Replace Jenkins + SonarQube with a fully GitHub-native CI/CD platform. Production stays on AWS, dev/staging moves to Hetzner VPS. Deterministic infrastructure, promotion governance, auditability, cost discipline.
No more server maintenance, plugin updates, or credential management
Replaced by CodeQL, PHPStan, Codecov — all free, zero infrastructure
Ephemeral AWS credentials via GitHub OIDC. No static keys anywhere
Production infrastructure as code. Auditable, reproducible, drift-free
Side-by-side comparison of the current and proposed infrastructure.
| SonarQube Feature | GitHub Replacement | Status |
|---|---|---|
| Code quality analysis | PHPStan (level 6) + ESLint | Already configured |
| Security scanning | GitHub CodeQL (GHAS) | In CI workflow |
| Dependency vulnerabilities | Dependabot + composer audit + npm audit | Active |
| Coverage tracking | Codecov (40% threshold) | In CI workflow |
| Quality gate (block merge) | GitHub required status checks | Branch protection |
| Dashboard / metrics | GitHub Security tab + Codecov dashboard | Per-PR diffs |
The existing network diagram specifies a 6-VPC architecture. We recommend a single-VPC approach instead.
| Component | 6-VPC Architecture | Right-Sized | Savings |
|---|---|---|---|
| Transit Gateway (6 attachments) | ~$216/mo | $0 | $216/mo |
| AWS Network Firewall | ~$300/mo | $0 (Security Groups + WAF) | $300/mo |
| VPC networking (NAT, endpoints) | ~$150/mo | ~$35/mo (1 NAT) | $115/mo |
| Multiple RDS instances | ~$400+/mo | ~$70/mo (1 Multi-AZ) | $330/mo |
| Networking overhead | ~$1,000+/mo | ~$100/mo | ~$900/mo |
The 6-VPC design is only warranted in cases such as these:
When a client contract requires physical PII isolation (not just logical)
When you have multiple independent applications needing cross-VPC communication
When a regulatory audit demands network-level traffic inspection beyond Security Groups
GitHub as single control plane. All environments on AWS in one VPC. OIDC for identity.
Identity and secrets are separate concerns. OIDC handles identity. Secrets Manager and GitHub Secrets handle configuration.
No static AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY stored anywhere. Scoped to repo + branch.
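The repo-plus-branch scoping above is enforced in the IAM trust policy, not in the workflow. The Terraform below is an added illustration, not the proposal's own module: it assumes a `github_repository` variable holding the org/repo name, a `main` production branch, and a placeholder CA thumbprint that must be verified before applying.

```hcl
variable "github_repository" {
  description = "GitHub org/repo allowed to deploy, e.g. example-org/example-app (assumed value)"
  type        = string
}

# GitHub's OIDC issuer, registered once per AWS account.
resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  # Placeholder: obtain and verify the issuer's current CA thumbprint before applying.
  thumbprint_list = ["0000000000000000000000000000000000000000"]
}

data "aws_iam_policy_document" "github_deploy_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    # Audience must be STS, so a token minted for another service is rejected.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Subject pins repo AND branch: a PR, a fork or another branch of the same
    # repo cannot assume this role. If the job runs under a GitHub environment,
    # the claim is repo:<org/repo>:environment:<name> instead.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_repository}:ref:refs/heads/main"]
    }
  }
}

# The role the production deploy workflow assumes; attach a least-privilege
# deploy policy (ECS/ECR/Secrets Manager read) to it separately.
resource "aws_iam_role" "github_prod_deploy" {
  name                 = "github-prod-deploy"
  assume_role_policy   = data.aws_iam_policy_document.github_deploy_trust.json
  max_session_duration = 3600 # credentials live at most one hour
}
```

On the workflow side the deploy job needs `permissions: id-token: write` and a step that calls `aws-actions/configure-aws-credentials` with `role-to-assume` set to this role's ARN; no AWS key is stored in GitHub.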
| Secret Type | Location | Rationale |
|---|---|---|
| AWS deploy identity | OIDC (no secret stored) | Ephemeral, identity only |
| Production DB password | AWS Secrets Manager | KMS-encrypted, rotatable, CloudTrail audited |
| Production API keys (Stripe, SendGrid, Twilio) | AWS Secrets Manager | Central control, audit logging |
| SSH deploy key | AWS Secrets Manager | Retrieved via OIDC during deploy only |
| Staging / UAT secrets | GitHub Encrypted Secrets | No PHI, simpler ops, per-environment scoped |
| Local development | .env.local | Developer-only, gitignored |
Net reduction of ~$80+/month while gaining staging, UAT, and enterprise-grade security posture.
| Item | Current | Proposed | Savings |
|---|---|---|---|
| Jenkins server | ~$30–50/mo | $0 (GitHub Actions free tier) | ~$40/mo |
| SonarQube server | ~$30–50/mo | $0 (CodeQL + Codecov free) | ~$40/mo |
| Staging environment | Not provisioned ($60–100 planned) | Hetzner CX32 ~€8/mo | ~$75/mo vs AWS plan |
| Non-prod object storage | S3 ~$5/mo | Hetzner Object Storage ~€5/mo | ~$0 |
| Net monthly | ~$60–100+ | ~$15 | ~$80+/mo |
4-phase rollout over 10 weeks. Each phase is independently valuable.
CI workflow (ci.yml), branch protection, Codecov, CodeQL, Dependabot. Replaces Jenkins CI stages and SonarQube analysis. Code complete
Provision CX32, harden OS, Docker Compose stack, self-hosted runner, staging deploy workflow, .env.staging, object storage.
Terraform modules (VPC, RDS, ECS, ALB, IAM, monitoring). Import existing AWS resources. OIDC trust. Production deploy workflow. AWS self-hosted runner.
Dual deploy (Jenkins + GitHub Actions) for 2 weeks. Decommission Jenkins. Remove Jenkinsfile + sonar-project.properties. Decommission SonarQube.
Every component is selected to satisfy SOC2 Trust Service Criteria without over-engineering.
Full breakdown of work items tracked in GitHub Issues.
8 issues — 2FA, RBAC roles, branch protection (main, uat, develop), environments, approval gates, signed commits
8 issues — Reusable CI workflow, lint, test, coverage, security scan, build artifact, required status checks
10 issues — VPS provisioning, OS hardening, Docker, staging/UAT stacks, self-hosted runner, anonymization pipeline
14 issues — VPC, RDS Multi-AZ, ECS/EC2, ALB, IAM, Backup, CloudWatch, GuardDuty, WAF, S3, OIDC, runner, rollback
10 issues — CI, staging, UAT, production workflows, OIDC, smoke tests, notifications, rollback, dual deploy, decommission
8 issues — Change management docs, log retention, encryption, TLS, data flow, security scanning, access review, incident response
Approve the migration from Jenkins + SonarQube to GitHub Actions with the described architecture. Phase 1 (CI foundation) is already code-complete and ready for activation.