feat(bootstrap): mise tasks and deploy.yml integration #127

@scottschreckengaust

Description

Parent

Sub-issue 7 of #120 (RFC: Least-privilege CDK bootstrap policies as code)

Branch strategy

feat/bootstrap-cicd → targets feat/bootstrap-preflight

Estimated review time: ~20 min

Summary

Wire the preflight validator into the deployment pipeline and local task dependency chain. Ensures no deploy happens without validation — in CI or locally.

Deliverables

  • Update cdk/mise.toml:
    • Add task dependency: deploy depends on preflight
    • Add //cdk:bootstrap:check task — CI-only variant (read-only, no deploy, just validation)
    • Document --force override for emergency deploys that skip preflight
  • Update .github/workflows/deploy.yml:
    • Add preflight step before cdk deploy step
    • Preflight uses read-only AWS credentials (only cloudformation:DescribeStacks)
    • Preflight failure blocks the deploy with clear output
  • Update .github/workflows/build.yml:
    • Add bootstrap:check step after synth
    • Validates generated cdk/bootstrap/ artifacts are up to date (no uncommitted drift)
    • Validates Aspect passes (already happens during synth, but make explicit in CI output)
  • Create cdk/test/bootstrap/integration.test.ts:
    • End-to-end test: synth → aspect passes → preflight mock returns PASS → deploy would proceed
    • End-to-end test: synth → aspect passes → preflight mock returns FAIL → deploy blocked

Key design decisions

  • build.yml (PR CI): runs Aspect via synth + checks generated artifacts are committed. No AWS credentials needed.
  • deploy.yml (deploy CI): runs live preflight. Needs only cloudformation:DescribeStacks (not full deploy creds).
  • Local mise //cdk:deploy depends on preflight — developers can't accidentally skip it. --force flag exists for emergencies but is documented as "you better know what you're doing."
  • Preflight is a separate step (not embedded in deploy) so CI logs clearly show "preflight passed" vs "deploy started."
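As an added illustration of the gate the integration test (synth → aspect → preflight mock → deploy proceeds/blocked) and the design decisions above describe, here is a small TypeScript model of the preflight-to-deploy decision. This is example code, not the repository's own; it assumes the default bootstrap stack name CDKToolkit and that preflight passes only when the stack exists in a healthy status, and it replaces the real DescribeStacks call with a constructed in-memory mock so it runs offline.

```typescript
// Added example: models the preflight -> deploy gate. Not the project's code.
// Assumption: preflight checks the CDK bootstrap stack via a read-only
// DescribeStacks call and passes only for a healthy stack status.

interface DescribeStacksClient {
  // Mirrors the single permission the preflight needs (cloudformation:DescribeStacks).
  describeStacks(stackName: string): { StackStatus: string } | undefined;
}

type PreflightResult = { status: "PASS" } | { status: "FAIL"; reason: string };

// Statuses that indicate a usable bootstrap stack (assumption for this example).
const HEALTHY = new Set(["CREATE_COMPLETE", "UPDATE_COMPLETE"]);

// Read-only validation step; never mutates anything, so it can run with
// credentials that carry nothing beyond DescribeStacks.
function runPreflight(client: DescribeStacksClient, stackName = "CDKToolkit"): PreflightResult {
  const stack = client.describeStacks(stackName);
  if (!stack) return { status: "FAIL", reason: `${stackName} not found` };
  if (!HEALTHY.has(stack.StackStatus)) {
    return { status: "FAIL", reason: `${stackName} is in ${stack.StackStatus}` };
  }
  return { status: "PASS" };
}

// Deploy gate: a FAIL blocks the deploy unless --force is given, and the
// override is always surfaced in the log so CI output makes it obvious.
function deployGate(result: PreflightResult, force = false): { proceed: boolean; log: string } {
  if (result.status === "PASS") return { proceed: true, log: "preflight passed" };
  if (force) {
    return { proceed: true, log: `preflight FAILED (${result.reason}); --force override used` };
  }
  return { proceed: false, log: `preflight FAILED (${result.reason}); deploy blocked` };
}

// Constructed mock standing in for CloudFormation; keys are stack names.
function mockClient(stacks: Record<string, string>): DescribeStacksClient {
  return {
    describeStacks: (name) => (name in stacks ? { StackStatus: stacks[name] } : undefined),
  };
}
```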

Acceptance criteria

  • mise //cdk:deploy fails if preflight fails (locally)
  • deploy.yml blocks deploy on preflight failure
  • build.yml catches stale generated artifacts
  • Force-override is documented and works
  • No regression in existing CI workflows

Labels: enhancement (New feature or request)