feat(infra): deploy web app to Vercel with CI workflow and SSM-backed env vars

.github/workflows/web-deploy.yml

@@ -0,0 +1,232 @@
+name: web-deploy
+
+permissions:
+  contents: read
+
+concurrency:
+  group: web-deploy-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+  push:
+    branches:
+      - stage
+      - main
+  workflow_dispatch:
+
+jobs:
+  affected:
+    if: github.event_name != 'workflow_dispatch'
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    outputs:
+      web: ${{ steps.affected.outputs.web }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: .nvmrc
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - id: affected
+        name: Detect affected web package
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            BASE="${{ github.event.pull_request.base.sha }}"
+          else
+            BASE="${{ github.event.before }}"
+          fi
+
+          if [ -z "$BASE" ] || [ "$BASE" = "0000000000000000000000000000000000000000" ]; then
+            BASE=$(git rev-parse HEAD^ 2>/dev/null || true)
+          fi
+
+          if [ -z "$BASE" ]; then
+            echo "web=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          TURBO_STDERR=$(mktemp)
+          if ! TURBO_OUT=$(TURBO_SCM_BASE="$BASE" pnpm turbo run lint --affected --dry-run=json 2>"$TURBO_STDERR"); then
+            cat "$TURBO_STDERR" >&2
+            echo "$TURBO_OUT" >&2
+            rm -f "$TURBO_STDERR"
+            echo "Affected detection failed; forcing deploy to avoid false negative." >&2
+            echo "web=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          WEB_AFFECTED=$(echo "$TURBO_OUT" | jq -r 'try ([.tasks[]?.package] | any(. == "@forge/web")) catch "true"' 2>/dev/null || echo "true")
+          rm -f "$TURBO_STDERR"
+          echo "web=$WEB_AFFECTED" >> "$GITHUB_OUTPUT"
+
+  deploy:
+    permissions:
+      id-token: write
+      contents: write
+      pull-requests: write
+    needs: affected
+    if: >-
+      always() && (
+        (github.event_name == 'workflow_dispatch' && (github.ref_name == 'main' || github.ref_name == 'stage'))
+        || (github.event_name != 'workflow_dispatch' && needs.affected.outputs.web == 'true')
+      )
+    environment: ${{ github.event_name == 'pull_request' && 'web-preview' || (github.ref_name == 'main' && 'web-prod' || 'web-stage') }}
+    runs-on: ubuntu-latest
+    env:
+      AWS_REGION: ${{ vars.AWS_REGION || 'us-east-2' }}
+      VERCEL_ORG_ID: ${{ vars.VERCEL_ORG_ID }}
+      VERCEL_PROJECT_ID: ${{ vars.VERCEL_WEB_PROJECT_ID }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: .nvmrc
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Resolve environment
+        id: vars
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            DEPLOY_ENV="preview"
+            VERCEL_ENV="preview"
+            PROD_FLAG=""
+          elif [ "${GITHUB_REF_NAME}" = "main" ]; then
+            DEPLOY_ENV="prod"
+            VERCEL_ENV="production"
+            PROD_FLAG="--prod"
+          elif [ "${GITHUB_REF_NAME}" = "stage" ]; then
+            DEPLOY_ENV="stage"
+            VERCEL_ENV="preview"
+            PROD_FLAG=""
+          else
+            echo "Unsupported branch: ${GITHUB_REF_NAME}" >&2
+            exit 1
+          fi
+
+          echo "role_arn=${{ secrets.WEB_DEPLOY_ROLE_ARN }}" >> "$GITHUB_OUTPUT"
+          echo "deploy_env=$DEPLOY_ENV" >> "$GITHUB_OUTPUT"
+          echo "vercel_env=$VERCEL_ENV" >> "$GITHUB_OUTPUT"
+          echo "prod_flag=$PROD_FLAG" >> "$GITHUB_OUTPUT"
+
+      - name: Validate role ARN is configured
+        if: steps.vars.outputs.role_arn == ''
+        run: |
+          echo "Missing WEB_DEPLOY_ROLE_ARN secret for ${GITHUB_JOB} environment on ${GITHUB_REF_NAME}" >&2
+          exit 1
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ steps.vars.outputs.role_arn }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Read Vercel API token from SSM
+        id: ssm
+        run: |
+          TOKEN=$(aws ssm get-parameter --name /forge/vercel/api_token --with-decryption --query 'Parameter.Value' --output text)
+          echo "::add-mask::$TOKEN"
+          echo "vercel_token=$TOKEN" >> "$GITHUB_OUTPUT"
+
+      - name: Pull Vercel environment
+        run: pnpm vercel pull --yes --environment=${{ steps.vars.outputs.vercel_env }} --token=${{ steps.ssm.outputs.vercel_token }}
+
+      - name: Build
+        run: pnpm vercel build ${{ steps.vars.outputs.prod_flag }} --token=${{ steps.ssm.outputs.vercel_token }}
+
+      - name: Deploy
+        id: deploy
+        run: |
+          URL=$(pnpm vercel deploy --prebuilt ${{ steps.vars.outputs.prod_flag }} --token=${{ steps.ssm.outputs.vercel_token }})
+          echo "url=$URL" >> "$GITHUB_OUTPUT"
+
+      - name: Post preview URL on PR
+        if: always() && github.event_name == 'pull_request' && steps.deploy.outputs.url
+        continue-on-error: true
+        uses: actions/github-script@v8
+        env:
+          DEPLOY_URL: ${{ steps.deploy.outputs.url }}
+          JOB_STATUS: ${{ job.status }}
+        with:
+          script: |
+            const marker = "<!-- web-deploy-preview -->"
+            const status = process.env.JOB_STATUS === "success" ? "deployed" : "failed"
+            const url = process.env.DEPLOY_URL
+            const body = [
+              marker,
+              `**Web preview ${status}**`,
+              "",
+              url ? `URL: ${url}` : "",
+              `Run: ${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
+            ].filter(Boolean).join("\n")
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            })
+            const existing = comments.find(c => c.body?.includes(marker))
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body,
+              })
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body,
+              })
+            }
+
+      - name: Post deployment status comment
+        if: always() && github.event_name != 'pull_request'
+        continue-on-error: true
+        uses: actions/github-script@v8
+        env:
+          DEPLOY_ENV: ${{ steps.vars.outputs.deploy_env }}
+          DEPLOY_URL: ${{ steps.deploy.outputs.url }}
+          JOB_STATUS: ${{ job.status }}
+        with:
+          script: |
+            const status = process.env.JOB_STATUS === "success" ? "SUCCESS" : "FAILED"
+            const body = [
+              `Web deploy ${status}`,
+              "",
+              `- Environment: \`${process.env.DEPLOY_ENV || "unknown"}\``,
+              `- Branch: \`${context.ref.replace("refs/heads/", "")}\``,
+              `- URL: ${process.env.DEPLOY_URL || "n/a"}`,
+              `- Run: ${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
+            ].join("\n")
+
+            await github.rest.repos.createCommitComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              commit_sha: context.sha,
+              body,
+            })

