Skip to content

fix(integ): gate integ CI on the existing deploy environment (#236)#535

Merged
krokoko merged 1 commit into
aws-samples:mainfrom
ayushtr-aws:fix/236-integ-deploy-environment
Jul 7, 2026
Merged

fix(integ): gate integ CI on the existing deploy environment (#236)#535
krokoko merged 1 commit into
aws-samples:mainfrom
ayushtr-aws:fix/236-integ-deploy-environment

Conversation

@ayushtr-aws

Copy link
Copy Markdown
Contributor

Summary

Follow-up to #295 (merged, Phase 0 of #236). Switches the integ CI job from a separate integ GitHub environment to the already-configured deploy environment (reused from deploy.yml).

Why: the integ environment path required an account-side IAM change that was never wired up — a dedicated role whose OIDC trust sub accepts …:environment:integ. The GitHub deploy role's trust is locked to environment:deploy, so environment: integ produced a non-matching sub and configure-aws-credentials would fail. Setup was stuck there.

The deploy environment already exists and is fully configured:

  • Required reviewers: coding-agents-admin + coding-agents-maintainers teams (self-review prevented) — the admin-approval gate is preserved unchanged.
  • The GitHub deploy role's OIDC trust already accepts environment:deploy.

So integ CI can go live with no new environment, no new IAM role, and no trust-policy edit.

What changed

  • .github/workflows/integ.yml — one functional line: environment: integenvironment: deploy (line ~180). Comments reconciled to name the deploy environment/role.
  • docs/decisions/ADR-013-tiered-validation-pyramid.md (+ regenerated Starlight mirror) — residual-risk section updated: the "dedicated least-privilege GitHubIntegE2E role is a hard prerequisite" mitigation is replaced with the environment-reuse decision and its tradeoff.

No change to the three-job pipeline, path-filter, fork safe-to-test gate, status-check logic, teardown, or the integ test itself.

Tradeoff (explicit)

Integ now runs with the full GitHub deploy role rather than a dedicated least-privilege role. For approved fork PRs, that fork-authored test code runs with the deploy role. Compensating controls, all retained:

  1. Fork safe-to-test label gate (maintainer-applied) in the resolve job.
  2. deploy environment required-reviewer approval before the job runs — the approver MUST review cdk/test/integ/** changes on fork PRs.
  3. Status-only tokens per job + if: always() forced teardown (fail-loud wait).

Scoping a dedicated least-privilege integ role remains an option a maintainer can adopt later if the blast radius is judged too wide (noted in ADR-013).

Account-side follow-ups (do not block this PR; block only the live check)

  • Mark integ-smoke a required status check on main (branch protection) — only selectable after the check posts once.
  • The pre-existing, now-unused integ GitHub environment can be deleted by an admin (cleanup).

Test plan

  • zizmor clean on integ.yml (the workflow_run dangerous-triggers annotation is retained with updated wording).
  • Starlight mirror regenerated + idempotent (no mutation diff).
  • Grep guard: no stray environment: integ / GitHubIntegE2E / dedicated-role references remain.
  • End-to-end CI proof (admin-side, after merge): PR touching cdk/** → build passes → integ-smoke pending → admin approves the deploy environment → deploy/assert/destroy runs → integ-smoke flips green.

Refs #236.

Switch the integ deploy→assert→destroy job from `environment: integ` to
the already-configured `deploy` environment (reused from deploy.yml). The
`deploy` environment already has required reviewers
(coding-agents-admin / coding-agents-maintainers) and the `GitHub` deploy
role's OIDC trust already accepts `environment:deploy`, so integ CI can go
live with no account-side IAM change — where the separate `integ`
environment needed a new role + trust-policy edit that was never wired up.

Tradeoff: integ (including approved fork code) runs with the full deploy
role rather than a dedicated least-privilege role. The fork `safe-to-test`
label gate, the deploy-environment approval, and forced teardown are the
compensating controls; a scoped role remains a later option. ADR-013's
residual-risk section is updated to reflect this; comments reconciled.

Follow-up to aws-samples#295 (merged). Refs aws-samples#236.
@ayushtr-aws ayushtr-aws requested review from a team as code owners July 7, 2026 15:22
@codecov-commenter

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@98736c1). Learn more about missing BASE report.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #535   +/-   ##
=======================================
  Coverage        ?   88.88%           
=======================================
  Files           ?      222           
  Lines           ?    52547           
  Branches        ?     5440           
=======================================
  Hits            ?    46705           
  Misses          ?     5842           
  Partials        ?        0           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@krokoko krokoko added this pull request to the merge queue Jul 7, 2026
Merged via the queue into aws-samples:main with commit b93dcc6 Jul 7, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants