GitHub Actions Pipeline for the Landing Zone

We shipped a feature that improves how we deliver and operate our cloud platform: a GitHub Actions pipeline designed specifically for our Landing Zone workflow.

It is a structured delivery pipeline for infrastructure, built to support multi-account AWS operations, reduce manual risk, and keep deployments predictable as the platform grows.

At a high level, the pipeline automates the full lifecycle of infrastructure changes. Every update goes through a consistent sequence: validation, planning, controlled approval, and deployment. By codifying these steps in GitHub Actions, we removed the “it works on my machine” problem and established one reliable path from pull request to production-grade infrastructure changes.

A major design goal was security-first automation. The pipeline is built around short-lived credentials and explicit trust boundaries, so we avoid long-lived secrets and uncontrolled access patterns. This lets us keep developer experience fast while preserving strong governance.

The workflow is also intentionally transparent. Pull requests produce clear plan output so reviewers can see exactly what will change before anything is applied. This improves collaboration between platform, security, and operations stakeholders because discussions happen on concrete execution results. The result is faster reviews with fewer surprises during rollout.

For enhanced security, given the time gap between plan and apply, we prevent drift between what was reviewed and what is executed: approvers must approve the exact change set that will be applied. The plan is generated first in the plan-for-apply job; the workflow normalizes the plan output, then computes a SHA256 hash of it. That hash is exposed as overall_plan_sha and shown in the workflow summary. The pipeline stops after plan and tells the operator to apply the plan that carries the reviewed plan hash. If the hashes differ, apply is blocked. If they match and the approval phrase is correct, apply-after-approval runs.
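As an added illustration (not the Nimbiora pipeline's own code), the following shell sketch shows the shape of that plan-hash gate: the normalization rules, the constructed sample plan text and the approval phrase `approve-apply` are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not the pipeline's own code. Normalization rules, sample plan
# text and the approval phrase "approve-apply" are assumptions for illustration.
set -euo pipefail

esc=$(printf '\033')

# Normalize plan text so cosmetic run-to-run differences (colour codes, trailing
# whitespace, timestamps, state lock/refresh chatter) do not change the hash,
# while any real change to the change set still does.
normalize_plan() {
  sed -E -e "s/${esc}\[[0-9;]*m//g" \
         -e 's/[[:space:]]+$//' \
         -e '/^[0-9]{4}-[0-9]{2}-[0-9]{2}T/d' \
         -e '/^(Refreshing|Acquiring|Releasing) state/d'
}

# SHA-256 of the normalized plan: the value plan-for-apply would publish as
# overall_plan_sha in the workflow summary.
plan_sha() {
  normalize_plan | sha256sum | awk '{print $1}'
}

# Gate run by apply-after-approval: the hash of the plan about to be applied must
# equal the reviewed hash, and the approver must supply the exact phrase.
approval_gate() {
  local reviewed_sha="$1" current_sha="$2" phrase="$3"
  if [ "$reviewed_sha" != "$current_sha" ]; then
    echo "BLOCKED: plan hash $current_sha differs from reviewed $reviewed_sha"
    return 1
  fi
  if [ "$phrase" != "approve-apply" ]; then
    echo "BLOCKED: approval phrase not recognised"
    return 1
  fi
  echo "ALLOWED: applying reviewed plan $reviewed_sha"
}

# Constructed sample plan text (not real tool output): the reviewed plan, a later
# re-plan of the same change set with different timestamp and colouring, and a
# drifted plan that now touches an extra resource.
PLAN_REVIEWED=$(printf '%s\n' '2024-01-01T10:00:00Z Starting plan' 'Refreshing state...' \
  "${esc}[32m+${esc}[0m aws_s3_bucket.logs will be created   " \
  'Plan: 1 to add, 0 to change, 0 to destroy.')
PLAN_AT_APPLY=$(printf '%s\n' '2024-01-01T10:42:00Z Starting plan' 'Acquiring state lock.' \
  '+ aws_s3_bucket.logs will be created' 'Plan: 1 to add, 0 to change, 0 to destroy.')
PLAN_DRIFTED=$(printf '%s\n' '+ aws_s3_bucket.logs will be created' \
  '~ aws_iam_role.deploy will be updated in-place' 'Plan: 1 to add, 1 to change, 0 to destroy.')

reviewed_sha=$(printf '%s\n' "$PLAN_REVIEWED" | plan_sha)
approval_gate "$reviewed_sha" "$(printf '%s\n' "$PLAN_AT_APPLY" | plan_sha)" "approve-apply"
approval_gate "$reviewed_sha" "$(printf '%s\n' "$PLAN_DRIFTED" | plan_sha)" "approve-apply" || true
```

In a real workflow the reviewed hash would be read from the plan-for-apply job output and the phrase from the manual approval input, rather than from local variables.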

From an engineering perspective, this pipeline gives you a foundation that can evolve. Today it enforces a safer and more repeatable release process. Tomorrow it can support additional layers such as scheduled drift checks, richer policy validation, cost-awareness checks, environment-specific rollout strategies, and stronger change reporting for audit/compliance use cases. In other words, it is not just automation for today’s tasks, but a platform for future operational maturity.

Most importantly, this feature changes how you work as a team. If you choose to adopt it, you move from manual-heavy, operator-dependent execution to a codified, reviewable, and scalable delivery flow. That shift increases reliability, improves security posture, and frees up time for higher-value platform work.

This is an important step in our Landing Zone journey: faster delivery, safer infrastructure changes, and a workflow that scales with the organization.

Read more about the Nimbiora Landing Zone.