---

Introduction

Modern applications should be deployed automatically whenever code is merged into the main branch.

Instead of manually:

• Building the application
• Running tests
• Building Docker images
• Pushing images to ECR
• Updating ECS Tasks
• Restarting containers

we can automate everything using GitHub Actions.

GitHub Actions is one of the most popular CI/CD platforms because it integrates directly with GitHub repositories and works seamlessly with AWS.

In this article, we will build a production-ready CI/CD pipeline that:

• Builds a Spring Boot application
• Runs unit tests
• Creates a Docker image
• Pushes the image to Amazon ECR
• Deploys the application to Amazon ECS

---

Learning Objectives

After completing this article, you will understand:

• GitHub Actions fundamentals
• Workflow files
• GitHub Runners
• Amazon ECR
• Amazon ECS
• Docker Build Automation
• AWS Authentication
• GitHub Secrets
• Rolling Deployments
• Deployment Verification
• Production Best Practices

---

What is GitHub Actions?

GitHub Actions is GitHub's native CI/CD platform.

It automatically executes workflows when repository events occur.

Common triggers:

• Push
• Pull Request
• Release
• Schedule
• Manual Trigger

---

Why GitHub Actions?

Without CI/CD

Developer

↓

Build

↓

Docker

↓

Push Image

↓

Deploy ECS

↓

Verify

Everything is manual.

---

With GitHub Actions

Git Push

↓

GitHub Actions

↓

Production

Deployment becomes fully automated.

---

High-Level Architecture

flowchart LR

Developer

GitHub

GitHubActions

AmazonECR

AmazonECS

Developer --> GitHub
GitHub --> GitHubActions
GitHubActions --> AmazonECR
AmazonECR --> AmazonECS

---

Enterprise Architecture

flowchart TD

Developer

GitHub

PullRequest

MainBranch

GitHubActions

JUnit

SonarQube

DockerBuild

AmazonECR

AmazonECS

ALB

SpringBootContainers

Aurora

CloudWatch

Developer --> GitHub
GitHub --> PullRequest
PullRequest --> MainBranch
MainBranch --> GitHubActions

GitHubActions --> JUnit
GitHubActions --> SonarQube
GitHubActions --> DockerBuild

DockerBuild --> AmazonECR

AmazonECR --> AmazonECS

AmazonECS --> ALB
ALB --> SpringBootContainers

SpringBootContainers --> Aurora
SpringBootContainers --> CloudWatch

---

CI/CD Workflow

flowchart LR

Push

Checkout

Build

Test

Docker

PushECR

DeployECS

Verify

Push --> Checkout
Checkout --> Build
Build --> Test
Test --> Docker
Docker --> PushECR
PushECR --> DeployECS
DeployECS --> Verify

---

Project Structure

springboot-ecs-demo

├── .github
│   └── workflows
│       └── deploy.yml
├── Dockerfile
├── pom.xml
├── src
└── target

---

Step 1 Create Amazon ECR Repository

AWS Console

↓

Amazon ECR

↓

Create Repository

Example

springboot-demo

---

Step 2 Create ECS Cluster

AWS Console

↓

Amazon ECS

↓

Create Cluster

Launch Type

Fargate

Recommended for most new workloads because you don't manage EC2 instances.

---

Step 3 Create ECS Service

Configure

• Task Definition
• CPU
• Memory
• ALB
• Target Group

---

Step 4 Create GitHub Workflow

Create

.github/workflows/deploy.yml

---

Workflow Trigger

on:

  push:

    branches:

      - main

Every push to main starts deployment.

---

GitHub Runner

GitHub provides managed Linux runners.

runs-on:

  ubuntu-latest

No infrastructure required.

---

Checkout Code

- name: Checkout

  uses: actions/checkout@v4

---

Setup Java

- name: Setup Java

  uses: actions/setup-java@v4

  with:

    distribution: corretto

    java-version: 21

---

Build Application

- name: Maven Build

  run: mvn clean package -DskipTests

---

Run Tests

- name: Run Tests

  run: mvn test

Pipeline fails automatically if tests fail.

---

Configure AWS Credentials

Recommended approach:

Use GitHub OIDC with an IAM Role instead of long-lived AWS access keys.

- name: Configure AWS Credentials

  uses: aws-actions/configure-aws-credentials@v4

  with:

    role-to-assume: arn:aws:iam::123456789012:role/github-actions-role

    aws-region: us-east-1

---

Login to Amazon ECR

- name: Login to Amazon ECR

  uses: aws-actions/amazon-ecr-login@v2

---

Build Docker Image

- name: Build Docker Image

  run: |

    docker build \
      -t springboot-demo:${{ github.sha }} .

---

Tag Image

docker tag springboot-demo:${GITHUB_SHA} \
123456789012.dkr.ecr.us-east-1.amazonaws.com/springboot-demo:${GITHUB_SHA}

---

Push Image

docker push \
123456789012.dkr.ecr.us-east-1.amazonaws.com/springboot-demo:${GITHUB_SHA}

---

Update ECS Service

- name: Deploy ECS

  run: |

    aws ecs update-service \
      --cluster production \
      --service springboot-service \
      --force-new-deployment

ECS automatically launches new tasks.

