PR Custody

PRPR Custody

ci: switch proxy deploy from static AWS keys to GitHub OIDC

@alanbraulio-plankchecks n/achecks…mcpg-243-oidc-deploy → main1 files · +4 −3updated 14h ago

GitHub

▸Description· 2 comments · 3 noise

Summary

Replace long-lived IAM access keys with GitHub Actions OIDC federation for the proxy ECS deploy workflow
Each CI run now gets short-lived (1h) STS credentials via role assumption instead of static keys in GitHub Secrets
Addresses the credential exfiltration risk identified in the security sweep (Fix 1)

What changed

Added id-token: write permission to the workflow
Replaced aws-access-key-id/aws-secret-access-key with role-to-assume pointing to the new OIDC role

IAM setup (done out-of-band via AWS CLI)

Created OIDC identity provider for token.actions.githubusercontent.com
Created IAM role github-actions-deploy-proxy with trust policy scoped to ComposioHQ/composio-enterprise on refs/heads/main
Role permissions are identical to the existing deploy-proxy-ecs policy (ECR push, ECS task def, ECS service update, IAM PassRole)

Test plan

Merge to main and trigger workflow_dispatch
Verify OIDC role assumption succeeds (no static key usage)
Verify ECR push, ECS task def registration, ECS service update, health check pass
After success: remove AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from GitHub Secrets
After 48h: deactivate and delete IAM user github-actions-deploy

Rollback

Old IAM user and static keys remain active until cleanup step. If OIDC fails, revert this PR and the deploy will use the existing keys.

Closes MCPG-243

@alanbraulio-plank14h ago

@codex review

@chatgpt-codex-connector[bot]agent14h ago

Codex Review: Didn't find any major issues. Delightful!

Reviewed commit: b21a06511b

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

▸ 3 bot/status comments hidden

@linear-code[bot]14h ago

Priority: P1 (week 1) · Effort: S · Type: ops · (Missed by the original sweep)

Why: The latest commit swapped OIDC federation for long-lived static AWS access keys in CI — the opposite of post-incident hygiene (the breach was credential exfiltration).

Evidence: commit 31f1ea9 ci: switch proxy deploy from OIDC to access key auth; .github/workflows/deploy-proxy-aws.yml.

Fix: Restore aws-actions/configure-aws-credentials with role-to-assume + OIDC; delete the static keys from GitHub secrets and IAM.

Acceptance: Deploy uses short-lived assumed-role creds; no static AWS keys in CI or IAM.

@vercel[bot]14h ago

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
composio-enterprise-internal	Error		Jun 12, 2026 6:26pm

@vercel[bot]14h ago

loading diff…