Run 1: Infrastructure — Warnings and Insights for Future Runs
Critical: Update GitHub Secrets Before GH Actions Runs
The AMPLIFY_GITHUB_ACCESSTOKEN GitHub secret in the infrastructure repo contains the old (invalidated) PAT. It was regenerated during Run 1 and updated in 1Password, but the GitHub secret was NOT updated.
Before any amm.yml workflow run: Update the AMPLIFY_GITHUB_ACCESSTOKEN secret in the infrastructure repo’s GitHub settings with the value from 1Password (Arda-SystemsOAM/Amplify_GitHub_AccessToken).
Critical: workflow_dispatch on Non-Default Branches
GitHub Actions workflow_dispatch only works for workflows that exist on the default branch (main). Workflows that exist only on demo cannot be triggered via the GitHub UI or API workflow_dispatch endpoint.
Impact on Run 2: The deploy.yaml, redeploy.yaml, and reusable_deployment.yaml workflows will be created on demo but won’t be triggerable via workflow_dispatch from the UI unless a matching workflow file also exists on main.
Workarounds (investigate in Run 2):
- Add a push trigger for the demo branch during development (remove at cutover)
- Create minimal stub workflow files on main that match the names (may cause confusion)
- Use repository_dispatch instead of workflow_dispatch for the demo phase
This is a significant workflow development constraint that was not anticipated in the plan.
Important: aws amplify update-app --environment-variables Replaces, Not Merges
Any call to update-app --environment-variables with a partial set will overwrite all existing env vars. This caused a production-impacting issue during Run 1 (all 16 CloudFormation-managed env vars were wiped).
Safe pattern:
```bash
# Read the full current map first ({id} is the Amplify app ID)
EXISTING=$(aws amplify get-app --app-id {id} --query "app.environmentVariables" --output json)
# Add or overwrite one key while keeping every existing key
MERGED=$(echo "${EXISTING}" | jq --arg val "value" '. + {"KEY": $val}')
# Send the complete merged map, never a partial one
aws amplify update-app --app-id {id} --environment-variables "${MERGED}"
```
Important: GITHUB_TOKEN Not in CloudFormation Template
New Amplify apps created via amplify.cfn.yaml will fail to build because the template doesn’t include GITHUB_TOKEN for GitHub Packages authentication. Tracked in infrastructure#427.
For Run 4 cutover: Existing apps already have GITHUB_TOKEN set manually. But any CloudFormation stack update that triggers a full Amplify app resource replacement could lose it. Monitor stack events during cutover.
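A pre-flight guard for the replace-not-merge behaviour of update-app described above, which also catches a payload that would drop the manually set GITHUB_TOKEN. This is an added example, not code from the infrastructure repo; the function names, the APP_ID variable and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's code. Requires jq (already used by the safe pattern).

# merge_env EXISTING_JSON KEY VALUE: print the existing map with KEY set to VALUE.
# A null result from get-app (app has no variables) is treated as {}.
merge_env() {
  printf '%s' "$1" | jq -c --arg k "$2" --arg v "$3" '(. // {}) + {($k): $v}'
}

# dropped_keys EXISTING_JSON PROPOSED_JSON: print, one per line, every key that
# exists today but is missing from the payload about to be sent.
dropped_keys() {
  jq -rn --argjson old "$1" --argjson new "$2" \
    '(($old // {}) | keys) - (($new // {}) | keys) | .[]'
}

# guard_update EXISTING_JSON PROPOSED_JSON: print the payload only if it keeps
# every existing key; otherwise name the keys (never the values) and fail.
guard_update() {
  lost=$(dropped_keys "$1" "$2") || return 2
  if [ -n "$lost" ]; then
    echo "refusing update-app, payload would delete:" $lost >&2
    return 1
  fi
  printf '%s\n' "$2"
}

# Constructed sample of `get-app --query app.environmentVariables` output.
SAMPLE='{"API_URL":"https://api.example.invalid","GITHUB_TOKEN":"placeholder","STAGE":"demo"}'

# A partial payload is blocked; the merged payload passes.
guard_update "$SAMPLE" '{"STAGE":"demo"}' || echo "blocked partial payload"
guard_update "$SAMPLE" "$(merge_env "$SAMPLE" NEW_FLAG on)"

# Real use (APP_ID is an assumed variable holding the Amplify app id):
#   EXISTING=$(aws amplify get-app --app-id "$APP_ID" \
#     --query "app.environmentVariables" --output json)
#   PAYLOAD=$(guard_update "$EXISTING" "$(merge_env "$EXISTING" KEY value)") &&
#     aws amplify update-app --app-id "$APP_ID" --environment-variables "$PAYLOAD"
```

The guard reports key names only, so a blocked update does not write the GITHUB_TOKEN value into CI logs.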
Useful: Demo App Reference Data
| Property | Value |
|---|---|
| App ID | d2jmcx9om9gokx |
| Region | us-east-1 |
| Branch | demo |
| Amplify URL | https://demo.d2jmcx9om9gokx.amplifyapp.com |
| Custom domain | demo.alpha001.app.arda.cards (check propagation) |
| Environment variables | 17 (16 from CloudFormation + 1 manual GITHUB_TOKEN) |
Useful: Local Deployment Commands
```bash
# Alpha001/demo (with correct API key override)
export ARDA_API_KEY="$(op read 'op://Arda-DemoOAM/ARDA-API-KEY/password')"
./amm.sh --profile Admin-Alpha1 --region us-east-1 Alpha001 demo

# Alpha002/dev (for IAM role deployment)
./amm.sh --profile Alpha002-Admin --region us-east-1 Alpha002 dev

# Kyle regression
./amm.sh --profile Admin-SandboxKyle002 --region us-east-1 SandboxKyle002 kyle
```
Note the inconsistent profile naming: Admin-Alpha1, Alpha002-Admin, Admin-SandboxKyle002.
Copyright: © Arda Systems 2025-2026, All rights reserved