diff --git a/.github/workflows/pathogen-repo-build.yaml b/.github/workflows/pathogen-repo-build.yaml index 0960083..d458604 100644 --- a/.github/workflows/pathogen-repo-build.yaml +++ b/.github/workflows/pathogen-repo-build.yaml @@ -272,14 +272,16 @@ jobs: REPO_FULL_NAME: ${{ github.repository }} run: | echo "arn=arn:aws:iam::827581582529:role/GitHubActionsRoleNextstrainRepo@${REPO_FULL_NAME#*/}" | tee -a "$GITHUB_OUTPUT" - - uses: aws-actions/configure-aws-credentials@v4 + - name: Configure credentials for runtime access to AWS + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} role-to-assume: ${{ secrets.AWS_ACCESS_KEY_ID == '' && steps.role.outputs.arn || '' }} role-duration-seconds: 43200 # seconds, or 12 hours - - run: aws sts get-caller-identity + - name: Report identity of runtime access to AWS + run: aws sts get-caller-identity - name: Save runtime AWS credentials to ${{ env.NEXTSTRAIN_RUNTIME_ENVDIR }} run: | "$NEXTSTRAIN_GITHUB_DIR"/bin/write-envdir "$NEXTSTRAIN_RUNTIME_ENVDIR" \ @@ -292,6 +294,7 @@ jobs: # Comment only applies to this first use of the `&setup-aws-batch-credentials`, so # outdenting comments to not repeat it with expanded YAML - if: inputs.runtime == 'aws-batch' + name: Configure credentials for GitHub Actions job access to AWS Batch uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 @@ -300,6 +303,7 @@ jobs: role-to-assume: ${{ secrets.AWS_ACCESS_KEY_ID == '' && 'arn:aws:iam::827581582529:role/GitHubActionsRoleNextstrainBatchJobs' || '' }} role-duration-seconds: 43200 # seconds, or 12 hours - if: inputs.runtime == 'aws-batch' + name: Report identity of GitHub Actions job access to AWS Batch run: aws sts get-caller-identity - name: Setup runtime ${{ inputs.runtime }} uses: ./.git/nextstrain/.github/actions/setup-nextstrain-cli 
@@ -370,6 +374,7 @@ jobs: ref: ${{ needs.workflow-context.outputs.sha }} path: ${{ env.NEXTSTRAIN_GITHUB_DIR }} - if: inputs.runtime == 'aws-batch' + name: Configure credentials for GitHub Actions job access to AWS Batch uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 @@ -427,6 +432,7 @@ jobs: ref: ${{ needs.workflow-context.outputs.sha }} path: ${{ env.NEXTSTRAIN_GITHUB_DIR }} - if: inputs.runtime == 'aws-batch' + name: Configure credentials for GitHub Actions job access to AWS Batch uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 @@ -485,6 +491,7 @@ jobs: ref: ${{ needs.workflow-context.outputs.sha }} path: ${{ env.NEXTSTRAIN_GITHUB_DIR }} - if: inputs.runtime == 'aws-batch' + name: Configure credentials for GitHub Actions job access to AWS Batch uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 @@ -543,6 +550,7 @@ jobs: ref: ${{ needs.workflow-context.outputs.sha }} path: ${{ env.NEXTSTRAIN_GITHUB_DIR }} - if: inputs.runtime == 'aws-batch' + name: Configure credentials for GitHub Actions job access to AWS Batch uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 @@ -624,6 +632,7 @@ jobs: ref: ${{ needs.workflow-context.outputs.sha }} path: ${{ env.NEXTSTRAIN_GITHUB_DIR }} - if: inputs.runtime == 'aws-batch' + name: Configure credentials for GitHub Actions job access to AWS Batch uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 diff --git a/.github/workflows/pathogen-repo-build.yaml.in b/.github/workflows/pathogen-repo-build.yaml.in index 0a961c5..03f3f0d 100644 --- a/.github/workflows/pathogen-repo-build.yaml.in +++ b/.github/workflows/pathogen-repo-build.yaml.in 
@@ -236,14 +236,17 @@ jobs: run: | echo "arn=arn:aws:iam::827581582529:role/GitHubActionsRoleNextstrainRepo@${REPO_FULL_NAME#*/}" | tee -a "$GITHUB_OUTPUT" - - uses: aws-actions/configure-aws-credentials@v4 + - name: Configure credentials for runtime access to AWS + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} role-to-assume: ${{ secrets.AWS_ACCESS_KEY_ID == '' && steps.role.outputs.arn || '' }} role-duration-seconds: 43200 # seconds, or 12 hours - - run: aws sts get-caller-identity + + - name: Report identity of runtime access to AWS + run: aws sts get-caller-identity - name: Save runtime AWS credentials to ${{ env.NEXTSTRAIN_RUNTIME_ENVDIR }} run: | @@ -259,6 +262,7 @@ jobs: # outdenting comments to not repeat it with expanded YAML - &setup-aws-batch-credentials if: inputs.runtime == 'aws-batch' + name: Configure credentials for GitHub Actions job access to AWS Batch uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-1 @@ -266,7 +270,9 @@ jobs: aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} role-to-assume: ${{ secrets.AWS_ACCESS_KEY_ID == '' && 'arn:aws:iam::827581582529:role/GitHubActionsRoleNextstrainBatchJobs' || '' }} role-duration-seconds: 43200 # seconds, or 12 hours + - if: inputs.runtime == 'aws-batch' + name: Report identity of GitHub Actions job access to AWS Batch run: aws sts get-caller-identity - &setup-runtime
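Review bot: `aws-actions/configure-aws-credentials@v4` on the newly named "Configure credentials for runtime access to AWS" step (@@ -236 hunk) is a mutable tag. This action is handed `secrets.AWS_ACCESS_KEY_ID` and `secrets.AWS_SECRET_ACCESS_KEY` and requests sessions of up to 12 hours, so whatever code the tag points to at run time executes with those credentials. Pin the reference to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v4` (placeholder; use the SHA of the release you have reviewed). The same reference is used by the `&setup-aws-batch-credentials` step in the @@ -259 hunk and by every expanded copy in pathogen-repo-build.yaml, which looks generated from this template. The step list starts and ends outside the hunk.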
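Review bot: The "Report identity of GitHub Actions job access to AWS Batch" step (@@ -266 hunk) has a name now but still no comment saying why it is there, and it is the only log evidence of which credential path the job took. The `role-to-assume` expression just above it evaluates to an empty string whenever `secrets.AWS_ACCESS_KEY_ID` is set, so in that case the job runs on the static keys and `role-duration-seconds` presumably has no effect. I would add above the step `# Audit aid: logs the account and ARN in use (IAM user from static keys vs. assumed role); prints no secret material.` The same comment fits the "Report identity of runtime access to AWS" step in the @@ -236 hunk. The step list continues outside the hunk.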