GitHub Actions workflow

James Shaw edited this page May 19, 2024 · 2 revisions

The default GitHub Actions workflow connects to AWS using OIDC. A job declares an environment, which is associated with an AWS account using the AWS_ACCOUNT_ID environment variable. An OIDC provider is configured in each AWS account to allow access from the associated environment, using the GitHubActionRole construct from cdk-pipelines-github. A job assumes the GitHubActions role in its associated AWS account via the OIDC provider, using configure-aws-credentials and AssumeRoleWithWebIdentity. The GitHubActions role is allowed to assume any CDK role.
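The flow described above, written out as a minimal workflow file. This is an added example, not the project's own workflow: the workflow name, trigger, environment name and region are assumed, and it assumes `AWS_ACCOUNT_ID` is stored as an environment-level variable readable through the `vars` context.

```yaml
# Added example: values marked "assumed" are not taken from this wiki page.
name: deploy                  # assumed workflow name
on:
  push:
    branches: [main]          # assumed trigger

permissions:
  id-token: write             # lets the job request a GitHub OIDC token
  contents: read              # checkout only; no other token scopes are granted

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production   # assumed environment name; it supplies AWS_ACCOUNT_ID
    steps:
      - uses: actions/checkout@v4

      - name: Assume the GitHubActions role via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Assumption: AWS_ACCOUNT_ID is an environment variable in the vars context
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/GitHubActions
          aws-region: eu-west-1                        # assumed region
          role-session-name: gha-${{ github.run_id }}  # ties CloudTrail entries to this run

      - name: Confirm which principal the job is running as
        run: aws sts get-caller-identity
```

For a job that declares an environment, the `sub` claim in the GitHub OIDC token has the form `repo:<owner>/<repo>:environment:<name>`, which is the value a role trust policy can match on to restrict `AssumeRoleWithWebIdentity` to that environment. No long-lived AWS keys are stored in the repository; the credentials issued to the job are temporary.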
