Currently we use two org/repo-level secrets to manage access to AWS Secrets Manager for the equivalent of the SANDPAPER_WORKFLOW token.
A new formal OIDC support beta feature has been rolled out in public preview which would allow us to use proper short-lived tokens per workflow instead of manually regenerated PATs per month. This may be useful for repo-scoped properties to control behaviour, instead of the current access levels per singular carpentries-bot PAT.