
chore(ci): migrate GitHub Actions to OIDC auth #54

Open

jonthia-drift wants to merge 1 commit into mainnet-beta from chore/gha-oidc-migration-mainnet-beta

Conversation

@jonthia-drift
Contributor

Replaces long-lived AWS_ACCESS_KEY_* secrets with short-lived STS credentials via GitHub OIDC.

Changes

  • Add workflow-level permissions: { id-token: write, contents: read }
  • Replace aws-access-key-id / aws-secret-access-key with role-to-assume: ${{ vars.AWS_DEPLOY_ROLE_PROD/NONPROD }}
  • Pin floating action refs to commit SHAs

Prerequisites before merge

  1. Set GitHub org-level variables AWS_DEPLOY_ROLE_PROD and AWS_DEPLOY_ROLE_NONPROD (role ARNs).
  2. Update the IAM role trust policy in each account to include this repo's sub claims (will be applied centrally as part of the migration).

CI on this PR is expected to fail at the AWS credentials step until both of the above are in place.

Replace long-lived AWS_ACCESS_KEY_* secrets with sts:AssumeRoleWithWebIdentity
via GitHub OIDC.

- Add workflow-level permissions (id-token: write, contents: read)
- Replace aws-access-key-id/aws-secret-access-key with role-to-assume
- Reference org-level vars AWS_DEPLOY_ROLE_PROD / AWS_DEPLOY_ROLE_NONPROD
- Pin floating action refs to commit SHAs
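The second prerequisite above (updating each account's IAM role trust policy to admit this repo's `sub` claims) is where most OIDC migrations go wrong: a trust policy that omits the `aud` condition or wildcards the repository in `sub` lets any GitHub workflow, not just this one, call `sts:AssumeRoleWithWebIdentity` on the deploy role. The script below is an added example and is not code from this PR or the project; it builds a correctly scoped trust policy for a given org/repo and lints an existing policy for those two mistakes. The account ID `123456789012`, the org `example-org`, the repo `example-repo` and the `WEAK_POLICY` document are constructed placeholders; the provider hostname `token.actions.githubusercontent.com` and the `sts.amazonaws.com` audience are the standard values used by `aws-actions/configure-aws-credentials`.

```python
"""Build and lint IAM trust policies for GitHub Actions OIDC federation.

Added example (not part of the PR). Account ID, org and repo names below
are placeholders; the issuer hostname and STS audience are the real ones.
"""
import json

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
AUD_KEY = f"{GITHUB_OIDC_ISSUER}:aud"
SUB_KEY = f"{GITHUB_OIDC_ISSUER}:sub"
EXPECTED_AUD = "sts.amazonaws.com"  # audience requested by configure-aws-credentials


def build_trust_policy(account_id, org, repo, subjects):
    """Trust policy allowing only the listed sub claims for one repository.

    `subjects` are the parts after "repo:<org>/<repo>:", e.g.
    "ref:refs/heads/mainnet-beta" or "environment:prod".
    """
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_ISSUER}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    AUD_KEY: EXPECTED_AUD,
                    SUB_KEY: [f"repo:{org}/{repo}:{s}" for s in subjects],
                },
            },
        }],
    }


def _as_list(value):
    """IAM allows scalars or lists in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy, org):
    """Return a list of findings; an empty list means the policy is scoped to `org`."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if not any(p.endswith(f"oidc-provider/{GITHUB_OIDC_ISSUER}") for p in federated):
            findings.append(f"stmt {i}: Federated principal is not the GitHub OIDC provider")
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        # Without an aud check, a token minted for another audience is accepted.
        if _as_list(equals.get(AUD_KEY, [])) != [EXPECTED_AUD]:
            findings.append(f"stmt {i}: missing or wrong StringEquals on {AUD_KEY}")
        subs = _as_list(equals.get(SUB_KEY, [])) + _as_list(like.get(SUB_KEY, []))
        if not subs:
            findings.append(f"stmt {i}: no {SUB_KEY} condition; any GitHub repo could assume the role")
        for sub in subs:
            if not sub.startswith(f"repo:{org}/"):
                findings.append(f"stmt {i}: sub {sub!r} is outside org {org!r}")
            # sub is "repo:<org>/<repo>:<rest>"; a '*' in the org/repo segment
            # admits every repository that matches, not just this one.
            repo_part = sub.split(":")[1] if ":" in sub else ""
            if "*" in repo_part:
                findings.append(f"stmt {i}: sub {sub!r} wildcards the repository name")
    return findings


# Constructed sample of a common weak policy: no aud check, org-wide sub wildcard.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {SUB_KEY: "repo:example-org/*"}},
    }],
}


if __name__ == "__main__":
    good = build_trust_policy("123456789012", "example-org", "example-repo",
                              ["ref:refs/heads/mainnet-beta", "environment:prod"])
    print(json.dumps(good, indent=2))
    for finding in lint_trust_policy(WEAK_POLICY, "example-org"):
        print("FINDING:", finding)
```

Run it against the trust policy pulled with `aws iam get-role` for each deploy role before flipping the workflow to `role-to-assume`; the lint is deliberately strict about the `aud` condition and about `*` in the org/repo segment, while still accepting a `StringLike` ref or environment pattern if the team chooses one.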
