From 4862c3e7650b8a90da868efd48cbf1558b17455f Mon Sep 17 00:00:00 2001
From: Adam <2363879+adamdotdevin@users.noreply.github.com>
Date: Mon, 25 May 2026 20:35:40 -0500
Subject: [PATCH] chore: remove gh role from infra

---
 infra/stage.ts | 43 -------------------------------------------
 sst.config.ts | 1 -
 2 files changed, 44 deletions(-)

diff --git a/infra/stage.ts b/infra/stage.ts
index f988672389..5dc17fc85a 100644
--- a/infra/stage.ts
+++ b/infra/stage.ts
@@ -9,49 +9,6 @@ export const zoneID = "430ba34c138cfb5360826c4909f99be8"
 export const awsStage = $app.stage === "production" ? "production" : "dev"
 export const deployAws = $app.stage === awsStage
 
-const githubActionsDeployRole = (() => {
- if ($app.stage !== "dev" && $app.stage !== "production") return
-
- const provider = new aws.iam.OpenIdConnectProvider("GithubActionsOidcProvider", {
- url: "https://token.actions.githubusercontent.com",
- clientIdLists: ["sts.amazonaws.com"],
- })
- const role = new aws.iam.Role("GithubActionsDeployRole", {
- name: `opencode-${$app.stage}-github-actions-deploy`,
- maxSessionDuration: 3600,
- assumeRolePolicy: aws.iam.getPolicyDocumentOutput({
- statements: [
- {
- effect: "Allow",
- actions: ["sts:AssumeRoleWithWebIdentity"],
- principals: [{ type: "Federated", identifiers: [provider.arn] }],
- conditions: [
- {
- test: "StringEquals",
- variable: "token.actions.githubusercontent.com:aud",
- values: ["sts.amazonaws.com"],
- },
- {
- test: "StringEquals",
- variable: "token.actions.githubusercontent.com:sub",
- values: [`repo:anomalyco/opencode:environment:${$app.stage}`],
- },
- ],
- },
- ],
- }).json,
- })
-
- new aws.iam.RolePolicyAttachment("GithubActionsDeployRoleAdmin", {
- role: role.name,
- policyArn: "arn:aws:iam::aws:policy/AdministratorAccess",
- })
-
- return role
-})()
-
-export const githubActionsDeployRoleArn = githubActionsDeployRole?.arn
-
 new cloudflare.RegionalHostname("RegionalHostname", {
 hostname: domain,
 regionKey: "us",
diff --git a/sst.config.ts b/sst.config.ts
index cc04bd1a91..526fefabd4 100644
--- a/sst.config.ts
+++ b/sst.config.ts
@@ -51,7 +51,6 @@ export default $config({
 StatWorkerUrl: stat.url,
 // StatsUrl: stats.app.url,
 AwsStage: stage.awsStage,
- ...(stage.githubActionsDeployRoleArn ? { GithubActionsDeployRoleArn: stage.githubActionsDeployRoleArn } : {}),
 }
 },
 })