
feat(ci): use OIDC role for maven publish DEVOPS-1455#1059

Open

ShahzebMahmood wants to merge 1 commit into master from feat/wave-maven-oidc-DEVOPS-1455
Open

Conversation

@ShahzebMahmood

Contributor

Summary

  • Swaps the maven publish in build.yml's Release step from static TOWER_CI_AWS_* keys to OIDC role assumption.
  • Assumes arn:aws:iam::195996028523:role/WaveMavenPublisherRole (created in seqeralabs/infrastructure#1549, already applied). Role is scoped tightly to s3://maven.seqera.io/releases/* and trusts only seqeralabs/wave:ref:refs/heads/master.
  • Drops the unset AWS_SESSION_TOKEN hack (no longer needed — session token is now intentional and matches the role's region).
  • Removes AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY env vars from the Release step.

The TOWER_CI_AWS_* GHA secrets stay in place for now — they're still used by the Tests step (make check) and the legacy ECR docker login. Those are separate consumers and out of scope.

DEVOPS-1455
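As an added illustration (not code from this PR or from the seqeralabs repositories), the Python below models how STS evaluates a role's trust-policy condition against the claims in a GitHub Actions OIDC token; the condition block is an assumption modelled on the description above, and the token claims are constructed. GitHub's `sub` claim for a branch push has the form `repo:<owner>/<repo>:ref:refs/heads/<branch>`, so the `repo:` prefix is part of what the trust policy must match.

```python
import re

OIDC_ISSUER = "token.actions.githubusercontent.com"

# ASSUMED trust-policy condition, modelled on the PR description (trust only
# seqeralabs/wave on master). Not the real WaveMavenPublisherRole policy.
# GitHub's sub claim for a branch push is repo:<owner>/<repo>:ref:refs/heads/<branch>.
TRUST_CONDITION = {
    "StringEquals": {
        f"{OIDC_ISSUER}:aud": "sts.amazonaws.com",
        f"{OIDC_ISSUER}:sub": "repo:seqeralabs/wave:ref:refs/heads/master",
    },
}

def _iam_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def can_assume_role(claims: dict, condition: dict = TRUST_CONDITION) -> bool:
    """Return True only if every condition key matches the token's claims.
    Mirrors IAM evaluation: all keys must match, and a missing claim never matches,
    so a token that lacks 'sub' or carries another audience is rejected."""
    for operator, keys in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in keys.items():
            claim = key.split(":", 1)[1]  # "<issuer>:sub" -> "sub"
            actual = claims.get(claim)
            if actual is None:
                return False
            allowed = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals" and actual not in allowed:
                return False
            if operator == "StringLike" and not any(_iam_like(p, actual) for p in allowed):
                return False
    return True

def github_claims(repo: str, ref: str, aud: str = "sts.amazonaws.com") -> dict:
    """Constructed subset of the claims in a GitHub Actions OIDC token for a push to `ref`."""
    return {"iss": f"https://{OIDC_ISSUER}", "aud": aud, "repository": repo,
            "ref": ref, "sub": f"repo:{repo}:ref:{ref}"}

if __name__ == "__main__":
    # A token minted on master passes; one minted on the feature branch does not.
    print(can_assume_role(github_claims("seqeralabs/wave", "refs/heads/master")))  # True
```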

@ShahzebMahmood ShahzebMahmood marked this pull request as ready for review June 2, 2026 10:51
@ShahzebMahmood ShahzebMahmood requested a review from bebosudo June 2, 2026 10:52
@ShahzebMahmood ShahzebMahmood self-assigned this Jun 2, 2026
@ShahzebMahmood

Contributor Author

@claude

claude Bot commented Jun 2, 2026


Claude finished @ShahzebMahmood's task.

Code Review: OIDC Maven Publishing Migration ✅

Todo List:

  • Read and analyze the workflow file changes
  • Review OIDC configuration for security best practices
  • Check credential scope and permissions
  • Verify backwards compatibility considerations
  • Provide comprehensive review feedback

Review Summary

This PR successfully migrates Maven publishing from static AWS credentials to OIDC role assumption. The implementation is secure and well-designed.

Strengths

Security Improvements:

  • Principle of Least Privilege: The WaveMavenPublisherRole is tightly scoped to s3://maven.seqera.io/releases/* only
  • Branch Protection: Role trusts only seqeralabs/wave:ref:refs/heads/master, preventing unauthorized usage from other branches/repos
  • Eliminates Static Credentials: Removes long-lived AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY from the Release step
  • Session Isolation: Uses unique session names (GitHubActions-${{ github.run_id }}-maven-publish) for audit traceability

Implementation Quality:

  • Surgical Change: Only affects Maven publishing while preserving existing authentication for tests and legacy ECR
  • Proper Sequencing: AWS credential configuration happens right before the Release step that needs it (.github/workflows/build.yml:124-130)
  • Clean Removal: Eliminates the unset AWS_SESSION_TOKEN workaround that's no longer needed

Configuration Analysis

OIDC Setup (.github/workflows/build.yml:124-130):

```yaml
- name: Configure AWS credentials for maven publish
  if: "steps.detect-release.outputs.is_release == 'true'"
  uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5
  with:
    aws-region: eu-west-1
    role-to-assume: arn:aws:iam::195996028523:role/WaveMavenPublisherRole
    role-session-name: GitHubActions-${{ github.run_id }}-maven-publish
```

  • ✅ Only runs on release commits
  • ✅ Uses correct AWS region (eu-west-1)
  • ✅ Role ARN matches infrastructure setup
  • ✅ Unique session naming for audit trails

Backward Compatibility

  • Preserved Dependencies: TOWER_CI_AWS_* secrets remain for Tests step and legacy ECR login
  • No Breaking Changes: Other CI consumers (tests, ECR operations) continue using existing authentication
  • Gradual Migration: Allows for phased credential migration across different CI operations

Security Verification

The role configuration (per PR description) provides excellent security boundaries:

  • Scope: Limited to s3://maven.seqera.io/releases/*
  • Trust Policy: Only seqeralabs/wave:ref:refs/heads/master
  • Action Isolation: Separate role from other AWS operations

Minor Observations

  1. Action Version Pinning: Good use of SHA-pinned action versions with ratchet comments for security
  2. Job Permissions: Workflow already has id-token: write permission required for OIDC (.github/workflows/build.yml:36)

Recommendation

APPROVE - This PR implements OIDC authentication correctly with proper security controls and maintains backward compatibility. The migration is well-scoped and reduces the attack surface by eliminating static credentials for Maven publishing.
