deploy-scheduler.yml: Scheduler Deployment Workflow

The deploy-scheduler.yml workflow deploys the GSM EventBridge Scheduler CloudFormation stack, which manages automated start and stop schedules for the ECS services and their underlying EC2 instance. Like the infrastructure workflow, it uses GitHub OIDC to assume an AWS IAM role without static credentials. The scheduler stack controls cost by spinning down all ECS tasks and stopping the EC2 instance outside of business hours, then bringing everything back up on the configured cron expressions.

Triggers

The workflow fires on two events:

Push to the develop, quality, or main branches, but only when devops/scheduler/template.yml is modified. Unrelated commits do not trigger a re-deploy.
workflow_dispatch — allows manual execution from the GitHub Actions UI with an explicit environment input.

Trigger	Branch / Path	Resolved environment
Push	`develop` / `devops/scheduler/template.yml`	`dev`
Push	`quality` / `devops/scheduler/template.yml`	`qa`
Push	`main` / `devops/scheduler/template.yml`	`prod`
`workflow_dispatch`	Any	Value chosen in the input (default: `dev`)

Environment Variable

Variable	Value
`AWS_REGION`	`us-east-1`

Jobs

`determine-env`

Both jobs only execute when vars.WORKFLOW_SCHEDULER_ENABLED == 'true'. Setting this variable to any other value disables the scheduler workflow without deleting it, which is useful during initial environment setup.

Condition: vars.WORKFLOW_SCHEDULER_ENABLED == 'true'
Runner: ubuntu-latest
Purpose: Maps the triggering branch to a target environment string and exposes it as the environment job output.
Logic: workflow_dispatch uses the manually supplied input. Push events map main → prod, quality → qa, develop → dev (unknown branches fall back to dev).

Outputs:

Output key	Description
`environment`	Resolved environment string (`dev`, `qa`, or `prod`)

`deploy`

Condition: vars.WORKFLOW_SCHEDULER_ENABLED == 'true'
Needs: determine-env
Runner: ubuntu-latest
GitHub Environment: infra-{env} (e.g. infra-dev)
Permissions:

Permission	Level	Reason
`id-token`	`write`	Required to request the OIDC JWT for AWS role assumption
`contents`	`read`	Required to check out the repository

Deploy Job Steps

Step 1 — Checkout code

- name: Checkout code
  uses: actions/checkout@v4

Checks out the repository so the scheduler template is available on the runner.

Step 2 — Configure AWS credentials

- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: ${{ secrets.AWS_INFRA_ROLE_ARN }}
    aws-region: ${{ env.AWS_REGION }}

Exchanges the GitHub OIDC token for temporary AWS credentials by assuming the AWS_INFRA_ROLE_ARN role. The same base role used by the infrastructure workflow is reused here.

Step 3 — Deploy CloudFormation Stack

- name: Deploy CloudFormation Stack
  uses: aws-actions/aws-cloudformation-github-deploy@v1.2.0
  with:
    name: "${{ needs.determine-env.outputs.environment }}-${{ vars.APP_NAME }}-scheduler-stack"
    template: devops/scheduler/template.yml
    capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM
    region: ${{ env.AWS_REGION }}
    no-fail-on-empty-changeset: "1"

Creates or updates the scheduler CloudFormation stack. no-fail-on-empty-changeset: "1" prevents pipeline failures when the schedule expressions have not changed.Stack name pattern: {env}-{appName}-scheduler-stack (e.g. dev-gsmapplication-scheduler-stack)

Parameter Overrides

All CloudFormation parameters for the scheduler stack are sourced from repository variables:

CloudFormation Parameter	Repository Variable	Description
`Environment`	`determine-env` output	Target environment (`dev` / `qa` / `prod`)
`AppName`	`vars.APP_NAME`	Application name used in resource naming
`EC2InstanceId`	`vars.EC2_INSTANCE_ID`	ID of the EC2 instance to start/stop
`EIPAllocationId`	`vars.EC2_ELASTIC_IP_ID`	Allocation ID of the Elastic IP to associate/disassociate
`ECSClusterName`	`vars.ECS_CLUSTER`	Name of the ECS cluster containing the services
`GatewayServiceName`	`vars.GATEWAY_SERVICE_NAME`	ECS service name for the gateway container
`AuthServiceName`	`vars.AUTH_SERVICE_NAME`	ECS service name for the auth container
`ApplicationServiceName`	`vars.APPLICATION_SERVICE_NAME`	ECS service name for the application container
`OperationsServiceName`	`vars.OPERATIONS_SERVICE_NAME`	ECS service name for the operations container
`SchedulerStartExpression`	`vars.SCHEDULER_START_EXPRESSION`	EventBridge cron/rate expression for the start schedule
`SchedulerStopExpression`	`vars.SCHEDULER_STOP_EXPRESSION`	EventBridge cron/rate expression for the stop schedule

Required Repository Variables

Configure these variables under Settings → Secrets and variables → Actions → Variables:

