chore(infra): migrate AWS auth to OIDC, add CODEOWNERS, SHA-pin actions

[mikanmarusan]

Goal

Tighten the deploy supply chain. Three related hardening items surfaced during the WebACL fix (PR #39) review but were intentionally out of scope.

Items

1. Migrate AWS auth from long-lived keys to GitHub OIDC

Currently `.github/workflows/deploy-production.yml` uses `secrets.AWS_ACCESS_KEY_ID_PROD` / `secrets.AWS_SECRET_ACCESS_KEY_PROD`. These are long-lived IAM access keys with broad blast radius if leaked.

Replace with OIDC role assumption:

1. Create an IAM Role `gh-actions-deploy-prod` with a trust policy scoped to `repo:mikanmarusan/lambda-function-transit:environment:production`.
2. Replace `aws-actions/configure-aws-credentials@v4` inputs with `role-to-assume` instead of access keys.
3. Delete the old IAM user / access keys.

2. Add `.github/CODEOWNERS`

No CODEOWNERS file exists today. Add one covering at minimum:
```
template.yml @mikanmarusan
samconfig.toml @mikanmarusan
.github/workflows/ @mikanmarusan
CLAUDE.md @mikanmarusan
```
Then enable branch protection on `main` requiring code-owner review for those paths.

3. SHA-pin third-party Actions

Currently `deploy-production.yml` and `ci.yml` reference Actions by major-version tag (`actions/checkout@v4`, `aws-actions/setup-sam@v2`, etc.). Tag refs can be hijacked. Replace with full SHAs:

```

• uses: actions/checkout@ # v4.x.x
  ```

Use pin-github-action or Dependabot's GitHub Actions ecosystem to keep them current.

Acceptance

Each item can ship as its own PR, but ideally bundled if scope is small.

Related

• Surfaced in the security review for PR fix(infra): preserve CloudFront WebACL attachment in SAM template #39 (WebACL fix); out of scope there to keep that PR minimal.

[mikanmarusan]

Closing — Item 1 done, Items 2 and 3 intentionally not pursued

Item 1: AWS auth → GitHub OIDC — Done

Shipped in #51.

Cutover summary:

• New IAM Role gh-actions-deploy-prod created with trust policy pinned to repo:mikanmarusan/lambda-function-transit:environment:production (StringEquals, no wildcards). 6 managed policies migrated 1:1 from the old user to preserve deploy behavior.
• AWS_DEPLOY_ROLE_ARN_PROD registered on the production GitHub Environment.
• deploy-production.yml switched from aws-access-key-id/aws-secret-access-key (repo-level) to role-to-assume (env-level), with job-level permissions: { id-token: write, contents: read }.
• Verified end-to-end on two production runs:
  • dry-run (dry-run=true): https://github.com/mikanmarusan/lambda-function-transit/actions/runs/26607810715 — OIDC assume + sam dry-run + WebACL secret-vs-live check all green.
  • real (dry-run=false): https://github.com/mikanmarusan/lambda-function-transit/actions/runs/26608052303 — full path (sam deploy / s3 sync / cloudfront invalidate / health checks incl. 3 security headers) green under STS-vended credentials.
• Old IAM user lambda-function-transit-prod-deploy, its sole access key, and the repo-level AWS_ACCESS_KEY_ID_PROD / AWS_SECRET_ACCESS_KEY_PROD secrets all deleted. No long-lived prod credentials remain.

Item 2: CODEOWNERS — Not pursued (intentional)

Single-owner repo. CODEOWNERS would auto-request review from the only person who can merge, making the gate a self-review ceremony rather than a real check. The protections actually worth having for main (require status checks, disallow force-push) don't need CODEOWNERS and can be set as branch protection rules directly when desired.

Item 3: SHA-pin third-party Actions — Not pursued (intentional)

Current workflows only use first-party Actions (actions/*, aws-actions/*). The supply-chain incident class SHA-pinning defends against (mutable major-tag hijack on community Actions, e.g., the tj-actions/changed-files event) does not match this attack surface. Retrofitting first-party Actions would add Dependabot churn without proportionate benefit. Future policy: any new third-party Action introduced into this repo should be SHA-pinned at the point of introduction.

Follow-ups out of scope here

• Tighten the new Role's permissions away from six *FullAccess policies (incl. IAMFullAccess) toward least privilege. Migration kept policy parity to minimize cutover risk; tightening is a separate exercise.
• actions/checkout and friends are emitting Node 20 deprecation warnings. Unrelated to OIDC; track separately.

Closing.