feat(H-041): GitHub Actions CI/CD deploy + SSM secrets management#55

Merged
dashprotocol merged 1 commit into
mainfrom
feat/H-041-github-actions-deploy
May 29, 2026

Conversation


@dashprotocol dashprotocol commented May 29, 2026

Closes #53

Summary

  • Automates production deploys on push to main via GitHub Actions
  • Migrates production secrets from a manually-maintained .env file to AWS SSM Parameter Store
  • GitHub Actions authenticates to AWS via OIDC — no static credentials stored in GitHub secrets or on the server
  • Deploy job fetches secrets from SSM, validates all required keys are present and non-empty, SCPs .env files to the server, and runs deploy.sh over SSH
  • Adds Terraform resources for the GitHub OIDC provider and a least-privilege IAM role scoped to SSM reads on /havenhold/prod/*

Key decisions

Decision           Choice
AWS auth           OIDC federation — short-lived credentials per workflow run, no long-lived keys
Secrets store      SSM Parameter Store (SecureString)
.env on server     Written at deploy time by CI runner; Lightsail has no instance profile so the app cannot fetch from SSM directly
Known-hosts        Pinned DEPLOY_KNOWN_HOST secret — no TOFU risk
Action versioning  SHA-pinned aws-actions/configure-aws-credentials

Test plan

  • CI jobs (frontend, backend) pass on this PR
  • Deploy job shows as skipped on this PR (expected — only runs on push to main)
  • After merge: OIDC credentials step shows assumed role ARN
  • After merge: SSM validation prints All required parameters present and non-empty
  • After merge: deploy completes all 12 steps and health check returns HTTP 200

  - Add OIDC-authenticated deploy job to ci.yml; runs on push to main after CI passes
  - Fetch production secrets from SSM Parameter Store at deploy time; no static credentials stored anywhere
  - SCP .env files to server and invoke deploy.sh over SSH
  - Add Terraform resources: GitHub Actions OIDC provider, IAM role with SSM read-only policy
  - Fix .env file ownership in deploy.sh for havenhold systemd service user
  - Document deployment architecture in docs/deployment.md
  - Annotate server/.env.example with SSM parameter paths
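The deploy job described above fetches /havenhold/prod/* from SSM, checks that every required key is present and non-empty, and writes the .env the CI runner then copies to the server. What follows is an added example of that validation step in Python; it is example code, not the project's own deploy job. It assumes the job pipes the JSON printed by `aws ssm get-parameters-by-path --path /havenhold/prod --with-decryption` into it; REQUIRED_KEYS, the sample parameter values and the temp-file path are constructed for the demo. Beyond the present/non-empty check it also rejects values containing line breaks (which would smuggle extra KEY=VALUE lines into the file) and writes the .env with mode 0600, two things worth having before a secrets file is scp'd anywhere.

```python
"""Deploy-time check of the SSM parameter set and rendering of the server .env.

Added example, not code from the havenhold repository. It assumes the deploy
job pipes the JSON printed by
`aws ssm get-parameters-by-path --path /havenhold/prod --with-decryption`
into this script; the required keys below are hypothetical.
"""
import json
import os
import tempfile

SSM_PREFIX = "/havenhold/prod/"  # the prefix the PR scopes the role's SSM reads to
# Hypothetical required set; the real list is whatever server/.env.example documents.
REQUIRED_KEYS = ("DATABASE_URL", "SESSION_SECRET", "STRIPE_API_KEY")


class SecretsValidationError(Exception):
    """The fetched parameter set must not be written to the server."""


def parse_parameters(ssm_json: str) -> dict:
    """Map the CLI's Parameters[] list to {ENV_KEY: value}.

    `aws ssm get-parameters` (by name) does not fail on unknown names; it lists
    them under InvalidParameters and exits 0, so that list is treated as an
    error here rather than silently producing a short .env.
    """
    doc = json.loads(ssm_json)
    if doc.get("InvalidParameters"):
        raise SecretsValidationError(f"unknown parameters: {doc['InvalidParameters']}")
    params = {}
    for p in doc.get("Parameters", []):
        name = p["Name"]
        if name.startswith(SSM_PREFIX):
            params[name[len(SSM_PREFIX):]] = p.get("Value", "")
    return params


def validate(params: dict, required=REQUIRED_KEYS) -> list:
    """Return a list of problems; an empty list means the set is deployable."""
    problems = []
    for key in required:
        if key not in params:
            problems.append(f"missing: {key}")
        elif params[key].strip() == "":
            problems.append(f"empty: {key}")
    # A value containing a line break would smuggle extra KEY=VALUE lines
    # into .env, so it is rejected outright instead of escaped.
    for key, value in params.items():
        if "\n" in value or "\r" in value:
            problems.append(f"contains line break: {key}")
    return problems


def render_env(params: dict) -> str:
    """Render KEY="value" lines, escaping backslash and double quote.

    Assumption: the app's dotenv loader and systemd's EnvironmentFile= both
    accept double-quoted values with these two escapes.
    """
    lines = []
    for key in sorted(params):
        value = params[key].replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'{key}="{value}"')
    return "\n".join(lines) + "\n"


def write_env(ssm_json: str, path: str) -> str:
    """Validate, then write the .env readable only by its owner (mode 0600)."""
    params = parse_parameters(ssm_json)
    problems = validate(params)
    if problems:
        raise SecretsValidationError("; ".join(problems))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # O_CREAT's mode is filtered by umask; fchmod is not
    with os.fdopen(fd, "w") as f:
        f.write(render_env(params))
    return path


# Constructed samples in the CLI's output shape; every value is fake.
SAMPLE_OK = json.dumps({"Parameters": [
    {"Name": "/havenhold/prod/DATABASE_URL", "Type": "SecureString",
     "Value": "postgres://app:pw@db/havenhold"},
    {"Name": "/havenhold/prod/SESSION_SECRET", "Type": "SecureString",
     "Value": 's3cr3t"quoted"'},
    {"Name": "/havenhold/prod/STRIPE_API_KEY", "Type": "SecureString",
     "Value": "sk_test_fake"},
]})
SAMPLE_BAD = json.dumps({"Parameters": [
    {"Name": "/havenhold/prod/DATABASE_URL", "Type": "SecureString", "Value": ""},
    {"Name": "/havenhold/prod/STRIPE_API_KEY", "Type": "SecureString",
     "Value": "x\nEVIL=1"},
]})


def demo() -> tuple:
    """Write SAMPLE_OK to a temp dir; return (rendered text, file mode bits)."""
    path = write_env(SAMPLE_OK, os.path.join(tempfile.mkdtemp(), ".env"))
    with open(path) as f:
        text = f.read()
    return text, os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    text, mode = demo()
    print(text, oct(mode))
    print(validate(parse_parameters(SAMPLE_BAD)))
```

With get-parameters-by-path a parameter that does not exist is simply absent from the output, so the required-key check is the only thing that catches it; with get-parameters by name the absent names come back under InvalidParameters with a zero exit status, which is why the parser refuses that list as well. Either way the job should fail before anything is copied, which is the "All required parameters present and non-empty" gate the test plan above refers to.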
@dashprotocol dashprotocol merged commit c828498 into main May 29, 2026
6 checks passed
@dashprotocol dashprotocol deleted the feat/H-041-github-actions-deploy branch May 29, 2026 09:51
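The PR's Terraform adds the GitHub OIDC provider and an IAM role whose permission policy is scoped to SSM reads on /havenhold/prod/*. The other half of least privilege is the role's trust policy: the permission policy decides what the role can read, the trust policy decides who can become the role, and only an exact `sub` condition binds it to one repository and branch. Without it, any workflow in any repository presenting a token from the same provider could assume the role. The following is an added example, not the PR's Terraform or any file from the project: a small Python linter for such a trust policy, run over a constructed weak policy and the tightened form. The provider ARN, account id 123456789012, repository name and EXPECTED_SUB are hypothetical; the PR does not show them.

```python
"""Lint the trust policy of the IAM role GitHub Actions assumes over OIDC.

Added example, not the PR's Terraform. The provider ARN, account id and
repository name below are hypothetical placeholders.
"""
import json

OIDC_HOST = "token.actions.githubusercontent.com"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{OIDC_HOST}"
# Hypothetical: deploys run on push to main, so only that ref may assume the role.
EXPECTED_SUB = "repo:dashprotocol/havenhold:ref:refs/heads/main"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy_json: str, expected_sub: str = EXPECTED_SUB) -> list:
    """Return findings for every Allow statement granting AssumeRoleWithWebIdentity.

    An empty list means: GitHub's provider is the only federated principal,
    the token audience is sts.amazonaws.com, and the sub claim must equal
    expected_sub exactly (no StringLike wildcard).
    """
    findings = []
    doc = json.loads(policy_json)
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action")):
            continue
        principals = _as_list(st.get("Principal", {}).get("Federated"))
        if not principals or any(not p.endswith(f"oidc-provider/{OIDC_HOST}") for p in principals):
            findings.append(f"statement {i}: Federated principal {principals} is not the GitHub OIDC provider")
        cond = st.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        aud = _as_list(equals.get(f"{OIDC_HOST}:aud"))
        if aud != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud must be StringEquals sts.amazonaws.com, got {aud}")
        subs = _as_list(equals.get(f"{OIDC_HOST}:sub")) + _as_list(like.get(f"{OIDC_HOST}:sub"))
        if not subs:
            findings.append(f"statement {i}: no sub condition, so any repository on GitHub could assume this role")
        for sub in subs:
            # IAM StringLike treats * and ? as wildcards; repo:ORG/REPO:* also
            # matches pull_request runs and every other ref of the repository.
            if "*" in sub or "?" in sub:
                findings.append(f"statement {i}: wildcard sub {sub!r} admits more refs than the deploy branch")
            elif sub != expected_sub:
                findings.append(f"statement {i}: sub {sub!r} is not {expected_sub!r}")
    return findings


def build_trust_policy(provider_arn: str = PROVIDER_ARN, sub: str = EXPECTED_SUB) -> str:
    """The tightened form: one federated principal, exact aud and exact sub."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{OIDC_HOST}:aud": "sts.amazonaws.com",
                f"{OIDC_HOST}:sub": sub,
            }},
        }],
    }, indent=2)


# Constructed weak policy: no aud check, and a sub wildcard that also matches
# pull_request and other workflow runs of the repository.
LOOSE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{OIDC_HOST}:sub": "repo:dashprotocol/havenhold:*"}},
    }],
})

if __name__ == "__main__":
    for finding in lint_trust_policy(LOOSE_POLICY):
        print("LOOSE:", finding)
    print("TIGHT:", lint_trust_policy(build_trust_policy()) or "no findings")
```

The two findings on the loose policy are the ones that matter in practice: a missing `aud` check lets a token minted for some other audience be replayed against STS, and `repo:ORG/REPO:*` hands the deploy role to every workflow run in the repository, including ones triggered by pull requests, rather than only to the push-to-main run that actually deploys.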

Development

Successfully merging this pull request may close these issues.

H-041 GitHub Actions CI/CD deploy + SSM secrets management
