From 4dbe2a6fd0baffa137fb2f7619d4520d418358dd Mon Sep 17 00:00:00 2001
From: Neel Shah
Date: Thu, 14 May 2026 12:50:30 -0700
Subject: [PATCH 1/2] Replace static credentials with OIDC in docker publish workflow
---
 .github/workflows/docker_publish.yml | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml
index 8fbd5e49..89eb7add 100644
--- a/.github/workflows/docker_publish.yml
+++ b/.github/workflows/docker_publish.yml
@@ -19,18 +19,15 @@ jobs:
 build-and-push-image:
 runs-on: ubuntu-latest
 permissions:
+ id-token: write
 contents: read
- packages: write
-
 steps:
 - name: Checkout
 uses: actions/checkout@v3
 - name: Get package version
- uses: tyankatsu0105/read-package-version-actions@v1
- with:
- path: "./src/graph_notebook/widgets"
 id: package-version
+ run: echo "version=$(jq -r .version ./src/graph_notebook/widgets/package.json)" >> $GITHUB_OUTPUT
 - name: Get image tag
 id: get-image-tag
@@ -46,14 +43,10 @@ jobs:
 fi
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ECR }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ECR }}
+ role-to-assume: arn:aws:iam::967107632117:role/graph-notebook-ecr-publish
 aws-region: us-east-1
- role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME_ECR }}
- role-duration-seconds: 3600
- role-session-name: NotebookImageUpdate
 - name: Login to Amazon ECR
 id: login-ecr-public
From 44385ab13efcf6869bda8a6064f5b6aec4e269e6 Mon Sep 17 00:00:00 2001
From: Neel Shah
Date: Mon, 18 May 2026 16:53:43 -0700
Subject: [PATCH 2/2] Update OIDC role to ECR repository account
---
 .github/workflows/docker_publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
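Review bot: The new `run:` line in the "Get package version" step can write an empty or literal `null` version to the step output without failing: `jq` runs inside a command substitution, so the exit status the shell's `-e` sees is that of `echo`, whereas the replaced action would have failed the step when the file was unreadable. Since the later image-tag step consumes this output, capture the value first so a missing file or missing `.version` key aborts the job: `run: |` / `version=$(jq -er .version ./src/graph_notebook/widgets/package.json)` / `echo "version=${version}" >> "$GITHUB_OUTPUT"` (`jq -e` exits non-zero when the result is null, and the assignment propagates that status under `-e`). Quoting `"$GITHUB_OUTPUT"` also matches the documented form. This presumably relies on `jq` being preinstalled on `ubuntu-latest`, which is the case today but worth a comment on the step. The `steps:` list and the `get-image-tag` step continue outside the hunk.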
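Review bot: The SHA pin on `uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a` carries no comment naming the release it corresponds to, so a reader cannot tell which version runs or whether the pin is stale; add the tag as a trailing comment, `uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # <release tag this SHA corresponds to>`, which is also the form Dependabot uses to keep SHA pins current. Dropping `role-session-name: NotebookImageUpdate` means the assumed-role session name falls back to the action's default, which makes CloudTrail records for the ECR push harder to attribute to this workflow; keeping `role-session-name: NotebookImageUpdate` under `with:` costs nothing. It is also inconsistent that `actions/checkout@v3` in the previous hunk stays on a mutable tag while this step is SHA-pinned, given the commit's purpose. The `steps:` list continues outside the hunk.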
diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml
index 89eb7add..3ac54905 100644
--- a/.github/workflows/docker_publish.yml
+++ b/.github/workflows/docker_publish.yml
@@ -45,7 +45,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a
 with:
- role-to-assume: arn:aws:iam::967107632117:role/graph-notebook-ecr-publish
+ role-to-assume: arn:aws:iam::344822624926:role/graph-notebook-ecr-publish
 aws-region: us-east-1
 - name: Login to Amazon ECR