switching personal pat token to service pat token

.github/workflows/draft-release.yml

@@ -12,13 +12,31 @@ on:
     branches:
       - release/**
 
+permissions:
+  id-token: write  # Required for OIDC
+  contents: read
+
 jobs:
 
   # Generate new release notes
   update_release_draft:
     runs-on: ubuntu-latest
     steps:
+      - name: Configure AWS Credentials via OIDC
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: arn:aws:iam::730335206644:role/delegatedadmin/developer/qppa-github-actions-role-1
+          aws-region: us-east-1
 
+      - name: Retrieve GitHub service account token from secops account
+        id: get-token
+        run: |
+          SECRET_VALUE=$(aws secretsmanager get-secret-value \
+            --secret-id "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e" \
+            --query SecretString \
+            --output text | jq -r ".GITHUB_TOKEN")
+          echo "::add-mask::$SECRET_VALUE"
+          echo "GITHUB_TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT
       - name: Checkout Codebase
         uses: actions/checkout@v2
         with:
@@ -41,4 +59,4 @@ jobs:
           version: v${{ steps.package-version.outputs.current-version }}
           tag: v${{ steps.package-version.outputs.current-version }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.get-token.outputs.GITHUB_TOKEN }}

.github/workflows/publish-artifacts.yml

@@ -9,7 +9,7 @@ on:
   workflow_dispatch:
   release:
     types: [ published ]
-    
+
 permissions:
   id-token: write  # Required for OIDC
   contents: read
@@ -18,6 +18,21 @@ jobs:
   publish-npm:
     runs-on: ubuntu-latest
     steps:
+      - name: Configure AWS Credentials via OIDC
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: arn:aws:iam::730335206644:role/delegatedadmin/developer/qppa-github-actions-role-1
+          aws-region: us-east-1
+
+      - name: Retrieve GitHub service account token from secops account
+        id: get-token
+        run: |
+          SECRET_VALUE=$(aws secretsmanager get-secret-value \
+            --secret-id "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e" \
+            --query SecretString \
+            --output text | jq -r ".GITHUB_TOKEN")
+          echo "::add-mask::$SECRET_VALUE"
+          echo "GITHUB_TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT
       - uses: actions/checkout@v6
 
       - uses: actions/setup-node@v6
@@ -45,11 +60,10 @@ jobs:
         id: pr
         uses: peter-evans/create-pull-request@45c510e1f68ba052e3cd911f661a799cfb9ba3a3 #v3.6.0
         with:
-          token: ${{ secrets.GH_USER_TOKEN }}
+          token: ${{ steps.get-token.outputs.GITHUB_TOKEN }}
           commit-message: Backfill ${{ github.event.release.repository.default_branch }} with release tag ${{ github.event.release.tag_name }}
           title: Backfill master -  ${{github.event.release.tag_name}}
           branch: feature/merge_release_${{github.event.release.tag_name}}
           base: ${{ github.event.release.repository.default_branch}}
           body: |
             Auto generated pull request to backfill `${{ github.event.release.tag_name }} into ${{ github.event.release.repository.default_branch }}`.
-

.github/workflows/quality-checks.yml

@@ -10,12 +10,30 @@ on:
     types:
       - completed
 
+permissions:
+  id-token: write  # Required for OIDC
+  contents: read
+
 jobs:
   perform-quality-checks:
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.event == 'pull_request' }}
 
     steps:
+      - name: Configure AWS Credentials via OIDC
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: arn:aws:iam::730335206644:role/delegatedadmin/developer/qppa-github-actions-role-1
+          aws-region: us-east-1
+      - name: Retrieve GitHub service account token from secops account
+        id: get-token
+        run: |
+          SECRET_VALUE=$(aws secretsmanager get-secret-value \
+            --secret-id "arn:aws:secretsmanager:us-east-1:863249929524:secret:qpp/qppa/github/token/automation-bhLO2e" \
+            --query SecretString \
+            --output text | jq -r ".GITHUB_TOKEN")
+          echo "::add-mask::$SECRET_VALUE"
+          echo "GITHUB_TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT
 
       - name: Checkout Codebase
         uses: actions/checkout@v2
@@ -26,7 +44,7 @@ jobs:
       - name: Download Coverage Artifacts
         uses: dawidd6/action-download-artifact@891cccee4b25d3306cf5edafa174ddc1d969871f
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.get-token.outputs.GITHUB_TOKEN }}
           workflow: ${{ github.event.workflow_run.workflow_id }}
           commit: ${{ github.event.workflow_run.head_commit.id }}
           name: coverage
@@ -37,9 +55,8 @@ jobs:
         uses: 5monkeys/cobertura-action@67ec5c1b5ee78e49d22300126df88761ca6a7031 # pin @v7
         with:
           path: coverage/cobertura-coverage.xml
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          repo_token: ${{ steps.get-token.outputs.GITHUB_TOKEN }}
           only_changed_files: ${{github.base_ref != null}}
           show_line: true
           show_branch: true
           minimum_coverage: 90
-