infra/aws/github/outputs.tf

@@ -3,6 +3,11 @@ output "github_actions_cms_deploy_role_arn" {
   value       = aws_iam_role.github_actions_cms_deploy.arn
 }
 
+output "github_actions_web_deploy_role_arn" {
+  description = "GitHub Actions role for web Vercel deploy."
+  value       = aws_iam_role.github_actions_web_deploy.arn
+}
+
 output "github_actions_terraform_apply_role_arn" {
   description = "GitHub Actions role for Terraform apply."
   value       = aws_iam_role.github_actions_terraform_apply.arn

infra/aws/github/ssm.tf

@@ -60,6 +60,12 @@ resource "aws_ssm_parameter" "cms_deploy_role_arn" {
   value = aws_iam_role.github_actions_cms_deploy.arn
 }
 
+resource "aws_ssm_parameter" "web_deploy_role_arn" {
+  name  = "/forge/github/web_deploy_role_arn_${var.environment}"
+  type  = "String"
+  value = aws_iam_role.github_actions_web_deploy.arn
+}
+
 resource "aws_ssm_parameter" "terraform_vercel_role_plan_arn" {
   count = local.create_github_secure_parameters ? 1 : 0
 

infra/aws/github/terraform.tf

@@ -340,6 +340,26 @@ data "aws_kms_key" "cms_ssm_prod" {
   key_id = data.aws_kms_alias.cms_ssm_prod[0].target_key_arn
 }
 
