From 0da30f0c936ea0adcd71d7c7032a2535cfab8c0f Mon Sep 17 00:00:00 2001
From: MarcoIeni <11428655+MarcoIeni@users.noreply.github.com>
Date: Wed, 4 Mar 2026 10:46:43 +0100
Subject: [PATCH] chore: update deployment workflows and add ECS action
---
 .github/actions/deploy-ecs/action.yml | 50 +++++++++++++++++++++++++++
 .github/workflows/deploy-dev.yml | 27 ++++++++-------
 .github/workflows/deploy.yml | 26 +++++++-------
 3 files changed, 77 insertions(+), 26 deletions(-)
 create mode 100644 .github/actions/deploy-ecs/action.yml
diff --git a/.github/actions/deploy-ecs/action.yml b/.github/actions/deploy-ecs/action.yml
new file mode 100644
index 000000000..c9dd26ee6
--- /dev/null
+++ b/.github/actions/deploy-ecs/action.yml
@@ -0,0 +1,50 @@
+name: Deploy to ECS
+description: Build Docker image, push to ECR, and deploy to ECS
+
+inputs:
+ aws-iam:
+ description: Ending part of the ARN of the IAM role to assume for AWS credentials
+ required: true
+ cluster:
+ description: Name of the ECS cluster to deploy to
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v6
+ with:
+ role-to-assume: arn:aws:iam::${{ inputs.aws-iam }}
+ aws-region: us-east-1
+
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build and tag the Docker image
+ env:
+ REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ tags: ${{ env.REGISTRY }}/docs-rs-web:latest
+ target: web-server
+ file: dockerfiles/Dockerfile
+ push: true
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ build-args: GIT_VERSION=${{ github.sha }}
+
+ - name: Kick ECS to deploy new version
+ shell: bash
+ env:
+ CLUSTER: ${{ inputs.cluster }}
+ SERVICE: docs-rs-web
+ run: |
+ aws ecs update-service --service ${SERVICE} --cluster ${CLUSTER} --force-new-deployment
+ # Poll every 15 seconds until a successful state has been reached. Fail after 40 failed checks.
+ aws ecs wait services-stable --services ${SERVICE} --cluster ${CLUSTER}
diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
index 52bb4c040..9833fd8f4 100644
--- a/.github/workflows/deploy-dev.yml
+++ b/.github/workflows/deploy-dev.yml
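Review bot: The four third-party actions in the new `.github/actions/deploy-ecs/action.yml` (`aws-actions/configure-aws-credentials@v6`, `aws-actions/amazon-ecr-login@v2`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v6`) are referenced by mutable tags, and both calling jobs grant `id-token: write` and assume the deploy role, so a retagged release would run with AWS deploy rights. Pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v6`. The build step pushes the image only as `docs-rs-web:latest`; adding an immutable second tag such as `${{ env.REGISTRY }}/docs-rs-web:${{ github.sha }}` would let you tell which commit a running task came from and roll back to a known image. In the last step, quote the expansions: `--service "${SERVICE}" --cluster "${CLUSTER}"`.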
@@ -9,19 +9,20 @@ jobs: docker: name: Build and upload docker image runs-on: ubuntu-latest + environment: staging + concurrency: staging + if: github.repository_owner == 'rust-lang' + permissions: + id-token: write + contents: read steps: - - uses: actions/checkout@v6 - - - name: Build the Docker image - run: docker build -t docs-rs-web -f dockerfiles/Dockerfile --target web-server . + - name: Checkout repository + uses: actions/checkout@v6 + with: + persist-credentials: false - - name: Upload the Docker image to ECR (dev) - uses: rust-lang/simpleinfra/github-actions/upload-docker-image@master + - name: Deploy to ECS + uses: ./.github/actions/deploy-ecs with: - image: docs-rs-web - repository: docs-rs-web - region: us-east-1 - aws_access_key_id: "${{ secrets.staging_aws_access_key_id }}" - aws_secret_access_key: "${{ secrets.staging_aws_secret_access_key }}" - redeploy_ecs_cluster: docs-rs-staging - redeploy_ecs_service: docs-rs-web + aws-iam: "519825364412:role/ci--rust-lang--docs.rs--staging" + cluster: docs-rs-staging diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index de2917273..585ec7eae 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
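Review bot: Nothing next to the new `permissions:` block in deploy-dev.yml says why `id-token: write` is granted or what now gates access to the AWS role; with the static `secrets.staging_aws_*` keys removed, that gate is the role's trust policy, which is not part of this patch. I would add a comment above `permissions:`, e.g. `# id-token: write lets the deploy-ecs action request a GitHub OIDC token to assume the AWS role; the role's trust policy is expected to accept only this repository's staging environment`, and confirm that the policy really conditions on the `sub` claim for `environment: staging` rather than on the repository alone. The same comment fits the `permissions:` block that deploy.yml adds for `production`. The workflow's `on:` trigger sits above this hunk, so which events reach this job cannot be checked from here.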
@@ -8,19 +8,19 @@ jobs: prod: name: Production runs-on: ubuntu-latest + environment: production + concurrency: production + permissions: + id-token: write + contents: read steps: - - uses: actions/checkout@v6 - - - name: Build the Docker image - run: docker build -t docs-rs-web -f dockerfiles/Dockerfile --target web-server . + - name: Checkout repository + uses: actions/checkout@v6 + with: + persist-credentials: false - - name: Upload the Docker image to ECR (production) - uses: rust-lang/simpleinfra/github-actions/upload-docker-image@master + - name: Deploy to ECS + uses: ./.github/actions/deploy-ecs with: - image: docs-rs-web - repository: docs-rs-web - region: us-west-1 - aws_access_key_id: "${{ secrets.aws_access_key_id }}" - aws_secret_access_key: "${{ secrets.aws_secret_access_key }}" - redeploy_ecs_cluster: rust-ecs-prod - redeploy_ecs_service: docs-rs-web + aws-iam: "760062276060:role/ci--rust-lang--docs.rs--production" + cluster: docs-rs-prod
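Review bot: The production job gets `environment`, `concurrency` and `permissions` but not the `if: github.repository_owner == 'rust-lang'` guard that this commit adds to the staging job in deploy-dev.yml, so on a fork with Actions enabled it would presumably still start and only fail at role assumption; add `if: github.repository_owner == 'rust-lang'` here as well. Also, the removed step passed `region: us-west-1` whereas the shared deploy-ecs action hard-codes `aws-region: us-east-1`, and the cluster changes from `rust-ecs-prod` to `docs-rs-prod`. If that move is intended, a line in the commit message would help; if not, the region should become an input of the action, otherwise `aws ecs update-service` will look for the cluster in the wrong region.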