cdk infra updates

Author: benjamin-chavez

.github/CI-CD.md

@@ -0,0 +1,83 @@
+[//]: # (.github/CI-CD.md)
+
+## CI/CD & Automation
+
+This project uses GitHub Actions to build, validate, and deploy a static Next.js site to AWS (S3 + CloudFront).
+
+### Workflow Layout
+
+| Workflow | File | Trigger | Purpose |
+|----------|------|---------|---------|
+| CI | [`ci.yml`](workflows/ci.yml) | Push, pull request, manual dispatch | Orchestrates build, Lighthouse, and gated deploy |
+| Build Static Site | [`build-static-site.yml`](workflows/build-static-site.yml) | `workflow_call` | Builds the site and uploads the deployable artifact |
+| Lighthouse Static Site | [`lighthouse-static-site.yml`](workflows/lighthouse-static-site.yml) | `workflow_call` | Runs Lighthouse against the uploaded build artifact |
+| Deploy Static Site | [`deploy-static-site.yml`](workflows/deploy-static-site.yml) | `workflow_call` | Downloads the artifact, deploys to AWS, invalidates CloudFront, and tags the release |
+
+### CI Flow
+
+The top-level CI workflow builds once, validates that exact artifact with Lighthouse, and only then deploys it on `master`.
+
+| Job | Description |
+|-----|-------------|
+| Build | Installs dependencies, runs `pnpm build`, and uploads `dist/` as an artifact |
+| Lighthouse | Downloads the `dist/` artifact and runs `npx @lhci/cli autorun` |
+| Deploy | Downloads the same `dist/` artifact, syncs it to S3, invalidates CloudFront, and creates a semver deployment tag |
+
+### Reuse Across Repos
+
+The reusable workflows in `.github/workflows/` are designed to be called by another repo with the same stack. The caller should:
+
+1. Standardize on the same GitHub secret and variable names.
+2. Pass repo-specific values such as `app_url` and `cdk_stack_name` as workflow inputs.
+3. Pin external reusable workflow references to a commit SHA when another repo starts calling them.
+
+### Deployment Behavior
+
+Deploy runs only after both Build and Lighthouse succeed.
+
+| Step | Description |
+|------|-------------|
+| Configure AWS | OIDC authentication via `AWS_DEPLOY_ROLE_ARN` |
+| Read CDK stack outputs | Fetches the S3 bucket name and CloudFront distribution ID from CloudFormation |
+| Sync to S3 | `aws s3 sync dist/ s3://<bucket> --delete` |
+| Invalidate CloudFront | Creates a `/*` invalidation |
+| Tag deployment | Auto-increments the semver patch version on successful deploy |
+
+### Versioning
+
+Deployments are tagged with semver versions that auto-increment on each successful deploy.
+
+| Action | Example |
+|--------|---------|
+| Automatic (every deploy) | `v1.0.0` -> `v1.0.1` -> `v1.0.2` |
+| Manual minor bump | `git tag v1.1.0 && git push origin v1.1.0` |
+| Manual major bump | `git tag v2.0.0 && git push origin v2.0.0` |
+
+List all deployment versions:
+
+```bash
+git tag -l 'v*' --sort=-v:refname
+```
+
+### Required Secrets & Variables
+
+#### Secrets
+
+| Secret | Required | Purpose |
+|--------|----------|---------|
+| `AWS_DEPLOY_ROLE_ARN` | Yes | IAM role ARN for GitHub OIDC authentication |
+| `NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME` | Yes | Cloudinary cloud name embedded in the static build |
+
+#### Variables / Environment
+
+| Variable | Required | Default | Purpose |
+|----------|----------|---------|---------|
+| `AWS_REGION` | No | `us-east-2` | AWS region for deployment and public client config |
+| `NEXT_PUBLIC_APP_URL` | No | `http://localhost:3000` | Site URL embedded in static output |
+| `NEXT_PUBLIC_AWS_REGION` | No | `us-east-2` | AWS region exposed to the client |
+| `NEXT_PUBLIC_CF_ANALYTICS_TOKEN` | No | — | Cloudflare Web Analytics token |
+| `NEXT_PUBLIC_CW_RUM_APP_MONITOR_ID` | No | — | CloudWatch RUM App Monitor ID |
+| `NEXT_PUBLIC_CW_RUM_IDENTITY_POOL_ID` | No | — | CloudWatch RUM Cognito Identity Pool ID |
+| `NEXT_PUBLIC_SENTRY_DSN` | No | — | Sentry DSN |
+
+Environment variable schemas are validated at build time by [`src/buildEnv.ts`](../src/buildEnv.ts) and [`src/clientEnv.ts`](../src/clientEnv.ts).

