ci(cdn): add workflow_dispatch trigger and PR dry-run for registry upload #20

Merged: lukeocodes merged 1 commit into main from ci/cdn-validation-tooling, May 5, 2026
@lukeocodes
Member

Summary

Two pieces of validation tooling for the CDN publish pipeline added in #19:

  • workflow_dispatch on npm-publish.yml so publish-cdn-registry can be fired manually for ad-hoc validation without waiting for a release.
  • New cdn-dryrun.yml workflow that runs on PRs touching ui/registry/publish workflows. Uses the read-only CDN_AWS_ROLE_READER to list bucket state and aws s3 sync --dryrun against /ui/r/. No writes.

Why

Validating the CDN pipeline shouldn't require cutting a real release. After this lands:

  1. To smoke-test the live publish path: trigger npm Publish manually from the Actions UI (or gh workflow run npm-publish.yml --repo deepgram/ui). It rebuilds the registry, re-uploads to /ui/r/, and invalidates /ui/r/*.
  2. Every PR that touches ui/registry/publish gets a free dry-run that confirms creds work, bucket is reachable, the build produces all 17 registry items, and the planned sync makes sense.

Dispatch behaviour

On `workflow_dispatch`:

  • `release-please` runs but produces no release (no commits to release).
  • `publish` skips (gated on `release_created`).
  • `publish-cdn-registry` runs because the `if:` now also accepts `github.event_name == 'workflow_dispatch'`.
  • Registry is rebuilt and synced to `/ui/r/` (no versioned path; that's the cache config).

Dry-run behaviour

PRs that touch `packages/ui/`, `packages/registry/`, `.github/workflows/cdn-dryrun.yml`, or `.github/workflows/npm-publish.yml` get a `dryrun-registry` job that:

  • Runs `bun run build:registry` to produce `packages/registry/dist/r/*.json`.
  • Assumes `CDN_AWS_ROLE_READER` via OIDC.
  • `aws s3 ls s3://$BUCKET/ui/r/ --recursive` to surface what is already there.
  • `aws s3 sync ./packages/registry/dist/r/ s3://$BUCKET/ui/r/ --dryrun`

No `--delete` on the dryrun (the live job keeps it). No CloudFront invalidation either.

Risk

Both changes are additive. Existing release flow is untouched aside from the new `if:` that adds the dispatch path.

Follow-up

Matching change for the agent widget upload in deepgram/agent#45.

…load

Two pieces of validation tooling for the CDN publish pipeline:

1. workflow_dispatch on npm-publish.yml so the publish-cdn-registry
   job can be fired manually for ad-hoc validation. The registry has
   no versioned path so no extra version resolution is needed; on
   dispatch the registry is rebuilt from packages/registry/dist/r/
   and synced to s3://$BUCKET/ui/r/ with /ui/r/* invalidated.

2. New cdn-dryrun.yml workflow that runs on PRs touching the ui
   package, the registry package, or either of the publish workflows.
   Authenticates via OIDC to the read-only github-actions-cdn-reader
   role, lists what is currently at s3://$BUCKET/ui/r/, and performs
   aws s3 sync --dryrun against the registry path. No writes. Catches
   broken builds, missing registry items, role mis-assumptions, and
   bucket-path drift before they hit a release.

Both wired against the existing org-level secrets:
CDN_AWS_ROLE_DEPLOYER (writes), CDN_AWS_ROLE_READER (reads),
CDN_AWS_REGION, CDN_S3_BUCKET, CDN_CLOUDFRONT_DISTRIBUTION_ID.
@lukeocodes lukeocodes merged commit 486b46c into main May 5, 2026
2 checks passed
@lukeocodes lukeocodes deleted the ci/cdn-validation-tooling branch May 5, 2026 00:07
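
A guard that could run over the dry-run output described above, as an added example (not code from this PR or the deepgram/ui repository): it fails if the `aws s3 sync --dryrun` plan contains anything other than `.json` uploads under the registry prefix, and counts the built registry items. The function names, the `example-bucket` name and the sample plan lines are constructed; the `ui/r/` prefix comes from the PR text, and the parsing assumes the AWS CLI's `(dryrun) upload: SRC to s3://...` line format.

```bash
#!/usr/bin/env bash
# Added example, not the project's workflow code.

# check_plan BUCKET PREFIX   (dry-run plan text on stdin)
# Prints the number of planned uploads. Returns non-zero if any planned
# operation is a delete/copy/move, or an upload outside s3://BUCKET/PREFIX.
check_plan() {
  local bucket="$1" prefix="$2" line dest uploads=0
  while IFS= read -r line; do
    case "$line" in
      "(dryrun) upload: "*)
        dest="${line##* to }"            # text after the last " to "
        case "$dest" in
          "s3://$bucket/$prefix"*.json) uploads=$((uploads + 1)) ;;
          *) echo "unexpected destination: $dest" >&2; return 1 ;;
        esac ;;
      "(dryrun) "*)                      # delete:, copy:, move:, ...
        echo "unexpected operation: $line" >&2; return 1 ;;
      *) ;;                              # blank lines, CLI warnings
    esac
  done
  echo "$uploads"
}

# count_items DIR: number of *.json registry items produced by the build.
count_items() {
  local dir="$1" f n=0
  for f in "$dir"/*.json; do
    if [ -e "$f" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Constructed sample plans (not captured from a real run).
SAMPLE_PLAN='(dryrun) upload: packages/registry/dist/r/button.json to s3://example-bucket/ui/r/button.json
(dryrun) upload: packages/registry/dist/r/card.json to s3://example-bucket/ui/r/card.json'
SAMPLE_BAD_PLAN='(dryrun) upload: packages/registry/dist/r/button.json to s3://example-bucket/ui/r/button.json
(dryrun) delete: s3://example-bucket/ui/r/old.json'

printf '%s\n' "$SAMPLE_PLAN" | check_plan example-bucket ui/r/
```

In a workflow step the plan would be piped in from the `aws s3 sync ... --dryrun` command, and `count_items packages/registry/dist/r` compared against the 17 items the PR expects.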