docs: mandate GitHub Workflows as the only deployment path

Cataldir · Cataldir · commit 662e68fbf86d · 2026-03-09T21:08:22.000-03:00
- Add deployment policy to azd-deployment.md runbook (mandatory directive)
- Add deployment section to CONTRIBUTING.md
- Add .github/copilot-instructions.md enforcing GitHub Workflow deployment
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -0,0 +1,14 @@
+# Copilot Instructions for Tutor Platform
+
+## Deployment Policy (MANDATORY)
+
+All deployments to Azure **MUST** be performed via GitHub Workflows. Never suggest or execute direct `azd deploy`, `az containerapp update`, or manual Docker pushes for production environments.
+
+**Authorized deployment paths:**
+
+- `.github/workflows/azd-deploy.yml` — Infrastructure + 8 backend services (triggers on push to `main` or `workflow_dispatch`)
+- `.github/workflows/azure-static-web-apps-polite-wave-029b18f0f.yml` — Frontend SWA (triggers on push to `main`, PR events, or `workflow_dispatch`)
+
+When a user asks to deploy, always guide them to merge into `main` (which auto-triggers workflows) or to use `workflow_dispatch` from the GitHub Actions UI.
+
+Local `azd provision` and `azd deploy` are permitted **only** for first-time environment bootstrap per the [deployment runbook](docs/runbooks/azd-deployment.md).
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -74,3 +74,14 @@ Before you submit your Pull Request (PR) consider the following guidelines:
     ```
 
 That's it! Thank you for your contribution!
+
+## <a name="deployment"></a> Deployment Policy
+
+**All deployments to Azure MUST use GitHub Workflows.** Manual `azd deploy`, `az containerapp update`, or direct Docker pushes are not permitted for production environments.
+
+| Workflow | Scope |
+|----------|-------|
+| `.github/workflows/azd-deploy.yml` | Infrastructure provisioning + backend services (Container Apps) |
+| `.github/workflows/azure-static-web-apps-polite-wave-029b18f0f.yml` | Frontend (Static Web App) |
+
+Both workflows trigger automatically on push to `main`. They can also be run manually via `workflow_dispatch`. See the [deployment runbook](docs/runbooks/azd-deployment.md) for full details.
diff --git a/docs/runbooks/azd-deployment.md b/docs/runbooks/azd-deployment.md
@@ -2,6 +2,19 @@
 
 This runbook describes how to provision and deploy Tutor with Azure Developer CLI (`azd`) and Terraform.
 
+> **DEPLOYMENT POLICY — MANDATORY**
+>
+> All deployments to Azure **MUST** be performed via GitHub Workflows. Direct `azd deploy`, `az containerapp update`, or manual Docker pushes to ACR are **prohibited** for production environments. The only authorized deployment paths are:
+>
+> | Workflow | Scope | Trigger |
+> |----------|-------|---------|
+> | `.github/workflows/azd-deploy.yml` | Infrastructure + 8 backend services (Container Apps) | Push to `main` or `workflow_dispatch` |
+> | `.github/workflows/azure-static-web-apps-polite-wave-029b18f0f.yml` | Frontend (Static Web App) | Push to `main`, PR events, or `workflow_dispatch` |
+>
+> **Why:** GitHub Workflows provide auditable, reproducible deployments with proper secret management via OIDC federation. Manual deployments bypass CI checks, status gates, and deployment traceability.
+>
+> Local `azd provision` and `azd deploy` are permitted **only** for first-time bootstrap of a new environment (see [First-Time Bootstrap](#first-time-bootstrap-local)).
+
 ## Scope
 
 - Repository: `Azure-Samples/tutor`
