
feat(ladder): add per-account config + schema foundation (default-off) #1554



Workflow file for this run

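# AWS sanity workflow: federates into a read-only AWS role via OIDC and runs
# the ci_cd_sanity_tests tool against the expected account. When the two
# required secrets are not configured (for example on pull_request events
# from forks, where secrets are not exposed) the AWS steps are skipped
# rather than failed, so the workflow stays green for untrusted PRs.
name: AWS Sanity (Read-only Dry Run)

on:  # yamllint disable-line rule:truthy
  pull_request:
  push:
    branches: ["main"]
  workflow_dispatch:

# id-token: write is the only write grant and is required for OIDC
# federation; contents: read is the minimum needed by actions/checkout.
permissions:
  id-token: write
  contents: read

jobs:
  sanity:
    runs-on: ubuntu-latest
    # Bound how long a run can hold the federated AWS session if the sanity
    # tool or an AWS API call hangs; the default job timeout is 6 hours.
    timeout-minutes: 20
    env:
      AWS_REGION: us-east-1
      REPORT_PATH: sanity_report.json
      # Secret-backed, so the account id is masked in logs by the runner.
      EXPECTED_ACCOUNT: ${{ secrets.AWS_EXPECTED_ACCOUNT_ID }}
    steps:
      # Decide once whether AWS credentials can be obtained; every later
      # step is gated on this output so the job skips cleanly without them.
      - name: Precheck secrets (skip if not configured)
        id: precheck
        shell: bash
        env:
          AWS_CICD_READONLY_ROLE_ARN: ${{ secrets.AWS_CICD_READONLY_ROLE_ARN }}
          AWS_EXPECTED_ACCOUNT_ID: ${{ secrets.AWS_EXPECTED_ACCOUNT_ID }}
        run: |
          # Secrets are read from the environment rather than interpolated
          # into the script text, so their values never appear in the source.
          if [[ -z "${AWS_CICD_READONLY_ROLE_ARN}" || -z "${AWS_EXPECTED_ACCOUNT_ID}" ]]; then
            echo "should_run=false" >> "$GITHUB_OUTPUT"
            echo "Missing AWS secrets. Skipping AWS sanity."
          else
            echo "should_run=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Checkout
        if: steps.precheck.outputs.should_run == 'true'
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          # This job only builds and runs the tool; do not leave GITHUB_TOKEN
          # in .git/config for later steps. Assumes go.mod has no private
          # modules that must be fetched over authenticated git — confirm.
          persist-credentials: false

      - name: Setup Go
        if: steps.precheck.outputs.should_run == 'true'
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod

      # Short-lived credentials from STS; nothing long-lived is stored in
      # the repository. The role is expected to carry read-only policy.
      - name: Configure AWS credentials via OIDC (read-only role)
        if: steps.precheck.outputs.should_run == 'true'
        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
        with:
          role-to-assume: ${{ secrets.AWS_CICD_READONLY_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}
          role-session-name: cudly-sanity

      # Unit tests run before the binary is built so a broken tool never
      # reaches the AWS account.
      - name: Build
        if: steps.precheck.outputs.should_run == 'true'
        run: |
          go test ./ci_cd_sanity_tests/... -count=1
          go build -o sanity ./ci_cd_sanity_tests/cmd/sanity

      # --expected-account lets the tool refuse to run against the wrong
      # account even if the role ARN secret were misconfigured.
      - name: Run sanity (read-only)
        if: steps.precheck.outputs.should_run == 'true'
        run: |
          ./sanity \
            --region "${AWS_REGION}" \
            --expected-account "${EXPECTED_ACCOUNT}" \
            --out "${REPORT_PATH}"

      # always() so the report is kept when the sanity run fails; still
      # gated on the precheck so skipped runs do not upload anything.
      # The report describes live AWS resources — review artifact retention
      # for this repository if that inventory is sensitive.
      - name: Upload report artifact
        if: always() && steps.precheck.outputs.should_run == 'true'
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: aws-sanity-report
          path: ${{ env.REPORT_PATH }}
          if-no-files-found: ignore

      - name: Skipped summary
        if: steps.precheck.outputs.should_run != 'true'
        run: echo "AWS sanity skipped because required secrets are not configured."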