From e07c482fb2f01d7444cb74a61a2f50749cbb7d2e Mon Sep 17 00:00:00 2001 From: Anthony Lukach Date: Fri, 18 Apr 2025 09:29:59 -0700 Subject: [PATCH 1/5] chore: update deployment workflow to support pull requests and configure AWS credentials - Added support for pull request triggers in the deployment workflow for specific paths. - Configured AWS credentials using a role to assume, enhancing security. - Updated the AWS region to 'us-west-2' and removed hardcoded access keys. --- .github/workflows/deploy.yaml | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 69514f9..6b65705 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -2,18 +2,31 @@ name: Deployment on: workflow_dispatch: + pull_request: + paths: + - "lib/**" + - "integration_tests/**" + - "package.json" + - "package-lock.json" jobs: build_package_and_deploy: name: Build, package and deploy runs-on: ubuntu-latest timeout-minutes: 90 + permissions: + id-token: write + contents: read env: - AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION_DEPLOY }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_DEPLOY }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_DEPLOY }} - AWS_DEFAULT_ACCOUNT: ${{ secrets.AWS_ACCOUNT_ID }} + AWS_ROLE_ARN: ${{ vars.AWS_ROLE_ARN }} + AWS_DEFAULT_REGION: 'us-west-2' steps: + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ env.AWS_ROLE_ARN }} + aws-region: ${{ env.AWS_DEFAULT_REGION }} + - uses: actions/checkout@v4 - uses: actions/setup-node@v4 @@ -30,7 +43,6 @@ jobs: - name: Generate distribution packages run: npm run package - - name: Install deployment environment id: install_deploy_env run: | 
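Review bot: The `Configure AWS credentials` step is placed first in `steps:`, so the assumed-role session credentials are exported to the job environment before checkout, Node setup and the packaging steps visible in the next hunk, all of which now run on pull-request content because of the added `pull_request:` trigger. Moving that step to immediately before the deploy step would limit the credentials to the commands that need them. Because the job holds `id-token: write`, the action would be better pinned to a full commit SHA than to the mutable `v4` tag, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v4`. The role's trust policy is not visible here; presumably it restricts the `sub` claim to this repository, which is worth confirming now that PR branches can assume the role. The `steps:` list continues outside the hunk.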
@@ -56,12 +68,6 @@ jobs: PROJECT_ID: ${{ steps.short-sha.outputs.sha }} run: | source .deployment_venv/bin/activate - - # synthesize the stack - cd integration_tests/cdk - npx cdk synth --debug --all --require-approval never - - # deploy the stack npx cdk deploy --ci --all --require-approval never deactivate cd - From cad25e3a6b145f803e3a4c51b9f202b7e4b160a7 Mon Sep 17 00:00:00 2001 From: Anthony Lukach Date: Fri, 18 Apr 2025 09:31:03 -0700 Subject: [PATCH 2/5] update template --- .github/pull_request_template.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 01aff37..c14850a 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,4 +1 @@ -## :warning: Checklist if your PR is changing anything else than documentation -- [ ] Posted the link to a successful manually triggered deployment workflow (successful including the resources destruction) - ## Merge request description From 2ea693fc2d6f43fe015d7fd00b5436ce60ee24ba Mon Sep 17 00:00:00 2001 From: Anthony Lukach Date: Fri, 18 Apr 2025 09:39:11 -0700 Subject: [PATCH 3/5] Change email (test deployment trigger) --- package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index 2549b48..4ea3743 100644 --- a/package.json +++ b/package.json @@ -19,8 +19,8 @@ }, "keywords": [], "author": { - "name": "Anthony Lukach", - "email": "anthony@developmentseed.org" + "name": "DevelopmentSeed", + "email": "eoapi@developmentseed.org" }, "repository": { "type": "git", From c242cb43a1e986c584d75e638aba06bf3c62b91b Mon Sep 17 00:00:00 2001 From: Anthony Lukach Date: Fri, 18 Apr 2025 09:50:44 -0700 Subject: [PATCH 4/5] Fix deploy --- .github/workflows/deploy.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 6b65705..20defbd 100644 --- a/.github/workflows/deploy.yaml 
+++ b/.github/workflows/deploy.yaml @@ -68,6 +68,7 @@ jobs: PROJECT_ID: ${{ steps.short-sha.outputs.sha }} run: | source .deployment_venv/bin/activate + cd integration_tests/cdk npx cdk deploy --ci --all --require-approval never deactivate cd - From 1a7eee0e672d2876901dce27e0f32ec6fb13bb62 Mon Sep 17 00:00:00 2001 From: Anthony Lukach Date: Sun, 20 Apr 2025 22:15:04 -0700 Subject: [PATCH 5/5] re-add default_account --- .github/workflows/deploy.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 20defbd..2ef96b0 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -19,6 +19,7 @@ jobs: contents: read env: AWS_ROLE_ARN: ${{ vars.AWS_ROLE_ARN }} + AWS_DEFAULT_ACCOUNT: ${{ secrets.AWS_ACCOUNT_ID }} AWS_DEFAULT_REGION: 'us-west-2' steps: - name: Configure AWS credentials
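Review bot: `AWS_DEFAULT_ACCOUNT: ${{ secrets.AWS_ACCOUNT_ID }}` resolves to an empty string on runs triggered by a pull request from a fork, since repository secrets are not passed to those runs, and the OIDC token the credentials step depends on is not available there either. With the `pull_request:` trigger added in patch 1/5, such a run would likely fail partway through rather than be skipped cleanly. A job-level guard makes the intent explicit: `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. The `env:` block and the rest of the job continue outside the hunk.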