From f313b2c746e35677b5ee2ddcfed79a0757a26e70 Mon Sep 17 00:00:00 2001
From: Jonathan Alvarez Delgado
Date: Wed, 18 Mar 2026 00:25:05 +0100
Subject: [PATCH] fix(ci): allow ECR publish on workflow_dispatch and relax OIDC trust policy
---
 .github/workflows/build-and-push.yml | 6 +++---
 infra/pulumi/__main__.py | 13 -------------
 2 files changed, 3 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index 43f510c78af8..efb4c9c90b16 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -98,19 +98,19 @@ jobs:
 name: Publish (skipped - AWS_ROLE_ARN not set)
 needs: build
 runs-on: ubuntu-latest
- if: github.event_name == 'push' && github.ref == 'refs/heads/stage' && vars.AWS_ROLE_ARN == ''
+ if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/stage' && vars.AWS_ROLE_ARN == ''
 steps:
 - name: Publishing not configured
 run: |
 echo "::notice::Publish skipped: AWS_ROLE_ARN repo variable not set (OIDC role not configured yet)"
 echo "See workflow header comments for IAM role setup instructions"
 
- # Publish job: only runs on push to stage when OIDC role is configured
+ # Publish job: runs on push to stage or manual dispatch when OIDC role is configured
 publish:
 name: Publish to ECR
 needs: build
 runs-on: ubuntu-latest
- if: github.event_name == 'push' && github.ref == 'refs/heads/stage' && vars.AWS_ROLE_ARN != ''
+ if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/stage' && vars.AWS_ROLE_ARN != ''
 concurrency:
 group: ecr-stage-publish
 cancel-in-progress: true
diff --git a/infra/pulumi/__main__.py b/infra/pulumi/__main__.py
index 599545a9bc64..32e16705c414 100755
--- a/infra/pulumi/__main__.py
+++ b/infra/pulumi/__main__.py
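Review bot: The widened `if:` on both `publish` jobs only has an effect if `workflow_dispatch` is also declared under the workflow's `on:` key, which lies outside this hunk and is worth confirming, since otherwise the new clause is dead. On a manual run against `stage`, `github.ref` (and, as far as I know, the OIDC `sub` claim the IAM role trusts) is identical to a push, so anyone who can trigger a dispatch on that branch can now publish to ECR without a merge; if that path should still need a human gate, attach the `publish` job to a protected `environment:` so dispatches go through its required reviewers. The header comment that the notice line refers to ("See workflow header comments ...") should also list manual dispatch as a publish trigger, e.g. `# Publish triggers: push to stage, or a workflow_dispatch run against stage (same OIDC sub claim as a push).`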
@@ -293,9 +293,6 @@ def main():
 github_org = gha_oidc_config.get("github_org", "thunderbird")
 github_repo = gha_oidc_config.get("github_repo", "addons-server")
 allowed_branches = gha_oidc_config.get("allowed_branches", ["stage"])
- workflow_file = gha_oidc_config.get(
- "workflow_file", ".github/workflows/build-and-push.yml"
- )
 
 # Build the subject conditions for allowed branches
 sub_conditions = [
@@ -303,12 +300,6 @@ def main():
 for branch in allowed_branches
 ]
 
- # Build workflow ref conditions (job_workflow_ref hardening)
- workflow_ref_conditions = [
- f"{github_org}/{github_repo}/{workflow_file}@refs/heads/{branch}"
- for branch in allowed_branches
- ]
-
 gha_trust_policy = json.dumps(
 {
 "Version": "2012-10-17",
@@ -322,15 +313,11 @@ def main():
 "Condition": {
 "StringEquals": {
 "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
- "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com",
 },
 "StringLike": {
 "token.actions.githubusercontent.com:sub": sub_conditions
 if len(sub_conditions) > 1
 else sub_conditions[0],
- "token.actions.githubusercontent.com:job_workflow_ref": workflow_ref_conditions
- if len(workflow_ref_conditions) > 1
- else workflow_ref_conditions[0],
 },
 },
 }
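Review bot: With the `job_workflow_ref` condition dropped from the `StringLike` block in the third hunk (and its inputs removed in the first two), the trust policy is now scoped only by `aud` and the branch-derived `sub` list, so any workflow file on an allowed branch of the repository — not just `build-and-push.yml` — can assume this role; a comment next to `sub_conditions` should record that this widening is deliberate, e.g. `# Trust is scoped by repo + branch (sub) only; any workflow on an allowed branch may assume the role.` Dropping `iss` is less of a concern, since the federated OIDC provider named as the principal is already bound to that issuer URL, though that principal is outside the hunk. The first hunk stops reading `workflow_file`, so a config that still supplies that key in `gha_oidc_config` is now silently ignored; consider logging a warning for the unused key rather than dropping it quietly. If the key was removed because the `job_workflow_ref` condition did not evaluate as expected on the AWS side, the same per-workflow pinning can be recovered through GitHub's OIDC subject-claim customization, which can fold `job_workflow_ref` into `sub` and so keep the existing `sub` condition as the single gate. `main()` begins and ends outside these hunks, and the line that builds each `sub_conditions` entry (between the first and second hunk) is not visible here.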