github-workflows-dojo360-serverless-promotion
Promote serverless deployments across environments (dev→qa→cert→prod) using Dojo360 serverless-cd-promotion with deployment-path validation and approval gates
Serverless CD Promotion Workflow Skill
Overview
The Serverless-CD Promotion workflow is a reusable GitHub Actions workflow that promotes (deploys) a serverless release candidate through multiple environments using a single workflow run.
It validates that the user-provided deployment-path matches the promotion-path defined in team metadata, then executes environment jobs in order. Between stages it can pause behind GitHub Environment protection rules (“approval gateway”), and it preserves the same ref for the entire promotion run.
Workflow Reference
Repository: dojo360/pipelines-workflows
Workflow: .github/workflows/serverless-cd-promotion.yml
Version: @beta (latest)
Documentation: https://github.com/dojo360/pipelines-workflows/tree/main/web/serverless-cd-promotion/index.md
Key Features
- Multi-environment promotion: one workflow run promotes across multiple stages
- Path validation: validates `deployment-path` against metadata `promotion-path`
- Approval gates: uses GitHub Environments/protection rules between stages
- Stable ref across stages: keeps the same git reference (`ref`) through all stages
- Reuses Serverless-CD: runs Serverless-CD for each environment stage
- E2E testing per stage: optional E2E workflow execution after selected stages
- CI output integration: can pass `artifact-name` from CI job outputs
- EFIX support: supports user-defined stages for emergency fix flows
Prerequisites
- Team metadata: Product must be onboarded to Dojo360 Metadata API (or equivalent local metadata) and include a valid `promotion-path`.
- GitHub Environments: Create environments matching your deployment stages (e.g., `dev`, `qa`, `cert`, `prod`) and configure protection rules/approvers as needed.
- OIDC setup (cloud dependent):
  - AWS (e.g., `awsOptum`, `awsChc20`): GitHub OIDC trust + IAM role for the workflow runner
  - Azure (e.g., `azureOptum`): OIDC app registration/service principal configuration
- Artifact access: Ensure the workflow has access to the artifact repository (Artifactory / GitHub / etc.) where your serverless build artifact lives.
Requirements
- Terraform ~> 1.9.x
- AWS ~> 5.xx (for AWS operations)
- AzureRM ~> 3.xx (for Azure operations)
- GCP ~> 6.xx (for GCP operations)
Required Inputs
| Input | Type | Description |
|---|---|---|
| aide-id | string | AIDE ID used to fetch team metadata |
| artifact-name | string | Name of the artifact to deploy |
| cloud-type | string | Cloud provider for metadata/deployment (see Supported Cloud Types in Dojo360 docs) |
| deployment-path | string | Promotion path to execute (e.g., dev-qa-cert-prod) |
| domain | string | Domain used for metadata lookup |
| environment | string | Initial environment value used to define approvals (required in Dojo360 usage examples) |
| team-name | string | Team name used for metadata lookup |
Common Optional Inputs
| Input | Type | Default | Description |
|---|---|---|---|
| artifact-repo-path | string | '' | Path within the artifact repository/repo where artifacts are stored |
| artifact-repository | string | '' | Repository/registry where artifacts are stored |
| e2e-tests-enabled-stages | string | '' | Comma-separated stages where E2E should run (e.g., qa,cert) |
| e2e-workflow-file | string | '' | Workflow file to run for E2E |
| e2e-workflow-inputs | string (JSON) | '' | JSON string of inputs for the E2E workflow |
| jfrog-project-key | string | '' | JFrog project key (SaaS Artifactory) |
| prm-base-url | string | https://prm.optum.com | PRM base URL |
| ref | string | (auto) | Branch/tag/SHA to checkout; promotion keeps the same ref across stages |
| remote-state-file-name | string | '' | Remote Terraform state file name |
| remote-state-folder-name | string | '' | Remote Terraform state folder name |
| runner-labels | string | '' | Comma-separated runner labels |
| terraform-directory | string | tf | Terraform directory relative to repo |
| terraform-prm-secrets | string | '' | Comma-separated PRM secret names mapped to tfvars |
| terraform-provider-network-mirror | string | Dojo360 default | Terraform provider mirror/proxy URL |
| terraform-vars-files | string | '' | Comma-separated list of .tfvars files |
| terraform-vars-values | string (JSON) | '' | JSON string of Terraform vars |
| terraform-version | string | 1.9.2 | Terraform version |
| terraform-volcan-secrets | string | '' | Comma-separated Volcan secret names mapped to tfvars |
| volcan-base-url | string | volcan-cloud.optum.com | Volcan base URL |
Required Workflow Permissions
```yaml
permissions:
  id-token: write
  contents: write
  actions: read
  pull-requests: write
  security-events: write
  checks: write
  issues: read
```
Required Secrets
- `GH_TOKEN`: GitHub token for workflow operations
- `REPO_USERNAME`: Artifact repository username (required when your artifact source requires auth)
- `REPO_PASSWORD`: Artifact repository password/token (required when your artifact source requires auth)
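A complete caller workflow, written here as an added example rather than copied from the dojo360/pipelines-workflows repository or its templates: a CI job produces the artifact and hands `artifact-name` to the promotion through job outputs, `ref` is pinned to the pushed commit so every stage deploys the same code, and E2E runs are enabled after `qa` and `cert`. The `aide-id`, `domain` and `team-name` values, the E2E workflow file name and its input URL, and the build command are placeholders; the `deployment-path` of `dev-qa-cert-prod` is assumed to match the team's metadata `promotion-path`.

```yaml
# Added example, not part of the Dojo360 documentation or templates.
# Assumptions: the team metadata promotion-path is "dev-qa-cert-prod" and
# GitHub Environments named dev, qa, cert and prod exist with protection rules.
name: Serverless promotion

on:
  push:
    branches: [main]   # default-branch pipelines
    tags: ['v*']       # tag-triggered pipelines

# The permission set required by serverless-cd-promotion (see above).
permissions:
  id-token: write
  contents: write
  actions: read
  pull-requests: write
  security-events: write
  checks: write
  issues: read

jobs:
  ci:
    runs-on: ubuntu-latest
    outputs:
      # Exposed to the promotion job via needs.ci.outputs.artifact-name
      artifact-name: ${{ steps.build.outputs.artifact-name }}
    steps:
      - uses: actions/checkout@v4
      - id: build
        # Placeholder build step: a real CI job would package the function
        # and publish it to the artifact repository before emitting its name.
        run: echo "artifact-name=my-function-${GITHUB_SHA::7}.zip" >> "$GITHUB_OUTPUT"

  promote:
    needs: ci
    uses: dojo360/pipelines-workflows/.github/workflows/serverless-cd-promotion.yml@beta
    with:
      aide-id: AIDE_PLACEHOLDER            # placeholder AIDE ID
      artifact-name: ${{ needs.ci.outputs.artifact-name }}
      cloud-type: awsOptum
      deployment-path: dev-qa-cert-prod    # must equal the metadata promotion-path
      domain: example-domain               # placeholder
      environment: dev                     # initial environment for approvals
      team-name: example-team              # placeholder
      ref: ${{ github.sha }}               # same commit promoted through every stage
      e2e-tests-enabled-stages: qa,cert
      e2e-workflow-file: e2e-tests.yml     # placeholder E2E workflow in this repo
      e2e-workflow-inputs: '{"base-url": "https://qa.example.internal"}'  # placeholder
      terraform-directory: tf
      terraform-vars-files: common.tfvars  # placeholder tfvars file
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}
      REPO_USERNAME: ${{ secrets.REPO_USERNAME }}
      REPO_PASSWORD: ${{ secrets.REPO_PASSWORD }}
```

Two points worth checking when adapting this. The approval stops between stages come entirely from the protection rules on the `dev`, `qa`, `cert` and `prod` environments; nothing in this file pauses the run, so a stage with no reviewers configured deploys without a gate. Secrets are passed by name rather than with `secrets: inherit`, so the reusable workflow receives only the three it documents and not every secret in the calling repository.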
Templates
See the ready-to-copy examples in .github/skills/github-workflows-dojo360-serverless-promotion/templates/:
- basic-serverless-promotion.yml
- promotion-with-e2e-testing.yml
- promotion-with-prm-secrets.yml
- ci-cd-integrated-promotion.yml
Notes / Gotchas
- Promotion workflows are intended for default branch and tag-triggered pipelines.
- `deployment-path` must align with your metadata `promotion-path` (otherwise the workflow exits early).
- GitHub Environment protection rules are what create the approval "stop points" between stages.
Related Assets
github-workflows-dojo360-azure-infrastructure
Deploy Azure infrastructure using Terraform with PCAM vaulted access and native Azure authentication through Dojo360 Azure Infrastructure workflow
Owner: pcorazao
github-workflows-dojo360-container-cd
Deploy containerized applications to AWS ECS/Azure ACS using Dojo360 Container CD workflow with blue-green and rolling update strategies
Owner: pcorazao
github-workflows-dojo360-container-promotion
Multi-environment container deployment promotion through prescribed deployment paths with automated approval gates and E2E testing
Owner: pcorazao
github-workflows-dojo360-database
Automate database schema updates using Liquibase via the Dojo360 database workflow (with rollback and validation patterns)
Owner: pcorazao
github-workflows-dojo360-database-promotion
Promote Liquibase database changes across environments (dev→qa→cert→prod) with deployment-path validation and approval gates
Owner: pcorazao
github-workflows-dojo360-dockerfile-ci
Build and scan container images from a Dockerfile using Optum golden images and the recommended UHG reusable workflow
Owner: pcorazao