[[CICD]] tool built into [[GitHub]].

## #OpenQuestions

- How to deploy to AWS without using long-lived IAM credentials?
  - ~~[See this solution](https://github.com/glassechidna/actions2aws#how-it-work)~~
  - Best solution: [AWS federation comes to GitHub Actions | Aidan Steele’s blog](https://awsteele.com/blog/2021/09/15/aws-federation-comes-to-github-actions.html) by [[@Aidan Steele]]. https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
- How would a human gate be performed? And should this even be implemented, as it actively discourages fully automated [[Continuous Deployment]]?
- How to ensure that only engineers with elevated permissions can make changes to the GitHub workflow steps?
- How to ensure that secrets are scoped to specific branches, e.g. that PRs can't deploy to production by accidentally reading the wrong secret?
- What are its weaknesses for [[Continuous Deployment]] of [[AWS]] serverless apps compared to [[AWS CodePipeline|CodePipeline]]?

---

## References

---
tags:
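
An added example, not part of the original note or of the linked projects: with the OIDC federation approach from the first open question there is no stored AWS secret, so the branch-scoping question becomes a check on the IAM role's trust policy. The sample policy, account ID, org/repo names and the `audit_trust_policy` helper are constructed for illustration, and GitHub's default `sub` claim format is assumed.

```python
import fnmatch
import json

ISSUER = "token.actions.githubusercontent.com"

# Constructed sample trust policy; account ID, org and repo are placeholders.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:*"}}}]}""")

def _values(cond, operators, key):
    """Collect the values given for `key` under any of `operators`, as a flat list."""
    out = []
    for op in operators:
        v = cond.get(op, {}).get(key)
        if v is not None:
            out += v if isinstance(v, list) else [v]
    return out

def audit_trust_policy(policy, repo, branch):
    """Return findings for a role that only `branch` of `repo` should be able to assume."""
    findings = []
    expected = f"repo:{repo}:ref:refs/heads/{branch}"
    pr_sub = f"repo:{repo}:pull_request"  # default sub claim for pull_request runs
    stmts = policy["Statement"]
    for st in stmts if isinstance(stmts, list) else [stmts]:
        principal = st.get("Principal")
        fed = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if st.get("Effect") != "Allow" or ISSUER not in str(fed):
            continue  # not a GitHub OIDC trust statement
        cond = st.get("Condition", {})
        if "sts.amazonaws.com" not in _values(cond, ["StringEquals"], f"{ISSUER}:aud"):
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = _values(cond, ["StringEquals", "StringLike"], f"{ISSUER}:sub")
        if not subs:
            findings.append("no sub condition: workflows in any GitHub repository can assume this role")
        for pat in subs:
            # fnmatch approximates IAM StringLike wildcards (* and ?)
            if fnmatch.fnmatchcase(pr_sub, pat):
                findings.append(f"sub '{pat}' admits pull_request workflows")
            elif pat != expected:
                findings.append(f"sub '{pat}' is not exactly '{expected}'")
    return findings
```

Running `audit_trust_policy(SAMPLE_POLICY, "example-org/example-repo", "main")` flags the wildcard `sub`, which would let a PR-triggered workflow assume the production role.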