AVA Dark Factory: Complete OIDC to static AWS keys migration (9 files)
diff --git a/.github/actions/build_deploy_backend/action.yml b/.github/actions/build_deploy_backend/action.yml
index 8983d3c..199865d 100644
--- a/.github/actions/build_deploy_backend/action.yml
+++ b/.github/actions/build_deploy_backend/action.yml
@@ -4,8 +4,11 @@ inputs:
ENVIRONMENT:
description: "Environment to deploy to"
required: true
- AWS_ROLE_ARN:
- description: "ARN of the role to assume"
+ AWS_ACCESS_KEY_ID:
+ description: "AWS Access Key ID"
+ required: true
+ AWS_SECRET_ACCESS_KEY:
+ description: "AWS Secret Access Key"
required: true
GITHUB_SHA:
description: "SHA of the commit"
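Review bot: The descriptions of the new `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` inputs do not say which principal the key belongs to or that the value must come from a secret, which matters more for a long-lived key than for the role ARN they replace. I would write them as `description: "Access key ID of the deploy IAM user; pass from a repository or environment secret, never a literal"` and the equivalent for the secret key. The same wording applies to the matching `inputs:` hunks in the other seven action.yml files. The `inputs:` mapping starts and ends outside the hunk.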
@@ -28,8 +31,8 @@ runs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
- role-session-name: gha-${{ inputs.GITHUB_JOB }}-${{ steps.short-sha.outputs.SHORT_SHA }}
- role-to-assume: ${{ inputs.AWS_ROLE_ARN }}
+ aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-1
- name: Login to Amazon ECR
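Review bot: The `with:` block of the "Configure AWS credentials" step now authenticates directly as a long-lived IAM user and drops both `role-to-assume` and `role-session-name`, so the credentials no longer expire on their own and CloudTrail loses the per-job, per-commit session name. configure-aws-credentials accepts access keys together with a role, so the keys can serve only as source credentials: keep `role-to-assume: ${{ inputs.AWS_ROLE_ARN }}` and `role-session-name: gha-${{ inputs.GITHUB_JOB }}-${{ steps.short-sha.outputs.SHORT_SHA }}`, which means keeping the `AWS_ROLE_ARN` input as well. If the session length was the reason for the change, `role-duration-seconds` addresses that without giving up short-lived credentials. The same applies to the credentials hunk in each of the other seven action.yml files; the `steps:` list continues outside the hunk.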
diff --git a/.github/actions/build_deploy_frontend/action.yml b/.github/actions/build_deploy_frontend/action.yml
index f03bf7d..4bf7f61 100644
--- a/.github/actions/build_deploy_frontend/action.yml
+++ b/.github/actions/build_deploy_frontend/action.yml
@@ -7,8 +7,11 @@ inputs:
NEXT_PUBLIC_API_URL:
description: "API URL to use in the frontend"
required: true
- AWS_ROLE_ARN:
- description: "ARN of the role to assume"
+ AWS_ACCESS_KEY_ID:
+ description: "AWS Access Key ID"
+ required: true
+ AWS_SECRET_ACCESS_KEY:
+ description: "AWS Secret Access Key"
required: true
GITHUB_SHA:
description: "SHA of the commit"
@@ -40,8 +43,8 @@ runs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
- role-session-name: gha-${{ inputs.GITHUB_JOB }}-${{ steps.short-sha.outputs.SHORT_SHA }}
- role-to-assume: ${{ inputs.AWS_ROLE_ARN }}
+ aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-1
- name: Login to Amazon ECR
diff --git a/.github/actions/build_deploy_image_processing_queue_handler/action.yml b/.github/actions/build_deploy_image_processing_queue_handler/action.yml
index 86bed9e..270232d 100644
--- a/.github/actions/build_deploy_image_processing_queue_handler/action.yml
+++ b/.github/actions/build_deploy_image_processing_queue_handler/action.yml
@@ -4,8 +4,11 @@ inputs:
ENVIRONMENT:
description: "Environment to deploy to"
required: true
- AWS_ROLE_ARN:
- description: "ARN of the role to assume"
+ AWS_ACCESS_KEY_ID:
+ description: "AWS Access Key ID"
+ required: true
+ AWS_SECRET_ACCESS_KEY:
+ description: "AWS Secret Access Key"
required: true
GITHUB_SHA:
description: "SHA of the commit"
@@ -28,8 +31,8 @@ runs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
- role-session-name: gha-${{ inputs.GITHUB_JOB }}-${{ steps.short-sha.outputs.SHORT_SHA }}
- role-to-assume: ${{ inputs.AWS_ROLE_ARN }}
+ aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-1
- name: Login to Amazon ECR
diff --git a/.github/actions/build_deploy_kling_video_queue_handler/action.yml b/.github/actions/build_deploy_kling_video_queue_handler/action.yml
index 8bfe5cd..07f5738 100644
--- a/.github/actions/build_deploy_kling_video_queue_handler/action.yml
+++ b/.github/actions/build_deploy_kling_video_queue_handler/action.yml
@@ -1,11 +1,14 @@
-name: "Build and Deploy Backend"
-description: "Build and deploy the backend to AWS ECR and ECS"
+name: "Build and Deploy Kling Video Queue Handler"
+description: "Build and deploy the Kling video queue handler to AWS ECR and ECS"
inputs:
ENVIRONMENT:
description: "Environment to deploy to"
required: true
- AWS_ROLE_ARN:
- description: "ARN of the role to assume"
+ AWS_ACCESS_KEY_ID:
+ description: "AWS Access Key ID"
+ required: true
+ AWS_SECRET_ACCESS_KEY:
+ description: "AWS Secret Access Key"
required: true
GITHUB_SHA:
description: "SHA of the commit"
@@ -28,8 +31,8 @@ runs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
- role-session-name: gha-${{ inputs.GITHUB_JOB }}-${{ steps.short-sha.outputs.SHORT_SHA }}
- role-to-assume: ${{ inputs.AWS_ROLE_ARN }}
+ aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-1
- name: Login to Amazon ECR
diff --git a/.github/actions/build_deploy_nano_banana_image_generation_queue_handler/action.yml b/.github/actions/build_deploy_nano_banana_image_generation_queue_handler/action.yml
index b0cf603..7c0530b 100644
--- a/.github/actions/build_deploy_nano_banana_image_generation_queue_handler/action.yml
+++ b/.github/actions/build_deploy_nano_banana_image_generation_queue_handler/action.yml
@@ -4,8 +4,11 @@ inputs:
ENVIRONMENT:
description: "Environment to deploy to"
required: true
- AWS_ROLE_ARN:
- description: "ARN of the role to assume"
+ AWS_ACCESS_KEY_ID:
+ description: "AWS Access Key ID"
+ required: true
+ AWS_SECRET_ACCESS_KEY:
+ description: "AWS Secret Access Key"
required: true
GITHUB_SHA:
description: "SHA of the commit"
@@ -25,8 +28,8 @@ runs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
- role-session-name: gha-nano-banana-lambda-${{ steps.short-sha.outputs.SHORT_SHA }}
- role-to-assume: ${{ inputs.AWS_ROLE_ARN }}
+ aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-1
- name: Login to Amazon ECR
diff --git a/.github/actions/build_deploy_seedream_image_generation_queue_handler/action.yml b/.github/actions/build_deploy_seedream_image_generation_queue_handler/action.yml
index 39e2fbc..f347996 100644
--- a/.github/actions/build_deploy_seedream_image_generation_queue_handler/action.yml
+++ b/.github/actions/build_deploy_seedream_image_generation_queue_handler/action.yml
@@ -4,8 +4,11 @@ inputs:
ENVIRONMENT:
description: "Environment to deploy to"
required: true
- AWS_ROLE_ARN:
- description: "ARN of the role to assume"
+ AWS_ACCESS_KEY_ID:
+ description: "AWS Access Key ID"
+ required: true
+ AWS_SECRET_ACCESS_KEY:
+ description: "AWS Secret Access Key"
required: true
GITHUB_SHA:
description: "SHA of the commit"
@@ -28,8 +31,8 @@ runs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
- role-session-name: gha-${{ inputs.GITHUB_JOB }}-${{ steps.short-sha.outputs.SHORT_SHA }}
- role-to-assume: ${{ inputs.AWS_ROLE_ARN }}
+ aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-1
- name: Login to Amazon ECR
diff --git a/.github/actions/build_deploy_video_processing_queue_handler/action.yml b/.github/actions/build_deploy_video_processing_queue_handler/action.yml
index 023578c..d0e7d7c 100644
--- a/.github/actions/build_deploy_video_processing_queue_handler/action.yml
+++ b/.github/actions/build_deploy_video_processing_queue_handler/action.yml
@@ -4,8 +4,11 @@ inputs:
ENVIRONMENT:
description: "Environment to deploy to"
required: true
- AWS_ROLE_ARN:
- description: "ARN of the role to assume"
+ AWS_ACCESS_KEY_ID:
+ description: "AWS Access Key ID"
+ required: true
+ AWS_SECRET_ACCESS_KEY:
+ description: "AWS Secret Access Key"
required: true
GITHUB_SHA:
description: "SHA of the commit"
@@ -28,8 +31,8 @@ runs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
- role-session-name: gha-${{ inputs.GITHUB_JOB }}-${{ steps.short-sha.outputs.SHORT_SHA }}
- role-to-assume: ${{ inputs.AWS_ROLE_ARN }}
+ aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-1
- name: Login to Amazon ECR
diff --git a/.github/actions/build_deploy_worker/action.yml b/.github/actions/build_deploy_worker/action.yml
index d3c0a64..25a0b47 100644
--- a/.github/actions/build_deploy_worker/action.yml
+++ b/.github/actions/build_deploy_worker/action.yml
@@ -4,8 +4,11 @@ inputs:
ENVIRONMENT:
description: "Environment to deploy to"
required: true
- AWS_ROLE_ARN:
- description: "ARN of the role to assume"
+ AWS_ACCESS_KEY_ID:
+ description: "AWS Access Key ID"
+ required: true
+ AWS_SECRET_ACCESS_KEY:
+ description: "AWS Secret Access Key"
required: true
GITHUB_SHA:
description: "SHA of the commit"
@@ -27,8 +30,8 @@ runs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
- role-session-name: gha-${{ inputs.GITHUB_JOB }}-${{ steps.short-sha.outputs.SHORT_SHA }}
- role-to-assume: ${{ inputs.AWS_ROLE_ARN }}
+ aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-1
- name: Login to Amazon ECR
diff --git a/.github/workflows/staging.yml b/.github/workflows/staging.yml
index e400099..0bb460f 100644
--- a/.github/workflows/staging.yml
+++ b/.github/workflows/staging.yml
@@ -23,7 +23,7 @@ jobs:
with:
ENVIRONMENT: staging
ROOT_DOMAIN: "ava-factory.ai"
- # BOOTSTRAP: Using static keys instead of OIDC (no 1-hour token expiry)
+ # Using static keys instead of OIDC (GitHub-hosted runners)
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_ACCOUNT_ID: ${{ secrets.AWS_STAGING_ACCOUNT_ID }}
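Review bot: The replacement comment gives "GitHub-hosted runners" as the reason for static keys, but OIDC federation is available on GitHub-hosted runners, so the comment no longer records why the keys are needed; the removed wording (token expiry) was the actual rationale. Since this is the only in-repo record of the decision, it should state the reason and who owns rotation, for example `# Static IAM user keys instead of OIDC (session-length limit); rotate on a schedule, tracked in <ISSUE-PLACEHOLDER>`. The job's `with:` block starts outside the hunk.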
@@ -78,7 +78,8 @@ jobs:
with:
ENVIRONMENT: staging
NEXT_PUBLIC_API_URL: "https://ava-factory.ai"
- AWS_ROLE_ARN: ${{ secrets.AWS_STAGING_ROLE_ARN }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
GITHUB_SHA: ${{ github.sha }}
GITHUB_JOB: ${{ github.job }}
NEXT_PUBLIC_SENTRY_FRONTEND_DSN: ${{ secrets.SENTRY_FRONTEND_DSN }}
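Review bot: `secrets.AWS_ACCESS_KEY_ID` and `secrets.AWS_SECRET_ACCESS_KEY` carry no environment in their names, while the secret they replace (`AWS_STAGING_ROLE_ARN`) and the `AWS_STAGING_ACCOUNT_ID` used in the first job are staging-specific. Unless these names resolve through a GitHub Environment, which this diff does not show, one key pair would serve every workflow in the repository and a staging job would hold whatever that IAM user can do elsewhere. I would scope them, e.g. `AWS_ACCESS_KEY_ID: ${{ secrets.AWS_STAGING_ACCESS_KEY_ID }}` and `AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_STAGING_SECRET_ACCESS_KEY }}`, backed by an IAM user limited to the staging deploy actions. The same applies to the remaining hunks of staging.yml.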
@@ -96,7 +97,8 @@ jobs:
- uses: ./.github/actions/build_deploy_backend
with:
ENVIRONMENT: staging
- AWS_ROLE_ARN: ${{ secrets.AWS_STAGING_ROLE_ARN }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
GITHUB_SHA: ${{ github.sha }}
GITHUB_JOB: ${{ github.job }}
@@ -112,7 +114,8 @@ jobs:
- uses: ./.github/actions/build_deploy_worker
with:
ENVIRONMENT: staging
- AWS_ROLE_ARN: ${{ secrets.AWS_STAGING_ROLE_ARN }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
GITHUB_SHA: ${{ github.sha }}
GITHUB_JOB: ${{ github.job }}
@@ -128,7 +131,8 @@ jobs:
- uses: ./.github/actions/build_deploy_kling_video_queue_handler
with:
ENVIRONMENT: staging
- AWS_ROLE_ARN: ${{ secrets.AWS_STAGING_ROLE_ARN }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
GITHUB_SHA: ${{ github.sha }}
GITHUB_JOB: ${{ github.job }}
@@ -144,7 +148,8 @@ jobs:
- uses: ./.github/actions/build_deploy_seedream_image_generation_queue_handler
with:
ENVIRONMENT: staging
- AWS_ROLE_ARN: ${{ secrets.AWS_STAGING_ROLE_ARN }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
GITHUB_SHA: ${{ github.sha }}
GITHUB_JOB: ${{ github.job }}
@@ -160,7 +165,8 @@ jobs:
- uses: ./.github/actions/build_deploy_nano_banana_image_generation_queue_handler
with:
ENVIRONMENT: staging
- AWS_ROLE_ARN: ${{ secrets.AWS_STAGING_ROLE_ARN }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
GITHUB_SHA: ${{ github.sha }}
build_deploy_image_processing_queue_handler:
@@ -175,7 +181,8 @@ jobs:
- uses: ./.github/actions/build_deploy_image_processing_queue_handler
with:
ENVIRONMENT: staging
- AWS_ROLE_ARN: ${{ secrets.AWS_STAGING_ROLE_ARN }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
GITHUB_SHA: ${{ github.sha }}
GITHUB_JOB: ${{ github.job }}
@@ -191,6 +198,7 @@ jobs:
- uses: ./.github/actions/build_deploy_video_processing_queue_handler
with:
ENVIRONMENT: staging
- AWS_ROLE_ARN: ${{ secrets.AWS_STAGING_ROLE_ARN }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
GITHUB_SHA: ${{ github.sha }}
GITHUB_JOB: ${{ github.job }}