Move CI to OIDC role assumption

Mark-Simulacrum · Mark-Simulacrum · commit 45bee1af7282 · 2022-08-27T12:25:39.000-04:00
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -17,8 +17,11 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           build_only: ${{ github.ref != 'refs/heads/master' }}
+      - name: Configure AWS credentials
+        if: github.ref == 'refs/heads/master'
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: arn:aws:iam::890664054962:role/forge-rust-lang-org-ci
+          aws-region: us-east-1
       - run: aws cloudfront create-invalidation --distribution-id E12A3GKHZSREHP --paths "/*"
         if: github.ref == 'refs/heads/master'
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
