burningmantech · wsanchez · Nov 13, 2025
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
@@ -3,13 +3,33 @@
 
 name: CI/CD
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["master"]
   pull_request:
     branches: ["master"]
 
 
+defaults:
+  run:
+    shell: bash
+
+
+env:
+  AWS_DEPLOY_ROLE: "arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ranger-gha-deploy"
+  AWS_ECR_IMAGE_PREFIX: "/${{ vars.DEPARTMENT_ID }}/"
+  AWS_ECR_IMAGE_NAME: "${{ vars.PROJECT_ID }}"
+  AWS_ECS_CLUSTER: ${{ vars.DEPARTMENT_ID }}
+  AWS_ECS_CONTAINER_NAME: ${{ vars.PROJECT_ID }}
+  AWS_ECS_SERVICE_STAGING: ${{ vars.PROJECT_ID }}-staging-fg
+  AWS_ECS_TASK_DEFINITION_ARN_STAGING: "arn:aws:ecs:us-west-2:${{ secrets.AWS_ACCOUNT_ID }}:task-definition/${{ vars.PROJECT_ID }}-staging-fg"
+  AWS_ECS_TASK_DEFINITION_FAMILY_STAGING: ${{ vars.PROJECT_ID }}-staging-fg
+  AWS_REGION: us-west-2
+
+
 jobs:
 
   check-syntax:
@@ -19,7 +39,7 @@ jobs:
     timeout-minutes: 5
 
     steps:
-      - name: Harden CI
+      - name: Harden Runner
         uses: step-security/[email protected]
         with:
           egress-policy: audit
@@ -44,7 +64,7 @@ jobs:
 
     steps:
 
-      - name: Harden CI
+      - name: Harden Runner
         uses: step-security/[email protected]
         with:
           egress-policy: audit
@@ -68,7 +88,7 @@ jobs:
         run: ./bin/build
 
       - name: Save Docker image
-        run: docker image save ranger-clubhouse-api:dev | gzip -9 > docker_image.tgz
+        run: docker image save "${{ vars.PROJECT_ID }}:dev" | gzip -9 > docker_image.tgz
 
       - name: Upload Docker image artifacts
         uses: actions/upload-artifact@v5
@@ -86,7 +106,7 @@ jobs:
 
     steps:
 
-      - name: Harden CI
+      - name: Harden Runner
         uses: step-security/[email protected]
         with:
           egress-policy: audit
@@ -115,7 +135,7 @@ jobs:
 
     steps:
 
-      - name: Harden CI
+      - name: Harden Runner
         uses: step-security/[email protected]
         with:
           egress-policy: audit
@@ -136,23 +156,26 @@ jobs:
 
 
   deploy-staging:
-    name: Deploy code from master branch to the staging environment
+    name: Deploy to staging
 
     needs: [check-syntax, unit, docker-build, docker-test]
     if: github.ref == 'refs/heads/master'
 
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 30
+
+    permissions:
+      id-token: write
 
     steps:
 
-      - name: Harden CI
+      - name: Harden Runner
         uses: step-security/[email protected]
         with:
-          egress-policy: audit
-
-      - name: Checkout source code
-        uses: actions/checkout@v5
+          egress-policy: block
+          allowed-endpoints: >
+            *.amazonaws.com:443
+            *.docker.io:443
 
       - name: Download Docker image artifacts
         uses: actions/download-artifact@v6
@@ -162,34 +185,65 @@ jobs:
       - name: Load Docker image
         run: gzip --uncompress --stdout docker_image.tgz | docker image load
 
