fix(ci): harden AWS artifact and production DB workflow

leapfrog-bot · leapfrog-bot · commit 4a6e4e887d58 · 2026-05-16T13:04:20.000+05:45
diff --git a/.github/workflows/aws-artifact-db.yml b/.github/workflows/aws-artifact-db.yml
@@ -42,26 +42,11 @@ permissions:
   actions: read
 
 concurrency:
-  group: aws-artifact-db-${{ github.ref }}
+  group: aws-artifact-db-${{ github.ref }}-${{ github.event.inputs.environment || 'production' }}
   cancel-in-progress: true
 
 env:
   NODE_VERSION: '22'
-  AWS_REGION: ${{ secrets.AWS_REGION }}
-  AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE_TO_ASSUME }}
-  AWS_ACCESS_KEY_ID_VALUE: ${{ secrets.AWS_ACCESS_KEY_ID }}
-  AWS_SECRET_ACCESS_KEY_VALUE: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-  AWS_S3_ARTIFACT_BUCKET: ${{ secrets.AWS_S3_ARTIFACT_BUCKET }}
-  AWS_CODEARTIFACT_DOMAIN: ${{ secrets.AWS_CODEARTIFACT_DOMAIN }}
-  AWS_CODEARTIFACT_DOMAIN_OWNER: ${{ secrets.AWS_CODEARTIFACT_DOMAIN_OWNER }}
-  AWS_CODEARTIFACT_REPOSITORY: ${{ secrets.AWS_CODEARTIFACT_REPOSITORY }}
-  DB_TYPE: ${{ secrets.DB_TYPE }}
-  DB_HOST: ${{ secrets.DB_HOST }}
-  DB_PORT: ${{ secrets.DB_PORT }}
-  DB_NAME: ${{ secrets.DB_NAME }}
-  DB_USER: ${{ secrets.DB_USER }}
-  DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
-  DB_SSL: ${{ secrets.DB_SSL }}
 
 jobs:
   build-test-package:
@@ -100,7 +85,13 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
-          PACKAGE_FILE="$(npm pack --silent)"
+          npm pack --silent > /tmp/npm-pack-output.txt
+          cat /tmp/npm-pack-output.txt
+          PACKAGE_FILE="$(grep -E '\.tgz$' /tmp/npm-pack-output.txt | tail -n 1)"
+          if [ -z "$PACKAGE_FILE" ] || [ ! -f "$PACKAGE_FILE" ]; then
+            echo "npm pack did not produce a .tgz file" >&2
+            exit 1
+          fi
           echo "package_file=${PACKAGE_FILE}" >> "$GITHUB_OUTPUT"
           mkdir -p dist-artifact
           cp "$PACKAGE_FILE" dist-artifact/
@@ -127,11 +118,17 @@ jobs:
     name: Database connectivity check
     runs-on: ubuntu-latest
     needs: build-test-package
+    environment: ${{ github.event.inputs.environment || 'production' }}
     if: ${{ github.event_name == 'push' || github.event.inputs.run_db_check == 'true' }}
+    env:
+      DB_TYPE: ${{ secrets.DB_TYPE }}
+      DB_HOST: ${{ secrets.DB_HOST }}
+      DB_PORT: ${{ secrets.DB_PORT }}
+      DB_NAME: ${{ secrets.DB_NAME }}
+      DB_USER: ${{ secrets.DB_USER }}
+      DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
+      DB_SSL: ${{ secrets.DB_SSL }}
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
       - name: Setup Node.js ${{ env.NODE_VERSION }}
         uses: actions/setup-node@v4
         with:
@@ -230,6 +227,15 @@ jobs:
       - db-connectivity
     if: ${{ always() && needs.build-test-package.result == 'success' && (needs.db-connectivity.result == 'success' || needs.db-connectivity.result == 'skipped') && (github.event_name == 'push' || github.event.inputs.deploy_to_s3 == 'true' || github.event.inputs.publish_codeartifact == 'true') }}
     environment: ${{ github.event.inputs.environment || 'production' }}
+    env:
+      AWS_REGION: ${{ secrets.AWS_REGION }}
+      AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+      AWS_ACCESS_KEY_ID_VALUE: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY_VALUE: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_S3_ARTIFACT_BUCKET: ${{ secrets.AWS_S3_ARTIFACT_BUCKET }}
+      AWS_CODEARTIFACT_DOMAIN: ${{ secrets.AWS_CODEARTIFACT_DOMAIN }}
+      AWS_CODEARTIFACT_DOMAIN_OWNER: ${{ secrets.AWS_CODEARTIFACT_DOMAIN_OWNER }}
+      AWS_CODEARTIFACT_REPOSITORY: ${{ secrets.AWS_CODEARTIFACT_REPOSITORY }}
     steps:
       - name: Download GitHub artifact
         uses: actions/download-artifact@v4
@@ -252,8 +258,15 @@ jobs:
           aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY_VALUE }}
           aws-region: ${{ env.AWS_REGION || 'us-east-1' }}
 
-      - name: Verify AWS identity
-        run: aws sts get-caller-identity
+      - name: Verify AWS credentials configured
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [ -z "${AWS_ROLE_TO_ASSUME:-}" ] && { [ -z "${AWS_ACCESS_KEY_ID_VALUE:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY_VALUE:-}" ]; }; then
+            echo "AWS push skipped. Missing AWS_ROLE_TO_ASSUME or AWS access-key secrets."
+            exit 0
+          fi
+          aws sts get-caller-identity
 
       - name: Push artifact to S3
         if: ${{ env.AWS_S3_ARTIFACT_BUCKET != '' && (github.event_name == 'push' || github.event.inputs.deploy_to_s3 == 'true') }}
@@ -266,7 +279,7 @@ jobs:
           echo "Artifacts pushed to s3://${AWS_S3_ARTIFACT_BUCKET}/${PREFIX}/"
 
       - name: Publish package to AWS CodeArtifact
-        if: ${{ env.AWS_CODEARTIFACT_DOMAIN != '' && env.AWS_CODEARTIFACT_REPOSITORY != '' && (github.event.inputs.publish_codeartifact == 'true') }}
+        if: ${{ env.AWS_CODEARTIFACT_DOMAIN != '' && env.AWS_CODEARTIFACT_REPOSITORY != '' && github.event.inputs.publish_codeartifact == 'true' }}
         shell: bash
         run: |
           set -euo pipefail
@@ -285,6 +298,7 @@ jobs:
             echo "## AWS artifact workflow"
             echo "- Commit: $GITHUB_SHA"
             echo "- Branch: $GITHUB_REF_NAME"
+            echo "- Environment: ${{ github.event.inputs.environment || 'production' }}"
             echo "- GitHub artifact: sync-db-$GITHUB_SHA"
             echo "- S3 bucket: ${AWS_S3_ARTIFACT_BUCKET:-not configured}"
             echo "- CodeArtifact domain: ${AWS_CODEARTIFACT_DOMAIN:-not configured}"
