From df9c7450bf8dd309a16d534672b97936bdc81874 Mon Sep 17 00:00:00 2001
From: Michael Zampani <michael.zampani@docker.com>
Date: Fri, 29 May 2026 23:07:27 -0700
Subject: [PATCH] feat(e2e): replace AWS_ACCESS_KEY_ID secrets with OIDC role
 assumption

Adds aws-role-to-assume input to .e2e-run.yml. Adds configure-aws-credentials
step (pinned SHA, with role-session-name) before the Login to Registry step,
conditioned on ECR registry detection. Updates e2e.yml to pass the OIDC role
ARN and remove AWS secrets from the matrix credential expressions.

Role: arn:aws:iam::175142243308:role/official_gha_cicd
Action: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/.e2e-run.yml | 15 +++++++++++++++
 .github/workflows/e2e.yml      |  5 +++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/.e2e-run.yml b/.github/workflows/.e2e-run.yml
index 995755a..1a2f9a4 100644
--- a/.github/workflows/.e2e-run.yml
+++ b/.github/workflows/.e2e-run.yml
@@ -22,6 +22,10 @@ on:
       slug:
         required: false
         type: string
+      aws-role-to-assume:
+        required: false
+        type: string
+        description: "IAM role ARN to assume via OIDC for ECR authentication. When set, configure-aws-credentials runs before registry login."
     secrets:
       registry_username:
         required: false
@@ -36,6 +40,9 @@ env:
 jobs:
   run:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -111,6 +118,14 @@ jobs:
           driver-opts: |
             image=${{ matrix.buildkit_image }}
             network=host
+      -
+        name: Configure AWS credentials
+        if: inputs.aws-role-to-assume != '' && (contains(inputs.registry, '.ecr.') || inputs.registry == 'public.ecr.aws')
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+        with:
+          role-to-assume: ${{ inputs.aws-role-to-assume }}
+          aws-region: us-east-1
+          role-session-name: gha-build-push-action-e2e-${{ github.run_id }}-${{ github.run_attempt }}
       -
         name: Login to Registry
         if: github.event_name != 'pull_request' && (inputs.type == 'remote' || env.REGISTRY_USER != '')
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 791a196..dfb1c8d 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -2,6 +2,7 @@ name: e2e
 
 permissions:
   contents: read
+  id-token: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -99,14 +100,15 @@ jobs:
       name: ${{ matrix.name }}
       registry: ${{ matrix.registry }}
       slug: ${{ matrix.slug }}
+      aws-role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd
     secrets:
       # Pass only the two secrets needed by each matrix entry.
+      # AWS ECR entries use OIDC via aws-role-to-assume instead of static keys.
       registry_username: >-
         ${{
           matrix.auth == 'dockerhub' && secrets.DOCKERHUB_USERNAME ||
           matrix.auth == 'ghcr' && secrets.GHCR_USERNAME ||
           matrix.auth == 'gitlab' && secrets.GITLAB_USERNAME ||
-          matrix.auth == 'aws' && secrets.AWS_ACCESS_KEY_ID ||
           matrix.auth == 'gar' && secrets.GAR_USERNAME ||
           matrix.auth == 'acr' && secrets.AZURE_CLIENT_ID ||
           matrix.auth == 'quay' && secrets.QUAY_USERNAME ||
@@ -118,7 +120,6 @@ jobs:
           matrix.auth == 'dockerhub' && secrets.DOCKERHUB_TOKEN ||
           matrix.auth == 'ghcr' && secrets.GHCR_PAT ||
           matrix.auth == 'gitlab' && secrets.GITLAB_TOKEN ||
-          matrix.auth == 'aws' && secrets.AWS_SECRET_ACCESS_KEY ||
           matrix.auth == 'gar' && secrets.GAR_JSON_KEY ||
           matrix.auth == 'acr' && secrets.AZURE_CLIENT_SECRET ||
           matrix.auth == 'quay' && secrets.QUAY_TOKEN ||