Skip to content

feat(ci): synth-per-variant build with github:* context in artifact#91

Merged
scottschreckengaust merged 7 commits into
mainfrom
feat/build-synth-per-variant
May 14, 2026
Merged

feat(ci): synth-per-variant build with github:* context in artifact#91
scottschreckengaust merged 7 commits into
mainfrom
feat/build-synth-per-variant

Conversation

@scottschreckengaust
Copy link
Copy Markdown
Contributor

@scottschreckengaust scottschreckengaust commented May 14, 2026
edited
Loading

Summary

  • Adds strategy.matrix with variant: [agentcore] to the build job
  • Generates cdk/cdk.context.json before build with all 13 github:* tags, computeVariant, and stackName — CDK reads this automatically during synth, baking tags into CloudFormation templates
  • Resolves tag values per event type (pull_request, merge_group, push, workflow_dispatch) using intermediate env vars to prevent script injection (CWE-78)
  • Uploads cdk/cdk.out/ + cdk/cdk.context.json as immutable artifact (cdk-<variant>-out) for downstream deploy.yml
  • Adds /cdk/cdk-*.out/ to .gitignore

How it works

build.yml:
  Resolve github:* → Generate cdk.context.json → mise run build (synth reads context) → Upload artifact
                                                                                              ↓
deploy.yml (future):                                                     Download artifact → cdk deploy --app cdk.out

CDK's Tags.of(stack).add() in main.ts calls app.node.tryGetContext('github:sha') etc. during synthesis. The values come from cdk.context.json, so they are baked directly into the template's resource Tags arrays. No context flags needed at deploy time.

Context values generated

Key Source (pull_request) Source (merge_group) Source (push)
github:sha PR head SHA merge group head SHA commit SHA
github:ref head branch base ref (target) ref name
github:ref-type branch branch branch or tag
github:actor github.actor github.actor github.actor
github:head-ref source branch queue branch empty
github:base-ref target branch target branch empty
github:pr-number PR number extracted from queue ref empty
github:run-id github.run_id github.run_id github.run_id
github:run-attempt github.run_attempt github.run_attempt github.run_attempt
github:event github.event_name github.event_name github.event_name
github:workflow github.workflow github.workflow github.workflow
github:repository github.repository github.repository github.repository
github:clean true true true

Local verification

$ jq -n '{...}' > cdk/cdk.context.json && cd cdk && npx cdk synth -q
$ jq '[ .. | objects | .Tags? // empty | arrays | .[] | select(.Key? | startswith("github:")) ] | unique_by(.Key)' cdk.out/*.template.json
→ All 13 tags present, 132/299 resources tagged (all taggable resources)

Follow-ups

  • Additional variants (ecs, eks) added to matrix when compute paths are implemented
  • deploy.yml downloads the artifact and runs cdk deploy --app cdk.out — no re-synthesis needed

Test plan

  • CI build passes with matrix strategy (build (agentcore))
  • cdk-agentcore-out artifact appears in workflow run (contains cdk.out/ + cdk.context.json)
  • Mutation check passes (cdk.context.json is gitignored)
  • Local synth confirms all 13 github:* tags baked into CloudFormation template
  • Semgrep passes — no script injection (all GitHub context via env: + jq --arg)

Refs: #73, #84, #93

🤖 Generated with Claude Code

scottschreckengaust
scottschreckengaust commented May 14, 2026
View reviewed changes
Comment thread .github/workflows/build.yml Outdated
@scottschreckengaust scottschreckengaust mentioned this pull request May 14, 2026
Closed
@scottschreckengaust scottschreckengaust marked this pull request as ready for review May 14, 2026 17:46
@scottschreckengaust scottschreckengaust requested a review from a team as a code owner May 14, 2026 17:46
krokoko
krokoko reviewed May 14, 2026
View reviewed changes
Comment thread .github/workflows/build.yml Outdated
mayakost
mayakost previously approved these changes May 14, 2026
View reviewed changes
scottschreckengaust and others added 6 commits May 14, 2026 19:56
@scottschreckengaust @claude
feat(ci): add CDK synth-per-variant with artifact upload in build.yml
2511236 
Add matrix strategy (agentcore variant) to build job. After the full
mise build, synthesize CDK output per variant and upload as immutable
artifact for downstream deploy workflow consumption.

Refs: #73

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@scottschreckengaust @claude
fix(ci): remove redundant git diff exclusion
798ec58 
The .gitignore already excludes /cdk/cdk-*.out/, so git add .
never stages synth output — the pathspec exclusion was belt-and-
suspenders with no effect.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@scottschreckengaust
fix: remove explicit retention days for artifact uploads
629eb9a 
Removed retention days for uploaded artifacts in build workflow.
@scottschreckengaust @claude
refactor(ci): use mise build synth output instead of redundant cdk sy…
f6fd68d 
…nth step

Remove the separate `npx cdk synth` step — `mise run build` already
runs `cdk synth -q` via the //cdk:build task chain. Upload the
existing cdk/cdk.out/ directly as the variant artifact.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@scottschreckengaust @claude
feat(ci): pass computeVariant context via CDK_CONTEXT env var
f6fc937 
CDK reads CDK_CONTEXT_<key> env vars as context values, so setting
CDK_CONTEXT_computeVariant=${{ matrix.variant }} flows the variant
through mise run build → cdk synth without modifying mise tasks.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@scottschreckengaust @claude
feat(ci): generate cdk.context.json with github:* tags before build
5b5dbd5 
Replace CDK_CONTEXT env var with a cdk.context.json generation step
that populates all 13 github:* tag values plus computeVariant and
stackName. CDK reads cdk.context.json automatically during synth,
so tags are baked into templates and carried in the artifact for
deploy.yml to use without re-synthesis.

Event-specific resolution normalizes github.sha/ref/head-ref across
pull_request, merge_group, push, and workflow_dispatch triggers.
All GitHub context is passed through env: variables to prevent
script injection (CWE-78).

Refs: #73

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@scottschreckengaust scottschreckengaust force-pushed the feat/build-synth-per-variant branch from 09e3fa0 to 5b5dbd5 Compare May 14, 2026 19:58
@scottschreckengaust @claude
fix(ci): include cdk.context.json in CDK artifact upload
4230fdb 
CDK does not copy cdk.context.json into cdk.out/ during synthesis.
Include it explicitly in the artifact so deploy.yml and release
assets carry provenance of what context produced the templates.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@scottschreckengaust scottschreckengaust changed the title feat(ci): add CDK synth-per-variant with artifact upload feat(ci): synth-per-variant build with github:* context in artifact May 14, 2026
@scottschreckengaust scottschreckengaust added this pull request to the merge queue May 14, 2026
Merged via the queue into main with commit 992e6bd May 14, 2026
7 checks passed
@scottschreckengaust scottschreckengaust mentioned this pull request May 15, 2026
Open
22 tasks
@scottschreckengaust scottschreckengaust deleted the feat/build-synth-per-variant branch May 20, 2026 23:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@krokoko krokoko krokoko approved these changes

@mayakost mayakost mayakost left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@scottschreckengaust @krokoko @mayakost