WIP:Enhance CI/CD workflows and deployment configurations for TalentStreamAI

.github/aws/github-oidc-trust-policy.json.example

@@ -12,7 +12,10 @@
           "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
         },
         "StringLike": {
-          "token.actions.githubusercontent.com:sub": "repo:GITHUB_ORG/REPO:*"
+          "token.actions.githubusercontent.com:sub": [
+            "repo:OWNER/REPO:ref:refs/heads/main",
+            "repo:OWNER/REPO:ref:refs/tags/*"
+          ]
         }
       }
     }

.github/aws/github-oidc-trust-policy.json.tftpl

@@ -0,0 +1,20 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "${provider_arn}"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+        },
+        "StringLike": {
+          "token.actions.githubusercontent.com:sub": ${github_subs_json}
+        }
+      }
+    }
+  ]
+}

.github/workflows/ci.yml

@@ -1,7 +1,4 @@
-# Scaffold — replace this workflow with real checks when the team is ready.
-# Suggested jobs: uv sync + tests (backend), npm ci + lint + build (frontend), terraform fmt/validate.
-
-name: CI (scaffold)
+name: CI
 
 on:
   pull_request:
@@ -12,12 +9,57 @@ permissions:
   contents: read
 
 jobs:
-  placeholder:
+  frontend:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
 
-      - name: CI not wired yet
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Require Clerk publishable key for frontend build
+        run: |
+          if [ -z "${{ vars.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}" ]; then
+            echo "Set Actions variable NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY (Clerk publishable key, e.g. pk_test_...)."
+            echo "Repository Settings → Secrets and variables → Actions → Variables"
+            exit 1
+          fi
+
+      - name: Lint and build frontend
+        working-directory: frontend
+        env:
+          NEXT_PUBLIC_API_URL: ""
+          NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ vars.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
+        run: |
+          npm ci
+          npm run lint
+          npm run build
+
+  backend-lambda-package:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Build Lambda artifact
+        run: python3 scripts/prep_backend_lambda.py
+
+  terraform-validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.6.6
+
+      - name: Terraform fmt and validate
+        working-directory: terraform
         run: |
-          echo "TalentStreamAI CI scaffold: no commands run here."
-          echo "Add jobs for backend (uv), frontend (npm), and Terraform when pipelines should gate merges."
+          terraform fmt -check
+          terraform init -input=false -backend=false
+          terraform validate

.github/workflows/deploy-aws.yml

@@ -1,31 +1,116 @@
-# Scaffold — no AWS calls. Copy patterns from AWS docs when you add OIDC, terraform apply, image push, etc.
-
-name: Deploy (scaffold)
+name: Deploy AWS
 
 on:
   workflow_dispatch:
     inputs:
       environment:
-        description: Placeholder label for future dev/staging/prod deploys
+        description: Deployment environment
         type: choice
         options:
           - dev
           - staging
           - prod
         default: dev
+      target:
+        description: Which deployment flow to run
+        type: choice
+        options:
+          - oidc
+          - frontend
+          - backend
+          - all
+        default: all
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
-  placeholder:
+  deploy:
     runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
     steps:
       - uses: actions/checkout@v4
 
