From e9116aff354f35d6701c23201d86ce21e6a5bdcc Mon Sep 17 00:00:00 2001
From: Andrew Hsu
Date: Sat, 3 Aug 2024 13:09:59 -0500
Subject: [PATCH] gha: use oidc to retrieve secrets (#25)

---
 .github/workflows/build.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6f2be2c3..ad6886c2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,18 +5,18 @@ name: Build Production Site
 on:
   push:
     branches: [main]
+permissions:
+  id-token: write
+  contents: read
 jobs:
   dispatch:
     runs-on: ubuntu-latest
     steps:
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
-      - name: get secrets from aws sm
-        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+          aws-region: ${{ vars.RP_AWS_CRED_REGION }}
+          aws-secret-access-key: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
+      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
         with:
           secret-ids: |
             ,sdlc/prod/github/rp_connect_netlify_build_hook
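Review bot: The OIDC role ARN on the new `aws-secret-access-key:` line is passed through the wrong input; configure-aws-credentials@v4 reads the role to assume from `role-to-assume`, and `aws-secret-access-key` is only meaningful together with `aws-access-key-id`, which this commit removes. As written the step will presumably not assume the role over the OIDC token at all and will either fail or fall back to whatever ambient credentials the runner exposes, so the `id-token: write` permission added above is never exercised. Change the line to `role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}`. Dropping the `name:` fields also leaves the job log showing only the action reference; restoring `- name: configure aws credentials (oidc)` keeps the step identifiable when an assume-role failure has to be traced. Both `uses:` references stay on a floating major tag; pinning credential-handling actions to a commit SHA with the tag noted in a comment is the usual hardening for this kind of step.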