chore: move more release logic to gha (#3676)

- Trigger Deployment Pipeline from GitHub Actions
- Move "prod stage" into GitHub Actions, under an enviro that requires a
rubberstamp
- Soon, the rubberstamp will be done automatically when the remains of
the TeamJenkins phase runs.
  - Eventually, something something ootb from the dep pipeline
  - For now, manual rubberstamp.
 
 Rationale: Jenkins is a PITA, running stuff in GHA should help.
 
 ## What's going on:
 
 ```mermaid
 sequenceDiagram
    box blue Public network
    participant SFDC
    participant NPM
    participant GitHub-public
    end
    box purple VPC network
    participant GitHub-coveo
    participant DepPipeline
    participant AWS
    participant TeamJenkins
    end
    GitHub-public->>+NPM: Publish package on beta tag
    GitHub-public->>+SFDC: Publish package
GitHub-public->>+GitHub-coveo: Continue GitHub workflow on Coveo Hosted
Runner
    GitHub-coveo-)DepPipeline: Trigger Deployment Pipeline
GitHub-coveo->>+GitHub-public: Continue GitHub workflow on GitHub Hosted
runner
    activate GitHub-public
    DepPipeline->>DepPipeline: Do the usual checks
    DepPipeline->>+AWS: Deploy files to S3
    DepPipeline->>+TeamJenkins: Dispatch Jenkins Job
    DepPipeline->>+AWS: Invalidate CloudFront Cache
    Note right of GitHub-public: Wait for ✅ 
    deactivate GitHub-public
TeamJenkins->>+GitHub-public: Approve Production GitHub Environment
usage
    GitHub-public->>+NPM: Promote package to latest
    GitHub-public->>+SFDC: Promote package to latest
```

.cspell.json

@@ -133,6 +133,7 @@
     "sfcreatedbyid",
     "sfcreatedbyname",
     "SFCT",
+    "SFDC",
     "sfdx",
     "sffeeditemid",
     "sfid",

.deployment.config.json

@@ -198,6 +198,9 @@
         "job_name": "ui-kit-production-release",
         "prd": {
           "disabled": false
+        },
+        "extra_parameters": {
+          "GITHUB_RUN_ID": "$[GITHUB_RUN_ID]"
         }
       }
     }

.eslintrc.js

@@ -9,6 +9,7 @@ module.exports = {
     'dist',
     'www',
     '!.storybook',
+    'scripts/deploy/execute-deployment-pipeline.mjs',
   ],
   env: {
     jest: true,

.github/workflows/release.yml

@@ -52,3 +52,37 @@ jobs:
         run: npm run release:phase5
         env:
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  start-deployment:
+    needs: release
+    runs-on: [coveo, linux, x64, ec2]
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        with:
+          ref: 'release/v2'
+      - uses: ./.github/actions/setup
+      - name: Build
+        run: npm run build
+      - name: Start deployment pipeline
+        run: node ./scripts/deploy/execute-deployment-pipeline.mjs
+  promote-prod:
+    needs: start-deployment
+    environment: 'Production'
+    runs-on: 'ubuntu-latest'
+    env:
+      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        with:
+          ref: 'release/v2'
+      - uses: ./.github/actions/setup
+      - uses: ./.github/actions/setup-sfdx
+      - name: Promote NPM package to production
+        run: npm run promote:npm:latest
+      - name: Promote SFDX package to production
+        run: npx --no-install nx run quantic:"promote:sfdx:ci"
+        env:
+          SFDX_AUTH_CLIENT_ID: ${{ secrets.SFDX_AUTH_CLIENT_ID }}
+          SFDX_AUTH_JWT_KEY: ${{ secrets.SFDX_AUTH_JWT_KEY }}
+          SFDX_AUTH_JWT_USERNAME: ${{ secrets.SFDX_AUTH_JWT_USERNAME }}
+      - name: Notify Docs
+        run: npm run notify:docs

.prettierignore

@@ -10,4 +10,5 @@ LICENSE.md
 **/.storybook/**
 **/.angular/**
 **/.next/**
-**/www/**
+**/www/**
+scripts/deploy/execute-deployment-pipeline.mjs

