From 88654e2e10fa14bf90539f6b6c427763068c63d3 Mon Sep 17 00:00:00 2001
From: Jack Green
Date: Thu, 28 May 2026 13:47:31 +0100
Subject: [PATCH] Rescope AWS ARN from `secret` to `var`

The name of the role isn't a `secret`, so storing at such means it's masked logs etc which makes debugging difficult. More specifically, authentication is handled via [OIDC](https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws), on it's own the role does nothing. Instead, it should be rescoped as a `var`.
---
 .github/workflows/promote.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml
index 54d1d35..4b7d5a9 100644
--- a/.github/workflows/promote.yml
+++ b/.github/workflows/promote.yml
@@ -50,7 +50,7 @@ jobs:
 if: inputs.ENVIRONMENT == 'sandbox'
 id: jfrog
 with:
- aws-role-to-assume: ${{ secrets.AWS_HAZELCAST_OIDC_GITHUB_ACTIONS_ROLE_ARN }}
+ aws-role-to-assume: ${{ vars.AWS_HAZELCAST_OIDC_GITHUB_ACTIONS_ROLE_ARN }}
 jfrog-oidc-provider-name: ${{ github.repository_owner }}-snapshot-internal
 - name: Install dependencies
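Review bot: The `vars.AWS_HAZELCAST_OIDC_GITHUB_ACTIONS_ROLE_ARN` reference on the new `aws-role-to-assume` line expands to an empty string when no variable of that name is defined at the repository, organization or environment level, so the variable has to exist before this merges or the `jfrog` step receives an empty role. The commit's reasoning that the ARN is not sensitive rests on the role's trust policy, which is not visible here: it holds only if that policy restricts the `token.actions.githubusercontent.com:sub` claim to this repository (and ideally to a branch or environment), since the ARN and the account ID inside it will now appear unmasked in logs. I would record that above the line, e.g. `# Role ARN is an identifier, not a credential; access is gated by the role's OIDC trust policy.` The step begins above the hunk, so its `uses:` line and the job's `id-token: write` permission cannot be checked from here.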