feat(ci): add deploy.yml workflow triggered by build completion

scottschreckengaust · claude · scottschreckengaust · commit feccf16091bd · 2026-05-15T01:19:57.000Z
Adds a deploy workflow that: - Fires on workflow_run after build.yml succeeds - Resolves deploy targets from PR labels (deploy=all, deploy:<type>=one) or defaults to all registered types on push to main - Skips entirely (no approval prompt) when no deploy labels are present - Downloads the exact cdk-<compute_type>-out artifact from the build run - Uses OIDC to assume the CDK bootstrap deploy role - Deploys via `cdk deploy --app cdk/cdk.out --all --require-approval never` - Protected by the `deploy` GitHub environment (manual approval required) - Concurrency: non-cancellable once started, max-parallel 3 Part of #73 Phase 3. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,116 @@
+name: deploy
+on:
+  # zizmor: ignore[dangerous-triggers] — intentional; workflow_run is required
+  # for OIDC id-token on PR builds. Mitigations: env-var-only untrusted input,
+  # least-privilege permissions per job, deploy environment approval gate.
+  workflow_run:
+    workflows: [build]
+    types: [completed]
+permissions: {}
+jobs:
+  resolve-targets:
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      pull-requests: read
+    outputs:
+      matrix: ${{ steps.targets.outputs.matrix }}
+      has_targets: ${{ steps.targets.outputs.has_targets }}
+      run_id: ${{ github.event.workflow_run.id }}
+    steps:
+      - name: Resolve deploy targets from labels
+        id: targets
+        env:
+          GH_TOKEN: ${{ github.token }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+          EVENT_TYPE: ${{ github.event.workflow_run.event }}
+          REPO: ${{ github.repository }}
+          PR_NUMBER_FROM_EVENT: ${{ github.event.workflow_run.pull_requests[0].number }}
+        run: |
+          ALL_TYPES='["agentcore"]'
+
+          # Push to main always deploys all registered types
+          if [[ "$HEAD_BRANCH" == "main" && "$EVENT_TYPE" == "push" ]]; then
+            echo "matrix=$ALL_TYPES" >> "$GITHUB_OUTPUT"
+            echo "has_targets=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # For PRs, look up labels via API
+          if [[ -z "$PR_NUMBER_FROM_EVENT" ]]; then
+            echo "matrix=[]" >> "$GITHUB_OUTPUT"
+            echo "has_targets=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          LABELS=$(gh api "repos/$REPO/pulls/$PR_NUMBER_FROM_EVENT" --jq '[.labels[].name]')
+
+          if echo "$LABELS" | jq -e 'index("deploy:*")' > /dev/null 2>&1; then
+            echo "matrix=$ALL_TYPES" >> "$GITHUB_OUTPUT"
+            echo "has_targets=true" >> "$GITHUB_OUTPUT"
+          elif echo "$LABELS" | jq -e '[.[] | select(startswith("deploy:"))] | length > 0' > /dev/null 2>&1; then
+            TYPES=$(echo "$LABELS" | jq -c '[.[] | select(startswith("deploy:")) | ltrimstr("deploy:")]')
+            echo "matrix=$TYPES" >> "$GITHUB_OUTPUT"
+            echo "has_targets=true" >> "$GITHUB_OUTPUT"
+          elif echo "$LABELS" | jq -e 'index("deploy")' > /dev/null 2>&1; then
+            echo "matrix=$ALL_TYPES" >> "$GITHUB_OUTPUT"
+            echo "has_targets=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "matrix=[]" >> "$GITHUB_OUTPUT"
+            echo "has_targets=false" >> "$GITHUB_OUTPUT"
+          fi
+
+  deploy:
+    needs: resolve-targets
+    if: needs.resolve-targets.outputs.has_targets == 'true'
+    runs-on: ubuntu-latest
+    environment: deploy
+    concurrency:
+      group: deploy-${{ matrix.compute_type }}
+      cancel-in-progress: false
+    strategy:
+      matrix:
+        compute_type: ${{ fromJson(needs.resolve-targets.outputs.matrix) }}
+      max-parallel: 3
+    permissions:
+      id-token: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Download CDK artifact (${{ matrix.compute_type }})
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: cdk-${{ matrix.compute_type }}-out
+          path: cdk/
+          run-id: ${{ needs.resolve-targets.outputs.run_id }}
+          github-token: ${{ github.token }}
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Install mise
+        uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
+        with:
+          cache: true
+
+      - name: Setup Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: 22.x
+
+      - name: Install dependencies
+        run: yarn install --immutable
+
+      - name: Deploy
+        env:
+          COMPUTE_TYPE: ${{ matrix.compute_type }}
+        run: npx cdk deploy --app cdk/cdk.out --all --require-approval never
