From 2f368822bca4ca7c9bd91ad15ac6fa98df355fc0 Mon Sep 17 00:00:00 2001
From: Tom Keller <1083460+kellertk@users.noreply.github.com>
Date: Fri, 25 Jul 2025 15:08:17 -0700
Subject: [PATCH] update workflow file ARNs (#1403)

---
 .github/workflows/automerge-approved-prs.yml | 2 +-
 .github/workflows/dependabot-autoapprove.yml | 6 +++---
 .github/workflows/package-dist.yml           | 2 +-
 .github/workflows/release-please.yml         | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/automerge-approved-prs.yml b/.github/workflows/automerge-approved-prs.yml
index d0d6ade..969a204 100644
--- a/.github/workflows/automerge-approved-prs.yml
+++ b/.github/workflows/automerge-approved-prs.yml
@@ -24,7 +24,7 @@ jobs:
         with:
           parse-json-secrets: true
           secret-ids: |
-            OSDS,arn:aws:secretsmanager:us-west-2:206735643321:secret:github-aws-sdk-osds-automation-gebs9n
+            ${{ secrets.OSDS_PACKAGING_ROLE }}
       - name: Enable PR automerge
         run: gh pr merge --auto --squash "$PR_URL"
         env:
diff --git a/.github/workflows/dependabot-autoapprove.yml b/.github/workflows/dependabot-autoapprove.yml
index f64f1f0..4245c68 100644
--- a/.github/workflows/dependabot-autoapprove.yml
+++ b/.github/workflows/dependabot-autoapprove.yml
@@ -1,5 +1,5 @@
 name: Dependabot auto-approve
-on: 
+on:
   pull_request:
   workflow_dispatch:
 
@@ -21,14 +21,14 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: us-west-2
-          role-to-assume: arn:aws:iam::206735643321:role/ConfigureAwsCredentialsPackageRole
+          role-to-assume: ${{ secrets.SECRETS_AWS_PACKAGING_ROLE_TO_ASSUME }}
           role-duration-seconds: 900
       - name: Get bot user token
         uses: aws-actions/aws-secretsmanager-get-secrets@v2
         with:
           parse-json-secrets: true
           secret-ids: |
-            OSDS,arn:aws:secretsmanager:us-west-2:206735643321:secret:github-aws-sdk-osds-automation-gebs9n
+            ${{ secrets.OSDS_PACKAGING_ROLE }}
       - name: Approve PR if not already approved
         run: |
           gh pr checkout "$PR_URL"
diff --git a/.github/workflows/package-dist.yml b/.github/workflows/package-dist.yml
index 6ca6924..695ca3a 100644
--- a/.github/workflows/package-dist.yml
+++ b/.github/workflows/package-dist.yml
@@ -39,7 +39,7 @@ jobs:
         with:
           parse-json-secrets: true
           secret-ids: |
-            OSDS,arn:aws:secretsmanager:us-west-2:206735643321:secret:github-aws-sdk-osds-automation-gebs9n
+            ${{ secrets.OSDS_PACKAGING_ROLE }}
       - name: Commit
         run: |
           echo "::add-mask::${{ env.OSDS_ACCESS_TOKEN }}"
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 3c03599..1d25122 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -32,7 +32,7 @@
           with:
             parse-json-secrets: true
             secret-ids: |
-              OSDS,arn:aws:secretsmanager:us-west-2:206735643321:secret:github-aws-sdk-osds-automation-gebs9n
+              ${{ secrets.OSDS_PACKAGING_ROLE }}
 
         - name: Run release-please
           uses: googleapis/release-please-action@v4