./.github/workflows/deploy-infrastructure.yml
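# Deploys the knowledge-base CDK stacks on pushes to main (or on manual
# dispatch). AWS access is obtained through GitHub OIDC federation, so no
# long-lived access keys are stored as repository secrets; the assumed role's
# trust policy must accept this repository's OIDC subject.
name: Deploy Infrastructure (knowledge-base)

on:
  push:
    branches: [main]
    # Only changes under the infrastructure-relevant paths trigger a deploy.
    paths:
      - "knowledge-base/cdk/**"
      - "knowledge-base/lambda/**"
      - "knowledge-base/prompts/**"
  workflow_dispatch:
    inputs:
      reason:
        description: "手動デプロイの理由"
        required: false
        default: "手動実行"

# Least-privilege GITHUB_TOKEN: id-token:write is needed to mint the OIDC
# token that is exchanged for AWS credentials; repository access stays read-only.
permissions:
  id-token: write # required to request the OIDC token
  contents: read

# Serialise deploys: two overlapping `cdk deploy` runs against the same stacks
# would race on CloudFormation. An in-flight deploy is never cancelled.
concurrency:
  group: deploy-infrastructure-knowledge-base
  cancel-in-progress: false

jobs:
  deploy:
    name: CDK Deploy (ap-northeast-1 + us-east-1)
    runs-on: ubuntu-latest
    env:
      AWS_REGION: ap-northeast-1
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "18"
          cache: "npm"
          # The cache key must come from the lockfile that `npm ci` installs
          # from, not from package.json; otherwise lockfile-only changes are
          # served a stale cache. Assumes the lockfile is package-lock.json.
          cache-dependency-path: knowledge-base/cdk/package-lock.json

      # NOTE(review): third-party actions are pinned to major tags, which are
      # mutable. Pinning to a full commit SHA (with a version comment) would
      # remove that supply-chain exposure.
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::903877990773:role/github-actions-knowledge-base
          # Reuse the job-level region so the two cannot drift apart.
          aws-region: ${{ env.AWS_REGION }}
          # The run id in the session name lets CloudTrail events be traced
          # back to a specific workflow run.
          role-session-name: GitHubActions-InfraDeploy-${{ github.run_id }}

      - name: Verify AWS identity
        run: aws sts get-caller-identity

      - name: Install CDK dependencies
        working-directory: knowledge-base/cdk
        run: npm ci

      - name: TypeScript build
        working-directory: knowledge-base/cdk
        run: npm run build

      # NOTE(review): the caret range resolves to whatever 2.x is newest at run
      # time; an exact version (or the CLI pinned in the project's lockfile)
      # would make the toolchain reproducible.
      - name: Install CDK CLI
        run: npm install -g aws-cdk@^2.120.0

      # Informational only: the diff goes to the job log and `|| true` keeps
      # this step from ever failing, so a problem here is not caught until
      # the deploy step.
      - name: CDK diff (変更確認)
        working-directory: knowledge-base/cdk
        run: cdk diff --all 2>&1 || true

      # --require-approval never applies IAM and security-group changes without
      # interactive confirmation; review of such changes happens at PR time.
      - name: "CDK deploy (--all: WafStack + HistoricalResearchStack)"
        working-directory: knowledge-base/cdk
        run: |
          cdk deploy --all \
            --require-approval never \
            --outputs-file ./cdk-outputs.json

      - name: Show stack outputs
        if: success()
        working-directory: knowledge-base/cdk
        run: |
          echo "=== Stack Outputs ==="
          cat cdk-outputs.json 2>/dev/null || echo "(no outputs file)"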