ForgeRock · ryanbas21 · Nov 5, 2025 · Oct 3, 2025 · Oct 3, 2025 · Oct 3, 2025
diff --git a/.github/actions/publish-beta/action.yml b/.github/actions/publish-beta/action.yml
@@ -0,0 +1,24 @@
+name: 'Publish Beta Steps'
+description: 'Steps to run when packages are not published (beta branch)'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Create PR for beta publish
+      shell: bash
+      run: pnpm pkg-pr-new publish './packages/*' './packages/sdk-effects/*' --packageManager=pnpm --comment=off
+
+    - name: Run Builds
+      shell: bash
+      run: pnpm nx run-many -t build --no-agents
+
+    - name: Generate API Docs
+      shell: bash
+      run: pnpm generate-docs
+
+    - name: Publish api docs [beta]
+      uses: JamesIves/github-pages-deploy-action@v4.7.3
+      with:
+        folder: docs
+        commit-message: 'chore: release-api-docs-beta'
+        target-folder: 'beta'
diff --git a/.github/actions/publish-release/action.yml b/.github/actions/publish-release/action.yml
@@ -0,0 +1,45 @@
+name: 'Publish Release Steps'
+description: 'Steps to run when packages are published'
+inputs:
+  publishedPackages:
+    description: 'Published packages JSON'
+    required: true
+  slackWebhook:
+    description: 'Slack webhook URL'
+    required: true
+runs:
+  using: 'composite'
+  steps:
+    - name: Format publishedPackages for Slack
+      id: slackify
+      shell: bash
+      run: |
+        raw='${{ inputs.publishedPackages }}'
+        message=$(echo "$raw" | jq -r '.[] | "- \(.name) v\(.version)"')
+        echo "message<<EOF" >> $GITHUB_OUTPUT
+        echo "$message" >> $GITHUB_OUTPUT
+        echo "EOF" >> $GITHUB_OUTPUT
+
+    - name: Send to Slack Workflow
+      uses: slackapi/slack-github-action@v2.0.0
+      with:
+        webhook: ${{ inputs.slackWebhook }}
+        webhook-type: webhook-trigger
+        payload: >
+          {
+            "publishedPackages": "${{ steps.slackify.outputs.message }}"
+          }
+
+    - name: Run Builds
+      shell: bash
+      run: pnpm nx run-many -t build --no-agents
+
+    - name: Generate API Docs
+      shell: bash
+      run: pnpm generate-docs
+
+    - name: Publish api docs
+      uses: JamesIves/github-pages-deploy-action@v4.7.3
+      with:
+        folder: docs
+        commit-message: 'chore: release-api-docs'
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -0,0 +1,78 @@
+name: 'Setup Project'
+description: 'Centralized setup for CI jobs'
+inputs:
+  node-version-file:
+    description: 'Node version file'
+    required: false
+    default: '.node-version'
+  pnpm-cache-folder:
+    description: 'pnpm cache folder'
+    required: false
+    default: '.pnpm-store'
+  CODECOV_TOKEN:
+    description: 'CODECOV_TOKEN'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - uses: pnpm/action-setup@v4
+      with:
+        run_install: false
+
+    - name: Setup pnpm config
+      run: pnpm config set store-dir ${{ inputs.pnpm-cache-folder }} --global
+      shell: bash
+
+    - uses: actions/setup-node@v6
+      with:
+        node-version-file: ${{ inputs.node-version-file }}
+        cache: 'pnpm'
+        registry-url: 'https://registry.npmjs.org'
+
+    - name: Update npm
+      run: npm install -g npm@latest
+      shell: bash
+
+    - name: Install dependencies
+      run: pnpm install --frozen-lockfile
+      shell: bash
+
+    - name: Nx Cloud start
+      run: pnpm dlx nx-cloud start-ci-run --distribute-on=".nx/workflows/dynamic-changesets.yml" --stop-agents-after="e2e-ci" --with-env-vars="CODECOV_TOKEN"
+      shell: bash
+      env:
+        CODECOV_TOKEN: ${{ inputs.CODECOV_TOKEN }}
+
+    - name: Cache Playwright browsers
+      uses: actions/cache@v4
+      with:
+        path: ~/.cache/ms-playwright
+        key: ${{ runner.os }}-playwright-${{ hashFiles('**/pnpm-lock.yaml') }}
+        restore-keys: |
+          ${{ runner.os }}-playwright-
+
+    - name: Install Playwright
+      run: pnpm exec playwright install
+      shell: bash
+
+    - name: Set Nx SHAs
+      uses: nrwl/nx-set-shas@v4
+
+    - name: Check TS References are Synced
+      shell: bash
+      run: pnpm nx sync:check
+
+    - name: Run Nx build/lint/test/e2e
+      run: pnpm exec nx affected -t build lint test e2e-ci
+      shell: bash
+
+    - name: Upload Playwright report
+      uses: actions/upload-artifact@v4
+      if: ${{ !cancelled() }}
+      with:
+        name: playwright-report
+        path: |
+          ./e2e/*/.playwright/**
+          ./e2e/**/.playwright/**
+        retention-days: 30
diff --git a/.github/workflows/ci-fork.yml b/.github/workflows/ci-fork.yml
@@ -0,0 +1,58 @@
+name: ForgeRock Fork Pull Request CI
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+  actions: read
+
+concurrency:
+  group: pr-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  pr:
+    # Only run for forks
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+
+      - uses: pnpm/action-setup@v4
+        with:
+          run_install: false
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version-file: '.node-version'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+
+      - run: pnpm install --frozen-lockfile
+
+      # Restore-only cache to avoid save attempts/noise on forks
+      - name: Restore Playwright browsers cache
+        uses: actions/cache/restore@v4
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-playwright-
+
+      - run: pnpm exec playwright install --with-deps
+
+      - name: Track base repository main
+        run: |
+          git fetch origin +refs/heads/main:refs/remotes/upstream/main
+          git branch --force main upstream/main
+
+      - uses: nrwl/nx-set-shas@v4
+
+      - run: pnpm nx format:check
+      - run: pnpm nx affected -t build typecheck lint test e2e-ci --no-agents
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,7 +5,6 @@ on:
 env:
   NX_CLOUD_ENCRYPTION_KEY: ${{ secrets.NX_CLOUD_ENCRYPTION_KEY }}
   NX_CLOUD_ACCESS_TOKEN: ${{ secrets.PR_NX_CLOUD_ACCESS_TOKEN }} # Read Only
-  NX_CLOUD_DISTRIBUTED_EXECUTION: true
   CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   CI: true
 
