Skip to content

DEVEX-1087: sync CDN assets during release candidate promotion#116

Merged
pdodgen-revparts merged 1 commit intomainfrom
DEVEX-1087-cdn-sync-on-promote
Apr 20, 2026
Merged

DEVEX-1087: sync CDN assets during release candidate promotion#116
pdodgen-revparts merged 1 commit intomainfrom
DEVEX-1087-cdn-sync-on-promote

Conversation

@pdodgen-revparts
Copy link
Copy Markdown
Contributor

@pdodgen-revparts pdodgen-revparts commented Apr 20, 2026

Problem

Services that ship tag-versioned JS/CSS assets (webstore, checkout, manage) upload them during Build to s3://<cdn-bucket>/<repo>/<TAG>/ where TAG is the -main.N tag. After promotion, the docker image is retagged v1.5.0-main.3 → v1.5.0 (no rebuild), but the helm chart passes image.tag into the running app as package_version. The app builds CDN URLs like <cdn>/<repo>/<package_version>/* — pointing at a pretty-tag path that does not exist in S3.

Observed on webstore QA today: promoted v0.405.0, app tried to load .../webstore/v0.405.0/*.css → 404.

Fix

Add an optional sync_cdn_assets boolean input plus three optional secrets (cdn_bucket, cdn_aws_access_id, cdn_aws_access_secret). When enabled, the reusable runs:

aws s3 sync s3://<cdn_bucket>/<repo>/<source_tag>/ s3://<cdn_bucket>/<repo>/<pretty_tag>/

Server-side copy, preserves Content-Encoding and Cache-Control metadata set at Build time. Takes seconds.

Callers

  • webstore — sync_cdn_assets=true
  • checkout — sync_cdn_assets=true
  • manage — sync_cdn_assets=true

Wrapper PRs will follow in each of those repos.

Trade-off considered

Retag-without-rebuild (our current design) sacrifices automatic re-upload of tag-pathed side artifacts. Alternatives were discussed:

  • Rebuild on promote — simplest but loses speed and image identity guarantee
  • Decouple asset_version from image.tag in helm — requires per-repo helm + app changes

The S3 sync keeps the complexity contained to the reusable and 3 thin wrappers, with no app/helm edits.

Part of DEVEX-1087.

@pdodgen-revparts
feat: sync CDN assets during release candidate promotion
a413eb5 
Some repos (webstore, checkout, manage) build tag-versioned JS/CSS assets and
upload them to s3://<bucket>/<repo>/<TAG>/ during Build. After promotion, the
docker image is retagged v1.5.0-main.3 -> v1.5.0, but the helm chart passes
image.tag through to the app as a 'package_version' env var, which the app
uses to build CDN URLs like <cdn>/<repo>/<package_version>/*. Those URLs 404
because the assets were only uploaded under the -main.N path.

Add an optional sync_cdn_assets input plus cdn_bucket / cdn_aws_access_id /
cdn_aws_access_secret secrets. When enabled, the reusable does a server-side
aws s3 sync from the source tag path to the pretty tag path, preserving all
object metadata (Content-Encoding, Cache-Control) set at Build time.

Callers that need it: webstore, checkout, manage. Wrapper updates to follow.
@pdodgen-revparts pdodgen-revparts requested a review from a team as a code owner April 20, 2026 18:31
@cursor
Copy link
Copy Markdown

cursor Bot commented Apr 20, 2026
edited
Loading

PR Summary

Medium Risk
Adds an optional S3 sync step and AWS credentials to the release-candidate promotion workflow; misconfiguration or missing AWS setup could cause promotion runs to fail when enabled.

Overview
Adds an optional sync_cdn_assets input to the reusable promote-release-candidate workflow to copy tag-versioned CDN assets from s3://<bucket>/<repo>/<source_tag>/ to s3://<bucket>/<repo>/<pretty_tag>/ during promotion.

Introduces three new optional secrets (cdn_bucket, cdn_aws_access_id, cdn_aws_access_secret) and gates the new aws s3 sync step behind the input, with a hard error if the secrets are missing when the option is enabled.

Reviewed by Cursor Bugbot for commit a413eb5. Bugbot is set up for automated code reviews on this repo. Configure here.

@pdodgen-revparts pdodgen-revparts merged commit fa939e9 into main Apr 20, 2026
2 checks passed
@pdodgen-revparts pdodgen-revparts deleted the DEVEX-1087-cdn-sync-on-promote branch April 20, 2026 18:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ronneseth ronneseth Awaiting requested review from ronneseth ronneseth is a code owner automatically assigned from encodium/developer-experience

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pdodgen-revparts