# ecs-run-migration

> ECS run migration

Run the app's one-off migrate task definition on Fargate and fail unless the migrate container exits 0. The task's network configuration (private subnets + security group) is cloned from an existing service in the cluster, so no networking coordinates are needed. Assumes the deploy role (DEPLOY_ROLE_ARN) via OIDC -- the calling job needs `permissions: id-token: write`. On failure the task's CloudWatch logs are printed (best effort). Gate service deploys on this step.

## Inputs

| Input | Required | Default | Description |
|---|---|---|---|
| `role-arn` | yes | — | DEPLOY_ROLE_ARN -- the deploy IAM role to assume via OIDC. |
| `region` | yes | — | Region of the cluster (run migrations in the tier's primary region only). |
| `cluster` | yes | — | ECS cluster name (e.g. codegen-example-app-prod-primary). |
| `task-definition` | yes | — | Migrate task definition FAMILY (e.g. codegen-example-app-prod-primary-migrate); the latest ACTIVE revision runs. |
| `network-from-service` | yes | — | Service in the cluster whose awsvpc network configuration the task clones (the api service). |
| `container` | no | `migrate` | Container whose exit code decides success. |
| `timeout-minutes` | no | `15` | Give up (and fail) if the task hasn't stopped after this long. |

## Usage

```yaml
- uses: actions/checkout@v6
- uses: FSHTech/github-actions/ecs-run-migration@v1
  with:
    role-arn: ...
    region: ...
    cluster: ...
    task-definition: ...
    network-from-service: ...
```