From 164721c8f56a032bcd5a759491804a6857a599c6 Mon Sep 17 00:00:00 2001
From: Michael Marchetti
Date: Tue, 28 Jun 2022 11:48:12 -0400
Subject: [PATCH 1/2] switch docs from AWSID/secret to a role
---
 .github/workflows/main.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 08aa4dd1..fcab8844 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -123,8 +123,7 @@ jobs:
 - if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') && (contains(github.ref, 'b') == false)
 uses: aws-actions/configure-aws-credentials@v1
 with:
- aws-access-key-id: ${{ secrets.DOCS_AWS_ID }}
- aws-secret-access-key: ${{ secrets.DOCS_AWS_SECRET }}
+ role-to-assume: ${{ secrets.DOCS_AWS_ROLE }}
 aws-region: us-east-1
 - if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') && (contains(github.ref, 'b') == false)
 run: make promote-docs-in-s3
From c6ea3d8e1b5da44fb182a663c7f3fba1fc3c1e08 Mon Sep 17 00:00:00 2001
From: Michael Marchetti
Date: Wed, 6 Jul 2022 10:01:38 -0400
Subject: [PATCH 2/2] add permissions for docs role
---
 .github/workflows/main.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index fcab8844..e87908e3 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -9,6 +9,9 @@ on:
 types: [rsconnect_python_latest]
 env:
 DOCKER_TTY_FLAGS: ''
+permissions:
+ id-token: write
+ contents: write
 jobs:
 test:
 strategy:
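Review bot: The step that now assumes `DOCS_AWS_ROLE` still references `aws-actions/configure-aws-credentials@v1` by a mutable tag, and after this change that action is what requests the job's OIDC token and exchanges it for AWS credentials; pinning it to a reviewed full commit SHA (`uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v1`) keeps a retagged release from running with that token. The tag-only `if:` guard on the step is a workflow-side condition, not an AWS-side control, so the role's trust policy (not visible in this patch) should restrict the `token.actions.githubusercontent.com:sub` claim to this repository's tag refs and the `aud` claim to `sts.amazonaws.com`. Adding `role-session-name` and a short `role-duration-seconds` under `with:` would make the session attributable in CloudTrail and bound its lifetime. The job and step list this hunk belongs to begin and end outside the hunk.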
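Review bot: The `permissions:` block is added at workflow level, so `id-token: write` and `contents: write` apply to every job, including `test`, while only the docs-promotion step changed in the first patch needs an OIDC token. Declaring the block on the job that holds the `configure-aws-credentials` step (its job header is outside both hunks, so it may or may not be `test`) and using `contents: read` there, unless a step really pushes or creates releases, narrows which code can mint a token for the docs role or write to the repository; the job-level block would read `permissions:` with `id-token: write` and `contents: read`. A comment such as `# id-token: write is needed for OIDC role assumption in the docs promotion step` would record why the grant exists. Once `permissions:` is set, every scope not listed drops to `none`, so any job that relied on another default scope needs it listed explicitly.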