# CI/CD pipeline control gates (worksheet)

Use alongside [GitHub Actions for AWS: Secure CI/CD](https://www.factualminds.com/blog/github-actions-aws-cicd-security-best-practices/). Check each box before promoting to production.

- [ ] **OIDC** — deploy roles are assumed through GitHub OIDC (`aws-actions/configure-aws-credentials` with `role-to-assume` and `permissions: id-token: write`); no long-lived `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` in GitHub secrets; the role's trust policy restricts the `sub` claim to this repo and environment, not `repo:org/*`
- [ ] **Pinned third-party actions** — every non-local `uses:` is pinned to a full 40-character commit SHA with the tag in a trailing comment (e.g. `actions/checkout@<sha> # v4`), including `aws-actions/*` and custom actions; `@v4`-style tags are mutable; Dependabot or Renovate keeps the pins current
- [ ] **IaC scan** — `cfn-guard` on the synthesized CloudFormation/CDK template, `checkov` (or equivalent) on the Terraform plan, run on every PR diff and blocking merge on failure
- [ ] **SAST/SCA slot** — static analysis or language linter plus dependency audit (e.g. `pnpm audit` or OSV-Scanner) on every PR and on the default branch, failing the job on known vulnerable dependencies (a dependency audit is SCA, not DAST; DAST needs a running target such as staging)
- [ ] **Container image** — image signed at build (e.g. cosign) and the signature verified before deploy; the ECS task definition / EKS manifest references the image by `@sha256:` digest, never a mutable tag such as `:latest`
- [ ] **Environment promotion** — prod deploy runs under a GitHub environment with required reviewers (manual approval) or a change window; prod receives the exact artifact digest that ran in staging, not a rebuild
- [ ] **Secrets** — nothing secret reaches build logs (masking covers only registered secrets; use `::add-mask::` for derived values); runtime secrets are fetched from AWS Secrets Manager / Parameter Store by the task or pod role, not injected at build time or baked into the image
- [ ] **Rollback drill** — documented revert path (redeploy the previous task definition revision or image digest) tested within the last quarter
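
Several of these gates can be checked mechanically before a workflow is merged. The script below is an added example, not code from the linked post or from any project it describes: it regex-scans a GitHub Actions workflow as plain text (no PyYAML needed) for unpinned actions, static AWS keys read from secrets, a missing `id-token: write` permission when `configure-aws-credentials` is used, and images referenced by tag rather than digest, and it builds the IAM trust policy that scopes the OIDC `sub` claim. The two sample workflows, the SHA/digest values, the account id and the role name are constructed placeholders.

```python
"""Gate checker for the worksheet above (added example, not from the linked post).
Scans a GitHub Actions workflow as text and reports the machine-checkable gates;
also builds the OIDC trust policy whose `sub` condition makes the OIDC gate mean
something. All sample data below is constructed."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                               # full commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.\-/]+)@(\S+)", re.M)   # owner/repo@ref
STATIC_KEY_RE = re.compile(r"secrets\.(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY)\b")
ID_TOKEN_RE = re.compile(r"^\s*id-token:\s*write\b", re.M)
IMAGE_RE = re.compile(r"^\s*image:\s*(\S+)", re.M)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_workflow(text: str) -> list[str]:
    """Return findings for the gates that can be read off the workflow text.
    An empty list means every checked gate passed."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        # Tags and branches (v4, main) are mutable; only a 40-hex SHA is immutable.
        # Local actions (uses: ./path) carry no @ref and are skipped on purpose.
        if not SHA_RE.match(ref):
            findings.append(f"unpinned action: {action}@{ref}")
    for m in STATIC_KEY_RE.finditer(text):
        findings.append(f"static AWS credential from secrets: {m.group(1)}")
    if "configure-aws-credentials" in text and not ID_TOKEN_RE.search(text):
        findings.append("OIDC: configure-aws-credentials used without id-token: write")
    for m in IMAGE_RE.finditer(text):
        # The same rule applies to the image field of an ECS task definition.
        if not DIGEST_RE.search(m.group(1)):
            findings.append(f"image not pinned by digest: {m.group(1)}")
    return findings


def oidc_trust_policy(account_id: str, repo: str, environment: str) -> dict:
    """Trust policy for a deploy role assumed via GitHub OIDC. The `sub` condition
    is what stops any other repo or branch on github.com from assuming the role;
    an `environment:` subject also forces the job to run under that environment,
    which is where the required-reviewer (manual approval) gate lives."""
    issuer = "token.actions.githubusercontent.com"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:aud": "sts.amazonaws.com",
                f"{issuer}:sub": f"repo:{repo}:environment:{environment}",
            }},
        }],
    }


# Constructed placeholders: not real SHAs, digests, repos or accounts.
PIN = "0123456789abcdef" * 2 + "01234567"   # 40 hex chars
DIGEST = "0123456789abcdef" * 4               # 64 hex chars

BAD_WORKFLOW = """\
name: deploy
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/example/builder:latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
"""

GOOD_WORKFLOW = f"""\
name: deploy
on: push
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: prod
    container:
      image: ghcr.io/example/builder@sha256:{DIGEST}
    steps:
      - uses: actions/checkout@{PIN}  # v4
      - uses: aws-actions/configure-aws-credentials@{PIN}  # v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha-deploy
          aws-region: us-east-1
"""

if __name__ == "__main__":
    for name, wf in (("bad", BAD_WORKFLOW), ("good", GOOD_WORKFLOW)):
        print(name, check_workflow(wf) or "all checked gates pass")
```

Run it against `.github/workflows/*.yml` in a pre-commit hook or a required status check and fail on any finding. The text scan deliberately stays simple: it does not follow reusable workflows or composite actions, so those files need the same scan, and signature verification and artifact-hash parity between staging and prod still have to be enforced in the deploy job itself.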
