From 016175b769738a3c3c86848754d06f6b459aabd4 Mon Sep 17 00:00:00 2001
From: Alexander Amiri <alexander.amiri@piano.io>
Date: Fri, 13 Mar 2026 23:37:38 +0100
Subject: [PATCH] Pin configure-aws-credentials to v5 for ci-infra role

v6 breaks OIDC AssumeRoleWithWebIdentity on the ci-infra role (main-only
trust condition). The ci-infra-plan role (any-ref) works fine with v6,
so only the apply and drift jobs are pinned back.
---
 .github/workflows/platform-ci.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/platform-ci.yml b/.github/workflows/platform-ci.yml
index fa22973..59b6b80 100644
--- a/.github/workflows/platform-ci.yml
+++ b/.github/workflows/platform-ci.yml
@@ -152,7 +152,8 @@ jobs:
           terraform_version: "1.7"
           terraform_wrapper: false
 
-      - uses: aws-actions/configure-aws-credentials@v6
+      # Pinned to v5 — v6 breaks OIDC AssumeRoleWithWebIdentity for this role
+      - uses: aws-actions/configure-aws-credentials@v5
         with:
           role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra
           aws-region: ${{ env.AWS_REGION }}
@@ -200,7 +201,8 @@ jobs:
           terraform_version: "1.7"
           terraform_wrapper: false
 
-      - uses: aws-actions/configure-aws-credentials@v6
+      # Pinned to v5 — v6 breaks OIDC AssumeRoleWithWebIdentity for this role
+      - uses: aws-actions/configure-aws-credentials@v5
         with:
           role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra
           aws-region: ${{ env.AWS_REGION }}