# CI/CD ECR Deployment Flow Record

## Goal

Record the current production CI/CD state for the backend Docker deployment path and preserve the handoff point before EC2 manual service startup.

## Scope

- Document that pushes to `main` trigger the Gitea workflow to build the backend Docker image.
- Document that the workflow validates the image and pushes `${GITHUB_SHA}` and `latest` tags to AWS ECR.
- Document that Cloudflare IPv4 CIDR ingress rules were added for `tcp/80` and `tcp/443` on security group `sg-064bf6675c881fde3` in `us-east-2`.
- Document that the open `0.0.0.0/0` ingress rules for `tcp/80` and `tcp/443` remain in place until the API is healthy.
- Document that final EC2 service startup is intentionally manual: the operator will log in to the single EC2 host and run Docker Compose after confirming the image exists in ECR.

## Out of Scope

- Automated SSH or SSM deployment to EC2.
- ECS task definition or service deployment.
- Removing the public `0.0.0.0/0` security group rules before API health is confirmed.

## Acceptance Criteria

- Trellis task records the completed CI/CD preparation work.
- The task is archived after recording completion.
- The temporary root-level `DEPLOYMENT_REPORT.md` is removed.
- Current repository changes are committed on `dev`, pushed, and proposed for merge to `main`.
- After merge or main push triggers CI, ECR is checked for the uploaded backend image.