diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8ced70b..b6c48a5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,6 +9,9 @@ permissions:
   id-token: write
   contents: read
 
+env:
+  AWS_ROLE: ${{ secrets.awsIAMS3UploadRole }}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -42,9 +45,9 @@ jobs:
       run: yarn
 
     - name: Configure AWS Credentials using OIDC
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 on 2025-01-06
       with:
-        role-to-assume: ${{ secrets.awsIAMS3UploadRole }}
+        role-to-assume: ${{ env.AWS_ROLE }}
         role-session-name: github-action-account-link-extension-publish
         aws-region: us-west-1