JenkinsfileProductionRelease

@@ -17,36 +17,17 @@ node('heavy && linux && docker') {
   dockerUtils.withDocker(image: 'node:18', args: '-e HOME=/tmp -e NPM_CONFIG_PREFIX=/tmp/.npm -v /etc/passwd:/etc/passwd:ro') {
     stage('Setup') {
       sh 'npm ci'
-      sh 'npm i -g @salesforce/[email protected]'
-    }
-
-    stage('Npm publish') {
-      withCredentials([
-      string(credentialsId: 'NPM_TOKEN', variable: 'NPM_TOKEN')]) {
-        sh 'echo //registry.npmjs.org/:_authToken=$NPM_TOKEN > ~/.npmrc'
-        sh 'npm run promote:npm:latest'
-      }
-    }
-
-    stage('Quantic publish') {
-      withCredentials([
-        usernamePassword(credentialsId: 'github-commit-token', usernameVariable: 'GITHUB_USERNAME', passwordVariable: 'GITHUB_TOKEN'),
-        string(credentialsId: 'sfdx-auth-pkg-client-id', variable: 'SFDX_AUTH_CLIENT_ID'),
-        file(credentialsId: 'sfdx-auth-pkg-jwt-key', variable: 'SFDX_AUTH_JWT_KEY_FILE'),
-      ]) {
-        withEnv([
-          '[email protected]'
-        ]) {
-          sh 'npx --no-install nx run quantic:"promote:sfdx:ci"'
-        }
-      }
     }
 
-    stage('Notify Docs') {
+    stage('Approve production release') {
       withCredentials([
-        usernamePassword(credentialsId: 'github-commit-token', usernameVariable: 'GITHUB_USERNAME', passwordVariable: 'GITHUB_TOKEN')
+        string(credentialsId: 'ui-kit-releaser-app-id', variable: 'RELEASER_APP_ID'),
+        string(credentialsId: 'ui-kit-releaser-private-key', variable: 'RELEASER_PRIVATE_KEY'),
+        string(credentialsId: 'ui-kit-releaser-client-id', variable: 'RELEASER_CLIENT_ID'),
+        string(credentialsId: 'ui-kit-releaser-client-secret', variable: 'RELEASER_CLIENT_SECRET'),
+        string(credentialsId: 'ui-kit-releaser-installation-id', variable: 'RELEASER_INSTALLATION_ID'),
       ]) {
-        sh 'npm run notify:docs'
+        sh "node ./scripts/deploy/approve-production-release.mjs ${params.GITHUB_RUN_ID}"
       }
     }
 

internal-docs/release-process.md

@@ -104,14 +104,35 @@ This task will do the same thing as `release:phase2`, but is intended to publish
 
 # Deploying
 
-Whenever a new version bump is pushed to the main branch by the scheduled release process, the Jenkins CI will run the `Jenkinsfile` on it.
-
-The purpose of this step is to:
-
-1. Publish some packages to the dev and staging CDN.
-2. After QA approval:
-   1. Publish Quantic to Salesforce.
-   2. Publish packages to the production CDN.
-   3. Update the `latest` NPM tag of each package.
-
-Specifically, the Jenkins CI will create a deployment package and push it to the deployment pipeline, which will run the instructions from `.deployment.config.json`.
+After the release is completed on Git, GitHub and NPM, the release workflow will start a job on a Coveo-Hosted-runners to trigger the deployment pipeline.
+From there on, the process then follows this diagram (starting with 'Continue GitHub workflow on Coveo Hosted Runner):
+
+```mermaid
+sequenceDiagram
+   box blue Public network
+   participant SFDC
+   participant NPM
+   participant GitHub-public
+   end
+   box purple VPC network
+   participant GitHub-coveo
+   participant DepPipeline
+   participant AWS
+   participant TeamJenkins
+   end
+   GitHub-public->>+NPM: Publish package on beta tag
+   GitHub-public->>+SFDC: Publish package
+   GitHub-public->>+GitHub-coveo: Continue GitHub workflow on Coveo Hosted Runner
+   GitHub-coveo-)DepPipeline: Trigger Deployment Pipeline
+   GitHub-coveo->>+GitHub-public: Continue GitHub workflow on GitHub Hosted runner
+   activate GitHub-public
+   DepPipeline->>DepPipeline: Do the usual checks
+   DepPipeline->>+AWS: Deploy files to S3
+   DepPipeline->>+TeamJenkins: Dispatch Jenkins Job
+   DepPipeline->>+AWS: Invalidate CloudFront Cache
+   Note right of GitHub-public: Wait for ✅
+   deactivate GitHub-public
+   TeamJenkins->>+GitHub-public: Approve Production GitHub Environment usage
+   GitHub-public->>+NPM: Promote package to latest
+   GitHub-public->>+SFDC: Promote package to latest
+```

