Promote deploy role fallback cleanup #9

Merged: OziinG merged 2 commits into main from dev, Apr 30, 2026

OziinG commented Apr 30, 2026

Summary

  • Promotes the cleanup that removes ECR build-only role fallback from deploy-ec2.
  • Keeps the workflow waiting for a Tomotono deploy-capable role reference.

Verification

  • workflow YAML parse
  • git diff --check

Follow-up for #3.

OziinG and others added 2 commits April 30, 2026 14:20
Keep the Tomotono EC2 workflow limited to deploy-capable role references after AWS rejected the visible ECR build role for this new repo.

Constraint: The only visible shared role ARN was not trusted for EVNSolution/tomotono-route-console and failed OIDC assume-role.

Rejected: Falling back to ECR_BUILD_AWS_ROLE_ARN | it is build-only and not the SSM deployment permission surface.

Confidence: high

Scope-risk: narrow

Directive: Add a Tomotono-specific deploy role variable/secret instead of reusing build-only roles.

Tested: workflow YAML parse; git diff --check.

Not-tested: Live deploy after removing the fallback because no trusted deploy role is currently exposed to this repo.

Related: #3

Co-authored-by: OmX <omx@oh-my-codex.dev>
Merge PR #8 to avoid using build-only roles for EC2 deploy.
OziinG merged commit e1ab6ed into main Apr 30, 2026
2 checks passed
OziinG mentioned this pull request Apr 30, 2026