Static AWS access keys in GitHub Actions secrets are how production environments get breached. Here's how I replaced every static key with OIDC federation for the Damolak Technologies DevOps challenge — and why you should too.

## The Problem With Static Keys

When you do this:

```yaml
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
```

you have a long-lived credential sitting in GitHub that:

- Never rotates automatically
- Has a blast radius covering everything the key is allowed to do, for anyone who compromises the repo, a workflow, or an account with access to its secrets
- Violates least privilege by existing at all: it is valid around the clock, not just for the minutes a job actually runs

## The Fix: OIDC

GitHub Actions supports OIDC token exchange with AWS. The workflow requests a short-lived, signed ID token from GitHub (the job needs `permissions: id-token: write`), hands it to `sts:AssumeRoleWithWebIdentity`, and AWS verifies the token's signature and checks its `aud` and `sub` claims against the role's trust policy before returning temporary credentials. No stored credentials. …
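To make the trust-policy side concrete, here is a small Python model of what STS checks when a GitHub Actions token is presented. This is an added example written for this article, not the author's code and not AWS or GitHub code: it does not call AWS, and it only reproduces the `Principal` and `Condition` evaluation, not the JWT signature and expiry checks that STS also performs. The account ID, organisation and repository names are placeholders; the claim names and the `repo:<org>/<repo>:ref:refs/heads/<branch>` subject format are the ones GitHub documents for its OIDC tokens.

```python
"""Model of the STS-side trust-policy check for GitHub Actions OIDC (added example).

Hypothetical and self-contained: mimics how sts:AssumeRoleWithWebIdentity
evaluates a role trust policy's Principal and Condition against the claims in
a GitHub-issued ID token. Signature, expiry and JWKS handling are out of scope.
"""
import re

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
CLAIM_PREFIX = "token.actions.githubusercontent.com:"


def tight_trust_policy(account_id: str, org: str, repo: str, branch: str) -> dict:
    """Trust policy that only lets pushes to one branch of one repo assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/"
                                       "token.actions.githubusercontent.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                CLAIM_PREFIX + "aud": "sts.amazonaws.com",
                CLAIM_PREFIX + "sub": f"repo:{org}/{repo}:ref:refs/heads/{branch}",
            }},
        }],
    }


def loose_trust_policy(account_id: str, org: str) -> dict:
    """The common mistake: an org-wide wildcard on sub. Any repo in the org can assume the role."""
    policy = tight_trust_policy(account_id, org, "unused", "unused")
    policy["Statement"][0]["Condition"] = {
        "StringEquals": {CLAIM_PREFIX + "aud": "sts.amazonaws.com"},
        "StringLike": {CLAIM_PREFIX + "sub": f"repo:{org}/*"},
    }
    return policy


def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def assume_role_allowed(trust_policy: dict, claims: dict) -> bool:
    """Return True if some Allow statement admits this token's claims."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        # Principal: the token must come from the OIDC provider named in the policy.
        provider_host = stmt["Principal"]["Federated"].rsplit("/", 1)[1]
        if claims.get("iss") != "https://" + provider_host:
            continue
        satisfied = True
        for operator, tests in stmt.get("Condition", {}).items():
            for key, expected in tests.items():
                claim = key[len(CLAIM_PREFIX):] if key.startswith(CLAIM_PREFIX) else key
                actual = claims.get(claim)
                expected_values = expected if isinstance(expected, list) else [expected]
                if operator == "StringEquals":
                    satisfied &= actual in expected_values
                elif operator == "StringLike":
                    satisfied &= actual is not None and any(
                        _string_like(p, actual) for p in expected_values)
                else:
                    raise ValueError(f"operator not modelled here: {operator}")
        if satisfied:
            return True
    return False


def github_claims(org: str, repo: str, subject_suffix: str) -> dict:
    """Constructed subset of the claims GitHub puts in an Actions ID token."""
    return {"iss": GITHUB_ISSUER, "aud": "sts.amazonaws.com",
            "sub": f"repo:{org}/{repo}:{subject_suffix}", "repository": f"{org}/{repo}"}


def demo() -> dict:
    """Placeholder account/org/repo names; tokens are constructed, not real."""
    tight = tight_trust_policy("123456789012", "damolak", "devops-challenge", "main")
    loose = loose_trust_policy("123456789012", "damolak")
    main_push = github_claims("damolak", "devops-challenge", "ref:refs/heads/main")
    feature_push = github_claims("damolak", "devops-challenge", "ref:refs/heads/feature")
    other_repo = github_claims("damolak", "sandbox", "ref:refs/heads/main")
    wrong_aud = dict(main_push, aud="https://github.com/damolak")
    return {
        "tight/main": assume_role_allowed(tight, main_push),
        "tight/feature": assume_role_allowed(tight, feature_push),
        "tight/other_repo": assume_role_allowed(tight, other_repo),
        "tight/wrong_aud": assume_role_allowed(tight, wrong_aud),
        "loose/other_repo": assume_role_allowed(loose, other_repo),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:18} -> {'ALLOW' if allowed else 'DENY'}")
```

The point of the two policies: with the branch-pinned `sub`, only a job running on `main` of the one repo gets credentials; a feature branch, a different repo in the same organisation, or a token minted for another audience is refused. With `repo:damolak/*`, anyone who can run a workflow in any repo of the organisation can assume the role, which is the most frequent way OIDC setups quietly re-create the blast radius of a static key. For deployment jobs, pinning `sub` to `repo:<org>/<repo>:environment:<env>` and protecting that environment is the usual next step.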