I would like to use a slightly different authentication pattern where each stage uses its own GHA role. The current configuration appears to only support a single role for the whole pipeline, which is then used to assume the CDK role for upload/deployment.
Would it be possible to modify the stage configuration pipeline.addStageWithGitHubOptions() to support a separate role per stage? Would you be open to accepting a PR which does this?
Background:
The reason for this request is that with a single role, it seems like we would need to either:
Have one stage account designated as the 'pipeline' account, which contains the GHA role, and then have the other accounts set up with cdk bootstrap to trust it. OR
Have a completely separate pipeline account to contain the GHA role which is trusted by the stage accounts.
The above change, to support a role per stage, would make the configuration closer to the cdk pattern, where we 'bootstrap' the accounts first, to create the roles, with no need for an additional account, or mixing 'pipeline' and 'stage' accounts.
I like that idea! The concept of 'pipeline' account doesn't make much sense in the world of GitHub Actions and OIDC. Actually... the GitHub Actions is the pipeline account 😄