opengovsg · eliotlim · May 31, 2026 · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026
@@ -7,7 +7,7 @@ name: 'CodeQL'
 
 on:
   push:
-    branches: [develop, release-al2]
+    branches: [develop]
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [develop]

@@ -6,15 +6,15 @@ concurrency:
 
 on:
   push:
-    branches:
-      - release-al2
+    tags:
+      - 'v*'
 
 jobs:
   deploy:
     name: Deploy
     uses: ./.github/workflows/deploy-ecs.yml
     with:
-      gha-environment: 'release-al2'
+      gha-environment: 'production'
       # Environment configuration
       environment: 'production'
       environment-site-name: 'prod'

@@ -6,8 +6,8 @@ concurrency:
 
 on:
   push:
-    branches:
-      - stg
+    tags:
+      - 'v*'
 
 jobs:
   deploy:

@@ -10,16 +10,16 @@ permissions:
 
 on:
   push:
-    branches:
-      - release-al2
+    tags:
+      - 'v*'
 
 jobs:
   deploy-pdf-gen-lambda:
     name: Deploy PDF Generator Lambda
     uses: ./.github/workflows/deploy-pdf-gen-lambda.yml
     with:
-      gha-environment: 'release-al2'
-      checkoutBranch: 'release-al2'
+      gha-environment: 'production'
+      checkoutBranch: ${{ github.ref_name }}
       environment: 'production'
     secrets:
       cicd-role: ${{ secrets.IAC_AWS_CI_ROLE_TO_ASSUME }}
@@ -10,16 +10,16 @@ permissions:
 
 on:
   push:
-    branches:
-      - stg
+    tags:
+      - 'v*'
 
 jobs:
-  deploy-pdf-gen-lambda: 
+  deploy-pdf-gen-lambda:
     name: Deploy PDF Generator Lambda
     uses: ./.github/workflows/deploy-pdf-gen-lambda.yml
     with:
       gha-environment: 'stg'
-      checkoutBranch: 'stg'
+      checkoutBranch: ${{ github.ref_name }}
       environment: 'stg'
     secrets:
       cicd-role: ${{ secrets.IAC_AWS_CI_ROLE_TO_ASSUME }}
@@ -10,16 +10,16 @@ permissions:
 
 on:
   push:
-    branches:
-      - release-al2
+    tags:
+      - 'v*'
 
 jobs:
   deploy-scanner-guardduty:
     name: Deploy Scanner Guardduty
     uses: ./.github/workflows/aws-deploy-scanner-guardduty-iac.yml
     with:
-      checkoutBranch: 'release-al2'
-      gha-environment: 'release-al2'
+      checkoutBranch: ${{ github.ref_name }}
+      gha-environment: 'production'
       environment: 'production'
       provisionedConcurrency: 10
     secrets:

@@ -10,15 +10,15 @@ permissions:
 
 on:
   push:
-    branches:
-      - stg
+    tags:
+      - 'v*'
 
 jobs:
   deploy-scanner-guardduty:
     name: Deploy Scanner GuardDuty
     uses: ./.github/workflows/aws-deploy-scanner-guardduty-iac.yml
     with:
-      checkoutBranch: 'stg'
+      checkoutBranch: ${{ github.ref_name }}
       gha-environment: 'stg'
       environment: 'stg'
       provisionedConcurrency: 1

@@ -2,23 +2,19 @@ name: Publish SDK
 
 # Release job for @opengovsg/formsg-sdk, published from packages/sdk.
 #
-# Modeled after the old non-monorepo publish.yml
-# (github.com/opengovsg/formsg-javascript-sdk), which used npm's OIDC
-# "trusted publisher" flow (no NPM_TOKEN secret) and triggered on push
-# to a dedicated `release` branch. In the monorepo, `release-al2` plays
-# the same role: it is the branch that deploys to prod when a release
-# PR (created by scripts/release_prep.sh) is merged into it.
+# Uses npm's OIDC "trusted publisher" flow (no NPM_TOKEN secret). Triggered
+# by pushing a `sdk-v<version>` tag, which is cut separately from the app
+# release: bump packages/sdk/package.json via .external.versionrc.js, then
+# push the matching tag, e.g.
 #
-# release_prep.sh bumps packages/sdk/package.json via
-# .external.versionrc.js and pushes a `sdk-v<version>` tag before
-# opening the release PR, so by the time this workflow runs there is
-# already a matching tag on the remote — all that is left to do is
-# build, publish to npm via OIDC, and create the GitHub release.
+#   pnpm exec commit-and-tag-version --config .external.versionrc.js
+#   git push origin HEAD:develop && git push origin sdk-v<version>
 #
-# The version check in the `Resolve SDK version` step makes this job a
-# no-op for monorepo releases that did not also bump the SDK — npm will
-# already have the current version and the subsequent steps are
-# skipped.
+# By the time this workflow runs the tag already exists, so all that is left
+# is to build, publish to npm via OIDC, and create the GitHub release.
+#
+# The version check in the `Resolve SDK version` step makes this job a no-op
+# if the version is already on npm — the subsequent steps are skipped.
 
 env:
   NODE_VERSION: '22.22'
@@ -27,11 +23,8 @@ env:
 
 on:
   push:
-    branches:
-      - release-al2
-    paths:
-      - 'packages/sdk/**'
-      - '.github/workflows/publish-sdk.yml'
+    tags:
+      - 'sdk-v*'
 
 jobs:
   release:

@@ -0,0 +1,98 @@
+name: Release
+
+# Cuts a monorepo app release from `develop`, replacing the old laptop flow
+# (scripts/release_prep.sh). Does exactly what that script did by hand:
+# bumps the app package.json files via .internal.versionrc.js, regenerates
+# CHANGELOG.md, commits both back to develop, pushes the vX.Y.Z tag, and
+# updates the GitHub Releases page.
+#
+# The tag push fans out to the build (build-release-image.yml), staging deploy
+# (deploy-ecs-stg.yml) and production deploy (deploy-ecs-prod.yml) workflows.
+#
+# The SDK release flow is separate: see .github/workflows/publish-sdk.yml.
+
+on:
+  workflow_dispatch:
+
+# Only one release may be in flight at a time, so two dispatches can't race to
+# bump the version off the same base commit.
+concurrency:
+  group: release
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+env:
+  NODE_VERSION: '22.22'
+  PNPM_VERSION: '10.30.3'
+  CTV_VERSION: '12.6.1' # commit-and-tag-version, pinned to package.json
+
+jobs:
+  release:
+    name: Cut release
+    runs-on: ubuntu-latest
+    # `release` GitHub Environment gates who can cut a tag (required reviewers
+    # configured in repo settings).
+    environment: release
+    steps:
+      # A GitHub App token (not GITHUB_TOKEN) is required for two reasons:
+      # 1. it can be granted bypass of develop's branch protection to push the
+      #    version-bump commit; and
+      # 2. pushes made with GITHUB_TOKEN do not trigger other workflows, so the
+      #    tag push would not start the build/deploy workflows.
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.RELEASE_BOT_APP_ID }}
+          private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}
+
+      - name: Checkout develop
+        uses: actions/checkout@v4.3.1
+        with:
+          ref: develop
+          fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Configure git identity
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
+        run: |
+          bot_user_id="$(gh api "/users/${APP_SLUG}[bot]" --jq .id)"
+          git config user.name "${APP_SLUG}[bot]"
+          git config user.email "${bot_user_id}+${APP_SLUG}[bot]@users.noreply.github.com"
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+        with:
+          version: ${{ env.PNPM_VERSION }}
+
+      - name: Use Node.js
+        uses: actions/setup-node@v4.4.0
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      # Bumps the eight app package.json files, regenerates CHANGELOG.md, and
+      # creates the `chore: bump version to vX.Y.Z` commit + matching vX.Y.Z tag
+      # locally. Same config the laptop flow used.
+      - name: Bump version, regenerate changelog and tag
+        run: pnpm dlx commit-and-tag-version@${{ env.CTV_VERSION }} --config .internal.versionrc.js
+
+      - name: Resolve release version
+        id: version
+        run: echo "tag=v$(jq -r .version package.json)" >> "$GITHUB_OUTPUT"
+
+      - name: Push commit and tag
+        run: |
+          git push origin HEAD:develop
+          git push origin "refs/tags/${{ steps.version.outputs.tag }}"
+
+      - name: Update GitHub Releases page
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          gh release create "${{ steps.version.outputs.tag }}" \
+            --verify-tag \
+            --generate-notes
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,8 +6,8 @@ concurrency: @@
     on:
       push:
-        branches:
-          - stg
+        tags:
+          - 'v*'
     jobs:
       deploy:
@@ Expand Down @@