Docs · last updated June 2026

CI/CD system.

Embrasure uses GitHub Actions and AWS to build, verify, and deploy the hosted web app, product API, and background worker. This page summarizes the current production pipeline for customer and auditor review.

Source control: GitHub repository EmbrasureAI/embrasure.
Review gate: The protected main branch requires at least one approving pull request review before merge.
CI checks: Pull requests run workspace checks, API tests, desktop Rust checks, secret scanning, and CodeQL analysis.
Deploy workflow: The AWS ECS Deploy workflow runs on main after production-relevant app, API, infrastructure, or migration changes.
Cloud auth: GitHub Actions assumes a scoped AWS deployment role through OIDC rather than long-lived AWS access keys.
Artifacts: The workflow builds API, worker, and web container images, pushes immutable SHA-tagged images to Amazon ECR, then applies those tags through Terraform.
Runtime: Production web, API, and worker services run on AWS ECS/Fargate behind AWS Application Load Balancers.
Smoke checks: Deployment verifies the production API health route and the web service through the load balancer before the workflow completes.
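
For reviewers who want to check the "Cloud auth" control themselves, the following is an added example, not Embrasure's own code or policy: a small auditor for the trust policy of a role assumed by GitHub Actions through OIDC. The sample policies, the account ID placeholder, and the choice to pin the role to the main branch ref are assumptions made for illustration; only the repository name comes from this page.

```python
OIDC = "token.actions.githubusercontent.com"
# Repository name is from this page; pinning to the main branch ref is an assumption.
EXPECTED_SUB = "repo:EmbrasureAI/embrasure:ref:refs/heads/main"

def as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_sub=EXPECTED_SUB):
    """Return findings for the GitHub OIDC statements of an IAM trust policy."""
    findings, seen = [], False
    for i, st in enumerate(as_list(policy.get("Statement"))):
        principal = st.get("Principal")
        federated = as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        is_github = any(f.endswith("oidc-provider/" + OIDC) for f in federated)
        if st.get("Effect") != "Allow" or not is_github:
            continue
        seen = True
        cond = st.get("Condition", {})
        exact, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        # The audience must be exactly STS, or tokens minted for other services are accepted.
        if as_list(exact.get(OIDC + ":aud")) != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud not pinned to sts.amazonaws.com")
        # The subject must be an exact match; a pattern or no condition widens who can assume the role.
        subs = as_list(exact.get(OIDC + ":sub"))
        if not subs:
            loose = as_list(like.get(OIDC + ":sub"))
            findings.append(f"statement {i}: sub matched by pattern {loose}" if loose
                            else f"statement {i}: sub unconstrained")
        elif any(s != expected_sub for s in subs):
            findings.append(f"statement {i}: sub allows {subs}, expected {expected_sub}")
    if not seen:
        findings.append("no Allow statement for the GitHub OIDC provider")
    return findings

def _policy(condition):  # constructed sample; the account ID is a placeholder
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + OIDC},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

SCOPED = _policy({"StringEquals": {OIDC + ":aud": "sts.amazonaws.com", OIDC + ":sub": EXPECTED_SUB}})
LOOSE = _policy({"StringLike": {OIDC + ":sub": "repo:EmbrasureAI/*"}})

if __name__ == "__main__":
    for name, pol in (("SCOPED", SCOPED), ("LOOSE", LOOSE)):
        print(name, audit_trust_policy(pol) or "ok")
```

The auditor compares condition keys literally, so a policy that spells them with different casing would need normalising before the check.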

Change evidence

Production changes are traceable through pull requests, commit history, CI check output, AWS ECS deployment logs, and post-deploy smoke checks. Security-sensitive changes include additional review notes or follow-up tasks when risk remains.

Internal runbooks and workflow definitions live in source control. Customer-specific deployment details, incident notes, credentials, and environment-specific secrets are not published on this page.