# CI/CD

This repository is deployed as a static site:

```text
GitHub Actions -> build Docusaurus -> sync build/ to S3 -> invalidate CloudFront
                                                           |
                                                           -> Cloudflare Access protects engineering.spwhin.com
```
The app itself does not implement login. Authentication is enforced in front of CloudFront using Cloudflare Access + GitHub OAuth.
## Repositories and workflows

| Repo | Purpose | Workflow |
|---|---|---|
| spwhin-portal | Docusaurus docs portal | `.github/workflows/preview.yml`, `.github/workflows/deploy.yml` |
## Preview flow

`preview.yml` runs on pull requests to `main`:

- Checks out the repo
- Installs Node 20
- Runs `npm ci`
- Runs `npm run build`
- Comments on the PR when the build succeeds
## Production deploy flow

`deploy.yml` runs on pushes to `main` and can also be triggered manually with `workflow_dispatch`.
- Builds the Docusaurus site
- Downloads the build artifact in the deploy job
- Assumes an AWS IAM role using GitHub OIDC
- Syncs the static output to S3
- Invalidates CloudFront
## AWS resources required

The production portal needs these AWS resources:
| Resource | Value | Notes |
|---|---|---|
| S3 bucket | engineering.spwhin.com | Stores built static files |
| ACM certificate | engineering.spwhin.com | Must be issued in us-east-1 for CloudFront |
| CloudFront distribution | Alias engineering.spwhin.com | Uses the S3 bucket as origin |
| IAM OIDC role | Example: github-actions-s3-deploy | Trusted by GitHub Actions for this repo |
## Recommended bucket configuration

- Keep Block Public Access enabled
- Use CloudFront as the only public entrypoint
- Prefer CloudFront Origin Access Control (OAC) over a public bucket policy
- Enable default encryption (`AES256` is sufficient for this site)
- Versioning is optional but recommended
## GitHub configuration required

This repo needs the following Actions secrets:

| Secret | Example | Purpose |
|---|---|---|
| `AWS_DEPLOY_ROLE_ARN` | `arn:aws:iam::763832339314:role/github-actions-s3-deploy` | IAM role assumed by `aws-actions/configure-aws-credentials` |
| `CLOUDFRONT_DISTRIBUTION_ID` | `E123ABC456DEF` | Used for cache invalidation after deploy |
Optional repo or environment variables:

| Variable | Default in workflow | Purpose |
|---|---|---|
| `AWS_REGION` | `ap-south-1` | AWS region for S3 and STS |
| `S3_BUCKET` | `engineering.spwhin.com` | Static site bucket |
| `SITE_URL` | `https://engineering.spwhin.com` | Deployment summary / environment URL |
### Configure secrets with GitHub CLI

```bash
gh secret set AWS_DEPLOY_ROLE_ARN --repo SPW-HEALTHCARE-INNOVATIONS-Pvt-Ltd/spwhin-portal
gh secret set CLOUDFRONT_DISTRIBUTION_ID --repo SPW-HEALTHCARE-INNOVATIONS-Pvt-Ltd/spwhin-portal
```
## AWS bootstrap checklist

The exact AWS creation commands depend on who has provisioning access, but the resource order should be:

- Request or import an ACM certificate for `engineering.spwhin.com` in `us-east-1`
- Create the S3 bucket `engineering.spwhin.com`
- Create the CloudFront distribution with:
  - alternate domain name `engineering.spwhin.com`
  - ACM certificate from `us-east-1`
  - default root object `index.html`
  - HTTPS redirect enabled
  - OAC attached to the S3 origin
- Create or update the IAM OIDC role trusted by GitHub Actions for:
  - repo: `SPW-HEALTHCARE-INNOVATIONS-Pvt-Ltd/spwhin-portal`
  - branch: `refs/heads/main`
- Add the GitHub secrets listed above
- Point DNS for `engineering.spwhin.com` at the CloudFront distribution
- Put Cloudflare Access in front of the hostname
## OIDC trust policy shape

The GitHub deploy role should trust the GitHub OIDC provider and scope access tightly to this repository and branch.

Example subject:

```text
repo:SPW-HEALTHCARE-INNOVATIONS-Pvt-Ltd/spwhin-portal:ref:refs/heads/main
```

At minimum, the role needs:

- `s3:ListBucket` on `engineering.spwhin.com`
- `s3:PutObject`, `s3:DeleteObject`, `s3:GetObject` on `engineering.spwhin.com/*`
- `cloudfront:CreateInvalidation` on the target distribution
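An added example, not code from the spwhin-portal repo: the trust policy this section describes, written as a Python dict so it can be dumped to JSON, plus a small checker that evaluates the `StringEquals`/`StringLike` conditions against a token's `sub` and `aud` claims. It shows that a pull-request ref or another repository's token is refused by the branch pin. The account id is the page's example value; the claim keys are the standard IAM condition keys for the GitHub OIDC provider.

```python
import fnmatch
import json

ACCOUNT_ID = "763832339314"  # example account id from the page's role ARN
REPO = "SPW-HEALTHCARE-INNOVATIONS-Pvt-Ltd/spwhin-portal"
OIDC = "token.actions.githubusercontent.com"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                # audience must be the value configure-aws-credentials requests
                f"{OIDC}:aud": "sts.amazonaws.com",
                # exact branch pin: PR merge refs and other branches do not match
                f"{OIDC}:sub": f"repo:{REPO}:ref:refs/heads/main",
            }
        },
    }],
}


def _matches(operator, expected, actual):
    """Evaluate one IAM string condition operator; a list of expected values is an OR."""
    values = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual in values
    if operator == "StringLike":  # IAM wildcards * and ? map onto fnmatch
        return any(fnmatch.fnmatchcase(actual, v) for v in values)
    raise ValueError(f"unsupported condition operator {operator}")


def assume_role_allowed(policy, claims):
    """True if some Allow statement for AssumeRoleWithWebIdentity has every condition satisfied.

    `claims` is keyed the way IAM exposes token claims as condition keys."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        conditions = stmt.get("Condition", {})
        if all(_matches(op, exp, claims.get(key, ""))
               for op, keys in conditions.items() for key, exp in keys.items()):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
```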
## Cloudflare handoff

After AWS is ready:

- Create a proxied DNS record in Cloudflare for `engineering.spwhin.com`
- Point it to the CloudFront distribution domain name
- Follow the GitHub SSO Setup — Cloudflare Access guide
- Verify that anonymous traffic is blocked before opening access to the team
## Validation

Before merging any deployment change, run:

```bash
npm run typecheck
npm run build
```
After merge to main:
- Check the `Deploy portal to S3 and CloudFront` workflow
- Open `https://engineering.spwhin.com`
- Confirm the Cloudflare Access login appears
- Sign in with a GitHub account inside the allowed org
- Confirm docs pages load and hard refresh succeeds