In a recent development, a member of the Platforms engineering team has championed best practices for provisioning infrastructure with GitHub automation. The team's goal is a secure cloud provisioning pipeline that integrates with GitOps and OpenID Connect (OIDC). This approach lets the organization extend its workflow with Actions from verified creators, such as aws-actions, while keeping provisioning permissions at least privilege.

The team's approach relies on GitHub Actions' ephemeral runners and OpenTofu, a project backed by The Linux Foundation. They also draw on Test Double for inspiration on a "roll-your-own" deployment workflow, and on DevSecTop/TF-via-PR, an open-source project that combines the outlined concepts into a reusable Action.

This secure cloud provisioning pipeline provides several benefits: it streamlines configuring AWS credentials via OIDC, prevents configuration drift from stale plans, and removes the overhead of maintaining dedicated containers or self-hosted compute instances. Additionally, it enables development teams to self-service at scale.
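As an added illustration of the OIDC and least-privilege points above (this is example configuration written for this summary, not code from the summarized article or from the TF-via-PR project), the workflow below requests an OIDC token, exchanges it for short-lived AWS credentials with aws-actions/configure-aws-credentials, and runs OpenTofu on an ephemeral GitHub-hosted runner. The role ARN, region and repository layout are assumed placeholder values; the `opentofu/setup-opentofu` action and the `tofu` CLI flags are used as assumptions about the OpenTofu tooling.

```yaml
# Added example workflow (not from the original page). Placeholders: the IAM
# role ARN and the AWS region are assumed values.
name: provision

on:
  pull_request:          # plan only on pull requests
  push:
    branches: [main]     # apply only from the default branch

# Token permissions are the least-privilege lever for the job:
# id-token: write lets the job request an OIDC token; contents: read is the
# only other grant. No long-lived AWS access keys are stored as secrets.
permissions:
  id-token: write
  contents: read

jobs:
  tofu:
    runs-on: ubuntu-latest   # ephemeral GitHub-hosted runner, discarded after the job
    steps:
      - uses: actions/checkout@v4

      # Exchange the job's OIDC token for temporary credentials. Which repo and
      # branch may assume the role is decided by the role's IAM trust policy,
      # not by anything in this file.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha-provisioner  # placeholder ARN
          aws-region: us-east-1                                           # placeholder region
          role-session-name: gha-${{ github.run_id }}

      # Assumed OpenTofu setup action (not from the page).
      - uses: opentofu/setup-opentofu@v1

      - run: tofu init -input=false
      - run: tofu plan -input=false -out=tfplan

      # Applying the saved plan file rather than re-planning means the apply
      # matches what was reviewed; OpenTofu refuses a saved plan whose recorded
      # state no longer matches the current state, so a stale plan fails
      # instead of silently drifting.
      - if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: tofu apply -input=false tfplan
```

The defender-side counterpart lives in AWS: the IAM role's trust policy should name the `token.actions.githubusercontent.com` OIDC provider, require the `sts.amazonaws.com` audience, and restrict the `sub` claim to a pattern such as `repo:ORG/REPO:ref:refs/heads/main` (with ORG/REPO substituted), so that only this repository's default branch can assume the provisioning role. A trust policy that leaves `sub` unconstrained would let any GitHub workflow presenting a token with the right audience assume the role, which is the misconfiguration the least-privilege goal above is meant to rule out.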

Source: https://dev.to/rdhar/secure-cloud-provisioning-pipeline-with-github-automation-27g4