-      - name: Install Python
-        uses: actions/setup-python@v6
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          aws-region: ${{ env.AWS_REGION }}
+          role-to-assume: ${{ env.AWS_DEPLOY_ROLE }}
+          role-session-name: ranger-gha-${{ github.repository_id }}-${{ github.job }}-${{ github.run_id }}
+
+      - name: Login to AWS ECR
+        id: aws-login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Push docker image to Amazon ECR
+        run: |
+          image_repository="${{ steps.aws-login-ecr.outputs.registry }}${{ env.AWS_ECR_IMAGE_NAME }}"
+          docker login
+          # Push SHA tag
+          docker tag "${{ vars.PROJECT_ID }}:${{ github.sha }}" "${image_repository}:${{ github.sha }}"
+          docker push "${image_repository}:${{ github.sha }}"
+          # Push staging rollback tag
+          if docker pull "${image_repository}:staging"; then
+            echo "Pushing rollback tag for staging"
+            docker tag "${image_repository}:staging" "${image_repository}:staging_rollback"
+            docker push "${image_repository}:staging_rollback"
+          fi
+          # Push staging tag
+          echo "Pushing staging tag"
+          docker tag "${image_repository}:${{ github.sha }}" "${image_repository}:staging"
+          docker push "${image_repository}:staging"
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date "+%Y-%m-%dT%H:%M:%S")" >> "${GITHUB_OUTPUT}"
+
+      - name: Fetch and update current task definition
+        id: new-task-definition
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        with:
+          task-definition-arn: "${{ env.AWS_ECS_TASK_DEFINITION_ARN_STAGING }}"
+          task-definition-family: "${{ env.AWS_ECS_TASK_DEFINITION_FAMILY_STAGING }}"
+          container-name: "${{ env.AWS_ECS_CONTAINER_NAME }}"
+          image: "${{ steps.aws-login-ecr.outputs.registry }}${{ env.AWS_ECR_IMAGE_NAME }}:${{ github.sha }}"
+          environment-variables: |
+            GHA_ACTOR_ID=${{ github.actor_id }}
+            GHA_ACTOR=${{ github.actor }}
+            GHA_EVENT_NAME=${{ github.event_name }}
+            GHA_JOB=${{ github.job }}
+            GHA_REF=${{ github.ref }}
+            GHA_RUN_ATTEMPT=${{ github.run_attempt }}
+            GHA_RUN_ID=${{ github.run_id }}
+            GHA_RUN_NUMBER=${{ github.run_number }}
+            GHA_TRIGGERING_ACTOR=${{ github.triggering_actor }}
+            GHA_WORKFLOW=${{ github.workflow }}
+            GIT_SHA=${{ github.sha }}
+            TASK_UPDATED=${{ steps.date.outputs.date }}
+
+      - name: Update task definition and ECS service
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
         with:
-          python-version: "3.12"
-
-      - name: Deploy to staging
-        run: ./bin/deploy staging
-        env:
-          # https://github.com/burningmantech/ranger-secret-clubhouse/settings/secrets
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
-          AWS_ECR_IMAGE_NAME: ${{ secrets.AWS_ECR_IMAGE_NAME }}
-          AWS_ECS_CLUSTER_STAGING: rangers
-          AWS_ECS_SERVICE_STAGING: ${{ secrets.AWS_ECS_SERVICE_STAGING }}
-          NOTIFY_SMTP_HOST: ${{ secrets.NOTIFY_SMTP_HOST }}
-          NOTIFY_SMTP_USER: ${{ secrets.NOTIFY_SMTP_USER }}
-          NOTIFY_SMTP_PASSWORD: ${{ secrets.NOTIFY_SMTP_PASSWORD }}
-          NOTIFY_EMAIL_RECIPIENT: ${{ secrets.NOTIFY_EMAIL_RECIPIENT }}
-          NOTIFY_EMAIL_SENDER: ${{ secrets.NOTIFY_EMAIL_SENDER }}
-          CI: true
-          PROJECT_NAME: Ranger Secret Clubhouse API Service
-          REPOSITORY_ID: ${{ github.repository }}
-          BUILD_NUMBER: 0
-          BUILD_URL: https://github.com/burningmantech/ranger-secret-clubhouse/commit/${{ github.sha }}/checks
-          COMMIT_ID: ${{ github.event.head_commit.id }}
-          COMMIT_URL: ${{ github.event.head_commit.url }}
-          COMMIT_AUTHOR_USER: ${{ github.event.head_commit.author.username }}
-          COMMIT_AUTHOR_NAME: ${{ github.event.head_commit.author.name }}
-          COMMIT_AUTHOR_EMAIL: ${{ github.event.head_commit.author.email }}
-          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+          task-definition: "${{ steps.new-task-definition.outputs.task-definition }}"
+          service: "${{ env.AWS_ECS_SERVICE_STAGING }}"
+          cluster: "${{ env.AWS_ECS_CLUSTER }}"
+          wait-for-service-stability: true