The `deploy-infra.yml` workflow deploys both CDK stacks to AWS.
Trigger

| Event | Condition |
|---|---|
| Push to `main` | Only when files under `infra/` change |
| Manual | `workflow_dispatch` — no conditions |
Required GitHub variables

| Variable | Value |
|---|---|
| `AWS_DEPLOY_ROLE_ASSUME` | ARN of `github-oidc-deploy-role` |
| `AWS_REGION` | `eu-west-1` |
| `AWS_ACCOUNT` | AWS account ID (used as CDK context) |
What it does

- Checks out the repository.
- Assumes `github-oidc-deploy-role` via OIDC — no long-lived credentials.
- Installs CDK dependencies.
- Deploys both stacks. CloudFormation applies only the diff since the last deploy.
Notes

- The deploy role uses least-privilege permissions (CloudFormation, S3, IAM PassRole, SSM, CDK bootstrap roles only).
- Stacks are deployed with `--require-approval never` to avoid interactive prompts in CI.
- The S3 bucket has `removalPolicy: RETAIN` — it is never deleted, even if the stack is destroyed.
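An added example of a workflow that matches the trigger, variables and steps described above; it is not the project's own `deploy-infra.yml`. The `concurrency` group, the Node 20 setup and the `npm ci` install are assumptions that go beyond what this page states.

```yaml
# Added example, not the project's deploy-infra.yml. Assumes a Node-based
# CDK app under infra/ with a committed package-lock.json.
name: deploy-infra

on:
  push:
    branches: [main]
    paths:
      - "infra/**"          # only runs when infrastructure code changes
  workflow_dispatch:        # manual run, no conditions

# Least privilege for the workflow token: id-token:write is required to
# request the OIDC token that AWS STS exchanges for role credentials.
permissions:
  id-token: write
  contents: read

# Assumed addition: stop two deploys of the same stacks from racing.
concurrency:
  group: deploy-infra
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: infra
    steps:
      - uses: actions/checkout@v4

      # Short-lived credentials via OIDC: no AWS access keys stored in GitHub.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_DEPLOY_ROLE_ASSUME }}
          aws-region: ${{ vars.AWS_REGION }}

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - run: npm ci

      # --require-approval never suppresses the interactive IAM/security-group
      # prompt; the account ID is passed as CDK context, as the table above notes.
      - run: >
          npx cdk deploy --all
          --require-approval never
          --context account=${{ vars.AWS_ACCOUNT }}
```

The role named in `AWS_DEPLOY_ROLE_ASSUME` must have a trust policy that accepts the GitHub OIDC provider for this repository, otherwise the credentials step fails before any deploy runs.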