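---
# Deploys the hello-lambda CloudFormation template on every push to main or
# on manual dispatch, from the self-hosted "nas-safe" runner.
name: Deploy Hello Lambda CFT

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches: [main]

# Least privilege for the job's GITHUB_TOKEN: checkout only needs to read the
# repository and no step writes back to GitHub.
permissions:
  contents: read

# Serialise deploys to the stack: two concurrent `cloudformation deploy` calls
# against the same stack fail once the first one is in progress. Queue rather
# than cancel, so an in-flight deploy is never interrupted mid-change-set.
concurrency:
  group: deploy-hello-lambda-stack
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: nas-safe
    # Credentials come from repository secrets. AWS_SESSION_TOKEN is optional
    # (empty when long-lived keys are used); the region is read from the
    # LOWER secret. Job-level env is visible to every step, including the
    # checkout action.
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
      AWS_DEFAULT_REGION: ${{ secrets.LOWER }}
    steps:
      # TODO(review): pin to a full commit SHA instead of the mutable v4 tag.
      - uses: actions/checkout@v4

      # The runner image is not guaranteed to ship the AWS CLI; install it
      # with whichever package manager is present (Alpine or Debian-family).
      - name: Ensure AWS CLI
        run: |
          if ! command -v aws >/dev/null 2>&1; then
            if command -v apk >/dev/null 2>&1; then
              apk add --no-cache aws-cli
            elif command -v apt-get >/dev/null 2>&1; then
              apt-get update && apt-get install -y awscli
            else
              echo "No supported package manager found for awscli install"
              exit 1
            fi
          fi
          aws --version

      # Fail fast with a clear message before any AWS call. An unset secret
      # expands to an empty string, so the empty check catches it.
      # Written without bash's ${!v} indirect expansion: on the Alpine path
      # above the default step shell may be busybox sh, where ${!v} is a
      # "bad substitution" error rather than a lookup.
      - name: Check required AWS secrets
        run: |
          require() {
            if [ -z "$2" ]; then
              echo "Missing required secret/env: $1"
              exit 1
            fi
          }
          require AWS_ACCESS_KEY_ID "${AWS_ACCESS_KEY_ID:-}"
          require AWS_SECRET_ACCESS_KEY "${AWS_SECRET_ACCESS_KEY:-}"
          require AWS_DEFAULT_REGION "${AWS_DEFAULT_REGION:-}"
          if [ -z "${AWS_SESSION_TOKEN:-}" ]; then
            echo "AWS_SESSION_TOKEN is empty. Proceeding with long-lived access keys."
          else
            echo "AWS_SESSION_TOKEN is set. Proceeding with STS temporary credentials."
          fi

      # Confirms the credentials are valid before touching CloudFormation.
      # get-caller-identity prints the account ID and caller ARN to the job log.
      - name: Verify AWS identity
        run: |
          set -e
          if ! aws sts get-caller-identity; then
            echo "AWS authentication failed. If using STS creds, regenerate and update all 3 secrets: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN."
            exit 1
          fi

      - name: Validate CFT
        run: |
          aws cloudformation validate-template \
            --template-body file://infra/hello-lambda.yml

      # --no-fail-on-empty-changeset: a re-run with no template changes would
      # otherwise fail the job even though the stack is already up to date.
      - name: Deploy CFT
        run: |
          aws cloudformation deploy \
            --stack-name hello-lambda-stack \
            --template-file infra/hello-lambda.yml \
            --capabilities CAPABILITY_NAMED_IAM \
            --no-fail-on-empty-changeset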