📝 update ci/cd docs
jdub233 committed Jan 19, 2024
1 parent d3bd037 commit 1fd6d68
Showing 2 changed files with 11 additions and 9 deletions.
18 changes: 9 additions & 9 deletions docs/cicd.md
Expand Up @@ -3,9 +3,9 @@
Since [Github Actions](https://docs.github.com/actions) runs our CI/CD pipeline, a recommended refresher on CI/CD is the github ["CI/CD explained" article](https://resources.github.com/ci-cd/).
The implementation of this pipeline is a one-time exercise, with this as a record detailing what was done.

### Overview
## Overview

A rudimentary [workflow](https://docs.github.com/en/actions/using-workflows/about-workflows#about-workflows) has been setup for deployment of the app that breaks down into the following sequence:
A [workflow](https://docs.github.com/en/actions/using-workflows/about-workflows#about-workflows) has been setup for deployment of the app that breaks down into the following sequence:

1. A feature branch is approved and merged into the main branch of the github repository for the app.
This kicks off the [workflow](https://docs.github.com/en/actions/using-workflows/about-workflows#about-workflows).
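Review bot: "has been setup" in the rewritten sentence should be "has been set up" (setup is the noun form). The promotion to `## Overview` is consistent with a top-level section, but the surrounding context spells the product three ways ("Github Actions", "the github", "github repository") where the name is "GitHub"; worth normalising in the same pass.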
Expand All @@ -31,7 +31,7 @@ The abridged steps are:
The role "WordpressProtectedAssetsGithubActionsCloudformingRole" can be found [here](https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/roles/details/WordpressProtectedAssetsGithubActionsCloudformingRole?section=permissions)
Role policy:

```
```json
{
"Version": "2012-10-17",
"Statement": [
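Review bot: the console link for the role only resolves for readers with access to that AWS account, and the role's ARN does not appear until the workflow excerpt later in the file; suggest stating the ARN next to "Role policy:" and adding one sentence on what the permission policy is scoped to, so a reader can check least privilege without opening the console. The `json` fence tag itself is a good change.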
Expand Down Expand Up @@ -60,7 +60,7 @@ The abridged steps are:

Trust relationship:

```
```json
{
"Version": "2012-10-17",
"Statement": [
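Review bot: "Trust relationship:" should get a sentence explaining that this policy is what limits which GitHub workflows may assume the role and which token claims it conditions on (this repository, and the `main` branch the overview says triggers deploys); a reader who only sees the JSON cannot tell whether a token from another repository or branch would be accepted, and that condition is the main control in an OIDC trust policy.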
Expand All @@ -87,7 +87,7 @@ The abridged steps are:
3. Create the github action (located in `.github/workflows/cicd.yml`)
Below are relevant excerpts that shows the deploy job step that uses the role (`role-session-name`)

```
```yaml
env:
AWS_REGION: us-east-1

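Review bot: "relevant excerpts that shows" should be "that show". More importantly, the parenthetical points at `role-session-name`, but the key that actually ties the step to the role, as the following excerpt shows, is `role-to-assume`; either include the `role-session-name` line in the excerpt or change the parenthetical to `role-to-assume`.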
Expand All @@ -98,9 +98,9 @@ The abridged steps are:
...

jobs:
...
deploy:
...
...
deploy:
...
- uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::115619461932:role/WordpressProtectedAssetsGithubActionsCloudformingRole
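Review bot: `aws-actions/configure-aws-credentials@v2` is pinned to a mutable major-version tag; because this step is the one that hands AWS credentials to the job, pin it to a full commit SHA with the version in a trailing comment so a moved tag cannot change what runs. Separately, the three modified lines (`...`, `deploy:`, `...`) differ only in leading whitespace, which this view does not render; since the excerpt is YAML, double-check that the indentation now matches `.github/workflows/cicd.yml` exactly (`deploy` nested under `jobs`, the `- uses:` step nested under the deploy job's steps), otherwise the excerpt will mislead anyone copying it.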
Expand All @@ -121,4 +121,4 @@ OIDC (OpenID Connect) is an identity layer built on top of OAuth 2.0 that allows
4. **Defense Against Key Exfiltration:** If an attacker gains access to the OIDC provider's private key used for token signing, they might try to insert their own public key into the provider's configuration. The OIDC thumbprint can help prevent such attacks by verifying that the public key used for token validation aligns with the trusted key.
5. **Third-Party OIDC Providers:** In scenarios where the relying party trusts multiple OIDC providers, the thumbprint can help ensure that tokens are only accepted from the intended and validated OIDC provider, preventing tokens from unauthorized providers.

In summary, the OIDC thumbprint is a security mechanism that enhances the trustworthiness of the OIDC authentication process by providing a means to verify the authenticity of the OIDC provider's token validation endpoint. It adds an additional layer of protection against various attack vectors, particularly those involving tampering, impersonation, and unauthorized token sources.
In summary, the OIDC thumbprint is a security mechanism that enhances the trustworthiness of the OIDC authentication process by providing a means to verify the authenticity of the OIDC provider's token validation endpoint. It adds an additional layer of protection against various attack vectors, particularly those involving tampering, impersonation, and unauthorized token sources.
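Review bot: the before and after lines of this hunk are textually identical, so the change is whitespace only (most likely the trailing newline at end of file), which is fine. While here, item 4 of the list contradicts the summary sentence: the summary says the thumbprint verifies the provider's token validation endpoint, but item 4 claims it defends against an attacker who already holds the provider's private signing key, and a check on the endpoint cannot help once the signing key is compromised; reword or drop item 4 so the list matches what the thumbprint actually verifies.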
2 changes: 2 additions & 0 deletions readme.md
Expand Up @@ -57,6 +57,8 @@ wp access network-update-dynamodb

The parameters of the BU production deployment are in the `samconfig.toml` file under the "prod" stanza.

Deployments are handled automatically by a Github Action that runs a `sam build` and `sam deploy` with the `prod` configuration when a commit is made to the `main` branch. More details about the Github Action are available in the [Continuous integration/deployment (CI/CD)](./docs/cicd.md) documentation.

## Testing

The package includes a suite of unit tests that can be run using the following command:
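Review bot: the added paragraph should say which AWS identity the action deploys as; the CI/CD doc it links to shows the job assuming an IAM role through `configure-aws-credentials` (`role-to-assume`), and stating here that deployments use that role (rather than AWS access keys stored as repository secrets, if that is the case) tells readers where to look when a deploy is denied. Also "Github Action" should be "GitHub Actions" for consistency with the product name.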
