ci: fix quickstart files upload

[bzp2010]

Summary by CodeRabbit

• Chores
  • Improved CI/CD security by switching to token-based role assumption for deployments, adding scoped identity-token permissions, and clarifying checkout steps in workflows to make authentication and provenance more explicit.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1bed4efa-f019-4645-9fed-6d353167f0ec

📥 Commits

Reviewing files that changed from the base of the PR and between 38ac92f and b0727a0.

📒 Files selected for processing (1)

• .github/workflows/docker.yaml

---

📝 Walkthrough

Walkthrough

The pull request updates the GitHub Actions Docker workflow (.github/workflows/docker.yaml) to switch the publish-quickstart job from static AWS keys to OIDC role assumption (role-to-assume) and adds id-token: write permission; it also adds explicit name: Checkout code steps (including in verify).

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow .github/workflows/docker.yaml	publish-quickstart: removed aws-access-key-id / aws-secret-access-key, added role-to-assume: ${{ secrets.AWS_QUICKSTART_ROLE }} and jobs.publish-quickstart.permissions.id-token: write. Replaced anonymous actions/checkout steps with name: Checkout code in publish-quickstart and verify.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰
I hopped from keys to OIDC air,
A role to trust — light as a hare.
Checkout named, permissions set,
My quickstart leaps without regret.
🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: fixing CI workflow configuration for quickstart files upload by switching to OIDC-based AWS authentication.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch bzp/ci-fix-quickstart-provision

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/docker.yaml:
- Around line 72-82: The `test` GitHub Actions job only configures AWS
credentials via the
aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
step but performs no actions; either add a verification step (e.g., run `aws sts
get-caller-identity`) to validate OIDC/assumed-role access, or rename the job to
indicate it's purely credential setup, or remove the job if it was temporary.
Locate the job named `test` and modify its `steps` after the Configure AWS
credentials step to include a verification `run` step that exercises the AWS CLI
(or drop/rename the job) so the workflow actually uses the configured
credentials.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b5d9a610-659c-43fd-b536-4f9fefd63cb9

📥 Commits

Reviewing files that changed from the base of the PR and between 30d3ca8 and 38ac92f.

📒 Files selected for processing (1)

• .github/workflows/docker.yaml