Agent 2: GitHub Actions CI/CD (.github/workflows/) #2
Description
Objective
Create 4 GitHub Actions workflow files for CI/CD — infrastructure deployment, container image builds, portal deployment, and PR validation.
Scope
Files to create (ALL in .github/workflows/ — do NOT touch any other directory):
1. .github/workflows/infra.yml — Infrastructure Deployment
- Triggers: push to
main(paths:infra/**), workflow_dispatch with environment input (dev/prod) - Auth: OIDC workload identity federation (azure/login with client-id, tenant-id, subscription-id from secrets)
- Steps: checkout → azure/login → terraform init (backend-config from environment) → terraform plan → terraform apply (only on main, not PRs)
- PR behavior:
terraform planoutput posted as PR comment (use actions/github-script) - Concurrency:
group: terraform-{environment}, cancel-in-progress: false
2. .github/workflows/container-image.yml — Multi-Arch Docker Build
- Triggers: push to
main(paths:Dockerfile,entrypoint.sh,agentbox,tools/**), workflow_dispatch - Steps: checkout → docker/setup-buildx-action → docker/setup-qemu-action → docker/login-action (ghcr.io, GITHUB_TOKEN) → docker/build-push-action (platforms: linux/amd64,linux/arm64, tags: latest + sha-{commit})
- Cache: GitHub Actions cache (type=gha)
3. .github/workflows/portal.yml — Portal Build + Deploy
- Triggers: push to
main(paths:src/portal/**), workflow_dispatch - Steps: checkout → setup-dotnet (10.0) → setup-node (22) → npm ci + npm run build (ClientApp) → dotnet restore → dotnet build → dotnet test → dotnet publish → docker build (portal Dockerfile) → push to GHCR → azure/login (OIDC) → az containerapp update
- Concurrency: portal-deploy
4. .github/workflows/pr-checks.yml — PR Validation
- Triggers: pull_request to
main - Jobs (parallel):
terraform: init → validate → fmt -check → plan (comment on PR)dotnet: restore → build → testdocker: build --no-push (both Dockerfile and portal Dockerfile)
Key Design Decisions
- OIDC auth everywhere — no stored Azure secrets, workload identity federation
- GHCR for all images — both agentbox container and portal, using GITHUB_TOKEN
- Matrix builds not needed yet (single Dockerfile target)
- Portal workflow installs Node.js for the React frontend build step before dotnet publish
- All workflows use
permissions: id-token: write, contents: readfor OIDC
Conflict Prevention
This agent works ONLY in .github/workflows/. No other agent touches this directory.
Acceptance Criteria
- All 4 YAML files are valid GitHub Actions syntax
- OIDC auth configured correctly (azure/login@v2)
- Container image workflow builds linux/amd64 + linux/arm64
- PR checks run terraform validate + dotnet build + docker build
- Proper path filters so workflows only trigger on relevant changes