
Zero-Trust CI/CD: Eliminating Stored AWS Credentials

Every CI/CD pipeline I inherited had the same problem: AWS access keys stored in GitHub secrets, rotation schedules nobody followed, and pipelines running with AdministratorAccess because scoping permissions was tedious.

I rebuilt my deployment infrastructure on GitHub Actions OIDC: short-lived tokens, no stored credentials, and IAM permissions scoped to exactly what the pipeline needs, discovered through practical iteration. The result was 100% elimination of stored secrets across three isolated environments, 15-minute token expiration, and a complete CloudWatch audit trail.
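The part of this design that decides who can actually obtain those short-lived tokens is the role's trust policy, specifically the conditions on the OIDC token's `aud` and `sub` claims. The following is an added example, not code from the original post: it builds two hypothetical trust policies for a hypothetical repo `example-org/deploy` in a hypothetical account `123456789012`, mimics how IAM's `StringEquals` and `StringLike` operators evaluate those conditions, and runs constructed `sub` claims in the formats GitHub issues for branch pushes, environment-bound jobs and `pull_request` runs through both policies. The scoped policy admits only `main` and the `prod` environment; the `repo:org/repo:*` wildcard lets any run in the repo, including a pull request, assume the deployment role.

```python
import fnmatch

# Hypothetical values for this example: account id, org and repo.
GITHUB_OIDC = "token.actions.githubusercontent.com"
ACCOUNT_ID = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{GITHUB_OIDC}"


def trust_policy(sub_patterns):
    """Role trust policy: GitHub's OIDC provider may assume the role only when the
    token's aud is sts.amazonaws.com (what configure-aws-credentials requests)
    and its sub claim matches one of sub_patterns (IAM StringLike wildcards)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{GITHUB_OIDC}:sub": sub_patterns},
            },
        }],
    }


# Scoped: only pushes to main and jobs bound to the "prod" environment.
STRICT_POLICY = trust_policy([
    "repo:example-org/deploy:ref:refs/heads/main",
    "repo:example-org/deploy:environment:prod",
])

# Too broad: any run in the repo, including pull_request runs and feature
# branches, can assume the deployment role.
LOOSE_POLICY = trust_policy(["repo:example-org/deploy:*"])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, expected, actual):
    """Mimic the two IAM string operators used in OIDC trust policies."""
    if operator == "StringEquals":
        return actual in _as_list(expected)
    if operator == "StringLike":
        # IAM '*' and '?' behave like shell globs; fnmatchcase keeps case sensitivity.
        return any(fnmatch.fnmatchcase(actual, pat) for pat in _as_list(expected))
    raise ValueError(f"unsupported operator: {operator}")


def _statement_matches(statement, claims):
    if statement["Effect"] != "Allow":
        return False
    if statement["Action"] != "sts:AssumeRoleWithWebIdentity":
        return False
    for operator, keys in statement.get("Condition", {}).items():
        for key, expected in keys.items():
            claim = key.split(":", 1)[1]  # "<provider>:sub" -> "sub"
            if not _condition_holds(operator, expected, claims.get(claim, "")):
                return False
    return True


def can_assume(policy, claims):
    """True if some statement in the trust policy admits these token claims."""
    return any(_statement_matches(s, claims) for s in policy["Statement"])


def github_claims(sub, aud="sts.amazonaws.com"):
    """Constructed stand-in for the aud/sub claims of a GitHub Actions OIDC token."""
    return {"aud": aud, "sub": sub}


# Constructed sub claims in the formats GitHub issues for different triggers.
SCENARIOS = {
    "push to main": "repo:example-org/deploy:ref:refs/heads/main",
    "job in the prod environment": "repo:example-org/deploy:environment:prod",
    "push to a feature branch": "repo:example-org/deploy:ref:refs/heads/feature/try-things",
    "pull_request-triggered run": "repo:example-org/deploy:pull_request",
    "another repo in the org": "repo:example-org/other:ref:refs/heads/main",
}

if __name__ == "__main__":
    for name, sub in SCENARIOS.items():
        claims = github_claims(sub)
        print(f"{name:30} strict={can_assume(STRICT_POLICY, claims)!s:5} "
              f"loose={can_assume(LOOSE_POLICY, claims)}")
```

Two details worth checking in a real policy: a job that references a GitHub environment gets the `environment:` form of `sub`, not the `ref:` form, so a policy that lists only branches will reject it; and a tag push arrives as `ref:refs/tags/...`, so release workflows need their own pattern rather than a trailing `*`.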

The interesting part was not the technical implementation. It was discovering the exact permissions required by actually running the pipeline and watching what failed. That is a discipline most teams skip by just granting broad access.
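The "run it and watch what fails" loop can be made mechanical. This is an added example, not the author's tooling: it parses the `AccessDenied` messages AWS returns to the CLI and SDKs (`User: <arn> is not authorized to perform: <service:Action> on resource: <arn>`) out of a constructed pipeline log for a hypothetical `github-deploy-staging` role, collects the denied action/resource pairs, and emits the minimal identity policy statements that would have allowed them.

```python
import json
import re
from collections import defaultdict

# Shape of the AccessDenied message AWS returns to the CLI/SDK. The
# "on resource:" part is absent for some account-level actions.
DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>\S+))?"
)

# Constructed pipeline log for a hypothetical role in hypothetical account
# 123456789012; not output from the author's pipeline.
SAMPLE_LOG = """
Run aws s3 cp build/app.zip s3://example-artifacts/app.zip
upload failed: build/app.zip to s3://example-artifacts/app.zip An error occurred (AccessDenied) when calling the PutObject operation: User: arn:aws:sts::123456789012:assumed-role/github-deploy-staging/GitHubActions is not authorized to perform: s3:PutObject on resource: arn:aws:s3:::example-artifacts/app.zip because no identity-based policy allows the s3:PutObject action
Run aws lambda update-function-code --function-name example-api --s3-bucket example-artifacts --s3-key app.zip
An error occurred (AccessDeniedException) when calling the UpdateFunctionCode operation: User: arn:aws:sts::123456789012:assumed-role/github-deploy-staging/GitHubActions is not authorized to perform: lambda:UpdateFunctionCode on resource: arn:aws:lambda:us-east-1:123456789012:function:example-api because no identity-based policy allows the lambda:UpdateFunctionCode action
Run aws s3 ls
An error occurred (AccessDenied) when calling the ListBuckets operation: User: arn:aws:sts::123456789012:assumed-role/github-deploy-staging/GitHubActions is not authorized to perform: s3:ListAllMyBuckets because no identity-based policy allows the s3:ListAllMyBuckets action
"""


def parse_denials(log_text):
    """Return de-duplicated (action, resource) pairs, in order of first appearance.
    A denial with no resource in the message is recorded against '*'."""
    pairs = []
    for match in DENIED_RE.finditer(log_text):
        pair = (match.group("action"), match.group("resource") or "*")
        if pair not in pairs:
            pairs.append(pair)
    return pairs


def build_policy(denials):
    """Group denied actions by resource into one Allow statement per resource."""
    by_resource = defaultdict(set)
    for action, resource in denials:
        by_resource[resource].add(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def policy_json(log_text):
    return json.dumps(build_policy(parse_denials(log_text)), indent=2)


if __name__ == "__main__":
    print(policy_json(SAMPLE_LOG))
```

Three caveats when using this in the loop. A step stops at its first denied call, so each run surfaces one new action; expect several iterations before the pipeline goes green. The generated `Resource` values are the exact ARNs the run touched, which is the right starting point but usually needs widening to a prefix pattern (an object key changes every build) rather than to `*`. And some services, EC2 being the usual case, return an encoded authorization message instead of this plain text; `aws sts decode-authorization-message` turns it into the same action and resource information.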