Summary

• Adds .github/workflows/deploy.yml for continuous deployment to the live OKE cluster
• Triggers automatically after Integration Test workflow succeeds on main
• Uses OCI CLI for ephemeral kubeconfig token generation (no static credentials)
• Includes post-deploy verification (kubectl status + helm test)
• Collects diagnostics on failure for debugging

Prerequisites (before this can function)

The following GitHub secrets must be provisioned on the deploy repo:

• OCI_CLI_TENANCY — OCI tenancy OCID
• OCI_CLI_USER — OCI user/service-principal OCID
• OCI_CLI_FINGERPRINT — API key fingerprint
• OCI_CLI_KEY_CONTENT — Private key PEM content
• OCI_CLI_REGION — Region (us-phoenix-1)
• OKE_CLUSTER_OCID — OKE cluster OCID

Optionally, configure a GitHub environment called production with required reviewers for manual approval gate.

Safety

• Only deploys after integration tests pass (workflow_run trigger)
• --wait --timeout=300s ensures Helm reports deployment health
• Helm test suite runs post-deploy
• Failure diagnostics collected automatically
• Helm revision history enables helm rollback if needed

Test plan

• Verify workflow YAML is valid (lint)
• Provision secrets on repo
• Merge and verify workflow triggers after next Integration Test pass
• Confirm helm upgrade succeeds on live cluster
• Confirm helm tests pass post-deploy