fix(gh-pages): use gha-s3-frontend-push role for build-artifacts upload (#436)

maiquanghiep · claude · web-flow · commit d55298db682c · 2026-05-06T18:51:05.000+09:00
* security: migrate from vulnerable gha-deployment to secure role * fix(gh-pages): use gha-s3-frontend-push role for build-artifacts upload The deployment role is read-only on build-artifact buckets by design; PutObject is denied. Switch to gha-s3-frontend-push, which grants write on artifact buckets (and intentionally omits DeleteObject to prevent artifact tampering). Requires babylonlabs-io/terraform#235 to be applied first so the push role's trust policy permits this repo. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
@@ -74,8 +74,8 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 https://github.com/aws-actions/configure-aws-credentials/releases/tag/v4.3.1
         with:
-          role-to-assume: arn:aws:iam::${{ matrix.account }}:role/gha-s3-frontend-deployment
-          role-session-name: gha-s3-frontend-deployment
+          role-to-assume: arn:aws:iam::${{ matrix.account }}:role/gha-s3-frontend-push
+          role-session-name: gha-s3-frontend-push
           aws-region: ${{ vars.AWS_ECR_REGION }}
 
       # Upload to S3
