fix(integ): gate integ CI on the existing deploy environment (#236)#535
Merged
krokoko merged 1 commit intoJul 7, 2026
Merged
Conversation
Switch the integ deploy→assert→destroy job from `environment: integ` to the already-configured `deploy` environment (reused from deploy.yml). The `deploy` environment already has required reviewers (coding-agents-admin / coding-agents-maintainers) and the `GitHub` deploy role's OIDC trust already accepts `environment:deploy`, so integ CI can go live with no account-side IAM change — where the separate `integ` environment needed a new role + trust-policy edit that was never wired up. Tradeoff: integ (including approved fork code) runs with the full deploy role rather than a dedicated least-privilege role. The fork `safe-to-test` label gate, the deploy-environment approval, and forced teardown are the compensating controls; a scoped role remains a later option. ADR-013's residual-risk section is updated to reflect this; comments reconciled. Follow-up to aws-samples#295 (merged). Refs aws-samples#236.
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #535 +/- ##
=======================================
Coverage ? 88.88%
=======================================
Files ? 222
Lines ? 52547
Branches ? 5440
=======================================
Hits ? 46705
Misses ? 5842
Partials ? 0 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
isadeks
approved these changes
Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #295 (merged, Phase 0 of #236). Switches the integ CI job from a separate
integGitHub environment to the already-configureddeployenvironment (reused fromdeploy.yml).Why: the
integenvironment path required an account-side IAM change that was never wired up — a dedicated role whose OIDC trustsubaccepts…:environment:integ. TheGitHubdeploy role's trust is locked toenvironment:deploy, soenvironment: integproduced a non-matchingsubandconfigure-aws-credentialswould fail. Setup was stuck there.The
deployenvironment already exists and is fully configured:coding-agents-admin+coding-agents-maintainersteams (self-review prevented) — the admin-approval gate is preserved unchanged.GitHubdeploy role's OIDC trust already acceptsenvironment:deploy.So integ CI can go live with no new environment, no new IAM role, and no trust-policy edit.
What changed
.github/workflows/integ.yml— one functional line:environment: integ→environment: deploy(line ~180). Comments reconciled to name thedeployenvironment/role.docs/decisions/ADR-013-tiered-validation-pyramid.md(+ regenerated Starlight mirror) — residual-risk section updated: the "dedicated least-privilegeGitHubIntegE2Erole is a hard prerequisite" mitigation is replaced with the environment-reuse decision and its tradeoff.No change to the three-job pipeline, path-filter, fork
safe-to-testgate, status-check logic, teardown, or the integ test itself.Tradeoff (explicit)
Integ now runs with the full
GitHubdeploy role rather than a dedicated least-privilege role. For approved fork PRs, that fork-authored test code runs with the deploy role. Compensating controls, all retained:safe-to-testlabel gate (maintainer-applied) in theresolvejob.deployenvironment required-reviewer approval before the job runs — the approver MUST reviewcdk/test/integ/**changes on fork PRs.if: always()forced teardown (fail-loudwait).Scoping a dedicated least-privilege integ role remains an option a maintainer can adopt later if the blast radius is judged too wide (noted in ADR-013).
Account-side follow-ups (do not block this PR; block only the live check)
integ-smokea required status check onmain(branch protection) — only selectable after the check posts once.integGitHub environment can be deleted by an admin (cleanup).Test plan
zizmorclean oninteg.yml(theworkflow_rundangerous-triggers annotation is retained with updated wording).environment: integ/GitHubIntegE2E/ dedicated-role references remain.cdk/**→ build passes →integ-smokepending → admin approves thedeployenvironment → deploy/assert/destroy runs →integ-smokeflips green.Refs #236.