Skip to main content

Continuous Integration & Deployment

GitHub Actions with AWS

Deploy to AWS automatically with GitHub Actions — OIDC-first, SLSA-aligned, and production-safe.

Last updated:April 29, 2026Author:FactualMinds Cloud Integration TeamReviewed by:FactualMinds AWS-certified architects (Solutions Architect – Professional)

AI & assistant-friendly summary

This section provides structured content for AI assistants and search engines. You can cite or summarize it when referencing this page.

Summary

GitHub Actions to AWS in 2026: OIDC keyless auth, Artifact Attestations, Immutable Actions, ARM runners, and reusable workflows to ECS, Lambda, EKS.

Key Facts

  • GitHub Actions to AWS in 2026: OIDC keyless auth, Artifact Attestations, Immutable Actions, ARM runners, and reusable workflows to ECS, Lambda, EKS
  • Deploy to AWS automatically with GitHub Actions — OIDC-first, SLSA-aligned, and production-safe
  • How do I authenticate GitHub Actions to AWS without long-lived keys
  • Create an IAM OIDC identity provider for token
  • com, then an IAM role whose trust policy restricts the sub claim to specific repos, branches, environments, or tags

Entity Definitions

Bedrock
Bedrock is relevant to github actions with aws.
SageMaker
SageMaker is relevant to github actions with aws.
Lambda
Lambda is relevant to github actions with aws.
AWS Lambda
AWS Lambda is relevant to github actions with aws.
EC2
EC2 is relevant to github actions with aws.
S3
S3 is relevant to github actions with aws.
CloudFront
CloudFront is relevant to github actions with aws.
CloudWatch
CloudWatch is relevant to github actions with aws.
IAM
IAM is relevant to github actions with aws.
VPC
VPC is relevant to github actions with aws.
EKS
EKS is relevant to github actions with aws.
ECS
ECS is relevant to github actions with aws.
EventBridge
EventBridge is relevant to github actions with aws.
Secrets Manager
Secrets Manager is relevant to github actions with aws.
AWS Secrets Manager
AWS Secrets Manager is relevant to github actions with aws.
Ask AI: ChatGPT Claude Perplexity Gemini

GitHub Actions + AWS overview

GitHub Actions is GitHub’s native CI/CD platform. Workflows live in .github/workflows/ alongside the code they build. For AWS workloads, the 2026 pattern we deploy is OIDC-first (no long-lived IAM access keys in GitHub Secrets), SLSA-aligned (every artifact ships with Artifact Attestations verifiable from ECS/EKS/Lambda deploy steps), and reusable-workflow-driven (a platform team owns the deploy contract once, every app repo calls it).

What’s new in 2026

Why GitHub Actions for AWS deployment

Built into GitHub

Cost efficient

Official AWS support

Core concept: workflows

Workflows are YAML files that define:

  1. Triggerpush, pull_request, schedule, workflow_dispatch, workflow_call (reusable).
  2. Jobs — parallel or sequential units with their own runner and permissions.
  3. Steps — commands and actions within a job.
  4. Environment — runner OS/arch, permissions, secrets, and deployment protection rules.

Example flow: push to main → run tests on matrix of Node versions → build container image on an ARM runner → attest build provenance → push to ECR → verify attestation → amazon-ecs-deploy-task-definition → Slack notification on success.

Authentication: OIDC is the only defensible default

OpenID Connect (recommended)

IAM access keys (legacy, do not use)

Common GitHub Actions → AWS patterns

Build, attest, and push Docker to ECR

Deploy Lambda via CloudFormation or lambda update-function-code

Deploy to App Runner or ECS on Fargate

Deploy static site to S3 + CloudFront

Apply Terraform or AWS CDK

Workflow structure (2026 reference)

name: Deploy to AWS
on:
  push:
    branches: [main]

concurrency:
  group: deploy-${{ github.ref }}
  cancel-in-progress: false

jobs:
  test:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

  build-and-attest:
    needs: test
    runs-on: ubuntu-24.04-arm # Graviton-targeted images
    permissions:
      id-token: write
      contents: read
      attestations: write
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789:role/gha-ecr-push
          aws-region: us-east-1
      - uses: aws-actions/amazon-ecr-login@v2
      - run: docker buildx build --platform linux/arm64 -t $IMAGE .
      - uses: actions/attest-build-provenance@v2
        with:
          subject-name: ${{ env.ECR_REGISTRY }}/my-app
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true

  deploy:
    needs: build-and-attest
    runs-on: ubuntu-24.04
    environment: production # required reviewers + protection rules
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789:role/gha-deploy-prod
          aws-region: us-east-1
      - run: gh attestation verify oci://$IMAGE --repo $GITHUB_REPOSITORY
      - uses: aws-actions/amazon-ecs-deploy-task-definition@v2
        with:
          task-definition: task-def.json
          service: my-service
          cluster: prod
          wait-for-service-stability: true

Larger, ARM, and GPU runners

GitHub Environments and deployment protection rules

Failure modes & resilience

1. GitHub-hosted runner outages. GitHub publishes incidents at githubstatus.com; Actions can stall for 5–60 minutes during regional incidents. Mitigation: critical deploys must support manual workflow_dispatch from a self-hosted runner fallback, or use AWS CodeBuild as a break-glass deploy path. Do not have only one path to production.

