ci(docs) migrate to OIDC authentication

why: Replace legacy IAM credentials with short-lived OIDC tokens
what:
- Add id-token: write permission for OIDC
- Add docs environment for scoped credentials
- Use aws-actions/configure-aws-credentials with role assumption
- Add targeted CloudFront invalidation

Author: tony

.github/workflows/docs.yml

@@ -5,9 +5,14 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    environment: docs
     strategy:
       matrix:
         python-version: ['3.14']
@@ -60,17 +65,25 @@ jobs:
         run: |
           pushd docs; make SPHINXBUILD='uv run sphinx-build' html; popd
 
-      - name: Push documentation to S3
+      - name: Configure AWS Credentials
         if: env.PUBLISH == 'true'
-        uses: jakejarvis/s3-sync-action@v0.5.1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          args: --follow-symlinks --delete
-        env:
-          AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_REGION: 'us-west-1' # optional: defaults to us-east-1
-          SOURCE_DIR: 'docs/_build/html' # optional: defaults to entire repository
+          role-to-assume: ${{ secrets.G_DOCS_ROLE_ARN }}
+          aws-region: us-east-1
+
+      - name: Push documentation to S3
+        if: env.PUBLISH == 'true'
+        run: |
+          aws s3 sync docs/_build/html "s3://${{ secrets.G_DOCS_BUCKET }}" \
+            --delete --follow-symlinks
+
+      - name: Invalidate CloudFront
+        if: env.PUBLISH == 'true'
+        run: |
+          aws cloudfront create-invalidation \
+            --distribution-id "${{ secrets.G_DOCS_DISTRIBUTION }}" \
+            --paths "/index.html" "/objects.inv" "/searchindex.js"
 
       - name: Purge cache on Cloudflare
         if: env.PUBLISH == 'true'