Repo & Pipeline Setup

Already completed. This was done during initial CampusCore setup. You only need this if you're re-creating the GitHub repo or changing the admin account.

This page describes how the GitHub repository's repo-level secrets and variables are configured. They are shared across all client environments.


Prerequisites


Set Repo-Level Secrets

# Admin role ARN — allows the deploy workflow to authenticate via OIDC
gh secret set ADMIN_AWS_ROLE_ARN --body "arn:aws:iam::774222656146:role/CampusCore-Admin-Role"

# Initial superuser — created automatically on first deploy for each client
# This is always the CampusCore team's admin account, shared across all environments
gh secret set DJANGO_SUPERUSER_EMAIL --body "admin@campus-core.ai"
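# Note: a value passed via --body is recorded in shell history; running the command without --body makes gh prompt for it instead
gh secret set DJANGO_SUPERUSER_PASSWORD --body "<strong-password>"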

Set Repo-Level Variables

# Route53 hosted zone ID for campuscoreai.com — shared across all environments
gh variable set CAMPUSCORE_HOSTED_ZONE_ID --body "Z03938461UVED2L50LENJ"

How the Pipeline Uses These

The deploy workflow (.github/workflows/deploy-aws.yml) uses a two-role authentication model:

1. GitHub Actions authenticates via OIDC → assumes CampusCore-Admin-Role (admin account)
2. Initializes Terraform backend (reads/writes state in campuscore-tfstate-{client})
3. Chains into client's CampusCore-Deploy-Role via sts:AssumeRole
4. Provisions infrastructure in client's account (ECS, RDS, S3, etc.)
5. Returns to admin role for Terraform state writes

Repo-Level vs Environment-Level

| Level | Name | Type | Purpose |
|---|---|---|---|
| Repo | ADMIN_AWS_ROLE_ARN | Secret | Our admin account's IAM role (OIDC auth) |
| Repo | DJANGO_SUPERUSER_EMAIL | Secret | Initial admin email (created on first deploy) |
| Repo | DJANGO_SUPERUSER_PASSWORD | Secret | Initial admin password |
| Repo | CAMPUSCORE_HOSTED_ZONE_ID | Variable | Route53 hosted zone ID for campuscoreai.com |
| Environment | AWS_ROLE_ARN | Variable | Client's deploy role ARN (per-client) |
| Environment | TF_STATE_BUCKET | Variable | S3 bucket for this client's Terraform state |
| Environment | AWS_REGION | Variable | AWS region (defaults to us-east-1) |
| Environment | All secrets | Secrets | DB creds, API keys, etc. (per-client) |

Environment-level configuration is set up per-client in Step 02 — Pipeline Setup.


Verify the Pipeline Configuration

After setting the secrets and variables, verify that they are listed (gh secret list shows names only, never values):

# List repo-level secrets (should show ADMIN_AWS_ROLE_ARN, DJANGO_SUPERUSER_EMAIL, DJANGO_SUPERUSER_PASSWORD)
gh secret list

# List repo-level variables (should show CAMPUSCORE_HOSTED_ZONE_ID)
gh variable list
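
A scripted version of this check, as an added example that is not part of the CampusCore repository: it fails when any repo-level name from this page is missing, so it can run as a preflight before a deploy. The function names and the sample listing are hypothetical, and it assumes each listing line starts with the entry name, as in gh's non-interactive output.

```bash
#!/usr/bin/env bash
# Added example, not CampusCore's own code. Names below are the repo-level
# entries this page sets.
REQUIRED_SECRETS="ADMIN_AWS_ROLE_ARN DJANGO_SUPERUSER_EMAIL DJANGO_SUPERUSER_PASSWORD"
REQUIRED_VARIABLES="CAMPUSCORE_HOSTED_ZONE_ID"

# Constructed sample of `gh secret list` output (name, tab, timestamp).
# It deliberately holds a near-miss name instead of ADMIN_AWS_ROLE_ARN.
SAMPLE_SECRET_LISTING=$(printf '%s\t%s\n' \
  ADMIN_AWS_ROLE_ARN_OLD 2024-01-01T00:00:00Z \
  DJANGO_SUPERUSER_EMAIL 2024-01-01T00:00:00Z \
  DJANGO_SUPERUSER_PASSWORD 2024-01-01T00:00:00Z)

# missing_names "<required names>" "<listing text>"
# Prints every required name that is not the first field of some listing line.
# The comparison is exact, so a similarly named entry does not count.
missing_names() {
  required=$1
  listing=$2
  for name in $required; do
    if ! printf '%s\n' "$listing" |
         awk -v n="$name" '$1 == n { found = 1 } END { exit !found }'; then
      printf '%s\n' "$name"
    fi
  done
}

# check_repo_config: queries the current repository through an authenticated gh.
# Returns 0 when everything is present, 1 when something is missing,
# 2 when gh itself fails (not logged in, wrong directory, no network).
check_repo_config() {
  secrets=$(gh secret list) || return 2
  variables=$(gh variable list) || return 2
  missing=$(missing_names "$REQUIRED_SECRETS" "$secrets"
            missing_names "$REQUIRED_VARIABLES" "$variables")
  if [ -n "$missing" ]; then
    printf 'missing repo-level entries:\n%s\n' "$missing" >&2
    return 1
  fi
  echo "repo-level secrets and variables are present"
}
```

Source the file and run `check_repo_config` from inside the repository checkout; `missing_names` can be tried offline against `SAMPLE_SECRET_LISTING`.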

See also: Admin Account Setup