From 08b1d3798269fe0b96c1f103fb63bb9fe86aa2bb Mon Sep 17 00:00:00 2001
From: Claude Code
Date: Sun, 6 Jul 2025 16:38:47 -0400
Subject: [PATCH] Switch from OIDC to access key authentication in deploy-scripts workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Remove id-token write permission
- Replace role-to-assume with aws-access-key-id and aws-secret-access-key
- Remove role-session-name parameter
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 .forgejo/workflows/deploy-scripts.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.forgejo/workflows/deploy-scripts.yml b/.forgejo/workflows/deploy-scripts.yml
index 6c85ec7..a7ee442 100644
--- a/.forgejo/workflows/deploy-scripts.yml
+++ b/.forgejo/workflows/deploy-scripts.yml
@@ -9,7 +9,6 @@ on:
 workflow_dispatch:
 permissions:
- id-token: write
 contents: write
 pull-requests: write
@@ -21,12 +20,12 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
- - name: Configure AWS credentials using OIDC
+ - name: Configure AWS credentials using access keys
 uses: aws-actions/configure-aws-credentials@v4
 with:
- role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: ${{ secrets.AWS_REGION }}
- role-session-name: icewatch-deploy-scripts
 - name: Upload deployment script to S3
 run: |
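Review bot: The `with:` block of the "Configure AWS credentials using access keys" step now authenticates with a long-lived IAM user key pair (`AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`) instead of a short-lived federated session. A leak of those two secrets therefore stays usable until the key is rotated, and dropping `role-session-name` removes the per-workflow session name from CloudTrail. The commit does not say why OIDC was dropped; if it is simply unavailable on this runner, the action accepts static keys together with a role. Keeping `role-to-assume: ${{ secrets.AWS_ROLE_ARN }}` and `role-session-name: icewatch-deploy-scripts` next to the two key inputs would let the IAM user hold only `sts:AssumeRole` (with the role's trust policy updated to match) while the S3 upload runs on temporary credentials. Both `uses:` lines reference a mutable `@v4` tag, and the job continues past the end of the hunk, so pinning the credential action to a full commit SHA and checking that later steps do not echo the keys are both worth doing now that a static secret is passed in.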