ops: enable live-deploy CI matrix (operator-side OIDC + staging accounts) #731

@intel352

Design merged at workflow#727 / docs/plans/2026-05-19-live-deploy-validation-design.md. Execution is operator-gated on cloud-account + GitHub-OIDC setup. This issue tracks the operator-side work.

Per-provider checklist

AWS

  • Create dedicated AWS staging account (or sub-account in the org's payer).
  • In that account: IAM role workflow-live-deploy-staging with the policies needed by workflow-plugin-aws (ECS / EKS / RDS / ElastiCache / VPC / ALB / Route53 / ECR / API Gateway / Security Groups / IAM / S3 / ACM).
  • Add the GitHub OIDC provider (https://token.actions.githubusercontent.com) as a trust principal on the role with condition sub: repo:GoCodeAlone/workflow:ref:refs/heads/main.
  • Repo secret STAGING_AWS_ROLE_ARN in workflow repo settings.

GCP

  • Create dedicated GCP staging project.
  • Set up Workload Identity Federation provider for GitHub Actions: pool + provider + binding to a service account with the IAM roles needed by workflow-plugin-gcp.
  • Repo secrets: STAGING_GCP_WORKLOAD_IDENTITY_PROVIDER (resource path) + STAGING_GCP_SERVICE_ACCOUNT (email).

Azure

  • Create dedicated Azure staging subscription.
  • App registration for federated credential against repo:GoCodeAlone/workflow:ref:refs/heads/main.
  • Role assignment (Contributor on the subscription, or scoped narrower).
  • Repo secrets: STAGING_AZURE_TENANT_ID, STAGING_AZURE_CLIENT_ID, STAGING_AZURE_SUBSCRIPTION_ID.
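The trust condition in the AWS checklist (sub pinned to repo:GoCodeAlone/workflow:ref:refs/heads/main) and the Azure federated-credential subject above are the same claim, and the usual way a GitHub-OIDC trust ends up broader than intended is a wildcard or pull_request subject, or no aud check at all. The following is an added example, not code from the GoCodeAlone/workflow project: it builds the AWS trust policy for the staging role in the standard IAM trust-policy shape and lints an existing policy for those mistakes. The account id, role name and the `owner/repo/branch` values are assumptions from this issue; `subject_is_pinned` applies equally to the subject string used in the Azure federated credential.

```python
"""Build and lint a GitHub-OIDC trust policy for a staging deploy role.

Added example; not code from GoCodeAlone/workflow. The repo/branch come from the
issue text, the account id is a constructed placeholder.
"""
import json
import re

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
AWS_STS_AUDIENCE = "sts.amazonaws.com"

# Exactly "repo:<owner>/<repo>:ref:refs/heads/<branch>": no wildcard, no
# pull_request / environment subject, so only pushes to that branch qualify.
PINNED_SUBJECT = re.compile(r"^repo:[\w.-]+/[\w.-]+:ref:refs/heads/[\w./-]+$")


def subject_is_pinned(sub: str) -> bool:
    """True when the OIDC subject claim names exactly one repo and one branch."""
    return bool(PINNED_SUBJECT.match(sub))


def build_trust_policy(account_id: str, owner: str, repo: str, branch: str = "main") -> dict:
    """Trust policy that lets only Actions runs on owner/repo@branch assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_ISSUER}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        # aud stops tokens minted for another audience being replayed here
                        f"{GITHUB_OIDC_ISSUER}:aud": AWS_STS_AUDIENCE,
                        f"{GITHUB_OIDC_ISSUER}:sub": f"repo:{owner}/{repo}:ref:refs/heads/{branch}",
                    }
                },
            }
        ],
    }


def lint_trust_policy(policy: dict) -> list[str]:
    """Return findings for the common ways a GitHub-OIDC trust policy is too broad."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        principal = stmt.get("Principal", {}).get("Federated", "")
        if GITHUB_OIDC_ISSUER not in principal:
            findings.append(f"stmt {i}: Federated principal is not the GitHub OIDC provider")

        # Flatten every condition operator so StringLike / ForAnyValue variants are seen too.
        claims = {}
        for op, kv in stmt.get("Condition", {}).items():
            for key, value in kv.items():
                claims[key] = (op, value if isinstance(value, list) else [value])

        aud = claims.get(f"{GITHUB_OIDC_ISSUER}:aud")
        if aud is None or aud[1] != [AWS_STS_AUDIENCE]:
            findings.append(f"stmt {i}: missing or wrong aud condition (expected {AWS_STS_AUDIENCE})")

        sub = claims.get(f"{GITHUB_OIDC_ISSUER}:sub")
        if sub is None:
            findings.append(f"stmt {i}: no sub condition, any GitHub repository could assume the role")
        else:
            op, values = sub
            for v in values:
                if op != "StringEquals" or not subject_is_pinned(v):
                    findings.append(f"stmt {i}: sub '{v}' ({op}) is not pinned to one repo and branch")
    return findings


if __name__ == "__main__":
    # Constructed account id; role name workflow-live-deploy-staging is from the issue.
    policy = build_trust_policy("123456789012", "GoCodeAlone", "workflow")
    print(json.dumps(policy, indent=2))
    print("findings:", lint_trust_policy(policy) or "none")
```

Run the script to get the JSON to pass to `aws iam create-role --assume-role-policy-document`, and point `lint_trust_policy` at the output of `aws iam get-role` on an existing role before wiring the secret into CI.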

DigitalOcean

  • DO does not yet publish a first-class GitHub OIDC integration. Two options:
    • Long-lived staging token stored as STAGING_DIGITALOCEAN_TOKEN (lowest friction; rotate quarterly).
    • OIDC + Vault with vault-action minting short-lived DO tokens. Higher setup cost; better security.
  • Choose one and document in docs/plans/2026-05-19-live-deploy-validation-design.md under Phase 1.

Workflow file

Once secrets are populated, drop in .github/workflows/live-deploy.yml (the design doc has the YAML skeleton). Trigger weekly via cron + manual workflow_dispatch.

Post-enable

  • First run on workflow_dispatch is the smoke test. If a provider fails, surface that as the action plan.
  • After 2 consecutive green runs across all 5 IaC plugins, the auto-promotion path is live and wfctl plugin marketplace-verify --explain can be implemented as the user-visible counterpart.

Cost estimate

<$5/week if examples include teardown. Add a budget alert to each staging account at $20/month as a tripwire.

Dependencies

  • workflow#725 ✅ shipped — wfctl plugin marketplace-verify <name> subcommand
  • workflow#727 ✅ shipped — design doc
  • docs/plans/2026-05-19-live-deploy-validation-design.md ✅ merged

What blocks completion of the umbrella sweep (workflow#714)

This + analytics→verified promotion (separate issue) are the only two items NOT shipped from the original 2026-05-19 QoL sweep + follow-up passes. 127 PRs shipped; this is the final operator-action item.
