Add github:* resource tagging strategy to CDK stacks #84

@scottschreckengaust

Description

Parent

Sub-issue of #73 (RFC: GitHub Actions CI/CD with protected deployment environment and approval gates)

Summary

Implement github:* resource tagging on all CDK stack resources via Tags.of(stack).add() in main.ts. Tags are injected through CDK context (-c) and default to the sentinel value none when not provided.

See tagging strategy addendum on #73: #73 (comment)

Scope

  • Add github:* tag resolution in cdk/src/main.ts (9 tags, all defaulting to none)
  • Pass tags through CDK context values
  • Add/update tests to verify tags are applied
  • No CI/CD workflow changes — this is infrastructure-only

Tags

| Tag key | Default | $GITHUB_* variable | gh CLI | git CLI |
|---|---|---|---|---|
| github:sha | none | $GITHUB_SHA | `gh api /repos/{owner}/{repo}/commits/{ref} --jq .sha` | `git rev-parse HEAD` |
| github:ref | none | $GITHUB_REF_NAME | `gh api /repos/{owner}/{repo}/git/ref/heads/{branch} --jq .ref` | `git branch --show-current` |
| github:ref-type | none | $GITHUB_REF_TYPE | `gh api /repos/{owner}/{repo}/git/ref/heads/{branch}` → branch; `/tags/{tag}` → tag | inferred from `git describe --exact-match` success/failure |
| github:actor | none | $GITHUB_ACTOR | `gh api /user --jq .login` | `git config user.name` |
| github:head-ref | none | $GITHUB_HEAD_REF | `gh pr view --json headRefName --jq .headRefName` | N/A (PR context only) |
| github:run-id | none | $GITHUB_RUN_ID | `gh run list --limit 1 --json databaseId --jq '.[0].databaseId'` | N/A (CI only) |
| github:event | none | $GITHUB_EVENT_NAME | `gh run view {run-id} --json event --jq .event` | N/A (CI only) |
| github:repository | none | $GITHUB_REPOSITORY | `gh repo view --json nameWithOwner --jq .nameWithOwner` | `git remote get-url origin \| sed 's/.*github.com[:/]//' \| sed 's/.git$//'` |
| github:clean | none | true (CI always clean) | N/A | `[ -z "$(git status --porcelain)" ] && echo true \|\| echo false` |

Local deploy example

```bash
# Quote every substitution: user.name and branch names can contain spaces or shell metacharacters.
ref=$(git branch --show-current)   # prints nothing (exit 0) on a detached HEAD
npx cdk deploy \
  -c "github:sha=$(git rev-parse HEAD)" \
  -c "github:ref=${ref:-detached}" \
  -c "github:ref-type=branch" \
  -c "github:actor=$(git config user.name)" \
  -c "github:repository=$(gh repo view --json nameWithOwner --jq .nameWithOwner)" \
  -c "github:clean=$([ -z "$(git status --porcelain)" ] && echo true || echo false)"
```

CI deploy example (GitHub Actions)

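```yaml
- name: CDK Synth
  # Pass GitHub context through env instead of inline ${{ }} in the script:
  # ref_name and head_ref are contributor-controlled and would be expanded into the shell text.
  env:
    GH_SHA: ${{ github.sha }}
    GH_REF: ${{ github.ref_name }}
    GH_REF_TYPE: ${{ github.ref_type }}
    GH_ACTOR: ${{ github.actor }}
    GH_HEAD_REF: ${{ github.head_ref || '' }}
    GH_RUN_ID: ${{ github.run_id }}
    GH_EVENT: ${{ github.event_name }}
    GH_REPOSITORY: ${{ github.repository }}
  run: |
    npx cdk synth \
      -c "github:sha=${GH_SHA}" \
      -c "github:ref=${GH_REF}" \
      -c "github:ref-type=${GH_REF_TYPE}" \
      -c "github:actor=${GH_ACTOR}" \
      -c "github:head-ref=${GH_HEAD_REF}" \
      -c "github:run-id=${GH_RUN_ID}" \
      -c "github:event=${GH_EVENT}" \
      -c "github:repository=${GH_REPOSITORY}" \
      -c "github:clean=true"
```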

Acceptance criteria

  • All 9 tags applied to every taggable resource in synthesized template
  • Missing context values default to none
  • Existing tests pass
  • New test verifies tag presence in synth output
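
One way to implement the tag resolution from the Summary and Scope, as an added example rather than the code in PR #85: `resolveGithubTags`, `sanitizeTagValue` and the sample context are hypothetical names and constructed values. It assumes an empty context value counts as missing, and it restricts values to a conservative ASCII subset of what AWS accepts in tag values, because ref and actor names are contributor-controlled.

```typescript
// Added example, not the project's main.ts. All names are hypothetical.
const GITHUB_TAG_KEYS = [
  "github:sha", "github:ref", "github:ref-type", "github:actor",
  "github:head-ref", "github:run-id", "github:event",
  "github:repository", "github:clean",
] as const;

const SENTINEL = "none";
const MAX_TAG_VALUE_LENGTH = 256; // AWS limit on tag value length

// Conservative ASCII subset of what AWS accepts in a tag value:
// letters, digits, space and _ . : / = + - @. Anything else becomes "_".
const DISALLOWED = /[^A-Za-z0-9 _.:\/=+\-@]/g;

type ContextLookup = (key: string) => unknown;

function sanitizeTagValue(raw: unknown): string {
  if (raw === undefined || raw === null) return SENTINEL;
  const cleaned = String(raw).trim().replace(DISALLOWED, "_");
  // Assumption: an empty value (e.g. head-ref outside a PR) counts as missing.
  if (cleaned.length === 0) return SENTINEL;
  return cleaned.slice(0, MAX_TAG_VALUE_LENGTH);
}

function resolveGithubTags(lookup: ContextLookup): Record<string, string> {
  const tags: Record<string, string> = {};
  for (const key of GITHUB_TAG_KEYS) {
    tags[key] = sanitizeTagValue(lookup(key));
  }
  return tags;
}

// Wiring inside a CDK app, where `app` and `stack` already exist:
//   const tags = resolveGithubTags((k) => app.node.tryGetContext(k));
//   for (const k of Object.keys(tags)) Tags.of(stack).add(k, tags[k]);

// Constructed sample context standing in for values passed with -c.
const sampleContext: Record<string, unknown> = {
  "github:sha": "0123456789abcdef0123456789abcdef01234567",
  "github:ref": "fix/issue#84",
  "github:actor": "Jane O'Dev",
  "github:head-ref": "",
  "github:clean": "true",
};
const sampleTags = resolveGithubTags((k) => sampleContext[k]);
console.log(sampleTags);
```

Sanitizing at resolution time keeps a branch or user name with unusual characters from failing the deployment on an invalid tag value.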

Implementation

PR #85

Metadata

Labels

enhancement (New feature or request)
