Update panda to v7

.github/workflows/ci.yml

@@ -10,9 +10,12 @@ jobs:
     build:
         runs-on: ubuntu-20.04
 
-        permissions: # required by aws-actions/configure-aws-credentials
+        permissions:
+            # Allow GitHub to request an OIDC JWT ID token, for exchange with AWS Security Token Service (STS)
+            # See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow
             id-token: write
             contents: read
+            pull-requests: write
 
         steps:
             # Seed the build number with last number from TeamCity.
@@ -30,12 +33,6 @@ jobs:
                   java-version: "11"
                   cache: "sbt"
 
-            - name: AWS Auth
-              uses: aws-actions/configure-aws-credentials@v4
-              with:
-                  role-to-assume: ${{ secrets.GU_RIFF_RAFF_ROLE_ARN }}
-                  aws-region: eu-west-1
-
             - name: Install Node
               uses: actions/setup-node@v3
               with:
@@ -54,11 +51,13 @@ jobs:
               run: |
                   sbt clean compile test Debian/packageBin
 
-            - uses: guardian/actions-riff-raff@v2
+            - uses: guardian/actions-riff-raff@v4
               with:
                   projectName: Editorial Tools::Workflow::Workflow Frontend
+                  roleArn: ${{ secrets.GU_RIFF_RAFF_ROLE_ARN }}
+                  githubToken: ${{ secrets.GITHUB_TOKEN }}
                   buildNumber: ${{ env.BUILD_NUMBER }}
                   configPath: conf/riff-raff.yaml
                   contentDirectories: |
                       workflow-frontend:
-                        - target/workflow-frontend_0.1_all.deb
+                        - target/workflow-frontend_0.1_all.deb

app/AppComponents.scala

@@ -1,4 +1,4 @@
-import com.gu.pandomainauth.PanDomainAuthSettingsRefresher
+import com.gu.pandomainauth.{PanDomainAuthSettingsRefresher, S3BucketLoader}
 import com.gu.permissions.{PermissionsConfig, PermissionsProvider}
 import com.gu.workflow.api.{DesksAPI, SectionDeskMappingsAPI, SectionsAPI, StubAPI}
 import com.gu.workflow.lib.TagService
@@ -24,12 +24,10 @@ class AppComponents(context: Context)
 
   val config = new Config(context.initialConfiguration)
 
-  val panDomainRefresher = new PanDomainAuthSettingsRefresher(
+  val panDomainRefresher = PanDomainAuthSettingsRefresher(
     domain = config.domain,
     system = config.pandaSystem,
-    bucketName = config.pandaBucketName,
-    settingsFileKey = config.pandaSettingsFile,
-    s3Client = AWS.S3Client
+    S3BucketLoader.forAwsSdkV1(AWS.S3Client, "pan-domain-auth-settings")
   )
 
   val permissions: PermissionsProvider =

project/Dependencies.scala

@@ -12,10 +12,12 @@ object Dependencies {
     "com.gu" %% "content-api-client-aws" % "0.7"
   )
 
+  val pandaVersion = "7.0.0"
+
   val authDependencies = Seq(
-    "com.gu" %% "pan-domain-auth-play_3-0" % "4.0.0",
+    "com.gu" %% "pan-domain-auth-play_3-0" % pandaVersion,
     "com.gu" %% "hmac-headers" % "2.0.0",
-    "com.gu" %% "panda-hmac-play_3-0" % "4.0.0"
+    "com.gu" %% "panda-hmac-play_3-0" % pandaVersion
   )
 
   val testDependencies = Seq(