From 3a402d886f174e427781d36efad47d9ac06ec0e1 Mon Sep 17 00:00:00 2001
From: Brian Murray <40031786+brmur@users.noreply.github.com>
Date: Wed, 26 Jun 2024 19:48:25 +0100
Subject: [PATCH] Update stats-lambda.yml

---
 .github/workflows/stats-lambda.yml | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/stats-lambda.yml b/.github/workflows/stats-lambda.yml
index 956d864b7d7..de5dd14ad10 100644
--- a/.github/workflows/stats-lambda.yml
+++ b/.github/workflows/stats-lambda.yml
@@ -1,9 +1,14 @@
-# This workflow executes a Lamdba function that records metrics for each successfully merged PR.
+# This workflow executes a Lamdba function that records metrics for each merged PR.
 #
 # For more information, see:
 # https://github.com/marketplace/actions/invoke-aws-lambda
 
 name: Trigger Lambda to capture metrics
+
+permissions:
+  contents: read
+  id-token: write
+
 on:   # yamllint disable-line rule:truthy
   pull_request:
     types:
@@ -12,20 +17,29 @@ on:   # yamllint disable-line rule:truthy
 env:
   COMMIT: ${{github.event.pull_request.head.sha}}
   PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+  AWS_REGION: "eu-west-1"
 jobs:
   if_merged:
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
     name: GitHub Statistics
     steps:
+      - name: Configure AWS Credentials
+        id: creds
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{env.AWS_REGION}}
+          role-to-assume: arn:aws:iam::959731285276:role/run-the-numbers-lambda
+          output-credentials: true
       - name: Create payload
         run: echo "JSON_PAYLOAD={\"commit\" :\"${{ env.COMMIT }}\",\"author\" :\"${{ env.PR_AUTHOR }}\"}" >> $GITHUB_ENV
       - name: Invoke Lambda
         uses: gagoar/invoke-aws-lambda@master
         with:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          REGION: 'eu-west-1'
+          AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
+          AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
+          AWS_SESSION_TOKEN: ${{ steps.creds.outputs.aws-session-token }}
+          REGION: ${{env.AWS_REGION}}
           FunctionName: runTheNumbers
           Payload: ${{env.JSON_PAYLOAD}}
           InvocationType: RequestResponse