[AWS] Story 6: CI/CD Pipeline (GitHub Actions)

## Summary

Implement the CI/CD pipeline: GitHub Actions workflow for building, pushing to ECR, and deploying to ECS based on tag conventions.

**Epic**: #174  
**Architecture**: [`docs/architecture/planned/aws-ecs-cdk.md`](https://github.com/sofatutor/llm-proxy/blob/main/docs/architecture/planned/aws-ecs-cdk.md)  
**Related**: #175 (Git Tagging & Release Workflow)

---

## Tasks

### AWS Authentication
- [ ] Configure OIDC identity provider in AWS
- [ ] Create IAM role for GitHub Actions
- [ ] Scope permissions to ECR push and ECS update
- [ ] Document role ARN in repository secrets

### ECR Repository
- [ ] Create ECR repository (if not in CDK)
- [ ] Configure lifecycle policy (keep last 10 images)
- [ ] Enable image scanning on push

### GitHub Actions Workflow
- [ ] Create `.github/workflows/deploy.yml`
- [ ] Trigger on:
  - Push to `main` (staging, if `DEPLOY_STAGING=true`)
  - Tags matching `*-stable` (production)
- [ ] Build Docker image with multi-arch (ARM64)
- [ ] Push to ECR with appropriate tags
- [ ] Force ECS deployment (production only)

### Deployment Strategy
- [ ] Staging: Push to ECR on `main` (configurable)
- [ ] Production: Push + deploy on `*-stable` tags
- [ ] Add deployment status check/wait
- [ ] Fail workflow if deployment unhealthy

### Repository Configuration
- [ ] Document required secrets:
  - `AWS_ROLE_ARN`
- [ ] Document required variables:
  - `AWS_REGION`
  - `ECR_REPOSITORY`
  - `ECS_CLUSTER`
  - `ECS_SERVICE_PROXY`
  - `ECS_SERVICE_DISPATCHER`
  - `DEPLOY_STAGING` (true/false)

---

## Workflow Triggers

| Trigger | ECR Push | ECS Deploy | Environment |
|---------|----------|------------|-------------|
| Push to `main` | ✅ (if staging enabled) | ❌ | Staging |
| Tag `v*` | ✅ | ❌ | - |
| Tag `v*-stable` | ✅ | ✅ | Production |

---

## Acceptance Criteria

- [ ] OIDC authentication works (no long-lived keys)
- [ ] Push to main builds and optionally pushes to staging ECR
- [ ] `*-stable` tags deploy to production
- [ ] ECS services update successfully
- [ ] Workflow waits for deployment health
- [ ] Failed deployments fail the workflow

---

## Dependencies

- Story 3: Compute Layer (ECS services to deploy to)
- #175: Git Tagging & Release Workflow (recommended)

---

## Estimated Effort

**Medium** - 2-3 days

---

## Notes

- Use OIDC for security (no stored AWS credentials)
- Consider adding Slack/Discord notifications
- May want to add manual approval for production

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[AWS] Story 6: CI/CD Pipeline (GitHub Actions) #181

Summary

Tasks

AWS Authentication

ECR Repository

GitHub Actions Workflow

Deployment Strategy

Repository Configuration

Workflow Triggers

Acceptance Criteria

Dependencies

Estimated Effort

Notes

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Trigger	ECR Push	ECS Deploy	Environment
Push to `main`	✅ (if staging enabled)	❌	Staging
Tag `v*`	✅	❌	-
Tag `v*-stable`	✅	✅	Production

[AWS] Story 6: CI/CD Pipeline (GitHub Actions) #181

Description

Summary

Tasks

AWS Authentication

ECR Repository

GitHub Actions Workflow

Deployment Strategy

Repository Configuration

Workflow Triggers

Acceptance Criteria

Dependencies

Estimated Effort

Notes

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions