From 2511236d26fd3a020e49d27d932ad2bd1e30da7d Mon Sep 17 00:00:00 2001 From: scottschreckengaust <345885+scottschreckengaust@users.noreply.github.com> Date: Thu, 14 May 2026 17:00:40 +0000 Subject: [PATCH 1/7] feat(ci): add CDK synth-per-variant with artifact upload in build.yml Add matrix strategy (agentcore variant) to build job. After the full mise build, synthesize CDK output per variant and upload as immutable artifact for downstream deploy workflow consumption. Refs: #73 Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/build.yml | 14 +++++++++++++- .gitignore | 1 + 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 27428281..1aeeacf5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -24,6 +24,9 @@ jobs: actions: write # upload-artifact when self-mutation is detected contents: read runs-on: ubuntu-latest + strategy: + matrix: + variant: [agentcore] outputs: self_mutation_happened: ${{ steps.self_mutation.outputs.self_mutation_happened }} env: @@ -53,11 +56,20 @@ jobs: run: mise run install - name: build run: mise run build + - name: CDK Synth (${{ matrix.variant }}) + run: npx cdk synth -c computeVariant=${{ matrix.variant }} --output cdk-${{ matrix.variant }}.out + working-directory: cdk + - name: Upload CDK artifact (${{ matrix.variant }}) + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: cdk-${{ matrix.variant }}-out + path: cdk/cdk-${{ matrix.variant }}.out/ + retention-days: 5 - name: Find mutations id: self_mutation run: |- git add . - git diff --staged --patch --exit-code > repo.patch || echo "self_mutation_happened=true" >> $GITHUB_OUTPUT + git diff --staged --patch --exit-code -- . ':!cdk/cdk-*.out' > repo.patch || echo "self_mutation_happened=true" >> $GITHUB_OUTPUT shell: bash working-directory: ./ diff --git a/.gitignore b/.gitignore index 94b21e98..60b31701 100644 --- a/.gitignore 
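Review bot: The new `strategy.matrix.variant` sits directly above `outputs.self_mutation_happened`, and the outputs of a matrix job are one shared map — every leg writes the same key and whichever leg finishes last wins. With the single-element `[agentcore]` list that is harmless, but as soon as a second variant is added the self-mutation gate becomes non-deterministic (a clean leg can overwrite a dirty leg's `true`), which matters because that output is what decides whether a mutated tree is surfaced or silently accepted. Either pin the constraint next to the matrix, e.g. `# NOTE: job outputs are shared across matrix legs; keep this list single-valued or move self-mutation detection to a non-matrix job`, or split the synth/upload into its own matrix job and leave the self-mutation check un-matrixed.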
+++ b/.gitignore @@ -52,6 +52,7 @@ agent/.venv/ # ────────────────────────────────────────────── cdk.out/ /cdk/cdk.out*/ +/cdk/cdk-*.out/ .cdk.staging/ cdk.context.json /assets/ From 798ec589bc0cd6d6b11c836fbfcb41699ec9457f Mon Sep 17 00:00:00 2001 From: scottschreckengaust <345885+scottschreckengaust@users.noreply.github.com> Date: Thu, 14 May 2026 17:14:59 +0000 Subject: [PATCH 2/7] fix(ci): remove redundant git diff exclusion MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The .gitignore already excludes /cdk/cdk-*.out/, so git add . never stages synth output — the pathspec exclusion was belt-and- suspenders with no effect. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1aeeacf5..270e8672 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -69,7 +69,7 @@ jobs: id: self_mutation run: |- git add . - git diff --staged --patch --exit-code -- . ':!cdk/cdk-*.out' > repo.patch || echo "self_mutation_happened=true" >> $GITHUB_OUTPUT + git diff --staged --patch --exit-code > repo.patch || echo "self_mutation_happened=true" >> $GITHUB_OUTPUT shell: bash working-directory: ./ From 629eb9a233d87dea97045846453fac638b2cd131 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 14 May 2026 10:45:27 -0700 Subject: [PATCH 3/7] fix: remove explicit retention days for artifact uploads Removed retention days for uploaded artifacts in build workflow. --- .github/workflows/build.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 270e8672..b29dc50a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -64,7 +64,6 @@ jobs: with: name: cdk-${{ matrix.variant }}-out path: cdk/cdk-${{ matrix.variant }}.out/ - retention-days: 5 - name: Find mutations id: self_mutation run: |- From f6fd68db00feb61d2ae6f1c463620154eb6a21d4 Mon Sep 17 00:00:00 2001 From: scottschreckengaust <345885+scottschreckengaust@users.noreply.github.com> Date: Thu, 14 May 2026 19:36:30 +0000 Subject: [PATCH 4/7] refactor(ci): use mise build synth output instead of redundant cdk synth step MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove the separate `npx cdk synth` step — `mise run build` already runs `cdk synth -q` via the //cdk:build task chain. Upload the existing cdk/cdk.out/ directly as the variant artifact. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/build.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b29dc50a..b1ad967b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -56,14 +56,11 @@ jobs: run: mise run install - name: build run: mise run build - - name: CDK Synth (${{ matrix.variant }}) - run: npx cdk synth -c computeVariant=${{ matrix.variant }} --output cdk-${{ matrix.variant }}.out - working-directory: cdk - name: Upload CDK artifact (${{ matrix.variant }}) uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: cdk-${{ matrix.variant }}-out - path: cdk/cdk-${{ matrix.variant }}.out/ + path: cdk/cdk.out/ - name: Find mutations id: self_mutation run: |- From f6fc9372f0d4e51e0279786bb50c7e8277c4ed99 Mon Sep 17 00:00:00 2001 
From: scottschreckengaust <345885+scottschreckengaust@users.noreply.github.com> Date: Thu, 14 May 2026 19:45:07 +0000 Subject: [PATCH 5/7] feat(ci): pass computeVariant context via CDK_CONTEXT env var MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CDK reads CDK_CONTEXT_ env vars as context values, so setting CDK_CONTEXT_computeVariant=${{ matrix.variant }} flows the variant through mise run build → cdk synth without modifying mise tasks. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b1ad967b..0a2a53f4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -37,6 +37,7 @@ jobs: AQUA_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Keep secret and dependency scanning enabled in CI; only disable the # remaining tools that are intentionally skipped here. + CDK_CONTEXT_computeVariant: ${{ matrix.variant }} MISE_DISABLE_TOOLS: "aqua:aquasecurity/trivy,grype,semgrep" steps: - name: Checkout From 5b5dbd580a1855e4933e396057f25b0a5c835e75 Mon Sep 17 00:00:00 2001 
From: scottschreckengaust <345885+scottschreckengaust@users.noreply.github.com> Date: Thu, 14 May 2026 19:58:17 +0000 Subject: [PATCH 6/7] feat(ci): generate cdk.context.json with github:* tags before build Replace CDK_CONTEXT env var with a cdk.context.json generation step that populates all 13 github:* tag values plus computeVariant and stackName. CDK reads cdk.context.json automatically during synth, so tags are baked into templates and carried in the artifact for deploy.yml to use without re-synthesis. Event-specific resolution normalizes github.sha/ref/head-ref across pull_request, merge_group, push, and workflow_dispatch triggers. All GitHub context is passed through env: variables to prevent script injection (CWE-78). Refs: #73 Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/build.yml | 100 +++++++++++++++++++++++++++++++++++- 1 file changed, 99 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0a2a53f4..8bba892c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -37,7 +37,6 @@ jobs: AQUA_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Keep secret and dependency scanning enabled in CI; only disable the # remaining tools that are intentionally skipped here. - CDK_CONTEXT_computeVariant: ${{ matrix.variant }} MISE_DISABLE_TOOLS: "aqua:aquasecurity/trivy,grype,semgrep" steps: - name: Checkout 
@@ -45,6 +44,105 @@ jobs: with: fetch-depth: 1 # shallow clone persist-credentials: false + - name: Resolve github:* tag values + id: tags + env: + EVENT_NAME: ${{ github.event_name }} + GH_SHA: ${{ github.sha }} + GH_REF_NAME: ${{ github.ref_name }} + GH_REF_TYPE: ${{ github.ref_type }} + GH_HEAD_REF: ${{ github.head_ref }} + GH_BASE_REF: ${{ github.base_ref }} + MG_HEAD_SHA: ${{ github.event.merge_group.head_sha }} + MG_BASE_REF: ${{ github.event.merge_group.base_ref }} + MG_HEAD_REF: ${{ github.event.merge_group.head_ref }} + PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} + PR_NUMBER: ${{ github.event.pull_request.number }} + run: | + case "$EVENT_NAME" in + merge_group) + echo "sha=${MG_HEAD_SHA}" >> "$GITHUB_OUTPUT" + echo "ref=${MG_BASE_REF}" >> "$GITHUB_OUTPUT" + echo "ref-type=branch" >> "$GITHUB_OUTPUT" + echo "head-ref=${MG_HEAD_REF}" >> "$GITHUB_OUTPUT" + echo "base-ref=${MG_BASE_REF}" >> "$GITHUB_OUTPUT" + PR_NUM=$(echo "$MG_HEAD_REF" | grep -oP 'pr-\K[0-9]+' || echo "") + echo "pr-number=${PR_NUM}" >> "$GITHUB_OUTPUT" + ;; + pull_request|pull_request_target) + echo "sha=${PR_HEAD_SHA}" >> "$GITHUB_OUTPUT" + echo "ref=${GH_HEAD_REF}" >> "$GITHUB_OUTPUT" + echo "ref-type=branch" >> "$GITHUB_OUTPUT" + echo "head-ref=${GH_HEAD_REF}" >> "$GITHUB_OUTPUT" + echo "base-ref=${GH_BASE_REF}" >> "$GITHUB_OUTPUT" + echo "pr-number=${PR_NUMBER}" >> "$GITHUB_OUTPUT" + ;; + push) + echo "sha=${GH_SHA}" >> "$GITHUB_OUTPUT" + echo "ref=${GH_REF_NAME}" >> "$GITHUB_OUTPUT" + echo "ref-type=${GH_REF_TYPE}" >> "$GITHUB_OUTPUT" + echo "head-ref=" >> "$GITHUB_OUTPUT" + echo "base-ref=" >> "$GITHUB_OUTPUT" + echo "pr-number=" >> "$GITHUB_OUTPUT" + ;; + *) + echo "sha=${GH_SHA}" >> "$GITHUB_OUTPUT" + echo "ref=${GH_REF_NAME}" >> "$GITHUB_OUTPUT" + echo "ref-type=${GH_REF_TYPE}" >> "$GITHUB_OUTPUT" + echo "head-ref=" >> "$GITHUB_OUTPUT" + echo "base-ref=" >> "$GITHUB_OUTPUT" + echo "pr-number=" >> "$GITHUB_OUTPUT" + ;; + esac + - name: Generate CDK context + env: + 
VARIANT: ${{ matrix.variant }} + TAG_SHA: ${{ steps.tags.outputs.sha }} + TAG_REF: ${{ steps.tags.outputs.ref }} + TAG_REF_TYPE: ${{ steps.tags.outputs.ref-type }} + TAG_ACTOR: ${{ github.actor }} + TAG_HEAD_REF: ${{ steps.tags.outputs.head-ref }} + TAG_BASE_REF: ${{ steps.tags.outputs.base-ref }} + TAG_PR_NUMBER: ${{ steps.tags.outputs.pr-number }} + TAG_RUN_ID: ${{ github.run_id }} + TAG_RUN_ATTEMPT: ${{ github.run_attempt }} + TAG_EVENT: ${{ github.event_name }} + TAG_WORKFLOW: ${{ github.workflow }} + TAG_REPOSITORY: ${{ github.repository }} + run: | + jq -n \ + --arg computeVariant "$VARIANT" \ + --arg stackName "backgroundagent-dev" \ + --arg sha "$TAG_SHA" \ + --arg ref "$TAG_REF" \ + --arg ref_type "$TAG_REF_TYPE" \ + --arg actor "$TAG_ACTOR" \ + --arg head_ref "$TAG_HEAD_REF" \ + --arg base_ref "$TAG_BASE_REF" \ + --arg pr_number "$TAG_PR_NUMBER" \ + --arg run_id "$TAG_RUN_ID" \ + --arg run_attempt "$TAG_RUN_ATTEMPT" \ + --arg event "$TAG_EVENT" \ + --arg workflow "$TAG_WORKFLOW" \ + --arg repository "$TAG_REPOSITORY" \ + '{ + "computeVariant": $computeVariant, + "stackName": $stackName, + "github:sha": $sha, + "github:ref": $ref, + "github:ref-type": $ref_type, + "github:actor": $actor, + "github:head-ref": $head_ref, + "github:base-ref": $base_ref, + "github:pr-number": $pr_number, + "github:run-id": $run_id, + "github:run-attempt": $run_attempt, + "github:event": $event, + "github:workflow": $workflow, + "github:repository": $repository, + "github:clean": "true" + }' > cdk/cdk.context.json + cat cdk/cdk.context.json - name: Install mise uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 with: From 4230fdb8d7ce5e8a0c6180c088782e2abf1fa929 Mon Sep 17 00:00:00 2001 
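Review bot: `"github:clean": "true"` is hard-coded in the jq filter, but nothing in the job backs that claim — the `Find mutations` step that actually detects a dirty tree runs after the `Upload CDK artifact` step (both outside this hunk), so a build whose `mise run build` rewrote files still publishes templates asserting a clean checkout. Either drop the key or move the upload below `Find mutations` and gate it with `if: steps.self_mutation.outputs.self_mutation_happened != 'true'`, so only artifacts from a verified-clean tree carry the claim. Separately, the `pull_request|pull_request_target` branch records `sha=${PR_HEAD_SHA}`, yet `actions/checkout` on a pull_request event checks out the merge commit (`github.sha`) unless `ref:` is pinned — that `with:` block is only partly visible here — so the provenance in the artifact may not be the code that was synthesized; record `github.sha` as well (e.g. `github:merge-sha`) or check out the head SHA explicitly. If this workflow is ever wired to `pull_request_target`, note that synth executes the PR's CDK app code, so that trigger must not reach this job with any write-capable credentials.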
From: scottschreckengaust <345885+scottschreckengaust@users.noreply.github.com> Date: Thu, 14 May 2026 20:06:37 +0000 Subject: [PATCH 7/7] fix(ci): include cdk.context.json in CDK artifact upload CDK does not copy cdk.context.json into cdk.out/ during synthesis. Include it explicitly in the artifact so deploy.yml and release assets carry provenance of what context produced the templates. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/build.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8bba892c..3fd3cc4b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -159,7 +159,9 @@ jobs: uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: cdk-${{ matrix.variant }}-out - path: cdk/cdk.out/ + path: | + cdk/cdk.out/ + cdk/cdk.context.json - name: Find mutations id: self_mutation run: |-
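Review bot: `cdk/cdk.context.json` is now shipped alongside `cdk.out/` as the artifact deploy.yml will consume, but this job also runs for `pull_request` events (the tag-resolution step handles them explicitly), so the artifact can be produced from a fork's code and carries fork-controlled `github:head-ref`/`github:actor` values. Whatever downstream workflow downloads it must check the originating run before deploying — at minimum that `workflow_run.event` is `push` or `merge_group` and that `head_repository.full_name` equals `github.repository` — otherwise this is the standard artifact-poisoning path into a deploy holding cloud credentials; deploy.yml is not visible here, so treat that as a check to confirm rather than a confirmed gap. Also note that the CDK CLI appends any context lookups performed during synth (e.g. `Vpc.fromLookup`, AZ or AMI queries) to this same `cdk.context.json`, so if the app does lookups the uploaded file may contain account IDs and resource identifiers beyond the keys the workflow writes; a comment on the `path:` list such as `# also carries CLI-cached lookup values, not only the generated github:* keys` would make that visible to whoever publishes it as a release asset.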