feat(ci): improve release process #9518
Open
eliotlim wants to merge 4 commits into
Replaces the laptop release script (scripts/release_prep.sh) with a workflow_dispatch job gated by the `release` GitHub Environment. It bumps the app package.json files via .internal.versionrc.js, regenerates CHANGELOG.md, commits to develop, pushes the vX.Y.Z tag, and updates the GitHub Releases page. A GitHub App token is used rather than GITHUB_TOKEN: the default token can neither bypass develop's branch protection nor trigger the downstream tag-driven build and deploy workflows. Part of the Improved Release Process RFC. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Point staging and production deploys (app, pdf-gen lambda, virus-scanner guardduty) at `v*` tag pushes rather than the release-al2 and stg mirror branches, and gate production behind the `production` GitHub Environment. Sidecar workflows check out the tag via github.ref_name. This retires the long-lived release branches: deploys now target immutable tags cut by the release workflow, and the prod approval is an explicit environment gate rather than a branch-merge convention. Part of the Improved Release Process RFC. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
release-al2 is being decommissioned, so trigger the npm publish on sdk-v* tag pushes instead of release-al2 branch pushes. The sdk-v* tag is cut separately from the app release (documented in the workflow header); the SDK release flow is otherwise unchanged. Part of the Improved Release Process RFC. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The CI release workflow (.github/workflows/release.yml) replaces the manual release_prep.sh / release_hotfix.sh flow and their generate_pr_body.sh helper. Hotfixes now go through the same release workflow. Part of the Improved Release Process RFC. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Pull request overview
This PR migrates the app release process from local, laptop-run shell scripts to GitHub Actions, aiming to make cutting releases possible from the GitHub UI while simplifying the previous multi-PR flow.
Changes:
- Remove legacy local release/hotfix helper scripts (`scripts/release_prep.sh`, `scripts/release_hotfix.sh`, `scripts/generate_pr_body.sh`).
- Add a new manually-triggered GitHub Actions workflow to bump versions, generate changelog, tag, and create a GitHub Release (`.github/workflows/release.yml`).
- Rewire deployment workflows (ECS app + pdf-gen + virus-scanner) to trigger from `v*` tag pushes instead of `stg`/`release-al2` branch pushes; update SDK publishing to trigger from `sdk-v*` tags.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| scripts/release_prep.sh | Removes the previous laptop-driven release cut script. |
| scripts/release_hotfix.sh | Removes the previous laptop-driven hotfix release script. |
| scripts/generate_pr_body.sh | Removes the script that assembled release PR bodies and aggregated “Tests” sections. |
| .github/workflows/release.yml | Adds a workflow_dispatch release cutter that bumps versions, tags, and creates GitHub Releases. |
| .github/workflows/publish-sdk.yml | Changes SDK publishing trigger from branch/path-based to sdk-v* tag-based. |
| .github/workflows/deploy-virus-scanner-guardduty-stg.yml | Switches staging scanner deploy trigger to v* tags and checks out the tag ref. |
| .github/workflows/deploy-virus-scanner-guardduty-prod.yml | Switches production scanner deploy trigger to v* tags; updates GitHub Environment name to production. |
| .github/workflows/deploy-pdf-gen-stg.yml | Switches staging pdf-gen deploy trigger to v* tags and checks out the tag ref. |
| .github/workflows/deploy-pdf-gen-prod.yml | Switches production pdf-gen deploy trigger to v* tags; updates GitHub Environment name to production. |
| .github/workflows/deploy-ecs-stg.yml | Switches staging ECS deploy trigger to v* tags. |
| .github/workflows/deploy-ecs-prod.yml | Switches production ECS deploy trigger to v* tags; updates GitHub Environment name to production. |
| .github/workflows/codeql-analysis.yml | Stops running CodeQL on release-al2 pushes (now only on develop pushes + PRs). |
Comment on lines +3 to +7
| # Cuts a monorepo app release from `develop`, replacing the old laptop flow | ||
| # (scripts/release_prep.sh). Does exactly what that script did by hand: | ||
| # bumps the app package.json files via .internal.versionrc.js, regenerates | ||
| # CHANGELOG.md, commits both back to develop, pushes the vX.Y.Z tag, and | ||
| # updates the GitHub Releases page. |
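Review bot: The header comment says the job commits back to develop and pushes the vX.Y.Z tag, but it does not say under which identity or behind which gate. The commit message explains that a GitHub App token is used because GITHUB_TOKEN cannot bypass develop's branch protection, and that the job is gated by the `release` environment; put both facts in this header so anyone auditing the workflow sees that it holds a branch-protection bypass and where approval is enforced. The sentence "Does exactly what that script did by hand" also loses its referent once scripts/release_prep.sh is deleted in this PR, so describe the steps directly.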
Comment on lines 7 to +10
| on: | ||
| push: | ||
| branches: | ||
| - release-al2 | ||
| tags: | ||
| - 'v*' |
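Review bot: The `'v*'` filter under `on.push.tags` matches every tag that starts with `v`, not only release versions, so any such tag pushed to the repository would start this deploy. Consider narrowing it to the format the release workflow cuts, for example `'v[0-9]+.[0-9]+.[0-9]+'`, and restricting who may create or move `v*` tags with a tag ruleset, since a tag push is now what triggers deployment.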
Comment on lines 11 to 24
| on: | ||
| push: | ||
| branches: | ||
| - release-al2 | ||
| tags: | ||
| - 'v*' | ||
|
|
||
| jobs: | ||
| deploy-scanner-guardduty: | ||
| name: Deploy Scanner Guardduty | ||
| uses: ./.github/workflows/aws-deploy-scanner-guardduty-iac.yml | ||
| with: | ||
| checkoutBranch: 'release-al2' | ||
| gha-environment: 'release-al2' | ||
| checkoutBranch: ${{ github.ref_name }} | ||
| gha-environment: 'production' | ||
| environment: 'production' | ||
| provisionedConcurrency: 10 |
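Review bot: `checkoutBranch: ${{ github.ref_name }}` passes only the short tag name, which is ambiguous if a branch with the same name exists and which resolves to wherever the tag points at checkout time rather than at trigger time. Because this job waits on the `production` environment, there can be a gap between the tag push and the checkout; passing `${{ github.sha }}` (or at least the full `${{ github.ref }}`) makes the reusable workflow deploy exactly the commit that triggered the run. The input name `checkoutBranch` is also misleading now that it carries a tag and could be renamed in aws-deploy-scanner-guardduty-iac.yml.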
Comment on lines 11 to 23
| on: | ||
| push: | ||
| branches: | ||
| - release-al2 | ||
| tags: | ||
| - 'v*' | ||
|
|
||
| jobs: | ||
| deploy-pdf-gen-lambda: | ||
| name: Deploy PDF Generator Lambda | ||
| uses: ./.github/workflows/deploy-pdf-gen-lambda.yml | ||
| with: | ||
| gha-environment: 'release-al2' | ||
| checkoutBranch: 'release-al2' | ||
| gha-environment: 'production' | ||
| checkoutBranch: ${{ github.ref_name }} | ||
| environment: 'production' |
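Review bot: This call passes both `gha-environment: 'production'` and `environment: 'production'`, and nothing in the caller shows which of the two the reusable workflow binds to the job-level `environment:` key that enforces the approval gate. Staging and production deploys now fire on the same `v*` tag push, so that environment gate is the only control between a tag and a production deploy. Confirm in deploy-pdf-gen-lambda.yml that the deploying job declares its environment from `gha-environment`, and add a short comment here stating what each input is for.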
Problem
Changes currently take 3 PRs to merge and release, which means:
Closes FRM-2341