And even better, you can scope assuming an AWS IAM role to a specific branch name & workflow filename, so only code/workflows that have been through review have access to CD secrets/prod infra.
i.e. no prod access by editing the workflow definition and pushing it to a branch.
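As an added illustration (not code from the comment above), here is what that scoping looks like in an IAM role trust policy, plus a small evaluator that mimics how STS checks the policy's conditions against the claims in a GitHub Actions OIDC token. It assumes constructed values (org/repo name, a placeholder account id, `deploy.yml`, `main`) and that the repository's OIDC subject claim has been customised to include `job_workflow_ref`, since AWS matches on the `sub` and `aud` claims.

```python
import fnmatch

# Constructed example values; none of these come from the original comment.
ORG_REPO = "example-org/example-app"
WORKFLOW = "deploy.yml"
BRANCH = "main"
PROVIDER = "token.actions.githubusercontent.com"

# Assumed sub layout for a subject template of ["repo", "context", "job_workflow_ref"]:
# the reviewed workflow file on the reviewed branch is the only subject that matches.
EXPECTED_SUB = (
    f"repo:{ORG_REPO}:ref:refs/heads/{BRANCH}"
    f":job_workflow_ref:{ORG_REPO}/.github/workflows/{WORKFLOW}@refs/heads/{BRANCH}"
)

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        # 123456789012 is a placeholder account id
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{PROVIDER}:aud": "sts.amazonaws.com",
            f"{PROVIDER}:sub": EXPECTED_SUB,
        }},
    }],
}


def github_claims(branch: str, workflow_file: str) -> dict:
    """Constructed claims as GitHub would mint them for a run of workflow_file on branch."""
    ref = f"refs/heads/{branch}"
    return {"aud": "sts.amazonaws.com",
            "sub": f"repo:{ORG_REPO}:ref:{ref}:job_workflow_ref:"
                   f"{ORG_REPO}/.github/workflows/{workflow_file}@{ref}"}


def assume_allowed(claims: dict, policy: dict = TRUST_POLICY) -> bool:
    """Mimic STS evaluation of the trust policy: an Allow statement for
    AssumeRoleWithWebIdentity applies only if every condition key matches."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        ok = True
        for operator, conds in stmt.get("Condition", {}).items():
            for key, expected in conds.items():
                actual = claims.get(key.split(":", 1)[1])   # strip the provider prefix
                if operator == "StringEquals":
                    ok &= actual == expected
                elif operator == "StringLike":               # wildcard form, e.g. for PR refs
                    ok &= actual is not None and fnmatch.fnmatchcase(actual, expected)
                else:
                    ok = False
        if ok:
            return True
    return False
```

A token from a feature branch, or from main running a different workflow file, fails the `sub` match, so editing the workflow and pushing it to a branch yields no role.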