ci: assume role with GitHub OIDCProvider from workflow

- needs permission to write id-token and read contents

.github/workflows/deploy.yaml

@@ -63,8 +63,6 @@ jobs:
     with:
       environment: staging
       s3-bucket: staging.deepumohan.com
-    secrets:
-      role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME_STAGING }}
 
   production:
     if: github.ref == 'refs/heads/main'
@@ -73,5 +71,3 @@ jobs:
     with:
       environment: production
       s3-bucket: deepumohan.com
-    secrets:
-      role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME_PRODUCTION }}

.github/workflows/deployment.yaml

@@ -10,9 +10,13 @@ on:
       s3-bucket:
         required: true
         type: string
-    secrets:
-      role-to-assume:
-        required: true
+    # secrets:
+    #   role-to-assume:
+    #     required: true
+
+permissions:
+  id-token: write
+  contents: read
 
 jobs:
   deploy:
@@ -29,9 +33,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-            aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-            aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-            role-to-assume: ${{ secrets.role-to-assume }}
+            role-to-assume: arn:aws:iam::106172881994:role/GitHubActionsRole
             aws-region: eu-west-1
             role-duration-seconds: 1200
             role-session-name: publish-to-s3-action