12 changes: 9 additions & 3 deletions .github/workflows/build-and-push.yml
@@ -1,4 +1,5 @@
# Implicitly requires the IAM_GITHUB_ROLE_ARN secret to be set for the target environment
# Implicitly requires the IAM_GITHUB_ROLE_ARN secret to be set for the target environment or
# if use_preprod_main_iam_github_role is true the PREPROD_IAM_GITHUB_ROLE_ARN secret must be set

name: Build image and push to ECR

@@ -21,6 +22,11 @@ on:
required: true
type: string
description: The environment to deploy to, e.g., dev2, int
use_preprod_main_iam_github_role:
required: false
type: boolean
default: false
description: If true, use the repository preprod main IAM role rather than the environment specific role

# Needed for OIDC authentication to AWS
permissions:
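Review bot: the description of `use_preprod_main_iam_github_role` only says which IAM role is selected, but the same input also removes the job's `environment` (via the `case()` on `environment:` further down), so environment protection rules and environment secrets stop applying to the job. State that in the description so callers understand what they opt out of, e.g. `description: If true, run outside any GitHub environment and assume the repository PREPROD_IAM_GITHUB_ROLE_ARN role instead of the environment's IAM_GITHUB_ROLE_ARN`.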
@@ -29,7 +35,7 @@ permissions:

jobs:
build-and-push:
environment: ${{ inputs.preprod_deploy_environment }}
environment: ${{ case(inputs.use_preprod_main_iam_github_role, null, inputs.preprod_deploy_environment) }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
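Review bot: setting `environment` to `null` changes the OIDC token's subject claim: a job inside an environment presents `repo:<org>/<repo>:environment:<name>`, whereas a job with no environment presents `repo:<org>/<repo>:ref:refs/heads/<branch>` (with the default subject format). The trust policy on the role behind PREPROD_IAM_GITHUB_ROLE_ARN must therefore match the `ref:refs/heads/main` subject, which is what the README's "allowed to act on the main branch" wording implies; a comment on this line saying so would stop someone later restoring the environment and silently breaking the trust condition. Dropping the environment also means no environment protection rules gate this job, which is the reason this input must only ever be combined with preprod targets.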
@@ -44,7 +50,7 @@ jobs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: ${{ secrets.IAM_GITHUB_ROLE_ARN }}
role-to-assume: ${{ case(inputs.use_preprod_main_iam_github_role, secrets.PREPROD_IAM_GITHUB_ROLE_ARN, secrets.IAM_GITHUB_ROLE_ARN) }}
role-session-name: ${{ github.run_id }}
aws-region: eu-west-2
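Review bot: if `use_preprod_main_iam_github_role` is true but PREPROD_IAM_GITHUB_ROLE_ARN is unset (or a caller forgets `secrets: inherit`), `role-to-assume` evaluates to an empty string and the failure surfaces as an opaque error from configure-aws-credentials. A fail-fast step before this one makes the misconfiguration obvious, e.g. `if: inputs.use_preprod_main_iam_github_role` with `env: ROLE_ARN: ${{ secrets.PREPROD_IAM_GITHUB_ROLE_ARN }}` and `run: test -n "$ROLE_ARN" || { echo "PREPROD_IAM_GITHUB_ROLE_ARN is not set"; exit 1; }` (passing the value through `env:` rather than interpolating it into the script).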

4 changes: 2 additions & 2 deletions .github/workflows/build-and-test.yml
@@ -1,4 +1,4 @@
# Implicitly requires the PREPROD_IAM_GITHUB_ROLE_ARN secret to be set for the repository (not in any environment)
# Implicitly requires the PREPROD_READ_ONLY_IAM_GITHUB_ROLE_ARN secret to be set for the repository (not in any environment)

name: Build and Test

@@ -32,7 +32,7 @@ jobs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: ${{ secrets.PREPROD_IAM_GITHUB_ROLE_ARN }}
role-to-assume: ${{ secrets.PREPROD_READ_ONLY_IAM_GITHUB_ROLE_ARN }}
role-session-name: ${{ github.run_id }}
aws-region: eu-west-2
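Review bot: swapping to PREPROD_READ_ONLY_IAM_GITHUB_ROLE_ARN is the right least-privilege change for a workflow that, per its header comment, is not tied to any environment, but the hunk gives no hint of which AWS calls the remaining steps of this job make. Confirm the read-only role's policy covers every one of them (a missing permission will now show up only as a runtime AccessDenied), and that its trust policy still scopes the OIDC subject to this repository rather than to the whole organisation, since a repository-level secret is reachable from any branch.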

14 changes: 11 additions & 3 deletions .github/workflows/build-image-and-deploy-to-dev2.yml
@@ -1,4 +1,5 @@
# Implicitly requires the IAM_GITHUB_ROLE_ARN secret to be set for the dev2 environment
# if use_preprod_main_iam_github_role is true the PREPROD_IAM_GITHUB_ROLE_ARN secret must be set instead

name: Build image and deploy to dev2 on merge to main

@@ -17,6 +18,11 @@ on:
required: true
type: string
description: The app name with the dev2 environment prepended, e.g., dev2-applications-api
use_preprod_main_iam_github_role:
required: false
type: boolean
default: false
description: If true, use the repository preprod main IAM role rather than the environment specific role

jobs:
get-latest-tag:
@@ -35,28 +41,30 @@ jobs:

bump-and-push-tag:
needs: get-latest-tag
uses: communitiesuk/eip-ero-shared-workflows/.github/workflows/bump-and-push-tag.yml@main
uses: communitiesuk/eip-ero-shared-workflows/.github/workflows/bump-and-push-tag.yml@eip1-13829-use-read-only-rule-and-avoid-dev2-environment-on-main
Contributor

Is this (and the others) going to be updated to main before merging?

Author

Yes. My plan was to get this draft reviewed first to make sure the code is okay before running it on Print API, then merge (after changing these back to main) once confirmed it all works.

with:
version: ${{ needs.get-latest-tag.outputs.version }}
bump_level: minor

build-and-push:
needs: bump-and-push-tag
uses: communitiesuk/eip-ero-shared-workflows/.github/workflows/build-and-push.yml@main
uses: communitiesuk/eip-ero-shared-workflows/.github/workflows/build-and-push.yml@eip1-13829-use-read-only-rule-and-avoid-dev2-environment-on-main
with:
version: ${{ needs.bump-and-push-tag.outputs.version }}
image_name: ${{ inputs.image_name }}
ecr_repo: ${{ inputs.ecr_repo }}
preprod_deploy_environment: dev2
use_preprod_main_iam_github_role: true
secrets: inherit

deploy:
needs:
- bump-and-push-tag
- build-and-push
uses: communitiesuk/eip-ero-shared-workflows/.github/workflows/deploy.yml@main
uses: communitiesuk/eip-ero-shared-workflows/.github/workflows/deploy.yml@eip1-13829-use-read-only-rule-and-avoid-dev2-environment-on-main
with:
deploy_environment: dev2
use_preprod_main_iam_github_role: true
version: ${{ needs.bump-and-push-tag.outputs.version }}
app_name_with_env: ${{ inputs.app_name_dev2_prefix }}
ecr_repo: ${{ inputs.ecr_repo }}
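Review bot: `use_preprod_main_iam_github_role: true` is passed as a literal to both `build-and-push` and `deploy`, so the `use_preprod_main_iam_github_role` input declared earlier in this file (default `false`) is never read, and a caller that sets it to false still gets the preprod main role. Either wire it through (`use_preprod_main_iam_github_role: ${{ inputs.use_preprod_main_iam_github_role }}`) or drop the input and the header-comment sentence that refers to it. As agreed in the thread above, the three `@eip1-13829-...` refs go back to `@main` before merge.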
4 changes: 2 additions & 2 deletions .github/workflows/copy-preprod-image-to-prod.yml
@@ -1,5 +1,5 @@
# Implicitly requires the IAM_GITHUB_ROLE_ARN secret to be set for the live environment,
# and PREPROD_IAM_GITHUB_ROLE_ARN secrets to be set for the repository (not in any environment)
# and PREPROD_READ_ONLY_IAM_GITHUB_ROLE_ARN secrets to be set for the repository (not in any environment)

name: Copy preprod image to prod

@@ -29,7 +29,7 @@ jobs:
- name: Configure AWS credentials (preprod)
uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: ${{ secrets.PREPROD_IAM_GITHUB_ROLE_ARN }}
role-to-assume: ${{ secrets.PREPROD_READ_ONLY_IAM_GITHUB_ROLE_ARN }}
role-session-name: ${{ github.run_id }}
aws-region: eu-west-2
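Review bot: the preprod side of an image copy only needs to pull, so a read-only role is the correct scope here. Make sure the role behind PREPROD_READ_ONLY_IAM_GITHUB_ROLE_ARN grants `ecr:GetAuthorizationToken`, `ecr:BatchGetImage` and `ecr:GetDownloadUrlForLayer` on the source repository, which are the calls a pull performs, and nothing on the write side such as `ecr:PutImage`; otherwise this job will be the first place the new role is exercised end to end and will fail at the copy step.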

2 changes: 1 addition & 1 deletion .github/workflows/dependency-submission.yml
@@ -25,7 +25,7 @@ jobs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: ${{ secrets.PREPROD_IAM_GITHUB_ROLE_ARN }}
role-to-assume: ${{ secrets.PREPROD_READ_ONLY_IAM_GITHUB_ROLE_ARN }}
role-session-name: ${{ github.run_id }}
aws-region: eu-west-2
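Review bot: dependency submission only reads package metadata, so the read-only role fits, but unlike the other workflow files this diff does not touch a header comment for dependency-submission.yml. If the file has one that names PREPROD_IAM_GITHUB_ROLE_ARN it is now stale; if it has none, add one in the same "Implicitly requires the PREPROD_READ_ONLY_IAM_GITHUB_ROLE_ARN secret" form so the implicit secret requirement stays discoverable.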

13 changes: 9 additions & 4 deletions .github/workflows/deploy.yml
@@ -1,5 +1,5 @@
# Implicitly requires the IAM_GITHUB_ROLE_ARN secret to be set for the target environment.
# If the target environment is live, the PREPROD_IAM_GITHUB_ROLE_ARN secret must also set.
# If the target environment is live, the PREPROD_READ_ONLY_IAM_GITHUB_ROLE_ARN secret must also set.

name: Deploy
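Review bot: the header comment still says IAM_GITHUB_ROLE_ARN is required for the target environment, but when `use_preprod_main_iam_github_role` is true the job assumes PREPROD_IAM_GITHUB_ROLE_ARN instead and the environment secret is never read, so this file's comment should get the same "or, if use_preprod_main_iam_github_role is true, ..." wording that build-and-push.yml received. While touching it, "must also set" should read "must also be set".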

@@ -21,6 +21,11 @@ on:
required: true
type: string
description: The ECR repository name, e.g., applications-api-repo
use_preprod_main_iam_github_role:
required: false
type: boolean
default: false
description: If true, use the repository preprod main IAM role rather than the environment specific role

# Needed for OIDC authentication to AWS
permissions:
@@ -30,15 +35,15 @@ permissions:
jobs:
copy-preprod-image-to-live:
if: inputs.deploy_environment == 'live'
uses: communitiesuk/eip-ero-shared-workflows/.github/workflows/copy-preprod-image-to-prod.yml@main
uses: communitiesuk/eip-ero-shared-workflows/.github/workflows/copy-preprod-image-to-prod.yml@eip1-13829-use-read-only-rule-and-avoid-dev2-environment-on-main
with:
version: ${{ github.ref_name }}
ecr_repo: ${{ inputs.ecr_repo }}
secrets: inherit

deployment:
runs-on: ubuntu-latest
environment: ${{ inputs.deploy_environment }}
environment: ${{ case(inputs.use_preprod_main_iam_github_role, null, inputs.deploy_environment) }}
# Should run this if the copy-preprod-image-to-live step is skipped as not always needed
# Avoid using always() as failures or cancellations should not require this step to run
if: ${{ !failure() && !cancelled() }}
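Review bot: nothing stops a caller passing `deploy_environment: live` together with `use_preprod_main_iam_github_role: true`; the `case()` then sets `environment` to `null`, so the live environment's protection rules (required reviewers, deployment branch policies) no longer gate the `deployment` job, while the preprod main role is assumed against a live target. Add a guard, e.g. a first step in this job with `if: inputs.use_preprod_main_iam_github_role && inputs.deploy_environment == 'live'` that prints a clear message and exits 1, or validate the combination in the workflow-level `if:`. Note also that `copy-preprod-image-to-live` still receives `secrets: inherit` and uses the read-only secret regardless of the new input, which is fine but worth a line of comment.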
@@ -49,7 +54,7 @@ jobs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: ${{ secrets.IAM_GITHUB_ROLE_ARN }}
role-to-assume: ${{ case(inputs.use_preprod_main_iam_github_role, secrets.PREPROD_IAM_GITHUB_ROLE_ARN, secrets.IAM_GITHUB_ROLE_ARN) }}
role-session-name: ${{ github.run_id }}
aws-region: eu-west-2
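Review bot: `environment` and `role-to-assume` are switched by two separate `case()` expressions on the same input, some twenty lines apart; a later edit to one without the other would silently produce a mismatched combination (the environment role without the environment, which fails the OIDC trust condition, or the preprod role inside an environment). A comment on each pointing at the other keeps them in lock-step. Separately, the session name is now the only thing that distinguishes the two modes in CloudTrail, so consider encoding the choice in it, e.g. `role-session-name: gha-${{ github.run_id }}-${{ inputs.use_preprod_main_iam_github_role && 'preprod-main' || 'env' }}`, which stays within the allowed session-name characters.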

4 changes: 2 additions & 2 deletions .github/workflows/hotfix.yml
@@ -59,14 +59,14 @@ jobs:

bump-and-push-tag:
needs: get-latest-tag
uses: communitiesuk/eip-ero-shared-workflows/.github/workflows/bump-and-push-tag.yml@main
uses: communitiesuk/eip-ero-shared-workflows/.github/workflows/bump-and-push-tag.yml@eip1-13829-use-read-only-rule-and-avoid-dev2-environment-on-main
with:
version: ${{ needs.get-latest-tag.outputs.version }}
bump_level: patch

build-and-push:
needs: bump-and-push-tag
uses: communitiesuk/eip-ero-shared-workflows/.github/workflows/build-and-push.yml@main
uses: communitiesuk/eip-ero-shared-workflows/.github/workflows/build-and-push.yml@eip1-13829-use-read-only-rule-and-avoid-dev2-environment-on-main
with:
version: ${{ needs.bump-and-push-tag.outputs.version }}
image_name: ${{ inputs.image_name }}
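Review bot: both `uses:` refs now point at the mutable branch `eip1-13829-use-read-only-rule-and-avoid-dev2-environment-on-main`; beyond returning them to `@main` before merge as agreed in the thread above, a hotfix path is exactly where a reusable workflow should resolve to a tag or a full commit SHA, so that a later change on the shared branch cannot silently alter what a production hotfix does. Also check whether the hotfix `build-and-push` call should pass `use_preprod_main_iam_github_role`; the visible `with:` block does not, so it keeps the environment-specific role, which may be intended but differs from the dev2 workflow.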
8 changes: 6 additions & 2 deletions README.md
@@ -12,8 +12,12 @@ each environment should have the environment secret `IAM_GITHUB_ROLE_ARN`
set to the AWS IAM role ARN of the GitHub role for that specific environment.

The repositories should also have a repository secret `PREPROD_IAM_GITHUB_ROLE_ARN`
set to the IAM role ARN of the GitHub role for a preprod environment,
which could be the `dev2` role.
set to the IAM role ARN of the read/write GitHub role for a preprod environment,
which must be one allowed to act on the `main` branch.
Note that this is a repository secret, not an environment secret.

The repositories should also have a repository secret `PREPROD_READ_ONLY_IAM_GITHUB_ROLE_ARN`
set to the IAM role ARN of a read only GitHub role in the AWS preprod account.
Contributor

Feel free to ignore, but I wonder if making it clear what this is used for would make this clearer?

Suggested change
set to the IAM role ARN of a read only GitHub role in the AWS preprod account.
set to the IAM role ARN of a read only GitHub role in the AWS preprod account. This is used for actions triggered on main.

Note that this is a repository secret, not an environment secret.

Any repositories using the `todo-check-with-slack-notify` workflow should also have
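Review bot: "must be one allowed to act on the `main` branch" will read as vague to whoever provisions the roles; spell out the trust-policy condition it implies, namely that the read/write role must accept the OIDC `sub` claim `repo:<org>/<repo>:ref:refs/heads/main` (the workflows that use it run outside any GitHub environment, so no `environment:` subject is presented). By contrast the read-only role serves workflows that are not tied to an environment and so necessarily accepts broader subjects, which is precisely why it must be read-only; saying that here, together with the suggestion in the thread above about what PREPROD_READ_ONLY_IAM_GITHUB_ROLE_ARN is used for, gives operators the rationale as well as the instruction.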