.github/actions/setup-node-pnpm/action.yml

@@ -1,12 +1,16 @@
-name: 'Setup Node.js and PNPM'
-description: 'Sets up Node.js and PNPM based on project configuration files'
+# .github/actions/setup-node-pnpm/action.yml
+
+name: Setup Node.js and PNPM
+description: Sets up Node.js and PNPM based on project configuration
 
 runs:
-  using: "composite"
+  using: composite
   steps:
-    - uses: pnpm/action-setup@v4
+    - name: Setup PNPM
+      uses: pnpm/action-setup@v4
 
-    - uses: actions/setup-node@v4
+    - name: Setup Node.js
+      uses: actions/setup-node@v6
       with:
-        node-version-file: '.nvmrc'
-        cache: 'pnpm'
+        node-version-file: .nvmrc
+        cache: pnpm

.github/actions/tag-deployment/action.yml

@@ -0,0 +1,42 @@
+name: Tag deployment
+description: Find the latest semantic deployment tag, bump it, and push the new tag
+
+inputs:
+  tag-prefix:
+    description: Prefix for deployment tags
+    required: false
+    default: "v"
+
+  initial-version:
+    description: Version to start from when no matching tags exist
+    required: false
+    default: "0.0.0"
+
+  bump:
+    description: Which semver component to bump (major, minor, patch)
+    required: false
+    default: "patch"
+
+  remote:
+    description: Git remote to push the tag to
+    required: false
+    default: "origin"
+
+outputs:
+  new-tag:
+    description: The newly created tag
+    value: ${{ steps.tag.outputs.new-tag }}
+
+runs:
+  using: composite
+  steps:
+    - name: Run tag deployment script
+      id: tag
+      shell: bash
+      env:
+        INPUT_TAG_PREFIX: ${{ inputs.tag-prefix }}
+        INPUT_INITIAL_VERSION: ${{ inputs.initial-version }}
+        INPUT_BUMP: ${{ inputs.bump }}
+        INPUT_REMOTE: ${{ inputs.remote }}
+      run: |
+        bash "${{ github.action_path }}/tag-deployment.sh"

.github/actions/tag-deployment/tag-deployment.sh

@@ -0,0 +1,167 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+TAG_PREFIX="${INPUT_TAG_PREFIX:-v}"
+INITIAL_VERSION="${INPUT_INITIAL_VERSION:-0.0.0}"
+BUMP="${INPUT_BUMP:-patch}"
+REMOTE="${INPUT_REMOTE:-origin}"
+
+log_info() {
+  echo ""
+  echo "==> $1"
+}
+
+log_success() {
+  echo "✅ $1"
+}
+
+log_warn() {
+  echo "⚠️  $1"
+}
+
+log_error() {
+  echo "ERROR: $1" >&2
+}
+
+fetch_tags() {
+  log_info "Fetching tags from remote '$REMOTE'"
+  git fetch --force --tags "$REMOTE"
+  log_success "Tags fetched successfully"
+}
+
+get_latest_tag() {
+  git tag -l "${TAG_PREFIX}*" --sort=-v:refname | head -n 1
+}
+
+resolve_latest_tag() {
+  local latest_tag
+  latest_tag="$(get_latest_tag)"
+
+  if [ -z "$latest_tag" ]; then
+    log_warn "No existing tags found with prefix '${TAG_PREFIX}'"
+    latest_tag="${TAG_PREFIX}${INITIAL_VERSION}"
+    echo "$latest_tag"
+    return
+  fi
+
+  echo "$latest_tag"
+}
+
+extract_version() {
+  local tag="$1"
+  echo "${tag#${TAG_PREFIX}}"
+}
+
+validate_version() {
+  local version="$1"
+
+  if ! [[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+    log_error "Latest matching tag version '$version' is not valid semver"
+    exit 1
+  fi
+}
+
+bump_version() {
+  local version="$1"
+  local major minor patch
+
+  IFS='.' read -r major minor patch <<< "$version"
+
+  case "$BUMP" in
+    major)
+      major=$((major + 1))
+      minor=0
+      patch=0
+      ;;
+    minor)
+      minor=$((minor + 1))
+      patch=0
+      ;;
+    patch)
+      patch=$((patch + 1))
+      ;;
+    *)
+      log_error "Unsupported bump type '$BUMP'. Use: major, minor, or patch."
+      exit 1
+      ;;
+  esac
+
+  echo "${major}.${minor}.${patch}"
+}
+
+ensure_tag_does_not_exist() {
+  local new_tag="$1"
+
+  if git rev-parse "$new_tag" >/dev/null 2>&1; then
+    log_error "Tag '$new_tag' already exists"
+    exit 1
+  fi
+}
+
+create_and_push_tag() {
+  local new_tag="$1"
+
+  log_info "Creating tag '$new_tag'"
+  git tag "$new_tag"
+
+  log_info "Pushing tag '$new_tag' to remote '$REMOTE'"
+  git push "$REMOTE" "$new_tag"
+
+  log_success "Tagged deployment as $new_tag"
+}
+
+write_outputs() {
+  local new_tag="$1"
+
+  if [ -n "${GITHUB_OUTPUT:-}" ]; then
+    echo "new-tag=$new_tag" >> "$GITHUB_OUTPUT"
+    log_success "Exported output new-tag=$new_tag"
+  else
+    log_warn "GITHUB_OUTPUT is not set; skipping GitHub Actions output export"
+  fi
+}
+
+print_summary() {
+  local latest_tag="$1"
+  local new_tag="$2"
+
+  echo ""
+  echo "Tag deployment summary"
+  echo "----------------------"
+  echo "Remote:        $REMOTE"
+  echo "Prefix:        $TAG_PREFIX"
+  echo "Bump type:     $BUMP"
+  echo "Previous tag:  $latest_tag"
+  echo "New tag:       $new_tag"
+}
+
+main() {
+  local latest_tag version bumped_version new_tag
+
+  log_info "Starting deployment tagging"
+  echo "Remote: $REMOTE"
+  echo "Tag prefix: $TAG_PREFIX"
+  echo "Initial version: $INITIAL_VERSION"
+  echo "Bump type: $BUMP"
+
+  fetch_tags
+
+  log_info "Resolving latest tag"
+  latest_tag="$(resolve_latest_tag)"
+  echo "Latest tag: $latest_tag"
+
+  version="$(extract_version "$latest_tag")"
+  validate_version "$version"
+
+  log_info "Calculating next version from '$version'"
+  bumped_version="$(bump_version "$version")"
+  new_tag="${TAG_PREFIX}${bumped_version}"
+  echo "Next tag: $new_tag"
+
+  ensure_tag_does_not_exist "$new_tag"
+  create_and_push_tag "$new_tag"
+  write_outputs "$new_tag"
+  print_summary "$latest_tag" "$new_tag"
+}
+
+main "$@"

.github/workflows/build-static-site.yml

@@ -0,0 +1,59 @@
+name: Build Static Site
+
+on:
+  workflow_call:
+    inputs:
+      app_url:
+        description: Public site URL embedded in the build output.
+        required: true
+        type: string
+      artifact_name:
+        description: Name for the uploaded build artifact.
+        required: false
+        type: string
+        default: dist
+      aws_region:
+        description: AWS region exposed to the client build.
+        required: false
+        type: string
+        default: us-east-2
+    secrets:
+      NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME:
+        description: Cloudinary cloud name used in the static build.
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    env:
+      NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME: ${{ secrets.NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME }}
+      NEXT_PUBLIC_APP_URL: ${{ inputs.app_url }}
+      NEXT_PUBLIC_AWS_REGION: ${{ inputs.aws_region }}
+      NEXT_PUBLIC_CF_ANALYTICS_TOKEN: ${{ vars.NEXT_PUBLIC_CF_ANALYTICS_TOKEN }}
+      NEXT_PUBLIC_CW_RUM_APP_MONITOR_ID: ${{ vars.NEXT_PUBLIC_CW_RUM_APP_MONITOR_ID }}
+      NEXT_PUBLIC_CW_RUM_IDENTITY_POOL_ID: ${{ vars.NEXT_PUBLIC_CW_RUM_IDENTITY_POOL_ID }}
+      NEXT_PUBLIC_SENTRY_DSN: ${{ vars.NEXT_PUBLIC_SENTRY_DSN }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version-file: .nvmrc
+          cache: pnpm
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: Build
+        run: pnpm build
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ inputs.artifact_name }}
+          path: dist/
+          retention-days: 1