Migrate web service from Serverless Framework to AWS SAM #559
Merged
IanButterworth merged 10 commits into master on Apr 11, 2026
Serverless Framework v4 requires a paid license/login, making CI
validation impractical. AWS SAM is free, maintained by AWS, and needs
no authentication for build/validate.
- Replace serverless.yml with template.yaml (SAM)
- Add samconfig.toml for dev/prod deploy config
- Add tagbot/web/lambda_handler.py (WSGI-to-Lambda adapter,
replaces serverless-wsgi plugin)
- Update CI workflow to use sam validate + sam build
- Remove package.json, package-lock.json, serverless.yml
- Remove docs/TODO-serverless-v4.md (completed)
- Update AGENTS.md with SAM deploy docs and migration notes
Function names (TagBotWeb-{stage}-api, TagBotWeb-{stage}-reports)
are preserved for compatibility.
Co-Authored-By: Claude <claude@users.noreply.github.com>
- Migrate pyproject.toml metadata to PEP 621 [project] table
- Update build-system to use poetry-core
- Export fully pinned requirements.txt from poetry.lock
- Add CI check that requirements.txt matches poetry.lock
- Add pyproject.toml and poetry.lock to web.yml path triggers

- Show version (from pyproject.toml) and commit SHA on julia-tagbot.com
- Use stdlib tomllib instead of toml package (available in Lambda)
- Upgrade Lambda runtime from python3.11 to python3.12
- Add TagbotCommit parameter to SAM template
- Add resolve_s3 to samconfig.toml

- Remove explicit FunctionName (fixes dev/prod name mismatch)
- Remove unmanaged CustomDomain/CustomDomainMapping resources
- Remove unused Stage parameter and IsProd condition
- Add tests for lambda_handler WSGI adapter
This is deployed now, and I will redeploy after merge
The token is now stored as a SecureString in SSM at /tagbot/github-token and fetched lazily at runtime by ReportsFunction only. ApiFunction has no token access at all. This removes the plaintext token from Lambda environment variables.
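One way to do the lazy fetch described in the comment above, as an added example that is not code from this pull request: the SecureString is read from SSM on first use and then served from memory. The parameter name comes from the comment; `LazySecret`, `FakeSSM` and `github_headers` are hypothetical names, and the injectable client is an assumption made so the block runs without AWS access.

```python
import threading

TOKEN_PARAMETER = "/tagbot/github-token"  # name from the comment above


class LazySecret:
    """Read an SSM SecureString on first use, then serve it from memory."""

    def __init__(self, name, client=None):
        self._name = name
        self._client = client  # injectable (assumption) so tests need no AWS
        self._value = None
        self._lock = threading.Lock()

    def get(self):
        with self._lock:
            if self._value is None:
                if self._client is None:
                    import boto3  # deferred: nothing AWS-related runs at import time
                    self._client = boto3.client("ssm")
                resp = self._client.get_parameter(Name=self._name, WithDecryption=True)
                value = resp["Parameter"]["Value"]
                if not value:
                    raise RuntimeError(f"SSM parameter {self._name} is empty")
                self._value = value
            return self._value

    def __repr__(self):
        # Keep the secret out of logs and tracebacks that print this object.
        return f"LazySecret({self._name!r}, loaded={self._value is not None})"


class FakeSSM:
    """Constructed stand-in for the boto3 SSM client (offline demo only)."""

    def __init__(self, store):
        self.store, self.calls = store, 0

    def get_parameter(self, Name, WithDecryption=False):
        self.calls += 1
        # A SecureString comes back encrypted unless WithDecryption=True.
        value = self.store[Name] if WithDecryption else "constructed-ciphertext"
        return {"Parameter": {"Name": Name, "Type": "SecureString", "Value": value}}


def github_headers(secret):
    """Hypothetical caller: only code that talks to GitHub resolves the token."""
    return {"Authorization": f"Bearer {secret.get()}"}
```

Because nothing is fetched at import time, a function that never calls `get()` makes no SSM request at all.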
Migrate web service from Serverless Framework to AWS SAM
Serverless Framework v4 requires a paid license/login, making CI validation impractical. We're currently stuck on v3 which is deprecated, and not getting all security updates.
AWS SAM is free, maintained by AWS, and needs no authentication for build/validate.
SAM migration
- serverless.yml with template.yaml (SAM) and samconfig.toml
- tagbot/web/lambda_handler.py (WSGI-to-Lambda adapter, replaces serverless-wsgi plugin)
- sam validate --lint + sam build
- serverless.yml, package.json, package-lock.json, docs/TODO-serverless-v4.md

Dependency management
- requirements.txt from poetry.lock (with hashes)
- requirements.txt stays in sync with poetry.lock

pyproject.toml modernization
- [project] table
- [project.optional-dependencies]
- poetry-core

Other
- julia-tagbot.com index page
- julia-tagbot.com) managed manually outside CloudFormation