From e7954cceb40eb02ecf165bc7b7d3e87ff60a3224 Mon Sep 17 00:00:00 2001
From: Jack
Date: Wed, 14 Jan 2026 12:31:27 +0000
Subject: [PATCH] Replace explicit AWS token with tokenless-OIDC authentication [DI-706]

See:
- https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws
- [ADR](https://hazelcast.atlassian.net/wiki/spaces/EN/pages/6645022721/ADR-00089-+Type+2+-Migrate+GitHub+Actions+to+use+tokenless+OIDC+authentication)
- [reference `hazelcast-docker` implementation](https://github.com/hazelcast/hazelcast-docker/pull/1197)

Fixes: [DI-706](https://hazelcast.atlassian.net/browse/DI-706)
---
 .github/workflows/coverage_runner.yml | 5 +++--
 .github/workflows/nightly_runner.yml | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/coverage_runner.yml b/.github/workflows/coverage_runner.yml
index 9a35f67c79..8c3685b66b 100644
--- a/.github/workflows/coverage_runner.yml
+++ b/.github/workflows/coverage_runner.yml
@@ -35,6 +35,8 @@ jobs:
 
   run-tests:
     runs-on: ${{ matrix.os }}
+    permissions:
+      id-token: write
     needs: [check_for_membership, python-versions]
     if: github.event_name == 'push' || needs.check_for_membership.outputs.check-result == 'true' || github.event_name == 'workflow_dispatch'
     name: Run tests with Python ${{ matrix.python-version }} on ${{ matrix.os }}
@@ -78,8 +80,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_HAZELCAST_OIDC_GITHUB_ACTIONS_ROLE_ARN }}
           aws-region: 'us-east-1'
 
       - name: Get Secrets
diff --git a/.github/workflows/nightly_runner.yml b/.github/workflows/nightly_runner.yml
index 18378de104..c35f8bf6a9 100644
--- a/.github/workflows/nightly_runner.yml
+++ b/.github/workflows/nightly_runner.yml
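Review bot: A job-level `permissions:` map that lists only `id-token: write` resets every other GITHUB_TOKEN scope of `run-tests` to `none`, including `contents`; if this job checks out the repository (its `steps:` are outside the hunk) checkout may lose read access, and the GitHub OIDC-to-AWS guide linked in the description pairs the scope with `contents: read`. I would write the block as `permissions:` / `id-token: write` / `contents: read`, with a short comment such as `# id-token: write lets the job request the OIDC token that configure-aws-credentials exchanges for the role`. The same applies to the `@@ -10,6 +10,8 @@` hunk of nightly_runner.yml. Dropping the remaining token scopes to `none` is otherwise the right direction; note the added scope applies to every matrix leg of the job.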
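Review bot: The new `role-to-assume` line leaves `role-session-name` unset, so every matrix leg of this job assumes the role under the action's default session name and CloudTrail cannot distinguish coverage runs from other callers of the same role; adding `role-session-name: coverage-runner-${{ github.run_id }}` (and the analogous value in the nightly_runner.yml `@@ -34,8 +36,7 @@` hunk) keeps the AssumeRoleWithWebIdentity records attributable. Once these two workflows are the last consumers, the now-unreferenced `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` repository secrets should be deleted and the underlying IAM access key deactivated, otherwise the static credential this change is meant to retire stays live. Which branches, tags or environments may assume the role is decided by the `sub` condition in the role's trust policy, which lives in AWS and cannot be checked from this diff.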
@@ -10,6 +10,8 @@ jobs:
   run-tests:
     needs: python-versions
     runs-on: ${{ matrix.os }}
+    permissions:
+      id-token: write
     name: Run tests with Python ${{ matrix.python-version }} on ${{ matrix.os }}
     strategy:
       matrix:
@@ -34,8 +36,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_HAZELCAST_OIDC_GITHUB_ACTIONS_ROLE_ARN }}
           aws-region: 'us-east-1'
       - name: Get Secrets
         uses: aws-actions/aws-secretsmanager-get-secrets@v2