CGC-2026 · NickSavino · Jan 31, 2026 · Jan 28, 2026 · Jan 28, 2026 · Jan 28, 2026
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -18,9 +18,6 @@ jobs:
       id-token: write
       contents: read
 
-    outputs:
-      image_uri: ${{ steps.build.outputs.image_uri }}
-
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -35,7 +32,6 @@ jobs:
         uses: aws-actions/amazon-ecr-login@v2
 
       - name: Build & push image
-        id: build
         env:
           IMAGE_TAG: ${{ github.sha }}
         run: |
@@ -45,8 +41,6 @@ jobs:
           docker build -f Dockerfile.prod -t "${IMAGE_URI}" .
           docker push "${IMAGE_URI}"
 
-          echo "IMAGE_URI=${IMAGE_URI}" >> $GITHUB_OUTPUT
-
   deploy:
     runs-on: ubuntu-latest
     needs: build
@@ -63,55 +57,98 @@ jobs:
           aws-region: ${{ env.AWS_REGION }}
 
       - name: Deploy to EC2 via SSM
-        env:
-          IMAGE_URI: ${{ needs.build.outputs.image_uri }}
         run: |
           set -euo pipefail
 
+          ECR_REGISTRY="$(aws sts get-caller-identity --query Account --output text).dkr.ecr.${AWS_REGION}.amazonaws.com"
+          IMAGE_URI="${ECR_REGISTRY}/${ECR_REPO}:${GITHUB_SHA}"
           echo "Deploying image ${IMAGE_URI} to instance"
           test -n "${IMAGE_URI}"
 
+          COMMANDS=$(cat <<JSON
+          [
+            "set -euo pipefail",
+            "AWS_REGION=${AWS_REGION}",
+            "IMAGE_URI=${IMAGE_URI}",
+            "CONTAINER_NAME=${CONTAINER_NAME}",
+            "echo IMAGE_URI=$IMAGE_URI",
+            "if ! command -v docker >/dev/null 2>&1; then sudo dnf -y install docker; sudo systemctl enable --now docker; fi",
+            "sudo usermod -aG docker ec2-user || true",
+            "ECR_REGISTRY=\${IMAGE_URI%%/*}",
+            "aws ecr get-login-password --region $AWS_REGION | sudo docker login --username AWS --password-stdin \$ECR_REGISTRY",
+            "DBURL=\$(aws ssm get-parameter --region $AWS_REGION --with-decryption --name /cgc-2026-prod/api/database_url --query Parameter.Value --output text)",
+            "CLERK_SECRET=\$(aws ssm get-parameter --region $AWS_REGION --with-decryption --name /cgc-2026-prod/api/clerk_secret_key --query Parameter.Value --output text)",
+            "sudo docker pull $IMAGE_URI",
+            "sudo docker rm -f $CONTAINER_NAME || true",
+            "sudo docker run -d --restart unless-stopped --name $CONTAINER_NAME -p 8080:8080 -e PORT=8080 -e DATABASE_URL=\"\$DBURL\" -e CLERK_SECRET_KEY=\"\$CLERK_SECRET\" $IMAGE_URI",
+            "sleep 2",
+            "curl -fsS http://localhost:8080/health"
+          ]
+          JSON
+          )
+
           COMMAND_ID=$(aws ssm send-command \
             --region "${AWS_REGION}" \
             --instance-ids "${EC2_INSTANCE_ID}" \
             --document-name "AWS-RunShellScript" \
-            --parameters commands="[
-              "set -e",
-              "AWS_REGION='${AWS_REGION}'",
-              "IMAGE_URI='${IMAGE_URI}'",
-              "CONTAINER_NAME='${CONTAINER_NAME}'",
-              "",
-              "if ! command -v docker >/dev/null 2>&1; then sudo dnf -y install docker; sudo systemctl enable --now docker; fi",
-              "",
-                "sudo usermod -aG docker ec2-user || true",
-                "",
-              "# Login to ECR",
-              "aws ecr get-login-password --region ${AWS_REGION} | sudo docker login --username AWS --password-stdin $(echo ${IMAGE_URI} | cut -d/ -f1)",
-              "",
-              "# Fetch runtime secrets from SSM",
-              "DBURL=$(aws ssm get-parameter --region ${AWS_REGION} --with-decryption --name /cgc-2026-prod/api/database_url --query Parameter.Value --output text)",
-              "CLERK_SECRET=$(aws ssm get-parameter --region ${AWS_REGION} --with-decryption --name /cgc-2026-prod/api/clerk_secret_key --query Parameter.Value --output text)",
-              "",
-              "# Pull new image",
-              "",
-              "sudo docker pull ${IMAGE_URI}",
-              "# Stop existing container (if any)",
-              "sudo docker rm -f ${CONTAINER_NAME} || true",
-              "",
-              "# Run container",
-              "sudo docker run -d --restart unless-stopped --name \"${CONTAINER_NAME}\" -p 8080:8080 -e PORT=8080 -e DATABASE_URL=\"${DBURL}\" -e CLERK_SECRET_KEY=\"${CLERK_SECRET}\" \"${IMAGE_URI}\"",
-              "",
-              "# Smoke check",
-              "sleep 2",
-              "curl -fsS http://localhost:8080/health"
-            ]"" \
+            --parameters "commands=${COMMANDS}" \
             --query 'Command.CommandId' \
             --output text)
 
-          sleep 2
-          aws ssm get-command-invocation \
+          echo "Waiting for SSM command ${COMMAND_ID} to complete..."
+          for i in {1..60}; do
+            STATUS=$(aws ssm get-command-invocation \
+              --region "${AWS_REGION}" \
+              --command-id "${COMMAND_ID}" \
+              --instance-id "${EC2_INSTANCE_ID}" \
+              --query 'Status' \
+              --output text 2>/dev/null || echo "Pending")
+
+            case "${STATUS}" in
+              Success)
+                echo "SSM command succeeded"
+                break
+                ;;
+              Failed|Cancelled|TimedOut)
+                echo "SSM command failed with status: ${STATUS}"
+                aws ssm get-command-invocation \
+                  --region "${AWS_REGION}" \
+                  --command-id "${COMMAND_ID}" \
+                  --instance-id "${EC2_INSTANCE_ID}" \
+                  --query 'StandardErrorContent' \
+                  --output text
+                exit 1
+                ;;
+              *)
+                echo "Status: ${STATUS} (attempt $i/60)"
+                sleep 5
+                ;;
+            esac
+          done
+
+      - name: Verify health
+        run: |
+          set -euo pipefail
+
+          PUBLIC_IP=$(aws ec2 describe-instances \
             --region "${AWS_REGION}" \
-            --command-id "${COMMAND_ID}" \
-            --instance-id "${EC2_INSTANCE_ID}" \
-            --query 'StandardErrorContent' \
-            --output text
+            --instance-ids "${EC2_INSTANCE_ID}" \
+            --query 'Reservations[0].Instances[0].PublicIpAddress' \
+            --output text)
+
+            test "${PUBLIC_IP}" != "None"
+
+          URL="http://${PUBLIC_IP}:8080/health"
+          echo "Checking ${URL}"
+
+          for i in {1..20}; do
+            if curl -fsS "${URL}" >/dev/null; then
+              echo "Health check passed"
+              exit 0
+            fi
+            echo "Health not ready yet (attempt $i/20) — retrying..."
+            sleep 3
+          done
+
+          echo "Health check failed"
+          exit 1
diff --git a/infra/env/prod/.terraform.lock.hcl b/infra/env/prod/.terraform.lock.hcl