Devii · DevOps · 2026-01-30 · 7 min read
GitHub Actions OIDC: Drop Long-Lived Cloud Secrets From CI
How workload identity federation works - no fabricated provider claims, just the documented pattern.
GitHub documents OpenID Connect (OIDC) for Actions: workflows can request short-lived tokens from GitHub's OIDC issuer and exchange them for cloud credentials using federation trust configured in your cloud account (AWS IAM, Google Workload Identity, Azure OIDC federated credentials, etc.).
Compared with storing static `AWS_ACCESS_KEY_ID` secrets in GitHub, federation binds credentials to a specific repository, environment, and branch/ref policy you configure on the cloud side.
Implementation checklist: restrict the `sub`/`aud` claims the trust condition accepts, scope the assumed IAM role to least privilege, skip manual rotation (the tokens are ephemeral, so there is nothing long-lived to rotate), and audit failed role-assumption attempts in cloud logs.
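To see why the `sub`/`aud` restriction matters, here is an added illustration (not code from the post or from any cloud provider) that models the claim checks a federation trust performs: exact match on issuer and audience, pattern match on subject. The repository `example-org/app`, the audience `sts.amazonaws.com` and all claim values are constructed samples in GitHub's documented `sub` formats; the evaluator is a simplified model, not a real policy engine.

```python
from fnmatch import fnmatchcase

# GitHub's documented OIDC issuer for Actions tokens.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def trusted(claims: dict, expected_aud: str, allowed_subs: list[str]) -> bool:
    """Simplified trust condition: exact `iss` and `aud`, `sub` matched
    against allowed patterns where `*` is a wildcard (like IAM StringLike).
    This is a model written for this post, not a provider's real engine."""
    if claims.get("iss") != GITHUB_ISSUER:
        return False
    if claims.get("aud") != expected_aud:
        return False
    sub = claims.get("sub", "")
    return any(fnmatchcase(sub, pattern) for pattern in allowed_subs)


# Constructed sample claims using the documented GitHub `sub` formats.
MAIN_PUSH = {"iss": GITHUB_ISSUER, "aud": "sts.amazonaws.com",
             "sub": "repo:example-org/app:ref:refs/heads/main"}
FEATURE_BRANCH = {**MAIN_PUSH, "sub": "repo:example-org/app:ref:refs/heads/feature-x"}
PROD_ENV = {**MAIN_PUSH, "sub": "repo:example-org/app:environment:prod"}
PR_RUN = {**MAIN_PUSH, "sub": "repo:example-org/app:pull_request"}
OTHER_REPO = {**MAIN_PUSH, "sub": "repo:example-org/other:ref:refs/heads/main"}
WRONG_AUD = {**MAIN_PUSH, "aud": "https://github.com/example-org"}  # GitHub's default aud

# Narrow condition: only pushes to main or deployments via the `prod` environment.
NARROW = ["repo:example-org/app:ref:refs/heads/main",
          "repo:example-org/app:environment:prod"]
# Over-broad condition: any workflow in any repo of the org, including PR runs.
BROAD = ["repo:example-org/*"]

if __name__ == "__main__":
    for name, c in [("main push", MAIN_PUSH), ("feature branch", FEATURE_BRANCH),
                    ("prod env", PROD_ENV), ("PR run", PR_RUN),
                    ("other repo", OTHER_REPO), ("wrong aud", WRONG_AUD)]:
        print(f"{name:15} narrow={trusted(c, 'sts.amazonaws.com', NARROW)!s:5} "
              f"broad={trusted(c, 'sts.amazonaws.com', BROAD)}")
```

The audience check is what stops a token minted for another relying party from being accepted, and the subject pattern is what keeps a feature branch or a sibling repository from assuming your deployment role.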