Repo & Pipeline Setup
Already completed. This was done during initial CampusCore setup. You only need this if you're re-creating the GitHub repo or changing the admin account.
This page describes how the GitHub repository's repo-level secrets and variables are configured. These are shared across all client environments.
Prerequisites
- Admin role ARN from Admin Account Setup
Set Repo-Level Secrets
```bash
# Admin role ARN — allows the deploy workflow to authenticate via OIDC
gh secret set ADMIN_AWS_ROLE_ARN --body "arn:aws:iam::774222656146:role/CampusCore-Admin-Role"
# Initial superuser — created automatically on first deploy for each client
# This is always the CampusCore team's admin account, shared across all environments
gh secret set DJANGO_SUPERUSER_EMAIL --body "admin@campus-core.ai"
# A value passed with --body is recorded in shell history; if --body is omitted,
# gh prompts for the value instead
gh secret set DJANGO_SUPERUSER_PASSWORD --body "<strong-password>"
```
Set Repo-Level Variables
```bash
# Route53 hosted zone ID for campuscoreai.com — shared across all environments
gh variable set CAMPUSCORE_HOSTED_ZONE_ID --body "Z03938461UVED2L50LENJ"
```
How the Pipeline Uses These
The deploy workflow (.github/workflows/deploy-aws.yml) uses a two-role authentication model:
1. GitHub Actions authenticates via OIDC → assumes CampusCore-Admin-Role (admin account)
2. Initializes Terraform backend (reads/writes state in campuscore-tfstate-{client})
3. Chains into client's CampusCore-Deploy-Role via sts:AssumeRole
4. Provisions infrastructure in client's account (ECS, RDS, S3, etc.)
5. Returns to admin role for Terraform state writes
Repo-Level vs Environment-Level
| Level | Name | Type | Purpose |
|---|---|---|---|
| Repo | ADMIN_AWS_ROLE_ARN | Secret | Our admin account's IAM role (OIDC auth) |
| Repo | DJANGO_SUPERUSER_EMAIL | Secret | Initial admin email (created on first deploy) |
| Repo | DJANGO_SUPERUSER_PASSWORD | Secret | Initial admin password |
| Repo | CAMPUSCORE_HOSTED_ZONE_ID | Variable | Route53 hosted zone ID for campuscoreai.com |
| Environment | AWS_ROLE_ARN | Variable | Client's deploy role ARN (per-client) |
| Environment | TF_STATE_BUCKET | Variable | S3 bucket for this client's Terraform state |
| Environment | AWS_REGION | Variable | AWS region (defaults to us-east-1) |
| Environment | All secrets | Secrets | DB creds, API keys, etc. (per-client) |
Environment-level configuration is set up per-client in Step 02 — Pipeline Setup.
Verify the Pipeline Configuration
After setting the secrets and variables, confirm they are listed (gh secret list shows names only, never values):
```bash
# List repo-level secrets (should show ADMIN_AWS_ROLE_ARN, DJANGO_SUPERUSER_EMAIL, DJANGO_SUPERUSER_PASSWORD)
gh secret list
# List repo-level variables (should show CAMPUSCORE_HOSTED_ZONE_ID)
gh variable list
```
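A preflight check for the verification step above, as an added example that is not part of the CampusCore repository: it compares the NAME column of the two gh listings with the repo-level names from the table, and also flags any secret name that was created as a variable, where its value would be stored readable. The function names and the CHECK_LIVE switch are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not CampusCore's own code. Names come from the table on this page.
EXPECTED_SECRETS="ADMIN_AWS_ROLE_ARN DJANGO_SUPERUSER_EMAIL DJANGO_SUPERUSER_PASSWORD"
EXPECTED_VARIABLES="CAMPUSCORE_HOSTED_ZONE_ID"

# first_column "<listing>": NAME column of `gh secret list` / `gh variable list` output
first_column() { printf '%s\n' "$1" | awk 'NF { print $1 }'; }

# missing_names "<expected names>" "<listing>"
# Prints every expected name that is not listed; returns 1 if any is missing.
missing_names() {
  _rc=0
  _present=$(first_column "$2")
  for _n in $1; do
    printf '%s\n' "$_present" | grep -qxF -- "$_n" || { printf '%s\n' "$_n"; _rc=1; }
  done
  return $_rc
}

# misplaced_secrets "<secret names>" "<variable listing>"
# Prints secret names that exist as variables (variable values are readable
# in plain text); returns 1 if any is found.
misplaced_secrets() {
  _rc=0
  _present=$(first_column "$2")
  for _n in $1; do
    if printf '%s\n' "$_present" | grep -qxF -- "$_n"; then printf '%s\n' "$_n"; _rc=1; fi
  done
  return $_rc
}

# check_repo_config "<secret listing>" "<variable listing>": run all checks
check_repo_config() {
  _fail=0
  _out=$(missing_names "$EXPECTED_SECRETS" "$1") || { echo "missing secrets:" $_out; _fail=1; }
  _out=$(missing_names "$EXPECTED_VARIABLES" "$2") || { echo "missing variables:" $_out; _fail=1; }
  _out=$(misplaced_secrets "$EXPECTED_SECRETS" "$2") || { echo "secrets stored as variables:" $_out; _fail=1; }
  return $_fail
}

# Live run against the current repo (needs an authenticated gh); off by default.
if [ "${CHECK_LIVE:-}" = 1 ]; then
  check_repo_config "$(gh secret list)" "$(gh variable list)"
fi
```

Run it with CHECK_LIVE=1 from a checkout of the repository; a non-zero exit status means a name is missing or a secret was stored as a variable.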
See also: Admin Account Setup