From 70d4739eb3b0b03b77258ca563c18607ee0cd1b6 Mon Sep 17 00:00:00 2001
From: Richard Lee
Date: Thu, 2 Apr 2026 03:46:18 +0800
Subject: [PATCH] Switch GitHub Actions to OIDC for AWS authentication

Replace long-lived access keys with IAM role assumption via OIDC.
Refs: sc-102055
---
 .github/workflows/release.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9d4b1aa..f29b96f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -55,13 +55,15 @@ jobs:
     needs: build-and-push-docker-image
     runs-on: ubuntu-latest
     if: success()
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v6
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::635002287587:role/GitHubActionsDeployRole
           aws-region: us-east-1
       - name: Login to Amazon ECR Public
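Review bot: With `role-to-assume` now the only thing gating access, the security of this hunk rests entirely on the trust policy of `GitHubActionsDeployRole`, which the change cannot show: that policy must require `token.actions.githubusercontent.com:aud` to equal `sts.amazonaws.com` and restrict `token.actions.githubusercontent.com:sub` to this repository and its release ref or environment (e.g. `repo:ORG/REPO:ref:refs/tags/*`), otherwise any GitHub workflow anywhere can assume the role. That dependency deserves a comment above the new line, e.g. `# Role trust policy must pin aud=sts.amazonaws.com and sub to this repo's release refs`. The step is still pinned to the mutable major tag `@v6` while it now mints cloud credentials; pinning to a full commit SHA with the version in a trailing comment (`uses: aws-actions/configure-aws-credentials@<commit-sha>  # v6`) limits the blast radius of a moved or compromised tag. Adding `role-session-name: release-${{ github.run_id }}` under `with:` would make the resulting CloudTrail entries attributable to a specific run. Since `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are no longer referenced here, the underlying IAM user keys should be deactivated once this lands (the commit message does not mention that), and the workflow's `on:` triggers and the rest of this job lie outside the hunk.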