txpipe · mduthey · Apr 16, 2026 · Apr 16, 2026 · coderabbitai · Apr 16, 2026
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,58 @@
+name: Deploy
+
+on:
+  workflow_run:
+    workflows: ["Build"]
+    types:
+      - completed
+
+  workflow_dispatch: {}
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  check-secrets:
+    if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - id: check
+        run: |
+          if [ -z "${{ secrets.AWS_ACCESS_KEY_ID }}" ] || \
+             [ -z "${{ secrets.AWS_SECRET_ACCESS_KEY }}" ] || \
+             [ -z "${{ secrets.AWS_ROLE_TO_ASSUME }}" ] || \
+             [ -z "${{ secrets.AWS_ROLE_SESSION_NAME }}" ] || \
+             [ -z "${{ secrets.AWS_EKS_CLUSTER_NAME }}" ] || \
+             [ -z "${{ secrets.AWS_EKS_DEPLOYMENT_NAME }}" ] || \
+             [ -z "${{ secrets.AWS_EKS_NAMESPACE }}" ]; then
+            echo "has-secrets=false" >> "$GITHUB_OUTPUT"
+            echo "::warning::One or more required secrets are missing. Skipping deploy."
+          else
+            echo "has-secrets=true" >> "$GITHUB_OUTPUT"
+          fi
+
+  deploy:
+    needs: check-secrets
+    if: ${{ needs.check-secrets.outputs.has-secrets == 'true' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-west-2
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-session-name: ${{ secrets.AWS_ROLE_SESSION_NAME }}
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
-          role-session-name: ${{ secrets.AWS_ROLE_SESSION_NAME }}
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-session-name: ${{ secrets.AWS_ROLE_SESSION_NAME }}
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
-          role-session-name: ${{ secrets.AWS_ROLE_SESSION_NAME }}
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-session-name: ${{ secrets.AWS_ROLE_SESSION_NAME }}
+          role-duration-seconds: 1200
+
+      - name: Setup kubeconfig
+        shell: bash
+        run: aws eks update-kubeconfig --name ${{ secrets.AWS_EKS_CLUSTER_NAME }} --region us-west-2
+
+      - name: Update Kubernetes Docs deployment
+        run: |
+          kubectl set image ${{ secrets.AWS_EKS_DEPLOYMENT_NAME }} main=ghcr.io/txpipe/docs:${{ github.sha }} --namespace=${{ secrets.AWS_EKS_NAMESPACE }}
-      - name: Update Kubernetes Docs deployment
-        run: |
-          kubectl set image ${{ secrets.AWS_EKS_DEPLOYMENT_NAME }} main=ghcr.io/txpipe/docs:${{ github.sha }} --namespace=${{ secrets.AWS_EKS_NAMESPACE }}
+      - name: Update Kubernetes Docs deployment
+        run: |
+          kubectl set image ${{ secrets.AWS_EKS_DEPLOYMENT_NAME }} main=ghcr.io/txpipe/docs:${{ github.sha }} --namespace=${{ secrets.AWS_EKS_NAMESPACE }}
+          kubectl rollout status deployment/${{ secrets.AWS_EKS_DEPLOYMENT_NAME }} --namespace=${{ secrets.AWS_EKS_NAMESPACE }} --timeout=300s
-      - name: Update Kubernetes Docs deployment
-        run: |
-          kubectl set image ${{ secrets.AWS_EKS_DEPLOYMENT_NAME }} main=ghcr.io/txpipe/docs:${{ github.sha }} --namespace=${{ secrets.AWS_EKS_NAMESPACE }}
+      - name: Update Kubernetes Docs deployment
+        run: |
+          kubectl set image ${{ secrets.AWS_EKS_DEPLOYMENT_NAME }} main=ghcr.io/txpipe/docs:${{ github.sha }} --namespace=${{ secrets.AWS_EKS_NAMESPACE }}
+          kubectl rollout status deployment/${{ secrets.AWS_EKS_DEPLOYMENT_NAME }} --namespace=${{ secrets.AWS_EKS_NAMESPACE }} --timeout=300s