-      - name: Deploy not wired yet
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.6.6
+
+      - name: Configure AWS credentials (OIDC)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION || 'eu-central-1' }}
+
+      - name: Setup Terraform backend and tfvars
         run: |
-          echo "TalentStreamAI deploy scaffold: no AWS credentials or Terraform apply in this workflow."
-          echo "When ready: add OIDC (see .github/aws/github-oidc-trust-policy.json.example), repository secrets/vars,"
-          echo "then steps for terraform init/apply, ECR push, S3 sync, CloudFront invalidation, etc."
-          echo "Environment label (for future use): ${{ inputs.environment }}"
+          cat > terraform/backend.hcl <<EOF
+          bucket         = "${{ vars.TF_STATE_BUCKET }}"
+          key            = "${{ vars.TF_STATE_KEY_PREFIX || 'talentstreamai' }}/${{ inputs.environment }}/terraform.tfstate"
+          region         = "${{ vars.AWS_REGION || 'eu-central-1' }}"
+          dynamodb_table = "${{ vars.TF_STATE_LOCK_TABLE }}"
+          encrypt        = true
+          EOF
+          cat > terraform/terraform.tfvars <<EOF
+          aws_region   = "${{ vars.AWS_REGION || 'eu-central-1' }}"
+          project_name = "${{ vars.TF_PROJECT_NAME || 'talentstreamai' }}"
+          environment  = "${{ inputs.environment }}"
+          github_org   = "${{ vars.REPOSITORY_OWNER }}"
+          github_repo  = "${{ vars.REPOSITORY_NAME }}"
+          github_ref_patterns = ["ref:refs/heads/main"]
+          create_oidc_provider = ${{ vars.TF_CREATE_OIDC_PROVIDER || 'true' }}
+          existing_oidc_provider_arn = "${{ vars.TF_EXISTING_OIDC_PROVIDER_ARN || '' }}"
+          deploy_role_name = "${{ vars.TF_DEPLOY_ROLE_NAME || 'github-actions-talentstreamai-deploy' }}"
+          frontend_bucket_name = "${{ vars.FRONTEND_BUCKET_NAME }}"
+          lambda_function_name = "${{ vars.LAMBDA_FUNCTION_NAME || 'talentstreamai-api' }}"
+          lambda_handler = "app.lambda_handler.handler"
+          clerk_jwt_issuer = "${{ vars.CLERK_JWT_ISSUER }}"
+          clerk_jwt_audiences = ["${{ vars.CLERK_JWT_AUDIENCE }}"]
+          cors_origins = "${{ vars.CORS_ORIGINS }}"
+          deployment_environment = "${{ inputs.environment }}"
+          lambda_environment = {}
+          lambda_secret_arns = []
+          create_app_config_secret = true
+          app_config_secret_name = "${{ vars.APP_CONFIG_SECRET_NAME || 'talentstreamai/app-config' }}"
+          app_config_secret_description = "Application runtime secret payload for TalentStreamAI Lambda."
+          api_stage_name = "\$default"
+          state_bucket_arn = "arn:aws:s3:::${{ vars.TF_STATE_BUCKET }}"
+          state_bucket_objects_arn = "arn:aws:s3:::${{ vars.TF_STATE_BUCKET }}/*"
+          state_lock_table_arn = "arn:aws:dynamodb:${{ vars.AWS_REGION || 'eu-central-1' }}:${{ vars.AWS_ACCOUNT_ID }}:table/${{ vars.TF_STATE_LOCK_TABLE }}"
+          EOF
+
+      - name: Bootstrap OIDC role only
+        if: ${{ inputs.target == 'oidc' }}
+        env:
+          TF_ENVIRONMENT: ${{ inputs.environment }}
+        run: python3 scripts/setup_github_oidc.py --environment "${TF_ENVIRONMENT}"
+
+      - name: Deploy frontend only
+        if: ${{ inputs.target == 'frontend' }}
+        env:
+          TF_ENVIRONMENT: ${{ inputs.environment }}
+          NEXT_PUBLIC_API_URL: ""
+          NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ vars.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
+        run: python3 scripts/deploy_frontend.py --environment "${TF_ENVIRONMENT}"
+
+      - name: Deploy backend only
+        if: ${{ inputs.target == 'backend' }}
+        env:
+          TF_ENVIRONMENT: ${{ inputs.environment }}
+        run: python3 scripts/deploy_backend.py --environment "${TF_ENVIRONMENT}"
+
+      - name: Deploy full stack
+        if: ${{ inputs.target == 'all' }}
+        env:
+          TF_ENVIRONMENT: ${{ inputs.environment }}
+          NEXT_PUBLIC_API_URL: ""
+          NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ vars.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
+        run: python3 scripts/deploy_all.py --environment "${TF_ENVIRONMENT}"

.gitignore

@@ -34,6 +34,8 @@ yarn-error.log*
 # Terraform
 .terraform/
 terraform/terraform.tfvars
+terraform/bootstrap/terraform.tfvars
+terraform.tfstate.d/
 terraform/backend.hcl
 *.tfstate
 *.tfstate.*