---

Deployment Flow

flowchart LR

GitHubActions

AmazonECR

TaskDefinition

AmazonECS

RunningContainers

GitHubActions --> AmazonECR
AmazonECR --> TaskDefinition
TaskDefinition --> AmazonECS
AmazonECS --> RunningContainers

---

ECS Rolling Deployment

Old Task

↓

New Task

↓

Health Check

↓

Traffic Switch

↓

Old Task Removed

No downtime.

---

Application Load Balancer

flowchart LR

Users

ALB

Task1

Task2

Task3

Users --> ALB
ALB --> Task1
ALB --> Task2
ALB --> Task3

---

GitHub Secrets

Store:

• AWS Role ARN (if needed)
• ECS Cluster Name
• ECS Service Name
• AWS Region

Never store secrets directly inside workflow files.

---

Environment Variables

Example

env:

  AWS_REGION: us-east-1

  ECR_REPOSITORY: springboot-demo

---

Dockerfile

FROM eclipse-temurin:21-jre

WORKDIR /app

COPY target/*.jar app.jar

ENTRYPOINT ["java","-jar","app.jar"]

---

Health Check

Spring Boot

/actuator/health

ALB verifies every container.

Unhealthy containers are replaced automatically.

---

Monitoring

Monitor:

• Workflow Success
• Deployment Duration
• ECS Task Status
• CPU
• Memory
• Failed Deployments

Using:

• CloudWatch
• GitHub Actions Logs

---

Notifications

Integrate with:

• Slack
• Microsoft Teams
• Amazon SNS
• Email

Notify:

• Build Success
• Deployment Success
• Deployment Failure

---

Production Architecture

flowchart TD

Developer

GitHub

GitHubActions

DockerBuild

AmazonECR

AmazonECS

ALB

SpringBootTask1

SpringBootTask2

Aurora

CloudWatch

Developer --> GitHub
GitHub --> GitHubActions
GitHubActions --> DockerBuild
DockerBuild --> AmazonECR
AmazonECR --> AmazonECS
AmazonECS --> ALB

ALB --> SpringBootTask1
ALB --> SpringBootTask2

SpringBootTask1 --> Aurora
SpringBootTask2 --> Aurora

SpringBootTask1 --> CloudWatch
SpringBootTask2 --> CloudWatch

---

Common Errors

Workflow Failed

Check:

• YAML syntax
• Java version
• Maven build

---

Docker Push Failed

Verify:

• ECR login
• Repository exists
• IAM permissions

---

ECS Deployment Failed

Verify:

• Task Definition
• ECS Service
• Cluster Name
• ALB Health Check

---

Container Crash

Review:

CloudWatch Logs

---

Security Best Practices

• Use GitHub OIDC with IAM Roles
• Avoid long-lived AWS access keys
• Store sensitive configuration in AWS Secrets Manager
• Use immutable Docker image tags
• Enable branch protection
• Require pull request reviews
• Scan Docker images for vulnerabilities
• Enable CloudTrail logging
• Use least-privilege IAM policies
• Keep GitHub Actions pinned to major versions

---

Developer Checklist

Before production deployment:

• GitHub repository created
• Dockerfile verified
• Amazon ECR repository created
• ECS Cluster created
• ECS Service created
• ALB configured
• GitHub Actions workflow added
• GitHub OIDC IAM Role configured
• CloudWatch logging enabled
• Deployment tested successfully

---

Interview Questions

What is GitHub Actions?

GitHub Actions is a CI/CD platform that automates building, testing, and deploying applications directly from GitHub repositories.

---

What is Amazon ECR?

Amazon Elastic Container Registry (ECR) is AWS's managed container image registry used to securely store Docker images.

---

What is Amazon ECS?

Amazon Elastic Container Service (ECS) is a managed container orchestration service for running Docker containers on AWS.

---

Why use GitHub OIDC instead of AWS Access Keys?

GitHub OIDC allows GitHub Actions to assume an IAM role using short-lived credentials, eliminating the need to store long-lived AWS access keys as secrets.

---

What happens when aws ecs update-service --force-new-deployment is executed?

ECS starts new tasks with the latest task definition, waits for them to become healthy, shifts traffic, and then terminates the old tasks.

---

Why use immutable Docker image tags?

Immutable tags (such as Git commit SHAs) ensure deployments are repeatable, traceable, and prevent accidental overwriting of images.

---

Summary

In this article, we built a complete CI/CD pipeline for Spring Boot using GitHub Actions, Amazon ECR, and Amazon ECS.

We covered:

• GitHub Actions fundamentals
• Workflow creation
• Java build automation
• Docker image creation
• Amazon ECR integration
• Amazon ECS deployment
• Rolling updates
• Application Load Balancer
• GitHub OIDC authentication
• Monitoring
• Security best practices

GitHub Actions combined with Amazon ECR and Amazon ECS provides a modern, scalable, and secure deployment pipeline for Spring Boot applications. By automating builds, tests, containerization, and deployments, teams can deliver software faster while maintaining high reliability and operational excellence.

---