From 46d80f39d23452cdbe8cb208ece6ed0075ec9537 Mon Sep 17 00:00:00 2001
From: bn-nz
Date: Tue, 16 Dec 2025 12:45:34 +1300
Subject: [PATCH] test: testing to get aws role set
---
.github/workflows/debug-role.yml | 46 ++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 .github/workflows/debug-role.yml
diff --git a/.github/workflows/debug-role.yml b/.github/workflows/debug-role.yml
new file mode 100644
index 000000000..9610ad7cb
--- /dev/null
+++ b/.github/workflows/debug-role.yml
@@ -0,0 +1,46 @@
+name: ⚙️ Manual AWS OIDC Debug Run
+
+# 1. Define the trigger for On-Demand/Manual runs
+on:
+ workflow_dispatch:
+ inputs:
+ aws_region:
+ description: 'AWS Region'
+ required: true
+ default: 'ap-southeast-1'
+ pull_request:
+ branches:
+ - develop
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ verify_role_assumption:
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: Configure AWS Credentials (Assume Role)
+ id: aws-creds
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
+ aws-region: ${{ github.event.inputs.aws_region || 'ap-southeast-1' }}
+ # Set a unique session name for CloudTrail auditing
+ role-session-name: "BrentTestRoleSession"
+ # Ensure this is set to true to load credentials into the environment
+ output-env-credentials: true
+ role-duration-seconds: 1800
+
+ # Verify the Assumed Role Identity
+ - name: Verify Assumed Role with sts:GetCallerIdentity
+ if: ${{ steps.aws-creds.outcome == 'success' }}
+ run: |
+ echo "--- AWS CALLER IDENTITY CONFIRMATION ---"
+ # The AWS CLI is now authenticated with the temporary credentials
+ aws sts get-caller-identity --output json
+ echo "----------------------------------------"
+
+
\ No newline at end of file
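Review bot: The `pull_request:` block under `on:` makes this debug workflow request an OIDC token and assume `secrets.DEV_AWS_ROLE` on every pull request against `develop`, which is wider than the manual run the workflow name describes; I would drop that block and keep only `workflow_dispatch` before this merges. In the credentials step, `role-session-name: "BrentTestRoleSession"` is a constant, so the comment above it about a unique name for CloudTrail auditing does not hold; `role-session-name: gha-${{ github.run_id }}-${{ github.run_attempt }}` would tie each session to one run. `aws-actions/configure-aws-credentials@v4` is a mutable tag on the action that handles the credentials, so pinning it to a full commit SHA (`@<full-commit-sha> # v4`) is the safer form. The `aws sts get-caller-identity --output json` step writes the account ID and the assumed-role ARN to the job log, and since that ARN is not the same string as the secret, log masking will probably not hide it; consider `mask-aws-account-id: true` on the action or printing only a success message.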