From 63ce7679f57b3c56f0cb72861565a5cf420b3b5a Mon Sep 17 00:00:00 2001 From: lukeocodes Date: Tue, 5 May 2026 01:06:11 +0100 Subject: [PATCH] ci(cdn): add workflow_dispatch trigger and PR dry-run for widget upload Two pieces of validation tooling for the CDN publish pipeline: 1. workflow_dispatch on npm-publish.yml so the publish-cdn-widget job can be fired manually for ad-hoc validation. On dispatch the widget version is read from packages/widget/package.json (so re-upload of the current published version is the default behaviour). On release-please push the version still comes from the release-please output as before. 2. New cdn-dryrun.yml workflow that runs on PRs touching the widget, sdk, or either of the publish workflows. Authenticates via OIDC to the read-only github-actions-cdn-reader role, lists what is currently at s3://$BUCKET/widgets/, and performs aws s3 sync --dryrun against both the versioned and latest paths. No writes. Catches broken builds, missing dist artifacts, role mis-assumptions, and bucket-path drift before they hit a release. Both wired against the existing org-level secrets: CDN_AWS_ROLE_DEPLOYER (writes), CDN_AWS_ROLE_READER (reads), CDN_AWS_REGION, CDN_S3_BUCKET, CDN_CLOUDFRONT_DISTRIBUTION_ID. --- .github/workflows/cdn-dryrun.yml | 56 +++++++++++++++++++++++++++++++ .github/workflows/npm-publish.yml | 20 +++++++++-- 2 files changed, 74 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/cdn-dryrun.yml diff --git a/.github/workflows/cdn-dryrun.yml b/.github/workflows/cdn-dryrun.yml new file mode 100644 index 0000000..43726cd --- /dev/null +++ b/.github/workflows/cdn-dryrun.yml 
@@ -0,0 +1,56 @@
+name: CDN Dry-Run
+
+on:
+ pull_request:
+ paths:
+ - "packages/widget/**"
+ - "packages/sdk/**"
+ - ".github/workflows/cdn-dryrun.yml"
+ - ".github/workflows/npm-publish.yml"
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ dryrun-widget:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+
+ - uses: oven-sh/setup-bun@v2
+ with:
+ bun-version: "1.3.13"
+
+ - run: bun install
+
+ - run: bun run build
+
+ - name: Configure AWS credentials (read-only)
+ uses: aws-actions/configure-aws-credentials@v6
+ with:
+ role-to-assume: ${{ secrets.CDN_AWS_ROLE_READER }}
+ role-session-name: gha-cdn-dryrun-widget-${{ github.run_id }}
+ aws-region: ${{ secrets.CDN_AWS_REGION }}
+
+ - name: List existing widget objects at CDN
+ env:
+ BUCKET: ${{ secrets.CDN_S3_BUCKET }}
+ run: |
+ echo "::group::existing s3://${BUCKET}/widgets/"
+ aws s3 ls "s3://${BUCKET}/widgets/" --recursive --human-readable --summarize || echo "(no widgets at CDN yet)"
+ echo "::endgroup::"
+
+ - name: Dry-run widget sync
+ env:
+ BUCKET: ${{ secrets.CDN_S3_BUCKET }}
+ run: |
+ VER=$(node -p "require('./packages/widget/package.json').version")
+ echo "Would publish widget v${VER}"
+ echo "::group::dryrun → s3://${BUCKET}/widgets/v${VER}/"
+ aws s3 sync ./packages/widget/dist/ "s3://${BUCKET}/widgets/v${VER}/" --dryrun
+ echo "::endgroup::"
+ echo "::group::dryrun → s3://${BUCKET}/widgets/latest/"
+ aws s3 sync ./packages/widget/dist/ "s3://${BUCKET}/widgets/latest/" --dryrun
+ echo "::endgroup::"
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 169ca32..bfa553a 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -3,6 +3,7 @@ name: npm Publish
 on:
 push:
 branches: [main]
+ workflow_dispatch:
 permissions:
 contents: write
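Review bot: The `|| echo "(no widgets at CDN yet)"` on the `aws s3 ls` line of the "List existing widget objects at CDN" step turns every failure of the listing, including an `AccessDenied` from a mis-assumed role or a wrong bucket name, into a green step that reports an empty prefix, which is precisely the role-mis-assumption and bucket-drift case the commit message says this workflow exists to catch. `aws s3 ls` does exit 1 for an empty prefix, so the fallback should apply only when no API error was reported, as in the rewrite below; the later `--dryrun` syncs would likely still surface a listing error, but not before the misleading message has been printed. The two dry-run syncs also omit the `--delete` that the real upload uses, so the preview never shows objects that would be removed from `latest/`; add `--delete` to both so the output matches what a release would do. Fork PRs receive no OIDC token on `pull_request`, so if this repository accepts fork contributions the credentials step will fail there; gate the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` rather than switching to `pull_request_target`, because with `id-token: write` the OIDC request token is exposed to every step of the job, including `bun install`'s lifecycle scripts, not only the credentials step.
```yaml
# … unchanged: checkout, setup-bun, bun install / bun run build, configure-aws-credentials steps …
      - name: List existing widget objects at CDN
        env:
          BUCKET: ${{ secrets.CDN_S3_BUCKET }}
        run: |
          echo "::group::existing s3://${BUCKET}/widgets/"
          # `aws s3 ls` exits 1 for an empty prefix as well as for API errors, so
          # only treat the no-error case as "nothing published yet".
          if ! out=$(aws s3 ls "s3://${BUCKET}/widgets/" --recursive --human-readable --summarize 2>&1); then
            case "${out}" in
              *"An error occurred"*) echo "${out}" >&2; exit 1 ;;
              *) echo "${out}"; echo "(no widgets at CDN yet)" ;;
            esac
          else
            echo "${out}"
          fi
          echo "::endgroup::"
# … unchanged: dry-run sync step (add --delete to both syncs) …
```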
@@ -97,7 +98,9 @@ jobs: publish-cdn-widget: needs: release-please - if: needs.release-please.outputs.widget--release_created == 'true' + if: | + needs.release-please.outputs.widget--release_created == 'true' || + github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest permissions: contents: read @@ -113,6 +116,19 @@ jobs: - run: bun run build + - name: Resolve widget version + id: ver + env: + RELEASE_VERSION: ${{ needs.release-please.outputs.widget--version }} + run: | + if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then + VER=$(node -p "require('./packages/widget/package.json').version") + else + VER="${RELEASE_VERSION}" + fi + echo "version=${VER}" >> $GITHUB_OUTPUT + echo "Resolved widget version: ${VER}" + - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v6 with: @@ -123,7 +139,7 @@ jobs: - name: Upload widget bundle to CDN (versioned + latest) env: BUCKET: ${{ secrets.CDN_S3_BUCKET }} - VERSION: ${{ needs.release-please.outputs.widget--version }} + VERSION: ${{ steps.ver.outputs.version }} run: | aws s3 sync ./packages/widget/dist/ "s3://${BUCKET}/widgets/v${VERSION}/" --delete aws s3 sync ./packages/widget/dist/ "s3://${BUCKET}/widgets/latest/" --delete
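Review bot: The new `github.event_name == 'workflow_dispatch'` arm lets anyone with write access run this publish job from any ref, and the job (its `permissions:` and upload steps continue outside the hunk) assumes the deployer role and overwrites `widgets/latest/`, so a dispatch from a feature branch ships unreleased code to the CDN. The commit message's "re-upload of the current published version" only holds when the dispatched ref is `main`; tighten the arm to `(github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')` and consider binding the job to a GitHub environment with required reviewers so a manual publish is a deliberate, audited act. Separately, if the `release-please` job this one `needs:` is itself gated to the push event, a dispatch run skips it and this job is skipped with it regardless of the new `||`; the condition would then need to begin with `!cancelled() &&` to be evaluated at all.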
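Review bot: `VER` in the new "Resolve widget version" step flows unvalidated into the S3 key prefix `widgets/v${VERSION}/` used by the upload step later in the job, and on `workflow_dispatch` it comes straight from the checked-out branch's package.json; an empty or malformed value (for instance one containing `/`) silently changes which CDN path gets synced with `--delete`. Validate it against a semver pattern before writing it to `$GITHUB_OUTPUT` and fail the job otherwise, as below (the default `run:` shell on ubuntu is bash, so `[[ =~ ]]` is available). Minor hygiene: `${{ github.event_name }}` is spliced into the script text while `RELEASE_VERSION` is correctly routed through `env:`; use the runner-provided `$GITHUB_EVENT_NAME` instead. The `publish-cdn-widget` job this step belongs to starts and ends outside the hunk.
```yaml
      - name: Resolve widget version
        id: ver
        env:
          RELEASE_VERSION: ${{ needs.release-please.outputs.widget--version }}
        run: |
          if [ "${GITHUB_EVENT_NAME}" = "workflow_dispatch" ]; then
            VER=$(node -p "require('./packages/widget/package.json').version")
          else
            VER="${RELEASE_VERSION}"
          fi
          # VER becomes the S3 key prefix widgets/v${VER}/ that is synced with
          # --delete; refuse anything empty or not a plain semver string.
          semver='^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.-]+)?$'
          if ! [[ "${VER}" =~ $semver ]]; then
            echo "::error::Refusing to publish: invalid widget version '${VER}'"
            exit 1
          fi
          echo "version=${VER}" >> "$GITHUB_OUTPUT"
          echo "Resolved widget version: ${VER}"
```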
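Review bot: With `VERSION` now sourced from package.json on dispatch, the first `aws s3 sync ... --delete` re-syncs an already-published `widgets/v${VERSION}/` in place, so versioned CDN paths are no longer immutable and any consumer pinning a version (or an SRI hash of its files) can see the contents change under it. If re-upload is meant to be deliberate, guard the versioned sync with an existence check that only an explicit dispatch input can override, e.g. `if aws s3 ls "s3://${BUCKET}/widgets/v${VERSION}/" >/dev/null 2>&1; then echo "::error::v${VERSION} is already published"; exit 1; fi` before the first sync. The hunk shows no CloudFront invalidation after the `latest/` sync; if that lives later in the job it is outside this view, otherwise `latest/` stays stale at the edge until the cache TTL expires.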