
Automated GitHub Backups to Amazon S3

DEV Community

After realizing that GitHub had become a single point of failure for valuable code, the author set out to create an off‑platform, automated backup system. Amazon S3 emerged as the ideal choice: independent, inexpensive, durable, and built for long‑term storage. The solution hinges on GitHub Actions running on a weekly schedule and issuing an OIDC token, which AWS STS validates before returning temporary credentials.

Those credentials let the workflow upload a git bundle—a single file that preserves every commit, branch, and tag—to an S3 bucket. Avoiding static AWS keys, the author uses OIDC and temporary credentials, keeping secrets out of the repository. A key lesson was understanding the difference between IAM role policies and S3 bucket policies; misplacing a principal in a bucket policy caused “Invalid principal” errors.

The Terraform configuration creates an OIDC provider, an IAM role that trusts GitHub, and a write‑only policy for the bucket. Restoring is as simple as cloning the bundle and pushing all refs back to GitHub. The result is a lean, reliable backup that works silently until a disaster forces a recovery.
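A sketch of the three Terraform pieces named above (OIDC provider, role that trusts GitHub, write-only policy), written for this summary as an added example and not taken from the author's configuration. The repository, bucket, role names and the `main` branch in the `sub` claim are placeholder assumptions.

```hcl
# Added example. All names below are placeholders, not the author's values.
locals {
  github_repo   = "example-org/example-repo" # placeholder repository
  backup_bucket = "example-github-backups"   # placeholder bucket
}

resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  # Older AWS provider releases also require thumbprint_list here.
}

# Trust policy: the only place the GitHub OIDC provider appears as a Principal.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    # Pin the role to one repository and branch (assumes schedule runs on main).
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${local.github_repo}:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "backup" {
  name               = "github-backup-uploader" # placeholder
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Identity policy on the role: no Principal element, upload only (no read, list or delete).
data "aws_iam_policy_document" "write_only" {
  statement {
    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${local.backup_bucket}/*"]
  }
}

resource "aws_iam_role_policy" "write_only" {
  name   = "s3-write-only" # placeholder
  role   = aws_iam_role.backup.id
  policy = data.aws_iam_policy_document.write_only.json
}
```

If a bucket policy is used as well, its principal would be the IAM role's ARN; the federated GitHub provider belongs only in the role's trust policy.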