From be9452c108decf3e26d350a276a499dd6bdd4e5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominique=20J=C3=A4ggi?=
Date: Thu, 19 Mar 2026 13:53:34 +0100
Subject: [PATCH] feat(ci): migrate to centralized mysticat-ci workflow
---
.github/actions/configure-aws/action.yaml | 29 ---
.../actions/lint-test-coverage/action.yaml | 29 ---
.../actions/protect-nyc-config/action.yaml | 59 ------
.github/actions/setup-node-npm/action.yaml | 35 ----
.github/workflows/ci.yaml | 195 +-----------------
5 files changed, 7 insertions(+), 340 deletions(-)
delete mode 100644 .github/actions/configure-aws/action.yaml
delete mode 100755 .github/actions/lint-test-coverage/action.yaml
delete mode 100644 .github/actions/protect-nyc-config/action.yaml
delete mode 100644 .github/actions/setup-node-npm/action.yaml
diff --git a/.github/actions/configure-aws/action.yaml b/.github/actions/configure-aws/action.yaml
deleted file mode 100644
index b1918c55..00000000
--- a/.github/actions/configure-aws/action.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-name: "Set up AWS Credentials and Fetch Secrets"
-description: "Configures AWS credentials for use in subsequent steps. Fetches secrets from AWS Secrets Manager."
-
-inputs:
- aws_role_to_assume:
- description: "ARN of the IAM role to assume"
- default: "arn:aws:iam::682033462621:role/spacecat-role-github-actions"
- required: true
- secret_ids:
- description: "List of secret IDs to fetch from AWS Secrets Manager"
- default: |
- /spacecat/github-actions
- required: true
-
-runs:
- using: "composite"
- steps:
- - name: Configure AWS Credentials
- id: creds
- uses: aws-actions/configure-aws-credentials@v5
- with:
- aws-region: us-east-1
- role-to-assume: ${{ inputs.aws_role_to_assume }}
-
- - name: Fetch AWS Secrets
- uses: aws-actions/aws-secretsmanager-get-secrets@v2
- with:
- parse-json-secrets: true
- secret-ids: ${{ inputs.secret_ids }}
diff --git a/.github/actions/lint-test-coverage/action.yaml b/.github/actions/lint-test-coverage/action.yaml
deleted file mode 100755
index 8cda9ace..00000000
--- a/.github/actions/lint-test-coverage/action.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-name: "Lint, Test, and Coverage"
-description: "Runs lint and test commands, plus coverage"
-
-inputs:
- codecov_token:
- description: "Codecov Token (optional)"
- required: false
- default: ""
- upload_coverage:
- description: "Whether to upload coverage to Codecov (true/false). Default false."
- required: false
- default: "false"
-
-runs:
- using: "composite"
- steps:
- - name: Lint
- run: npm run lint
- shell: bash
-
- - name: Test
- run: npm run test
- shell: bash
-
- - name: Upload coverage to Codecov
- if: ${{ inputs.upload_coverage == 'true' }}
- uses: codecov/codecov-action@v5
- with:
- token: ${{ inputs.codecov_token }}
diff --git a/.github/actions/protect-nyc-config/action.yaml b/.github/actions/protect-nyc-config/action.yaml
deleted file mode 100644
index eab9fcb3..00000000
--- a/.github/actions/protect-nyc-config/action.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-name: Protect NYC config
-description: Block all edits to .nycrc.json
-
-runs:
- using: composite
- steps:
- - name: Skip non-PR events
- if: github.event_name != 'pull_request'
- shell: bash
- run: echo "Not a pull_request event; skipping Protect NYC config action."
-
- - name: Show basic PR info
- if: github.event_name == 'pull_request'
- shell: bash
- run: |
- echo "PR number: ${{ github.event.number }}"
- echo "PR author: ${{ github.event.pull_request.user.login }}"
- echo "Draft: ${{ github.event.pull_request.draft }}"
-
- - name: Detect .nycrc.json changes
- if: github.event_name == 'pull_request'
- id: detect
- shell: bash
- env:
- FILES_API: ${{ github.api_url }}/repos/${{ github.repository }}/pulls/${{ github.event.number }}/files?per_page=100
- GITHUB_TOKEN: ${{ github.token }}
- run: |
- echo "Checking PR #${{ github.event.number }} file list for .nycrc.json changes..."
- RESPONSE=$(curl -sS -H "Authorization: Bearer $GITHUB_TOKEN" \
- -H "Accept: application/vnd.github+json" \
- "$FILES_API")
- echo "Files in PR:"
- echo "$RESPONSE" | jq -r '.[].filename' || echo "Failed to parse response"
- if echo "$RESPONSE" | grep -qF '".nycrc.json"'; then
- echo "nycrc-changed=true" >> "$GITHUB_OUTPUT"
- echo "✗ .nycrc.json modifications detected - BLOCKING"
- else
- echo "nycrc-changed=false" >> "$GITHUB_OUTPUT"
- echo "✓ No .nycrc.json modifications detected"
- fi
-
- - name: Skip when .nycrc.json unchanged
- if: github.event_name == 'pull_request' && steps.detect.outputs.nycrc-changed != 'true'
- shell: bash
- run: echo "Skipping protection check because .nycrc.json was not touched."
-
- - name: Skip check for draft PRs
- if: github.event_name == 'pull_request' && steps.detect.outputs.nycrc-changed == 'true' && github.event.pull_request.draft == true
- shell: bash
- run: echo "PR is in draft state; skipping protection check."
-
- - name: Block .nycrc.json modifications
- if: github.event_name == 'pull_request' && steps.detect.outputs.nycrc-changed == 'true' && github.event.pull_request.draft == false
- shell: bash
- run: |
- echo "ERROR: Modifications to .nycrc.json are not allowed." >&2
- echo "This file is protected and cannot be changed via pull request." >&2
- exit 1
-
diff --git a/.github/actions/setup-node-npm/action.yaml b/.github/actions/setup-node-npm/action.yaml
deleted file mode 100644
index 70f9a12b..00000000
--- a/.github/actions/setup-node-npm/action.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: "Setup Node & NPM (with cache)"
-description: "Checks out code, sets up Node, uses NPM cache, installs dependencies"
-
-runs:
- using: "composite"
- steps:
- - name: Set up Node
- uses: actions/setup-node@v6
- with:
- node-version-file: '.nvmrc'
-
- - name: Get npm cache directory
- id: npm-cache-dir
- run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT
- shell: bash
-
- - name: Set up NPM Cache
- uses: actions/cache@v5
- id: npm-cache
- with:
- path: ${{ steps.npm-cache-dir.outputs.dir }}
- key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
- restore-keys: |
- ${{ runner.os }}-node-
-
- - name: Configure Git auth for private Mysticat types repo
- run: |
- git config --global url."https://x-access-token:${MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN}@github.com/".insteadOf "https://github.com/"
- git config --global --add url."https://x-access-token:${MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN}@github.com/".insteadOf "ssh://git@github.com/"
- git config --global --add url."https://x-access-token:${MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN}@github.com/".insteadOf "git@github.com:"
- shell: bash
-
- - name: Install dependencies (only if cache miss)
- run: npm ci
- shell: bash
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 7a327c05..16999227 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,200 +1,19 @@ -name: Build +name: CI permissions: id-token: write contents: write issues: read + pull-requests: read on: push: pull_request: types: [opened, synchronize, ready_for_review, reopened] -env: - CI_BUILD_NUM: ${{ github.run_id }} - CI_BRANCH: ${{ github.ref_name }} - HLX_AWS_REGION: ${{ secrets.AWS_REGION }} jobs: - protect-nyc-config: - if: github.event_name == 'pull_request' - runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: read - steps: - - name: Check out - uses: actions/checkout@v6 - with: - persist-credentials: 'false' - - - name: Protect NYC config - uses: ./.github/actions/protect-nyc-config - - build: - runs-on: ubuntu-latest - steps: - - name: Check out - uses: actions/checkout@v6 - with: - persist-credentials: 'false' - - name: Setup Node & NPM - uses: ./.github/actions/setup-node-npm - env: - MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN: ${{ secrets.MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN }} - - - name: Lint, Test, Coverage Upload - uses: ./.github/actions/lint-test-coverage - with: - upload_coverage: "true" - codecov_token: ${{ secrets.CODECOV_TOKEN }} - - - name: Semantic Release (Dry Run) - if: github.event_name == 'push' && github.ref != 'refs/heads/main' - run: npm run semantic-release-dry - env: - GITHUB_TOKEN: ${{ secrets.ADOBE_BOT_GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.ADOBE_BOT_NPM_TOKEN }} - - - name: Print npm debug log if build fails - if: failure() - run: | - if [ -f /home/runner/.npm/_logs/*.log ]; then - echo "==== NPM DEBUG LOG ====" - find /home/runner/.npm/_logs -name '*.log' -exec cat {} \; - echo "==== END NPM DEBUG LOG ====" - else - echo "No npm debug log found." 
- fi
-
- - name: Clean npm cache
- run: npm cache clean --force
-
- - name: Create empty cache directory
- run: mkdir -p /tmp/empty-cache
-
- - name: Install dependencies
- run: npm ci --cache /tmp/empty-cache
-
- semantic-release:
- runs-on: ubuntu-latest
- needs: build
- if: github.event_name == 'push' && github.ref == 'refs/heads/main'
- steps:
- - name: Check out
- uses: actions/checkout@v6
- with:
- persist-credentials: 'false'
-
- - name: Configure Environment
- run: echo -e "LOG_LEVEL=info\n" > .env
-
- - name: Setup Node & NPM
- uses: ./.github/actions/setup-node-npm
- env:
- MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN: ${{ secrets.MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN }}
-
- - name: Configure AWS
- uses: ./.github/actions/configure-aws
- with:
- aws_role_to_assume: 'arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_PROD}}:role/spacecat-role-github-actions'
-
- - name: Semantic Release
- run: npm run semantic-release
- env:
- GITHUB_TOKEN: ${{ secrets.ADOBE_BOT_GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.ADOBE_BOT_NPM_TOKEN }}
- AWS_REGION: us-east-1
- AWS_ACCOUNT_ID: ${{secrets.AWS_ACCOUNT_ID_PROD}}
-
- deploy-stage:
- runs-on: ubuntu-latest
- needs: build
- if: github.event_name == 'push' && github.ref == 'refs/heads/main'
- steps:
- - name: Check out
- uses: actions/checkout@v6
- with:
- persist-credentials: 'false'
-
- - name: Setup Node & NPM
- uses: ./.github/actions/setup-node-npm
- env:
- MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN: ${{ secrets.MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN }}
-
- - name: Configure AWS for STAGE
- uses: ./.github/actions/configure-aws
- with:
- aws_role_to_assume: 'arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_STAGE}}:role/spacecat-role-github-actions'
-
- - name: Branch Deployment
- run: npm run deploy-stage
- env:
- AWS_REGION: us-east-1
- AWS_ACCOUNT_ID: ${{secrets.AWS_ACCOUNT_ID_STAGE}}
-
- upload-build-artifacts:
- runs-on: ubuntu-latest
- needs: build
- if: github.event_name == 'push' && github.ref == 'refs/heads/main'
- steps:
- - name: Check out
- uses: actions/checkout@v6
- with:
- persist-credentials: 'false'
-
- - name: Setup Node & NPM
- uses: ./.github/actions/setup-node-npm
- env:
- MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN: ${{ secrets.MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN }}
-
- - name: Configure AWS for DEV
- uses: ./.github/actions/configure-aws
- with:
- aws_role_to_assume: 'arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_DEV}}:role/spacecat-role-github-actions'
-
- - name: Create Build Artifacts
- run: npm run build
- env:
- AWS_REGION: us-east-1
- AWS_ACCOUNT_ID: ${{secrets.AWS_ACCOUNT_ID_DEV}}
-
- - name: Copy Build Artifact
- run: cp dist/spacecat-services/task-processor@*.zip spacecat-services--task-processor-latest.zip
- env:
- AWS_REGION: us-east-1
- AWS_ACCOUNT_ID: ${{secrets.AWS_ACCOUNT_ID_DEV}}
-
- - name: Upload Build Artifact
- run: aws s3 cp spacecat-services--task-processor-latest.zip s3://spacecat-artifacts-dev/spacecat-services--task-processor-latest.zip
- env:
- AWS_REGION: us-east-1
- AWS_ACCOUNT_ID: ${{secrets.AWS_ACCOUNT_ID_DEV}}
-
- branch-deploy:
- runs-on: ubuntu-latest
- needs: build
- if: github.event_name == 'push' && github.ref != 'refs/heads/main'
- steps:
- - name: Check out
- uses: actions/checkout@v6
- with:
- persist-credentials: 'false'
-
- - name: Setup Node & NPM
- uses: ./.github/actions/setup-node-npm
- env:
- MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN: ${{ secrets.MYSTICAT_DATA_SERVICE_REPO_READ_TOKEN }}
-
- - name: Configure AWS
- uses: ./.github/actions/configure-aws
- with:
- aws_role_to_assume: 'arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_DEV}}:role/spacecat-role-github-actions'
-
- - name: Branch Deployment
- run: npm run deploy-dev
- env:
- AWS_REGION: us-east-1
- AWS_ACCOUNT_ID: ${{secrets.AWS_ACCOUNT_ID_DEV}}
-
- - name: Post-Deployment Integration Test
- run: npm run test-postdeploy
+ ci:
+ uses: adobe/mysticat-ci/.github/workflows/service-ci.yaml@v1
+ with:
+ service-name: task-processor
+ secrets: inherit
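Review bot: The new `ci` job forwards every repository and organisation secret to the reusable workflow via `secrets: inherit` while pinning that workflow only to the mutable tag `@v1` on the new-side `uses:` line, so the trust boundary for the AWS OIDC role, the release tokens and the data-service read token now sits on whoever can move that tag in `adobe/mysticat-ci`. Pin the reference to a full commit SHA and keep the tag as a comment, `uses: adobe/mysticat-ci/.github/workflows/service-ci.yaml@<full-commit-sha>  # v1`, and prefer passing only the secrets `service-ci.yaml` declares over `inherit` once its inputs are known. The workflow-level `permissions` keep `id-token: write` and `contents: write` for every event including `pull_request`, whereas the removed `protect-nyc-config` job had been scoped to `contents: read` and `pull-requests: read`; if the central workflow does not need write access for PR runs, a read-only default with write grants only on the release path would restore that separation. The `.nycrc.json` protection check and the git credential rewrite for the private Mysticat types repo are deleted in this commit without a replacement in this file, and whether `service-ci.yaml@v1` reproduces them cannot be seen from the diff, so that is worth confirming before merge.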