
Deployment & CI/CD

Deployment Architecture

StackFlow uses a GitOps deployment model where all changes are made via pull requests to the GitHub repository. The GitHub Actions CI/CD pipeline runs tests, builds the Lambda deployment package, uploads it to S3, and updates the Lambda function code. Database migrations are applied automatically as part of the deployment pipeline using the StackFlowPatcher Lambda.

⚙️ Minimum Requirements
  • S3: stackflow-deployments-373544523367 bucket for Lambda deployment packages
  • GitHub Actions: Workflow must have AWS credentials configured as repository secrets (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
  • IAM: Deployment role with lambda:UpdateFunctionCode, lambda:PublishVersion, cloudfront:CreateInvalidation
  • Lambda Alias: Production alias pointing to stable version; new deployments shift traffic gradually via weighted alias

GitHub Actions Pipeline

name: StackFlow Deploy
on:
  push:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: {node-version: '22'}
      - run: npm ci && npm test

  deploy:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::373544523367:role/StackFlowCICDRole
          aws-region: us-east-1
      - run: |
          npm ci
          zip -r lambda.zip . -x "*.git*" -x "*.test.*"
          aws s3 cp lambda.zip s3://stackflow-deployments-prod/lambda.zip
          aws lambda update-function-code \
            --function-name StackFlowAPI \
            --s3-bucket stackflow-deployments-prod \
            --s3-key lambda.zip
          aws lambda wait function-updated --function-name StackFlowAPI

OIDC Authentication: The CI/CD pipeline uses GitHub OIDC to authenticate with AWS — no long-lived AWS credentials stored in GitHub Secrets. The StackFlowCICDRole IAM role trusts the GitHub OIDC provider with conditions scoped to the specific repository and branch.
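The value of the OIDC model above depends entirely on the trust policy's Condition block: a role that trusts the GitHub provider with a wildcard `sub` can be assumed by any repository's workflow. The checker below is an added example, not StackFlow's own tooling. It uses the account ID and role purpose from this page, but the repository name (`EXAMPLE-ORG/stackflow`) is a placeholder, and both policies are constructed here to show a weak scoping beside a correct one.

```python
import json
from fnmatch import fnmatch

GITHUB_OIDC = "token.actions.githubusercontent.com"
EXPECTED_REPO = "EXAMPLE-ORG/stackflow"   # placeholder, not the real repository
EXPECTED_REF = "refs/heads/main"
PROVIDER_ARN = "arn:aws:iam::373544523367:oidc-provider/" + GITHUB_OIDC

# Constructed weak policy: the sub wildcard lets any GitHub repository assume the role,
# and no aud condition is present.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {GITHUB_OIDC + ":sub": "repo:*"}},
    }],
}

# Constructed hardened policy: audience pinned to STS, sub pinned to one repo and one branch.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                GITHUB_OIDC + ":aud": "sts.amazonaws.com",
                GITHUB_OIDC + ":sub": f"repo:{EXPECTED_REPO}:ref:{EXPECTED_REF}",
            }
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, repo=EXPECTED_REPO, ref=EXPECTED_REF):
    """Return a list of findings for the web-identity statements in a trust policy.

    An empty list means every AssumeRoleWithWebIdentity statement pins the audience
    to STS and the sub claim to exactly one repository and branch.
    """
    findings = []
    expected_sub = f"repo:{repo}:ref:{ref}"
    # Probes used to decide whether a wildcard pattern is broader than one repo/branch.
    other_repo = f"repo:OTHER-ORG/other:ref:{ref}"
    other_branch = f"repo:{repo}:ref:refs/heads/feature"

    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})

        if "sts.amazonaws.com" not in _as_list(equals.get(f"{GITHUB_OIDC}:aud", [])):
            findings.append("aud not pinned to sts.amazonaws.com")

        subs = _as_list(equals.get(f"{GITHUB_OIDC}:sub", [])) + \
               _as_list(like.get(f"{GITHUB_OIDC}:sub", []))
        if not subs:
            findings.append("no sub condition: any GitHub workflow can assume the role")
        for sub in subs:
            if sub == expected_sub:
                continue
            if "*" in sub:
                if fnmatch(other_repo, sub):
                    findings.append(f"sub pattern {sub!r} matches other repositories")
                elif fnmatch(other_branch, sub):
                    findings.append(f"sub pattern {sub!r} matches branches other than {ref}")
            else:
                findings.append(f"sub {sub!r} does not match expected {expected_sub!r}")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(check_trust_policy(policy)))
```

Run this against the output of `aws iam get-role` before a deployment role goes live; any finding means a workflow outside the intended repository or branch could obtain the role's `lambda:UpdateFunctionCode` permission.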

Lambda Deployment

Lambda deployments use versioning and aliases for zero-downtime updates. The deployment process: upload new code → create new Lambda version → run smoke tests against the new version → update the PROD alias to point to the new version. The API Gateway points to the Lambda alias, not a specific version, enabling instant rollback by updating the alias.
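The ordering in that sequence is the safety property: the alias moves only after the smoke test has passed against the freshly published version, so a broken build never receives production traffic, and the previous version number is retained for the instant rollback. The script below is an added example, not StackFlow's own deploy code. It is written against the boto3 Lambda client method names `publish_version`, `invoke`, `get_alias` and `update_alias`; the `FakeLambdaClient` is constructed here so the flow runs offline, and a real run would pass `boto3.client("lambda")` in its place.

```python
import io
import json


class FakeLambdaClient:
    """Constructed in-memory stand-in for boto3's Lambda client (assumption: the real
    client exposes the same four methods with these keyword arguments)."""

    def __init__(self, current_version, healthy_versions=()):
        self.aliases = {"PROD": current_version}
        self.healthy = set(healthy_versions) | {current_version}
        self._next = int(current_version) + 1

    def publish_version(self, FunctionName):
        version = str(self._next)
        self._next += 1
        return {"Version": version}

    def invoke(self, FunctionName, Qualifier, Payload):
        # Like the real service, a failing function still returns StatusCode 200
        # but adds a FunctionError key; the body is a BytesIO with the same .read().
        if Qualifier in self.healthy:
            return {"StatusCode": 200,
                    "Payload": io.BytesIO(json.dumps({"status": "ok"}).encode())}
        return {"StatusCode": 200, "FunctionError": "Unhandled",
                "Payload": io.BytesIO(json.dumps({"errorType": "Exception"}).encode())}

    def get_alias(self, FunctionName, Name):
        return {"FunctionVersion": self.aliases[Name]}

    def update_alias(self, FunctionName, Name, FunctionVersion):
        self.aliases[Name] = FunctionVersion
        return {"FunctionVersion": FunctionVersion}


def smoke_test(client, function_name, version):
    """Invoke the new version by its own qualifier, so PROD traffic is untouched."""
    resp = client.invoke(FunctionName=function_name, Qualifier=version,
                         Payload=json.dumps({"action": "healthcheck"}).encode())
    if resp.get("FunctionError") or resp["StatusCode"] != 200:
        return False
    body = json.loads(resp["Payload"].read())
    return body.get("status") == "ok"


def deploy(client, function_name="StackFlowAPI", alias="PROD"):
    """Publish, smoke-test, and only then move the alias.

    Returns (promoted, new_version, previous_version); previous_version is what a
    rollback must restore.
    """
    previous = client.get_alias(FunctionName=function_name, Name=alias)["FunctionVersion"]
    new_version = client.publish_version(FunctionName=function_name)["Version"]
    if not smoke_test(client, function_name, new_version):
        # The alias was never moved, so the failed version serves no production traffic.
        return False, new_version, previous
    client.update_alias(FunctionName=function_name, Name=alias, FunctionVersion=new_version)
    return True, new_version, previous


def rollback(client, previous_version, function_name="StackFlowAPI", alias="PROD"):
    """Instant rollback: point the alias back at the last known-good version."""
    client.update_alias(FunctionName=function_name, Name=alias, FunctionVersion=previous_version)
    return client.get_alias(FunctionName=function_name, Name=alias)["FunctionVersion"]


if __name__ == "__main__":
    good = FakeLambdaClient("7", healthy_versions=("8",))
    print("healthy build:", deploy(good), "PROD ->", good.aliases["PROD"])
    bad = FakeLambdaClient("7")
    print("broken build:", deploy(bad), "PROD ->", bad.aliases["PROD"])
```

Because API Gateway targets the alias, `rollback` is the whole recovery step for code-only bugs; the returned previous version should be logged by the pipeline so the on-call engineer does not have to look it up under pressure.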

Database Migrations

Database schema migrations are managed by the StackFlowPatcher Lambda, which applies migration scripts from S3. Migrations are run in order using a sequential numbering scheme. Each migration is idempotent and recorded in the schema_migrations table in Aurora to prevent re-application.

aws lambda invoke \
  --function-name StackFlowPatcher \
  --payload '{"action": "migrate", "dry_run": true}' \
  --region us-east-1 \
  output.json
cat output.json

Rollback Procedures

Lambda code rollback: update the PROD alias to point to the previous Lambda version (takes <1 second). Database rollback: run the reverse migration script from StackFlowPatcher with "action": "rollback". If a critical bug is discovered post-deployment, perform the Lambda alias rollback first, then assess whether a database rollback is needed based on what data was written by the buggy version.
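The migration runner described under Database Migrations and the reverse-script rollback described here share the same bookkeeping: a `schema_migrations` table that records which numbered scripts have been applied, consulted before every run so a re-run is a no-op. The following is an added example that is not StackFlowPatcher's code. It uses an in-memory SQLite database in place of Aurora, inlines three constructed up/down script pairs where the real system fetches numbered scripts from S3, and handles the `{"action": ..., "dry_run": ...}` payload shape shown on this page; the `steps` field for rollback is an assumption of this example.

```python
import sqlite3

# Constructed migration set: version -> (up_sql, down_sql). Each script is written to
# be safe to re-run, and the runner's bookkeeping makes the whole set idempotent.
MIGRATIONS = {
    1: ("CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)",
        "DROP TABLE IF EXISTS users"),
    2: ("CREATE TABLE IF NOT EXISTS sessions (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL)",
        "DROP TABLE IF EXISTS sessions"),
    3: ("CREATE INDEX IF NOT EXISTS sessions_user_idx ON sessions (user_id)",
        "DROP INDEX IF EXISTS sessions_user_idx"),
}


def ensure_bookkeeping(conn):
    conn.execute(
        "CREATE TABLE IF NOT EXISTS schema_migrations ("
        "version INTEGER PRIMARY KEY, "
        "applied_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)"
    )


def applied_versions(conn):
    """Versions already recorded, ascending."""
    ensure_bookkeeping(conn)
    return [row[0] for row in conn.execute(
        "SELECT version FROM schema_migrations ORDER BY version")]


def migrate(conn, migrations=MIGRATIONS, dry_run=False):
    """Apply every unapplied version in ascending order.

    Returns the versions applied (or, with dry_run, the versions that would be).
    """
    done = set(applied_versions(conn))
    pending = [v for v in sorted(migrations) if v not in done]
    if dry_run:
        return pending
    for version in pending:
        up_sql, _ = migrations[version]
        # Script and bookkeeping row commit together: a crash mid-way leaves
        # no version recorded without its schema change.
        with conn:
            conn.execute(up_sql)
            conn.execute("INSERT INTO schema_migrations (version) VALUES (?)", (version,))
    return pending


def rollback(conn, migrations=MIGRATIONS, steps=1, dry_run=False):
    """Undo the most recent `steps` applied versions, newest first, via their down scripts."""
    targets = list(reversed(applied_versions(conn)))[:steps]
    if dry_run:
        return targets
    for version in targets:
        _, down_sql = migrations[version]
        with conn:
            conn.execute(down_sql)
            conn.execute("DELETE FROM schema_migrations WHERE version = ?", (version,))
    return targets


def handle_event(conn, event, migrations=MIGRATIONS):
    """Dispatch a StackFlowPatcher-style payload such as {"action": "migrate", "dry_run": true}."""
    action = event.get("action")
    dry_run = bool(event.get("dry_run", False))
    if action == "migrate":
        versions = migrate(conn, migrations, dry_run=dry_run)
    elif action == "rollback":
        versions = rollback(conn, migrations, steps=int(event.get("steps", 1)), dry_run=dry_run)
    else:
        raise ValueError(f"unknown action: {action!r}")
    return {"action": action, "dry_run": dry_run, "versions": versions,
            "applied": applied_versions(conn)}


if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print(handle_event(db, {"action": "migrate", "dry_run": True}))
    print(handle_event(db, {"action": "migrate"}))
    print(handle_event(db, {"action": "migrate"}))          # second run applies nothing
    print(handle_event(db, {"action": "rollback"}))
```

The dry run is what the `aws lambda invoke` call in the Database Migrations section exercises: it lists pending versions without touching the schema, which is the check to make before a deployment and again before deciding whether a database rollback is needed at all.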