From 6ff96aa4033614e7b736eae326df450aa7dc27f0 Mon Sep 17 00:00:00 2001
From: Matthew Warman
Date: Fri, 13 Mar 2026 10:48:57 -0400
Subject: [PATCH 1/2] Refactor deployment workflow to use reusable GitHub Actions

---
 .github/workflows/deploy-dev.yml | 81 ++--------------------
 .github/workflows/deploy-reusable.yml | 95 +++++++++++++++++++++++++++
 2 files changed, 102 insertions(+), 74 deletions(-)
 create mode 100644 .github/workflows/deploy-reusable.yml

diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
index bb941f7..09de3e4 100644
--- a/.github/workflows/deploy-dev.yml
+++ b/.github/workflows/deploy-dev.yml
@@ -9,77 +9,10 @@ concurrency:

 jobs:
 deploy:
- name: Deploy
- runs-on: ubuntu-latest
- timeout-minutes: 15
-
- permissions:
- contents: read
- id-token: write
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v6
-
- - name: Setup Node.js
- uses: actions/setup-node@v6
- with:
- node-version-file: .nvmrc
- cache: 'npm'
-
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v6
- with:
- role-to-assume: ${{ vars.AWS_ROLE_ARN_DEV }}
- aws-region: ${{ vars.AWS_REGION }}
- role-session-name: deploy-dev-lambda-starter
-
- - name: Install dependencies
- run: npm ci
-
- - name: Build application
- run: npm run build
-
- - name: Run tests
- run: npm run test
-
- - name: Install infrastructure dependencies
- working-directory: ./infrastructure
- run: npm ci
-
- - name: Create infrastructure .env file
- working-directory: ./infrastructure
- run: echo "${{ vars.CDK_ENV_DEV }}" > .env
-
- - name: Build infrastructure
- working-directory: ./infrastructure
- run: npm run build
-
- - name: Bootstrap CDK (if needed)
- working-directory: ./infrastructure
- run: |
- # Check if bootstrap is needed
- if ! aws cloudformation describe-stacks --stack-name CDKToolkit --region ${{ vars.AWS_REGION }} >/dev/null 2>&1; then
- echo "Bootstrapping CDK..."
- npm run bootstrap
- else
- echo "CDK already bootstrapped"
- fi
-
- - name: Synthesize CDK stacks
- working-directory: ./infrastructure
- run: npm run synth
-
- - name: Deploy CDK stacks
- working-directory: ./infrastructure
- run: npm run deploy:all -- --require-approval never --progress events
-
- # Final Step: Clean up sensitive infrastructure files
- - name: Clean up sensitive files
- if: always()
- working-directory: ./infrastructure
- run: |
- echo "🧹 Cleaning up sensitive files..."
- rm -f .env
- rm -rf cdk.out
- echo "✅ Sensitive files cleaned up"
+ name: Deploy to DEV
+ uses: ./.github/workflows/deploy-reusable.yml
+ with:
+ aws_role_arn: ${{ vars.AWS_ROLE_ARN_DEV }}
+ aws_region: ${{ vars.AWS_REGION }}
+ cdk_env: ${{ vars.CDK_ENV_DEV }}
+ secrets: inherit
diff --git a/.github/workflows/deploy-reusable.yml b/.github/workflows/deploy-reusable.yml
new file mode 100644
index 0000000..c0d6785
--- /dev/null
+++ b/.github/workflows/deploy-reusable.yml
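Review bot: The new `deploy` job drops the `permissions:` block (`contents: read`, `id-token: write`) that the removed inline job carried, while the called `deploy-reusable.yml` job still requests `id-token: write` for its OIDC credential step; a called workflow can only downscope the caller's token, so unless a workflow-level `permissions:` above this hunk grants it, the run will fail at that step with a permissions error. Keep `permissions:` / `  contents: read` / `  id-token: write` on the calling job (or at workflow level) so the grant is explicit. `secrets: inherit` also exposes every repository and organization secret to the called workflow, which declares no `secrets:` under `workflow_call` and authenticates through OIDC and `vars` only; drop the line, or replace it with an explicit `secrets:` map when one is actually needed. The workflow's `on:` and `concurrency:` blocks sit above this hunk, so whether a top-level permissions block already exists cannot be confirmed from here.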
@@ -0,0 +1,95 @@
+name: Deploy (Reusable)
+
+on:
+ workflow_call:
+ inputs:
+ aws_role_arn:
+ description: 'AWS Role ARN for credential assumption'
+ required: true
+ type: string
+ aws_region:
+ description: 'AWS region'
+ required: false
+ type: string
+ default: 'us-east-1'
+ cdk_env:
+ description: 'CDK environment variables'
+ required: true
+ type: string
+
+jobs:
+ deploy:
+ name: Deploy
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+
+ permissions:
+ contents: read
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v6
+ with:
+ node-version-file: .nvmrc
+ cache: 'npm'
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v6
+ with:
+ role-to-assume: ${{ inputs.aws_role_arn }}
+ aws-region: ${{ inputs.aws_region }}
+ role-session-name: deploy-lambda-starter
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Build application
+ run: npm run build
+
+ - name: Run tests
+ run: npm run test
+
+ - name: Install infrastructure dependencies
+ working-directory: ./infrastructure
+ run: npm ci
+
+ - name: Create infrastructure .env file
+ working-directory: ./infrastructure
+ run: echo "${{ inputs.cdk_env }}" > .env
+
+ - name: Build infrastructure
+ working-directory: ./infrastructure
+ run: npm run build
+
+ - name: Bootstrap CDK (if needed)
+ working-directory: ./infrastructure
+ run: |
+ # Check if bootstrap is needed
+ if ! aws cloudformation describe-stacks --stack-name CDKToolkit --region ${{ inputs.aws_region }} >/dev/null 2>&1; then
+ echo "Bootstrapping CDK..."
+ npm run bootstrap
+ else
+ echo "CDK already bootstrapped"
+ fi
+
+ - name: Synthesize CDK stacks
+ working-directory: ./infrastructure
+ run: npm run synth
+
+ - name: Deploy CDK stacks
+ working-directory: ./infrastructure
+ run: npm run deploy:all -- --require-approval never --progress events
+
+ # Final Step: Clean up sensitive infrastructure files
+ - name: Clean up sensitive files
+ if: always()
+ working-directory: ./infrastructure
+ run: |
+ echo "🧹 Cleaning up sensitive files..."
+ rm -f .env
+ rm -rf cdk.out
+ echo "✅ Sensitive files cleaned up"
From 993a76a5940528200bbd0a280f030f37eef39e0c Mon Sep 17 00:00:00 2001
From: Matthew Warman
Date: Fri, 13 Mar 2026 10:49:04 -0400
Subject: [PATCH 2/2] Update deployment workflows to use reusable patterns and enhance DEV deployment process

---
 docs/DevOpsGuide.md | 40 +++++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 9 deletions(-)

diff --git a/docs/DevOpsGuide.md b/docs/DevOpsGuide.md
index 32a5d6e..c14d032 100644
--- a/docs/DevOpsGuide.md
+++ b/docs/DevOpsGuide.md
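Review bot: `run: echo "${{ inputs.cdk_env }}" > .env` in the "Create infrastructure .env file" step expands a workflow_call input straight into the shell script, so a quote, `$(`, or backtick in the value is interpreted by the shell instead of being written to the file; the bootstrap step's `--region ${{ inputs.aws_region }}` follows the same pattern. Today the value arrives from the caller's `vars.CDK_ENV_DEV`, which limits exposure to whoever can edit repository variables, but a reusable workflow should not depend on every future caller being that careful. Pass the input through the environment instead: add `env:` / `  CDK_ENV: ${{ inputs.cdk_env }}` to the step and change the run line to `printf '%s\n' "$CDK_ENV" > .env` (and likewise an env var for the region in the bootstrap script). If the `.env` content holds anything sensitive — the cleanup step already treats the file that way — note that `inputs` are not masked in logs the way `secrets` are, so declaring it under `workflow_call.secrets` would be the safer channel. `role-session-name: deploy-lambda-starter` also lost the environment discriminator the old `deploy-dev-lambda-starter` carried; adding an environment or `${{ github.run_id }}` component keeps CloudTrail attribution per deployment.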
@@ -36,13 +36,17 @@ The project utilizes the following workflows.

 ## Deployment Workflows

-The project includes environment-specific deployment workflows that use GitHub Actions to deploy the application and infrastructure to AWS. Deployments require proper AWS credentials and environment variables to be configured.
+The project includes deployment workflows that use GitHub Actions to deploy the application and infrastructure to AWS. These workflows use a reusable workflow pattern to maintain consistency across environments. Deployments require proper AWS credentials and environment variables to be configured.

-### Deploy to DEV
+### Deploy (Reusable)

-**Workflow:** `deploy-dev.yml`
+**Workflow:** `deploy-reusable.yml`
+
+A reusable workflow that provides the foundational deployment logic. This workflow is called by environment-specific deployment workflows and accepts the following inputs:

-Manually triggered workflow that deploys the application and infrastructure to the DEV environment.
+- `aws_role_arn` (required): AWS IAM role ARN for credential assumption
+- `aws_region` (optional): AWS region (defaults to `us-east-1`)
+- `cdk_env` (required): CDK environment variables containing stack configuration

 **Process:**

@@ -51,11 +55,29 @@ Manually triggered workflow that deploys the application and infrastructure to t
 3. Configures AWS credentials via OIDC role assumption
 4. Installs and builds application code
 5. Runs all application tests
-6. Installs and builds infrastructure code
-7. Bootstraps CDK (if needed)
-8. Synthesizes CDK stacks
-9. Deploys all CDK stacks
-10. Cleans up sensitive files
+6. Installs infrastructure dependencies
+7. Creates `.env` file with CDK configuration
+8. Builds infrastructure code
+9. Bootstraps CDK (if needed)
+10. Synthesizes CDK stacks
+11. Deploys all CDK stacks using `npm run deploy:all -- --require-approval never --progress events`
+12. Cleans up sensitive files (`.env`, `cdk.out`)
+
+### Deploy to DEV
+
+**Workflow:** `deploy-dev.yml`
+
+Environment-specific workflow that triggers the reusable deployment workflow for the DEV environment.
+
+**Process:**
+
+- Calls the reusable `deploy-reusable.yml` workflow
+- Passes DEV-specific configuration:
+ - `AWS_ROLE_ARN_DEV` as the AWS role ARN
+ - `AWS_REGION` as the AWS region
+ - `CDK_ENV_DEV` as the CDK environment variables
+
+**Concurrency:** Only one DEV deployment can run at a time; subsequent requests will cancel the in-progress workflow.

 **Trigger:** Manual (`workflow_dispatch`)