fix(iam): grant deploy role update + invoke on regime Lambdas #239
Merged
cipher813 merged 1 commit into May 14, 2026
The codified github-actions-lambda-deploy policy missed the two
regime Lambdas added 2026-05-14:
- alpha-engine-predictor-regime-substrate (Stage A)
- alpha-engine-predictor-regime-retrospective-eval (Stage C.2 T1)
Symptom: today's predictor deploy.yml run (CI 25884911718) logged
"NOT FOUND — skipping" for both functions in deploy.sh Step 9 + 10.
That branch was protective at the time (the functions hadn't been
created yet via setup-regime-{lambda,retrospective-eval-lambda}.sh).
But adding the ARNs now unblocks the auto-create fall-through being
shipped in alpha-engine-predictor (parallel PR) so the manual
setup scripts become break-glass-only rather than required.
Both Lambdas need explicit ARNs in two statements:
- LambdaUpdate (CreateFunction / UpdateFunctionCode / PublishVersion
/ UpdateAlias / CreateAlias — needed for auto-create + update path)
- LambdaInvokeCanary (InvokeFunction on both bare + versioned ARNs —
needed for deploy.sh's post-update dry_run canary)
Applied to live AWS via:
bash infrastructure/iam/apply.sh github-actions-lambda-deploy
Verified:
python3 infrastructure/iam/check-drift.py → clean
pytest tests/test_sf_iam_lambda_grants.py → 2 passed, 1 skipped
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
The codified github-actions-lambda-deploy policy missed the two regime Lambdas added 2026-05-14:
- alpha-engine-predictor-regime-substrate (Stage A)
- alpha-engine-predictor-regime-retrospective-eval (Stage C.2 T1)
Symptom
Today's predictor deploy.yml run (CI 25884911718) logged "NOT FOUND — skipping" for both functions in deploy.sh Step 9 + 10. That branch was protective at the time (the functions hadn't been created yet via the setup scripts), but it masked the fact that even if they DID exist, the deploy role couldn't update them.
Fix
Add explicit ARNs to two statements:
- LambdaUpdate (CreateFunction / UpdateFunctionCode / PublishVersion / UpdateAlias / CreateAlias — needed for auto-create + update path)
- LambdaInvokeCanary (InvokeFunction on both bare + versioned ARNs — needed for deploy.sh's post-update dry_run canary)
Composes with parallel alpha-engine-predictor PR that adds create-function fall-through to deploy.sh Step 9 + 10, so the manual setup-regime-{lambda,retrospective-eval-lambda}.sh operator step becomes break-glass-only.
Applied + verified
🤖 Generated with Claude Code
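As an added example (not the repository's own policy file or test), the following Python check does what a grant test for this change needs to do: it takes an IAM policy document, and for each of the two statements named above reports every (Sid, action, ARN) the deploy role is still not granted on the two regime Lambdas, including the versioned `:*` ARN the canary invoke requires. REGION and ACCOUNT_ID are placeholders, and the policy fragment is constructed inline.

```python
from fnmatch import fnmatchcase

REGION = "us-east-1"         # assumed placeholder, not from the repo
ACCOUNT_ID = "123456789012"  # assumed placeholder, not from the repo
REGIME_FUNCTIONS = (
    "alpha-engine-predictor-regime-substrate",
    "alpha-engine-predictor-regime-retrospective-eval",
)
# Sid -> (required actions, whether the versioned ":*" ARN is also required)
REQUIRED = {
    "LambdaUpdate": (("lambda:CreateFunction", "lambda:UpdateFunctionCode",
                      "lambda:PublishVersion", "lambda:UpdateAlias",
                      "lambda:CreateAlias"), False),
    "LambdaInvokeCanary": (("lambda:InvokeFunction",), True),
}

def arns_for(name):
    """Bare function ARN and its versioned form (bare + ':*')."""
    bare = f"arn:aws:lambda:{REGION}:{ACCOUNT_ID}:function:{name}"
    return bare, bare + ":*"

def _as_list(v): return v if isinstance(v, list) else [v]

def allows(stmt, action, arn):
    """True if an Allow statement covers action+arn (IAM '*' wildcards honoured)."""
    return (stmt is not None and stmt.get("Effect") == "Allow"
            and any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatchcase(arn, r) for r in _as_list(stmt.get("Resource", []))))

def missing_grants(policy):
    """Return (sid, action, arn) triples the policy does not grant."""
    by_sid = {s.get("Sid"): s for s in policy["Statement"]}
    missing = []
    for sid, (actions, versioned) in REQUIRED.items():
        for name in REGIME_FUNCTIONS:
            bare, ver = arns_for(name)
            for action in actions:
                for arn in ((bare, ver) if versioned else (bare,)):
                    if not allows(by_sid.get(sid), action, arn):
                        missing.append((sid, action, arn))
    return missing

def sample_policy(functions=REGIME_FUNCTIONS):
    """Constructed policy fragment with the two statements for `functions`."""
    bare = [arns_for(n)[0] for n in functions]
    both = [a for n in functions for a in arns_for(n)]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "LambdaUpdate", "Effect": "Allow",
         "Action": list(REQUIRED["LambdaUpdate"][0]), "Resource": bare},
        {"Sid": "LambdaInvokeCanary", "Effect": "Allow",
         "Action": ["lambda:InvokeFunction"], "Resource": both},
    ]}
```

Running `missing_grants` against the policy as it was before this PR (the two function ARNs absent from both statements) is what surfaces the gap the "NOT FOUND — skipping" branch was masking.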