wip: stats

Author: adamdotdevin

.github/workflows/deploy.yml

@@ -9,9 +9,15 @@ on:
 
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   deploy:
+    if: github.repository == 'anomalyco/opencode' && (github.ref_name == 'dev' || github.ref_name == 'production')
     runs-on: ubuntu-latest
+    environment: ${{ github.ref_name }}
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
@@ -21,6 +27,12 @@ jobs:
         with:
           node-version: "24"
 
+      - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+        with:
+          role-to-assume: ${{ vars.AWS_DEPLOY_ROLE_ARN }}
+          role-session-name: opencode-${{ github.run_id }}
+          aws-region: us-east-1
+
       - run: bun sst deploy --stage=${{ github.ref_name }}
         env:
           CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}

infra/stage.ts

@@ -6,6 +6,49 @@ export const domain = (() => {
 
 export const zoneID = "430ba34c138cfb5360826c4909f99be8"
 
+const githubActionsDeployRole = (() => {
+  if ($app.stage !== "dev" && $app.stage !== "production") return
+
+  const provider = new aws.iam.OpenIdConnectProvider("GithubActionsOidcProvider", {
+    url: "https://token.actions.githubusercontent.com",
+    clientIdLists: ["sts.amazonaws.com"],
+  })
+  const role = new aws.iam.Role("GithubActionsDeployRole", {
+    name: `opencode-${$app.stage}-github-actions-deploy`,
+    maxSessionDuration: 3600,
+    assumeRolePolicy: aws.iam.getPolicyDocumentOutput({
+      statements: [
+        {
+          effect: "Allow",
+          actions: ["sts:AssumeRoleWithWebIdentity"],
+          principals: [{ type: "Federated", identifiers: [provider.arn] }],
+          conditions: [
+            {
+              test: "StringEquals",
+              variable: "token.actions.githubusercontent.com:aud",
+              values: ["sts.amazonaws.com"],
+            },
+            {
+              test: "StringEquals",
+              variable: "token.actions.githubusercontent.com:sub",
+              values: [`repo:anomalyco/opencode:environment:${$app.stage}`],
+            },
+          ],
+        },
+      ],
+    }).json,
+  })
+
+  new aws.iam.RolePolicyAttachment("GithubActionsDeployRoleAdmin", {
+    role: role.name,
+    policyArn: "arn:aws:iam::aws:policy/AdministratorAccess",
+  })
+
+  return role
+})()
+
+export const githubActionsDeployRoleArn = githubActionsDeployRole?.arn
+
 new cloudflare.RegionalHostname("RegionalHostname", {
   hostname: domain,
   regionKey: "us",

sst-env.d.ts

@@ -341,4 +341,4 @@ declare module "sst" {
 }
 
 import "sst"
-export {}
+export {}

sst.config.ts

@@ -28,6 +28,7 @@ export default $config({
     }
   },
   async run() {
+    const stage = await import("./infra/stage.js")
     await import("./infra/app.js")
     await import("./infra/lake.js")
     const stats = await import("./infra/stats.js")
@@ -40,6 +41,7 @@ export default $config({
     return {
       StatWorkerUrl: stat.url,
       StatsUrl: stats.app.url,
+      ...(stage.githubActionsDeployRoleArn ? { GithubActionsDeployRoleArn: stage.githubActionsDeployRoleArn } : {}),
     }
   },
 })