Deploy workflow
cloudformation-deploy-<environment>.yml handles end-to-end deployments for a single environment.
- Trigger:
pushtomainby default. Modify theonblock if you want manual dispatch or pull-request previews. - Credentials: Assumes
arn:aws:iam::${{ vars.<ENV>_AWS_ACCOUNT_ID }}:role/GitHubActionsServiceRoleusing GitHub OIDC. Make sure the role exists (created by the OIDC provider template) and trust policy matches your repository. - Rain install: Downloads the latest Rain release from GitHub. If you need a pinned version, hard-code the tag in the script block.
- Validation steps: Runs
cfn-lintandbridgecrewio/checkov-action@v12. Extend this section with additional scanners if your organization requires them. - Deployment: Executes
./scripts/deploy-templates.sh -e <environment>. Update this line if you wrap the deploy script with additional logic.
Lint-only workflow
cfn-lint-scan.yml executes CloudFormation linting without deploying. It is useful for pull requests when you want fast syntax checks.
- Triggered on pull requests to
main. - Runs
cfn-lintagainst every template in the repository. - Can be extended with matrix strategies if you want to support multiple Python versions or regions.
Security scan workflow
checkov-scan.yml runs Checkov in isolation.
- Triggered on pull requests to
main. - Uses
.checkov.ymlto focus tests on CloudFormation (skip Terraform or Kubernetes checks you do not need). - Fails the build if any high severity finding is detected. Adjust the
soft_failinput if you want warnings instead.
Best practices
- Keep workflows small and composable; it is easier to reason about validators when they do one thing.
- If you add organization-wide actions (for example Slack notifications), use composite actions so you can reuse them across environments.
- Protect the
mainbranch so only passing workflows can merge, ensuring infrastructure changes always pass validation and deployment checks.
For a walkthrough of how these workflows execute during day-to-day operations, revisit the CI/CD Workflow guide.