From 98c1958beede50402e4558f60398bffb0bcf47ea Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Wed, 22 Oct 2025 14:40:51 +0200
Subject: [PATCH] Use OIDC when pushing images to ECR in Flowforge build and deploy
---
 .github/workflows/flowforge-container.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/flowforge-container.yml b/.github/workflows/flowforge-container.yml
index 834d2ef6..6ad3d8e3 100644
--- a/.github/workflows/flowforge-container.yml
+++ b/.github/workflows/flowforge-container.yml
@@ -30,7 +30,7 @@ concurrency:
 jobs:
 build:
 name: Build single-architecture container images
- uses: flowfuse/github-actions-workflows/.github/workflows/build_container_image.yml@v0.42.0
+ uses: flowfuse/github-actions-workflows/.github/workflows/build_container_image.yml@v0.43.0
 with:
 image_name: 'forge-k8s'
 package_dependencies: |
@@ -47,7 +47,7 @@ jobs:
 if: github.ref_name == 'main'
 name: Upload image to staging registry
 needs: build
- uses: flowfuse/github-actions-workflows/.github/workflows/deploy_container_image.yml@v0.42.0
+ uses: flowfuse/github-actions-workflows/.github/workflows/deploy_container_image.yml@v0.43.0
 with:
 environment: stage
 service_name: 'forge-k8s'
@@ -55,9 +55,9 @@ jobs:
 container_name: forge
 deploy: false
 image: ${{ needs.build.outputs.image }}
+ aws_ecr_iam_role_name: ECR_push_pull_images
 secrets:
- aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws_secret_access_key: ${{ secrets.AWS_ACCESS_KEY_SECRET }}
+ aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
 temporary_registry_token: ${{ secrets.GITHUB_TOKEN }}
 eks_cluster_name: ${{ secrets.EKS_CLUSTER_NAME }}
 
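Review bot: No `id-token: write` grant is visible for this job, and a called workflow cannot hold more token permissions than its caller, so unless it is set at workflow level outside the lines shown, the OIDC exchange in `deploy_container_image.yml` may fail. If it has to be added, a job-level `permissions:` block keeps it away from the `build` job, but it must also list the scopes the called workflow already relies on. With the static keys removed, the trust policy of `ECR_push_pull_images` is the only gate on the role, so it should pin `token.actions.githubusercontent.com:sub` to this repository and its `main` ref or deployment environment; that policy is outside this diff and worth confirming. The production job in the `-73,9` hunk passes the same role name and the same `AWS_ACCOUNT_ID` secret, so stage and production appear to share one push-capable role, which is worth splitting if the registries differ. The job definition begins above this hunk, and the now-unused `AWS_ACCESS_KEY_ID` / `AWS_ACCESS_KEY_SECRET` secrets and the access key behind them should be revoked once nothing else references them.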
@@ -65,7 +65,7 @@ jobs:
 if: github.ref_name == 'main'
 name: Upload image to production registry
 needs: build
- uses: flowfuse/github-actions-workflows/.github/workflows/deploy_container_image.yml@v0.42.0
+ uses: flowfuse/github-actions-workflows/.github/workflows/deploy_container_image.yml@v0.43.0
 with:
 environment: production
 service_name: 'forge-k8s'
@@ -73,9 +73,9 @@ jobs:
 container_name: forge
 deploy: false
 image: ${{ needs.build.outputs.image }}
+ aws_ecr_iam_role_name: ECR_push_pull_images
 secrets:
- aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws_secret_access_key: ${{ secrets.AWS_ACCESS_KEY_SECRET }}
+ aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
 temporary_registry_token: ${{ secrets.GITHUB_TOKEN }}
 eks_cluster_name: ${{ secrets.EKS_CLUSTER_NAME }}