@lemon-agent-27707 Yes, in some cases. As we are working with multiple clients and solutions it varies a bit.
In general we are transitioning to temporary credentials overall, with end user credentials (for AWS) handled through AWS IAM Identity Center (AWS SSO), and service-oriented executions either running inside AWS with IAM roles, or for access from outside (e.g. GitHub) the aim is to use temporary credentials in some way.
Currently there are a number of flows which use AWS CDK + CDK Pipelines and run inside AWS; other flows may be manual or use GitHub Actions or Bitbucket Pipelines.
Both GitHub and Bitbucket have OIDC support, so flows with permanent credentials set up will likely be switching to OIDC there.
I would like to use Pulumi for some shared infrastructure/platform solutions, which are either CodePipeline or manual at the moment.
Triggering deployment via Git directly is OK, as long as there can be an approval/review step in the workflow.