From dd689d8c6712ec946bec290ad597a00a39abd3a7 Mon Sep 17 00:00:00 2001
From: Maximiliano Duthey
Date: Thu, 16 Apr 2026 11:22:01 -0300
Subject: [PATCH 1/2] ci: add deploy workflow
---
 .github/workflows/deploy.yml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .github/workflows/deploy.yml
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..a48a27f
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,36 @@
+name: Deploy
+
+on:
+ workflow_run:
+ workflows: ["Build"]
+ types:
+ - completed
+
+ workflow_dispatch: {}
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ deploy:
+ if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: us-west-2
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+ role-session-name: ${{ secrets.AWS_ROLE_SESSION_NAME }}
+ role-duration-seconds: 1200
+
+ - name: Setup kubeconfig
+ shell: bash
+ run: aws eks update-kubeconfig --name ${{ secrets.AWS_EKS_CLUSTER_NAME }} --region us-west-2
+
+ - name: Update Kubernetes Docs deployment
+ run: |
+ kubectl set image ${{ secrets.AWS_EKS_DEPLOYMENT_NAME }} main=ghcr.io/txpipe/docs:${{ github.sha }} --namespace=${{ secrets.AWS_EKS_NAMESPACE }}
From ca2f29daa9a286e5894c1c763c17175fb1a8c59d Mon Sep 17 00:00:00 2001
From: Maximiliano Duthey
Date: Thu, 16 Apr 2026 11:23:55 -0300
Subject: [PATCH 2/2] ci: add check on secrets
---
 .github/workflows/deploy.yml | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index a48a27f..9998671 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
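Review bot: In the workflow added by [PATCH 1/2], the `workflow_run` trigger has no `branches:` filter, so a successful "Build" run on any ref starts this job with the AWS and cluster secrets in scope, including runs for pull requests if Build (not shown here) runs on them. Under `workflow_run`, `github.sha` is the head of the default branch rather than the commit Build ran on, so the image tag in the last step may not match what was built. I would add a `branches:` list under `workflow_run` naming the release branch (e.g. `branches: [main]`, branch name assumed) and tag with `${{ github.event.workflow_run.head_sha || github.sha }}`. Separately, `id-token: write` is granted while the credentials step passes static `aws-access-key-id`/`aws-secret-access-key`; either drop the permission or move the role assumption to OIDC and retire the long-lived keys.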
@@ -13,9 +13,31 @@ permissions:
 contents: read
 jobs:
- deploy:
+ check-secrets:
 if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
 runs-on: ubuntu-latest
+ outputs:
+ has-secrets: ${{ steps.check.outputs.has-secrets }}
+ steps:
+ - id: check
+ run: |
+ if [ -z "${{ secrets.AWS_ACCESS_KEY_ID }}" ] || \
+ [ -z "${{ secrets.AWS_SECRET_ACCESS_KEY }}" ] || \
+ [ -z "${{ secrets.AWS_ROLE_TO_ASSUME }}" ] || \
+ [ -z "${{ secrets.AWS_ROLE_SESSION_NAME }}" ] || \
+ [ -z "${{ secrets.AWS_EKS_CLUSTER_NAME }}" ] || \
+ [ -z "${{ secrets.AWS_EKS_DEPLOYMENT_NAME }}" ] || \
+ [ -z "${{ secrets.AWS_EKS_NAMESPACE }}" ]; then
+ echo "has-secrets=false" >> "$GITHUB_OUTPUT"
+ echo "::warning::One or more required secrets are missing. Skipping deploy."
+ else
+ echo "has-secrets=true" >> "$GITHUB_OUTPUT"
+ fi
+
+ deploy:
+ needs: check-secrets
+ if: ${{ needs.check-secrets.outputs.has-secrets == 'true' }}
+ runs-on: ubuntu-latest
 steps:
 - uses: aws-actions/configure-aws-credentials@v4
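Review bot: The `check` step expands every `${{ secrets.* }}` value into the script text before bash parses it, so a value containing `"`, `$(` or a backtick changes what the shell runs, and the raw secret ends up in the generated script file on the runner. Passing the values through `env:` and testing `"$VAR"` keeps them as data; the rewritten step is below. The two `run:` steps added in [PATCH 1/2] interpolate secrets into the command line the same way, unquoted, and would take the same treatment. The `check-secrets` job also inherits the workflow-level `id-token: write` although it only tests for empty values, so a job-level `permissions: {}` would fit. The `deploy` job's steps continue past the end of this hunk.

```yaml
      - id: check
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          AWS_ROLE_SESSION_NAME: ${{ secrets.AWS_ROLE_SESSION_NAME }}
          AWS_EKS_CLUSTER_NAME: ${{ secrets.AWS_EKS_CLUSTER_NAME }}
          AWS_EKS_DEPLOYMENT_NAME: ${{ secrets.AWS_EKS_DEPLOYMENT_NAME }}
          AWS_EKS_NAMESPACE: ${{ secrets.AWS_EKS_NAMESPACE }}
        run: |
          if [ -z "$AWS_ACCESS_KEY_ID" ] || \
             [ -z "$AWS_SECRET_ACCESS_KEY" ] || \
             [ -z "$AWS_ROLE_TO_ASSUME" ] || \
             [ -z "$AWS_ROLE_SESSION_NAME" ] || \
             [ -z "$AWS_EKS_CLUSTER_NAME" ] || \
             [ -z "$AWS_EKS_DEPLOYMENT_NAME" ] || \
             [ -z "$AWS_EKS_NAMESPACE" ]; then
            # … unchanged: has-secrets=false output and warning …
          else
            # … unchanged: has-secrets=true output …
          fi
```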