CI/CD Pipeline

Essential

Automated deployment with GitHub Actions

What You'll Learn

This guide covers setting up a complete CI/CD pipeline using GitHub Actions to automatically deploy your Next.js application to AWS when you push to specific branches.

Overview

Continuous Integration and Continuous Deployment (CI/CD) automates the process of building, testing, and deploying your application. With GitHub Actions, you can trigger deployments automatically when code is pushed to your repository.

Plain Text
Developer pushes code
        ↓
GitHub Actions triggered
        ↓
┌─────────────────────────┐
│   Build & Test Stage    │
│  - Install dependencies │
│  - Run linting          │
│  - Run tests            │
│  - Build Docker image   │
└─────────────────────────┘
        ↓
┌─────────────────────────┐
│     Deploy Stage        │
│  - Push to ECR          │
│  - Deploy via Copilot   │
│  - Health check         │
└─────────────────────────┘
        ↓
Application live on AWS

Prerequisites

  • AWS Account with appropriate permissions
  • GitHub repository with your Next.js application
  • AWS Copilot application already initialized
  • Docker installed locally for testing

Before setting up CI/CD, you need to gather some information and configure your GitHub repository.

Required GitHub Information

Item             Where to Find                                 Used For
Repository URL   Your repo page → Code button                  Copilot Pipeline source
Branch Name      Usually main or master                        Trigger deployments
GitHub Secrets   Settings → Secrets and variables → Actions    Store AWS credentials

Step-by-Step: Get Repository URL

Plain Text
1. Go to your GitHub repository
2. Click the green "Code" button
3. Copy the HTTPS URL

Example: https://github.com/your-username/your-repo-name

For Copilot Pipeline, use: https://github.com/your-username/your-repo-name
(without .git at the end)

Step-by-Step: Add GitHub Secrets

GitHub Secrets securely store sensitive information like AWS credentials.

Plain Text
1. Go to your GitHub repository
2. Click "Settings" tab (top navigation)
3. Left sidebar → "Secrets and variables" → "Actions"
4. Click "New repository secret"
5. Add each secret:

┌─────────────────────────────────────────────────────┐
│  Repository secrets                                  │
├─────────────────────────────────────────────────────┤
│  AWS_ACCESS_KEY_ID          ••••••••••••            │
│  AWS_SECRET_ACCESS_KEY      ••••••••••••            │
│  AWS_REGION                 ap-southeast-1          │
└─────────────────────────────────────────────────────┘

Where to Get AWS Credentials

  1. Go to AWS Console → IAM → Users
  2. Select your deployment user (or create one)
  3. Click Security credentials tab
  4. Click Create access key
  5. Choose Application running outside AWS
  6. Copy the Access Key ID and Secret Access Key

Step-by-Step: Set Up AWS CodeStar Connection (for Copilot Pipeline)

CodeStar Connection allows AWS to securely access your GitHub repository.

Plain Text
Method 1: Create via AWS Console (Recommended)
──────────────────────────────────────────────
1. Go to AWS Console
2. Search for "CodePipeline" and open it
3. Left sidebar → "Settings" → "Connections"
4. Click "Create connection"
5. Select "GitHub" as provider
6. Connection name: "github-connection"
7. Click "Connect to GitHub"
8. A popup appears → Click "Install a new app"
9. Select your GitHub account
10. Choose "Only select repositories"
11. Select your repository
12. Click "Install & Authorize"
13. Back in AWS → Click "Connect"
14. Status should change to "Available"

Your connection ARN will look like:
arn:aws:codestar-connections:ap-southeast-1:123456789:connection/abc-123-def

Terminal
$ # Method 2: Create via CLI
$ aws codestar-connections create-connection \
    --provider-type GitHub \
    --connection-name github-connection \
    --region ap-southeast-1
{
    "ConnectionArn": "arn:aws:codestar-connections:ap-southeast-1:123456789:connection/abc-123"
}

Important: Authorize the Connection

If you create the connection via CLI, you MUST authorize it in the AWS Console:
  1. Go to AWS Console → CodePipeline → Settings → Connections
  2. Find your connection (status: "Pending")
  3. Click Update pending connection
  4. Complete the GitHub OAuth authorization
  5. Status must change to "Available"

Without authorization, Copilot Pipeline cannot access your repository!

Verify GitHub Connection

Terminal
$ aws codestar-connections list-connections --provider-type GitHub
{
    "Connections": [
        {
            "ConnectionName": "github-connection",
            "ConnectionArn": "arn:aws:codestar-connections:ap-southeast-1:123456789:connection/abc-123",
            "ProviderType": "GitHub",
            "ConnectionStatus": "AVAILABLE",  ← Must be AVAILABLE
            "OwnerAccountId": "123456789"
        }
    ]
}

GitHub Repository Requirements

Requirement         Details
Dockerfile          Must exist in root directory for container builds
copilot/ folder     Contains Copilot manifests (created by copilot init)
package.json        With build, lint, test scripts
Branch protection   Recommended for main branch (optional)

Step-by-Step: Enable Branch Protection

Plain Text
1. Go to GitHub repo → Settings → Branches
2. Click "Add branch protection rule"
3. Branch name pattern: main
4. Enable:
   ✓ Require a pull request before merging
   ✓ Require status checks to pass before merging
   ✓ Require branches to be up to date before merging
5. Click "Create"

This ensures:
- No direct pushes to main
- All changes go through PR review
- CI checks must pass before merge

Choose Your CI/CD Approach

Approach           Best For                      GitHub Requirements
GitHub Actions     Teams familiar with GitHub    Repository Secrets (AWS credentials)
Copilot Pipeline   AWS-native deployments        CodeStar Connection (OAuth)
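For the Copilot Pipeline approach, the repository URL (without .git) and the CodeStar connection from the steps above are consumed by the pipeline manifest. The manifest below is an added example, not a file from this guide or generated by the project; the pipeline name, the stage names (they must match environments you have already created with copilot env init) and the file path are assumptions.

```yaml
# copilot/pipelines/my-app-main/manifest.yml  (path and pipeline name assumed)
name: my-app-main
version: 1

source:
  provider: GitHub
  properties:
    branch: main
    # Same URL as shown under "Get Repository URL": HTTPS form, no trailing .git
    repository: https://github.com/your-username/your-repo-name
    # Name of the CodeStar connection; its status must be AVAILABLE,
    # otherwise the pipeline cannot read the repository.
    connection_name: github-connection

stages:
  # Environment names are assumed; each must already exist in the Copilot app.
  - name: staging
  - name: production
    # Manual approval gate before production, the Copilot counterpart of
    # GitHub's environment protection rules.
    requires_approval: true
```

Run copilot pipeline deploy after writing the manifest; a connection still in "Pending" state fails at the source stage, which is the symptom described under "Important: Authorize the Connection".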

Branch-Based Deployment Strategy

Plain Text
Branch Strategy:

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│   Feature   │────▶│   Develop   │────▶│    Main     │
│   Branch    │     │   Branch    │     │   Branch    │
└─────────────┘     └─────────────┘     └─────────────┘
       │                   │                   │
       │                   ▼                   ▼
       │            ┌──────────────┐   ┌──────────────┐
       │            │   Staging    │   │  Production  │
       │            │ Environment  │   │ Environment  │
       │            └──────────────┘   └──────────────┘
       │
       ▼
  Pull Request
  (Tests Only)
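The workflow below ties together the Overview stages (install, lint, test, build image, deploy via Copilot, health check), the repository secrets added under "Add GitHub Secrets", and the branch strategy just shown: pull requests run tests only, develop deploys to staging and main deploys to production. It is an added example, not a workflow shipped with this guide or the Copilot project. Assumptions not stated in the guide: the Copilot service is named web, the environments are named staging and production, the app answers on /api/health, Node 20 is used, and package.json has the lint and test scripts the requirements table asks for. Note that copilot svc deploy builds the image and pushes it to ECR itself, so the "Push to ECR" stage of the diagram is performed by that single command.

```yaml
# .github/workflows/deploy.yml  (added example; names below are assumptions)
name: Build, Test and Deploy

on:
  pull_request:                 # feature-branch PRs: build and test only
  push:
    branches: [develop, main]   # develop -> staging, main -> production

permissions:
  contents: read

jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      - run: npm run lint
      - run: npm test
      # Build the image here so a broken Dockerfile fails before any deploy.
      - run: docker build -t web:${{ github.sha }} .

  deploy:
    needs: build-and-test
    if: github.event_name == 'push'   # never deploy from a pull request
    runs-on: ubuntu-latest
    # GitHub environment: production can carry required-reviewer rules.
    environment: ${{ github.ref_name == 'main' && 'production' || 'staging' }}
    env:
      COPILOT_ENV: ${{ github.ref_name == 'main' && 'production' || 'staging' }}
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials from repository secrets
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Install AWS Copilot CLI
        run: |
          curl -Lo copilot https://github.com/aws/copilot-cli/releases/latest/download/copilot-linux
          chmod +x copilot && sudo mv copilot /usr/local/bin/copilot

      - name: Deploy with Copilot (builds, pushes to ECR, updates the service)
        # Tag the image with the git SHA so every deploy is traceable to a commit.
        run: copilot svc deploy --name web --env "$COPILOT_ENV" --tag "$GITHUB_SHA"

      - name: Health check
        run: |
          # Look up the public URL Copilot assigned to this environment.
          URL=$(copilot svc show --name web --json \
                | jq -r --arg env "$COPILOT_ENV" \
                  '.routes[] | select(.environment == $env) | .url')
          for i in $(seq 1 10); do
            if curl -fsS "$URL/api/health" > /dev/null; then
              echo "Deployment healthy at $URL"; exit 0
            fi
            sleep 15
          done
          echo "Health check failed for $URL" >&2
          exit 1
```

The deploy job fails the workflow if the health endpoint never answers, which is what makes the "Require status checks to pass" branch rule meaningful for the branches that deploy.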

Best Practices

Practice                 Description
Use OIDC                 Use OIDC for AWS authentication instead of long-lived credentials
Environment Protection   Require approvals for production deployments
Semantic Versioning      Tag Docker images with git SHA and semantic versions
Health Checks            Always verify deployment with health checks
Notifications            Alert team on deployment success/failure
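The first two rows of the table change how the deploy job authenticates and where approvals are enforced. The fragment below is an added example, not from this guide, and shows the job-level changes: the id-token permission lets the runner request a GitHub OIDC token, configure-aws-credentials exchanges it for short-lived credentials by assuming an IAM role, and the production environment is where required reviewers are configured. The role ARN is assumed to be stored as a repository secret named AWS_ROLE_TO_ASSUME; the IAM role, its trust policy and the GitHub OIDC identity provider in IAM are assumed to exist already.

```yaml
# Replaces the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY step in the deploy job.
# Added example; AWS_ROLE_TO_ASSUME is an assumed secret name.
permissions:
  id-token: write   # required to mint the OIDC token; not granted by default
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production   # required-reviewer rules are attached to this name
    steps:
      - uses: actions/checkout@v4

      - name: Assume deployment role via OIDC (no long-lived keys in secrets)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          # Session name shows up in CloudTrail, so each run is attributable.
          role-session-name: github-actions-${{ github.run_id }}
          aws-region: ap-southeast-1

      # Sanity check: confirms which role the temporary credentials belong to.
      - run: aws sts get-caller-identity
```

On the IAM side, the role's trust policy should restrict the token's sub claim to this repository and environment (for example repo:your-username/your-repo-name:environment:production) rather than trusting the whole GitHub OIDC provider; otherwise any repository could assume the role. With OIDC in place the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY secrets can be deleted and the access key deactivated in IAM, which also removes the rotation chore from the Security Reminders below.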

Security Reminders

  • Never commit AWS credentials to your repository
  • Use GitHub Secrets for all sensitive values
  • Rotate credentials regularly
  • Use IAM roles with least privilege
  • Enable branch protection for production branches

AWS Deployment Guide — Built with Next.js