feat: add NPM frontend deployment workflow and update license workflow

.github/CODEOWNERS

@@ -4,13 +4,4 @@
 # More details are here: https://help.github.com/articles/about-codeowners/
 
 # The '*' pattern is global owners.
-
-# Order is important. The last matching pattern has the most precedence.
-# The folders are ordered as follows:
-
-# In each subsection folders are ordered first by depth, then alphabetically.
-# This should make it easy to add new rules without breaking existing ones.
-
-# Workflows
-/.github/*              @stefano-franco @nuvibit-team
-/.github/workflows/*    @stefano-franco @nuvibit-team
+# There are currently no codeowners defined.

.github/workflows/drawio-export.yml

@@ -8,6 +8,16 @@ on:
         default: "."
         required: false
         type: string
+      commit_user:
+        description: 'Username which should be used for commits by github action'
+        default: 'github-actions'
+        required: false
+        type: string
+      commit_email:
+        description: 'Email which should be used for commits by github action'
+        default: 'noreply@github.com'
+        required: false
+        type: string
 
 concurrency:
   group: drawio-export-${{ github.ref }}
@@ -35,15 +45,20 @@ jobs:
           quality: 95
           uncompressed: true
 
-      - name: Get author and committer info from HEAD commit
-        uses: rlespinasse/git-commit-data-action@v1.x
-        if: github.ref == 'refs/heads/main'
+      - name: Commit Changes
+        run: |
+          git config --local user.name "${{ inputs.commit_user }}"
+          git config --local user.email "${{ inputs.commit_email }}"
+          git add .
+          if [[ -z $(git status -s) ]]; then
+            echo "diff=false" >> $GITHUB_OUTPUT
+          else
+            echo "diff=true" >> $GITHUB_OUTPUT
+          fi
+          git diff-index --quiet HEAD || git commit -m "docs: sync draw.io exported files" -a
 
-      - name: Commit changed files
-        uses: stefanzweifel/git-auto-commit-action@v5
+      - name: Push Changes
+        uses: ad-m/github-push-action@v0.8.0
         with:
-          commit_message: "docs: sync draw.io exported files"
-          commit_user_name: "${{ env.GIT_COMMIT_COMMITTER_NAME }}"
-          commit_user_email: "${{ env.GIT_COMMIT_COMMITTER_EMAIL }}"
-          commit_author: "${{ env.GIT_COMMIT_AUTHOR }}"
-        if: github.ref == 'refs/heads/main'
+          github_token: ${{ steps.github_app_token.outputs.token }}
+          branch: ${{ github.ref }}

.github/workflows/ntc-workflow.yml → .github/workflows/license-update.yml

@@ -1,18 +1,22 @@
-name: NTC WORKFLOW
+name: LICENSE UPDATE
 
 on:
   workflow_call:
     inputs:
       license_file_source_repo:
-        description: 'Repository where license file is stored.'
-        default: "nuvibit-terraform-collection/module.tpl"
-        required: false
+        description: 'Repository where license file is stored (needs to be public or in the same Github organization).'
+        required: true
         type: string
       license_file_name:
         description: 'License file name.'
         default: "LICENSE"
         required: false
         type: string
+      company_name:
+        description: 'Company name to use in license header.'
+        default: "Nuvibit AG"
+        required: false
+        type: string
       insert_header_file_extension:
         description: 'File extension of files where license header should be added.'
         default: ".tf"
@@ -29,30 +33,45 @@ on:
         required: false
         type: string
     secrets:
-      GHE_API_TOKEN:
+      # GitHub App credentials to avoid using GITHUB_TOKEN
+      GH_APP_ID:
+        required: true
+      GH_APP_PRIVATE_KEY:
         required: true
 
 jobs:
-  ntc-license:
+  license-update:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Get Github Access Token
+        id: github_app_token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          # if owner and repositories are empty, access will be scoped to only the current repository
+          owner: ${{ github.repository_owner }}
+          repositories: |
+            ${{ inputs.license_file_source_repo }}
+            ${{ github.event.repository.name }}
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
-          token: ${{ secrets.GHE_API_TOKEN }}
+          token: ${{ steps.github_app_token.outputs.token }}
 
       - name: Checkout License File
         uses: actions/checkout@v4
         with:
-          repository: ${{ inputs.license_file_source_repo }}
+          repository: ${{ github.repository_owner }}/${{ inputs.license_file_source_repo }}
           path: remote_repo
           persist-credentials: false
           sparse-checkout: |
             ${{ inputs.license_file_name }}
           sparse-checkout-cone-mode: false
-          token: ${{ secrets.GHE_API_TOKEN }}
+          token: ${{ steps.github_app_token.outputs.token }}
 
       - name: Update License File
         run: |
@@ -68,7 +87,7 @@ jobs:
             sed -i '/^# Copyright/d' $file
             sed -i '/^# SPDX-License-Identifier/d' $file
             sed -i '/./,$!d' $file
-            sed -i '1s/^/# Copyright (c) Nuvibit AG\n# SPDX-License-Identifier: see terms and conditions in the LICENSE file\n\n/' $file
+            sed -i '1s/^/# Copyright (c) ${{ inputs.company_name }}\n# SPDX-License-Identifier: see terms and conditions in the LICENSE file\n\n/' $file
           done
 
       - name: Commit Changes
@@ -86,5 +105,5 @@ jobs:
       - name: Push Changes
         uses: ad-m/github-push-action@v0.8.0
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.github_app_token.outputs.token }}
           branch: ${{ github.event.pull_request.head.ref }}

