CI/CD pipeline platform¶
| Field | Value |
|---|---|
| ID | MOD-156 |
| System | SD07 |
| Repo | bank-platform |
| Build status | Deployed |
| Deployed | Yes |
| Last commit | 9f092d2 |
Purpose¶
MOD-156 is the CI/CD platform that governs how every module in every code repository is built, tested, and deployed. It provides two reusable GitHub Actions workflow templates, a wiki-driven workflow generator, cross-repo build ordering via repository_dispatch, and the GitHub configuration (Environments, branch protection, OIDC federation) that enforces the bank's change and deployment standards across all eight repositories.
Without this module, each code repository would need its own bespoke pipeline configuration, build-sequence dependencies would be undocumented, and the audit trail required by DT-007 and OPS-006 would be incomplete.
Architecture¶
```
bank-wiki (source of truth)
├── source/entities/modules/*.yaml      ← dependency graph, build sequence
└── scripts/generate-workflows.py       ← emits per-repo workflow YAML files
        │
        ▼
bank-platform/
  .github/
    workflows/reusable-lambda.yml       ← template for Lambda modules
    workflows/reusable-iac.yml          ← template for IaC modules
        │
        ├── called by ─────────────────► bank-core/.github/workflows/
        │                                bank-kyc/.github/workflows/
        │                                bank-aml/.github/workflows/
        │                                bank-payments/.github/workflows/
        │                                bank-credit/.github/workflows/
        │                                bank-risk-platform/.github/workflows/
        │                                bank-app/.github/workflows/
        │                                bank-platform/.github/workflows/
        │
        └── update-wiki.py (on Built)
              └── repository_dispatch ──► downstream dependent repos
```
Reusable templates¶
Two GitHub Actions reusable workflows live in bank-platform/.github/workflows/:
- reusable-lambda.yml — for Lambda-type modules. Parameters: module_id, module_dir, node_version, stage. Steps: npm install, TypeScript typecheck, unit tests (≥80% coverage gate), integration tests (RUN_INTEGRATION=1), SST deploy via OIDC role, update-wiki.py status push.
- reusable-iac.yml — for IaC-only modules. Parameters: module_id, module_dir, stage. Steps: npm install, SST drift detection on PR (sst diff), SST deploy on merge, SSM output verification, update-wiki.py status push.
Workflow generation¶
scripts/generate-workflows.py in bank-wiki reads every source/entities/modules/*.yaml, resolves the dependency graph into a phase-ordered DAG (matching the build sequence in source/pages/delivery/build-sequence.md), and emits one workflow YAML file per module per repo. Within a phase, independent modules run as parallel jobs. Between phases, jobs are gated on the completion of all modules in the preceding phase.
The generator is re-run whenever compile.py produces a new module YAML. Generated files are committed to the code repos by the operator.
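The generation step described above, as an added example; this is not the wiki's own generate-workflows.py. It resolves module dependency declarations into build phases (Kahn's algorithm, so a cycle or an unknown dependency fails the run instead of silently producing a wrong order) and emits one caller workflow per module per repo. The module ids, repos and directories are constructed, the GitHub owner is a placeholder, and the node_version value and the repository_dispatch event_type name are assumptions.

```python
# Added example (not the wiki's generate-workflows.py). Module records, owner,
# node version and event_type name below are constructed or assumed.

OWNER = "ORG-PLACEHOLDER"   # assumption: GitHub organisation that owns the repos
NODE_VERSION = "20"         # assumption: node_version passed to reusable-lambda.yml

# Constructed stand-in for the parsed contents of source/entities/modules/*.yaml.
MODULES = [
    {"id": "MOD-104", "repo": "bank-platform", "dir": "infra/bootstrap", "type": "iac", "dependencies": []},
    {"id": "MOD-076", "repo": "bank-platform", "dir": "infra/observability", "type": "iac", "dependencies": ["MOD-104"]},
    {"id": "MOD-201", "repo": "bank-core", "dir": "services/ledger", "type": "lambda", "dependencies": ["MOD-104", "MOD-076"]},
    {"id": "MOD-202", "repo": "bank-core", "dir": "services/accounts", "type": "lambda", "dependencies": ["MOD-104"]},
]


def phase_order(modules):
    """Kahn's algorithm over the dependency graph. Phase N holds every module whose
    dependencies all sit in earlier phases, so modules inside one phase are independent
    and may build in parallel. Unknown dependencies and cycles are rejected loudly."""
    by_id = {m["id"]: m for m in modules}
    indegree = {mid: 0 for mid in by_id}
    dependents = {mid: [] for mid in by_id}
    for m in modules:
        for dep in m["dependencies"]:
            if dep not in by_id:
                raise ValueError(f"{m['id']} depends on unknown module {dep}")
            indegree[m["id"]] += 1
            dependents[dep].append(m["id"])
    phases = []
    current = sorted(mid for mid, deg in indegree.items() if deg == 0)
    while current:
        phases.append(current)
        ready = []
        for mid in current:
            for child in dependents[mid]:
                indegree[child] -= 1
                if indegree[child] == 0:
                    ready.append(child)
        current = sorted(ready)
    if sum(len(p) for p in phases) != len(modules):
        raise ValueError("dependency cycle detected; build sequence is undefined")
    return phases


def is_buildable(modules):
    """True when the graph resolves to a phase order (no cycles, no unknown deps)."""
    try:
        phase_order(modules)
        return True
    except ValueError:
        return False


def render_workflow(module, phase):
    """Emit the caller workflow text for one module. Cross-repo ordering is not expressed
    with `needs` here; it comes from the repository_dispatch readiness gate."""
    template = "reusable-lambda.yml" if module["type"] == "lambda" else "reusable-iac.yml"
    lines = [
        f"# generated by the MOD-156 generator (phase {phase}); hand edits are non-compliant",
        f"name: {module['id']}",
        "on:",
        "  push:",
        "    branches: [main]",
        f"    paths: ['{module['dir']}/**']",
        "  repository_dispatch:",
        "    types: [module-built]",   # assumption: event_type fired by update-wiki.py
        "permissions:",
        "  id-token: write   # needed to request the OIDC token for the AWS role",
        "  contents: read",
        "jobs:",
        "  build:",
        f"    uses: {OWNER}/bank-platform/.github/workflows/{template}@main",
        "    with:",
        f"      module_id: {module['id']}",
        f"      module_dir: {module['dir']}",
        "      stage: dev",
    ]
    if module["type"] == "lambda":
        lines.append(f"      node_version: '{NODE_VERSION}'")
    return "\n".join(lines) + "\n"


def generate_all(modules):
    """Return {(repo, filename): workflow_text}; filenames follow mod-NNN-<dir-slug>.yml."""
    phases = phase_order(modules)
    phase_of = {mid: i for i, phase in enumerate(phases) for mid in phase}
    output = {}
    for m in modules:
        number = m["id"].split("-", 1)[1]
        slug = m["dir"].rsplit("/", 1)[-1]
        output[(m["repo"], f"mod-{number}-{slug}.yml")] = render_workflow(m, phase_of[m["id"]])
    return output


if __name__ == "__main__":
    for (repo, filename), text in generate_all(MODULES).items():
        print(f"--- {repo}/.github/workflows/{filename}")
        print(text)
```

The generated caller grants only `id-token: write` and `contents: read`, which is the minimum a workflow that authenticates to AWS via OIDC needs; anything broader would have to be justified in the reusable template itself.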
Cross-repo ordering (repository_dispatch)¶
scripts/update-wiki.py is extended (FR-736) to fire a repository_dispatch event to the GitHub repositories of all modules that declare the just-Built module as a dependency. The payload carries the module_id and the new build_status. The receiving repo's generated workflow re-evaluates its readiness gate and begins its own pipeline if all dependencies are now Built.
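Both halves of the exchange above, as an added example that is not the wiki's update-wiki.py or any generated workflow: the dispatching side works out which downstream repos need a repository_dispatch and builds the GitHub API call (constructed here, not sent), and the receiving side re-evaluates its readiness gate, rejecting a payload that names an unknown module or an unknown status so that a malformed event can never open the gate. The module ids, repos and status snapshot are constructed; the owner, token, event_type name and status vocabulary are placeholders or assumptions.

```python
# Added example (not the wiki's update-wiki.py). Owner, token, event_type name and
# the status vocabulary are assumptions; the module snapshot is constructed.
import json
import urllib.request

OWNER = "ORG-PLACEHOLDER"
EVENT_TYPE = "module-built"                                 # assumed event_type name
VALID_STATUSES = {"Pending", "Building", "Built", "Failed"}  # assumed build_status values

# Constructed snapshot of dependencies and build_status read from the module YAMLs.
MODULES = {
    "MOD-104": {"repo": "bank-platform", "dependencies": [], "build_status": "Built"},
    "MOD-076": {"repo": "bank-platform", "dependencies": ["MOD-104"], "build_status": "Building"},
    "MOD-201": {"repo": "bank-core", "dependencies": ["MOD-104", "MOD-076"], "build_status": "Pending"},
    "MOD-202": {"repo": "bank-core", "dependencies": ["MOD-104"], "build_status": "Pending"},
}


def dependents_of(module_id, modules):
    """Modules that declare module_id as a dependency."""
    return sorted(mid for mid, m in modules.items() if module_id in m["dependencies"])


def dispatch_plan(module_id, modules):
    """One dispatch per distinct downstream repo. The payload carries only the
    module_id and its new build_status, nothing the receiver has to trust beyond that."""
    payload = {
        "event_type": EVENT_TYPE,
        "client_payload": {"module_id": module_id, "build_status": modules[module_id]["build_status"]},
    }
    repos = sorted({modules[d]["repo"] for d in dependents_of(module_id, modules)})
    return [(repo, payload) for repo in repos]


def build_request(repo, payload, token):
    """POST /repos/{owner}/{repo}/dispatches (GitHub REST API). Built but not sent here;
    `token` is whatever short-lived credential the operator's tooling holds (assumption)."""
    return urllib.request.Request(
        f"https://api.github.com/repos/{OWNER}/{repo}/dispatches",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def readiness_gate(module_id, modules):
    """Receiving side: (ready, blocking) where blocking lists dependencies not yet Built."""
    blocking = [d for d in modules[module_id]["dependencies"]
                if modules.get(d, {}).get("build_status") != "Built"]
    return (not blocking, blocking)


def on_dispatch(payload, module_id, modules):
    """Handle an incoming event without trusting it blindly: an unknown sender module
    or an out-of-vocabulary status is rejected, so a malformed event never opens the gate.
    Returns (ready, blocking, updated_modules) and leaves the input snapshot untouched."""
    cp = payload.get("client_payload", {})
    sender, status = cp.get("module_id"), cp.get("build_status")
    if sender not in modules or status not in VALID_STATUSES:
        return (False, ["rejected: malformed dispatch payload"], modules)
    updated = {**modules, sender: {**modules[sender], "build_status": status}}
    ready, blocking = readiness_gate(module_id, updated)
    return (ready, blocking, updated)


if __name__ == "__main__":
    for repo, payload in dispatch_plan("MOD-104", MODULES):
        print(build_request(repo, payload, "TOKEN-PLACEHOLDER").full_url, json.dumps(payload))
    print(readiness_gate("MOD-201", MODULES))
```

The gate re-reads every dependency's status rather than only the one named in the payload, so a dispatch for MOD-076 cannot start MOD-201 while MOD-104 has since regressed to Failed.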
GitHub configuration¶
OIDC federation (FR-739)¶
All eight repositories use GitHub Actions OIDC to assume the AWS IAM role at /bank/{env}/iam/cicd/arn (provisioned by MOD-104). No long-lived AWS credentials are stored as GitHub Secrets. The OIDC trust policy is scoped to the specific repo and branch using the sub claim.
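The sub-claim scoping described above, as an added example rather than MOD-104's actual trust policy: it builds an IAM trust policy that pins the CI role to the named repositories on one branch, models the STS decision for a given set of token claims, and lints a policy for the scoping mistakes a reviewer looks for (no aud pin, no sub condition, or a wildcard sub). The AWS account id and GitHub owner are placeholders; the weak policy at the end is constructed only so the linter has something to catch.

```python
# Added example (not MOD-104's real trust policy). Account id and owner are placeholders.
import fnmatch

OIDC_ISSUER = "token.actions.githubusercontent.com"   # GitHub Actions OIDC issuer host
ACCOUNT_ID = "123456789012"                           # placeholder AWS account id
OWNER = "ORG-PLACEHOLDER"                             # placeholder GitHub organisation
REPOS = ["bank-core", "bank-kyc", "bank-aml", "bank-payments",
         "bank-credit", "bank-risk-platform", "bank-app", "bank-platform"]


def trust_policy(repos, branch="main"):
    """Exact-match sub values, one per repo, all on the protected branch. A list under
    StringEquals for a single-valued key is evaluated as OR by IAM."""
    subs = [f"repo:{OWNER}/{r}:ref:refs/heads/{branch}" for r in repos]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{OIDC_ISSUER}:aud": "sts.amazonaws.com",
                                 f"{OIDC_ISSUER}:sub": subs},
            },
        }],
    }


# Constructed weak variant: a wildcard sub that any workflow in the org, on any branch
# or pull request, would satisfy. Here only so the linter below has something to flag.
WEAK_POLICY = trust_policy([])
WEAK_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {f"{OIDC_ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{OIDC_ISSUER}:sub": f"repo:{OWNER}/*"},
}


def assume_allowed(policy, claims):
    """Model of the STS decision for AssumeRoleWithWebIdentity: every condition in an
    Allow statement must match the token's claims."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        matched = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, wanted in keys.items():
                claim = claims.get(key.split(":", 1)[1])   # "<issuer>:sub" -> claims["sub"]
                values = wanted if isinstance(wanted, list) else [wanted]
                if operator == "StringEquals":
                    matched = matched and claim in values
                elif operator == "StringLike":
                    matched = matched and claim is not None and any(
                        fnmatch.fnmatchcase(claim, v) for v in values)
                else:
                    raise ValueError(f"operator {operator} not modelled")
        if matched:
            return True
    return False


def lint_sub_scope(policy):
    """Findings a reviewer would raise: aud not pinned, no sub condition at all, or a sub
    value that is not pinned to exactly one repo and one branch."""
    findings = []
    for stmt in policy["Statement"]:
        subs, auds = [], []
        for keys in stmt.get("Condition", {}).values():
            for key, wanted in keys.items():
                bucket = subs if key.endswith(":sub") else auds if key.endswith(":aud") else []
                bucket.extend(wanted if isinstance(wanted, list) else [wanted])
        if not auds:
            findings.append("aud not pinned to sts.amazonaws.com")
        if not subs:
            findings.append("no sub condition: any token from the provider is accepted")
        for s in subs:
            if "*" in s or ":ref:refs/heads/" not in s:
                findings.append(f"sub not pinned to one repo and branch: {s}")
    return findings


if __name__ == "__main__":
    print(lint_sub_scope(trust_policy(REPOS)))
    print(lint_sub_scope(WEAK_POLICY))
```

A token minted for a pull_request event carries `repo:<owner>/<repo>:pull_request` as its sub, which the exact-match policy rejects; that is the property that keeps an unreviewed PR branch from deploying with the CI role.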
GitHub Environments (FR-737)¶
Three environments are configured on all eight repositories:
| Environment | Approval requirement |
|---|---|
| dev | None — ungated |
| uat | One approver from platform-leads team |
| prod | Two approvers from platform-leads team |
Branch protection (FR-738)¶
The main branch of every repository is protected:
- All CI status checks defined in the generated workflow must pass
- Minimum one approving human review required per PR
- Stale review approvals dismissed on new commits
- No direct push to main for any identity (including admins)
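The four protection rules above, turned into an audit as an added example (this is not the generator's own GitHub API code): it walks a per-repo snapshot of main's protection settings and reports every deviation, including a repo with no rule at all. The snapshot field names mirror the GitHub branch-protection REST response (an assumption about that shape); the repo names, check names and settings are constructed.

```python
# Added example (not the generator's code). Snapshot shape is an assumption about the
# GitHub branch-protection response; repo names, check names and values are constructed.
REQUIRED_CHECKS = {"ci/typecheck", "ci/unit-tests", "ci/integration-tests"}  # constructed names

# Constructed snapshots: one compliant repo, one drifted repo, one with no rule at all.
SNAPSHOTS = {
    "bank-core": {
        "required_status_checks": {"contexts": sorted(REQUIRED_CHECKS)},
        "required_pull_request_reviews": {"required_approving_review_count": 1,
                                          "dismiss_stale_reviews": True},
        "enforce_admins": {"enabled": True},
    },
    "bank-app": {
        "required_status_checks": {"contexts": ["ci/typecheck", "ci/unit-tests"]},
        "required_pull_request_reviews": {"required_approving_review_count": 1,
                                          "dismiss_stale_reviews": False},
        "enforce_admins": {"enabled": False},
    },
    "bank-kyc": None,
}


def audit_branch_protection(repo, snapshot, required_checks=REQUIRED_CHECKS):
    """Return the list of FR-738 deviations for one repo; empty means compliant."""
    if snapshot is None:
        return [f"{repo}: main has no protection rule at all"]
    findings = []
    contexts = set((snapshot.get("required_status_checks") or {}).get("contexts", []))
    missing = required_checks - contexts
    if missing:
        findings.append(f"{repo}: status checks not required: {sorted(missing)}")
    reviews = snapshot.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append(f"{repo}: no approving human review required")
    if not reviews.get("dismiss_stale_reviews", False):
        findings.append(f"{repo}: stale approvals survive new commits")
    if not (snapshot.get("enforce_admins") or {}).get("enabled", False):
        findings.append(f"{repo}: admins may push directly to main")
    return findings


def audit_all(snapshots):
    """{repo: findings} for every non-compliant repo; compliant repos are omitted."""
    report = {}
    for repo, snapshot in snapshots.items():
        findings = audit_branch_protection(repo, snapshot)
        if findings:
            report[repo] = findings
    return report


if __name__ == "__main__":
    for repo, findings in audit_all(SNAPSHOTS).items():
        print(repo, *findings, sep="\n  ")
```

Treating a missing rule as a finding matters more than any individual check: a freshly created repository has no protection at all, which is exactly the state DT-010 says must never be reached by hand.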
Policy compliance¶
DT-007 (GATE): the CI pipeline is the single mandatory path to any deployed environment. The generated workflows contain no bypass flags and no skip conditions.
DT-010 (AUTO): environments and protection rules are emitted from the generator and applied via GitHub API; no engineer manually configures an environment.
OPS-006 (LOG): GitHub Actions produces an immutable workflow run log per execution. update-wiki.py additionally writes a structured entry to the bank-wiki commit history on every status change, creating a cross-repository audit trail.
Outputs consumed by other modules¶
| Output | Purpose |
|---|---|
| bank-platform/.github/workflows/reusable-lambda.yml | Called by every Lambda module workflow |
| bank-platform/.github/workflows/reusable-iac.yml | Called by every IaC module workflow |
| {repo}/.github/workflows/mod-NNN-*.yml (generated) | Per-module CI/CD pipeline |
Constraints¶
- Generated workflow files are the only permitted CI configuration for bank modules. Hand-written workflows that bypass the reusable templates are non-compliant with DT-010.
- The generate-workflows.py script must be re-run and the generated files committed whenever a module's dependencies change in the wiki.
- MOD-104 must be deployed before any generated workflow can authenticate. The generated workflows enforce this via the OIDC role lookup rather than hard-coded credentials.
Module dependencies¶
Depends on¶
| Module | Title | Required? | Contract | Reason |
|---|---|---|---|---|
| MOD-104 | AWS shared infrastructure bootstrap | Required | — | AWS OIDC provider and CI/CD IAM role are provisioned by MOD-104 and must exist before any repository workflow can authenticate against AWS. |
| MOD-076 | Observability platform | Required | — | ADOT observability layer ARN is read from MOD-076 SSM outputs and embedded in generated Lambda workflow templates. |
Required by¶
| Module | Title | As | Contract |
|---|---|---|---|
| MOD-169 | Public website | Hard dependency | — |
Policies satisfied¶
| Policy | Title | Mode | How |
|---|---|---|---|
| DT-007 | Change and release management | GATE | No module may be deployed to any environment without the CI pipeline passing all mandated checks — no manual bypass path exists. |
| DT-010 | Environments and deployment standards | AUTO | GitLab Environments, protected branch rules, and OIDC role bindings are automatically provisioned from source-controlled config — no manual environment configuration is permitted. |
| OPS-006 | Change Management Policy | LOG | Every pipeline execution, approval gate decision, and environment promotion is logged as an immutable event linked to the triggering commit and approver identity. |
Capabilities satisfied¶
(No capabilities mapped)
Part of SD07 — Data Platform & Governance Infrastructure
Compiled 2026-05-22 from source/entities/modules/MOD-156.yaml