+data "aws_kms_alias" "web_ssm_stage" {
+  count = local.create_shared_github_resources ? 1 : 0
+  name  = "alias/forge-web-stage-ssm"
+}
+
+data "aws_kms_key" "web_ssm_stage" {
+  count  = local.create_shared_github_resources ? 1 : 0
+  key_id = data.aws_kms_alias.web_ssm_stage[0].target_key_arn
+}
+
+data "aws_kms_alias" "web_ssm_prod" {
+  count = local.create_shared_github_resources ? 1 : 0
+  name  = "alias/forge-web-prod-ssm"
+}
+
+data "aws_kms_key" "web_ssm_prod" {
+  count  = local.create_shared_github_resources ? 1 : 0
+  key_id = data.aws_kms_alias.web_ssm_prod[0].target_key_arn
+}
+
 locals {
   terraform_stack_roles = local.create_shared_github_resources ? {
     vercel_plan = {
@@ -361,13 +381,19 @@ locals {
       ]
       ssm_parameter_arns = [
         "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/vercel/api_token",
-        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/cms/stage/STRAPI_INTERNAL_API_TOKEN",
-        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/cms/prod/STRAPI_INTERNAL_API_TOKEN",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/stage/STRAPI_API_TOKEN",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/prod/STRAPI_API_TOKEN",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/stage/STRAPI_PREVIEW_SECRET",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/prod/STRAPI_PREVIEW_SECRET",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/stage/NEXT_PUBLIC_GRAPHQL_URL",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/prod/NEXT_PUBLIC_GRAPHQL_URL",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/stage/NEXT_PUBLIC_CMS_HOSTNAME",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/prod/NEXT_PUBLIC_CMS_HOSTNAME",
       ]
       ssm_kms_key_arns = [
         var.vercel_ssm_kms_key_arn,
-        data.aws_kms_key.cms_ssm_stage[0].arn,
-        data.aws_kms_key.cms_ssm_prod[0].arn,
+        data.aws_kms_key.web_ssm_stage[0].arn,
+        data.aws_kms_key.web_ssm_prod[0].arn,
       ]
     }
     vercel_apply = {
@@ -397,13 +423,19 @@ locals {
       ]
       ssm_parameter_arns = [
         "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/vercel/api_token",
-        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/cms/stage/STRAPI_INTERNAL_API_TOKEN",
-        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/cms/prod/STRAPI_INTERNAL_API_TOKEN",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/stage/STRAPI_API_TOKEN",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/prod/STRAPI_API_TOKEN",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/stage/STRAPI_PREVIEW_SECRET",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/prod/STRAPI_PREVIEW_SECRET",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/stage/NEXT_PUBLIC_GRAPHQL_URL",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/prod/NEXT_PUBLIC_GRAPHQL_URL",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/stage/NEXT_PUBLIC_CMS_HOSTNAME",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/web/prod/NEXT_PUBLIC_CMS_HOSTNAME",
       ]
       ssm_kms_key_arns = [
         var.vercel_ssm_kms_key_arn,
-        data.aws_kms_key.cms_ssm_stage[0].arn,
-        data.aws_kms_key.cms_ssm_prod[0].arn,
+        data.aws_kms_key.web_ssm_stage[0].arn,
+        data.aws_kms_key.web_ssm_prod[0].arn,
       ]
     }
     github_plan = {
@@ -425,6 +457,8 @@ locals {
       ]
       ssm_parameter_arns = [
         "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/github/*",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/vercel/org_id",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/vercel/web_project_id",
         "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/cms/stage/STRAPI_INTERNAL_API_TOKEN",
         "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/cms/prod/STRAPI_INTERNAL_API_TOKEN",
       ]
@@ -461,6 +495,8 @@ locals {
       ]
       ssm_parameter_arns = [
         "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/github/*",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/vercel/org_id",
+        "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/vercel/web_project_id",
         "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/cms/stage/STRAPI_INTERNAL_API_TOKEN",
         "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/forge/aws/cms/prod/STRAPI_INTERNAL_API_TOKEN",
       ]