feat(ci): OIDC deploy workflow with dev/prod branching and Secrets Manager by Jing-yilin · Pull Request #2 · ReScienceLab/KickWatch

Jing-yilin · 2026-02-27T05:09:02Z

Changes

Replace static AWS access keys with OIDC role-to-assume (more secure, no long-lived credentials)
Dev deploy on develop push, prod deploy on main push
Inline ECS task definition generated in CI (no stale JSON in repo)
All secrets pulled from AWS Secrets Manager at deploy time
Add Dockerfile.ci for pre-built binary deploy (faster image build)
Update test workflow to use go.mod for Go version + verify linux build

IAM OIDC provider for token.actions.githubusercontent.com
IAM role kickwatch-deploy-role with OIDC trust
GitHub secret: AWS_DEPLOY_ROLE_ARN, AWS_ACCOUNT_ID
Secrets Manager: kickwatch(-dev)/{database-url,apns-key-id,apns-team-id,apns-bundle-id,apns-key}

…ne task def

…build

Jing-yilin added 5 commits February 27, 2026 13:06

feat(ci): add Dockerfile.ci for CI pre-built binary deploy

a956228

feat(ci): rewrite deploy workflow with OIDC, dev/prod branching, inli…

6ee54ae

…ne task def

feat(ci): update test workflow to use go.mod version file and verify …

efd37c7

…build

fix(ci): set AWS_REGION to us-east-2

bf70741

feat(ci): inject APNS_KEY from Secrets Manager into ECS task

6914ea0

Jing-yilin merged commit ebc5ec9 into develop Feb 27, 2026
1 check failed