
Overview

The pipeline is built with GitHub Actions and deploys using AWS SAM, which packages artifacts to S3 and applies infrastructure changes through CloudFormation.
GitHub Actions

    ├── PR opened   → test → deploy QA   (API Gateway + Lambda)
    ├── Merge main  → test → deploy Staging → (approval) → deploy Production

    └── AWS SAM → CloudFormation
                      └── API Gateway REST ──(cache GET, production only)──► Lambda (Node.js 20)
                                                                                  └── Express App

Pipeline stages

| Stage | Trigger | Environment |
|---|---|---|
| test | All PRs and every push to main | |
| deploy-qa | PR opened | QA (duitama-taxi-pricing-qa) |
| deploy-staging | Merge to main | Staging (duitama-taxi-pricing-staging) |
| deploy-production | Manual approval | Production (duitama-taxi-pricing-production) |

The deploy-production stage requires manual approval in GitHub Environments before it runs. No code is deployed to production automatically.

How it works

1. test — run on every PR and push to main

The test job runs npm test (Jest) on every pull request and on every push to the main branch. All subsequent deploy jobs depend on this job passing.

2. deploy-qa — triggered when a PR is opened

When a pull request is opened, the pipeline deploys the code to the QA stack (duitama-taxi-pricing-qa) after tests pass. This gives every PR a live preview environment in API Gateway.

    sam build
    sam deploy --config-env qa

3. deploy-staging — triggered on merge to main

When a PR is merged into main, the pipeline deploys to the staging stack (duitama-taxi-pricing-staging) after tests pass.

    sam build
    sam deploy --config-env staging

4. deploy-production — requires manual approval

After staging deploys successfully, the pipeline waits for a manual approval in the GitHub Environments UI before deploying to production. Once approved:

    sam build
    sam deploy --config-env production

Production is the only environment with API Gateway caching enabled (600-second TTL on GET endpoints).

Required secrets

Add the following secrets to your GitHub repository under Settings → Secrets and variables → Actions. The pipeline reads these to authenticate with AWS during SAM deploys.

| Secret | Description |
|---|---|
| AWS_ACCESS_KEY_ID | AWS IAM access key ID |
| AWS_SECRET_ACCESS_KEY | AWS IAM secret access key |

The IAM user or role must have permissions to deploy CloudFormation stacks, manage Lambda functions, create API Gateway resources, and read/write to S3 (for SAM artifact uploads).
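
The main-branch path described above (test, then staging, then approval, then production), written out as a workflow. This is an added example, not the project's own workflow file; the file path, the environment names `staging` and `production`, the region, and the two non-interactive `sam deploy` flags are assumptions. The secrets are mapped only into the deploy jobs, so the test job that runs pull-request code never receives them.

```yaml
# Added example: assumed path .github/workflows/pipeline.yml
name: pipeline
on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read                      # the jobs only need to check out the code

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test

  deploy-staging:
    if: github.event_name == 'push'   # merges to main only, never PR code
    needs: test
    runs-on: ubuntu-latest
    environment: staging              # assumed environment name
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: us-east-1   # assumed region
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/setup-sam@v2
      - run: sam build
      - run: sam deploy --config-env staging --no-confirm-changeset --no-fail-on-empty-changeset

  deploy-production:
    needs: deploy-staging             # skipped automatically if staging did not run
    runs-on: ubuntu-latest
    environment: production           # job waits here for a required reviewer
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: us-east-1   # assumed region
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/setup-sam@v2
      - run: sam build
      - run: sam deploy --config-env production --no-confirm-changeset --no-fail-on-empty-changeset
```

The approval gate is enforced by the required-reviewers rule on the `production` environment in the repository settings; the `environment:` key alone does not pause the job if that rule is not configured.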
