fix(ci-lease): add role-chaining=true on the leased-account assume step

The configure-aws-credentials@v6 action's default credential resolution
preferentially uses OIDC when an id-token is available. For the second
step in scenario-ci.yml (assuming CIDeployRole inside the leased pool
account), this caused:

  Could not assume role with OIDC: No OpenIDConnect provider found
  in your account for https://token.actions.githubusercontent.com

The leased pool account has no GitHub OIDC provider — we want the
action to sigv4-sign from the already-loaded hub credentials instead.
role-chaining: true forces that behavior.

The third step (switching BACK to the hub role for the release call)
keeps the default OIDC resolution: GitHub still emits an id-token
(thanks to permissions: id-token: write), and the hub role trusts the
GHA OIDC provider but not the leased-account principal.

Author: chrisns

.github/workflows/scenario-ci.yml

@@ -91,14 +91,18 @@ jobs:
             --template '${{ inputs.lease_template }}' \
             --user-email '${{ inputs.ci_lease_email }}'
 
-      # Now assume the in-lease CIDeployRole using the account_id we just got.
+      # Now assume the in-lease CIDeployRole. role-chaining=true tells
+      # configure-aws-credentials to sigv4-sign from the already-loaded
+      # hub creds (sts:AssumeRole) instead of trying OIDC against the
+      # leased account (which has no OIDC provider).
       - uses: aws-actions/configure-aws-credentials@v6
         id: lease-creds
         with:
           role-to-assume: arn:aws:iam::${{ steps.lease.outputs.account_id }}:role/InnovationSandbox-ndx-CIDeployRole
           role-session-name: scenario-ci-deploy-${{ github.run_id }}
           aws-region: us-east-1
           role-duration-seconds: 21600
+          role-chaining: true
 
       - name: Deploy scenario stack
         id: deploy