From 7994bc8f40b1eb62a48c1b60571009c92e88884f Mon Sep 17 00:00:00 2001
From: April Bates <aprilb@aleios.com>
Date: Tue, 12 Sep 2023 15:13:00 +0100
Subject: [PATCH] fix: ci permissions changes

---
 .github/workflows/pr.yml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 50375057..bf2e91e1 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -5,9 +5,14 @@ on:
     branches: [main]
 
 permissions:
+  id-token: write
   pull-requests: write
   contents: read
 
+env:
+  CI: true
+  WS_REGION: eu-west-2
+
 jobs:
   build_and_test_code_review_gpt:
     runs-on: ubuntu-latest
@@ -70,14 +75,17 @@ jobs:
           cache: "npm"
           cache-dependency-path: '**/package-lock.json'
 
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          aws-region: ${{ env.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN_STAGING }}
+
       - name: 🚀 Deploy web-app
         run: npm i && npm run lint-test && npm run deploy-staging
 
   build_and_test_core:
     runs-on: ubuntu-latest
-    env:
-      CI: true
-      AWS_REGION: eu-west-2
 
     defaults:
       run: