - command: s3.put # Upload tarball for GitHub Release. params: - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} remote_file: '${project}/${build_variant}/${branch_name}/${revision}/${version_id}/libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.tar.gz' display_name: libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.tar.gz - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read local_file: 'libmongocrypt_upload.tar.gz' content_type: 'application/x-gzip' @@ -990,11 +973,10 @@ tasks: args: --secret garasign_username=${garasign_username} --secret garasign_password=${garasign_password} +sign --file_to_sign=libmongocrypt_upload.tar.gz --output_file=libmongocrypt_upload.asc - command: s3.put # Upload signature for GitHub Release. params: - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} remote_file: '${project}/${build_variant}/${branch_name}/${revision}/${version_id}/libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.asc' display_name: libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.asc - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read local_file: 'libmongocrypt/libmongocrypt_upload.asc' content_type: 'application/pgp-signature' 
@@ -1017,11 +999,10 @@ tasks: bash .evergreen/debian_package_build.sh --is-patch=${is_patch} - command: s3.put params: - aws_key: ${aws_key} - aws_secret: ${aws_secret} + role_arn: ${upload_arn} local_file: deb.tar.gz remote_file: libmongocrypt/${branch_name}/${revision}/${version_id}/${build_id}/${execution}/debian-packages.tar.gz - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read content_type: ${content_type|application/x-gzip} display_name: "deb.tar.gz" @@ -1042,11 +1023,10 @@ tasks: bash .evergreen/debian_package_build.sh --arch=i386 --is-patch=${is_patch} - command: s3.put params: - aws_key: ${aws_key} - aws_secret: ${aws_secret} + role_arn: ${upload_arn} local_file: deb.tar.gz remote_file: libmongocrypt/${branch_name}/${revision}/${version_id}/${build_id}/${execution}/debian-packages-i386.tar.gz - bucket: mciuploads + bucket: ${upload_bucket} permissions: public-read content_type: ${content_type|application/x-gzip} display_name: "deb.tar.gz" 
@@ -1142,15 +1122,29 @@ pre: REMOTE_SUFFIX_COPY="latest-${branch_name}" fi + # If we are a non-patch build in the libmongocrypt-release project, we upload to a restricted + # CDN S3 bucket. Otherwise, we upload to a less restricted bucket for convenience. The corresponding + # role_arn_... values come from EVG project configuration variables stored on the EVG server + if test "${is_patch}" = 'true' || "${project}" != 'libmongocrypt-release'; then + upload_bucket='mciuploads' + upload_arn='${role_arn_for_mciuploads}' + else + upload_bucket='cdn-origin-libmongocrypt' + upload_arn='${role_arn_for_release}' + fi + PROJECT_DIRECTORY="$(pwd)" echo "libmongocrypt_s3_suffix: $REMOTE_SUFFIX" echo "libmongocrypt_s3_suffix_copy: $REMOTE_SUFFIX_COPY" echo "project_directory: $PROJECT_DIRECTORY" + echo "Upload S3 bucket: $upload_bucket" cat < expansion.yml libmongocrypt_s3_suffix: "$REMOTE_SUFFIX" libmongocrypt_s3_suffix_copy: "$REMOTE_SUFFIX_COPY" project_directory: "$PROJECT_DIRECTORY" + upload_bucket: "$upload_bucket" + upload_arn: "$upload_arn" EOT - command: expansions.update params: From 832bdb183b76db30fed5148d876c43cb23281f16 Mon Sep 17 00:00:00 2001 From: vector-of-bool Date: Thu, 5 Feb 2026 13:57:20 -0700 Subject: [PATCH 2/4] Restrict access to files posted in S3 --- .evergreen/config.yml | 54 ++++++++++++++++++++++++++++--------------- 1 file changed, 36 insertions(+), 18 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index c98e45f24..1aaf46aa7 100755 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -83,7 +83,8 @@ functions: role_arn: ${upload_arn} remote_file: '${project}/${build_variant}/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt.tar.gz' bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed local_file: 'libmongocrypt.tar.gz' content_type: '${content_type|application/x-gzip}' - command: s3.put 
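Review bot: The second half of the added condition, `|| "${project}" != 'libmongocrypt-release'`, is missing its `test`, so the shell runs the expanded project name as a command instead of comparing it. That command normally fails with command-not-found, so whenever `is_patch` is not `true` the `else` branch is taken and `cdn-origin-libmongocrypt` with `${role_arn_for_release}` is selected for every project, not only `libmongocrypt-release`. Whether the release role can actually be assumed from another project is not visible here, but an error in this check should never select the restricted bucket; the line should read `if test "${is_patch}" = 'true' || test "${project}" != 'libmongocrypt-release'; then`. It would also help to stop the task when `upload_arn` expands to an empty string before it is written to `expansion.yml`. The enclosing script starts and ends outside the hunk.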
@@ -91,7 +92,8 @@ functions: role_arn: ${upload_arn} remote_file: '${project}/${build_variant}/${branch_name}/${libmongocrypt_s3_suffix_copy}/libmongocrypt.tar.gz' bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed local_file: 'libmongocrypt.tar.gz' content_type: '${content_type|application/x-gzip}' @@ -139,7 +141,8 @@ functions: role_arn: ${upload_arn} remote_file: '${project}/${build_variant}/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt-distro-packages.tar.gz' bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed local_file: 'libmongocrypt-distro-packages.tar.gz' content_type: '${content_type|application/x-gzip}' optional: true @@ -323,7 +326,8 @@ functions: local_file: release-files.tgz remote_file: '${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/${task_id}-${execution}-release-files.tar.gz' bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed content_type: ${content_type|application/gzip} display_name: Release Python files @@ -372,7 +376,8 @@ functions: local_file: release-files-all.tgz remote_file: '${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/${task_id}-${execution}-release-files-all.tar.gz' bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed content_type: ${content_type|application/gzip} display_name: Release Python files all earthly: @@ -430,7 +435,8 @@ functions: bucket: ${upload_bucket} content_type: application/json local_file: libmongocrypt/cyclonedx.augmented.sbom.json - permissions: public-read + permissions: private + visibility: signed remote_file: ${project}/${build_variant}/${branch_name}/${libmongocrypt_s3_suffix}/sbom/cyclonedx.augmented.sbom.json tasks: 
@@ -636,7 +642,8 @@ tasks: role_arn: ${upload_arn} remote_file: 'libmongocrypt/java/${revision}/libmongocrypt-java.tar.gz' bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed local_file: 'libmongocrypt-java.tar.gz' content_type: '${content_type|application/x-gzip}' - command: s3.put @@ -644,7 +651,8 @@ tasks: role_arn: ${upload_arn} remote_file: 'libmongocrypt/java/${tag_upload_location}/libmongocrypt-java.tar.gz' bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed optional: true display_name: 'libmongocrypt-java-${tag_upload_location}.tar.gz' local_file: 'libmongocrypt-java-${tag_upload_location}.tar.gz' @@ -829,7 +837,8 @@ tasks: role_arn: ${upload_arn} remote_file: 'libmongocrypt/all/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt-all.tar.gz' bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed local_file: 'libmongocrypt-all.tar.gz' content_type: '${content_type|application/x-gzip}' - command: s3.put @@ -837,7 +846,8 @@ tasks: role_arn: ${upload_arn} remote_file: 'libmongocrypt/all/${branch_name}/${libmongocrypt_s3_suffix_copy}/libmongocrypt-all.tar.gz' bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed local_file: 'libmongocrypt-all.tar.gz' content_type: '${content_type|application/x-gzip}' - command: s3.put @@ -845,7 +855,8 @@ tasks: role_arn: ${upload_arn} remote_file: 'libmongocrypt/all/${tag_upload_location}/libmongocrypt-all.tar.gz' bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for tagged release. display_name: 'libmongocrypt-all-${tag_upload_location}.tar.gz' local_file: 'libmongocrypt-all-${tag_upload_location}.tar.gz' 
@@ -855,7 +866,8 @@ tasks: role_arn: ${upload_arn} remote_file: 'libmongocrypt/all/latest/stable/libmongocrypt-all.tar.gz' bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for stable release. display_name: 'stable/libmongocrypt-all-${tag_upload_location}.tar.gz' local_file: 'stable/libmongocrypt-all-${tag_upload_location}.tar.gz' @@ -865,7 +877,8 @@ tasks: role_arn: ${upload_arn} remote_file: 'libmongocrypt/all/latest/unstable/libmongocrypt-all.tar.gz' bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for unstable release. display_name: 'unstable/libmongocrypt-all-${tag_upload_location}.tar.gz' local_file: 'unstable/libmongocrypt-all-${tag_upload_location}.tar.gz' @@ -949,7 +962,8 @@ tasks: remote_file: 'libmongocrypt/windows/latest_release/libmongocrypt${upload_suffix}.tar.gz' display_name: (Deprecated) libmongocrypt${upload_suffix}.tar.gz bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed local_file: 'libmongocrypt_upload.tar.gz' content_type: 'application/x-gzip' - command: s3.put # Upload tarball for GitHub Release. @@ -958,7 +972,8 @@ tasks: remote_file: '${project}/${build_variant}/${branch_name}/${revision}/${version_id}/libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.tar.gz' display_name: libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.tar.gz bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed local_file: 'libmongocrypt_upload.tar.gz' content_type: 'application/x-gzip' - command: shell.exec 
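Review bot: The `(Deprecated)` upload to `libmongocrypt/windows/latest_release/` in the `@@ -949` hunk is kept, according to the comment visible in the first patch's `@@ -960` hunk, so that an existing fixed URL keeps working, but with `permissions: private` and `visibility: signed` a direct anonymous request for that object would presumably be refused. The same question applies to the fixed `latest/stable` and `latest/unstable` paths in the `@@ -855` and `@@ -865` hunks. If these paths are now meant to be reached only through the CDN or a signed link, say so next to each step, e.g. `# Object ACL is private; this path is reachable only via the CDN or a signed link`. Otherwise consider dropping the deprecated upload rather than publishing an object that its intended consumers cannot fetch.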
@@ -977,7 +992,8 @@ tasks: remote_file: '${project}/${build_variant}/${branch_name}/${revision}/${version_id}/libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.asc' display_name: libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.asc bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed local_file: 'libmongocrypt/libmongocrypt_upload.asc' content_type: 'application/pgp-signature' @@ -1003,7 +1019,8 @@ tasks: local_file: deb.tar.gz remote_file: libmongocrypt/${branch_name}/${revision}/${version_id}/${build_id}/${execution}/debian-packages.tar.gz bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed content_type: ${content_type|application/x-gzip} display_name: "deb.tar.gz" @@ -1027,7 +1044,8 @@ tasks: local_file: deb.tar.gz remote_file: libmongocrypt/${branch_name}/${revision}/${version_id}/${build_id}/${execution}/debian-packages-i386.tar.gz bucket: ${upload_bucket} - permissions: public-read + permissions: private + visibility: signed content_type: ${content_type|application/x-gzip} display_name: "deb.tar.gz" From 7f60088b3fac79ba1c5b5c39b53c29c408416fa3 Mon Sep 17 00:00:00 2001 From: vector-of-bool Date: Mon, 9 Feb 2026 18:10:49 -0700 Subject: [PATCH 3/4] Python steps use the unrestricted bucket --- .evergreen/config.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 1aaf46aa7..d853f43d2 100755 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml 
@@ -322,10 +322,13 @@ functions: - "*" - command: s3.put params: - role_arn: ${upload_arn} + # The upload of this component uses the less restricted bucket because it is only + # used for transferring temporary files until they are later merged in the next build step + aws_key: '${aws_key}' + aws_secret: '${aws_secret}' local_file: release-files.tgz remote_file: '${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/${task_id}-${execution}-release-files.tar.gz' - bucket: ${upload_bucket} + bucket: mciuploads permissions: private visibility: signed content_type: ${content_type|application/gzip} @@ -354,10 +357,12 @@ functions: - command: shell.exec params: shell: "bash" + # This script downloads from the less restricted bucket to the location that was pushed by the + # `upload python release` step script: | set -o xtrace # Download all the release files. - aws s3 cp --recursive s3://${upload_bucket}/${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/ release/ + aws s3 cp --recursive s3://mciuploads/${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/ release/ # Combine releases into one directory. ls -la release/ mkdir releases @@ -375,6 +380,7 @@ functions: role_arn: ${upload_arn} local_file: release-files-all.tgz remote_file: '${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/${task_id}-${execution}-release-files-all.tar.gz' + # The merged results are placed in the CDN bucket for releases bucket: ${upload_bucket} permissions: private visibility: signed From 610561e3de94d0ddba8048f19dacce9d4e10402b Mon Sep 17 00:00:00 2001 From: vector-of-bool Date: Thu, 5 Feb 2026 13:50:16 -0700 Subject: [PATCH 4/4] Use the same role to download files for the Python release script --- .evergreen/config.yml | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index d853f43d2..06aa5e3b4 100755 --- a/.evergreen/config.yml 
+++ b/.evergreen/config.yml @@ -324,17 +324,20 @@ functions: params: # The upload of this component uses the less restricted bucket because it is only # used for transferring temporary files until they are later merged in the next build step - aws_key: '${aws_key}' - aws_secret: '${aws_secret}' + role_arn: ${upload_arn} local_file: release-files.tgz remote_file: '${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/${task_id}-${execution}-release-files.tar.gz' - bucket: mciuploads + bucket: ${upload_bucket} permissions: private visibility: signed content_type: ${content_type|application/gzip} display_name: Release Python files "download and merge python releases": + - command: ec2.assume_role + type: setup + params: + role_arn: ${upload_arn} - command: shell.exec params: silent: true @@ -348,21 +351,17 @@ functions: [default] region = us-east-1 EOF - - cat <> ~/.aws/credentials - [default] - aws_access_key_id = ${aws_key} - aws_secret_access_key = ${aws_secret} - EOF - command: shell.exec params: shell: "bash" - # This script downloads from the less restricted bucket to the location that was pushed by the - # `upload python release` step + include_expansions_in_env: &aws-params-env + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY + - AWS_SESSION_TOKEN script: | set -o xtrace # Download all the release files. - aws s3 cp --recursive s3://mciuploads/${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/ release/ + aws s3 cp --recursive s3://${upload_bucket}/${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/ release/ # Combine releases into one directory. ls -la release/ mkdir releases @@ -405,10 +404,7 @@ functions: type: setup params: binary: bash - include_expansions_in_env: - - AWS_ACCESS_KEY_ID - - AWS_SECRET_ACCESS_KEY - - AWS_SESSION_TOKEN + include_expansions_in_env: *aws-params-env args: - -c - |
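Review bot: The context comment kept at the top of the `@@ -324` hunk still says this upload uses the less restricted bucket, but the new lines send it to `${upload_bucket}` with `${upload_arn}`, which the first patch in this series resolves to the restricted CDN bucket for non-patch builds of the release project. The comment now describes the opposite of what the step does, and the per-task temporary archives end up in the release bucket. Either keep the intermediate files out of that bucket or reword the comment, e.g. `# Per-task archives go to ${upload_bucket}; "download and merge python releases" reads them back with the same role`.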
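Review bot: The `&aws-params-env` anchor is defined in the `@@ -348` hunk, inside what appears to be the `download and merge python releases` function, and aliased from an unrelated step in the `@@ -405` hunk, so that later step's credential environment depends on the first one staying earlier in the file. YAML resolves an alias only after its anchor has appeared, and a reader of the later step can no longer see which variables it receives. Consider keeping the explicit three-entry list in both places, or add a comment at the alias such as `# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN (anchor defined in "download and merge python releases")`. The script in `@@ -348` also keeps `set -o xtrace` while these variables are in its environment; nothing shown references them, but a traced command that did could put them in the task log.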