From 7943cf506a5f5fdf3c82d002639b109bd4d5f96d Mon Sep 17 00:00:00 2001
From: lukeocodes
Date: Tue, 5 May 2026 01:06:26 +0100
Subject: [PATCH] ci(cdn): add workflow_dispatch trigger and PR dry-run for registry upload

Two pieces of validation tooling for the CDN publish pipeline:

1. workflow_dispatch on npm-publish.yml so the publish-cdn-registry job can be fired manually for ad-hoc validation. The registry has no versioned path so no extra version resolution is needed; on dispatch the registry is rebuilt from packages/registry/dist/r/ and synced to s3://$BUCKET/ui/r/ with /ui/r/* invalidated.

2. New cdn-dryrun.yml workflow that runs on PRs touching the ui package, the registry package, or either of the publish workflows. Authenticates via OIDC to the read-only github-actions-cdn-reader role, lists what is currently at s3://$BUCKET/ui/r/, and performs aws s3 sync --dryrun against the registry path. No writes. Catches broken builds, missing registry items, role mis-assumptions, and bucket-path drift before they hit a release.

Both wired against the existing org-level secrets: CDN_AWS_ROLE_DEPLOYER (writes), CDN_AWS_ROLE_READER (reads), CDN_AWS_REGION, CDN_S3_BUCKET, CDN_CLOUDFRONT_DISTRIBUTION_ID.
---
 .github/workflows/cdn-dryrun.yml | 53 +++++++++++++++++++++++++++++++
 .github/workflows/npm-publish.yml | 5 ++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/cdn-dryrun.yml

diff --git a/.github/workflows/cdn-dryrun.yml b/.github/workflows/cdn-dryrun.yml
new file mode 100644
index 0000000..a11abad
--- /dev/null
+++ b/.github/workflows/cdn-dryrun.yml
@@ -0,0 +1,53 @@
+name: CDN Dry-Run
+
+on:
+  pull_request:
+    paths:
+      - "packages/ui/**"
+      - "packages/registry/**"
+      - ".github/workflows/cdn-dryrun.yml"
+      - ".github/workflows/npm-publish.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  dryrun-registry:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: "1.3.10"
+
+      - run: bun install
+
+      - run: bun run build:registry
+
+      - name: Configure AWS credentials (read-only)
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: ${{ secrets.CDN_AWS_ROLE_READER }}
+          role-session-name: gha-cdn-dryrun-registry-${{ github.run_id }}
+          aws-region: ${{ secrets.CDN_AWS_REGION }}
+
+      - name: List existing registry objects at CDN
+        env:
+          BUCKET: ${{ secrets.CDN_S3_BUCKET }}
+        run: |
+          echo "::group::existing s3://${BUCKET}/ui/r/"
+          aws s3 ls "s3://${BUCKET}/ui/r/" --recursive --human-readable --summarize || echo "(no registry at CDN yet)"
+          echo "::endgroup::"
+
+      - name: Dry-run registry sync
+        env:
+          BUCKET: ${{ secrets.CDN_S3_BUCKET }}
+        run: |
+          ITEM_COUNT=$(ls -1 ./packages/registry/dist/r/*.json 2>/dev/null | wc -l | tr -d ' ')
+          echo "Built ${ITEM_COUNT} registry JSON files"
+          echo "::group::dryrun → s3://${BUCKET}/ui/r/"
+          aws s3 sync ./packages/registry/dist/r/ "s3://${BUCKET}/ui/r/" --dryrun
+          echo "::endgroup::"
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 64e8ba4..db21cbc 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -3,6 +3,7 @@ name: npm Publish
 on:
   push:
     branches: [main]
+  workflow_dispatch:
 
 permissions:
   contents: write
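Review bot: The "Dry-run registry sync" step never fails when the build produces no registry items: `ls ... | wc -l` yields `0` for an empty `dist/r/`, the count is only echoed, and `aws s3 sync --dryrun` of an empty directory exits 0, so the "missing registry items" case the commit message says this catches goes green. Add a guard right after the count, `if [ "${ITEM_COUNT}" -eq 0 ]; then echo "::error::no registry JSON built in packages/registry/dist/r/"; exit 1; fi`. Separately, on `pull_request` runs from forks the `secrets.*` values are empty and no OIDC token is issued, so the `configure-aws-credentials` step will presumably fail on every fork PR; either skip the AWS steps for fork-originated PRs (e.g. a step-level `if` on `github.event.pull_request.head.repo.fork`) or add a comment above `permissions:` stating that fork PRs are expected to fail here. Since this job mints an OIDC token and assumes a cloud role, the three third-party actions referenced by major tag (`actions/checkout@v6`, `oven-sh/setup-bun@v2`, `aws-actions/configure-aws-credentials@v6`) are the usual candidates for pinning to a full commit SHA.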
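Review bot: The new `workflow_dispatch:` trigger is accepted from any ref, and the job condition added in the later hunk (`publish-cdn-registry`, `@@ -53,7 +54,9 @@`) gates only on `github.event_name == 'workflow_dispatch'`, so a manual run chosen from a feature branch would build that branch's registry and sync it to the production path `s3://$BUCKET/ui/r/` under the top-level `contents: write` workflow. If dispatch is meant only for validating the release path, tighten the condition to `(github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')`, or put the job behind a protected `environment` so a reviewer approves each manual publish. It would also help to state the intended use in a comment above `workflow_dispatch:`, since `on:` currently gives no hint that a manual run publishes to the CDN.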
@@ -53,7 +54,9 @@ jobs:
   publish-cdn-registry:
     needs: release-please
-    if: needs.release-please.outputs.release_created == 'true'
+    if: |
+      needs.release-please.outputs.release_created == 'true' ||
+      github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     permissions:
       contents: read