Practice & Assessment
Test your understanding of Deployment Workflows
Multiple Choice Questions
What permission is required in a workflow to use OIDC authentication with AWS?
An environment has a required reviewer set. When does the deployment job run?
What is the main security advantage of OIDC over storing AWS_SECRET_ACCESS_KEY in GitHub Secrets?
What does the if: failure() condition on a step do?
Environment secrets and repository secrets have the same name. Which takes precedence when a job references that environment?
Coding Challenges
Staged Deployment with Environment Approval
Create a workflow that builds a static site (can be a simple echo command representing a build) and deploys it to staging, then waits for approval before deploying to production. Configure two GitHub Environments: staging (no protection rules) and production (required reviewer: yourself). The workflow must have three jobs: build (runs npm run build or echo), deploy-staging (references staging environment, echoes 'Deployed to staging'), and deploy-production (needs deploy-staging, references production environment with a url output, echoes 'Deployed to production'). Trigger via push to main and verify the workflow pauses at the production gate. Estimated time: 20 minutes.
Mini Project
Full Deploy Pipeline: Build, Approve, Deploy
Build a complete deployment pipeline for a Node.js application. The pipeline triggers on push to main and has four jobs: test (runs Jest tests), build (needs test, runs npm run build, uploads dist/ as an artifact), deploy-staging (needs build, downloads the artifact, references the staging environment, simulates deployment with echo commands and a curl health check to a mock URL using the --fail flag), and deploy-production (needs deploy-staging, references the production environment with required reviewer approval, re-downloads the artifact and simulates a production deploy). Store a DEPLOY_TOKEN secret at repository level and a different DEPLOY_TOKEN at production environment level. Verify the environment-level secret overrides the repository secret by echoing the first 3 characters of the token in each deploy job (values should differ).