2. Actions minutes quota exhaustion. Free / Team plans are capped (2,000 / 3,000 minutes/month). Hitting the cap blocks all private-repo workflows org-wide. Mitigation: monitor minutes via the REST API (/orgs/{org}/settings/billing/actions); set a CloudWatch alarm via a small EventBridge-scheduled Lambda; budget alerts at 70% / 90%. ARM and larger runners are billed at higher multipliers — model before adopting.

3. ECR pull rate limits during deploy. ECR is generous but VPC endpoints with low concurrency can throttle. For high-velocity deploys (>50 task definitions/min), pre-cache base layers with image-pull-policy: IfNotPresent and run an ECR pull-through cache for non-AWS public images.

4. CodeDeploy alarm-rollback edge cases. The CloudWatch alarm used for auto-rollback evaluates at the alarm’s period; a low-volume canary may not trip a > X errors per 5 min alarm before traffic shifts to 100%. Pair with a synthetic Canary (CloudWatch Synthetics) running every minute against the canary task group, and use that as the rollback alarm.

5. OIDC token-exchange throttling. STS AssumeRoleWithWebIdentity is rate-limited per role (5,000 transactions/sec account-wide, lower per role). Massive matrix builds assuming the same role can throttle. Mitigation: split into per-environment roles, or stagger jobs with concurrency groups.

6. Reusable workflow upgrades break callers. Pinning callers to @v1 (mutable major) means a compatibility break in a v1.x.x release blasts all repos. Use SemVer with immutable SHA refs for production; cut a @v2 for breaking changes and migrate callers explicitly.

7. Action supply-chain compromise. A malicious tag-push on a popular community action would historically run with workflow secrets. Mitigation: Immutable Actions (2025) — pin uses: to a SHA that GitHub guarantees immutable; also enable the org-level “allow specified actions” allow-list.

Observability runbook

Metrics worth surfacing:

SignalSourceAlarm threshold / action
Workflow success_rate per repoREST /repos/{}/actions/runs< 95% over 24h → review failing job logs
Actions minutes consumed/orgs/{}/settings/billing/actions> 70% of monthly quota at day 20 → review heavy-use repos
OIDC AssumeRoleWithWebIdentity count by roleCloudTrailSudden spike on a single role → check matrix size, concurrency
Deploy duration p95Workflow run timing> baseline + 50% → investigate runner health, dependency caches
Attestation verify failuregh attestation verify exitAny failure on production deploy → block; investigate provenance

Debug path: “deploy job failed”:

  1. Workflow run page → failed step → expand log; copy the exact AWS API error.
  2. CloudTrail in the target account → filter by the OIDC role’s session name (set role-session-name to include ${{ github.run_id }}) → identify the denying API call.
  3. If AccessDenied: validate the IAM trust policy sub claim allows this branch/environment, and the role’s permission policy includes the failing API.
  4. If Throttling: reduce job concurrency, add aws-actions/configure-aws-credentials retry with role-duration-seconds, or move heavy work to AWS-side (CodeBuild) to eliminate the runner→AWS chatty path.
  5. Attestation failures: gh attestation verify oci://<image> --repo <repo> locally; check that the actions/attest-build-provenance action ran in the build job, and the deploy job has attestations: read permission.

Incident attachment: for any production deploy incident, attach gh run view <run-id> --log output to the postmortem alongside CloudTrail event IDs from the target account. Log retention on free/Team plans is 90 days; archive critical incident logs to S3 if your compliance regime requires longer.

When GitHub Actions is NOT the right call

Best practices

Security

Efficiency

Reliability

0
Long-lived AWS keys in the recommended OIDC pattern
SLSA v1
Build provenance via Artifact Attestations
2-64
vCPU range on GitHub-hosted larger and ARM runners

Tools & Calculators

Self-serve calculators and assessments that pair with this integration.

AWS Architecture Review

Have an AWS-certified architect review your CI/CD and IAM OIDC trust policies.

Open Tool

Related AWS Services

Consulting engagements that frequently pair with this integration.

AWS DevOps Consulting

AWS DevOps consulting — CI/CD pipeline setup, infrastructure as code (SAM/CDK), and deployment automation.

Explore Service

AWS Application Modernization — From Legacy to Cloud-Native

AWS application modernization — legacy migration, microservices, containers. Expert consulting from FactualMinds.

Explore Service

Hire a Dedicated AWS Consultant | FactualMinds

Hire a dedicated AWS consultant — a certified expert embedded with your team for cloud management, cost optimization, security, and architecture work.

Explore Service

Who typically runs this integration?

The roles that most often own or review this stack.

