Run 2: Workflows — Completion Report
Date: 2026-03-19
Status: Complete
Successful deployment run: 23320202262
Exit Criteria Results
| # | Criterion | Status |
|---|---|---|
| 1 | reusable_deployment.yaml on demo | Pass |
| 2 | deploy.yaml on demo | Pass |
| 3 | redeploy.yaml on demo | Pass |
| 4 | test-oidc.yaml deleted | Pass |
| 5 | GitHub environments configured | Pass (dev, demo, stage, prod) |
| 6 | deploy.yaml succeeded at least once | Pass (run 23320202262) |
| 7 | Demo site loads | Pass (200 at demo.alpha001.app.arda.cards) |
Artifacts Produced
| Artifact | Location |
|---|---|
| deploy.yaml (inlined) | arda-frontend-app/.github/workflows/deploy.yaml on demo branch |
| redeploy.yaml | arda-frontend-app/.github/workflows/redeploy.yaml on demo branch |
| reusable_deployment.yaml | arda-frontend-app/.github/workflows/reusable_deployment.yaml on demo branch |
| GitHub environments | dev (no gate), demo (no gate), stage (reviewers), prod (reviewers) |
Issues Encountered
1. Reusable workflows require default branch (blocking, resolved)
GitHub Actions uses: ./.github/workflows/reusable_deployment.yaml requires the called workflow to exist on the default branch (main). Since all workflows are on demo, this caused startup_failure on every attempt to call the reusable workflow.
Also tried uses: Arda-cards/arda-frontend-app/.github/workflows/reusable_deployment.yaml@demo — same startup_failure.
Resolution: Inlined the deployment logic directly into deploy.yaml for the development phase. The reusable_deployment.yaml file is kept for refactoring at cutover (PR2) when workflows move to main.
Impact on cutover: At PR2, deploy.yaml must be refactored from inlined logic back to calling reusable_deployment.yaml. redeploy.yaml must also be updated to call the reusable workflow.
2. workflow_dispatch requires default branch (blocking, worked around)
GitHub Actions workflow_dispatch trigger only works for workflows indexed on the default branch. Workflows only on demo cannot be triggered via the UI or API.
Resolution: Added a temporary push trigger on demo branch filtered to workflow file path changes. Deployment is triggered by pushing changes to deploy.yaml or reusable_deployment.yaml.
Impact on cutover: Remove the push trigger at cutover (PR3). The workflow_dispatch and workflow_run triggers will work once the workflows are on main.
Impact on Run 3: redeploy.yaml cannot be tested via workflow_dispatch from demo. Redeploy testing must happen after PR2 merges workflows to main, or via a push-trigger workaround.
3. OIDC environment: subject format (blocking, resolved)
When a job sets environment: demo, the OIDC sub claim changes from repo:Org/Repo:ref:refs/heads/demo to repo:Org/Repo:environment:demo. The IAM trust policy only had ref: patterns.
Resolution: Updated trust policy on both accounts via AWS CLI (immediate fix) and created infrastructure#428 for the CDK code fix. PR merged. Also added ref condition as defense-in-depth per reviewer feedback.
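The subject mismatch described in this issue can be checked before a deployment run. The following is an added example, not code from the Arda repositories: it builds the sub claim in the two forms quoted above and evaluates it against the sub conditions of a trust policy. The two policy documents, their patterns and the function names are constructed for illustration; only the sub condition is evaluated.

```python
import re

SUB_KEY = "token.actions.githubusercontent.com:sub"

def github_sub(repo, ref, environment=None):
    """Subject GitHub places in the OIDC token; the environment form replaces the ref form."""
    if environment:
        return f"repo:{repo}:environment:{environment}"
    return f"repo:{repo}:ref:{ref}"

def _like(pattern, value):
    # IAM StringLike: '*' matches any run of characters, '?' exactly one, the rest is literal.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

OPS = {"StringEquals": lambda p, v: p == v, "StringLike": _like}

def sub_allowed(policy, sub):
    """True if some Allow statement's sub conditions all accept this subject."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        checks = []
        for op, match in OPS.items():
            if SUB_KEY in cond.get(op, {}):
                pats = cond[op][SUB_KEY]
                pats = [pats] if isinstance(pats, str) else pats
                checks.append(any(match(p, sub) for p in pats))  # values are OR-ed
        if all(checks):  # operators are AND-ed; no sub condition accepts any subject
            return True
    return False

def _policy(patterns):
    # Constructed trust policy fragment (assumption, not the deployed policy).
    return {"Statement": [{"Effect": "Allow",
                           "Action": "sts:AssumeRoleWithWebIdentity",
                           "Condition": {"StringLike": {SUB_KEY: patterns}}}]}

BEFORE = _policy(["repo:Org/Repo:ref:refs/heads/*"])  # ref patterns only
AFTER = _policy(["repo:Org/Repo:ref:refs/heads/*",
                 "repo:Org/Repo:environment:demo"])    # environment subject added

if __name__ == "__main__":
    for env in (None, "demo"):
        sub = github_sub("Org/Repo", "refs/heads/demo", env)
        print(f"{sub}: before={sub_allowed(BEFORE, sub)} after={sub_allowed(AFTER, sub)}")
```
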
Changes to Infrastructure (out-of-band)
| Change | PR |
|---|---|
| OIDC environment subjects + ref restriction | infrastructure#428 (merged) |
Guidance for Subsequent Runs
Run 3 (Validation)
- deploy.yaml can be re-triggered by pushing a change to the workflow file on demo, or by pushing an empty commit and temporarily removing the paths: filter.
- redeploy.yaml cannot be tested from demo via workflow_dispatch. Options:
  - Temporarily add a push trigger to redeploy.yaml with a different path filter
  - Defer redeploy testing to after PR2 merges to main
  - Test the redeploy logic manually via AWS CLI (aws amplify start-job --commit-id {sha})
- The demo site uses the demo branch code, not main. If main has diverged, the demo deployment reflects demo branch state.
Run 4 (Cutover)
- PR2 must refactor deploy.yaml: Replace inlined logic with uses: ./.github/workflows/reusable_deployment.yaml (will work on main). Expand the matrix to [dev, stage, demo, prod] with amplify_region: us-east-2 for prod.
- PR2 must update redeploy.yaml: Replace the direct uses: call (currently pointing nowhere functional) with the reusable workflow call.
- Remove the push trigger from deploy.yaml at cutover (PR3).
- The reusable_deployment.yaml is already correct — no changes needed at cutover, just the callers.
Copyright: © Arda Systems 2025-2026, All rights reserved