chore: fix packaging workflow (#805)

* fix: token permission in package workflow conflicting with unit tests

* change secret arn and role to assume in package workflow

---------

Co-authored-by: Tom Keller <[email protected]>

.github/workflows/package.yml

@@ -6,6 +6,7 @@ on:
       - main
     paths-ignore:
       - 'dist/**'
+  workflow_dispatch:
 
 jobs:
   package:
@@ -30,15 +31,15 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v3
         with:
           aws-region: us-west-2
-          role-to-assume: ${{ secrets.SECRETS_AWS_ROLE_TO_ASSUME }}
+          role-to-assume: ${{ secrets.SECRETS_AWS_PACKAGING_ROLE_TO_ASSUME }}
           role-duration-seconds: 900
           role-session-name: SecretsManagerFetch
       - name: Get bot user token
         uses: aws-actions/aws-secretsmanager-get-secrets@v1
         with:
           parse-json-secrets: true
           secret-ids: |
-            OSDS,arn:aws:secretsmanager:us-west-2:294535624312:secret:github-aws-sdk-osds-automation-ZHNalp
+            OSDS,arn:aws:secretsmanager:us-west-2:206735643321:secret:github-aws-sdk-osds-automation-gebs9n
       - name: Commit
         run: |
           echo "::add-mask::${{ env.OSDS_ACCESS_TOKEN }}"

test/index.test.ts

@@ -508,6 +508,7 @@ describe('Configure AWS Credentials', () => {
   });
 
   test('GH OIDC check fails if token is not set', async () => {
+    process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] = undefined;
     process.env['GITHUB_ACTIONS'] = 'true';
     jest.spyOn(core, 'getInput').mockImplementation(
       mockGetInput({
@@ -528,6 +529,7 @@ describe('Configure AWS Credentials', () => {
   });
 
   test('Assume role with existing credentials if nothing else set', async () => {
+    process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN'] = undefined;
     process.env['AWS_ACCESS_KEY_ID'] = FAKE_ACCESS_KEY_ID;
     process.env['AWS_SECRET_ACCESS_KEY'] = FAKE_SECRET_ACCESS_KEY;
     jest.spyOn(core, 'getInput').mockImplementation(