Document GitHub actions AWS integration

.github/workflows/ci.yaml

@@ -57,9 +57,9 @@ jobs:
           python-version: ${{ matrix.python }}
           tox-envs: "py,typing"
         env:
-          LTD_TEST_AWS_ID: ${{ secrets.LTD_TEST_AWS_ID }}
+          LTD_TEST_AWS_ID: ${{ vars.LTD_TEST_AWS_ID }}
           LTD_TEST_AWS_SECRET: ${{ secrets.LTD_TEST_AWS_SECRET }}
-          LTD_TEST_BUCKET: ${{ secrets.LTD_TEST_BUCKET }}
+          LTD_TEST_BUCKET: ${{ vars.LTD_TEST_BUCKET }}
 
   docs:
 

changelog.d/20241118_133228_danfuchs_DM_47580.md

@@ -1,4 +1,3 @@
 ### Bug fixes
 
 - Change Slack channel references to refer to channels in the Rubin Slack instance.
-- Get non-sensitive CI vars from GitHub variables instead of secrets

docs/development.rst

@@ -29,3 +29,13 @@ Releases are made by creating a Git tag with a semantic version and pushing to G
    git push --tags
 
 Travis CI creates the PyPI release itself and `setuptools_scm <https://github.com/pypa/setuptools_scm/>`_ ensures the PyPI version matches the Git tag.
+
+GitHub CI
+=========
+
+The GitHub CI action needs AWS creds and an existing S3 bucket.
+These creds and the bucket name are injected via repository-scoped Actions `secrets <https://github.com/lsst-sqre/ltd-conveyor/settings/secrets/actions>`_ and `variables <https://github.com/lsst-sqre/ltd-conveyor/settings/variables/actions>`_
+
+These creds are attached to the `ltd-conveyor-tests IAM user <https://us-east-1.console.aws.amazon.com/iam/home?region=us-west-2#/users/details/ltd-conveyor-tests?section=permissions>`_.
+This user has an attached `ltd-conveyor-tests policy <https://us-east-1.console.aws.amazon.com/iam/home?region=us-west-2#/policies/details/arn%3Aaws%3Aiam%3A%3A039289279626%3Apolicy%2Fltd-conveyor-tests?section=permissions>`_.
+This policy grants access to the `lsst-the-docs-test S3 bucket <https://us-west-2.console.aws.amazon.com/s3/buckets/lsst-the-docs-test?region=us-west-2&bucketType=general&tab=objects>`_.