The Refresh Artifact Manifest workflow (.github/workflows/publish-artifacts.yml) requires these repository-level Actions variables:
ARTIFACTS_BUCKET: S3 bucket name that stores published artifact files andmanifest.json.ARTIFACTS_DISTRIBUTION_ID: CloudFront distribution ID for the artifact edge cache. The workflow invalidates/manifest.jsonafter each refresh.
The workflow also expects AWS_ARTIFACTS_PUBLISHER_ROLE_ARN as a repository or organization Actions secret. GitHub Actions assumes this role through OIDC before regenerating manifest.json from the existing S3 objects and invalidating CloudFront.