Trigger
The generated workflow (`cloudformation-deploy-<environment>.yml`) runs on pushes to `main` by default. Duplicate or adjust the trigger section if you want pull request previews or scheduled deploys.
```yaml
on:
  push:
    branches: [main]
```
Job flow
- Checkout: pulls the repository so Rain, Checkov, and cfn-lint have access to your templates.
- Configure AWS credentials: uses `aws-actions/configure-aws-credentials@v4` with OIDC to assume `GitHubActionsServiceRole` inside the account specified by `vars.<ENV>_AWS_ACCOUNT_ID`.
- Install Rain: downloads the latest Rain release, installs it into `/usr/local/bin`, and prints the version for audit trails.
- Static analysis: runs `cfn-lint` and the Checkov GitHub Action with `.checkov.yml` to enforce policy.
- Deploy: calls `./scripts/deploy-templates.sh -e <environment>` to apply every template in the repository.
Each step fails the job on error, so your templates will not deploy if any linting or scanning issue is detected.
Customizing the pipeline
- To limit deployments to a subset of templates, edit the deploy script or wrap it in another script that filters the file list.
- To post results in Slack or Teams, add a step after deployment that consumes the Rain output and sends a message.
- To promote changes through multiple accounts, chain jobs and reuse the deploy step with different `role-to-assume` values and `-e` flags.
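The job flow above and the multi-account promotion pattern, as an added example workflow that is not the generated file from this project. It assumes environments named `dev` and `prod`, a `templates/` directory, a `vars.AWS_REGION` repository variable and a helper `scripts/install-rain.sh`; the account-ID variables and role name follow the naming the page describes. Note the `permissions` block: the job receives only an OIDC token and read access to the checkout, so no long-lived AWS keys are stored in GitHub.

```yaml
name: cloudformation-deploy-multi-account
on:
  push:
    branches: [main]

# Least privilege for the GITHUB_TOKEN: OIDC token to assume the AWS role, read-only checkout.
permissions:
  id-token: write
  contents: read

jobs:
  deploy-dev:
    runs-on: ubuntu-latest
    environment: dev
    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS credentials (OIDC, no static keys)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ vars.DEV_AWS_ACCOUNT_ID }}:role/GitHubActionsServiceRole
          aws-region: ${{ vars.AWS_REGION }}          # assumed repository variable
      - name: Install Rain
        run: ./scripts/install-rain.sh                # assumed helper: installs to /usr/local/bin, prints version
      - name: Static analysis (fails the job before anything is deployed)
        run: |
          pip install cfn-lint checkov
          cfn-lint templates/*.yaml
          checkov --config-file .checkov.yml -d templates
      - name: Deploy to dev
        run: ./scripts/deploy-templates.sh -e dev

  deploy-prod:
    needs: deploy-dev                                 # prod runs only after dev succeeded
    runs-on: ubuntu-latest
    environment: prod                                 # add required reviewers here for a manual approval gate
    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS credentials (OIDC, separate prod role)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ vars.PROD_AWS_ACCOUNT_ID }}:role/GitHubActionsServiceRole
          aws-region: ${{ vars.AWS_REGION }}
      - name: Install Rain
        run: ./scripts/install-rain.sh
      - name: Deploy to prod
        run: ./scripts/deploy-templates.sh -e prod
```

Each account's role trust policy should restrict the OIDC `sub` claim to this repository and branch, so a token from another repository or branch cannot assume `GitHubActionsServiceRole`.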
Observability
Rain logs stack events directly to the workflow output. For deeper troubleshooting, open the CloudFormation console in the target account and inspect the stack events that match the template name you deployed.
Ready to work locally? Head to the Local Development guide.