Variable	Description
`WORKFLOW_SCHEDULER_ENABLED`	Set to `'true'` to enable this workflow; any other value skips all jobs
`APP_NAME`	Application name prefix used in all CloudFormation resource names
`EC2_INSTANCE_ID`	The EC2 instance ID that runs the ECS tasks (e.g. `i-0abc1234def56789`)
`EC2_ELASTIC_IP_ID`	Allocation ID of the Elastic IP (e.g. `eipalloc-0abc1234`)
`ECS_CLUSTER`	Full name of the ECS cluster (e.g. `dev-gsmapplication-cluster`)
`GATEWAY_SERVICE_NAME`	Full ECS service name for the gateway (e.g. `dev-gsmapplication-gateway-service`)
`AUTH_SERVICE_NAME`	Full ECS service name for auth (e.g. `dev-gsmapplication-auth-service`)
`APPLICATION_SERVICE_NAME`	Full ECS service name for application (e.g. `dev-gsmapplication-application-service`)
`OPERATIONS_SERVICE_NAME`	Full ECS service name for operations (e.g. `dev-gsmapplication-operations-service`)
`SCHEDULER_START_EXPRESSION`	EventBridge cron for start (e.g. `cron(0 8 ? * MON-FRI *)`)
`SCHEDULER_STOP_EXPRESSION`	EventBridge cron for stop (e.g. `cron(0 20 ? * MON-FRI *)`)

Required Secret

Secret	Description
`AWS_INFRA_ROLE_ARN`	ARN of the IAM role to assume via OIDC (shared with the infrastructure workflow)

AWS_INFRA_ROLE_ARN must be stored as an Actions secret scoped to the infra-{env} GitHub Environment. The IAM role’s trust policy allows assumption only from the infra-* environment token claim, so the secret must live there — not at the repository level.

Full Workflow YAML

name: Deploy Scheduler
on:
  push:
    branches: ["develop", "quality", "main"]
    paths:
      - "devops/scheduler/template.yml"
  workflow_dispatch:
    inputs:
      environment:
        description: 'Environment (dev/qa/prod)'
        default: 'dev'

env:
  AWS_REGION: us-east-1

jobs:
  determine-env:
    if: ${{ vars.WORKFLOW_SCHEDULER_ENABLED == 'true' }}
    name: Determine Environment
    runs-on: ubuntu-latest
    outputs:
      environment: ${{ steps.set-env.outputs.environment }}
    steps:
      - name: Set Environment
        id: set-env
        run: |
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            ENV="${{ github.event.inputs.environment }}"
          else
            BRANCH="${{ github.ref_name }}"
            if [ "$BRANCH" = "main" ]; then
              ENV="prod"
            elif [ "$BRANCH" = "quality" ]; then
              ENV="qa"
            elif [ "$BRANCH" = "develop" ]; then
              ENV="dev"
            else
              ENV="dev"
            fi
          fi
          echo "environment=$ENV" >> $GITHUB_OUTPUT
          echo "Deploying $ENV-gsmapplication-scheduler-stack"
  
  deploy:
    if: ${{ vars.WORKFLOW_SCHEDULER_ENABLED == 'true' }}
    name: Deploy Scheduler
    needs: determine-env
    runs-on: ubuntu-latest
    environment: infra-${{ needs.determine-env.outputs.environment }}
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_INFRA_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}
      
      - name: Deploy CloudFormation Stack
        uses: aws-actions/aws-cloudformation-github-deploy@v1.2.0
        with:
          name: "${{ needs.determine-env.outputs.environment }}-${{ vars.APP_NAME }}-scheduler-stack"
          template: devops/scheduler/template.yml
          capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM
          region: ${{ env.AWS_REGION }}
          parameter-overrides: >-
            Environment="${{ needs.determine-env.outputs.environment }}",
            AppName="${{ vars.APP_NAME }}",
            EC2InstanceId="${{ vars.EC2_INSTANCE_ID }}",
            EIPAllocationId="${{ vars.EC2_ELASTIC_IP_ID }}",
            ECSClusterName="${{ vars.ECS_CLUSTER }}",
            GatewayServiceName="${{ vars.GATEWAY_SERVICE_NAME }}",
            AuthServiceName="${{ vars.AUTH_SERVICE_NAME }}",
            ApplicationServiceName="${{ vars.APPLICATION_SERVICE_NAME }}",
            OperationsServiceName="${{ vars.OPERATIONS_SERVICE_NAME }}",
            SchedulerStartExpression="${{ vars.SCHEDULER_START_EXPRESSION }}",
            SchedulerStopExpression="${{ vars.SCHEDULER_STOP_EXPRESSION }}"
          no-fail-on-empty-changeset: "1"

CloudFormation Stacks

GitHub Actions Workflows

AWS Services

deploy-scheduler.yml: Scheduler Deployment Workflow

Triggers

Environment Variable

Jobs

`determine-env`

`deploy`

Deploy Job Steps

Parameter Overrides

Required Repository Variables

Required Secret

Full Workflow YAML

Build docs developers (and LLMs) love

CloudFormation Stacks

GitHub Actions Workflows

AWS Services

Documentation Index

​Triggers

​Environment Variable

​Jobs

​determine-env

​deploy

​Deploy Job Steps

​Parameter Overrides

​Required Repository Variables

​Required Secret

​Full Workflow YAML

Build docs developers (and LLMs) love

Triggers

Environment Variable

Jobs

`determine-env`

`deploy`

Deploy Job Steps

Parameter Overrides

Required Repository Variables

Required Secret

Full Workflow YAML