From 01e3cbd78b60a40c559dc6493a4a2e2bc7b41511 Mon Sep 17 00:00:00 2001
From: Derek
Date: Wed, 10 Jan 2024 16:42:30 -0500
Subject: [PATCH] feat(github): use OIDC to push images (#4077)
---
 .github/workflows/ci_sign_client.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci_sign_client.yml b/.github/workflows/ci_sign_client.yml
index 53841f732..8928c67b6 100644
--- a/.github/workflows/ci_sign_client.yml
+++ b/.github/workflows/ci_sign_client.yml
@@ -15,17 +15,20 @@ env:
 jobs:
 push:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: eu-central-1
+ role-to-assume: ${{ secrets.AWS_ROLE_ECR_DEPLOYER }}
+ aws-region: ${{ vars.AWS_REGION }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v2
+ with:
+ mask-password: 'true'
 - name: Checkout
 uses: actions/checkout@v4
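Review bot: The job-level `permissions:` block added under `push:` lists only `id-token: write`, and once a job declares permissions every scope it omits is set to `none`, so the `Checkout` step at the end of this hunk runs with no `contents` access. That still works on a public repository but fails on a private one; adding `contents: read` beside `id-token: write` states the job's full grant explicitly and keeps it least-privilege. With static keys gone, what limits who can push images is the trust policy of the role in `secrets.AWS_ROLE_ECR_DEPLOYER`, which is not visible here; it should condition `token.actions.githubusercontent.com:sub` on this repository and the refs allowed to publish, and `token.actions.githubusercontent.com:aud` on `sts.amazonaws.com`. Because the job can now mint an OIDC token, the `uses:` references on mutable tags (`@v4`, `@v2`) are worth pinning to full commit SHAs. The step list of `push` continues outside the hunk.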