vitingr/aetherion-workflows

What the reusable workflow does, step by step


When `deploy_service.yaml` runs on the platform repo, it:

1. Reads `service.yaml` from the calling repo to get the service name, env file paths, and helm values paths for the target environment.
2. Builds the Docker image using the repo's Dockerfile, passing any `docker_build_args` defined in `service.yaml`.
3. Pushes to ECR — tags the image with the git SHA so every deploy is reproducible.
4. Resolves secrets — reads the `.env` file, finds every `{{ SECRET_NAME }}` reference, fetches the value from AWS Secrets Manager, and produces a clean `.env` with real values (this is your "Ravnica" step).
5. Runs `helm upgrade --install` using your generic Helm chart, the resolved env as a Kubernetes Secret, and the environment's `values.yml` for replica count, resources, ingress rules, etc.
6. Authenticates to AWS via OIDC — no static `AWS_ACCESS_KEY_ID` anywhere. The GitHub Actions OIDC token is exchanged for a short-lived IAM role credential.
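
One way to implement the secret-resolution step described above, as an added example that is not code from this repository. The `fetch` callable, the characters allowed in secret names, and the sample values are assumptions; in a real pipeline `fetch` would wrap the AWS Secrets Manager `GetSecretValue` call made with the OIDC-issued role.

```python
import re
from typing import Callable, Dict

# {{ SECRET_NAME }} as described on the page; the allowed name characters are an assumption.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_/.-]+)\s*\}\}")


class ResolveError(Exception):
    """Raised instead of emitting a partially resolved .env file."""


def resolve_env(template: str, fetch: Callable[[str], str]) -> str:
    """Replace every {{ NAME }} in .env text with fetch(NAME); fail closed on any problem."""
    cache: Dict[str, str] = {}
    out = []
    for lineno, line in enumerate(template.splitlines(), 1):
        if line.lstrip().startswith("#"):
            out.append(line)  # never substitute secrets into comments
            continue
        # Anything that still looks like a placeholder after removing valid ones is malformed.
        if "{{" in PLACEHOLDER.sub("", line):
            raise ResolveError(f"line {lineno}: malformed placeholder")

        def substitute(match: "re.Match[str]") -> str:
            name = match.group(1)
            if name not in cache:
                try:
                    cache[name] = fetch(name)
                except KeyError:
                    raise ResolveError(f"line {lineno}: secret {name!r} not found") from None
            value = cache[name]
            # A line break inside a value would smuggle extra KEY=VALUE lines into the output.
            if "\n" in value or "\r" in value:
                raise ResolveError(f"line {lineno}: secret {name!r} contains a line break")
            return value

        out.append(PLACEHOLDER.sub(substitute, line))
    return "\n".join(out) + "\n"


# Constructed sample input; a real fetch would call Secrets Manager with the OIDC role.
SAMPLE_ENV = "# constructed sample\nDB_HOST=db.internal\nDB_PASSWORD={{ prod/db_password }}\nAPI_KEY={{API_KEY}}\n"
SAMPLE_SECRETS = {"prod/db_password": "s3cr3t", "API_KEY": "k-123"}

if __name__ == "__main__":
    resolved = resolve_env(SAMPLE_ENV, SAMPLE_SECRETS.__getitem__)
    # Log only the key names, never the resolved values.
    print([l.split("=", 1)[0] for l in resolved.splitlines() if "=" in l])
```

Failing the job on a missing or malformed reference keeps a literal `{{ ... }}` string from being deployed as a credential, and the error messages carry only the secret name, never its value.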

About

A collection of reusable GitHub Actions workflows and automation pipelines for scalable CI/CD, deployments, helm charts and production-ready workflows.
