Onboard a New Repo/Service
This is the happy path for adding a new static service (the strategy the orchestrator implements today) to the multi-repo, orchestrated deploy. Four pieces wire it together.
1. Add a service to the central manifest
In foundry-ops/platform.json, add an entry with repository / path, a stack, a deploy.strategy, the environment→branch map, and a deploy.iac block:
"docs": {
"repository": "FoundryMedia/my-repo",
"path": ".",
"environments": { "prod": { "branch": "main" } },
"scope": "public",
"stack": { "type": "frontend", "framework": "vite", "language": "typescript" },
"deploy": {
"strategy": "static",
"buildCommand": "npm ci && npm run build",
"cdn": true,
"dependsOn": ["iac"],
"iac": {
"stackPath": "ci/iac/prod",
"domain": "docs.example.com",
"distDir": "dist",
"region": "us-east-2",
"roleArn": "arn:aws:iam::<acct>:role/my-repo-tofu-runner",
"bucketOutput": "bucket_name",
"distributionIdOutput": "distribution_id"
}
}
}2. Add the per-repo app-edge stack
In the service repo, create the OpenTofu stack at deploy.iac.stackPath (e.g. ci/iac/prod) — bucket, certificate, CloudFront, DNS, and the tofu-runner IAM role. It must expose the outputs named in the manifest (bucket_name, distribution_id). See IaC Layout.
3. Generate the thin caller workflow
Run foundry generate callers against the central manifest to emit the service's thin-caller workflow into its repo — it delegates to the ops repo's reusable deploy workflow with secrets: inherit. See Thin Caller.
4. Create the tofu-runner role
Provision the IAM role referenced by deploy.iac.roleArn as a GitHub OIDC assume-role, scoped to the repo. The reusable workflow assumes it to plan/apply the stack and publish the build.
Deploy
Trigger the caller workflow (push to the mapped branch or workflow_dispatch). The orchestrator runs smart IaC on the stack, builds, syncs to S3, and invalidates CloudFront.
Onlystaticworks end-to-end through the orchestrator today.service,desktop, andgame-publisherare stubbed — see Orchestrator & Strategies.