From 17ab6b480e5dd44ccbdfb0f1b7eda64db6912261 Mon Sep 17 00:00:00 2001
From: Vijaya Krishna Manne
Date: Fri, 29 May 2026 14:13:12 -0400
Subject: [PATCH] Run AWS commands via dockerized aws-cli
---
 .forgejo/workflows/deploy-cfn.yml | 35 +++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 9 deletions(-)
diff --git a/.forgejo/workflows/deploy-cfn.yml b/.forgejo/workflows/deploy-cfn.yml
index 72ada9a..0b772cf 100644
--- a/.forgejo/workflows/deploy-cfn.yml
+++ b/.forgejo/workflows/deploy-cfn.yml
@@ -28,13 +28,13 @@ jobs:
 echo "SRC_DIR=${SRC_DIR}" >> "$GITHUB_ENV"
 echo "Using source directory: ${SRC_DIR}"

- - name: Ensure AWS CLI
+ - name: Ensure Docker is available
 run: |
- if ! command -v aws >/dev/null 2>&1; then
- echo "aws CLI is not available on this runner. Install aws cli on the runner host/container and rerun."
+ if ! command -v docker >/dev/null 2>&1; then
+ echo "docker is not available on this runner."
 exit 1
 fi
- aws --version
+ docker --version

 - name: Check required AWS secrets
 run: |
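Review bot: The new `Ensure Docker is available` step only proves that a `docker` client binary is on PATH. `docker --version` prints the client version without contacting the daemon, so a runner with no reachable daemon passes here and fails later inside `Verify AWS identity`. Ending the step with `docker version >/dev/null` (or `docker info >/dev/null`) instead makes the failure land in the step that is meant to catch it. The error message also dropped its remediation hint; `echo "docker is not available on this runner. Install Docker or expose a daemon to the runner and rerun."` would keep it actionable. Since a job that can reach a Docker daemon generally acts with that daemon's privileges on the host, this new runner requirement deserves a comment above the step for whoever provisions the runner.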
@@ -50,19 +50,36 @@ jobs:
 - name: Verify AWS identity
 run: |
 set -e
- if ! aws sts get-caller-identity; then
+ if ! docker run --rm \
+ -e AWS_ACCESS_KEY_ID \
+ -e AWS_SECRET_ACCESS_KEY \
+ -e AWS_SESSION_TOKEN \
+ -e AWS_DEFAULT_REGION \
+ amazon/aws-cli:2 sts get-caller-identity; then
 echo "AWS authentication failed. If using STS creds, regenerate and update all 3 secrets: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN."
 exit 1
 fi

 - name: Validate CFT
 run: |
- aws cloudformation validate-template \
- --template-body "file://${SRC_DIR}/infra/hello-lambda.yml"
+ docker run --rm \
+ -e AWS_ACCESS_KEY_ID \
+ -e AWS_SECRET_ACCESS_KEY \
+ -e AWS_SESSION_TOKEN \
+ -e AWS_DEFAULT_REGION \
+ -v "$PWD/${SRC_DIR}/infra:/infra" \
+ amazon/aws-cli:2 cloudformation validate-template \
+ --template-body file:///infra/hello-lambda.yml

 - name: Deploy CFT
 run: |
- aws cloudformation deploy \
+ docker run --rm \
+ -e AWS_ACCESS_KEY_ID \
+ -e AWS_SECRET_ACCESS_KEY \
+ -e AWS_SESSION_TOKEN \
+ -e AWS_DEFAULT_REGION \
+ -v "$PWD/${SRC_DIR}/infra:/infra" \
+ amazon/aws-cli:2 cloudformation deploy \
 --stack-name hello-lambda-stack \
- --template-file "${SRC_DIR}/infra/hello-lambda.yml" \
+ --template-file /infra/hello-lambda.yml \
 --capabilities CAPABILITY_NAMED_IAM
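Review bot: All three `docker run` calls pass the job's AWS credentials to `amazon/aws-cli:2`, an image referenced by tag rather than digest, and the Deploy step runs with `CAPABILITY_NAMED_IAM`, so whatever that tag resolves to at run time receives credentials able to create named IAM resources. Pin the image by digest, e.g. `amazon/aws-cli@sha256:<digest-of-reviewed-image>`, and keep the reference in a single workflow-level variable so the three steps cannot drift apart. The template directory is mounted writable although both commands only read it; `-v "$PWD/${SRC_DIR}/infra:/infra:ro"` is sufficient. Two things cannot be confirmed from this hunk. `SRC_DIR` is set earlier in the file, and `"$PWD/${SRC_DIR}"` is only correct if it is a relative path. If the job itself runs in a container that talks to a host daemon, the bind-mount source is resolved on the host, so `/infra` may be empty.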