[AWS] Story 6: CI/CD Pipeline (GitHub Actions) #181

@mfittko

Description

Problem Statement

Production deployment needs a repeatable CI/CD path that builds artifacts,
publishes images, and deploys safely only from approved release triggers.

Scope

In scope:

  • GitHub Actions deployment workflow
  • AWS OIDC authentication
  • ECR publishing
  • ECS deployment health checks
  • Trigger policy for main and stable tags

Out of scope:

  • Replacing the release policy from the release workflow story
  • Manual approval tooling outside GitHub Actions
  • Non-ECS deployment targets

Technical Approach

  • Use GitHub OIDC for AWS authentication.
  • Build and publish the image to ECR.
  • Deploy ECS services on approved triggers only.
  • Wait for service stabilization and fail unhealthy rollouts.
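
An added example, not code from this issue or the project, of a GitHub Actions workflow that follows the four steps above end to end: OIDC role assumption, ECR push by digest, deployment gated on a `*-stable` tag, and a steady-state wait that fails the job on an unhealthy or rolled-back rollout. The role ARN, region, ECR repository, cluster and service names are placeholders supplied through repository and environment variables.

```yaml
name: deploy
on: { push: { branches: [main], tags: ['*-stable'] } }   # only *-stable tags are production triggers
permissions: { id-token: write, contents: read }          # id-token lets the job mint an OIDC token; no stored access keys
jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      image: ${{ steps.push.outputs.image }}
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.BUILD_ROLE_ARN }}   # placeholder repo-level var; push-only role, trust policy scoped to this repo
          aws-region: us-east-1                       # placeholder
      - id: ecr
        uses: aws-actions/amazon-ecr-login@v2
      - id: push                # main always builds; pushing from main is opt-in via a repository variable
        env:
          REPO: ${{ steps.ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}
          PUSH: ${{ github.ref_type == 'tag' || vars.PUSH_MAIN_TO_STAGING == 'true' }}
        run: |
          docker build -t "$REPO:$GITHUB_SHA" .
          [ "$PUSH" = "true" ] || exit 0
          docker push "$REPO:$GITHUB_SHA"   # the deploy job pins the digest recorded below, not a movable tag
          echo "image=$(docker inspect --format '{{index .RepoDigests 0}}' "$REPO:$GITHUB_SHA")" >> "$GITHUB_OUTPUT"
  deploy-production:
    needs: build
    if: github.ref_type == 'tag'  # the tag filter above already limits tag runs to *-stable
    runs-on: ubuntu-latest
    environment: production       # environment-scoped vars hold the production role, cluster and service
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.DEPLOY_ROLE_ARN }}   # placeholder environment var
          aws-region: us-east-1
      - env:
          IMAGE: ${{ needs.build.outputs.image }}
          CLUSTER: ${{ vars.ECS_CLUSTER }}
          SERVICE: ${{ vars.ECS_SERVICE }}
        run: |
          current=$(aws ecs describe-services --cluster "$CLUSTER" --services "$SERVICE" --query 'services[0].taskDefinition' --output text)
          aws ecs describe-task-definition --task-definition "$current" --query taskDefinition --output json \
            | jq --arg img "$IMAGE" '.containerDefinitions[0].image = $img | del(.taskDefinitionArn,.revision,.status,.requiresAttributes,.compatibilities,.registeredAt,.registeredBy)' > td.json
          new=$(aws ecs register-task-definition --cli-input-json file://td.json --query taskDefinition.taskDefinitionArn --output text)
          aws ecs update-service --cluster "$CLUSTER" --service "$SERVICE" --task-definition "$new" > /dev/null
          aws ecs wait services-stable --cluster "$CLUSTER" --services "$SERVICE"   # non-zero exit on timeout fails the job
          # a deployment circuit-breaker rollback also reports "stable"; require the PRIMARY deployment to be the new revision
          primary=$(aws ecs describe-services --cluster "$CLUSTER" --services "$SERVICE" --query 'services[0].deployments[?status==`PRIMARY`].taskDefinition' --output text)
          [ "$primary" = "$new" ] || { echo "rollout did not land on $new"; exit 1; }
```

The final check is what distinguishes "ECS reports steady state" from "the intended revision is serving traffic", which is the gap the risk about premature success describes.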

Dependencies

Hard dependencies:

  • Release workflow contract
  • CDK foundation and config contract
  • Compute layer

Blocks:

  • Production readiness gate

Acceptance Criteria

  • OIDC authentication works (no long-lived keys)
  • Push to main builds and optionally pushes to staging ECR
  • *-stable tags deploy to production
  • ECS services update successfully
  • Workflow waits for deployment health
  • Failed deployments fail the workflow

Proposed Definition Of Done

  • Main-push workflow evidence is attached.
  • Stable-tag production workflow evidence is attached.
  • Invalid or non-stable trigger behavior evidence is attached.
  • Image digest and scan evidence are attached.

Validation Plan

  1. Verify OIDC auth works without stored AWS keys.
  2. Verify main-branch flow builds and handles staging behavior correctly.
  3. Verify a stable tag triggers production deployment.
  4. Verify unhealthy rollout causes workflow failure.
  5. Verify published artifact metadata is available for audit.

Risks And Mitigations

  • Risk: Trigger rules drift from the release workflow contract.
    • Mitigation: Reuse the exact release contract in workflow rules.
  • Risk: Workflow reports success before ECS is healthy.
    • Mitigation: Require steady-state wait and failure on unhealthy rollout.

Handoff Notes

This story implements the delivery mechanism defined by the release workflow
contract and depends on the runtime contract established by compute.

AC/DoD Coverage Matrix

| Item | Type (AC/DoD/Non-goal) | Status (Met/Partial/Unmet/Unverified) | Evidence (spec/tests/behavior) | Notes |
|---|---|---|---|---|
| OIDC authentication works (no long-lived keys) | AC | Unverified | Workflow auth proof | Source AC |
| Push to main builds and optionally pushes to staging ECR | AC | Unverified | Main workflow run | Source AC |
| *-stable tags deploy to production | AC | Unverified | Stable-tag run | Source AC |
| ECS services update successfully | AC | Unverified | ECS rollout evidence | Source AC |
| Workflow waits for deployment health | AC | Unverified | Workflow logs | Source AC |
| Failed deployments fail the workflow | AC | Unverified | Failure-path run | Source AC |
| Main-push workflow evidence is attached. | DoD | Unverified | Issue evidence | Proposed DoD |
| Stable-tag production workflow evidence is attached. | DoD | Unverified | Issue evidence | Proposed DoD |
| Invalid or non-stable trigger behavior evidence is attached. | DoD | Unverified | Issue evidence | Proposed DoD |
| Image digest and scan evidence are attached. | DoD | Unverified | Issue evidence | Proposed DoD |