scripts/deploy/approve-production-release.mjs

@@ -0,0 +1,25 @@
+import {createAppAuth} from '@octokit/auth-app';
+import {Octokit} from 'octokit';
+
+const authSecrets = {
+  appId: process.env.RELEASER_APP_ID,
+  privateKey: process.env.RELEASER_PRIVATE_KEY,
+  clientId: process.env.RELEASER_CLIENT_ID,
+  clientSecret: process.env.RELEASER_CLIENT_SECRET,
+  installationId: process.env.RELEASER_INSTALLATION_ID,
+};
+
+const octokit = new Octokit({
+  authStrategy: createAppAuth,
+  auth: authSecrets,
+});
+await octokit.request(
+  `POST /repos/coveo/ui-kit/actions/runs/${process.argv[2]}/deployment_protection_rule`,
+  {
+    state: 'approved',
+    environment_name: 'Production',
+    headers: {
+      'X-GitHub-Api-Version': '2022-11-28',
+    },
+  }
+);

scripts/deploy/execute-deployment-pipeline.mjs

@@ -0,0 +1,39 @@
+import {context} from '@actions/github';
+import {execSync} from 'child_process';
+import {parse} from 'semver';
+import atomicHostedPageJson from '../../packages/atomic-hosted-page/package.json' assert {type: 'json'};
+import atomicReactJson from '../../packages/atomic-react/package.json' assert {type: 'json'};
+import atomicJson from '../../packages/atomic/package.json' assert {type: 'json'};
+import headlessJson from '../../packages/headless/package.json' assert {type: 'json'};
+
+const releaseCommit = execSync('git rev-parse HEAD').toString().trim();
+
+function getVersionComposants(version) {
+  const parsedVersion = parse(version);
+  return {
+    major: parsedVersion?.major,
+    minor: parsedVersion?.minor,
+    patch: parsedVersion?.patch,
+  };
+}
+
+const headless = getVersionComposants(headlessJson.version);
+const atomic = getVersionComposants(atomicJson.version);
+const atomicReact = getVersionComposants(atomicReactJson.version);
+const atomicHostedPage = getVersionComposants(atomicHostedPageJson.version);
+execSync(`
+deployment-package package create --with-deploy \
+        --resolve HEADLESS_MAJOR_VERSION=${headless.major} \
+        --resolve HEADLESS_MINOR_VERSION=${headless.minor} \
+        --resolve HEADLESS_PATCH_VERSION=${headless.patch} \
+        --resolve ATOMIC_MAJOR_VERSION=${atomic.major} \
+        --resolve ATOMIC_MINOR_VERSION=${atomic.minor} \
+        --resolve ATOMIC_PATCH_VERSION=${atomic.patch} \
+        --resolve ATOMIC_REACT_MAJOR_VERSION=${atomicReact.major} \
+        --resolve ATOMIC_REACT_MINOR_VERSION=${atomicReact.minor} \
+        --resolve ATOMIC_REACT_PATCH_VERSION=${atomicReact.patch} \
+        --resolve ATOMIC_HOSTED_PAGE_MAJOR_VERSION=${atomicHostedPage.major} \
+        --resolve ATOMIC_HOSTED_PAGE_MINOR_VERSION=${atomicHostedPage.minor} \
+        --resolve ATOMIC_HOSTED_PAGE_PATCH_VERSION=${atomicHostedPage.patch} \
+        --resolve GITHUB_RUN_ID=${context.runId} \
+        --changeset ${releaseCommit}`);