AWS Solutions for DevOps & Platform Engineers

EKS Auto Mode, OIDC-native CI/CD, supply-chain security, CDK Toolkit v2, and eBPF observability for platform teams building the platform on AWS in 2026.

Explore

AWS Solutions for CTOs

Cloud strategy, multi-account governance, agentic AI platform decisions, and FinOps culture for technology leaders scaling AWS in 2026 and beyond.

Explore

Related Integrations

Other AWS integration guides commonly deployed alongside this one.

Kubernetes on AWS (EKS)

Amazon EKS in 2026: Auto Mode GA, Hybrid Nodes, Karpenter 1.0, Pod Identity, Graviton-first node pools, and ECR enhanced scanning — cheaper, safer K8s.

View Guide

Terraform on AWS

Terraform + AWS in 2026: Stacks GA, ephemeral values, provider-defined functions, Test Framework, OpenTofu 1.8 encryption — vs CDK and CloudFormation.

View Guide

Frequently Asked Questions

How do I authenticate GitHub Actions to AWS without long-lived keys?
Use OpenID Connect (OIDC). Create an IAM OIDC identity provider for token.actions.githubusercontent.com, then an IAM role whose trust policy restricts the sub claim to specific repos, branches, environments, or tags. The aws-actions/configure-aws-credentials@v4 action exchanges the workflow's short-lived OIDC token for temporary AWS credentials — no secrets, nothing to rotate.
How do I restrict the OIDC role so one repo cannot deploy to another project's account?
Use OIDC subject-claim filtering in the IAM role's trust policy. Require sub to equal repo:acme/payments:ref:refs/heads/main for production, or repo:acme/payments:environment:production when you use GitHub Environments. You can combine with aud checks and, for extra defense in depth, explicitly deny any session that is missing the expected tag. A single wildcard (repo:acme/*) is a common mistake that lets any repo in the org assume the role.
What are Artifact Attestations and why do I need them for AWS deploys?
Artifact Attestations (GA 2024) produce a SLSA-v1-aligned, cryptographically signed provenance statement tying a build to the specific workflow, commit, and runner that produced it. For AWS, the pattern is: build → attest (actions/attest-build-provenance) → push to ECR with push-to-registry: true → in the deploy step verify the attestation via gh attestation verify before calling amazon-ecs-deploy-task-definition. This closes the supply-chain gap that static IAM permissions do not address.
When should I use GitHub-hosted larger runners vs self-hosted runners on EC2?
GitHub-hosted larger runners (up to 64 vCPU, including ARM and GPU variants) are the default choice — no maintenance, isolation per job, and supply-chain guarantees from GitHub. Self-hosted runners on EC2 make sense for (a) regulated workloads that must run inside a VPC with no egress, (b) sustained high utilisation where per-minute pricing becomes uneconomic, or (c) specialised hardware AWS offers but GitHub does not (e.g., Graviton3E, Inferentia2). For self-hosted, use GitHub's Actions Runner Controller on EKS for auto-scaling rather than raw EC2 Auto Scaling groups.
How do I handle secrets that are not AWS credentials (database URLs, third-party API keys)?
Three layers. (1) OIDC handles AWS. (2) For third-party secrets, prefer AWS Secrets Manager + Systems Manager Parameter Store fetched at runtime from Lambda/ECS, not injected into the workflow. (3) When a workflow genuinely needs a third-party secret (e.g., Stripe API key for a migration), use GitHub Environments with environment-scoped secrets and required reviewers — never repo-level secrets for production. Immutable Actions (2025) ensure the action consuming the secret cannot be silently swapped for a malicious version.
How do reusable workflows change CI/CD governance across many repos?
Reusable workflows live in a central repo (e.g., acme/platform-workflows) and are called by every app repo via uses: acme/platform-workflows/.github/workflows/deploy.yml@v1. Your platform team owns the deployment contract (OIDC role name pattern, attestation emission, Slack notification, rollback flag) and can upgrade all callers by cutting a new tag. Combined with Immutable Actions (which pin uses: refs to an immutable SHA) and deployment protection rules, reusable workflows are the canonical 2026 way to enforce CI/CD standards at scale without CODEOWNERS gymnastics.
What is the best rollback pattern for GitHub Actions deploys on AWS?
Three tiers. (1) For ECS/Fargate and Lambda: use CodeDeploy with canary or linear deployment and a CloudWatch alarm-based rollback — GitHub Actions kicks off the deployment, CodeDeploy handles progressive shift and automatic rollback. (2) For S3 + CloudFront static sites: keep the previous build prefix and flip the CloudFront origin or function. (3) For ad-hoc rollback: re-run the previous successful workflow run from the Actions UI, which replays the exact same SHA and attested artifact. Avoid "git revert then redeploy" as the primary rollback path — too slow under incident pressure.

Related Reading

Need Help with This Integration?

Our AWS-certified engineers can design, implement, and operate this integration end-to-end — or review what you already have.

Talk to AWS Experts
AWS Architecture Review