From 35d7e2146746d8203f26e5add73be9589c35cef8 Mon Sep 17 00:00:00 2001 From: Shubham Chaturvedi Date: Wed, 4 Mar 2026 14:53:45 -0800 Subject: [PATCH 1/4] Allow GHA to git push --- .github/workflows/prod-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index a27b3799b..353e64622 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -1,6 +1,6 @@ name: Release permissions: - contents: read + contents: write id-token: write on: From 567a57eff801f3f03ac4ea420960b4c56917735c Mon Sep 17 00:00:00 2001 From: Shubham Chaturvedi Date: Wed, 4 Mar 2026 14:58:28 -0800 Subject: [PATCH 2/4] fix(CI): Empty commit From da296ca86bb039d618b9b4510d8c2af3e8bfe728 Mon Sep 17 00:00:00 2001 From: Shubham Chaturvedi Date: Wed, 4 Mar 2026 16:29:24 -0800 Subject: [PATCH 3/4] fix(ci): release bot credentials --- .github/workflows/prod-release.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 353e64622..104b1e503 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml 
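Review bot: `contents: write` is set in the workflow-level `permissions:` block, so every job in this workflow receives a `GITHUB_TOKEN` that can push, not only the job that performs the release push. The jobs are outside this hunk, but if only one of them pushes, keeping `contents: read` here and giving that job its own `permissions:` with `contents: write` and `id-token: write` limits what the remaining steps, dependency installation included, can do with the token. Job-level permissions replace the workflow-level set, so both entries need to be listed there. A comment such as `# contents: write is required for the release job's git push` next to the line would record why the scope was widened.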
@@ -47,6 +47,28 @@ jobs: - name: Install dependencies run: npm ci --unsafe-perm + - name: Configure AWS Credentials for Release + uses: aws-actions/configure-aws-credentials@v5 + with: + aws-region: us-west-2 + role-to-assume: arn:aws:iam::587316601012:role/GitHub-CI-CI-Bot-Credential-Access-Role-us-west-2 + role-session-name: CI_Bot_Release + + # Use AWS Secrets Manager GHA to retrieve CI Bot Creds + - name: Get CI Bot Creds Secret + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: Github/aws-crypto-tools-ci-bot + parse-json-secrets: true + + # Log in as the CI Bot + - name: Log in as CI Bot + run: | + echo ${{ env.GITHUB_AWS_CRYPTO_TOOLS_CI_BOT_ESDK_RELEASE_TOKEN }} > token.txt + gh auth login --with-token < token.txt + rm token.txt + gh auth status + - name: Configure git env: BRANCH: ${{ github.event.inputs.branch }} From f60f673a99c9dfd9508d17a5d1a67665b10ea3cd Mon Sep 17 00:00:00 2001 From: Shubham Chaturvedi Date: Wed, 4 Mar 2026 17:31:47 -0800 Subject: [PATCH 4/4] fix(ci): git auth --- .github/workflows/prod-release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml index 104b1e503..3bdb26af0 100644 --- a/.github/workflows/prod-release.yml +++ b/.github/workflows/prod-release.yml @@ -68,6 +68,7 @@ jobs: gh auth login --with-token < token.txt rm token.txt gh auth status + gh auth setup-git - name: Configure git env:
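Review bot: The `Log in as CI Bot` step expands `${{ env.GITHUB_AWS_CRYPTO_TOOLS_CI_BOT_ESDK_RELEASE_TOKEN }}` into the script text, unquoted, and writes it to `token.txt` in the workspace; if `gh auth login` fails, the fail-fast default shell (`bash -e` on Linux runners) stops before `rm token.txt` and the release token stays on disk. The Secrets Manager step already exports the value as an environment variable, so the step can read it in the shell without a file or an expression: `printenv GITHUB_AWS_CRYPTO_TOOLS_CI_BOT_ESDK_RELEASE_TOKEN | gh auth login --with-token`. Because `parse-json-secrets: true` exports every key of the secret to all later steps, it is worth confirming that `Github/aws-crypto-tools-ci-bot` holds only what this job needs. The two new `uses:` lines reference `@v5` and `@v2`, which are movable tags; pinning each to a full commit SHA is the usual hardening for a workflow that holds `id-token: write` and a release token. The `Configure git` step after the added lines continues outside the hunk.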
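Review bot: After `gh auth setup-git` the push is meant to authenticate as the CI bot, but nothing in the hunk establishes which credential git will actually send. If the checkout step (not visible here) keeps its default persisted credentials, the `GITHUB_TOKEN` authorization header it writes into the repository's git config may still be used on push instead of the bot token; setting `persist-credentials: false` on checkout would make the intent explicit. If the bot token is the one that pushes, the workflow-level `contents: write` from patch 1/4 may no longer be needed and could go back to `contents: read`. The `run:` block this line is appended to starts above the hunk.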