GitHub Secrets Setup for CyberOrigen CI/CD

This document describes the GitHub secrets required for the AWS ECS deployment workflows.

Required Secrets

Add these secrets in your GitHub repository under Settings > Secrets and variables > Actions.

AWS Credentials

Secret Name	Description	How to Obtain
`AWS_ACCESS_KEY_ID`	AWS IAM access key ID	Create in AWS IAM Console
`AWS_SECRET_ACCESS_KEY`	AWS IAM secret access key	Create in AWS IAM Console

IAM Policy Requirements: The IAM user/role needs the following permissions:

ecr:GetAuthorizationToken
ecr:BatchCheckLayerAvailability
ecr:GetDownloadUrlForLayer
ecr:BatchGetImage
ecr:PutImage
ecr:InitiateLayerUpload
ecr:UploadLayerPart
ecr:CompleteLayerUpload
ecs:DescribeTaskDefinition
ecs:RegisterTaskDefinition
ecs:UpdateService
ecs:DescribeServices
iam:PassRole (for ECS task execution role)

Build-Time Secrets

Secret Name	Description	How to Obtain
`STRIPE_PUBLISHABLE_KEY`	Stripe publishable API key (starts with `pk_`)	Stripe Dashboard > API Keys

Note: The publishable key is safe to embed in client-side code. It's different from the secret key which must never be exposed.

Optional Secrets (if using Cloudflare Pages for marketing)

Secret Name	Description	How to Obtain
`CLOUDFLARE_API_TOKEN`	Cloudflare API token with Pages deploy permission	Cloudflare Dashboard > API Tokens
`CLOUDFLARE_ACCOUNT_ID`	Your Cloudflare account ID	Cloudflare Dashboard > Account Home

Environment Configuration

The workflows support multiple environments. Create GitHub Environments for:

production - Main production deployment
staging - Staging/preview environment (optional)

Environment-Specific Secrets

You can override secrets per environment if needed (e.g., different Stripe keys for staging).

Setting Up Secrets

Via GitHub UI

Go to your repository on GitHub
Click Settings > Secrets and variables > Actions
Click New repository secret
Enter the secret name and value
Click Add secret

Via GitHub CLI

bash

# Install GitHub CLI if not already installed
# https://cli.github.com/

# Login to GitHub
gh auth login

# Set secrets
gh secret set AWS_ACCESS_KEY_ID
gh secret set AWS_SECRET_ACCESS_KEY
gh secret set STRIPE_PUBLISHABLE_KEY

Recommended IAM Policy

Create an IAM user with this policy for GitHub Actions:

json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRAuth",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ECRPush",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload"
      ],
      "Resource": [
        "arn:aws:ecr:us-east-1:*:repository/cyberorigen-*"
      ]
    },
    {
      "Sid": "ECSDeployment",
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeTaskDefinition",
        "ecs:RegisterTaskDefinition",
        "ecs:UpdateService",
        "ecs:DescribeServices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PassRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/cyberorigen-*"
      ]
    },
    {
      "Sid": "CloudFormation",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks"
      ],
      "Resource": "*"
    }
  ]
}

Workflow Triggers

Workflow	Trigger	Path Filters
`deploy-backend-aws.yml`	Push to main, manual	`backend/**`, `docker/Dockerfile.backend`
`deploy-worker-aws.yml`	Push to main, manual	`backend/**`, `docker/Dockerfile.worker`
`deploy-marketing-aws.yml`	Push to main, manual	`src/**`, `Dockerfile`, `Caddyfile`
`deploy-app-ui-aws.yml`	Push to main, manual	`ui_cyberorigen/**`
`deploy-all-aws.yml`	Manual only	N/A (deploys all services)

Manual Deployment

To manually trigger a deployment:

Go to Actions tab in your repository
Select the workflow (e.g., "Deploy All Services to AWS ECS")
Click Run workflow
Select environment and services to deploy
Click Run workflow

Troubleshooting

Common Issues

ECR Login Failed
- Check AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are correct
- Verify IAM permissions include ecr:GetAuthorizationToken
Push to ECR Failed
- Verify ECR repository exists
- Check IAM permissions for ECR push actions
ECS Update Failed
- Verify ECS cluster and service names match
- Check IAM ecs:UpdateService permission
- Ensure iam:PassRole is granted for ECS task roles
Service Not Stabilizing
- Check CloudWatch logs for container errors
- Verify health check endpoints are responding
- Check security group allows traffic from ALB

Security Best Practices

Rotate credentials regularly - Update AWS access keys every 90 days
Use least privilege - Only grant permissions needed for deployment
Enable MFA - Require MFA for AWS IAM users
Audit access - Review CloudTrail logs for unauthorized access
Use OIDC - Consider using GitHub OIDC for keyless AWS authentication (advanced)

GitHub Secrets Setup for CyberOrigen CI/CD ​

Required Secrets ​

AWS Credentials ​

Build-Time Secrets ​

Optional Secrets (if using Cloudflare Pages for marketing) ​

Environment Configuration ​

Environment-Specific Secrets ​

Setting Up Secrets ​

Via GitHub UI ​

Via GitHub CLI ​

Recommended IAM Policy ​

Workflow Triggers ​

Manual Deployment ​

Troubleshooting ​

Common Issues ​

Security Best Practices ​