.github/workflows/npm-frontend-deploy.yml

@@ -0,0 +1,130 @@
+name: NPM FRONTEND DEPLOYMENT
+
+on:
+  workflow_call:
+    inputs:
+      node_version:
+        description: 'Node.js version to use for the build (default: lts/*)'
+        default: 'lts/*'
+        required: false
+        type: string
+      aws_default_region:
+        description: 'AWS region to use for deployment (default: eu-central-1)'
+        default: 'eu-central-1'
+        required: false
+        type: string
+      aws_oidc_role_arn:
+        description: 'AWS OIDC IAM role ARN to assume for deployment (e.g. arn:aws:iam::111111111111:role/oidc-deployment-role)'
+        required: true
+        type: string
+      domain_name:
+        description: 'Domain name used for the frontend application (e.g. docs.nuvibit.com)'
+        required: true
+        type: string 
+      s3_deployment_dir:
+        description: 'S3 directory where the build artifacts will be uploaded (default: build)'
+        default: 'build'
+        required: false
+        type: string
+      local_build_dir:
+        description: 'Local directory where the build artifacts are located (default: build)'
+        default: 'build'
+        required: false
+        type: string
+      cloudfront_invalidate_paths:
+        description: 'Paths to invalidate in CloudFront after deployment (ALL, UPDATED, NONE)'
+        required: true
+        type: string
+        # ALL: Invalidate all paths (default)
+        # UPDATED: Invalidate only paths that were updated
+        # NONE: Do not invalidate any paths
+        default: 'ALL'
+
+jobs:
+  npm-frontend-deploy:
+    name: Deploy Frontend
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.node_version }}
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Build website
+        run: npm run build
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ inputs.aws_oidc_role_arn }}
+          aws-region: ${{ inputs.aws_default_region }}
+
+      - name: Upload to S3 and track changed files
+        id: sync
+        run: |
+          # First identify which files will be synced
+          SYNC_OUTPUT=$(aws s3 sync ./${{ inputs.local_build_dir }} s3://${{ inputs.domain_name }}/${{ inputs.s3_deployment_dir }} --dryrun)
+          echo "Found changes to sync."
+
+          # Extract file paths that will be uploaded/updated
+          PATHS_TO_INVALIDATE=$(echo "$SYNC_OUTPUT" | grep -E 'upload:|update:' | sed -E 's/^\(dryrun\) (upload:|update:) (.*) to ([^ ]+).*/\3/' | sed 's|s3://${{ inputs.domain_name }}/${{ inputs.s3_deployment_dir }}||')
+          echo "Paths to be updated:"
+          echo "$PATHS_TO_INVALIDATE"
+
+          # Save paths for invalidation, adjust format for JSON array
+          if [ -n "$PATHS_TO_INVALIDATE" ]; then
+            PATHS_JSON=$(echo "$PATHS_TO_INVALIDATE" | sed 's/^/"/' | sed 's/$/"/' | paste -sd, -)
+            echo "paths_json=[$PATHS_JSON]" >> $GITHUB_OUTPUT
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          else
+            echo "No changes to invalidate"
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          fi
+
+          # Perform the actual sync
+          aws s3 sync ./${{ inputs.local_build_dir }} s3://${{ inputs.domain_name }}/${{ inputs.s3_deployment_dir }}
+
+      - name: Find CloudFront distribution ID
+        id: cloudfront
+        if: steps.sync.outputs.has_changes == 'true'
+        run: |
+          # Find the CloudFront distribution that has our S3 bucket as origin
+          DISTRIBUTION_ID=$(aws cloudfront list-distributions --query "DistributionList.Items[?contains(Origins.Items[].DomainName, '${{ inputs.domain_name }}.s3.${{ inputs.aws_default_region }}.amazonaws.com')].Id" --output text)
+
+          if [ -z "$DISTRIBUTION_ID" ]; then
+            echo "::error::Could not find CloudFront distribution for ${{ inputs.domain_name }}"
+            exit 1
+          fi
+
+          echo "Found CloudFront distribution: $DISTRIBUTION_ID"
+          echo "distribution_id=$DISTRIBUTION_ID" >> $GITHUB_OUTPUT
+
+      - name: Invalidate CloudFront cache for ALL PATHS
+        if: steps.sync.outputs.has_changes == 'true' && inputs.cloudfront_invalidate_paths == 'ALL'
+        run: |
+          # Create CloudFront invalidation for all paths
+          DISTRIBUTION_ID=${{ steps.cloudfront.outputs.distribution_id }}
+
+          echo "Creating CloudFront invalidation for paths: /*"
+          aws cloudfront create-invalidation --distribution-id $DISTRIBUTION_ID --paths "/*"
+
+      - name: Invalidate CloudFront cache for UPDATED PATHS
+        if: steps.sync.outputs.has_changes == 'true' && inputs.cloudfront_invalidate_paths == 'UPDATED'
+        run: |
+          # Create CloudFront invalidation for the paths that were updated
+          PATHS=${{ toJSON(steps.sync.outputs.paths_json) }}
+          DISTRIBUTION_ID=${{ steps.cloudfront.outputs.distribution_id }}
+
+          echo "Creating Invalidation batch file"
+          echo "{\"Paths\": {\"Quantity\": $(echo $PATHS | jq length), \"Items\": $PATHS}, \"CallerReference\": \"$(date +%s)\"}" > inv-batch.json
+          echo "Creating CloudFront invalidation for paths: $PATHS"
+          aws cloudfront create-invalidation --distribution-id $DISTRIBUTION_ID --invalidation-batch file://inv-batch.json