From f487a321497fd1aaab5e6c4d7791462e29a1c28d Mon Sep 17 00:00:00 2001
From: lincube <lincube3@hotmail.com>
Date: Mon, 20 Apr 2026 18:05:32 +0800
Subject: [PATCH] ci: wire aws cli credentials for rainyun s3

---
 .github/workflows/release.yml | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 517d4c6..59e4b7d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -733,6 +733,11 @@ jobs:
       UPDATE_PRIVATE_KEY_PEM: ${{ secrets.UPDATE_PRIVATE_KEY_PEM }}
       S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }}
       S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.S3_ACCESS_KEY }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.S3_SECRET_KEY }}
+      AWS_DEFAULT_REGION: ${{ vars.S3_REGION }}
+      AWS_REGION: ${{ vars.S3_REGION }}
+      AWS_EC2_METADATA_DISABLED: "true"
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -817,6 +822,14 @@ jobs:
         shell: pwsh
         run: |
           $ErrorActionPreference = "Stop"
+
+          function Invoke-AwsChecked([string[]]$Arguments) {
+            & aws @Arguments
+            if ($LASTEXITCODE -ne 0) {
+              throw "aws command failed: aws $($Arguments -join ' ')"
+            }
+          }
+
           $probeDir = Join-Path $PWD "pdc-work"
           New-Item -ItemType Directory -Path $probeDir -Force | Out-Null
 
@@ -824,8 +837,8 @@ jobs:
           Set-Content -Path $probeFile -Value "lanmountain pdc probe $(Get-Date -Format o)" -NoNewline
 
           $probeKey = "lanmountain/update/probe/$($env:GITHUB_RUN_ID)-$($env:GITHUB_RUN_ATTEMPT).txt"
-          aws --endpoint-url "$env:S3_ENDPOINT" s3 cp $probeFile "s3://$env:S3_BUCKET/$probeKey" --only-show-errors
-          aws --endpoint-url "$env:S3_ENDPOINT" s3 rm "s3://$env:S3_BUCKET/$probeKey" --only-show-errors
+          Invoke-AwsChecked @("--endpoint-url", "$env:S3_ENDPOINT", "--region", "$env:S3_REGION", "s3", "cp", $probeFile, "s3://$env:S3_BUCKET/$probeKey", "--only-show-errors")
+          Invoke-AwsChecked @("--endpoint-url", "$env:S3_ENDPOINT", "--region", "$env:S3_REGION", "s3", "rm", "s3://$env:S3_BUCKET/$probeKey", "--only-show-errors")
           Write-Host "S3 probe succeeded."
 
       - name: Bootstrap PDC Endpoint and Token
@@ -1033,7 +1046,10 @@ jobs:
           }
 
           if (Test-Path (Join-Path $stageRoot "installers")) {
-            aws --endpoint-url "$env:S3_ENDPOINT" s3 sync (Join-Path $stageRoot "installers") "s3://$env:S3_BUCKET/lanmountain/update/installers/" --only-show-errors
+            & aws --endpoint-url "$env:S3_ENDPOINT" --region "$env:S3_REGION" s3 sync (Join-Path $stageRoot "installers") "s3://$env:S3_BUCKET/lanmountain/update/installers/" --only-show-errors
+            if ($LASTEXITCODE -ne 0) {
+              throw "aws s3 sync failed for installer mirror upload."
+            }
           }
 
       - name: Upload PDC Assets