Pipeline Wiring Workshop

This workshop takes the Terraform root from Lab 1 and wires it to a real GitHub Actions pipeline with OIDC cloud credentials.

Retrieval Prompts

  1. State the three jobs of the minimal capstone workflow.
  2. State the GitHub token claims that the cloud trust policy must constrain.
  3. State the difference between a preview environment and a staging cut-over.
  4. State what the permissions setting id-token: write enables.
  5. State the condition under which terraform apply is allowed to run.

Compare and Distinguish

Separate these pairs clearly:

  • static cloud access key vs OIDC role assumption
  • PR deploy (pull_request) vs main deploy (push to main)
  • needs: dependency vs if: conditional
  • a GitHub environment with protection rules vs a plain secret

Common Mistake Check

For each statement, identify the error:

  1. "My OIDC trust uses sub: repo:org/capstone:* so any branch can deploy."
  2. "I put id-token: write at the top of the workflow because it's easier."
  3. "We run terraform apply on every PR to see what it would do."
  4. "Our preview environments have never been torn down and that's fine because none of them get traffic."
  5. "I'll commit the AWS access key to a repo secret; rotation handles it."

Mini Application

Produce all four, committed to your capstone repo:

  1. .github/workflows/deploy.yml that runs build-test on every push/PR and runs deploy only on push to main.
  2. A working OIDC identity provider and role in your cloud, with trust constrained to repo:<you>/<capstone>:ref:refs/heads/main.
  3. A plan-on-pr job (or step) that runs terraform plan on every PR and posts the plan summary as a comment.
  4. Either (a) a preview-env up/down pair of jobs keyed on pull_request events, or (b) a staging promotion workflow with a GitHub environment: prod that requires manual approval.
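As an added example of what items 1, 3 and 4(b) can look like in a single file (this is not the workshop's reference solution), the workflow below assumes AWS as the cloud, the Lab 1 Terraform root checked in under infra/, two role ARNs stored as repository variables (AWS_DEPLOY_ROLE_ARN and AWS_PLAN_ROLE_ARN, both names chosen here), and a GitHub environment named prod whose protection rule requires a reviewer. Job names, the region, and the action versions are assumptions, not values from the workshop.

```yaml
# .github/workflows/deploy.yml (added example, not the workshop's own file)
# Assumptions: AWS, Terraform root in ./infra, repo variables AWS_DEPLOY_ROLE_ARN
# and AWS_PLAN_ROLE_ARN, and a GitHub environment "prod" with required reviewers.
name: deploy

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default is read-only; id-token: write is granted per job
# below, only to the jobs that actually exchange a token for cloud credentials.
permissions:
  contents: read

env:
  TF_DIR: infra
  AWS_REGION: us-east-1   # assumption: the region the roles live in

jobs:
  # Runs on every push and every PR; needs no cloud credentials at all.
  build-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform -chdir=$TF_DIR fmt -check
      - run: terraform -chdir=$TF_DIR init -backend=false
      - run: terraform -chdir=$TF_DIR validate

  # Runs only on PRs. Uses a separate read-only plan role: the deploy role's
  # trust is pinned to refs/heads/main, and a PR-triggered job presents
  # sub = repo:<you>/<capstone>:pull_request, which that trust must reject.
  plan-on-pr:
    if: github.event_name == 'pull_request'
    needs: build-test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write        # mint the OIDC token for this job only
      pull-requests: write   # post the plan as a PR comment
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_PLAN_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@v3
      - run: terraform -chdir=$TF_DIR init -input=false
      - run: terraform -chdir=$TF_DIR plan -input=false -out=tfplan
      - run: terraform -chdir=$TF_DIR show -no-color tfplan > plan.txt
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const plan = fs.readFileSync('plan.txt', 'utf8');
            // keep the comment under GitHub's body size limit
            const body = '### terraform plan\n```\n' + plan.slice(-60000) + '\n```';
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body,
            });

  # apply is allowed only for a push to main, and only after a reviewer
  # approves the "prod" environment gate.
  deploy:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: build-test
    runs-on: ubuntu-latest
    environment: prod
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_DEPLOY_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@v3
      - run: terraform -chdir=$TF_DIR init -input=false
      - run: terraform -chdir=$TF_DIR plan -input=false -out=tfplan
      - run: terraform -chdir=$TF_DIR apply -input=false -auto-approve tfplan
```

Two points to check against item 2 when you build the roles. First, the deploy role's trust policy should use an exact-match condition (StringEquals, not a StringLike wildcard) on the token's aud claim, which aws-actions/configure-aws-credentials requests as sts.amazonaws.com by default, and on sub equal to repo:<you>/<capstone>:ref:refs/heads/main. Second, because a pull_request run presents a different sub value, the plan job cannot (and should not) assume the deploy role; give the plan role a trust condition on the pull_request sub form and attach only read permissions plus whatever the state backend needs, so a malicious or mistaken PR can at most read.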

Evidence Check

This page is complete only if you can show:

  • one PR whose preview URL (or staging URL) was reachable
  • one merge to main that produced a successful deploy run in Actions
  • zero long-lived cloud access keys in repo or org secrets
  • a terraform plan posted as a comment on one PR

If your pipeline is green but depends on a static cloud key, the workshop is not done.