@@ -16,48 +15,23 @@ concurrency:
 
 jobs:
   pr:
+    if: ${{github.event.pull_request.head.repo.full_name == github.repository}}
     runs-on: ubuntu-latest
     timeout-minutes: 20
     permissions:
       pull-requests: write
       contents: write
-      id-token: write
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: pnpm/action-setup@v4
-        with:
-          run_install: false
-      - uses: actions/setup-node@v5
-        id: cache
-        with:
-          node-version-file: '.node-version'
-          cache: 'pnpm'
-
-      - run: pnpm install --frozen-lockfile
+          token: ${{ secrets.GH_TOKEN }}
 
-      # This line enables distribution
-      # The "--stop-agents-after" is optional, but allows idle agents to shut down once the "e2e-ci" targets have been requested
-      - run: pnpm dlx nx-cloud start-ci-run --distribute-on=".nx/workflows/dynamic-changesets.yml" --stop-agents-after="e2e-ci" --with-env-vars="CODECOV_TOKEN"
-      - run: pnpm nx sync:check
-
-      - name: Cache Playwright browsers
-        uses: actions/cache@v4
+      - name: Setup Project
+        uses: ./.github/actions/setup
         with:
-          path: ~/.cache/ms-playwright
-          key: ${{ runner.os }}-playwright-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-playwright-
-
-      - run: pnpm exec playwright install
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
-      - uses: nrwl/nx-set-shas@v4
-      # This line is needed for nx affected to work when CI is running on a PR
-      - run: git branch --track main origin/main
-
-      - run: pnpm exec nx-cloud record -- nx format:check
-      - run: pnpm exec nx affected -t build typecheck lint test e2e-ci
       - run: npx nx-cloud fix-ci
         if: always()
 
@@ -66,19 +40,8 @@ jobs:
           directory: ./packages/
           token: ${{ secrets.CODECOV_TOKEN }}
 
-      - uses: actions/upload-artifact@v4
-        if: ${{ !cancelled() }}
-        with:
-          name: playwright-report
-          path: |
-            **/.playwright
-            **/test-results
-          retention-days: 30
-
       - name: Ensure builds run
-        run: pnpm nx run-many -t build
-        env:
-          NX_CLOUD_DISTRIBUTED_EXECUTION: false
+        run: pnpm nx run-many -t build --no-agents
 
       - run: pnpm pkg-pr-new publish './packages/*' './packages/sdk-effects/*' --packageManager=pnpm